
AEROHIVE CERTIFIED

NETWORKING PROFESSIONAL
(ACNP)

2013 Aerohive Networks CONFIDENTIAL

Introductions

What is your name?
What is your organization's name?
How long have you worked in networking?
What was your 1st computer?


Facilities Discussion

Course Material
Distribution
Course Times
Restrooms
Break room
Smoking Area
Break Schedule
Morning Break
Lunch Break
Afternoon Break

Aerohive Switching & Routing Configuration (ACNP) Course Overview
Each student connects to HiveManager, a remote PC, and an Aerohive AP over the Internet from their wireless-enabled laptop in the classroom, and then performs hands-on labs that cover the following topics:
Overview of Switching and Routing Platforms
Unified Network Policy Management
Spanning Tree
Device Templates
Port Types (802.1Q Ports, Phone and Data Ports, Secure Access Ports, Guest Access Ports
and WAN ports)
Aggregate Channels
PoE
VLAN to Network mapping
Router templates
Parent networks and branch subnets
Layer 3 VPN with VPN Gateway Virtual Appliance
Policy Based Routing
Router Firewall
Cookie Cutter Branch Networking
2-Day Hands-On

Aerohive Training Remote Lab
Aerohive Access Points using external antenna connections and RF cables to connect to USB Wi-Fi client cards (black cables)
Access Points are connected from eth0 to Aerohive managed switches with 802.1Q VLAN trunk support providing PoE to the APs (yellow cables)
Access Points are connected from their console port to a console server (white cables)
Console server to permit SSH access into the serial console of Aerohive Access Points
Firewall with routing support, NAT, and multiple Virtual Router Instances
Server running VMware ESXi running Active Directory, RADIUS, NPS and hosting the virtual clients used for testing configurations to support the labs
Copyright 2011

Aerohive CBT Learning


http://www.aerohive.com/cbt


The 20 Minute Getting Started Video Explains the Details
Please view the Aerohive Getting Started Videos:
http://www.aerohive.com/330000/docs/help/english/cbt/Start.htm

Aerohive Technical Documentation


All the latest technical documentation is available for
download at:

http://www.aerohive.com/techdocs


Aerohive Instructor Led Training
Aerohive Education Services offers a complete curriculum that provides you with the courses you will need as a customer or partner to properly design, deploy, administer, and troubleshoot all Aerohive WLAN solutions.
Aerohive Certified WLAN Administrator (ACWA): First-level course
Aerohive Certified WLAN Professional (ACWP): Second-level course
Aerohive Certified Network Professional (ACNP): Switching/Routing course
Aerohive Class Schedule: www.aerohive.com/training

Over 20 books about networking have been written by Aerohive Employees
CWNA Certified Wireless Network Administrator Official Study Guide by David D. Coleman and David A. Westcott
CWSP Certified Wireless Security Professional Official Study Guide by David D. Coleman, David A. Westcott, Bryan E. Harkins and Shawn M. Jackman
CWAP Certified Wireless Analysis Professional Official Study Guide by David D. Coleman, David A. Westcott, Ben Miller and Peter MacKenzie
802.11 Wireless Networks: The Definitive Guide, Second Edition by Matthew Gast
802.11n: A Survival Guide by Matthew Gast
802.11ac: A Survival Guide by Matthew Gast

Aerohive Exams and Certifications
Aerohive Certified Wireless Administrator (ACWA) is a first-level certification that validates your knowledge and understanding about Aerohive Networks WLAN Cooperative Control Architecture. (Based upon Instructor Led Course)
Aerohive Certified Wireless Professional (ACWP) is the second-level certification that validates your knowledge and understanding about Aerohive advanced configuration and troubleshooting. (Based upon Instructor Led Course)
Aerohive Certified Network Professional (ACNP) is another second-level certification that validates your knowledge about Aerohive switching and branch routing. (Based upon Instructor Led Course)

Aerohive Forums

Aerohive's online community HiveNation


Have a question, an idea or praise you want to share? Join the HiveNation
Community - a place where customers, evaluators, thought leaders and
students like yourselves can learn about Aerohive and our products while
engaging with like-minded individuals.

Please, take a moment and register during class if you are not
already a member of HiveNation.
Go to http://community.aerohive.com/aerohive and sign up!


Aerohive Social
Media
The HiveMind Blog:
http://blogs.aerohive.com
Follow us on Twitter: @Aerohive
Instructor: David Coleman: @mistermultipath
Instructor: Bryan Harkins: @80211University
Instructor: Gregor Vucajnk: @GregorVucajnk
Instructor: Metka Dragos: @MetkaDragos
Please feel free to tweet about #Aerohive
training during class.


Aerohive Technical Support: General
How do I buy Technical Support?
Support Contracts are sold on a yearly basis, with discounts for multi-year purchases. Customers can opt to purchase Support in either 8x5 format or in a 24 hour format.
I have different expiration dates on several Entitlement keys, may I combine all my support so it all expires on the same date?
Your Aerohive Sales Rep can help you set up Co-Term, which allows you to select matching expiration dates for all your support.
I want to talk to somebody live.
Call us at 408-510-6100 / Option 2. We also provide service toll-free from within the US & Canada by dialing (866) 365-9918. Aerohive has Support Engineers in the US, China, and the UK, providing coverage 24 hours a day.

Aerohive Technical Support: The Americas
How do I reach Technical Support?
Aerohive Technical Support is available 24 hours a day. This can be via the Aerohive Support Portal or by calling. For the Support Portal, an authorized customer can open a Support Case. Communication is managed via the portal with new messages and replies. Once the issue is resolved, the case is closed, and can be retrieved at any time in the future.
I want to talk to somebody live.
For those who wish to speak with an engineer, call us at 408-510-6100 / Option 2. We also provide service toll-free from within the US & Canada by dialing (866) 365-9918.
I need an RMA in The Americas
An RMA is generated via the Support Portal, or by calling our Technical Support group. After troubleshooting, should the unit require repair, we will overnight* a replacement to the US and Canada. Other countries are international. If the unit is DOA, it's replaced with a brand new item; if not, it is replaced with a like-new refurbished item.
*Restrictions may apply: time of day, location, etc.

Aerohive Technical Support: International
How do I get Technical Support outside The Americas?
Aerohive international Partners provide dedicated Technical Support to their customers. The Partner has received specialized training on the Aerohive Networks product line, and has access to 24 hour Internal Aerohive Technical Support via the Support Portal, or by calling 408-510-6100 / Option 2.
I need an RMA internationally
World customers' defective units are quickly replaced by our Partners, and Aerohive replaces the Partner's stock once it arrives at our location. Partners are responsible for all shipping charges, duties, taxes, etc.

Copyright Notice
Copyright 2013 Aerohive Networks, Inc. All rights reserved.
Aerohive Networks, the Aerohive Networks logo, HiveOS, Aerohive AP, HiveManager, and GuestManager are trademarks of Aerohive Networks, Inc. All other trademarks and registered trademarks are the property of their respective companies.

QUESTIONS?


SWITCHING & ROUTING PRODUCT LINE
Overview of hardware and software platforms

Aerohive Switching Platforms
SR2024P: 24 Gigabit Ethernet ports, 24 PoE+ (195 W), 4 ports 1G SFP uplinks, routing with 3G/4G USB support and line-rate switching, 56 Gbps switching, single power supply
SR2124P: 24 Gigabit Ethernet ports, 24 PoE+ (408 W), 4 ports 10G SFP/SFP+ uplinks, switching only, 128 Gbps switch, redundant power supply capable
SR2148P: 48 Gigabit Ethernet ports, 48 PoE+ (779 W), 4 ports 10G SFP/SFP+ uplinks, switching only, 176 Gbps switch, redundant power supply capable

Class Switches Deployed in Data Center
Note: The switch model (2024) used in the lab has been superseded by improved models.
SR2024:
Line Rate Layer 2 Switch
8 Ports of PoE
Multi-authentication access ports: 802.1X with fallback to MAC auth or open
Client Visibility: view client information by port
USB 3G/4G (LTE) Backup
Policy-based routing with Identity
[Diagram: SR2024 connected to the Internet router, RADIUS server and DHCP server, with PoE-powered APs]
Provides Access For: Employees, Guests, Contractors, Phones, APs, Servers

HiveManager Form Factors
Features: RF Planner, SW, Config & Policy, Topology, Reporting, SLA Compliance, Heat Maps, Guest Mgmt
Express Mode: optimized for ease of use, uniform company-wide policy, one user profile per SSID
Enterprise Mode: enterprise sophistication, multiple Network policies, multiple user profiles/SSID
HiveManager Appliance 2U: redundant power & fans, HA redundancy, 5000 / 8000 APs
HiveManager Virtual Appliance: VMware ESX & Player, HA redundancy, 1500 APs with minimum configuration / 5000
HiveManager Online: Cloud-based SaaS management
[Diagram axes: Seamless Upgrade Path; Increasing deployment size; Increasing network complexity]

HiveManager Appliance

HiveManager Databases

Aerohive Routing Platforms
BR 100: Single Radio 1x1 11bgn, 5-10 Mbps FW/VPN, 5x 10/100, 0 PoE PSE
BR 200*: 30-50 Mbps FW/VPN, 5x 10/100/1000, 2x PoE PSE
AP 330 / AP 350: Dual Radio 3x3:3 450 Mbps 11abgn, 2x 10/100/1000 Ethernet, 0 PoE PSE
VPN Gateways: L3 IPSec VPN Gateway, ~500 Mbps VPN, 4000/1024 Tunnels (Physical/Virtual)
* Also available as a non-Wi-Fi device

BR100 vs. BR200
BR100 | BR200/BR200WP
5x FastEthernet | 5x Gigabit Ethernet
1x1 11bgn (2.4Ghz) single radio | 3x3:3 11abgn dual-band single radio (WP)
No integrated PoE | PoE (in WP model)
No console port | Console Port
No Spectrum Analysis | Integrated Spectrum Analysis (WP)
No Wireless Intrusion Detection | Full Aerohive WIPS (WP)
No local RADIUS or AD integration | Full Aerohive RADIUS, proxy, and AD
No SNMP logging | SNMP Support

Aerohive AP Platforms
AP121 (Indoor), AP141 (Indoor Industrial): Dual Radio 802.11n 2x2:2 300 Mbps High Power Radios, 1x Gig.E, Plenum Rated, 0 to 40C, USB for future use
AP330 (Indoor), AP350 (Indoor Industrial): Dual Radio 802.11n 3x3:3 450 Mbps High Power Radios
AP230* (Indoor), AP370 (Indoor): Dual Radio 802.11ac/n 3x3:3 450 + 1300 Mbps High Power Radios
AP330 / AP350 / AP230 / AP370: TPM Security Chip, 2x Gig.E with link aggregation (2x Gig.E - 10/100 link aggregation), PoE (802.3af + 802.3at) and AC Power, Plenum / Plenum-Dust Proof, 0 to 40C / -20 to 55C, USB for 3G/4G Modem
AP390: 2x Gig E w/ PoE Failover
AP170 (Outdoor): Dual Radio 802.11n 2x2:2 300 Mbps 11n High Power Radios, 1x Gig.E, PoE (802.3at), Water Proof (IP68), -40 to 55C, USB N/A
* Includes 5 GHz Transmit Beamforming and in 2.4 GHz has TurboQAM

VPN Gateway Virtual Appliance
Supports the following:
GRE Tunnel Gateway
L2 IPSec VPN Gateway
L3 IPSec VPN Gateway
RADIUS Authentication Server
RADIUS Relay Agent
Bonjour Gateway
DHCP server
Use a VPN Gateway Virtual Appliance instead of an AP when higher scalability for these features is required.
Function | Scale
VPN Tunnels | 1024 Tunnels
RADIUS Local users per VPN Gateway | 9999
# Users Cache (RADIUS Server) | 1024
# Simultaneous authentications (RADIUS Server) | 256

VPN Gateway Physical Appliance
Supports the following:
GRE Tunnel Gateway
L2 IPSec VPN Gateway
L3 IPSec VPN Gateway
RADIUS Authentication Server
RADIUS Relay Agent
Bonjour Gateway
DHCP server
Ports: One 10/100/1000 WAN port; four LAN ports, two of which support PoE
Use a VPN Gateway Appliance instead of an AP when higher scalability for these features is required.
Function | Scale
VPN Tunnels | 4000 Tunnels
RADIUS Local users per VPN Gateway | 9999
# Users Cache (RADIUS Server) | 1024
# Simultaneous authentications (RADIUS Server) | 256

QUESTIONS?


Lab Infrastructure
[Diagram] Core: HiveManager and Router with VLAN 1 (10.100.1.1/24), VLAN 2 (10.100.2.1/24), VLAN 8 (10.100.8.1/24) and VLAN 10 (10.100.10.1/24)
Distribution: SR2024 switches (Instructor Space and Student Space)
Access: per-student SR2024 with PoE, AP and PC (Student 2 through Student X)

SWITCHING

Lab: Setting up a Wireless Network
1. Connect to the Hosted Training HiveManager
Securely browse to the appropriate HiveManager for class:
TRAINING LAB 1: https://training-hm1.aerohive.com (https://72.20.106.120)
TRAINING LAB 2: https://training-hm2.aerohive.com (https://72.20.106.66)
TRAINING LAB 3: https://training-hm3.aerohive.com (https://209.128.124.220)
TRAINING LAB 4: https://training-hm4.aerohive.com (https://203.214.188.200)
TRAINING LAB 5: https://training-hm5.aerohive.com (https://209.128.124.230)
NOTE: In order to access the HiveManager, someone at your location needs to enter the training firewall credentials given to them by the instructor first.
Supported Browsers: Firefox, Internet Explorer, Chrome, Safari
Class Login Credentials:
Login: adminX (X = Student ID 2 - 29)
Password: aerohive123

Lab: Setting Up a Wireless Network
2. Create a Network Policy
Go to Configuration
Click the New button

Lab: Setting Up a Wireless Network
3. Enable network policy options
Name: Access-X
Check the options for Wireless Access, Switching and Bonjour Gateway
Click Create
Note, enabling Branch Routing:
Enables L3 VPN Configuration
Disables L2 VPN Configuration
Enables L3 Router Firewall Policy and Policy-Based Routing with Identity
Enables Router configuration settings in Additional Settings

Network Policy Components
Wireless Access: Use when you have an AP-only deployment, or you require specific wireless policies for APs in a mixed AP and router deployment
Branch Routing: Use when you are managing routers, or APs behind routers that do not require different Network Policies than the router they connect through
[Diagram: BR100 with 3G/4G LTE backup to the Internet at a Small Branch Office or Teleworker Site; BR200 with 3G/4G LTE backup, PoE ports and mesh-linked APs at a Small to Medium Size Branch Office that may have APs behind the router]

Network Policy Components
Bonjour Gateway: Allows Bonjour services to be seen in multiple subnets
Switching: Used to manage wired traffic using Aerohive Switches
[Diagram: SR2024 connected to the Internet with PoE-powered APs]

Lab: Setting Up a Wireless Network
4. Create a New SSID Profile
Network Configuration: next to SSIDs click Choose, then click New

Lab: Setting Up a Wireless Network
5. Configure Employee SSID
SSID Profile: Class-PSK-X (X = 2 - 29, Student ID)
SSID: Class-PSK-X
Select WPA/WPA2 PSK (Personal)
Uncheck the Obscure Password checkbox
Key Value: aerohive123
Confirm Value: aerohive123
Click Save
Click OK
For ALL labs, please follow the class naming convention.

Lab: Setting Up a Wireless Network
6. Create a User Profile
To the right of your SSID, under User Profile, click Add/Remove
In Choose User Profiles, click the New button

Lab: Setting Up a Wireless Network
7. Define User Profile Settings
Name: Employee-X
Attribute Number: 10
Default VLAN: from the drop down box, select Create new VLAN, type: 10
Click Save

Lab: Setting Up a Wireless Network
8. Choose User Profile and Save
Ensure the Employee-X User Profile is highlighted
Click Save

Lab: Setting Up a Wireless Network
9. Review your policy and save
From the Configure Interfaces & User Access bar, click Save

SPANNING TREE BEHAVIOR


How loops happen
1. Client sends broadcast such as ARP request
2. Switch A forwards packet on all interfaces, except source interface
3. Switch B receives the broadcast twice, but does not know it is the same broadcast. It forwards the broadcast from interface 1 on interface 24 and vice versa
4. Switch A again receives the broadcast twice and does the same as Switch B. (It also sends both broadcasts back to the client)
5. Rinse and repeat. The broadcast never leaves the network

Spanning Tree
Easy to solve, right?
Just disconnect one cable
But now there is no redundancy
Have no fear!
There was once a loop to be,
In a redundant path for everyone to
see.
The packets went round and round,
Until a new sheriff was found.
His name? Well, Spanning Tree!


Spanning Tree
So what does the Spanning Tree Protocol (STP) do?
High level overview:
1. All interfaces are blocked (for non STP traffic) while the switches elect a root bridge (switch)
2. After the root bridge is elected, switches calculate the lowest cost path to the root bridge
3. Unblock corresponding ports and keep redundant ports blocked
4. If an active link fails, unblock redundant port
[Diagram labels: "I am root!"; Root doesn't have to calculate; Speed 1Gbit, Cost: 20,000; Speed 100Mbit, Cost: 200,000]
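As an added illustration (not from the course material), the four steps above simulated in Python on a constructed three-switch topology using the link costs quoted on the slide: root election by lowest (priority, MAC), least-cost path to the root, which port ends stay blocked, and what changes when an active link fails. The switch names, MAC addresses and topology are assumptions.

```python
import heapq

# STP path costs quoted on the slide, keyed by link speed in Mbit/s
COST = {1000: 20_000, 100: 200_000}


def elect_root(bridges):
    """Step 1: the switch with the lowest bridge ID (priority, then MAC) becomes root."""
    return min(bridges, key=lambda name: bridges[name])


def root_path_costs(root, links, bridges):
    """Step 2: lowest-cost path from every switch to the root (Dijkstra).
    Returns {switch: (root path cost, next hop toward the root)}."""
    adj = {}
    for a, b, speed in links:
        adj.setdefault(a, []).append((b, COST[speed]))
        adj.setdefault(b, []).append((a, COST[speed]))
    best = {root: (0, None)}
    heap = [(0, root)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > best[node][0]:
            continue  # stale heap entry
        for nbr, link_cost in adj.get(node, []):
            if nbr == root:
                continue
            cand = (cost + link_cost, bridges[node])
            cur = best.get(nbr)
            # lower cost wins; on equal cost the path via the lower bridge ID wins
            if cur is None or cand < (cur[0], bridges[cur[1]]):
                best[nbr] = (cost + link_cost, node)
                heapq.heappush(heap, (cost + link_cost, nbr))
    return best


def port_states(bridges, links):
    """Steps 3 and 4: classify each port end as root, designated or blocked.
    Ports are keyed (switch, neighbour); assumes at most one link per switch pair."""
    root = elect_root(bridges)
    rpc = root_path_costs(root, links, bridges)
    states = {}
    for a, b, _ in links:
        # the end with the lower root path cost (tie: lower bridge ID) is designated
        desg, other = (a, b) if (rpc[a][0], bridges[a]) < (rpc[b][0], bridges[b]) else (b, a)
        states[(desg, other)] = "designated"
        # the far end is the root port if this link is on its least-cost path, else it stays blocked
        states[(other, desg)] = "root" if rpc[other][1] == desg else "blocked"
    return root, states


def after_link_failure(bridges, links, failed):
    """Step 4: recompute once the link between the two switches in `failed` goes down."""
    remaining = [l for l in links if {l[0], l[1]} != set(failed)]
    return port_states(bridges, remaining)


# Constructed topology (assumption): C has the lowest priority, so it wins the election.
# A-B and B-C are 1 Gbit links; A-C is a 100 Mbit link, so A reaches the root via B.
BRIDGES = {"A": (32768, "0000.0000.000a"),
           "B": (32768, "0000.0000.000b"),
           "C": (4096, "0000.0000.000c")}
LINKS = [("A", "B", 1000), ("B", "C", 1000), ("A", "C", 100)]

if __name__ == "__main__":
    root, states = port_states(BRIDGES, LINKS)
    print("root:", root)
    for (sw, nbr), state in sorted(states.items()):
        print(f"{sw} -> {nbr}: {state}")
    print("after A-B fails:", after_link_failure(BRIDGES, LINKS, ("A", "B"))[1][("A", "C")])
```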

Spanning Tree extra reading
Found in the class materials: Spanning-TreeOverview.pptx
STP
RSTP
MSTP
(R)PVST

Switch Spanning Tree Settings
By default, spanning tree is disabled on Aerohive switches.
Why?
If you plug an edge switch into a network, and the switch priority is a lower number (higher priority) on our switch than what is configured on the existing network, our switch will become the root switch.
This means that the optimal path and links that are available through a network will be chosen based on getting to your edge switch!
This most likely is not what a customer wants to do! ;-)
What is the downside of not enabling spanning tree by default?
If you plug two cables from our switch to the distribution switch network, and the ports are not configured as an aggregate, you can cause a loop!
This is far less of a concern than enabling spanning tree by default and possibly rerouting all traffic through our switch, so we disable spanning tree by default.

Verify Existing Network Spanning Tree Priorities
Before installing an Aerohive switch into an existing switch network, have the company determine the root switch and backup root switch priority.
Ensure our spanning tree priority is set to a higher number.
For example, on a Cisco Catalyst switch you can type:

CS-Dist-2#show spanning-tree
MST0
  Spanning tree enabled protocol mstp
  Root ID    Priority    12288
             Address     000f.23b9.0d80
             Cost        0
             Port        25 (GigabitEthernet0/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    16384  (priority 16384 sys-id-ext 0)
             Address     001f.274c.5180
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- ----
Fa0/24              Desg FWD 200000    128.24   P2p
Gi0/1               Root FWD 200000    128.25   P2p

Here you can see the Root Priority is: 12288
The switch this command is run on shows a priority of 16384
So most likely our switch default priority of 32768 will not cause any harm
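As an added example (not part of the course material), a Python check that automates the verification above: it parses the Root ID and Bridge ID blocks out of the Cisco output quoted on the slide and reports whether a new switch at the Aerohive default priority of 32768, or any other priority you intend to configure, would win the root election. The parser, the helper names and the MAC placeholder are assumptions; the sample output is a copy of the slide's.

```python
import re

# Constructed copy of the "show spanning-tree" output quoted on the slide.
SAMPLE_OUTPUT = """\
CS-Dist-2#show spanning-tree
MST0
  Spanning tree enabled protocol mstp
  Root ID    Priority    12288
             Address     000f.23b9.0d80
             Cost        0
             Port        25 (GigabitEthernet0/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    16384  (priority 16384 sys-id-ext 0)
             Address     001f.274c.5180
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
"""

AEROHIVE_DEFAULT_PRIORITY = 32768  # default bridge priority stated on the slide

# "Root ID ... Priority N" followed on the next line by "Address xxxx.xxxx.xxxx"
_ID_BLOCK = re.compile(
    r"(Root ID|Bridge ID)\s+Priority\s+(\d+)[^\n]*\n\s*Address\s+([0-9a-fA-F.]+)"
)


def parse_bridge_ids(output):
    """Pull the (priority, MAC) bridge IDs of the root and of the local switch out of IOS output."""
    ids = {}
    for label, prio, mac in _ID_BLOCK.findall(output):
        key = "root" if label == "Root ID" else "local"
        ids[key] = (int(prio), mac.lower())
    if "root" not in ids:
        raise ValueError("no Root ID block found in output")
    return ids


def valid_priority(priority):
    """Bridge priorities are multiples of 4096 in the range 0-61440 (802.1t extended system ID)."""
    return 0 <= priority <= 61440 and priority % 4096 == 0


def would_become_root(candidate, current_root):
    """Root election picks the lowest (priority, MAC) tuple; ties on priority fall to the MAC."""
    return candidate < current_root


def check_new_switch(output, priority=AEROHIVE_DEFAULT_PRIORITY, mac="ffff.ffff.ffff"):
    """Report whether a switch with the given priority/MAC would usurp the existing root.
    The MAC defaults to the highest possible value so the answer depends on priority alone."""
    if not valid_priority(priority):
        raise ValueError(f"priority {priority} is not a multiple of 4096")
    ids = parse_bridge_ids(output)
    return {
        "root_priority": ids["root"][0],
        "local_priority": ids.get("local", (None,))[0],
        "new_priority": priority,
        "takes_root": would_become_root((priority, mac), ids["root"]),
    }


if __name__ == "__main__":
    print(check_new_switch(SAMPLE_OUTPUT))        # default 32768: does not take root
    print(check_new_switch(SAMPLE_OUTPUT, 8192))  # lower than 12288: would become root
```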


Lab: Enable Spanning Tree
1. Enable Spanning Tree
From the network policy that has switching enabled, go to Additional Settings and click Edit

Lab: Enable Spanning Tree
2. Enable RSTP
Enable Rapid Spanning Tree:
Expand Switch Settings
Expand STP Settings
Check the box to Enable STP (Spanning Tree Protocol)
Select the radio button to enable RSTP (Rapid Spanning Tree)
Click Save

Lab: Enable Spanning Tree
3. Save your Network Policy
From the Configure Interfaces & User Access bar, click Save

Spanning Tree Switch specific settings
More detailed Spanning Tree settings can be configured on an individual switch in device level settings should that be required.

DEVICE TEMPLATES
FOR DEFINING SWITCH PORT
SETTINGS


Device Templates
HiveManager Device Templates are used to assign switches at the same or different sites to a common set of port configurations.
For example, ports 1, 2 are for APs, ports 3-6 are for phones, etc.
[Diagram: HiveManager applies the SR2024 switch device template to Distribution and Access/Edge SR2024 switches with PoE-powered APs]

Device Templates
Device templates are used to define ports for the same device, devices with the same number of ports, and device function.
Device templates do not set device function, i.e. switch, router, or AP, but will only match devices configured with the matching function.
You configure a device's function in the device specific configuration.
Apply to SR2024 switches configured as switches.
Apply to SR2024 switches configured as routers. Requires WAN port.

Device Templates For Devices Requiring Different Port Settings
If devices require different port configurations for the same type of device and function, you can:
1. Configure device classification tags to have different device templates for different devices
2. Create a new network policy with a different device template
[Diagram: SR2024 as Switch at Default Sites; SR2024 as Switch at Small Sites with Device Classification Tag: Small Site; each with PoE-powered APs]
Note: The switch model (2024) used in the lab has been superseded by improved models.

CONFIGURE DEVICE
TEMPLATES
FOR DEFINING SWITCH PORT
SETTINGS


Lab: Configure Device Templates
1. Create device template
Next to Device templates, click Choose
Click New

Lab: Configure Device Templates
2. Create switch template
Name: SR2024-DefaultX
Click Device Models
Select SR2024
Click OK
For SR2024, when functioning as: Select Switch
Click Save
Note: Here you are not setting the SR2024 to function as a switch. Instead, you are only specifying that this template applies to SR2024s when they are configured to function as a switch. The switch/router function is configured in switch device settings.
Note: You only see Switch as an option and not Switch and Router, because Routing was not enabled in the selection box when creating this Network Policy.

Lab: Configure Device Templates
3. Save switch template
Ensure your device template is selected and click OK
The device template will appear in the Device Templates section
You can show or hide the individual device template by clicking the triangle
This shows you that this is a template for your switch as a switch

Lab: Configure Device Templates
4. Save your Network Policy
From the Configure Interfaces & User Access bar, click Save

LINK AGGREGATION


Lab Infrastructure: Aggregate Links for Connection to Distribution
Aggregate is statically configured, similar to EtherChannel
There is no LACP (Link Aggregation Control Protocol) in this release.
You can have 8 ports in one channel
The ports do not have to be contiguous
Every port on the SR2024 can be configured into port channels except the USB and console port
The switch hardware creates a hash of the header fields in frames selected for load balancing, to determine the port in an aggregate on which to send a frame
Load balancing options are:
Source & Destination MAC, IP, and Port
Source & Destination IP
Port

Lab Infrastructure: Aggregate Links for Connection to Distribution
Load balance of broadcast, multicast, and unknown unicast traffic between ports in an aggregate is based on Src/Dst MAC/IP.
You cannot configure an 802.1X port in an EtherChannel
MAC learning is on the port channel port, instead of the member port
Only ports with the same physical media type and speed can be grouped into one aggregate.
Supports LLDP per port but not per channel

Lab Infrastructure: Do not do this with aggregates
[Diagram: Aggregate 1 from an SR2024 split across Distribution Switch 1 and Distribution Switch 2]
In this case, distribution switch 1 and switch 2 will see the same MAC addresses and cause MAC flapping, i.e. traffic from PC A for example might be load balanced to Switch 1 and Switch 2.
In this case, there will also be a loop!
Aggregates must be built between a pair of switches only!

AGGREGATION
CONFIGURATION EXAMPLE


Aggregate Links for Switch Connections to Distribution Layer Switches
[Diagram: ESXi Server and HMOL at the Core; Distribution switches with aggregates; Access SR2024 with PoE-powered AP and PC]
Each access switch will have two aggregates:
Aggregate 1: Port 17, 18
Aggregate 2: Port 19, 20
These ports are not connected in this classroom, this is only a configuration example

Lab: Link Aggregation
1. Select ports 17 and 18
Select ports that will be used to connect to the distribution layer switches (example only, aggregates are not used in class)
NOTE: Recommended not to use the first 8 ports on the SR2024 which provide PoE.
Select port 17, and 18
Check the box for Aggregate selected ports
Enter 1
Click Configure

Lab: Link Aggregation
2. Create Trunk Port policy
Click New
Name: Trunk-X
Port Type: 802.1Q
QoS Classification: Trusted Traffic Source, Map to DSCP or 802.1p
Note: This means we are trusting the upstream network infrastructure markings
QoS Marking: Map Aerohive.. Map to DSCP or 802.1p
Click Save

Lab: Link Aggregation
2. Save Trunk Port policy
Ensure that Trunk-X is selected, click OK

Lab: Link Aggregation
3. Select ports 19 and 20
Select port 19 and 20
Check aggregate selected ports and enter 2

Lab: Link Aggregation
4. Assign Trunk policy
Click Configure
For choose port type, select the 802.1Q trunk that you created previously: Trunk-X
Click OK

Lab: Link Aggregation
5. Review port settings
Port 17, 18, 19, and 20 will now display an 802.1Q trunk icon and should all appear the same, even though there are two different aggregates

Lab: Link Aggregation
6. Save your Network Policy
From the Configure Interfaces & User Access bar, click Save

CONFIGURE UPLINKS USED IN THE CLASSROOM

Classroom Links for Switch Connections to Distribution Layer Switches
[Diagram: ESXi Server, 3CX IP PBX (10.100.1.?) and HMOL at the Core; Distribution switches; Access SR2024 with PoE-powered AP and PC]
For the class, we are going to configure single uplinks without aggregation to connect to the distribution switches
Single Uplinks: Port 23, 24
Port 23 will be connected to Distribution switch 1, and port 24 will be connected to Distribution switch 2

Lab: Configure Uplink Ports
1. Select Ports 23 and 24
Select ports that will be used to connect to the distribution layer switches
Select port 23, and 24
Click Configure

Lab: Configure Uplink Ports
2. Assign port policy and save
For choose port type, select the 802.1Q trunk that you created previously: Trunk-X
Click OK
Ports 23 and 24 should now be the same color as the other Trunk ports

Lab: Configure Uplink Ports
3. Save your Network Policy
From the Configure Interfaces & User Access bar, click Save

CONFIGURE PORTS FOR APS


Lab Infrastructure: Configure PoE Ports for APs
[Diagram: ESXi Server and HMOL at the Core; Distribution switches; Access SR2024 with PoE ports to APs and IP Phones]
Configure two of the PoE ports for APs
Use Port 1 and 2 for APs
NOTE: For class there is an AP connected to port 1 of every switch

Lab: Configure Access Point ports
1. Select ports 1 and 2
Select ports that will be used to connect to APs
NOTE: The first 8 ports on an SR2024 provide power
Select port 1, and 2
Click Configure

Lab: Configure Access Point ports
2. Create Trunk Policy
Click New
Name: AP-Trunk-X
Port Type: 802.1Q
QoS Classification: Trusted Traffic Source, Map to DSCP or 802.1p
Note: This means we are trusting the upstream network infrastructure markings
QoS Marking: Map Aerohive.. Map to DSCP or 802.1p
Click Save

Lab: Configure Access Point ports
3. Assign AP-Trunk Policy to ports 1 and 2
Ensure that AP-Trunk-X is selected
Click OK
Port 1 and 2 will now display an 802.1Q trunk icon, but this time a power symbol appears as well because ports 1 through 8 can provide power
Notice that Ports 1 and 2 are a different color because there is a different port policy than the other ports

Lab: Configure Access Point ports
3. Save your Network Policy
From the Configure Interfaces & User Access bar, click Save

CONFIGURE POWER SOURCING EQUIPMENT (PSE) PORTS FOR POWER OVER ETHERNET (POE)

PoE Overview

PoE standards define the capabilities of the power sourcing equipment (PSE) and the powered device (PD).
The PSE is an Aerohive switch. Aerohive access points would be considered PDs.
The 802.3af PoE standard defines 15.4 Watts from the PSE
All 802.11n Aerohive APs will work with 802.3af; CAT5e cabling or better is required.
The maximum draw of an Aerohive AP-330 is 14.95 Watts.

PoE Overview

The 802.3at standard (PoE+) defines 32 Watts from the PSE
The 802.11ac Aerohive AP230 is fully functional using 802.3af
However, the older 802.11ac Aerohive APs (AP370 and AP390) require PoE+ for full functionality
The AP370 and AP390 will function with 802.3af PoE; however, the 80 MHz channel capability is restricted.

PoE Power Budgets

SR2024P: 24 PoE+ ports (195 W)
SR2124P: 24 PoE+ ports (408 W)
SR2148P: 48 PoE+ ports (779 W)

Careful PoE power budget planning is a must.
Access points will randomly reboot if a power budget has been exceeded and the APs cannot draw their necessary power.
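The budget planning the slide calls for, as an added example (it is not part of the course material or an Aerohive tool): a small PoE budget check that hands the switch budget out in priority order and reports which ports would be left without power. The per-model budgets, the 802.3af 15.4 W figure and the AP-330 draw are the slide's numbers; the port names, the priority allocation order and the sample port profiles are assumptions made for the example.

```python
"""PoE power-budget check, added as an illustration (not from the Aerohive
course material). Switch budgets, the 802.3af 15.4 W figure and the AP-330
draw come from the slides; port names, the priority allocation order and the
sample port profiles are assumptions made for this example."""
from dataclasses import dataclass

# Per-model PSE budgets in watts, as listed on the "PoE Power Budgets" slide.
SWITCH_BUDGET_W = {"SR2024P": 195, "SR2124P": 408, "SR2148P": 779}
DOT3AF_PSE_W = 15.4       # 802.3af power from the PSE (slide figure)
AP330_MAX_DRAW_W = 14.95  # AP-330 maximum draw (slide figure)

# Power priority as offered in the PSE profile: critical beats high beats low.
PRIORITY_RANK = {"critical": 0, "high": 1, "low": 2}


@dataclass
class PsePort:
    name: str       # e.g. "Eth1/1" (lab naming)
    limit_mw: int   # configured Power Limit, e.g. 15400 mW for an 802.3af profile
    priority: str   # "low", "high" or "critical"


def af_ports_supported(model: str) -> int:
    """How many ports can draw a full 802.3af 15.4 W at once within the budget."""
    return int(SWITCH_BUDGET_W[model] // DOT3AF_PSE_W)


def ap330_fits_af(limit_mw: int = 15400) -> bool:
    """An AP-330 fits an 802.3af port only if its max draw is within the limit."""
    return AP330_MAX_DRAW_W * 1000 <= limit_mw


def plan_power(model: str, ports: list) -> dict:
    """Hand out the budget in priority order and report the ports left without
    power. Allocation model (assumed): critical first, then high, then low;
    within a priority, lower port numbers first. A shed port is one whose PD
    could brown out and reboot, which is the failure the slide warns about."""
    remaining = float(SWITCH_BUDGET_W[model])
    ordered = sorted(
        ports, key=lambda p: (PRIORITY_RANK[p.priority], int(p.name.split("/")[-1])))
    powered, shed = [], []
    for p in ordered:
        need_w = p.limit_mw / 1000.0
        if need_w <= remaining:
            remaining -= need_w
            powered.append(p.name)
        else:
            shed.append(p.name)
    return {"budget_w": SWITCH_BUDGET_W[model], "remaining_w": round(remaining, 2),
            "powered": powered, "shed": shed}


def lab_ports() -> list:
    """Constructed sample: ports 1-2 on af-high (15400 mW) as in the lab, ports
    3-8 as phone ports at an assumed 7000 mW low-priority limit."""
    aps = [PsePort(f"Eth1/{n}", 15400, "high") for n in (1, 2)]
    phones = [PsePort(f"Eth1/{n}", 7000, "low") for n in range(3, 9)]
    return aps + phones


def oversubscribed_ports() -> list:
    """Constructed sample: all 24 ports configured as 802.3af critical."""
    return [PsePort(f"Eth1/{n}", 15400, "critical") for n in range(1, 25)]


if __name__ == "__main__":
    print(plan_power("SR2024P", lab_ports()))
    print(plan_power("SR2024P", oversubscribed_ports()))
```

Running the oversubscribed sample against the SR2024P budget shows why the slide insists on planning: only 12 of 24 ports get a full 802.3af allocation, and the rest are the ones whose APs would reboot under load.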

Lab: Configure PoE ports

1. Select additional port settings
The Additional Port Settings link is available if no ports are currently selected
Select Additional Port Settings to configure:
Port Channel Load-Balance Mode Settings
PoE port (PSE) Settings

Lab: Configure PoE ports

2. Aggregate channel settings
For Port Channel Load-Balance Mode, select the headers in a frame that will be used in creating a hash to determine which port a frame should egress
NOTE: If you are testing a single client, especially for a demo, the more fields you use, the better your opportunity to egress multiple ports
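The note above, as an added example (not the course's code and not the switch's actual hash function): a model of header hashing that shows why a single demo client only spreads across both members of an aggregate when the chosen mode includes fields that actually differ between its frames. The mode names and header field names are assumptions for the model.

```python
"""Port-channel load-balance hashing, added as an illustration (not the
Aerohive course's own code or the switch's real hash). It models the slide's
point: the hash over the chosen frame headers picks the egress member, so a
single client only spreads across members when the chosen fields vary."""
import hashlib

# Header fields a load-balance mode can include (names assumed for the model).
L2_MODE = ("src_mac", "dst_mac")
L3_MODE = ("src_mac", "dst_mac", "src_ip", "dst_ip")
L4_MODE = ("src_mac", "dst_mac", "src_ip", "dst_ip", "proto", "src_port", "dst_port")


def egress_member(frame: dict, mode: tuple, members: int) -> int:
    """Return the index of the aggregate member the frame egresses on.

    The selected header values are concatenated and hashed; the hash modulo
    the member count picks the port. Fields missing from a frame (e.g. no L4
    ports on an ICMP frame) hash as empty, so such frames still get a member."""
    key = "|".join(f"{field}={frame.get(field, '')}" for field in mode)
    digest = hashlib.sha256(key.encode()).digest()
    return int.from_bytes(digest[:4], "big") % members


def members_used(frames: list, mode: tuple, members: int = 2) -> set:
    """Set of member indexes touched by a flow sample under the given mode."""
    return {egress_member(f, mode, members) for f in frames}


def single_client_sample() -> list:
    """Constructed sample: one demo laptop talking to one server over 64 TCP
    connections, so only the source port differs between frames."""
    return [{"src_mac": "00:11:22:33:44:55", "dst_mac": "66:77:88:99:aa:bb",
             "src_ip": "10.5.10.20", "dst_ip": "10.5.1.10", "proto": 6,
             "src_port": 49152 + n, "dst_port": 443} for n in range(64)]


if __name__ == "__main__":
    frames = single_client_sample()
    for name, mode in (("L2", L2_MODE), ("L3", L3_MODE), ("L4", L4_MODE)):
        print(name, sorted(members_used(frames, mode)))
```

With the L2 or L3 mode every frame of the single client hashes identically and lands on one member; only the L4 mode, which includes the varying source port, uses both members. The same logic explains why a many-client production load balances fine even in L2 mode.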

Lab: Configure PoE ports

3. PSE settings
Expand PSE Settings
Because only the first two ports have been configured, you will only have the ability to configure PSE (Provides PoE) on the first two ports
Next to Eth1/1, click +

Lab: Configure PoE ports

4. PSE settings
Note: The default PoE port setting is 802.3at (PoE+)
Name: af-high-X
Power Mode: 802.3af
Power Limit: 15400 mW
Priority: high (power priority can be low, high or critical)

Lab: Configure PoE ports

5. PSE settings
Assign Eth1/1 and Eth1/2 to: af-high-X
Save
NOTE: You will only see the interfaces (ports) that have been assigned to a port type

Lab: Configure PoE ports

6. Save your Network Policy
From the Configure Interfaces & User Access bar, click Save

CONFIGURE PORTS FOR IP PHONES

Lab Infrastructure

Configure PoE Ports for IP Phones
[Diagram: lab topology: ESXi Server (HMOL) at the Core, Distribution layer, Access layer SR2024 PoE switch with APs and IP Phones attached]
Configure 6 of the PoE ports for IP Phones
Use Port 3 - 8 for IP Phones

CONFIGURE PHONE PORTS IN SWITCH DEVICE TEMPLATE

Lab: Configure PoE ports for IP phones

1. Select ports 3-8
Select ports that will be used to connect to IP Phones
NOTE: The first 8 ports on an SR2024 provide power
Select port 3, 4, 5, 6, 7, and 8 (Yes, you can multi-select)
Click Configure

Lab: Configure PoE ports for IP phones

2. Phone & Data ports
Click New

Lab: Configure PoE ports for IP phones

3. Phone & Data ports
Name: Phone-and-Data-X
Port Type: Phone & Data
Check Primary authentication using: MAC via PAP
QoS Classification: Trusted Traffic Sources (map to DSCP or 802.1p)
Note: This means we are trusting the upstream network infrastructure markings
QoS Marking: Map Aerohive.. (map to DSCP or 802.1p)
Click Save

Lab: Configure PoE ports for IP phones

4. Phone & Data ports
For Choose Port Type, select Phone-and-Data-X
Click OK
Ports 3-8 will now display with a phone icon

Lab: Configure PoE ports for IP phones

5. Save your network policy
From the Configure Interfaces & User Access bar, click Save

CONFIGURE PORTS FOR OPEN GUEST ACCESS

Lab Infrastructure

Configure Ports for Employee Computer Access
[Diagram: lab topology: ESXi Server (HMOL) at the Core, Distribution layer, Access layer SR2024 PoE switch with APs, Guest Computers and IP Phones attached]
Configure 2 of the switch ports for open access (switch ports are in a secured room for testing purposes)
Use Port 9 and 10

Lab: Configure Open Guest Ports

1. Select ports 9 and 10
Select ports that will be used to connect to guest computers
Select port 9 and 10
Click Configure

Lab: Configure Open Guest Ports

2. Create access port
Click New

Lab: Configure Open Guest Ports

3. Create access port
Name: Guest-X
Port Type: Access
Most likely you will not be trusting the DSCP settings on guest devices, so click Untrusted Traffic Sources
There is no need to mark the traffic for QoS marking
Click Save

Lab: Configure Open Guest Ports

4. Assign access port policy
For Choose Port Type, select Guest-X
Click OK
Ports 9 and 10 will now display with a world icon

Lab: Configure Open Guest Ports

5. Save your network policy
From the Configure Interfaces & User Access bar, click Save

CONFIGURE PORTS FOR SECURE EMPLOYEE ACCESS WITH 802.1X
For switch ports in a secure location

Lab Infrastructure

Configure Ports for Employee Computer Access
[Diagram: lab topology: ESXi Server (HMOL) at the Core, Distribution layer, Access layer SR2024 PoE switch with APs, Employee Computers (802.1X) and IP Phones attached]
Configure six of the switch ports for 802.1X authentication
Use Ports 11-16

Lab: Configure Secure Access Ports

1. Select ports 11 - 16
Select ports that will be used to connect to employee computers that support 802.1X
Select port 11, 12, 13, 14, 15, 16
Click Configure

Lab: Configure Secure Access Ports

2. Create secure port policy
Click New

Lab: Configure Secure Access Ports

3. Create secure port policy
Name: Secure-X
Port Type: Access
Check the box for: Primary Authentication using 802.1X
Uncheck Allow multiple hosts (same VLAN)
For the ability to preserve markings on PCs for softphones or other important applications, select QoS Classification: Trusted Traffic Sources
Check the box for QoS Marking: Map Aerohive QoS
Select DSCP or 802.1p depending on the upstream switch architecture
Click Save

Lab: Configure Secure Access Ports

4. Assign secure port policy
For Choose Port Type, select Secure-X
Click OK
Ports 11-16 will now display with a world icon

Lab: Configure Secure Access Ports

5. Save your network policy
From the Configure Interfaces & User Access bar, click Save

CONFIGURE MIRROR PORTS

Lab: Configure Mirror Ports

1. Select ports 21 - 22
Select ports that will be used for port mirroring
Select ports 21 and 22
Click Configure

Lab: Configure Mirror Ports

2. Create mirror port policy
Click New
Name: Mirror-X
Port Type: Mirror
Click Save

Lab: Configure Mirror Ports

3. Assign mirror port policy
For Choose Port Type, select Mirror-X
Click OK
Check Port-Based
Note: VLAN-Based port mirroring can only be enabled on a single port

Lab: Configure Mirror Ports

4. Choose ports to mirror
For Eth1/21, Egress, click Choose
Select Eth1/1 and click OK
For Eth1/22, Ingress, click Choose
Select Eth1/12 and click OK

Lab: Configure Mirror Ports

5. Verify and save mirror port policy
All downstream traffic destined for the WLAN clients of the Aerohive AP on port Eth1/1 will be mirrored to port Eth1/21.
All upstream traffic destined for the network from the host on Eth1/12 will be mirrored to port Eth1/22.
Click Save

Lab: Configure Mirror Ports

6. Verify and save mirror port policy
Ports 21 and 22 will now display a magnifying glass icon.

Lab: Configure Mirror Ports

7. Save your network policy
From the Configure Interfaces & User Access bar, click Save

GENERAL DEVICE TEMPLATE INFO

General Port Template Info

If you have more than one port selected, you can clear port selections here so you do not have to click all the selected ports to deselect them.

General Port Template Info

If you move your mouse over one of the defined ports, an option appears to select all ports using this port type (callout: Click Here).

CONFIGURE PORT TYPES
Guest Access

Lab: Configure Ports - Guest Access

1. Port Types
Configure the authentication, user profile, and VLAN information for the port types defined in the device templates

Lab: Configure Ports - Guest Access

2. Create user profile
Similar to SSIDs, you need to configure User Profiles (user policy) for the access ports
For your Guest-X port type, under User Profile click Add/Remove
Click New

Lab: Configure Ports - Guest Access

3. Assign VLAN
User profiles are used to assign policy to devices connected to the network.
NOTE: Switches use the VLAN in a user profile. Switches functioning as routers use the VLAN, but may also make layer 3 firewall and policy-based routing decisions based on the user profile. In either case, user profile information is carried with user information throughout an Aerohive network infrastructure.
Name: Guest-X
Attribute: 100
Default VLAN: 8
Click Save
The optional settings are utilized when the user profile is enforced on an AP. The switch, because it is forwarding packets at line speed in silicon, does not utilize the optional settings. If the switch is configured to be a branch router, the user profile is used for decisions in layer 3 firewall policies, IPSec VPN policies, and identity-based routing.

Lab: Configure Ports - Guest Access

4. Save user profile
Ensure Guest-X is selected
Click Save
Verify your settings

Lab: Configure Ports - Guest Access

5. Save your network policy
From the Configure Interfaces & User Access bar, click Save

CONFIGURE PORT TYPES
Employee Access Secured with 802.1X

Lab: Configure Ports - Secure Access

1. Configure RADIUS
Configure the RADIUS server for the ports secured with 802.1X
For your Secure-X port type, under Authentication click <RADIUS Settings>
Click New

Lab: Configure Ports - Secure Access

2. Configure RADIUS
Define the external RADIUS server settings
RADIUS name: RADIUS-X
IP address: 10.5.1.10
Shared Secret: aerohive123
Confirm Secret: aerohive123
Click Apply!!
Click Save

Lab: Configure Ports - Secure Access

3. Configure user profile
Assign user profiles to the secure 802.1X ports
Next to your Secure-X port type, under User Profile click Add/Remove

Port Types

There are three user profile assignment methods:
1. (Auth) Default: If a client authenticates successfully, but no user profile attribute is returned, or if a user profile attribute is returned matching the default user profile selected
2. Auth OK: If a client authenticates successfully, and a user profile attribute is returned, it must match one of the selected user profiles you select here

Lab: Configure Ports - Secure Access

4. Configure default user profile
Define the Default User Profile, assigned if a client authenticates successfully but no user profile attribute is returned, or if a user profile attribute is returned matching the default user profile selected
Select the Default tab
Select the user profile: Employee-Default(1)
Created by the instructor
Assigns VLAN 1

Lab: Configure Ports - Secure Access

5. Configure Auth OK user profile
Define a user profile for Auth OK: if a client authenticates successfully, and a user profile attribute is returned, it must match one of the selected user profiles you select here.
You can have up to 63 Auth OK user profiles.
Select the Auth OK tab
Select Employee

Lab: Configure Ports - Secure Access

6. Configure Auth Fail user profile
Define a user profile for Auth Fail: if a client fails authentication several times, assign the Auth Fail user profile
Select Auth Fail
Select Guest-X(100)
Assigns VLAN 8
Verify the Default, Auth OK, and Auth Fail settings one more time
Click Save

Lab: Configure Ports - Secure Access

7. Verify settings
Verify the settings

Lab: Configure Ports - Secure Access

8. Save your network policy
From the Configure Interfaces & User Access bar, click Save

PHONE & DATA PORTS WITH NO AUTHENTICATION

Phone & Data Port Type With Open Access

[Diagram: SR2024 switch port assigned to a Phone & Data port type, connected to an IP Phone with a data device behind it; Phone & Data uses 802.1Q]
Switch Port is assigned to a Phone & Data Port Type
For this example, no authentication is selected in Phone & Data

Phone & Data Port Type With Open Access

[Diagram: SR2024 switch port, IP Phone and data device; Phone & Data uses 802.1Q; LLDP assigns the phone to the tagged Voice VLAN]
Note: For default data, only the VLAN is used, not the user profile
You can then select a Default Voice, and Default Data user profile
The Phone & Data port is an 802.1Q port
The Phone VLAN will be tagged and sent to the IP phone via LLDP-MED
The switch port will assign the Data VLAN as the native VLAN
This way, the phone traffic is tagged, and data traffic is untagged

CLI Commands for Phone & Data Port without Authentication

interface eth1/3 switchport mode trunk
interface eth1/3 switchport user-profile-attribute 2
interface eth1/3 switchport trunk native vlan 10
interface eth1/3 switchport trunk voice-vlan 2
interface eth1/3 switchport trunk allow vlan 2
interface eth1/3 switchport trunk allow vlan 10
interface eth1/3 qos-classifier Phone-and-Net-2
interface eth1/3 qos-marker Phone-and-Net-2
interface eth1/3 pse profile QS-PSE

PHONE & DATA PORTS WITH 802.1X/PEAP AUTHENTICATION OR MAC AUTHENTICATION

Phone & Data Port Type With 802.1X/PEAP or MAC Authentication

[Diagram: RADIUS Server; the phone policy returns the Cisco AV Pair device-traffic-class=voice plus a user profile and/or VLAN; the data (Employee) policy returns a user profile and/or VLAN. SR2024 switch port to an IP Phone with an employee data device behind it; Phone & Data uses 802.1Q and 802.1X]
Switch Port is assigned to a Phone & Data Port Type
For this example, 802.1X authentication is selected in Phone & Data

Phone & Data Port Type With 802.1X/PEAP

[Diagram: RADIUS Server; the phone policy returns the Cisco AV Pair device-traffic-class=voice plus a user profile and/or VLAN; the data (Employee) policy returns a user profile and/or VLAN. SR2024 switch port to an IP Phone with an employee data device behind it; Phone & Data uses 802.1Q and 802.1X]
You can connect a single client, or multiple clients behind an IP phone data port
Phones and clients authenticate independent of each other, and the order in which they authenticate does not matter
However, the VLAN assigned to the first data device (Employee) that authenticates is assigned as the data VLAN; all other devices will be assigned to the same VLAN, even if they have different user profiles with other VLANs assigned, or even if RADIUS returns a different VLAN.

Phone & Data Port Type With Primary and Secondary Authentication

[Diagram: RADIUS Server; the phone policy returns the Cisco AV Pair device-traffic-class=voice plus a user profile and/or VLAN; the data (Employee) policy returns a user profile and/or VLAN. SR2024 switch port to an IP Phone with an employee data device behind it; Phone & Data uses 802.1Q and 802.1X]
If a secondary authentication is used and the first authentication is not available, or fails three times, the second authentication will be tried

CLI Commands for Phone & Data Port with 802.1X

security-object Phone-and-Data-2
security-object Phone-and-Data-2 security aaa radius-server primary 10.250.1.1 shared-secret ***
security-object Phone-and-Data-2 security protocol-suite 802.1x
security-object Phone-and-Data-2 default-user-profile-attr 1
security-object Phone-and-Data-2 security auth-mode host-based multiple-domain
interface eth1/3 security-object Phone-and-Data-2
interface eth1/3 switchport mode trunk
interface eth1/3 switchport user-profile-attribute 1
interface eth1/3 qos-classifier Phone-and-Data-2
interface eth1/3 qos-marker Phone-and-Data-2
interface eth1/3 pse profile QS-PSE
no interface eth1/3 spanning-tree enable
no interface eth1/3 link-discovery cdp receive enable
user-profile Default qos-policy def-user-qos vlan-id 1 attribute 1
user-profile Employee-2 qos-policy def-user-qos vlan-id 10 attribute 10
user-profile Voice-2 qos-policy def-user-qos vlan-id 2 attribute 2
user-profile Guest-2 qos-policy def-user-qos vlan-id 8 attribute 100

CLI Commands for Phone & Data Port with MAC AUTH

security-object Phone-and-Data-2
security-object Phone-and-Data-2 security aaa radius-server primary 10.250.1.1 shared-secret ***
security-object Phone-and-Data-2 security additional-auth-method mac-based-auth
security-object Phone-and-Data-2 default-user-profile-attr 1
security-object Phone-and-Data-2 security auth-mode host-based multiple-domain
security-object Phone-and-Data-2 security initial-auth-method mac-based-auth
interface eth1/3 security-object Phone-and-Data-2
interface eth1/3 switchport mode trunk
interface eth1/3 switchport user-profile-attribute 1
interface eth1/3 qos-classifier Phone-and-Data-2
interface eth1/3 qos-marker Phone-and-Data-2
interface eth1/3 pse profile QS-PSE
no interface eth1/3 spanning-tree enable
no interface eth1/3 link-discovery cdp receive enable
user-profile Default qos-policy def-user-qos vlan-id 1 attribute 1
user-profile Employee-2 qos-policy def-user-qos vlan-id 10 attribute 10
user-profile Voice-2 qos-policy def-user-qos vlan-id 2 attribute 2
user-profile Guest-2 qos-policy def-user-qos vlan-id 8 attribute 100

CONFIGURING NPS FOR PHONE AND EMPLOYEE AUTHENTICATION WITH 802.1X/PEAP
Overview

Configure NPS for Phone & Data Authentication

Create a network policy for voice
Enter a name for the voice policy, and click Next
Click Add to specify a condition
Select Windows Groups
Click Add
Click Add Groups
A voice group was created by IT for IP phones: enter voice and click OK
Click OK
Click Next
Select Access granted
Click Add
Select Microsoft: Protected EAP (PEAP)
Click OK
Click Next
For constraints, click Next
Remove attributes that are not needed:
Select Framed-Protocol, and click Remove
Select Service-Type, and click Remove
Add the three attribute value pairs needed to assign a user profile:
Tunnel-Medium-Type: IP v4 (value found in the Others section)
Tunnel-Type: Generic Route Encapsulation (GRE)
Tunnel-Pvt-Group-ID: (String) 2
2 is the voice user profile in this case
Click Next
Under RADIUS Attributes, select Vendor Specific

RETURN A CISCO AV PAIR TO LET THE AEROHIVE SWITCH KNOW WHICH USER PROFILE SHOULD BE ASSIGNED AS THE VOICE USER PROFILE

Configure NPS for Phone & Data Authentication

In order for a switch to know a specific user profile is for voice, Aerohive devices can accept the Cisco AV Pair: device-traffic-class=voice. This is sent to the switch, and the switch uses LLDP to send the voice VLAN to any phone that supports LLDP-MED
Under RADIUS Attributes, select Vendor Specific
Click Add

Configure NPS for Phone & Data Authentication

Under Vendor, select Cisco
Click Add
Click Add again
Attribute value: device-traffic-class=voice
Click OK
Click OK
Click Close (The value does not show up on this screen. Do not worry, it is there.)
Click OK
Click OK
Click Next
Click Finish

DEFINE CLIENT ACCESS

CLI Commands for Phone & Data Port without Authentication

Create a new policy for employee access
Policy name: Wireless or Wired Employee Access
For the condition, select the Windows group that contains your employees
Add the three attribute value pairs needed to assign a user profile:
Tunnel-Medium-Type: IP v4 (value found in the Others section)
Tunnel-Type: Generic Route Encapsulation (GRE)
Tunnel-Pvt-Group-ID: (String) 10
10 is the voice user profile in this case
Click Next
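The two NPS policies above return the same three tunnel attributes (with group ID 2 for voice and 10 for employees) and, for voice only, the Cisco AV pair. The following is an added example, not Aerohive's or Microsoft's code: it encodes those attributes as they appear on the wire in a RADIUS Access-Accept and decodes them the way a switch would, so you can check what a policy actually returns. The attribute numbers are the RFC 2865/2868 and Cisco values; the tag handling and the decoder's strictness about malformed lengths are choices made for this example.

```python
"""RADIUS Access-Accept attribute encoding and parsing, added as an
illustration (not Aerohive's or Microsoft's code). It builds the attributes
the NPS policies return (Tunnel-Medium-Type, Tunnel-Type, Tunnel-Pvt-Group-ID
and the Cisco AV pair) and decodes them the way a switch would. Attribute and
vendor numbers are the RFC 2865/2868 and Cisco values; tag handling and the
decoder's strictness are this example's choices."""
import struct

ATTR_VENDOR_SPECIFIC = 26          # RFC 2865
ATTR_TUNNEL_TYPE = 64              # RFC 2868
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_GRE = 10               # "Generic Route Encapsulation (GRE)" on the slide
TUNNEL_MEDIUM_IPV4 = 1             # "IP v4" on the slide
CISCO_VENDOR_ID = 9
CISCO_AVPAIR_SUBTYPE = 1           # cisco-avpair
VOICE_AVPAIR = b"device-traffic-class=voice"


def _attr(attr_type: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tunnel_integer(attr_type: int, value: int, tag: int = 0) -> bytes:
    """Tagged integer: one tag byte followed by a 3-byte value (RFC 2868)."""
    return _attr(attr_type, bytes([tag]) + struct.pack("!I", value)[1:])


def tunnel_string(attr_type: int, value: str, tag: int = 0) -> bytes:
    return _attr(attr_type, bytes([tag]) + value.encode())


def cisco_avpair(text: bytes) -> bytes:
    sub = struct.pack("!BB", CISCO_AVPAIR_SUBTYPE, len(text) + 2) + text
    return _attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def build_accept_attrs(user_profile_attr: int, voice: bool) -> bytes:
    """What the voice policy (attr 2, voice=True) or the employee policy
    (attr 10, voice=False) puts in the Access-Accept."""
    attrs = (tunnel_integer(ATTR_TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IPV4)
             + tunnel_integer(ATTR_TUNNEL_TYPE, TUNNEL_TYPE_GRE)
             + tunnel_string(ATTR_TUNNEL_PRIVATE_GROUP_ID, str(user_profile_attr)))
    if voice:
        attrs += cisco_avpair(VOICE_AVPAIR)
    return attrs


def _strip_tag(value: bytes) -> bytes:
    # A leading byte of 0x00-0x1F is a tag; anything larger is data (RFC 2868).
    if not value:
        raise ValueError("empty tunnel attribute")
    return value[1:] if value[0] <= 0x1F else value


def parse_accept_attrs(data: bytes) -> dict:
    """Walk the attribute list and pull out what the switch acts on: the user
    profile attribute and whether the voice AV pair is present. Malformed
    lengths raise instead of being skipped, so a truncated reply is rejected."""
    out = {"tunnel_medium": None, "tunnel_type": None,
           "user_profile_attr": None, "voice": False}
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        value = data[i + 2:i + length]
        i += length
        if attr_type == ATTR_TUNNEL_MEDIUM_TYPE:
            out["tunnel_medium"] = int.from_bytes(_strip_tag(value), "big")
        elif attr_type == ATTR_TUNNEL_TYPE:
            out["tunnel_type"] = int.from_bytes(_strip_tag(value), "big")
        elif attr_type == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            out["user_profile_attr"] = _strip_tag(value).decode()
        elif attr_type == ATTR_VENDOR_SPECIFIC and len(value) >= 4:
            if int.from_bytes(value[:4], "big") != CISCO_VENDOR_ID:
                continue
            j = 4
            while j < len(value):
                if j + 2 > len(value):
                    raise ValueError("truncated VSA header")
                sub_type, sub_len = value[j], value[j + 1]
                if sub_len < 2 or j + sub_len > len(value):
                    raise ValueError("bad VSA length")
                if sub_type == CISCO_AVPAIR_SUBTYPE and value[j + 2:j + sub_len] == VOICE_AVPAIR:
                    out["voice"] = True
                j += sub_len
    return out
```

The decoder only reports the AV pair as present when it arrives inside a Vendor-Specific attribute with Cisco's vendor ID, which is also why the NPS wizard has you pick Cisco under Vendor before adding the value.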

CONFIGURE PORT TYPES
Phone and Data

Lab: Configure Ports - Phone & Data

1. Configure RADIUS
Configure the RADIUS server for the ports secured with 802.1X
For your Phone-and-Data-X port type, under Authentication click <RADIUS Settings>
Select RADIUS-X, which is an external Microsoft NPS RADIUS server
Click OK
Port Types

Assign user profiles to your 802.1X ports
For your Phone-and-Data-X port type, under User Profile click Add/Remove

Port Types (Reminder)

Must Verify
There are three user profile settings:
1. Default: Default for data if no user profile attribute is returned, or a user profile attribute is returned and matches the user profile configured here
2. Auth OK (Voice): If a client authenticates successfully, and a user profile attribute is returned matching a selected user profile, and the Cisco AV Pair is also returned
3. Auth OK (Data): Client passes authentication, and a user profile attribute is

Lab: Configure Ports - Phone & Data

2. Configure user profile Auth OK (Voice)
Click Auth OK (Voice)
Click New

3. Configure user profile Auth OK (Voice) VLAN
User profiles are used to assign policy to devices connected to the network.
Name: Voice-X
Attribute: 2
Default VLAN: 2
Click Save

4. Configure user profile Auth OK (Voice)
For the Auth OK (Voice) tab, select: Voice-X(2)
Assigns VLAN 2

5. Configure user profile Default
Assign the Default user profile:
Select the Default tab
Select Employee-Default(1)
Assigns VLAN 1

6. Configure user profile Auth OK (Data)
Define a user profile for Auth OK (Data) for clients connected through an IP Phone
Select Auth OK (Data)
Select Employee-X(10)
Assigns VLAN 10
Verify the Default, Auth OK (Voice), and Auth OK (Data) settings one more time
Click Save

7. Verify your settings
Verify the settings

8. Save your network policy
From the Configure Interfaces & User Access bar, click Save

CONFIGURE 802.1Q TRUNK PORTS

Lab: Configure Trunk Ports

1. Configure AP-Trunk-X port policy VLANs
Define the allowed VLANs on a trunk port
Next to AP-Trunk-X click Add/Remove
Add the specific VLANs: 1,2,8,10
Click OK

2. Configure Trunk-X port policy VLANs
Define the allowed VLANs on a trunk port
Next to Trunk-X click Add/Remove
Type all
Click OK

3. Verify your settings
Verify Settings

Lab: Configure Ports - Phone and Data

8. Save your network policy and continue
From the Configure Interfaces & User Access bar, click Save

UPDATE DEVICES

Lab: Update Devices

1. Modify your AP
From the Configure & Update Devices section, modify your AP specific settings
Click the Name column to sort the APs
Click the link for your AP: 0X-A-######

2. Update the configuration of your Aerohive AP
Location: <FirstName_LastName>
Topology Map: Classroom
Network Policy: Access-X
Note: Leave this set to default so you can see how it is automatically set to your new network policy when you update the configuration.
Set the power down to 1 dBm on both radios because the APs are stacked in a rack in the data center
2.4GHz (wifi0) Power: 1
5GHz (wifi1) Power: 1
Click Save

3. Select AP and switch
Select your AP and switch and click Update
Click Yes

4. Update the AP and switch
Select Update Devices
Select Perform a complete configuration update for all selected devices
Click Update
For this class, ALL updates should be Complete configuration updates

5. Update the AP and switch
Should the Reboot warning box appear, select OK
Click OK

QUESTIONS?

CREATE AN AEROHIVE DEVICE DISPLAY FILTER

Lab: Create a Display Filter from Monitor View

1. Create a filter
To create a display filter, go to Monitor > Filter and select +
Network Policy, select: Access-X
Remember this Filter, type: Access-X
Click Search

2. Verify the display filter

QUESTIONS?

TEST YOUR WI-FI CONFIGURATION USING THE HOSTED PC

Lab: Test Hosted Client Access to SSID

Test SSID Access at Hosted Site
[Diagram: Core, Internet, ESXi Server (HM VA), Distribution, Access layer SR2024 PoE switch and AP; the Hosted PC has an Ethernet connection to the switch and a Wi-Fi connection to the AP]
Use VNC client to access Hosted PC: password: aerohive
From the hosted PC, you can test connectivity to your SSID

Lab: Test Hosted Client Access to SSID

1. For Windows: Use TightVNC client
If you are using a Windows PC, use TightVNC
TightVNC has good compression, so please use this for class instead of any other application
Start TightVNC
For Lab 1: lab1-pcX.aerohive.com
For Lab 2: lab2-pcX.aerohive.com
For Lab 3: lab3-pcX.aerohive.com
For Lab 4: lab4-pcX.aerohive.com
For Lab 5: lab5-pcX.aerohive.com
Select Low-bandwidth connection
Click Connect
Password: aerohive.
Click OK

Lab: Test Hosted Client Access to SSID

2. For Mac: Use the RealVNC client
If you are using a Mac, use RealVNC
RealVNC has good compression, so please use this for class instead of any other application
Start RealVNC
For Lab 1: lab1-pcX.aerohive.com
For Lab 2: lab2-pcX.aerohive.com
For Lab 3: lab3-pcX.aerohive.com
For Lab 4: lab4-pcX.aerohive.com
For Lab 5: lab5-pcX.aerohive.com
Click Connect
Password: aerohive.
Click OK

Lab: Test Hosted Client Access to SSID

3. In case the PCs are not logged in
If you are not automatically logged in to your PC:
If you are using the web browser client, click the button to Send Ctrl-Alt-Del
If you are using the TightVNC client, click the button to send a control alt delete
Login: AH-LAB\user
Password: Aerohive1
Click the right arrow to login

Lab: Test Hosted Client Access to SSID

4. Remove any Wireless Networks on Hosted PC
From the bottom task bar, click the locate wireless networks icon
Select Open Network and Sharing Center
Click Manage wireless Networks
Select a network, then click Remove
Repeat until all the networks are removed
Click [x] to close the window

Lab: Test Hosted Client Access to SSID

5. Connect to Your Class-PSK-X SSID
Single-click the wireless icon on the bottom right corner of the Windows task bar
Click your SSID: Class-PSK-X
Click Connect
Security Key: aerohive123
Click OK

Lab: Test Hosted Client Access to SSID

6. View Active Clients List
Go to Monitor > Clients > Wireless Clients and locate your PC's entry
After associating with your SSID, you should see your connection in the active clients list under Wireless Clients
Your IP address should be from the 10.5.10.0/24 network, which is from VLAN 10

QUESTIONS?

TESTING SWITCH PORT CONNECTIONS WITH WINDOWS 7

Lab: Test Hosted Client to Wired Network
Test Guest and 802.1X Access

(Lab topology diagram: Internet, Core, Distribution and Access layers; ESXi Server running the HM VA; SR2024 PoE switch; AP; Hosted PC attached by Ethernet and Wi-Fi)
Use VNC client to access Hosted PC: password: aerohive
From the hosted PC, you can test connectivity to your SSID

Three Different VLANs are Possible

In this configuration:
Default: authentication succeeds and RADIUS does not return a user profile, or returns one that matches the default user profile
Auth OK: authentication succeeds and RADIUS returns a user profile that matches one of the user profiles configured here
Auth Fail: RADIUS authentication fails (Guest)

Lab: Test Hosted Client to Wired Network

1. Verify IP address of Ethernet adapter
Locate Local Area Connection 3
Right click
Click Status
Click Details

Lab: Test Hosted Client to Wired Network

2. Verify IP address of Ethernet adapter
Why do you see an IP from the 10.5.1.0/24 subnet?
This is the IP address the device received on VLAN 1 before the switch was configured

Lab: Test Hosted Client to Wired Network

3. Reset Ethernet Adapter
Because the PC has the wrong IP it will not work; you can remedy this by:
Right click on Local Area Connection 3
Click Diagnose
or
Disable then Enable Local Area Connection 3
Do NOT Disable Local Area Connection 2

Lab: Test Hosted Client to Wired Network

4. Verify IP address of Ethernet adapter
Locate Local Area Connection 3
Right click
Click Status
Click Details

Lab: Test Hosted Client to Wired Network

5. Verify IP address of Ethernet adapter
Why do you see an IP from the 10.5.8.0/24 subnet?
This is the guest network that is assigned if authentication is not supported or fails

Lab: Test Hosted Client to Wired Network

6. Verify VLAN of wired client
Go to Monitor > Clients > Wired Clients and locate your PC's entry
Note the IP, Client Auth Mode, User Profile Attribute and VLAN
VLAN 8 is the guest VLAN assigned because 802.1X authentication was not supported or failed. The host was assigned to the Auth Fail user profile.

Lab: Test Hosted Client to Wired Network

7. Enable 802.1X for wired clients
In Windows 7, you must enable 802.1X support
As an administrator, from the start menu type services
Then click Services

Lab: Test Hosted Client to Wired Network

8. Enable 802.1X for wired clients
Click the Standard tab at the bottom of the services panel
Locate Wired AutoConfig and right-click
Click Properties

Lab: Test Hosted Client to Wired Network

9. Enable 802.1X for wired clients
The Wired AutoConfig (DOT3SVC) service is responsible for performing IEEE 802.1X authentication on Ethernet interfaces
If your current wired network deployment enforces 802.1X authentication, the DOT3SVC service should be configured to run for establishing Layer 2 connectivity and/or providing access to network resources
Wired networks that do not enforce 802.1X authentication are

Lab: Test Hosted Client to Wired Network

10. Enable 802.1X for wired clients
Click Automatic
Click Start

Lab: Test Hosted Client to Wired Network

11. Enable 802.1X for wired clients
Click OK

Lab: Test Hosted Client to Wired Network

12. Verify IP address of Ethernet adapter
Locate Local Area Connection 3
Right click
Click Status
Click Details

Lab: Test Hosted Client to Wired Network

13. Verify IP address of Ethernet adapter
Why do you see an IP from the 10.5.10.0/24 subnet?
The user has authenticated with 802.1X/EAP and RADIUS is returning the user profile attribute: 10

Lab: Test Hosted Client to Wired Network

14. Verify authentication and VLAN of wired client
Go to Monitor > Clients > Wired Clients and locate your entry
Note the IP, Client Auth Mode, User Profile Attribute and VLAN
VLAN 10 is the employee VLAN assigned because 802.1X authentication was successful and the host was assigned to the Auth OK user profile.

For Reference: Switch CLI

SR04866380# show auth int eth1/12
Authentication Entities:
if=interface; UID=User profile group ID; AA=Authenticator Address;
if=eth1/12; idx=16; AA=08ea:4486:638c; Security obj=Secure2; default UID=1;
Protocol suite=802.1X; Auth mode=port based; Failure UID=100; Dynamic VLAN=10;

No.  Supplicant      UID  Life  State  Dev Type  User Name    Flag
0    000c:2974:aa8e  10   0     done   data      AH-LAB\user  4000b

Enable 802.1X for Wired Connections

If you need to troubleshoot, you can view Local Area Connection 3
From the start menu, type view network
Right-click Local Area Connection 3, and click Diagnose
This will reset the adapter, clear the caches, etc.

Clearing Authentication Cache
For Testing or Troubleshooting

From the Wired Clients list, you can select and Deauth a client
Clear all the caches for the client on the switch
Then on the hosted PC, you will need to disable then enable Local Area Connection 3 to force a reauth

MISC MONITORING

Switch Monitoring

Monitor > Switches
Click on the hostname of the switch

Switch Monitoring
Hover with your mouse over the switch ports

Switch Monitoring

System Details

Switch Monitoring
Port Details and PSE Details

Power Cycle Devices via PoE

To configure this feature for selected ports on a switch, navigate to Monitor > Switches in the Managed Devices tab, click the name of the switch, and scroll down to PSE Details.
Select the check box or boxes for the port or ports that you want to cycle, and then click Cycle Power.
This is useful in the event that an AP or multiple APs are locked up and need to be rebooted remotely. Bouncing the PoE port forces the AP to reboot.

Switch Monitoring
Monitor > Active Clients > Wired Clients
Add the User Profile Attribute column and move it up; it is useful

Switch Monitoring
Click on the MAC address for a wired client to see more information

Switch Monitoring
Utilities > Statistics > Interface

Switch Monitoring
Utilities > Diagnostics > Show PSE

VLAN Probe

Use VLAN Probe to verify VLANs and DHCP Service
Monitor > Switches, select your device, and go to Utilities > Diagnostic > VLAN probe

NOTE: If you get the same IP subnet for each of the VLANs, that is a sign that the switch uplink port is connected to an access port, not a trunk port like it should be.

Client Monitor
Tools > Client Monitor
Client Monitor can be used to troubleshoot 802.1X/EAP authentication for wired clients

Switch CLI
SR-02-66ec00#show interface switchport
Name: gigabitethernet1/1
Switchport: enable
Port Mode: access
Port Mirror: disable
Port User-profile ID: 0
Static Access VLAN: 1
Dynamic Auth VLAN: 0
Name: gigabitethernet1/2
Switchport: enable
Port Mode: access
Port Mirror: disable
Port User-profile ID: 10
Static Access VLAN: 10
Dynamic Auth VLAN: 0

Switch CLI

show client report client

GENERAL SWITCHING

Storm Control

Aerohive switches can mitigate traffic storms due to a variety of causes by tracking the source and type of frames to determine whether they are legitimately required.
The switches can then discard frames that are determined to be the products of a traffic storm. You can configure thresholds for broadcast, multicast, unknown unicast, and TCP-SYN packets as a function of the percentage of interface capacity, number of bits per second, or number of packets per second.

From your network policy with Switching enabled: Go to Additional Settings > Switch Settings > Storm Control
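As an added example (not Aerohive code), the following Python models the threshold check described above: it classifies frames into the four policed classes and compares the per-second count for each class against a threshold given in any of the three units. The link speed, thresholds and sample frames are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    dst_mac: str
    length: int            # bytes on the wire
    tcp_syn: bool = False  # set for TCP segments carrying the SYN flag


@dataclass(frozen=True)
class Threshold:
    value: float
    unit: str              # "percent" of interface capacity, "bps", or "pps"


def classify(frame, mac_table):
    """Return the storm-control class of a frame, or None if it is not policed."""
    if frame.tcp_syn:
        return "tcp-syn"
    if frame.dst_mac.lower() == BROADCAST:
        return "broadcast"
    first_octet = int(frame.dst_mac.split(":")[0], 16)
    if first_octet & 0x01:                      # I/G bit set: group (multicast) address
        return "multicast"
    if frame.dst_mac.lower() not in mac_table:  # destination not learned: would be flooded
        return "unknown-unicast"
    return None


class StormControl:
    """Per-interface storm control: counters are reset every measurement second."""

    def __init__(self, link_bps, thresholds, mac_table):
        self.link_bps = link_bps
        self.thresholds = thresholds                  # class -> Threshold
        self.mac_table = {m.lower() for m in mac_table}
        self.bits = defaultdict(int)
        self.packets = defaultdict(int)
        self.dropped = defaultdict(int)

    def new_interval(self):
        self.bits.clear()
        self.packets.clear()

    def over_threshold(self, cls):
        t = self.thresholds[cls]
        if t.unit == "pps":
            return self.packets[cls] > t.value
        if t.unit == "bps":
            return self.bits[cls] > t.value
        if t.unit == "percent":
            return self.bits[cls] > self.link_bps * t.value / 100.0
        raise ValueError(f"unknown threshold unit {t.unit!r}")

    def admit(self, frame):
        """True if the frame is forwarded, False if discarded as storm traffic."""
        cls = classify(frame, self.mac_table)
        if cls is None or cls not in self.thresholds:
            return True
        self.packets[cls] += 1
        self.bits[cls] += frame.length * 8
        if self.over_threshold(cls):
            self.dropped[cls] += 1
            return False
        return True


def run_interval(sc, frames):
    """Feed one second of constructed traffic; return (forwarded, dropped)."""
    sc.new_interval()
    forwarded = sum(1 for f in frames if sc.admit(f))
    return forwarded, len(frames) - forwarded


if __name__ == "__main__":
    # Constructed: 1 Gbps link, broadcast limited to 100 pps, multicast to 1 % of capacity
    limits = {"broadcast": Threshold(100, "pps"), "multicast": Threshold(1, "percent")}
    sc = StormControl(1_000_000_000, limits, {"00:11:22:33:44:55"})
    print(run_interval(sc, [Frame(BROADCAST, 64)] * 150))   # (100, 50)
```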

IGMP Snooping MAC Addresses

Aerohive switches are capable of monitoring IGMP transactions between multicast routers and client devices, and maintaining a local table of IGMP groups and group members
Aerohive switches use this information to track the status of multicast clients attached to the switch ports so that they can forward multicast traffic efficiently

From your network policy with Switching enabled: Go to Additional Settings > Switch Settings > IGMP Settings


IGMP Snooping MAC Addresses

IGMP device-specific options are available in the switch device configuration
Users can enable or disable IGMP snooping for all VLANs or for a specified VLAN. When IGMP snooping is disabled, all dynamic multicast MAC addresses should be deleted.
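An added example, not Aerohive's implementation: a minimal per-VLAN IGMP snooping table in Python that learns group members from reports and leaves, learns the router port from queries, computes the egress ports for a multicast frame, and flushes its dynamic entries when snooping is disabled, as the slides describe. The port names, group addresses, and the choice to flood groups with no snooping state are assumptions.

```python
from collections import defaultdict


def group_mac(group_ip):
    """IPv4 multicast group -> the 01:00:5e MAC address the switch tracks.
    Only the low 23 bits of the group address are used, so 239.1.2.3 and
    239.129.2.3 share one MAC entry."""
    octets = [int(o) for o in group_ip.split(".")]
    if len(octets) != 4 or not 224 <= octets[0] <= 239:
        raise ValueError(f"{group_ip} is not an IPv4 multicast address")
    return "01:00:5e:%02x:%02x:%02x" % (octets[1] & 0x7F, octets[2], octets[3])


class IgmpSnoopingVlan:
    """Snooping state for one VLAN (constructed model, not the switch's own tables)."""

    def __init__(self, vlan_id, all_ports):
        self.vlan_id = vlan_id
        self.all_ports = set(all_ports)
        self.enabled = True
        self.router_ports = set()        # ports on which IGMP queries were seen
        self.groups = defaultdict(set)   # group address -> member ports

    def observe(self, in_port, msg_type, group=None):
        """Learn from an IGMP message seen on in_port: 'query', 'report' or 'leave'."""
        if not self.enabled:
            return
        if msg_type == "query":
            self.router_ports.add(in_port)       # a multicast router is behind this port
        elif msg_type == "report":
            self.groups[group].add(in_port)      # host joined / refreshed membership
        elif msg_type == "leave":
            self.groups[group].discard(in_port)
            if not self.groups[group]:
                del self.groups[group]           # last member gone: prune the group
        else:
            raise ValueError(f"unknown IGMP message type {msg_type!r}")

    def forward_ports(self, in_port, group):
        """Ports a multicast frame for `group` arriving on in_port is sent out of."""
        if not self.enabled or group not in self.groups:
            # no snooping state: behave like a plain switch and flood the VLAN (assumption)
            return self.all_ports - {in_port}
        return (self.groups[group] | self.router_ports) - {in_port}

    def set_enabled(self, enabled):
        self.enabled = enabled
        if not enabled:
            # disabling snooping deletes every dynamically learned multicast entry
            self.groups.clear()
            self.router_ports.clear()


if __name__ == "__main__":
    vlan10 = IgmpSnoopingVlan(10, ["eth1/1", "eth1/2", "eth1/3", "eth1/24"])
    vlan10.observe("eth1/24", "query")                   # router uplink
    vlan10.observe("eth1/1", "report", "239.1.2.3")      # one member joins
    print(group_mac("239.1.2.3"), sorted(vlan10.forward_ports("eth1/24", "239.1.2.3")))
```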

GENERATE AEROHIVE SWITCH RADIUS SERVER CERTIFICATES
Required When Aerohive Devices are Configured as RADIUS Servers

HiveManager Root CA Certificate
Location and Uses

To view certificates, go to: Configuration, click Show Nav, then go to Advanced Configuration > Keys and Certificates > Certificate Mgmt
This root CA certificate is used to:
Sign the CSR (certificate signing request) that the HiveManager creates on behalf of the AP acting as a RADIUS or VPN server
Validate Aerohive AP certificates to remote clients
802.1X clients (supplicants) will need a copy of the CA Certificate in order to trust the certificates on the Aerohive AP RADIUS server(s)

Root CA Cert Name: Default_CA.pem
Root CA Key Name: Default_key.pem
Note: The CA key is only ever used or seen by HiveManager

Use the Existing HiveManager CA Certificate, Do not Create a New One!

For this class, please do not create a new HiveManager CA certificate, otherwise it will render all previous certificates invalid.
On your own HiveManager, you can create your own HiveManager CA certificate by going to: Configuration, then go to Advanced Configuration > Keys and

LAB: Aerohive Switch Server Certificate and Key
1. Generate Aerohive switch server certificate

Go to Configuration, click Show Nav > Advanced Configuration > Keys and Certificates > Server CSR
Common Name: server-X
Organizational Name: Company
Organization Unit: Department
Locality Name: City
State/Province: <2 Characters>
Country Code: <2 Characters>
Email Address: userX@ah-lab.com
Subject Alternative Name:
User FQDN: userX@ah-lab.com
Note: This lets you add an extra step of validating the User FQDN in a certificate during IKE phase 1 for IPSec VPN. This way, the Aerohive AP needs a valid signed certificate and the correct user FQDN.
Key Size: 2048
Password & Confirm: aerohive123
CSR File Name: Switch-X
Click Create

LAB: Aerohive Switch Server Certificate and Key
2. Sign and combine

Use this option to send a signing request to an external certification authority.
Enabling this setting helps prevent certificate and key mismatches when configuring the RADIUS settings
Select Sign by HiveManager CA
The HiveManager CA will sign the Aerohive AP Server certificate
The validity period should be the same as or less than the number of days the HiveManager CA Certificate is valid
Enter the Validity: 3650 (approximately 10 years)
Check Combine key and certificate into one file
Click OK

LAB: Aerohive Switch Server Certificate and Key
3. View server certificate and key

To view certificates, go to: Configuration, click Show Nav, then go to Advanced Configuration > Keys and Certificates > Certificate Mgmt
The certificate and key file name is: switch-X_key_cert.pem
QUIZ
Which CA signed this Aerohive switch server key?
What devices need to install the CA public cert?

QUESTIONS?

Lab: Switch as a RADIUS server
1. Edit existing policy

From Configuration, select your Network policy: Access-X
Click OK and then Continue

Lab: Switch Active Directory Integration
2. Select your Network Policy

To configure the Aerohive device as a RADIUS server...
Select the Configure & Update Devices bar
Select the Filter: Current Policy
Click the link for your Switch SR-0X-######

Lab: Switch Active Directory Integration
3. Create a RADIUS Service Object

Create an Aerohive AP RADIUS Service Object
Under Optional Settings, expand Service Settings
Next to Device RADIUS Service click +

Lab: Switch Active Directory Integration
4. Create a RADIUS Service Object

Name: SR-radius-X
Expand Database Settings
Uncheck Local Database
Check External Database
Under Active Directory, click + to define the RADIUS Active Directory Integration Settings

Lab: Switch Active Directory Integration
5. Select a switch to test AD integration

Name: AD-X
For the Aerohive device for Active Directory connection setup, select your Switch: SR-0X-#####
This will be used to test Active Directory integration
Once this switch is working, it can be used as a template for configuring other Aerohive device RADIUS servers with Active Directory integration
The IP settings for the selected Aerohive switch are gathered and displayed

Lab: Switch Active Directory Integration
6. Modify DNS settings

Set the DNS server to: 10.5.1.10
This DNS server should be the Active Directory DNS server or an internal DNS server aware of the Active Directory domain
Click Update
This applies the DNS settings to the Network Policy and to the Aerohive device so that it can test Active Directory connectivity

Lab: Switch Active Directory Integration
7. Specify Domain and Retrieve Directory Information

Domain: ah-lab.local
Click Retrieve Directory Information
The Active Directory Server IP will be populated as well as the BaseDN used for LDAP user lookups

Lab: Switch Active Directory Integration
8. Specify Domain and Retrieve Directory Information

Domain Admin: hiveapadmin (the delegated admin)
Password and Confirm Password: Aerohive1
Click Join
Check Save Credentials
NOTE: By saving credentials you can automatically join Aerohive devices to the domain without manual intervention

Lab: Switch Active Directory Integration
9. Specify a User to Perform LDAP User Searches

Domain User: user@ah-lab.local (a standard domain user)
Password and Confirm Password: Aerohive1
Click Validate User
You should see the message: The user was successfully authenticated.
These user credentials will remain and be used to perform LDAP searches to locate user accounts

Lab: Switch Active Directory Integration
10. Save the AD Settings

Click Save

Lab: Switch Active Directory Integration
11. Apply the AD settings

Select AD-X with priority: Primary
Click Apply
Please make sure you click Apply
Do not save yet.

Lab: Switch Active Directory Integration
12. Enable LDAP credential caching

Enable the ability for a Switch RADIUS server to cache user credentials, so that a user who has previously authenticated can still authenticate in the event that the AD server is not reachable
Check Enable RADIUS Server Credentials Caching
Do not save yet.

Lab: Switch Active Directory Integration
13. Assign server certificate

Optional Settings > RADIUS Settings: assign the newly created switch server certificate and key to the switch RADIUS server
CA Cert File: Default_CA.pem
Server Cert File: switch-X_key_cert.pem
Server Key File: switch-X_key_cert.pem
Key File Password & confirm password: aerohive123
Click Save

Lab: Switch Active Directory Integration
14. Verify the RADIUS service object

Ensure that the Aerohive AP RADIUS Service is set to: switchradius-X
Do not save yet

Lab: Switch Active Directory Integration
15. Set Static IP address on MGT0 interface

Expand MGT0 Interface Settings
Select Static IP
Static IP Address: 10.5.1.7X
X = student number: 02 = 72, 03 = 73, ... 12 = 82, 13 = 83
Netmask: 255.255.255.0
Note: Aerohive devices that function as a server must have a static IP address.

Lab: Switch Active Directory Integration
16. Save the switch settings

Click Save
NOTE: Your Aerohive switch will have an icon displayed showing that it is a RADIUS server.

QUESTIONS?

SSID FOR 802.1X/EAP AUTHENTICATION USING AEROHIVE DEVICE RADIUS WITH AD KERBEROS INTEGRATION

Lab: Switch RADIUS w/ AD Integration
1. Edit your WLAN Policy and Add SSID Profile

Configure an SSID that uses 802.1X/EAP with AD (Kerberos) Integration
Select the Configure Interfaces & User Access bar
Next to SSIDs click Choose
In Choose SSIDs, select New

Lab: Switch RADIUS w/ AD Integration
2. Configure an 802.1X/EAP SSID

Profile Name: Class-AD-X
SSID: Class-AD-X
Under SSID Access Security select WPA/WPA2 802.1X (Enterprise)
Click Save

Lab: Switch RADIUS w/ AD Integration
3. Select new Class-AD-X SSID

Ensure Class-AD-X is highlighted, then click OK
Click to deselect the Class-PSK-X SSID
Ensure the Class-AD-X SSID is selected
Click OK

Lab: Switch RADIUS w/ AD Integration
4. Create a RADIUS object

Under Authentication, click <RADIUS Settings>
In Choose RADIUS, click New

Lab: Switch RADIUS w/ AD Integration
5. Define the RADIUS Server IP settings

RADIUS Name: SWITCH-RADIUS-X
IP Address/Domain Name: 10.5.1.7X (02 = 72, 03 = 73, ... 12 = 82, 13 = 83)
Leave the Shared Secret empty
NOTE: When the Aerohive device is a RADIUS server, devices in the same Hive automatically generate a shared secret
Click Apply when done
Click Save

Lab: Switch RADIUS w/ AD Integration
6. Select User Profiles

Verify that under Authentication, SWITCH-RADIUS-X is assigned
Under User Profile click Add/Remove

Lab: Switch RADIUS w/ AD Integration
7. Assign User Profile as Default for the SSID

On the Default tab, select (highlight) the Employee-Default user profile
IMPORTANT: This user profile will be assigned if no attribute value is returned from RADIUS after successful authentication, or if attribute value 1 is returned.

Lab: Switch RADIUS w/ AD Integration
8. Assign User Profile to be Returned by RADIUS Attribute

In the Authentication tab, select (highlight) Employee-X
NOTE: The (User Profile Attribute) is appended to the User Profile Name
Click Save

Lab: Switch RADIUS w/ AD Integration
9. Verify and Continue

Ensure the Employee-Default-1 and Employee-X user profiles are assigned to the Class-AD-X SSID
Click Continue, or click the bar to Configure & Update Devices

Lab: Switch RADIUS w/ AD Integration
10. Upload the config to the switch and AP

In the Configure & Update Devices section
Select the Filter: Current Policy
Select your devices
Click Update

Lab: Switch RADIUS w/ AD Integration
10. Upload the config to the switch and AP

Select Update Devices
Select Perform a complete configuration update for all selected devices
Click Update
For this class, ALL updates should be Complete configuration updates

Lab: Switch RADIUS w/ AD Integration
11. Upload the config to the switch and AP

Should the Reboot Warning box appear, select OK
Click OK

QUESTIONS?

CLIENT ACCESS PREPARATION: DISTRIBUTING CA CERTIFICATES TO WIRELESS CLIENTS

LAB: Exporting CA Cert for Server Validation
1. Go to HiveManager from the Remote PC

From the VNC connection to the hosted PC, open a connection to:
For HM 1: 10.5.1.20
For HM 2: 10.5.1.23
For HM 3: 10.5.1.20
For HM 5: 10.5.1.20
Login with: adminX
Password: aerohive123
NOTE: Here you are accessing HiveManager via the PC's Ethernet connection

LAB: Exporting CA Cert for Server Validation
2. Download Default CA Certificate to the Remote PC

NOTE: The HiveManager Root CA certificate should be installed on the client PCs that will be using the RADIUS service on the Aerohive device for 802.1X authentication
From the Remote PC, go to Configuration, then click Show Nav > Advanced Configuration > Keys and Certificates > Certificate Mgmt
Select Default_CA.pem
Click Export

LAB: Exporting CA Cert for Server Validation
3. Rename HiveManager Default CA Cert

Export the public root Default_CA.pem certificate to the Desktop of your hosted PC
This is NOT your Aerohive AP server certificate; this IS the HiveManager public root CA certificate
Rename the extension of the Default_CA.pem file to Default_CA.cer
Make the Certificate name: Default_CA.cer
Save as type: All Files
This way, the certificate will automatically be recognized by Microsoft

LAB: Exporting CA Cert for Server Validation
4. Install HiveManager Default CA Cert

Find the file that was just exported to your hosted PC
Double-click the certificate file on the Desktop: Default_CA
Click Install Certificate
Issued to: HiveManager
This is the name of the certificate if you wish to find it in the certificate store, or if you want to select it in the Windows supplicant PEAP configuration.

LAB: Exporting CA Cert for Server Validation
5. Finish certificate installation

In the Certificate Import Wizard click Next
Click Place all certificates in the following store
Click Browse

LAB: Exporting CA Cert for Server Validation
6. Select Trusted Root Certification Authorities

Click Trusted Root Certification Authorities
Click OK
Click Next

LAB: Exporting CA Cert for Server Validation
7. Finish Certificate Import

Click Finish
Click Yes
Click OK

LAB: Exporting CA Cert for Server Validation
8. Verify certificate is valid

Click OK to close the certificate
Double-click Default_CA to reopen the certificate
You will see that the certificate is valid, with a start and end date
Click the Details tab

LAB: Exporting CA Cert for Server Validation
9. View the Certificate Subject

In the Details section, view the certificate Subject
This Subject, HiveManager, is what will appear in the list of trusted root certification authorities in your supplicant's (802.1X client's) Protected EAP (PEAP) Properties, configured later in this lab.

QUESTIONS?

CONFIGURING AND TESTING YOUR 802.1X SUPPLICANT
For Windows 7 Supplicants

Lab: Testing Switch RADIUS w/ AD Integration
1. Connect to Secure Wireless Network

On the hosted PC, from the bottom task bar, click the wireless networks icon
Click Class-AD-X
Click Connect
A Windows security alert should appear; click Details to verify this certificate is from HiveManager, then click Connect
server-2 is the AP cert, and HiveManager is the trusted CA

Lab: Testing Switch RADIUS w/ AD Integration
2. View Active Clients

After associating with your SSID, you should see your connection in the active clients list in HiveManager
Go to Monitor > Clients > Wireless Clients
IP Address: 10.5.1.#
User Name: DOMAIN\user
VLAN: 1
User Profile Attribute: 1
NOTE: User Profile Attribute 1 is the Employee-Default-1 user profile for the SSID. This user profile is being assigned because no User Profile Attribute Value was returned from RADIUS.

QUESTIONS?

MAPPING ACTIVE DIRECTORY MEMBEROF ATTRIBUTE TO USER PROFILES

Aerohive AP as a RADIUS Server - Using AD Member Of for User Profile Assignment

In your Network policy, you defined an SSID with two user profiles:
Employees(1)-1: set if no RADIUS attribute is returned. This user profile, for example, is for general employee staff, and they get assigned to VLAN 1
Employee(10)-X: set if a RADIUS attribute is returned. This user profile, for example, is for privileged employees, and they get assigned to VLAN 10

Because the switch RADIUS server is using AD to authenticate the users, and AD does not return RADIUS attributes, how can we assign users to different user profiles?
Though AD does not return RADIUS attributes, it does return other attribute values, like memberOf, which is a list of AD groups to

Instructor Only: Confirm User is a Member of the Wireless AD Group

Right click the username userX and click Properties
Click on the Member Of tab
The user account userX should belong to the Wireless AD Group
Click OK

Lab: Use AD to Assign User Profile
1. Map memberOf attribute to user profile

From Configuration, Show Nav > Advanced Configuration > Authentication > Aerohive AAA Server Settings > SR-radius-X
Expand Database Settings
Check LDAP server attribute Mapping
Select Manually map LDAP user groups to user profiles
LDAP User Group Attribute: memberOf

Lab: Use AD to Assign User Profile
2. Add group to user profile mapping

Click the LDAP Group Expand
Expand the tree structure to locate CN=Users
Select CN = Wireless
For Maps to, from the drop-down list, select the user profile: Employee-X
Map group to Employee(10)-X
Click Apply
The mapping appears below the
NOTE: The CN in Active Directory does not have to match the name of the user profile; this is just by choice, not necessity.

Lab: Use AD to Assign User Profile
3. Update devices

Select Update Devices
Select Perform a complete configuration update for all selected devices
Click Update
For this class, ALL updates should be Complete configuration updates

Lab: Use AD to Assign User Profile
4. Update devices

Should the Reboot Warning box appear, select OK
Click OK

Lab: Use AD to Assign User Profile
5. Disconnect and Reconnect to the Class-AD SSID

To test the mapping of the memberOf attribute to your user profile:
Disconnect from the Class-AD-X SSID
Connect to the Class-AD-X SSID

Lab: Use AD to Assign User Profile
6. Verify your active client settings

From Monitor > Clients > Active Clients
Your client should now be assigned to:
IP Address: 10.5.10.#
User Profile Attribute: 10
VLAN: 10
NOTE: In the previous lab, without the LDAP group mapping, the user was assigned to attribute 1 in VLAN 1
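The decision these labs walk through (the Auth Fail user profile on a failed or unsupported 802.1X exchange, the default user profile when no attribute is returned, and the attribute-mapped user profile derived from the AD memberOf group), as an added Python example that is not Aerohive code. The profile names, attributes, VLANs and the group DN are constructed from the lab values.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class UserProfile:
    name: str
    attribute: int      # the User Profile Attribute shown in HiveManager's client list
    vlan: int


@dataclass
class AuthResult:
    # success=False also covers a host with no supplicant ("802.1X not supported")
    success: bool
    member_of: List[str] = field(default_factory=list)   # AD memberOf values (group DNs)


@dataclass
class AccessPolicy:
    default_profile: UserProfile       # Default tab: no attribute, or the default's own attribute
    auth_fail_profile: UserProfile     # guest profile used when RADIUS authentication fails
    profiles: Dict[int, UserProfile]   # Authentication tab: attribute -> user profile
    group_mapping: Dict[str, int] = field(default_factory=dict)   # LDAP group DN -> attribute

    def attribute_from_groups(self, member_of: List[str]) -> Optional[int]:
        """AD returns no RADIUS attribute; derive it from the manual memberOf mapping."""
        for dn in member_of:
            if dn in self.group_mapping:
                return self.group_mapping[dn]     # first mapped group wins (assumption)
        return None

    def assign(self, result: AuthResult) -> UserProfile:
        """The three outcomes from the 'Three Different VLANs are Possible' slide."""
        if not result.success:
            return self.auth_fail_profile
        attr = self.attribute_from_groups(result.member_of)
        if attr is None or attr == self.default_profile.attribute:
            return self.default_profile
        # An attribute that is not configured on this SSID/port falls back to the default
        return self.profiles.get(attr, self.default_profile)


# Constructed from the lab values: default attribute 1 -> VLAN 1, Employee-X attribute 10
# -> VLAN 10, failure UID 100 -> guest VLAN 8. The DN below is a constructed placeholder.
WIRELESS_GROUP_DN = "CN=Wireless,CN=Users,DC=ah-lab,DC=local"
EMPLOYEE_DEFAULT = UserProfile("Employee-Default-1", 1, 1)
EMPLOYEE_X = UserProfile("Employee-X", 10, 10)
AUTH_FAIL = UserProfile("Auth-Fail", 100, 8)

LAB_POLICY = AccessPolicy(
    default_profile=EMPLOYEE_DEFAULT,
    auth_fail_profile=AUTH_FAIL,
    profiles={10: EMPLOYEE_X},
    group_mapping={WIRELESS_GROUP_DN: 10},
)


def vlan_for(policy: AccessPolicy, success: bool, member_of=()) -> int:
    """The VLAN a client lands in for a given authentication result."""
    return policy.assign(AuthResult(success, list(member_of))).vlan


if __name__ == "__main__":
    print("auth fail          ->", vlan_for(LAB_POLICY, False))                       # 8
    print("auth ok, no group  ->", vlan_for(LAB_POLICY, True))                        # 1
    print("auth ok, Wireless  ->", vlan_for(LAB_POLICY, True, [WIRELESS_GROUP_DN]))   # 10
```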

QUESTIONS?

AEROHIVE SWITCHES AS BRANCH ROUTERS

Medium Size Branch or Regional Office
SR2024 as Branch Router

(Diagram: SR2024 at the branch connected to the Internet, with a 3G/4G LTE USB backup, PoE-powered APs, and wired clients)
Line Rate Layer 2 Switch
8 Ports of PoE
Multi-authentication access ports
802.1X with fallback to MAC auth or open
Client Visibility: view client information by port
RADIUS Server
Routing between local VLANs
Layer 3 IPSec VPN
NAT for Subnets through VPN
NAT port forwarding on WAN
DHCP Server
USB 3G/4G Backup
and more

Provides Access For: Employees, Guests, Contractors, Phones, APs, Servers

CREATE A ROUTING NETWORK POLICY: YOU CAN CLONE YOUR EXISTING ACCESS POLICY
For Wireless, Switching, and Routing

Lab: Add Routing to Network Policy
1. Edit existing policy

From Configuration, next to your Network policy Access-X, click the sprocket icon
Click Edit

Lab: Add Routing to Network Policy
2. Edit: select Branch Routing

Add the option for Branch Routing to your Network Policy
Check Branch Routing so you have:
Wireless Access
Switching
Branch Routing
Bonjour Gateway
Click Save
Click OK

NOTE: Enabling Branch Routing:
Enables L3 VPN Configuration
Disables L2 VPN Configuration
Enables L3 Router Firewall Policy
Enables Policy-Based Routing with Identity
Enables Router configuration settings in Additional Settings

CLONE SWITCH DEVICE TEMPLATE AS SWITCH AND ADD NEW SWITCH DEVICE TEMPLATE AS BRANCH ROUTER

Lab: Create a Switch Template for Routing
1. Select and clone your existing device template

Next to Device Templates, click Choose
Select your SR2024-Default-X device template (configured as switch)
Click the sprocket icon
Click Clone

Lab: Create a Switch Template for Routing
2. Define router function of the device template

Click Device Models
Notice all the devices for which you can create templates when the network policy includes routing
Ensure that SR2024 is selected
Click OK

Lab: Create a Switch Template for Routing
3. Define router function of the device template

Name: SR2024-Router-Default-X
Change the function to Router
Click Save

Lab: Create a Switch Template for Routing
4. Select both templates

Ensure both of your SR2024 templates are selected.
Click OK
Hide the SR2024-Default-X (Switch) template
Expand the SR2024-Router-Default-X (Router) template

Lab: Create a Switch Template for Routing
5. Remove configuration of existing uplink ports

Next you can change your uplink ports and add a WAN port instead:
Select ports 23 and 24, and click Configure
Remove the port type by clicking on the port type you have selected, so that it is no longer highlighted
Click OK
Click OK again to dismiss the Warning

Examples of templates for other devices
BR200-WP
AP330 as Router

CONFIGURE ROUTER WAN PORTS - PORTS THAT CONNECT TO THE INTERNET AND PROVIDE NAT

Router WAN Ports
SR2024 as Branch Router, WAN port example:
WAN Primary: Corp ISP (Fast)
WAN Backup 1: DSL
WAN Backup 2: 3G/4G LTE USB Wireless

Lab: Create a Switch Template for Routing
1. Add necessary WAN port for router

When the switch is a router, you must configure at least one port as a WAN port
Select Port 23 and Port 24 (USB is always a WAN port)
Click Configure

Note: You can have up to 3 WAN ports: 1 primary and 2 backup. 2 ports can be Ethernet, and one can be USB. If you select multiple ports as WAN ports, you can select which ones are primary and backup in the switch-specific settings.

Lab: Create a Switch Template for Routing
2. Add necessary WAN port for router

Click New
Name: WAN-X
Select WAN
Click Save
With WAN-X selected, click OK

Lab: Create a Switch Template for Routing
3. Review WAN port settings

The USB Port, Port 23, and Port 24 will now display a WAN (Cloud) icon (USB does not display the cloud icon in this version of code).

Lab: Create a Switch Template for Routing
4. Save your Network Policy

From the Configure Interfaces & User Access bar, click Save

Note: Switch Port Settings
To be configured later, not now.
At a later point in this lab, you will configure the priority of the WAN ports for primary and backup.
Switch Settings: these will be configured later.

PORT TYPES

6.0 Network Policy
Besides the addition of the WAN port, all port types are identical in network policies with and without branch routing selected! This means the same port types can be used in both switching (layer 2) and branch routing (layer 3) network policies.

VLAN-TO-SUBNET ASSIGNMENTS FOR ROUTER INTERFACES

VLAN-to-subnet assignments for router interfaces
If the network policy is configured with Routing, then for every VLAN configured for SSIDs or port types, you must define the IP subnets that will be assigned to the branch routers, or to switches acting as branch routers
The VLANs are automatically populated from the VLANs assigned to user profiles for SSIDs and port types
If you have additional VLANs to define, you can click Add

Network and Sub Networks: Internal Use
HiveManager assigns a unique subnet from the network to each router, including the DHCP settings.

Diagram: HQ with a Cloud VPN Gateway and the Network 10.102.0.0/16; three BR100 branch routers reach it over the Internet, each with its own subnet:
BR100: Sub Network 10.102.0.0/24; DHCP IP Range 10.102.0.10 - 10.102.0.244; Default Gateway 10.102.0.1; DNS 10.102.0.1 (Router is DNS Proxy)
BR100: Sub Network 10.102.1.0/24; DHCP IP Range 10.102.1.10 - 10.102.1.244; Default Gateway 10.102.1.1; DNS 10.102.1.1 (Router is DNS Proxy)
BR100: Sub Network 10.102.2.0/24; DHCP IP Range 10.102.2.10 - 10.102.2.244; Default Gateway 10.102.2.1; DNS 10.102.2.1 (Router is DNS Proxy)

Networks and Hosts Per Network
A Little Bit of Subnet Theory - Yay!
Calculating a network using an IP address and a netmask

Conversion chart between binary and decimal:
Bit position:   2^7  2^6  2^5  2^4  2^3  2^2  2^1  2^0
Decimal value:  128   64   32   16    8    4    2    1
Example: 0 0 0 0 1 0 1 0 = 8 + 2 = 10

When you assign IP addresses, you can determine how many networks and how many hosts per network you need.
Example: Create subnets for network 10.102.0.0/16 (four octets of 8 bits each)
IP Address in binary:     00001010.01100110.00000000.00000000
Netmask in binary:      X 11111111.11111111.11111111.00000000
Multiply each column:     00001010.01100110.00000000.00000000
Convert back to decimal:  10.102.0.0

Networks and Hosts Per Network
IP Address Management
Example 1: Move the Subnet slider bar to 256 Branches
Network Mask: /16   Subnet Mask: /24

IP Address in binary:     00001010.01100110.00000000.00000000
Netmask in binary:      X 11111111.11111111.11111111.00000000
Multiply each column:     00001010.01100110.00000000.00000000
Convert back to decimal:  10.102.0.0
IP Network: 10.102 (16 bits)   Subnet: 8 bits = 256 branches   Hosts: 8 bits = 256, minus 3 = 253 clients/branch

Note: HiveManager lets you reserve the first or last IP in the subnets as the default gateway for the subnet.

Networks and Hosts Per Network
Automatic Subnet Creation (256 branches, /24 subnets)

IP Address in binary:     00001010.01100110.00000000.00000000
Netmask in binary:      X 11111111.11111111.11111111.00000000
Multiply each column:     00001010.01100110.00000000.00000000
Convert back to decimal:  10.102.0.0
IP Network: 10.102 (16 bits)   Subnet: third octet (8 bits)   Hosts: fourth octet (8 bits)

Subnet (third octet in binary)   Decimal   Hosts
10.102.00000000                  0.        1-254
10.102.00000001                  1.        1-254
10.102.00000010                  2.        1-254
10.102.00000011                  3.        1-254
10.102.00000100                  4.        1-254
10.102.00000101                  5.        1-254
10.102.00000110                  6.        1-254
10.102.00000111                  7.        1-254
10.102.00001000                  8.        1-254
...
10.102.11111111                  255.      1-254

Networks and Hosts Per Network
IP Address Management
Example 2: Move the Subnet slider bar to 512 Branches
Network Mask: /16   Subnet Mask: /25

IP Address in binary:     00001010.01100110.00000000.00000000
Netmask in binary:      X 11111111.11111111.11111111.10000000
Multiply each column:     00001010.01100110.00000000.00000000
Convert back to decimal:  10.102.0.0
IP Network: 10.102 (16 bits)   Subnet: 9 bits = 512 branches   Hosts: 7 bits = 128, minus 3 = 125 clients/branch

Note: HiveManager lets you reserve the first or last IP in the subnets as the default gateway for the subnet.

Networks and Hosts Per Network
Automatic Subnet Creation (512 branches, /25 subnets)

IP Address in binary:     00001010.01100110.00000000.00000000
Netmask in binary:      X 11111111.11111111.11111111.10000000
Multiply each column:     00001010.01100110.00000000.00000000
Convert back to decimal:  10.102.0.0
IP Network: 10.102 (16 bits)   Subnet: 9 bits   Hosts: 7 bits

Subnet (third octet plus first bit of the fourth)   Decimal    Hosts
10.102.00000000.0                                   0.0        1-126
10.102.00000000.1                                   0.128      129-254
10.102.00000001.0                                   1.0        1-126
10.102.00000001.1                                   1.128      129-254
10.102.00000010.0                                   2.0        1-126
10.102.00000010.1                                   2.128      129-254
10.102.00000011.0                                   3.0        1-126
10.102.00000011.1                                   3.128      129-254
10.102.00000100.0                                   4.0        1-126
...
10.102.11111111.1                                   255.128    129-254
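The partitioning arithmetic the last few slides walk through, as an added Python example that is not HiveManager code: the bitwise AND behind "multiply each column", the slider position as a subnet-mask length, the 253 and 125 clients per branch, and the reserved gateway and static addresses. The function and class names are this example's own.

```python
"""Parent-network partitioning as shown on the subnet-theory slides.

Added example, not Aerohive/HiveManager code.  It reproduces the arithmetic
for the parent network 10.102.0.0/16: the "branches vs. clients per branch"
slider that picks a subnet mask, the 256 - 3 = 253 (or 128 - 3 = 125) usable
clients per branch, and the router's reserved gateway address.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


def to_binary(ip: str) -> str:
    """Dotted-binary rendering used on the slides,
    e.g. 10.102.0.0 -> 00001010.01100110.00000000.00000000."""
    return ".".join(f"{octet:08b}" for octet in IPv4Address(ip).packed)


def network_from_mask(ip: str, netmask: str) -> str:
    """The slides' 'multiply each column' step is a bitwise AND of the address
    with the netmask; the result is the network address."""
    return str(IPv4Address(int(IPv4Address(ip)) & int(IPv4Address(netmask))))


def subnet_prefix_for_branches(parent: IPv4Network, branches: int) -> int:
    """Slider position -> subnet mask length.  256 branches of a /16 need
    8 subnet bits (/24); 512 branches need 9 bits (/25)."""
    if branches < 1 or branches & (branches - 1):
        raise ValueError("branch count must be a power of two")
    prefix = parent.prefixlen + (branches.bit_length() - 1)
    if prefix > 30:  # fewer than two usable hosts is not a usable branch subnet
        raise ValueError("too many branches for this parent network")
    return prefix


def clients_per_branch(prefix: int) -> int:
    """Usable client addresses per subnet: all addresses minus the network
    address, the broadcast address and the router's gateway IP."""
    return 2 ** (32 - prefix) - 3


@dataclass(frozen=True)
class BranchSubnet:
    network: IPv4Network
    gateway: IPv4Address
    dhcp_first: IPv4Address
    dhcp_last: IPv4Address


def partition(parent: str, branches: int, gateway_last: bool = False,
              reserve_static: int = 0) -> list[BranchSubnet]:
    """Split `parent` into `branches` equal subnets, each with a gateway IP
    (first or last usable address, as HiveManager lets you choose) and a DHCP
    pool.  `reserve_static` holds back that many addresses at the start of the
    subnet for static assignment (the lab reserves 10, so the pool starts at .10)."""
    net = IPv4Network(parent)
    prefix = subnet_prefix_for_branches(net, branches)
    result: list[BranchSubnet] = []
    for sub in net.subnets(new_prefix=prefix):
        hosts = list(sub.hosts())  # excludes network and broadcast addresses
        gateway = hosts[-1] if gateway_last else hosts[0]
        pool = [h for h in hosts
                if h != gateway and int(h) - int(sub.network_address) >= reserve_static]
        if not pool:
            raise ValueError(f"no DHCP addresses left in {sub}")
        result.append(BranchSubnet(sub, gateway, pool[0], pool[-1]))
    return result


if __name__ == "__main__":
    print(to_binary("10.102.0.0"), "AND", to_binary("255.255.255.0"),
          "=", network_from_mask("10.102.0.0", "255.255.255.0"))
    for branches in (256, 512):
        subs = partition("10.102.0.0/16", branches, reserve_static=10)
        print(f"{branches} branches -> /{subs[0].network.prefixlen}, "
              f"{clients_per_branch(subs[0].network.prefixlen)} clients/branch")
        for s in subs[:3]:
            print(f"  {s.network}  gw {s.gateway}  DHCP {s.dhcp_first}-{s.dhcp_last}")
```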

Network and Sub Networks: Internal Use
HiveManager assigns a unique subnet from the network to each router, including the DHCP settings.

Diagram: HQ with a Cloud VPN Gateway and the Network 10.102.0.0/16; three BR100 branch routers reach it over the Internet, each with its own subnet:
BR100: Sub Network 10.102.0.0/24; DHCP IP Range 10.102.0.10 - 10.102.0.244; Default Gateway 10.102.0.1; DNS 10.102.0.1 (Router is DNS Proxy)
BR100: Sub Network 10.102.1.0/24; DHCP IP Range 10.102.1.10 - 10.102.1.244; Default Gateway 10.102.1.1; DNS 10.102.1.1 (Router is DNS Proxy)
BR100: Sub Network 10.102.2.0/24; DHCP IP Range 10.102.2.10 - 10.102.2.244; Default Gateway 10.102.2.1; DNS 10.102.2.1 (Router is DNS Proxy)

LAB: Assign VLAN-to-subnet router interfaces
If the network policy is configured with Routing, then for every VLAN configured for SSIDs or port types, you must define the IP subnets that will be assigned to the branch routers, or to switches acting as branch routers
The VLANs are automatically populated from the VLANs assigned to user profiles for SSIDs and port types
If you have additional VLANs to define, you can click Add

LAB: Assign VLAN-to-subnet router interfaces
1. Select VLAN 10 and create network

Next to VLAN 10, click Choose
Click New

LAB: Assign VLAN-to-subnet router interfaces
2. Create internal employee network

Name: Net-Employee1XX (XX=02,03,..15,16)
Web Security: None
DNS Service: Class
Network Type: Internal

Note: DNS Service Objects
NOTE: This Quick Start DNS Service object sets clients to use the router interface IP as the DNS server, and will proxy the DNS requests to the DNS server learned statically or by DHCP on the WAN interface. Separate DNS servers can also be used for internal and external domain resolution.

LAB: Assign VLAN-to-subnet router interfaces
3. Create internal employee network

Click NEW to create a parent network

LAB: Assign VLAN-to-subnet router interfaces
4. Define the Parent Network and subnetworks

IP Network: 10.1XX.0.0/16

NOTE: This is the parent network that will be partitioned to create a number of IP subnets, determined by moving the slider bar. The slider bar is used to set the number of branches vs. clients per branch, which defines the subnet mask for each subnet.

Move the slider bar to select 256 branches and 253 clients per branch.

Moving the slider bar changes the number of bits in the subnet mask. The clients per branch = 253 in this case because 1 IP is reserved for the router, and then 0 and 255 are not used.

LAB: Assign VLAN-to-subnet router interfaces
5. Enable DHCP

Check Enable DHCP server
NOTE: In most cases, the router will be the DHCP server. However, if it is not, you can disable the DHCP service and this network definition will only be used to configure the router interface IP addresses.

For the DHCP Address Pool, move the slider bar to reserve 10 IP addresses at the start of the address pool that can be defined statically.
Please do not save yet!!!

Note: Custom Options Example
Note that you can define custom DHCP options if needed. For example, you can set the custom DHCP options for the hostname of HiveManager (option 225) or the IP address of HiveManager (option 226), or options required by certain IP phones.

DEFINE SPECIFIC SUBNETS FOR EACH SITE BY USING DEVICE CLASSIFICATION

What is the goal?
Define subnets from the IP address space to specific sites. For example, define the subnets that will be used for Site-1a and Site-1b, but let HiveManager allocate one for Site-1c.

Diagram: Network 10.101.0.0/16; three BR100 branch routers connected over the Internet:
Site-1a: Sub Network 10.101.1.0/24; DHCP IP Range 10.101.1.11 - 10.101.1.254; Default Gateway 10.101.1.1
Site-1b: Sub Network 10.101.2.0/24; DHCP IP Range 10.101.2.11 - 10.101.2.254; Default Gateway 10.101.2.1
Site-1c: Sub Network 10.101.25.0/24 (allocated by HiveManager); DHCP IP Range 10.101.25.11 - 10.101.25.254; Default Gateway 10.101.25.1

LAB: Assign VLAN-to-subnet router interfaces
1. Define subnet to be assigned to Site-Xa

By default, each branch router will be assigned one subnet from the Local IP Address Space.
To define specific subnets of the Local IP address space to assign to sites:
Check Allocate local subnetworks by specific IP addresses at sites, and click New
IP Address: 10.1XX.1.1 (XX=01,02,03,..18)
Type: Device Tag

LAB: Assign VLAN-to-subnet router interfaces
2. Define subnet to be assigned to Site-Xb

Define the next subnet:
Click New
IP Address: 10.1XX.2.1
Type: Device Tag
Tag1: Site-Xb (Xb = 2b, 3b, 4b, .., 18b)
Note: You can specify up to 256 tags

LAB: Assign VLAN-to-subnet router interfaces
3. Save the Network

Verify you have all the settings needed for the network:
DNS: Class
Network Type: Internal Use
Subnetwork: 10.1XX.0.0/16
Verify the IP Allocation Statements
Click Save

Note: (T) = True, the tag must match; (F) = False, no match required.
Here you can see: 10.102.1.1 must have a router with Tag1 set to Site-2a, and 10.102.2.1 must have a router with Tag1 set to Site-2b.

LAB: Assign VLAN-to-subnet router interfaces
4. Choose the Network

Ensure your policy is highlighted and click OK

Note: Device Classification Settings On Your Device
In a later lab, you will need to define Device Classification Tag1 on your switch (under Device Specific Settings) with the same entry that was used in the network configuration: Site-Xa

What did you just do?
You specified that certain sites had or will require specific IP addresses in them, for example Site-1a (10.101.1.1) and Site-1b (10.101.2.1). These can be any IP in the subnet; we chose the IP of the default gateways.
Therefore HiveManager will allocate the subnets that match the IP addresses that are specified for two of the sites.

Diagram: Network 10.101.0.0/16; three BR100 branch routers connected over the Internet:
Site-1a: Sub Network 10.101.1.0/24; DHCP IP Range 10.101.1.11 - 10.101.1.254; Default Gateway 10.101.1.1
Site-1b: Sub Network 10.101.2.0/24; DHCP IP Range 10.101.2.11 - 10.101.2.254; Default Gateway 10.101.2.1
Site-1c: Sub Network 10.101.25.0/24; DHCP IP Range 10.101.25.11 - 10.101.25.254; Default Gateway 10.101.25.1 (*This subnet was chosen by HiveManager because an IP at the site was not defined.)
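Allocation by device classification as the lab describes it, as an added Python model that is not HiveManager's implementation: allocation statements pin the subnet containing 10.101.1.1 and 10.101.2.1 to the router whose Tag1 matches, routers without a match take the lowest free subnet (HiveManager's own choice for Site-1c was 10.101.25.0/24), and the Guest Use subnet is the same at every branch. The names, the collision checks and the lowest-free ordering are this example's assumptions.

```python
"""Subnet allocation with device-classification tags, modelled on the lab.

Added example, not HiveManager code.  The parent 10.101.0.0/16 is split into
/24 branch subnets; each allocation statement names an IP inside the parent
and the Tag1 value (the (T) column on the slide) a router must carry to be
given the subnet containing that IP.  Every other router receives a free
subnet.  Guest Use networks are shared, so each branch gets the same
192.168.83.0/24 (guest traffic is NATed to the router's WAN address instead).
"""
from __future__ import annotations

from ipaddress import IPv4Address, IPv4Network


class AllocationError(Exception):
    """An allocation statement or router set that cannot be satisfied."""


GUEST_NETWORK = IPv4Network("192.168.83.0/24")  # same at every branch (Guest Use)


def allocate_subnets(parent: str, statements: dict[str, str],
                     routers: dict[str, str | None],
                     new_prefix: int = 24) -> dict[str, IPv4Network]:
    """Return router name -> Internal Use subnet.

    statements: {"10.101.1.1": "Site-1a", ...}   IP inside the parent + required Tag1
    routers:    {"SR-02-a": "Site-1a", "SR-02-c": None}   router -> its Tag1 (None = untagged)
    Untagged or unmatched routers take the lowest free subnet (this model's choice;
    HiveManager picks its own, e.g. 10.101.25.0/24 on the slide).
    """
    net = IPv4Network(parent)
    subnets = list(net.subnets(new_prefix=new_prefix))

    pinned: dict[str, IPv4Network] = {}  # Tag1 -> subnet containing the statement IP
    for ip, tag in statements.items():
        addr = IPv4Address(ip)
        if addr not in net:
            raise AllocationError(f"{ip} lies outside {parent}")
        sub = next(s for s in subnets if addr in s)
        if tag in pinned or sub in pinned.values():
            raise AllocationError(f"statement {ip} / {tag} collides with another statement")
        pinned[tag] = sub

    free = [s for s in subnets if s not in pinned.values()]
    allocation: dict[str, IPv4Network] = {}
    for name, tag in routers.items():
        if tag is not None and tag in pinned:
            if pinned[tag] in allocation.values():
                raise AllocationError(f"more than one router carries Tag1 {tag}")
            allocation[name] = pinned[tag]
        else:
            if not free:
                raise AllocationError(f"{parent} has no free /{new_prefix} left")
            allocation[name] = free.pop(0)
    return allocation


def allocation_error(parent: str, statements: dict[str, str],
                     routers: dict[str, str | None]) -> str | None:
    """Run the allocation and return the error text instead of raising (for checks)."""
    try:
        allocate_subnets(parent, statements, routers)
    except AllocationError as exc:
        return str(exc)
    return None


def gateway_ip(subnet: IPv4Network) -> IPv4Address:
    """First usable address, the default HiveManager reserves for the router."""
    return next(subnet.hosts())


def branch_networks(allocation: dict[str, IPv4Network]) -> dict[str, dict[str, IPv4Network]]:
    """Per-router interface networks: the unique Internal Use subnet plus the shared guest subnet."""
    return {name: {"internal": sub, "guest": GUEST_NETWORK} for name, sub in allocation.items()}


if __name__ == "__main__":
    # Constructed lab data: two pinned sites and one left to dynamic allocation.
    alloc = allocate_subnets("10.101.0.0/16",
                             {"10.101.1.1": "Site-1a", "10.101.2.1": "Site-1b"},
                             {"SR-1a": "Site-1a", "SR-1b": "Site-1b", "SR-1c": None})
    for name, nets in branch_networks(alloc).items():
        print(f"{name}: internal {nets['internal']} gw {gateway_ip(nets['internal'])}, "
              f"guest {nets['guest']}")
```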

ADD NETWORKS FOR THE OTHER VLANS

Add More Networks
Create networks for VLAN 2 and VLAN 8
If the VLAN is not in the list, click Add
Enter the VLAN
Then proceed to configuring the networks

LAB: Assign VLAN-to-subnet router interfaces
1. Select VLAN 2 and create network

Next to VLAN 2, click Choose
Click New

LAB: Assign VLAN-to-subnet router interfaces
2. Create internal voice network

Create another Internal Network for VLAN 2:
Name: 10.2XX.0.0-Voice-X
Web Security: None
DNS service: Class
Network Type: Internal Use
Do not save yet

LAB: Assign VLAN-to-subnet router interfaces
3. Create internal voice network

Click NEW to create a parent network

LAB: Assign VLAN-to-subnet router interfaces
4. Define the Parent Network and subnetworks

IP Network: 10.2XX.0.0/16

NOTE: This is the parent network that will be partitioned to create a number of IP subnets, determined by moving the slider bar. The slider bar is used to set the number of branches vs. clients per branch, which defines the subnet mask for each subnet.

Move the slider bar to select 256 branches and 253 clients per branch.

Moving the slider bar changes the number of bits in the subnet mask. The clients per branch = 253 in this case because 1 IP is reserved for the router, and then 0 and 255 are not used.

LAB: Assign VLAN-to-subnet router interfaces
5. Enable DHCP

Check Enable DHCP server
NOTE: In most cases, the router will be the DHCP server. However, if it is not, you can disable the DHCP service and this network definition will only be used to configure the router interface IP addresses.

For the DHCP Address Pool, move the slider bar to reserve 10 IP addresses at the start of the address pool that can be defined statically.

LAB: Assign VLAN-to-subnet router interfaces
6. Verify and save the Subnetwork

Click Save
Ensure your policy is highlighted and click OK

Networks for Guest Use
All guest stations at each branch office use the same IP subnet
All guest traffic destined to the Internet is network address translated to the unique IP address of the router WAN interface

Diagram: HQ with a Cloud VPN Gateway; three BR100 routers connected over the Internet, with WAN addresses 1.3.2.90, 2.50.33.5 and 2.1.1.20, each serving the same guest network:
Network 192.168.83.0/24 (Guest Use); DHCP IP Range 192.168.83.10 - 192.168.83.244; Default Gateway 192.168.83.1; DNS 192.168.83.1 (Router is DNS Proxy)

LAB: Assign VLAN-to-subnet router interfaces
7. Select VLAN 8 and create guest network

Next to VLAN 8, click Choose
Click New

LAB: Assign VLAN-to-subnet router interfaces
8. Create the Guest network

Name: 192.168.83.0Guest-X
Web Security: None
DNS Service: Class
Network Type: Guest Use
Guest Use Network: 192.168.83.0/24
DHCP Address Pool: reserve the first 10
Check Enable DHCP server

NOTE: Devices assigned to a Guest Use network are restricted from accessing the corporate VPN or from initiating communication to corporate devices.

LAB: Assign VLAN-to-subnet router interfaces
9. Save the Guest network

Verify your settings
Click Save
Click OK

Verify Subnet Assignments for Router Interfaces
You should have a network defined for each of the VLANs specified

LAB: Assign VLAN-to-subnet router interfaces
10. Save your Network Policy

From the Configure Interfaces & User Access bar, click Save

CHANGE SSID PROFILES

Lab: Change SSID Profiles
1. Change SSIDs

Configure Interface & User Access
Next to SSIDs, click Choose

Lab: Change SSID Profiles
2. Select Class-PSK-X SSID

Ensure Class-PSK-X is highlighted, then click OK
Click to deselect the AD-X SSID
Ensure the Class-PSK-X SSID is selected
Click OK

Lab: Change SSID Profiles
3. Verify settings

Verify settings
Click Continue

CREATING FILTERS

Lab: Device Filters
1. From Configure & Update Devices

Create filters to limit the number of devices displayed:
Click the Configure & Update Devices bar
Next to Filter, click +

Lab: Device Filters
2. Create a filter

You can create and save filters based on a lot of criteria. For this filter:
Set the Device Model to SR2024
Set the hostname to: SR-XX- (XX is your two-digit student ID: 02-15)
Do not forget the dash at the end; this ensures that your student ID is the match
For Remember This Filter, enter:

Lab: Device Filters
3. View your Real and Simulated Switch/Routers

We will be using real and simulated devices in this lab
With the filter selected, you will see your real and simulated switch/routers, which all start with SR-XX-

UPDATE THE DEVICE CONFIGURATION OF YOUR SWITCH/ROUTERS

Lab: Update your Switch Configuration
1. Modify your switch

Check the box next to your switch SR-XX#######
Click Modify

Lab: Update your Switch Configuration
2. Change switch to function as a router

Make the following settings:
Device Function: Router (IMPORTANT)
Location: FirstName_LastName
Network Policy: Access-X
When the warning box appears, click OK

Lab: Update your Switch Configuration
3. Specify the Device Classification Tag1

Set the Device Classification Tag1 so that this device will be assigned to networks with matching tag definitions:
Under Device Classification, Tag1: Site-Xa
Note: The tag you entered in the network will automatically show up in the list
Do NOT save yet

Lab: Update your Switch Configuration
4. Change WAN port priority settings

Expand Interface and Network Settings
Set the following priorities:
USB WAN: Backup2
Eth1/23 WAN: Backup1
Eth1/24 WAN: Primary (Please verify that 1/24 is Primary)

NOTE: Check Enable NAT
Ensure NAT is enabled on the WAN Interfaces
Do Not save yet

Lab: Update your Switch Configuration
5. Disable RADIUS services

Remove the RADIUS object from the earlier lab:
Under Optional Settings, expand Service Settings
Uncheck Enable the router as a RADIUS Server

Lab: Update Router Configuration
6. Save your device settings

Click Save

Lab: Update Router Configuration
7. Update your device settings

Select Routers to select all three routers
Click Update

Lab: Update Router Configuration
7. Update your device settings

Select Update Devices
Select Perform a complete configuration update for all selected devices
Click Update

For this class, ALL updates should be Complete configuration updates.

Lab: Update Router Configuration
8. Update your device settings

Should the Reboot Warning box appear, select OK
Click OK

VIEW SUBNET ALLOCATION REPORT

Network and Sub Networks: Internal Use
HiveManager assigns a unique subnet from the network to each router, including the DHCP settings.

Diagram: HQ with a Cloud VPN Gateway and the Network 10.102.0.0/16; three BR100 branch routers reach it over the Internet, each with its own subnet:
BR100: Sub Network 10.102.0.0/24; DHCP IP Range 10.102.0.10 - 10.102.0.244; Default Gateway 10.102.0.1; DNS 10.102.0.1 (Router is DNS Proxy)
BR100: Sub Network 10.102.1.0/24; DHCP IP Range 10.102.1.10 - 10.102.1.244; Default Gateway 10.102.1.1; DNS 10.102.1.1 (Router is DNS Proxy)
BR100: Sub Network 10.102.2.0/24; DHCP IP Range 10.102.2.10 - 10.102.2.244; Default Gateway 10.102.2.1; DNS 10.102.2.1 (Router is DNS Proxy)

Lab: Subnet Allocation Report
1. View the IP addresses assigned to the routers

From Monitor, in the navigation tree, click Subnetwork Allocation
Under Network Name, select Network-1XX
From the 10.102.0.0/16 parent network, a different subnet and DHCP Pool was allocated to each branch router.
Note: One subnet was assigned via classification. The others were assigned dynamically.

CLI ROUTER COMMANDS

SHOW L3 INTERFACE

From Monitor > Utilities > SSH Client:
show L3 interface

TEST WIRELESS LAN ACCESS

Lab: Test Wireless LAN Access
1. Connect your computer to the SSID Class-PSK-X

Single-click the wireless icon on the bottom right corner of the Windows task bar
Click your SSID Class-PSK-X
Click Connect
Security Key: aerohive123
Click OK

Lab: Test Wireless LAN Access
2. View your client information in Wireless Clients

View your client in the Active Clients list by going to Monitor > Clients > Wireless Clients
Notice the VLAN and network address

TEST WIRED LAN SECURE ACCESS

Lab: Test LAN Port Access - Secure
1. View your client information in Active Clients

View your client in the Active Clients list by going to Monitor > Clients > Wired Clients
Notice the VLAN, the network address and the client authentication method

Lab: Test LAN Port Access
2. Disable 802.1X for wired clients

In Windows 7, 802.1X support for wired clients is enabled through a Windows service:
As an administrator, from the Start menu type services
Then click Services

Lab: Test LAN Port Access
3. Disable 802.1X for wired clients

Click the Standard tab at the bottom of the Services panel
Locate Wired AutoConfig and right-click it
Click Properties

Lab: Test LAN Port Access
4. Disable 802.1X for wired clients

Startup type: Disabled
Click Stop

Lab: Test LAN Port Access
5. Disable 802.1X for wired clients

Click OK

Lab: Test LAN Port Access
6. Clear wired client cache

Monitor / Clients / Operation: Deauth Client
Check Clear Cache
Click OK
Click Yes

Lab: Test LAN Port Access
7. Clear wired client cache

Monitor / Clients / Operation: Deauth Client
Check Clear Cache
Click OK
Click Yes

Lab: Test LAN Port Access
8. Reset Ethernet adapter

Because the PC has the wrong IP it will not work; you can remedy this by:
Right-click on Local Area Connection 3 and click Diagnose
or
Disable then Enable Local Area Connection 3
Do NOT disable Local Area Connection 2

Lab: Test LAN Port Access
9. Verify Auth Fail Guest Network

Locate Local Area Connection 3
Right-click it
Click Status
Click Details
Why do you see an IP from the 192.168.83.0 subnet?
This is the guest network that is assigned if authentication is not supported or fails.

ROUTE-BASED IPSEC VPN

Aerohive Layer 2 VPN
Diagram: Remote Site connected to Headquarters over the Internet.
Layer 2 VPN client devices: AP-100 series, AP-300 series, BR-100 (AP mode)
Layer 2 VPN server devices: AP-300 series (128 tunnels), VPN Gateway Virtual Appliance in L2 Gateway mode (1024 tunnels)

Note: Layer 2 VPNs are taught in the Aerohive Certified WLAN Professional (ACWP) class

Aerohive Layer 3 VPN
Diagram: Remote Site connected to Headquarters over the Internet.
Layer 3 VPN client devices: BR-100 router, BR-200 router, AP 330/350 (router mode), Aerohive switch (router mode)
Layer 3 VPN server: VPN Gateway in L3 Gateway mode (1024 tunnels)

Aerohive Route-Based IPSec VPN Components
Aerohive Routers are Layer 3 IPSec VPN clients, and provide DHCP, DNS Proxy, route synchronization, and RADIUS service, along with many other features.
VPN Gateway VA: a HiveOS-based Layer 3 IPSec VPN server that is a Virtual Appliance which runs on VMware ESXi. 1 VA supports up to 1024 IPSec VPN tunnels.
Router platforms shown: BR100, BR200, HiveAP 330 configured as a Router, HiveAP 350 configured as a Router, Aerohive Switch configured as a Router.

Corporate VPN: HiveManager Allocates Unique Network Settings For Each Site

Diagram: HQ Corporate Network 10.1.0.0/16 with the VPN Gateway; the Branch Network 172.28.0.0/16 is carved into one Sub Network per BR100 branch router, all connected over the Internet:
BR100: Sub Network 172.28.0.0/24; DHCP IP Range 172.28.0.10 - 172.28.0.244; Default Gateway 172.28.0.1; DNS 172.28.0.1 (Router is DNS Proxy)
BR100: Sub Network 172.28.1.0/24; DHCP IP Range 172.28.1.10 - 172.28.1.244; Default Gateway 172.28.1.1; DNS 172.28.1.1 (Router is DNS Proxy)
BR100: Sub Network 172.28.2.0/24; DHCP IP Range 172.28.2.10 - 172.28.2.244; Default Gateway 172.28.2.1; DNS 172.28.2.1 (Router is DNS Proxy)

Corporate VPN: HiveManager Allocates Unique Network Settings For Each Site
Each router builds a VPN to one or two VPN Gateways
Routes are synchronized between the routers and VPN Gateways over the VPN using a TCP-based route exchange mechanism

Diagram: HQ Corporate Network 10.1.0.0/16 with the VPN Gateway; BR100 branch routers with Sub Networks 172.28.0.0/24, 172.28.1.0/24 and 172.28.2.0/24, each connected to HQ over the Internet.
Route-based VPN
Routers (VPN clients) ask the VPN Gateway for updated route information and provide their own route changes over the VPN tunnel every minute by default, using a TCP request.

HQ VPN Gateway (Corporate Network 10.1.0.0/16):
Route: 10.1.0.0/16 to Corp Router
Route: 172.28.0.0/24 to VPN tunnel A
Route: 172.28.1.0/24 to VPN tunnel B
Route: 172.28.2.0/24 to VPN tunnel C
Route: 0.0.0.0/0 to Internet Gateway

BR100, Tunnel A, Local network 172.28.0.0/24:
Route: 10.1.0.0/16 through VPN tunnel
Route: 172.28.1.0/24 through VPN tunnel
Route: 172.28.2.0/24 through VPN tunnel

BR100, Tunnel B, Local network 172.28.1.0/24:
Route: 10.1.0.0/16 through VPN tunnel
Route: 172.28.0.0/24 through VPN tunnel
Route: 172.28.2.0/24 through VPN tunnel

BR100, Tunnel C, Local network 172.28.2.0/24:
Route: 10.1.0.0/16 through VPN tunnel
Route: 172.28.0.0/24 through VPN tunnel
Route: 172.28.1.0/24 through VPN tunnel
Route: 0.0.0.0/0 to Internet Gateway
VPN GATEWAY VIRTUAL APPLIANCE

VPN Gateway Virtual Appliance: General Information
What is a VPN Gateway Virtual Appliance?
It is a virtualized version of HiveOS that runs on VMware ESXi and supports IPSec VPN service and routing protocols
How do you upgrade a VPN Gateway VA?
VAs can be upgraded using a standard HiveOS software upgrade from HiveManager, TFTP, or SCP
How many interfaces does a VPN Gateway VA have? Two:
WAN: used to terminate the VPN from the router VPN clients, and can be used as a one-armed VPN where it connects to both the branch networks through the VPN and the internal corporate networks
LAN: an optional interface that can be used to connect to an internal network and be the gateway

VPN Gateway Virtual Appliance on VMware (ESXi)
The VA uses HiveOS, and looks just like an AP when you log in to it

VPN Gateway Deployment Scenarios: Two Interfaces

Diagram: Headquarters Router on the Inside network; the VPN Gateway sits between the Inside network and the Firewall's DMZ, with its LAN (Eth1) Interface facing inside and its WAN (Eth0) Interface facing the DMZ; an IPSec VPN crosses the Internet to the Branch Office.

VPN Gateway with two interfaces configured:
The LAN interface is connected to the inside network
Traffic from the inside network destined for an IP address in a branch office is sent to the LAN interface on the VPN Gateway to be encrypted and sent through a VPN to a branch office
Routing protocols, OSPF or RIPv2, can be run on the LAN interface so that the VPN Gateway can exchange routes with the inside network router
The WAN interface is connected to the DMZ or outside network and is used to terminate the VPNs

VPN Gateway Deployment Scenarios: One Interface

Diagram: Headquarters router and inside network (clear traffic); firewall with a DMZ interface; VPN Gateway with only its WAN (Eth0) interface in the DMZ; IPSec VPN across the Internet to the branch office.

VPN Gateway with one interface configured (One Arm)
The WAN interface is connected to a firewall interface in the DMZ
Traffic from the inside network destined for an IP address in a branch office is sent to the firewall, which forwards the traffic to the VPN Gateway as the next hop to the branch office routers
The VPN Gateway encrypts the traffic and sends the traffic back to the firewall destined to a branch office router
You can enter static routes, or run a dynamic routing protocol, OSPF or RIPv2, on the WAN interface to exchange routes with the firewall

426

Router IPSec VPN Lab
Uses a Single VPN Gateway Interface

Diagram: Headquarters firewall outside interface eth0/0 1.2.2.1/24, which NATs 1.2.2.X to 10.200.2.X; VPN Gateway WAN interface Eth0 10.200.2.X/24 (X=2,3,..,14,15) with gateway 10.200.2.1 in the DMZ; firewall bridge group interface 10.5.1.1 on the inside network, with HiveManager at 10.5.1.20; branch office router with public address 2.1.1.10 on Port1 and internal network 10.102.1.0/24 on Port2; IPSec VPN across the Internet.

In the training lab, the VPN Gateways learn routes via OSPF from the firewall, which are: 10.5.2.0/24, 10.5.8.0/24, & 10.5.10.0/24
The firewall learns the routes from the VPN Gateways to all the branch office routers via OSPF
The branch office routers exchange their routes with their VPN Gateways

427

THE NEXT STEPS ARE FOR EXAMPLE ONLY, DO NOT DOWNLOAD THE VPN GATEWAY VA IMAGES IN CLASS, OTHERWISE IT WILL TAKE TOO LONG

428

Example Only: Download the HiveOS-VA Image From HiveManager

Please do not download in class!
To download the VPN Gateway Virtual Appliance image from HiveManager, go to Configuration > All Devices
Click Update > Advanced > Download HiveOS Virtual Appliance

429

Example Only: Download the HiveOS-VA Image From HiveManager

Save the VPN Gateway VA image to a directory of your choice on your hard drive
Note: the default name is AH_HiveOS.ova, but you can rename the file if you like

430

THE NEXT STEPS ARE FOR EXAMPLE ONLY, DO NOT DEPLOY A VPN GATEWAY IN CLASS, YOUR VPN GATEWAY VA IMAGES HAVE ALREADY BEEN DEPLOYED
If time permits the instructor will demonstrate the process

431

VPN Gateway Virtual Appliance Recommended Hardware Configuration

VPN Gateway Virtual Appliance Recommended Hardware Configurations

432

Example Only: Deploy a VPN Gateway in VMware ESXi

From the VMware vSphere client, log into your ESX/ESXi server
Go to File > Deploy OVF Template
Locate the AH_HiveOS.ova file and click Open

433

Example Only: Deploy a VPN Gateway in VMware ESXi

With the AH_HiveOS.ova file selected click Next

434

Example Only: Deploy a VPN Gateway in VMware ESXi

View the product information and ensure you have enough disk space for a thick provisioned install
Note: Thick provisioning reserves all the disk space needed during the install
Click Next

435

Example Only: Deploy a VPN Gateway in VMware ESXi

Provide a name for the VPN Gateway, for example: HiveOS-VAXX (XX=02,03,..14,15)
Note: It is a good idea to keep this name relatively short so it fits better in the vSphere client display
Click Next

436

Example Only: Deploy a VPN Gateway VA in VMware ESXi

Select Thick Provisioned Lazy Zeroed
Note: You can choose Eager Zeroed, but it will take more time because it fills the complete disk space with 0s; lazy zeroing fills only as space is needed
Click Next

437

Example Only: Deploy a VPN Gateway in VMware ESXi

In this example, the VPN Gateways will only be using the WAN interface, so you can use the same destination network (virtual switch port group) for both
Select VM Network for the WAN and LAN interfaces
Click Next

438

Example Only: Deploy a VPN Gateway in VMware ESXi

Optionally, check the box to Power on after deployment
Click Finish

439

Example Only: Deploy a VPN Gateway in VMware ESXi

In a moment, the new VPN Gateway will be up and running
Click Close when the deployment has completed successfully

440

EXAMPLE: INITIAL CONFIGURATION OF A VPN GATEWAY VIRTUAL APPLIANCE

441

Example Only: Initial configuration of a VPN Gateway Virtual Appliance

In the vSphere console for the new VPN Gateway Virtual Appliance
Type 1 to change the Network Settings and press Enter

442

Example Only: Initial configuration of a VPN Gateway Virtual Appliance

Type 2 to Manually configure interface settings and press Enter

443

Example Only: Initial configuration of a VPN Gateway Virtual Appliance

The startup CLI wizard is used to set up the IP address for the WAN interface on the VA
The VPN Gateway VA will need access to the Internet to reach the license server and obtain a valid and unique serial number
IP for eth0: 10.200.2.X
Netmask Length: [24]

444

Example Only: Initial configuration of a VPN Gateway Virtual Appliance

The VPN Gateway will check its connection to its default gateway and the Aerohive License server
For the question "Do you want to reset the networking?" press Enter, or type no and press Enter

445

Example Only: Initial configuration of a VPN Gateway Virtual Appliance

When a VPN Gateway VA is purchased, Aerohive generates an activation code and associates it with a unique serial number
You will be emailed your activation code
Optionally you can use an HTTP proxy
When the activation code is entered, the VPN Gateway VA will contact the Aerohive license server and obtain the serial number associated with the activation key

446

Example Only: Initial configuration of a VPN Gateway Virtual Appliance

If the activation code is valid, the VPN Gateway VA will obtain a valid and unique serial number
You must then reboot the VPN Gateway by pressing Enter, or by typing yes then Enter

447

Example Only: Initial configuration of a VPN Gateway Virtual Appliance

After the VPN Gateway VA has been rebooted, you can log in with:
Login: admin
Password: aerohive
Enter a hostname if you like:
hostname HiveOS-VA-X
If the Serial Number for the VPN Gateway is not entered into myhive, then you can configure the location of its HiveManager:
capwap client server name 10.5.1.20
Save the configuration:
save config

448

Example Only: Initial configuration of a VPN Gateway Virtual Appliance

Just like on an Aerohive AP or router, you can verify CAPWAP status by typing:
show capwap client
After a minute, you should see the run state show that the VPN Gateway is Connected securely to the CAPWAP server
The CAPWAP server IP should be your HiveManager IP: 10.5.1.20

449

Example Only: Initial configuration of a VPN Gateway Virtual Appliance

Your new VPN gateway will be displayed in Monitor > VPN Gateways

450

LAB: CREATE A ROUTE-BASED LAYER 3 IPSEC VPN

451

Lab: Create a Route-Based IPSec VPN
1. Create a Layer 3 IPSec VPN

To create a route-based IPSec VPN:
Go to Configuration
Select your Network policy: Access-X and click OK
Next to Layer 3 IPSec VPN click Choose
In Choose VPN Profile click New

452

Lab: Create a Route-Based IPSec VPN
2. Assign your VPN Gateway to the VPN policy

Enter a profile name: VPN-X and choose Layer 3 IPSec VPN
For VPN Gateway, select: Hive-OS-VA-XX from the dropdown
External IP address of the VA: 1.2.2.X (X = your student number)
Note: The external IP is the public address the routers will contact to access the Virtual Appliance
Click Apply

453

Lab: Create a Route-Based IPSec VPN
3. Certificate settings

Optionally you can add an additional VA for disaster recovery
Expand IPSec VPN Certificate Authority Settings
VPN Certificate Authority: Default_CA.pem
VPN Server Certificate: VPN-cert_key_cert.pem
VPN Server Cert Private Key: VPN-cert_key_cert.pem
Click
Note: Server certificates for the VPN were created in the HiveManager Certificate Authority

454

Lab: Create a Route-Based IPSec VPN
4. Verify VPN Settings Then Go To Configure & Update

Verify the Layer 3 IPSec VPN settings
Note: The WAN IP and Protocol will be updated after the configuration update is performed
Click Configure & Update Devices

455

Example: Dynamic Routing on the VA With OSPF or RIPv2

Diagram: VA WAN interface Eth0 10.200.2.X/24, gateway 10.200.2.1, OSPF area 0.0.0.0 (same as 0), in the headquarters DMZ; firewall inside interfaces bgroup0: 10.5.1.1/24 VLAN 1 OSPF area 0, bgroup0.2: 10.5.2.1/24 VLAN 2 OSPF area 0, bgroup0.8: 10.5.8.1/24 VLAN 8 OSPF area 0, bgroup0.10: 10.5.10.1/24 VLAN 10 OSPF area 0; branch office BR100 with sub network 10.102.1.0/24 across the Internet.

In a one-armed configuration, OSPF or RIPv2 can be enabled on the WAN interface to dynamically learn network routes from the network (e.g. firewall), and to advertise the routes it learns from the branch sites to the network (e.g. firewall)

456

Example: Routes Learned via OSPF and Between the VA and Branch Routers

Diagram: Headquarters VA WAN interface Eth0 10.200.2.2/24, gateway 10.200.2.1, OSPF area 0.0.0.0 (same as 0); firewall inside interfaces bgroup0: 10.5.1.1/24 VLAN 1, bgroup0.2: 10.5.2.1/24 VLAN 2, bgroup0.8: 10.5.8.1/24 VLAN 8, bgroup0.10: 10.5.10.1/24 VLAN 10, all OSPF area 0; IPSec VPN across the Internet to Branch Office 1 (BR100, sub network 10.102.1.0/24).

VA routes to Headquarters (learned via OSPF): 10.5.1.0/24 to 10.200.2.1, 10.5.2.0/24 to 10.200.2.1, 10.5.8.0/24 to 10.200.2.1, 10.5.10.0/24 to 10.200.2.1
VA routes to Branch 1: 10.102.1.0/24 through VPN
Branch 1 routes through VPN: 10.5.1.0/24, 10.5.2.0/24, 10.5.8.0/24, 10.5.10.0/24
Branch 1 local routes: Network 10.102.1.0/24
Branch 1 default route: 0.0.0.0/0

Note: Aerohive uses a TCP-based mechanism through the VPN tunnel to check for route updates between branch sites and the VPN Gateways every minute by default.

457

Lab: Create a Route-Based IPSec VPN
5. Modify the settings for your VPN Gateway

Choose the Current Policy filter
Under L3 VPN Gateway, click the link to modify your VPN Gateway: HiveOS-VA-XX

458

Lab: Create a Route-Based IPSec VPN
6. Modify the IP settings on the VPN Gateway

By default the management Network is set to the Quick Start Management Network: QS-MGT-172.18.0.0
Set the IP address of the Eth0 (WAN) Interface: 10.200.2.X/24 (X=2,3,..,14,15)
Set the Default Gateway: 10.200.2.1
Do not

459

Lab: Create a Route-Based IPSec VPN
7. Enable OSPF on the VPN Gateway

Check the box to Enable dynamic routing and select OSPF
Set the Eth0 (WAN) interface to run OSPF so that it can advertise and learn routes from the network: check Eth0 (WAN)
Uncheck Eth1 (LAN) because the eth1 interface is not in use
Use the default Area: 0.0.0.0 (which is

460

Note: Internal Networks Required if a Dynamic Routing Protocol is Not Enabled

If the VPN Gateway is configured with static routes, or just has a single default gateway to a router, you can specify which networks to advertise to the branch office networks by specifying Internal Networks
Any Internal Network defined here will be advertised to the branch office networks through the VPN tunnels, so the branch office routers know which networks to route through the VPN to headquarters

461

Lab: Create a Route-Based IPSec VPN
8. Upload the Configuration of Your Devices

Select the Filter: Current Policy
Select all your devices
Click Update

462

Lab: Create a Route-Based IPSec VPN
9. Upload the Configuration of Your Devices

Select Update Devices
Select Perform a complete configuration update for all selected devices
Click Update
For this class, ALL updates should be Complete configuration updates

463

Lab: Create a Route-Based IPSec VPN
10. Upload the Configuration of Your Devices

When the Reboot Warning box appears, select OK
Click OK

464

Lab: Create a Route-Based IPSec VPN
11. Wait for the update to complete and verify VPN

When the VPN Server and Client icons are green, then you know the VPN is up.

465

VPN TROUBLESHOOTING

466

LAB: VPN Troubleshooting
1. Aerohive device VPN Diagnostics

Go to Monitor > Devices > All Devices
Select one of the VPN devices: SR-0X-######
Click Utilities... > Diagnostics > Show IKE Event
Verify that both Phase 1 and Phase 2 are successful

467

LAB: VPN Diagnostics
2. Aerohive device VPN Diagnostics Phase 1

Select one of the VPN devices: SR-0X-######
Click Tools... > Diagnostics > Show IKE Event
Possible problems if Phase 1 fails:
Certificate problems
Incorrect networking settings
Incorrect NAT settings on external firewall
Possible problems if Phase 2 fails:
Mismatched transform sets between the client and server (encryption algorithm, hash algorithm, etc.)

468

LAB: VPN Diagnostics
3. Aerohive device VPN Diagnostics Phase 1

Click Tools... > Diagnostics > Show IKE Event
If you see that phase 1 failed due to a certificate problem:
Check the time on the Aerohive devices:
show clock
show time
Ensure you have the correct certificates loaded on the Aerohive APs in the VPN services policy

469

LAB: VPN Diagnostics
4. Aerohive device VPN Diagnostics Phase 1

Click Tools... > Diagnostics > Show IKE Event
If you see that phase 1 failed due to wrong network settings:
Check the IP settings in the VPN services policy
Check the NAT settings on the external firewall

470

LAB: VPN Diagnostics
5. Aerohive device VPN Diagnostics Phase 1

Click Utilities... > Diagnostics > Show IKE SA
Phase 1 has completed successfully if you reach step #9
If step #9 is not established then one of these problems exists:
Certificate problems
Incorrect networking settings
Incorrect NAT settings on external firewall

471

LAB: VPN Diagnostics
6. Aerohive device VPN Diagnostics Phase 2

Click Utilities... > Diagnostics > Show IPSec SA
Note: A VPN is clearly functional if you see the tunnel from the MGT0 IP of the VPN client to the (NAT) address of the MGT0 of the VPN Server, and the reverse. Both use different SAs (Security Associations)
State: Mature
If Phase 2 fails: Check the encryption & hash settings on the VPN client and the VPN server

472

Lab: VPN Diagnostics
7. View the VPN Topology to Verify VPN Status

In the Layer 3 IPSec VPN section, click VPN Topology
Please be patient, it will take a minute or two for the VPNs to establish
If the devices show up green with a line between them, the VPN is operational
Click Refresh if the devices are not green after a moment

473

VERIFY VPN STATUS AND DYNAMIC ROUTING

474

Lab: Verify VPN and Dynamic Routing
2. View the VPN Topology to Verify VPN Status

To verify the routes learned via OSPF:
Go to Monitor > VPN Gateways
Check the box next to your HiveOS-VAXX
Select Utilities... > SSH Client

475

Lab: Verify VPN and Dynamic Routing
3. Use CLI Commands to Verify OSPF Routes

show OSPF route (wait about 10 seconds, then press Enter twice)
You should see four OSPF routes in this lab
show OSPF neighbor (press Enter twice)
You should see at a minimum the firewall at 209.128.124.196 as a neighbor with a Full/DR state

476

Lab: Verify VPN and Dynamic Routing
4. View the routes on a branch router

To verify the routes learned through the VPN on a branch router:
Go to Monitor > Routers
Check the box next to your router: SR-XX-######
Select Utilities... > Diagnostics > Show IP Routes

477

Lab: Verify VPN and Dynamic Routing
5. View the routes on a branch router

You should see at a minimum routes to 10.5.1.0/24, 10.5.2.0/24, 10.5.8.0/24, and 10.5.10.0/24, all through the VPN tunnel0 interface
High metrics are used for routes learned from OSPF and advertised through the VPN, so that if the network exists locally, the local route will be preferred
Note: Higher metrics have more
You will also learn the routes for networks at the other branch sites through the VPN tunnel

478

For Information: This is the OSPF configuration on the training Juniper SSG

ssg5-3-lab-> set vr trust
ssg5-3-lab(trust-vr)-> set protocol OSPF
ssg5-3-lab(trust-vr/OSPF)-> set enable
ssg5-3-lab(trust-vr/OSPF)-> exit
ssg5-3-lab(trust-vr)-> exit
ssg5-3-lab-> set int bgroup0 protocol OSPF area 0
ssg5-3-lab-> set int bgroup0 protocol OSPF enable
ssg5-3-lab-> set int bgroup0.2 protocol OSPF area 0
ssg5-3-lab-> set int bgroup0.2 protocol OSPF enable
ssg5-3-lab-> set int bgroup0.8 protocol OSPF area 0
ssg5-3-lab-> set int bgroup0.8 protocol OSPF enable
ssg5-3-lab-> set int bgroup0.10 protocol OSPF area 0
ssg5-3-lab-> set int bgroup0.10 protocol OSPF enable

479

TEST WLAN ACCESS THROUGH THE VPN
The steps for LAN access are similar

480

Lab: Test Wireless LAN Access
1. Connect your computer to the SSID: Class-PSK-X

Single-click the wireless icon on the bottom right corner of the Windows task bar
Click your SSID Class-PSK-X
Click Connect
Security Key: aerohive123
Click OK

481

Lab: Test WLAN VPN Access
2. Ping a server through the VPN

Diagram: Headquarters VPN Gateway in the DMZ, IPSec VPN across the Internet to Branch Office 1 (BR100).

From your PC, ping 10.5.1.20, which is a server in the Santa Clara, California data center

482

Lab: Test WLAN VPN Access
3. View your client information in Wireless Clients

From your virtual PC, connect to HiveManager through the VPN: https://10.5.1.20
View your client in the Active Clients list by going to: Monitor > Clients > Wireless Clients

483

POLICY-BASED ROUTING (PBR)
Not this PBR:

484

*A low cost American beer that has been around a long time, but was not popular. However, over the last few years it has become more popular in bars and
Aerohive Policy-Based Routing

Diagram: branch router with VPN to HQ, Internet, 3G/4G/LTE and PoE connections, serving Guests and Employees.

Policy-based routing is used mainly in conjunction with the layer 3 IPSec VPN tunneling capabilities, though it does not require VPN

485
Aerohive Policy-Based Routing

Diagram: branch router with VPN to HQ, Internet, 3G/4G/LTE and PoE connections, serving Guests and Employees.

Policy-based routing lets you decide how traffic is forwarded out of a router
Decisions are made based on IP reachability of tracked IP addresses and user profiles
Forwarding can be out any WAN port, USB wireless, Wi-Fi connection, or VPN

486
Route-based VPN: Private vs. Internet Traffic

Diagram: HQ Corporate Network 10.1.0.0/16 (Internal) behind the Corp Router; VPN Gateway routes: 10.1.0.0/16 to Corp Router, 172.28.2.0/24 to VPN Tunnel A, 0.0.0.0/0 to Internet Gateway; Branch Office BR100 on Tunnel A with local network 172.28.2.0/24, route 10.1.0.0/16 through the VPN tunnel, route 0.0.0.0/0 to Internet Gateway.

Three types of routes in a branch office are:
Private routes learned over the VPN from the VPN gateway, such as 10.1.0.0/16 in this example
Branch routes to other routers in the branch office, which can be advertised to HQ over the VPN tunnel
Internet routes: essentially the default route

POLICY-BASED ROUTING

488

Policy-Based Routing: Custom Rules
Overview of Fields

Source and Destination are used to match a packet
Forwarding actions determine where to send the packet

489

Policy-Based Routing: Forwarding and Backup Forwarding Actions

The backup forwarding action occurs when the interface used for the forwarding action goes down, or when specific IP addresses are not reachable via the interface used for the forwarding action (using Track IP)

490

LAB: CREATE A WAN IP TRACKING POLICY

491

Track IP for Router WAN Connectivity

Diagram: branch router with VPN to HQ, Internet (Track IP toward ntp1.aerohive.com 206.80.44.205), 3G/4G LTE and PoE connections, serving Guests and Employees.

Uses ping to track IP addresses you specify on the Internet
For example, you can track ntp1.aerohive.com (206.80.44.205)
If no response is received, you can make routing decisions such as failing over to wireless USB (3G/4G LTE)

492

Lab: WAN IP Tracking
1. Create an IP tracking policy

To configure Policy-Based routing:
Go to Configuration
Select your Network policy: Access-X and click OK
Next to Additional Settings click Edit

493

Lab: WAN IP Tracking
2. Create an IP tracking policy

Expand Service Settings
For Track IP Groups for WAN Interface, there are two backup track IP groups and one primary
Next to Primary, click +

494

Lab: WAN IP Tracking
3. Create an IP tracking policy

Track IP Group Name: Track-X
Under Tracking group type select For WAN interface
Ensure Enable IP tracking is checked
For the IP addresses, enter: 8.8.8.8,4.2.2.2
Take action when: all targets become unresponsive
Click Save

495

Lab: WAN IP Tracking
4. Create an IP tracking policy

In Track IP Groups for WAN Interface
Select the Primary Track IP Group: Track-X
Click Save
Next you will configure the routing policy
Note: You can specify Track IP Groups for Backup1 and Backup2 as well. The policy-based routing policy determines if backup1 fails to backup2, or backup2 fails to a Wi-Fi client connection, for example.

496
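The following is an added example, not Aerohive code, that models what a Track IP group decides and how the primary, backup1 and backup2 groups chain into a failover order. Track-X with targets 8.8.8.8 and 4.2.2.2 and the rule "take action when all targets become unresponsive" come from the lab; the backup group names, their target addresses (8.8.4.4, 4.2.2.1), the "any" trigger variant and the ping results are constructed for the example.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional

# Added example, not Aerohive code: a model of Track IP groups for the WAN
# interfaces and of the failover order primary -> backup1 -> backup2 -> USB.
# The backup group names, their targets and the ping results are constructed;
# the "any" trigger is an assumed alternative to the lab's "all" rule.


class TrackIpGroup:
    """The IP targets pinged out of one WAN interface, plus the trigger rule."""

    def __init__(self, name: str, wan: str, targets: Iterable[str],
                 trigger: str = "all"):
        if trigger not in ("all", "any"):
            raise ValueError("trigger must be 'all' or 'any'")
        self.name = name
        self.wan = wan                      # interface this group tracks
        self.targets = [str(ipaddress.ip_address(t)) for t in targets]
        self.trigger = trigger              # "all": act when all targets are unresponsive

    def interface_up(self, ping_results: Dict[str, bool]) -> bool:
        """True while the tracked WAN is still considered usable."""
        # A target missing from the results counts as unresponsive.
        replies = [ping_results.get(t, False) for t in self.targets]
        if self.trigger == "all":
            # Act (mark the WAN down) only when every target is silent.
            return any(replies)
        # "any": act as soon as a single target stops responding.
        return all(replies)


def select_wan(groups: List[TrackIpGroup], ping_results: Dict[str, bool],
               last_resort: Optional[str] = "USB (3G/4G LTE)") -> Optional[str]:
    """Walk the groups in priority order and return the first usable WAN."""
    for group in groups:
        if group.interface_up(ping_results):
            return group.wan
    return last_resort


# The lab's primary group, followed by constructed backup groups.
LAB_GROUPS: List[TrackIpGroup] = [
    TrackIpGroup("Track-X", "Primary WAN", ["8.8.8.8", "4.2.2.2"], "all"),
    TrackIpGroup("Track-X-Backup1", "Backup WAN-1", ["8.8.4.4"], "all"),
    TrackIpGroup("Track-X-Backup2", "Backup WAN-2", ["4.2.2.1"], "all"),
]


def lab_failover(ping_results: Dict[str, bool]) -> Optional[str]:
    """Which WAN the lab policy would use for the given ping results."""
    return select_wan(LAB_GROUPS, ping_results)


if __name__ == "__main__":
    # One primary target still answers: the primary WAN stays up.
    print(lab_failover({"8.8.8.8": False, "4.2.2.2": True, "8.8.4.4": True}))
    # Both primary targets silent: fail over to Backup WAN-1.
    print(lab_failover({"8.8.8.8": False, "4.2.2.2": False, "8.8.4.4": True}))
```

The point of the "all targets" rule is visible in the first scenario: losing a single target (a public DNS resolver having a bad day) does not fail the primary WAN over, which avoids flapping onto a metered cellular link because of one unreachable host.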

LAB: CONFIGURE POLICY-BASED ROUTES

497

Lab: Policy-Based Routing
1. Create a Routing Policy

Expand Router Settings
Next to Routing Policy, click +

498

Note: Policy-Based Routing: Type of Rules

Here you can specify the type of routing policy rules:
Split Tunnel: Tunnel non-guest traffic to internal (HQ) routes, drop guest traffic for internal (HQ) routes, and route all other traffic to the local Internet gateway
Tunnel All: Tunnel all non-guest traffic regardless of its destination and drop all guest traffic.
Custom: Define a custom routing policy

499

Lab: Policy-Based Routing
2. Create a Routing Policy

Create New
Name: PBR-X
Under Routing Policies, select Custom
Click + to add a new policy

500

Lab: Policy-Based Routing
3. Create a Routing Policy

Source - Type: User Profile, Value: Employee-X
Destination - Type: Private (routes learned via VPN)
Forwarding Action: Corporate Network (VPN)
Backup Forwarding Action: Drop
Click the save icon to the right of the policy

501

Lab: Policy-Based Routing
4. Create a Routing Policy

Click + to create a new policy
Source - Type: User Profile, Value: Employee-X
Destination - Type: Any (All other routes)
Forwarding Action: Primary WAN
Backup Forwarding Action: Backup WAN-1 (e.g. DSL)
Click the save icon to the right of the policy

502

Lab: Policy-Based Routing
5. Create a Routing Policy

Click + to create a new policy
Source - Type: User Profile, Value: Voice-X
Destination - Type: Private (routes learned via VPN)
Forwarding Action: Corporate Network (VPN)
Backup Forwarding Action: USB (USB Wireless - LTE)
Click the save icon to the right of the policy

503

Lab: Policy-Based Routing
6. Create a Routing Policy

Click + to create a new policy
Source - Type: User Profile, Value: Guest-X
Destination - Type: Private (routes via VPN)
Forwarding Action: Drop
Click the save icon to the right of the policy

504

Lab: Policy-Based Routing
7. Create a Routing Policy

Click the top +
Click + on top (Note: This is to show an important point)
Source - Type: User Profile, Value: Guest-X
Destination - Type: Any
Forwarding Action: Primary WAN
Backup Forwarding Action: Drop
Click the save icon to the right of the policy

505

Lab: Policy-Based Routing
8. Create a Routing Policy

Question: What is wrong with this policy?
Answer: All guest traffic will match the first policy, and no other policy will be used. Guest traffic may be able to access the local branch network if not blocked by firewall policy.

506

Lab: Policy-Based Routing
9. Create a Routing Policy

Click the User Profile(Guest-X), Any, Primary WAN policy and drag it to the bottom
Click Save
Additional Settings: Save
Save your Network Policy

507

Policy-Based Routing
Analysis

Processed top down:
1. User Profile(Employee) when going to a private route learned through the VPN, send to the VPN
2. User Profile(Employee) when not sending to the VPN will be sent out through the primary WAN, and if that fails, out the Backup WAN

508

Policy-Based Routing
Analysis

3. User Profile(Voice) if destined to a route learned through the VPN, forward through VPN
4. User Profile(Guest) if destined to a route learned through the VPN, drop
5. User Profile(Guest) when not sending to the VPN will be sent out through the primary WAN, and if that fails, drop

509

Policy-Based Routing
Policy Used For No Matching Routes

Question: What happens to traffic that does not match a policy-based routing rule?
Answer: The router uses its main destination routing table (i.e. standard routing)

510
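To make the top-down evaluation concrete, here is an added example, not Aerohive code, that models a branch router's routing table (the three route types from the route-based VPN slide: private routes learned over the VPN, local branch routes, and the Internet default route) together with the PBR-X rules from steps 3 to 9, the step 7 ordering mistake, Track IP driven backup actions, and the fall-through to the main routing table for unmatched traffic. The route entries, interface-state dictionary and the Branch LAN and Contractor names are constructed for the example; the rule semantics follow the slides.

```python
import ipaddress
from typing import Dict, List, NamedTuple

# Added example, not Aerohive code: branch routing table plus top-down PBR rule
# evaluation, built from the lab's PBR-X rules. Routes, interface states and
# the "Branch LAN" / "Contractor" names are constructed for the example.


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    kind: str   # "private" (learned over the VPN), "local" (branch), "internet" (default)
    via: str    # next-hop interface used by the main routing table


class Rule(NamedTuple):
    source: str        # user profile name, or "Any"
    destination: str   # "Private" (routes learned via VPN) or "Any"
    action: str        # forwarding action: an interface name, or "Drop"
    backup: str        # backup forwarding action, or "" when none is defined


VPN = "Corporate Network (VPN)"
PRIMARY = "Primary WAN"
BACKUP1 = "Backup WAN-1 (e.g. DSL)"
USB = "USB (USB Wireless - LTE)"

# Constructed branch routing table mirroring the lab: HQ networks learned
# through the VPN, the local 10.102.1.0/24 subnet, and a default route.
BRANCH_ROUTES: List[Route] = [
    Route(ipaddress.ip_network("10.5.1.0/24"), "private", VPN),
    Route(ipaddress.ip_network("10.5.2.0/24"), "private", VPN),
    Route(ipaddress.ip_network("10.5.8.0/24"), "private", VPN),
    Route(ipaddress.ip_network("10.5.10.0/24"), "private", VPN),
    Route(ipaddress.ip_network("10.102.1.0/24"), "local", "Branch LAN"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "internet", PRIMARY),
]

# PBR-X in the order the lab ends with (guest "Any" rule dragged to the bottom).
PBR_X: List[Rule] = [
    Rule("Employee-X", "Private", VPN, "Drop"),
    Rule("Employee-X", "Any", PRIMARY, BACKUP1),
    Rule("Voice-X", "Private", VPN, USB),
    Rule("Guest-X", "Private", "Drop", ""),
    Rule("Guest-X", "Any", PRIMARY, "Drop"),
]

# The step 7 mistake: the guest "Any" rule added at the top shadows the
# guest "Private" drop rule, so guest traffic to HQ routes is not dropped.
PBR_X_WRONG_ORDER: List[Rule] = [PBR_X[4]] + PBR_X[:4]


def lookup(dst: str, routes: List[Route] = BRANCH_ROUTES) -> Route:
    """Longest-prefix match, as the main destination routing table does."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen)


def rule_matches(rule: Rule, profile: str, route: Route) -> bool:
    if rule.source != "Any" and rule.source != profile:
        return False
    if rule.destination == "Private":
        return route.kind == "private"
    return True  # destination "Any" matches every route


def forward(profile: str, dst: str, rules: List[Rule],
            iface_up: Dict[str, bool], routes: List[Route] = BRANCH_ROUTES) -> str:
    """Return where a packet from `profile` to `dst` is sent.

    Rules are evaluated top down and the first match wins. An interface that
    Track IP has marked down triggers the backup action; "Drop" is always
    available. Assumption for the example: if the backup interface is also
    down the packet is dropped. Unmatched traffic uses the main routing table.
    """
    route = lookup(dst, routes)
    for rule in rules:
        if not rule_matches(rule, profile, route):
            continue
        if rule.action == "Drop" or iface_up.get(rule.action, False):
            return rule.action
        if rule.backup == "Drop" or iface_up.get(rule.backup, False):
            return rule.backup
        return "Drop"
    return "main routing table -> " + route.via


if __name__ == "__main__":
    up = {VPN: True, PRIMARY: True, BACKUP1: True, USB: True}
    print(forward("Guest-X", "10.5.1.20", PBR_X, up))              # Drop
    print(forward("Guest-X", "10.5.1.20", PBR_X_WRONG_ORDER, up))  # Primary WAN
```

Running the two orderings against the same guest packet to 10.5.1.20 shows the step 8 answer directly: with the guest "Any" rule on top the packet is sent out the Primary WAN, with it at the bottom the "Private" rule drops it. The model also shows that an Employee-X packet to the local 10.102.1.50 matches the broad "Any" rule and leaves via the Primary WAN rather than the local route, which is the effect the 6.0r2a caution below describes for a Source: Any, Destination: Any rule.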

Policy-Based Routing
Caution in 6.0r2a if not using VPN

If you are not using VPN, do not create a policy-based routing rule using: Source: Any, Destination: Any
If you do, traffic may get sent back out the WAN as primary instead of being sent to a local route.

511

POLICY-BASED ROUTING SIMPLE TEST

512

Instructor Classroom demo
If time permits:

If the instructor has a 3G/4G USB dongle available:
Start a continuous ping from a classroom laptop that is communicating through an Aerohive BR-200
Remove the Ethernet cable from the primary WAN port
Wait for up to 60 seconds for the connection to fail over to the cellular network
Reconnect the Ethernet cable to the primary WAN port
Wait for up to 60 seconds for the connection to fall back to the primary WAN network

513

POLICY-BASED ROUTING DEFAULT SPLIT TUNNEL
Use if you do not want to create a custom policy and you have VPN configured

514

Policy-based routing Split Tunnel Policy

Source - User Profile
Any Guest: applies to users or devices connected to a user profile assigned to a network with the network type set to Guest Use
Any: all other non-guest user profiles

515

Policy-based routing Split Tunnel Policy
Analysis

Processed top down:
1. Traffic from any guest user profile, going to a route learned through the VPN or a local interface on the router, drop
2. Any non-guest traffic destined to a route learned through the VPN, forward through the VPN
3. All other traffic, forward out the Primary WAN interface, and if that fails, send out the backup WAN

516

BRANCH ROUTER 3G/4G MODEM SETTINGS

517

Branch Router USB Modem Settings

A wide range of USB modems is supported
The USB modem can be used when triggered by an IP-tracking policy, or it can always stay connected

518

Generic USB Modem Support

Generic USB modem support for BR200, BR100 and the 300 series APs functioning as routers
Configurable through NetConfig UI

519

COOKIE-CUTTER VPN

520

Cookie Cutter Branch Deployments

Diagram: HQ Corporate Network 10.0.0.0/8 with VPNs to Branch 1: 10.1.1.0/24, Branch 2: 10.1.1.0/24, Branch 3:

Each site, even with the same IP network, can build a VPN to the corporate network

521

Cookie Cutter Branch Deployments

Diagram: HQ Corporate Network 10.0.0.0/8 with VPNs to Branch 1: 10.1.1.0/24, Branch 2: 10.1.1.0/24, Branch 3:

Each site in a branch can be assigned to the same IP network
How can HQ access the remote sites?

522

Cookie Cutter Branch Deployments

Diagram: HQ Corporate Network 10.0.0.0/8; Branch 1: NAT 10.102.1.0/24 to 10.1.1.0/24; Branch 2: NAT 10.102.2.0/24 to 10.1.1.0/24; Branch 3: NAT 10.102.3.0/24 to

Each network can have a unique subnet allocated for each site to perform one-to-one NAT for every host in each branch office through the VPN

523

Cookie Cutter Branch Deployments
Routing on the VPN Gateway

Diagram: HQ Corporate Network 10.0.0.0/8 (Local); VPN Gateway tunnel routes: 10.102.1.0/24 tunnel 1, 10.102.2.0/24 tunnel 2, 10.102.3.0/24 tunnel 3; Branch 1: NAT 10.102.1.0/24 to 10.1.1.0/24; Branch 2: NAT 10.102.2.0/24 to 10.1.1.0/24; Branch 3: NAT 10.102.3.0/24 to

The branch routers advertise their NAT subnets to the VPN Gateways

524

Cookie Cutter Branch Deployments

Diagram: HQ Corporate Network 10.0.0.0/8
Branch 1: NAT 10.102.0.0/24 to 10.1.1.0/24, which NATs: 10.102.1.1 to 10.1.1.1, 10.102.1.2 to 10.1.1.2, .., 10.102.1.255 to 10.1.1.255
Branch 2: NAT 10.102.2.0/24 to 10.1.1.0/24, which NATs: 10.102.2.1 to 10.1.1.1, 10.102.2.2 to 10.1.1.2, .., 10.102.2.255 to 10.1.1.255
NAT subnets are unique subnets per site (non cookie-cutter), and can be mapped to sites dynamically, or via device classification
Each NAT IP address can be accessed from corporate through the VPN
Each NAT mapping is bidirectional, so traffic to HQ will be sourced from each NAT address
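To make the one-to-one subnet NAT on the slides above concrete, here is an added Python model (written for this edit, not Aerohive code): every branch keeps the same cookie-cutter subnet 10.1.1.0/24, each branch is allocated a unique NAT /24 from a pool, outbound traffic leaves sourced from each host's NAT twin, and HQ-initiated traffic to a NAT address is mapped back to the local host behind the right tunnel. The pool 10.102.0.0/16, the branch names and the pinned site are assumptions; the allocator also goes one step beyond the slides by handling both dynamic and classification-pinned allocation in one routine.

```python
"""Cookie-cutter one-to-one subnet NAT, modelled in Python.

Added example, not Aerohive code.  Pool 10.102.0.0/16 and the branch names are
assumptions; the cookie-cutter subnet 10.1.1.0/24 comes from the slides.
"""
import ipaddress

LOCAL_SUBNET = ipaddress.ip_network("10.1.1.0/24")   # same at every branch (cookie cutter)
NAT_POOL = ipaddress.ip_network("10.102.0.0/16")     # assumed pool: 256 unique /24 NAT subnets


def allocate_nat_subnets(pool, branches, pinned=None, branch_prefix=24):
    """One unique NAT subnet per branch.

    pinned maps a branch name to the NAT subnet it must get (the lab's
    'allocate NAT subnetworks by specific IP addresses at sites' option,
    i.e. device classification); every other branch takes the next free
    subnet in pool order (dynamic allocation).
    """
    pinned = {name: ipaddress.ip_network(net) for name, net in (pinned or {}).items()}
    taken = set(pinned.values())
    free = [s for s in pool.subnets(new_prefix=branch_prefix) if s not in taken]
    allocation = {}
    for branch in branches:
        if branch in pinned:
            allocation[branch] = pinned[branch]
        elif free:
            allocation[branch] = free.pop(0)
        else:
            raise ValueError("NAT pool exhausted")
    return allocation


def clients_per_branch(subnet):
    """Usable client addresses: drop network, broadcast and the router's gateway IP."""
    return subnet.num_addresses - 3   # 253 for a /24, as the lab's review screen states


def _translate(ip, from_subnet, to_subnet):
    """Keep the host offset, swap the subnet: 10.1.1.5 <-> 10.102.2.5 for branch 2."""
    ip = ipaddress.ip_address(ip)
    if ip not in from_subnet:
        raise ValueError(f"{ip} is not in {from_subnet}")
    offset = int(ip) - int(from_subnet.network_address)
    return ipaddress.ip_address(int(to_subnet.network_address) + offset)


def outbound(packet, branch, allocation):
    """Branch -> HQ through the tunnel: the source becomes the host's NAT address."""
    nat_subnet = allocation[branch]
    src = _translate(packet["src"], LOCAL_SUBNET, nat_subnet)
    return dict(packet, src=str(src))


def inbound(packet, allocation):
    """HQ -> branch: the destination NAT subnet selects the branch (and tunnel),
    then the mapping is reversed so the packet reaches the local host."""
    dst = ipaddress.ip_address(packet["dst"])
    for branch, nat_subnet in allocation.items():
        if dst in nat_subnet:
            local = _translate(dst, nat_subnet, LOCAL_SUBNET)
            return branch, dict(packet, dst=str(local))
    raise LookupError(f"no NAT subnet covers {dst}; HQ cannot reach it through a tunnel")


def tunnel_routes(allocation):
    """What the VPN gateway learns: each branch advertises its NAT subnet, never 10.1.1.0/24."""
    return {str(nat_subnet): f"tunnel to {branch}" for branch, nat_subnet in allocation.items()}


if __name__ == "__main__":
    # Constructed scenario: three branches, branch 3 pinned by device classification.
    alloc = allocate_nat_subnets(NAT_POOL, ["Branch1", "Branch2", "Branch3"],
                                 pinned={"Branch3": "10.102.3.0/24"})
    for name, net in alloc.items():
        print(name, "->", net, "(%d clients)" % clients_per_branch(net))
    # The same local host at two branches leaves with two different NAT sources.
    pkt = {"src": "10.1.1.5", "dst": "10.5.1.10"}
    print(outbound(pkt, "Branch1", alloc)["src"], outbound(pkt, "Branch2", alloc)["src"])
    # HQ sending to a NAT address lands on the right branch and host.
    print(inbound({"src": "10.5.1.10", "dst": "10.102.3.20"}, alloc))
    print(tunnel_routes(alloc))
```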

LAB: COOKIE-CUTTER VPN

Lab: Cookie Cutter

1. Create a new Employee Network

Next to VLAN 10, click on your network: Network-Employee-1XX
Choose Network, click New

Lab: Cookie Cutter

2. Create a new Employee Network

Enter the network name: 10.1.1.0-EmployeeX
DNS Service, select the quick start automatically generated object: Class
Network Type: Internal Use
Under subnetworks click New
NOTE: This Quick Start DNS Service object sets clients to use the router interface IP as the DNS server, and will proxy the DNS requests to the DNS server learned statically or by DHCP on the WAN interface

Lab: Cookie Cutter

3. Replicate the Network

Select Replicate the same subnetwork at each site
Local Subnetwork: 10.1.1.0/24
Select Use the first IP address of the partitioned subnetwork for the default gateway
Do not save yet

NOTE: You can now use the first or last IP address for each branch subnet for the default gateway assigned to the routers for these subnets

Lab: Cookie Cutter

4. Enable DHCP

Check Enable DHCP server
NOTE: In most cases, the router will be the DHCP server. However, if it is not, you can disable the DHCP service and this network definition will only be used to configure the router interface IP addresses.
For the DHCP Address Pool, move the slider bar to reserve 10 IP addresses at the start and end of the address

Lab: Cookie Cutter

5. NAT settings

Check Enable NAT through the VPN tunnels
Number of branches: 256
NAT IP Address Space Pool: 1.1XX.0.0 Mask 16
XX=102,103,..,114,115
Note: We are using 1.1XX.0.0 instead of

Lab: Cookie Cutter

6. NAT settings

Check Allocate NAT subnetworks by specific IP addresses at sites
Click New
IP Address: 1.1XX.1.1
Type: Device Tags
Value: Site-Xa (Your Switch)
Click Apply
NOTE: Any device tag you have defined elsewhere is automatically populated. You can also start typing to narrow the value list

With these settings, each site will get assigned to one of the /24 NAT subnets in 1.1XX.0.0/16. Entering a single IP address locks the NAT IP address and the NAT subnet to which it belongs to a specific site.

Lab: Cookie Cutter

7. Save cookie cutter network

Verify your settings
Click Save

Lab: Cookie Cutter

7. Review and save

Your network will have one NAT subnetwork: 1.1XX.0.0/16 that will support 256 branches with 253 clients per branch, and subnet 10.1.1.0/24 will be assigned to each site for DHCP
Click Save
Click OK

Lab: Cookie Cutter

8. Save your network policy and continue

From the Configure Interfaces & User Access bar, click Continue

PERFORM A COMPLETE UPLOAD

Lab: Update Router Configuration

1. Update your routers

Select the Filter: Current Policy
Select all your Routers
Click Update

Lab: Update Router Configuration

2. Update your routers

Select Update Devices
Select Perform a complete configuration update for all selected devices
Click Update

For this class, ALL updates should be Complete configuration updates

Lab: Update Router Configuration

3. Update your routers

When the Reboot Warning box appears, select OK
Click OK

VIEW SUBNET ALLOCATION REPORT

Cookie Cutter Branch Deployments
Routing on the VPN Gateway

Diagram: HQ Corporate Network 10.0.0.0/8 (Local); Tunnel Routes: 10.102.1.0/24 tunnel 1, 10.102.2.0/24 tunnel 2, 10.102.3.0/24 tunnel 3; Branch 1: NAT 10.102.1.0/24 to 10.1.1.0/24; Branch 2: NAT 10.102.2.0/24 to 10.1.1.0/24; Branch 3: NAT 10.102.3.0/24 to
The branch routers advertise their NAT subnets to the VPN Gateways

Lab: Subnet Allocation Report

1. View the IP addresses assigned to the routers

From Monitor, in the navigation tree, click Subnetwork Allocation
Under Network Name, select 10.1.1.0-Employee-X
Note the unique NAT networks and the cookie-cutter network

Note: One subnet was assigned via classification. The others were assigned dynamically.

SIMULATED ROUTER CLEANUP

Lab: Remove Simulated Routers

1. Select and remove your simulated routers

The simulated routers were used to show the subnet allocation report
Now that you have seen how subnetworks are allocated to routers, we can remove the simulated routers

From Configuration > Routers, check the box next to your simulated devices that start with: SR-02-SIMUXXXXXX
Warning: Do NOT remove the real router
Click Device Inventory and click Remove
Click Remove from the warning popup

LAYER 3 IPSEC VPN
REDUNDANT VPN GATEWAYS

Router IPSec VPN Lab
Using Two VPN Gateways

Diagram (Headquarters):
Firewall eth0/0 209.128.76.30; NAT 209.128.76.28 to 10.1.101.2; NAT 209.128.76.29 to 10.1.102.2
Firewall eth0/1.1 - 10.1.101.1/24, vlan 101, Protocol OSPF area 0.0.0.1
Firewall eth0/1.2 - 10.1.102.1/24, vlan 102, Protocol OSPF area 0.0.0.2
Firewall eth0/2 10.5.1.1/24, Protocol OSPF area 0.0.0.0; Inside Internal Network; AD Server 10.5.1.10
DMZ: 802.1Q VLAN trunk carrying VLAN 101 and VLAN 102; Protocol OSPF cost 1000
VPN Gateway 1: LAN 1: 10.1.101.2/24, Protocol OSPF area 0.0.0.1
VPN Gateway 2: LAN 1: 10.1.102.2/24, Protocol OSPF area 0.0.0.2
Diagram (Branch Office): Tunnel 1 to 209.128.76.28 pref 1; Tunnel 2 to 209.128.76.29 pref 2; VLAN 10 10.1.1.0/24 Employee Net; One-to-One Subnet NAT

Router IPSec VPN Lab
Using Two VPN Gateways

Diagram (Headquarters):
FW eth0/0 209.128.76.30; NAT 209.128.76.28 to 10.1.101.2; NAT 209.128.76.29 to 10.1.102.2
FW eth0/1.1 - 10.1.101.1/24, vlan 101, Protocol OSPF area 0.0.0.1
FW eth0/1.2 - 10.1.102.1/24, vlan 102, Protocol OSPF area 0.0.0.2
FW eth0/2 10.5.1.1/24, Protocol OSPF area 0.0.0.0; Inside Internal Network; AD Server 10.5.1.10
DMZ: 802.1Q VLAN trunk carrying VLAN 101 and VLAN 102; Protocol OSPF cost 1000
VPN Gateway 1 (eth0): LAN 1: 10.1.101.2/24, Protocol OSPF area 0.0.0.1
VPN Gateway 2 (eth0): LAN 1: 10.1.102.2/24, Protocol OSPF area 0.0.0.2

VPN tunnels are built from branch offices to the VPN gateways
Traffic from the branch offices is decrypted at the VPN gateways and sent to the DMZ firewall for access to the Internet network
Traffic destined to IP addresses at branch offices is sent to the firewall, which looks up the IP and finds the route to the VPN gateway, which encrypts it and sends it through a tunnel to a branch office

Cookie Cutter Branch Deployments
Routing on the VPN Gateway

Diagram: HQ Corporate Network 10.0.0.0/8 (Local); Tunnel Routes: 10.102.1.0/24 tunnel 1, 10.102.2.0/24 tunnel 2; Branch 1: NAT 10.102.1.0/24 to 10.1.1.0/24; Branch 2: NAT 10.102.1.0/24 to 10.1.1.0/24
The branch routers advertise their NAT subnets to the VPN Gateways

FW Configuration for Accessing VPN Gateways 1 and 2

set interface bgroup0.5 tag 101 zone Trust
set interface bgroup0.6 tag 102 zone Trust
set interface bgroup0.5 ip 10.1.101.1/24
set interface bgroup0.6 ip 10.1.102.1/24
set interface bgroup0.5 route
set interface bgroup0.6 route
set int bgroup0.5 protocol OSPF area 0.0.0.1
set int bgroup0.5 protocol OSPF enable
set int bgroup0.6 protocol OSPF area 0.0.0.2
set int bgroup0.6 protocol OSPF enable
set interface "ethernet0/0" mip 209.128.76.28 host 10.1.101.2
set interface "ethernet0/0" mip 209.128.76.29 host 10.1.102.2
set interface "ethernet0/0" mip 209.128.76.28 host 10.1.101.2 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet0/0" mip 209.128.76.29 host 10.1.102.2 netmask 255.255.255.255 vr "trust-vr"
set policy id 18 from "Untrust" to "Trust" "Any" "MIP(209.128.76.28)" "ANY" permit
set policy id 19 from "Untrust" to "Trust" "Any" "MIP(209.128.76.29)" "ANY" permit

CONFIGURING LAYER 3 IPSEC VPN WITH REDUNDANCY
INSTRUCTOR ONLY: THESE STEPS HAVE ALREADY BEEN PERFORMED

Layer 3 VPN Instructor Only Steps

Under Layer 3 IPSec VPN, click Choose

Layer 3 VPN Instructor Only Steps

Name: Corp-VPN (shared by all network policies in class)
Layer 3 VPN
VPN Gateway: VPN-Gateway-1
External IP: 1.2.2.241
Click Apply

Layer 3 VPN Instructor Only Steps

Under VPN Gateway Settings
Click New
VPN Gateway: VPN-Gateway-2
External IP: 1.2.2.242
Click Apply

Layer 3 VPN Instructor Only Steps

Two new certificates were created for this lab; you can use those or the defaults if the root CA did not change
Click Save

Layer 3 VPN Instructor Only Steps

From Configuration > Show Nav > VPN Gateways
Modify VPN-Gateway-1

Layer 3 VPN Instructor Only Steps

Note: VPN Gateways are not assigned to a Network policy, they just use a Management network
ETH0 (WAN): 10.200.2.241/24
Default Gateway: 10.200.2.1
Enable Dynamic Routing
Select OSPF
Route Advertisement: Select Eth0(WAN), Deselect Eth1

Layer 3 VPN Instructor Only Steps

From Configuration > VPN Gateways
Modify VPN-Gateway-2

Layer 3 VPN Instructor Only Steps

Note: VPN Gateways are not assigned to a Network policy, they just use a Management network
ETH0 (WAN): 10.200.2.242/24
Default Gateway: 10.200.2.1
Enable Dynamic Routing
Select OSPF
Route Advertisement: Select Eth0(WAN), Deselect Eth1 (LAN)
Area: 0.0.0.0
Click Save

Layer 3 VPN Instructor Only Steps

Select Update Devices
Select Perform a complete configuration update for all selected devices
Click Update

For this class, ALL updates should be Complete configuration updates

LAB: TWO VPN GATEWAYS
STUDENTS ADD CORP VPN TO THEIR NETWORK POLICY

Lab: Two VPN Gateways

1. Add the Corp-VPN policy

In your network policy next to Layer 3 IPSec VPN click Choose
Select Corp-VPN
Click OK
Save the Network Policy
Click Continue

Lab: Two VPN Gateways

2. Select the router

Choose the current policy filter and select your router
Click Update Devices and perform a complete upload

Lab: Two VPN Gateways

4. Verify the VPN topology

Wait about 5 minutes
When the VPNs are established, you can click the VPN Topology link to see live VPN status
Click Refresh to update

BRANCH ROUTER WAN INTERFACE NAT PORT FORWARDING

Branch Router WAN Interface NAT Port Forwarding

Use port forwarding from a public WAN interface on a branch router to reach a server within a private network
This works very well for cookie cutter deployments!!

Diagram: Internet client opens http://2.1.1.100:8005 (IP #5) or http://2.1.1.100:8006 (IP #6); SR2024 as Branch Router, WAN: 2.1.1.100; Web Server1 10.1.1.5 Port 80; Web Server2 10.1.1.6 Port 80; PoE; AP
NAT Port Forwarding Rules: Outside: 2.1.1.100:8005, Inside: 10.1.1.5:80; Outside: 2.1.1.100:8006, Inside: 10.1.1.6:80

LAB: CONFIGURE BRANCH ROUTER WAN INTERFACE NAT PORT FORWARDING

LAB: WAN Interface NAT Port Forwarding

1. Modify the Cookie-Cutter Network

From your network policy, under VLAN-to-Subnet Assignments for Router Interfaces
Modify your 10.1.1.0-Employee-X network
Click the icon and select Edit

LAB: WAN Interface NAT Port Forwarding

2. Modify the Cookie-Cutter/NAT Network

Click the link to edit the subnet: 1.1XX.0.0/16

LAB: WAN Interface NAT Port Forwarding

3. Enable port forwarding

In the Network Address Translation (NAT) Settings section
Check Enable port forwarding through the WAN interfaces

LAB: WAN Interface NAT Port Forwarding

4. View Aerohive Ports

Click View Aerohive Ports to see the ports that are already in use on Aerohive routers that you cannot use for port forwarding

NOTE: Always have excludes from the DHCP pool

In order for port forwarding to work, you must have addresses excluded at the start of the DHCP pool
For example, if you have a web server at every site that will be the 5th IP address from the start of the pool, e.g. 10.1.1.5, then you must have the DHCP exclusion for the first 5 IP addresses so that 10.1.1.5 can be

LAB: WAN Interface NAT Port Forwarding

5. Create port forwarding rules

Click New to create a port forwarding rule

LAB: WAN Interface NAT Port Forwarding

6. Create port forwarding rules

Destination Port Number: 8005
Local Host IP Address Position: 1
Internal Host Port Number: 80
Traffic Protocol: TCP
Click Apply

LAB: WAN Interface NAT Port Forwarding

7. Create port forwarding rules

Create several more rules

LAB: WAN Interface NAT Port Forwarding

8. Create port forwarding rules

Destination Port: 8005
This is the port clients will use from the Internet to access the internal server: https://WAN-IP:8005
Click on IP Address Mapping to see how each position maps to an internal cookie-cutter IP address
Local host IP address: The position of the IP address from the start of the IP address block
For /24 subnets, position 1 = .2, position
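The position-to-address rule on this slide and the DHCP exclusion note a few slides earlier are easy to get wrong at scale, so here is an added Python model (written for this edit, not Aerohive code) that resolves a site's port-forwarding rules against its cookie-cutter subnet, using the lab's convention that position 1 is the first address after the router's gateway (.2 on a /24), and flags a target that still sits inside the DHCP pool or a WAN port the router already uses. The WAN address 2.1.1.100, the rules, the exclusion sizes and the reserved-port set are constructed inputs; the arithmetic works for any prefix length, not only the /24 the lab uses.

```python
"""WAN port-forwarding rules resolved against a cookie-cutter subnet.

Added example, not Aerohive code.  Applies the lab's convention that the
'local host IP address position' counts from the first address after the
router's gateway (position 1 = .2 on a /24) and the note that a forwarded
host must lie inside the addresses excluded from the DHCP pool.  The WAN
address, rules, exclusion sizes and reserved ports are constructed inputs.
"""
import ipaddress


def host_at_position(subnet, position):
    """Position N -> the Nth address after the gateway (the subnet's first host)."""
    net = ipaddress.ip_network(subnet)
    gateway = net.network_address + 1            # lab: first IP of the partitioned subnet
    host = gateway + position
    if position < 1 or host >= net.broadcast_address:
        raise ValueError(f"position {position} is outside {net}")
    return host


def dhcp_pool(subnet, exclude_start, exclude_end):
    """Addresses the router hands out: all hosts minus the reserved ones at both ends."""
    net = ipaddress.ip_network(subnet)
    hosts = list(net.hosts())                    # .1 .. .254 on a /24
    return hosts[exclude_start:len(hosts) - exclude_end]


def resolve_rules(wan_ip, subnet, rules, exclude_start, exclude_end, reserved_ports=()):
    """Turn (destination port, position, internal port, protocol) rules into
    outside -> inside mappings for one site and flag the two misconfigurations
    the slides warn about: a target DHCP may hand to another client, and a WAN
    port the router already uses (reserved_ports: take it from View Aerohive Ports)."""
    pool = set(dhcp_pool(subnet, exclude_start, exclude_end))
    resolved = []
    for dport, position, internal_port, proto in rules:
        host = host_at_position(subnet, position)
        problems = []
        if host in pool:
            problems.append("target inside DHCP pool; raise the start exclusion")
        if dport in reserved_ports:
            problems.append(f"WAN port {dport} is already used by the router")
        resolved.append({
            "outside": f"{wan_ip}:{dport}/{proto}",
            "inside": f"{host}:{internal_port}/{proto}",
            "problems": problems,
        })
    return resolved


if __name__ == "__main__":
    # Constructed rules: the lab's 8005 -> position 1 -> port 80, plus two that should be flagged.
    rules = [(8005, 1, 80, "tcp"), (8006, 2, 80, "tcp"),
             (8007, 12, 80, "tcp"), (8010, 3, 80, "tcp")]
    # Because every site shares 10.1.1.0/24, the same rule set resolves identically
    # at each site; only the WAN address differs (constructed site list).
    for site, wan in {"Site1": "2.1.1.100", "Site2": "2.1.1.101"}.items():
        for entry in resolve_rules(wan, "10.1.1.0/24", rules, 10, 10, reserved_ports={8010}):
            print(site, entry["outside"], "->", entry["inside"], entry["problems"] or "ok")
```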

LAB: WAN Interface NAT Port Forwarding

9. Review your port forwarding rules

Review your port forwarding rules
Click Save
Click OK

LAB: WAN Interface NAT Port Forwarding

10. Save the network

Review your Network
Click Save
Click OK

LAB: WAN Interface NAT Port Forwarding

11. Save your Network Policy

Click Continue to save your Network Policy and proceed to device updates

LAB: WAN Interface NAT Port Forwarding

12. Select the router

Choose the current policy filter and select your router
Click Update Devices and perform a complete upload

LAB: WAN Interface NAT Port Forwarding

13. Verify port forwarding rules

Monitor > Routers
Select your Router
Click on Utilities > SSH Client
Click on Connect
Type: show ip iptables nat

LAB: WAN Interface NAT Port Forwarding

14. Verify port forwarding rules

CLI command: sh ip iptables nat

Note: Resize the window to see the port-forwarding rules

THE MANAGEMENT NETWORK

Aerohive Management Network

Management Network: Every AP, router, and VPN gateway has a logical management interface for: CAPWAP communication with HiveManager; cooperative control protocols like AMRP and DNXP; and management services like SNMP, SYSLOG, SCP, and SSH.
Diagram: Internet; BR200 interface mgt0 172.18.0.1/24 VLAN 1; AP interface mgt0 172.18.0.2/24 VLAN 1 (PoE cable); AP interface mgt0 172.18.0.3/24 VLAN 1 (Mesh)

Aerohive Management Network

Management subnets can be assigned to a VLAN within the unified network policy

Aerohive Management Network

Just like internal networks, management subnets can be partitioned from a parent network and then assigned dynamically by HiveManager. Management subnets can also be assigned with device classification.

Aerohive Router Interfaces

Diagram:
Ethernet Switch Ports Eth1 - Eth4 (Layer 2): assigned to VLANs and Networks by LAN Profiles; may be 802.1Q VLAN trunk ports or access ports
Logical IP Interfaces: mgt0 (Management) 172.18.0.1/24, VLAN 1; mgt0.1 10.102.0.1/24, VLAN 102 - Employee; mgt0.2 172.16.102.1/24, VLAN 202 - Guest
Router WAN Port Eth0: 192.168.1.10/24, No VLAN
Interfaces mgt0.1 through mgt0.16 may be created, each supporting routing for a different IP network.

ENABLE 802.1Q VLAN TRUNKING ON A LAN PORT

Configuring 802.1Q on a Router Port
Policies

Diagram: BR100 Logical IP Interfaces: mgt0 (Management) 172.18.0.1/24, VLAN 1 (Native); mgt0.1 10.102.0.1/24, Employee - VLAN 10; mgt0.2 10.202.0.1/24, Voice - VLAN 2; mgt0.3 192.168.83.1/24, Guest - VLAN 8; mgt0.4 172.28.0.1/25
802.1Q VLAN Trunk VLANs: 1 (Native), 2, 8, 10
AP Logical IP Interface: mgt0 (Management) 172.18.0.1/24, VLAN 1
AP Layer 2 Interfaces: VLAN 1 (Native); SSID: Class-PSK, Employee - VLAN 10; SSID: Class-Voice, Voice - VLAN 2; SSID: Class-Guest, Guest - VLAN 8
Note: You should define a native network using VLAN 1, which must match the native VLAN configured for the management interface, which by default is 1.

ROUTER STATEFUL FIREWALL POLICY
MORE THAN JUST THE 5-TUPLE

Router Firewall
General Guidelines

Router firewall is not the same firewall used in User Profiles for Aerohive access points
Firewall rules are applied in the branch router for both wireless and wired traffic
AP firewall can still be used for wireless clients if so desired
L7 not yet supported in the router firewall
Diagram: Internet; Branch Router (router firewall for wired and wireless traffic); PoE; AP (AP firewall for wireless traffic only)

Router Firewall
General Guidelines

Rules are processed top down and the first matching rule is used
After a rule is matched a stateful session is created using: Source IP, Destination IP, IP Protocol, Source Port, Destination Port
The reverse session is also created for return traffic
More than just an IP firewall, the router firewall can look at:
Traffic Source: IP Network, IP Range, Network Object, User Profile, VPN, or IP Wildcard
Traffic Destination:

Aerohive Stateful Firewall

Diagram: Inside host 10.5.1.102; Router; Internet; Web Server 72.20.106.66
Firewall Policies: Default Action: Deny

HTTP initiated from inside the network to a web server on the Internet:
Source IP 10.5.1.102, Dest IP 72.20.106.66, Proto 6 (TCP), Source Port 3456, Dest Port 80, Data: HTTP Get
The stateful firewall engine opens a pinhole for this session allowing return traffic for this session
HTTP Response is permitted because the firewall in the router is stateful (shown after NAT):
Source IP 72.20.106.66, Dest IP 10.5.1.102, Proto 6 (TCP), Source Port 80, Dest Port 3456, Data: HTTP Reply
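The session behaviour the two slides above describe (top-down first-match rules, a 5-tuple session on permit, a reverse entry for the return traffic, default deny) is small enough to model exactly; here it is as an added Python example written for this edit, not Aerohive code. It replays the slide's HTTP exchange and then the guest rule set the lab builds later in this section; the guest user profile is approximated by its subnet 192.168.83.0/24 (the lab's guest network) because the model matches on addresses rather than user profiles, and the permit rule for the inside host is an assumption since the slide only shows the default action.

```python
"""Stateful router firewall model: first-match rules, 5-tuple sessions, reverse pinhole.

Added example, not Aerohive code.  The guest profile is approximated by the
guest subnet because this model matches on IP addresses, not user profiles.
All packets and the inside permit rule are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

TCP, UDP = 6, 17


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int

    def session_key(self):
        return (self.src, self.dst, self.proto, self.sport, self.dport)

    def reverse_key(self):
        # The reverse session the engine also creates so return traffic is permitted.
        return (self.dst, self.src, self.proto, self.dport, self.sport)


def _in_net(ip, cidr):
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


@dataclass(frozen=True)
class Rule:
    src: str                     # CIDR or "any"
    dst: str                     # CIDR or "any"
    proto: Optional[int] = None  # None = any protocol
    dport: Optional[int] = None  # None = any service
    action: str = "deny"         # "permit" or "deny"

    def matches(self, pkt):
        return (_in_net(pkt.src, self.src) and _in_net(pkt.dst, self.dst)
                and self.proto in (None, pkt.proto)
                and self.dport in (None, pkt.dport))


class StatefulFirewall:
    def __init__(self, rules, default_action="deny"):
        self.rules = list(rules)          # order matters: top down, first match wins
        self.default_action = default_action
        self.sessions = set()             # 5-tuples with an open pinhole

    def lookup(self, pkt):
        for i, rule in enumerate(self.rules):
            if rule.matches(pkt):
                return rule.action, f"rule {i + 1}"
        return self.default_action, "default action"

    def process(self, pkt):
        """Return (action, reason); a permit opens the session and its reverse."""
        if pkt.session_key() in self.sessions:
            return "permit", "existing session"
        action, reason = self.lookup(pkt)
        if action == "permit":
            self.sessions.add(pkt.session_key())
            self.sessions.add(pkt.reverse_key())   # pinhole for the reply
        return action, reason


def guest_firewall():
    """The lab's guest policy: three deny rules for private ranges, then a clean-up permit."""
    guest = "192.168.83.0/24"
    return StatefulFirewall([
        Rule(guest, "10.0.0.0/8", action="deny"),
        Rule(guest, "172.16.0.0/12", action="deny"),
        Rule(guest, "192.168.0.0/24", action="deny"),   # mask 255.255.255.0 as entered in the lab
        Rule("any", "any", action="permit"),            # clean-up allow-all rule
    ])


if __name__ == "__main__":
    # Slide scenario: default deny plus an assumed rule letting inside hosts reach TCP/80.
    fw = StatefulFirewall([Rule("10.5.1.0/24", "any", TCP, 80, "permit")])
    print(fw.process(Packet("10.5.1.102", "72.20.106.66", TCP, 3456, 80)))   # HTTP Get
    print(fw.process(Packet("72.20.106.66", "10.5.1.102", TCP, 80, 3456)))   # HTTP Reply
    print(fw.process(Packet("72.20.106.66", "10.5.1.102", TCP, 80, 4444)))   # unsolicited
    gfw = guest_firewall()
    print(gfw.process(Packet("192.168.83.50", "10.5.1.10", TCP, 40000, 445)))    # to HQ AD server
    print(gfw.process(Packet("192.168.83.50", "72.20.106.66", TCP, 40001, 80)))  # to the Internet
```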

Lab: Router Firewall for Guests

1. Create a Router Firewall Profile

To implement a router firewall
In your network policy, next to Router Firewall, click Choose
In Choose Firewall click New

Lab: Router Firewall for Guests

2. Create a user profile rule

Enter a Policy Name: Firewall-X
Configure a user profile-based firewall policy rule
Select a source: User Profile Guests-X
Select a destination: IP Network 10.0.0.0/255.0.0.0
Service: [-any-]
Action: Deny
Logging: Disable
Click Apply

Lab: Router Firewall for Guests

3. Create another user profile rule

Your rule should appear
Under Policy Rules, click New
Configure a user profile-based firewall policy rule
Select a source: User Profile Guests-X
Select a destination: IP Network 172.16.0.0/255.240.0.0
Service: [-any-]
Action: Deny
Logging: Disable

Lab: Router Firewall for Guests

4. Create one more user profile rule

Your rule should appear
Under Policy Rules, click New
Configure a user profile-based firewall policy rule
Select a source: User Profile Guests-X
Select a destination: IP Network 192.168.0.0/255.255.255.0
Service: [-any-]
Action: Deny
Logging: Disable
Click Apply

Lab: Router Firewall for Guests

5. Create a clean-up allow all rule

Create a clean up rule
Under Policy Rules, click New
Configure a user profile-based firewall policy rule
Select a source: [-any-]
Select a destination: [-any-]
Service: [-any-]
Action: Permit
Logging: Disable
Click Apply

Lab: Router Firewall for Guests

6. Verify your firewall policy rules and save

Select the radio button for the Default Rule to Deny all
Note: This is not needed, but it is a good general practice.
This policy denies access to any private IP address through the router, and allows everything else
Also, you can drag and drop the rules to change their order
Click Save

Lab: Router Firewall for Guests

7. Create a Router Firewall Profile

Verify that your Router Firewall is applied: Firewall-X
Click Save

Remember this? - Routes Learned via OSPF and Between the VA and Branch Routers

Routers (VPN clients) ask the VPN Gateway for updated route information and provide their own route changes over the VPN tunnel every minute by default using a TCP request
Diagram: HQ Corporate Network 10.1.0.0/16
VPN Gateway routes: 10.1.0.0/16 to Corp Router; 172.28.0.0/24 to VPN tunnel A; 172.28.1.0/24 to VPN tunnel B; 172.28.2.0/24 to VPN tunnel C; 0.0.0.0/0 to Internet Gateway
BR100, Tunnel A, Local network 172.28.0.0/24: Route 10.1.0.0/16 through VPN tunnel; Route 172.28.1.0/24 through VPN tunnel; Route 172.28.2.0/24 through VPN tunnel
BR100, Tunnel B, Local network 172.28.1.0/24: Route 10.1.0.0/16 through VPN tunnel; Route 172.28.0.0/24 through VPN tunnel; Route 172.28.2.0/24 through VPN tunnel
BR100, Tunnel C, Local network 172.28.2.0/24: Route 10.1.0.0/16 through VPN tunnel; Route 172.28.0.0/24 through VPN tunnel; Route 172.28.1.0/24 through VPN tunnel; Route 0.0.0.0/0 to Internet Gateway

Router Firewall can be used to block communications between branch offices

Routers (VPN clients) ask the VPN Gateway for updated route information and provide their own route changes over the VPN tunnel every minute by default using a TCP request
Diagram: HQ Corporate Network 10.1.0.0/16
VPN Gateway routes: 10.1.0.0/16 to Corp Router; 172.28.0.0/24 to VPN tunnel A; 172.28.1.0/24 to VPN tunnel B; 172.28.2.0/24 to VPN tunnel C; 0.0.0.0/0 to Internet Gateway
BR100, Tunnel A, Local network 172.28.0.0/24: Route 10.1.0.0/16 through VPN tunnel; Route 172.28.1.0/24 through VPN tunnel; Route 172.28.2.0/24 through VPN tunnel
BR100, Tunnel B, Local network 172.28.1.0/24: Route 10.1.0.0/16 through VPN tunnel; Route 172.28.0.0/24 through VPN tunnel; Route 172.28.2.0/24 through VPN tunnel
BR100, Tunnel C, Local network 172.28.2.0/24: Route 10.1.0.0/16 through VPN tunnel; Route 172.28.0.0/24 through VPN tunnel; Route 172.28.1.0/24 through VPN tunnel; Route 0.0.0.0/0 to Internet Gateway

WEB PROXY FOR SECURING WEB-BASED TRAFFIC

Cloud Proxy How does it work?

1. Client makes an HTTP/HTTPS request
2. Aerohive BR checks if client network is configured to use web security
3. Aerohive BR confirms traffic is not destined for resources across the tunnel and is not whitelisted as trusted
4. Traffic is forwarded with client identity to the cloud security partner and processed based on identity

Web Security Using Websense Cloud Web Proxy

To configure Cloud Web Security, from HiveManager go to Home > Administration > HiveManager Services
Check the box next to Websense Server Settings
Check the box next to Enable Websense Server Settings
Enter the Account ID and Security key that were displayed for your Websense account
Default Domain: ah-lab.com
Click Update
Note: The default domain is only used if users do not authenticate to access the network using a mechanism that requires a domain name for login

Web Security Using Websense Cloud Web Proxy

You can use the default Web Security Whitelist to specify safe URLs that do not need to be sent through web security
Next to Web Security Whitelist, select QS-WebSense-Whitelist
Click Update
Note: To create your own whitelist or clone the quick start whitelists to make your own additions, go to: Configuration > Show Nav > Advanced Configuration > Common Objects > Device Domain Objects

Web Security Using Cloud Proxy

To get started with Cloud Web Security, from HiveManager go to Home > Administration > HiveManager Services
Check the box next to Websense Server Settings
Click the here link to sign up for a free 30-day trial
Sign up for a free 30-day Websense trial

LAB: CLOUD PROXY

LAB: Cloud proxy

1. Edit employee network settings

Cloud Web Proxy is enabled within a Network Policy
You may only want to enable this service for corporate employees
Next to your Class-PSK-X SSID, under Network(VLAN) click your network: 10.1.1.0-Employee-X
Click on the icon to edit your network

LAB: Cloud proxy

2. Enable web security

In the network for employees, next to Web Security, select Websense from the drop-down menu
You can keep the option to Deny all outbound HTTP and HTTPS traffic if connectivity to the web security server is lost
Click Save and then OK

LAB: Cloud proxy

3. Edit guest network settings

Cloud Web Proxy is enabled within a Network Policy
You may only want to enable this service for corporate employees
Next to your Class-PSK-X SSID, under Network(VLAN) click your network: 192.168.83.0-Guest-X
Click on the icon to edit your network

LAB: Cloud proxy

4. Enable web security

In the network for employees, next to Web Security, select Websense from the drop-down menu
You can keep the option to Deny all outbound HTTP and HTTPS traffic if connectivity to the web security server is lost
Click Save and then OK

LAB: Cloud proxy

5. Verify web security

Note that web security is enabled
Click Continue to save and go to updates

LAB: Cloud proxy

6. Upload policy to branch router

Update the configuration of your router
Click Settings to perform a complete update

TEST CLOUD WEB SECURITY
INSTRUCTOR DEMO
INSTRUCTOR MUST HAVE CONFIGURED THE CLASSROOM ROUTER FOR CLOUD PROXY

Lab: Test LAN Port Web Security

1. Connect your computer to Eth1 on the Router

Connect the Ethernet Port 2 of your computer to the ETH2 interface on the router
Diagram: Class Switch; BR100

Lab: Test LAN Port Web Security

2. Open web browser to a website

Diagram: Class Switch; BR100
Open a web browser on your remote computer to a respectable website
You will be redirected to a captive web portal

Lab: Test LAN Port Web Security

3. Login through the captive web portal

Enter a user name: lanuser
Password: Aerohive1
Click Log In

Lab: Test LAN Port Web Security

4. Test a web site that is forbidden

Open a web browser and try going to: www.guns.com
You should be redirected to a web page informing you that you were denied from accessing the site
This will be denied because the Websense policy used has a rule against sites that provide information about, promote, or support the sale of weapons and related items

Websense Cloud Web Security Policies

From the Websense Cloud Web Security login, you can set the web categories policies, web content security, and much more...
Note: Here you can see that there is a rule blocking Weapons sites

MISC

Overwrite protection for NetConfig UI WAN settings

The default behavior of a branch router originally set up using the NetConfig UI is protected from being overwritten by updates pushed to it from HiveManager at a later date.
Protects the NetConfig UI based WAN port configuration of BRs and routing devices
To disable the NetConfig UI settings protection for the BRs, click Configuration > Devices, select one or multiple BRs, and then click Utilities > Disable NetConfig UI WAN Configuration.

THANK YOU REALLY!!
