HP 830 Series PoE+ Unified Wired-WLAN Switch and HP 10500/ G Unified


HP 830 Series PoE+ Unified Wired-WLAN Switch and HP 10500/ G Unified Wired-WLAN Module
WLAN Configuration Guide

Part number:
Software version: 3308P29 (HP 830 Series PoE+ Unified Wired-WLAN Switch); 2308P29 (HP 10500/ G Unified Wired-WLAN Module)
Document version: 6W

Legal and notice information

Copyright 2013 Hewlett-Packard Development Company, L.P.

No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.

The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

Contents

Configuring WLAN interfaces 1
  WLAN-ESS interface 1
    Entering WLAN-ESS interface view 1
    Configuring a WLAN-ESS interface 1
  WLAN-DBSS interface 2
  WLAN mesh interface 2
    Entering WLAN mesh interface view 2
    Configuring a WLAN mesh interface 2
  WLAN mesh link interface 3
  Displaying and maintaining WLAN interfaces 3
Configuring WLAN access 4
  WLAN access overview 4
    Terminology 4
    Wireless client access 4
  WLAN access configuration task list 6
  Enabling WLAN 7
  Specifying a country/region code 7
  Configuring auto AP 8
    Enabling auto AP 8
    Converting auto APs to configured APs 8
  Configuring tunnel management 9
    Configuring parameters for an AP 9
    Enabling AC-AP tunnel encryption with IPsec 10
    Configuring the echo interval for an AP 11
  Managing APs 12
    Specifying a configuration file for an AP 12
    Configuring AP traffic protection 12
    Enabling the AC to accept APs with a different software version 13
  Configuring a WLAN service template 13
    Creating a service template and specifying an SSID 13
    Enabling an authentication method 13
    Binding a WLAN-ESS interface to the service template 14
    Configuring a forwarding mode 14
    Configuring client authentication 14
    Configuring the maximum number of associated clients 16
    Enabling fast association 16
    Configuring the client cache aging time 17
    Enabling a service template 17
  Configuring radio parameters 17
    Configuring basic radio parameters 17
    Configuring a radio policy 19
    Enabling automatic creation of radio policies by the SNMP set operation 20
    Configuring 802.11n 20
    Mapping a service template to the radio 22
    Enabling a radio 22
    Configuring the interval for an AP to send statistics reports 22
    Configuring the memory utilization threshold for an AP 23
  Restoring the factory default settings of APs 23
  Enabling automatic heating for an outdoor AP 23
  Displaying and maintaining WLAN access 23
  Configuring a remote AP 25
  Configuring WLAN access control 26
    Configuring AP-based access control 26
    Configuring SSID-based access control 28
  WLAN access configuration examples 28
    WLAN access configuration example 29
    Auto-AP configuration example 30
    Configuration example for AC-AP tunnel encryption with IPsec
    802.11n configuration example 34
    Backup client authentication configuration example 35
    Local client authentication configuration example 37
    AP group configuration without roaming 38
    AP group configuration for inter-AC roaming 41
Configuring WLAN security 44
  Overview 44
    Authentication modes 44
    WLAN data security 45
    Client access authentication 46
    Protocols and standards 46
  Configuring WLAN security 47
    Configuration task list 47
    Enabling an authentication method 47
    Configuring the PTK lifetime 48
    Configuring the GTK rekey method 48
    Configuring security IE 49
    Configuring cipher suite 50
    Configuring port security 52
  Displaying and maintaining WLAN security 54
  WLAN security configuration examples 54
    PSK authentication configuration example 55
    MAC and PSK authentication configuration example
    802.1X authentication configuration example 59
    Dynamic WEP encryption-802.1X authentication configuration example 66
  Supported combinations for ciphers 71
Configuring IACTP tunnel and WLAN roaming 74
  IACTP tunnel 74
  WLAN roaming overview 74
    Terminology 74
    WLAN roaming topologies 75
  Configuring a mobility group 78
  Displaying and maintaining WLAN roaming 79
  WLAN roaming configuration examples 79
    Intra-AC roaming configuration example 79
    Inter-AC roaming configuration example 82
Configuring WLAN RRM 87
  Overview 87
    Dynamic frequency selection 87
    Transmit power control 88
  Configuration task list 90
  Configuring data transmit rates 91
    Configuring 802.11a/802.11b/802.11g rates 91
    Configuring 802.11n rates 91
  Configuring channel exclusion 94
  Configuring the maximum bandwidth 94
  Configuring 802.11g protection 95
    Enabling 802.11g protection 95
    Configuring 802.11g protection mode 95
  Configuring 802.11n protection 96
    Enabling 802.11n protection 96
    Configuring 802.11n protection mode 97
  Configuring DFS 97
    Configuring auto-DFS 97
    Executing one-time DFS 98
    Configuring DFS trigger parameters 98
  Configuring mesh DFS 99
    Configuring automatic mesh DFS 99
    Executing one-time mesh DFS 99
  Configuring TPC 100
    Configuring auto-TPC 100
    Executing one-time TPC 100
    Configuring TPC trigger parameters 101
    Configuring the minimum value for AP power adjustment 101
  Configuring a radio group 102
  Configuring scan parameters 102
  Configuring power constraint 103
  Displaying and maintaining WLAN RRM 103
  Load balancing 104
    Overview 104
    Load balancing configuration task list 106
    Configuring a load balancing mode 107
    Configuring group-based load balancing 108
    Configuring parameters that affect load balancing 108
    Displaying and maintaining load balancing 109
  Configuring band navigation 109
    Configuration guidelines 109
    Configuration prerequisites 110
    Enabling band navigation globally 110
    Enabling band navigation for an AP 110
    Configuring band navigation parameters 110
  WLAN RRM configuration examples 111
    Configuring auto DFS 111
    Configuring mesh auto DFS 113
    Configuring auto TPC 113
    Configuring a radio group 115
  Load balancing configuration examples 117
    Configuring session-mode load balancing 117
    Configuring traffic-mode load balancing 119
    Configuring group-based session-mode load balancing 120
    Configuring group-based traffic-mode load balancing 122
  Band navigation configuration example 124
Configuring WLAN IDS 127
  Overview 127
    Terminology 127
    Rogue detection 127
    Attack detection 128
    Blacklist and whitelist 129
  WLAN IDS configuration task list 130
  Configuring AP operating mode 130
  Configuring rogue detection 131
    Configuring detection of rogue devices 131
    Taking countermeasures against attacks from detected rogue devices 134
    Displaying and maintaining rogue detection 135
  Configuring attack detection 136
    Configuration procedure 136
    Displaying and maintaining attack detection 136
  Configuring blacklist and whitelist 136
    Configuring static lists 136
    Configuring a dynamic blacklist 137
    Displaying and maintaining blacklist and whitelist 137
  WLAN IDS configuration examples 137
    Rogue detection configuration example 138
    Blacklist and whitelist configuration example 139
Configuring WLAN QoS 141
  Overview 141
    Terminology 141
    WMM protocol 141
    Protocols and standards 143
  Configuring WMM 143
    Configuration restrictions and guidelines 143
    Configuration procedure 144
    Displaying and maintaining WMM 145
    WMM configuration examples 145
    Troubleshooting 150
  Configuring bandwidth guaranteeing 150
    Configuration procedure 151
    Displaying and maintaining bandwidth guaranteeing 151
    Bandwidth guaranteeing configuration example 151
  Configuring client rate limiting 154
    Configuration procedure 154
    Displaying and maintaining client rate limiting 155
    Client rate limiting configuration example 155
Configuring WLAN mesh link 157
  Overview 157
    Basic concepts 157
    WLAN mesh advantages 157
    Deployment scenarios 158
    WLAN mesh security 159
    Protocols and standards 159
  WLAN mesh configuration task list 160
  Configuring an MKD ID 160
  Configuring mesh port security 160
  Configuring a mesh profile 161
  Configuring mesh portal service 161
  Configuring an MP policy 162
  Mapping a mesh profile to the radio of an MP 162
  Mapping an MP policy to the radio of an MP 163
  Specifying a mesh working channel 163
  Specifying a peer on the radio 164
  Displaying and maintaining WLAN mesh link 164
  WLAN mesh configuration example 164
    One-hop mesh link configuration example 165
    Two-hop mesh link configuration example 167
  Troubleshooting WLAN mesh link 170
    Authentication process not started 170
    Failure to ping MAP 170
    Configuration download failure for zeroconfig device 170
    Configuration download failure for MP 171
    Debug error: neither local nor remote is connected to MKD 171
    PMKMA delete is received by MPP for MP 171
Configuring WLAN sniffer 172
  Configuring WLAN sniffer 172
  Displaying and maintaining WLAN sniffer 173
  WLAN sniffer configuration example 173
Configuring AP provision 175
  Configuring basic network settings for an AP 175
  AP provision configuration example 177
Configuring wireless location 180
  Overview 180
  Configuring wireless location 181
  Displaying and maintaining wireless location 182
  Wireless location configuration example 182
Configuring multicast optimization 185
  Configuring multicast optimization 186
  Displaying and maintaining multicast optimization 187
  Multicast optimization configuration example 187
Configuring spectrum analysis 189
  Configuration task list 189
  Configuring the operating mode for an AP 189
  Enabling spectrum analysis 190
  Enabling SNMP traps 190
  Enabling spectrum analysis to trigger channel adjustment 191
  Displaying and maintaining spectrum analysis 192
  Spectrum analysis configuration example 192
Configuring AC backup 194
  Overview 194
    Primary AC recovery 194
    Active/active mode 194
    AC backup 195
  Configuring AC backup 195
  Displaying AC backup connection status 197
  Configuration example 197
Configuring uplink detection 200
  Configuration procedure 200
  Configuration example 200
Optimizing WLAN 202
  Rejecting wireless clients with low RSSI 202
  Enabling fair scheduling 202
  Ignoring weak signals 203
  Enabling 802.11n packet suppression 203
  Enabling traffic shaping based on link status 203
  Configuring the rate algorithm 204
  Enabling channel sharing adjustment 204
  Enabling channel reuse adjustment 205
  Disabling buffering of multicasts and broadcasts 205
  Enabling packet-based TPC 206
  Enabling the AP to trigger client reconnection 206
  Enabling the AP to receive all broadcasts 206
  Enabling the green-ap function 207
  Configuring roaming navigation 207
  Enabling rate limit based on client type 207
  Configuring the maximum transmission times for probe responses 208
  Configuring the maximum interference threshold 208
  WLAN optimization configuration examples 208
    Optimizing a high-density WLAN 209
    Optimizing a WLAN with multicast application 210
    Optimizing an 802.11n WLAN 212
    Optimizing some APs in a WLAN 213
    Enabling packet-based TPC for a WLAN 215
Support and other resources 217
  Contacting HP 217
    Subscription service 217
  Related information 217
    Documents 217
    Websites 217
  Conventions 218
Index 220

Configuring WLAN interfaces

WLAN-ESS interface

WLAN-ESS interfaces are virtual Layer 2 interfaces. They operate like Layer 2 Ethernet ports of the access link type and support multiple Layer 2 protocols. A WLAN-ESS interface can also serve as a template for configuring WLAN-DBSS interfaces: WLAN-DBSS interfaces created on a WLAN-ESS interface adopt the configuration of that WLAN-ESS interface.

Entering WLAN-ESS interface view

1. Enter system view.
   system-view
2. Enter WLAN-ESS interface view.
   interface wlan-ess interface-number
   If the WLAN-ESS interface does not exist, this command creates it first.
3. Restore the default settings of the WLAN-ESS interface.
   default

Configuring a WLAN-ESS interface

You can configure the description of a WLAN-ESS interface and assign the interface to a common VLAN or a multicast VLAN. This section lists only the features supported on WLAN-ESS interfaces.

Before executing the port access vlan command, make sure the VLAN specified by the vlan-id argument already exists. You can use the vlan command to create a VLAN. For more information about the port access vlan command, see Layer 2 Command Reference.

Once WLAN-DBSS interfaces have been created on a WLAN-ESS interface, some of its settings cannot be modified and the WLAN-ESS interface cannot be removed.

To configure a WLAN-ESS interface:

1. Configure the description of the interface.
   description
2. Configure the VLAN.
   port access vlan
   port hybrid vlan
   port hybrid pvid vlan
   port link-type
   port multicast-vlan
3. Configure multicast.
   Configure a multicast VLAN: port multicast-vlan
   Configure an IPv6 multicast VLAN: port multicast-vlan ipv6
4. Configure a MAC authentication guest VLAN.
   mac-authentication guest-vlan

WLAN-DBSS interface

WLAN-DBSS interfaces are virtual Layer 2 interfaces. They operate like Layer 2 Ethernet ports of the access link type and support multiple Layer 2 protocols as well as 802.1X. A WLAN-DBSS interface created on a WLAN-ESS interface adopts the configuration of the WLAN-ESS interface. On an access controller, the WLAN module dynamically creates a WLAN-DBSS interface for each wireless access service and removes the interface when the service expires.

WLAN mesh interface

WLAN mesh interfaces are virtual Layer 2 interfaces. You use them as configuration templates to make and save settings for WLAN mesh link interfaces. After a WLAN mesh link interface has been created, you cannot change the settings on its associated WLAN mesh interface.

Entering WLAN mesh interface view

1. Enter system view.
   system-view
2. Enter WLAN mesh interface view.
   interface wlan-mesh interface-number
   If the specified WLAN mesh interface does not exist, this command creates it first.
3. Restore the default settings of the WLAN mesh interface.
   default

Configuring a WLAN mesh interface

1. Configure the description of the WLAN mesh interface.
   description
2. Configure VLAN settings.
   port link-type
   port access
   port trunk
   port hybrid
   port multicast-vlan
3. Configure port security settings.
   port-security max-mac-count
   port-security port-mode
   port-security preshared-key
   port-security tx-key-type 11key

WLAN mesh link interface

WLAN mesh link interfaces are similar to Layer 2 virtual Ethernet interfaces and have the features of Layer 2 interfaces. They are dynamically created and deleted by the WLAN module and are responsible for local data forwarding on the mesh network. WLAN mesh link interfaces use the settings made on their corresponding WLAN mesh interfaces and are not configurable themselves.

Displaying and maintaining WLAN interfaces

All of the following display commands are available in any view.

Display information about WLAN-ESS interfaces:
  display interface [ wlan-ess ] [ brief [ down ] ] [ | { begin | exclude | include } regular-expression ]
  display interface wlan-ess interface-number [ brief ] [ | { begin | exclude | include } regular-expression ]

Display information about WLAN-DBSS interfaces:
  display interface [ wlan-dbss ] [ brief [ down ] ] [ | { begin | exclude | include } regular-expression ]
  display interface wlan-dbss interface-number [ brief ] [ | { begin | exclude | include } regular-expression ]

Display information about WLAN mesh interfaces:
  display interface [ wlan-mesh ] [ brief [ down ] ] [ | { begin | exclude | include } regular-expression ]
  display interface wlan-mesh interface-number [ brief ] [ | { begin | exclude | include } regular-expression ]

Configuring WLAN access

This chapter describes how to configure WLAN access.

WLAN access overview

WLAN access provides the following services:
- WLAN client connectivity to conventional LANs.
- Secured WLAN access with different authentication and encryption methods.
- Seamless roaming of WLAN clients within a mobility domain.

Terminology

Wireless client: A computer or laptop with a wireless NIC, or a terminal that supports WiFi.

Access point (AP): An AP bridges frames between wireless and wired networks.

Access controller (AC): An AC manages all APs in a WLAN and provides WLAN client authentication through an authentication server.

Service set identifier (SSID): An SSID identifies a wireless network. A client scans all wireless networks and selects an SSID to connect to a specific wireless network.

Wireless medium: Transmits frames between wireless devices. Radio frequency is the wireless medium in the WLAN system.

Distribution system: A distribution system is the backbone for transmitting frames among APs.

Split MAC: In split MAC mode, APs and ACs manage different services. An AP handles real-time services such as beacon generation, power management, fragmentation, and defragmentation. An AC handles packet distribution, association, disassociation, and reassociation.

Wireless client access

A wireless client access process involves the steps shown in Figure 1.

Figure 1 Wireless client access

Scanning

Wireless clients use active scanning and passive scanning to obtain information about surrounding wireless networks.

1. Active scanning

A wireless client periodically sends probe request frames and obtains wireless network information from the probe response frames it receives. Active scanning includes the following modes:

Active scanning without an SSID: The client periodically sends a probe request frame without an SSID on each of its supported channels. APs that receive the probe request send a probe response that includes the available wireless network information. The client associates with the AP that has the strongest signal. This mode enables the client to find the optimal wireless network.

Figure 2 Active scanning without an SSID

Active scanning with an SSID: If the wireless client is configured to access a wireless network or has previously associated with one, the client periodically sends a probe request that carries the SSID of that wireless network. When the target AP receives the probe request, it sends a probe response. This mode enables the client to access a specified wireless network.

Figure 3 Active scanning with an SSID

2. Passive scanning

A wireless client listens to the beacon frames that APs send periodically to discover surrounding wireless networks. Passive scanning is used when a client wants to save battery power. VoIP clients typically adopt passive scanning.

Figure 4 Passive scanning

Authentication

To secure wireless links, APs perform authentication on wireless clients. A wireless client must pass authentication before it can access a wireless network. 802.11 defines two authentication methods: open system authentication and shared key authentication. For more information about the authentication methods, see "Configuring WLAN security."

Association

To access a wireless network through an AP, a client must associate with that AP. After the client passes authentication on the AP, the client sends an association request to the AP. The AP checks the capability information in the association request to determine the capabilities supported by the wireless client, and sends an association response to notify the client of the association result. A client can associate with only one AP at a time, and an association process is always initiated by the client.

WLAN access configuration task list

Enabling WLAN: Required.
Specifying a country/region code: Required.
Configuring auto AP: Optional.
Configuring tunnel management: Required.
Managing APs: Optional.
Configuring a WLAN service template: Required.
Configuring radio parameters: Required.
Restoring the factory default settings of APs: Optional.
Enabling automatic heating for an outdoor AP: Optional.

Enabling WLAN

You must enable WLAN before you can use WLAN services. To enable WLAN:

1. Enter system view.
   system-view
2. Enable WLAN.
   wlan enable
   By default, WLAN is enabled.

Specifying a country/region code

A country/region code determines the wireless bands, channels, and power levels available in the country/region where you deploy the WLAN.

Some ACs and fit APs have a fixed country/region code that cannot be modified:
- If an AC has a fixed country/region code, all fit APs managed by the AC must use the AC's fixed country/region code.
- If a fit AP has a fixed country/region code, the fit AP can use only that code.
- If an AC and a fit AP each have a different fixed country/region code, they use the fixed country/region code of the fit AP.

To specify a country/region code:

1. Enter system view.
   system-view
2. Specify the global country/region code.
   wlan country-code code
   By default, the global country/region code is CN.
3. Specify the AP name and model and enter AP template view.
   wlan ap ap-name model model-name [ id ap-id ]
   Specify the model name only when you create a new AP template.
4. Specify a country/region code for the AP.
   country-code code
   By default, the AP has no country/region code of its own and uses the global country/region code. If an AP is configured with a country/region code, the AP uses its own code. If an AP is configured with a country/region code or has a fixed country/region code, changing the global country/region code does not affect the AP.

Configuring auto AP

The auto AP feature enables APs to associate with the AC automatically. When you deploy a high-density WLAN, this feature frees you from configuring serial IDs for APs, reducing your workload. Because the AC then does not match a joining AP against a preconfigured serial ID, any AP of the template's model that can reach the AC can associate while auto AP is enabled; convert auto APs to configured APs once rollout is complete.

Enabling auto AP

1. Enter system view.
   system-view
2. Enable the auto AP function.
   wlan auto-ap enable
   By default, the auto AP function is disabled.
3. Enter AP template view.
   wlan ap ap-name [ model model-name [ id ap-id ] ]
   Specify the model name only when you create an AP template.
4. Enable auto AP serial ID configuration.
   serial-id auto
   By default, no serial ID is configured for an AP.

NOTE: If you change the AP template settings, auto APs that have associated with the AC must re-associate with the AC before they can use the new settings.

Converting auto APs to configured APs

1. Enter system view.
   system-view
2. Convert an auto AP to a configured AP.
   wlan auto-ap persistent { all | name auto-ap-name [ new-ap-name ] }
   You must convert an auto AP to a configured AP before you configure other AP template settings. After conversion, the AP template is not removed if the AP goes offline.
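The two active scanning modes and the passive (beacon) path described under "Wireless client access" differ only in the SSID element of the management frame. The following is an added example, not part of the HP guide: it parses that element out of raw 802.11 probe request and beacon frames, tells a wildcard probe request (active scanning without an SSID) from a directed one (active scanning with an SSID), and flags a beacon whose SSID has been suppressed, which is what a client sees from an AP configured with beacon ssid-hide later in this chapter. The frame bytes and MAC addresses are constructed for the demonstration.

```python
"""Parse the SSID element out of 802.11 management frames so the scanning
modes in the text can be told apart on the wire. Added example; the frames
below are hand-built, not captured."""
import struct

MGMT_SUBTYPE = {4: "probe-request", 5: "probe-response", 8: "beacon"}
# Beacons and probe responses carry a 12-byte fixed block (timestamp, beacon
# interval, capability) before the tagged parameters; probe requests do not.
FIXED_PARAMS_LEN = {4: 0, 5: 12, 8: 12}


def _mac(b):
    return ":".join("%02x" % x for x in b)


def parse_tagged(body):
    """Yield (element_id, value) for each tagged parameter in a frame body."""
    i = 0
    while i + 2 <= len(body):
        eid, ln = body[i], body[i + 1]
        val = body[i + 2:i + 2 + ln]
        if len(val) < ln:          # truncated element: stop, do not mis-parse
            break
        yield eid, val
        i += 2 + ln


def parse_mgmt(frame):
    """Return subtype, addresses and SSID of an 802.11 management frame.

    ssid is None if no SSID element is present, "" for an empty element,
    else the decoded string. hidden is True for a beacon/probe response whose
    SSID element is empty or all NUL bytes (SSID suppressed by the AP).
    """
    if len(frame) < 24:
        raise ValueError("frame shorter than the 24-byte management header")
    fc, = struct.unpack_from("<H", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0:
        raise ValueError("not a management frame (type %d)" % ftype)
    if subtype not in FIXED_PARAMS_LEN:
        raise ValueError("unsupported management subtype %d" % subtype)
    body = frame[24 + FIXED_PARAMS_LEN[subtype]:]
    ssid, hidden = None, False
    for eid, val in parse_tagged(body):
        if eid == 0:                                   # SSID element
            if len(val) == 0 or all(b == 0 for b in val):
                ssid, hidden = "", subtype != 4        # wildcard vs. suppressed
            else:
                ssid = val.decode("utf-8", errors="replace")
            break
    return {"subtype": MGMT_SUBTYPE[subtype], "dst": _mac(frame[4:10]),
            "src": _mac(frame[10:16]), "bssid": _mac(frame[16:22]),
            "ssid": ssid, "hidden": hidden}


def scanning_mode(frame):
    """Classify a probe request as the guide's 'without SSID' or 'with SSID' mode."""
    info = parse_mgmt(frame)
    if info["subtype"] != "probe-request":
        return None
    return "active-without-ssid" if info["ssid"] == "" else "active-with-ssid"


def _mgmt_header(subtype, dst, src, bssid):
    fc = subtype << 4                 # type 0 = management, no flags
    return struct.pack("<HH", fc, 0) + dst + src + bssid + struct.pack("<H", 0)


BROADCAST = b"\xff" * 6
CLIENT = bytes.fromhex("001122334455")   # constructed client MAC
AP = bytes.fromhex("00aabbccddee")       # constructed AP MAC
RATES = bytes([1, 4, 0x82, 0x84, 0x8b, 0x96])   # supported rates 1/2/5.5/11 Mbps

# Constructed frames: wildcard probe request, directed probe request for
# "corp", and a beacon from an AP that suppresses its SSID (empty element).
PROBE_NO_SSID = _mgmt_header(4, BROADCAST, CLIENT, BROADCAST) + bytes([0, 0]) + RATES
PROBE_WITH_SSID = _mgmt_header(4, BROADCAST, CLIENT, BROADCAST) + bytes([0, 4]) + b"corp" + RATES
HIDDEN_BEACON = (_mgmt_header(8, BROADCAST, AP, AP)
                 + struct.pack("<QHH", 0, 100, 0x0411)   # timestamp, interval, capability
                 + bytes([0, 0]) + bytes([3, 1, 6]))      # empty SSID, DS param channel 6

if __name__ == "__main__":
    for f in (PROBE_NO_SSID, PROBE_WITH_SSID, HIDDEN_BEACON):
        print(parse_mgmt(f), scanning_mode(f))
```

Run on a capture, the same parser shows why beacon ssid-hide is not a secrecy control: the directed probe request from any client that knows the network carries the SSID in clear, exactly as PROBE_WITH_SSID does.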

Configuring tunnel management

As shown in Figure 5, an AC and an AP establish a data tunnel to forward data packets and a control tunnel to forward the control packets used for AP configuration and management. The AC can automatically configure and manage APs based on the information provided by the administrator.

Figure 5 Network diagram

Configuring parameters for an AP

Perform this task to configure parameters for an AP on the AC. After the AP associates with the AC and enters the Run state, the AC assigns the configured parameters to the AP.

To configure parameters for an AP:

1. Enter system view.
   system-view
2. Set the discovery policy.
   wlan lwapp discovery-policy unicast
   By default, the tunnel discovery policy is broadcast. If you configure the discovery policy as unicast, broadcast discovery packets are discarded.
3. Specify the AP name and model and enter AP template view.
   wlan ap ap-name [ model model-name [ id ap-id ] ]
   Specify the model name only when you create an AP template.
4. Specify the serial ID of the AP, or specify auto AP.
   serial-id { text | auto }
   By default, no serial ID is specified for an AP. When you configure an auto AP, you must configure the wlan auto-ap enable command in addition to the serial-id auto command.
5. Configure a description for the AP.
   description text
6. Enable traps.
   trap enable
7. Configure the AP name.
   ap-name name
   By default, no AP name is configured.
8. Set the maximum length of jumbo frames.
   jumboframe enable value
   By default, jumbo frame transmission is disabled.
9. Enable the AP to respond to probe requests with a null SSID from clients.
   broadcast-probe reply
   By default, the AP responds to probe requests with a null SSID.
10. Specify the maximum idle time for connections between clients and the AP.
   client idle-timeout interval
   The default is 3600 seconds.
11. Specify the client keepalive interval.
   client keep-alive interval
   By default, the client keepalive function is disabled.
12. Set the action the AP takes on frames from unknown clients.
   unknown-client { deauthenticate | drop }
   By default, the AP sends deauthentication packets when it receives frames from unknown clients.
13. Set the network access server port ID (NAS-Port-ID) for the AP.
   nas-port-id text
   By default, no NAS-Port-ID is configured for an AP.
14. Set the NAS-ID for the AP.
   nas-id text
   By default, no NAS-ID is configured for an AP.

Enabling AC-AP tunnel encryption with IPsec

To improve AC-AP tunnel security, you can use IPsec to encrypt and authenticate control and data packets.

NOTE: If you have configured AC backup and IPsec stateful failover, HP recommends that you disable IPsec stateful failover with the undo ipsec synchronization enable command.

Follow these steps to configure AC-AP tunnel encryption with IPsec:

1. Configure the AP and AC to establish a tunnel, and make sure the AP is in Run state.
2. Configure IPsec encryption in AP configuration view, and execute the save wlan ap provision command to save the configuration to the wlan_ap_cfg.wcfg file on the AP.
3. Reboot the AP to apply the new configuration.
4. Configure IPsec on the AC. For information about IPsec configuration, see Security Configuration Guide. Follow these guidelines:
   - Specify ESP as the security protocol (transform esp), tunnel mode as the encapsulation mode (encapsulation-mode tunnel), SHA1 as the authentication algorithm (esp authentication-algorithm sha1), and DES as the encryption algorithm (esp encryption-algorithm des). This is the combination the AP tunnel requires. Because DES uses a 56-bit key, treat the tunnel as integrity and origin protection for AP management traffic rather than as strong confidentiality for client data.
   - Use IKEv1 to set up the SAs, use the default IKE proposal, and use only main mode (exchange-mode) for IKE negotiation. For more information about IPsec commands, see Security Command Reference.
   - You can configure an IPsec policy that uses IKE only by referencing an IPsec policy template.
   - When you configure pre-shared key authentication for the IKE peer, the pre-shared key configured with the pre-shared-key command (the key on the AC) must be the same as the key configured with the tunnel encryption ipsec pre-shared-key command (the key the AC sends to the AP through the AP provision function).
   - When you configure the IKE peer on the AC, you can use the remote-address command to configure the remote gateway address, because the AC is the responder. This can be the IP address or an IP address range of the AP. If you do not configure an IKE peer, the AC accepts negotiation requests from any AP. If multiple APs establish IPsec tunnels with the AC and each AP uses a different pre-shared key, HP recommends that you configure the remote-address command with a non-overlapping IP address range for each AP. For more information about the remote-address command, see Security Command Reference.
   - To make sure that the SAs between the AC and an AP are removed after the AP disconnects from the AC, configure Dead Peer Detection (DPD), configure the ISAKMP SA keepalive interval with the ike sa keepalive-timer interval command, configure the ISAKMP SA keepalive timeout with the ike sa keepalive-timer timeout command, and enable invalid security parameter index (SPI) recovery with the ipsec invalid-spi-recovery enable command.
5. Apply the IPsec policy to the target VLAN interface.

The following procedure shows only the IPsec encryption configuration in AP configuration view:

1. Enter system view.
   system-view
2. Enter AP template view.
   wlan ap ap-name [ model model-name [ id ap-id ] ]
   Specify the model name only when you create an AP template.
3. Enter AP configuration view.
   provision
4. Configure the AP to use IPsec to encrypt the control tunnel.
   tunnel encryption ipsec pre-shared-key { cipher | simple } key
   By default, the AP does not encrypt the control tunnel. For more information about this command, see WLAN Command Reference.
5. Configure the AP to use IPsec to encrypt the data tunnel.
   data-tunnel encryption enable
   By default, the AP does not encrypt the data tunnel. For more information about this command, see WLAN Command Reference.
6. Save the configuration to the wlan_ap_cfg.wcfg file of the specified AP.
   save wlan ap provision { all | name ap-name }
   This command takes effect only for APs in Run state.

Configuring the echo interval for an AP

The AP sends echo requests to the AC at the echo interval, and the AC answers each with an echo response. The tunnel is torn down if the AC does not receive an echo request from the AP, or the AP does not receive an echo response from the AC, within three times the echo interval.

To configure the echo interval:

1. Enter system view.
   system-view
2. Enter AP template view.
   wlan ap ap-name [ model model-name [ id ap-id ] ]
3. Configure the interval at which the AP sends echo requests.
   echo-interval interval
   By default, the echo interval is 10 seconds.

Managing APs

Specifying a configuration file for an AP

After you specify a configuration file for an AP, the AP downloads the configuration file from the AC each time it associates with the AC and enters Run state.

To specify a configuration file for an AP:

1. Enter system view.
   system-view
2. Enter AP template view.
   wlan ap ap-name [ model model-name [ id ap-id ] ]
   Specify the model name only when you create an AP template.
3. Specify a configuration file for the AP.
   map-configuration filename
   By default, no configuration file is specified for an AP. The commands in the configuration file must be in their complete form.

Configuring AP traffic protection

Configure AP traffic protection to avoid frequent AP reboots caused by traffic that exceeds the AP's capability.

To configure AP traffic protection:

1. Enter system view.
   system-view
2. Enter AP template view.
   wlan ap ap-name [ model model-name [ id ap-id ] ]
   Specify the model name only when you create an AP template.
3. Set the CIR for packets sent from the AC to the AP.
   cir committed-information-rate [ cbs committed-burst-size ]
   By default, no CIR is set for packets sent from the AC to the AP.
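The IPsec procedure under "Enabling AC-AP tunnel encryption with IPsec" above is spread over two views on the AC and a separate Security Configuration Guide. The following is an added example, not configuration from the HP guide, that carries steps 1 through 5 out end to end for one AC and one AP in configuration-file form. The AP name, model and serial ID, the VLAN interface and addresses, the pre-shared key, and the object names (ap-dpd, ap-peer, ap-prop, ap-tpl, ap-policy) are assumptions; the algorithm set and IKEv1 main mode are the ones the guide requires.

```text
# Step 1: AP template. The AP must already be associated and in Run state
# before the provision settings below are saved to it.
 wlan ap ap1 model MSM460 id 1
  serial-id CN2AD3K0GC
#
# Step 2: IPsec settings written to the AP's wlan_ap_cfg.wcfg. This key must
# match the pre-shared-key under the IKE peer on the AC.
  provision
   tunnel encryption ipsec pre-shared-key simple Ap-tunnel-psk-2013
   data-tunnel encryption enable
# In system view, save to the AP, then reboot the AP (step 3).
 save wlan ap provision name ap1
#
# Step 4: IPsec on the AC. DPD, ISAKMP keepalives and invalid-SPI recovery
# together make sure the SAs of an AP that drops off the network are removed
# instead of lingering.
 ike dpd ap-dpd
  interval-time 10
  time-out 5
 ike sa keepalive-timer interval 20
 ike sa keepalive-timer timeout 60
 ipsec invalid-spi-recovery enable
#
# IKE peer, responder side. remote-address limits which addresses may
# negotiate with this key; without it any AP that knows the key is accepted.
 ike peer ap-peer
  exchange-mode main
  pre-shared-key simple Ap-tunnel-psk-2013
  remote-address 10.1.1.10 10.1.1.50
  dpd ap-dpd
#
# ESP, tunnel mode, SHA1, DES: the combination the guide requires. DES is a
# 56-bit cipher, so this protects AP management traffic from tampering more
# than it hides its contents.
 ipsec proposal ap-prop
  transform esp
  encapsulation-mode tunnel
  esp authentication-algorithm sha1
  esp encryption-algorithm des
#
# IKE-negotiated policy referencing a policy template (the only form allowed
# for this tunnel).
 ipsec policy-template ap-tpl 1
  ike-peer ap-peer
  proposal ap-prop
 ipsec policy ap-policy 1 isakmp template ap-tpl
#
# Step 5: apply the policy on the VLAN interface the APs reach the AC through.
 interface Vlan-interface 1
  ip address 10.1.1.1 255.255.255.0
  ipsec policy ap-policy
```

If several APs need different keys, repeat the ike peer block per AP with non-overlapping remote-address ranges, as the guide recommends; a single shared key with no remote-address means any host that learns the key can bring up an SA with the AC.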

21 Enabling the AC to accept APs with a different software version By default, the AC accepts only the APs that use the same software version as it. Perform this task if you want the AC to accept APs with a different software version. To enable the AC to accept APs with a different software version: 2. Enable the AC to accept APs with the specified software version. wlan apdb model-name hardware-version software-version By default, a fit AP must use the same software version as the AC. Configuring a WLAN service template Creating a service template and specifying an SSID 2. Create a WLAN service template and enter WLAN service template view. 3. Specify the service set identifier. 4. Disable the advertising of SSID in beacon frames. wlan service-template service-template-number { clear crypto } ssid ssid-name beacon ssid-hide You cannot change an existing service template to another type. You can create multiple service templates and specify different SSIDs or specify the same SSID for different service templates to enable one SSID to provide different access services. N/A By default, the SSID is advertised in beacon frames. Enabling an authentication method 2. Enter WLAN service template view. wlan service-template service-template-number { clear crypto } You cannot change an existing service template to another type. 13

22 3. Enable the authentication method. authentication-method { open-system shared-key } By default, open system authentication is adopted. For more information about the command, see WLAN Command Reference. Binding a WLAN-ESS interface to the service template 2. Create a WLAN service template and enter WLAN service template view. 3. Bind the WLAN-ESS interface to the service template. wlan service-template service-template-number { clear crypto } bind wlan-ess interface-index You cannot change an existing service template to another type. By default, no interface is bound to the service template. Configuring a forwarding mode WLAN supports the following forwarding modes: Centralized forwarding APs change incoming frames to frames and tunnel the frames to the AC or directly tunnel incoming frames to the AC. The AC performs data forwarding. Local forwarding APs directly forward incoming data frames. The AC still performs authentication on clients. This forwarding mode reduces the workload of the AC and retains the security and management advantages of the AC/fit AP architecture. To configure a forwarding mode: 2. Create a WLAN service template and enter WLAN service template view. 3. Enable local forwarding. wlan service-template service-template-number { clear crypto } client forwarding-mode local [ vlan vlan-id-list ] You cannot change an existing service template to another type. By default, an AP forwards client data frames to the AC for centralized forwarding. Configuring client authentication WLAN access supports the following client authentication modes : 14

Central: The AC authenticates clients. In central authentication mode, the data forwarding mode is determined by the client forwarding-mode local command. If the connection between the AC and the AP fails, whether the clients associated with the AP are logged off depends on the hybrid-remote-ap enable command. For more information about this command, see "Configuring a remote AP."

Local: The AP authenticates clients. Use this mode in simple networks. In this mode, the AP forwards data frames from clients directly. If the connection to the AC fails, the AP does not log off locally authenticated clients and accepts new clients after they pass local authentication. If the AP can still communicate with the authentication server (see Figure 7), it also does not log off centrally authenticated clients.

Backup: The AC authenticates clients. When the AC-AP connection fails, the AP authenticates clients and performs local forwarding. When the AP re-establishes the connection with the AC, the AP logs off all clients and the AC re-authenticates them. Clients can associate with the AP only after they pass authentication.

Configuration guidelines

Client authentication uses the authentication type supported by the port security configuration of the WLAN-ESS interface. Portal authentication is not supported.

Locally authenticated clients do not support roaming or the client information backup configured by the wlan backup-client enable command.

You can execute the reset wlan client command on the AC to log off locally authenticated clients.

For local authentication and backup authentication, do not modify the configuration on the AC while the AC and the AP are disconnected. The AC checks the configuration after the connection recovers; if the configuration has changed, the AC might log off online clients because of the inconsistency.

Networking modes

For local authentication and backup authentication, you can use the following networking modes if an authentication server is needed.
The networking mode shown in Figure 7 is recommended. In this mode, online clients are not logged off when the connection between the AP and the AC fails, because the authentication server is deployed at the AP side.

Figure 6 Network diagram

Figure 7 Network diagram (components: Server, Internet, AC, AP, Client)

Configuration prerequisites

Use the hybrid-remote-ap enable command to enable the remote AP function before you configure the backup or local authentication mode.

If the clients use 802.1X or MAC authentication, edit the configuration file of the AP and then use the map-configuration command to download the configuration file to the AP. The configuration file of the AP must contain the following contents:

If clients use local 802.1X or local MAC authentication, the configuration file must contain ISP domain and local user configurations, and the configuration for enabling port security. Because the file then carries client credentials, protect it like any other secret material.

If clients use remote 802.1X or remote MAC authentication, the configuration file must contain ISP domain and RADIUS scheme configurations, and the configuration for enabling port security.

Configuration procedure

To configure an authentication mode:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create a WLAN service template and enter WLAN service template view.
   Command: wlan service-template service-template-number { clear | crypto }
   Remarks: You cannot change an existing service template to another type.
3. Specify an authentication mode.
   Command: authentication-mode { backup | local }
   Remarks: By default, central authentication is adopted: the AC authenticates clients.

Configuring the maximum number of associated clients

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create a WLAN service template and enter WLAN service template view.
   Command: wlan service-template service-template-number { clear | crypto }
   Remarks: You cannot change an existing service template to another type.
3. Configure the maximum number of clients allowed to associate with a radio.
   Command: client max-count max-number
   Remarks: The default is 64.

Enabling fast association

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create a WLAN service template and enter WLAN service template view.
   Command: wlan service-template service-template-number { clear | crypto }
   Remarks: You cannot change an existing service template to another type.

3. Enable fast association.
   Command: fast-association enable
   Remarks: By default, fast association is disabled. When this function is enabled, the AP does not perform band navigation or load balancing calculations for clients bound to the SSID.

Configuring the client cache aging time

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create a WLAN service template and enter WLAN service template view.
   Command: wlan service-template service-template-number { clear | crypto }
   Remarks: You cannot change an existing service template to another type.
3. Configure the client cache aging time.
   Command: client cache aging-time aging-time
   Remarks: By default, the client cache aging time is 180 seconds.

Enabling a service template

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create a WLAN service template and enter WLAN service template view.
   Command: wlan service-template service-template-number { clear | crypto }
   Remarks: You cannot change an existing service template to another type.
3. Enable the service template.
   Command: service-template enable
   Remarks: By default, the service template is disabled.

Configuring radio parameters

Configuring basic radio parameters

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter AP template view.
   Command: wlan ap ap-name [ model model-name [ id ap-id ] ]
   Remarks: Specify the model name only when you create an AP template.
3. Set the LED flashing mode for the AP.
   Command: led-mode { quiet | awake | always-on | normal }
   Remarks: By default, the LED flashing mode for an AP is normal.

4. Enter radio view.
   Command: radio radio-number [ type { dot11a | dot11an | dot11b | dot11g | dot11gn } ]
   Remarks: The default varies by device. WLAN supports customizing the default radio type for AP models.
5. Configure a channel.
   Command: Either specify a channel for the radio (channel channel-number), or set the channel mode to auto, in which you can lock the current channel: a. channel auto; b. channel lock
   Remarks: By default, auto mode is enabled and no channel is locked. For more information about the commands, see WLAN Command Reference.
6. Configure the radio power.
   Command: Specify the maximum power (max-power radio-power). To lock the current power and set the maximum power as the power after power selection, use power lock.
   Remarks: By default, the maximum radio power varies depending on the country/region code, channel, AP model, radio type, and antenna type; if 802.11n is adopted, it also varies depending on the bandwidth mode. By default, the current power is not locked. For more information about the commands, see WLAN Command Reference.
7. Specify the type of preamble.
   Command: preamble { long | short }
   Remarks: By default, the short preamble is supported.
8. Enable the ANI function.
   Command: ani enable
   Remarks: By default, ANI is enabled.
9. Enable the energy saving function.
   Command: green-energy-management enable
   Remarks: By default, the energy saving function is disabled.
10. Set the MIMO mode for the radio.
   Command: mimo { 1x1 | 2x2 | 3x3 }
   Remarks: By default, no MIMO mode is set for a radio.
11. Configure the antenna type.
   Command: antenna type type
   Remarks: The default setting for the command depends on the antenna model.
12. Configure the maximum distance that the radio can cover.
   Command: distance distance
   Remarks: By default, the radio can cover a maximum of 1 km (0.62 miles).
13. Enable LDPC.
   Command: ldpc enable
   Remarks: By default, LDPC is disabled.

14. Bind a radio policy to the current radio.
   Command: radio-policy radio-policy-name
   Remarks: By default, the default_rp radio policy is bound to a radio. After you bind a radio policy to a radio, the radio uses all the radio parameters configured in the radio policy. The default radio policy default_rp cannot be modified. The radio policy must have been configured with the wlan radio-policy command.
15. Map a service template to the current radio.
   Command: service-template service-template-number [ vlan-id vlan-id ] [ nas-port-id nas-port-id nas-id nas-id ] [ ssid-hide ]
   Remarks: You can map multiple service templates to one radio.

Configuring a radio policy

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create a radio policy and enter radio policy view.
   Command: wlan radio-policy radio-policy-name
   Remarks: By default, the default radio policy default_rp exists.
3. Set the interval for sending beacon frames.
   Command: beacon-interval interval
   Remarks: By default, the beacon interval is 100 TUs.
4. Set the DTIM counter.
   Command: dtim counter
   Remarks: By default, the DTIM counter is 1.
5. Specify the maximum length of packets that can be transmitted without fragmentation.
   Command: fragment-threshold size
   Remarks: By default, the fragment threshold is 2346 bytes. The specified fragment threshold must be an even number.
6. Set the maximum number of retransmission attempts for frames larger than the RTS threshold.
   Command: long-retry threshold count
   Remarks: By default, the long retry threshold is 4.
7. Specify the maximum number of attempts to transmit a frame shorter than the RTS threshold.
   Command: short-retry threshold count
   Remarks: By default, the short retry threshold is 7.
8. Specify the interval for the AP to hold received packets.
   Command: max-rx-duration interval
   Remarks: By default, the interval is 2000 milliseconds.

9. Specify the maximum number of associated clients.
   Command: client max-count max-number
   Remarks: By default, the maximum number of associated clients is 64.
10. Specify the request to send (RTS) threshold length.
   Command: rts-threshold size
   Remarks: By default, the RTS threshold is 2346 bytes.
11. Specify a collision avoidance mechanism.
   Command: protection-mode { cts-to-self | rts-cts }
   Remarks: By default, the collision avoidance mechanism is CTS-to-Self.
12. Return to system view.
   Command: quit
   Remarks: N/A
13. Enter AP template view.
   Command: wlan ap ap-name [ model model-name [ id ap-id ] ]
   Remarks: Specify the model name only when you create an AP template.
14. Enter radio view.
   Command: radio radio-number [ type { dot11a | dot11an | dot11b | dot11g | dot11gn } ]
   Remarks: The default setting varies by AP model.
15. Bind a radio policy to the current radio.
   Command: radio-policy radio-policy-name
   Remarks: By default, the default_rp radio policy is bound to a radio.

Enabling automatic creation of radio policies by the SNMP set operation

After you enable this function, a radio policy is automatically created and bound to each radio of a newly created AP template.

To enable automatic creation of radio policies by the SNMP set operation:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable automatic creation of radio policies by the SNMP set operation.
   Command: wlan radio-policy auto-create snmp
   Remarks: By default, automatic creation of radio policies by the SNMP set operation is disabled.

Configuring 802.11n

As the next generation wireless LAN technology, 802.11n supports both the 2.4 GHz and 5 GHz bands. It provides higher throughput by using the following methods:

Binding channels: 802.11n can bind two adjacent 20-MHz channels together to form a 40-MHz channel. During data forwarding, the two 20-MHz channels can work separately, with one acting as the primary channel and the other as the secondary channel, or work together as a 40-MHz channel. This provides a simple way of doubling the data rate.

Improving channel utilization by using the following functions:

A-MPDU: Each A-MPDU uses only one PHY header to accommodate multiple MPDUs, reducing transmission overhead and the number of ACK frames.

A-MSDU: Each A-MSDU accommodates multiple MSDUs, reducing MAC header overhead and improving MAC layer forwarding efficiency.

Short GI: Shortens the guard interval (GI) from the 800 ns used in 802.11a/g to 400 ns, increasing the rate by 10 percent.

To configure 802.11n:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter AP template view.
   Command: wlan ap ap-name [ model model-name [ id ap-id ] ]
   Remarks: Specify the model name only when you create an AP template.
3. Enter radio view.
   Command: radio radio-number type { dot11an | dot11gn }
   Remarks: N/A
4. Specify the bandwidth mode for the radio.
   Command: channel band-width { 20 | 40 }
   Remarks: By default, the 802.11an radio operates in 40 MHz mode and the 802.11gn radio operates in 20 MHz mode.
5. Enable access permission only for 802.11n clients.
   Command: client dot11n-only
   Remarks: By default, an 802.11a/n radio permits both 802.11a and 802.11an clients to access, and an 802.11g/n radio permits both 802.11g and 802.11gn clients to access.
6. Enable the short GI function.
   Command: short-gi enable
   Remarks: By default, the short GI function is enabled.
7. Enable the A-MSDU function.
   Command: a-msdu enable
   Remarks: By default, the A-MSDU function is enabled. The device receives but does not send A-MSDUs.
8. Enable the A-MPDU function.
   Command: a-mpdu enable
   Remarks: By default, the A-MPDU function is enabled.
9. Enable the radio.
   Command: radio enable
   Remarks: By default, the radio is disabled. Before enabling the radio, you must configure the MCS. For more information about the MCS index and the mandatory and supported 802.11n rates, see "Configuring WLAN RRM."

Mapping a service template to the radio

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter AP template view.
   Command: wlan ap ap-name [ model model-name [ id ap-id ] ]
   Remarks: Specify the model name only when you create an AP template.
3. Enter radio view.
   Command: radio radio-number [ type { dot11a | dot11an | dot11b | dot11g | dot11gn } ]
   Remarks: The default setting of this command depends on the device model.
4. Map a service template to the radio.
   Command: service-template service-template-number [ vlan-id vlan-id ] [ nas-port-id nas-port-id nas-id nas-id ] [ ssid-hide ]
   Remarks: You can map multiple service templates to the radio. By default, no mapping exists between a service template and a radio.

Enabling a radio

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable or disable WLAN radios.
   Command: wlan radio { disable | enable } { all | dot11a | dot11an | dot11b | dot11g | dot11gn | radio-policy radio-policy-name }
   Remarks: By default, no WLAN radio is enabled.
3. Enter AP template view.
   Command: wlan ap ap-name [ model model-name [ id ap-id ] ]
   Remarks: Specify the model name only when you create an AP template.
4. Enter radio view.
   Command: radio radio-number [ type { dot11a | dot11an | dot11b | dot11g | dot11gn } ]
   Remarks: The default setting of this command depends on the device model.
5. Enable the radio.
   Command: radio enable
   Remarks: By default, the radio is disabled.

Configuring the interval for an AP to send statistics reports

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter AP template view.
   Command: wlan ap ap-name [ model model-name [ id ap-id ] ]
   Remarks: Specify the model name only when you create an AP template.
3. Configure the interval for sending statistics reports.
   Command: statistics-interval interval
   Remarks: The default interval is 50 seconds.

Configuring the memory utilization threshold for an AP

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter AP template view.
   Command: wlan ap ap-name [ model model-name [ id ap-id ] ]
   Remarks: Specify the model name only when you create an AP template.
3. Configure the memory utilization threshold.
   Command: memory-usage threshold integer
   Remarks: The default value is 90. When the threshold is exceeded, the AC sends alarms.

Restoring the factory default settings of APs

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Restore the factory default settings of one or all APs.
   Command: wlan ap-execute { all | name ap-name } conversion-to-factory
   Remarks: By default, the default settings are not restored for any AP. The settings of an AP can be restored to factory defaults only after the connection between the AC and the AP is terminated and the AP is rebooted.

Enabling automatic heating for an outdoor AP

The automatic heating function enables an outdoor AP to operate properly when the operating temperature is too low.

To enable the automatic heating function:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable the automatic heating function.
   Command: wlan ap-execute { all | name ap-name } heatfilm { disable | enable }
   Remarks: By default, the automatic heating function is disabled.

Displaying and maintaining WLAN access

Task: Display the country/region code information for the AP.
Command: display wlan country-code ap [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Display AP information.
Command: display wlan ap { all | name ap-name } [ verbose ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Display AP address information.
Command: display wlan ap { all | name ap-name } address [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Display radio information.
Command: display wlan ap { all | name ap-name } radio [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Display the model information of a specified AP or of all APs supported on the AC.
Command: display wlan ap-model { all | name ap-name } [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Display the reboot log information of an AP.
Command: display wlan ap reboot-log name ap-name [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Display WLAN radio policy information.
Command: display wlan radio-policy [ radio-policy-name ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Display WLAN service template information.
Command: display wlan service-template [ service-template-number ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Display AP connection statistics.
Command: display wlan statistics ap { all | name ap-name } connect-history [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Display wireless client statistics.
Command: display wlan statistics client { all | mac-address mac-address } [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Display radio statistics.
Command: display wlan statistics radio [ ap ap-name ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Display AP load information.
Command: display wlan statistics radio [ ap ap-name ] load [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Display service template statistics.
Command: display wlan statistics service-template service-template-number [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Display the connection history for all APs bound to a service template.
Command: display wlan statistics service-template service-template-number connect-history [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Display WLAN client information.
Command: display wlan client { ap ap-name [ radio radio-number ] | mac-address mac-address | service-template service-template-number } [ verbose ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Display AP group information.
Command: display wlan ap-group [ group-name ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Display the status of APs after their settings are restored to factory defaults.
Command: display wlan ap-execute conversion-to-factory [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Reset AP connections.
Command: reset wlan ap { all | name ap-name }
Remarks: Available in user view.

Task: Clear AP reboot logs.
Command: reset wlan ap reboot-log { all | name ap-name }
Remarks: Available in user view.

Task: Clear statistics of an AP or client.
Command: reset wlan statistics { client { all | mac-address mac-address } | radio [ ap-name ] }
Remarks: Available in user view.

Task: Cut off WLAN clients.
Command: reset wlan client { all | mac-address mac-address }
Remarks: Available in user view.

Task: RFPing a wireless client.
Command: wlan link-test mac-address
Remarks: Available in user view.

You can use the wlan link-test command to perform a Radio Frequency Ping (RFPing) operation to a client. The operation results show the signal strength and the round trip time (RTT) between the AP and the client.

Configuring a remote AP

Remote AP provides a wireless solution for remote branches and offices. It enables you to configure and control remote APs from the headquarters over the Internet without deploying an AC in each office or branch. As shown in Figure 8, the AC manages the remote APs over the Internet. When the tunnel between an AP and the AC fails, the AP automatically enables local forwarding (whether or not local forwarding is configured on the AC) to provide wireless access for logged-on clients. It does not permit new clients. When the tunnel recovers, the AP automatically switches to centralized forwarding mode and logs off all online clients.

Figure 8 Network diagram

Follow these guidelines when you enable the remote AP function:

The remote AP and mesh functions cannot be used simultaneously.

Do not shut down all physical ports on the remote AP. Otherwise, the AP cannot perform local forwarding and logs off all online clients.

If an AP establishes tunnels to both the primary AC and a backup AC, it uses the backup tunnel to provide wireless access for logged-on clients when the primary tunnel fails.

To enable the remote AP function:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter AP template view.
   Command: wlan ap ap-name [ model model-name [ id ap-id ] ]
   Remarks: Specify the model name only when you create an AP template.
3. Enable the remote AP function for the AP.
   Command: hybrid-remote-ap enable
   Remarks: By default, the remote AP function is disabled.

Configuring WLAN access control

Configuring AP-based access control

Support for the AP group function depends on the device model. For more information, see About the HP 830 Series PoE+ Unified Wired-WLAN Switch and HP 10500/ G Unified Wired-WLAN Module Configuration Guides.

Some wireless service providers need to control the access positions of clients. For example, as shown in Figure 9, the provider needs to connect wireless clients 1, 2, and 3 to the wired network through APs 1, 2, and 3, respectively. To achieve this, the provider can configure an AP group and then apply the AP group to a user profile.

Figure 9 Network diagram

Configuring an AP group

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create an AP group and enter AP group view.
   Command: wlan ap-group value
   Remarks: N/A
3. Add the specified APs to the AP group.
   Command: ap template-name-list
   Remarks: By default, no AP is added. You can use this command repeatedly to add multiple APs, or add up to 10 APs in one command line. A nonexistent AP can be added, so a misspelled AP name is accepted silently; verify the membership with the display wlan ap-group command after adding APs.
4. Configure a description for the AP group.
   Command: description string
   Remarks: By default, no description is configured for the AP group.

Applying the AP group to a user profile

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter user profile view.
   Command: user-profile profile-name
   Remarks: If the user profile does not exist, create it first.
3. Apply the AP group to the user profile.
   Command: wlan permit-ap-group value
   Remarks: By default, no AP group is applied to the user profile. For more information about user profiles, see Security Configuration Guide.
4. Return to system view.
   Command: quit
   Remarks: N/A

5. Enable the user profile.
   Command: user-profile profile-name enable
   Remarks: By default, the user profile is not enabled. The user profile must have the same name as the external group on the RADIUS server. To support roaming, all ACs in a mobility group must have the same profile name configured.

Displaying and maintaining AP group

Task: Display AP group information.
Command: display wlan ap-group [ group-id ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Configuring SSID-based access control

When a user needs temporary access to a WLAN, the administrator can specify a permitted SSID in the corresponding user profile so that the user can access the WLAN only through that SSID.

To specify a permitted SSID:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter user profile view.
   Command: user-profile profile-name
   Remarks: If the specified user profile does not exist, this command creates it and enters its view.
3. Specify a permitted SSID.
   Command: wlan permit-ssid ssid-name
   Remarks: By default, no permitted SSID is specified, and users can access the WLAN without SSID limitation.
4. Return to system view.
   Command: quit
   Remarks: N/A
5. Enable the user profile.
   Command: user-profile profile-name enable
   Remarks: By default, the user profile is not enabled. The user profile must be enabled to take effect. For more information about user access control and user profiles, see Security Configuration Guide.

WLAN access configuration examples

The configuration examples were created on the 10500/ G unified wired-WLAN module and may vary with device models. When configuring the 10500/ G unified wired-WLAN module, make sure the settings (including VLAN settings) are correct on the internal Ethernet interface that connects the module to the switch. For more information, see HP & G Unified Wired-WLAN Module Fundamentals Configuration Guide.
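Before the guide's own examples, here is an added configuration listing for the two access-control procedures above (AP-based and SSID-based). It is not from the guide; the group number, AP names, profile names and SSID are made up, and it assumes that the AP templates ap1 and ap2 already exist and that the profile names match the external group names returned by the RADIUS server, as the procedure requires.

```text
# Added example: restrict profile "sales" to APs ap1 and ap2 (AP group 1),
# and restrict profile "guest" to SSID service1. Names are placeholders.
system-view
wlan ap-group 1
 ap ap1 ap2
 description sales-floor
 quit
user-profile sales
 wlan permit-ap-group 1
 quit
user-profile sales enable
user-profile guest
 wlan permit-ssid service1
 quit
user-profile guest enable
```

After entering the configuration, confirm the group membership with display wlan ap-group 1: the ap command accepts names of APs that do not exist, so a typo in an AP name is not reported at configuration time, and an empty group leaves the "sales" users without a permitted access point.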

By default, the aggregate interfaces between the access controller engine and the switching engine on an 830 switch are Access interfaces in VLAN 1. When configuring the two aggregate interfaces, make sure their permitted VLANs are the same. HP also recommends that you set their link type to be the same.

WLAN access configuration example

Network requirements

As shown in Figure 10, enable the client to access the internal network resources at any time. The manually entered serial ID of the AP is CN2AD330S8. The AP adopts 802.11g and provides plain-text wireless access service with SSID service1. A clear-type service template carries client traffic unencrypted over the air; use it only where an open network is intended, and choose a crypto-type template otherwise.

Figure 10 Network diagram

Configuration procedure

1. Configure the AC:

# Enable WLAN service, which is enabled by default.
<AC> system-view
[AC] wlan enable
# Create a WLAN-ESS interface.
[AC] interface WLAN-ESS 1
[AC-WLAN-ESS1] quit
# Create a clear-type WLAN service template, configure the SSID of the service template as service, and bind the WLAN-ESS interface to this service template.
[AC] wlan service-template 1 clear
[AC-wlan-st-1] ssid service
[AC-wlan-st-1] bind WLAN-ESS 1
[AC-wlan-st-1] authentication-method open-system
[AC-wlan-st-1] client max-count 10
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
# Configure a radio policy.
[AC] wlan radio-policy radpolicy1
[AC-wlan-rp-radpolicy1] beacon-interval 200
[AC-wlan-rp-radpolicy1] dtim 4
[AC-wlan-rp-radpolicy1] rts-threshold 2300
[AC-wlan-rp-radpolicy1] fragment-threshold 2200
[AC-wlan-rp-radpolicy1] short-retry threshold 6
[AC-wlan-rp-radpolicy1] long-retry threshold 5
[AC-wlan-rp-radpolicy1] max-rx-duration 500
[AC-wlan-rp-radpolicy1] quit
# Create an AP template named ap1, select the model MSM460-WW, and configure the serial ID of the AP as CN2AD330S8.
[AC] wlan ap ap1 model MSM460-WW

[AC-wlan-ap-ap1] serial-id CN2AD330S8
[AC-wlan-ap-ap1] description L3office
# Specify the radio type as dot11an and the channel as 161.
[AC-wlan-ap-ap1] radio 1 type dot11an
[AC-wlan-ap-ap1-radio-1] channel 161
# Bind radio policy radpolicy1 and service template 1 to radio 1, and enable the radio.
[AC-wlan-ap-ap1-radio-1] radio-policy radpolicy1
[AC-wlan-ap-ap1-radio-1] service-template 1
[AC-wlan-ap-ap1-radio-1] radio enable
[AC-wlan-ap-ap1-radio-1] return

2. Verify the configuration:

The clients can associate with the APs and then access the WLAN. You can use the display wlan client command to view the online clients.

Auto-AP configuration example

Network requirements

As shown in Figure 11, enable the auto AP function on the AC to establish connections to APs. The APs obtain their IP addresses from the DHCP server and provide clear-type WLAN access services with the SSID service1. Because the auto AP function accepts any AP that reaches the AC, convert the discovered APs to configured APs with their serial IDs (see "Converting auto APs to configured APs") once you have confirmed their identity.

Figure 11 Network diagram

Configuration procedure

1. Configure the AC:

# Create a WLAN-ESS interface.
<AC> system-view
[AC] interface wlan-ess 1
[AC-WLAN-ESS1] quit
# Define a clear-type WLAN service template, configure its SSID as service, and bind the WLAN-ESS interface to this service template.
[AC] wlan service-template 1 clear
[AC-wlan-st-1] ssid service

[AC-wlan-st-1] bind wlan-ess 1
[AC-wlan-st-1] authentication-method open-system
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
# Configure a radio policy.
[AC] wlan radio-policy radpolicy1
[AC-wlan-rp-radpolicy1] beacon-interval 200
[AC-wlan-rp-radpolicy1] dtim 4
[AC-wlan-rp-radpolicy1] rts-threshold 2300
[AC-wlan-rp-radpolicy1] fragment-threshold 2200
[AC-wlan-rp-radpolicy1] short-retry threshold 6
[AC-wlan-rp-radpolicy1] long-retry threshold 5
[AC-wlan-rp-radpolicy1] max-rx-duration 500
[AC-wlan-rp-radpolicy1] quit
# Enable the auto AP function.
[AC] wlan auto-ap enable
# Create an AP template whose serial ID is learned automatically.
[AC] wlan ap ap1 model MSM460-WW
[AC-wlan-ap-ap1] serial-id auto
# Specify the radio type as dot11an and the maximum power as 10.
[AC-wlan-ap-ap1] radio 1 type dot11an
[AC-wlan-ap-ap1-radio-1] max-power 10
# Bind radio policy radpolicy1 and service template 1 to radio 1, and enable the radio.
[AC-wlan-ap-ap1-radio-1] radio-policy radpolicy1
[AC-wlan-ap-ap1-radio-1] service-template 1
[AC-wlan-ap-ap1-radio-1] radio enable

2. Verify the configuration:

You can use the display wlan ap command to view the two APs. The clients can associate with the APs and access the WLAN.

Configuration example for AC-AP tunnel encryption with IPsec

Network requirements

As shown in Figure 12, the AP obtains its IP address through a DHCP server, and the data and control packets between AP 1 and the AC are transmitted in plain text. Use IPsec to encrypt the AC-AP control tunnel between AP 2 and the AC, and use IPsec to encrypt both the AC-AP control and data tunnels between AP 3 and the AC.

Figure 12 Network diagram (components: DHCP server, AC, Switch, AP 1, AP 2, AP 3, each AP with a Client)

Configuration procedure

Before you configure the provision function for AP 2 and AP 3, make sure AP 2 and AP 3 have established connections to the AC and are in Run state.

1. Configure the DHCP server:

Assume the DHCP server assigns the IP address range through to AP 1, through to AP 2, and through to AP 3. For information about how to configure the DHCP server, see IP Services Configuration Guide.

2. Configure the AC:

# Create AP 2 and enter AP provision view, configure AP 2 to use an IPsec pre-shared key to encrypt the control tunnel, and save the configuration to the wlan_ap_cfg.wcfg file of AP 2. The simple keyword stores the key in plain text in the saved configuration, so protect that file accordingly.
<AC> system-view
[AC] wlan ap ap2 model MSM460-WW
[AC-wlan-ap-ap2] provision
[AC-wlan-ap-ap2-prvs] tunnel encryption ipsec pre-shared-key simple
[AC-wlan-ap-ap2-prvs] save wlan ap provision name ap2
[AC-wlan-ap-ap2-prvs] quit
[AC-wlan-ap-ap2] quit
# Create AP 3 and enter AP provision view, configure AP 3 to use the IPsec pre-shared key abcde to encrypt the control and data tunnels, and save the configuration to the wlan_ap_cfg.wcfg file of AP 3.
[AC] wlan ap ap3 model MSM460-WW
[AC-wlan-ap-ap3] provision
[AC-wlan-ap-ap3-prvs] tunnel encryption ipsec pre-shared-key simple abcde
[AC-wlan-ap-ap3-prvs] data-tunnel encryption enable
[AC-wlan-ap-ap3-prvs] save wlan ap provision name ap3
[AC-wlan-ap-ap3-prvs] return
# Reboot AP 2 and AP 3 to apply the configuration.
<AC> reset wlan ap name ap2
<AC> reset wlan ap name ap3
# Configure an IPsec proposal.

<AC> system-view
[AC] ipsec proposal tran1
[AC-ipsec-proposal-tran1] encapsulation-mode tunnel
[AC-ipsec-proposal-tran1] transform esp
[AC-ipsec-proposal-tran1] esp encryption-algorithm des
[AC-ipsec-proposal-tran1] esp authentication-algorithm sha1
[AC-ipsec-proposal-tran1] quit
Single DES offers only a 56-bit key and is considered obsolete; prefer AES in the proposal where the AC and the AP software support it.
# Create a DPD detector named dpd.
[AC] ike dpd dpd
[AC-ike-dpd-dpd] quit
# Set the ISAKMP SA keepalive interval to 100 seconds.
[AC] ike sa keepalive-timer interval 100
# Set the ISAKMP SA keepalive timeout to 300 seconds.
[AC] ike sa keepalive-timer timeout 300
# Enable invalid SPI recovery.
[AC] ipsec invalid-spi-recovery enable
# Configure IKE peer ap2, configure the pre-shared key (the same as the key on AP 2), and apply the DPD detector to AP 2.
[AC] ike peer ap2
[AC-ike-peer-ap2] remote-address
[AC-ike-peer-ap2] pre-shared-key
[AC-ike-peer-ap2] dpd dpd
[AC-ike-peer-ap2] quit
# Configure IKE peer ap3, configure the pre-shared key abcde (the same as the key on AP 3), and apply the DPD detector to AP 3.
[AC] ike peer ap3
[AC-ike-peer-ap3] remote-address
[AC-ike-peer-ap3] pre-shared-key abcde
[AC-ike-peer-ap3] dpd dpd
[AC-ike-peer-ap3] quit
# Create an IPsec policy template named pt with sequence number 1, and configure it to reference IPsec proposal tran1 and IKE peer ap2.
[AC] ipsec policy-template pt 1
[AC-ipsec-policy-template-pt-1] proposal tran1
[AC-ipsec-policy-template-pt-1] ike-peer ap2
[AC-ipsec-policy-template-pt-1] quit
# Create an IPsec policy template named pt with sequence number 2, and configure it to reference IPsec proposal tran1 and IKE peer ap3.
[AC] ipsec policy-template pt 2
[AC-ipsec-policy-template-pt-2] proposal tran1
[AC-ipsec-policy-template-pt-2] ike-peer ap3
[AC-ipsec-policy-template-pt-2] quit
# Reference IPsec policy template pt to create an IPsec policy named map with sequence number 1.
[AC] ipsec policy map 1 isakmp template pt
# Apply the IPsec policy to VLAN-interface 1.
[AC] interface vlan-interface 1
[AC-Vlan-interface-1] ip address
[AC-Vlan-interface-1] ipsec policy map

Tunnel establishment between AP 1 and the AC is not affected by this configuration.

Verifying the configuration

Use the display ipsec sa command to display the established IPsec SAs. IKE establishes the SAs after an AP sends Join requests to the AC.

802.11n configuration example

Network requirements

As shown in Figure 13, deploy an 802.11n network to provide high-bandwidth access for multimedia applications. The AP provides a plain-text wireless service with SSID 11nservice. 802.11gn is adopted to inter-work with existing 802.11g networks.

Figure 13 Network diagram

Configuration procedure

1. Configure the AC:

# Create a WLAN-ESS interface.
<AC> system-view
[AC] interface wlan-ess 1
[AC-WLAN-ESS1] quit
# Configure a service template of clear type, configure the SSID of the service template as 11nservice, and bind the WLAN-ESS interface to the service template.
[AC] wlan service-template 1 clear
[AC-wlan-st-1] ssid 11nservice
[AC-wlan-st-1] bind WLAN-ESS 1
[AC-wlan-st-1] authentication-method open-system
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
# Create an AP template named ap1, select the model MSM460-WW, and configure the serial ID of the AP as CN2AD330S8.
[AC] wlan ap ap1 model MSM460-WW
[AC-wlan-ap-ap1] serial-id CN2AD330S8
# Configure the radio of the AP to operate in 802.11an mode.
[AC-wlan-ap-ap1] radio 1 type dot11an
# Bind the service template to radio 1 and enable the radio.
[AC-wlan-ap-ap1-radio-1] service-template 1
[AC-wlan-ap-ap1-radio-1] radio enable

2. Verify the configuration:

The clients can associate with the APs and access the WLAN.

You can use the display wlan client verbose command to view the online clients. The command output displays information about 802.11n clients.

Backup client authentication configuration example
Network requirements
As shown in Figure 14, configure backup client authentication on the AC to achieve the following purposes:
- The AC authenticates clients in the branch.
- When the AC-AP connection fails, the AP authenticates clients and does not log off online clients.
- When the connection recovers, the AP logs off all clients and the AC re-authenticates the clients.
Figure 14 Network diagram
Configuration procedure
1. Add the following commands to the configuration file of the AP:
port-security enable
domain branch.net
 authentication lan-access local
 authorization lan-access local
 accounting lan-access local
local-user c-8a-43-ff
 password simple c-8a-43-ff
 service-type lan-access
mac-authentication user-name-format mac-address with-hyphen lowercase
Save the configuration file as map.cfg and put it on the storage medium of the AC.
2. Configure the AC:
# Create an access user. Specify both the username and the password as the MAC address of the client, c-8a-43-ff, and specify the service type as lan-access.
<AC> system-view
[AC] local-user c-8a-43-ff
[AC-luser c-8a-43-ff] password simple c-8a-43-ff
[AC-luser c-8a-43-ff] service-type lan-access
[AC-luser c-8a-43-ff] quit
# Configure ISP domain branch.net to use local authentication for LAN access users.
[AC] domain branch.net
[AC-isp-branch.net] authentication lan-access local

[AC-isp-branch.net] quit
# Enable port security.
[AC] port-security enable
# Enable MAC authentication and specify branch.net as the authentication domain. The authentication domain must be the same as the domain created in the configuration file of the AP.
[AC] interface wlan-ess 1
[AC-WLAN-ESS1] port-security port-mode mac-authentication
[AC-WLAN-ESS1] mac-authentication domain branch.net
[AC-WLAN-ESS1] quit
# Configure the type of user accounts for MAC authentication users.
[AC] mac-authentication user-name-format mac-address with-hyphen lowercase
# Configure a clear-type service template, set its SSID to backup, and bind the WLAN-ESS interface to the service template.
[AC] wlan service-template 1 clear
[AC-wlan-st-1] ssid backup
[AC-wlan-st-1] bind WLAN-ESS 1
# Specify the backup authentication mode.
[AC-wlan-st-1] authentication-mode backup
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
# Create an AP template named ap1, select the model MSM460-WW, and configure the serial ID of the AP as CN2AD330S8.
[AC] wlan ap ap1 model MSM460-WW
[AC-wlan-ap-ap1] serial-id CN2AD330S8
# Enable the remote AP function.
[AC-wlan-ap-ap1] hybrid-remote-ap enable
# Download configuration file map.cfg to AP 1.
[AC-wlan-ap-ap1] map-configuration map.cfg
# Bind service template 1 to radio 2 of AP 1.
[AC-wlan-ap-ap1] radio 2 type dot11gn
[AC-wlan-ap-ap1-radio-2] service-template 1
[AC-wlan-ap-ap1-radio-2] radio enable
3. Verify the configuration:
- Clients associated with the AP can access the network after passing central authentication. In the output of the display wlan client verbose command, the Central field shows that the AC authenticates the clients.
- When the connection between the AC and the AP fails, clients associated with the AP are not logged off. If a new client wants to associate with the AP, local authentication is performed.
- When the connection between the AC and the AP recovers, the AP logs off all associated clients. The clients can associate with the AP again after being authenticated by the AC. In the output of the display wlan client verbose command, the authentication-mode field displays Central.

Local client authentication configuration example
Network requirements
As shown in Figure 15, configure local client authentication on the AC so that the AP performs 802.1X authentication on clients through the RADIUS server. Deploy the RADIUS server at the AP side so that associated 802.1X clients are not logged off when the connection between the branch and the headquarters fails.
Figure 15 Network diagram (RADIUS server, branch, headquarters, Internet, AC, AP, client)
Configuration procedure
1. Add the following commands to the configuration file of the AP:
port-security enable
dot1x authentication-method eap
radius scheme rad
 primary authentication
 primary accounting
 key authentication simple
 key accounting simple
 user-name-format without-domain
domain cams
 authentication default radius-scheme rad
 authorization default radius-scheme rad
 accounting default radius-scheme rad
Then save the configuration file as map.cfg and put it on the storage medium of the AC.
2. Configure the AC:
# Specify cams as the mandatory 802.1X authentication domain on WLAN-ESS 1. This domain must be the same as the ISP domain created in the configuration file.
<AC> system-view
[AC] interface WLAN-ESS 1
[AC-WLAN-ESS1] dot1x mandatory-domain cams
# Configure the port security mode as userlogin-secure-ext and enable 11key negotiation.
[AC-WLAN-ESS1] port-security port-mode userlogin-secure-ext

[AC-WLAN-ESS1] port-security tx-key-type 11key
# Disable the 802.1X multicast trigger and online user handshake functions.
[AC-WLAN-ESS1] undo dot1x multicast-trigger
[AC-WLAN-ESS1] undo dot1x handshake
[AC-WLAN-ESS1] quit
# Configure a crypto-type service template, set its SSID to local1x, and specify the encryption type as AES-CCMP.
[AC] wlan service-template 1 crypto
[AC-wlan-st-1] ssid local1x
[AC-wlan-st-1] bind WLAN-ESS 1
[AC-wlan-st-1] cipher-suite ccmp
[AC-wlan-st-1] security-ie rsn
# Specify the local authentication mode.
[AC-wlan-st-1] authentication-mode local
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
# Create an AP template named ap1, select the model MSM460-WW, and configure the serial ID of the AP as CN2AD330S8.
[AC] wlan ap ap1 model MSM460-WW
[AC-wlan-ap-ap1] serial-id CN2AD330S8
# Enable the remote AP function.
[AC-wlan-ap-ap1] hybrid-remote-ap enable
# Download configuration file map.cfg to AP 1.
[AC-wlan-ap-ap1] map-configuration map.cfg
# Bind service template 1 to radio 2 of AP 1.
[AC-wlan-ap-ap1] radio 2 type dot11gn
[AC-wlan-ap-ap1-radio-2] service-template 1
[AC-wlan-ap-ap1-radio-2] radio enable
3. Verify the configuration:
The AP performs 802.1X authentication on clients through the RADIUS server. Execute the display wlan client verbose command on the AC to view detailed client information. The Local field in the output shows that the AP authenticates the clients. The output of the display connection, display dot1x, and display port-security commands on the AC does not contain client information, because the AP, not the AC, authenticates the clients.

AP group configuration without roaming
Network requirements
As shown in Figure 16, configure an AP group and apply it in a user profile on the AC so that a client can access the WLAN only through AP 1.

Figure 16 Network diagram
Configuration procedure
1. Configure the AC:
# Enable port security.
<AC> system-view
[AC] port-security enable
# Enable EAP authentication mode.
[AC] dot1x authentication-method eap
# Create a RADIUS scheme.
[AC] radius scheme wlan-user-policy
# Specify the RADIUS server and the keys for authentication and accounting.
[AC-radius-wlan-user-policy] server-type extended
[AC-radius-wlan-user-policy] primary authentication
[AC-radius-wlan-user-policy] primary accounting
[AC-radius-wlan-user-policy] key authentication wlan
[AC-radius-wlan-user-policy] key accounting wlan
# Specify the IP address of the AC.
[AC-radius-wlan-user-policy] nas-ip
[AC-radius-wlan-user-policy] quit
# Configure an ISP domain named universal that references the RADIUS scheme.
[AC] domain universal
[AC-isp-universal] authentication default radius-scheme wlan-user-policy
[AC-isp-universal] authorization default radius-scheme wlan-user-policy
[AC-isp-universal] accounting default radius-scheme wlan-user-policy
[AC-isp-universal] quit
# Configure domain universal as the default domain.
[AC] domain default enable universal
# Configure port security on interface WLAN-ESS 1.

[AC] interface wlan-ess 1
[AC-WLAN-ESS1] port-security port-mode userlogin-secure-ext
[AC-WLAN-ESS1] port-security tx-key-type 11key
[AC-WLAN-ESS1] undo dot1x multicast-trigger
[AC-WLAN-ESS1] undo dot1x handshake
[AC-WLAN-ESS1] quit
# Configure a service template.
[AC] wlan service-template 1 crypto
[AC-wlan-st-1] ssid test
[AC-wlan-st-1] bind wlan-ess 1
[AC-wlan-st-1] authentication-method open-system
[AC-wlan-st-1] cipher-suite ccmp
[AC-wlan-st-1] security-ie rsn
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
# Create an AP template named ap1, select the model MSM460-WW, and configure the serial ID of the AP as CN2AD330S8.
[AC] wlan ap ap1 model MSM460-WW
[AC-wlan-ap-ap1] serial-id CN2AD330S8
# Bind service template 1 to radio 1 of AP 1.
[AC-wlan-ap-ap1] radio 1 type dot11an
[AC-wlan-ap-ap1-radio1] service-template 1
[AC-wlan-ap-ap1-radio1] radio enable
[AC-wlan-ap-ap1-radio1] return
# Add AP 1 to AP group 11, apply the AP group to user profile management, and enable the user profile.
<AC> system-view
[AC] wlan ap-group 11
[AC-ap-group11] ap ap1
[AC-ap-group11] quit
[AC] user-profile management
[AC-user-profile-management] wlan permit-ap-group 11
[AC-user-profile-management] quit
[AC] user-profile management enable
2. Configure the RADIUS server:
# Deploy a user profile on the RADIUS server. Log in to IMC. On the left navigation tree, select Service Management > Service Config. Click Add to enter the following configuration page, and select Deploy User Profile.
Figure 17 Deploying a user profile
3. Verify the configuration:

The AP group applied in the user profile contains only AP 1, so a client can access the WLAN only through AP 1.

AP group configuration for inter-AC roaming
Network requirements
As shown in Figure 18, AC 1 and AC 2 belong to the same mobility group. Configure an AP group on the ACs so that a client can still access the WLAN when it moves between the APs.
Figure 18 Network diagram
Configuration procedure
The configuration on the RADIUS server is similar to that in "AP group configuration without roaming" and is omitted.
1. Configure AC 1:
# Enable port security.
<AC1> system-view
[AC1] port-security enable
# Enable EAP authentication mode.
[AC1] dot1x authentication-method eap
# Configure port security on interface WLAN-ESS 1.
[AC1] interface wlan-ess 1
[AC1-WLAN-ESS1] port-security port-mode userlogin-secure-ext
[AC1-WLAN-ESS1] port-security tx-key-type 11key
[AC1-WLAN-ESS1] undo dot1x multicast-trigger
[AC1-WLAN-ESS1] undo dot1x handshake
[AC1-WLAN-ESS1] quit

# Define a crypto-type WLAN service template, configure the SSID as abc, and bind the WLAN-ESS interface to this service template.
[AC1] wlan service-template 1 crypto
[AC1-wlan-st-1] ssid abc
[AC1-wlan-st-1] bind wlan-ess 1
[AC1-wlan-st-1] authentication-method open-system
[AC1-wlan-st-1] cipher-suite ccmp
[AC1-wlan-st-1] security-ie rsn
[AC1-wlan-st-1] service-template enable
[AC1-wlan-st-1] quit
# Create an AP template named ap1, select the model MSM460-WW, and configure the serial ID of the AP as CN2AD330S8.
[AC1] wlan ap ap1 model MSM460-WW
[AC1-wlan-ap-ap1] serial-id CN2AD330S8
[AC1-wlan-ap-ap1] radio 1 type dot11an
# Bind service template 1 to radio 1.
[AC1-wlan-ap-ap1-radio-1] service-template 1
[AC1-wlan-ap-ap1-radio-1] radio enable
[AC1-wlan-ap-ap1-radio-1] quit
[AC1-wlan-ap-ap1] quit
# Configure mobility group abc and enable the mobility group.
[AC1] wlan mobility-group abc
[AC1-wlan-mg-abc] source ip
[AC1-wlan-mg-abc] member ip
[AC1-wlan-mg-abc] mobility-group enable
[AC1-wlan-mg-abc] return
# Configure AP group 1, add AP 1 and AP 2 to it, apply it to user profile management, and enable the user profile.
<AC1> system-view
[AC1] wlan ap-group 1
[AC1-ap-group1] ap ap1 ap2
[AC1-ap-group1] quit
[AC1] user-profile management
[AC1-user-profile-management] wlan permit-ap-group 1
[AC1-user-profile-management] quit
[AC1] user-profile management enable
2. Configure AC 2:
# Enable port security.
<AC2> system-view
[AC2] port-security enable
# Enable EAP authentication mode.
[AC2] dot1x authentication-method eap
# Configure port security on interface WLAN-ESS 1.
[AC2] interface wlan-ess 1
[AC2-WLAN-ESS1] port-security port-mode userlogin-secure-ext
[AC2-WLAN-ESS1] port-security tx-key-type 11key
[AC2-WLAN-ESS1] undo dot1x multicast-trigger

[AC2-WLAN-ESS1] undo dot1x handshake
[AC2-WLAN-ESS1] quit
# Define a crypto-type WLAN service template, configure the SSID as abc, and bind the WLAN-ESS interface to this service template.
[AC2] wlan service-template 1 crypto
[AC2-wlan-st-1] ssid abc
[AC2-wlan-st-1] bind wlan-ess 1
[AC2-wlan-st-1] authentication-method open-system
[AC2-wlan-st-1] cipher-suite ccmp
[AC2-wlan-st-1] security-ie rsn
[AC2-wlan-st-1] service-template enable
[AC2-wlan-st-1] quit
# Create an AP template named ap2, select the model MSM460-WW, and configure the serial ID of the AP as CN2AD330S8.
[AC2] wlan ap ap2 model MSM460-WW
[AC2-wlan-ap-ap2] serial-id CN2AD330S8
[AC2-wlan-ap-ap2] radio 1 type dot11an
[AC2-wlan-ap-ap2-radio-1] service-template 1
[AC2-wlan-ap-ap2-radio-1] radio enable
[AC2-wlan-ap-ap2-radio-1] quit
[AC2-wlan-ap-ap2] quit
# Configure mobility group abc and enable the mobility group.
[AC2] wlan mobility-group abc
[AC2-wlan-mg-abc] source ip
[AC2-wlan-mg-abc] member ip
[AC2-wlan-mg-abc] mobility-group enable
[AC2-wlan-mg-abc] quit
# Configure AP group 1, add AP 1 and AP 2 to it, apply it to user profile management, and enable the user profile.
[AC2] wlan ap-group 1
[AC2-ap-group1] ap ap1 ap2
[AC2-ap-group1] quit
[AC2] user-profile management
[AC2-user-profile-management] wlan permit-ap-group 1
[AC2-user-profile-management] quit
[AC2] user-profile management enable
3. Verify the configuration:
AP 1 and AP 2 are permitted in the AP group, and a client can roam between them.

Configuring WLAN security
This chapter describes WLAN security configuration.

Overview
Authentication modes
To secure wireless links, wireless clients must be authenticated before accessing the AP. 802.11 links define two authentication mechanisms: open system authentication and shared key authentication.
- Open system authentication: Open system authentication is the default authentication algorithm and the simplest of the available authentication algorithms. It is a null authentication algorithm: any client that requests authentication with this algorithm becomes authenticated. Open system authentication is a two-step process. In the first step, the wireless client sends an authentication request. In the second step, the AP determines whether the wireless client passes the authentication and returns the result to the client.
Figure 19 Open system authentication process
- Shared key authentication: Figure 20 shows a shared key authentication process. The two parties have the same shared key configured. Shared key authentication uses the following process:
a. The client sends an authentication request to the AP.
b. The AP randomly generates a challenge and sends it to the client.
c. The client uses the shared key to encrypt the challenge and sends the encrypted challenge to the AP.
d. The AP uses the shared key to decrypt the response received from the client and compares the result with the challenge. If they are identical, the client passes the authentication. If not, the authentication fails.

Figure 20 Shared key authentication process

WLAN data security
WLAN networks are more susceptible to attacks than wired networks because all WLAN devices share the same medium and every device can receive data from any other sending device. Plain-text data is transmitted over the WLAN if there is no security service. To secure data transmission, the protocols provide encryption methods to ensure that devices without the correct key cannot read encrypted data.
1. WEP encryption
Wired Equivalent Privacy (WEP) protects data exchanged among authorized users in a wireless LAN from casual eavesdropping. WEP uses RC4 encryption (a stream cipher) for confidentiality. WEP encryption is either static or dynamic, depending on how the WEP key is generated.
- Static WEP encryption: With static WEP encryption, all clients using the same SSID must use the same encryption key. If the encryption key is deciphered or lost, attackers can decrypt all the data they receive. In addition, periodic manual key updates bring a great management workload to administrators.
- Dynamic WEP encryption: With dynamic WEP encryption, WEP keys are negotiated between the client and the server through the 802.1X protocol, so that each client is assigned a different WEP key. The keys can be updated periodically to further improve unicast frame transmission security.
Although WEP encryption increases the difficulty of network interception and session hijacking, it still has weaknesses due to limitations of the RC4 encryption algorithm and static key configuration.
2. TKIP encryption
Temporal Key Integrity Protocol (TKIP) and WEP both use the RC4 algorithm, but TKIP has several advantages over WEP and provides more secure protection for the WLAN:
- TKIP provides longer IVs to enhance encryption security. Compared with WEP encryption, TKIP encryption uses a 128-bit RC4 key and increases the length of IVs from 24 bits to 48 bits.
- TKIP allows for dynamic key negotiation to avoid static key configuration. TKIP replaces a single static key with a base key generated by an authentication server. TKIP dynamic keys cannot be easily deciphered.

- TKIP offers MIC and countermeasures. If a packet fails the MIC, the data may have been tampered with, and the system could be under attack. If two packets fail the MIC in a specified period, the AP automatically takes countermeasures. For example, the AP does not provide services for a specified period to prevent attacks.
3. AES-CCMP encryption
CTR with CBC-MAC Protocol (CCMP) is based on the CCM mode of the AES encryption algorithm. CCM combines CTR for confidentiality and CBC-MAC for authentication and integrity. CCM protects the integrity of both the MAC Protocol Data Unit (MPDU) Data field and selected portions of the IEEE 802.11 MPDU header. The AES block algorithm in CCMP uses a 128-bit key and a 128-bit block size. Similarly, CCMP contains a dynamic key negotiation and management method, so that each wireless client can dynamically negotiate a key suite, which can be updated periodically to further enhance the security of the CCMP encryption mechanism. During the encryption process, CCMP uses a 48-bit packet number (PN) to ensure that each encrypted packet uses a different PN, which improves security.

Client access authentication
1. PSK authentication
To implement pre-shared key (PSK) authentication, the client and the authenticator must have the same shared key configured. Otherwise, the client cannot pass PSK authentication.
2. 802.1X authentication
As a port-based access control protocol, 802.1X authenticates and controls devices at the port level. A device that is connected to an 802.1X-enabled port of a WLAN access control device can access the resources on the WLAN only after passing authentication.
3. MAC address authentication
MAC address authentication does not require any client software. The MAC address of a client is compared against a predefined list of allowed MAC addresses. If a match is found, the client passes the authentication and can access the WLAN. If no match is found, the authentication fails and access is denied. The user is not required to enter a username or password. Because a MAC address is sent in the clear and is not a secret, this method identifies devices rather than authenticating users; it is suited to small networks with fixed clients. MAC address authentication can be done locally or through a RADIUS server.
- Local MAC address authentication: A list of usernames and passwords (the MAC addresses of allowed clients) is created on the wireless access device, and the clients are authenticated by the wireless access device. Only clients whose MAC addresses are included in the list can pass the authentication and access the WLAN.
- MAC address authentication through a RADIUS server: The wireless access device serves as the RADIUS client and sends the MAC address of each requesting client to the RADIUS server. If the client passes the authentication on the RADIUS server, the client can access the WLAN within the authorization assigned by the RADIUS server. In this authentication mode, if different domains are defined, the authentication information of different SSIDs is sent to different RADIUS servers based on their domains.
For more information about access authentication, see Security Configuration Guide.

Protocols and standards
- IEEE 802.11, Standard for Information technology - Telecommunications and information exchange between systems - Local and metropolitan area networks - Specific requirements

- WI-FI Protected Access - Enhanced Security Implementation Based On IEEE P802.11i Standard, Aug 2004
- Information technology - Telecommunications and information exchange between systems - Local and metropolitan area networks - Specific requirements, 1999
- IEEE Standard for Local and metropolitan area networks, "Port-Based Network Access Control", 802.1X
- IEEE 802.11i, Standard for Information technology - Telecommunications and information exchange between systems - Local and metropolitan area networks - Specific requirements

Configuring WLAN security
To configure WLAN security in a service template, map the service template to a radio policy, and add radios to the radio policy. The SSID name, advertisement setting (beaconing), and encryption settings are configured in the service template. You can configure an SSID to support any combination of WPA, RSN, and Pre-RSN clients.
Configuration task list
- Enabling an authentication method: Required.
- Configuring the PTK lifetime
- Configuring the GTK rekey method
- Configuring security IE: Required.
- Configuring cipher suite: Required.
- Configuring port security

Enabling an authentication method
You can enable open system authentication, shared key authentication, or both. To enable an authentication method:
Step 1. Enter system view: system-view
Step 2. Enter WLAN service template view: wlan service-template service-template-number crypto

Step 3. Enable the authentication method: authentication-method { open-system | shared-key }
        By default, open system authentication is adopted. Shared key authentication can be adopted only when WEP encryption is used, and you must configure the authentication-method shared-key command. For RSN and WPA, the authentication method must be open system authentication.

Configuring the PTK lifetime
A pairwise transient key (PTK) is generated through a four-way handshake. The handshake uses the pairwise master key (PMK), an AP random value (ANonce), a station random value (SNonce), the AP's MAC address, and the client's MAC address. To configure the PTK lifetime:
Step 1. Enter system view: system-view
Step 2. Enter WLAN service template view: wlan service-template service-template-number crypto
Step 3. Configure the PTK lifetime: ptk-lifetime time
        By default, the PTK lifetime is seconds.

Configuring the GTK rekey method
An AC generates a group temporal key (GTK) and sends it to a client during the authentication process between an AP and the client, through the group key handshake or the 4-way handshake. The client uses the GTK to decrypt broadcast and multicast packets. The Robust Security Network (RSN) negotiates the GTK through the 4-way handshake or the group key handshake, and Wi-Fi Protected Access (WPA) negotiates the GTK only through the group key handshake.
The following GTK rekey methods can be configured:
- Time-based GTK rekey: after the specified interval elapses, GTK rekey occurs.
- Packet-based GTK rekey: after the specified number of packets is sent, GTK rekey occurs.
By default, time-based GTK rekey is adopted, and the rekey interval is seconds. Configuring a new GTK rekey method overwrites the previous GTK rekey method. For example, if time-based GTK rekey is configured after packet-based GTK rekey, time-based GTK rekey takes effect. You can also configure the device to start GTK rekey when a client goes offline.
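How the PTK described under "Configuring the PTK lifetime" is actually derived, as an added Python example that is not part of the HP guide: the port-security pre-shared key (an 8 to 63 character pass-phrase or a 64-digit hex raw key) becomes the PMK, and the PMK, both MAC addresses and both nonces become the PTK through the IEEE 802.11i PRF. It goes slightly beyond the PSK case: with 802.1X the PMK comes from the EAP exchange instead of PBKDF2, and the PTK step is identical. The MAC addresses, nonces and pass-phrase in the demo are constructed values.

```python
"""Added example (not from the HP guide): PMK and PTK derivation for an
RSN (WPA2) service template, as used in the 4-way handshake.

  PMK = PBKDF2-HMAC-SHA1(pass-phrase, SSID, 4096 iterations, 32 bytes)
  PTK = PRF-384(PMK, "Pairwise key expansion",
                min(AA, SPA) || max(AA, SPA) || min(ANonce, SNonce) || max(ANonce, SNonce))

AA is the AP's MAC address and SPA the client's; ANonce and SNonce are the
random values exchanged in the handshake.  The MAC addresses, nonces and
pass-phrase used below are constructed sample values.
"""
import hashlib
import hmac
import re

PTK_LABEL = b"Pairwise key expansion"


def pmk_from_psk(psk: str, ssid: str) -> bytes:
    """Map a port-security preshared-key value to the 256-bit PMK.

    A pass-phrase of 8 to 63 characters is stretched with PBKDF2 (4096
    rounds, salted with the SSID); a 64-digit hex raw-key is the PMK itself.
    """
    if re.fullmatch(r"[0-9a-fA-F]{64}", psk):
        return bytes.fromhex(psk)
    if not 8 <= len(psk) <= 63:
        raise ValueError("pass-phrase must be 8 to 63 characters or 64 hex digits")
    return hashlib.pbkdf2_hmac("sha1", psk.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)
    for i = 0, 1, ... until nbytes of output are available."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
               nbytes: int = 48) -> bytes:
    """PTK for CCMP (48 bytes: KCK || KEK || TK).  Both sides order the inputs
    with min/max, so AP and client compute the same key from the same data."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, PTK_LABEL, data, nbytes)


def split_ptk(ptk: bytes) -> dict:
    """KCK protects EAPOL-Key MICs, KEK wraps the GTK, TK encrypts data frames."""
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def rekey_changes_tk(pmk, aa, spa, anonce1, snonce1, anonce2, snonce2) -> bool:
    """What the ptk-lifetime timer buys: a fresh 4-way handshake with new nonces
    yields a new TK even though the PMK (and the pass-phrase) is unchanged."""
    tk1 = split_ptk(derive_ptk(pmk, aa, spa, anonce1, snonce1))["tk"]
    tk2 = split_ptk(derive_ptk(pmk, aa, spa, anonce2, snonce2))["tk"]
    return tk1 != tk2


if __name__ == "__main__":
    import os
    pmk = pmk_from_psk("psk-example-pass", "psktest")   # constructed pass-phrase and SSID
    aa = bytes.fromhex("00a0c9000001")                  # constructed AP MAC address
    spa = bytes.fromhex("00a0c9000002")                 # constructed client MAC address
    anonce, snonce = os.urandom(32), os.urandom(32)     # fresh nonces, as in a real handshake
    for name, k in split_ptk(derive_ptk(pmk, aa, spa, anonce, snonce)).items():
        print(f"{name}: {k.hex()}")
```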

Configuring GTK rekey based on time
Step 1. Enter system view: system-view
Step 2. Enter WLAN service template view: wlan service-template service-template-number crypto
Step 3. Enable GTK rekey: gtk-rekey enable
        By default, GTK rekey is enabled.
Step 4. Configure the GTK rekey interval: gtk-rekey method time-based [ time ]
        By default, the interval is seconds.
Step 5. Configure the device to start GTK rekey when a client goes offline: gtk-rekey client-offline enable
        By default, the device does not start GTK rekey when a client goes offline. This command takes effect only when the gtk-rekey enable command is configured.

Configuring GTK rekey based on packet
Step 1. Enter system view: system-view
Step 2. Enter WLAN service template view: wlan service-template service-template-number crypto
Step 3. Enable GTK rekey: gtk-rekey enable
        By default, GTK rekey is enabled.
Step 4. Configure GTK rekey based on packet: gtk-rekey method packet-based [ packet ]
        The default packet number is
Step 5. Configure the device to start GTK rekey when a client goes offline: gtk-rekey client-offline enable
        By default, the device does not start GTK rekey when a client goes offline. This command takes effect only when the gtk-rekey enable command is configured.

Configuring security IE
WPA ensures greater protection than WEP. WPA operates in either WPA-PSK (Personal) mode or WPA-802.1X (Enterprise) mode. In Personal mode, a pre-shared key or pass-phrase is used for authentication. In Enterprise mode, 802.1X, RADIUS servers, and EAP are used for authentication.
Configuring WPA security IE

Step 1. Enter system view: system-view
Step 2. Enter WLAN service template view: wlan service-template service-template-number crypto
Step 3. Enable the WPA IE in beacon and probe response frames: security-ie wpa
        By default, WPA-IE is disabled.

Configuring RSN security IE
An RSN is a security network that only allows the creation of robust security network associations (RSNAs). An RSN can be identified by the indication in the RSN Information Element (IE) of beacon frames. It provides greater protection than WEP and WPA.
Step 1. Enter system view: system-view
Step 2. Enter WLAN service template view: wlan service-template service-template-number crypto
Step 3. Enable the RSN IE in beacon and probe response frames: security-ie rsn
        By default, RSN-IE is disabled.

Configuring cipher suite
A cipher suite is used for data encapsulation and de-encapsulation. The following encryption methods are available:
- WEP40/WEP104/WEP128
- TKIP
- AES-CCMP

Configuring WEP cipher suite
1. Configure static WEP encryption:
The WEP encryption mechanism requires that the authenticator and the clients on a WLAN have the same key configured. WEP adopts the RC4 algorithm (a stream cipher) and supports WEP40, WEP104, and WEP128 keys. You can use WEP with either open system or shared key authentication:
- In open system authentication mode, the WEP key is used for encryption only, not for authentication. A client can access the network without having the same key as the authenticator. However, if the receiver has a different key from the sender, it discards the packets received from the sender.
- In shared key authentication mode, the WEP key is used for both encryption and authentication. If the key of a client is different from that of the authenticator, the client cannot pass the authentication and its access is denied.
To configure static WEP encryption:

Step 1. Enter system view: system-view
Step 2. Enter WLAN service template view: wlan service-template service-template-number crypto
Step 3. Enable the WEP cipher suite: cipher-suite { wep40 | wep104 | wep128 }
        By default, no cipher suite is selected.
Step 4. Configure the WEP default key: wep default-key { } { wep40 | wep104 | wep128 } { pass-phrase | raw-key } [ cipher | simple ] key
        By default, the WEP default key index number is 1.
Step 5. Specify a key index number: wep key-id { }
        By default, the key index number is 1.
2. Configure dynamic WEP encryption:
Step 1. Enter system view: system-view
Step 2. Enter WLAN service template view: wlan service-template service-template-number crypto
Step 3. Enable dynamic WEP encryption: wep mode dynamic
        By default, static WEP encryption is adopted. Dynamic WEP encryption must be used together with 802.1X authentication. With dynamic WEP encryption configured, the device automatically uses the WEP104 cipher suite. To change the encryption method, use the cipher-suite command.
Step 4. Enable the WEP cipher suite: cipher-suite { wep40 | wep104 | wep128 }
Step 5. Configure the WEP default key: wep default-key { } { wep40 | wep104 | wep128 } { pass-phrase | raw-key } [ cipher | simple ] key
        By default, no WEP default key is configured. If a WEP default key is configured, it is used to encrypt multicast frames. If not, the device randomly generates a multicast WEP key.
Step 6. Specify a key index number: wep key-id { }
        By default, the key index number is 1. For dynamic WEP encryption, the WEP key ID cannot be configured as 4.

Configuring TKIP cipher suite
Message integrity check (MIC) is used to prevent attackers from modifying data. It ensures data integrity by using the Michael algorithm. When a MIC error occurs, the device considers that the data has been modified and the system is under attack. Upon detecting the attack, TKIP is suspended during the countermeasure interval and no TKIP associations can be established.
The operating mode cannot be negotiated as 802.11n when clients that use the TKIP cipher suite associate with an AP supporting 802.11n.
To configure TKIP cipher suite:
Step 1. Enter system view: system-view
Step 2. Enter WLAN service template view: wlan service-template service-template-number crypto
Step 3. Enable the TKIP cipher suite: cipher-suite tkip
        By default, no cipher suite is selected.
Step 4. Configure the TKIP countermeasure interval: tkip-cm-time time
        The default countermeasure interval is 0 seconds, which means that no countermeasures are taken.

Configuring AES-CCMP cipher suite
Step 1. Enter system view: system-view
Step 2. Enter WLAN service template view: wlan service-template service-template-number crypto
Step 3. Enable the CCMP cipher suite: cipher-suite ccmp
        By default, no cipher suite is selected.

Configuring port security
The authentication type configuration includes the following options:
- PSK
- 802.1X
- MAC
- PSK and MAC
This document describes only common port security modes. For more information about other port security modes, see Security Configuration Guide. Before configuring port security, create the wireless port and enable port security.
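An added consistency check, not from the HP guide, that applies the rules stated in the authentication-method, WEP, TKIP and port security sections (shared key only with WEP, open system for WPA/RSN, dynamic WEP only with 802.1X and never key ID 4, TKIP blocking 802.11n, PSK mode needing 11key negotiation and a pre-shared key of 8 to 63 characters) to Comware-style configuration text such as the map.cfg snippets in this chapter. The sample configuration is constructed, and the checker's function names are our own.

```python
"""Added example, not from the HP guide: applies the rules this chapter states
(authentication method vs. cipher suite, dynamic WEP, TKIP, PSK settings) to
Comware-style configuration text such as the map.cfg snippets above. The
commands it recognises are documented on this page; the check logic is ours."""
import re

WEP_SUITES = {"wep40", "wep104", "wep128"}
DOT1X_MODES = {"userlogin-secure", "userlogin-secure-ext"}
PSK_MODES = {"psk", "mac-and-psk"}

# Constructed sample: a crypto template stacking combinations the guide rules out.
BAD_CONFIG = """\
wlan service-template 2 crypto
 bind wlan-ess 2
 authentication-method shared-key
 security-ie wpa
 cipher-suite tkip
 wep mode dynamic
 wep key-id 4
interface WLAN-ESS 2
 port-security port-mode psk
"""


def parse_config(text):
    """Return (templates, interfaces) with the sub-commands of each block."""
    templates, interfaces, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = re.match(r"wlan service-template (\d+) (clear|crypto)$", line)
        if m:
            current = templates.setdefault(m.group(1), {"type": m.group(2), "cmds": []})
            continue
        m = re.match(r"interface wlan-ess ?(\d+)$", line, re.IGNORECASE)
        if m:
            current = interfaces.setdefault(m.group(1), {"cmds": []})
            continue
        if line.startswith(" ") and current is not None:
            current["cmds"].append(line.strip())  # one-space indented sub-command
        else:
            current = None  # '#', blank, or an untracked top-level command
    return templates, interfaces


def arg(cmds, prefix, index=1, default=None):
    """Argument `index` of the first command that starts with `prefix`."""
    for c in cmds:
        if c.startswith(prefix):
            return c.split()[index]
    return default


def check_interface(name, cmds):
    """Findings for one WLAN-ESS interface, plus its port-security modes."""
    findings, tag = [], f"WLAN-ESS {name}"
    modes = {c.split()[2] for c in cmds if c.startswith("port-security port-mode ")}
    if modes & PSK_MODES:
        if "port-security tx-key-type 11key" not in cmds:
            findings.append(f"{tag}: PSK mode needs key negotiation (tx-key-type 11key)")
        if not any(c.startswith("port-security preshared-key") for c in cmds):
            findings.append(f"{tag}: PSK mode but no pre-shared key configured")
    for c in cmds:  # plain-text pass-phrase: 8 to 63 characters (encrypted form not checked)
        m = re.match(r"port-security preshared-key pass-phrase (?:simple )?(\S+)$", c)
        if m and not 8 <= len(m.group(1)) <= 63:
            findings.append(f"{tag}: pass-phrase must be 8 to 63 characters")
    return findings, modes


def check(text):
    """Return a list of findings for the configuration text (empty = clean)."""
    templates, interfaces = parse_config(text)
    findings, if_modes = [], {}
    for name, i in interfaces.items():
        f, if_modes[name] = check_interface(name, i["cmds"])
        findings += f
    for num, t in templates.items():
        if t["type"] != "crypto":
            continue  # clear templates carry no encryption settings
        cmds, tag = t["cmds"], f"service-template {num}"
        suites = {c.split()[1] for c in cmds if c.startswith("cipher-suite ")}
        ies = {c.split()[1] for c in cmds if c.startswith("security-ie ")}
        auth = arg(cmds, "authentication-method ", default="open-system")
        dynamic_wep = "wep mode dynamic" in cmds
        bound = arg(cmds, "bind ", index=-1)
        modes = if_modes.get(bound, set())
        if not suites:
            findings.append(f"{tag}: no cipher-suite selected (none by default)")
        if auth == "shared-key" and not suites & WEP_SUITES:
            findings.append(f"{tag}: shared-key authentication is valid only with WEP")
        if ies and auth != "open-system":
            findings.append(f"{tag}: WPA/RSN require open-system authentication")
        if dynamic_wep and not modes & DOT1X_MODES:
            findings.append(f"{tag}: dynamic WEP requires 802.1X on WLAN-ESS {bound}")
        if dynamic_wep and arg(cmds, "wep key-id ", index=2) == "4":
            findings.append(f"{tag}: WEP key ID 4 is not allowed with dynamic WEP")
        if "tkip" in suites:
            findings.append(f"{tag}: TKIP clients cannot negotiate 802.11n")
    return findings
```

Running check(BAD_CONFIG) lists seven findings, two for the interface and five for the template; a template that follows the PSK example in this chapter (RSN, CCMP, open system, 11key and a pass-phrase on the bound interface) returns an empty list.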

Configuring PSK authentication
Step 1. Enter system view: system-view
Step 2. Enter WLAN-ESS interface view: interface wlan-ess interface-number
Step 3. Enable key negotiation: port-security tx-key-type 11key
        By default, key negotiation is not enabled.
Step 4. Configure the pre-shared key: port-security preshared-key { pass-phrase | raw-key } [ cipher | simple ] key
        By default, no pre-shared key is configured.
Step 5. Enable the PSK port security mode: port-security port-mode psk

Configuring 802.1X authentication
Step 1. Enter system view: system-view
Step 2. Enter WLAN-ESS interface view: interface wlan-ess interface-number
Step 3. Enable the 802.1X port security mode: port-security port-mode { userlogin-secure | userlogin-secure-ext }

Configuring MAC address authentication
802.11i does not support MAC address authentication. To configure MAC address authentication:
Step 1. Enter system view: system-view
Step 2. Enter WLAN-ESS interface view: interface wlan-ess interface-number
Step 3. Enable the MAC port security mode: port-security port-mode mac-authentication

Configuring PSK and MAC address authentication
For more information about port security configuration commands, see Security Configuration Guide. To configure PSK and MAC address authentication:
Step 1. Enter system view: system-view
Step 2. Enter WLAN-ESS interface view: interface wlan-ess interface-number
Step 3. Enable key negotiation: port-security tx-key-type 11key
        By default, key negotiation is not enabled.

62 4. Enable the PSK and MAC port security mode. port-security port-mode mac-and-psk N/A 5. Configure the pre-shared key. port-security preshared-key { pass-phrase raw-key } key The key is a string of 8 to 63 characters, or a 64-digit hex number. Displaying and maintaining WLAN security For more information about related display commands, see Security Command Reference. Task Command Remarks Display WLAN service template information. Display client information. Display MAC address authentication information. Display the MAC address information of port security. Display the PSK user information of port security. Display the configuration information, running state and statistics of port security. Display 802.1X session information or statistics. display wlan service-template [ service-template-number ] [ { begin exclude include } regular-expression ] display wlan client { ap ap-name [ radio radio-number ] mac-address mac-address service-template service-template-number } [ verbose ] [ { begin exclude include } regular-expression ] display mac-authentication [ interface interface-list ] [ { begin exclude include } regular-expression ] display port-security mac-address security [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ] [ { begin exclude include } regular-expression ] display port-security preshared-key user [ interface interface-type interface-number ] [ { begin exclude include } regular-expression ] display port-security [ interface interface-list ] [ { begin exclude include } regular-expression ] display dot1x [ sessions statistics ] [ interface interface-list ] [ { begin exclude include } regular-expression ] Available in any view. Available in any view. Available in any view. Available in any view. Available in any view. Available in any view. Available in any view. WLAN security configuration examples The configuration examples were created on the 10500/ G unified wired-wlan module and may vary with device models. 
When configuring the 10500/ G unified wired-wlan module, make sure the settings are correct (including VLAN settings) on the internal Ethernet interface that connects the module to the switch. For more information, see HP & G Unified Wired-WLAN Module Fundamentals Configuration Guide.

By default, the aggregate interfaces between the access controller engine and the switching engine on an 830 switch are Access interfaces in VLAN 1. When configuring the two aggregate interfaces, make sure their permitted VLANs are the same. HP also recommends setting their link type to be the same.

PSK authentication configuration example
Network requirements
As shown in Figure 21, an AC is connected to an AP through a Layer 2 switch, and they are in the same network. Perform PSK authentication with key on the client.
Figure 21 Network diagram
Configuration procedure
1. Configure the AC:
# Configure port security.
<AC> system-view
[AC] port-security enable
# Configure WLAN port security, configure the authentication mode as PSK, and the pre-shared key as
[AC] interface wlan-ess 10
[AC-WLAN-ESS10] port-security port-mode psk
[AC-WLAN-ESS10] port-security preshared-key pass-phrase
[AC-WLAN-ESS10] port-security tx-key-type 11key
[AC-WLAN-ESS10] quit
# Create service template 10 of crypto type, configure its SSID as psktest, and bind WLAN-ESS10 to service template 10.
[AC] wlan service-template 10 crypto
[AC-wlan-st-10] ssid psktest
[AC-wlan-st-10] bind WLAN-ESS 10
[AC-wlan-st-10] security-ie rsn
[AC-wlan-st-10] cipher-suite ccmp
[AC-wlan-st-10] authentication-method open-system
[AC-wlan-st-10] service-template enable
[AC-wlan-st-10] quit
# Create an AP template named ap1, select the model MSM460-WW, and configure the serial ID of the AP as CN2AD330S8.
[AC] wlan ap ap1 model MSM460-WW
[AC-wlan-ap-ap1] serial-id CN2AD330S8
# Bind service template 10 to radio 1.
[AC-wlan-ap-ap1] radio 1 type dot11an
[AC-wlan-ap-ap1-radio-1] service-template 10
[AC-wlan-ap-ap1-radio-1] radio enable
2. Verify the configuration:

Configure the same PSK key on the client. After that, the client can associate with the AP and access the WLAN. You can use the display wlan client verbose command and the display port-security preshared-key user command to view the online clients.

MAC and PSK authentication configuration example
Network requirements
Perform MAC and PSK authentication on the client.
Figure 22 Network diagram
Configuring the AC
# Enable port security.
<AC> system-view
[AC] port-security enable
# Configure WLAN port security, using MAC-and-PSK authentication.
[AC] interface wlan-ess 2
[AC-WLAN-ESS2] port-security port-mode mac-and-psk
[AC-WLAN-ESS2] port-security tx-key-type 11key
[AC-WLAN-ESS2] port-security preshared-key pass-phrase
[AC-WLAN-ESS2] quit
# Create service template 2 of crypto type, configure its SSID as mactest, and bind WLAN-ESS2 to service template 2.
[AC] wlan service-template 2 crypto
[AC-wlan-st-2] ssid mactest
[AC-wlan-st-2] bind wlan-ess 2
[AC-wlan-st-2] authentication-method open-system
[AC-wlan-st-2] cipher-suite ccmp
[AC-wlan-st-2] security-ie rsn
[AC-wlan-st-2] service-template enable
[AC-wlan-st-2] quit
# Create an AP template named ap1, select the model MSM460-WW, and configure the serial ID of the AP as CN2AD330S8.
[AC] wlan ap ap1 model MSM460-WW

[AC-wlan-ap-ap1] serial-id CN2AD330S8
# Bind service template 2 to radio 1.
[AC-wlan-ap-ap1] radio 1 type dot11an
[AC-wlan-ap-ap1-radio-1] service-template 2
[AC-wlan-ap-ap1-radio-1] radio enable
[AC-wlan-ap-ap1-radio-1] quit
[AC-wlan-ap-ap1] quit
# Create a RADIUS scheme rad, and specify the extended RADIUS server type.
[AC] radius scheme rad
[AC-radius-rad] server-type extended
# Configure the IP addresses of the primary authentication server and accounting server as
[AC-radius-rad] primary authentication
[AC-radius-rad] primary accounting
# Configure the shared key for RADIUS authentication/accounting packets as
[AC-radius-rad] key authentication
[AC-radius-rad] key accounting
[AC-radius-rad] user-name-format without-domain
[AC-radius-rad] quit
# Configure AAA domain cams by referencing RADIUS scheme rad.
[AC] domain cams
[AC-isp-cams] authentication lan-access radius-scheme rad
[AC-isp-cams] authorization lan-access radius-scheme rad
[AC-isp-cams] accounting lan-access radius-scheme rad
[AC-isp-cams] quit
# Configure the MAC address authentication domain by referencing AAA domain cams.
[AC] mac-authentication domain cams
# Configure the MAC address authentication user name format, using MAC addresses without hyphens as the username and password (consistent with the format on the server).
[AC] mac-authentication user-name-format mac-address without-hyphen
Configuring the RADIUS server on IMC 5.1
This section uses IMC PLAT 5.1 SP1 (E0202P05) and IMC UAM 5.1 (E0301).
1. Add the AC to the IMC Platform as an access device:
a. Log in to IMC, click the Service tab, and then select User Access Manager > Access Device Management > Access Device from the navigation tree. The Access Device page appears.
b. Click Add. The Add Access Device page appears, as shown in Figure 23.
c. In the Access Configuration area, enter as the Shared Key and select HP(General) from the Access Device Type list, keep the default values for other parameters, select or manually add the access device with the IP address , and click OK.

Figure 23 Adding an access device
2. Add a service:
a. Click the Service tab and select User Access Manager > Service Configuration from the navigation tree. The Service Configuration page appears.
b. Click Add. The Add Service Configuration page appears, as shown in Figure 24.
c. Set the service name to mac, keep the default values for other parameters, and click OK.
Figure 24 Adding a service
3. Add an account:
a. Click the User tab, and then select Access User View > All Access Users from the navigation tree. The All Access User page appears.
b. Click Add. The Add Access User page appears, as shown in Figure 25.
c. In the Access Information area, enter username 00146c8a43ff, set the account name and password both to 00146c8a43ff, select the service mac, and click OK.

Figure 25 Adding an access user account
Verifying the configuration
After the client passes the MAC address authentication, the client can associate with the AP and access the WLAN. You can use the display wlan client verbose command, the display connection command, and the display mac-authentication command to view the online clients.

802.1X authentication configuration example
Network requirements
As shown in Figure 26, perform 802.1X authentication on the client.
Figure 26 Network diagram
Configuring the AC
# Enable port security.
<AC> system-view
[AC] port-security enable
# Configure the 802.1X authentication mode as EAP.
[AC] dot1x authentication-method eap

# Create a RADIUS scheme rad, and specify the extended RADIUS server type.
[AC] radius scheme rad
[AC-radius-rad] server-type extended
# Configure the IP addresses of the primary authentication server and accounting server as
[AC-radius-rad] primary authentication
[AC-radius-rad] primary accounting
# Configure the shared key for RADIUS authentication/accounting packets as
[AC-radius-rad] key authentication
[AC-radius-rad] key accounting
[AC-radius-rad] user-name-format without-domain
[AC-radius-rad] quit
# Configure AAA domain cams by referencing RADIUS scheme rad.
[AC] domain cams
[AC-isp-cams] authentication lan-access radius-scheme rad
[AC-isp-cams] authorization lan-access radius-scheme rad
[AC-isp-cams] accounting lan-access radius-scheme rad
[AC-isp-cams] quit
# Specify a mandatory 802.1X authentication domain on the interface WLAN-ESS 1.
[AC] interface WLAN-ESS 1
[AC-WLAN-ESS1] dot1x mandatory-domain cams
# Set the port mode for WLAN-ESS 1 to userlogin-secure-ext, and enable key negotiation.
[AC-WLAN-ESS1] port-security port-mode userlogin-secure-ext
[AC-WLAN-ESS1] port-security tx-key-type 11key
# Disable the multicast trigger function and the online user handshake function.
[AC-WLAN-ESS1] undo dot1x multicast-trigger
[AC-WLAN-ESS1] undo dot1x handshake
[AC-WLAN-ESS1] quit
# Create service template 1 of crypto type, configure its SSID as dot1x, and configure the tkip and ccmp cipher suites.
[AC] wlan service-template 1 crypto
[AC-wlan-st-1] ssid dot1x
[AC-wlan-st-1] bind WLAN-ESS 1
[AC-wlan-st-1] authentication-method open-system
[AC-wlan-st-1] cipher-suite tkip
[AC-wlan-st-1] cipher-suite ccmp
[AC-wlan-st-1] security-ie rsn
[AC-wlan-st-1] security-ie wpa
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
# Create an AP template named ap1, select the model MSM460-WW, and configure the serial ID of the AP as CN2AD330S8.
[AC] wlan ap ap1 model MSM460-WW
[AC-wlan-ap-ap1] serial-id CN2AD330S8
# Bind service template 1 to radio 1.
[AC-wlan-ap-ap1] radio 1 type dot11an

[AC-wlan-ap-ap1-radio-1] service-template 1
[AC-wlan-ap-ap1-radio-1] radio enable
Configuring the RADIUS server on IMC 5.1
This section uses IMC PLAT 5.1 SP1 (E0202P05) and IMC UAM 5.1 (E0301).
1. Add the AC to the IMC Platform as an access device:
a. Log in to IMC, click the Service tab, and then select User Access Manager > Access Device Management > Access Device from the navigation tree. The Access Device page appears.
b. Click Add. The Add Access Device page appears, as shown in Figure 27.
c. In the Access Configuration area, enter as the Shared Key and select HP(General) from the Access Device Type list, keep the default values for other parameters, select or manually add the access device with the IP address , and click OK.
Figure 27 Adding an access device
2. Add a service:
a. Click the Service tab and select User Access Manager > Service Configuration from the navigation tree. The Service Configuration page appears.
b. Click Add. The Add Service Configuration page appears, as shown in Figure 28.
c. Set the service name to dot1x, set the Certificate Type to EAP-PEAP AuthN and the Certificate Sub Type to MS-CHAPV2 AuthN, and click OK.

Figure 28 Adding a service
3. Add an account:
a. Click the User tab, and then select Access User View > All Access Users from the navigation tree. The All Access User page appears.
b. Click Add. The Add Access User page appears, as shown in Figure 29.
c. In the Access Information area, enter username user, set the account name to user and the password to dot1x, select the service dot1x, and click OK.
Figure 29 Adding an access user account
Configuring the wireless card (for Windows XP)
1. Double-click the icon at the bottom right corner of your desktop. The Wireless Network Connection Status window appears.

2. Click the Properties button in the General tab. The Wireless Network Connection Properties window appears.
3. In the Wireless Networks tab, select the wireless network with the SSID dot1x, and then click Properties. The dot1x Properties window appears. See Figure 30.
4. In the Authent
ication tab, select Protected EAP (PEAP) from the EAP type list, and click Properties.
5. In the popup window, clear Validate server certificate, and click Configure. See Figure 31.
6. In the popup dialog box, clear Automatically use my Windows logon name and password (and domain if any). See Figure 32.

Figure 30 Configuring the wireless card (I)

Figure 31 Configuring the wireless card (II)

Figure 32 Configuring the wireless card (III)
Verifying the configuration
1. The client can pass 802.1X authentication and associate with the AP.
2. You can use the display wlan client verbose command, the display connection command, and the display dot1x command to view the online clients.

Dynamic WEP encryption-802.1X authentication configuration example
Network requirements
As shown in Figure 33, perform dynamic WEP encryption.

Figure 33 Network diagram
Configuration procedure
1. Configure the AC:
# Enable port security.
<AC> system-view
[AC] port-security enable
# Configure the 802.1X authentication mode as EAP.
[AC] dot1x authentication-method eap
# Create a RADIUS scheme rad, and specify the extended RADIUS server type.
[AC] radius scheme rad
[AC-radius-rad] server-type extended
# Configure the IP addresses of the primary authentication and accounting servers as
[AC-radius-rad] primary authentication
[AC-radius-rad] primary accounting
# Configure the shared key for RADIUS authentication/accounting as
[AC-radius-rad] key authentication
[AC-radius-rad] key accounting
[AC-radius-rad] user-name-format without-domain
[AC-radius-rad] quit
# Configure AAA domain bbb by referencing RADIUS scheme rad.
[AC] domain bbb
[AC-isp-bbb] authentication lan-access radius-scheme rad
[AC-isp-bbb] authorization lan-access radius-scheme rad
[AC-isp-bbb] accounting lan-access radius-scheme rad
[AC-isp-bbb] quit
# Specify a mandatory 802.1X authentication domain on the interface WLAN-ESS 1.
[AC] interface WLAN-ESS 1
[AC-WLAN-ESS1] dot1x mandatory-domain bbb
# Set the port mode for WLAN-ESS 1 to userlogin-secure-ext.
[AC-WLAN-ESS1] port-security port-mode userlogin-secure-ext
# Disable the multicast trigger function and the online user handshake function.
[AC-WLAN-ESS1] undo dot1x multicast-trigger
[AC-WLAN-ESS1] undo dot1x handshake
[AC-WLAN-ESS1] quit

# Create service template 1 of crypto type, configure its SSID as dot1x, and configure dynamic WEP encryption.
[AC] wlan service-template 1 crypto
[AC-wlan-st-1] ssid dot1x
[AC-wlan-st-1] wep mode dynamic
[AC-wlan-st-1] authentication-method open-system
[AC-wlan-st-1] bind WLAN-ESS 1
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
# Create an AP template named ap1, select the model MSM460-WW, and configure the serial ID of the AP as CN2AD330S8.
[AC] wlan ap ap1 model MSM460-WW
[AC-wlan-ap-ap1] serial-id CN2AD330S8
# Bind service template 1 to radio 1.
[AC-wlan-ap-ap1] radio 1 type dot11an
[AC-wlan-ap-ap1-radio-1] service-template 1
[AC-wlan-ap-ap1-radio-1] radio enable
2. Configure the RADIUS server (IMCv5):
See "Configuring the RADIUS server on IMC 5.1."
3. Configure the wireless card (for Windows XP):
a. Double-click the icon at the bottom right corner of your desktop. The Wireless Network Connection Status window appears.
b. Click the Properties button on the General tab. The Wireless Network Connection Properties window appears.
c. On the Wireless Networks tab, select the wireless network with the SSID dot1x, and click Properties. The dot1x Properties window appears. See Figure 34.
d. On the Authentication tab, select Protected EAP (PEAP) from the EAP type list, and click Properties.
e. In the popup window, clear Validate server certificate, and click Configure. See Figure 35.
f. In the popup dialog box, clear Automatically use my Windows logon name and password (and domain if any). See Figure 36.

Figure 34 Configuring the wireless card (I)

Figure 35 Configuring the wireless card (II)

Figure 36 Configuring the wireless card (III)
Verifying the configuration
After you enter the username user and password dot1x in the popup dialog box, the client can associate with the AP and access the WLAN. You can use the display wlan client verbose command, the display connection command, and the display dot1x command to view online client information.

Supported combinations for ciphers
RSN
This section introduces the combinations that can be used during cipher suite configuration.
For RSN, the WLAN-WSEC module supports only the CCMP and TKIP ciphers as pairwise ciphers; WEP cipher suites are used only as group cipher suites. Below are the cipher suite combinations that WLAN-WSEC supports for RSN (WEP40, WEP104 and WEP128 are mutually exclusive).
Unicast cipher   Broadcast cipher   Authentication method   Security type
CCMP             WEP40              PSK                     RSN
CCMP             WEP104             PSK                     RSN
CCMP             WEP128             PSK                     RSN

Unicast cipher   Broadcast cipher   Authentication method   Security type
CCMP             TKIP               PSK                     RSN
CCMP             CCMP               PSK                     RSN
TKIP             WEP40              PSK                     RSN
TKIP             WEP104             PSK                     RSN
TKIP             WEP128             PSK                     RSN
TKIP             TKIP               PSK                     RSN
CCMP             WEP40              802.1X                  RSN
CCMP             WEP104             802.1X                  RSN
CCMP             WEP128             802.1X                  RSN
CCMP             TKIP               802.1X                  RSN
CCMP             CCMP               802.1X                  RSN
TKIP             WEP40              802.1X                  RSN
TKIP             WEP104             802.1X                  RSN
TKIP             WEP128             802.1X                  RSN
TKIP             TKIP               802.1X                  RSN

WPA
For WPA, the WLAN-WSEC module supports the CCMP and TKIP ciphers as pairwise ciphers; WEP cipher suites are used only as group cipher suites. Below are the cipher suite combinations that WLAN-WSEC supports for WPA (WEP40, WEP104 and WEP128 are mutually exclusive).
Unicast cipher   Broadcast cipher   Authentication method   Security type
CCMP             WEP40              PSK                     WPA
CCMP             WEP104             PSK                     WPA
CCMP             WEP128             PSK                     WPA
CCMP             TKIP               PSK                     WPA
CCMP             CCMP               PSK                     WPA
TKIP             WEP40              PSK                     WPA
TKIP             WEP104             PSK                     WPA
TKIP             WEP128             PSK                     WPA
TKIP             TKIP               PSK                     WPA
CCMP             WEP40              802.1X                  WPA
CCMP             WEP104             802.1X                  WPA
CCMP             WEP128             802.1X                  WPA
CCMP             TKIP               802.1X                  WPA
CCMP             CCMP               802.1X                  WPA
TKIP             WEP40              802.1X                  WPA

Unicast cipher   Broadcast cipher   Authentication method   Security type
TKIP             WEP104             802.1X                  WPA
TKIP             WEP128             802.1X                  WPA
TKIP             TKIP               802.1X                  WPA

Pre-RSN
For Pre-RSN stations, the WLAN-WSEC module supports only WEP cipher suites (WEP40, WEP104 and WEP128 are mutually exclusive).
Unicast cipher   Broadcast cipher   Authentication method   Security type
WEP40            WEP40              Open system             no Sec Type
WEP104           WEP104             Open system             no Sec Type
WEP128           WEP128             Open system             no Sec Type
WEP40            WEP40              Shared key              no Sec Type
WEP104           WEP104             Shared key              no Sec Type
WEP128           WEP128             Shared key              no Sec Type
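The rules this chapter states for WLAN-ESS port security and crypto service templates (key negotiation off by default, the pre-shared key length rule, and the RSN/WPA pairwise-versus-group cipher rule behind the tables above) can be applied mechanically to a configuration snippet. The following auditor is an added example, not HP code; the snippet it checks is constructed, and its SSID, pass-phrase and interface numbers are placeholders.

```python
"""Audit a Comware WLAN security snippet against the rules this chapter states.
Added example, not HP code. Prompts such as "[AC-WLAN-ESS10]" are stripped, so the
chapter's examples can be pasted as-is; the checks follow the guide's own rules.
"""
import re

PAIRWISE_OK = {"ccmp", "tkip"}
LEGACY = {"tkip", "wep40", "wep104", "wep128"}               # reported as info only
NEED_11KEY = {"psk", "mac-and-psk", "userlogin-secure-ext"}  # port modes that do key exchange
NEED_PSK = {"psk", "mac-and-psk"}
PROMPT = re.compile(r"^(<[^>]*>|\[[^\]]*\])\s*")


def parse_wlan_config(text):
    """Return ({wlan-ess number: settings}, {service-template number: settings})."""
    ess, st, view = {}, {}, None
    for raw in text.splitlines():
        tok = PROMPT.sub("", raw.strip()).split()
        if not tok or tok[0].startswith("#"):
            continue
        if tok[0] in ("quit", "return"):
            view = None
        elif tok[0] == "interface" and len(tok) > 2 and tok[1].lower() == "wlan-ess":
            view = ess.setdefault(tok[2], {"mode": None, "key_neg": False, "psk": None})
        elif tok[:2] == ["wlan", "service-template"]:
            view = st.setdefault(tok[2], {"type": None, "bind": None, "ie": set(),
                                          "ciphers": set(), "wep_dynamic": False})
            if len(tok) > 3:                                 # "crypto" or "clear"
                view["type"] = tok[3]
        elif view is None:
            continue                                         # AP, radio and RADIUS views are not audited
        elif tok[:2] == ["port-security", "port-mode"]:
            view["mode"] = tok[2]
        elif tok[:2] == ["port-security", "tx-key-type"]:
            view["key_neg"] = tok[2] == "11key"
        elif tok[:2] == ["port-security", "preshared-key"]:
            # port-security preshared-key { pass-phrase | raw-key } [ cipher | simple ] key
            rest = tok[3:]                                   # a cipher-text key cannot be length-checked
            view["psk"] = (tok[2], None if rest[0] == "cipher" else rest[-1]) if rest else None
        elif tok[0] == "bind":
            view["bind"] = tok[2]
        elif tok[0] == "security-ie":
            view["ie"].add(tok[1])
        elif tok[0] == "cipher-suite":
            view["ciphers"].add(tok[1])
        elif tok[:3] == ["wep", "mode", "dynamic"]:
            view["wep_dynamic"] = True
    return ess, st


def psk_ok(form, key):
    """Guide rule: 8 to 63 characters for a pass-phrase, a 64-digit hex number for a raw key."""
    if key is None:
        return True
    if form == "raw-key":
        return re.fullmatch(r"[0-9A-Fa-f]{64}", key) is not None
    return 8 <= len(key) <= 63


def audit(text):
    """Return findings as strings; an empty list means the snippet follows the guide."""
    ess, st = parse_wlan_config(text)
    findings = []
    for num, e in ess.items():
        tag = f"WLAN-ESS {num}"
        if e["mode"] in NEED_11KEY and not e["key_neg"]:
            findings.append(f"{tag}: port-mode {e['mode']} needs 'port-security tx-key-type 11key' (off by default)")
        if e["mode"] in NEED_PSK and e["psk"] is None:
            findings.append(f"{tag}: port-mode {e['mode']} needs a pre-shared key")
        if e["psk"] and not psk_ok(*e["psk"]):
            findings.append(f"{tag}: pre-shared key must be 8 to 63 characters or 64 hex digits")
    for num, t in st.items():
        tag = f"service-template {num}"
        mode = ess.get(t["bind"], {}).get("mode")
        if mode in NEED_11KEY and (t["type"] != "crypto" or not t["ie"]):
            findings.append(f"{tag}: port-mode {mode} needs a crypto template with security-ie rsn or wpa")
        if t["ie"] and not (t["ciphers"] & PAIRWISE_OK):
            findings.append(f"{tag}: RSN/WPA needs ccmp or tkip as the pairwise cipher; WEP suites are group-only")
        legacy = sorted(t["ciphers"] & LEGACY) + (["dynamic WEP"] if t["wep_dynamic"] else [])
        if legacy:
            findings.append(f"{tag}: info: legacy cipher(s) offered: {', '.join(legacy)}")
    return findings


# Constructed snippet modelled on the PSK example, with three mistakes seeded:
# no key negotiation, a short pass-phrase, and a WEP-only cipher suite under RSN.
SAMPLE = """\
[AC] port-security enable
[AC] interface wlan-ess 10
[AC-WLAN-ESS10] port-security port-mode psk
[AC-WLAN-ESS10] port-security preshared-key pass-phrase short
[AC-WLAN-ESS10] quit
[AC] wlan service-template 10 crypto
[AC-wlan-st-10] bind WLAN-ESS 10
[AC-wlan-st-10] security-ie rsn
[AC-wlan-st-10] cipher-suite wep40
[AC-wlan-st-10] service-template enable
[AC-wlan-st-10] quit
"""
```

`audit(SAMPLE)` returns four findings (missing 11key, short key, WEP-only pairwise, legacy info); adding `port-security tx-key-type 11key`, a longer pass-phrase and `cipher-suite ccmp` returns an empty list.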

Configuring IACTP tunnel and WLAN roaming
Support for this feature depends on the device model.
IACTP tunnel
The Inter AC Tunneling Protocol (IACTP) provides a generic packet encapsulation and transport mechanism for ACs to securely communicate with each other. IACTP provides a control tunnel to exchange control messages, and a data tunnel to transmit data packets between ACs. IACTP supports both IPv4 and IPv6. WLAN roaming, AC backup, and AC-BAS collaboration must support IACTP for inter-AC communication.
WLAN roaming overview
WLAN roaming enables clients to roam between ACs in a mobility group or within an AC. ACs in a mobility group communicate with each other through IACTP tunnels. When a client supporting fast roaming associates to one of the ACs in a mobility group for the first time, the AC (called the HA) performs 802.1X authentication and 11 Key exchange for the client. The client information is synchronized across ACs in the mobility group. When this client roams to another AC in the mobility group (called the FA), the FA uses the stored client information to fast authenticate the client, skipping 802.1X authentication and performing only key exchange, and associates with the client.
Terminology
HA: The AC to which a wireless client is connected by associating with an AP for the first time is the HA of the client.
FA: An AC other than the HA to which a client is currently connected is an FA of the client.
Fast-roam client: A wireless client that associates with an AC in the mobility group and supports fast roaming (only key caching is supported).
Roam-out client: A wireless client that has associated with an AC other than the HA in the mobility group is a roam-out client at its HA.
Roam-in client: A wireless client that has associated with an AC other than the HA in the mobility group is a roam-in client at the FA.
Intra-AC roaming: A procedure where a wireless client roams from one AP to another AP. The APs are connected to the same AC.
Inter-AC roaming: A procedure where a wireless client roams from one AP to another AP. The APs are connected to different ACs.
Inter-AC fast roaming capability: If a client uses 802.1X (RSN) authentication through negotiation and supports key caching, this client has inter-AC fast roaming capability.

WLAN roaming topologies
WLAN roaming topologies consist of:
Intra-AC roaming topology
Inter-AC roaming topology
Intra-FA roaming topology
Inter-FA roaming topology
Roam-back topology
Intra-AC roaming
Figure 37 Intra-AC roaming
1. A client is associated with AP 1, which is connected to an AC.
2. The client disassociates with AP 1 and roams to AP 2 connected to the same AC.
3. The client is associated with AP 2 through intra-AC roam association.

Inter-AC roaming
Figure 38 Inter-AC roaming
1. A client is associated with AP 1, which is connected to AC 1.
2. The client disassociates with AP 1 and roams to AP 2 connected to AC 2.
3. The client is associated with AP 2 through inter-AC roam association. Before inter-AC roaming, AC 1 must synchronize the client information with AC 2 through an IACTP tunnel.

Intra-FA roaming
Figure 39 Intra-FA roaming
1. A client associates with AP 1.
2. The client disassociates with AP 1 and roams to AP 2 connected to AC 2. Now AC 2 is the FA for the client.

3. The client is associated with AP 2 through inter-AC roam association. Before inter-AC roaming, AC 1 must synchronize the client information with AC 2 through an IACTP tunnel.
4. The client then disassociates with AP 2 and roams to AP 3, which is also connected to AC 2. The client is associated with AP 3 through intra-FA roam association.

Inter-FA roaming
Figure 40 Inter-FA roaming
1. A client is associated with AP 1, which is connected to AC 1.
2. The client disassociates with AP 1 and roams to AP 2 connected to AC 2. Now AC 2 is the FA for the client.
3. The client is associated with AP 2 through inter-AC roam association.
4. The client then disassociates with AP 2 and roams to AP 3, which is connected to AC 3, which now is its FA. Before inter-AC roaming, AC 1 must synchronize the client information with AC 2 and AC 3 through IACTP tunnels.

Roam-back
Figure 41 Roam-back
1. A client is associated with AP 1, which is connected to AC 1.
2. The client disassociates with AP 1 and roams to AP 3 connected to AC 2. Now AC 2 is the FA for the client.
3. The client is associated with AP 3 through inter-AC roam association. Before inter-AC roaming, AC 1 must synchronize the client information with AC 2 through an IACTP tunnel.
4. The client then disassociates with AP 3 and roams back to AP 2 or AP 1 connected to AC 1, which is its HA.

Configuring a mobility group
Step 1: Enter system view.
  Command: system-view
Step 2: Create a mobility group and enter mobility group view.
  Command: wlan mobility-group name
  Remarks: ACs in the same mobility group must have the same group name.
Step 3: Specify the IACTP tunnel protocol type.
  Command: mobility-tunnel { iactp | iactp6 }
  Remarks: By default, the IACTP tunnel protocol type is IPv4.
Step 4: Specify the tunnel source IP address.
  Command: source { ip ipv4-address | ipv6 ipv6-address }
  Remarks: By default, no source IP address is configured.
Step 5: Add a group member.
  Command: member { ip ipv4-address | ipv6 ipv6-address } [ vlan vlan-id-list ]
  Remarks: By default, no ACs exist in a mobility group.
Step 6: Specify an IACTP control message integrity authentication mode.
  Command: authentication-mode authentication-method [ cipher | simple ] authentication-key
  Remarks: By default, IACTP control message integrity authentication is disabled.

Step 7: Enable the IACTP service for the group.
  Command: mobility-group enable
  Remarks: By default, IACTP service is disabled.
ACs in a mobility group must have the same user profile configurations. For more information about user profiles, see Security Configuration Guide.

Displaying and maintaining WLAN roaming
Task: Display mobility group information.
  Command: display wlan mobility-group [ member { ip IPv4-address | ipv6 IPv6-address } ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display the roam-track information of a client on the HA.
  Command: display wlan client roam-track mac-address mac-address [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display the WLAN client roaming information.
  Command: display wlan client { roam-in | roam-out } [ member { ip IPv4-address | ipv6 IPv6-address } ] [ verbose ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.

WLAN roaming configuration examples
The configuration examples were created on the 10500/ G unified wired-wlan module and may vary with device models.
When configuring the 10500/ G unified wired-wlan module, make sure the settings are correct (including VLAN settings) on the internal Ethernet interface that connects the module to the switch. For more information, see HP & G Unified Wired-WLAN Module Fundamentals Configuration Guide.
By default, the aggregate interfaces between the access controller engine and the switching engine on an 830 switch are Access interfaces in VLAN 1. When configuring the two aggregate interfaces, make sure their permitted VLANs are the same. HP also recommends that you set their link type to be the same.

Intra-AC roaming configuration example
Network requirements
As shown in Figure 42, an AC has two APs associated and all of them are in VLAN 1. A client is associated with AP 1. Configure intra-AC roaming so that the client can associate with AP 2 when roaming to AP 2.

Figure 42 Network diagram
Configuration procedure
For wireless service configuration, see "Configuring WLAN access."
A client has inter-AC fast roaming capability only if it uses 802.1X (RSN) authentication. If you select an authentication mode involving remote authentication, configure the corresponding RADIUS server. For more information, see "Configuring WLAN security."
1. Configure the AC:
# Set the port security mode for WLAN-ESS1 to userlogin-secure-ext, and enable the key negotiation function on the port.
<AC> system-view
[AC] interface wlan-ess 1
[AC-WLAN-ESS1] port-security port-mode userlogin-secure-ext
[AC-WLAN-ESS1] port-security tx-key-type 11key
# Disable the multicast trigger function and the online user handshake function.
[AC-WLAN-ESS1] undo dot1x multicast-trigger
[AC-WLAN-ESS1] undo dot1x handshake
[AC-WLAN-ESS1] quit
# Create service template 1 of crypto type, configure its SSID as intra-roam, and bind WLAN-ESS1 to intra-roam.
[AC] wlan service-template 1 crypto
[AC-wlan-st-1] ssid intra-roam
[AC-wlan-st-1] bind wlan-ess 1
# Enable open system authentication and enable the CCMP cipher suite.
[AC-wlan-st-1] authentication-method open-system
[AC-wlan-st-1] cipher-suite ccmp
[AC-wlan-st-1] security-ie rsn
[AC-wlan-st-1] quit
# Enable port security.
[AC] port-security enable

# Configure the 802.1X authentication method as EAP.
[AC] dot1x authentication-method eap
# Create a RADIUS scheme rad, and specify the extended RADIUS server type.
[AC] radius scheme rad
[AC-radius-rad] server-type extended
# Configure the IP addresses of the primary authentication server and accounting server as
[AC-radius-rad] primary authentication
[AC-radius-rad] primary accounting
# Configure the shared key for RADIUS authentication/accounting packets as
[AC-radius-rad] key authentication
[AC-radius-rad] key accounting
# Configure the source IP address of RADIUS packets sent by the AC as
[AC-radius-rad] nas-ip
[AC-radius-rad] quit
# Create ISP domain cams and configure it to use RADIUS scheme rad for authentication, authorization, and accounting of all types of users.
[AC] domain cams
[AC-isp-cams] authentication default radius-scheme rad
[AC-isp-cams] authorization default radius-scheme rad
[AC-isp-cams] accounting default radius-scheme rad
[AC-isp-cams] quit
# Configure the mandatory authentication domain cams for 802.1X users on WLAN-ESS1.
[AC] interface WLAN-ESS 1
[AC-WLAN-ESS1] dot1x mandatory-domain cams
[AC-WLAN-ESS1] quit
# Create an AP template named ap1, select the model MSM460-WW, and configure the serial ID of the AP as CN2AD330S8.
[AC] wlan ap ap1 model MSM460-WW
[AC-wlan-ap-ap1] serial-id CN2AD330S8
[AC-wlan-ap-ap1] radio 1 type dot11an
# Bind service template 1 to radio 1.
[AC-wlan-ap-ap1-radio-1] service-template 1
[AC-wlan-ap-ap1-radio-1] radio enable
[AC-wlan-ap-ap1-radio-1] quit
[AC-wlan-ap-ap1] quit
# Enable service template 1.
[AC] wlan service-template 1
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
# Create an AP template named ap2, select the model MSM460-WW, and configure the serial ID of the AP as CN2AD330S8.
[AC] wlan ap ap2 model MSM460-WW
[AC-wlan-ap-ap2] serial-id CN2AD330S8
[AC-wlan-ap-ap2] radio 1 type dot11an

# Bind service template 1 to radio 1 of AP 2. (Intra-AC roaming requires consistent SSIDs on different APs. Therefore, radio 1 of AP 2 should be bound to service template 1.)
[AC-wlan-ap-ap2-radio-1] service-template 1
[AC-wlan-ap-ap2-radio-1] radio enable
[AC-wlan-ap-ap2-radio-1] return
2. Verify the configuration:
After the client roams to AP 2, use the display wlan client verbose command to display detailed client information. You should find that the AP name and BSSID fields have changed to those of AP 2. You can also use the display wlan client roam-track mac-address command to view client roaming track information.

Inter-AC roaming configuration example
Network requirements
As shown in Figure 43, configure inter-AC roaming so that the client can associate with AP 2 when roaming to it.
Figure 43 Network diagram
Configuration procedure
For wireless service configuration, see "Configuring WLAN access."
A client has inter-AC fast roaming capability only if it uses 802.1X (RSN) authentication through negotiation. If you select an authentication mode involving remote authentication, configure the corresponding RADIUS server. For more information, see "Configuring WLAN security."
1. Configure AC 1:
# Set the port security mode for WLAN-ESS1 to userlogin-secure-ext, and enable the key negotiation function on the port.

<AC1> system-view
[AC1] interface wlan-ess 1
[AC1-WLAN-ESS1] port-security port-mode userlogin-secure-ext
[AC1-WLAN-ESS1] port-security tx-key-type 11key
# Disable the multicast trigger function and the online user handshake function.
[AC1-WLAN-ESS1] undo dot1x multicast-trigger
[AC1-WLAN-ESS1] undo dot1x handshake
[AC1-WLAN-ESS1] quit
# Create service template 1 of crypto type, configure its SSID as inter-roam, and bind WLAN-ESS1 to inter-roam.
[AC1] wlan service-template 1 crypto
[AC1-wlan-st-1] ssid inter-roam
[AC1-wlan-st-1] bind wlan-ess 1
# Enable open system authentication and enable the CCMP cipher suite.
[AC1-wlan-st-1] authentication-method open-system
[AC1-wlan-st-1] cipher-suite ccmp
[AC1-wlan-st-1] security-ie rsn
[AC1-wlan-st-1] quit
# Enable port security.
[AC1] port-security enable
# Configure the 802.1X authentication method as EAP.
[AC1] dot1x authentication-method eap
# Create a RADIUS scheme rad, and specify the extended RADIUS server type.
[AC1] radius scheme rad
[AC1-radius-rad] server-type extended
# Configure the IP addresses of the primary authentication server and accounting server as
[AC1-radius-rad] primary authentication
[AC1-radius-rad] primary accounting
# Configure the shared key for RADIUS authentication/accounting packets as
[AC1-radius-rad] key authentication
[AC1-radius-rad] key accounting
# Configure the source IP address of RADIUS packets sent by the AC as
[AC1-radius-rad] nas-ip
[AC1-radius-rad] quit
# Configure ISP domain cams to use RADIUS scheme rad for authentication, authorization, and accounting of all types of users.
[AC1] domain cams
[AC1-isp-cams] authentication default radius-scheme rad
[AC1-isp-cams] authorization default radius-scheme rad
[AC1-isp-cams] accounting default radius-scheme rad
[AC1-isp-cams] quit
# Configure the mandatory authentication domain cams for 802.1X users on WLAN-ESS1.
[AC1] interface WLAN-ESS 1
[AC1-WLAN-ESS1] dot1x mandatory-domain cams
[AC1-WLAN-ESS1] quit

# Create an AP template named ap1, select the model MSM460-WW, and configure the serial ID of the AP as CN2AD330S8.
[AC1] wlan ap ap1 model MSM460-WW
[AC1-wlan-ap-ap1] serial-id CN2AD330S8
[AC1-wlan-ap-ap1] radio 1 type dot11an
# Bind service template inter-roam to radio 1.
[AC1-wlan-ap-ap1-radio-1] service-template 1
[AC1-wlan-ap-ap1-radio-1] radio enable
[AC1-wlan-ap-ap1-radio-1] quit
[AC1-wlan-ap-ap1] quit
# Enable service template 1.
[AC1] wlan service-template 1
[AC1-wlan-st-1] service-template enable
[AC1-wlan-st-1] quit
# Create mobility group roam, specify the tunnel source IP as , and specify the IP address for AC 2.
[AC1] wlan mobility-group roam
[AC1-wlan-mg-roam] source ip
[AC1-wlan-mg-roam] member ip
[AC1-wlan-mg-roam] mobility-group enable
2. Configure AC 2:
# Set the port security mode for WLAN-ESS1 to userlogin-secure-ext, and enable the key negotiation function on the port.
<AC2> system-view
[AC2] interface wlan-ess 1
[AC2-WLAN-ESS1] port-security port-mode userlogin-secure-ext
[AC2-WLAN-ESS1] port-security tx-key-type 11key
# Disable the multicast trigger function and the online user handshake function.
[AC2-WLAN-ESS1] undo dot1x multicast-trigger
[AC2-WLAN-ESS1] undo dot1x handshake
[AC2-WLAN-ESS1] quit
# Create service template 1 of crypto type, configure its SSID as inter-roam, and bind WLAN-ESS1 to inter-roam.
[AC2] wlan service-template 1 crypto
[AC2-wlan-st-1] ssid inter-roam
[AC2-wlan-st-1] bind wlan-ess 1
# Enable open system authentication and enable the CCMP cipher suite.
[AC2-wlan-st-1] authentication-method open-system
[AC2-wlan-st-1] cipher-suite ccmp
[AC2-wlan-st-1] security-ie rsn
[AC2-wlan-st-1] quit
# Enable port security.
[AC2] port-security enable
# Configure the 802.1X authentication method as EAP.
[AC2] dot1x authentication-method eap
# Create a RADIUS scheme rad, and specify the extended RADIUS server type.

[AC2] radius scheme rad
[AC2-radius-rad] server-type extended
# Configure the IP addresses of the primary authentication server and accounting server as
[AC2-radius-rad] primary authentication
[AC2-radius-rad] primary accounting
# Configure the shared key for RADIUS authentication/accounting packets as
[AC2-radius-rad] key authentication
[AC2-radius-rad] key accounting
# Configure the source IP address for the AC to send RADIUS packets as
[AC2-radius-rad] nas-ip
[AC2-radius-rad] quit
# Configure AAA domain cams by referencing RADIUS scheme rad.
[AC2] domain cams
[AC2-isp-cams] authentication default radius-scheme rad
[AC2-isp-cams] authorization default radius-scheme rad
[AC2-isp-cams] accounting default radius-scheme rad
[AC2-isp-cams] quit
# Configure the 802.1X authentication domain by referencing AAA domain cams.
[AC2] interface WLAN-ESS 1
[AC2-WLAN-ESS1] dot1x mandatory-domain cams
[AC2-WLAN-ESS1] quit
# Create an AP template named ap2, select the model MSM460-WW, and configure the serial ID of the AP as CN2AD330S8.
[AC2] wlan ap ap2 model MSM460-WW
[AC2-wlan-ap-ap2] serial-id CN2AD330S8
[AC2-wlan-ap-ap2] radio 1 type dot11an
# Bind service template inter-roam to radio 1 of AP 2. (Inter-AC roaming requires consistent SSIDs on the APs, so radio 1 of AP 2 must be bound to service template inter-roam.)
[AC2-wlan-ap-ap2-radio-1] service-template 1
[AC2-wlan-ap-ap2-radio-1] radio enable
[AC2-wlan-ap-ap2-radio-1] quit
[AC2-wlan-ap-ap2] quit
# Enable service template 1.
[AC2] wlan service-template 1
[AC2-wlan-st-1] service-template enable
[AC2-wlan-st-1] quit
# Create mobility group roam, specify the tunnel source IP as , and specify the IP address for AC 1.
[AC2] wlan mobility-group roam
[AC2-wlan-mg-roam] source ip
[AC2-wlan-mg-roam] member ip
[AC2-wlan-mg-roam] mobility-group enable

3. Verify the configuration:
Use the display wlan client roam-out command on AC 1 to display roamed-out client information, and the display wlan client roam-in command on AC 2 to display roamed-in client information. You can also use the display wlan client roam-track mac-address command on AC 1 to view the client roaming track.

Configuring WLAN RRM

Overview

WLAN radio resource management (RRM) is a scalable radio resource management solution. APs collect radio environment information in real time. The AC analyzes the collected information and makes radio resource adjustment decisions according to the analysis results. APs implement the configurations made by the AC for radio resource optimization. Through information collection, information analysis, decision-making, and implementation, WLAN RRM delivers a real-time, intelligent, and integrated radio resource management solution. This enables a WLAN to adapt quickly to radio environment changes and remain in a healthy state.

Dynamic frequency selection

A WLAN has a limited number of working channels, so channel overlapping occurs easily. In addition, other radio sources such as radar and microwave ovens may interfere with the operation of APs. Dynamic frequency selection (DFS) can solve these problems. With DFS, the AC selects an optimal channel for each AP in real time to avoid co-channel interference and interference from other radio sources. The following conditions determine DFS:
- Error code rate: physical layer error code and CRC errors.
- Interference: influence of 802.11 and non-802.11 wireless signals on wireless services.
- Retransmission: APs retransmit data if they do not receive ACK messages from the AC.
- Radar signal detected on a working channel: the AC immediately notifies the AP to change its working channel.
If any of the first three conditions is met, the AC selects a new channel for the AP. However, the AP does not use the new channel until the channel quality difference between the new and old channels exceeds the tolerance level.

Figure 44 Dynamic channel adjustment

Transmit power control

Traditionally, an AP uses the maximum power to cover an area as large as possible. This method, however, affects the operation of surrounding wireless devices. Transmit power control (TPC) selects a proper transmission power for each AP to satisfy both coverage and usage requirements.
Whether the transmission power of an AP is increased or decreased is determined by these factors: the maximum number of neighbors (detected neighbors that are managed by the same AC), the neighbor AP that performs power detection, and the power adjustment threshold.
As shown in Figure 45, APs 1, 2, and 3 cover an area. When AP 4 joins, the default maximum neighbor number 3 (configurable) is reached. Among all the neighbors of AP 1 (AP 2, AP 3, and AP 4), the signal strength of AP 4 is the third, so AP 4 becomes the AP that performs power detection. If AP 4 detects that the power of AP 1 is -75 dBm, which is lower than the default power adjustment threshold of -65 dBm (configurable), AP 1 increases its transmission power. If AP 4 detects that the power of AP 1 is -55 dBm, which is higher than the power adjustment threshold of -65 dBm, AP 1 decreases its transmission power.
The maximum number of neighbors and the neighbor AP that performs power detection are configured with the dot11a adjacency-factor or dot11bg adjacency-factor command. The adjusted transmission power cannot be smaller than the minimum value for AP transmission power adjustment.

Figure 45 Power reduction

As shown in Figure 46, when AP 3 fails or goes offline, the other APs increase their transmission power to cover the signal black hole.

Figure 46 Power increasing

Configuration task list

Configuring data transmit rates: Optional
Configuring channel exclusion: Optional
Configuring the maximum bandwidth: Optional
Configuring 802.11g protection: Optional
Configuring 802.11n protection: Optional
Configuring DFS: Optional

Configuring mesh DFS: Optional
Configuring TPC: Optional
Configuring a radio group: Optional
Configuring scan parameters: Optional
Configuring power constraint: Optional

Configuring data transmit rates

Configuring 802.11a/802.11b/802.11g rates

2. Enter WLAN RRM view.
   wlan rrm
3. Configure rates (in Mbps) for 802.11a.
   dot11a { disabled-rate | mandatory-rate | multicast-rate | supported-rate } rate-value
   By default: disabled rates, none; mandatory rates, 6, 12, and 24; multicast rates, automatically selected from the mandatory rates supported by all clients; supported rates, 9, 18, 36, 48, and 54.
4. Configure rates for 802.11b.
   dot11b { disabled-rate | mandatory-rate | multicast-rate | supported-rate } rate-value
   By default: disabled rates, none; mandatory rates, 1 and 2; multicast rates, automatically selected from the mandatory rates supported by all clients; supported rates, 5.5 and 11.
5. Configure rates for 802.11g.
   dot11g { disabled-rate | mandatory-rate | multicast-rate | supported-rate } rate-value
   By default: disabled rates, none; mandatory rates, 1, 2, 5.5, and 11; multicast rates, automatically selected from the mandatory rates supported by all clients; supported rates, 6, 9, 12, 18, 24, 36, 48, and 54.

Configuring 802.11n rates

Mandatory and supported 802.11n rates are configured by specifying the maximum Modulation and Coding Scheme (MCS) index. The MCS data rate table shows the relations between data rates, MCS indexes, and the parameters that affect data rates. A sample MCS data rate table (20 MHz) is shown in Table 1, and a sample MCS data rate table (40 MHz) is shown in Table 2. For the whole table, see IEEE 802.11n. Support for MCS indexes depends on the device model.
As shown in the two tables, MCS 0 through MCS 7 use one spatial stream, and the data rate corresponding to MCS 7 is the highest; MCS 8 through MCS 15 use two spatial streams, and the data rate corresponding to MCS 15 is the highest.

Table 1 MCS data rate table (20 MHz)
Columns: MCS index, Number of spatial streams, Modulation, Data rate (Mbps) with 800 ns GI, Data rate (Mbps) with 400 ns GI.

Table 2 MCS data rate table (40 MHz)
Columns: MCS index, Number of spatial streams, Modulation, Data rate (Mbps) with 800 ns GI, Data rate (Mbps) with 400 ns GI.

802.11n rates fall into three types: mandatory rates, supported rates, and multicast rates.
- Mandatory rates: the AP must support mandatory rates. Clients can only associate with the AP when they support the mandatory rates.
- Supported rates: higher rates supported by the AP besides the mandatory rates. Supported rates allow clients that support both mandatory and supported rates to choose higher rates when communicating with the AP.
- Multicast rates: rates supported by the AP besides the mandatory rates. Multicast rates allow clients to send multicast traffic at the multicast rates.
When you specify the maximum MCS index, you actually specify a range. For example, if you specify the maximum MCS index as 5 for mandatory rates, the rates corresponding to MCS indexes 0 through 5 are configured as 802.11n mandatory rates.
To configure 802.11n rates:
2. Enter RRM view.
   wlan rrm
3. Specify the maximum MCS index for 802.11n mandatory rates.
   dot11n mandatory maximum-mcs index
   By default, no maximum MCS index is specified for 802.11n mandatory rates. If you configure the client dot11n-only command, you must specify the maximum MCS index.
4. Specify the maximum MCS index for 802.11n supported rates.
   dot11n support maximum-mcs index
   By default, the maximum MCS index for 802.11n supported rates is 76.
5. Specify the MCS index for 802.11n multicast rates.
   dot11n multicast-rate index
   By default, the MCS index for 802.11n multicast rates is not specified.
Configure the same MCS index settings for APs using 802.11n radios in a mesh network.

Configuring channel exclusion

To avoid selecting improper channels, you can exclude specific channels from automatic channel selection. The excluded channels are not available for initial automatic channel selection, DFS, or mesh DFS. This feature does not affect rogue detection and WIDS.
Follow these guidelines when you configure channel exclusion:
- The channel exclusion list is not restricted by the country code. You can add channels not supported by the country code to the list, and changing the country code does not change the channel list. The device selects an available channel from the channels supported by the country code and not in the channel exclusion list. When you configure this feature, do not add all channels supported by the country code to the channel exclusion list.
- If you use the dot11a/dot11bg exclude-channel command to add an automatically selected channel to the channel exclusion list, the AC disables the radio, enables the radio, and then selects an available channel from the channels supported by the country code and not in the channel exclusion list.
- For 40 MHz 802.11n radios, if you add an automatically selected primary channel to the channel exclusion list, the AC selects another available primary channel. If you add a secondary channel to the channel exclusion list in this case, the AC selects another secondary channel. If the AC cannot find an available secondary channel, no channels are available for the WLAN access and mesh services.
To configure channel exclusion:
2. Enter WLAN RRM view.
   wlan rrm
3. Configure channel exclusion.
   dot11a exclude-channel channel-list
   dot11bg exclude-channel channel-list
   By default, no channel exists in the channel exclusion list.

Configuring the maximum bandwidth

The configured maximum bandwidth is used by the load balancing mandatory bandwidth and intelligent bandwidth assurance functions. For more information about intelligent bandwidth assurance, see "Configuring WLAN QoS."
To apply the configured maximum bandwidth on a radio, you must disable and then enable the radio.
2. Enter WLAN RRM view.
   wlan rrm

3. Configure the maximum bandwidth.
   802.11a: dot11a max-bandwidth 11a-bandwidth
   802.11b: dot11b max-bandwidth 11b-bandwidth
   802.11g: dot11g max-bandwidth 11g-bandwidth
   802.11n: dot11n max-bandwidth 11n-bandwidth
   By default: the maximum bandwidth for 802.11a is kbps; the maximum bandwidth for 802.11b is 7000 kbps; the maximum bandwidth for 802.11g is kbps; the maximum bandwidth for 802.11n is kbps.
Configure the maximum bandwidth close to, and smaller than, the upper limit of the actual traffic.

Configuring 802.11g protection

Enabling 802.11g protection

When both 802.11b and 802.11g clients access a WLAN, their access rates are degraded because they adopt different modulation modes. To enable them to operate properly, enable 802.11g protection so that an 802.11g AP sends RTS/CTS or CTS-to-self packets (the destination of the CTS packets is the device that sends them) and 802.11b devices defer access to the medium. 802.11g protection applies to the following scenarios:
- An 802.11b client associates with the 802.11g AP. In this case, 802.11g protection is always enabled without manual intervention.
- The 802.11g AP detects an overlapping 802.11b BSS or some 802.11b packets that are not destined to it. To enable 802.11g protection, issue the dot11g protection enable command.
To enable 802.11g protection:
2. Enter WLAN RRM view.
   wlan rrm
3. Enable 802.11g protection.
   dot11g protection enable
   By default, 802.11g protection is disabled. Enabling 802.11g protection reduces network performance.

Configuring 802.11g protection mode

802.11g protection modes include RTS/CTS and CTS-to-self:
- RTS/CTS: an AP sends an RTS packet before sending data to a client. After receiving the RTS packet, all devices within the coverage of the AP do not send data within the specified time. Upon receiving the RTS packet, the client sends a CTS packet. This makes sure all devices within the coverage of the client do not send data within the specified time.

- CTS-to-Self: an AP uses its MAC address to send a CTS packet before it sends data to a client. This ensures that all devices within the coverage of the AP do not send data within the specified time.
To configure the 802.11g protection mode:
2. Enter WLAN RRM view.
   wlan rrm
3. Configure the 802.11g protection mode.
   dot11g protection-mode { cts-to-self | rts-cts }
   By default, the 802.11g protection mode is CTS-to-Self.

Configuring 802.11n protection

Enabling 802.11n protection

When both 802.11n and non-802.11n clients access a WLAN, their access rates are degraded because they adopt different modulation modes. To enable them to operate properly, enable 802.11n protection so that an 802.11n AP sends RTS/CTS or CTS-to-self packets. 802.11n protection defines the following scenarios:
- No protection: the clients associated with the AP and the surrounding wireless devices are operating in 802.11n mode, and all associated clients use the same bandwidth mode, either 40 MHz or 20 MHz.
- Non-member: the clients associated with the AP are operating in 802.11n mode, but non-802.11n wireless devices exist.
- 20 MHz: the bandwidth mode of the AP is 40 MHz, the clients associated with the AP and the surrounding wireless devices are operating in 802.11n mode, and at least one 802.11n client operating in 20 MHz mode is associated with the AP.
- Non-HT mix: other scenarios.
Follow these guidelines to configure 802.11n protection:
- In a no protection or 20 MHz scenario where all associated clients support the greenfield format, no 802.11n protection is needed, because all wireless devices can process all packets.
- In a no protection or 20 MHz scenario where not all associated clients support the greenfield format, enable 802.11n protection on the wireless devices that use the HT_GF format to transmit frames.
- In a non-member or non-HT mix scenario where 802.11g or 802.11a wireless devices exist, enable 802.11n protection on the wireless devices that use the HT_GF format to transmit frames, and do not enable 802.11n protection on the wireless devices that use the HT_MF format to transmit frames.
To enable 802.11n protection:
2. Enter WLAN RRM view.
   wlan rrm

3. Enable 802.11n protection.
   dot11n protection enable
   By default, 802.11n protection is disabled. Enabling 802.11n protection reduces network performance.

Configuring 802.11n protection mode

802.11n protection modes include RTS/CTS and CTS-to-self:
- RTS/CTS: an AP sends an RTS packet before sending data to a client. After receiving the RTS packet, all devices within the coverage of the AP do not send data within the specified time. Upon receiving the RTS packet, the client sends a CTS packet. This makes sure all devices within the coverage of the client do not send data within the specified time.
- CTS-to-Self: an AP uses its MAC address to send a CTS packet before it sends data to a client. This ensures that all devices within the coverage of the AP do not send data within the specified time.
To configure the 802.11n protection mode:
2. Enter WLAN RRM view.
   wlan rrm
3. Configure the 802.11n protection mode.
   dot11n protection-mode { cts-to-self | rts-cts }
   By default, the 802.11n protection mode is CTS-to-Self.

Configuring DFS

Follow these guidelines when you configure DFS:
- Before you configure DFS, make sure the AC uses the auto mode (configured by using the channel auto command); otherwise DFS does not work.
- Before you enable DFS, make sure the channel is not locked. If you configure the channel lock command first and then enable DFS, DFS does not work because the channel is locked. If you enable DFS and then configure the channel lock command, the last selected channel is locked. For more information about the channel and channel lock commands, see WLAN Command Reference.
- The commands in this section take effect only on wireless access channels.

Configuring auto DFS

With auto DFS enabled, the AC performs DFS when the working channel of an AP meets a trigger condition and notifies the AP of the adjusted channel after a calibration interval. After that, the AC automatically makes DFS decisions at each calibration interval.
To configure auto DFS:

2. Enter WLAN RRM view.
   wlan rrm
3. Enable auto DFS.
   dot11a calibrate-channel self-decisive
   dot11bg calibrate-channel self-decisive
   By default, auto DFS is disabled.
4. Specify the calibration interval.
   dot11a calibration-interval minutes
   dot11bg calibration-interval minutes
   By default, the calibration interval is 8 minutes.

Executing one-time DFS

This feature enables the AC to perform DFS when the working channel of the AP meets a trigger condition, and to notify the AP of the adjusted channel after a calibration interval. If you want the AC to perform DFS for the AP again, you must perform this task again.
To execute one-time DFS:
2. Enter WLAN RRM view.
   wlan rrm
3. Enable channel monitoring.
   dot11a calibrate-channel
   dot11bg calibrate-channel
   By default, channel monitoring is disabled.
4. Execute one-time DFS.
   dot11a calibrate-channel pronto ap { all | name apname radio radionum }
   dot11bg calibrate-channel pronto ap { all | name apname radio radionum }
   By default, one-time DFS is not executed.
5. Specify the calibration interval.
   dot11a calibration-interval minutes
   dot11bg calibration-interval minutes
   By default, the calibration interval is 8 minutes.

Configuring DFS trigger parameters

The CRC error threshold, interference threshold, and tolerance level determine DFS. A new channel is selected when either the CRC error threshold or the interference threshold is exceeded on the current channel. However, the new channel is not applied until the quality of the current channel is worse than that of the new channel by the tolerance level.
To set DFS trigger parameters:
2. Enter WLAN RRM view.
   wlan rrm
3. Configure the CRC error threshold.
   dot11a crc-error-threshold percent
   dot11bg crc-error-threshold percent
   The default is

4. Configure the interference threshold.
   dot11a interference-threshold percent
   dot11bg interference-threshold percent
   The default is 50.
5. Configure the tolerance level.
   dot11a tolerance-level percentage
   dot11bg tolerance-level percentage
   The default is 20 percent.

Configuring mesh DFS

Before configuring mesh DFS, make sure the AC uses the auto mode (configured by using the channel auto command); otherwise DFS does not work. The commands in this section take effect only on mesh channels.

Configuring automatic mesh DFS

With mesh auto DFS enabled, the AC performs DFS when the working channel of an AP meets a trigger condition and notifies the AP of the adjusted channel after a calibration interval. After that, the AC automatically makes DFS decisions at each calibration interval.
To configure mesh auto DFS:
2. Enter WLAN RRM view.
   wlan rrm
3. Enable mesh auto DFS.
   mesh calibrate-channel self-decisive
   By default, auto DFS is disabled.
4. Specify the calibration interval.
   dot11a calibration-interval minutes
   dot11bg calibration-interval minutes
   By default, the calibration interval is 8 minutes.

Executing one-time mesh DFS

This feature enables the AC to perform DFS when the working channel of the AP meets a trigger condition, and to notify the AP of the adjusted channel after a calibration interval. If you want the AC to perform DFS for the AP again, you must perform this task again.
To execute one-time mesh DFS:
2. Enter WLAN RRM view.
   wlan rrm
3. Enable dynamic mesh channel selection.
   mesh calibrate-channel
   By default, dynamic mesh channel selection is disabled.

4. Execute one-time mesh DFS.
   mesh calibrate-channel pronto mesh-profile { all | mesh-profile-number }
   By default, one-time mesh DFS is not executed.
5. Specify the calibration interval.
   dot11a calibration-interval minutes
   dot11bg calibration-interval minutes
   By default, the calibration interval is 8 minutes.

Configuring TPC

Before enabling TPC, make sure the power is not locked with the power lock command. Otherwise, TPC does not work. If you enable TPC and then configure the power lock command, the last selected power is locked. For more information about the power lock command, see WLAN Command Reference.

Configuring auto TPC

With auto TPC enabled, the AC performs TPC for an AP upon certain interference and notifies the AP of the adjusted power after a calibration interval. After that, the AC makes TPC decisions automatically at each calibration interval.
To configure auto TPC:
2. Enter WLAN RRM view.
   wlan rrm
3. Enable auto TPC for the band.
   dot11a calibrate-power self-decisive
   dot11bg calibrate-power self-decisive
   By default, auto TPC for the band is disabled.
4. Specify the calibration interval.
   dot11a calibration-interval minutes
   dot11bg calibration-interval minutes
   By default, the power calibration interval is 8 minutes.

Executing one-time TPC

This feature enables the AC to perform TPC for the AP upon certain interference, and to notify the AP of the adjusted power after a calibration interval. After that, if you want the AC to perform TPC for the AP again, you must perform this task again.
To execute one-time TPC:
2. Enter WLAN RRM view.
   wlan rrm
3. Enable TPC.
   dot11a calibrate-power
   dot11bg calibrate-power
   By default, TPC is disabled.

4. Execute one-time TPC.
   dot11a calibrate-power pronto ap { all | name apname radio radionum }
   dot11bg calibrate-power pronto ap { all | name apname radio radionum }
   By default, one-time TPC for the band is not executed.
5. Specify the calibration interval.
   dot11a calibration-interval minutes
   dot11bg calibration-interval minutes
   By default, the power calibration interval is 8 minutes.

Configuring TPC trigger parameters

2. Enter WLAN RRM view.
   wlan rrm
3. Configure the maximum number of neighbors and specify the neighbor AP that performs power detection.
   dot11a adjacency-factor neighbor
   dot11bg adjacency-factor neighbor
   By default, the maximum number of neighbors is 3, and the neighbor AP that performs power detection is the AP whose signal strength is the third among all neighbors.
4. Configure the power adjustment threshold.
   dot11a calibrate-power threshold value
   dot11bg calibrate-power threshold value
   The default is 65.

Configuring the minimum value for AP power adjustment

The transmission power adjusted by auto TPC or one-time TPC for an AP cannot be lower than the minimum transmission power set by the dot11a/dot11bg calibrate-power min command. This avoids a situation where the AP's signals cannot be detected.
To configure the minimum value for AP power adjustment:
2. Enter WLAN RRM view.
   wlan rrm
3. Configure the minimum value for AP power adjustment.
   dot11a calibrate-power min tx-power
   dot11bg calibrate-power min tx-power
   By default, the minimum value for AP power adjustment is 1 dBm.
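The DFS trigger rule (CRC error threshold, interference threshold, tolerance level, radar, channel exclusion) and the TPC rule (adjacency factor, power threshold, minimum power) described above, modelled in Python as an added example for this guide; it is not HP code and does not run on an AC. Assumed, because the guide does not state them: the channel quality score, the CRC error threshold value, the power step and the maximum power.

```python
"""Model of the two RRM decisions in this chapter: DFS channel selection and TPC
power adjustment. Added example for this guide, not HP code. Constructed
assumptions: channel quality is 100 minus the larger of the CRC-error and
interference percentages (the guide does not define the AC's scoring); the CRC
error threshold value, since its default is not given on this page; RSSI
readings are negative dBm and the power threshold is a magnitude (65 means
-65 dBm); the power step and maximum power."""

from dataclasses import dataclass, field


# DFS: dynamic frequency selection

@dataclass
class ChannelStats:
    channel: int
    crc_error_pct: float
    interference_pct: float
    radar: bool = False

    def quality(self) -> float:
        return 100.0 - max(self.crc_error_pct, self.interference_pct)  # assumed metric


@dataclass
class DfsPolicy:
    crc_error_threshold: float = 30.0      # constructed; the page does not show the default
    interference_threshold: float = 50.0   # default from the guide
    tolerance_level: float = 20.0          # default from the guide, percent
    excluded_channels: frozenset = frozenset()  # dot11a/dot11bg exclude-channel list


def dfs_decide(policy: DfsPolicy, current: ChannelStats, candidates):
    """One calibration round. Returns (new_channel or None, reason)."""
    usable = [c for c in candidates
              if c.channel not in policy.excluded_channels and not c.radar]
    best = max(usable, key=lambda c: c.quality(), default=None)
    if current.radar:
        # Radar on the working channel: the AC tells the AP to change immediately.
        return (best.channel if best else None), "radar detected, immediate change"
    triggered = (current.crc_error_pct > policy.crc_error_threshold
                 or current.interference_pct > policy.interference_threshold)
    if not triggered:
        return None, "no trigger condition met"
    if best is None:
        return None, "no usable candidate channel"
    # The new channel is applied only when it is better by more than the tolerance level.
    gap = best.quality() - current.quality()
    if gap > policy.tolerance_level:
        return best.channel, f"candidate better by {gap:.0f}, above tolerance {policy.tolerance_level:.0f}"
    return None, f"candidate better by only {gap:.0f}, keep current channel"


# TPC: transmit power control

@dataclass
class RadioPower:
    name: str
    tx_power: int                                      # current transmit power, dBm
    neighbor_rssi: dict = field(default_factory=dict)  # neighbor name -> RSSI (dBm), assumed symmetric


def detecting_neighbor(radio: RadioPower, adjacency_factor: int = 3):
    """The neighbor that performs power detection is the one whose signal ranks
    N-th strongest, N being the adjacency factor (default 3). Returns None if
    fewer than N neighbors are known, in which case no adjustment is made."""
    ranked = sorted(radio.neighbor_rssi.items(), key=lambda kv: kv[1], reverse=True)
    if len(ranked) < adjacency_factor:
        return None
    return ranked[adjacency_factor - 1]


def tpc_decide(radio: RadioPower, adjacency_factor: int = 3, threshold: int = 65,
               min_power: int = 1, max_power: int = 20, step: int = 3):
    """Returns (new_power, reason). threshold is the magnitude set with
    calibrate-power threshold (default 65, meaning -65 dBm); min_power is the
    calibrate-power min value (default 1 dBm); max_power and step are constructed."""
    picked = detecting_neighbor(radio, adjacency_factor)
    if picked is None:
        return radio.tx_power, "fewer neighbors than the adjacency factor, no detection"
    name, rssi = picked
    if rssi < -threshold:
        return min(radio.tx_power + step, max_power), f"{name} hears {rssi} dBm, below -{threshold}: increase"
    if rssi > -threshold:
        return max(radio.tx_power - step, min_power), f"{name} hears {rssi} dBm, above -{threshold}: decrease"
    return radio.tx_power, "at threshold, no change"


if __name__ == "__main__":
    pol = DfsPolicy(excluded_channels=frozenset({44}))
    now = ChannelStats(36, crc_error_pct=10, interference_pct=60)
    scan = [ChannelStats(40, 5, 10), ChannelStats(44, 0, 0), ChannelStats(48, 20, 50)]
    print(dfs_decide(pol, now, scan))      # channel 44 is excluded, so 40 is chosen
    ap1 = RadioPower("AP 1", tx_power=10, neighbor_rssi={"AP 2": -50, "AP 3": -60, "AP 4": -75})
    print(tpc_decide(ap1))                 # AP 4 hears -75 dBm, below -65: power goes up
```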

Configuring a radio group

With DFS or TPC configured for a radio, the AC calculates the channel quality or power of the radio at each calibration interval. When the result meets a trigger condition, the AC selects a new channel or power for the radio. In an environment with serious interference, frequent channel or power adjustments may affect user access to the WLAN. In this case, you can configure a radio group to keep the channel or power of the radios in the group unchanged within the specified holddown time. The channel and power of radios not in the radio group are adjusted normally. When the holddown time expires, the AC calculates the channel or power again. If the result meets a trigger condition, the channel or power is changed, and the new channel or power remains unchanged within the specified holddown time.
To configure a radio group:
2. Create a radio group and enter radio group view.
   wlan rrm-calibration-group group-id
   By default, no radio group exists.
3. Configure a description for the radio group.
   description text
   By default, no description is configured for the radio group.
4. Add a radio of an AP to the radio group.
   ap ap-name radio radio-number
   By default, no radio exists in the radio group. A member of a radio group is a radio. One radio can belong to only one radio group.
5. Configure the channel holddown time.
   channel holddown-time minutes
   The default is 720 minutes. If the AC detects any radar signals on the channel within the specified holddown time, the AC immediately selects a new channel and resets the holddown timer.
6. Configure the power holddown time.
   power holddown-time minutes
   The default is 60 minutes.

Configuring scan parameters

The scan channel, scan type, and scan report-interval commands apply to channel adjustment, rogue device detection, and IDS detection. The autochannel-set avoid-dot11h command applies to all types of channel scanning.
To configure scan parameters:

2. Enter WLAN RRM view.
   wlan rrm
3. Set the scan mode.
   scan channel { auto | all }
   By default, the scan mode is auto.
4. Set the scan type.
   scan type { active | passive }
   By default, the scan type is passive.
5. Set the scan report interval.
   scan report-interval seconds
   By default, the scan report interval is 10 seconds.
6. Configure only non-dot11h channels to be scanned.
   autochannel-set avoid-dot11h
   By default, all channels of the country code supported by the device are scanned.

Configuring power constraint

2. Enter WLAN RRM view.
   wlan rrm
3. Enable spectrum management for 802.11a radios.
   spectrum-management enable
   By default, spectrum management is disabled.
4. Configure the power constraint for all 802.11a radios.
   power-constraint power-constraint
   The default power constraint is 0 dBm.

Displaying and maintaining WLAN RRM

Display WLAN RRM information (available in any view):
   display wlan rrm [ | { begin | exclude | include } regular-expression ]
Display the WLAN RRM status of the APs (available in any view):
   display wlan ap { all | name ap-name } rrm-status [ | { begin | exclude | include } regular-expression ]
Display the channel and power change history for APs (available in any view):
   display wlan ap { all | name ap-name } rrm-history [ | { begin | exclude | include } regular-expression ]
Display WLAN RRM information of the APs (available in any view):
   display wlan ap { all | name ap-name } [ verbose ] [ | { begin | exclude | include } regular-expression ]
Display mesh channel adjustment history (available in any view):
   display wlan mesh calibrate-channel history [ | { begin | exclude | include } regular-expression ]

Load balancing

Overview

WLAN load balancing dynamically adjusts loads among APs to ensure adequate bandwidth for clients. It is mainly used in high-density WLAN networks.

Requirement of WLAN load-balancing implementation

As shown in Figure 47, Client 6 wants to associate with AP 3. AP 3 has reached its maximum load, so it rejects the association request. Client 6 tries to associate with AP 1 or AP 2, but it cannot receive signals from these two APs, so it has to resend an association request to AP 3. Therefore, to implement load balancing, the APs must be managed by the same AC, and the clients must be able to find the APs.

Figure 47 Requirement of WLAN load-balancing implementation

Load-balancing modes

The AC supports two load balancing modes, session mode and traffic mode.
- Session mode load balancing: session-mode load balancing is based on the number of clients associated with the AP/radio. As shown in Figure 48, Client 1 is associated with AP 1, and Client 2 through Client 6 are associated with AP 2. The AC has session-mode load balancing configured: the maximum number of sessions is 5 and the maximum session gap is 4. Then, Client 7 sends an association request to AP 2. The maximum session threshold and session gap have been reached on AP 2, so it rejects the request. Instead, Client 7 associates with AP

Figure 48 Network diagram

- Traffic mode load balancing: a traffic snapshot is considered for traffic mode load balancing. As shown in Figure 49, Client 1 and Client 2, which run 802.11g, are associated with AP 1. The AC has traffic-mode load balancing configured: the maximum traffic threshold is 10% and the maximum traffic gap is 20%. Then, Client 3 wants to access the WLAN through AP 1. The maximum traffic threshold and traffic gap (between AP 1 and AP 2) have been reached on AP 1, so it rejects the request. Instead, Client 3 associates with AP 2.

Figure 49 Network diagram

Load-balancing methods

The AC supports AP-based load balancing and group-based load balancing.

AP-based load balancing

AP-based load balancing can be implemented either among APs or among the radios of an AP.

- AP-based load balancing: APs can carry out either session-mode or traffic-mode load balancing as configured. An AP starts load balancing when the maximum threshold and gap are reached. It does not accept any association requests unless the load decreases below the maximum threshold or the gap is less than the maximum gap. However, if a client has been denied more than the specified maximum number of times, the AP considers that the client is unable to associate with any other AP and accepts the association request from the client.
- Radio-based load balancing: the radios of a balanced AP can carry out either session-mode or traffic-mode load balancing as configured. A radio starts load balancing when the maximum threshold and gap are reached. It rejects any association requests unless the load decreases below the maximum threshold or the gap is less than the maximum gap. However, if a client has been denied more than the specified maximum number of times, the AP considers that the client is unable to associate with any other AP and accepts the association request from the client.

Group-based load balancing

To balance loads among the radios of different APs, you can add them to the same load balancing group. The radios in a load balancing group can carry out either session-mode or traffic-mode load balancing as configured. Radios that are not added to any load balancing group do not carry out load balancing.
A radio in a load balancing group starts load balancing when the maximum threshold and gap are reached on it. The radio does not accept any association requests unless the load decreases below the maximum threshold or the gap is less than the maximum gap. However, if a client has been denied more than the specified maximum number of times, the AP considers that the client is unable to associate with any other AP and accepts the association request from the client.
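The accept/reject rule shared by AP-based, radio-based, and group-based load balancing, reproduced in Python as an added example for this guide (not HP code, and it does not talk to an AC) so the Figure 48 and Figure 49 outcomes can be checked. Constructed assumptions: traffic load is a percentage, the maximum denial count is 2, the RSSI threshold is -80 dBm, and the RSSI and traffic values in the two figure functions are invented.

```python
"""Model of the load-balancing association decision described in this chapter.
Added example, not HP code. A radio rejects an association when the threshold
and the gap are both reached, unless the client has been denied the maximum
number of times or only this radio can detect it. Constructed assumptions:
traffic load as a percentage, maximum denial count 2, RSSI threshold -80 dBm."""

from dataclasses import dataclass, field


@dataclass
class Radio:
    name: str
    sessions: int = 0          # associated clients, used in session mode
    traffic_pct: float = 0.0   # share of radio capacity in use, used in traffic mode


@dataclass
class LoadBalancer:
    mode: str                  # "session" (load-balance session) or "traffic" (load-balance traffic)
    threshold: float           # maximum sessions or maximum traffic percentage
    gap: float                 # maximum gap between this radio and the lightest peer
    max_denial: int = 2        # constructed default
    rssi_threshold: int = -80  # constructed default, dBm
    denials: dict = field(default_factory=dict)   # client id -> times denied

    def load(self, radio: Radio) -> float:
        return radio.sessions if self.mode == "session" else radio.traffic_pct

    def decide(self, client: str, target: Radio, peers, detections: dict):
        """Decide one association request.

        peers: the other radios in the balancing set (other APs, other radios
               of the same AP, or the members of the load balancing group).
        detections: radio name -> RSSI (dBm) at which that radio hears the client.
        Returns (accepted, reason)."""
        # A client heard below the RSSI threshold counts as not detected; if only
        # the target radio detects the client, it is accepted even when overloaded.
        hearing = [name for name, rssi in detections.items() if rssi >= self.rssi_threshold]
        if hearing == [target.name]:
            return True, "only this radio detects the client"
        # A client denied the maximum number of times is assumed unable to reach
        # any other AP and is accepted.
        if self.denials.get(client, 0) >= self.max_denial:
            return True, "maximum denial count reached"
        load = self.load(target)
        lightest = min((self.load(p) for p in peers), default=load)
        if load >= self.threshold and load - lightest >= self.gap:
            self.denials[client] = self.denials.get(client, 0) + 1
            return False, f"load {load} reached threshold {self.threshold} and gap {self.gap}"
        return True, "threshold or gap not reached"


def figure_48() -> list:
    """Session mode: max sessions 5, gap 4; Client 1 on AP 1, Clients 2-6 on AP 2."""
    lb = LoadBalancer("session", threshold=5, gap=4)
    ap1, ap2 = Radio("AP 1", sessions=1), Radio("AP 2", sessions=5)
    heard = {"AP 1": -62, "AP 2": -58}          # constructed RSSI values
    first = lb.decide("client7", ap2, [ap1], heard)    # AP 2 rejects
    second = lb.decide("client7", ap1, [ap2], heard)   # AP 1 accepts
    return [first, second]


def figure_49() -> list:
    """Traffic mode: threshold 10%, gap 20%; constructed loads of 35% and 5%."""
    lb = LoadBalancer("traffic", threshold=10, gap=20)
    ap1, ap2 = Radio("AP 1", traffic_pct=35), Radio("AP 2", traffic_pct=5)
    heard = {"AP 1": -60, "AP 2": -64}          # constructed RSSI values
    return [lb.decide("client3", ap1, [ap2], heard), lb.decide("client3", ap2, [ap1], heard)]


if __name__ == "__main__":
    for outcome in figure_48() + figure_49():
        print(outcome)
```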
Load balancing configuration task list

If the AC has a load balancing mode configured but no load balancing group created, it adopts AP-based load balancing by default. As soon as a load balancing group is created, the AC adopts group-based load balancing by default. Band navigation and load balancing can be used simultaneously.

Configuring a load balancing mode (required; use either approach):
- Configuring session mode load balancing
- Configuring traffic mode load balancing
Configuring AP-based load balancing: Required.

115 Task Configuring group-based load balancing Configuring parameters that affect load balancing Displaying and maintaining load balancing Remarks Use either approach. AP-based load balancing After you complete Configuring a load balancing mode, the AC adopts AP-based load balancing by default. Group-based load balancing Complete Configuring a load balancing mode first. A load balancing group takes effect only when the load balancing mode is configured. This configuration takes effect for both AP-based load balancing and radio group load balancing. Configuring a load balancing mode Prerequisites Before you configure load balancing, make sure of the following: The target APs are associated with the same AC. The clients can find the APs. The fast association function is disabled. By default, the fast association function is disabled. For more information about fast association, see "Configuring WLAN services." Configuring session mode load balancing If the AC has a load balancing mode configured but has no load balancing group created, it adopts AP-based load balancing by default. To configure session mode load balancing: 2. Enter RRM view. wlan rrm N/A 3. Configure session mode load balancing. load-balance session value [ gap gap-value ] By default, no session threshold is set. Configuring traffic mode load balancing If the AC has a load balancing mode configured but has no load balancing group created, it adopts AP-based load balancing by default. To configure traffic mode load balancing: 2. Enter RRM view. wlan rrm N/A 107

3. Configure traffic mode load balancing.
   load-balance traffic value [ gap gap-value ]
   By default, no traffic threshold is set.

Configuring group-based load balancing

Prerequisites
Before you configure load balancing, make sure of the following:
- The target APs are associated with the same AC.
- The clients can find the APs.
- The fast association function is disabled. By default, the fast association function is disabled. For more information about fast association, see "Configuring WLAN access."
- A load balancing mode has been configured. For more information, see "Configuring a load balancing mode."

Configuring a load balancing group
1. Enter system view.
   system-view
2. Create a load balancing group and enter its view.
   wlan load-balance-group group-id
   By default, no load balancing group exists.
3. Configure a description for the load balancing group.
   description text
   By default, a load balancing group has no description.
4. Add a radio of an AP to the load balancing group.
   ap ap-name radio radio-number
   By default, no radio exists in a load balancing group. A member of a load balancing group is a radio. One radio can belong to only one load balancing group.

Configuring parameters that affect load balancing
The following parameters affect load balancing calculation:
- Load balancing RSSI threshold: A client may be detected by multiple APs. An AP considers a client whose RSSI is lower than the load balancing RSSI threshold as not detected. If only one AP can detect the client, the AP increases the access probability for the client even if it is overloaded.
- Maximum denial count of client association requests: If the number of times that a client has been denied reaches or exceeds the specified maximum number, the AP considers that the client is unable to associate with any other AP and accepts the association request from the client.
To configure parameters that affect load balancing:

1. Enter system view.
   system-view
2. Enter RRM view.
   wlan rrm
3. Configure the load balancing RSSI threshold.
   load-balance rssi-threshold rssi-threshold
   The default load balancing RSSI threshold is 25.
4. Configure the maximum denial count of client association requests.
   load-balance access-denial access-denial
   The default value is 10.

Displaying and maintaining load balancing
Task: Display load balancing configuration.
Command: display wlan load-balance-group { group-id | all } [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Configuring band navigation
Band navigation enables APs to prefer accepting dual-band (2.4 GHz and 5 GHz) clients on their 5 GHz radio because the 2.4 GHz band is often congested, increasing overall network performance. When band navigation is enabled, the AP directs clients to its 2.4 GHz or 5 GHz radio by following these principles:
- The AP associates with a 2.4 GHz client on its 2.4 GHz radio after rejecting it several times.
- The AP directs a dual-band client to its 5 GHz radio.
- The AP associates with a 5 GHz-only client on its 5 GHz radio.
- The AP checks the RSSI of a dual-band client before directing the client to the 5 GHz radio. If the RSSI is lower than the value specified by the band-navigation rssi-threshold command, the AP does not direct the client to the 5 GHz band.
- If the number of clients on the 5 GHz radio has reached the upper limit, and the gap between the number of clients on the 5 GHz radio and that on the 2.4 GHz radio has reached the upper limit (the two thresholds are specified by the band-navigation balance session session [ gap gap ] command), the AP denies the client's association to the 5 GHz radio, and allows new clients to associate with the 2.4 GHz radio.
- If the number of times that a client has been denied reaches or exceeds the specified maximum number on the 5 GHz radio (specified by the band-navigation balance access-denial command), the AP considers that the client is unable to associate with any other AP and unable to associate with the 2.4 GHz radio of the AP, and allows the 5 GHz radio to accept the client.

Configuration guidelines
Follow these guidelines when you configure band navigation:

- When band navigation is enabled, the client association efficiency is affected, so this feature is not recommended in a scenario where most clients use 2.4 GHz.
- Band navigation is not recommended in a delay-sensitive network.
- Band navigation and load balancing can be used simultaneously.

Configuration prerequisites
To enable band navigation to operate properly, make sure of the following:
- The fast association function is disabled. By default, the fast association function is disabled. For more information about fast association, see "Configuring WLAN access."
- Band navigation is enabled for the AP. By default, band navigation is enabled for the AP.
- The SSID is bound to the 2.4 GHz and 5 GHz radios of the AP.

Enabling band navigation globally
1. Enter system view.
   system-view
2. Enter RRM view.
   wlan rrm
3. Enable band navigation globally.
   band-navigation enable
   By default, band navigation is disabled globally. Band navigation takes effect for the specified AP only when band navigation is enabled both globally and for the AP.

Enabling band navigation for an AP
1. Enter system view.
   system-view
2. Enter AP template view.
   wlan ap ap-name [ model model-name [ id ap-id ] ]
3. Enable band navigation for the AP.
   band-navigation enable
   By default, band navigation is enabled for an AP. Band navigation takes effect for an AP only when band navigation is enabled both globally and for the AP.

Configuring band navigation parameters
1. Enter system view.
   system-view
2. Enter RRM view.
   wlan rrm

3. Configure the load balancing session threshold and session gap.
   band-navigation balance session session [ gap gap ]
   By default, load balancing for band navigation is disabled. If you disable this command, the AP does not prohibit clients from associating with the 802.11a radio even if the 802.11a radio is overloaded. If you enable this command, the AP prefers accepting dual-band clients on its 802.11g radio if the 802.11a radio is overloaded.
4. Configure the maximum denial count of association requests sent by a 5 GHz-only client.
   band-navigation balance access-denial access-denial
   By default, the association requests sent by 5 GHz-only clients are not rejected.
5. Configure the client RSSI threshold.
   band-navigation rssi-threshold rssi-threshold
   The default RSSI threshold is 15.
6. Configure the client information aging time.
   band-navigation aging-time aging-time
   The default aging time is 180 seconds. The AP records the client information when a client tries to associate with it. If the AP receives the probe request or association request sent by the client before the aging time expires, the AP refreshes the client information and restarts the aging timer. If not, the AP removes the client information, and does not count the client during band navigation.

WLAN RRM configuration examples
The configuration examples were created on the 10500/ G unified wired-wlan module and may vary with device models. When configuring the 10500/ G unified wired-wlan module, make sure the settings are correct (including VLAN settings) on the internal Ethernet interface that connects the module to the switch. For more information, see HP & G Unified Wired-WLAN Module Fundamentals Configuration Guide. By default, the aggregate interfaces between the access controller engine and the switching engine on an 830 switch are Access interfaces in VLAN 1. When configuring the two aggregate interfaces, make sure their permitted VLANs are the same. HP also recommends setting their link type to be the same.
Configuring auto DFS

Network requirements
As shown in Figure 50, configure auto DFS on the AC so that the AC can perform channel adjustment when the channel of AP 1 is unavailable.

Figure 50 Network diagram

Configuration procedure
# Create a WLAN ESS interface.
<AC> system-view
[AC] interface wlan-ess 1
[AC-WLAN-ESS1] quit
# Create service template 1 of clear type, configure its SSID as channel-adjust, and bind WLAN-ESS1 to channel-adjust.
[AC] wlan service-template 1 clear
[AC-wlan-st-1] ssid channel-adjust
[AC-wlan-st-1] bind wlan-ess 1
[AC-wlan-st-1] authentication-method open-system
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
# Create an AP template named ap1, select the model MSM460-WW, and configure the serial ID of the AP as CN2AD330S8.
[AC] wlan ap ap1 model MSM460-WW
[AC-wlan-ap-ap1] serial-id CN2AD330S8
[AC-wlan-ap-ap1] radio 2 type dot11gn
# Bind service template 1 to radio 2 of AP 1.
[AC-wlan-ap-ap1-radio-2] service-template 1
[AC-wlan-ap-ap1-radio-2] radio enable
[AC-wlan-ap-ap1-radio-2] quit
[AC-wlan-ap-ap1] quit
# Enable auto DFS.
[AC] wlan rrm
[AC-wlan-rrm] dot11bg calibrate-channel self-decisive
# Configure auto DFS trigger parameters.
[AC-wlan-rrm] dot11bg crc-error-threshold 20
[AC-wlan-rrm] dot11bg interference-threshold 50
[AC-wlan-rrm] dot11bg tolerance-level 20

Verifying the configuration
You can use the display wlan ap { all | name apname } rrm-status command to display the channel information of the AP. When the channel is unavailable, the AC will change it, for example, from channel 1 to channel 6 after the calibration interval (configured with the dot11bg calibration-interval command and defaulting to 8 minutes). After the channel change, you can use the display wlan ap { all | name apname } rrm-history command to check the specific reason.

Configuring mesh auto DFS

Network requirements
As shown in Figure 51, configure mesh auto DFS on the AC, so that the AC can perform channel adjustment when the mesh channel between AP 1 and AP 2 is unavailable.

Figure 51 Network diagram

Configuration procedure
1. Configure mesh:
   For the detailed configuration procedures, see "Configuring WLAN mesh link." Configure the radio that provides mesh services to automatically select its channel.
2. Configure mesh auto DFS:
# Enable mesh auto DFS.
<AC> system-view
[AC] wlan rrm
[AC-wlan-rrm] mesh calibrate-channel self-decisive

Verifying the configuration
Use the display wlan mesh calibrate-channel history command to view channel adjustment history information. When a trigger condition is met, the AC changes the channel, for example, from channel 149 to channel 153 after the calibration interval.

Configuring auto TPC

Network requirements
As shown in Figure 52, configure auto TPC and specify the maximum number of neighbors as 3 on the AC so the AC performs auto TPC when AP 4 joins.

Figure 52 Network diagram

Configuration procedure
# Create a WLAN ESS interface.
<AC> system-view
[AC] interface wlan-ess 1
[AC-WLAN-ESS1] quit
# Create service template 1 of clear type, configure its SSID as power-adjust, and bind WLAN-ESS1 to power-adjust.
[AC] wlan service-template 1 clear
[AC-wlan-st-1] ssid power-adjust
[AC-wlan-st-1] bind wlan-ess 1
[AC-wlan-st-1] authentication-method open-system
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
# Create an AP template named ap1, select the model MSM460-WW, and configure the serial ID of the AP as CN2AD330S8.
[AC] wlan ap ap1 model MSM460-WW
[AC-wlan-ap-ap1] serial-id CN2AD330S8
[AC-wlan-ap-ap1] radio 2 type dot11gn
# Bind service template 1 to radio 2 of AP 1.
[AC-wlan-ap-ap1-radio-2] service-template 1
[AC-wlan-ap-ap1-radio-2] radio enable
[AC-wlan-ap-ap1-radio-2] quit
[AC-wlan-ap-ap1] quit
Configurations of other APs are similar to AP 1, and are not shown.
# Enable auto TPC.
[AC] wlan rrm
[AC-wlan-rrm] dot11bg calibrate-power self-decisive
# Configure parameters that affect auto TPC.

[AC-wlan-rrm] dot11bg adjacency-factor 3
[AC-wlan-rrm] dot11bg calibrate-power threshold 80
[AC-wlan-rrm] dot11bg calibrate-power min 1

Verifying the configuration
When AP 4 joins, the number of neighbors reaches 3. Assume the signal strength of AP 4 is the third among all neighbors (AP 2, AP 3, and AP 4). AP 4 thus becomes the neighbor AP that performs power detection. If AP 4 detects that the power of AP 1 is 90 dBm, which is lower than the power adjustment threshold 80 dBm, AP 1 increases its transmission power. If AP 4 detects that the power of AP 1 is 70 dBm, which is higher than the power adjustment threshold 80 dBm, AP 1 decreases its transmission power. You can use the display wlan ap { all | name apname } rrm-status command to check the adjusted power (TxPower). The adjusted power of AP 1 cannot be lower than the minimum transmission power (1 dBm in this example).

Configuring a radio group

Network requirements
As shown in Figure 53, AP 1 through AP 3 are connected to the AC. Configure auto DFS so that the AC can automatically switch the working channel of an AP when the signal quality on that channel is degraded to a certain level. Configure auto TPC so that the AC can automatically adjust the power of an AP when the third neighbor of that AP is discovered (or in other words, when AP 4 joins). Add radio 1 of AP 1 and radio 1 of AP 2 to a radio group to prevent frequent channel and power adjustments.

Figure 53 Network diagram

Configuration procedure
# Create a WLAN ESS interface.
<AC> system-view
[AC] interface wlan-ess 1

[AC-WLAN-ESS1] quit
# Create service template 1 of clear type, configure its SSID as rrm-adjust, and bind WLAN-ESS1 to the service template.
[AC] wlan service-template 1 clear
[AC-wlan-st-1] ssid rrm-adjust
[AC-wlan-st-1] bind wlan-ess 1
[AC-wlan-st-1] authentication-method open-system
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
# Create an AP template named ap1, select the model MSM460-WW, and configure the serial ID of the AP as CN2AD330S8.
[AC] wlan ap ap1 model MSM460-WW
[AC-wlan-ap-ap1] serial-id CN2AD330S8
[AC-wlan-ap-ap1] radio 2 type dot11gn
# Bind service template 1 to radio 2 of AP 1.
[AC-wlan-ap-ap1-radio-2] service-template 1
[AC-wlan-ap-ap1-radio-2] radio enable
[AC-wlan-ap-ap1-radio-2] quit
[AC-wlan-ap-ap1] quit
# Configurations of other APs are similar to AP 1, and are not shown.
# Enable auto DFS and auto TPC.
[AC] wlan rrm
[AC-wlan-rrm] dot11bg calibrate-channel self-decisive
[AC-wlan-rrm] dot11bg calibrate-power self-decisive
# Configure auto DFS trigger parameters. (Optional, because the parameters have default values.)
[AC-wlan-rrm] dot11bg crc-error-threshold 20
[AC-wlan-rrm] dot11bg interference-threshold 50
[AC-wlan-rrm] dot11bg tolerance-level 20
# Configure the auto TPC trigger parameter adjacency factor. (Optional, because the parameter has a default value.)
[AC-wlan-rrm] dot11bg adjacency-factor 3
[AC-wlan-rrm] quit
# Create radio group 1.
[AC] wlan rrm-calibration-group 1
# Add radio 1 of AP 1, radio 1 of AP 2, radio 1 of AP 3, and radio 1 of AP 4 to the radio group.
[AC-wlan-rc-group-1] ap ap1 radio 1
[AC-wlan-rc-group-1] ap ap2 radio 1
[AC-wlan-rc-group-1] ap ap3 radio 1
[AC-wlan-rc-group-1] ap ap4 radio 1
# Set the channel holddown time to 20 minutes.
[AC-wlan-rc-group-1] channel holddown-time 20
# Set the power holddown time to 30 minutes.
[AC-wlan-rc-group-1] power holddown-time

Verifying the configuration
The working channel of radio 1 of AP 1 and that of AP 2 do not change within 20 minutes after each automatic channel adjustment. The power of radio 1 of AP 1 and that of AP 2 do not change within 30 minutes after each automatic power adjustment.

Load balancing configuration examples
The configuration examples were created on the 10500/ G unified wired-wlan module and may vary with device models. When configuring the 10500/ G unified wired-wlan module, make sure the settings are correct (including VLAN settings) on the internal Ethernet interface that connects the module to the switch. For more information, see HP & G Unified Wired-WLAN Module Fundamentals Configuration Guide. By default, the aggregate interfaces between the access controller engine and the switching engine on an 830 switch are Access interfaces in VLAN 1. When configuring the two aggregate interfaces, make sure their permitted VLANs are the same. HP also recommends setting their link type to be the same.

Configuring session-mode load balancing

Network requirements
As shown in Figure 54, all APs operate in 802.11an mode. Client 1 is associated with AP 1. Client 2 through Client 6 are associated with AP 2. Configure session-mode load balancing on the AC. The threshold, or the maximum number of sessions, is 5 and the maximum load gap is 4.

Figure 54 Network diagram

Configuration procedure
# Enable session-mode load balancing, and configure the maximum number of sessions and the maximum load gap as 5 and 4 respectively.
<AC> system-view
[AC] wlan rrm
[AC-wlan-rrm] load-balance session 5 gap 4
[AC-wlan-rrm] quit
# Create a WLAN ESS interface.
[AC] interface wlan-ess 1
[AC-WLAN-ESS1] quit
# Create service template 1 of clear type, configure its SSID as session-balance, and bind WLAN-ESS1 to session-balance.
[AC] wlan service-template 1 clear
[AC-wlan-st-1] ssid session-balance
[AC-wlan-st-1] bind wlan-ess 1
[AC-wlan-st-1] authentication-method open-system
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
# Create an AP template named ap1, select the model MSM460-WW, and configure the serial ID of the AP as CN2AD330S8.
[AC] wlan ap ap1 model MSM460-WW
[AC-wlan-ap-ap1] serial-id CN2AD330S8
[AC-wlan-ap-ap1] radio 1 type dot11an
# Bind service template 1 to radio 1 of AP 1.
[AC-wlan-ap-ap1-radio-1] service-template 1
[AC-wlan-ap-ap1-radio-1] radio enable
[AC-wlan-ap-ap1-radio-1] return
# Create an AP template named ap2, select the model MSM460-WW, and configure the serial ID of the AP as CN2AD330S7.
<AC> system-view
[AC] wlan ap ap2 model MSM460-WW
[AC-wlan-ap-ap2] serial-id CN2AD330S7
[AC-wlan-ap-ap2] radio 1 type dot11an
# Bind service template 1 to radio 1 of AP 2.
[AC-wlan-ap-ap2-radio-1] service-template 1
[AC-wlan-ap-ap2-radio-1] radio enable
[AC-wlan-ap-ap2-radio-1] return

Verifying the configuration
Client 1 is associated with AP 1, and Client 2 through Client 6 are associated with AP 2. The number of clients associated with AP 2 reaches 5, and the load gap between AP 2 and AP 1 reaches 4, so Client 7 is associated with AP

Configuring traffic-mode load balancing

Network requirements
As shown in Figure 55, all APs operate in 802.11an mode. Client 1 and Client 2 are associated with AP 1, and no client is associated with AP 2. Configure traffic-mode load balancing on the AC. The traffic threshold is 10% and the maximum load gap is 40%.

Figure 55 Network diagram

Configuration procedure
# Enable traffic-mode load balancing and configure the traffic threshold and the maximum load gap as 10% and 40% respectively.
<AC> system-view
[AC] wlan rrm
[AC-wlan-rrm] load-balance traffic 10 gap 40
[AC-wlan-rrm] quit
# Create interface WLAN-ESS 1.
[AC] interface wlan-ess 1
[AC-WLAN-ESS1] quit
# Create service template 1 of clear type, configure its SSID as traffic-balance, and bind WLAN-ESS1 to traffic-balance.
[AC] wlan service-template 1 clear
[AC-wlan-st-1] ssid traffic-balance
[AC-wlan-st-1] bind wlan-ess 1
[AC-wlan-st-1] authentication-method open-system
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
# Create an AP template named ap1, select the model MSM460-WW, and configure the serial ID of the AP as CN2AD330S8.

[AC] wlan ap ap1 model MSM460-WW
[AC-wlan-ap-ap1] serial-id CN2AD330S8
[AC-wlan-ap-ap1] radio 1 type dot11an
# Bind service template 1 to radio 1 of AP 1.
[AC-wlan-ap-ap1-radio-1] service-template 1
[AC-wlan-ap-ap1-radio-1] radio enable
[AC-wlan-ap-ap1-radio-1] return
# Create an AP template named ap2, select the model MSM460-WW, and configure the serial ID of the AP as CN2AD330S7.
<AC> system-view
[AC] wlan ap ap2 model MSM460-WW
[AC-wlan-ap-ap2] serial-id CN2AD330S7
[AC-wlan-ap-ap2] radio 1 type dot11an
# Bind service template 1 to radio 1 of AP 2.
[AC-wlan-ap-ap2-radio-1] service-template 1
[AC-wlan-ap-ap2-radio-1] radio enable
[AC-wlan-ap-ap2-radio-1] return

Verifying the configuration
Client 1 and Client 2 are associated with AP 1. When the maximum traffic threshold and load gap are reached on AP 1, Client 3 is associated with AP 2.

Configuring group-based session-mode load balancing

Network requirements
As shown in Figure 56, all APs operate in 802.11an mode. Client 1 is associated with AP 1. Client 2 through Client 6 are associated with AP 2, and no client is associated with AP 3. Configure session-mode load balancing on the AC. The maximum number of sessions is 5 and the maximum session gap is 4. Session-mode load balancing is required on only radio 1 of AP 1 and radio 1 of AP 2. Therefore, add them into a load balancing group.

Figure 56 Network diagram

Configuration procedure
1. Configure APs on the AC:
# Create a WLAN ESS interface.
<AC> system-view
[AC] interface wlan-ess 1
[AC-WLAN-ESS1] quit
# Create service template 1 of clear type, configure its SSID as session-balance, and bind WLAN-ESS1 to the service template.
[AC] wlan service-template 1 clear
[AC-wlan-st-1] ssid session-balance
[AC-wlan-st-1] bind wlan-ess 1
[AC-wlan-st-1] authentication-method open-system
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
# Create an AP template named ap1, select the model MSM460-WW, and configure the serial ID of the AP as CN2AD330S8.
[AC] wlan ap ap1 model MSM460-WW
[AC-wlan-ap-ap1] serial-id CN2AD330S8
[AC-wlan-ap-ap1] radio 1 type dot11an
# Bind service template 1 to radio 1 of AP 1.
[AC-wlan-ap-ap1-radio-1] service-template 1
[AC-wlan-ap-ap1-radio-1] radio enable
[AC-wlan-ap-ap1-radio-1] return
# Create an AP template named ap2, select the model MSM460-WW, and configure the serial ID of the AP as CN2AD330S7.
<AC> system-view
[AC] wlan ap ap2 model MSM460-WW
[AC-wlan-ap-ap2] serial-id CN2AD330S7

[AC-wlan-ap-ap2] radio 1 type dot11an
# Bind service template 1 to radio 1 of AP 2.
[AC-wlan-ap-ap2-radio-1] service-template 1
[AC-wlan-ap-ap2-radio-1] radio enable
[AC-wlan-ap-ap2-radio-1] return
# Create an AP template named ap3, select the model MSM460-WW, and configure the serial ID of the AP as CN2AD330S6.
<AC> system-view
[AC] wlan ap ap3 model MSM460-WW
[AC-wlan-ap-ap3] serial-id CN2AD330S6
[AC-wlan-ap-ap3] radio 1 type dot11an
# Bind service template 1 to radio 1 of AP 3.
[AC-wlan-ap-ap3-radio-1] service-template 1
[AC-wlan-ap-ap3-radio-1] radio enable
[AC-wlan-ap-ap3-radio-1] quit
[AC-wlan-ap-ap3] quit
2. Configure the load balancing mode:
# Enable session-mode load balancing, and configure the maximum number of sessions and the maximum load gap as 5 and 4 respectively.
[AC] wlan rrm
[AC-wlan-rrm] load-balance session 5 gap 4
[AC-wlan-rrm] quit
3. Configure group-based session-mode load balancing:
# Create load balancing group 1.
[AC] wlan load-balance-group 1
# Add radio 1 of AP 1 and radio 1 of AP 2 to the load balancing group.
[AC-wlan-lb-group-1] ap ap1 radio 1
[AC-wlan-lb-group-1] ap ap2 radio 1

Verifying the configuration
Radio 1 of AP 1 and radio 1 of AP 2 are in the same load balancing group, and the radio of AP 3 does not belong to any load balancing group. Load balancing takes effect only on radios in a load balancing group, so AP 3 does not take part in load balancing. Assume Client 7 (out of coverage of AP 3 and in the coverage of AP 1 and AP 2) wants to associate with AP 2. The number of clients associated with radio 1 on AP 2 reaches 5, and the load gap between AP 2 and AP 1 reaches 4, so Client 7 is associated with AP 1.

Configuring group-based traffic-mode load balancing

Network requirements
As shown in Figure 57, all APs operate in 802.11an mode. Client 1 and Client 2 are associated with AP 1, and no client is associated with AP 2 and AP 3. Configure traffic-mode load balancing on the AC. The traffic threshold is 10% and the maximum traffic gap is 40%. Traffic-mode load balancing is required on only radio 1 of AP 1 and radio 1 of AP

Figure 57 Network diagram

Configuration procedure
1. Configure APs on the AC:
# Create a WLAN ESS interface.
<AC> system-view
[AC] interface wlan-ess 1
[AC-WLAN-ESS1] quit
# Create service template 1 of clear type, configure its SSID as traffic-balance, and bind WLAN-ESS1 to the service template.
[AC] wlan service-template 1 clear
[AC-wlan-st-1] ssid traffic-balance
[AC-wlan-st-1] bind wlan-ess 1
[AC-wlan-st-1] authentication-method open-system
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
# Create an AP template named ap1, select the model MSM460-WW, and configure the serial ID of the AP as CN2AD330S8.
[AC] wlan ap ap1 model MSM460-WW
[AC-wlan-ap-ap1] serial-id CN2AD330S8
[AC-wlan-ap-ap1] radio 1 type dot11an
# Bind service template 1 to radio 1 of AP 1.
[AC-wlan-ap-ap1-radio-1] service-template 1
[AC-wlan-ap-ap1-radio-1] radio enable
[AC-wlan-ap-ap1-radio-1] return
# Create an AP template named ap2, select the model MSM460-WW, and configure the serial ID of the AP as CN2AD330S7.
<AC> system-view

[AC] wlan ap ap2 model MSM460-WW
[AC-wlan-ap-ap2] serial-id CN2AD330S7
[AC-wlan-ap-ap2] radio 1 type dot11an
# Bind service template 1 to radio 1 of AP 2.
[AC-wlan-ap-ap2-radio-1] service-template 1
[AC-wlan-ap-ap2-radio-1] radio enable
[AC-wlan-ap-ap2-radio-1] quit
[AC-wlan-ap-ap2] quit
# Create an AP template named ap3, select the model MSM460-WW, and configure the serial ID of the AP as CN2AD330S6.
<AC> system-view
[AC] wlan ap ap3 model MSM460-WW
[AC-wlan-ap-ap3] serial-id CN2AD330S6
[AC-wlan-ap-ap3] radio 1 type dot11an
# Bind service template 1 to radio 1 of AP 3.
[AC-wlan-ap-ap3-radio-1] service-template 1
[AC-wlan-ap-ap3-radio-1] radio enable
[AC-wlan-ap-ap3-radio-1] quit
[AC-wlan-ap-ap3] quit
2. Configure the load balancing mode:
# Enable traffic-mode load balancing and configure the traffic threshold and the maximum load gap as 10% and 40% respectively.
[AC] wlan rrm
[AC-wlan-rrm] load-balance traffic 10 gap 40
[AC-wlan-rrm] quit
3. Configure group-based traffic-mode load balancing:
# Create load balancing group 1.
[AC] wlan load-balance-group 1
# Add radio 1 of AP 1 and radio 1 of AP 2 to the load balancing group.
[AC-wlan-lb-group-1] ap ap1 radio 1
[AC-wlan-lb-group-1] ap ap2 radio 1

Verifying the configuration
Radio 1 of AP 1 and radio 1 of AP 2 are in the same load balancing group, and the radio of AP 3 does not belong to any load balancing group. Load balancing takes effect only on radios in a load balancing group, so AP 3 does not take part in load balancing. Assume Client 3 (out of the coverage of AP 3 and in the coverage of AP 1 and AP 2) wants to associate with AP 1. When the maximum traffic threshold and load gap are reached on radio 1 of AP 1, Client 3 is associated with AP 2.

Band navigation configuration example
The configuration example was created on the 10500/ G unified wired-wlan module and may vary with device models. When configuring the 10500/ G unified wired-wlan module, make sure the settings are correct (including VLAN settings) on the internal Ethernet interface that connects the module to the switch. For more information, see HP & G Unified Wired-WLAN Module Fundamentals Configuration Guide. By default, the aggregate interfaces between the access controller engine and the switching engine on an 830 switch are Access interfaces in VLAN 1. When configuring the two aggregate interfaces, make sure their permitted VLANs are the same. HP also recommends setting their link type to be the same.

Network requirements
As shown in Figure 58, Client 1 through Client 3 try to associate with the AP, and the two radios of the AP operate at 5 GHz and 2.4 GHz respectively. Client 1, Client 2, and Client 3 are dual-band clients. Configure band navigation to direct clients to different radios of the AP.

Figure 58 Network diagram

Configuration procedure
# Enable band navigation.
<AC> system-view
[AC] wlan rrm
[AC-wlan-rrm] band-navigation enable
[AC-wlan-rrm] quit
# Create a WLAN-ESS interface.
[AC] interface wlan-ess 1
[AC-WLAN-ESS1] quit
# Create service template 1 of clear type, configure its SSID as band-navigation, and bind WLAN-ESS1 to the service template.
[AC] wlan service-template 1 clear
[AC-wlan-st-1] ssid band-navigation
[AC-wlan-st-1] bind wlan-ess 1
# Disable fast association. (By default, fast association is disabled.)
[AC-wlan-st-1] undo fast-association enable
[AC-wlan-st-1] service-template enable
# Create an AP template named ap1, select the model MSM460-WW, and configure the serial ID of the AP as CN2AD330S8.
[AC] wlan ap ap1 model MSM460-WW
[AC-wlan-ap-ap1] serial-id CN2AD330S8
# Bind service template 1 to radio 1 of the AP.
[AC-wlan-ap-ap1] radio 1 type dot11an

[AC-wlan-ap-ap1-radio-1] service-template 1
[AC-wlan-ap-ap1-radio-1] radio enable
[AC-wlan-ap-ap1-radio-1] quit
# Bind service template 1 to radio 2 of the AP.
[AC-wlan-ap-ap1] radio 2 type dot11gn
[AC-wlan-ap-ap1-radio-2] service-template 1
[AC-wlan-ap-ap1-radio-2] radio enable
[AC-wlan-ap-ap1-radio-2] return
# Configure the band navigation load balancing session threshold as 2, and the session gap as 1.
<AC> system-view
[AC] wlan rrm
[AC-wlan-rrm] band-navigation balance session 2 gap 1

Verifying the configuration
Client 1 and Client 2 are associated with the 5 GHz radio of the AP. Because the number of clients on the 5 GHz radio has reached the upper limit 2, and the gap between the number of clients on the 5 GHz radio and 2.4 GHz radio has reached the session gap 1, Client 3 is associated with the 2.4 GHz radio of the AP.
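The following Python model is an added illustration (not HP code and not output of the switch) of the band navigation principles described in "Configuring band navigation": the RSSI check, the session threshold and gap, the access-denial rule for 5 GHz-only clients, and the client information aging timer. Client identifiers, RSSI values and timestamps are constructed; the text's "after rejecting it several times" for 2.4 GHz-only clients is simplified to immediate acceptance, and the defaults are the chapter's (rssi-threshold 15, aging-time 180 seconds).

```python
"""Model of the band navigation decision described in "Configuring band navigation".

Added illustration, not HP code.  The session threshold/gap and the
access-denial count are disabled until configured, as in the chapter.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class BandNavConfig:
    session: Optional[int] = None        # band-navigation balance session <session>
    gap: int = 0                         # ... [ gap <gap> ]
    access_denial: Optional[int] = None  # band-navigation balance access-denial
    rssi_threshold: int = 15             # band-navigation rssi-threshold (default 15)
    aging_time: float = 180.0            # band-navigation aging-time (default 180 s)


@dataclass
class ClientRecord:
    last_seen: float       # time of the last probe or association request
    denials_5g: int = 0    # denials issued to this client by the 5 GHz radio


@dataclass
class DualBandAP:
    cfg: BandNavConfig
    clients_5g: int = 0    # clients associated with the 5 GHz radio
    clients_24g: int = 0   # clients associated with the 2.4 GHz radio
    records: Dict[str, ClientRecord] = field(default_factory=dict)

    def _touch(self, mac: str, now: float) -> ClientRecord:
        """Refresh the client record and restart its aging timer.

        A record whose timer expired is removed first, so the client's denial
        history starts again, exactly as if the AP had never seen it.
        """
        rec = self.records.get(mac)
        if rec is not None and now - rec.last_seen >= self.cfg.aging_time:
            del self.records[mac]
            rec = None
        if rec is None:
            rec = ClientRecord(last_seen=now)
            self.records[mac] = rec
        rec.last_seen = now
        return rec

    def _5g_overloaded(self) -> bool:
        """True once 5 GHz holds `session` clients AND leads 2.4 GHz by `gap`."""
        if self.cfg.session is None:
            return False
        return (self.clients_5g >= self.cfg.session
                and self.clients_5g - self.clients_24g >= self.cfg.gap)

    def decide(self, mac: str, bands: str, rssi: int, now: float) -> Tuple[str, str]:
        """Decide which radio takes a request; bands is '2.4g', '5g' or 'dual'.

        Returns ('5g' | '2.4g' | 'none', reason); 'none' means the request was denied.
        """
        rec = self._touch(mac, now)
        if bands == "2.4g":
            return "2.4g", "single-band 2.4 GHz client"
        if bands == "5g":
            # 5 GHz-only clients are refused only when access-denial is configured,
            # and are accepted once their denial count reaches that value.
            if (self._5g_overloaded() and self.cfg.access_denial is not None
                    and rec.denials_5g < self.cfg.access_denial):
                rec.denials_5g += 1
                return "none", "5 GHz radio overloaded: request denied"
            return "5g", "single-band 5 GHz client"
        # Dual-band client: prefer 5 GHz unless the signal is weak or 5 GHz is overloaded.
        if rssi < self.cfg.rssi_threshold:
            return "2.4g", "RSSI below band-navigation rssi-threshold"
        if self._5g_overloaded():
            return "2.4g", "5 GHz radio reached session threshold and gap"
        return "5g", "dual-band client directed to 5 GHz"

    def admit(self, mac: str, bands: str, rssi: int, now: float) -> str:
        """Apply decide() and update the per-radio client counts."""
        radio, _ = self.decide(mac, bands, rssi, now)
        if radio == "5g":
            self.clients_5g += 1
        elif radio == "2.4g":
            self.clients_24g += 1
        return radio
```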

135 Configuring WLAN IDS Overview networks are susceptible to a wide array of threats, such as unauthorized access points and clients, ad hoc networks, and DoS attacks. Rogue devices are a serious threat to enterprise security. Wireless intrusion detection system (WIDS) is used for the early detection of malicious attacks and intrusions on a wireless network. WIPS helps to protect enterprise networks and users from unauthorized wireless access. The Rogue detection feature is a part of the WIDS/WIPS solution, which detects the presence of rogue devices in a WLAN network and takes countermeasures to prevent rogue devices operation. Terminology WIDS WLAN IDS is designed to be deployed in an area that an existing wireless network covers. It aids in the detection of malicious outsider attacks and intrusions via the wireless network. Rogue AP An unauthorized or malicious access point on the network, such as an employee setup AP, an AP not configured, a neighbor AP, or an attacker-operated AP. It is not authorized, so if any vulnerability occurs on the AP, the hacker has a chance to compromise your network security. Rogue client An unauthorized or malicious client on the network. Rogue wireless bridge An unauthorized wireless bridge on the network. Monitor AP An AP that scans or listens to frames to detect wireless attacks in the network. Ad hoc mode Sets the working mode of a wireless client to ad hoc. An ad hoc terminal can communicate directly with other stations without support from any other device. Passive scanning In passive scanning, a monitor AP listens to all the frames over the air in that channel. Active scanning In active scanning, a monitor AP, besides listening to all frames, sends a broadcast probe request and receives all probe response messages on that channel. Each AP in the vicinity of the monitor AP replies to the probe request. This helps identify all authorized and unauthorized APs by processing probe response frames. 
The monitor AP masquerades as a client when sending the probe request.

Rogue detection

Detecting rogue devices

Rogue detection is applicable to large wireless networks. It detects the presence of rogue devices in a WLAN based on the preconfigured rules. Rogue detection can detect different types of devices in a WLAN, for example, rogue APs, rogue clients, rogue wireless bridges, and ad hoc terminals.

Taking countermeasures against rogue device attacks

You can enable the countermeasures function on a monitor AP. The monitor AP downloads an attack list from the AC and takes countermeasures against the rogue devices based on the configured countermeasures mode. For example, if the countermeasures mode is config, the monitor AP only takes countermeasures against rogue devices in the static attack list. It sends fake de-authentication frames by using the MAC addresses of the rogue devices to remove them from the network.

Attack detection

The attack detection function detects intrusions or attacks on a WLAN, and informs the network administrator of the attacks by recording information or sending logs. WIDS detection supports detection of the following attacks:
- Flood attack
- Spoofing attack
- Weak IV attack

Flood attack detection

A flood attack refers to the case where WLAN devices receive large volumes of frames of the same kind within a short span of time. When this occurs, the WLAN devices are overwhelmed. Consequently, they are unable to service normal clients. WIDS attack detection counters flood attacks by constantly keeping track of the density of traffic generated by each device. When the traffic density of a device exceeds the limit, the device is considered to be flooding the network and, if the dynamic blacklist feature is enabled, is added to the blacklist and forbidden to access the WLAN for a period of time. WIDS inspects the following types of frames:
- Authentication requests and de-authentication requests
- Association requests, disassociation requests, and reassociation requests
- Probe requests
- Null data frames
- Action frames

Spoofing attack detection

In this kind of attack, a potential attacker can send frames in the air on behalf of another device. For instance, a client in a WLAN has been associated with an AP and operates properly.
In this case, a spoofed de-authentication frame can cause the client to be de-authenticated from the network and can affect the normal operation of the WLAN. Spoofing attack detection counters this type of attack by detecting broadcast de-authentication and disassociation frames sent on behalf of an AP. When such a frame is received, it is identified as a spoofed frame, and the attack is immediately logged.

Weak IV detection

WEP uses an IV to encrypt each frame. An IV and a key are used to generate a key stream, so that encryptions using the same key have different results. When a WEP frame is sent, the IV used in encrypting the frame is also sent as part of the frame header.

However, if a WLAN device generates IVs in an insecure way, for example, if it uses a fixed IV for all frames, the shared secret key may be exposed to any potential attacker. When the shared secret key is compromised, the attacker can access network resources. Weak IV detection counters this attack by verifying the IVs in WEP frames. Whenever a frame with a weak IV is detected, it is immediately logged.

Blacklist and whitelist

You can configure the blacklist and whitelist functions to filter frames from WLAN clients and implement client access control. WLAN client access control is accomplished through the following types of lists:
- Whitelist: Contains the MAC addresses of all clients allowed to access the WLAN. If the whitelist is used, only permitted clients can access the WLAN, and all frames from other clients are discarded.
- Static blacklist: Contains the MAC addresses of clients forbidden to access the WLAN. This list is manually configured.
- Dynamic blacklist: Contains the MAC addresses of clients forbidden to access the WLAN. A client is dynamically added to the list if it is considered to be sending attack frames, and stays in the list until the timer of the entry expires. A dynamic blacklist can collaborate with ARP detection. When ARP detection detects any attacks, the MAC addresses of the attackers are added to the dynamic blacklist. For more information about ARP detection, see Security Configuration Guide.

When an AP receives an 802.11 frame, it checks the source MAC address of the frame and processes the frame by following these rules:
1. If the source MAC address does not match any entry in the whitelist, the frame is dropped. If there is a match, the frame is considered valid and is processed further.
2. If no whitelist entries exist, the static and dynamic blacklists are searched.
3. If the source MAC address matches an entry in either of the two lists, the frame is dropped.
4. If there is no match, or no blacklist entries exist, the frame is considered valid and is processed further.

The static blacklist and whitelist configured on the AC apply to all APs connected to the AC, and the dynamic blacklist applies only to the APs that received the attack packets.
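The filtering rules above and the per-AP scope of the dynamic blacklist, modelled as an added example (not HP's or Comware's code): whitelist first, then the static and dynamic blacklists, with dynamic entries held per AP and expiring after the guide's 300-second default lifetime. The MAC addresses, AP names and timestamps are constructed sample values.

```python
"""Added example, not HP's code: a model of the AP frame-filtering rules and of
the dynamic blacklist's per-AP scope. MAC addresses and times are constructed."""

DEFAULT_DYNAMIC_LIFETIME = 300  # seconds, the guide's default dynamic-blacklist lifetime


class AccessController:
    """Lists the AC pushes to every AP, plus one dynamic blacklist per AP."""

    def __init__(self, dynamic_lifetime=DEFAULT_DYNAMIC_LIFETIME):
        self.whitelist = set()            # whitelist mac-address ...
        self.static_blacklist = set()     # static-blacklist mac-address ...
        self.dynamic_enabled = False      # dynamic-blacklist enable
        self.dynamic_lifetime = dynamic_lifetime  # dynamic-blacklist lifetime ...
        # The dynamic blacklist applies only to the AP that received the attack
        # frames, so entries are kept per AP: {ap_name: {mac: expiry_time}}.
        self.dynamic_blacklist = {}

    def report_attack(self, ap_name, src_mac, now):
        """Attack detection (flood, spoof, ARP detection, ...) flagged src_mac on ap_name.

        Returns True when a dynamic entry was created or refreshed."""
        if not self.dynamic_enabled:
            return False
        entries = self.dynamic_blacklist.setdefault(ap_name, {})
        entries[src_mac.lower()] = now + self.dynamic_lifetime
        return True

    def _purge_expired(self, ap_name, now):
        entries = self.dynamic_blacklist.get(ap_name, {})
        for mac in [m for m, expiry in entries.items() if expiry <= now]:
            del entries[mac]

    def filter_frame(self, ap_name, src_mac, now):
        """Decide whether ap_name processes ('permit') or drops a frame from src_mac.

        Follows the guide's four rules in order:
          1. A whitelist exists: only whitelisted senders pass; the blacklists
             are not consulted.
          2. No whitelist: the static and dynamic blacklists are searched.
          3. A match in either blacklist drops the frame.
          4. No match, or no blacklist entries: the frame is processed further.
        """
        mac = src_mac.lower()
        if self.whitelist:
            return "permit" if mac in self.whitelist else "drop"
        self._purge_expired(ap_name, now)
        if mac in self.static_blacklist:
            return "drop"
        if mac in self.dynamic_blacklist.get(ap_name, {}):
            return "drop"
        return "permit"


def walk_through():
    """Replays the guide's scenario with two APs; returns the decisions made."""
    ac = AccessController()
    ac.dynamic_enabled = True
    client1 = "000f-e200-0001"   # constructed sample MAC
    client2 = "000f-e200-0002"   # constructed sample MAC
    t0 = 1000.0                  # constructed reference time, in seconds

    # AP 1 sees attack frames from Client 1: the entry is added for AP 1 only.
    ac.report_attack("ap1", client1, t0)
    decisions = {
        "ap1_client1_blacklisted": ac.filter_frame("ap1", client1, t0 + 1),
        "ap2_client1_still_ok": ac.filter_frame("ap2", client1, t0 + 1),
        "ap1_client2_ok": ac.filter_frame("ap1", client2, t0 + 1),
        # After the 300-second lifetime the dynamic entry has expired.
        "ap1_client1_after_expiry": ac.filter_frame("ap1", client1, t0 + 301),
    }

    # A static blacklist entry applies on every AP and never expires.
    ac.static_blacklist.add(client1)
    decisions["ap2_client1_static"] = ac.filter_frame("ap2", client1, t0 + 400)

    # Once a whitelist exists, only whitelisted senders pass on any AP.
    ac.whitelist.add(client2)
    decisions["whitelist_client2"] = ac.filter_frame("ap1", client2, t0 + 500)
    decisions["whitelist_client1"] = ac.filter_frame("ap1", client1, t0 + 500)
    return decisions
```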

Figure 59 Frame filtering

In the topology, three APs are connected to an AC. Configure whitelist and static blacklist entries on the AC, which sends all the entries to the APs. If the MAC address of a station, Client 1 for example, is present in the blacklist, it cannot access any of the APs. If only Client 1 is present in the whitelist, it can access any of the APs, and other clients cannot access any of the APs. Enable the dynamic blacklist function on the AC. If AP 1 receives attack frames from Client 1, the AC adds Client 1 to the dynamic blacklist for AP 1, but Client 1 can still associate with AP 2 or AP 3. If AP 2 or AP 3 receives attack frames from Client 1, a new dynamic blacklist entry is generated for that AP.

WLAN IDS configuration task list

Task                                    Description
Configuring AP operating mode
Configuring detection of rogue devices  Configuring detection of rogue devices
                                        Taking countermeasures against attacks from detected rogue devices
                                        Displaying and maintaining rogue detection
                                        Before you configure detection of rogue devices, set the AP operating mode to monitor.
Configuring attack detection            Configuration procedure
                                        Displaying and maintaining attack detection
Configuring blacklist and whitelist

Configuring AP operating mode

A WLAN consists of various APs that span across the building, offering WLAN services to the clients. The administrator may want some of these APs to detect rogue devices. The administrator can configure an AP to operate in any of three modes: normal, monitor, or hybrid. In normal mode, an AP provides WLAN data services but does not perform any scanning.

In monitor mode, an AP scans all 802.11 frames in the WLAN, but cannot provide WLAN services. Because an AP operating in this mode cannot provide WLAN service, you do not need to configure a service template. In hybrid mode, an AP can both scan devices in the WLAN and provide WLAN services. For an AP operating in this mode, you need to configure a service template so that the AP can provide WLAN service while scanning devices.

To configure the AP operating mode:

2. Enter AP template view.
   Command: wlan ap ap-name model model-name
   Remarks: Use either command.
3. Configure the AP operating mode.
   Command: Configure the AP operating mode as monitor: work-mode monitor
   Command: Configure the AP operating mode as hybrid: device-detection enable
   Remarks: By default, the AP operating mode is normal.

When an AP has its operating mode changed from normal to monitor, it does not restart. When an AP has its operating mode changed from monitor to normal, it restarts.

Configuring rogue detection

Configuring detection of rogue devices

Configuring detection rules

An AC classifies devices as rogues or friends based on the configured detection rules.

Determine if an AP is a rogue.

Figure 60 Determining if an AP is a rogue

Determine whether a client is a rogue.

Figure 61 Determining if a client is a rogue

Determine if an ad hoc network or a wireless bridge is a rogue.

Figure 62 Determining if an ad hoc network or a wireless bridge is a rogue

To configure the detection rules:

2. Enter WLAN IDS view.
   Command: wlan ids
   Remarks: N/A
3. Add the MAC address of a client or AP to the static attack list.
   Command: device attack mac-address mac-address
   Remarks: By default, the attack list is empty.
4. Add the MAC address of a client or AP to the permitted MAC address list.
   Command: device permit mac-address mac-address
   Remarks: By default, the permitted MAC address list is empty.
5. Add an SSID to the permitted SSID list.
   Command: device permit ssid ssid
   Remarks: By default, the permitted SSID list is empty.
6. Add a vendor ID to the permitted vendor list.
   Command: device permit vendor vendor
   Remarks: By default, the vendor list is empty.

Configuring the device expiration timer

This task allows you to set the expiration interval for device entries in the detected device list. If a device in the list is not detected again within this interval, its entry is removed from the detected list. If the deleted entry is that of a rogue, it is moved to the rogue history table.

To configure the device expiration timer:

2. Enter WLAN IDS view.
   Command: wlan ids
   Remarks: N/A
3. Configure the device expiration timer.
   Command: device aging-duration duration
   Remarks: By default, the aging duration is 600 seconds.

Taking countermeasures against attacks from detected rogue devices

Configuring the rules

You can configure a device as a rogue by adding its MAC address to the static attack list.

To configure the rules:

2. Enter WLAN IDS view.
   Command: wlan ids
   Remarks: N/A
3. Add the MAC address of a client or AP to the static attack list.
   Command: device attack mac-address mac-address
   Remarks: By default, the attack list is empty.

Configuring the countermeasures mode

The countermeasures mode can be set to control the devices for which countermeasures are taken. Based on the configuration, APs operating in monitor mode can take countermeasures against devices present in the static attack list, all rogue devices, only rogue APs, or only ad hoc clients. Countermeasures are not taken against wireless bridges even if they are classified as rogues.

To configure the countermeasures mode:

2. Enter WLAN IDS view.
   Command: wlan ids
   Remarks: N/A
3. Configure the countermeasures mode.
   Command: countermeasures mode { all | { rogue | adhoc | config } * }
   Remarks: By default, the countermeasures mode is config, that is, the static attack list.
4. Enable the countermeasures function.
   Command: countermeasures enable
   Remarks: By default, the countermeasures function is disabled.

To use the config countermeasures mode, use the device attack mac-address command to configure the static attack list first.

Displaying and maintaining rogue detection

Task: Display attack list information.
  Command: display wlan ids attack-list { config | all | ap ap-name } [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display detected entities.
  Command: display wlan ids detected { all | rogue { ap | client } | adhoc | ssid | mac-address mac-address } [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display the history of attacks detected in the WLAN system.
  Command: display wlan ids rogue-history [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display the list of permitted MAC addresses, the list of permitted SSIDs, or the list of permitted vendor OUIs.
  Command: display wlan ids permitted { mac-address | ssid | vendor } [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Clear the list of detected entities in the WLAN.
  Command: reset wlan ids detected { all | rogue { ap | client } | adhoc | ssid | mac-address mac-address }
  Remarks: Available in user view.
Task: Clear all entries from the rogue-history list.
  Command: reset wlan ids rogue-history
  Remarks: Available in user view.

Configuring attack detection

Configuration procedure

2. Enter WLAN IDS view.
   Command: wlan ids
   Remarks: N/A
3. Enable IDS attack detection.
   Command: attack-detection enable { all | flood | spoof | weak-iv }
   Remarks: By default, IDS attack detection is disabled.

Displaying and maintaining attack detection

Task: Display all the attacks detected by WLAN IDS/IPS.
  Command: display wlan ids history [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display the count of attacks detected by WLAN IDS/IPS.
  Command: display wlan ids statistics [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Clear the history of attacks detected by the WLAN system.
  Command: reset wlan ids history
  Remarks: Available in user view.
Task: Clear the statistics of attacks detected in the WLAN system.
  Command: reset wlan ids statistics
  Remarks: Available in user view.

Configuring blacklist and whitelist

Perform this task to configure the static blacklist and static whitelist, enable the dynamic blacklist feature, and configure the lifetime for dynamic entries.
- WLAN IDS permits devices present in the static whitelist. You can add entries to or delete entries from the list.
- WLAN IDS denies devices present in the static blacklist. You can add entries to or delete entries from the list.
- WLAN IDS adds dynamically detected attack devices to the dynamic blacklist. You can set a lifetime in seconds for dynamic blacklist entries. After the lifetime of an entry expires, the device entry is removed from the dynamic blacklist.

Configuring static lists

The maximum number of entries in a static list depends on the device model. For more information, see About the HP 830 Series PoE+ Unified Wired-WLAN Switch and HP 10500/ G Unified Wired-WLAN Module Configuration Guides.

To configure static lists:

2. Enter WLAN IDS view.
   Command: wlan ids
   Remarks: N/A
3. Add an entry to the whitelist.
   Command: whitelist mac-address mac-address
   Remarks: By default, no whitelist exists.
4. Add an entry to the static blacklist.
   Command: static-blacklist mac-address mac-address
   Remarks: By default, no static blacklist exists.

Configuring a dynamic blacklist

The maximum number of entries in a dynamic blacklist depends on the device model. For more information, see About the HP 830 Series PoE+ Unified Wired-WLAN Switch and HP 10500/ G Unified Wired-WLAN Module Configuration Guides.

To configure a dynamic blacklist:

2. Enter WLAN IDS view.
   Command: wlan ids
   Remarks: N/A
3. Enable the dynamic blacklist feature.
   Command: dynamic-blacklist enable
   Remarks: By default, the dynamic blacklist feature is disabled.
4. Configure the lifetime for dynamic blacklist entries.
   Command: dynamic-blacklist lifetime lifetime
   Remarks: By default, the lifetime is 300 seconds.

Displaying and maintaining blacklist and whitelist

Task: Display blacklist entries.
  Command: display wlan blacklist { static | dynamic } [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display whitelist entries.
  Command: display wlan whitelist [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Clear dynamic blacklist entries.
  Command: reset wlan dynamic-blacklist { mac-address mac-address | all }
  Remarks: Available in user view.

WLAN IDS configuration examples

The configuration examples were created on the 10500/ G unified wired-WLAN module and may vary with device models.

When configuring the 10500/ G unified wired-WLAN module, make sure the settings are correct (including VLAN settings) on the internal Ethernet interface that connects the module to the switch. For more information, see HP & G Unified Wired-WLAN Module Fundamentals Configuration Guide.

By default, the aggregate interfaces between the access controller engine and the switching engine on an 830 switch are access interfaces in VLAN 1. When configuring the two aggregate interfaces, make sure their permitted VLANs are the same. HP also recommends that you set their link types to be the same.

Rogue detection configuration example

Network requirements

As shown in Figure 63, AP 1 (serial ID CN2AD330S8) and AP 2 (serial ID CN2AD330S7) are connected to an AC through a Layer 2 switch. AP 1 operates in normal mode and only provides WLAN services. AP 2 operates in monitor mode and detects rogue devices. Client 1 (MAC address 000f-e ), Client 2 (MAC address 000f-e ), and Client 3 (MAC address 000f-e ) are connected to AP 1. Client 4 (MAC address 000f-e e) is considered a rogue.

Figure 63 Network diagram

Configuration procedure

# Create a WLAN-ESS interface.
<AC> system-view
[AC] interface wlan-ess 1
[AC-WLAN-ESS1] quit
# Create service template 1 of clear type, configure its SSID as normal, and bind WLAN-ESS 1 to the service template.
<AC> system-view
[AC] wlan service-template 1 clear

[AC-wlan-st-1] ssid normal
[AC-wlan-st-1] bind wlan-ess 1
[AC-wlan-st-1] authentication-method open-system
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
# Configure AP 1 to operate in normal mode and provide WLAN service only.
[AC] wlan ap ap1 model MSM460-WW
[AC-wlan-ap-ap1] serial-id CN2AD330S8
[AC-wlan-ap-ap1] radio 1 type dot11an
[AC-wlan-ap-ap1-radio-1] service-template 1
[AC-wlan-ap-ap1-radio-1] radio enable
# Configure AP 2 to operate in monitor mode. It only scans for rogue devices and does not provide access services.
[AC] wlan ap ap2 model MSM460-WW
[AC-wlan-ap-ap2] serial-id CN2AD330S7
[AC-wlan-ap-ap2] work-mode monitor
[AC-wlan-ap-ap2] radio 1 type dot11an
[AC-wlan-ap-ap2-radio-1] radio enable
[AC-wlan-ap-ap2-radio-1] return
# Configure IDS rules to allow Client 1, Client 2, and Client 3 to connect to the WLAN and use the WLAN services provided by AP 1.
<AC> system-view
[AC] wlan ids
[AC-wlan-ids] device permit mac-address 000f-e
[AC-wlan-ids] device permit mac-address 000f-e
[AC-wlan-ids] device permit mac-address 0015-e
# Add Client 4 (the rogue client) to the static attack list, configure the countermeasures mode, and enable countermeasures.
[AC-wlan-ids] device attack mac-address 0015-e e
[AC-wlan-ids] countermeasures mode config
[AC-wlan-ids] countermeasures enable

Blacklist and whitelist configuration example

Network requirements

As shown in Figure 64, Client 1 ( f-1211) is a rogue client. To ensure WLAN security, add the MAC address of Client 1 to the blacklist on the AC to prevent it from accessing the wireless network through any AP.

Figure 64 Network diagram

Configuration procedure

# Add MAC address f-1211 of Client 1 to the blacklist.
<AC> system-view
[AC] wlan ids
[AC-wlan-ids] static-blacklist mac-address f-1211

After the configuration, Client 1 cannot access AP 1 or AP

Configuring WLAN QoS

Overview

An 802.11 network offers contention-based wireless access. To provide applications with QoS services, IEEE developed 802.11e for the 802.11-based WLAN architecture. While IEEE 802.11e was being standardized, the Wi-Fi Alliance defined the Wi-Fi Multimedia (WMM) standard to allow QoS-provisioning devices of different vendors to interoperate. WMM makes a WLAN capable of providing QoS services.

Terminology

- WMM: A wireless QoS protocol designed to preferentially transmit packets with high priority, thus guaranteeing better QoS for voice and video applications in a wireless network.
- Enhanced distributed channel access (EDCA): A channel contention mechanism designed by WMM to preferentially transmit packets with high priority and allocate more bandwidth to such packets.
- Access category (AC): Used for channel contention. WMM defines four access categories: the AC-VO (voice) queue, AC-VI (video) queue, AC-BE (best-effort) queue, and AC-BK (background) queue, in descending order of priority. When contending for a channel, a high-priority AC queue preempts a low-priority AC queue.
- Connection admission control (CAC): Limits the number of clients that are using high-priority AC queues (the AC-VO and AC-VI queues) to guarantee sufficient bandwidth for existing high-priority traffic.
- Unscheduled Automatic Power-Save Delivery (U-APSD): A new power-saving mechanism defined by WMM to enhance the power-saving capability of clients.
- SpectraLink voice priority (SVP): A voice priority protocol designed by SpectraLink to guarantee QoS for voice traffic.

WMM protocol

EDCA parameters

The distributed coordination function (DCF) in 802.11 stipulates that access points (APs) and clients use the carrier sense multiple access with collision avoidance (CSMA/CA) access mechanism. APs or clients listen to the channel before they hold the channel for data transmission. When the specified idle duration of the channel times out, APs or clients randomly select a backoff slot within the contention window to perform backoff. The device that finishes backoff first gets the channel. With 802.11, all devices have the same idle duration and contention window. Therefore, they are equal when contending for a channel. In WMM, this fair contention mechanism is changed. WMM assigns data packets in a basic service set (BSS) to four AC queues. By allowing a high-priority AC queue to have more channel contention opportunities than a low-priority AC queue, WMM offers different service levels to different AC queues.

WMM defines a set of EDCA parameters for each AC queue, covering the following:
- Arbitration inter-frame spacing number (AIFSN): Different from the 802.11 protocol, where the idle duration (set using DIFS) is a constant value, WMM can define an idle duration per AC queue. The idle duration increases as the AIFSN value increases (see Figure 65 for the AIFS durations).
- Exponent form of CWmin (ECWmin) and exponent form of CWmax (ECWmax): Determine the average number of backoff slots, which increases as the two values increase (see Figure 65 for the backoff slots).
- Transmission opportunity limit (TXOPLimit): Indicates the maximum time for which a user can hold a channel after a successful contention. The greater the TXOPLimit, the longer the user can hold the channel. The value 0 indicates that the user can send only one packet each time it holds the channel.

Figure 65 Per-AC channel contention parameters in WMM

CAC admission policies

CAC requires that a client obtain permission from the AP before it can use a high-priority AC queue for transmission, guaranteeing bandwidth to the clients that have gained access. CAC controls real-time traffic (AC-VO and AC-VI traffic) but not common data traffic (AC-BE and AC-BK traffic). If a client wants to use a high-priority AC queue, it must send a request to the AP. The AP returns a positive or negative response based on either of the following admission control policies:
- Channel utilization-based admission policy: The AP calculates the total time that the existing high-priority AC queues occupy the channel in one second, and then calculates the time that the requesting traffic will occupy the channel in one second. If the sum of the two values is smaller than or equal to the maximum hold time of the channel, the client can use the requested AC queue. Otherwise, the request is rejected.
- Users-based admission policy: If the number of clients using high-priority AC queues plus the number of clients requesting high-priority AC queues is smaller than or equal to the maximum number of high-priority AC queue clients, the request is accepted. Otherwise, the request is rejected. During calculation, a client is counted once even if it is using both the AC-VO and AC-VI queues.
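Both admission policies above, modelled as an added example (not HP's or Comware's code): the users-based policy with the once-per-client counting the guide specifies, and the channel-utilization policy summing per-second channel time. The millisecond unit for channel time, the client MACs and the walkthrough figures are assumptions.

```python
"""Added example, not HP's code: a model of the two CAC admission policies.
Client MACs and channel-time figures below are constructed sample values."""

HIGH_PRIORITY_ACS = {"ac-vo", "ac-vi"}   # the only queues CAC controls


class CacAdmission:
    """CAC state for one AP's high-priority AC queues.

    policy:          "users" (the guide's default, 20 users) or "channelutilization".
    max_users:       maximum number of high-priority clients (users policy).
    max_channel_ms:  assumed maximum hold time of the channel per second, in
                     milliseconds (the guide does not give the unit here).
    """

    def __init__(self, policy="users", max_users=20, max_channel_ms=1000):
        if policy not in ("users", "channelutilization"):
            raise ValueError(f"unknown CAC policy {policy!r}")
        self.policy = policy
        self.max_users = max_users
        self.max_channel_ms = max_channel_ms
        # admitted[(mac, ac)] = channel time the flow occupies per second, in ms
        self.admitted = {}

    def admitted_clients(self):
        """Clients currently admitted; one client using both AC-VO and AC-VI counts once."""
        return {mac for (mac, _ac) in self.admitted}

    def request(self, mac, ac, channel_ms=0):
        """Handle a client's request to use queue ac; returns 'accepted' or 'rejected'."""
        if ac not in HIGH_PRIORITY_ACS:
            return "accepted"            # AC-BE and AC-BK traffic bypasses CAC
        if self.policy == "users":
            clients = self.admitted_clients()
            if mac not in clients and len(clients) + 1 > self.max_users:
                return "rejected"
        else:  # channelutilization
            in_use = sum(self.admitted.values())
            if in_use + channel_ms > self.max_channel_ms:
                return "rejected"
        self.admitted[(mac, ac)] = channel_ms
        return "accepted"

    def release(self, mac, ac):
        """The flow ended; free its admission so later requests can use it."""
        self.admitted.pop((mac, ac), None)


def users_policy_walkthrough(max_users=3):
    """Users-based policy with a small limit so the rejection is visible."""
    cac = CacAdmission(policy="users", max_users=max_users)
    results = []
    for i in range(max_users):
        results.append(cac.request(f"0000-0000-{i:04x}", "ac-vo"))  # fills the limit
    # The first client also asks for AC-VI: it is already counted, so accepted.
    results.append(cac.request("0000-0000-0000", "ac-vi"))
    # A new client would be the (max_users + 1)th high-priority client: rejected.
    results.append(cac.request("0000-0000-ffff", "ac-vi"))
    # The same client's background traffic is not subject to CAC.
    results.append(cac.request("0000-0000-ffff", "ac-bk"))
    return results


def channel_policy_walkthrough():
    """Channel utilization policy: admit while the summed occupancy fits."""
    cac = CacAdmission(policy="channelutilization", max_channel_ms=500)
    results = [
        cac.request("0000-0000-0001", "ac-vo", channel_ms=200),
        cac.request("0000-0000-0002", "ac-vi", channel_ms=300),  # exactly at the limit
        cac.request("0000-0000-0003", "ac-vo", channel_ms=50),   # would exceed it
    ]
    cac.release("0000-0000-0001", "ac-vo")                        # frees 200 ms
    results.append(cac.request("0000-0000-0003", "ac-vo", channel_ms=50))
    return results
```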

U-APSD power-save mechanism

U-APSD improves the APSD power-saving mechanism. When associating clients with AC queues, you can specify some AC queues as trigger-enabled, some AC queues as delivery-enabled, and the maximum number of data packets that can be delivered after receiving a trigger packet. Both the trigger attribute and the delivery attribute can be modified when flows are established using CAC. When a client sleeps, the delivery-enabled AC queue packets destined for the client are buffered. The client must send a trigger-enabled AC queue packet to get the buffered packets. After the AP receives the trigger packet, packets in the transmit queue are sent. The number of sent packets depends on the agreement made when the client was admitted. AC queues without the delivery attribute store and transmit packets as defined in the 802.11 protocol.

SVP

SVP can assign packets with the protocol ID 119 in the IP header to a specific AC queue. SVP stipulates that random backoff is not performed for SVP packets. Therefore, you can set both ECWmin and ECWmax to 0 when there are only SVP packets in an AC queue.

ACK policy

WMM defines two ACK policies:
- No ACK: When the no acknowledgement (No ACK) policy is used, the recipient does not acknowledge received packets during wireless packet exchange. This policy is suitable for an environment where communication quality is good and interference is weak. While the No ACK policy helps improve transmission efficiency, it can cause increased packet loss when communication quality deteriorates, because a sender using this policy does not retransmit packets that the recipient has not received.
- Normal ACK: When the Normal ACK policy is used, the recipient acknowledges each received unicast packet.

Protocols and standards

- IEEE 802.11e-2005, Amendment 8: Medium Access Control (MAC) Quality of Service Enhancements, IEEE Computer Society, 2005
- Wi-Fi WMM Specification version 1.1, Wi-Fi Alliance, 2005

Configuring WMM

Configuration restrictions and guidelines

- If CAC is enabled for an AC queue, CAC is also enabled for the AC queues with higher priority. For example, if you use the wmm edca client command to enable CAC for the AC-VI queue, CAC is also enabled for the AC-VO queue. However, enabling CAC for the AC-VO queue does not enable CAC for the AC-VI queue.
- HP recommends that you use the default EDCA parameter settings for APs and clients (except the TXOPLimit parameter for devices using 802.11b radio cards) unless it is necessary to modify the default settings. When the radio card of a device is 802.11b, HP recommends that you set the TXOPLimit values of the AC-BK, AC-BE, AC-VI, and AC-VO queues to 0, 0, 188, and 102, respectively.
- The SVP packet mapping function takes effect only after you enable WMM.

Configuration procedure

To configure WMM:

2. Create a radio policy and enter radio policy view.
   Command: wlan radio-policy radio-policy-name
   Remarks: N/A
3. Enable WMM.
   Command: wmm enable
   Remarks: By default, WMM is enabled. The 802.11n protocol stipulates that all 802.11n clients support WLAN QoS. Therefore, when the radio operates in 802.11an or 802.11gn mode, you should enable WMM. Otherwise, the associated 802.11n clients may fail to communicate.
4. Set the EDCA parameters of the AC-VO or AC-VI queue for clients.
   Command: wmm edca client { ac-vo | ac-vi } { aifsn aifsn-value | ecw ecwmin ecwmin-value ecwmax ecwmax-value | txoplimit txoplimit-value | cac } *
   Remarks: By default, a client uses the default EDCA parameters shown in Table 3.
5. Set the EDCA parameters of the AC-BE or AC-BK queue for clients.
   Command: wmm edca client { ac-be | ac-bk } { aifsn aifsn-value | ecw ecwmin ecwmin-value ecwmax ecwmax-value | txoplimit txoplimit-value } *
   Remarks: By default, a client uses the default EDCA parameters shown in Table 3.
6. Set the EDCA parameters and specify the ACK policy for the radio.
   Command: wmm edca radio { ac-vo | ac-vi | ac-be | ac-bk } { aifsn aifsn-value | ecw ecwmin ecwmin-value ecwmax ecwmax-value | txoplimit txoplimit-value | noack } *
   Remarks: By default, an AP uses the default EDCA parameters shown in Table 4 and uses the Normal ACK policy.
7. Set the CAC policy.
   Command: wmm cac policy { channelutilization [ channelutilization-value ] | users [ users-number ] }
   Remarks: By default, the users-based admission policy applies, with the maximum number of users being 20.
8. Map SVP packets to a specified AC queue.
   Command: wmm svp map-ac { ac-vi | ac-vo | ac-be | ac-bk }
   Remarks: By default, the SVP packet mapping function is disabled. SVP packet mapping applies to non-WMM clients and does not take effect on WMM clients.

Table 3 Default EDCA parameters for clients

AC queue      AIFSN   ECWmin   ECWmax   TXOP Limit
AC-BK queue
AC-BE queue
AC-VI queue
AC-VO queue

Table 4 Default EDCA parameters for APs

AC queue      AIFSN   ECWmin   ECWmax   TXOP Limit
AC-BK queue
AC-BE queue
AC-VI queue
AC-VO queue

Displaying and maintaining WMM

Task: Display radio or client WMM configuration information.
  Command: display wlan wmm { radio { all | ap ap-name } | client { all | ap ap-name | mac-address mac-address } } [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display client or radio WLAN statistics.
  Command: display wlan statistics { client [ all | mac-address mac-address ] | radio [ ap-name ] } [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display WLAN radio policy information.
  Command: display wlan radio-policy [ radio-policy-name ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Clear radio WMM statistics.
  Command: reset wlan wmm radio { all | ap ap-name }
  Remarks: Available in user view.
Task: Clear client WMM statistics.
  Command: reset wlan wmm client { all | ap ap-name | mac-address mac-address }
  Remarks: Available in user view.

WMM configuration examples

The configuration examples were created on the 10500/ G unified wired-WLAN module and may vary with device models.

When configuring the 10500/ G unified wired-WLAN module, make sure the settings are correct (including VLAN settings) on the internal Ethernet interface that connects the module to the switch. For more information, see HP & G Unified Wired-WLAN Module Fundamentals Configuration Guide.

By default, the aggregate interfaces between the access controller engine and the switching engine on an 830 switch are access interfaces in VLAN 1. When configuring the two aggregate interfaces, make sure their permitted VLANs are the same. HP also recommends that you set their link types to be the same.

Basic WMM configuration example

1. Network requirements

As shown in Figure 66, the AP and the AC are in the same network. Enable WMM on the AC, so that the AP and the client can prioritize traffic.

Figure 66 Network diagram

2. Configuration procedure

<AC> system-view
# Create interface WLAN-ESS 1.
[AC] interface wlan-ess 1
[AC-WLAN-ESS1] quit
# Create a clear-type WLAN service template, configure its SSID as market, and bind WLAN-ESS 1 to the service template.
[AC] wlan service-template 1 clear
[AC-wlan-st-1] ssid market
[AC-wlan-st-1] bind wlan-ess 1
[AC-wlan-st-1] authentication-method open-system
[AC-wlan-st-1] service-template enable
# Configure a radio policy and enable WMM (optional, because WMM is enabled by default).
[AC] wlan radio-policy radiopolicy1
[AC-wlan-rp-radiopolicy1] wmm enable
[AC-wlan-rp-radiopolicy1] quit
# Create a template named ap1, configure the model name, and configure the serial ID.
[AC] wlan ap ap1 model MSM460-WW
[AC-wlan-ap-ap1] serial-id CN2AD330S8
# Bind service template 1 and radio policy radiopolicy1 to interface Radio 1.
[AC-wlan-ap-ap1] radio 1 type dot11an
[AC-wlan-ap-ap1-radio-1] radio-policy radiopolicy1
[AC-wlan-ap-ap1-radio-1] service-template 1
[AC-wlan-ap-ap1-radio-1] radio enable

After WMM is enabled, you can use the display wlan wmm radio command to view WMM-related information.

CAC service configuration example

1. Network requirements

As shown in Figure 67, the AP and the AC are in the same network. Configure CAC for the high-priority queues (AC-VO and AC-VI queues) on the AC, and use a users-based admission policy to allow the AP to accommodate up to ten clients in the AC-VO and AC-VI queues. In this way, clients in the AC-VO and AC-VI queues are guaranteed enough bandwidth.

Figure 67 Network diagram

2. Configuration procedure

<AC> system-view
# Create interface WLAN-ESS 1.
[AC] interface WLAN-ESS 1
[AC-WLAN-ESS1] quit
# Create a clear-type WLAN service template, configure its SSID as market, and bind WLAN-ESS 1 to the service template.
[AC] wlan service-template 1 clear
[AC-wlan-st-1] ssid market
[AC-wlan-st-1] bind WLAN-ESS 1
[AC-wlan-st-1] authentication-method open-system
[AC-wlan-st-1] service-template enable
# Create a radio policy named radiopolicy1, enable WMM for the radio policy, enable CAC for AC-VO and AC-VI, and configure the policy to limit the number of users to 10.
[AC] wlan radio-policy radiopolicy1
[AC-wlan-rp-radiopolicy1] wmm enable
[AC-wlan-rp-radiopolicy1] wmm edca client ac-vo cac
[AC-wlan-rp-radiopolicy1] wmm edca client ac-vi cac
[AC-wlan-rp-radiopolicy1] wmm cac policy users 10
[AC-wlan-rp-radiopolicy1] quit
# Create a template named ap1, configure the model name, and configure the serial ID.
[AC] wlan ap ap1 model MSM460-WW
[AC-wlan-ap-ap1] serial-id CN2AD330S8
# Bind service template 1 and radio policy radiopolicy1 to interface Radio 1.
[AC-wlan-ap-ap1] radio 1 type dot11an
[AC-wlan-ap-ap1-radio-1] radio-policy radiopolicy1
[AC-wlan-ap-ap1-radio-1] service-template 1
[AC-wlan-ap-ap1-radio-1] radio enable

If a client wants to use a high-priority AC queue (AC-VO or AC-VI), it must send a request to the AP. If the number of clients using high-priority AC queues (AC-VO or AC-VI) plus the number of clients requesting high-priority AC queues on the AP is smaller than or equal to the maximum number of high-priority AC clients (10 in this example), the request is accepted. If the number of clients exceeds the maximum number of high-priority AC clients, the system decreases the priority of the packets from the excess clients.

SVP service configuration example

1. Network requirements

As shown in Figure 68, the AP and the AC are in the same network. Configure an SVP service so that SVP packets are assigned to the AC-VO queue on the AP. To guarantee the highest priority for the AC-VO queue, set ECWmin and ECWmax to 0 for the AC-VO queue of the AP.

Figure 68 Network diagram

2. Configuration procedure

<AC> system-view
# Create interface WLAN-ESS 1.
[AC] interface WLAN-ESS 1
[AC-WLAN-ESS1] quit
# Configure a clear-type WLAN service template, configure its SSID as market, and bind WLAN-ESS 1 to the service template.
[AC] wlan service-template 1 clear
[AC-wlan-st-1] ssid market
[AC-wlan-st-1] bind WLAN-ESS 1
[AC-wlan-st-1] authentication-method open-system
[AC-wlan-st-1] service-template enable
# Configure radio policy radiopolicy1 and enable WMM for the radio policy.
[AC] wlan radio-policy radiopolicy1
[AC-wlan-rp-radiopolicy1] wmm enable
# Assign SVP packets to the AC-VO queue.
[AC-wlan-rp-radiopolicy1] wmm svp map-ac ac-vo
# Create a template named ap1, configure the model name, and configure the serial ID.
[AC] wlan ap ap1 model MSM460-WW
[AC-wlan-ap-ap1] serial-id CN2AD330S8
# Bind service template 1 and radio policy radiopolicy1 to interface Radio 1.
[AC-wlan-ap-ap1] radio 1 type dot11an
[AC-wlan-ap-ap1-radio-1] channel 149
[AC-wlan-ap-ap1-radio-1] radio-policy radiopolicy1
[AC-wlan-ap-ap1-radio-1] service-template 1
[AC-wlan-ap-ap1-radio-1] radio enable

If a non-WMM client goes online and sends SVP packets to the AC, the SVP packets are assigned to the AC-VO queue.

Traffic differentiation test configuration example

1. Network requirements

As shown in Figure 69, AP and AC are in the same network. Configure the AC to map IP precedence 7 to local precedence 7, allowing such packets to occupy more bandwidth when they are transmitted on the wireless network.

Figure 69 Network diagram

2. Configuration procedure

# Create a class named wmm and configure the class to match packets with an IP precedence value of 7.
<AC> system-view
[AC] traffic classifier wmm
[AC-classifier-wmm] if-match ip-precedence 7
[AC-classifier-wmm] quit
# Create a behavior named wmm and configure the behavior to mark packets with a local precedence value of 7.
[AC] traffic behavior wmm
[AC-behavior-wmm] remark local-precedence 7
[AC-behavior-wmm] quit
# Create a policy named wmm and associate class wmm with behavior wmm in the policy.
[AC] qos policy wmm
[AC-qospolicy-wmm] classifier wmm behavior wmm
[AC-qospolicy-wmm] quit
# Apply QoS policy wmm to the incoming traffic of interface GigabitEthernet 1/0/1.
[AC] interface GigabitEthernet 1/0/1
[AC-GigabitEthernet1/0/1] qos apply policy wmm inbound
[AC-GigabitEthernet1/0/1] quit
# Create interface WLAN-ESS 1.
[AC] interface WLAN-ESS 1
[AC-WLAN-ESS1] quit
# Enter the specified priority mapping table view (optional, because the mapping table exists by default).
[AC] qos map-table lp-dot11e
# Create a clear-type WLAN service template, configure its SSID as market, and bind WLAN-ESS 1 to the service template.
[AC] wlan service-template 1 clear
[AC-wlan-st-1] ssid market
[AC-wlan-st-1] bind WLAN-ESS 1
[AC-wlan-st-1] authentication-method open-system
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
# Configure a radio policy named radiopolicy1. Then, enable WMM for the policy (optional, because WMM is enabled by default).
[AC] wlan radio-policy radiopolicy1
[AC-wlan-rp-radiopolicy1] wmm enable
[AC-wlan-rp-radiopolicy1] quit
# Create a template named ap1, configure the model name, and configure the serial ID.
[AC] wlan ap ap1 model MSM460-WW
[AC-wlan-ap-ap1] serial-id CN2AD330S8
# Bind service template 1 and radio policy radiopolicy1 to interface Radio 1.
[AC-wlan-ap-ap1] radio 1 type dot11an
[AC-wlan-ap-ap1-radio-1] channel 149
[AC-wlan-ap-ap1-radio-1] radio-policy radiopolicy1

[AC-wlan-ap-ap1-radio-1] service-template 1
[AC-wlan-ap-ap1-radio-1] radio enable

After the configuration, the AC maps IP precedence 7 to local precedence 7.

Troubleshooting

EDCA parameter configuration failure

Symptom
Configuring EDCA parameters for an AP failed.

Analysis
The EDCA parameter configuration of an AP is restricted by the radio chip of the AP.

Solution
1. Use the display wlan wmm radio ap ap-name command to view the support of the radio chip for the EDCA parameters. Make sure the configured EDCA parameters are supported by the radio chip.
2. Check that the values configured for the EDCA parameters are valid.

SVP or CAC configuration failure

Symptom
The SVP packet priority mapping function configured with the wmm svp map-ac command does not take effect. CAC configured with the wmm edca client command does not take effect.

Analysis
The SVP packet priority mapping function or CAC takes effect only after WMM is enabled.

Solution
1. Use the wmm enable command to enable the WMM function.
2. Check the state of the SVP priority mapping function or CAC again.
3. The SVP packet priority mapping function takes effect only on non-WMM clients. Check whether the client is a non-WMM client.

Configuring bandwidth guaranteeing

When traffic is heavy, a BSS without any rate limitation may aggressively occupy the bandwidth available to other BSSs. If you limit the rate of the BSS, however, it cannot use the idle bandwidth of other BSSs. To improve bandwidth use efficiency while ensuring bandwidth use fairness among WLAN services, use the bandwidth guaranteeing function.

Bandwidth guaranteeing makes sure all traffic from each BSS can pass through freely when the network is not congested, and each BSS can get its guaranteed bandwidth when the network is congested. For example, suppose you guarantee SSID1, SSID2, and SSID3 25%, 25%, and 50% of the bandwidth. When the network is not congested, SSID1 can use all idle bandwidth in addition to its guaranteed bandwidth. When the network is congested, SSID1 can use at least its guaranteed bandwidth, 25% of the bandwidth.

This feature only applies to the traffic from AP to client.

Configuration procedure

Before configuring bandwidth guaranteeing, you can use the dot11a/dot11b/dot11g/dot11n max-bandwidth command to specify the maximum bandwidth value for each radio. For more information, see "Configuring WLAN RRM."

To configure bandwidth guaranteeing:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter AP template view.
   Command: wlan ap ap-name [ model model-name [ id ap-id ] ]
   Remarks: N/A
3. Enter radio view.
   Command: radio radio-id
   Remarks: N/A
4. Enable bandwidth guaranteeing.
   Command: bandwidth-guarantee enable
   Remarks: By default, bandwidth guaranteeing is disabled.
5. Configure a guaranteed bandwidth percent for the specified service template.
   Command: bandwidth-guarantee service-template service-template-number percent percent
   Remarks: The service template must have been bound to the radio. For the service templates bound to the same radio, the sum of guaranteed bandwidth percents cannot exceed 100%.

Displaying and maintaining bandwidth guaranteeing

Task: Display bandwidth guaranteeing configuration.
Command: display wlan bandwidth-guarantee [ ap ap-name radio radio-id ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Bandwidth guaranteeing configuration example

The configuration example was created on the 10500/ G unified wired-WLAN module and may vary with device models.

When configuring the 10500/ G unified wired-WLAN module, make sure the settings are correct (including VLAN settings) on the internal Ethernet interface that connects the module to the switch. For more information, see HP & G Unified Wired-WLAN Module Fundamentals Configuration Guide.

By default, the aggregate interfaces between the access controller engine and the switching engine on an 830 switch are Access interfaces in VLAN 1. When configuring the two aggregate interfaces, make sure their permitted VLANs are the same. HP also recommends that you set their link type to be the same.

Network requirements

In an enterprise, three clients access the wireless network through WLAN services research, office, and entertain, respectively.

To make sure the enterprise network works normally, guarantee 20% of the bandwidth for WLAN service office, 80% for research, and none for entertain within the same AP.

Figure 70 Network diagram

Configuration procedure

# Set the maximum bandwidth to kbps for the 802.11a radio.
<AC> system-view
[AC] wlan rrm
[AC-wlan-rrm] dot11a max-bandwidth
[AC-wlan-rrm] quit
# Create the WLAN-ESS interfaces.
[AC] interface wlan-ess 1
[AC-WLAN-BSS1] port-security port-mode psk
[AC-WLAN-BSS1] port-security tx-key-type 11key
[AC-WLAN-BSS1] port-security preshared-key pass-phrase simple
[AC-WLAN-ESS1] quit
[AC] interface wlan-ess 2
[AC-WLAN-BSS2] port-security port-mode psk
[AC-WLAN-BSS2] port-security tx-key-type 11key
[AC-WLAN-BSS2] port-security preshared-key pass-phrase simple abcdefgh
[AC-WLAN-ESS2] quit
[AC] interface wlan-ess 3
[AC-WLAN-ESS3] quit
# Create service template 1 of the crypto type, and set the SSID as research for service template 1.
[AC] wlan service-template 1 crypto
[AC-wlan-st-1] ssid research
[AC-wlan-st-1] bind wlan-ess 1
[AC-wlan-st-1] authentication-method open-system
[AC-wlan-st-1] cipher-suite ccmp
[AC-wlan-st-1] security-ie rsn
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
# Create service template 2 of the crypto type, and set the SSID as office for service template 2.
[AC] wlan service-template 2 crypto
[AC-wlan-st-2] ssid office
[AC-wlan-st-2] bind wlan-ess 2

[AC-wlan-st-2] authentication-method open-system
[AC-wlan-st-2] cipher-suite ccmp
[AC-wlan-st-2] security-ie rsn
[AC-wlan-st-2] service-template enable
[AC-wlan-st-2] quit
# Create service template 3 of the clear type, and set the SSID as entertain for service template 3.
[AC] wlan service-template 3 clear
[AC-wlan-st-3] ssid entertain
[AC-wlan-st-3] bind wlan-ess 3
[AC-wlan-st-3] service-template enable
[AC-wlan-st-3] quit
# Apply the service templates to radio 1.
[AC] wlan ap ap1 model MSM460-WW
[AC-wlan-ap-ap1] radio 1 type dot11an
[AC-wlan-ap-ap1-radio-1] service-template 1
[AC-wlan-ap-ap1-radio-1] service-template 2
[AC-wlan-ap-ap1-radio-1] service-template 3
[AC-wlan-ap-ap1-radio-1] radio enable
# Enable bandwidth guaranteeing.
[AC-wlan-ap-ap1-radio-1] bandwidth-guarantee enable
# Set the guaranteed bandwidth percent to 80% for service template 1 and 20% for service template 2.
[AC-wlan-ap-ap1-radio-1] bandwidth-guarantee service-template 1 percent 80
[AC-wlan-ap-ap1-radio-1] bandwidth-guarantee service-template 2 percent 20
[AC-wlan-ap-ap1-radio-1] return

Verifying the configuration

# Use the display wlan bandwidth-guarantee command to display the bandwidth guaranteeing configuration.
<AC> display wlan bandwidth-guarantee
Bandwidth Guarantee
ST: service template
AP Radio Mode ST Percent
ap an 1 80%
ap an 2 20%

1. When the total traffic rate from the AP to all clients is lower than kbps, the rate of traffic from the AP to any client is not limited.
2. Suppose the rate of traffic from the AP to Client 1 exceeds 2000 kbps, the rate of traffic from the AP to Client 2 exceeds 8000 kbps, and the rate of traffic from the AP to all clients exceeds kbps. In this case, because WLAN services research and office are configured with bandwidth guaranteeing, the AP preferentially forwards traffic to Client 1 and Client 2. As a result, the AP sends traffic to Client 1 at a rate of 2000 kbps and to Client 2 at a rate of 8000 kbps, and the rate of traffic from the AP to Client 3 is limited.
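The allocation rule the example describes (no limits below the radio's maximum bandwidth, guaranteed shares under congestion, idle capacity reusable by whoever still has demand) as an added Python model; this is not HP code and does not claim to match the AP's scheduler. The 10000 kbps radio maximum, the equal-share water-filling of surplus, and the demand figures are assumptions; the 80/20/0 percents come from the example above.

```python
"""Bandwidth guaranteeing allocation model for one radio (added example, not HP code)."""


def allocate(max_kbps: float, guarantee_pct: dict, demand_kbps: dict) -> dict:
    """Return the per-service-template downlink rate (kbps) for the offered demand.

    guarantee_pct maps service template number -> guaranteed percent (absent or 0
    for an unguaranteed SSID such as entertain); demand_kbps maps service template
    number -> offered AP-to-client traffic in kbps.
    """
    # The switch rejects this at configuration time (sum > 100% on one radio).
    if sum(guarantee_pct.values()) > 100:
        raise ValueError("guaranteed percents on one radio cannot exceed 100%")
    # Not congested: every service sends freely, nothing is limited.
    if sum(demand_kbps.values()) <= max_kbps:
        return dict(demand_kbps)
    # Congested: each service first receives min(demand, its guaranteed share).
    alloc = {st: min(dem, max_kbps * guarantee_pct.get(st, 0) / 100)
             for st, dem in demand_kbps.items()}
    remaining = max_kbps - sum(alloc.values())
    # Guaranteed-but-unused capacity is water-filled over services whose demand
    # is still unmet (assumption: equal shares), so idle bandwidth is not wasted.
    while remaining > 1e-6:
        unmet = [st for st in alloc if demand_kbps[st] > alloc[st]]
        if not unmet:
            break
        share = remaining / len(unmet)
        for st in unmet:
            extra = min(share, demand_kbps[st] - alloc[st])
            alloc[st] += extra
            remaining -= extra
    return alloc


# Constructed scenario mirroring the example: research (ST 1) 80%, office (ST 2)
# 20%, entertain (ST 3) unguaranteed, on a radio assumed to carry 10000 kbps.
GUARANTEES = {1: 80, 2: 20, 3: 0}
MAX_KBPS = 10000


def example_congested() -> dict:
    """All three SSIDs offer more than the radio can carry."""
    return allocate(MAX_KBPS, GUARANTEES, {1: 9000, 2: 3000, 3: 5000})


def example_idle_reuse() -> dict:
    """research and office are quiet, so entertain may use their idle share."""
    return allocate(MAX_KBPS, GUARANTEES, {1: 2000, 2: 1000, 3: 9000})


if __name__ == "__main__":
    print("congested :", example_congested())    # {1: 8000, 2: 2000, 3: 0}
    print("idle reuse:", example_idle_reuse())   # {1: 2000, 2: 1000, 3: 7000}
```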

Configuring client rate limiting

The WLAN provides limited bandwidth for each AP. Because the bandwidth is shared by the wireless clients attached to the AP, aggressive use of bandwidth by one client affects the other clients. To ensure fair use of bandwidth, rate limit client traffic in either of the following ways:

Configure the total bandwidth shared by all clients. This is called "dynamic mode." The rate limit of a client is the configured total rate divided by the number of online clients. For example, if the configured total rate is 10 Mbps and five clients are online, the rate limit of each client is 2 Mbps.

Configure the maximum bandwidth that can be used by each client. This is called "static mode." For example, if the configured rate is 1 Mbps, the rate limit of each online client is 1 Mbps. When the configured rate limit multiplied by the number of access clients exceeds the bandwidth available from the AP, no client can get the guaranteed bandwidth.

Configuration procedure

You can configure WLAN service-based client rate limiting, so that the AC limits client rates for a WLAN service.

To configure WLAN service-based client rate limiting:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter service template view.
   Command: wlan service-template service-template-number { clear | crypto }
   Remarks: N/A
3. Configure WLAN service-based client rate limiting.
   Command: client-rate-limit direction { inbound | outbound } mode { dynamic | static } cir cir
   Remarks: By default, WLAN service-based client rate limiting is disabled.

You can configure radio-based client rate limiting, so that the AC limits client rates for the same radio.

To configure radio-based client rate limiting:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter AP template view.
   Command: wlan ap ap-name [ model model-name [ id ap-id ] ]
   Remarks: N/A
3. Enter radio view.
   Command: radio radio-number [ type { dot11a | dot11an | dot11b | dot11g | dot11gn } ]
   Remarks: N/A
4. Configure radio-based client rate limiting.
   Command: client-rate-limit direction { inbound | outbound } mode { dynamic | static } cir cir
   Remarks: By default, radio-based client rate limiting is disabled.

Displaying and maintaining client rate limiting

Task: Display client rate limiting information.
Command: display wlan client-rate-limit { service-template [ service-template-number ] | ap [ ap-name radio radio-id ] } [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Client rate limiting configuration example

The configuration example was created on the 10500/ G unified wired-WLAN module and may vary with device models.

When configuring the 10500/ G unified wired-WLAN module, make sure the settings are correct (including VLAN settings) on the internal Ethernet interface that connects the module to the switch. For more information, see HP & G Unified Wired-WLAN Module Fundamentals Configuration Guide.

By default, the aggregate interfaces between the access controller engine and the switching engine on an 830 switch are Access interfaces in VLAN 1. When configuring the two aggregate interfaces, make sure their permitted VLANs are the same. HP also recommends that you set their link type to be the same.

Network requirements

AC is connected to Switch, and is in the same network as the AP. Configure client rate limiting on AC, so that AP limits the incoming traffic in static mode and limits the outgoing traffic in dynamic mode for the clients.

Figure 71 Network diagram

Configuration procedure

# Enable the WLAN service. (Optional, because the WLAN service is enabled by default.)
<AC> system-view
[AC] wlan enable
# Create a WLAN-ESS interface.
[AC] interface wlan-ess 1
[AC-WLAN-ESS1] quit
# Create a WLAN service template of the clear type, configure its SSID as service, and bind interface WLAN-ESS 1 to the service template.
[AC] wlan service-template 1 clear

[AC-wlan-st-1] ssid service
[AC-wlan-st-1] bind wlan-ess 1
[AC-wlan-st-1] authentication-method open-system
# Configure WLAN service-based client rate limiting on AC to limit the rate of traffic from clients to AP (incoming traffic) to 8000 kbps in static mode and the rate of traffic from AP to clients (outgoing traffic) to 8000 kbps in dynamic mode.
[AC-wlan-st-1] client-rate-limit direction inbound mode static cir 8000
[AC-wlan-st-1] client-rate-limit direction outbound mode dynamic cir 8000
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
# Create a template named ap1, configure the model name, and configure the serial ID.
[AC] wlan ap ap1 model MSM460-WW
[AC-wlan-ap-ap1] serial-id CN2AD330S8
# Configure an 802.11an radio.
[AC-wlan-ap-ap1] radio 1 type dot11an
# Bind service template 1 to radio 1.
[AC-wlan-ap-ap1-radio-1] service-template 1
[AC-wlan-ap-ap1-radio-1] radio enable
[AC-wlan-ap-ap1-radio-1] return

Verifying the configuration

# Use the display wlan client-rate-limit service-template command to display the client rate limiting configuration.
<AC> display wlan client-rate-limit service-template
Client Rate Limit
Service Template Direction Mode CIR(kbps)
Inbound Static
Outbound Dynamic

1. When only Client 1 accesses the WLAN through SSID service, the available bandwidth is limited to around 8000 kbps.
2. When both Client 1 and Client 2 access the WLAN through SSID service, the bandwidth available for the traffic from either Client 1 or Client 2 to the AP is limited to around 8000 kbps, and the bandwidth available for the traffic from the AP to either Client 1 or Client 2 is limited to around 4000 kbps.

Configuring WLAN mesh link

Overview

A WLAN mesh network allows for wireless connections between APs, making the WLAN more mobile and flexible. A WLAN mesh network is no different from a traditional WLAN from the perspective of end users.

Basic concepts

The concepts involved in WLAN mesh are described below.

Access controller (AC): Device that controls and manages all the APs in the WLAN.

Mesh point (MP): An IEEE 802.11 entity that contains an IEEE 802.11 conformant medium access control (MAC) and physical layer (PHY) interface to the wireless medium (WM) that supports mesh services.

Mesh access point (MAP): Mesh point AP providing the mesh service and the access service concurrently.

Mesh portal point (MPP): Mesh point AP that connects to an AC through a wired connection.

Mesh link: Wireless link between MAPs and the MPP.

WLAN mesh advantages

The WLAN mesh technology allows operators to easily deploy wireless networks anywhere and anytime. WLAN mesh has the following advantages:

High performance/price ratio
In a mesh network, only the MPPs need to connect to a wired network. In this way, the dependency on the wired network is reduced to the minimum extent, and the investment in wired devices, cabling, and installation is greatly reduced.

Excellent scalability
In a mesh network, the APs can discover each other automatically and initiate wireless link setup. To add new APs to the mesh network, you just need to install these new APs and perform the related configurations on them.

Fast deployment
Only the MPPs need to connect to a wired network, so WLAN mesh greatly reduces the network deployment time.

Various application scenarios
The mesh network is applicable to enterprise, office, and campus networks, which are common application scenarios of traditional WLANs, and also applicable to large-sized warehouse, port, MAN, railway transportation, and crisis communication networks.

High reliability
In a traditional WLAN, when the wired upstream link of an AP fails, all clients associated with the AP cannot access the WLAN. Comparatively, in a mesh network, all APs are fully meshed. There are multiple available wireless links for a mesh AP to reach a portal node in the wired network. This enables you to avoid single point failure effectively.

Deployment scenarios

One-hop mesh link backhaul deployment

As shown in Figure 72, the MAP is a dual-radio AP, with one radio for WLAN access and the other for mesh link backhaul. You can configure the MAC address of the MPP connected to the MAP to establish a mesh link between them.

Figure 72 One-hop mesh link backhaul

HP supports up to 6 MAPs on a single MPP as shown in Figure 73.

Figure 73 MAP to MPP configuration

Two-hop mesh link backhaul deployment

As shown in Figure 74 and Figure 75, the MAP and the MP are both dual-radio APs. One radio of the MAP is for WLAN access and the other for mesh link backhaul, and both MP radios are for mesh link backhaul. You can configure peer MAC addresses to establish a mesh link between the MAP and the MPP to expand the wireless coverage.

Figure 74 Two-hop mesh backhaul deployment (1)

Figure 75 Two-hop mesh backhaul deployment (2)

WLAN mesh security

A WLAN network uses air as the communication medium, so it is vulnerable to malicious attacks. In a mesh network, a wireless connection passes through an extra hop, so a mesh network is even more vulnerable to malicious attacks. Therefore, WLAN mesh network security is an essential part of WLAN mesh networks. Security involves encryption algorithms and the distribution and management of keys. Currently, the PSK + CCMP combination is used for securing mesh networks.

Protocols and standards

Draft P802.11s_D1.06
ANSI/IEEE Std 802.11, 1999 Edition
IEEE Std 802.11a
IEEE Std 802.11b
IEEE Std 802.11g

IEEE Std 802.11i
IEEE Std 802.11s
IEEE Std 802.11

WLAN mesh configuration task list

Configuring an MKD ID
Configuring mesh port security
Configuring a mesh profile
Configuring mesh portal service
Configuring an MP policy
Mapping a mesh profile to the radio of an MP
Mapping an MP policy to the radio of an MP
Specifying a mesh working channel
Specifying a peer on the radio

Configuring an MKD ID

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Configure a mesh key distributor (MKD) ID.
   Command: wlan mkd-id mkd-id
   Remarks: By default, the MKD ID is 000F-E

Configuring mesh port security

For more information about the port-security tx-key-type 11key, port-security preshared-key, and port-security port-mode commands, see Security Command Reference.

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter WLAN mesh interface view.
   Command: interface wlan-mesh interface-number
   Remarks: N/A
3. Enable 11key negotiation.
   Command: port-security tx-key-type 11key
   Remarks: By default, 11key negotiation is disabled.
4. Configure a PSK.
   Command: port-security preshared-key { pass-phrase | raw-key } key
   Remarks: By default, no PSK is configured.

5. Configure the port to operate in PSK mode.
   Command: port-security port-mode psk
   Remarks: By default, the port operates in noRestrictions mode.

Configuring a mesh profile

A mesh profile is created and mapped to an MP so that it can provide mesh services to other MPs that have the same mesh profile mapped.

To configure a mesh profile:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create a mesh profile and enter mesh profile view.
   Command: wlan mesh-profile mesh-profile-number
   Remarks: N/A
3. Configure the mesh ID.
   Command: mesh-id mesh-id-name
   Remarks: By default, no mesh ID is set for the mesh profile.
4. Bind a WLAN mesh interface.
   Command: bind wlan-mesh interface-index
   Remarks: By default, no interface is bound to the mesh profile.
5. Configure the mesh link keep-alive interval.
   Command: link-keep-alive keep-alive-interval
   Remarks: By default, the mesh link keep-alive interval is 2 seconds.
6. Configure the backhaul radio rate.
   Command: link-backhaul-rate rate-value
   Remarks: The default backhaul radio rate is 18 Mbps.
7. Enable the mesh profile.
   Command: mesh-profile enable
   Remarks: By default, the mesh profile is disabled.
8. Return to system view.
   Command: quit
   Remarks: N/A
9. Enable the mesh key distributor (MKD) service for the mesh profile.
   Command: mkd-service enable mesh-profile mesh-profile-number
   Remarks: By default, the MKD service is disabled for all mesh profiles.

Configuring mesh portal service

Mesh portal service must be enabled for an MP to operate as a mesh portal point (MPP). Enable mesh portal service only for MPPs (APs connected to the AC through a wired connection).

To configure mesh portal service:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create an AP template and enter AP template view.
   Command: wlan ap ap-name [ model model-name [ id ap-id ] ]
   Remarks: The model number needs to be specified only during new AP template creation.

3. Enable the portal service.
   Command: portal-service enable
   Remarks: By default, the portal service is disabled.

Configuring an MP policy

Link formation and maintenance are driven by the attributes specified in the MP policy.

To configure an MP policy:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create an MP policy and enter MP policy view.
   Command: wlan mp-policy policy-name
   Remarks: By default, the radio adopts the default MP policy default_mp_plcy, which cannot be deleted or modified.
3. Enable link initiation.
   Command: link-initiation enable
   Remarks: By default, link initiation is enabled.
4. Configure the maximum number of links.
   Command: link-maximum-number max-link-number
   Remarks: By default, the maximum number is 2.
5. Configure the link formation/link hold RSSI.
   Command: link-hold-rssi value
   Remarks: The default is 15 dBm.
6. Configure the link hold time.
   Command: link-hold-time value
   Remarks: The default is 4000 milliseconds.
7. Configure the link switch margin.
   Command: link-switch-margin value
   Remarks: The default is 10 dBm.
8. Configure the link saturation RSSI.
   Command: link-saturation-rssi value
   Remarks: The default is 150 dBm.
9. Configure the probe request interval.
   Command: probe-request-interval interval-value
   Remarks: By default, the probe request interval is 1000 ms.
10. Enable the device to act as an authenticator based on negotiation results.
   Command: role-authenticator enable
   Remarks: By default, whether a device acts as an authenticator is based on negotiation results.
11. Configure the link rate mode.
   Command: link rate-mode { fixed | real-time }
   Remarks: The default link rate mode is fixed.

Mapping a mesh profile to the radio of an MP

For an MP to advertise mesh capabilities, a mesh profile must be mapped to the radio of the MP.

To map a mesh profile to a radio:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter AP template view.
   Command: wlan ap ap-name [ model model-name [ id ap-id ] ]
   Remarks: The model number needs to be specified only during new AP template creation.
3. Enter radio view.
   Command: radio radio-number [ type { dot11a | dot11an | dot11b | dot11g | dot11gn } ]
   Remarks: The default value depends on the AP model.
4. Map the mesh profile to the radio.
   Command: mesh-profile mesh-profile-number
   Remarks: By default, no mesh profile is mapped to the radio.

Mapping an MP policy to the radio of an MP

An MP policy must be mapped to a radio so that link formation and maintenance on the radio can be driven by the attributes specified in the MP policy.

To map an MP policy to the radio of an MP:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter AP template view.
   Command: wlan ap ap-name [ model model-name [ id ap-id ] ]
   Remarks: The model number needs to be specified only during new AP template creation.
3. Enter radio view.
   Command: radio radio-number [ type { dot11a | dot11an | dot11b | dot11g | dot11gn } ]
   Remarks: The default value depends on the AP model.
4. Map the MP policy to the radio.
   Command: mp-policy policy-name
   Remarks: By default, the radio uses the default MP policy default_mp_plcy.

Specifying a mesh working channel

Use one of the following methods to specify a mesh working channel:

Use the channel channel-number command to manually specify a mesh working channel. The APs on the two ends of a mesh link must operate on the same channel.

Use the channel auto command to enable APs to automatically negotiate a working channel when they establish a mesh link.

No matter which method is used, as soon as an AP detects radar signals on its working channel, the AP and any other AP with which it has established a mesh link switch to another available working channel. In some countries, most available channels on the 802.11a band are radar channels, so HP recommends that you use the auto mode to establish mesh links on the 802.11a band.
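A radio with no mesh peer-mac-address setting (see the next section) accepts any neighbor that advertises the same mesh profile, so an operator should confirm that the links actually formed match the intended topology. The added Python script below, which is not HP code, parses the layout of the display wlan mesh-link ap all output shown in the configuration examples and reports unexpected peers, missing peers, and links that are not Forwarding; the sample output and all MAC addresses in it are constructed.

```python
"""Check 'display wlan mesh-link ap all' output against the intended mesh peers.

Added example, not HP code. The parser follows the output layout shown in the
guide's mesh configuration examples; SAMPLE is constructed for this example.
"""
import re

MAC = r"[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}"
# Peer MAC, local MAC, status word, RSSI, Rx/Tx packet counters.
ROW = re.compile(rf"^\s*({MAC})\s+({MAC})\s+(\w+)\s+(-?\d+)\s+(\d+)/(\d+)\s*$")

SAMPLE = """\
Mesh Link Information
AP Name: mpp
Peer             Local            Status      RSSI  Packets(Rx/Tx)
c8cb-b8f4-d580   c8cb-b8f4-d100   Forwarding  38    12345/14234
AP Name: mp
Peer             Local            Status      RSSI  Packets(Rx/Tx)
c8cb-b8f4-d100   c8cb-b8f4-d580   Forwarding  38    14234/12345
c8cb-b8f4-d200   c8cb-b8f4-d580   Forwarding  41    9876/10111
c8cb-b8f4-0bad   c8cb-b8f4-d580   Linking     22    10/12
"""


def parse_mesh_links(text: str) -> dict:
    """Map AP name -> list of link dicts (peer, local, status, rssi, rx, tx)."""
    links, ap = {}, None
    for line in text.splitlines():
        if line.startswith("AP Name:"):
            ap = line.split(":", 1)[1].strip()
            links[ap] = []
            continue
        m = ROW.match(line)
        if m and ap is not None:
            peer, local, status, rssi, rx, tx = m.groups()
            links[ap].append({"peer": peer, "local": local, "status": status,
                              "rssi": int(rssi), "rx": int(rx), "tx": int(tx)})
    return links


def check_links(links: dict, expected: dict) -> list:
    """Compare parsed links with expected {ap_name: {peer MACs}}; return findings."""
    findings = []
    for ap, peers in expected.items():
        seen = {link["peer"]: link for link in links.get(ap, [])}
        seen_peers = set(seen)
        for peer in sorted(peers - seen_peers):
            findings.append(f"{ap}: expected peer {peer} has no mesh link")
        for peer in sorted(seen_peers - peers):     # neighbor that was never configured
            findings.append(f"{ap}: unexpected peer {peer} ({seen[peer]['status']})")
        for peer in sorted(peers & seen_peers):
            if seen[peer]["status"] != "Forwarding":
                findings.append(f"{ap}: link to {peer} is {seen[peer]['status']}")
    for ap in sorted(set(links) - set(expected)):
        findings.append(f"{ap}: AP not in expected topology")
    return findings


# Intended two-hop topology (constructed): MPP <-> MP <-> MAP, keyed by radio MAC.
EXPECTED = {"mpp": {"c8cb-b8f4-d580"},
            "mp": {"c8cb-b8f4-d100", "c8cb-b8f4-d200"}}

if __name__ == "__main__":
    for finding in check_links(parse_mesh_links(SAMPLE), EXPECTED):
        print(finding)   # mp: unexpected peer c8cb-b8f4-0bad (Linking)
```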

Specifying a peer on the radio

Specify the MAC addresses of allowed peers on the local radio interface.

To specify a peer MAC address on a radio:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter AP template view.
   Command: wlan ap ap-name [ model model-name [ id ap-id ] ]
   Remarks: The model number needs to be specified only during new AP template creation.
3. Enter radio view.
   Command: radio radio-number [ type { dot11a | dot11an | dot11b | dot11g | dot11gn } ]
   Remarks: The default value depends on the AP model.
4. Specify a permitted peer and specify the cost of the mesh link to the peer.
   Command: mesh peer-mac-address mac-address [ cost cost ]
   Remarks: By default, the radio has no peer MAC address configured, all neighbors are permitted, and the link cost for the mesh link is automatically computed.

Displaying and maintaining WLAN mesh link

Task: Display mesh link information.
Command: display wlan mesh-link ap { all | name ap-name [ verbose ] } [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Display mesh profile information.
Command: display wlan mesh-profile { mesh-profile-number | all } [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Display MP policy information.
Command: display wlan mp-policy { mp-policy-name | all } [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Perform a mesh link test on the specified AP and display the test results.
Command: wlan mesh-link-test ap-name
Remarks: Available in user view.

WLAN mesh configuration example

The configuration example was created on the 10500/ G unified wired-WLAN module and may vary with device models.

When configuring the 10500/ G unified wired-WLAN module, make sure the settings are correct (including VLAN settings) on the internal Ethernet interface that connects the module to the switch. For more information, see HP & G Unified Wired-WLAN Module Fundamentals Configuration Guide.

By default, the aggregate interfaces between the access controller engine and the switching engine on an 830 switch are Access interfaces in VLAN 1. When configuring the two aggregate interfaces, make sure their permitted VLANs are the same. HP also recommends setting their link type to be the same.

For an AP whose model suffix is AM or WW, you must configure the AP provision function to enable the AP to get a country code from an AC and use this country code to scan the mesh network and establish a mesh link. After the AP is associated with an AC, it uses the country code applied by the AC. For more information about the AP provision function, see "Configuring AP provision." For more information about the initial-country-code command, see WLAN Command Reference.

One-hop mesh link configuration example

Network requirements

As shown in Figure 76, establish a mesh link between the MAP and the MPP, and configure 802.11gn on the MAP so the client can access the network.

Figure 76 Network diagram

Configuration procedure

1. Configure Mesh:

# Enable port security.
<AC> system-view
[AC] port-security enable
# Create WLAN mesh interface 1. Enable 11key negotiation, set a PSK, and set the port security mode to PSK mode for the interface.
[AC] interface wlan-mesh 1
[AC-wlan-mesh1] port-security tx-key-type 11key
[AC-wlan-mesh1] port-security preshared-key pass-phrase
[AC-wlan-mesh1] port-security port-mode psk
[AC-wlan-mesh1] quit
# Create mesh profile 1, and bind WLAN mesh interface 1 to it.
[AC] wlan mesh-profile 1
[AC-wlan-mshp-1] bind wlan-mesh 1
[AC-wlan-mshp-1] quit
# Configure an MKD ID (an MKD ID exists by default, so you can omit this command).
[AC] wlan mkd-id 0eab-01cd-ef00
# Enable the MKD service.
[AC] mkd-service enable mesh-profile 1
# Set the mesh ID to outdoor for mesh profile 1, and enable the mesh profile.
[AC] wlan mesh-profile 1
[AC-wlan-mshp-1] mesh-id outdoor
[AC-wlan-mshp-1] mesh-profile enable
[AC-wlan-mshp-1] quit

# A default MP policy exists. You can also configure an MP policy. The default MP policy is used in this example.

2. Configure MPP:

# Create AP template mpp of model MSM460-WW, and configure its serial ID.
[AC] wlan ap mpp model MSM460-WW
[AC-wlan-ap-mpp] serial-id CN2AD330S8
# Create radio 1, specify channel 149, map mesh profile 1 to the radio, and then enable the radio.
[AC-wlan-ap-mpp] radio 1 type dot11an
[AC-wlan-ap-mpp-radio-1] channel 149
[AC-wlan-ap-mpp-radio-1] mesh-profile 1
[AC-wlan-ap-mpp-radio-1] radio enable
[AC-wlan-ap-mpp-radio-1] quit
# Enable the mesh portal service for MPP.
[AC-wlan-ap-mpp] portal-service enable

3. Configure MAP:

# Create AP template map of model MSM460-WW, and configure its serial ID.
[AC] wlan ap map model MSM460-WW
[AC-wlan-ap-map] serial-id CN2AD330S7
# Create radio 1, specify channel 149 for it, map mesh profile 1 to it, and then enable the radio.
[AC-wlan-ap-map] radio 1 type dot11an
[AC-wlan-ap-map-radio-1] channel 149
[AC-wlan-ap-map-radio-1] mesh-profile 1
[AC-wlan-ap-map-radio-1] radio enable
[AC-wlan-ap-map-radio-1] quit

After the configuration, a mesh link is established between the MAP and the MPP, and they can ping each other.

4. Configure the 802.11gn service on the MAP so that the client can access the network:

For the related configuration, see "Configuring WLAN access." After 802.11gn is configured on the MAP, the client and the AC can ping each other, and the client can access the network through the mesh link.

Verifying the configuration

# Display the mesh link information on the AC.
<AC> display wlan mesh-link ap all
Mesh Link Information
AP Name: mpp
Peer Local Status RSSI Packets(Rx/Tx)
ef b4a 00aa Forwarding /
AP Name: map

175 Peer Local Status RSSI Packets(Rx/Tx) aa ef b4a Forwarding /14234 The output shows that the MPP and MAP have established a mesh link. Two-hop mesh link configuration example Network requirements As shown in Figure 77, establish a two-hop mesh link between the MAP and the MPP through the MP, and configure gn on the MAP so the client can access the network. To prevent the MAP and the MPP from establishing a one-hop mesh link between them, configure mesh peer-mac-addresses on the MAP, the MP, and the MPP. Figure 77 Network diagram Configuration procedure 1. Configure Mesh: # Enable port security. <AC> system-view [AC] port-security enable # Create WLAN mesh interface wlan-mesh 1. Enable 11key negotiation, set a PSK, and set the port security mode as PSK mode for the interface. [AC] interface wlan-mesh 1 [AC-wlan-mesh1] port-security tx-key-type 11key [AC-wlan-mesh1] port-security preshared-key pass-phrase [AC-wlan-mesh1] port-security port-mode psk [AC-wlan-mesh1] quit # Create mesh profile 1, and bind the WLAN mesh interface to it. [AC] wlan mesh-profile 1 [AC-wlan-mshp-1] bind wlan-mesh 1 [AC-wlan-mshp-1] quit # Configure an MKD-ID (an MKD-ID exists by default, and you can omit this command). [AC] wlan mkd-id 0eab-01cd-ef00 # Enable the MKD service. [AC] mkd-service enable mesh-profile 1 # Set the mesh ID to outdoor for mesh profile 1, and enable the mesh profile. [AC] wlan mesh-profile 1 [AC-wlan-mshp-1] mesh-id outdoor [AC-wlan-mshp-1] mesh-profile enable [AC-wlan-mshp-1] quit 167

# A default MP policy exists by default. You can also create an MP policy. The default MP policy is used in this example.

2. Configure MPP:

# Create AP template mpp of model MSM460-WW, and configure its serial ID.
[AC] wlan ap mpp model MSM460-WW
[AC-wlan-ap-mpp] serial-id CN2AD330F6
# Create radio 1, specify channel 149, map mesh profile 1 to the radio, specify the MAC address of radio 1 on the MP as the mesh peer-mac-address, and then enable the radio.
[AC-wlan-ap-mpp] radio 1 type dot11an
[AC-wlan-ap-mpp-radio-1] channel 149
[AC-wlan-ap-mpp-radio-1] mesh-profile 1
[AC-wlan-ap-mpp-radio-1] mesh peer-mac-address c8cb-b8f4-d580
[AC-wlan-ap-mpp-radio-1] radio enable
[AC-wlan-ap-mpp-radio-1] quit
# Enable the mesh portal service for MPP.
[AC-wlan-ap-mpp] portal-service enable
[AC-wlan-ap-mpp] quit

3. Configure MP:

# Create an AP template mp of model MSM460-WW, and configure its serial ID.
[AC] wlan ap mp model MSM460-WW
[AC-wlan-ap-mp] serial-id CN2AD330S9
# Create radio 1, specify channel 149, map mesh profile 1 to the radio, specify the MAC addresses of radio 1 on the MPP and the MAP as the mesh peer-mac-addresses, and then enable the radio.
[AC-wlan-ap-mp] radio 1 type dot11an
[AC-wlan-ap-mp-radio-1] channel 149
[AC-wlan-ap-mp-radio-1] mesh-profile 1
[AC-wlan-ap-mp-radio-1] mesh peer-mac-address c8cb-b8f
[AC-wlan-ap-mp-radio-1] mesh peer-mac-address c8cb-b8f
[AC-wlan-ap-mp-radio-1] radio enable
[AC-wlan-ap-mp-radio-1] quit
[AC-wlan-ap-mp] quit

4. Configure MAP:

# Create an AP template map of model MSM460-WW, and configure its serial ID.
[AC] wlan ap map model MSM460-WW
[AC-wlan-ap-map] serial-id CN2AD330F3
# Create radio 1, specify channel 149, map mesh profile 1 to the radio, specify the MAC address of radio 1 on the MP as the mesh peer-mac-address, and enable the radio.
[AC-wlan-ap-map] radio 1 type dot11an
[AC-wlan-ap-map-radio-1] channel 149
[AC-wlan-ap-map-radio-1] mesh-profile 1
[AC-wlan-ap-map-radio-1] mesh peer-mac-address c8cb-b8f4-d580
[AC-wlan-ap-map-radio-1] radio enable
[AC-wlan-ap-map-radio-1] quit

A two-hop mesh link is established, and the MAP, the MPP, and the MP can ping each other.

5. Configure the 802.11gn service on the MAP so that the client can access the network:

For the related configuration, see "Configuring WLAN access."

Verifying the configuration

After 802.11gn is configured on the MAP, the client and the AC can ping each other, and the client can access the network through the mesh link.

# Display the mesh link information on the AC.
<AC> display wlan mesh-link ap all
Mesh Link Information
AP Name: mpp
Peer Local Status RSSI Packets(Rx/Tx)
c8cb-b8f4-d580 c8cb-b8f Forwarding /
AP Name: mp
Peer Local Status RSSI Packets(Rx/Tx)
c8cb-b8f c8cb-b8f4-d580 Forwarding /
c8cb-b8f c8cb-b8f4-d580 Forwarding /
AP Name: map
Peer Local Status RSSI Packets(Rx/Tx)
c8cb-b8f4-d580 c8cb-b8f Forwarding /

The output shows that a two-hop mesh link has been established between the MAP and the MPP, and that the MP has established one-hop mesh links with the MAP and with the MPP.

# Display the client information on the AC.
<AC> display wlan client
Total Number of Clients : 1
Client Information
SSID: HP
MAC Address User Name APID/RID IP Address VLAN
NA- 3 /

The output shows that the client with MAC address has accessed the network through the MAP.
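Both verification steps above read the display wlan mesh-link ap all output by eye. The following Python script is an added example, not part of this guide or of HP's software: it parses output in the same layout and compares the links it finds with the intended topology, so that a direct MAP-to-MPP link (which the mesh peer-mac-address restrictions in the two-hop example are meant to prevent) or an unknown peer radio is reported instead of overlooked. The sample output, AP names and MAC addresses are constructed for the example; the regular expression assumes the columns are separated by whitespace and the RSSI and packet counters are plain integers, which may differ on real devices.

```python
"""Parse `display wlan mesh-link ap all` output and check it against the
intended mesh topology.

Added example, not part of the HP configuration guide. The output layout,
the AP names and the MAC addresses below are constructed to resemble the
guide's sample output; real output may differ in column widths."""
import re
from collections import defaultdict

# Constructed sample output for the two-hop topology MPP <-> MP <-> MAP, with
# one extra line: a direct MAP <-> MPP link that the design does not allow.
SAMPLE_OUTPUT = """\
Mesh Link Information
----------------------------------------------------------------------
AP Name: mpp
Peer            Local           Status      RSSI   Packets(Rx/Tx)
0200-0000-0b01  0200-0000-0a01  Forwarding  30     1520/1498
AP Name: mp
Peer            Local           Status      RSSI   Packets(Rx/Tx)
0200-0000-0a01  0200-0000-0b01  Forwarding  31     1498/1520
0200-0000-0c01  0200-0000-0b01  Forwarding  28     2210/2199
AP Name: map
Peer            Local           Status      RSSI   Packets(Rx/Tx)
0200-0000-0b01  0200-0000-0c01  Forwarding  27     2199/2210
0200-0000-0a01  0200-0000-0c01  Forwarding  12     40/38
"""

# Constructed radio MACs and the peers each AP is allowed to link with; this
# mirrors the mesh peer-mac-address restrictions of the two-hop example.
RADIO_MAC = {"mpp": "0200-0000-0a01", "mp": "0200-0000-0b01", "map": "0200-0000-0c01"}
ALLOWED_PEERS = {"mpp": {"mp"}, "mp": {"mpp", "map"}, "map": {"mp"}}

LINK_RE = re.compile(
    r"^(?P<peer>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+"
    r"(?P<local>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+"
    r"(?P<status>\S+)\s+(?P<rssi>\d+)\s+(?P<rx>\d+)/(?P<tx>\d+)\s*$")


def parse_mesh_links(text):
    """Return {ap_name: [link dict, ...]} parsed from the display output."""
    links = defaultdict(list)
    ap = None
    for line in text.splitlines():
        if line.startswith("AP Name:"):
            ap = line.split(":", 1)[1].strip()
            links[ap]  # register the AP even if it reports no links
            continue
        m = LINK_RE.match(line)
        if m and ap is not None:
            rec = m.groupdict()
            for key in ("rssi", "rx", "tx"):
                rec[key] = int(rec[key])
            links[ap].append(rec)
    return dict(links)


def check_topology(links, radio_mac, allowed_peers):
    """Compare parsed links with the intended topology.

    Returns a sorted list of findings; an empty list means every Forwarding
    link joins an AP to one of its intended peers and every intended link is up."""
    mac_to_ap = {mac: ap for ap, mac in radio_mac.items()}
    findings = []
    seen = defaultdict(set)
    for ap, recs in links.items():
        for rec in recs:
            if rec["status"] != "Forwarding":
                findings.append(f"{ap}: link to {rec['peer']} is {rec['status']}")
                continue
            peer_ap = mac_to_ap.get(rec["peer"])
            if peer_ap is None:
                findings.append(f"{ap}: link to unknown radio {rec['peer']}")
            elif peer_ap not in allowed_peers.get(ap, set()):
                findings.append(f"{ap}: unexpected direct link to {peer_ap}")
            else:
                seen[ap].add(peer_ap)
    for ap, peers in allowed_peers.items():
        for missing in peers - seen[ap]:
            findings.append(f"{ap}: intended link to {missing} is missing")
    return sorted(findings)


if __name__ == "__main__":
    for finding in check_topology(parse_mesh_links(SAMPLE_OUTPUT), RADIO_MAC, ALLOWED_PEERS):
        print(finding)
```

Run against the constructed output, the script reports only the direct link from map to mpp; on a device where the peer-mac-address restrictions were applied as in the example, that link would not appear and the check would come back empty.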

Troubleshooting WLAN mesh link

Authentication process not started

Symptom
A PMK MA request is sent successfully for an MP with the MAC address 000F-E27C-6C00, but the authentication process is not started.

Analysis
The portal service is enabled for an MP without a wired connection.

Solution
Enter AP template view and use the display this command to verify whether the portal service is enabled. If yes, use the undo portal-service enable command to disable the portal service.

Failure to ping MAP

Symptom
Ping from a station is not working through the MAP.

Analysis
The portal service is disabled and the authenticator role is enabled for the MAP.

Solution
1. Enter AP template view and use the display this command to examine whether the portal service is disabled. If yes, use the portal-service enable command to enable the portal service for the MAP.
2. Enter radio view and verify whether the MP policy mapped to the radio has the authenticator role enabled. If yes, disable all the radios to which this MP policy is mapped.
3. Enter MP policy view and use the undo role-authenticator enable command to set the device not to play the role of an authenticator.
4. Enable all the radios.

Configuration download failure for zeroconfig device

Symptom
A zero-configuration device forms links but configuration download does not happen.

Analysis
The channel configuration may be wrong, or the mapped mesh profile may be wrong.

Solution
1. Go to radio view and use the display this command.
2. Verify that the channel is the same as the MPP's. If not, change the channel by using the channel command.
3. Verify that the mesh profile mapped to the radio is the same as that mapped to the MPP's radio. If not, unmap the current mesh profile by using the undo mesh-profile command. Then map the correct mesh profile by using the mesh-profile command.

Configuration download failure for MP

Symptom
A mesh profile is mapped to the radio of an MP but configuration is not downloaded to the MP.

Analysis
Verify that the security configuration has been made. Verify that the mapped mesh profile is enabled. Verify that the radio is enabled.

Solution
1. Configure the security parameters.
2. Enable the mapped mesh profile by using the mesh-profile enable command.
3. Enable the radio by using the radio enable command.

Debug error: neither local nor remote is connected to MKD

Symptom
Debug error: Neither local nor remote is connected to MKD.

Analysis
Verify whether the MKD service is enabled for the mapped mesh profile.

Solution
Enable the MKD service for the mesh profile by using the mkd-service enable command.

PMKMA delete is received by MPP for MP

Symptom
After the MPP comes up, an MP tries to connect to it. During this process, the AC receives a number of PMKMA requests and sends back PMKMA responses. After that, a PMKMA delete is sent to the MPP for the MP.

Analysis
Verify whether intrusion detection is enabled.

Solution
If intrusion detection is enabled, disable it.

Configuring WLAN sniffer

Support for this feature depends on the device model. For more information, see About the HP 830 Series PoE+ Unified Wired-WLAN Switch and HP 10500/ G Unified Wired-WLAN Module Configuration Guides.

In a wireless network, it is difficult to locate signal interference and packet collisions from the debugging information or terminal display information of WLAN devices. WLAN sniffer facilitates troubleshooting by using an AP as a packet sniffer to listen to, capture, and record wireless packets. The information about captured packets is stored in a CAP file. WLAN sniffer has limited capabilities and is intended only as a support aid and an additional troubleshooting tool.

As shown in Figure 78, enable WLAN sniffer on the Capture AP. The Capture AP listens to wireless packets in the network and stores captured packets in the specified CAP file. The administrator can download the CAP file to a PC for analysis.

Figure 78 Network diagram

Configuring WLAN sniffer

Follow these guidelines when you configure WLAN sniffer:

Disable other services such as WLAN and mesh before you enable WLAN sniffer on the radio, and do not enable these services during the WLAN sniffer process.

An auto AP does not support the WLAN sniffer function.

To enable WLAN sniffer on a radio, the AP must operate in normal mode and must be in Run state, and the working channel of the radio must be manually specified.

Disabling the sniffer-enabled radio, deleting the Capture AP, disconnecting the Capture AP from the AC, or disabling WLAN sniffer stops the sniffer operation.

The captured packets are saved to the specified CAP file in the default storage medium. The default storage medium varies with device models.

The working mode of the AP cannot be changed with the work-mode monitor or device-detection enable command while it is capturing packets.

To configure WLAN sniffer:

1. Enter system view.
   Command: system-view

2. Configure the maximum number of packets that can be captured by an AP.
   Command: wlan capture packet-limit packet-limit
   Remarks: By default, the maximum number of packets that can be captured by an AP is
   You are not allowed to change the maximum number of packets that can be captured by an AP during the WLAN sniffer process. WLAN sniffer stops when the maximum number is reached.

3. Specify the name of the CAP file to which the captured packets are saved.
   Command: wlan capture file-name file-name
   Remarks: The default name is CaptureRecord. The file has a fixed extension .dmp, which is not configurable. You are not allowed to change the name of the CAP file during the WLAN sniffer process.

4. Enable WLAN sniffer on a radio of an AP.
   Command: wlan capture start ap ap-name radio radio-number
   Remarks: WLAN sniffer can be enabled for only one radio of an AP. The radio must have been enabled and its working channel must have been manually specified. The AP that holds the radio must have been associated with the AC.

5. Disable WLAN sniffer.
   Command: wlan capture stop

Displaying and maintaining WLAN sniffer

Task: Display information about WLAN sniffer enabled APs.
Command: display wlan capture [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

WLAN sniffer configuration example

The configuration example was created on the 10500/ G unified wired-wlan module and may vary with device models.

When configuring the 10500/ G unified wired-wlan module, make sure the settings are correct (including VLAN settings) on the internal Ethernet interface that connects the module to the switch. For more information, see HP & G Unified Wired-WLAN Module Fundamentals Configuration Guide.

By default, the aggregate interfaces between the access controller engine and the switching engine on an 830 switch are Access interfaces in VLAN 1. When configuring the two aggregate interfaces, make sure their permitted VLANs are the same. HP also recommends setting their link type to be the same.

Network requirements

As shown in Figure 79, on the AC, enable WLAN sniffer for an AP to capture wireless packets.

Figure 79 Network diagram

Configuration procedure

To enable WLAN sniffer on a radio, the AP must operate in normal mode and must be in Run state, and the working channel of the radio must be manually specified. The working channel for WLAN sniffer in this example is 11. For information about how to configure the operating mode for an AP, see "Configuring WLAN access."

1. Configure the WLAN sniffer function:

# Enable WLAN sniffer on Radio 2 of the AP named captureap.
<AC> system-view
[AC] wlan capture start ap captureap radio 2

2. Verify the configuration:

# Display information about the AP that is capturing packets. The output shows that Radio 2 on the AP is capturing packets.
[AC] display wlan capture
WLAN Capture
AP Name : captureap
Radio : 2
Radio Mode : g
Channel : 11
Capture Limit : 5000
File Name : CaptureRecord.dmp
Status : Capturing

Configuring AP provision

AP provision allows you to configure network settings for fit APs on an AC. The AC automatically assigns these settings to the fit APs in Run state over AC-AP connections. This feature avoids configuring APs one by one from a terminal, greatly reducing the workload in large WLAN networks.

Configuring basic network settings for an AP

If you change the network settings for an associated AP, you need to save the settings to the wlan_ap_cfg.wcfg file of the AP, and restart the AP to apply the new settings.

To configure AP network settings:

1. Enter system view.
   Command: system-view

2. Specify a global AC so that APs can discover the AC.
   Command: wlan ap-provision ac { host-name host-name | ip ip-address | ipv6 ipv6-address }
   Remarks: By default, no global AC is specified.

3. Specify a global DNS server.
   Command: wlan ap-provision dns server { ip ip-address | ipv6 ipv6-address }
   Remarks: By default, no global DNS server is specified.

4. Specify a global domain name.
   Command: wlan ap-provision dns domain domain-name
   Remarks: By default, no global domain name is specified.

5. Enter AP template view.
   Command: wlan ap ap-name [ model model-name [ id ap-id ] ]
   Remarks: The AP model needs to be specified only when you create an AP template.

6. Create and enter AP provision view.
   Command: provision
   Remarks: After you create AP provision view, the device automatically adds the vlan untagged 1 command for the AP. This command also enables the AP provision function. An auto AP cannot be configured with the AP provision function.

7. Configure the initial country code for the AP when it tries to establish a mesh link for the first time.
   Command: initial-country-code code
   Remarks: By default, no initial country code is configured for an AP.

8. Specify an AC so that the AP can discover the AC.
   Command: ac { host-name host-name | ip ip-address | ipv6 ipv6-address }
   Remarks: By default, no AC is specified for the AP. The wlan ap-provision ac command applies to all APs, and the ac command in AP provision view applies to the current AP. If you configure both commands, the configuration in AP provision view applies to the current AP.

9. Specify a DNS server for the AP.
   Command: dns server { ip ip-address | ipv6 ipv6-address }
   Remarks: By default, no DNS server is specified for the AP. The wlan ap-provision dns server command applies to all APs, and the dns server command in AP provision view applies to the current AP. If you configure both commands, the configuration in AP provision view applies to the current AP.

10. Specify a domain name suffix for the DNS server.
    Command: dns domain domain-name
    Remarks: By default, no domain name is specified for the DNS server. The wlan ap-provision dns domain command applies to all APs, and the dns domain command in AP provision view applies to the current AP. If you configure both commands, the configuration in AP provision view applies to the current AP.

11. Configure the default VLAN ID for the Ethernet interface on the AP.
    Command: vlan pvid vlan-id
    Remarks: By default, the default VLAN ID of the Ethernet interface on the AP is 1.

12. Configure a list of VLANs whose packets are sent tagged on the Ethernet interface of the AP.
    Command: vlan tagged vlan-id-list
    Remarks: By default, no VLANs are configured.

13. Configure a list of VLANs whose packets are sent untagged on the Ethernet interface of the AP.
    Command: vlan untagged vlan-id-list
    Remarks: By default, no untagged VLAN exists on the Ethernet interface of the specified AP.

14. Specify an IP address for the management VLAN interface of the AP.
    Command: ip address ip-address { mask | mask-length }
    Remarks: By default, no IP address is specified for the management VLAN interface of the AP. The management VLAN of the AP is VLAN 1.

15. Specify an IPv6 address for the management VLAN interface of the AP.
    Command: ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }
    Remarks: By default, no IPv6 address is specified for the management VLAN interface of the AP. The management VLAN of the AP is VLAN 1.

16. Specify the gateway of the AP.
    Command: gateway { ip ip-address | ipv6 ipv6-address }
    Remarks: By default, no gateway is configured for the AP.

17. Configure the AP to use IPsec to encrypt the control tunnel.
    Command: tunnel encryption ipsec pre-shared-key { cipher | simple } key
    Remarks: By default, the AP does not encrypt the control tunnel. This command is used to configure AC-AP tunnel encryption with IPsec. For more information about AC-AP tunnel encryption with IPsec, see "Configuring WLAN access."

18. Configure the AP to use IPsec to encrypt the data tunnel.
    Command: data-tunnel encryption enable
    Remarks: By default, the AP does not encrypt the data tunnel. This command is used to configure AC-AP tunnel encryption with IPsec. For more information about AC-AP tunnel encryption with IPsec, see "Configuring WLAN access."

19. Save the configurations in AP provision view to the wlan_ap_cfg.wcfg file of the specified AP or all APs.
    Command: save wlan ap provision { all | name ap-name }
    Remarks: This command only applies to APs in the Run state. For more information about the command, see WLAN Command Reference.

20. Remove the wlan_ap_cfg.wcfg file of the specified AP or all APs.
    Command: reset wlan ap provision { all | name ap-name }
    Remarks: This command only applies to APs in the Run state. You can execute the save wlan ap provision and reset wlan ap provision commands in any view.

AP provision configuration example

The configuration example was created on the 10500/ G unified wired-wlan module and may vary with device models.

When configuring the 10500/ G unified wired-wlan module, make sure the settings are correct (including VLAN settings) on the internal Ethernet interface that connects the module to the switch. For more information, see HP & G Unified Wired-WLAN Module Fundamentals Configuration Guide.

By default, the aggregate interfaces between the access controller engine and the switching engine on an 830 switch are Access interfaces in VLAN 1. When configuring the two aggregate interfaces, make sure their permitted VLANs are the same. HP also recommends setting their link type to be the same.

Network requirements

Configure AP provision on AC 1 to assign the following network settings to the fit APs over AC-AP connections:

IP address /24 of AP 1 and IP address /24 of AP 2.

IP address /24 of AC 2 so that the APs can discover AC 2.

Figure 80 Network diagram

Configuration procedure

Make sure AP 1 and AP 2 have established connections to AC 1, and that AC 2 can reach /24 at Layer 3. Otherwise, the AC cannot assign the network settings to them. The management VLAN of the APs is VLAN 1.

1. Configure AC 1:

# Specify the IP address of AC 2 so that AP 1 and AP 2 can discover AC 2.
<AC1> system-view
[AC1] wlan ap-provision ac ip
# Create and enter AP 1 provision view. Configure the IP address of the management VLAN interface of AP 1 as
[AC1] wlan ap ap1 model MSM460-WW
[AC1-wlan-ap-ap1] provision
[AC1-wlan-ap-ap1-prvs] ip address
[AC1-wlan-ap-ap1-prvs] quit
[AC1-wlan-ap-ap1] quit
# Create and enter AP 2 provision view, and configure the IP address of the management VLAN interface of AP 2 as
[AC1] wlan ap ap2 model MSM460-WW
[AC1-wlan-ap-ap2] provision
[AC1-wlan-ap-ap2-prvs] ip address
# Save the configurations in AP provision view to the wlan_ap_cfg.wcfg files of the APs.
[AC1-wlan-ap-ap2-prvs] save wlan ap provision all
[AC1-wlan-ap-ap2-prvs] return
# Reboot AP 1 and AP 2 to validate the configuration.
<AC1> reset wlan ap name ap1
<AC1> reset wlan ap name ap2

2. Configure AC 2:

# Create a WLAN-ESS interface.
<AC2> system-view
[AC2] interface wlan-ess 1
[AC2-WLAN-ESS1] quit
# Create a clear-type WLAN service template, configure the SSID of the service template as service, and bind the WLAN-ESS interface to this service template.
[AC2] wlan service-template 1 clear
[AC2-wlan-st-1] ssid service
[AC2-wlan-st-1] bind wlan-ess 1
[AC2-wlan-st-1] authentication-method open-system
[AC2-wlan-st-1] service-template enable
[AC2-wlan-st-1] quit
# Create an AP template named ap1, select the model MSM460-WW, and configure the serial ID of the AP as CN2AD330S8.
[AC2] wlan ap ap1 model MSM460-WW
[AC2-wlan-ap-ap1] serial-id CN2AD330S8
[AC2-wlan-ap-ap1] description L3office
# Specify the radio type as 802.11an, and the channel as 149.
[AC2-wlan-ap-ap1] radio 1 type dot11an
[AC2-wlan-ap-ap1-radio-1] channel 149
[AC2-wlan-ap-ap1-radio-1] service-template 1
[AC2-wlan-ap-ap1-radio-1] radio enable

Verifying the configuration

After reboot, AP 1 and AP 2 can establish a connection to AC 2.

Configuring wireless location

Overview

Support for this feature depends on your device model. For more information, see About the HP 830 Series PoE+ Unified Wired-WLAN Switch and HP 10500/ G Unified Wired-WLAN Module Configuration Guides.

Wireless location is a technology to locate, track, and monitor specific assets by using WiFi-based Radio Frequency Identification (RFID) and sensors. APs send collected Tag or MU messages to an AeroScout Engine (AE). The AE performs location calculation and sends the results to the graphics software. You can view the location information of the assets in maps, forms, and reports provided by the software. The graphics software provides search, alert, and query functions to facilitate your operations.

Wireless location can be applied to medical monitoring, asset management, and logistics, helping users effectively manage and monitor assets.

Architecture of the wireless location system

A wireless location system is composed of three parts: devices or sources to be located, location information receivers, and location systems.

Devices or sources to be located include AeroScout Tags (small, portable RFIDs, which are usually placed on or glued to the assets to be located) and Mobile Units (MUs), which are wireless terminals or devices running 802.11. The Tags and MUs send wireless messages periodically.

Location information receivers include APs.

Location systems include the location server, AE calculation software, and different types of graphics software.

Wireless locating process

A wireless location system can locate wireless clients, APs, rogue APs, rogue clients, Tags, and other devices supporting WLAN protocols. All wireless devices except Tags are identified as MUs by the wireless location system.

1. Located devices send Tag or MU messages.

An RFID sends Tag messages that contain channel information over different channels. The RFID periodically sends messages over the configured channels first and then sends Tag messages over channels 1, 6, and 11 in turn periodically.

Standard wireless devices send MU messages. An MU message does not contain channel information, so an AP cannot filter MU messages by channel number. This work is done by the location server by using a certain algorithm and rules.

2. The AP collects Tag and MU messages.

The working mode of an AP determines how it collects Tag and MU messages:

When the AP operates in monitor mode or hybrid mode, it can locate wireless clients or other wireless devices that are not associated with it.

When the AP operates in normal mode, it can only locate wireless clients associated with it.

The wireless location system considers wireless clients associated with the AP as wireless clients, and considers wireless clients or other wireless devices not associated with the AP as unknown devices. For more information about monitor mode and hybrid mode, see "Configuring WLAN security."

The AP collects Tag and MU messages as follows:

Upon receiving Tag messages (suppose that the Tags mode has been configured on the AC, and the location server has notified the AP to report Tag messages), the AP checks the Tag messages, encapsulates those passing the check, and sends them to the location server. The AP encapsulates a Tag message by copying all its information (including message header and payload) except the multicast address and adding the BSSID, channel, timestamp, data rate, RSSI, SNR, and radio mode of the radio that received the Tag message.

Upon receiving MU messages (suppose that the MUs mode has been configured on the AC, and the location server has notified the AP to report MU messages), the AP checks the messages, encapsulates those that pass the check, and sends them to the location server. The AP encapsulates an MU message by copying its source address, Frame Control field, and Sequence Control field, and adding the BSSID, channel, timestamp, data rate, RSSI, SNR, and radio mode of the radio that received the MU message.

3. The location server calculates the locations of devices.

After receiving Tag and MU messages from APs, the location server uses an algorithm to calculate the locations of the devices according to the RSSI, SNR, radio mode, and data rate carried in the messages, and displays the locations on the imported map. Typically, the location server can calculate the locations as long as more than three APs (in monitor or hybrid mode) are used to report Tag and MU messages.
Configuring wireless location

To perform wireless location, perform the following configurations on the location server and the device:

On the location server: Configure whether to locate Tags or MUs, the Tag message multicast address, and the dilution factor on the location server. The APs are notified of these settings through configuration messages. For more information about the location server and its configuration parameters, see the location server manuals.

On the wireless device: Configure the wireless location function. Configure the AP mode settings when you configure wireless location on the AC.

To configure wireless location:

1. Enter system view.
   Command: system-view

2. Enable wireless location.
   Command: wlan rfid-tracking enable
   Remarks: By default, wireless location is disabled.

3. Specify the port number for the location server vendor.
   Command: wlan rfid-tracking vendor-port vendor-port-value
   Remarks: By default, the port number for the vendor is

4. Specify the AP name and model, and enter AP template view.
   Command: wlan ap ap-name [ model model-name [ id ap-id ] ]
   Remarks: The AP model needs to be specified only when you create an AP template.

5. Enter WLAN radio view.
   Command: radio radio-id
   Remarks: N/A

6. Configure the wireless location mode for the radio.
   Command: rfid-tracking mode { all | mu | tag }
   Remarks: By default, no wireless location mode is configured for the radio.

After the configuration, the AP waits for the configuration message sent by the location server, and after receiving that message, starts to receive and report Tag and MU messages. In addition, the AP reports its IP address change and reboot events to the location server so that the location server can respond in time.

To report a reboot event after a reboot, the AP must use the IP address and port information of the location server stored in its flash. The AP maintains this information as follows:

The AP updates the data in the flash after receiving a configuration message. To protect the flash, the AP does not update the flash immediately, but waits for 10 minutes. If it receives another configuration message before the 10 minutes elapse, the AP only updates the configuration information in the cache, and when the 10-minute timer expires, saves the information in the flash.

If the AP reboots within 10 minutes after it receives the first configuration message, no server information has been saved in the flash, so it does not send a reboot message to the location server.

Displaying and maintaining wireless location

Task: Display wireless location radio information.
Command: display wlan rfid-tracking radio [ ap ap-name radio radio-id ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Wireless location configuration example

The configuration example was created on the 10500/ G unified wired-wlan module and may vary with device models.

When configuring the 10500/ G unified wired-wlan module, make sure the settings are correct (including VLAN settings) on the internal Ethernet interface that connects the module to the switch. For more information, see HP & G Unified Wired-WLAN Module Fundamentals Configuration Guide.

By default, the aggregate interfaces between the access controller engine and the switching engine on an 830 switch are Access interfaces in VLAN 1. When configuring the two aggregate interfaces, make sure their permitted VLANs are the same. HP also recommends setting their link type to be the same.

Network requirements

As shown in Figure 81, AP 1, AP 2, and AP 3 operate in monitor mode, and send collected Tag and MU messages to the AE (the location server). The AE performs location calculation and sends the results to the graphics software. The software shows the location information of the rogue AP, APs, and clients in maps, forms, or reports.

Figure 81 Network diagram

Configuration procedure

1. Configure the AE:

Configure the IP addresses of AP 1, AP 2, and AP 3 on the AE, or select broadcast for the AE to discover APs.

Perform the configuration related to wireless location on the AE.

2. Configure AP 1 to operate in monitor mode:

On the AC, configure AP 1, AP 2, and AP 3 to operate in monitor mode. AP 1, AP 2, and AP 3 are configured similarly, and this section only describes how to configure AP 1 for illustration.

# Create AP 1.
<AC> system-view
[AC] wlan ap ap1 model MSM460-WW
# Specify the serial ID for the AP.
[AC-wlan-ap-ap1] serial-id CN2AD330S8
# Configure the AP to operate in monitor mode.
[AC-wlan-ap-ap1] work-mode monitor
# Enable the radio.
[AC-wlan-ap-ap1] radio 1
[AC-wlan-ap-ap1-radio-1] radio enable
[AC-wlan-ap-ap1-radio-1] return
# Enable wireless location.
<AC> system-view
[AC] wlan rfid-tracking enable
# Configure the wireless location mode.
[AC] wlan ap ap1
[AC-wlan-ap-ap1] radio 1
[AC-wlan-ap-ap1-radio-1] rfid-tracking mode all
[AC-wlan-ap-ap1-radio-1] return

3. Verify the configuration:

# Display wireless location radio information.
<AC> display wlan rfid-tracking radio
WLAN RFID Tracking
AP Radio Mode
ap1 1 MU/Tag
ap1 2 N/A

# You can view the location information about the rogue AP, APs, and clients in the maps, forms, or reports provided by the graphics software.

Configuration guidelines

To implement wireless location, configure at least three APs to operate in monitor or hybrid mode.

An AP monitors clients on different channels periodically. If the Tag message sending interval is configured as 1 second, the AP scans and reports Tag messages every half a minute. If higher location efficiency is required, you can set the Tag sending interval to the smallest value, 124 milliseconds, on the AE.
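The reboot-reporting rule in the configuration section above (the AP caches the location server's address and writes it to flash only after a 10-minute timer, so an AP that reboots earlier cannot report the reboot) is easy to misread when troubleshooting missing reboot events. The following Python model is an added example, not code from this guide or from the AP firmware: it replays the documented behaviour for two timelines, one where the AP reboots before the timer expires and one where a server address change arrives inside the 10 minutes. Times are seconds; the server addresses and the port number are constructed placeholders and say nothing about the real default vendor port.

```python
"""Model of how an AP keeps the location server's address across a reboot,
following the 10-minute flash write delay described in "Configuring wireless
location".

Added example, not code from the HP guide or the AP firmware: it simulates the
documented behaviour so the reboot-within-10-minutes edge case can be seen.
Times are seconds; the server address and port are constructed placeholders."""

FLASH_DELAY = 10 * 60   # the AP waits 10 minutes before writing the flash


class ApLocationState:
    """Location-server info as the AP holds it: a RAM cache, a flash copy, and
    the pending flash-write timer."""

    def __init__(self):
        self.cache = None          # server info from the latest configuration message
        self.flash = None          # server info persisted in flash (survives reboot)
        self.timer_expiry = None   # absolute time at which the flash write is due

    def receive_config(self, now, server):
        """A configuration message from the location server arrives."""
        self.tick(now)
        self.cache = server
        if self.timer_expiry is None:
            # first message (or first after a flash write) starts the 10-minute timer
            self.timer_expiry = now + FLASH_DELAY
        # a further message before expiry only refreshes the cache

    def tick(self, now):
        """Advance the clock; commit the cache to flash once the timer expires."""
        if self.timer_expiry is not None and now >= self.timer_expiry:
            self.flash = self.cache
            self.timer_expiry = None

    def reboot(self, now):
        """Reboot the AP. RAM state is lost; only the flash copy survives.
        Returns the server the reboot event can be reported to, or None when
        nothing had been written to flash yet (so no reboot message is sent)."""
        self.tick(now)
        self.cache = None
        self.timer_expiry = None
        return self.flash


SERVER_A = ("192.0.2.10", 12345)   # constructed: location server address and vendor port
SERVER_B = ("192.0.2.11", 12345)   # constructed: the server moved to another address


def reboot_before_flash_write():
    """Reboot 9 minutes after the first configuration message: nothing in flash."""
    ap = ApLocationState()
    ap.receive_config(0, SERVER_A)
    ap.receive_config(300, SERVER_A)     # second message, timer keeps running
    return ap.reboot(540)                # -> None, no reboot event can be reported


def reboot_after_flash_write():
    """The timer expires before the reboot: the latest cached info was written."""
    ap = ApLocationState()
    ap.receive_config(0, SERVER_A)
    ap.receive_config(300, SERVER_B)     # address change within the 10 minutes
    ap.tick(600)                         # timer expires, SERVER_B goes to flash
    return ap.reboot(700)                # -> SERVER_B


if __name__ == "__main__":
    print("reboot at 9 min  ->", reboot_before_flash_write())
    print("reboot at 11 min ->", reboot_after_flash_write())
```

The second timeline also shows why the guide describes the cache separately from the flash: a configuration message that arrives during the timer replaces the cached address, and it is that latest address, not the first one, that is written when the timer expires.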

193 Configuring multicast optimization WLAN selects the lowest transmit rate for multicast packets and provides no multicast retransmission mechanism. Therefore, WLAN cannot meet the requirements of some multicast applications that are not delay sensitive but data-integrity sensitive such as HD VoD. The multicast optimization feature can solve these problems by enabling APs to convert multicasts packets to unicast packets, so WLAN can provide retransmission service and higher transmit rates for the converted unicast packets. Unless otherwise specified, the unicast packets in this chapter refer to the wireless unicast packets that have the priority of video. Figure 82 Multicast data transmission when multicast optimization is enabled Multicast stream Unicast stream Client 1 Source AC Switch AP Client 2 Client 3 With multicast optimization enabled, the AP listens to the IGMP reports and leave messages sent by clients. When the AP receives an IGMP report, it adds or updates a multicast optimization entry and updates the multicast source addresses allowed by the client (for IGMPv3 and MLDv2 packets). When the AP receives an IGMP leave message or when a multicast optimization entry ages out, the AP removes the entry. When the AP is disconnected from the AC, or when multicast optimization is disabled, all multicast optimization entries are removed. After creating multicast entries, the AP listens to non IGMP and MLD multicast packets sent from the multicast source to clients, and matches the multicast address of the packets to the multicast optimization entries. If a match is found, the AP converts the multicast packets to unicast packets and sends the unicast packets to all the clients in the multicast entries. If no match is found, the AP directly sends the multicast packets. To avoid performance degradation, you can configure the maximum number of clients that multicast optimization can support. 
When the maximum number is reached, the AC takes either of the following actions as configured:
- Halt: A new client can join a multicast group and receive multicast packets, and a multicast optimization entry can be created for the client. However, the multicast optimization function for all clients in the multicast group becomes invalid. When the number of clients drops below the upper limit, the multicast optimization function takes effect again.
- Reject-client: A new client can join a multicast group, but no new multicast optimization entries can be created. If multicast optimization entries have been created for other clients in the multicast group, the client cannot receive multicast packets. If not, the client can receive multicast packets.

Configuring multicast optimization

Enable IGMP snooping on the AC before enabling multicast optimization, and configure the aging time of multicast optimization entries to be greater than the aging time of IGMP snooping dynamic member ports.

To enable multicast optimization to operate properly in a WLAN roaming environment, make sure the multicast optimization function is enabled with the multicast optimization enable command on all ACs on IACTP tunnels.

To configure multicast optimization:
1. Enter system view.
   Command: system-view
2. Enter service template view.
   Command: wlan service-template service-template-number { clear | crypto }
3. Enable multicast optimization.
   Command: multicast optimization enable
   By default, the multicast optimization function is disabled.
4. Exit to system view.
   Command: quit
5. Configure the maximum number of clients supported by multicast optimization.
   Command: wlan multicast optimization threshold threshold-value
   The default number is 6. A client can join up to eight multicast groups. If a client joins multiple multicast groups, the client is counted as multiple clients in multicast optimization statistics. For example, if a client has joined two multicast groups, the client is counted as two clients in the multicast optimization statistics.
6. Configure the action to take when the maximum number of clients supported by multicast optimization is reached.
   Command: wlan multicast optimization threshold-action { halt | reject-client }
   The default action is halt. If you configure the halt action first, and then configure the reject-client action, the existing multicast optimization entries still take effect.
7. Configure the aging time for multicast optimization entries.
   Command: wlan multicast optimization aging-time time
   By default, the aging time is 260 seconds.

Displaying and maintaining multicast optimization

Task: Display multicast optimization information.
Command: display wlan multicast optimization { all | ap-name ap-name radio radio-id } [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Multicast optimization configuration example

The configuration example was created on the 10500/ G Unified Wired-WLAN module and may vary with device models. When configuring the 10500/ G Unified Wired-WLAN module, make sure the settings are correct (including VLAN settings) on the internal Ethernet interface that connects the module to the switch. For more information, see HP & G Unified Wired-WLAN Module Fundamentals Configuration Guide.

By default, the aggregate interfaces between the access controller engine and the switching engine on an 830 switch are Access interfaces in VLAN 1. When configuring the two aggregate interfaces, make sure their permitted VLANs are the same. HP also recommends setting their link type to be the same.

Network requirements
As shown in Figure 83, enable multicast optimization for the AP to convert multicast packets to unicast packets for up to two clients.

Figure 83 Network diagram

Configuration procedure
Complete wireless configurations on the AC. For more information, see "Configuring WLAN access."
# Enable multicast optimization.
<Sysname> system-view
[Sysname] wlan service-template 1 clear
[Sysname-wlan-st-1] multicast optimization enable
[Sysname-wlan-st-1] quit
# Configure the aging time for multicast optimization entries as 300 seconds.
[Sysname] wlan multicast optimization aging-time 300

# Configure the maximum number of clients supported by multicast optimization as 2.
[Sysname] wlan multicast optimization threshold 2
# Configure the AC to reject new clients when the maximum number of clients supported by multicast optimization is reached.
[Sysname] wlan multicast optimization threshold-action reject-client

Verifying the configuration
Client 1 and Client 2 access the SSID named service through a radio on the AP and join a multicast group. Execute the display wlan multicast optimization all command to view the multicast optimization information. The output shows that the multicast optimization function operates properly when Client 1 and Client 2 are in the group. When Client 3 joins the multicast group, no multicast optimization entry can be added for Client 3, because the maximum number of clients supported by multicast optimization has been reached.
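The threshold behaviour (halt versus reject-client, and the per-group client counting) and the verification step above can be checked against a small model. This is an added Python simulation, not HP code or device output; the class and method names, and the rule that a halted group resumes once the client count is back within the threshold, are assumptions of the model.

```python
"""Model of the multicast optimization behaviour described in this chapter.

Constructed simulation, not device code: it keeps multicast optimization entries
per group, counts clients the way the guide does (one client in two groups counts
twice), applies the halt or reject-client action when the threshold is reached,
and decides whether a downstream multicast frame is converted to unicast.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class MulticastOptimizer:
    threshold: int = 6                 # wlan multicast optimization threshold (default 6)
    action: str = "halt"               # threshold-action { halt | reject-client }
    max_groups_per_client: int = 8     # a client can join up to eight groups
    entries: Dict[str, Set[str]] = field(default_factory=dict)   # group -> clients with an entry
    halted: Set[str] = field(default_factory=set)                # groups suspended by halt
    rejected: Dict[str, Set[str]] = field(default_factory=dict)  # group -> members without entry

    def client_count(self) -> int:
        """Clients counted against the threshold: one per (client, group) entry."""
        return sum(len(members) for members in self.entries.values())

    def groups_of(self, client: str) -> int:
        tables = list(self.entries.values()) + list(self.rejected.values())
        return sum(1 for members in tables if client in members)

    def igmp_report(self, client: str, group: str) -> str:
        """Handle an IGMP report (join) from a client; return the decision taken."""
        if client in self.entries.get(group, set()):
            return "updated"                    # refresh of an existing entry
        if self.groups_of(client) >= self.max_groups_per_client:
            return "too-many-groups"
        if self.client_count() < self.threshold:
            self.entries.setdefault(group, set()).add(client)
            return "entry-created"
        # Threshold reached: apply the configured action.
        if self.action == "halt":
            # The entry is created, but optimization for the whole group is suspended.
            self.entries.setdefault(group, set()).add(client)
            self.halted.add(group)
            return "entry-created-group-halted"
        # reject-client: the client joins the group but gets no entry.
        self.rejected.setdefault(group, set()).add(client)
        return "rejected"

    def igmp_leave(self, client: str, group: str) -> None:
        """Handle an IGMP leave (or entry aging) for one client and group."""
        self.entries.get(group, set()).discard(client)
        self.rejected.get(group, set()).discard(client)
        if not self.entries.get(group):
            self.entries.pop(group, None)
            self.halted.discard(group)
        # Assumption of this model: halted groups resume once the count is back
        # within the configured threshold.
        if self.client_count() <= self.threshold:
            self.halted.clear()

    def forward(self, group: str) -> Tuple[str, Optional[List[str]]]:
        """Decide how a downstream multicast frame for `group` leaves the radio."""
        receivers = self.entries.get(group)
        if receivers and group not in self.halted:
            return ("unicast", sorted(receivers))   # converted, one copy per entry
        return ("multicast", None)                  # sent as a multicast frame

    def receives(self, client: str, group: str) -> bool:
        """Whether a group member actually gets the stream."""
        mode, targets = self.forward(group)
        if mode == "multicast":
            members = self.entries.get(group, set()) | self.rejected.get(group, set())
            return client in members
        return client in targets


def run_configuration_example() -> Dict[str, object]:
    """Replay the chapter's example: threshold 2, reject-client, three clients."""
    opt = MulticastOptimizer(threshold=2, action="reject-client")
    decisions = [opt.igmp_report(c, "group-A") for c in ("client1", "client2", "client3")]
    return {
        "decisions": decisions,
        "forwarding": opt.forward("group-A"),
        "client3_receives": opt.receives("client3", "group-A"),
    }


if __name__ == "__main__":
    print(run_configuration_example())
```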

Configuring spectrum analysis

Support for spectrum analysis depends on the AP model. For more information about WIDS, see "Configuring WIDS."

WLAN systems operate on shared bands. Many devices, such as microwave ovens, cordless phones, and Bluetooth devices, also operate on these bands and can negatively affect WLAN systems. The spectrum analysis feature is designed to solve this problem.

Spectrum analysis delivers the following functions:
- Identifies 12 types of interferences and provides interference device reports.
- Calculates the number of interferences on each channel and the average and worst channel quality, and provides channel quality reports.
- The AP collects Fast Fourier Transform (FFT) data, including frequency, FFT power, maximum power, and FFT duty cycle, and sends the data to the NMS through the AC.
- With RRM collaboration enabled, if the detected channel quality is lower than the threshold, the AC automatically adjusts the working channel upon detecting a channel with a higher quality.

Administrators can view the interference information on the AC, or view real-time spectrum analysis data on the NMS to locate and remove the interferences.

Configuration task list
- Configuring the operating mode for an AP (Required)
- Enabling spectrum analysis (Required)
- Enabling SNMP traps (Optional)
- Enabling spectrum analysis to trigger channel adjustment (Optional)

Configuring the operating mode for an AP

The channels that an AP can detect depend on the operating mode of the AP:
- When operating in normal mode, an AP can only detect interference devices and channel quality, and collect FFT data, for its working channel.
- When operating in monitor or hybrid mode, the channels that an AP can detect depend on the scan channel command. If you configure the scan channel auto command, the AP detects interference devices and channel quality, and collects FFT data, for the channels supported by the country code.
  If you configure the scan channel all command, the AP detects interference devices and channel quality, and collects FFT data, for all channels.

H3C recommends that you enable spectrum analysis for APs operating in monitor or hybrid mode.

For information about how to configure the operating mode for an AP, see "Configuring WLAN IDS."

Enabling spectrum analysis

When spectrum analysis is enabled, an AP monitors interference devices and channel quality and collects FFT data.

To enable spectrum analysis:
1. Enter system view.
   Command: system-view
2. Enter WLAN RRM view.
   Command: wlan rrm
3. Enable spectrum analysis globally.
   Command (5 GHz radios): dot11a spectrum-analysis enable
   Command (2.4 GHz radios): dot11bg spectrum-analysis enable
   By default, spectrum analysis is disabled globally.
4. Specify the type of interferences to be detected.
   Command (5 GHz radios): dot11a spectrum-analysis device { device-type | all }
   Command (2.4 GHz radios): dot11bg spectrum-analysis device { device-type | all }
   By default, all interferences are to be detected.
5. Return to system view.
   Command: quit
6. Specify the AP name and its model number and enter AP template view.
   Command: wlan ap ap-name [ model model-name [ id ap-id ] ]
   Specify the model name only when you create a new AP template.
7. Enter radio view.
   Command: radio radio-number [ type { dot11a | dot11an | dot11b | dot11g | dot11gn } ]
8. Enable spectrum analysis.
   Command: spectrum-analysis enable
   By default, spectrum analysis is disabled. Spectrum analysis takes effect on the specified radio only when it is enabled both globally and on the radio.

Enabling SNMP traps

This function enables the AC to send SNMP traps to the NMS when it detects an interference device or detects that the channel quality is lower than the alarm threshold.

To enable SNMP trap sending when an interference device is detected:
1. Enter system view.
   Command: system-view
2. Enter WLAN RRM view.
   Command: wlan rrm

3. Enable the AC to send SNMP traps to the NMS when detecting an interference device.
   Command (5 GHz radios): dot11a spectrum-analysis trap device enable
   Command (2.4 GHz radios): dot11bg spectrum-analysis trap device enable
   By default, the AC sends SNMP traps to the NMS when detecting an interference device.
4. Enable the AC to send SNMP traps to the NMS when detecting a specified interference device.
   Command (5 GHz radios): dot11a spectrum-analysis trap device { device-type | all }
   Command (2.4 GHz radios): dot11bg spectrum-analysis trap device { device-type | all }
   By default, the AC sends SNMP traps to the NMS when detecting any of the 12 interference device types. Before configuring this command, use the dot11a spectrum-analysis device device-type or dot11bg spectrum-analysis device device-type command to specify the type of interference to be detected. Otherwise, this command does not take effect.

To enable SNMP traps when the channel quality is lower than the channel quality alarm threshold:
1. Enter system view.
   Command: system-view
2. Enter WLAN RRM view.
   Command: wlan rrm
3. Configure the channel quality alarm threshold.
   Command (5 GHz radios): dot11a spectrum-analysis trap channel-quality threshold threshold-value
   Command (2.4 GHz radios): dot11bg spectrum-analysis trap channel-quality threshold threshold-value
   By default, the channel quality alarm threshold is 35.
4. Enable the AC to send SNMP traps to the NMS when the channel quality is lower than the channel quality alarm threshold.
   Command (5 GHz radios): dot11a spectrum-analysis trap channel-quality enable
   Command (2.4 GHz radios): dot11bg spectrum-analysis trap channel-quality enable
   By default, the AC sends SNMP traps to the NMS when the channel quality is lower than the channel quality alarm threshold.

Enabling spectrum analysis to trigger channel adjustment

This function enables the AC to start calculating the channel quality, and to switch to a new channel with a higher quality when the channel quality is lower than the sensitivity level.
Before configuring this function, enable automatic channel selection with the channel auto command, and enable DFS. Otherwise, this function does not take effect. For more information about the channel auto command, see WLAN Command Reference. For more information about DFS, see "Configuring WLAN RRM."

To enable spectrum analysis to trigger channel adjustment:
1. Enter system view.
   Command: system-view
2. Enter WLAN RRM view.
   Command: wlan rrm
3. Specify the sensitivity level that triggers channel adjustment.
   Command (5 GHz radios): dot11a calibrate-channel sensitivity { high | low | medium }
   Command (2.4 GHz radios): dot11bg calibrate-channel sensitivity { high | low | medium }
   By default, the sensitivity level that triggers channel adjustment is medium.
4. Enable spectrum analysis to trigger channel adjustment.
   Command (5 GHz radios): dot11a calibrate-channel track spectrum-analysis
   Command (2.4 GHz radios): dot11bg calibrate-channel track spectrum-analysis
   By default, spectrum analysis does not trigger channel adjustment.

Displaying and maintaining spectrum analysis

Task: Display information about the detected non-802.11 interferences.
Command: display wlan spectrum-analysis device [ ap ap-name ]
Remarks: Available in any view.

Task: Display channel quality information.
Command: display wlan spectrum-analysis channel-quality [ ap ap-name ]
Remarks: Available in any view.

Spectrum analysis configuration example

Network requirements
As shown in Figure 84, AP 1 operates in normal mode to provide WLAN access services. AP 2 operates in monitor mode to detect interferences, channel quality, and FFT data. If AP 2 detects a microwave oven or Bluetooth device, AP 2 notifies the AC, which sends alarms to the NMS.

Figure 84 Network diagram (elements: NMS, AC, Switch, AP 1, Client, AP 2, Microwave oven, Bluetooth device)

Configuration procedure
# Configure AP 1 to operate in normal mode. For more information, see "Configuring WLAN access."
# Configure AP 2 to operate in monitor mode, and enable spectrum analysis on radio 2 of AP 2.
<AC> system-view
[AC] wlan ap ap2 model MSM460-WW
[AC-wlan-ap-ap2] serial-id CN2AD330S8
[AC-wlan-ap-ap2] work-mode monitor
[AC-wlan-ap-ap2] radio 2 type dot11gn
[AC-wlan-ap-ap2-radio-2] spectrum-analysis enable
[AC-wlan-ap-ap2-radio-2] radio enable
[AC-wlan-ap-ap2-radio-2] quit
[AC-wlan-ap-ap2] quit
# Enable spectrum analysis globally on 2.4 GHz radios.
[AC] wlan rrm
[AC-wlan-rrm] dot11bg spectrum-analysis enable
# Configure the AP to detect all interferences on 2.4 GHz radios. (Enabled by default.)
[AC-wlan-rrm] dot11bg spectrum-analysis device all
# Enable the AC to send alarms to the NMS when a microwave oven or Bluetooth device is detected on 2.4 GHz radios.
[AC-wlan-rrm] dot11bg spectrum-analysis trap device enable
[AC-wlan-rrm] undo dot11bg spectrum-analysis trap device all
[AC-wlan-rrm] dot11bg spectrum-analysis trap device bluetooth
[AC-wlan-rrm] dot11bg spectrum-analysis trap device microwave
[AC-wlan-rrm] return

Verifying the configuration
Execute the display wlan spectrum-analysis device command to display information about the non-802.11 interferences detected by AP 2. Execute the display wlan spectrum-analysis channel-quality command to display channel quality information.

Configuring AC backup

Overview

AC backup enables each AP to establish tunnels with a primary AC and a backup AC. The two ACs must have the same configuration for each AP. The primary AC provides services to all APs. If the primary AC fails, the backup AC becomes the new primary AC to provide services. The two ACs use a heartbeat mechanism to make sure the failure of the primary AC is quickly detected by the backup AC.

Primary AC recovery
As shown in Figure 85, AC 1 is the primary AC, and AC 2 is the backup AC. Configure a connection priority of 7 on AC 1. If AC 1 goes down, the AP connects to AC 2. AC 2 is the primary AC until the connection between AC 1 and the AP recovers. When AC 1 recovers, the primary AC recovery feature enables AC 1 to immediately become the primary AC again.

Figure 85 Primary AC recovery

Active/active mode
In active/active mode, both ACs are active. Each AC acts as the primary AC for some APs and as the backup AC for other APs. In Figure 86, AC 1 acts as the primary AC for AP 1 and backup AC for AP 2. AC 2 acts as the primary AC for AP 2 and backup AC for AP 1.

Figure 86 Active/active mode (elements: AC 1, AC 2, AP 1, AP 2)

AC backup
As shown in Figure 87, AC 1 is the primary AC that provides services to AP 1, AP 2, AP 3, and AP 4 through primary tunnels. AC 2 is the backup AC that connects to the APs through backup tunnels. When AC 1 fails, AC 2 quickly detects the failure and becomes the primary AC to provide services to the APs. All APs change their backup tunnels to AC 2 into primary tunnels. When AC 1 recovers, it acts as the backup AC.

Figure 87 Network diagram

Configuring AC backup

Follow these guidelines when you configure AC backup:

- To modify the wireless configurations of an AP, modify the configurations on the backup AC first to make sure the AP information can be backed up properly.
- The two ACs must have the same AP configuration. Otherwise, after a primary/backup switchover, the AP might fail to work.

To configure AC backup:
1. Enter system view.
   Command: system-view
2. Specify an IPv4/IPv6 backup AC.
   Command: wlan backup-ac { ip ipv4-address | ipv6 ipv6-address }
   By default, no backup AC is specified. The backup AC configured in AP template view takes precedence over that configured in system view.
3. Enter AP template view.
   Command: wlan ap ap-name [ model model-name [ id ap-id ] ]
   Specify the model name only when you create an AP template.
4. Specify an IPv4/IPv6 backup AC.
   Command: backup-ac { ip ipv4-address | ipv6 ipv6-address }
   By default, no IPv4/IPv6 backup AC is configured and the global backup AC is used by the AP. The backup AC configured in AP template view takes precedence over that configured in system view.
5. Specify the AC connection priority for the AP.
   Command: priority level priority
   By default, the AP connection priority is 4. An AC connection priority of 7 enables the AC to become the primary AC. When the primary AC fails and then recovers, it re-establishes connections with APs and becomes the primary AC.
6. Enable AC hot backup.
   Command: hot-backup enable [ domain domain-id ] *
   By default, AC hot backup is disabled. Support for this feature depends on your device model. For more information, see About the HP 830 Series PoE+ Unified Wired-WLAN Switch and HP 10500/ G Unified Wired-WLAN Module Configuration Guides.
7. Specify the VLAN ID for the ports transmitting data between ACs.
   Command: hot-backup vlan vlan-id
   By default, the VLAN ID is 1. Support for this feature depends on your device model. For more information, see About the HP 830 Series PoE+ Unified Wired-WLAN Switch and HP 10500/ G Unified Wired-WLAN Module Configuration Guides.

8. Specify the heartbeat interval between ACs.
   Command: hot-backup hellointerval hellointerval
   By default, the heartbeat interval is 2000 milliseconds. Support for this feature depends on your device model. For more information, see About the HP 830 Series PoE+ Unified Wired-WLAN Switch and HP 10500/ G Unified Wired-WLAN Module Configuration Guides.
9. Set the delay for an AP to switch from a master AC to a backup AC.
   Command: wlan backup-ac switch-delay time
   By default, the delay for an AP to switch from a master AC to a backup AC is 5 seconds.

Displaying AC backup connection status

Task: Display AC backup connection status.
Command: display hot-backup state [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Configuration example

The configuration example was created on the 10500/ G Unified Wired-WLAN module and may vary with device models. When configuring the 10500/ G Unified Wired-WLAN module, make sure the settings are correct (including VLAN settings) on the internal Ethernet interface that connects the module to the switch. For more information, see HP & G Unified Wired-WLAN Module Fundamentals Configuration Guide.

By default, the aggregate interfaces between the access controller engine and the switching engine on an 830 switch are Access interfaces in VLAN 1. When configuring the two aggregate interfaces, make sure their permitted VLANs are the same. HP also recommends setting their link type to be the same.

Network requirements
As shown in Figure 88, AC 1, AC 2, and the AP are in the same network. The AP gets its IP address from the DHCP server. AC 1 is the primary AC and AC 2 is the backup AC. When AC 1 fails, AC 2 quickly detects the failure and becomes the primary AC to provide services to the AP.

Figure 88 Network diagram (elements: DHCP server, AC 1, AC 2, L2 switch, AP, Client)

Configuration procedure
1. Configure AC 1:
# Create a WLAN-ESS interface.
<AC1> system-view
[AC1] interface WLAN-ESS 1
[AC1-WLAN-ESS1] quit
# Create a clear-type WLAN service template, configure the SSID of the service template as service, and bind interface WLAN-ESS 1 to this service template.
[AC1] wlan service-template 1 clear
[AC1-wlan-st-1] ssid service
[AC1-wlan-st-1] bind WLAN-ESS 1
[AC1-wlan-st-1] authentication-method open-system
[AC1-wlan-st-1] service-template enable
[AC1-wlan-st-1] quit
# Specify the backup AC address.
[AC1] wlan backup-ac ip
# Configure the AP on AC 1.
[AC1] wlan ap ap1 model MSM460-WW
[AC1-wlan-ap-ap1] serial-id CN2AD330S8
[AC1-wlan-ap-ap1] radio 1 type dot11an
[AC1-wlan-ap-ap1-radio-1] service-template 1
[AC1-wlan-ap-ap1-radio-1] radio enable
2. Configure AC 2:
# Create a WLAN-ESS interface.
<AC2> system-view
[AC2] interface wlan-ess 1
[AC2-WLAN-ESS1] quit
# Create a clear-type WLAN service template, configure the SSID on AC 2 as service (the primary and backup ACs must have the same SSID), and bind interface WLAN-ESS 1 to this service template.
[AC2] wlan service-template 1 clear
[AC2-wlan-st-1] ssid service

[AC2-wlan-st-1] bind WLAN-ESS 1
[AC2-wlan-st-1] authentication-method open-system
[AC2-wlan-st-1] service-template enable
[AC2-wlan-st-1] quit
# Specify the backup AC address.
[AC2] wlan backup-ac ip
# Configure the AP on AC 2.
[AC2] wlan ap ap1 model MSM460-WW
[AC2-wlan-ap-ap1] serial-id CN2AD330S7
[AC2-wlan-ap-ap1] radio 1 type dot11an
[AC2-wlan-ap-ap1-radio-1] service-template 1
[AC2-wlan-ap-ap1-radio-1] radio enable
3. Verify the configuration:
When AC 1 fails, AC 2 immediately becomes the primary AC. You can use the display wlan ap command on the AC to view the AP state.

Configuring uplink detection

Uplink detection makes sure that when the uplink of an AC fails, clients can access external networks through APs connected to another AC whose uplink operates properly. As shown in Figure 89, when the uplink of the AC fails, the uplink detection function detects the failure and disables the radio on the AP. If the uplink recovers, the AC enables the radio on the AP.

To achieve this, configure collaboration between NQA, track, and uplink detection:
- When the track entry is in Positive state, the AC enables the radio of the AP. Wireless clients can associate with the AP.
- When the track entry is in Negative state, the AC disables the radio of the AP. Wireless clients cannot associate with the AP.
- When the track entry is in Invalid state, the AC does not change the radio state of the AP.

For more information about the track module, see High Availability Configuration Guide. For more information about NQA, see Network Management and Monitoring Configuration Guide.

Figure 89 Network diagram

Configuration procedure

To configure uplink detection:
1. Enter system view.
   Command: system-view
2. Specify a track entry to detect whether the uplink is reachable.
   Command: wlan uplink track track-entry-number
   By default, no track entry is specified.

NOTE:
When the uplink of the AC fails, if a radio has mesh configured, the AC does not disable the radio even if you disable the mesh service before the next uplink down event. However, the next uplink down event can disable the radio.

Configuration example

The configuration example was created on the 10500/ G Unified Wired-WLAN module and may vary with device models. When configuring the 10500/ G Unified Wired-WLAN module, make sure the settings are correct (including VLAN settings) on the internal Ethernet interface that connects the module to the switch.

For more information, see HP & G Unified Wired-WLAN Module Fundamentals Configuration Guide.

By default, the aggregate interfaces between the access controller engine and the switching engine on an 830 switch are Access interfaces in VLAN 1. When configuring the two aggregate interfaces, make sure their permitted VLANs are the same. HP also recommends setting their link type to be the same.

Network requirements
As shown in Figure 90, when the uplink of the AC fails, clients cannot access external networks if they are associated with the AP that is connected to the AC. Enable the uplink detection function so that when the uplink of the AC fails, clients are prevented from associating with the AP that is connected to the AC.

Figure 90 Network diagram

Configuration procedure
# Create an NQA test group with test type ICMP echo, and configure related test parameters.
<AC> system-view
[AC] nqa entry admin test
[AC-nqa-admin-test] type icmp-echo
[AC-nqa-admin-test-icmp-echo] destination ip
# Configure the optional parameter frequency.
[AC-nqa-admin-test-icmp-echo] frequency 1000
# Configure reaction entry 1, specifying that five consecutive probe failures trigger the collaboration between the reaction entry and NQA.
[AC-nqa-admin-test-icmp-echo] reaction 1 checked-element probe-fail threshold-type consecutive 5 action-type trigger-only
[AC-nqa-admin-test-icmp-echo] quit
# Start the ICMP echo test.
[AC] nqa schedule admin test start-time now lifetime forever
# Configure track entry 1, and associate it with reaction entry 1 of the NQA test group (with the administrator admin, and the operation tag test).
[AC] track 1 nqa entry admin test reaction 1
# Specify track entry 1 for uplink detection.
[AC] wlan uplink track 1

Optimizing WLAN

Proper channel planning and power control policies during WLAN deployment are important for good performance. However, in live WLAN networks, channel overlapping, collisions, and interference can easily occur because the non-overlapping channels are limited while the number of WLAN devices keeps increasing. This chapter describes a set of features used to improve the quality and stability of live WLAN networks.

A feature applied in different WLANs might have different effects because many factors impact WLAN performance. There is no fixed combination of features for optimizing a specific WLAN. Select the features most suitable for your WLAN.

The features described in this chapter cannot significantly change the performance of a WLAN. In practice, if the features used can improve the WLAN performance by 3%, the optimization is considered successful.

Rejecting wireless clients with low RSSI

Wireless clients whose packets have a low received signal strength indicator (RSSI) cannot get good service or performance, but they occupy wireless channels, especially when they are downloading huge amounts of data, which might affect other clients with high RSSI. This task configures an RSSI threshold so that clients whose RSSI is lower than the configured value cannot access the WLAN.

To configure the client-reject signal threshold:
1. Enter system view.
   Command: system-view
2. Configure the client-reject RSSI.
   Command: wlan option client-reject rssi
   By default, the client-reject RSSI is not configured.

Enabling fair scheduling

The fair scheduling feature sends a packet destined to a different client each time to ensure fairness. This mechanism avoids the situation where some clients occupy the output queues on an AP for a long time, for example, a client downloading bulky data by using applications such as BT and video on demand.

To enable fair scheduling:

1. Enter system view.
   Command: system-view
2. Enable fair scheduling.
   Command: wlan option fair-schedule enable
   By default, fair scheduling is disabled.

Ignoring weak signals

When an AP detects weak signals from a remote client, it considers the channel occupied and does not forward other packets. This feature avoids the impact of weak signals by enabling an AP to ignore packets whose signal strength is lower than a specific RSSI. Although this feature increases the forwarding rate of the AP, it might cause interference or collisions with other devices working on the same channel.

To ignore signals weaker than an RSSI:
1. Enter system view.
   Command: system-view
2. Ignore signals weaker than an RSSI.
   Command: wlan option signal-ignore rssi
   Not configured by default.

Enabling 802.11n packet suppression

802.11n introduces the A-MPDU frame format. By using only one PHY header, each A-MPDU can accommodate multiple MPDUs that have their PHY headers removed. This reduces the transmission overhead and the number of ACK frames used, and improves network throughput. In practice, however, 802.11gn, 802.11g, and 802.11b clients may coexist, and the MPDU aggregation capability of 802.11n affects the performance of other types of clients. This feature can suppress 802.11n packets by defining two thresholds, a maximum number of aggregated MPDUs and a maximum A-MPDU length. The two thresholds take effect at the same time. If either threshold is reached, the AP stops aggregation and sends the A-MPDU.

To configure 802.11n packet suppression:
1. Enter system view.
   Command: system-view
2. Enable 802.11n packet suppression and specify the thresholds.
   Command: wlan option dot11n-restraint packet-number max-packets packet-length max-length
   By default, 802.11n packet suppression is not enabled. This feature reduces the impact of 802.11n clients on other types of clients.

Enabling traffic shaping based on link status

Clients near an AP have high RSSI, while clients at the border of the coverage area of the AP have low RSSI. When the network is busy, the weak clients occupy the working channel of the AP for a long time because of their lower speeds. That affects the clients with good RSSI.
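To make the two-threshold rule of 802.11n packet suppression concrete, here is an added Python model, not HP code: it aggregates a queue of MPDU sizes under the packet-number and packet-length caps and estimates how long the longest burst holds the channel, which is what the other client types have to wait for. The PHY rate and PHY header duration are assumed illustrative values, not figures from the guide.

```python
"""A-MPDU aggregation under the two 802.11n packet suppression thresholds.

Constructed model of the behaviour described above (not device code): the AP
appends MPDUs to the current A-MPDU until either the maximum MPDU count or the
maximum A-MPDU length is reached, then sends the A-MPDU and starts a new one.
"""
from typing import List, Tuple


def aggregate(mpdu_lengths: List[int], max_packets: int, max_length: int) -> List[List[int]]:
    """Split a queue of MPDU lengths (bytes) into A-MPDUs.

    max_packets: the 'packet-number' threshold; max_length: the 'packet-length'
    threshold in bytes. An MPDU larger than max_length is sent on its own.
    """
    if max_packets < 1 or max_length < 1:
        raise ValueError("thresholds must be positive")
    ampdus: List[List[int]] = []
    current: List[int] = []
    current_len = 0
    for length in mpdu_lengths:
        fits = len(current) < max_packets and current_len + length <= max_length
        if current and not fits:
            ampdus.append(current)          # a threshold would be exceeded: send what we have
            current, current_len = [], 0
        current.append(length)
        current_len += length
        if len(current) == max_packets or current_len >= max_length:
            ampdus.append(current)          # a threshold is reached exactly: send now
            current, current_len = [], 0
    if current:
        ampdus.append(current)
    return ampdus


def burst_airtime_us(ampdu: List[int], phy_rate_mbps: float = 65.0, phy_header_us: float = 40.0) -> float:
    """Rough airtime of one A-MPDU: one PHY header plus the payload at the PHY rate.

    65 Mbps and a 40 us header are assumed illustrative values (not from the guide);
    the point is that one header is shared by every MPDU in the burst.
    """
    return phy_header_us + sum(ampdu) * 8 / phy_rate_mbps


def compare(mpdu_lengths: List[int], max_packets: int, max_length: int) -> Tuple[Tuple[int, float], Tuple[int, float]]:
    """(A-MPDU count, longest burst in us) without suppression and with the thresholds.

    Without suppression the whole queue is modelled as one A-MPDU; with suppression
    more bursts are sent, each shorter, so non-802.11n clients wait less per burst.
    """
    unsuppressed = aggregate(mpdu_lengths, len(mpdu_lengths), sum(mpdu_lengths))
    suppressed = aggregate(mpdu_lengths, max_packets, max_length)
    return (
        (len(unsuppressed), round(max(burst_airtime_us(a) for a in unsuppressed), 1)),
        (len(suppressed), round(max(burst_airtime_us(a) for a in suppressed), 1)),
    )


if __name__ == "__main__":
    # Constructed queue: six 1500-byte MPDUs, capped at 2 MPDUs / 4000 bytes per A-MPDU.
    print(compare([1500] * 6, max_packets=2, max_length=4000))
```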

The traffic shaping feature identifies the weak clients by checking their signal strength and packet loss ratio. It controls their packet throughput dynamically to reduce their impact on other clients.

To enable traffic shaping:
1. Enter system view.
   Command: system-view
2. Enable traffic shaping based on link status.
   Command: wlan option traffic-shaping enable
   By default, traffic shaping based on link status is disabled.

Configuring the rate algorithm

802.11 protocols each support a set of rates. For example, 802.11g supports the rates of 1, 2, 5.5, 11, 6, 9, 12, 18, 24, 36, 48, and 54 Mbps. An 802.11 protocol dynamically selects a proper rate based on the channel quality and history data. A rate algorithm applied on a radio can avoid improper rate adjustments that can impact network operation. The system supports multiple rate algorithms, including ARR, HDD, HDD2, and LPL. The default rate algorithm, ARR, is applicable in various scenarios.

To configure the rate algorithm:
1. Enter system view.
   Command: system-view
2. Configure the rate algorithm.
   Command: wlan option rate-algorithm { arr band hdd hdd2 lpl packet-count up-threshold down-threshold }
   By default, the rate algorithm is ARR. You can configure the rate algorithm only on 802.11a/b/g radios.

Enabling channel sharing adjustment

The non-overlapping channels of an 802.11 protocol are limited. For example, 802.11g has only three non-overlapping channels. Therefore, an AP can easily detect other APs working on the same channel, especially in a high-density WLAN. Channel overlapping causes collisions and interference, and reduces WLAN performance. Proper channel planning and power control policies during WLAN deployment are the major methods to reduce overlapping. In addition, you can perform this task in a live network to reduce the impact of overlapping.

This task configures a power level. If an AP detects signals stronger than the power level, the AP considers the channel occupied and does not send packets. If the detected signals are weaker than the power level, the AP sends the packets. This mechanism avoids collisions and interference.
To enable channel sharing adjustment:

1. Enter system view.
   Command: system-view
2. Enable channel sharing adjustment and specify the power level.
   Command: wlan option channel-share power-level
   By default, the power level is 30. Do not enable channel sharing adjustment and channel reuse adjustment at the same time.

Enabling channel reuse adjustment

CAUTION:
Do not enable channel sharing adjustment and channel reuse adjustment at the same time. Enabling channel reuse adjustment might result in more hidden nodes.

WLAN devices within a space share the same medium. They use collision avoidance and contention mechanisms to send frames over channels. As the number of devices working on a channel increases, the whole WLAN performance degrades. To solve the problem, make proper channel planning and power control policies before WLAN deployment. In addition, you can perform this task in a live network to improve the performance of APs working on the same channel.

This task configures a channel reuse level. An AP ignores packets whose RSSI is lower than the reuse level so that it can get more radio frequency resources and higher speed.

To enable channel reuse adjustment:
1. Enter system view.
   Command: system-view
2. Enable channel reuse adjustment and specify the reuse level.
   Command: wlan option channel-reuse reuse-level
   By default, channel reuse adjustment is not enabled.

Disabling buffering of multicasts and broadcasts

If one of the clients associated with an AP is in sleep state, the AC stops sending all broadcast and multicast packets and buffers them until it sends the next Beacon frame. This mechanism affects the performance of multicast applications. You can perform this task to disable buffering of multicast and broadcast packets. The AC then sends all broadcast and multicast packets directly, regardless of whether an associated client is in sleep state. Set the power management parameter to the maximum value on wireless clients to prevent them from entering sleep state.

To disable buffering of multicasts and broadcasts:

214 2. Disable buffering of multicasts and broadcasts. undo wlan option broadcast-buffer enable By default, buffering of multicasts and broadcasts is enabled. Disabling buffering of multicasts and broadcasts improves multicast performance in specific scenarios such as multicast-based training, but clients in sleep state will lose some broadcast and multicast packets. Enabling packet-based TPC An AP typically uses a high and fixed transmit power to cover an area as large as possible. This mechanism is not energy saving. This feature enables an AP to dynamically perform transmit power control (TPC) on a per packet basis. For example, the AP reduces the transmit power when it sends packets to a client with high RSSI. This feature can reduce power consumption, radiation, and interference, improving user experience. To enable TPC on a per packet basis: 2. Enable TPC on a per packet basis. wlan option tpc enable By default, packet-based TPC is disabled. Enabling the AP to trigger client reconnection This feature enables an AP to send unsolicited de-authentication frames to a client when the signal strength of the client is lower than the specified RSSI value so that the client can re-connect to the AP or roam to another AP. To enable an AP to trigger client reconnection: 2. Enable an AP to trigger client reconnection. wlan option client-reconnect-trigger rssi signal-check By default, an AP is disabled from triggering client reconnection. Enabling the AP to receive all broadcasts This feature enables an AP to receive all broadcasts so that the AP can detect spoofing attacks for all BSSs. Support for this feature depends on the AP model. APs that do not support this feature will ignore this configuration obtained from the AC. 206

215 Disable this feature when it is not needed because receiving all broadcasts affects the normal operation of an AP. To enable the AP to receive all broadcasts: 2. Enable the AP to receive all broadcasts. wlan option rx-broadcast-all enable By default, an AP is disabled from receiving all broadcasts. Enabling the green-ap function This feature enables an AP to use one radio when no clients are associated with it to save energy. To enable the green-ap function: 2. Enable the green-ap function. wlan option green-ap enable By default, the green-ap function is disabled. Configuring roaming navigation WLAN protocols do not provide any client roaming control mechanisms. Roaming navigation enables clients to roam to an AP with better signal strength to enhance user experience. To configure roaming navigation for the AP: 2. Configure roaming navigation. wlan option roam-navigation level level [ rssi client-level ] By default, the roaming navigation function is disabled. Enabling rate limit based on client type This feature limits traffic by client type to avoid bandwidth consumption by low-performance clients and achieve better performance. For example, to ensure better experience of n clients, you can restrict the rate of g or a clients in the network. To enable rate limit based on client type: 207

216 2. Enable rate limit based on client type. wlan option client-rate-limit { dot11b dot11ag dot11n } [ inbound outbound ] cir kbps [ cbs byte ] By default, rate limit based on client type is disabled. Configuring the maximum transmission times for probe responses This feature reduces the number of probe responses sent by a radio to achieve better performance. To configure the maximum transmission times for probe responses: 2. Configure the maximum transmission times for probe responses. wlan option probe-response-try trynum By default, the maximum transmission times for probe responses is 2. Configure the maximum interference threshold This feature stops data forwarding on the channel where interference signal power reaches the threshold. This channel is unavailable until the interference signal power goes below the threshold again. To configure the maximum interference threshold: 2. Configure the maximum interference threshold. wlan option max-interfer-threshold value By default, the maximum interference threshold is 50. WLAN optimization configuration examples The configuration examples were created on the 10500/ G unified wired-wlan module and may vary with device models. When configuring the 10500/ G unified wired-wlan module, make sure the settings are correct (including VLAN settings) on the internal Ethernet interface that connects the module to the switch. For more information, see HP & G Unified Wired-WLAN Module Fundamentals Configuration Guide. By default, the aggregate interfaces between the access controller engine and the switching engine on an 830 switch are Access interfaces in VLAN 1. When configuring the two aggregate interfaces, make sure their permitted VLANs are the same. HP also recommends setting their link type to be the same. 208

217 Optimizing a high-density WLAN Network requirements Deploy a WLAN in a six-floor dormitory building. Each floor has 20 dormitory rooms, and each room has an average of four wireless clients. Deploy four APs at each floor, and connect them to an AC through a Layer-2 switch in the wiring closet of the floor. In addition, configure the following features to optimize the WLAN: Reject wireless clients with low RSSI Ignore weak signals Enable traffic shaping based on link status Enable fair scheduling Figure 91 Network diagram Configuration procedure 1. Configure IP addresses and masks for devices as shown in Figure 91. (Details not shown.) 2. Configure the AC: Configure a WLAN service. For more information about WLAN service configuration, see "Configuring WLAN access". The following configures a clear-type WLAN service. # Add interface WLAN-ESS 1 to VLAN 100. <AC> system-view [AC] interface WLAN-ESS 1 [AC-WLAN-ESS1] port access vlan 100 [AC-WLAN-ESS1] quit # Create clear-type service template 1, specify its SSID as Clear-Test, bind the template with WLAN-ESS1, and enable the template. [AC] wlan service-template 1 clear [AC-wlan-st-1] ssid Clear-Test [AC-wlan-st-1] bind WLAN-ESS 1 209

218 [AC-wlan-st-1] service-template enable [AC-wlan-st-1] quit 3. Configure the APs: Configure all the APs on the AC. The following takes an AP as an example. # Create AP template ap1 with the model as MSM460-WW, and specify the serial ID as CN2AD330S8. [AC] wlan ap ap1 model MSM460-WW [AC-wlan-ap-ap1] serial-id CN2AD330S8 # Apply the service template 1 to radio 1 and enable the radio. [AC-wlan-ap-ap1] radio 1 [AC-wlan-ap-ap1-radio-1] service-template 1 [AC-wlan-ap-ap1-radio-1] radio enable [AC-wlan-ap-ap1-radio-1] quit [AC-wlan-ap-ap1] quit 4. Configure WLAN optimization features: # Reject clients whose signal strength is lower than 15 dbm. [AC] wlan option client-reject 15 # Ignore signals with strength lower than 15 dbm. [AC] wlan option signal-ignore 15 # Enable traffic shaping based on link status and enable fair scheduling. [AC] wlan option traffic-shaping enable [AC] wlan option fair-schedule enable Optimizing a WLAN with multicast application Network requirements Deploy an AC and five dual-band APs in a training center that has multiple training rooms and provides multicast-based training programs. Use WLAN RRM to set the multicast rate. In addition, disable buffering of multicasts and broadcasts for the WLAN so that the clients can receive multicast traffic in real time. HP recommends that you install a dual-band wireless network interface card and set the power management parameter to the maximum on each client to prevent the clients from entering sleep state. Figure 92 Network diagram L2 Switch Client 1 AP 1 AC /24 Client 2 AP 2 DHCP server /24 210

219 Configuration procedure 1. Configure IP addresses for devices as shown in Figure 92. (Details not shown.) 2. Configure the AC: Configure a WLAN service. For more information about WLAN service configuration, see "Configuring WLAN access." The following configures a clear-type WLAN service. # Add interface WLAN-ESS 1 to VLAN 100. <AC> system-view [AC] interface WLAN-ESS 1 [AC-WLAN-ESS1] port access vlan 100 [AC-WLAN-ESS1] quit # Create clear-type service template 1, specify its SSID as Clear-Test, bind the template with WLAN-ESS1, and enable the template. [AC] wlan service-template 1 clear [AC-wlan-st-1] ssid Clear-Test [AC-wlan-st-1] bind WLAN-ESS 1 [AC-wlan-st-1] service-template enable [AC-wlan-st-1] quit 3. Configure the APs: Configure all the APs on the AC. The following takes an AP as an example. # Create AP template ap1 with the model as MSM460-WW, and specify the serial ID as CN2AD330S8. [AC] wlan ap ap1 model MSM460-WW [AC-wlan-ap-ap1] serial-id CN2AD330S8 # Apply the service template 1 to radio 1, specify its working channel as 149, and enable radio 1. [AC-wlan-ap-ap1] radio 1 [AC-wlan-ap-ap1-radio-1] channel 149 [AC-wlan-ap-ap1-radio-1] service-template 1 [AC-wlan-ap-ap1-radio-1] radio enable # Apply the service template 1 to radio 2, specify its working channel as 1, and enable radio 2. [AC-wlan-ap-ap1-radio-1] radio 2 [AC-wlan-ap-ap1-radio-2] channel 1 [AC-wlan-ap-ap1-radio-2] service-template 1 [AC-wlan-ap-ap1-radio-2] radio enable 4. Set the multicast rate: # Log in to the Web interface of the AC, and enter the Rate page as shown in Figure 93. Set the multicast rate to 24 Mbps for g and a, and click Apply. 211

220 Figure 93 Configuring the multicast rate 5. Disable buffering of multicast and broadcast packets: [AC] undo wlan option broadcast-buffer enable Optimizing an n WLAN Network requirements As shown in Figure 94, all the clients and APs get their IP addresses from the DHCP server. Client 1 using n associates with AP 1, and Client 2 using g associates with AP 2. Enable n packet suppression and enable traffic shaping based on link status so that Client 1 does not affect Client 2. Figure 94 Network diagram L2 Switch Client 1 AP 1 AC /24 Client 2 AP 2 DHCP server /24 212
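To see how the wlan option settings described in this chapter combine, and to catch the channel-share/channel-reuse conflict the CAUTION warns about before a configuration is pushed, here is an added Python audit script. It is not part of this guide or of the HP/H3C software; the defaults table, the finding texts and the sample configuration are constructed from the commands and "By default" statements on this page, and the channel-reuse value 20 is an arbitrary constructed sample.

```python
"""Audit the 'wlan option' optimization settings in a Comware-style configuration.

Added example, not part of the HP guide or product. It starts from the defaults
the guide documents, applies every 'wlan option' line found in the text, and
reports the conditions the guide cautions about.
"""
import re

# Documented defaults ("By default, ..." statements in this chapter). On/off
# features are "enabled"/"disabled"; features that take a value hold it as a string.
DEFAULTS = {
    "traffic-shaping": "disabled",
    "rate-algorithm": "arr",
    "channel-share": "disabled",
    "channel-reuse": "disabled",
    "broadcast-buffer": "enabled",
    "tpc": "disabled",
    "client-reconnect-trigger": "disabled",
    "rx-broadcast-all": "disabled",
    "green-ap": "disabled",
    "roam-navigation": "disabled",
    "client-rate-limit": "disabled",
    "probe-response-try": "2",
    "max-interfer-threshold": "50",
}

# Matches "[undo] wlan option <option> [<arguments>]" with any leading indent.
LINE_RE = re.compile(r"^\s*(?P<undo>undo\s+)?wlan option (?P<opt>[\w-]+)\s*(?P<args>.*?)\s*$")


def parse_wlan_options(config_text):
    """Return the effective {option: value} map after applying every
    'wlan option' line in config_text on top of DEFAULTS.

    - 'wlan option X enable'      -> X = 'enabled'
    - 'wlan option X <args>'      -> X = '<args>' (for example a power level)
    - 'undo wlan option X enable' -> X = 'disabled'
    - 'undo wlan option X'        -> X = documented default
    Lines that are not 'wlan option' commands are ignored.
    """
    settings = dict(DEFAULTS)
    for line in config_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        opt, args = m.group("opt"), m.group("args")
        if m.group("undo"):
            settings[opt] = "disabled" if args == "enable" else DEFAULTS.get(opt, "disabled")
        elif args == "enable":
            settings[opt] = "enabled"
        else:
            settings[opt] = args or "enabled"
    return settings


def audit(settings):
    """Return the findings implied by the cautions and notes in this chapter."""
    findings = []
    if settings["channel-share"] != "disabled" and settings["channel-reuse"] != "disabled":
        findings.append("channel-share and channel-reuse are both enabled; "
                        "the guide says not to enable them at the same time")
    if settings["rx-broadcast-all"] == "enabled":
        findings.append("rx-broadcast-all is enabled; disable it when not needed "
                        "because it affects normal AP operation")
    if settings["broadcast-buffer"] == "disabled":
        findings.append("broadcast/multicast buffering is disabled; clients in sleep "
                        "state will lose some broadcast and multicast packets")
    return findings


def changed_from_default(settings):
    """Return {option: value} for every setting that differs from DEFAULTS."""
    return {k: v for k, v in settings.items() if DEFAULTS.get(k) != v}


# Constructed sample: the optimization commands from the configuration examples
# above, plus channel-share and channel-reuse enabled together to trigger the caution.
SAMPLE_CONFIG = """\
#
 wlan option client-reject 15
 wlan option signal-ignore 15
 wlan option traffic-shaping enable
 wlan option fair-schedule enable
 wlan option channel-share 30
 wlan option channel-reuse 20
 undo wlan option broadcast-buffer enable
#
"""

if __name__ == "__main__":
    effective = parse_wlan_options(SAMPLE_CONFIG)
    for key, value in sorted(changed_from_default(effective).items()):
        print(f"{key:<25} {value}")
    for finding in audit(effective):
        print("FINDING:", finding)
```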


More information

HP A5120 EI Switch Series IRF. Command Reference. Abstract

HP A5120 EI Switch Series IRF. Command Reference. Abstract HP A5120 EI Switch Series IRF Command Reference Abstract This document describes the commands and command syntax options available for the HP A Series products. This document is intended for network planners,

More information

Managing Rogue Devices

Managing Rogue Devices Finding Feature Information, page 1 Information About Rogue Devices, page 1 How to Configure Rogue Detection, page 6 Monitoring Rogue Detection, page 8 Examples: Rogue Detection Configuration, page 9 Additional

More information

HP Load Balancing Module

HP Load Balancing Module HP Load Balancing Module Load Balancing Configuration Guide Part number: 5998-4218 Software version: Feature 3221 Document version: 6PW100-20130326 Legal and notice information Copyright 2013 Hewlett-Packard

More information

User Guide. Omada Controller Software

User Guide. Omada Controller Software User Guide Omada Controller Software 1910012394 REV 2.7.0 July 2018 CONTENTS 1 Quick Start... 1 1.1 Determine the Network Topology...2 1.1.1 Management in the Same Subnet... 2 1.1.2 Management in Different

More information

ProCurve Switch G ProCurve Switch G

ProCurve Switch G ProCurve Switch G Management and Configuration Guide ProCurve Switch 1800-8G ProCurve Switch 1800-24G www.procurve.com ProCurve Series 1800 Switch Management and Configuration Guide Copyright 2006, 2007 Hewlett-Packard

More information

HP FlexFabric 5930 Switch Series

HP FlexFabric 5930 Switch Series HP FlexFabric 5930 Switch Series Layer 3 - IP Services Configuration Guide Part number: 5998-4571 Software version: Release 2406 & Release 2407P01 Document version: 6W101-20140404 Legal and notice information

More information

LP-2396K Outdoor 2.4GHz Wireless AP/CPE/Bridge

LP-2396K Outdoor 2.4GHz Wireless AP/CPE/Bridge User Manual LP-2396K Outdoor 2.4GHz Wireless AP/CPE/Bridge 1 Table of Contents 1. Introduction... 3 1.1 Product Introduction... 4 1.2 Package Content... 5 1.3 Product Features... 6 1.4 Application... 6

More information

Configuring Hybrid REAP

Configuring Hybrid REAP 13 CHAPTER This chapter describes hybrid REAP and explains how to configure this feature on controllers and access points. It contains the following sections: Information About Hybrid REAP, page 13-1,

More information

HP 6600/HSR6600 Routers

HP 6600/HSR6600 Routers HP 6600/HSR6600 Routers Interface Configuration Guide Part number: 5998-1499 Software version: A6602-CMW520-R3103 A6600-CMW520-R3102-RPE A6600-CMW520-R3102-RSE HSR6602_MCP-CMW520-R3102 Document version:

More information

Wireless Protocols. Training materials for wireless trainers

Wireless Protocols. Training materials for wireless trainers Wireless Protocols Training materials for wireless trainers Goals The goal of this lecture is to introduce: IEEE wireless protocols coverage 802.11 radio protocols terminology WiFi modes of operation details

More information

HP 5920 & 5900 Switch Series

HP 5920 & 5900 Switch Series HP 5920 & 5900 Switch Series EVB Configuration Guide Part number: 5998-3379 Software version: Release2207 Document version: 6W100-20121130 Legal and notice information Copyright 2012 Hewlett-Packard Development

More information

HP Routing Switch Series

HP Routing Switch Series HP 12500 Routing Switch Series MPLS Configuration Guide Part number: 5998-3414 Software version: 12500-CMW710-R7128 Document version: 6W710-20121130 Legal and notice information Copyright 2012 Hewlett-Packard

More information

H3C WA Series WLAN Access Points. Layer 2 WAN Command Reference. Hangzhou H3C Technologies Co., Ltd.

H3C WA Series WLAN Access Points. Layer 2 WAN Command Reference. Hangzhou H3C Technologies Co., Ltd. H3C WA Series WLAN Access Points Layer 2 WAN Command Reference Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Document Version: 6W100-20100910 Copyright 2010, Hangzhou H3C Technologies Co., Ltd.

More information

HP 5920 & 5900 Switch Series

HP 5920 & 5900 Switch Series HP 5920 & 5900 Switch Series IP Multicast Configuration Guide Part number: 5998-3373 Software version: Release2207 Document version: 6W100-20121130 Legal and notice information Copyright 2012 Hewlett-Packard

More information

WL-5420AP. User s Guide

WL-5420AP. User s Guide WL-5420AP User s Guide Table of contents INTRODUCTION... 1 About the Operation Modes...2 LED Indicators...5 Solid...5 Ports on the Rear Panel...7 GETTING CONNECTED... 8 WPA AP -CONFIGURATION VIA WEB...

More information

exam. Number: Passing Score: 800 Time Limit: 120 min CISCO Deploying Cisco Wireless Enterprise Networks. Version 1.

exam. Number: Passing Score: 800 Time Limit: 120 min CISCO Deploying Cisco Wireless Enterprise Networks. Version 1. 300-365.exam Number: 300-365 Passing Score: 800 Time Limit: 120 min CISCO 300-365 Deploying Cisco Wireless Enterprise Networks Version 1.0 Exam A QUESTION 1 The customer has deployed C7960 phones with

More information

Outdoor High Power Wireless N Access Point

Outdoor High Power Wireless N Access Point Outdoor High Power Wireless N Access Point Model WND930 User Manual December 2017 202-11483-02 350 East Plumeria Drive San Jose, CA 95134 USA Support Thank you for purchasing this NETGEAR product. You

More information

3.1. Introduction to WLAN IEEE

3.1. Introduction to WLAN IEEE 3.1. Introduction to WLAN IEEE 802.11 WCOM, WLAN, 1 References [1] J. Schiller, Mobile Communications, 2nd Ed., Pearson, 2003. [2] Martin Sauter, "From GSM to LTE", chapter 6, Wiley, 2011. [3] wiki to

More information

HP A3100 v2 Switch Series

HP A3100 v2 Switch Series HP A3100 v2 Switch Series Layer 2 - LAN Switching Command Reference HP A3100-8 v2 SI Switch (JG221A) HP A3100-16 v2 SI Switch (JG222A) HP A3100-24 v2 SI Switch (JG223A) HP A3100-8 v2 EI Switch (JD318B)

More information

WiNG 5.x How-To Guide

WiNG 5.x How-To Guide WiNG 5.x How-To Guide Tunneling Remote Traffic using L2TPv3 Part No. TME-08-2012-01 Rev. A MOTOROLA, MOTO, MOTOROLA SOLUTIONS and the Stylized M Logo are trademarks or registered trademarks of Motorola

More information

Release Notes for Avaya WLAN 9100 AOS-Lite Operating System WAP9112 Release WAP9114 Release 8.1.0

Release Notes for Avaya WLAN 9100 AOS-Lite Operating System WAP9112 Release WAP9114 Release 8.1.0 WLAN 9100 Release Notes Release Notes for Avaya WLAN 9100 AOS-Lite Operating System WAP9112 Release 8.1.0 WAP9114 Release 8.1.0 Avaya Inc - External Distribution 1. Introduction This document provides

More information

HPE FlexFabric 5940 Switch Series

HPE FlexFabric 5940 Switch Series HPE FlexFabric 5940 Switch Series Layer 3 IP Services Configuration Guide Part number: 5200-1022a Software version: Release 2508 and later verison Document version: 6W101-20161101 Copyright 2016 Hewlett

More information

Configuring parameters and Band Selection

Configuring parameters and Band Selection Configuring 802.11 parameters and Band Selection Finding Feature Information, page 1 Restrictions on Band Selection, 802.11 Bands, and Parameters, page 1 Information About Configuring Band Selection, 802.11

More information