Motorola WS5100 Series Migration Guide


WS5100 Series Switch
Migration Guide


Summary of Contents for Motorola WS5100 Series

  • Page 1 WS5100 Series Switch Migration Guide...
  • Page 2 © 2007 Motorola, Inc. All rights reserved. MOTOROLA and the Stylized M Logo are registered in the US Patent & Trademark Office. Symbol is a registered trademark of Symbol Technologies, Inc. All other product or service names are the property of their respective owners.
  • Page 3: Table Of Contents

    Contents Chapter 1. Overview Chapter 2. Switch Web UI and Image Upgrades 2.1 Accessing the Switch Web UI..............2-1 2.1.1 Web UI Requirements .
  • Page 4 TOC-2 WS5100 Series Switch Migration Guide 3.4.7 Configuring IPSec Security Associations (Crypto Map)........3-24 3.4.7.1 Creating Crypto Map Entry for Establishing Manual Security Associations .
  • Page 5 TOC-3 6.5.2 wsSWDhcpClient..............6-6 6.5.2.1 wsSWDhcpClient Sub Objects .
  • Page 6 TOC-4 WS5100 Series Switch Migration Guide 6.6.4.23 wsSwDhcpSvrPoolLeaseTime ........... 6-25 6.6.4.24 wsSwDhcpSvrPoolRowStatus .
  • Page 7 TOC-5 9.1.5 LDAP................9-3 9.1.6 Accounting .
  • Page 8 TOC-6 WS5100 Series Switch Migration Guide 11.2.1 Traffic Secured in VPN..............11-3 11.3 Configuring VPN using CLI .
  • Page 9: About This Guide

    NOTE: Screens and windows pictured in this guide are samples and can differ from actual screens. Documentation Set The documentation set for the WS5100 Series Switch is partitioned into the following guides to provide information for specific user needs. • WS5100 System Reference Guide - describes advanced setup and configuration activities for all facets of the WS5100 Series Switch.
  • Page 10: Notational Conventions

    WS5100 Series Switch Migration Guide Notational Conventions The following additional notational conventions are used in this document: • Italics are used to highlight the following: • Chapters and sections in this and related documents • Dialog box, window and screen names •...
  • Page 11 Overview This WS5100 Series Switch Migration Guide is designed to provide users familiar with the 1.4.x and 2.x switch baselines an overview of the significant changes to the switch Web UI and switch LED activity. The Web UI used for the new 3.0 baseline shares almost no similarities with the applet used in previous releases.
  • Page 13: Chapter 2. Switch Web Ui And Image Upgrades

    Switch Web UI and Image Upgrades This chapter provides information about the following: • Accessing the Switch Web • Switch Password Recovery. • Shutting Down the Switch. • Upgrading the Switch Image. • Downgrading the Switch Image from Version 3.0 to 1.4.x or 2.x.
  • Page 14 This warning screen will continue to display on future login attempts until a self-signed certificate is implemented. Motorola recommends only using the default certificate for the first few login attempts until a self-signed certificate can be generated.
  • Page 15: Switch Password Recovery

    Switch Web UI and Image Upgrades 2.2 Switch Password Recovery With the release of the 3.0 version switch software, your Web UI login password can be recovered, but at the expense of updates you have made to your configuration file since the default image was updated. If the switch Web UI password is lost, you cannot get past the Web UI login screen for any viable switch configuration activity.
  • Page 16: Shutting Down The Switch

    2-4 WS5100 Series Switch Migration Guide Username: restore When prompted to enter a password enter restoreDefaultPassword and press Enter. For security reasons the password you enter is not displayed. Password: 4. When the warning prompt appears type and press Enter.
  • Page 17: Shutting Down The Switch Using The 3.0 Halt Command

    2.3.2 Shutting Down the Switch using the 3.0 Halt Command To shut down the WS5100 from the CLI, issue a halt command, as the halt command is now used to shut down the WS5100 Series Switch with the release of the 3.0 version WS5100 baseline: WS5100#halt...
  • Page 18: Upgrading The Switch Image From 1.4.X Or 2.X To Version 3.0

    This is the configuration that will be upgraded to the new 3.0 baseline. NOTE: Motorola recommends saving a copy of the switch configuration to a secure location before the upgrade. If an error occurs with the upgrade, a viable configuration will be needed to restore on the switch.
  • Page 19: Downgrading The Switch Image From Version 3.0 To 1.4.X Or 2.X

    Switch Web UI and Image Upgrades 2.5 Downgrading the Switch Image from Version 3.0 to 1.4.x or 2.x If for some reason you want to downgrade your WS5100 back down to a 1.4.x or 2.x version firmware image, use one of the two following image files: •...
  • Page 21: Chapter 3. Use Cases

    The University decided to standardize on Motorola’s WS5100 and AP300 Access Port. The first switches and access ports were deployed at the University network in December 2002 and the system provided students with wireless networking speeds of up to 54 Mbps.
  • Page 22: Migrating The Existing Configuration To The 3.0 Baseline

    3.3 Migrating the Existing Configuration to the 3.0 Baseline Tempest University wants to update their switches to the new Motorola 3.0 baseline, add support for its increasing student population and create hotspots strategically on campus that optimize data, video and/or wireless traffic depending on the requirement for specific campus segments.
  • Page 23: Porting A Ws5100 2.0 Configuration To A 3.0 Migrated Ws5100

    Use Cases 6. Select the config file copied onto the Windows system and run it. A folder having the same name as the config file is created. The folder contains the converted startup-config file (in the new upgraded format) along with other log files. 7.
  • Page 24 3-4 WS5100 Series Switch Migration Guide 1. The Tempest University IT team selects Network > Switch Virtual Interface from the main menu tree and ensures the Configuration tab is selected. 2. The team clicks the button to create a new switch virtual interface.
  • Page 25 Use Cases 4. The Tempest University IT team selects Network > Layer 2 Virtual LANs from the main menu tree. 5. The Tempest University IT team highlights eth2 (from within the Name column) and clicks the Edit button. A Port VLAN Change Warning message displays. The team clicks to continue.
  • Page 26 3-6 WS5100 Series Switch Migration Guide 8. The Tempest University IT team selects Security > ACLs from the main menu tree, and clicks the button within the Configuration tab. 9. The Tempest University IT team selects Extended IP List from the ACL Type drop-down menu.
  • Page 27 Use Cases 13.With the changes complete, the Tempest University IT team clicks to continue. The Tempest University IT team is now ready to apply the ACL to the VLAN interface created for the Humanities department hotspot. 14.From the ACLs screen the team selects the Attach tab and clicks the button.
  • Page 28 3-8 WS5100 Series Switch Migration Guide 16.The Tempest University IT team selects Network > Wireless LANs from the switch main menu tree. 17.The IT team selects an available ESSID (not already enabled) and clicks the Edit button at the bottom of the screen.
  • Page 29 Use Cases 20.The Tempest University IT team selects Hotspot from the Authentication options. The team is now ready to define the properties of the external hotspot’s configuration.
  • Page 30 3-10 WS5100 Series Switch Migration Guide 21.The Tempest University IT team clicks the Config button next to the hotspot authentication item. 22.The Tempest University IT team selects External from the drop-down menu and enters the URL locations for the 3 HTML pages as displayed above.
  • Page 31 3-11 Use Cases 25.The Tempest University IT team clicks on Radius Config button to display the Network Wireless LANs Edit Radius Configuration sub screen. 26.The Tempest University IT team enters 157.235.10.1 as the Radius Server IP address for the Primary Radius server and 157.235.10.2 as the address for the secondary server.
  • Page 32 3-12 WS5100 Series Switch Migration Guide 30.The Edit button is selected, and the AIFSN, Transmit Ops, CW Minimum and CW Maximum are adjusted to provide Background traffic priority. When completed, the team clicks the button. The Tempest University IT team is now ready to enable (activate) the Humanities WLAN and begin...
  • Page 33: Configuring A Windows 2003 Iis Server For Hotspot Support

    3-13 Use Cases 31.Still within the Network > screen, the team switches from the WMM tab to the Wireless LANs Configuration tab. 32.The Tempest University IT team selects the Humanities Hotspot WLAN from those displayed within the table and clicks the Enable button.
  • Page 34 3-14 WS5100 Series Switch Migration Guide 2. The Tempest University IT team selects Add/Remove Windows Components from the left-hand side of the screen. 3. The Tempest University IT team selects the Application Server checkbox (if not already selected). Click Details...
  • Page 35: Iis Server Configuration

    3-15 Use Cases 4. The Tempest University IT team selects the Internet Information Services (IIS) checkbox and clicks OK. They then click Next. This will start the IIS installation. The Tempest University IT team may be prompted to insert their Windows 2003 Server CD to complete installation.
  • Page 36: Sample Html Pages / Cgi Script For External Hotspots

    3-16 WS5100 Series Switch Migration Guide 4. The Tempest University IT team copies these 3 .htm files into their Windows IIS Server's root directory: launch Windows File Explorer and copy the files into the C:\Inetpub\wwwroot directory. 3.3.5 Sample HTML Pages / CGI Script for External Hotspots Login.htm...
  • Page 37 3-17 Use Cases Welcome.htm <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"> <html> <head> <title>Authentication success.222</title></head><body link="#FFFF77" alink="#FFFF77" vlink="#FFFF77" bgcolor="#225599"><font face="Verdana" color="#EEEEFF"> <center><img src="222"></center><center><h2>Authentication Success. 222 </h2><br><center><h4>You now have network access.<BR>Click the disconnect link below to end this session 222.</h4></center><br><br><br><center><a href="https://10.0.1.77:444/cgi-bin/hslogout.cgi"><h4>Disconnect</h4></a></center><center><img src="222"> </center><center><h5><i>222</i></h5></center></font></body></html>...
  • Page 38: Use Case: Remote Vpn

    (trusted network) securely using the switch’s IPSec VPN functionality. In the above diagram, a Motorola client is associated to WLAN 1 that is attached to VLAN1 on the switch. VLAN1 is on the 157.235.188.x subnet and is running a DHCP Server that supplies IP addresses for this subnet.
  • Page 39: Configuring Dhcp Server To Serve Public Ip Addresses

    3-19 Use Cases Once the client has received a virtual IP (192.168.0.11), additional packets from the client within the IPSec tunnel are routed to the corresponding interface (VLAN3) and the client gains access to the corporate network. NOTE: The IPSec tunnel is only between the client and the switch. Once the tunnel is established, the packets on the trusted network are sent without any encryption.
  • Page 40: Adding A New Dhcp Pool

    3-20 WS5100 Series Switch Migration Guide 3.4.2.2 Adding a New DHCP Pool 1. Click the button at the bottom of the screen. 2. In the Pool Name field, enter the name of the IP pool from which IP addresses can be issued to client requests on this interface.
  • Page 41: Create Ike Policies

    3-21 Use Cases • Allows you to specify a lifetime for the IPSec security association. • Allows encryption keys to change during IPSec sessions. • Permits Certification Authority (CA) support for a manageable, scalable IPSec implementation. • Allows dynamic authentication of peers. If you do not want IKE to be used with your IPSec implementation, you can disable it for all IPSec peers.
  • Page 42: Configure Pre-Shared Keys

    3-22 WS5100 Series Switch Migration Guide Diffie-Hellman Group Identifier 768-bit Diffie-Hellman 768-bit Diffie-Hellman 1024-bit Diffie-Hellman Navigate to the Security > IKE Settings > IKE Policy screen. For this example set those parameters as follows: 1. Enter a Priority value of 1.
  • Page 43: Enable Or Disable Ike

    3-23 Use Cases 4. Click to return to the Configuration screen. 5. Click Apply to save the new pre-shared key. 6. You must then set up the pre-shared key of test12345 on the client. Refer to the client’s documentation for information on adding an IKE Pre-shared key. 3.4.3.3 Enable or Disable IKE IKE is enabled by default.
  • Page 44: Configuring Ipsec Security Associations (Crypto Map)

    3-24 WS5100 Series Switch Migration Guide 2. After the IKE SA is successfully established, and if the switch is configured for Xauth, the client waits for a "username/password" challenge and then responds to the challenge of the switch. 3. The information that is entered is checked against authentication entities (either configured on the switch or using radius server).
  • Page 45: Apply Crypto Map Sets To Interfaces

    3-25 Use Cases 3.4.8 Apply Crypto Map Sets to Interfaces You need to apply a crypto map set to each interface through which IPSec traffic will flow. Applying the crypto map set to an interface instructs the switch to evaluate all the interface's traffic against the crypto map set and to use the specified policy during connection or security association negotiation on behalf of traffic to be protected by crypto (either CET or IPSec).
  • Page 47: Chapter 4. Web Ui Menu Path Comparison

    CLI differences for each Web UI function described. For information on the implications of configuring your WS5100, see the WS5100 System Reference Guide available from the Motorola Web site. For an extensive description of the new CLI commands available to the new WS5100 3.0 baseline, see WS5100 CLI Reference Guide.
  • Page 48 4-2 WS5100 Series Switch Migration Guide From the 1.4.x and 2.x WS5100 baselines, accessing high-level device information (such as the quick start and chassis information) is accomplished from submenu items within the View parent menu. Table 4.1 High-Level Device Information...
  • Page 49: Configuring The System Time (Ntp) Settings

    Web UI Menu Path Comparison 4.1.2 Configuring the System Time (NTP) Settings This section describes the differences in menu path navigation amongst the WS5100 1.4.x, 2.x and 3.0 baselines when using the Web UI to define the switch system time. Table 4.2 Configuring the System Time (NTP) Settings Configuration Option/Feature...
  • Page 50: Ws5100 Switch Configuration Files

    4-4 WS5100 Series Switch Migration Guide 4.1.3.2 WS5100 Switch Configuration Files This section describes the differences in menu path navigation amongst the WS5100 1.4.x, 2.x and 3.0 baselines when using the Web UI to manage switch configuration files. Table 4.4 WS5100 Switch Configuration Files...
  • Page 51: Vlan Configuration

    Web UI Menu Path Comparison Table 4.5 WS5100 Log Files (Continued) Configuration Option/Feature | 1.4.x Location | 2.x Location | 3.0 Location. Manipulating Individual Log Files: System Settings > System Logging > Event Notification > ... | System Settings > Event Notification > ... | Diagnostics > ...
  • Page 52: Configuring Switch Security

    4-6 WS5100 Series Switch Migration Guide Table 4.6 VLAN Configuration (Continued) Configuration Option/Feature | 1.4.x Location | 2.x Location | 3.0 Location. Adding a New VLAN ID: Create > Ethernet > New Policy | Create > Ethernet > New Policy | Network > Wireless LANs...
  • Page 53 Web UI Menu Path Comparison Table 4.7 ACL Configuration (Continued) Configuration Option/Feature | 1.4.x Location | 2.x Location | 3.0 Location. Adding an ACL Rule: Create > Access Port > Access Control List > ... | Create > Access Port > Access Control List > ... | Security > ACLs...
  • Page 54: Encryption And Authentication

    4-8 WS5100 Series Switch Migration Guide 4.1.5.2 Encryption and Authentication This section describes the differences in menu path navigation amongst the WS5100 1.4.x, 2.x and 3.0 baselines when using the Web UI to define an encryption or authentication based security policy.
  • Page 55 Web UI Menu Path Comparison Table 4.8 Encryption and Authentication (Continued) Configuration Option/Feature | 1.4.x Location | 2.x Location | 3.0 Location. Configure WEP: Create > Access Port > Security Policy | Create > Access Port > Security Policy | Network > Wireless LANs > Configuration ...
  • Page 56 4-10 WS5100 Series Switch Migration Guide Table 4.8 Encryption and Authentication (Continued) Configuration Option/Feature | 1.4.x Location | 2.x Location | 3.0 Location. Configure TKIP: Create > Access Port > Security Policy | Create > Access Port > Security Policy | Network > Wireless LANs > ...
  • Page 57 4-11 Web UI Menu Path Comparison Table 4.8 Encryption and Authentication (Continued) Configuration Option/Feature | 1.4.x Location | 2.x Location | 3.0 Location. Configure Kerberos: Create > Access Port > Security Policy | Create > Access Port > Security Policy | Network > Wireless LANs > ...
  • Page 58: Rogue Ap Detection

    4-12 WS5100 Series Switch Migration Guide 4.1.5.3 Rogue AP Detection This section describes the differences in menu path navigation amongst the WS5100 1.4.x, 2.x and 3.0 baselines when using the Web UI to manage Rogue AP Detection. Rogue AP Detection is not available in the 1.4.x switch software. Table 4.9 Rogue AP Detection...
  • Page 59: Configuring The On-Board Radius Server

    4-13 Web UI Menu Path Comparison 4.1.5.4 Configuring the On-Board Radius Server This section describes the differences in menu path navigation amongst the WS5100 1.4.x, 2.x and 3.0 baselines when accessing the switch’s on-board Radius server. Table 4.10 Configuring the On-Board Radius Server Configuration Option/Feature 1.4.x Location...
  • Page 60: Viewing Switch Statistics

    4-14 WS5100 Series Switch Migration Guide Table 4.10 Configuring the On-Board Radius Server (Continued) Configuration Option/Feature 1.4.x Location 2.x Location 3.0 Location Configuring No On-Board Radius Support. System Settings > Radius > Security > Radius Server Radius Users and Users...
  • Page 61: Switch Certificate Management

    4-15 Web UI Menu Path Comparison Table 4.11 Viewing Switch Statistics (Continued) Configuration Option/Feature | 1.4.x Location | 2.x Location | 3.0 Location. Display Detailed Radio Statistics: Use a “show rfstats” CLI command. | Use a “show rfstats” CLI command. | Network > Access Port Radio Statistics...
  • Page 62 4-16 WS5100 Series Switch Migration Guide Table 4.12 Switch Certificate Management (Continued) Configuration Option/Feature | 1.4.x Location | 2.x Location | 3.0 Location. Revert to Default Certificate: System Settings > Server Certificate > ... | System Settings > Server Certificate > ... | Security > Server Certificates...
  • Page 63 4-17 Web UI Menu Path Comparison Table 4.12 Switch Certificate Management (Continued) Configuration Option/Feature | 1.4.x Location | 2.x Location | 3.0 Location. Restart Web Request: System Settings > Server Certificate > Restart Web Request | System Settings > Server Certificate > Restart Web Request | Not supported. ...
  • Page 65: Chapter 5. Ws5100 Led Behavior Comparison

    WS5100 LED Behavior Comparison The 1.4.x and 2.x version WS5100 switches have LED behavior that differs from the new 3.0 baseline switch. The 3.0 version switch does not have the same “standby” switch LED functionality that was present in the 1.4.x and 2.x baselines.
  • Page 66: Configured As A Standby Switch

    5-2 WS5100 Series Switch Migration Guide 5.1.3 Configured as a Standby Switch. Event | Top LED | Bottom LED: Active (acting as primary): Blue blinking | Blue blinking; Monitoring: Blue blinking | Amber solid; Standby not enabled: Blue blinking; Inactive: Amber blinking | Amber blinking. NOTE: The Primary and Standby LED activity described above is unique to the WS5100 1.4.x and 2.x baselines.
  • Page 67: Primary

    WS5100 LED Behavior Comparison 5.2.2 Primary. Event | Top LED | Bottom LED: Active (Continually Adopting Access Ports): Blue blinking | Blue solid; No License to Adopt: Amber blinking | Amber blinking. 5.2.3 Standby. Event | Top LED | Bottom LED: Active (Failed Over and Adopting Ports): Blue blinking | Blue blinking; Active (Not Failed Over) ...
  • Page 69: Chapter 6. Dhcp

    DHCP This chapter provides detailed feature and configuration information for the DHCP features in the WS5100 switch. • Overview • Managing the DHCP Server • Configuring DHCP Server using the CLI • Configuring DHCP Client using SNMP • Configuring DHCP using the WebUI 6.1 Overview DHCP (Dynamic Host Configuration Protocol) automatically assigns temporary IP addresses to client stations logging onto an IP network.
  • Page 70: Managing The Dhcp Server

    6-2 WS5100 Series Switch Migration Guide Figure 6.1 DHCP service running on a WS5100. DHCP allows hosts on an IP network to request and be assigned IP addresses and discover information about the network to which they are attached. The network administrator configures address pools for each subnet.
  • Page 71: Creating Network Pool

    DHCP 6.3.1 Creating network pool Follow the steps below to create a network pool using the CLI: 1. Create a DHCP Server dynamic address pool. WS5100(config)#ip dhcp pool test 2. Map the DHCP pool to the network pool. WS5100(config-dhcp)#network 192.168.0.0/24 3.
  • Page 72 6-4 WS5100 Series Switch Migration Guide 2. Use the network CLI command to map the network pool to an interface: network 192.168.0.0/24 In the above example, 192.168.0.0/24 represents the L3 interface. When you execute this command, no check is performed to verify whether any interface with the specified IP/Netmask exists. The verification is not performed because you can create a pool and map it to a non-existent L3 interface.
  • Page 73: Creating Dhcp Option

    DHCP 6.3.4 Creating DHCP option 1. Create a non-standard option named “tftp-server”: WS5100(config)#ip dhcp option tftp-server 183 ip 2. Enter the DHCP pool “test”: WS5100(config)#ip dhcp pool test 3. Assign a value to the DHCP option configured above: WS5100(config-dhcp)#option tftp-server 192.168.0.100 4.
  • Page 74: Wsswdhcpmodule

    6-6 WS5100 Series Switch Migration Guide The objects under WS-SW-DHCP-MIB can be classified into Scalar Objects or Tabular Objects. Table 6.1 lists the Scalar objects and Table 6.2 the Tabular objects. Table 6.1 Scalar Objects for DHCP Client MIB wsDhcpClientDomainName 1.3.6.1.4.1.388.14.2.3.4.1.1.1...
  • Page 75: Wsswdhcpclientsvrinfor

    DHCP 6.5.2.2 wsSWDhcpClientSvrInfor The wsSWDhcpClientSvrInfor object is a sub-object of wsSWDhcpClient object. It is defined as: Object Identifier (OID) 1.3.6.1.4.1.388.14.2.3.4.1.1 Parent Object wsDhcpClient Object Number Description Defines the OID for the DHCP Client Server Information object The following objects are contained in the wsSWDhcpClientSvrInfor object. •...
  • Page 76 6-8 WS5100 Series Switch Migration Guide The wsDhcpClientNameSvrTable is defined as: Object Identifier (OID) 1.3.6.1.4.1.388.14.2.3.4.1.1.3 Parent Object wsDhcpClientSvrInfor Object Number Type Conceptual Table made up of a sequence of WsDhcpClientNameSvrEntry objects Access Not accessible Status Current Description Defines the OID for a table that contains the DHCP Client Name Server information The wsDhcpClientNameSvrTable is made up of a number of wsDhcpClientNameSvrEntry objects.
  • Page 77: Ws-Sw-Dhcp-Server-Mib

    DHCP Object Number Type Integer with values between 1 and 8 (both inclusive) Access Not accessible Status Current Description Index of the entry in the wsDhcpClientNameSvrTable table object wsDhcpClientNameSvrIP The object wsDhcpClientNameSvrIP is defined as: Object Identifier (OID) 1.3.6.1.4.1.388.14.2.3.4.1.1.3.1.2 Parent Object wsDhcpClientNameSvrEntry Object Number Type...
  • Page 78: Wsswdhcpservermodule

    6-10 WS5100 Series Switch Migration Guide Table 6.3 Scalar Objects for DHCP Server MIB wsSwDhcpSvrEnable 1.3.6.1.4.1.388.14.2.3.5.1.3 Read-Write wsSwDhcpSvrRestart 1.3.6.1.4.1.388.14.2.3.5.1.4 Read-Write Table 6.4 Tabular Objects for DHCP Server MIB wsSwDhcpSvrExcludeTable 1.3.6.1.4.1.388.14.2.3.5.2 wsSwDhcpSvrPoolTable 1.3.6.1.4.1.388.14.2.3.5.3 wsSwDhcpSvrIncludeTable 1.3.6.1.4.1.388.14.2.3.5.4 wsSwDhcpSvrPoolOptionTable 1.3.6.1.4.1.388.14.2.3.5.5 wsSwDhcpSvrBindingStatusTab 1.3.6.1.4.1.388.14.2.3.5.6 wsSwDhcpSvrGlobalOptionTabl 1.3.6.1.4.1.388.14.2.3.5.7 wsSwDhcpSvrRelayTable 1.3.6.1.4.1.388.14.2.3.5.8...
  • Page 79: Wsswdhcpsvrexcludetable

    6-11 DHCP Object Number Description Defines the OID for the Server Global object For the sub objects under this OID, refer to wsSWDhcpClient Sub Objects. 6.6.1.2 wsSwDhcpSvrExcludeTable This OID defines the Server Exclude Table object. Object Identifier (OID) 1.3.6.1.4.1.388.14.2.3.5.2 Parent Object wsSwDhcpServerModule Object Number Description...
  • Page 80: Wsswdhcpbindingstatustable

    6-12 WS5100 Series Switch Migration Guide For the sub objects under this OID, refer to wsSwDhcpSvrPoolOptionTable. 6.6.1.6 wsSwDhcpBindingStatusTable This OID defines the Binding Status Table object. Object Identifier (OID) 1.3.6.1.4.1.388.14.2.3.5.6 Parent Object wsSwDhcpServerModule Object Number Description Defines the OID for the Binding Status Table For the sub objects under this OID, refer to wsSwDhcpBindingStatusTable.
  • Page 81: Wsswdhcpsvrbootp

    6-13 DHCP 6.6.2.1 wsSwDhcpSvrBootp The wsSwDhcpSvrBootp object sets the access for bootp requests. Access can be Allow / Ignore Bootp requests. It is defined as: Object Identifier (OID) 1.3.6.1.4.1.388.14.2.3.5.1.1 Parent Object wsDhcpSvrGlobal Object Number Type TruthValue Access Read-Write Status Current Description Defines the OID for the Bootp access 6.6.2.2 wsSwDhcpSvrPingInterval...
  • Page 82: Wsswdhcpsvrexcludetable

    6-14 WS5100 Series Switch Migration Guide Object Number Type Integer Array. Defined as: restart(1), idle(2) Access Read-Write Status Current Description Defines the OID for the time interval before the DHCP Server restarts 6.6.3 wsSwDhcpSvrExcludeTable This OID defines the table that stores IP addresses unavailable to the DHCP Server when assigning IP addresses.
  • Page 83: Wsswdhcpsvrexcludelowipaddr

    6-15 DHCP Parent Object wsSwDhcpSvrExcludeTable Object Number Type WsSwDhcpSvrExcludeEntry object definition Access Not accessible Status Current Index wsSwDhcpSvrExcludeLowIpAddr, wsSwDhcpSvrExcludeHighIpAddr Description Defines the IP addresses excluded from assignment by the DHCP server. 6.6.3.2 wsSwDhcpSvrExcludeLowIpAddr The object wsSwDhcpSvrExcludeLowIpAddr defines the OID for the low IP address excluded from assignment by the DHCP server.
  • Page 84: Wsswdhcpsvrpooltable

    6-16 WS5100 Series Switch Migration Guide Parent Object wsSwDhcpSvrExcludeEntry Object Number Type Row Status Access Read-Create Status Current Description Status of the row for the wsSwDhcpSvrExcludeEntry object 6.6.4 wsSwDhcpSvrPoolTable The wsSwDhcpSvrPoolTable is described as: Object Identifier (OID) 1.3.6.1.4.1.388.14.2.3.5.3 Parent Object...
  • Page 85: Wsswdhcpsvrpoolentry

    6-17 DHCP • wsSwDhcpSvrPoolNameIndex • wsSwDhcpSvrPoolType • wsSwDhcpSvrPoolHostIp • wsSwDhcpSvrPoolSubnetIpAndMask • wsSwDhcpSvrPoolClientId • wsSwDhcpSvrPoolClientName • wsSwDhcpSvrPoolHardWareAddrAndType • wsSwDhcpSvrPoolDomainName • wsSwDhcpSvrPoolNetBiosNodeType • wsSwDhcpSvrPoolBootfile • wsSwDhcpSvrPoolDdnsUpdate • wsSwDhcpSvrPoolDdnsUpdateAll • wsSwDhcpSvrPoolDdnsIp • wsSwDhcpSvrPoolDdnsDomainName • wsSwDhcpSvrPoolDdnsTtl • wsSwDhcpSvrPoolDdnsMultiUserClass • wsSwDhcpSvrPoolDefaultRouter • wsSwDhcpSvrPoolBootpNextSvrIp • wsSwDhcpSvrPoolDnsSvrIp •...
  • Page 86: Wsswdhcpsvrpoolnameindex

    6-18 WS5100 Series Switch Migration Guide 6.6.4.2 wsSwDhcpSvrPoolNameIndex The object wsSwDhcpSvrPoolNameIndex defines the OID for the index value for unique identification of each row in the wsSwDhcpSvrPoolTable. It is defined as: Object Identifier (OID) 1.3.6.1.4.1.388.14.2.3.5.3.1.1 Parent Object wsSwDhcpSvrPoolEntry Object Number...
  • Page 87: Wsswdhcpsvrpoolsubnetipandmask

    6-19 DHCP 6.6.4.5 wsSwDhcpSvrPoolSubnetIpAndMask The object wsSwDhcpSvrPoolSubnetIpAndMask defines the OID for the Subnet IP address and the Subnet Mask used. It is defined as: Object Identifier (OID) 1.3.6.1.4.1.388.14.2.3.5.3.1.4 Parent Object wsSwDhcpSvrPoolEntry Object Number Display String Type Access Read-Create Status Current Description Defines the OID for the Subnet IP address and the Subnet Mask used 6.6.4.6 wsSwDhcpSvrPoolClientId...
  • Page 88: Wsswdhcpsvrpoolhardwareaddrandtype

    6-20 WS5100 Series Switch Migration Guide 6.6.4.8 wsSwDhcpSvrPoolHardWareAddrAndType The object wsSwDhcpSvrPoolHardWareAddrAndType defines the OID for Hardware Address and its type. It is defined as: Object Identifier (OID) 1.3.6.1.4.1.388.14.2.3.5.3.1.7 Parent Object wsSwDhcpSvrPoolEntry Object Number Display String Type Access Read-Create Status Current Description Defines the OID for the Hardware address and the Hardware type.
  • Page 89: Wsswdhcpsvrpoolbootfile

    6-21 DHCP Access Read-Create Status Current Description Defines the OID for the Netbios node type 6.6.4.11 wsSwDhcpSvrPoolBootfile The object wsSwDhcpSvrPoolDomainName defines the OID for the boot file name. It is defined as: Object Identifier (OID) 1.3.6.1.4.1.388.14.2.3.5.3.1.10 Parent Object wsSwDhcpSvrPoolEntry Object Number Display String Type Access...
  • Page 90: Wsswdhcpsvrpoolddnsip

    6-22 WS5100 Series Switch Migration Guide Integer with the syntax Type updateAll(1), idle(2) Access Read-Create Status Current Description Defines the settings used by the mobility domain to pass layer 2 and layer 3 traffic amongst peer switches. 6.6.4.14 wsSwDhcpSvrPoolDdnsIp The object wsSwDhcpSvrPoolDdnsIp defines the OID for the DDNS IP addresses. This OID can take a maximum of two (2) IP addresses.
  • Page 91: Wsswdhcpsvrpoolddnsttl

    6-23 DHCP 6.6.4.16 wsSwDhcpSvrPoolDdnsTtl The object wsSwDhcpSvrPoolDdnsTtl defines the OID for the DDNS TTL (Time To Live) value. It is defined as: Object Identifier (OID) 1.3.6.1.4.1.388.14.2.3.5.3.1.15 Parent Object wsSwDhcpSvrPoolEntry Object Number Integer with values between 0 and 65535 (both inclusive) Type Access Read-Create...
  • Page 92: Wsswdhcpsvrpoolbootpnextsvrip

    6-24 WS5100 Series Switch Migration Guide 6.6.4.19 wsSwDhcpSvrPoolBootpNextSvrIP The object wsSwDhcpSvrPoolBootpNextSvrIP defines the OID for the address of the next Bootp Server. It is defined as: Object Identifier (OID) 1.3.6.1.4.1.388.14.2.3.5.3.1.18 Parent Object wsSwDhcpSvrPoolEntry Object Number IP Address Type Access Read-Create...
  • Page 93: Wsswdhcpsvrpoolnodefault

    6-25 DHCP Description Defines the OID for the address for the Netbios Server. The values have to be in the format xxx.xxx.xxx.xxx, yyy.yyy.yyy.yyy The maximum number of entries is 8 6.6.4.22 wsSwDhcpSvrPoolNoDefault The object wsSwDhcpSvrPoolNoDefault defines the OID for No Default. It is defined as: Object Identifier (OID) 1.3.6.1.4.1.388.14.2.3.5.3.1.21 Parent Object...
  • Page 94: Configuring Dhcp Using The Webui

    6-26 WS5100 Series Switch Migration Guide Parent Object wsSwDhcpSvrPoolEntry Object Number Type Row Status Access Read-Create Status Current Description Status of the row for the wsSwDhcpSvrPoolEntry object 6.7 Configuring DHCP using the WebUI 6.7.1 Creating a Network Pool To configure DHCP and create a network pool using the Web UI: 1.
  • Page 95 6-27 DHCP 2. Click on the button at the bottom of the screen. a. Enter the name of the IP pool from which IP addresses can be issued to client requests on this interface. b. Provide the Domain name as appropriate for the interface using the pool. c.
  • Page 96 6-28 WS5100 Series Switch Migration Guide requests between the DHCP Server and DHCP clients, are populated with the details based on the selection of the associated VLAN. NOTE: To avoid multiple restarts of DHCP Server, restart the DHCP Server only after making all the required configuration updates.
  • Page 97: Creating A Host Pool

    6-29 DHCP 6.7.2 Creating a Host Pool 1. Select Service > DHCP Server from the main menu tree. Select the Host Pool tab to create and add a new host pool. Host pools reserve IP addresses for specific MAC addresses. This information can be an asset in determining if a new pool needs to be created or an existing pool requires modification.
  • Page 98 6-30 WS5100 Series Switch Migration Guide 2. Click on the button at the bottom of the window. a. Enter a unique name for the server host pool in the Pool Name field. b. Enter the domain name for the host pool in the Domain field.
  • Page 99: Chapter 7. Dynamic Dns

    Dynamic DNS This chapter provides detailed feature and configuration information for the Dynamic DNS feature: • Overview • Managing DDNS • Configuring DDNS using the CLI • Configuring DDNS using SNMP • Configuring DDNS using the Web UI 7.1 Overview The Domain Name System or Domain Name Server (DNS) is a system that stores information associated with domain names in a distributed database on networks, such as the Internet.
  • Page 100: Configuring Ddns Using The Cli

    7-2 WS5100 Series Switch Migration Guide for a given name. Dynamic DNS is a service, which updates the DNS database to reflect the correct mapping of a given name to an IP address in the scenario of non-static (dynamic) IP addresses for domain-names.
  • Page 101: Important Ddns Configurations

    Dynamic DNS 2. Map the pool to a network.
    WS5100(config-dhcp)#network 192.168.0.0/24
    3. Add the address range to the DHCP network pool.
    WS5100(config-dhcp)#address range 192.168.0.30 192.168.0.60
    4. Enable the DDNS Server update.
    WS5100(config-dhcp)#update dns override
    The update dns override keyword indicates that DDNS updates will be sent by the DHCP Server for the clients to which it issues IP addresses.
  • Page 102: Configuring Ddns Using Snmp

    7-4 WS5100 Series Switch Migration Guide 3. A DDNS update will not occur when neither DDNS domain-name nor domain-name is configured. 4. The ddns update-all command will send DDNS updates only for those DHCP leases for which a DDNS update was sent earlier. This command does not require for the DDNS update to happen.
  • Page 103: Wsswdnsmodule

    Dynamic DNS Tabular Objects Table 7.2 Object Name Object Identifier (OID) wsSwDNSNameSvrTable 1.3.6.1.4.1.388.14.2.2.1.2 7.5.1 wsSwDNSModule This OID defines the module object for the DNS MIBs. Object Identifier (OID) 1.3.6.1.4.1.388.14.2.2.1 Parent Module wsSwDNS Object Number Description This OID defines the module object for the DNS MIBs1 The following objects are defined under the wsSwDNSModule: •...
  • Page 104: Wsswdnsdomainnamestatic

    7-6 WS5100 Series Switch Migration Guide • wsSwDNSDomainNameLookup 7.5.2.1 wsSwDNSDomainNameStatic This OID defines the object for storing the static domain name information. Object Identifier (OID) 1.3.6.1.4.1.388.14.2.2.1.1.1 Parent Module wsSwDNSDomainName Object Number Type Display String Access Read-Write Status Current Description This OID defines an object to store the static domain name 7.5.2.2 wsSwDNSDomainNameLookup...
  • Page 105: Wsswdnsnamesvrentry

    Dynamic DNS Access Not Accessible Status Current Description Table containing entries that are the DNS Name Server entries. The wsSwDNSNameSvrTable is made up of a sequence of WsSwDNSNameSvrEntry objects. The WsSwDNSNameSvrEntry is a sequence of these objects: • wsSwDNSNameSvrEntry • wsSwDNSNameSvrIp •...
  • Page 106: Wsswdnsnamesvrpriority

    7-8 WS5100 Series Switch Migration Guide 7.5.3.3 wsSwDNSNameSvrPriority This OID defines the priority object for the DNS Name Server Table. Object Identifier (OID) 1.3.6.1.4.1.388.14.2.2.1.2.1.2 Parent Module wsSwDNSNameSvrEntry Object Number Type Unsigned 32-bit Integer Access Read-Only Status Current Description Defines the OID that stores the priority level for the DNS entry 7.5.3.4 wsSwDNSNameSvrType...
  • Page 107: Configuring Ddns Using The Web Ui

    Dynamic DNS 7.6 Configuring DDNS using the Web UI To create a dynamic DNS, first create a DHCP network pool as described in Creating network pool on page 6-3. 1. Select Service > DHCP Server from the main menu tree. By default, the Configuration tab is displayed with network pool details.
  • Page 108 7-10 WS5100 Series Switch Migration Guide For more information on DHCP Network Pool configuration, refer to Configuring DHCP using the WebUI on page 6-26.
  • Page 109: Chapter 8. Certificate Management

    Certificate Management This chapter provides detailed feature and configuration information for the Certificate Manager. • Overview • Configuring the Certificate Manager using CLI • Configuring Trustpoint using the Web UI 8.1 Overview Certificates are of two types: a. CA root certificate b.
  • Page 110: Configuring The Certificate Manager Using Cli

    8-2 WS5100 Series Switch Migration Guide 8.2 Configuring the Certificate Manager using CLI Certificate Management configuration involves the following • Configuration of Trustpoint. • Configuration of RSA Key pairs. • Generation of Self signed Certificate. • Generation of Certificate Request.
  • Page 111: Importing Ca Certificate

    Certificate Management 2. Generate a Certificate Request for the trustpoint external.
    WS5100(config)#crypto pki enroll external request
    This generates a Certificate Request. 3. Send the request to the specified FTP server. Get the request signed by an appropriate CA (Windows 2003 Server will also do).
    WS5100(config)#crypto pki export external request ftp://<user:password>@IP/Path/File
    4.
  • Page 112: Importing The Certificate To Another Switch

    8-4 WS5100 Series Switch Migration Guide 2. Create a trustpoint tpt1 and associate a keypair using the rsakeypair command.
    WS5100(config)#crypto pki trustpoint tpt1
    WS5100(config-trustpoint)#subject-name ws5100 us kkk sj symbol wid
    WS5100(config-trustpoint)#ip-address 111.222.111.x
    WS5100(config-trustpoint)#fqdn www.symbol.com
    WS5100(config-trustpoint)#email sym@symbol.com
    WS5100(config-trustpoint)#rsakeypair key1
    WS5100(config-trustpoint)#exit
    3. Generate a Certificate Request for the trustpoint tpt1.
  • Page 113: Creating A Trustpoint

    Certificate Management 8.2.5.1 Creating a Trustpoint To configure a trustpoint using the Web UI, follow the steps mentioned below: 1. Create a trustpoint using Security > Server Certificate from the main menu tree. By default the Server Certificate window displays the Trustpoint tab.
  • Page 114 8-6 WS5100 Series Switch Migration Guide a. Select the Create a new certificate option in the first page of the wizard and click on the Next button. b. Use the second page of the wizard to configure a trustpoint and create a private key for the certificate.
  • Page 115 Certificate Management • Click on the Next button to continue. c. Use the third page of the wizard to enter the mandatory details required to create a certificate. All fields marked with an asterisk (*) are mandatory. • Select the Configure the trustpoint checkbox to enable the new self signed certificate to be configured as a trustpoint.
  • Page 116 8-8 WS5100 Series Switch Migration Guide • Provide a Company name to be used on behalf of the certificate. • Select the Enroll the trustpoint checkbox to enroll the certificate request with the CA. • Click on Next button to continue.
  • Page 117: Uploading The Server Certificate/Ca Certificate

    Certificate Management 3. To generate a self-signed certificate, select Generate a self-signed certificate option in the Page 2 of the wizard. 8.2.5.2 Uploading the Server Certificate/CA Certificate You need to upload the Server Certificate request generated for trustpoint testTP to the CA. The CA generates the Server certificate by signing the server certificate request.
  • Page 118 8-10 WS5100 Series Switch Migration Guide 3. Select the Upload an external certificate radio button to upload an existing Server Certificate or CA Root Certificate and click on the Next button to continue. 4. Use this page of the wizard to upload the Server Certificate and/or CA Root Certificate to a trustpoint on...
  • Page 119 8-11 Certificate Management 5. This completes the creation of the CA/Server certificate.
  • Page 121: Chapter 9. Radius

    Radius This chapter provides detailed feature and configuration information for the Radius features. • Overview • Configuring Onboard Radius Server using CLI • Configuring Radius using GUI • Configuring Radius Server • Configuring WLAN • Configuring LDAP 9.1 Overview The Radius server is used to define authentication and authorization schemes in the WS5100 switch for granting access to wireless clients.
  • Page 122: User Database

    9-2 WS5100 Series Switch Migration Guide the WS5100 switch processes the EAP messages that it receives. It encapsulates them into RADIUS access requests and sends them to the configured RADIUS server, in this case the local Radius server. The RADIUS server investigates the user credentials and the challenge information received in the RADIUS access request frames.
  • Page 123: Proxy To External Radius Server

    Radius Each user group can be configured to be a part of one vlan. All the users in that particular group will be assigned the same vlan id. If the vlan-type is user-based, then the users will become part of the configured vlan.
  • Page 124 9-4 WS5100 Series Switch Migration Guide 4. Configure the CA/Server certificates. Execute the following commands with the corresponding trust point names. Trust point must be configured before executing these commands. For more details refer to Configuring the Certificate Manager using CLI.
  • Page 125: Sending An Access Request To The Local Radius Server

    Radius a. Add a proxy realm.
    WS5100(config-radsrv)# proxy realm symbol.com server 157.235.207.16 port 1812 secret 0 symbol
    14. Configure LDAP servers. If the users are configured in the remote database, then use the LDAP server for user authentication. For this: a. Configure the authentication data source as ldap.
    WS5100(config-radsrv)# authentication datasource ldap
    b.
  • Page 126: Enable Debug Logs For Radius

    9-6 WS5100 Series Switch Migration Guide 2. Connect the MU to the ssid of the wlan 1, with proper user profile. The user profile in the MU should have the following parameters to connect to the wlan1. The user name bob...
  • Page 127: Configuring A Radius Server

    Radius 9.3.1.1 Configuring a Radius Server 1. Click on Security > Radius Server from the main menu tree. By default, the Radius Server window displays the details of Configuration tab. By default, the Radius server is set in Start mode. 2.
  • Page 128: Authenticating A Local Radius Server

    9-8 WS5100 Series Switch Migration Guide 9.3.1.2 Authenticating a Local Radius Server 1. Click on Authentication tab in the main Radius Server window, to configure the authentication for the local Radius server. a. Refer to the Authentication section to define the following Radius authentication information.
  • Page 129: Creating A Group

    Radius • If Local is selected, the switch’s internal user database serves as the data source for user authentication. Refer to the Users and Groups tabs to define user and group permissions for the switch’s local Radius server. • If LDAP is selected, the switch uses the data within an LDAP server.
  • Page 130: Creating A User

    9-10 WS5100 Series Switch Migration Guide c. Use Time of Access Start field to set the time the group is authenticated to interoperate within the switch managed network. Each user within the group will be authenticated with the local Radius server. Those group members successfully authenticated are allowed access to the switch managed network using the restrictions defined for the group.
  • Page 131 9-11 Radius a. In the Name field, enter a unique user ID that differentiates this user from others with similar attributes. b. Enter the password used to add the user to the list of approved users displayed within the Users tab.
  • Page 132: Configuring Wlan

    9-12 WS5100 Series Switch Migration Guide 9.3.2 Configuring WLAN Follow the steps mentioned below to create and configure a WLAN. 1. Click on Network > Wireless LANs from the main menu tree. The Wireless LANs window by default displays the Configuration tab details.
  • Page 133 9-13 Radius 3. Click on the Radius Config Button. a. In the Server section, enter WS5100 switch’s IP address in the Radius Server Address field. b. In the Server section, assign the Radius Shared Secret.
  • Page 134: Configuring Ldap

    9-14 WS5100 Series Switch Migration Guide c. In the Accounting section, enter the Accounting Server IP Address. • This should be the same as mentioned in Step 4, Configuring a Radius Server for using Local Radius server accounting (or) • As mentioned in Step 3a above.
  • Page 135: Use Case - Configuring Onboard Radius To Use Active Directory As User Database?

    9-15 Radius Attribute | Value | Comments: Group Membership Attribute | radiusGroupName | Copy this Value as is. Net Timeout | ... 6. Enter the Primary LDAP Server details looking at the LDAP configuration table above. Click Apply. 9.4 Use Case – Configuring Onboard RADIUS to use Active Directory as user database? This use case refers to the Active Directory configuration displayed in Figure...
  • Page 136 9-16 WS5100 Series Switch Migration Guide WS5100 has primary and secondary LDAP servers. The table below displays the LDAP configuration used to access Active Directory. The parameters shown within parentheses are WS5100 CLI parameters. Parameter Used Value Description LDAP Server IP (host) 192.192.4.42...
  • Page 137 9-17 Radius Parameter Used | Value | Description: LDAP Server IP (host) | 192.192.4.42 | The IP address of the server PC running the Active Directory Service. LDAP Password Attribute (passwd-attr) | UserPassword | This password attribute is used by the LDAP server for authentication. LDAP Group Name | ... | This group attribute is used by the LDAP server.
  • Page 138 9-18 WS5100 Series Switch Migration Guide 3. In the Active Directory, user1 is used for RADIUS Authentication. User1 is part of group6 as displayed in Figure 9.3. Hence, you have to now create the same group (group6) in the local RADIUS database and allow access for the WLAN in use.
  • Page 139 9-19 Radius 4. Select Security >Radius Server >Authentication Tab from the main menu to view the LDAP configuration details using the WS5100’s applet.
  • Page 141: Chapter 10. Acl

    This chapter provides detailed feature and configuration information for the ACL features. • Overview • Firewall • Network Address Translation • Configuring ACL using CLI • Configuring ACL using the Web UI 10.1 Overview An Access Control List (ACL) is a sequential collection of permit and deny conditions that apply to packets. When a packet is received on an interface, the WS5100 Switch compares the fields in the packet against any applied ACLs.
  • Page 142: Router Acls

    10-2 WS5100 Series Switch Migration Guide Destination MAC, Ethertype, VLAN-ID, 802.1p bits (OR) Layer 3 parameters like Source IP, Destination IP, Protocol, Port Number. NOTE: The WS5100 Switch does not support applying ACLs in the outbound direction for both Layer 2 and Layer 3 interfaces.
  • Page 143: Port Acls

    10-3 10.1.1.2 Port ACLs WS5100 supports Port ACLs on physical interfaces and inbound traffic only. The following types of Port ACLs are supported based on the matching criteria: • Standard IP ACL — It uses the Source IP address as the matching criterion. •...
  • Page 144: Precedence Order

    10-4 WS5100 Series Switch Migration Guide • TOS/DSCP bits in the IP header. NOTE: In WS5100, only Port ACL supports the mark action. In Router ACL, the mark action is treated as a permit action and the packet is allowed to its destination without performing any modifications.
  • Page 145: Network Address Translation

    10-5 Apart from detecting the above attacks, this feature also performs sanity checks on every packet. These sanity checks can drop a packet if the packet is malformed. A syslog message is generated whenever a packet gets dropped due to these sanity checks. It provides details as to why the packet was dropped along with the other packet information like –...
  • Page 146: Port Nat

    10-6 WS5100 Series Switch Migration Guide IP Protocol and Port options are valid only for Destination NAT. This helps the switch administrator to host servers (HTTP, FTP and DNS servers) in the inside network and map all of them to a single public IP address.
  • Page 147: Configuring Ip Standard Acl Using Cli

    10-7 ACLs are identified by either a number or a name. Numbers are predefined for IP Standard and Extended ACLs, whereas a name can be any valid alphanumeric string not exceeding 64 characters. In numbered ACLs, the rule parameters have to be specified on the same command line along with the ACL identifier. This section explains the following: •...
  • Page 148: Configuring Mac Extended Acl Using Cli

    10-8 WS5100 Series Switch Migration Guide 1. To configure a numbered IP Extended ACL:
    WS5100(config)#access-list 2 deny ip host 1.2.3.4 any rule-precedence 10
    WS5100(config)#access-list 2 permit tcp any host 2.3.4.5 eq 80 rule-precedence
    WS5100(config)#access-list 2 deny icmp any host 2.3.4.5 rule-precedence 30
    2.
  • Page 149: Configuring Router Acls

    10-9 1. Creating an IP ACL (Standard/Extended)
    ws5100(config)#access-list 1 permit 192.168.1.0/24 rule-precedence 10
    ws5100(config)#access-list 101 permit ip 192.168.1.0/24 any rule-precedence 10
    2. Creating a MAC Extended ACL.
    WS5100(config)#mac access-list extended macacl
    WS5100(config-ext-macl)#permit any any type arp
    3. Apply the Port ACL to an interface.
    WS5100(config)#interface eth1
    WS5100(config-if)#ip access-group 1 in
    WS5100(config-if)#ip access-group macacl in...
  • Page 150: Configuring Wireless Lan Acls

    10-10 WS5100 Series Switch Migration Guide 4. Apply the ACL (30) on the VLAN interface.
    WS5100(config)#interface vlan2
    WS5100(config-if)#ip access-group 30 in
    WS5100(config-if)#exit
    10.4.2.3 Configuring Wireless LAN ACLs Follow the procedure mentioned below to upgrade Wireless LAN ACLs from 3.0/3.0.1 to 3.0.2: The WLAN index in ACL rules is configurable in WS5100 3.0/3.0.1.
  • Page 151 10-11 NOTE: All ACLs which had WLAN index are now replaced with ones that don't have WLAN index. In the above process, the acl "110" had two rules which got replaced by only one rule because after removal of WLAN index selector, both the rules look similar.
  • Page 152: Configuring Acl Using The Web Ui

    10-12 WS5100 Series Switch Migration Guide
    WS5100(config)#wlan-acl 2 150 out
    WS5100(config)#
    10.5 Configuring ACL using the Web UI The following types of ACL configuration scenarios are explained below: • Configuring IP Standard ACL • Configuring MAC Extended ACL • 10.5.1 Configuring IP Standard ACL To configure an IP Standard ACL using the Web UI, follow the steps mentioned below: 1.
  • Page 153 10-13 3. To apply a rule to the ACL created in step 2 above, select it from the ACLs section and click on the button in the Associated Rules section. a. Enter a precedence (priority) value between 1 and 5000 in the Precedence field.
  • Page 154: Configuring Mac Extended Acl

    10-14 WS5100 Series Switch Migration Guide a. Use the Interface drop-down menu to select the interface to configure on the switch. Available options include – Ethernet 1, Ethernet 2, VLAN 1 and VLAN 1. b. Use the IP ACL drop-down menu to select an IP ACL used as the inbound IP for the layer 2 or layer 3 interface.
  • Page 155 10-15 3. To apply a rule to the ACL created in step 2 above, select it from the ACLs section and click on the button in the Associated Rules section. a. Enter a precedence (priority) value between 1 and 5000 in the Precedence field.
  • Page 156: Attaching An Acl On A Wlan Interface/Port

    10-16 WS5100 Series Switch Migration Guide 4. Click on the Attach tab in the ACLs window and click on the button to attach the ACL to an interface. a. Use the Interface drop-down menu to select the interface to configure on the switch. Available options include –...
  • Page 157: Adding A New Acl Wlan Configuration

    10-17 2. Click the Attach - WLAN tab. 3. Refer to the following information as displayed within the Attach -WLAN tab: WLAN Index The WLAN Index displays the list of WLANs attached with ACLs. IP ACL Displays the IP ACL configured. MAC ACL Displays the MAC ACL configured.
  • Page 158 10-18 WS5100 Series Switch Migration Guide 3. Click the button. 4. Define a WLAN Index between 1 and 32. 5. Use the IP ACL drop-down menu to select an IP ACL to configure for the WLAN interface. 6. Use the MAC ACL drop-down menu to select the MAC ACL to configure for the WLAN interface.
  • Page 159: Chapter 11. Vpn

    This chapter provides detailed feature and configuration information for the VPN features: • Overview • Managing VPN in WS5100 • Configuring VPN using CLI • Special Configuration for Windows XP Client • Configuring VPN using the WebUI • Use Case for Remote VPN •...
  • Page 160: Types Of Vpn

    11-2 WS5100 Series Switch Migration Guide 11.1.1 Types of VPN VPNs can be broadly classified as: • Secured VPNs – These use cryptographic tunneling protocols to provide: • Intended confidentiality – blocks snooping and thus prevents packet sniffing. • Sender authentication – blocks identity spoofing.
  • Page 161: Traffic Secured In Vpn

    11-3 The concept of crypto-map entries is used to configure IPSec security associations. Crypto map entries created for IPSec pull together the various parts used to set up IPSec security associations. Crypto map entries also include transform sets. A transform set is an acceptable combination of security protocols, algorithms and other settings to apply to IPSec protected traffic.
  • Page 162: Configure Peer Properties

    Configuring for Remote VPN Client for more details. 11.3.1 Configure Peer Properties Different peers require different authentication, encryption and security algorithms. Hence the WS5100 Series Wireless Switch supports a per-peer configuration model. The following configuration process helps you to specify how a peer is authenticated.
  • Page 163: Create Ike Polices

    11-5 If you do not want IKE to be used with your IPSec implementation, you can disable it at all IPSec peers. NOTE: IKE must be enabled or disabled at all IPSec peers; you cannot have a mix of IKE-enabled and IKE-disabled peers within your IPSec network. With IKE disabled, you must manually specify all the IPSec security associations in the crypto maps at all peers. To configure IKE, perform the following tasks:...
  • Page 164: Configuring Isakmp Using Cli

    11-6 WS5100 Series Switch Migration Guide 11.3.2.4 Configuring ISAKMP using CLI To configure an ISAKMP policy, follow the CLI commands mentioned below: 1. Create an IKE Policy.
    WS5100(config)# crypto isakmp policy 10
    2. Assign an encryption type to the IKE policy.
  • Page 165: Define Transform Sets

    11-7 • ESP Authentication Transform — esp-md5-hmac, esp-sha-hmac NOTE: You can also configure the mode for data traffic. AH and ESP authentication cannot be used together. The mode for data traffic can be either •...
  • Page 166: Set Global Lifetimes For Ipsec Security Associations

    11-8 WS5100 Series Switch Migration Guide 2. Create a mode for data traffic.
    WS5100(config-crypto-ipsec)# mode tunnel
    NOTE: Set mode tunnel if you are creating a transform set for site-to-site VPN. Set mode to if you are using remote VPN with a Windows XP client.
  • Page 167: Binding All Parameters To A Remote Peer Using Crypto Map

    11-9 Follow the CLI commands mentioned below to configure IPSec traffic between local subnet 10.1.1.0/24 and remote subnet 192.168.0/24. 1. Create an Extended ACL.
    WS5100(config)#ip access-list extended 101
    2. Configure the local subnet and the remote subnet to allow IPSec traffic between them.
    WS5100(config-ext-nacl)# permit ip 10.1.1.0/24 192.168.0/24
    To establish IPSec, the local subnet must always appear before the remote subnet.
  • Page 168: Activating Ipsec To A Remote Peer

    11-10 WS5100 Series Switch Migration Guide You can create a Crypto Map Set if: • Connection is required for multiple remote peers OR • Different types of protection are required for the same peer A crypto map entry has a sequence number associated with it.
  • Page 169: Configuring For Remote Vpn Client

    2. Specify the authentication type – either RADIUS or local authentication.
    WS5100(config)# vpn-authentication [radius|local]
    • For RADIUS authentication, you can configure up to two RADIUS servers.
    WS5100(config)# aaa vpn-authentication primary 10.1.1.103 key motorola
    WS5100(config)# aaa vpn-authentication secondary 10.1.1.105 key motorola123
    • Create a username/password if you use local authentication...
  • Page 170: Apply Crypto Map Sets To Interfaces

    11-12 WS5100 Series Switch Migration Guide 4. Create an Extended ACL.
    WS5100(config)#ip access-list extended 101
    Configure the local subnet and the remote subnet to allow IPSec traffic between them.
    WS5100(config-ext-nacl)# permit ip 10.1.1.0/24 any
    WS5100(config-ext-nacl)# permit ip 192.168.0.0/24 any
    5.
  • Page 171: Special Configuration For Windows Xp Client

    11-13 • The IPSec Authentication Header protects entire IP packets including IP headers, against modification in transit. NAT will modify the IP header so inherently NAT is incompatible with AH. • The IPSec Encapsulating Security Payload (ESP) usually encrypts IP packets. NAT modifies TCP and UDP ports, but clearly can't do so when the packet is encrypted.
  • Page 172 11-14 WS5100 Series Switch Migration Guide • Pre-shared key Follow the steps below to configure the VPN Client in Windows XP: 1. From your computer, click Start > Control Panel > Network Connection and then click on Create a connection.
  • Page 173 11-15 3. Select Connect to the network at my workplace option and click on the Next button to proceed further. 4. Select the Virtual Private Network connection and click on the Next button to proceed further. 5. Type a descriptive name for your VPN connection and click on Next button.
  • Page 174 11-16 WS5100 Series Switch Migration Guide 6. Select the Do not dial the initial connection option and click on the Next button. 7. Type either a host name or IP address of the computer to which you wish to connect and click on the Next button.
  • Page 175 11-17 9. Click on the Finish button to complete the creation of the VPN Client on a Windows XP machine. Follow the steps below to configure the Pre-shared key in Windows XP: 1. From your computer, click Start > Control Panel >...
  • Page 176: Configuring Vpn Using The Webui

    11-18 WS5100 Series Switch Migration Guide 4. Click on the IPSec Setting button. Click to select the Use pre-shared key for authentication checkbox and enter the pre-shared key in the text field. This value must match the pre-shared key value that is entered on the VPN-based server.
  • Page 177 11-19 a. Click on the button. • Select the Peer IP Address option to associate an IP address with the specific tunnel used by a group of peers. • Enter a Key. The key is used by the peer to interact with other peers within the tunnel. •...
  • Page 178 11-20 WS5100 Series Switch Migration Guide 2. Create an IKE (ISAKMP) policy using Security > IKE Setting from the main menu tree. Select the Policies tab from the IKE Settings window. The table displays the default IKE Policy values. a. Click on the button.
  • Page 179 11-21 defines future IPSec security associations quickly. Encryption strength is great enough to ensure security without using fast rekey times. • Set the DH Group identifier. IPSec peers use the defined value to derive a shared secret without transmitting it to one another. •...
  • Page 180 11-22 WS5100 Series Switch Migration Guide a. Click on the button. • Create a Name describing this new transform set. • Define the AH Transform Authentication scheme ESP Encryption Transform scheme. • Define the ESP Authentication Transform scheme. • Define the Transform Set Mode used with the transform set.
  • Page 181 11-23 4. Create an Extended ACL using Security > ACLs from the main menu tree. By Default, the ACLs window displays the Configuration tab. a. In the ACLs section, click on the button. • Select Extended IP List from the ACL Type drop down box.
  • Page 182 11-24 WS5100 Series Switch Migration Guide b. In the main ACLs window, select the Extended ACL, created above, from the ACLs section and click on the Add button in the Associated Rules section. • Enter a Precedence (priority) value between 1 and 500. The rules within an ACL will be applied to packets based on their precedence value.
  • Page 183 11-25 c. The ACL window will now have the following content: For more details on configuring Extended ACLs, refer to Configuring ACL using CLI on page 10-6. 5. Create a Crypto Map entry using Security > IPSec VPN from the main menu tree. A crypto map binds the ISAKMP Peer, IPSec Transform Set and the Extended ACL.
  • Page 184 11-26 WS5100 Series Switch Migration Guide a. Click on the button to define the attributes of a new crypto map. • Assign a Seq # (sequence number) that distinguishes one crypto map from the other. The sequence number determines its priority among the other crypto maps. The lower the number, the higher the priority.
  • Page 185 11-27 6. Create a crypto map peer using Security > IPSec VPN from the main menu tree. Select Crypto Map > Peers tab. a. Click on button to create a new peer. • Enter the Seq # for the new peer. This seq # should be the same as used when creating the crypto map Entry in step 5.
  • Page 186 11-28 WS5100 Series Switch Migration Guide • Click on the button to save the configuration of the new crypto map peer. For more details on configuring an IPSec Transform set, refer to Activating IPSec to a Remote Peer on page 11-10. 7. Create a crypto map transform set using Security >...
  • Page 187 11-29 a. Click on the button to create a crypto map transform set. • Enter the Seq # for the new transform set. This seq # should be the same as used when creating the crypto map entry in step 5. The sequence number determines its priority among crypto maps. The lower the number, the higher the priority.
  • Page 188 11-30 WS5100 Series Switch Migration Guide 8. Create a crypto map interface using Security > IPSec VPN from the main menu tree. Select Crypto Map > Interfaces tab. This assigns a VLAN interface to the crypto map created in earlier steps. The table displays the bound crypto map values.
  • Page 189: Use Case For Remote Vpn

    In Figure 11.2, a Motorola client is associated to a WLAN (say wlan1) that is attached to vlan2 on the switch. vlan2 is on subnet 10.1.1.x and is running a DHCP Server that dishes out IP addresses for this subnet.
  • Page 190 11-32 WS5100 Series Switch Migration Guide The use case described above can be configured with the following CLI commands: NOTE: The CLI configuration shown below is for an IPSec-L2TP connection over a mobile unit. Use the Windows default client for this configuration.
  • Page 191: Use Case For Site-To- Site Vpn

    11-33 6. Create a transform set.
    WS5100(config)#crypto ipsec transform-set windows esp-3des esp-sha-hmac
    WS5100(config-crypto-ipsec)#mode transport
    7. Specify a dynamic crypto map.
    WS5100(config)#crypto map TestMap 30 ipsec-isakmp dynamic
    WS5100(config-crypto-map)#set peer 0.0.0.0
    WS5100(config-crypto-map)#match address 101
    WS5100(config-crypto-map)#set transformset windows
    WS5100(config-crypto-map)#set remote-type ipsec-l2tp
    8. Apply the crypto map to interface vlan2.
    WS5100(config)#interface vlan2
    WS5100(config-if)#crypto map TestMap
    NOTE: To configure the default Windows XP client on the mobile unit, refer to...
  • Page 192 11-34 The site-to-site VPN allows branch office mobility controllers to connect back to the central office using a secure, encrypted tunnel for all site-to-site traffic. This allows a wired LAN in the branch office to be bridged directly to the central site while maintaining full security.
  • Page 193 11-35 e. Create and configure a crypto map.
    WS5100(config)#crypto map THIRDMAP 435 isakmp
    WS5100(config-crypto-map)#set peer 15.1.1.20
    WS5100(config-crypto-map)#match address 150
    WS5100(config-crypto-map)#set transformset TFSET
    WS5100(config-crypto-map)#set security-association lifetime seconds 3600
    f. Associate the crypto map with a VLAN interface.
    WS5100(config)#interface vlan1
    WS5100(config-if)#ip address 11.1.1.10/24
    WS5100(config-if)#crypto map THIRDMAP
    WS5100(config-if)#interface vlan2100
    WS5100(config-if)#ip address 12.1.1.10/24...
  • Page 194 11-36 (configuration of the remote peer)
    WS5100(config-crypto-map)#set transformset TFSET
    WS5100(config-crypto-map)#set security-association lifetime seconds 3600
    f. Associate the crypto map with a VLAN interface.
    WS5100(config)#interface vlan1
    WS5100(config-if)#ip address 15.1.1.20/24
    WS5100(config-if)#crypto map THIRDMAP
    WS5100(config-if)#interface vlan2100
    WS5100(config-if)#ip address 13.1.1.20/24
    WS5100(config-if)#ip route 0.0.0.0/0 15.1.1.2...
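As an added example that is not part of the guide, a small Python checker that parses crypto-map CLI of the shape shown in the two use cases above and flags what a reviewer would verify before trusting the tunnel: a transform set built on a legacy cipher such as 3DES, a crypto map whose transform set was never defined, a map with no match address ACL, and a map never applied to an interface (step 8 and step f). The sample config is constructed from the guide's commands with the TFSET definition and THIRDMAP's ACL and interface binding deliberately left out so each check fires; the LEGACY algorithm list is an assumption of mine.

```python
# Constructed sample from the guide's CLI; TFSET, THIRDMAP's ACL and its interface binding are left out on purpose.
SAMPLE_CONFIG = """\
crypto ipsec transform-set windows esp-3des esp-sha-hmac
crypto map TestMap 30 ipsec-isakmp dynamic
 set peer 0.0.0.0
 match address 101
 set transformset windows
interface vlan2
 crypto map TestMap
crypto map THIRDMAP 435 isakmp
 set peer 15.1.1.20
 set transformset TFSET
"""
LEGACY = {"esp-des", "esp-3des", "esp-md5-hmac"}  # assumed list of algorithms to flag
def parse_config(text):
    """Collect transform sets, crypto map entries and interface bindings from the dump."""
    cfg, block = {"transform_sets": {}, "maps": {}, "bound": set()}, None
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        if line[0] != " ":  # a top-level command opens a new section
            block = None
            if words[:3] == ["crypto", "ipsec", "transform-set"]:
                cfg["transform_sets"][words[3]] = words[4:]
            elif words[:2] == ["crypto", "map"]:
                block = ("map", (words[2], int(words[3])))
                cfg["maps"][block[1]] = {}
            elif words[0] == "interface":
                block = ("if", words[1])
        elif block and block[0] == "map" and words[0] in ("set", "match"):
            cfg["maps"][block[1]][words[1]] = words[2]  # peer / address / transformset ...
        elif block and block[0] == "if" and words[:2] == ["crypto", "map"]:
            cfg["bound"].add(words[2])
    return cfg
def audit(cfg):
    """Findings: legacy ciphers, dangling transform-set references, maps with no ACL or interface."""
    out = []
    for name, algs in cfg["transform_sets"].items():
        for alg in sorted(set(algs) & LEGACY):
            out.append(f"transform-set {name}: legacy algorithm {alg}")
    for (name, seq), e in cfg["maps"].items():
        if e.get("transformset") not in cfg["transform_sets"]:
            out.append(f"crypto map {name} {seq}: transform-set {e.get('transformset')} not defined")
        if "address" not in e:
            out.append(f"crypto map {name} {seq}: no 'match address' ACL")
        if name not in cfg["bound"]:
            out.append(f"crypto map {name}: not applied to any interface")
    return out
```

Run against a real `show running-config` dump, a clean result is an empty list; the order of findings follows the order of definitions in the config.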
  • Page 195: Technical Support

    Technical Support Motorola provides its customers with prompt and accurate customer support. Use the Motorola Support Center as the primary contact for any technical problem, question or support issue involving Motorola products. If the Motorola Customer Support specialists cannot solve a problem, access to all technical disciplines within Motorola becomes available for further assistance and support.
  • Page 196 2 Web Support Sites
    MySymbolCare: http://www.symbol.com/services/msc/msc.html
    Symbol Services Homepage: http://symbol.com/services
    Symbol Developer Program: http://devzone.symbol.com
    Additional Information: Obtain additional information by contacting Symbol at:
    1-800-722-6234, inside North America
    +1-516-738-5200, in/outside North America
    http://www.symbol.com/...
  • Page 198 MOTOROLA INC. 1303 E. ALGONQUIN ROAD SCHAUMBURG, IL 60196 http://www.motorola.com 72E-100960-01 Revision A June 2007...