VNS (Virtual Networks Services)/WLAN Service and Role (Policy) creation and dependencies |
- Service types the system is expected to provide
- Controller services
- Topologies made up of VLANs and port assignments with the corresponding switch ports
- Policies that will be bound to topologies
- Classes of Service
- WLAN Service and wireless user credentials authentication
- Creation of VNS that binds WLAN service to roles (policies)
- A tagged VLAN (Virtual LAN) for each bridge in the controller, along with a network port on which the VLAN is assigned
- A virtual subnet on the controller for each VNS:
  - Topology type of bridged@controller, routed, or bridged@AP
  - Policy for network point of attachment: user network access policy, filtering at the controller or also at the AP
  - Whether bandwidth restrictions are imposed on users
  - WLAN Service: type of SSID, advertised SSID by APs representing the service, AP radios corresponding to the band that will advertise the service, method of authentication, wireless security method, and QoS (Quality of Service)
  - VNS: WLAN service the VNS represents, Default Non-Auth Policy, Default Auth Policy, VNS mapping between the WLAN service and default policies, method of AP controller discovery
|
|
Accessing the ExtremeWireless Appliance for the first time |
- Factory default IP address
of the ExtremeWireless Appliance – The factory default IP address is
https://192.168.10.1:5825. You must type this IP address in the address bar of
your web browser when you access the ExtremeWireless Appliance for the first
time.
- Unused IP address in the 192.168.10.0/24 subnet – This IP address must
be assigned to the Ethernet port of your laptop computer, for the initial
provisioning only. You can use any IP address from 192.168.10.2 to
192.168.10.254.
- Login Information – The login information is as follows:
|
|
System Settings |
- Hostname – Specifies the name of the ExtremeWireless Appliance.
- Domain – Specifies the IP domain name of the enterprise network.
- Primary DNS – The primary DNS server used by the network.
- Secondary DNS – The secondary DNS server used by the network.
|
|
Hardware information |
MAC Address – MAC address of the ExtremeWireless Appliance's
management port. |
|
License Key |
A license key is provided by redeeming an entitlement
voucher on the Extreme Networks website by selecting the Extreme Networks Activation
Key link at page: www.extremenetworks.com/support/.
Enter the license key for system activation, capacity upgrades, or feature
enablement. For more information about ExtremeWireless licensing, see Step 6. Apply the Activation License Key. |
|
Data Ports Physical Topology |
- IP address – IP address of the physical Ethernet port.
- Subnet mask – Subnet mask for the IP address, which separates the
network portion from the host portion of the address (typically 255.255.255.0).
- MTU – The maximum transmission unit or maximum packet size for this
port. The default setting is 1500. If you change this setting, and are using
OSPF, you must make sure that the MTU of each port in the OSPF link matches.
- Function – The port's function:
  - Third-party AP Port – A port to which the third-party AP is connected.
  - Router Port – A port that connects to an upstream, next-hop router in
the network.
- VLAN ID – The ID of the VLAN to which the AP is connected.
|
|
Static Routing |
Static IP address – The
static IP address that is assigned to the ExtremeWireless Appliance
when it is configured for static routing.
Configurable physical properties:
|
|
OSPF Routing |
Routed VNS – If you are planning to deploy a routed VNS, you may need to
enable OSPF on the controller. The OSPF option applies only to routed VNS.
- Router ID – The router ID is the controller's own IP address.
- Area ID of OSPF – ID of the OSPF area. 0.0.0.0 is the main area in OSPF.
- OSPF Authentication Password – If you select the Authentication type as
Password, you will need to provide a password.
|
|
DHCP service not hosted by controller |
Bridge traffic locally at AP – IP assignment is not applicable; all
traffic for users in that VNS will be directly bridged by the AP at the local
network point of attachment; disabled by default.
Local server – The ExtremeWireless Appliance's local DHCP server is used
for managing IP address allocation:
- Domain Name – The external enterprise domain name server to be used
- Lease default – The default time limit which dictates how long a
wireless device can keep the DHCP server assigned IP address
- DNS servers – The IP Address of the Domain Name servers to be used
- WINS – The IP address if the DHCP server uses Windows Internet Naming
Service (WINS)
- Enable DLS DHCP Option – An application that provides configuration
management and software deployment and licensing for optiPoint WL2 phones, if
you expect optiPoint WL2 wireless phone traffic on the VNS.
- Gateway – The ExtremeWireless Appliance's own IP address in the
topology, which is the default gateway for the topology
- Address Range – The range from which IP addresses are distributed
across the network:
  - Address range from – The start IP address of the range.
  - Address range to – The end IP address of the range.
  - DHCP Address exclusion – IP addresses to be excluded from this range.
- Broadcast Address – Populated automatically based on the Gateway IP
address and subnet mask of the VNS
Use Relay – The ExtremeWireless Appliance forwards DHCP requests to an
external DHCP server on the enterprise network:
- DHCP servers – IP address of the DHCP server to which DHCP discover
and request messages are forwarded for clients on this VNS
|
|
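Added example, not part of the guide: a check of the local DHCP server values planned above (gateway, mask, address range, exclusions). It derives the broadcast address from the gateway and mask as the guide describes, verifies that the range lies inside the topology's subnet, and lists the leasable addresses. The sample values are constructed; refusing to lease the gateway, network and broadcast addresses is this example's own check.

```python
import ipaddress


def dhcp_plan(gateway: str, mask: str, range_from: str, range_to: str,
              exclusions=()):
    """Return (broadcast address, leasable addresses) for one VNS topology.

    Raises ValueError when the range is reversed or does not fit inside the
    subnet that the gateway and mask define.
    """
    # Gateway and mask are the controller's own interface on the topology.
    net = ipaddress.IPv4Network(f"{gateway}/{mask}", strict=False)
    gw = ipaddress.IPv4Address(gateway)
    start = ipaddress.IPv4Address(range_from)
    end = ipaddress.IPv4Address(range_to)
    if start > end:
        raise ValueError("address range 'from' must not exceed 'to'")
    # The whole range must belong to the subnet the gateway serves.
    if start not in net or end not in net:
        raise ValueError(f"range {start}-{end} is outside {net}")
    excluded = {ipaddress.IPv4Address(x) for x in exclusions}
    # Example's own safety check: never hand out the gateway, network or
    # broadcast address even if the planned range covers them.
    excluded |= {gw, net.network_address, net.broadcast_address}
    pool = [ipaddress.IPv4Address(a) for a in range(int(start), int(end) + 1)
            if ipaddress.IPv4Address(a) not in excluded]
    return str(net.broadcast_address), pool


if __name__ == "__main__":
    # Constructed sample: /24 topology, 11-address range, one exclusion.
    bcast, pool = dhcp_plan("10.20.30.1", "255.255.255.0",
                            "10.20.30.100", "10.20.30.110", ["10.20.30.105"])
    print(bcast, len(pool), pool[0], pool[-1])
```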
Gateway for installing DHCP service |
Gateway – Determine the gateway device for the DHCP service.
- For a physical topology or bridged@AC, the specified gateway must be a
connecting device on the same segment.
- For a routed topology, the segment is owned by the controller. The
controller's interface on the segment is defined as the default gateway
(option 3) for the segment.
|
|
Domain name for devices on this network segment |
Domain name – Your organization's domain name. |
|
RADIUS Server's IP address |
IP address – The IP address of the RADIUS server. |
|
SLP DA's IP address |
Hexadecimal values of SLP DA's IP address – The Wireless APs use the SLP
DA to discover the ExtremeWireless Appliance.
The mobility agents use the SLP DA to discover the mobility manager.
SLP-DA is configured in hexadecimal on the target DHCP server (this element is
not provisioned on the controller). The value is configured in relation to option
78 on the segment definitions of the DHCP server that provides the IP addresses of
the APs or that the controller can query to determine the selected SLP-DA service
in the network. This provisioning is done per such segment.
|
|
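Added example, not from the guide: building and checking the hexadecimal value for DHCP option 78 (SLP Directory Agent, RFC 2610) that the DHCP server hands to the APs. The option data is one "mandatory" byte followed by one or more IPv4 addresses in network order; whether a given DHCP server wants only that data or the code and length bytes as well is server-specific, so both forms are produced. The SLP DA address is a constructed sample.

```python
import ipaddress

OPTION_CODE = 78  # SLP Directory Agent option code (RFC 2610)


def encode_slp_da(addresses, mandatory=False):
    """Return the option-78 data (mandatory byte + addresses) as hex."""
    if not addresses:
        raise ValueError("at least one SLP DA address is required")
    data = bytes([1 if mandatory else 0])
    for a in addresses:
        data += ipaddress.IPv4Address(a).packed  # 4 network-order bytes
    return data.hex()


def decode_slp_da(hexvalue):
    """Parse a hex option-78 value back into (mandatory, [addresses]).

    Rejects values whose length is not 1 + 4*n bytes, the usual result of a
    value typed by hand on the DHCP server with a digit missing or doubled.
    """
    data = bytes.fromhex(hexvalue)
    if len(data) < 5 or (len(data) - 1) % 4:
        raise ValueError(f"option 78 data must be 1 + 4*n bytes, got {len(data)}")
    if data[0] not in (0, 1):
        raise ValueError("mandatory byte must be 0 or 1")
    addrs = [str(ipaddress.IPv4Address(data[i:i + 4]))
             for i in range(1, len(data), 4)]
    return bool(data[0]), addrs


def full_option_bytes(addresses, mandatory=False):
    """Code + length + data, for servers that take the whole option TLV."""
    data = bytes.fromhex(encode_slp_da(addresses, mandatory))
    return bytes([OPTION_CODE, len(data)]) + data


if __name__ == "__main__":
    # Constructed sample DA address on the AP segment.
    print(encode_slp_da(["192.168.10.1"]))          # 00c0a80a01
    print(full_option_bytes(["192.168.10.1"]).hex())  # 4e0500c0a80a01
```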
Internet Protocol configuration for DNS service server |
- Static IP address – The DNS server's static IP address.
- Subnet Mask – Subnet mask of the DNS server's static IP address.
- Gateway – The DNS server's gateway.
- ISP's IP address – Your ISP's (Internet Service Provider) IP address.
- IP address – ExtremeWireless Appliance's IP address.
|
|
Port information for installing IAS on the server |
- Authentication Port – ExtremeWireless Appliance's port number used to
access the IAS service.
- Accounting Port – Type the ExtremeWireless Appliance's port number
that is used to access the accounting service.
The values must match what you define in the Auth &
Acct tab.
|
|
Wireless AP properties |
- ExtremeWireless Appliance's Port # – ExtremeWireless Appliance's
Ethernet port to which the Wireless AP is connected.
- Country – The country where the Wireless AP operates.
- Serial # – A unique identifier that is assigned during the
manufacturing process of the Wireless APs. When an AP discovers and registers
with a controller, its name defaults to its serial number; tracking the serial
number of an AP therefore helps identify the specific device and ensures
proper configuration of location-dependent settings.
- Hardware version – The current version of the Wireless AP hardware.
- Application version – The current version of the Wireless AP software.
- VLAN ID – The ID of the VLAN on which the Wireless AP operates.
|
|
Next Hop Routing for Routed VNS |
An optional configuration element that allows the customer to define an explicit
next-hop router via which all the segment's traffic should be forwarded. If left
unspecified, the traffic is forwarded in accordance with the system's routing
table.
- Next hop IP address – The next-hop IP identifies the target device to
which all VNS user traffic is forwarded. The next-hop definition supersedes any
other possible definition in the routing table.
- OSPF routing cost – The OSPF cost value provides a relative cost
indication to allow upstream routers to calculate whether or not to use the
ExtremeWireless Appliance as a better fit, or lowest cost path to reach the
devices in a particular network. The higher the cost, the less likely that the
ExtremeWireless Appliance is chosen as a route for traffic, unless that
ExtremeWireless Appliance is the only possible route for that traffic.
|
|
VLAN Information for Bridge Traffic Locally at EWC topology |
VLAN ID – The VLAN ID to which traffic on the topology is bridged.
Wireless users referring to this topology become a natural extension of the
VLAN/segment. Traffic from the wireless is tagged with the corresponding ID when
bridging to the core.
Port – The name of the L2 port to which the VLAN is mapped.
Interface IP address – The interface's IP address.
Mask – The subnet mask of the topology.
The interface IP address and mask are not required if the controller and AP do
not provide L3 services (such as a Captive Portal web page) on the topology/VLAN
and are not managed on the VLAN.
L3 interface presence is required for several operations, such as:
- If the topology is to be used to support internal captive portal or guest portal
authentication for wireless users. The configuration is optional for external
captive portal.
- If the topology is to provide DHCP service (local or relay) to the VLAN
(includes wireless and wired users)
- If the topology is to offer access to management functions (SSH, SNMP,
HTTPS) via wired or wireless users.
- If the topology is to offer AP registration.
L3 interface presence is not required if the topology is:
- Only expected to provide straight bridging of wireless traffic
- The topology is serviced by WLAN services that don't require authentication
(NONE) or that use EAP (AAA) authentication
- The DHCP server is provided by the infrastructure (VLAN).
|
|
VLAN ID for Bridge traffic locally at AP topology |
VLAN ID – The VLAN ID to which traffic is bridged directly at AP. The AP
tags traffic for users associated with this topology to the specified VLAN ID. The
VLAN must be configured/trunked on the switch port to which the AP is connected. |
|
Captive Portal |
Will this network segment have a captive portal service? If so, which type of
captive portal will be deployed:
- An external captive portal which is a web server provided by another host in
the network that authenticates stations and tells the controller whether the
station is authenticated and which policy to apply to it.
- A Guest Portal captive portal. The controller serves the Guest Portal login
page to unauthenticated stations. Station accounts are defined directly on the
controller through an interface designed for non-technical users.
- A Guest-Splash Screen Portal. The controller serves a splash screen web page
to unauthenticated users. Users are not considered authenticated until they
click a button on the page to acknowledge terms and conditions on the splash
screen page. Users are not required to provide a user ID and password to login.
- Internal Captive Portal. The controller serves the login page on an internal
captive portal to unauthenticated stations. The controller collects user IDs and
passwords from stations attempting to access the network and forwards them to a
configured RADIUS server for authentication.
|
|
Authentication and Accounting information for captive portal
configuration |
- Port – Used to access the RADIUS server. The default for authentication
is 1812 and for accounting is 1813.
- # of Retries – The number of times the ExtremeWireless Appliance
attempts to access the RADIUS server.
- Timeout – The maximum time for which the ExtremeWireless Appliance waits
for a response from the RADIUS server before making a re-attempt.
- NAS Identifier – A RADIUS attribute that identifies the controller to
the RADIUS server for purposes of a specific WLAN service. This is
optional.
|
|
Internal Captive Portal, Guest Portal, and Guest splash screen portal settings
information |
- Login Page layout – The controller provides a default login page for
each internal captive portal, guest portal and guest splash screen portal it
serves. The controller contains a web page layout editor that allows the
administrator to fully customize the login page with custom layouts, graphics
and styles.
- Replace Gateway IP with FQDN – By default the controller explicitly
encodes the IP address of the corresponding topology (From Non-auth Policy
defined by the WLAN service). However, in some cases it is preferable to provide
the user with a Fully Qualified Domain Name (FQDN). Ensure that the DNS server
is configured to map the corresponding name to the topology's IP address.
- Default Redirection URL – By default, once the authentication
completes, the user is redirected back to the initial web site that was
intercepted for redirection to authentication. The customer can provide an
explicit override URL to which the user is redirected upon successful
authentication.
|
|
External Captive Portal (ECP) Type |
Select the type of captive portal configuration to provide authentication
services for the WLAN Service:
- No captive portal
- Internal captive portal – Controller provides the web server that operates as
the authentication portal. The controller is also responsible for the
credential's verification with a specified RADIUS server.
- External captive portal – You provide the web server that hosts the
authentication website. This option provides the most flexible approach in terms
of customization of the authentication service. Web server interfaces provide
alternate methods of user authentication, such as payment systems. Or, provide
the web service but rely on the controller to perform the credential
authentication via RADIUS.
- Internal Guest Portal Splash Screen
- Internal Guest Portal
|
|
Shared Secret Password for external captive portal configuration |
ECP privacy – Whether to require traffic sent between the controller and the
external captive portal host to be encrypted and, if so, whether with MD5
(Message-Digest algorithm 5) or AES.
Password – When using ECP, define a Shared Secret (password) that is used to
perform MD5 encryption of sensitive information on the exchange between the
authentication server and the controller (such as during the credentials exchange
for authentication). This password encrypts the information exchanged between the
ExtremeWireless Appliance and the external captive portal server.
|
|
MAC-based authentication information |
See authentication and accounting information. |
|
Exception Filter Rules information |
IP/Port – By default, all controller interfaces, including those represented by
physical topologies and virtual topologies with L3 presence, are protected by a
set of rules that restrict the type of traffic allowed access to management plane
functions. The default set of rules allows only services that are explicitly of
use to the controller's operations.
This set of rules protects the controller's management plane from inadvertent
access to lower level functions and provides an effective DoS protection layer.
This set of rules can, however, be augmented or altogether overridden (not
recommended) so that additional services may be exposed or restricted. For
example, the default method to allow access to management services is to
explicitly enable the “Allow Management” property for the topology. Doing so
automatically augments the exception filter rule set to allow administration
HTTPS (5825), SSH (22) or SNMP services. An alternative to enabling that checkbox
is to manually add the corresponding set of rules for each service of interest
to the exception rule set. That way you may elect to enable only a subset of the
services, or to disable access to one of the services the checkbox enables.
|
|
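Added example, not part of the guide: a small model of the exception filter rule evaluation described above, so the difference between enabling “Allow Management” and hand-adding a subset of rules can be checked before it is applied to a topology. The rule tuple syntax, first-match evaluation, the assumed base rule (local DHCP on 67/udp) and the SNMP port (161/udp) are this example's assumptions, not the controller's own rule format.

```python
from typing import List, Tuple

Rule = Tuple[str, str, int]  # (action, protocol, destination port)

# Assumed base set: only a service the guide says the controller itself
# provides (local DHCP server). Anything unmatched is denied by default.
BASE_RULES: List[Rule] = [
    ("allow", "udp", 67),     # DHCP requests to the local server
]

# What the "Allow Management" checkbox adds, per the guide (ports 5825 and
# 22 are stated there; 161/udp for SNMP is assumed).
MANAGEMENT_RULES: List[Rule] = [
    ("allow", "tcp", 5825),   # administration HTTPS
    ("allow", "tcp", 22),     # SSH
    ("allow", "udp", 161),    # SNMP
]


def evaluate(rules: List[Rule], proto: str, port: int) -> str:
    """First matching rule wins; traffic matching no rule is denied."""
    for action, rproto, rport in rules:
        if rproto == proto and rport == port:
            return action
    return "deny"


def allow_management(base: List[Rule]) -> List[Rule]:
    """Rule set produced by the checkbox: all three services are exposed."""
    return MANAGEMENT_RULES + base


def manual_rules(base: List[Rule], extra: List[Rule]) -> List[Rule]:
    """The manual alternative: prepend only the rules you chose to add."""
    return list(extra) + base


def exposed_services(rules: List[Rule]) -> List[Tuple[str, int]]:
    """Which of the three management services a rule set lets through."""
    return [(p, port) for _, p, port in MANAGEMENT_RULES
            if evaluate(rules, p, port) == "allow"]


if __name__ == "__main__":
    print(exposed_services(BASE_RULES))                 # []
    print(exposed_services(allow_management(BASE_RULES)))
    # Subset: SSH only, HTTPS and SNMP stay closed.
    print(exposed_services(manual_rules(BASE_RULES, [("allow", "tcp", 22)])))
```

Placing an explicit deny ahead of the checkbox rules models closing one of the three services while keeping the other two.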