Aerohive Deployment Guide
Copyright Notice Copyright © 2007 Aerohive Networks, Inc. All rights reserved. Aerohive Networks, the Aerohive Networks logo, HiveOS, HiveAP, and HiveManager are trademarks of Aerohive Networks, Inc. All other trademarks and registered trademarks are the property of their respective companies. Information in this document is subject to change without notice.
HiveAP Compliance Information Federal Communication Commission Interference Statement This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation.
HiveAP Compliance Information – In Italy the end-user must apply for a license from the national spectrum authority to operate this device outdoors. German – In Belgium outdoor operation is only permitted using the 2.46 2.4835 GHz band: Channel 13. Hiermit erklärt Edgecore die Übereinstimmung des Gerätes Radio LAN device mit den grundlegenden Anforderungen und den anderen relevanten Festlegungen der Richtlinie 1999/5/EG. (Wien) – In France outdoor operation is only permitted using the 2.4 2.
HIVEAP COMPLIANCE INFORMATION Le cordon doit être en mesure d'acheminer un courant nominal d'au moins 10 A. Power Cord Set U.S.A. and Canada The cord set must be UL-approved and CSA certified. La prise femelle de branchement doit être du type à mise à la terre (mise à la masse) et respecter la configuration NEMA 5-15P (15 A, 125 V) ou NEMA 615P (15 A, 250 V). Minimum specifications for the flexible cord: - No.
Contents
Chapter 1 The HiveAP Platform ... 9
  Product overview ... 10
    Ethernet and Console Ports ... 12
    Status LEDs ... 13
    Antennas
Example 6: Setting AAA RADIUS Settings ... 55
Example 7: Creating Two Device Groups ... 57
Example 8: Creating Three Hive Profiles ... 60
Example 9: Assigning HiveAPs to a Device Group, Radio Profile, Hive Profile, and Topology Map
Chapter 1 The HiveAP Platform
The Aerohive HiveAP 20 ag is a new generation wireless access point. HiveAPs offer unique abilities to self-organize and coordinate with each other, creating a distributed-control WLAN solution that offers greater mobility, security, quality of service, and radio control. This guide combines product information with installation instructions.
PRODUCT OVERVIEW
The HiveAP is a multi-channel wireless AP (access point). It is compatible with IEEE 802.11b/g (2.4 GHz) and IEEE 802.11a (5 GHz) standards and supports a variety of Wi-Fi (wireless fidelity) security protocols, including WPA (Wi-Fi Protected Access) and WPA2. You can see the hardware components on the HiveAP in Figure 1. Each component is described in Table 1.
Component: Power Connector
Description: The 48-volt DC power connector (0.38 amps) is one of two methods through which you can power a HiveAP. To connect it to a 100 – 240-volt AC power source, use the AC/DC power adaptor that ships with the product as an option. Because the HiveAP does not have an on/off switch, connecting it to a power source automatically powers on the device.
Ethernet and Console Ports
There are two ports on the HiveAP: a 10/100Base-T/TX Ethernet port and a male DB-9 console port. Both ports use standard pin assignments. The pin assignments in the PoE (Power over Ethernet) Ethernet port follow the TIA/EIA-568-B standard (see Figure 2). The PoE port accepts standard types of Ethernet cable—cat3, cat5, cat5e, or cat6—and receives power over this cable from power sourcing equipment (PSE) that is 802.3af-compatible.
The pin assignments in the male DB-9 console port follow the EIA (Electronic Industries Alliance) RS-232 standard. To make a serial connection between your management system and the console port on the HiveAP, you can use a null modem serial cable, use another serial cable that complies with the RS-232 standard, or refer to the pin-to-signal mapping shown in Figure 3 to make your own serial cable.
Antennas
The HiveAP includes two fixed dual-band antennas. These antennas are omnidirectional, providing fairly equal coverage in all directions in a toroidal (donut-shaped) pattern around each antenna. When the antennas are positioned vertically, coverage expands primarily on the horizontal plane, extending horizontally much more than vertically. See Figure 4, which shows the toroidal pattern emanating from a single vertically positioned antenna.
MOUNTING THE HIVEAP
After connecting an external antenna, you must enter the following command to move subinterfaces from the fixed antennas to the external antenna:
    interface subinterface radio antenna external
where subinterface stems from an interface (wifi0 or wifi1) linked to the radio to which the external antenna connects: radio 1 (frequency = 2.4 GHz for IEEE 802.11b/g) or radio 2 (frequency = 5 GHz for IEEE 802.11a). Note that you link interfaces to radios, and subinterfaces to antennas.
DEVICE, POWER, AND ENVIRONMENTAL SPECIFICATIONS
Understanding the range of specifications for the HiveAP is necessary for optimal deployment and operation of the device. The following specifications describe the physical features and hardware components, the power adapter and PoE (Power over Ethernet) electrical requirements, and the temperature and humidity range in which the device can operate.
Chapter 2 The HiveManager Platform
The HiveManager is a management appliance that provides centralized configuration, monitoring, and reporting for multiple HiveAPs.
PRODUCT OVERVIEW
The Aerohive HiveManager is a central management system for configuring and monitoring HiveAPs. You can see its hardware components in Figure 1 and read a description of each component in Table 1.
Component: USB Port
Description: The USB port is reserved for internal use.
Component: Status LEDs
Description: The status LEDs convey operational states for the system power and hard disk drive. For details, see "Status LEDs" on page 20.
Component: MGT and LAN Ethernet Ports
Description: The MGT and LAN Ethernet ports are compatible with 10/100/1000-Mbps connections, automatically negotiate half- and full-duplex mode with the connecting devices, and support RJ-45 connectors.
The pin assignments in the male DB-9 console port follow the EIA (Electronic Industries Alliance) RS-232 standard. To make a serial connection between your management system and the console port on the HiveManager, you can use a null modem serial cable, use another serial cable that complies with the RS-232 standard, or refer to the pin-to-signal mapping shown in Figure 3 to make your own serial cable.
RACK MOUNTING THE HIVEMANAGER
You can mount the HiveManager in a standard 19" (48 cm) equipment rack with two rack screws—typically 3/4", 1/2", or 3/8" long with 10-32 threads. The HiveManager ships with mounting brackets already attached to its left and right sides near the front panel (see Figure 1 on page 18). In this position, you can front mount the HiveManager as shown in Figure 5.
DEVICE, POWER, AND ENVIRONMENTAL SPECIFICATIONS
Understanding the range of specifications for the HiveAP is necessary for optimal deployment and operation of the device. The following specifications describe the physical features and hardware components, the power adapter and PoE (Power over Ethernet) electrical requirements, and the temperature and humidity range in which the device can operate.
Chapter 3 Using HiveManager
You can conceptualize the Aerohive cooperative control architecture as consisting of three broad planes of communication. On the data plane, wireless clients gain network access by forming associations with HiveAPs. On the control plane, HiveAPs communicate with each other to coordinate functions such as best-path forwarding, fast roaming, and automatic RF (radio frequency) management.
This chapter introduces the HiveManager GUI and explains how to do the following basic tasks:
• Using the console port to change the network settings for the MGT and LAN interfaces
• Powering on the HiveManager and connecting it to a network
• Installing the GUI client on your management system and logging in
It then introduces the HiveManager GUI, including a summary of the configuration workflow.
INSTALLING AND CONNECTING TO THE HIVEMANAGER GUI
To begin using the HiveManager GUI, you must first configure one or both of its interfaces to be accessible on the network, put the HiveManager and your management system (that is, your computer) on the network, and then make an HTTP connection from your system to the MGT port of the HiveManager and download the GUI application for use with JWS (Java Web Start).
When deciding to use one interface (MGT) or both (MGT and LAN), keep in mind that there are two main types of traffic to and from the HiveManager:
• HiveManager management traffic for admin access and FTP uploads
• HiveAP management traffic for CAPWAP, SNMP monitoring and notifications, and TFTP configuration and software downloads
When you enable both interfaces, HiveManager management traffic uses the MGT interface while HiveAP management traffic uses the LAN interface, as
Installing the GUI Client and Connecting to the MGT Interface
1. Connect Ethernet cables from the MGT interface and LAN interface—if you are using it—to the network.
2. Connect an Ethernet cable from your management system to the network so that you can make an Ethernet connection to the IP address you set for the MGT interface.
3.
INTRODUCTION TO THE HIVEMANAGER GUI
Using the HiveManager GUI, you can set up the configurations needed to deploy large numbers of HiveAPs. The configuration workflow is described in "HiveManager Configuration Workflow" on page 31. The GUI consists of several important sections, which are shown in Figure 4.
Figure 4 Important Sections of the HiveManager GUI
Shortcut Toolbar: The buttons displayed in this toolbar are for commonly performed actions.
Detaching Windows
When a HiveManager window contains so much information that you cannot display everything you want to see, you can detach it from the confines of its framed area. Click the Detach Current Window button in the toolbar. Then you can resize and reshape it to the dimensions you want, essentially customizing your work space.
Figure 5 Detaching the Predefined Services Window
To detach a window, click the Detach button in the toolbar.
Sorting Displayed Data
You can control how the GUI displays data in the main window by clicking a column header. This causes the displayed content to reorder itself alphabetically or numerically in either ascending or descending order. Clicking the header a second time reverses the order in which the data is displayed.
Figure 7 Sorting User Profiles by Name and then by Weight
By default, displayed objects are sorted alphabetically by name.
HIVEMANAGER CONFIGURATION WORKFLOW
Assuming that you have already installed your HiveAPs, uploaded maps (see "Setting Up Topology Maps" on page 37), and decided on the features and settings you want them to use, you are now ready to start configuring the HiveAPs through the HiveManager. When using the HiveManager to configure HiveAPs, you first define objects that you later reference when configuring other objects.
UPDATING HIVEAP FIRMWARE
The HiveManager makes it easy to update firmware running on managed HiveAPs. First, you obtain new HiveAP firmware from Aerohive support and upload it to the HiveManager. Then you push the firmware to the HiveAPs and activate it by rebooting the HiveAPs.
1. Contact Aerohive support to obtain a new HiveOS image.
2. Save the HiveOS image file to a directory on your local management system or network.
3.
UPDATING SOFTWARE ON THE HIVEMANAGER
You can update the software running on the HiveManager from one of three sources: a local directory on your management system, an FTP server (File Transfer Protocol), or a TFTP (Trivial File Transfer Protocol) server. If you download an image and save it to a local directory, you can load it from there.
TFTP Server
To load a HiveOS image file from a TFTP server:
1. On the Software Upgrade page, select TFTP, enter the following, and then click OK:
• TFTP IP Address: (select); enter the IP address and port number of the TFTP server (the default port number for TFTP is 69)
• Image Path: Enter the path to the HiveOS image file. If the file is in the root directory of the TFTP server, you can leave this field empty.
• Image Name: Type the name of the HiveOS image file.
2.
Chapter 4 HiveManager Examples
The following examples in this chapter show how to install over 70 HiveAPs at three locations in a corporate network, use the HiveManager to create configurations for them, and then push the configurations to them over the corporate network.
This chapter contains a sequential flow of examples that show how to import and organize maps, configure typically needed features, assign these features to HiveAPs, and associate HiveAPs with maps. The examples are as follows:
• "Example 1: Mapping Locations and Installing HiveAPs" on page 37
Use one of two ways to associate physical HiveAPs with their corresponding icons on topology maps.
EXAMPLE 1: MAPPING LOCATIONS AND INSTALLING HIVEAPS
The HiveManager allows you to mark the location of HiveAPs on maps that you can then use to track devices and monitor their status. First, you must upload the maps to the HiveManager, and then name and arrange them in a structured hierarchy (see "Setting Up Topology Maps"). After that, you can follow one of two ways to install HiveAPs so that you can later put their corresponding icons on the right maps (see "Preparing the HiveAPs" on page 40).
The selected .png file is transferred from your management system to the HiveManager as shown in Figure 3.
Figure 3 Uploading a Map of a Building Floor Plan (labels: Map showing one of the floor plans; Uploads map to HiveManager; Management System; HiveManager)
5. Repeat this for all the .png files that you need to load.
4. Select the icon, drag it to the position where you want it to be, and then click Save.
5. Click HiveAP Maps > CorpOffices > Topology > Add Submap.
6. In the Add HQ-B1-F1 dialog box, enter the following, and then click OK:
• Name: HQ-B1-F2
• Icon:
• Background Map: HQ-B1-F2.png
• Location: HQ-B1-F2 floor
A green floor icon labeled "HQ-B1-F2" appears on the CorpOffices image, and a new entry named "HQ-B1-F2" appears nested under "CorpOffices" in the menu tree.
7.
Preparing the HiveAPs
There are several approaches that you can take when mapping the location of installed HiveAP devices. Two possible approaches are presented below. With the first approach ("Using SNMP"), the HiveManager automatically assigns HiveAPs to maps.
Using MAC Addresses
With this approach, you write down the MAC address labelled on the underside of each HiveAP and its location while installing the HiveAPs throughout the buildings. The MAC address on the label is for the mgt0 interface. Because the MAC addresses of all HiveAPs begin with the Aerohive MAC OUI 00:19:77, you only need to record the last six numbers in the address.
EXAMPLE 2: DEFINING NETWORK OBJECTS
Network objects are the most basic elements that you can configure through the HiveManager and only function when other configured items such as QoS classifiers, SSID profiles, and hive profiles make reference to them. IP addresses, MAC addresses, MAC OUIs (organizationally unique identifiers), and network services (HTTP, SMTP, FTP, …) are network objects that make no reference to any other previously defined object.
Defining a MAC OUI
1. Log in to the HiveManager GUI.
2. Click HiveAP Configuration > Network Objects > MAC Address/OUI > (Add button).
3. Enter the following, and then click OK:
• MAC OUI: (select)
• MAC Entry Name: Type a name such as "VoIP_Phones". You cannot include any spaces when defining a MAC entry name.
• MAC OUI: Type the OUI for the VoIP phones used in the network; that is, type the first six numbers constituting the vendor prefix of the MAC address.
5. Click the Service tab, right-click in the Network Service to QoS Class Mapping field, and choose New from the shortcut list that appears.
6. Enter the following in the New Network Service to QoS Class Mapping dialog box, and then click OK:
• Service: DNS
• Action: Permit
• Map to Class: 5 - Video
• Comment: Enter a meaningful comment for future reference, such as "DNS for VoIP phones".
EXAMPLE 3: DEFINING USER PROFILES AND QOS SETTINGS
User profiles contain a grouping of settings that determine the QoS (Quality of Service) for users. In this example, you define four user profiles and their companion QoS forwarding rates and priorities. The four groups of users are VoIP phone users, IT staff, corporate employees, and visiting guests. The user profile settings, maximum traffic forwarding rates, and the WRR (weighted round robin) weights for each user profile are shown in Figure 7.
VoIP User Profile
1. Click HiveAP Configuration > User Profiles > (Add button). The New User Profile dialog box appears.
2. On the General page, enter the following:
• User Profile Name: VoIP (You cannot include any spaces when defining a user profile name.)
• User Profile ID: 2
Each user profile must have a unique ID number.
IT Staff User Profile
1. Click HiveAP Configuration > QoS Policies > User Profiles > (Add button). The New User Profile dialog box appears.
2. On the General page, enter the following:
• User Profile Name: IT (You cannot include any spaces when defining a user profile name.)
• User Profile ID: 3
• Comment: QoS for the IT staff
3.
Guests User Profile
1. Click HiveAP Configuration > QoS Policies > User Profiles > Emp > (Clone button). The Clone User Profile dialog box appears.
2. In the Profile Name field, type Guests, and then click OK. The Guests User Profile dialog box appears with the same values you entered for the IT profile, except that the user profile ID has already been changed to 5.
3.
EXAMPLE 4: SETTING SSID PROFILES
An SSID (service set identifier) is an alphanumeric string that identifies a set of authentication and encryption services that wireless clients and access points use when communicating with each other. In this example, you define the following three SSID profiles, which are also shown in Figure 9:
SSID Name: voip
Security Protocol: Key method: WPA2-PSK
Other: A MAC filter restricting access only to VoIP phones specified in the filter.
Figure 9 SSID Profiles Providing Network Access to Different Users
Figure labels: HiveAP; User Profiles; SSID Profile Definitions; VoIP; VoIP Phones; IT; Employees; Corporate Network; Guests; Visiting Guest at Corporate Site
SSID: voip
Key Method: WPA2-PSK
Encryption Method: TKIP
Preshared Key (ASCII): CmFwbo1121
Authentication Method: Open
SSID: corp
Key Method: WPA2-EAP (802.1X)
Encryption Method: CCMP (AES)
Authentication Method: EAP (802.1X)
RADIUS Servers for 802.1X Authentication
SSID: g
corp SSID
1. Click HiveAP Configuration > SSID Profiles > (Add button). The New SSID Profile dialog box appears.
2. On the General page, enter the following, and then click OK:
• Name: corp
• Comment: SSID for corporate employees
• Key Management: WPA2-EAP (802.1X)
• Encryption Method: CCMP (AES)
• Authentication Method: EAP (802.1X) (This is read-only because the key management choice requires this authentication method.)
guest SSID
1. Click HiveAP Configuration > SSID Profiles > (Add button).
EXAMPLE 5: SETTING MANAGEMENT SERVICE PARAMETERS
A management service set consists of DNS, syslog, SNMP, and NTP services. HiveAPs use these services for network communications and logging activities. In this example, you configure two management service sets, one for each of the device groups that are explained in "Example 7: Creating Two Device Groups" on page 57.
Management Services Set: hq
1. Click HiveAP Configuration > Management Services > (Add button). The New Management Services dialog box appears.
2. On the General page, enter the following:
• Profile Name: hq (You cannot include spaces in the name of a management services profile.)
• Comment: Mgt settings for hq HiveAPs
DNS Server Configuration:
• Domain Name: apis.com (This is the domain name of the corporation in this example.
get – get commands sent from the management system to a HiveAP to retrieve MIBs (Management Information Bases), which are data objects indicating the settings or operational status of various HiveOS components
trap – messages sent from HiveAPs to notify the management system of events of interest
get and trap – permit both get commands and traps
none – cancel all activity, disabling SNMP activity for the specified management system
— Privilege: At the time of this release, "
EXAMPLE 6: SETTING AAA RADIUS SETTINGS
In this example, you define the connection settings for a RADIUS server so that HiveAPs can send RADIUS authentication requests—encapsulated in EAP (Extensible Authentication Protocol) packets—to the proper destination. After corporate employees associate with HiveAPs, they gain network access by authenticating themselves to a RADIUS server. The authentication process makes use of the IEEE 802.1X standard.
server. The default is 600 seconds (or 10 minutes). The minimum is 60 seconds and there is no maximum. Generally, you want to make the retry interval fairly large so that supplicants (that is, wireless clients requesting 802.1X authentication) do not have to wait unnecessarily as a HiveAP repeatedly tries to connect to a primary server that is down for an extended length of time.
EXAMPLE 7: CREATING TWO DEVICE GROUPS
Through the HiveManager, you can configure two broad types of features:
• Policy-based features – In combination, these features form policies that control how users access the network: QoS (Quality of Service) forwarding mechanisms and rates, user profiles, SSID profiles, management services (DNS, NTP, syslog), AAA (authentication, authorization, accounting) RADIUS settings, and VLAN assignments.
• Configuration Settings:
• Network Management Settings: hq
The management services set was previously created. For details, see "Example 5: Setting Management Service Parameters" on page 52.
• AAA RADIUS Settings: auth-1
The AAA RADIUS settings were previously defined in "Setting AAA RADIUS Settings" on page 55.
• QoS Enabled: (select)
QoS Classification and Marking Policy: VoIP-QoS
The QoS classification policy was previously defined.
9. Click in the empty User Profile cell to activate the drop-down list, choose Emp, select Default for Employees user profile, set the VLAN ID as 1, and then click Add.
10. Click in the new empty User Profile cell to activate the drop-down list, choose IT, set the VLAN ID as 1, and then click OK. The New SSID-User Profile-VLAN Mapping dialog box closes.
11. In the Profile Mappings section in the New Device Group dialog box, click Add. The New SSID-User Profile-VLAN Mapping dialog box appears again.
12.
EXAMPLE 8: CREATING THREE HIVE PROFILES
A hive is a set of HiveAPs that exchange information with each other over a layer-2 switched network to form a collaborative whole. In this example, you define three hive profiles: one for each building. Later, in "Example 9: Assigning HiveAPs to a Device Group, Radio Profile, Hive Profile, and Topology Map" on page 61, you assign HiveAP devices to these profiles.
Note: A device group is different from a hive.
EXAMPLE 9: ASSIGNING HIVEAPS TO A DEVICE GROUP, RADIO PROFILE, HIVE PROFILE, AND TOPOLOGY MAP
After completing the steps in the previous examples, you can now assign the following device settings as appropriate to each detected HiveAP:
• Device group (created in "Example 7: Creating Two Device Groups" on page 57)
• Radio profile (default radio profiles)
• Hive profile (created in "Example 8: Creating Three Hive Profiles" on page 60)
• Map (uploaded in "Example 1: Mapping Locations and Installing Hive
Assigning Device Settings
1. Click HiveAP Management > New HiveAPs > Automatically Discovered.
2. Select a group of HiveAPs associated with the same map to assign their device settings. If you defined SNMP sysLocation MIB objects as you installed the HiveAPs as explained in "Using SNMP" on page 40, each HiveAP listed in the HiveAP Management > New HiveAPs > Automatically Discovered window will now include a map title in the Topology Map column.
The HiveManager automatically assigns SSIDs voip, corp, and guest to the wifi0.1, wifi0.2, and wifi0.3 subinterfaces respectively.
6. Repeat this procedure with the HiveAPs associated with all the other maps until they are all configured.
7. To accept all the HiveAPs for management through the HiveManager, select all the HiveAPs in the HiveAP Management > New HiveAPs > Automatically Discovered window, and then click (Accept button).
Chapter 5 HiveOS
You can deploy a single HiveAP and it will provide wireless access as an autonomous AP (access point). However, if you deploy two or more HiveAPs in a hive, you can provide superior wireless access with many benefits. A hive is a set of HiveAPs that exchange information with each other over a layer-2 switched network to form a collaborative whole (see Figure 1).
COMMON DEFAULT SETTINGS AND COMMANDS
Many major components of HiveOS are automated and typically require no further configuration. For example, radio power and frequency selection occurs automatically, as does route learning. Also, after defining a hive and its security protocol suite, all HiveAPs belonging to that hive automatically initiate and maintain communications with each other.
CONFIGURATION OVERVIEW
The amount of configuration depends on the complexity of your deployment. As you can see in "Deployment Examples (CLI)" on page 69, you can enter a minimum of three commands to deploy a single HiveAP, and just a few more to deploy a hive. However, for cases when you need to fine tune access control for more complex environments, HiveOS offers a rich set of CLI commands.
Policy-Level Configurations
Policies control how wireless clients access the network. The following list contains some key areas of policy-level configurations and relevant commands.
• QoS settings
    qos { classifier-map | classifier-profile | marker-map | marker-profile | policy } …
• User profiles
    user-profile string …
• SSIDs
    ssid string …
• AAA (authentication, authorization, and accounting) settings for IEEE 802.
Chapter 6 Deployment Examples (CLI)
This chapter presents several deployment examples to introduce the primary tasks involved in configuring HiveAPs through the HiveOS CLI. In "Deploying a Single HiveAP" on page 70, you deploy one HiveAP as an autonomous access point. This is the simplest configuration: you only need to enter and save three commands. In "Deploying a Hive" on page 73, you add two more HiveAPs to the one deployed in the first example to form a hive with three members.
EXAMPLE 1: DEPLOYING A SINGLE HIVEAP
In this example, you deploy one HiveAP (HiveAP-1) to provide network access to a small office with 15 – 20 wireless clients.
2. Connect one end of an RS-232 serial (or "null modem") cable to the serial port (or Com port) on your management system.
3. Connect the other end of the cable to the male DB-9 console port on the HiveAP.
4. On your management system, run a VT100 terminal emulation program, such as Tera Term Pro© (a free terminal emulator) or Hilgraeve Hyperterminal® (provided with Windows® operating systems).
Step 3 Configure the wireless clients
Define the "employee" SSID on all the wireless clients. Specify WPA-PSK for network authentication, AES or TKIP for data encryption, and the preshared key N38bu7Adr0n3.
Step 4 Position and power on the HiveAP
1. Place the HiveAP within range of the wireless clients and, optionally, mount it as explained in "Mounting the HiveAP" on page 15.
2. Connect an Ethernet cable from the PoE port to the network switch.
3.
EXAMPLE 2: DEPLOYING A HIVE
Building on "Deploying a Single HiveAP" on page 70, the office network has expanded and requires more HiveAPs to provide greater coverage. In addition to the basic configuration covered in the previous example, you configure all three HiveAPs to form a hive within the same layer 2 switched network.
Step 1 Configure HiveAP-1
1. Using the connection settings described in the first example, log in to HiveAP-1.
2. Configure HiveAP-1 as a member of "hive1" and set the security protocol suite.
Step 2 Configure HiveAP-2 and HiveAP-3
1. Power on HiveAP-2 and log in through its console port.
2. Configure HiveAP-2 with the same commands that you used for HiveAP-1:
    ssid employee
    ssid employee security protocol-suite wpa-auto-psk ascii-key N38bu7Adr0n3
    interface wifi0.1 ssid employee
    hive hive1
    hive hive1 password s1r70ckH07m3s
    interface mgt0 hive hive1
3. (Optional) Change the name and password of the superuser.
    admin superuser mwebster password 3fF8ha
4.
6. Check that HiveAP-3 has associated with the other members at the wireless level.
7. To check that the hive members have full data connectivity with each other, associate a client in wireless network-1 with HiveAP-1 (the SSID "employee" is already defined on clients in wireless network-1; see "Deploying a Single HiveAP"). Then check if HiveAP-1 forwards the client’s MAC address to the others to store in their roaming caches.
Step 4 Configure wireless clients
Define the "employee" SSID on all the wireless clients in wireless network-2 and -3. Specify WPA-PSK for network authentication, AES or TKIP for data encryption, and the preshared key N38bu7Adr0n3.
The setup of hive1 is complete. Wireless clients can now associate with the HiveAPs using SSID "employee" and access the network.
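The hive example depends on every member carrying the same SSID, preshared key, hive name, and hive password, and on the SSID and hive being bound to wifi0.1 and mgt0. The following check for that is an added example, not code from this guide or from Aerohive; it assumes each HiveAP's commands have been saved as text, recognizes only the command shapes shown in Step 2, and uses hypothetical helper names (parse_config, psk_ok, audit) with a constructed drift on HiveAP-3.

```python
import re

# Command shapes as they appear in the hive example on this page.
# Any other HiveOS command is ignored rather than guessed at.
PATTERNS = [
    ("ssid_key", re.compile(
        r"^ssid (\S+) security protocol-suite (\S+) ascii-key (\S+)$")),
    ("ssid_bind", re.compile(r"^interface (wifi\d+\.\d+) ssid (\S+)$")),
    ("hive_pw", re.compile(r"^hive (\S+) password (\S+)$")),
    ("hive_bind", re.compile(r"^interface (mgt\d+) hive (\S+)$")),
    ("ssid", re.compile(r"^ssid (\S+)$")),
    ("hive", re.compile(r"^hive (\S+)$")),
]
FIELDS = ("ssid", "ssid_key", "ssid_bind", "hive", "hive_pw", "hive_bind")


def parse_config(text):
    """Turn saved CLI commands into settings that can be compared."""
    cfg = {"ssid": set(), "ssid_key": {}, "ssid_bind": {},
           "hive": set(), "hive_pw": {}, "hive_bind": {}}
    for raw in text.splitlines():
        line = " ".join(raw.split())  # collapse stray whitespace
        for kind, rx in PATTERNS:
            m = rx.match(line)
            if not m:
                continue
            if kind in ("ssid", "hive"):
                cfg[kind].add(m.group(1))
            elif kind == "ssid_key":
                cfg[kind][m.group(1)] = (m.group(2), m.group(3))
            else:
                cfg[kind][m.group(1)] = m.group(2)
            break
    return cfg


def psk_ok(key):
    """A WPA/WPA2 ASCII passphrase is 8 to 63 printable ASCII characters."""
    return 8 <= len(key) <= 63 and all(32 <= ord(c) <= 126 for c in key)


def audit(configs):
    """configs maps AP name -> saved commands; the first AP is the reference.

    Returns (ap, finding) tuples. Findings name the setting that is wrong
    but never echo a key or password, so the report is safe to share.
    """
    parsed = {ap: parse_config(text) for ap, text in configs.items()}
    ref_name = next(iter(parsed))
    ref = parsed[ref_name]
    findings = []
    for ap, cfg in parsed.items():
        for ssid, (_suite, key) in cfg["ssid_key"].items():
            if not psk_ok(key):
                findings.append(
                    (ap, f"ssid {ssid}: key is not 8-63 printable ASCII characters"))
        for ssid in sorted(cfg["ssid"]):
            if ssid not in cfg["ssid_bind"].values():
                findings.append((ap, f"ssid {ssid}: not bound to a wifi subinterface"))
        for hive in sorted(cfg["hive"]):
            if hive not in cfg["hive_bind"].values():
                findings.append((ap, f"hive {hive}: not bound to a mgt interface"))
        if ap != ref_name:
            for field in FIELDS:
                if cfg[field] != ref[field]:
                    findings.append((ap, f"{field} differs from {ref_name}"))
    return findings


# Commands for HiveAP-1 and HiveAP-2 are the ones listed in Step 2.
HIVEAP_1 = """\
ssid employee
ssid employee security protocol-suite wpa-auto-psk ascii-key N38bu7Adr0n3
interface wifi0.1 ssid employee
hive hive1
hive hive1 password s1r70ckH07m3s
interface mgt0 hive hive1
"""
# Constructed sample: HiveAP-3 has a mistyped hive password and is missing
# the mgt0 binding, so it would not join hive1.
HIVEAP_3 = (HIVEAP_1.replace("s1r70ckH07m3s", "s1r70ckH07m3")
            .replace("interface mgt0 hive hive1\n", ""))
SAMPLE = {"HiveAP-1": HIVEAP_1, "HiveAP-2": HIVEAP_1, "HiveAP-3": HIVEAP_3}

if __name__ == "__main__":
    for ap, finding in audit(SAMPLE):
        print(f"{ap}: {finding}")
```
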
Note: This example assumes that the RADIUS and AD servers were previously configured and populated with user accounts that have been in use on a wired network (not shown). The only additional configuration on these servers is to enable the RADIUS server to accept authentication requests from the HiveAPs.
Step 1 Define the RADIUS server on the HiveAP-1
Configure the settings for the RADIUS server (IP address and shared secret) on HiveAP-1.
    aaa radius-server first 10.1.1.
Step 5 Configure the RADIUS Server to accept authentication requests from the HiveAPs
Log in to the RADIUS server and define the three HiveAPs as access devices. Enter their mgt0 IP addresses and shared secret.
Step 6 Check that clients can form associations and access the network
1. To check that a client can associate with a HiveAP and access the network, open a wireless client application and connect to the "employee" SSID.
EXAMPLE 4: APPLYING QOS
In this example, you want the hive members to prioritize voice, streaming media, and e-mail traffic. First, you map distinguishing elements of these traffic types to three Aerohive QoS (Quality of Service) classes:
Class 6: voice traffic from VoIP phones with MAC OUI 00:12:3b (the OUI for all phones in the network)
Voice traffic is very sensitive to delay and cannot tolerate packet loss without loss of voice quality.
Note: The HiveAP assigns all traffic that you do not specifically map to an Aerohive class to class 2, which by default uses WRR with a weight of 30 and a rate of 54,000 Kbps.
Step 1 Map traffic types to Aerohive QoS classes on HiveAP-1
1. Map the MAC OUI (organizationally unique identifier) of network users' VoIP phones to Aerohive class 6.
qos classifier-map oui 00:12:3b qos 6
In this example, all network users use VoIP phones from the same vendor, whose OUI (that is, the MAC address prefix) is 00:12:3b. When HiveAP-1 receives traffic from a client whose source MAC address contains this OUI, it assigns it to Aerohive class 6.
2. Define the custom services that you need.
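The mapping this example builds (OUI to class 6, named services to classes 5 and 3, everything else to the default class 2) can be modeled offline to see which class a given frame would receive. This Python sketch is an added example, not Aerohive code; `load_maps`, `classify` and the sample frames are hypothetical, and checking the OUI before the service is an assumption, not documented HiveOS behavior.

```python
# Constructed input: the classification commands this example uses.
CLI = """\
qos classifier-map oui 00:12:3b qos 6
service mms tcp 1755
service smtp tcp 25
service pop3 tcp 110
qos classifier-map service mms qos 5
qos classifier-map service smtp qos 3
qos classifier-map service pop3 qos 3
"""
DEFAULT_CLASS = 2  # class the guide says unmapped traffic receives

def load_maps(cli_text):
    """Build OUI -> class and (proto, port) -> class tables from CLI text."""
    services, oui_map, svc_class = {}, {}, {}
    for line in cli_text.splitlines():
        t = line.split()
        if t[:1] == ["service"] and len(t) == 4:
            services[t[1]] = (t[2], int(t[3]))
        elif t[:3] == ["qos", "classifier-map", "oui"] and len(t) == 6:
            oui_map[t[3].lower()] = int(t[5])
        elif t[:3] == ["qos", "classifier-map", "service"] and len(t) == 6:
            svc_class[t[3]] = int(t[5])
    # A map to a service that was never defined would silently classify nothing.
    missing = sorted(set(svc_class) - set(services))
    if missing:
        raise ValueError("classifier-map references undefined service: %s" % missing)
    return oui_map, {services[n]: c for n, c in svc_class.items()}

def classify(frame, oui_map, port_map):
    """Return the class for one frame (assumed order: OUI first, then service)."""
    oui = frame["src_mac"].lower().replace("-", ":")[:8]
    if oui in oui_map:
        return oui_map[oui]
    return port_map.get((frame["proto"], frame["dst_port"]), DEFAULT_CLASS)

# Constructed sample frames: a VoIP phone, MMS, POP3, and unmapped HTTPS.
FRAMES = [
    {"src_mac": "00:12:3B:aa:bb:cc", "proto": "udp", "dst_port": 5060},
    {"src_mac": "00:0c:29:11:22:33", "proto": "tcp", "dst_port": 1755},
    {"src_mac": "00:0c:29:11:22:33", "proto": "tcp", "dst_port": 110},
    {"src_mac": "00:0c:29:11:22:33", "proto": "tcp", "dst_port": 443},
]

def classify_all(cli_text=CLI, frames=FRAMES):
    oui_map, port_map = load_maps(cli_text)
    return [classify(f, oui_map, port_map) for f in frames]
```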
2. Associate the classifier profiles with the wifi0.1 subinterface and the eth0 interface so that HiveAP-1 can classify incoming traffic arriving at these two interfaces.
interface wifi0.1 qos-classifier wifi0.1-voice
interface eth0 qos-classifier eth0-voice
By creating two QoS classifiers and associating them with the wifi0.
Figure 5 QoS Policy "voice"
The user profile rate defines the total amount of bandwidth for all users to which this policy applies. The user rate defines the maximum amount for any single user. The user rate can be equal to but not greater than the user profile rate.
show qos policy voice
voice user profile rate:54000kbps user profile weight:10 user rate limit:54000kbps
class:0 mode:wrr weight:10 limit:54000kbps
class:1 mode:wrr weight:20 limit:54000kbps
class:2 mode:wrr weight:30 limit:54000kbps
class:3 mode:wrr
Step 4 Configure HiveAP-2 and HiveAP-3
1. Log in to HiveAP-2 through its console port.
2. Configure HiveAP-2 with the same commands that you used for HiveAP-1:
qos classifier-map oui 00:12:3b qos 6
service mms tcp 1755
service smtp tcp 25
service pop3 tcp 110
qos classifier-map service mms qos 5
qos classifier-map service smtp qos 3
qos classifier-map service pop3 qos 3
qos classifier-profile wifi0.1-voice mac
qos classifier-profile wifi0.
CLI COMMANDS FOR EXAMPLES
This section includes all the CLI commands for configuring the HiveAPs in the previous examples. The CLI configurations are presented in their entirety (without explanations) for easy copying and pasting. Simply copy the blocks of text for configuring the HiveAPs in each example and paste them at the command prompt.
HiveAP-3
ssid employee
ssid employee security protocol-suite wpa-auto-psk ascii-key N38bu7Adr0n3
interface wifi0.1 ssid employee
hive hive1
hive hive1 password s1r70ckH07m3s
interface mgt0 hive hive1
save config
Commands for Example 3
Enter the following commands to configure the hive members to support IEEE 802.1X authentication in "Using IEEE 802.1X Authentication" on page 78:
HiveAP-1
aaa radius-server first 10.1.1.
Commands for Example 4
Enter the following commands to configure the hive members to apply QoS (Quality of Service) to voice, streaming media, and data traffic in "Applying QoS" on page 81:
HiveAP-1
qos classifier-map oui 00:12:3b qos 6
service mms tcp 1755
service smtp tcp 25
service pop3 tcp 110
qos classifier-map service mms qos 5
qos classifier-map service smtp qos 3
qos classifier-map service pop3 qos 3
qos classifier-profile wifi0.1-voice mac
qos classifier-profile wifi0.
qos classifier-profile eth0-voice service
interface wifi0.1 qos-classifier wifi0.