Contents
About the HP 830 Series PoE+ Unified Wired-WLAN Switch and HP 10500/7500 20G Unified Wired-WLAN Module Web-Based Configuration Guide 1
Typical network scenarios 1
HP 10500/7500 20G unified wired-WLAN module network scenario 1
HP 830 series PoE+ unified wired-WLAN switch network scenario 2
Feature matrix 3
Web overview 5
Web interface 5
Web user level 5
Web-based NM functions 6
Common items on the Web pages 17
Logging in to the Web interface 23
Restrictions and guidelines 23
Operating system requirements 23
Web browser requirements 23
Others 26
Logging in to the Web interface 27
Logging out of the Web interface 28
Quick Start 29
Quick Start wizard home page 29
Basic configuration 29
Admin configuration 30
IP configuration 31
Wireless configuration 32
RADIUS configuration 33
Portal configuration 35
Encryption configuration 36
AP configuration 37
Configuration summary 39
Displaying information summary 40
Device information 40
Device info 41
System resource state 41
Device interface information 41
Recent system logs 42
Displaying WLAN service 42
Displaying detailed information about WLAN service 42
Displaying statistics of WLAN service 45
Displaying connection history information of the WLAN service 45
Displaying AP 46
Displaying WLAN service information of an AP 46
Displaying AP connection history information 46
Displaying AP radio information 47
Displaying AP detailed information 50
Displaying clients 54
Displaying client detailed information 55
Displaying client statistics 57
Managing licenses 61
Configuring enhanced licenses 61
Registering an enhanced license 61
Displaying registered enhanced licenses 62
Configuring basic device settings 63
Configuring system name 63
Configuring Web idle timeout 63
Maintaining devices 64
Upgrading software 64
Rebooting the device 65
Generating the diagnostic information file 66
Configuring the system time 67
Configuration guidelines 67
Displaying the system time 67
Configuring the system time 67
Configuring the network time 68
System time configuration example 70
Managing logs 72
Displaying syslog 72
Setting the log host 73
Setting buffer capacity and refresh interval 74
Managing the configuration 76
Backing up the configuration 76
Restoring the configuration 76
Saving the configuration 77
Initializing the configuration 78
Managing files 79
Displaying file list 79
Downloading a file 80
Uploading a file 80
Removing a file 80
Specifying the main boot file 80
Managing interfaces 81
Interface management overview 81
Displaying interface information and statistics 81
Creating an interface 83
Modifying a Layer 2 interface 85
Modifying a Layer 3 interface 88
Interface management configuration example 90
Managing users 92
Creating a user 92
Setting the super password 93
Switching the user access level to the management level 94
Configuring SNMP 95
SNMP overview 95
SNMP configuration task list 95
Enabling SNMP 96
Feature matrix
The HP 10500/7500 20G unified wired-WLAN module adopts the OAA architecture. It works as an
OAP card on a switch and exchanges data, status, and control information with the switch through their
internal interfaces. Do not configure services such as QoS rate limiting and 802.1X authentication on the
internal interfaces.
The controller engine and switching engine of an HP 830 series PoE+ unified wired-WLAN switch adopt
the OAA architecture. The switching engine is integrated on the controller engine as OAP software. You
actually log in to the controller engine when you log in to the switch by default.
HP recommends not configuring QoS rate limiting or 802.1X authentication on the internal aggregate
interfaces (BAGG1) between the switching engine and the controller engine on an HP 830 switch.
Inappropriate rate limiting or authentication settings on the internal aggregate interfaces can cause
communication problems between the switching engine and the controller engine.
On the HP 830 24-port switch, the switching engine's internal aggregate interface is formed by
GigabitEthernet 1/0/29 and GigabitEthernet 1/0/30. On the HP 830 8-port switch, the switching
engine's internal aggregate interface is formed by GigabitEthernet 1/0/10 and GigabitEthernet
1/0/11. On all HP 830 switches, the controller engine's internal aggregate interface is formed by
GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2.
This document only describes the feature matrix for the controller engine of an HP 830 series PoE+
unified wired-WLAN switch. For feature and configuration information about the switching engine of an
HP 830 series PoE+ unified wired-WLAN switch, see HP 830 Series PoE+ Unified Wired-WLAN Switch
Switching Engine Configuration Guides.
Table 1 Feature matrix
Columns: (1) HP 10500/7500 20G unified wired-WLAN module; (2) HP 830 24-port PoE+ unified wired-WLAN switch controller engine; (3) HP 830 8-port PoE+ unified wired-WLAN switch controller engine.
Device
License management
(1) Supports 128 concurrent APs by default, and can be extended to support 1024 concurrent APs.
(2) Supports 24 concurrent APs by default, and can be extended to support 60 concurrent APs.
(3) Supports 12 concurrent APs by default, and can be extended to support 24 concurrent APs.
File management
Flash supported. CF card supported.
Network
Loopback test
(1) Internal loopback testing only supported on XGE interfaces.
(2) Internal loopback testing only supported on GE interfaces.
(3) Internal loopback testing only supported on GE interfaces.
IGMP Snooping
(1) The maximum number of multicast groups is in the range of 1 to 256 and defaults to 256.
(2) The maximum number of multicast groups is in the range of 1 to 64 and defaults to 64.
(3) The maximum number of multicast groups is in the range of 1 to 64 and defaults to 64.
AP
AP group (licenses must be fully configured to reach the maximum number of group IDs)
(1) Supported. (2) Not supported. (3) Not supported.
Advanced settings: High availability
AC backup
(1) Supported (a hello interval of 30 to 2000, and the default is 2000). (2) Not supported. (3) Not supported.
1+1 AC backup
(1) Supported. (2) Not supported. (3) Not supported.
Stateful failover
(1) Supported. (2) Not supported. (3) Not supported.
Web overview
This chapter describes the Web interface, functions available on the Web interface, Web user levels you
must have to perform a function, and common icons and buttons on the Web pages.
Web interface
The Web interface consists of the navigation tree, title area, and body area.
Figure 3 Web-based configuration interface
Navigation area: Organizes the Web-based NM function menus in the form of a navigation tree,
where you can select function menus as needed. The result is displayed in the body area. The Web
network management functions not supported by the device are not displayed in the navigation
area.
Body area: The area where you can configure and display a function.
Title area: On the left, displays the path of the current configuration interface in the navigation
area; on the right, provides the Save button to quickly save the current configuration, the Help button
to display the Web related help information, and the Logout button to log out of the Web interface.
Visitor: Users can use the network diagnostic tools ping and Trace Route, but they can neither
access the device data nor configure the device.
Monitor: Users can only access the device data, but they cannot configure the device.
Configure: Users can access device data and configure the device, but they cannot upgrade the
host software, add/delete/modify users, or back up/restore configuration files.
Web-based NM functions
Support for the configuration items depends on the device model. For more information, see "About the
HP 830 Series PoE+ Unified Wired-WLAN Switch and HP 10500/7500 20G Unified Wired-WLAN
Module Web-Based Configuration Guide."
A user level in Table 2 indicates that users of this level or users of a higher level can perform the
corresponding operations.
Table 2 Web-based NM function description
Function menu
Description
User level
Quick Start
Configure
Device Info
Monitor
Wireless Service
Monitor
Monitor
Reboot an AP.
Configure
Monitor
Configure
Monitor
Add licenses.
Configure
Monitor
Configure
System Name
Configure
Configure
Summary
AP
Client
License
License
Enhanced License
Device
Basic
Device
Maintenance
Software Upgrade
Management
Reboot
Management
Diagnostic
Information
Management
Monitor
Configure
Monitor
Configure
Monitor
Configure
Loghost
Configure
Log Setup
Configure
Backup
Management
Restore
Management
Save
Configure
Initialize
Configure
Management
Monitor
Configure
Summary
Monitor
Super Password
Configure
Create
Configure
System Time
System Time
Net Time
Loglist
Syslog
Configuration
File management
Interface
Users
Modify
Configure
Remove
Configure
Switch To
Management
Monitor
Setup
Monitor
Configure SNMP.
Configure
Monitor
Configure
Monitor
Configure
Monitor
Configure
Monitor
Configure
Monitor
Configure
Configure
Monitor
Configure
Configure
Monitor
Configure
Monitor
Configure
Monitor
Configure
Community
Group
SNMP
User
Trap
View
Loopback
MAC
MAC
Setup
VLAN
Network
VLAN
Port
ARP
Management
ARP Table
Monitor
Configure
Monitor
Configure
Monitor
Configure
Monitor
Configure
Monitor
Configure
Summary
Monitor
Create
Configure
Remove
Configure
Summary
Monitor
Create
Configure
Remove
Configure
Monitor
Configure
Gratuitous ARP
ARP Detection
ARP
Anti-Attack
Advanced
Configuration
Basic
IGMP
Snooping
Advance
IPv4 Routing
IPv6 Routing
DHCP
DHCP Server
Monitor
Configure
Monitor
Configure
Static
Configure
Dynamic
Configure
Monitor
Management
IPv4 Ping
Visitor
IPv6 Ping
Visitor
Trace Route
Visitor
Monitor
Configure
Monitor
Configure
DHCP Relay
DHCP Snooping
DNS
Service
Diagnostic
Tools
AP Setup
AP
Auto AP
AP Group
Access Service
Mesh Service
Mesh Policy
Wireless
Service
Global Setup
Mesh
Service
Mesh Channel
Optimize
Roam Group
Roam
Roam Client
Radio
Radio
Rate
Monitor
Configure
Monitor
Configure
Monitor
Configure
Monitor
Configure
Monitor
Configure
Monitor
Configure
Monitor
Monitor
Monitor
Configure
Monitor
Configure
Monitor
Monitor
Configure
Monitor
Channel Scan
Operation
Calibration
Parameters
Radio Group
Antenna Switch
802.1X
Portal Server
Portal
Free Rule
Authenticat
ion
Domain Setup
AAA
Authentication
Authorization
Configure
Monitor
Configure
Monitor
Manual calibration
Configure
Monitor
Configure
Monitor
Configure
Configure
Monitor
Configure
Monitor
Configure
Monitor
Configure
Monitor
Management
Monitor
Management
Monitor
Management
Accounting
RADIUS
Local User
User Group
Users
Guest
User Profile
Entity
Domain
Certificate
Management
Certificate
CRL
AP Monitor
Security
Rogue
detection
Rule List
Monitor
Management
Management
Monitor
Configure
Monitor
Management
Monitor
Management
Monitor
Management
Monitor
Configure
Monitor
Configure
Monitor
Configure
Monitor
Configure
Monitor
Configure
Monitor
Configure
Monitor
Configure
Monitor
Configure
Monitor
Configure
Monitor
Configure
Monitor
Configure
Monitor
Configure
Monitor
Configure
Monitor
Configure
Management
Summary
Monitor
Add
Configure
Remove
Configure
Summary
Monitor
Add
Configure
Basic Setup
Configure
Advanced Setup
Configure
Link Setup
Configure
Remove
Configure
Monitor Record
History Record
WIDS Setup
WIDS
History Record
Statistics
Blacklist
Filter
White List
User Isolation
Time Range
QoS
ACL IPv4
ACL IPv6
Summary
Monitor
Add
Configure
Basic Setup
Configure
Advanced Setup
Configure
Remove
Configure
Monitor
Configure
Monitor
Configure
Monitor
Configure
Monitor
Configure
Monitor
Configure
Summary
Monitor
Setup
Configure
Monitor
Configure
Management
Wireless QoS
Radio Statistics
Wireless
QoS
Client Statistics
Bandwidth
Guarantee
Line Rate
Port Priority
Trust Mode
Classifier
Behavior
QoS Policy
Port Policy
Management
Summary
Monitor
Add
Create a class.
Configure
Setup
Configure
Remove
Configure
Summary
Monitor
Add
Configure
Setup
Configure
Remove
Configure
Summary
Monitor
Add
Configure
Setup
Configure
Remove
Configure
Summary
Monitor
Setup
Configure
Remove
Configure
Monitor
Configure
Monitor
Configure
Service Policy
Country/Region Code
AC Backup
Advanced
Monitor
Setup
Configure
Status
Monitor
Monitor
Configure
Monitor
Configure
Continuous Transmit
Load Balance
Load
Balancing
Load Balance Group
AP Module
AP
Switch to fat AP
Wireless Location
Wireless Sniffer
Band Navigation
Multicast Optimization
High
Reliability
Stateful Failover
Monitor
Configure
Monitor
Configure
Monitor
Configure
Monitor
Configure
Monitor
Configure
Monitor
Configure
Monitor
Configure
Monitor
Configure
Monitor
Configure
Description
Applies the configuration on the current page.
Cancels the configuration on the current page, and returns to the
corresponding list page or the Device Info page.
Refreshes the current page.
Clears all entries in a list or all statistics.
Adds an item.
Removes the selected items.
Selects all the entries in a list, or selects all ports on the device panel.
Clears all the entries in a list, or clears all ports on the device panel.
Restores the values of all the entries on the current page to the default.
Buffers settings you made and proceeds to the next step without applying
the settings.
This button is typically present on the configuration wizard.
Buffers settings you made and returns to the previous step without applying
the settings.
This button is typically present on the configuration wizard.
Applies all settings you made at each step and finishes the configuration
task.
This button is typically present on the configuration wizard.
Accesses a configuration page to modify settings.
This icon is typically present in the Operation column in a list.
Deletes an entry.
This icon is typically present in the Operation column in a list.
Page display
The Web interface can display contents by pages, as shown in Figure 4. You can set the number of
entries displayed per page, and view the contents on the first, previous, next, and last pages, or go to any
page that you want to check.
NOTE:
A list can contain a maximum of 20000 entries if displayed in pages.
Searching function
The Web interface provides basic and advanced search functions to display only the entries that
match specific search criteria.
Basic search: As shown in Figure 4, enter the keyword in the text box above the list, select a search
item from the list, and click Search to display the entries that match the criteria. Figure 5 shows an
example of searching for entries whose MAC address contains 00e0.
Advanced search: As shown in Figure 4, click the Advanced Search link to open the advanced
search page, as shown in Figure 6. Specify the search criteria, and click Apply to display the entries
that match the criteria.
Take the ARP table shown in Figure 4 as an example. If you want to search for the ARP entries with 000f
at the beginning of the MAC address and an IP address in the range 192.168.1.50 to 192.168.1.59, follow
these steps:
1. Click the Advanced Search link, specify the search criteria on the advanced search page as shown
in Figure 7, and click Apply. The ARP entries with 000f at the beginning of the MAC address are
displayed.
2. Click the Advanced Search link, specify the search criteria on the advanced search page as shown
in Figure 8, and click Apply. The ARP entries with 000f at the beginning of the MAC address and
an IP address in the range 192.168.1.50 to 192.168.1.59 are displayed, as shown in Figure 9.
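The two-stage filter described above, a MAC-address prefix first and then an IP address range, is easy to reproduce on an exported ARP table, which is useful when you want to repeat the same check on a saved copy rather than in the browser. The following Python block is an added example and is not code from the HP guide or from the device. It works on a small ARP table constructed here and implements both the basic search (substring of the MAC address, as in the 00e0 example) and the advanced search (MAC prefix plus IP range, as in the 000f / 192.168.1.50 to 192.168.1.59 example). The entry layout, the MAC notation and the function names are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class ArpEntry:
    """One row of an ARP table; field names are an assumption for this example."""
    ip: str
    mac: str
    vlan: int
    interface: str


# Constructed sample ARP table (not taken from the manual or a real device).
SAMPLE_ARP_TABLE: List[ArpEntry] = [
    ArpEntry("192.168.1.50", "000f-e201-0001", 1, "GE1/0/1"),
    ArpEntry("192.168.1.55", "000f-e201-0002", 1, "GE1/0/1"),
    ArpEntry("192.168.1.60", "000f-e201-0003", 1, "GE1/0/2"),
    ArpEntry("192.168.1.52", "00e0-fc01-0004", 1, "GE1/0/2"),
    ArpEntry("10.0.0.7", "000f-0000-00e0", 2, "GE1/0/3"),
]


def normalize_mac(mac: str) -> str:
    """Drop separators and case so 000f-e201-0001 and 00:0F:E2:01:00:01 compare equal."""
    return "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")


def basic_search(entries: Iterable[ArpEntry], mac_substring: str) -> List[ArpEntry]:
    """Basic search: keep entries whose MAC address contains the keyword."""
    needle = normalize_mac(mac_substring)
    return [e for e in entries if needle in normalize_mac(e.mac)]


def advanced_search(entries: Iterable[ArpEntry],
                    mac_prefix: Optional[str] = None,
                    ip_start: Optional[str] = None,
                    ip_end: Optional[str] = None) -> List[ArpEntry]:
    """Advanced search: MAC prefix and/or an inclusive IP address range.

    Criteria that are left as None are not applied, which mirrors leaving a
    field empty on the advanced search page.
    """
    prefix = normalize_mac(mac_prefix) if mac_prefix else ""
    low = ipaddress.ip_address(ip_start) if ip_start else None
    high = ipaddress.ip_address(ip_end) if ip_end else None
    if low is not None and high is not None and low > high:
        raise ValueError("ip_start must not be greater than ip_end")

    matches = []
    for entry in entries:
        if prefix and not normalize_mac(entry.mac).startswith(prefix):
            continue
        # Compare as addresses, not strings, so 192.168.1.9 sorts below 192.168.1.50.
        ip = ipaddress.ip_address(entry.ip)
        if low is not None and ip < low:
            continue
        if high is not None and ip > high:
            continue
        matches.append(entry)
    return matches


def ips(entries: Iterable[ArpEntry]) -> List[str]:
    """Convenience view of a result set for printing or asserting."""
    return [e.ip for e in entries]


if __name__ == "__main__":
    print("MAC contains 00e0:", ips(basic_search(SAMPLE_ARP_TABLE, "00e0")))
    print("MAC prefix 000f:", ips(advanced_search(SAMPLE_ARP_TABLE, mac_prefix="000f")))
    print("prefix 000f and 192.168.1.50-59:",
          ips(advanced_search(SAMPLE_ARP_TABLE, mac_prefix="000f",
                              ip_start="192.168.1.50", ip_end="192.168.1.59")))
```

Normalising the MAC address before comparing means a criterion typed as 000f matches whether the exported table renders addresses with hyphens, colons or no separators at all; the first call reproduces step 1 (four entries), the second reproduces step 2 (two entries).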
Sorting function
The Web interface provides a basic sorting function to display entries in a chosen order.
On a list page, you can click the blue heading item of each column to sort the entries based on the
heading item you selected. After you click it, the heading item is displayed with an arrow beside it, as
shown in Figure 10. The upward arrow indicates ascending order, and the downward arrow
indicates descending order.
Figure 10 Basic sorting function example (based on IP address in descending order)
If you are using a Windows operating system, turn off the Windows firewall. The Windows firewall
limits the number of TCP connections. When the limit is reached, you cannot log in to the Web
interface.
If you are using a Microsoft Internet Explorer browser, you must enable the security settings (see
"Enabling security settings in a Microsoft Internet Explorer browser"), including Run ActiveX
controls and plug-ins, Script ActiveX controls marked safe for scripting, and Active scripting.
If you are using a Mozilla Firefox browser, you must enable JavaScript (see "Enabling JavaScript in
a Firefox browser").
1. Launch Internet Explorer, and select Tools > Internet Options from the main menu.
2. Select the Security tab, and select the content zone where the target Website resides, as shown
in Figure 12.
3.
4. In the Security Settings dialog box, enable Run ActiveX controls and plug-ins, Script ActiveX
controls marked safe for scripting, and Active scripting.
5.
Enabling JavaScript in a Firefox browser
2. In the Options dialog box, click the Content icon, and select Enable JavaScript.
3.
Others
Make sure the management PC and the device can reach each other.
Do not use the Back, Next, Refresh buttons provided by the browser. Using these buttons might
result in Web page display problems.
To ensure correct display of Web page contents after software upgrade or downgrade, clear data
cached by the browser before you log in.
You cannot log in to the Web interface while the device is performing spanning tree calculation.
If you click the verification code displayed on the Web login page, you can get a new verification
code.
Up to 24 users can concurrently log in to the device through the Web interface.
After logging in to the Web interface, you can select Device > Users from the navigation tree, create
a new user, and select Wizard or Network > VLAN interface to configure the IP address of the
VLAN interface acting as the management interface.
Username: admin
Password: admin
1. Connect the GigabitEthernet interface of the device to a PC by using a crossover Ethernet cable.
By default, all interfaces belong to VLAN 1.
The PC in this procedure is used for configuring basic device settings, and it is not necessarily the
PC you use for Web-based management.
2. Configure an IP address for the PC and make sure the PC and device can reach each other.
For example, assign the PC an IP address in the 192.168.0.0/24 subnet other than 192.168.0.100
(for example, 192.168.0.2).
3.
c. Select a country/region code from the Country/Region list, and click Apply.
Quick Start
Quick Start wizard home page
From the navigation tree, select Quick Start to enter the home page of the Quick Start wizard.
Figure 17 Home page of the Quick Start wizard
Basic configuration
1.
2.
Description
Specify the name of the current device.
By default, the system name of the device is HP.
Country/Region Code
Select the code of the country in which you are located. This field defines the radio
frequency characteristics, such as the power and the total number of channels for
frame transmission. Before configuring the device, you need to configure the
country code correctly. If the Country Code field is grayed out, it cannot be
modified.
Time Zone
Time
Admin configuration
1.
2.
Description
Password
Specify the password that user admin uses to log in to the device. The password is stored in cipher text.
Confirm Password
Password Encryption
Reversible
Irreversible
IP configuration
1.
2.
Description
IP Address
Specify the IP address of VLAN-interface 1. This IP address is used for logging into
the device.
The default is 192.168.0.100.
Mask
Default Gateway
Wireless configuration
1.
2.
Description
Primary Service Authentication Type
Select the authentication type for the wireless service:
None: Performs no authentication.
User authentication (802.1X): Performs 802.1X authentication.
Portal: Performs Portal authentication.
Wireless Service
Encrypt
RADIUS configuration
1. On the wireless configuration page, select User authentication (802.1X) or Portal for the Primary
Service Authentication Type field.
2. Click Next.
3.
4.
Description
Select the type of the RADIUS server:
In this case, the RADIUS client (access device) and the RADIUS server exchange
packets based on the specifications and packet format definitions of a private
RADIUS protocol.
In this case, the RADIUS client (access device) and the RADIUS server exchange packets based on the
specifications and packet format definitions of the standard RADIUS protocols
(RFC 2138, RFC 2139, and the updates).
Authentication IP
Authentication Key
Accounting IP
Accounting Key
Portal configuration
1. On the wireless configuration page, select Portal for the Primary Service Authentication Type field.
2. Click Next.
The RADIUS Configuration page appears.
3.
4.
Description
Server-name
Server-IP
Port
Redirect-URL
Item
Description
Specify the portal authentication method to be used:
directly obtains a public IP address through DHCP, and can access only the
portal server and predefined free websites. After passing authentication, the
user can access the network resources. The authentication process of direct
authentication is simpler than that of the re-DHCP authentication.
Method
and can access only the portal server and predefined free websites. After
passing authentication, the user is allocated a public IP address and can access
the network resources.
Encryption configuration
On the wireless configuration page, select User authentication (802.1X) for Primary Service
Authentication Type, and click Next to enter the encryption configuration page, as shown in Figure 24.
Figure 24 Encryption Configuration page
Description
Specify whether to use WEP keys provided automatically or use static WEP keys.
WEP
Select the key type of the WEP encryption mechanism: WEP40, WEP104, or WEP128.
Key ID
Select the WEP key index: 1, 2, 3, or 4. Each number represents one of the four
static keys of WEP. The selected key index will be used for frame encryption and
decryption.
IMPORTANT:
If you select Provide Key Automatically, only 1, 2, and 3 are
available for the Key ID option.
Key Length
Select the key length.
When the key type is WEP40, the key length can be five alphanumeric
characters or ten hexadecimal characters.
When the key type is WEP104, the key length can be 13 alphanumeric
characters or 26 hexadecimal characters.
When the key type is WEP128, the key length can be 16 alphanumeric
characters or 32 hexadecimal characters.
WEP Key
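The key-length rules in the table (five or ten characters for WEP40, 13 or 26 for WEP104, 16 or 32 for WEP128, the longer form being hexadecimal) and the Key ID restriction that applies under Provide Key Automatically can be checked before a key is pasted into the wizard, which avoids a rejected page after the fact. The Python block below is an added example written for this page, not code from the HP guide or from the device; the function names and the return format are assumptions. It checks only the form of a key; WEP itself no longer provides adequate confidentiality, so the check says nothing about the strength of the resulting configuration.

```python
import re
from typing import Tuple

# Allowed key lengths per WEP key type, taken from the Key Length field above:
# (alphanumeric character count, hexadecimal character count).
WEP_KEY_LENGTHS = {
    "WEP40": (5, 10),
    "WEP104": (13, 26),
    "WEP128": (16, 32),
}

_HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
_ALNUM_RE = re.compile(r"^[0-9A-Za-z]+$")


def classify_wep_key(key_type: str, key: str) -> Tuple[str, int]:
    """Return ("hex" or "ascii", key_bits) for a key that fits key_type.

    The hexadecimal form is tested first because only the longer length can be
    hex; a string of the shorter length can only be the alphanumeric form.
    Raises ValueError when the key fits neither form.
    """
    if key_type not in WEP_KEY_LENGTHS:
        raise ValueError(f"unknown WEP key type: {key_type}")
    ascii_len, hex_len = WEP_KEY_LENGTHS[key_type]
    if len(key) == hex_len and _HEX_RE.match(key):
        return "hex", hex_len * 4       # four bits per hex digit
    if len(key) == ascii_len and _ALNUM_RE.match(key):
        return "ascii", ascii_len * 8   # eight bits per character
    raise ValueError(
        f"{key_type} key must be {ascii_len} alphanumeric or "
        f"{hex_len} hexadecimal characters, got {len(key)} characters"
    )


def is_valid_wep_key(key_type: str, key: str) -> bool:
    """Boolean wrapper around classify_wep_key for form validation."""
    try:
        classify_wep_key(key_type, key)
        return True
    except ValueError:
        return False


def allowed_key_ids(provide_key_automatically: bool) -> Tuple[int, ...]:
    """Key IDs the wizard offers: 1 to 4 for static keys, 1 to 3 when
    Provide Key Automatically is selected (per the IMPORTANT note above)."""
    return (1, 2, 3) if provide_key_automatically else (1, 2, 3, 4)


def is_valid_key_id(key_id: int, provide_key_automatically: bool) -> bool:
    return key_id in allowed_key_ids(provide_key_automatically)


if __name__ == "__main__":
    # Constructed sample keys for illustration only, not real credentials.
    samples = [
        ("WEP40", "abcde"),
        ("WEP40", "0123456789"),
        ("WEP104", "0123456789abcdef0123456789"),
        ("WEP128", "0123456789abcdef"),
        ("WEP40", "abcd"),  # too short for either form
    ]
    for key_type, key in samples:
        verdict = classify_wep_key(key_type, key) if is_valid_wep_key(key_type, key) else "invalid"
        print(key_type, key, verdict)
    print("Key ID 4 with automatic keys:", is_valid_key_id(4, True))
```

Note the ordering inside classify_wep_key: a 16-character hex-looking string such as 0123456789abcdef is accepted for WEP128 as a 16-character alphanumeric key, not as a hex key, because the hex form of WEP128 must be 32 characters; the key bits (40, 104 or 128) come out the same either way.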
AP configuration
1.
2.
3.
Description
AP Name
Model
If the Auto box is not selected, you need to manually enter a serial ID.
If the Auto box is selected, the AC automatically searches for the serial ID of the AP.
Serial ID
By default, no country/region code is configured for the AP and the AP uses the
global country/region code (which is configured on the AC). If the country/region
code is specified on this page, the AP uses this configuration. For information
about the country/region code configured on the AC, see "Configuring advanced
settings."
Radio
Mode
Select the radio mode. The radio mode depends on the AP model.
Item
Description
Select the working channel.
The channel list for the radio depends on the country/region code and radio
mode, and it varies with device models.
Channel
Auto: Specifies the automatic channel mode. With Auto specified, the AC
evaluates the quality of channels in the wireless network, and selects the best
channel as the working channel.
After the channel is changed, the power list is refreshed.
Select the transmission power.
Power
The maximum power of the radio depends on the country/region code, working
channel, AP model, radio mode, and antenna type. If 802.11n is specified as the
radio mode, the maximum power of the radio also depends on the bandwidth
mode.
Configuration summary
1.
2.
Device information
After logging in to the Web interface, you enter the Summary > Device Info page.
Figure 27 Device info page
If you select a specific refresh period (for example, 1 minute), the system periodically refreshes the
Device Info page according to the selected refresh period.
If you select Manual, you need to click Refresh to refresh the page.
Device info
Table 12 Field description
Field
Description
Device Name
Product Information
Device Location
To configure the device location information, select Device > SNMP > Setup.
For more information, see "Configuring SNMP."
Display the contact information for device maintenance.
Contact Information
To configure the contact information, select Device > SNMP > Setup. For more
information, see "Configuring SNMP."
SerialNum
Software Version
Hardware Version
Bootrom Version
Running Time
Display the running time after the latest boot of the device.
Description
CPU Usage
Memory Usage
Display the real-time memory usage and the total memory size.
Temperature
Description
Interface
IP Address/Mask
Status
For more information about device interfaces, click More below the Device Interface Information area to
enter the Device > Interface page to view and operate the interfaces. For more information, see
"Managing interfaces."
Description
Time
Level
Description
For more information about system logs, click More below the Recent System Operation Logs area to
enter the Device > Syslog > Loglist page to view the logs. For more information, see "Managing logs."
2. Click a WLAN service to view its detailed information, statistics, or connection history.
Description
SSID
Binding Interface
Authentication Method
Authentication Mode
SSID-hide
Bridge Mode
Figure 29 shows the page that displays detailed information about crypto-type WLAN services. Table 17
describes the fields on the page.
Figure 29 Displaying detailed information about the WLAN service (crypto type)
Description
SSID
Binding Interface
Security IE
Authentication Method
SSID-hide
Cipher Suite
GTK Rekey
of time.
Forwarding mode:
Bridge Mode
Displaying AP
Select Summary > AP from the navigation tree to enter the AP page, as shown in Figure 32. You can
display the WLAN service information, connection history, radio, and detailed information of an AP by
clicking the tabs on the page.
The Noise Floor item in the table indicates the level of random electromagnetic interference present in the
wireless environment. In an environment with a high noise floor, you can improve the signal-to-noise
ratio (SNR) by increasing the transmit power or reducing the noise floor.
The Service Type item in the table has two options: Access and Mesh.
Resource Usage represents the resource utilization of a radio within a certain period. For example, if a
radio has occupied the channel for 5 seconds out of a 10-second period, the resource utilization of the
radio is 5 seconds divided by 10 seconds, that is, 50%.
Description
AP name
Radio Id
Radio ID.
Total Frames
Unicast Frames
Broadcast/Multicast Frames
Others
Discard Frames
Retry Count
Authentication Frames
Failed RTS
Successful RTS
Failed ACK
Association Frames
Total Frames
Unicast Frames
Broadcast/Multicast Frames
Fragmented Frames
FCS Failures
Authentication Frames
Duplicate Frames
Decryption Errors
Association Frames
Description
APID
AP System Name
Map Configuration
Field
Description
State
Current state of the AP:
Idle: The AP is idle. If the Idle state persists, check the following: 1) If the
Config: The AC is delivering a configuration file to the fit AP, and the fit
AP is collecting radio information through the radio interface and
reporting to the AC. This state is an instantaneous state.
Up Time(hh:mm:ss)
Time duration for which the AP has been connected to the AC. NA indicates that the
AP is not connected to the AC.
Model
AP model name.
Serial-ID
IP Address
H/W Version
S/W Version
Boot-Rom version
Description
Connection Type
Priority Level
AP connection priority.
Echo Interval(s)
Cir (Kbps)
Cbs (Bytes)
Jumboframe Threshold
Field
Description
Last reboot reason of the AP:
Latest IP Address
No Reason: Other reasons.
Connection Count
Connection count between the AP and AC. This field is reset in one of the
following situations:
The AC is rebooted.
You re-configure an AP template after deleting the old one.
If you click Reboot on this page to reboot the AP, the connection count is
not reset.
AP Mode
Mode supported by the AP. Currently only the split MAC mode is supported.
AP operation mode
Portal Service
Device Detection
Interval to detect clients segregated from the system due to various reasons
(such as power failure or crash) and disconnect them from the AP.
If the client is idle for more than the specified interval (if the AP does not
receive any data from the client within the specified interval), the client will
be removed from the network.
Basic BSSID
Wireless Mode
Client Dot11n-only
Field
Description
Channel Band-width
802.11n mode, but non-802.11n wireless devices exist within the coverage
of the AP.
associated with the AP and the wireless devices within the coverage of the
AP operate in 802.11n mode, and at least one 802.11n client operating in
20 MHz mode is associated with the radio of the AP.
A-MSDU
A-MPDU
Configured Channel
power is displayed.
If auto TPC is adopted, two values are displayed, with the first being the
maximum power, and the second auto (number), where number in the
brackets represents the actual power.
Interference (%)
Utilization (%)
Channel Health
Field
Description
Preamble Type
Radio Policy
Service Template
SSID
Port
Mesh Policy
ANI Support
11g Protection
Admin State
Physical State
Antenna Type
Noise Floor
Displaying clients
Select Summary > Client from the navigation tree to enter the page, as shown in Figure 36
Figure 36 Displaying clients
Description
Refresh
Add to Blacklist
Add the selected client to the static blacklist, which you can display by
selecting Security > Filter from the navigation tree.
Reset Statistic
Disconnect
Description
MAC address
AID
uses the portal authentication method, the field does not display the
portal username of the client.
AP Name
Radio Id
SSID
BSSID
Port
VLAN
Field
State
Description
State of the client.
Backup indicates a backup client.
Wireless Mode
Channel Band-width
Not Supported.
Supported.
Whether the client supports short GI when its channel bandwidth is 40
MHz:
Not Supported.
Supported.
MCS supported by the client.
BLOCK ACK-TID 0
Whether BLOCK ACK is negotiated for QoS priority ID (TID) 0:
OUT: Outbound direction.
IN: Inbound direction.
BOTH: Both directions.
QoS Mode
Specifies how often the client wakes up to receive frames saved in the
AP and is expressed in units of beacon intervals.
RSSI
Rx/Tx Rate
Client Type
Authentication Method
AKM Method
Field
Description
Displays the group key states:
Roam Status
Roam Count
For inter-AC roaming, this field is reset after the client leaves the
mobility group to which the AC belongs.
Up Time
Time for which the client has been associated with the AP.
Description
AP Name
Radio Id
Radio ID.
SSID
Field
Description
BSSID
MAC Address
RSSI
Received signal strength indication. This value indicates the client signal
strength detected by the AP.
Transmitted Frames
Back Ground(Frames/Bytes)
Best Effort(Frames/Bytes)
Video(Frames/Bytes)
Voice(Frames/Bytes)
Received Frames
Discarded Frames
You can collect statistics of priority queues such as Back Ground, Best Effort, Video and Voice on a QoS
client only. The Best Effort priority queue includes all traffic, including SVP packets, sent and received on a
client where QoS is not enabled. Therefore, the queues reported might differ from the queues
actually used. You can collect statistics only for priority queues carried in Dot11E or WMM packets. Otherwise,
statistics collection of priority queues on the receiving end might fail.
Description
BSSID
Online-time
AC-IP-address
The IP address of the AC connected with the client. When the configured roaming
channel type is IPv6, the IPv6 address of the AC is displayed.
Description
No./MCS
Rate(Mbps)
TxCnt
RxCnt
Number of wireless ping frames that the radio interface received from the client.
RSSI
Received signal strength indication. This value indicates the client signal strength
detected by the AP.
Field
Description
Retries
RTT(ms)
Managing licenses
A license controls the maximum number of online APs. You can add a license on a device to increase the
maximum number of online APs that the device supports. The upper limit of online APs that a device
supports is restricted by its specification and varies by device model. For more information, see "About
the HP 830 Series PoE+ Unified Wired-WLAN Switch and HP 10500/7500 20G Unified Wired-WLAN
Module Web-Based Configuration Guide."
3. Click Add.
Description
Select the name of the feature to be registered.
For example, AP allows you to increase the number of APs.
Activation key of the license.
2. View the registered enhanced licenses at the lower part of the page.
Description
Feature Name
License Key
Time left for the license. After the time elapses, the license expires.
The value Forever means that the license is an official version.
Number of APs that the license supports.
Set the system name of the device. The configured system name will be displayed at the top of the
navigation bar.
Set the idle timeout period for a logged-in user. The system logs an idle user off the Web for security
purposes after the configured period.
3. Click Apply.
4. Click Apply.
Maintaining devices
Upgrading software
IMPORTANT:
During a software upgrade, avoid performing any operation on the Web interface. Otherwise, the
upgrade operation may be interrupted.
A boot file, also known as the system software or device software, is an application file used to boot the
device. Software upgrade allows you to obtain a target application file from the local host and set the file
as the boot file to be used at the next reboot. You can keep or change the original filename (do not
change the extension name, for example, .bin) after you obtain the target application file from the local
host. In addition, you can select whether to reboot the device to make the upgrade software take effect.
To upgrade software:
3. Click Apply.
Description
File
File Type
Specify the type of the boot file for the next boot:
unavailable.
Item
Description
Specify whether to overwrite the file with the same name.
If you do not select the option, when you rename a file with
the same name, the system prompts "The file has existed.",
and you cannot upgrade the software.
Specify whether to reboot the device to make the upgraded
software take effect after the application file is uploaded.
3. Clear the box before "Check whether the current configuration is saved in the next startup
configuration file" or keep it selected.
4. Click Apply.
A confirmation dialog box appears.
5. Click OK.
If you select the box next to Check whether the current configuration is saved in the next startup
configuration file, the system checks the configuration before rebooting the device. If the check
succeeds, the system reboots the device. If the check fails, the system displays a dialog box to
inform you that the current configuration and the saved configuration are inconsistent, and does
not reboot the device. You must save the current configuration manually before you can reboot
the device.
If you do not select the box next to Check whether the current configuration is saved in the next
startup configuration file, the system reboots the device automatically.
NOTE:
During the generation of the diagnostic file, do not perform any operation on the Web interface.
To view this file after the diagnostic file is generated successfully, select Device > File Management, or
download this file to the local host. For more information, see "Managing files."
Configuration guidelines
A device can act as a server to synchronize the clock of other devices only after its clock has been
synchronized. If the clock of a server has a stratum level higher than or equal to that of a client's
clock, the client will not synchronize its clock to the server's clock.
Because synchronization takes some time, the clock status might still be displayed as
unsynchronized immediately after your configuration. Refresh the page to update the clock status.
If the system time of the NTP server is ahead of the system time of the device, and the difference
between them exceeds the Web idle time specified on the device, all online Web users are logged
out because of timeout.
3. Modify the system time either in the System Time Configuration field, or through the calendar
page.
You can perform the following operations on the calendar page:
a. Click Today to set the current date on the calendar to the current system date of the local host.
The time is not changed.
b. Set the year, month, date and time, and then click OK.
4. Click Apply in the system time configuration page to save your configuration.
4. Click Apply.
Description
Clock status
Local Reference Source
If the IP address of the local clock source is specified, the local clock
is used as the reference clock, and can provide time for other
devices.
If the IP address of the local clock source is not specified, the local
clock is not used as the reference clock.
The stratum level of the local clock determines the precision of the local
clock. A higher value indicates a lower precision. A stratum 1 clock has
the highest precision, and a stratum 16 clock is not synchronized and
cannot be used as a reference clock.
Source Interface
Set the source interface for NTP messages.
Item
Description
Key 1
Key 2
Set the NTP authentication keys.
The NTP authentication feature should be enabled for a system running
NTP in a network where there is a high security demand. This feature
enhances network security by means of client-server key
authentication, which prevents a client from synchronizing with a
device that has failed authentication.
ID is the ID of a key.
Key string is the character string used as the MD5 authentication key.
External Reference Source
NTP Server 1/Reference Key ID
NTP Server 2/Reference Key ID
You can configure two NTP servers. The clients will choose the optimal
reference source.
TimeZone
IMPORTANT:
As shown in Figure 51, the local clock of the switch is set as the reference clock.
The AC operates in client mode, and uses the switch as the NTP server.
Configuring the AC
To configure the switch as the NTP server of the AC:
3. Enter 24 for the ID of key 1, and aNiceKey for the key string. Enter 1.0.1.12 in the NTP Server 1
box and 24 in the Reference Key ID box.
4. Click Apply.
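The key ID and key string entered above work because both ends compute the same MD5 authenticator over every NTP packet. The following Python is an added example, not part of the HP guide, that models the RFC 5905 symmetric-key check with the page's key ID 24 and key string aNiceKey; the NTP packet contents and the trusted-key store are constructed for the demonstration.

```python
"""Added example (not from the HP guide): how an NTP authentication key pair
(key ID 24, key string "aNiceKey") protects NTP packets.

RFC 5905 symmetric-key authentication appends a MAC to the 48-byte NTP
header: a 4-byte key ID followed by MD5(key_string || header). Server and
client must hold the same key string under the same ID. A packet whose key
ID is unknown or whose digest does not verify is discarded, which is the
"prevents a client from synchronizing with a device that has failed
authentication" behaviour described in the table.
"""
import hashlib
import hmac
import struct
from typing import Dict, Tuple

NTP_HEADER_LEN = 48
MD5_DIGEST_LEN = 16

# Constructed trusted-key store mirroring the page's configuration: ID 24 -> "aNiceKey".
TRUSTED_KEYS: Dict[int, bytes] = {24: b"aNiceKey"}


def build_client_request(transmit_ts: int = 0x83AA7E8000000000) -> bytes:
    """Build a minimal unauthenticated NTPv4 client request header (constructed data).

    Byte 0 packs LI=0, VN=4, Mode=3 (client): 0b00_100_011 = 0x23. The stratum,
    poll and precision bytes follow, then 36 zero bytes (root delay, root
    dispersion, reference ID, reference/origin/receive timestamps) and the
    64-bit transmit timestamp.
    """
    return struct.pack("!BBBb", 0x23, 0, 0, 0) + b"\x00" * 36 + struct.pack("!Q", transmit_ts)


def authenticate(header: bytes, key_id: int, key: bytes) -> bytes:
    """Append the RFC 5905 authenticator: key ID (32 bits) + MD5 over key || header.

    MD5 here is the keyed digest the protocol specifies; the protection comes
    from keeping the key string secret and identical on both peers.
    """
    if len(header) != NTP_HEADER_LEN:
        raise ValueError("expected a 48-byte NTP header")
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify(packet: bytes, trusted_keys: Dict[int, bytes]) -> Tuple[bool, str]:
    """Check a packet the way a key-protected peer would.

    Returns (accepted, reason). Rejects a missing authenticator, an unknown key ID,
    and a digest that does not match (wrong key string or tampered header).
    """
    if len(packet) != NTP_HEADER_LEN + 4 + MD5_DIGEST_LEN:
        return False, "no MD5 authenticator present"
    header = packet[:NTP_HEADER_LEN]
    key_id = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])[0]
    digest = packet[NTP_HEADER_LEN + 4:]
    key = trusted_keys.get(key_id)
    if key is None:
        return False, f"key ID {key_id} is not a trusted key"
    expected = hashlib.md5(key + header).digest()
    if not hmac.compare_digest(expected, digest):  # constant-time comparison
        return False, f"digest mismatch for key ID {key_id}"
    return True, f"authenticated with key ID {key_id}"


def demo() -> Dict[str, bool]:
    """Run the four failure cases beside the one that succeeds."""
    header = build_client_request()
    good = authenticate(header, 24, b"aNiceKey")
    wrong_key = authenticate(header, 24, b"wrongKey")   # peer configured a different string
    unknown_id = authenticate(header, 25, b"aNiceKey")  # right string under an unconfigured ID
    tampered = bytearray(good)
    tampered[40] ^= 0x01                                # flip a bit in the transmit timestamp
    return {
        "good": verify(good, TRUSTED_KEYS)[0],
        "wrong_key": verify(wrong_key, TRUSTED_KEYS)[0],
        "unknown_id": verify(unknown_id, TRUSTED_KEYS)[0],
        "tampered": verify(bytes(tampered), TRUSTED_KEYS)[0],
        "unauthenticated": verify(header, TRUSTED_KEYS)[0],
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:16s} accepted={accepted}")
```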
Managing logs
System logs contain a large amount of network and device information, including running status and
configuration changes. System logs allow administrators to access network and device status. With
system logs, administrators can take corresponding actions against network and security problems.
The system sends system logs to the following destinations:
Console.
Monitor terminal, which is a user terminal that has login connections through the AUX, VTY, or TTY
user interface.
Log buffer.
Loghost.
Web interface.
Displaying syslog
The Web interface provides abundant search and sorting functions for viewing logs.
To display syslog:
TIP:
You can click Reset to clear all system logs saved in the log buffer on the Web interface.
You can click Refresh to manually refresh the page, or you can set the refresh interval on the Log Setup
page to enable the system to automatically refresh the page. For more information, see "Setting buffer
capacity and refresh interval."
Description
Time/Date
Source
Level
Digest
Description
4. Click Apply.
Description
IPv4/Domain
IPv6
Loghost IP/Domain
4. Click Apply.
Description
Buffer Capacity
Set the number of logs that can be stored in the log buffer of the Web interface.
Refresh Interval
Set the refresh interval for the log information displayed on the Web interface.
You can select manual refresh or automatic refresh:
Open and view the configuration file (.cfg file or .xml file) for the next startup
Back up the configuration file (.cfg file or .xml file) for the next startup to the host of the current user
Upload the .cfg file on the host of the current user to the device for the next startup
Upload the .xml file on the host of the current user to the device for the next startup, and delete the
previous .xml configuration file that was used for the next startup
5. Click Apply.
Fast
Click the Save button at the upper right of the auxiliary area, and you can save the configuration to the
configuration file.
Common
3. Click Save Current Settings to save the current configuration to the configuration file.
Managing files
IMPORTANT:
There are different types of storage media, such as flash and compact flash (CF). Different devices support
different types of storage device. For more information, see "About the HP 830 Series PoE+ Unified
Wired-WLAN Switch and HP 10500/7500 20G Unified Wired-WLAN Module Web-Based
Configuration Guide."
The device saves critical files, such as host, software and configuration files, into the storage device, and
the system provides the file management function for the users to manage those files.
2. Select a disk from the Please select disk list on the top of the page.
3. View the used space, free space and capacity of the disk at the right of the list.
4. View all files saved in this disk (in the format of path + filename), file sizes, and the boot file types
(Main or Backup is displayed if the file is an application file, with the extension of .bin or .app).
Downloading a file
Uploading a file
IMPORTANT:
HP recommends that you do not perform any operation on the Web interface during the upgrade
procedure.
2. Select the disk to save the file in the Upload File box.
4. Click Apply.
Removing a file
NOTE:
You can also remove a file by clicking the icon.
2. Select the box to the left of an application file (with the extension of .bin or .app).
You can set one file at a time.
3. Click Set as Main Boot File to set the main boot file to be used at the next startup.
Managing interfaces
Interface management overview
An interface is the point of interaction for exchanging data between entities. There are two types of
interfaces: physical and logical. A physical interface refers to an interface that physically exists as a
hardware component, for example, Ethernet interfaces. A logical interface is an interface that can
implement data switching but does not exist physically, and must be created manually, for example,
VLAN interfaces.
You can use the interface management feature on the Web-based configuration interface to manage the
following types of interfaces:
Layer 2 Ethernet interface: Physical interface operating on the data link layer for forwarding Layer
2 protocol packets.
Management Ethernet interface: Physical interface operating on the network layer. You can
configure IP addresses for a management Ethernet interface. To manage the device, you can log in
to the device through a management Ethernet interface.
Loopback interface: A loopback interface is a software-only virtual interface. The physical layer
state and link layer protocols of a loopback interface are always up unless the loopback interface
is manually shut down. You can enable routing protocols on a loopback interface, and a loopback
interface can send and receive routing protocol packets. When you assign an IPv4 address whose
mask is not 32-bit, the system automatically changes the mask into a 32-bit mask.
Null interface: A null interface is a completely software-based logical interface, and is always up.
However, you cannot use it to forward data packets or configure an IP address or link layer protocol.
With a null interface specified as the next hop of a static route to a specific network segment, any
packets routed to the network segment are dropped. The null interface provides a simpler method of
filtering packets than an ACL. You can filter uninteresting traffic by routing it to a null interface instead of
applying an ACL.
VLAN interface: Virtual Layer 3 interface used for Layer 3 communications between VLANs. A
VLAN interface corresponds to a VLAN. You can assign an IP address to a VLAN interface and
specify it as the gateway of the corresponding VLAN to forward traffic destined for an IP network
segment different from that of the VLAN.
Virtual template (VT) interface: Template used for configuring virtual access (VA) interfaces.
With the interface management feature, you can view interface information, create/remove logical
interfaces, change interface status, and reset interface parameters.
2. Click an interface name in the Name column to display the statistics of that interface.
The page for displaying interface statistics appears.
Creating an interface
2. Click Add.
The page for creating an interface appears.
4. Click Apply.
Description
Interface Name
VID
Item
Description
MTU
Set the maximum transmission unit (MTU) of the interface.
The MTU value affects fragmentation and reassembly of IP packets.
IMPORTANT:
Support for this configuration item depends on the interface type. All Layer 3 interfaces
support MTU.
TCP MSS
Set the maximum segment size (MSS) for TCP packets on the interface.
The TCP MSS value affects fragmentation and reassembly of IP packets.
IMPORTANT:
Support for this configuration item depends on the interface type. All Layer 3 interfaces
support MTU.
IP Config
Set the way for the interface to obtain an IP address. Options include:
None: Select this option if you do not want to assign an IP address for the
interface.
Static Address: Select the option to manually assign an IP address and mask for
the interface. If this option is selected, you must set the IP Address and Mask
fields.
DHCP: Select the option for the interface to obtain an IP address through DHCP
automatically.
Unnumbered: Select this option to borrow the IP address of another interface on
the same device for the interface. If this option is selected, you must select the
interface whose IP address you want to borrow in the Unnumbered Interfaces list.
IMPORTANT:
Support for the way of obtaining an IP address depends on the interface type.
IP Address/Mask
Secondary IP Address/Mask
After selecting the Static Address option for the IP Config configuration item, you
need to set the primary IP address and mask, and secondary IP addresses and
masks for the interface.
Unnumbered Interface
If the Unnumbered option is selected as the way for the interface to obtain an IP
address, you must set the interface whose IP address is to be borrowed.
IPv6 Config
Set the way for the interface to obtain an IPv6 link-local address. Options include:
None: Select this option if you do not want to assign an IPv6 link-local address
to the interface.
Auto: Select this option for the system to automatically assign an IPv6 link-local
address to the interface.
Manual: Select this option to manually assign an IPv6 link-local address to the
interface. If this option is selected, you must set the IPv6 Link Local Address field.
Item
Description
If the Manual option is selected for the interface to obtain an IPv6 link-local address,
you must set an IPv6 link-local address for the interface.
2. Click the icon.
3. Modify the information about the Layer 2 physical interface as described in Table 33.
4. Click Apply.
Description
Port State
Enable or disable the interface.
In some cases, modification to the interface parameters does not take effect
immediately. You need to shut down and then bring up the interface to make the
modification take effect.
Item
Description
Speed
Set the transmission rate of the interface.
Available options include:
10: 10 Mbps.
100: 100 Mbps.
1000: 1000 Mbps.
Auto: Auto-negotiation.
Auto 10: The auto-negotiation rate of the interface is 10 Mbps.
Auto 100: The auto-negotiation rate of the interface is 100 Mbps.
Auto 1000: The auto-negotiation rate of the interface is 1000 Mbps.
Auto 10 100: The auto-negotiation rate of the interface is 10 Mbps or 100 Mbps.
Auto 10 1000: The auto-negotiation rate of the interface is 10 Mbps or 1000
Mbps.
Auto 100 1000: The auto-negotiation rate of the interface is 100 Mbps or 1000
Mbps.
Duplex
Auto: Auto-negotiation.
Full: Full duplex.
Half: Half duplex.
Link Type
Set the link type of the current interface, which can be access, hybrid, or trunk. For
more information, see Table 34.
IMPORTANT:
To change the link type of a port from trunk to hybrid or vice versa, you must first set its
link type to access.
PVID
Set the default VLAN ID of the hybrid or trunk port.
IMPORTANT:
The trunk ports at the two ends of a link must have the same PVID.
Item
Description
MDI
Set the Medium Dependent Interface (MDI) mode for the interface.
Two types of Ethernet cables can be used to connect Ethernet devices: crossover and
straight-through. To accommodate these two types of cables, an Ethernet interface
on the device can operate in one of the following MDI modes:
Across mode.
Normal mode.
Auto mode.
An Ethernet interface is composed of eight pins. By default, each pin has its
particular role. For example, pin 1 and pin 2 are used for transmitting signals; pin 3
and pin 6 are used for receiving signals. Pin roles are set as a result of how you set
the MDI mode:
In across mode, pin 1 and pin 2 are used for transmitting signals, and pin 3 and
pin 6 are used for receiving signals.
In auto mode, the pin roles are determined through auto negotiation.
In normal mode, pin 1 and pin 2 are used for receiving signals while pin 3 and
pin 6 are used for transmitting signals.
Configure the MDI mode depending on the cable types:
Typically, the auto mode is recommended. The other two modes are useful only
when the device cannot determine the cable types.
When straight-through cables are used, the local MDI mode must be different
from the remote MDI mode.
When crossover cables are used, the local MDI mode must be the same as the
remote MDI mode, or the MDI mode of at least one end must be set to auto.
Flow Control
If there is traffic congestion on the device on the local end after flow control is
enabled on both ends, the device sends information to notify the peer end to stop
sending packets temporarily. To avoid packet loss, the peer end and the device stop
sending packets when the device receives the information.
IMPORTANT:
Flow control can be realized only when it is enabled on both ends.
Jumbo Frame Forwarding
Item
Description
Set multicast suppression. You can suppress multicast traffic by percentage or by
PPS:
Set unicast suppression. You can suppress unicast traffic by percentage or by PPS:
Description
Access
An access port can belong to only one VLAN and is typically used to connect a user
device.
Hybrid
A hybrid port can be assigned to multiple VLANs to receive and send packets for the
VLANs. A hybrid port allows packets of multiple VLANs to pass through untagged.
Hybrid ports can be used to connect network devices and user devices.
Trunk
A trunk port can be assigned to multiple VLANs to receive and send packets for the
VLANs. A trunk port allows only packets of the default VLAN to pass through
untagged.
Trunk ports are typically used to connect network devices.
2. Click the icon.
4. Click Apply.
Description
Interface Type
Set the interface type, which can be Electrical port, Optical port, or None.
Interface Status
Display and set the interface status.
Connected indicates that the current status of the interface is up and connected.
You can click Disable to shut down the interface.
Not connected indicates that the current status of the interface is up but not
connected. You can click Disable to shut down the interface.
After you click Enable or Disable, the page displaying interface information appears.
IMPORTANT:
For an interface whose status cannot be changed, the Enable or Disable button is not
available.
Working Mode
Configuration procedure
c. Select Vlan-interface from the Interface Name list, enter the interface ID 100, select the Static
Address option in the IP Config area, enter the IP address 10.1.1.2, and select 24
(255.255.255.0) from the Mask list.
d. Click Apply.
Managing users
In the user management part, you can perform the following configuration:
Create a local user, and set the password, access level, and service type for the user.
Set the super password for switching the current Web user level to the management level.
Switch the current Web user access level to the management level.
Creating a user
1.
2.
3.
4.
Click Apply.
Description
Username
Item
Description
Access Level
Set the access level for a user. Users of different levels can perform different operations.
The following Web user levels, from low to high, are available:
Visitor: Users of this level can perform the ping and traceroute operations, but they
cannot access the device data or configure the device.
Monitor: Users of this level can only access the device data but cannot configure the
device.
Configure: Users of this level can access data on the device and configure the
device, but they cannot upgrade the host software, add/delete/modify users, or back
up/restore the application file.
Confirm Password
Enter the same password again. Otherwise, the system prompts that the two passwords
are not consistent when you apply the configuration.
Service Type
Set the service type, including Web, FTP, and Telnet services. This option is required.
Select at least one of the service types.
4. Click Apply.
Description
Set the operation type:
Create/Remove
Password
Confirm Password
Enter the same password again. Otherwise, the system prompts that the two passwords
are not consistent when you apply the configuration.
Before switching, make sure that the super password is already configured. A user cannot switch to
the management level without a super password.
The access level switchover of a user is valid for the current login only. The access level configured
for the user is not changed. When the user logs in again to the Web interface, the access level of
the user is still the original level.
4. Click Login.
Configuring SNMP
SNMP overview
Simple Network Management Protocol (SNMP) provides the communication rules between a
management device and the managed devices on the network. It defines a series of messages, methods
and syntaxes to implement access to and management of the managed devices from the management
device. SNMP hides the physical differences between devices and enables automated
management of products from different manufacturers.
An SNMP enabled network comprises the network management system (NMS) and agents.
The NMS manages agents by exchanging management information through SNMP. The NMS and
managed agents must use the same SNMP version.
SNMP agents support SNMPv1, SNMPv2c, and SNMPv3.
SNMPv1: Uses community names for authentication. To access an SNMP agent, an NMS must use
the same community name as the one that is set on the SNMP agent. If the community name used
by the NMS is different from that set on the agent, the NMS cannot establish an SNMP session to
access the agent or receive traps from the agent.
SNMPv2c: Uses community names for authentication. SNMPv2c is compatible with SNMPv1 but
supports more operation modes, data types, and error codes.
SNMPv3: Uses a user-based security model (USM) to secure SNMP communication. You can
configure authentication and privacy mechanisms to authenticate and encrypt SNMP packets for
integrity, authenticity, and confidentiality.
For more information about SNMP, see HP 830 Series PoE+ Unified Wired-WLAN Switch and HP
10500/7500 20G Unified Wired-WLAN Module Network Management and Maintenance
Configuration Guide.
Remarks
Required.
The SNMP agent function is disabled by default.
Enabling SNMP
IMPORTANT:
If SNMP agent is disabled, all SNMP agent-related configurations are
removed.
Optional.
After creating SNMP views, you can specify an SNMP view for an SNMP
group to limit the MIB objects that can be accessed by the SNMP group.
Required.
After creating an SNMP group, you can add SNMP users to the group
when creating the users. Therefore, you can realize centralized
management of users in the group through the management of the group.
Required.
Before creating an SNMP user, you need to create the SNMP group to
which the user belongs.
Optional.
Allows you to configure that the agent can send SNMP traps to the NMS,
and configure information about the target host of the SNMP traps.
By default, an agent is allowed to send SNMP traps to the NMS.
Optional.
Enabling SNMP
2. Configure SNMP settings on the upper part of the page as described in Table 40.
3. Click Apply.
Description
SNMP
Local Engine ID
The validity of a user after it is created depends on the engine ID of the SNMP
agent. If the engine ID when the user is created is not identical to the current
engine ID, the user is invalid.
Configure the maximum size of an SNMP packet that the agent can
receive/send.
Item
Description
Contact
Location
SNMP Version
3. Click Add.
The Add View window appears.
5. Click Apply.
The page in Figure 74 appears.
7. Click Add.
8. Repeat steps 6 and 7 to add more rules for the SNMP view.
9. Click Apply.
To cancel the view, click Cancel.
Description
View Name
Rule
Select to exclude or include the objects in the view range determined by the MIB
subtree OID and subtree mask.
Set the MIB subtree OID (such as 1.4.5.3.1) or name (such as system).
MIB subtree OID identifies the position of a node in the MIB tree, and it can
uniquely identify a MIB subtree.
Subtree Mask
Set the subtree mask.
If no subtree mask is specified, the default subtree mask (all Fs) will be used for
mask-OID matching.
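How the Rule, MIB subtree OID and Subtree Mask fields above combine to decide whether a MIB object is visible to an NMS, as an added Python example that is not part of the HP guide. The longest-subtree-wins selection follows RFC 3415 (VACM); the view rules and object OIDs are constructed for the demonstration.

```python
"""Added example (not from the HP guide): evaluate an SNMP view made of
include/exclude rules, each with a MIB subtree OID and an optional hex
subtree mask, against the OID of a requested object.

Matching rule: an object is in a rule's subtree if its OID is at least as
long as the subtree and agrees with it at every position whose mask bit is 1
(a 0 bit is a wildcard). When several rules match, the one with the longest
subtree decides; the default mask of all Fs means "match every position".
"""
from typing import List, Optional, Tuple

Rule = Tuple[str, str, bool]  # (subtree OID, hex mask or "" for the default, included?)


def parse_oid(oid: str) -> Tuple[int, ...]:
    """Turn "1.3.6.1.2.1" into (1, 3, 6, 1, 2, 1)."""
    return tuple(int(part) for part in oid.strip(".").split("."))


def parse_mask(mask: str, length: int) -> List[bool]:
    """Expand a hex mask such as "FF:BF" into one boolean per sub-identifier.

    An empty mask is the default "all Fs" from the table; positions beyond the
    mask's length are treated as 1 bits, as RFC 3415 specifies.
    """
    bits: List[bool] = []
    for digit in mask.replace(":", "").replace(".", ""):
        value = int(digit, 16)
        bits.extend(bool(value & (1 << shift)) for shift in (3, 2, 1, 0))
    bits.extend([True] * max(0, length - len(bits)))
    return bits[:length]


def subtree_matches(oid: Tuple[int, ...], subtree: Tuple[int, ...], mask: List[bool]) -> bool:
    """True when oid lies under subtree, honouring wildcard (0) mask bits."""
    if len(oid) < len(subtree):
        return False
    return all(not must_match or o == s for o, s, must_match in zip(oid, subtree, mask))


def object_visible(view: List[Rule], object_oid: str) -> bool:
    """Decide include/exclude for one object: most specific matching rule wins."""
    oid = parse_oid(object_oid)
    best: Optional[Tuple[Tuple[int, ...], bool]] = None
    for subtree_str, mask_str, included in view:
        subtree = parse_oid(subtree_str)
        if subtree_matches(oid, subtree, parse_mask(mask_str, len(subtree))):
            # Longer subtree wins; equal lengths go to the lexicographically greater one.
            if best is None or (len(subtree), subtree) > (len(best[0]), best[0]):
                best = (subtree, included)
    return best is not None and best[1]


# Constructed view: expose mib-2, hide the ip and interfaces groups, then re-expose
# every column of the ifTable row for ifIndex 2. The column sub-identifier is at
# zero-based position 9, so mask FF:BF (bit 6 of the second byte cleared) wildcards it.
DEMO_VIEW: List[Rule] = [
    ("1.3.6.1.2.1", "", True),                 # mib-2, included
    ("1.3.6.1.2.1.4", "", False),              # ip group, excluded
    ("1.3.6.1.2.1.2", "", False),              # interfaces group, excluded
    ("1.3.6.1.2.1.2.2.1.1.2", "FF:BF", True),  # ifEntry.<any column>.2, included
]


if __name__ == "__main__":
    for name, oid in [("sysName.0", "1.3.6.1.2.1.1.5.0"),
                      ("ipForwarding.0", "1.3.6.1.2.1.4.1.0"),
                      ("ifDescr.2", "1.3.6.1.2.1.2.2.1.2.2"),
                      ("ifDescr.3", "1.3.6.1.2.1.2.2.1.2.3")]:
        print(f"{name:15s} visible={object_visible(DEMO_VIEW, oid)}")
```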
3. Click the icon.
5. Click Apply.
NOTE:
You can modify the rules of a view in the page you enter by clicking the icon.
3. Click Add.
The Add SNMP Community page appears.
5. Click Apply.
Description
Community Name
Access Right
Read only: The NMS can perform read-only operations to the MIB objects
when it uses this community name to access the agent.
Read and write: The NMS can perform both read and write operations to
the MIB objects when it uses this community name to access the agent.
View
Specify the view associated with the community to limit the MIB objects that
can be accessed by the NMS.
ACL
Associate the community with a basic ACL to allow or prohibit the access to the
agent from the NMS with the specified source IP address.
3. Click Add.
The Add SNMP Group page appears.
5. Click Apply.
Description
Group Name
Security Level
Read View
Write View
If no write view is configured, the NMS cannot perform the write operations to all MIB
objects on the device.
Item
Description
Notify View
Select the notify view of the SNMP group. The notify view can send trap messages.
If no notify view is configured, the agent does not send traps to the NMS.
ACL
Associate a basic ACL with the group to restrict the source IP address of SNMP packets.
You can configure to allow or prohibit SNMP packets with a specific source IP address
to restrict the intercommunication between the NMS and the agent.
3. Click Add.
The Add SNMP User page appears.
5. Click Apply.
Description
User Name
Security Level
Group Name
When the security level is Auth/Priv, you can select an SNMP group
of any security level.
Authentication Mode
Item
Description
Authentication Password
Privacy Mode
Privacy Password
ACL
Associate a basic ACL with the user to restrict the source IP address of
SNMP packets. You can configure to allow or prohibit SNMP packets
with a specific source IP address, and so allow or prohibit the specified
NMS from accessing the agent by using the name of the associated user.
4. Click Apply.
5. Click Add.
The page for adding a target host of SNMP traps appears.
6. Configure the settings for the target host as described in Table 45.
7. Click Apply.
Description
Destination IP Address
Set the destination IP address or domain. Select the IP address type: IPv4/Domain or
IPv6, and then type the corresponding IP address or domain in the field according to
the IP address type.
Security Name
Set the security name, which can be an SNMPv1 community name, an SNMPv2c
community name, or an SNMPv3 user name.
UDP Port
Set the UDP port number.
IMPORTANT:
The default port number is 162, which is the SNMP-specified port used for receiving
traps on the NMS. Typically (such as using IMC or MIB Browser as the NMS), you can
use the default port number. To change this parameter to another value, you need to
make sure that the configuration is the same as the configuration on the NMS.
Security Model
Select the security model, which is the SNMP version. The model must be the same
as the model running on the NMS. Otherwise, the NMS cannot receive any trap.
Security Level
Set the authentication and privacy mode for SNMP traps when the security model is
selected as v3. The available security levels are: no authentication no privacy,
authentication but no privacy, and authentication and privacy.
d. Click Apply.
Figure 90 Creating an SNMP user
After the configuration, an SNMP connection is established between the NMS and the agent. The
NMS can get and configure the values of some parameters on the agent through MIB nodes.
If an idle interface on the agent is shut down or brought up, the NMS receives the trap
information sent by the agent.
Configuring loopback
You can check whether an Ethernet port works normally by performing the Ethernet port loopback test.
During the test the port cannot correctly forward data packets.
Ethernet port loopback test can be an internal loopback test or an external loopback test.
In an internal loopback test, a self-loop is established in the switching chip to check whether there is
a chip failure related to the functions of the port.
In an external loopback test, a self-loop header is used on the port. Packets forwarded by the port
will be received by itself through the self-loop header. The external loopback test can be used to
check whether there is a hardware failure on the port.
Configuration guidelines
When you perform a loopback test, follow these guidelines:
You can perform an internal loopback test but not an external loopback test on a port that is
physically down, while you can perform neither test on a port that is manually shut down.
The system does not allow Rate, Duplex, Cable Type, and Port Status configuration on a port under
a loopback test.
An Ethernet port operates in full duplex mode when the loopback test is performed, and restores its
original duplex mode after the loopback test.
Loopback operation
Description
External
Internal
Overview
A device maintains a MAC address table for frame forwarding. Each entry in this table indicates the
MAC address of a connected device, to which interface this device is connected and to which VLAN the
interface belongs. A MAC address table consists of two types of entries: static and dynamic. Static
entries are manually configured and never age out. Dynamic entries can be manually configured or
dynamically learned and will age out.
When a frame arrives at a port, Port A for example, the device performs the following tasks:
1.
Checks the frame for the source MAC address (MAC-SOURCE for example).
2.
When receiving a frame destined for MAC-SOURCE, the device looks up the MAC address in the MAC
address table and forwards the frame from port A.
NOTE:
Dynamically learned MAC addresses cannot overwrite static MAC address entries, but static MAC address entries can overwrite dynamically learned MAC addresses.
When forwarding a frame, the device uses the following forwarding modes based on the MAC address table:
Unicast mode: If an entry matching the destination MAC address exists, the device forwards the frame directly out of the port recorded in the entry.
Broadcast mode: If the device receives a frame with a destination address of all Fs, or no entry matches the destination MAC address, the device broadcasts the frame to all the ports except the receiving port.
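The following Python model, added here as an illustration and not part of the HP guide or the switch software, reproduces the table behaviour described above: learning the source MAC on the receiving port, aging of dynamic entries, the rule that learning cannot overwrite a static entry (which is why a static entry for a gateway or server MAC stops a spoofed frame on another port from moving it), and the unicast versus broadcast forwarding decision. Port names and the 300-second aging time are assumptions.

```python
# Added example (not from the HP guide): a small software model of the MAC
# address table. Port names and the aging time are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Tuple

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


@dataclass
class MacEntry:
    port: str
    static: bool
    learned_at: float  # seconds; unused for static entries, which never age


class MacTable:
    def __init__(self, aging_time: float = 300.0):
        self.aging_time = aging_time
        self.entries: Dict[Tuple[int, str], MacEntry] = {}  # (vlan, mac) -> entry

    def add_static(self, vlan: int, mac: str, port: str) -> None:
        """Manually configured entry: never ages out and replaces any dynamic entry."""
        self.entries[(vlan, mac)] = MacEntry(port, True, 0.0)

    def learn(self, vlan: int, mac: str, port: str, now: float) -> bool:
        """Record the source MAC of a received frame. Returns False when a static
        entry already pins this MAC, so a frame from another port cannot move it."""
        current = self.entries.get((vlan, mac))
        if current is not None and current.static:
            return False
        self.entries[(vlan, mac)] = MacEntry(port, False, now)
        return True

    def age(self, now: float) -> int:
        """Drop dynamic entries older than the aging time; returns how many were removed."""
        expired = [key for key, e in self.entries.items()
                   if not e.static and now - e.learned_at > self.aging_time]
        for key in expired:
            del self.entries[key]
        return len(expired)

    def forward(self, vlan: int, src: str, dst: str, in_port: str,
                now: float, vlan_ports: List[str]) -> List[str]:
        """Learn from the frame, then return the egress ports for it."""
        self.learn(vlan, src, in_port, now)
        entry = self.entries.get((vlan, dst))
        if dst != BROADCAST_MAC and entry is not None:
            # Unicast mode: a matching entry exists, send only out of the recorded port.
            return [entry.port]
        # Broadcast mode: all-Fs destination or unknown MAC, flood except the receiving port.
        return [p for p in vlan_ports if p != in_port]
```

Adding a static entry for the gateway MAC with add_static() pins it to the uplink port; a later learn() of the same MAC on an access port returns False and the table is unchanged, which is the property the NOTE above describes.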
(Figure residue: MAC address table example with MAC A through MAC D learned on Port 1 and Port 2.)
Select Network > MAC from the navigation tree. The system automatically displays the MAC tab,
which shows all the MAC address entries on the device.
2.
Click Add in the bottom to enter the page for creating MAC address entries.
3.
4.
Click Apply.
Description
MAC
Port
2.
3.
4.
Click Apply.
Description
No-aging
Aging Time
Configuration procedure
1.
Configuring VLANs
Overview
Ethernet is a network technology based on the Carrier Sense Multiple Access/Collision Detect
(CSMA/CD) mechanism. The medium is shared, so collisions and excessive broadcasts are common on
an Ethernet. To address this issue, virtual LAN (VLAN) was introduced to break a LAN down into
separate VLANs. VLANs are isolated from each other at Layer 2. A VLAN is a bridging domain, and all
broadcast traffic is contained within it, as shown in Figure 100.
Figure 100 A VLAN diagram (VLAN 2 and VLAN 5 spanning Switch A and Switch B, with a router between the VLANs)
You can implement VLANs based on a variety of criteria. However, the Web interface is available only for port-based VLANs, which group VLAN members by port. A port forwards traffic for a VLAN only after it is assigned to the VLAN.
For more information about VLAN, see HP 830 Series PoE+ Unified Wired-WLAN Switch and HP
10500/7500 20G Unified Wired-WLAN Module Layer 2 Configuration Guide.
Configuration guidelines
When you configure VLAN, follow these guidelines:
Some VLANs are reserved for special purposes. You cannot manually create or remove them.
Task: Remarks
1. Creating a VLAN: Required.
2. Modifying a VLAN: Required. Select either task 2 or task 3.
3. Modifying a port: Required. Select either task 2 or task 3.
1.
Select Network > VLAN from the navigation tree. The system automatically selects the VLAN tab
and enters the page shown in Figure 101.
TIP:
To easily configure a specific range of VLANs within a large number of VLANs, enter a VLAN range in the
VLAN Range field and click Select, and all undesired VLANs will be filtered out. If you click Remove, all
VLANs within this range will be deleted.
2.
3.
On the page that appears, enter the ID of the VLAN you want to create.
4.
Click Apply.
Modifying a VLAN
1.
Select Network > VLAN from the navigation tree. The system automatically selects the VLAN tab
and enters the page shown in Figure 101.
2.
Click the icon of the VLAN you want to modify to enter the page shown in Figure 103.
3.
Configure the description and port members for the VLAN as described in Table 49.
4.
Click Apply.
Item: Description
ID
Description
Port (Untagged Member, Tagged Member, Not a Member): Find the port to be modified and select the Untagged Member, Tagged Member, or Not a Member option for the port:
Untagged: Indicates that the port sends the traffic of the VLAN with the VLAN tag removed.
Tagged: Indicates that the port sends the traffic of the VLAN without removing the VLAN tag.
When you configure an access port as a tagged member of a VLAN, the link type of the port is automatically changed to hybrid.
Modifying a port
1.
2.
3.
Click the
4.
5.
Click Apply.
Item: Description
Port
Member Type (Untagged Member, Tagged Member):
Untagged: Indicates that the port sends the traffic of the VLAN with the VLAN tag removed.
Tagged: Indicates that the port sends the traffic of the VLAN without removing the VLAN tag.
When you configure a trunk port as an untagged member of multiple VLANs in bulk, the link type of the port is automatically changed to hybrid.
VLAN ID
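As an added example (not code from the guide or the switch), the following Python functions implement the Untagged, Tagged and Not a Member semantics of the membership tables above on an 802.1Q frame: an untagged member strips the tag, a tagged member keeps it, and a non-member never transmits the VLAN's traffic. The frame builder, parser and membership dictionaries are constructed for this example.

```python
# Added example (not from the HP guide): 802.1Q tag handling for port-based
# VLAN membership. Frames and membership tables here are constructed.
import struct
from typing import Optional

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def tag_frame(dst: str, src: str, vlan_id: int, ethertype: int,
              payload: bytes, pcp: int = 0) -> bytes:
    """Build an Ethernet II frame carrying an 802.1Q tag (TPID 0x8100 + 16-bit TCI)."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1 to 4094")
    tci = (pcp << 13) | vlan_id           # PCP(3 bits) | DEI(1 bit)=0 | VID(12 bits)
    return (mac_bytes(dst) + mac_bytes(src)
            + struct.pack("!HHH", ETHERTYPE_8021Q, tci, ethertype) + payload)


def parse_frame(frame: bytes):
    """Return (dst, src, vlan_id or None, ethertype, payload)."""
    dst, src = frame[:6].hex(":"), frame[6:12].hex(":")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == ETHERTYPE_8021Q:
        tci, inner_type = struct.unpack("!HH", frame[14:18])
        return dst, src, tci & 0x0FFF, inner_type, frame[18:]
    return dst, src, None, ethertype, frame[14:]


def egress(frame: bytes, membership: dict) -> Optional[bytes]:
    """Apply one port's VLAN membership to a tagged frame leaving the switch.

    membership maps VLAN ID -> "untagged" or "tagged"; a VLAN that is absent
    means "Not a Member". Returns the frame to transmit, or None to drop it.
    """
    dst, src, vlan_id, ethertype, payload = parse_frame(frame)
    role = membership.get(vlan_id)
    if role is None:
        return None                      # Not a Member: the VLAN never leaves this port
    if role == "untagged":
        # Untagged member: send the traffic with the VLAN tag removed.
        return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload
    return frame                         # Tagged member: tag kept for the next switch
```

For the trunk port in the configuration example that follows, the membership would be {1: "untagged"} for the default VLAN plus "tagged" entries for VLAN 2, VLANs 6 through 50 and VLAN 100; traffic of any other VLAN returns None and never leaves the port.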
GigabitEthernet 3/0/1 of the switch installed with an HP 10500/7500 20G unified wired-WLAN
module is connected to GigabitEthernet 1/0/1 of Switch.
Ten-GigabitEthernet 1/0/1 on both devices are access ports with VLAN 1 as their default VLAN.
Configure Ten-GigabitEthernet 1/0/1 to permit packets of VLAN 2, VLAN 6 through VLAN 50,
and VLAN 100 to pass through.
(Network diagram for the VLAN example: the AC connects to Switch through GE1/0/1.)
2.
c. Click the
d. On the page that appears, select the Untagged Member option for port Ten-GigabitEthernet
1/0/1.
e. Click Apply.
3.
c. On the page that appears, select the Tagged option, and enter VLAN IDs 2, 6-50.
Figure 110 Modifying a port
d. Click Apply. A dialog box appears asking you to confirm the operation.
e. Click OK in the dialog box.
Configuring Switch
The configuration on Switch is similar to the configuration on the module.
Configuring ARP
Overview
Introduction to ARP
The Address Resolution Protocol (ARP) is used to resolve an IP address into an Ethernet MAC address (or
physical address).
In an Ethernet LAN, a device uses ARP to resolve the IP address of the next hop to the corresponding
MAC address.
For more information about ARP, see HP 830 Series PoE+ Unified Wired-WLAN Switch and HP
10500/7500 20G Unified Wired-WLAN Module Layer 3 Configuration Guide.
Determine whether its IP address is already used by another device. If the IP address is already used,
the device will be informed of the conflict by an ARP reply.
Select Network > ARP Management from the navigation tree to enter the default ARP Table page
shown in Figure 111.
2.
Click Add .
The New Static ARP Entry page appears.
3.
4.
Click Apply.
Item: Description
IP Address
MAC Address
Advanced Options (VLAN ID, Port): Enter a VLAN ID and specify a port for the static ARP entry. The VLAN ID must be the ID of a VLAN that has already been created, and the port must belong to that VLAN. The corresponding VLAN interface must have been created.
Select Network > ARP Management from the navigation tree to enter the default ARP Table page
shown in Figure 111.
2.
3.
Description
Item
Description
Enable the device to send gratuitous ARP packets when it receives ARP
requests from another network segment.
Disabled by default.
Configuration procedure
1.
2.
3.
4.
ARP detection
The ARP detection feature enables access devices to block ARP packets from unauthorized clients to prevent user spoofing and gateway spoofing attacks.
ARP detection provides the following functions:
User validity check: The device compares the sender IP and MAC addresses of a received ARP packet against the static IP source guard binding entries, DHCP snooping entries, 802.1X security entries, or OUI MAC addresses. If no match is found, the ARP packet is discarded.
ARP packet validity check: The device does not check ARP packets received from an ARP trusted port. Upon receiving an ARP packet from an ARP untrusted port, the device checks the ARP packet based on the source MAC address, destination MAC address, or source and destination IP addresses. ARP packets that fail the check are discarded.
For more information about ARP detection, see HP 830 Series PoE+ Unified Wired-WLAN Switch and HP 10500/7500 20G Unified Wired-WLAN Module Security Configuration Guide.
Select Network > ARP Anti-Attack from the navigation tree to enter the default ARP Detection page
shown in Figure 119.
2.
3.
Click Apply.
Item: Description
VLAN Settings: Select VLANs on which ARP detection is to be enabled. To add VLANs to the Enabled VLANs list box, select one or multiple VLANs from the Disabled VLANs list box and click the << button. To remove VLANs from the Enabled VLANs list box, select one or multiple VLANs from the list box and click the >> button.
Trusted Ports: Select trusted ports and untrusted ports. To add ports to the Trusted Ports list box, select one or multiple ports from the Untrusted Ports list box and click the << button. To remove ports from the Trusted Ports list box, select one or multiple ports from the list box and click the >> button.
Item: Description
ARP Packet Validity Check: Select the ARP packet validity check mode:
Discard the ARP packet whose sender MAC address is different from the source MAC address in the Ethernet header.
Discard the ARP packet whose target MAC address is all 0s, all 1s, or inconsistent with
Discard the ARP request whose source IP address is all 0s, all 1s, or a multicast address, and discard the ARP reply whose source and destination IP addresses are all 0s, all 1s, or multicast addresses.
ARP packet validity check takes precedence over user validity check. If none of the ARP packet validity check modes are selected, the system does not check the validity of ARP packets.
2.
3.
4.
Click Apply.
Item: Description
Source MAC Address Attack Detection, Detection Mode: Select the detection mode for source MAC address based ARP attack detection. In the first mode, the device generates an alarm and filters out ARP packets sourced from a MAC address if the number of ARP packets received from the MAC address within five seconds exceeds the specified value. In the second mode, the device only generates an alarm if the number of ARP packets sent from a MAC address within five seconds exceeds the specified value.
Aging Time: Enter the aging time of the source MAC address based ARP attack detection entries.
Threshold: Enter the threshold of source MAC address based ARP attack detection.
Protected MAC Configuration: To add a protected MAC address:
1.
2.
3. Click Add.
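The following Python code is an added example, not part of the guide or the switch implementation, that models both ARP anti-attack features described above: the ARP packet validity checks (sender MAC against the Ethernet source MAC, the target MAC of replies, and all-0s, all-1s or multicast IP addresses) and source MAC address based attack detection with a threshold over a five-second window, protected MAC addresses and aging of detection entries. The frame builder and parser are helpers written for the example; comparing a reply's target MAC with the Ethernet destination MAC, the mode names "filter" and "monitor", and the default threshold of 30 are assumptions. Tagged ARP frames are not handled.

```python
# Added example (not from the HP guide): ARP packet validity check and
# source MAC based ARP attack detection. Mode names, the default threshold
# and the reply target-MAC comparison are assumptions.
import struct
from collections import defaultdict, deque

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ZERO_MAC, BCAST_MAC = "00:00:00:00:00:00", "ff:ff:ff:ff:ff:ff"


def build_arp(eth_dst, eth_src, op, sha, spa, tha, tpa) -> bytes:
    """Ethernet II + ARP (IPv4 over Ethernet) frame, constructed for the example."""
    def mac(m): return bytes.fromhex(m.replace(":", ""))
    def ip(a): return bytes(int(x) for x in a.split("."))
    return (mac(eth_dst) + mac(eth_src) + struct.pack("!H", ETHERTYPE_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac(sha) + ip(spa) + mac(tha) + ip(tpa))


def parse_arp(frame: bytes) -> dict:
    eth_dst, eth_src = frame[:6].hex(":"), frame[6:12].hex(":")
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP encoding")
    return {"eth_dst": eth_dst, "eth_src": eth_src, "op": op,
            "sha": frame[22:28].hex(":"), "spa": ".".join(map(str, frame[28:32])),
            "tha": frame[32:38].hex(":"), "tpa": ".".join(map(str, frame[38:42]))}


def _invalid_ip(ip: str) -> bool:
    """All 0s, all 1s, or an IPv4 multicast address (224.0.0.0/4)."""
    return ip in ("0.0.0.0", "255.255.255.255") or 224 <= int(ip.split(".")[0]) <= 239


def validity_check(p: dict, src_mac=True, dst_mac=True, ip=True):
    """Return None if the packet passes the enabled checks, else the reason to discard it."""
    if src_mac and p["sha"] != p["eth_src"]:
        return "sender MAC differs from Ethernet source MAC"
    if dst_mac and p["op"] == ARP_REPLY and (
            p["tha"] in (ZERO_MAC, BCAST_MAC) or p["tha"] != p["eth_dst"]):
        # Applied to replies only: a request legitimately carries an all-0s target MAC.
        return "reply target MAC is all 0s, all 1s or differs from Ethernet destination MAC"
    if ip:
        if p["op"] == ARP_REQUEST and _invalid_ip(p["spa"]):
            return "request sender IP is all 0s, all 1s or multicast"
        if p["op"] == ARP_REPLY and (_invalid_ip(p["spa"]) or _invalid_ip(p["tpa"])):
            return "reply sender or target IP is all 0s, all 1s or multicast"
    return None


class SourceMacDetector:
    """Count ARP frames per source MAC over a sliding 5-second window. Above the
    threshold, "filter" mode raises an alarm and drops the MAC's ARP traffic while
    its detection entry lives; "monitor" mode only raises the alarm. Protected MACs
    (e.g. the gateway) are exempt; detection entries age out after aging_time."""
    WINDOW = 5.0

    def __init__(self, threshold=30, mode="filter", aging_time=300.0, protected=()):
        self.threshold, self.mode, self.aging_time = threshold, mode, aging_time
        self.protected = set(protected)
        self.history = defaultdict(deque)   # mac -> arrival times inside the window
        self.offenders = {}                 # mac -> time the detection entry was created
        self.alarms = []

    def process(self, p: dict, now: float) -> str:
        for mac, t in list(self.offenders.items()):
            if now - t > self.aging_time:
                del self.offenders[mac]     # entry aged out, MAC is no longer filtered
        mac = p["eth_src"]
        if mac in self.protected:
            return "forward"
        q = self.history[mac]
        q.append(now)
        while q and now - q[0] > self.WINDOW:
            q.popleft()
        if len(q) > self.threshold and mac not in self.offenders:
            self.offenders[mac] = now
            self.alarms.append((now, mac))
        if mac in self.offenders and self.mode == "filter":
            return "drop"
        return "forward"
```

Run validity_check() on every ARP frame from an untrusted port and discard it when a reason is returned; pass the surviving frames to SourceMacDetector.process(), which returns "drop" only in filter mode and only while the source MAC has an active detection entry.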
IGMP snooping sends Layer 2 multicast packets to the intended receivers only. This mechanism provides
the following advantages:
For more information about IGMP snooping, see HP 830 Series PoE+ Unified Wired-WLAN Switch and
HP 10500/7500 20G Unified Wired-WLAN Module IP Multicast Configuration Guide.
Step: Remarks
1. Enabling IGMP snooping globally: Required. By default, IGMP snooping is disabled.
2. Configuring IGMP snooping in a VLAN: Required. Enable IGMP snooping in the VLAN and configure the IGMP snooping version and querier feature.
3. Configuring advanced IGMP snooping features on a port: Optional. Configure the maximum number of multicast groups allowed and the fast leave function for ports in the specified VLAN.
IMPORTANT:
4. Displaying IGMP snooping multicast entries: Optional.
Select Network > IGMP snooping from the navigation tree to enter the basic configuration page
shown in Figure 123.
2.
Click the icon corresponding to the VLAN to enter the page where you can configure IGMP snooping in the VLAN, as shown in Figure 124.
3.
4.
Click Apply.
Item: Description
VLAN ID
IGMP snooping
Version: IGMP snooping version 2 can process IGMPv1 and IGMPv2 messages, but not IGMPv3 messages, which will be flooded in the VLAN.
Drop Unknown: With the function of dropping unknown multicast data enabled, the device drops all received unknown multicast data. With the function disabled, the device floods unknown multicast data in the VLAN to which the unknown multicast data belong.
Item: Description
Querier: Enable or disable the IGMP snooping querier function. On a network without Layer 3 multicast devices, no IGMP querier-related function can be implemented because a Layer 2 device does not support IGMP. To implement IGMP querier-related functions, you can enable IGMP snooping querier on a Layer 2 device so that the device can generate and maintain multicast forwarding entries at the data link layer.
Query interval
Select Network > IGMP snooping from the navigation tree to enter the basic configuration page.
2.
3.
4.
Click Apply.
Item: Description
Port: Select the port on which advanced IGMP snooping features are to be configured. After a port is selected, the advanced features configured on this port are displayed at the lower part of the page.
Item: Description
VLAN ID: Specify a VLAN in which you can configure the fast leave function for the port or the maximum number of multicast groups allowed on the port.
Group Limit: Configure the maximum number of multicast groups that the port can join. With this feature, you can regulate multicast traffic on the port.
IMPORTANT:
When the number of multicast groups a port has joined reaches the configured threshold, the system deletes all the forwarding entries persistent on that port from the IGMP snooping forwarding table, and the hosts on the port must join the multicast groups again.
Support for the maximum number of multicast groups that a port can join may vary depending on your device model. For more information, see "About the HP 830 Series PoE+ Unified Wired-WLAN Switch and HP 10500/7500 20G Unified Wired-WLAN Module Web-Based Configuration Guide."
Fast Leave: When receiving an IGMP leave message on a port with the fast leave function enabled, the device immediately deletes that port from the outgoing port list of the corresponding forwarding table entry. Then, when receiving IGMP group-specific queries for that multicast group, the device does not forward them to that port. In VLANs where only one host is attached to each port, the fast leave function helps improve bandwidth and resource usage.
IMPORTANT:
When one host leaves a multicast group with fast leave enabled on a port to which more than one host is attached, the other hosts listening to the same multicast group will fail to receive multicast data.
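The following Python class, added here as an example and not taken from the guide or the device software, models the IGMP snooping forwarding table so that the behaviours in the table above can be traced: router ports, Drop Unknown versus flooding in the VLAN, fast leave removing a port without a group-specific query, and the group limit flushing every entry on the port. Port names are assumptions, and the guide's "reaches the configured threshold" is interpreted here as a join that would exceed the configured maximum.

```python
# Added example (not from the HP guide): a software model of the IGMP snooping
# forwarding table. Port names are assumptions; the group limit is applied to
# the join that would exceed the configured maximum.
class IgmpSnooping:
    def __init__(self):
        self.router_ports = {}   # vlan -> set of ports toward the IGMP querier/router
        self.entries = {}        # (vlan, group) -> set of member ports
        self.fast_leave = set()  # (vlan, port) pairs with fast leave enabled
        self.group_limit = {}    # (vlan, port) -> maximum number of groups

    def add_router_port(self, vlan: int, port: str) -> None:
        self.router_ports.setdefault(vlan, set()).add(port)

    def _groups_on(self, vlan: int, port: str) -> set:
        return {g for (v, g), ports in self.entries.items() if v == vlan and port in ports}

    def _remove_member(self, vlan: int, group: str, port: str) -> None:
        ports = self.entries.get((vlan, group))
        if ports is not None:
            ports.discard(port)
            if not ports:
                del self.entries[(vlan, group)]   # last member gone: entry removed

    def report(self, vlan: int, port: str, group: str) -> bool:
        """IGMP membership report (join) received on port. Returns False when the
        group limit is hit, in which case every entry on that port is flushed and
        the hosts behind it must join again."""
        joined = self._groups_on(vlan, port)
        limit = self.group_limit.get((vlan, port))
        if limit is not None and group not in joined and len(joined) >= limit:
            for g in joined:
                self._remove_member(vlan, g, port)
            return False
        self.entries.setdefault((vlan, group), set()).add(port)
        return True

    def leave(self, vlan: int, port: str, group: str) -> str:
        """IGMP leave received on port. With fast leave the port is removed at once and
        no group-specific query is sent to it; otherwise the port stays until the
        query for that group times out (see query_timeout)."""
        if (vlan, port) in self.fast_leave:
            self._remove_member(vlan, group, port)
            return "removed"
        return "group-specific query sent"

    def query_timeout(self, vlan: int, port: str, group: str) -> None:
        """No report answered the group-specific query: remove the port."""
        self._remove_member(vlan, group, port)

    def egress(self, vlan: int, group: str, in_port: str,
               drop_unknown: bool = True, vlan_ports=()) -> set:
        """Egress ports for multicast data to group that arrived on in_port."""
        members = self.entries.get((vlan, group))
        if members is None:
            # Unknown group: dropped with Drop Unknown enabled, otherwise flooded in the VLAN.
            return set() if drop_unknown else set(vlan_ports) - {in_port}
        return (members | self.router_ports.get(vlan, set())) - {in_port}
```

The fast leave caveat in the IMPORTANT note shows up directly in this model: two hosts behind the same port share one entry, so leave() from either host removes the port for both.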
Select Network > IGMP snooping from the navigation tree to enter the basic configuration page
shown in Figure 123.
2.
Click the plus sign (+) in front of Show Entries to display IGMP snooping multicast entries, as shown
in Figure 126.
3.
Click the icon corresponding to an entry to display the detailed information of the entry, as shown in Figure 127.
Description
VLAN ID
Source
Group
Router port
Member port
As shown in Figure 128, a switch installed with an HP 10500/7500 20G unified wired-WLAN module serves as the AC. Router A connects to a multicast source (Source) through Ethernet 1/2, and to the switch through Ethernet 1/1.
The multicast source sends multicast data to group 224.1.1.1. Host A is a receiver of the multicast group.
The function of dropping unknown multicast packets is enabled on the AC to prevent it from flooding multicast packets in the VLAN if no corresponding Layer 2 forwarding entry exists.
The fast leave function is enabled for Ten-GigabitEthernet 1/0/1 on the AC to improve bandwidth and resource usage.
Configuring IP addresses
Configure the IP address for each interface, as shown in Figure 128. (Details not shown.)
Configuring Router A
Enable IP multicast routing, enable PIM-DM on each interface, and enable IGMP on Ethernet 1/1.
(Details not shown.)
Configuring the AC
1.
2.
b. Select the Untagged Member option for Ten-GigabitEthernet 1/0/1, as shown in Figure 130.
c. Click Apply.
Figure 130 Adding a port to the VLAN
3.
4.
Enable IGMP snooping and enable the function for dropping unknown multicast data on VLAN 1:
a. Click the
b. On the page that appears, select the Enable option for IGMP Snooping, select the 2 option for
Version, and select the Enable option for Drop Unknown.
c. Click Apply.
Figure 132 Configuring the VLAN
5.
b. Select GigabitEthernet 1/0/2 from the Port list, enter the VLAN ID 100, and select the Enable
option for Fast Leave.
c. Click Apply.
Figure 133 Configuring advanced settings
Select Network > IGMP snooping from the navigation tree to enter the basic configuration page.
2.
Click the plus sign (+) in front of Show Entries to view IGMP snooping multicast entries, as shown
in Figure 134.
3.
Click the icon corresponding to the multicast entry to view information about this entry, as shown in Figure 135. The page shows that Ten-GigabitEthernet 1/0/1 of the AC is added to multicast group 224.1.1.1.
Overview
Upon receiving a packet, a router determines the optimal route based on the destination address and
forwards the packet to the next router in the path. When the packet reaches the last router, it forwards the
packet to the destination host. Routing provides the path information that guides the forwarding of
packets.
A router selects optimal routes from the routing table, and sends them to the forwarding information base
(FIB) table to guide packet forwarding. Each router maintains a routing table and a FIB table.
Static routes are manually configured. If a network's topology is simple, you only need to configure static
routes for the network to work correctly. Static routes cannot adapt to network topology changes. If a fault
or a topological change occurs in the network, the network administrator must modify the static routes
manually.
For more information about routing table and static routing, see HP 830 Series PoE+ Unified
Wired-WLAN Switch and HP 10500/7500 20G Unified Wired-WLAN Module Layer 3 Configuration
Guide.
Configuration guidelines
When you configure a static route, follow these guidelines:
1.
If you do not specify the preference when you configure a static route, the default preference is
used. Reconfiguration of the default preference applies only to newly created static routes. The
Web interface does not support configuration of the default preference.
2.
When you configure a static route, the static route does not take effect if you specify the next hop
address first and then configure it as the IP address of a local interface, such as an Ethernet
interface and VLAN interface.
3.
When specifying the output interface, note the following guidelines:
If NULL 0 or a loopback interface is specified as the output interface, you do not need to
configure the next hop address.
If a point-to-point interface is specified as the output interface, you do not need to specify the
next hop or change the configuration after the peer address has changed. For example, a PPP
interface obtains the peer's IP address through PPP negotiation, and you only need to specify it
as the output interface.
If the output interface is an NBMA or P2MP interface, which supports point-to-multipoint
networks, the IP address-to-link layer address mapping must be established. Therefore, HP
recommends that you specify the next hop IP address when you configure it as the output
interface.
If you want to specify a broadcast interface (such as an Ethernet interface, virtual template, or
VLAN interface) as the output interface, which may have multiple next hops, you must specify
the next hop at the same time.
Item: Description
Destination IP Address / Mask: Destination IP address and subnet mask of the IPv4 route.
Protocol: Protocol that discovered the IPv4 route.
Preference: Preference value for the IPv4 route. The smaller the number, the higher the preference.
Next Hop
Interface: Outgoing interface of the IPv4 route. Packets destined for the specified network segment will be sent out of the interface.
2.
3.
4.
Click Apply.
Item: Description
Destination IP Address
Mask
Preference: For example, specifying the same preference for multiple static routes to the same destination enables load sharing on the routes, while specifying different preferences enables route backup.
Next Hop
Interface: You can select any available Layer 3 interface of the device, for example, a virtual interface. If you select NULL 0, the destination IP address is unreachable. If you select this option, leave the Next Hop field blank. Otherwise, your configuration does not take effect.
Item: Description
Destination IP Address / Prefix Length: Destination IP address and prefix length of the IPv6 route.
Protocol: Protocol that discovered the IPv6 route.
Preference: Preference value for the IPv6 route. The smaller the number, the higher the preference.
Next Hop
Interface
2.
3.
4.
Click Apply.
Item: Description
Destination IP Address: Enter the destination host or network IP address, in the X:X::X:X format. The 128-bit destination IPv6 address is a hexadecimal address with eight parts separated by colons (:). Each part is represented by a 4-digit hexadecimal integer.
Prefix Length
Preference: For example, specifying the same preference for multiple static routes to the same destination enables load sharing on the routes, while specifying different preferences for them enables route backup.
Next Hop: Enter the next hop address, in the same format as the destination IP address.
Interface: Select the outgoing interface. You can select any available Layer 3 interface of the device, for example, a virtual interface. If you select NULL 0, the destination IPv6 address is unreachable.
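The following Python code is an added example, not from the guide or the device software, that applies the static route rules from the IPv4 and IPv6 tables above to a small routing table: longest prefix match, then lowest preference value; equal-preference routes to the same destination are returned together (load sharing), while a higher-preference route is used only when the preferred route's output interface is down (route backup); NULL 0 accepts no next hop and makes the destination unreachable; Ethernet and VLAN interfaces require a next hop. The ipaddress module lets one implementation serve both address families. The default preference of 60 and the interface names are assumptions.

```python
# Added example (not from the HP guide): static route selection with preference,
# load sharing, backup and NULL 0. The default preference and interface names
# are assumptions.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

DEFAULT_PREFERENCE = 60   # assumed default; the Web interface does not expose it


@dataclass(frozen=True)
class StaticRoute:
    network: object              # ipaddress.IPv4Network or ipaddress.IPv6Network
    next_hop: Optional[str]
    interface: str
    preference: int = DEFAULT_PREFERENCE


class StaticRib:
    def __init__(self):
        self.routes: List[StaticRoute] = []
        self.down_interfaces = set()   # routes over these interfaces are inactive

    def add(self, dest: str, next_hop: Optional[str], interface: str,
            preference: int = DEFAULT_PREFERENCE) -> StaticRoute:
        net = ipaddress.ip_network(dest, strict=False)
        if interface == "NULL 0":
            if next_hop is not None:
                raise ValueError("NULL 0 takes no next hop; leave Next Hop blank")
        elif next_hop is None:
            # Ethernet and VLAN interfaces are broadcast interfaces that may have
            # several next hops, so the next hop must be given together with them.
            raise ValueError(f"a next hop is required for {interface}")
        elif ipaddress.ip_address(next_hop).version != net.version:
            raise ValueError("next hop and destination must be the same IP version")
        route = StaticRoute(net, next_hop, interface, preference)
        self.routes.append(route)
        return route

    def lookup(self, addr: str) -> List[StaticRoute]:
        """Active routes for addr: longest prefix first, then lowest preference. More
        than one route means load sharing; a real forwarder hashes each flow onto one."""
        ip = ipaddress.ip_address(addr)
        usable = [r for r in self.routes
                  if ip.version == r.network.version and ip in r.network
                  and r.interface not in self.down_interfaces]
        if not usable:
            return []
        longest = max(r.network.prefixlen for r in usable)
        usable = [r for r in usable if r.network.prefixlen == longest]
        best = min(r.preference for r in usable)
        return [r for r in usable if r.preference == best]

    def reachable(self, addr: str) -> bool:
        """A NULL 0 route matches but black-holes the destination."""
        chosen = self.lookup(addr)
        return bool(chosen) and any(r.interface != "NULL 0" for r in chosen)
```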
Configuration outlines
1.
2.
On Switch B, configure one static route with Switch A as the next hop and the other with AC as the
next hop.
3.
Configuration procedure
1.
Configure a default route with the next hop address 1.1.4.2 on Switch A.
2.
Configure two static routes on Switch B: one with destination address 1.1.2.0/24 and next hop
address 1.1.4.1, and the other with destination address 1.1.3.0/24 and next hop address
1.1.5.6.
3.
2.
Ping Host B from Host A (assuming both hosts run Windows XP):
C:\Documents and Settings\Administrator>ping 1.1.3.2
(Network diagram for the IPv6 static route example, recovered from the figure: Host A 1::2/64; Vlan-int100 1::1/64; Vlan-int200 4::1/64; Vlan-int300 5::1/64 and 5::2/64; Vlan-int500 3::1/64; Host B 3::2/64; devices Switch A, Switch B, AC, and AP.)
Configuration outlines
1.
2.
On Switch B, configure one static route with Switch A as the next hop and the other with AC as the
next hop.
3.
Configuration procedure
1.
Configure a default route with the next hop address 4::2 on Switch A.
2.
Configure two static routes on Switch B: one with destination address 1::/64 and next hop
address 4::1, and the other with destination address 3::/64 and next hop address 5::1.
3.
2. Ping Host B from Host A. The ping succeeds, with reply times of about 62 to 63 ms.
DHCP overview
The Dynamic Host Configuration Protocol (DHCP) provides a framework to assign configuration information to network devices.
DHCP uses the client/server model. Figure 144 shows a typical DHCP application.
Figure 144 A typical DHCP application
A DHCP client can obtain an IP address and other configuration parameters from a DHCP server on another subnet through a DHCP relay agent.
Figure 145 DHCP relay agent application (DHCP clients on one subnet reach the DHCP server across an IP network through the DHCP relay agent)
After the DHCP client is enabled on an interface, the interface can dynamically obtain an IP address and other configuration parameters from the DHCP server. This facilitates configuration and centralized management. For more information about the DHCP client configuration, see "Managing interfaces."
For more information about DHCP, see HP 830 Series PoE+ Unified Wired-WLAN Switch and HP 10500/7500 20G Unified Wired-WLAN Module Layer 3 Configuration Guide.
2. Untrusted: An untrusted port discards the DHCP-ACK or DHCP-OFFER messages received from any DHCP server.
Step: Remarks
1. Enabling DHCP: Required.
2. Required.
IMPORTANT: If the DHCP server and DHCP clients are on the same subnet, make sure the address pool is on the same network segment as the interface with the DHCP server enabled. Otherwise, the clients will fail to obtain IP addresses.
3. Optional. When receiving a client's request on an interface with the DHCP server enabled, the DHCP server will assign an IP address from its address pool to the DHCP client.
4. Optional.
Enabling DHCP
1.
Select Network > DHCP from the navigation tree to enter the default DHCP Server page shown
in Figure 146.
2.
Select the Enable option on the upper part of the page to enable DHCP globally.
Select Network > DHCP from the navigation tree to enter the default DHCP Server page shown
in Figure 146.
2.
Select the Static option in the Address Pool field to view all static address pools.
3.
Click Add.
4.
5.
Click Apply.
Item: Description
IP Pool Name
IP Address, Mask: Enter an IP address and select a subnet mask for the static address pool. The IP address cannot be the IP address of any interface on the DHCP server. Otherwise, an IP address conflict may occur and the bound client cannot obtain an IP address correctly. You can enter a mask length or a mask in dotted decimal notation.
Client MAC Address, Client ID: Configure the client MAC address or the client ID for the static address pool.
IMPORTANT: The client ID must be identical to the ID of the client to be bound. Otherwise, the client cannot obtain an IP address.
Domain Name: Enter the domain name suffix for the client. With the suffix assigned, the client only needs to enter part of a domain name, and the system adds the domain name suffix for name resolution.
Gateway Address: Enter the gateway addresses for the client. A DHCP client that wants to access an external host needs to send requests to a gateway. You can specify gateways in each address pool and the DHCP server will assign gateway addresses while assigning an IP address to the client. Up to eight gateways can be specified in a DHCP address pool, separated by commas.
DNS Server Address: Enter the DNS server addresses for the client. To allow the client to access a host on the Internet through DNS, you need to specify a DNS server address. Up to eight DNS servers can be specified in a DHCP address pool, separated by commas.
WINS Server Address: Enter the WINS server addresses for the client. If b-node is specified for the client, you do not need to specify any WINS server address. Up to eight WINS servers can be specified in a DHCP address pool, separated by commas.
Select Network > DHCP from the navigation tree to enter the default DHCP Server page shown
in Figure 146.
2.
Select the Dynamic option in the Address Pool field to view all dynamic address pools.
3.
Click Add.
4.
5.
Click Apply.
Item: Description
IP Pool Name
IP Address, Mask: Enter an IP address segment for dynamic allocation. To avoid address conflicts, the DHCP server excludes the IP addresses used by gateways or FTP servers from dynamic allocation.
Lease Duration
Domain Name: With the suffix assigned, the client only needs to enter part of a domain name, and the system will add the domain name suffix for name resolution.
Gateway Address: Enter the gateway addresses for the client. DHCP clients that want to access hosts outside the local subnet request gateways to forward data. You can specify gateways in each address pool for clients and the DHCP server will assign gateway addresses while assigning an IP address to the client.
DNS Server Address: To allow the client to access a host on the Internet via the host name, you need to specify DNS server addresses. Up to eight DNS servers can be specified in a DHCP address pool, separated by commas.
WINS Server Address: Enter the WINS server addresses for the client. If b-node is specified for the client, you do not need to specify any WINS server address. Up to eight WINS servers can be specified in a DHCP address pool, separated by commas.
Select Network > DHCP from the navigation tree to enter the default DHCP Server page shown in Figure 146.
2. Click the icon next to a specific interface to enter the page shown in Figure 149.
3.
4. Click Apply.
Select Network > DHCP > DHCP Server from the navigation tree to enter the page, as shown
in Figure 146.
2.
Click Addresses in Use in the Address In Use field at the bottom of the page to view information about the IP addresses assigned from the address pool.
Description
IP Address
Assigned IP address.
Pool Name
Lease Expiration
Step: Remarks
1. Enabling DHCP and configuring advanced parameters for the DHCP relay agent: Required. Enable DHCP globally and configure advanced DHCP parameters. By default, global DHCP is disabled.
2. Required.
3. An interface cannot serve as both the DHCP server and the DHCP relay agent. The most recent configuration takes effect.
4. Optional. Create a static IP-to-MAC binding, and view static and dynamic bindings.
2.
3.
4.
Click Display Advanced Configuration to expand the advanced DHCP relay agent configuration
field, as shown in Figure 152.
5.
Configure the advanced DHCP relay agent parameters as described in Table 65.
6.
Click Apply. You must also click Apply for enabling the DHCP service.
Item: Description
Unauthorized Server Detect: Enable or disable unauthorized DHCP server detection. Unauthorized DHCP servers on a network reply to DHCP clients with incorrect IP addresses. When this feature is enabled, the DHCP relay agent records the IP address of any DHCP server that assigned an IP address to a DHCP client, together with the receiving interface, when it receives a DHCP request. The administrator can use this information to monitor unauthorized DHCP servers and take subsequent action. The device creates a record once for each DHCP server for the administrator to determine unauthorized DHCP servers. After the information of recorded DHCP servers is cleared, the relay agent records server information again.
Dynamic Bindings Refresh, Track Timer Interval: Enable or disable periodic refresh of dynamic client entries, and set the refresh interval. Through the DHCP relay agent, a DHCP client sends a DHCP-RELEASE unicast message to the DHCP server to relinquish its IP address. The DHCP relay agent conveys the message to the DHCP server but does not remove the IP address from its dynamic client entries. To solve this problem, use the periodic refresh of dynamic client entries feature. When this feature is enabled, the DHCP relay agent uses the IP address of a client and the MAC address of the DHCP relay agent interface to periodically send a DHCP-REQUEST message to the DHCP server:
If the server returns a DHCP-ACK message or does not return any message within a specified interval, which means that the IP address is assignable, the DHCP relay agent ages out the client entry.
If the server returns a DHCP-NAK message, which means the IP address is still in use, the relay agent does not age it out.
If the Auto option is selected, the refresh interval is calculated by the relay agent according to the number of client entries.
2.
Click the DHCP Relay tab to enter the page shown in Figure 151.
3.
4.
5.
Click Apply.
Item: Description
Server Group ID: Enter the ID of a DHCP server group. You can create up to 20 DHCP server groups.
IP Address: Enter the IP address of a server in the DHCP server group. The server IP address cannot be on the same subnet as the IP address of the DHCP relay agent. Otherwise, the client cannot obtain an IP address.
2.
Click the DHCP Relay tab to enter the page shown in Figure 151.
3.
4.
5.
Click Apply.
Item: Description
Interface Name
DHCP Relay: If the DHCP relay agent is disabled, the DHCP server is enabled on the interface.
Address Check: Enable or disable IP address check. With this function enabled, the DHCP relay agent checks whether a requesting client's IP and MAC addresses match a binding (dynamic or static) on the DHCP relay agent. If not, the client cannot access outside networks via the DHCP relay agent. This prevents invalid IP address configuration.
Server Group ID: Correlate the interface with a DHCP server group. A DHCP server group can be correlated with multiple interfaces.
2.
Click the DHCP Relay tab to enter the page shown in Figure 151.
3.
In the User Information field, click User Information to view static and dynamic bindings.
4.
Click Add.
5.
6.
Click Apply.
Description
IP Address
MAC Address
Interface Name
The interface of a static binding entry must be configured as a DHCP relay agent.
Otherwise, address entry conflicts may occur.
Step: Remarks
1. Enabling DHCP snooping: Required. By default, DHCP snooping is disabled.
2. Required. Specify an interface as trusted and configure DHCP snooping to support Option 82.
3. Optional. Display clients' IP-to-MAC bindings recorded by DHCP snooping.
2.
Click the DHCP Snooping tab to enter the page shown in Figure 157.
3.
4.
5.
Click Apply.
Description
Interface Name
Item
Description
Interface State
Option 82 Support
Option 82 Strategy
2.
Click the DHCP Snooping tab to enter the page shown in Figure 157.
3.
Click User Information to enter the DHCP snooping user information page, as shown in Figure
159.
4.
View clients' IP-to-MAC bindings recorded by DHCP snooping as described in Table 70.
Table 70 items:
IP Address: This field displays the IP address assigned by the DHCP server to the client.
MAC Address
Type
Interface Name: This field displays the device interface to which the client is connected.
VLAN
Network diagram (recovered from the figure): Host (DHCP client), AP (DHCP client), AC (DHCP server).
Configuration procedure
1. Enable DHCP:
a. Select Network > DHCP from the navigation tree to enter the default DHCP Server page.
b. Select the Enable option for DHCP Service.
2. Enable the DHCP server on VLAN-interface 2 (this operation can be omitted because the DHCP server is enabled on the interface by default):
a. In the Interface Config field, click the icon of VLAN-interface 2.
3. Configure a dynamic address pool for the DHCP server, as shown in Figure 163.
Figure 163 Configuring a dynamic address pool for the DHCP server
Configuration procedure
Because the DHCP relay agent and server are on different subnets, you must configure a static route or dynamic routing protocol so they can communicate.
1. Enable DHCP:
a. Select Network > DHCP from the navigation tree.
b. Click the DHCP Relay tab.
c. Select the Enable option for DHCP Service.
d. Click Apply.
2. Configure DHCP server group 1.
3. Enable the DHCP relay agent on VLAN-interface 1 and correlate it with the server group:
a. In the Interface Config field, click the icon of VLAN-interface 1.
b. Select the Enable option for DHCP Relay, and select 1 for Server Group ID.
c. Click Apply.
Figure 167 Enabling the DHCP relay agent on an interface and correlating it with a server group
Configure the AC to record clients' IP-to-MAC address bindings in DHCP-REQUEST messages and
DHCP-ACK messages received from a trusted port.
Network diagram (recovered from the figure): Host (DHCP client), AP (DHCP client), AC (DHCP snooping; port GE3/0/2), DHCP server.
Configuration procedure
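The two mechanisms described above, the DHCP snooping binding table built from trusted-port DHCP-ACK messages and the relay agent's IP address check against those bindings, as an added example that is not the guide's or the AC's own code; message fields, interface names and addresses are constructed:

```python
"""DHCP snooping bindings and the relay agent's IP address check.
Added example, not code from the HP guide or the AC: it models the
behaviour described above, recording a client's IP-to-MAC binding from a
DHCP-REQUEST/DHCP-ACK exchange only when the ACK arrives on a trusted
port, and then letting the address check admit only client traffic whose
IP and MAC match a dynamic or static binding.  Message fields, port names
and addresses are constructed for the example."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class DhcpMsg:
    kind: str        # "REQUEST" or "ACK" (constructed subset of DHCP)
    ingress: str     # interface the message arrived on, e.g. "GE1/0/3"
    client_mac: str  # chaddr, in the guide's xxxx-xxxx-xxxx notation
    client_ip: str   # yiaddr in an ACK; "" in a REQUEST
    vlan: int = 1


@dataclass
class SnoopingTable:
    trusted_ports: set = field(default_factory=set)
    # (vlan, mac) -> (ip, client port, "dynamic" | "static")
    bindings: dict = field(default_factory=dict)
    _pending: dict = field(default_factory=dict)  # (vlan, mac) -> client port

    def add_static(self, vlan, mac, ip, port):
        """Static binding, as entered on the DHCP relay User Information page."""
        self.bindings[(vlan, mac)] = (ip, port, "static")

    def process(self, msg):
        """Snoop one DHCP message and return what the device did with it."""
        key = (msg.vlan, msg.client_mac)
        if msg.kind == "REQUEST":
            # Remember the port the client really sits on; the binding will
            # point at this port, not at the server-facing trusted port.
            self._pending[key] = msg.ingress
            return "forwarded"
        if msg.kind == "ACK":
            # Server messages are accepted only from a trusted port, so a rogue
            # DHCP server on a client port can neither create a binding nor
            # hand out addresses through the snooping device.
            if msg.ingress not in self.trusted_ports:
                return "dropped: server message on untrusted port"
            if key not in self._pending:
                return "forwarded: no matching request"
            port = self._pending.pop(key)
            self.bindings[key] = (msg.client_ip, port, "dynamic")
            return "recorded"
        return "forwarded"

    def address_check(self, vlan, src_mac, src_ip):
        """The relay agent's IP address check: client traffic may reach outside
        networks only if its source IP and MAC match a binding."""
        entry = self.bindings.get((vlan, src_mac))
        return entry is not None and entry[0] == src_ip


def run_scenario():
    """Constructed exchange: one legitimate lease, one rogue server, one spoof."""
    t = SnoopingTable(trusted_ports={"GE3/0/2"})  # port facing the DHCP server
    results = [
        t.process(DhcpMsg("REQUEST", "GE1/0/3", "0001-0203-0405", "")),
        t.process(DhcpMsg("ACK", "GE3/0/2", "0001-0203-0405", "10.1.1.20")),
        # Rogue server answering on a client port: ACK dropped, no binding made.
        t.process(DhcpMsg("REQUEST", "GE1/0/4", "0001-0203-0406", "")),
        t.process(DhcpMsg("ACK", "GE1/0/5", "0001-0203-0406", "10.1.1.66")),
    ]
    t.add_static(1, "0001-0203-0407", "10.1.1.7", "GE1/0/7")
    checks = {
        "leased": t.address_check(1, "0001-0203-0405", "10.1.1.20"),
        "manual_ip": t.address_check(1, "0001-0203-0405", "10.1.1.99"),
        "rogue_lease": t.address_check(1, "0001-0203-0406", "10.1.1.66"),
        "static": t.address_check(1, "0001-0203-0407", "10.1.1.7"),
        "spoofed_mac": t.address_check(1, "0001-0203-0408", "10.1.1.20"),
    }
    return results, checks
```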
Configuring DNS
Overview
Domain Name System (DNS) is a distributed database used by TCP/IP applications to translate domain
names into corresponding IP addresses. With DNS, you can use simple domain names in some
applications and the DNS server translates them into correct IP addresses.
There are two types of DNS services: static and dynamic. After a user specifies a name, the device checks
the local static name resolution table for an IP address. If no IP address is available, it contacts the DNS
server for dynamic name resolution, which takes more time than static name resolution. Therefore, to
improve efficiency, frequently queried name-to-IP address mappings are stored in the local static name
resolution table.
DNS proxy
A DNS proxy forwards DNS requests and replies between DNS clients and a DNS server.
A DNS client considers the DNS proxy as the DNS server and sends a DNS request to the DNS proxy.
The DNS proxy forwards the request to the designated DNS server, and conveys the reply from the DNS
server to the client.
The DNS proxy simplifies network management. When the DNS server address is changed, you only
need to change the configuration on the DNS proxy, instead of on each DNS client.
For more information about DNS, see HP 830 Series PoE+ Unified Wired-WLAN Switch and HP
10500/7500 20G Unified Wired-WLAN Module Layer 3 Configuration Guide.
Static domain name resolution task list (remarks; task names not recoverable):
Required.
Dynamic domain name resolution task list (remarks; task names not recoverable):
1. Required. This function is disabled by default.
2. Required. Not configured by default.
3. Optional. Not configured by default.
4. Optional.
DNS proxy task list (remarks; task names not recoverable):
1. Required. By default, the device is not a DNS proxy.
2. Required. Not configured by default.
1. Select Network > DNS from the navigation tree to enter the default static domain name resolution configuration page shown in Figure 172.
2. Click Add.
4. Click Apply.
Host Name and Host IP Address: Configure the mapping between a host name and an IP address in the static domain name table. Each host name corresponds to only one IP address. If you configure multiple IP addresses for a host name, the most recently configured IP address takes effect.
4. Click Apply.
2. Click the Dynamic tab to enter the page shown in Figure 174.
4. Click Apply.
NOTE:
Before performing the following configuration, make sure the AC and the host are reachable to each other, and the IP addresses of the interfaces are configured. See Figure 177.
This configuration may vary with DNS servers. The following configuration is performed on a PC running Windows Server 2000.
2.
b. In the dialog box shown in Figure 180, enter host name host and IP address 3.1.1.1.
c. Click Add Host.
Figure 180 Adding a mapping between domain name and IP address
Configuring the AC
3. Click Apply.
1. Select Diagnostic Tools > Ping from the navigation tree to enter the IPv4 Ping configuration page.
Managing services
Overview
The service management module provides the following types of services: FTP, Telnet, SSH, SFTP, HTTP
and HTTPS. You can enable or disable the services as needed to enhance the performance and security
of the system, and achieve secure management of the device.
The service management module also provides the function to modify HTTP and HTTPS port numbers, and the function to associate the FTP, HTTP, or HTTPS service with an ACL, which reduces attacks by unauthorized users on these services.
FTP service
The File Transfer Protocol (FTP) is an application-layer protocol for sharing files between server and client
over a TCP/IP network.
Telnet service
The Telnet protocol is an application layer protocol that provides remote login and virtual terminal
functions on the network.
SSH service
Secure Shell (SSH) offers an approach to securely log in to a remote device. It protects devices against
attacks such as IP spoofing and plain text password interception using encryption and authentication.
SFTP service
The secure file transfer protocol (SFTP) is a new feature in SSH2.0. SFTP uses the SSH connection to provide secure data transfer. The device can serve as the SFTP server, allowing a remote user to log in to the SFTP server for secure file management and transfer. The device can also serve as an SFTP client, enabling a user to log in from the device to a remote device for secure file transfer.
HTTP service
The Hypertext Transfer Protocol (HTTP) is used for transferring Web page information across the Internet.
It is an application-layer protocol in the TCP/IP protocol suite.
You can log in to the device using the HTTP protocol with HTTP service enabled, accessing and
controlling the device with Web-based network management.
HTTPS service
Secure HTTP (HTTPS) refers to the HTTP protocol running over the Secure Sockets Layer (SSL) protocol.
The SSL protocol of HTTPS enhances the security of the device in the following ways:
Uses the SSL protocol to ensure authorized clients' secure access to the device and to reject unauthorized clients.
Encrypts the data exchanged between the HTTPS client and the device to ensure data confidentiality and integrity.
Defines a certificate attribute-based access control policy for the device to control the access rights of clients, to prevent attacks from unauthorized clients.
1. Select Network > Service from the navigation tree to enter the service management configuration page.
3. Click Apply.
Item and description:
FTP: Enable FTP service; ACL.
Telnet: Enable Telnet service.
SSH: Enable SSH service.
SFTP: Enable SFTP service.
HTTP: Enable HTTP service.
HTTP > Port Number: Set the port number for HTTP service. You can view this configuration item by clicking the expanding button in front of HTTP.
IMPORTANT: When you modify a port, make sure the port is not used by another service.
HTTP > ACL: Associate the HTTP service with an ACL. Only the clients that pass the ACL filtering are permitted to use the HTTP service. You can view this configuration item by clicking the expanding button in front of HTTP.
HTTPS > Enable HTTPS service: Specify whether to enable the HTTPS service. The HTTPS service is disabled by default.
HTTPS > Port Number: Set the port number for HTTPS service. You can view this configuration item by clicking the expanding button in front of HTTPS.
IMPORTANT: When you modify a port, make sure the port is not used by another service.
HTTPS > ACL: Associate the HTTPS service with an ACL. Only the clients that pass the ACL filtering are permitted to use the HTTPS service. You can view this configuration item by clicking the expanding button in front of HTTPS.
HTTPS > Certificate: Set the local certificate for the HTTPS service. The list displays certificate subjects. You can configure the available PKI domains by selecting Authentication > Certificate Management from the navigation tree at the left side of the interface. For more information, see "Managing certificates."
IMPORTANT: The service management, portal authentication and local EAP service modules always reference the same PKI domain. Changing the referenced PKI domain in any of the three modules also changes the PKI domain referenced in the other two modules.
1. The source device sends an ICMP echo request (ECHO-REQUEST) to the destination device.
2. The destination device responds by sending an ICMP echo reply (ECHO-REPLY) to the source device after receiving the ICMP echo request.
3. The source device displays related statistics after receiving the reply.
The ping command can be applied to the destination's host name or IP address. If the destination's
host name is unknown, the prompt information is displayed.
If the source device does not receive an ICMP echo reply within the timeout time, it displays the
prompt information and the statistics during the ping operation. If the source device receives an
ICMP echo reply within the timeout time, it displays the number of bytes of the echo reply, the
message sequence number, Time to Live (TTL), the response time, and the statistics during the ping
operation. Statistics displayed during the ping operation include number of packets sent, number of
echo reply messages received, percentage of messages not received, and the minimum, average,
and maximum response time.
Trace route
By using the trace route command, you can display the Layer 3 devices involved in delivering a packet
from source to destination. In the event of network failure, this function can identify failed nodes.
The trace route command includes the following steps in its execution:
1. The source device sends a packet with a TTL value of 1 to the destination device.
2. The first hop (the Layer 3 device that first receives the packet) responds by sending a TTL-expired ICMP message to the source, with its IP address encapsulated. In this way, the source device can obtain the address of the first Layer 3 device.
3. The source device sends a packet with a TTL value of 2 to the destination device.
4. The second hop responds with a TTL-expired ICMP message, which gives the source device the address of the second Layer 3 device.
5. This process continues until the ultimate destination device is reached. In this way, the source device can trace the addresses of all the Layer 3 devices involved in reaching the destination device.
The traceroute command can be applied to the destination's host name or IP address. If the destination's
host name is unknown, the prompt information is displayed.
Ping operation
IPv4 ping operation
1. Select Diagnostic Tools > Ping from the navigation tree to enter the IPv4 Ping configuration page.
2. Click the expansion button before Advanced Setup to display the configurations of the advanced parameters of IPv4 ping operation.
3. Enter the IPv4 address or host name of the destination device in the Destination IP address or host name field.
IPv6 ping operation
3. Expand Advanced Setup to display the configurations of the advanced parameters of IPv6 ping operation.
4. Enter the IPv6 address or host name of the destination device in the Destination IP address or host name field.
Trace route operation
1. Select Diagnostic Tools > Trace Route from the navigation tree.
2. Click the Trace Route tab to enter the Trace Route configuration page.
Configuring APs
The AP configuration module allows you to perform the following configurations:
Configure auto AP
Configure an AP group
AC-AP connection
An AP and an AC establish a tunnel connection based on UDP.
An AP uses a data tunnel to encapsulate data packets to be sent to the AC. These packets can be raw
802.11 packets or 802.11 to 802.3 translated packets. An AC provides a control tunnel to support remote
AP configuration and management, and WLAN and mobile management.
The AC can dynamically configure an AP based on the information provided by the administrator.
Auto AP
The auto AP feature allows an AP to automatically connect to an AC. When you deploy a wireless
network with multiple APs, the auto AP function avoids configuration of many AP serial IDs, simplifying
configuration.
AP group
Some wireless service providers need to control the access positions of clients. For example, as shown in
the figure below, to meet security or billing needs, it is required to connect wireless clients 1, 2 and 3 to
the wired network through APs 1, 2 and 3 respectively. To achieve this, you can configure an AP group
that the clients can be associated with and then apply the AP group in a user profile.
Figure 192 Client access control
Configuring an AP
Creating an AP
4. Click Apply.
Item and description:
AP Name: AP name.
Model: AP model.
Serial ID: Auto. If selected, the AC automatically searches the AP serial ID. This function is used together with the auto AP function. For more information about configuring auto AP, see "Configuring auto AP."
Configuring an AP
2. Click the icon corresponding to the target AP to enter the page for configuring an AP.
4. Click Apply.
Item and description:
AP Name
Country/Region code: By default, the country/region code of an AP depends on the AP model. If no country/region code is configured for an AP, the AP uses the global country/region code. If both a country/region code and a global country/region code are configured, the AP uses its own country/region code. For how to configure the global country/region code, see "Configuring advanced settings".
Follow these guidelines when you configure a country/region code:
If the global country/region code you have configured conflicts with the country/region code supported by the AP, the connection between the AP and AC is terminated. To enable the AP to connect with the AC again, the administrator must configure a correct country/region code for the AP.
Some ACs and fit APs use locked country/region codes, depending on the following scenarios:
An AC's locked global country/region code cannot be changed, and all managed fit APs whose country/region codes are not locked must use the AC's locked global country/region code.
A fit AP's locked country/region code cannot be changed, and the fit AP can only use that country/region code.
If an AC and a managed fit AP use different locked country/region codes, the fit AP uses its own locked country/region code.
If an AP model contains IL, the default country/region code of the AP is IL. You cannot modify it.
If an AP model contains JP, the default country/region code of the AP is JP. You cannot modify it.
default. You can only configure a country/region code other than IL, JP, and North America.
Radio Number: Select the number of the radios on the AP. The value depends on the AP model.
Radio Type: Select the radio type, which can be one of the following values: 802.11a, 802.11b, 802.11g, 802.11n (2.4 GHz), 802.11n (5 GHz).
Serial ID: Auto. If selected, the AP serial ID is automatically found. This option is used together with the auto AP function. For more information about configuring auto AP, see "Configuring auto AP."
Description
2. Click the icon corresponding to the target AP.
3. On the page that appears, expand Advanced Setup to enter the page for advanced AP setup.
5. Click Apply.
Item and description:
AP Connection Priority: Specify the AP connection priority on the AC. For more information, see "AP connection priority configuration example." It can also be used together with the backup function. For more information, see "Configuring advanced settings."
Broadcast Probe: Enable. Enable the AP to respond to broadcast probe requests. The AP will respond to broadcast probe requests with the SSID null.
Configuration File: When local forwarding is enabled, you can use the configuration file to configure the AP. For example, when you configure a user profile when local forwarding is enabled, you must write the user profile, QoS policy, and ACL commands to the configuration file, and download the configuration file to the AP.
IMPORTANT: The commands in the configuration file must be in their complete form.
Set the maximum size of jumbo frames. When this function is enabled, the AC can send frames whose size does not exceed the maximum size to the AP. By default, the AC cannot send jumbo frames to the AP.
AP Echo Interval: Set the interval for sending echo requests. There is a keep-alive mechanism between AP and AC to confirm whether or not the tunnel is working. An AP periodically sends echo requests to an AC. The AC responds to echo requests by sending echo responses, which indicate that the tunnel is up.
Set the client keep-alive interval. The keep-alive mechanism is used to detect clients separated from the system for reasons such as power failure or crash, and disconnect them from the AP. By default, the client keep-alive functionality is disabled.
Maximum interval for which the link between the AP and a client can be idle. A connection that remains idle for the specified period of time is removed.
Backup AC IPv4 Address
Backup AC IPv6 Address
Band Navigation
Configure the LED flashing mode. All LEDs on the AP are steady on when an error occurs.
awake: Flashes the power LED every 1 minute and turns off the Ethernet port LEDs and radio LEDs.
building the list of VLANs on which to perform discovery. The management tool is available until discovery occurs.
The power, Ethernet, and radio LEDs flash in sequence from left to right: The AP has obtained an IP address and is attempting to discover a controller.
The power LED is on, and the Ethernet and radio LEDs flash alternately: The AP has found a controller and is attempting to establish a secure management tunnel with it.
The power and Ethernet LEDs flash alternately and quickly: The AP has received a discovery reply from two or more controllers with the same priority setting. It cannot reliably connect with either controller until the conflict is resolved.
The power and radio LEDs flash slowly: The AP is attempting to establish a local mesh link to a master node.
The power and Ethernet LEDs flash slowly: The AP is attempting to establish wired connectivity.
AP CAR
Remote AP: When this function is enabled, the AP automatically enables local forwarding (whether or not local forwarding is configured on the AC) to provide wireless access for logged-in clients when the tunnel between the AP and AC is terminated. However, it does not allow new clients. When a tunnel is established between the AP and AC again, the AP automatically switches to centralized forwarding mode and logs off all clients on the remote AP.
IMPORTANT: If a tunnel has been established between the remote AP and AC, the remote AP uses the backup tunnel to provide wireless access for logged-in clients when the tunnel between the AP and AC is terminated. For more information about AC backup, see "Configuring advanced settings."
CIR
CBS: By default, the CBS is the number of bytes transmitted in 500 ms at the rate of CIR. For example, if CIR is 100, CBS is 50000 bits, or 6250 bytes, by default.
Configuring auto AP
Enabling auto AP
Item and description:
Enable: Enable the auto AP function. You must also select Auto from the Serial ID list on the AP setup page to use the auto AP function.
Renaming an AP
4. Click Apply.
Item and description:
Old AP Name
AP Rename: Select the AP Rename check box, and type the new AP name.
Batch conversion
If you do not need to modify the automatically found AP names, you can select the AP Name box, and then click Transmit All AP to complete auto AP setup.
Configuring an AP group
Creating an AP group
2. Click Add.
Item and description:
AP Group ID: AP group ID. The value range varies with devices. For more information, see "About the HP 830 Series PoE+ Unified Wired-WLAN Switch and HP 10500/7500 20G Unified Wired-WLAN Module Web-Based Configuration Guide."
Configuring an AP group
2. Click the icon corresponding to the target AP group to enter the page for configuring an AP group.
4. Click Apply.
Item and description:
AP Group ID
Description
Exist AP List: To add APs to the Selected AP List, click the APs to be added to the AP group, and click the corresponding button. To delete the selected APs from the AP group, select the APs to be deleted in the Selected AP List, and click the < button. The APs to be added to the AP group should be created by selecting AP > AP Setup first.
Network diagram (recovered from the figure): AC 1, Switch, AP, Client, AC 2.
Configuring AC 1
2.
c. Expand Advanced Setup to enter the page shown in Figure 201 and set the AP connection priority to 6.
d. Click Apply.
Configuring AC 2
Wireless client: A handheld computer or laptop with a wireless Network Interface Card (NIC) or a terminal supporting WiFi can be a WLAN client.
Access controller: An AC can control and manage APs associated with it in a WLAN. The AC communicates with an authentication server for WLAN client authentication.
Service set identifier: An SSID identifies a wireless network. A client scans all networks at first, and then selects a specific SSID to connect to a specific wireless network.
Client access
A client access process has three steps: active/passive scanning surrounding wireless services,
authentication, and association, as shown in Figure 202.
Figure 202 Establishing a client access
Scanning
Wireless clients use active scanning and passive scanning to obtain information about surrounding
wireless networks.
1. Active scanning
A wireless client periodically sends probe request frames and obtains wireless network information from received probe response frames. Active scanning includes the following modes:
Active scanning without an SSID: The client periodically sends a probe request frame without an SSID on each of its supported channels. APs that receive the probe request send a probe response, which includes the available wireless network information. The client associates with the AP with the strongest signal. This mode enables the client to find the optimal wireless network.
Figure 203 Active scanning without an SSID
Figure 203 (recovered from the diagram): the client sends a probe request (with no SSID); AP 1 (managed by AC 1) and AP 2 (managed by AC 2) each answer with a probe response.
Active scanning with an SSID: If the wireless client is configured to access a wireless network or has associated with a wireless network, the client periodically sends a probe request that carries the SSID of that wireless network. When the target AP receives the probe request, it sends a probe response. This mode enables the client to access a specified wireless network.
Figure 204 Active scanning with an SSID
2. Passive scanning
A wireless client listens to the beacon frames periodically sent by APs to discover surrounding wireless networks. Passive scanning is used when a client wants to save battery power. Typically, VoIP clients adopt passive scanning.
Authentication
To secure wireless links, APs perform authentication on wireless clients. A wireless client must pass authentication before it can access a wireless network. 802.11 defines two authentication methods: open system authentication and shared key authentication.
Figure (recovered from the diagram): Client, AP and AC; the client sends an authentication request and receives an authentication response.
Association
To access a wireless network via an AP, a client must associate with that AP. After the client passes
authentication on the AP, the client sends an association request to the AP. The AP checks the capability
information in the association request to determine the capability supported by the wireless client, and
sends an association response to notify the client of the association result. A client can associate with only
one AP at a time, and an association process is always initiated by the client.
Plain-text data: It is a WLAN service without security protection. No data packets are encrypted.
WEP encryption: Wired Equivalent Privacy (WEP) was developed to protect data exchanged among authorized users in a wireless LAN from casual eavesdropping. WEP uses RC4 encryption (a stream encryption algorithm) for confidentiality. WEP encryption is static or dynamic depending on how a WEP key is generated.
Static WEP encryption: With static WEP encryption, all clients using the same SSID must use the same encryption key. If the encryption key is deciphered or lost, attackers can access all encrypted data. In addition, periodic manual key updates increase the management workload.
Dynamic WEP encryption: Dynamic WEP encryption is an improvement over static WEP encryption. With dynamic WEP encryption, WEP keys are negotiated between the client and server through the 802.1X protocol so that each client is assigned a different WEP key, which can be updated periodically to further improve unicast frame transmission security.
Although WEP encryption increases the difficulty of network interception and session hijacking, it has weaknesses due to limitations of the RC4 encryption algorithm and static key configuration.
TKIP encryption: Temporal Key Integrity Protocol (TKIP) and WEP both use the RC4 algorithm, but TKIP provides advantages over WEP, and provides more secure protection for WLAN, as follows:
TKIP provides longer IVs to enhance encryption security. Compared with WEP encryption, TKIP encryption uses the 128-bit RC4 encryption algorithm, and increases the length of IVs from 24 bits to 48 bits.
TKIP allows for dynamic key negotiation to avoid static key configuration. TKIP replaces a single static key with a base key generated by an authentication server. TKIP dynamic keys cannot be easily deciphered.
TKIP offers Message Integrity Check (MIC) and countermeasures. If a packet fails the MIC, the data may have been tampered with, and the system may be under attack. If two packets fail the MIC in a specific period, the AP automatically takes countermeasures. While it takes countermeasures, it does not provide services, so that the attack cannot continue.
CCMP encryption: CTR with CBC-MAC Protocol (CCMP) is based on the CCM mode of the AES encryption algorithm. CCM combines CTR for confidentiality and CBC-MAC for authentication and integrity. CCM protects the integrity of both the MPDU Data field and selected portions of the IEEE 802.11 MPDU header. The AES block algorithm in CCMP uses a 128-bit key and a 128-bit block size. Similarly, CCMP contains a dynamic key negotiation and management method, so that each wireless client can dynamically negotiate a key suite, which can be updated periodically to further enhance the security of the CCMP encryption mechanism. During the encryption process, CCMP uses a 48-bit packet number (PN) to ensure that each encrypted packet uses a different PN, which improves security.
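How the 48-bit PN described above is carried and checked, as an added example that is not the guide's or the AC's own code: it parses the CCMP header that precedes the encrypted data and keeps per-transmitter replay counters so a replayed frame is rejected. No AES-CCM encryption is performed, and all frames and addresses are constructed.

```python
"""CCMP header parsing and packet-number (PN) replay detection.
Added example, not code from the HP guide or the AC.  It covers the part
of CCMP the text above describes: the 48-bit PN carried in the 8-octet
CCMP header (PN0 PN1 Rsvd KeyID/ExtIV PN2 PN3 PN4 PN5, PN0 least
significant, per IEEE 802.11) and the receiver's rule that every accepted
frame must carry a PN above the last one seen for that transmitter, key
and priority.  No AES-CCM is performed; all frames are constructed."""
from dataclasses import dataclass, field

CCMP_HDR_LEN = 8
PN_MAX = (1 << 48) - 1
EXT_IV = 0x20


def build_ccmp_header(pn, key_id=0):
    """Transmitter side: lay out a 48-bit PN into the CCMP header octets."""
    if not 0 <= pn <= PN_MAX or not 0 <= key_id <= 3:
        raise ValueError("PN or key id out of range")
    b = pn.to_bytes(6, "little")            # b[0] is PN0, b[5] is PN5
    return bytes([b[0], b[1], 0x00, EXT_IV | (key_id << 6), b[2], b[3], b[4], b[5]])


def parse_ccmp_header(hdr):
    """Receiver side: return (pn, key_id); reject anything that is not CCMP."""
    if len(hdr) < CCMP_HDR_LEN:
        raise ValueError("truncated CCMP header")
    if not hdr[3] & EXT_IV:
        raise ValueError("ExtIV clear: not a CCMP-protected MPDU")
    pn = int.from_bytes(bytes([hdr[0], hdr[1], hdr[4], hdr[5], hdr[6], hdr[7]]), "little")
    return pn, hdr[3] >> 6


@dataclass
class ReplayDetector:
    """One PN counter per (transmitter, key id, priority): QoS traffic classes
    are reordered independently, so each needs its own replay window."""
    last_pn: dict = field(default_factory=dict)

    def accept(self, ta, priority, hdr):
        """Return (accepted, reason) for a protected MPDU from transmitter ta."""
        pn, key_id = parse_ccmp_header(hdr)
        key = (ta, key_id, priority)
        seen = self.last_pn.get(key, -1)
        if pn <= seen:
            # Same or older PN under the same key: a replayed or duplicated frame.
            return False, "replay: PN %d not above %d" % (pn, seen)
        self.last_pn[key] = pn
        if pn == PN_MAX:
            # A PN must never repeat under one key, so the peer has to rekey.
            return True, "accepted; PN space exhausted, rekey required"
        return True, "accepted"


def run_scenario():
    """Constructed frames from one AP: fresh, fresh, replayed, out-of-order, fresh."""
    det = ReplayDetector()
    ap = "0002-0304-0506"   # constructed transmitter address
    verdicts = [det.accept(ap, 0, build_ccmp_header(pn))[0] for pn in (5, 7, 7, 6, 8)]
    # A second priority (TID) has its own counter, so PN 1 is fine there.
    other_tid = det.accept(ap, 6, build_ccmp_header(1))[0]
    return verdicts, other_tid
```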
PSK authentication
To implement PSK authentication, the client and the authenticator must have the same shared key
configured. Otherwise, the client cannot pass pre-shared key (PSK) authentication.
802.1X authentication
As a port-based access control protocol, 802.1X authenticates and controls accessing devices at
the port level. A device connected to an 802.1X-enabled port of a WLAN access control device
can access the resources on the WLAN only after passing authentication.
The administrators of access devices can select to use RADIUS or local authentication to cooperate
with 802.1X for authenticating users. For more information about remote/local 802.1X
authentication, see "Configuring 802.1X."
MAC authentication
MAC authentication provides a method to authenticate users based on ports and MAC addresses.
You can configure permitted MAC address lists to filter MAC addresses of clients. However, the
efficiency will be reduced when the number of clients increases. Therefore, MAC authentication is
applicable to environments without high security requirements, for example, SOHO and small
offices.
MAC authentication includes the following modes:
Local MAC authentication: When this authentication mode is used, you need to configure a permitted MAC address list on the device. If the MAC address of a client is not in the list, its access request will be denied.
Figure (recovered from the diagram): the permitted MAC address list on the AC contains 0009-5bcf-cce3, 0011-9548-4007 and 000f-e200-00a2; clients 0009-5bcf-cce3 and 0011-9548-4007 reach the AC through the AP and L2 switch, while client 001a-9228-2d3e is not in the list.
When a RADIUS server is used for MAC authentication, you can specify a domain for each wireless
service, and send MAC authentication information of different SSIDs to different remote RADIUS servers.
802.11n
As the next generation wireless LAN technology, 802.11n supports both the 2.4 GHz and 5 GHz bands. It provides higher throughput to customers by using the following methods:
1. Increasing bandwidth: 802.11n can bond two adjacent 20-MHz channels together to form a 40-MHz channel. During data forwarding, the two 20-MHz channels can work separately, with one acting as the primary channel and the other acting as the secondary channel. They can also work together as a 40-MHz channel, which provides a simple way to double the data rate.
Configuration task list (remarks; task names other than the fifth were not recoverable):
1. Required.
2. Required.
3. Required.
4. Required.
5. Enabling a radio: Required.
6. Optional.
1. Select Wireless Service > Access Service from the navigation tree.
2. Click Add.
4. Click Apply.
Item and description:
Set the Service Set Identifier (SSID), a case-sensitive string of 1 to 32 characters, which can include letters, digits, underlines, and spaces.
Select the wireless service type.
1. Select Wireless Service > Access Service from the navigation tree.
2. Click the icon corresponding to the target clear-type wireless service to enter the page for configuring wireless service.
3. Configure basic settings for the clear-type wireless service as described in Table 81.
4. Click Apply.
Table 81 items:
Wireless Service
VLAN (Untagged): Enter the ID of the VLAN whose packets are to be sent untagged. VLAN (Untagged) indicates that the port sends the traffic of the VLAN with the VLAN tag removed.
Default VLAN: Set the default VLAN of a port. By default, the default VLAN of all ports is VLAN 1. After you set the new default VLAN, VLAN 1 is the ID of the VLAN whose packets are to be sent untagged.
Delete VLAN: Remove the IDs of the VLANs whose packets are to be sent untagged and tagged.
SSID Hide: Enable: Disable the advertisement of the SSID in beacon frames. Disable: Enable the advertisement of the SSID in beacon frames. By default, the SSID is advertised in beacon frames.
IMPORTANT:
If the advertising of the SSID in beacon frames is disabled, the SSID must be configured for the clients to associate with the AP.
Disabling the advertising of the SSID in beacon frames does not improve wireless security.
1. Select Wireless Service > Access Service from the navigation tree.
2. Click the icon corresponding to the target clear-type wireless service to enter the page for configuring advanced settings for a clear-type wireless service.
Figure 213 Configuring advanced settings for the clear-type wireless service
3. Configure advanced settings for the clear-type wireless service as described in Table 82.
4. Click Apply.
Table 82 items:
Local Forwarding: Clients using the same SSID may belong to different VLANs. You can configure a local forwarding VLAN when configuring a local forwarding policy.
IMPORTANT: When the number of clients of an SSID to be associated with the same radio of the AP reaches the maximum, the SSID is automatically hidden.
Management Right: Web interface management right of online clients.
MAC VLAN
Unknown Client
Aging time for the cache that saves the PMK and authorized VLAN information when a client logs off. If you configure the aging time as 0, the AP clears the cache after logging off the client. The client cannot roam between APs.
1. Select Wireless Service > Access Service from the navigation tree.
2. Click the icon corresponding to the target clear-type wireless service to enter the page for configuring security settings for the clear-type wireless service.
Figure 214 Configuring security settings for the clear-type wireless service
3. Configure security settings for the clear-type wireless service as described in Table 83.
4. Click Apply.
Item / Description
Authentication Type: For the clear-type wireless service, you can select Open-System only.
Item / Description
Port Mode:
  mac-authentication: Perform MAC address authentication on users.
  mac-else-userlogin-secure: This mode is the combination of the
  for users. Multiple 802.1X authenticated users can access the port, but only one user can be online.
  mode, except that it supports multiple 802.1X and MAC authentication users on the port.
  The authentication modes before Or and after Or have the same priority. The device determines the authentication mode according to the protocol type of the packets to be authenticated. For wireless users, the 802.1X authentication mode is used preferentially.
Max User: Maximum number of users that can be connected to the network through a specific port.
a. Configure mac-authentication:
Item / Description
Port Mode: mac-authentication: MAC-based authentication is performed on access users.
  Select Wireless Service > Access Service from the navigation tree, click MAC Authentication List, and enter the MAC address of the client.
Max User: Control the maximum number of users allowed to access the network through the port.
MAC Authentication Domain: The selected domain name applies to only the current wireless service, and all clients accessing the wireless service use this domain for authentication, authorization, and accounting. Do not delete a domain name in use. Otherwise, the clients that access the wireless service will be logged out.
b. Configure userlogin-secure/userlogin-secure-ext
Item / Description
Port Mode: userlogin-secure: Perform MAC-based 802.1X authentication for access users. In this mode, multiple 802.1X authenticated users can access the port, but only one user can be online.
Max User: Control the maximum number of users allowed to access the network through the port.
Mandatory Domain: Select an existing domain from the list. The default domain is system. To create a domain, select Authentication > AAA from the navigation tree, click the Domain Setup tab, and enter a new domain name in the Domain Name field. The selected domain name applies to only the current wireless service, and all clients accessing the wireless service use this domain for authentication, authorization, and accounting. Do not delete a domain name in use. Otherwise, the clients that access the wireless service will be logged out.
Authentication Method: By default, CHAP is used. CHAP transmits usernames in simple text and passwords in cipher text over the network. This method is safer than the other two methods.
Handshake: Enable: Enable the online user handshake function so that the device can periodically send handshake messages to a user to check whether the user is online.
Item / Description
Enable: Enable the multicast trigger function of 802.1X to send multicast trigger messages to the clients periodically for initiating authentication. By default, the multicast trigger function is enabled.
IMPORTANT: For a WLAN, the clients can actively initiate authentication, or the AP can discover users and trigger authentication. Therefore, the ports do not need to send 802.1X multicast trigger messages periodically for initiating authentication. HP recommends that you disable the multicast trigger function in a WLAN because the multicast trigger messages consume bandwidth.
Item / Description
Port Mode:
  mac-else-userlogin-secure: This mode is the combination of the mac-authentication and userlogin-secure modes. MAC authentication has a higher priority than the userlogin-secure mode. Upon receiving a non-802.1X frame, a port in this mode performs only MAC authentication. When it receives an 802.1X frame, the port performs MAC authentication and, if MAC authentication fails, the port performs 802.1X authentication.
  mode, except that it supports multiple 802.1X and MAC authentication users on the port.
  mode, except that it supports multiple 802.1X and MAC authentication users on the port.
  Select Wireless Service > Access Service from the navigation tree, click MAC Authentication List, and enter the MAC address of the client.
Max User: Control the maximum number of users allowed to access the network through the port.
Mandatory Domain: Select an existing domain from the list. After a mandatory domain is configured, all 802.1X users accessing the port are forced to use the mandatory domain for authentication, authorization, and accounting. The default domain is system. To create a domain, select Authentication > AAA from the navigation tree, click the Domain Setup tab, and enter a new domain name in the Domain Name field.
Authentication Method:
  EAP: Use the Extensible Authentication Protocol (EAP). With EAP authentication, the
  CHAP is used. CHAP transmits usernames in simple text and passwords in cipher text over the network. This method is safer than the other two methods.
Handshake: Enable: Enable the online user handshake function so that the device can periodically send handshake messages to a user to check whether the user is online. By default, the function is enabled.
Enable: Enable the multicast trigger function of 802.1X to send multicast trigger messages to the clients periodically to initiate authentication. By default, the multicast trigger function is enabled.
IMPORTANT: For a WLAN, the clients can actively initiate authentication, or the AP can discover users and trigger authentication. Therefore, the ports do not need to send 802.1X multicast trigger messages periodically for initiating authentication. HP recommends that you disable the multicast trigger function in a WLAN because the multicast trigger messages consume bandwidth.
MAC Authentication Domain: The selected domain name applies to only the current wireless service, and all clients accessing the wireless service use this domain for authentication, authorization, and accounting. Do not delete a domain name in use. Otherwise, the clients that access the wireless service will be logged out.
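The port-mode rules in the tables above (mac-authentication, userlogin-secure, mac-else-userlogin-secure, userlogin-secure-or-mac, their -ext variants and Max User) as a small decision model. This is an added example, not HP's code; the Port class, its callables standing in for the MAC authentication list and the 802.1X exchange, and all sample MACs are this example's own assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable

MacCheck = Callable[[str], bool]


@dataclass
class Port:
    """One wireless-service port with its port mode and Max User setting (assumed model)."""
    mode: str
    max_user: int
    mac_ok: MacCheck      # stands in for the MAC authentication list / RADIUS lookup
    dot1x_ok: MacCheck    # stands in for the outcome of the 802.1X (EAP) exchange
    online: set = field(default_factory=set)

    @property
    def base_mode(self) -> str:
        # the -ext variants differ only in how many users may be online at once
        return self.mode[:-4] if self.mode.endswith("-ext") else self.mode

    @property
    def single_user(self) -> bool:
        # userlogin-secure, mac-else-userlogin-secure and userlogin-secure-or-mac
        # let only one user be online unless the -ext variant is configured
        return self.base_mode != "mac-authentication" and not self.mode.endswith("-ext")

    def _authenticate(self, mac: str, is_dot1x_frame: bool) -> bool:
        base = self.base_mode
        if base == "mac-authentication":
            return self.mac_ok(mac)
        if base == "userlogin-secure":
            return is_dot1x_frame and self.dot1x_ok(mac)
        if base == "mac-else-userlogin-secure":
            # MAC authentication first; 802.1X only as a fallback for 802.1X frames
            if self.mac_ok(mac):
                return True
            return is_dot1x_frame and self.dot1x_ok(mac)
        if base == "userlogin-secure-or-mac":
            # equal priority: the protocol type of the frame picks the method
            return self.dot1x_ok(mac) if is_dot1x_frame else self.mac_ok(mac)
        raise ValueError(f"unknown port mode: {self.mode}")

    def access(self, mac: str, is_dot1x_frame: bool) -> bool:
        """Return True if the client with this MAC is (or becomes) online on the port."""
        if mac in self.online:
            return True
        if len(self.online) >= self.max_user:
            return False                       # Max User reached
        if self.single_user and self.online:
            return False                       # only one online user in the non-ext modes
        if not self._authenticate(mac, is_dot1x_frame):
            return False
        self.online.add(mac)
        return True
```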
1. Select Wireless Service > Access Service from the navigation tree.
2. Click the icon corresponding to the target crypto-type wireless service to enter the page for configuring wireless service.
3. Configure basic settings for the crypto-type wireless service as described in Table 81.
4. Click Apply.
1. Select Wireless Service > Access Service from the navigation tree.
2. Click the icon corresponding to the target crypto-type wireless service to enter the page for configuring wireless service.
Figure 219 Configuring advanced settings for the crypto-type wireless service
3. Configure advanced settings for the crypto-type wireless service as described in Table 87.
4. Click Apply.
Item / Description
Local Forwarding: Clients using the same SSID may belong to different VLANs. You can configure a local forwarding VLAN when configuring a local forwarding policy.
Item / Description
Central: The AC authenticates clients. In this authentication mode, the data forwarding mode is determined by the local forwarding settings.
When the connection fails, the AP authenticates clients and performs local forwarding. When the AP re-establishes a connection with the AC, the AP logs out all clients and the AC re-authenticates clients. The clients can associate with the AP only after they pass the authentication.
The clients use centralized authentication by default if they are not configured with local authentication.
Client Max Users: Maximum number of clients of an SSID to be associated with the same radio of the AP.
IMPORTANT: When the number of clients of an SSID to be associated with the same radio of the AP reaches the maximum, the SSID is automatically hidden.
Set the pairwise transient key (PTK) lifetime. A PTK is generated through a four-way handshake.
TKIP CM Time: Set the TKIP countermeasure time. By default, the TKIP countermeasure time is 0 seconds and the TKIP countermeasure policy is disabled.
Message integrity check (MIC) is designed to avoid hacker tampering. It uses the Michael algorithm and is very secure. When MIC failures occur, the data may have been tampered with, and the system may be under attack. With the countermeasure policy enabled, if more than two MIC failures occur within the specified time, the TKIP associations are disassociated and no new associations are allowed within the TKIP countermeasure time.
Management Right: Web interface management right of online clients.
MAC VLAN
Unknown Client: Configure the AP to deauthenticate the clients or drop the packets when it receives packets from unknown clients.
Client Cache Aging-time: Aging time for the cache that saves the PMK and authorized VLAN information when a client logs off. If you configure the aging time as 0, the AP clears the cache after logging off the client. The client cannot roam between APs.
GTK Rekey: An AC generates a group transient key (GTK) and sends the GTK to a client during the authentication process between an AP and the client through the group key handshake or the 4-way handshake. The client uses the GTK to decrypt broadcast and multicast packets.
  If Time is selected, the GTK will be refreshed after a specified period of time.
  If Packet is selected, the GTK will be refreshed after a specified number of packets are transmitted.
  By default, the GTK rekeying method is time-based, and the interval is 86400 seconds.
GTK User Down Status
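The TKIP countermeasure rule from the TKIP CM Time row above, modelled as the radio-wide policy a defender would expect the AP to enforce: more than two MIC failures inside one countermeasure-time window disassociate all TKIP clients and refuse new TKIP associations until the window has elapsed, and a CM time of 0 disables the policy. This is an added example, not HP's code; the class, its method names and the timestamps used are this example's own assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class TkipCountermeasure:
    """TKIP CM Time policy for one radio/SSID (assumed model, not the AP's implementation).

    cm_time is the configured TKIP countermeasure time in seconds; 0 means the
    policy is disabled, which is the guide's default.
    """
    cm_time: float
    failures: list = field(default_factory=list)   # timestamps of MIC failures in the window
    events: list = field(default_factory=list)     # (time, mac) of every failure reported
    blocked_until: float = 0.0                      # new TKIP associations refused before this
    associated: set = field(default_factory=set)    # MACs currently holding a TKIP association

    @property
    def enabled(self) -> bool:
        return self.cm_time > 0

    def associate(self, mac: str, now: float) -> bool:
        """Admit a new TKIP association unless countermeasures are in force."""
        if self.enabled and now < self.blocked_until:
            return False
        self.associated.add(mac)
        return True

    def mic_failure(self, mac: str, now: float) -> bool:
        """Record a MIC failure reported for mac at time now.

        Returns True when this failure triggers the countermeasure. The policy is
        radio-wide: failures from different clients count towards the same window.
        """
        self.events.append((now, mac))
        if not self.enabled:
            return False
        # sliding window: keep only failures younger than the countermeasure time
        self.failures = [t for t in self.failures if now - t < self.cm_time]
        self.failures.append(now)
        if len(self.failures) <= 2:
            return False                       # "more than two" not yet reached
        self.associated.clear()                # disassociate every TKIP client
        self.failures.clear()
        self.blocked_until = now + self.cm_time
        return True
```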
1. Select Wireless Service > Access Service from the navigation tree.
2. Click the icon corresponding to the target crypto-type wireless service to enter the page for configuring the crypto-type wireless service.
Figure 220 Configuring security settings for the crypto-type wireless service
3. Configure security settings for the crypto-type wireless service as described in Table 88.
4. Click Apply.
Item / Description
Authentication Type:
  Open-System: No authentication. With this authentication mode enabled, all the clients will pass the authentication.
  Shared-Key: The two parties need to have the same shared key configured for this authentication mode. You can select this option only when WEP encryption mode is used.
  IMPORTANT: WEP encryption can be used together with open system and shared-key authentication.
  key is used for both authentication and encryption. If the two parties do not use the same key, the client cannot pass the authentication, and cannot access the wireless network.
Cipher Suite: AES-CCMP and TKIP: Indicates that you can select both CCMP and TKIP encryption.
Security IE: Wireless service type (IE information carried in the beacon or probe response frame):
  WPA and RSN: Indicates that you can select both WPA and RSN.
Encryption
IMPORTANT:
WEP
Key ID:
  1: Key index 1.
  2: Key index 2.
  3: Key index 3.
  4: Key index 4.
  There are four static keys in WEP. The key index can be 1, 2, 3 or 4. The key corresponding to the specified key index will be used for encrypting and decrypting broadcast and multicast frames.
WEP Key
Port Mode: psk: An access user must use the pre-shared key (PSK) that is preconfigured to negotiate with the device. The access to the port is allowed only after the negotiation succeeds.
Item / Description
Port Mode
Max User
MAC Authentication Domain
b. Configure psk
Item / Description
Port Mode: psk: An access user must use the pre-shared key (PSK) that is pre-configured to negotiate with the device. The access to the port is allowed only after the negotiation succeeds.
Max User: Control the maximum number of users allowed to access the network through the port.
Pre-shared Key:
  pass-phrase: Enter a PSK in the form of a character string. You must enter a string that
  raw-key: Enter a PSK in the form of a hexadecimal number. You must enter a valid 64-bit hexadecimal number.
c. Configure userlogin-secure-ext:
Perform the configurations shown in Configure userlogin-secure/userlogin-secure-ext.
Service type | Authentication mode | Encryption type | Security IE | WEP encryption/key ID | Port mode
Clear | Open-System | Unavailable | Unavailable | Unavailable | mac-authentication, mac-else-userlogin-secure, mac-else-userlogin-secure-ext, userlogin-secure, userlogin-secure-ext, userlogin-secure-or-mac, userlogin-secure-or-mac-ext
Crypto rows (values listed by column):
  Authentication mode: Open-System; Shared-Key; Open-System and Shared-Key
  Encryption type and Security IE: Selected; Required; Unselected; Unavailable; Selected; Unavailable; Unavailable; Required; Unselected; Unavailable
  WEP encryption/key ID: WEP encryption is available, the key ID can be 2, 3, or 4; WEP encryption is required, the key ID can be 1, 2, or 3; WEP encryption is required, the key ID can be 1, 2, 3 or 4; WEP encryption is required, the key ID can be 1, 2, 3 or 4; WEP encryption is required, the key ID can be 1, 2, 3 or 4
  Port mode: mac and psk; psk; userlogin-secure-ext; mac-authentication; userlogin-secure; userlogin-secure-ext; mac-authentication
1. Select Wireless Service > Access Service from the navigation tree.
2.
3. Click Enable.
1. Select Wireless Service > Access Service from the navigation tree.
2. Click the icon corresponding to the target wireless service to enter the page for binding an AP radio to a wireless service.
3.
4. Click Bind.
A configuration progress dialog box appears.
5.
Users with the same SSID but accessing through different APs can be assigned to different VLANs based on their configurations.
For a user roaming between ACs, if the local AC does not have a VLAN-interface, the user is required to use an HA in the AC group for forwarding packets to avoid packet loss.
Figure 225 Schematic diagram for WLAN support for AP-based access VLAN recognition
As shown in Figure 225, Client 1 goes online through AP 1 and belongs to VLAN 3. When Client 1
roams within an AC or between ACs, Client 1 always belongs to VLAN 3. When Client 1 roams between
ACs, if FA, that is, AC 2, has VLAN-interface 3, AC 2 forwards packets from Client 1. Otherwise, packets
from Client 1 are sent to HA (AC 1) through the data tunnel and then HA forwards these packets.
Client 2 goes online through AP 4 and belongs to VLAN 2. A client going online through a different AP
is assigned to a different VLAN.
1. Select Wireless Service > Access Service from the navigation tree.
2. Click the icon corresponding to the target wireless service to enter the AP radio setup page, as shown in Figure 224.
3.
4.
5. Click Bind.
Enabling a radio
1.
2.
3. Click Enable.
A configuration progress dialog box appears.
4.
1. Select Wireless Service > Access Service from the navigation tree.
2. Click the specified clear-type wireless service to see its detailed information.
Field / Description
SSID
Binding Interface
Authentication Method
SSID-hide
Bridge Mode
1. Select Wireless Service > Access Service from the navigation tree.
2.
Figure 228 Displaying the detailed information about a crypto-type wireless service
Field / Description
SSID
Binding Interface
Security IE
Authentication Method
SSID-hide
Cipher Suite
WEP Key: WEP key.
GTK Rekey: GTK rekey method configured:
Bridge Mode: Forwarding mode:
Configuration guidelines
Select a correct district code.
Configuring the AC
1. Create an AP:
a. Select AP > AP Setup from the navigation tree.
b. Click Add.
c. On the page that appears, set the AP name to ap, select the AP model MSM460-WW, select the serial ID Manual, and enter the serial ID of the AP.
d. Click Apply.
2.
3.
4.
c. On the page that appears, select the box before ap with radio type 802.11n(2.4GHz).
d. Click Bind.
Figure 233 Binding an AP radio
5.
The client can successfully associate with the AP and access the WLAN network.
You can view the online clients on the page that you enter by selecting Summary > Client from the navigation tree.
Configuration guidelines
Follow these guidelines when you configure an auto AP:
Select the renamed AP (AP 1 in the example) rather than the auto AP (ap in the example) when
enabling the radio. If you enable the radio of the automatically found AP, the radios of all the
automatically found APs are enabled.
Configuring the AC
1. Create an AP:
2.
3.
4.
c. On the page that appears, select the box before ap with radio mode 802.11n(2.4GHz), and click Bind.
Figure 240 Binding an AP
d. To view the AP status, select AP > AP Setup from the navigation tree. The AP is in IDLE state.
Figure 241 AP status before auto AP is enabled
5. Enable auto AP:
a. Select AP > Auto AP from the navigation tree.
b. Select enable.
c. Click Apply.
6.
e. To view the renamed AP, select AP > AP Setup from the navigation tree.
7.
You can see that the AP is in the Run state on the page you enter by selecting AP > AP Setup from the navigation tree.
The client can successfully associate with the AP and access the WLAN network.
You can view the online clients on the page that you enter by selecting Summary > Client from the navigation tree.
802.11gn is used to work with the existing 802.11g network and protect the current investment.
Configuration guidelines
Follow these guidelines when you configure 802.11n:
Select Radio > Radio from the navigation tree, select the AP to be configured, and click the icon to enter the page for configuring a radio. Then you can modify the 802.11n parameters, including bandwidth mode, A-MPDU, A-MSDU, short GI, and whether 802.11n clients are allowed.
Select Radio > Rate from the navigation tree to set 802.11n rates.
Configuring the AC
1. Create an AP:
a. Select AP > AP Setup from the navigation tree.
b. Click Add.
c. On the page that appears, set the AP name to 11nap, select the AP model MSM460-WW, select the serial ID Manual, enter the serial ID of the AP, and click Apply.
2.
3.
4. Bind an AP radio:
a. Select Wireless Service > Access Service from the navigation tree.
b. Click the
The client can successfully associate with the AP and access the WLAN network.
You can view the online clients on the page you enter by selecting Summary > Client from the navigation tree.
In this example, 0014-6c8a-43ff is an 802.11g user, and 001c-f0bf-9c92 is an 802.11n user. Both users can access the WLAN network because there is no limit on the user type. If you enable client 802.11n only, only 001c-f0bf-9c92 can access the WLAN network.
Configuring the AC
1. Create an AP:
a. Select AP > AP Setup from the navigation tree.
b. Click Add.
c. On the page that appears, set the AP name to ap, select the AP model MSM460-WW, select the serial ID Manual, enter the AP serial ID, and click Apply.
2.
3.
4.
5.
c. On the page that appears, select the box before ap with radio mode 802.11n(2.4GHz) and click Bind.
A configuration progress dialog box appears.
d. After the configuration process is complete, click Close.
Figure 254 Binding an AP radio
6.
2. Select the configured service in Choose a wireless network (PSK in this example).
3. Click Connect.
4. In the popup dialog box, enter the key (12345678 in this example), and then click Connect.
The client has the same pre-shared key (PSK) as the AP, so the client can associate with the AP.
The client can successfully associate with the AP and access the WLAN network.
You can view the online clients on the page you enter by selecting Summary > Client from the navigation tree.
Configuring the AC
1. Create an AP:
a. Select AP > AP Setup from the navigation tree.
b. Click Add.
c. On the page that appears, set the AP name to ap, select the AP model MSM460-WW, select the serial ID Manual, enter the AP serial ID, and click Apply.
Figure 259 Creating an AP
2.
3.
4.
5.
a. Select Wireless Service > Access Service from the navigation tree.
b. Click MAC Authentication List.
c. On the page that appears, add a local user in the MAC Address field. 0014-6c8a-43ff is used in this example.
d. Click Add.
Figure 263 Adding a MAC authentication list
6.
c. On the page that appears, select the box before ap with radio mode 802.11n(2.4GHz) and click Bind.
A configuration progress dialog box appears.
d. After the configuration process is complete, click Close.
Figure 264 Binding an AP radio
7.
2. Select the configured service in Choose a wireless network (mac-auth in this example).
3. Click Connect.
If the MAC address of the client is in the MAC address list, the client can pass the MAC authentication and access the wireless network.
The client can successfully associate with the AP and access the WLAN network.
You can view the online clients on the page you enter by selecting Summary > Client.
Use the intelligent management center (IMC) as the RADIUS server for authentication, authorization,
and accounting (AAA). On the RADIUS server, configure the client's username and password as
the MAC address of the client and the shared key as expert. The IP address of the RADIUS server
is 10.18.1.88.
The IP address of the AC is 10.18.1.1. On the AC, configure the shared key for communication with
the RADIUS server as expert, and configure the AC to remove the domain name of a username
before sending it to the RADIUS server.
Configuring the AC
1.
2.
3. Configure AAA:
a. From the navigation tree, select Authentication > AAA.
b. Optional: On the Domain Setup tab, create a new ISP domain. This example uses the default domain system.
c. On the Authentication tab, select the ISP domain system, select the LAN-access AuthN box, select the authentication mode RADIUS, select the authentication scheme mac-auth from the Name list, and click Apply.
A configuration progress dialog box appears.
d. After the configuration process is complete, click Close.
Figure 269 Configuring the AAA authentication method for the ISP domain
e. On the Authorization tab, select the ISP domain system, select the LAN-access AuthZ box, select the authorization mode RADIUS, select the authorization scheme mac-auth from the Name list, and click Apply.
A configuration progress dialog box appears.
f. After the configuration process is complete, click Close.
Figure 270 Configuring the AAA authorization method for the ISP domain
4. Create an AP:
5.
6.
7.
8.
9.
2. Add service:
a. Click the Service tab.
b. Select User Access Manager > Service Configuration from the navigation tree.
c. Click Add.
d. On the page that appears, set the service name to mac, keep the default values for other parameters, and click Apply.
Figure 278 Adding service
3. Add an account:
a. Click the User tab.
b. Select User > All Access Users from the navigation tree to enter the user page.
c. Click Add.
d. On the page that appears, enter username 00146c8a43ff, set the account name and password both to 00146c8a43ff, select the service mac, and click Apply.
During authentication, the user does not need to enter the username or password. After passing MAC authentication, the client can associate with the AP and access the WLAN.
You can view the online clients on the page you enter by selecting Summary > Client from the navigation tree.
Use IMC as a RADIUS server for AAA. On the RADIUS server, configure the client's username as
user, password as dot1x, and shared key as expert. The IP address of the RADIUS server is
10.18.1.88.
On the AC, configure the shared key as expert, and configure the AC to remove the domain name
of a username before sending it to the RADIUS server. The IP address of the AC is 10.18.1.1.
Configuring the AC
1.
2.
3. Configure AAA:
a. Select Authentication > AAA from the navigation tree.
b. Optional: On the Domain Setup tab, create a new ISP domain. This example uses the default domain system.
c. On the Authentication tab, select the ISP domain system, select the LAN-access AuthN box, select the authentication mode RADIUS, select the authentication scheme system from the Name list, and click Apply.
Figure 282 Configuring the AAA authentication method for the ISP domain
d. On the Authorization tab, select the domain name system, select the LAN-access AuthZ box, select the authorization mode RADIUS, select the authorization scheme system from the Name list, and click Apply.
4. Create an AP:
5.
6.
7.
8.
9.
c. Click Add.
d. On the page that appears, enter 12345678 as the Shared Key, keep the default values for other parameters, select or manually add the access device with the IP address 10.18.1.1, and click Apply.
Figure 289 Adding access device
2. Add a service:
a. Click the Service tab.
b. Select User Access Manager > Service Configuration from the navigation tree.
c. Click Add.
d. On the page that appears, set the service name to dot1x, set the Certificate Type to EAP-PEAP AuthN and the Certificate Sub Type to MS-CHAPV2 AuthN, and click Apply.
3. Add an account:
a. Click the User tab.
b. Select User > All Access Users from the navigation tree.
c. Click Add.
d. On the page that appears, enter username user, set the account name to user and the password to dot1x, select the service dot1x, and click Apply.
3. In the Wireless Networks tab, select the wireless network with the SSID dot1x, and then click Properties.
The dot1x Properties window appears.
4. In the Authentication tab, select Protected EAP (PEAP) from the EAP type list, and click Properties.
5. In the popup window, clear Validate server certificate, and click Configure.
6. In the popup dialog box, clear Automatically use my Windows logon name and password (and domain if any).
After the user enters username user and password dot1x in the popup dialog box, the client can associate with the AP and access the WLAN.
You can view the online clients on the page you enter by selecting Summary > Client.
Use IMC as a RADIUS server for AAA. On the RADIUS server, configure the client's username as user, password as dot1x, and shared key as expert. The IP address of the RADIUS server is 10.18.1.88.
On the AC, configure the shared key as expert, and configure the AC to remove the domain name of a username before sending it to the RADIUS server. The IP address of the AC is 10.18.1.1.
Configuration procedure
1.
2.
3. Configure AAA:
See "Configure AAA."
4.
5.
6.
7.
8.
b. Click the
c. On the page that appears, select the box of the AP with the radio mode 802.11n(2.4GHz) and click Bind.
Figure 299 Binding an AP radio to a wireless service
9.
2.
3. Click Properties.
The Wireless Network window appears.
4. Click Add.
5. Click the Association tab, and enter dot1x in the Network name (SSID) field. Make sure that you have selected The key is provided for me automatically.
6. On the Authentication tab, select Protected EAP (PEAP) from the EAP type list, and click Properties.
7. In the popup window, clear Validate server certificate, and click Configure.
8. In the popup dialog box, clear Automatically use my Windows logon name and password (and domain if any), and then click OK.
After the user enters username user and password dot1x in the popup dialog box, the client can associate with the AP and access the WLAN.
You can view the online clients on the page you enter by selecting Summary > Client.
Mesh overview
Basic concepts in WLAN mesh
Figure 303 Typical WLAN mesh network
As shown in Figure 303, the concepts involved in WLAN mesh are described below.
Concept / Description
Device that controls and manages all the APs in the WLAN.
Mesh link
High performance/price ratio: In a mesh network, only the MPPs need to connect to a wired network. In this way, the dependency on the wired network is reduced to the minimum extent, and the investment in wired devices, cabling, and installation is also reduced.
Excellent scalability: In a mesh network, the APs can automatically discover each other and initiate wireless link setup. To add new APs to the mesh network, you need only to install these new APs and perform the related configurations.
Fast deployment: Since only the MPPs need to connect to a wired network, WLAN mesh reduces the network deployment time.
Various application scenarios: The mesh network is applicable to enterprise, office, and campus networks, which are common application scenarios of traditional WLANs, and also applicable to large-sized warehouse, port, MAN, railway transportation, and crisis communication networks.
High reliability: In a traditional WLAN, when the wired upstream link of an AP fails, all clients associated with the AP cannot access the WLAN. Comparatively, in a mesh network, all APs are fully meshed. There are multiple available wireless links for a mesh AP to reach a portal node in the wired network, which effectively avoids a single point of failure.
Deployment scenarios
This section includes WLAN mesh deployment scenarios.
Deployment scenarios
Mesh link backhaul deployment is supported. As shown in Figure 307, the MAP is a dual-radio AP, with
one radio for WLAN access and the other for mesh link backhaul. You can configure the MAC address
of the MPP connected to the MAP to establish a mesh link between them.
Figure 307 Mesh link backhaul
1. Select Wireless Service > Mesh Service from the navigation tree.
2.
3. Click Add.
4.
5. Click Apply.
1. Select Wireless Service > Mesh Service from the navigation tree.
2.
3. Click the icon corresponding to the target mesh service to enter the page for configuring mesh service.
4.
5. Click Apply.
Item / Description
Mesh Service
VLAN (Tagged): Enter the ID of the VLAN whose packets are to be sent tagged. VLAN (Tagged) indicates that the port sends the traffic of the VLAN without removing the VLAN tag.
VLAN (Untagged): Enter the ID of the VLAN whose packets are to be sent untagged. VLAN (Untagged) indicates that the port sends the traffic of the VLAN with the VLAN tag removed.
Default VLAN: Set the default VLAN. By default, the default VLAN of all ports is VLAN 1. After you set the new default VLAN, VLAN 1 is the ID of the VLAN whose packets are to be sent untagged.
Exclude VLAN: Remove the IDs of the VLANs whose packets are to be sent untagged and tagged.
Mesh Route
Security Configuration
Pre-shared Key: Pre-shared key, which takes one of the following values:
  Pass Phrase: A string of 8 to 63 characters.
  Raw Key: A valid hexadecimal number of 64 bits.
1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the
3.
4. Click Bind.
1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Mesh Service tab to enter the mesh service configuration page.
3.
4. Click Enable.
1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Mesh Service tab to enter the mesh service configuration page.
3.
Field / Description
Mesh ID
Binding Interface
MKD Service
1. Select Wireless Service > Mesh Service from the navigation tree.
2.
Click the Mesh Service tab to enter the mesh policy configuration page.
3.
Click Add.
4.
5.
Click Apply.
Description
Name of the created mesh policy.
The created mesh policies use the contents of the default mesh policy
default_mp_plcy.
Select Wireless Service > Mesh Service from the navigation tree.
2.
3.
Click the
page.
icon corresponding to the target mesh policy to enter the mesh policy configuration
292
4.
5.
Click Apply.
Mesh Policy
Link establishment
Link hold time: An active link remains up within the link hold time, even if the link switch margin is reached. This mechanism is used to avoid frequent link switch.
Max links: Set the maximum number of links that an MP can form in a mesh network.
IMPORTANT:
When configuring mesh, if the number of mesh links configured on an AP is greater than two, you need to configure the maximum links that an MP can form as needed.
Link formation RSSI/link hold RSSI: Set the link formation/link hold RSSI (received signal strength indicator).
Link switch margin: Set the link switch margin. If the RSSI of the new link is greater than that of the current active link by the link switch margin, active link switch will occur. This mechanism is used to avoid frequent link switch.
Link saturation RSSI: Set link saturation RSSI. This is the upper limit of RSSI on the active link. If the value is reached, the chipset is saturated and link switch will occur.
Role as authenticator
ratemode
MLSP: The Mobile Link Switch Protocol (MLSP) implements high-speed link switch with zero packet loss during train movement (not supported).
Proxy MAC Address: Select the Proxy MAC Address option to specify the MAC address of the peer device.
Proxy VLAN
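The mesh policy link rules above (max links, link formation/hold RSSI, link switch margin, link saturation RSSI, link hold time), as an added example that is not HP's implementation: a decision function an MP could apply to a newly measured candidate link. The meaning of the formation and hold RSSI values is an assumption (a candidate is formed only once it reaches the formation RSSI; an active link below the hold RSSI is replaced), RSSI is in dBm, and all sample values are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Added example, not code from the HP guide. A simplified model of the mesh
# policy link rules described above. Assumptions: a candidate link is formed
# only once its RSSI reaches link_formation_rssi; an active link whose RSSI
# drops below link_hold_rssi is replaced; RSSI is dBm (higher is stronger).


@dataclass
class MeshPolicy:
    max_links: int
    link_formation_rssi: int
    link_hold_rssi: int
    link_switch_margin: int
    link_saturation_rssi: int
    link_hold_time: int          # seconds


@dataclass
class MeshLink:
    peer_mac: str
    rssi: int
    age: int = 0                 # seconds the link has been active


def evaluate_link(policy: MeshPolicy, active: Optional[MeshLink],
                  candidate: MeshLink, active_links: int) -> str:
    """Decide what the MP does with a newly measured candidate link.

    Returns "ignore" (candidate below the formation RSSI), "reject" (max links
    already formed), "form" (no active link, candidate becomes active),
    "switch" (candidate replaces the active link) or "hold" (keep the active link).
    """
    if candidate.rssi < policy.link_formation_rssi:
        return "ignore"
    if active is None:
        return "form" if active_links < policy.max_links else "reject"
    if active.rssi < policy.link_hold_rssi:
        return "switch"                      # active link can no longer be held
    # Saturation: the chipset is saturated at this level, so the link is
    # switched regardless of the switch margin.
    if active.rssi >= policy.link_saturation_rssi:
        return "switch"
    if candidate.rssi > active.rssi + policy.link_switch_margin:
        # Within the hold time the active link stays up even though the switch
        # margin is reached; this is what prevents frequent link switching.
        return "hold" if active.age < policy.link_hold_time else "switch"
    return "hold"


if __name__ == "__main__":
    policy = MeshPolicy(max_links=2, link_formation_rssi=-80, link_hold_rssi=-85,
                        link_switch_margin=5, link_saturation_rssi=-30, link_hold_time=60)
    active = MeshLink("00:11:22:33:44:55", rssi=-70, age=120)   # constructed
    print(evaluate_link(policy, active, MeshLink("66:77:88:99:aa:bb", -60), 1))
```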
1. Select Wireless Service > Mesh Service from the navigation tree.
3. Click the
5. Click Bind.

1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Mesh Policy tab to enter the mesh policy configuration page.

MP Policy Name
Mlsp
Authenticator Role
Max Links
Interval between probe requests sent by a device using this mesh policy.
Link rate-mode

1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Global Setup tab to enter the mesh global setup page.
4. Click Apply.

MKD-ID: Make sure the MAC address configured is unused and has the correct vendor specific part. The MAC address of an AC should not be configured as the MKD ID.
all mesh networks where the working channels of the radios are automatically selected. With auto DFS enabled, an AC makes DFS decisions at the calibrate interval automatically.
1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Global Setup tab to enter the mesh portal service configuration page.
4. Click Enable.

Manual
2. On the page that appears, select a specified channel from the Channel list.
3. Click Apply.
NOTE:
Specify a working channel for the radios of the MAP and MPP. Specify the same working channel for the radio of the MAP and the radio of the MPP.

Auto
Set the working channel mode on the MPP and MAP to auto so that the working channel is automatically negotiated when a WDS link is established between the MPP and MAP.
NOTE:
If you configure the working channel mode of the radios of the MPP and MAP as auto, the automatically selected working channel is a non-radar channel.

Enabling radio
1. Select Radio > Radio from the navigation tree to enter the radio setup page.
3. Click Enable.

1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click
5. Click Apply.

Description: The mesh feature supports three topologies. For more information, see "Deployment scenarios." The mesh feature is implemented through configuration of peer MAC addresses for each AP.
Cost: Sets the STP cost of the mesh link to the peer. If not configured, the STP cost is automatically calculated by STP. You can view the cost of the mesh link on the page shown in Figure 322.
Mesh DFS
Displaying radio information
1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Mesh Channel Optimize tab to enter the mesh optimization tab.
3. Click the specified mesh network, and click the Radio Info tab to enter the page shown in Figure 323 to view radio information.

1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Mesh Channel Optimize tab to enter the mesh optimization tab.
3. Click the mesh network, and then select the Channel Switch Info tab to enter the page shown in Figure 324 to view the channel switching information.
NOTE:
If you select Auto or Close for dynamic channel selection on the Global Setup tab, when you enter the Mesh Channel Optimize page, the Channel Optimize button is grayed out, and you cannot perform the operation.
If you select manual DFS on the Global Setup tab, select mesh networks where DFS will be performed, and then click Channel Optimize to complete DFS. In auto mode, DFS is performed at the calibration interval. In manual mode, DFS is performed one time.

Items: AP, Radio, Chl(After/Before), Date(yyyy-mm-dd), Time(hh:mm:ss)

1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Mesh Link Info tab to enter the mesh link monitoring page.
You can monitor the mesh link status in real-time on the mesh link monitoring page.

1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Mesh Link Test tab to enter the mesh link test page.
4. Click Begin.
Establish a mesh link between the MPP and the MAP by following these steps:
Configure MAP and MPP: Select AP > AP Setup from the navigation tree, and click Add to configure MAP and MPP. For more information, see "Create an MAP and MPP."
Configure mesh service: After creating a mesh service and configuring a pre-shared key, you can bind the mesh service to the AP and enable the mesh service. For more information, see "Create a mesh service."
Configure a mesh policy: A mesh policy exists by default. You can create a mesh policy and bind the mesh policy to an AP. For more information, see "(Optional) Configure a mesh policy."
Mesh global setup: Configure an MKD-ID (which exists by default), and enable mesh portal service for the MPP. For more information, see "Configure mesh service globally."
Configure the same working channel, and enable the radio. For more information, see "Configure the same working channel and enable the radio on the MAP and MPP."
2. Configure 802.11n (5GHz) service on the MAP to enable the client to access the WLAN network.
Configuring the AC
4. (Optional) Configure a mesh policy (by default, the default mesh policy default_mp_plcy already exists.)
NOTE:
A mesh policy exists by default. You can create a mesh policy and bind the mesh policy to an AP as needed. By default, the default_mp_plcy mesh policy is mapped to an AP.
6.
a. (Optional) Select Wireless Service > Mesh Service from the navigation tree, and click the Global Setup tab to enter the mesh global setup page to set the MKD-ID (By default, the MKD-ID exists.)
b. Select the MPP that has wired connectivity with the AC to enable mesh portal service.
c. Click Enable.
Figure 333 Configuring mesh portal service
7. Configure the same working channel and enable the radio on the MAP and MPP:
a. Select Radio > Radio from the navigation tree.
b. Click the icon corresponding to the target MAP to enter the radio setup page.
Enable radio:
a. Select Radio > Radio from the navigation tree.
b. Select the radio modes to be enabled for the MAP and MPP.
c. Click Enable.
The mesh link between the MAP and the MPP has been established, and they can ping each other. After 802.11n(2.4GHz) is configured on the MAP, the client can access the network through the mesh link.
As shown in Figure 336, establish an 802.11n (5Ghz) mesh link between the MAP and MPP. The working channel is automatically selected.
Enable one-time DFS. After that, the AC performs DFS for the radios when certain trigger conditions are met on the channel.
Configuration guidelines
The mesh configuration in this example is similar to a common wireless mesh configuration. Note the following guidelines:
Configure the working channel mode of the radios that provide mesh services as auto.
Do not configure any wireless service on radios that provide mesh services.
Configuration procedure
The mesh configuration is the same as the normal WLAN mesh configuration. For configuration procedures, see "WLAN mesh configuration example." Perform the following operations after completing mesh configuration:

1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Mesh Channel Optimize tab to enter the Mesh Channel Optimize tab.

3. Click Apply.

Items: Service, IP Type, Source Address, Auth Mode, Auth Key

3. Click Add.
4. Click Apply.

IP Address: Add the IP address of an AC to a roaming group.
IMPORTANT:
When you configure a roaming group, the roaming group name configured for the ACs in the same roaming group must be the same.
VLAN: Configure the VLAN to which the roaming group member belongs.
NOTE:
The user profile configurations of the ACs in a roaming group must be the same. For more information, see "Managing users."
The ACs in a roaming group cannot be configured as hot backup ACs.

2. View the detailed information and roaming information of the client by clicking a target client. For more information, see "Summary."
Configuration guidelines
When you configure intra-AC roaming, the SSIDs of the two APs must be the same. The same wireless service must be bound to the radios of the two APs in Bind AP radios to the wireless service.
Configuring the AC
If remote authentication is required in the authentication mode you select, configure the RADIUS server. For information about how to configure the RADIUS server, see "Configuring AAA."
NOTE:
For information about how to configure the authentication mode, see "Configuring access services." However, fast roaming can be implemented only when the RSN+802.1X authentication mode is adopted.
4.
a. Select Wireless Service > Access Service from the navigation tree.
b. Click the icon to the right of the wireless service Roam to enter the page for binding AP radio.
c. Select the box before ap1 with radio type 802.11n(2.4GHz), and the box before ap2 with radio type 802.11n(2.4GHz).
d. Click Bind.
Figure 345 Binding AP radios
Configuration guidelines
Follow these guidelines when you configure inter-AC roaming:
The SSIDs and the authentication and encryption modes of two APs should be the same.
Configuring AC 1 and AC 2
If remote authentication is required in the authentication mode you select, configure the RADIUS server. For information about how to configure the RADIUS server, see "Configuring AAA."
NOTE:
For the configuration of authentication mode, see "Configuring access services." Fast roaming supporting key caching can be implemented only when RSN+802.1X authentication is adopted.

3. View connection information about the client that is associated with the AP, and the Roam Status field in the client detailed information:
a. Before roaming, select Summary > Client from the navigation tree on AC 1. You can see that the client is associated with AP 1.
b. After roaming, select Summary > Client from the navigation tree on AC 1. The client has roamed from AP 1 to AP 2, so no client information is displayed on the page.
c. Select Summary > Client from the navigation tree on AC 2. You can view the client information.
d. Select the Detail Information tab, and then click the desired client. Inter-AC roam association appears in the Roam Status field. This indicates that the client has roamed to AP 2.
Figure 356 Verifying inter-AC roaming
4.
b. Select Summary > Client from the navigation tree on AC 2, select the Detail Information tab, and click the desired client to view the roaming information of the client.
The roaming information in Figure 358 shows that the client connects to the WLAN through AP 2, and the BSSID of AP 2 is 984b-e122-1410.
Figure 358 Client status after intra-AC roaming
Retransmission: APs retransmit data if they do not receive ACK messages from the AC.
Radar signal detected on a working channel: The AC immediately notifies the AP to change its working channel.
If the first three conditions are met, the AC calculates the channel quality. The AP does not use the new channel until the channel quality difference between the new and old channels exceeds the tolerance level.
As shown in Figure 361, when AP 3 fails or goes offline, the other APs increase their transmission power to cover the signal blackhole.
Spectrum analysis
WLAN systems operate on shared bands. Many devices, such as microwave ovens, cordless phones, and Bluetooth devices also operate on these bands and can negatively affect the WLAN systems. The spectrum analysis feature is designed to solve this problem. Spectrum analysis delivers the following functions:
Calculates the number of interferences on each channel and average and worst channel quality, and provides channel quality reports.
The AP collects Fast Fourier Transform (FFT) data, including frequency, FFT power, maximum power, and FFT duty cycle, and sends the data to the NMS through the AC.
With RRM collaboration enabled, if the detected channel quality is lower than the threshold, the AC automatically adjusts the working channel upon detecting a channel with a higher quality.
Administrators can view the interference information on the AC, or view real-time spectrum analysis data on the NMS to locate and remove the interferences.
For more information about WIDS, see "Configuring WLAN security."
Configuring radios
Configuring radio parameters
2. Click the
Items: AP Name, Radio Unit, Radio Mode, Transmit Power
Channel: Specify the working channel of the radio, which varies with radio types and country/region codes. The working channel list varies with device models.
auto: The working channel is automatically selected. If you select this mode, the AP checks the channel quality in the WLAN network, and selects the channel of the best quality as its working channel.
If you modify the working channel configuration, the transmit power is automatically adjusted.
802.11n bandwidth mode
Auto-switch
MIMO
Green Energy Management: Select this option to enable energy saving. The function is disabled by default.
IMPORTANT:
When this function is enabled, an AP automatically changes the MIMO of its radio to 1X1 if no clients are associated with the radio.
client dot11n-only: If you select the client dot11n-only option, non-802.11n clients are prohibited from access. If you want to provide access for all 802.11a/b/g clients, you must disable this function.
A-MSDU: Select the A-MSDU option to enable A-MSDU. Multiple MAC Service Data Units (MSDU) can be aggregated into a single A-MSDU. This reduces the MAC header overhead and thus improves MAC layer forwarding efficiency. At present, only A-MSDUs can be received.
IMPORTANT:
When 802.11n radios are used in a mesh WLAN, ensure that they have the same A-MSDU configuration.
A-MPDU: Select the A-MPDU option to enable A-MPDU. 802.11n introduces the A-MPDU frame format. By using only one PHY header, each A-MPDU can accommodate multiple Message Protocol Data Units (MPDUs) which have their PHY headers removed. This reduces the overhead in transmission and the number of ACK frames to be used, and thus improves network throughput.
IMPORTANT:
When 802.11n radios are used in a mesh WLAN, ensure that they have the same A-MPDU configuration.
short GI: Select short GI to enable short GI. The 802.11a/g GI is 800ns. You can configure a short GI, 400 ns for 802.11n. The short GI increases the throughput by 10 percent.
6. Click Apply.
Preamble: Preamble is a pattern of bits at the beginning of a frame so that the receiver can sync up and be ready for the real data.
point and some legacy client devices. Therefore, you can select this option to make legacy client devices support short preamble.
ANI: Adaptive Noise Immunity (ANI). After the ANI function is enabled, the device automatically adjusts the noise immunity level according to the surrounding signal environment to eliminate RF interference.
Enable: Enable ANI.
Disable: Disable ANI.
Fragment Threshold: Specify the maximum length of frames that can be transmitted without fragmentation. When the length of a frame exceeds the specified fragment threshold value, it is fragmented. In a wireless network where error rate is high, you can decrease the
Beacon Interval: Interval for sending beacon frames. Beacon frames are transmitted at a regular interval to allow mobile clients to join the network. Beacon frames are used for a client to identify nearby APs or network control devices.
RTS (CTS): There are two data collision avoidance mechanisms, RTS/CTS and CTS-to-self.
DTIM Period
Number of retransmission attempts for unicast frames larger than the RTS/CTS threshold.
Interval for which a frame received by an AP can stay in the buffer memory.

Enabling a radio
1. Select Radio > Radio from the navigation tree to enter the radio setup page.
3. Click Enable.

1. Select Radio > Radio from the navigation tree to enter the page shown in Figure 365.
When the AC detects any radar signals, it immediately selects another channel even if the current channel is locked, and then locks the new channel.
If you lock the current channel first, and then enable channel adjustment, channel adjustment does not work because the current channel is locked. Therefore, before enabling channel adjustment, make sure that the current channel is not locked. If you enable channel adjustment and then lock the current channel, the last selected channel is locked. For information about channel adjustment, see "Dynamic frequency selection." For more information about channel adjustment configuration, see "Setting parameters."

1. Select Radio > Radio from the navigation tree to enter the page shown in Figure 366.

1. Select Radio > Rate from the navigation tree to enter the rate setting page.
3. Click Apply.
802.11a: Configure rates (in Mbps) for 802.11a. By default:
of multicasts in a BSS is selected from the mandatory rates supported by all the clients.
of multicasts in a BSS is selected from the mandatory rates supported by all the clients.
802.11g: Configure rates (in Mbps) for 802.11g. By default:
of multicasts in a BSS is selected from the mandatory rates supported by all the clients.
802.11n data rates (Mbps), 20 MHz
MCS index | Number of spatial streams | Modulation | 800ns GI | 400ns GI
0  | 1 | BPSK   | 6.5   | 7.2
1  | 1 | QPSK   | 13.0  | 14.4
2  | 1 | QPSK   | 19.5  | 21.7
3  | 1 | 16-QAM | 26.0  | 28.9
4  | 1 | 16-QAM | 39.0  | 43.3
5  | 1 | 64-QAM | 52.0  | 57.8
6  | 1 | 64-QAM | 58.5  | 65.0
7  | 1 | 64-QAM | 65.0  | 72.2
8  | 2 | BPSK   | 13.0  | 14.4
9  | 2 | QPSK   | 26.0  | 28.9
10 | 2 | QPSK   | 39.0  | 43.3
11 | 2 | 16-QAM | 52.0  | 57.8
12 | 2 | 16-QAM | 78.0  | 86.7
13 | 2 | 64-QAM | 104.0 | 115.6
14 | 2 | 64-QAM | 117.0 | 130.0
15 | 2 | 64-QAM | 130.0 | 144.4

802.11n data rates (Mbps), 40 MHz
MCS index | Number of spatial streams | Modulation | 800ns GI | 400ns GI
0  | 1 | BPSK   | 13.5  | 15.0
1  | 1 | QPSK   | 27.0  | 30.0
2  | 1 | QPSK   | 40.5  | 45.0
3  | 1 | 16-QAM | 54.0  | 60.0
4  | 1 | 16-QAM | 81.0  | 90.0
5  | 1 | 64-QAM | 108.0 | 120.0
6  | 1 | 64-QAM | 121.5 | 135.0
7  | 1 | 64-QAM | 135.0 | 150.0
8  | 2 | BPSK   | 27.0  | 30.0
9  | 2 | QPSK   | 54.0  | 60.0
10 | 2 | QPSK   | 81.0  | 90.0
11 | 2 | 16-QAM | 108.0 | 120.0
12 | 2 | 16-QAM | 162.0 | 180.0
13 | 2 | 64-QAM | 216.0 | 240.0
14 | 2 | 64-QAM | 243.0 | 270.0
15 | 2 | 64-QAM | 270.0 | 300.0
For example, if you specify the maximum MCS index as 5 for mandatory rates, rates corresponding to MCS indexes 0 through 5 are configured as 802.11n mandatory rates.
Mandatory rates must be supported by the AP and the clients that want to associate with the AP.
Supported rates allow some clients that support both mandatory and supported rates to choose higher rates when communicating with the AP.

1. Select Radio > Rate from the navigation tree to enter the rate setting page.
3. Click Apply.

Mandatory Maximum MCS: Set the maximum MCS index for 802.11n mandatory rates.
IMPORTANT:
If you select the client dot11n-only option, you must configure the mandatory maximum MCS.
Multicast MCS: Set the multicast MCS for 802.11n. The multicast MCS is adopted only when all the clients use 802.11n. If a non 802.11n client exists, multicast traffic is transmitted at a mandatory MCS data rate.
IMPORTANT:
If you configure a multicast MCS index greater than the maximum MCS index supported by the radio, the maximum MCS index is adopted.
When the multicast MCS takes effect, the corresponding data rates defined for 20 MHz are adopted no matter whether the 802.11n radio operates in 40 MHz mode or in 20 MHz mode.
NOTE:
When 802.11n radios are used in a mesh WLAN, make sure that they have the same MCS configuration.
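The MCS rate tables, the mandatory-rate rule (MCS 0 through the configured maximum) and the multicast MCS rules above, as an added example that is not code from the HP guide: it recomputes every MCS 0-15 rate from the 802.11n PHY parameters and applies the rules. It assumes the standard 802.11n numbers (52 data subcarriers at 20 MHz, 108 at 40 MHz, 4.0 us symbol with the 800 ns GI and 3.6 us with the 400 ns GI) and, where a non-802.11n client forces "a mandatory MCS", takes the highest mandatory MCS.

```python
from fractions import Fraction
from typing import List, Tuple

# Added example, not code from the HP guide. Recomputes the 802.11n MCS 0-15
# rates of the 20 MHz and 40 MHz tables above, then applies the mandatory
# rate and multicast MCS rules. Assumption: standard 802.11n PHY parameters.

# Per-stream scheme for MCS index mod 8: (modulation, coding rate, coded bits
# per subcarrier). MCS 8-15 reuse the scheme with two spatial streams.
_MCS_SCHEME = [
    ("BPSK",   Fraction(1, 2), 1),
    ("QPSK",   Fraction(1, 2), 2),
    ("QPSK",   Fraction(3, 4), 2),
    ("16-QAM", Fraction(1, 2), 4),
    ("16-QAM", Fraction(3, 4), 4),
    ("64-QAM", Fraction(2, 3), 6),
    ("64-QAM", Fraction(3, 4), 6),
    ("64-QAM", Fraction(5, 6), 6),
]
_DATA_SUBCARRIERS = {20: 52, 40: 108}          # per bandwidth in MHz
_SYMBOL_US = {800: Fraction(4), 400: Fraction(36, 10)}   # per GI in ns


def mcs_rate(mcs: int, bandwidth_mhz: int = 20, gi_ns: int = 800) -> float:
    """Data rate in Mbps for one MCS index, rounded to 0.1 as in the tables."""
    if not 0 <= mcs <= 15:
        raise ValueError("MCS index must be 0..15")
    _, coding_rate, bits_per_subcarrier = _MCS_SCHEME[mcs % 8]
    streams = 1 + mcs // 8
    data_bits_per_symbol = (streams * bits_per_subcarrier * coding_rate
                            * _DATA_SUBCARRIERS[bandwidth_mhz])
    return round(float(data_bits_per_symbol / _SYMBOL_US[gi_ns]), 1)


def rate_table(bandwidth_mhz: int) -> List[Tuple[int, int, str, float, float]]:
    """Rows of (MCS, spatial streams, modulation, 800 ns GI rate, 400 ns GI rate)."""
    return [(m, 1 + m // 8, _MCS_SCHEME[m % 8][0],
             mcs_rate(m, bandwidth_mhz, 800), mcs_rate(m, bandwidth_mhz, 400))
            for m in range(16)]


def mandatory_rates(max_mandatory_mcs: int, bandwidth_mhz: int = 20,
                    gi_ns: int = 800) -> List[float]:
    """Rates for MCS 0..max_mandatory_mcs; every associating client must support them."""
    return [mcs_rate(m, bandwidth_mhz, gi_ns) for m in range(max_mandatory_mcs + 1)]


def multicast_rate(configured_mcs: int, radio_max_mcs: int,
                   all_clients_11n: bool, max_mandatory_mcs: int) -> Tuple[int, float]:
    """(MCS used, rate in Mbps) for multicast frames.

    The multicast MCS applies only when every client is 802.11n; otherwise a
    mandatory MCS is used (the highest one: an assumption, the guide only says
    "a mandatory MCS"). A configured index above the radio maximum is clamped,
    and the 20 MHz rates apply whatever bandwidth mode the radio runs in
    (800 ns GI assumed).
    """
    mcs = max_mandatory_mcs if not all_clients_11n else min(configured_mcs, radio_max_mcs)
    return mcs, mcs_rate(mcs, 20, 800)


if __name__ == "__main__":
    for row in rate_table(40):
        print("MCS %2d  %d ss  %-6s  %6.1f  %6.1f" % row)
```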
1. Select Radio > Channel Scan from the navigation tree to enter the page for setting channel scanning.
3. Click Apply.

Scan Mode: Set the scan mode.
Scan Type: If you set active scanning for the AP, it is more likely to discover devices in the WLAN.
Scan Interval: Set the scan report interval. If an AP has the monitoring function, the scan report interval will affect whether the scanning results can be processed in time and the frequency of message exchanges. Therefore, you need to set the interval properly according to the actual network conditions.
5GHz Excluded Channel/2.4GHz Excluded Channel: To avoid selecting improper channels, you can exclude specific channels from automatic channel selection. The excluded channels will not be available for initial automatic channel selection, DFS, and mesh DFS. This feature does not affect rogue detection and WIDS.
Select a channel and add it to the 5GHz Excluded Channel or 2.4GHz Excluded Channel.
By default, no channels exist in the 5GHz Excluded Channel or 2.4GHz Excluded Channel.
IMPORTANT:
The channel exclusion list is not restricted by the country/region code. You can add channels not supported by the country/region code to the list, and changing the country/region code does not change the channel list. The device will select an available channel from the channels supported by the country/region code and not in the channel exclusion list. When you configure this feature, do not add all channels supported by the country/region code to the channel exclusion list.
This feature takes effect only for initial automatic channel selection, DFS, and mesh DFS.
If you add an automatically selected channel into the channel exclusion list, the AC disables the radio, enables the radio, and then selects an available channel from the channels supported by the country/region code and not in the channel exclusion list.
exclusion list, the AC selects another available primary channel. If you add a secondary channel into the channel exclusion list in this case, the AC selects another secondary channel. If the AP cannot find an available secondary channel, no channels are available for the wireless, mesh, and WDS services.
Configuring calibration
Setting parameters
4. Click Apply.
NOTE:
Channel switching results in temporary service interruption, so use the dynamic channel adjustment function with caution.
Table 112 Configuration items
Basic Setup
Calibration Interval
802.11g Protection Mode: RTS/CTS: Use RTS/CTS mode to implement 802.11g protection. Before
802.11n Protection Mode: or non 802.11n clients exist within the coverage of the AP, you need to enable 802.11n protection.
Channel Setup
Before configuring channel adjustment, make sure the AC adopts the auto channel adjustment mode (for more information, see "Configuring radio parameters."). Otherwise, channel adjustment does not work.
If you lock the channel first, and then enable channel adjustment (by selecting Dynamic Channel Select), channel adjustment does not work because the channel is locked. Before enabling channel adjustment, make sure that the channel is not locked.
If you enable channel adjustment and then lock the channel, the last selected channel is locked.
For information about how to lock the channel, see "Locking the channel."
Dynamic Channel Select:
Close: Disables the DFS function.
Auto: With auto DFS enabled, an AC performs DFS for a radio when certain trigger conditions are met on the channel, and returns the result to the AP after a calibration interval (the default calibration interval is 8 minutes, which can be set through the Calibration Interval option). After that, the AC will make DFS decisions at the calibration interval automatically.
for the radio when certain trigger conditions are met on the channel, and returns the result to the AP after a calibration interval. After that, if you want the AC to perform DFS for the radio, you have to make this configuration again.
IMPORTANT:
If you select the manual mode, click Calibration on the Calibration page every time you perform channel calibration.
CRC Error Threshold / Channel Interference Threshold / Tolerance Factor: A new channel is selected when either the configured CRC error threshold or interference threshold is exceeded on the current channel. However, the new channel is not applied until the quality of the current channel is worse than that of the new channel by the tolerance threshold.
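The DFS decision described above (CRC error threshold, interference threshold, tolerance factor), combined with the candidate-channel rule from the channel exclusion section (channels supported by the country/region code and not in the exclusion list), the locked-channel rule and the radar rule, as an added example that is not HP's implementation. It assumes channel quality is a score where higher is better; the thresholds and measurements are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Added example, not code from the HP guide. Models one DFS decision as the
# guide describes it. Assumption: channel quality is a score, higher is
# better; every threshold and measurement below is constructed.


@dataclass
class Thresholds:
    crc_error_percent: float
    interference_percent: float
    tolerance: float             # quality gap the new channel must exceed


@dataclass
class ChannelMetrics:
    crc_error_percent: float
    interference_percent: float
    radar_detected: bool = False


def candidate_channels(country_channels: Iterable[int], excluded: Iterable[int],
                       current: int) -> List[int]:
    """Channels the AC may pick: supported by the country/region code, not in
    the exclusion list, and not the current one. Excluding every supported
    channel leaves nothing to switch to, which is why the guide warns against it."""
    excluded = set(excluded)
    return [c for c in country_channels if c not in excluded and c != current]


def dfs_decision(current: int, metrics: ChannelMetrics, thresholds: Thresholds,
                 country_channels: Iterable[int], excluded: Iterable[int],
                 quality: Dict[int, float], locked: bool = False) -> Optional[int]:
    """Return the channel to move to, or None to stay on the current one."""
    candidates = candidate_channels(country_channels, excluded, current)
    if not candidates:
        return None
    best = max(candidates, key=lambda c: quality.get(c, 0.0))
    if metrics.radar_detected:
        # Radar forces an immediate change even if the channel is locked.
        return best
    if locked:
        return None          # channel adjustment does not work on a locked channel
    triggered = (metrics.crc_error_percent > thresholds.crc_error_percent
                 or metrics.interference_percent > thresholds.interference_percent)
    if not triggered:
        return None
    # The new channel is applied only when the current channel is worse than
    # the new one by more than the tolerance, so borderline gains are ignored.
    if quality.get(best, 0.0) - quality.get(current, 0.0) > thresholds.tolerance:
        return best
    return None


if __name__ == "__main__":
    th = Thresholds(crc_error_percent=20, interference_percent=30, tolerance=10)
    quality = {1: 40.0, 6: 70.0, 11: 55.0}          # constructed quality scores
    print(dfs_decision(1, ChannelMetrics(25, 10), th, [1, 6, 11], [6], quality))
```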
Spectrum Management
Power Setup
If you lock the power first, and then enable power adjustment (by selecting Dynamic Channel Select), power adjustment does not work because the power is locked. Therefore, before enabling power adjustment, make sure that the power is not locked.
If you enable power adjustment and then lock the power, the last selected power is locked.
For information about how to lock the power, see "Locking the power."
Dynamic Power Select:
Close: Disables transmit power control (TPC).
Auto: With auto TPC enabled, the AC performs TPC for an AP upon
If you select the manual mode, click Calibration on the Calibration page every time you perform channel calibration.
Max Neighbor Count: Specify the maximum number of neighbors, which are managed by the same AC.
Power Constraint: Set the power constraint for all 802.11a radios. After power constraint is set, the transmission power of a client is the current transmission power minus the configured power constraint value.
IMPORTANT:
Enable spectrum management before configuring the power constraint; otherwise, the configuration does not take effect.
3. Click Add.
The Radio Group page appears.
5. Click Apply.

Group ID
Description
Channel Holddown Interval
Power Holddown Interval
Radio List: Select the target radios from the Radios Available area, and then click << to add them. Select the radios to be removed from the Radios Selected area, and then click >> to remove them from the radio group.

Calibration operations
If RRM is not enabled, or the radio to be displayed works on a fixed channel, you can only view the work channel and the power of the radio on the Operations tab in the Radio > Calibration page. Other information such as interference observed and the number of neighbors is displayed when RRM is enabled, that is, dynamic power selection or automatic dynamic frequency selection is enabled. For the configuration of RRM parameters, see "Setting parameters."
3. Click the desired radio to enter the page for displaying channel status.
Channel NO: Running channel.
Neighbor Num
Load (%)
Utilization (%): Channel utilization.
Interference (%)
Radar Detect

3. Click the desired radio to enter the page for displaying neighbor information.
AP MAC Address
Channel No: Running channel.
Interference (%)
RSSI (dBm)
AP Type

3. Click the desired radio to enter the page for displaying neighbor information.
Radio
Basic BSSID
Chl: Channel on which the radio operates in case of the change of channel or power.
Power
Load: Load observed on the radio in percentage in case of the change of channel or power.
Util
Intf: Interference observed on the radio in percentage in case of the change of channel or power.
PER
Retry
Reason: Reason for the change of channel or power, such as Interference, packets discarded, retransmission, radar or coverage.
Date
Time

Selecting an antenna
1. Select Radio > Antenna Switch to select an appropriate antenna for the corresponding radio.
2. Select either Internal Antenna or User-Default external antenna for a specific radio from the Antenna list.
3. Click Apply.
When operating in normal mode, an AP can only detect interference devices and channel quality, and collect FFT data for its working channel.
When operating in monitor or hybrid mode, the channels that an AP can detect depend on the scan channel command. If you configure the scan channel auto command, the AP detects interference devices and channel quality, and collects FFT data for the channels supported by the country code. If you configure the scan channel all command, the AP detects interference devices and channel quality, and collects FFT data for all channels.
HP recommends that you enable spectrum analysis for APs operating in monitor or hybrid mode.
For information about how to configure the operating mode for an AP, see "Configuring WLAN IDS."

Spectrum Analysis: Enable spectrum analysis on a radio.
IMPORTANT:
Spectrum analysis takes effect only when enabled both globally and on a radio.
Device Types to Detect: To add a device type to the Device Types area, select a device type in the Device
To remove a device type from the Device Types area, select a device type in this area, and click >>.
By default, all device types in the Device Types to Detect area are detected.
Sensitivity Threshold
Channel Quality Trap:
Enable: The AC sends SNMP traps to the NMS when the channel quality is lower than the threshold.
Disable: The AC does not send SNMP traps to the NMS when the channel quality is lower than the threshold.
By default, the AC sends SNMP traps to the NMS when the channel quality is lower than the threshold.
Trap Threshold
Interference Trap:
Disable: The AC does not send SNMP traps to the NMS when an interference device is detected.
By default, the AC sends SNMP traps to the NMS when an interference device is detected.
Trap on Device Types: Configure the AC to send SNMP traps to the NMS when a specified interference device is detected.
To add a device type to the Device Types area, select a device type in the Trap on Device Types area, and click <<.
To remove a device type from the Device Types area, select a device type in this area, and click >>.
By default, all device types in the Trap on Device Types area are detected.
IMPORTANT:
Before using this function, you must select the target devices in the Devices Types to Detect area. Otherwise, interference device trap does not take effect.

2. Click Radio.
4. Click Enable.

Severity Index: Interference severity level in the range of 1 to 100. A greater value indicates a stronger interference.
Duty Cycle(%)
Signal Strength
2.
Configuration guidelines
If you select manual channel adjustment, click Channel Optimize on the Operation tab every time you
perform manual channel adjustment.
Configuration procedure
1.
2.
350
3.
351
You can view the channel status on the Operation tab you enter by selecting Radio > Calibration
from the navigation tree.
After you perform manual channel calibration, the AC informs the adjusted channel to the AP after
a calibration interval.
You can view the detailed information, such as the specific reason for channel adjustment on the
History Info tab you enter by selecting Radio > Calibration from the navigation tree, clicking
Operation, and then clicking History Info.
352
Configuration procedure
1.
2.
You can view the power of each AP on the Operation tab you enter by selecting Radio > Calibration
from the navigation tree.
353
When AP 4 joins (the adjacency number becomes 3), the maximum number of neighbors reaches
the upper limit (3 by default), and the AC performs power adjustment after the calibration interval.
You can view the detailed information, such as decrease of the Tx power value, on the History Info
tab you enter by selecting Radio > Calibration from the navigation tree, selecting the Operation tab,
and then selecting History Info.
Configure automatic channel adjustment so that the AC can automatically switch the channel when
the signal quality on a channel is degraded to a certain level.
Configure automatic power adjustment so that the AC can automatically adjust the power when the
third neighbor is discovered (or in other words, when AP 4 joins) to avoid interference.
Add radio 2 of AP 1 and radio 2 of AP 2 to a radio group to prevent frequent channel or power
adjustments for the radios.
Configuration procedure
1.
2.
354
3.
355
The working channel of radio 2 of AP 1 and that of radio 2 of AP 2 do not change within 20
minutes after each automatic channel adjustment.
The power of radio 2 of AP 1 and that of radio 2 of AP 2 do not change within 30 minutes after
each automatic power adjustment.
(Network diagram: Client, AP 1, AP 2, AC, Switch, microwave oven, Bluetooth device)
Configuration procedure
1. Configure AP 1 to operate in normal mode. For more information, see "Configuring WLAN access."
2. Configure AP 2 to operate in monitor mode. For more information, see "Configuring WLAN security."
3. Select Radio > Spectrum Analysis from the navigation tree, and click Interference Info to display information about the non-802.11 interference sources detected by AP 2.
4. Select Radio > Spectrum Analysis from the navigation tree, and click Channel Quality Info to display the channel quality information detected by AP 2.
Configuring 802.1X
802.1X is a port-based network access control protocol initially proposed by the IEEE 802 LAN/WAN
committee for the security of wireless LANs (WLANs). It has been widely used on Ethernet networks for
access control.
802.1X controls network access by authenticating the devices connected to 802.1X-enabled LAN ports.
You can also configure the port security feature to perform 802.1X. Port security combines and extends
802.1X and MAC authentication. It applies to a network, a WLAN, for example, that requires different
authentication methods for different users on a port. Port security is beyond the scope of this chapter. It
is described in Security Configuration Guide for the product.
Overview
802.1X architecture
802.1X operates in the client/server model. It has three entities: the client (supplicant), the network
access device (authenticator), and the authentication server, as shown in Figure 391.
Figure 391 802.1X architecture (figure: Client, Device, Authentication server)
Client: A user terminal seeking access to the LAN. It must have 802.1X client software to authenticate to the network access device.
Network access device: Authenticates the client to control access to the LAN. In a typical 802.1X environment, the network access device uses an authentication server to perform authentication.
Authentication server: Provides authentication services for the network access device. The authentication server authenticates 802.1X clients by using the data sent from the network access device, and returns the authentication results for the network access device to make access decisions. The authentication server is typically a RADIUS server. In a small LAN, you can also use the network access device as the authentication server.
For more information about the 802.1X protocol, see HP WX Series Access Controllers Security
Configuration Guide.
Port-based access control: Once an 802.1X user passes authentication on a port, any subsequent user can access the network through the port without authentication. When the authenticated user logs off, all other users are logged off as well.
MAC-based access control: Each user is authenticated separately on a port. When a user logs off, no other online users are affected.
802.1X timers
This section describes the timers used on an 802.1X device to guarantee that the client, the device, and
the RADIUS server can interact with each other properly.
Username request timeout timer: Starts when the device sends an EAP-Request/Identity packet to a client in response to an authentication request. If the device receives no response before this timer expires, it retransmits the request. The timer also sets the interval at which the network access device sends multicast EAP-Request/Identity packets to detect clients that cannot actively request authentication.
Client timeout timer: Starts when the access device sends an EAP-Request/MD5 Challenge packet to a client. If no response is received when this timer expires, the access device retransmits the request to the client.
Server timeout timer: Starts when the access device sends a RADIUS Access-Request packet to the authentication server. If no response is received when this timer expires, the access device retransmits the request to the server.
Handshake timer: Sets the interval at which the access device sends client handshake requests to check the online status of a client that has passed authentication. If the device receives no response after sending the maximum number of handshake requests, it considers that the client has logged off. For information about how to enable the online user handshake function, see "Configuring 802.1X on a port."
Quiet timer: Starts when a client fails 802.1X authentication. The access device does not process any further authentication request from that client until this timer expires, which limits how quickly a client can retry after a failed attempt.
Periodic online user re-authentication timer: Sets the interval at which the network access device periodically re-authenticates online 802.1X users. For information about how to enable periodic online user re-authentication on a port, see "Configuring 802.1X on a port."
Configuration prerequisites
Configure an ISP domain and AAA scheme (local or RADIUS authentication) for 802.1X users. For
more information, see "Configuring AAA" and "Configuring RADIUS."
If you use RADIUS authentication, create user accounts on the RADIUS server.
If you use local authentication, create local user accounts on the access device and specify the LAN
access service for those accounts.
If you want to use EAP relay when the RADIUS server does not support any EAP authentication
method or no RADIUS server is available, configure the EAP server function on your network access
device.
NOTE:
Configure 802.1X on a wired port. Wireless ports support only the port security feature, and the port
security is enabled by default on the wireless ports.
Configuration procedure
Select an authentication method for 802.1X users. Options include CHAP, PAP, and EAP.
CHAP: Sets the access device to perform EAP termination and use CHAP to communicate with the RADIUS server.
PAP: Sets the access device to perform EAP termination and use PAP to communicate with the RADIUS server.
EAP: Sets the access device to relay EAP packets, and supports any of the EAP authentication methods to communicate with the RADIUS server.
When you choose between EAP relay and EAP termination, consider the authentication methods supported by the 802.1X client and the RADIUS server:
If the client uses only MD5-Challenge EAP authentication or the "username + password" EAP authentication initiated by an HP iNode 802.1X client, you can use either EAP termination or EAP relay.
To use EAP-TLS, PEAP, or any other EAP authentication method, you must use EAP relay.
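The following Python script is an added example, not code from this guide or from HP, showing why the CHAP and PAP options work only with MD5-Challenge while EAP-TLS and PEAP need EAP relay. EAP-MD5 and CHAP compute the same hash, MD5(Identifier || password || challenge), so the access device can terminate the EAP exchange and repackage the client's response as RADIUS CHAP-Password and CHAP-Challenge attributes; any other method is relayed untouched inside EAP-Message attributes. The username, password, challenge bytes and packets below are constructed for the example, and the function names are this example's own; the attribute and EAP type numbers are the standard RFC 2865, RFC 3579 and RFC 3748 values.

```python
import hashlib
import hmac

# RADIUS attribute types used below (RFC 2865, RFC 2869, RFC 3579)
ATTR_USER_NAME = 1
ATTR_CHAP_PASSWORD = 3
ATTR_CHAP_CHALLENGE = 60
ATTR_EAP_MESSAGE = 79

EAP_CODE_RESPONSE = 2
EAP_TYPE_MD5_CHALLENGE = 4
EAP_TYPE_TLS = 13
EAP_TYPE_PEAP = 25
EAP_MESSAGE_MAX = 253          # maximum payload of one EAP-Message attribute


def md5_challenge_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """EAP-MD5 (RFC 3748 5.4) and CHAP (RFC 1994) compute the same value:
    MD5(Identifier || secret || challenge). That equality is what lets the
    access device terminate EAP-MD5 and talk CHAP to the RADIUS server."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def build_eap_md5_response(identifier: int, response: bytes, name: bytes = b"") -> bytes:
    """Client side: EAP-Response/MD5-Challenge = Code, Identifier, Length,
    Type, Value-Size, Value, Name."""
    body = bytes([EAP_TYPE_MD5_CHALLENGE, len(response)]) + response + name
    return bytes([EAP_CODE_RESPONSE, identifier]) + (4 + len(body)).to_bytes(2, "big") + body


def can_terminate(eap_type: int) -> bool:
    """Only MD5-Challenge can be terminated on the access device. EAP-TLS, PEAP
    and the other methods run end to end between client and server, so the
    device can only relay them."""
    return eap_type == EAP_TYPE_MD5_CHALLENGE


def nas_handle_eap_response(pkt: bytes, username: str, challenge: bytes) -> tuple:
    """Access device side. Returns ("CHAP", attrs) when it terminates EAP and
    ("EAP", attrs) when it relays; attrs are the RADIUS Access-Request attributes."""
    if len(pkt) < 5 or pkt[0] != EAP_CODE_RESPONSE or int.from_bytes(pkt[2:4], "big") != len(pkt):
        raise ValueError("malformed EAP response")
    identifier, eap_type = pkt[1], pkt[4]
    if can_terminate(eap_type):
        if len(pkt) < 22 or pkt[5] != 16:
            raise ValueError("MD5-Challenge value must be 16 bytes")
        value = pkt[6:22]
        # EAP termination: CHAP-Password = CHAP Ident || response, and the
        # challenge the device issued goes into CHAP-Challenge
        return "CHAP", {
            ATTR_USER_NAME: username.encode(),
            ATTR_CHAP_PASSWORD: bytes([identifier]) + value,
            ATTR_CHAP_CHALLENGE: challenge,
        }
    # EAP relay: the whole EAP packet is carried untouched in EAP-Message attributes
    chunks = [pkt[i:i + EAP_MESSAGE_MAX] for i in range(0, len(pkt), EAP_MESSAGE_MAX)]
    return "EAP", {ATTR_USER_NAME: username.encode(), ATTR_EAP_MESSAGE: chunks}


def radius_chap_verify(attrs: dict, user_db: dict) -> bool:
    """Server side of CHAP: recompute the hash from the stored clear-text
    password. CHAP cannot verify against a hashed password on the server."""
    secret = user_db.get(attrs[ATTR_USER_NAME].decode())
    if secret is None:
        return False
    chap_password = attrs[ATTR_CHAP_PASSWORD]
    expected = md5_challenge_response(chap_password[0], secret, attrs[ATTR_CHAP_CHALLENGE])
    return hmac.compare_digest(expected, chap_password[1:])


if __name__ == "__main__":
    # Constructed exchange: the device issued this challenge in EAP-Request/MD5-Challenge
    challenge = bytes(range(16))
    client_pkt = build_eap_md5_response(7, md5_challenge_response(7, b"s3cret", challenge), b"alice")
    kind, attrs = nas_handle_eap_response(client_pkt, "alice", challenge)
    print(kind, radius_chap_verify(attrs, {"alice": b"s3cret"}))
```

Two practical consequences follow from the code: with EAP termination the RADIUS server must hold clear-text passwords (CHAP recomputes the hash), and with EAP relay the device never sees the inner method, so a TLS-protected method such as PEAP keeps its end-to-end protection.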
4.
5.
6. Click Apply.
Quiet: Specify whether to enable the quiet timer. The quiet timer enables the network access device to wait a period of time before it can process any authentication request from a client that has failed an 802.1X authentication.
Quiet Period
Retry Times
TX Period
Handshake Period
Re-Authentication Period
Supplicant Timeout Time
Server Timeout Time
TIP:
You can set the client timeout timer to a high value in a low-performance network,
and adjust the server timeout timer to adapt to the performance of different
authentication servers. In most cases, the default settings are sufficient.
IMPORTANT:
Do not change the global 802.1X timer parameters from their default values unless you have
determined that the changes would improve the interaction between client, device, and server.
1. From the navigation tree, select Authentication > 802.1X to enter the page, as shown in Figure 392. The Ports With 802.1X Enabled area shows the 802.1X configuration on ports.
2. Click Add.
3.
4. Click Apply.
Port: Select the port to be enabled with 802.1X authentication. Only 802.1X-disabled ports are available.
NOTE:
802.1X is mutually exclusive with link aggregation group configuration on a port.
Port Control: Set the access control method for the port: MAC Based or Port Based.
NOTE:
To use both 802.1X and portal authentication on a port, you must select MAC Based.
Port Authorization: Select the port authorization state for 802.1X. Options include:
Auto: Places the port initially in unauthorized state to allow only EAPOL packets to pass, and after a user passes authentication, sets the port in authorized state to allow access to the network. You can use this option in most scenarios.
Max Number of Users
Enable Handshake: The online user handshake function checks the connectivity status of online 802.1X users. The network access device sends handshake messages to online users at the interval specified by the Handshake Period setting. If no response is received from an online user after the maximum number of handshake attempts (set by the Retry Times setting) has been made, the network access device sets the user in offline state. For information about the timers, see "802.1X timers."
NOTE:
If the network has 802.1X clients that cannot exchange handshake packets with the network access device, disable the online user handshake function to prevent their connections from being inappropriately torn down.
Enable Re-Authentication: Specify whether to enable periodic online user re-authentication on the port. Periodic online user re-authentication tracks the connection status of online users and updates the authorization attributes assigned by the server, such as the ACL and VLAN. The re-authentication interval is specified by the Re-Authentication Period setting in Table 121.
NOTE:
The periodic online user re-authentication timer can also be set by the authentication server in the session-timeout attribute. The server-assigned timer overrides the timer setting on the access device, and enables periodic online user re-authentication even if the function is not configured. Support for server assignment of the re-authentication timer, and how the timer is configured on the server, vary with servers.
The VLAN assignment status must be consistent before and after re-authentication. If the authentication server has assigned a VLAN before re-authentication, it must also assign a VLAN at re-authentication. If the authentication server has assigned no VLAN before re-authentication, it must not assign one at re-authentication. Violation of either rule can cause the user to be logged off. The VLANs assigned to an online user before and after re-authentication can be the same or different.
Guest VLAN: Specify an existing VLAN as the guest VLAN. For more information, see "Configuring an 802.1X guest VLAN."
MAC-based VLAN: Select the box to enable MAC-based VLAN.
NOTE:
Only hybrid ports support the feature.
Auth-Fail VLAN: Specify an existing VLAN as the Auth-Fail VLAN to accommodate users that have failed 802.1X authentication. For more information, see "Configuring an Auth-Fail VLAN."
You can configure only one 802.1X guest VLAN on a port. The 802.1X guest VLANs on different
ports can be different.
Assign different IDs to the default VLAN and 802.1X guest VLAN on a port, so the port can correctly
process incoming VLAN tagged traffic.
With 802.1X authentication, a hybrid port is always assigned to a VLAN as an untagged member.
After the assignment, do not re-configure the port as a tagged member in the VLAN.
Use Table 123 when you configure multiple security features on a port.
Table 123 Relationships of the 802.1X guest VLAN and other security features
MAC authentication guest VLAN: Only the 802.1X guest VLAN takes effect. A user that fails MAC authentication will not be assigned to the MAC authentication guest VLAN.
Port intrusion protection: The 802.1X guest VLAN function has higher priority than the block MAC action, but lower priority than the shutdown port action of the port intrusion protection feature.
Configuration prerequisites
If the 802.1X-enabled port performs port-based access control, enable 802.1X multicast trigger at
the CLI. (802.1X multicast trigger is enabled by default.)
If the 802.1X-enabled port performs MAC-based access control, configure the port as a hybrid port,
enable MAC-based VLAN on the port, and assign the port to the 802.1X guest VLAN as an
untagged member.
You can configure only one 802.1X Auth-Fail VLAN on a port. The 802.1X Auth-Fail VLANs on
different ports can be different.
Assign different IDs to the default VLAN and 802.1X Auth-Fail VLAN on a port, so the port can
correctly process VLAN tagged incoming traffic.
Use Table 124 when you configure multiple security features on a port.
Table 124 Relationships of the 802.1X Auth-Fail VLAN with other features
Port intrusion protection: The 802.1X Auth-Fail VLAN function has higher priority than the block MAC action, but lower priority than the shutdown port action of the port intrusion protection feature.
Configuration prerequisites
If the 802.1X-enabled port performs port-based access control, enable 802.1X multicast trigger.
(802.1X multicast trigger is enabled by default.)
If the 802.1X-enabled port performs MAC-based access control, configure the port as a hybrid port,
enable MAC-based VLAN on the port, and assign the port to the Auth-Fail VLAN as an untagged
member.
(Portal system diagram: authentication clients, access device, portal server, authentication/accounting server)
1. When an unauthenticated user enters a website address in the browser's address bar to access the Internet, an HTTP request is created and sent to the access device. The access device then redirects the HTTP request to the portal server's Web authentication homepage. For extended portal functions, authentication clients must run the portal client software.
2. On the authentication homepage/authentication dialog box, the user enters and submits the authentication information, which the portal server then transfers to the access device.
3. Upon receipt of the authentication information, the access device communicates with the authentication/accounting server for authentication and accounting.
4. After successful authentication, the access device checks whether there is a corresponding security policy for the user. If not, it allows the user to access the Internet. Otherwise, the client communicates with the access device and the security policy server for a security check. If the client passes the security check, the security policy server authorizes the user to access the Internet resources.
NOTE:
The Web interface of the device supports configuring portal authentication only on Layer 3 interfaces. For
more information about portal authentication, see HP WX Series Access Controllers Security
Configuration Guide.
Configuration prerequisites
Although the portal feature provides a solution for user identity authentication and security checking, the
portal feature cannot implement this solution by itself. RADIUS authentication needs to be configured on
the access device to cooperate with the portal feature to complete user authentication.
The prerequisites for portal authentication configuration are as follows:
The portal server and the RADIUS server have been installed and configured properly. Local portal
authentication requires no independent portal server.
With re-DHCP authentication, the IP address check function of DHCP relay is enabled on the access
device, and the DHCP server is installed and configured properly.
The portal client, access device, and servers can reach each other.
With RADIUS authentication, usernames and passwords of the users are configured on the RADIUS
server, and the RADIUS client configurations are performed on the access device. For information
about RADIUS client configuration, see "Configuring RADIUS."
To implement extended portal functions, install and configure IMC EAD. Make sure the ACLs
configured on the access device correspond to those specified for the resources in the quarantined
area and for the restricted resources on the security policy server. For information about security
policy server configuration on the access device, see "Configuring RADIUS."
Configuration procedure
1. Required.
2. Configuring advanced parameters for portal authentication: Optional. Specify an auto redirection URL, set the time that the device must wait before redirecting an authenticated user to the auto redirection URL, and add Web proxy server port numbers.
3. Optional. Configure a portal-free rule, specifying the source and destination information for packet filtering.
TIP:
On the page shown in Figure 396, the portal service applied on a Layer 3 interface can be in either of the following states:
Running: Portal authentication has taken effect on the interface.
Enabled: Portal authentication has been enabled on the interface, but has not taken effect.
2.
3.
4. Click Apply.
Interface
Portal Server:
Select Server: Select an existing portal server from the Portal Server list.
New Server: If you select Add under this option from the list, the portal server configuration area, as shown in Figure 398, is displayed at the lower part of the page. You can add a remote portal server and apply the portal server to the interface. For detailed configuration, see Table 126.
Enable Local Server: If you select this option from the list, the local portal service configuration area, as shown in Figure 399, is displayed at the lower part of the page. You can configure the parameters for local portal service. For detailed configuration, see Table 127.
required to be present between the authentication client and the access device. However, if they are present, you must select the cross-subnet portal authentication mode.
In re-DHCP portal authentication mode, a client is allowed to send out packets using
If the local portal server is used, you can configure the re-DHCP mode but it does not take effect.
Auth Network IP / Network Mask: Specify the IP address and mask of the authentication subnet. This field is configurable when you select the Layer3 mode (cross-subnet portal authentication). By configuring an authentication subnet, you specify that only HTTP packets from users on the authentication subnet can trigger portal authentication. If an unauthenticated user is not on any authentication subnet, the access device discards all the user's HTTP packets that do not match any portal-free rule.
IMPORTANT:
The authentication subnet in direct mode is any source IP address, and that in re-DHCP mode is the private subnet to which the interface's private IP address belongs.
Authentication Domain: Specify the authentication domain for Layer 3 portal users. After you specify an authentication domain on a Layer 3 interface, the device uses that domain for authentication, authorization, and accounting (AAA) of the portal users on the interface, ignoring the domain names carried in the usernames. You can specify different authentication domains for different interfaces as needed. The available authentication domains are those specified on the page you enter by selecting Authentication > AAA from the navigation tree. For more information, see "Configuring AAA."
Server Name
IP
Key: Enter the shared key to be used for communication between the device and the remote portal server.
Port
URL
IMPORTANT:
The redirection URL supports domain name resolution. However, you must configure a portal-free rule and add the DNS server address to the portal-free address range.
Server Name
IP: Specify the IP address of the local portal server. You need to specify the IP address of the interface where the local portal server is applied.
URL: Specify the URL for HTTP packet redirection, in the format http://ip-address/portal/logon.htm or https://ip-address/portal/logon.htm (depending on the protocol type). By default, the IP address of the local portal server is used in the URL.
IMPORTANT:
To use the local portal server for stateful failover in a wireless environment, you must specify the redirection URL, and the IP address in the URL must be the virtual IP address of the VRRP group where the VRRP downlink resides.
URL redirection supports domain name resolution, but you need to configure a portal-free rule and add the DNS server address to the portal-free address range.
Protocol: Specify the protocol to be used for authentication information exchange between the local portal server and the client. It can be HTTP or HTTPS.
PKI Domain: Specify the PKI domain for HTTPS. This field is configurable when you select HTTPS. The available PKI domains are those specified on the page you enter by selecting Authentication > Certificate Management from the navigation tree. For more information, see "Managing certificates."
IMPORTANT:
The service management, local portal authentication, and local EAP service modules always reference the same PKI domain. Changing the referenced PKI domain in any of the three modules also changes the domain referenced in the other two.
Page Customization (SSID / Page File): Specify the authentication page files to be bound with SSIDs as required. After you bind SSIDs with authentication page files, when a user accesses the portal page, the local portal server pushes the authentication pages according to the SSID of the user login interface and the bound authentication page file. By default, an SSID is not bound with any authentication page file. In this case, the system pushes the default authentication pages. You can edit an authentication page file as required and save it in the root directory or the portal directory under the root directory of the access device. For rules of customizing authentication pages, see "Customizing authentication pages."
2. Expand the Advanced area to show the advanced parameters for portal authentication.
3.
4. Click Apply.
Add the Web proxy server ports to allow HTTP requests proxied by the specified proxy servers to trigger portal authentication. By default, only HTTP requests that are not proxied can trigger portal authentication.
Different clients may have different Web proxy configurations. To make sure that clients using a Web proxy can trigger portal authentication, you must first complete some other relevant configurations. When the IMC portal server is used, you must first complete the following configurations:
If the client does not specify the portal server's IP address as a proxy exception, ensure IP connectivity between the portal server and the Web proxy server and perform the following configurations on the IMC portal server:
Select NAT as the type of the IP group associated with the portal device.
Specify the proxy server's IP address as the IP address after NAT.
If the client specifies the portal server's IP address as an exception of the Web proxy server, configure the IP group and port group to not support NAT.
IMPORTANT:
If a user's browser uses the Web Proxy Auto-Discovery (WPAD) protocol to discover Web proxy servers, add the port numbers of the Web proxy servers on the device, and configure portal-free rules to allow user packets destined for the IP address of the WPAD server to pass without authentication.
If Web proxy server port 80 is added on the device, clients that do not use a proxy server can trigger portal authentication only when they access a reachable host with the HTTP service enabled.
Authorized ACLs to be assigned to users who have passed portal authentication must contain a rule that permits the Web proxy server's IP address. Otherwise, the user cannot receive heartbeat packets from the remote portal server.
Redirection URL: Specify the auto redirection URL to which users will be automatically redirected after they pass portal authentication.
Wait-Time
2.
3. Click Add.
The page for adding a new portal-free rule appears.
4.
5. Click Apply.
Number
Source-interface
Source IP address / Mask
Source MAC: Specify the source MAC address of the portal-free rule.
IMPORTANT:
If you configure both the source IP address and the source MAC address, make sure that the mask of the specified source IP address is 255.255.255.255. Otherwise, the specified source MAC address does not take effect.
Source-VLAN: Specify the source VLAN of the portal-free rule.
IMPORTANT:
If you configure both a source interface and a source VLAN for a portal-free rule, make sure that the source interface is in the source VLAN. Otherwise, the portal-free rule does not take effect.
Destination IP Address / Mask: Specify the destination IP address and mask of the portal-free rule.
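The following Python script is an added example, not code from this guide or from HP. It models the access device's decision for a packet from a not-yet-authenticated client using the rules stated in this chapter: portal-free rules are checked first; the source MAC in a rule is honored only when the source IP mask is 255.255.255.255; a rule whose source interface is not in its source VLAN never takes effect; and an HTTP request that matches no rule is redirected only if the client is on an authentication subnet (any source in direct mode), otherwise it is discarded. The rules, interface-to-VLAN mapping and packets are constructed sample data, and the class, field and function names are this example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class PortalFreeRule:
    number: int
    src_ip: Optional[str] = None        # used together with src_mask (dotted mask)
    src_mask: Optional[str] = None
    src_mac: Optional[str] = None
    src_interface: Optional[str] = None
    src_vlan: Optional[int] = None
    dst_ip: Optional[str] = None
    dst_mask: Optional[str] = None


@dataclass
class Packet:
    src_ip: str
    src_mac: str
    in_interface: str
    vlan: int
    dst_ip: str
    is_http: bool


def _network(ip: str, mask: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def rule_takes_effect(rule: PortalFreeRule, interface_vlans: dict) -> bool:
    """A rule with both a source interface and a source VLAN only takes
    effect if that interface belongs to that VLAN."""
    if rule.src_interface and rule.src_vlan is not None:
        return rule.src_vlan in interface_vlans.get(rule.src_interface, ())
    return True


def rule_matches(rule: PortalFreeRule, pkt: Packet, interface_vlans: dict) -> bool:
    if not rule_takes_effect(rule, interface_vlans):
        return False
    if rule.src_ip:
        net = _network(rule.src_ip, rule.src_mask)
        if ipaddress.ip_address(pkt.src_ip) not in net:
            return False
        # the source MAC is honored only with a host mask (255.255.255.255); otherwise ignored
        if rule.src_mac and net.prefixlen == 32 and rule.src_mac.lower() != pkt.src_mac.lower():
            return False
    elif rule.src_mac and rule.src_mac.lower() != pkt.src_mac.lower():
        return False
    if rule.src_interface and rule.src_interface != pkt.in_interface:
        return False
    if rule.src_vlan is not None and rule.src_vlan != pkt.vlan:
        return False
    if rule.dst_ip and ipaddress.ip_address(pkt.dst_ip) not in _network(rule.dst_ip, rule.dst_mask):
        return False
    return True


def on_auth_subnet(src_ip: str, mode: str, auth_subnets: list) -> bool:
    """direct: any source IP; re-DHCP: the interface's private subnet;
    layer3: the configured authentication subnets (both passed as auth_subnets)."""
    if mode == "direct":
        return True
    return any(ipaddress.ip_address(src_ip) in ipaddress.ip_network(s) for s in auth_subnets)


def portal_decision(pkt: Packet, rules: list, mode: str, auth_subnets: list, interface_vlans: dict) -> str:
    """Returns "permit" (portal-free), "redirect" (trigger portal authentication)
    or "discard" for a packet from an unauthenticated client."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, pkt, interface_vlans):
            return "permit"
    if pkt.is_http and on_auth_subnet(pkt.src_ip, mode, auth_subnets):
        return "redirect"
    return "discard"


# Constructed sample configuration (not from the guide)
INTERFACE_VLANS = {"Vlan-interface2": (2,), "Vlan-interface3": (3,)}
AUTH_SUBNETS = ["10.1.2.0/24"]
RULES = [
    PortalFreeRule(1, dst_ip="10.1.1.53", dst_mask="255.255.255.255"),                        # DNS server
    PortalFreeRule(2, src_ip="10.1.2.7", src_mask="255.255.255.255", src_mac="00:11:22:33:44:55"),  # MAC honored
    PortalFreeRule(3, src_ip="10.1.4.9", src_mask="255.255.255.0", src_mac="00:11:22:33:44:66"),    # MAC ignored
    PortalFreeRule(4, src_interface="Vlan-interface2", src_vlan=3),                           # never takes effect
    PortalFreeRule(5, src_interface="Vlan-interface3", src_vlan=3),
]

if __name__ == "__main__":
    pkt = Packet("10.1.2.50", "aa:aa:aa:aa:aa:aa", "Vlan-interface2", 2, "8.8.8.8", True)
    print(portal_decision(pkt, RULES, "layer3", AUTH_SUBNETS, INTERFACE_VLANS))
```

Rule 3 is the misconfiguration the IMPORTANT note warns about: because its mask is 255.255.255.0, any host in 10.1.4.0/24 passes regardless of MAC, which is wider than the administrator probably intended. Rule 4 is the second trap: it silently never matches, so the traffic it was meant to exempt ends up discarded.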
logon.htm: Logon page.
logonSuccess.htm: Logon success page.
logonFail.htm: Logon failure page.
online.htm: Online page. Pushed after the user gets online for online notification.
busy.htm: System busy page. Pushed when the system is busy or the user is in the logon process.
logoffSuccess.htm: Logoff success page.
Get requests: Used to get the static files in the authentication pages, and allow no recursion. For example, if file logon.htm includes contents that perform a Get action on file ca.htm, file ca.htm cannot include any reference to file logon.htm.
Post requests: Used when users submit usernames and passwords, log on to the system, and log off the system.
2. Authentication pages logon.htm and logonFail.htm must contain the logon Post request.
The following example shows part of the script in page logon.htm:
<form action="logon.cgi" method="post">
<p>User name: <input type="text" name="PtUser" style="width:160px;height:22px" maxlength="64">
<p>Password: <input type="password" name="PtPwd" style="width:160px;height:22px" maxlength="32">
<!-- appending location.search carries the query string of the redirected request into the post -->
<p><input type="submit" value="Logon" name="PtButton" style="width:60px;" onclick="form.action=form.action+location.search;">
</form>
3. Authentication pages logonSuccess.htm and online.htm must contain the logoff Post request.
The following example shows part of the script in page online.htm:
<form action="logon.cgi" method="post">
<p><input type="submit" value="Logoff" name="PtButton" style="width:60px;">
</form>
A set of authentication page files must be compressed into a standard .zip file. The name of a .zip
file can contain only letters, numbers, and underscores. The .zip file of the default authentication
pages must be saved with name defaultfile.zip.
The set of authentication pages must be located in the root directory of the .zip file.
Zip files can be transferred to the device through FTP or TFTP. The default authentication pages file
must be saved in the root directory of the device, and other authentication files can be saved in the
root directory or in the portal directory under the root directory of the device.
The size of the zip file of each set of authentication pages, including the main authentication pages
and the page elements, must be no more than 500 KB.
The size of an uncompressed page, including the main authentication page and its page elements,
must be no more than 50 KB.
Page elements can contain only static contents such as HTML, JS, CSS, and pictures.
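The following Python script is an added example, not code from this guide or from HP. It checks a set of authentication page files against the rules above before the .zip is uploaded: the zip name characters and the defaultfile.zip name for the default set, the 500 KB zip limit, the 50 KB limit for a page plus the elements it references, files in the zip root only, static content only, the logon Post request in logon.htm and logonFail.htm, and the logoff Post request in logonSuccess.htm and online.htm. The sample page set is constructed in memory (its forms follow the snippets shown earlier in this section); the list of extensions treated as static content and the form-detection regular expressions are this example's assumptions.

```python
import io
import re
import zipfile

MAX_ZIP_BYTES = 500 * 1024      # whole .zip
MAX_PAGE_BYTES = 50 * 1024      # one uncompressed page plus the elements it references
REQUIRED_PAGES = ("logon.htm", "logonSuccess.htm", "logonFail.htm",
                  "online.htm", "busy.htm", "logoffSuccess.htm")
# Assumed set of "static content" extensions (HTML, JS, CSS, pictures); the guide lists no exhaustive set
STATIC_EXT = {".htm", ".html", ".js", ".css", ".gif", ".jpg", ".jpeg", ".png", ".bmp", ".ico"}
ZIP_NAME_RE = re.compile(r"^[A-Za-z0-9_]+\.zip$")
POST_FORM_RE = re.compile(r"<form\b[^>]*\baction\s*=\s*[\"']?logon\.cgi\b[^>]*\bmethod\s*=\s*[\"']?post\b", re.I)
LOGOFF_BUTTON_RE = re.compile(r"value\s*=\s*[\"']?Logoff\b", re.I)
REF_RE = re.compile(r"\b(?:src|href)\s*=\s*[\"']?([^\"'\s>]+)", re.I)


def _ext(name: str) -> str:
    return name[name.rfind("."):].lower() if "." in name else ""


def check_pages_zip(zip_bytes: bytes, zip_name: str, is_default: bool) -> list:
    """Returns a list of rule violations; an empty list means the set is acceptable."""
    problems = []
    if not ZIP_NAME_RE.match(zip_name):
        problems.append("zip name may contain only letters, digits and underscores")
    if is_default and zip_name != "defaultfile.zip":
        problems.append("default page set must be named defaultfile.zip")
    if len(zip_bytes) > MAX_ZIP_BYTES:
        problems.append("zip exceeds 500 KB")
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return problems + ["not a valid zip file"]
    files = {}
    for info in zf.infolist():
        if info.is_dir() or "/" in info.filename:
            problems.append(f"{info.filename}: pages must sit in the zip root")
            continue
        if _ext(info.filename) not in STATIC_EXT:
            problems.append(f"{info.filename}: only static content is allowed")
        files[info.filename] = zf.read(info)
    for page in REQUIRED_PAGES:
        if page not in files:
            problems.append(f"{page}: required page missing")
            continue
        text = files[page].decode("utf-8", "replace")
        # the page plus every element it references must stay within 50 KB uncompressed
        total = len(files[page]) + sum(len(files[r]) for r in REF_RE.findall(text) if r in files)
        if total > MAX_PAGE_BYTES:
            problems.append(f"{page}: page plus elements exceed 50 KB")
        has_form = POST_FORM_RE.search(text) is not None
        if page in ("logon.htm", "logonFail.htm") and not (has_form and "PtUser" in text and "PtPwd" in text):
            problems.append(f"{page}: logon Post request missing")
        if page in ("logonSuccess.htm", "online.htm") and not (has_form and LOGOFF_BUTTON_RE.search(text)):
            problems.append(f"{page}: logoff Post request missing")
    return problems


# Constructed sample page set (not from the guide); forms follow the snippets shown above
LOGON_FORM = ('<form action=logon.cgi method = post >'
              '<input type="text" name="PtUser" maxlength=64>'
              '<input type="password" name="PtPwd" maxlength=32>'
              '<input type=SUBMIT value="Logon" name="PtButton"></form>')
LOGOFF_FORM = '<form action=logon.cgi method = post ><input type=SUBMIT value="Logoff" name="PtButton"></form>'


def build_sample_zip(valid: bool = True) -> bytes:
    """valid=False injects three violations: a nested directory, a server-side
    script, and an online page without the logoff form."""
    pages = {
        "logon.htm": "<html><body>" + LOGON_FORM + "</body></html>",
        "logonFail.htm": "<html><body>Logon failed" + LOGON_FORM + "</body></html>",
        "logonSuccess.htm": '<html><head><script src="pt_private.js"></script></head><body>' + LOGOFF_FORM + "</body></html>",
        "online.htm": "<html><body>" + (LOGOFF_FORM if valid else "You are online") + "</body></html>",
        "busy.htm": "<html><body>System busy</body></html>",
        "logoffSuccess.htm": "<html><body>Logged off</body></html>",
        "pt_private.js": "function pt_init(){}",
        "style.css": "body{}",
    }
    if not valid:
        pages["img/logo.png"] = "\x89PNG"
        pages["helper.php"] = "<?php ?>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in pages.items():
            zf.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    print(check_pages_zip(build_sample_zip(True), "defaultfile.zip", True))
    print(check_pages_zip(build_sample_zip(False), "bad-name.zip", False))
```

Running the checker before transferring the file over FTP or TFTP catches the rules the device enforces silently (a nested directory, a non-static file, or a missing Post form) at the workstation instead of when the pages fail to load on the client.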
Logging off a user who closes the logon success or online page
After a user passes authentication, the system pushes the logon success page named logonSuccess.htm.
If the user initiates another authentication through the logon page, the system pushes the online page
named online.htm. You can configure the device to forcibly log off the user when the user closes either
of these two pages. To do so, add the following contents to logonSuccess.htm and online.htm:
1. Reference the script file pt_private.js in the page.
2. Add pt_init() to the onload attribute of the body tag.
3. Add return pt_unload() to the onbeforeunload attribute of the body tag.
4. Add pt_submit() to the onsubmit attribute of the form that posts to logon.cgi.
The following is a script example with the added contents:
<html>
<head>
<script type="text/javascript" language="javascript" src="pt_private.js"></script>
</head>
<body onload="pt_init();" onbeforeunload="return pt_unload();">
... ...
<form action=logon.cgi method = post onsubmit="pt_submit()">
... ...
</body>
</html>
If a user refreshes the logon success or online page, or jumps to another website from either of the pages,
the device also logs off the user.
Google Chrome browsers do not support this function.
Make sure that the browser of an authentication client permits pop-ups, or permits pop-ups from the
access device. Otherwise, the user cannot log off by closing the logon success or online page, and can
only click Cancel to return to the logon success or online page.
Configuration prerequisites
Complete the following tasks before you perform the portal configuration:
Configure IP addresses for the devices, as shown in Figure 403, and make sure they can reach each
other.
Configure PKI domain test, and make sure that a local certificate and a CA certificate are obtained
successfully. For more information, see "Managing certificates."
Complete the editing of the authentication page files to be bound with the client SSID.
Configure the RADIUS server properly to provide authentication and accounting functions for users.
Configuring the AC
1.
2.
3.
Figure 406 Configuring the authentication method for the ISP domain
4.
Figure 407 Configuring the authorization method for the ISP domain
5.
f. Click Apply.
The configuration progress dialog box appears.
g. After the configuration process is complete, click Close.
Figure 408 Configuring the accounting method for the ISP domain
6. Create an AP:
a. From the navigation tree, select AP > AP Setup.
b. Click Create.
c. Enter the AP name ap1.
d. Select model MSM460-WW.
e. Select the manual mode for serial ID, and then enter the serial ID CN2AD330S8.
f. Click Apply.
7.
d. On the page as shown in Figure 411, enter 2 in the VLAN (Untagged) field, enter 2 in the Default VLAN field, and click Apply.
A configuration progress dialog box appears.
e. After the configuration process is complete, click Close.
Figure 411 Configuring parameters for the wireless service
8.
9.
b. On the page that appears, select the box before ap1 with the radio mode of 802.11n(5GHz).
c. Click Bind.
A configuration progress dialog box appears.
d. After the configuration process is complete, click Close.
d. Click Apply.
Configuring AAA
Overview
Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing
network access management. It provides the following security functions:
Authentication: Identifies users and verifies whether they are valid.
Authorization: Grants user rights and controls user access to resources and services. For example, a user who has successfully logged in to the device can be granted read and print permissions to the files on the device.
Accounting: Records all network service usage information, including the service type, start time, and traffic. The accounting function provides information required for charging and allows for network security surveillance.
AAA can be implemented through multiple protocols. The device supports RADIUS. For more information,
see "Configuring RADIUS."
AAA typically uses a client/server model. The client runs on the network access server (NAS) and the
server maintains user information centrally. In an AAA network, the NAS is a server for users, but a client
for AAA servers.
Figure 417 AAA application scenario
LAN users: Users on a LAN who must pass 802.1X or MAC address authentication to access the network.
Login users: Users who want to log in to the device, including SSH users, Telnet users, FTP users, and terminal users.
Portal users: Users who must pass portal authentication to access the network.
To improve device security, AAA provides command authorization for login users. Command
authorization enables the NAS to defer to the authorization server to determine whether a command
entered by a login user is permitted for the user, and allows login users to execute only authorized
commands.
For more information about AAA and ISP domains, see HP WX Series Access Controllers Security Configuration
Guide.
Configuration prerequisites
To deploy local authentication, configure local users on the access device. See "Configuring users."
Configuration procedure
1. Optional. Create ISP domains and specify one of them as the default ISP domain. By default, there is an ISP domain named system, which is the default ISP domain.
2. Configuring authentication methods for the ISP domain: Optional. Configure authentication methods for various types of users. By default, all types of users use local authentication.
3. Configuring authorization methods for the ISP domain: Optional. Specify the authorization methods for various types of users. By default, all types of users use local authorization.
4. Configuring accounting methods for the ISP domain: Required. Specify the accounting methods for various types of users. By default, all types of users use local accounting.
2.
3. Click Apply.
Item | Description
Domain Name | Enter an ISP domain name for uniquely identifying the domain. You can enter a new domain name to create a domain, or specify an existing domain to change its status (whether it is the default domain).
Default Domain | Specify whether to use the ISP domain as the default domain. Options include:
2. Click the Authentication tab to enter the authentication method configuration page.
3. Configure authentication methods for different types of users in the domain, as described in Table 132.
4. Click Apply.
A configuration progress dialog box appears.
5.
Item | Description
Select the ISP domain for which you want to specify authentication methods.
Default AuthN (Name, Secondary Method) | Configure the default authentication method and secondary authentication method for all types of users. Options include:
- Local: Local authentication.
- None: No authentication. This method trusts all users and is not for general use.
- RADIUS: RADIUS authentication. You must specify the RADIUS scheme to be used.
- Not Set: The device uses the default authentication setting, which is local authentication.
LAN-access AuthN (Name, Secondary Method) | Configure the authentication method and secondary authentication method for LAN users. Options include:
- Local: Local authentication.
- None: No authentication. This method trusts all users and is not for general use.
- RADIUS: RADIUS authentication. You must specify the RADIUS scheme to be used.
- Not Set: The device uses the settings in the Default AuthN area for LAN users.
Login AuthN (Name, Secondary Method) | Configure the authentication method and secondary authentication method for login users. Options include:
- Local: Local authentication.
- None: No authentication. This method trusts all users and is not for general use.
- RADIUS: RADIUS authentication. You must specify the RADIUS scheme to be used.
- Not Set: The device uses the settings in the Default AuthN area for login users.
PPP AuthN (Name, Secondary Method) | Configure the authentication method and secondary authentication method for PPP users. Options include:
- Local: Local authentication.
- None: No authentication. This method trusts all users and is not for general use.
- RADIUS: RADIUS authentication. You must specify the RADIUS scheme to be used.
- Not Set: The device uses the settings in the Default AuthN area for PPP users.
Portal AuthN (Name, Secondary Method) | Configure the authentication method and secondary authentication method for portal users. Options include:
- Local: Local authentication.
- None: No authentication. This method trusts all users and is not for general use.
- RADIUS: RADIUS authentication. You must specify the RADIUS scheme to be used.
- Not Set: The device uses the settings in the Default AuthN area for portal users.
2. Click the Authorization tab to enter the authorization method configuration page.
3. Configure authorization methods for different types of users in the domain, as described in Table 133.
4. Click Apply.
A configuration progress dialog box appears.
5.
Item | Description
Select the ISP domain for which you want to specify authorization methods.
Default AuthZ (Name, Secondary Method) | Configure the default authorization method and secondary authorization method for all types of users. Options include:
- Local: Local authorization.
- None: This method trusts all users and assigns default rights to them.
- RADIUS: RADIUS authorization. You must specify the RADIUS scheme to be used.
- Not Set: The device uses the default authorization setting, which is local authorization.
LAN-access AuthZ (Name, Secondary Method) | Configure the authorization method and secondary authorization method for LAN users. Options include:
- Local: Local authorization.
- None: This method trusts all users and assigns default rights to them.
- RADIUS: RADIUS authorization. You must specify the RADIUS scheme to be used.
- Not Set: The device uses the settings in the Default AuthZ area for LAN users.
Login AuthZ (Name, Secondary Method) | Configure the authorization method and secondary authorization method for login users. Options include:
- Local: Local authorization.
- None: This method trusts all users and assigns default rights to them.
- RADIUS: RADIUS authorization. You must specify the RADIUS scheme to be used.
- Not Set: The device uses the settings in the Default AuthZ area for login users.
PPP AuthZ (Name, Secondary Method) | Configure the authorization method and secondary authorization method for PPP users. Options include:
- Local: Local authorization.
- None: This method trusts all users and assigns default rights to them.
- RADIUS: RADIUS authorization. You must specify the RADIUS scheme to be used.
- Not Set: The device uses the settings in the Default AuthZ area for PPP users.
Portal AuthZ (Name, Secondary Method) | Configure the authorization method and secondary authorization method for portal users. Options include:
- Local: Local authorization.
- None: This method trusts all users and assigns default rights to them.
- RADIUS: RADIUS authorization. You must specify the RADIUS scheme to be used.
- Not Set: The device uses the settings in the Default AuthZ area for portal users.
Options include:
- Not Set: The device uses the settings in the Default AuthZ area for command users.
2. Click the Accounting tab to enter the accounting method configuration page.
3. Configure accounting methods for different types of users in the domain, as described in Table 134.
4. Click Apply.
A configuration progress dialog box appears.
5.
Item | Description
Select the ISP domain for which you want to specify accounting methods.
Accounting Optional | Specify whether to enable the accounting optional feature. With the feature enabled, a user that will be disconnected otherwise can use the network resources even when there is no accounting server available or communication with the current accounting server fails. If accounting for such a user fails, the device will not send real-time accounting updates for the user anymore.
Default Accounting (Name, Secondary Method) | Configure the default accounting method and secondary accounting method for all types of users. Options include:
- Local: Local accounting.
- None: No accounting.
- RADIUS: RADIUS accounting. You must specify the RADIUS scheme to be used.
- Not Set: The device uses the default accounting setting, which is local accounting.
LAN-access Accounting (Name, Secondary Method) | Configure the accounting method and secondary accounting method for LAN users. Options include:
- Local: Local accounting.
- None: No accounting.
- RADIUS: RADIUS accounting. You must specify the RADIUS scheme to be used.
- Not Set: The device uses the settings in the Default Accounting area for LAN users.
Login Accounting (Name, Secondary Method) | Configure the accounting method and secondary accounting method for login users. Options include:
- Local: Local accounting.
- None: No accounting.
- RADIUS: RADIUS accounting. You must specify the RADIUS scheme to be used.
- Not Set: The device uses the settings in the Default Accounting area for login users.
PPP Accounting (Name, Secondary Method) | Configure the accounting method and secondary accounting method for PPP users. Options include:
- Local: Local accounting.
- None: No accounting.
- RADIUS: RADIUS accounting. You must specify the RADIUS scheme to be used.
- Not Set: The device uses the settings in the Default Accounting area for PPP users.
Portal Accounting (Name, Secondary Method) | Configure the accounting method and secondary accounting method for portal users. Options include:
- Local: Local accounting.
- None: No accounting.
- RADIUS: RADIUS accounting. You must specify the RADIUS scheme to be used.
- Not Set: The device uses the settings in the Default Accounting area for portal users.
Configuration procedure
1.
b. Click Add.
c. Enter telnet as the username.
d. Enter abcd as the password.
e. Enter abcd again to confirm the password.
f. Select Common User as the user type.
g. Select Configure as the level.
h. Select Telnet as the service type.
i. Click Apply.
2.
3.
Configure the ISP domain to use local authentication for login users:
a. From the navigation tree, select Authentication > AAA.
b. Click the Authentication tab.
c. Select the domain test.
d. Select the Login AuthN box, and then select the authentication method Local.
e. Click Apply.
A configuration progress dialog box appears.
f. After the configuration progress is complete, click Close.
4.
Configure the ISP domain to use local authorization for login users:
5. At the CLI, enable the Telnet service and configure the AC to use AAA for Telnet users.
<AC> system-view
[AC] telnet server enable
[AC] user-interface vty 0 4
[AC-ui-vty0-4] authentication-mode scheme
[AC-ui-vty0-4] quit
Configuring RADIUS
Overview
The Remote Authentication Dial-In User Service (RADIUS) protocol implements Authentication,
Authorization, and Accounting (AAA). RADIUS uses the client/server model. It can protect networks
against unauthorized access, and is often used in network environments where both high security and
remote user access are required. RADIUS defines the packet format and message transfer mechanism,
and uses UDP as the transport layer protocol for encapsulating RADIUS packets. It uses UDP port 1812
for authentication and UDP port 1813 for accounting.
RADIUS was originally designed for dial-in user access and has since been extended to support other access methods, for example, Ethernet and ADSL.
RADIUS provides access authentication and authorization services. Its accounting function collects and
records network resource usage information.
For more information about AAA and RADIUS, see HP WX Series Access Controllers Security
Configuration Guide.
Configuration guidelines
When you configure the RADIUS client, follow these guidelines:
- If you remove the accounting server used for online users, the device cannot send real-time accounting requests and stop-accounting messages for the users to the server, and the stop-accounting messages are not buffered locally.
- The status of RADIUS servers (blocked or active) determines which servers the device will communicate with or turn to when the current servers are not available. In practice, you can specify one primary RADIUS server and multiple secondary RADIUS servers, with the secondary servers functioning as backups of the primary server. Generally, the device chooses servers based on these rules:
  - When the primary server is in active state, the device communicates with the primary server. If the primary server fails, the device changes the state of the primary server to blocked, starts a quiet timer for the server, and turns to a secondary server in active state (a secondary server configured earlier has a higher priority). If the secondary server is unreachable, the device changes the state of the secondary server to blocked, starts a quiet timer for the server, and continues to check the next secondary server in active state. This search process continues until the device finds an available secondary server or has checked all secondary servers in active state. If the quiet timer of a server expires or an authentication or accounting response is received from the server, the status of the server changes back to active automatically, but the device does not check the server again during the authentication or accounting process. If no server is found reachable during one search process, the device considers the authentication or accounting attempt a failure.
  - Once the accounting process of a user starts, the device keeps sending the user's real-time accounting requests and stop-accounting requests to the same accounting server. If you remove the accounting server, real-time accounting requests and stop-accounting requests for the user cannot be delivered to the server any more.
  - If you remove an authentication or accounting server in use, the communication of the device with the server will soon time out, and the device will look for a server in active state from scratch: it checks the primary server (if any) first and then the secondary servers in the order they are configured.
  - When the primary server and secondary servers are all in blocked state, the device communicates with the primary server. If the primary server is available, its status changes to active. Otherwise, its status remains blocked.
  - If one server is in active state, but all the others are in blocked state, the device only tries to communicate with the server in active state, even if the server is unavailable.
  - After receiving an authentication/accounting response from a server, the device changes the status of the server identified by the source IP address of the response to active if the current status of the server is blocked.
- It is a good practice to use the recommended real-time accounting intervals listed in Table 135.
Table 135
1 to 99 |
100 to 499 |
500 to 999 | 12
1000 | 15
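The server selection rules above, as an added example in Python (not HP code): a small simulation of the per-server active/blocked state, the quiet timer, the "only active servers are tried" rule and the primary-only fallback when everything is blocked. The server names, the reach() callback that stands in for the network, and the simulated clock are constructed. The quiet_time parameter follows the Quiet Time item in the advanced configuration settings: a value of 0 leaves an unreachable server's status unchanged so that the next request tries it again.

```python
"""Simulation of the RADIUS server selection rules: active/blocked state per server,
a quiet timer for blocked servers, and the primary-only fallback when all are blocked.
Added example, not HP code. Server names, the reach() callback and the clock are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

ACTIVE, BLOCKED = "active", "blocked"


@dataclass
class RadiusServer:
    name: str
    role: str                    # "primary" or "secondary"
    state: str = ACTIVE
    blocked_until: float = 0.0   # clock value at which this server's quiet timer expires


class RadiusClient:
    """One primary and any number of secondary servers, in configuration order."""

    def __init__(self, servers: List[RadiusServer], quiet_time: float = 300.0):
        self.servers = servers         # primary first; an earlier secondary has higher priority
        self.quiet_time = quiet_time   # seconds a failed server stays blocked; 0 = never block
        self.now = 0.0                 # simulated clock, advanced by the caller

    def _expire_quiet_timers(self) -> None:
        # A blocked server whose quiet timer has run out becomes active again automatically.
        for s in self.servers:
            if s.state == BLOCKED and self.now >= s.blocked_until:
                s.state = ACTIVE

    def states(self) -> Dict[str, str]:
        self._expire_quiet_timers()
        return {s.name: s.state for s in self.servers}

    def _candidates(self) -> List[RadiusServer]:
        self._expire_quiet_timers()
        active = [s for s in self.servers if s.state == ACTIVE]
        if active:
            # Only active servers are tried, even if the single remaining one is unreachable.
            return active
        # Everything is blocked: the primary alone is tried.
        return [s for s in self.servers if s.role == "primary"][:1]

    def send(self, reach: Callable[[RadiusServer], bool]) -> Optional[RadiusServer]:
        """One authentication or accounting attempt. Returns the answering server, or None."""
        for s in self._candidates():
            if reach(s):
                s.state = ACTIVE       # any response from a server makes it active
                return s
            if self.quiet_time > 0:
                s.state = BLOCKED      # unreachable: block it and start its quiet timer
                s.blocked_until = self.now + self.quiet_time
            # With quiet_time == 0 the status is left alone, so the next request tries it again.
        return None


def demo() -> Tuple[List[Optional[str]], Dict[str, str]]:
    """Walks through the rules with a constructed outage pattern; returns (answering servers, final states)."""
    client = RadiusClient([RadiusServer("primary", "primary"),
                           RadiusServer("secondary-1", "secondary"),
                           RadiusServer("secondary-2", "secondary")])
    down = {"primary", "secondary-1"}           # constructed outage: which servers do not answer
    reach = lambda s: s.name not in down
    answered: List[Optional[str]] = []

    r = client.send(reach)      # primary and secondary-1 fail and are blocked; secondary-2 answers
    answered.append(r.name if r else None)

    down.clear()
    down.add("secondary-2")
    client.now = 10.0
    r = client.send(reach)      # only secondary-2 is active, so only it is tried: failure
    answered.append(r.name if r else None)

    r = client.send(reach)      # all blocked: the primary alone is tried, and it answers
    answered.append(r.name if r else None)

    client.now = 400.0          # both quiet timers (300 s) have expired by now
    return answered, client.states()


def quiet_time_zero() -> Dict[str, str]:
    """With quiet time 0 an unreachable primary is never marked blocked."""
    client = RadiusClient([RadiusServer("primary", "primary"),
                           RadiusServer("secondary-1", "secondary")], quiet_time=0)
    client.send(lambda s: s.name != "primary")
    return client.states()
```

demo() returns (["secondary-2", None, "primary"], {"primary": "active", "secondary-1": "active", "secondary-2": "active"}): the second request fails even though the primary is reachable again, because the one active server is the only one tried, and the third request succeeds through the all-blocked fallback to the primary. For detection purposes, a NAS that keeps logging a single blocked/active flap is worth correlating with the quiet-time setting before blaming the server.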
2. Click Add.
3.
4.
Description
Select the type of the RADIUS servers supported by the device:
communicate by using the standard RADIUS protocol and packet format defined
in RFC 2865/2866 or later.
client and server communicate by using the proprietary RADIUS protocol and
packet format.
Username Format | Options include:
- Without domain name: Configure the device to remove the domain name from a username.
5. Click the expand button before Advanced in the Common Configuration area to expand the advanced configuration area.
6.
Item | Description
Authentication Key, Confirm Authentication Key, Accounting Key, Confirm Accounting Key | Set the shared key for RADIUS authentication packets and that for RADIUS accounting packets.
The RADIUS client and the RADIUS authentication/accounting server use MD5 to encrypt RADIUS packets. They verify the validity of packets through the specified shared key. The client and the server can receive and respond to packets from each other only when they use the same shared key.
IMPORTANT:
- The shared keys configured on the device must be consistent with those configured on the RADIUS servers.
- The shared keys configured in the common configuration part are used only when no corresponding shared keys are configured in the RADIUS server configuration part.
Quiet Time | Set the time the device keeps an unreachable RADIUS server in blocked state.
If you set the quiet time to 0, when the device needs to send an authentication or accounting request but finds that the current server is unreachable, it does not change the server's status that it maintains. It simply sends the request to the next server in active state. As a result, when the device needs to send a request of the same type for another user, it still tries to send the request to the server because the server is in active state.
You can use this parameter to control whether the device changes the status of an unreachable server. For example, if you determine that the primary server is unreachable because the device's port for connecting the server is out of service temporarily or the server is busy, you can set the time to 0 so that the device uses the primary server as much as possible.
Set the RADIUS server response timeout time and the maximum number of attempts for transmitting a RADIUS packet to a single RADIUS server.
- Byte.
- Kilo-byte.
- Mega-byte.
- Giga-byte.
Unit for Packets | Specify the unit for data packets sent to the RADIUS server:
- One-packet.
- Kilo-packet.
- Mega-packet.
- Giga-packet.
After receiving an EAP packet, the access device enabled with the EAP offload function first converts the authentication information in the EAP packet into the corresponding RADIUS attributes through the local EAP server, encapsulates the EAP packet into a RADIUS request and then sends the request to the RADIUS server for authentication. When the RADIUS server receives the request, it analyzes the carried authentication information, encapsulates the authentication result in a RADIUS packet, and then sends the packet to the local EAP server on the access device for subsequent interaction with the client.
Specify the IP address of the security policy server.
Specify the source IP address for the device to use in RADIUS packets sent to the RADIUS server.
Buffer stop-accounting packets |
Stop-Accounting Attempts | Set the maximum number of stop-accounting attempts. The maximum number of stop-accounting attempts, together with some other parameters, controls how the NAS deals with stop-accounting request packets.
Suppose that the RADIUS server response timeout period is three seconds, the maximum number of transmission attempts is five, and the maximum number of stop-accounting attempts is 20. For each stop-accounting request, if the device receives no response within three seconds, it retransmits the request. If it receives no responses after retransmitting the request five times, it considers the stop-accounting attempt a failure, buffers the request, and makes another stop-accounting attempt. If 20 consecutive attempts fail, the device discards the request.
Send accounting-on packets | Enable or disable the accounting-on feature.
Accounting-On Interval | Set the interval for sending accounting-on packets. This field is configurable only when the Send accounting-on packets option is selected.
Accounting-On Attempts |
Attribute Interpretation | Enable or disable the device to interpret the RADIUS class attribute as CAR parameters.
7.
8. Configure a RADIUS server for the RADIUS scheme as described in Table 138.
9.
10. Repeat step 7 through step 9 to add more RADIUS servers to the RADIUS scheme.
11. On the RADIUS scheme configuration page, click Apply.
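The retransmission and buffering behaviour described for Stop-Accounting Attempts, simulated as an added example in Python (not HP code) with the page's figures: 3 s response timeout, 5 transmissions per attempt, 20 attempts. The accounting server's behaviour is a constructed callback and the clock is simulated; modelling one attempt as max_transmissions transmissions of the request is an assumption about how the page's figures combine.

```python
"""Stop-accounting retransmission and local buffering, using the figures from the
Stop-Accounting Attempts description: 3 s response timeout, 5 transmissions per attempt,
20 attempts. Added example, not HP code. The clock and the server's behaviour are simulated,
and one attempt is modelled as max_transmissions transmissions (an assumption)."""
from typing import Callable, Dict


def deliver_stop_accounting(server_answers: Callable[[int, float], bool],
                            response_timeout: float = 3.0,
                            max_transmissions: int = 5,
                            max_attempts: int = 20) -> Dict[str, object]:
    """Deliver one stop-accounting request and report how it ended.

    server_answers(transmission_number, clock) returns True when the accounting server
    acknowledges that particular transmission (constructed stand-in for the network)."""
    clock = 0.0
    transmissions = 0
    buffered = False                      # set once an attempt has failed and the request is kept
    for attempt in range(1, max_attempts + 1):
        for _ in range(max_transmissions):
            transmissions += 1
            if server_answers(transmissions, clock):
                return {"outcome": "acknowledged", "attempts": attempt,
                        "transmissions": transmissions, "elapsed": clock, "buffered": buffered}
            clock += response_timeout     # no response within the timeout: retransmit
        buffered = True                   # attempt failed: buffer the request and try again
    return {"outcome": "discarded", "attempts": max_attempts,
            "transmissions": transmissions, "elapsed": clock, "buffered": buffered}


def demo_late_server() -> Dict[str, object]:
    """Server is back after six silent transmissions: acknowledged in the second attempt."""
    return deliver_stop_accounting(lambda n, clock: n >= 7)


def demo_dead_server() -> Dict[str, object]:
    """Server never answers: 20 attempts x 5 transmissions, then the request is discarded."""
    return deliver_stop_accounting(lambda n, clock: False)
```

A discarded stop-accounting request means the session end never reaches the accounting server, so with a dead server the record of who was online is lost after roughly 300 s of retries under these figures; the buffer only bridges outages shorter than that window.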
Item | Description
Server Type | Select the type of the RADIUS server to be configured. Possible values include primary authentication server, primary accounting server, secondary authentication server, and secondary accounting server.
IP Address |
Port |
Key, Confirm Key | Specify the shared key for communication with the RADIUS server. If no shared key is specified here, the shared key specified in the common configuration part is used.
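What the shared key (configured either in the common configuration part or per server in Table 138) actually does on the wire, as an added example in Python that is not HP code. It follows RFC 2865/2866: the NAS hides User-Password with MD5(secret + authenticator) keystream blocks, and the server's reply carries a Response Authenticator, MD5(Code + ID + Length + Request Authenticator + Attributes + secret), which the NAS can verify only with the same key. The identifier, the fixed Request Authenticator and the credentials are constructed for determinism; the key expert is the one used in this chapter's own procedure. Note that the key authenticates replies and masks the password only; the rest of the packet travels in clear, which is why the key must be kept confidential and the NAS-to-server path kept on a trusted network.

```python
"""RADIUS shared-key mechanics (RFC 2865/2866): User-Password hiding and the Response
Authenticator that lets a NAS verify a reply came from a server holding the same key.
Added example, not HP code; identifier, request authenticator and credentials are constructed."""
import hashlib
import hmac
import os
import struct
from typing import Dict, List, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2
HEADER_LEN = 20                    # Code(1) + Identifier(1) + Length(2) + Authenticator(16)

Attrs = List[Tuple[int, bytes]]


def encode_attrs(attrs: Attrs) -> bytes:
    """Attributes are Type(1) Length(1) Value TLVs; Length includes the two header bytes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes) -> Attrs:
    attrs, i = [], 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks; c_i = p_i XOR MD5(secret + c_{i-1}), c_0 = authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_packet(code: int, ident: int, authenticator: bytes, attrs: Attrs) -> bytes:
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + authenticator + body


def parse_packet(pkt: bytes) -> Tuple[int, int, bytes, Attrs]:
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    return code, ident, pkt[4:HEADER_LEN], decode_attrs(pkt[HEADER_LEN:length])


def response_authenticator(code: int, ident: int, attrs: Attrs,
                           request_auth: bytes, secret: bytes) -> bytes:
    """MD5 over the reply header, the request's authenticator, the attributes and the key."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def nas_access_request(username: bytes, password: bytes, secret: bytes, ident: int = 7,
                       request_auth: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """NAS side: fresh random Request Authenticator unless one is supplied for reproducibility."""
    ra = request_auth or os.urandom(16)
    attrs = [(USER_NAME, username), (USER_PASSWORD, hide_password(password, secret, ra))]
    return build_packet(ACCESS_REQUEST, ident, ra, attrs), ra


def server_reply(request: bytes, secret: bytes, user_db: Dict[bytes, bytes]) -> bytes:
    """Server side: recover the password with its own copy of the key, answer Accept or Reject."""
    _code, ident, ra, attrs = parse_packet(request)
    a = dict(attrs)
    ok = reveal_password(a[USER_PASSWORD], secret, ra) == user_db.get(a[USER_NAME])
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return build_packet(code, ident, response_authenticator(code, ident, [], ra, secret), [])


def nas_verify_reply(reply: bytes, request_auth: bytes, secret: bytes) -> Tuple[bool, int]:
    """NAS side: accept a reply only if its authenticator matches under the NAS's key."""
    code, ident, auth, attrs = parse_packet(reply)
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    return hmac.compare_digest(auth, expected), code


def demo() -> Tuple[bool, int, bool, int]:
    """Same key on both sides: verifiable Accept. Server with another key: Reject the NAS also rejects."""
    nas_key, ra = b"expert", bytes(range(16))           # constructed; fixed authenticator for determinism
    db = {b"telnet": b"abcd"}                           # constructed credential from the chapter's example
    req, ra = nas_access_request(b"telnet", b"abcd", nas_key, request_auth=ra)
    ok_auth, ok_code = nas_verify_reply(server_reply(req, nas_key, db), ra, nas_key)
    bad_auth, bad_code = nas_verify_reply(server_reply(req, b"other-key", db), ra, nas_key)
    return ok_auth, ok_code, bad_auth, bad_code
```

demo() returns (True, 2, False, 3): with matching keys the NAS can verify the Access-Accept, while a server holding a different key cannot recover the password, answers Access-Reject, and its reply fails the NAS's authenticator check, which is the observable symptom of a key mismatch between the two configuration parts and the server.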
Configuration procedure
1.
f. In the RADIUS Server Configuration area, click Add to enter the RADIUS server configuration
page again.
g. Select Primary Accounting as the server type, enter 10.1.1.1 as the IP address of the primary
accounting server, port number 1813, and the key expert, and click Apply, as shown in Figure
433.
The RADIUS scheme configuration page refreshes and the added servers appear in the server
list, as shown in Figure 434.
h. Click Apply to finish the scheme configuration.
Figure 433 RADIUS accounting server configuration page
2.
3.
4.
5.
Configure an accounting method for the ISP domain and enable accounting optional:
a. Click the Accounting tab.
b. Select the domain name bbb.
c. Select the Accounting Optional box, and then select Enable.
d. Select the Default Accounting box, and then select accounting mode RADIUS.
e. From the Name list, select the RADIUS scheme system to use it as the accounting scheme.
f. Click Apply.
A configuration progress dialog box appears.
g. After the configuration progress is complete, click Close.
Figure 438 Configuring an accounting method for the ISP domain
6.
7. Log in to the CLI, and configure the VTY user interfaces to use AAA for user access control.
<AC> system-view
[AC] user-interface vty 0 4
[AC-ui-vty0-4] authentication-mode scheme
[AC-ui-vty0-4] quit
Configuration procedure
1.
From the navigation tree, select Authentication > Local EAP Server.
The local EAP service configuration page appears.
2.
3. Click Apply.
Item | Description
Status | Enable or disable the EAP server. If the EAP server is enabled, the EAP authentication method and PKI domain configurations are required.
Specify the EAP authentication methods:
When an EAP client and the local server communicate for EAP authentication, they first negotiate the EAP authentication method to be used. During negotiation, the local server prefers the authentication method with the highest priority from the EAP authentication method list. If the client supports the authentication method, the negotiation succeeds and they proceed with the authentication process. Otherwise, the local server tries the one with the next highest priority until a supported one is found. If none of the authentication methods is supported, the local server sends an EAP-Failure packet to the client to notify it of the authentication failure.
TIP:
You can select more than one authentication method. An authentication method selected earlier has a higher priority.
PKI domain | The available PKI domains are those configured on the page you enter by selecting Authentication > Certificate Management. For more information, see "Managing certificates."
NOTE:
The service management, local portal authentication, and local EAP service modules always reference the same PKI domain. Changing the referenced PKI domain in any of the three modules also changes the one referenced in the other two modules.
Configuration guidelines
To implement local EAP authentication and authorization for 802.1X users, make sure port security is
enabled and 802.1X authentication uses the EAP authentication mode.
To use the authentication method of EAP-TLS, configure the network properties of the connection and the
client certificate properly on the client.
For information about configuring PKI domain test, requesting a local certificate, and retrieving a CA
certificate, see "Managing certificates."
Configuration procedure
1.
2. Configure the ISP domain system to use local authentication and local authorization.
The ISP domain system uses local authentication and local authorization by default. For the configuration procedure, see "Configuring AAA."
3. Enable the EAP server, configure the authentication method as TLS, and the PKI domain as test:
a. From the navigation tree, select Authentication > Local EAP Server.
b. Select Enabled for Status.
c. Select TLS from the Available methods list and click << to add TLS to the Selected methods list.
d. Select test from the PKI domain list.
e. Click Apply.
4.
5.
6.
j. Click Apply.
A configuration progress dialog box appears.
k. When a dialog box appears asking for your confirmation to enable the EAP service, confirm
the operation to proceed.
l.
7.
8.
9. Enable 802.11n(2.4GHz):
a. From the navigation tree, select Radio > Radio.
b. Select the AP of ap1 with the radio mode 802.11n(2.4GHz).
c. Click Enable.
Configuring users
Overview
This module allows you to configure local users, user groups, guests, and user profiles.
Local user
A local user represents a set of user attributes configured on a device (such as the user password, user
type, service type, and authorization attribute). It is uniquely identified by the username. For a user
requesting a network service to pass local authentication, you must add an entry as required in the local
user database of the device. For more information about local authentication, see "Configuring AAA."
User group
A user group consists of a group of local users and has a set of local user attributes. You can configure
local user attributes for a user group to implement centralized management of user attributes for the local
users in the group. All local users in a user group inherit the user attributes of the group, but if you
configure user attributes for a local user, the settings of the local user take precedence over the settings
for the user group.
By default, every newly added local user belongs to a user group named system, which is automatically
created by the system.
Guest
A guest is a local user for specific applications. You can create a guest account for portal and LAN users
to temporarily access the network.
User profile
A user profile is a configuration template for saving predefined configurations. You can configure different items such as Quality of Service (QoS) policy, rate limit, wireless service, and AP group for different user profiles to accommodate different application scenarios.
During the authentication process for a user, the authentication server sends the user profile name to the
device, which then enables the configurations in the user profile. After the user passes the authentication
and accesses the device, the device restricts the user's access based on the configurations in the user
profile. When the user logs out, the device automatically disables the configurations in the user profile,
removing the restrictions on the user as a result. As the mechanism indicates, user profiles are for
restricting online users' access. If no user is online (no user is accessing the network, no user has passed
authentication, or all users have logged out), user profiles do not take effect.
With user profiles, you can:
- Make use of system resources more granularly. For example, you can apply a QoS policy on a per-user basis.
- Restrict users' access rate more flexibly. For example, you can deploy traffic policing on a per-user basis by defining a rate limit in user profiles.
- Restrict users' access more specifically. For example, you can deploy user access control on a per-wireless service basis by defining an SSID in user profiles. Or you can deploy user access control on a per-AP basis by defining APs in the user profiles.
NOTE:
On the Local User tab, you can modify a guest user, but the user type changes to another one after your
modification.
Figure 450 Local user list
2. Click Add.
The local user configuration page appears. On this page, you can create a local user of any type except guest.
3.
4. Click Apply.
Item | Description
Username |
Password |
Confirm |
Password Encryption | Options include:
- Reversible
- Irreversible
Group | Select a user group for the local user. For information about user group configuration, see "Configuring a user group."
User Type | Specify the user type for the local user:
- Common User.
- Security Log Admin: Users of this type can only manage security log files through the Web interface. Only users of this type can manage security log files.
- Guest Admin: Users of this type can only manage guest accounts through the Web interface, log in to the Authentication > User > Guest page to add, modify, or delete a guest user.
Level | Select an authorization level for the local user: Visitor, Monitor, Configure, or Management, in ascending order of priority. A local user has the rights of the specified level and all levels lower than the specified level (if any).
- Visitor: A user of this level can perform ping and trace route operations but cannot read any data from the device or configure the device.
- Monitor: A user of this level can read data from the device but cannot configure the device.
- Configure: A user of this level can read data from the device and configure the device but cannot upgrade the device software, add/delete/modify users, or backup/restore configuration files.
- Management: A user of this level can perform all operations except for security log file reading and management.
IMPORTANT:
This option is effective only for Web, FTP, Telnet, and SSH users.
Service Type | Select the service types for the local user to use: FTP, Telnet, PPP, Portal, LAN access (accessing through the Ethernet, such as 802.1X users), or SSH.
IMPORTANT:
- If you do not specify any service type for a local user who uses local authentication, the user cannot pass authentication and cannot log in.
- The service type of the guest administrator and security log administrator is Web.
- The service type of the guest administrator and security log administrator is Portal and LAN-Access.
Expire-time | Specify an expiration time for the local user. When authenticating a local user with the expiration time configured, the access device checks whether the expiration time has elapsed. If not, the device permits the user to log in.
VLAN | Specify the VLAN to be authorized to the local user after the user passes authentication.
IMPORTANT:
This option is effective only for portal and LAN users.
ACL | Specify the ACL to be used by the access device to restrict the access of the local user after the user passes authentication.
IMPORTANT:
This option is effective only for PPP, portal, and LAN users.
User-profile | Specify the user profile for the local user.
IMPORTANT:
This option is effective only for PPP, portal, and LAN users.
2. Click the User Group tab to display the existing user groups.
3.
4.
5. Click Apply.
Item | Description
Group-name |
Level | Select an authorization level for the user group: Visitor, Monitor, Configure, or Management, in ascending order of priority.
VLAN | Specify the VLAN to be authorized to a user in the user group after the user passes authentication.
ACL | Specify the ACL to be used by the access device to restrict the access of a user in the user group after the user passes authentication.
User-profile |
Allow Guest Accounts |
Configuring a guest
Two categories of administrators can configure guests: guest administrators and administrators of the
management level. A guest administrator can only manage guests through the Web interface. For
information about the user type and authorization level, see Table 140.
2.
3.
4.
5. Click Apply.
Item | Description
Username | Specify a name for the guest when users are not created in a batch.
User-name(prefix) | Specify the username prefix and number for guests to be created in a batch. For example, if you specify the username prefix as abc and number as 50, 50 guests will be created, with the usernames abc0 through abc49.
Password, Confirm | Specify a password for the guest.
Same as the Username | If you select this option, you do not need to enter the password and confirm password, and the guest password is the same as the username. If you do not select this option, you must enter the password and confirm password, and they must be the same.
IMPORTANT:
If the password starts with a space, the space will be omitted.
Password Encryption | Select the attribute for the password encryption method:
- Reversible
- Irreversible
Group | Select a user group for the guest. For information about user group configuration, see "Configuring a user group."
ValidTime | Specify a valid time range for the guest, including the start time and end time. When authenticating a local user with the valid time configured, the access device checks whether the valid time has elapsed. If not, the device permits the user to log in.
Log in to the AC as a guest administrator, and then select Authentication > User from the
navigation tree.
The guest management page appears.
2.
3.
4.
Click Apply.
NOTE:
The guest accounts are also displayed in the local user list. You can click the icon
to edit the guest information and authorization attributes.
2. Click the User Profile tab to display the existing user profiles.
3.
4.
5. Click Apply.
The user profile configuration page appears.
6.
7. Click Apply.
Item | Description
Userprofile name |
Qos-out policy |
Qos-in policy |
limited-out rate |
limited-in rate |
Services permitted | Select the services in the Services list box and click the < button to add them to the Selected services list box. The available wireless services are those configured on the page you enter by selecting Wireless Service > Access Service. For more information, see "Access service configuration."
APs permitted | Specify the APs permitted in the user profile: Select the APs in the APs list box and click the < button to add them to the Selected APs list box. The available APs are those you configured on the page you enter by selecting AP > AP Group. For more information, see "AP configuration."
8. From the page displaying the existing user profiles, select the option before the user profile to be enabled.
9. Click Enable.
Managing certificates
Overview
The Public Key Infrastructure (PKI) is a general security infrastructure for providing information security
through public key technologies. It is the most widely applied encryption mechanism currently. HP's PKI
system provides certificate management for IP Security (IPsec), and Secure Sockets Layer (SSL).
PKI, also called asymmetric key infrastructure, uses a key pair to encrypt and decrypt data. The key pair
consists of a private key and a public key. The private key must be kept secret, but the public key needs
to be distributed. Data encrypted by one of the two keys can only be decrypted by the other.
A key problem of PKI is how to manage the public keys. Currently, PKI employs the digital certificate
mechanism to solve this problem. The digital certificate mechanism binds public keys to their owners,
helping distribute public keys in large networks securely.
With digital certificates, the PKI system provides network communication and e-commerce with security
services such as user authentication, data non-repudiation, data confidentiality, and data integrity.
The PKI technology can satisfy the security requirements of online transactions. As an infrastructure, PKI
has a wide range of applications. Here are some application examples:
Web security: For Web security, two peers can establish a Secure Sockets Layer (SSL) connection first for transparent and secure communications at the application layer. With PKI, SSL enables encrypted communications between a browser and a server. Both communication parties can verify the identity of each other through digital certificates.
For more information about PKI, see HP WX Series Access Controllers Security Configuration Guide.
Configuration guidelines
When you configure PKI, note the following guidelines:
Make sure the clocks of entities and the CA are synchronous. Otherwise, the validity period of
certificates will be abnormal.
The Windows 2000 CA server has some restrictions on the data length of a certificate request. If the
PKI entity identity information in a certificate request goes beyond a certain limit, the server will not
respond to the certificate request.
The SCEP plug-in is required when you use the Windows Server as the CA. In this case, you need
to specify RA as the authority for certificate request when you configure the PKI domain.
The SCEP plug-in is not required when you use the RSA Keon software as the CA. In this case, you
need to specify CA as the authority for certificate request when you configure the PKI domain.
Configuration procedures
The system supports the following PKI certificate request modes:
Manual: In manual mode, you must retrieve a CA certificate, generate a local RSA key pair, and submit a local certificate request for an entity.
Auto: In auto mode, an entity automatically requests a certificate through the Simple Certificate Enrollment Protocol (SCEP) when it has no local certificate or the existing certificate is about to expire.
You can specify the PKI certificate request mode for a PKI domain. Different PKI certificate request modes
require different configurations.
Manual request mode configuration steps:
1. Create a PKI entity and configure the identity information. Required.
A certificate is the binding of a public key and an entity, where an entity is the collection of the identity information of a user. A CA identifies a certificate applicant by entity.
The identity settings of an entity must be compliant to the CA certificate issue policy. Otherwise, the certificate request might be rejected.
2. Create a PKI domain, setting the certificate request mode to Manual. Required.
3. Generate an RSA key pair.
Generating an RSA key pair is an important step in certificate request. The key pair includes a public key and a private key. The private key is kept by the user, and the public key is transferred to the CA along with some other information.
IMPORTANT:
If a local certificate already exists, you must remove the certificate before generating a new key pair, so as to keep the consistency between the key pair and the local certificate.
4. Retrieving the CA certificate. Required.
Certificate retrieval serves the following purposes:
Locally store the certificates associated with the local security domain for improved query efficiency and reduced query count,
IMPORTANT:
If a local certificate already exists, you cannot perform the local certificate retrieval operation. This will avoid possible mismatch between the local certificate and registration information resulting from relevant changes. To retrieve a new local certificate, you must remove the CA certificate and local certificate first.
5. Requesting a local certificate.
6. Optional.
If the certificate to be retrieved contains an RSA key pair, you must destroy the existing RSA key pair. Otherwise, the certificate cannot be retrieved. Destroying the existing RSA key pair also destroys the corresponding local certificate.
7. Retrieving and displaying a certificate. Required if you request a certificate in offline mode.
Retrieve an existing certificate and display its contents.
8. Retrieving and displaying a CRL. Optional.
Retrieve a CRL and display its contents.
Auto request mode configuration steps:
1. Create a PKI entity and configure the identity information. Required.
A certificate is the binding of a public key and an entity, where an entity is the collection of the identity information of a user. A CA identifies a certificate applicant by entity.
The identity settings of an entity must be compliant to the CA certificate issue policy. Otherwise, the certificate request might be rejected.
2. Create a PKI domain, setting the certificate request mode to Auto. Required.
3. If the certificate to be retrieved contains an RSA key pair, you must destroy the existing RSA key pair. Otherwise, the certificate cannot be retrieved. Destroying the existing RSA key pair also destroys the corresponding local certificate.
4. Retrieving and displaying a certificate. Optional.
Retrieve an existing certificate and display its contents.
5. Retrieving and displaying a CRL. Optional.
Retrieve a CRL and display its contents.
2.
3.
4.
Click Apply.
Description
Entity Name
Common Name
IP Address
FQDN
Country/Region Code
State
Item
Description
Locality
Organization
Organization Unit
2.
3.
4.
5.
Click Apply.
Description
Enter the name for the PKI domain. By default, the device contains a PKI domain named local_domain.
CA Identifier: Enter the identifier of the trusted CA. An entity requests a certificate from a trusted CA. The trusted CA takes the responsibility of certificate registration, distribution, revocation, and query. In offline mode, this item is optional. In other modes, this item is required.
Entity Name: Select the local PKI entity. When submitting a certificate request to a CA, an entity needs to show its identity information. Available PKI entities are those that have been configured.
Institution: Select the authority for certificate request.
Requesting URL: The entity will submit the certificate request to the server at this URL through the SCEP protocol. The SCEP protocol is intended for communication between an entity and an authentication authority. In offline mode, this item is optional. In other modes, this item is required.
IMPORTANT:
This item does not support domain name resolution.
LDAP IP / Port / Version: Enter the IP address, port number and version of the LDAP server. In a PKI system, the storage of certificates and CRLs is a crucial problem, which is usually addressed by deploying an LDAP server.
Request Mode
Password Encrypt
Password
Fingerprint Hash / Fingerprint: Specify the fingerprint used for verifying the CA root certificate.
After receiving the root certificate of the CA, an entity needs to verify the fingerprint of the root certificate, namely, the hash value of the root certificate content. This hash value is unique to every certificate. If the fingerprint of the root certificate does not match the one configured for the PKI domain, the entity will reject the root certificate.
If you specify MD5 as the hash algorithm, enter an MD5 fingerprint. The fingerprint must be a string of 32 characters in hexadecimal notation.
If you specify SHA1 as the hash algorithm, enter an SHA1 fingerprint. The fingerprint must be a string of 40 characters in hexadecimal notation.
If you do not specify the fingerprint hash, do not enter any fingerprint. The entity will not verify the CA root certificate, and you yourself must make sure that the CA server is trusted.
IMPORTANT:
The fingerprint must be configured if you specify the certificate request mode as Auto. If you
specify the certificate request mode as Manual, you can leave the fingerprint settings null. If
you do not configure the fingerprint, the entity will not verify the CA root certificate and you
yourself must make sure that the CA server is trusted.
Polling Count / Polling Interval: Set the polling interval and attempt limit for querying the certificate request status. After an entity makes a certificate request, the CA might need a long period of time if it verifies the certificate request in manual mode. During this period, the applicant needs to query the status of the request periodically to get the certificate as soon as possible after the certificate is signed.
Enable CRL Checking: Click this box to specify that CRL checking is required during certificate verification. By default, CRL checking is disabled in the default PKI domain local_domain.
Enter the interval at which the PKI entity downloads the latest CRLs. This item is available when the Enable CRL Checking box is selected. By default, the CRL update period depends on the next update field in the CRL file.
CRL URL: Enter the URL of the CRL distribution point. This item is available when the Enable CRL Checking box is selected. When the URL of the CRL distribution point is not set, you should acquire the CA certificate and a local certificate, and then acquire a CRL through SCEP.
IMPORTANT:
This item does not support domain name resolution.
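The root-certificate fingerprint check described in the PKI domain settings above, as an added Python example (this is not code from the HP guide or the device firmware): the entity hashes the whole DER content of the received CA root certificate with MD5 or SHA1, requires the configured fingerprint to be exactly 32 or 40 hexadecimal characters, compares it in constant time, and applies the rule from the IMPORTANT note that Auto request mode cannot run without a fingerprint while Manual mode accepts the root certificate unverified. The sample certificate bytes and all function names are constructed for this example.

```python
import hashlib
import hmac
import re

# Length in hex characters that the domain settings require for each fingerprint hash.
FINGERPRINT_HEX_LENGTH = {"md5": 32, "sha1": 40}

# Constructed stand-in for a DER-encoded CA root certificate; not a real certificate.
SAMPLE_ROOT_CERT_DER = bytes.fromhex("308201223082008a") + b"constructed-root-cert-body"


def fingerprint(cert_der: bytes, algorithm: str) -> str:
    """Hex fingerprint of a certificate: the hash over its complete DER content."""
    algo = algorithm.lower()
    if algo not in FINGERPRINT_HEX_LENGTH:
        raise ValueError(f"unsupported fingerprint hash: {algorithm}")
    return hashlib.new(algo, cert_der).hexdigest()


def is_well_formed_fingerprint(value: str, algorithm: str) -> bool:
    """True when the configured value is 32 (MD5) or 40 (SHA1) hex characters."""
    expected_len = FINGERPRINT_HEX_LENGTH.get(algorithm.lower())
    if expected_len is None:
        return False
    return re.fullmatch(r"[0-9a-fA-F]{%d}" % expected_len, value) is not None


def accept_root_certificate(cert_der: bytes, algorithm: str,
                            configured_fingerprint: str, request_mode: str):
    """Model the entity's decision on a received CA root certificate.

    Returns (accepted, reason). request_mode is "auto" or "manual".
    """
    if not algorithm or not configured_fingerprint:
        # No fingerprint configured: Auto mode requires one; Manual mode accepts the
        # root certificate without verification, so the operator must trust the CA server.
        if request_mode.lower() == "auto":
            return False, "fingerprint is required in Auto request mode"
        return True, "no fingerprint configured; root certificate accepted unverified"
    if not is_well_formed_fingerprint(configured_fingerprint, algorithm):
        return False, f"configured value is not a valid {algorithm.upper()} fingerprint"
    actual = fingerprint(cert_der, algorithm)
    # Constant-time comparison so the check does not leak how many characters matched.
    if hmac.compare_digest(actual, configured_fingerprint.lower()):
        return True, "fingerprint matches"
    return False, f"fingerprint mismatch: expected {configured_fingerprint.lower()}, got {actual}"
```

A practical check before enabling Auto mode is to compute the fingerprint out of band (for example on the CA host) and compare it with `fingerprint(cert_der, "sha1")` rather than trusting the value shown by the first SCEP download.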
2.
3.
Click Create Key to enter RSA key pair parameter configuration page.
4.
5.
Click Apply.
2.
3.
4.
Click Apply to destroy the existing RSA key pair and the corresponding local certificate.
To retrieve a certificate:
1.
2.
3.
4.
5.
Click Apply.
Description
Select the PKI domain for the certificate. By default, the list displays the default PKI domain local_domain.
Certificate Type
Enable Offline Mode: Click this box to retrieve a certificate in offline mode (that is, by an out-of-band means like FTP, disk, or email) and then import the certificate into the local PKI system.
Specify the path and name of the certificate file if you retrieve the certificate in offline mode.
If the certificate file is saved on the device, select Get File From Device, and then specify the path of the file on the device.
If the certificate file is saved on a local PC, select Get File From PC and then specify the path to the file and select the partition of the device for saving the file.
Password: Enter the password for protecting the private key if you retrieve the certificate in offline mode. The password was specified when the certificate was exported.
6. After you retrieve a certificate, click View Cert corresponding to the certificate from the PKI certificates list to display the contents of the certificate.
2.
3.
4.
Description
Select the PKI domain for the certificate.
By default, the list displays the default PKI domain local_domain.
Password
Click this box to request a certificate in offline mode, that is, by an out-of-band
means like FTP, disk, or email.
5.
Click Apply.
If you request the certificate in online mode, the system displays Certificate request has been
submitted. Click OK. If you request the certificate in offline mode, the system displays the offline
certificate request information. You can submit the information to the CA by an out-of-band means.
2.
3.
4.
Click View CRL for the domain to display the contents of the CRL.
The AC submits a local certificate request to the CA server, which runs the RSA Keon software.
2.
3.
Configuring the AC
1.
2.
Click the expansion button before Advanced Configuration to display the advanced
configuration items.
j.
Click Apply.
The system displays the following message: Fingerprint of the root certificate not specified. No
root certificate validation will occur. Continue?
m. Click OK.
Figure 476 Configuring a PKI domain
3.
4.
5.
6.
Rogue detection
Terminology
Rogue AP: An unauthorized or malicious access point on the network, such as an employee setup AP, misconfigured AP, neighbor AP or an attacker operated AP. Because it is not authorized, if there is any vulnerability in the AP, the hacker will have a chance to compromise your network security.
Monitor AP: An AP that scans or listens to 802.11 frames to detect rogue devices in the network.
Ad hoc mode: A wireless client in ad-hoc mode can communicate directly with other stations without support from any other device.
Monitor mode: In this mode, an AP scans all 802.11g frames in the WLAN, but cannot provide WLAN services. As shown in Figure 481, AP 1 works as an access AP, and AP 2 works as a monitor AP to listen to all 802.11g frames. AP 2 cannot provide wireless access services.
Hybrid mode: In this mode, an AP can both scan devices in the WLAN and provide WLAN data
services.
If the rogue device is a rogue AP, legal clients will not use the rogue AP to access the WLAN.
If the rogue device is an ad-hoc client, it is denied, and ad-hoc clients cannot communicate with
each other.
Functionalities supported
The rogue detection feature supports the following functionalities:
Rogue AP detection
Flood attack
Spoofing attack
Weak IV attack
Probe requests
Weak IV detection
Wired Equivalent Privacy (WEP) uses an Initialization Vector (IV) to encrypt each frame. The system uses
an IV and a key to generate a key stream, so encryptions using the same key have different results. Also,
when a WEP frame is sent, the IV used in encrypting the frame is sent as part of the frame header.
However, if a WLAN device generates IVs in an insecure way, for example, if it uses a fixed IV for all
frames, the shared secret key may be exposed to any potential attackers. When the shared secret key is
compromised, the attacker can access network resources.
Weak IV detection counters this attack by verifying the IVs in WEP frames. Whenever a frame with a
weak IV is detected, it is immediately logged.
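The weak IV detection described above, as an added Python example (not code from the HP guide or the device): it runs over a constructed sample of WEP frames that a monitor AP might see and emits one log entry per weak IV and one whenever the same transmitter reuses an IV, which covers the page's own example of a device that uses a fixed IV for all frames. The guide does not say which IV values the device treats as weak; the `is_weak_iv` rule here flags the well-known weak class in which the second IV byte is 0xFF and the first byte is 3 to 15, and is an assumption of this example, as are the frame tuples and MAC addresses.

```python
from collections import defaultdict

# Constructed sample of WEP data frames seen by a monitor AP: (BSSID, source MAC, 3-byte IV).
# These are made-up values, not captured traffic.
SAMPLE_WEP_FRAMES = [
    ("000f-e2aa-0001", "000f-e215-1515", bytes([0x0a, 0x1b, 0x2c])),
    ("000f-e2aa-0001", "000f-e215-1515", bytes([0x0a, 0x1b, 0x2d])),
    ("000f-e2aa-0001", "000f-e215-1530", bytes([0x03, 0xff, 0x77])),  # weak IV class
    ("000f-e2aa-0001", "000f-e215-1530", bytes([0x03, 0xff, 0x77])),  # same IV sent again
    ("000f-e2aa-0002", "000f-e213-1235", bytes([0x11, 0x11, 0x11])),
    ("000f-e2aa-0002", "000f-e213-1235", bytes([0x11, 0x11, 0x11])),  # fixed IV on every frame
    ("000f-e2aa-0002", "000f-e213-1235", bytes([0x11, 0x11, 0x11])),
]


def is_weak_iv(iv: bytes) -> bool:
    """Assumed weak-IV rule: 24-bit IV whose second byte is 0xFF and first byte is 3..15,
    the class long known to expose WEP key bytes through the RC4 key schedule."""
    return len(iv) == 3 and iv[1] == 0xFF and 3 <= iv[0] <= 15


def detect_weak_ivs(frames, reuse_threshold: int = 2):
    """Return log lines for weak IVs and for IVs reused by one transmitter under one BSSID.

    A reuse entry is logged once, when the count for that (BSSID, source, IV) reaches
    reuse_threshold, so a device that never rotates its IV produces a single alert.
    """
    logs = []
    seen = defaultdict(int)  # (bssid, src, iv) -> number of frames observed
    for bssid, src, iv in frames:
        if is_weak_iv(iv):
            logs.append(f"WEAK-IV bssid={bssid} src={src} iv={iv.hex()}")
        seen[(bssid, src, iv)] += 1
        if seen[(bssid, src, iv)] == reuse_threshold:
            logs.append(f"IV-REUSE bssid={bssid} src={src} iv={iv.hex()} count={reuse_threshold}")
    return logs
```

On the sample above the detector produces two WEAK-IV entries for the frames from 000f-e215-1530 and one IV-REUSE entry each for that client and for the fixed-IV client under the second BSSID; the right response to either alert is to retire WEP on that SSID rather than to tune the thresholds.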
White list: Contains the MAC addresses of all clients allowed to access the WLAN. If the white list is used, only permitted clients can access the WLAN, and all frames from other clients are discarded.
Static blacklist: Contains the MAC addresses of clients forbidden to access the WLAN. This list is configured manually.
Dynamic blacklist: Contains the MAC addresses of clients forbidden to access the WLAN. A client is added to the list dynamically when it is considered to be sending attack frames, and stays on the list until the timer of the entry expires. A dynamic blacklist can collaborate with ARP detection. When ARP detection detects any attacks, the MAC addresses of attackers are added to the dynamic blacklist. For more information about ARP detection, see "Configuring ARP attack defense."
When an AP receives an 802.11 frame, it checks the source MAC address of the frame and processes the frame as follows:
1. If the source MAC address does not match any entry in the white list, the frame is dropped. If there is a match, the frame is considered valid, and is processed further.
2. If no white list entries exist, the static and dynamic blacklists are searched.
3. If the source MAC address matches an entry in any of the two lists, the frame is dropped.
4. If there is no match, or no blacklist entries exist, the frame is considered valid, and is processed further.
A static blacklist or white list configured on an AC applies to all APs connected to the AC, while a
dynamic blacklist applies to APs that receive attack frames.
Figure 484 Network diagram for WLAN client access control
In the topology above, three APs are connected to an AC. Configure white list and static blacklist
entries on the AC, which will send all the entries to the APs. If the MAC address of a station, Client
1 for example, is present in the blacklist, it cannot access any of the APs. If only Client 1 is present
in the white list, it can access any of the APs, and other clients cannot access any of the APs.
Enable dynamic blacklist function on the AC. If AP 1 receives attack frames from Client 1, a dynamic
blacklist entry is generated in the blacklist. Client 1 cannot associate with AP 1, but can associate
with AP 2 or AP 3. If AP 2 or AP 3 receives attack frames from Client 1, a new dynamic blacklist
entry is generated in the blacklist.
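The four-step frame check and the Figure 484 scenario above, as an added Python example (not code from the HP guide or the AC): each AP holds the white list and static blacklist pushed by the AC plus its own dynamic blacklist, which only the AP that saw the attack frames populates, so Client 1 is refused by AP 1 but can still associate with AP 2 and AP 3 until those APs see attack frames themselves. The steps are applied exactly as written on the page, so when a white list exists the blacklists are not consulted. The dynamic-entry lifetime, MAC addresses and class names are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class ApAccessControl:
    """One AP's view of the access-control lists.

    white_list and static_blacklist come from the AC and are identical on every AP;
    dynamic_blacklist is local to the AP that detected the attack frames.
    """
    white_list: set = field(default_factory=set)
    static_blacklist: set = field(default_factory=set)
    dynamic_blacklist: dict = field(default_factory=dict)  # MAC -> expiry timestamp (seconds)
    lifetime: int = 300  # constructed default lifetime of a dynamic entry

    def add_attacker(self, mac: str, now: float) -> None:
        """Called when WIDS (or ARP detection) attributes attack frames to a MAC; restarts the timer."""
        self.dynamic_blacklist[mac.lower()] = now + self.lifetime

    def _expire(self, now: float) -> None:
        # Entries whose lifetime has passed are removed before the lookup.
        for mac in [m for m, exp in self.dynamic_blacklist.items() if exp <= now]:
            del self.dynamic_blacklist[mac]

    def accept_frame(self, src_mac: str, now: float):
        """Apply the page's four steps to one received frame; returns (accepted, reason)."""
        src_mac = src_mac.lower()
        if self.white_list:
            # Step 1: with a white list present, only listed clients pass.
            if src_mac in self.white_list:
                return True, "white list match"
            return False, "not in white list"
        # Step 2: no white list entries, so search the static and dynamic blacklists.
        self._expire(now)
        if src_mac in self.static_blacklist:      # Step 3
            return False, "static blacklist match"
        if src_mac in self.dynamic_blacklist:     # Step 3
            return False, "dynamic blacklist match"
        return True, "no blacklist match"         # Step 4


def simulate_page_scenario() -> dict:
    """Replay the Figure 484 narrative: three APs, Client 1 sends attack frames to AP 1 only."""
    client1 = "000f-e215-1515"
    aps = {name: ApAccessControl(lifetime=60) for name in ("AP 1", "AP 2", "AP 3")}
    aps["AP 1"].add_attacker(client1, now=0)
    result = {name: ap.accept_frame(client1, now=10)[0] for name, ap in aps.items()}
    # After the lifetime elapses the dynamic entry is gone and AP 1 accepts the client again.
    result["AP 1 after lifetime"] = aps["AP 1"].accept_frame(client1, now=61)[0]
    return result
```

Because the dynamic list is per AP, an attacker that moves between APs is blocked only where it has already been caught; a static blacklist entry on the AC is the way to block it everywhere at once.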
Remarks
Required.
1.
2.
Required.
3.
Optional.
2.
3.
4.
Click Apply.
Description
Work mode: Configure the AP operating mode:
In normal mode, an AP provides WLAN data services but does not perform scanning.
In monitor mode, an AP scans all 802.11g frames in the WLAN, but cannot provide WLAN services.
In hybrid mode, an AP can both scan devices in the WLAN and provide WLAN data services.
IMPORTANT:
When an AP has its operating mode changed from normal to monitor, it does not
restart.
When an AP has its operating mode changed from monitor to normal, it restarts.
NOTE:
An AP operating in hybrid mode can provide WLAN data services as well as scanning devices in the
WLAN, so WLAN service configurations are needed.
An AP operating in monitor mode cannot provide WLAN data services, so WLAN service
configurations are not needed.
Flowchart (client classification): a detected client is checked against the static attack list, then against the permitted MAC address list, and then the AP (BSSID) the client is associated with is checked for legality; the outcome is either Legal client (Friend) or Illegal client (Rogue).
2.
Click the Rule List tab to enter detection rule list configuration page.
3.
Description
List Type
4.
Select MAC from the list and click Add to enter the MAC address configuration page.
5.
6.
Click Apply.
Description
MAC
If you select this option, the MAC address table displays MAC addresses of the
current devices. Select the MAC addresses to be permitted.
The operation to add other types of lists is similar to the add operation of a MAC address list, so the
description is omitted.
2.
3.
4.
Click Apply.
Description
Unlaw Set: Allows you to take countermeasures against rogue devices (including illegal APs and illegal clients).
Reverse Mode
Once a rogue device is detected, an entry for it is added to the monitor record and
the aging time starts. The aging time restarts if the device is detected again during
the time. When the aging time is reached, the entry is deleted from the monitor
record and added to the history record.
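The client classification flow (static attack list, then permitted MAC list, then legality of the associated BSSID) and the monitor-record aging just described, as an added Python example (not code from the HP guide or the AC). A detection creates or refreshes the monitor entry and restarts its aging timer; when the aging time is reached the entry moves to the history record. The verdicts use the r (rogue) and p (permitted) type codes of the monitor record. The lists, MAC addresses, aging time and class name are constructed for the example, and the assumption that the static attack list is checked before the permitted list follows the order in the flowchart.

```python
class RogueMonitor:
    """Client classification plus the monitor/history record with aging."""

    def __init__(self, aging_time, static_attack_list=(), permitted_macs=(), legal_bssids=()):
        self.aging_time = aging_time
        self.static_attack_list = {m.lower() for m in static_attack_list}
        self.permitted_macs = {m.lower() for m in permitted_macs}
        self.legal_bssids = {b.lower() for b in legal_bssids}
        self.monitor_record = {}  # MAC -> {"type", "bssid", "expires"}
        self.history_record = []  # (MAC, entry) pairs whose aging time was reached

    def classify_client(self, mac: str, bssid: str) -> str:
        """Follow the flowchart: static attack list, permitted list, then BSSID legality."""
        mac, bssid = mac.lower(), bssid.lower()
        if mac in self.static_attack_list:
            return "r"  # rogue, regardless of where it is associated
        if mac in self.permitted_macs:
            return "p"  # permitted (friend), even on an unknown BSSID
        return "p" if bssid in self.legal_bssids else "r"

    def observe(self, mac: str, bssid: str, now: float) -> str:
        """Record a detection: create or refresh the entry and restart its aging timer."""
        self.age(now)
        verdict = self.classify_client(mac, bssid)
        self.monitor_record[mac.lower()] = {
            "type": verdict, "bssid": bssid.lower(), "expires": now + self.aging_time}
        return verdict

    def age(self, now: float) -> None:
        """Move entries whose aging time is reached from the monitor record to the history record."""
        for mac in [m for m, e in self.monitor_record.items() if e["expires"] <= now]:
            self.history_record.append((mac, self.monitor_record.pop(mac)))


def run_example():
    """Constructed walk-through: four detections, one refresh, then aging at t=130."""
    mon = RogueMonitor(aging_time=120, static_attack_list=["00aa-bbbb-0001"],
                       permitted_macs=["000f-e215-1515"], legal_bssids=["000f-e2aa-0001"])
    verdicts = [
        mon.observe("00aa-bbbb-0001", "000f-e2aa-0001", now=0),   # r: attack list wins over legal AP
        mon.observe("000f-e215-1515", "00de-adbe-ef00", now=0),   # p: permitted on an unknown AP
        mon.observe("000f-e215-1530", "000f-e2aa-0001", now=0),   # p: unknown client on a legal AP
        mon.observe("000f-e215-1530", "00de-adbe-ef00", now=50),  # r: same client on an illegal AP
    ]
    mon.observe("00aa-bbbb-0001", "000f-e2aa-0001", now=100)      # re-detected: timer restarts
    mon.age(now=130)  # entries last refreshed at t=0 expire; refreshed ones remain
    return verdicts, sorted(mon.monitor_record), sorted(m for m, _ in mon.history_record)
```

Note that a client that moves from a legal AP to an unknown one flips from p to r in place; the monitor record keeps only the latest verdict, so the history record is where an investigator finds the earlier state.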
2.
Click the Monitor Record tab to enter the monitor record page.
Type / Description:
r: Rogue device.
p: Permitted device.
a: Ad hoc device.
w: AP.
b: Wireless bridge.
c: Client.
2.
Click the History Record tab to enter the history record page.
Configuring WIDS
Configuring WIDS
1.
2.
3.
Click Apply.
Description
If you select the option, flood attack detection is enabled.
It is disabled by default.
2.
Click the History Record tab to enter the history information page.
2.
2.
On the Blacklist tab, configure the dynamic blacklist as described in Table 154.
3.
Click Apply.
Description
Dynamic Blacklist
Lifetime
Configure the lifetime of the entries in the blacklist. When the lifetime of an entry
expires, the entry is removed from the blacklist.
NOTE:
These attacks can be detected through a dynamic blacklist: Assoc-Flood, Reassoc-Flood, Disassoc-Flood,
ProbeReq-Flood, Action-Flood, Auth-Flood, Deauth-Flood and NullData-Flood.
2.
On the Blacklist tab, click Static to enter the static blacklist configuration page.
3.
4.
5.
Click Apply.
Description
MAC Address
Select MAC Address, and then add a MAC address to the static blacklist.
If you select the option, the table below lists the current existing clients. Select the
options of the clients to add their MAC addresses to the static blacklist.
2.
3.
Click Add.
4.
5.
Click Apply.
Description
MAC Address
Select MAC Address, and then add a MAC address to the white list.
If you select the option, the table below this option lists the current existing clients.
Select the options of the clients to add their MAC addresses to the white list.
AP 2 operates in monitor mode, and scans all 802.11g frames in the WLAN.
Client 1 (MAC address 000f-e215-1515), Client 2 (MAC address 000f-e215-1530), and Client 3
(MAC address 000f-e213-1235) are connected to AP 1. They are configured as friends.
Configuration guidelines
The radio must be disabled so that the AP operation mode can be changed.
If you configure more than one detection rule, you need to specify the rogue device types (AP, client,
bridge, and ad hoc) and the rule matching order. For more information, see "Configuring user
isolation."
The wireless service configuration is needed for an AP operating in hybrid mode, and not needed
for an AP in monitor mode.
Configuration procedure
1.
2.
c. On the page that appears, set the AP name to ap2, select the AP model MSM460-WW, select
Manual, and enter the serial ID of AP 2.
d. Click Apply.
Figure 504 AP configuration
3.
4.
5.
If you add the MAC address of the gateway to the permitted MAC address list, Client A, Client B,
and Host A in the same VLAN are isolated, but they can access the Internet.
If you add the MAC address of a user (Client A, for example) to the permitted MAC address list,
Client A and Client B, and Client A and Host A can access each other directly, but Client B and Host
A cannot.
To enable all the users in the VLAN to access one another and the Internet, you need to add the MAC
address of the gateway and the MAC addresses of the users to the permitted MAC address list.
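The permitted MAC address list semantics described above, as an added Python example (not code from the HP guide or the AC): with user isolation enabled in a VLAN, a frame between two users is forwarded only when at least one endpoint's MAC address is on the permitted list, which reproduces the three cases on the page (gateway only, one user only, gateway plus all users). The host names follow the page; their MAC addresses and the function names are constructed for the example.

```python
def isolation_allows(src_mac: str, dst_mac: str, permitted_macs) -> bool:
    """Under user isolation, direct traffic is allowed only if either endpoint is permitted."""
    permitted = {m.lower() for m in permitted_macs}
    return src_mac.lower() in permitted or dst_mac.lower() in permitted


def reachability(hosts: dict, permitted_macs) -> set:
    """Return the unordered pairs of hosts (by name) that can reach each other directly."""
    pairs = set()
    names = sorted(hosts)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if isolation_allows(hosts[a], hosts[b], permitted_macs):
                pairs.add((a, b))
    return pairs


# Constructed addresses for the hosts named on the page.
HOSTS = {
    "Client A": "000f-e215-1515",
    "Client B": "000f-e215-1530",
    "Host A": "000f-e213-1235",
    "Gateway": "000f-e200-0001",
}


def page_cases() -> dict:
    """The three configurations the page describes, evaluated against HOSTS."""
    users = [HOSTS["Client A"], HOSTS["Client B"], HOSTS["Host A"]]
    return {
        "gateway only": reachability(HOSTS, [HOSTS["Gateway"]]),
        "client A only": reachability(HOSTS, [HOSTS["Client A"]]),
        "gateway and users": reachability(HOSTS, [HOSTS["Gateway"]] + users),
    }
```

A useful review habit is to run `reachability` against the real permitted list before deploying it: every pair it returns is a lateral-movement path that isolation will no longer block.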
2.
Click Add .
The page for configuring user isolation appears.
3.
4.
Click Apply.
Description
VLAN ID
Item
Description
AccessMAC: Specify the MAC addresses to be permitted by the AC. For more information, see "After user isolation is enabled."
Configuration procedure
1.
2.
ACL overview
An access control list (ACL) is a set of rules (or permit or deny statements) for identifying traffic based on
criteria such as source IP address, destination IP address, and port number.
ACLs are essentially used for packet filtering. A packet filter drops packets that match a deny rule and
permits packets that match a permit rule. ACLs are also used by many modules for traffic identification,
for example, QoS and IP routing.
ACLs fall into the following categories (category, ACL number, IP version):
Basic ACLs: 2000 to 2999; IPv4 and IPv6.
Advanced ACLs: 3000 to 3999; IPv4 and IPv6.
Ethernet frame header ACLs: 4000 to 4999.
For more information about ACL, see ACL and QoS Configuration Guide.
QoS overview
Quality of Service (QoS) is a concept concerning service demand and supply. It reflects the ability to
meet customer needs. Generally, QoS does not focus on grading services precisely, but on improving
services under certain conditions.
In the Internet, QoS refers to the ability of the network to forward packets. The evaluation on QoS of a
network can be based on different aspects because the network may provide various services. Generally,
QoS refers to the ability to provide improved service by solving the core issues such as delay, jitter, and
packet loss ratio in the packet forwarding process.
This service policy is only suitable for applications insensitive to bandwidth and delay, such as WWW,
file transfer and email.
Configuration guidelines
When you configure an ACL and QoS, follow these guidelines:
You cannot add an ACL rule with, or modify a rule to have, the same permit/deny statement as an
existing rule in the ACL.
You can only modify the existing rules of an ACL that uses the match order of config. When
modifying a rule of such an ACL, you may choose to change just some of the settings, in which case
the other settings remain the same.
When you configure rate limit and traffic policing for a behavior, make sure the ratio of CBS to CIR
is more than 100:16. Otherwise, the handling for bursty traffic may be affected.
If an ACL is referenced by a QoS policy for defining traffic classification rules, the operation of the
QoS policy varies by interface (the definition of software/hardware interface varies with device
models). The specific process is as follows:
If the QoS policy is applied to a software interface and the referenced ACL rule is a deny clause,
the ACL rule does not take effect and packets go to the next classification rule.
If the QoS policy is applied to a hardware interface, packets matching the referenced ACL rule
are organized as a class and the behavior defined in the QoS policy applies to the class
regardless of whether the referenced ACL rule is a deny or permit clause.
If a QoS policy is applied in the outbound direction of a port, the QoS policy cannot influence local
packets. Local packets refer to the important protocol packets that maintain the normal operation of
the device. QoS must not process such packets to avoid packet drop. Commonly used local packets
are: link maintenance packets, ISIS packets, OSPF packets, RIP packets, BGP packets, LDP packets,
RSVP packets, and SSH packets and so on.
In a policy, a traffic behavior with EF configured cannot be associated with the default class,
and a traffic behavior with WFQ configured can only be associated with the default class.
In a policy, the total bandwidth assigned to the AF and EF classes cannot be greater than the
available bandwidth of the interface to which the policy applies. The total bandwidth
percentage assigned to the AF and EF classes cannot be greater than 100%.
In the same policy, the same bandwidth unit must be used to configure bandwidth for AF classes
and EF classes, either absolute bandwidth value or percent.
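The QoS policy constraints listed in the guidelines above, as an added Python example of a pre-deployment validator (not code from the HP guide or the device): it flags an EF behavior on the default class, a WFQ behavior on any other class, mixed bandwidth units across AF and EF classes, AF plus EF bandwidth above the interface bandwidth or above 100%, and a CBS to CIR ratio that is not more than 100:16. The ratio is applied on the raw numbers exactly as the page states it; the unit assumptions (CIR in kbps, CBS in bytes), the class names and the sample policies are constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Optional

DEFAULT_CLASS = "default-class"  # constructed name for the policy's default class


@dataclass
class ClassBehavior:
    class_name: str
    queue: str                  # "EF", "AF" or "WFQ"
    bandwidth: float = 0.0      # bandwidth assigned to an AF or EF class
    unit: str = "kbps"          # "kbps" (absolute) or "pct" (percentage)
    cir: Optional[float] = None  # traffic policing committed information rate (kbps, assumed)
    cbs: Optional[float] = None  # committed burst size (bytes, assumed)


def validate_policy(entries: List[ClassBehavior], interface_bandwidth_kbps: float) -> List[str]:
    """Return one message per guideline violation; an empty list means the policy passes."""
    problems = []
    units_used = set()
    total_abs = 0.0
    total_pct = 0.0
    for e in entries:
        is_default = e.class_name == DEFAULT_CLASS
        if e.queue == "EF" and is_default:
            problems.append(f"{e.class_name}: EF cannot be associated with the default class")
        if e.queue == "WFQ" and not is_default:
            problems.append(f"{e.class_name}: WFQ can only be associated with the default class")
        if e.queue in ("AF", "EF"):
            units_used.add(e.unit)
            if e.unit == "pct":
                total_pct += e.bandwidth
            else:
                total_abs += e.bandwidth
        # CBS:CIR must be more than 100:16, i.e. cbs/cir > 100/16, i.e. 16*cbs > 100*cir.
        if e.cir is not None and e.cbs is not None and 16 * e.cbs <= 100 * e.cir:
            problems.append(f"{e.class_name}: CBS:CIR ratio must exceed 100:16 ({e.cbs}:{e.cir})")
    if len(units_used) > 1:
        problems.append("AF and EF classes must use the same bandwidth unit (absolute or percent)")
    if total_abs > interface_bandwidth_kbps:
        problems.append(f"AF+EF bandwidth {total_abs} kbps exceeds interface bandwidth "
                        f"{interface_bandwidth_kbps} kbps")
    if total_pct > 100:
        problems.append(f"AF+EF bandwidth percentage {total_pct}% exceeds 100%")
    return problems


# Constructed sample policies.
GOOD_POLICY = [
    ClassBehavior("voice", "EF", bandwidth=200, unit="kbps", cir=200, cbs=2000),
    ClassBehavior("video", "AF", bandwidth=500, unit="kbps"),
    ClassBehavior(DEFAULT_CLASS, "WFQ"),
]
BAD_POLICY = [
    ClassBehavior(DEFAULT_CLASS, "EF", bandwidth=50, unit="pct"),
    ClassBehavior("video", "WFQ"),
    ClassBehavior("bulk", "AF", bandwidth=60, unit="pct", cir=1000, cbs=5000),
]
```

Running the validator on a policy before applying it to an interface is cheaper than discovering the rejected configuration, or the degraded burst handling, on the device.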
Configuring an ACL
ACL configuration procedures
IPv4 ACL configuration procedure
Step
Remarks
Optional.
1.
2.
3.
Required.
4.
5.
Remarks
Optional.
1.
2.
3.
Required.
4.
2.
Click the Add tab to enter the time range adding page.
3.
4.
Click Apply.
Description
Periodic Time Range: Sun, Mon, Tue, Wed, Thu, Fri, and Sat: Select the day or days of the week on which the periodic time range is valid. You can select any combination of the days of the week.
NOTE:
These items are available after you select the Periodic Time Range option.
Absolute Time Range:
From: Set the start time of the absolute time range. The time of the day is in the hh:mm format (24-hour clock), and the date is in the MM/DD/YYYY format.
To: Set the end time of the absolute time range. The time of the day is in the hh:mm format (24-hour clock), and the date is in the MM/DD/YYYY format. The end time must be later than the start time.
NOTE:
These items are available after you select the Absolute Time Range option.
2.
Click the Add tab to enter the IPv4 ACL adding page, as shown in Figure 514.
3.
4.
Click Apply.
Description
ACL Number
Match Order
Config: Packets are compared against ACL rules in the order that the rules are configured.
Auto: Packets are compared against ACL rules in the depth-first match order.
Description
2.
Click the Basic Setup tab to enter the rule configuration page for a basic IPv4 ACL, as shown
in Figure 515.
3.
4.
Click Add.
Description
Select the basic IPv4 ACL for which you want to configure rules. Available ACLs are basic IPv4 ACLs.
Rule ID: Select the Rule ID option and enter a number for the rule. If you do not specify the rule number, the system assigns one automatically.
IMPORTANT:
If the rule number you specify already exists, this procedure modifies the configuration of the existing rule.
Action: Select the action to be performed for IPv4 packets matching the rule:
Check Fragment: If you do not select this option, the rule applies to all fragments and non-fragments.
NOTE:
Do not select this option for an AC, because an AC does not support fragmentation.
Check Logging: Select this option to keep a log of matched IPv4 packets. A log entry contains the ACL rule number, operation for the matched packets, protocol that IP carries, source/destination address, source/destination port number, and number of matched packets.
NOTE:
Do not select this option for an AC, because an AC does not support logging.
Source IP Address / Source Wildcard: Select the Source IP Address option, and enter a source IPv4 address and source wildcard, in dotted decimal notation.
Time Range: Select the time range during which the rule takes effect.
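The time ranges from the earlier table (periodic by day of week with hh:mm bounds, absolute with hh:mm MM/DD/YYYY bounds and an end later than the start) and the basic IPv4 ACL rule items above (rule ID auto-assignment, modifying an existing rule ID in place, action, source address with wildcard, time range, and the Config match order) as one added Python example; this is not code from the HP guide or the device. The wildcard is the usual inverse mask, where a 1 bit means "don't care". The rule-ID step of 5 starting at 0, the class names and the sample addresses are assumptions of this example.

```python
from datetime import datetime, time
from ipaddress import IPv4Address


class PeriodicTimeRange:
    """Valid on the selected days of the week between start and end time (24-hour clock)."""

    def __init__(self, days, start: time, end: time):
        self.days = set(days)  # e.g. {"Mon", "Tue"}
        self.start, self.end = start, end

    def active(self, at: datetime) -> bool:
        return at.strftime("%a") in self.days and self.start <= at.time() < self.end


class AbsoluteTimeRange:
    """Valid between two instants given as "hh:mm MM/DD/YYYY"; the end must be later than the start."""

    def __init__(self, start: str, end: str):
        self.start = datetime.strptime(start, "%H:%M %m/%d/%Y")
        self.end = datetime.strptime(end, "%H:%M %m/%d/%Y")
        if self.end <= self.start:
            raise ValueError("end time must be later than start time")

    def active(self, at: datetime) -> bool:
        return self.start <= at < self.end


class Rule:
    def __init__(self, action, source=None, wildcard="0.0.0.0", time_range=None, rule_id=None):
        self.action, self.time_range, self.rule_id = action, time_range, rule_id
        self.source = int(IPv4Address(source)) if source else None
        self.wildcard = int(IPv4Address(wildcard))  # 1 bits are ignored when matching

    def matches(self, src_ip: str, at: datetime) -> bool:
        if self.time_range is not None and not self.time_range.active(at):
            return False  # outside its time range the rule is skipped
        if self.source is None:
            return True   # no source criterion: matches any address
        return (int(IPv4Address(src_ip)) | self.wildcard) == (self.source | self.wildcard)


class BasicIPv4ACL:
    """Basic IPv4 ACL (2000 to 2999) with the Config match order: rules compared as configured."""

    def __init__(self, number: int):
        if not 2000 <= number <= 2999:
            raise ValueError("basic IPv4 ACLs are numbered 2000 to 2999")
        self.number, self.rules = number, {}  # rule_id -> Rule, kept in insertion order

    def add_rule(self, rule: Rule) -> int:
        if rule.rule_id is None:  # assumed auto-assignment: next multiple of 5
            rule.rule_id = max(self.rules, default=-5) + 5
        self.rules[rule.rule_id] = rule  # an existing ID modifies that rule in place
        return rule.rule_id

    def check(self, src_ip: str, at: datetime) -> str:
        for rule in self.rules.values():
            if rule.matches(src_ip, at):
                return rule.action
        return "no-match"


def build_example_acl() -> BasicIPv4ACL:
    office_hours = PeriodicTimeRange({"Mon", "Tue", "Wed", "Thu", "Fri"}, time(8, 0), time(18, 0))
    acl = BasicIPv4ACL(2001)
    acl.add_rule(Rule("permit", "192.168.10.0", "0.0.0.255", time_range=office_hours, rule_id=0))
    acl.add_rule(Rule("deny", "192.168.10.0", "0.0.0.255"))  # auto-assigned ID 5
    acl.add_rule(Rule("permit"))                               # auto-assigned ID 10: anything else
    return acl


def example_decisions() -> dict:
    acl = build_example_acl()
    monday = datetime(2024, 6, 3, 10, 0)   # a Monday inside office hours
    sunday = datetime(2024, 6, 2, 10, 0)
    window = AbsoluteTimeRange("09:00 06/03/2024", "18:00 06/03/2024")
    return {
        "inside-office-hours": acl.check("192.168.10.7", monday),
        "outside-office-hours": acl.check("192.168.10.7", sunday),
        "other-network": acl.check("10.0.0.1", monday),
        "rule-ids": list(acl.rules),
        "absolute-range-active": window.active(monday),
    }
```

The office-hours permit followed by an unconditional deny for the same subnet is the pattern to check most carefully under Config order: once the permit's time range lapses the very next rule denies the subnet, which is the intent here but is easy to get backwards.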
2.
Click the Advanced Setup tab to enter the rule configuration page for an advanced IPv4 ACL, as
shown in Figure 516.
3.
4.
Click Add.
Description
ACL
Rule ID: Select the Rule ID option and enter a number for the rule. If you do not specify the rule number, the system assigns one automatically.
IMPORTANT:
If the rule number you specify already exists, this procedure modifies the configuration of the existing rule.
Action: Select the action to be performed for IPv4 packets matching the rule:
Logging:
NOTE:
Do not select this option for an AC, because an AC does not support logging.
IP Address Filter: Source IP Address, Source Wildcard, Destination IP Address, Destination Wildcard.
Protocol
ICMP Type (ICMP Message, ICMP Type, ICMP Code): These items are available only when you select 1 ICMP from the Protocol list. If you select Other from the ICMP Message list, you must enter values in the ICMP Type and ICMP Code fields. Otherwise, the two fields will take the default values, which cannot be changed.
TCP Connection Established: Select this option to make the rule match packets used for establishing and maintaining TCP connections. These items are available only when you select 6 TCP from the Protocol list.
TCP/UDP Port (Source Operation and Port, Destination Operation and Port): Select the operations, and enter the source port numbers and destination port numbers as required. These items are available only when you select 6 TCP or 17 UDP from the Protocol list. Different operations have different configuration requirements for the port number fields:
Precedence Filter: DSCP, TOS, Precedence.
Time Range
2.
Click the Link Setup tab to enter the rule configuration page for an Ethernet frame header ACL, as
shown in Figure 517.
3.
4.
Click Add.
Description
Select the Ethernet frame header ACL for which you want to configure rules.
Available ACLs are Ethernet frame header ACLs.
Select the Rule ID option and enter a number for the rule.
If you do not specify the rule number, the system assigns one automatically.
Rule ID
IMPORTANT:
If the rule number you specify already exists, this procedure modifies the
configuration of the existing rule.
Select the action to be performed for Layer 2 frames matching the rule:
Action
MAC Address Filter:
Source MAC Address / Source Mask: Select the Source MAC Address option and enter a source MAC address and wildcard.
Destination MAC Address / Destination Mask: Select the Destination MAC Address option and enter a destination MAC address and wildcard.
COS(802.1p priority): Specify the 802.1p priority for the rule.
Type Filter:
LSAP Type / LSAP Mask: Select the LSAP Type option and specify the DSAP and SSAP fields in the LLC encapsulation by configuring the following items:
Protocol Type
Protocol Mask: Wildcard.
Time Range: Select the time range during which the rule takes effect.
2.
Click the Add tab to enter the IPv6 ACL adding page, as shown in Figure 518.
3.
4.
Click Apply.
Description
ACL Number
Match Order
Config: Packets are compared against ACL rules in the order the rules are configured.
Auto: Packets are compared against ACL rules in the depth-first match order.
Description
2.
Click the Basic Setup tab to enter the rule configuration page for a basic IPv6 ACL, as shown
in Figure 519.
3.
Configure the basic IPv6 ACL rule information, as described in Table 164.
4.
Click Add.
Description
Select the basic IPv6 ACL for which you want to configure rules. Available ACLs are basic IPv6 ACLs.
Rule ID: Select the Rule ID option and enter a number for the rule. If you do not specify the rule number, the system assigns one automatically.
IMPORTANT:
If the rule number you specify already exists, this procedure modifies the configuration of the existing rule.
Operation: Select the operation to be performed for IPv6 packets matching the rule:
Check Fragment: If you do not select this option, the rule applies to all fragments and non-fragments.
NOTE:
Do not select this option for an AC, because an AC does not support fragmentation.
Check Logging: Select this option to keep a log of matched IPv6 packets. A log entry contains the ACL rule number, operation for the matched packets, protocol that IP carries, source/destination address, source/destination port number, and number of matched packets.
NOTE:
Do not select this option for an AC, because an AC does not support logging.
Source IP Address / Source Prefix: Select the Source IP Address option, and enter a source IPv6 address and prefix length. The IPv6 address must be in a format like X:X::X:X. An IPv6 address consists of eight 16-bit long fields, each of which is expressed with two hexadecimal numbers and separated from its neighboring fields by colon (:).
Time Range: Select the time range during which the rule takes effect.
2.
Click the Advanced Setup tab to enter the rule configuration page for an advanced IPv6 ACL.
3.
Configure the advanced IPv6 ACL rule information, as described in Table 165.
4.
Click Add.
Description
ACL: Select the advanced IPv6 ACL for which you want to configure rules. Available ACLs are advanced IPv6 ACLs.
Rule ID: Select the Rule ID option and enter a number for the rule. If you do not specify the rule number, the system assigns one automatically.
IMPORTANT: If the rule number you specify already exists, this procedure modifies the configuration of the existing rule.
Operation: Select the operation to be performed for IPv6 packets matching the rule:
Check Fragment: If you do not select this option, the rule applies to all fragments and non-fragments.
NOTE: Do not select this option for an AC, because an AC does not support fragmentation.
Check Logging: Select this option to keep a log of matched IPv6 packets. A log entry contains the ACL rule number, operation for the matched packets, protocol that IP carries, source/destination address, source/destination port number, and number of matched packets.
NOTE: Do not select this option for an AC, because an AC does not support logging.
IP Address Filter:
Source IP Address, Source Prefix: Select the Source IP Address option, and enter a source IPv6 address and prefix length. The IPv6 address must be in a format like X:X::X:X. An IPv6 address consists of eight 16-bit long fields, each of which is expressed with two hexadecimal numbers and separated from its neighboring fields by a colon (:).
Destination IP Address, Destination Prefix: Select the Destination IP Address option, and enter a destination IPv6 address and prefix length. The IPv6 address must be in the same X:X::X:X format.
Protocol: Select the protocol to be carried by IP. If you select 58 ICMPv6, you can configure the ICMPv6 message type and code. If you select 6 TCP or 17 UDP, you can configure the TCP or UDP specific items.
ICMPv6 Type: Named ICMPv6 Type, ICMPv6 Type, ICMPv6 Code
These items are available only when you select 58 ICMPv6 from the Protocol list. If you select Other from the Named ICMPv6 Type list, you must enter values in the ICMPv6 Type and ICMPv6 Code fields. Otherwise, the two fields will take the default values, which cannot be changed.
TCP/UDP Port:
Source Port: Operator, Port, To Port
Destination Port: Operator, Port, To Port
Select the operators, and enter the source port numbers and destination port numbers as required. These items are available only when you select 6 TCP or 17 UDP from the Protocol list.
Different operators have different configuration requirements for the port number fields:
Other values: The first port number field must be configured and the second must not.
Time Range: Select the time range during which the rule takes effect.
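The following is an added example, not code from the HP guide or the device, showing how an advanced IPv6 ACL rule of the kind described in the table above is evaluated against a packet: the port-operator requirement (range needs both port fields, the other operators need only the first), the Check Fragment option, the fields recorded by a Check Logging entry, and the Config versus Auto match order. Addresses, ports, rule numbers and the Auto-order approximation are constructed for the example.

```python
"""Added example (not from the HP guide): matching advanced IPv6 ACL rules.
Addresses, ports and rule numbers below are constructed sample values."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

SINGLE_PORT_OPERATORS = {"eq", "neq", "gt", "lt"}


def port_match_error(operator: str, port: int, to_port: Optional[int]) -> Optional[str]:
    """Return a message when the port fields do not fit the operator, else None."""
    if operator == "range":
        return None if to_port is not None else "range needs both port fields"
    if operator in SINGLE_PORT_OPERATORS:
        return None if to_port is None else f"{operator} takes one port only"
    return f"unknown operator {operator}"


@dataclass
class PortMatch:
    operator: str
    port: int
    to_port: Optional[int] = None

    def __post_init__(self):
        err = port_match_error(self.operator, self.port, self.to_port)
        if err:
            raise ValueError(err)

    def matches(self, value: int) -> bool:
        if self.operator == "eq":
            return value == self.port
        if self.operator == "neq":
            return value != self.port
        if self.operator == "gt":
            return value > self.port
        if self.operator == "lt":
            return value < self.port
        return self.port <= value <= self.to_port


@dataclass
class Ipv6Rule:
    rule_id: int
    operation: str                            # "permit" or "deny"
    protocol: Optional[int] = None            # 6 TCP, 17 UDP, 58 ICMPv6; None = any
    src: Optional[str] = None                 # "address/prefix-length" text
    dst: Optional[str] = None
    src_port: Optional[PortMatch] = None
    dst_port: Optional[PortMatch] = None
    check_fragment: bool = False              # assumed: set = only non-first fragments match
    logging: bool = False
    matched: int = 0
    log: list = field(default_factory=list)

    def __post_init__(self):
        # Convert the address/prefix text into networks for membership tests.
        self.src = ipaddress.IPv6Network(self.src) if self.src else None
        self.dst = ipaddress.IPv6Network(self.dst) if self.dst else None


@dataclass
class Ipv6Packet:
    src: str
    dst: str
    protocol: int
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    fragment: bool = False                    # True for a non-first fragment


def rule_matches(rule: Ipv6Rule, pkt: Ipv6Packet) -> bool:
    """True when every configured field of the rule matches the packet."""
    if rule.check_fragment and not pkt.fragment:
        return False          # unset, the rule applies to fragments and non-fragments alike
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    if rule.src and ipaddress.IPv6Address(pkt.src) not in rule.src:
        return False
    if rule.dst and ipaddress.IPv6Address(pkt.dst) not in rule.dst:
        return False
    if rule.src_port or rule.dst_port:
        # Port items exist for TCP (6) and UDP (17) only, and a non-first
        # fragment carries no transport header to compare against.
        if pkt.protocol not in (6, 17) or pkt.fragment:
            return False
        if rule.src_port and not rule.src_port.matches(pkt.src_port):
            return False
        if rule.dst_port and not rule.dst_port.matches(pkt.dst_port):
            return False
    return True


def apply_acl(rules, pkt: Ipv6Packet, match_order: str = "config", default: str = "permit") -> str:
    """First matching rule decides. Config order tries rules as configured;
    Auto (depth-first) order is approximated here, as an assumption, by
    trying rules with longer source/destination prefixes first."""
    ordered = list(rules)
    if match_order == "auto":
        ordered.sort(key=lambda r: -((r.src.prefixlen if r.src else 0) +
                                     (r.dst.prefixlen if r.dst else 0)))
    for rule in ordered:
        if rule_matches(rule, pkt):
            rule.matched += 1
            if rule.logging:
                # The fields the guide lists for a Check Logging entry.
                rule.log.append({"rule": rule.rule_id, "operation": rule.operation,
                                 "protocol": pkt.protocol, "src": pkt.src, "dst": pkt.dst,
                                 "src_port": pkt.src_port, "dst_port": pkt.dst_port,
                                 "matched": rule.matched})
            return rule.operation
    return default
```

The rule objects here correspond to one row each of the rule configuration page; a deny rule for TCP ports 20 to 21 toward a single host, plus a permit rule with Check Fragment set, is enough to see why a non-first fragment never hits the port-based rule and falls through to the fragment rule.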
2.
Click the Setup tab to enter the rate limit configuration page, as shown in Figure 521.
3.
4.
Click Apply.
Description
Select the types of interfaces to be configured with rate limit. The interface types available for selection depend on your device model.
Select Enable or Disable to enable or disable rate limit on the specified port.
Select a direction to which the rate limit is to be applied:
CIR: Set the committed information rate (CIR), the average traffic rate.
CBS: Set the committed burst size (CBS), number of bits that can be sent in each interval.
EBS
Click the ports to be configured with rate limit in the port list. You can select one or more ports.
If packet priority is trusted, the device uses the specified priority field of the incoming packet to look
up the priority mapping tables for the set of QoS priority parameters to assign to the packet. Note
that, if a received packet does not carry the specified priority field, the device uses the port priority
to look up the priority mapping tables for the set of QoS priority parameters to assign to the packet.
If port priority is trusted, the device uses the port priority rather than packet priority to look up the
priority mapping tables for the set of QoS priority parameters to assign to the packet.
By using the first method, you can configure a port to use the 802.1p or 802.11e priority carried in
received packets for priority mapping. This method is supported for the WLAN-ESS interface in
addition to other types of interface.
By using the second method, more options are available. In addition, you can change port priority
(local precedence) of a port for priority mapping. This method is not supported on the WLAN-ESS
interface.
Select QoS > Trust Mode from the navigation tree to enter the priority trust mode configuration
page, as shown in Figure 522.
2.
Configure the priority trust mode of the interfaces, as described in Table 167.
3.
Click Apply.
Description
Select the type of the ports to be configured. The interface types available for selection depend on your device model.
IMPORTANT: If a WLAN-ESS interface in use has WLAN-DBSS interfaces created on it, its priority cannot be modified. To modify the priority of the WLAN-ESS interface, you must stop the service the interface provides (make the current users on the interface offline).
Trust Mode: Select the priority trust mode:
Click the ports to be configured in the port list. You can select one or more ports.
Select QoS > Port Priority from the navigation tree to enter the page shown in Figure 523.
2.
Click the icon for a port to enter the page for configuring the priority and priority trust mode of the port, as shown in Figure 524.
3.
4.
Click Apply.
Remarks
Interface Name
Priority: Set the local precedence value for the port. Local precedence is allocated by the device and has only local significance. A local precedence value corresponds to an output queue. A packet with higher local precedence is assigned to a higher priority output queue to be preferentially scheduled.
Trust Mode: Set the priority trust mode of the port:
Untrust: Uses the port priority rather than a packet priority value for priority mapping.
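The following is an added example, not code from the HP guide or the device, that models the priority trust mode logic explained in the trust mode section above and in this port priority table: which value is looked up in the priority mapping table, the fallback to the port priority when a packet does not carry the trusted field, and the restriction on changing the priority of a WLAN-ESS interface that has WLAN-DBSS interfaces on it. The mapping table and port names are constructed for illustration and are not the device's defaults.

```python
"""Added example (not from the HP guide): priority trust mode and the
port priority fallback. The mapping table is a constructed sample."""
from typing import Optional

# Constructed 802.1p/802.11e priority (0-7) -> local precedence mapping table.
DOT1P_TO_LOCAL_PRECEDENCE = {0: 2, 1: 0, 2: 1, 3: 3, 4: 4, 5: 5, 6: 6, 7: 7}


class Port:
    def __init__(self, name: str, trust_mode: str = "untrust",
                 port_priority: int = 0, wlan_ess: bool = False):
        if trust_mode not in ("untrust", "dot1p"):
            raise ValueError("trust mode must be untrust or dot1p")
        self.name = name
        self.trust_mode = trust_mode
        self.port_priority = port_priority   # 0-7, significant only on this device
        self.wlan_ess = wlan_ess
        self.dbss_count = 0                  # WLAN-DBSS interfaces created on a WLAN-ESS

    def set_port_priority(self, value: int) -> None:
        if not priority_change_allowed(self):
            raise RuntimeError(f"{self.name}: stop the service before changing its priority")
        if not 0 <= value <= 7:
            raise ValueError("priority must be 0-7")
        self.port_priority = value


def priority_change_allowed(port: Port) -> bool:
    """The guide's IMPORTANT note: a WLAN-ESS interface that has WLAN-DBSS
    interfaces created on it cannot have its priority modified."""
    return not (port.wlan_ess and port.dbss_count > 0)


def select_priority(port: Port, packet_priority: Optional[int]) -> int:
    """Pick the value to look up. packet_priority is the 802.1p (wired) or
    802.11e (WLAN-ESS) priority carried by the packet, or None when absent."""
    if port.trust_mode == "dot1p" and packet_priority is not None:
        return packet_priority
    # Untrust mode, or the packet does not carry the trusted field:
    # the port priority is used for the lookup instead.
    return port.port_priority


def local_precedence(port: Port, packet_priority: Optional[int]) -> int:
    return DOT1P_TO_LOCAL_PRECEDENCE[select_priority(port, packet_priority)]


def output_queue(port: Port, packet_priority: Optional[int]) -> int:
    """A local precedence value corresponds to one output queue; a higher
    value goes to a higher-priority queue that is scheduled preferentially."""
    return local_precedence(port, packet_priority)
```

An untagged frame on a port that trusts 802.1p ends up in the same queue as every frame on an untrusting port with the same port priority, which is the behaviour the trust mode section describes.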
Class
Classes identify traffic.
A class is identified by a class name and contains some match criteria for identifying traffic. The
relationship between the criteria can be:
AND: A packet is considered belonging to a class only when the packet matches all the criteria in the class.
OR: A packet is considered belonging to a class if it matches any of the criteria in the class.
Traffic behavior
A traffic behavior, identified by a name, defines a set of QoS actions for packets.
Policy
A policy associates a class with a traffic behavior to define what actions to take on which class of traffic.
You can define multiple class-traffic behavior associations in a policy.
You can apply a policy to a port to regulate traffic sent or received on the port. A QoS policy can be
applied to multiple ports, but in one direction (inbound or outbound) of a port, only one QoS policy can
be applied.
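The following is an added example, not code from the HP guide or the device, that models the three objects just described: classes with AND/OR match criteria (DSCP and 802.1p value lists de-duplicated, sorted and capped at eight, VLAN ranges such as 10-500 expanded, as the classifier tables state), traffic behaviors, and policies applied to ports with the one-policy-per-direction rule. Names, packets and actions are constructed; the assumption that the first matching class in a policy decides is this example's.

```python
"""Added example (not from the HP guide): class, traffic behavior and
policy objects. Names, packets and actions are constructed."""
from dataclasses import dataclass, field

MAX_VALUES_PER_RULE = 8


def normalize_values(values):
    """Duplicate DSCP/802.1p values collapse to one, the list is sorted
    ascending, and at most eight values may be given in one rule."""
    unique = sorted(set(values))
    if len(unique) > MAX_VALUES_PER_RULE:
        raise ValueError("at most eight values per rule")
    return unique


def parse_vlan_ids(spec: str) -> set:
    """Expand '10-500' style ranges and comma-separated IDs; repeats collapse."""
    ids = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            low, high = (int(x) for x in part.split("-", 1))
            ids.update(range(low, high + 1))
        elif part:
            ids.add(int(part))
    return ids


@dataclass
class Classifier:
    name: str
    operation: str = "and"                       # "and": all rules; "or": any rule
    rules: list = field(default_factory=list)    # (packet field, allowed values)

    def add_rule(self, pkt_field: str, values):
        # A new rule is added alongside earlier ones; it never overwrites them.
        if pkt_field in ("dscp", "dot1p"):
            values = normalize_values(values)
        self.rules.append((pkt_field, set(values)))
        return self

    def matches(self, pkt: dict) -> bool:
        if not self.rules:
            return False
        hits = [pkt.get(f) in allowed for f, allowed in self.rules]
        return all(hits) if self.operation == "and" else any(hits)


@dataclass
class Behavior:
    name: str
    actions: list = field(default_factory=list)  # ("filter","deny") / ("remark_dscp",46) / ("remark_lp",5)

    def apply(self, pkt: dict) -> dict:
        out = dict(pkt)
        out.setdefault("verdict", "permit")
        for kind, arg in self.actions:
            if kind == "filter":
                out["verdict"] = arg
            elif kind == "remark_dscp":
                out["dscp"] = arg
            elif kind == "remark_lp":
                out["local_precedence"] = arg
            else:
                raise ValueError(f"unknown action {kind}")
        return out


@dataclass
class Policy:
    name: str
    associations: list = field(default_factory=list)   # [(Classifier, Behavior)]

    def apply(self, pkt: dict) -> dict:
        # Assumption: associations are tried in configured order and the first
        # class that matches decides which behavior runs.
        for classifier, behavior in self.associations:
            if classifier.matches(pkt):
                return behavior.apply(pkt)
        return dict(pkt, verdict="permit")


class PortPolicies:
    """One policy per port direction; the same policy may be applied to many ports."""

    def __init__(self):
        self.applied = {}                        # (port, direction) -> Policy

    def can_apply(self, port: str, direction: str) -> bool:
        return direction in ("inbound", "outbound") and (port, direction) not in self.applied

    def apply_policy(self, port: str, direction: str, policy: Policy) -> None:
        if not self.can_apply(port, direction):
            raise ValueError(f"{port} {direction}: invalid direction or a policy is already applied")
        self.applied[(port, direction)] = policy

    def process(self, port: str, direction: str, pkt: dict) -> dict:
        policy = self.applied.get((port, direction))
        return policy.apply(pkt) if policy else dict(pkt, verdict="permit")
```

Packets are plain dictionaries of header fields so that a second rule added to a class is visibly evaluated alongside the first rather than replacing it.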
Remarks
1. Adding a class: Required. Add a class and specify the operation of the class.
2. Required. Configure match criteria for the class.
3. Required. Add a traffic behavior.
4. Use either approach. Configure various actions for the traffic behavior.
5. Adding a policy: Required. Add a policy.
6. Configuring classifier-behavior associations for the policy: Required.
7.
Adding a class
1.
2.
Click the Add tab to enter the page for adding a class, as shown in Figure 525.
3.
4.
Click Add.
Description
Classifier Name
Operation:
And: Specifies the relationship between the rules in a class as logical AND. The device considers that a packet belongs to a class only when the packet matches all the rules in the class.
Or: Specifies the relationship between the rules in a class as logical OR. The device considers that a packet belongs to a class as long as the packet matches one of the rules in the class.
2.
Click the Setup tab to enter the page for setting a class, as shown in Figure 526.
3.
4.
Click Apply.
A progress dialog box appears.
5.
Click Close on the progress dialog box when the progress dialog box prompts that the
configuration succeeds.
Description
Any
DSCP: If multiple rules are configured for a class, the new configuration does not overwrite the previous. You can configure up to eight DSCP values at a time. If multiple identical DSCP values are specified, the system considers them as a single value. The relationship between different DSCP values is OR. After configuration, all the DSCP values are arranged in ascending order automatically.
IP Precedence: Define a rule to match IP precedence values. If multiple rules are configured for a class, the new configuration does not overwrite the previous.
Classifier: TIP: This configuration item is not supported.
Inbound Interface: Define a rule to match inbound interfaces. TIP: This configuration item is not supported.
RTP Port: Define a rule to match a range of RTP ports. Specify the start port in the from field and the end port in the to field. TIP: This configuration item is not supported.
Dot1p
Service 802.1p: Define a rule to match the service 802.1p precedence values. If multiple rules are configured for a class, the new configuration does not overwrite the previous. You can configure up to eight Dot1p values at a time. If multiple identical Dot1p values are specified, the system considers them as a single value. The relationship between different Dot1p values is OR. After configuration, all the Dot1p values are arranged in ascending order automatically.
TIP:
If multiple rules are configured for a class, the new configuration does not overwrite the previous. You can configure up to eight Dot1p values at a time. If multiple identical Dot1p values are specified, the system considers them as a single value. The relationship between different Dot1p values is OR. After configuration, all the Dot1p values are arranged in ascending order automatically.
MAC
Source MAC: Define a rule to match a source MAC address. If multiple rules are configured for a class, the new configuration does not overwrite the previous. A rule to match a source MAC address is significant only to Ethernet interfaces.
If multiple rules are configured for a class, the new configuration does not overwrite the previous. A rule to match a destination MAC address is significant only to Ethernet interfaces.
VLAN
Service VLAN: Define a rule to match service VLAN IDs. If multiple rules are configured for a class, the new configuration does not overwrite the previous. You can configure multiple VLAN IDs at a time. If the same VLAN ID is specified multiple times, the system considers them as a single value. The relationship between different VLAN IDs is logical OR. You can specify VLAN IDs by using one of the following methods:
Enter a range of VLAN IDs, such as 10-500. The number of VLAN IDs in the range is not limited.
Customer VLAN: Define a rule to match customer VLAN IDs. If multiple rules are configured for a class, the new configuration does not overwrite the previous. You can configure multiple VLAN IDs at a time. If the same VLAN ID is specified multiple times, the system considers them as a single value. The relationship between different VLAN IDs is logical OR. You can specify VLAN IDs in two ways:
Enter a range of VLAN IDs, such as 10-500. The number of VLAN IDs in the range is not limited.
ACL: ACL IPv4, ACL IPv6
2.
Click the Add tab to enter the page for adding a traffic behavior, as shown in Figure 527.
3.
4.
Click Add.
2.
Click the Setup tab to enter the page for setting a traffic behavior, as shown in Figure 528.
3.
4.
Click Apply.
A progress dialog box appears.
5.
Click Close on the progress dialog box when the progress dialog box prompts that the
configuration succeeds.
Description
CAR: Enable/Disable
CIR: Set the committed information rate (CIR), the average traffic rate.
CBS: Set the committed burst size (CBS), number of bits that can be sent in each interval.
Red: Discard, Pass
Remark
IP Precedence
Dot1p
Local Precedence: Select the Local Precedence option and then select the local precedence value to be marked for packets in the following list. Select Not Set to cancel the action of marking local precedence.
DSCP: Configure the action of marking DSCP values for packets. Select the DSCP option and then select the DSCP value to be marked for packets in the following list. Select Not Set to cancel the action of marking DSCP values.
TIP: This configuration item is not supported.
Queue
EF: Max Bandwidth, CBS, Percent, CBS-Ratio
AF: Min Bandwidth, Percent
WFQ
TIP: These configuration items are not supported.
Filter
Accounting
Adding a policy
1.
2.
Click the Add tab to enter the page for adding a policy, as shown in Figure 529.
3.
4.
Click Add.
2.
Click the Setup tab to enter the page for setting a policy, as shown in Figure 530.
3.
4.
Click Apply.
Description
Classifier Name
Behavior Name
2.
Click the Setup tab to enter the page for applying a policy to a port, as shown in Figure 531.
3.
Select a policy and apply the policy to the specified ports, as described in Table 173.
4.
Click Apply.
Description
Direction
Select QoS > Service Policy from the navigation tree to enter the service policy page shown
in Figure 532.
2.
Click the icon for a wireless service to enter the service policy setup page shown in Figure 532.
3.
4.
Click Apply.
Remarks
Wlan Service
Display the specified WLAN service to which you want to apply a QoS policy.
Inbound Policy
Apply the QoS policy to the packets received by the wireless service.
Outbound Policy
Apply the QoS policy to the packets sent by the wireless service.
Trust Mode: Set the priority trust mode:
QoS Priority
Add an ACL to prohibit the hosts from accessing the FTP server from 8:00 to 18:00 every day.
2.
3.
Apply the QoS policy in the inbound direction of the wireless service named service1.
Network diagram (figure): labels 10.1.1.1/24, Client 1, AP 1, L2 switch, Client 2, AC, FTP server, AP 2.
Configuration procedure
Before performing the following configurations, make sure the AC has been configured with wireless
service service1. For more information about the wireless service configuration, see "Configuring access
services."
1.
Define a time range to cover the time range from 8:00 to 18:00 every day:
a. Select QoS > Time Range from the navigation tree.
b. Click the Add tab.
c. On the page as shown in Figure 535, enter the time range name test-time, select the Periodic
Time Range option, set the Start Time to 8:00 and the End Time to 18:00, and select the
options Sun through Sat.
d. Click Apply.
Figure 535 Defining a time range covering 8:00 to 18:00 every day
2.
3.
Figure 537 Defining an ACL rule for traffic to the FTP server
4.
Add a class:
a. Select QoS > Classifier from the navigation tree.
b. Click the Add tab.
c. On the page as shown in Figure 538, enter the class name class1.
d. Click Add.
5.
6.
7.
8.
Add a policy:
a. Select QoS > QoS Policy from the navigation tree.
b. Click the Add tab.
c. On the page as shown in Figure 542, enter the policy name policy1.
d. Click Add.
9.
10. Apply the QoS policy in the inbound direction of the wireless service named service1:
a. Select QoS > Service Policy from the navigation tree.
b. Click the
c. On the page as shown in Figure 544, select the Inbound Policy option, and select policy1 from
the following list.
d. Click Apply.
Figure 544 Applying the QoS policy in the inbound direction of WLAN service service1
Terminology
WMM
WMM is a wireless QoS protocol designed to preferentially transmit packets with high priority, and
guarantees better QoS services for voice and video applications in a wireless network.
EDCA
Enhanced distributed channel access (EDCA) is a channel contention mechanism designed by WMM to
preferentially transmit packets with high priority and allocate more bandwidth to such packets.
AC
WMM uses access categories (ACs) for handling channel contentions. WMM assigns WLAN data to
four access categories: AC-VO (voice), AC-VI (video), AC-BE (best-effort), and AC-BK (background), in
the descending order of priority. Each access category uses an independent priority queue for
transmitting data. When contention occurs, WMM guarantees that a high-priority access category
preempts a low-priority access category.
CAC
Connection admission control (CAC) limits the number of clients that are using high-priority access
categories (AC-VO and AC-VI) to guarantee sufficient bandwidth for existing high-priority traffic.
U-APSD
Unscheduled automatic power-save delivery (U-APSD) is a new power saving mechanism defined by
WMM to enhance the power saving capability of clients.
SVP
SpectraLink voice priority (SVP) is a voice priority protocol designed by the Spectralink company to
guarantee QoS for voice traffic.
EDCA parameters
WMM assigns data packets to four access categories. By allowing a high-priority access category to
have more channel contention opportunities than a low-priority access category, WMM offers different
service levels to access categories.
WMM defines a set of EDCA parameters for each access category, covering the following:
Arbitration inter-frame spacing number (AIFSN): Different from the 802.11 protocol, where the idle duration (set using DIFS) is a constant value, WMM can define an idle duration per access category. The idle duration increases as the AIFSN value increases (see Figure 545 for the AIFS durations).
Transmission opportunity limit (TXOPLimit): Indicates the maximum time for which a user can hold a channel after a successful contention. The greater the TXOPLimit, the longer the user can hold the channel. The value 0 indicates that the user can send only one packet each time it holds the channel.
To use a high-priority access category, a client must send a request to the AP. The AP returns a positive or negative response based on one of the following admission control policies:
Channel utilization-based admission policy: The AP calculates the total time that the existing high-priority access categories occupy the channel in one second, and then calculates the time that the requesting traffic will occupy the channel in one second. If the sum of the two values is smaller than or equal to the maximum hold time of the channel, the client can use the requested access category. Otherwise, the request is rejected.
Users-based admission policy: If the number of clients using high-priority access categories plus the requesting clients is smaller than or equal to the maximum number of high-priority access category clients, the request is accepted. Otherwise, the request is rejected. During calculation, a client is counted once even if it is using both AC-VO and AC-VI.
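The following is an added example, not code from the HP guide or the device, that implements the two admission policies just described, the rule that a client using both AC-VO and AC-VI is counted once, and the later rule that enabling CAC for an access category also enables it for every higher-priority category (AC-VI implies AC-VO, but not the reverse). Client names, medium times and the utilization ceiling are constructed; the default of 20 clients is the one the guide states.

```python
"""Added example (not from the HP guide): CAC admission decisions.
Client names, medium times and the utilization ceiling are constructed."""
from dataclasses import dataclass, field

ACCESS_CATEGORIES = ["AC-VO", "AC-VI", "AC-BE", "AC-BK"]   # descending priority
HIGH_PRIORITY = ("AC-VO", "AC-VI")                          # the only ACs that support CAC
UNIT_TIME_US = 1_000_000                                    # one second, in microseconds


@dataclass
class RadioCac:
    policy: str = "users"            # "users" (default) or "channel"
    max_clients: int = 20            # users-based limit; 20 is the guide's default
    max_utilization: float = 0.5     # channel-based ceiling (fraction of a second); constructed
    cac_enabled: set = field(default_factory=set)
    admitted: dict = field(default_factory=dict)   # client -> {ac: medium time in us per second}

    def enable_cac(self, ac: str) -> None:
        """Enabling CAC for an AC enables it for all higher-priority ACs too."""
        if ac not in HIGH_PRIORITY:
            raise ValueError(f"{ac} does not support CAC")
        self.cac_enabled.update(ACCESS_CATEGORIES[:ACCESS_CATEGORIES.index(ac) + 1])

    def clients_using_high_priority(self) -> int:
        return len(self.admitted)    # a client is counted once, even if it uses both ACs

    def channel_time_us(self) -> int:
        """Medium time per second already committed to admitted AC-VO/AC-VI traffic."""
        return sum(sum(per_ac.values()) for per_ac in self.admitted.values())

    def request(self, client: str, ac: str, medium_time_us: int = 0) -> bool:
        """A client asks to use an AC; True means the request is admitted."""
        if ac not in self.cac_enabled:
            return True                 # no admission control for this AC
        if self.policy == "users":
            newcomer = 0 if client in self.admitted else 1
            if self.clients_using_high_priority() + newcomer > self.max_clients:
                return False
        elif self.policy == "channel":
            if self.channel_time_us() + medium_time_us > self.max_utilization * UNIT_TIME_US:
                return False
        else:
            raise ValueError(f"unknown policy {self.policy}")
        self.admitted.setdefault(client, {})[ac] = medium_time_us
        return True
```

Under the users-based policy a client that already holds AC-VO admission is admitted to AC-VI without consuming a second slot; under the channel policy it is the requested medium time, not the client count, that decides.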
SVP service
SVP service implements differentiated treatment of SVP packets by mapping each SVP packet (IP protocol
number 119) to an access category, which corresponds to a transmit queue with certain priority.
ACK policy
WMM defines the following ACK policies:
No ACK: When the no acknowledgement (No ACK) policy is used, the recipient does not acknowledge received packets during wireless packet exchange. This policy can improve transmission efficiency in the environment where communication quality is good and interference is weak. However, in the environment where communication quality is poor, it can cause increased packet loss and deteriorated communication quality.
Normal ACK: When the Normal ACK policy is used, the recipient acknowledges each received unicast packet.
2.
3.
Click Enable.
By default, wireless QoS is enabled.
NOTE:
The WMM protocol is the foundation of the 802.11n protocol. When the radio operates in 802.11n (5
GHz) or 802.11n (2.4 GHz) radio mode, you must enable WMM. Otherwise, the associated 802.11n
clients may fail to communicate.
2.
Click the icon in the Operation column for the desired AP to enter the page for mapping SVP service to an access category, as shown in Figure 548.
3.
4.
Click Apply.
Description
AP Name
Radio
SVP Mapping: AC-VO, AC-VI, AC-BE, or AC-BK.
NOTE: SVP mapping is applicable only to non-WMM clients.
2.
Click the icon in the Operation column for the desired AP to enter the page for setting CAC admission policy, as shown in Figure 549.
3.
4.
Click Apply.
Description
Client Number: Users-based admission policy, or the maximum number of clients allowed to be connected. A client is counted only once, even if it is using both AC-VO and AC-VI. By default, the users-based admission policy applies, with the maximum number of users being 20.
Channel Utilization: Channel utilization-based admission policy, or the ratio of the medium time of the accepted AC-VO and AC-VI traffic to the valid time during the unit time. The valid time is the total time during which data is transmitted.
2.
Click the icon in the Operation column for the desired AP to enter the page for configuring wireless QoS.
3.
4.
5.
Click Apply.
Description
AP Name
Radio
Priority type
AIFSN
TXOP Limit
ECWmin
ECWmax
No ACK: If you select the option before No ACK, the No ACK policy is used by the AP.
TXOP Limit
AIFSN
ECWmin
ECWmax
AC-BK
10
AC-BE
AC-VI
94
AC-VO
47
NOTE:
ECWmin cannot be greater than ECWmax.
On an AP operating in 802.11b radio mode, HP recommends that you set the TXOP-Limit to 0, 0, 188,
and 102 for AC-BK, AC-BE, AC-VI, and AC-VO.
If all clients operate in 802.11b radio mode, set TXOPLimit to 188 and 102 for AC-VI and AC-VO.
If some clients operate in 802.11b radio mode and some clients operate in 802.11g radio mode in
the network, HP recommends the TXOPLimit parameters in Table 180.
Once you enable CAC for an access category, it is enabled automatically for all higher priority
access categories. For example, if you enable CAC for AC-VI, CAC is also enabled for AC-VO.
However, enabling CAC for AC-VO does not enable CAC for AC-VI.
Configuration procedure
1.
2.
Click the icon in the Operation column for the desired AP to enter the page for configuring wireless QoS.
3.
4.
5.
Click Apply.
Description
AP Name
Radio
Priority type
AIFSN
TXOP Limit
ECWmin
ECWmax
CAC:
Enable: Enable CAC.
Disable: Disable CAC.
AC-VO and AC-VI support CAC, which is disabled by default. This item is not available for AC-BE or AC-BK, because they do not support CAC.
TXOP Limit
AIFSN
ECWmin
ECWmax
AC-BK
10
AC-BE
10
AC-VI
94
AC-VO
47
2.
Click the Radio Statistics tab to enter the page displaying radio statistics.
3.
Description
AP ID: AP ID.
AP Name: AP name.
Radio: Radio ID.
QoS mode
Client accepted: Number of clients that have been admitted to access the radio, including the number of clients that have been admitted to access the AC-VO and the AC-VI queues.
Total request mediumtime(us): Total requested medium time, including that of the AC-VO and the AC-VI queues.
2.
Click the Client Statistics tab to enter the page displaying client statistics.
3.
Description
MAC address
SSID
QoS Mode
Max SP length
AC: Access category.
State: APSD attribute of an access category:
Assoc State: APSD attribute of the four access categories when a client accesses the AP.
Downgrade packets
Downgrade bytes
Discard packets
Discard bytes
Configure the total bandwidth shared by all clients in the same BSS. This is called "dynamic mode". The rate limit of a client is the configured total rate divided by the number of online clients. For example, if the configured total rate is 10 Mbps and five clients are online, the rate of each client is 2 Mbps.
Configure the maximum bandwidth that can be used by each client in the BSS. This is called "static mode". For example, if the configured rate is 1 Mbps, the rate limit of each online user is 1 Mbps. When the set rate limit multiplied by the number of access clients exceeds the available bandwidth provided by the AP, no clients can get the guaranteed bandwidth.
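The following is an added example, not code from the HP guide or the device, that implements the two client rate limit modes described above: static (a fixed rate per client) and dynamic (a total rate split equally among the clients currently online, re-split when a client joins or leaves), enforced per client with a simple token bucket. Client names, rates and timings are constructed; the one-second bucket depth is an assumption of the example.

```python
"""Added example (not from the HP guide): static and dynamic client rate
limiting with a per-client token bucket. All values are constructed."""

BYTES_PER_KBIT_PER_SECOND = 125        # 1 kbps = 1000 bits/s = 125 bytes/s


class ClientRateLimiter:
    def __init__(self, mode: str, rate_kbps: int):
        if mode not in ("static", "dynamic"):
            raise ValueError("mode must be static or dynamic")
        self.mode = mode
        self.rate_kbps = rate_kbps     # per-client rate (static) or total rate (dynamic)
        self.buckets = {}              # client -> [tokens in bytes, last update time in s]

    def per_client_kbps(self) -> float:
        """Static: each client gets the configured rate. Dynamic: the
        configured total rate divided by the number of online clients."""
        if self.mode == "static":
            return float(self.rate_kbps)
        online = len(self.buckets)
        return self.rate_kbps / online if online else 0.0

    def _burst_bytes(self) -> float:
        # Assumption: a bucket holds at most one second of traffic at the
        # current per-client rate.
        return self.per_client_kbps() * BYTES_PER_KBIT_PER_SECOND

    def client_online(self, client: str, now_s: float = 0.0) -> None:
        self.buckets[client] = [0.0, now_s]
        self.buckets[client][0] = self._burst_bytes()   # new client starts with a full bucket

    def client_offline(self, client: str) -> None:
        self.buckets.pop(client, None)       # dynamic mode re-splits the total among the rest

    def offer(self, client: str, now_s: float, nbytes: int) -> bool:
        """True if the packet fits the client's current allowance; otherwise it is dropped."""
        tokens, last = self.buckets[client]
        rate_bytes_per_s = self.per_client_kbps() * BYTES_PER_KBIT_PER_SECOND
        tokens = min(self._burst_bytes(), tokens + (now_s - last) * rate_bytes_per_s)
        if nbytes <= tokens:
            self.buckets[client] = [tokens - nbytes, now_s]
            return True
        self.buckets[client] = [tokens, now_s]
        return False


def static_mode_oversubscribed(rate_kbps: int, clients: int, available_kbps: int) -> bool:
    """The guide's caveat for static mode: when the per-client rate times the
    number of clients exceeds what the AP can provide, no client actually
    gets the configured rate."""
    return rate_kbps * clients > available_kbps
```

With a dynamic total of 8000 kbps, one online client is allowed 8000 kbps and two clients 4000 kbps each, which is the behaviour the verification steps later in this chapter describe for SSID service2.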
Select QoS > Wireless QoS from the navigation tree on the left.
2.
3.
Click Add in the Service-Based Configuration area to enter the page for setting wireless
service-based client rate limits, as shown in Figure 554.
4.
5.
Click Apply.
Description
Wireless Service
Direction
Mode
Rate: If you select the static mode, Per-Client Rate is displayed, and the rate is the rate of each client. If you select the dynamic mode, Total Rate is displayed, and the rate is the total rate of all clients.
Select QoS > Wireless QoS from the navigation tree on the left.
2.
3.
Click Add in the Radio-Based Configuration area to enter the page for setting radio-based client
rate limiting, as shown in Figure 554.
4.
5.
Click Apply.
Description
Radio List: List of radios available. You can create the rate limiting rules for one or multiple radios.
Direction: Traffic direction:
If you select the static mode, Per-Client Rate is displayed, and the rate is the rate of each client. If you select the dynamic mode, Total Rate is displayed, and the rate is the total rate of all clients.
To improve bandwidth use efficiency when ensuring bandwidth use fairness among wireless services, use
the bandwidth guarantee function. Bandwidth guarantee makes sure all traffic from each BSS can pass
through when the network is not congested, and each BSS can get the guaranteed bandwidth when the
network is congested. For example, suppose you guarantee SSID1, SSID2, and SSID3 25%, 25%, and
50% of the bandwidth. When the network is not congested, SSID1 can use all idle bandwidth in addition
to its guaranteed bandwidth. When the network is congested, SSID1 can use at least its guaranteed
bandwidth, 25% of the bandwidth.
NOTE:
Bandwidth guarantees apply only to the traffic from AP to client.
2.
Click the Bandwidth Guarantee tab to enter the page, as shown in Figure 556.
3.
4.
Click Apply.
Description
Set the reference radio bandwidth.
IMPORTANT:
Set the reference radio bandwidth slightly lower than the maximum available bandwidth.
NOTE:
After you set the reference radio bandwidth values, the new settings do not take effect for the radios with
bandwidth guarantee enabled. To make the new settings take effect, you must disable and then enable the
radios.
2.
Select a radio from the bandwidth guarantee setup list, and click the icon for the radio in the Operation column to enter the page for setting guaranteed bandwidth, as shown in Figure 557.
3.
4.
Click Apply.
Description
Guaranteed Bandwidth Percent (%): Allocate a percentage of the total radio bandwidth to each wireless service as the guaranteed bandwidth. The total guaranteed bandwidth cannot exceed 100% of the radio bandwidth.
Select QoS > Wireless QoS from the navigation tree on the left.
2.
Click the Bandwidth Guarantee tab to enter the page for configuring bandwidth guarantee.
3.
Select the AP and the corresponding radio mode for which you want to enable bandwidth
guarantee on the list under the Bandwidth Guarantee title bar.
4.
Click Enable.
Select QoS > Wireless QoS from the navigation tree on the left.
2.
3.
Click the specified radio unit of the AP on the list under the Bandwidth Guarantee title bar to view
the wireless services bound to the radio unit and the guaranteed bandwidth setting for each
wireless service.
Configure the AP, and establish a connection between the AC and the AP.
For related configurations, see "Configuring access services." Follow the steps in the related
configuration example to establish a connection between the AC and the AP.
Configuring CAC
1.
2.
3.
As shown in Figure 561, select the AP to be configured on the list, and click the icon in the Operation column to enter the page for configuring wireless QoS.
4.
On the Client EDCA list, select the priority type (AC_VO, for example) to be modified, and click the icon for the priority type in the Operation column to enter the page for setting client EDCA parameters.
5.
6.
Click Apply.
7.
Enable CAC for AC_VI in the same way. (Details not shown.)
8.
9.
Click the icon in the Operation column for the desired AP to enter the page for configuring wireless QoS.
10. Select the Client Number option, and then enter 10.
11. Click Apply.
Figure 563 Setting CAC client number
Limit the maximum bandwidth per wireless client to 128 kbps for traffic from the wireless clients to the AP.
Figure 564 Network diagram
2.
3.
Click Add in the Service-Based Configuration area to enter the page for configuring wireless
service-based rate limit settings for clients, as shown in Figure 565.
4.
5.
Click Apply.
Client1 and Client2 access the WLAN through the SSID named service1.
2.
Check that traffic from Client1 is rate limited to around 128 kbps, so is traffic from Client2.
2.
3.
Click Add in the Service-Based Configuration area to enter the page for configuring wireless
service-based rate limit settings for clients, as shown in Figure 567.
4.
5.
Click Apply.
When only Client1 accesses the WLAN through SSID service2, its traffic can pass through at a rate
as high as 8000 kbps.
2.
When both Client1 and Client2 access the WLAN through SSID service2, their traffic flows can
each pass through at a rate as high as 4000 kbps.
2.
Click Bandwidth Guarantee to enter the page for configuring bandwidth guarantee, as shown
in Figure 569.
3.
4.
Click Apply.
5.
Click the icon in the Operation column for 802.11n (5 GHz) to enter the page for setting guaranteed bandwidth, as shown in Figure 570.
6.
7.
Click Apply.
After you apply the guaranteed bandwidth settings, the page for enabling bandwidth guarantee
appears, as shown in Figure 571.
8.
9.
Click Enable.
Send traffic from the AP to the three wireless clients at a rate lower than 30000 kbps. The rate of traffic from the AP to the three wireless clients is not limited.
Send traffic at a rate higher than 6000 kbps from the AP to Client 1 and at a rate higher than 24000 kbps from the AP to Client 2. The total rate of traffic from the AP to the two wireless clients exceeds 30000 kbps. Because you have enabled bandwidth guarantee for wireless services research and office, the AP forwards traffic to Client 1 and Client 2 at 6000 kbps and 24000 kbps, respectively, and limits the traffic to Client 3.
NOTE:
Guaranteed bandwidth in kbps = reference radio bandwidth × guaranteed bandwidth percent.
Set the reference radio bandwidth slightly lower than the available maximum bandwidth.
The guaranteed bandwidth configuration applies to only the traffic from the AP to clients.
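The following is an added example, not code from the HP guide or the device, that works through the bandwidth guarantee behaviour described in the bandwidth guarantee overview (the 25%, 25%, 50% case) and in the verification above: guaranteed kbps derived from the reference radio bandwidth, all traffic passing when the radio is not congested, and each service getting at least its guarantee when it is. The 20% and 80% shares are inferred from the guide's 6000 and 24000 kbps figures against a 30000 kbps reference; the way idle bandwidth is split among services above their guarantee is an assumption of this example, since the guide does not specify it.

```python
"""Added example (not from the HP guide): guaranteed bandwidth allocation.
Shares and demands are constructed; the idle-bandwidth split is an assumption."""


def guaranteed_kbps(reference_kbps: float, percent: float) -> float:
    """Guaranteed bandwidth in kbps = reference radio bandwidth x guaranteed percent."""
    return reference_kbps * percent / 100.0


def shares_valid(shares: dict) -> bool:
    """The total guaranteed bandwidth cannot exceed 100% of the radio bandwidth."""
    return all(0 <= p <= 100 for p in shares.values()) and sum(shares.values()) <= 100


def allocate(reference_kbps: float, shares: dict, demands: dict) -> dict:
    """Downlink (AP to client) allocation per wireless service.

    shares:  service -> guaranteed percent (a service absent here has no guarantee)
    demands: service -> offered traffic in kbps
    """
    if not shares_valid(shares):
        raise ValueError("guaranteed percentages exceed 100%")
    if sum(demands.values()) <= reference_kbps:
        return dict(demands)        # not congested: all traffic passes, nothing is limited
    # Congested: every service first gets up to its guarantee.
    alloc = {s: min(d, guaranteed_kbps(reference_kbps, shares.get(s, 0)))
             for s, d in demands.items()}
    leftover = reference_kbps - sum(alloc.values())
    # Assumption: remaining (idle) bandwidth goes to services that still have
    # unmet demand, weighted by their share; equal weights when none has a share.
    for _ in range(len(demands) + 1):
        unmet = {s: demands[s] - alloc[s] for s in demands if demands[s] > alloc[s]}
        if leftover <= 0 or not unmet:
            break
        weights = {s: shares.get(s, 0) for s in unmet}
        if sum(weights.values()) == 0:
            weights = {s: 1 for s in unmet}
        total_w = sum(weights.values())
        given = 0.0
        for s, w in weights.items():
            extra = min(unmet[s], leftover * w / total_w)
            alloc[s] += extra
            given += extra
        leftover -= given
    return alloc
```

With the guide's numbers, research and office saturate their 6000 and 24000 kbps guarantees and a third service without a guarantee receives nothing until the radio is no longer congested, which matches the verification step above.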
1+1 AC backup
Support for the 1+1 backup feature might vary depending on your device model. For more information,
see "About the HP 830 Series PoE+ Unified Wired-WLAN Switch and HP 10500/7500 20G Unified
Wired-WLAN Module Web-Based Configuration Guide."
Dual-link backup
Dual links:
Dual links allow for AC backup. An AP establishes links with two different ACs. The active AC
provides services for APs in the network, and the standby AC provides backup service for the
active AC. If the active AC fails, the standby AC takes over to provide services for the APs.
Using fast link fault detection, you can configure 1+1 fast backup (see "1+1 fast backup") to
provide uninterrupted services.
Primary AC recovery:
Primary AC recovery provides a mechanism to make sure that APs choose the primary AC in precedence as the active AC. When the primary AC goes down, the APs switch to the standby AC. As soon as the primary AC recovers, the APs automatically connect to the primary AC again.
AC 1 is the primary AC with the connection priority of 7, and it establishes a connection with the AP. AC 2 acts as the secondary AC. If AC 1 goes down, AC 2 takes over to provide services to the AP until AC 1 recovers. Once the primary AC is reachable again, the AP automatically establishes a connection with the primary AC. For more information about priority configuration, see "Configuring AP connection priority."
1+N AC backup
1+N AC backup allows an AC to operate as a backup for multiple ACs. The active ACs independently
provide services for APs that connect to them, and only one standby AC provides backup service for the
active ACs. If an active AC goes down, the APs connecting to it can detect the failure quickly and make
connections to the standby AC. As soon as the active AC recovers, the APs automatically connect to the
original active AC again. This makes sure the standby AC operates as a dedicated backup for the active
ACs. 1+N AC backup delivers high reliability and saves network construction cost.
Load-balancing modes
The AC supports two load balancing modes: session mode and traffic mode.
As shown in Figure 575, Client 1 is associated with AP 1, and Client 2 through Client 6 are
associated with AP 2. The AC has session-mode load balancing configured: the maximum number
of sessions is 5, and the maximum session gap is 4. Then, Client 7 sends an association request
to AP 2. The maximum session threshold and session gap have been reached on AP 2, so AP 2
rejects the request. Finally, Client 7 associates with AP 1.
Figure 575 Network diagram for session-mode load balancing
Load-balancing methods
The AC supports AP-based load balancing and group-based load balancing.
AP version setting
A fit AP is a zero-configuration device. It can automatically discover an AC after it is powered on. To
make sure a fit AP can associate with an AC, their software versions must be consistent by default, which
complicates maintenance. This task allows you to designate the software version of an AP on the AC, so
that they can associate with each other even if their software versions are inconsistent.
Switching to fat AP
You can switch the working mode of an AP between the fit mode and the fat mode.
Wireless location
Wireless location is a technology to locate, track and monitor specified devices by using WiFi-based
Radio Frequency Identification (RFID) and sensors. With this function enabled, APs send Tag or MU
messages to an AeroScout Engine (referred to as AE hereinafter), which performs location calculation
and then sends the data to the graphics software. You can get the location information of the assets by
maps, forms, or reports. Meanwhile, the graphics software provides the search, alert and query functions
to facilitate your operations.
Wireless location can be applied to medical monitoring, asset management, and logistics, helping users
effectively manage and monitor assets.
Devices or sources to be located include AeroScout Tags (small, portable RFIDs, which are usually placed on or glued to the assets to be located) and Mobile Units (MUs, wireless terminals or devices running 802.11). The Tags and MUs send wireless messages periodically.
Location systems include the location server, the AE calculation software, and different types of graphics software.
NOTE:
For more information about monitor mode and hybrid mode, see "Configuring WLAN security."
An AP operates in normal mode when it functions as a WLAN access point. For more information, see
"Configuring access services."
After these processes complete, the AP begins to collect Tag and MU messages.
Upon receiving Tag messages (suppose that the Tags mode has been configured on the AC, and the location server has notified the AP to report Tag messages), the AP checks the Tag messages, encapsulates those passing the check, and reports them to the location server. The AP encapsulates a Tag message by copying all the information (including the message header and payload) except the multicast address, and adding the BSSID, channel, timestamp, data rate, RSSI, SNR, and radio mode of the radio on which the Tag message was received.
Upon receiving MU messages (suppose that the MUs mode has been configured on the AC, and the location server has notified the AP to report MU messages), the AP checks the messages, encapsulates those that pass the check, and reports them to the location server. The AP encapsulates an MU message by copying its source address, Frame Control field, and Sequence Control field, and adding the BSSID, channel, timestamp, data rate, RSSI, SNR, and radio mode of the radio on which the MU message was received.
Wireless sniffer
IMPORTANT:
Wireless sniffing (tracing) is limited in scope and is intended only for support and as an additional troubleshooting tool.
In a wireless network, it is difficult to locate signal interference or packet collision by debugging
information or terminal display information of WLAN devices. To facilitate the troubleshooting, configure
an AP as a packet sniffer to listen to, capture, and record wireless packets. The sniffed packets are
recorded in the .dmp file for troubleshooting.
As shown in Figure 577, enable wireless sniffer on the Capture AP. The Capture AP is able to listen to the wireless packets in the network, including the packets from other APs, rogue APs, and clients. Administrators can download the .dmp file to the PC for further analysis.
Figure 577 Network diagram (Client, AP 1, AP 2, Capture AP, Rogue AP, Switch, AC, PDA, PC)
Band navigation
The 2.4 GHz band is often congested. Band navigation enables APs to accept dual-band (2.4 GHz and
5 GHz) clients on their 5 GHz radio, increasing overall network performance.
When band navigation is enabled, the AP directs clients to its 2.4 GHz or 5 GHz radio by following
these principles:
For a 2.4 GHz client, the AP associates with the client after rejecting it several times.
For a dual-band client, the AP directs the client to its 5 GHz radio.
For a 5 GHz client, the AP associates with the client on its 5 GHz radio.
The AP checks the RSSI of a dual-band client before directing the client to the 5 GHz radio. If the RSSI is
lower than the specified value, the AP does not direct the client to the 5 GHz band.
If the number of clients on the 5 GHz radio reaches the upper limit, and the gap between the number of
clients on the 5 GHz radio and that on the 2.4 GHz radio reaches the upper limit, the AP denies the
clients association to the 5 GHz radio and allows new clients to associate with the 2.4 GHz radio. If a
client has been denied more than the maximum number of times on the 5 GHz radio, the AP considers
that the client is unable to associate with any other AP, and it allows the 5 GHz radio to accept the client.
With multicast optimization enabled, the AP listens to the IGMP reports and leave messages sent by
clients. When the AP receives an IGMP report, it adds or updates a multicast optimization entry and
updates the multicast source addresses allowed by the client (for IGMPv3 and MLDv2 packets). When
the AP receives an IGMP leave message or when a multicast optimization entry ages out, the AP removes
the entry. When the AP is disconnected from the AC, or when multicast optimization is disabled, all
multicast optimization entries are removed.
After creating multicast entries, the AP listens to non-IGMP and non-MLD multicast packets sent from the
multicast source to clients, and matches the multicast address of the packets to the multicast optimization
entries. If a match is found, the AP converts the multicast packets to unicast packets and sends the unicast
packets to all the clients in the multicast entries. If no match is found, the AP directly sends the multicast
packets.
To avoid performance degradation, you can configure the maximum number of clients that multicast
optimization can support. When the maximum number is reached, the AC takes either of the following
actions, depending on which one is configured:
Halt: A new client can join a multicast group and receive multicast packets, and a multicast optimization entry can be created for the client. However, the multicast optimization function for all clients in the multicast group becomes invalid. When the number of clients drops below the upper limit, the multicast optimization function takes effect again.
Reject-client: A new client can join a multicast group, but no new multicast optimization entries can be created. If multicast optimization entries have been created for other clients in the multicast group, the client cannot receive multicast packets. Otherwise, the client can receive multicast packets.
Select Advanced > Country/Region Code from the navigation tree to enter the page for setting a
country/region code.
3. Click Apply.
Country/Region Code: Select a country/region code. Configure the valid country/region code for a WLAN device to meet the country regulations. If the list is grayed out, the setting is preconfigured to meet the requirements of the target market and is locked. It cannot be changed.
If you do not specify a country/region code for an AP, the AP uses the global country/region code
configured on this page. For information about how to specify the country/region code for an AP, see
"Quick start." If an AP is configured with a country/region code, the AP uses its own country code.
Some ACs and APs have fixed country/region codes. The codes to be used are determined as follows:
An AC's fixed country/region code cannot be changed, and all managed APs whose
country/region codes are not fixed must use the AC's fixed country/region code.
An AP's fixed country/region code cannot be changed, and the AP can use only its fixed country/region code.
If an AC and a managed AP use different fixed country/region codes, the AP uses its own fixed
country/region code.
5. Click Apply.
AP Connection Priority
2. Configure an IP address and switch delay time for the backup AC as described in Table 189.
3. Click Apply.
IPv4 address
IPv6 address
Switch Delay: Delay time for the AP to switch from the primary AC to the backup AC.
Select Advanced > AC Backup from the navigation tree to enter the page shown in Figure 581.
3. Click Apply.
Hello Interval: The value range varies with devices. For more information, see "About the HP 830 Series PoE+ Unified Wired-WLAN Switch and HP 10500/7500 20G Unified Wired-WLAN Module Web-Based Configuration Guide."
VLAN ID: ID of the VLAN to which the port where the backup is performed belongs.
Backup Domain ID
2. Click the Status tab to enter the page shown in Figure 582.
Fields: AP Name, Status, VLAN ID, Domain ID, Link State, Hello Interval.
5. Click Apply.
AP Connection Priority
2. Click the
5. Click Apply.
Select Advanced > Continuous Transmit from the navigation tree to enter the continuous
transmitting mode configuration page.
2. Click the icon corresponding to the target radio to enter the page for configuring the transmission rate. The transmission rate varies with radio mode.
When the radio mode is 802.11a/b/g, the page shown in Figure 586 appears. Select a
transmission rate from the list.
When the radio mode is 802.11n, the page shown in Figure 587 appears. Select an MCS index value to specify the 802.11n transmission rate. For more information about MCS, see "Configuring radios."
Figure 587 Selecting an MCS index (802.11n)
3. Click Apply.
Select Advanced > Channel Busy Test from the navigation tree to enter the channel busy test
configuration page.
2. Click the
Items: AP Name, Radio Unit, Radio Mode.
NOTE:
During a channel busy test, the AP does not provide any WLAN services. All the connected clients are
disconnected.
Before the channel busy test completes, do not start another test for the same channel.
Configuration prerequisites
Before you configure load balancing, make sure of the following:
The fast association function is disabled. By default, the fast association function is disabled. For
more information about fast association, see "Configuring access services."
Configuring a load balancing mode: Required.
Select Session. The function is disabled by default.
Threshold: Load balancing is carried out for a radio when the session threshold and session gap threshold are reached.
Gap: Load balancing is carried out for a radio when the session threshold and session gap threshold are reached.
Select Traffic. The function is disabled by default.
Traffic: Load balancing is carried out for a radio when the traffic threshold and traffic gap threshold are reached.
Gap: Load balancing is carried out for a radio when the traffic threshold and traffic gap threshold (the traffic gap between the two APs) are reached.
NOTE:
If you select traffic-mode load balancing, the maximum throughput of 802.11g/802.11a is 30 Mbps.
2. Click the Load Balance Group tab to enter the page for configuring a load balancing group.
3. Click Add.
5. Click Apply.
Group ID
Radio List: In the Radios Available area, select the target radios, and then click << to add them to the load balancing group. In the Radios Selected area, select the radios to be removed, and then click >> to remove them from the load balancing group.
Select Advanced > Load Balance from the navigation tree. See Figure 590.
3. Click Apply.
Maximum denial count of client association requests. If a client has been denied more than the specified maximum times, the AP considers that the client is unable to associate with any other AP and accepts the association request from the client.
RSSI Threshold: Load balancing RSSI threshold.
Configuring AP
Upgrading AP version
5. Click Apply.
Items: AP Model, Software Version.
Switching to fat AP
NOTE:
Before you switch the work mode, you must download the fat AP software to the AP.
Select Advanced > Wireless Location from the navigation tree to enter the page for displaying and
configuring wireless location on an AC.
3. Click Apply.
Enable: Enables the wireless location function globally. The device begins to listen to packets when wireless location is enabled.
message multicast address, and dilution factor on the location server. These settings will be notified to the APs through the configuration message. For more information about the location server and configuration parameters, see the location server manuals.
On the AC: Configure the AP mode settings, and enable the wireless location function.
When configurations are made correctly, APs wait for the configuration message sent by the location server. After receiving that message, the APs start to receive and report Tag and MU messages.
Vendor Port: Set the listening port number for vendors. The port number must be the same as that defined in the AE.
Tag Mode: Select this option to enable the Tag report function on the radio (you must also enable Tags mode on the AE).
MU Mode: Select this option to enable the MU report function on the radio (you must also enable MUs mode on the AE).
An AP reports IP address change and device reboot events to the location server so that the location
server is able to respond in time. The AP reports a reboot message according to the IP address and port
information of the location server recorded in its flash.
The AP updates the data in the flash after receiving a configuration message. To protect the flash,
the AP does not update the flash immediately after receiving a configuration message, but waits for
10 minutes. If the AP receives another configuration message within 10 minutes, it only updates the
configuration information in the cache, and when the 10-minute timer is reached, it saves the cache
information in the flash.
If the AP reboots within 10 minutes after receiving the first configuration message, and no
configuration is saved in the flash, it does not send a reboot message to the location server.
Select Advanced > Wireless Sniffer from the navigation tree to enter the wireless sniffer
configuration page.
2. To enable the wireless sniffer function for a specified radio, click the
Before you enable wireless sniffer, make sure the AP operates in normal mode and in run state.
Wireless sniffer can be enabled for only one radio configured with a fixed channel.
When you configure wireless sniffer, follow these guidelines:
When the Capture AP is capturing packets, if wireless sniffer is disabled for the radio, the Capture AP is deleted, the Capture AP is disconnected from the AC, or the number of captured packets reaches the upper limit, the sniffer operation stops and the packets are saved to the specified .dmp file. The default storage medium varies with device models.
You can click Stop to stop the wireless sniffer and choose whether to save the packets to a CAP file.
Otherwise, no CAP file is generated.
NOTE:
Do not enable or run wireless services for the radio with wireless sniffer enabled. Disable all wireless
services before enabling wireless sniffer.
4. Click Apply.
Capture Limit: The maximum number of packets that can be captured. Once the limit is exceeded, the device stops capturing packets.
IMPORTANT:
You cannot change the value when the device is capturing packets.
Filename: Name of the CAP file to which the packets are saved.
Configuration prerequisites
To enable band navigation to operate correctly, make sure of the following:
The fast association function is disabled. By default, the fast association function is disabled. For
more information about fast association, see "Configuring access services."
Band navigation is enabled for the AP. By default, band navigation is enabled for the AP.
The SSID is bound to the 2.4 GHz and 5 GHz radios of the AP.
3. Click Apply.
Band Navigation
Session Threshold, Gap: If the number of clients on the 5 GHz radio has reached the upper limit (the session threshold), and the gap between the number of clients on the 5 GHz radio and that on the 2.4 GHz radio has reached the upper limit (the gap), the AP denies the clients association to the 5 GHz radio, and allows new clients to associate with the 2.4 GHz radio. When band navigation is enabled, the value is 0 by default. To restore the default value 0, delete the configured number.
Maximum denial count of client association requests. If a client has been denied more than the maximum times on the 5 GHz radio, the AP considers that the client is unable to associate with any other AP, and allows the 5 GHz radio to accept the client. When band navigation is enabled, the value is 0 by default. To restore the default value 0, delete the configured number.
RSSI Threshold: Band navigation RSSI threshold. The AP checks the RSSI of a dual-band client before directing the client to the 5 GHz radio. If the RSSI is lower than the value, the AP does not direct the client to the 5 GHz band.
Aging Time: Client information aging time. The AP records the client information when a client tries to associate with it. If the AP receives the probe request or association request sent by the client before the aging time expires, the AP refreshes the client information and restarts the aging timer. If not, the AP removes the client information, and does not count the client during band navigation.
3. Click Apply.
Aging Time: Specify the aging time for multicast optimization entries. If the AP does not receive an IGMP report from a client within the aging time, the AP removes the client from the multicast optimization entry. If you enable IGMP snooping, configure the aging time of multicast optimization entries to be greater than the aging time of IGMP snooping dynamic member ports.
Multicast Optimization Max Clients: Specify the maximum number of clients supported by multicast optimization.
function. A new client can join a multicast group and receive multicast packets, and a multicast optimization entry can be created for the client. However, the multicast optimization function for all clients in the multicast group becomes invalid. When the number of clients drops below the upper limit, the multicast optimization function takes effect again.
Exclude New Clients for Multicast Optimization: Reject new clients. A new client can join a multicast group, but no new multicast optimization entries can be created. If multicast optimization entries have been created for other clients in the multicast group, the client cannot receive multicast packets. Otherwise, the client can receive multicast packets.
By default, the multicast optimization function becomes invalid when the maximum number of clients supported by multicast optimization is reached.
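The multicast optimization entry handling described under "Multicast optimization" and the two max-client actions in this table, as an added Python model that is not the HP product's code. The group addresses, client MACs and timestamps in the examples are constructed, and membership is keyed by group address and client MAC (an assumption about the entry layout).

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, Set, Tuple

HALT = "halt"                    # page default once the maximum client count is reached
REJECT_CLIENT = "reject-client"  # "Exclude New Clients for Multicast Optimization"


@dataclass
class MulticastOptimization:
    """Multicast optimization table of one AP (added model, not HP code)."""
    max_clients: int
    action: str = HALT
    aging_time: float = 300.0
    entries: Dict[str, Dict[str, float]] = field(default_factory=dict)      # group -> {MAC -> last report}
    sources: Dict[Tuple[str, str], Set[str]] = field(default_factory=dict)  # (group, MAC) -> allowed sources
    joined: Dict[str, Set[str]] = field(default_factory=dict)               # group -> every joined MAC
    halted: Set[str] = field(default_factory=set)                           # groups with optimization suspended

    def _total_clients(self) -> int:
        return sum(len(m) for m in self.entries.values())

    def on_report(self, group: str, mac: str, now: float,
                  allowed_sources: Iterable[str] = ()) -> str:
        """IGMP/MLD report: the client joins; add or refresh its optimization entry."""
        self.joined.setdefault(group, set()).add(mac)
        if mac not in self.entries.get(group, {}) and self._total_clients() >= self.max_clients:
            if self.action == REJECT_CLIENT:
                return "joined-no-entry"        # joins the group, but no entry is created
            self.halted.add(group)              # HALT: entry created, group no longer optimized
        self.entries.setdefault(group, {})[mac] = now
        self.sources[(group, mac)] = set(allowed_sources)   # empty set = any source
        return "entry"

    def _drop_entry(self, group: str, mac: str) -> None:
        members = self.entries.get(group, {})
        if members.pop(mac, None) is not None:
            self.sources.pop((group, mac), None)
            if not members:
                del self.entries[group]
        if self._total_clients() < self.max_clients:
            self.halted.clear()                 # page: takes effect again below the limit

    def on_leave(self, group: str, mac: str) -> None:
        """IGMP/MLD leave: remove the client and its entry."""
        self.joined.get(group, set()).discard(mac)
        self._drop_entry(group, mac)

    def age_out(self, now: float) -> None:
        """Drop clients whose last report is older than aging_time."""
        for group, members in list(self.entries.items()):
            for mac, last in list(members.items()):
                if now - last > self.aging_time:
                    self._drop_entry(group, mac)

    def deliver(self, group: str, src: str) -> Tuple[str, Set[str]]:
        """Forwarding of a non-IGMP/MLD multicast packet: mode and receiving clients."""
        members = self.entries.get(group)
        if not members or group in self.halted:
            return "multicast", set(self.joined.get(group, set()))   # sent as is, all joined hear it
        allowed = {m for m in members
                   if not self.sources[(group, m)] or src in self.sources[(group, m)]}
        return "unicast", allowed                                    # converted, entry members only


def example_reject_client() -> Dict[str, object]:
    """Page configuration: max clients 2, action Exclude New Clients (constructed addresses)."""
    mo, g = MulticastOptimization(max_clients=2, action=REJECT_CLIENT), "239.1.1.1"
    mo.on_report(g, "c1", 0.0)
    mo.on_report(g, "c2", 0.0)
    third = mo.on_report(g, "c3", 1.0)               # joined without an entry
    mode, rx = mo.deliver(g, "10.0.0.1")             # unicast to c1 and c2 only
    mo.on_leave(g, "c1")
    mo.on_leave(g, "c2")
    mode2, rx2 = mo.deliver(g, "10.0.0.1")           # no entries left: multicast, c3 hears it
    return {"third": third, "mode": mode, "rx": rx, "mode_after": mode2, "rx_after": rx2}


def example_halt() -> Dict[str, object]:
    """Default action: the third client gets an entry, but the group loses optimization."""
    mo, g = MulticastOptimization(max_clients=2), "239.1.1.1"
    mo.on_report(g, "c1", 0.0)
    mo.on_report(g, "c2", 0.0)
    third = mo.on_report(g, "c3", 1.0)
    mode, rx = mo.deliver(g, "10.0.0.1")             # multicast to all three
    mo.on_leave(g, "c3")
    mo.on_leave(g, "c2")                             # count drops below the limit
    mode2, rx2 = mo.deliver(g, "10.0.0.1")           # unicast to c1 again
    return {"third": third, "mode": mode, "rx": rx, "mode_after": mode2, "rx_after": rx2}


def example_sources_and_aging() -> Tuple[Set[str], Set[str], Set[str]]:
    """IGMPv3 source filtering and entry aging (constructed addresses)."""
    mo, g = MulticastOptimization(max_clients=10, aging_time=300.0), "239.2.2.2"
    mo.on_report(g, "c1", 0.0, allowed_sources={"10.0.0.1"})
    mo.on_report(g, "c2", 0.0)
    rx_ok, rx_other = mo.deliver(g, "10.0.0.1")[1], mo.deliver(g, "10.0.0.9")[1]
    mo.on_report(g, "c2", 200.0)                     # c2 refreshed, c1 not
    mo.age_out(301.0)
    return rx_ok, rx_other, mo.deliver(g, "10.0.0.1")[1]
```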
5. Click Enable.
Fields: AP Name, Radio ID, Total Clients, Action, Multicast Address.
MAC Address: MAC addresses of the clients that have joined the multicast group.
Assign a higher priority to the AP connection to AC 1 (which is 6 in this example) to make sure the AP will first establish a connection with AC 1. In this way, AC 1 acts as the active AC.
When AC 1 recovers, no switchover to AC 1 occurs, in which case AC 2 remains the active AC, and
AC 1 acts as the standby AC. This is because the AP connection on AC 1 does not have the highest
priority.
Configuration guidelines
AC backup has no relation to the access authentication method. However, the authentication
method of the two ACs must be the same.
Configuring AC 1
1. Configure the AP to establish a connection between AC 1 and the AP. For more information about configurations, see "Configuring access services."
6. Click Apply.
8. On the page that appears, set the IP address of the backup AC to 1.1.1.5, and select enable to enable the fast backup mode.
9. Click Apply.
Configuring AC 2
2. Leave the default value of the AP connection priority unchanged. (Details not shown.)
4. On the page that appears, set the address of the backup AC to 1.1.1.4, and select enable to enable the fast backup mode.
5. Click Apply.
2. When AC 1 operates correctly, display the client status on AC 1 and AC 2. The client establishes connections with the AP through AC 1, and AC 2 has backed up the client status.
a. On AC 1, select Summary > Client from the navigation tree.
b. Click the Detail Information tab.
c. Click the name of the specified client to view the detailed information of the client.
The information shows that the client is running and is connecting to AC 1 through an active
link.
3. When AC 1 goes down, the standby AC (AC 2) detects the failure immediately through the heartbeat detection mechanism. Then AC 2 takes over to become the new active AC, providing services to the AP.
On AC 2 (the new active AC), display the AP status. (Details not shown.)
The information shows that AC 2 has become the active AC.
On AC 2, display the client information. (Details not shown.)
The value for the State field becomes Running, which indicates that the client is connecting to
AC 2 through an active link.
4. When AC 1 recovers, AC 2 still acts as the active AC, and AC 1 becomes the standby AC. AC 1 establishes a backup link with the AP and backs up the client status.
If one of the two active ACs goes down, AC 3 becomes the new active AC.
When the faulty AC recovers, the AP that connects to AC 3 automatically connects to the original
active AC. This is because the AP connection priority on the active AC has the highest priority. In this
way, AC 3 can always act as a dedicated standby AC to provide backup services for AC 1 and AC
2.
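The AC selection behaviour described under "1+1 AC backup" and "1+N AC backup", as an added Python model that is not code from the HP product: an AP joins the reachable AC with the highest connection priority, fails over when that AC goes down, and switches back only when the recovered AC holds the highest priority. The priority range (7 highest, 0 for an AC left at its default) and the reachability flag are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

HIGHEST_PRIORITY = 7   # assumption: top of the AP connection priority range
DEFAULT_PRIORITY = 0   # assumption: value of an AC whose priority was left unchanged


@dataclass
class Ac:
    name: str
    priority: int = DEFAULT_PRIORITY   # AP connection priority configured on this AC
    reachable: bool = True


@dataclass
class Ap:
    """One fit AP and the ACs it can reach (added model, not HP code)."""
    name: str
    acs: List[Ac]
    current: Optional[Ac] = None
    log: List[str] = field(default_factory=list)

    def _best_reachable(self) -> Optional[Ac]:
        up = [ac for ac in self.acs if ac.reachable]
        return max(up, key=lambda ac: ac.priority) if up else None

    def connect(self) -> Optional[Ac]:
        """Initial association: the reachable AC with the highest priority."""
        self.current = self._best_reachable()
        self.log.append(f"{self.name} -> {self.current.name if self.current else 'none'}")
        return self.current

    def on_ac_down(self, ac: Ac) -> Optional[Ac]:
        """Fast link fault detection saw `ac` fail: fail over if it was serving us."""
        ac.reachable = False
        if self.current is ac:
            self.current = self._best_reachable()
            self.log.append(f"{self.name} failover -> {self.current.name if self.current else 'none'}")
        return self.current

    def on_ac_up(self, ac: Ac) -> Optional[Ac]:
        """`ac` recovered: switch back only if it holds the highest priority."""
        ac.reachable = True
        current_priority = self.current.priority if self.current else -1
        known = any(a is ac for a in self.acs)
        if (known and self.current is not ac
                and ac.priority == HIGHEST_PRIORITY and ac.priority > current_priority):
            self.current = ac
            self.log.append(f"{self.name} switchback -> {ac.name}")
        return self.current


def simulate_1_plus_1(primary_priority: int) -> List[str]:
    """AC serving the AP after connect, after AC 1 fails, and after AC 1 recovers."""
    ac1, ac2 = Ac("AC 1", primary_priority), Ac("AC 2")
    ap = Ap("AP", [ac1, ac2])
    return [ap.connect().name, ap.on_ac_down(ac1).name, ap.on_ac_up(ac1).name]


def simulate_1_plus_n() -> Dict[str, List[str]]:
    """AC 3 backs up AC 1 and AC 2; AC 1 fails and then recovers."""
    ac1, ac2, ac3 = Ac("AC 1", HIGHEST_PRIORITY), Ac("AC 2", HIGHEST_PRIORITY), Ac("AC 3")
    ap1, ap2 = Ap("AP 1", [ac1, ac3]), Ap("AP 2", [ac2, ac3])
    ap1.connect()
    ap2.connect()
    after_failure = [ap.on_ac_down(ac1).name for ap in (ap1, ap2)]
    after_recovery = [ap.on_ac_up(ac1).name for ap in (ap1, ap2)]
    return {"after_failure": after_failure, "after_recovery": after_recovery}
```

With priority 7 the AP returns to AC 1 once it recovers; with priority 6, as in the fast backup example, AC 2 stays active.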
Configuring AC 1
6. Click Apply.
Configuring AC 2
k. Click Apply.
As shown in Figure 610, all APs operate in 802.11g mode. Client 1 is associated with AP 1. Client 2 through Client 6 are associated with AP 2.
Configure session-mode load balancing on the AC. The threshold (the maximum number of sessions) is 5, and the session gap is 4.
Configuration guidelines
An AP starts session-mode load balancing only when both the maximum sessions and maximum session
gap are reached.
Configuration procedure
As shown in Figure 612, all APs operate in 802.11g mode. Client 1 and Client 2 are associated with
AP 1, and no client is associated with AP 2.
Configure traffic-mode load balancing on the AC. The traffic threshold is 3 Mbps, which
corresponds to the threshold value of 10 in percentage, and the traffic gap is 12 Mbps, which
corresponds to the traffic gap value 40 in percentage.
Configuration guidelines
An AP starts traffic-mode load balancing only when both the maximum traffic threshold and maximum
traffic gap are reached.
Configuration procedure
As shown in Figure 614, all APs operate in 802.11g mode. Client 1 is associated with AP 1. Client
2 through Client 6 are associated with AP 2, and no client is associated with AP 3.
Configure session-mode load balancing on the AC. The maximum number of sessions is 5, and the
maximum session gap is 4.
Configuration procedure
Radio 2 of AP 1 and radio 2 of AP 2 are in the same load balancing group. The radio of AP 3 does
not belong to any load balancing group. Because load balancing takes effect only on radios in a
load balancing group, AP 3 does not take part in load balancing.
Assume Client 7 wants to associate with AP 2. The number of clients associated with radio 2 of AP
2 reaches 5 and the session gap between radio 2 of AP 2 and AP 1 reaches 4, so Client 7 is
associated with AP 1.
As shown in Figure 617, all APs operate in 802.11g mode. Client 1 and Client 2 are associated with
AP 1, and no client is associated with AP 2 and AP 3.
Configure traffic-mode load balancing on the AC. The maximum traffic threshold is 10%, and the
maximum traffic gap is 20%.
Traffic-mode load balancing is required only on radio 2 of AP 1 and radio 2 of AP 2. Therefore, add
them to a load balancing group.
Configuration procedure
Radio 2 of AP 1 and radio 2 of AP 2 are in the same load balancing group, and the radio of AP
3 does not belong to any load balancing group. Because load balancing takes effect only on
radios in a load balancing group, AP 3 does not take part in load balancing.
Assume Client 3 wants to associate with AP 1. Because the maximum traffic threshold and traffic
gap have been reached on radio 2 of AP 1, Client 3 is associated with AP 2.
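The session-mode and traffic-mode decisions walked through in the load balancing examples above, as an added Python model that is not the HP product's code: thresholds, gaps measured against the least loaded radio in the same load balancing group, radios outside any group, and the maximum denial count. The 30 Mbps reference behind the traffic percentages (3 Mbps = 10%, 12 Mbps = 40%) and the per-client denial counter are assumptions; the loads in the examples are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union

REFERENCE_MBPS = 30.0   # assumption: 802.11g/a reference throughput behind the percentages


def traffic_percent(mbps: float) -> float:
    """3 Mbps -> 10 %, 12 Mbps -> 40 %, as in the page's traffic-mode example."""
    return 100.0 * mbps / REFERENCE_MBPS


@dataclass
class Radio:
    ap: str
    clients: int = 0
    traffic_mbps: float = 0.0
    group: Optional[int] = None   # load balancing group ID; None = takes no part


@dataclass
class SessionPolicy:
    threshold: int   # maximum number of sessions on a radio
    gap: int         # maximum session gap to the least loaded radio of the group


@dataclass
class TrafficPolicy:
    threshold_pct: float
    gap_pct: float


@dataclass
class Balancer:
    """AC-side load balancing decisions (added model, not HP code)."""
    radios: List[Radio]
    policy: Union[SessionPolicy, TrafficPolicy]
    max_denials: int = 0
    denials: Dict[str, int] = field(default_factory=dict)   # assumption: counted per client

    def overloaded(self, r: Radio) -> bool:
        """True only inside a group, and only when threshold and gap are both reached."""
        peers = [p for p in self.radios if p is not r and p.group == r.group]
        if r.group is None or not peers:
            return False
        if isinstance(self.policy, SessionPolicy):
            load, lightest = r.clients, min(p.clients for p in peers)
            threshold, gap = self.policy.threshold, self.policy.gap
        else:
            load = traffic_percent(r.traffic_mbps)
            lightest = min(traffic_percent(p.traffic_mbps) for p in peers)
            threshold, gap = self.policy.threshold_pct, self.policy.gap_pct
        return load >= threshold and load - lightest >= gap

    def associate(self, client: str, candidates: List[Radio]) -> Optional[str]:
        """The client tries the radios in order; return the AP that accepts it."""
        for r in candidates:
            if self.overloaded(r) and self.denials.get(client, 0) <= self.max_denials:
                self.denials[client] = self.denials.get(client, 0) + 1
                continue          # request rejected, the client tries the next AP
            r.clients += 1
            return r.ap
        return None


def session_mode_example() -> Optional[str]:
    """Figure 614 setup: threshold 5, gap 4; Client 7 asks AP 2 first, then AP 1."""
    ap1 = Radio("AP 1", clients=1, group=1)
    ap2 = Radio("AP 2", clients=5, group=1)
    lb = Balancer([ap1, ap2, Radio("AP 3")], SessionPolicy(threshold=5, gap=4))
    return lb.associate("Client 7", [ap2, ap1])


def traffic_mode_example() -> Optional[str]:
    """Figure 617 setup: threshold 10 %, gap 20 %; AP 1 carries 12 Mbps (constructed)."""
    ap1 = Radio("AP 1", clients=2, traffic_mbps=12.0, group=1)
    ap2 = Radio("AP 2", group=1)
    lb = Balancer([ap1, ap2, Radio("AP 3")], TrafficPolicy(threshold_pct=10.0, gap_pct=20.0))
    return lb.associate("Client 3", [ap1, ap2])


def ungrouped_radio_example() -> Optional[str]:
    """A radio outside every group never rejects, however loaded (constructed load)."""
    ap3 = Radio("AP 3", clients=9, group=None)
    lb = Balancer([ap3, Radio("AP 1", group=1)], SessionPolicy(threshold=5, gap=4))
    return lb.associate("Client 8", [ap3])


def denial_count_example() -> List[Optional[str]]:
    """With max_denials=1 the third request from the same client is accepted."""
    ap1 = Radio("AP 1", clients=1, group=1)
    ap2 = Radio("AP 2", clients=5, group=1)
    lb = Balancer([ap1, ap2], SessionPolicy(threshold=5, gap=4), max_denials=1)
    return [lb.associate("Client 7", [ap2]) for _ in range(3)]
```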
Configuration guidelines
Before you enable the wireless location function, make sure at least three APs operate in monitor or
hybrid mode so that the APs can detect Tags and clients not associated with them, and that the AE
can implement location calculation.
An AP monitors clients on different channels periodically, so if the Tag message sending interval is
configured as 1 second, the AP scans and reports Tag messages every half a minute. If higher
location efficiency is required, you can set the Tag sending interval to the smallest value, which is
124 milliseconds.
Configuring the AE
1. Configure the IP addresses of AP 1, AP 2, and AP 3 on the AE, or select the broadcasting mode for the AE to discover APs.
2. Click Add.
3. On the page that appears, enter the AP name ap1, select the model MSM460-WW, select Manual from the Serial ID list, enter the AP serial ID in the field, and click Apply.
7. Click Apply.
Enabling 802.11n
1. Select Radio > Radio from the navigation tree to enter the page for configuring radio.
3. Click Enable.
2. On the page that appears, select Enable, and select the tag mode and MU mode for 802.11n (2.4 GHz).
3. Click Apply.
Configuring Capture_AP
2. Click Add.
3. On the page that appears, enter the AP name capture_ap, select the model MSM460-WW, select Manual from the Serial ID list, enter the AP serial ID in the field, and click Apply.
5. Click the
7. Click Apply.
2. On the page that appears, enter the capture limit 5000, enter the file name CapFile, and click Apply.
3. Click the icon corresponding to the target radio to enable wireless sniffer for the radio.
Capture AP captures wireless packets and saves the packets to a CAP file in the default storage
medium. Administrators can download the file to the PC and get the packet information by using
tools such as Ethereal.
When the total number of captured packets reaches the upper limit, Capture AP stops capturing
packets.
Configuring the AC
To enable band navigation to operate correctly, make sure of the following:
The fast association function is disabled. By default, the fast association function is disabled.
Band navigation is enabled for the AP. By default, band navigation is enabled for the AP.
1. Create an AP:
a. Select AP > AP Setup from the navigation tree.
b. Click New.
c. On the page that appears, enter the AP name ap 1, select the model MSM460-WW, select
Manual from the Serial ID list, and enter the AP serial ID in the field.
d. Click Apply.
icon for the wireless service band-navigation to enter the page for binding an AP
c. Select the boxes next to ap1 with radio types 802.11n(2.4GHz) and 802.11n(5GHz).
d. Click Bind.
limit 2, and the gap between the number of clients on the 5 GHz radio and 2.4 GHz radio has reached
the session gap 1, Client 3 will be associated with the 2.4 GHz radio of AP 1.
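The band navigation rules from the "Band navigation" overview and the session-limit example above (session threshold 2, gap 1, Client 3 steered to 2.4 GHz), as an added Python model that is not the HP product's code. RSSI in dBm, a session threshold of 0 meaning no limit, applying the 5 GHz limit only to dual-band clients, and caller-supplied timestamps are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple

BAND_24, BAND_5 = "2.4GHz", "5GHz"


@dataclass
class BandNavigation:
    """Band navigation state of one dual-band AP (added model, not HP code)."""
    session_threshold: int = 0   # client limit on the 5 GHz radio; 0 = no limit (assumption)
    gap: int = 0                 # 5 GHz clients minus 2.4 GHz clients that triggers denial
    max_denials: int = 0         # denied more often than this -> the 5 GHz radio accepts
    rssi_threshold: int = -75    # assumption: dBm; weaker dual-band clients stay on 2.4 GHz
    aging_time: float = 300.0    # seconds without a probe/association before a client is dropped
    band_of: Dict[str, str] = field(default_factory=dict)      # MAC -> associated band
    denials: Dict[str, int] = field(default_factory=dict)      # MAC -> 5 GHz denial count
    last_seen: Dict[str, float] = field(default_factory=dict)  # MAC -> last request time

    def _refresh(self, mac: str, now: float) -> None:
        """Restart the client's aging timer and drop clients whose timer expired."""
        self.last_seen[mac] = now
        for stale in [m for m, t in self.last_seen.items() if now - t > self.aging_time]:
            del self.last_seen[stale]
            self.band_of.pop(stale, None)      # no longer counted by band navigation
            self.denials.pop(stale, None)

    def _count(self, band: str) -> int:
        return sum(1 for b in self.band_of.values() if b == band)

    def _five_ghz_full(self) -> bool:
        """Both the session threshold and the gap must be reached."""
        if self.session_threshold == 0:
            return False
        n5, n24 = self._count(BAND_5), self._count(BAND_24)
        return n5 >= self.session_threshold and n5 - n24 >= self.gap

    def try_5ghz(self, mac: str, now: float) -> bool:
        """A dual-band client asks the 5 GHz radio; True if it is accepted there."""
        self._refresh(mac, now)
        if self._five_ghz_full() and self.denials.get(mac, 0) <= self.max_denials:
            self.denials[mac] = self.denials.get(mac, 0) + 1
            return False                       # denied; the 2.4 GHz radio may take it
        self.band_of[mac] = BAND_5             # accepted, or denied too often already
        return True

    def steer(self, mac: str, rssi: int, now: float,
              bands: Tuple[str, ...] = (BAND_24, BAND_5)) -> str:
        """Band the client ends up on after one association attempt."""
        self._refresh(mac, now)
        if len(bands) == 1:
            self.band_of[mac] = bands[0]       # single-band client keeps its own band
        elif rssi < self.rssi_threshold or not self.try_5ghz(mac, now):
            self.band_of[mac] = BAND_24        # too weak for 5 GHz, or denied there
        return self.band_of[mac]


def example_session_limit() -> Dict[str, str]:
    """Page scenario: session threshold 2, gap 1, three dual-band clients on AP 1."""
    ap = BandNavigation(session_threshold=2, gap=1)
    return {c: ap.steer(c, rssi=-50, now=float(t))
            for t, c in enumerate(["Client 1", "Client 2", "Client 3"])}


def example_denial_count() -> Tuple[bool, bool]:
    """A client that insists on 5 GHz is accepted once denied more than max_denials times."""
    ap = BandNavigation(session_threshold=2, gap=1, max_denials=0)
    ap.steer("Client 1", -50, 0.0)
    ap.steer("Client 2", -50, 1.0)
    return ap.try_5ghz("Client 3", 2.0), ap.try_5ghz("Client 3", 3.0)


def example_aging() -> str:
    """Clients unseen for longer than the aging time stop counting against the limit."""
    ap = BandNavigation(session_threshold=2, gap=1, aging_time=300.0)
    ap.steer("Client 1", -50, 0.0)
    ap.steer("Client 2", -50, 0.0)
    return ap.steer("Client 3", -50, 301.0)
```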
Configuring the AC
2. Set the Aging Time to 300 seconds, the Multicast Optimization Max Clients to 2, and Max Client Limit Exceeded Action to Exclude New Clients for Multicast Optimization.
3. Click Apply.
5. Click Enable.
Overview
Introduction to stateful failover
Some customers require their wireless networks to be highly reliable to ensure continuous data
transmission. In Figure 635, deploying only one AC (even with high reliability) risks a single point of
failure and therefore cannot meet the requirement.
Figure 635 Network with one AC deployed
The stateful failover feature (supporting portal service) was introduced to meet the requirement. In Figure
636, two ACs that are enabled with stateful failover are deployed in the network. You need to specify a
VLAN on the two ACs as the backup VLAN, and add the interfaces between the ACs to the backup
VLAN. The backup VLAN is like a failover link, through which the two ACs exchange state negotiation
messages periodically. After the two ACs enter the synchronization state, they back up the service entries
of each other to make sure that the service entries on them are consistent. If one AC fails, the other AC,
which has already backed up the service information, takes over to avoid service interruption.
Silence: The device has just started, or is transitioning from the synchronization state to the independence state.
Synchronization: The device has completed state negotiation with the other device and is ready for data backup.
Configuration guidelines
When you configure stateful failover, follow these guidelines:
You must configure the 1+1 AC backup function to make sure that the traffic can automatically
switch to the other device if one device fails. For more information, see "Advanced settings."
To back up portal related information from the active device to the standby device, you must
configure portal to support stateful failover besides the configurations described in this chapter. For
more information, see HP 830 Series PoE+ Unified Wired-WLAN Switch and HP 10500/7500
20G Unified Wired-WLAN Module Security Configuration Guide.
Stateful failover can be implemented only between two devices rather than among more than two
devices.
1. From the navigation tree, select High reliability > Stateful Failover.
The stateful failover configuration page appears.
2. View the current stateful failover state at the lower part of the page, as described in Table 206.
3. Configure stateful failover parameters at the upper part of the page, as described in Table 205.
4. Click Apply.
Description
through one device. The two devices operate in the active/standby mode.
through different devices to achieve load sharing. The two devices operate in the active/active mode.
and broadcasts stateful failover packets to the peer within the backup VLAN. Therefore, HP recommends that you not configure other services (such as voice VLAN) for a backup VLAN to avoid impact on the operation of stateful failover.
An interface added to the backup VLAN can transmit other packets besides stateful failover packets.
Description
Current Status
NOTE:
The portal group configuration on the two ACs must be consistent.
Configuring AC 1
1.
2.
3.
e. Select Primary Authentication for Server Type, specify an IPv4 address 8.1.1.16 and 1812 as the port number.
f. Type expert for Key and expert for Confirm Key.
g. Click Apply.
Figure 642 Configuring a primary RADIUS authentication server
Select Primary Accounting for Server Type, and specify an IPv4 address 8.1.1.16 and 1813 as the port number.
j.
k. Click Apply.
Figure 643 Configuring a RADIUS accounting server
l. After the configurations are complete, click Apply on the RADIUS scheme configuration page.
4.
Figure 645 Configuring AAA authentication scheme for the ISP domain
5.
Figure 646 Configuring AAA authorization scheme for the ISP domain
6.
e. Click Apply.
A dialog box appears, showing the configuration progress.
f. After the configuration is successfully applied, click Close.
Figure 647 Configuring AAA accounting scheme for the ISP domain
7.
8.
9. Configure portal to support stateful failover at the command line interface (CLI):
# Specify AC 1's device ID to be used in stateful failover mode as 1, and specify portal group 2 for interface VLAN-interface 1.
<AC1>system-view
[AC1]nas device-id 1
[AC1]interface Vlan-interface 1
[AC1-Vlan-interface1]portal backup-group 2
# Configure the virtual IP address of VRRP group 1 as 8.190.1.100, and specify the priority of AC 1 as 200. AC 2 uses the default priority.
[AC1-Vlan-interface1]vrrp vrid 1 virtual-ip 8.190.1.100
[AC1-Vlan-interface1]vrrp vrid 1 priority 200
# Configure the source IP address for portal packets as 8.190.1.100 (same as the AC's IP address configured on the IMC server for portal authentication). The command is entered in the VLAN-interface view, so leave that view only after it.
[AC1-Vlan-interface1]portal nas-ip 8.190.1.100
[AC1-Vlan-interface1]quit
Configuring AC 2
Configure AC 2 in the same way you configure AC 1 except that:
When you configure AC backup, specify AC 1's IP address as the backup AC address.
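A consistency check for the AC pair configured in steps 9 and "Configuring AC 2" above, as an added Python example that is not HP's code. It parses Comware-style lines for the settings the chapter says must agree (portal backup group, VRRP virtual IP used as the portal source address) or differ (device ID, VRRP priority); the AC 2 sample, device ID 2 and the VRRP default priority of 100 are assumptions.

```python
import re
# Constructed sample configs (added example, not HP's): AC 1 mirrors the page's CLI
# steps; AC 2 follows "Configuring AC 2" with assumed device ID 2 and no priority.
AC1_CONFIG = """
nas device-id 1
portal backup-group 2
vrrp vrid 1 virtual-ip 8.190.1.100
vrrp vrid 1 priority 200
portal nas-ip 8.190.1.100
"""
AC2_CONFIG = """
nas device-id 2
portal backup-group 2
vrrp vrid 1 virtual-ip 8.190.1.100
portal nas-ip 8.190.1.100
"""
PATTERNS = {  # hypothetical setting names -> one capture group each
    "device_id": r"nas device-id (\d+)$",
    "backup_group": r"portal backup-group (\d+)$",
    "virtual_ip": r"vrrp vrid 1 virtual-ip (\S+)$",
    "priority": r"vrrp vrid 1 priority (\d+)$",
    "nas_ip": r"portal nas-ip (\S+)$",
}

def parse_config(text):
    """Extract the failover-related settings from Comware-style lines."""
    settings = {"priority": "100"}  # assumed VRRP default when none is configured
    for line in text.strip().splitlines():
        for key, pattern in PATTERNS.items():
            match = re.match(pattern, line.strip())
            if match:
                settings[key] = match.group(1)
    return settings

def check_pair(ac1_text, ac2_text):
    """Return the consistency problems found; an empty list means the pair agrees."""
    a, b = parse_config(ac1_text), parse_config(ac2_text)
    problems = []
    if a.get("device_id") == b.get("device_id"):
        problems.append("stateful failover device IDs must differ")
    if a.get("backup_group") != b.get("backup_group"):
        problems.append("portal backup group must be the same on both ACs")
    if a.get("virtual_ip") != b.get("virtual_ip"):
        problems.append("VRRP virtual IP must match")
    if a["priority"] == b["priority"]:
        problems.append("VRRP priorities are equal, so neither AC is the preferred master")
    for name, cfg in (("AC 1", a), ("AC 2", b)):
        if cfg.get("nas_ip") != cfg.get("virtual_ip"):
            problems.append(f"{name}: portal nas-ip should be the VRRP virtual IP")
    return problems
```

Run check_pair against the running configuration of both ACs before enabling stateful failover; a mismatched portal backup group or a nas-ip that is not the VRRP virtual IP is reported as a problem.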
Error messages
Detailed questions
Subscription service
HP recommends that you register your product at the Subscriber's Choice for Business website:
http://www.hp.com/go/wwalerts
After registering, you will receive email notification of product enhancements, new driver versions,
firmware updates, and other product resources.
Related information
Documents
To find related documents, browse to the Manuals page of the HP Business Support Center website:
http://www.hp.com/support/manuals
For related documentation, navigate to the Networking section, and select a networking category.
For a complete list of acronyms and their definitions, see HP FlexNetwork Technology Acronyms.
Websites
HP.com http://www.hp.com
HP Networking http://www.hp.com/go/networking
HP manuals http://www.hp.com/support/manuals
HP Education http://www.hp.com/learn
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Boldface: Bold text represents commands and keywords that you enter literally as shown.
Italic: Italic text represents arguments that you replace with actual values.
[ ]: Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }: Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
[ x | y | ... ]: Square brackets enclose a set of optional syntax choices separated by vertical bars, from which you select one or none.
{ x | y | ... } *
[ x | y | ... ] *
&<1-n>: The argument or keyword and argument combination before the ampersand (&) sign can be entered 1 to n times.
GUI conventions
Boldface: Window names, button names, field names, and menu items are in bold text. For example, the New User window appears; click OK.
>: Multi-level menus are separated by angle brackets. For example, File > Create > Folder.
Symbols
WARNING: An alert that calls attention to important information that if not understood or followed can result in personal injury.
CAUTION: An alert that calls attention to important information that if not understood or followed can result in data loss, data corruption, or damage to hardware or software.
IMPORTANT
NOTE
TIP