Summary of Contents for Extreme Networks Summit WM3000 Series
Summit WM3000 Series Controller System Reference Guide, Software Version 4.0
Extreme Networks, Inc.
3585 Monroe Street
Santa Clara, California 95051
(888) 257-3000
(408) 579-2800
http://www.extremenetworks.com
Published: December 2009
Part Number: 100352-00 Rev 01...
ReachNXT, Sentriant, ServiceWatch, Summit, SummitStack, Triumph, Unified Access Architecture, Unified Access RF Manager, UniStack, the Extreme Networks logo, the Alpine logo, the BlackDiamond logo, the Extreme Turbodrive logo, the Summit logos, and the Powered by ExtremeXOS logo are trademarks or registered trademarks of Extreme Networks, Inc.
Table of Contents
Chapter 1: About This Guide (p. 13)
  Introduction (p. 13)
  Documentation Set (p. 13)
  Document Conventions (p. 13)
  Notational Conventions (p. 14)
Chapter 2: Overview (p. 15)
  Hardware Overview (p. 15)
  Power Protection (p. 15)
  Cabling Requirements (p. 15)
  Software Overview (p. 16)
  Infrastructure Features (p. 16)
  Installation Feature (p. 17)
  Licensing Support (p. 17)
  Configuration Management (p. 17)
  Diagnostics (p. 17)...
  MU Authentication (p. 29)
  Secure Beacon (p. 30)
  MU to MU Disallow (p. 30)
  802.1x Authentication (p. 30)
  WIPS (p. 30)
  Rogue AP Detection (p. 31)
  ACLs (p. 32)
  Local Radius Server (p. 32)
  IPSec VPN (p. 32)
  NAT (p. 33)
  Certificate Management (p. 33)
  NAC (p. 33)
Chapter 3: Controller Web UI Access and Image Upgrades (p. 35)
  Web UI Requirements (p. 35)
  Accessing the Summit WM Controller for the First Time (p. 35)
  Defining Basic Controller Settings (p. 36)...
  Viewing Files (p. 77)
  Configuring Automatic Updates (p. 78)
  Viewing the Controller Alarm Log (p. 81)
  Viewing Alarm Log Details (p. 82)
  Viewing Controller Licenses (p. 83)
  How to use the Filter Option (p. 84)
Chapter 5: Network Setup (p. 85)
  Displaying the Network Interface (p. 85)
  Viewing Network IP Information (p. 87)
  Configuring DNS (p. 87)
  Adding an IP Address for a DNS Server (p. 89)
  Configuring Global Settings (p. 89)...
  Viewing Associated MU Details (p. 166)
  Viewing MU Status (p. 167)
  Viewing MU Details (p. 169)
  Configuring Mobile Units (p. 170)
  MAC Naming of Mobile Units (p. 171)
  Viewing MU Statistics (p. 171)
  Viewing MU Statistics in Detail (p. 173)
  View a MU Statistics Graph (p. 174)
  Viewing Voice Statistics (p. 175)
  Viewing Access Point Information (p. 176)
  Configuring Access Point Radios (p. 177)
  Configuring an AP Radio’s Global Settings (p. 180)...
  DHCP Server Settings (p. 238)
  Configuring the Controller DHCP Server (p. 238)
  Editing the Properties of an Existing DHCP Pool (p. 240)
  Adding a New DHCP Pool (p. 241)
  Configuring DHCP Global Options (p. 243)
  Configuring DHCP Server DDNS Values (p. 244)
  Viewing the Attributes of Existing Host Pools (p. 245)
  Configuring Excluded IP Address Information (p. 247)
  Configuring the DHCP Server Relay (p. 248)
  Viewing DDNS Bindings (p. 250)...
  Displaying the Main Security Interface (p. 309)
  AP Intrusion Detection (p. 310)
  Enabling and Configuring AP Detection (p. 311)
  Adding or Editing an Allowed AP (p. 313)
  Approved APs (p. 315)
  Unapproved APs (Reported by APs) (p. 316)
  Unapproved APs (Reported by MUs) (p. 317)
  Configuring Firewalls and Access Control Lists (p. 319)
  ACL Overview (p. 319)
  Router ACLs (p. 320)
  Port ACLs (p. 321)...
  Defining the IPSec Configuration (p. 375)
  Editing an Existing Transform Set (p. 377)
  Adding a New Transform Set (p. 379)
  Defining the IPSec VPN Remote Configuration (p. 380)
  Configuring IPSEC VPN Authentication (p. 382)
  Configuring Crypto Maps (p. 384)
  Crypto Map Entries (p. 385)
  Crypto Map Peers (p. 387)
  Crypto Map Manual SAs (p. 389)
  Crypto Map Transform Sets (p. 392)
  Crypto Map Interfaces (p. 393)...
  Adding SNMP Trap Receivers (p. 441)
  Configuring Management Users (p. 442)
  Configuring Local Users (p. 442)
  Creating a New Local User (p. 443)
  Modifying an Existing Local User (p. 445)
  Creating a Guest Admin and Guest User (p. 447)
  Configuring Controller Authentication (p. 448)
  Modifying the Properties of an Existing Radius Server (p. 450)
  Adding an External Radius Server (p. 452)
  External Radius Server Settings (p. 453)
Chapter 9: Diagnostics ..........................
  If Remote Site Survivability (RSS) is disabled, the independent WLAN is also disabled in the event of a controller failure (p. 484)
  Remote Site Survivability (RSS) (p. 484)
  Mesh Support (p. 485)
  AP Radius Proxy Support (p. 485)
  Supported AP Topologies (p. 486)
  Topology Deployment Considerations (p. 486)
  Extended WLANs Only (p. 487)
  Independent WLANs Only (p. 487)...
  RADIUS Troubleshooting (p. 507)
  Radius Server does not start upon enable (p. 507)
  Radius Server does not reply to my requests (p. 508)
  Radius Server is rejecting the user (p. 508)
  Time of Restriction configured does not work (p. 508)
  Authentication fails at exchange of certificates (p. 508)
  When using another Summit WM3700 (controller 2) as RADIUS server, access is rejected (p. 508)
  Authentication using LDAP fails (p. 508)
  VPN Authentication using onboard RADIUS server fails (p. 509)...
Screens and windows pictured in this guide are samples and can differ from actual screens.

Documentation Set
The documentation set for the Extreme Networks wireless LAN controllers is partitioned into the following guides to provide information for specific user needs.
About This Guide

WARNING! Indicates a condition or procedure that could result in personal injury or equipment damage.

Notational Conventions
The following additional notational conventions are used in this document. Italics are used to highlight the following:
● Chapters and sections in this and related documents
●...
System configuration and intelligence for the wireless network resides with the controller once an AP is adopted and connects to an Extreme Networks Summit WM3600 or Summit WM3700 wireless LAN controller and receives its configuration.
The Extreme Networks Wireless LAN Controller Wireless Management Suite (WMS) is a recommended utility to plan the deployment of the controller and view its configuration once operational in the field. Extreme Networks WMS can help optimize the positioning and configuration of a controller in respect to a WLAN’s Mobile Unit (MU) throughput requirements and can help detect rogue devices.
Diagnostics
● Serviceability
● Tracing / Logging
● Process Monitor
● Hardware Abstraction Layer and Drivers
● Redundancy
● Secure Network Time Protocol (SNTP)

Installation Feature
The upgrade/downgrade of the controller can be performed using one of the following methods:
● Web UI
●...
A special set of Service CLI commands are available to provide additional troubleshooting capabilities for service personnel (access to Linux services, panic logs, etc.). Only authorized users or service personnel are provided access to the Service CLI. Contact Extreme Networks support at https://esupport.extremenetworks.com for information on accessing the controller’s service CLI.
or stuck in an endless loop) is detected when its heartbeat is not received. Such a process is terminated (if still running) and restarted (if configured) by the Process Monitor.

Hardware Abstraction Layer and Drivers
The Hardware Abstraction Layer (HAL) provides an abstraction library with an interface hiding hardware/platform specific data.
Overview

Wireless Switching
The controller includes the following wireless switching features:
● Physical Layer Features
● Proxy-ARP
● HotSpot / IP Redirect
● IDM (Identity Driven Management)
● Voice Prioritization
● Wireless Capacity
● AP Load Balancing
● Wireless Roaming
● Power Save Polling
●...
● Short slot protection – The slot time is 20 µs, except an optional 9 µs slot time may be used when the basic service set (BSS) consists of only ERP stations (STAs) capable of supporting this option. The optional 9 µs slot time should not be used if the network has one or more non-ERP STAs associated. For independent basic service sets (IBSS), the Short Slot Time field is set to 0, corresponding to a 20 µs slot time.
● User based VLAN assignment — Allows the controller to extract Virtual LAN (VLAN) information from the Radius server.
● User based QoS — Enables Quality of Service (QoS) for the MU based on settings within the Radius Server.

Voice Prioritization
The controller has the capability of having its QoS policy configured to prioritize network traffic requirements for associated MUs.
NOTE: Port adoption per controller is determined by the number of licenses acquired.

Wireless Roaming
The following types of wireless roaming are supported by the controller:
● Intercontroller Layer 2 Roaming
● Intercontroller Layer 3 Roaming
● International Roaming

Intercontroller Layer 2 Roaming
An associated MU (connected to a controller) can roam to another Access Point connected to a different controller.
802.11e QoS
802.11e enables real-time audio and video streams to be assigned a higher priority over data traffic. The controller supports the following 802.11e features:
● Basic WMM
● WMM Linked to 802.1p Priorities
● WMM Linked to Differentiated Services Code Point (DSCP) Priorities
●...
1 When a new AP is adopted, it scans each channel. However, the controller does not forward traffic at this time.
2 The controller then selects the least crowded channel based on the noise and traffic detected on each channel.
3 The algorithm used is a simplified maximum entropy algorithm for each radio, where the signal strength from adjoining APs and from MUs associated to adjoining APs is minimized.
Overview Roaming Across a Cluster MUs roam amongst controller cluster members. The controller must ensure a VLAN remains unchanged as an MU roams. This is accomplished by passing MU VLAN information across the cluster using the interface used by a hotspot. It automatically passes the username/password across the credential caches of the member controllers.
DHCP User Class Options A DHCP Server groups clients based on defined user-class option values. Clients with a defined set of user-class values are segregated by class. The DHCP Server can associate multiple classes to each pool. Each class in a pool is assigned an exclusive range of IP addresses. DHCP clients are compared against classes.
● Heat map support for RF deployment
● Secure guest access with specific permission intervals
● Controller discovery enabling users to discover each Extreme Networks controller on the specified network.

Security Features
Controller security can be classified into wireless security and wired security.
Wired Equivalent Privacy (WEP) is an encryption scheme used to secure wireless networks. WEP was intended to provide comparable confidentiality to a traditional wired network, hence the name. WEP had many serious weaknesses and hence was superseded by Wi-Fi Protected Access (WPA). Regardless, WEP still provides a level of security that can deter casual snooping.
WIPS
The Motorola Wireless Intrusion Protection Software (WIPS) is supported by Extreme Networks WM3000 series WLAN controllers. The WIPS monitors for any presence of unauthorized rogue Access Points. Unauthorized attempts to access the WLAN are generally accompanied by anomalous behavior as intruding MUs try to find network vulnerabilities.
The Extreme Networks Wireless LAN Controller Management Software (WMS) is recommended to plan the deployment of the controller. Extreme Networks WMS can help optimize the positioning and configuration of a controller in respect to a WLAN’s MU throughput requirements and can help detect rogue devices. For more information, refer to the Extreme Networks documentation website at: http://www.extremenetworks.com/go/documentation.
After determining which are authorized APs and which are Rogue, the controller prepares a report.

Extreme Networks WMS Support
The controller can provide rogue device detection data to the Extreme Networks Wireless LAN Controller Wireless Management Suite application (or Extreme Networks WMS). Extreme Networks WMS uses this data to refine the position and display the rogue on a site map representative of the physical dimensions of the actual radio coverage area of the controller.
A VPN is used to provide secure access between two subnets separated by an unsecured network. There are two types of VPNs:
● Site-Site VPN — For example, a company branching office traffic to another branch office traffic with an unsecured link between the two locations.
● Remote VPN —...
NAC authentication for MUs that do not have NAC 802.1x support (printers, phones, PDAs etc.). For information on configuring NAC support, see “Configuring NAC Server Support” on page 138.
Controller Web UI Access and Image Upgrades
The content of this chapter is segregated amongst the following:
● Web UI Requirements on page 35
● Controller Password Recovery on page 38
● Upgrading the Controller Image on page 39
● Auto Installation on page 39
●...
2 Launch your web browser. In the address bar, type http://10.1.1.100. The Summit WM GUI login screen is displayed.
3 Enter the Username admin, and Password admin123. Both are case-sensitive. Click the Login button.
Once the Web UI is accessed, the controller main menu item displays a configuration tab with high-level controller information.
Firmware: Displays the current firmware version running on the controller. This version should be periodically compared to the most recent version available on the Extreme Networks Web site, as versions with increased functionality are periodically released.
AP Licenses: Displays the number of Access Point licenses currently available for the controller.
Date (MM/DD/YYYY): Displays the day, month and year currently used with the controller.
Time (HH:MM:SS): Displays the time of day used by the controller.
Time Zone: Use the drop-down menu to specify the time zone used with the controller.
However, Extreme Networks periodically releases controller firmware that includes enhancements or resolutions to known issues. Verify your current controller firmware version with the latest version available from the Extreme Networks Web site before determining if your system requires an upgrade.
Configuring Auto Install via the CLI
There are three compulsory and four optional configuration parameters. The compulsory parameters are:
● configuration upgrade enable
● cluster configuration upgrade enable
● image upgrade enable
Optional (only for the static case):
● configuration file URL
●...
  WLANController(config)#autoinstall image version 4.0.0.0-XXXXX
  WLANController(config)#autoinstall config
  WLANController(config)#autoinstall cluster-config
  WLANController(config)#autoinstall image
  WLANController(config)#show autoinstall
  feature enabled
  config        ftp://ftp:ftp@173.9.234.1/Controller/config
  cluster cfg   ftp://ftp:ftp@173.9.234.1/Controller/cluster-config
  image         ftp://ftp:ftp@147.11.1.11/Controller/images/WM3600.img
  expected image version 4.0.0.0-XXXXX
Once again, for DHCP option based auto install the configured URLs are ignored, and those passed by DHCP are not stored.
The Extreme Networks Wireless LAN Controller Wireless Management Suite (WMS) is a recommended utility to plan the deployment of the controller and view its interface statistics once operational in the field. Extreme Networks WMS can help optimize the positioning and configuration of a controller (and its associated radios) in respect to a WLAN’s MU throughput requirements and can help detect rogue devices.
Controller Information

Setting the Controller Country Code
When initially logging into the system, the controller requests that you enter the correct country code for your region. If a country code is not configured, a warning message will display stating that an incorrect country setting will lead to the illegal use of the controller.
9 Click the Apply button to save the updates (to the Time Zone or Country parameters specifically).

Controller Dashboard Details
Each Extreme Networks wireless LAN controller platform contains a dashboard which represents a high-level graphical overview of central controller processes and hardware. When logging into the controller, the dashboard should be the first place you go to assess overall controller performance and any potential performance issues.
Summit WM3600 Controller Dashboard
The Dashboard screen displays the current health of the controller and is divided into fields representing the following important diagnostics:
● Alarms
● Ports
● Environment
● CPU/Memory
● File Systems
Apart from the sections mentioned above, it also displays the following status:
Redundancy State: Displays the Redundancy State of the controller. The status can be either Enabled or Disabled. Enabled is indicated by a green state; Disabled is indicated by a yellow state.
Firmware: Displays the Firmware version of the current software running on the wireless controller.
5 The File Systems section displays the free file system available for:
● flash
● nvram
● system

Summit WM3700 Controller Dashboard
The Dashboard screen displays the current health of the controller and is divided into fields representing the following important diagnostics:
● Alarms
●...
The alarms field also displays details (in a tabular format) of the 5 most recent unacknowledged critical/major alarms raised during the past 48 hours. The table displays the following details:
Severity: Displays the severity of the alarm. It can be either Critical or Major.
Displays the time when the alarm was reported.
Viewing Controller Statistics
The Controller Statistics tab displays an overview of the recent network traffic and RF status for the controller. To display the Controller Statistics tab:
1 Select Controller from the main menu tree.
2 Click the Controller Statistics tab at the top of the Controller screen.
3 Refer to the following read-only information about associated MUs:
Displays the total number of MUs currently associated to the controller.
5 The RF Status section displays the following read-only RF radio signal information for associated APs and radios:
Average Signal: Displays the average signal strength for MUs associated with the controller over the last 30 seconds and 1 hour. Typically, the higher the signal, the closer the MU.
Viewing Controller Port Information
The Port screen displays configuration, runtime status and statistics of the ports on the controller.
NOTE: The ports available vary by controller platform.
Summit WM3600: ge1, ge2, ge3, ge4, ge5, ge6, ge7, ge8, me1, up1
Summit WM3700: ge1, ge2, ge3, ge4, me1
The port types are defined as follows: Gigabit Ethernet (GE) ports are available on the Summit WM3600 and Summit WM3700 platforms.
To view configuration details for the uplink and downlink ports:
1 Select Controller > Port from the main menu tree.
2 Select the Configuration tab to display the following read-only information:
Name: Displays the current port name. The port names available vary by controller.
Editing the Port Configuration
To modify the port configuration:
1 Select a port from the table displayed within the Configuration screen.
2 Click the Edit button. A Port Change Warning screen displays, stating any change to the port setting could disrupt access to the controller.
Name: Displays the read-only name assigned to the port.
Speed: Select the speed at which the port can receive and transmit the data. Select from the following range:
• 10 Mbps
• 100 Mbps
• 1000 Mbps
• Auto
Duplex: Modify the duplex status by selecting one of the following options:
•...
Viewing the Ports Runtime Status
The Runtime tab displays read-only runtime configuration for uplink and downlink ports. To view the runtime configuration details of the uplink and downlink ports:
1 Select Controller > Port from the main menu tree.
2 Select the Runtime tab to display the following read-only information:
Displays the port’s current name.
3 Refer to the Statistics tab to display the following read-only information:
Name: Defines the port name.
Bytes In: Displays the total number of bytes received by the port.
Packets In: Displays the total number of packets received by the port.
Displays the number of packets dropped by the port.
Detailed Port Statistics
To view detailed statistics for a port:
1 Select a port from the table displayed within the Statistics screen.
2 Click the Details button.
3 The Interface Statistics screen displays. This screen displays the following statistics for the selected port:
Displays the port name.
Output NonUnicast Packets: Displays the number of unicast packets transmitted from the interface.
Output Total Packets: Displays the total number of packets transmitted from the interface.
Output Packets Dropped: Displays the number of transmitted packets dropped from the interface. Output Packets Dropped are packets dropped when the output queue of the device associated with the interface is saturated.
● Input Bytes
● Input Pkts Dropped
● Output Pkts Total
● Output Pkts Error
● Input Pkts Total
● Input Pkts Error
● Output Pkts NUCast
● Input Pkts NUCast
● Output Bytes
● Output Pkts Dropped
3 Display any of the above by selecting the checkbox associated with it.
NOTE: You are not allowed to select (display) more than four parameters at any given time.
NOTE: The PoE screen is only available on the WM3600 controller. The Summit WM3700 controller does not have Power over Ethernet on any ports and will not display the PoE tab.
The PoE Global Configuration section displays the following power information.
Power Budget: Displays the total watts available for Power over Ethernet on the controller.
Class: Displays the IEEE Power Classification for each port:
  Class Number   Maximum Power Required from Controller
  0 (unknown)    15.4 Watts
  1              4 Watts
  2              7 Watts
  3              15.4 Watts
Priority: Displays the priority mode for each of the PoE ports. The priority options are:
•...
The Extreme Networks Wireless LAN Controller Management Software (WMS) is a recommended utility to plan the deployment of the controller and view its configuration once operational in the field. Extreme Networks WMS can help optimize the positioning and configuration of a controller (and its associated radios) in respect to a WLAN’s MU throughput requirements and can help detect rogue devices.
1 Select Controller > Configurations from the main menu tree. The following information is displayed in tabular format. Configuration files (with the exception of startup-config and running-config) can be edited, viewed in detail or deleted.
Name: Displays the name of each existing configuration file.
Displays the size (in bytes) of each available configuration file.
NOTE: Selecting either the startup-config or running-config does not enable the Edit button. A different configuration must be available to enable the Edit function for the purposes of replacing the existing startup-config.
4 To permanently remove a file from the list of configurations available to the controller, select a configuration file from the table and click the Delete button.
Viewing the Detailed Contents of a Config File The View screen displays the entire contents of a configuration file. Extreme Networks recommends a file be reviewed carefully before it is selected from the Config Files screen for edit or designation as the controller startup configuration.
4 Refer to the Status field for the current state of the requests made from the applet. Requests are any “SET/GET” operation from the applet. The Status field displays error messages if something goes wrong in the transaction between the applet and the controller.
5 Click the Refresh button to get the most recent updated version of the configuration file.
6 Click the Abort button to cancel the file transfer process before it is complete.
7 Click the Close button to exit the Transfer screen and return to the Config Files screen. Once a file is transferred, there is nothing else to be saved within the Transfer screen.

Viewing Controller Firmware Information
The controller can store (retain) two software versions (primary and secondary).
Current Boot: A check mark within this column designates this version as the version used by the controller the last time it was booted. An “X” in this column means this version was not used the last time the controller was booted.
Next Boot: A check mark within this column designates this version as the version to be used the next time the controller is booted.
3 Select the checkbox to use this version on the next boot of the controller.
4 To edit the secondary image, select the secondary image, click the Edit button and select the Use this firmware on next reboot checkbox. This firmware version will now be invoked after the next reboot of the controller.
5 Refer to the Status field for the current state of the requests made from the applet.
1 Select an image from the table in the Firmware screen.
2 Click the Update Firmware button.
3 Use the From drop-down menu to specify the location from which the file is sent.
4 Enter the name of the file containing the firmware update in the File text field. This is the file that will append the file currently in use.
Controller File Management
Use the File Management screen to transfer configuration files to and from the controller and review the files available.

Transferring Files
Use the Transfer Files screen to transfer files to and from the controller. Transferring files is recommended to keep files in a secure location.
2 Refer to the Source field to specify the details of the source file.
From: Use the drop-down menu to select the source file’s current location. The options include Wireless Controller and Server. The following transfer options are possible:
•...
4 Use the Browse button to define a location for the transferred file.
5 Click the Transfer button to complete the file transfer.
6 The Message section in the main menu area displays the file transfer message.
7 Click Abort at any time during the transfer process to abort the file transfer.

Transferring a file from a Wireless Controller to a Server
To transfer a file from the controller to a Server:
1 Refer to the Source field to specify the source file.
5 Enter the Password required to send the configuration file from an FTP server.
6 Specify the appropriate Path name to the target directory on the server. The target options are different depending on the target selected.
7 Click the Transfer button to complete the file transfer. The Message section in the main menu area displays the file transfer message.
6 Specify the appropriate Path name to the target directory on the server. The Target options are different depending on the target selected.
7 Use the To drop-down menu (within the Target field) and select Wireless Controller.
8 Use the Browse button to browse and select the location to store the file marked for transfer.
9 Click the Transfer button to complete the file transfer.
3 Refer to the following File Systems information.
Name: Displays the memory locations available to the controller.
Available: Displays the current status of the memory resource. By default, nvram and system are always available.
• A green check indicates the device is currently connected to the controller and is available.
Enable this option for either the firmware, configuration file or cluster configuration file. Extreme Networks recommends leaving this setting disabled if a review of a new file is required before it is automatically uploaded by the controller.
Protocol: Use the drop-down menu to specify the protocol (FTP, TFTP, HTTP, SFTP, FLASH or resident controller medium) used for the file update from the server. FLASH is the default setting.
Password: Enter the password required to access the server.
NOTE: In addition to the Protocols listed, on the Summit WM3700 users can also auto-update using USB or Compact...
Viewing the Controller Alarm Log
Use the Alarm Log screen as an initial snapshot for alarm log information. Expand alarms (as needed) for greater detail, delete alarms, acknowledge alarms or export alarm data to a user-specified location for archive and network performance analysis. To view controller alarm log information:
1 Select Controller >...
Index: Displays the unique numerical identifier for trap events (alarms) generated in the system. Use the index to help differentiate an alarm from others with similar attributes.
Status: Displays the current state of the requests made from the applet. Requests are any “SET/GET”...
Description: Displays the details of the alarm log event. This information can be used in conjunction with the Solution and Possible Causes items to troubleshoot the event and determine how the event can be avoided in the future.
Solution: Displays a possible solution to the alarm event. The solution should be attempted first to rectify the described problem.
License Key – Enter the license key required to install a particular feature. The license key is returned when you supply the controller serial number to Extreme Networks support.
Feature Name – Enter the name of the feature you wish to install/upgrade using the license.
Network Setup This chapter describes the Network Setup menu information used to configure the controller. This chapter consists of the following controller Network configuration activities:
● Displaying the Network Interface on page 85
● Viewing Network IP Information on page 87
● ...
1 Select Network from the main menu tree. 2 Refer to the following information to discern if configuration changes are warranted:
DNS Servers – Displays the number of DNS servers configured thus far for use with the controller. For more information, see “Viewing Network IP Information”...
Viewing Network IP Information Use the Internet Protocol screen to view and configure network associated IP details. The Internet Protocol screen contains tabs supporting the following configuration activities:
● Configuring DNS
● Configuring IP Forwarding
● Viewing Address Resolution
Configuring DNS Use the Domain Name System tab to view server address information and delete or add servers to the list of servers available.
2 Select the Domain Name System tab (displayed by default). Use the Show Filtering Options link to view the details displayed in the table. 3 The Domain Name System tab displays DNS details in a tabular format.
Server IP Address – Displays the IP address of the domain name server(s) the system can use for resolving domain names to IP addresses.
Adding an IP Address for a DNS Server Add an IP address for a new domain server using the Add screen. 1 Click the Add button within the Domain Name System screen. The new Configuration screen displays, enabling you to add an IP address for the DNS server. 2 Enter the Server IP Address to define the IP address of the new static domain name server.
NOTE The order of lookup is determined by the order of the servers within the Domain Name System tab. The first server queried is the first server displayed. 3 Enter a Domain Name in the text field. This is the controller’s domain. 4 Refer to the Status field for the current state of the requests made from the applet.
The following details display in the table:
Destination Subnet – Displays the destination network address of the route entry; packets whose destination falls within this subnet (as bounded by the Subnet Mask) are forwarded using this route.
Subnet Mask – Displays the mask used for destination subnet entries. The Subnet Mask is the IP mask used to divide internet addresses into blocks (known as subnets).
2 In the Destination Subnet field, enter an IP address to route packets to a specific destination address. 3 Enter a subnet mask for the destination subnet in the Subnet Mask field. The Subnet Mask is the IP mask used to divide internet addresses into blocks known as subnets. A value of 255.255.255.0 (a /24) covers 256 addresses, 254 of which are usable host addresses.
Viewing Address Resolution The Address Resolution table displays the mapping of layer three (IP) addresses to layer two (MAC) addresses. To view address resolution details: 1 Select Network > Internet Protocol from the main menu tree. 2 Select the Address Resolution tab. 3 Refer to the Address Resolution table for the following information:
Interface – Displays the name of the actual interface where the IP...
4 Click the Clear button to remove the selected ARP entry if it is no longer usable. Viewing and Configuring Layer 2 Virtual LANs A virtual LAN (VLAN) is similar to a Local Area Network (LAN); however, devices do not need to be physically connected to the same segment.
2 Refer to the following details within the table:
Name – Displays the name of the VLAN to which the controller is currently connected.
Mode – It can be either Access or Trunk.
• Access – This Ethernet interface accepts packets only from the native VLAN.
4 Use the Edit screen to modify the VLAN’s mode, access VLAN and allowed VLAN designation. 5 Use the Edit screen to modify the following:
Name – A read-only field with the name of the Ethernet interface to which the VLAN is associated.
flexibility and enable changes to the network infrastructure without physically disconnecting network equipment. To view VLAN by Port information: 1 Select Network > Layer 2 Virtual LANs from the main menu tree. 2 Select the Ports by VLAN tab. VLAN details display within the VLANs by Port tab.
3 Highlight an existing VLAN and click the Edit button. The system displays a Port VLAN Change Warning message. Be advised, changing VLAN designations could disrupt access to the controller. 4 Click OK to continue. A new window displays wherein the VLAN assignments can be modified for the selected VLAN.
Configuring Controller Virtual Interfaces A controller virtual interface (CVI) is required for layer 3 (IP) access to the controller or to provide layer 3 service on a VLAN. The CVI defines which IP address is associated with each VLAN ID the controller is connected to.
Configuring the Virtual Interface Use the Configuration screen to view and configure the virtual interface details. 1 Select Network > Controller Virtual Interface from the main menu tree. 2 Select the Configuration tab. The following configuration details display in the table:
Name – Displays the name of the virtual interface.
Management Interface – A green checkmark within this column identifies the VLAN currently used by the controller as its management interface. Its interface settings are the ones applied to global controller settings in case of conflicts. For example, if multiple CVIs are configured with DHCP enabled on each, the controller could have multiple domain names assigned from different DHCP servers. The one assigned over the selected Management Interface is the only one used by the controller.
4 Enter the VLAN ID for the controller virtual interface. 5 Provide a Description for the VLAN, representative of the VLAN’s intended operation within the controller managed network. 6 The Primary IP Settings field consists of the following: a Select Use DHCP to obtain IP Address automatically to allow DHCP to provide the IP address for the virtual interface.
Modifying a Virtual Interface To modify an existing virtual interface: CAUTION When changing from a default DHCP address to a fixed IP address, set a static route first. This is critical when the controller is being accessed from a subnet not directly connected to the controller and the default route was set from DHCP.
9 Refer to the Status field for the current state of the requests made from the applet. This field displays error messages if something goes wrong in the transaction between the applet and the controller. 10 Click OK to apply the changes to the running configuration and close the dialog. 11 Click Cancel to close the dialog without committing updates to the running configuration.
Packets In Dropped – Displays the number of dropped packets coming into the interface. Packets are dropped if: 1 The input queue for the hardware device/software module handling the interface definition is saturated/full. 2 Overruns occur when the interface receives packets faster than it can transfer them to a buffer.
Viewing Virtual Interface Statistics To view detailed virtual interface statistics: 1 Select a virtual interface from the Statistics tab. 2 Click the Details button. 3 The Interface Statistics screen displays with the following content:
Name – Displays the title of the logical interface selected.
Displays physical address information associated with the interface.
Output Packets Dropped – Displays the number of transmitted packets dropped at the interface. Output packets are dropped when the output queue of the physical device associated with the interface is saturated.
Output Packets Error – Displays the number of transmitted packets with errors. Output packet errors are the sum of all output packet errors, including malformed and misaligned packets, on an interface.
NOTE Only four parameters may be selected at any given time. 4 Refer to the Status field for the current state of the requests made from the applet. This field displays error messages if something goes wrong in the transaction between the applet and the controller. 5 Click Close to close the dialog.
Viewing and Configuring Controller WLANs A wireless LAN (WLAN) is a local area network (LAN) without wires. WLANs transfer data through the air using radio frequencies instead of cables. The WLAN screen displays a high-level overview of the WLANs created for the controller managed network. Use this data to determine which WLANs are active, their VLAN assignments, whether a WLAN’s description needs updating, and their current authentication and encryption scheme. The Wireless LANs screen is partitioned into 5 tabs supporting the following configuration activities:...
The Configuration tab displays the following details:
Index – Displays the WLAN’s numerical identifier. The WLAN index range is from 1 to the maximum number of WLANs supported by the controller (32 for the WM3600 and 256 for the WM3700). An index can be helpful to differentiate a WLAN from other WLANs with similar configurations.
Encryption – Displays the type of wireless encryption used on the specified WLAN. When no encryption is used, the field displays none. Click the Edit button to modify the WLAN’s current encryption scheme. For information on configuring an encryption scheme for a WLAN, see “Configuring Different Encryption Types”...
8 Click the Global Settings button to display a screen with WLAN settings applying to all the WLANs on the system. Remember, changes made to any one value impact each WLAN. Click OK to save updates to the Global WLAN Settings screen. Click Cancel to disregard changes and revert back to the previous screen.
Manual mapping of WLANs – Use this option (selected by default) for custom WLAN-to-radio mappings. When Advanced Configuration is disabled, the user cannot conduct radio-to-WLAN mapping. Additionally, the user cannot enable WLANs with an index higher than 16. Once the Advanced Configuration option is enabled, the following conditions must be satisfied to successfully disable it again.
4 Click the Edit button. The Wireless LANs Edit screen is divided into the following user-configurable fields:
● Configuration
● Authentication
● Encryption
● Advanced
5 Refer to the Configuration field to define the following WLAN values:
ESSID – Displays the Extended Service Set ID (ESSID) associated with each WLAN. If changing the ESSID, ensure the value used is unique.
Description – If editing an existing WLAN, ensure its description is updated accordingly to best describe the intended function of the WLAN.
WEP 64 – Use the WEP 64 checkbox to enable the Wired Equivalent Privacy (WEP) protocol with a 40-bit key. WEP is available in two encryption modes: 40 bit (also called WEP 64) and 104 bit (also called WEP 128). The 104-bit mode uses a longer key, which makes exhaustive key guessing slower than against a 40-bit key. Neither key length corrects WEP’s design weaknesses (a 24-bit per-frame IV prepended to a static RC4 key), so WEP should be enabled only where legacy clients leave no alternative.
MU to MU Traffic – Controls whether frames from one MU whose destination MAC is that of another MU are switched to the second MU. Use the drop-down menu to select one of the following options:
• Drop Packets – Restricts MU to MU communication based on the WLAN’s configuration.
• Allow Packets –...
Assigning Multiple VLANs per WLAN The controller allows the mapping of a WLAN to more than one VLAN. When an MU associates with a WLAN, it is assigned a VLAN in such a way that users are load balanced across VLANs. The VLAN is assigned from the pool representative of the WLAN.
9 Refer to the Status field for the current state of the requests made from the applet. This field displays error messages if something goes wrong in the transaction between the applet and the controller. 10 Click OK to apply the changes to the running configuration and close the dialog. 11 Click Cancel to close the dialog without committing updates to the running configuration.
The Radius Config... button on the bottom of the screen becomes enabled. Ensure a primary and optional secondary Radius server have been configured to authenticate users requesting access to the EAP 802.1x supported WLAN. For more information, see “Configuring External Radius Server Support”...
hotspot access controller forces this unauthenticated user to a Welcome page from the hotspot operator that allows the user to log in with a username and password. This form of IP redirection requires no special software on the client. To configure a hotspot, create a WLAN ESSID and select Hotspot as the authentication scheme from the WLAN Authentication menu.
NOTE As part of the hotspot configuration process, ensure a primary and optional secondary Radius server have been properly configured to authenticate the users requesting access to the hotspot supported WLAN. For more information on configuring Radius server support for the hotspot supported WLAN, see “Configuring External Radius Server Support”...
4 Click the Login tab and enter the title, header, footer, Small Logo URL, Main Logo URL and Descriptive Text you would like to display when users log in to the controller maintained hotspot.
Title Text – Displays the HTML text displayed on the Welcome page when using the controller’s internal Web server.
Descriptive Text – Specify any additional text containing instructions or information for the users who access the Failed page. This option is only available if Internal is chosen from the drop-down menu above. The default text is: “Either the username and password are invalid, or service is unavailable at this time.”...
NOTE In multi-controller hotspot environments, if a single controller’s internal pages are configured for authentication on the other controllers, those controllers will redirect to their own internal pages instead. In these environments it is recommended to use an external server for all of the controllers. 8 Check Use System Name in Hotspot URL to use the System Name specified on the main Controller configuration screen as part of the hotspot address.
3 Select the Hotspot button from within the Authentication field. Ensure External is selected from within the This WLAN’s Web Pages are of the drop-down menu. 4 Refer to the External Web Pages field and provide the Login, Welcome and Failed Page URLs used by the external Web server to support the hotspot.
Failed Page URL – Define the complete URL for the location of the Failed page. The Failed screen assumes the hotspot authentication attempt has failed, you are not allowed to access the Internet and you need to provide correct login information to access the Web. Ensure the external Web server’s port number is included in the URL, using the following format: http://192.168.0.70:444/wlan2/login.html (the port in the URL is the Web server’s listening port, not the RADIUS port). NOTE...
To use the Advanced option to define the hotspot: 1 Select Network > Wireless LANs from the main menu tree. 2 Select an existing WLAN from those displayed within the Configuration tab. 3 Click the Edit button. 4 Select the Hotspot button from within the Authentication field. Ensure Advanced is selected from within the This WLAN’s Web Pages are of the drop-down menu.
a Specify a source hotspot configuration file. The file used at startup automatically displays within the File parameter. b Refer to the Using drop-down menu to configure whether the hotspot file transfer is conducted using FTP or TFTP. c Enter the IP Address of the server or system receiving the source hotspot configuration. Ensure the IP address is valid or risk jeopardizing the success of the file transfer.
6 Ensure Advanced is selected from within the This WLAN’s Web Pages are of the drop-down menu. Define the advanced hotspot configuration following step 5 onward in “Configuring an Advanced Hotspot” on page 127. NOTE For information on configuring external Radius server support for an advanced hotspot, see “Configuring External Radius Server Support”...
policy vlan 70
policy wlan 2
radius-server local
rad-user "guest" password 0 password group "Guests" guest expiry-time 20:27 expiry-date 11:17:2009 start-time 20:27 start-date 11:16:2008
Managing Hotspot Files. When creating a new hotspot, the controller builds a directory in flash named hotspot with a subdirectory named wlan X (where X is the WLAN ID).
-rw- 2688 Wed Sep 24 12:21:50 2008 mainstyle.css
-rw- 2608 Wed Sep 24 12:38:15 2008 login.html
Custom Pages. The critical required components for a customized login, welcome and failed page include: Login Page. The login.html page is presented to all unauthenticated users when they connect to the hotspot.
To configure the format of MAC addresses used in MAC Authentications: 1 Select Network > Wireless LANs from the main menu tree. 2 Select an existing WLAN from those displayed within the Configuration tab. 3 Click the Edit button. 4 Select the MAC Authentication button from within the Authentication field. This enables the Radius button at the bottom of the Network >...
To configure an external Radius Server for EAP 802.1x, Hotspot or Dynamic MAC ACL WLAN support: NOTE To optimally use an external Radius Server with the controller, Extreme Networks recommends defining specific external Server attributes to best utilize user privilege values for specific controller permissions. For information on defining the external Radius Server configuration, see “Configuring an External Radius Server for Optimal Controller...
The Radius Configuration screen contains tabs for defining both the Radius and NAC server settings. For NAC overview and configuration information, see “Configuring NAC Server Support” on page 138. 6 Refer to the Server field and define the following credentials for a primary and secondary Radius server.
RADIUS Server Address – Enter the IP address of the primary and secondary server acting as the Radius user authentication data source.
RADIUS Port – Enter the UDP port number for the primary and secondary server acting as the Radius user authentication data source. The default port is 1812.
RADIUS Shared Secret – Provide a shared secret (password) for user credential authentication with the primary or secondary Radius server. The shared secret is the only key protecting the RADIUS exchange (it hides the User-Password attribute and authenticates the server’s replies), so use a long random value and a different one for each controller the server knows.
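The exchange these three settings configure, as an added example that is not code from this guide or from Extreme Networks: a PAP Access-Request carrying a User-Password hidden under the shared secret, and a reply whose Response Authenticator the client checks, both per RFC 2865. The client and server halves run in one process with no network; the user name, password and shared secret are constructed sample values, and the in-memory user table stands in for the Radius server’s data source.

```python
"""RFC 2865 PAP exchange: Access-Request with a hidden User-Password and a
reply whose Response Authenticator the client verifies.

Added example, not code from the Summit WM3000 guide. Both halves run in one
process; the secret, user name, password and user table are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
RADIUS_AUTH_PORT = 1812  # UDP, the default the guide documents


def _attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length counts the two header bytes."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to a multiple of 16, then c(i) = p(i) XOR MD5(secret + c(i-1)),
    with c(0) = Request Authenticator. Only the shared secret protects the password."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident: int, username: bytes, password: bytes, secret: bytes) -> bytes:
    authenticator = os.urandom(16)  # Request Authenticator: fresh and unpredictable per request
    attrs = _attr(ATTR_USER_NAME, username) + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i + 2 <= len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")  # never loop on a zero or overlong length
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def server_handle(request: bytes, secret: bytes, users: dict) -> bytes:
    """Radius server side: recover the password, decide, and sign the reply with
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    req_auth = request[4:20]
    attrs = parse_attrs(request[20:])
    hidden = attrs.get(ATTR_USER_PASSWORD, b"")
    ok = False
    if hidden and len(hidden) % 16 == 0:
        expected = users.get(attrs.get(ATTR_USER_NAME, b""))
        got = reveal_password(hidden, secret, req_auth)
        ok = expected is not None and hmac.compare_digest(expected, got)  # constant-time compare
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + req_auth + secret).digest()


def verify_response(response: bytes, request: bytes, secret: bytes):
    """Client side: accept the reply only if its Identifier matches the request and its
    Response Authenticator verifies under the shared secret. Returns the reply Code,
    or None if the reply is not authentic (a spoofed Access-Accept is discarded here)."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return code if hmac.compare_digest(expected, response[4:20]) else None


def demo():
    secret = b"constructed-shared-secret"                 # constructed; use a long random value in practice
    users = {b"alice": b"correct horse battery staple"}  # stands in for the Radius data source
    req = build_access_request(7, b"alice", b"correct horse battery staple", secret)
    accepted = verify_response(server_handle(req, secret, users), req, secret)
    # A reply produced under a different secret fails the Response Authenticator check.
    forged = verify_response(server_handle(req, b"wrong-secret", users), req, secret)
    return accepted, forged


if __name__ == "__main__":
    print(demo())  # (2, None): Access-Accept verified, forged reply rejected
```

Because the whole exchange rests on MD5 keyed with the secret, the secret's length and randomness are what stand between an on-path attacker and both the user's password and a forged Access-Accept; the 1812/UDP transport adds nothing.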
Configuring an External Radius Server for Optimal Controller Support. The controller’s external Radius Server should be configured with Extreme Networks wireless LAN controller specific attributes to best utilize the user privilege values assignable by the Radius Server. The following two values should be...
b Set the Telnet Access value to 64 (user is allowed login privileges only from a Telnet session). c Set the SSH Access value to 32 (user is allowed login privileges only from an SSH session). d Set the Web Access value to 16 (user is allowed login privileges only from the Web/applet). 3 Specify multiple access sources by combining (adding) the values; for example, 48 (32 + 16) permits SSH and Web access but not Telnet. Prefer SSH over Telnet, which sends the login credentials in cleartext.
7 Refer to the Server field and define the following credentials for a primary and secondary NAC server.
NAC Server Address – Enter the IP address of the primary and secondary NAC server.
NAC Server Port – Enter the UDP port number for the primary and secondary server. The default port is 1812.
5 Specify a 4 to 32 character Pass Key and click the Generate button. The pass key can be any alphanumeric string. The controller, other proprietary routers and the Motorola MUs supported by the Summit WM3000 series controller use the same algorithm to convert the ASCII string to the same hexadecimal key, so keys generated from a pass key interoperate only with devices that implement that algorithm; for other clients, enter the hexadecimal key directly.
Configuring WEP 128. WEP 128 uses a longer key (104 bits) and pass key than WEP 64, which makes exhaustive guessing of the key slower. It does not change the WEP design itself, so the published attacks on WEP key recovery apply to both key lengths; WEP 128 is appropriate only for legacy clients that support nothing stronger. To configure WEP 128: 1 Select Network >...
Default (hexadecimal) keys for WEP 128 include:
Key 1 – 101112131415161718191A1B1C
Key 2 – 202122232425262728292A2B2C
Key 3 – 303132333435363738393A3B3C
Key 4 – 404142434445464748494A4B4C
7 Click the Restore Default WEP Keys button to return the WEP keys to these default settings. Note that the defaults are printed in this guide and therefore publicly known: restoring them does not restore confidentiality. If you believe the keys in use have been compromised, generate new keys rather than reverting to the defaults.
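What the two key lengths do and do not change, as an added example that is not code from this guide or from Extreme Networks: a WEP frame is RC4-encrypted under the 24-bit IV prepended to the static key, with a CRC-32 ICV appended. The code encrypts and decrypts frames under a 40-bit and a 104-bit key, then shows that two frames sent under the same IV leak the XOR of their plaintexts whatever the key length, because the keystream depends only on IV || key. The 104-bit key is the guide’s published default Key 1 (which is exactly why defaults must be replaced); the 40-bit key, the IV and the frame contents are constructed.

```python
"""WEP framing with RC4 over (IV || key) and a CRC-32 ICV, for both key lengths.

Added example, not code from the Summit WM3000 guide. DEFAULT_WEP128_KEY1 is the
guide's published default Key 1; the 40-bit key, IV and frames are constructed."""
import zlib

IV_LEN = 3      # 24-bit IV sent in the clear: only 16,777,216 values per key
ICV_LEN = 4     # CRC-32 integrity check value, not a keyed MAC

DEFAULT_WEP128_KEY1 = bytes.fromhex("101112131415161718191A1B1C")  # from the guide, 104 bits
SAMPLE_WEP64_KEY = bytes.fromhex("0102030405")                      # constructed, 40 bits


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key scheduling, then keystream XOR. One function encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(plaintext: bytes) -> bytes:
    return zlib.crc32(plaintext).to_bytes(ICV_LEN, "little")


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV || RC4(IV || key, plaintext || ICV). The per-packet key is just the IV prepended."""
    if len(key) not in (5, 13):
        raise ValueError("WEP key must be 40 bits (WEP 64) or 104 bits (WEP 128)")
    if len(iv) != IV_LEN:
        raise ValueError("IV must be 24 bits")
    return iv + rc4(iv + key, plaintext + icv(plaintext))


def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    iv, body = frame[:IV_LEN], frame[IV_LEN:]
    data = rc4(iv + key, body)
    plaintext, tag = data[:-ICV_LEN], data[-ICV_LEN:]
    if icv(plaintext) != tag:
        raise ValueError("ICV mismatch")
    return plaintext


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def iv_reuse_leaks_xor(key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bool:
    """Two frames under one IV share a keystream, so C1 xor C2 == P1 xor P2 with no
    knowledge of the key. True when the leak is confirmed; key length plays no part."""
    c1 = wep_encrypt(key, iv, p1)[IV_LEN:]
    c2 = wep_encrypt(key, iv, p2)[IV_LEN:]
    n = min(len(p1), len(p2))
    return xor_bytes(c1[:n], c2[:n]) == xor_bytes(p1[:n], p2[:n])


def demo() -> dict:
    iv = bytes.fromhex("0a0b0c")                     # constructed; a real sender cycles through IVs
    p1 = b"GET /login.html HTTP/1.1\r\n"              # constructed frame payloads
    p2 = b"POST /login.html HTTP/1.1\r\n"
    return {
        "wep64_roundtrip": wep_decrypt(SAMPLE_WEP64_KEY, wep_encrypt(SAMPLE_WEP64_KEY, iv, p1)) == p1,
        "wep128_roundtrip": wep_decrypt(DEFAULT_WEP128_KEY1, wep_encrypt(DEFAULT_WEP128_KEY1, iv, p1)) == p1,
        "wep64_iv_reuse_leak": iv_reuse_leaks_xor(SAMPLE_WEP64_KEY, iv, p1, p2),
        "wep128_iv_reuse_leak": iv_reuse_leaks_xor(DEFAULT_WEP128_KEY1, iv, p1, p2),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With only 2^24 IVs per key, a busy WLAN repeats IVs within hours, and every repeat hands an eavesdropper the XOR of two plaintexts; the 104-bit key does nothing to change that arithmetic.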
5 Select the Broadcast Key Rotation checkbox to enable periodically changing the broadcast key for this WLAN. The broadcast key changes only when required by associated MUs, reducing transmissions of sensitive key material. This option is enabled by default. 6 Refer to the Update broadcast keys every field to specify a time period (in seconds) for broadcasting encryption-key changes to MUs.
● 1011121314151617
● 18191A1B1C1D1E1F
● 2021222324252627
● 28292A2B2C2D2E2F
8 Refer to the Status field for the current state of the requests made from the applet. This field displays error messages if something goes wrong in the transaction between the applet and the controller. 9 Click OK to apply the changes to the running configuration and close the dialog.
Last 30s – Click the Last 30s radio button to display statistics for the WLAN over the last 30 seconds. This option is helpful when troubleshooting issues as they actually occur.
Last Hr – Click the Last Hr radio button to display statistics for the WLAN over the last hour.
7 To view WLAN packet data rates and retry counts, select a WLAN and click the Controller Statistics button. For more information, see “Viewing WLAN Controller Statistics” on page 150. Viewing WLAN Statistics in Detail When the WLAN Statistics screen does not supply adequate information for an individual WLAN, the Details screen is recommended for displaying more granular information for a single WLAN.
VLAN – Displays the name of the VLAN the WLAN is associated with.
Num Associated MUs – Displays the total number of MUs currently associated with the selected WLAN.
Authentication Type – Displays the authentication method deployed on the WLAN.
Encryption Type – Displays the encryption type deployed on the selected WLAN.
Displays the radios adopted by the selected WLAN.
8 Refer to the Status field for the current state of the requests made from the applet. This field displays error messages if something goes wrong in the transaction between the applet and the controller. 9 Click OK to apply the changes to the running configuration and close the dialog. 10 Click Cancel to close the dialog without committing updates to the running configuration.
● Pkts per sec
● Throughput (Mbps)
● Avg Bits per sec
● Avg Signal (dBm)
● Dropped Pkts
● TX Pkts per sec
● TX Tput (Mbps)
● NUcast Pkts
● Avg Noise (dBm)
● Undecr Pkts
● RX Pkts per sec
● ...
Extreme Networks WMS can help optimize the positioning and configuration of a controller in respect to a WLAN’s MU throughput requirements. For more information, refer to the Extreme Networks Web site. 5 Refer to the Retry Counts field to review the number of packets requiring retransmission from the controller.
Configuring WMM Use the WMM tab to review a WLAN’s current index (numerical identifier), SSID, description, current enabled/disabled designation, and Access Category. To view existing WMM settings: 1 Select Network > Wireless LANs from the main menu tree. 2 Click the WMM tab.
Access Category – Displays the Access Category for the intended radio traffic. Access Categories are the different WLAN-WMM options available. The four Access Category types are:
• Background — Optimized for background traffic
• Best-effort — Optimized for best effort traffic
• Video...
With a drastic increase in bandwidth-absorbing network traffic (VoIP, multimedia etc.), data prioritization is critical to effective network management. Refer to the following fields within the QoS Mapping screen to optionally revise the existing settings in respect to the data traffic requirements for this WLAN.
DSCP to Access Category – Set the access category accordingly in respect to its DSCP importance for this WLAN’s target network traffic. Differentiated Services Code Point (DSCP) is a field in an IP packet that enables different levels of service to be assigned to network traffic. This is achieved by marking each packet on the network with a DSCP code and appropriating to it the corresponding level of service or priority.
SSID – Displays the Service Set ID (SSID) associated with the selected WMM index. This SSID is read-only and cannot be modified within this screen.
Access Category – Displays the Access Category for the intended radio traffic. The Access Categories are the different WLAN-WMM options available to the radio. The four Access Category types are:
• Background -...
● NAC Agent – NAC support is added in the controller to allow the controller to communicate with a LAN enforcer (a laptop with a NAC agent installed).
● No NAC Agent – NAC support is achieved using an exclude list. For more information, see...
4 Use the Add button (within the List Configuration field) to add more than one device to the WLAN. You can create 32 lists (both include and exclude combined together) and 64 MAC entries per list. For more information, see “Configuring Devices on the Include List”...
The List Name field displays the name of the device list used. This parameter is read-only. 4 Enter the Host Name for the device you wish to add. 5 Enter a valid MAC Address of the device you wish to add. 6 Optionally, enter the MAC Mask for the device you wish to add.
The controller provides a means to bypass NAC for 802.1x devices without a NAC agent. For Motorola handheld devices (like the MC9000) which are supported by the Extreme Networks Summit WM3000 series controller, authentication is achieved using an exclusion list.
Whenever a host entry is added to or deleted from the list, the associated WLAN is updated and deauthenticated. The deauthenticated MU can be re-authenticated once it receives the deauthentication information from the WLAN. For a NAC configuration example using the controller CLI, see “NAC Configuration Examples Using the Controller CLI”...
7 Use the Edit button to modify device parameters. 8 To delete a list configuration for a device, select a row from the List Configuration field and click the Delete button. Adding an Exclude List to the WLAN To exclude a device from a WLAN: 1 Select Network >...
4 The List Name displays the read-only name of the list for which you wish to add more devices. 5 Enter the Host Name for the device you wish to add for the selected exclude list. 6 Enter a valid MAC Address for the device you wish to add. 7 Optionally, enter the MAC Mask for the device you wish to add.
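How the Host Name, MAC Address and optional MAC Mask entries of an include or exclude list are evaluated against an associating MU, and how the MAC formats the earlier MAC Authentication section mentions are normalised, as an added example that is not code from this guide or from Extreme Networks. The guide does not define the mask semantics; this code assumes the usual subnet-style rule (a set mask bit means that bit must match, and no mask means an exact match), which is an assumption. The decision function implements the "bypass-nac-except-include-list" behaviour named in the CLI section and treats an exclude-list hit as a bypass, also an assumption; the list contents and MAC addresses are constructed.

```python
"""Include/exclude list matching by MAC address and optional MAC mask.

Added example, not code from the Summit WM3000 guide. Mask semantics (a set
mask bit must match; no mask means exact match) and exclude-over-include
precedence are assumptions; the list entries and MACs are constructed."""
import re
from typing import Iterable, Optional, Tuple

FULL_MASK = 0xFFFFFFFFFFFF


def parse_mac(text: str) -> int:
    """Accept AA:BB:CC:DD:EE:FF, AA-BB-CC-DD-EE-FF, AABB.CCDD.EEFF or AABBCCDDEEFF."""
    digits = re.sub(r"[:\-.]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return int(digits, 16)


def format_mac(value: int, sep: str = ":") -> str:
    """Render a MAC in a chosen separator style, e.g. for a MAC-authentication User-Name."""
    hexstr = f"{value:012x}"
    return sep.join(hexstr[i:i + 2] for i in range(0, 12, 2))


class MacList:
    """One include or exclude list: up to 64 (host name, MAC, optional mask) entries."""

    def __init__(self, name: str, entries: Iterable[Tuple[str, str, Optional[str]]]):
        self.name = name
        self.entries = [(host, parse_mac(mac), parse_mac(mask) if mask else FULL_MASK)
                        for host, mac, mask in entries]
        if len(self.entries) > 64:
            raise ValueError("a list holds at most 64 MAC entries")

    def match(self, mac: str) -> Optional[str]:
        """Return the host name of the first matching entry, or None."""
        candidate = parse_mac(mac)
        for host, entry, mask in self.entries:
            if (candidate & mask) == (entry & mask):
                return host
        return None


def nac_required(mac: str, include: MacList, exclude: MacList) -> bool:
    """bypass-nac-except-include-list: only devices on the include list go through NAC,
    and an exclude-list hit always bypasses it (assumed precedence)."""
    if exclude.match(mac) is not None:
        return False
    return include.match(mac) is not None


# Constructed lists: one exact host and one OUI-wide (first three octets) entry.
INCLUDE = MacList("laptops", [("pc1", "AA:BB:CC:DD:EE:FF", None),
                              ("corp-nic", "00:11:22:00:00:00", "FF:FF:FF:00:00:00")])
EXCLUDE = MacList("handhelds", [("mc9000-1", "00:11:22:33:44:55", None)])


def demo() -> dict:
    return {
        "pc1": nac_required("aa-bb-cc-dd-ee-ff", INCLUDE, EXCLUDE),        # True: listed host
        "oui_match": nac_required("0011.2299.8877", INCLUDE, EXCLUDE),     # True: OUI entry
        "excluded": nac_required("00:11:22:33:44:55", INCLUDE, EXCLUDE),   # False: exclude wins
        "unlisted": nac_required("DE:AD:BE:EF:00:01", INCLUDE, EXCLUDE),   # False: bypassed
    }


if __name__ == "__main__":
    print(demo())
```

A MAC is a self-reported identifier, so a list hit only selects policy; whether the device then proves anything is down to the NAC or 802.1x exchange that follows.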
The following are NAC include list, exclude list and WLAN configuration examples using the controller CLI interface: Creating an Include List Since few devices require NAC, Extreme Networks recommends using the "bypass-nac-except-include-list" option. Refer to the commands below to create a NAC include list: 1 Create a NAC include list.
WLANController(config-wireless-client-list) #
NOTE The instance changes from (config-wireless) to (config-wireless-client-list).
2 Add a host entry to the include list. This adds a specified MAC entry/MAC range into the client’s include list.
WLANController(config-wireless-client-list) #station pc1 AA:BB:CC:DD:EE:FF
WLANController(config-wireless-client-list) #
3 Associate the include list to a WLAN. This adds the client’s include list into the WLAN.
WLANController(config-wireless-client-list) #wlan 1
WLANController(config-wireless-client-list) #
Creating an Exclude List...
NOTE Configure the secondary NAC server for redundancy.
c Configure the secondary NAC server’s IP address.
WLANController(config-wireless) #wlan 1 nac-server secondary 192.168.1.20
WLANController(config-wireless) #
d Configure the secondary NAC server’s Radius key.
WLANController(config-wireless) #wlan 1 nac-server secondary radius-key my secret-2
WLANController(config-wireless) #
3 MUs not NAC authenticated use Radius for authentication.
The Extreme Networks wireless LAN controller management software is a recommended utility to plan the deployment of the controller and view its configuration once operational. Extreme Networks WMS can help optimize controller positioning and configuration in respect to a WLAN’s MU throughput requirements and can help detect rogue devices.
MAC Address – Each MU has a unique Media Access Control (MAC) address through which it is identified. This address is burned into the ROM of the MU, but it is trivially overridden in software, so a MAC address identifies a device for inventory and policy purposes without authenticating it.
MAC Name – Displays the MAC name associated with each MU's MAC address. The MAC Name is a user created name used to identify individual mobile unit MAC addresses with a user friendly name.
Viewing MU Details The MU Details screen displays read-only MU transmit and receive statistics. To view MU Details: 1 Select Network > Mobile Units from the main menu tree. 2 Click the Status tab. 3 Select an MU from the table in the Status screen and click the Details button. 4 Refer to the following read-only MU transmit and receive statistics:
MAC Address – Displays the Hardware or Media Access Control (MAC) address for the...
Radio Type – Displays the radio type used by the adopted MU. The controller supports 802.11b MUs as well as 802.11 a/b and 802.11 a/g dual-radio MUs. The radio also supports 802.11a only and 802.11g MUs.
Base Radio MAC – Displays the SSID of the Access Point when initially adopted by the controller.
MAC Name – The MAC Name is a user created name used to identify individual mobile unit MAC addresses with a user friendly name. To edit an existing entry, double click the MAC Name and type in the new name. 4 When using clustering and the Cluster GUI feature is enabled, a drop-down menu is available to select which cluster members’...
To view MU statistics details: 1 Select Network > Mobile Units from the main menu tree. 2 Click the Statistics tab. 3 Select the Last 30s checkbox to display MU statistics gathered over the last 30 seconds. This option is helpful for assessing MU performance trends in real-time.
Throughput Mbps – Displays the average throughput in Mbps between the selected MU and the Access Point. The Rx column displays the average throughput in Mbps for packets received on the selected MU from the Access Point. The Tx column displays the average throughput for packets sent by the selected MU to the Access Point.
5 Refer to the Traffic field for the following information:
Pkts per second – Displays the average packets per second received by the MU. The Rx column displays the average packets per second received on the selected MU. The Tx column displays the average packets per second sent by the selected MU.
6 Click Close to close the dialog without committing updates to the running configuration. Viewing Voice Statistics The Voice Statistics screen displays read-only voice data statistics for each MU. Use this information to assess if configuration changes are required to improve MU voice quality. If a more detailed set of voice statistics is required, select a call index from the table and click the Details button.
Network Setup Displays the call state of the MU’s call session. Call State Displays the call codec. Codec complexity refers to the amount of Call Codec processing required to perform compression. Codec complexity affects the number of calls, that can take place. Displays the average call quality using the R Factor scale.
The Extreme Networks wireless LAN controller management software is a recommended utility to plan the deployment of the controller and view its configuration once operational. Extreme Networks WMS can help optimize the positioning and configuration of a controller and Access Points with respect to a WLAN’s MU throughput requirements.
Page 178
Description: Displays a user-assigned name for the radio.
AP Type: Displays the type of Access Point detected. The controllers support Extreme Networks AP35XX model Access Points.
Type: Use the Type to identify whether the radio is an 802.11a radio or an 802.11bg radio.
Page 179
MAC Address: The Base Radio MAC is the radio’s first MAC address when it is adopted by the controller.
State: Displays the radio’s current operational mode. If the radio is set as a Detector AP, the state is "Detector"; otherwise the state is "Normal".
VLAN: Displays the name of the VLAN currently used with each Access Point radio.
6 Click the Edit button to launch a screen used to configure radio-specific parameters. For more information, see “Editing AP Settings” on page 182.
7 Click the Delete button to remove a radio. However, before a radio can be removed, the radio’s BSS mapping must be removed.
Page 181
To define a radio as preferred, the Access Point preference ID should be the same as the adoption preference ID. The adoption preference ID is used for AP load balancing. A controller will preferentially adopt Access Points having the same adoption-preference-id as the controller itself. The Adoption Preference ID defines the controller preference ID.
Editing AP Settings
The Edit screen provides a means of modifying the properties of an existing radio. This is often necessary when the radio’s intended function has changed and its name needs modification, or if the radio now needs to be defined as a detector radio. The Edit screen also enables you to modify placement, channel and power settings as well as a set of advanced properties in case its transmit and receive capabilities need to be adjusted.
Page 183
Setting this radio as a detector dedicates the radio to detecting rogue APs on the network. Dedicated detectors do not connect to clients.
NOTE If the radio adoption default settings for both 802.11a and 802.11bg radios are set to detector, both radios will be configured as a detector.
Page 184
proximity of other Access Points. Overlapping RF coverage may cause lost packets and problems for roaming devices trying to connect to an Access Point. After setting a power level, channel and placement, the RF output power for the Access Point is displayed in mW. The default is 20 dBm.
NOTE After setting a power level, channel and placement, the RF output power for the Access Point displays in mW.
Page 185
RTS Threshold: Specify a Request To Send (RTS) threshold (in bytes) for use by the WLAN’s adopted Access Points. RTS is a transmitting station’s signal that requests a Clear To Send (CTS) response from a receiving station. This RTS/CTS procedure clears the air where many MUs are contending for transmission time.
Page 186
15 Refer to the Status field for the current state of the requests made from the applet. This field displays error messages if something goes wrong in the transaction between the applet and the controller.
16 If clustering is configured and the Cluster GUI feature is enabled, the Apply to Cluster feature will be available.
4 Click the Clear all rates button to uncheck all of the Basic and Supported rates.
5 Refer to the Status field for the current state of the requests made from the applet. This field displays error messages if something goes wrong in the transaction between the applet and the controller.
6 Click OK to apply the changes to the running configuration and close the dialog.
6 From the Radio Settings section, select the radio type checkboxes corresponding to the type of AP radio used. Available radio types are dependent on the AP Type selected above.
7 Enter a numerical value in the Radio Index field for each selected radio. The Radio Index is a numerical value assigned to the radio as a unique identifier.
Mesh Network Name: If the Client Bridge checkbox has been selected, enter a Mesh Network Name to define the WLAN (ESS) the client bridge uses to establish a wireless link. Extreme Networks recommends creating (and naming) a WLAN specifically for mesh networking support to differentiate the Mesh-supported WLAN from non-Mesh-supported WLANs.
Page 190
3 To select the time frame for the radio statistics, select either Last 30s or Last Hr above the statistics table.
● Select the Last 30s radio button to display statistics for the last 30 seconds for the radio.
● ...
Retries: Displays the average number of retries for all MUs associated with the selected radio.
5 Select a radio from those displayed and click the Details button for additional radio information in raw data format. For more information, see “Viewing AP Statistics in Detail” on page 191.
Page 192
Radio Type: Displays the radio type of this AP. Available types are:
• 802.11a
• 802.11an
• 802.11bg
• 802.11bgn
Current Channel: Displays the channel on which the Access Point is currently passing traffic. If the channel is displayed in red, the configured channel does not match the current channel.
% Gave Up Pkts: Displays the percentage of packets the controller gave up on for all MUs associated with the selected radio. The number in black represents this statistic for the last 30 seconds and the number in blue represents this statistic for the last hour.
Configuring WLAN Assignment
The WLAN Assignment tab displays a high-level description of the radio. It also displays the radio’s WLAN and BSSID assignments on a panel on the right-hand side of the screen.
To view existing WLAN Assignments:
1 Select Network >...
Page 195
1 Select Network > Access Point Radios from the main menu tree.
2 Click the WLAN Assignment tab.
3 Select a radio from the table and click the Edit button. The Select Radio/BSS field displays the WLANs associated with each of the BSSIDs used by the radios within the radio table.
Configuring WMM
Use the WMM tab to review each radio’s current index (numerical identifier), the Access Category that defines the data type (Video, Voice, Best Effort and Background) as well as the transmit intervals defined for the target access category.
To view existing WMM Settings:
1 Select Network >...
4 Select a radio and click the Edit button (at the bottom of the screen) to modify its properties. For more information, see “Editing WMM Settings” on page 197.
Editing WMM Settings
Use the Edit screen to modify a WMM profile’s properties (AIFSN, Tx op, CW Min and CW Max). Modifying these properties may be necessary as Access Categories are changed and transmit intervals need to be adjusted to compensate for larger data packets and contention windows.
The ECW Max is combined with the ECW Min to make the Contention Window. From this range, a random number is selected for the backoff mechanism. Lower values are used for higher-priority (video or voice) traffic.
8 Refer to the Status field for the current state of the requests made from the applet.
Page 199
3 Click the Last 30s radio button to display Mesh statistics for the last 30 seconds. This option is helpful when troubleshooting issues as they actually occur.
4 Click the Last Hr radio button to display Mesh statistics for the last 1 hour. This metric is helpful in baselining events over a one-hour interval.
% Non-UNI: % Non-UNI is the percentage of the total packets for the selected radio that are non-unicast packets. Non-unicast packets include broadcast and multicast packets.
Retries: Displays the total number of retries for each Access Point.
6 Select a mesh index from among those displayed and click the Details button for additional (more granular) information on the selected mesh index.
Page 201
Description: Displays the names assigned to each of the APs. The AP name can be configured on the Access Point Radios Configuration page.
Type: Displays the radio type of the corresponding APs. Available types are:
• 802.11a
• 802.11an
• 802.11bg
• ...
● And / Or - Use the And/Or drop-down list to expand the selection criteria. Up to two selection criteria are supported.
● Filter Entire Table - Click Filter Entire Table to apply the filtering criteria on the information being...
Page 203
3 Refer to the following information as displayed within the Configuration tab:
Type: Displays whether the radio is an 802.11a radio or an 802.11bg model radio.
Placement: Displays the default placement when a radio auto-adopts and takes on the default settings. Options include Indoor or Outdoor. Default is Indoor.
Channel: Displays the default channel when a radio auto-adopts and takes on the default settings.
CAUTION An Access Point is required to have a DHCP-provided IP address before attempting layer 3 adoption; otherwise it will not work. Additionally, the Access Point must be able to find the IP addresses of the controllers on the network.
Page 205
The Properties field displays the Model family for the selected Access Point. The Model is read-only and cannot be modified. The Radio Type displays the radio type (802.11a or 802.11bg). This value is read-only and cannot be modified.
5 To use this radio as a detector to identify rogue APs on your network, check the box titled Dedicate this AP as Detector AP.
Page 206
The optimal power level for the specified channel is best determined by a site survey prior to installation. Available settings are determined according to the selected channel. Set a higher power level to ensure RF coverage in WLAN environments that have more electromagnetic interference or greater distances between the Access Point and MUs.
Page 207
RTS Threshold: Specify a Request To Send (RTS) threshold (in bytes) for use by the WLAN’s adopted Access Points. RTS is a transmitting station’s signal that requests a Clear To Send (CTS) response from a receiving station. This RTS/CTS procedure clears the air where many MUs (or nodes) are contending for transmission time.
Page 208
12 Refer to the Status field for the current state of the requests made from the applet. This field displays error messages if something goes wrong in the transaction between the applet and the controller.
13 Click OK to apply the changes to the running configuration and close the dialog.
14 Click Cancel to close the dialog without committing updates to the running configuration.
Supported Rates allow an 802.11 network to specify the data rates it supports. When a station attempts to join the network, it checks the data rate used on the network. If a rate is selected as a basic rate, it is automatically selected as a supported rate.
4 Click the Clear all rates button to uncheck all of the Basic and Supported rates.
5 Refer to the Select/Change Assigned WLAN field for the following information:
Primary WLAN: If a specific BSS was selected from the Select Radio/BSS area, choose one of the selected WLANs from the drop-down menu as the primary WLAN for the BSS.
3 Refer to the WMM table for the following information:
AP Type: Displays whether the radio is an 802.11a radio or an 802.11bg radio. This value is read-only and cannot be modified.
Access Category: Displays the Access Category currently in use. There are four categories: Video, Voice, Best Effort and Background.
1 Select Network Setup > Adoption Defaults from the main menu tree.
2 Click the WMM tab.
3 Select a radio from the table and click the Edit button. The AP Type identifies whether the radio is an 802.11a radio or an 802.11bg radio. This value is read-only and cannot be modified.
Page 213
1 Select Network > Access Point from the main menu tree.
2 Click the Adopted AP tab.
3 Refer to the Adopted AP screen for the following information:
MAC Address: Displays the radio’s first MAC address when it is adopted by the controller.
4 When using clustering and the Cluster GUI feature is enabled, a drop-down menu will be available to select which cluster members’ APs are displayed. To view APs from all cluster members, select All from the drop-down menu. To view AP radios from a specific cluster member, select that member’s IP address from the drop-down menu.
CAUTION An Access Point is required to have a DHCP-provided IP address before attempting layer 3 adoption; otherwise it will not work. Additionally, the Access Point must be able to find the IP addresses of the controllers on the network.
1 Enable or disable AP Automatic Updates.
AAP Automatic Update: Check this box to enable automatic updates of Access Point firmware when an Access Point associates with the controller. The AP image files used for automatic update are specified in the AP Image Upload Table below.
4 Specify the AP Image Type.
5 Specify the AP Image File. You can browse the controller file systems using the browser icon. AP images must be on the flash, system, nvram or usb file systems in order for them to be selected.
6 Click the OK button to save the changes and return to the AP Firmware tab.
architecture provides multiple forwarding links for data traffic and load balancing, and therefore reduces the number of spanning-tree instances required to support a large number of VLANs. Using MSTP, the network can be divided into regions. All controllers within a region use the same VLAN-to-instance mapping.
Page 219
To configure the MSTP bridge:
1 Select Network > Multiple Spanning Tree from the main menu tree.
2 Select the Bridge tab (should be the displayed tab by default).
3 Refer to the MSTP Parameter field to view or set the following:
Use the drop-down menu to define MSTP status.
Page 220
MST Config. Name: Enter a name for the MST region. This is used when configuring multiple regions within the network. Each controller running MSTP is configured with a unique MST region name. This helps when keeping track of MSTP configuration changes.
CIST Bridge Forward Delay: Enter the CIST bridge forward delay value received from the root bridge. If this is the root bridge, the value will be equal to the Configured Forward Delay. The forward delay value is the maximum time (in seconds) the root device waits before changing states (from a listening state to a learning state to a forwarding state).
Page 222
The Bridge Instance tab displays the following:
Displays the ID of the MSTP instance.
Bridge Priority: Displays the bridge priority for the associated instance. The Bridge Priority is assigned to an individual bridge based on whether it is selected as the root bridge. The lower the priority value, the greater the likelihood of the bridge becoming the root for this instance.
Creating a Bridge Instance
To create a VLAN instance and associate it with a bridge as a numerical identifier:
1 Select Network > Multiple Spanning Tree from the main menu tree.
2 Select the Bridge Instance tab.
3 Click the Add button.
4 Enter a value between 1 and 15 as the Instance ID.
Configuring a Port
Use the Port tab to view and configure MSTP port parameters, including enabling/disabling the spanning tree algorithm on one or more ports (displaying the designated bridge and port/root information).
To view and configure MSTP port details:
1 Select Network >...
Page 225
Guard Root: Displays whether the listed port index enforces root bridge placement. The guard root ensures the port is a designated port. Typically, each guard root port is a designated port, unless two or more ports (within the root bridge) are connected together. If the bridge receives superior BPDUs on a guard-root-enabled port, the guard root moves the port to a root-inconsistent STP state.
Designated Port: Defines the port connection used to send and receive packets. By having only one designated port per segment, all looping issues should be resolved. Once the designated port has been selected, any other ports that connect to that segment become non-designated ports and block traffic from taking the defined path.
Page 227
1 Select a row from the port table and click the Edit button. The following MSTP Port parameters can be reconfigured.
Port Index: Displays the read-only Port Index.
Admin MAC Enable: Displays the status of the Admin MAC Enable. A green check mark indicates the status as enabled.
Port Path Cost: Displays the path cost for the specified port index. The default path cost depends on the speed of the interface.
Speed                  Default path cost
<=100000 bits/sec      200000000
<=1000000 bits/sec     20000000
<=10000000 bits/sec    2000000
<=100000000 bits/sec   200000
...
Page 229
The Port Instance table displays the following:
Displays the instance ID.
Index: Displays the port index.
State: Displays the MSTP state for the port for that instance.
Role: Displays the MSTP state of the port.
Internal Root Cost: Displays the Internal Root Cost of a path associated with an interface. The lower the path cost, the greater the likelihood of the interface becoming the root.
Editing a Port Instance Configuration
To edit and reconfigure Port Instance parameters:
1 Select a row from the port table and click the Edit button. Most of the MSTP Port Instance parameters can be reconfigured, as indicated below.
Instance ID: Read-only indicator of the instance ID used as a basis for other Port Instance modifications.
IGMP snooping allows the controller to manage multicast traffic based on groups of IGMP hosts on a per-portal basis. IGMP snooping keeps track of the hosts interested in a multicast group and the portal each host is associated with, and forwards multicast packets to the portal on which the host is connected. In the case of IP multicast traffic, an IGMP-supported controller provides the benefit of conserving bandwidth on those network segments where no node has expressed interest in receiving packets addressed to the group address.
Page 232
5 Select Apply to save the changes to the Snoop Enable and Unknown Multicast Forward options.
6 Review the following to discern whether an existing snoop configuration requires revision.
Vlan Index: Lists the VLAN interfaces upon which snooping and unknown multicast forward is enabled or disabled.
Displays whether IGMP snooping is enabled/disabled on the VLAN Index...
8 Select OK to save the edits to the IGMP configuration. Selecting Cancel reverts the IGMP snooping configuration to its previous settings.
IGMP Snoop Querier Configuration
The IGMP snoop querier functionality is used in the absence of a multicast router in networks where there is a multicast streaming server and multicast listener hosts, but no IGMP querier.
Page 234
3 Refer to the Igmp Snoop Querier Global Config field and define the following values; once enabled, these values display within the Igmp Snoop Querier Vlan Config field:
Max Response Time: Defines the maximum response time for the controller to receive a report. If the controller does not receive a report, it discards this port.
Page 235
4 Select Apply to save the changes to the Igmp Snoop Querier Global Config options.
5 Optionally, select a VLAN Index from among those listed, and select Edit to revise the following parameters:
Enable: Select the enable checkbox to use this IGMP snoop querier configuration with the VLAN listed.
Page 236
6 Select OK to save the edits to the configuration. Selecting Cancel reverts the configuration to its previous settings.
Summit WM3000 Series Controller System Reference Guide...
Controller Services
This chapter describes the Services main menu information available for the following controller configuration activities:
● Displaying the Services Interface on page 237
● DHCP Server Settings on page 238
● Configuring Secure NTP on page 259
● Configuring Controller Redundancy and Clustering on page 270
● ...
NTP Time Management: Displays whether time management is currently enabled or disabled. Network Time Protocol (NTP) manages time and/or network clock synchronization within the controller-managed network. NTP is a client/server implementation.
Redundancy Service: Displays whether Redundancy is currently enabled or disabled. One or more controllers can be configured as members of a redundancy group to significantly reduce the chance of a disruption in service to WLANs and...
Page 239
NOTE DHCP Server setting updates are only implemented when the controller is restarted.
NOTE When using the controller’s internal DHCP server, ensure that traffic can pass on UDP ports 67 and 68 between the controller and the clients receiving DHCP information.
To configure DHCP:
1 Select Services >...
Network: Displays the network address for the clients.
Lease Time (dd:hh:mm): When a DHCP server allocates an address for a DHCP client, the client is assigned a lease (which expires after a designated interval defined by the administrator). The lease time is the time an IP address is reserved for re-connection after its last use.
● A b-broadcast (broadcast node) broadcasts to query network nodes for the owner of a NetBIOS name.
● A p-peer (peer-to-peer node) uses directed calls to communicate with a known NetBIOS name server, such as a Windows Internet Name Service (WINS) server, for the IP address of a NetBIOS machine.
Page 242
3 Enter the name of the IP pool from which IP addresses can be issued to client requests on this interface.
4 Provide the Domain name as appropriate for the interface using the pool.
5 Enter the NetBios Node used with this particular pool. The NetBios Node could have one of the following types:
● A b-broadcast (broadcast node) uses broadcasting to query nodes on the network for the owner of a NetBIOS name.
● A p-peer (peer-to-peer node) uses directed calls to communicate with a known NetBIOS name server, such as a Windows Internet Name Service (WINS) server, for the IP address of a NetBIOS machine.
1 Select Services > DHCP Server from the main menu tree.
2 Highlight an existing pool name from within either the Configuration or Host Pool tab and click the Options Setup button at the bottom of the screen.
3 Click the Insert button to display an editable field wherein the name and value of the DHCP option can be added.
3 Enter a Domain Name which represents the forward zone in the DNS server. For example, test.net.
4 Define the TTL (Time to Live) to specify the validity of DDNS records. The maximum value is 864000 seconds.
5 Use the Automatic Update drop-down menu to specify whether the automatic update feature is on or off.
Page 246
1 Select Services > DHCP Server from the main menu tree.
2 Select the Host Pool tab.
3 Refer to the following information to assess whether the existing group of DHCP pools is sufficient:
Pool Name: Displays the name of the IP pool from which IP addresses can be issued to DHCP client requests on this interface.
6 Click the Add button to create a new DHCP pool. For more information, see “Adding a New DHCP Pool” on page 241.
7 Click the Options button to insert a global pool name into the list of available pools. For more information, see “Configuring DHCP Global Options”...
4 To delete an existing DHCP pool from the list of those available to the controller, highlight the pool from within the Network Pool field and click the Delete button.
5 Click the Add button to create a new IP address range for a target host pool. For more information, see “Adding a New DHCP Pool”...
Page 249
3 Refer to the Interfaces field for the names of the interfaces available to route information between the DHCP Server and DHCP clients. If this information is insufficient, consider creating a new IP pool or editing an existing pool.
4 Refer to the Gateway Information field for DHCP Server and Gateway Interface IP addresses. Ensure these addresses are not in conflict with the addresses used to route data between the DHCP Server and client.
a Use the Interface drop-down menu to assign the interface used for the DHCP relay. As VLANs are added to the controller, the number of interfaces available grows.
b Add Servers as needed to supply DHCP relay resources. As Servers are added, use the Gateway drop-down menu associated with each Server to supply the interface used to route data.
3 Refer to the contents of the DDNS Bindings tab for the following information:
IP Address: Displays the IP address assigned to the client.
Domain Name: Displays the domain name mapping corresponding to the IP address listed in the left-hand side of the tab.
4 Click the Export button to display a screen used to export DDNS Binding information to a secure location.
3 Refer to the contents of the Bindings tab for the following information:
IP Address: Displays an IP address for each client with a listed MAC address. This column is read-only and cannot be modified.
MAC Address / Client ID: Displays the MAC address (client hardware ID) of the client using the controller’s DHCP Server to access controller resources.
Refer to the contents of the Dynamic Bindings tab for the following:
IP Address: Displays the IP address for each client whose MAC address is listed in the MAC Address / Client ID column. This column is read-only and cannot be modified.
3 The User Class Name field displays the client names grouped by the class name.
4 The User Class Option Name field displays the names defined for a particular client. Select the Multiple User Class Options checkbox to associate the user class option names with a multiple user class.
The DHCP server groups clients based on user class option values. DHCP clients with the defined set of user class option values are identified by class.
a Enter the User Class Name to create a new client. The DHCP user class name should not exceed 32 characters.
a The User Class Name is a display field and cannot be modified.
b Either add or modify the Option Values as required to suit the changing needs of your network. The option values should not exceed 50 characters.
c Select the Multiple User Class Option checkbox to enable multiple option values for the user class.
3 Refer to the Pool Class Names field to configure a pool class. A pre-configured pool and class must exist to configure a pool class. The Address Ranges section displays the address ranges associated with the pool class.
4 Click the Edit button to modify the properties displayed for an existing DHCP Pool Class Name. For more information, see “Editing an Existing DHCP Pool Class”...
6 Refer to the Pool Class Address Range field to revise an address range. A maximum of 4 address ranges can be assigned to a class.
a Use the Insert button to revise the Start IP and End IP address range for a class.
b Select an address range and click Remove to delete that particular address range.
b Select an address range and click Remove to delete that particular address range.
7 Refer to the Status field. It displays the current state of the requests made from the applet. Requests are any “SET/GET” operation from the applet. The Status field displays error messages if something goes wrong in the transaction between the applet and the controller.
Page 260
3 An ACL Id must be created before it is selectable from any of the drop-down menus. Refer to the Access Group field to define the following:
Full Access: Supply a numeric ACL ID from the drop-down menu to provide the ACL full access.
Clock Stratum: Define how many hops (from 1 to 15) the controller is from an SNTP time source. The controller automatically chooses the SNTP resource with the lowest stratum number. The SNTP-supported controller is careful to avoid synchronizing to a server that may not be accurate. Thus, the SNTP-enabled controller never synchronizes to a machine that is not itself synchronized.
Page 262
3 Refer to the Symmetric Key screen to view the following information:
Key ID: Displays a Key ID between 1 and 65534. The Key ID is an abbreviation allowing the controller to reference multiple passwords. This makes password migration easier and more secure between the controller and its NTP resource.
6 Enter a Key ID between 1 and 65534. The Key ID is an abbreviation allowing the controller to reference multiple passwords. This makes password migration easier and more secure between the controller and its NTP resource.
7 Enter an authentication Key Value used to secure the credentials of the NTP server providing system time to the controller.
Page 264
3 Refer to the following information (as displayed within the NTP Neighbor tab) to assess whether an existing neighbor configuration can be used as is, whether an existing configuration requires modification, or whether a new configuration is required.
IP Address/Hostname: Displays the numeric IP address of the resource (peer or server) providing controller SNTP resources.
6 Click the Add button to define a new peer or server configuration that can be added to the existing configurations displayed within the NTP Neighbor tab. For more information, see “Adding an NTP Neighbor” on page 265.
Adding an NTP Neighbor
To add a new NTP peer or server neighbor configuration to those available for synchronization:
1 Select Services >...
synchronization packets within a network. To listen to NTP broadcast traffic, the broadcast server (and controller) must be on the same subnet. NTP broadcasts reduce configuration complexity since both the controller and its NTP resources can be configured to send and receive broadcast messages.
NOTE If this checkbox is selected, the AutoKey Authentication checkbox is disabled, and the controller is required to use Symmetric Key Authentication for credential verification with its NTP resource.
Page 267
3 Refer to the following SNTP Association data for each SNTP association displayed:
Address: Displays the numeric IP address of the SNTP resource (Server) providing SNTP updates to the controller.
Reference Clock: Displays the address of the time source the controller is synchronized to.
Displays how many hops the controller is from an SNTP time source.
NOTE Select an existing NTP association and click the Details button to display additional information useful in discerning whether the association should be maintained.
Viewing NTP Status
Refer to the NTP Status tab to display performance (status) information relative to the controller’s current NTP association.
Page 269
1 Select Services > Secure NTP from the main menu tree.
2 Select the NTP Status tab.
3 Refer to the SNTP Status field to review the accuracy and performance of the controller’s ability to synchronize with an NTP server:
Leap: Indicates whether a second will be added to or subtracted from SNTP packet transmissions, or whether the transmissions are synchronized.
Configuring Controller Redundancy and Clustering
Configuration and network monitoring are two tasks a network administrator faces as a network grows in terms of the number of managed nodes (controllers, routers, wireless devices etc.). Such scalability requirements lead network administrators to look for ways to manage and monitor each node from a single centralized management entity.
Page 271
After sending the command to other members, the cluster-management protocol (at WS1) waits for a response from the members of the redundancy group. Upon receiving a response from each member, WS1 updates the user’s screen and allows the user to enter/execute the next command. The wait time required to collect responses from other controllers is predefined, so if any one or more members does not respond to a given command within the defined interval, the command originating controller displays whatever responses have been collected and ignores the delayed responses.
To view status and membership data and define a redundancy group configuration, refer to the following:
● Configuring Redundancy Settings
● Reviewing Redundancy Status
● Configuring Redundancy Group Membership
● Redundancy Group License Aggregation Rules
● Managing Clustering Using the Web UI...
Page 273
2 Refer to the Configuration field to define the following:
Enable Redundancy: Select this checkbox to enable/disable clustering. Clustering must be disabled to set a redundancy related parameter. All the modifiable values are grayed out if enabled.
Redundancy: Define the destination IP address used to send heartbeats and update messages.
Page 274
Auto Revert
Auto Revert: Check this box to enable the feature and specify the time (in minutes) for the controller to revert. Configure the interval between 1 and 1800 minutes. The default revert time is 5 minutes. When a primary controller fails, the standby controller takes over APs adopted by the primary.
State: Displays the new state (status) of the redundancy group after a Trigger event has occurred.
Time: Displays the Timestamp (time zone specific) when the state change occurred.
Trigger: Displays the event causing the redundancy group state change on the controller.
Page 276
Controller running image version: Displays the controller firmware image version currently running on the controller. Compare this version with the latest version available from Extreme Networks to ensure the controller supports the latest feature set available.
Connectivity Status: Displays the current connectivity status of the cluster membership.
Mobile Units on this controller: Displays the number of MUs currently associated with the radio(s) used with this controller. Compare this number with the number of MUs within the group to determine how effectively MUs are distributed within the cluster.
4 The Apply and Revert buttons (at the bottom of the screen) are unavailable for use with the Status screen, as there are no editable parameters to save or revert.
Page 278
3 Refer to the following information within the Member tab:
IP Address: Displays the IP addresses of the redundancy group member.
Summit WM3000 Series Controller System Reference Guide...
Status: Displays the current status of this group member. This status could have the following values:
• Configured - The member is configured on the current wireless service module.
• Seen - Heartbeats can be exchanged between the current controller and this member.
Page 280
4 Refer to the following redundancy member information:
IP Address: Displays the IP addresses of the members of the redundancy group. A minimum of 2 members is needed to define a redundancy group, including this current module.
Displays the current status of this group member.
AP License Count: Displays the number of Access Point licenses available for this controller. For information on licensing rules impacting redundancy group members, see “Redundancy Group License Aggregation Rules” on page 282.
Image Version: Displays the image version currently running on this member. Is the selected version compatible with this controller’s version?
Displays the time this member was first seen by the controller.
4 Enter the IP Address of a new member.
5 Click OK to save and add the changes to the running configuration and close the dialog.
6 Refer to the Status field. The Status is the current state of the requests made from the applet. Requests are any “SET/GET” operation from the applet.
For example, for a cluster of three controllers (S1 = 6, S2 = 6 and S3 = 6 licenses), the group license count is 18. If S1 goes down, the license count is still 18, since the license calculation is not initiated if a member controller goes down.
4 On the Configuration tab, check the Enable Redundancy checkbox and then check the Enable Cluster GUI box.
5 Click the Apply button to enable the Cluster GUI feature.
6 Once Cluster GUI is enabled, a Controller field is available in many of the Access Point and mobile unit related screens.
Page 285
CAUTION An Access Point must have a DHCP provided IP address before attempting layer 3 adoption; otherwise adoption will not work. Additionally, the Access Point must be able to find the IP addresses of the controllers on the network.
Page 286
2 Select the Use Default Management Interface checkbox to use the controller’s default management interface IP address for MUs roaming amongst different Layer 3 subnets. The IP address displayed to the right of the checkbox is used by Layer 3 MU traffic.
3 To use a local IP address (not the controller management interface) for MUs roaming amongst different Layer 3 subnets, select the Use this Local Address checkbox and enter an IP address.
Defining the Layer 3 Peer List
The Layer 3 Peer List contains the IP addresses MUs are using to roam amongst various subnets. This screen is helpful in displaying the IP addresses available to those MUs requiring access to different subnet resources.
Enter the IP addresses in the area provided and click the OK button to add the addresses to the list displayed within the Peer List screen.
Reviewing Layer 3 Peer List Statistics
When a MU roams to a current controller on the same layer 3 network, it sends a L2-ROAM message to the home controller to indicate the MU has roamed within the same VLAN.
Page 289
3 Refer to the following information within the Peer Statistics tab:
Peer IP: Displays the IP addresses of the peer controllers within the mobility domain. Each peer can support up to 500 MUs.
JOIN Events sent/rcvd: Displays the number of JOIN messages sent and received. JOIN messages advertise the presence of MUs entering the mobility domain for the first...
L2-ROAMs sent/rcvd: Displays the number of Layer 2 ROAM messages sent and received. When a MU roams to a new controller on a different layer 3 network (MU is mapped to a different VLAN ID), it sends a L3-ROAM message to the home controller with the new IP information for the current controller it is associated with.
3 Refer to the following information within the MU Status tab.
MU MAC: Displays each listed Client’s factory coded hardware address.
MU IP Address: Lists each Client’s assigned network IP address.
Home Ctlr IP: Displays each Client’s assigned home controller IP address.
Lists the controller VLAN the listed Client is a member of.
to the Recently Found Devices tab to view a table of devices discovered by the current discovery process. Each discovered device compatible with the locating controller is displayed in a shaded color to distinguish it from non-compatible devices.
CAUTION Controller discovery can be a time consuming operation.
Page 293
3 Select an existing profile and click the Edit button to modify the profile name, starting and ending IP address, and SNMP version. Extreme Networks recommends editing a profile only if some of its attributes are still valid; if the profile is obsolete, delete it and create a new one.
Page 294
When the credentials of the V2 Read Community or V3 Authentication screens are satisfied, the controller discovery process begins. When the discovery completes, the Discovery Results screen displays, listing the name and network address attributes of the discovered devices. Click Launch to make a discovered device’s configuration available to the detecting controller.
IP Address: Lists the IP address of each discovered device.
Device Name: Displays the discovered device’s system assigned name.
Device Uptime: Lists the time each discovered device has been operating within the controller managed network.
Device Location: Displays the device’s detected location if the discovered device is capable of sharing locationing information with the discovery profile.
Define the following parameters for the new controller discovery profile:
Profile Name: Define a user-assigned name used to title the profile. The profile name should associate the profile with the group of devices or area where the discovered devices should be located.
Start IP Address: Enter the starting numeric (non DNS) IP address from where the search for available network devices is conducted.
Page 297
3 Refer to the following within the Recently Found Devices screen to discern whether a located device should be deleted from the list or selected to have its Web UI launched and its current configuration modified.
IP Address: Displays the IP address of the discovered controller. This IP address necessarily falls within the range of IP addresses specified for the discovery profile used for the device search.
Unlike competing solutions, which are based solely on Wi-Fi, the Extreme Networks solution is RF agnostic and supports passive RFID, active RFID and other emerging RF and non-RF technologies. Extreme Networks’ location solution leverages standards-based Wi-Fi access points and RFID readers, so no proprietary infrastructure is needed.
Applications (users) inform SOLE (the wireless LAN controller) about a facility map, the location of infrastructure, and zones. A zone is an area of specific interest, for which it matters whenever an asset becomes visible or invisible in that area. SOLE uses the following input variables, as needed for the specific tag type, to calculate location:
● User configurations
...
Page 300
1 Select Services > RTLS from the main menu tree.
2 Select the Site tab.
3 Enter a Name and optionally a Description for the site:
Name: Enter a name for the site where locationing is deployed. This is for identification purposes only.
Height: Enter the height of the site. The size is either in feet or meters depending on which unit of measure is selected below. The acceptable range for height is 0-60m or 0-180ft. Height is an optional parameter and is not taken into account by the locationing algorithm.
Unit: Use the drop-down menu to select the unit of measure used for dimensions.
4 Provide the AP’s MAC address and X, Y, and Z coordinates.
5 Select OK when completed to save your AP configuration.
Configuring SOLE Parameters
To configure the controller’s internal SOLE locationing engine:
1 Select Services > RTLS from the main menu tree.
Page 303
2 Select the SOLE tab.
3 Check the Locate All Mobile-Units checkbox to locate all MUs known to the controller across all WLANs. This also disables manual entry of MU MAC addresses in the field below. This takes effect immediately when the box is checked.
4 Enter a value for the MU Locate Interval in seconds.
b To remove a MAC Address from the MU MAC table, select a MAC Address from the table and click the Delete button to remove that MU. This table is disabled when the Locate All MUs checkbox is selected.
Once SOLE has been enabled, MUs found by the locationing engine are displayed in the Located MUs table at the bottom of the page.
Page 305
2 Select the Aeroscout tab.
3 Check the Enable checkbox to globally enable Aeroscout RTLS support on the controller. This takes effect immediately when the box is checked.
4 Enter the Multicast MAC Address to which all Aeroscout tags send their updates via multicast.
10 Click the Apply button to save the Locate Interval value.
11 Click the Revert button to cancel any changes made to the Locate Interval value and revert back to the last saved configuration.
If the onboard SOLE engine is enabled to locate Aeroscout tags, the following information is displayed for each located MU:
Lists the MAC Addresses of all MUs which have been located by the controller.
Page 307
2 Select the Ekahau tab.
3 Check the Enable checkbox to globally enable Ekahau support on the controller. This takes effect immediately when the box is checked.
4 Enter the Multicast MAC Address to which all Ekahau tags send their updates via multicast.
Page 308
10 To use the onboard SOLE engine to locate Ekahau tags, check the Enable checkbox. This takes effect immediately after checking the box.
11 If the onboard SOLE engine is enabled to locate Ekahau tags, enter a Locate Interval in seconds to specify how often the known tags are located by the SOLE engine.
Controller Security
This chapter describes the security mechanisms available to the controller and the following security configuration activities:
● Displaying the Main Security Interface on page 309
● AP Intrusion Detection on page 310
● Configuring Firewalls and Access Control Lists on page 319
...
1 Select Security from the main menu tree.
2 Refer to the following information to discern if configuration changes are warranted:
Rogue AP Intrusion Detection: Displays whether the controller is enabled or disabled to detect potentially hostile Access Points (the definition of which is defined by you). Once detected, rogue devices can be added to a list of devices either approved or denied from interoperating within the controller managed network.
AP detection is primarily conducted by the approved APs and may be assisted by certain Motorola MUs supported by the Extreme Networks WM3000 series WLAN controller. The Access Point Detection screen consists of the following tabs:
● Enabling and Configuring AP Detection
...
Page 312
3 Enable AP assisted scanning and timeout intervals as required.
Enable
Enable: Select the checkbox to enable associated Access Points to detect potentially hostile Access Points. Once detected, the Access Points can be added to a list of APs either approved or denied from interoperating within the controller managed network.
Enable
Enable: Select the checkbox to enable associated MUs to detect potentially hostile Access Points (the definition of which is defined by you). Once detected, these devices can be added to a list of Access Points either approved or denied from interoperating within the controller managed network.
Page 314
4 If adding a new Allowed AP, use the Index parameter to assign a numerical index value to this particular Access Point. The index range is from 1-200. If editing an existing Allowed AP, this is a read only field and cannot be modified.
5 Refer to the BSS MAC Address field to define the following:
Any MAC Address: Click the...
Approved APs
Those Access Points detected and approved for operation within the controller managed network can be separately displayed to assess the reporting (detecting) AP, the channel of operation, the last time the AP was observed on the network and the ESSID. Use this information to assess if an approved Access Point was incorrectly defined as approved and requires categorization as an unapproved and disallowed AP.
4 The Number of Approved APs is simply the sum of all approved Access Point MAC Addresses detected.
5 Click on the Export button to export the contents of the table to a Comma Separated Values (CSV) file.
Channel: Displays the channel the Unapproved AP is currently transmitting on.
Signal Strength (dBm): Displays the Relative Signal Strength Indicator (RSSI) for the detected (and unapproved) AP. APs with a strong signal may pose a more significant risk within the controller managed network.
Last Seen (Seconds): Displays the time (in seconds) the Unapproved AP was last seen on the network by the detecting AP.
Page 318
3 The Unapproved APs (Reported by MUs) table displays the following information:
BSS MAC Address: Displays the MAC Address of each Unapproved AP. These MAC addresses are Access Points observed on the network (by associated MUs) that have yet to be added to the list of approved APs, and are therefore interpreted as a threat on the network.
Configuring Firewalls and Access Control Lists
An Access Control List (ACL) is a sequential collection of permit and deny conditions that apply to controller packets. When a packet is received on an interface, the controller compares the fields in the packet against any applied ACLs to verify the packet has the required permissions to be forwarded, based on the criteria specified in the access lists.
● Wireless LAN ACLs - A Wireless LAN ACL is designed to filter/mark packets based on the wireless LAN from which they arrived rather than filtering packets that arrived on Layer 2 ports. For more information, see
● Router ACLs
...
Each session has a default idle time-out interval. If no packets are received within this interval, the session is terminated and a new session must be initiated. These intervals are fixed and cannot be configured by the user. The default idle time-out intervals for different sessions are:
ICMP and UDP sessions—...
● IP traffic by using IP ACL
● Non-IP traffic by using MAC addresses.
Both IP and non-IP traffic on the same Layer 2 interface can be filtered by applying both an IP ACL and a MAC ACL to the interface. You cannot apply more than one IP ACL and one MAC ACL to a Layer 2 interface.
Consider the following when adding rules:
● Every ACL entry in an ACL is associated with a precedence value unique for every entry. You cannot enter two different entries in an ACL with the same precedence value. This value can be between 1 and 5000.
● ACLs - existing access lists
● Associated Rules - allow/deny rules
The ACLs field displays the list of ACLs currently associated with the controller. An ACL contains an ordered list of ACEs. Each ACE specifies a permit or deny designation and a set of conditions the packet must satisfy to match the ACE.
1 Select Security > Wireless Firewall from the main tree menu.
2 Click the Configuration tab.
3 Click on the ACL tab to view the list of ACLs currently associated with the controller.
4 Click the Add button.
5 Select an ACL Type from the drop-down menu. The following options are available:
Standard IP List –...
Page 326
5 Use the Precedence field to enter a precedence (priority) value between 1 and 5000. The rules within an ACL will be applied to packets based on their precedence value. Rules with lower precedence are always applied first.
NOTE If adding an access control entry to an ACL using the controller SNMP interface, Precedence is a required parameter.
11 Refer to the Status field for the current state of the requests made from the applet. This field displays error messages if something goes wrong in the transaction between the applet and the controller.
12 Click OK to apply the changes to the running configuration and close the dialog.
13 Click Cancel to close the dialog without committing updates to the running configuration.
The rules within an ACL are applied to packets based on their precedence value. Rules with lower precedence are always applied first.
NOTE If adding an access control entry to an ACL using the controller SNMP interface, Precedence is a required parameter.
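The precedence ordering described here and in the ACE guidance above (every entry carries a unique precedence between 1 and 5000, and lower values are applied first) can be checked with the following Python model. It is an added example, not code from the guide or the controller; the Ace fields, the first-match rule and the implicit deny for packets that match no entry are assumptions, as is the constructed sample ACL.

```python
"""Added example (not controller code): ACL evaluation ordered by precedence.

Models the rules stated in the guide: every ACE in an ACL carries a unique
precedence value between 1 and 5000, and rules with a lower precedence are
applied first.  The first ACE whose conditions the packet satisfies decides
permit or deny (standard first-match semantics, assumed here); a packet that
matches no ACE is denied (implicit deny, also an assumption).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

PRECEDENCE_MIN, PRECEDENCE_MAX = 1, 5000  # range given in the guide


@dataclass(frozen=True)
class Ace:
    """One access control entry: a permit/deny designation plus match conditions."""
    precedence: int                 # unique within the ACL, 1..5000
    action: str                     # "permit" or "deny"
    src: str                        # source prefix the packet's source must fall in
    dst: str                        # destination prefix the packet's destination must fall in
    protocol: Optional[str] = None  # "tcp", "udp", "icmp", ... or None for any protocol

    def matches(self, src_ip: str, dst_ip: str, protocol: str) -> bool:
        if self.protocol is not None and self.protocol != protocol:
            return False
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst))


class Acl:
    """An ordered list of ACEs keyed by precedence."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._aces: Dict[int, Ace] = {}

    def add(self, ace: Ace) -> None:
        """Reject out-of-range or duplicate precedence values, as the controller UI does."""
        if not PRECEDENCE_MIN <= ace.precedence <= PRECEDENCE_MAX:
            raise ValueError(f"precedence {ace.precedence} outside {PRECEDENCE_MIN}-{PRECEDENCE_MAX}")
        if ace.precedence in self._aces:
            raise ValueError(f"precedence {ace.precedence} already used in ACL {self.name}")
        if ace.action not in ("permit", "deny"):
            raise ValueError(f"unknown action {ace.action!r}")
        self._aces[ace.precedence] = ace

    def ordered(self) -> List[Ace]:
        """ACEs in the order the controller applies them: ascending precedence."""
        return [self._aces[p] for p in sorted(self._aces)]

    def evaluate(self, src_ip: str, dst_ip: str, protocol: str) -> Tuple[str, Optional[int]]:
        """Return (action, precedence of the deciding ACE); (deny, None) if nothing matched."""
        for ace in self.ordered():
            if ace.matches(src_ip, dst_ip, protocol):
                return ace.action, ace.precedence
        return "deny", None


def rejects(acl: Acl, ace: Ace) -> bool:
    """True if the ACL refuses the entry (bad range, duplicate precedence, bad action)."""
    try:
        acl.add(ace)
        return False
    except ValueError:
        return True


def build_sample_acl() -> Acl:
    """Constructed sample ACL: a host exception, a UDP block, then a broad permit."""
    acl = Acl("guest-wlan")
    acl.add(Ace(20, "permit", "10.0.0.0/16", "0.0.0.0/0"))        # broad permit, checked last
    acl.add(Ace(10, "deny", "10.0.0.0/24", "0.0.0.0/0", "udp"))   # block UDP from one subnet
    acl.add(Ace(5, "permit", "10.0.0.7/32", "0.0.0.0/0"))         # host exception, checked first
    return acl


if __name__ == "__main__":
    acl = build_sample_acl()
    for src, proto in (("10.0.0.7", "udp"), ("10.0.0.9", "udp"),
                       ("10.0.0.9", "tcp"), ("192.0.2.1", "tcp")):
        print(src, proto, acl.evaluate(src, "198.51.100.10", proto))
```

The insertion order of the sample entries is deliberately not the precedence order, to show that the controller's evaluation order depends only on the precedence value, not on when an entry was added.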
4 Refer to the following information as displayed within the Attach-WLAN tab:
WLAN Index: Displays the list of WLANs attached with ACLs.
IP ACL: Displays the IP ACL configured.
MAC ACL: Displays the MAC ACL configured.
Direction: Displays whether the WLAN ACL is configured to work in an inbound or outbound direction.
5 Define a WLAN Index between 1 and 32.
6 Use the IP ACL drop-down menu to select an IP ACL for the WLAN.
7 Use the MAC ACL drop-down menu to select the MAC ACL for the WLAN interface.
8 Select either the Inbound or Outbound radio button to define which direction the ACL applies.
4 Refer to the following information as displayed within the Attach tab:
Interface: The controller interface the ACL is attached to. It can be one of the following:
• ge 1-8
• up 1
• vlan1 (or any additional VLANs that have been created)
IP ACL: Displays the IP ACL configured as the inbound IP ACL for the layer 2 or layer 3 interface.
4 Click the Add button.
5 Use the Interface drop-down menu to select the interface to configure on the controller. Available options include ge 1-8, up 1, VLAN 1 (plus those VLANs created thus far) and Tunnel n (where n equals the name(s) of those tunnels created thus far).
4 Refer to the following information as displayed within the Attach Role tab:
Sequence Number: Displays the priority assigned to the role as determined by the Role Priority associated with the role.
Role Name: Displays the role name assigned to each role. Role names are assigned in Security > Wireless Firewall...
4 Click the Add button.
5 Select a Role Name from the drop-down menu. Role Names can be added in the Configuration > Role tab.
6 Use the ACL drop-down menu to select an ACL to associate with the Role Name.
7 Select Inbound or Outbound to apply the new role to the appropriate interface.
Page 335
4 The Role configuration screen displays the following information:
Sequence Number: Displays the sequence number associated with each role. Sequence numbers determine the order in which roles are applied. Roles with lower sequence numbers are applied before those with higher sequence numbers. Sequence numbers are assigned when a role is created and cannot be edited.
Creating a New Role
To add a new role:
1 Select Security > Wireless Firewall from the main tree menu.
2 Click the Configuration tab.
3 Click the Role tab.
4 Click the Add button.
5 To create a new role, configure the following information:
Page 337
Sequence Number: Enter a sequence number to be associated with each role. Sequence numbers determine the order in which roles are applied. Roles with lower sequence numbers are applied before those with higher sequence numbers. Sequence numbers are assigned when a role is created and cannot be edited.
Encryption: Select an Encryption filter, if any, to apply to the role. Available Encryption filters are:
• Equals: The role is only applied when the Encryption type matches the exact Encryption method specified in the role.
• Not Equals...
Page 339
MU-ACL Index: Displays a numerical identifier used to associate a particular ACL to a range of MAC addresses (or a single MAC address) that are either allowed or denied access to the controller managed network.
Starting MAC: Displays the beginning MAC Address (for this specific Index) either allowed or denied access to the controller managed network.
Editing an Existing Wireless Filter
Use the Edit screen to modify the properties of an existing filter. This is recommended if an existing filter contains adequate device address information but the allow/deny permissions need to be changed, or if only minor changes are required to the starting and ending MAC addresses. If significant changes are required to a usable filter, consider creating a new one.
the same zone will have the same firewall policies applied to them. It should be set to an ID only if locationing is enabled; otherwise it should be set to not in use.
10 Use the drop-down menu to select Allow or Deny. This rule applies to MUs within the specified Starting and Ending MAC Address range.
network.
ACL Index: Enter a new Index to define a new MAC Address range and allow/deny designation.
6 Enter a hex value for the Starting MAC address. This is the beginning MAC address either allowed or denied access to the controller managed network.
6 Select the box to the right of each WLAN you want associated with the ACL. Selecting a WLAN maps it to the MAC address range and allow or deny designation assigned to it. Consequently, be sure you are not restricting MU traffic for a WLAN that requires those MAC addresses to interact with the controller.
Page 344
1 Select Security > Wireless Firewall from the main tree menu.
2 Select the Configuration tab.
3 Click the L2 tab.
4 The L2 tab contains the following information:
Interface Name: Displays the interface associated with the Layer 2 firewall. Available Layer 2 interfaces are ge 1-8 and up1.
Unknown Unicast Storm: Displays the Unknown Unicast Storm Threshold for each interface. When the rate of unknown unicast packets exceeds the high threshold configured for an interface, packets are throttled until the rate falls below the configured rate. Thresholds are configured in packets per second.
Broadcast Storm Threshold: Configure the Broadcast Storm Threshold for each interface. When the rate of broadcast packets exceeds the high threshold configured for an interface, packets are throttled until the rate falls below the configured rate. Thresholds are configured in packets per second. The threshold range is 1-1000000 packets per second.
Page 347
WLAN Index: Displays the WLAN index number. This number is configured on the wireless LAN configuration page.
Broadcast Storm Threshold: Displays the Broadcast Storm Threshold for each interface. When the rate of broadcast packets exceeds the high threshold configured for an interface, packets are throttled until the rate falls below the configured rate.
DHCP Trust: Displays whether the interface is DHCP trusted. If the interface is DHCP trusted, DHCP requests are forwarded to the external DHCP server; otherwise they are not. Internal DHCP servers are always trusted.
Page 349
5 To create a new WLAN Firewall rule, configure the following information:
WLAN Index: Select a WLAN index number from the drop-down menu. This number is configured on the wireless LAN configuration page.
Broadcast Storm Threshold: Enter the Broadcast Storm Threshold for each interface. When the rate of broadcast packets exceeds the high threshold configured for an interface,...
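The storm-threshold behaviour described for both the L2 firewall and the WLAN firewall screens (a per-interface threshold in packets per second, range 1-1000000, with packets throttled while the rate exceeds it) can be modelled as follows. This is an added Python example, not controller code; the one-second counting window, the throttle() function and the constructed packet timestamps are assumptions.

```python
"""Added example (not controller code): storm-threshold throttling per interface.

Models the guide's description: a Broadcast or Unknown Unicast Storm Threshold
is configured per interface in packets per second (range 1-1000000), and when
the packet rate exceeds the threshold the excess packets are throttled until
the rate falls back below the configured value.  Packets are bucketed into
whole seconds (assumption: a fixed one-second measuring window).
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

THRESHOLD_MIN, THRESHOLD_MAX = 1, 1_000_000  # packets per second, as stated in the guide


def is_valid_threshold(pps: int) -> bool:
    """True if the value is an integer inside the 1-1000000 pps range the UI accepts."""
    return isinstance(pps, int) and THRESHOLD_MIN <= pps <= THRESHOLD_MAX


def rate_per_second(timestamps: Iterable[float]) -> Dict[int, int]:
    """Count packets per whole-second bucket."""
    counts: Dict[int, int] = defaultdict(int)
    for t in timestamps:
        counts[int(t)] += 1
    return dict(counts)


def throttle(timestamps: Iterable[float], threshold: int) -> Tuple[int, int, List[int]]:
    """Apply the threshold to a packet stream.

    Returns (forwarded, throttled, storm_seconds): within each second the first
    `threshold` packets are forwarded and the remainder throttled; every second
    in which throttling happened is listed as a storm second.
    """
    if not is_valid_threshold(threshold):
        raise ValueError(f"storm threshold {threshold!r} is outside {THRESHOLD_MIN}-{THRESHOLD_MAX} pps")
    forwarded = throttled = 0
    storm_seconds: List[int] = []
    for second, count in sorted(rate_per_second(timestamps).items()):
        forwarded += min(count, threshold)
        if count > threshold:
            throttled += count - threshold
            storm_seconds.append(second)
    return forwarded, throttled, storm_seconds


def broadcast_storm_sample() -> List[float]:
    """Constructed broadcast timestamps: 50 pps, with a 500-packet burst in second 2."""
    sample: List[float] = []
    for second in range(4):
        n = 500 if second == 2 else 50
        sample.extend(second + i / n for i in range(n))  # i/n < 1, so each packet stays in its second
    return sample


if __name__ == "__main__":
    print(throttle(broadcast_storm_sample(), 100))
```

With a threshold of 100 pps the burst second forwards only its first 100 packets and drops the other 400, while the quiet seconds pass untouched; raising the threshold to the maximum lets the whole stream through, which is the trade-off the Threshold field controls.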
DHCP Trust: Displays whether the interface is DHCP trusted. If the interface is DHCP trusted, DHCP requests are forwarded to the external DHCP server; otherwise they are not. Internal DHCP servers are always trusted.
Page 351
Type: Displays the Denial of Service attack type. The controller currently supports enabling or disabling 28 types of DoS attack filters.
Check Enabled: This field shows a green checkmark next to the Denial of Service Attack filters that are enabled on the controller firewall. When a DoS Attack filter is disabled, a red “X”...
9 To clear statistics for Denial of Service Attacks, click the Clear button. This resets all Attack Counts to 0 and all Last Occurrence times to 0:00:00.00.
10 Click the Apply button to save the changes made within the DoS Attack screen.
11 Click the Revert button to cancel any changes made within the DoS Attack screen and revert back to the last saved configuration.
ARP Log: The ARP Log field displays the level of Syslog logging enabled for excessive ARP on an interface. The logging level uses the standard Syslog levels:
• Emergency
• Alert
• Critical
• Error
• Warning
• Notice
• Info
•...
Page 354
4 Refer to the following information as displayed within the Statistics tab:
Interface: Displays the physical/virtual interfaces used to add the ACL association to the controller.
Action: Displays the permit, deny or mark designation for the ACL. If the action is to mark, the packet is tagged for priority.
Viewing DHCP Snoop Entry Statistics
To review DHCP Snoop Entry statistics:
1 Select Security > Wireless Firewall from the main menu tree.
2 Click the Statistics tab.
3 Select the DHCP Snoop Entry tab.
4 Refer to the following information as displayed within the DHCP Snoop Entry tab:
Displays the DHCP Client IP Address for each entry.
Ingress Source: Displays the MU port number for each entry in the table.
Viewing Role Based Firewall Statistics
The Role Based Firewall statistics information displays a list of mobile units associated with each role name. To review Role Based Firewall statistics:
1 Select Security >...
network addresses to one or more public IP addresses. For example, when an administrator wants to allow individuals on the WAN side access to a particular FTP or Web server located on one of the LAN subnets but does not want to permit any other access, NAT is the appropriate solution. Using NAT, a user can mark one or more interfaces as inside or outside.
Page 358
3 Refer to the following information as displayed within the Dynamic Translation tab.
Type: Displays the NAT type as either:
• Inside - Applies NAT on packets arriving on interfaces marked as inside. These interfaces should be private networks not accessible from outside (public) networks.
4 Select an existing NAT configuration and click the Edit button to modify the settings of this existing NAT configuration. The fields within the Edit screen are similar to those displayed when adding a new NAT configuration.
5 Select an existing NAT configuration and click the Delete button to remove it from the list of available configurations.
changed back to the specific internal private class IP address in order to reach the LAN over the controller managed network.
6 Use the Access List drop-down menu to select the list of addresses used during NAT translation. These addresses (once translated) will not be exposed to the outside world when the translation address is used to interact with the remote destination.
7 Use the Interface drop-down menu to select the VLAN used as the communication medium between...
Page 361
3 Refer to the following information as displayed within the Static Translation tab.
Type: Displays the NAT type as either:
• Inside - The set of networks subject to translation. These are the internal addresses you are trying to prevent from being exposed to the outside world.
NATed Address: Modifies the IP address of the matching packet to the specified value. The IP address modified can be either source or destination, based on the direction specified.
Global Port: Modifies the port number of the matching packet to the specified value. This option is valid only if the direction specified is destination.
● Inside - The set of networks subject to translation. These are the internal addresses you are trying to prevent from being exposed to the outside world.
● Outside - All other addresses (usually valid addresses located on the Internet). Outside addresses...
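To make the Static Translation fields concrete (Direction selecting the packet field, NATed Address as the replacement, Global Port valid only for the destination direction) together with the WAN-side access to a single inside server mentioned at the start of the NAT discussion, here is an added Python model. It is not controller code; StaticRule, Packet, the first-match behaviour and the 192.168.1.10 / 203.0.113.10 addresses are constructed assumptions.

```python
"""Added example (not controller code): static NAT translation entries.

Models the fields described for the Static Translation screen: a rule matches a
packet address, the Direction (source or destination) names the packet field
that is matched and rewritten, NATed Address is the replacement address, and
Global Port replaces the port and is valid only for the destination direction.
Addresses and ports below are constructed sample values.
"""
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class StaticRule:
    match_address: str                 # packet address that selects this rule
    direction: str                     # "source" or "destination"
    nated_address: str                 # replacement for the matched address
    global_port: Optional[int] = None  # replacement port; destination direction only

    def __post_init__(self) -> None:
        if self.direction not in ("source", "destination"):
            raise ValueError(f"direction must be source or destination, got {self.direction!r}")
        if self.global_port is not None and self.direction != "destination":
            raise ValueError("Global Port is valid only when the direction is destination")


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def apply_static_nat(packet: Packet, rules: List[StaticRule]) -> Packet:
    """Rewrite the packet with the first matching rule; unmatched packets pass unchanged."""
    for rule in rules:
        if rule.direction == "source" and packet.src_ip == rule.match_address:
            return replace(packet, src_ip=rule.nated_address)
        if rule.direction == "destination" and packet.dst_ip == rule.match_address:
            new_port = packet.dst_port if rule.global_port is None else rule.global_port
            return replace(packet, dst_ip=rule.nated_address, dst_port=new_port)
    return packet


def rule_is_accepted(match_address: str, direction: str, nated_address: str,
                     global_port: Optional[int] = None) -> bool:
    """True if the rule passes the same validation the UI applies to the Global Port field."""
    try:
        StaticRule(match_address, direction, nated_address, global_port)
        return True
    except ValueError:
        return False


def sample_rules() -> List[StaticRule]:
    """Constructed rules publishing an inside web server (192.168.1.10) as 203.0.113.10.

    Outbound traffic from the server has its source rewritten to the public
    address; inbound traffic to the public address on port 8080 is delivered to
    the private address on port 80 (the WAN-to-LAN-server case from the guide).
    """
    return [
        StaticRule("192.168.1.10", "source", "203.0.113.10"),
        StaticRule("203.0.113.10", "destination", "192.168.1.10", global_port=80),
    ]


if __name__ == "__main__":
    rules = sample_rules()
    print(apply_static_nat(Packet("192.168.1.10", 40000, "198.51.100.5", 443), rules))
    print(apply_static_nat(Packet("198.51.100.5", 5000, "203.0.113.10", 8080), rules))
```

Only the published server is reachable from the outside: a packet aimed at any other public address matches no destination rule and is left untranslated, which is the "does not want to permit any other access" property the section describes.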
Page 364
3 Refer to the following information as displayed within the Interface tab:
Interface: Displays the VLAN used as the inside or outside NAT type. All defined VLANs are available from the drop-down menu for use as the interface.
Type: Displays the NAT type as either:
Inside...
b Use the Interface drop-down menu to select the VLAN used as the communication medium between the controller managed network and its destination (within the insecure outside world).
c Use the Type drop-down menu to specify the Inside or Outside designation as follows:
Inside - The set of controller-managed networks subject to translation.
3 Refer to the following to assess the validity and total NAT translation configurations available to the controller.
Inside-Global: Displays the internal global pool of addresses (allocated out of the controller’s private address space but relevant to the outside) you are trying to prevent from being exposed to the outside world.
● Viewing SA Statistics
NOTE By default, the IKE feature is enabled. Extreme Networks does not support disabling the IKE server.
NOTE The default isakmp policy will not be picked up for IKE negotiation if another crypto isakmp policy is created. For the default isakmp policy to be picked up for AP adoption, you must first create the default isakmp policy as a new policy with default parameters.
Page 368
During IKE negotiations, peers must identify themselves to one another. Thus, the configuration you define is the identification medium for device recognition.
3 Set a Keep Alive interval (in seconds) the controller uses to monitor the continued presence of a peer and to report the client's continued presence.
9 If the properties of an existing peer IP address, key and aggressive mode designation are no longer relevant and cannot be edited, click the Add button to create a new pre-shared key.
a Select the Peer IP Address checkbox to associate an IP address with the specific tunnel used by a group of peers, select the Distinguished Name checkbox to configure the controller to restrict access to those peers with the same distinguished name, or select the Hostname checkbox to allow shared-key messages between corresponding hostnames.
Page 370
its policies to the remote peer. The remote peer searches for a match with its own policies using the defined priority scheme. An IKE policy matches when both peers have the same encryption, hash, authentication and Diffie-Hellman settings. The SA lifetime must also be less than or equal to the lifetime in the policy sent. If the lifetimes do not match, the shorter lifetime applies.
Page 371
SA Lifetime (sec.) - Displays an integer for the SA lifetime. The default is 60 seconds. With longer lifetimes, security defines future IPSec security associations quickly. Encryption strength is great enough to ensure security without using fast rekey times. Extreme Networks recommends using the default value.
Diffie-Hellman - Displays the Diffie-Hellman (DH) group identifier.
Page 372
6 If the properties of an existing policy are no longer relevant and cannot be edited to be useful, click the Add button to define a new policy. a Configure a set of attributes for the new IKE policy: Define the sequence number for the IKE policy.
IPSec security associations quickly. Encryption strength is great enough to ensure security without using fast rekey times. Extreme Networks recommends using the default value.
DH Group - Set the Diffie-Hellman group identifier. IPSec peers use the defined value to derive a shared secret without transmitting it to one another.
Security associations are unidirectional and established per security protocol. To configure IPSec security associations, Extreme Networks uses the Crypto Map entries. Crypto Map entries created for IPSec pull together the various parts used to set up IPSec security associations.
security parameters in the Crypto Maps at both peers, allows you to specify a lifetime for the IPSec security association, allows encryption keys to change during IPSec sessions and permits Certification Authority (CA) support for a manageable, scalable IPSec implementation. If you do not want IKE with your IPSec implementation, disable it for IPSec peers.
Page 376
1 Select Security > IPSec VPN from the main menu tree. 2 Click the Configuration tab. 3 Refer to the Configuration field to define the following:
SA Lifetime (secs) - For IKE based security associations, define a SA Lifetime (in seconds) forcing the periodic expiration and re-negotiation of peer credentials.
ESP Encryption Scheme - Displays the ESP Encryption Transform used with the index. Options include:
• None - No ESP encryption is used with the transform set.
• ESP-DES - ESP with the 56-bit DES encryption algorithm.
• ESP-3DES - ESP with 3DES.
• ESP-AES - ESP with AES...
Page 378
4 Revise the following information as required to render the existing transform set useful.
Name - The name is read-only and cannot be modified unless a new transform set is created.
Use AH / AH Authentication Scheme - Select the checkbox (if necessary) to modify the AH Transform Authentication scheme.
Mode - Modify (if necessary) the current mode used with the transform set. The mode is either Tunnel or Transport.
5 Refer to the Status field for the state of the requests made from the applet. This field displays error messages if something goes wrong in the transaction between the applet and the controller. 6 Click OK to apply the changes to the running configuration and close the dialog.
Use AH / AH Authentication Scheme - Select the checkbox to define the AH Transform Authentication scheme. Options include:
• None - No AH authentication is used.
• AH-MD5-HMAC - AH with the MD5 (HMAC variant) authentication algorithm.
• AH-SHA-HMAC - AH with the SHA (HMAC variant) authentication algorithm.
Page 381
3 Refer to the Configuration field to define the following:
DNS Server - Enter the numerical IP address of the DNS Server used to route DNS Server information to the remote destination of the IPSec VPN.
WINS Server - Enter the numerical IP address of the WINS Server used to route WINS Server information to the remote destination of the IPSec VPN.
7 To add a new range of IP addresses, click the Add button (within the IP Range tab) and define the range in the fields provided. Click OK when completed to save the changes. 8 Click Cancel to disregard the changes and revert to the last saved configuration.
Configuring IPSEC VPN Authentication
If IKE is not used for establishing security associations, there is no negotiation of security associations.
Page 383
6 Select an existing Radius Server and click the Edit button to modify its designation as a primary or secondary Radius Server, IP address, port, NAS ID and shared secret password. Extreme Networks recommends only modifying an existing Radius Server when its current configuration is no longer viable for providing user authentication. Otherwise, define a new Radius Server.
7 Select an existing server and click the Delete button to remove it from the list of available Radius Servers. Only delete a server if its configuration does not provide a valid authentication medium. 8 If you require a new Radius Server be configured, click the Add button. Set this server’s designation as a primary or secondary Radius Server (using the checkboxes), define the server IP address, port and shared secret password.
Crypto Map Entries on page 385 ●
Crypto Map Peers on page 387 ●
Crypto Map Manual SAs on page 389 ●
Crypto Map Transform Sets on page 392 ●
Crypto Map Interfaces on page 393 ●
Crypto Map Entries
To review, revise or add Crypto Map entries: 1 Select Security >...
Page 386
SA Lifetime (Kb) - Causes the security association to time out after the specified amount of traffic (in kilobytes) has passed through the IPSec tunnel (using the security association).
ACL ID - Displays the name of the ACL ID used for each Crypto Map.
Number of Interfaces - Displays the number of interfaces each specific Crypto Map is used with.
c Use the None, Domain Name or Host Name radio buttons to select and enter the fully qualified domain name (FQDN) or host name of the host exchanging identity information. d Define a SA Lifetime (secs) to define an interval (in seconds) that (when expired) forces a new association negotiation.
Page 388
3 Refer to the read-only information displayed within the Peers tab to determine whether a peer configuration (among those listed) requires modification or a new peer requires creation.
Priority / Seq # - Displays each peer’s Seq # (sequence number) to distinguish one from the other.
a Define the Seq # /Name for the new peer. b Enter the name of the IKE Peer used with the Crypto Map to build an IPSec security association. 7 Click OK to save the configuration of the new Crypto Map peer. Crypto Map Manual SAs To review, revise or add a Crypto Map using a manually defined security association: 1 Select Security >...
Page 390
3 Refer to the read-only information displayed within the Manual SAs tab to determine whether a Crypto Map (with a manually defined security association) requires modification or if a new one requires creation.
Priority / Seq # - Displays the Seq # (sequence number) used to determine priority. The lower the number, the higher the priority.
Page 391
a Define the Seq #. The sequence number determines priority among Crypto Maps. The lower the number, the higher the priority. b Provide a unique Name for this Crypto Map to differentiate it from others with similar configurations. c Enter the name of the IKE Peer used to build an IPSec security association. d Use the ACL ID drop-down menu to permit a Crypto Map data flow using the unique permissions within the selected ACL.
Crypto Map Transform Sets
A transform set is a combination of security protocols and algorithms defining how the controller protects data. To review, revise or add a Crypto Map transform set: 1 Select Security > IPSec VPN from the main menu tree. 2 Click the Crypto Maps tab and select Transform Sets.
a Select the Seq #/Name. b Enter the name of the Transform set used with the Crypto Map. 7 Click OK when completed to save the configuration of the Crypto Map transform set.
Crypto Map Interfaces
To review the interfaces currently available to the Crypto Maps or assign an interface: NOTE A Crypto Map cannot be applied to more than one interface at a time.
3 Refer to the following read-only information displayed within the Interfaces tab.
Name - Lists the name of the Crypto Maps available for the interface.
Interface Name - Displays the name of the interface through which IPSec traffic flows.
Applying the Crypto Map set to an interface instructs the controller to evaluate all the interface's traffic against the Crypto Map set and to use the specified policy during connection or security association negotiation on behalf of traffic protected by crypto (either CET or IPSec).
Page 395
1 Select Security > IPSec VPN from the main menu tree. 2 Click the IPSec SAs tab. 3 Refer to the following security association data:
Index - Displays the numerical (if defined) ID for the security association. Use the index to differentiate this security association from others with similar configurations.
Viewing Radius Accounting Logs ● NOTE For hotspot deployment, Extreme Networks recommends using the controller’s internal Radius server and built-in user database. This is the easiest setup option and offers a high degree of security and accountability. Radius Overview Radius enables centralized management of controller authentication data (usernames and passwords).
Page 397
The controller’s local Radius server stores the authentication data locally, but can also be configured to use a remote user database. A Radius server as the centralized authentication server is an excellent choice for performing accounting. Radius can significantly increase security by centralizing password management. NOTE The controller can be configured to use its own local Radius server or an external Radius server you define and...
User Database
User group names and associated users (in each group) can be created in the local database. The User ID in the received access request is mapped to the associated wireless group for authentication. The controller supports the creation of 500 users and 100 groups within its local database. Each group can have a maximum of 500 users.
No secondary authentication source is specified. However, Extreme Networks recommends using an external Radius Server as the primary authentication source and the local controller Radius Server as the secondary user authentication source. For information on configuring an external Radius Server, see “Configuring External Radius Server Support”...
3 Click the Start the RADIUS server link to use the controller’s own Radius server to authenticate users accessing the controller managed network. Again, this is recommended as the secondary means of authenticating users. 4 Set a Timeout interval (between 5 and 10 seconds) to define how long the controller waits for a reply to a Radius request before retransmitting the request.
a Specify the IP Address/Mask of the subnet or host authenticating with the Radius client. b Specify a Radius Shared Secret for authenticating the RADIUS client. Shared secrets are used to verify that Radius messages (with the exception of the Access-Request message) are sent by a Radius-enabled device configured with the same shared secret. The shared secret is a case-sensitive string that can include letters, numbers, or symbols.
a Create a new Realm Name as an abbreviation to differentiate the configuration from others with similar attributes. b Specify the IP Address of the new Radius proxy server. c Enter the TCP/IP Port Number used by the proxy Radius server. d Specify a Radius Shared Secret for authenticating the Radius client.
Page 403
3 Refer to the Authentication field to define the following Radius authentication information:
EAP and Auth Type - Specify the EAP type for the Radius server.
• PEAP uses a TLS layer on top of EAP as a carrier for other EAP modules.
CA Cert Trustpoint - Click the View/Change button to specify the CA certificate trustpoint from which the Radius server automatically grants certificate enrollment requests. A trustpoint is a representation of a CA or identity pair. A trustpoint contains the identity of the CA, CA-specific configuration parameters, and an association with one enrolled identity certificate.
Page 405
3 Refer to the following to assess whether an existing user can be used with the local Radius server as is, requires modification or if a new user is required.
User ID - Displays the username for this specific user. The name assigned should reflect the user’s identity and perhaps their status within the controller managed network (guest versus secure user).
Page 406
CAUTION If password encryption is not enabled, Radius user passwords are stored in the running configuration file in clear text. The user passwords are shown as encrypted if the global password encryption is enabled. The maximum for the file is 5000 users, 100 groups, 25 clients, 5 realms and 2 LDAP servers.
User ID - Define a unique user ID that differentiates this user from others with similar attributes.
a Refer to the Status field for the current state of the requests made from the applet. This field displays error messages if something goes wrong in the transaction between the applet and the controller. b Click OK to apply the changes to the running configuration and close the dialog. c Click Cancel to close the dialog without committing updates to the running configuration.
Configuring Radius User Groups
The Groups tab displays a list of all groups in the local Radius server's database.
Page 408
3 Refer to the user groups listed to review the following read-only attributes for each group:
Name - Displays the unique name assigned to each group. The group name should be indicative of the user population within and their shared activity within the controller managed network.
Page 409
5 Refer to the Time of access in days field to assess the intervals (which days) the group has been assigned access to the controller managed network (after each user has been authenticated). At least one day is required. This value is read-only within the Groups tab. Click Edit to modify the access assignments of an existing group or click Add to create a new group with unique access assignments.
Modify the existing group’s guest designation, VLAN ID, access period(s) and WLAN assignment(s). 7 If an existing group is no longer needed (perhaps obsolete in function), select the group and click the Delete button to permanently remove the group from the list. The group can only be removed if all the users in the group are removed first.
NOTE Refer to the following information as displayed within the Accounting Logs tab.
Filename - Displays the name of each accounting log file. Use this information to differentiate files with similar attributes.
Type - Displays the type of each file.
Displays the size of the file.
upload an external certificate ●
delete a server certificate and/or root certificate of a trustpoint ●
create a new key ●
upload/download keys to and from the controller to and from a server or local disk ●
delete all the keys in the controller. ●...
Organizational Unit - If a unit exists within the organization that is representative of the certificate issuer, that name should be displayed here.
Common Name - If there is a common name (IP address) for the organizational unit issuing the certificate, it displays here.
Validity - Displays the date the certificate was originally issued.
Page 414
For more information, see “Using the Wizard to Create a New Certificate” on page 414. 5 Select the Upload an external certificate radio button to upload an existing Server Certificate or CA Root Certificate. For more information, see “Using the Wizard Delete Operation”...
Page 415
Generate a self signed certificate — Configure the properties of a new self-signed certificate. Once the values of the certificate are defined, the user can create and install the certificate. ●
Prepare a certificate request to send to a Certificate Authority — Configure and save a valid certificate ●...
Page 416
Organization - Define an Organization for the organization used in the Self-Signed Certificate. By default, it is Extreme Networks, Inc. The user is allowed to modify the Organization name. This is a required field. Summit WM3000 Series Controller System Reference Guide...
Page 417
Organization Unit - Enter an Org. Unit for the name of the organization unit used in the Self-Signed Certificate. By default, it is VPG. This is a required field.
Email Address - Provide an email address used as the contact address for issues relating to this certificate request.
Page 418
Local Disk / Server - Use the field to define whether the target certificate is to be sent to the system's local disk (Local Disk) or to an external server (Server).
File - Specify a filename for the certificate to be saved as on the target server or local disk.
2 Select and use the Delete trustpoint and all certificates inside it drop-down menu to define the target trustpoint for removal. 3 Select and use the Remove certificates from this trustpoint drop-down menu to define the trustpoint that will have either its Server Certificate or CA Root Certificate removed. 4 Click the Next button to proceed and complete the trustpoint removal.
The Keys tab displays the following:
Key Name - Displays the name of the key pair generated separately, or automatically when selecting a certificate. Specify the option within the wizard.
Key Size (Bytes) - Displays the size of the desired key. If not specified, a default key size of 1024 bytes is used.
4 Enter a Key Label in the space provided to specify a name for the new key pair. 5 Define the Key Size between 1024 and 2048 bytes. 6 Refer to the Status field for the current state of the requests made from the applet. This field displays error messages if something goes wrong in the transaction between the applet and the controller.
Page 422
4 Use the From drop-down menu to specify the location from which the log file is sent. If only the applet is available as a transfer location, use the default controller option. 5 Select a target file for the file transfer from the File drop-down menu. The drop-down menu contains the log files listed within the Server Certificate screen.
Controller Management
This chapter describes the Management Access main menu items used to configure the controller. This chapter consists of the following controller management activities:
Displaying the Management Access Interface on page 423 ●
Configuring Access Control on page 424 ●...
NOTE The Apply and Revert functions are greyed out within the Management Access screen, as this screen has no configurable parameters for the user to update and save.
Configuring Access Control
Refer to the Access Control screen to allow/deny management access to the controller using the different protocols (HTTP, HTTPS, Telnet, SSH or SNMP) available to users.
Page 425
Enable Telnet - Select this checkbox to allow the controller to use a Telnet session for communicating over the network. This setting is enabled by default.
Port - Define the port number used for the Telnet session with the controller. This field is enabled as long as the Enable Telnet option remains enabled.
3 Click the Apply button to save changes made to the screen since the last saved configuration. 4 Click the Revert button to revert the screen back to its last saved configuration. Changes made since the contents of the screen were last applied are discarded.
Configuring SNMP Access
Use the SNMP Access menu to view and configure existing SNMP v1/v2 and SNMP v3 values and their current access control settings.
1 Select Management Access > SNMP Access > v1/v2 from the main menu tree. 2 Refer to the Community Name and Access Control parameters for the following information:
Community Name - Displays the read-only or read-write name used to associate a site-appropriate name for the community.
1 Select Management Access > SNMP Access > v1/v2 from the main menu tree. 2 Select an existing Community Name from those listed and click the Edit button. 3 Modify the Community Name used to associate a site-appropriate name for the community. The name revised from the original entry is required to match the name used within the remote network management software.
Page 429
3 Refer to the fields within the V3 screen for the following information:
User Name - Displays a read-only SNMP v3 username of operator or Admin. An operator typically has an Access Control of read-only and an Admin typically has an Access Control of read/write.
Displays a...
Editing a SNMP v3 Authentication and Privacy Password
The Edit screen enables the user to modify the password required to change the authentication keys. Updating the password requires logging off of the system. Updating the existing password creates new authentication and encryption keys.
1 Select Management Access > SNMP Access from the main menu tree. 2 Select the Message Parameters tab from within the SNMP Access screen. 3 Define the following values as required to define how SNMP Access messages are received:
Retries - Define the number of times the controller polls for SNMP values before giving up. The default retry value is 3.
Page 432
3 Refer to the following read-only statistics displayed within the SNMP Access Statistics screen:
V2/V3 Metrics - Displays the individual SNMP Access events capable of having a value tracked for them. The metrics range from general SNMP events (such as the number of SNMP packets in and out) to specific error types that can be used for troubleshooting SNMP events (such as Bad Value and Read-Only errors).
Configuring SNMP Traps
Use the SNMP Trap Configuration screen to enable or disable individual traps or functional trap groups. It is also used for modifying the existing threshold condition values for individual trap descriptions. Refer to the tabs within the SNMP Trap Configuration screen to conduct the following configuration activities:
Enabling Trap Configuration ●...
Page 434
4 Select an individual trap, by expanding the node in the tree view, to view a high-level description of this specific trap within the Trap Description field. You can also select a trap family category heading (such as "Redundancy" or "NSM") to view a high-level description of the traps within that trap category.
6 Highlight a specific trap and click the Enable Trap button to enable this specific trap as an active SNMP trap. The items previously disabled (with an "X" to the left) now display with a check to the left of them. 7 Highlight a specific trap and click the Disable Trap button to disable the item as an active SNMP trap.
3 Check the Enable SMTP box to enable the outgoing mail server on the controller. In order to use E-mail notification on the controller, this box must be checked. Configure the SMTP mail server properties as follows: Enter the hostname of your outgoing SMTP mail server.
Page 437
3 Refer to the following information for threshold descriptions, conditions, editable threshold values and units of measurement.
Threshold Name (Description) - Displays the target metric for the data displayed to the right of the item. It defines the performance criteria used as a target for trap configuration.
Threshold Conditions - Displays the criteria used for generating a trap for the specific event.
Unit of Threshold Values - Displays the measurement value used to define whether a threshold value has been exceeded. Typical values include Mbps, retries and %. For information on specific values, see “Wireless Trap Threshold Values” on page 438.
4 Select a threshold and click the Edit button to display a screen wherein threshold settings for the MU, AP and WLAN can be modified.
Wireless trap threshold values (table columns: Threshold Name, Condition, Station Range, Radio Range, WLAN Range, Wireless Controller Range, Units):
Non Unicast Packets - Condition: Greater than. Station Range, Radio Range and WLAN Range: a decimal number greater than 0.00 and less than or equal...
Page 440
1 Select Management Access > SNMP Trap Receivers from the main menu tree. 2 Refer to the following SNMP trap receiver data to assess whether modifications are required.
Destination Address - Defines the numerical (non DNS name) destination IP address for receiving traps sent by the SNMP agent.
Editing SNMP Trap Receivers Use the Edit screen to modify the trap receiver’s IP Address, Port Number and v2c or v3 designation. Consider adding a new receiver before editing an existing one or risk overwriting a valid receiver. Edit existing destination trap receivers as required to suit the various traps enabled and their function in supporting the controller managed network.
3 Create a new (non DNS name) destination IP Address for the new trap receiver to be used for receiving the traps sent by the SNMP agent. 4 Define a Port Number for the trap receiver. 5 Use the Protocol Options drop-down menu to specify the trap receiver as either a SNMP v2c or v3 receiver.
1 Select Management Access > Users from the main menu tree. 2 Click the Local Users tab. The Local User window consists of 2 fields: Users – Displays the users currently authorized to use the controller. By default, the controller has ●...
Page 444
3 Enter the login name for the user in the Username field. Ensure this name is practical and identifiable to the user. 4 Enter the authentication password for the new user in the Password field and reconfirm it in the Confirm Password field.
Super User - Select to assign complete administrative rights.
NOTE There are some basic operations/CLI commands (exit, logout and help) available to all user roles. All the roles except Monitor can perform Help Desk role operations.
6 Select the access modes to assign to the new user from the options provided in the Access Modes panel.
Page 446
Monitor - If necessary, modify user permissions without any administrative rights. The Monitor option provides read-only permissions.
Help Desk Manager - Optionally assign this role to someone who typically troubleshoots and debugs problems reported by the customer. The Help Desk Manager typically runs troubleshooting utilities (like a sniffer), executes service commands, views/retrieves logs and reboots the controller.
Creating a Guest Admin and Guest User Optionally, create a guest administrator for creating guest users with specific usernames, start and expiry times and passwords. Each guest user can be assigned access to specific user groups to ensure they are limited to just the group information they need, and nothing additional. NOTE A guest user added from controller Web UI will be 5 minutes ahead of the controller's current time.
NOTE To create guest users, a guest administrator must be assigned a WebUser Administrator access mode. None of the other modes launch the required Guest User Configuration screen upon login. When the guest-admin user logs in, they are redirected to a Guest User Configuration screen, wherein start and end user permissions can be defined in respect to specific users.
Page 449
3 Refer to the Authentication methods field for the following:
Preferred Method - Select the preferred method for authentication. Options include:
• None - No authentication
• Local - The user employs a local user authentication resource. This is the default setting.
• Radius...
Shared secret - Displays the shared secret used to verify that Radius messages (with the exception of the Access-Request message) are sent by a Radius-enabled device configured with the same shared secret. The shared secret is a case-sensitive string (password) that can include letters, numbers, or symbols.
Page 451
4 Modify the following Radius Server attributes as necessary:
Radius Server Index - Displays the read-only numerical value for the Radius Server to help distinguish this server from other servers with a similar configuration (if necessary). This is not an editable value.
Modify the IP address of the external Radius Server (if necessary).
Adding an External Radius Server
The attributes of a new Radius Server can be defined by the controller to provide a new user authentication server. Once the server is configured and added, it displays within the Authentication tab as an option available to the controller.
When using an external Radius Server with the controller, ensure the following values are configured on your server to ensure maximum compatibility with the controller: the Vendor ID and the Radius VSAs. There are two Radius VSAs used for management user authentication.
Vendor ID - The Extreme Networks vendor ID is 1916.
VSA Name | Attribute Number | Type...
Page 454
Other VSAs include the following attributes:
VSA Name | Attribute Number | Type | Values
Extreme-Current-SSID | | String | Extreme
Extreme-Wlan-Index | 4 | String | Extreme
Guest-User-Expiry-Date-Time | | String | Extreme
Guest-User-Start-Date-Time | | String | Extreme
Extreme-Downlink-Limit-Kbps | | Integer | Extreme
Extreme-Uplink-Limit-Kbps | | Integer | Extreme
Extreme-User-Group | 12 | String | Extreme
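Serving both the shared-secret description above (Radius messages other than Access-Request are verified with the shared secret) and the VSA table, the following is an added Python example, not code from the guide or from Extreme Networks. It encodes the Extreme VSAs the table does give numbers for (vendor ID 1916, Extreme-Wlan-Index 4, Extreme-User-Group 12) into an Access-Accept, then checks that packet's Response Authenticator against the shared secret as RFC 2865 defines it; the secret, identifier and attribute values are constructed sample data.

```python
import hashlib
import hmac
import struct

# Values taken from the guide's VSA table.
EXTREME_VENDOR_ID = 1916
VSA_WLAN_INDEX = 4        # Extreme-Wlan-Index (String)
VSA_USER_GROUP = 12       # Extreme-User-Group (String)

# Standard RFC 2865 values (not from the guide).
ATTR_VENDOR_SPECIFIC = 26
CODE_ACCESS_ACCEPT = 2


def encode_vsa(vendor_id, vendor_type, value):
    """Build one Vendor-Specific attribute (RFC 2865 section 5.26):
    Type=26, Length, Vendor-Id, then vendor-type, vendor-length, value."""
    if isinstance(value, str):
        value = value.encode()
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + sub
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def build_response(code, ident, request_auth, attrs, secret):
    """Assemble a RADIUS response whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet, request_auth, secret):
    """Check a response against the shared secret. This is the check the
    guide refers to: every message except Access-Request can be verified
    this way, because an Access-Request carries a random authenticator
    rather than one derived from the secret."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        return False
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(attrs):
    """Split a RADIUS attribute list into (type, value) pairs, rejecting
    malformed lengths instead of reading past the buffer."""
    out, pos = [], 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("bad attribute length")
        out.append((atype, attrs[pos + 2:pos + alen]))
        pos += alen
    return out


def extreme_vsas(attrs):
    """Return {vendor_type: value} for every Extreme (1916) VSA found.
    Other vendors' VSAs are ignored; malformed sub-attributes raise."""
    found = {}
    for atype, value in parse_attributes(attrs):
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != EXTREME_VENDOR_ID:
            continue
        pos = 4                      # one VSA may hold several sub-attributes
        while pos < len(value):
            if pos + 2 > len(value):
                raise ValueError("truncated vendor sub-attribute")
            vtype, vlen = value[pos], value[pos + 1]
            if vlen < 2 or pos + vlen > len(value):
                raise ValueError("bad vendor sub-attribute length")
            found[vtype] = value[pos + 2:pos + vlen]
            pos += vlen
    return found


def demo():
    """Constructed sample exchange: the server answers an Access-Request
    (identifier 7) with an Access-Accept carrying two Extreme VSAs."""
    secret = b"constructed-shared-secret"        # constructed sample value
    request_auth = bytes(range(16))             # random in real traffic
    attrs = (encode_vsa(EXTREME_VENDOR_ID, VSA_WLAN_INDEX, "1")
             + encode_vsa(EXTREME_VENDOR_ID, VSA_USER_GROUP, "guests"))
    packet = build_response(CODE_ACCESS_ACCEPT, 7, request_auth, attrs, secret)
    valid = verify_response(packet, request_auth, secret)
    forged = verify_response(packet, request_auth, b"wrong-secret")
    vsas = extreme_vsas(packet[20:]) if valid else {}
    return valid, forged, vsas


if __name__ == "__main__":
    print(demo())   # (True, False, {4: b'1', 12: b'guests'})
```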
The Extreme Networks wireless LAN controller management software is a recommended utility to plan the deployment of the controller and view its configuration once operational. Extreme Networks WMS can help optimize the positioning and configuration of a controller and assist in the troubleshooting of performance issues as they are encountered in the field.
Page 456
Diagnostics
1 Select Diagnostics from the main tree menu. 2 Select the Environment tab (opened by default). 3 The Environment displays the following fields:
Settings ●
Temperature Sensors ●
Fans ●
4 In the Settings field, select the Enable Diagnostics checkbox to enable/disable diagnostics and set the monitoring interval.
NOTE A Summit WM3700 Controller has six sensors. 6 Refer to the Fans field to monitor the CPU and system fan speeds. 7 Click the Apply button to commit and apply the changes. 8 Click the Revert button to revert back to the last saved configuration. CPU Performance Use the CPU tab to view and define the CPU’s load statistics.
5 The CPU Usage field displays real time CPU consumption values. Use this information to periodically determine if performance is negatively impacted by the over usage of controller CPU resources. If CPU usage is substantial during periods of low network activity, then the situation may require troubleshooting.
Name - The name of the buffer.
Usage - The buffer's current usage.
Limit - The buffer limit.
6 Click the Apply button to commit and apply the changes. 7 Click the Revert button to revert back to the last saved configuration.
Controller Disk Allocation
The Disk tab contains parameters related to the various disk partitions on the controller.
Controller Memory

Processes
The Processes tab displays the number of processes in use and the percentage of the memory usage limit per process.
1 Select Diagnostics from the main tree menu.
2 Select the Processes tab.
3 The Processes tab has two fields:
● General...
1 Select Diagnostics from the main tree menu.
2 Select the Other Resources tab. Keep the Cache allocation in line with the cache expectations of the controller managed network.
3 Define the maximum limit for each resource according to how you expect these resources to be used within the controller managed network.
To view the Log options available to the controller:
1 Select Diagnostics > System Logging from the main menu tree.
2 Select the Log Options tab.
3 Select the Enable Logging Module checkbox to enable the controller to log system events to a user defined log file or a syslog server.
d Optionally, use the Server 3 parameter to specify the numerical (non DNS name) IP address of a third syslog server to log system events if the first two syslog servers are unavailable.
NOTE 255.255.255.255 is accepted as a valid entry for the IP address of a logging server. This is the limited broadcast address, so events sent to it are broadcast to every host on the controller's local segment; use a unicast server address for production logging.
7 Use the Logging aggregation time parameter to define the increment (or interval) at which system events are logged (0-60 seconds).
Viewing the Entire Contents of Individual Log Files Extreme Networks recommends the entire contents of a log file be viewed to make an informed decision whether to transfer the file or clear the buffer. The View screen provides additional details about a target file by allowing the entire contents of a log file to be reviewed.
4 Refer to the following for information on the elements that can be viewed within a log file:
Timestamp | Displays the date, year and time of day the log file was initially created. This value states only the time the file was initiated, not the time it was modified or appended.
Mnemonic | Use the mnemonic as a text version of the severity code information. A mnemonic is a convention for the classification, organization, storage and recollection of controller information.
Description | Displays a high-level overview of the event, and (when applicable) the message type, error or completion codes for further clarification of the event.
15 Refer to the Status field for the current state of the requests made from the applet. This field displays error messages if something goes wrong in the transaction between the applet and the controller.
16 Click the Close button to exit the screen. No values need to be saved once the transfer has been made.
4 Click the Transfer Files button to open the transfer dialog, which enables a file to be copied to another location. For more information on transferring core snapshots, see "Transferring Core Snapshots" on page 468.

Transferring Core Snapshots
Use the Transfer screen to define a source for transferring core snapshot files to a secure location for archiving.
To review the current panic snapshots on the controller:
1 Select Diagnostics > Panic Snapshots from the main menu.
2 Refer to the following table headings within the Panic Snapshots screen:
Name | Displays the title of the panic file. Panic files are named n.panic where n is in the range 0-9.
Viewing Panic Details
Use the View facility to review the entire contents of a panic snapshot before transferring or deleting the file. The view screen enables you to display the entire file. To review Panic Snapshots:
1 Select Diagnostics > Panic Snapshots from the main menu.
2 Select a panic from those available and click the View button.
12 Refer to the Status field for the current state of the requests made from the applet. This field displays error messages if something goes wrong in the transaction between the applet and the controller.
13 Click the Transfer button when ready to move the target file to the specified location. Repeat the process as necessary to move each desired log file to the specified location.
Enabling this checkbox allows you to select the file location where you wish to store the log message.
4 Select the Use SNMP V2 only checkbox to use SNMP v2 to debug the applet. Check whether you have access to SNMP v2 by clicking the Test SNMP V2 access button. If SNMP v2 access is available, the test icon changes from grey to green, indicating the SNMPv2 interface is viable on the controller.
1 Select Diagnostics > Ping from the main menu.
2 Refer to the following information displayed within the Configuration tab:
Description | Displays the user assigned description of the ping test. The name is read-only. Use this title to determine whether this test can be used as is or whether a new ping test is required.
Modifying the Configuration of an Existing Ping Test
The properties of an existing ping test can be modified to ping an existing (known) device whose network address attributes may have changed and require modification to connect (ping) to it. To modify the attributes of an existing ping test:
1 Select Diagnostics >...
6 Click Cancel to return back to the Configuration tab without implementing changes. Adding a New Ping Test If the attributes of an existing ping test do not satisfy the requirements of a new connection test, and you do not want to modify an existing test, a new test can be created and added to the list of existing ping tests displayed within the Configuration tab.
Timeout(sec) | Configure the timeout value (in seconds) used to time out the ping test if a round trip packet is not received from the target device. Ensure this interval is long enough to account for network congestion between the controller and its target device.
Define the interval (in seconds) between ping packet transmissions.
Destination IP | Displays the numeric (non DNS address) destination of the device the ping packets are transmitted to.
Packets Sent | Displays the number of packets transmitted to the target device IP address. Compare this value with the number of packets received to assess the connection quality with the target device.
Customer Support NOTE Services can be purchased from Extreme Networks or through one of its channel partners. If you are an end-user who has purchased service through an Extreme Networks channel partner, please contact your partner first for support. Extreme Networks Technical Assistance Centers (TAC) provide 24x7x365 worldwide coverage. These centers are the focal point of contact for post-sales technical and network-related questions or issues.
AP Management from Controller The management of an adopted AP is conducted by the controller, once the AP connects to an Extreme Networks Summit WM3600 or Summit WM3700 wireless LAN controller and receives its configuration. An adopted AP provides: local 802.11 traffic termination ●...
An AP's wireless settings can also be configured from the controller. However, non-wireless features (DHCP, NAT, Firewall, etc.) cannot be configured from the controller and must be defined using the access point's resident interfaces before its controller adoption, or through Extreme Networks Wireless Management Suite (WMS).
Securing a Configuration Channel Between Controller and AP
Once an access point obtains a list of available controllers, it begins connecting to the controllers in the order given by the priority list. The access point discovers the controller through several Layer 3 discovery mechanisms, so the controller can be either on the same Layer 2 network as the AP or on a different network segment (Layer 3).
NOTE For a review of some important considerations impacting the use of extended and independent WLANs within an AP deployment, see "AP Deployment Considerations" on page 493.

Configuration Updates
An AP receives its configuration from the controller initially as part of its adoption sequence. Subsequent configuration changes on the controller are reflected on an AP when applicable.
RSS State | Independent WLANs | Extended WLANs
RSS Enabled | WLAN continues beaconing | WLAN continues beaconing but AP does allow clients to associate on that WLAN
RSS Disabled | WLAN stops beaconing | WLAN stops beaconing

Mesh Support
An AP can extend existing mesh functionality to a controller managed network. Mesh topology is configured partly through the wireless controller (defining the role of each mesh node) and partly at the mesh AP (defining the connection weight of each backhaul link).
WLAN with AP Radius Proxy. NOTE The Extreme Networks wireless LAN controllers support AP Radius proxy without specifying realm information. If AP Proxy Radius is enabled without specifying realm information, the internal Radius server can no longer be used to authenticate users.
Extended WLANs Only An extended WLAN configuration forces all MU traffic through the controller (tunneled traffic). No wireless traffic is locally bridged at the AP. Each extended WLAN is mapped to the access point's virtual LAN2 subnet. By default, the access point's LAN2 is not enabled and the default configuration is set to static with IP addresses defined as all zeros.
2 Use the controller’s secret password on the AP for the controller to authenticate it. To avoid a lengthy broken connection with the controller, Extreme Networks recommends generating an SNMP trap when the AP loses adoption with the controller.
Configuring the Controller for AP Adoption The tasks described below are configured on an Extreme Networks wireless LAN controller. To adopt an AP on a controller: 1 Ensure enough licenses are available on the controller to adopt the required number of APs.
Vendor Specific Option 43 and sent in the DHCP Offer. Controller Configuration An Extreme Networks wireless LAN controller can use default values to adopt an AP, as long as a valid license is installed. In default mode, any AP adoption request is honored until the current controller license limit is reached.
3 Ensure the Adopt unconfigured radios automatically option is NOT selected. When disabled, there is no automatic adoption of non-configured radios on the network. Additionally, default radio settings will NOT be applied to access points when automatically adopted.
NOTE For IPSec deployments, refer to "Sample Controller Configuration File for IPSec and Independent WLAN"...
NOTE Additionally, a WLAN can be defined as independent using the "wlan <index> independent" command from the config-wireless context.
NOTE Avoid mapping independent or extended WLANs to VLANs on the controller's ge port.
Once an AP is adopted by the controller, it displays within the controller's Access Point Radios screen (under the Network parent menu item) as an AP3510 or AP3550.
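The adoption section above says the controller addresses can be delivered to the AP as DHCP Vendor Specific Option 43 in the DHCP Offer, and that the AP then works through its controller list in priority order. The following is an added example, not code from the guide or the controller: it builds and parses an option 43 blob using the encapsulated sub-option layout of RFC 2132 section 8.4. The sub-option code (`CONTROLLER_SUBOPT = 1`) and the "packed IPv4 addresses in priority order" value format are assumptions; the AP firmware documentation defines the codes it actually parses. The addresses in the test are constructed (TEST-NET-1).

```python
"""DHCP option 43 (Vendor Specific Information, RFC 2132 section 8.4) carrying
an ordered list of controller IPv4 addresses for AP discovery.

Added example, not from the Extreme Networks guide. Assumptions:
  * CONTROLLER_SUBOPT (the encapsulated sub-option code) and the "packed IPv4
    addresses, in priority order" value layout are assumed; check your AP
    firmware's documentation for the codes it actually parses.
"""
import ipaddress

OPTION_VENDOR_SPECIFIC = 43
CONTROLLER_SUBOPT = 1            # assumption
SUBOPT_PAD, SUBOPT_END = 0, 255  # RFC 2132 8.4 allows pad/end codes inside option 43


def build_option43(controllers) -> bytes:
    """Encode option 43 = [43][len][sub-code][sub-len][ip1][ip2]...; list order = priority."""
    packed = b"".join(ipaddress.IPv4Address(c).packed for c in controllers)
    if not packed:
        raise ValueError("at least one controller address is required")
    if len(packed) + 2 > 255:  # the option length is a single octet
        raise ValueError("too many controller addresses for one option 43")
    sub = bytes([CONTROLLER_SUBOPT, len(packed)]) + packed
    return bytes([OPTION_VENDOR_SPECIFIC, len(sub)]) + sub


def parse_option43(option: bytes) -> list:
    """Return controller addresses (strings, in priority order) from an option 43 blob.

    Length fields are checked before use, so an Offer from a rogue DHCP server
    with a sub-option length larger than the option cannot make the parser read
    past the buffer; unknown sub-options are skipped rather than trusted.
    """
    if len(option) < 2 or option[0] != OPTION_VENDOR_SPECIFIC:
        raise ValueError("not a DHCP option 43")
    if option[1] != len(option) - 2:
        raise ValueError("option length %d does not match %d bytes of data"
                         % (option[1], len(option) - 2))
    body = option[2:]
    controllers = []
    pos = 0
    while pos < len(body):
        code = body[pos]
        if code == SUBOPT_END:
            break
        if code == SUBOPT_PAD:
            pos += 1
            continue
        if pos + 1 >= len(body):
            raise ValueError("truncated sub-option header")
        sublen = body[pos + 1]
        data = body[pos + 2:pos + 2 + sublen]
        if len(data) != sublen:
            raise ValueError("sub-option %d runs past the end of option 43" % code)
        pos += 2 + sublen
        if code == CONTROLLER_SUBOPT:
            if sublen == 0 or sublen % 4:
                raise ValueError("controller sub-option must hold whole IPv4 addresses")
            controllers.extend(str(ipaddress.IPv4Address(data[i:i + 4]))
                               for i in range(0, sublen, 4))
    return controllers


if __name__ == "__main__":
    blob = build_option43(["192.0.2.10", "192.0.2.11"])  # constructed addresses
    print(blob.hex(), parse_option43(blob))
```

Because any host that can answer a DHCP Discover on the AP's segment can hand it a controller list this way, the secret password the AP uses to authenticate its controller (step 2 of the AP-side procedure) is what stops an AP from being adopted by a rogue controller named in a spoofed Offer; the option itself carries no integrity protection.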
AP Deployment Considerations
Before deploying your controller/AP configuration, refer to the following usage caveats to optimize its effectiveness:
● Extended WLANs are mapped to the AP's LAN2 interface and all independent WLANs are mapped to the AP's LAN1 interface.
● If deploying multiple independent WLANs mapped to different VLANs, ensure the AP's LAN1...
Sample Controller Configuration File for IPSec and Independent WLAN
The following is a sample controller configuration file supporting an AP IPSec with Independent WLAN configuration. Note the new AP-specific CLI commands and the relevant comments (highlighted in blue in the original guide). The sample output is as follows:
! configuration of WM3600
aaa authentication login default none...
radio add 4 00-15-70-00-79-12 11a aap35xx
radio 4 bss 1 5
radio 4 bss 2 6
radio 4 channel-power indoor 48 4
radio 4 rss enable
radio 4 client-bridge bridge-select-mode auto
radio 4 client-bridge ssid Mesh
radio 4 client-bridge mesh-timeout 0
radio 4 client-bridge enable
radio default-11a rss enable...
controllerport trunk native vlan 1
controllerport trunk allowed vlan none
controllerport trunk allowed vlan add 1-9,100,110,120,130,140,150,160,170,
controllerport trunk allowed vlan add 180,190,200,210,220,230,240,250,
interface vlan1
ip address dhcp
! To attach a Crypto Map to a VLAN Interface
crypto map AAP-CRYPTOMAP sole
ip route 157.235.0.0/16 157.235.92.2
ip route 172.0.0.0/8 157.235.92.2
ntp server 10.10.10.100 prefer version 3...
● Console Port is Not Responding

Controller Does Not Boot Up
The Extreme Networks wireless LAN controller does not boot up to a username prompt via CLI console or Telnet. The table below provides suggestions to troubleshoot this issue.
Contact Extreme Networks Support. Controller Does Not Obtain an IP Address through DHCP An Extreme Networks wireless LAN controller requires a routable IP address for the administrator to manage it via Telnet, SSH or a Web browser. The table below provides suggestions to troubleshoot this issue.
When configuring the controller, it is easy to overlook the fact that the host computer is running the browser while the Extreme Networks wireless LAN controller is providing the data to the browser. Occasionally, while using the Web UI the controller does not respond or appears to be running very slow;...
Access Points that are not being adopted.
Miscellaneous other issues | With a packet sniffer, look for 8375 (broadcast) packets.
| Reset the Extreme Networks wireless LAN controller. If the controller is hung, it may begin to adopt Access Points properly once it has been reset.
All else...
(going up and down) that the detection configuration is correct and that all cables are secure. All else... Contact Extreme Networks Support Mobile Unit Issues This section describes various issues that may occur when working with the mobile units associated with the wireless controller or associated Access Points.
...on Spectralink phones | Verify a long preamble is used with Spectralink phones.

Miscellaneous Issues
This section describes various miscellaneous issues related to the Extreme Networks wireless LAN controller which do not fall into any of the previous categories. Possible issues include:
● Excessive Fragmented Data or Excessive Broadcast...
Contact Extreme Networks Support System Logging Mechanism The Extreme Networks wireless LAN controller provides subsystem logging to a Syslog server. There are two Syslog systems, local and remote. Local Syslog records system information locally, on the controller. The remote Syslog sends messages to a remote host. All Syslog messages conform to the RFC 3164 message format.
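The remote Syslog path described above emits RFC 3164 messages, in which the leading `<PRI>` field packs facility and severity as `facility * 8 + severity` and the mnemonic/description columns of the Log Options tables are derived from the rest of the line. The parser below is an added example, not code from the guide or the controller; it decodes the PRI, timestamp, host, tag and message of such lines and includes the check a practitioner would want on the Server 1-3 logging entries from the Log Options tab (a literal IPv4 address, and not the limited broadcast address the controller also accepts). The sample lines are constructed; the process names in them are illustrative, not the controller's actual tags.

```python
"""RFC 3164 syslog line parser plus a logging-server address check.

Added example, not from the Extreme Networks guide. The SAMPLE_LINES are
constructed for illustration and do not reproduce the controller's real output.
"""
import ipaddress
import re

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"] \
             + ["local%d" % i for i in range(8)]

_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                                # PRI = facility * 8 + severity
    r"(?P<ts>[A-Z][a-z]{2} [ 1-3]\d \d{2}:\d{2}:\d{2}) "   # TIMESTAMP, day space-padded
    r"(?P<host>\S+) "                                     # HOSTNAME
    r"(?P<content>.*)$", re.S)
_TAG = re.compile(r"^(?P<tag>[A-Za-z0-9_.\-/]+)(?:\[(?P<pid>\d+)\])?:\s?")

# constructed sample lines (not real controller output)
SAMPLE_LINES = [
    "<134>Dec 10 14:02:31 wm3600 radius[1234]: Auth OK for user bob from 10.1.2.3",
    "<4>Dec  5 09:00:01 wm3600 kernel: watchdog expired, fan 2 below threshold",
    "<999>Dec 10 14:02:31 wm3600 bogus: PRI out of range, must be discarded",
]


def parse_syslog(line: str):
    """Return a dict for a well-formed RFC 3164 line, or None if it is malformed."""
    m = _LINE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI
        return None
    facility, severity = divmod(pri, 8)
    content = m.group("content")
    t = _TAG.match(content)
    return {
        "facility": FACILITIES[facility],
        "severity": SEVERITIES[severity],
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "tag": t.group("tag") if t else None,
        "pid": int(t.group("pid")) if t and t.group("pid") else None,
        "msg": content[t.end():] if t else content,
    }


def at_least(record: dict, level: str) -> bool:
    """True when the record is at least as urgent as `level` (lower number = more urgent)."""
    return SEVERITIES.index(record["severity"]) <= SEVERITIES.index(level)


def check_syslog_server(addr: str):
    """Validate a Server 1-3 entry: literal IPv4 only, unicast, and not 255.255.255.255.

    Returns (ok, reason). The controller accepts the limited broadcast address,
    but logs sent there reach every host on the segment, so flag it.
    """
    try:
        ip = ipaddress.IPv4Address(addr)
    except ValueError:
        return False, "not a literal IPv4 address (DNS names are not accepted)"
    if ip == ipaddress.IPv4Address("255.255.255.255"):
        return False, "limited broadcast: every host on the segment would receive the logs"
    if ip.is_multicast or ip.is_unspecified:
        return False, "not a unicast address"
    return True, "ok"


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_syslog(line)
        print("DROP" if rec is None else "%-7s %-7s %s" % (rec["facility"], rec["severity"], rec["msg"]))
    print(check_syslog_server("255.255.255.255"))
```

`at_least(rec, "warning")` is the filter to apply when forwarding only what the page calls severity-code events to a SIEM; everything at `notice` and below can stay in the local buffer.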
Consequently, a password recovery login must be used that will default your controller back to its factory default configuration. To access the Extreme Networks wireless LAN controller using password recovery:
CAUTION Using this recovery procedure erases the controller's current configuration and data files from the controller /flash dir. Only the controller's license keys are retained. You should be able to log in using the default username and password (admin/admin123) and restore the controller's previous configuration (only if it has been exported to a secure location before the password recovery procedure was invoked). Change the default password as soon as the configuration has been restored.
● Ensure that the key password in the AAA/EAP context is set to the key used to generate the imported certificates.
● DO NOT forget to SAVE!

Radius Server does not reply to my requests
Ensure the following have been attempted:
● Add a Radius client in the Radius server configuration with the Controller's VLAN interface, IP address...
● If using the on-board RADIUS Accounting server, the files are logged under the path: /flash/log/radius/radacct/

Rogue AP Detection Troubleshooting
Extreme Networks recommends adhering to the following guidelines when configuring Rogue AP detection:
● Basic configuration required for running Rogue AP detection:...
● ...status as "enable", and also check the status of the configured detection scheme.
● Check for the "Extreme Networks AP" flag in the rulelist context. If it is set to "enable", then all the detected APs will be added to the approved list context.
A wired Host (Host-1) on the trusted side is not able to connect to a Wireless Host (Host-2) or Wired Host (Host-3) on the untrusted side 1 Check that IP Ping from Host1 to the Interface on the Untrusted Side of the controller works. 2 If it works then there is no problem in connectivity.