HP MSM7xx Management And Configuration Manual


Summary of Contents for HP MSM7xx

  • Page 1 HP MSM7xx Controllers Management and Configuration Guide 5400zl Switches HP MSM7xx Controllers Installation and Getting Started Guide Management and Configuration Guide...
  • Page 3 HP MSM7xx Controllers Management and Configuration Guide...
  • Page 4 Hewlett-Packard. connection with the furnishing, performance, or use of this material. Publication Number The only warranties for HP products and services are set forth 5998-1136 in the express warranty statements accompanying such January 2011 products and services. Nothing herein should be construed as constituting an additional warranty.
  • Page 5: Table Of Contents

    About this guide ......................1-2 Products covered....................1-2 Important terms .....................1-3 Conventions ......................1-4 New in this release ......................1-6 Introducing the MSM7xx Controllers ................1-7 Simplified configuration, deployment, and operation ........1-7 Controller teaming ....................1-8 Seamless mobility....................1-9 Best-in-class public/guest network access service .........1-11 Safety information......................1-12 HP support ........................1-13...
  • Page 6 Contents SNMP ...........................2-13 Configuring the SNMP agent................2-13 SOAP ..........................2-16 Configuring the SOAP server ................2-16 CLI ..........................2-17 Configuring CLI support ..................2-18 System time.........................2-19 Network configuration Port configuration ......................3-3 LAN port configuration..................3-4 Internet port configuration...................3-5 PPPoE client ......................3-6 DHCP client......................3-8 Static addressing....................3-9 Network profiles ......................3-12 About the default network profiles ..............3-12 To define a network profile ................3-12...
  • Page 7 Contents IP routes ........................3-27 Configuration .......................3-28 Network address translation (NAT).................3-30 NAT security and static mappings..............3-30 VPN One-to-one NAT...................3-33 RIP..........................3-33 IP QoS ..........................3-34 Configuration .......................3-34 Example........................3-35 IGMP proxy .........................3-37 Wireless configuration Wireless coverage......................4-2 Factors limiting wireless coverage..............4-2 Configuring overlapping wireless cells...............4-3 Supporting 802.11n and legacy wireless clients ..........4-7 Radio configuration .....................4-8 Radio configuration parameters ................4-18...
  • Page 8 Contents Summary of VSC configuration options .............5-8 Access control......................5-9 Virtual AP......................5-10 VSC ingress mapping...................5-16 VSC egress mapping ....................5-17 Bandwidth control....................5-17 Default user data rates..................5-18 Wireless mobility ....................5-18 Fast wireless roaming ..................5-20 Wireless security filters..................5-20 Wireless protection....................5-23 802.1X authentication ..................5-26 RADIUS authentication realms................5-26 HTML-based user logins ..................5-27 VPN-based authentication ..................5-28 MAC-based authentication .................5-28...
  • Page 9 Contents Creating a new VSC....................5-44 Assigning a VSC to a group ..................5-44 Working with controlled APs Key concepts.........................6-3 Key controlled-mode events ..................6-4 Discovery of controllers by controlled APs..............6-6 Discovery overview ....................6-6 Discovery methods....................6-7 Discovery order .....................6-9 Discovery recommendations ................6-10 Discovery priority....................6-11 Discovery considerations ...................6-13 Monitoring the discovery process ..............6-13 Authentication of controlled APs................6-19...
  • Page 10 Contents AeroScout RTLS ......................6-40 Software retrieval/update..................6-42 Monitoring........................6-42 Working with VLANs Key concepts.........................7-2 VLAN usage ......................7-2 Defining a VLAN ......................7-3 Creating a network profile ...................7-3 Defining a VLAN ....................7-4 Defining a VLAN on a controller port ..............7-4 User-assigned VLANs ....................7-6 Traffic flow for wireless users ..................7-6 Traffic flow examples ....................7-10 Example 1: Overriding the VSC egress on a controller with a user-assigned VLAN ........................7-10...
  • Page 11 Contents Viewing all team members ..................8-16 Team configuration ....................8-17 Accessing the team manager................8-18 Team configuration options ................8-18 Removing a controller from a team ..............8-19 Editing team member settings ................8-20 Discovery of a controller team by controlled APs ..........8-22 Failover........................8-22 Supporting N + N redundancy ................8-22 Primary team manager failure ................8-24 Mobility support ......................8-26 Single controller team operating alone.............8-27...
  • Page 12 Contents Scenario 1: Centralizing traffic on a controller ............9-21 How it works ......................9-21 Configuration overview ..................9-21 Scenario 2: Centralized traffic on a controller with VLAN egress .......9-24 How it works ......................9-24 Configuration overview ..................9-24 Scenario 3: Centralized traffic on a controller with per-user traffic routing ..9-28 How it works ......................9-28 Configuration overview ..................9-28 Scenario 4: Assigning home networks on a...
  • Page 13 Contents Configuring MAC-based authentication on a VSC.........10-17 Configuring MAC-based authentication on an MSM317 switch port ..10-19 Configuring MAC-based filters on a VSC............10-19 Configuring MAC-based filters on an MSM317 switch port ......10-20 HTML-based authentication..................10-22 Configuring HTML-based authentication on a VSC ........10-22 VPN-based authentication..................10-24 Configuring VPN-based authentication on a VSC..........10-24 No authentication.....................10-26...
  • Page 14 Contents Customizing the firewall..................12-4 Working with certificates ..................12-5 Trusted CA certificate store ................12-5 Certificate and private key store ...............12-7 Certificate usage ....................12-9 About certificate warnings ................12-10 IPSec certificates ....................12-11 MAC lockout ......................12-13 Local mesh Key concepts.......................13-2 Simultaneous AP and local mesh support............13-2 Using 802.11a/n for local mesh ................13-3 Quality of service....................13-3 Maximum range (ack timeout) ................13-4...
  • Page 15 Contents The public access interface................14-5 Location-aware ....................14-7 Configuring global access control options .............14-8 User authentication .....................14-9 Client polling ......................14-10 User agent filtering ....................14-10 Zero configuration .....................14-11 Location configuration..................14-12 Display advertisements..................14-12 Public access interface control flow ..............14-13 Customizing the public access interface...............14-14 Sample public access pages ................14-15 Common configuration tasks................14-15 Setting site configuration options ................14-19...
  • Page 16 Contents Billing records log .....................14-47 Location-aware authentication................14-48 How it works ......................14-48 Example......................14-50 Security .......................14-50 Working with RADIUS attributes Introduction ........................15-3 Controller attributes overview .................15-4 Customizing the public access interface using the site attribute ....15-4 Defining and retrieving site attributes ..............15-5 Controller attribute definitions................15-8 User attributes ......................15-13 Customizing user accounts with the user attribute ........15-13...
  • Page 17 Contents Redirect URL......................15-59 NOC authentication...................15-62 HP WISPr support .....................15-62 Traffic forwarding (dnat-server)..............15-63 Multiple DNAT servers..................15-64 Colubris AV-Pair - User attribute values..............15-67 Access list ......................15-67 Advertising ......................15-68 Bandwidth level ....................15-68 Data rate ......................15-69 One-to-one NAT ....................15-69 Public IP address ....................15-70 Quotas .........................15-70 Redirect URL......................15-71...
  • Page 18 Contents Working with VPNs Overview ........................16-2 Securing wireless client sessions with VPNs............16-3 Configure an IPSec profile for wireless client VPN ........16-4 Configure L2TP server for wireless client VPN ..........16-5 Configure PPTP server for wireless client VPN ..........16-5 VPN address pool ....................16-5 Securing controller communications to remote VPN servers ......16-6 Configure an IPSec policy for a remote VPN server ........16-7 Configure PPTP client for a remote VPN server ..........16-8...
  • Page 19 Contents Configuring and activating sFlow ................18-3 Advanced sFlow configuration................18-5 Working with autonomous APs Key concepts.......................19-2 Autonomous AP detection .................19-3 Viewing autonomous AP information ...............19-3 Switching a controlled AP to autonomous mode..........19-4 Configuring autonomous APs...................19-5 VSC definitions ....................19-5 Working with third-party autonomous APs ............19-6 VSC selection .......................19-6 Maintenance Config file management.....................20-2...
  • Page 20 Contents Safety and EMC regulatory statements Safety Information ...................... A-2 Informations concernant la sécurité................. A-2 Hinweise zur Sicherheit....................A-3 Considerazioni sulla sicurezza .................. A-4 Consideraciones sobre seguridad ................A-5 Safety Information (Japan) ..................A-6 Safety Information (China) ..................A-7 EMC Regulatory Statements..................A-8 U.S.A........................
  • Page 21 Contents NOC authentication Main benefits ....................... D-2 How it works........................ D-2 Activating a remote login page with NOC authentication ........D-4 Addressing security concerns..................D-5 Securing the remote login page ................D-5 Authenticating with the login application ............D-6 Authenticating the controller................D-6 NOC authentication list ..................
  • Page 24: Introduction

    About this guide About this guide This guide explains how to configure and operate the MSM7xx Controllers. It also provides controlled-mode information for MSM3xx and MSM4xx Access Points, and the MSM317 Access Device. For information on the operation of access points that support autonomous mode, see the MSM3xx/MSM4xx Access Points Management and Configuration Guide.
  • Page 25: Important Terms

    The following terms are used in this guide. Term Description Refers to any HP MSM3xx or MSM4xx Access Point or the MSM317 Access Device which is an AP with integrated Ethernet switch. Specific model references are used where appropriate. Non-HP access points are identified as third-party APs.
  • Page 26: Conventions

    Example directions in this guide What to do in the user interface Select Controller >> Security > Firewall. On a non-teamed MSM7xx controller In the Network Tree select the Controller element, then on the main menu select Security, and then select Firewall on the sub-menu.
  • Page 27 Introduction About this guide Commands and program listings Monospaced text identifies commands and program listings as follows (example, then description): use-access-list: Command name. Specify it as shown. ip_address: Items in italics are parameters for which you must supply a value. ssl-certificate=URL [%s]: Items enclosed in square brackets are optional. You can either include them or not.
  • Page 28: New In This Release

    Introduction New in this release New in this release The following new features and enhancements have been added in releases 5.5.x: New feature or enhancement For information see... New APs This release supports the following new 802.11n dual-radio access points: E-MSM430, E-MSM460, and E-MSM466. For information, see the Quickstarts for these products.
  • Page 29: Introducing The Msm7Xx Controllers

    Introducing the MSM7xx Controllers Introducing the MSM7xx Controllers MSM7xx Controllers provide centralized management and control of intelligent HP MSM APs for a wide range of deployments, from small Internet cafes and businesses, to large corporations and institutions, and even entire towns.
  • Page 30: Controller Teaming

    Introduction Introducing the MSM7xx Controllers Controller managing APs installed in different areas at a single location Controller Backbone Network Secure management tunnels Area #1 Area #2 Area #3 Controller teaming Controller teaming enables you to easily configure and monitor multiple controllers and their APs.
  • Page 31: Seamless Mobility

    Introduction Introducing the MSM7xx Controllers APs, including newly discovered APs. It also displays status information for all team members and their APs, as well as APs directly connected to the manager. The team manager is responsible for enforcing and updating the firmware of team members.
  • Page 32 Introduction Introducing the MSM7xx Controllers The following diagram shows a deployment where the wireless traffic for each user is egressed onto a specific network segment by assigning a home network to each user. Traffic is sent to a different wired network based on the...
  • Page 33: Best-In-Class Public/Guest Network Access Service

    Introduction Introducing the MSM7xx Controllers Best-in-class public/guest network access service Designed to deliver the best possible user experience, the public/guest network access feature adapts to any client device IP address and Web proxy settings, enabling users to connect without reconfiguring their computers.
  • Page 34: Safety Information

    (except for outdoor models / antennas), including all PoE-powered network connections as described by Environment A of the IEEE 802.3af standard. Servicing There are no user-serviceable parts inside HP MSM7xx products. Any servicing, adjustment, maintenance, or repair must be performed only by trained service personnel. ...
  • Page 35: Hp Support

    ProCurve. Additionally, your HP-authorized networking products reseller can provide you with assistance. Before contacting support To make the support process most efficient, before calling your networking dealer or HP Support, you first should collect the following information: Collect this information Where to find it Product identification.
  • Page 36 Introduction Online documentation 1-14...
  • Page 37 Chapter 2: Management Management Contents Management tool......................2-2 Management scenarios ..................2-2 Management station ....................2-2 Starting the management tool................2-2 Customizing management tool settings..............2-3 Password security policies...................2-7 Management tool security features ..............2-8 Web server ......................2-8 Auto-refresh ......................2-9 Device discovery ......................2-9 Mobility controller discovery................2-10 Controlled AP discovery..................2-11 SNMP ...........................2-13 Configuring the SNMP agent................2-13...
  • Page 38: Management

    Management Management tool Management tool The management tool is a Web-based interface to the controller that provides easy access to all configuration and monitoring functions. Management scenarios For complete flexibility, you can manage the controller both locally and remotely. The following management scenarios are supported: • Local management using a computer that is connected to the LAN or Internet port on the ...
  • Page 39: Customizing Management Tool Settings

    Management Management tool Customizing management tool settings To customize management tool settings, select Controller >> Management > Management tool.
  • Page 40 Management Management tool Administrative user authentication Login credentials for administrative users can be verified using local account settings and/or an external RADIUS server. • Local account settings: A single manager and operator account can be configured locally under Manager account and Operator account on this page. ...
  • Page 41 Management Management tool Manager and Operator accounts Two types of administrative accounts are defined: manager and operator. • The manager account provides full management tool rights. • The operator account provides read-only rights plus the ability to disconnect wireless clients and perform troubleshooting. Only one administrator (manager or operator) can be logged in at any given time.
  • Page 42 Management Management tool Passwords Passwords must be 6 to 16 printable ASCII characters in length with at least 4 different characters. Passwords are case sensitive. Space characters and double quotes ( “ ) cannot be used. Passwords must also conform to the selected security policy as described below. Manager username/password reset Not supported on the MSM-765.
  • Page 43: Password Security Policies

    Management Management tool A typical session looks like this: 127.0.0.1 login: emergency -------------------------- Emergency Menu -------------------------- Device information Serial number: SG9603P004 IP address: 16.90.48.186 Select one of the following options: 1. Reset both the manager username and password to "admin" 0.
  • Page 44: Management Tool Security Features

    Management Management tool • The settings under Account inactivity logout must be configured as follows: • Timeout must be set to 15 minutes or less. For more information on these guidelines, refer to the Payment Card Industry Data Security Standard v1.2 document. Management tool security features The management tool is protected by the following security features: ...
  • Page 45: Auto-Refresh

    Management Device discovery Auto-refresh This option controls how often the controller updates the information in group boxes that show the auto-refresh icon in their title bar. Under Interval, specify the number of seconds between refreshes. Auto-refresh icon Device discovery Use this page to define discovery options for: ...
  • Page 46: Mobility Controller Discovery

    Management Device discovery On a controller team Mobility controller discovery The wireless mobility feature defines a mobility domain, which is an interconnection between multiple controllers for the purpose of exchanging mobility information on wireless users. For more information, see Chapter 9: Mobility traffic manager.
  • Page 47: Controlled Ap Discovery

    Management Device discovery Controller discovery and teaming When teaming is active, several configuration scenarios are possible: • Teamed controllers operating in conjunction with one or more non-teamed controllers: Set the team as the primary mobility controller. On the other controllers, set the IP address of primary mobility controller parameter to the team IP address.
  • Page 48 Management Device discovery The following table shows how discovery would occur for several teamed and non-teamed controllers. Configured discovery Actual order of Controller or Team priority setting discovery by APs Controller 1 Controller 2 Controller 3 Team 1 Team 2 Team 3 Active interfaces Select the physical interfaces on which the controller or team manager will listen for...
  • Page 49: Snmp

    Management SNMP SNMP The controller provides a SNMP implementation supporting both industry-standard and custom MIBs. For information on supported MIBs, see the MSM SNMP MIB Reference Guide. Configuring the SNMP agent Select Controller >> Management > SNMP to open the SNMP agent configuration page. By default, the SNMP agent is enabled (SNMP agent configuration in title bar is checked) and is active on the LAN port.
  • Page 50 Management SNMP Attributes System name Specify a name to identify the controller. By default, this is set to the serial number of the controller. Location Specify a descriptive name for the location where the controller is installed. Contact Contact information for the controller. Port Specify the UDP port and protocol the controller uses to respond to SNMP requests.
  • Page 51 Management SNMP v3 users This table lists all defined SNMP v3 users. To add a new user, select Add New User. Up to five users are supported. To edit a user, select its link in the Username column. Username The SNMP v3 username. Security Security protocol defined for the user.
  • Page 52: Soap

    The controller provides a SOAP interface that can be used by SOAP-compliant client applications to perform configuration and management tasks. An MSM SOAP/XML SDK zip file is available at www.hp.com/networking/SOAP-XML-SDK. Look for the file corresponding to your MSM software version.
  • Page 53: Cli

    Management TCP port Specify the number of the TCP port that SOAP uses to communicate with remote applications. Default is 448. Security Use these settings to control access to the SOAP interface. • Allowed addresses: List of IP addresses from which access to the SOAP interface is permitted.
  • Page 54: Configuring Cli Support

    Management Configuring CLI support Select Controller >> Management > CLI to open the Command Line Interface (CLI) configuration page. Secure shell access Enable this option to allow access to the CLI via an SSH session. The CLI supports SSH on the standard TCP port (22).
  • Page 55: System Time

    Management System time Local manager account The login username and password are the same as those defined for the local manager account. If this account is disabled, the last known username and password for this account are used. Administrative user authentication settings The login username and password use the same settings (Local and/or RADIUS) as defined for the manager account under Administrative user authentication.
  • Page 56 By default, the list contains two ntp vendor zone pools that are reserved for HP devices. By using these pools, you will get better service and keep from overloading the standard ntp.org server. For more information refer to: pool.ntp.org.
  • Page 57 Chapter 3: Network configuration Network configuration Contents Port configuration ......................3-3 LAN port configuration..................3-4 Internet port configuration...................3-5 PPPoE client ......................3-6 DHCP client......................3-8 Static addressing....................3-9 Network profiles ......................3-12 About the default network profiles ..............3-12 To define a network profile ................3-12 Address allocation......................3-13 DHCP server......................3-14 DHCP relay agent ....................3-16 VLAN support ......................3-19...
  • Page 58 Network configuration IP routes ........................3-27 Configuration .......................3-28 Network address translation (NAT).................3-30 NAT security and static mappings..............3-30 VPN One-to-one NAT...................3-33 RIP..........................3-33 IP QoS ..........................3-34 Configuration .......................3-34 Example ........................3-35 IGMP proxy .........................3-37...
  • Page 59: Port Configuration

    Network configuration Port configuration Port configuration The Port configuration page displays summary information about all ports, VLANs, and GRE tunnels. Open this page by selecting Controller >> Network > Ports. Port configuration information • Status indicator: Operational state of each port, as follows: ...
  • Page 60: Lan Port Configuration

    Network configuration Port configuration LAN port configuration The LAN port is used to connect the controller to a wired network. To verify and possibly adjust LAN port configuration, select Controller >> Network > Ports > LAN port. Addressing options The LAN port must be configured with a static IP address, because the controller cannot function as a DHCP client on the LAN port.
  • Page 61: Internet Port Configuration

    Network configuration Port configuration Internet port configuration To verify and possibly adjust Internet port configuration, select Controller >> Network > Ports > Internet port. Addressing options The Internet port supports the following addressing options: • PPPoE client on page 3-6 ...
  • Page 62: Pppoe Client

    Network configuration Port configuration Note If you enable this feature you should not assign static NAT mappings in the range 5000 to 10000. Size of port range Sets the number of TCP and UDP ports reserved for each user. PPPoE client To configure the PPPoE client on the Internet port, select Controller >>...
  • Page 63 Network configuration Port configuration Un-numbered mode This feature is useful when the controller is connected to the Internet and NAT is not being used. Instead of assigning two IP addresses to the controller, one to the Internet port and one to the LAN port, both ports can share a single IP address.
  • Page 64: Dhcp Client

    Network configuration Port configuration DHCP client To configure the DHCP client on the Internet port, select Controller >> Network > Ports and then select DHCP Client and then Configure. Settings DHCP client ID Specify an ID to identify the controller to the DHCP server. Assigned by DHCP server These settings are assigned to the controller by your service provider DHCP server.
  • Page 65: Static Addressing

    Network configuration Port configuration Release Select to release the controller IP address. Renew Select to renew the controller IP address. Static addressing To configure static addressing on the Internet port, select Controller >> Network > Ports and then select Static and then Configure. Port settings IP address Specify the static IP address you want to assign to the port.
  • Page 66 Network configuration Port configuration To reduce the number of addresses that need to be defined, the controller will use the same address for multiple users as long as they are establishing a connection with different VPN servers. Use this feature when all of the following conditions are true: • Users intend to make IPSec or PPTP VPN connections with a remote site via the Internet ...
  • Page 67 Network configuration Port configuration Public IP addresses are assigned by the integrated DHCP server using the addresses specified in the Address pool. Whenever possible, this feature will assign the same public IP address to a user each time they connect. When you enable public IP address support in a subscription plan, an additional setting is available called Reserve public IP address.
  • Page 68: Network Profiles

    Network configuration Network profiles Network profiles Network profiles let you define the characteristic of a network and assign a friendly name to it. Profiles make it easy to configure the same settings in multiple places on the controller. For example, if you define a profile with a VLAN ID of 10, you could use that profile to: ...
  • Page 69: Address Allocation

    Network configuration Address allocation 2. Select Add New Profile. 3. Configure profile settings as follows: • Under Settings, specify a Name for the profile. • To assign a VLAN, select VLAN and then specify an ID. If the profile will be used on an Ethernet port, you can also define a range of VLANs. This enables a single VLAN definition to span a large number of contiguously assigned VLANs.
  • Page 70: Dhcp Server

    Network configuration Address allocation DHCP server The DHCP server can be used to automatically assign IP addresses to devices that are connected to the controller via the LAN port or client data tunnel. Note • Do not enable the DHCP server if the LAN port is connected to a network that already has an operational DHCP server.
  • Page 71 Network configuration Address allocation Addresses Start / End Specify the starting and ending IP addresses that define the range of addresses the DHCP server can assign to client stations. The address assigned to the controller is automatically excluded from the range. Gateway Specify the IP address of the default gateway the controller will assign to DHCP users.
  • Page 72: Dhcp Relay Agent

    This list is sent to all devices that request an IP address, encoded as DHCP option 43 (Vendor-specific information). However, this information is only interpreted by HP ProCurve APs that are operating in controlled mode. Controlled mode APs use these addresses to connect with the controllers in the order that they appear in the list.
  • Page 73 Network configuration Address allocation Note For additional flexibility, separate DHCP relay agents can be enabled on access-controlled VSCs. See DHCP relay agent on page 5-31. Use the following guidelines when configuring DHCP relay: • Routes must be defined on the DHCP server, so that the DHCP server can successfully send DHCP response packets back to the DHCP relay agent running on the controller.
  • Page 74 Network configuration Address allocation The following two fields let you attach information to the DHCP request (as defined by DHCP relay agent information option 82) which lets the DHCP server identify the controller. • Circuit ID: Use this field to identify the user that issued the DHCP request. ...
  • Page 75: Vlan Support

    Network configuration VLAN support For L2 connected APs operating in controlled mode: • Enable the Client data tunnel option under Settings. (If teaming is active, the client data tunnel is automatically used.) • Enable the Always tunnel client traffic option on the VSC profile page under Virtual AP >...
  • Page 76 Network configuration GRE tunnels To add a tunnel, select Add New GRE Tunnel. The Add/Edit GRE tunnel page opens. Define tunnel settings as follows: • Name: Tunnel name. • Local tunnel IP address: Specify the IP address of the controller inside the tunnel. ...
  • Page 77: Bandwidth Control

    Network configuration Bandwidth control Bandwidth control The controller incorporates a bandwidth management feature that enables control of all user traffic flowing through the controller. To configure Bandwidth management, select Controller >> Network > Bandwidth Control. Bandwidth control has two separate components: Internet port data rate limits and bandwidth levels.
  • Page 78: Internet Port Data Rate Limits

    Network configuration Bandwidth control Internet port data rate limits These settings enable you to limit the total incoming or outgoing data rate on the Internet port. If traffic exceeds the rate you set for short bursts, it is buffered. Long overages will result in data being dropped.
  • Page 79: Example

    Network configuration Bandwidth control Note
      • Management traffic (which includes RADIUS, SNMP, and administrative sessions) is assigned to bandwidth level Very High and cannot be changed.
      • All traffic assigned to a particular bandwidth level shares the allocated bandwidth for that level across all VSCs.
  • Page 80: Discovery Protocols

    Network configuration Discovery protocols Since both High and Normal require bandwidth in excess of their guaranteed minimum, each is allocated their guaranteed minimum. This leaves 40% of the bandwidth free to be assigned on a priority basis. High has more priority than Normal, so it takes as much bandwidth as needed.
  • Page 81: Dns

    Network configuration The controller always listens for CDP information on the LAN and Internet ports, even when this option is disabled, to build a list of autonomous APs. CDP information from third-party devices and controlled APs is ignored. Note Controlled APs always send CDP information. The controller provides several options to customize DNS handling.
  • Page 82: Dns Servers

    Network configuration Note When using Active Directory for user authentication, set the DNS servers to be the Active Directory servers or the devices that provide SRV records. DNS servers Dynamically assigned servers Shows the DNS servers that are dynamically assigned to the controller when PPPoE or DHCP is used to obtain an IP address on the Internet port.
  • Page 83: Ip Routes

    Network configuration IP routes DNS switch over Controls how the controller switches back to the primary server.
      • When enabled, the controller switches back to the primary server once the primary server becomes available again.
      • When disabled, the controller switches back to the primary server only when the ...
  • Page 84: Configuration

    Network configuration IP routes Configuration To view and configure IP routes, select Controller >> Network > IP routes. Active routes This table shows all active routes on the controller. You can add routes by specifying the appropriate parameters and then selecting Add. The routing table is dynamic and is updated as needed.
  • Page 85 Network configuration IP routes The routing table is dynamic and is updated as needed. If more than one default route exists, the first route in the table is used. The following information is shown for each default route:  Interface: The port through which traffic is routed. When you add a route, the controller automatically determines the interface to be used based on the Gateway address.
  • Page 86: Network Address Translation (Nat)

    Network configuration Network address translation (NAT) Network address translation (NAT) Network address translation is an address mapping service that enables one set of IP addresses to be used on an internal network, and a second set to be used on an external network.
  • Page 87 Network configuration Network address translation (NAT) A static NAT mapping allows only one internal IP address to act as the destination for a particular protocol (unless you map the protocol to a nonstandard port). For example, you can run only one Web server on the internal network. Note If you use a NAT static mapping to enable a secure (HTTPS) Web server on the internal ...
  • Page 88 Network configuration Network address translation (NAT) NAT example The following example shows you how to configure static NAT mappings to run a Web server and an FTP server on the internal network. This scenario might occur if you use the controller in an enterprise environment.
  • Page 89: Vpn One-To-One Nat

    Network configuration 6. To support the FTP server, create two additional mappings with the following values:
      • Set Standard Services to ftp-data (TCP 20) and set IP address to 192.168.1.3.
      • Set Standard Services to ftp-control (TCP 21) and set IP address to 192.168.1.3.
  • Page 90: Ip Qos

    Network configuration IP QoS IP QoS To ensure that critical applications have access to the required amount of wireless bandwidth, you can classify packets destined for the wireless interface into priority queues based on a number of criteria. For example, you can use any of the following to place data packets in one of four priority queues for transmission onto the wireless interface: ...
  • Page 91: Example

    Network configuration IP QoS Settings
      • Profile name: Specify a unique name to identify the profile.
      • Protocol: Specify an IP protocol to use to classify traffic by specifying its Internet Assigned Numbers Authority (IANA) protocol number. Protocol numbers are pre-defined for a number of common protocols.
  • Page 92 Network configuration IP QoS 5. Under Priority, from the drop-down list select Very High. 6. Select Save. Note You could also create another profile using the same parameters but for UDP to cope with any kind of SIP traffic. 7. On the IP QoS Profile page select Add New Profile. 8.
  • Page 93: Igmp Proxy

    Network configuration IGMP proxy Assign the profiles to a VSC 1. In the Network Tree select VSCs (if not visible, first select the + symbol to the left of Controller), and then select one of the VSC profiles in the Name column. Scroll down to the Quality of service section of the Virtual AP box.
  • Page 95 Chapter 4: Wireless configuration Wireless configuration Contents
      • Wireless coverage, 4-2
      • Factors limiting wireless coverage, 4-2
      • Configuring overlapping wireless cells, 4-3
      • Supporting 802.11n and legacy wireless clients, 4-7
      • Radio configuration, 4-8
      • Radio configuration parameters, 4-18
      • Advanced wireless settings, 4-29
      • Wireless neighborhood, 4-34
      • Scanning modes, 4-34
      • Viewing wireless information, 4-35
      • Viewing all wireless clients, 4-35
      • Viewing info for a specific wireless client, 4-36...
  • Page 96: Wireless Configuration

    AP. The following sections provide information on wireless coverage. A tool that can help simplify planning a secure wireless network is the HP ProCurve RF Planner. For more information, see the RF Planner Admin Guide.
  • Page 97: Configuring Overlapping Wireless Cells

    Wireless configuration Wireless coverage  Select Controlled APs >> Overview > Wireless rates to view information about data rates for all connected client stations. This makes it easy to determine if low-speed clients are affecting network performance. To prevent low-speed clients from connecting, you can use the Allowed wireless rates option when defining a VSC.
  • Page 98 Wireless configuration Wireless coverage The following example shows two overlapping wireless cells operating on the same channel (frequency). Since both APs are within range of each other, the number of deferred transmissions can be large. The solution to this problem is to configure the two APs to operate on different channels. Unfortunately, in the 2.4 GHz band, adjacent channels overlap.
  • Page 99 Wireless configuration Wireless coverage The number of channels available for use in a particular country are determined by the regulations defined by the local governing body and are automatically configured by the AP based on the Country setting you define. (See Assigning country settings to a group on page 6-30.) This means that the number of non-overlapping channels available to you varies...
  • Page 100 Wireless configuration Wireless coverage Using only three frequencies across multiple cells in North America. This strategy can be expanded to cover an even larger area using three channels, as shown in the following figure. Using three frequencies to cover a large area in North America. Gray areas indicate overlap between two cells that use the same frequency.
  • Page 101: Supporting 802.11N And Legacy Wireless Clients

    APs more frequently. Automatic transmit power control The automatic power control feature enables the AP to dynamically adjust its transmission power to avoid causing interference with neighboring HP ProCurve APs. For information see Transmit power control on page 4-32.
  • Page 102: Radio Configuration

    Wireless configuration Radio configuration Radio configuration To define configuration settings for a radio, select Controller > Controlled APs >> Configuration > Radio list. This opens the Product radios page which lists all radios on all AP models. For example: To configure the radios for a product, select the product in the list. This opens the Radio(s) configuration page.
  • Page 103 Wireless configuration Radio configuration E-MSM466...
  • Page 104 Wireless configuration Radio configuration E-MSM460 and E-MSM430
  • Page 105 Wireless configuration Radio configuration MSM422
  • Page 106 Wireless configuration Radio configuration MSM410
  • Page 107 Wireless configuration Radio configuration MSM335 (radio 1 and 2)
  • Page 108 Wireless configuration Radio configuration MSM335 (radio 3)
  • Page 109 Wireless configuration Radio configuration MSM320
  • Page 110 Wireless configuration Radio configuration MSM317
  • Page 111 Wireless configuration Radio configuration MSM310
  • Page 112: Radio Configuration Parameters

    Controlled APs >> Overview > Neighborhood.
      • Sensor: Enables RF sensor functionality on the radio. HP APs are smart APs, and do not forward broadcast packets when no client stations are connected. Therefore, the RF sensor function will not be able to detect these APs unless they have at least one connected wireless client station.
  • Page 113 Wireless configuration Radio configuration Access point Access point Local mesh Product and Local Monitor Sensor only only mesh ✔ ✔ ✔ ✔ ✕ MSM422 ✕ ✔ ✕ ✔ ✕ MSM317 ✔ ✔ ✔ ✔ ✕ E-MSM430 ✔ ✔ ✔ ✔ ✕...
  • Page 114 Wireless configuration Radio configuration Wireless mode Supported wireless modes are determined by the regulations of the country in which the AP is operating, and are controlled by the country setting on the AP. To configure the country setting, see Assigning country settings to a group on page 6-30.
  • Page 115 Data rates Up to 300 Mbps. HP refers to this mode as Pure 802.11n. When operating in this mode, the AP does not permit non-802.11n clients to associate. Legacy clients can see the access point, and may attempt to associate, but they will be rejected. The AP makes this determination based on the supported rates that the client presents during its association request.
  • Page 116 Note This mode is sometimes incorrectly called Greenfield. Greenfield is an 802.11n-specific preamble that can be used by clients and APs. HP APs do not support this preamble and therefore do not support Greenfield mode. When to use this mode...
  • Page 117 For 802.11g clients: Up to 54 Mbps. For 802.11b clients: Up to 11 Mbps. HP refers to this mode as Compatibility mode because the AP allows both 802.11n and legacy clients to associate. The AP advertises protection in the beacon when legacy clients are associated or operating on the same channel.
  • Page 118 Wireless configuration Radio configuration 802.11g Supported on MSM310, MSM317, MSM320, MSM335, MSM410, MSM422 Frequency band 2.4 GHz Data rates Up to 54 Mbps. This is a legacy mode that can be used to support older wireless client stations. 802.11a Supported on MSM310, MSM317, MSM320, MSM335, MSM410, MSM422 Frequency band 5 GHz...
  • Page 119 Wireless configuration Radio configuration The channel selected on the radio page is the primary channel and the secondary (or extension) channel is located adjacent to it. The secondary channel is either above or below depending on which channel was selected as the primary. In the 5 GHz band, the channels are paired: 36 and 40 are always used together, 44 and 48 are always used together, etc.
  • Page 120 When operating in 802.11a or 802.11n (5 GHz) modes, channels do not interfere with each other, enabling APs to operate on two adjacent channels without interference. HP APs support Dynamic Frequency Selection (802.11h) and Transmit Power Control (802.11d) for 802.11a operation in European countries. These options are automatically enabled as required.
  • Page 121 Wireless configuration Radio configuration best to select channels as follows, according to the number of 2.4 GHz channels available in your region.
      Available 2.4 GHz channels | Channel width | Recommended non-overlapping channels
      1 to 13 | 20 MHz | 1, 7, 13
      1 to 13 | 40 MHz | 1, 13 (If both are used, there will be some performance degradation.)
  • Page 122 Wireless configuration Radio configuration Antenna selection Supported on: MSM310, MSM320, MSM335, MSM422 Not available in Monitor or Sensor modes. Select the antenna(s) to use for each radio. Antenna support varies on each AP. For a list of supported external antennas, see Connecting external antennas in the MSM3xx / MSM4xx Access Points Management and Configuration Guide.
  • Page 123: Advanced Wireless Settings

    Wireless configuration Radio configuration
      • For point-to-point local mesh links on Radio 1, install two directional antennas on connectors A and B. Installing a third directional antenna on connector C will increase performance only on the receive side.
      • Radio 2 supports diversity via its two internal antennas, but not when using an external antenna.
  • Page 124 Wireless configuration Radio configuration HP APs support the following two explicit beamforming techniques:
      • Non-compressed beamforming, in which the client station calculates and sends the steering matrix to the AP.
      • Compressed beamforming, in which the client station sends a compressed steering matrix to the AP.
  • Page 125 Wireless configuration Radio configuration
      • No MAC protection: This setting gives the best performance for 802.11n clients in the presence of 802.11g or 802.11a legacy clients or APs. No protection frames (CTS-to-self or RTS/CTS) are sent at the MAC layer by the AP. PHY-based protection remains active, which alerts legacy clients to stay off the air while the AP is transmitting data to 802.11n clients.
  • Page 126 Wireless configuration Radio configuration Distance between APs Not supported on: E-MSM430, E-MSM460, E-MSM466 Not available in Monitor or Sensor modes. Use this parameter to adjust the receiver sensitivity of the AP only if:
      • You have more than one wireless AP installed in your location. ...
  • Page 127 Caution For specific power limits according to your regulatory domain, consult the Antenna Power-Level Settings Guide available at www.hp.com/networking/support (for Product Brand, select ProCurve and search for your antenna). For example, if you install an external 8 dBi directional antenna, and the maximum allowed power level for your country is 15 dBm, you may have to reduce the transmit power level to be in compliance.
  • Page 128: Wireless Neighborhood

    Wireless configuration Wireless neighborhood Wireless neighborhood Select Controlled APs >> Overview > Neighborhood to view information on APs operating in your area. This page presents a list of all APs that have been detected by all of the controlled APs. For example: You can also view the list detected by a specific controlled AP by selecting in the Network Tree.
  • Page 129: Viewing Wireless Information

    Wireless configuration Viewing wireless information
      • On the MSM310, MSM320, MSM335, MSM410, MSM422: Scanning is continuously performed on all the channels in the currently selected Operating mode, even though the channel is only re-evaluated each time the channel selection interval expires. (If the interval is set to Disabled, continuous scanning is not performed.) Continuous scanning can cause interruptions to voice calls.
  • Page 130: Viewing Info For A Specific Wireless Client

    Wireless configuration Viewing wireless information Duration Indicates how long the client station has been authorized. Signal Indicates the strength of the radio signal received from client stations. Signal strength is expressed in decibel milliwatt (dBm). The higher the number the stronger the signal. Noise Indicates how much background noise exists in the signal path between client stations and the AP.
  • Page 131 Wireless configuration Viewing wireless information The information you see will vary depending on the AP to which the client is connected. For example, the following shows the status page for a client connected to an MSM317. For a complete description of all fields see the online help.
  • Page 132: Viewing Wireless Client Data Rates

    Wireless configuration Viewing wireless information Viewing wireless client data rates To view information on all wireless client stations currently connected to the AP, select Controlled APs >> Overview > Wireless rates. This page shows the volume of traffic sent and received at each data rate for each client station.
  • Page 133: Wireless Access Points

    Wireless configuration Viewing wireless information Wireless access points To view wireless information for an AP, select Controlled APs > [group] > [AP] >> Status > Wireless. The information you see will vary depending on the AP. For example, this is the status page for an MSM317: Access point status Wireless port...
  • Page 134 Wireless configuration Viewing wireless information Tx power Current transmission power. Transmit protection status
      • Disabled: HT protection / G protection is disabled.
      • B clients: G protection is enabled because a B client is connected to the AP.
      • B APs: G protection is enabled because a B client is connected to another AP on the same channel used by the AP.
  • Page 135 Wireless configuration Viewing wireless information Tx retry limit exceeded The number of times an MSDU is not transmitted successfully because the retry limit is reached, due to no acknowledgment or no CTS received. Tx multiple retry frames The number of MSDUs successfully transmitted after more than one retransmission (on the total of all associated fragments).
  • Page 136 Wireless configuration Viewing wireless information Rx packets (Not shown on the E-MSM460) The total number of packets received. Rx dropped (Not shown on the E-MSM460) The number of received packets that were dropped due to lack of resources on the AP. This should not occur under normal circumstances.
  • Page 137 Wireless configuration Viewing wireless information Rx MSG in msg fragments The number of MPDUs of type Data or Management received successfully, while there was another good reception going on above the carrier detect threshold (the message-in-message path #2 in the modem). Rx WEP undecryptable The number of received MPDUs, with the WEP subfield in the Frame Control field set to one, that were discarded because it should not have been encrypted or due to the receiving station...
  • Page 139: Working With Vscs

    Chapter 5: Working with VSCs Working with VSCs Contents
      • Key concepts, 5-3
      • Viewing and editing VSC profiles, 5-4
      • The default VSC, 5-4
      • VSC configuration options, 5-5
      • About access control and authentication, 5-6
      • Summary of VSC configuration options, 5-8
      • Access control, 5-9
      • Virtual AP, 5-10
      • VSC ingress mapping, 5-16
      • VSC egress mapping, 5-17
      • Bandwidth control, 5-17...
  • Page 140 Working with VSCs
      • VSC data flow, 5-32
      • Access control enabled, 5-32
      • Access control disabled, 5-34
      • Using multiple VSCs, 5-36
      • About the default VSC, 5-36
      • Quality of service (QoS), 5-37
      • Priority mechanisms, 5-38
      • IP QoS profiles, 5-40
      • Upstream DiffServ tagging, 5-41
      • Upstream/downstream traffic marking, 5-41
      • QoS example, 5-43
      • Creating a new VSC, 5-44
      • Assigning a VSC to a group, 5-44...
  • Page 141: Key Concepts

    Working with VSCs Key concepts Key concepts A VSC (virtual service community) is a collection of configuration settings that define key operating characteristics of the controller and controlled APs. In most cases, a VSC is used to define the characteristics of a wireless network and to control how wireless user traffic is distributed onto the wired network.
  • Page 142: Viewing And Editing Vsc Profiles

    The VSC profiles list shows all VSCs that are currently defined on the controller. To open the list, select VSCs in the Network Tree. The HP VSC profile is defined by default.
      • To add a VSC, select VSCs >> Overview > Add New VSC Profile.
  • Page 143: Vsc Configuration Options

    Working with VSCs VSC configuration options VSC configuration options This section provides an overview of all the configuration options available for a VSC. It will give you a good idea of how the features can be used. The default VSC is pre-configured as described in the following pages. Below is an overview of the entire VSC configuration page.
  • Page 144: About Access Control And Authentication

    Working with VSCs VSC configuration options About access control and authentication The availability of certain VSC features and their functionality is controlled by the settings of two important parameters in the Global box. These parameters determine how authentication and access control are handled by the VSC: Use Controller for: Authentication Determines if user authentication services (802.1X, WPA, WPA2, MAC-based) are provided by the controller.
  • Page 145 Working with VSCs VSC configuration options When only authentication is enabled In this configuration, the controlled AP forwards authentication requests from users on the VSC to the controller. The controller resolves these requests using the local user list, or the services of a third-party authentication server (Active Directory or RADIUS server).
  • Page 146: Summary Of Vsc Configuration Options

    Working with VSCs VSC configuration options Summary of VSC configuration options The following table lists the VSC configuration options that are available depending on how access control and authentication are configured. Use Controller for: Authentication Authentication VSC configuration option Access control only Neither ✔...
  • Page 147: Access Control

    Working with VSCs VSC configuration options Access control The settings only apply to access-controlled VSCs. Present session and welcome page to 802.1X users Enable this option to have the public access interface present the Welcome, Transport, and Session pages to 802.1X users. When disabled, these pages are not sent to 802.1X users.
  • Page 148: Virtual Ap

    Working with VSCs VSC configuration options Virtual AP The virtual AP settings define the characteristics of the wireless network created by the VSC, including its name, the number of clients supported, and QoS settings. Access control enabled Access control disabled Select the Virtual AP checkbox to enable the wireless network defined by this VSC.
  • Page 149 Working with VSCs VSC configuration options DTIM count Specify the DTIM period in the wireless beacon sent by controlled APs. Client stations use the DTIM to wake up from low-power mode to receive multicast traffic. APs transmit a beacon every 100 ms. The DTIM counts down with each beacon that is sent. Therefore if the DTIM is set to 5, then client stations in low-power mode will wake up every 500 ms (.5 second) to receive multicast traffic.
  • Page 150 Working with VSCs VSC configuration options
      • If the AP has learned that a client is capable of transmitting at 5 GHz, the AP refuses the first association request sent by the client at 2.4 GHz.
      • Once a client is associated at 5 GHz, the AP will not respond to any 2.4 GHz probes from the client as long as the client’s signal strength at 5 GHz is greater than -80 dBm (decibel milliwatt).
  • Page 151 Working with VSCs VSC configuration options
      • Unicast traffic exchanged between VSCs on different radios is controlled by the setting of the sender’s VSC.
      • Multicast traffic exchanged between VSCs is always controlled by the setting of the sender’s VSC.
      Generally, most clients will be involved in the bidirectional exchange of unicast packets.
  • Page 152 Working with VSCs VSC configuration options
      • High security/less performance: This option uses HMAC (Hash based message authentication code) to ensure the data integrity and authenticity of each packet. Performance is reduced due to the overhead needed to calculate HMAC.
      Regardless of the security method used, the client tunnel does not encrypt the data stream.
  • Page 153 Working with VSCs VSC configuration options Allowed wireless rates Select the wireless transmission speeds (in Mbps) that this VSC will support for each wireless mode. Clients will only be able to connect at the rates that you select. If a client does not support the selected rate and mode, it will not be able to connect to this VSC.
  • Page 154: Vsc Ingress Mapping

    Working with VSCs VSC configuration options Notes on 802.11n 802.11n supports legacy rates (1 to 54), as well as high-throughput (HT) rates MCS 0 to MSC  MCS 0 to MCS 15 are supported by the MSM410, MSM422, E-MSM430, E-MSM460, and E-MSM466.
  • Page 155: Vsc Egress Mapping

    Working with VSCs VSC configuration options If a VSC is bound to the MSM317 Ethernet Switch, it cannot handle traffic from wireless clients on the MSM317 or other APs. For more information, see VSC data flow on page 5-32 and Traffic flow for wireless users on page 7-6.
  • Page 156: Default User Data Rates

    Working with VSCs VSC configuration options For more information on setting the appropriate RADIUS attributes to accomplish this, refer to the Management and Configuration Guide for this product. Default user data rates These options enable you to set the default data rates for authenticated users that do not have a data rate set in their RADIUS accounts, and for unauthenticated users.
  • Page 157 Working with VSCs VSC configuration options To use wireless mobility, you must:
      • Disable the Access control option under Global.
      • Install a Mobility or Premium license on the controller.
      • Bind the same VSC to all APs that will support roaming.
      • Configure the Wireless security filters so that they do not interfere with roaming ...
  • Page 158: Fast Wireless Roaming

    Working with VSCs VSC configuration options One issue with using this method to determine the home subnet is that a user’s IPv4 address is typically retrieved through DHCP. If a user connects to an AP in a new location (rather than roaming to the AP), the IP address assigned through DHCP may identify the user as local to the network, and not roaming.
  • Page 159 HTTPS traffic not addressed to the AP (or upstream device) is also blocked, which means wireless users cannot access the management tool on other HP ProCurve APs. Outgoing wireless traffic filters Applies to traffic sent from the AP to wireless users.
  • Page 160 To use the default filters as a starting point, select Get Default Filters. Filters are specified using standard pcap syntax with the addition of a few HP ProCurve-specific placeholders. These placeholders can be used to refer to specific MAC addresses and are expanded by the AP when the filter is activated.
  • Page 161: Wireless Protection

    Working with VSCs VSC configuration options Wireless protection Two types of wireless protection are offered: WPA and WEP. On the MSM410 and MSM422 When using 802.11n, wireless protection settings are enforced as follows:
      • WEP protection is never permitted. If selected, WPA or WPA2 protection is used instead. ...
  • Page 162 Working with VSCs VSC configuration options Authentication can occur via the local user accounts and a remote authentication server (Active Directory, or third-party RADIUS server). If both options are enabled, the local accounts are checked first.
      • Preshared Key: The controller uses the key you specify in the Key field to generate the TKIP keys that encrypt the wireless data stream.
  • Page 163 Working with VSCs VSC configuration options
      • When disabled, WPA/WPA2 sessions are terminated at the AP. This means that wireless communication between the client station and AP is secure, but traffic between the AP and controller is not. This is normally sufficient since outsiders do not have access to your wired network.
  • Page 164: 802.1X Authentication

    Working with VSCs VSC configuration options When encryption is enabled, wireless stations that do not support encryption cannot communicate with the AP. The definition for each encryption key must be the same on the AP and all client stations.
      • Key format: Select the format used to specify the encryption key: ASCII: ASCII keys are much weaker than carefully chosen HEX keys.
  • Page 165: Html-Based User Logins

    Working with VSCs VSC configuration options For added flexibility, regular expressions can be used in realm names, enabling a single realm name to match many users. For example, if a realm name is defined with the regular expression ^abc.* then all usernames beginning with abc followed by any number of characters will match.
  • Page 166: Vpn-Based Authentication

    Working with VSCs VSC configuration options Note The global MAC-based authentication feature only applies on VSCs that have HTML-based user logins enabled. See Configuring global MAC-based authentication on page 10-16. VPN-based authentication VPN-based authentication can be used to provide secure access for client stations on VSCs that do not have encryption enabled.
  • Page 167: Location-Aware

    Working with VSCs VSC configuration options Location-aware This option enables you to control logins to the public access network based on the AP, or group of APs, to which a user is connected. It is automatically enabled when a VSC is set to Access control.
  • Page 168: Wireless Ip Filter

    Working with VSCs VSC configuration options Wireless IP filter When this option is enabled, the VSC only allows wireless traffic that is addressed to an IP address that is defined in the list. All other traffic is blocked, except for: ...
  • Page 169: Dhcp Relay Agent

    Working with VSCs VSC configuration options A separate DHCP server can be enabled on each VSC to provide custom addressing that is different from the base DHCP subnet that is determined by the LAN port IP address. To receive traffic from users, the controller assigns the Gateway address you specify to its LAN port.
  • Page 170: Vsc Data Flow

    Working with VSCs VSC data flow Note These DHCP relay agent options do not appear for the default VSC. The default VSC uses the same settings as defined on the Controller >> Network > Address allocation page. VSC data flow Each VSC provides a number of configurable options, some of which apply exclusively on controlled APs or the controller.
  • Page 171 Working with VSCs VSC data flow VSC on controlled AP Ingress The AP only handles traffic from wireless users, except for the MSM317 which can handle traffic from both wireless and wired users. The SSID is the name of the wireless network with which the user associates.
  • Page 172: Access Control Disabled

    Working with VSCs VSC data flow Features • Authentication: The controller supports 802.1X, MAC, or HTML authentication. To validate user login credentials the controller can use the local user accounts or make use of third-party authentication servers (Active Directory and/or RADIUS). See Chapter 10: User authentication, accounts, and addressing.
  • Page 173 Working with VSCs VSC data flow • Wireless security filters: Enables the AP to block traffic unless it is addressed to a specific destination (like the controller). See Wireless security filters on page 5-20. • Wireless MAC filter: Enables the AP to allow or deny access to the wireless network based on specific wireless user MAC addresses.
  • Page 174: Using Multiple VSCs

    About the default VSC The default VSC is automatically created by the controller. It is identified with the label (Default) in the VSC list. Initially, this VSC is named HP and has the following properties: • Wireless network name: HP ...
  • Page 175: Quality Of Service (QoS)

    Working with VSCs Quality of service (QoS) This means that when a user connects to the default VSC: • Unauthenticated users cannot access the protected network, except for: procurve.com (for product registration) and windowsupdate.com (for IE, which tries to get to a Windows update on a fresh start).
  • Page 176: Priority Mechanisms

    Working with VSCs Quality of service (QoS) The QoS feature defines four traffic queues based on the Wi-Fi Multimedia (WMM) access categories. In order of priority, these queues are (Queue access category: Typically used for): AC_VO: Voice traffic; AC_VI: Video traffic; AC_BE: Best effort data traffic; AC_BK...
  • Page 177 Quality of service (QoS) VSC-based priority This mechanism is unique to HP. It enables you to assign a single priority level to all traffic on a VSC. If you enable the VSC-based priority mechanism, it takes precedence regardless of the priority mechanism supported by associated client stations.
  • Page 178: IP QoS Profiles

    Working with VSCs Quality of service (QoS) IP QoS This option lets you assign traffic to the queues based on the criteria in one or more IP QoS profiles. Each profile lets you target traffic on specific ports or using specific protocols. Disabled When QoS traffic prioritization is disabled, all traffic is sent to queue 3.
  • Page 179: Upstream DiffServ Tagging

    Working with VSCs Quality of service (QoS) Protocol Specify an IP protocol to use to classify traffic by specifying its Internet Assigned Numbers Authority (IANA) protocol number. Protocol numbers are pre-defined for a number of common protocols. If the protocol you require does not appear in the list, select Other and specify the appropriate number manually.
  • Page 180 Working with VSCs Quality of service (QoS) Upstream traffic marking This table describes the marking applied to wireless traffic sent by connected client stations to an AP and then forwarded onto the wired network by the AP. OUTGOING TRAFFIC Traffic sent by the AP to the network INCOMING L3 marking TRAFFIC...
  • Page 181: QoS Example

    Working with VSCs Quality of service (QoS) Downstream traffic marking This table describes the marking applied to traffic received from the wired network by an AP and then sent to connected wireless client stations. OUTGOING TRAFFIC Wireless traffic sent from the INCOMING controller to client stations TRAFFIC...
  • Page 182: Creating A New VSC

    Working with VSCs Creating a new VSC Creating a new VSC To add a VSC, select Controller > VSCs >> VSC Profiles > Add New VSC Profile. Define VSC parameters and select Save. Familiarize yourself with sections of interest in configuration options on page 5-5.
  • Page 183 Chapter 6: Working with controlled APs Working with controlled APs Contents Key concepts.........................6-3 Key controlled-mode events ..................6-4 Discovery of controllers by controlled APs..............6-6 Discovery overview ....................6-6 Discovery methods....................6-7 Discovery order .....................6-9 Discovery recommendations ................6-10 Discovery priority....................6-11 Discovery considerations ...................6-13 Monitoring the discovery process ..............6-13 Authentication of controlled APs................6-19 Building the AP authentication list ..............6-20 Configuring APs......................6-22...
  • Page 184 Working with controlled APs Provisioning discovery..................6-37 Provisioning summary ..................6-38 Provisioning example..................6-39 AeroScout RTLS ......................6-40 Software retrieval/update..................6-42 Monitoring........................6-42...
  • Page 185: Key Concepts

    Working with controlled APs Key concepts Key concepts The controller provides centralized management of APs operating in controlled mode. Controlled mode greatly simplifies the setup and maintenance of a Wi-Fi infrastructure by centralizing the configuration and management of distributed APs. Note Starting with software version 5.x, APs operate in controlled mode by default.
  • Page 186: Key Controlled-Mode Events

    Working with controlled APs Key controlled-mode events AP authentication The controller can be configured to authenticate APs by their MAC address before they are managed. The authentication can be defined locally on the controller, via a third-party RADIUS server, or using a remote text-based control file. Key controlled-mode events The following diagram provides an overview of key events that occur when working with APs in controlled mode.
  • Page 187 Working with controlled APs Key controlled-mode events Controller The controller receives a discovery request. When started, the AP attempts to discover all controllers that are operating on the local network. • Discovery of controllers by controlled APs on page 6-6 The controller sends a discovery reply.
  • Page 188: Discovery Of Controllers By Controlled APs

    Working with controlled APs Discovery of controllers by controlled APs Controller Discovery complete. Wireless services become available. For the MSM317, the switch ports also become active. Discovery of controllers by controlled APs This section describes how the discovery process works and how it can be customized. Discovery is the process by which a controlled AP finds a controller (or controller team) on a network and establishes a secure management tunnel with it.
  • Page 189: Discovery Methods

    Working with controlled APs Discovery of controllers by controlled APs 2. Discovered controllers send a discovery reply to the AP. If the controller is configured to require AP authentication, the reply is only sent after the AP is authenticated by the controller.
  • Page 190 Working with controlled APs Discovery of controllers by controlled APs Note A controller listens for discovery requests on its LAN port and/or Internet port as configured on the Controller >> Management > Device Discovery page. (See Device discovery on page 2-9).
  • Page 191: Discovery Order

    Working with controlled APs Discovery of controllers by controlled APs The AP appends the default domain name returned by a DHCP server (when it assigns an IP address to the AP) to the controller name. For example, if the DHCP server returns mydomain.com, then the AP will search for the following controllers in this order: ...
  • Page 192: Discovery Recommendations

    Working with controlled APs Discovery of controllers by controlled APs Discovery recommendations Note When controller teaming is active, controlled APs discover a team in the same way that they discover non-teaming controllers. • If the AP is on the same subnet as the controller, then UDP discovery will work with no configuration required on either the AP or controller.
  • Page 193: Discovery Priority

    Working with controlled APs Discovery of controllers by controlled APs Discovery priority Each controller or controller team that receives a discovery request sends the requesting AP a discovery reply. If the AP authentication option is enabled, the AP needs to be authenticated first.
  • Page 194 Working with controlled APs Discovery of controllers by controlled APs On a non-teamed controller On a controller team If only connectivity settings are provisioned, then the AP attempts to discover a controller using the same methods as for unprovisioned APs, namely: ...
  • Page 195: Discovery Considerations

    Working with controlled APs Discovery of controllers by controlled APs Discovery considerations If controlled APs are behind a firewall or NAT device, refer to the following sections. Firewall If the network path between an AP and a controller traverses a firewall the following ports must be opened for management and discovery to work: Protocol Open these ports...
  • Page 196 Working with controlled APs Discovery of controllers by controlled APs Viewing all discovered APs To display information about APs discovered by the controller, select Controlled APs >> Overview > Discovered APs. The Discovered APs page provides the following information: • Number of access points: Indicates the number of APs that were discovered.
  • Page 197 Working with controlled APs Discovery of controllers by controlled APs • Diagnostic: Indicates the status of the AP with regard to management by the controller, as shown in the following table (Diagnostic: Description). Detected: The AP was detected by the controller. Enabling VSC services: The AP is enabling wireless services for all VSCs.
  • Page 198 Working with controlled APs Discovery of controllers by controlled APs (Diagnostic: Description) Rebooting: The AP is restarting. Resetting configuration: The AP configuration is being reset to factory defaults. This is normal and will occur when the firmware version on the controller is changed or if the AP is not synchronized.
  • Page 199 Working with controlled APs Discovery of controllers by controlled APs (Diagnostic: Description) Unsynchronized/License violation: The AP is not synchronized but can continue operation. However, if synchronized, it will become non-functional as described above for Synchronized/License violation. Before synchronizing, either change the configuration to omit the affected licensed feature or acquire and install a valid license.
  • Page 200 Working with controlled APs Discovery of controllers by controlled APs Viewing all configured APs To display information about APs configured by the controller, select Controlled APs >> Overview > Configured APs. The Configured APs page provides the following information:  Number of displayed access points: Number of configured APs that were discovered.
  • Page 201: Authentication Of Controlled APs

    Working with controlled APs Authentication of controlled APs • Creation mode: - Local: AP was added manually, or was manually authenticated after being discovered. - RADIUS: AP was successfully authenticated via RADIUS and then created. - External file: AP was successfully authenticated using the external file option. ...
  • Page 202: Building The AP Authentication List

    Working with controlled APs Authentication of controlled APs If authentication fails (for example, this is a new AP), and the Use the local authentication list option is enabled, then the AP is added to the Default Group and flagged as requiring authentication.
  • Page 203 Working with controlled APs Authentication of controlled APs Use file authentication list When this option is selected, the controller retrieves authentication list entries from a file. This must be an ASCII file with one or more MAC addresses in it. Each address must be entered on a separate line.
  • Page 204: Configuring APs

    Working with controlled APs Configuring APs Use the local authentication list When this option is selected, the controller creates authentication list entries based on the set of APs that are currently defined on the controller. For reference purposes, the table shows the AP name, Serial number and MAC address of all APs that are defined and will be included in the authentication list.
  • Page 205: Inheritance

    Working with controlled APs Configuring APs • Group: Group-level configuration enables you to define settings that are shared by APs with similar characteristics. For example, if you have several APs at a location that are all providing the same service, putting them in the same group makes them easier to manage.
  • Page 206: Configuration Strategy

    Working with controlled APs Configuring APs Any changes to a bound VSC affect all groups (and APs) to which the VSC is bound, making it easy to manage configuration changes network-wide. A key setting when binding a VSC to a group is the Egress network. If you enable this option, it can alter where the APs send user traffic.
  • Page 207: Working With Groups

    Working with controlled APs Configuring APs 2. Manually define each AP in the appropriate group. 3. Deploy the APs in their default configuration on the network. 4. Allow the discovery process to find the APs and place them in the pre-configured groups.
  • Page 208: Working With APs

    Working with controlled APs Configuring APs Binding a VSC to a group To bind a VSC to a group, do the following: 1. Select the target group under Controlled APs. 2. In the right pane, select VSC bindings, then select Add New Binding. 3.
  • Page 209 Working with controlled APs Configuring APs 3. In the Device box, identify the new AP, specifying at a minimum, Device Name, Ethernet BASE MAC (printed on the label affixed to each AP), and Group. Select Save. The AP is added to the selected group in the Network tree and will also be shown in the Configured APs list.
  • Page 210 Working with controlled APs Configuring APs Deleting an AP Note When the AP authentication feature is disabled, a deleted AP may automatically rediscover the controller if the AP is left connected to the network. Therefore, before deleting, disconnect the AP unless you want it to rediscover the controller. 1.
  • Page 211 Working with controlled APs Configuring APs Moving multiple APs between groups To move one or more APs between groups, do the following: 1. Use the check boxes in the table to select one or more APs. Select the check box in the table header to select all the APs in the table.
  • Page 212: Assigning Egress VLANs To A Group

    Working with controlled APs Configuring APs 2. Select a Synch link in the Action column to synchronize a single AP. Or, to synchronize all unsynchronized APs in the group, select Synchronize Configuration in the Select the action to apply to all listed APs list, and select Apply.
  • Page 213: Provisioning APs

    Working with controlled APs Provisioning APs The country configuration for the Base group looks like this: After changing the country setting, APs must be synchronized. Note In some regions, APs are delivered with a fixed country setting. If you place an AP with a fixed country setting into a group that has a different country configuration, the AP will fail to be synchronized.
  • Page 214: Provisioning Methods

    Working with controlled APs Provisioning APs Provisioning methods Provisioning can be done in two ways: provision settings using the controller or provision settings directly on APs. Using the controller to provision APs On the controller, provisioning can be done at the group or AP level for added flexibility. Provisioning via the controller enables you to quickly provision many APs at once.
  • Page 215: Displaying The Provisioning Pages

    Working with controlled APs Provisioning APs Displaying the provisioning pages To display the provisioning pages, do the following: On a controller 1. Select one of the following in the Network tree: • Controlled APs • A group • An AP 2.
  • Page 216: Provisioning Connectivity

    Working with controlled APs Provisioning APs Provisioning connectivity Use the Provisioning > Connectivity page to provision connectivity settings for a controlled AP. The following page will appear on all APs except for the MSM317. Enable provisioning here: ...
  • Page 217 Working with controlled APs Provisioning APs The following page will appear on the MSM317. Enable provisioning here: Interface Select the interface you want to configure and then define its settings using the other options on this page. Set VLAN ID if applicable. Assign IP address via ...
  • Page 218 Working with controlled APs Provisioning APs Country Select the country in which the AP is operating. Caution: Selecting the wrong country may result in illegal operation and may cause harmful interference to other systems. Please consult with a professional installer who is trained in RF installation and knowledgeable about local regulations to ensure that the service controller is operating in accordance with channel, power, indoor/outdoor restrictions and license requirements for the intended country.
  • Page 219: Provisioning Discovery

    Working with controlled APs Provisioning APs Password / Confirm password Password assigned to the AP. Anonymous Name used outside the TLS tunnel by all three EAP methods. If this field is blank, then the value specified for Username is used instead. Provisioning discovery Use the Provisioning >...
  • Page 220: Provisioning Summary

    Working with controlled APs Provisioning APs If you define a name that contains a dot, then the domain name is not appended. For example, if the name is controller.yourdomain.com, no domain name is appended. If the AP is operating as a DHCP client, the DHCP server will generally return a domain name when it assigns an IP address to the AP.
  • Page 221: Provisioning Example

    Working with controlled APs Provisioning APs Provisioning example The following example shows how to use the default group as a staging area, where APs are discovered and then provisioned before being moved into their actual production group. 1. Select Controller >> Controlled APs > Provisioning. 2.
  • Page 222: AeroScout RTLS

    [Figure labels: Controller; Devices being tracked by their RFID tags] Note HP does not sell or promote AeroScout products. Contact AeroScout for information on obtaining its MobileView software, Wi-Fi RFID tags, and associated hardware. Consult the AeroScout documentation for deployment information.
  • Page 223 All AeroScout management and monitoring is performed in the AeroScout software itself. AeroScout documentation and AeroScout software must be used to operate and monitor the tags. AP name: Name of the AP on which HP RTLS is enabled. AP MAC address: MAC address of the AP. Radio: Radio on the AP to which the AeroScout tag is connected.
  • Page 224: Software Retrieval/Update

    Working with controlled APs Software retrieval/update Mu report: Number of Mu reports sent to the AeroScout engine. Software retrieval/update Software management of controlled APs is automatically performed by the controller after the AP is discovered (see Key controlled-mode events on page 6-4).
  • Page 225 Chapter 7: Working with VLANs Working with VLANs Contents Key concepts.........................7-2 VLAN usage ......................7-2 Defining a VLAN ......................7-3 Creating a network profile ...................7-3 Defining a VLAN ....................7-4 Defining a VLAN on a controller port ..............7-4 User-assigned VLANs ....................7-6 Traffic flow for wireless users ..................7-6 Traffic flow examples ....................7-10 Example 1: Overriding the VSC egress on a controller with a user-assigned VLAN....................
  • Page 226: Working With VLANs

    Working with VLANs Key concepts Key concepts The controller provides a robust and flexible virtual local area network (VLAN) implementation that supports a wide variety of scenarios. Up to 80 VLAN definitions can be created on the controller. VLAN ranges are supported, enabling a single definition to span a range of VLAN IDs.
  • Page 227: Defining A VLAN

    Working with VLANs Defining a VLAN Defining a VLAN To create a new VLAN definition, first you must define a network profile with the required VLAN ID. Next, you use the profile to define a VLAN on a port, VSC interface, or user account.
  • Page 228: Defining A VLAN

    Working with VLANs Defining a VLAN Defining a VLAN Once you have created a network profile with a VLAN ID, you can use the profile to define a VLAN on the controller and APs. Some of the more frequently defined VLANs are listed in the following table.
  • Page 229 Working with VLANs Defining a VLAN 2. Select Add New VLAN. The Add/Edit VLAN page opens. 3. Under General, select the port to which the VLAN will be bound. Once a VLAN has been defined on a port, the port assignment cannot be changed. To assign the VLAN to a different port, delete the VLAN definition and create a new one on the required port.
  • Page 230: User-Assigned VLANs

    Working with VLANs User-assigned VLANs User-assigned VLANs VLANs can be assigned on a per-user basis using attributes defined in a user’s RADIUS account, or via VLAN definitions in a local user account profile. These user-assigned VLANs are also called dynamic VLANs because they are applied dynamically after a user is authenticated and override the static definitions on VSCs or VSC bindings.
  • Page 231 Working with VLANs Traffic flow for wireless users Binding to a VSC that has Wireless mobility disabled [Table; recoverable column headings: Egress network in VSC binding; Client data tunnel; User-assigned VLAN is not assigned via RADIUS or local user accounts; User-assigned VLAN is assigned via RADIUS or local user accounts (User-assigned VLAN exists on AP or controller / User-assigned VLAN does not exist on AP or controller)]...
  • Page 232 Working with VLANs Traffic flow for wireless users [Table; recoverable column headings: VSC type; Egress network in VSC binding; Client data tunnel; User-assigned VLAN is not assigned via RADIUS or local user accounts; User-assigned VLAN is assigned via RADIUS or local user accounts (User-assigned VLAN exists on AP or controller / User-assigned VLAN does not exist on AP or controller)]...
  • Page 233 Working with VLANs Traffic flow for wireless users Binding to a VSC that has Wireless mobility and Subnet-based mobility enabled [Table; recoverable column headings: Egress network in VSC binding; User-assigned VLAN is not assigned; User-assigned VLAN is assigned via RADIUS or local user account (User-assigned VLAN does not exist in the mobility domain)]...
  • Page 234: Traffic Flow Examples

    Working with VLANs Traffic flow examples Terms used in the tables • Egress network in VSC binding: This column refers to the Egress network option that can be configured when an AP group is bound to a VSC. The egress network can be used to assign a specific VLAN.
  • Page 235 Working with VLANs Traffic flow examples • Egress network in VSC binding: Defined VLAN = 10 • Client data tunnel: Disabled • User-assigned VLAN is assigned via RADIUS or local user accounts: Assigned VLAN = 30 • User-assigned VLAN exists on AP or controller: VLAN 30 is defined on the controller’s Internet port ...
  • Page 236: Example 2: Overriding The Egress Network In A VSC Binding With A User-Assigned VLAN

    Working with VLANs Traffic flow examples Example 2: Overriding the egress network in a VSC binding with a user-assigned VLAN In this scenario, a non-access-controller VSC is used to illustrate how a user-assigned VLAN can override the egress network defined for a VSC binding. Configuration summary ...
  • Page 237 Working with VLANs Traffic flow examples [Figure: network diagram; recoverable labels: Controller, LAN port, Port, Switch, User, RADIUS server, Network 1]...
  • Page 239 Chapter 8: Controller teaming Controller teaming Contents Key concepts.........................8-2 Centralized configuration management .............8-2 Centralized monitoring and operation..............8-2 Redundancy and failover support ...............8-3 Scalability .......................8-3 Deployment considerations .................8-3 Limitations......................8-5 Creating a team......................8-5 Configuration example ..................8-6 Controller discovery ....................8-10 Monitoring the discovery process ..............8-11 Viewing all discovered controllers ..............8-14 Viewing all team members ..................8-16 Team configuration ....................8-17...
  • Page 240: Controller Teaming

    Controller teaming Key concepts Key concepts Controller teaming enables you to easily configure and monitor multiple controllers and their access points, providing the following key benefits: centralized management and monitoring, service scalability, and redundancy in case of controller failure. Up to five controllers can be combined into a team enabling support for up to 800 APs (four controllers x 200 APs per controller plus one additional controller for backup/redundancy).
  • Page 241: Redundancy And Failover Support

    Controller teaming Key concepts Redundancy and failover support The team provides for service redundancy in case of failure. If one of the controllers in a team becomes inoperative (due to network problems, hardware failure, etc.), its APs will automatically migrate to another controller in the team allowing for continuation of services. For this to work, sufficient capacity must be available on the remaining controllers in the team to support the APs from the inoperative controller.
  • Page 242 Controller teaming Key concepts IMPORTANT: All team members must have an IP address assigned to their LAN port. This must be done even if the LAN port is not connected or not used in your setup. • The DHCP server feature is not supported when controller teaming is active, therefore an external DHCP server needs to be installed to support dynamic address assignment to controlled APs and their users.
  • Page 243: Limitations

    Controller teaming Creating a team Limitations The following features are not supported when teaming is enabled: • DHCP server • Billing records • L2TP server • Ingress VLAN on a VSC and untagged traffic on the LAN port (All APs use the client data tunnel to send traffic to ...
  • Page 244: Configuration Example

    Controller teaming Creating a team • Install APs: Connect all APs. The APs will automatically discover the team (if on the same subnet) and be synchronized with the firmware and configuration settings on the manager. If APs are installed on a different subnet than the controller, their discovery settings may need to be provisioned for them to successfully discover the team.
  • Page 245 Controller teaming Creating a team Configure connectivity and licenses on each controller Use the management station to connect to each controller in turn and do the following: 1. Select Controller >> Maintenance > Licenses. Install the Premium license and any required AP licenses.
  • Page 246 Controller teaming Creating a team 2. Select the Controller teaming checkbox. 3. Under Connectivity, set Communicate using to LAN port. 4. Select the Team manager checkbox, and configure the following settings under it: • Set Team name to a name that identifies the team. This example uses 1st Floor. The team name provides a convenient way to identify a team.
  • Page 247 Controller teaming Creating a team 7. Under Network Tree, select Controllers to view more detailed information about the discovery process. The two new controllers should be listed in red. Select Authorize in the Action column for each controller. 8. The manager will now attempt to authorize and synchronize controllers 2 and 3. Once synchronized, their status will change to green.
  • Page 248: Controller Discovery

    Controller teaming Controller discovery Controller discovery The following is an overview of key events that occur when a controller attempts to discover and join a team for the first time. Manager Controller The team manager receives a discovery request. The controller sends a discovery request onto the local network.
  • Page 249: Monitoring The Discovery Process

    Controller teaming Controller discovery Manager Controller The manager updates the controller’s The controller receives new configuration. configuration settings. Once this is done, the controller will always attempt to discover this team manager and will not join any other teams until it is manually removed from this team.
  • Page 250 Controller teaming Controller discovery Controllers This section shows the number of controllers that are active in each management state. A controller may be active in more than one state at the same time. For example, a controller may be both Detected and Synchronized. Select the state name to display information about all controllers in that state.
  • Page 251 Controller teaming Controller discovery Network Tree The network tree provides access to configuration options for the team and shows a status light for each controller. Team: team name Select Team: [name] to access configuration items that apply to all members of the team and their controlled APs.
  • Page 252: Viewing All Discovered Controllers

    Controller teaming Controller discovery Status lights Controllers that are part of the team are listed under Controllers in the Network Tree. The status lights provide an indication of their state as follows: • Green: The controller has joined the team and its configuration is synchronized with the settings defined on the team manager.
  • Page 253 Controller teaming Controller discovery • Serial number: Unique serial number assigned to the controller at the factory. Cannot be changed. • Access points: Indicates number of APs connected to the controller. • Diagnostic: Indicates the status of the controller as shown in the following table (Diagnostic: Description). Detected...
  • Page 254: Viewing All Team Members

    Controller teaming Viewing all team members (Diagnostic: Description) Uploading configuration: Configuration settings are currently being sent to the controller. Uploading firmware: The team manager is uploading new software to the controller. Wait until the operation completes. Validating capabilities: The capabilities of the controller are being identified by the team manager.
  • Page 255: Team Configuration

    Controller teaming Team configuration Select the title of a column to sort the table according to the values in the column. The Team members page provides the following information: • Number of controllers: Number of controllers that are configured as members of the team.
  • Page 256: Accessing The Team Manager

    Controller teaming Team configuration Accessing the team manager To reach the management tool on the team manager, you should always point your browser to the team IP address, and not the physical address assigned to the manager. In case of failover, the team IP address will be assigned to the interim manager.
  • Page 257: Removing A Controller From A Team

    Controller teaming Team configuration Configuration option Notes Public Access > Web content The Site file archive, FTP server, and Current site files options are not available at the team level. Public Access > Attributes New attributes cannot be added to the Configured attributes table at the team level.
  • Page 258: Editing Team Member Settings

    Controller teaming Team configuration 4. Select Save. Disable teaming on the controller 1. Open the management tool directly on the controller. 2. Select Management > Teaming. 3. Disable the Controller teaming option. 4. Select Save. Editing team member settings To change settings for a team member: 1.
  • Page 259 Controller teaming Team configuration 4. Select Save. Manually adding a controller to a team Instead of using the automatic discovery to find controllers and add controllers to the team, you can manually preconfigure one or more controllers as team members. The main advantage of doing this is that manually added controllers do not have to be manually authorized the first time they are discovered.
  • Page 260: Discovery Of A Controller Team By Controlled APs

    Controller teaming Discovery of a controller team by controlled APs 4. Select Save. 5. The new controller will appear in the team members list with a red status light until it is discovered on the network. Discovery of a controller team by controlled APs For a complete discussion of controller discovery, see Discovery of controllers by controlled APs.
  • Page 261 Controller teaming Failover Where: APs is the total number of APs you want to deploy. You must buy one license for each controlled AP. Although licenses are installed on individual team members, licenses are pooled across the entire team and are automatically re-allocated when a team member becomes inoperative.
  • Page 262: Primary Team Manager Failure

    Controller teaming Failover Primary team manager failure The controller that is designated as the team manager on the Controllers > [team-manager] >> Management > Teaming page is called the primary team manager. If the primary team manager becomes inoperative, an interim team manager is automatically selected by the existing team members.
  • Page 263 Controller teaming Failover 3. Enable the Team manager option. The settings for this option should already be defined with the values that were set on the primary team manager. 4. Select Save. 8-25...
  • Page 264: Mobility Support

    Controller teaming Mobility support Mobility support Mobility support when controller teaming is active is very similar to mobility support on non-teamed controllers. This section discusses the differences and configuration issues involved. For an explanation of mobility concepts used in this section, see Chapter 9: Mobility traffic manager on page 9-1.
  • Page 265: Single Controller Team Operating Alone

    Controller teaming Mobility support Single controller team operating alone If you have a single controller team, the mobility domain is automatically created when you do the following: 1. Start the management tool on the team manager by pointing your browser to the team IP address.
  • Page 266: Single Controller Team Operating With Non-Teamed Controllers

    Controller teaming Mobility support Single controller team operating with non-teamed controllers In this type of setup, the team is configured as the primary mobility controller and the non-teamed controllers set the IP address of primary controller parameter to the team IP address.
  • Page 267: Multiple Teamed And Non-Teamed Controllers

    Controller teaming Mobility support 5. Select Save. Configure controller #3 and #4 1. Start the management tool on each independent controller by pointing your browser to the appropriate IP address. 2. Select Management > Device discovery. 3. Select Mobility controller discovery. 4. Set IP address of the primary mobility controller to 192.168.1.99. 5.
  • Page 269: Mobility Traffic Manager

    Chapter 9: Mobility traffic manager
    Contents
    Key concepts 9-4
    The mobility domain 9-6
    Home networks 9-7
    Local networks 9-8
    Configuring Mobility Traffic Manager 9-9
    Defining the mobility domain 9-9
    Defining network profiles 9-10
    Assigning a home network to a user 9-11
    Defining local networks on a controller 9-12
    Assigning local networks to an AP 9-13
    Configuring the mobility settings for a VSC 9-14...
  • Page 270 Mobility traffic manager
    Scenario 3: Centralized traffic on a controller with per-user traffic routing 9-28
    How it works 9-28
    Configuration overview 9-28
    Scenario 4: Assigning home networks on a per-user basis 9-38
    How it works 9-38
    Configuration overview 9-39
    Scenario 5: Traffic routing using VLANs 9-44
    How it works 9-44
    Configuration overview 9-45
    Scenario 6: Distributing traffic using VLAN ranges 9-52...
  • Page 272: Key Concepts

    Mobility traffic manager Key concepts Key concepts Note This chapter discusses how to use and configure Mobility traffic manager (MTM) with non-teamed controllers. If you are working with a controller team, most of the same information applies. Essentially, a controller team is treated the same way as a single non-teamed controller.
  • Page 273 Mobility traffic manager Key concepts The following diagram shows a deployment where the wireless traffic for each user is egressed onto a specific network segment by assigning a home network to each user. Traffic is sent to a different wired network based on the home network assigned to each user in their account LAN port...
  • Page 274: The Mobility Domain

    Mobility traffic manager Key concepts  Automatic traffic distribution: VLAN ranges can be used to automatically spread wireless user traffic across multiple VLANs on the wired infrastructure. See Scenario 6: Distributing traffic using VLAN ranges. Important  MTM is only available on non-access-controlled VSCs. ...
  • Page 275: Home Networks

    Mobility traffic manager Key concepts Note All controllers in the mobility domain must be running the same software version. This means that the first two numbers in the software revision must be the same. For example: All controllers running 5.4.x, or all controllers running 5.5.x. Discovery automatically takes place on both the LAN port and Internet port.
  • Page 276: Local Networks

    Mobility traffic manager Key concepts Example In the following example, User A roams between AP #1 and AP #2. When connected to AP #2, User A is identified as roaming and traffic is tunneled back to subnet 10.0 via controller 1 and controller 2.
  • Page 277: Configuring Mobility Traffic Manager

    Mobility traffic manager Configuring Mobility Traffic Manager Configuring Mobility Traffic Manager MTM configuration can be separated into the following tasks:  Define the mobility domain.  Define network profiles.  Assign home networks to users.  Define local networks on controllers and APs. ...
  • Page 278: Defining Network Profiles

    Mobility traffic manager Configuring Mobility Traffic Manager Connect to the management tool on all other controllers that will be part of the mobility domain and do the following: 1. Select Controller >> Management > Device discovery. 2. Select Mobility controller discovery. 3.
  • Page 279: Assigning A Home Network To A User

    Mobility traffic manager Configuring Mobility Traffic Manager About the default profiles Two network profiles are created by default: LAN port network and Internet port network. These profiles are associated with the two physical Ethernet ports on the controller. You can rename these profiles, but you cannot assign a VLAN to them or delete them.
  • Page 280: Defining Local Networks On A Controller

    Mobility traffic manager Configuring Mobility Traffic Manager Defining local networks on a controller Local networks on a controller are composed of the following interfaces:  The network connected to the LAN port. Identified by the network profile LAN port network. ...
  • Page 281: Assigning Local Networks To An Ap

    Mobility traffic manager Configuring Mobility Traffic Manager 6. Select Save. Assigning local networks to an AP Each AP can be configured to support one (or more) local networks. By comparing the home network assigned to a user with the list of local networks associated with an AP, MTM can determine if the user is at home or roaming.
  • Page 282: Configuring The Mobility Settings For A Vsc

    Mobility traffic manager Configuring Mobility Traffic Manager  If a user’s home network matches a local network on the AP, the user is considered to be at home, and their traffic is bridged onto the wired network via the Ethernet port on the AP.
  • Page 283: Binding A Vsc To An Ap

    Mobility traffic manager Configuring Mobility Traffic Manager 5. Configure the Wireless security filters so that they do not interfere with roaming functionality. In most cases, these filters should be disabled. If you need to use them, note that:  The Restrict wireless traffic to: Custom option can be used provided that it restricts traffic to destinations that are reachable from all subnets in the mobility domain.
  • Page 284: Monitoring The Mobility Domain

    Mobility traffic manager Monitoring the mobility domain Monitoring the mobility domain The mobility overview page displays status information for the mobility domain. For example: To view this page: On a non-teamed controller, select Controller >> Status > Mobility.   On a controller team, select Team:[Team-name] >...
  • Page 285: Networks In The Mobility Domain

    Mobility traffic manager Monitoring the mobility domain Networks in the mobility domain This table lists all networks that are defined in the mobility domain and indicates the address of the Handler (AP or controller) that provides the data path to each network. This list should be identical on all controllers that are part of the mobility domain.
  • Page 286: Forwarding Table

    Mobility traffic manager Monitoring the mobility domain Network The name of the user’s home network. Status Possible values are:  Connected: The client is connected to their home network.  Blocked: Client data transfer is blocked because the home network could not be found. Forwarding table Port Identifies the logical or physical port on which traffic is being forwarded.
  • Page 287: Mobility Client Event Log

    Mobility traffic manager Monitoring the mobility domain Mobility client event log This page lists all events for a roaming client. Date and time Date and time that the event occurred. Category Always set to Mobility. Operation Possible values are: Client tunneling: Client tunneling events indicate activities related to establishing the data tunnel to a remote controller or AP for the purposes of transporting client data to its home network.
  • Page 288 Mobility traffic manager Monitoring the mobility domain  Client Unicast Tunneling Off: The unicast tunneling path to the indicated device (either AP or another controller) has been removed. This is normally done only when the client has disassociated or its home network has changed. ...
  • Page 289: Scenario 1: Centralizing Traffic On A Controller

    In this scenario, a single controller manages several APs deployed on different subnets. The default VSC (named HP) is assigned to each AP and is used to provide wireless services for users. All traffic on this VSC is tunneled to the controller by MTM, where it is egressed onto the wired network.
  • Page 290 Mobility traffic manager Scenario 1: Centralizing traffic on a controller VSC configuration Enable MTM support on the VSC. 1. Select Controller > VSCs > HP.  Under Global, clear Access control. (For complete screenshot see VSC configuration options on page 5-5.)
  • Page 291 1. Select Controller > Controlled APs > Default Group >> VSC bindings and then select HP. The VSC binding page appears.  Under VSC Profile, set VSC profile to HP. Select Egress network, and under it, set Network profile to LAN port network. ...
  • Page 292: Scenario 2: Centralized Traffic On A Controller With Vlan Egress

    In this scenario, a single controller manages several APs deployed on different subnets. The default VSC (named HP) is assigned to each AP and is used to provide wireless services for users. All traffic on this VSC is tunneled to the controller by MTM, where it is egressed onto the wired network on VLAN 40.
  • Page 293 Mobility traffic manager Scenario 2: Centralized traffic on a controller with VLAN egress VSC configuration Enable MTM support on the VSC. 1. Select Controller > VSCs > HP.  Under Global, clear Access control. (For complete screenshot see VSC configuration options on page 5-5.)
  • Page 294 Mobility traffic manager Scenario 2: Centralized traffic on a controller with VLAN egress 4. Select VLAN, and under it, set ID to 40. 5. Select Save. Create the VLAN Create a VLAN on the Internet port using the network profile you just defined. 1.
  • Page 295 This scenario assumes that all APs are part of the Default Group. 1. Select Controller > Controlled APs > Default Group >> VSC bindings and then select HP. The VSC binding page appears. Under VSC Profile, set VSC profile to HP.  ...
  • Page 296: Scenario 3: Centralized Traffic On A Controller With Per-User Traffic Routing

    In this scenario, a single controller manages several APs deployed on different subnets. The default VSC (named HP) is assigned to each AP and is used to provide wireless services for users. All traffic on this VSC is tunneled to the controller by MTM, where it is egressed onto different VLANs for different user groups.
  • Page 297 Mobility traffic manager Scenario 3: Centralized traffic on a controller with per-user traffic routing VSC configuration Enable MTM support on the VSC. 1. Select Controller > VSCs > HP.  Under Global, clear Access control. (For complete screenshot see VSC configuration options on page 5-5.)
  • Page 298 Mobility traffic manager Scenario 3: Centralized traffic on a controller with per-user traffic routing This will automatically enable the 802.1X authentication option and set it to use the local user accounts. 2. Either disable Wireless security filters or set it to Custom. 3.
  • Page 299 Mobility traffic manager Scenario 3: Centralized traffic on a controller with per-user traffic routing 8. Select VLAN, and under it, set ID to 40. 9. Select Save. Create the VLANs Create VLANs on the Internet port using the network profiles you just defined. 1.
  • Page 300 Mobility traffic manager Scenario 3: Centralized traffic on a controller with per-user traffic routing 4. Select Add New VLAN. Under General, set Port to Internet port. Under VLAN, set VLAN ID to 40 (Network 4). Under Assign IP address via, leave the setting at None. An address is not needed. 5.
  • Page 301 Mobility traffic manager Scenario 3: Centralized traffic on a controller with per-user traffic routing 4. Select Egress interface, and under it select Egress VLAN ID and set it to 30. 5. Select Save. 6. Select Add New Profile. 7. Under General, set Profile name to Network 4 and disable Access-controlled profile.
  • Page 302 Mobility traffic manager Scenario 3: Centralized traffic on a controller with per-user traffic routing 8. Select Egress interface, and under it select Egress VLAN ID and set it to 40. 9. Select Save. The profiles list should now look like this: 10.
  • Page 303 Mobility traffic manager Scenario 3: Centralized traffic on a controller with per-user traffic routing 11. Select Add New Account. 12. Under General:  Set User name to User A.  Set Password to a secure password.  Clear Access-controlled account. 13.
  • Page 304 Mobility traffic manager Scenario 3: Centralized traffic on a controller with per-user traffic routing 15. Select Add New Account. 16. Under General:  Set User name to User B.  Set Password to a secure password.  Clear Access-controlled account. 17.
  • Page 305 This scenario assumes that all APs are part of the Default Group. 1. Select Controller > Controlled APs > Default Group >> VSC bindings and then select HP. The VSC binding page appears. Under VSC Profile, set VSC profile to HP.  2. Select Save.
  • Page 306: Scenario 4: Assigning Home Networks On A Per-User Basis

    Mobility traffic manager Scenario 4: Assigning home networks on a per-user basis Scenario 4: Assigning home networks on a per-user basis This scenario illustrates how to assign home networks on a per-user basis using RADIUS attributes. How it works In this scenario, wireless services have been added to two wired networks. A single controller and multiple APs are installed on each network.
  • Page 307: Configuration Overview

    Mobility traffic manager Scenario 4: Assigning home networks on a per-user basis A single VSC is used in this scenario. It is configured with the Wireless mobility, Mobility traffic manager option enabled. Home network assignment for users is done by setting RADIUS VLAN attributes which map users to one of two network profiles: Network profile name Assigned to Net1...
  • Page 308 Select This is the primary mobility controller.  (For complete screenshot see Defining the mobility domain on page 9-9.) 2. Select Save. 1. Select Controller > VSCs > HP. Under Global  Clear Access control. (For complete screenshot see VSC configuration options on page 5-5.)
  • Page 309 Mobility traffic manager Scenario 4: Assigning home networks on a per-user basis Network profiles 1. Select Controller > Network > Network profiles. 2. Select LAN port network. 3. Under Settings, change Name to Net1. 4. Select Save. Controller 2 configuration Mobility domain 1.
  • Page 310 3. Under Settings, change Name to Net2. 4. Select Save. AP configuration VSC binding 1. Select Controller > Controlled APs > Default Group >> VSC bindings and then select HP. The VSC binding page appears. (For complete screenshot see VSC configuration options on page 5-5.) ...
  • Page 311 Mobility traffic manager Scenario 4: Assigning home networks on a per-user basis Local network assignment 1. Select Controller > Controlled APs > Default group >> Configuration > Home networks.  For each AP on network 1, double-click Net1 to add it to the Local networks list. ...
  • Page 312: Scenario 5: Traffic Routing Using Vlans

    Mobility traffic manager Scenario 5: Traffic routing using VLANs Scenario 5: Traffic routing using VLANs This scenario explains how to route the traffic from users onto specific VLANs on the wired network. How it works In this scenario, traffic on a corporate network is routed using VLANs, creating several logical networks to isolate the network resources for each workgroup.
  • Page 313: Configuration Overview

    Mobility traffic manager Scenario 5: Traffic routing using VLANs A single VSC is used. It is configured with th