Extreme Networks Summit WM3000 Series Reference Manual

Summit WM3000 Series Controller System, Software Version 4.0


Summit® WM3000 Series Controller System
Reference Guide, Software Version 4.0
Extreme Networks, Inc.
3585 Monroe Street
Santa Clara, California 95051
(888) 257-3000
(408) 579-2800
http://www.extremenetworks.com
Published: December 2009
Part Number: 100352-00 Rev 01



Summary of Contents for Extreme Networks Summit WM3000 Series

  • Page 1 ® Summit WM3000 Series Controller System Reference Guide, Software Version 4.0 Extreme Networks, Inc. 3585 Monroe Street Santa Clara, California 95051 (888) 257-3000 (408) 579-2800 http://www.extremenetworks.com Published: December 2009 Part Number: 100352-00 Rev 01...
  • Page 2 ReachNXT, Sentriant, ServiceWatch, Summit, SummitStack, Triumph, Unified Access Architecture, Unified Access RF Manager, UniStack, the Extreme Networks logo, the Alpine logo, the BlackDiamond logo, the Extreme Turbodrive logo, the Summit logos, and the Powered by ExtremeXOS logo are trademarks or registered trademarks of Extreme Networks, Inc.
  • Page 3: Table Of Contents

    Table of Contents Chapter 1: About This Guide ........................13 Introduction................................13 Documentation Set..............................13 Document Conventions............................13 Notational Conventions ............................14 Chapter 2: Overview ..........................15 Hardware Overview ...............................15 Power Protection .............................15 Cabling Requirements ..........................15 Software Overview ..............................16 Infrastructure Features ............................16 Installation Feature ..........................17 Licensing Support............................17 Configuration Management........................17 Diagnostics ..............................17...
  • Page 4 Table of Contents MU Authentication..........................29 Secure Beacon ............................30 MU to MU Disallow..........................30 802.1x Authentication ..........................30 WIPS................................30 Rogue AP Detection ..........................31 ACLs................................32 Local Radius Server ..........................32 IPSec VPN...............................32 NAT.................................33 Certificate Management ..........................33 NAC.................................33 Chapter 3: Controller Web UI Access and Image Upgrades ..............35 Web UI Requirements ............................35 Accessing the Summit WM Controller for the First Time ................35 Defining Basic Controller Settings.........................36...
  • Page 5 Table of Contents Viewing Files..............................77 Configuring Automatic Updates ..........................78 Viewing the Controller Alarm Log........................81 Viewing Alarm Log Details..........................82 Viewing Controller Licenses ..........................83 How to use the Filter Option..........................84 Chapter 5: Network Setup ........................85 Displaying the Network Interface..........................85 Viewing Network IP Information ..........................87 Configuring DNS............................87 Adding an IP Address for a DNS Server....................89 Configuring Global Settings........................89...
  • Page 6 Table of Contents Viewing Associated MU Details .........................166 Viewing MU Status ............................167 Viewing MU Details..........................169 Configuring Mobile Units ..........................170 MAC Naming of Mobile Units......................171 Viewing MU Statistics..........................171 Viewing MU Statistics in Detail......................173 View a MU Statistics Graph........................174 Viewing Voice Statistics..........................175 Viewing Access Point Information........................176 Configuring Access Point Radios.........................177 Configuring an AP Radio’s Global Settings ..................180...
  • Page 7 Table of Contents DHCP Server Settings ............................238 Configuring the Controller DHCP Server ....................238 Editing the Properties of an Existing DHCP Pool.................240 Adding a New DHCP Pool........................241 Configuring DHCP Global Options ......................243 Configuring DHCP Server DDNS Values ....................244 Viewing the Attributes of Existing Host Pools ....................245 Configuring Excluded IP Address Information....................247 Configuring the DHCP Server Relay ......................248 Viewing DDNS Bindings ..........................250...
  • Page 8 Table of Contents Displaying the Main Security Interface .......................309 AP Intrusion Detection ............................310 Enabling and Configuring AP Detection......................311 Adding or Editing an Allowed AP ......................313 Approved APs...............................315 Unapproved APs (Reported by APs)......................316 Unapproved APs (Reported by MUs)......................317 Configuring Firewalls and Access Control Lists ....................319 ACL Overview..............................319 Router ACLs............................320 Port ACLs..............................321...
  • Page 9 Table of Contents Defining the IPSec Configuration ........................375 Editing an Existing Transform Set ......................377 Adding a New Transform Set........................379 Defining the IPSec VPN Remote Configuration ..................380 Configuring IPSEC VPN Authentication .....................382 Configuring Crypto Maps..........................384 Crypto Map Entries ..........................385 Crypto Map Peers ..........................387 Crypto Map Manual SAs........................389 Crypto Map Transform Sets ........................392 Crypto Map Interfaces...........................393...
  • Page 10 Table of Contents Adding SNMP Trap Receivers ........................441 Configuring Management Users ..........................442 Configuring Local Users..........................442 Creating a New Local User ........................443 Modifying an Existing Local User ......................445 Creating a Guest Admin and Guest User ....................447 Configuring Controller Authentication......................448 Modifying the Properties of an Existing Radius Server................450 Adding an External Radius Server ......................452 External Radius Server Settings ......................453 Chapter 9: Diagnostics ..........................
  • Page 11 Table of Contents If Remote Site Survivability (RSS) is disabled, the independent WLAN is also disabled in the event of a controller failure..............................484 Remote Site Survivability (RSS) ........................484 Mesh Support..............................485 AP Radius Proxy Support..........................485 Supported AP Topologies ............................486 Topology Deployment Considerations ......................486 Extended WLANs Only..........................487 Independent WLANs Only ...........................487...
  • Page 12 Table of Contents RADIUS Troubleshooting ..........................507 Radius Server does not start upon enable....................507 Radius Server does not reply to my requests..................508 Radius Server is rejecting the user ......................508 Time of Restriction configured does not work..................508 Authentication fails at exchange of certificates..................508 When using another Summit WM3700 (controller 2) as RADIUS server, access is rejected ....508 Authentication using LDAP fails ......................508 VPN Authentication using onboard RADIUS server fails ..............509...
  • Page 13: Chapter 1: About This Guide

    Screens and windows pictured in this guide are samples and can differ from actual screens. Documentation Set The documentation set for the Extreme Networks wireless LAN controllers is partitioned into the following guides to provide information for specific user needs.
  • Page 14: Notational Conventions

    WARNING! Indicates a condition or procedure that could result in personal injury or equipment damage.
    Notational Conventions
    The following additional notational conventions are used in this document: Italics are used to highlight the following:
    ● Chapters and sections in this and related documents
    ● ...
  • Page 15: Chapter 2: Overview

    System configuration and intelligence for the wireless network resides with the controller once an AP is adopted and connects to an Extreme Networks Summit WM3600 or Summit WM3700 wireless LAN controller and receives its configuration.
  • Page 16: Software Overview

    The Extreme Networks Wireless LAN Controller Wireless Management Suite (WMS) is a recommended utility to plan the deployment of the controller and view its configuration once operational in the field. Extreme Networks WMS can help optimize the positioning and configuration of a controller in respect to a WLAN’s Mobile Unit (MU) throughput requirements and can help detect rogue devices.
  • Page 17: Installation Feature

    ● Diagnostics
    ● Serviceability
    ● Tracing / Logging
    ● Process Monitor
    ● Hardware Abstraction Layer and Drivers
    ● Redundancy
    ● Secure Network Time Protocol (SNTP)
    Installation Feature
    The upgrade/downgrade of the controller can be performed using one of the following methods:
    ● Web UI
    ● ...
  • Page 18: Serviceability

    A special set of Service CLI commands are available to provide additional troubleshooting capabilities for service personnel (access to Linux services, panic logs, etc.). Only authorized users or service personnel are provided access to the Service CLI. Contact Extreme Networks support at https://esupport.extremenetworks.com for information on accessing the controller’s service CLI.
  • Page 19: Hardware Abstraction Layer And Drivers

    or stuck in an endless loop) is detected when its heartbeat is not received. Such a process is terminated (if still running) and restarted (if configured) by the Process Monitor.
    Hardware Abstraction Layer and Drivers
    The Hardware Abstraction Layer (HAL) provides an abstraction library with an interface hiding hardware/platform specific data.
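    An added example, not the controller's own Process Monitor code: a heartbeat supervisor in Python that applies the policy described above. A process is declared hung when its heartbeat is overdue by more than a configured number of periods, is terminated if it is still running, and is restarted only if it is configured to be. Two details are assumptions of this example rather than statements of the guide: a restart cap, so a process that fails on every start cannot keep the supervisor in a restart loop, and an injected clock so the policy can be exercised deterministically.

```python
"""Heartbeat-based process supervision (added example, not controller code)."""
from dataclasses import dataclass


@dataclass
class Watched:
    name: str
    interval: float        # expected heartbeat period, seconds
    missed_limit: int      # heartbeats that may be missed before "hung"
    restart: bool          # "restarted (if configured)"
    max_restarts: int      # assumed cap against crash/restart loops
    last_beat: float
    running: bool = True
    restarts: int = 0
    down_handled: bool = False   # a permanently-down process is reported once


class ProcessMonitor:
    def __init__(self, clock):
        self.clock = clock        # callable returning monotonic seconds
        self.procs = {}

    def register(self, name, interval, missed_limit=3, restart=True, max_restarts=5):
        self.procs[name] = Watched(name, interval, missed_limit, restart,
                                   max_restarts, last_beat=self.clock())

    def heartbeat(self, name):
        """Called by the watched process; refreshes its deadline."""
        self.procs[name].last_beat = self.clock()

    def exited(self, name):
        """The process went away on its own (crash); nothing to terminate."""
        self.procs[name].running = False

    def check(self):
        """One supervisor pass. Returns the (name, action) pairs taken."""
        now = self.clock()
        actions = []
        for p in self.procs.values():
            if p.running:
                if now - p.last_beat <= p.interval * p.missed_limit:
                    continue                      # heartbeat on time: healthy
                p.running = False                 # hung but alive: terminate first
                actions.append((p.name, "terminate"))
            elif p.down_handled:
                continue                          # already reported as down
            if not p.restart:
                p.down_handled = True
                actions.append((p.name, "leave-down"))
                continue
            if p.restarts >= p.max_restarts:
                p.down_handled = True             # stop looping; raise an alarm instead
                actions.append((p.name, "restart-cap-reached"))
                continue
            p.restarts += 1
            p.running = True
            p.last_beat = now                     # fresh deadline for the new instance
            actions.append((p.name, "restart"))
        return actions


if __name__ == "__main__":
    # Constructed demonstration with a fake clock.
    t = [0.0]
    mon = ProcessMonitor(lambda: t[0])
    mon.register("cfgd", interval=1.0, max_restarts=2)
    for t[0] in (3.5, 7.0, 11.0):
        print(t[0], mon.check())
```

    The supervisor never restarts a process that has not been terminated first, and once the cap is reached it stops acting on that process and leaves the alarm path to report it, which is the behaviour a practitioner wants when a restart loop would otherwise starve the rest of the controller.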
  • Page 20: Wireless Switching

    Wireless Switching
    The controller includes the following wireless switching features:
    ● Physical Layer Features
    ● Proxy-ARP
    ● HotSpot / IP Redirect
    ● IDM (Identity Driven Management)
    ● Voice Prioritization
    ● Wireless Capacity
    ● AP Load Balancing
    ● Wireless Roaming
    ● Power Save Polling
    ● ...
  • Page 21: Proxy-Arp

    ● Short slot protection: The slot time is 20 µs, except an optional 9 µs slot time may be used when the basic service set (BSS) consists of only ERP stations (STAs) capable of supporting this option. The optional 9 µs slot time should not be used if the network has one or more non-ERP STAs associated. For independent basic service sets (IBSS), the Short Slot Time field is set to 0, corresponding to a 20 µs slot time.
  • Page 22: Voice Prioritization

    ● User based VLAN assignment: Allows the controller to extract Virtual LAN (VLAN) information from the Radius server.
    ● User based QoS: Enables Quality of Service (QoS) for the MU based on settings within the Radius Server.
    Voice Prioritization
    The controller has the capability of having its QoS policy configured to prioritize network traffic requirements for associated MUs.
  • Page 23: Wireless Roaming

    NOTE Port adoption per controller is determined by the number of licenses acquired.
    Wireless Roaming
    The following types of wireless roaming are supported by the controller:
    ● Intercontroller Layer 2 Roaming
    ● Intercontroller Layer 3 Roaming
    ● International Roaming
    Intercontroller Layer 2 Roaming
    An associated MU (connected to a controller) can roam to another Access Point connected to a different controller.
  • Page 24: Wireless Layer 2 Switching

    802.11e QoS
    802.11e enables real-time audio and video streams to be assigned a higher priority over data traffic. The controller supports the following 802.11e features:
    ● Basic WMM
    ● WMM Linked to 802.1p Priorities
    ● WMM Linked to Differentiated Services Code Point (DSCP) Priorities
    ● ...
  • Page 25: Wmm-Upsd

    1 When a new AP is adopted, it scans each channel. However, the controller does not forward traffic at this time.
    2 The controller then selects the least crowded channel based on the noise and traffic detected on each channel.
    3 The algorithm used is a simplified maximum entropy algorithm for each radio, where the signal strength from adjoining APs, and from MUs associated to adjoining APs, is minimized.
  • Page 26: Wired Switching

    Roaming Across a Cluster
    MUs roam amongst controller cluster members. The controller must ensure a VLAN remains unchanged as an MU roams. This is accomplished by passing MU VLAN information across the cluster using the interface used by a hotspot. It automatically passes the username/password across the credential caches of the member controllers.
  • Page 27: Dhcp User Class Options

    DHCP User Class Options A DHCP Server groups clients based on defined user-class option values. Clients with a defined set of user-class values are segregated by class. The DHCP Server can associate multiple classes to each pool. Each class in a pool is assigned an exclusive range of IP addresses. DHCP clients are compared against classes.
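    As an added illustration (not code from this guide or from the controller), the following Python shows the mechanism just described: a pool whose classes each own an exclusive address range, a client matched against those classes by the User Class option (DHCP option 77) it sends, and an allocation that never spills from one class's range into another's. The packet bytes, class names and address ranges are constructed for the example. It also makes explicit a point the guide does not: the user class is asserted by the client and is not authenticated, so any host that sends the right class name is placed in that class's range; class membership alone should not be what grants a privileged network.

```python
"""DHCP user-class based address assignment (added example, not controller code)."""
import ipaddress
from dataclasses import dataclass, field

OPT_PAD, OPT_MESSAGE_TYPE, OPT_USER_CLASS, OPT_END = 0, 53, 77, 255
DHCPDISCOVER = 1


def build_options(msg_type, user_class=None):
    """Build a DHCP option area; option 77 in RFC 3004 length-prefixed form."""
    out = bytes([OPT_MESSAGE_TYPE, 1, msg_type])
    if user_class is not None:
        uc = user_class.encode("ascii")
        body = bytes([len(uc)]) + uc
        out += bytes([OPT_USER_CLASS, len(body)]) + body
    return out + bytes([OPT_END])


def parse_dhcp_options(data):
    """Parse the TLV option area (bytes after the magic cookie) into {code: value}.

    Every option is bounds-checked so a malformed packet raises instead of
    reading past the buffer; repeated codes are concatenated (RFC 3396).
    """
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts


def user_classes(opts):
    """Decode option 77: RFC 3004 length-prefixed entries, or a bare string
    as some clients send it, which is accepted as a single class."""
    raw = opts.get(OPT_USER_CLASS)
    if not raw:
        return []
    entries, i = [], 0
    while i < len(raw):
        n = raw[i]
        if n == 0 or i + 1 + n > len(raw):
            return [raw.decode("ascii", "replace")]
        entries.append(raw[i + 1:i + 1 + n].decode("ascii", "replace"))
        i += 1 + n
    return entries


@dataclass
class DhcpPool:
    network: ipaddress.IPv4Network
    classes: dict            # class name -> (first, last) IPv4Address range
    default_range: tuple     # used for clients matching no class
    leases: dict = field(default_factory=dict)

    def __post_init__(self):
        # Each class owns an exclusive range inside the pool's network.
        spans = sorted(list(self.classes.values()) + [self.default_range])
        prev_last = None
        for first, last in spans:
            if first > last or first not in self.network or last not in self.network:
                raise ValueError(f"range {first}-{last} not inside {self.network}")
            if prev_last is not None and first <= prev_last:
                raise ValueError(f"range starting {first} overlaps another class")
            prev_last = last

    def range_for(self, asserted_classes):
        """First configured class the client claims wins; otherwise the default.
        The claim is unauthenticated: it is whatever the client chose to send."""
        for name in asserted_classes:
            if name in self.classes:
                return self.classes[name]
        return self.default_range

    def allocate(self, client_id, asserted_classes):
        first, last = self.range_for(asserted_classes)
        for n in range(int(first), int(last) + 1):
            ip = ipaddress.IPv4Address(n)
            if ip not in self.leases:
                self.leases[ip] = client_id
                return ip
        return None   # class range exhausted: no spill into another class


def demo_pool():
    """Constructed pool: two classes plus a default range, all disjoint."""
    a = ipaddress.IPv4Address
    return DhcpPool(
        network=ipaddress.IPv4Network("10.1.20.0/24"),
        classes={"voip": (a("10.1.20.10"), a("10.1.20.99")),
                 "printers": (a("10.1.20.100"), a("10.1.20.149"))},
        default_range=(a("10.1.20.150"), a("10.1.20.250")),
    )


if __name__ == "__main__":
    pool = demo_pool()
    # The third client is an ordinary host that simply claims "voip".
    for client, uc in ((b"\x01\x00\x11\x22\x33\x44\x55", "voip"),
                       (b"\x01\x00\x11\x22\x33\x44\x66", None),
                       (b"\x01\x00\x11\x22\x33\x44\x77", "voip")):
        classes = user_classes(parse_dhcp_options(build_options(DHCPDISCOVER, uc)))
        print(uc, "->", pool.allocate(client, classes))
```

    Running it shows the forged "voip" claim receiving an address from the voice range exactly as the genuine phone did; if that range is also what an ACL or VLAN trusts, the class option has become the access control, which is why the range should be paired with a check the client cannot choose (802.1X, MAC authentication or a port-level policy).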
  • Page 28: Security Features

    ● Heat map support for RF deployment
    ● Secure guest access with specific permission intervals
    ● Controller discovery enabling users to discover each Extreme Networks controller on the specified network.
    Security Features
    Controller security can be classified into wireless security and wired security.
  • Page 29: Mu Authentication

    Wired Equivalent Privacy (WEP) is an encryption scheme used to secure wireless networks. WEP was intended to provide comparable confidentiality to a traditional wired network, hence the name. WEP has many serious weaknesses and was superseded by Wi-Fi Protected Access (WPA). A WEP key can be recovered from captured traffic in minutes with freely available tools, so WEP should not be relied on against any deliberate attacker; at most it deters casual snooping, and WPA or WPA2 should be used wherever the MUs support it.
  • Page 30: Secure Beacon

    WIPS
    The Motorola Wireless Intrusion Protection Software (WIPS) is supported by Extreme Networks WM3000 series WLAN controllers. WIPS monitors for the presence of unauthorized rogue Access Points. Unauthorized attempts to access the WLAN are generally accompanied by anomalous behavior as intruding MUs try to find network vulnerabilities.
  • Page 31: Rogue Ap Detection

    The Extreme Networks Wireless LAN Controller Management Software (WMS) is recommended to plan the deployment of the controller. Extreme Networks WMS can help optimize the positioning and configuration of a controller in respect to a WLAN’s MU throughput requirements and can help detect rogue devices. For more information, refer to the Extreme Networks documentation website at: http://www.extremenetworks.com/go/documentation.
  • Page 32: Acls

    After determining which are authorized APs and which are Rogue, the controller prepares a report. Extreme Networks WMS Support The controller can provide rogue device detection data to the Extreme Networks Wireless LAN Controller Wireless Management Suite application (or Extreme Networks WMS). Extreme Networks WMS uses this data to refine the position and display the rogue on a site map representative of the physical dimensions of the actual radio coverage area of the controller.
  • Page 33: Nat

    A VPN is used to provide secure access between two subnets separated by an unsecured network. There are two types of VPNs:
    ● Site-Site VPN: For example, carrying traffic between two branch offices of a company over an unsecured link between the two locations.
    ● Remote VPN: ...
  • Page 34 NAC authentication for MUs that do not have NAC 802.1x support (printers, phones, PDAs etc.). For information on configuring NAC support, see “Configuring NAC Server Support” on page 138.
  • Page 35: Chapter 3: Controller Web Ui Access And Image Upgrades

    Controller Web UI Access and Image Upgrades
    The content of this chapter is segregated amongst the following:
    ● Web UI Requirements on page 35
    ● Controller Password Recovery on page 38
    ● Upgrading the Controller Image on page 39
    ● Auto Installation on page 39
    ● ...
  • Page 36: Defining Basic Controller Settings

    2 Launch your web browser. In the address bar, type http://10.1.1.100. The Summit WM GUI login screen is displayed.
    3 Enter the Username admin, and Password admin123. Both are case-sensitive. Click the Login button. These are published factory defaults; change the admin password immediately after the first login (see Configuring Local Users in Chapter 8), since anyone who can reach the management interface can otherwise log in with them.
    Once the Web UI is accessed, the controller main menu item displays a configuration tab with high-level controller information.
  • Page 37
    Firmware: Displays the current firmware version running on the controller. This version should be periodically compared to the most recent version available on the Extreme Networks Web site, as versions with increased functionality are periodically released.
    AP Licenses: Displays the number of Access Point licenses currently available for the controller.
  • Page 38: Controller Password Recovery

    Date (MM/DD/YYYY): Displays the day, month and year currently used with the controller.
    Time (HH:MM:SS): Displays the time of day used by the controller.
    Time Zone: Use the drop-down menu to specify the time zone used with the controller.
  • Page 39: Upgrading The Controller Image

    However, Extreme Networks periodically releases controller firmware that includes enhancements or resolutions to known issues. Verify your current controller firmware version with the latest version available from the Extreme Networks Web site before determining if your system requires an upgrade.
  • Page 40: Configuring Auto Install Via The Cli

    Configuring Auto Install via the CLI
    There are three compulsory and four optional configuration parameters. The compulsory parameters are:
    ● configuration upgrade enable
    ● cluster configuration upgrade enable
    ● image upgrade enable
    Optional (only for the static case):
    ● configuration file URL
    ● ...
  • Page 41
    WLANController(config)#autoinstall image version 4.0.0.0-XXXXX
    WLANController(config)#autoinstall config
    WLANController(config)#autoinstall cluster-config
    WLANController(config)#autoinstall image
    WLANController(config)#show autoinstall
    feature        enabled
    config         ftp://ftp:ftp@173.9.234.1/Controller/config
    cluster cfg    ftp://ftp:ftp@173.9.234.1/Controller/cluster-config
    image          ftp://ftp:ftp@147.11.1.11/Controller/images/WM3600.img
    expected image version 4.0.0.0-XXXXX
    Once again, for DHCP option based auto install the URLs are ignored and those passed by DHCP are not stored.
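    In the show output above the controller fetches its configuration and image over anonymous FTP with the login embedded in each URL, and the pinned expected image version is the only check applied to what gets installed. The following script is an added example (not part of this guide or of the controller software) that parses that show autoinstall output and reports what a reviewer would reject before enabling auto-install: cleartext transfer protocols, credentials embedded in a URL, anonymous FTP logins, and an image source with no pinned version. It assumes only the config, cluster cfg and image rows and the expected image version line are of interest, that ftp, tftp and http are the cleartext choices, and that the pin is compared to a fetched image's version string by exact equality.

```python
"""Audit controller auto-install sources (added example, not controller code)."""
import re
from urllib.parse import urlsplit

# Protocols from the guide's list that carry login and payload unencrypted
# and give the controller no way to authenticate the server it pulls from.
CLEARTEXT_SCHEMES = {"ftp", "tftp", "http"}
ANONYMOUS_LOGINS = {("ftp", "ftp"), ("anonymous", ""), ("anonymous", "anonymous")}

FEATURE_RE = re.compile(r"^(config|cluster cfg|image)\s+(\S+://\S+)$")
VERSION_RE = re.compile(r"^expected image version\s+(\S+)$")

# Constructed from the show autoinstall output reproduced on this page
# (the XXXXX build placeholder is kept as it appears there).
SAMPLE_SHOW_AUTOINSTALL = """\
feature        enabled
config         ftp://ftp:ftp@173.9.234.1/Controller/config
cluster cfg    ftp://ftp:ftp@173.9.234.1/Controller/cluster-config
image          ftp://ftp:ftp@147.11.1.11/Controller/images/WM3600.img
expected image version 4.0.0.0-XXXXX
"""


def parse_show_autoinstall(text):
    """Return ({feature: url}, expected_version_or_None) from CLI output."""
    sources, expected = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = FEATURE_RE.match(line)
        if m:
            sources[m.group(1)] = m.group(2)
            continue
        m = VERSION_RE.match(line)
        if m:
            expected = m.group(1)
    return sources, expected


def audit_source(feature, url):
    """Findings for one auto-install URL; an empty list means acceptable."""
    findings = []
    p = urlsplit(url)
    scheme = p.scheme.lower()
    if scheme in CLEARTEXT_SCHEMES:
        findings.append(f"{feature}: {scheme} is cleartext and unauthenticated; use sftp")
    if p.username is not None or p.password is not None:
        findings.append(f"{feature}: credentials embedded in the URL are exposed in "
                        "show output and in the saved configuration")
        if (p.username or "", p.password or "") in ANONYMOUS_LOGINS:
            findings.append(f"{feature}: anonymous FTP login; anyone who reaches the "
                            "server can replace the file the controller installs")
    return findings


def audit(text):
    """Audit a complete show autoinstall output."""
    sources, expected = parse_show_autoinstall(text)
    findings = []
    for feature, url in sources.items():
        findings.extend(audit_source(feature, url))
    if "image" in sources and expected is None:
        findings.append("image: no expected image version pinned; whatever the "
                        "server offers would be installed")
    return findings


def image_version_acceptable(reported, expected):
    """The pin is the only integrity check the feature offers: exact match only."""
    return expected is not None and reported == expected


if __name__ == "__main__":
    for finding in audit(SAMPLE_SHOW_AUTOINSTALL):
        print(finding)
```

    The same protocol choice applies to the automatic update settings in Chapter 4 (FTP, TFTP, HTTP, SFTP): of the four, only SFTP authenticates the server and encrypts the transfer, so an attacker on the path to an FTP or TFTP server can serve a modified configuration or image, and the version pin will not catch a malicious image that reports the expected version string.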
  • Page 43: Chapter 4: Controller Information

    The Extreme Networks Wireless LAN Controller Wireless Management Suite (WMS) is a recommended utility to plan the deployment of the controller and view its interface statistics once operational in the field. Extreme Networks WMS can help optimize the positioning and configuration of a controller (and its associated radios) in respect to a WLAN’s MU throughput requirements and can help detect rogue devices.
  • Page 44: Setting The Controller Country Code

    Controller Information Setting the Controller Country Code When initially logging into the system, the controller requests that you enter the correct country code for your region. If a country code is not configured, a warning message will display stating that an incorrect country setting will lead to the illegal use of the controller.
  • Page 45
    Firmware: Displays the current firmware version running on the controller. This version should be periodically compared to the most recent version available on the Extreme Networks Web site, as versions with increased functionality are periodically released.
    AP Licenses: Displays the number of Access Point licenses currently available for the controller.
  • Page 46: Controller Dashboard Details

    9 Click the Apply button to save the updates (to the Time Zone or Country parameters specifically).
    Controller Dashboard Details
    Each Extreme Networks wireless LAN controller platform contains a dashboard which represents a high-level graphical overview of central controller processes and hardware. When logging into the controller, the dashboard should be the first place you go to assess overall controller performance and any potential performance issues.
  • Page 47: Summit Wm3600 Controller Dashboard

    Summit WM3600 Controller Dashboard
    The Dashboard screen displays the current health of the controller and is divided into fields representing the following important diagnostics:
    ● Alarms
    ● Ports
    ● Environment
    ● CPU/Memory
    ● File Systems
  • Page 48
    Apart from the sections mentioned above, it also displays the following status:
    Redundancy State: Displays the Redundancy State of the controller. The status can be either Enabled or Disabled. Enabled is shown as a green state; Disabled as a yellow state.
    Firmware: Displays the Firmware version of the current software running on the wireless controller.
  • Page 49: Summit Wm3700 Controller Dashboard

    5 The File Systems section displays the free file system available for:
    ● flash
    ● nvram
    ● system
    Summit WM3700 Controller Dashboard
    The Dashboard screen displays the current health of the controller and is divided into fields representing the following important diagnostics:
    ● Alarms
    ● ...
  • Page 50
    The alarms field also displays details (in a tabular format) of the 5 most recent unacknowledged critical/major alarms raised during the past 48 hours. The table displays the following details:
    Severity: Displays the severity of the alarm. It can be either Critical or Major.
    Displays the time when the alarm was reported.
  • Page 51: Viewing Controller Statistics

    Viewing Controller Statistics The Controller Statistics tab displays an overview of the recent network traffic and RF status for the controller. To display the Controller Statistics tab: 1 Select Controller from the main menu tree. 2 Click the Controller Statistics tab at the top of the Controller screen. 3 Refer to the following read-only information about associated MUs: Displays the total number of MUs currently associated to the controller.
  • Page 52
    5 The RF Status section displays the following read-only RF radio signal information for associated APs and radios:
    Average Signal: Displays the average signal strength for MUs associated with the controller over the last 30 seconds and 1 hour. Typically, the higher the signal, the closer the MU.
  • Page 53: Viewing Controller Port Information

    Viewing Controller Port Information
    The Port screen displays configuration, runtime status and statistics of the ports on the controller.
    NOTE The ports available vary by controller platform.
    Summit WM3600: ge1, ge2, ge3, ge4, ge5, ge6, ge7, ge8, me1, up1
    Summit WM3700: ge1, ge2, ge3, ge4, me1
    The port types are defined as follows: Gigabit Ethernet (GE) ports are available on the Summit WM3600 and Summit WM3700 platforms.
  • Page 54
    To view configuration details for the uplink and downlink ports:
    1 Select Controller > Port from the main menu tree.
    2 Select the Configuration tab to display the following read-only information:
    Name: Displays the current port name. The port names available vary by controller.
  • Page 55: Editing The Port Configuration

    Editing the Port Configuration To modify the port configuration: 1 Select a port from the table displayed within the Configuration screen. 2 Click the Edit button. A Port Change Warning screen displays, stating any change to the port setting could disrupt access to the controller.
  • Page 56
    Name: Displays the read-only name assigned to the port.
    Speed: Select the speed at which the port can receive and transmit the data. Select from the following range:
    • 10 Mbps
    • 100 Mbps
    • 1000 Mbps
    • Auto
    Duplex: Modify the duplex status by selecting one of the following options:
    • ...
  • Page 57: Viewing The Ports Runtime Status

    Viewing the Ports Runtime Status The Runtime tab displays read-only runtime configuration for uplink and downlink ports. To view the runtime configuration details of the uplink and downlink ports: 1 Select Controller > Port from the main menu tree. 2 Select the Runtime tab to display the following read-only information: Displays the port’s current name.
  • Page 58
    3 Refer to the Statistics tab to display the following read-only information:
    Name: Defines the port name.
    Bytes In: Displays the total number of bytes received by the port.
    Packets In: Displays the total number of packets received by the port.
    Displays the number of packets dropped by the port.
  • Page 59: Detailed Port Statistics

    Detailed Port Statistics To view detailed statistics for a port: 1 Select a port from the table displayed within the Statistics screen. 2 Click the Details button. 3 The Interface Statistics screen displays. This screen displays the following statistics for the selected port: Displays the port name.
  • Page 60: Viewing The Port Statistics Graph

    Output NonUnicast Packets: Displays the number of non-unicast (broadcast and multicast) packets transmitted from the interface.
    Output Total Packets: Displays the total number of packets transmitted from the interface.
    Output Packets Dropped: Displays the number of transmitted packets dropped from the interface. Output Packets Dropped are packets dropped when the output queue of the device associated with the interface is saturated.
  • Page 61: Power Over Ethernet (Poe)

    ● Input Bytes
    ● Input Pkts Dropped
    ● Output Pkts Total
    ● Output Pkts Error
    ● Input Pkts Total
    ● Input Pkts Error
    ● Output Pkts NUCast
    ● Input Pkts NUCast
    ● Output Bytes
    ● Output Pkts Dropped
    3 Display any of the above by selecting the checkbox associated with it.
    NOTE You are not allowed to select (display) more than four parameters at any given time.
  • Page 62
    NOTE The PoE screen is only available on the WM3600 controller. The Summit WM3700 controller does not have Power over Ethernet on any ports and will not display the PoE tab.
    The PoE Global Configuration section displays the following power information.
    Power Budget: Displays the total watts available for Power over Ethernet on the controller.
  • Page 63: Editing Port Poe Settings

    Class: Displays the IEEE Power Classification for each port:
    Class Number    Maximum Power Required from Controller
    0 (unknown)     15.4 Watts
    1               4 Watts
    2               7 Watts
    3               15.4 Watts
    Priority: Displays the priority mode for each of the PoE ports. The priority options are:
    • ...
  • Page 64: Viewing Controller Configurations

    The Extreme Networks Wireless LAN Controller Management Software (WMS) is a recommended utility to plan the deployment of the controller and view its configuration once operational in the field. Extreme Networks WMS can help optimize the positioning and configuration of a controller (and its associated radios) in respect to a WLAN’s MU throughput requirements and can help detect rogue devices.
  • Page 65
    1 Select Controller > Configurations from the main menu tree. The following information is displayed in tabular format. Configuration files (with the exception of startup-config and running-config) can be edited, viewed in detail or deleted.
    Name: Displays the name of each existing configuration file.
    Displays the size (in bytes) of each available configuration file.
  • Page 66
    NOTE Selecting either the startup-config or running-config does not enable the Edit button. A different configuration must be available to enable the Edit function for the purposes of replacing the existing startup-config.
    4 To permanently remove a file from the list of configurations available to the controller, select a configuration file from the table and click the Delete button.
  • Page 67: Viewing The Detailed Contents Of A Config File

    Viewing the Detailed Contents of a Config File The View screen displays the entire contents of a configuration file. Extreme Networks recommends a file be reviewed carefully before it is selected from the Config Files screen for edit or designation as the controller startup configuration.
  • Page 68: Transferring A Config File

    4 Refer to the Status field for the current state of the requests made from the applet. Requests are any “SET/GET” operation from the applet. The Status field displays error messages if something goes wrong in the transaction between the applet and the controller.
    5 Click the Refresh button to get the most recent updated version of the configuration file.
  • Page 69: Viewing Controller Firmware Information

    6 Click the Abort button to cancel the file transfer process before it is complete. 7 Click the Close button to exit the Transfer screen and return to the Config Files screen. Once a file is transferred, there is nothing else to be saved within the Transfer screen. Viewing Controller Firmware Information The controller can store (retain) two software versions (primary and secondary).
  • Page 70: Editing The Controller Firmware

    Current Boot: A check mark within this column designates this version as the version used by the controller the last time it was booted. An “X” in this column means this version was not used the last time the controller was booted.
    Next Boot: A check mark within this column designates this version as the version to be used the next time the controller is booted.
  • Page 71: Enabling Global Settings For The Image Failover

    3 Select the checkbox to use this version on the next boot of the controller. 4 To edit the secondary image, select the secondary image, click the Edit button and select the Use this firmware on next reboot checkbox. This firmware version will now be invoked after the next reboot of the controller. 5 Refer to the Status field for the current state of the requests made from the applet.
  • Page 72
    1 Select an image from the table in the Firmware screen.
    2 Click the Update Firmware button.
    3 Use the From drop-down menu to specify the location from which the file is sent.
    4 Enter the name of the file containing the firmware update in the File text field. This is the file that will append the file currently in use.
  • Page 73: Controller File Management

    Controller File Management
    Use the File Management screen to transfer configuration files to and from the controller and review the files available.
    Transferring Files
    Use the Transfer Files screen to transfer files to and from the controller. Transferring configuration files off the controller is recommended so that copies are kept in a secure location; treat those copies as sensitive, since a configuration file carries the controller's credentials and keys.
  • Page 74: Transferring A File From Wireless Controller To Wireless Controller

    2 Refer to the Source field to specify the details of the source file.
    From: Use the drop-down menu to select the source file’s current location. The options include Wireless Controller and Server. The following transfer options are possible:
    • ...
  • Page 75: Transferring A File From A Wireless Controller To A Server

    4 Use the Browse button to define a location for the transferred file. 5 Click the Transfer button to complete the file transfer. 6 The Message section in the main menu area displays the file transfer message. 7 Click Abort at any time during the transfer process to abort the file transfer. Transferring a file from a Wireless Controller to a Server To transfer a file from the controller to a Server: 1 Refer to the Source field to specify the source file.
  • Page 76: Transferring A File From A Server To A Wireless Controller

    Controller Information 5 Enter the Password required to send the configuration file from an FTP server. 6 Specify the appropriate Path name to the target directory on the server. The target options are different depending on the target selected. 7 Click the Transfer button to complete the file transfer. The Message section in the main menu area displays the file transfer message.
  • Page 77: Viewing Files

    6 Specify the appropriate Path name to the target directory on the server. The Target options are different depending on the target selected. 7 Use the To drop-down menu (within the Target field) and select Wireless Controller. 8 Use the Browse button to browse and select the location to store the file marked for transfer. 9 Click the Transfer button to complete the file transfer.
  • Page 78: Configuring Automatic Updates

Controller Information 3 Refer to the following File Systems information. Name: Displays the memory locations available to the controller. Available: Displays the current status of the memory resource. By default, nvram and system are always available. • A green check indicates the device is currently connected to the controller and is available.
• Page 79 Enable this option for either the firmware, configuration file or cluster configuration file. Extreme Networks recommends leaving this setting disabled if a new file should be reviewed before the controller automatically loads it.
• Page 80 Controller Information Protocol: FTP, TFTP, HTTP, SFTP. Use the drop-down menu to specify the protocol, or the resident controller medium (FLASH), used for the file update from the server. FLASH is the default setting. Of the network protocols, only SFTP authenticates the server and protects the transfer; FTP, TFTP and HTTP provide neither, so an automatic update over them should be sourced only from a server on a trusted management network. Password: Enter the password required to access the server. NOTE In addition to the Protocols listed, on the Summit WM3700 users can also auto-update using USB or Compact...
  • Page 81: Viewing The Controller Alarm Log

    Viewing the Controller Alarm Log Use the Alarm Log screen as an initial snapshot for alarm log information. Expand alarms (as needed) for greater detail, delete alarms, acknowledge alarms or export alarm data to a user-specified location for archive and network performance analysis. To view controller alarm log information: 1 Select Controller >...
  • Page 82: Viewing Alarm Log Details

Controller Information Index: Displays the unique numerical identifier for trap events (alarms) generated in the system. Use the index to help differentiate an alarm from others with similar attributes. Status: Displays the current state of the requests made from the applet. Requests are any “SET/GET”...
  • Page 83: Viewing Controller Licenses

Description: Displays the details of the alarm log event. This information can be used in conjunction with the Solution and Possible Causes items to troubleshoot the event and determine how the event can be avoided in the future. Solution: Displays a possible solution to the alarm event. The solution should be attempted first to rectify the described problem.
  • Page 84: How To Use The Filter Option

Controller Information License Key: Enter the license key required to install a particular feature. The license key is returned when you supply the controller serial number to Extreme Networks support. Feature Name: Enter the name of the feature you wish to install/upgrade using the license.
  • Page 85: Chapter 5: Network Setup

    Network Setup This chapter describes the Network Setup menu information used to configure the controller. This chapter consists of the following controller Network configuration activities: Displaying the Network Interface on page 85 ● Viewing Network IP Information on page 87 ●...
• Page 86 Network Setup 1 Select Network from the main menu tree. 2 Refer to the following information to discern if configuration changes are warranted: DNS Servers: Displays the number of DNS Servers configured thus far for use with the controller. For more information, see “Viewing Network IP Information”...
  • Page 87: Viewing Network Ip Information

Viewing Network IP Information Use the Internet Protocol screen to view and configure network associated IP details. The Internet Protocol screen contains tabs supporting the following configuration activities: Configuring DNS ● Configuring IP Forwarding ● Viewing Address Resolution ● Configuring DNS Use the Domain Name System tab to view server address information and delete or add servers to the list of servers available.
• Page 88 Network Setup 2 Select the Domain Name System tab (displayed by default). Use the Show Filtering Options link to view the details displayed in the table. 3 The Domain Name System tab displays DNS details in a tabular format. Server IP Address: Displays the IP address of the domain name server(s) the system can use for resolving domain names to IP addresses.
  • Page 89: Adding An Ip Address For A Dns Server

Adding an IP Address for a DNS Server Add an IP address for a new domain name server using the Add screen. 1 Click the Add button within the Domain Name System screen. The new Configuration screen displays, enabling you to add an IP address for the DNS Server. 2 Enter the Server IP Address to define the IP address of the new static domain name server.
  • Page 90: Configuring Ip Forwarding

Network Setup NOTE The order of lookup is determined by the order of the servers within the Domain Name System tab. The first server queried is the first server displayed. 3 Enter a Domain Name in the text field. This is the controller’s domain. 4 Refer to the Status field for the current state of the requests made from the applet.
  • Page 91: Adding A New Static Route

The following details display in the table: Destination Subnet: Displays the destination network address the route entry applies to. Subnet Mask: Displays the mask used for destination subnet entries. The Subnet Mask is the IP mask used to divide internet addresses into blocks (known as subnets).
• Page 92 Network Setup 2 In the Destination Subnet field, enter an IP address to route packets to a specific destination address. 3 Enter a subnet mask for the destination subnet in the Subnet Mask field. The Subnet Mask is the IP mask used to divide internet addresses into blocks known as subnets. A value of 255.255.255.0 (a /24) covers 256 addresses, 254 of which are usable by hosts.
  • Page 93: Viewing Address Resolution

Viewing Address Resolution The Address Resolution table displays the mapping of layer three (IP) addresses to layer two (MAC) addresses. To view address resolution details: 1 Select Network > Internet Protocol from the main tree menu. 2 Select the Address Resolution tab. 3 Refer to the Address Resolution table for the following information: Interface: Displays the name of the actual interface where the IP...
  • Page 94: Viewing And Configuring Layer 2 Virtual Lans

Network Setup 4 Click the Clear button to remove the selected ARP entry if it is no longer usable. Viewing and Configuring Layer 2 Virtual LANs A virtual LAN (VLAN) is similar to a Local Area Network (LAN); however, devices do not need to be physically connected to the same segment.
  • Page 95: Editing The Details Of An Existing Vlan By Port

2 Refer to the following details within the table: Name: Displays the name of the VLAN to which the controller is currently connected. Mode: It can be either Access or Trunk. • Access – This Ethernet interface accepts packets only from the native VLANs.
  • Page 96: Viewing And Configuring Ports By Vlan

Network Setup 4 Use the Edit screen to modify the VLAN’s mode, access VLAN and allowed VLAN designation. 5 Use the Edit screen to modify the following: Name: A read-only field displaying the name of the Ethernet interface to which the VLAN is associated.
• Page 97 flexibility and enable changes to the network infrastructure without physically disconnecting network equipment. To view VLAN by Port information: 1 Select Network > Layer 2 Virtual LANs from the main menu tree. 2 Select the Ports by VLAN tab. VLAN details display within the VLANs by Port tab.
  • Page 98 Network Setup 3 Highlight an existing VLAN and click the Edit button. The system displays a Port VLAN Change Warning message. Be advised, changing VLAN designations could disrupt access to the controller. 4 Click OK to continue. A new window displays wherein the VLAN assignments can be modified for the selected VLAN.
  • Page 99: Configuring Controller Virtual Interfaces

Configuring Controller Virtual Interfaces A controller virtual interface (CVI) is required for layer 3 (IP) access to the controller or to provide layer 3 service on a VLAN. The CVI defines which IP address is associated with each VLAN ID the controller is connected to.
  • Page 100: Configuring The Virtual Interface

    Network Setup Configuring the Virtual Interface Use the Configuration screen to view and configure the virtual interface details. 1 Select Network > Controller Virtual Interface from the main tree menu. 2 Select the Configuration tab. The following configuration details display in the table: Displays the name of the virtual interface.
  • Page 101: Adding A Virtual Interface

Management Interface: A green checkmark within this column defines this VLAN as currently used by the controller. This designates the interface settings used for global controller settings in case of conflicts. For example, if multiple CVIs are configured with DHCP enabled on each, the controller could have multiple domain names assigned from different DHCP servers. The one assigned over the selected Management Interface would be the only one used by the controller.
  • Page 102 Network Setup 4 Enter the VLAN ID for the controller virtual interface. 5 Provide a Description for the VLAN, representative of the VLAN’s intended operation within the controller managed network. 6 The Primary IP Settings field consists of the following: a Select Use DHCP to obtain IP Address automatically to allow DHCP to provide the IP address for the virtual interface.
  • Page 103: Modifying A Virtual Interface

    Modifying a Virtual Interface To modify an existing virtual interface: CAUTION When changing from a default DHCP address to a fixed IP address, set a static route first. This is critical when the controller is being accessed from a subnet not directly connected to the controller and the default route was set from DHCP.
  • Page 104: Viewing Virtual Interface Statistics

Network Setup 9 Refer to the Status field for the current state of the requests made from the applet. This field displays error messages if something goes wrong in the transaction between the applet and the controller. 10 Click OK to use the changes to the running configuration and close the dialog. 11 Click Cancel to close the dialog without committing updates to the running configuration.
• Page 105 Packets In Dropped: Displays the number of dropped packets coming into the interface. Packets are dropped if: 1 The input queue for the hardware device/software module handling the interface definition is saturated/full. 2 Overruns occur when the interface receives packets faster than it can transfer them to a buffer.
  • Page 106: Viewing Virtual Interface Statistics

Network Setup Viewing Virtual Interface Statistics To view detailed virtual interface statistics: 1 Select a virtual interface from the Statistics tab. 2 Click the Details button. 3 The Interface Statistics screen displays with the following content: Name: Displays the title of the logical interface selected. Displays physical address information associated with the interface.
  • Page 107: Viewing The Virtual Interface Statistics Graph

Output Packets Dropped: Displays the number of transmitted packets dropped at the interface. Output Packets Dropped are packets dropped when the output queue of the physical device associated with the interface is saturated. Output Packets Error: Displays the number of transmitted packets with errors. Output Packet Errors are the sum of all the output packet errors, malformed packets and misaligned packets received on an interface.
• Page 108 Network Setup NOTE Only four parameters may be selected at any given time. 4 Refer to the Status field for the current state of the requests made from the applet. This field displays error messages if something goes wrong in the transaction between the applet and the controller. 5 Click Close to close the dialog.
  • Page 109: Viewing And Configuring Controller Wlans

Viewing and Configuring Controller WLANs A wireless LAN (WLAN) is a local area network (LAN) without wires. WLANs transfer data through the air using radio frequencies instead of cables. The WLAN screen displays a high-level overview of the WLANs created for the controller managed network. Use this data as necessary to review which WLANs are active, their VLAN assignments, updates to a WLAN’s description and their current authentication and encryption scheme. The Wireless LANs screen is partitioned into 5 tabs supporting the following configuration activities:...
• Page 110 Network Setup The Configuration tab displays the following details: Index: Displays the WLAN’s numerical identifier. The WLAN index range is from 1 to the maximum number of WLANs supported by the controller (32 for the WM3600 and 256 for the WM3700). An index can be helpful to differentiate a WLAN from other WLANs with similar configurations.
• Page 111 Encryption: Displays the type of wireless encryption used on the specified WLAN. When no encryption is used, the field displays none. Click the Edit button to modify the WLAN’s current encryption scheme. For information on configuring an encryption scheme for a WLAN, see “Configuring Different Encryption Types”...
• Page 112 Network Setup 8 Click the Global Settings button to display a screen with WLAN settings applying to all the WLANs on the system. Remember, changes made to any one value impact each WLAN. Click OK to save updates to the Global WLAN Settings screen. Click Cancel to disregard changes and revert back to the previous screen.
  • Page 113: Editing The Wlan Configuration

Manual mapping of WLANs: Use this option (it is selected by default) for custom WLAN to Radio mappings. When Advanced Configuration is disabled, the user cannot conduct Radio – WLAN mapping. Additionally, the user cannot enable WLANs with an index higher than 16. Once the Advanced Configuration option is enabled, the following conditions must be satisfied (to successfully disable it).
• Page 114 Network Setup 4 Click the Edit button. The Wireless LANs Edit screen is divided into the following user-configurable fields: Configuration ● Authentication ● Encryption ● Advanced ●
• Page 115 5 Refer to the Configuration field to define the following WLAN values: ESSID: Displays the Extended Service Set ID (ESSID) associated with each WLAN. If changing the ESSID, ensure the value used is unique. Description: If editing an existing WLAN, ensure its description is updated accordingly to best describe the intended function of the WLAN.
• Page 116 Network Setup WEP 64: Use the WEP 64 checkbox to enable the Wired Equivalent Privacy (WEP) protocol with a 40-bit key. WEP is available in two encryption modes: 40 bit (also called WEP 64) and 104 bit (also called WEP 128). The 104-bit mode uses a longer key and so withstands brute-force key guessing longer than the 40-bit mode, but neither key length protects against the well-known WEP key-recovery attacks, so enable WEP only for legacy clients that support nothing stronger.
• Page 117 MU to MU Traffic: Allows frames from one MU (where the destination MAC is that of another MU) to be switched to a second MU. Use the drop-down menu to select one of the following options: • Drop Packets – This restricts MU to MU communication based on the WLAN’s configuration. • Allow Packets –...
  • Page 118: Assigning Multiple Vlans Per Wlan

    Network Setup Assigning Multiple VLANs per WLAN The controller allows the mapping of a WLAN to more than one VLAN. When a MU associates with a WLAN, it is assigned a VLAN in such a way that users are load balanced across VLANs. The VLAN is assigned from the pool representative of the WLAN.
  • Page 119: Configuring Authentication Types

9 Refer to the Status field for the current state of the requests made from the applet. This field displays error messages if something goes wrong in the transaction between the applet and the controller. 10 Click OK to use the changes to the running configuration and close the dialog. 11 Click Cancel to close the dialog without committing updates to the running configuration.
  • Page 120 Network Setup The Radius Config... button on the bottom of the screen will become enabled. Ensure a primary and optional secondary Radius Server have been configured to authenticate users requesting access to the EAP 802.1x supported WLAN. For more information, see “Configuring External Radius Server Support”...
  • Page 121 hotspot access controller forces this un-authenticated user to a Welcome page from the hotspot Operator that allows the user to login with a username and password. This form of IP-Redirection requires no special software on the client. To configure a hotspot, create a WLAN ESSID and select Hotspot as the authentication scheme from the WLAN Authentication menu.
  • Page 122 Network Setup NOTE As part of the hotspot configuration process, ensure a primary and optional secondary Radius Server have been properly configured to authenticate the users requesting access to the hotspot supported WLAN. For more information on configuring Radius Server support for the hotspot supported WLAN, see “Configuring External Radius Server Support”...
  • Page 123 4 Click the Login tab and enter the title, header, footer Small Logo URL, Main Logo URL and Descriptive Text you would like to display when users login to the controller maintained hotspot. Displays the HTML text displayed on the Welcome page when using the Title Text controller’s internal Web server.
  • Page 124 Network Setup Specify any additional text containing instructions or information for the Descriptive Text users who access the Failed page. This option is only available if Internal is chosen from the drop-down menu above. The default text is: “Either the username and password are invalid, or service is unavailable at this time.”...
• Page 125 NOTE In multi-controller hotspot environments, if a single controller’s internal pages are configured for authentication on the other controllers, those controllers will redirect to their own internal pages instead. In these environments it is recommended to use an external server for all of the controllers. 8 Check the Use System Name in Hotspot URL to use the System Name specified on the main Controller configuration screen as part of the hotspot address.
  • Page 126 Network Setup 3 Select the Hotspot button from within the Authentication field. Ensure External is selected from within the This WLAN’s Web Pages are of the drop-down menu. 4 Refer to the External Web Pages field and provide the Login, Welcome and Failed Page URLs used by the external Web server to support the hotspot.
• Page 127 Failed Page URL: Define the complete URL for the location of the Failed page. The Failed page assumes the hotspot authentication attempt has failed, the user is not allowed to access the Internet and must provide correct login information to access the Web. Ensure the port number of the Web server hosting the page is included in the URL, using the following format: http://192.168.0.70:444/wlan2/login.html NOTE...
  • Page 128 Network Setup To use the Advanced option to define the hotspot: 1 Select Network > Wireless LANs from the main menu tree. 2 Select an existing WLAN from those displayed within the Configuration tab. 3 Click the Edit button. 4 Select the Hotspot button from within the Authentication field. Ensure Advanced is selected from within the This WLAN’s Web Pages are of the drop-down menu.
  • Page 129 a Specify a source hotspot configuration file. The file used at startup automatically displays within the File parameter. b Refer to the Using drop-down menu to configure whether the hotspot file transfer is conducted using FTP or TFTP. c Enter the IP Address of the server or system receiving the source hotspot configuration. Ensure the IP address is valid or risk jeopardizing the success of the file transfer.
• Page 130 Network Setup 6 Ensure Advanced is selected from within the This WLAN’s Web Pages are of the drop-down menu. Define the advanced hotspot configuration following step 5 onward in “Configuring an Advanced Hotspot” on page 127. NOTE For information on configuring external Radius server support for an advanced hotspot, see “Configuring External Radius Server Support”...
• Page 131
policy vlan 70
policy wlan 2
radius-server local
rad-user "guest" password 0 password group "Guests" guest expiry-time 20:27 expiry-date 11:17:2009 start-time 20:27 start-date 11:16:2008
Managing Hotspot Files. When creating a new hotspot, the controller builds a directory in flash named hotspot with a subdirectory named wlan X (where X is the WLAN ID).
• Page 132 Network Setup
-rw- 2688 Wed Sep 24 12:21:50 2008 mainstyle.css
-rw- 2608 Wed Sep 24 12:38:15 2008 login.html
Custom Pages. The critical required components for a customized login, welcome and failed page include: Login Page. The login.html page is presented to all unauthenticated users when they connect to the hotspot.
  • Page 133 To configure the format of MAC addresses used in MAC Authentications: 1 Select Network > Wireless LANs from the main menu tree. 2 Select an existing WLAN from those displayed within the Configuration tab. 3 Click the Edit button. 4 Select the MAC Authentication button from within the Authentication field. This enables the Radius button at the bottom of the Network >...
  • Page 134 To configure an external Radius Server for EAP 802.1x, Hotspot or Dynamic MAC ACL WLAN support: NOTE To optimally use an external Radius Server with the controller, Extreme Networks recommends defining specific external Server attributes to best utilize user privilege values for specific controller permissions. For information on defining the external Radius Server configuration, see “Configuring an External Radius Server for Optimal Controller...
  • Page 135 The Radius Configuration screen contains tabs for defining both the Radius and NAC server settings. For NAC overview and configuration information, see “Configuring NAC Server Support” on page 138. 6 Refer to the Server field and define the following credentials for a primary and secondary Radius server.
• Page 136 Network Setup RADIUS Server Address: Enter the IP address of the primary and secondary server acting as the Radius user authentication data source. RADIUS Port: Enter the UDP port number for the primary and secondary server acting as the Radius user authentication data source (RADIUS authentication runs over UDP, not TCP). The default port is 1812. RADIUS Shared Secret: Provide a shared secret (password) for user credential authentication with the primary or secondary Radius server.
  • Page 137 Configuring an External Radius Server for Optimal Controller Support. The controller’s external Radius Server should be configured with Extreme Networks wireless LAN controller specific attributes to best utilize the user privilege values assignable by the Radius Server. The following two values should be...
• Page 138 Network Setup b Set the Telnet Access value to 64 (user is allowed login privileges only from a Telnet session). c Set the SSH Access value to 32 (user is allowed login privileges only from an SSH session). d Set the Web Access value to 16 (user is allowed login privileges only from the Web/applet). 3 Specify multiple access sources by combining the values; they are bit flags, so for example 48 (32 + 16) grants both SSH and Web access. Telnet carries credentials in the clear, so avoid granting the 64 flag where SSH is available.
  • Page 140: Configuring Different Encryption Types

Network Setup 7 Refer to the Server field and define the following credentials for a primary and secondary NAC server. NAC Server Address: Enter the IP address of the primary and secondary NAC server. NAC Server Port: Enter the UDP port number for the primary and secondary server (the NAC server is addressed as a RADIUS server). The default port is 1812.
• Page 141 5 Specify a 4 to 32 character Pass Key and click the Generate button. The pass key can be any alphanumeric string. The controller, other proprietary routers and the Motorola MUs supported by the Summit WM3000 series controller use the same algorithm to convert an ASCII string to the same hexadecimal number. Because the keys are derived deterministically from the pass key, the pass key is the real secret: a short or guessable pass key weakens the resulting WEP keys regardless of their length.
• Page 142 Network Setup Configuring WEP 128. WEP 128 uses a longer key (104 bits) and a longer pass key than WEP 64, which makes a replicated key harder to brute-force. Note, however, that both WEP key lengths are vulnerable to the well-known WEP key-recovery attacks, so WEP 128 should be regarded only as a legacy option for clients that cannot use a stronger scheme. To configure WEP 128: 1 Select Network >...
• Page 143 Default (hexadecimal) keys for WEP 128 include: Key 1: 101112131415161718191A1B1C, Key 2: 202122232425262728292A2B2C, Key 3: 303132333435363738393A3B3C, Key 4: 404142434445464748494A4B4C. 7 If you feel it necessary to restore the WEP algorithm back to its default settings, click the Restore Default WEP Keys button. Note that these default keys are printed in this guide and therefore provide no confidentiality; if you suspect the keys currently in use have been compromised, generate new keys rather than restoring the defaults.
• Page 144 Network Setup 5 Select the Broadcast Key Rotation checkbox to periodically change the broadcast key for this WLAN. Only the broadcast key is rotated, and only when required by associated MUs, which limits how often sensitive key material is transmitted. This option is enabled by default. 6 Refer to the Update broadcast keys every field to specify a time period (in seconds) for broadcasting encryption-key changes to MUs.
  • Page 145: Viewing Wlan Statistics

● 1011121314151617 ● 18191A1B1C1D1E1F ● 2021222324252627 ● 28292A2B2C2D2E2F 8 Refer to the Status field for the current state of the requests made from the applet. This field displays error messages if something goes wrong in the transaction between the applet and the controller. 9 Click OK to use the changes to the running configuration and close the dialog.
• Page 146 Network Setup Last 30s: Click the Last 30s radio button to display statistics for the WLAN over the last 30 seconds. This option is helpful when troubleshooting issues as they actually occur. Last Hr: Click the Last Hr radio button to display statistics for the WLAN over the last hour.
  • Page 147: Viewing Wlan Statistics In Detail

    7 To view WLAN packet data rates and retry counts, select a WLAN and click the Controller Statistics button. For more information, see “Viewing WLAN Controller Statistics” on page 150. Viewing WLAN Statistics in Detail When the WLAN Statistics screen does not supply adequate information for an individual WLAN, the Details screen is recommended for displaying more granular information for a single WLAN.
• Page 148 Network Setup VLAN: Displays the name of the VLAN the WLAN is associated with. Num Associated MUs: Displays the total number of MUs currently associated with the selected WLAN. Authentication Type: Displays the authentication method deployed on the WLAN. Encryption Type: Displays the encryption type deployed on the selected WLAN. Displays the radios adopted by the selected WLAN.
  • Page 149: Viewing Wlan Statistics In A Graphical Format

8 Refer to the Status field for the current state of the requests made from the applet. This field displays error messages if something goes wrong in the transaction between the applet and the controller. 9 Click OK to use the changes to the running configuration and close the dialog. 10 Click Cancel to close the dialog without committing updates to the running configuration.
  • Page 150: Viewing Wlan Controller Statistics

Network Setup ● Pkts per sec ● Throughput (Mbps) ● Avg Bits per sec ● Avg Signal (dBm) ● Dropped Pkts ● TX Pkts per sec ● TX Tput (Mbps) ● NUcast Pkts ● Avg Noise (dBm) ● Undecr Pkts ● RX Pkts per sec ●...
• Page 151 Extreme Networks WMS can help optimize the positioning and configuration of a controller in respect to a WLAN’s MU throughput requirements. For more information, refer to the Extreme Networks Web site. 5 Refer to the Retry Counts field to review the number of packets requiring retransmission from the controller.
  • Page 152: Configuring Wmm

    Network Setup Configuring WMM Use the WMM tab to review a WLAN’s current index (numerical identifier), SSID, description, current enabled/disabled designation, and Access Category. To view existing WMM Settings: 1 Select Network > Wireless LANs from the main menu tree. 2 Click the WMM tab.
• Page 153 Access Category: Displays the Access Category for the intended radio traffic. Access Categories are the different WLAN-WMM options available. The four Access Category types are: • Background — Optimized for background traffic • Best-effort — Optimized for best effort traffic • Video •...
• Page 154 Network Setup With a drastic increase in bandwidth-absorbing network traffic (VOIP, multimedia etc.), data prioritization is critical to effective network management. Refer to the following fields within the QoS Mapping screen to optionally revise the existing settings with respect to the data traffic requirements for this WLAN.
  • Page 155: Editing Wmm Settings

DSCP to Access Category: Set the access category accordingly with respect to its DSCP importance for this WLAN’s target network traffic. Differentiated Services Code Point (DSCP) is a field in an IP packet that enables different levels of service to be assigned to network traffic. This is achieved by marking each packet on the network with a DSCP code and appropriating to it the corresponding level of service or priority. Bear in mind that the DSCP value is set by the sender, so on a WLAN whose clients are not trusted (a guest hotspot, for instance) a client can mark its own traffic to claim the Voice or Video queue; map such WLANs conservatively.
  • Page 156: Configuring The Nac Inclusion List

Network Setup SSID: Displays the Service Set ID (SSID) associated with the selected WMM index. This SSID is read-only and cannot be modified within this screen. Access Category: Displays the Access Category for the intended radio traffic. The Access Categories are the different WLAN-WMM options available to the radio. The four Access Category types are: Background - •...
  • Page 157 NAC Agent – NAC support is added in the controller to allow the controller to communicate with a ● LAN enforcer (a laptop with a NAC agent installed). No NAC Agent – NAC support is achieved using an exclude list. For more information, see ●...
  • Page 158: Adding An Include List To A Wlan

    Network Setup 4 Use the Add button (within the List Configuration field) to add more than one device to the WLAN. You can create 32 lists (both include and exclude combined together) and 64 MAC entries per list. For more information, see “Configuring Devices on the Include List”...
  • Page 159: Mapping Include List Items To Wlans

    The List Name field displays the name of the device list used. This parameter is read-only. 4 Enter the Host Name for the device you wish to add. 5 Enter a valid MAC Address of the device you wish to add. 6 Optionally, enter the MAC Mask for the device you wish to add.
  • Page 160: Configuring The Nac Exclusion List

    The controller provides a means to bypass NAC for 802.1x devices without a NAC agent. For Motorola handheld devices (like the MC9000) which are supported by the Extreme Networks Summit WM3000 series controller, authentication is achieved using an exclusion list.
• Page 161 Whenever a host entry is added to or deleted from the list, the associated WLAN is updated and its MUs are deauthenticated. A de-authenticated MU can re-authenticate once it receives the de-authentication information from the WLAN. For a NAC configuration example using the controller CLI, see “NAC Configuration Examples Using the Controller CLI”...
  • Page 162: Adding An Exclude List To The Wlan

    7 Use the Edit button to modify device parameters. 8 To delete a list configuration for a device, select a row from the List Configuration field and click the Delete button. Adding an Exclude List to the WLAN To exclude a device from a WLAN: 1 Select Network >...
  • Page 163: Mapping Exclude List Items To Wlans

    4 The List Name displays the read-only name of the list for which you wish to add more devices. 5 Enter the Host Name for the device you wish to add for the selected exclude list. 6 Enter a valid MAC Address for the device you wish to add. 7 Optionally, enter the MAC Mask for the device you wish to add.
  • Page 164: Nac Configuration Examples Using The Controller Cli

    The following are NAC include list, exclude list and WLAN configuration examples using the controller CLI: Creating an Include List Since few devices require NAC, Extreme Networks recommends using the "bypass-nac-except-include-list" option. Refer to the commands below to create a NAC Include List: 1 Create a NAC include list.
  • Page 165: Creating An Exclude List

    WLANController(config-wireless-client-list) # NOTE The CLI prompt changes from (config-wireless) to (config-wireless-client-list). 2 Add a host entry to the include list. This adds a specified MAC entry/MAC range into the client’s include list. WLANController(config-wireless-client-list) #station pc1 AA:BB:CC:DD:EE:FF WLANController(config-wireless-client-list) # 3 Associate the include list to a WLAN. This adds the client’s include list into the WLAN. WLANController(config-wireless-client-list) #wlan 1 WLANController(config-wireless-client-list) # Creating an Exclude List...
  • Page 166: Viewing Associated Mu Details

    NOTE Configure the secondary NAC server for redundancy. c Configure the secondary NAC server’s IP address. WLANController(config-wireless) #wlan 1 nac-server secondary 192.168.1.20 WLANController(config-wireless) # d Configure the secondary NAC Server’s Radius Key. WLANController(config-wireless) #wlan 1 nac-server secondary radius-key my secret-2 WLANController(config-wireless) # 3 MUs not NAC authenticated use Radius for authentication.
  • Page 167: Viewing Mu Status

    The Extreme Networks wireless LAN controller management software is a recommended utility to plan the deployment of the controller and view its configuration once operational. Extreme Networks WMS can help optimize controller positioning and configuration with respect to a WLAN’s MU throughput requirements and can help detect rogue devices.
  • Page 168 MAC Address: Each MU has a unique Media Access Control (MAC) address through which it is identified. This address is burned into the ROM of the MU. MAC Name: Displays the MAC name associated with each MU's MAC Address. The MAC Name is a user created name used to identify individual mobile unit MAC Addresses with a user friendly name.
  • Page 169: Viewing Mu Details

    Viewing MU Details The MU Details screen displays read-only MU transmit and receive statistics. To view MU Details: 1 Select Network > Mobile Units from the main menu tree. 2 Click the Status tab. 3 Select an MU from the table in the Status screen and click the Details button. 4 Refer to the following read-only MU transmit and receive statistics: MAC Address: Displays the Hardware or Media Access Control (MAC) address for the...
  • Page 170: Configuring Mobile Units

    Radio Type: Displays the radio type used by the adopted MU. The controller supports 802.11b MUs as well as 802.11 a/b and 802.11 a/g dual-radio MUs. The radio also supports 802.11a only and 802.11g MUs. Base Radio MAC: Displays the SSID of the Access Point when initially adopted by the controller.
  • Page 171: Mac Naming Of Mobile Units

    MAC Name: The MAC Name is a user created name used to identify individual mobile unit MAC Addresses with a user friendly name. To edit an existing entry, double click the MAC Name and type in the new name. 4 When using clustering and the Cluster GUI feature is enabled, a drop-down menu will be available to select which cluster members’...
  • Page 172 To view MU statistics details: 1 Select Network > Mobile Units from the main menu tree. 2 Click the Statistics tab. 3 Select the Last 30s checkbox to display MU statistics gathered over the last 30 seconds. This option is helpful for assessing MU performance trends in real-time.
  • Page 173: Viewing Mu Statistics In Detail

    Throughput Mbps: Displays the average throughput in Mbps between the selected MU and the Access Point. The Rx column displays the average throughput in Mbps for packets received on the selected MU from the Access Point. The Tx column displays the average throughput for packets sent on the selected MU from the Access Point.
  • Page 174: View A Mu Statistics Graph

    5 Refer to the Traffic field for the following information: Pkts per second: Displays the average packets per second received by the MU. The Rx column displays the average packets per second received on the selected MU. The Tx column displays the average packets per second sent on the selected MU.
  • Page 175: Viewing Voice Statistics

    6 Click Close to close the dialog without committing updates to the running configuration. Viewing Voice Statistics The Voice Statistics screen displays read-only voice data statistics for each MU. Use this information to assess if configuration changes are required to improve MU voice quality. If a more detailed set of voice statistics is required, select a call index from the table and click the Details button.
  • Page 176: Viewing Access Point Information

    Call State: Displays the call state of the MU’s call session. Call Codec: Displays the call codec. Codec complexity refers to the amount of processing required to perform compression. Codec complexity affects the number of calls that can take place. Displays the average call quality using the R Factor scale.
  • Page 177: Configuring Access Point Radios

    The Extreme Networks wireless LAN controller management software is a recommended utility to plan the deployment of the controller and view its configuration once operational. Extreme Networks WMS can help optimize the positioning and configuration of a controller and Access Points with respect to a WLAN’s MU throughput requirements.
  • Page 178 Description: Displays a user assigned name for the radio. AP Type: Displays the type of Access Point detected. The controllers support Extreme Networks AP35XX model Access Points. Type: Use the Type to identify whether the radio is an 802.11a radio or an 802.11bg radio.
  • Page 179 MAC Address: The Base Radio MAC is the radio's first MAC address when it is adopted by the Controller. State: Displays the radio’s current operational mode. If the radio is set as a Detector AP, the state is "Detector", otherwise the state is "Normal". VLAN: Displays the name of the VLAN currently used with each Access Point radio.
  • Page 180: Configuring An Ap Radio's Global Settings

    6 Click the Edit button to launch a screen used to configure radio specific parameters. For more information, see “Editing AP Settings” on page 182. 7 Click the Delete button to remove a radio. However, before a radio can be removed, the radio’s BSS mapping must be removed.
  • Page 181 To define a radio as preferred, the Access Point preference ID should be the same as the adoption preference ID. The adoption preference ID is used for AP load-balancing. A controller will preferentially adopt Access Points having the same adoption-preference-id as the controller itself. The Adoption Preference ID defines the controller preference ID.
  • Page 182: Editing Ap Settings

    Editing AP Settings The Edit screen provides a means of modifying the properties of an existing radio. This is often necessary when the radio’s intended function has changed and its name needs modification or if the radio now needs to be defined as a detector radio. The Edit screen also enables you to modify placement, channel and power settings as well as a set of advanced properties in case its transmit and receive capabilities need to be adjusted.
  • Page 183 Setting this radio as a detector dedicates the radio to detect rogue APs on the network. Dedicated detectors do not connect to clients. NOTE If the radio adoption default settings for both 802.11a and 802.11bg radios are set to detector, both radios will be configured as a detector.
  • Page 184 proximity of other Access Points. Overlapping RF coverage may cause lost packets and problems for roaming devices trying to connect to an Access Point. After setting a power level, channel and placement, the RF output power for the Access Point is displayed in mW. The default is 20 dBm. NOTE After setting a power level, channel and placement, the RF output power for the Access Point displays in mW.
  • Page 185 RTS Threshold: Specify a Request To Send (RTS) threshold (in bytes) for use by the WLAN's adopted Access Points. RTS is a transmitting station's signal that requests a Clear To Send (CTS) response from a receiving station. This RTS/CTS procedure clears the air where many MUs are contending for transmission time.
  • Page 186 15 Refer to the Status field for the current state of the requests made from the applet. This field displays error messages if something goes wrong in the transaction between the applet and the controller. 16 If clustering is configured and the Cluster GUI feature is enabled, the Apply to Cluster feature will be available.
  • Page 187: Adding Aps

    4 Click the Clear all rates button to uncheck all of the Basic and Supported rates. 5 Refer to the Status field for the current state of the requests made from the applet. This field displays error messages if something goes wrong in the transaction between the applet and the controller. 6 Click OK to commit the changes to the running configuration and close the dialog.
  • Page 188: Defining The Ap Radios Mesh Configuration

    6 From the Radio Settings section, select the radio type checkboxes corresponding to the type of AP radio used. Available radio types are dependent on the AP Type selected above. 7 Enter a numerical value in the Radio Index field for each selected radio. The Radio Index is a numerical value assigned to the radio as a unique identifier.
  • Page 189: Viewing Ap Statistics

    Mesh Network Name: If the Client Bridge checkbox has been selected, enter a Mesh Network Name to define the WLAN (ESS) the client bridge uses to establish a wireless link. Extreme Networks recommends creating (and naming) a WLAN specifically for mesh networking support to differentiate the Mesh supported WLAN from non-Mesh supported WLANs.
  • Page 190 3 To select the time frame for the radio statistics, select either Last 30s or Last Hr above the statistics table. ● Select the Last 30s radio button to display statistics for the last 30 seconds for the radio. ...
  • Page 191: Viewing Ap Statistics In Detail

    Retries: Displays the average number of retries for all MUs associated with the selected radio. 5 Select a radio from those displayed and click the Details button for additional radio information in raw data format. For more information, see “Viewing AP Statistics in Detail” on page 191.
  • Page 192 Radio Type: Displays the radio type of this AP. Available types are: • 802.11a • 802.11an • 802.11bg • 802.11bgn Current Channel: Displays the channel on which the Access Point is currently passing traffic. If the channel is displayed in red, it means the configured channel does not match the current channel.
  • Page 193: Viewing Ap Statistics In Graphical Format

    % Gave Up Pkts: Displays the percentage of packets the controller gave up on for all MUs associated with the selected radio. The number in black represents this statistic for the last 30 seconds and the number in blue represents this statistic for the last hour.
  • Page 194: Configuring Wlan Assignment

    Configuring WLAN Assignment The WLAN Assignment tab displays a high-level description of the radio. It also displays the radio’s WLAN and BSSID assignments on a panel on the right-hand side of the screen. To view existing WLAN Assignments: 1 Select Network >...
  • Page 195 1 Select Network > Access Point Radios from the main menu tree. 2 Click the WLAN Assignment tab. 3 Select a radio from the table and click the Edit button. The Select Radio/BSS field displays the WLANs associated to each of the BSSIDs used by the radios within the radio table.
  • Page 196: Configuring Wmm

    Configuring WMM Use the WMM tab to review each radio’s current index (numerical identifier), the Access Category that defines the data type (Video, Voice, Best Effort and Background) as well as the transmit intervals defined for the target access category. To view existing WMM Settings: 1 Select Network >...
  • Page 197: Editing Wmm Settings

    4 Select a radio and click the Edit button (at the bottom of the screen) to modify its properties. For more information, see “Editing WMM Settings” on page 197. Editing WMM Settings Use the Edit screen to modify a WMM profile's properties (AIFSN, Tx Op, CW Min and CW Max). Modifying these properties may be necessary as Access Categories are changed and transmit intervals need to be adjusted to compensate for larger data packets and contention windows.
  • Page 198: Configuring Access Point Radio Bandwidth

    The ECW Max is combined with the ECW Min to make the Contention Window. From this range, a random number is selected for the backoff mechanism. Lower values are used for higher priority (video or voice) traffic. 8 Refer to the Status field for the current state of the requests made from the applet.
  • Page 199 3 Click the Last 30s radio button to display Mesh statistics for the last 30 seconds. This option is helpful when troubleshooting issues as they actually occur. 4 Click the Last Hr radio button to display Mesh statistics for the last 1 hour. This metric is helpful in baselining events over a one hour interval.
  • Page 200: Voice Statistics

    % Non-UNI: The percentage of the total packets for the selected radio that are non-unicast packets. Non-unicast packets include broadcast and multicast packets. Retries: Displays the total number of retries for each Access Point. 6 Select a mesh index from amongst those displayed and select the Details button for additional (more granular) information on the mesh index selected.
  • Page 201 Description: Displays the names assigned to each of the APs. The AP name can be configured on the Access Point Radios Configuration page. Type: Displays the radio type of the corresponding APs. Available types are: • 802.11a • 802.11an • 802.11bg •...
  • Page 202: Viewing Access Point Adoption Defaults

    ● And / Or - Use the And/Or drop down list to expand the selection criteria. Up to two selection criteria are supported. ● Filter Entire Table - Click Filter Entire Table to apply the filtering criteria on the information being ...
  • Page 203 3 Refer to the following information as displayed within the Configuration tab: Type: Displays whether the radio is an 802.11a radio or an 802.11bg model radio. Placement: Displays the default placement when a radio auto-adopts and takes on the default settings. Options include Indoor or Outdoor. Default is Indoor. Channel: Displays the default channel when a radio auto-adopts and takes on the default settings.
  • Page 204: Editing Default Access Point Adoption Settings

    CAUTION An Access Point is required to have a DHCP provided IP address before attempting layer 3 adoption, otherwise it will not work. Additionally, the Access Point must be able to find the IP addresses of the controllers on the network.
  • Page 205 The Properties field displays the Model family for the selected Access Point. The Model is read only and cannot be modified. The Radio Type displays the radio type (802.11a or 802.11bg). This value is read only and cannot be modified. 5 To use this radio as a detector to identify rogue APs on your network, check the box titled Dedicate this AP as Detector AP.
  • Page 206 The optimal power level for the specified channel is best determined by a site survey prior to installation. Available settings are determined according to the selected channel. Set a higher power level to ensure RF coverage in WLAN environments that have more electromagnetic interference or greater distances between the Access Point and MUs.
  • Page 207 RTS Threshold: Specify a Request To Send (RTS) threshold (in bytes) for use by the WLAN's adopted Access Points. RTS is a transmitting station's signal that requests a Clear To Send (CTS) response from a receiving station. This RTS/CTS procedure clears the air where many MUs (or nodes) are contending for transmission time.
  • Page 208 12 Refer to the Status field for the current state of the requests made from the applet. This field displays error messages if something goes wrong in the transaction between the applet and the controller. 13 Click OK to commit the changes to the running configuration and close the dialog. 14 Click Cancel to close the dialog without committing updates to the running configuration.
  • Page 209: Configuring Wlan Assignment

    Supported Rates allow an 802.11 network to specify the data rate it supports. When a station attempts to join the network, it checks the data rate used on the network. If a rate is selected as a basic rate it is automatically selected as a supported rate. 4 Click the Clear all rates button to uncheck all of the Basic and Supported rates.
  • Page 210: Configuring Wmm

    5 Refer to the Select/Change Assigned WLAN field for the following information: Primary WLAN: If a specific BSS was selected from the Select Radio/BSS area, choose one of the selected WLANs from the drop-down menu as the primary WLAN for the BSS.
  • Page 211: Editing Access Point Adoption Wmm Settings

    3 Refer to the WMM table for the following information: AP Type: Displays whether the radio is an 802.11a radio or an 802.11bg radio. This value is read-only and cannot be modified. Access Category: Displays the Access Category currently in use. There are four categories: Video, Voice, Best Effort and Background.
  • Page 212: Configuring Access Points

    1 Select Network Setup > Adoption Defaults from the main menu tree. 2 Click the WMM tab. 3 Select a radio from the table and click the Edit button. The AP Type identifies whether the radio is an 802.11a radio or an 802.11bg radio. This value is read-only and cannot be modified.
  • Page 213 1 Select Network > Access Point from the main menu tree. 2 Click the Adopted AP tab. 3 Refer to the Adopted AP screen for the following information: MAC Address: Displays the radio's first MAC address when it is adopted by the controller.
  • Page 214: Viewing Unadopted Access Points

    4 When using clustering and the Cluster GUI feature is enabled, a drop-down menu will be available to select which cluster members’ APs are displayed. To view APs from all cluster members, select All from the drop-down menu. To view AP radios from a specific cluster member, select that member’s IP address from the drop-down menu.
  • Page 215: Configuring Ap Firmware

    CAUTION An Access Point is required to have a DHCP provided IP address before attempting layer 3 adoption, otherwise it will not work. Additionally, the Access Point must be able to find the IP addresses of the controllers on the network.
  • Page 216: Adding A New Ap Firmware Image

    1 Enable or disable AP Automatic Updates. AAP Automatic Update: Check this box to enable automatic updates of Access Point firmware when an Access Point associates with the controller. The AP image files used for automatic update are specified in the AP Image Upload Table below.
  • Page 217: Editing An Existing Ap Firmware Image

    4 Specify the AP Image Type. 5 Specify the AP Image File. You can browse the controller file systems using the browser icon. AP images must be on the flash, system, nvram or usb file systems in order for them to be selected. 6 Click the OK button to save the changes and return to the AP Firmware tab.
  • Page 218: Configuring A Bridge

    architecture provides multiple forwarding links for data traffic and load balancing and, therefore, reduces the number of spanning-tree instances required to support a large number of VLANs. Using MSTP, the network can be divided into regions. All controllers within a region use the same VLAN to instance mapping.
  • Page 219 To configure the MSTP bridge: 1 Select Network > Multiple Spanning Tree from the main menu tree. 2 Select the Bridge tab (should be the displayed tab by default). 3 Refer to the MSTP Parameter field to view or set the following: Use the drop-down menu to define MSTP status.
  • Page 220 MST Config. Name: Enter a name for the MST region. This is used when configuring multiple regions within the network. Each controller running MSTP is configured with a unique MST region name. This helps when keeping track of MSTP configuration changes.
  • Page 221: Viewing And Configuring Bridge Instance Details

    CIST Bridge Forward Delay: Enter the CIST bridge forward delay value received from the root bridge. If this is the root bridge, the value will be equal to the Configured Forward Delay. The forward delay value is the maximum time (in seconds) the root device waits before changing states (from a listening state to a learning state to a forwarding state).
  • Page 222 The Bridge Instance tab displays the following: Displays the ID of the MSTP instance. Bridge Priority: Displays the bridge priority for the associated instance. The Bridge Priority is assigned to an individual bridge based on whether it is selected as the root bridge. The lower the priority, the greater the likelihood of the bridge becoming the root for this instance.
  • Page 223: Creating A Bridge Instance

    Creating a Bridge Instance To create a VLAN instance and associate it with a bridge as a numerical identifier: 1 Select Network > Multiple Spanning Tree from the main menu tree. 2 Select the Bridge Instance tab. 3 Click the Add button. 4 Enter a value between 1 and 15 as the Instance ID.
  • Page 224: Configuring A Port

    Configuring a Port Use the Port tab to view and configure MSTP port parameters, including enabling/disabling the spanning tree algorithm on one or more ports (displaying the designated bridge and port/root information). To view and configure MSTP port details: 1 Select Network >...
  • Page 225 Guard Root: Displays whether the listed port index enforces root bridge placement. The guard root ensures the port is a designated port. Typically, each guard root port is a designated port, unless two or more ports (within the root bridge) are connected together. If the bridge receives superior BPDUs on a guard root-enabled port, the guard root moves the port to a root-inconsistent STP state.
  • Page 226: Editing A Mstp Port Configuration

    Designated Port: Defines the port connection used to send and receive packets. By having only one designated port per segment, all looping issues should be resolved. Once the designated port has been selected, any other ports that connect to that segment become non-designated ports and block traffic from taking the defined path.
  • Page 227 1 Select a row from the port table and click the Edit button. The following MSTP Port parameters can be reconfigured. Port Index: Displays the read-only Port Index. Admin MAC Enable: Displays the status of the Admin MAC Enable. A green check mark indicates the status as enabled.
  • Page 228: Viewing And Configuring Port Instance Details

    Port Path Cost: Displays the path cost for the specified port index. The default path cost depends on the speed of the interface (Speed / Default path cost): <=100000 bits/sec / 200000000; <=1000000 bits/sec / 20000000; <=10000000 bits/sec / 2000000; <=100000000 bits/sec / 200000...
  • Page 229 The Port Instance table displays the following: Displays the instance ID. Index: Displays the port index. State: Displays the MSTP state for the port for that instance. Role: Displays the MSTP state of the port. Internal Root Cost: Displays the Internal Root Cost of a path associated with an interface. The lower the path cost, the greater the likelihood of the interface becoming the root.
  • Page 230: Editing A Port Instance Configuration

    Editing a Port Instance Configuration To edit and reconfigure Port Instance parameters: 1 Select a row from the port table and click the Edit button. Most of the MSTP Port Instance parameters can be reconfigured, as indicated below. Instance ID: Read-only indicator of the instance ID used as a basis for other Port Instance modifications.
  • Page 231: Igmp Snooping Configuration

    IGMP snooping allows the controller to manage multicast traffic based on groups of IGMP hosts on a per-portal basis. IGMP snooping keeps track of hosts interested in a multicast group and the portal each host is associated with, and forwards multicast packets to the portal on which the host is connected. In the case of IP multicast traffic, an IGMP supported controller provides the benefit of conserving bandwidth on those network segments where no node has expressed interest in receiving packets addressed to the group address.
  • Page 232 5 Select Apply to save the changes to the Snoop Enable and Unknown Multicast Forward options. 6 Review the following to discern whether an existing snoop configuration requires revision. Vlan Index: Lists the VLAN interfaces upon which snooping and unknown multicast forward is enabled or disabled. Displays whether IGMP snooping is enabled/disabled on the VLAN Index...
  • Page 233: Igmp Snoop Querier Configuration

    8 Select OK to save the edits to the IGMP configuration. Selecting Cancel reverts the IGMP snooping configuration to its previous settings. IGMP Snoop Querier Configuration The IGMP snoop querier functionality is used in the absence of a multicast router in networks where there is a multicast streaming server and multicast listener hosts, but no IGMP querier.
  • Page 234 3 Refer to the Igmp Snoop Querier Global Config field and define the following values; once enabled, these values display within the Igmp Snoop Querier Vlan Config field: Max Response Time: Defines the maximum response time for the controller to receive a report. If the controller does not receive a report, it discards this port.
  • Page 235 4 Select Apply to save the changes to the Igmp Snoop Querier Global Config options. 5 Optionally, select a VLAN Index from amongst those listed, and select Edit to revise the following parameters: Enable: Select the enable checkbox to use this IGMP snoop querier configuration with the VLAN listed.
  • Page 236 6 Select OK to save the edits to the configuration. Selecting Cancel reverts the configuration to its previous settings. Summit WM3000 Series Controller System Reference Guide...
  • Page 237: Chapter 6: Controller Services

    Controller Services This chapter describes the Services main menu information available for the following controller configuration activities: ● Displaying the Services Interface on page 237 ● DHCP Server Settings on page 238 ● Configuring Secure NTP on page 259 ● Configuring Controller Redundancy and Clustering on page 270 ●...
  • Page 238: Dhcp Server Settings

    NTP Time Management: Displays whether time management is currently enabled or disabled. Network Time Protocol (NTP) manages time and/or network clock synchronization within the controller managed network. NTP is a client/server implementation. Redundancy Service: Displays whether Redundancy is currently enabled or disabled. One or more controllers can be configured as members of a redundancy group to significantly reduce the chance of a disruption in service to WLANs and...
  • Page 239 NOTE DHCP Server setting updates are only implemented when the controller is restarted. NOTE When using the controller’s internal DHCP server, ensure that traffic can pass on UDP ports 67 & 68 between the controller and the clients receiving DHCP information. To configure DHCP: 1 Select Services >...
  • Page 240: Editing The Properties Of An Existing Dhcp Pool

    Network: Displays the network address for the clients. Lease Time (dd:hh:mm): When a DHCP server allocates an address for a DHCP client, the client is assigned a lease (which expires after a designated interval defined by the administrator). The lease time is the time an IP address is reserved for re-connection after its last use.
  • Page 241: Adding A New Dhcp Pool

    ● A b-broadcast (broadcast node) broadcasts to query network nodes for the owner of a NetBIOS name. ● A p-peer (peer-to-peer node) uses directed calls to communicate with a known NetBIOS name server, such as a Windows Internet Name Service (WINS) server, for the IP address of a NetBIOS machine.
  • Page 242 3 Enter the name of the IP pool from which IP addresses can be issued to client requests on this interface. 4 Provide the Domain name as appropriate for the interface using the pool. 5 Enter the NetBios Node used with this particular pool. The NetBios Node could have one of the following types:
  • Page 243: Configuring Dhcp Global Options

    ● A b-broadcast (broadcast node) uses broadcasting to query nodes on the network for the owner of a NetBIOS name. ● A p-peer (peer-to-peer node) uses directed calls to communicate with a known NetBIOS name server, such as a Windows Internet Name Service (WINS) server, for the IP address of a NetBIOS machine.
  • Page 244: Configuring Dhcp Server Ddns Values

    1 Select Services > DHCP Server from the main menu tree. 2 Highlight an existing pool name from within either the Configuration or Host Pool tab and click the Options Setup button at the bottom of the screen. 3 Click the Insert button to display an editable field wherein the name and value of the DHCP option can be added.
  • Page 245: Viewing The Attributes Of Existing Host Pools

    3 Enter a Domain Name which represents the forward zone in the DNS server. For example, test.net. 4 Define the TTL (Time to Live) to specify the validity of DDNS records. The maximum value is 864000 seconds. 5 Use the Automatic Update drop-down menu to specify whether the automatic update feature is on or off.
  • Page 246 1 Select Services > DHCP Server from the main menu tree. 2 Select the Host Pool tab. 3 Refer to the following information to assess whether the existing group of DHCP pools is sufficient: Pool Name: Displays the name of the IP pool from which IP addresses can be issued to DHCP client requests on this interface.
  • Page 247: Configuring Excluded Ip Address Information

    6 Click the Add button to create a new DHCP pool. For more information, see “Adding a New DHCP Pool” on page 241. 7 Click the Options button to insert a global pool name into the list of available pools. For more information, see “Configuring DHCP Global Options”...
  • Page 248: Configuring The Dhcp Server Relay

    4 To delete an existing DHCP pool from the list of those available to the controller, highlight the pool from within the Network Pool field and click the Delete button. 5 Click the Add button to create a new IP address range for a target host pool. For more information, see “Adding a New DHCP Pool”...
  • Page 249 3 Refer to the Interfaces field for the names of the interfaces available to route information between the DHCP Server and DHCP clients. If this information is insufficient, consider creating a new IP pool or editing an existing pool. 4 Refer to the Gateway Information field for DHCP Server and Gateway Interface IP addresses. Ensure these addresses are not in conflict with the addresses used to route data between the DHCP Server and client.
  • Page 250: Viewing Ddns Bindings

    a Use the Interface drop-down menu to assign the interface used for the DHCP relay. As VLANs are added to the controller, the number of interfaces available grows. b Add Servers as needed to supply DHCP relay resources. As Servers are added, use the Gateway drop-down menu associated with each Server to supply the interface used to route data.
  • Page 251: Viewing Dhcp Bindings

    3 Refer to the contents of the DDNS Bindings tab for the following information: IP Address: Displays the IP address assigned to the client. Domain Name: Displays the domain name mapping corresponding to the IP address listed in the left-hand side of the tab. 4 Click the Export button to display a screen used to export DDNS Binding information to a secure location.
  • Page 252: Reviewing Dhcp Dynamic Bindings

    3 Refer to the contents of the Bindings tab for the following information: IP Address: Displays an IP address for each client with a listed MAC address. This column is read-only and cannot be modified. MAC Address / Client ID: Displays the MAC address (client hardware ID) of the client using the controller’s DHCP Server to access controller resources.
  • Page 253: Configuring The Dhcp User Class

    Refer to the contents of the Dynamic Bindings tab for the following: IP Address: Displays the IP address for each client whose MAC Address is listed in the MAC Address / Client ID column. This column is read-only and cannot be modified.
  • Page 254: Adding A New Dhcp User Class

    3 The User Class Name field displays the client names grouped by the class name. 4 The User Class Option Name field displays the names defined for a particular client. Select the Multiple User Class Options checkbox to associate the user class option names with a multiple user class.
  • Page 255: Editing The Properties Of An Existing Dhcp User Class

    The DHCP server groups clients based on user class option values. DHCP Clients with the defined set of user class option values are identified by class. a Enter the User Class Name to create a new client. The DHCP user class name should not exceed 32 characters.
  • Page 256: Configuring Dhcp Pool Class

    a The User Class Name is a display field and cannot be modified. b Either add or modify the Option Values as required to suit the changing needs of your network. The option values should not exceed 50 characters. c Select the Multiple User Class Option checkbox to enable multiple option values for the user class.
  • Page 257: Editing An Existing Dhcp Pool Class

    3 Refer to the Pool Class Names field to configure a pool class. A preconfigured pool and class must exist to configure a pool class. The Address Ranges section displays the address ranges associated with the pool class. 4 Click the Edit button to modify the properties displayed for an existing DHCP Pool Class Name. For more information, see “Editing an Existing DHCP Pool Class”...
  • Page 258: Adding A New Dhcp Pool Class

    6 Refer to the Pool Class Address Range field to revise an address range. A maximum of 4 address ranges can be assigned to a class. a Use the Insert button to revise the Start IP and End IP address range for a class. b Select an address range and click Remove to delete that particular address range.
  • Page 259: Configuring Secure Ntp

    b Select an address range and click Remove to delete that particular address range. 7 Refer to the Status field. It displays the current state of the requests made from the applet. Requests are any “SET/GET” operation from the applet. The Status field displays error messages if something goes wrong in the transaction between the applet and the controller.
  • Page 260 3 An ACL Id must be created before it is selectable from any of the drop-down menus. Refer to the Access Group field to define the following: Full Access: Supply a numeric ACL ID from the drop-down menu to provide the ACL full access.
  • Page 261: Configuring Symmetric Keys

    Clock Stratum: Define how many hops (from 1 to 15) the controller is from an SNTP time source. The controller automatically chooses the SNTP resource with the lowest stratum number. The SNTP supported controller is careful to avoid synchronizing to a server that may not be accurate. Thus, the SNTP enabled controller never synchronizes to a machine not synchronized itself.
  • Page 262 3 Refer to the Symmetric Key screen to view the following information. Key ID: Displays a Key ID between 1-65534. The Key ID is an abbreviation allowing the controller to reference multiple passwords. This makes password migration easier and more secure between the controller and its NTP resource.
  • Page 263: Defining A Ntp Neighbor Configuration

    6 Enter a Key ID between 1-65534. The Key ID is an abbreviation allowing the controller to reference multiple passwords. This makes password migration easier and more secure between the controller and its NTP resource. 7 Enter an authentication Key Value used to secure the credentials of the NTP server providing system time to the controller.
  • Page 264 3 Refer to the following information (as displayed within the NTP Neighbor tab) to assess whether an existing neighbor configuration can be used as is, if an existing configuration requires modification or a new configuration is required. IP Address/Hostname: Displays the numeric IP address of the resource (peer or server) providing controller SNTP resources.
  • Page 265: Adding An Ntp Neighbor

    6 Click the Add button to define a new peer or server configuration that can be added to the existing configurations displayed within the NTP Neighbor tab. For more information, see “Adding an NTP Neighbor” on page 265. Adding an NTP Neighbor To add a new NTP peer or server neighbor configuration to those available for synchronization: 1 Select Services >...
  • Page 266: Viewing Ntp Associations

    synchronization packets within a network. To listen to NTP broadcast traffic, the broadcast server (and controller) must be on the same subnet. NTP broadcasts reduce configuration complexity since both the controller and its NTP resources can be configured to send and receive broadcast messages. NOTE If this checkbox is selected, the AutoKey Authentication checkbox is disabled, and the controller is required to use Symmetric Key Authentication for credential verification with its NTP resource.
  • Page 267 3 Refer to the following SNTP Association data for each SNTP association displayed: Address: Displays the numeric IP address of the SNTP resource (Server) providing SNTP updates to the controller. Reference Clock: Displays the address of the time source the controller is synchronized to. Displays how many hops the controller is from an SNTP time source.
  • Page 268: Viewing Ntp Status

    NOTE Select an existing NTP association and click the Details button to display additional information useful in discerning whether the association should be maintained. Viewing NTP Status Refer to the NTP Status tab to display performance (status) information relative to the controller’s current NTP association.
  • Page 269 1 Select Services > Secure NTP from the main menu tree. 2 Select the NTP Status tab. 3 Refer to the SNTP Status field to review the accuracy and performance of the controller’s ability to synchronize with an NTP server: Leap: Indicates if a second will be added to or subtracted from SNTP packet transmissions, or if the transmissions are synchronized.
  • Page 270: Configuring Controller Redundancy And Clustering

    Configuring Controller Redundancy and Clustering Configuration and network monitoring are two tasks a network administrator faces as a network grows in terms of the number of managed nodes (controllers, routers, wireless devices etc.). Such scalability requirements lead network administrators to look for a way to manage and monitor each node from a single centralized management entity.
  • Page 271 After sending the command to other members, the cluster-management protocol (at WS1) waits for a response from the members of the redundancy group. Upon receiving a response from each member, WS1 updates the user’s screen and allows the user to enter/execute the next command. The wait time required to collect responses from other controllers is predefined, so if one or more members do not respond to a given command within the defined interval, the command originating controller displays whatever responses have been collected and ignores the delayed responses.
  • Page 272: Configuring Redundancy Settings

    To view status and membership data and define a redundancy group configuration, refer to the following: ● Configuring Redundancy Settings ● Reviewing Redundancy Status ● Configuring Redundancy Group Membership ● Redundancy Group License Aggregation Rules ● Managing Clustering Using the Web UI ...
  • Page 273 2 Refer to the Configuration field to define the following: Enable Redundancy: Select this checkbox to enable/disable clustering. Clustering must be disabled to set a redundancy related parameter. All the modifiable values are grayed out if enabled. Redundancy: Define the destination IP address used to send heartbeats and update messages.
  • Page 274 Auto Revert: Check this box to enable the feature and specify the time (in minutes) for the controller to revert. Configure the interval between 1 and 1800 minutes. The default revert time is 5 minutes. When a primary controller fails, the standby controller takes over APs adopted by the primary.
  • Page 275: Reviewing Redundancy Status

    State: Displays the new state (status) of the redundancy group after a Trigger event has occurred. Time: Displays the Timestamp (time zone specific) when the state change occurred. Trigger: Displays the event causing the redundancy group state change on the controller.
  • Page 276 Controller running image version: Displays the controller firmware image version currently running on the controller. Compare this version with the latest version available from Extreme Networks to ensure the controller supports the latest feature set available. Connectivity Status: Displays the current connectivity status of the cluster membership...
  • Page 277: Configuring Redundancy Group Membership

    Mobile Units on this controller: Displays the number of MUs currently associated with the radio(s) used with this controller. Compare this number with the number of MUs within the group to determine how effectively MUs are distributed within the cluster. 4 The Apply and Revert buttons are unavailable (at the bottom of the screen) for use with the Status screen, as there are no editable parameters to save or revert.
  • Page 278 3 Refer to the following information within the Member tab: IP Address: Displays the IP addresses of the redundancy group member.
  • Page 279: Displaying Redundancy Member Details

    Status: Displays the current status of this group member. This status could have the following values: • Configured - The member is configured on the current wireless service module. • Seen - Heartbeats can be exchanged between the current controller and this member.
  • Page 280 4 Refer to the following redundancy member information: IP Address: Displays the IP addresses of the members of the redundancy group. There are a minimum of 2 members needed to define a redundancy group, including this current module. Displays the current status of this group member.
  • Page 281: Adding A Redundancy Group Member

    AP License Count: Displays the number of Access Point licenses available for this controller. For information on licensing rules impacting redundancy group members, see “Redundancy Group License Aggregation Rules” on page 282. Image Version: Displays the image version currently running on this member. Is the selected version complementary with this controller’s version? Displays the time this member was first seen by the controller.
  • Page 282: Redundancy Group License Aggregation Rules

    4 Enter the IP Address of a new member. 5 Click OK to save and add the changes to the running configuration and close the dialog. 6 Refer to the Status field. The Status is the current state of the requests made from the applet. Requests are any “SET/GET” operation from the applet.
  • Page 283: Managing Clustering Using The Web Ui

    For example, for a cluster of three controllers (S1 = 6, S2 = 6 and S3 = 6 licenses), the group license count is 18. If S1 goes down, the license count is still 18, since the license calculation is not initiated if a member controller goes down.
  • Page 284: Layer 3 Mobility

    4 On the Configuration tab, check the Enable Redundancy checkbox and then check the Enable Cluster GUI box. 5 Click the Apply button to enable the Cluster GUI feature. 6 Once Cluster GUI is enabled, a Controller field is available in many of the Access Point and mobile unit related screens.
  • Page 285 CAUTION An Access Point is required to have a DHCP provided IP address before attempting layer 3 adoption, otherwise it will not work. Additionally, the Access Point must be able to find the IP addresses of the controllers on the network.
  • Page 286 2 Select the Use Default Management Interface checkbox to use the controller’s default management interface IP address for MUs roaming amongst different Layer 3 subnets. The IP address displayed to the right of the checkbox is used by Layer 3 MU traffic. 3 To use a local IP address (not the controller management interface) for MUs roaming amongst different Layer 3 subnets, select the Use this Local Address checkbox and enter an IP address.
  • Page 287: Defining The Layer 3 Peer List

    Defining the Layer 3 Peer List The Layer 3 Peer List contains the IP addresses MUs are using to roam amongst various subnets. This screen is helpful in displaying the IP addresses available to those MUs requiring access to different subnet resources.
  • Page 288: Reviewing Layer 3 Peer List Statistics

    Enter the IP addresses in the area provided and click the OK button to add the addresses to the list displayed within the Peer List screen. Reviewing Layer 3 Peer List Statistics When an MU roams to a current controller on the same layer 3 network, it sends an L2-ROAM message to the home controller to indicate the MU has roamed within the same VLAN.
  • Page 289 3 Refer to the following information within the Peer Statistics tab: Peer IP: Displays the IP addresses of the peer controllers within the mobility domain. Each peer can support up to 500 MUs. JOIN Events sent/rcvd: Displays the number of JOIN messages sent and received. JOIN messages advertise the presence of MUs entering the mobility domain for the first...
  • Page 290: Reviewing Layer 3 Mu Status

    L2-ROAMs sent/rcvd: Displays the number of Layer 2 ROAM messages sent and received. When an MU roams to a new controller on a different layer 3 network (MU is mapped to a different VLAN ID), it sends an L3-ROAM message to the home controller with the new IP information for the current controller it is associated with.
  • Page 291: Configuring Controller Discovery

    3 Refer to the following information within the MU Status tab. MU MAC: Displays each listed Client’s factory coded hardware address. MU IP Address: Lists each Client’s assigned network IP address. Home Ctlr IP: Displays each Client’s assigned home controller IP address. Lists the controller VLAN the listed Client is a member of.
  • Page 292: Configuring Discovery Profiles

    to the Recently Found Devices tab to view a table of devices discovered by the current discovery process. Each discovered device compatible with the locating controller is displayed in a shaded color to distinguish it from non-compatible devices. CAUTION Controller discovery can be a time consuming operation.
  • Page 293 3 Select an existing profile and click the Edit button to modify the profile name, starting and ending IP address, and SNMP version. Extreme Networks recommends editing a profile only if some of its attributes are still valid; if the profile is obsolete, delete it and create a new one.
  • Page 294 When the credentials of the V2 Read Community or V3 Authentication screens are satisfied, the controller discovery process begins. When completed, the Discovery Results screen displays listing the name and network address attributes of those discovered devices. Click Launch to make a discovered device’s configuration available to the detecting controller.
  • Page 295: Adding A New Discovery Profile

    IP Address: Lists the IP address of each discovered device. Device Name: Displays the discovered device’s system assigned name. Device Uptime: Lists the time each discovered device has been operating within the controller managed network. Device Location: Displays the device’s detected location if the discovered device is capable of sharing locationing information with the discovery profile.
  • Page 296: Viewing Discovered Controllers

    Define the following parameters for the new controller discovery profile: Profile Name: Define a user-assigned name used to title the profile. The profile name should associate the profile with the group of devices or area where the discovered devices should be located. Start IP Address: Enter the starting numeric (non DNS) IP address from where the search for available network devices is conducted.
  • Page 297 3 Refer to the following within the Recently Found Devices screen to discern whether a located device should be deleted from the list or selected to have its Web UI launched and its current configuration modified. IP Address: Displays the IP address of the discovered controller. This IP address obviously falls within the range of IP addresses specified for the discovery profile used for the device search.
  • Page 298: Locationing

    Unlike competing solutions, which are based solely on Wi-Fi, the Extreme Networks solution is RF agnostic and supports passive RFID, active RFID and other emerging RF and non-RF technologies. Extreme Networks’ location solution leverages standards based Wi-Fi access points and RFID readers, so no proprietary infrastructure is needed.
  • Page 299: Defining Site Parameters

    Applications (users) inform SOLE (wireless LAN controller) about a facility map, location of infrastructure and zones. A zone is an area of specific interest with respect to whenever an asset becomes visible or invisible in that area. SOLE uses the following input variables as needed for the specific tag type calculating location: ● User configurations ...
  • Page 300 1 Select Services > RTLS from the main menu tree. 2 Select the Site tab. 3 Enter a Name and optionally a Description for the site: Name: Enter a name for the site where locationing is deployed. This is for identification purposes only.
  • Page 301: Adding Ap Location Information

    Height: Enter the height of the site. The size is either in feet or meters depending on which unit of measure is selected below. The acceptable range for height is 0-60m or 0-180ft. Height is an optional parameter and is not taken into account by the locationing algorithm. Unit: Use the drop-down menu to select the unit of measure used for dimensions.
  • Page 302: Configuring Sole Parameters

    4 Provide the AP’s MAC address and X, Y, and Z coordinates. 5 Select OK when completed to save your AP configuration. Configuring SOLE Parameters To configure the controller’s internal SOLE locationing engine: 1 Select Services > RTLS from the main menu tree.
  • Page 303 2 Select the SOLE tab. 3 Check the Locate All Mobile-Units checkbox to locate all MUs known to the controller across all WLANs. This will also disable manual entry of MU MAC addresses in the field below. This takes effect immediately when the box is checked. 4 Enter a value for the MU Locate Interval in seconds.
  • Page 304: Configuring Aeroscout Parameters

    b To remove a MAC Address from the MU MAC table, select a MAC Address from the table and click the Delete button to remove that MU. This table is disabled when the Locate All MUs checkbox is selected. Once SOLE has been enabled, MUs found by the locationing engine will be displayed in the Located MUs table at the bottom of the page.
  • Page 305 2 Select the Aeroscout tab. 3 Check the Enable checkbox to globally enable Aeroscout RTLS support on the controller. This takes effect immediately when the box is checked. 4 Enter the Multicast MAC Address used for all Aeroscout tags to send updates via multicast to the MAC address specified.
  • Page 306: Configuring Ekahau Parameters

    10 Click the Apply button to save the Locate Interval value. 11 Click the Revert button to cancel any changes made to the Locate Interval value and revert back to the last saved configuration. If the onboard SOLE engine is enabled to locate Aeroscout tags, the following information will be displayed for each located MU: Lists the MAC Addresses of all MUs which have been located by the controller.
  • Page 307 2 Select the Ekahau tab. 3 Check the Enable checkbox to globally enable Ekahau support on the controller. This takes effect immediately when the box is checked. 4 Enter the Multicast MAC Address used for all Ekahau tags to send updates via multicast to the MAC address specified.
  • Page 308 10 To use the onboard SOLE engine to locate Ekahau tags check the Enable checkbox. This is enabled immediately after checking the box. 11 If the onboard SOLE engine is enabled to locate Ekahau tags, enter a Locate Interval in seconds to specify how often the known tags are located by the SOLE engine.
  • Page 309: Chapter 7: Controller Security

    Controller Security This chapter describes the security mechanisms available to the controller. This chapter describes the following security configuration activities: ● Displaying the Main Security Interface on page 309 ● AP Intrusion Detection on page 310 ● Configuring Firewalls and Access Control Lists on page 319 ...
  • Page 310: Ap Intrusion Detection

    1 Select Security from the main menu tree. 2 Refer to the following information to discern if configuration changes are warranted: Rogue AP Intrusion Detection: Displays the enabled or disabled controller state to detect potentially hostile Access Points (the definition of which is defined by you). Once detected, rogue devices can be added to a list of devices either approved or denied from interoperating within the controller managed network.
  • Page 311: Enabling And Configuring Ap Detection

    AP detection is primarily conducted by the approved APs and may be assisted by certain Motorola MUs which are supported by the Extreme Networks WM3000 series WLAN controller. The Access Point Detection screen consists of the following tabs: ● Enabling and Configuring AP Detection ...
  • Page 312 3 Enable AP assisted scanning and timeout intervals as required. Enable: Select the checkbox to enable associated Access Points to detect potentially hostile Access Points. Once detected, the Access Points can be added to a list of APs either approved or denied from interoperating within the controller managed network.
  • Page 313: Adding Or Editing An Allowed Ap

    Enable: Select the checkbox to enable associated MUs to detect potentially hostile Access Points (the definition of which is defined by you). Once detected, these devices can be added to a list of Access Points either approved or denied from interoperating within the controller managed network.
  • Page 314 4 If adding a new Allowed AP, use the Index parameter to assign a numerical index value to this particular Access Point. The index range is from 1-200. If editing an existing Allowed AP, this is a read only field and cannot be modified. 5 Refer to the BSS MAC Address field to define the following: Any MAC Address Click the...
  • Page 315: Approved Aps

    Approved APs Those Access Points detected and approved for operation within the controller managed network can be separately displayed to assess the reporting (detecting) AP, the channel of operation, the last time the AP was observed on the network and the ESSID. Use this information to assess if an approved Access Point was incorrectly defined as approved and requires categorization as an unapproved and disallowed AP.
  • Page 316: Unapproved Aps (Reported By Aps)

    4 The Number of Approved APs is simply the sum of all approved Access Point MAC Addresses detected. 5 Click on the Export button to export the contents of the table to a Comma Separated Values file (CSV).
  • Page 317: Unapproved Aps (Reported By Mus)

    Channel: Displays the channel the Unapproved AP is currently transmitting on. Signal Strength (dBm): Displays the Relative Signal Strength Indicator (RSSI) for the detected (and unapproved) AP. APs with a strong signal may pose a more significant risk within the controller managed network. Last Seen (Seconds): Displays the time (in seconds) the Unapproved AP was last seen on the network by the detecting AP.
  • Page 318 3 The Unapproved APs (Reported by MUs) table displays the following information: BSS MAC Address: Displays the MAC Address of each Unapproved AP. These MAC addresses are Access Points observed on the network (by associated MUs), but have yet to be added to the list of approved APs, and are therefore interpreted as a threat on the network.
  • Page 319: Configuring Firewalls And Access Control Lists

    Configuring Firewalls and Access Control Lists An Access Control List (ACL) is a sequential collection of permit and deny conditions that apply to controller packets. When a packet is received on an interface, the controller compares the fields in the packet against any applied ACLs to verify the packet has the required permissions to be forwarded, based on the criteria specified in the access lists.
  • Page 320: Router Acls

    ● Wireless LAN ACLs - A Wireless LAN ACL is designed to filter/mark packets based on the wireless LAN from which they arrived rather than filtering the packets that arrived on Layer 2 ports. For more information, see ● Router ACLs ...
  • Page 321: Port Acls

    Each session has a default idle time-out interval. If no packets are received within this interval, the session is terminated and a new session must be initiated. These intervals are fixed and cannot be configured by the user. The default idle time-out intervals for different sessions are: ICMP and UDP sessions—...
  • Page 322: Wireless Lan Acls

    ● IP traffic by using IP ACL ● Non-IP traffic by using MAC addresses. Both IP and non-IP traffic on the same Layer 2 interface can be filtered by applying both an IP ACL and a MAC ACL to the interface. You cannot apply more than one IP ACL and one MAC ACL to a Layer 2 interface.
  • Page 323: Configuring The Firewall

    Consider the following when adding rules: ● Every ACL entry in an ACL is associated with a precedence value unique for every entry. You cannot enter two different entries in an ACL with the same precedence value. This value can be between 1 and 5000.
  • Page 324: Adding A New Acl

    ● ACLs - existing access lists ● Associated Rules - allow/deny rules The ACLs field displays the list of ACLs currently associated with the controller. An ACL contains an ordered list of ACEs. Each ACE specifies a permit or deny designation and a set of conditions the packet must satisfy to match the ACE.
  • Page 325: Adding A New Acl Rule

    1 Select Security > Wireless Firewall from the main tree menu. 2 Click the Configuration tab. 3 Click on the ACL tab to view the list of ACLs currently associated with the controller. 4 Click the Add button. 5 Select an ACL Type from the drop-down menu. The following options are available: Standard IP List –...
  • Page 326 5 Use the Precedence field to enter a precedence (priority) value between 1 and 5000. The rules within an ACL will be applied to packets based on their precedence value. Rules with lower precedence are always applied first. NOTE If adding an access control entry to an ACL using the controller SNMP interface, Precedence is a required parameter.
  • Page 327: Editing An Existing Rule

    11 Refer to the Status field for the current state of the requests made from the applet. This field displays error messages if something goes wrong in the transaction between the applet and the controller. 12 Click OK to use the changes to the running configuration and close the dialog. 13 Click Cancel to close the dialog without committing updates to the running configuration.
  • Page 328: Attaching An Acl On A Wlan Interface/Port

    The rules within an ACL are applied to packets based on their precedence value. Rules with lower precedence are always applied first. NOTE If adding an access control entry to an ACL using the controller SNMP interface, Precedence is a required parameter.
  • Page 329: Adding Or Editing A New Acl Wlan Configuration

    4 Refer to the following information as displayed within the Attach-WLAN tab: WLAN Index: Displays the list of WLANs attached with ACLs. IP ACL: Displays the IP ACL configured. MAC ACL: Displays the MAC ACL configured. Direction: Displays whether the WLAN ACL is configured to work in an inbound or outbound direction.
  • Page 330: Attaching An Acl Layer 2/Layer 3 Configuration

    5 Define a WLAN Index between 1 and 32. 6 Use the IP ACL drop-down menu to select an IP ACL for the WLAN. 7 Use the MAC ACL drop-down menu to select the MAC ACL for the WLAN interface. 8 Select either the Inbound or Outbound radio button to define which direction the ACL applies.
  • Page 331: Adding A New Acl Layer 2/Layer 3 Configuration

    4 Refer to the following information as displayed within the Attach tab: Interface: The interface on which the controller is configured. It can be one of the following: • ge 1-8 • up 1 • vlan1 (or any additional VLANs that have been created). IP ACL: Displays the IP ACL configured as the inbound IP for the layer 2 or layer 3 interface.
  • Page 332: Configuring The Role Based Firewall

    4 Click the Add button. 5 Use the Interface drop-down menu to select the interface to configure on the controller. Available options include – ge 1-8, up 1, VLAN 1 (plus those VLANs created thus far) and Tunnel n (where n equals the name(s) of those tunnels created thus far).
  • Page 333: Creating A Role Based Firewall Rule

    4 Refer to the following information as displayed within the Attach Role tab: Sequence Number: Displays the priority assigned to the role as determined by the Role Priority associated with the role. Role Name: Displays the role name assigned to each role. Role names are assigned in Security > Wireless Firewall...
  • Page 334: Configuring A Role

    4 Click the Add button. 5 Select a Role Name from the drop-down menu. Role Names can be added in the Configuration > Role tab. 6 Use the ACL drop-down menu to select an ACL to associate with the Role Name. 7 Select Inbound or Outbound to apply the new role to the appropriate interface.
  • Page 335 4 The Role configuration screen displays the following information: Sequence Number: Displays the sequence number associated with each role. Sequence numbers determine the order that roles are applied. Roles with lower sequence numbers are applied before those with higher sequence numbers. Sequence numbers are assigned when a role is created and cannot be edited.
  • Page 336: Creating A New Role

    Creating a New Role To add a new role: 1 Select Security > Wireless Firewall from the main tree menu. 2 Click the Configuration tab. 3 Click the Role tab. 4 Click the Add button. 5 To create a new role, configure the following information:
  • Page 337 Sequence Number: Enter a sequence number to be associated with each role. Sequence numbers determine the order in which roles are applied. Roles with lower sequence numbers are applied before those with higher sequence numbers. Sequence numbers are assigned when a role is created and cannot be edited.
  • Page 338: Configuring Wireless Filters

    Encryption: Select an Encryption filter, if any, to apply to the role. Available Encryption filters are: • Equals: The role will only be applied when the Encryption type matches the exact Encryption method specified in the role. • Not Equals...
  • Page 339 MU-ACL Index: Displays a numerical identifier used to associate a particular ACL with a range of MAC addresses (or a single MAC address) that are either allowed or denied access to the controller managed network. Starting MAC: Displays the beginning MAC Address (for this specific Index) either allowed or denied access to the controller managed network.
  • Page 340: Editing An Existing Wireless Filter

    Editing an Existing Wireless Filter Use the Edit screen to modify the properties of an existing filter. This is recommended if an existing filter contains adequate device address information, but the allow/deny permissions need to be changed or if only minor changes are required to the starting and ending MAC addresses. If significant changes are required to a usable filter, consider creating a new one.
  • Page 341: Adding A New Wireless Filter

    the same zone will have the same firewall policies applied to them. It should be set to an ID only if locationing is enabled, otherwise it should be set to not in use. 10 Use the drop-down menu to select Allow or Deny. This rule applies to MUs within the specified Starting and Ending MAC Address range.
  • Page 342: Associating An Acl With A Wlan

    network. ACL Index: Enter a new Index to define a new MAC Address range and allow/deny designation. 6 Enter a hex value for the Starting MAC address. This is the beginning MAC address either allowed or denied access to the controller managed network.
  • Page 343: L2 Level Attack Detection And Mitigation

    6 Select the box to the right of each WLAN you want associated with the ACL. Selecting a WLAN maps it to the MAC address range and allow or deny designation assigned to it. Consequently, be sure you are not restricting MU traffic for a WLAN that requires those MAC addresses to interact with the controller.
  • Page 344 1 Select Security > Wireless Firewall from the main tree menu. 2 Select the Configuration tab. 3 Click the L2 tab. 4 The L2 tab contains the following information: Interface Name: Displays the interface associated with the Layer 2 firewall. Available Layer 2 interfaces are ge 1-8 and up1.
  • Page 345: Port Level Configuration

    Unknown Unicast Storm: Displays the Unknown Unicast Storm Threshold for each interface. When the rate of unknown unicast packets exceeds the high threshold configured for an interface, packets are throttled until the rate falls below the configured rate. Thresholds are configured in packets per second.
  • Page 346: Configuring Wlan Firewall Rules

    Broadcast Storm Threshold: Configure the Broadcast Storm Threshold for each interface. When the rate of broadcast packets exceeds the high threshold configured for an interface, packets are throttled until the rate falls below the configured rate. Thresholds are configured in packets per second. The threshold range is 1-1000000 packets per second.
  • Page 347 WLAN Index: Displays the WLAN index number. This number is configured on the wireless LAN configuration page. Broadcast Storm Threshold: Displays the Broadcast Storm Threshold for each interface. When the rate of broadcast packets exceeds the high threshold configured for an interface, packets are throttled until the rate falls below the configured rate.
  • Page 348: Wlan Level Configuration

    DHCP Trust: Displays whether the interface is DHCP trusted. If the interface is DHCP trusted, DHCP Requests are forwarded to the external DHCP server; otherwise they are not. Internal DHCP servers are always trusted.
  • Page 349 5 To create a new WLAN Firewall rule, configure the following information: WLAN Index: Select a WLAN index number from the drop-down menu. This number is configured on the wireless LAN configuration page. Broadcast Storm Threshold: Enter the Broadcast Storm Threshold for each interface. When the rate of broadcast packets exceeds the high threshold configured for an interface,...
  • Page 350: Configuring Denial Of Service (Dos) Attack Firewall Rules

    DHCP Trust: Displays whether the interface is DHCP trusted. If the interface is DHCP trusted, DHCP Requests are forwarded to the external DHCP server; otherwise they are not. Internal DHCP servers are always trusted.
  • Page 351 Type: Displays the Denial of Service attack type. The controller currently supports enabling or disabling 28 types of DoS attack filters. Check Enabled: This field shows a green checkmark next to the Denial of Service Attack filters that are enabled on the controller firewall. When a DoS Attack filter is disabled, a red “X”...
  • Page 352: Configuring Firewall Logging Options

    9 To clear statistics for Denial of Service Attacks, click the Clear button. This will reset all Attack Counts to 0 and all Last Occurrence times to 0:00:00.00. 10 Click the Apply button to save the changes made within the DoS Attack screen. 11 Click the Revert button to cancel any changes made within the DoS Attack screen and revert back to the last saved configuration.
  • Page 353: Reviewing Firewall And Acl Statistics

    ARP Log: The ARP Log field displays the level of Syslog logging enabled for excessive ARP on an interface. The logging level uses standard Syslog levels of: • Emergency • Alert • Critical • Error • Warning • Notice • Info • ...
  • Page 354 4 Refer to the following information as displayed within the Statistics tab: Interface: Displays the physical/virtual interfaces used to add the ACL association to the controller. Action: Displays the permit, deny or mark designation for the ACL. If the action is to mark, the packet is tagged for priority.
  • Page 355: Viewing Dhcp Snoop Entry Statistics

    Viewing DHCP Snoop Entry Statistics To review DHCP Snoop Entry statistics: 1 Select Security > Wireless Firewall from the main menu tree. 2 Click the Statistics tab. 3 Select the DHCP Snoop Entry tab. 4 Refer to the following information as displayed within the DHCP Snoop Entry tab: Displays the DHCP Client IP Address for each entry.
  • Page 356: Viewing Role Based Firewall Statistics

    Ingress Source: Displays the MU port number for each entry in the table. Viewing Role Based Firewall Statistics The Role Based Firewall statistics information displays a list of mobile units associated with each role name. To review Role Based Firewall statistics: 1 Select Security >...
  • Page 357: Defining Dynamic Nat Translations

    network addresses to one or more public IP addresses. For example, when an administrator wants to allow individuals on the WAN side access to a particular FTP or Web server located on one of the LAN subnets but does not want to permit any other access, NAT is the appropriate solution. Using NAT, a user can mark one or more interfaces as inside or outside.
  • Page 358 3 Refer to the following information as displayed within the Dynamic Translation tab. Type: Displays the NAT type as either: • Inside - Applies NAT on packets arriving on interfaces marked as inside. These interfaces should be private networks not accessible from outside (public) networks.
  • Page 359: Adding A New Dynamic Nat Configuration

    4 Select an existing NAT configuration and click the Edit button to modify the settings of this existing NAT configuration. The fields within the Edit screen are similar to those displayed when adding a new NAT configuration. 5 Select an existing NAT configuration and click the Delete button to remove it from the list of available configurations.
  • Page 360: Defining Static Nat Translations

    changed back to the specific internal private class IP address in order to reach the LAN over the controller managed network. 6 Use the Access List drop-down menu to select the list of addresses used during NAT translation. These addresses (once translated) will not be exposed to the outside world when the translation address is used to interact with the remote destination. 7 Use the Interface drop-down menu to select the VLAN used as the communication medium between...
  • Page 361 3 Refer to the following information as displayed within the Static Translation tab. Type: Displays the NAT type as either: • Inside - The set of networks subject to translation. These are the internal addresses you are trying to prevent from being exposed to the outside world.
  • Page 362: Adding A New Static Nat Configuration

    NATed Address: Modifies the IP address of the matching packet to the specified value. The IP address modified can be either source or destination based on the direction specified. Global Port: Modifies the port number of the matching packet to the specified value. This option is valid only if the direction specified is destination.
  • Page 363: Configuring Nat Interfaces

    ● Inside - The set of networks subject to translation. These are the internal addresses you are trying to prevent from being exposed to the outside world. ● Outside - All other addresses (usually valid addresses located on the Internet). Outside addresses...
  • Page 364 3 Refer to the following information as displayed within the Interface tab: Interface: Displays the VLAN used as the inside or outside NAT type. All defined VLANs are available from the drop-down menu for use as the interface. Type: Displays the NAT type as either: Inside...
  • Page 365: Viewing Nat Status

    b Use the Interface drop-down menu to select the VLAN used as the communication medium between the controller managed network and its destination (within the insecure outside world). c Use the Type drop-down menu to specify the Inside or Outside designation as follows: Inside - The set of controller-managed networks subject to translation.
  • Page 366: Configuring Ike Settings

    3 Refer to the following to assess the validity and total NAT translation configurations available to the controller. Inside-Global: Displays the internal global pool of addresses (allocated out of the controller’s private address space but relevant to the outside) you are trying to prevent from being exposed to the outside world.
  • Page 367: Defining The Ike Configuration

    ● Viewing SA Statistics NOTE By default, the IKE feature is enabled. Extreme Networks does not support disabling the IKE server. NOTE The default isakmp policy will not be picked up for IKE negotiation if another crypto isakmp policy is created. For the default isakmp policy to be picked up for AP adoption you must first create the default isakmp policy as a new policy with default parameters.
  • Page 368 Controller Security During IKE negotiations, peers must identify themselves to one another. Thus, the configuration you define is the identification medium for device recognition. 3 Set a Keep Alive interval (in seconds) the controller uses for monitoring the continued presence of a peer and report of the client's continued presence.
  • Page 369: Setting Ike Policies

    9 If the properties of an existing peer IP address, key and aggressive mode designation are no longer relevant and cannot be edited, click the Add button to create a new pre-shared key. a Select the Peer IP Address checkbox to associate an IP address with the specific tunnel used by a group of peers, or select the Distinguished Name checkbox to configure the controller to restrict access to those peers with the same distinguished name, or select the Hostname checkbox to allow shared-key messages between corresponding hostnames.
  • Page 370 its policies to the remote peer. The remote peer searches for a match with its own policies using the defined priority scheme. An IKE policy matches when both peers have the same encryption, hash, authentication and Diffie-Hellman settings. The SA lifetime must also be less than or equal to the lifetime in the policy sent. If the lifetimes do not match, the shorter lifetime applies.
  • Page 371 SA Lifetime (sec.): Displays an integer for the SA lifetime. The default is 60 seconds. With longer lifetimes, future IPSec security associations are established more quickly. Encryption strength is great enough to ensure security without using fast rekey times. Extreme Networks recommends using the default value. Diffie-Hellman: Displays the Diffie-Hellman (DH) group identifier.
  • Page 372 6 If the properties of an existing policy are no longer relevant and cannot be edited to be useful, click the Add button to define a new policy. a Configure a set of attributes for the new IKE policy: Define the sequence number for the IKE policy.
  • Page 373: Viewing Sa Statistics

    IPSec security associations quickly. Encryption strength is great enough to ensure security without using fast rekey times. Extreme Networks recommends using the default value. DH Group: Set the Diffie-Hellman group identifier. IPSec peers use the defined value to derive a shared secret without transmitting it to one another.
  • Page 374: Configuring Ipsec Vpn

    Security associations are unidirectional and established per security protocol. To configure IPSec security associations, Extreme Networks uses the Crypto Map entries. Crypto Map entries created for IPSec pull together the various parts used to set up IPSec security associations.
  • Page 375: Defining The Ipsec Configuration

    security parameters in the Crypto Maps at both peers, allows you to specify a lifetime for the IPSec security association, allows encryption keys to change during IPSec sessions and permits Certification Authority (CA) support for a manageable, scalable IPSec implementation. If you do not want IKE with your IPSec implementation, disable it for IPSec peers.
  • Page 376 1 Select Security > IPSec VPN from the main menu tree. 2 Click the Configuration tab. 3 Refer to the Configuration field to define the following: SA Lifetime (secs): For IKE based security associations, define an SA Lifetime (in seconds) forcing the periodic expiration and re-negotiation of peer credentials.
  • Page 377: Editing An Existing Transform Set

    ESP Encryption Scheme: Displays the ESP Encryption Transform used with the index. Options include: • None - No ESP encryption is used with the transform set. • ESP-DES - ESP with the 56-bit DES encryption algorithm. • ESP-3DES - ESP with 3DES. • ESP-AES - ESP with AES...
  • Page 378 4 Revise the following information as required to render the existing transform set useful. Name: The name is read-only and cannot be modified unless a new transform set is created. Use AH: Select the checkbox (if necessary) to modify the AH Transform Authentication scheme. AH Authentication...
  • Page 379: Adding A New Transform Set

    Mode: Modify (if necessary) the current mode used with the transform set. The mode is either Tunnel or Transport. 5 Refer to the Status field for the state of the requests made from the applet. This field displays error messages if something goes wrong in the transaction between the applet and the controller. 6 Click OK to apply the changes to the running configuration and close the dialog.
  • Page 380: Defining The Ipsec Vpn Remote Configuration

    Use AH: Select the checkbox to define the AH Transform Authentication scheme. AH Authentication Scheme: Options include: • None - No AH authentication is used. • AH-MD5-HMAC - AH with the MD5 (HMAC variant) authentication algorithm. • AH-SHA-HMAC - AH with the SHA (HMAC variant) authentication algorithm.
  • Page 381 3 Refer to the Configuration field to define the following: DNS Server: Enter the numerical IP address of the DNS Server used to route information to the remote destination of the IPSec VPN. WINS Server: Enter the numerical IP address of the WINS Server used to route information to the remote destination of the IPSec VPN.
  • Page 382: Configuring Ipsec Vpn Authentication

    7 To add a new range of IP addresses, click the Add button (within the IP Range tab) and define the range in the fields provided. Click OK when completed to save the changes. 8 Click Cancel to disregard the changes and revert to the last saved configuration. Configuring IPSec VPN Authentication If IKE is not used for establishing security associations, there is no negotiation of security associations.
  • Page 383 6 Select an existing Radius Server and click the Edit button to modify its designation as a primary or secondary Radius Server, IP address, port, NAS ID and shared secret password. Extreme Networks recommends only modifying an existing Radius Server when its current configuration is no longer viable for providing user authentication. Otherwise, define a new Radius Server.
  • Page 384: Configuring Crypto Maps

    7 Select an existing server and click the Delete button to remove it from the list of available Radius Servers. Only delete a server if its configuration does not provide a valid authentication medium. 8 If you require a new Radius Server be configured, click the Add button. Set this server’s designation as a primary or secondary Radius Server (using the checkboxes), define the server IP address, port and shared secret password.
  • Page 385: Crypto Map Entries

    ● Crypto Map Entries on page 385 ● Crypto Map Peers on page 387 ● Crypto Map Manual SAs on page 389 ● Crypto Map Transform Sets on page 392 ● Crypto Map Interfaces on page 393 Crypto Map Entries To review, revise or add Crypto Map entries: 1 Select Security >...
  • Page 386 SA Lifetime (Kb): Causes the security association to time out after the specified amount of traffic (in kilobytes) has passed through the IPSec tunnel (using the security association). ACL ID: Displays the name of the ACL ID used for each Crypto Map. Number of Interfaces: Displays the number of interfaces each specific Crypto Map is used with.
  • Page 387: Crypto Map Peers

    c Use the None, Domain Name or Host Name radio buttons to select and enter the fully qualified domain name (FQDN) or host name of the host exchanging identity information. d Define an SA Lifetime (secs), the interval (in seconds) that (when expired) forces a new association negotiation.
  • Page 388 3 Refer to the read-only information displayed within the Peers tab to determine whether a peer configuration (among those listed) requires modification or a new peer requires creation. Priority / Seq #: Displays each peer’s Seq # (sequence number) to distinguish one from the other.
  • Page 389: Crypto Map Manual Sas

    a Define the Seq # /Name for the new peer. b Enter the name of the IKE Peer used with the Crypto Map to build an IPSec security association. 7 Click OK to save the configuration of the new Crypto Map peer. Crypto Map Manual SAs To review, revise or add a Crypto Map using a manually defined security association: 1 Select Security >...
  • Page 390 3 Refer to the read-only information displayed within the Manual SAs tab to determine whether a Crypto Map (with a manually defined security association) requires modification or if a new one requires creation. Priority / Seq #: Displays the Seq # (sequence number) used to determine priority. The lower the number, the higher the priority.
  • Page 391 a Define the Seq #. The sequence number determines priority among Crypto Maps. The lower the number, the higher the priority. b Provide a unique Name for this Crypto Map to differentiate it from others with similar configurations. c Enter the name of the IKE Peer used to build an IPSec security association. d Use the ACL ID drop-down menu to permit a Crypto Map data flow using the unique permissions within the selected ACL.
  • Page 392: Crypto Map Transform Sets

    Crypto Map Transform Sets A transform set is a combination of security protocols and algorithms defining how the controller protects data. To review, revise or add a Crypto Map transform set: 1 Select Security > IPSec VPN from the main menu tree. 2 Click the Crypto Maps tab and select Transform Sets.
  • Page 393: Crypto Map Interfaces

    a Select the Seq #/Name. b Enter the name of the Transform set used with the Crypto Map. 7 Click OK when completed to save the configuration of the Crypto Map transform set. Crypto Map Interfaces To review the interfaces currently available to the Crypto Maps or assign an interface: NOTE A Crypto Map cannot be applied to more than one interface at a time.
  • Page 394: Viewing Ipsec Security Associations

    3 Refer to the following read-only information displayed within the Interfaces tab. Name: Lists the name of the Crypto Maps available for the interface. Interface Name: Displays the name of the interface through which IPSec traffic flows. Applying the Crypto Map set to an interface instructs the controller to evaluate all the interface's traffic against the Crypto Map set and to use the specified policy during connection or security association negotiation on behalf of traffic protected by crypto (either CET or IPSec).
  • Page 395 1 Select Security > IPSec VPN from the main menu tree. 2 Click the IPSec SAs tab. 3 Refer to the following security association data: Index: Displays the numerical (if defined) ID for the security association. Use the index to differentiate this security association from others with similar configurations.
  • Page 396: Configuring The Radius Server

    ● Viewing Radius Accounting Logs NOTE For hotspot deployment, Extreme Networks recommends using the controller’s internal Radius server and built-in user database. This is the easiest setup option and offers a high degree of security and accountability. Radius Overview Radius enables centralized management of controller authentication data (usernames and passwords).
  • Page 397 The controller’s local Radius server stores the authentication data locally, but can also be configured to use a remote user database. A Radius server as the centralized authentication server is an excellent choice for performing accounting. Radius can significantly increase security by centralizing password management. NOTE The controller can be configured to use its own local Radius server or an external Radius server you define and...
  • Page 398: User Database

    User Database User group names and associated users (in each group) can be created in the local database. The User ID in the received access request is mapped to the associated wireless group for authentication. The controller supports the creation of 500 users and 100 groups within its local database. Each group can have a maximum of 500 users.
  • Page 399: Defining The Radius Configuration

    No secondary authentication source is specified. However, Extreme Networks recommends using an external Radius Server as the primary authentication source and the local controller Radius Server as the secondary user authentication source. For information on configuring an external Radius Server, see “Configuring External Radius Server Support”...
  • Page 400: Radius Client Configuration

    3 Click the Start the RADIUS server link to use the controller’s own Radius server to authenticate users accessing the controller managed network. Again, this is recommended as the secondary means of authenticating users. 4 Set a Timeout interval (between 5 and 10 seconds) to define how long the controller waits for a reply to a Radius request before retransmitting the request.
  • Page 401: Radius Proxy Server Configuration

    a Specify the IP Address/Mask of the subnet or host authenticating with the Radius client. b Specify a Radius Shared Secret for authenticating the RADIUS client. Shared secrets used to verify Radius messages (with the exception of the Access-Request message) are sent by a Radius-enabled device configured with the same shared secret. The shared secret is a case-sensitive string that can include letters, numbers, or symbols.
  • Page 402: Configuring Radius Authentication And Accounting

    a Create a new Realm Name as an abbreviation to differentiate the configuration from others with similar attributes. b Specify the IP Address of the new Radius proxy server. c Enter the TCP/IP Port Number used by the proxy Radius server. d Specify a Radius Shared Secret for authenticating the Radius client.
  • Page 403 3 Refer to the Authentication field to define the following Radius authentication information: EAP and Auth Type: Specify the EAP type for the Radius server. • PEAP uses a TLS layer on top of EAP as a carrier for other EAP modules.
  • Page 404: Configuring Radius Users

    CA Cert Trustpoint: Click the View/Change button to specify the CA certificate trustpoint from which the Radius server automatically grants certificate enrollment requests. A trustpoint is a representation of a CA or identity pair. A trustpoint contains the identity of the CA, CA-specific configuration parameters, and an association with one enrolled identity certificate.
  • Page 405 3 Refer to the following to assess whether an existing user can be used with the local Radius server as is, requires modification or if a new user is required. User ID: Displays the username for this specific user. The name assigned should reflect the user’s identity and perhaps their status within the controller managed network (guest versus secure user).
  • Page 406 CAUTION If password encryption is not enabled, Radius user passwords are stored in the running configuration file in clear text. The user passwords are shown as encrypted if the global password encryption is enabled. The maximum for the file is 5000 users, 100 groups, 25 clients, 5 realms and 2 LDAP servers. User ID: Define a unique user ID that differentiates this user from others with similar attributes.
  • Page 407: Configuring Radius User Groups

    a Refer to the Status field for the current state of the requests made from the applet. This field displays error messages if something goes wrong in the transaction between the applet and the controller. b Click OK to apply the changes to the running configuration and close the dialog. c Click Cancel to close the dialog without committing updates to the running configuration. Configuring Radius User Groups The Groups tab displays a list of all groups in the local Radius server's database.
  • Page 408 3 Refer to the user groups listed to review the following read-only attributes for each group: Name: Displays the unique name assigned to each group. The group name should be indicative of the user population within it and their shared activity within the controller managed network.
  • Page 409 5 Refer to the Time of access in days field to assess the intervals (which days) the group has been assigned access to the controller managed network (after each user has been authenticated). At least one day is required. This value is read-only within the Groups tab. Click Edit to modify the access assignments of an existing group or click Add to create a new group with unique access assignments.
  • Page 410: Viewing Radius Accounting Logs

    Modify the existing group’s guest designation, VLAN ID, access period(s) and WLAN assignment(s). 7 If an existing group is no longer needed (perhaps obsolete in function), select the group and click the Delete button to permanently remove the group from the list. The group can only be removed if all the users in the group are removed first.
  • Page 411: Creating Server Certificates

    NOTE Refer to the following information as displayed within the Accounting Logs tab. Filename: Displays the name of each accounting log file. Use this information to differentiate files with similar attributes. Type: Displays the type of each file. Displays the size of the file.
  • Page 412: Using Trustpoints To Configure Certificates

    ● upload an external certificate ● delete a server certificate and/or root certificate of a trustpoint ● create a new key ● upload/download keys between the controller and a server or local disk ● delete all the keys in the controller. ...
  • Page 413: Creating A Server / Ca Root Certificate

    Organizational Unit: If a unit exists within the organization that is representative of the certificate issuer, that name should be displayed here. Common Name: If there is a common name (IP address) for the organizational unit issuing the certificate, it displays here. Validity: Displays the date the certificate was originally issued.
  • Page 414 For more information, see “Using the Wizard to Create a New Certificate” on page 414. 5 Select the Upload an external certificate radio button to upload an existing Server Certificate or CA Root Certificate. For more information, see “Using the Wizard Delete Operation”...
  • Page 415 ● Generate a self signed certificate — Configure the properties of a new self-signed certificate. Once the values of the certificate are defined, the user can create and install the certificate. ● Prepare a certificate request to send to a Certificate Authority — Configure and save a valid certificate...
  • Page 416 Organization: Define an Organization for the organization used in the Self-Signed Certificate. By default, it is Extreme Networks, Inc. The user is allowed to modify the Organization name. This is a required field.
  • Page 417 Organization Unit: Enter an Org. Unit for the name of the organization unit used in the Self-Signed Certificate. By default, it is VPG. This is a required field. Email Address: Provide an email address used as the contact address for issues relating to this certificate request.
  • Page 418 Use the field to define whether the target certificate is to be sent to the system's local disk (Local Disk) or to an external server (Server). File: Specify a filename for the certificate to be saved as on the target server or local disk.
  • Page 419: Configuring Trustpoint Associated Keys

    2 Select and use the Delete trustpoint and all certificates inside it drop-down menu to define the target trustpoint for removal. 3 Select and use the Remove certificates from this trustpoint drop-down menu to define the trustpoint that will have either its Server Certificate or CA Root Certificate removed. 4 Click the Next button to proceed and complete the trustpoint removal.
  • Page 420: Adding A New Key

    The Keys tab displays the following: Key Name: Displays the name of the key pair generated separately, or automatically when selecting a certificate. Specify the option within the wizard. Key Size (Bytes): Displays the size of the desired key. If not specified, a default key size of 1024 bytes is used.
  • Page 421: Transferring Keys

    4 Enter a Key Label in the space provided to specify a name for the new key pair. 5 Define the Key Size between 1024 and 2048 (the UI says bytes, but these are bit lengths; prefer 2048). 6 Refer to the Status field for the current state of the requests made from the applet. This field displays error messages if something goes wrong in the transaction between the applet and the controller.
  • Page 422 Controller Security 4 Use the From drop-down menu to specify the location from which the log file is sent. If only the applet is available as a transfer location, use the default controller option. 5 Select a target file for the file transfer from the File drop-down menu. The drop-down menu contains the log files listed within the Server Certificate screen.
  • Page 423: Chapter 8: Controller Management

    Controller Management This chapter describes the Management Access main menu items used to configure the controller. This chapter consists of the following controller management activities: Displaying the Management Access Interface on page 423 ● Configuring Access Control on page 424 ●...
  • Page 424: Configuring Access Control

    Controller Management NOTE The Apply and Revert functions are greyed out within the Management Access screen, as this screen has no configurable parameters for the user to update and save. Configuring Access Control Refer to the Access Control screen to allow/deny management access to the controller using the different protocols (HTTP, HTTPS, Telnet, SSH or SNMP) available to users. Of these, Telnet and HTTP carry credentials and session data in cleartext, so a hardened deployment leaves only SSH, HTTPS and (where required) SNMP v3 enabled.
  • Page 425 Enable Telnet: Select this checkbox to allow the controller to use a Telnet session for communicating over the network. This setting is enabled by default; because Telnet transmits the login password unencrypted, disable it once SSH access has been verified. Port: Define the port number used for the Telnet session with the controller. This field is enabled as long as the Enable Telnet option remains enabled.
  • Page 426: Configuring Snmp Access

    Controller Management 3 Click the Apply button to save changes made to the screen since the last saved configuration. 4 Click the Revert button to revert the screen back to its last saved configuration. Changes made since the contents of the screen were last applied are discarded. Configuring SNMP Access Use the SNMP Access menu to view and configure existing SNMP v1/v2 and SNMP v3 values and their current access control settings.
  • Page 427: Editing An Existing Snmp V1/V2 Community Name

    1 Select Management Access > SNMP Access > v1/v2 from the main menu tree. 2 Refer to the Community Name and Access Control parameters for the following information: Community Name: Displays the read-only or read-write name used to associate a site-appropriate name for the community. A v1/v2 community name is sent in cleartext in every SNMP packet and is the only credential those versions have, so replace any default value and treat it as a password.
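As an added example (not code from the Summit WM3000 guide), the following Python builds an SNMPv2c GetRequest by hand and then pulls the community name straight back out of the datagram, which is exactly what a passive sniffer on the management VLAN can do. The community name "public" and the sysDescr OID are constructed sample values.

```python
"""Minimal BER encoder/decoder for an SNMPv2c GetRequest (RFC 3416 PDU inside
the RFC 1901 community wrapper).  Added example, not code from the controller
guide.  The community string and OID used below are constructed sample values."""


def ber_length(n: int) -> bytes:
    """BER definite length: short form below 128, long form above."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(body)) + body


def ber_integer(value: int) -> bytes:
    """INTEGER, minimal two's-complement encoding."""
    if value == 0:
        return tlv(0x02, b"\x00")
    nbytes = (value.bit_length() + 8) // 8  # one extra bit of room for the sign
    return tlv(0x02, value.to_bytes(nbytes, "big", signed=True))


def ber_oid(oid: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    body = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return tlv(0x06, body)


def snmp_get_request(community: str, oids, request_id: int = 1) -> bytes:
    """SNMPv2c (version field = 1) GetRequest with NULL-valued varbinds."""
    varbinds = b"".join(tlv(0x30, ber_oid(o) + b"\x05\x00") for o in oids)
    pdu = tlv(0xA0, ber_integer(request_id)
              + ber_integer(0)            # error-status
              + ber_integer(0)            # error-index
              + tlv(0x30, varbinds))
    return tlv(0x30, ber_integer(1) + tlv(0x04, community.encode()) + pdu)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body, next_pos) for the TLV that starts at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def community_from_packet(packet: bytes) -> str:
    """What a sniffer does: outer SEQUENCE -> skip the INTEGER version ->
    read the OCTET STRING community.  No key is needed; it is plaintext."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, _version, pos = _read_tlv(msg, 0)
    tag, community, _ = _read_tlv(msg, pos)
    if tag != 0x04:
        raise ValueError("community string not where expected")
    return community.decode()


if __name__ == "__main__":
    pkt = snmp_get_request("public", ["1.3.6.1.2.1.1.1.0"])  # sysDescr.0
    print(pkt.hex())
    print("community recovered from the wire:", community_from_packet(pkt))
```

The decoder needs nothing but the packet, which is the whole argument for preferring SNMP v3 with authentication and privacy (next pages) on any network segment that is not fully trusted.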
  • Page 428: Configuring Snmp V3 Access

    Controller Management 1 Select Management Access > SNMP Access > v1/v2 from the main menu tree. 2 Select an existing Community Name from those listed and click the Edit button. 3 Modify the Community Name used to associate a site-appropriate name for the community. The name revised from the original entry is required to match the name used within the remote network management software.
  • Page 429 3 Refer to the fields within the V3 screen for the following information: User Name: Displays a read-only SNMP v3 username of operator or Admin. An operator typically has an Access Control of read-only and an Admin typically has an Access Control of read/write. read-only read/write Displays a...
  • Page 430: Editing A Snmp V3 Authentication And Privacy Password

    Controller Management Editing an SNMP v3 Authentication and Privacy Password The Edit screen enables the user to modify the password required to change the authentication keys. Updating the password requires logging off of the system. Updating the existing password creates new authentication and encryption keys.
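As an added example (not code from the guide), this Python shows why changing an SNMP v3 password produces new keys: the User-based Security Model (RFC 3414) stretches the password into a key (Ku) and then localizes it to the device's engine ID (Kul). The password "maplesyrup" and the engine ID are the RFC 3414 test vectors; a real controller would use its own engine ID.

```python
"""SNMPv3 USM key derivation (RFC 3414 appendix A.2/A.3).  Added example, not
code from the controller guide.  Turns the authentication and privacy passwords
entered in the SNMP v3 screen into the keys that sign and encrypt traffic.
The password and engine ID in __main__ are the RFC 3414 test vectors."""
import hashlib

EXPANDED_LENGTH = 1_048_576  # RFC 3414: the password is stretched to 1 MiB before hashing


def password_to_key(password: bytes, algorithm: str = "md5") -> bytes:
    """Ku = H(password repeated until exactly 1,048,576 bytes have been fed in)."""
    if not password:
        raise ValueError("empty password")
    repeats = EXPANDED_LENGTH // len(password) + 1
    stream = (password * repeats)[:EXPANDED_LENGTH]
    return hashlib.new(algorithm, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, algorithm: str = "md5") -> bytes:
    """Kul = H(Ku || engineID || Ku).  Binding the key to one engine means a
    key captured from (or shared with) one device is useless on another."""
    return hashlib.new(algorithm, ku + engine_id + ku).digest()


def derive_usm_keys(auth_password: bytes, priv_password: bytes,
                    engine_id: bytes, algorithm: str = "md5") -> dict:
    """Both localized keys for one USM user, as a device stores them.
    Changing either password changes Ku and therefore the localized key,
    which is why updating the password creates new keys."""
    auth_kul = localize_key(password_to_key(auth_password, algorithm), engine_id, algorithm)
    priv_kul = localize_key(password_to_key(priv_password, algorithm), engine_id, algorithm)
    return {"auth": auth_kul, "priv": priv_kul}


if __name__ == "__main__":
    engine = bytes.fromhex("000000000000000000000002")  # RFC 3414 A.3 test engine ID
    keys = derive_usm_keys(b"maplesyrup", b"maplesyrup", engine, "sha1")
    print("auth Kul:", keys["auth"].hex())
    print("priv Kul:", keys["priv"].hex())
```

RFC 3414 defines only MD5 and SHA-1 for this step (the SHA-2 variants come from RFC 7860); the 1 MiB stretch is the only work factor, so a short dictionary password is still cheap to brute-force from a captured authenticated message.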
  • Page 431: Accessing Snmp V2/V3 Statistics

    1 Select Management Access > SNMP Access from the main menu tree. 2 Select the Message Parameters tab from within the SNMP Access screen. 3 Define the following values as required to define how SNMP Access messages are received: Retries: Define the number of times the controller polls for SNMP values before giving up. The default retry value is 3.
  • Page 432 Controller Management 3 Refer to the following read-only statistics displayed within the SNMP Access Statistics screen: V2/V3 Metrics: Displays the individual SNMP Access events capable of having a value tracked for them. The metrics range from general SNMP events (such as the number of SNMP packets in and out) to specific error types that can be used for troubleshooting SNMP events (such as Bad Value and Read-Only errors).
  • Page 433: Configuring Snmp Traps

    Configuring SNMP Traps Use the SNMP Trap Configuration screen to enable or disable traps individually or by functional trap group. It is also used for modifying the existing threshold condition values for individual trap descriptions. Refer to the tabs within the SNMP Trap Configuration screen to conduct the following configuration activities: Enabling Trap Configuration ●...
  • Page 434 Controller Management 4 Select an individual trap, by expanding the node in the tree view, to view a high-level description of this specific trap within the Trap Description field. You can also select a trap family category heading (such as "Redundancy" or "NSM") to view a high-level description of the traps within that trap category.
  • Page 435: Configuring E-Mail Notifications

    6 Highlight a specific trap and click the Enable Trap button to enable this specific trap as an active SNMP trap. The items previously disabled (with an "X" to the left) now display with a check to the left of them. 7 Highlight a specific trap and click the Disable Trap button to disable the item as an active SNMP trap.
  • Page 436: Configuring Trap Thresholds

    Controller Management 3 Check the Enable SMTP box to enable the outgoing mail server on the controller. In order to use E-mail notification on the controller, this box must be checked. Configure the SMTP mail server properties as follows: Enter the hostname of your outgoing SMTP mail server.
  • Page 437 3 Refer to the following information for threshold descriptions, conditions, editable threshold values and units of measurement. Threshold Name (Description): Displays the target metric for the data displayed to the right of the item. It defines a performance criterion used as a target for trap configuration. Threshold Conditions: Displays the criteria used for generating a trap for the specific event.
  • Page 438: Wireless Trap Threshold Values

    Controller Management Unit of Threshold Values: Displays the measurement value used to define whether a threshold value has been exceeded. Typical values include Mbps, retries and %. For information on specific values, see “Wireless Trap Threshold Values” on page 438. 4 Select a threshold and click the Edit button to display a screen wherein threshold settings for the MU, AP and WLAN can be modified.
  • Page 439: Configuring Snmp Trap Receivers

    Threshold Name | Condition | Station Range | Radio Range | WLAN Range | Wireless Controller Range | Units
    Non Unicast Packets | Greater than | A decimal number greater than 0.00 and less than or equal ... | A decimal number greater than 0.00 and less than or equal ... | A decimal number greater than 0.00 and less than or equal ... | ... | ...
  • Page 440 Controller Management 1 Select Management Access > SNMP Trap Receivers from the main menu tree. 2 Refer to the following SNMP trap receiver data to assess whether modifications are required. Destination Address: Defines the numerical (non DNS name) destination IP address for receiving traps sent by the SNMP agent.
  • Page 441: Editing Snmp Trap Receivers

    Editing SNMP Trap Receivers Use the Edit screen to modify the trap receiver’s IP Address, Port Number and v2c or v3 designation. Consider adding a new receiver before editing an existing one or risk overwriting a valid receiver. Edit existing destination trap receivers as required to suit the various traps enabled and their function in supporting the controller managed network.
  • Page 442: Configuring Management Users

    Controller Management 3 Create a new (non DNS name) destination IP Address for the new trap receiver to be used for receiving the traps sent by the SNMP agent. 4 Define a Port Number for the trap receiver. 5 Use the Protocol Options drop-down menu to specify the trap receiver as either a SNMP v2c or v3 receiver.
  • Page 443: Creating A New Local User

    1 Select Management Access > Users from the main menu tree. 2 Click the Local Users tab. The Local User window consists of 2 fields: Users – Displays the users currently authorized to use the controller. By default, the controller has ●...
  • Page 444 Controller Management 3 Enter the login name for the user in the Username field. Ensure this name is practical and identifiable to the user. 4 Enter the authentication password for the new user in the Password field and reconfirm the same again in the Confirm Password field.
  • Page 445: Modifying An Existing Local User

    Super User: Select to assign complete administrative rights. NOTE There are some basic operations/CLI commands (exit, logout and help) available to all user roles. All the roles except Monitor can perform Help Desk role operations. 6 Select the access modes to assign to the new user from the options provided in the Access Modes panel.
  • Page 446 Controller Management If necessary, modify user permissions without any administrative rights. Monitor read-only The Monitor option provides permissions. Optionally assign this role to someone who typically troubleshoots and Help Desk Manager debugs problems reported by the customer. the Help Desk Manager typically runs troubleshooting utilities (like a sniffer), executes service commands, views/retrieves logs and reboots the controller.
  • Page 447: Creating A Guest Admin And Guest User

    Creating a Guest Admin and Guest User Optionally, create a guest administrator for creating guest users with specific usernames, start and expiry times and passwords. Each guest user can be assigned access to specific user groups to ensure they are limited to just the group information they need, and nothing additional. NOTE A guest user added from the controller Web UI will be 5 minutes ahead of the controller's current time.
  • Page 448: Configuring Controller Authentication

    Controller Management NOTE To create guest users, a guest administrator must be assigned a WebUser Administrator access mode. None of the other modes launch the required Guest User Configuration screen upon login. When the guest-admin user logs in, they are redirected to a Guest User Configuration screen, wherein start and end user permissions can be defined in respect to specific users.
  • Page 449 3 Refer to the Authentication methods field for the following: Preferred Method: Select the preferred method for authentication. Options include: ● None - No authentication ● Local - The user employs a local user authentication resource. This is the default setting. ● Radius -...
  • Page 450: Modifying The Properties Of An Existing Radius Server

    Controller Management Shared secret: Displays the shared secret used to verify that Radius messages (with the exception of the Access-Request message) are sent by a Radius-enabled device configured with the same shared secret. The shared secret is a case-sensitive string (password) that can include letters, numbers, or symbols. Choose a long random value: RADIUS hides the User-Password attribute with an MD5 stream keyed only by this secret, so a guessable secret exposes every password that crosses the link.
  • Page 451 4 Modify the following Radius Server attributes as necessary: Radius Server Index: Displays the read-only numerical value for the Radius Server to help distinguish this server from other servers with a similar configuration (if necessary). This is not an editable value. Modify the IP address of the external Radius Server (if necessary).
  • Page 452: Adding An External Radius Server

    Controller Management Adding an External Radius Server The attributes of a new Radius Server can be defined by the controller to provide a new user authentication server. Once the server is configured and added, it displays within the Authentication tab as an option available to the controller.
  • Page 453: External Radius Server Settings

    When using an external Radius Server with the controller, configure the following values on your server for maximum compatibility with the controller: the Vendor ID and the Radius VSAs. There are two Radius VSAs used for management user authentication. Vendor ID: The Extreme Networks vendor ID is 1916. VSA Name | Attribute Number | Type...
  • Page 454 Controller Management Other VSAs include the following attributes:
    VSA Name | Attribute Number | Type | Values
    Extreme-Current-SSID | | String | Extreme
    Extreme-Wlan-Index | 4 | String | Extreme
    Guest-User-Expiry-Date-Time | | String | Extreme
    Guest-User-Start-Date-Time | | String | Extreme
    Extreme-Downlink-Limit-Kbps | | Integer | Extreme
    Extreme-Uplink-Limit-Kbps | | Integer | Extreme
    Extreme-User-Group | 12 | String | Extreme
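As an added example (not code from the guide), here is a Python builder and parser for a RADIUS Access-Request carrying Extreme vendor-specific attributes, using the vendor ID (1916) and the two attribute numbers legible in the table above (Extreme-Wlan-Index = 4, Extreme-User-Group = 12). The shared secret, NAS address, user name, password and VSA values are constructed sample data, and the Request Authenticator is fixed in the test only so the result is reproducible. It also shows how RFC 2865 hides User-Password with the shared secret, which is why the shared secret on page 450 must be long and random.

```python
"""RADIUS Access-Request with Extreme Networks vendor-specific attributes.
Added example, not code from the controller guide.  The vendor ID and the two
attribute numbers come from the guide's VSA table; everything else is constructed."""
import hashlib
import os
import struct

EXTREME_VENDOR_ID = 1916      # IANA enterprise number stated in the guide
VSA_WLAN_INDEX = 4            # Extreme-Wlan-Index (String)
VSA_USER_GROUP = 12           # Extreme-User-Group (String)

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_VENDOR_SPECIFIC = 26


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret || previous block); the first block is keyed by the Request
    Authenticator.  Reversible by anyone who holds the shared secret."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; the trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def vsa(vendor_type: int, value: bytes, vendor_id: int = EXTREME_VENDOR_ID) -> bytes:
    """Type 26 wrapper: 4-byte Vendor-Id, then vendor type / length / value."""
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return attribute(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def build_access_request(identifier, secret, username, password, nas_ip,
                         wlan_index, user_group, authenticator=None) -> bytes:
    """Code 1 packet: 20-byte header (code, id, length, authenticator) + attributes."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD,
                         hide_password(password.encode(), secret, authenticator))
             + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + vsa(VSA_WLAN_INDEX, str(wlan_index).encode())
             + vsa(VSA_USER_GROUP, user_group.encode()))
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_packet(packet: bytes):
    """Return (code, identifier, authenticator, attrs).  VSAs are unwrapped to
    ('vsa', vendor_id, vendor_type, value); all others to ('attr', type, value)."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + alen]
        if atype == ATTR_VENDOR_SPECIFIC:
            vendor_id = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            attrs.append(("vsa", vendor_id, vtype, value[6:4 + vlen]))
        else:
            attrs.append(("attr", atype, value))
        pos += alen
    return code, identifier, packet[4:20], attrs


if __name__ == "__main__":
    secret = b"sample-shared-secret"   # constructed; use a long random value in practice
    pkt = build_access_request(7, secret, "helpdesk1", "s3cret!", "10.1.1.5", 3, "helpdesk")
    print(parse_packet(pkt))
```

When troubleshooting "Radius Server does not reply" (page 508), the same parser run against a capture of the controller's request confirms whether the NAS-IP-Address and VSAs are what the server's client entry expects; a reply of silence from a RADIUS server is usually a client/secret mismatch rather than a transport fault.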
  • Page 455: Chapter 9: Diagnostics

    The Extreme Networks wireless LAN controller management software is a recommended utility to plan the deployment of the controller and view its configuration once operational. Extreme Networks WMS can help optimize the positioning and configuration of a controller and assist in the troubleshooting of performance issues as they are encountered in the field.
  • Page 456 Diagnostics 1 Select Diagnostics from the main tree menu. 2 Select the Environment tab (opened by default). 3 The Environment tab displays the following fields: ● Settings ● Temperature Sensors ● Fans 4 In the Settings field, select the Enable Diagnostics checkbox to enable/disable diagnostics and set the monitoring interval.
  • Page 457: Cpu Performance

    NOTE A Summit WM3700 Controller has six sensors. 6 Refer to the Fans field to monitor the CPU and system fan speeds. 7 Click the Apply button to commit and apply the changes. 8 Click the Revert button to revert back to the last saved configuration. CPU Performance Use the CPU tab to view and define the CPU’s load statistics.
  • Page 458: Controller Memory Allocation

    Diagnostics 5 The CPU Usage field displays real time CPU consumption values. Use this information to periodically determine if performance is negatively impacted by the over usage of controller CPU resources. If CPU usage is substantial during periods of low network activity, the situation may require troubleshooting.
  • Page 459: Controller Disk Allocation

    Name: The name of the buffer. Usage: The buffer's current usage. Limit: The buffer limit. 6 Click the Apply button to commit and apply the changes. 7 Click the Revert button to revert to the last saved configuration. Controller Disk Allocation The Disk tab contains parameters related to the various disk partitions on the controller.
  • Page 460: Controller Memory Processes

    Diagnostics Controller Memory Processes The Processes tab displays the number of processes in use and percentage of memory usage limit per process. 1 Select Diagnostics from the main tree menu. 2 Select the Processes tab. 3 The Processes tab has two fields: General ●...
  • Page 461: Configuring System Logging

    1 Select Diagnostics from the main tree menu. 2 Select the Other Resources tab. Keep the Cache allocation in line with cache expectations required within the controller managed network. 3 Define the maximum limit for each resource accordingly as you expect these resources to be utilized within the controller managed network.
  • Page 462 Diagnostics To view the Log options available to the controller: 1 Select Diagnostics > System Logging from the main menu tree. 2 Select the Log Options tab. 3 Select the Enable Logging Module checkbox to enable the controller to log system events to a user defined log file or a syslog server.
  • Page 463: File Management

    d Optionally, use the Server 3 parameter to specify the numerical (non DNS name) IP address of a third syslog server to log system events if the first two syslog servers are unavailable. NOTE 255.255.255.255 is accepted as a valid entry for the IP address of a logging server; this is the limited broadcast address, so the UI will not reject an unintended value and the entered address should be double-checked. 7 Use the Logging aggregation time parameter to define the increment (or interval) at which system events are logged (0-60 seconds).
  • Page 464: Viewing The Entire Contents Of Individual Log Files

    Viewing the Entire Contents of Individual Log Files Extreme Networks recommends the entire contents of a log file be viewed to make an informed decision whether to transfer the file or clear the buffer. The View screen provides additional details about a target file by allowing the entire contents of a log file to be reviewed.
  • Page 465 4 Refer to the following for information on the elements that can be viewed within a log file: Timestamp: Displays the date, year and time of day the log file was initially created. This value only states the time the file was initiated, not the time it was modified or appended.
  • Page 466: Transferring Log Files

    Diagnostics Mnemonic: Use the mnemonic as a text version of the severity code information. A mnemonic is a convention for the classification, organization, storage and recollection of controller information. Description: Displays a high-level overview of the event, and (when applicable) message type, error or completion codes for further clarification of the event.
  • Page 467: Reviewing Core Snapshots

    15 Refer to the Status field for the current state of the requests made from the applet. This field displays error messages if something goes wrong in the transaction between the applet and the controller. 16 Click the Close button to exit the screen. No values need to be saved once the transfer has been made.
  • Page 468: Transferring Core Snapshots

    Diagnostics 4 Click the Transfer Files button to open the transfer dialogue to enable a file to be copied to another location. For more information on transferring core snapshots, see “Transferring Core Snapshots” on page 468. Transferring Core Snapshots Use the Transfer screen to define a source for transferring core snapshot files to a secure location for potential archive.
  • Page 469 To review the current panic snapshots on the controller: 1 Select Diagnostics > Panic Snapshots from the main menu. 2 Refer to the following table headings within the Panic Snapshots screen: Name: Displays the title of the panic file. Panic files are named n.panic where n is in the range 0-9.
  • Page 470: Viewing Panic Details

    Diagnostics Viewing Panic Details Use the View facility to review the entire contents of a panic snapshot before transferring or deleting the file. The view screen enables you to display the entire file. To review Panic Snapshots: 1 Select Diagnostics > Panic Snapshots from the main menu. 2 Select a panic from those available and click the View button.
  • Page 471: Debugging The Applet

    12 Refer to the Status field for the current state of the requests made from the applet. This field displays error messages if something goes wrong in the transaction between the applet and the controller. 13 Click the Transfer button when ready to move the target file to the specified location. Repeat the process as necessary to move each desired log file to the specified location.
  • Page 472: Configuring A Ping

    Diagnostics Enabling this checkbox allows you to select the file location where you wish to store the log message. 4 Select the Use SNMP V2 only checkbox to use SNMP v2 to debug the applet. Check whether you have access to SNMP v2 by clicking on the Test SNMP V2 access button. If SNMP v2 access is available, the test icon will change from grey to green, indicating the SNMPv2 interface is viable on the controller.
  • Page 473 1 Select Diagnostics > Ping from the main menu. 2 Refer to the following information displayed within the Configuration tab: Description: Displays the user assigned description of the ping test. The name is read-only. Use this title to determine whether this test can be used as is or if a new ping test is required.
  • Page 474: Modifying The Configuration Of An Existing Ping Test

    Diagnostics Modifying the Configuration of an Existing Ping Test The properties of an existing ping test can be modified to ping an existing (known) device whose network address attributes may have changed and require modification to connect (ping) to it. To modify the attributes of an existing ping test: 1 Select Diagnostics >...
  • Page 475: Adding A New Ping Test

    6 Click Cancel to return back to the Configuration tab without implementing changes. Adding a New Ping Test If the attributes of an existing ping test do not satisfy the requirements of a new connection test, and you do not want to modify an existing test, a new test can be created and added to the list of existing ping tests displayed within the Configuration tab.
  • Page 476: Viewing Ping Statistics

    Diagnostics Timeout(sec): Configure the timeout value (in seconds) used to time out the ping test if a round trip packet is not received from the target device. Ensure this interval is long enough to account for network congestion between the controller and its target device. Define the interval (in seconds) between ping packet transmissions.
  • Page 477 Destination IP: Displays the numeric (non DNS address) destination of the device to which the ping packets were transmitted. Packets Sent: Displays the number of packets transmitted to the target device IP address. Compare this value with the number of packets received to assess the connection quality with the target device.
  • Page 479: Appendix A: Customer Support

    Customer Support NOTE Services can be purchased from Extreme Networks or through one of its channel partners. If you are an end-user who has purchased service through an Extreme Networks channel partner, please contact your partner first for support. Extreme Networks Technical Assistance Centers (TAC) provide 24x7x365 worldwide coverage. These centers are the focal point of contact for post-sales technical and network-related questions or issues.
  • Page 481: Appendix B: Ap Management From Controller

    AP Management from Controller The management of an adopted AP is conducted by the controller, once the AP connects to an Extreme Networks Summit WM3600 or Summit WM3700 wireless LAN controller and receives its configuration. An adopted AP provides: local 802.11 traffic termination ●...
  • Page 482: Ap Management

    An AP's wireless configuration can also be configured from the controller. However, non-wireless features (DHCP, NAT, Firewall etc.) cannot be configured from the controller and must be defined using the access point's resident interfaces before its controller adoption or through Extreme Networks Wireless Management Suite (WMS).
  • Page 483: Securing A Configuration Channel Between Controller And Ap

    Securing a Configuration Channel Between Controller and AP Once an access point obtains a list of available controllers, it begins connecting to the controller according to the priority list. The access point discovers the controller through several L3 discovery mechanisms, whether the controller is on the same L2 network as the AP or on a different network segment (L3).
  • Page 484: Configuration Updates

    AP Management from Controller NOTE For a review of some important considerations impacting the use of extended and independent WLANs within an AP deployment, see “AP Deployment Considerations” on page 493. Configuration Updates An AP receives its configuration from the controller initially as part of its adoption sequence. Subsequent configuration changes on the controller are reflected on an AP when applicable.
  • Page 485: Mesh Support

    RSS State | Independent WLANs | Extended WLANs
    RSS Enabled | WLAN continues beaconing | WLAN continues beaconing but AP does allow clients to associate on that WLAN
    RSS Disabled | WLAN stops beaconing | WLAN stops beaconing
    Mesh Support An AP can extend existing mesh functionality to a controller managed network. Mesh topology is configured partly through the wireless controller (defining the role of each mesh node) and partly at the mesh AP (defining the connection weight of each backhaul link).
  • Page 486: Supported Ap Topologies

    WLAN with AP Radius Proxy. NOTE The Extreme Networks wireless LAN controllers support AP Radius proxy without specifying realm information. If AP Proxy Radius is enabled without specifying realm information, the internal Radius server can no longer be used to authenticate users.
  • Page 487: Extended Wlans Only

    Extended WLANs Only An extended WLAN configuration forces all MU traffic through the controller (tunneled traffic). No wireless traffic is locally bridged at the AP. Each extended WLAN is mapped to the access point's virtual LAN2 subnet. By default, the access point's LAN2 is not enabled and the default configuration is set to static with IP addresses defined as all zeros.
  • Page 488: How The Ap Receives Its Configuration

    2 Use the controller’s secret password on the AP for the controller to authenticate it. To avoid a lengthy broken connection with the controller, Extreme Networks recommends generating an SNMP trap when the AP loses adoption with the controller.
  • Page 489: Configuring The Controller For Ap Adoption

    Configuring the Controller for AP Adoption The tasks described below are configured on an Extreme Networks wireless LAN controller. To adopt an AP on a controller: 1 Ensure enough licenses are available on the controller to adopt the required number of APs.
  • Page 490: Adopting An Ap Using Dhcp Options

    Vendor Specific Option 43 and sent in the DHCP Offer. Controller Configuration An Extreme Networks wireless LAN controller can use default values to adopt an AP, as long as a valid license is installed. In default mode, any AP adoption request is honored until the current controller license limit is reached.
  • Page 491 3 Ensure the Adopt unconfigured radios automatically option is NOT selected. When disabled, there is no automatic adoption of non-configured radios on the network. Additionally, default radio settings will NOT be applied to access points when automatically adopted. NOTE For IPSec deployments, refer to “Sample Controller Configuration File for IPSec and Independent WLAN”...
  • Page 492 AP Management from Controller NOTE Additionally, a WLAN can be defined as independent using the "wlan <index> independent" command from the config-wireless context NOTE Avoid mapping independent or extended WLANs to VLANs on the controller’s ge port. Once an AP is adopted by the controller, it displays within the controller’s Access Point Radios screen (under the Network parent menu item) as an AP3510 or AP3550.
  • Page 493: Ap Deployment Considerations

    AP Deployment Considerations Before deploying your controller/AP configuration, refer to the following usage caveats to optimize its effectiveness: Extended WLANs are mapped to the AP’s LAN2 interface and all independent WLANs are mapped ● to the AP’s LAN1 Interface. If deploying multiple independent WLANs mapped to different VLANs, ensure the AP’s LAN1 ●...
  • Page 494: Sample Controller Configuration File For Ipsec And Independent Wlan

    AP Management from Controller Sample Controller Configuration File for IPSec and Independent WLAN The following constitutes a sample controller configuration file supporting an AP IPSec with Independent WLAN configuration. Please note new AP specific CLI commands in and relevant comments in blue. The sample contains literal WPA passphrases (the dot11i phrase 0 ... lines) and a placeholder key blob; treat them as sample values to be replaced, not copied into a deployment. The sample output is as follows: ! configuration of WM3600 aaa authentication login default none...
  • Page 495 xyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxx yxyxyx wireless no adopt-unconf-radio enable manual-wlan-mapping enable wlan 1 enable wlan 1 ssid qs5-ccmp wlan 1 vlan 200 wlan 1 encryption-type ccmp wlan 1 dot11i phrase 0 Extreme123 wlan 2 enable wlan 2 ssid qs5-tkip wlan 2 vlan 210 wlan 2 encryption-type tkip wlan 2 dot11i phrase 0 Extreme123 wlan 3 enable...
  • Page 496 AP Management from Controller radio add 4 00-15-70-00-79-12 11a aap35xx radio 4 bss 1 5 radio 4 bss 2 6 radio 4 channel-power indoor 48 4 radio 4 rss enable radio 4 client-bridge bridge-select-mode auto radio 4 client-bridge ssid Mesh radio 4 client-bridge mesh-timeout 0 radio 4 client-bridge enable radio default-11a rss enable...
  • Page 497 controllerport trunk native vlan 1 controllerport trunk allowed vlan none controllerport trunk allowed vlan add 1-9,100,110,120,130,140,150,160,170, controllerport trunk allowed vlan add 180,190,200,210,220,230,240,250, interface vlan1 ip address dhcp To attach a Crypto Map to a VLAN Interface crypto map AAP-CRYPTOMAP sole ip route 157.235.0.0/16 157.235.92.2 ip route 172.0.0.0/8 157.235.92.2 ntp server 10.10.10.100 prefer version 3...
  • Page 499: Appendix C: Troubleshooting Information

    Console Port is Not Responding ● Controller Does Not Boot Up The Extreme Networks wireless LAN controller does not boot up to a username prompt via CLI console or Telnet. The table below provides suggestions to troubleshoot this issue.
  • Page 500: Controller Does Not Obtain An Ip Address Through Dhcp

    Contact Extreme Networks Support. Controller Does Not Obtain an IP Address through DHCP An Extreme Networks wireless LAN controller requires a routable IP address for the administrator to manage it via Telnet, SSH or a Web browser. The table below provides suggestions to troubleshoot this issue.
  • Page 501: Web Ui Is Sluggish, Does Not Refresh Properly, Or Does Not Respond

    When configuring the controller, it is easy to overlook the fact that the host computer is running the browser while the Extreme Networks wireless LAN controller is providing the data to the browser. Occasionally, while using the Web UI the controller does not respond or appears to be running very slow;...
  • Page 502: Access Point Issues

    Access Points that are not being adopted. Miscellaneous other issues: With a packet sniffer, look for 8375 (broadcast) packets. Reset the Extreme Networks wireless LAN controller. If the controller is hung, it may begin to adopt Access Points properly once it has been reset. All else...
  • Page 503: Sensor Port Frequently Goes Up And Down

    (going up and down) that the detection configuration is correct and that all cables are secure. All else... Contact Extreme Networks Support Mobile Unit Issues This section describes various issues that may occur when working with the mobile units associated with the wireless controller or associated Access Points.
  • Page 504: Poor Voice Quality Issues

    ... on Spectralink phones: Verify a long preamble is used with Spectralink phones. Miscellaneous Issues This section describes various miscellaneous issues related to the Extreme Networks wireless LAN controller which don’t fall into any of the previous categories. Possible issues include: Excessive Fragmented Data or Excessive Broadcast ●...
  • Page 505: System Logging Mechanism

    Contact Extreme Networks Support System Logging Mechanism The Extreme Networks wireless LAN controller provides subsystem logging to a Syslog server. There are two Syslog systems, local and remote. Local Syslog records system information locally, on the controller. The remote Syslog sends messages to a remote host. All Syslog messages conform to the RFC 3164 message format.
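As an added example (not code from the guide), the following Python parses RFC 3164 messages of the kind the controller's remote syslog emits, splitting the PRI into facility and severity and the header into timestamp, host and tag, and then filters for the more severe entries. The sample lines are constructed (the first is the example message from RFC 3164 itself); the host names and tags are assumptions, not the controller's actual output.

```python
"""RFC 3164 syslog parser for remote-syslog output.  Added example, not code
from the controller guide.  SAMPLE_LINES are constructed; the first is the
example message from RFC 3164 section 5.4, the others assume host/tag names."""
import re

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")
# TIMESTAMP (Mmm dd hh:mm:ss, day space-padded), then HOSTNAME, then MSG
HEADER_RE = re.compile(r"^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)
TAG_RE = re.compile(r"^([A-Za-z0-9_]{1,32})(\[\d+\])?:\s?")

SAMPLE_LINES = [  # constructed sample input
    "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    "<13>Oct  5 09:03:41 wm3600-lab cc: admin login from 10.1.1.20 via ssh",
    "<131>Oct  5 09:04:02 wm3600-lab aaa: authentication failed for user helpdesk1",
]


def parse_syslog(line: str) -> dict:
    """Split one RFC 3164 line into PRI fields, header and message parts.
    Raises ValueError for a missing or out-of-range PRI."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI>")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError("PRI out of range")
    facility, severity = divmod(pri, 8)
    rest = line[m.end():]
    h = HEADER_RE.match(rest)
    if h:
        timestamp, host, msg = h.groups()
    else:  # RFC 3164 s4.3.3: no valid header, treat everything as content
        timestamp, host, msg = None, None, rest
    t = TAG_RE.match(msg)
    tag = t.group(1) if t else None
    content = msg[t.end():] if t else msg
    return {"pri": pri, "facility": FACILITIES[facility], "severity": SEVERITIES[severity],
            "severity_num": severity, "timestamp": timestamp, "host": host,
            "tag": tag, "content": content}


def at_least(lines, max_severity_num: int):
    """Messages at or above a severity (lower number = more severe; 3 = err)."""
    return [p for p in map(parse_syslog, lines) if p["severity_num"] <= max_severity_num]


if __name__ == "__main__":
    for entry in at_least(SAMPLE_LINES, 3):
        print(entry["severity"], entry["host"], entry["tag"], entry["content"])
```

RFC 3164 over UDP carries no authentication, so the host and tag fields are whatever the sender wrote; keep the syslog servers configured on page 462 on a management network the controller can reach without crossing untrusted segments, and correlate on the receiving host rather than trusting the header alone.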
  • Page 506: Mib Not Visible In The Mib Browser

    Consequently, a password recovery login must be used that will default your controller back to its factory default configuration. To access the Extreme Networks wireless LAN controller using password recovery:
  • Page 507: RADIUS Troubleshooting

    CAUTION: Using this recovery procedure erases the controller's current configuration and data files from the controller's /flash directory. Only the controller's license keys are retained. You should be able to log in using the default username and password (admin/admin123) and restore the controller's previous configuration (only if it has been exported to a secure location before the password recovery procedure was invoked).
  • Page 508: RADIUS Server Does Not Reply To My Requests

    Troubleshooting Information
    ● Ensure that the key password in the AAA/EAP context is set to the key used to generate the imported certificates.
    ● DO NOT forget to SAVE!
    RADIUS Server does not reply to my requests. Ensure the following have been attempted:
    ● Add a RADIUS client in the RADIUS server configuration with the Controller's VLAN interface IP address...
  • Page 509: VPN Authentication Using Onboard RADIUS Server Fails

    ● If using the on-board RADIUS Accounting server, the files would be logged under the path: /flash/log/radius/radacct/
    Rogue AP Detection Troubleshooting: Extreme Networks recommends adhering to the following guidelines when configuring Rogue AP detection:
    ● Basic configuration required for running Rogue AP detection:...
  • Page 510: Troubleshooting Firewall Configuration Issues

    ● ...status as "enable" and should also the status of the configured detection scheme.
    ● Check for the "Extreme Networks AP" flag in the rulelist context. If it is set to "enable", then all the detected APs will be added to the approved list context.
  • Page 511: A Wired Host (Host-1) On The Trusted Side Is Not Able To Connect To A Wireless Host (Host-2) Or Wired Host (Host-3) On The Untrusted Side

    A wired Host (Host-1) on the trusted side is not able to connect to a Wireless Host (Host-2) or Wired Host (Host-3) on the untrusted side
    1. Check that IP Ping from Host1 to the Interface on the Untrusted Side of the controller works.
    2. If it works, then there is no problem in connectivity.
  • Page 512 Troubleshooting Information Summit WM3000 Series Controller System Reference Guide...

This manual is also suitable for:

Summit WM3600, Summit WM3700