Motorola RFS Series Wireless LAN Switches WiNG System Reference Guide
© 2009 Motorola, Inc. All rights reserved. MOTOROLA and the Stylized M Logo are registered in the US Patent & Trademark Office. Symbol is a registered trademark of Symbol Technologies, Inc. All other product or service names are the property of their respective owners.
About This Guide
Introduction
This guide provides information about using the following Motorola switches and version numbers:
• RFS6000 4.0
• RFS7000 4.0
NOTE: Screens and windows pictured in this guide are samples and can differ from actual screens.
Documentation Set
The documentation set for the Motorola RF Series Switches is partitioned into the following guides to provide information for specific user needs.
viii Motorola RF Switch System Reference
! CAUTION: Indicates conditions that can cause equipment damage or data loss.
WARNING! Indicates a condition or procedure that could result in personal injury or equipment damage.
Contents
Chapter 1. Overview
1.1 Hardware Overview 1-2
1.1.1 Physical Specifications 1-2
1.2 Software Overview
3.4.3 Updating the Switch Firmware 3-28
3.5 Switch File Management 3-29
3.5.1 Transferring Files
4.8.2 Configuring Layer 3 Access Port Adoption 4-136
4.8.3 Configuring WLAN Assignment 4-136
4.8.4 Configuring WMM 4-138
4.9 Configuring Access Ports
5.6.1 Configuring Self Healing Neighbor Details 5-55
5.7 Configuring Switch Discovery 5-57
5.7.1 Configuring Discovery Profiles
6.7.1 Defining the IPSec Configuration 6-66
6.7.2 Defining the IPSec VPN Remote Configuration 6-71
6.7.3 Configuring IPSEC VPN Authentication 6-72
6.7.4 Configuring Crypto Maps
8.2 Configuring System Logging 8-7
8.2.1 Log Options 8-7
8.2.2 File Management
Appendix C Troubleshooting
C.1 General Troubleshooting C-1
C.1.1 Wireless Switch Issues C-1
C.1.2 Access Port Issues
D.7.1 Unauthorized Access Point Detection D-93
D.7.2 Unauthorized Access Point Containment D-94
D.7.3 Wireless Intrusion Detection D-94
D.
Overview
A Motorola RF Switch is a centralized management solution for wireless networking. It connects to non-legacy Access Ports through Layer 2 or Layer 3 (Layer 2 is preferable, if the situation allows it). Access Ports function as radio antennas for data traffic management and routing. System configuration and intelligence for the wireless network resides with the switch. The switch uses Access Ports to bridge data to and from wireless devices.
1.1 Hardware Overview
The RFS6000 and RFS7000 are rack-mountable devices that manage all inbound and outbound traffic on the wireless network. They provide security, network service and system management applications. Unlike traditional wireless infrastructure devices that reside at the edge of a network, the switch uses centralized, policy-based management to apply sets of rules or actions to all devices on the wireless network.
1.1.1.1 Power Protection
To best protect the switch from unexpected power surges or other power-related problems, ensure the switch installation meets the following guidelines:
• If possible, use a dedicated circuit to protect data processing equipment. Commercial electrical contractors are familiar with wiring for data processing equipment and can help with the load balancing of dedicated circuits.
• Install surge protection.
• Licensing Support
• Configuration Management
• Diagnostics
• Serviceability
• Tracing / Logging
• Process Monitor
• Hardware Abstraction Layer and Drivers
• Redundancy
• Secure Network Time Protocol (SNTP)
• Password Recovery
1.2.1.
• Software – CPU load, memory usage, etc.
• Environmental – CPU and air temperature, fan speed, etc.
2. Out-of-service Diagnostics – Out-of-service diagnostics are a set of intrusive tests run from the user interface. They cannot be run while the switch is in operation. Intrusive tests include:
• Ethernet loopback tests
• RAM tests, Real Time Clock tests, etc.
3.
1.2.1.9 Redundancy
Using switch redundancy, up to 12 switches can be configured in a redundancy group (and provide group monitoring). In the event of a switch failure, an existing cluster member assumes control. Therefore, the switch-supported network stays up and running even if a switch fails or is removed for maintenance or a software upgrade.
• Rate Limiting
• Proxy-ARP
• HotSpot / IP Redirect
• IDM (Identity Driven Management)
• Voice Prioritization
• Self Healing
• Wireless Capacity
• AP and MU Load Balancing
• Wireless Roaming
• Power Save Polling
• QoS
• Wireless Layer 2 Switching
• Automatic Channel Selection
• WMM-Unscheduled APSD
• Multiple VLANs per WLAN
1.2.2.1 Adaptive AP
An adaptive AP (AAP) is an AP-5131 or AP-7131 Access Point adopted by a wireless switch.
• Maintain local WLANs for specific applications - WLANs created and supported locally can be concurrently supported with your existing infrastructure.
For an overview of AAP and how it is configured and deployed using the switch and Access Point, see Adaptive AP Overview.
1.2.2.2 Physical Layer Features
802.
address of switch). Thus, the MU does not awaken to send ARP replies (increasing MU battery life and conserving wireless bandwidth). If an MU goes into PSP without transmitting at least one packet, its Proxy ARP will not work.
1.2.2.5 HotSpot / IP Redirect
A hotspot is a Web page users are forced to visit before they are granted access to the Internet.
1.2.2.7 Voice Prioritization
The switch's QoS policy can be configured to prioritize the network traffic requirements of associated MUs. Use QoS to enable voice prioritization for devices that use voice as their transmission priority. Voice prioritization allows you to assign priority to voice traffic over data traffic, and (if necessary) assign legacy voice devices (non-WMM voice devices) additional priority.
Self Healing Actions
If AP1 detects AP2 and AP3 as its neighbors, you can assign failure actions to AP2 and AP3 whenever AP1 fails. Assign up to four self healing actions:
1. No action
2. Decrease supported rates
3. Increase Tx power
4. Both 2 and 3
You can specify the Detector AP (AP2 or AP3) to stop detecting and adopt the RF settings of the failed AP. For more information on configuring self healing, see Configuring Self Healing on page 5-53.
1.2.2.
AP Balancing Across Multiple Switches
At adoption, the AP solicits and receives multiple adoption responses from the switches on the network. These adoption responses contain preference and loading information the AP uses to select the optimum switch to be adopted by. Use this mechanism to define which APs are adopted by which switches. By default, the adoption algorithm generally distributes AP adoption evenly among the switches available.
MU Move Command
As a value-added proprietary feature between Motorola infrastructure products and Motorola MUs, a move command has been introduced. The move command permits an MU to roam between ports connected to the same switch without the need to perform the full association and authentication defined by the 802.11 standard. The move command is a simple packet up/packet back exchange with the Access Port.
disconnect. With QoS, a VoIP conversation (a real-time session) receives priority, maintaining a high level of voice quality.
with UPSD enabled. After the AP acknowledges the trigger frame, it transmits the frames in its UPSD power save buffer addressed to the triggering switch. UPSD is well suited to support bi-directional frame exchanges between a voice STA and its AP.
1.2.2.17 Multiple VLANs per WLAN
The switch permits the mapping of a WLAN to more than one VLAN. When an MU associates with a WLAN, the MU is assigned a VLAN by means of load balance distribution. The VLAN is picked from a pool assigned to the WLAN.
switches. This ensures a VLAN MU association is maintained even while the MU roams amongst cluster members.
Roaming across a Layer 3 Mobility Domain
When an MU roams amongst switches in different Layer 3 mobility domains, Layer 3 ensures traffic is tunneled back to the correct VLAN (on the home switch).
Interaction with Radius Assigned VLANs
Multiple VLANs per WLAN can co-exist with VLANs assigned by a Radius server.
Multiple IP addresses for a single VLAN allow the configuration of multiple IP addresses, each belonging to a different subnet. Class configuration allows a DHCP client to obtain an address from the first pool to which the class is assigned. For more information, see Configuring the DHCP User Class on page 5-19.
1.2.3.3 DDNS
Dynamic DNS (DDNS) keeps a domain name linked to a changing IP address.
• Heat map support for RF deployment
• Secure guest access with specific permission intervals
• Switch discovery enabling users to discover each Motorola switch on the specified network.
1.2.5 Security Features
Switch security can be classified into wireless security and wired security. The switch includes the following wireless security features:
• Encryption and Authentication
• MU Authentication
• Secure Beacon
• MU to MU Disallow
• 802.
WPA
WPA is designed for use with an 802.1X authentication server, which distributes different keys to each user. However, it can also be used in a less secure pre-shared key (PSK) mode, where every user is given the same passphrase. WPA uses Temporal Key Integrity Protocol (TKIP), which dynamically changes keys as the system is used. When combined with the much larger Initialization Vector, it defeats well-known key recovery attacks on WEP.
uses the MAC address of the MU as both the username and password (this configuration is also expected on the Radius server). MAC-Auth supports all encryption types, and (in the case of 802.11i) the handshake is completed before the Radius lookup begins. For information on configuring 802.1x EAP for a WLAN, see Configuring MAC Authentication on page 4-48.
1.2.5.3 Secure Beacon
Devices in a wireless network use Service Set Identifiers (SSIDs) to communicate.
Change Username/Password after AP Adoption
Once the AP300 is adopted using 802.1x authentication (say default username/password) OR using a non-secure access method (hub or switch without 802.1x enabled), use the CLI/SNMP/UI to reconfigure the username/password combination.
Reset Username/Password to Factory Defaults
To restore the AP300 username/password to factory defaults, adopt the AP300 using a non-secure access method (a hub or switch without 802.
RF scan by Access Port on one channel
This process requires an Access Port to assist in Rogue AP detection. It functions as follows:
• The switch sends a new configuration message to the adopted AP informing it to detect Rogue APs.
• The Access Port listens for beacons on its present channel.
• It passes the beacons to the switch as it receives them without any modification.
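The switch-side decision in this process, as an added example that is not Motorola's code: because the Access Port relays beacons unmodified, the switch has to compare each one against a list of sanctioned APs. The record fields, the verdict names and the sanctioned list are assumptions, and the relayed beacons are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    bssid: str     # transmitter address of the beacon frame, as relayed by the Access Port
    ssid: str
    channel: int   # channel the Access Port was listening on when it heard the beacon


# Constructed sanctioned-AP list (assumed format), keyed by normalised BSSID
SANCTIONED = {
    "00:a0:f8:aa:bb:01": {"ssid": "CORP-WLAN", "channel": 6},
    "00:a0:f8:aa:bb:02": {"ssid": "CORP-WLAN", "channel": 11},
}

# Constructed sample of beacons relayed unmodified by one Access Port
RELAYED_BEACONS = [
    Beacon("00-A0-F8-AA-BB-01", "CORP-WLAN", 6),   # sanctioned AP, different MAC notation
    Beacon("00:a0:f8:aa:bb:01", "CORP-WLAN", 6),   # same AP heard again one beacon interval later
    Beacon("02:13:37:00:00:01", "CORP-WLAN", 6),   # unknown radio advertising the corporate SSID
    Beacon("00:a0:f8:aa:bb:02", "CORP-WLAN", 1),   # sanctioned AP heard on an unexpected channel
    Beacon("a4:5e:60:11:22:33", "CoffeeShop", 6),  # neighbouring network, not ours
]

# Higher value = more urgent; used when one BSSID yields several verdicts
SEVERITY = {"sanctioned": 0, "unauthorised": 1, "suspicious": 2, "rogue": 3}


def normalise_mac(mac: str) -> str:
    """Accept 00-A0-F8-AA-BB-01, 00a0.f8aa.bb01 or colon form; return lower-case colon form."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def classify(beacon: Beacon, sanctioned: dict) -> tuple:
    """Return (verdict, reason) for one relayed beacon.

    rogue:        unknown BSSID advertising one of our SSIDs, or a sanctioned BSSID
                  advertising a foreign SSID (impersonation either way)
    suspicious:   sanctioned BSSID on a channel we did not expect (may be a
                  legitimate channel change, so flag for review rather than act)
    unauthorised: unknown BSSID advertising a foreign SSID
    sanctioned:   matches the list
    """
    bssid = normalise_mac(beacon.bssid)
    our_ssids = {entry["ssid"] for entry in sanctioned.values()}
    entry = sanctioned.get(bssid)
    if entry is None:
        if beacon.ssid in our_ssids:
            return ("rogue", "unknown BSSID advertising a sanctioned SSID")
        return ("unauthorised", "unknown BSSID advertising a foreign SSID")
    if entry["ssid"] != beacon.ssid:
        return ("rogue", "sanctioned BSSID advertising an unexpected SSID")
    if entry["channel"] != beacon.channel:
        return ("suspicious", "sanctioned BSSID heard on an unexpected channel")
    return ("sanctioned", "matches the sanctioned list")


def summarise(beacons, sanctioned: dict) -> dict:
    """One verdict per BSSID: beacons repeat, so keep the most severe result seen."""
    report = {}
    for beacon in beacons:
        key = normalise_mac(beacon.bssid)
        result = classify(beacon, sanctioned)
        if key not in report or SEVERITY[result[0]] > SEVERITY[report[key][0]]:
            report[key] = result
    return report


if __name__ == "__main__":
    for bssid, (verdict, reason) in summarise(RELAYED_BEACONS, SANCTIONED).items():
        print(f"{bssid}  {verdict:12s} {reason}")
```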
allowed. If the action is to mark, the packet is tagged for priority. The switch supports the following types of ACLs:
• IP Standard ACLs
• IP Extended ACLs
• MAC Extended ACLs
• Wireless LAN ACLs
For information on creating an ACL, see Configuring Firewalls and Access Control Lists on page 6-14.
1.2.5.9 Local Radius Server
Radius is a common authentication protocol utilized by the 802.1x wireless security standard.
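A first-match evaluator for the permit, deny and mark actions over the IP Standard, IP Extended and MAC Extended ACL types listed above, added here as an example and not the switch's own implementation. The rule fields, the packet dictionary keys and the implicit-deny default are assumptions; the ACLs are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    action: str                     # "permit", "deny" or "mark"
    src_ip: Optional[str] = None    # CIDR; the only match field of an IP Standard ACL
    dst_ip: Optional[str] = None    # CIDR; IP Extended ACLs only
    proto: Optional[str] = None     # "tcp", "udp", "icmp"; IP Extended ACLs only
    dst_port: Optional[int] = None  # IP Extended ACLs only
    src_mac: Optional[str] = None   # MAC Extended ACLs
    dst_mac: Optional[str] = None   # MAC Extended ACLs
    priority: Optional[int] = None  # priority value applied by a "mark" rule


def _ip_match(net: Optional[str], addr: Optional[str]) -> bool:
    if net is None:
        return True   # field not specified in the rule: wildcard
    if addr is None:
        return False  # rule needs an IP field the packet lacks (e.g. a non-IP frame)
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def _field_match(want, have) -> bool:
    if want is None:
        return True   # wildcard
    if have is None:
        return False
    return str(want).lower() == str(have).lower()


def matches(rule: Rule, pkt: dict) -> bool:
    """True when every field the rule specifies matches the packet."""
    return (_ip_match(rule.src_ip, pkt.get("src_ip"))
            and _ip_match(rule.dst_ip, pkt.get("dst_ip"))
            and _field_match(rule.proto, pkt.get("proto"))
            and _field_match(rule.dst_port, pkt.get("dst_port"))
            and _field_match(rule.src_mac, pkt.get("src_mac"))
            and _field_match(rule.dst_mac, pkt.get("dst_mac")))


def evaluate(acl, pkt: dict) -> tuple:
    """Return (action, priority) from the first matching rule.

    A packet matching no rule is denied: assumed implicit deny, the usual ACL
    convention, so the order of the rules decides the outcome.
    """
    for rule in acl:
        if matches(rule, pkt):
            return (rule.action, rule.priority)
    return ("deny", None)


# Constructed sample ACLs. Note the ordering: SIP from the guest subnet to the
# internal PBX hits the mark rule before the deny rule and is tagged, not dropped.
IP_EXTENDED_ACL = [
    Rule("mark", src_ip="10.1.20.0/24", proto="udp", dst_port=5060, priority=6),  # tag voice signalling
    Rule("deny", src_ip="10.1.20.0/24", dst_ip="10.1.0.0/16"),                     # guest subnet to internal
    Rule("permit", src_ip="10.1.20.0/24"),                                         # guest subnet elsewhere
]
MAC_EXTENDED_ACL = [
    Rule("deny", src_mac="00:11:22:33:44:55"),   # one blocked station
    Rule("permit"),                              # all other frames
]


if __name__ == "__main__":
    sip = {"src_ip": "10.1.20.7", "dst_ip": "10.1.5.1", "proto": "udp", "dst_port": 5060}
    print(evaluate(IP_EXTENDED_ACL, sip))
    print(evaluate(MAC_EXTENDED_ACL, {"src_mac": "00:11:22:33:44:55"}))
```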
1.2.5.11 NAT
Network Address Translation (NAT) is supported for packets routed by the switch. The following types of NAT are supported:
• Port NAT – Port NAT (also known as NAPT) maps multiple local addresses to a single global address and a dynamic port number. The user is not required to configure any NAT IP address.
Switch Web UI Access and Image Upgrades
The content of this chapter is segregated amongst the following:
• Accessing the Switch Web UI
• Switch Password Recovery
• Upgrading the Switch Image
• Auto Installation
• AP-4131 Access Point to Access Port Conversion
2.1 Accessing the Switch Web UI
2.1.1 Web UI Requirements
The switch Web UI is accessed using Internet Explorer version 5.5 (or later) and SUN JRE (Java Runtime Environment) 1.5 (or later).
To display the switch Web UI:
1. Point the browser to the IP address assigned to the wired Ethernet port (port 2). Specify a secure connection using the https:// protocol. The switch login screen displays:
2. Enter the Username admin, and Password superuser. Both are case-sensitive. Click the Login button.
NOTE: If using HTTP to log in to the switch, you may encounter a Warning screen if a self-signed certificate has not been created and implemented for the switch.
2.2 Switch Password Recovery
The switch has a means of restoring its password to its default value. Doing so also reverts the switch’s security, radio and power management configuration to their default settings. Only an installation professional should reset the switch password and promptly define a new restrictive password. To contact Motorola Support in the event of a password reset requirement, go to http://www.symbol.com/contactsupport.
2.3 Upgrading the Switch Image
The switch ships with a factory-installed firmware image with the full feature functionality described in this System Reference Guide. However, Motorola periodically releases switch firmware that includes enhancements or resolutions to known issues. Verify your current switch firmware version against the latest version available from the Motorola Web site before determining if your system requires an upgrade.
2.
• image file URL
• expected image version
The enables default to no, and the URLs and the version default to "" (blank):
RF Switch(config)#show autoinstall
feature enabled
config no --not-set--
cluster cfg no --not-set--
image no --not-set--
expected image version URL --not-set--
Enables are set using the autoinstall command:
RF Switch>en
RF Switch#conf t
RF Switch(config)#autoinstall image
RF Switch(config)#autoinstall config
RF Switch(config)#aut
2.5 AP-4131 Access Point to Access Port Conversion
SWITCH NOTE: AP-4131 Access Point to Access Port Conversion is only available on the RFS6000 platform.
To convert an AP-4131 fat Access Point to a thin AP-4131 Access Port you need to load the port conversion version of the firmware. Refer to the files available with your Motorola Web site download package.
To convert an AP-4131 Access Point
1.
5. Reset the AP if you changed the AP's IP address, by displaying the System Summary and selecting the Reset AP option. If you reset the AP-4131 you will need to log in as Admin again.
6. Select the Special Functions main menu item.
7. Select the Firmware Update Menu-[F3] menu item.
8. Select the Alter Filename(s)/HELP URL/TFTP Server menu item.
a. Confirm that the Firmware File Name is correct; make changes as needed.
b.
Switch Information
This chapter describes the Switch main menu information used to configure the switch. This chapter consists of the following sections:
• Viewing the Switch Interface
• Viewing Switch Port Information
• Viewing Switch Configurations
• Viewing Switch Firmware Information
• Switch File Management
• Configuring Automatic Updates
• Viewing the Switch Alarm Log
• Viewing Switch Licenses
• How to use the Filter Option
3.
NOTE: When the switch’s configuration is successfully updated (using the Web UI), the affected screen is closed without informing the user their change was successful. However, if an error occurs, the error displays within the affected screen’s Status field and the screen remains displayed. With file transfer operations, the transfer screen remains open during the transfer and remains open upon completion (with status displayed within the Status field).
3.1.
System Name: Displays the designated system name. Provide a system name serving as a reminder of the user base the switch supports (engineering, retail, etc.).
Location: The Location parameter serves as a reminder of where the switch can be found. Define the System Name as a specific identifier of the switch’s location. Use the System Name and Location parameters together to optionally define the switch name by the radio coverage type it supports and physical location.
Enter the new password within the Password and Confirm Password fields and click OK.
NOTE: When entering a new password for the switch, please note that the password must be a minimum of 8 characters long.
8. Click the Revert button to undo any changes. The Revert button must be clicked before hitting the Apply button for any changes to be reverted.
9. Click the Apply button to save the updates (to the Time Zone or Country parameters specifically).
3.1.
Apart from the sections mentioned above, it also displays the following status:
Redundancy State: Displays the Redundancy State of the switch. The status can be either Enabled or Disabled.
• Enabled - Denoted by a green state.
• Disabled - Denoted by a yellow state.
Firmware: Displays the Firmware version of the current software running on the wireless switch.
Management IP: Displays the Management IP address of the switch.
Speed: Displays the speed at which the port transmits or receives data.
Duplex: Displays the status of the port, either Full Duplex or Unknown.
3. The Environment section displays the CPU temperature. It displays the valid threshold range set by the user.
4. The CPU/Memory section displays the free memory available with the RAM.
5. The File Systems section displays the free file system available for:
• flash
• nvram
• system
3.1.3.
1. Refer to the Alarms field for details of all the unacknowledged alarms generated during the past 48 hours. The alarms are classified as:
• Critical — Denoted by a red indicator. These alarms warrant immediate attention.
• Major — Denoted by a yellow indicator. These alarms warrant attention.
• Others — Denoted by a blue indicator.
3.1.4 Viewing Switch Statistics
The Switch Statistics tab displays an overview of the recent network traffic and RF status for the switch. To display the Switch Statistics tab:
1. Select Switch from the main menu tree.
2. Click the Switch Statistics tab at the top of the Switch screen.
3. Refer to the following read-only information about associated MUs:
Number of MUs Associated: Displays the total number of MUs currently associated to the switch.
Avg. Bit Speed: Displays the average bit speed for the switch over the last 30 seconds and 1 hour. Use the average bit speed value to help determine overall network speeds and troubleshoot network congestion.
% Non-unicast pkts: Displays the percentage of non-unicast packets seen (received & transmitted) by the switch over the last 30 seconds and 1 hour. Non-unicast traffic includes both multicast and broadcast traffic.
3.2 Viewing Switch Port Information
The Port screen displays configuration, runtime status and statistics of the ports on the switch.
SWITCH NOTE: The ports available vary by switch platform.
RFS6000: ge1, ge2, ge3, ge4, ge5, ge6, ge7, ge8, me1, up1
RFS7000: ge1, ge2, ge3, ge4, me1
The port types are defined as follows:
GE#: GE ports are available on the RFS6000 and RFS7000 platforms. GE ports on the RFS6000 are RJ-45 which support 10/100/1000Mbps.
Name: Displays the current port name. The port names available vary by switch.
RFS6000: ge1, ge2, ge3, ge4, ge5, ge6, ge7, ge8, me1, up1
RFS7000: ge1, ge2, ge3, ge4, me1
MAC Address: Displays the port’s MAC Address. This value is read-only, set at the factory and cannot be modified.
Admin Status: Displays whether the port is currently Up or Down.
Speed: Displays the current speed of the data transmitted and received over the port.
2. Click the Edit button. A Port Change Warning screen displays, stating any change to the port setting could disrupt access to the switch. Communication errors may occur even if modifications made are successful.
3. Click the OK button to continue. Optionally, select the Don’t show this message again for the rest of the session checkbox to disable the pop-up.
4. Use the Edit screen to modify the following port configurations for the selected port.
Name: Displays the read-only name assigned to the port.
Speed: Select the speed at which the port can receive and transmit the data. Select from the following range:
• 10 Mbps
• 100 Mbps
• 1000 Mbps
• Auto
Duplex: Modify the duplex status by selecting one of the following options:
• Half
• Full
• Auto
Channel Group: Optionally, set the Channel Group defined for the port.
2. Select the Runtime tab to display the following read-only information:
Name: Displays the port’s current name.
MAC Address: Displays the port’s MAC Address. This value is read-only, set at the factory and cannot be modified.
Oper Status: Displays the link status of the port. The port status can be either Up or Down.
Speed: Displays the current speed of the data transmitted and received over the port.
Duplex: Displays the port as either half duplex, full duplex or Unknown.
3. Refer to the Statistics tab to display the following read-only information:
Name: Defines the port name.
Bytes In: Displays the total number of bytes received by the port.
Packets In: Displays the total number of packets received by the port.
Packets In Dropped: Displays the number of packets dropped by the port. If the number appears excessive, a different port could be required.
3. The Interface Statistics screen displays. This screen displays the following statistics for the selected port:
Name: Displays the port name.
MAC Address: Displays physical address information associated with the interface. This address is read-only (hard-coded at the factory) and cannot be modified.
Input Bytes: Displays the number of bytes received on the interface.
Output Total Packets: Displays the total number of packets transmitted from the interface.
Output Packets Dropped: Displays the number of transmitted packets dropped from the interface. Output Packets Dropped are packets dropped when the output queue of the device associated with the interface is saturated.
Output Packets Error: Displays the number of transmitted packets with errors.
• Input Bytes
• Input Pkts Dropped
• Output Pkts Total
• Output Pkts Error
• Input Pkts Total
• Input Pkts Error
• Output Pkts NUCast
• Input Pkts NUCast
• Output Bytes
• Output Pkts Dropped
3. Display any of the above by selecting the checkbox associated with it.
NOTE: You are not allowed to select (display) more than four parameters at any given time.
4. Click on the Close button to exit out of the screen.
3.2.
SWITCH NOTE: The PoE screen is only available on the RFS6000 switch. The RFS7000 switch does not have Power over Ethernet on any ports and will not display the PoE tab.
The PoE Global Configuration section displays the following power information.
Power Budget: Displays the total watts available for Power over Ethernet on the switch.
Power Consumption: Displays the total watts in use by Power over Ethernet on the switch.
Priority: Displays the priority mode for each of the PoE ports. The priority options are:
• Critical
• High
• Low
Limit (watts): Displays the power limit in watts for each of the PoE ports. The maximum power limit per port is 29.7 watts.
Power (watts): Displays each PoE port's power usage in watts.
Voltage (volts): Displays each PoE port's voltage in volts.
Current (mA): Displays each PoE port's current draw in milliamps.
3.3 Viewing Switch Configurations
Use the Configurations screen to review the configuration files available to the switch. The details of each configuration can be viewed individually. Optionally, edit the file to modify its name or use the file as the switch startup configuration. A file can be deleted from the list of available configurations or transferred to a user-specified location.
Modified: Displays the date and time each configuration file was last modified. Compare this column against the Created column to discern which files were modified and make informed decisions whether existing files should be further modified or deleted.
Path: Displays the path (location) to the configuration file.
2. To view the contents of a config file in detail, select a config file by selecting a row from the table and click the View button.
Use the up and down navigation facilities on the right-hand side of the screen to view the entire page.
3. The Page parameter displays the portion of the configuration file in the main viewing area. The total number of pages in the file is displayed to the right of the current page. The total number of lines in the file displays in the Status field at the bottom of the screen. Scroll to corresponding pages as required to view the entire contents of the file.
2. Refer to the Source field to define the location and address information for the source config file.
From: Select the location representing the source file’s current location using the From drop-down menu. Options include Server, Local Disk and Switch.
File: Specify a source file for the file transfer. If the switch is selected, the file used at startup automatically displays within the File parameter.
To view the firmware files available to the switch:
1. Select Switch > Firmware from the main menu tree.
2. Refer to the following information displayed within the Firmware screen:
Image: Displays whether a firmware image is the primary image or a secondary image. The primary image is typically the image loaded when the switch boots.
Version: Displays a unique alphanumeric version for each firmware file listed.
6. Click on the Update Firmware button to update the firmware file loaded onto the switch. For more information, see Updating the Switch Firmware.
NOTE: To apply a patch to the switch, follow the same instructions as for updating the switch’s firmware.
7. To remove a patch, select it from amongst those displayed within the Patch field and click the Remove Patch button.
3.4.
4. Refer to the Status field for the current state of the requests made from the applet. Requests are any “SET/GET” operation from the applet. The Status field displays error messages if something goes wrong in the transaction between the applet and the switch.
5. Click OK to save and add the changes to the running configuration and close the dialog.
3.4.
8. Enter the password for FTP server login in the Password field.
9. Enter the complete file path for the file that contains the firmware update in the Path field.
10. Click the Do Update button to initiate the update. A warning prompt displays. Upon confirming the firmware update, the switch reboots and completes the firmware update.
! CAUTION: When restarting or rebooting the switch, the Radius server is restarted regardless of its state before the reboot.
11.
2. Refer to the Source field to specify the details of the source file.
From: Use the From drop-down menu to select the source file’s current location. The options include Wireless Switch and Server. The following transfer options are possible:
• Wireless Switch to Wireless Switch
• Wireless Switch to Server
• Server to Wireless Switch
The parameters displayed in the Source and Target fields differ based on the above selection.
2. Use the Browse button to locate a target file for the file transfer.
3. Use the To drop-down menu (within the Target field) and select Wireless Switch. This defines the location of the file.
4. Use the Browse button to define a location for the transferred file.
5. Click the Transfer button to complete the file transfer.
6. The Message section in the main menu area displays the file transfer message.
7.
3-32 Motorola RF Switch System Reference 1. Refer to the Source field to specify the source file. Use the From drop-down menu and select Wireless Switch. 2. Use the Browse button and select a file for transfer. 3. Use the To drop-down menu (within the Target field) and select Server. This defines the transfer location of the configuration file. Enter the file location marked to store the transferred file. 4.
Switch Information 3-33 2. Provide the name of the File. 3. Use the Using drop-down menu to configure whether the file transfer is conducted using FTP, TFTP or HTTP. FTP transfers require a valid user ID and password. 4. Enter an IP Address of the server receiving the configuration file. Ensure the IP address is valid or risk jeopardizing the success of the file transfer. 5. Enter the User ID credentials required to transfer the configuration file from a FTP server. 6.
3-34 Motorola RF Switch System Reference • USB 2 SWITCH NOTE: USB 1 is available on the RFS6000 and RFS7000 switches. USB2 and Compact Flash are only available on the RFS7000 switch. Transfer files between the switch and the server from any one of the above mentioned locations. Since compact flash (CF) and USB are external memory locations, the File System window displays the status of these devices. Transfer files to compact flash and USB only if they are connected and available.
Switch Information 3-35 3.6 Configuring Automatic Updates Use the Automatic Updates screen to enable a facility that will poll a server address (you designate) when the switch is booted. If updates are found since the last time the switch was booted, the updated version is uploaded to the switch the next time the switch is booted. Enable this option for either the firmware, configuration file or cluster configuration file.
3-36 Motorola RF Switch System Reference Protocol Use the Protocol drop-down menu to specify the FTP, TFTP, HTTP, SFTP or resident switch FLASH medium used for the file update from the server. FLASH is the default setting. Password Enter the password required to access the server. SWITCH NOTE: In addition to the Protocols listed, on the RFS7000 users can also autoupdate using USB or Compact Flash. On the RFS6000 users can also auto-update using USB. 3.
Switch Information 3-37 5. Select the Start Update button to begin the file updates for the enabled switch configuration, cluster configuration or firmware facilities. 6. Click the Apply button to save the changes to the configuration. 7. Click the Revert button to revert back to the last saved configuration. 3.7 Viewing the Switch Alarm Log Use the Alarm Log screen as an initial snapshot for alarm log information.
3-38 Motorola RF Switch System Reference 4. Refer to the table within the Alarm Log screen for the following information: Index Displays the unique numerical identifier for trap events (alarms) generated in the system. Use the index to help differentiate an alarm from others with similar attributes. Status Displays the current state of the requests made from the applet. Requests are any “SET/GET” operation from the applet.
Switch Information 3-39 3. Refer to the Alarm Details and Alarm Message for the following information: Description Displays the details of the alarm log event. This information can be used in conjunction with the Solution and Possible Causes items to troubleshoot the event and determine how the event can be avoided in the future. Solution Displays a possible solution to the alarm event. The solution should be attempted first to rectify the described problem.
3-40 Motorola RF Switch System Reference 4. Refer to the Feature Licenses table for the following license specific information: Feature Name Displays the name of the feature either installed or upgraded on the switch. License Count Displays the number of licenses applied while entering the license key. License Usage Lists the number of license in use. Determine whether this number adequately represents the number of switches needed to deploy.
Switch Information 3-41 3.9 How to use the Filter Option Use the Filter Option to sort the display details of screen that employ the filtering option as a means of sorting how data is displayed within the screen. 1. Click the Show Filtering Option to expand the Filter Option zone, whenever it appears in any screen. 2. Enter the filter criteria as per the options provided in the Filter Option zone.
Network Setup
This chapter describes the Network Setup menu information used to configure the switch.

4.1 Displaying the Network Interface
The main Network interface displays a high-level overview of the configuration (default or otherwise) as defined within the Network main menu. Use the information to determine if items require additional configuration using the sub-menu items under the main Network menu item.

2. Refer to the following information to discern if configuration changes are warranted:
DNS Servers: Displays the number of DNS servers configured thus far for use with the switch. For more information, see Viewing Network IP Information on page 4-4.
IP Routes: Displays the number of IP routes for routing packets to a defined destination. For information on defining IP routes, see Configuring IP Forwarding on page 4-6.

4.2 Viewing Network IP Information
Use the Internet Protocol screen to view and configure network-associated IP details. The Internet Protocol screen contains tabs supporting the following configuration activities:
• Configuring DNS
• Configuring IP Forwarding
• Viewing Address Resolution
4.2.1 Configuring DNS
Use the Domain Name System tab to view server address information and delete or add servers to the list of servers available. To configure DNS:
1.

5. Click the Add button to display a screen used to add another domain name server. For more information, see Adding an IP Address for a DNS Server on page 4-5.
6. Click the Global Settings button to open a screen that allows the domain lookup to be enabled/disabled and the domain name to be specified. For more information, see Configuring Global Settings on page 4-5.
4.2.1.1 Adding an IP Address for a DNS Server
Add an IP address for a new domain server using the Add screen.
1.

2. Select the Domain Look Up checkbox to enable the switch to query domain name servers to resolve domain names to IP addresses.
NOTE: The order of lookup is determined by the order of the servers within the Domain Name System tab. The first server queried is the first server displayed.
3. Enter a Domain Name in the text field. This is the switch’s domain.
4. Refer to the Status field for the current state of the requests made from the applet.

Destination Subnet: Displays the mask used for destination subnet entries. The Subnet Mask is the IP mask used to divide internet addresses into blocks (known as subnets). A value of 255.255.255.0 will support 256 IP addresses.
Subnet Mask: Displays the mask used for destination subnet entries. The Subnet Mask is the IP mask used to divide internet addresses into blocks (known as subnets). A value of 255.255.255.0 will support 256 IP addresses.

2. In the Destination Subnet field, enter an IP address to route packets to a specific destination address.
3. Enter a subnet mask for the destination subnet in the Subnet Mask field. The Subnet Mask is the IP mask used to divide internet addresses into blocks known as subnets. A value of 255.255.255.0 supports 256 IP addresses.
4. In the Gateway Address field, enter the IP address of the gateway used to route the packets to the specified destination subnet.

3. Refer to the Address Resolution table for the following information:
Interface: Displays the name of the actual interface where the IP address was found (typically a VLAN).
IP Address: Displays the IP address being resolved.
MAC Address: Displays the MAC address corresponding to the IP address being resolved.
Type: Defines whether the entry was added statically or created dynamically in response to network traffic. Entries are typically static.
4.
4.3 Viewing and Configuring Layer 2 Virtual LANs
A virtual LAN (VLAN) is similar to a Local Area Network (LAN); however, devices do not need to be physically connected to the same segment. Devices operate as if connected to the same LAN, but could be connected at different physical points across the LAN segment. The VLAN can be connected at various physical points but reacts as if it were connected directly.

Allowed VLANs: Displays the VLAN tags allowed on this interface.
Native VLAN Tagged: Displays whether the Native VLAN for each port is tagged or not. The column displays a green check mark if the Native VLAN is tagged. If the Native VLAN is not tagged, the column displays a red “x”. A Native VLAN is the VLAN over which untagged traffic is directed when a port is in trunk mode.

5. Use the Edit screen to modify the following:
Name: A read-only field displaying the name of the Ethernet interface with which the VLAN is associated.
Mode: Use the drop-down menu to select the mode. It can be either:
• Access: This Ethernet interface accepts packets only from the native VLANs. If this mode is selected, the Allowed VLANs field is unavailable.
• Trunk: The Ethernet interface allows packets from the given list of VLANs you can add to the trunk.

3. Highlight an existing VLAN and click the Edit button. The system displays a Port VLAN Change Warning message. Be advised, changing VLAN designations could disrupt access to the switch.
4. Click OK to continue. A new window displays wherein the VLAN assignments can be modified for the selected VLAN.

SWITCH NOTE: The ports available vary by switch. On the RFS6000, the available ports are ge1, ge2, ge3, ge4, ge5, ge6, ge7, ge8 and up1. On the RFS7000, the available ports are ge1, ge2, ge3 and ge4.
5. Change VLAN port designations as required.
6. Click OK to apply the changes to the running configuration and close the dialog.
7. Click Cancel to close the dialog without committing updates to the running configuration.
4.

The following configuration details display in the table:
Name: Displays the name of the virtual interface.
VLAN ID: Displays the VLAN ID associated with the interface.
DHCP Enabled: Displays whether the DHCP client is enabled or not. A green check mark indicates the DHCP client is enabled for the interface. A red X means the interface is disabled.
Primary IP Address: Displays the IP address for the virtual interface.

5. Click the Add button to add a new configuration to the switch virtual interface. For more information, see Adding a Virtual Interface on page 4-16.
6. Select an interface and click the Startup button to invoke the selected interface the next time the switch is booted.
7. Select an interface and click the Shutdown button to disable the selected interface.
4.4.1.1 Adding a Virtual Interface
To add a new switch virtual interface:
1.

9. Refer to the Status field for the current state of the requests made from the applet. This field displays error messages if something goes wrong in the transaction between the applet and the switch.
10. Click OK to apply the changes to the running configuration and close the dialog.
11. Click Cancel to close the dialog without committing updates to the running configuration.
4.4.1.2 Modifying a Virtual Interface
To modify an existing virtual interface:

8. Use the Secondary IP Addresses field to define or modify additional IP addresses to associate with VLAN IDs. The addresses provided are used if the primary IP address is unreachable. Select the Add button (within the Secondary IP Addresses field) to define or modify additional addresses from a sub-screen. Select an existing secondary address and select Edit or Delete to revise or remove a secondary address as needed.
9.

Packets In Dropped: Displays the number of dropped packets coming into the interface. Packets are dropped if:
1. The input queue for the hardware device/software module handling the interface definition is saturated/full.
2. Overruns occur when the interface receives packets faster than it can transfer them to a buffer.
Packets In Error: Displays the number of error packets coming into the interface.
• Runt frames: Packets shorter than the minimum Ethernet frame length (64 bytes).
3. The Interface Statistics screen displays with the following content:
Name: Displays the title of the logical interface selected.
MAC Address: Displays physical address information associated with the interface. This address is read-only (hard-coded at the factory) and cannot be modified.
Input Bytes: Displays the number of bytes received by the interface.

Output Packets Dropped: Displays the number of transmitted packets dropped at the interface. Output packets are dropped when the output queue of the physical device associated with the interface is saturated.
Output Packets Error: Displays the number of transmitted packets with errors. Output packet errors are the sum of all the output packet errors, malformed packets and misaligned packets received on an interface.
4.

NOTE: Only four parameters may be selected at any given time.
4. Refer to the Status field for the current state of the requests made from the applet. This field displays error messages if something goes wrong in the transaction between the applet and the switch.
5. Click Close to close the dialog.
4.5 Viewing and Configuring Switch WLANs
A wireless LAN (WLAN) is a local area network (LAN) without wires.

updates to a WLAN’s description and its current authentication and encryption schemes. Be careful to properly map BSS WLANs and security schemes.
SWITCH NOTE: The RFS6000 supports a maximum of 32 WLANs. The RFS7000 supports a maximum of 256 WLANs.
To configure a WLAN:
1. Select Network > Wireless LANs from the main menu tree.
2. Click the Configuration tab. The Configuration tab displays the following details:
Index: Displays the WLAN’s numerical identifier.

Authentication: Displays the type of authentication used with the specified WLAN. Click the Edit button to modify the WLAN’s current authentication scheme. For information on configuring an authentication scheme for a WLAN, see Configuring Authentication Types on page 4-33.
Encryption: Displays the type of wireless encryption used on the specified WLAN. When no encryption is used, the field displays none.

MU Proxy ARP handling: Enables Proxy ARP handling for MUs. Proxy ARP is provided for MUs in PSP mode whose IP address is known. The WLAN generates an ARP reply on behalf of an MU if the MU’s IP address is known. The ARP reply contains the MAC address of the MU (not the MAC address of the WLAN module). Thus, the MU does not need to wake up to send ARP replies (helping to increase battery life and conserve bandwidth).

MU Rate Limiting Down: Enter a downstream rate limit in kbps for all MUs associated with the switch across all WLANs.
MU Load Balance Mode: Configure a method for distributing traffic across MUs using the MU Load Balancing Mode. Select Count to set load balancing based on the number of MUs. Select By Throughput to set load balancing based on the total throughput of MUs.
4.5.1.

The Wireless LANs Edit screen is divided into the following user-configurable fields:
• Configuration
• Authentication
• Encryption
• Advanced
5. Refer to the Configuration field to define the following WLAN values:
ESSID: Displays the Extended Service Set ID (ESSID) associated with each WLAN. If changing the ESSID, ensure the value used is unique.
Description: If editing an existing WLAN, ensure its description is updated accordingly to best describe the intended function of the WLAN.

Independent Mode (AAP Only): Determines whether the WLAN is functioning as an independent or extended WLAN with regard to its support of adaptive AP (AAP) operation. Select the checkbox to designate the WLAN as independent and prevent traffic from being forwarded to the switch. Independent WLANs behave like WLANs on a standalone Access Point.

6. Refer to the Authentication field to select amongst the following options:
802.1X EAP: A Radius server is used to authenticate users. For detailed information on configuring EAP for the WLAN, see Configuring 802.1x EAP on page 4-33.
Kerberos: A Kerberos server is used to authenticate users. For detailed information on configuring Kerberos for the WLAN, see Configuring Kerberos on page 4-34.
Hotspot: A Hotspot is used to authenticate users in a unique network segment (hotspot).

8. Refer to the Advanced field for the following information:
Accounting Mode: If using a Syslog server to conduct accounting for the switch, select the Syslog option from the Accounting Mode drop-down menu. Once selected, a Syslog Config button is enabled at the bottom of the Network > Wireless LANs > Edit screen. Use this sub-screen to provide the IP address and port of the Syslog server performing the accounting function.

MCast Addr 2: The second address also takes packets (where the first 4 bytes match the first 4 bytes of the mask) and sends them immediately over the air instead of waiting for the DTIM period. Any multicast/broadcast that does not match this mask goes out only on DTIM intervals.
NAC Mode: Using Network Access Control (NAC), the switch only grants access to specific network resources. NAC restricts access to only compliant and validated devices (printers, phones, PDAs etc.

6. Configure the Multiple VLAN Mapping for WLAN table as required to add or remove multiple VLANs for the selected WLAN. Multiple VLANs per WLAN are mapped (by default) to a regular VLAN and are not supported on an adaptive AP. Refer to Editing the WLAN Configuration on page 4-26 to select and define an independent VLAN for adaptive AP support.
VLAN: Displays the VLANs currently mapped to the WLAN. By default, VLAN 1 is configured for any selected WLAN.
4.5.1.3 Configuring Authentication Types
Refer to the following to configure the WLAN authentication options available on the switch:
• Configuring 802.1x EAP
• Configuring Kerberos
• Configuring Hotspots
• Configuring an Internal Hotspot
• Configuring an External Hotspot
• Configuring an Advanced Hotspot
• Configuring an Advanced Hotspot (Using the Local Radius Server)
• Managing Hotspot Files
• Custom Pages
• Configuring MAC Authentication
Configuring 802.1x EAP
The IEEE 802.

5. Define MU timeout and retry information for the authentication server.
MU Timeout: Define the time (between 1 and 60 seconds) for the switch’s retransmission of EAP-Request packets. The default is 5 seconds.
MU Max Retries: Specify the maximum number of times the switch retransmits an EAP-Request frame to the client before it times out the authentication session. The default is 3 retries, with a maximum of 100 supported.
6.

6. Specify a case-sensitive Realm Name. The realm name is the domain/realm name of the KDC server. A realm name functions similarly to a DNS domain name. In theory, the realm name is arbitrary. However, in practice a Kerberos realm is named by uppercasing the DNS domain name associated with hosts in the realm.
7. Provide the password required to update Kerberos authentication credentials.
8.

2. External Web pages
3. Customized internal Web page (using the Advanced feature in hotspot configuration)
When a user visits a public hotspot and wants to browse a Web page, they boot up their laptop and associate with the local Wi-Fi network by entering the correct SSID. They then start a browser.

see Configuring an Advanced Hotspot on page 4-43.
NOTE: The appearance of the Hotspot screen differs depending on which option is selected from the drop-down menu. You may want to research the options available before deciding which hotspot option to select.
NOTE: As part of the hotspot configuration process, ensure a primary and optional secondary Radius server have been properly configured to authenticate the users requesting access to the hotspot-supported WLAN.

4. Click the Login tab and enter the Title, Header, Footer, Small Logo URL, Main Logo URL and Descriptive Text you would like to display when users log in to the switch-maintained hotspot.
Title Text: Displays the HTML text displayed on the Welcome page when using the switch’s internal Web server. This option is only available if Internal is chosen from the drop-down menu.

Main Logo URL: Displays the URL for the main logo image displayed on the Failed page when using the switch’s internal Web server. This option is only available if Internal is chosen from the drop-down menu above.
Descriptive Text: Specify any additional text containing instructions or information for the users who access the Failed page. This option is only available if Internal is chosen from the drop-down menu above.

Main Logo URL: The Main Logo URL is the URL for the main logo image displayed on the Failed page when using the internal Web server. This option is only available if Internal is chosen from the drop-down menu above.
Descriptive Text: Specify any additional text containing instructions or information for the users who access the Failed page on the internal Web server. This option is only available if Internal is chosen from the drop-down menu above.

4. Refer to the External Web Pages field and provide the Login, Welcome and Failed Page URLs used by the external Web server to support the hotspot.
Login Page URL: Define the complete URL for the location of the Login page. The Login screen prompts the hotspot user for a username and password to access the Welcome page. Ensure the RADIUS server port number is included in the URL using the following format: https://192.168.0.70:444/wlan2/login.

Welcome Page URL: Define the complete URL for the location of the Welcome page. The Welcome page assumes the hotspot user has logged in successfully and can access the Internet. Ensure the RADIUS server port number is included in the URL using the following format: https://192.168.0.70:444/wlan2/login.html
Failed Page URL: Define the complete URL for the location of the Failed page.
Configuring an Advanced Hotspot
A customer may wish to use advanced Web content (XML, Flash) but might not have (or would not want to use) an external Web server, choosing instead to host the Web pages on the switch's HTTP Web server. Selecting the Advanced option allows the Web pages to be imported from an external source (like an FTP server) and hosted on the switch. To use the Advanced option to define the hotspot:
1. Select Network > Wireless LANs from the main menu tree.
2.

NOTE: Advanced hotspot configuration is not possible using the switch Web UI. Refer to the switch CLI or other advanced configuration options to define a hotspot with advanced properties. However, the switch can still install and maintain directories containing Web page content.
5. Once the properties of the advanced hotspot have been defined, the file can be installed on the switch and used to support the hotspot.

6. Ensure Advanced is selected from within the "This WLAN’s Web Pages are of" drop-down menu. Define the advanced hotspot configuration following step 5 onward in Configuring an Advanced Hotspot on page 4-43.
NOTE: For information on configuring external Radius server support for an advanced hotspot, see Configuring External Radius Server Support on page 4-49.
7. Use the switch CLI to define the attributes of the local Radius server configuration.

ca trust-point ESELAB
server trust-point ESELAB
group "Guests"
guest-group enable
policy vlan 70
policy wlan 2
!
radius-server local
rad-user "guest" password 0 password group "Guests" guest expiry-time 20:27 expiry-date 11:17:2009 start-time 20:27 start-date 11:16:2008

Managing Hotspot Files
When creating a new hotspot, the switch builds a directory in flash named hotspot with a subdirectory named wlanX (where X is the WLAN ID).

RFS6000#dir flash:/hotspot/wlan2/
Directory of flash:/hotspot/wlan2/
-rw   6383  Wed Sep 24 12:44:09 2008  header_bg.png
-rw  18320  Wed Sep 24 12:23:21 2008  bg_nav.jpg
-rw   2456  Wed Sep 24 12:39:28 2008  logo.png
-rw   1512  Wed Sep 24 12:38:16 2008  fail.html
-rw   3866  Wed Sep 24 12:23:20 2008  bg_footer.jpg
-rw   1601  Wed Sep 24 12:38:15 2008  welcome.html
-rw    672  Wed Sep 24 12:23:20 2008  bg_body.jpg
-rw   2688  Wed Sep 24 12:21:50 2008  mainstyle.css
-rw   2608  Wed Sep 24 12:38:15 2008  login.

Failed Page
The failed page is presented to users who fail authentication or enter incorrect login information. On this page you can include support information, a link to sign up for service (assuming the external server is included in the allowed list) as well as a URL to re-attempt authentication.
• Middle Dash delimiter: The 12-digit MAC address is in a format separated in the middle by a dash.
7. Click OK to apply the changes to the running configuration and close the dialog.
8. Click Cancel to close the dialog without committing updates to the running configuration.
Configuring External Radius Server Support
If either the EAP 802.1x, Hotspot or Dynamic MAC ACL options have been selected as an authentication scheme for a WLAN, the Radius Config...

The Radius Configuration screen contains tabs for defining both the Radius and NAC server settings. For NAC overview and configuration information, see Configuring NAC Server Support on page 4-53.
6. Refer to the Server field and define the following credentials for a primary and secondary Radius server.
RADIUS Server Address: Enter the IP address of the primary and secondary server acting as the Radius user authentication data source.

Server Retries: Enter a value between 1 and 100 to indicate the number of times the switch attempts to reach the primary or secondary Radius server before giving up.
Dynamic Authorization: Authorization amongst the Radius servers is conducted dynamically as they connect and disconnect periodically.
NOTE: The Radius or NAC server’s Timeout and Retries should be less than what is defined for an MU’s timeout and retries.

11. Click Cancel to revert to the last saved configuration and move back to the Network > Wireless LANs > Edit screen.
Configuring an External Radius Server for Optimal Switch Support
The switch’s external Radius server should be configured with Motorola RF Switch-specific attributes to best utilize the user privilege values assignable by the Radius server.

3. Specify multiple access sources by using different values. The privilege values can be ORed and specified once. For example, if a user needs access from both the console and Web, configure the Radius server with the 100 attribute twice, once with value 128 for console and once with value 16 for Web access.
Configuring NAC Server Support
There is an increasing proliferation of insecure devices (laptops, mobile computers, PDAs, smart-phones) accessing WiFi networks.
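The two equivalent ways of sending the privilege values in step 3 above (attribute 100 sent twice, or once with the values ORed), worked through as an added example that is not code from the guide: a decoder that accepts either form and reports any bit this page does not document. Only the values 128 (console) and 16 (Web) come from the guide; the function names and the sample replies are this example's own.

```python
"""Combine and decode Motorola RF Switch privilege values (RADIUS attribute 100).

Added example, not taken from the guide. The attribute number (100) and the
two values it documents (128 = console, 16 = Web) come from the page; the
names and the sample replies below are constructed for illustration.
"""

PRIVILEGE_ATTRIBUTE = 100

# Access sources the page documents for attribute 100, as bit values.
PRIVILEGE_BITS = {
    "console": 128,
    "web": 16,
}


def combine_privileges(sources):
    """OR the bit values of the given access sources into one attribute value.

    This is the "ORed and specified once" form the guide mentions.
    """
    value = 0
    for source in sources:
        if source not in PRIVILEGE_BITS:
            raise ValueError(f"unknown access source: {source!r}")
        value |= PRIVILEGE_BITS[source]
    return value


def decode_privileges(values):
    """Decode one or more attribute-100 values into (granted sources, unknown bits).

    Works for both forms the guide describes: the attribute sent once per
    source, or once with all sources ORed together. Bits that are not
    documented on this page are returned separately so a reviewer can
    spot a value that grants something unexpected.
    """
    combined = 0
    for value in values:
        combined |= int(value)
    granted = {name for name, bit in PRIVILEGE_BITS.items() if combined & bit}
    documented = 0
    for bit in PRIVILEGE_BITS.values():
        documented |= bit
    unknown_bits = combined & ~documented
    return granted, unknown_bits


def privileges_from_reply(attributes):
    """Extract every attribute-100 value from a reply given as (type, value) pairs.

    The list-of-pairs form stands in for a parsed Access-Accept; it is this
    example's own representation, not the switch's.
    """
    values = [value for attr_type, value in attributes if attr_type == PRIVILEGE_ATTRIBUTE]
    return decode_privileges(values)


if __name__ == "__main__":
    # Constructed replies: attribute 100 sent twice, and the same grant ORed once.
    sent_twice = [(PRIVILEGE_ATTRIBUTE, 128), (PRIVILEGE_ATTRIBUTE, 16)]
    sent_once = [(PRIVILEGE_ATTRIBUTE, combine_privileges(["console", "web"]))]
    print(privileges_from_reply(sent_twice))  # ({'console', 'web'}, 0)
    print(privileges_from_reply(sent_once))   # same result
```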
7. Refer to the Server field and define the following credentials for a primary and secondary NAC server.
NAC Server Address: Enter the IP address of the primary and secondary NAC server.
NAC Server Port: Enter the TCP/IP port number for the primary and secondary server. The default port is 1812.
NAC Shared Secret: Provide a shared secret (password) for user credential authentication with the primary or secondary NAC server.

CAUTION: The server’s Timeout and Retries should be less than what is defined for an MU’s timeout and retries. If the MU’s time is less than the server’s, a fallback to the secondary server will not work.
8. Refer to the Accounting field and define the following credentials for a primary and secondary NAC server.
Accounting Server Address: Enter the IP address of the primary and secondary server acting as the NAC accounting server.
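A sanity check for the rule stated in this CAUTION and in the NOTE under Server Retries on page 4-51, written as an added example rather than anything the switch provides: it compares the Radius or NAC server's timeout and retries with the MU's and explains why fallback to the secondary server would not complete. The MU ranges and defaults (1 to 60 seconds, default 5; default 3 retries, maximum 100) and the server retry range (1 to 100) come from the guide; treating timeout multiplied by retries as a time budget, and assuming the secondary server uses the same timeout and retries as the primary, are this example's assumptions.

```python
"""Check Radius/NAC server timeout and retries against the MU's settings.

Added example, not part of the guide. The guide's rule: the server's Timeout
and Retries should be less than the MU's, otherwise fallback to the secondary
server cannot happen before the MU gives up. Ranges and defaults used here:
MU timeout 1 to 60 s (default 5), MU max retries default 3 (maximum 100),
server retries 1 to 100. Treating timeout x retries as a time budget and
assuming the secondary server is configured like the primary are this
example's own assumptions, not formulas the guide gives.
"""

MU_TIMEOUT_RANGE = (1, 60)
MU_RETRIES_RANGE = (1, 100)      # lower bound assumed; the guide gives only the maximum
SERVER_RETRIES_RANGE = (1, 100)
MU_DEFAULTS = {"timeout": 5, "retries": 3}


def _in_range(value, bounds):
    low, high = bounds
    return low <= value <= high


def check_failover_budget(mu_timeout, mu_retries, server_timeout, server_retries):
    """Return a list of findings; an empty list means the settings are consistent.

    The range checks catch values the UI would reject; the comparison checks
    apply the guide's rule directly; the budget check (assumption) shows
    whether the secondary server can finish its retries before the MU's own
    authentication session times out.
    """
    findings = []
    if not _in_range(mu_timeout, MU_TIMEOUT_RANGE):
        findings.append(f"MU timeout {mu_timeout}s is outside 1-60 seconds")
    if not _in_range(mu_retries, MU_RETRIES_RANGE):
        findings.append(f"MU retries {mu_retries} is outside 1-100")
    if not _in_range(server_retries, SERVER_RETRIES_RANGE):
        findings.append(f"server retries {server_retries} is outside 1-100")
    if server_timeout >= mu_timeout:
        findings.append(
            f"server timeout {server_timeout}s is not less than MU timeout {mu_timeout}s"
        )
    if server_retries >= mu_retries:
        findings.append(
            f"server retries {server_retries} is not less than MU retries {mu_retries}"
        )
    # Assumption: the switch exhausts the primary's retries, then the
    # secondary's, and both servers share the same timeout and retry count.
    per_server_budget = server_timeout * server_retries
    both_servers_budget = 2 * per_server_budget
    mu_budget = mu_timeout * mu_retries
    if both_servers_budget >= mu_budget:
        findings.append(
            f"primary plus secondary need {both_servers_budget}s but the MU "
            f"session allows {mu_budget}s, so fallback to the secondary cannot complete"
        )
    return findings


if __name__ == "__main__":
    # Constructed settings: MU defaults against a 2 s / 1 retry server (consistent),
    # then against a server configured with the same values as the MU (every rule violated).
    print(check_failover_budget(MU_DEFAULTS["timeout"], MU_DEFAULTS["retries"], 2, 1))
    print(check_failover_budget(MU_DEFAULTS["timeout"], MU_DEFAULTS["retries"], 5, 3))
```

A server of 4 seconds and 2 retries passes both of the guide's comparisons against the MU defaults yet still fails the budget check, which is the case the rule alone does not make visible.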
• Configuring WEP 64
• Configuring WEP 128 / KeyGuard
• Configuring WPA/WPA2 using TKIP and CCMP
Configuring WEP 64
Wired Equivalent Privacy (WEP) is a security protocol specified in the IEEE Wireless Fidelity (Wi-Fi) standard. WEP is designed to provide a WLAN with a level of security and privacy comparable to that of a wired LAN.

6. Use the Key #1-4 areas to specify key numbers. The key can be either hexadecimal or ASCII. For WEP 64 (40-bit key), the keys are 10 hexadecimal characters in length or 5 ASCII characters. Select one of these keys for activation by clicking its radio button. Default (hexadecimal) keys for WEP 64 include:
Key 1: 1011121314
Key 2: 2021222324
Key 3: 3031323334
Key 4: 4041424344
7.

5. Specify a 4 to 32 character Pass Key and click the Generate button. The pass key can be any alphanumeric string. The switch and Motorola MUs use the same algorithm to convert the ASCII string to the same hexadecimal number. MUs without Motorola adapters need to use WEP keys manually configured as hexadecimal numbers.
6. Use the Key #1-4 areas to specify key numbers. The key can be either hexadecimal or ASCII.
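An added check for the Key #1-4 formats described in step 6 here and on page 4-57 (not code from the guide): it validates that each slot holds a correctly sized hexadecimal or ASCII key, normalizes ASCII keys to hexadecimal, and flags any slot still holding one of the default keys printed on page 4-57 or a duplicate of another slot. The WEP 128 lengths (26 hexadecimal or 13 ASCII characters) are standard values assumed here, since this page states only the WEP 64 lengths; the pass-key generation algorithm is Motorola's own and is not reproduced.

```python
"""Validate WEP key slots and flag the guide's documented default keys.

Added example, not part of the guide. WEP 64 lengths (10 hex / 5 ASCII) and
the four default keys come from the page; the WEP 128 lengths (26 hex /
13 ASCII) are the standard values and are assumed here.
"""

# (hexadecimal characters, ASCII characters) per key for each scheme.
KEY_LENGTHS = {
    "wep64": (10, 5),    # 40-bit key, from the page
    "wep128": (26, 13),  # 104-bit key, standard value (assumption)
}

# Default hexadecimal keys the guide prints for WEP 64. A slot still holding
# one of these protects nothing, since the values are published.
DEFAULT_WEP64_KEYS = frozenset({
    "1011121314",
    "2021222324",
    "3031323334",
    "4041424344",
})

HEX_DIGITS = frozenset("0123456789abcdefABCDEF")


def normalize_key(key, scheme="wep64"):
    """Return the key as lowercase hexadecimal.

    A key of the hexadecimal length is taken as hex; one of the ASCII length is
    encoded byte-wise. The two lengths never coincide, so there is no ambiguity.
    Raises ValueError for anything else.
    """
    hex_len, ascii_len = KEY_LENGTHS[scheme]
    if len(key) == hex_len:
        if all(ch in HEX_DIGITS for ch in key):
            return key.lower()
        raise ValueError(f"{hex_len}-character key contains non-hexadecimal characters")
    if len(key) == ascii_len:
        if key.isascii() and key.isprintable():
            return key.encode("ascii").hex()
        raise ValueError(f"{ascii_len}-character key must be printable ASCII")
    raise ValueError(f"key must be {hex_len} hexadecimal or {ascii_len} ASCII characters")


def audit_key_slots(keys, active_key, scheme="wep64"):
    """Check the four Key #1-4 slots and return a list of findings (empty = OK).

    keys: list of four key strings, slot 1 first; active_key: 1..4 as chosen
    by the radio button. Reports malformed keys, default keys and duplicates.
    """
    findings = []
    if len(keys) != 4:
        findings.append(f"expected 4 key slots, got {len(keys)}")
    if not 1 <= active_key <= 4:
        findings.append(f"active key {active_key} is not a slot number 1-4")
    seen = {}
    for slot, key in enumerate(keys, start=1):
        try:
            hexkey = normalize_key(key, scheme)
        except ValueError as err:
            findings.append(f"key {slot}: {err}")
            continue
        if scheme == "wep64" and hexkey in DEFAULT_WEP64_KEYS:
            findings.append(f"key {slot}: documented default key still in use")
        if hexkey in seen:
            findings.append(f"key {slot}: duplicates key {seen[hexkey]}")
        else:
            seen[hexkey] = slot
    return findings


if __name__ == "__main__":
    # Constructed configuration: the guide's defaults left in all four slots.
    defaults_in_order = ["1011121314", "2021222324", "3031323334", "4041424344"]
    for finding in audit_key_slots(defaults_in_order, 1):
        print(finding)
```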
Network Setup 4-59 Configuring WPA/WPA2 using TKIP and CCMP Wi-Fi Protected Access (WPA) is a robust encryption scheme specified in the IEEE Wireless Fidelity (Wi-Fi) standard, 802.11i. WPA provides more sophisticated data encryption than WEP. WPA is designed for corporate networks and small-business environments where more wireless traffic allows quicker discovery of encryption keys by an unauthorized person. WPA's encryption method is Temporal Key Integrity Protocol (TKIP).
4-60 Motorola RF Switch System Reference Guide 5. Select the Broadcast Key Rotation checkbox to enable periodically changing the broadcast key for this WLAN. Only broadcast key changes when required by associated MUs to reduce the transmissions of sensitive key information. This value is enabled by default. 6. Refer to the Update broadcast keys every field to specify a time period (in seconds) for broadcasting encryption-key changes to MUs.
Network Setup 4-61 Opportunistic Key Caching Opportunistic Key Caching allows the switch to use a PMK derived with a client on one Access Port with the same client when it roams over to another Access Port. Upon roaming, the client does not have to conduct 802.1x authentication and can start sending/receiving data sooner. Pre-Authentication Selecting the Pre-Authentication option enables an associated MU to carry out an 802.1x authentication with another switch (or device) before it roams to it.
4-62 Motorola RF Switch System Reference Guide 3. Refer to the following details displayed within the table: Last 30s Click the Last 30s radio button to display statistics for the WLAN over the last 30 seconds. This option is helpful when troubleshooting issues as they actually occur. Last Hr Click the Last Hr radio button to displays statistics for the WLAN over the last 1 hour. This metric is helpful in baselining events over a one hour interval.
3. Select a WLAN from the table displayed in the Statistics screen, and click the Details button. The Details screen displays the WLAN statistics of the selected WLAN. The Details screen contains the following fields: • Information • Traffic • RF Status • Errors Information in black represents the statistics from the last 30 seconds and information in blue represents statistics from the last hour. 4.
5. Refer to the Traffic field for the following information (both received and transmitted): Pkts per second Displays the average total packets per second that cross the selected WLAN. The Rx column displays the average total packets per second received on the selected WLAN. The Tx column displays the average total packets per second sent on the selected WLAN.
4.5.2.2 Viewing WLAN Statistics in a Graphical Format The switch Web UI continuously collects WLAN statistics even when the graph is not displayed. Periodically display the WLAN statistics graph for the latest WLAN throughput and performance information. To view detailed graphical statistics for a WLAN: 1. Select a WLAN from the table displayed in the Statistics screen. 2. Click the Graph button. The WLAN Statistics screen displays for the selected port.
• Avg Retries • Avg SNR (dB) • # Radios NOTE: You cannot select (and trend) more than four parameters at any given time. 3. Select any of the above listed parameters by clicking on the checkbox associated with it. 4. Click the Close button to exit the screen. 4.5.2.3 Viewing WLAN Switch Statistics The Switch Statistics screen displays the sum of all WLAN statistics.
rate, then perhaps the switch is not adequately positioned or configured to support the MUs within that WLAN. NOTE: The Motorola RF Management Software is recommended to plan the deployment of the switch. Motorola RFMS can help optimize the positioning and configuration of a switch with respect to a WLAN’s MU throughput requirements. For more information, refer to the Motorola Web site. 5.
Description Displays a brief description of the WLAN. WLAN enabled Displays the status of the WLAN. A Green check defines the WLAN as enabled and a Red "X" means it is disabled. The enable/disable setting can be defined using the WLAN Configuration screen. WMM enabled Displays WLAN-WMM status. It can be enabled (for a WLAN) from the WLAN Configurations Edit screen by selecting the Enable WMM checkbox.
With a drastic increase in bandwidth-absorbing network traffic (VOIP, multimedia etc.), data prioritization is critical to effective network management. Refer to the following fields within the QoS Mapping screen to optionally revise the existing settings with respect to the data traffic requirements for this WLAN. Access Category to 802.1p Optionally revise the 802.1p Prioritization for each access category to prioritize the network traffic expected on this WLAN.
4.5.3.1 Editing WMM Settings WLAN WMM configuration affects your upstream traffic parameters. Use Configuring WMM on page 4-110 to configure downstream traffic parameters. Use the WMM Edit screen to modify existing Access Category settings for the WLAN selected within the WMM screen. This could be necessary in instances when data traffic has changed and high-priority traffic (video and voice) must be accounted for by modifying AIFSN Transmit Ops and CW values.
AIFSN Define the current Arbitrary Inter-frame Space Number (AIFSN). Higher-priority traffic categories should have lower AIFSNs than lower-priority traffic categories. This causes lower-priority traffic to wait longer before trying to access the medium. Transmit Ops Define the maximum duration a device can transmit after obtaining a transmit opportunity. For higher-priority traffic categories, this value should be set to a low number.
• Conduct a NAC check for MUs connecting to the WLAN and additionally exclude specific MUs by attaching an exclude list to the WLAN. • Do not perform NAC validation for MUs connecting to the WLAN. • Include a few MUs for NAC validation and bypass the rest of the MUs. To view the attributes of a NAC Include list: 1. Select Network > Wireless LANs from the main menu tree. 2.
8. To delete any list configuration for a particular device, select the row from the List Configuration section and click on the Delete button. 4.5.4.1 Adding an Include List to a WLAN To add a device to a WLAN’s include list configuration: 1. Select Network > Wireless LANs from the main menu tree. 2. Select the NAC Include tab to view and configure NAC Include enabled devices. 3. Click on the Add button in the Include Lists area. 4.
4. Enter the Host Name for the device you wish to add. 5. Enter a valid MAC Address of the device you wish to add. 6. Optionally, enter the MAC Mask for the device you wish to add. 7. Refer to the Status field. It displays the current state of the requests made from the applet. Requests are any “SET/GET” operation from the applet. The Status field displays error messages if something goes wrong in the transaction between the applet and the switch. 8.
4.5.5 Configuring the NAC Exclusion List The switch provides a means to bypass NAC for 802.1x devices without a NAC agent. For Motorola handheld devices (like the MC9000), authentication is achieved using an exclusion list. A list of MAC addresses (called an exclusion list) can be added to each WLAN. Each has a separate configuration for the Radius server (which only conducts EAP authentication). An exclusion list is a global index-based configuration.
entries maximum per list. For more information, see Configuring Devices on the Exclude List on page 4-76. 5. The Configured WLANs field displays the available switch WLANs. Associate a list item in the Exclude Lists field with multiple WLANs. For information on mapping NAC Exclude list’s items to WLANs, see Mapping Exclude List Items to WLANs on page 4-77. 6. To delete a device, select a device from the Exclude List and click the Delete button. 7.
4. The List Name displays the read-only name of the list for which you wish to add more devices. 5. Enter the Host Name for the device you wish to add for the selected exclude list. 6. Enter a valid MAC Address for the device you wish to add. 7. Optionally, enter the MAC Mask for the device you wish to add. 8. Refer to the Status field. It displays the current state of the requests made from the applet. Requests are any “SET/GET” operation from the applet.
4. Map the selected list item with as many WLANs as needed (by selecting the WLAN’s checkbox). Use the Select All button to associate each WLAN with the selected list item. 5. To remove the WLAN Mappings, select the Deselect All button to clear the mappings. 6. Refer to the Status field for a display of the current state of the requests made from the applet. Requests are any “SET/GET” operation from the applet.
2. Add a host entry to the include list. This adds a specified MAC entry/MAC range into the client’s include list.
RF Switch(config-wireless-client-list) #station pc1 AA:BB:CC:DD:EE:FF
RF Switch(config-wireless-client-list) #
3. Associate the include list to a WLAN. This adds the client’s include list into the WLAN.
RF Switch(config-wireless-client-list) #wlan 1
RF Switch(config-wireless-client-list) #
4.5.6.2 Creating an Exclude List To create a NAC Exclude List: 1.
RF Switch(config-wireless) #wlan 1 nac-server secondary 192.168.1.20
RF Switch(config-wireless) #
d. Configure the secondary NAC Server’s Radius Key.
RF Switch(config-wireless) #wlan 1 nac-server secondary radius-key my secret-2
RF Switch(config-wireless) #
3. MUs not NAC authenticated use Radius for authentication. To configure the WLAN’s Radius settings: a. Configure the Radius server’s IP address.
4.6 Viewing Associated MU Details The Mobile Units screen displays read-only device information for MUs interoperating with the switch managed network. The Mobile Units screen consists of the following tabs: • Viewing MU Status • Configuring Mobile Units • Viewing MU Statistics • Viewing Voice Statistics NOTE: The Motorola RF Management Software is a recommended utility to plan the deployment of the switch and view its configuration once operational.
MAC Name Displays the MAC name associated with each MU's MAC Address. The MAC Name is a user created name used to identify individual mobile unit MAC Addresses with a user friendly name. IP Address Displays the unique IP address for the MU. Use this address as necessary throughout the applet for filtering and device intrusion recognition and approval. Ready Displays whether the MU is ready for switch interoperation. Values are Yes and No.
4. Refer to the following read-only MU transmit and receive statistics: MAC Address Displays the Hardware or Media Access Control (MAC) address for the MU. IP Address Displays the unique IP address for the MU. Use this address as necessary throughout the applet for filtering and device intrusion recognition and approval. Power Save Displays the current PSP state of the MU. This field has two potential settings. PSP indicates if the MU is operating in PSP mode.
Voice Displays whether or not the MU is a voice capable device. Traffic from a voice enabled MU is handled differently than traffic from MUs without this capability. MUs grouped to particular WLANs can be prioritized to transmit and receive voice traffic over data traffic. WMM Displays WMM usage status for the MU, including the Access Category currently in use.
MAC Address Each MU has a unique Media Access Control (MAC) address through which it is identified. This address is burned into the ROM of the MU. MAC Name The MAC Name is a user created name used to identify individual mobile unit MAC Addresses with a user friendly name. To edit an existing entry, double click the MAC Name and type in the new name. 4.
4.6.3 Viewing MU Statistics The Statistics screen displays read-only statistics for each MU. Use this information to assess if configuration changes are required to improve network performance. If a more detailed set of MU statistics is required, select a MU from the table and click the Details button. NOTE: The RFS6000 supports a maximum of 4096 MUs. The RFS7000 supports 8192 MUs. To view MU statistics details: 1.
WLAN Displays the name of the WLAN the MU is currently associated with. Use this information to determine if the MU/WLAN placement best suits the intended operation and MU coverage area. Throughput Mbps Displays the average throughput in Mbps between the selected MU and the Access Port. The Rx column displays the average throughput in Mbps for packets received on the selected MU from the Access Port.
Voice Displays whether the MU is a voice capable device. Traffic from voice enabled MUs is handled differently (higher priority) than traffic from MUs without this capability. WLAN Displays the name of the WLAN the MU is currently associated with. WMM Displays WMM usage status for the MU, including the access category currently in use.
1. Select Network > Mobile Units from the main menu tree. 2. Click the Statistics tab. 3. Select a MU from the table displayed in the Statistics screen and click the Graph button. 4. Select a checkbox to display that metric charted within the graph. Do not select more than four checkboxes at any one time. 5. Refer to the Status field for the current state of the requests made from the applet.
Media Control Displays the protocol for the control of Voice over IP (VoIP) calls by external call-control elements known as media gateway controllers (MGCs) or call agents (CAs). Call State Displays the call state of the MU’s call session. Call Codec Displays the call codec. Codec complexity refers to the amount of processing required to perform compression.
• Configuring Access Point Radio Bandwidth • Configuring Radio Groups for MU Load Balancing • Viewing Active Calls (VCAC) Statistics • Viewing Mesh Statistics • Smart RF • Voice Statistics 4.7.1 Configuring Access Port Radios Refer to the Configuration tab to view existing radio configurations available to the switch.
Adopted Displays the radio’s adoption status. If the radio is adopted, a green check displays. If the radio is not adopted, a red X displays. Parent AP MAC Address Displays the Access Port's Ethernet MAC (the device MAC address that is printed on the casing of the unit). Please do not confuse this BSSID MAC with the Access Port's Ethernet MAC address. MAC Address The Base Radio MAC is the radio's first MAC address when it is adopted by the Switch.
6. Click the Delete button to remove a radio. However, before a radio can be removed, the radio’s BSS mapping must be removed. 7. Click the Add button to add a radio. The radio must be added before the radio can be adopted. For more information, see Adding APs on page 4-101. 8. Click the Reset button to reset an individual radio. 9. Click the Tools > button to display a submenu with Reset, Run ACS and Export options. Select the Reset option to reset the Access Port radio.
4. Set an Adoption Preference ID value between 1 and 65535. To define a radio as preferred, the Access Port preference ID should be the same as the adoption preference ID. The adoption preference ID is used for AP load-balancing. A switch will preferentially adopt Access Ports having the same adoption-preference-id as the switch itself. The Adoption Preference ID defines the switch preference ID. The value can be between 1 and 65535.
7. Check the Use Default Values option checkbox to set the Username and Password to factory default values. The Access Port can get disconnected if the 802.1x authenticator is not configured accordingly. NOTE: 802.1x username and password information is only passed to adopted Access Ports when the Username and Password are set. Any AP adopted after this does not automatically receive a username and password.
5. The Switch field displays the IP address of the cluster member associated with each Access Port radio. When clustering is enabled on the switch and Cluster GUI is enabled, the Switch field will be available on the Access Port Radio edit screen. For information on enabling Cluster GUI, see Managing Clustering Using the Web UI. 6. In the Radio Descr. field, enter a brief description to differentiate the radio.
11. The following read-only information is displayed: MAC Address The Base Radio MAC is the radio's first MAC address when it is adopted by the Switch. Radio Type Radio type identifies whether the radio is an 802.11an radio or an 802.11bgn radio. Config Method The Config Method displays whether the radio has been configured using static or dynamic settings. 12. To add the radio to a Radio Group, enter the Group ID for the radio group you wish to add it to.
17. In most cases, the default settings for the Advanced Properties are sufficient. If needed, additional Advanced Properties can be modified for the following: Antenna Diversity Use the drop-down menu to configure the Antenna Diversity settings for Access Ports using external antennas. Options include: • Full Diversity - Utilizes both antennas to provide antenna diversity. • Primary Only - Enables only the primary antenna.
RTS Threshold Specify a Request To Send (RTS) threshold (in bytes) for use by the WLAN's adopted Access Ports. RTS is a transmitting station's signal that requests a Clear To Send (CTS) response from a receiving station. This RTS/CTS procedure clears the air where many MUs are contending for transmission time. Benefits include fewer data collisions and better communication with nodes that are hard to find (or hidden) because of other active nodes in the transmission path.
Self Healing Offset When an Access Port increases its power to compensate for a failure, power is increased to the country's regulatory maximum. Set the Self Healing Offset to reduce the country's regulatory maximum power if Access Ports are situated close to each other or if an Access Port uses an external antenna. DTIM Periods Select the DTIM periods button to specify a period for Delivery Traffic Indication Messages (DTIM) for BSS IDs 1-4.
1. Click the Rate Settings button within the radio edit screen to launch a new screen with rate setting information. 2. Check the boxes next to all the Basic Rates you want supported. Basic Rates are used for management frames, broadcast traffic and multicast frames. If a rate is selected as a basic rate it is automatically selected as a supported rate. 3. Check the boxes next to all the Supported Rates you want supported. Supported rates allow an 802.
4. Enter the device AP MAC Address (the physical MAC address of the radio). Ensure this address is the actual hard-coded MAC address of the device. 5. Use the AP Type drop-down menu to define the radio type you would like to add. If adding an AP-4131, AP-5131 or AP-7131 model Access Point, the Access Port conversion will render the Access Point a “thin” Access Port. 6.
4. Select the AP Mesh button at the bottom of the Configuration screen. Base Bridge Select the Base Bridge checkbox to allow the AP radio to accept client bridge connections from other access points in client bridge mode. The base bridge is the acceptor of mesh network data from those client bridges within the mesh network and never the initiator. Maximum no. of Client Bridges Define the client bridge load on this particular base bridge.
Mesh Network Name If the Client Bridge checkbox has been selected, enter a Mesh Network Name to define the WLAN (ESS) the client bridge uses to establish a wireless link. Motorola recommends creating (and naming) a WLAN specifically for mesh networking support to differentiate the Mesh supported WLAN from non-Mesh supported WLANs. Mesh Time Out Define whether one of the radio’s beacons uses an uplink connection.
3. To select the time frame for the radio statistics, select either Last 30s or Last Hr above the statistics table. • Select the Last 30s radio button to display statistics for the last 30 seconds for the radio. • Select the Last Hr radio button to display statistics from the last hour for the radio. 4. Refer to the table for the following information: Index Displays the numerical index (device identifier) used with the radio.
% Non-UNI Displays the percentage of packets for the selected radio that are non-unicast packets. Non-unicast packets include broadcast and multicast packets. Retries Displays the average number of retries for all MUs associated with the selected radio. 5. Select a radio from those displayed and click the Details button for additional radio information in raw data format. For more information, see Viewing AP Statistics in Detail on page 4-106. 6.
5. Refer to the Traffic field for the following information: Pkts per second Displays the average total packets per second that cross the selected radio. The Rx column displays the average total packets per second received on the selected radio. The Tx column displays the average total packets per second sent on the selected radio. The number in black represents this statistic for the last 30 seconds and the number in blue represents this statistic for the last hour.
10. Click Cancel to close the dialog without committing updates to the running configuration. 4.7.2.2 Viewing AP Statistics in Graphical Format The Access Port Radios Statistics tab has an option for displaying detailed Access Port radio statistics in a graph. This information can be used to chart associated switch radio performance and help diagnose radio performance issues. To view the MU Statistics in a graphical format: 1.
The WLAN Assignment tab is divided into two fields; Select Radios and Assigned WLANs. 4. Refer to the Select Radios field for the following information: Index Displays the numerical index (device identifier) used with the radio. Use this index (along with the radio description) to differentiate the radio from other radios with similar configurations. Description Displays a description of the Radio.
3. Select a radio from the table and click the Edit button. The Select Radio/BSS field displays the WLANs associated to each of the BSSIDs used by the radios within the radio table. Use the Select/Change Assigned WLANs field to edit the WLAN assignment. 4. Select any of the WLANs from the table to unassign/disable it from the list of available WLANs. 5. Refer to the Status field for the current state of the requests made from the applet.
WMM information displays per radio with the following information: Index Displays the identifier assigned to each radio index; each index is assigned a unique identifier (such as 1/4, 1/3, etc.). AP Displays the name of the Access Port associated with the index. The Access Port name comes from the description field in the Radio Configuration screen. Access Category Displays the Access Category currently in use. There are four categories: Video, Voice, Best Effort and Background.
4. Select a radio and click the Edit button to modify its properties. For more information, see Editing WMM Settings on page 4-112. 4.7.4.1 Editing WMM Settings Use the Edit screen to modify a WMM profile's properties (AIFSN, Tx Op, Cw Min and CW Max). Modifying these properties may be necessary as Access Categories are changed and transmit intervals need to be adjusted to compensate for larger data packets and contention windows.
7. Enter a value between 0 and 15 for the Extended Contention Window maximum (ECW Max) value. The ECW Max is combined with the ECW Min to make the Contention Window. From this range, a random number is selected for the back-off mechanism. Lower values are used for higher priority (video or voice) traffic. 8. Refer to the Status field for the current state of the requests made from the applet.
Description The displayed name is the name used with the device radio. Use this name (along with the radio index) to differentiate the radio from other device radios. QoS Weight Displays the Quality of Service weight for the AP. The default value for the weight is 1. AP QoS will be applied based on the QoS weight value with the higher values given priority. 4.7.
4.7.6.1 Viewing Access Point Radio Groups Refer to the Groups tab to view the Group ID and Index associated with each radio when added to a WLAN. To view existing radio group settings: 1. Select Network > Access Port Radios from the main menu tree. 2. Click the Group tab. Group information displays per radio with the following data: Group Id Displays the Group Id associated with each adopted radio.
3. The following statistics are displayed: Index Displays the numerical identifier assigned to each Access Port. Description Displays the names assigned to each of the APs. The AP name can be configured on the Access Port Radios Configuration page. Total Voice Calls Displays the total number of voice calls attempted for each Access Port. Roamed Calls Displays the total number of voice calls that were roamed from each Access Port.
2. Click the Mesh Statistics tab. 3. The following statistics are displayed: Mesh Index Displays the numerical identifier assigned to each mesh member AP. MAC Address Displays the Media Access Control (MAC) address for each Access Port. Connection Type Displays the connection type for each Access Port. Radio Index The Radio Index is a numerical value assigned to the radio as a unique identifier. For example; 1, 2, or 3.
4. Select a mesh index from amongst those displayed and select the Details button for additional (more granular) information on the mesh index selected. 5. Select a mesh index from those displayed and click the Graph button for additional radio performance information in graphical format. 4.7.
4.7.9.3 Viewing Smart RF Information To view Smart RF information: 1. Select Network > Access Port Radios from the main menu tree. 2. Click the Smart RF tab. 3. The following Smart RF details are displayed: MAC Address Displays the Media Access Control (MAC) Address of each of the APs in the table. Index Displays the numerical identifier assigned to each detector AP used in Smart RF calibration. AP Name Displays the names assigned to each of the APs.
Lock Detector Displays whether or not each Access Port is locked in detector status. Lock Channel Displays whether or not each Access Port is locked to a specific channel. Lock Power Displays whether or not each Access Port is locked to a specific power level. Lock Rescuers Displays whether or not each Access Port is locked to a group of rescuer APs. Switch IP Displays the IP address of the 4.
Radio Type Displays the radio type of the corresponding APs. Available types are: • 802.11a • 802.11an • 802.11b • 802.11bg • 802.11bgn AP Location Displays the current location for the selected AP. The location can be configured on the Access Port Radios Configuration page. 6. The Neighbor Details section allows you to select detected neighbor radios and view the following information: MAC Address Displays the Media Access Control (MAC) Address of the selected AP.
4. The Properties section displays the following information: Description Displays a description of the Radio. Modify the description as required to name the radio by its intended coverage area or function. MAC Address Displays the Media Access Control (MAC) Address of the selected AP. AP Name Displays the name assigned to the AP. The AP name can be configured on the Access Port Radios Configuration page.
Lock Channel Check this box to lock the channel for the selected radio. Lock Rescuer Check this box to lock the rescuer radio for the selected radio. 7. Click OK to apply the changes to the running configuration and close the dialog. 8. Click Cancel to close the dialog without committing updates to the running configuration. 4.7.9.5 Viewing Smart RF History To view Smart RF history: 1. Select Network > Access Port Radios from the main menu tree. 2. Click the Smart RF tab. 3.
4. Click the Check All Boxes option in the Smart RF Global Settings dialog to check every box in the configuration window. To uncheck all boxes, click this box a second time. 5. Check the Enable Smart RF Module box to enable Smart RF functions on the switch.
Assign - Tx Power Check this box to enable automatic assignment of transmit power. Assign - Rescuers Check this box to enable automatic assignment of rescuers along with rescuing power. Available The Available box lists all available channels for Smart RF. Configured The Configured box lists all channels enabled for Smart RF. Add To add a channel to the configured list, select one or more channels from the Available box and click the Add button.
Start Time If scheduled RF Calibration is enabled, enter a start time in HH:MM:SS format for the start time of scheduled calibration. Interval If scheduled RF Calibration is enabled, enter an interval in days for how long the scheduled calibration should continue after its start date. 10. Once the settings have been configured, click the Run Calibration button to start a Smart RF calibration. 11.
4.7.10 Voice Statistics To view Voice Statistics: 1. Select Network > Access Port Radios from the main menu tree. 2. Click the Voice Statistics tab. 3. The following statistics are displayed: Index Displays the numerical identifier assigned to each Access Port. Description Displays the names assigned to each of the APs. The AP name can be configured on the Access Port Radios Configuration page. Type Displays the radio type of the corresponding APs. Available types are: • 802.
Packets Dropped (%) Displays a percentage of the packets that each Access Port has dropped in comparison to the total number of packets. Packets Dropped Displays the total number of packets dropped by each Access Port. Delay to AP Displays the current delay time for each Access Port. MUs Associated Displays the total number of mobile units associated with each Access Port. 4.
4.8.1 Configuring AP Adoption Defaults The Configuration tab displays the current radio adoption configuration including radio type, placement, channel setting and power settings. Many of these settings can be modified (as well as the radio’s current rate settings) by selecting a radio and clicking the Edit button. These settings are the default configurations when the radios are set to auto-adopt. To view existing Radio Configuration information: 1.
4. To modify a radio’s adoption defaults, select a radio and click the Edit button. For more information, see Editing Default Access Port Adoption Settings on page 4-130. ! CAUTION: An Access Port is required to have a DHCP provided IP address before attempting layer 3 adoption, otherwise it will not work. Additionally, the Access Port must be able to find the IP addresses of the switches on the network.
The Properties field displays the Model family for the selected Access Port. The Model is read only and cannot be modified. The Radio Type displays the radio type (802.11a or 802.11bg). This value is read only and cannot be modified. 5. To use this radio as a detector to identify rogue APs on your network, check the box titled Dedicate this AP as Detector AP. Setting this radio as a detector will dedicate this radio to detecting rogue APs on the network.
can be a specific channel, Random, or ACS. Random assigns each radio a random channel. ACS (Automatic Channel Selection) allows the switch to systematically assign channels. Default is Random. 11. After first selecting a channel, select a power level in dBm for RF signal strength in the Desired Power (dBm) field. The optimal power level for the specified channel is best determined by a site survey prior to installation.
RTS Threshold Specify a Request To Send (RTS) threshold (in bytes) for use by the WLAN's adopted Access Ports. RTS is a transmitting station's signal that requests a Clear To Send (CTS) response from a receiving station. This RTS/CTS procedure clears the air where many MUs (or nodes) are contending for transmission time. Benefits include fewer data collisions and better communication with nodes that are hard to find (or hidden) because of other active nodes in the transmission path.
4-134 Motorola RF Switch System Reference Guide DTIM Period Specify a period for the Delivery Traffic Indication Message (DTIM). This is a divisor of the beacon interval (in milliseconds), for example, 10 : 100. (See "Beacon Interval," above). A DTIM is periodically included in the beacon frame transmitted from adopted Access Ports. The DTIM period determines how often the beacon contains a DTIM, for example, 1 DTIM for every 10 beacons.
Network Setup 4-135 Supported Rates allow an 802.11 network to specify the data rates it supports. When a station attempts to join the network, it checks the data rates used on the network. If a rate is selected as a basic rate it is automatically selected as a supported rate. 4. Click the Clear all rates button to uncheck all of the Basic and Supported rates. 5. Refer to the Status field for the current state of the requests made from the applet.
4-136 Motorola RF Switch System Reference Guide 4.8.2 Configuring Layer 3 Access Port Adoption The configuration activity required for adopting Access Ports in a layer 3 environment is unique. In a layer 3 environment, switch discovery is attempted in the following ways: • On the local VLAN • Through the DHCP Server Initially, the Access Port attempts to find its wireless switch by broadcasting a Hello packet on its local VLAN. During this activity: 1.
Network Setup 4-137 The Assigned WLANs tab displays two fields: Select Radios/BSS and Select/Change Assigned WLANs. 3. With the Select Radios/BSS field, select the radio type to configure (802.11a or 802.11bg) from the Select Radio drop-down menu. 4. Select the desired BSS from the BSS list or select a Radio (802.11a or 802.11bg) to modify. 5.
4-138 Motorola RF Switch System Reference Guide 6. Click Apply to save the changes made within the screen. 7. Click Revert to cancel the changes made and revert back to the last saved configuration. 4.8.4 Configuring WMM Use the WMM tab to review each radio type, as well as the Access Category that defines the data (Video, Voice, Best Effort and Background) the radio has been configured to process. Additionally, the WMM tab displays the transmit intervals defined for the target access category.
Network Setup 4-139 ECW Min The ECW Min is combined with the ECW Max to define the Contention Window. From this range, a random number is selected for the backoff mechanism. Lower values are used for higher priority traffic. ECW Max The ECW Max is combined with the ECW Min to define the Contention Window. From this range, a random number is selected for the backoff mechanism. Lower values are used for higher priority traffic. 4.
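How ECW Min and ECW Max translate into the backoff range a radio actually draws from, as an added example that is not part of the guide. The per-category exponent pairs in EDCA_PARAMS are constructed illustrations of "lower values for higher priority traffic", not switch defaults; the exponent-to-window formula (CW = 2^ECW - 1) is the 802.11 EDCA encoding.

```python
"""WMM/EDCA contention window from ECW Min / ECW Max (added example)."""
import random

# Constructed illustration: (ECW Min, ECW Max) per WMM access category.
# Smaller exponents give shorter backoffs, so Voice wins the medium more
# often than Background. Not the switch's actual defaults.
EDCA_PARAMS = {
    "Voice": (2, 3),
    "Video": (3, 4),
    "Best Effort": (4, 6),
    "Background": (4, 10),
}


def contention_window(ecw):
    """Largest backoff slot count for an ECW exponent: CW = 2^ECW - 1."""
    if not 0 <= ecw <= 15:  # ECW is a 4-bit field in the EDCA parameter set
        raise ValueError("ECW must be in 0..15")
    return (1 << ecw) - 1


def ecw_after_retries(ecw_min, ecw_max, retries):
    """Exponent in use after `retries` failed attempts.

    The window doubles (exponent +1) per retry and is capped at ECW Max.
    """
    if ecw_min > ecw_max:
        raise ValueError("ECW Min must not exceed ECW Max")
    if retries < 0:
        raise ValueError("retries must be non-negative")
    return min(ecw_min + retries, ecw_max)


def expected_backoff_slots(ecw_min, ecw_max, retries=0):
    """Mean of a uniform draw from [0, CW] for the current exponent."""
    return contention_window(ecw_after_retries(ecw_min, ecw_max, retries)) / 2.0


def draw_backoff(ecw_min, ecw_max, retries=0, rng=random):
    """One random backoff, in slots, as a radio would select it."""
    cw = contention_window(ecw_after_retries(ecw_min, ecw_max, retries))
    return rng.randint(0, cw)


def window_table(params=EDCA_PARAMS):
    """(CW min, CW max) in slots for every access category."""
    return {ac: (contention_window(lo), contention_window(hi))
            for ac, (lo, hi) in params.items()}


def priority_order(params=EDCA_PARAMS):
    """Access categories sorted by expected first-attempt backoff, shortest first."""
    return sorted(params, key=lambda ac: expected_backoff_slots(*params[ac]))


if __name__ == "__main__":
    for ac, (lo, hi) in window_table().items():
        print(f"{ac:12s} CW {lo:4d}..{hi:4d} slots")
    print("priority order:", priority_order())
```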
4-140 Motorola RF Switch System Reference Guide 4.9 Configuring Access Ports Use the Access Port screen to view device hardware address and software version information for adopted and unadopted Access Ports. For more information, refer to the following Access Port configuration sections: • Viewing Adopted Access Ports • Viewing Unadopted Access Ports • Viewing Sensor Information • Configuring Secure WiSPe • Configuring Adaptive AP Firmware 4.9.
Network Setup 4-141 Model Displays the model number of the Access Port. AP Type Displays the Access Port type. Serial Displays the serial number of the Access Port, and is used for switch management purposes. It is read-only and cannot be modified. HW Version Displays the hardware version of the Access Port. This information can be helpful when troubleshooting problems with the Access Port. IP Address Displays the IP address of the adopted Access Port.
4-142 Motorola RF Switch System Reference Guide • Use of encryption and authentication • Vendor identification of all devices • Total data transferred Preprocessing data centrally ensures a reduced reliance on network bandwidth to perform wireless network management. 7. Click the Location LED button to flash the LEDs on the AP to assist in locating and identifying a selected AP within an installation. 4.9.
Network Setup 4-143 Last Seen (In Seconds) Displays the time the Access Port was last seen (observed within the switch managed network). This value is expressed in seconds. Use this value to assess whether the Access Port is no longer in communication with the switch. Number of Unadopted APs Displays the total number of Access Ports (at the bottom of the screen) that have been recognized, but not adopted by the switch. 3.
4-144 Motorola RF Switch System Reference Guide 3. Refer to the Configuration field to define the following information: VLAN ID Enter a global default VLAN ID for all radios configured as sensors. Ping Interval Define the ping interval (in seconds) the switch uses to contact the radios defined as sensors. Use DHCP to obtain IP address automatically Select this option to allow the switch’s DHCP managed services to assign an IP address to a WIPS sensor.
Network Setup 4-145 3. Enter a Default Pre-Shared Secret used for Secure WiSPe authentication. The shared secret must be between 8 and 64 characters. 4. The Secure WiSPe Table displays the following information on each configured AP: MAC Address Displays the MAC Addresses for each of the Access Ports. AP Type The AP Type displays the Access Port model (AP100, AP300, AP-5131 or AP-7131). Secure Mode Enabled Indicates if Secure Mode is enabled for each of the listed Access Ports.
4-146 Motorola RF Switch System Reference Guide 4.9.5 Configuring Adaptive AP Firmware Refer to the AP Firmware tab to view the Access Port and Adaptive AP firmware image associated with each adopted Access Port or Adaptive AP. The screen allows you to update the firmware image for Adaptive APs that associate with the switch. To view AP firmware information: 1. Select Network > Access Port from the main menu tree. 2. Click the AP Firmware tab. 1.
Network Setup 4-147 2. View the firmware information displayed per Adaptive AP type with the following data: AP Image Type The AP image type is the model of Access Port or Adaptive AP which the firmware is used with. Available image types are: • ap300Wisp • ap300Wispe • ap300lpsSensor • ap100 • ap4131 • ap4131Revert • ap5131 • ap5181 • ap7131 • ap7181 AP Image File Displays the filename of the image file associated with the AP Image Type. 3. To add a new AP firmware image, click the Add button.
4-148 Motorola RF Switch System Reference Guide 4.9.5.2 Editing an Existing AP Firmware Image To modify the AP Firmware Image settings: 1. Select Network Setup > Access Port from the main menu tree. 2. Click the AP Firmware tab. 3. Select an AP Image Type from the AP Image Upload table. 4. Click the Edit button to display a screen to change the AP Image Type or AP Image File. 5. Modify the AP Image Type as necessary. 6. Modify the AP Image File as necessary.
Network Setup 4-149 on the VLAN to instance mapping), region name and revision-level. If you need to have two bridges in the same region, the two bridges must have identical VLAN to instance mappings, region names and revision-levels. To configure the switch for MSTP support, configure the region name and the revision on each switch being configured. This region name is unique to each region. Then create one or more instances and assign IDs. VLANs are then assigned to instances.
4-150 Motorola RF Switch System Reference Guide Max Hop Count Displays the maximum allowed hops for a BPDU (Bridge Protocol Data Unit) in an MSTP region. This value is used by all the MSTP instances. Supported Versions Displays the different versions of STP supported. Protocol Version Displays the current protocol version in use. Available MSTP protocol versions are: • forceNonStp • forceLegacyDot1d • forceDot1w • autoDot1s • unknown MST Config. Name Enter a name for the MST region.
Network Setup 4-151 CIST Bridge Priority Set the bridge priority for the common instance. The value entered determines the likelihood this bridge is selected as the root. The lower the priority, the greater the likelihood of the bridge becoming the root. CIST Bridge HelloTime Set the CIST Hello Time (in seconds). After the defined interval all bridges in a bridged LAN exchange BPDUs. The hello time is the time interval (in seconds) the device waits between BPDU transmissions.
4-152 Motorola RF Switch System Reference Guide The Bridge Instance tab displays the following: ID Displays the ID of the MSTP instance. Bridge Priority Displays the bridge priority for the associated instance. The Bridge Priority is assigned to an individual bridge based on whether it is selected as the root bridge. The lower the priority, the greater the likelihood of the bridge becoming the root for this instance. Bridge ID Displays the bridge ID of the bridge for this instance.
Network Setup 4-153 4. Enter a value between 1 and 15 as the Instance ID. 5. Click OK to save and commit the changes. 6. The Bridge Instance tab will now display the new instance ID. 7. Click Cancel to disregard the new Bridge Instance ID. 4.10.2.2 Associating VLANs to a Bridge Instance 1. Select Network > Multiple Spanning Tree from the main menu tree. 2. Select the Bridge Instance tab. 3. Select an ID from the table within the Bridge Instance tab and click on the Add VLANs button. 4.
4-154 Motorola RF Switch System Reference Guide The Port tab displays the following information (ensure you scroll to the right to view the numerous port variables described): Index Displays the port index. Admin MAC Enable Displays the status of the Admin MAC. Change the status using the Edit button. A green check mark indicates the Admin MAC Enable status is active/enabled. Oper MAC Enable This field displays the status of the Oper MAC Enable. You can change the status using the Edit button.
Network Setup 4-155 AdminPort PortFast Bpdu Guard Displays whether BPDU Guard is currently enabled for this port. When set for a bridge, all portfast-enabled ports having the bpdu-guard set to default shut down the port on receiving a BPDU. When this occurs, the BPDU is not processed. OperPort PortFast Bpdu Guard Displays whether BPDU Guard is currently enabled for this port.
4-156 Motorola RF Switch System Reference Guide Admin Edge Port A green checkmark defines the listed index as enabled as an Admin Edge Port, and a red “X” defines the listed index as not being an Admin Edge Port. Enable it only on ports that connect to a single location. Oper Edge Port Displays whether the port is currently an edge port. Admin Point-to-Point Displays the point-to-point status as ForceTrue or ForceFalse.
Network Setup 4-157 Port Guard Root Select this checkbox to enable guard root for this port. Typically, each guard root port is a designated port, unless two or more ports (within the root bridge) are connected together. If the bridge receives superior BPDUs on a guard root-enabled port, guard root moves the port to a root-inconsistent STP state. This state is equivalent to a listening state. No data is forwarded across the port.
4-158 Motorola RF Switch System Reference Guide The Port Instance table displays the following: ID Displays the instance ID. Index Displays the port index. State Displays the MSTP state for the port for that instance. Role Displays the MSTP state of the port. Internal Root Cost Displays the Internal Root Cost of a path associated with an interface. The lower the path cost, the greater the likelihood of the interface becoming the root.
Network Setup 4-159 4.10.4.1 Editing a Port Instance Configuration To edit and reconfigure Port Instance parameters: 1. Select a row from the port table and click the Edit button. Most of the MSTP Port Instance parameters can be reconfigured, as indicated below. Port Instance ID Read-only indicator of the instance ID used as a basis for other modifications. Port Index Read-only indicator of the port index used as a basis for other modifications.
4-160 Motorola RF Switch System Reference Guide • One router periodically broadcasts IGMP query messages onto a link • Hosts respond to the query messages by sending IGMP report messages indicating their group memberships • All routers receive the report messages and note the memberships of hosts on the link • If a router doesn't receive a report message for a particular group for a period of time, the router assumes there are no more members of the group on the link The IGMP Snooping screen is partitioned
Network Setup 4-161 6. Review the following to discern whether an existing snoop configuration requires revision. Vlan Index Lists the VLAN interfaces upon which snooping and unknown multicast forwarding is enabled or disabled. Snoop Enable Displays whether IGMP snooping is enabled/disabled on the VLAN Index listed. Unknown Multicast Forward Displays whether unknown multicast traffic forwarding is enabled/disabled on the VLAN Index listed.
4-162 Motorola RF Switch System Reference Guide NOTE: IGMP snooping does not detect link layer topology. It can only detect that a query loss has happened, and then activates the IGMP querier if it is enabled in the configuration. To view and potentially modify an IGMP snooping querier configuration: 1. Select Network > IGMP Snooping from the main menu tree. 2. Select the IGMP Snoop Querier Config tab. 3.
Network Setup 4-163 Interval (1 - 18000) Secs Configures the interval for group specific IGMP queries sent by the switch. Valid range is 1 to 18000 seconds. Enable Select this option to enable the Apply/Revert buttons in order to save an updated configuration. Once a parameter has been enabled, the red “X” in the enabled column of the Igmp Snoop Querier Vlan Config table displays a green checkmark, designating the configuration as enabled. 4.
4-164 Motorola RF Switch System Reference Guide Operational State Displays whether a particular configuration has been enabled/disabled. Once a parameter has been enabled, the red “X” in the enabled column of the Igmp Snoop Querier Vlan Config table displays a green checkmark, designating the configuration as enabled. IpAddress Displays the configured querier IP address on the switch used while generating the general IGMP query. 6. Select OK to save the edits to the configuration.
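The snooping behaviour the guide describes above (reports build per-port group membership, memberships age out when no report arrives, unknown multicast is dropped or flooded per the Unknown Multicast Forward setting, and query loss activates the switch's own querier when enabled), modelled as an added example that is not the switch's code. The class name, the timer values and the sample event sequence are constructed for illustration.

```python
"""Toy IGMP snooping table for one VLAN (added example, constructed)."""


class IgmpSnoopTable:
    """Tracks group membership per port and decides where multicast is forwarded."""

    def __init__(self, all_ports, membership_interval=260.0, query_interval=125.0,
                 unknown_multicast_forward=False, querier_enabled=True, now=0.0):
        self.all_ports = set(all_ports)
        self.membership_interval = membership_interval  # seconds without a report
        self.query_interval = query_interval            # seconds without a query
        self.unknown_multicast_forward = unknown_multicast_forward
        self.querier_enabled = querier_enabled
        self.members = {}           # group -> {port: time of last report}
        self.router_ports = set()   # ports on which a querier/router was seen
        self.last_query_seen = now
        self.querier_active = False

    def on_report(self, port, group, now):
        """A host on `port` reported membership of `group`."""
        if port not in self.all_ports:
            raise ValueError(f"unknown port {port}")
        self.members.setdefault(group, {})[port] = now

    def on_query(self, port, now):
        """A general query arrived from a router/querier on `port`."""
        self.router_ports.add(port)
        self.last_query_seen = now
        self.querier_active = False  # a real querier exists; stand down

    def expire(self, now):
        """Age out silent members and detect query loss (the guide's querier trigger)."""
        for group in list(self.members):
            ports = self.members[group]
            for port in list(ports):
                if now - ports[port] > self.membership_interval:
                    del ports[port]
            if not ports:
                del self.members[group]
        if self.querier_enabled and now - self.last_query_seen > self.query_interval:
            self.querier_active = True

    def forward_ports(self, group, now):
        """Ports that receive traffic for `group` at time `now`."""
        self.expire(now)
        if group in self.members:
            return sorted(set(self.members[group]) | self.router_ports)
        # Unknown group: flood only if Unknown Multicast Forward is enabled.
        return sorted(self.all_ports) if self.unknown_multicast_forward else []


def demo(unknown_multicast_forward=False):
    """Run a constructed event sequence and return the decisions made."""
    t = IgmpSnoopTable(all_ports=[1, 2, 3, 4],
                       unknown_multicast_forward=unknown_multicast_forward)
    t.on_query(port=1, now=5.0)                   # querier lives behind port 1
    t.on_report(port=3, group="239.1.1.1", now=10.0)
    return {
        "known_at_20": t.forward_ports("239.1.1.1", now=20.0),
        "unknown_at_20": t.forward_ports("239.9.9.9", now=20.0),
        "known_at_300": t.forward_ports("239.1.1.1", now=300.0),  # aged out
        "querier_active_at_300": t.querier_active,                 # query loss
    }


if __name__ == "__main__":
    print(demo())
    print(demo(unknown_multicast_forward=True))
```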
Switch Services This chapter describes the Services main menu information available for the following switch configuration activities.
5-2 Motorola RF Switch System Reference 5.1 Displaying the Services Interface Refer to the Services main menu interface to review a summary describing the availability of several central features within the Services main menu item. NOTE: When the switch’s configuration is successfully updated (using the Web UI), the affected screen is closed without informing the user their change was successful. However, if an error were to occur, the error displays within the affected screen’s Status field.
Switch Services 5-3 Layer 3 Mobility Displays whether Layer 3 Mobility is currently enabled or disabled. Layer 3 mobility is a mechanism which enables a MU to maintain the same Layer 3 address while roaming throughout a multi-VLAN network. This enables the transparent routing of IP datagrams to MUs during their movement, so data sessions can be maintained while they roam (for voice applications in particular).
5-4 Motorola RF Switch System Reference 5.2.1 Configuring the Switch DHCP Server The switch contains an internal Dynamic Host Configuration Protocol (DHCP) Server. DHCP can provide the dynamic assignment of IP addresses automatically. DHCP is a protocol that includes mechanisms for IP address allocation and delivery of host-specific configuration parameters from a DHCP server to a host. Some of these parameters are IP address, network mask and gateway.
Switch Services 5-5 5. Refer to the following as displayed within Network Pool field. Pool Name Displays the name of the IP pool from which IP addresses can be issued to DHCP client requests on the current interface. The pool is the range of IP addresses available. Network Displays the network address for the clients. Lease Time (dd:hh:mm) When a DHCP server allocates an address for a DHCP client, the client is assigned a lease (which expires after a designated interval defined by the administrator).
5-6 Motorola RF Switch System Reference • A p-peer (peer-to-peer node) uses directed calls to communicate with a known NetBIOS name server, such as a Windows Internet Name Service (WINS) server, for the IP address of a NetBIOS machine. • An m-mixed (mixed node) uses broadcast queries to find a node and queries a known p-node name server for the address. • An h-hybrid (hybrid node) is a combination of two or all of the nodes mentioned above. 6.
Switch Services 5-7 3. Enter the name of the IP pool from which IP addresses can be issued to client requests on this interface. 4. Provide the Domain name as appropriate for the interface using the pool. 5. Enter the NetBios Node used with this particular pool. The NetBios Node could have one of the following types: • A b-broadcast (broadcast node) uses broadcasting to query nodes on the network for the owner of a NetBIOS name.
5-8 Motorola RF Switch System Reference 7. From the Network field, use the Associated Interface drop-down menu to define the switch interface used for the newly created DHCP configuration. Use VLAN1 as a default interface if no others have been defined. Additionally, define the IP Address and Subnet Mask used for DHCP discovery and requests between the DHCP Server and DHCP clients.
Switch Services 5-9 3. Click the Insert button to display an editable field wherein the name and value of the DHCP option can be added. 4. Name the option as appropriate, assign a Code (numerical identifier) and use the Type drop-down options to specify a value of ip or ascii to the DHCP global option. 5. Highlight an entry from within the Global Options screen and click the Remove button to delete the name and value. 6.
5-10 Motorola RF Switch System Reference 3. Enter a Domain Name which represents the forward zone in the DNS server. For example, test.net. 4. Define the TTL (Time to Live) to specify the validity of DDNS records. The maximum value is 864000 seconds. 5. Use the Automatic Update drop-down menu to specify whether the automatic update feature is on or off. Select Server update to enable a DDNS update from the DHCP server. Select Client update to get the DDNS updates from DHCP clients. 6.
Switch Services 5-11 3. Refer to the following information to assess whether the existing group of DHCP pools is sufficient: Pool Name Displays the name of the IP pool from which IP addresses can be issued to DHCP client requests on this interface. The pool is the range of IP addresses for which addresses can be assigned. IP Address Displays the IP address for the client on this interface using the pool name listed.
5-12 Motorola RF Switch System Reference 5.2.3 Configuring Excluded IP Address Information The DHCP Server may have some IP addresses unavailable when assigning IP address ranges for a pool. If IP addresses have been manually assigned and fixed, they need to be made available for the administrator to exclude from possible selection. To view excluded IP address ranges: 1. Select Services > DHCP Server from the main menu tree. 2. Click the Excluded tab.
Switch Services 5-13 5.2.4 Configuring the DHCP Server Relay Refer to the Relay tab to view the current DHCP Relay configurations for available switch VLAN interfaces. The Relay tab also displays the VLAN interfaces for which the DHCP Relay is enabled/configured. The Gateway Interface address information is helpful in selecting the interface suiting the data routing requirements between the External DHCP Server and DHCP client (present on one of the switch’s available VLANs).
5-14 Motorola RF Switch System Reference 3. Refer to the Interfaces field for the names of the interfaces available to route information between the DHCP Server and DHCP clients. If this information is insufficient, consider creating a new IP pool or editing an existing pool. 4. Refer to the Gateway Information field for DHCP Server and Gateway Interface IP addresses. Ensure these addresses are not in conflict with the addresses used to route data between the DHCP Server and client.
Switch Services 5-15 a. Use the Interface drop-down menu to assign the interface used for the DHCP relay. As VLANs are added to the switch, the number of interfaces available grows. b. Add Servers as needed to supply DHCP relay resources. As Servers are added, use the Gateway drop-down menu associated with each Server to supply the interface used to route data. The gateway address should not be set to any VLAN interface used by the switch. c.
5-16 Motorola RF Switch System Reference 3. Refer to the contents of the DDNS Bindings tab for the following information: IP Address Displays the IP address assigned to the client. Domain Name Displays the domain name mapping corresponding to the IP address listed in the left-hand side of the tab. 4. Click the Export button to display a screen used to export DDNS Binding information to a secure location. 5.2.6 Viewing DHCP Bindings The Bindings tab displays addresses and expiration times.
Switch Services 5-17 3. Refer to the contents of the Bindings tab for the following information: IP Address Displays an IP address for each client with a listed MAC address. This column is read-only and cannot be modified. MAC Address / Client ID Displays the MAC address (client hardware ID) of the client using the switch’s DHCP Server to access switch resources. The MAC address is read-only and cannot be modified. 4.
5-18 Motorola RF Switch System Reference 3. Refer to the contents of the Dynamic Bindings tab for the following: IP Address Displays the IP address for each client whose MAC Address is listed in the MAC Address / Client ID column. This column is read-only and cannot be modified. MAC Address / Client ID Displays the MAC address (client hardware ID) of the client using the switch’s DHCP Server to access switch resources. The MAC address is read-only and cannot be modified.
Switch Services 5-19 5.2.8 Configuring the DHCP User Class The DHCP server assigns IP addresses to clients based on user class option names. Clients with a defined set of user class option names are identified by their user class name. The DHCP server assigns IP addresses from multiple IP address ranges. The DHCP user class associates a particular range of IP addresses to a device in such a way that all devices of that type are assigned IP addresses from the defined range.
5-20 Motorola RF Switch System Reference 3. Click the Add button from the User Class Name field. The DHCP server groups clients based on user class option values. DHCP Clients with the defined set of user class option values are identified by class. a. Enter the User Class Name to create a new client. The DHCP user class name should not exceed 32 characters. b. Enter Option Values for the devices associated with the DHCP user class name. The value should not exceed 32 characters. c.
Switch Services 5-21 c. Select the Multiple User Class Option checkbox to enable multiple option values for the user class. This allows the user class to transmit multiple option values to DHCP servers which support multiple user class options. d. Click OK to save and add the new configuration and close the dialog window. e. Refer to the Status field. It displays the current state of the requests made from the applet. Requests are any “SET/GET” operation from the applet.
5-22 Motorola RF Switch System Reference 6. Click the Add button to create a new pool class name. For more information, see Adding a New DHCP Pool Class on page 5-22. 5.2.9.1 Editing an Existing DHCP Pool Class The Edit DHCP Pool Class Configuration dialog is used to edit the association of a DHCP pool name to a DHCP class name. It is also used to configure a maximum of 4 pool class address ranges. To revise an existing DHCP pool class name: 1. Select Services > DHCP Server from the main menu tree. 2.
Switch Services 5-23 4. Use the Pool Name field to define a new pool name. Enter the pool name created using Adding a New DHCP Pool on page 5-6. 5. Use the Class Name field to associate an existing class, created using Adding a New DHCP User Class on page 5-19. 6. The Pool Class Address Range field is used to assign an address range to the class inside the pool. A maximum of 4 address ranges can be assigned to a class. a. Use the Insert button to enter the Start IP and End IP address range for a class. b.
5-24 Motorola RF Switch System Reference 5.3 Configuring Secure NTP Secure Network Time Protocol (SNTP) is central for networks that rely on their switch to supply system time. Without an SNTP implementation, switch time is unpredictable, which can result in data loss, failed processes and compromised security. With network speed, memory and capability increasing at an exponential rate, the accuracy, precision and synchronization of network time is essential in a switch managed enterprise network.
Switch Services 5-25 3. An ACL Id must be created before it is selectable from any of the drop-down menus. Refer to the Access Group field to define the following: Full Access Supply a numeric ACL ID from the drop-down menu to provide the ACL full access. Only Control Queries Supply a numeric ACL ID from the drop-down menu to provide the ACL only control query access to SNTP resources.
5-26 Motorola RF Switch System Reference Broadcast Delay Auto Key Enter the estimated round-trip delay (between 1 and 999999 seconds) for SNTP broadcasts between the SNTP broadcast server and the switch. Define the interval based on the priority of receiving accurate system time frequently. Typically, no more than one packet per minute is necessary to synchronize the switch to within a millisecond of the SNTP broadcast server.
Switch Services 5-27 Key Value Displays the authentication value used to secure the credentials of the server providing system time to the switch. Trusted Key If a checkmark appears, a trusted key has been associated with a domain name. A trusted key is added when a public key is known, but cannot be securely obtained. Adding the trusted key allows information from the server to be considered secure.
5-28 Motorola RF Switch System Reference Refer to the NTP Neighbor tab to assess the switch’s existing configurations (both peer and server) and, if necessary, modify the attributes of an existing peer or server configuration or create a new neighbor peer or server SNTP configuration. To review the switch’s existing NTP neighbor configurations: 1. Select Services > Secure NTP from the main menu tree. 2. Select the NTP Neighbor tab. 3.
Switch Services 5-29 5. Select an existing entry and click the Delete button to remove it from the table. 6. Click the Add button to define a new peer or server configuration that can be added to the existing configurations displayed within the NTP Neighbor tab. For more information, see Adding an NTP Neighbor on page 5-29. 5.3.4 Adding an NTP Neighbor To add a new NTP peer or server neighbor configuration to those available for synchronization: 1. Select Services > Secure NTP from the main menu tree. 2.
5-30 Motorola RF Switch System Reference on the same subnet. NTP broadcasts reduce configuration complexity since both the switch and its NTP resources can be configured to send and receive broadcast messages. NOTE: If this checkbox is selected, the AutoKey Authentication checkbox is disabled, and the switch is required to use Symmetric Key Authentication for credential verification with its NTP resource.
Switch Services 5-31 5.3.5 Viewing NTP Associations The interaction between the switch and a SNTP server constitutes an association. SNTP associations can be either a peer association (the switch synchronizes to another system or allows another system to synchronize to it), or a server association (only the switch synchronizes to the SNTP resource, not the other way around). To review the switch’s current SNTP associations: 1. Select Services > Secure NTP from the main menu tree. 2.
5-32 Motorola RF Switch System Reference Delay (sec) Displays the round-trip delay (in seconds) for SNTP broadcasts between the SNTP server and the switch. Offset (sec) Displays the calculated offset between the switch and SNTP server. The switch adjusts its clock to match the server's time value. The offset gravitates toward zero over time, but never completely reduces its offset to zero.
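How the Delay and Offset values shown for an association are derived from the four packet timestamps, and how they combine with a server's own root delay into the Root delay the NTP Status tab reports, as an added example that is not part of the guide. The formulas are the standard NTP (RFC 5905) ones; the timestamps and the `usable_time_source` policy threshold are constructed for illustration.

```python
"""NTP association delay/offset from packet timestamps (added example)."""
import math

# Timestamps, as Unix-time floats:
#   t1  switch transmits the request
#   t2  server receives the request
#   t3  server transmits the reply
#   t4  switch receives the reply


def ntp_delay(t1, t2, t3, t4):
    """Round-trip delay to the server, excluding the server's processing time."""
    return (t4 - t1) - (t3 - t2)


def ntp_offset(t1, t2, t3, t4):
    """Estimated (server clock - switch clock), assuming a symmetric path."""
    return ((t2 - t1) + (t3 - t4)) / 2.0


def offset_bounds(t1, t2, t3, t4):
    """Interval that must contain the true offset: offset +/- delay/2.

    Path asymmetry can hide at most half the round trip, so this is the
    honest error bar on a single exchange.
    """
    d = ntp_delay(t1, t2, t3, t4)
    o = ntp_offset(t1, t2, t3, t4)
    return (o - d / 2.0, o + d / 2.0)


def root_delay_via(server_root_delay, t1, t2, t3, t4):
    """Total delay back to the primary source when synchronised through this server."""
    return server_root_delay + ntp_delay(t1, t2, t3, t4)


def root_dispersion_via(server_root_dispersion, own_dispersion):
    """Nominal error to the primary source: the server's figure plus our own."""
    return server_root_dispersion + own_dispersion


def usable_time_source(t1, t2, t3, t4, max_delay=1.0):
    """Constructed acceptance rule: reject exchanges whose delay is non-positive
    (timestamps inconsistent, e.g. a reply crafted or replayed out of order)
    or whose round trip is too long to bound the offset usefully."""
    d = ntp_delay(t1, t2, t3, t4)
    if not all(math.isfinite(x) for x in (t1, t2, t3, t4)):
        return False
    return 0.0 < d <= max_delay


# Constructed sample exchange: the server runs 240 ms ahead of the switch and
# the round trip (minus 10 ms of server processing) is 20 ms.
SAMPLE = (1000.000, 1000.250, 1000.260, 1000.030)


if __name__ == "__main__":
    print("delay  %.3f s" % ntp_delay(*SAMPLE))
    print("offset %.3f s" % ntp_offset(*SAMPLE))
    print("bounds", offset_bounds(*SAMPLE))
    print("usable", usable_time_source(*SAMPLE))
```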
Switch Services 5-33 5.3.6 Viewing NTP Status Refer to the NTP Status tab to display performance (status) information relative to the switch’s current NTP association. Verifying the switch’s SNTP status is important to assess which resource the switch is currently getting its system time from, as well as the time server’s current differences in time attributes as compared to the current switch time.
5-34 Motorola RF Switch System Reference Root delay The total round-trip delay in seconds. This variable can take on both positive and negative values, depending on the relative time and frequency offsets. The values that normally appear in this field range from negative values of a few milliseconds to positive values of several hundred milliseconds. Root Dispersion Displays the nominal error relative to the primary time source in seconds.
Switch Services 5-35 on the other switches at the same time. This is done by the cluster-protocol running on WS1, by duplicating the commands and sending them to the group over the virtual connection: After sending the command to other members, the cluster-management protocol (at WS1) waits for a response from the members of the redundancy group. Upon receiving a response from each member, WS1 updates the user’s screen and allows the user to enter/execute the next command.
5-36 Motorola RF Switch System Reference 5.4.1 Configuring Redundancy Settings To configure switch redundancy: 1. Select Services > Redundancy from the main menu tree. The Redundancy screen displays with the Configuration tab selected. NOTE: MUs on an independent WLAN will not see any disruptions on a switch fail-over. 2. Refer to the Configuration field to define the following: Enable Redundancy Select this checkbox to enable/disable clustering.
Switch Services 5-37 Heartbeat Period The Heartbeat Period is the interval at which heartbeat messages are sent. Heartbeat messages discover the existence and status of other members within the group. Configure an interval between 1 and 255 seconds. The default value is 5 seconds. Hold Time Define the Hold Time for a redundancy group. If there are no heartbeats received from a peer during the hold time, the peer is considered down. In general, the hold period is configured for three times the heartbeat period.
5-38 Motorola RF Switch System Reference NOTE: Redundancy uses UDP port 51515 for both source and destination port. The TCP connection uses 51515 as the destination port, the source port is selected from the range of 32768 to 61000. 3. To enable Dynamic AP Load Balancing, check the Enable Dynamic AP Load Balancing option and define the parameters below: Runtime/Schedule Select Runtime or Schedule to determine when load balancing will run.
Switch Services 5-39 5.4.2 Reviewing Redundancy Status The switch is capable of displaying the status of the collective membership of the cluster. Use this information to assess the overall health and performance of the group. NOTE: When ETH2 of one of the group members is unplugged, the other members report this member as gone, but an AP will continue to be adopted by the switch with no ETH2 connectivity. To configure switch redundancy memberships: 1.
5-40 Motorola RF Switch System Reference AAP Licenses Displays the number of Adaptive APs that can be adopted in the redundancy group. This value is calculated when a member starts-up, is added, is deleted or a license changes (downgrade and upgrade.) This value is equal to the highest license level of its members. It is NOT the sum of the license level of its members.
Switch Services 5-41 Adoption capacity on this switch Displays the AP adoption capability for this switch. Compare this value with the adoption capacity for the entire cluster to determine if the cluster members (or this switch) have adequate adoption capabilities. For information on licensing rules impacting redundancy group members, see Redundancy Group License Aggregation Rules on page 5-46. Rogue Access Ports on this switch Displays the number of rogue APs detected by this switch.
5-42 Motorola RF Switch System Reference 5.4.3 Configuring Redundancy Group Membership The redundancy group should be disabled to conduct an Add/Delete operation. A minimum of 2 members is needed to comprise a Redundancy Group, including the initiating switch. To configure switch redundancy memberships: 1. Select Services > Redundancy from the main menu tree. The Redundancy screen displays with the Configuration tab selected. 2. Select the Member tab. 3.
Switch Services 5-43 AP License Count Displays the number of Access Port licenses installed on this member. AAP License Count Displays the number of Adaptive AP licenses installed on this member. Mode The Redundancy Mode could be Active or Standby depending on the mode configuration on the member. Refer to the Configuration screen to change the mode. 4. Select a row, and click the Details button to display additional details for this member.
5-44 Motorola RF Switch System Reference 4. Refer to the following redundancy member information: IP Address Displays the IP addresses of the members of the redundancy group. A minimum of 2 members is needed to define a redundancy group, including this current module. Status Displays the current status of this group member. This status could have the following values: • Configured - The member is configured on the current wireless service module.
Switch Services 5-45 Updates Received Displays the number of updates received by the current switch from this member since the last reboot. Radio Portals Displays the number of radio portals detected on each redundancy member listed. Associated MUs Displays the number of MUs associated with each member listed. Rogue APs Displays the number of Rogue APs detected by each member. Use this information to discern whether these radios represent legitimate threats to other members of the redundancy group.
5-46 Motorola RF Switch System Reference 7. Click Cancel to close the dialog without committing updates to the running configuration. 5.4.4 Redundancy Group License Aggregation Rules The following are rules governing license usage amongst members of a redundancy group: • A redundancy group license is determined by adding individual switch licenses. • Do not allow different port speed/duplex settings on members. Each member should have the same settings.
Switch Services 5-47 2. Configure redundancy settings using the Command Line Interface or using the Web UI as described in Configuring Redundancy Settings on page 5-36. 3. Add any redundancy group members using the Command Line Interface or using the Web UI as described in Configuring Redundancy Group Membership on page 5-42. 4. On the Configuration tab, check the Enable Redundancy checkbox and then check the Enable Cluster GUI box. 5. Click the Apply button to enable the Cluster GUI feature. 6.
5-48 Motorola RF Switch System Reference 5.5 Layer 3 Mobility Refer to the following sections to configure Layer 3 Mobility: • Configuring Layer 3 Mobility • Defining the Layer 3 Peer List • Reviewing Layer 3 Peer List Statistics • Reviewing Layer 3 MU Status 5.5.1 Configuring Layer 3 Mobility Layer 3 mobility is a mechanism enabling a MU to maintain the same Layer 3 address while roaming throughout a multi-VLAN network.
Switch Services 5-49 • A full mesh of GRE tunnels can be established between mobility peers. Each tunnel is between a pair of switches and can handle data traffic for all MUs (for all VLANs) associated directly or indirectly with the MU. • Data traffic for roamed MUs is tunneled between switches by encapsulating the entire Layer 2 packet inside GRE with a proprietary code-point.
5-50 Motorola RF Switch System Reference 5. Refer to the table of WLANs and select the checkboxes of those WLANs you wish to enable Layer 3 mobility for. Once the settings are applied, MUs within these WLANs can roam amongst different subnets. 6. Select the Enable Mobility checkbox to enable a MU to maintain the same Layer 3 address while roaming throughout a multi-VLAN network. 7. Select the All WLANs On button to enable mobility for each WLAN listed.
Switch Services 5-51 4. Select an IP address from those displayed and click the Delete button to remove the address from the list available for MU Layer 3 roaming amongst subnets. 5. Click the Add button to display a screen used for adding the IP address to the list of addresses available for MU Layer 3 roaming. Enter the IP addresses in the area provided and click the OK button to add the addresses to the list displayed within the Peer List screen. 5.5.
5-52 Motorola RF Switch System Reference 3. Refer to the following information within the Peer Statistics tab: Peer IP Displays the IP addresses of the peer switches within the mobility domain. Each peer can support up to 500 MUs. JOIN Events sent/rcvd Displays the number of JOIN messages sent and received. JOIN messages advertise the presence of MUs entering the mobility domain for the first time.
Switch Services 5-53 L2-ROAMs sent/rcvd Displays the number of Layer 2 ROAM messages sent and received. When a MU roams to a new switch on a different layer 3 network (MU is mapped to a different VLAN ID), it sends a L3-ROAM message to the home switch with the new IP information for the current switch it is associated with. The L3-ROAM message is then forwarded by the home switch to each peer. L3-ROAMs sent/rcvd Displays the number of Layer 3 ROAM messages sent and received.
5-54 Motorola RF Switch System Reference one goes down. The neighbor radios do not have to be of the same type. Therefore, an 11bg radio can be the neighbor of an 11a radio and either of them can self heal when one of them fails. The switch initiates self healing when it loses communication with the Access Port or when another radio (configured in detector mode) informs the switch a particular radio is not transmitting beacons. To configure self-healing on the switch: 1.
Switch Services 5-55 5.6.1 Configuring Self Healing Neighbor Details The Neighbor Details page displays all the radios configured on the switch and their neighbor designations. To configure self-healing on the switch: 1. Select Services > Self Healing from the main menu tree. The Self Healing page launches with the Configuration tab displayed. 2. Select the Neighbor Details tab. The top right-hand corner displays whether neighbor recovery is currently enabled or disabled.
5-56 Motorola RF Switch System Reference Action Displays the self healing action configured for the radio. Options include: • Raise Power - The transmit power of the radio is increased when a neighbor radio is not functioning as expected. • Open Rates - Radio rates are decreased to support all rates when a neighbor radio is not functioning as expected. • Both - Increases power and increases rates when a neighbor radio is not functioning as expected.
Switch Services 5-57 6. Select a radio and click <- Remove to move the radio from the Neighbor Radios list to the Available Radios list. 7. Refer to the Status field for an update of the edit process. The Status is the current state of the requests made from the applet. Requests are any “SET/GET” operation from the applet. The Status field displays error messages if something goes wrong in the transaction between the applet and the switch. 8.
5-58 Motorola RF Switch System Reference 2. Refer to the following information within the Discovery Profiles tab to discern whether an existing profile can be used as is, requires modification (or deletion) or if a new discovery profile is required. Index Displays the numerical identifier used to differentiate this profile from others with similar configurations. The index is supplied to new profiles sequentially. Profile Name Displays the user-assigned name for the profile.
Switch Services 5-59 credentials must be verified before the switch displays discovered devices within the Recently Found Devices table. If SNMP v2 is used with a discovering profile, a Read Community String screen displays. The Community String entered is required to match the name used by the remote network management software of the discovered switch. If SNMP v3 is used with a discovering profile, a V3 Authentication screen displays.
5-60 Motorola RF Switch System Reference 3. Define the following parameters for the new switch discovery profile: Profile Name Define a user-assigned name used to title the profile. The profile name should associate the profile with the group of devices or area where the discovered devices should be located. Start IP Address Enter the starting numeric (non DNS) IP address from where the search for available network devices is conducted.
Switch Services 5-61 3. Refer to the following within the Recently Found Devices screen to discern whether a located device should be deleted from the list or selected to have its Web UI launched and its current configuration modified. IP Address Displays the IP address of the discovered switch. This IP address obviously falls within the range of IP addresses specified for the discovery profile used for the device search.
5-62 Motorola RF Switch System Reference 4. If a discovered switch is of no interest, select it from amongst the discovered devices displayed and click the Delete button. Once removed, the located device cannot be selected and its Web UI displayed. 5. Select a discovered device from amongst those located and displayed within the Recently Found Devices screen and click the Launch button to display the Web UI for that switch.
Switch Services 5-63 5.8 Locationing 5.8.1 RTLS Overview The Motorola Real Time Locationing System (RTLS) is a wireless radio frequency solution that continually monitors and reports the real-time location of tracked resources. Unlike competing solutions, which are based solely on Wi-Fi, the Motorola solution is RF agnostic and supports passive RFID, active RFID and other emerging RF and non-RF technologies.
5-64 Motorola RF Switch System Reference SOLE is capable of receiving location input from external 3rd party location engines such as Aeroscout and Ekahau. SOLE also has a self learning process that adapts to a changing environment. SOLE also provides an open platform for supporting new architectures, future algorithms or newer asset types. 5.8.3 Defining Site Parameters In order for the locationing engine to function properly, the site parameters must first be defined.
Switch Services 5-65 5. Define the Dimensions used to define the site size: Length Enter the length of the site. This is the X axis of your site map based on the origin point of 0,0. The size is either in feet or meters depending on which unit of measure is selected below. The valid range for length is 1-3000m or 1-9000ft. Width Enter the width of the site. This is the Y axis of your site map based on the origin point of 0,0.
5-66 Motorola RF Switch System Reference 2. Select the Site tab. 3. Click the Add button. 4. Provide the AP’s MAC address and X, Y, and Z coordinates. 5. Select OK when completed to save your AP configuration. 5.8.4 Configuring SOLE Parameters To configure the switch’s internal SOLE locationing engine: 1. Select Services > RTLS from the main menu tree. 2. Select the SOLE tab. 3. Check the Locate All Mobile-Units checkbox to locate all MUs known to the switch across all WLANs.
Switch Services 5-67 5. Click the Apply button to save the MU Locate Interval value. 6. Click the Revert button to cancel any changes made to the MU Locate Interval value and revert back to the last saved configuration. NOTE: AP coordinates can only be configured in the Command Line Interface. For more information on configuring AP coordinates please consult the Motorola RF Switch CLI Reference. 7. The MU MAC table allows you to manually add or remove MAC Addresses which can be located by the SOLE engine.
5-68 Motorola RF Switch System Reference 2. Select the Aeroscout tab. 3. Check the Enable checkbox to globally enable Aeroscout RTLS support on the switch. This takes effect immediately when the box is checked. 4. Enter the Multicast MAC Address used for all Aeroscout tags to send updates via multicast to the MAC address specified. Typically the MAC address will start with 01-0C-CC-XX-XX-XX.
Switch Services 5-69 If the onboard SOLE engine is enabled to locate Aeroscout tags the following information will be displayed for each located MU: MAC Lists the MAC Addresses of all MUs which have been located by the switch. Location: X Coordinate Displays the value of the X Coordinate for each located MU. The X coordinate is relative to the origin point of 0,0 in the upper left corner of the site map. Location: Y Coordinate Displays the value of the Y Coordinate for each located MU.
5-70 Motorola RF Switch System Reference 4. Enter the Multicast MAC Address used for all Ekahau tags to send updates via multicast to the MAC address specified. Typically the MAC address will start with 01-0C-CC-XX-XX-XX. NOTE: To use the onboard SOLE engine to locate Ekahau tags, site parameters, AP location (Command Line Interface only) and Zone configuration (optional, Command Line Interface only) must be configured. 5. Specify the IP Address of the Ekahau RTLS engine server. 6.
Switch Security This chapter describes the security mechanisms available to the switch. This chapter describes the following security configuration activities: • Displaying the Main Security Interface • AP Intrusion Detection • MU Intrusion Detection • Configuring Firewalls and Access Control Lists • Configuring NAT Information • Configuring IKE Settings • Configuring IPSec VPN • Configuring the Radius Server • Creating Server Certificates • Configuring Enhanced Beacons and Probes 6.
6-2 Motorola RF Switch System Reference Guide 2. Refer to the following information to discern if configuration changes are warranted: Rogue AP Intrusion Detection Displays the enabled or disabled switch state to detect potentially hostile Access Ports (as defined by you). Once detected, rogue devices can be added to a list of devices either approved or denied from interoperating within the switch managed network. For more information, see AP Intrusion Detection on page 6-2.
Switch Security 6-3 • Enabling and Configuring AP Detection • Approved APs • Unapproved APs (AP Reported) • Unapproved APs (MU Reported) • AP Containment 6.2.1 Enabling and Configuring AP Detection Use the Configuration screen to allow the switch to detect potentially hostile Access Points, set the number of detected APs allowed and define the timeout and threshold values used for detection. The switch can enable both Access Ports and MUs to scan and detect Access Points within the switch managed network.
6-4 Motorola RF Switch System Reference Guide Approved AP timeout Define a value (in seconds) the switch uses to timeout (previously approved) Access Points that have not communicated with the switch. The range is from 1-65535 seconds, with a default of 300 seconds. This value is helpful for continually re-validating Access Points that interoperate within the switch managed network.
Switch Security 6-5 10. Click the Add button to display a screen used to enter device information for a new AP added to the Allowed AP list. For more information, see Adding or Editing an Allowed AP on page 6-5. 6.2.1.1 Adding or Editing an Allowed AP To add a new address range or modify the address range used to designate devices as allowed: 1. Select Security > Access Point Intrusion Detection from the main tree menu. 2. Click the Configuration tab. 3.
6-6 Motorola RF Switch System Reference Guide 7. Refer to the Status field for the current state of the requests made from the applet. This field displays error messages if something goes wrong in the transaction between the applet and the switch. 8. Click OK to apply the changes to the running configuration and close the dialog. 9. Click Cancel to close the dialog without committing updates to the running configuration. 6.2.
Switch Security 6-7 5. Click on the Export button to export the contents of the table to a Comma Separated Values file (CSV). 6.2.3 Unapproved APs (AP Reported) Use the Unapproved APs (AP Reported) tab to review Access Points that were detected by the switch's associated Access Port radios and are restricted from operation within the switch managed network. The criteria for restriction were defined using the Security > Access Port Intrusion Detection > Configuration screen.
6-8 Motorola RF Switch System Reference Guide 4. The Number of Unapproved APs is the sum of all unapproved radio MAC addresses detected. 5. If a radio’s MAC address is listed incorrectly, highlight the MAC Address and click the Allow button. Assign an Index and define the required device address information to move the device into the list of approved Access Point MAC addresses. The number of Unapproved APs updates accordingly as devices are added and removed. 6.
Switch Security 6-9 4. The Number of Unapproved APs is the sum of all unapproved radio MAC addresses detected. 5. Click the Export button to export the contents of the table to a Comma Separated Values file (CSV). 6.2.5 AP Containment Use the rogue AP Containment feature to provide protection from rogue Access Points by disrupting traffic to mobile units associated with the Rogue AP and preventing new mobile units from associating to the Rogue AP.
6-10 Motorola RF Switch System Reference Guide 7. To remove an AP from the rogue AP table, select that AP and click the Delete button. 6.3 MU Intrusion Detection Unauthorized attempts by MUs to access the switch managed LAN are a significant threat to the network, and one that is very pervasive currently. The switch has several means to protect against threats from MUs trying to find network vulnerabilities.
Switch Security 6-11 4. Refer to the Violation Parameters field to define threshold values that trigger an alarm: Violation Type Displays the name of the violation for which threshold values are set in the MU, radio and switch columns. Mobile Unit Set the MU threshold value for each violation type. If exceeded, the MU will be filtered and displayed within the Filtered MUs screen. For non-threshold violations, setting the value to 1 enables detection.
6-12 Motorola RF Switch System Reference Guide 6.3.2 Viewing Filtered MUs Periodically check the Filtered MUs tab to review MUs filtered by the switch for incurring a violation based on the settings defined within the Configuration tab. Each MU listed can be deleted from the list or its attributes exported to a user defined location. To view status of those MUs filtered using the settings defined within the Configuration tab: 1. Select Security > Mobile Unit Intrusion Detection from the main tree menu. 2.
Switch Security 6-13 Violation Type Displays the reason the violation occurred for each detected MU. Use the Violation Type to discern whether the detected MU is truly a threat on the switch managed network (and must be removed) or can be interpreted as a non threat. The following violation types are possible: • Excessive Probes • Excessive Association • Excessive Disassociation • Excessive Authentication failure • Excessive Crypto replays • Excessive 802.
6-14 Motorola RF Switch System Reference Guide applied ACLs to verify the packet has the required permissions to be forwarded, based on the criteria specified in the access lists. NOTE: If a packet does not meet any of the criteria specified in the ACL, the packet is dropped. Use the Wireless Firewall screen to view, add and configure access control configurations. Typically, an ACL consists of a series of entries, each called an Access Control Entry (ACE).
Switch Security 6-15 6.4.1.1 Router ACLs Router ACLs are applied to Layer 3 or VLAN interfaces. If an ACL is already applied in a particular direction on an interface, applying a new one will replace the existing ACL. Router ACLs are applicable only if the switch acts as a gateway, and traffic is inbound only. The switch supports two types of Router ACLs: • Standard IP ACL—Uses the source IP address as matching criteria.
6-16 Motorola RF Switch System Reference Guide • Extended IP ACL— Uses a source IP address, destination IP address and IP protocol type as basic matching criteria. It can also include other parameters specific to a protocol type, like the source and destination ports for TCP/UDP protocols. • MAC Extended ACL— Uses source and destination MAC addresses and VLAN ID. It can optionally also use Ethertype information. Port ACLs are also stateful and are not applied on every packet switched through the switch.
Switch Security 6-17 In general, a Wireless-LAN ACL can be used to filter wireless to wireless, wireless to wired and wired to wireless traffic. Typical wired to wired traffic can be filtered using a Layer 2 port based ACL rather than a WLAN ACL. Each WLAN is assumed to be a virtual Layer 2 port. Configure one IP and one MAC ACL on the virtual WLAN port. In contrast to Layer 2 ACLs, a WLAN ACL can be enforced on both the Inbound and Outbound direction. 6.4.1.
6-18 Motorola RF Switch System Reference Guide 6.4.2 Configuring the Firewall Configure the Firewall to create either standard/extended IP or extended MAC access control lists. To configure the Firewall: 1. Select Security > Wireless Firewall from the main tree menu. 2. Select the Configuration tab. 3. Select the ACL tab. 4. Add a new ACL entry as explained in Adding a New ACL on page 6-19. 5.
Switch Security 6-19 6.4.2.1 Adding a New ACL When a packet is received by the switch, the switch compares the packet against the ACL to verify the packet has the required permissions to be forwarded. Often, ACLs need to be added as client permission changes during switch operation. To create a new ACL: 1. Select Security > Wireless Firewall from the main tree menu. 2. Click the Configuration tab. 3. Click on the ACL tab to view the list of ACLs currently associated with the switch. 4.
6-20 Motorola RF Switch System Reference Guide 4. Click the Add button within the Associated Rules field. 5. Use the Precedence field to enter a precedence (priority) value between 1 and 5000. The rules within an ACL will be applied to packets based on their precedence value. Rules with lower precedence are always applied first. NOTE: If adding an access control entry to an ACL using the switch SNMP interface, Precedence is a required parameter. 6.
Switch Security 6-21 6.4.2.3 Editing an Existing Rule As network and access permission requirements change, existing ACL rules need to be modified to be relevant with new client access requests. To modify an existing ACL rule: 1. Select Security > Wireless Firewall from the main tree menu. 2. Click the Configuration tab. 3. Click the ACL tab. 4. Select an ACL from the ACLs field. The rules associated with the selected ACL display in the Associated Rules section. 5.
6-22 Motorola RF Switch System Reference Guide 10. From the Filters field, enter the Source Address where the packets are sourced. 11. Select a Source Wildcard/Mask from the drop-down menu. The Source Wildcard/Mask is the size of the network or host (in mask format). The mask length defines a match based on the Network / Host. NOTE: If an Extended IP ACL is used, a Destination Wildcard/Mask and Destination Address are required. 12. Refer to the Status field for the state of the requests made from the applet.
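The rule semantics spread over the preceding pages (standard versus extended IP ACLs, precedence values from 1 to 5000 applied lowest first, source and destination addresses with a mask, and the NOTE on page 6-14 that a packet matching no entry is dropped) are easier to reason about as an evaluator. What follows is an added example written for this guide, not the switch's firewall code: it evaluates a constructed packet against a constructed ACL in precedence order with an implicit deny, and runs the configuration checks a reviewer would want (precedence range, duplicate precedence, and an entry shadowed by an earlier, broader permit-or-deny-anything entry). The `Rule` and `Packet` fields are a simplification of the Web UI fields; both netmask and wildcard ("host mask") notation are accepted because Python's `ipaddress` module understands either for IPv4.

```python
"""ACL evaluation with precedence ordering and implicit deny (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    precedence: int              # 1-5000; lower values are applied first
    action: str                  # "permit" or "deny"
    src: str                     # source network, e.g. "10.1.0.0/255.255.0.0"
    dst: str = "0.0.0.0/0"       # extended IP ACLs add a destination
    proto: Optional[str] = None  # "tcp", "udp", ... or None for any protocol
    dport: Optional[int] = None  # destination port (TCP/UDP only), None for any


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


def _net(spec: str) -> ipaddress.IPv4Network:
    # ipaddress accepts "/255.255.0.0" (netmask) and "/0.0.255.255" (wildcard)
    return ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """All configured fields of the rule must match; unset fields match anything."""
    if ipaddress.ip_address(pkt.src) not in _net(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in _net(rule.dst):
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(rules, pkt: Packet) -> str:
    """The first matching entry in precedence order decides; no match means deny."""
    for rule in sorted(rules, key=lambda r: r.precedence):
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"  # implicit deny: the page's NOTE says such packets are dropped


def validate_acl(rules) -> list:
    """Configuration problems: precedence out of range, duplicate precedence,
    and entries that can never match because an earlier entry with no
    protocol/port restriction already covers their address ranges."""
    problems, seen = [], set()
    for r in rules:
        if not 1 <= r.precedence <= 5000:
            problems.append(f"rule {r.precedence}: precedence out of range 1-5000")
        if r.precedence in seen:
            problems.append(f"rule {r.precedence}: duplicate precedence")
        seen.add(r.precedence)
    ordered = sorted(rules, key=lambda r: r.precedence)
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if (earlier.proto is None and earlier.dport is None
                    and _net(later.src).subnet_of(_net(earlier.src))
                    and _net(later.dst).subnet_of(_net(earlier.dst))):
                problems.append(f"rule {later.precedence} is shadowed by rule {earlier.precedence}")
                break
    return problems


# Constructed sample ACL: block telnet from one subnet into the server VLAN,
# allow the rest of that site, allow a second site given in wildcard notation.
SAMPLE_RULES = [
    Rule(10, "deny", "10.1.5.0/255.255.255.0", dst="10.2.0.0/255.255.0.0", proto="tcp", dport=23),
    Rule(20, "permit", "10.1.0.0/255.255.0.0", dst="10.2.0.0/255.255.0.0"),
    Rule(30, "permit", "192.168.0.0/0.0.255.255"),
]


if __name__ == "__main__":
    print(evaluate(SAMPLE_RULES, Packet("10.1.5.7", "10.2.0.9", "tcp", 23)))
    print(validate_acl(SAMPLE_RULES))
```

Because `evaluate` sorts by precedence, the order in which entries were added in the Web UI does not matter, only the precedence value does; the shadow check catches the common mistake of adding a specific deny after a broad permit with a lower precedence number.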
Switch Security 6-23 4. Refer to the following information as displayed within the Attach-WLAN tab: WLAN Index Displays the list of WLANs attached with ACLs. IP ACL Displays the IP ACL configured. MAC ACL Displays the MAC ACL configured. Direction Displays whether the WLAN ACL is configured to work in an inbound or outbound direction. 5. Select a WLAN (by row) and click Edit to modify the WLAN Index, IP ACL and MAC ACL values. 6.
6-24 Motorola RF Switch System Reference Guide 6.4.4 Attaching an ACL Layer 2/Layer 3 Configuration Use the Attach-L2/L3 screen to view and assign the ACL to a physical interface or VLAN. To attach an interface: 1. Select Security > Wireless Firewall from the main menu tree. 2. Click the Security Policy tab. 3. Click the Attach-L2/L3 tab. 4. Refer to the following information as displayed within the Attach tab: Interface The interface to which the switch is configured.
Switch Security 6-25 2. Click the Security Policy tab. 3. Click the Attach-L2/L3 tab. 4. Click the Add button. 5. Use the Interface drop-down menu to select the interface to configure on the switch. Available options include – ge 1-8, up 1, VLAN 1 (plus those VLANs created thus far) and Tunnel n (where n equals the name(s) of those tunnels created thus far). 6. Use the IP ACL drop-down menu to select an IP ACL used as the inbound IP ACL for the layer 2 or layer 3 interface. 7.
6-26 Motorola RF Switch System Reference Guide 3. Click the Attach Role tab. 4. Refer to the following information as displayed within the Attach Role tab: Role Priority Displays the priority assigned to the role as determined by the Sequence Number associated with the role. Role Name Displays the role name assigned to each role. Role names are assigned when they are added from the Security > Wireless Firewall > Configuration > Role tab.
Switch Security 6-27 4. Click the Add button. 5. Select a Role Name from the drop-down menu. Role Names can be added in the Configuration > Role tab. 6. Use the ACL drop-down menu to select an ACL to associate with the Role Name. 7. Select Inbound or Outbound to apply the new role to the appropriate interface. 8. Set a Precedence level for the ACL. The valid range is between 1 and 100, with lower precedence numbers getting higher priority. 9.
6-28 Motorola RF Switch System Reference Guide 3. Click the Role tab. 4. The Role configuration screen displays the following information: Sequence Number Displays the sequence number associated with each role. Sequence numbers determine the order in which roles are applied. Roles with lower sequence numbers are applied before those with higher sequence numbers. Sequence numbers are assigned when a role is created and cannot be edited. Role Name Displays the name of each role.
Switch Security 6-29 1. Select Security > Wireless Firewall from the main tree menu. 2. Click the Configuration tab. 3. Click the Role tab. 4. Click the Add button. 5. To create a new role, configure the following information: Sequence Number Enter a sequence number to be associated with each role. Sequence numbers determine the order in which roles are applied. Roles with lower sequence numbers are applied before those with higher sequence numbers.
6-30 Motorola RF Switch System Reference Guide ESSID Select an ESSID filter, if any, to apply to the role.
Switch Security 6-31 be selected from those available and edited or deleted. Additionally, a new filter can be added if an existing filter does not adequately express the MU’s address range required. To display the Wireless Filters main page: 1. Select Security > Wireless Firewall from the main menu tree. 2. Click on the Security Policy tab. 3. Click on the Wireless Filters tab. 4.
6-32 Motorola RF Switch System Reference Guide 7. Click the Add button to create a new filter. For more information, see Adding a new Wireless Filter on page 6-33. 8. Click the Memberships button to display a screen wherein a selected index can be added to one or more existing WLANs. For more information, see Associating an ACL with a WLAN on page 6-34. 9. Click on the Export button to export the contents of the table to a Comma Separated Values file (CSV). 6.4.
Switch Security 6-33 9. To associate a zone with the ACL select a Zone ID from the drop-down menu. Zone numbers range from 1 to 48. Creating zones allows you to associate firewall policies to each zone. All members of the same zone will have the same firewall policies applied to them. It should be set to an ID only if locationing is enabled, otherwise it should be set to not in use. 10. Use the drop-down menu to select Allow or Deny.
6-34 Motorola RF Switch System Reference Guide 7. Enter the hex value for the Ending MAC address. Enter the same Starting MAC address within the Ending MAC field to use only the Starting MAC address as either allowed or denied access to the switch managed network. 8. To modify the zone associated with the ACL select a Zone ID from the drop-down menu. Zone numbers range from 1 to 48. Creating zones allows you to associate firewall policies to each zone.
Switch Security 6-35 6. Select the box to the right of each WLAN you want associated with the ACL. Selecting a WLAN maps it to the MAC address range and the allow or deny designation assigned to it. Consequently, be sure you are not restricting MU traffic for a WLAN that requires those MAC addresses to interact with the switch. 7. Refer to the Status field for the state of the requests made from the applet.
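The wireless filter described on pages 6-33 to 6-35 is a MAC address range (Starting MAC to Ending MAC, or a single address when both are the same) with an Allow or Deny designation, mapped onto one or more WLANs. The following added example, written for this guide and not the switch's own code, models that lookup and adds the check the warning above calls for: two filters on the same WLAN whose ranges overlap but whose designations differ. The filter entries and MAC addresses are constructed (locally administered 02-xx addresses); evaluating filters in index order and returning `None` when no filter applies are assumptions of this model, since the page does not state what the switch does in that case.

```python
"""Wireless (MAC range) filter lookup and conflict check (added example)."""
from dataclasses import dataclass
from typing import Optional


def mac_to_int(mac: str) -> int:
    """Accepts 'AA-BB-CC-DD-EE-FF', 'aa:bb:cc:dd:ee:ff' or 'aabbccddeeff'."""
    digits = mac.replace("-", "").replace(":", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits, 16)


@dataclass(frozen=True)
class WirelessFilter:
    index: int
    start_mac: str
    end_mac: str        # equal to start_mac to filter exactly one address
    action: str         # "allow" or "deny"
    wlans: frozenset    # WLAN indexes this filter is associated with

    def bounds(self) -> tuple:
        lo, hi = mac_to_int(self.start_mac), mac_to_int(self.end_mac)
        if lo > hi:
            raise ValueError(f"filter {self.index}: Starting MAC is above Ending MAC")
        return lo, hi

    def covers(self, mac: str) -> bool:
        lo, hi = self.bounds()
        return lo <= mac_to_int(mac) <= hi


def decide(filters, wlan: int, mac: str) -> Optional[str]:
    """'allow' or 'deny' from the lowest-index filter on this WLAN whose range
    contains mac; None when no filter on the WLAN applies (assumed semantics)."""
    for f in sorted(filters, key=lambda f: f.index):
        if wlan in f.wlans and f.covers(mac):
            return f.action
    return None


def conflicting_filters(filters) -> list:
    """Pairs of filter indexes that share a WLAN, overlap in MAC range and
    disagree on allow/deny; the lower index silently wins in decide()."""
    found = []
    ordered = sorted(filters, key=lambda f: f.index)
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            if a.action == b.action or not (a.wlans & b.wlans):
                continue
            a_lo, a_hi = a.bounds()
            b_lo, b_hi = b.bounds()
            if a_lo <= b_hi and b_lo <= a_hi:
                found.append((a.index, b.index))
    return found


# Constructed sample: allow a whole block on WLANs 1 and 2, but deny one
# specific address on WLAN 2 (Starting MAC == Ending MAC).
SAMPLE_FILTERS = [
    WirelessFilter(1, "02-AA-BB-00-00-00", "02-AA-BB-FF-FF-FF", "allow", frozenset({1, 2})),
    WirelessFilter(2, "02-AA-BB-12-34-56", "02-AA-BB-12-34-56", "deny", frozenset({2})),
]


if __name__ == "__main__":
    print(decide(SAMPLE_FILTERS, 2, "02:aa:bb:12:34:56"), conflicting_filters(SAMPLE_FILTERS))
```

In the sample the single-address deny on WLAN 2 is overridden by the broader allow with the lower index, which is exactly the situation `conflicting_filters` flags; run that check after editing filters rather than discovering the overlap from an MU that should have been blocked.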
6-36 Motorola RF Switch System Reference Guide 4. The L2 tab contains the following information: Interface Name Displays the interface associated with the Layer 2 firewall. Available Layer 2 interfaces are ge 1-8 and up1. ARP Rate Displays the Address Resolution Protocol (ARP) rate. Rates can be between 1 and 1000000. DHCP Trust Displays whether or not the DHCP servers configured on the switch are trusted by the Layer 2 firewall.
Switch Security 6-37 6.4.11.1 Port Level Configuration To configure new Layer 2 firewall rules: 1. Select Security > Wireless Firewall from the main tree menu. 2. Click the Configuration tab. 3. Click the L2 tab. 4. Click the Add button. 5. Configure the following values for each new Layer 2 configuration: Interface Name Assign the interface to be associated with the Layer 2 firewall. Available Layer 2 interfaces are ge 1-8 and up1. ARP Rate Specify the Address Resolution Protocol (ARP) rate.
6-38 Motorola RF Switch System Reference Guide Multicast Storm Threshold Configure the Multicast Storm Threshold for each interface. When the rate of multicast packets exceeds the high threshold configured for an interface, packets are throttled till the rate falls below the configured rate. Thresholds are configured in terms of packets per second. The threshold range is 1-1000000 packets per second. Unknown Unicast Storm Configure the Unknown Unicast Storm Threshold for each interface.
Switch Security 6-39 WLAN Index Displays the WLAN index number. This number is configured on the wireless LAN configuration page. Broadcast Storm Threshold Displays the Broadcast Storm Threshold for each interface. When the rate of broadcast packets exceeds the high threshold configured for an interface, packets are throttled till the rate falls below the configured rate. Thresholds are configured in terms of packets per second. The threshold range is 0-1000000 packets per second.
6-40 Motorola RF Switch System Reference Guide DHCP Trust Displays whether the interface is DHCP trusted. If the interface is DHCP trusted, DHCP requests are forwarded to the external DHCP server; otherwise they are not. Internal DHCP servers are always trusted. A DHCP trusted interface is marked with a GREEN check and an untrusted interface with a RED “X”. ARP Trust Displays whether or not ARP is trusted by the Layer 2 firewall.
Switch Security 6-41 5. To create a new WLAN Firewall rule configure the following information: WLAN Index Select a WLAN index number from the drop-down menu. This number is configured on the wireless LAN configuration page. Broadcast Storm Threshold Enter the Broadcast Storm Threshold for each interface. When the rate of broadcast packets exceeds the high threshold configured for an interface, packets are throttled till the rate falls below the configured rate.
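Two threshold mechanisms in this chapter share the same shape: the MU intrusion violation thresholds on page 6-11 (an MU is filtered once its count of a violation type exceeds the configured value; a value of 1 enables detection for non-threshold violations) and the L2/WLAN storm thresholds on pages 6-38 to 6-41 (packets are throttled once the packets-per-second rate exceeds the threshold, until the rate falls below it again). The following added example, written for this guide rather than taken from the switch firmware, implements both as plain logic so the difference is visible: the storm control is a hysteresis state that stays throttled at exactly the threshold rate, while the violation tracker counts events per MU in a sliding window. The 0-1000000 pps range follows the page; the counting window length, the "reaches the threshold" comparison and all event samples are constructed assumptions.

```python
"""Storm-threshold throttling and MU violation thresholds (added example)."""
from collections import defaultdict, deque

MAX_PPS = 1_000_000   # upper end of the storm threshold ranges on this page


class StormThrottle:
    """Per-interface storm control: enter the throttled state when the packet
    rate exceeds the threshold, leave it only once the rate falls below the
    threshold again (a rate exactly at the threshold stays throttled)."""

    def __init__(self, threshold_pps: int):
        if not 0 <= threshold_pps <= MAX_PPS:
            raise ValueError(f"threshold must be 0-{MAX_PPS} pps")
        self.threshold = threshold_pps
        self.throttled = False

    def update(self, pps: int) -> bool:
        """Feed one per-second rate sample; returns True while packets are throttled."""
        if not self.throttled and pps > self.threshold:
            self.throttled = True
        elif self.throttled and pps < self.threshold:
            self.throttled = False
        return self.throttled


class ViolationTracker:
    """Counts violation events per (MU, violation type) inside a sliding window
    and reports when the MU should be filtered. A threshold of 0 disables
    detection for that type; 1 flags the first event (constructed assumption)."""

    def __init__(self, thresholds: dict, window_s: float = 60.0):
        self.thresholds = thresholds
        self.window_s = window_s
        self._events = defaultdict(deque)   # (mu_mac, vtype) -> event timestamps

    def record(self, mu_mac: str, vtype: str, ts: float) -> bool:
        q = self._events[(mu_mac, vtype)]
        q.append(ts)
        while q and q[0] <= ts - self.window_s:   # forget events outside the window
            q.popleft()
        limit = self.thresholds.get(vtype, 0)
        return limit > 0 and len(q) >= limit


def demo_storm() -> list:
    """Constructed per-second broadcast rates against a 500 pps threshold."""
    control = StormThrottle(threshold_pps=500)
    return [control.update(pps) for pps in (100, 700, 600, 500, 300, 200)]


def demo_violations() -> set:
    """Constructed MU events (ts, mac, type); returns the MUs that get filtered."""
    tracker = ViolationTracker({"Excessive Probes": 5,
                                "Excessive Authentication failure": 3}, window_s=10)
    events = [(t, "00:11:22:33:44:55", "Excessive Probes") for t in range(1, 6)]
    events += [(2, "66:77:88:99:aa:bb", "Excessive Authentication failure"),
               (3, "66:77:88:99:aa:bb", "Excessive Authentication failure"),
               (30, "66:77:88:99:aa:bb", "Excessive Authentication failure")]
    filtered = set()
    for ts, mu, vtype in sorted(events):
        if tracker.record(mu, vtype, ts):
            filtered.add(mu)
    return filtered


if __name__ == "__main__":
    print(demo_storm(), demo_violations())
```

In the storm sample the interface stays throttled through the 500 pps reading because the page's rule releases throttling only when the rate falls below the threshold; in the violation sample the second MU's three authentication failures never fall inside one window, so it is not filtered.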
2. Click the Configuration tab.
3. Click the DoS Attack tab.
4. The DoS Attack tab contains the following information:
Type: Displays the Denial of Service attack type. The switch currently supports enabling or disabling 28 types of DoS attack filters.
Check Enabled: This field shows a green checkmark next to the Denial of Service attack filters that are enabled on the switch firewall.

Attack Count: Displays the number of times each DoS attack has been observed by the switch firewall. Clicking the Clear Stats button on this page resets all Attack Counts to 0.
Last Occurrence: Displays the amount of time since each DoS attack was last observed by the switch firewall. Clicking the Clear Stats button on this page resets all Last Occurrence timers to 0:00:00.00.
5.

4. Select the Syslog logging levels for each of the following log types:
ARP Log: The ARP Log field displays the level of Syslog logging enabled for excessive ARP on an interface. The logging level uses the standard Syslog levels:
• Emergency
• Alert
• Critical
• Error
• Warning
• Notice
• Info
• Debug
• None
To change the logging level, click the specific field and choose the logging level from the drop-down menu.

Multicast Log: The Multicast Log field displays the level of Syslog logging enabled for excessive multicast on an interface. The logging level uses the same standard Syslog levels. To change the logging level, click the specific field and choose the logging level from the drop-down menu.
Unknown Unicast Log: The Unknown Unicast Log field displays the level of Syslog logging enabled for excessive unknown unicasts on an interface.

Protocol: Displays the permit, deny or mark designation for the ACL. If the action is mark, the packet is tagged for priority or type of service.
Low Source IP: Displays the Low Source IP address (lowest address in the available range) from which the packets are sourced.
High Source IP: Displays the High Source IP address (highest address in the available range) from which the packets are sourced.
Low Destination IP: Displays the Low Destination IP address (lowest address in the available range).

MAC Address: Displays the MAC address of each DHCP Client, DHCP Server or Router in the table.
Type: Displays the type of each DHCP Snoop Entry. Available entry types include:
• DHCP Client
• DHCP Server
• Router
• DHCP Server Router
• DHCP Client Router
Lease Time: Displays the remaining DHCP Lease Time for each entry in the table.
Ingress Source: Displays the MU port number for each entry in the table.
6.4.15.
6.5 Configuring NAT Information
Network Address Translation (NAT) provides the translation of an Internet Protocol (IP) address within one network to a different, known IP address within another network. One network is designated as the private network, while the other is public. NAT provides a layer of security by translating private (local) network addresses to one or more public IP addresses.

3. Refer to the following information as displayed within the Dynamic Translation tab.
Type: Displays the NAT type as either:
• Inside - Applies NAT to packets arriving on interfaces marked as inside. These interfaces should be private networks not accessible from outside (public) networks.
• Outside - Applies NAT to packets arriving on interfaces marked as outside. These switch interfaces should be public or outside networks accessible from anywhere on the Internet.

6. Click the Add button to display a screen to create a new NAT configuration and add it to the list of available configurations. For more information, see Adding a New Dynamic NAT Configuration on page 6-50.
6.5.1.1 Adding a New Dynamic NAT Configuration
If the existing NAT configurations displayed within the Configuration tab prove unsuitable for translation, consider creating a new one. To define a new NAT configuration:
1.

9. Click OK to apply the changes to the running configuration and close the dialog.
10. Click Cancel to close the dialog without committing updates to the running configuration.
6.5.2 Defining Static NAT Translations
Static NAT creates a permanent, one-to-one mapping between an address on an internal network and a perimeter or external network.

3. Refer to the following information as displayed within the Static Translation tab.
Type: Displays the NAT type as either:
• Inside - The set of networks subject to translation. These are the internal addresses you are trying to prevent from being exposed to the outside world.
• Outside - All other addresses, usually valid addresses located on the Internet. Outside addresses pose no risk if exposed over a publicly accessible network.

3. Click the Add button.
4. Define the NAT Type from the drop-down menu. Options include:
• Inside - The set of networks subject to translation. These are the internal addresses you are trying to prevent from being exposed to the outside world.
• Outside - All other addresses (usually valid addresses located on the Internet). Outside addresses pose no risk if exposed over a publicly accessible network.
5. Define the NAT Direction from the drop-down menu.
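The difference between the static and dynamic translations described above, as an added Python model (not switch code): static entries are permanent one-to-one mappings between an inside (local) and an outside (global) address, dynamic translation hands out global addresses from a pool as inside hosts send traffic, and inbound packets from the outside are only translated when a mapping exists. All addresses are constructed from the RFC 5737 documentation ranges; dynamic entries here accept return traffic without per-flow tracking, a simplification.

```python
"""Inside/outside NAT translation with static and dynamic entries."""
from ipaddress import ip_address, ip_network


class NatTable:
    def __init__(self, inside_networks, global_pool):
        # "Inside": the set of networks subject to translation.
        self.inside = [ip_network(n) for n in inside_networks]
        self.pool = list(global_pool)  # free outside (global) addresses
        self.static = {}   # local -> global, permanent and one-to-one
        self.dynamic = {}  # local -> global, allocated on demand
        self.reverse = {}  # global -> local, for both kinds of entry

    def is_inside(self, addr):
        ip = ip_address(addr)
        return any(ip in net for net in self.inside)

    def add_static(self, local, global_addr):
        """Create a permanent one-to-one mapping for an inside address."""
        if not self.is_inside(local):
            raise ValueError(f"{local} is not in an inside network")
        if local in self.static or global_addr in self.reverse:
            raise ValueError("static NAT entries must be one-to-one")
        if global_addr in self.pool:
            self.pool.remove(global_addr)  # never hand it out dynamically
        self.static[local] = global_addr
        self.reverse[global_addr] = local

    def translate(self, packet, arriving_on):
        """Rewrite a (src, dst) pair for a packet arriving on an 'inside' or
        'outside' interface. Returns the new pair, the unchanged pair when the
        packet is not subject to translation, or None when it must be dropped."""
        src, dst = packet
        if arriving_on == "inside":
            if not self.is_inside(src):
                return packet  # not part of the inside networks
            global_addr = self.static.get(src) or self.dynamic.get(src)
            if global_addr is None:
                if not self.pool:
                    return None  # pool exhausted: no translation available
                global_addr = self.pool.pop(0)
                self.dynamic[src] = global_addr
                self.reverse[global_addr] = src
            return (global_addr, dst)
        if arriving_on == "outside":
            local = self.reverse.get(dst)
            if local is None:
                return None  # no mapping: unsolicited inbound traffic is dropped
            return (src, local)
        raise ValueError("arriving_on must be 'inside' or 'outside'")


def build_sample_table():
    """Constructed table: one static entry and a two-address dynamic pool."""
    nat = NatTable(["192.0.2.0/24"], ["203.0.113.1", "203.0.113.2"])
    nat.add_static("192.0.2.10", "203.0.113.1")
    return nat


if __name__ == "__main__":
    nat = build_sample_table()
    print(nat.translate(("192.0.2.20", "198.51.100.7"), "inside"))
    print(nat.translate(("198.51.100.7", "203.0.113.2"), "outside"))
```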
13. Click Cancel to close the dialog without committing updates to the running configuration.
6.5.3 Configuring NAT Interfaces
The NAT Interface is the VLAN used to route switch data traffic between the source and destination address locations within the switch-managed network. Any of the default VLANs is available as the NAT interface, in addition to any other VLANs created. In addition to selecting the VLAN, specify the Inside or Outside NAT type.

6. If modifying an existing interface is not a valid option, consider configuring a new interface. To define a new NAT interface:
a. Click the Add button from within the Interfaces tab.
b. Use the Interface drop-down menu to select the VLAN used as the communication medium between the switch-managed network and its destination (within the insecure outside world).
c.

2. Click the Status tab.
3. Refer to the following to assess the validity and total number of NAT translation configurations available to the switch.
Inside-Global: Displays the internal global pool of addresses (allocated out of the switch's private address space but relevant to the outside) you are trying to prevent from being exposed to the outside world.

6.6 Configuring IKE Settings
IKE (also known as ISAKMP) is the negotiation protocol that enables two hosts to agree on how to build an IPSec security association. To configure the security appliance for virtual private networks, set global IKE parameters that apply system-wide and define the IKE policies peers negotiate to establish a VPN tunnel. IKE is an IPSec standard protocol used to secure VPN negotiation and remote host or network access.

During IKE negotiations, peers must identify themselves to one another, so the configuration you define is the identification medium for device recognition.
3. Set a Keep Alive interval (in seconds) the switch uses to monitor the continued presence of a peer and to report the client's continued presence. The client notifies you when the peer is no longer present. The default interval is 10 seconds.
4.

9. If the properties of an existing peer (IP address, key and aggressive mode designation) are no longer relevant and cannot be edited, click the Add button to create a new pre-shared key.
a.
An IKE policy matches when both peers have the same encryption, hash, authentication and Diffie-Hellman settings. The SA lifetime must also be less than or equal to the lifetime in the policy sent. If the lifetimes do not match, the shorter lifetime applies. If no match exists, IKE refuses negotiation. To view the current set of IKE policies:
1. Select Security > IKE Settings from the main menu tree.
2. Click the IKE Policies tab.
3.

Authentication Type: Displays the authentication scheme used to validate the identity of each peer. Pre-shared keys do not scale well with a growing network but are easier to maintain in a small network. Options include:
• Pre-shared Key - Uses pre-shared keys.
• RSA Signature - Uses a digital certificate with keys generated by the RSA signatures algorithm.
SA Lifetime (sec.): Displays an integer for the SA lifetime. The default is 60 seconds.

6. If the properties of an existing policy are no longer relevant and cannot be edited to be useful, click the Add button to define a new policy.
a. Configure a set of attributes for the new IKE policy:
Sequence Number: Define the sequence number for the IKE policy. The available range is from 1 to 10,000, with 1 being the highest priority value.
Encryption: Set the encryption method used to protect the data transmitted between peers.
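The matching rule stated above (same encryption, hash, authentication and Diffie-Hellman settings; the shorter lifetime applies; no match means IKE refuses), worked through as an added Python model that is not switch code. Policies are tried in sequence-number order with 1 as the highest priority and the 60 second default lifetime from the guide; the algorithm names and group numbers in the sample policies are constructed.

```python
"""IKE policy matching between a local policy set and a peer's proposals."""
from dataclasses import dataclass

SEQ_MIN, SEQ_MAX = 1, 10_000     # sequence number range quoted in the guide
DEFAULT_SA_LIFETIME = 60         # seconds, the default quoted in the guide
AUTH_TYPES = ("pre-shared-key", "rsa-signature")


def seq_is_valid(seq):
    return SEQ_MIN <= seq <= SEQ_MAX


@dataclass(frozen=True)
class IkePolicy:
    seq: int                  # 1 is the highest priority
    encryption: str           # constructed names, e.g. "aes-256"
    hash: str                 # constructed names, e.g. "sha1"
    authentication: str       # one of AUTH_TYPES
    dh_group: int             # Diffie-Hellman group number
    sa_lifetime: int = DEFAULT_SA_LIFETIME

    def __post_init__(self):
        if not seq_is_valid(self.seq):
            raise ValueError(f"sequence number {self.seq} outside {SEQ_MIN}-{SEQ_MAX}")
        if self.authentication not in AUTH_TYPES:
            raise ValueError(f"unknown authentication type {self.authentication!r}")

    def matches(self, other):
        """True when the four negotiated attributes are identical."""
        mine = (self.encryption, self.hash, self.authentication, self.dh_group)
        theirs = (other.encryption, other.hash, other.authentication, other.dh_group)
        return mine == theirs


def negotiate(local_policies, peer_policies):
    """Return (local_seq, peer_seq, lifetime) for the first match, or None.

    Local policies are tried highest priority first (lowest sequence number);
    for each, the peer's proposals are scanned in the peer's own priority
    order. Lifetimes need not be identical: the shorter one applies. With no
    match at all, IKE refuses the negotiation (None).
    """
    for local in sorted(local_policies, key=lambda p: p.seq):
        for remote in sorted(peer_policies, key=lambda p: p.seq):
            if local.matches(remote):
                return local.seq, remote.seq, min(local.sa_lifetime, remote.sa_lifetime)
    return None


# Constructed policy sets. The peer's top proposal is only acceptable under
# the lower-priority local policy, and carries a shorter lifetime.
LOCAL_POLICIES = [
    IkePolicy(1, "aes-256", "sha1", "rsa-signature", 5, sa_lifetime=86400),
    IkePolicy(10, "3des", "md5", "pre-shared-key", 2, sa_lifetime=3600),
]
PEER_PROPOSALS = [
    IkePolicy(1, "3des", "md5", "pre-shared-key", 2, sa_lifetime=600),
    IkePolicy(5, "aes-128", "sha1", "pre-shared-key", 2),
]

if __name__ == "__main__":
    print(negotiate(LOCAL_POLICIES, PEER_PROPOSALS))  # (10, 1, 600)
```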
b. Refer to the Status field for the state of the requests made from the applet. This field displays error messages if something goes wrong in the transaction between the applet and the switch.
c. Click OK to apply the changes to the running configuration and close the dialog.
d. Click Cancel to close the dialog without committing updates to the running configuration.
6.6.

4. Select an index and click the Details button to display a more detailed set of statistics for the selected index. Use this information to discern whether changes to an existing IKE configuration are warranted or a new configuration is required.
5. Click the Stop Connection button to terminate statistic collection for the selected IKE peer.
6.7 Configuring IPSec VPN
Use IPSec Virtual Private Network (VPN) to define secure tunnels between two peers.

With manually established security associations, there is no negotiation with the peer; both sides must specify the same transform set. If you change a transform set definition, the change is applied only to Crypto Map entries that reference the transform set. The change is not applied to existing security associations, but is used in subsequent negotiations to establish new security associations.

2. Click the Configuration tab.
3. Refer to the Configuration field to define the following:
SA Lifetime (secs): For IKE-based security associations, define an SA Lifetime (in seconds) forcing the periodic expiration and re-negotiation of peer credentials, thus continually validating the peer relationship. The default value is 3600 seconds.
ESP Encryption Scheme: Displays the ESP Encryption Transform used with the index. Options include:
• None - No ESP encryption is used with the transform set.
• ESP-DES - ESP with the 56-bit DES encryption algorithm.
• ESP-3DES - ESP with the 3DES encryption algorithm.
• ESP-AES - ESP with the AES encryption algorithm (128-bit key).
• ESP-AES 192 - ESP with the AES encryption algorithm (192-bit key).

4. Revise the following information as required to render the existing transform set useful.
Name: The name is read-only and cannot be modified unless a new transform set is created.
AH Authentication Scheme: Select the Use AH checkbox (if necessary) to modify the AH Transform Authentication scheme. Options include:
• None - No AH authentication is used.
• AH-MD5-HMAC - AH with the MD5 (HMAC variant) authentication algorithm.

4. Define the following information as required for the new transform set.
Name: Create a name describing this new transform set.
AH Authentication Scheme: Select the Use AH checkbox to define the AH Transform Authentication scheme. Options include:
• None - No AH authentication is used.
• AH-MD5-HMAC - AH with the MD5 (HMAC variant) authentication algorithm.
• AH-SHA-HMAC - AH with the SHA (HMAC variant) authentication algorithm.

6.7.2 Defining the IPSec VPN Remote Configuration
Use the IPSec VPN Remote tab to configure the DNS and/or WINS servers used to route packets to the remote end of the IPSec VPN tunnel. The Remote tab is also used to define the IP address range used within the IPSec VPN tunnel and to configure the authentication scheme for user permissions within the IPSec VPN tunnel. To define the IPSec VPN's remote configuration:
1.

Starting IP Address: Enter the numerical IP address used as the starting address for the range defined. If the Ending IP Address is left blank, only the starting address is used for the remote destination.
Ending IP Address: Enter a numerical IP address to complete the range. If the Ending IP Address is blank, only the starting address is used as the destination address.
5. Click the Edit button (within the IP Range tab) to modify the range of existing IP addresses displayed.
6.

2. Select the Authentication tab.
3. Define whether IPSec VPN user authentication is conducted using a Radius server (by selecting the Radius radio button), a user-defined set of names and passwords (by selecting the User Table radio button), or no authentication for credential verification (by selecting the No Authentication radio button).
4. Enter a NAS ID for the NAS port.

8. If you require a new Radius server to be configured, click the Add button. Set this server's designation as a primary or secondary Radius server (using the checkboxes), and define the server IP address, port and shared secret password. Click OK when completed to save the changes.
9. If the User Table checkbox was selected within the Configuration field, select the User Table tab to review the user names and passwords defined for use.
10.
2. Click the Crypto Maps tab and select Crypto Map Entries.
3. Review the following Crypto Map attributes to determine whether an existing Crypto Map requires revision or deletion, or whether a new Crypto Map needs to be created.
Priority / Seq: Displays the numerical priority assigned to each Crypto Map.
Name: Displays the user-assigned name for this specific Crypto Map.

6. Click the Add button to define the attributes of a new Crypto Map.
a. Assign a Seq # (sequence number) to distinguish one Crypto Map from another.
b. Assign the Crypto Map a Name to differentiate it from others with similar configurations.
c. Use the None, Domain Name or Host Name radio buttons to select and enter the fully qualified domain name (FQDN) or host name of the host exchanging identity information.
d.

l. Refer to the Peers (add choices) field and use the Add and Delete functions as necessary to add or remove existing peers. For information on adding or modifying peers, see Crypto Map Peers on page 6-76.
m. Refer to the Transform Sets (select one) field to select and assign a transform set for use with the Crypto Map. Again, a transform set represents a combination of security protocols and algorithms.

a. Define the Seq # /Name for the new peer.
b. Enter the name of the IKE Peer used with the Crypto Map to build an IPSec security association.
7. Click OK to save the configuration of the new Crypto Map peer.
6.7.4.3 Crypto Map Manual SAs
To review, revise or add a Crypto Map using a manually defined security association:
1. Select Security > IPSec VPN from the main menu tree.
2. Click the Crypto Maps tab and select Manual SAs.
3.

IKE Peer: Displays the IKE peer used with the Crypto Map to build an IPSec security association.
ACL ID: Displays the ACL ID the Crypto Map's data flow uses to establish access permissions.
Transform Set: Displays the transform set representing a combination of security protocols and algorithms. During the security association negotiation, peers agree to use a particular transform set for protecting the data flow.
4.

f. Define the In AH SPI and Auth Keys or the In ESP and Cipher Keys, depending on which option has been selected.
g. Use the Transform Set drop-down menu to select the transform set representing a combination of security protocols and algorithms. During the IPSec security association negotiation, peers agree to use the transform set for protecting the data flow. A new manual security association cannot be generated without the selection of a transform set.

a. Select the Seq #/Name.
b. Enter the name of the Transform Set used with the Crypto Map.
7. Click OK when completed to save the configuration of the Crypto Map transform set.
6.7.4.5 Crypto Map Interfaces
To review the interfaces currently available to the Crypto Maps or assign an interface:
NOTE: A Crypto Map cannot be applied to more than one interface at a time.

3. Refer to the following read-only information displayed within the Interfaces tab.
Name: Lists the names of the Crypto Maps available for the interface.
Interface Name: Displays the name of the interface through which IPSec traffic flows.

3. Refer to the following security association data:
Index: Displays the numerical ID (if defined) for the security association. Use the index to differentiate this security association from others with similar configurations.
Local Peer: Displays the name of the local peer at the near side of the VPN connection.
Remote Peer: Displays the name of the remote peer at the far side of the VPN connection.
6.8 Configuring the Radius Server
Remote Authentication Dial-In User Service (Radius) is a client/server protocol and software enabling remote access servers to communicate with the switch to authenticate users and authorize their access to the switch-managed network. For an overview of the switch's Radius deployment, see Radius Overview on page 6-83.

Apart from EAP authentication, the switch allows the enforcement of user-based policies. User-based policies include dynamic VLAN assignment and access based on time of day. The switch uses a default trustpoint. A certificate is required for EAP TTLS, PEAP and TLS Radius authentication (configured with the Radius service). Dynamic VLAN assignment is achieved based on the Radius server response.

6.8.1.3 Access Policy
Access policies are defined for a group created in the local database. Each user is authorized based on the access policies defined for the groups to which the user belongs. Access policies allow the administrator to control access for a set of users based on the WLANs (ESSID). Group-to-WLAN access is controlled using a "Time of the day" access policy. Consider User1 (part of Group 1), which is mapped to WLAN1 (ESSID of WLAN1).

6.8.3 Defining the Radius Configuration
To configure Radius support on the switch:
1. Select Security > Radius Server from the main menu.
2. Ensure the Configuration tab is selected.
3. Click the Start the RADIUS server link to use the switch's own Radius server to authenticate users accessing the switch-managed network. Again, this is recommended as the secondary means of authenticating users.
4.

6.8.3.1 Radius Client Configuration
A Radius client implements a client/server mechanism enabling the switch to communicate with a central server to authenticate users and authorize access to the switch-managed network. A Radius client is often an embedded device, since it alleviates the need to store detailed user information locally. To configure Radius client support:
1. Select Security > Radius Server from the main menu.
2. Ensure the Configuration tab is selected.
3.

To configure Radius proxy server support:
1. Select Security > Radius Server from the main menu.
2. Ensure the Configuration tab is selected.
3. Select the Proxy Servers tab from the bottom of the Configuration tab. The Proxy Servers tab displays the user ID suffix (index), IP address and port number of the switch's existing proxy server configurations.
4.

To define the Radius authentication and accounting configuration:
1. Select Security > Radius Server from the main menu.
2. Select the Authentication tab.
3. Refer to the Authentication field to define the following Radius authentication information:
EAP and Auth Type: Specify the EAP type for the Radius server.
• PEAP uses a TLS layer on top of EAP as a carrier for other EAP modules. PEAP is an ideal choice for networks using legacy EAP authentication methods.

Cert Trustpoint: Click the View/Change button to specify the trustpoint from which the Radius server automatically grants certificate enrollment requests. A trustpoint is a representation of a CA or identity pair. A trustpoint contains the identity of the CA, CA-specific configuration parameters, and an association with one enrolled identity certificate. If the server certificate trustpoint is not used, the default trustpoint is used instead.
6.8.5 Configuring Radius Users
Refer to the Users tab to view the current set of users and groups assigned for the Radius server. The Users tab is employed when Local is selected as the Auth Data Source within the Authentication & Accounting tab. The user information is ignored if an LDAP server is used for authentication. To define the Radius user permissions for switch access:
1. Select Security > Radius Server from the main menu.
2. Select the Users tab.
3.

Modify the existing user's guest designation, password, expiry date and group assignments as required to reflect the user's current local Radius authentication requirements.
5. If an existing user is no longer needed, select the user from those displayed and click the Delete button to permanently remove the user.
6. To create a new user for use with the local Radius server, click the Add button and provide the following information.

a. Refer to the Status field for the current state of the requests made from the applet. This field displays error messages if something goes wrong in the transaction between the applet and the switch.
b. Click OK to apply the changes to the running configuration and close the dialog.
c. Click Cancel to close the dialog without committing updates to the running configuration.
6.8.

3. Refer to the user groups listed to review the following read-only attributes for each group:
Name: Displays the unique name assigned to each group. The group name should be indicative of the user population within it and their shared activity within the switch-managed network.
Guest Group: Displays whether a specific group has been defined as a guest group (indicated with a green check mark) or configured as a permanent group (indicated with a red X).

5. Refer to the Time of access in days field to assess the intervals (which days) during which the group has been assigned access to the switch-managed network (after each user has been authenticated). At least one day is required. This value is read-only within the Groups tab. Click Edit to modify the access assignments of an existing group, or click Add to create a new group with unique access assignments.
6.

8. To create a new group, click the Add button and provide the following information.
Name: Define a unique group name that differentiates this new group from others with similar attributes.
Guest Group: Select the Guest Group checkbox to assign this particular group (and the users within it) only temporary access to the local Radius server, thus restricting their authentication period to a user-defined access interval.
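How the local Radius user table, groups, guest designation with expiry date, and the "Time of the day" access policy from the Access Policy section fit together, as an added Python model that is not switch code. It authenticates a user from the local table, then authorizes only through a group mapped to the requested ESSID whose access days and time interval cover the request time. User names, passwords, groups, ESSIDs and dates are constructed.

```python
"""Local Radius user/group authorization with time-of-day access policies."""
import hmac
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional

DAYS = ("mon", "tue", "wed", "thu", "fri", "sat", "sun")  # datetime.weekday() order


@dataclass
class Group:
    name: str
    wlans: frozenset            # ESSIDs this group is mapped to
    days: frozenset             # access days; the guide requires at least one
    start: time = time(0, 0)    # time-of-day access interval, inclusive
    end: time = time(23, 59, 59)
    guest: bool = False

    def __post_init__(self):
        if not self.days or not self.days <= frozenset(DAYS):
            raise ValueError(f"group {self.name}: at least one valid access day is required")

    def allows(self, essid, when):
        """True if the group grants this ESSID on the day and at the time of `when`."""
        return (essid in self.wlans
                and DAYS[when.weekday()] in self.days
                and self.start <= when.time() <= self.end)


@dataclass
class User:
    name: str
    password: str
    groups: tuple                       # names of the groups the user belongs to
    guest: bool = False
    expiry: Optional[datetime] = None   # guests stop authenticating at this time


def authorize(users, groups, name, password, essid, when):
    """Authenticate `name` and decide whether it may join `essid` at `when`.

    Returns (allowed, reason); authentication and authorization failures are
    reported separately so an accounting log can tell them apart.
    """
    user = users.get(name)
    # Constant-time comparison so a wrong name and a wrong password cost the same.
    if user is None or not hmac.compare_digest(user.password, password):
        return False, "authentication failed"
    if user.guest and (user.expiry is None or when >= user.expiry):
        return False, "guest account expired"
    for group_name in user.groups:
        group = groups.get(group_name)
        if group is not None and group.allows(essid, when):
            return True, f"access granted through group {group_name}"
    return False, "no group grants access to this WLAN at this time"


# Constructed local database: Group 1 is mapped to WLAN1 on weekdays during
# working hours; Guests is a guest group mapped to WLAN2 on every day.
GROUPS = {
    "Group 1": Group("Group 1", frozenset({"WLAN1"}),
                     frozenset({"mon", "tue", "wed", "thu", "fri"}),
                     time(8, 0), time(18, 0)),
    "Guests": Group("Guests", frozenset({"WLAN2"}), frozenset(DAYS), guest=True),
}
USERS = {
    "User1": User("User1", "user1-secret", ("Group 1",)),
    "visitor": User("visitor", "visitor-secret", ("Guests",),
                    guest=True, expiry=datetime(2009, 6, 1)),
}


def check(name, password, essid, iso_when):
    """Convenience wrapper over the constructed database; `iso_when` is ISO 8601."""
    return authorize(USERS, GROUPS, name, password, essid, datetime.fromisoformat(iso_when))


if __name__ == "__main__":
    print(check("User1", "user1-secret", "WLAN1", "2009-05-04T09:00"))  # Monday, granted
    print(check("User1", "user1-secret", "WLAN1", "2009-05-03T09:00"))  # Sunday, refused
```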
6.8.7 Viewing Radius Accounting Logs
Accounting logs contain information about the use of remote access services by users. This information is of great assistance in partitioning local versus remote users and determining how best to accommodate each. Remote user information can be archived to a location outside the switch for periodic network and user permission administration. To display the Radius accounting logs:
1. Select Security > Radius Server from the main menu.
2.

• upload an external certificate
• delete a server certificate and/or root certificate of a trustpoint
• create a new key
• upload/download keys between the switch and a server or local disk
• delete all the keys in the switch.
Server certificates are issued to web servers and used to authenticate web servers to browsers while establishing a Secure Socket Layer (SSL) connection.

The Server Certificate and CA Root Certificate tabs display read-only credentials for the certificates in use by the switch. A table displays the following Issued To and Issued By details for each:
Issued To
Country (C): Displays the country of usage for which the certificate was assigned.
State (ST): Displays the state (if within the US) or province within the country listed above in which the certificate was issued.

2. Click the Certificate Wizard button at the bottom of the screen.
3. Use this wizard for:
• Creating a new self-signed certificate or certificate request
• Uploading an external certificate
• Delete operations
4. Select the Create new certificate radio button to generate a new self-signed certificate or prepare a certificate request which can be sent to a Certificate Authority (CA).

The second page of the wizard contains three editable fields: Select Certificate Operation, Select a Trustpoint, and Specify a key for your new certificate.
2. Use the second page to create either a self-signed certificate or prepare a certificate request. For certificate creation, select one of the following options:
• Generate a self signed certificate - Configure the properties of a new self-signed certificate.

Select a trustpoint for the new certificate:
• Use existing trustpoint - Select an existing trustpoint from the drop-down menu.
• Create a new trustpoint - Provide a name for the new trustpoint in the space provided.
To specify a key for a new certificate, select one of the following:
• Automatically generate a key - Automatically generates a key for the trustpoint.
• Use existing key - Specify an existing key using the drop-down menu.

3. Select the Configure the trustpoint checkbox to enable the new self-signed certificate to be configured as a trustpoint.
4. Select the Automatically generate certificate with default values checkbox to create a certificate using values the switch assigns by default. This option is recommended for generic certificates that do not represent a unique or custom switch configuration.
5. Select the Enter certificate credentials radio button to manually enter the values of a unique certificate.

Organization Unit: Enter an Org. Unit for the name of the organizational unit used in the self-signed certificate. By default, it is Wireless Switch Division. This is a required field.
Email Address: Provide an email address used as the contact address for issues relating to this certificate request.
FQDN: Enter a fully qualified domain name (FQDN), an unambiguous domain name that specifies the node's position in the DNS tree hierarchy absolutely.
10. Check the Save the certificate request option to save the certificate request to an external server, and provide the server information in the fields below:
To: Use the To field to define whether the target certificate is to be sent to the system's local disk (Local Disk) or to an external server (Server).
File: Specify a filename for the certificate to be saved as on the target server or local disk.

2. Select and use the Delete trustpoint and all certificates inside it drop-down menu to define the target trustpoint for removal.
3. Select and use the Remove certificates from this trustpoint drop-down menu to define the trustpoint that will have either its Server Certificate or CA Root Certificate removed.
4. Click the Next button to proceed and complete the trustpoint removal.
6.9.

The Keys tab displays the following:
Key Name: Displays the name of the key pair generated separately, or automatically when selecting a certificate. Specify the option within the wizard.
Key Size (Bytes): Displays the size of the desired key. If not specified, a default key size of 1024 bytes is used.
3. Highlight a key in the table and click the Delete button to delete it from the switch.
4. Click the Add button to add a new key label to the list of keys available to the switch.

4. Enter a Key Label in the space provided to specify a name for the new key pair.
5. Define the Key Size between 1024 and 2048 bytes.
6. Refer to the Status field for the current state of the requests made from the applet. This field displays error messages if something goes wrong in the transaction between the applet and the switch.
7. Click OK to save the changes to the running configuration and close the dialog.
8.

The drop-down menu contains the log files listed within the Server Certificate screen.
6. Use the To drop-down menu to define whether the target log file is to be sent to the system's local disk (Local Disk) or to an external server (Server).
7. Provide the name of the file to be transferred to the location specified within the Target field.
8. Use the Using drop-down menu to configure whether the log file transfer is sent using FTP or TFTP.
9.

When enabling an Enhanced Beacon, the switch allows adopted Access Ports to periodically scan for rogue APs on different channels without disassociating MUs. The beacons collected in the scan are passed on to the switch so the information required to locate a particular rogue AP is gathered. Refer to Editing AP Settings on page 4-95 to enable an AP to forward beacons and association information for AP radios to detect a rogue.

5. Use the Scan Time value to enter the duration of the scan. The radio scans each channel for the defined interval. The default value is 100 milliseconds.
6. Define a Max Number of APs value to set the number of detected APs displayed in the Beacon Found table. The available range is from 0 to 512.
7. Refer to the 802.11a Channel Set and 802.11an Channel Set fields to select channels for the 802.11a and 802.11an transmission bands.

9. Click Apply to save changes to the screen. Navigating away from the screen without clicking the Apply button results in the changes being discarded.
10. Click the Revert button to undo the changes to the screen and revert to the last saved configuration.
6.10.2 Configuring the Probe Table
Define enhanced probes to detect rogue MUs within the network. An AP300 transmits beacons and the MUs send a probe request to the AP for association.

9. 802.11a AP300 Radios: Click the Enable all button to allow an AP's 802.11a radio to receive MU probe requests and forward them to the switch. Click the Disable all button to stop the AP's 802.11a radios from forwarding MU probe requests to the switch.
10. 802.11bg AP300 Radios: Click the Enable all button to allow the AP's 802.11bg radios to receive MU probe requests and forward them to the switch. Click the Disable all button to stop the AP's 802.

Heard Channel: Displays the channel frequency on which the unadopted AP was detected.
Heard Time: Displays the time when the unadopted AP was detected.
4. Select the Clear Report button to clear the statistic counters and begin a new data calculation.
6.10.4 Reviewing Found Probes
Refer to the Probes Found tab to view the enhanced probe report created by the switch. The table displays probe information collected during the AP's channel scan.
Switch Management This chapter describes the Management Access main menu items used to configure the switch. This chapter consists of the following switch management activities: • Displaying the Management Access Interface • Configuring Access Control • Configuring SNMP Access • Configuring SNMP Traps • Configuring SNMP Trap Receivers • Configuring Management Users NOTE: HTTPS must be enabled to access the switch applet.
7-2 Motorola RF Switch System Reference Guide 2. Refer to the Current Status field to review the following read-only information: Firmware In Use The Firmware In Use value displays the software version currently running on the switch. Use this information to assess whether a firmware update would improve the switch feature set and functionality. Log Output The Log Output value displays the target location for log files output by the switch.
Switch Management 7-3 2. Refer to the Management Settings field to enable or disable the following switch interfaces: Secure Management (on Management VLAN only) Select this checkbox to allow management VLAN access to switch resources. The management VLAN is used to establish an IP connection to the switch from a workstation connected to a port in the VLAN. By default, the active management VLAN is VLAN 1, but you can designate any VLAN as the management VLAN.
7-4 Motorola RF Switch System Reference Guide Enable FTP Select this checkbox to enable FTP access to the switch. File Transfer Protocol (FTP) is the protocol used for file transfers across the network. This setting is disabled by default. Port Displays the port number used for the FTP session with the switch (if using FTP). Username Displays the read-only name of the user whose credentials are used for the FTP session.
Switch Management 7-5 NOTE: When accessing the switch via an SNMP client, ensure that UDP traffic is allowed on port 161 for the network being used for the switch and the SNMP client. 7.3.1 Configuring SNMP v1/v2 Access SNMP version 2 (SNMPv2) is an evolution of SNMPv1. The Get, GetNext, and Set operations used in SNMPv1 are exactly the same as those used in SNMPv2. However, SNMPv2 adds and enhances some protocol operations.
7-6 Motorola RF Switch System Reference Guide 3. Highlight an existing entry and click the Edit button to modify the properties of an existing SNMP V1/v2 community and access control definition. For more information, see Editing an Existing SNMP v1/v2 Community Name on page 7-6. 7.3.1.1 Editing an Existing SNMP v1/v2 Community Name The Edit screen allows the user to modify a community name and change its read-only or read/write designation.
Switch Management 7-7 1. Select Management Access > SNMP Access from the main menu tree. 2. Select the V3 tab from within the SNMP Access screen. 3. Refer to the fields within the V3 screen for the following information: User Name Displays a read-only SNMP v3 username of operator or Admin. An operator typically has an Access Control of read-only and an Admin typically has an Access Control of read/write. Access Control Displays a read-only (R) access or read/write (RW) access for the v3 user.
7-8 Motorola RF Switch System Reference Guide 7.3.2.1 Editing an SNMP v3 Authentication and Privacy Password The Edit screen enables the user to modify the password required to change the authentication keys. Updating the password requires logging off of the system. Updating the existing password creates new authentication and encryption keys. To edit an SNMP v3 user profile: 1. Select Management Access > SNMP Access from the main menu tree. 2. Select the v3 tab from within the SNMP Access screen. 3.
Switch Management 7-9 3. Define the following values as required to define how SNMP Access messages are received: Retries Define the number of times the switch polls for SNMP values before giving up. The default retry value is 3. Timeout Define a timeout interval (in seconds) the switch uses to time out SNMP connection attempts. The default value is 10 seconds. Rows per Request Set the number of data rows returned per SNMP connection. The default value is 10 rows. 7.3.
7-10 Motorola RF Switch System Reference Guide 3. Refer to the following read-only statistics displayed within the SNMP Access Statistics screen: V2/V3 Metrics Displays the individual SNMP Access events capable of having a value tracked for them. The metrics range from general SNMP events (such as the number of SNMP packets in and out) to specific error types that can be used for troubleshooting SNMP events (such as Bad Value and Read-Only errors).
Switch Management 7-11 • Enabling Trap Configuration • Configuring Trap Thresholds 7.4.1 Enabling Trap Configuration If unsure whether to enable a specific trap, select it and view a brief description that may help your decision. Use Expand all items to explode each trap category and view all the traps that can be enabled. Traps can either be enabled by group or as individual traps within each parent category. To configure SNMP trap definitions: 1.
7-12 Motorola RF Switch System Reference Guide 4. Select an individual trap, by expanding the node in the tree view, to view a high-level description of this specific trap within the Trap Description field. You can also select a trap family category heading (such as "Redundancy" or "NSM") to view a high-level description of the traps within that trap category. Redundancy Displays a list of sub-items (trap options) specific to the Redundancy (clustering) configuration option.
Switch Management 7-13 7. Highlight a specific trap and click the Disable button to disable the item as an active SNMP trap. The items previously enabled (with a check to the left) now display with an "X" to the left of them. 8. Highlight a sub-menu header (such as Redundancy or Update Server) and click the Enable all sub-items button to enable the item as an active SNMP trap. Those sub-items previously disabled (with an "X" to the left) now display with a check to the left of them.
7-14 Motorola RF Switch System Reference Guide 3. Check the Enable SMTP box to enable the outgoing mail server on the switch. In order to use E-mail notification on the switch, this box must be checked. Configure the SMTP mail server properties as follows: Name Enter the hostname of your outgoing SMTP mail server. This is the server that is used to deliver outgoing mail. Port Specify the port number used by your outgoing SMTP server. In many cases this is port 25.
Switch Management 7-15 3. Refer to the following information for thresholds descriptions, conditions, editable threshold values and units of measurement. Threshold Name (Description) Displays the target metric for the data displayed to the right of the item. It defines a performance criteria used as a target for trap configuration. Threshold Conditions Displays the criteria used for generating a trap for the specific event.
7-16 Motorola RF Switch System Reference Guide 4. Select a threshold and click the Edit button to display a screen wherein threshold settings for the MU, AP and WLAN can be modified. Adjust the values as needed (between 0 and 100) to initiate a trap when the value is exceeded for the MU, AP or WLAN. Ensure the value set is realistic, in respect to the number of MUs and APs supporting WLANs within the switch managed network. 5.
Switch Management 7-17 7.4.2.1 Wireless Trap Threshold Values The table below lists the Wireless Trap threshold values for the switch: # Threshold Name Condition Station Range Radio Range WLAN Range Wireless Service Range Units 1 Packets per Second Greater than A decimal number greater than 0.00 and less than or equal to 100000.00 A decimal number greater than 0.00 and less than or equal to 100000.00 A decimal number greater than 0.00 and less than or equal to 100000.
7-18 Motorola RF Switch System Reference Guide 7.5 Configuring SNMP Trap Receivers Refer to the Trap Receivers screen to review the attributes of existing SNMP trap receivers (including destination address, port, community and trap version). A new v2c or v3 trap receiver can be added to the existing list by clicking the Add button. To configure the attributes of SNMP trap receivers: 1. Select Management Access > SNMP Trap Receivers from the main menu tree. 2.
Switch Management 7-19 5. Click the Add button to display a sub-screen used to assign a new Trap Receiver IP Address, Port Number and v2c or v3 designation to the new trap. Add trap receivers as needed if the existing trap receiver information is insufficient. For more information, see Adding SNMP Trap Receivers on page 7-19. 7.5.1 Editing SNMP Trap Receivers Use the Edit screen to modify the trap receiver’s IP Address, Port Number and v2c or v3 designation.
7-20 Motorola RF Switch System Reference Guide 3. Create a new destination IP Address (not a DNS name) for the new trap receiver to be used for receiving the traps sent by the SNMP agent. 4. Define a Port Number for the trap receiver. 5. Use the Protocol Options drop-down menu to specify the trap receiver as either an SNMP v2c or v3 receiver. 6. Click OK to save and add the changes to the running configuration and close the dialog. 7.
Switch Management 7-21 The Local User window consists of 2 fields: • Users – Displays the users currently authorized to use the switch. By default, the switch has two default user types, Admin and Operator. • Privileges – This frame displays the privileges assigned to each type of user. 3. Select the user (Admin, Operator or user defined) from the Users frame. The Privilege frame displays the rights authorized to the user. 4.
7-22 Motorola RF Switch System Reference Guide 3. Enter the login name for the user in the Username field. Ensure this name is practical and identifiable to the user. 4. Enter the authentication password for the new user in the Password field and re-enter it in the Confirm Password field. 5. Select the role you want to assign to the new user from the options provided in the Associated Roles panel.
Switch Management 7-23 NOTE: There are some basic operations/CLI commands (exit, logout and help) available to all user roles. All the roles except Monitor can perform Help Desk role operations. NOTE: By default, the switch is HTTPS enabled with a self-signed certificate. This is required since the Web UI uses HTTPS for user authentication. 6. Select the access modes to assign to the new user from the options provided in the Access Modes panel.
7-24 Motorola RF Switch System Reference Guide Network Administrator The Network Administrator role configures all wired and wireless parameters, such as IP configuration, VLANs, Layer 2/Layer 3 security, WLANs, radios, IDS and hotspot. System Administrator Select System Administrator (if necessary) to allow the user to configure general settings like NTP, boot parameters and licenses, perform image upgrades and auto install, manage redundancy/clustering and control access.
Switch Management 7-25 7.6.1.3 Creating a Guest Admin and Guest User Optionally, create a guest administrator for creating guest users with specific usernames, start and expiry times and passwords. Each guest user can be assigned access to specific user groups to ensure they are limited to just the group information they need, and nothing additional. NOTE: A guest user added from switch Web UI will be 5 minutes ahead of the switch's current time. To create a guest administrator: 1.
7-26 Motorola RF Switch System Reference Guide 7. Optionally, click the Generate button to automatically create a username and password for each guest user. 8. Repeat this process as necessary until all required guest users have been created with relevant passwords and start/end guest group permissions. 7.6.2 Configuring Switch Authentication The switch provides the capability to proxy authenticate requests to a remote Radius Server.
Switch Management 7-27 5. Click the Revert button to rollback to the previous authentication configuration. 6. Refer to the bottom half of the Authentication screen to view the Radius Servers configured for switch authentication. The servers are listed in order of their priority. Index Displays a numerical Index for the Radius Server to help distinguish this Radius Server from other servers with a similar configuration. The maximum number that can be assigned is 32.
7-28 Motorola RF Switch System Reference Guide 4. Modify the following Radius Server attributes as necessary: Radius Server Index Displays the read-only numerical Index value for the Radius Server to help distinguish this server from other servers with a similar configuration (if necessary). This is not an editable value. Radius Server IP Address Modify the IP address of the external Radius Server (if necessary). Ensure this address is a valid IP address and not a DNS name.
Switch Management 7-29 1. Select Management Access > Users from the main menu tree. The Users screen displays. 2. Select the Authentication tab. 3. Click the Add button at the bottom of the screen. 4. Configure the following Radius Server attributes: Radius Server IP Address Provide the IP address of the external Radius Server. Ensure this address is a valid IP address and not a DNS name. Radius Server Port Enter the TCP/IP port number for the Radius Server.
7-30 Motorola RF Switch System Reference Guide
Vendor ID: The Motorola vendor ID is 388.
Radius VSAs: There are two radius VSAs used for management user authentication.
VSA Name: Symbol-Service-Type
Attribute Number: 1
Type: Integer (Decimal)
Values:
• Monitor Role - Value is 1 (read-only access to the switch)
• Helpdesk Role - Value is 2 (helpdesk/support access to the switch)
• Nwadmin Role - Value is 4 (all wired and wireless access to the switch)
• Sysadmin Role - Value is 8.
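To show how the Symbol-Service-Type VSA above travels in a RADIUS Access-Accept, here is an added example (not code from the guide or from Motorola) that encodes and parses the Vendor-Specific attribute with vendor ID 388 and vendor attribute number 1, and maps the integer to the role names listed above. It assumes the standard RFC 2865 VSA layout and that the switch matches the role value exactly; the sample attribute bytes are constructed.

```python
"""Added example: RADIUS Vendor-Specific attribute (RFC 2865 type 26) carrying
the Symbol-Service-Type VSA (Motorola vendor ID 388, vendor attribute 1)."""
import struct

VENDOR_SPECIFIC = 26            # RFC 2865 attribute type for VSAs
MOTOROLA_VENDOR_ID = 388        # vendor ID stated on this page
SYMBOL_SERVICE_TYPE = 1         # vendor attribute number stated on this page
# Role values from the page; the page is cut off after Sysadmin, so only
# these four are mapped here (assumption: exact-value match, not a bitmask).
ROLE_BY_VALUE = {1: "Monitor", 2: "Helpdesk", 4: "Nwadmin", 8: "Sysadmin"}


def encode_symbol_service_type(role_value: int) -> bytes:
    """Return the wire form of Vendor-Specific(26) carrying Symbol-Service-Type."""
    if role_value not in ROLE_BY_VALUE:
        raise ValueError(f"unknown Symbol-Service-Type value {role_value}")
    # Vendor sub-attribute: vendor-type(1) vendor-length(1) integer value(4, big-endian)
    sub = struct.pack("!BBI", SYMBOL_SERVICE_TYPE, 6, role_value)
    # Outer attribute: type(1) length(1) vendor-id(4) followed by the sub-attribute
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(sub), MOTOROLA_VENDOR_ID) + sub


def iter_attributes(blob: bytes):
    """Yield (type, value) pairs from a RADIUS attribute list, checking lengths."""
    pos = 0
    while pos < len(blob):
        if len(blob) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        yield atype, blob[pos + 2:pos + alen]
        pos += alen


def iter_vendor_attributes(value: bytes):
    """Yield (vendor_id, vendor_type, data) for each sub-attribute of a VSA value."""
    if len(value) < 4:
        raise ValueError("VSA shorter than its vendor-id field")
    vendor_id = struct.unpack("!I", value[:4])[0]
    pos = 4
    while pos < len(value):
        if len(value) - pos < 2:
            raise ValueError("truncated vendor sub-attribute")
        vtype, vlen = value[pos], value[pos + 1]
        if vlen < 2 or pos + vlen > len(value):
            raise ValueError(f"bad vendor sub-attribute length {vlen}")
        yield vendor_id, vtype, value[pos + 2:pos + vlen]
        pos += vlen


def management_role(attributes: bytes):
    """Return the role name derived from an Access-Accept attribute list, or None
    when no valid Symbol-Service-Type for vendor 388 is present. An unknown or
    malformed value yields None (no role) rather than a guessed role."""
    for atype, value in iter_attributes(attributes):
        if atype != VENDOR_SPECIFIC:
            continue
        for vendor_id, vtype, data in iter_vendor_attributes(value):
            if vendor_id != MOTOROLA_VENDOR_ID or vtype != SYMBOL_SERVICE_TYPE:
                continue
            if len(data) != 4:
                return None  # integer VSAs are exactly four bytes
            return ROLE_BY_VALUE.get(struct.unpack("!I", data)[0])
    return None


# Constructed sample: User-Name(1) = "admin" followed by Symbol-Service-Type = 8.
SAMPLE_ACCEPT_ATTRS = bytes([1, 7]) + b"admin" + encode_symbol_service_type(8)

if __name__ == "__main__":
    print(encode_symbol_service_type(4).hex())   # 1a0c00000184010600000004
    print(management_role(SAMPLE_ACCEPT_ATTRS))  # Sysadmin
```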
Diagnostics This chapter describes the various diagnostic features available for monitoring switch performance. This chapter consists of the following switch diagnostic activities: • Displaying the Main Diagnostic Interface • Configuring System Logging • Reviewing Core Snapshots • Reviewing Panic Snapshots • Debugging the Applet • Configuring a Ping NOTE: HTTPS must be enabled to access the switch applet. Ensure HTTPS access has been enabled before using the login screen to access the switch applet.
8-2 Motorola RF Switch System Reference Guide NOTE: When the switch’s configuration is successfully updated (using the Web UI), the affected screen is closed without informing the user their change was successful. However, if an error were to occur, the error displays within the affected screen’s Status field and the screen remains displayed.
Diagnostics 8-3 5. Use the Temperature Sensors field to monitor the CPU and system temperatures. This information is extremely useful in assessing if the switch exceeds its critical limits. SWITCH NOTE: An RFS7000 Series Switch has six sensors. 6. Refer to the Fans field to monitor the CPU and system fan speeds. 7. Click the Apply button to commit and apply the changes. 8. Click the Revert button to revert back to the last saved configuration. 8.1.
8-4 Motorola RF Switch System Reference Guide 6. Click the Apply button to commit and apply the changes. 7. Click the Revert button to revert back to the last saved configuration. 8.1.3 Switch Memory Allocation Use the Memory tab to periodically assess the switch’s memory load. 1. Select Diagnostics from the main tree menu. 2. Select the Memory tab. The Memory tab is partitioned into the following two fields: • RAM • Buffer 3.
Diagnostics 8-5 8.1.4 Switch Disk Allocation The Disk tab contains parameters related to the various disk partitions on the switch. It also displays available space in the external drives (compact flash etc). 1. Select Diagnostics from the main tree menu. 2. Select the Disk tab. 3. This Disk tab displays the status of the switch flash, nvram and system disk resources. Each field displays the following: • Free Space Limit • Free INodes • Free INode Limit 4.
8-6 Motorola RF Switch System Reference Guide 3. The Processes tab has two fields: • General • Processes by highest memory consumption 4. Refer to the General field to review the number of processes in use and percentage of memory usage per process. The value defined is the maximum limit per process during periods of increased network activity and is negotiated amongst the other processes as needed during normal periods of switch activity. 5.
Diagnostics 8-7 Keep the Cache allocation in line with cache expectations required within the switch managed network. 3. Define the maximum limit for each resource according to how you expect these resources to be utilized within the switch managed network. 4. Click the Apply button to commit and apply any changes to any of the resources' maximum limits. 5. Click the Revert button to revert back to the last saved configuration. 8.
8-8 Motorola RF Switch System Reference Guide 3. Select the Enable Logging Module checkbox to enable the switch to log system events to a user defined log file or a syslog server. 4. Select the Enable Logging to Buffer checkbox to enable the switch to log system events to a buffer. The log levels are categorized by their severity. The default level is 3 (errors detected by the switch).
Diagnostics 8-9 8. Click Apply to save the changes made to the screen. This will overwrite the previous configuration. 9. Click the Revert button to move the display back to the last saved configuration. 8.2.2 File Management Use the File Mgt tab to view existing system logs. Select a file to display its details in the Preview field. Click the View button to display the file’s entire contents. Once viewed, the user has the option of clearing the file or transferring the file to a user-defined location.
8-10 Motorola RF Switch System Reference Guide 5. Highlight a file from the list of log files available within the File Mgt tab and click the View button to display a detailed description of the entire contents of the log file. To view the entire content of an individual log file, see Viewing the Entire Contents of Individual Log Files on page 8-10. 6. Click the Clear Buffer button to remove the contents of the File Mgt tab.
Diagnostics 8-11 4. Refer to the following for information on the elements that can be viewed within a log file: Timestamp Displays the date, year and time of day the log file was initially created. This value only states the time the file was initiated, not the time it was modified or appended. Module Displays the name of the switch logging the target event. This metric is important for troubleshooting issues of a more serious priority, as it helps isolate the switch resource detecting the problem.
8-12 Motorola RF Switch System Reference Guide Severity The Severity level coincides with the logging levels defined within the Log Options tab. Use these numeric identifiers to assess the criticality of the displayed event. The severity levels include: • 0 - Emergency • 1 - Alert • 2 - Critical • 3 - Errors • 4 - Warning • 5 - Notice • 6 - Info • 7 - Debug Mnemonic Use the Mnemonic as a text version of the severity code information.
Diagnostics 8-13 9. If Server has been selected as the source, enter the IP Address of the destination server or system receiving the log file. Ensure the IP address is valid or risk jeopardizing the success of the log file transfer. 10. If Server has been selected as the source, enter the User ID credentials required to send the log file to the target location. 11.
8-14 Motorola RF Switch System Reference Guide 2. Refer to the following table headings within the Core Snapshots screen: Name Displays the title of the process, process ID (pid) and build number separated by underscores. The file extension is always .core for core files. Size (Bytes) Displays the size of the core file in bytes. Created Displays the date and time the core file was generated. This information may be useful in troubleshooting issues. 3.
Diagnostics 8-15 14. If a problem condition is discovered during the file transfer, click the Abort button to terminate the transfer. 15. Click the Close button to exit the screen after a transfer. There are no changes to save or apply. 8.4 Reviewing Panic Snapshots Refer to the Panic Snapshots screen for an overview of the panic files available. Typically, panic files refer to switch events interpreted as critical conditions (and thus requiring prompt attention).
8-16 Motorola RF Switch System Reference Guide 4. Select a target panic file and click the Delete button to remove the file. 5. Select a target panic file and click the View button to open a separate viewing screen to display the panic information in greater detail. For more information, see Viewing Panic Details on page 8-16. 6. Click the Transfer Files button to open the transfer dialog to transfer the file to another location. For more information, see Transferring Panic Files on page 8-16. 8.4.
Diagnostics 8-17 9. If Server has been selected as the source, enter the User ID credentials required to send the file to the target location. The User ID is required for FTP transfers only. 10. If Server has been selected as the source, enter the Password required (for FTP transfers) to send the file to the target location. 11. Specify the appropriate path name to the target directory on the local system disk or server as configured using the "To" parameter.
8-18 Motorola RF Switch System Reference Guide • What kinds of message should be seen. 3. Select the Send log message to a file checkbox if you wish to store the log message. Enabling this checkbox allows you to select the file location where you wish to store the log message. 4. Select the Use SNMP V2 only checkbox to use SNMP v2 to debug the applet. Check whether you have access to SNMP v2 by clicking on the Test SNMP V2 access button.
Diagnostics 8-19 2. Refer to the following information displayed within the Configuration tab: Description Displays the user assigned description of the ping test. The name is read-only. Use this title to determine whether this test can be used as is or if a new ping test is required. Destination IP Displays the IP address of the target device. This is the numeric address of the device to which the ping packets are sent.
8-20 Motorola RF Switch System Reference Guide 1. Select Diagnostics > Ping from the main menu. 2. Highlight an existing ping test within the Configuration tab and select the Edit button. 3. Modify the following information (as needed) to edit the existing ping test: Description If necessary, modify the description for the ping test. Ensure this description is representative of the test, as this is the description displaying within the Configuration tab.
Diagnostics 8-21 1. Select Diagnostics > Ping from the main menu. 2. Click the Add button at the bottom of the Configuration tab. 3. Enter the following information to define the properties of the new ping test: Test Name Enter a short name for the ping test to describe either the target destination of the ping packet or the ping test’s expected result. Use the name provided in combination with the ping test description to convey the overall function of the test.
8-22 Motorola RF Switch System Reference Guide 8.6.3 Viewing Ping Statistics Refer to the Statistics tab for an overview of the overall success of the ping test with the destination IP addresses displayed within the screen. Use this information to determine whether the destination IP represents a device offering the switch a viable connection to either extend the switch’s existing radio coverage area or provide support for additional MUs within an existing network segment. To view ping test statistics: 1.
Diagnostics 8-23 Average RTT Displays the average round trip time for ping packets transmitted between the switch and its destination IP address. Use this value as a general baseline (along with packets sent vs packets received) for the overall connection and association potential between the switch and target device. Last Response Displays the time (in seconds) the switch last “heard” the destination IP address over the switch managed network.
Appendix A Customer Support Motorola’s Enterprise Mobility Support Center If you have a problem with your equipment, contact Enterprise Mobility support for your region. Contact information is available by visiting http://www.motorola.com/customersupport and after selecting your region, click on the appropriate link under Support for Business.
Appendix B Adaptive AP B.1 Adaptive AP Overview An adaptive AP (AAP) is an Access Point that can adopt like an AP300 (Layer 3). The management of an AAP is conducted by the switch, once the Access Point connects to a Motorola RFS6000 or RFS7000 model switch and receives its AAP configuration. An AAP provides: • local 802.
B-2 Motorola RF Switch System Reference Guide • Licensing • Switch Discovery • Securing a Configuration Channel Between Switch and AP • Adaptive AP WLAN Topology • Configuration Updates • Securing Data Tunnels between the Switch and AAP • Adaptive AP Switch Failure • Remote Site Survivability (RSS) • Adaptive Mesh Support For an understanding of how AAP support should be configured for the Access Point and its connected switch, see How the AP Receives its Adaptive Configuration.
B-3 A dependent mode AP cannot be converted into a standalone AP-5131 through a firmware change. Refer to the AP-5131 Hardware/ Software Compatibility Matrix within the release notes bundled with the Access Point firmware. AP-5131-13040-D-WR Dependent AP-5131 Dual Radio (Switch Required) AP-5131-40020-D-WR Dependent AP-5131 Single Radio (Switch Required) B.1.4 Licensing An AAP uses the same licensing scheme as a thin Access Port.
B-4 Motorola RF Switch System Reference Guide B.1.5.2 Manual Adoption Configuration A manual switch adoption of an AAP can be conducted using: • Static FQDN - A switch fully qualified domain name can be specified to perform a DNS lookup and switch discovery. • Static IP addresses - Up to 12 switch IP addresses can be manually specified in an ordered list the AP can choose from. When providing a list, the AAP tries to adopt based on the order in which they are listed (from 1-12).
B-5 • Independent WLANs - Independent WLANs are local to an AAP and can be configured from the switch. You must specify a WLAN as independent to stop traffic from being forwarded to the switch. Independent WLANs behave like WLANs on a standalone Access Point. • Both - Extended and independent WLANs are configured from the switch and operate simultaneously.
B-6 Motorola RF Switch System Reference Guide RSS Enabled WLAN continues beaconing WLAN continues beaconing but AP does allow clients to associate on that WLAN RSS Disabled WLAN stops beaconing WLAN stops beaconing NOTE: For a dependent AAP, independent WLANs continue to beacon for three days in the absence of a switch. B.1.12 Adaptive Mesh Support An AAP can extend an AP51x1's existing mesh functionality to a switch managed network.
B-7 Client Bridge Back Haul WLAN Configuration:
RFS7000(config-wireless)#wlan 1 enable
RFS7000(config-wireless)#wlan 1 ssid meshWlan
RFS7000(config-wireless)#wlan 1 independent
RFS7000(config-wireless)#wlan 1 client-bridge-backhaul enable
Base Bridge Radio Configuration: (AP5131 that is wired to the switch)
RFS7000(config-wireless)#radio add 1 “base bridge radio mac” 11bg aap51x1
RFS7000(config-wireless)#radio add 2 “base bridge radio mac” 11a aap51x1
RFS7000(config-wireless)#radio 1 base-bridge enable
RFS
B-8 Motorola RF Switch System Reference Guide NOTE: If AAP Proxy Radius is configured, the onboard Radius server has to be enabled. By default the onboard Radius server is disabled. To enable the onboard Radius server use the Web UI or issue the “service radius” command in the CLI. B.2 Supported Adaptive AP Topologies The following AAP topologies are supported: • Extended WLANs Only • Independent WLANs Only • Extended WLANs with Independent WLANs • Extended VLAN with Mesh Networking B.2.
B-9 B.2.2 Extended WLANs Only An extended WLAN configuration forces all MU traffic through the switch. No wireless traffic is locally bridged by the AAP. Each extended WLAN is mapped to the Access Point's virtual LAN2 subnet. By default, the Access Point's LAN2 is not enabled and the default configuration is set to static with IP addresses defined as all zeros.
B-10 Motorola RF Switch System Reference Guide After the AP downloads a configuration file from the switch, it obtains the version number of the image it should be running. The switch does not have the capacity to hold the Access Point’s firmware image and configuration. The Access Point image must be downloaded using a means outside the switch. If there is still an image version mismatch between what the switch expects and what the AAP is running, the switch will deny adoption.
B-11 radio basis. WLANs can be assigned to a radio as done today for an AP300 model Access Port. Optionally, configure WLANs as independent and assign to AAPs as needed. 3. Configure each VPN tunnel with the VLANs to be extended to it. If you do not attach the target VLAN, no data will be forwarded to the AAP, only control traffic required to adopt and configure the AP. NOTE: For additional information (in greater detail) on the switch configuration activities described above, see Switch Configuration.
B-12 Motorola RF Switch System Reference Guide 2. Select the Auto Discovery Enable checkbox. Enabling auto discovery will allow the AAP to be detected by a switch once its connectivity medium has been configured (by completing steps 3-6). NOTE: Auto discovery must be enabled for a switch to detect an AP. 3. Enter up to 12 Switch IP Addresses constituting the target switches available for AAP connection. The AAP will begin establishing a connection with the first addresses in the list.
B-13 2. Export the AAP’s configuration to a secure location. Either import the configuration manually to other APs or the same AP later (if you elect to default its configuration). Use DHCP option 186 and 187 to force a download of the configuration file during startup (when it receives a DHCP offer). NOTE: When an Adaptive AP is adopted over an IP Sec Tunnel you cannot export the configuration file to a system on the other side of the IP Sec Tunnel.
B-14 Motorola RF Switch System Reference Guide 3. Ensure the Adopt unconfigured radios automatically option is NOT selected. When disabled, there is no automatic adoption of non-configured radios on the network. Additionally, default radio settings will NOT be applied to Access Ports when automatically adopted. NOTE: For IPSec deployments, refer to Sample Switch Configuration File for IPSec and Independent WLAN and take note of the CLI commands in red and associated comments in green.
B-15 NOTE: For AAP to work properly with RFS7000, you need to have independent and extended WLANs mapped to a different VLAN than the ge port. Once an AAP is adopted by the switch, it displays within the switch Access Port Radios screen (under the Network parent menu item) as an AP-5131, AP-5181 or AP-7131 within the AP Type column. B.4.
B-16 Motorola RF Switch System Reference Guide B.4.4 Sample Switch Configuration File for IPSec and Independent WLAN The following constitutes a sample switch configuration file supporting an AAP IPSec with Independent WLAN configuration. Please note new AAP specific CLI commands in red and relevant comments in blue.
B-17 xyxyxyxxyxyxyx
!
wireless
no adopt-unconf-radio enable
manual-wlan-mapping enable
wlan 1 enable
wlan 1 ssid qs5-ccmp
wlan 1 vlan 200
wlan 1 encryption-type ccmp
wlan 1 dot11i phrase 0 Symbol123
wlan 2 enable
wlan 2 ssid qs5-tkip
wlan 2 vlan 210
wlan 2 encryption-type tkip
wlan 2 dot11i phrase 0 Symbol123
wlan 3 enable
wlan 3 ssid qs5-wep128
wlan 3 vlan 220
wlan 3 encryption-type wep128
wlan 4 enable
wlan 4 ssid qs5-open
wlan 4 vlan 230
wlan 5 enable
wlan 5 ssid Mesh
wlan 5 vlan 111
wlan 5 encryption-t
B-18
radio 4 channel-power indoor 48 4
radio 4 rss enable
radio 4 client-bridge bridge-select-mode auto
radio 4 client-bridge ssid Mesh
radio 4 client-bridge mesh-timeout 0
radio 4 client-bridge enable
radio default-11a rss enable
radio default-11bg rss enable
radio default-11b rss enable
no ap-ip default-ap switch-ip
!
radius-server local
!
! To create an IPSEC Transform Set
!
crypto ipsec transform-set AAP-TFSET esp-aes-256 esp-sha-hmac
mode tunnel
! To create a Cr
B-19
!
!
!
interface vlan1
ip address dhcp
! To attach a Crypto Map to a VLAN Interface
!
crypto map AAP-CRYPTOMAP
!
sole
!
ip route 157.235.0.0/16 157.235.92.2
ip route 172.0.0.0/8 157.235.92.2
!
ntp server 10.10.10.
Appendix C Troubleshooting Information
This appendix provides basic troubleshooting information and workarounds for known conditions the user may encounter. Wherever possible, it includes suggestions or solutions to resolve the issues. It is divided into the following sections:
• General Troubleshooting
• Troubleshooting SNMP Issues
• Security Issues
C.1 General Troubleshooting
This section describes common system issues and what to look for while diagnosing the cause of a problem.
C-2
C.1.1.1 Switch Does Not Boot Up
The Motorola RF Series Switch does not boot up to a username prompt via the CLI console or Telnet. The table below provides suggestions to troubleshoot this issue.
Possible Problem: Switch has no power
Suggestions to Correct:
• Verify power cables, fuses and UPS power. The front panel LEDs light up when power is applied to the switch.
• Have a qualified electrician check the power source to which the switch is connected.
Possible Problem: All else...
C-3
C.1.1.4 Web UI is Sluggish, Does Not Refresh Properly, or Does Not Respond
When configuring the switch, it is easy to overlook the fact that the host computer is running the browser while the Motorola RF Series Switch is only providing the data to the browser. Occasionally, while using the Web UI, the switch does not respond or appears to be running very slowly; this can be a symptom of the host computer or the network rather than the switch itself.
C-4
Possible Problem: Settings in the terminal emulation program are incorrectly set
Suggestions to Correct: Check the serial port settings in the serial terminal emulation program being used. The correct settings are:
Terminal Type: VT-100
Port: Any COM port
Terminal Settings: 19200 bps transfer rate, 8 data bits, no parity, 1 stop bit, no flow control
Possible Problem: All else...
Suggestions to Correct: Contact Motorola Support.
C-5
C.1.2.2 Access Ports are Not Responding
Access Ports are not responding. The table below provides suggestions to troubleshoot this issue.
Possible Problem: Access Port not responding after converting to a Detector AP
Suggestions to Correct: When converting an AP300 to an Intrusion Detection Sensor, the conversion requires approximately 60 seconds.
Possible Problem: All else...
Suggestions to Correct: Contact Motorola Support
C-6
C.1.3.2 MUs Cannot Associate and/or Authenticate with Access Ports
MUs cannot associate and/or authenticate with Access Ports. The table below provides suggestions to troubleshoot this issue.
Possible Problem: Preamble differences
Suggestions to Correct: Verify the preamble type matches between the switch and the MUs. Try a different setting.
Possible Problem: Device key issues
Suggestions to Correct: Verify in Syslog that there is not a high rate of decryption error messages.
C-7
The table below provides suggestions to troubleshoot this issue.
Possible Problem: Fragmentation
Suggestions to Correct:
• Do not allow VoIP traffic when operating on a flat network (no routers or smart switches).
• Move to a trunked Ethernet port.
• Move to a different configuration.
Possible Problem: All else...
Suggestions to Correct: Contact Motorola Support
C.1.4.2 Excessive Memory Leak
Excessive memory leak. The table below provides suggestions to troubleshoot this issue.
C-8
C.2.2 Not able to SNMP WALK for a GET
• Check whether the MIB browser has IP connectivity to the SNMP agent on the switch. Use IP Ping from the client system which has the MIB Browser.
• Check if the community string is the same at the agent side and the manager (MIB Browser) side. The community name is case sensitive.
C.2.3 MIB not visible in the MIB browser
The filename.mib file should first be compiled using a MIB compiler, which creates a smidb file.
C-9
To access the Motorola RF Series Switch using password recovery:
CAUTION: Using this recovery procedure erases the switch’s current configuration and data files from the switch /flash dir. Only the switch’s license keys are retained. You should be able to log in using the default username and password (admin/superuser) and restore the switch’s previous configuration (only if it has been exported to a secure location before the password recovery procedure was invoked).
1.
C-10
• Add a Radius client in the AAA context
• Ensure that the key password in the AAA/EAP context is set to the key used to generate the imported certificates
• DO NOT forget to SAVE!
C-11
C.3.2.8 VPN Authentication using onboard RADIUS server fails
Ensure the following have been attempted:
• Ensure that the VPN user is present in AAA users
• This VPN user MUST NOT be added to any group.
• Save the current configuration
C.3.2.9 Accounting does not work with external RADIUS Accounting server
Ensure that accounting is enabled.
C-12
• If you have enabled AP Scan, ensure that at least a single radio is active. AP scan does not send a scan request to an inactive or unavailable radio.
• Just enabling detectorscan will not send any detectorscan request to any adopted AP. The user should also configure at least a single radio as a detector AP. This can be done using the set detectorap command in the rogueap context.
C-13
3. Ensure that the "network policy" and "Ethernet port" set for the LAN are correct.
C.5.2.2 How to block a request from a host on the untrusted side to a host on the trusted side based on packet classification
1. Add a new Classification Element with the required Matching Criteria.
2. Add a new Classification Group and assign the newly created Classification Element to it. Set the action required.
3. Add a new Policy Object. This should match the direction of the packet flow, i.e. Inbound or Outbound.
4.
Appendix D “How To” Tutorials
This appendix provides “How To” style tutorials for many of the more important features supported by the switch:
• Adopted AP300 Sensor Conversion
• Integrated WLAN RTLS
• MU to MU Disallow
• Secure Beacons
• Secure Device Management
• Secure WISPe
• Wireless IDS
• Wireless Filters
• 802.11i Support
D-2
• Administrators can launch the AirDefense UI from within RFMS
• The AirDefense Enterprise server can forward SNMP traps to RFMS to provide centralized alarm reporting and correlation
D.1.1 About the Motorola AirDefense System
The Motorola AirDefense System is intended for customer environments with Motorola or third-party WLAN infrastructure, providing dedicated threat and performance monitoring and compliance.
D-3
• A Windows XP workstation is available with Microsoft Internet Explorer or Mozilla Firefox to perform Web UI configuration
D.1.2.2 Components
The information in this section is based on the following Motorola hardware and software versions:
• 1 RFS6000 model switch
• 1 AirDefense Enterprise Server Version 7.3 (or higher)
• 5 AP300 model Access Ports
D-4
CAUTION: For the AP300 sensor conversion process to work, the AP300s must be L2 adopted to the RF Switch. L3 adopted AP300s cannot be converted into AirDefense sensors.
To convert the AP300s into sensors:
1. From the switch menu tree select Network > Access Port.
2. Select the Sensor tab.
3. In the VLAN ID field, enter the VLAN ID where the sensors are installed. In this example the sensors are located on VLAN 12. Click Apply.
4.
D-5
5. Select the Configuration tab then click Global Settings in the bottom right-hand side of the screen.
6. Enter the Primary WIPS Server Address. If applicable, enter a Secondary WIPS Server Address. In this example, a single AirDefense Enterprise server has been deployed using 192.168.10.34 as the IP address. Click OK.
7. From the switch menu tree select Network > Access Port.
8. Select the Adopted AP tab.
9. Highlight the AP300s to convert into sensors and select the Convert to sensor button.
D-6
A confirmation screen displays the following message: Converting the AP will UNADOPT all its radios. Do you want to continue?
10. Select Yes to confirm the conversion. A Conversion in progress..... screen displays.
11. Select OK to proceed.
12. Select Save (from the lower left-hand corner) to apply the changes. After several minutes, select Network > Access Port Radios from the switch menu tree.
13. Select the Sensor tab.
D-7
3. Highlight the sensor MAC address to convert back to an AP, then select the Revert to AP button. A Do you really want to revert selected Sensor(s)? message displays.
4. Select Yes to confirm the conversion.
D-8
D.1.3 RF Switch Running Configuration
The following is the running configuration on the RFS6000 switch used to create this AP300 sensor conversion tutorial:
RFS6000# show running-config
!
! configuration of RFS6000 version 3.3.0.0-029R
!
version 1.
D-9
snmp-server user snmptrap v3 encrypted auth md5 0xe3e4b0c4acafa27f6a23ad77d69ac182
snmp-server user snmpmanager v3 encrypted auth md5 0xe3e4b0c4acafa27f6a23ad77d69ac182
snmp-server user snmpoperator v3 encrypted auth md5 0x4fc3ccf48e7c1c7780f936f8cb3fcc64
ip http server
ip http secure-trustpoint ESELAB
ip http secure-server
ip ssh
ip telnet
no service pm sys-restart
timezone America/New_York
service radius
license AP fc781051ebf9d99ced010a4dab46a63a760c66f54b1c496da322d3cd41d046777fbed80f433b68ea
!
wi
D-10
wlan 3 enable
wlan 3 description MOTO-VOICE
wlan 3 ssid MOTO-VOICE
wlan 3 vlan 80
wlan 3 encryption-type tkip
wlan 3 dot11i phrase 0 motovoicetest
wlan 3 dot11i preauthentication
radio add 1 00-15-70-78-F5-23 11a ap300
radio 1 description AP300-1-A
radio 1 bss 1 1
radio 1 channel-power indoor 36 15
radio 1 on-channel-scan
radio 1 adoption-pref-id 100
radio add 2 00-15-70-78-F5-23 11bg ap300
radio 2 description AP300-1-BG
radio 2 bss 1 1
radio 2 bss 2 2
radio 2
D-11
radio add 6 00-15-70-B2-FD-D0 11bg ap300
radio 6 description AP300-3-BG
radio 6 bss 1 1
radio 6 bss 2 2
radio 6 bss 3 3
radio 6 channel-power indoor 11 18
radio 6 on-channel-scan
radio 6 short-preamble
radio 6 adoption-pref-id 100
radio add 7 00-15-70-D5-DA-CE 11a ap300
radio 7 description AP300-4-A
radio 7 channel-power indoor 48 17
radio 7 on-channel-scan
radio add 8 00-15-70-D5-DA-CE 11bg ap300
radio 8 description AP300-4-BG
radio 8 channel-power indoor 1 4
radio 8 on-channel-scan
radio 8 short-pre
D-12
!
radius-server local
authentication eap-auth-type all
nas 192.168.10.
D-13
interface vlan1
no ip address
shutdown
!
interface vlan10
management
description SERVICES
ip address 192.168.10.14/24
!
interface vlan70
description GUEST
ip address 192.168.70.14/24
!
!
!
rtls
rfid
espi
sole
!
ip route 0.0.0.0/0 192.168.10.1
!
ntp server 192.168.10.5 prefer
line con 0
line vty 0 24
!
end
D-14
D.2.1 Wi-Fi Location Determination
To provide 802.11 locationing, the integrated RTLS engine uses a signal propagation model that is constantly updated with real-time RSSI measurements from APs, combined with trilateration, to determine client location. Using this signal propagation model, the integrated RTLS engine can avoid time-consuming calibration. The RTLS processing consists of several discrete steps:
• Devices transmit probe requests to APs.
D-15
The computed X/Y coordinate and zone for each client can be viewed directly on the RF Switch using the CLI or Web UI, or exported to a third-party application for visualization on a floor plan using the standards-based ALE application interface.
Location Attribute: MAC Address
Description: The MAC Address for each client discovered by the switch.
Location Attribute: X coordinate
Description: The estimated X coordinate for each client in relation to the defined origin point (0,0) of the site.
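The location step described above (a signal propagation model plus trilateration from per-AP RSSI) can be worked through numerically. The following is an added Python example, not code from the guide or the switch firmware. It uses the AP coordinates from this tutorial's AP Information table, but the log-distance path-loss parameters (RSSI_AT_1M, PATH_LOSS_EXP), the client height and the RSSI readings are assumptions constructed for the example; the switch's own propagation model is not documented here.

```python
import math

# AP placement from the tutorial's AP Information table (x, y, z in the
# site's units; metres are assumed here).
APS = {
    "00-15-70-78-F5-23": (30.0, 10.0, 16.0),
    "00-15-70-D5-DA-FB": (10.0, 30.0, 16.0),
    "00-15-70-B2-FD-CF": (50.0, 50.0, 16.0),
    "00-15-70-B2-FD-D0": (75.0, 20.0, 8.0),
}

# Log-distance path-loss model parameters: assumed values, not from the guide.
RSSI_AT_1M = -40.0   # dBm observed 1 m from an AP
PATH_LOSS_EXP = 2.5  # indoor path-loss exponent n
CLIENT_HEIGHT = 1.0  # assumed height of a handheld client above the floor


def rssi_to_distance(rssi_dbm):
    """Invert the model RSSI(d) = RSSI_1m - 10 n log10(d) to a slant range d."""
    return 10 ** ((RSSI_AT_1M - rssi_dbm) / (10 * PATH_LOSS_EXP))


def simulate_rssi(client_xyz):
    """Constructed measurements: the RSSI each AP would report for a client."""
    readings = {}
    for mac, ap_xyz in APS.items():
        d = math.dist(client_xyz, ap_xyz)
        readings[mac] = RSSI_AT_1M - 10 * PATH_LOSS_EXP * math.log10(d)
    return readings


def estimate_position(rssi_by_mac, aps=APS):
    """Least-squares trilateration of the client's (x, y) from per-AP RSSI."""
    circles = []
    for mac, rssi in rssi_by_mac.items():
        ax, ay, az = aps[mac]
        slant = rssi_to_distance(rssi)
        # Project the slant range onto the floor plane. Noisy readings can make
        # the range shorter than the height difference, so clamp at zero.
        dh2 = max(slant * slant - (az - CLIENT_HEIGHT) ** 2, 0.0)
        circles.append((ax, ay, dh2))
    if len(circles) < 3:
        raise ValueError("trilateration needs at least three APs")
    xn, yn, dn2 = circles[-1]
    # Subtracting the last circle equation from each other one linearises it:
    #   2(xn - xi) x + 2(yn - yi) y = di^2 - dn^2 + xn^2 - xi^2 + yn^2 - yi^2
    rows = [(2 * (xn - xi), 2 * (yn - yi)) for xi, yi, _ in circles[:-1]]
    rhs = [di2 - dn2 + xn ** 2 - xi ** 2 + yn ** 2 - yi ** 2
           for xi, yi, di2 in circles[:-1]]
    # Normal equations (A^T A) p = A^T b, solved directly for the 2x2 case.
    s11 = sum(a * a for a, _ in rows)
    s12 = sum(a * b for a, b in rows)
    s22 = sum(b * b for _, b in rows)
    t1 = sum(a * v for (a, _), v in zip(rows, rhs))
    t2 = sum(b * v for (_, b), v in zip(rows, rhs))
    det = s11 * s22 - s12 * s12
    if abs(det) < 1e-9:
        raise ValueError("AP geometry is degenerate (APs are collinear)")
    x = (s22 * t1 - s12 * t2) / det
    y = (s11 * t2 - s12 * t1) / det
    return x, y


if __name__ == "__main__":
    readings = simulate_rssi((40.0, 25.0, CLIENT_HEIGHT))
    print("estimated (x, y):", estimate_position(readings))
```

With exact readings the estimate reproduces the constructed client position; with real RSSI the residual of the normal equations is the figure a practitioner would watch, since a large residual means the path-loss parameters no longer describe the site and the zone assignment downstream cannot be trusted.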
D-16
NOTE: The configuration outlined in the Network Topology is not necessarily applicable to all customer environments.
D-17
• A Windows XP workstation is available with Microsoft Internet Explorer or Mozilla Firefox to perform Web UI configuration
D.2.4.2 Components
The information in this section is based on the following Motorola hardware and software versions:
• 1 RFS7000 model switch (version 2.3 or higher)
• 4 AP300 model Access Ports
D.2.4.3 Site Information
The first step for enabling the real-time locationing engine is to provide information about the site where clients are to be located.
D-18
Defining the Site Name and Dimensions
For a listing of the radio, switch and Ethernet switch configurations used in the development of this tutorial, see Baseline Configurations on page D-27.
The following steps demonstrate how to define a location site's name and dimensions using the switch CLI:
1. Enter the global configuration context by issuing a configure terminal command.
RFS7000# configure terminal
RFS7000(config)#
2.
D-19
1. From the switch menu tree select Services > RTLS.
2. Provide a Name and Description for the site as well as the site’s Length, Width, Height and Unit dimensional information. Click Apply when completed.
D.2.4.4 Access Point Location
Once initial site information has been defined, the location of each deployed AP needs to be entered. AP location is important, as the location engine uses it when estimating the locations of tracked devices.
D-20
AP Number  MAC Address        X Axis  Y Axis  Z Axis
1          00-15-70-78-F5-23  30      10      16
2          00-15-70-D5-DA-FB  10      30      16
3          00-15-70-B2-FD-CF  50      50      16
4          00-15-70-B2-FD-D0  75      20      8
Defining the AP Information
The following steps demonstrate how to define AP location using the switch CLI:
1. In the RTLS configuration context, add each Access Point and specify the MAC Address and X,Y,Z coordinates by issuing the ap command.
D-21
2. Verify the location site AP configuration by issuing the show rtls site command.
RFS7000# show rtls site
Switch Web UI Configuration
The following steps demonstrate how to define access point information for the site:
1. From the switch menu tree select Services > RTLS.
2. Select the Add button.
D-22
3. Enter the AP's MAC address and X, Y, Z coordinates. Click OK.
4. Repeat for each additional AP. Once completed, the four APs display in the AP Information table.
D.2.4.5 Location Zones
The final step for defining the site is specifying the zones in which tracked clients are placed. When tracking clients, the integrated location engine associates each tracked client with a zone and provides a more specific X, Y coordinate zone estimation for the client.
D-23
Defining Zone Perimeters
The following steps demonstrate how to name and define the perimeter of three zones at the site:
1. In the RTLS configuration context, define the name for zone 1 by issuing a zone command.
Syntax: zone
RFS7000(config-rtls)# zone 1 name Office
2. Enter each point on the perimeter for zone 1 (in order). In this example, zone 1 includes 6 points which will each be entered in order (counterclockwise).
D-24
3. Define the name for zone 2 by issuing a zone command.
Syntax: zone
RFS7000(config-rtls)# zone 2 name Secure Area
4. Using the zone command, enter each point on the perimeter for zone 2 (in order). In this example, zone 2 includes 4 points which should each be entered in order (counterclockwise).
D-25 7. Verify location site zone information and configuration by issuing a show rtls zone detail command.
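Zone assignment, as the steps above set it up, reduces to a point-in-polygon test over perimeters entered as ordered (counterclockwise) points. The following is an added Python example, not the switch's own location engine: the zone names are the tutorial's, but the vertex coordinates are constructed for the example because the page does not carry them, and the ordering check is an assumption about what "in order (counterclockwise)" requires.

```python
# Zone perimeters as ordered vertex lists. Names follow the tutorial; the
# coordinates below are constructed for this example.
ZONES = {
    "Office": [(0, 0), (40, 0), (40, 20), (20, 20), (20, 40), (0, 40)],
    "Secure Area": [(50, 30), (80, 30), (80, 60), (50, 60)],
}


def signed_area(polygon):
    """Shoelace formula: positive for counterclockwise vertex order."""
    area2 = 0.0
    n = len(polygon)
    for i in range(n):
        x1, y1 = polygon[i]
        x2, y2 = polygon[(i + 1) % n]
        area2 += x1 * y2 - x2 * y1
    return area2 / 2.0


def is_counterclockwise(polygon):
    """Validate the entry order the tutorial asks for before trusting a zone."""
    return signed_area(polygon) > 0


def point_in_polygon(point, polygon):
    """Ray casting: a point is inside when a horizontal ray to +x crosses an odd number of edges."""
    x, y = point
    inside = False
    n = len(polygon)
    for i in range(n):
        x1, y1 = polygon[i]
        x2, y2 = polygon[(i + 1) % n]
        # Half-open comparison so a vertex lying exactly on the ray is counted once.
        if (y1 > y) != (y2 > y):
            x_cross = x1 + (y - y1) * (x2 - x1) / (y2 - y1)
            if x < x_cross:
                inside = not inside
    return inside


def assign_zone(point, zones=ZONES):
    """Return the first zone whose perimeter contains the point, or None if it is in no zone."""
    for name, polygon in zones.items():
        if len(polygon) < 3:
            raise ValueError(f"zone {name!r} needs at least three points")
        if not is_counterclockwise(polygon):
            raise ValueError(f"zone {name!r} vertices are not in counterclockwise order")
        if point_in_polygon(point, polygon):
            return name
    return None


if __name__ == "__main__":
    for xy in [(10, 10), (30, 30), (60, 45)]:
        print(xy, "->", assign_zone(xy))
```

Rejecting a clockwise perimeter up front mirrors the ordering requirement in the procedure; a zone entered in the wrong order still forms a polygon, so without the check the mistake would surface only as clients being reported in the wrong area.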
D-26
5. View client location by issuing a show rtls tags command. This command displays each client's X,Y coordinate and zone.
RFS7000(config-rtls-sole)# show rtls tags
Switch Web UI Configuration
The following steps demonstrate how to enable the integrated RTLS engine and track Wi-Fi clients at a site:
1. From the switch menu tree select Services > RTLS.
2. Select the SOLE tab.
3. Enable locationing for all clients by clicking the Locate All Mobile-Units checkbox.
D-27
Location information for each associated MU (including X,Y coordinates and zone) displays in the Located MU's table.
D.2.5 Baseline Configurations
This section displays the radio, switch and Ethernet switch configurations used for this tutorial.
D-28
service prompt crash-info
!
username "admin" password 1 b6b6ccabdb85763872c7fbdf436ec2ed86bf931e
username "admin" privilege superuser
username "operator" password 1 b6b6ccabdb85763872c7fbdf436ec2ed86bf931e
!
!
!
spanning-tree mst configuration
name My Name
!
crypto pki trustpoint ESELAB
subject-name "rfs6000" US "TN" "Johnson City" "Motorola Inc." "WLAN Enterprise Division"
fqdn "rfs6000.eselab.com"
ip-address 192.168.10.
D-29
service radius
license AP fc781051ebf9d99ced010a4dab46a63a760c66f54b1c496da322d3cd41d046777fbed80f433b68ea
!
wireless
secure-wispe-default-secret 0 defaultS
adoption-pref-id 100
no adopt-unconf-radio enable
manual-wlan-mapping enable
wlan 1 enable
wlan 1 description MOTO-DATA
wlan 1 ssid MOTO-DATA
wlan 1 vlan 40
wlan 1 encryption-type tkip
wlan 1 authentication-type eap
wlan 1 radius server primary 192.168.10.
D-30
radio 3 on-channel-scan
radio 3 adoption-pref-id 200
radio add 4 00-15-70-B2-FD-CF 11bg ap300
radio 4 description AP300-2-BG
radio 4 bss 1 1
radio 4 bss 2 2
radio 4 bss 3 3
radio 4 channel-power indoor 6 18
radio 4 on-channel-scan
radio 4 short-preamble
radio 4 adoption-pref-id 200
radio add 5 00-15-70-B2-FD-D0 11a ap300
radio 5 description AP300-3-A
radio 5 bss 1 1
radio 5 channel-power indoor 44 15
radio 5 on-channel-scan
radio 5 adoption-pref-id 100
radio a
D-31
radio 8 adoption-pref-id 200
no ap-ip default-ap switch-ip
ap-detection enable
!
smart-rf
radio 1 radio-mac 00-15-70-7E-27-6C
radio 2 radio-mac 00-15-70-7E-3F-1C
radio 3 radio-mac 00-15-70-CD-82-BC
radio 4 radio-mac 00-15-70-CD-83-84
radio 5 radio-mac 00-15-70-CD-83-6C
radio 6 radio-mac 00-15-70-CD-83-24
radio 7 radio-mac 00-15-70-D0-25-64
radio 8 radio-mac 00-15-70-D0-26-54
!
!
interface ge1
switchport access vlan 10
!
interface ge2
switchport access vlan 10
!
interface ge3
switchport access vlan 10
D-32
no ip address
!
interface up1
description Uplink
switchport mode trunk
switchport trunk native vlan 10
switchport trunk native tagged
switchport trunk allowed vlan none
switchport trunk allowed vlan add 10,40,
!
interface vlan1
no ip address
!
interface vlan10
management
description SERVICES
ip address 192.168.10.
D-33
site name Acme Inc.
site description Acme Inc. San Jose CA
site dimension length 80 width 60 height 18
ap 00-15-70-D5-DA-FB coordinates x 10 y 30 z 16
ap 00-15-70-B2-FD-CF coordinates x 50 y 50 z 16
ap 00-15-70-78-F5-23 coordinates x 30 y 10 z 16
ap 00-15-70-B2-FD-D0 coordinates x 75 y 20 z 8
sole
locate mobile-unit enable
!
ip route 0.0.0.0/0 192.168.10.1
!
ntp server 192.168.10.5 prefer
line con 0
line vty 0 24
!
end
D-34
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface GigabitEthernet1/0/1
description INTERNET
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/2
description DHCP SERVER
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/3
description RFS6000
switchport trunk encapsulation dot1q
switchport mode trun
D-35
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
description AP300-1
switchport access vlan 11
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/13
description AP300-2
switchport access vlan 11
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/14
description AP300-3
switchport access vlan 11
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/15
description AP300-4
switchport access vlan 11
switchport mod
D-36
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface Vlan1
no ip address
!
interface Vlan10
ip address 192.168.10.1 255.255.255.0
!
interface Vlan11
ip address 192.168.11.1 255.255.255.0
!
interface Vlan40
ip address 192.168.40.
D-37
line vty 5 15
login
!
ntp clock-period 36028926
ntp server 192.168.0.5 prefer
end
D.3 MU to MU Disallow
The MU to MU disallow feature allows the RF Switch to block communications exchanged between clients associated to a WLAN. With the Motorola WLAN architecture, all MU traffic is forwarded to the RF Switch from adopted Access Ports (APs). When MUs communicate with other MUs, traffic is forwarded from the source AP to the RF Switch and then on to the AP where the destination MU resides.
D-38
D.3.1 Defining an MU to MU Disallow Configuration
The following sections outline the requirements, components and steps required to disable MU to MU communications for a WLAN configured on an RF Switch. To view the running configuration on the RFS6000 switch used to create this MU to MU disallow tutorial, refer to RF Switch Running Configuration on page D-40.
D-39
SSID        Authentication  Encryption  MU-MU Traffic
MOTO-DATA   802.1x          WPA2-CCMP   Allow
MOTO-GUEST  Hotspot         None        Drop
MOTO-VOICE  PSK             WPA2-CCMP   Allow
To disable MU to MU communications:
1. From the switch menu tree select Network > Wireless LANs.
2. Select the Configuration tab.
3. Select an available SSID (to modify) and select the Edit button.
D-40
4. Change the default MU to MU Traffic option from Allow Packets to Drop Packets. This disables MU to MU communications for all users associated with the SSID. Click OK.
5. Select Save (from the lower left-hand corner) to apply the changes.
D-41
username "admin" password 1 b6b6ccabdb85763872c7fbdf436ec2ed86bf931e
username "admin" privilege superuser
username "operator" password 1 b6b6ccabdb85763872c7fbdf436ec2ed86bf931e
!
!
!
spanning-tree mst configuration
name My Name
!
crypto pki trustpoint ESELAB
subject-name "rfs6000" US "TN" "Johnson City" "Motorola Inc." "WLAN Enterprise Division"
fqdn "rfs6000.eselab.com"
ip-address 192.168.10.14
!
management secure
ip domain-name eselab.com
ip name-server 192.168.10.
D-42
license AP fc781051ebf9d99ced010a4dab46a63a760c66f54b1c496da322d3cd41d046777fbed80f433b68ea
!
wireless
secure-wispe-default-secret 0 defaultS
no adopt-unconf-radio enable
manual-wlan-mapping enable
wlan 1 enable
wlan 1 description MOTO-DATA
wlan 1 ssid MOTO-DATA
wlan 1 vlan 40
wlan 1 encryption-type tkip
wlan 1 authentication-type eap
wlan 1 radius server primary 192.168.10.
D-43
radio 1 adoption-pref-id 100
radio add 2 00-15-70-78-F5-23 11bg ap300
radio 2 description AP300-1-BG
radio 2 bss 1 1
radio 2 bss 2 2
radio 2 bss 3 3
radio 2 channel-power indoor 1 18
radio 2 on-channel-scan
radio 2 short-preamble
radio 2 adoption-pref-id 100
radio add 3 00-15-70-B2-FD-CF 11a ap300
radio 3 description
D-44
radio 7 on-channel-scan
radio add 8 00-15-70-D5-DA-CE 11bg ap300
radio 8 description AP300-4-BG
radio 8 channel-power indoor 1 4
radio 8 on-channel-scan
radio 8 short-preamble
radio add 9 00-15-70-D5-DA-FB 11a ap300
radio 9 description AP300-5-A
radio 9 channel-power indoor 149 20
radio 9 on-channel-scan
radio add 10 00-15-70-D5-DA-FB 11bg ap300
radio 10 description AP300-5-BG
radio 10 channel-power indoor 6 4
radio 10 on-channel-scan
no ap-ip default-ap switc
D-45
interface ge3
switchport access vlan 10
!
interface ge4
switchport access vlan 10
!
interface ge5
switchport access vlan 10
!
interface ge6
switchport access vlan 10
!
interface ge7
switchport access vlan 10
!
interface ge8
switchport access vlan 10
!
interface me1
no ip address
!
interface up1
description Uplink
switchport mode trunk
switchport trunk native vlan 10
switchport trunk native tagged
switchport trunk allowed vlan none
switchport trunk allowed vlan add 10,12,40,70,80,
!
interface vlan1
no
D-46
!
rtls
rfid
espi
sole
!
ip route 0.0.0.0/0 192.168.10.1
!
ntp server 192.168.10.5 prefer
line con 0
line vty 0 24
!
end
D.4 Secure Beacons
Secure beacons allow an SSID name to be masked for a WLAN (in the beacon) so MUs are unable to see or view the SSID. MUs discover WLAN services by listening to beacons advertised from APs.
D-47
Secure Beacon Frame Example
With certain applications (such as a hotspot providing guest access), it may be desirable to mask the SSID name to make it harder for casual eavesdroppers to discover the SSID and connect to a WLAN. It is not recommended that secure beacons be used for real-time applications (such as voice) requiring fast roaming. The SSID name is not intended as a password and should not be used as one. If security is required, the appropriate authentication and encryption should be used.
D-48
BSSID  SSID        Secure Beacon
1      MOTO-DATA   Disabled
2      MOTO-GUEST  Enabled
3      MOTO-VOICE  Disabled
CAUTION: The SSID is not designed nor intended as a security mechanism. Motorola does not recommend using the SSID as a mode of security.
CAUTION: Disabling SSID broadcasts may have adverse effects on Wi-Fi interoperability for mixed-client deployments.
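A site survey or WIDS tool verifies a secure beacon by parsing the SSID element of the beacon frame rather than by trusting the switch's configuration screen. The following is an added Python example, not code from the guide or any Motorola product: it constructs a beacon frame body (fixed fields followed by information elements), then parses it back, treating both a zero-length SSID element and a NUL-filled one as a masked SSID, and refusing to read past the end of a truncated frame. The frame contents, element values and helper names are constructed for the example.

```python
import struct

SSID_ELEMENT_ID = 0
SUPPORTED_RATES_ELEMENT_ID = 1
BEACON_FIXED_LEN = 8 + 2 + 2  # timestamp, beacon interval, capability info


def build_beacon_body(ssid, secure_beacon=False, null_fill=False):
    """Constructed beacon frame body. secure_beacon masks the SSID either as a
    zero-length element or, with null_fill, as a length-preserving run of NULs;
    both forms are seen from real access points."""
    raw = ssid.encode("utf-8")
    if secure_beacon:
        raw = b"\x00" * len(raw) if null_fill else b""
    # timestamp 0, 100 TU interval, capability bits ESS (0x0001) + Privacy (0x0010)
    fixed = struct.pack("<QHH", 0, 100, 0x0011)
    ssid_ie = bytes([SSID_ELEMENT_ID, len(raw)]) + raw
    rates_ie = bytes([SUPPORTED_RATES_ELEMENT_ID, 4, 0x82, 0x84, 0x8B, 0x96])
    return fixed + ssid_ie + rates_ie


def parse_elements(body):
    """Return [(element_id, value), ...] from a beacon body, rejecting
    elements whose declared length runs past the end of the frame."""
    if len(body) < BEACON_FIXED_LEN:
        raise ValueError("beacon body shorter than its fixed fields")
    elements = []
    pos = BEACON_FIXED_LEN
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("element header truncated")
        eid, elen = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + elen]
        if len(value) != elen:
            raise ValueError(f"element {eid} declares {elen} bytes, only {len(value)} present")
        elements.append((eid, value))
        pos += 2 + elen
    return elements


def beacon_ssid(body):
    """Return (ssid, masked). ssid is None when the beacon hides it."""
    for eid, value in parse_elements(body):
        if eid == SSID_ELEMENT_ID:
            if len(value) == 0 or all(b == 0 for b in value):
                return None, True
            return value.decode("utf-8", errors="replace"), False
    raise ValueError("beacon carries no SSID element")


if __name__ == "__main__":
    # Mirrors the table above: MOTO-GUEST has Secure Beacon enabled.
    for name, masked in [("MOTO-DATA", False), ("MOTO-GUEST", True), ("MOTO-VOICE", False)]:
        print(beacon_ssid(build_beacon_body(name, secure_beacon=masked)))
```

The length check in parse_elements is the part worth keeping in any real capture parser: element lengths come from the air, and a survey tool that indexes past a short buffer on a malformed frame is itself a soft target.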
D-49
3. Highlight an SSID to modify and select Edit.
4. Select the Secure Beacon checkbox. This disables the SSID advertised in the beacon. Click OK.
5. Select Save (from the lower left-hand corner) to apply the changes.
D.4.2 RF Switch Running Configuration
The following is the running configuration on the RFS6000 switch used to create this secure beacon tutorial:
RFS6000# show running-config
!
! configuration of RFS6000 version 3.3.0.
D-50
version 1.2
!
!
aaa authentication login default local none
service prompt crash-info
!
username "admin" password 1 b6b6ccabdb85763872c7fbdf436ec2ed86bf931e
username "admin" privilege superuser
username "operator" password 1 b6b6ccabdb85763872c7fbdf436ec2ed86bf931e
!
!
!
spanning-tree mst configuration
name My Name
!
crypto pki trustpoint ESELAB
subject-name "rfs6000" US "TN" "Johnson City" "Motorola Inc." "WLAN Enterprise Division"
fqdn "rfs6000.eselab.
D-51
ip telnet
no service pm sys-restart
timezone America/New_York
service radius
license AP fc781051ebf9d99ced010a4dab46a63a760c66f54b1c496da322d3cd41d046777fbed80f433b68ea
!
wireless
secure-wispe-default-secret 0 defaultS
no adopt-unconf-radio enable
manual-wlan-mapping enable
wlan 1 enable
wlan 1 description MOTO-DATA
wlan 1 ssid MOTO-DATA
wlan 1 vlan 40
wlan 1 encryption-type tkip
wlan 1 authentication-type eap
wlan 1 radius server primary 192.168.10.
D-52
radio 1 description AP300-1-A
radio 1 bss 1 1
radio 1 channel-power indoor 36 15
radio 1 on-channel-scan
radio 1 adoption-pref-id 100
radio add 2 00-15-70-78-F5-23 11bg ap300
radio 2 description AP300-1-BG
radio 2 bss 1 1
radio 2 bss 2 2
radio 2 bss 3 3
radio 2 channel-p
D-53
radio 6 adoption-pref-id 100
radio add 7 00-15-70-D5-DA-CE 11a ap300
radio 7 description AP300-4-A
radio 7 channel-power indoor 48 17
radio 7 on-channel-scan
radio add 8 00-15-70-D5-DA-CE 11bg ap300
radio 8 description AP300-4-BG
radio 8 channel-power indoor 1 4
radio 8 on-channel-scan
radio 8 short-preamble
radio add 9 00-15-70-D5-DA-FB 11a ap300
radio 9 description AP300-5-A
radio 9 channel-power indoor 149 20
radio 9 on-channel-scan
radio add 10 00-15-70-D5-DA-FB 11bg ap300
radio 10 description AP3
D-54
!
interface ge2
switchport access vlan 10
!
interface ge3
switchport access vlan 10
!
interface ge4
switchport access vlan 10
!
interface ge5
switchport access vlan 10
!
interface ge6
switchport access vlan 10
!
interface ge7
switchport access vlan 10
!
interface ge8
switchport access vlan 10
!
interface me1
no ip address
!
interface up1
description Uplink
switchport mode trunk
switchport trunk native vlan 10
switchport trunk native tagged
switchport trunk all
D-55
description GUEST
ip address 192.168.70.14/24
!
!
!
rtls
rfid
espi
sole
!
ip route 0.0.0.0/0 192.168.10.1
!
ntp server 192.168.10.5 prefer
line con 0
line vty 0 24
!
end
D.5 Secure Device Management
An RF Switch can be managed through multiple interfaces, including SNMP, CLI and Web UI. By default, management access to the RF Switch is unrestricted, allowing management access to any enabled IP interface from any host using any enabled management service.
D-56
Management restrictions can be applied to meet specific company policies or industry requirements mandating that only certain devices or staff be granted access to critical infrastructure devices. Management restrictions can also be applied to reduce the attack footprint of a device when guest credentials are used.
D-57
• One or more RF Switches are installed and operational on the network
• One or more AP300 Access Ports are configured and adopted by the switch
• One (or more) WLAN profiles are configured and assigned to adopted radios
• A Windows XP workstation with Microsoft Internet Explorer or Mozilla Firefox to perform Web UI configuration and verify secure network management
D-58
1. From the switch menu tree select Network > Switch Virtual Interface.
2. Select the Configuration tab.
3. Highlight the interface used for management and select Edit.
4. Select the Set as Management Interface checkbox.
5. Click OK.
6. From the switch menu tree select Management Access > Access Control.
D-59
7. Select the Secure Management (on Management VLAN only) checkbox then click Apply.
8. Select Save (from the lower left-hand corner) to apply the changes.
Access Control Lists
Secure management is an effective way to limit management access to a specific IP interface on the RF Switch. However, secure management does not restrict access to specific hosts or VLANs which have IP access through a router or routing switch.
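The standard IP ACL this section goes on to build (permit the management and Access Point subnets, deny everything else) is evaluated top-down with first match wins and an implicit deny for anything unmatched. The following is an added Python example, not code from the guide or the switch; the subnets are the ones used in this appendix's baseline configurations (192.168.10.0/24 for Services / Management, 192.168.11.0/24 for the AP300 ports on the Ethernet switch), while the rule list and the request records it filters are constructed for the example.

```python
import ipaddress

# Standard ACL for the management interface, in evaluation order. The final
# explicit deny matches what the procedure adds as its last rule; without it
# the implicit deny at the end of the list gives the same result.
MANAGEMENT_ACL = [
    ("permit", "192.168.10.0/24"),  # Services / Management subnet (vlan10)
    ("permit", "192.168.11.0/24"),  # Access Point subnet (vlan11)
    ("deny", "0.0.0.0/0"),          # everything else
]

# Constructed management request records: "source_ip service".
REQUESTS = [
    "192.168.10.50 https",
    "192.168.11.7 snmp",
    "192.168.70.9 https",   # guest VLAN host reaching the management interface via the router
    "10.0.0.1 ssh",
]


def compile_acl(rules):
    """Validate actions and parse prefixes once, keeping rule order."""
    compiled = []
    for action, prefix in rules:
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown ACL action {action!r}")
        compiled.append((action, ipaddress.ip_network(prefix, strict=True)))
    return compiled


def evaluate(acl, source_ip):
    """Return (action, rule_index) for the first matching rule, or
    ('deny', None) when the implicit deny at the end of the list applies."""
    src = ipaddress.ip_address(source_ip)
    for index, (action, network) in enumerate(acl):
        if src.version == network.version and src in network:
            return action, index
    return "deny", None


def denied_requests(acl, records):
    """Apply the ACL to request records and return the denied ones for review;
    a steady stream of denies from one source is worth an alert."""
    denied = []
    for record in records:
        src, service = record.split()
        action, _ = evaluate(acl, src)
        if action == "deny":
            denied.append((src, service))
    return denied


if __name__ == "__main__":
    acl = compile_acl(MANAGEMENT_ACL)
    for src, service in denied_requests(acl, REQUESTS):
        print(f"denied {service} from {src}")
```

Keeping the explicit deny as the last rule, as step 9 of the procedure does, makes the intent visible when the ACL is read back; the implicit deny is easy to forget when a later edit appends a permit below it.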
D-60
The RF Switch has a standard IP ACL applied to interface vlan10 which permits IP access from the Services / Management and Access Point subnets but denies access from all other subnets. This example provides IP access for management servers, clients and APs while restricting access for all other users and devices.
Switch Web UI Configuration
The following demonstrates how to create a standard IP ACL and apply it to the management IP interface:
1.
D-61
6. Back in the Configuration tab, select the ACL created in steps 3 and 4.
7. Click Add under the Associated Rules field.
8. Within the Add Rule window, create the first required permit rule for the subnet or host then click OK. Create additional permit rules as required.
9. Lastly, create the deny rule to deny access to all other hosts and click OK.
10. Back at the Security > Firewall screen, select the Attach-L2/L3 tab and click Add.
11. Select the management Interface.
12. Select the IP ACL you created previously. Click OK.
13. Select Save (from the lower left-hand corner) to apply the changes.
D.5.1.4 Disabling Insecure Management Interfaces
Network administrators can secure management access to the RF Switch by disabling less secure management interfaces. By default, the switch enables all CLI, SNMP and Web UI management interfaces, some of which do not support encryption or authentication.
Switch Web UI Configuration
The following demonstrates how to disable insecure telnet, HTTP and SNMPv2 management interfaces:
1. From the switch menu tree select Management Access > Access Control.
2. Select the Enable Telnet, Enable SNMP v2, Enable HTTP and Enable FTP checkboxes.
3. Click the Apply button.
4. Select Save (from the lower left-hand corner) to apply the changes.
D.5.1.
• If Radius authentication is used, associated role information is supplied to the Radius server, except when using vendor-specific return attributes.
For availability, the RF Switch also supports multiple Radius server definitions and fallback to provide authentication in the event of failure or communication issues. If the primary Radius server is unavailable, the RF Switch attempts authentication with the next RADIUS server.
Associated Role   Description
Web User          Provides privileges to add users for Hotspot authentication.
Super User        Provides full administrative access rights.
Access modes can be assigned to management user accounts to restrict the management interfaces a user can access. As with associated roles, a management user can be assigned a single access role to restrict access to a specific management interface, or multiple access roles to allow access to multiple management interfaces.
5. Within the Associated Roles field, deselect the Monitor role and select WebUser Administrator.
6. In the Access Modes field, deselect the Console, Telnet and SSHv2 roles and leave the WEB-UI role enabled. Click OK.
7. Select Save (from the lower left-hand corner) to apply the changes.
Radius Management Authentication
The RF Switch can optionally authenticate management users against a Radius server.
Associated role information is forwarded to the RF Switch from the Radius server as a vendor specific attribute. One or more associated roles must be defined for each management user on the Radius server so the RF Switch knows what permissions to assign the user upon successful authentication. If no associated role is assigned, the user is provided read-only access.
3. Set the Preferred method to radius. Click Add.
4. Enter the Radius Server IP Address and Radius shared key. Click OK.
5. Select Save (from the lower left-hand corner) to apply the changes.
D.5.
! configuration of RFS6000 version 3.3.0.0-029R
!
version 1.2
!
!
aaa authentication login default radius local
service prompt crash-info
!
username "admin" password 1 b6b6ccabdb85763872c7fbdf436ec2ed86bf931e
username "admin" privilege superuser
username "operator" password 1 b6b6ccabdb85763872c7fbdf436ec2ed86bf931e
username "webadmin" password 1 3f6e90d89b7cc608717b77f8d49cda24a1c4c518
username "webadmin" access web
username "webadmin" privilege webadmin
!
!
ip access-list standard 1 permit 192.
snmp-server user snmptrap v3 encrypted auth md5 0xe3e4b0c4acafa27f6a23ad77d69ac182
snmp-server user snmpmanager v3 encrypted auth md5 0xe3e4b0c4acafa27f6a23ad77d69ac182
snmp-server user snmpoperator v3 encrypted auth md5 0x4fc3ccf48e7c1c7780f936f8cb3fcc64
ip http server
ip http secure-trustpoint ESELAB
ip http secure-server
ip ssh
no service pm sys-restart
timezone America/New_York
service radius
license AP fc781051ebf9d99ced010a4dab46a63a760c66f54b1c496da322d
wlan 3 description MOTO-VOICE
wlan 3 ssid MOTO-VOICE
wlan 3 vlan 80
wlan 3 encryption-type tkip
wlan 3 dot11i phrase 0 motovoicetest
wlan 3 dot11i preauthentication
radio add 1 00-15-70-78-F5-23 11a ap300
radio 1 description AP300-1-A
radio 1 bss 1 1
radio 1 channel-power indoor 36 15
radio 1 on-channel-scan
radio 1 adoption-pref-id 100
radio add 2 00-15-70-78-F5-23 11bg ap300
radio 2 description AP300-1-BG
radio 2 bss 1 1
radio 2 bss 2 2
radio 2 bss 3 3
radio 2 channel-power indoor 1 18
radio 2 on-ch
radio 6 description AP300-3-BG
radio 6 bss 1 1
radio 6 bss 2 2
radio 6 bss 3 3
radio 6 channel-power indoor 11 18
radio 6 on-channel-scan
radio 6 short-preamble
radio 6 adoption-pref-id 100
radio add 7 00-15-70-D5-DA-CE 11a ap300
radio 7 description AP300-4-A
radio 7 channel-power indoor 48 17
radio 7 on-channel-scan
radio add 8 00-15-70-D5-DA-CE 11bg ap300
radio 8 description AP300-4-BG
radio 8 channel-power indoor 1 4
radio 8 on-channel-scan
radio 8 short-pr
nas 192.168.10.
!
interface vlan10
management
description SERVICES
ip address 192.168.10.14/24
ip access-group 1 in
!
interface vlan70
description GUEST
ip address 192.168.70.14/24
!
!
!
rtls
rfid
espi
sole
!
ip route 0.0.0.0/0 192.168.10.1
!
ntp server 192.168.10.5 prefer
radius-server host 192.168.10.5 key 0 sharedkey
line con 0
line vty 0 24
!
end
D.
D.6.1 Shared Secrets
Encryption and authentication are provided by defining an 8 to 64 character shared secret on the RF Switch for each AP300 profile. The shared secret authenticates the AP300 during adoption, and derives a unique session key to encrypt the management and control frames. Depending on customer requirements, the same shared secret can be defined for all AP300s on an RF Switch, or a unique shared secret can be configured for each AP.
and control frames. If pre staging mode is not enabled for the AP300, the AP300 does not have the correct shared secret and will fail to authenticate to the RF Switch. Once the shared secret is applied to an AP300, pre staging can be disabled on the AP. Subsequent changes to the shared secret, once secure WiSPe is enabled, are applied over secured management and control frames, and pre staging mode is not required.
D.6.5.2 Components
The information in this section is based on the following Motorola hardware and software versions:
• 1 RFS6000 model switch
• 5 AP300 model access ports
D.6.5.3 Enabling Secure WISPe on Existing AP300s
As depicted in the illustration below, an RF Switch is deployed at a site with four AP300s adopted (at L3). An administrator wants to enable secure WiSPe on the existing AP300s to secure management and control frames and provide authentication.
3. Highlight and select the AP300s then click Edit.
4. Check the Secure Mode and Pre Staging Mode options. This enables secure WiSPe on existing AP300s and allows the AP300s to receive the new shared key upon re-adoption.
5. In the Shared Secret field enter the new shared secret to be applied to the AP300s. In this example, the shared secret new-pre-shared-key is defined. Click OK. The updates are reflected within the Secure WISPe table.
6.
7. Highlight and select the radios to reset.
8. Select Tools and Reset.
9. Select Reset entire Access Port. This resets adopted AP300s. During re-adoption with the switch, this action applies the new shared key to each AP300 and enables secure WiSPe.
10. From the switch menu tree select Network > Access Port.
11. Select the WISPe tab.
12. Highlight and select the AP300s then select Edit.
13. Un-check the Pre Staging Mode option and select OK. The updates are reflected within the Secure WISPe table.
14. Select Save (from the lower left-hand corner) to apply the changes.
D.6.5.4 Enabling Secure WISPe on New AP300s
As depicted in the illustration below, a new AP300 is added to an RF Switch with four existing AP300s with secure WiSPe enabled.
• A default pre shared secret be defined on the RF Switch.
3. In the Default Pre Shared Secret field enter the new shared secret to be applied to new AP300s added to the RF Switch. In this example the shared secret new-pre-shared-key is used. Click Apply.
4. From the switch menu tree select Network > Access Port Radios.
5. Select the Configuration tab.
6. Select Add.
7. In the AP MAC Address field enter the MAC address for the new AP.
8. Set the AP Type to AP300.
9. Enable the 802.11a and 802.11bg radios and specify a Radio Index. Click OK. The results of the updates are reflected within the Network > Access Port Radios > Configuration screen.
10. From the switch menu tree select Network > Access Port.
11. Select the WISPe tab.
12. Highlight and select the newly added AP300. Click Edit.
13. Select the Secure Mode and Pre Staging Mode options. The Shared Secret does not need to be defined, as the AP300 is configured with the default shared secret. Click OK. The updates are reflected as displayed above.
14. Connect the new AP300 to the network and verify it is adopted by the RF Switch.
15. From the switch menu tree select Network > Access Port.
16. Select the WISPe tab.
17. Highlight and select the newly added AP300. Click Edit.
18. Un-check the Pre Staging Mode option. Click OK.
19. Select Save (from the lower left-hand corner) to apply the changes.
D.6.6 RF Switch Running Configuration
The following shows the running configuration of the RFS6000 switch used to create this tutorial:
RFS6000# show running-config
!
! configuration of RFS6000 version 3.3.0.0-029R
!
version 1.
snmp-server user snmptrap v3 encrypted auth md5 0xe3e4b0c4acafa27f6a23ad77d69ac182
snmp-server user snmpmanager v3 encrypted auth md5 0xe3e4b0c4acafa27f6a23ad77d69ac182
snmp-server user snmpoperator v3 encrypted auth md5 0x4fc3ccf48e7c1c7780f936f8cb3fcc64
ip http server
ip http secure-trustpoint ESELAB
ip http secure-server
ip ssh
ip telnet
no service pm sys-restart
timezone America/New_York
service radius
license AP fc781051ebf9d99ced010a4dab46a63a760c66f54b1c496da322d3cd41d046777fbed80f433b68ea
!
w
wlan 2 radius accounting server primary 192.168.10.
radio 5 description AP300-3-A
radio 5 bss 1 1
radio 5 channel-power indoor 44 15
radio 5 on-channel-scan
radio 5 adoption-pref-id 100
radio add 6 00-15-70-B2-FD-D0 11bg ap300
radio 6 description AP300-3-BG
radio 6 bss 1 1
radio 6 bss 2 2
radio 6 bss 3 3
radio 6 channel-power indoor 11 18
radio 6 on-channel-scan
radio 6 short-preamble
radio 6 adoption-pref-id 100
radio add 7 00-15-70-D5-DA-CE 11a ap300
radio 7 description AP300-4-A
radio 7 channel-power indoor 48 17
radio 7 on-channel-scan
radio add 8
radio 1 radio-mac 00-15-70-7E-27-6C
radio 2 radio-mac 00-15-70-7E-3F-1C
radio 3 radio-mac 00-15-70-CD-82-BC
radio 4 radio-mac 00-15-70-CD-83-84
radio 5 radio-mac 00-15-70-CD-83-6C
radio 6 radio-mac 00-15-70-CD-83-24
radio 7 radio-mac 00-15-70-D0-24-4C
radio 8 radio-mac 00-15-70-D0-23-EC
radio 9 radio-mac 00-15-70-D0-25-64
radio 10 radio-mac 00-15-70-D0-26-54
!
!
radius-server local
authentication eap-auth-type all
nas 192.168.10.
interface ge8
switchport access vlan 10
!
interface me1
no ip address
!
interface up1
description Uplink
switchport mode trunk
switchport trunk native vlan 10
switchport trunk native tagged
switchport trunk allowed vlan none
switchport trunk allowed vlan add 10,12,40,70,80,
!
interface vlan1
no ip address
shutdown
!
interface vlan10
management
description SERVICES
ip address 192.168.10.14/24
!
interface vlan70
description GUEST
ip address 192.168.70.14/24
!
!
!
rtls
rfid
espi
sole
!
ip route 0.0.0.
end
D.7 Wireless IDS
Threats to WLANs are numerous and potentially devastating to business and day-to-day operations. Security issues ranging from unauthorized Access Points to 802.11 attacks can plague a WLAN and jeopardize sensitive information as well as performance.
D.7.1 Unauthorized Access Point Detection
Unauthorized AP detection is a feature directly integrated into the RF Switch. When enabled, it allows the switch to monitor the RF environment for unauthorized APs. Unauthorized APs can be reported to the RF Switch from managed radios configured to perform scanning or from Motorola Mobile Units (MUs) detecting and reporting visible APs when roaming.
D.7.2 Unauthorized Access Point Containment
APs categorized as unapproved represent a potential threat to the network. Unauthorized AP containment can provide temporary mitigation against unauthorized APs by attempting to disrupt communications with any associated MUs as well as attempting to prevent new MUs from associating with the AP. Unauthorized AP containment can be performed by adding APs in the unauthorized AP list to a containment list.
Excessive Probes
TKIP Countermeasures
Excessive EAP Start Frames
Frames with Non-Changing WEP IV
Null Destination
Detect Adhoc Networks
Same Source / Destination MAC
De-Authentication from Broadcast Source MAC
Source Multicast MAC
Invalid Sequence Number
Wireless Intrusion Detection Violations
As shown in the table above, the RF Switch can detect numerous violations, each with a configurable threshold for monitoring the specific violation on an MU, radio and switch.
• Multiple Detection Technologies - Provides accurate and comprehensive detection by applying multiple detection technologies including signature analysis, protocol abuse and anomalous behavior in conjunction with correlation across multiple sensors.
• Location Based Security - Provides location of unauthorized devices and activities using Motorola WLAN infrastructure.
• 5 AP300 model Access Ports
D.7.6.3 Unauthorized AP Detection
As shown in the figure below, a switch is deployed at a site with four AP300s. The administrator wants to enable unauthorized AP detection to be proactively alerted when any APs are added or removed from the site. To support the detection of unauthorized APs, three AP300s are configured to perform single channel scanning while simultaneously providing WLAN services to users. The three APs monitor 2.
4. Within the Network > Access Port Radio > Configuration screen, refer to the Properties field and check the option Single-channel scan for Unapproved APs (for radios 1-4 and 7-8) and Dedicate this AP as a Detector AP (for radios 5-6). In this example radios 1-4 and 7-8 are configured for single channel scanning and radios 5-6 are configured as dedicated detectors.
5. From the switch menu tree select Security > Access Point Detection.
6.
7. Select the Enable checkbox to globally enable unauthorized AP detection on the switch. Click Apply.
NOTE: If Motorola devices are being deployed, you can optionally enable MU Assisted Scanning, which leverages Motorola client extensions on Motorola devices to provide additional detection.
8. From the switch menu tree select Security > Access Point Detection.
9. Select the Unapproved APs (AP Reported) tab. Detected APs are listed in this table.
10.
D.7.6.4 Unauthorized AP Containment
Unauthorized AP containment can be enabled on the RF Switch to provide temporary remediation if an unauthorized AP is placed at the site. Once enabled, the RF Switch provides RF countermeasures against any unauthorized AP MAC addresses added to the containment list.
3. Select the Enable Containment checkbox. Select Apply.
4. Select the Unapproved APs (AP Reported) tab.
! CAUTION: Care should be taken when using unauthorized AP containment to ensure containment is not being performed on authorized neighboring APs.
5. To contain an unauthorized AP, select an entry from the Unapproved APs list and click Contain. This adds the MAC address of the unauthorized AP to the AP Containment list.
6. Select the AP Containment tab.
7. Select Save (from the lower left-hand corner) to apply the changes.
D.7.6.5 Mobile Unit Intrusion Detection
Mobile unit (MU) intrusion detection can be enabled on the RF Switch to provide proactive protection against active intrusion attempts. The switch can detect numerous intrusion violations and can alert administrators of intrusion attempts and attacks. The switch can mitigate by automatically blacklisting MUs triggering the violation.
3. In the Detection Window field, specify the detection window interval (in seconds) the RF Switch uses to scan for violations. In this example, a 60 second detection window is defined. Click Apply.
4. Within the Violation Parameters table, locate Excessive Authentication failure then enter a threshold value in the Mobile Unit, Radio and Switch fields.
5. Additionally, in the Time to Filter field enter a value (in seconds) for how long the MU is blacklisted when violations occur.
Any MUs violating an event are listed in the table.
7. Select Save (from the lower left-hand corner) to apply the changes.
D.7.6.6 SNMP Traps
To alert users of unauthorized APs and intrusion events, an RFMS server should be defined on the RF Switch as an SNMP trap receiver, and the detection of unauthorized APs and intrusion detection traps should be enabled.
1. From the switch menu tree select Management Access > SNMP Trap Receivers.
2. Select Add.
3. Go to Management Access > SNMP Traps.
4. Enter the IP Address of the RFMS server.
5. Under Protocol Options, select the SNMP version. Click OK.
6. From the menu tree select Management Access > SNMP Trap Configuration.
7. Select the Configuration tab.
8. In the All Traps tree, locate Wireless > AP Detection, then select the Unapproved AP detected and Unapproved AP removed traps. Select Enable Trap.
9. Click Apply.
10. From the menu tree select Management Access > SNMP Trap Configuration.
11. Select the Configuration tab.
12.
14. From within the Configuration tab, select the Allow Traps to be generated option then click Apply.
15. Select Save (from the lower left-hand corner) to apply the changes.
SNMP traps for unauthorized APs and MU intrusion detection violations are forwarded to RFMS.
D.7.6.7 RF Switch Running Configuration
The following is the running configuration on the RFS6000 switch used to create this Wireless IDS tutorial:
RFS6000# show running-config
!
! configuration of RFS6000 version 3.3.0.0-029R
!
version 1.
snmp-server sysname RFS6000
snmp-server manager v2
snmp-server manager v3
snmp-server user snmptrap v3 encrypted auth md5 0xe3e4b0c4acafa27f6a23ad77d69ac182
snmp-server user snmpmanager v3 encrypted auth md5 0xe3e4b0c4acafa27f6a23ad77d69ac182
snmp-server user snmpoperator v3 encrypted auth md5 0x4fc3ccf48e7c1c7780f936f8cb3fcc64
snmp-server host 192.168.10.
wlan 1 dot11i preauthentication
wlan 2 enable
wlan 2 description MOTO-GUEST
wlan 2 ssid MOTO-GUEST
wlan 2 vlan 70
wlan 2 authentication-type hotspot
wlan 2 hotspot webpage-location advanced
wlan 2 radius server primary 192.168.10.14
wlan 2 radius server primary radius-key 0 ESELAB
wlan 2 radius accounting server primary 192.168.10.
radio 4 bss 3 3
radio 4 channel-power indoor 6 18
radio 4 on-channel-scan
radio 4 short-preamble
radio 4 adoption-pref-id 200
radio add 5 00-15-70-B2-FD-D0 11a ap300
radio 5 description AP300-3-A
radio 5 bss 1 1
radio 5 channel-power indoor 44 15
radio 5 detector
radio 5 adoption-pref-id 100
radio add 6 00-15-70-B2-FD-D0 11bg ap300
radio 6 description AP300-3-BG
radio 6 bss 1 1
radio 6 bss 2 2
radio 6 bss 3 3
radio 6 channel-power indoor 11 18
radio 6 detector
radio 6 short-preamble
radio 6 adoption-
smart-rf
radio 1 radio-mac 00-15-70-7E-27-6C
radio 2 radio-mac 00-15-70-7E-3F-1C
radio 3 radio-mac 00-15-70-CD-82-BC
radio 4 radio-mac 00-15-70-CD-83-84
radio 5 radio-mac 00-15-70-CD-83-6C
radio 6 radio-mac 00-15-70-CD-83-24
radio 7 radio-mac 00-15-70-D0-24-4C
radio 8 radio-mac 00-15-70-D0-23-EC
radio 9 radio-mac 00-15-70-D0-25-64
radio 10 radio-mac 00-15-70-D0-26-54
!
!
radius-server local
authentication eap-auth-type all
nas 192.168.10.
!
interface me1
no ip address
!
interface up1
description Uplink
switchport mode trunk
switchport trunk native vlan 10
switchport trunk native tagged
switchport trunk allowed vlan none
switchport trunk allowed vlan add 10,12,40,70,80,
!
interface vlan1
no ip address
shutdown
!
interface vlan10
management
description SERVICES
ip address 192.168.10.14/24
!
interface vlan70
description GUEST
ip address 192.168.70.14/24
!
!
!
rtls
rfid
espi
sole
!
ip route 0.0.0.0/0 192.168.10.1
!
ntp server 192.168.10.
D.8 Wireless Filters
Wireless filters can be applied to specific WLANs to grant or deny access to MUs based on individual or ranges of MAC addresses. Wireless filters may be applied to one or more WLANs and are used to grant or deny access to MUs during association.
• One (or more) WLAN profiles are configured and assigned to adopted radios
• A Windows XP workstation is available with Microsoft Internet Explorer or Mozilla Firefox to perform Web UI configuration and verify secure management operations
• One (or more) wireless workstations are available to test and verify the wireless filters
D.8.1.
2. Select Add.
3. Enter 1 in the MU-ACL Index field.
4. In the Starting MAC and Ending MAC fields enter the MAC address of the client to block.
5. Set the Allow/Deny option to Deny. Click OK.
6. Highlight the MU-ACL created in steps 3-5 and select Memberships.
7. Check the WLAN index number(s) to associate the MAC-ACL with. In this example the MAC-ACL is associated with MOTO-GUEST WLAN-2. Click OK.
8. Select Save (from the lower left-hand corner) to apply the changes.
D.8.1.4 Wireless Filters that Allow
Wireless filters can also be used to allow access to a specific group of devices, such as mobile handhelds or VoIP handsets, while blocking associations from other devices.
ACL Index  Start MAC          End MAC            Allow / Deny  WLAN
1          00-40-96-4b-00-00  00-40-96-4b-ff-ff  Allow         MOTO-VOICE
2          00-00-00-00-00-01  ff-ff-ff-ff-ff-f2  Deny          MOTO-VOICE
As illustrated in the figure above, wireless filtering is deployed on a voice WLAN named MOTO-VOICE to only allow select SpectraLink VoIP handsets to associate with the WLAN.
2. Select Add.
3. Enter 1 in the MU-ACL Index field.
4. In the Starting MAC field enter the first MAC address in the range. In the Ending MAC field enter the last MAC address in the range.
5. Set the Allow/Deny option to Allow. Click OK.
6. Highlight the MU-ACL created in steps 3-5 and select Memberships.
7. Check the WLAN index number(s) to associate the MAC-ACL with. In this example the MAC-ACL has been associated with MOTO-VOICE WLAN-3. Click OK.
8. Select Save (from the lower left-hand corner) to apply the changes.
D.8.1.
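The MU-ACL evaluation that the deny example (D.8.1.3) and the allow example (D.8.1.4) rely on, as an added Python model that is not part of the guide or of the RF Switch software. It uses the MOTO-VOICE table above (ACL 1 allows the SpectraLink range, ACL 2 denies the rest) and the single-client deny on MOTO-GUEST; the first-match-by-index order, the implicit allow when no range on the WLAN matches, and the blocked client MAC are assumptions.

```python
"""Added example (not from the Motorola guide): a model of RF Switch MU-ACL
wireless filters, checking a client MAC against the Start MAC / End MAC
ranges of every ACL that is a member of the WLAN it is associating to.

Assumptions the guide does not state: ACLs are evaluated in ascending MU-ACL
index order and the first matching range decides; a MAC that matches no range
on that WLAN is allowed. That last point is why the allow-list example for
MOTO-VOICE needs its catch-all Deny entry.
"""
from dataclasses import dataclass, field


def mac_to_int(mac: str) -> int:
    """Parse a MAC written as xx-xx-xx-xx-xx-xx (or with colons) to an int."""
    parts = mac.lower().replace(":", "-").split("-")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return int("".join(parts), 16)  # raises ValueError on non-hex digits


@dataclass(frozen=True)
class MuAcl:
    """One MU-ACL entry: index, inclusive MAC range, Allow/Deny, WLAN memberships."""
    index: int
    start_mac: str
    end_mac: str
    allow: bool
    wlans: frozenset = field(default_factory=frozenset)

    def __post_init__(self) -> None:
        # Reject a range whose Start MAC is numerically above its End MAC.
        if mac_to_int(self.start_mac) > mac_to_int(self.end_mac):
            raise ValueError(f"MU-ACL {self.index}: Start MAC is above End MAC")

    def matches(self, mac: str) -> bool:
        return mac_to_int(self.start_mac) <= mac_to_int(mac) <= mac_to_int(self.end_mac)


def filter_decision(acls, wlan_index: int, client_mac: str):
    """Decide whether client_mac may associate to WLAN wlan_index.

    Returns (allowed, matched_index). matched_index is None when no ACL that
    is a member of the WLAN covers the address (assumed: implicit allow).
    """
    for acl in sorted(acls, key=lambda a: a.index):
        if wlan_index in acl.wlans and acl.matches(client_mac):
            return acl.allow, acl.index
    return True, None


# WLAN indexes from the guide's examples: MOTO-GUEST is WLAN-2, MOTO-VOICE is WLAN-3.
GUEST_WLAN, VOICE_WLAN = 2, 3

# D.8.1.4 allow-list table from the guide: SpectraLink range allowed, everything else denied.
VOICE_ACLS = (
    MuAcl(1, "00-40-96-4b-00-00", "00-40-96-4b-ff-ff", True, frozenset({VOICE_WLAN})),
    MuAcl(2, "00-00-00-00-00-01", "ff-ff-ff-ff-ff-f2", False, frozenset({VOICE_WLAN})),
)

# D.8.1.3 deny example: block one client on MOTO-GUEST. The MAC is constructed for this example.
BLOCKED_CLIENT = "00-1a-2b-3c-4d-5e"
GUEST_ACLS = (
    MuAcl(1, BLOCKED_CLIENT, BLOCKED_CLIENT, False, frozenset({GUEST_WLAN})),
)


if __name__ == "__main__":
    for mac in ("00-40-96-4b-12-34", BLOCKED_CLIENT):
        print("WLAN", VOICE_WLAN, mac, filter_decision(VOICE_ACLS, VOICE_WLAN, mac))
        print("WLAN", GUEST_WLAN, mac, filter_decision(GUEST_ACLS, GUEST_WLAN, mac))
```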
!
!
aaa authentication login default local none
service prompt crash-info
!
username "admin" password 1 b6b6ccabdb85763872c7fbdf436ec2ed86bf931e
username "admin" privilege superuser
username "operator" password 1 b6b6ccabdb85763872c7fbdf436ec2ed86bf931e
!
!
!
spanning-tree mst configuration
name My Name
!
crypto pki trustpoint ESELAB
subject-name "rfs6000" US "TN" "Johnson City" "Motorola Inc." "WLAN Enterprise Division"
fqdn "rfs6000.eselab.com"
ip-address 192.168.10.
ip ssh
ip telnet
no service pm sys-restart
timezone America/New_York
service radius
license AP fc781051ebf9d99ced010a4dab46a63a760c66f54b1c496da322d3cd41d046777fbed80f433b68ea
!
wireless
secure-wispe-default-secret 0 new-pre-shared-key
no adopt-unconf-radio enable
manual-wlan-mapping enable
wlan 1 enable
wlan 1 description MOTO-DATA
wlan 1 ssid MOTO-DATA
wlan 1 vlan 40
wlan 1 encryption-type tkip
wlan 1 authentication-type eap
wlan 1 radius server primary 19
radio 1 description AP300-1-A
radio 1 bss 1 1
radio 1 channel-power indoor 36 15
radio 1 on-channel-scan
radio 1 adoption-pref-id 100
radio add 2 00-15-70-78-F5-23 11bg ap300
radio 2 description AP300-1-BG
radio 2 bss 1 1
radio 2 bss 2 2
radio 2 bss 3 3
radio 2 channel-power indoor 1 18
radio 2 on-channel-scan
radio 2 shor
radio 6 adoption-pref-id 100
radio add 7 00-15-70-D5-DA-CE 11a ap300
radio 7 description AP300-4-A
radio 7 channel-power indoor 48 17
radio 7 on-channel-scan
radio add 8 00-15-70-D5-DA-CE 11bg ap300
radio 8 description AP300-4-BG
radio 8 channel-power indoor 1 4
radio 8 on-channel-scan
radio 8 short-preamble
radio add 9 00-15-70-D5-DA-FB 11a ap300
radio 9 description AP300-5-A
radio 9 channel-power indoor 149 20
radio 9 on-channel-scan
radio add 10 00-15-70-D
interface ge1
switchport access vlan 10
!
interface ge2
switchport access vlan 10
!
interface ge3
switchport access vlan 10
!
interface ge4
switchport access vlan 10
!
interface ge5
switchport access vlan 10
!
interface ge6
switchport access vlan 10
!
interface ge7
switchport access vlan 10
!
interface ge8
switchport access vlan 10
!
interface me1
no ip address
!
interface up1
description Uplink
switchport mode trunk
switchport trunk native vlan 10
switchport trunk native tagged
switchport trunk allo
!
interface vlan70
description GUEST
ip address 192.168.70.14/24
!
!
!
rtls
rfid
espi
sole
!
ip route 0.0.0.0/0 192.168.10.1
!
ntp server 192.168.10.5 prefer
line con 0
line vty 0 24
!
end
D.9 802.11i Support
The IEEE 802.11i standard (ratified in 2004) provides enhanced security for WLANs. 802.11i supersedes the initial 802.11 Wired Equivalent Privacy (WEP) security specification, which was shown to have severe security weaknesses. The 802.
D.9.1 Applications
802.11i with AES should be considered for new WLAN applications, as it represents the strongest encryption scheme available today for data privacy. 802.11i with AES encryption is supported by all new WLAN client devices including workstations, handhelds and voice handsets. For legacy deployments, which include devices that cannot support AES, Motorola recommends TKIP with 802.1x or pre-shared keys be utilized.
D.9.3.2 Components
The information in this section is based on the following Motorola hardware and software versions:
• 1 RFS6000 model switch
• 5 AP300 model Access Ports
D.9.3.3 802.11i with 802.1x Authentication
As depicted in the illustration below, five AP300s have been deployed at a site supported by a single RF Switch. A WLAN named MOTO-DATA has been created to provide secure 802.11i 802.1X authenticated access for Enterprise data users.
3. Highlight an unused WLAN in the table and select Edit.
4. Enter an ESSID and Description.
5. Specify one or more VLAN IDs. Optionally enable Dynamic Assignment to enable dynamic VLAN assignments from a Radius server.
6. In the Encryption field, enable WPA2-CCMP then select the Config button.
7. Optionally enable the Broadcast Key Rotation and Pre-Authentication options. Select OK to save the updates.
8. Navigate back to the Network > Wireless LANs > Edit screen.
9. Enable the 802.1X EAP Authentication option and select the Radius... button.
10. Enter the RADIUS Server Address and RADIUS Shared Secret.
11. Select the Re-authentication option then select OK.
12. From back at the Network > Wireless LANs > Configuration screen, highlight (select) the newly created WLAN and select Enable. If global WLAN manual mapping is enabled, manually assign the new WLAN to each radio you wish to support. If this global option is disabled, the switch automatically assigns the WLAN to each adopted radio.
13. Select Save (from the lower left-hand corner) to apply the changes.
D.9.3.4 802.
WLAN  ESSID       VLAN(s)  Authentication  Encryption
3     MOTO-VOICE  80       Pre-Shared Key  CCMP
NOTE: For optimal security, Motorola recommends selecting an ASCII passphrase of 20 - 63 characters that contains a mix of numbers, letters, upper and lower case, and special characters.
Switch Web UI Configuration
To configure 802.11i with pre-shared keys on an RF Switch:
1. From the menu tree select Network > Wireless LANs.
2. Select the Configuration tab.
3. Highlight an unused WLAN and select Edit.
4. Enter an ESSID name and Description.
5. Specify one or more VLAN IDs.
6. In the Encryption field enable WPA2-CCMP and click the Config button.
7. Optionally enable the Broadcast Key Rotation option.
8. In the ASCII Passphrase field, enter the strong passphrase used for device authentication. Select OK to save the updates.
9. From back at the Network > Wireless LANs > Configuration screen, highlight (select) the newly created WLAN and select Enable. If global WLAN manual mapping is enabled, manually assign the new WLAN to each radio you wish to support. If this global option is disabled, the RF Switch automatically assigns the WLAN to each adopted radio.
10.
!
!
spanning-tree mst configuration
name My Name
!
crypto pki trustpoint ESELAB
subject-name "rfs6000" US "TN" "Johnson City" "Motorola Inc." "WLAN Enterprise Division"
fqdn "rfs6000.eselab.com"
ip-address 192.168.10.14
!
management secure
ip domain-name eselab.com
ip name-server 192.168.10.5
no bridge multiple-spanning-tree enable
bridge-forward
country-code us
logging buffered 7
logging console 4
logging host 192.168.10.
wireless
secure-wispe-default-secret 0 defaultS
adoption-pref-id 100
no adopt-unconf-radio enable
manual-wlan-mapping enable
wlan 1 enable
wlan 1 description MOTO-DATA
wlan 1 ssid MOTO-DATA
wlan 1 vlan 40
wlan 1 encryption-type ccmp
wlan 1 authentication-type eap
wlan 1 radius server primary 192.168.10.
radio 1 adoption-pref-id 100
radio add 2 00-15-70-78-F5-23 11bg ap300
radio 2 description AP300-1-BG
radio 2 bss 1 1
radio 2 bss 2 2
radio 2 bss 3 3
radio 2 channel-power indoor 1 18
radio 2 on-channel-scan
radio 2 short-preamble
radio 2 adoption-pref-id 100
radio add 3 00-15-70-B2-FD-CF 11a ap300
radio 3 description AP300-2-A
radio 3 bss 1 1
radio 3 channel-power indoor 40 15
radio 3 on-channel-scan
radio 3 adoption-pref-id 200
radio add 4 00-15-70-B2-FD-CF
radio add 7 00-15-70-D5-DA-CE 11a ap300
radio 7 description AP300-4-A
radio 7 bss 1 1
radio 7 channel-power indoor 48 17
radio 7 on-channel-scan
radio add 8 00-15-70-D5-DA-CE 11bg ap300
radio 8 description AP300-4-BG
radio 8 bss 1 1
radio 8 bss 2 2
radio 8 bss 3 3
radio 8 channel-power indoor 1 4
radio 8 on-channel-scan
radio 8 short-preamble
radio add 9 00-15-70-D5-DA-FB 11a ap300
radio 9 description AP300-5-A
radio 9 bss 1 1
radio 9 channel-power indoor 149 20
radio 9 on-channel-scan
radio add 10 0
!
radius-server local
authentication eap-auth-type all
nas 192.168.10.
switchport trunk allowed vlan none
switchport trunk allowed vlan add 10,12,40,70,80,
!
interface vlan1
no ip address
shutdown
!
interface vlan10
management
description SERVICES
ip address 192.168.10.14/24
!
interface vlan70
description GUEST
ip address 192.168.70.14/24
!
!
!
rtls
rfid
espi
sole
!
ip route 0.0.0.0/0 192.168.10.1
!
ntp server 192.168.10.
MOTOROLA INC. 1303 E. ALGONQUIN ROAD SCHAUMBURG, IL 60196 http://www.motorola.