Unified Wired & Wireless Access System Configuration Guide Product Model: DWS-3000 Series, Version 2.
Table of Contents
1. Scenario 1 - Basic L2 Edge Setup: 1 Unified Switch + 2 APs
1.1 Configure AP Network Settings
1.1. Configure the DHCP Server
1.1.1. Global DHCP Configuration
1.1.2. Pool Configuration
.6.1. Simulated Roam via Power Down of AP
3.6.2. Simulated Roam via Disabling Radios
3.6.3. Real Roam
3.7. Logs & Traps
3.8. Syslog Configuration
1. Scenario 1 - Basic L2 Edge Setup: 1 Unified Switch + 2 APs

The diagram in this scenario shows a very basic L2 edge network configuration with one Unified Switch and two access points. All devices are in the same L2 domain. The objectives in this setup are as follows:
• Set up the minimum configuration for multiple APs
• Configure an AP with a static IP
• Configure an ACL to prevent wireless clients from accessing the Unified Switch1 management interface.
The table below gives the IP addresses used in this scenario. The following steps will guide you through the configuration of the Unified Switch and the Access Point.

Device                 Subnet
Unified Switch         10.90.90.90/8 (default)
AP1                    10.90.90.91/8 (default)
AP2                    10.90.90.92/8
Client Address Pool    10.90.91.1 – 10.90.91.254

To begin the Unified Switch configuration, connect to port 12 (or any other unused port) from a PC that is on the same subnet (10.0.0.0/8) and launch the web browser using this IP address, 10.90.90.
1.1. Configure the DHCP Server

The Unified Switch can function as a DHCP server to assign addresses to wireless (or wired) clients that connect to each AP. To configure the DHCP Server, you must configure global settings and the address pool for the clients. For this scenario, wireless clients will be assigned addresses in the range of 10.90.91.1/8 – 10.90.91.254/8.
1. Select Pool Configuration in the Navigation tree.
2. Select Create and specify the following settings:
   a. Pool Name – GuestPool
   b. Type of Binding - Dynamic
   c. Network Number – 10.0.0.0
   d. Network Mask - 255.0.0.0
   e. Days - 1 day
   f. Hours - 0
   g. Minutes - 0
   h. Default Router Addresses – 10.90.90.90

1.2. ACL Configuration

The ACL in this scenario prevents wireless clients from accessing the web management interface of the switch. All other types of traffic are allowed.
1.
• Destination IP Mask: 0.0.0.255
• Destination L4 Port: http
6. Create a new rule, enter 2 as the Rule ID, Permit as the Action, and True for Match Every, then click Submit.

The reason for this second rule is that an ACL has an implicit “deny all” rule at the end. ACL rules are checked in order and the action of the first to match the flow is taken. If no match occurs, the packet will be dropped.
1.3. Wireless Configuration

You configure and monitor all wireless settings from the WLAN tab on the navigation panel. Since the deployment is an L2 Edge and there are no subnet boundaries to cross, the switch can use the network management IP address for the wireless functions (Note: the Unified Switch component uses an IP address to manage the APs and peer-switches. In an L2 environment like this scenario no inter-subnet routing is required.
1.4. Device Connections

At this point, all the devices are ready to be connected. After the switch discovers the APs, they will appear on the Failed list because the MAC addresses of the APs are not configured in the Valid AP database (i.e. the switch has not been configured to accept any valid APs).
1. Connect AP1 to port 1 of the switch
2. Connect AP2 to port 13 of the switch
3. Wait about 60 seconds and click Monitoring → Access Points → Authentication Failed Access Points.
4.
1.5. Save Configuration

To save the switch configuration, select Save Changes from the tool bar.
1.6. Verify the Configuration

1. From a wireless client, verify that you can see the “Guest Network” SSID.
2. Using a wireless client, connect to the “Guest Network”. Check the IP address that the switch DHCP server assigned.
3. Try pinging from a client on the Guest Network to the switch or AP IP address. The ping should pass.
4. Try web browsing to the switch IP address. The browse should fail because of the ACL.
1.7.
The Channel adjustment algorithm may be triggered periodically or manually. To manually adjust the channel plan, use the following steps:
1. Select the WLAN tab from the navigation panel and navigate to Administration → AP Management → RF Management.
2. Choose 802.11 b/g, select the Manual Channel Plan tab, and then click the Start button to start the process. Use the Refresh button to check the results of the channel plan.
3. Apply the suggested channel plan by clicking the “Apply” button.
You may also manually change the operational channel from the Administration → AP Management → Advanced page. Select the appropriate channel of the AP radio and change it to the desired channel on the next screen.

1.7.3. Rogue AP Detection

To check the rogue AP list, select the WLAN tab from the navigation panel and navigate to Monitoring → Access Points → Rogue/RF Scan Access Points.
1.7.4. Power Adjustment

To check the power level, select the WLAN tab from the navigation panel and click Monitoring → Access Points → Managed Access Points. Select the Radio Details tab to check the power level. The Automatic Power Adjustment algorithm works by setting the initial power of the AP to the value specified in the AP profile. The power is then periodically adjusted to a level based on the presence or absence of packet transmission errors. The power is changed in increments of 10%.
1.7.4.1. Self Healing Cell Recovery

When a Managed AP is powered down, the power of its neighboring AP(s) managed by the same switch is immediately increased by 20%. Power Adjustment Mode should be set to Interval to see an increase in the power of the neighboring AP. By default, Initial Power is 100%, so decrease the power of the APs to 80% or less before powering down one AP to see the 20% increase. The power level can be verified in the Radio detail on the Monitoring → Access Points → Managed Access Points page.
To reset the AP configuration, you will need to telnet into the AP CLI and use the “factory-reset” command. As mentioned earlier, if the AP is currently managed, you can place it into “debug” mode from the switch to gain access to the UI.
2. Scenario 2 – L2/L3 Edge: 1 Unified Switch + 2 AP

The diagram in this section shows an L2/L3 edge/overlay setup. In this scenario, a Unified Switch acts as an L3 device. Although the two APs are directly connected to the switch, they are in different subnets. Both APs are managed by the D-LINK Unified Switch. Since the Unified Switch supports VLAN routing, L2 paths can be established between the AP switch ports although they are on different IP subnets, such that L3 Tunneling is not required.
To begin the Unified Switch configuration, connect to port 12 from a PC on the 10.0.0.0 network and launch the web browser using the default IP address: 10.90.90.90/8. You connect the APs after you complete the entire switch configuration. The IP address information for this scenario is as follows:

Device: Unified Switch Management Interface | Unified Switch Loopback Interface | AP1 | AP2 | Wireless Clients on D-LINK-NET1 | Wireless Clients on D-LINK-NET2
IP Address: 10.90.90.0/8 | 192.168.10.254/32 | 192.168.20.

2.1
3. Enter the VLAN ID.
4. Enter VLAN Name.
5. On the Slot/Port row for the port to include in the VLAN, select Include from the Participation drop-down menu.
6. For VLAN 100 and VLAN 200, select Tagging from the drop-down menu for port 0/1 and 0/13. This configuration tells the switch to add an 802.1Q VLAN Tag to the packets that egress the port on those VLANs. This is so that the AP knows which Network (or SSID) to forward the traffic on.
7. Click Submit.
8. Repeat for each of the VLANs in the above table.
After you have repeated the steps to configure all four VLANs, use the Monitoring → VLAN Summary → VLAN Status and VLAN Port Status pages to verify that the VLANs and the ports are configured properly.
VLAN Port Status

1.1.2. Configure VLAN Routing

To configure the VLAN routing interfaces for AP1, AP2, and the two D-LINK-NET networks, use the following steps.
1. Select the LAN tab from the navigation panel and click L3 Features → VLAN Routing Configuration.
2. Enter the VLAN ID for VLAN 20 in the VLAN ID field and select Create to create a VLAN routing interface for VLAN 20. This creates a logical routing interface with the slot/port designation of 4/1 for VLAN 20.
3.
   a. IP Address: 192.168.20.254
   b. Subnet Mask: 255.255.255.0
   c. Routing Mode: Enable
6. Click Submit.
7. Repeat the steps for interface 4/2 (VLAN 30), 4/3 (VLAN 100), and 4/4 (VLAN 200). Refer to the following table for IP address information:

Interface        IP Address         Subnet Mask
Interface 4/1    192.168.20.254     255.255.255.0
Interface 4/2    192.168.30.254     255.255.255.0
Interface 4/3    192.168.100.254    255.255.255.0
Interface 4/4    192.168.200.254    255.255.255.0

8.
1.1.3. Enable Global Routing

You need to enable the routing mode to allow the switch to operate as an L3 device in this scenario. To do this, navigate to the L3 Features → IP → Configuration page. Select Enable from the Routing Mode drop-down menu and click Submit.

1.1.4. Configure Static Routing

Since all routes are local to the switch, you do not need to configure any static routes for this scenario.

1.1.5.
1. Click L3 Features -> Loopbacks -> Configuration
2. If they are not already selected, select Create from the Loopback field and 0 in the Loopback Interface field.
3. Click Submit.
4. After the screen refreshes, enter the following information for the new interface:
   a. Loopback Interface: 0
   b. IP Address: 192.168.10.254
   c. Mask: 255.255.255.0
5. Click Submit.

1.1.6.
1.1.7. ACL Configuration

The ACL in this scenario blocks IP traffic between wireless clients who access the network through D-LINK-NET1 and D-LINK-NET2.
1. From the LAN menu, navigate to the Access Control Lists > IP ACL > Access Profile Settings page.
2. From the IP ACL field, select Create New Extended ACL from the drop-down menu.
3. Enter 100 in the ACL ID field, then click Submit.
4. From the Rule Configuration page, enter 1 as the Rule ID, Deny as the Action, and click Submit.
5.
Rule 1

6. From the Rule drop-down menu, select Create, and enter 2 into the Rule ID field, then click Submit.
7. The screen refreshes with additional fields. Click the Configure button associated with the appropriate fields and enter the following criteria to deny IP traffic from clients on the D-LINK-NET2 network to clients on the D-LINK-NET1 network:
   • Protocol Keyword: IP
   • Source IP Address: 192.168.200.0
   • Source IP Mask: 0.0.0.255 (This is a wildcard mask)
   • Destination IP Address: 192.168.100.
8. Create Rule 3 to allow all other types of traffic between any source and any destination since, as mentioned earlier, there is an implicit “deny all” rule at the end of every ACL.
9. From the Rule drop-down menu, select Create.
10. Enter 3 into the Rule ID field, Permit into the Action field, and True in the Match Every field, and then click Submit.
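
The first-match evaluation and implicit “deny all” behind ACL 100 (and behind the Scenario 1 ACL), modelled as an added Python example; it is not D-Link code or switch configuration. Assumptions: rule 1's criteria are not shown above, so it is taken to mirror rule 2; the D-LINK-NET1 network 192.168.100.0 with wildcard 0.0.0.255 is derived from the VLAN 100 routing interface; the host addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

Net = Tuple[str, str]  # (address, wildcard mask)


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Compare only the bits the wildcard mask leaves at 0 (1 = don't care)."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (
        int(ipaddress.IPv4Address(base)) & care)


@dataclass
class Rule:
    rule_id: int
    action: str                  # "permit" or "deny"
    src: Optional[Net] = None    # None = any source
    dst: Optional[Net] = None    # None = any destination
    match_every: bool = False    # "Match Every: True" in the web UI

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        if self.match_every:
            return True
        return ((self.src is None or wildcard_match(src_ip, *self.src)) and
                (self.dst is None or wildcard_match(dst_ip, *self.dst)))


def evaluate(acl, src_ip, dst_ip):
    """First matching rule wins; rule_id None means the implicit deny hit."""
    for rule in acl:  # rules are listed in rule-ID order
        if rule.matches(src_ip, dst_ip):
            return rule.action, rule.rule_id
    return "deny", None


NET1 = ("192.168.100.0", "0.0.0.255")   # D-LINK-NET1 (VLAN 100)
NET2 = ("192.168.200.0", "0.0.0.255")   # D-LINK-NET2 (VLAN 200)

ACL_100 = [
    Rule(1, "deny", src=NET1, dst=NET2),   # assumed mirror of rule 2
    Rule(2, "deny", src=NET2, dst=NET1),
    Rule(3, "permit", match_every=True),
]

# Common mistake: a subnet mask typed where a wildcard mask is expected.
ACL_WRONG_MASK = [
    Rule(1, "deny", src=NET1, dst=NET2),
    Rule(2, "deny", src=("192.168.200.0", "255.255.255.0"), dst=NET1),
    Rule(3, "permit", match_every=True),
]

if __name__ == "__main__":
    flows = [  # constructed client and gateway addresses
        ("192.168.200.37", "192.168.100.12"),
        ("192.168.100.12", "192.168.200.37"),
        ("192.168.200.37", "192.168.20.254"),
    ]
    for name, acl in [("ACL 100", ACL_100),
                      ("without rule 3", ACL_100[:2]),
                      ("subnet mask in rule 2", ACL_WRONG_MASK)]:
        for src, dst in flows:
            print(name, src, "->", dst, evaluate(acl, src, dst))
```

The third rule set shows the failure mode the wildcard-mask note guards against: with a subnet mask entered in rule 2, NET2-to-NET1 traffic falls through to rule 3 and is permitted.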
1.2. Configuring WLAN Settings

All of the features you configure in this section are within the WLAN tab on the D-LINK Unified Switch. Use the following steps to configure the Unified Switch and the APs.
1. On the Global tab of the Administration → Basic Setup page, make sure the switch IP address is the Loopback interface address (192.168.10.254), the country code is correct, and that the WLAN Switch Operational Status is Enabled.
2. Click Next to go to the Discovery tab on the Basic Setup page.
3.
4. Click the SSID tab to configure the VAP and Network settings for the APs.
5. Select the 802.11b/g radio.
6. Select the check box next to Managed SSID 2 and click Edit.
7. Change the following Network parameters and select Submit:
   a. SSID – D-LINK-NET1
   b. VLAN – 100
   c. Security – WEP
      • Authentication – Open System
      • WEP Key Type – ASCII
      • WEP Key Length – 64
      • WEP Key 1 – 98765

Note: For convenience, the SSID created under one radio is propagated to the second radio.
1.3. Save Configuration

Use the Tool menu to save the switch configuration.

1.4. Device Connections

This section outlines the connections needed between the Unified Switches and the APs. At this point, all the devices are ready to be connected.
different subnet. Fast roams will not function on the Guest Network SSID because the client will be forced to acquire a new IP address.
3. Scenario 3 – L3 Overlay: 1 Unified Switch + 1 AP + 1 Remote AP

The diagram in this section shows a network configuration with a D-LINK Unified Switch connected to an L3 Device/Router. One AP is connected to the D-LINK Unified Switch, and the other is connected to the L3 device. Both APs are managed by the D-LINK Unified Switch. This scenario uses L3 tunneling so that a client associated with AP1 can initiate an audio conversation and roam to a different subnet.
This scenario builds on the configuration from Scenario 2. Although some of the information configured in Scenario 2 does not apply to Scenario 3, you do not need to delete any of the preexisting configurations. In addition to the VLAN, DHCP, ACL and Unified Switch configuration performed in Scenario 2, the configuration for this scenario involves the following steps: 1.
VLAN ID                      VLAN Name        Include Ports                  IP Address
VLAN 20 (Interface 4/1)      AP1              Port 0/1                       192.168.20.254
VLAN 30 (Interface 4/2)      AP2              Port 0/13                      192.168.30.254
VLAN 100 (Interface 4/3)     D-LINK-NET1      Ports 0/1 and 0/13             192.168.100.254
VLAN 200 (Interface 4/4)     D-LINK-NET2      Ports 0/1 and 0/13             192.168.200.254
VLAN 5 (Interface 4/5)       Customer-NET     Port 0/24 (Untag)              172.17.5.253
VLAN 250 (Interface 4/6)     L3-Tunnel-NET    Ports 0/21 and 0/22 (Untag)    192.168.250.
2. To create a routing interface for VLAN 5, enter 5 into the VLAN ID field and select Create. This creates a logical routing interface with the slot/port designation of 4/5 for VLAN 5.
3. To create a routing interface for VLAN 250, enter 250 into the VLAN ID field and select Create. This creates a logical routing interface with the slot/port designation of 4/6 for VLAN 250.
4. Navigate to L3 Features → IP → Interface Configuration.
Proper static routes to the Unified Switch must also be configured on the “customer” L3 device. In a customer environment, you would need to configure the following static routes on the customer’s L3 device.

Network Address    Mask             Next Hop IP Address
192.168.10.0       255.255.255.0    172.17.5.253

Note: The above static route provides an IP path back to the loopback interface on the Unified Switch so that the remote AP can reach it and become managed by the Unified Access System.
3.1.4. DHCP Server

You need to configure a new IP address pool for the clients that connect to the L3 Tunnel network (the FTP/Audio/Video server and the wireless clients that connect to the L3 Tunnel SSID). The DHCP server should already be enabled from Scenario 2.
1. From the LAN menu, click Administration → DHCP Server → Global Configuration.
2. In the Admin Mode field, select Enable, then click Submit to enable the DHCP server.
3. Select Pool Configuration in the Navigation tree.
3.2. Configuring WLAN Settings

All of the features you configure in this section are within the WLAN tab on the D-LINK Unified Switch.

3.2.1. Configure the Basic Settings

Use the following steps to configure the Unified Switch and the APs.
1. On the Global tab of the Administration → Basic Setup page, make sure the switch IP address is the Loopback interface address (192.168.10.254), the country code is correct, and that the WLAN Switch Operational Status is Enabled.
2.
   i. Passphrase: 1234567890

3.2.2. Apply the AP Profile

Because the AP profile that the APs use has changed and you have not disconnected AP1, you can manually re-apply the AP profile settings in order to update it with the new L3-Tunnel network. The new profile will automatically be applied to AP2 after you connect it to the L3 device and the D-LINK Unified Switch discovers and validates it.
1. To apply the updated AP profile, access the Administration → Advanced Configuration → AP Profiles page under the WLAN tab.
2. Select the check box next to Profile1 – Default.
3. Click Apply to apply the new profile to AP1.

3.3. Save Configuration

Save the switch configuration.

3.4. Device Connections

This section outlines the connections needed between the Unified Switches and the APs. At this point, all the devices are ready to be connected.
4. Disconnect the AP which your laptop is associated with and see how soon you can roam to the other AP. Normally 1 ping loss is observed when roaming. (Note: Please see section 3.6.1 below for an alternative mechanism for simulating a roam)
5. You can repeat steps 2-4 and observe your laptop roam from AP to AP without changing IP, and with limited packet loss.
Note: All traps are disabled by default.

WS Traps
1. WS Enabled
2. WS Disabled
3. WS Managed AP Database Full
4. WS Managed AP – AP Neighbor List Full
5. WS Managed AP – Client Neighbor List Full
6. WS-AP Failure List Full
7. RF Scan AP List Full
8. Client Association Database Full
9. Client Failure List Full

Peer WS Traps
10. Peer WS Discovered
11. Peer WS Failed
12. Peer WS Unknown Protocol Discovered

AP State Traps
13. WS Managed AP Discovered
14. WS Managed AP Failed
15.
3.8. Syslog Configuration

Enable Syslog by navigating to DWS-3026 -> Administration -> System Log Configuration and selecting Submit. Then configure the syslog server by providing the server IP address, selecting the Severity Filter level, and selecting Submit.

3.9. Debug

This section outlines information required for engineering debugging. Connect your laptop/PC to the Unified Switch’s serial console or telnet to the IP address of the switch and capture the following information:
1. show running-config
2.
3.
4. Scenario 4 – L3 Edge: 2 Switches + 2 APs

This scenario involves a larger Unified Switch managed network, which consists of multiple Unified Switches (in this example there are two) connected over an L3 core network. Also, in this scenario, the L3-Tunnel network is updated to require WPA2 authentication for “fast authenticated roaming.” The security is WPA Enterprise, which requires a RADIUS server.
4.1. Overview

The following tables show a summary of the interfaces on the devices you configure, along with their IP address and port information as well as the VLANs, DHCP pools, etc. This configuration starts from scratch and therefore you should clear the configuration on the unified switches from the previous scenarios.
DHCP Clients on D-LINK-NET2 SSID NA 192.168.3.x/24 Wireless

4.2. Switch1 & Switch2 LAN Configuration

The configuration in this section takes place on Unified Switch1 and Unified Switch2, and all features are under the LAN tab on the navigation panel. Please follow the steps you have learned from previous scenarios to configure the VLANs, interfaces, and addresses on the systems.

4.2.1.
roam will occur because of client movement. If an AP does fail and the routes are configured in the manner described above, a short interruption of service could be observed. (Please see section 4.6.1 for a description of how to demonstrate a roam without the chance of a routing loop).

4.2.3. Set the MTU Size

Configure the interface MTU size appropriately throughout the network to support the larger frames potentially involved in L3 Tunneling.

4.3.
1. Add a client entry for AP1 to the clients.conf file:

    client 192.168.101.0/24 {
        secret = secret
        shortname = my-ap1
    }

   Note: The secret is the same as the one added to the RADIUS Secret field in the D-LINK-NET1 Wireless Network Configuration. Similarly, add a client entry for AP2.
2. Add the user dlink with password admin to the users file as:

    dlink Auth-Type := EAP, User-Password == "admin"

3. Restart the RADIUS server (you must restart it after you make any changes to the configuration file).

4.5.
5. You can repeat steps 2-4 and observe your laptop roam from AP to AP without changing IP, and with limited packet loss. (Note: If you use this method for simulating a roam, when you roam back to the original AP the client was associated with, a re-authentication with the RADIUS server will be required since power-cycling the AP will cause it to lose its security key cache.)

4.6.2.
representation of your wireless network. From each object on the WLAN Visualization graph, you can access information about the object and links to configuration pages on the Web interface. WLAN Visualization can help administrators do the following:
• Track how managed APs are deployed graphically
• Monitor the wireless network status via the dynamically updated diagram.
Then go to ‘Edit’, select ‘New Graph’, enter the following, and press ‘Save’.
After the above, you should be able to see the following.

You can start to drag and drop items from the left-hand side tab, including Switches, Managed APs and Rogue APs. Then you can go to ‘View’ → ‘AP Power Display’ and select ‘Show 802.11b/g’; you’ll be able to see the following.

Then you can move your cursor to any of the objects and right-click to see more detailed information about that object, such as device/RF information.
Appendix

1. You can use the following settings to make a console connection:
   • Select the appropriate serial port (COM port 1 or COM port 2).
   • Set the data rate to 115200 baud.
   • Set the data format to 8 data bits, 1 stop bit, and no parity.
   • Set flow control to none.
   • Under Properties, select VT100 for Emulation mode.
2. The CLI commands of the DWS-3000 series are Cisco-like; the default username is ‘admin’, and there is no password. When you enter the 1st level of system access, the command prompt is “>” (ex.
Troubleshooting

1. Several known issues have been identified in the current version, and they’ll be solved in the coming release. These issues include that, in certain conditions, it might not be able to display auto power adjustment.
2.