MiNT provides the means to secure profile communications at the transport layer. Using MiNT, a device can be configured to only communicate with other authorized (MiNT enabled) devices. Keys can also be generated externally using any application (like openssl). These keys must be present on the device managing the domain for key signing to be integrated with the UI. A device needing to communicate with another first negotiates a security context with that device.
The security context contains the transient keys used for encryption and authentication. A secure network requires users to know about certificates and PKI. However, administrators do not need to define security parameters for Access Points to be adopted (secure WISPe being an exception, but that isn't a commonly used feature). Also, users can replace any device on the network or move devices around and they continue to work. Default security parameters for MiNT are such that these scenarios continue to function as expected, with minimal user intervention required only when a new network is deployed.
To define or override a profile's MiNT configuration:
Level 1 Area ID | Select this option to either use a spinner control for setting the Level 1 Area ID (1 - 16,777,215) or create an alias for the ID. An alias enables an administrator to define a configuration item, such as this area ID, once and use the alias across different configuration items. The default value is disabled. |
Designated IS Priority Adjustment | Use the spinner control to set a Designated IS Priority Adjustment setting from -255 - +255. This is the value added to the base level DIS priority to influence the Designated IS (DIS) election. A value of +1 or greater increases DISiness. The default setting is 0. |
MLCP IP | Select this option to enable MiNT Link Creation Protocol (MLCP) by IP Address. MLCP is used to create a UDP/IP link from the device to a neighbor. The neighboring device does not need to be a controller or service platform. It can be another access point with a path to the controller or service platform. This setting is enabled by default. |
MLCP IPv6 | Select this option to enable MLCP for automated MiNT UDP/IP link creation. This setting is enabled by default. |
MLCP VLAN | Select this option to enable MiNT MLCP by VLAN. MLCP is used to create one VLAN link from the device to a neighbor. The neighboring device does not need to be a controller or service platform; it can be another access point with a path to the controller or service platform. This setting is enabled by default. |
Tunnel MiNT across extended VLAN | Select this option to tunnel MiNT protocol packets across an extended VLAN. This setting is disabled by default. |
The IP tab displays the IP address, Routing Level, Listening Link, Port, Forced Link, Link Cost, Hello Packet Interval, Adjacency Hold Time, IPSec Secure, and IPSec GW information that managed devices use to communicate securely with each other.
IP | Define or override the IP address used by peers for inter-operation when supporting the MiNT protocol. Use the drop-down list to select the type of IP address provided. The available options are IPv4 Address and IPv6 Address. |
Port | To specify a custom port for MiNT links, select this option and use the spinner control to define or override the port number from 1 - 65,535. |
Routing Level | Define or override a routing level of either 1 or 2. |
Listening Link | Specify a listening link of either 0 or 1. UDP/IP links can be created by configuring a matching pair of links, one on each end point. However, that is error prone and does not scale. So UDP/IP links can also listen (in the TCP sense), and dynamically create connected UDP/IP links when contacted. The typical configuration is to have a listening UDP/IP link on the IP address S.S.S.S, and for all the APs to have a regular UDP/IP link to S.S.S.S. |
Forced Link | Select this option to specify the MiNT link as a forced link. |
Link Cost | Define or override a link cost from 1 - 10,000. The default value is 100. |
Hello Packet Interval | Set or override an interval in either seconds (1 - 120) or minutes (1 - 2) for the transmission of hello packets. The default interval is 15 seconds. |
Adjacency Hold Time | Set or override a hold time interval in either seconds (2 - 600) or minutes (1 - 10) for the transmission of hello packets. The default interval is 46 seconds. |
IPSec Secure | Select this option to use a secure link for IPSec traffic. This setting is disabled by default. |
IPSec GW | Select the numerical IP address or administrator defined hostname of the IPSec gateway. Hostnames cannot include an underscore character. |
The VLAN tab displays the VLAN, Routing Level, Link Cost, Hello Packet Interval, and Adjacency Hold Time that managed devices use to communicate securely with one another.
VLAN | Define a VLAN ID from 1 - 4094 used by peer controllers for inter-operation when supporting the MiNT protocol. |
Routing Level | Define or override a routing level of either 1 or 2. |
Link Cost | Use the spinner control to define or override a link cost from 1 - 10,000. The default value is 10. |
Hello Packet Interval | Set or override an interval in either seconds (1 - 120) or minutes (1 - 2) for the transmission of hello packets. The default interval is 4 seconds. |
Adjacency Hold Time | Set or override a hold time interval in either seconds (2 - 600) or minutes (1 - 10) for the transmission of hello packets. The default interval is 13 seconds. |
The Rate Limits tab displays the data rate limits configured on extended VLANs and lets an administrator add or edit rate limit configurations.
Excessive traffic can cause performance issues on an extended VLAN. Excessive traffic can be caused by numerous sources including network loops, faulty devices, or malicious software such as a worm or virus that has infected one or more devices. Rate limiting reduces the maximum rate sent or received per wireless client. It prevents any single user from overwhelming the wireless network. It can also provide differential service for service providers. Uplink and downlink rate limits are usually configured on a RADIUS server using vendor specific attributes. Rate limits are extracted from the RADIUS server's response. When such attributes are not present, the settings defined on the controller, service platform, or access point are applied. An administrator can set separate QoS rate limit configurations for data transmitted from the network (upstream) and data transmitted from wireless clients back to associated radios (downstream). Existing rate limit configurations display along with their virtual connection protocols and data traffic QoS customizations.
Level | Select level2 to apply rate limiting for all links on level 2. |
Protocol | Select either mlcp or link as this configuration's rate limit protocol. MiNT Link Creation Protocol (MLCP) creates a UDP/IP link from the device to a neighbor. The neighboring device does not need to be a controller or service platform; it can be an access point with a path to the controller or service platform. Select link to rate limit using statically configured MiNT links. |
Link Type | Select either VLAN, to configure a rate limit configuration on a specific virtual LAN, or IP to set rate limits on a static IP address/port configuration. |
VLAN | When Protocol is set to link and Link Type is set to VLAN, select a virtual LAN from 1 - 4094 to refine the rate limiting configuration to a specific VLAN. |
IP | When Protocol is set to link and Link Type is set to VLAN, enter the IP address as the network target for rate limiting. |
Port | When Protocol is set to link and Link Type is set to VLAN, set the virtual port (1 - 65,535) used for rate limiting traffic. |
Rate | Define a rate limit between 50 - 1,000,000 kbps. This limit constitutes a threshold for the maximum number of packets transmitted or received (from all access categories). Traffic that exceeds the defined rate is dropped and a log message is generated. The default setting is 5000 kbps. |
Max Burst Size | Set the maximum burst size from 0 - 1024 kb. The smaller the burst, the less likely the upstream packet transmission will result in congestion for the WLAN's client destinations. By trending the typical number of ARP, broadcast, multicast and unknown unicast packets over a period of time, the average rate for each access category can be obtained. Once a baseline is obtained, administrators should add a 10% margin (minimally) to allow for traffic bursts. The default burst size is 320 kbytes. |
Background | Configure the random early detection threshold (as a percentage) for low priority background traffic. Background packets are dropped and a log message generated if the rate exceeds the set value. Background traffic consumes the least bandwidth of any access category, so this value can be set to a lower value once a general upstream rate is known by the network administrator (using a time trend analysis). The default setting is 50%. |
Best-Effort | Configure the random early detection threshold (as a percentage) for low priority best effort traffic. Best-effort packets are dropped and a log message generated if the rate exceeds the set value. Best effort traffic consumes little bandwidth, so this value can be set to a lower value once a general upstream rate is known by the network administrator (using a time trend analysis). The default setting is 50%. |
Video | Configure the random early detection threshold (as a percentage) for high priority video traffic. Video packets are dropped and a log message generated if the rate exceeds the set value. Video traffic consumes significant bandwidth, so this value can be set to a higher value once a general upstream rate is known by the network administrator (using a time trend analysis). The default setting is 25%. |
Voice | Configure the random early detection threshold (as a percentage) for high priority voice traffic. Voice packets are dropped and a log message generated if the rate exceeds the set value. Voice applications consume significant bandwidth, so this value can be set to a higher value once a general upstream rate is known by the network administrator (using a time trend analysis). The default setting is 0%. |
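As an added illustration (not the controller's own code), the following Python models the Rate and Max Burst Size settings from the Rate Limits tab as a token bucket, using the page's defaults of 5000 kbps, 320 kbytes and the 50/50/25/0% thresholds, and applies a per-access-category early drop with the log message the table describes. Reading the RED percentage as the share of the burst bucket below which a category becomes eligible for early drop (0 disabling it) is my modelling assumption, as are the names `MintRateLimiter` and `simulate` and the constructed 1500-byte packet stream.

```python
import random
from dataclasses import dataclass, field

# Defaults as listed on the Rate Limits tab: 5000 kbps, 320 kbyte burst, RED 50/50/25/0 %.
DEFAULT_RED_PCT = {"background": 50, "best-effort": 50, "video": 25, "voice": 0}

@dataclass
class MintRateLimiter:
    """Token bucket in bits: the burst size is the bucket, the rate refills it."""
    rate_kbps: int = 5000
    burst_kbytes: int = 320
    red_pct: dict = field(default_factory=lambda: dict(DEFAULT_RED_PCT))
    rand: object = random.random      # injectable so drops are repeatable in tests
    log: list = field(default_factory=list)

    def __post_init__(self) -> None:
        self.capacity = self.burst_kbytes * 1024 * 8   # bucket size in bits
        self._tokens = float(self.capacity)
        self._last = 0.0

    def _refill(self, now: float) -> None:
        self._tokens = min(self.capacity, self._tokens + (now - self._last) * self.rate_kbps * 1000)
        self._last = now

    def admit(self, now: float, size_bytes: int, category: str) -> bool:
        """True if the packet is forwarded; False if it is dropped and a log line is written."""
        self._refill(now)
        bits = size_bytes * 8
        if bits > self._tokens:                        # beyond rate + burst: always dropped
            self.log.append(f"t={now:.3f} drop {category}: rate limit exceeded")
            return False
        # Modelling assumption (not stated on the page): the RED percentage is the share of the
        # bucket below which this category may be dropped early, with probability rising as it empties.
        red_floor = self.capacity * self.red_pct.get(category, 0) / 100
        if red_floor and self._tokens < red_floor:
            if self.rand() < 1 - self._tokens / red_floor:
                self.log.append(f"t={now:.3f} drop {category}: RED {self.red_pct[category]}%")
                return False
        self._tokens -= bits
        return True

def simulate(limiter: MintRateLimiter, n: int, pps: float, category: str, size_bytes: int = 1500) -> dict:
    """Offer n constructed packets of one category at a constant packet rate (pps; 0 = all at once)."""
    forwarded = 0
    for i in range(n):
        now = i / pps if pps else 0.0
        if limiter.admit(now, size_bytes, category):
            forwarded += 1
    return {"offered": n, "forwarded": forwarded, "dropped": n - forwarded}
```

Calling `simulate(MintRateLimiter(rand=lambda: 0.0), 300, 0, "best-effort")` shows the worst case for a low-priority category: it is cut off once half the burst bucket is consumed, while voice packets are only dropped when the bucket is empty.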