Motorola RFS Series Wireless LAN Switches WiNG System Reference Guide
© 2010 Motorola, Inc. All rights reserved. MOTOROLA and the Stylized M Logo are registered in the US Patent & Trademark Office. Symbol is a registered trademark of Symbol Technologies, Inc. All other product or service names are the property of their respective owners.
Contents
Chapter 1. Overview
1.1 Hardware Overview
1.1.1 Physical Specifications
1.2 Software Overview
3.4 Viewing Switch Firmware Information
3.4.1 Editing the Switch Firmware
3.4.2 Enabling Global Settings for the Image Failover
4.7.10 Voice Statistics
4.8 Viewing Access Port Adoption Defaults
4.8.1 Configuring AP Adoption Defaults
5.5 Layer 3 Mobility
5.5.1 Configuring Layer 3 Mobility
5.5.2 Defining the Layer 3 Peer List
6.5.2 Defining Static NAT Translations
6.5.3 Configuring NAT Interfaces
6.5.4 Viewing NAT Status
Chapter 8. Diagnostics
8.1 Displaying the Main Diagnostic Interface
8.1.1 Switch Environment
8.1.2 CPU Performance
B.3.3 Configuring the Switch for Adaptive AP Adoption
B.4 Establishing Basic Adaptive AP Connectivity
B.4.1 Adaptive AP Configuration
B.4.2 Switch Configuration
About This Guide
Introduction
This guide provides information about using the following Motorola switches and version numbers:
• RFS4000 4.3
• RFS6000 4.3
• RFS7000 4.3
NOTE: Screens and windows pictured in this guide are samples and can differ from actual screens.
Documentation Set
The documentation set for the Motorola RF Series Switches is partitioned into the following guides to provide information for specific user needs.
CAUTION: Indicates conditions that can cause equipment damage or data loss.
WARNING! Indicates a condition or procedure that could result in personal injury or equipment damage.
Overview
A Motorola RF Switch is a centralized management solution for wireless networking. It connects to non-legacy Access Ports through Layer 2 or Layer 3 (Layer 2 is preferable, if the situation allows it). Access ports function as radio antennas for data traffic management and routing. System configuration and intelligence for the wireless network resides with the switch. The switch uses Access Ports to bridge data to and from wireless devices.
1.1 Hardware Overview
The RFS4000, RFS6000 and RFS7000 are rack-mountable devices that manage all inbound and outbound traffic on the wireless network. They provide security, network service and system management applications. Unlike traditional wireless infrastructure devices that reside at the edge of a network, the switch uses centralized, policy-based management to apply sets of rules or actions to all devices on the wireless network.
Operating Temperature: 0°C - 40°C (32°F - 104°F)
Operating Humidity: 5% - 85% RH, non-condensing
A power cord is not supplied with an RFS4000, RFS6000 or RFS7000 model switch. Use only a correctly rated power cord certified for the country of operation.
1.1.1.1 Power Consumption
The power consumption for the RFS7000, RFS6000, and RFS4000 is as follows:
RFS7000
Maximum Power Consumption: 100W
RFS6000
Maximum Power Consumption: 300W
RFS4000
AC Input Voltage: 100-240 VAC 50/60 Hz
Maximum Power Consumption: 120W
1.1.1.
NOTE: The Motorola RF Management Software is a recommended utility to plan the deployment of the switch and view its configuration once operational in the field. Motorola RFMS can help optimize the positioning and configuration of a switch with respect to a WLAN’s MU throughput requirements and can help detect rogue devices. For more information, refer to the Motorola Web site.
1.2.
1. In-service Diagnostics – In-service diagnostics provide a range of automatic health monitoring features ensuring both the system hardware and software are in working order. In-service diagnostics continuously monitor available physical characteristics (as detailed below) and issue log messages when warning or error thresholds are reached.
1.2.1.7 Hardware Abstraction Layer and Drivers
The Hardware Abstraction Layer (HAL) provides an abstraction library with an interface hiding hardware/platform specific data. Drivers include platform specific components such as Ethernet, Flash Memory storage and thermal sensors.
1.2.1.8 Redundancy
Using switch redundancy, up to 12 switches can be configured in a redundancy group (and provide group monitoring). In the event of a switch failure, an existing cluster member assumes control.
To contact Motorola Support in the event of a password reset requirement, go to http://www.motorola.com/Business/US-EN/Support
CAUTION: Only a qualified installation professional should set or restore the access point’s radio and power management configuration in the event of a password reset.
1.2.
• DHCP
• Switch fully qualified domain name (FQDN)
• Static IP addresses
The benefits of an AAP deployment include:
• Centralized Configuration Management & Compliance - Wireless configurations across distributed sites can be centrally managed by the wireless switch or cluster.
• WAN Survivability - Local WLAN services at remote sites are unaffected in the case of a WAN outage.
1.2.2.3 Rate Limiting
Rate Limiting limits the maximum rate sent to or received from the wireless network per mobile unit. It prevents any single user from overwhelming the wireless network. It can also provide differential service for service providers. The uplink and downlink rate limits are usually configured on the Radius server using Motorola vendor specific attributes. The switch extracts the rate limits from the Radius server response.
• User based VLAN assignment — Allows the switch to extract VLAN information from the Radius server.
• User based QoS — Enables QoS for the MU based on settings within the Radius Server.
1.2.2.7 Voice Prioritization
The switch's QoS policy can be configured to prioritize network traffic requirements for associated MUs. Use QoS to enable voice prioritization for devices using voice as their transmission priority. Voice prioritization allows you to assign priority to voice traffic over data traffic, and (if necessary) assign legacy voice supported devices (non WMM supported voice devices) additional priority.
Self Healing Actions
If AP1 detects AP2 and AP3 as its neighbors, you can assign failure actions to AP2 and AP3 whenever AP1 fails. Assign up to four self healing actions:
1. No action
2. Decrease supported rates
3. Increase Tx power
4. Both 2 and 3.
You can specify the Detector AP (AP2 or AP3) to stop detecting and adopt the RF settings of the failed AP. For more information on configuring self healing, see Configuring Self Healing on page 5-53.
1.2.2.
AP Balancing Across Multiple Switches
At adoption, the AP solicits and receives multiple adoption responses from the switches on the network. These adoption responses contain preference and loading information the AP uses to select the optimum switch to be adopted by. Use this mechanism to define which APs are adopted by which switches. By default, the adoption algorithm generally distributes AP adoption evenly among the switches available.
MU Move Command
As a value added proprietary feature between Motorola infrastructure products and Motorola MUs, a move command has been introduced. The move command permits an MU to roam between ports connected to the same switch without the need to perform the full association and authentication defined by the 802.11 standard. The move command is a simple packet up/packet back exchange with the Access Port.
disconnect. With QoS, a VoIP conversation (a real-time session) receives priority, maintaining a high level of voice quality.
1.2.2.14 Wireless Layer 2 Switching
The switch supports the following layer 2 wireless switching techniques:
• WLAN to VLAN
• MU User to VLAN
• WLAN to GRE
1.2.2.15 Automatic Channel Selection
Automatic channel selection works sequentially as follows:
1. When a new AP is adopted, it scans each channel. However, the switch does not forward traffic at this time.
2. The switch then selects the least crowded channel based on the noise and traffic detected on each channel.
3.
Limiting Users Per VLAN
Not all VLANs within a single WLAN must have the same DHCP pool size. Assign a user limit to each VLAN to allow the mapping of different pool sizes. Specify the VLAN user limit. This specifies the maximum number of MUs associated with a VLAN (for a particular WLAN). When the maximum MU limit is reached, no more MUs can be assigned to that VLAN.
for future VLAN assignment. To configure Multiple VLANs for a single WLAN, see Assigning Multiple VLANs per WLAN on page 4-31.
1.2.3 Wired Switching
The switch includes the following wired switching features:
• DHCP Servers
• DHCP User Class Options
• DDNS
• VLAN Enhancements
• Interface Management
1.2.3.
• Network interfaces operate in either trunk or access modes.
• A network interface in access mode can only send and receive untagged packets.
• A trunk port can now receive both tagged and untagged packets. Each ethernet port is assigned a native VLAN.
• You can now configure a set of allowed VLANs on a trunk port. Packets received on this port that belong to other VLANs are discarded.
1.2.3.
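The ingress rules listed above can be modelled against raw Ethernet frames. The following is an added example, not code from the switch or from Motorola. The Port class, the ingress() and build_frame() helpers and the sample ports are hypothetical, and two behaviours are assumptions of the model rather than statements from this guide: untagged and VID 0 frames on a trunk are classified into the native VLAN, and the native VLAN is accepted without appearing in the allowed set.

```python
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag


def vlan_tag(frame: bytes):
    """Return the VLAN ID carried in the 802.1Q tag, or None if untagged."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF  # low 12 bits of the TCI are the VLAN ID


@dataclass(frozen=True)
class Port:
    # Hypothetical model of a switch port, not a WiNG data structure.
    name: str
    mode: str                 # "access" or "trunk"
    native_vlan: int
    allowed: frozenset = frozenset()


def ingress(port: Port, frame: bytes):
    """Return the VLAN the frame is accepted into, or None if discarded."""
    vid = vlan_tag(frame)
    if port.mode == "access":
        # Access mode only sends and receives untagged packets.
        return port.native_vlan if vid is None else None
    if port.mode != "trunk":
        raise ValueError("unknown port mode: %r" % port.mode)
    # Assumption: untagged and priority-tagged (VID 0) frames use the native VLAN.
    if vid is None or vid == 0:
        return port.native_vlan
    # Tagged frames for VLANs outside the allowed set are discarded.
    return vid if vid in port.allowed else None


def build_frame(vid=None, ethertype=0x0800, payload=b"\x00" * 46):
    """Build a constructed test frame, optionally with an 802.1Q tag."""
    header = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01"  # dst, src (constructed)
    if vid is not None:
        header += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return header + struct.pack("!H", ethertype) + payload


if __name__ == "__main__":
    access = Port("ge1", "access", native_vlan=10)
    trunk = Port("ge2", "trunk", native_vlan=1, allowed=frozenset({10, 20}))
    for port, vid in [(access, None), (access, 20), (trunk, None),
                      (trunk, 10), (trunk, 30)]:
        print(port.name, port.mode, "tag", vid, "->", ingress(port, build_frame(vid)))
```
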
1.2.5 Security Features
Switch security can be classified into wireless security and wired security. The switch includes the following wireless security features:
• Encryption and Authentication
• MU Authentication
• Secure Beacon
• MU to MU Disallow
• 802.1x Authentication
• WIPS
• Rogue AP Detection
The switch includes the following wired security features:
• ACLs
• Local Radius Server
• IPSec VPN
• NAT
• Certificate Management
1.2.5.
WPA
WPA is designed for use with an 802.1X authentication server, which distributes different keys to each user. However, it can also be used in a less secure pre-shared key (PSK) mode, where every user is given the same passphrase. WPA uses Temporal Key Integrity Protocol (TKIP), which dynamically changes keys as the system is used. When combined with the much larger Initialization Vector, it defeats well-known key recovery attacks on WEP.
uses the MAC address of the MU as both the username and password (this configuration is also expected on the Radius server). MAC-Auth supports all encryption types, and (in case of 802.11i) the handshake is completed before the Radius lookup begins. For information on configuring 802.1x EAP for a WLAN, see Configuring MAC Authentication on page 4-46.
1.2.5.3 Secure Beacon
Devices in a wireless network use Service Set Identifiers (SSIDs) to communicate.
Change Username/Password after AP Adoption
Once the AP300 is adopted using 802.1x authentication (say, with the default username/password) or using a non-secure access method (a hub or switch without 802.1x enabled), use the CLI/SNMP/UI to reconfigure the username/password combination.
Reset Username/Password to Factory Defaults
To restore the AP300 username/password to factory defaults, adopt the AP300 using a non-secure access method (a hub or switch without 802.
RF scan by Access Port on one channel
This process requires an Access Port to assist in Rogue AP detection. It functions as follows:
• The switch sends a new configuration message to the adopted AP informing it to detect Rogue APs.
• The Access Port listens for beacons on its present channel.
• It passes the beacons to the switch as it receives them without any modification.
allowed. If the action is to mark, the packet is tagged for priority. The switch supports the following types of ACLs:
• IP Standard ACLs
• IP Extended ACLs
• MAC Extended ACLs
• Wireless LAN ACLs
For information on creating an ACL, see Configuring Firewalls and Access Control Lists on page 6-14.
1.2.5.9 Local Radius Server
Radius is a common authentication protocol utilized by the 802.1x wireless security standard.
1.2.5.11 NAT
Network Address Translation (NAT) is supported for packets routed by the switch. The following types of NAT are supported:
• Port NAT – Port NAT (also known as NAPT) maps multiple local addresses to a single global address and a dynamic port number. The user is not required to configure any NAT IP address. Instead, the IP address of the switch's public interface is used to NAT packets going out from the private network, and vice versa for packets entering the private network.
1.3 IEEE Standards Support
IEEE Standard | Supported | Notes
IEEE 802.11a | Yes | The IEEE 802.11a standard is fully supported on the following Switch Platforms: WS2000, WS5100, RFS6000, RFS7000. The IEEE 802.11a standard is fully supported on the following AP Platforms: AP300 Access Port, AP5131 Access Point, AP5181 Access Point, AP7131 Access Point.
IEEE 802.11b | Yes | The IEEE 802.
IEEE Standard | Supported | Notes
IEEE 802.11g | Yes | The IEEE 802.11g standard is fully supported on the following Switch Platforms: WS2000, WS5100, RFS6000, RFS7000. The IEEE 802.11g standard is fully supported on the following AP Platforms: AP300 Access Port, AP5131 Access Point, AP5181 Access Point, AP7131 Access Point.
IEEE 802.11d | Yes | The IEEE 802.1d standard is implemented as part of the IEEE 802.
IEEE Standard | Supported | Notes
IEEE 802.11i | Yes | We fully support the 802.11i standard for encryption and authentication. Additionally we also implement 802.11i PMK Caching, Opportunistic PMK Caching and Pre-Authentication. The IEEE 802.11i standard is fully supported on the following Switch Platforms: WS2000, WS5100, RFS6000, RFS7000. The IEEE 802.
IEEE Standard | Supported | Notes
IEEE 802.1x | Yes | Full support for IEEE 802.1x authentication, either with a fully functional integrated RADIUS server built into our RF Switches and Access Points or an external RADIUS server such as Microsoft IAS, Microsoft NPS, Cisco Secure ACS, FreeRADIUS and Juniper Steel Belted RADIUS (to name a few).
IEEE Standard | Supported | Notes
IEEE 802.3u | Yes | The IEEE 802.3u (100BASE-T) standard is fully supported on the following Switch Platforms: WS2000, WS5100, RFS6000, RFS7000. The IEEE 802.3u (100BASE-T) standard is fully supported on the following AP Platforms: AP100 Access Port, AP4131 Access Port, AP300 Access Port, AP5131 Access Point, AP5181 Access Point, AP7131 Access Point.
IEEE 802.3ab | Yes | The IEEE 802.
IEEE Standard | Supported | Notes
IEEE 802.1P | Yes | The IEEE 802.1P (QoS) standard is fully supported on the following Switch Platforms: WS2000, WS5100, RFS6000, RFS7000. The IEEE 802.1P (QoS) standard is fully supported on the following AP Platforms: AP5131 Access Point, AP5181 Access Point, AP7131 Access Point.
IEEE 802.1Q | Yes | The IEEE 802.1Q (VLAN Tagging) standard is fully supported on the following Switch Platforms: WS2000, WS5100, RFS6000, RFS7000. The IEEE 802.
Standard | Supported | Notes
RFC 826 ARP | Yes |
RFC 1122 Requirements for Internet Hosts | Yes |
RFC 1519 CIDR | Yes |
RFC 1542 BOOTP | Yes | BOOTP is implemented as part of the Integrated DHCP server. BOOTP clients are implemented on the AP5131, AP5181 and AP7131.
RFC 2131 DHCP | Yes | DHCP client and server.
RFC 1321 MD5 Message-Digest Algorithm | Yes | Implemented for IPSec VPN, SNMPv3 and EAP-TTLS.
Standard | Supported | Notes
SSL and TLS: RC4 128-bit and RSA 1024- and 2048-bit | Yes |
IPSec: DES-CBC, 3DES, AES-CBC | Yes |
RFC 2548 Microsoft Vendor-Specific RADIUS Attributes | Yes |
RFC 2716 PPP EAP-TLS | Yes |
RFC 2865 RADIUS Authentication | Yes | Integrated and Pass-through
RFC 2866 RADIUS Accounting | Yes | Integrated and Pass-through
RFC 2867 RADIUS Tunnel Accounting | Yes |
RFC 2869 RADIUS Extensions | Yes |
RFC 3576 Dynamic Authorization Extensions to RADIUS | Yes |
RFC 3579 RADIUS Support for EAP
Standard | Supported | Notes
RFC 2674 Definitions of Managed Objects for Bridges with Traffic Classes, Multicast Filtering, and Virtual LAN Extensions | Yes | We support everything except the pBridge MIB.
Switch Web UI Access and Image Upgrades
This chapter is divided into the following sections:
• Accessing the Switch Web UI
• Switch Password Recovery
• Upgrading the Switch Image
• Auto Installation
• AP-4131 Access Point to Access Port Conversion
2.1 Accessing the Switch Web UI
This section provides information on how to access the controller's user interface. Typically, the controller's web user interface is accessed from a web browser.
2.1.2 Connecting to the Switch Web UI
To display the Web UI, launch a Web browser on a computer with the capability of accessing the switch.
NOTE: Ensure you have HTTP connectivity to the switch, as HTTP is required to launch the switch Web UI from a browser.
To display the switch Web UI:
1. Point the browser to the IP address assigned to the wired Ethernet port (port 2). Specify a secure connection using the https:// protocol. The switch login screen displays:
2.
2.2 Switch Password Recovery
The access point has a means of restoring its password to its default value. Doing so also reverts the access point’s security, radio and power management configuration to their default settings. Only an installation professional should reset the access point’s password and promptly define a new restrictive password. To contact Motorola Support in the event of a password reset requirement, go to http://www.motorola.
The compulsory parameters are:
• configuration upgrade enable
• cluster configuration upgrade enable
• image upgrade enable
Optional (only for the static case):
• configuration file URL
• cluster configuration file URL
• image file URL
• expected image version
To set default to no, and the URLs and the version default to "" (blank):
RF Switch(config)#show autoinstall
feature        enabled
config         no       --not-set--
cluster cfg    no       --not-set--
image          no       --not-set--
expe
cluster cfg    yes      ftp://ftp:ftp@192.9.200.1/RFSwitch/cluster-config
image          yes      ftp://ftp:ftp@147.11.1.11/RFSwitch/images/RFS6000.img
expected image version  4.3.0.0-XXXXX
Once again, for DHCP option based auto install the URLs are ignored and those passed by DHCP are not stored. Whenever a string is blank it is shown as --not-set--.
2.
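The show autoinstall output above carries the download URLs, including any embedded FTP username and password, so it is worth reviewing before it is stored or shared. The following is an added example, not part of the original guide or of the switch software. It parses that output, reports enabled features that fetch over a cleartext transport, carry credentials in the URL, or take their URL from DHCP, and redacts credentials for sharing. The sample text, its addresses and the finding names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

NOT_SET = "--not-set--"
# Schemes with no transport encryption or server authentication.
CLEARTEXT = {"ftp", "tftp", "http"}

ROW = re.compile(r"^(config|cluster cfg|image)\s+(yes|no)\s+(\S+)\s*$")
VERSION = re.compile(r"^expected image version\s+(\S+)\s*$")

# Constructed sample modelled on the output shown in this section.
SAMPLE = """\
RF Switch(config)#show autoinstall
feature                 enabled
config                  yes      --not-set--
cluster cfg             yes      ftp://ftp:ftp@192.0.2.10/RFSwitch/cluster-config
image                   yes      ftp://192.0.2.11/RFSwitch/images/RFS6000.img
expected image version           4.3.0.0-XXXXX
"""


def parse_autoinstall(text):
    """Return ({feature: {"enabled": bool, "url": str|None}}, version|None)."""
    features, version = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = ROW.match(line)
        if m:
            name, enabled, url = m.groups()
            features[name] = {"enabled": enabled == "yes",
                              "url": None if url == NOT_SET else url}
            continue
        m = VERSION.match(line)
        if m:
            version = None if m.group(1) == NOT_SET else m.group(1)
    return features, version


def audit(text):
    """Return a list of (feature, finding) for every enabled feature."""
    features, _ = parse_autoinstall(text)
    findings = []
    for name, f in features.items():
        if not f["enabled"]:
            continue
        if f["url"] is None:
            # No static URL: the guide says DHCP-passed URLs are not stored,
            # so the download location is whatever the DHCP server hands out.
            findings.append((name, "url-from-dhcp"))
            continue
        parts = urlsplit(f["url"])
        if parts.scheme.lower() in CLEARTEXT:
            findings.append((name, "cleartext-transport"))
        if parts.username is not None or parts.password is not None:
            findings.append((name, "credentials-in-url"))
    return findings


def redact(url):
    """Replace the user:password part of a URL so output can be shared."""
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return url
    host = parts.hostname or ""
    if parts.port:
        host += ":%d" % parts.port
    return parts._replace(netloc="***@" + host).geturl()


if __name__ == "__main__":
    for feature, finding in audit(SAMPLE):
        print("%-12s %s" % (feature, finding))
```
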
5. Reset the AP if you changed the AP's IP address, by displaying the System Summary and selecting the Reset AP option. If you reset the AP-4131 you will need to login as Admin again.
6. Select the Special Functions main menu item.
7. Select the Firmware Update Menu-[F3] menu item.
8. Select the Alter Filename(s)/HELP URL/TFTP Server menu item.
a. Confirm that the Firmware File Name is correct, make changes as needed.
b.
10. Select yes when asked to confirm.
11. The AP-4131 will now reset, download and install the desired firmware.
12. Once the firmware download is complete, connect the AP-4131 to the PoE switch and the RF Switch. The AP-4131 should adopt and operate as a “thin” Access Port.
Switch Information
This chapter describes the Switch main menu information used to configure the switch. This chapter consists of the following sections:
• Viewing the Switch Interface
• Viewing Switch Port Information
• Viewing Switch Configurations
• Viewing Switch Firmware Information
• Switch File Management
• Configuring Automatic Updates
• Viewing the Switch Alarm Log
• Viewing Switch Licenses
• How to use the Filter Option
3.
NOTE: When the switch’s configuration is successfully updated (using the Web UI), the affected screen is closed without informing the user their change was successful. However, if an error were to occur, the error displays within the affected screen’s Status field and the screen remains displayed. With file transfer operations, the transfer screen remains open during the transfer and remains open upon completion (with status displayed within the Status field).
3.1.
System Name: Displays the designated system name. Provide a system name serving as a reminder of the user base the switch supports (engineering, retail, etc.).
Location: The Location parameter serves as a reminder of where the switch can be found. Define the System Name as a specific identifier of the switch’s location. Use the System Name and Location parameters together to optionally define the switch name by the radio coverage type it supports and physical location.
Enter the new password within the Password and Confirm Password fields and click OK.
NOTE: When entering a new password for the switch, the password must be a minimum of 8 characters long.
8. Click the Revert button to undo any changes. The Revert button must be clicked before hitting the Apply button for any changes to be reverted.
9. Click the Apply button to save the updates (to the Time Zone or Country parameters specifically).
3.1.
3.1.3.1 RFS4000 Switch Dashboard
The Dashboard screen displays the current health of the switch and is divided into fields representing the following important diagnostics:
• Alarms
• Ports
• Environment
• CPU/Memory
• File Systems
Apart from the sections mentioned above, it also displays the following status:
Redundancy State: Displays the Redundancy State of the switch. The status can be either Enabled or Disabled.
• Enabled - Defined by a green state.
Mobile Units: Displays the total number of MUs associated with the switch.
Up Time: Displays the actual switch uptime. The Uptime is the current operational time of the device defined within the System Name field. Uptime is the cumulative time since the switch was last rebooted or lost power.
1. Refer to the Alarms field for details of all the unacknowledged alarms generated during the past 48 hours.
3.1.3.2 RFS6000 Switch Dashboard
The Dashboard screen displays the current health of the switch and is divided into fields representing the following important diagnostics:
• Alarms
• Ports
• Environment
• CPU/Memory
• File Systems
Apart from the sections mentioned above, it also displays the following status:
Redundancy State: Displays the Redundancy State of the switch. The status can be either Enabled or Disabled.
• Enabled - Defined by a green state.
Mobile Units: Displays the total number of MUs associated with the switch.
Up Time: Displays the actual switch uptime. The Uptime is the current operational time of the device defined within the System Name field. Uptime is the cumulative time since the switch was last rebooted or lost power.
1. Refer to the Alarms field for details of all the unacknowledged alarms generated during the past 48 hours.
3.1.3.3 RFS7000 Switch Dashboard
The Dashboard screen displays the current health of the switch and is divided into fields representing the following important diagnostics:
• Alarms
• Ports
• Environment
• CPU/Memory
• File Systems
Apart from the sections mentioned above, it also displays the following status:
Redundancy State: Displays the Redundancy State of the switch. The status can be either Enabled or Disabled.
• Enabled - Defined by a green state.
Mobile Units: Displays the total number of MUs associated with the switch.
Up Time: Displays the actual switch uptime. The Uptime is the current operational time of the device defined within the System Name field. Uptime is the cumulative time since the switch was last rebooted or lost power.
1. Refer to the Alarms field for details of all the unacknowledged alarms generated during the past 48 hours.
3.1.4 Viewing Switch Statistics
The Switch Statistics tab displays an overview of the recent network traffic and RF status for the switch. To display the Switch Statistics tab:
1. Select Switch from the main menu tree.
2. Click the Switch Statistics tab at the top of the Switch screen.
3. Refer to the Switch Statistics field for the following read-only information about associated MUs:
Number of MUs Associated: Displays the total number of MUs currently associated to the switch.
Avg. Bit Speed: Displays the average bit speed for the switch over the last 30 seconds and 1 hour. Use the average bit speed value to help determine overall network speeds and troubleshoot network congestion.
% Non-unicast pkts: Displays the percentage of non-unicast packets seen (received & transmitted) by the switch over the last 30 seconds and 1 hour. Non-unicast traffic includes both multicast and broadcast traffic.
3.2 Viewing Switch Port Information
The Port screen displays configuration, runtime status, and statistics of the ports on the switch.
SWITCH NOTE: The ports available vary by switch platform.
RFS6000: ge1, ge2, ge3, ge4, ge5, ge6, ge7, ge8, me1, up1
RFS7000: ge1, ge2, ge3, ge4, me1
RFS4000: ge1, ge2, ge3, ge4, ge5, up1
The port types are defined as follows:
GE#: GE ports are available on the RFS6000 and RFS7000 platforms.
2. Select the Configuration tab to display the following read-only information:
Name: Displays the current port name. The port names available vary by switch.
RFS6000: ge1, ge2, ge3, ge4, ge5, ge6, ge7, ge8, me1, up1, wan
RFS7000: ge1, ge2, ge3, ge4, me1
RFS4000: ge1, ge2, ge3, ge4, ge5, up1
Aggregation Membership (RFS7000, RFS4000): The Aggregation Membership value displays the channel group the port is a member of.
MAC Address: Displays the port’s MAC Address.
1. Select a port from the table displayed within the Configuration screen.
2. Click the Edit button. A Port Change Warning screen displays, stating any change to the port setting could disrupt access to the switch. Communication errors may occur even if modifications made are successful.
3. Click the OK button to continue. Optionally, select the Don’t show this message again for the rest of the session checkbox to disable the pop-up.
4.
Name: Displays the read-only name assigned to the port.
Speed: Select the speed at which the port can receive and transmit the data. Select from the following range:
• 10 Mbps
• 100 Mbps
• 1000 Mbps
• Auto
Duplex: Modify the duplex status by selecting one of the following options:
• Half
• Full
• Auto
Channel Group: Optionally, set the Channel Group defined for the port.
2. Select the Runtime tab to display the following read-only information:
Name: Displays the port’s current name.
MAC Address: Displays the port’s MAC Address. This value is read-only, set at the factory and cannot be modified.
Oper Status: Displays the link status of the port. The port status can be either Up or Down.
Speed: Displays the current speed of the data transmitted and received over the port.
Duplex: Displays the port as either half duplex, full duplex, or Unknown.
2. Select the Statistics tab.
3. Refer to the Statistics tab to display the following read-only information:
Name: Defines the port name. The port names available vary by switch.
RFS6000: ge1, ge2, ge3, ge4, ge5, ge6, ge7, ge8, me1, up1, wan
RFS7000: ge1, ge2, ge3, ge4, me1
RFS4000: ge1, ge2, ge3, ge4, ge5, up1
Bytes In: Displays the total number of bytes received by the port.
Packets In: Displays the total number of packets received by the port.
3.2.3.1 Detailed Port Statistics
To view detailed statistics for a port:
1. Select a port from the table displayed within the Statistics screen.
2. Click the Details button.
3. The Interface Statistics screen displays. This screen displays the following statistics for the selected port:
Name: Displays the port name.
MAC Address: Displays physical address information associated with the interface. This address is read-only (hard-coded at the factory) and cannot be modified.
Output Unicast Packets: Displays the number of unicast packets (packets directed towards a single destination address) transmitted from the interface.
Output NonUnicast Packets: Displays the number of unicast packets transmitted from the interface.
Output Total Packets: Displays the total number of packets transmitted from the interface.
Output Packets Dropped: Displays the number of transmitted packets dropped from the interface.
• Input Bytes
• Input Pkts Dropped
• Output Pkts Total
• Output Pkts Error
• Input Pkts Total
• Input Pkts Error
• Output Pkts NUCast
• Input Pkts NUCast
• Output Bytes
• Output Pkts Dropped
3. Display any of the above by selecting the checkbox associated with it.
NOTE: You are not allowed to select (display) more than four parameters at any given time.
4. Click on the Close button to exit out of the screen.
3.2.
2. Select the PoE tab.
SWITCH NOTE: The PoE screen is available on the RFS6000 and RFS4000 switches. The RFS7000 switch does not have Power over Ethernet on any ports and will not display the PoE tab.
The PoE Global Configuration section displays the following power information.
Power Budget: Displays the total watts available for Power over Ethernet on the switch.
Power Consumption: Displays the total watts in use by Power over Ethernet on the switch.
Priority: Displays the priority mode for each of the PoE ports. The priority options are:
• Critical
• High
• Low
Limit (watts): Displays the power limit in watts for each of the PoE ports. The maximum power limit per port is 36 watts.
Power (watts): Displays each PoE port’s power usage in watts.
Voltage (volts): Displays each PoE port’s voltage usage in volts.
Current (mA): Displays each PoE port’s current usage in milliamps.
3.2.6 Configuring WAN Interface Cards
The RFS6000 switch supports 3G Wireless WAN cards using the ExpressCard slot. In order to use a 3G Wireless WAN card with the switch, it must first be initialized on a laptop. For activation and initialization information, refer to the instructions included with the card.
NOTE: To use a 3G Wireless WAN card with the switch, it must first be initialized on a laptop. For activation and initialization information, refer to the instructions included with the WAN card. If your Wireless WAN Interface card service provider makes use of a PIN number for access to the network, disable the PIN number before using the card with the switch.
4. To reset the WAN Interface card configuration, click the Reset button and the configuration fields will be cleared.
3.
Name: Displays the name of each existing configuration file.
Size (Bytes): Displays the size (in bytes) of each available configuration file.
Created: Displays the date and time each configuration file was created. Use this information as a baseline for troubleshooting problems by comparing event log data with configuration file creation data.
Modified: Displays the date and time each configuration file was last modified.
Use the up and down navigation facilities on the right-hand side of the screen to view the entire page.
3. The Page parameter displays the portion of the configuration file in the main viewing area. The total number of pages in the file is displayed to the right of the current page. The total number of lines in the file displays in the Status field at the bottom of the screen. Scroll to corresponding pages as required to view the entire contents of the file.
1. Click the Transfer Files button on the bottom of the Configuration screen.
2. Refer to the Source field to define the location and address information for the source config file.
From: Select the location representing the source file’s current location using the From drop-down menu. Options include Server, Local Disk, and Switch.
File: Specify a source file for the file transfer.
3.4 Viewing Switch Firmware Information
The switch can store (retain) two software versions (primary and secondary). Information supporting the two versions displays within the Firmware screen. The Version column displays the version string. The Build Time is the date and time each version was generated. Install represents the date and time the upgrade was performed. Next Boot indicates which version should be used on the next reboot.
3. Refer to the Patch field for a listing of the patches available to the switch. The name and version of each patch file is displayed. Each patch file has an associated .txt file designation. The text file describes nuances associated with the file that may make it optimal for use with the switch.
4. Select an existing firmware version and click the Edit button to change the firmware version used when the switch is booted next.
1. Select an image from the table in the Firmware screen.
2. Click the Global Settings button.
3. Select the Enable Image Failover checkbox to load an alternative firmware version if the WLAN module fails to load the selected version successfully after 2 reboot attempts.
4. Refer to the Status field for the current state of the requests made from the applet. Requests are any “SET/GET” operation from the applet.
5. From the Using drop-down menu, select either FTP or TFTP as a medium to update the firmware.
a. Use FTP to get the firmware update from a File Transfer Protocol (FTP) server. A user account must be established on the FTP server specified for the firmware update.
b. Use TFTP to get the firmware update from a Trivial File Transfer Protocol (TFTP) server.
c. Use HTTP to get the firmware update from a Hyper Text Transfer Protocol (HTTP) server.
d.
1. Select Switch > File Management from the main menu tree.
2. Refer to the Status field to specify the details of the source file.
From: Use the From drop-down menu to select the source file’s current location. The options include Wireless Switch and Server. The following transfer options are possible:
• Wireless Switch to Wireless Switch
• Wireless Switch to Server
• Server to Wireless Switch
1. Select Wireless Switch from the From drop-down menu.
2. Use the Browse button to locate a target file for the file transfer.
3. Use the To drop-down menu (within the Target field) and select Wireless Switch. This defines the location of the file.
4. Use the Browse button to define a location for the transferred file.
5. Click the Transfer button to complete the file transfer.
6. The Message section in the main menu area displays the file transfer message.
7.
1. Refer to the Source field to specify the source file. Use the From drop-down menu and select Wireless Switch.
2. Use the Browse button and select a file for transfer.
3. Use the To drop-down menu (within the Target field) and select Server. This defines the transfer location of the configuration file. Enter the file location marked to store the transferred file.
4. Use the Using drop-down menu to configure whether the log file transfer is conducted using FTP, TFTP, or SFTP.
1. Refer to the Source field to specify the details of the source file. Use the From drop-down menu and select Server.
2. Provide the name of the File.
3. Use the Using drop-down menu to configure whether the file transfer is conducted using FTP, TFTP, or SFTP. FTP transfers require a valid user ID and password.
4. Enter an IP Address of the server receiving the configuration file.
• Compact Flash
• USB 1
• USB 2
SWITCH NOTE: USB 1 is available on the RFS6000 and RFS7000 switches. USB 2 and Compact Flash are only available on the RFS7000 switch.
Transfer files between the switch and the server from any one of the above mentioned locations. Since compact flash (CF) and USB are external memory locations, the File System window displays the status of these devices. Transfer files to compact flash and USB only if they are connected and available.
3.6 Configuring Automatic Updates
Use the Automatic Updates screen to enable a facility that will poll a server address (you designate) when the switch is booted. If updates are found since the last time the switch was booted, the updated version is uploaded to the switch the next time the switch is booted. Enable this option for either the firmware, configuration file, or cluster configuration file.
Protocol: Use the Protocol drop-down menu to specify the FTP, TFTP, HTTP, SFTP, or resident switch FLASH medium used for the file update from the server. FLASH is the default setting.
Password: Enter the password required to access the server.
SWITCH NOTE: In addition to the Protocols listed on the RFS7000, users can also auto-update using USB or Compact Flash. On the RFS6000, users can also auto-update using USB.
3.
5. Select the Start Update button to begin the file updates for the enabled switch configuration, cluster configuration, or firmware facilities.
6. Click the Apply button to save the changes to the configuration.
7. Click the Revert button to revert back to the last saved configuration.
3.7 Viewing the Switch Alarm Log
Use the Alarm Log screen as an initial snapshot for alarm log information. Expand alarms (as needed) for greater detail, delete alarms, acknowledge alarms, or export alarm data to a user-specified location for archive and network performance analysis.
To view switch alarm log information:
1. Select Switch > Alarm Log from the main menu tree.
2. Use the Alarm Log screen’s filtering options to view alarm log data by page or by its entire content.
3.
Time Stamp: Displays the date, year, and time the alarm was raised (as well as the time zone of the system). The time stamp only states the time the alarm was generated, not the time it was acknowledged.
Severity: Displays the severity level of the event. Use this (non numerical and verbal) description to assess the criticality of the alarms.
2. Select an alarm and click the Details button.
3. Refer to the Alarm Details and Alarm Message for the following information:
Description: Displays the details of the alarm log event. This information can be used in conjunction with the Solution and Possible Causes items to troubleshoot the event and determine how the event can be avoided in the future.
Solution: Displays a possible solution to the alarm event. The solution should be attempted first to rectify the described problem.
1. Select Switch > Licenses from the main menu tree.
2. Refer to the Install License field for the following information:
License Key: Enter the license key required to install a particular feature. The license key is returned when you supply the switch serial number to Motorola support.
Feature Name: Enter the name of the feature you wish to install/upgrade using the license.
License Usage: Lists the number of licenses in use. Determine whether this number adequately represents the number of switches needed to deploy.
License Key: The license key for the feature installed/upgraded.
3.9 How to use the Filter Option
Use the Filter Option to sort the display details of screens that employ the filtering option as a means of sorting how data is displayed within the screen.
1. Click the Show Filtering Option to expand the Filter Option zone, whenever it appears in any screen.
2. Enter the filter criteria as per the options provided in the Filter Option zone.
Network Setup
This chapter describes the Network Setup menu information used to configure the switch.
4.1 Displaying the Network Interface
The main Network interface displays a high-level overview of the configuration (default or otherwise) as defined within the Network main menu. Use the information to determine if items require additional configuration using the sub-menu items under the main Network menu item.
2. Refer to the following information to discern if configuration changes are warranted:
DNS Servers: Displays the number of DNS Servers configured thus far for use with the switch. For more information, see Viewing Network IP Information on page 4-4.
IP Routes: Displays the number of IP routes for routing packets to a defined destination. For information on defining IP Routes, see Configuring IP Forwarding on page 4-6.
4.2 Viewing Network IP Information
Use the Internet Protocol screen to view and configure network-associated IP details. The Internet Protocol screen contains tabs supporting the following configuration activities:
• Configuring DNS
• Configuring IP Forwarding
• Viewing Address Resolution
4.2.1 Configuring DNS
Use the Domain Name System tab to view Server address information and delete or add servers to the list of servers available.
To configure DNS:
1.
6. Click the Global Settings button to open a screen that allows the domain lookup to be enabled/disabled and the domain name to be specified. For more information, see Configuring Global Settings on page 4-5.
4.2.1.1 Adding an IP Address for a DNS Server
Add an IP address for a new domain server using the Add screen.
1. Click the Add button within the Domain Network System screen. The new Configuration screen displays, enabling you to add an IP address for the DNS Server.
2.
6. Click Cancel to close the dialog without committing updates to the running configuration.
4.2.2 Configuring IP Forwarding
The IP Forwarding table lists all the routing entries to route the packets to a specific destination.
To view the IP forwarding configuration:
1. Select Network > Internet Protocol from the main tree menu.
2. Select the IP Forwarding tab. Use the Filtering Option to view the details displayed in the table.
3.
Protocol: Displays the name of the routing protocol with which this route was obtained. Possible values are:
• Static — Routes are statically added by the operator.
• DHCP — Routes obtained from the DHCP server.
• Connected — Routes automatically installed by the switch for directly connected networks based on interface IP addresses.
• Kernel/ICMP — Routes added as a result of receiving an ICMP redirect from an intermediate router.
7. Click Cancel to close the dialog without committing updates to the running configuration.
4.2.3 Viewing Address Resolution
The Address Resolution table displays the mapping of layer three (IP) addresses to layer two (MAC) addresses.
To view address resolution details:
1. Select Network > Internet Protocol from the main tree menu.
2. Select the Address Resolution tab.
3.
4.3 Viewing and Configuring Layer 2 Virtual LANs
A virtual LAN (VLAN) is similar to a Local Area Network (LAN), however devices do not need to be connected to the same segment physically. Devices operate as if connected to the same LAN, but could be connected at different physical connections across the LAN segment. The VLAN can be connected at various physical points but react as if it were connected directly.
Allowed VLANs: Displays VLAN tags allowed on this interface.
Tagged Native VLAN: Displays if the Native VLAN for each port is tagged or not. The column displays a green check mark if the Native VLAN is tagged. If the Native VLAN is not tagged, the column will display a red “x”. A Native VLAN is the VLAN which untagged traffic will be directed over when using a port in trunk mode.
4. Use the Edit screen to modify the VLAN’s mode, access VLAN, and allowed VLAN designation.
5. Use the Edit screen to modify the following:
Name: Displays a read-only field with the name of the Ethernet to which the VLAN is associated.
Mode: Use the drop-down menu to select the mode. It can be either:
• Access – This Ethernet interface accepts packets only from the native VLANs. If this mode is selected, the Allowed VLANs field is unavailable.
2. Select the Ports by VLAN tab. VLAN details are displayed within the VLANs by Port tab.
3. Highlight an existing VLAN and click the Edit button. The system displays a Port VLAN Change Warning message stating that changing VLAN designations could disrupt access to the switch.
4. Click OK to continue. A new window is displayed wherein the VLAN assignments can be modified for the selected VLAN.
SWITCH NOTE: The ports available vary by switch.
6. Click OK to use the changes to the running configuration and close the dialog.
7. Click Cancel to close the dialog without committing updates to the running configuration.
4.4 Configuring Switch Virtual Interfaces
A Switch Virtual Interface (SVI) is required for layer 3 (IP) access to the switch or to provide layer 3 service on a VLAN. The SVI defines which IP address is associated with each VLAN ID that the switch is connected to.
DHCP: Displays whether the DHCP client is enabled or not. A green check mark defines the DHCP client as enabled for the interface. A red X means the interface is disabled.
Primary IP Address: Displays the IP address for the virtual interface.
Primary Subnet Mask: Displays the subnet mask assigned for this interface.
Admin Status: Displays whether the virtual interface is operational and available to the switch.
3. Click the Add button.
4. Enter the VLAN ID for the switch virtual interface.
5. Provide a Description for the VLAN, representative of the VLAN’s intended operation within the switch managed network.
6. The Primary IP Settings field consists of the following:
a. Select Use DHCP to obtain IP Address automatically to allow DHCP to provide the IP address for the virtual interface. Selecting this option disables the IP address field.
b.
2. Select the Configuration tab and click the Edit button. The screen displays with the name of the VLAN in the upper left-hand side. The VLAN ID cannot be modified and should be used to associate the VLAN ID with the description and IP address assignments defined.
3. If necessary, modify the Description of the VLAN, to make it representative of the VLAN’s intended operation within the switch managed network.
4.
2. Select the Statistics tab. Refer to the following to assess the network throughput of existing virtual interfaces:
Name: Displays the user-defined interface name. The corresponding statistics are displayed along the row. The statistics are the total traffic to the interface since its creation.
Bytes In: Displays the number of bytes coming into the interface. The status is not self-updated. To view the current status, click the Details button.
Packets In Error: Displays the number of error packets coming into the interface.
• Runt frames — Packets shorter than the minimum Ethernet frame length (64 bytes).
• CRC errors — The Cyclical Redundancy Check (CRC) is the 4 byte field at the end of every frame. The receiving station uses it to determine whether the frame is valid. If the CRC value computed by the interface does not match the value at the end of the frame, it is considered a CRC error.
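The two Packets In Error categories described above, as an added example that is not part of the original guide or of the switch software: a Python sketch that classifies received frames as runt, CRC error, or valid and tallies them. The function names and sample frames are constructed for illustration, and the check value is computed as the standard Ethernet CRC-32.

```python
import struct
import zlib

MIN_FRAME_LEN = 64  # minimum Ethernet frame length in bytes, CRC field included
FCS_LEN = 4         # the CRC is the 4 byte field at the end of every frame


def fcs(body: bytes) -> bytes:
    """Ethernet CRC-32 over the frame body, in the byte order used on the wire."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Build a padded frame with a valid CRC (used here to construct test input)."""
    body = dst + src + struct.pack("!H", ethertype) + payload
    body += b"\x00" * max(0, MIN_FRAME_LEN - FCS_LEN - len(body))
    return body + fcs(body)


def classify(frame: bytes) -> str:
    """Return 'runt', 'crc_error' or 'ok' for one received frame.

    Assumption of this sketch: a short frame is counted as a runt without
    looking at its CRC, so each frame lands in exactly one category.
    """
    if len(frame) < MIN_FRAME_LEN:
        return "runt"
    body, received = frame[:-FCS_LEN], frame[-FCS_LEN:]
    return "ok" if fcs(body) == received else "crc_error"


def count_errors(frames) -> dict:
    """Tally frames per category and derive a Packets In Error style total."""
    counters = {"ok": 0, "runt": 0, "crc_error": 0}
    for frame in frames:
        counters[classify(frame)] += 1
    counters["packets_in_error"] = counters["runt"] + counters["crc_error"]
    return counters


def sample_frames() -> list:
    """Constructed sample input: two valid frames, one truncated, one corrupted."""
    dst, src = b"\xff" * 6, bytes.fromhex("001122334455")
    good = build_frame(dst, src, 0x0800, b"hello")
    large = build_frame(dst, src, 0x0800, b"A" * 100)
    truncated = good[:40]           # shorter than 64 bytes
    corrupted = bytearray(good)
    corrupted[20] ^= 0x01           # single bit flipped in transit
    return [good, large, truncated, bytes(corrupted)]


if __name__ == "__main__":
    print(count_errors(sample_frames()))
```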
3. The Interface Statistics screen displays the following content:
Name: Displays the title of the logical interface selected.
MAC Address: Displays physical address information associated with the interface. This address is read-only (hard-coded at the factory) and cannot be modified.
Input Bytes: Displays the number of bytes received by the interface.
Input Unicast Packets: Displays the number of unicast packets (packets directed towards the interface) received at the interface.
4.4.2.2 Viewing the Virtual Interface Statistics Graph
The switch Web UI continuously updates its virtual interface statistics, even when the graph is closed. Periodically display the virtual statistics graph for the latest information as network performance information is required.
To view detailed graphical statistics for a selected interface:
1. Select a record from the table displayed in the Statistics screen.
2. Click the Graph button.
3.
4. Refer to the Status field for the current state of the requests made from the applet. This field displays error messages if something goes wrong in the transaction between the applet and the switch.
5. Click Close to close the dialog.
4.5 Viewing and Configuring Switch WLANs
A wireless LAN (WLAN) is a local area network (LAN) without wires. WLANs transfer data through the air using radio frequencies instead of cables.
2. Click the Configuration tab. The Configuration tab displays the following details:
Switch: The Switch field displays the IP address of the cluster member associated with each WLAN. When clustering is enabled on the switch and Cluster GUI is enabled, the Switch field will be available on the Wireless LAN screen. For information on enabling Cluster GUI, see Managing Clustering Using the Web UI.
Index: Displays the WLAN’s numerical identifier.
Authentication: Displays the type of authentication used with the specified WLAN. Click the Edit button to modify the WLAN’s current authentication scheme. For information on configuring an authentication scheme for a WLAN, see Configuring Authentication Types on page 4-33.
Encryption: Displays the type of wireless encryption used on the specified WLAN. When no encryption is used, the field displays "none". Click the Edit button to modify the WLAN’s current encryption scheme.
7. Click the Push Splash.. button to push the No Service page from the switch to all the adopted AAPs. The No Service page notifies the client user that a critical resource such as a RADIUS server is not available at that time.
NOTE: This button becomes active only when you enable a WLAN with a hotspot authentication.
NOTE: This feature needs FTP enabled on the switch with ‘ftpuser’ as default username and password.
8.
Manual mapping of WLANs: Use this option (it is selected by default) for custom WLAN to Radio mappings. When this option is disabled, the user cannot conduct Radio – WLAN mapping. Additionally, the user cannot enable WLANs with an index higher than 16. (The WLAN numbers will depend on the device on which this feature is enabled). Once this option is enabled, the following conditions must be satisfied (to successfully disable it).
4. Click the Edit button. The Wireless LANs Edit screen is divided into the following user-configurable fields:
• Switch IP
• Configuration
• Authentication
• Encryption
• Advanced
5. The Switch field displays the IP address of the cluster member associated with each WLAN. When clustering is enabled on the switch and Cluster GUI is enabled, the Switch field will be available on the Wireless LAN screen.
Deny Static MU: Enabling this option provides WLAN based configuration to allow only traffic from those mobile units whose IP is present in the layer 3 entity table. If the IP entry is not present in the layer 3 entity table, the event will be logged and the packet dropped.
Enable URL Logging: Enable URL Logging to log all HTTP GET requests. Along with the URL, a mobile unit IP address will also be logged.
NOTE: When configuring wireless settings for Adaptive APs, all configuration must be done through the switch and not from the AP management console. Making changes directly in the AP management console can lead to unstable operation of the Adaptive AP.
7. Refer to the Authentication field to select amongst the following options:
802.1X EAP: A Radius server is used to authenticate users. For detailed information on configuring EAP for the WLAN, see Configuring 802.1x EAP on page 4-33.
Kerberos: A Kerberos server is used to authenticate users. For detailed information on configuring Kerberos for the WLAN, see Configuring Kerberos on page 4-34.
Hotspot: A Hotspot is used to authenticate users in a unique network segment (hotspot).
9. Refer to the Advanced field for the following information:
Accounting Mode: If using a Syslog server to conduct accounting for the switch, select the Syslog option from the Accounting Mode drop-down menu. Once selected, a Syslog Config button is enabled on the bottom of the Network > Wireless LANs > Edit screen. Use this sub screen to provide the Syslog Server IP address and port for the Syslog Server performing the accounting function.
MCast Addr 2: The second address also takes packets (where the first 4 bytes match the first 4 bytes of the mask) and sends them immediately over the air instead of waiting for the DTIM period. Any multicast/broadcast that does not match this mask will go out only on DTIM Intervals.
NAC Mode: Using Network Access Control (NAC), the switch only grants access to specific network resources. NAC restricts access to only compliant and validated devices (printers, phones, PDAs, etc.
6. Configure the Multiple VLAN Mapping for WLAN table as required to add or remove multiple VLANs for the selected WLAN. Multiple VLANs per WLAN are mapped (by default) to a regular VLAN and are not supported on an adaptive AP. Refer to Editing the WLAN Configuration on page 4-25 to select and define an independent VLAN for adaptive AP support.
VLAN: Displays the VLANs currently mapped to the WLAN. By default, VLAN 1 is configured for any selected WLAN.
4.5.1.3 Configuring Authentication Types
Refer to the following to configure the WLAN authentication options available on the switch:
• Configuring 802.1x EAP
• Configuring Kerberos
• Configuring Hotspots
• Configuring an Internal Hotspot
• Configuring External Hotspot
• Configuring Advanced Hotspot
• Configuring MAC Authentication
Configuring 802.1x EAP
The IEEE 802.1x standard ties the 802.1x EAP authentication protocol to both wired and wireless LAN applications.
5. Configure the Advanced field as required to define MU timeout and retry information for the authentication server.
MU Timeout: Define the time (between 1-60 seconds) for the switch’s retransmission of EAP-Request packets. The default is 5 seconds.
MU Max Retries: Specify the maximum number of times the switch retransmits an EAP-Request frame to the client before it times out the authentication session.
5. Click the Config... button to the right of the Kerberos checkbox. The Kerberos screen displays.
6. Specify a case-sensitive Realm Name. The realm name is the domain/realm name of the KDC Server. A realm name functions similarly to a DNS domain name. In theory, the realm name is arbitrary. However, in practice a Kerberos realm is named by uppercasing the DNS domain name associated with hosts in the realm.
7.
3. Customized internal web pages (using the Advanced feature in hotspot configuration)
When users visit a public hotspot and want to browse a Web page, they can boot up their laptop or device and associate with the local Wi-Fi network by entering the correct SSID. They then start a browser. The hotspot access controller forces this un-authenticated user to a Welcome page from the hotspot Operator that allows the user to log in with a username and password.
from an external source (like an FTP server) and hosting them on the switch. For more information, see Configuring Advanced Hotspot on page 4-44.
NOTE: The appearance of the Hotspot screen differs depending on which option is selected from the drop-down menu. You may want to research the options available before deciding which hotspot option to select.
3. Select the Hotspot button from within the Authentication field. Click the Config button to the right of the Hotspot checkbox. Ensure Internal is selected from within the This WLAN’s Web Pages are of the drop-down menu. The following dialog displays.
4. Click the Login tab and enter the title, header, footer, Small Logo URL, Main Logo URL, and Descriptive Text you would like to display when users log in to the switch-maintained hotspot.
Main Logo URL: Displays the URL for the main logo image displayed on the Failed page when using the switch’s internal Web server. This option is only available if Internal is chosen from the drop-down menu above.
Descriptive Text: Specify any additional text containing instructions or information for the users who access the Failed page. This option is only available if Internal is chosen from the drop-down menu above.
Small Logo URL: The Small Logo URL is the URL for a small logo image displayed on the Failed page when using the internal Web server. This option is only available if Internal is chosen from the drop-down menu above.
Main Logo URL: The Main Logo URL is the URL for the main logo image displayed on the Failed page when using the internal Web server. This option is only available if Internal is chosen from the drop-down menu above.
10. Refer to the Allow List field, and enter any IP address (for internal or external Web sites) that may be accessed by the Hotspot user without authentication.
NOTE: In multi-switch hotspot environments if a single switch’s internal pages are configured for authentication on the other switches, those switches will redirect to their own internal pages instead. In these environments, it is recommended to use an external server for all of the switches.
11.
3. Select the Hotspot button from within the Authentication field. Click the Config button to the right of the Hotspot checkbox. Ensure External is selected from within the This WLAN’s Web Pages are of the drop-down menu.
4. Refer to the External Web Pages field and provide the Login, Welcome, and Failed Page URLs used by the external Web server to support the hotspot.
Login Page URL: Define the complete URL for the location of the Login page.
Failed Page URL: Define the complete URL for the location of the Failed page. The Failed screen assumes that the hotspot authentication attempt has failed, you are not allowed to access the Internet and you need to provide correct login information to access the Web. For example, the Failed page URL can be the following: http://192.168.150.5/fail.html?ip_address=192.168.30.1. Here, 192.168.150.5 is the Web server IP address and 192.168.30.1 is the switch IP address.
16. Click Cancel to close the dialog without committing updates to the running configuration.
NOTE: While using the External web pages option:
1. Configure the Internal Web pages for a particular WLAN.
2. Copy the Internal Web pages corresponding to the WLAN from the switch to the external Web server.
3. Change the WLAN Web pages option from “Internal” to “External”.
4.
4. Select the Hotspot button from within the Authentication field. Ensure Advanced is selected from within the This WLAN’s Web Pages are of the drop-down menu. Once the properties of the advanced hotspot have been defined, the file can be installed on the switch and used to support the hotspot. The following parameters are required to upload the file:
a. Specify a source hotspot configuration file. The file used at startup automatically displays within the File parameter.
b.
5. Refer to the Allow List field, and enter any IP address (for internal or external Web sites) that may be accessed by the Hotspot user without authentication.
6. Check the Use System Name in Hotspot URL to use the System Name specified on the main Switch configuration screen as part of the hotspot address.
7. Specify the maximum Hotspot Simultaneous Users to set a limit on the number of concurrent unique hotspot users for the selected WLAN.
8.
5. Click the Config button next to the MAC Authentication option to open a dialogue where the format of MAC Addresses can be configured. The MAC Authentication Format setting determines the text format in which MAC addresses are transmitted when using MAC-Auth authentication.
6. Select the MAC Auth in Upper Case option to transmit the 12-digit MAC address to the Radius server in upper case letters. The MAC address is transmitted in lower case letters if you disable this option.
To configure an external Radius Server for EAP 802.1x, Hotspot, or Dynamic MAC ACL WLAN support:
NOTE: To optimally use an external Radius Server with the switch, Motorola recommends defining specific external Server attributes to best utilize user privilege values for specific switch permissions. For information on defining the external Radius Server configuration, see Configuring an External Radius Server for Optimal Switch Support on page 4-50.
1.
6. Refer to the Server field and define the following credentials for a primary and secondary Radius server.
RADIUS Server Address: Enter the IP address of the primary and secondary server acting as the Radius user authentication data source.
RADIUS Port: Enter the TCP/IP port number for the primary and secondary server acting as the Radius user authentication data source. The default port is 1812.
9. Refer to the Advanced field to define the authentication protocol used with the Radius Server.
PAP: PAP - Password Authentication Protocol sends a username and password over a network to a server that compares the username and password to a table of authorized users. If the username and password are matched in the table, server access is authorized.
access, configure the Radius Server with two attributes. Once with a value 1 for monitor access and then with a value 2 for the helpdesk role. Multiple roles can also be defined by configuring the Radius Server with attribute 1 and value 3 (or monitor value 1 and helpdesk value 2).
NOTE: If user privilege attributes are not defined for the Radius Server, users will be authenticated with a default privilege role of 1 (Monitor read-only access).
1. Select Network > Wireless LANs from the main menu tree.
2. Select an existing WLAN from those displayed with the Configuration tab.
3. Click on the Edit button.
4. Select either the EAP 802.1x, Hotspot, or Dynamic MAC ACL button from within the Authentication field. This enables the Radius button at the bottom of the Network > Wireless LANs > Edit screen.
5. Click the Radius button.
Server Timeout: Enter a value (between 1 and 300 seconds) to indicate the number of elapsed seconds causing the switch to time out on a request to the primary or secondary NAC server.
Server Retries: Enter a value between 1 and 100 to indicate the number of times the switch attempts to reach the primary or secondary server before giving up.
CAUTION: The server’s Timeout and Retries should be less than what is defined for an MU’s timeout and retries.
11. Refer to the Status field for the current state of the requests made from the applet. This field displays error messages if something goes wrong in the transaction between the applet and the switch.
12. Click OK to use the changes to the running configuration and close the dialog.
13. Click Cancel to close the dialog without committing updates to the running configuration.
4.5.1.
5. Specify a 4 to 32 character Pass Key and click the Generate button. The pass key can be any alphanumeric string. The switch, other proprietary routers, and Motorola MUs use the algorithm to convert an ASCII string to the same hexadecimal number. MUs without Motorola adapters need to use WEP keys manually configured as hexadecimal numbers.
6. Use the Key #1-4 areas to specify key numbers. The key can be either hexadecimal or ASCII.
5. Specify a 4 to 32 character Pass Key and click the Generate button. The pass key can be any alphanumeric string. The switch and Motorola MUs use the algorithm to convert an ASCII string to the same hexadecimal number. MUs without Motorola adapters need to use WEP keys manually configured as hexadecimal numbers.
6. Use the Key #1-4 areas to specify key numbers. The key can be either hexadecimal or ASCII.
Configuring WPA/WPA2 using TKIP and CCMP
Wi-Fi Protected Access (WPA) is a robust encryption scheme specified in the IEEE Wireless Fidelity (Wi-Fi) standard, 802.11i. WPA provides more sophisticated data encryption than WEP. WPA is designed for corporate networks and small-business environments where more wireless traffic allows quicker discovery of encryption keys by an unauthorized person. WPA's encryption method is Temporal Key Integrity Protocol (TKIP).
5. Select the Broadcast Key Rotation checkbox to enable periodically changing the broadcast key for this WLAN. Only broadcast key changes when required by associated MUs, to reduce the transmission of sensitive key information. This value is enabled by default.
6. Refer to the Update broadcast keys every field to specify a time period (in seconds) for broadcasting encryption-key changes to MUs.
Opportunistic Key Caching: Opportunistic Key Caching allows the switch to use a PMK derived with a client on one Access Port with the same client when it roams over to another Access Port. Upon roaming, the client does not have to conduct 802.1x authentication and can start sending/receiving data sooner.
Pre-Authentication: Selecting the Pre-Authentication option enables an associated MU to carry out an 802.1x authentication with another switch (or device) before it roams to it.
4.5.2 Viewing WLAN Statistics
The Statistics screen displays read-only statistics for each WLAN. Use this information to assess if configuration changes are required to improve network performance. If a more detailed set of WLAN statistics is required, select a WLAN from the table and click the Details button.
To view WLAN configuration details:
1. Select Network > Wireless LANs from the main menu tree.
2. Click the Statistics tab.
3.
Avg BPS: Displays the average bit speed in Mbps for the selected WLAN. This includes all packets sent and received.
% Non-UNI: Displays the percentage of the total packets for the selected WLAN that are non-unicast packets. Non-unicast packets include broadcast and multicast packets.
Retries: Displays the average number of retries for all MUs associated with the selected WLAN.
4. To view WLAN statistics in greater detail, select a WLAN and click the Statistics button.
The Details screen contains the following fields:
• Information
• Traffic
• RF Status
• Errors
Information in black represents the statistics from the last 30 seconds and information in blue represents statistics from the last hour.
4. Refer to the Information field for the following information:
ESSID: Displays the Service Set ID (SSID) for the selected WLAN.
VLAN: Displays the name of the VLAN the WLAN is associated with.
6. Refer to the RF Status field for the following information:
Avg MU Signal: Displays the average RF signal strength in dBm for all MUs associated with the selected WLAN. The number in black represents this statistic for the last 30 seconds and the number in blue represents this statistic for the last hour.
Avg MU Noise: Displays the average RF noise for all MUs associated with the selected WLAN.
2. Click the Graph button. The WLAN Statistics screen displays for the selected port.
To view detailed statistics for a WLAN:
1. Select Network > Wireless LANs from the main menu tree.
2. Click the Statistics tab.
3. Select a WLAN from the table displayed in the Statistics screen and click the Switch Statistics button.
4. Refer to the Packet Rates field to review the number of packets both transmitted (Tx) and received (Rx) at data rates from 1.0 to 54.0 Mbps.
1. Select Network > Wireless LANs from the main menu tree.
2. Click the WMM tab. The WMM tab displays the following information:
Idx: Displays the WLAN's numerical identifier. This field is displayed in a two-part format. The first number is the WLAN index and the second number is a sub-index corresponding to the access category. Click the Edit button to modify this property.
Note: The available WLAN index range is from 1-24 for RFS4000.
Transmit Ops: Displays the maximum duration a device can transmit after obtaining a transmit opportunity. For higher-priority traffic categories, this value should be set to a low number.
CW Min: The CW Min is combined with the CW Max to make the Contention screen. From this range, a random number is selected for the back off mechanism. Lower values are used for higher priority traffic.
CW Max: The CW Max is combined with the CW Min to make the Contention screen.
4. Select the QoS Mappings button to revise the existing mappings of access category to 802.1p and DSCP to access category settings. With a drastic increase in bandwidth-absorbing network traffic (VOIP, multimedia, etc.), data prioritization is critical to effective network management.
4.5.3.1 Editing WMM Settings
WLAN WMM configuration affects your upstream traffic parameters. Use Configuring WMM on page 4-111 to configure downstream traffic parameters. Use the WMM Edit screen to modify existing Access Category settings for the WLAN selected within the WMM screen. This could be necessary in instances when data traffic has changed and high-priority traffic (video and voice) must be accounted for by modifying AIFSN, Transmit Ops and CW values.
Transmit Ops: Defines the maximum duration a device can transmit after obtaining a transmit opportunity. For higher-priority traffic categories, this value should be set to a low number.
CW Minimum: The CW Minimum is combined with the CW Maximum to make the Contention screen. From this range, a random number is selected for the back off mechanism. Select a lower value for high priority traffic.
To view the attributes of a NAC Include list:
1. Select Network > Wireless LANs from the main menu tree.
2. Select the NAC Include List Configuration tab to view and configure NAC enabled devices.
3. The Include Lists field displays the list of devices that can be included on a WLAN (a printer for example). Use the Add button to add a device for configuration on a WLAN. A maximum of 6 MAC addresses are allowed per device.
4.5.4.1 Adding an Include List to a WLAN
To add a device to a WLAN’s include list configuration:
1. Select Network > Wireless LANs from the main menu tree.
2. Select the NAC Include tab to view and configure NAC Include enabled devices.
3. Click on the Add button in the Include Lists area.
4. Enter the name of the device to include for NAC authentication.
5. Refer to the Status field. It displays the current state of the requests made from the applet.
8. Click OK to save and add the new configuration and close the dialog window.
9. Click Cancel to close the dialog without committing updates to the running configuration.
4.5.4.3 Mapping Include List Items to WLANs
To assign include list items to one or more WLANs:
1. Select Network > Wireless LANs from the main menu tree.
2. Select the NAC Include tab to view NAC Included devices.
3.
4.5.5 Configuring the NAC Exclusion List
The switch provides a means to bypass NAC for 802.1x devices without a NAC agent. For Motorola handheld devices (like the MC9000), authentication is achieved using an exclusion list. A list of MAC addresses (called an exclusion list) can be added to each WLAN. Each has a separate configuration for the Radius server (which only conducts EAP authentication). An exclusion list is a global index-based configuration.
5. The Configured WLANs field displays the available switch WLANs. Associate a list item in the Exclude Lists field with multiple WLANs. For information on mapping NAC Exclude list’s items to WLANs, see Mapping Exclude List Items to WLANs on page 4-76.
6. To delete a device, select a device from the Exclude List and click the Delete button.
7. Use the Edit button to modify a device's parameters.
8.
3. Click the Add button in the List Configuration field.
4. The List Name displays the read-only name of the list for which you wish to add more devices.
5. Enter the Host Name for the device you wish to add for the selected exclude list.
6. Enter a valid MAC Address for the device you wish to add.
7. Optionally, enter the MAC Mask for the device you wish to add.
8. Refer to the Status field. It displays the current state of the requests made from the applet.
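As an added example (not from the guide or the switch software), this Python sketch audits a device inventory against NAC include and exclude lists to show how much a MAC Mask widens an entry. It assumes a 1 bit in the mask means "this bit must match" and reports a station matched by both lists as a conflict, since the guide does not say which list wins; all names and MAC addresses are constructed.

```python
import re

FULL_MASK = (1 << 48) - 1  # compare all 48 bits when no MAC Mask is given


def mac_to_int(text):
    """Parse a MAC written with ':', '-' or '.' separators, or as 12 hex digits."""
    digits = re.sub(r"[:.\-]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError("not a MAC address: %r" % text)
    return int(digits, 16)


class ListEntry:
    """One list item: Host Name, MAC Address and optional MAC Mask."""

    def __init__(self, host_name, mac, mask=None):
        self.host_name = host_name
        self.mac = mac_to_int(mac)
        self.mask = FULL_MASK if mask is None else mac_to_int(mask)

    def matches(self, station_mac):
        # Assumed semantics: only the bits set in the mask are compared.
        return (mac_to_int(station_mac) & self.mask) == (self.mac & self.mask)


def covered_addresses(entry):
    """Number of distinct MAC addresses one entry matches under its mask."""
    return 2 ** (48 - bin(entry.mask).count("1"))


def classify(station_mac, include_list, exclude_list):
    """Return 'nac', 'bypass', 'conflict' or 'unlisted' for one station."""
    included = any(e.matches(station_mac) for e in include_list)
    excluded = any(e.matches(station_mac) for e in exclude_list)
    if included and excluded:
        return "conflict"
    if excluded:
        return "bypass"
    if included:
        return "nac"
    return "unlisted"


def audit(inventory, include_list, exclude_list):
    """Group inventory MACs by how the two lists treat them."""
    result = {"nac": [], "bypass": [], "conflict": [], "unlisted": []}
    for mac in inventory:
        result[classify(mac, include_list, exclude_list)].append(mac)
    return result


# Constructed sample data (locally administered 02:... addresses).
INCLUDE = [
    ListEntry("laptop-01", "02:CC:DD:00:00:01"),
    ListEntry("laptop-02", "02:AA:BB:99:99:99"),
]
EXCLUDE = [
    # One masked entry covering every address that starts 02:AA:BB.
    ListEntry("handhelds", "02:AA:BB:00:00:00", "FF:FF:FF:00:00:00"),
]
INVENTORY = [
    "02:aa:bb:12:34:56",   # handheld, matched through the mask
    "02-CC-DD-00-00-01",   # laptop on the include list
    "02aa.bb99.9999",      # laptop that also falls under the handheld mask
    "02:ee:ff:00:00:07",   # on neither list
]

if __name__ == "__main__":
    for group, macs in audit(INVENTORY, INCLUDE, EXCLUDE).items():
        print(group, macs)
    print("handhelds entry covers", covered_addresses(EXCLUDE[0]), "addresses")
```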
4. Map the selected list item with as many WLANs as needed (by selecting the WLAN’s checkbox). Use the Select All button to associate each WLAN with the selected list item.
5. To remove the WLAN Mappings, select the Deselect All button to clear the mappings.
6. Refer to the Status field for a display of the current state of the requests made from the applet. Requests are any “SET/GET” operation from the applet.
3. Associate the exclude list to a WLAN.
RF Switch(config-wireless-client-list) #wlan 1
RF Switch(config-wireless-client-list) #
4.5.6.3 Configuring the WLAN for NAC
Many handheld devices are required to bypass NAC, and a few laptops and desktops are required to be NAC validated.
1. Set the NAC mode for WLAN. A NAC validation is conducted for station entries in the include list. The station entries are authenticated using the Radius server.
RF Switch (config-wireless) #wlan 1 radius-server secondary radius-key my-rad-secret-2
RF Switch (config-wireless) #
4. Configure the NAC server’s timeout and re-transmit settings. The timeout parameter configures the duration for which the switch waits for a response from the Radius server before attempting a retry. This is a global setting for both the primary and secondary server. The re-transmit parameter defines the number of retries a switch attempts before dis-associating the MU.
4.6 Viewing Associated MU Details
The Mobile Units screen displays read-only device information for MUs interoperating with the switch managed network. The Mobile Units screen consists of the following tabs:
• Viewing MU Status
• Configuring Mobile Units
• Viewing MU Statistics
• Viewing MU Voice Statistics
NOTE: The Motorola RF Management Software is a recommended utility to plan the deployment of the switch and view its configuration once operational.
MAC Name: Displays the MAC name associated with each MU's MAC Address. The MAC Name is a user-created name used to identify individual mobile unit MAC Addresses with a user-friendly name.
IP Address: Displays the unique IP address for the MU. Use this address as necessary throughout the applet for filtering and device intrusion recognition and approval.
Ready: Displays whether the MU is ready for switch interoperation. Values are Yes and No.
3. Select a MU from the table in the Status screen and click the Details button.
4. Refer to the following read-only MU transmit and receive statistics:
MAC Address: Displays the Hardware or Media Access Control (MAC) address for the MU.
IP Address: Displays the unique IP address for the MU. Use this address as necessary throughout the applet for filtering and device intrusion recognition and approval.
Voice: Displays whether or not the MU is a voice capable device. Traffic from a voice enabled MU is handled differently than traffic from MUs without this capability. MUs grouped to particular WLANs can be prioritized to transmit and receive voice traffic over data traffic.
WMM: Displays WMM usage status for the MU, including the Access Category currently in use. Use this information to assess whether the MU is using the correct WMM settings in relation to the operation of the switch.
4. Check the Trigger Beacon Request box to enable Radio Resource Management services on the selected MU.
5. In the Measurement Duration field, enter a time interval between 500-1000 (in K-us) to specify how often the Radio Resource Measurement services will poll the selected MU for traffic information.
6. Click OK to use the changes to the running configuration and close the dialog.
4.6.
4. When using clustering and the Cluster GUI feature is enabled, a pull-down menu will be available to select which cluster members’ MUs are displayed. To view MUs from all cluster members, select All from the pull-down menu. To view MUs from a specific cluster member, select that member’s IP address from the pull-down menu.
5. To add a MAC address to MU association, click the Add button. For more information on adding an association, see MAC Naming of Mobile Units.
6.
2. Click the Statistics tab.
3. Select the Last 30s checkbox to display MU statistics gathered over the last 30 seconds. This option is helpful for assessing MU performance trends in real-time.
4. Select the Last HR checkbox to display MU statistics gathered over the last hour. This option is helpful for assessing performance trends over a measurable period.
5.
% Non Unicast: Displays the percentage of the total packets for the selected MU that are non-unicast packets. Non-unicast packets include broadcast and multicast packets.
Retries: Displays the average number of retries per packet. A high number in this field could indicate possible network or hardware problems.
6. Click the Details button to launch a screen with additional information about the selected MU. For more information, see Viewing MU Statistics in Detail on page 4-87.
7.
Information in black represents the statistics from the last 30 seconds and information in blue represents statistics from the last hour. Use both sets of data to trend statistics in real time versus a measurable period (1 hour).
4. Refer to the Information field for the following information:
MAC Address: Displays the Hardware or Media Access Control (MAC) address for the MU. This address is hard-coded at the factory and cannot be modified.
% Gave Up Pkts: Displays the percentage of packets the switch gave up on for the selected MU.
% of Undecryptable Pkts: Displays the percentage of undecryptable packets (packets that could not be processed) for the selected MU.
8. Refer to the Status field for the current state of the requests made from the applet. This field displays error messages if something goes wrong in the transaction between the applet and the switch.
9.
2. Click the Voice Statistics tab. The Voice Statistics table displays the following information:
Call Index: Displays the numerical identifier assigned to each Access Port.
MAC Address: Displays MAC Address
Voice Protocol: Displays which voice protocol is being used for the selected call. Voice protocols include:
• SIP
• TPSEC
• Spectralink
• H.323
Media Protocol: The Media Transport Protocol used in the call (mostly RTP).
MOS-CQ: Displays the average call quality using the Mean Opinion Score (MOS) call quality scale. The MOS scale rates call quality on a scale of 1-5 with higher scores being better. If the MOS score is lower than 3.5 it is likely that users will not be satisfied with the voice quality of calls.
Lost Packets: Displays the total number of voice packets lost for each MU.
Average Jitter: Displays the average jitter time for calls on the displayed MUs.
2. Click the Configuration tab.
3. Refer to the table for the following information:
Switch: The Switch field displays the IP address of the cluster member associated with each Access Port radio. When clustering is enabled on the switch and Cluster GUI is enabled, the Switch field will be available on the Access Port radio configuration screen. For information on configuring and enabling Cluster GUI, see Managing Clustering Using the Web UI.
State: Displays the radio’s current operational mode. If the radio is set as a Detector AP, the state is "Detector", otherwise the state is "Normal".
VLAN: Displays the name of the VLAN currently used with each Access Port radio.
4. Refer to the Properties field for the following:
Desired Channel: When the radio’s channel is configured statically, the Actual Channel and Desired Channel are the same. If using ACS (Automatic Channel Selection), the switch selects a channel for the radio.
11. When using clustering and the Cluster GUI feature is enabled, a pull-down menu will be available to select which cluster members’ Access Port radios are displayed. To view Access Port radios from all cluster members, select All from the pull-down menu. To view Access Port radios from a specific cluster member, select that member’s IP address from the pull-down menu.
12.
5. To use the AP as a Client Bridge, check the Client Bridge checkbox and configure the following information:
Mesh Network Name: When Client Bridge is enabled, enter the name of the Mesh Network that the selected radio will be a Client Bridge on.
Max Client Bridge Mesh Associations: When Client Bridge is enabled, specify the maximum number of base bridges per client bridge in an AP Mesh Network.
5. To enable the automatic adoption of non-configured radios on the network, select the Adopt unconfigured radios automatically option. Enable this option to allow adoption even when the Access Port is not configured. Default radio settings are applied to Access Ports adopted automatically.
6.
7. Check the Use Default Values option checkbox to set the Username and Password to factory default values. The Access Port can get disconnected if the 802.1x authenticator is not configured accordingly.
NOTE: 802.1x username and password information is only passed to adopted Access Ports when the Username and Password are set. Any AP adopted after this does not automatically receive a username and password.
4. Click the Edit button to display a screen containing settings for the selected radio.
5. The Switch field displays the IP address of the cluster member associated with each Access Port radio. When clustering is enabled on the switch and Cluster GUI is enabled, the Switch field will be available on the Access Port Radio edit screen. For information on configuring and enabling Cluster GUI, see Managing Clustering Using the Web UI.
6. In the Radio Descr.
11. The following read-only information is displayed:
MAC Address: The Base Radio MAC is the radio's first MAC address when it is adopted by the Switch.
Radio Type: Radio type identifies whether the radio is an 802.11b, 802.11bg, 802.11bgn, 802.11a or 802.11an radio.
Config Method: The Config Method displays whether the radio has been configured using static or dynamic settings.
12. To add the radio to a Radio Group, enter the Group Id for the radio group you wish to add it to.
15. Antenna Gain relates the intensity of an antenna in a given direction to the intensity that would be produced by a hypothetical antenna that radiates equally in all directions and has no losses.
16. Radio-Mode displays the radio operating mode.
NOTE: This field is available only with AP 7131, AP 7181, and AP 650.
17. To configure optional rate settings, click the Rate Settings button to display a new dialogue containing rate setting information.
RTS Threshold: Specify a Request To Send (RTS) threshold (in bytes) for use by the WLAN's adopted Access Ports. RTS is a transmitting station's signal that requests a Clear To Send (CTS) response from a receiving station. This RTS/CTS procedure clears the air where many MUs are contending for transmission time. Benefits include fewer data collisions and better communication with nodes that are hard to find (or hidden) because of other active nodes in the transmission path.
DTIM Periods: Select the DTIM periods button to specify a period for Delivery Traffic Indication Messages (DTIM) for BSS IDs 1-4. This is a divisor of the beacon interval (in milliseconds), for example, 10:100. (See "Beacon Interval" above). A DTIM is periodically included in the beacon frame transmitted from adopted Access Ports. The DTIM period determines how often the beacon contains a DTIM, for example, 1 DTIM for every 10 beacons.
23. Click OK to use the changes to the running configuration and close the dialog.
24. Click Cancel to close the dialog without committing updates to the running configuration.
Configuring Rate Settings
Use the Rate Settings screen to define a set of basic and supported rates as well as the MCS data rates (only for AP 7131, AP 7181, and AP 650) for the target radio.
To configure Rate Settings for a radio:
1.
NOTE: For AP 7131, AP 7181, and AP 650 the Rate Settings screen contains MCS data rates in addition to the basic rates. You can select the Enable Short Guard Interval option in the 11n Modulation Coding Schemes (MCS) section to increase the data rates. Checking the Enable Basic MCS0-7 option will allow only 11n capable clients to get connected to this radio.
5. Refer to the Status field for the current state of the requests made from the applet.
3. Click the Add button to display a screen containing settings for adding a radio.
4. Enter the device MAC Address (the physical MAC address of the radio). Ensure that this address is the actual hard-coded MAC address of the device.
5. Use the AP Type drop-down menu to define the radio type you would like to add. If adding an AP-4131, AP-5131, or AP-7131 model Access Point, the Access Port conversion will render the Access Point a “thin” Access Port.
6.
2. Click the Statistics tab.
3. To select the time frame for the radio statistics, select either Last 30s or Last Hr above the statistics table.
• Select the Last 30s radio button to display statistics for the last 30 seconds for the radio.
• Select the Last Hr radio button to display statistics from the last hour for the radio.
4. Refer to the table for the following information:
Index: Displays the numerical index (device identifier) used with the radio.
% Non-UNI: Displays the percentage of packets for the selected radio that are non-unicast packets. Non-unicast packets include broadcast and multicast packets.
Retries: Displays the average number of retries for all MUs associated with the selected radio.
5. Select a radio from those displayed and click the Details button for additional radio information. For more information, see Viewing AP Statistics in Detail on page 4-107.
6.
5. Refer to the Traffic field for the following information:
Pkts per second: Displays the average total packets per second that cross the selected radio. The Rx column displays the average total packets per second received on the selected radio. The Tx column displays the average total packets per second sent on the selected radio.
10. Click Cancel to close the dialog without committing updates to the running configuration.
4.7.2.2 Viewing AP Statistics in Graphical Format
The Access Port Radios Statistics tab has an option for displaying detailed Access Port radio statistics in a graph. This information can be used to chart associated switch radio performance and help diagnose radio performance issues.
To view the MU Statistics in a graphical format:
1.
3. Select a radio from the table to view WLAN assignment information. The WLAN Assignment tab is divided into two fields: Select Radios and Assigned WLANs.
4. Refer to the Select Radios field for the following information:
Index: Displays the numerical index (device identifier) used with the radio. Use this index (along with the radio description) to differentiate the radio from other radios with similar configurations.
3. Select a radio from the table and click the Edit button. The Select Radio/BSS field displays the WLANs associated to each of the BSSIDs used by the radios within the radio table. Use the Select/Change Assigned WLANs field to edit the WLAN assignment.
4. Select any of the WLANs from the table to unassign/disable it from the list of available WLANs.
5. Refer to the Status field for the current state of the requests made from the applet.
2. Click the WMM tab. WMM information displays per radio with the following information:
Index: Displays the identifier assigned to each Radio index. Each index is assigned a unique identifier such as (1/4, 1/3, etc.).
AP: Displays the name of the Access Port associated with the index. The Access Port name comes from the description field in the Radio Configuration screen.
Access Category: Displays the Access Category currently in use.
4.7.4.1 Editing WMM Settings
Use the Edit screen to modify a WMM profile's properties (AIFSN, Tx Op, Cw Min, and CW Max). Modifying these properties may be necessary as Access Categories are changed and transmit intervals need to be adjusted to compensate for larger data packets and contention windows. Use Configuring WMM on page 4-111 to configure downstream traffic parameters. WLAN WMM configuration affects your upstream traffic parameters.
To edit existing WMM Settings:
1.
9. Click OK to use the changes to the running configuration and close the dialog.
10. Click Cancel to close the dialog without committing updates to the running configuration.
4.7.5 Configuring Access Point Radio Bandwidth
Refer to the Bandwidth tab to view the QoS weight associated with each radio when added to a WLAN. The weight represents the switch priority assigned to the traffic transmitted from the radio for the WLAN.
To configure a group of radios together:
1. Select Network > Access Port Radios from the main menu tree.
2. Go to the Configuration tab.
3. Select a radio you wish to add to a group and click the Edit button.
4. Enter the Group ID for the group you wish to add the selected radio to.
5. Click OK to save the changes.
6. Repeat steps 3 through 5 for each radio you wish to add to groups.
7.
2. Click the Group tab. Group information displays per radio with the following data:
Group Id: Displays the Group Id associated with each adopted radio.
Radio Configured Index: The Index is the numerical index (device identifier) used with the device radio. Use this index (along with the radio name) to differentiate the radio from other device radios.
4.7.7 Viewing Active Calls (AC) Statistics
To view Active Calls statistics:
1.
2. Click the VCAC Statistics tab.
3. The following statistics are displayed:
Index: Displays the numerical identifier assigned to each Access Port.
Description: Displays the names assigned to each of the APs. The AP name can be configured on the Access Port Radios Configuration page.
Total Voice Calls: Displays the total number of voice calls attempted for each Access Port.
Roamed Calls: Displays the total number of voice calls that were roamed from each Access Port.
2. Click the Mesh Statistics tab.
3. The following statistics are displayed:
Mesh Index: Displays the numerical identifier assigned to each mesh member AP.
MAC Address: Displays the Media Access Control (MAC) address for each Access Port.
Connection Type: Displays the connection type for each Access Port.
Radio Index: The Radio Index is a numerical value assigned to the radio as a unique identifier. For example: 1, 2, or 3.
% Non-UNI: % Non-Uni is the percentage of the total packets for the selected radio that are non-unicast packets. Non-unicast packets include broadcast and multicast packets.
Retries: Displays the total number of retries for each Access Port.
4.7.9 Smart RF
When invoked by an administrator, Smart RF (or self-monitoring at run time) instructs radios to change to a specific channel and begin beaconing using their maximum available transmit power.
• Extensible to future smart-tuning. For example, distinguish between AP to AP interference and static interference.
4.7.9.3 Viewing Smart RF Information
To view Smart RF information:
1. Select Network > Access Port Radios from the main menu tree.
2. Click the Smart RF tab.
3. The following Smart RF details are displayed:
MAC Address: Displays the Media Access Control (MAC) Address of each of the APs in the table.
Is Detector: Displays whether or not an Access Port is a detector. Detector status is determined through Smart RF based on coverage and location of other APs in the network.
Lock Detector: Displays whether or not each Access Port is locked in detector status.
Lock Channel: Displays whether or not each Access Port is locked to a specific channel.
Lock Power: Displays whether or not each Access Port is locked to a specific power level.
Radio Type: Displays the radio type of the corresponding APs. Available types are:
• 802.11a
• 802.11an
• 802.11b
• 802.11bg
• 802.11bgn
AP Location: Displays the current location for the selected AP. The location can be configured on the Access Port Radios Configuration page.
6.
3. Select a radio from the table and click the Edit button. The radio settings are divided into the following three sections:
• Properties
• Radio Rescuer Settings
• Advanced Properties
4. The Properties section displays the following information:
Description: Displays a description of the Radio. Modify the description as required to name the radio by its intended coverage area or function.
MAC Address: Displays the Media Access Control (MAC) Address of the selected AP.
Radio Type: Displays the radio type of the corresponding APs. Available types are:
• 802.11a
• 802.11an
• 802.11b
• 802.11bg
• 802.11bgn
AP Location: Displays the current location for the selected AP. The location can be configured on the Access Port Radios Configuration page.
5.
1. Select Network > Access Port Radios from the main menu tree.
2. Click the Smart RF tab.
3. Click the Smart RF History button.
4. The Smart RF History window displays the Index number and Assignment History of Smart RF activity.
4.7.9.6 Configuring Smart RF Settings
To configure Smart RF settings:
1. Select Network > Access Port Radios from the main menu tree.
2. Click the Smart RF tab.
3. Click the Smart RF Settings button.
4. Click the Check All Boxes option in the Smart RF Global Settings dialogue to check every box in the configuration window. To uncheck all boxes, click this box a second time.
5. Check the Enable Smart RF Module box to enable Smart RF functions on the switch.
Remove: To remove a channel from the configured list, select one or more channels from the Available box and click the Remove button.
Number of Rescuers: Assign a number of radios to dedicate as rescuers. The valid range is between 1 and 5. Default value is 3.
Retry Threshold (avg attempts/pkt): Specify the retry threshold, which is the average number of retries per packet to cause a radio to re-run channel selection. The valid range is between 0.0 and 15.0.
11. Click the Calibration Status button to open a dialogue with the following calibration status information:
Last Calibration Start Time: Displays the date and time that the last Smart RF calibration began.
Last Calibration End Time: Displays the date and time that the last Smart RF calibration ended.
Next Calibration Start Time: Displays the date and time scheduled for the next Smart RF calibration.
2. Click the Voice Statistics tab.
3. The following statistics are displayed:
Index: Displays the numerical identifier assigned to each Access Port.
Description: Displays the names assigned to each of the APs. The AP name can be configured on the Access Port Radios Configuration page.
Type: Displays the radio type of the corresponding APs. Available types are:
• 802.11a
• 802.11an
• 802.11b
• 802.11bg
• 802.
4. Selecting a radio from the table will display the following details of individual calls:
Index: Displays the numerical identifier assigned to each MU.
Protocol: Displays which voice protocol is being used for the selected call. Voice protocols include:
• SIP
• TPSEC
• Spectralink
• H.323
Successful Calls: Displays the number of successful calls for the displayed MUs.
Avg Call Quality: Displays the average call quality using the R Factor scale.
1. Select Network > Access Port Adoption Defaults from the main menu tree.
2. Click the Configuration tab.
3. Refer to the following information as displayed within the Configuration tab:
Type: Displays whether the radio is an 802.11b, 802.11bg and 802.11bgn or 802.11a and 802.11an radio.
Placement: Displays the default placement when a radio auto-adopts and takes on the default settings. Options include Indoor or Outdoor. Default is Indoor.
CAUTION: An Access Port is required to have a DHCP provided IP address before attempting layer 3 adoption, otherwise it will not work. Additionally, the Access Port must be able to find the IP addresses of the switches on the network. To locate switch IP addresses on the network:
• Configure DHCP option 189 to specify each switch IP address.
• Configure a DNS Server to resolve an existing name into the IP of the switch.
4. Click the Edit button to display a screen to change the radio adoption default values for the currently selected radio type (802.11b, 802.11bg and 802.11bgn or 802.11a and 802.11an).
The Properties field displays the Model family for the selected Access Port. The Model is read only and cannot be modified. The Radio Type displays the radio type (802.11b, 802.11bg and 802.11bgn or 802.11a and 802.11an). This value is read only and cannot be modified.
5.
11. After first selecting a channel, select a power level in dBm for RF signal strength in the Desired Power (dBm) field. The optimal power level for the specified channel is best determined by a site survey prior to installation. Available settings are determined according to the selected channel.
RTS Threshold: Specify a Request To Send (RTS) threshold (in bytes) for use by the WLAN's adopted Access Ports. RTS is a transmitting station's signal that requests a Clear To Send (CTS) response from a receiving station. This RTS/CTS procedure clears the air where many MUs (or nodes) are contending for transmission time. Benefits include fewer data collisions and better communication with nodes that are hard to find (or hidden) because of other active nodes in the transmission path.
DTIM Period: Specify a period for the Delivery Traffic Indication Message (DTIM). This is a divisor of the beacon interval (in milliseconds), for example, 10:100. (See "Beacon Interval" above). A DTIM is periodically included in the beacon frame transmitted from adopted Access Ports. The DTIM period determines how often the beacon contains a DTIM, for example, 1 DTIM for every 10 beacons.
Supported Rates allow an 802.11 network to specify the data rate it supports. When a station attempts to join the network, it checks the data rate used on the network. If a rate is selected as a basic rate, it is automatically selected as a supported rate.
4. Click the Clear all rates button to uncheck all of the Basic and Supported rates.
5. Refer to the Status field for the current state of the requests made from the applet.
4.8.2 Configuring Layer 3 Access Port Adoption
The configuration activity required for adopting Access Ports in a layer 3 environment is unique. In a layer 3 environment, switch discovery is attempted in the following ways:
• On the local VLAN
• Through the DHCP Server
Initially, the Access Port attempts to find its wireless switch by broadcasting a Hello packet on its local VLAN. During this activity:
1.
2. Click the WLAN Assignment tab. The Assigned WLANs tab displays two fields: Select Radios/BSS and Select/Change Assigned WLANs.
3. With the Select Radios/BSS field, select the radio type to configure (802.11b, 802.11bg and 802.11bgn or 802.11a and 802.11an) from the Select Radio drop-down menu.
4. Select the desired BSS from the BSS list or select a Radio (802.11b, 802.11bg and 802.11bgn or 802.11a and 802.11an) to modify.
5.
6. Click Apply to save the changes made within the screen.
7. Click Revert to cancel the changes made and revert back to the last saved configuration.
4.8.4 Configuring WMM
Use the WMM tab to review each radio type, as well as the Access Category that defines the data (Video, Voice, Best Effort, and Background) the radio has been configured to process. Additionally, the WMM tab displays the transmit intervals defined for the target access category.
ECW Min: The ECW Min is combined with the ECW Max to define the Contention Window. From this range, a random number is selected for the back off mechanism. Lower values are used for higher priority traffic.
ECW Max: The ECW Max is combined with the ECW Min to make the Contention Window. From this range, a random number is selected for the back off mechanism. Lower values are used for higher priority traffic.
4.
6. Enter a value between 0 and 15 for the Contention Window minimum value. The CW Minimum is combined with the CW Maximum to make the Contention Window. From this range, a random number is selected for the back off mechanism. Lower values are used for higher priority traffic.
7. Enter a value between 0 and 15 for the Contention Window maximum value. The CW Maximum is combined with the CW Minimum to make the Contention Window.
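The effect of the AIFSN and contention window settings described above can be seen in a small model. This is an added example, not code from the guide or the switch; it assumes the 0 to 15 values are exponents (window = 2^value - 1 slots, as the ECW naming suggests), uses a simplified contention round, and the profile values are constructed samples.

```python
import random

# Constructed sample profiles (commonly cited 802.11e EDCA defaults,
# not values taken from this guide).
PROFILES = {
    "voice":       {"aifsn": 2, "ecw_min": 2, "ecw_max": 3},
    "video":       {"aifsn": 2, "ecw_min": 3, "ecw_max": 4},
    "best_effort": {"aifsn": 3, "ecw_min": 4, "ecw_max": 10},
    "background":  {"aifsn": 7, "ecw_min": 4, "ecw_max": 10},
}


def cw_bounds(ecw_min, ecw_max):
    """Turn the 0-15 exponents into (CWmin, CWmax) window sizes in slots."""
    for value in (ecw_min, ecw_max):
        if not 0 <= value <= 15:
            raise ValueError("contention window exponent must be between 0 and 15")
    if ecw_min > ecw_max:
        raise ValueError("minimum exponent cannot exceed the maximum")
    return (2 ** ecw_min - 1, 2 ** ecw_max - 1)


def simulate(profiles, rounds=20000, seed=1):
    """Simplified model: every category always has a frame queued and draws
    a fresh backoff each round; the shortest AIFSN + backoff transmits."""
    rng = random.Random(seed)
    bounds = {n: cw_bounds(p["ecw_min"], p["ecw_max"]) for n, p in profiles.items()}
    window = {n: bounds[n][0] for n in profiles}   # every category starts at CWmin
    wins = {n: 0 for n in profiles}
    collisions = 0
    for _ in range(rounds):
        wait = {n: p["aifsn"] + rng.randint(0, window[n]) for n, p in profiles.items()}
        shortest = min(wait.values())
        first = [n for n, slots in wait.items() if slots == shortest]
        if len(first) == 1:
            wins[first[0]] += 1
            window[first[0]] = bounds[first[0]][0]   # success: back to CWmin
        else:
            collisions += 1
            for n in first:                          # collision: double, capped at CWmax
                window[n] = min(2 * window[n] + 1, bounds[n][1])
    return wins, collisions


if __name__ == "__main__":
    wins, collisions = simulate(PROFILES)
    for name, count in wins.items():
        print(f"{name:12s} CW={cw_bounds(PROFILES[name]['ecw_min'], PROFILES[name]['ecw_max'])} wins={count}")
    print("collisions:", collisions)
```

Raising the minimum or maximum value for a category widens the range its random backoff is drawn from, which is why the lower-valued categories win the medium more often.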
3. Refer to the Adopted AP screen for the following information:
Switch: The Switch field displays the IP address of the cluster member associated with each AP. When clustering is enabled on the switch and Cluster GUI is enabled, the Switch field will be available on the AP configuration screen. For information on enabling Cluster GUI, see Managing Clustering Using the Web UI.
MAC Address: Displays the radio's first MAC address when it is adopted by the switch.
6. Click the Convert to Sensor button to convert the selected adopted AP300 to a sensor that can be used with the Wireless Intrusion Detection System (WIDS) application.
NOTE: Both Access Ports and standalone Access Points can be converted to sensors. When converting an AP300 Access Port to a sensor, both the 802.11a and 802.11bg radios are converted to sensors.
The Unadopted AP tab displays the following information:
Index: Displays a numerical identifier used to associate a particular Access Port with a set of statistics and can help differentiate the Access Port from other Access Ports with similar attributes.
MAC Address: Displays the unique Hardware or Media Access Control (MAC) address for the Access Port. Access ports with dual radios will have a unique MAC address for each radio.
3. Click the Export button to export the contents of the table to a Comma Separated Values file (CSV).
CAUTION: An Access Port is required to have a DHCP provided IP address before attempting layer 3 adoption, otherwise it will not work. Additionally, the Access Port must be able to find the IP addresses of the switches on the network. To locate switch IP addresses on the network:
• Configure DHCP option 189 to specify each switch IP address.
Syslog Mode: For the selected AAP, this option enables or disables logging to an external Syslog server.
LLDP Settings: Enables the Link Layer Discovery Protocol (LLDP), which is a protocol that enables devices to advertise their capabilities and media-specific configuration information.
4. To change the settings for a selected Access Port, select an Access Port from the table and click the Edit button.
5.
Native VLAN ID: Assign a unique VLAN ID (from 1 to 4094) to each VLAN modified. The VLAN ID associates a frame with a specific VLAN and provides the information the access point needs to process the frame across the network. Therefore, it may be practical to assign a name to a VLAN representative or the area or type of network traffic it represents.
2. Click the Configuration tab.
3. Click the Syslog Config button.
4. Check the Enable Logging to Syslog Server option to enable logging to an external Syslog server. Select the logging level from the drop-down menu.
5. Enter the IP address of the external Syslog server in the Syslog Server IP Addr field.
6. Click the OK button.
4.9.3.
2. Click the Sensor tab.
3. Specify the global default VLAN ID and the Ping Interval for all sensors and click the Apply button.
4. In the Default Configuration section, give the default configuration values of the WIPS server. Unselect the Use DHCP to obtain IP Address automatically option if you want to assign the IP address of the VLAN manually and do not want DHCP to provide it. Selecting this option disables the IP address field and the Subnet Mask field.
4.9.5 Configuring Secure WiSPe
To configure Secure WiSPe:
1. Select Network > Access Port from the main menu tree.
2. Click the Secure WiSPe tab.
3. Enter a Default Pre-Shared Secret used for Secure WiSPe authentication. The shared secret must be between 8 and 64 characters.
4. The Secure WiSPe Table displays the following information on each configured AP:
Switch: The Switch field displays the IP address of the cluster member associated with each AP.
6. To enable Secure Mode, click the Enable Secure Mode button to enable secure-mode for a set of APs. The AP’s MAC Address and mode will be saved in the running configuration. If secure-mode is set to enable, WiSPe transactions for this AP will be secured.
7. To disable Secure Mode, click the Disable Secure Mode button to disable secure-mode for a set of APs. The AP’s MAC Address and mode will be saved in the running configuration.
1. Enable or disable Adaptive AP Automatic Update (AAP Automatic Update).
AAP Automatic Update: Check this box to enable automatic update of Access Port or Adaptive AP firmware when an Access Port or Adaptive AP associates with the switch. The AP image files used for automatic update are specified in the AP Image Upload Table below.
Firmware Update Mode: Select FTP or SFTP for specifying the firmware update mode.
5. Specify the AP Image File. You can browse the switch file systems using the browser icon. AP images must be on the flash, system, nvram, or usb file systems in order for them to be selected.
6. Click the OK button to save the changes and return to the AP Firmware tab.
4.9.6.1 Editing an Existing AP Firmware Image
To modify the AP Firmware Image settings:
1. Select Network Setup > Access Port from the main menu tree.
2. Click the AP Firmware tab.
3.
3. Select an AP image from the AP Image Upload Table and click the Update AAP Image button.
AP Type identifies the Access Port model. MAC Address is the MAC address of the AP selected. Fw Version gives you the current firmware version on the Access Port. Use this information to assess whether the software requires an upgrade for better compatibility with the Switch.
4.9.6.
server where all the AP images reside. User ID is the ID to log in to the SFTP server. Password is the SFTP password used while logging in. Path gives you the path of the AP image residing in the server.
4.10 Multiple Spanning Tree
Multiple Spanning Tree Protocol (MSTP) provides a VLAN-aware protocol and algorithm to create and maintain a loop-free network. It allows the configuration of multiple spanning tree instances.
• Viewing and Configuring Bridge Instance Details
• Configuring a Port
• Viewing and Configuring Port Instance Details
4.10.1 Configuring a Bridge
Use the Bridge tab to configure the Bridge. This window displays bridge configuration details for the switch.
To configure the MSTP bridge:
1. Select Network > Multiple Spanning Tree from the main menu tree.
2. Select the Bridge tab (should be the displayed tab by default).
3.
MST Config. Name: Enter a name for the MST region. This is used when configuring multiple regions within the network. Each switch running MSTP is configured with a unique MST region name. This helps when keeping track of MSTP configuration changes. Increment this number with each configuration change. The revision-level specifies the revision-level of the current configuration.
Bridge Hello Time: Displays the configured Hello Time. If this is the root bridge, the value is equal to the configured Hello Time.
CIST Bridge Forward Delay: Enter the CIST bridge forward delay value received from the root bridge. If this is the root bridge, the value will be equal to the Configured Forward Delay. The forward delay value is the maximum time (in seconds) the root device waits before changing states (from a listening state to a learning state to a forwarding state).
2. Select the Bridge Instance tab. The Bridge Instance tab displays the following:
ID: Displays the ID of the MSTP instance.
Bridge Priority: Displays the bridge priority for the associated instance. The Bridge Priority is assigned to an individual bridge based on whether it is selected as the root bridge. The lower the priority, the greater the likelihood of the bridge becoming the root for this instance.
3. Click the Add button.
4. Enter a value between 1 and 15 as the Instance ID.
5. Click OK to save and commit the changes.
6. The Bridge Instance tab will now display the new instance ID.
7. Click Cancel to disregard the new Bridge Instance ID.
4.10.2.2 Associating VLANs to a Bridge Instance
1. Select Network > Multiple Spanning Tree from the main menu tree.
2. Select the Bridge Instance tab.
3. Select an ID from the table within the Bridge Instance tab and click the Add VLANs button.
2. Select the Port tab. The Port tab displays the following information (ensure you scroll to the right to view the numerous port variables described):
Index: Displays the port index.
Admin MAC Enable: Displays the status of the Admin MAC. Change the status using the Edit button. A green check mark indicates the Admin MAC Enable status is active/enabled.
Oper MAC Enable: This field displays the status of the Oper MAC Enable.
AdminPort PortFast Bpdu Guard: Displays whether BPDU Guard is currently enabled for this port. When set for a bridge, all PortFast-enabled ports having the bpdu-guard set to default shut down the port on receiving the BPDU. When this occurs, the BPDU is not processed.
OperPort PortFast Bpdu Guard: Displays whether BPDU Guard is currently enabled for this port.
Oper Edge Port: Displays whether the port is currently an edge port.
Admin Point-to-Point: Displays the point-to-point status as ForceTrue or ForceFalse. ForceTrue indicates this port should be treated as connected to a point-to-point link. ForceFalse indicates this port should be treated as having a shared connection.
Port Path Cost: Port Path Cost displays the path cost for the specified port index. The default path cost depends on the speed of the interface.
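The BPDU Guard behaviour in the port table above, together with the rule that the lowest bridge priority wins the root election, can be modelled as follows. This is an added example, not the switch's implementation: the class names, the "enable"/"disable" per-port overrides, the tie-break on MAC address and all addresses are assumptions or constructed sample values.

```python
from dataclasses import dataclass, field


@dataclass
class Port:
    index: int
    portfast: bool = False
    # "default" inherits the bridge-wide setting, as the guide describes;
    # "enable" and "disable" are assumed per-port overrides.
    bpdu_guard: str = "default"
    state: str = "forwarding"


@dataclass
class Bridge:
    priority: int
    mac: str
    bpdu_guard: bool = False                  # bridge-wide PortFast BPDU Guard
    ports: dict = field(default_factory=dict)
    events: list = field(default_factory=list)
    root_id: tuple = field(init=False, default=None)

    def __post_init__(self):
        self.root_id = self.bridge_id()       # a bridge starts out believing it is root

    def bridge_id(self):
        # Lower tuple wins: priority first, MAC address as the tie-break.
        return (self.priority, self.mac.lower())

    def guard_active(self, port):
        if not port.portfast:
            return False                      # the guard only applies to PortFast ports
        if port.bpdu_guard == "default":
            return self.bpdu_guard
        return port.bpdu_guard == "enable"

    def receive_bpdu(self, port_index, root_priority, root_mac):
        port = self.ports[port_index]
        if port.state == "shutdown":
            return "dropped"
        if self.guard_active(port):
            port.state = "shutdown"           # shut the port; the BPDU is not processed
            self.events.append(f"port {port_index}: BPDU on guarded PortFast port, shut down")
            return "port-shutdown"
        claimed = (root_priority, root_mac.lower())
        if claimed < self.root_id:
            self.root_id = claimed            # a superior BPDU moves the root
            self.events.append(f"port {port_index}: root changed to {claimed}")
            return "root-changed"
        return "ignored"


def demo(bridge_guard, port_guard="default"):
    """Constructed scenario: port 1 is an uplink, port 2 a PortFast edge port
    that unexpectedly receives a BPDU advertising priority 0."""
    bridge = Bridge(priority=32768, mac="00:15:70:00:00:10", bpdu_guard=bridge_guard)
    bridge.ports = {
        1: Port(index=1),
        2: Port(index=2, portfast=True, bpdu_guard=port_guard),
    }
    result = bridge.receive_bpdu(2, 0, "00:00:00:00:00:01")
    return result, bridge.ports[2].state, bridge.root_id


if __name__ == "__main__":
    print("guard on :", demo(True))
    print("guard off:", demo(False))
```

With the guard off, a single low-priority BPDU arriving on an edge port changes the root for the instance, which is the topology change the guard exists to prevent.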
2. Select the Port Instance tab. The Port Instance table displays the following:
ID: Displays the instance ID.
Index: Displays the port index.
State: Displays the MSTP state for the port for that instance.
Role: Displays the MSTP state of the port.
Internal Root Cost: Displays the Internal Root Cost of a path associated with an interface. The lower the path cost, the greater likelihood of the interface becoming the root.
4.10.4.1 Editing a Port Instance Configuration
To edit and reconfigure Port Instance parameters:
1. Select a row from the port table and click the Edit button. Most of the MSTP Port Instance parameters can be reconfigured, as indicated below.
Port Instance ID: Read-only indicator of the instance ID used as a basis for other modifications.
Port Index: Read-only indicator of the port index used as a basis for other modifications.
2. Select the IGMP Snoop Config tab. The IGMP Snoop Config tab displays the following information:
Snoop Enable: Select to enable IGMP Snooping on the switch. If disabled, snooping on a per VLAN basis is also disabled.
Unknown Multicast Forward: Select to enable the switch to forward Multicast packets from unregistered Multicast Groups. If disabled, Unknown Multicast Forward on a per VLAN basis is also disabled.
To view and configure IGMP Snoop Querier Configuration details:
1. Select Network > IGMP Snooping from the main menu tree.
2. Select the IGMP Snoop Querier Config tab. The IGMP Snoop Querier Config tab displays the following information:
Max Response Time: Specifies the maximum allowed time before sending a responding report. When no reports are received from a portal, that portal information is removed from the Snooping Table.
Max Response Time: The maximum time allowed in seconds before sending a responding report for a host.
Operational State: The current operational state of IGMP Querier for this VLAN. Displays 'querier' if IGMP Snoop Querier is enabled on this VLAN. Displays 'disabled' otherwise.
IP Address: The IP address to be inserted in IGMP Query packets generated by the IGMP Querier for this VLAN.
4.
2. Select the Configuration tab. The Configuration tab displays the following information:
Vlan Index: Enter a Vlan index between 1 and 4094.
Enable: Click the Enable button to enable a hotspot.
Vlan Index: The Vlan index on which the hotspot is enabled.
Primary RADIUS Server IP/Port: This is the IP address of the Primary RADIUS server and the port on which the Primary RADIUS server is listening.
1. Select Network > Wired Hotspot from the main menu tree. Select an existing hotspot entry from those displayed within the Configuration tab and click the Edit button. The following screen is displayed.
2. Click the Login tab and enter the title, header, footer, Small Logo URL, Main Logo URL, and Descriptive Text you would like to display when users log in to the switch-maintained hotspot.
Main Logo URL: Displays the URL for the main logo image displayed on the Login page when using the switch’s internal Web server. This option is only available if Internal is chosen from the drop-down menu above.
Descriptive Text: Specify any additional text containing instructions or information for the users who access the Login page. This option is only available if Internal is chosen from the drop-down menu above. The default text is: “Please enter your username and password.”
3.
Small Logo URL: The Small Logo URL is the URL for a small logo image displayed on the Failed page when using the internal Web server. This option is only available if Internal is chosen from the drop-down menu above.
Main Logo URL: The Main Logo URL is the URL for the main logo image displayed on the Failed page when using the internal Web server. This option is only available if Internal is chosen from the drop-down menu above.
2. Select an existing hotspot entry from those displayed within the Configuration tab and click the Edit button. Ensure External is selected from within the This VLAN’s Web Pages are of the drop-down menu.
3. Refer to the External Web Pages field and provide the Login, Welcome, and Failed Page URLs used by the external Web server to support the hotspot.
Login Page URL: Define the complete URL for the location of the Login page.
NOTE: When using hotspot features in a cluster environment, additional steps must be taken when specifying the external URLs. In order for the browser to return the login information correctly, the IP address and port must be specified as part of the URL in the following format:
http://external_url.html?ip_address=a.b.c.d&port=x
4.
3. Click the Edit button. Ensure that Advanced is selected from the This WLAN’s Web Pages are of the drop-down menu.
NOTE: Advanced hotspot configuration is not permissible using the switch Web UI. Refer to the switch CLI or other advanced configuration options to define a hotspot with advanced properties. However, the switch can still install and maintain directories containing Web page content.
4.
h. Once the location and settings for the advanced hotspot configuration have been defined, click the Install button to use the hotspot configuration with the switch.
5. Refer to the Allow List field, and enter any IP address (for internal or external Web sites) that may be accessed by the Hotspot user without authentication.
6.
4.12.1.4 Configuring a RADIUS Server
1. Select Network > Wired Hotspot > Edit > Radius Configuration. The Radius Configuration screen opens up. The Radius Configuration screen contains tabs for defining the Radius server settings.
2. Refer to the Radius field and define the following credentials for a primary and secondary Radius server.
RADIUS Server Address: Enter the IP address of the primary and secondary servers acting as the Radius user authentication data source.
Server Retries: Enter a value between 1 and 100 seconds to indicate the number of times the switch attempts to reach the primary or secondary Radius server before giving up.
Dynamic Authorization: Check this option to enable RADIUS Dynamic Authorization. RADIUS Dynamic Authorization enables the RADIUS administrator to send the disconnect and change of authorization packets to the switch (NAS) for wired hosts.
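Because the disconnect and change of authorization packets arrive at the NAS unsolicited, the receiver has to authenticate them with the shared secret before acting. The sketch below is an added example, not the switch's code: it follows the RFC 5176 packet layout, and the secret, user name and station ID are constructed sample values.

```python
import hashlib
import hmac
import struct

# RFC 5176 request codes accepted on the dynamic authorization port.
REQUEST_NAMES = {40: "Disconnect-Request", 43: "CoA-Request"}
HEADER_LEN = 20  # code (1) + identifier (1) + length (2) + authenticator (16)


def build_request(code, identifier, attributes, secret):
    """Build a sample request the way a RADIUS server would (for the demo only)."""
    body = b"".join(bytes([atype, len(value) + 2]) + value for atype, value in attributes)
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(body))
    # Request Authenticator = MD5(code + id + length + 16 zero octets + attrs + secret)
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def parse_attributes(data):
    """Split the attribute area into (type, value) pairs, rejecting bad lengths."""
    attributes, offset = [], 0
    while offset < len(data):
        if len(data) - offset < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[offset], data[offset + 1]
        if alen < 2 or offset + alen > len(data):
            raise ValueError("attribute length out of bounds")
        attributes.append((atype, data[offset + 2:offset + alen]))
        offset += alen
    return attributes


def validate_dynauth(packet, secret):
    """NAS-side check: return (name, identifier, attributes) or raise ValueError."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code not in REQUEST_NAMES:
        raise ValueError("not a Disconnect-Request or CoA-Request")
    if length < HEADER_LEN or length > len(packet) or length > 4096:
        raise ValueError("invalid length field")
    packet = packet[:length]                      # ignore padding past Length
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[HEADER_LEN:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:HEADER_LEN]):
        raise ValueError("Request Authenticator mismatch")
    return REQUEST_NAMES[code], identifier, parse_attributes(packet[HEADER_LEN:])


# Constructed sample input: User-Name (type 1) and Calling-Station-Id (type 31).
SAMPLE_SECRET = b"constructed-shared-secret"
SAMPLE_ATTRS = [(1, b"guest01"), (31, b"00-15-70-AA-BB-CC")]
SAMPLE_PACKET = build_request(40, 7, SAMPLE_ATTRS, SAMPLE_SECRET)

if __name__ == "__main__":
    print(validate_dynauth(SAMPLE_PACKET, SAMPLE_SECRET))
    try:
        validate_dynauth(SAMPLE_PACKET, b"wrong-secret")
    except ValueError as err:
        print("rejected:", err)
```

A request that fails this check should be dropped silently rather than answered, so the shared secret configured for the RADIUS server is the only thing standing between an arbitrary sender and a forced disconnect.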
Switch Services
This chapter describes the Services main menu information available for the following switch configuration activities.
5.1 Displaying the Services Interface
Refer to the Services main menu interface to review a summary describing the availability of several central features within the Services main menu item.
NOTE: When the switch’s configuration is successfully updated (using the Web UI), the affected screen is closed without informing the user their change was successful. However, if an error were to occur, the error displays within the affected screen’s Status field.
Layer 3 Mobility: Displays whether Layer 3 Mobility is currently enabled or disabled. Layer 3 mobility is a mechanism which enables a MU to maintain the same Layer 3 address while roaming throughout a multi-VLAN network. This enables the transparent routing of IP datagrams to MUs during their movement, so data sessions can be initiated while they roam (for voice applications in particular).
5.2.1 Configuring the Switch DHCP Server
The switch contains an internal Dynamic Host Configuration Protocol (DHCP) Server. DHCP can provide the dynamic assignment of IP addresses automatically. DHCP is a protocol that includes mechanisms for IP address allocation and delivery of host-specific configuration parameters from a DHCP server to a host. Some of these parameters are IP address, network mask and gateway.
5. Refer to the following as displayed within the Network Pool field.
Pool Name: Displays the name of the IP pool from which IP addresses can be issued to DHCP client requests on the current interface. The pool is the range of IP addresses available.
Network: Displays the network address for the clients.
Lease Time (dd:hh:mm): When a DHCP server allocates an address for a DHCP client, the client is assigned a lease (which expires after a designated interval defined by the administrator).
• A p-peer (peer-to-peer node) uses directed calls to communicate with a known NetBIOS name server, such as a Windows Internet Name Service (WINS) server, for the IP address of a NetBIOS machine.
• An m-mixed is a mixed node that uses broadcasted queries to find a node and queries a known p-node name server for the address.
• An h-hybrid is a combination of two or all of the nodes mentioned above.
6.
2. Click the Add button at the bottom of the screen.
3. Enter the name of the IP pool from which IP addresses can be issued to client requests on this interface.
4. Provide the Domain name as appropriate for the interface using the pool.
5. Enter the NetBios Node used with this particular pool. The NetBios Node could have one of the following types:
• A b-broadcast (broadcast node) uses broadcasting to query nodes on the network for the owner of a NetBIOS name.
7. From the Network field, use the Associated Interface drop-down menu to define the switch interface used for the newly created DHCP configuration. Use VLAN1 as a default interface if no others have been defined. Additionally, define the IP Address and Subnet Mask used for DHCP discovery and requests between the DHCP Server and DHCP clients.
3. Click the Insert button to display an editable field wherein the name and value of the DHCP option can be added.
4. Name the option as appropriate, assign a Code (numerical identifier) and use the Type drop-down options to specify a value of ip or ascii to the DHCP global option. Highlight an entry from within the Global Options screen and click the Remove button to delete the name and value.
5.
6. Select the Enable Multiple User Class checkbox if multiple user class support is needed.
7. Use the DDNS Servers field to define the IP addresses of the DNS servers.
8. Click OK to save and add the changes to the running configuration and close the dialog.
9. Refer to the Status field. The Status is the current state of the requests made from the applet. Requests are any “SET/GET” operation from the applet.
Client Name - Displays the name of the client requesting DHCP Server support over this interface. This name is read-only and cannot be modified using the host pool edit option.
Client ID - Displays the client identifier. A static IP is assigned based on this identifier. Hardware address and Client Identifier should not be configured on the same host pool. A pool name cannot have both a client ID and MAC address.
4.
3. Click the Edit button to modify the IP address range displayed. For more information, see Editing the Properties of an Existing DHCP Pool on page 5-5.
4. To delete an existing DHCP pool from the list of those available to the switch, highlight the pool from within the Network Pool field and click the Delete button.
5. Click the Add button to create a new IP address range for a target host pool. For more information, see Adding a New DHCP Pool on page 5-6.
5.2.4 Configuring the DHCP Server Relay

Refer to the Relay tab to view the current DHCP Relay configurations for available switch VLAN interfaces. The Relay tab also displays the VLAN interfaces for which the DHCP Relay is enabled/configured. The Gateway Interface address information is helpful in selecting the interface suiting the data routing requirements between the External DHCP Server and DHCP client (present on one of the switch’s available VLANs).
2. Click the Relay tab.
3. Refer to the Interfaces field for the names of the interfaces available to route information between the DHCP Server and DHCP clients. If this information is insufficient, consider creating a new IP pool or editing an existing pool.
4. Click the Edit button to modify the properties displayed on an existing DHCP pool. Refer to step 7 for the information that can be modified for the DHCP relay.
5.
c. Click OK to save and add the changes to the running configuration and close the dialog.
d. Click Cancel to close the dialog without committing updates to the running configuration.

5.2.5 Viewing DDNS Bindings

The DDNS Bindings tab displays mappings between client IP addresses and domain names. DDNS keeps a domain name linked to a changing IP address.
5.2.6 Viewing DHCP Bindings

The Bindings tab displays addresses and expiration times. There are two types of bindings, manual and automatic. Manual bindings map a hardware address to an IP address statically. Automatic bindings dynamically map a hardware address to an IP address from a pool of available addresses.

To view detailed binding information:
1. Select Services > DHCP Server from the main menu tree.
2. Select the Bindings tab.
3.
2. Select the Dynamic Bindings tab.
3. Refer to the contents of the Dynamic Bindings tab for the following:
IP Address - Displays the IP address for each client whose MAC Address is listed in the MAC Address / Client ID column. This column is read-only and cannot be modified.
MAC Address / Client ID - Displays the MAC address (client hardware ID) of the client using the switch’s DHCP Server to access switch resources. The MAC address is read-only and cannot be modified.
5.2.8 Configuring the DHCP User Class

The DHCP server assigns IP addresses to clients based on user class option names. Clients with a defined set of user class option names are identified by their user class name. The DHCP server assigns IP addresses from multiple IP address ranges. The DHCP user class associates a particular range of IP addresses to a device in such a way that all devices of that type are assigned IP addresses from the defined range.
3. Click the Add button from the User Class Name section. The DHCP server groups clients based on user class option values. DHCP Clients with the defined set of user class option values are identified by class.
a. Enter the User Class Name to create a new client. The DHCP user class name should not exceed 32 characters.
b. Enter Option Values for the devices associated with the DHCP user class name. The value should not exceed 32 characters.
c.
3. Select an existing DHCP user class name from the list and click on the Edit button from the DHCP User Class Name section.
a. The User Class Name is a display field and cannot be modified.
b. Either add or modify the Option Values as required to suit the changing needs of your network. The option values should not exceed 50 characters.
c. Select the Multiple User Class Option checkbox to enable multiple option values for the user class.
2. Select the Pool Class tab to view the DHCP pool class details.
3. Refer to the Pool Class Names field to configure a pool class. A preconfigured pool and class must exist to configure a pool class. The Address Ranges section displays the address ranges associated with the pool class.
4. Click the Edit button to modify the properties displayed for an existing DHCP Pool Class Name. For more information, see Editing an Existing DHCP Pool Class on page 5-21.
5.
7. Refer to the Status field. It displays the current state of the requests made from the applet. Requests are any “SET/GET” operation from the applet. The Status field displays error messages if something goes wrong in the transaction between the applet and the switch.
8. Click OK to save the new configuration and close the dialog window.
9. Click Cancel to close the dialog without committing updates to the running configuration.
5.2.9.
5.3 Configuring Secure NTP

Secure Network Time Protocol (SNTP) is central for networks that rely on their switch to supply system time. Without an SNTP implementation, switch time is unpredictable, which can result in data loss, failed processes and compromised security. With network speed, memory and capability increasing at an exponential rate, the accuracy, precision and synchronization of network time is essential in a switch managed enterprise network.
2. Select the Configuration tab.
3. An ACL Id must be created before it is selectable from any of the drop-down menus. Refer to the Access Group field to define the following:
Full Access - Supply a numeric ACL ID from the drop-down menu to provide the ACL full access.
Only Control Queries - Supply a numeric ACL ID from the drop-down menu to provide the ACL only control query access to SNTP resources.
Broadcast Delay Auto Key Enter the estimated round-trip delay (between 1 and 999999 seconds) for SNTP broadcasts between the SNTP broadcast server and the switch. Define the interval based on the priority of receiving accurate system time frequently. Typically, no more than one packet per minute is necessary to synchronize the switch to within a millisecond of the SNTP broadcast server.
Key Value - Displays the authentication value used to secure the credentials of the server providing system time to the switch.
Trusted Key - If a checkmark appears, a trusted key has been associated with a domain name. A trusted key is added when a public key is known, but cannot be securely obtained. Adding the trusted key allows information from the server to be considered secure.
necessary, modify the attributes of an existing peer or server configuration or create a new neighbor peer or server SNTP configuration.

To review the switch’s existing NTP neighbor configurations:
1. Select Services > Secure NTP from the main menu tree.
2. Select the NTP Neighbor tab.
3.
6. Click the Add button to define a new peer or server configuration that can be added to the existing configurations displayed within the NTP Neighbor tab. For more information, see Adding an NTP Neighbor on page 5-28.

5.3.4 Adding an NTP Neighbor

To add a new NTP peer or server neighbor configuration to those available for synchronization:
1. Select Services > Secure NTP from the main menu tree.
2. Select the NTP Neighbor tab.
3. Click the Add button.
4.
9. Use the NTP Version drop-down menu to select the version of SNTP to use with this configuration. Currently version three and version four implementations of NTP are available. The latest version is NTPv4, but the official Internet standard is NTPv3.
10. If necessary, select the No Authentication checkbox to allow communications with the NTP resource without any form of security. This option should only be used with known NTP resources.
11.
5.3.5 Viewing NTP Associations

The interaction between the switch and an SNTP server constitutes an association. SNTP associations can be either a peer association (the switch synchronizes to another system or allows another system to synchronize to it), or a server association (only the switch synchronizes to the SNTP resource, not the other way around).

To review the switch’s current SNTP associations:
1. Select Services > Secure NTP from the main menu tree.
2.
Delay (sec) - Displays the round-trip delay (in seconds) for SNTP broadcasts between the SNTP server and the switch.
Offset (sec) - Displays the calculated offset between the switch and SNTP server. The switch adjusts its clock to match the server's time value. The offset gravitates toward zero over time, but never completely reduces its offset to zero.
5.3.6 Viewing NTP Status

Refer to the NTP Status tab to display performance (status) information relative to the switch’s current NTP association. Verifying the switch’s SNTP status is important to assess which resource the switch is currently getting its system time from, as well as the time server’s current differences in time attributes as compared to the current switch time.
Root delay - The total round-trip delay in seconds. This variable can take on both positive and negative values, depending on the relative time and frequency offsets. The values that normally appear in this field range from negative values of a few milliseconds to positive values of several hundred milliseconds.
Root Dispersion - Displays the nominal error relative to the primary time source in seconds.
on the other switches at the same time. This is done by the cluster-protocol running on WS1, by duplicating the commands and sending them to the group over the virtual connection: After sending the command to other members, the cluster-management protocol (at WS1) waits for a response from the members of the redundancy group. Upon receiving a response from each member, WS1 updates the user’s screen and allows the user to enter/execute the next command.
• Managing Clustering Using the Web UI

5.4.1 Configuring Redundancy Settings

To configure switch redundancy:
1. Select Services > Redundancy from the main menu tree. The Redundancy screen displays with the Configuration tab selected.
NOTE: MUs on an independent WLAN will not see any disruptions on a switch fail-over.
2. Refer to the Configuration field to define the following:
Enable Redundancy - Select this checkbox to enable/disable clustering.
Heartbeat Period - The Heartbeat Period is the interval at which heartbeat messages are sent. Heartbeat messages discover the existence and status of other members within the group. Configure an interval between 1 and 255 seconds. The default value is 5 seconds.
Hold Time - Define the Hold Time for a redundancy group. If there are no heartbeats received from a peer during the hold time, the peer is considered down.
3. To enable Dynamic AP Load Balancing check the Enable Dynamic AP Load Balancing box and configure the parameters below:
Runtime/Schedule - Select Runtime or Schedule to determine when load balancing will run. If Runtime is selected, load balancing will initiate anytime a new active switch is added to the redundancy group. If Schedule is selected you can configure a start date and time to execute load balancing. This feature is not available when Dynamic Load Balancing is enabled.
5.4.2 Reviewing Redundancy Status

The switch is capable of displaying the status of the collective membership of the cluster. Use this information to assess the overall health and performance of the group.
NOTE: When ETH2 of one of the group members is unplugged, the other members report this member as gone, but an AP will continue to be adopted by the switch with no ETH2 connectivity.

To configure switch redundancy memberships:
1.
AP Licenses in group - Displays the number of Access Ports that can be adopted in the redundancy group. This value is calculated when a member starts up, is added, is deleted or a license changes (downgrade and upgrade). This value is equal to the highest license level of its members. It is NOT the sum of the license level of its members. For information on licensing rules impacting redundancy group members, see Redundancy Group License Aggregation Rules on page 5-44.
Adoption capacity on this switch - Displays the AP adoption capability for this switch. Compare this value with the adoption capacity for the entire cluster to determine if the cluster members (or this switch) have adequate adoption capabilities. For information on licensing rules impacting redundancy group members, see Redundancy Group License Aggregation Rules on page 5-44.
5.4.3 Configuring Redundancy Group Membership

The redundancy group should be disabled to conduct an Add/Delete operation. There are a minimum of 2 members needed to comprise a Redundancy Group, including the initiating switch.

To configure switch redundancy memberships:
1. Select Services > Redundancy from the main menu tree. The Redundancy screen displays with the Configuration tab selected.
2. Select the Member tab.
3.
AP License Count - Displays the number of Access Port licenses installed on this member.
AAP License Count - Displays the number of Adaptive AP licenses installed on this member.
Mode - The Redundancy Mode could be Active or Standby depending on the mode configuration on the member. Refer to the Configuration screen to change the mode.
4. Select a row, and click the Details button to display additional details for this member.
4. Refer to the following redundancy member information:
IP Address - Displays the IP addresses of the members of the redundancy group. There are a minimum of 2 members needed to define a redundancy group, including this current module.
Status - Displays the current status of this group member. This status could have the following values:
• Configured - The member is configured on the current wireless service module.
Rogue APs - Displays the number of Rogue APs detected by each member. Use this information to discern whether these radios represent legitimate threats to other members of the redundancy group.
Self Healing Radios - Displays the number of self healing radios on each detected member. These radios can be invaluable if other radios within the redundancy group were to experience problems requiring healing by another radio.
5. Refer to the Status field.
• In a redundancy group of three switches (S1, S2 and S3), if S1 has X licenses, S2 has Y licenses and S3 has Z licenses, the license count is X+Y+Z (the aggregation of each switch).
• A cluster license is re-calculated whenever a new switch brings existing licenses to a group or an existing switch’s license value changes (increases or decreases).
5.4.5 Managing Clustering Using the Web UI

Managing clustering in the Web UI is done through the Cluster GUI feature. The Cluster GUI feature updates many key screens in the Web UI allowing you to see APs and MUs managed by all active members of a cluster.

To enable the Cluster GUI feature:
1. Select Services > Redundancy from the main menu tree. The Redundancy screen displays with the Configuration tab selected.
2.
5.5 Layer 3 Mobility

Refer to the following sections to configure Layer 3 Mobility:
• Configuring Layer 3 Mobility
• Defining the Layer 3 Peer List
• Reviewing Layer 3 Peer List Statistics
• Reviewing Layer 3 MU Status

5.5.1 Configuring Layer 3 Mobility

Layer 3 mobility is a mechanism enabling a MU to maintain the same Layer 3 address while roaming throughout a multi-VLAN network.
• A full mesh of GRE tunnels can be established between mobility peers. Each tunnel is between a pair of switches and can handle data traffic for all MUs (for all VLANs) associated directly or indirectly with the MU.
• Data traffic for roamed MUs is tunneled between switches by encapsulating the entire Layer 2 packet inside GRE with a proprietary code-point.
6. Select the Enable Mobility checkbox to enable a MU to maintain the same Layer 3 address while roaming throughout a multi-VLAN network.
7. Select the All WLANs On button to enable mobility for each WLAN listed. If unsure if you want to enable mobility for each WLAN, manually select just those you want to enable.
8. Select the All WLANs Off button to disable mobility for each WLAN listed.
9. Click the Apply button to save the changes made within this screen.
5. Click the Add button to display a screen used for adding the IP address to the list of addresses available for MU Layer 3 roaming. Enter the IP addresses in the area provided and click the OK button to add the addresses to the list displayed within the Peer List screen.
5.5.
3. Refer to the following information within the Peer Statistics tab:
Peer IP - Displays the IP addresses of the peer switches within the mobility domain. Each peer can support up to 500 MUs.
JOIN Events sent/rcvd - Displays the number of JOIN messages sent and received. JOIN messages advertise the presence of MUs entering the mobility domain for the first time.
2. Select the MU Status tab.
5.6 Configuring Self Healing

The switch supports a feature called Self Healing that enables radios to take corrective action when one or more radios fail. To enable the feature the user must specify radio neighbors that would self heal if either one goes down. The neighbor radios do not have to be of the same type. Therefore, an 11bg radio can be the neighbor of an 11a radio and either of them can self heal when one of them fails.
5. Click the Revert button to disregard any changes made within this screen and revert back to the last saved configuration.

5.6.1 Configuring Self Healing Neighbor Details

The Neighbor Details page displays all the radios configured on the switch and their neighbor designations.

To configure self-healing on the switch:
1. Select Services > Self Healing from the main menu tree. The Self Healing page launches with the Configuration tab displayed.
2.
Action - Displays the self healing action configured for the radio. Options include:
• Raise Power - The transmit power of the radio is increased when a neighbor radio is not functioning as expected.
• Open Rates - Radio rates are decreased to support all rates when a neighbor radio is not functioning as expected.
• Both - Increases power and increases rates when a neighbor radio is not functioning as expected.
3. Select an existing neighbor and click the Edit button. The radio index and description display in the upper right corner of the screen. The Available Radios value represents the radios that can be added as a neighbor for the target radio. Neighbor Radios are existing radios (neighbors).
4. Select one of the following four actions from the Self Healing Action drop-down menu:
• None - The radio takes no action at all when its neighbor radio fails.
the Recently Found Devices tab to view a table of devices discovered by the current discovery process. Each discovered device compatible with the locating switch is displayed in a shaded color to distinguish it from non-compatible devices.
CAUTION: Switch discovery can be a time consuming operation. However, the switch discovery operation is a standalone process. This allows users to perform other configuration operations when discovery is running in the background.
5.7.
3. Select an existing profile and click the Edit button to modify the profile name, starting and ending IP address and SNMP version. Motorola recommends editing a profile only if some of its attributes are still valid. If the profile is obsolete, delete it and create a new one.
4. Select an existing profile and click the Delete button to remove this profile from the list of available profiles.
5.
5.7.1.1 Adding a New Discovery Profile

If the contents of an existing profile are no longer relevant to warrant modification using the Edit function, then a new switch discovery profile should be created.

To create a new switch discovery profile:
1. Select Services > Discovery from the main menu tree.
2. Click the Add button at the bottom of the screen.
3.
displayed in a shaded color to distinguish it from non-compatible devices. The switch Web UI enables users to display the Web UI of the discovered device in a separate browser window.

To view the devices located by the switch:
1. Select Services > Discovery from the main menu tree.
2. Select the Recently Found Devices tab.
3.
Device Location - Displays the device location defined for the discovered device. The location would have been assigned using the Switch > Configuration screen.
Profile used for Discovery - Displays the profile selected from within the Discovery Profiles tab and used with the Start Discovery function to discover devices within the switch managed network.
5.8 Locationing

The Motorola WiNG Geofencing Architecture provides a very comprehensive and elegant solution for physical security to wireless without impacting the mobility. The Motorola WiNG Wireless ACLs allow protection based on the MAC address and location of clients within user defined boundaries.
provide accurate asset locationing information across multiple networks in real-time. This solution can also be packaged as a locationing appliance.

5.8.2 SOLE - Smart Opportunistic Location Engine

SOLE is an on-board location engine using a combination of innovative algorithms to determine location based on asset type. SOLE fuses the location information reported by several technologies into one seamless environment to get more meaningful results.
SOLE is capable of receiving input of location from external 3rd party location engines such as Aeroscout and Ekahau. SOLE also has a self learning process that adapts with a changing environment. SOLE also provides an open platform for supporting new architectures, future algorithms or newer asset types.

5.8.3 Defining Site Parameters

In order for the locationing engine to function properly the site parameters must first be defined.
width of the site is then mapped out on the X and Y axes. The length and width, along with the height, are entered into the fields below. Define the Dimensions and Unit of measure used to define the site size:
Length - Enter the length of the site. This is the X axis of your site map based on the origin point of 0,0. The size is either in feet or meters depending on which unit of measure is selected below. The valid range for length is 1-1000m or 1-3000ft.
5.8.3.1 Adding AP Location Information

To add AP Location information for your site:
1. Select Services > RTLS from the main menu tree.
2. Select the Site tab.
3. Click the Add button.

5.8.4 Configuring SOLE Parameters

To configure the switch’s internal SOLE locationing engine:
1. Select Services > RTLS from the main menu tree.
2. Select the SOLE tab.
3. Check the Locate All Mobile-Units checkbox to locate all MUs known to the switch across all WLANs.
6. Click the Revert button to cancel any changes made within the MU Locate Interval value and revert back to the last saved configuration.
NOTE: AP coordinates can only be configured in the Command Line Interface. For more information on configuring AP coordinates please consult the Motorola RF Switch CLI Reference.
7. The MU MAC table allows you to manually add or remove MAC Addresses which can be located by the SOLE engine. This supports a maximum of 512 MUs.
Once SOLE has been enabled, MUs found by the locationing engine will be displayed in the Located MUs table at the bottom of the page. For each located MU the following information is displayed:
MAC - Lists the MAC Addresses of all MUs which have been located by the switch.
Location: X Coordinate - Displays the value of the X Coordinate for each located MU. The X coordinate is relative to the origin point of 0,0 in the upper left corner of the site map.
4. Enter the Multicast MAC Address used for all Aeroscout tags to send updates via multicast to the MAC address specified. Typically the MAC address will start with 01-0C-CC-XX-XX-XX.
NOTE: To use the onboard SOLE engine to locate Aeroscout tags, site parameters, AP location (Command Line Interface only) and Zone configuration (optional, Command Line Interface only) must be configured.
5. Click the Apply button to save the Multicast MAC Address value.
6.
If the onboard SOLE engine is enabled to locate Aeroscout tags the following information will be displayed for each located MU:
MAC - Lists the MAC Addresses of all MUs which have been located by the switch.
Location: X Coordinate - Displays the value of the X Coordinate for each located MU. The X coordinate is relative to the origin point of 0,0 in the upper left corner of the site map.
4. Enter the Multicast MAC Address used for all Ekahau tags to send updates via multicast to the MAC address specified. Typically the MAC address will start with 01-0C-CC-XX-XX-XX.
NOTE: To use the onboard SOLE engine to locate Ekahau tags, site parameters, AP location (Command Line Interface only) and Zone configuration (optional, Command Line Interface only) must be configured.
5. Specify the IP Address of the Ekahau RTLS engine server.
6.
If the onboard SOLE engine is enabled to locate Ekahau tags the following information will be displayed for each located MU:
MAC - Lists the MAC Addresses of all MUs which have been located by the switch.
Location: X Coordinate - Displays the value of the X Coordinate for each located MU. The X coordinate is relative to the origin point of 0,0 in the upper left corner of the site map.
Switch Security

This chapter describes the security mechanisms available to the switch. This chapter describes the following security configuration activities:
• Displaying the Main Security Interface
• Access Point Detection
• Wireless Intrusion Detection / Protection
• Configuring Firewalls and Access Control Lists
• Configuring NAT Information
• Configuring IKE Settings
• Configuring IPSec VPN
• Configuring the Radius Server
• Creating Server Certificates
• Configuring Enhanced Beacons and Probes
6.
To view main menu security information:
1. Select Security from the main menu tree.
2. Refer to the following information to discern if configuration changes are warranted:
Access Port Intrusion Detection - Displays the Enabled or Disabled state of the switch to detect potentially hostile Access Ports (the definition of which is defined by you).
6.2 Access Point Detection

Use the Access Point Detection menu options to view and configure the detection of other Access Points. The Access Point Detection screen consists of the following tabs:
• Enabling and Configuring AP Detection
• Authorized / Ignored APs
• Unauthorized APs (AP Reported)
• Unauthorized APs (MU Reported)
• AP Containment
6.2.
3. Enable AP assisted scanning and timeout intervals as required.
Enable - Select the Enable checkbox to enable associated Access Ports to detect potentially hostile Access Points (the definition of which is defined by you). Once detected, the Access Points can be added to a list of APs either approved or denied from interoperating within the switch managed network.
BSS MAC Address - Displays the MAC address of the Allowed AP(s). The MAC addresses displayed are defined by clicking the Add button and entering a specific MAC address or by allowing all MAC addresses. The list of MAC addresses allowed can be modified by highlighting an existing entry, clicking the Edit button and revising the properties of the MAC address.
ESSID - Displays the ESSIDs of the Allowed AP(s).
5. Refer to the BSS MAC Address field to define the following:
Any MAC Address/ Specific MAC Address - Click the Any MAC Address radio button to allow any MAC address detected on the network as an Allowed AP. This is not necessary if a specific MAC address is used with this index. Click the second radio button to enter a specific MAC address as an Allowed AP.
ESSID - Displays the SSID of each approved AP.
Authorized/Ignored APs - Displays authorized APs.
4. The Number of Approved APs is simply the sum of all approved Access Point MAC Addresses detected.
5. Select the Display Adopted APs check box.
6. Click on the Export button to export the contents of the table to a Comma Separated Values file (CSV).
6.2.
Signal Strength (in dBm) - Displays the Relative Signal Strength Indicator (RSSI) for the detected (and unapproved) AP. APs with a strong signal may pose a more significant risk within the switch managed network.
Last Seen (in Seconds) - Displays the time (in seconds) the Unapproved AP was last seen on the network by the detecting AP.
ESSID - Displays the ESSID of each Unapproved AP.
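The Allowed AP rules (BSS MAC Address and ESSID, each either "any" or a specific value) and the Unauthorized APs (AP Reported) fields described above can be modelled as follows. This is an added example, not Motorola code or switch output; the record types, function names and sample values are constructed for illustration.

```python
"""Added example: match detected APs against Allowed AP rules and rank the rest."""
from dataclasses import dataclass
from typing import Optional

ANY = None  # models the "Any MAC Address" / any-ESSID choice in a rule


def norm_mac(mac):
    """Lowercase, colon-separated form so 00-A0-... and 00:a0:... compare equal."""
    digits = mac.lower().replace(":", "").replace("-", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class AllowRule:
    index: int
    bss_mac: Optional[str]  # ANY or a specific BSS MAC address
    essid: Optional[str]    # ANY or a specific ESSID

    def matches(self, ap):
        mac_ok = self.bss_mac is ANY or norm_mac(self.bss_mac) == norm_mac(ap.bss_mac)
        essid_ok = self.essid is ANY or self.essid == ap.essid
        return mac_ok and essid_ok


@dataclass(frozen=True)
class DetectedAP:
    bss_mac: str
    essid: str
    signal_dbm: int   # Signal Strength (in dBm)
    last_seen_s: int  # Last Seen (in Seconds)


def classify(detected, rules):
    """Split detected APs into (authorized, unauthorized).

    Unauthorized APs are ordered strongest signal first, then most recently
    seen, since a strong signal may pose a more significant risk.
    """
    authorized, unauthorized = [], []
    for ap in detected:
        target = authorized if any(r.matches(ap) for r in rules) else unauthorized
        target.append(ap)
    unauthorized.sort(key=lambda ap: (-ap.signal_dbm, ap.last_seen_s))
    return authorized, unauthorized


def rule_findings(rules):
    """Flag rules whose wildcards make them broader than they may look."""
    findings = []
    for r in rules:
        if r.bss_mac is ANY and r.essid is ANY:
            findings.append((r.index, "matches every detected AP"))
        elif r.bss_mac is ANY:
            # Accepts any BSS MAC that advertises this ESSID.
            findings.append((r.index, "matches on ESSID alone"))
    return findings


# Constructed sample data (locally administered MAC addresses, invented ESSIDs).
RULES = [
    AllowRule(1, "02-00-00-AA-00-01", "corp"),
    AllowRule(2, ANY, "guest"),
    AllowRule(3, "02:00:00:aa:00:03", ANY),
]
DETECTED = [
    DetectedAP("02:00:00:aa:00:01", "corp", -48, 3),     # rule 1
    DetectedAP("02:00:00:bb:00:09", "corp", -41, 5),     # ESSID known, MAC is not
    DetectedAP("02:00:00:cc:00:07", "guest", -70, 12),   # rule 2 (any MAC)
    DetectedAP("02:00:00:dd:00:02", "cafe", -83, 40),
    DetectedAP("02:00:00:ee:00:05", "printer", -41, 2),
]

if __name__ == "__main__":
    ok, suspect = classify(DETECTED, RULES)
    for ap in suspect:
        print(f"unauthorized {ap.bss_mac} essid={ap.essid} {ap.signal_dbm} dBm")
    for index, finding in rule_findings(RULES):
        print(f"rule {index}: {finding}")
```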
3. The Unauthorized APs (MU Reported) table displays the following information:
BSS MAC Address - Displays the MAC Address of each Unapproved AP. These MAC addresses are Access Points observed on the network (by associated MUs), but have yet to be added to the list of approved APs, and are therefore interpreted as a threat on the network.
Reporting MU - Displays the numerical value for the detecting MU.
3. To enable the AP containment feature, check the Enable Containment checkbox and specify a Containment Interval between 20 and 5000 milliseconds. The Containment Interval field determines the interval after which broadcast 802.11 de-authentication messages will be sent.
4. When the containment feature has been enabled and a Containment Interval has been set, click the Apply button to enable the feature and save the interval value.
5.
2. Click the Configuration tab. The MU Intrusion Detection tab consists of the following two fields:
• Collection Settings
• Violation Parameters
3. Within the Collection Settings field, set the Detection Window interval (in seconds) the switch uses to scan for MU violations. The available range is from 5 to 300 seconds.
4.
CAUTION: Setting MU threshold values too low can jeopardize MU performance or break the MU’s connection.
NOTE: Setting a violation parameter to 0 will disable that option.
5. When using the Frames with known bad ESSIDs violation parameter, it is necessary to enter a list of known bad ESSIDs for the violation parameter.
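The following Python sketch is an added example, not the switch's own detection code: it counts frames per MU inside each Detection Window and reports the violation types whose thresholds are exceeded, treating a threshold of 0 as disabled and checking ESSIDs against a known-bad list. The event labels, the per-MU non-overlapping windows, the "greater than" comparison and the sample frames are assumptions constructed for illustration.

```python
from collections import Counter
from typing import Dict, FrozenSet, Iterable, List, NamedTuple, Optional


class Frame(NamedTuple):
    ts: float                      # seconds since the start of the capture
    mac: str                       # MAC address of the transmitting MU
    kind: str                      # constructed event label (see mapping below)
    essid: Optional[str] = None    # ESSID carried by the frame, if any


class Violation(NamedTuple):
    window_start: int              # start of the Detection Window, in seconds
    mac: str
    violation_type: str
    count: int


# The violation type names are the ones the guide lists; the event labels
# on the left are assumptions made for this example.
KIND_TO_VIOLATION = {
    "probe": "Excessive Probes",
    "assoc": "Excessive Association",
    "disassoc": "Excessive Disassociation",
    "auth_fail": "Excessive Authentication failure",
    "crypto_replay": "Excessive Crypto replays",
}
BAD_ESSID = "Frames with known bad ESSIDs"


def detect(frames: Iterable[Frame], window_s: int,
           thresholds: Dict[str, int],
           bad_essids: FrozenSet[str] = frozenset()) -> List[Violation]:
    """Count events per MU in consecutive windows and report exceeded thresholds.

    Assumptions: counts are kept per MU, windows do not overlap, and a
    violation is raised when a count is greater than its threshold.
    """
    if not 5 <= window_s <= 300:
        raise ValueError("Detection Window must be between 5 and 300 seconds")
    counts: Counter = Counter()
    for f in frames:
        bucket = int(f.ts // window_s)
        vtype = KIND_TO_VIOLATION.get(f.kind)
        if vtype:
            counts[(bucket, f.mac, vtype)] += 1
        if f.essid is not None and f.essid in bad_essids:
            counts[(bucket, f.mac, BAD_ESSID)] += 1
    hits = []
    for (bucket, mac, vtype), n in sorted(counts.items()):
        limit = thresholds.get(vtype, 0)
        if limit > 0 and n > limit:        # a threshold of 0 disables the check
            hits.append(Violation(bucket * window_s, mac, vtype, n))
    return hits


def sample_frames() -> List[Frame]:
    """Constructed input: three MUs seen over roughly 14 seconds."""
    a, b, c = "00:11:22:33:44:55", "00:11:22:33:44:66", "00:11:22:33:44:77"
    frames = [Frame(i * 0.5, a, "probe", "corp") for i in range(12)]
    frames += [Frame(1.0 + i, a, "auth_fail") for i in range(6)]
    frames += [Frame(2.0 + i, b, "probe", "corp") for i in range(3)]
    frames += [Frame(12.0 + i, c, "probe", "free-wifi") for i in range(2)]
    return frames


if __name__ == "__main__":
    limits = {"Excessive Probes": 10,
              "Excessive Authentication failure": 0,   # disabled
              BAD_ESSID: 1}
    for v in detect(sample_frames(), 10, limits, frozenset({"free-wifi"})):
        print(v)
```

With the authentication-failure threshold left at 0, the six failures from the first MU are never reported, which is the trade-off the NOTE above describes.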
2. Click on the Filtered MUs tab. The Filtered MUs tab displays the following read-only information for detected MUs:
MAC Address - Displays the MU’s MAC address. Refer to this address as the potentially hostile MU’s identifier.
Radio Index - The radio index displays the index of the detected MU. Use this information to discern whether the detected MU is known and whether it truly constitutes a threat.
Violation Type - Displays the reason the violation occurred for each detected MU. Use the Violation Type to discern whether the detected MU is truly a threat on the switch managed network (and must be removed) or can be interpreted as a non-threat. The following violation types are possible:
• Excessive Probes
• Excessive Association
• Excessive Disassociation
• Excessive Authentication failure
• Excessive Crypto replays
• Excessive 802.
applied ACLs to verify the packet has the required permissions to be forwarded, based on the criteria specified in the access lists.
NOTE: If a packet does not meet any of the criteria specified in the ACL, the packet is dropped.
Use the Wireless Firewall screen to view, add and configure access control configurations. Typically, an ACL consists of a series of entries, each called an Access Control Entry (ACE).
6.4.1.1 Router ACLs
Router ACLs are applied to Layer 3 or VLAN interfaces. If an ACL is already applied in a particular direction on an interface, applying a new one will replace the existing ACL. Router ACLs are applicable only if the switch acts as a gateway, and traffic is inbound only. The switch supports two types of Router ACLs:
• Standard IP ACL - Uses the source IP address as matching criteria.
• Extended IP ACL - Uses a source IP address, destination IP address and IP protocol type as basic matching criteria. It can also include other parameters specific to a protocol type, like the source and destination ports for TCP/UDP protocols.
• MAC Extended ACL - Uses source and destination MAC addresses and VLAN ID. It can optionally also use Ethertype information.
Port ACLs are also stateful and are not applied on every packet switched through the switch.
In general, a Wireless-LAN ACL can be used to filter wireless to wireless, wireless to wired and wired to wireless traffic. Typical wired to wired traffic can be filtered using a Layer 2 port based ACL rather than a WLAN ACL. Each WLAN is assumed to be a virtual Layer 2 port. Configure one IP and one MAC ACL on the virtual WLAN port. In contrast to Layer 2 ACLs, a WLAN ACL can be enforced on both the Inbound and Outbound direction.
6.4.1.
6.4.2 Attaching an ACL on a WLAN Interface/Port
Use the Attach-WLAN tab to view and assign an ACL to a WLAN on the switch. If a MAC ACL is being attached, create an ACL entry to allow ARP with the least precedence.
NOTE: WLAN-based ACLs allow users to enforce rules/ACLs in both the inbound and outbound directions, as opposed to Layer 2 ACLs, which support only the inbound direction. The range of ACL rules per AAP is <0-24>.
To configure a WLAN ACL:
1.
6.4.2.1 Adding or Editing a New ACL WLAN Configuration
After creating an ACL, it can be applied to one or more WLANs on the switch. To attach an ACL to a WLAN:
1. Select Security > Wireless Firewall from the main menu tree.
2. Click the Security Policy tab.
3. Click the Attach-WLAN tab.
4. Click the Add button to create a new ACL WLAN association or highlight an existing association and click the Edit button.
5. Define a WLAN Index between 1 and 32.
6.
3. Click the Attach-L2/L3 tab.
4. Refer to the following information as displayed within the Attach tab:
Interface - The interface to which the switch is configured. It can be one of the following:
• ge 1-8 for the RFS6000 and ge 1-5 for the RFS4000
• up 1
• vlan1 (or any additional VLANs that have been created)
IP ACL - Displays the IP ACL configured as the inbound IP for the layer 2 or layer 3 interface.
4. Click the Add button.
5. Use the Interface drop-down menu to select the interface to configure on the switch. Available options include: ge 1-8, up 1, VLAN 1 (plus those VLANs created thus far) and Tunnel n (where n equals the name(s) of those tunnels created thus far).
6. Use the IP ACL drop-down menu to select an IP ACL used as the inbound IP for the layer 2 or layer 3 interface.
7.
3. Click the Attach Role tab.
4. Refer to the following information as displayed within the Attach Role tab:
Role Priority - Displays the priority assigned to the role as determined by the Sequence Number associated with the role.
Role Name - Displays the role name assigned to each role. Role names are assigned when they are added from the Security > Wireless Firewall > Configuration > Role tab.
Direction - Displays the direction which the role is associated with.
3. Click the Attach Role tab.
4. Click the Add button.
5. Select a Role Name from the drop-down menu. Role Names can be added in the Configuration > Role tab.
6. Use the ACL drop-down menu to select an ACL to associate with the Role Name.
7. Select Inbound or Outbound to apply the new role to the appropriate interface.
8. Set a Precedence level for the ACL. The valid range is between 1 and 100, with lower precedence numbers getting higher priority.
9.
4. The Attach AAP WLAN tab contains the following read-only information:
WLAN Index - The WLAN Index displays the list of attached WLANs with ACLs.
IP ACL - Displays the IP ACL configured for the WLAN interface in the inbound/outbound direction.
MAC ACL - Displays the MAC ACL configured for the WLAN interface in the inbound/outbound direction.
5. Select an interface and click on Edit to modify the WLAN Index, IP ACL and MAC ACL values.
4. On the Attach AAP WLAN tab select a WLAN and click the Edit button:
WLAN Index - Enter the WLAN Index to attach the WLAN with ACLs. The range is <0-2>.
IP ACL - Select an IP ACL configured for the WLAN interface in the inbound/outbound direction.
Inbound/Outbound - Select either the Inbound or Outbound radio button to define which direction the ACL applies.
5. Refer to the Status field for the state of the requests made from the applet.
IP ACL - Select an IP ACL configured for the WLAN interface in the inbound/outbound direction.
Inbound/Outbound - Select either the Inbound or Outbound radio button to define which direction the ACL applies.
5. Refer to the Status field for the state of the requests made from the applet. This field displays error messages if something goes wrong in the transaction between the applet and the switch.
6. Click OK to use the changes to the running configuration and close the dialog.
7.
5. Select an interface and click on Edit to modify the LAN Index, IP ACL and MAC ACL values. For more information, see Editing an Adaptive AP LAN on page 6-28.
6.4.6.1 Editing an Adaptive AP LAN
To edit an AAP LANs page:
1. Select Security > Wireless Firewall from the main menu tree.
2. Click on the Security Policy tab.
3. Click on the Wireless Filters tab.
4.
4. The Wireless Filters tab contains the following read-only information:
MU-ACL Index - Displays a numerical identifier used to associate a particular ACL to a range of MAC addresses (or a single MAC address) that are either allowed or denied access to the switch managed network.
Starting MAC - Displays the beginning MAC Address (for this specific Index) either allowed or denied access to the switch managed network.
Authentication - Displays the authentication scheme configured for the devices comprising this WLAN.
Encryption - Displays the encryption method configured for the devices comprising this WLAN.
6. If the properties of an existing filter fulfill your needs but still require modification to better filter devices, select the Edit button. For more information, see Editing an Existing Wireless Filter on page 6-30.
7.
7. Modify the existing Starting MAC for the target Index or leave the Starting MAC value as is and just modify the Ending MAC Address or Allow/Deny designation.
8. Modify the existing Ending MAC for the target Index. Enter the same Starting MAC address within the Ending MAC field to use only the Starting MAC address as either allowed or denied access to the switch managed network.
9. To associate a zone with the ACL select a Zone ID from the pull-down menu.
6. Enter a hex value for the Starting MAC address. This is the beginning MAC address either allowed or denied access to the switch managed network.
7. Enter a hex value for the Ending MAC address. Enter the same Starting MAC address within the Ending MAC field to use only the Starting MAC address as either allowed or denied access to the switch managed network.
8. To modify the zone associated with the ACL select a Zone ID from the pull-down menu.
5. Click the Memberships button.
6. Select the box to the right of each WLAN you want associated with the ACL. Selecting a WLAN maps it to the MAC address range and allow or deny designation assigned to it. Consequently, be sure you are not restricting MU traffic for a WLAN that requires those MAC addresses to interact with the switch.
7. Refer to the Status field for the state of the requests made from the applet.
The ACLs field displays the list of ACLs currently associated with the switch. An ACL contains an ordered list of ACEs. Each ACE specifies a permit or deny designation and a set of conditions the packet must satisfy to match the ACE. Because the switch stops testing conditions after the first match, the order of conditions in the list is critical.
6.
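The first-match behaviour described above can be checked offline before an ACL is applied. The following Python sketch is an added example, not Motorola code: it models ACEs using the guide's precedence range (1 to 5000, lowest tested first) and permit/deny designations, drops a packet that matches no ACE, and reports ACEs that can never match because an earlier ACE covers them. The class names, field layout and sample addresses are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                     # "tcp", "udp" or "icmp"
    dport: Optional[int] = None    # None for protocols without ports


@dataclass(frozen=True)
class Ace:
    """One access control entry (the field layout is an assumption)."""
    precedence: int                # 1-5000; the lowest value is tested first
    action: str                    # "permit" or "deny"
    src: str                       # source network in CIDR notation
    dst: str = "0.0.0.0/0"         # destination network in CIDR notation
    proto: str = "any"             # "any", "tcp", "udp" or "icmp"
    dport: Optional[int] = None    # None matches any destination port

    def __post_init__(self):
        if not 1 <= self.precedence <= 5000:
            raise ValueError(f"precedence {self.precedence} outside 1-5000")
        if self.action not in ("permit", "deny"):
            raise ValueError(f"unknown action {self.action!r}")

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and self.dport in (None, pkt.dport))

    def covers(self, other: "Ace") -> bool:
        """True when every packet matching `other` also matches this ACE."""
        return (ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
                and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst))
                and self.proto in ("any", other.proto)
                and self.dport in (None, other.dport))


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, precedence of the deciding ACE); the first match wins."""
    for ace in sorted(acl, key=lambda a: a.precedence):
        if ace.matches(pkt):
            return ace.action, ace.precedence
    return "deny", None            # no ACE matched: the packet is dropped


def shadowed(acl: List[Ace]) -> List[Tuple[int, int]]:
    """Return (unreachable precedence, covering precedence) pairs."""
    ordered = sorted(acl, key=lambda a: a.precedence)
    found = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if earlier.covers(later):
                found.append((later.precedence, earlier.precedence))
                break
    return found


# Constructed sample: the intent was to block 10.1.50.0/24 except for DNS.
SAMPLE_ACL = [
    Ace(10, "permit", "10.1.0.0/16", proto="tcp", dport=443),
    Ace(20, "deny", "10.1.50.0/24"),
    Ace(30, "permit", "10.1.50.0/24", dst="10.9.9.9/32", proto="udp", dport=53),
]

if __name__ == "__main__":
    https = Packet("10.1.50.7", "203.0.113.5", "tcp", 443)
    dns = Packet("10.1.50.7", "10.9.9.9", "udp", 53)
    print("HTTPS from blocked subnet:", evaluate(SAMPLE_ACL, https))
    print("DNS from blocked subnet:  ", evaluate(SAMPLE_ACL, dns))
    print("Unreachable ACEs:         ", shadowed(SAMPLE_ACL))
```

In the sample, the broad permit at precedence 10 lets HTTPS out of the subnet the deny was meant to block, and the DNS permit at precedence 30 never matches; both are ordering mistakes rather than mistakes in any single ACE.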
4. Click the Add button.
5. Select an ACL Type from the drop-down menu. The following options are available:
• Standard IP List - Uses source IP addresses for matching operations.
• Extended IP List - Uses source and destination IP addresses and optional protocol information for matching operations.
• MAC Extended List - Uses source and destination MAC addresses, VLAN ID and optional protocol information.
6. Enter a numeric index name for the ACL in the ACL ID field.
7.
4. Click the Add button within the Associated Rules field.
5. Use the Precedence field to enter a precedence (priority) value between 1 and 5000. The rules within an ACL will be applied to packets based on their precedence value. Rules with lower precedence are always applied first.
NOTE: If adding an access control entry to an ACL using the switch SNMP interface, Precedence is a required parameter.
6.
1. Select Security > Wireless Firewall from the main tree menu.
2. Click the Configuration tab.
3. Click the ACL tab.
4. Select an ACL from the ACLs field. The rules associated with the selected ACL display in the Associated Rules section.
5. Click the Edit button within the Associated Rules field.
6. Use the Precedence field to modify the precedence (priority) between 1 and 5000. The rules within an ACL are applied to packets based on their precedence value.
12. Refer to the Status field for the state of the requests made from the applet. This field displays error messages if something goes wrong in the transaction between the applet and the switch.
13. Click OK to use the changes to the running configuration and close the dialog.
14. Click Cancel to close the dialog without committing updates to the running configuration.
6.4.12 Configuring Layer 2 Firewall
To review Layer 2 firewall rules:
1.
ARP Trust - Displays the ARP trust status for the selected L2 interface. Trusted ARP packets are also used to update the DHCP Snoop Table to prevent IP spoofing and ARP cache poisoning attacks. By default, none of the physical or aggregate interfaces are ARP trusted.
Broadcast Storm Threshold - Displays the Broadcast Storm Threshold for each interface.
5. Configure the following values for each new Layer 2 configuration:
Interface Name - Assign the interface to be associated with the Layer 2 firewall. Available Layer 2 interfaces are ge 1-8 and up1.
ARP Rate - Specify the Address Resolution Protocol (ARP) rate. Rates can be between 1 and 1000000.
DHCP Trust - Select to enable DHCP trust on this interface. A DHCP server must always be connected to an interface that has its DHCP trust enabled.
4. The WLAN tab contains the following information:
WLAN Index - Displays the WLAN index number. This number is configured on the wireless LAN configuration page.
Broadcast Storm Threshold - Displays the Broadcast Storm Threshold for each interface. When the rate of broadcast packets exceeds the high threshold configured for an interface, packets are throttled till the rate falls below the configured rate. Thresholds are configured in terms of packets per second.
MU Deauthenticate - Displays whether or not mobile unit de-authentication is enabled for each WLAN. If MU Deauthenticate is enabled, any associated mobile unit that hits the thresholds configured for Allowed MU denies per second will be deauthenticated. If MU Deauthenticate is enabled, a green checkmark will be displayed. When it is disabled, a red “X” will be displayed.
DHCP Trust - Displays the DHCP trust status for the selected WLAN.
5. To create a new WLAN Firewall rule configure the following information:
WLAN Index - Select a WLAN index number from the pull-down menu. This number is configured on the wireless LAN configuration page.
Broadcast Storm Threshold - Enter the Broadcast Storm Threshold for each interface. When the rate of broadcast packets exceeds the high threshold configured for an interface, packets are throttled till the rate falls below the configured rate.
4. The DoS Attack tab contains the following information:
Type - Displays the Denial of Service attack type. The switch currently supports enabling or disabling 28 types of DoS attack filters.
Check Enabled - This field will show a green checkmark next to the Denial of Service Attack filters that are enabled on the switch firewall. When a DoS Attack filter is disabled a red “X” will be shown in this column.
Attack Count - Displays the number of times that each DoS attack has been observed by the switch firewall. Clicking the Clear Stats button on this page will reset all Attack Counts to 0.
Last Occurrence - Displays the amount of time since each DoS attack has been observed by the switch firewall. Clicking the Clear Stats button on this page will reset all Last Occurrence timers to 0:00:00.00.
5.
3. Click the Role tab.
4. Select the checkbox Role Assignment Immediate and click Apply to assign the role immediately.
5. The Role configuration screen displays the following information:
Sequence Number - Displays the sequence number associated with each role. Sequence numbers determine the order in which roles are applied. Roles with lower sequence numbers are applied before those with higher sequence numbers.
7. To edit an existing role, click the Edit button and modify the filter settings.
8. To remove a role, select that role from the table and click the Delete button. A confirmation will be displayed before the role is deleted from the switch.
6.4.15.1 Creating a new Role
To add a new role:
1. Select Security > Wireless Firewall from the main tree menu.
2. Click the Configuration tab.
3. Click the Role tab.
4. Click the Add button.
5.
AP Location - Select an AP Location filter, if any, to apply to the role.
6. Refer to the Status field for the state of the requests made from the applet. This field displays error messages if something goes wrong in the transaction between the applet and the switch.
7. Click OK to use the changes to the running configuration and close the dialog.
8. Click Cancel to close the dialog without committing updates to the running configuration.
6.4.16 Configuring Firewall Logging Options
To view firewall logging rules:
1.
4. Select the Syslog logging levels for each of the following log types:
ARP Log - The ARP Log field displays the level of Syslog logging enabled for excessive ARP on an interface. The logging level uses standard Syslog levels of:
• Emergency
• Alert
• Critical
• Error
• Warning
• Notice
• Info
• Debug
• None
To change the logging level, click on the specific field and choose the logging level from the pull-down menu.
Multicast Log - The Multicast Log field displays the level of Syslog logging enabled for excessive multicast on an interface. The logging level uses standard Syslog levels of:
• Emergency
• Alert
• Critical
• Error
• Warning
• Notice
• Info
• Debug
• None
To change the logging level, click on the specific field and choose the logging level from the pull-down menu.
2. Click the Statistics tab.
3. From the Statistics section select the Statistics tab.
4. Refer to the following information as displayed within the Statistics tab:
Interface - Interface displays the physical/virtual interfaces used to add the ACL association to the switch.
Action - Displays the permit, deny or mark designation for the ACL. If the action is to mark, the packet is tagged for priority.
5. Select an interface and click the Details button to display a more robust set of statistics for the selected interface.
6. Click the Export button to export the selected ACL attribute to a user specified location.
6.4.17.2 Viewing DHCP Snoop Entry Statistics
To review DHCP Snoop Entry statistics:
1. Select Security > Wireless Firewall from the main menu tree.
2. Click the Statistics tab.
3. From the Statistics section select the DHCP Snoop Entry tab.
4. Refer to the following information as displayed within the DHCP Snoop Entry tab:
Client IP Address - Displays the DHCP Client IP Address for each entry.
VLAN ID - Displays the VLAN ID number, if any, for each entry in the DHCP Snoop Entry table. The range is <1-4094>. The default value is 1.
MAC Address - Displays the MAC Address of each DHCP Client, DHCP Server or Router in the table.
Type - Displays the type for each DHCP Snoop Entry.
3. From the Statistics section select the Role tab.
4. Refer to the following information as displayed within the Role tab:
Role Name - Displays the Role Names for all roles that are active and have mobile units associated with them.
Assigned MUs - Clicking on a Role Name will display all mobile units that are associated with the selected role.
6.4.17.4 Viewing Adaptive AP LAN Statistics
To review Adaptive AP LAN statistics:
1.
3. From the Statistics section select the AAP LAN tab.
4. Refer to the following information as displayed within the AAP LAN tab:
AP MAC Address - Displays the MAC Address of all Adaptive APs.
Inbound: ACL ID - Displays the Inbound ACL ID for each attached Adaptive AP. ACL IDs can be modified in the Edit screen.
Inbound: Hit Count - Displays the number of times each AAP LAN Inbound ACL has been triggered.
3. From the Statistics section select the AAP WLAN tab.
4. Refer to the following information as displayed within the AAP WLAN tab:
ACL ID - Displays the ACL ID for each attached AAP WLAN ACL. ACL IDs can be modified in the Security Policy Edit screen.
Direction - Displays the direction, either Inbound or Outbound, for the AAP WLAN ACL.
Hit Count - Displays the number of times each AAP WLAN ACL has been triggered.
6.5 Configuring NAT Information
Network Address Translation (NAT) provides the translation of an Internet Protocol (IP) address within one network to a different, known IP address within another network. One network is designated as the private network, while the other is public. NAT provides a layer of security by translating private (local) network addresses to one or more public IP addresses.
3. Refer to the following information as displayed within the Dynamic Translation tab.
Type - Displays the NAT type as either:
• Inside - Applies NAT on packets arriving on interfaces marked as inside. These interfaces should be private networks not accessible from outside (public) networks.
• Outside - Applies NAT on packets coming in on interfaces marked as outside. These switch interfaces should be public or outside networks accessible from anywhere on the Internet.
5. Select an existing NAT configuration and click the Delete button to remove it from the list of available configurations.
6. Click the Add button to display a screen to create a new NAT configuration and add it to the list of available configurations. For more information, see Adding a New Dynamic NAT Configuration on page 6-60.
6.5.1.
9. Enter the IP address to be used during NAT in the NAT Address text field.
10. Refer to the Status field for the state of the requests made from the applet. This field displays error messages if something goes wrong in the transaction between the applet and the switch.
11. Click OK to use the changes to the running configuration and close the dialog.
12. Click Cancel to close the dialog without committing updates to the running configuration.
6.5.
3. Refer to the following information as displayed within the Static Translation tab.
Type - Displays the NAT type as either:
• Inside - The set of networks subject to translation. These are the internal addresses you are trying to prevent from being exposed to the outside world.
• Outside - All other addresses. Usually valid addresses located on the Internet. Outside addresses pose no risk if exposed over a publicly accessible network.
3. Click the Add button.
4. Define the NAT Type from the drop-down menu. Options include:
• Inside - The set of networks subject to translation. These are the internal addresses you are trying to prevent from being exposed to the outside world.
• Outside - All other addresses (usually valid addresses located on the Internet). Outside addresses pose no risk if exposed over a publicly accessible network.
5. Define the NAT Direction from the drop-down menu.
6.5.3 Configuring NAT Interfaces
The NAT Interface is the VLAN used to route switch data traffic between the source and destination address locations within the switch-managed network. Any of the default VLANs is available as the NAT interface, in addition to any other VLANs created. In addition to selecting the VLAN, specify the Inside or Outside NAT type.
To view and configure a NAT interface:
1. Select Security > NAT from the main menu tree.
2.
d. Refer to the Status field for the state of the requests made from the applet. This field displays error messages if something goes wrong in the transaction between the applet and the switch.
e. Click OK to use the changes to the running configuration and close the dialog.
f. Click Cancel to close the dialog without committing updates to the running configuration.
6.5.4 Viewing NAT Status
Use the Status tab to review the NAT translations configured thus far for the switch.
6.6 Configuring IKE Settings
IKE (also known as ISAKMP) is the negotiation protocol enabling two hosts to agree on how to build an IPSec security association. To configure the security appliance for virtual private networks, set global IKE parameters that apply system wide and define the IKE policies that peers negotiate to establish a VPN tunnel. The IKE protocol is an IPSec standard protocol used to ensure security for VPN negotiation, and remote host or network access.
2. Click the Configurations tab. During IKE negotiations, peers must identify themselves to one another. Thus, the configuration you define is the identification medium for device recognition.
3. Set a Keep Alive interval (in seconds) the switch uses for monitoring the continued presence of a peer and reporting the client's continued presence. The client notifies you when the peer is no longer present. The default interval is 10 seconds.
4.
9. If the properties of an existing peer IP address and key are no longer relevant and cannot be edited, click the Add button to create a new pre-shared key.
a.
2. Click the IKE Policies tab.
3. Refer to the values displayed within the IKE Policies tab to determine if an existing policy requires revision, removal or a new policy requires creation.
Sequence Number - Displays the sequence number for the IKE policy. The available range is from 1 to 10,000, with 1 being the highest priority value.
Encryption - Displays the encryption method protecting data transmitted between peers. Options include:
• DES - 56-bit DES-CBC. The default value.
SA Lifetime - Displays an integer for the SA lifetime. With longer lifetimes, security defines future IPSec security associations quickly. Encryption strength is great enough to ensure security without using fast rekey times. Motorola recommends using the default value.
DH Group - Displays the Diffie-Hellman (DH) group identifier. IPSec peers use the defined value to derive a shared secret without transmitting it to one another.
a. Configure a set of attributes for the new IKE policy:
Sequence Number - Define the sequence number for the IKE policy. The available range is from 1 to 10,000 with 1 being the highest priority value.
Encryption - Set the encryption method used to protect the data transmitted between peers. Options include:
• DES - 56-bit DES-CBC. The default value.
• 3DES - 168-bit Triple DES.
• AES - 128-bit AES.
• AES 192 - 192-bit AES.
• AES 256 - 256-bit AES.
2. Click the SA Statistics tab.
3. Refer to the information displayed within SA Statistics tab to discern the following:
Index - Displays the alpha-numeric name (index) used to identify individual SAs.
Phase 1 done - Displays whether this index is completed with the phase 1 (authentication) credential exchanged between peers.
Created Date - Displays the exact date the SA was configured for each index displayed.
6.7 Configuring IPSec VPN
Use IPSec Virtual Private Network (VPN) to define secure tunnels between two peers. Configure which packets are sensitive and should be sent through secure tunnels, and what should be used to protect these sensitive packets. Once configured, an IPSec peer creates a secure tunnel and sends the packet through the tunnel to the remote peer. IPSec tunnels are sets of security associations (SA) established between two peers.
• Create Crypto Map entries
When IKE is used to establish security associations, the IPSec peers can negotiate the settings they use for the new security associations. Therefore, specify lists (such as lists of acceptable transforms) within the Crypto Map entry.
• Apply Crypto Map sets to Interfaces
Assign a Crypto Map set to each interface through which IPSec traffic flows. The security appliance supports IPSec on all interfaces.
2. Click the Configuration tab.
3. Refer to the Configuration field to define the following:
SA Lifetime (secs) - For IKE based security associations, define a SA Lifetime (in seconds) forcing the periodic expiration and re-negotiation of peer credentials, thus continually validating the peer relationship. The default value is 3600 seconds.
ESP Encryption Scheme - Displays the ESP Encryption Transform used with the index. Options include:
• None - No ESP encryption is used with the transform set.
• ESP-DES - ESP with the 56-bit DES encryption algorithm.
• ESP-3DES - ESP with 3DES, ESP with AES.
• ESP-AES - ESP with 3DES, ESP with AES (128 bit key).
• ESP-AES 192 - ESP with 3DES, ESP with AES (192 bit key).
4. Revise the following information as required to render the existing transform set useful.
Name - The name is read-only and cannot be modified unless a new transform set is created.
AH Authentication Scheme - Select the Use AH checkbox (if necessary) to modify the AH Transform Authentication scheme. Options include:
• None - No AH authentication is used.
• AH-MD5-HMAC - AH with the MD5 (HMAC variant) authentication algorithm.
3. Click the Add button.
4. Define the following information as required for the new transform set.
Name - Create a name describing this new transform set.
AH Authentication Scheme - Select the Use AH checkbox to define the AH Transform Authentication scheme. Options include:
• None - No AH authentication is used.
• AH-MD5-HMAC - AH with the MD5 (HMAC variant) authentication algorithm.
• AH-SHA-HMAC - AH with the SHA (HMAC variant) authentication algorithm.
6.7.2 Defining the IPSec VPN Remote Configuration
Use the IPSec VPN Remote tab to configure the DNS and/or WINS Servers used to route packets to the remote end of the IPSec VPN tunnel. The Remote tab is also used for defining the IP address range used within the IPSec VPN tunnel and configuring the authentication scheme for user permissions within the IPSec VPN tunnel.
To define the IPSec VPN’s remote configuration:
1. Select Security > IPSec VPN from the main menu tree.
2.
Starting IP Address - Enter the numerical IP address used as the starting address for the range defined. If the Ending IP address is left blank, only the starting address is used for the remote destination.
Ending IP Address - Enter a numerical IP address to complete the range. If the Ending IP address is blank, only the starting address is used as the destination address.
5.
2. Select the Authentication tab.
3. Define whether IPSec VPN user authentication is conducted using a Radius Server (by selecting the Radius radio button), by a user-defined set of names and passwords (by selecting the User Table radio button) or if no authentication is used for credential verification (by selecting the No Authentication radio button).
4. Enter a NAS ID for the NAS port.
8. If a new Radius Server needs to be configured, click the Add button. Set this server’s designation as a primary or secondary Radius Server (using the checkboxes), define the server IP address, port and shared secret password. Click OK when completed to save the changes.
9. If the User Table checkbox was selected from within the Configuration field, select the User Table tab to review the User Name and Passwords defined for use.
10.
2. Click the Crypto Maps tab. The Crypto Maps screen is divided into 5 tabs, each serving a unique function in the overall Crypto Map configuration. Refer to the following:
• Crypto Map Entries
• Crypto Map Peers
• Crypto Map Manual SAs
• Crypto Map Transform Sets
• Crypto Map Interfaces
6.7.4.1 Crypto Map Entries
To review, revise or add Crypto Map entries:
1. Select Security > IPSec VPN from the main menu tree.
2. Click the Crypto Maps tab and select Crypto Map Entries.
3. Review the following Crypto Map attributes to determine if an existing Crypto Map requires revision, deletion or if a new Crypto Map needs to be created.
Priority / Seq - Displays the numerical priority assigned to each Crypto Map.
Name - Displays the user-assigned name for this specific Crypto Map.
6. Click the Add button to define the attributes of a new Crypto Map.
a. Assign a Seq # (sequence number) to distinguish one Crypto Map from another.
b. Assign the Crypto Map a Name to differentiate it from others with similar configurations.
c. Use the None, Domain Name or Host Name radio buttons to select and enter the fully qualified domain name (FQDN) or host name of the host exchanging identity information.
d.
7. Click OK to save the new Crypto Map and display it within the Crypto Map tab.
6.7.4.2 Crypto Map Peers
To review, revise or add Crypto Map peers:
1. Select Security > IPSec VPN from the main menu tree.
2. Click the Crypto Maps tab and select Peers.
3. Refer to the read-only information displayed within the Peers tab to determine whether a peer configuration (among those listed) requires modification or a new peer requires creation.
6. If a new peer requires creation, click the Add button.
a. Define the Seq # /Name for the new peer.
b. Enter the name of the IKE Peer used with the Crypto Map to build an IPSec security association.
7. Click OK to save the configuration of the new Crypto Map peer.
6.7.4.3 Crypto Map Manual SAs
To review, revise or add a Crypto Map using a manually defined security association:
1. Select Security > IPSec VPN from the main menu tree.
2.
IKE Peer - Displays the IKE peer used with the Crypto Map to build an IPSec security association.
ACL ID - Displays the ACL ID the Crypto Map’s data flow uses to establish access permissions.
Transform Set - Displays the transform set representing a combination of security protocols and algorithms. During the security association negotiation, peers agree to use a particular transform set for protecting the data flow.
4.
use the transform set for protecting the data flow. A new manual security association cannot be generated without the selection of a transform set. A default transform set is available (if none are defined).
7. Click OK when completed to save the configuration of the Crypto Map security association.
6.7.4.4 Crypto Map Transform Sets
A transform set is a combination of security protocols and algorithms defining how the switch protects data.
To review, revise or add a Crypto Map transform set:
1. Select Security > IPSec VPN from the main menu tree.
2. Click the Crypto Maps tab and select Transform Sets.
3.
a. Select the Seq #/Name.
b. Enter the name of the Transform set used with the Crypto Map.
7. Click OK when completed to save the configuration of the Crypto Map transform set.
6.7.4.5 Crypto Map Interfaces
To review the interfaces currently available to the Crypto Maps or assign an interface:
NOTE: A Crypto Map cannot be applied to more than one interface at a time. To apply the same Crypto Map settings to multiple interfaces, create a unique Crypto Map for each interface.
1.
6.7.5 Viewing IPSec Security Associations
Refer to the IPSec SAs tab to review the various security associations (SAs) between the local and remote peers comprising an IPSec VPN connection. The IPSec SA tab displays the authentication and encryption schemes used between the VPN peers as well as other device address information.
To display IPSec VPN security associations:
1. Select Security > IPSec VPN from the main menu tree.
2. Click the IPSec SAs tab.
3.
The switch can display a maximum of 600 security associations. To enable a search through the list, the Security > IPSec VPN screen provides a page navigation facility. Up to 30 security associations display per page. The following navigation and pagination options are available:
View All - Displays all SAs in one screen.
View By Page - Use this option to split the list into pages and view them one page at a time.
6.8 Configuring the Radius Server
Remote Authentication Dial-In User Service (Radius) is a client/server protocol and software enabling remote access servers to communicate with the switch to authenticate users and authorize their access to the switch managed network. For an overview on the switch’s Radius deployment, see Radius Overview on page 6-94.
Apart from EAP authentication, the switch allows the enforcement of user-based policies. User-based policies include dynamic VLAN assignment and access based on time of day. The switch uses a default trustpoint. A certificate is required for EAP TTLS, PEAP and TLS Radius authentication (configured with the Radius service). Dynamic VLAN assignment is achieved based on the Radius server response.
6.8.1.3 Access Policy
Access policies are defined for a group created in the local database. Each user is authorized based on the access policies defined for the groups to which the user belongs. Access policies allow the administrator to control access to a set of users based on the WLANs (ESSID). Group to WLAN access is controlled using a “Time of the day” access policy. Consider User1 (part of Group 1), which is mapped to WLAN1 (ESSID of WLAN1).
6.8.3 Defining the Radius Configuration
To configure Radius support on the switch:
1. Select Security > Radius Server from the main menu.
2. Ensure the Configuration tab is selected.
3. Click the Start the RADIUS server link to use the switch’s own Radius server to authenticate users accessing the switch managed network. Again, this is recommended as the secondary means of authenticating users.
4.
6.8.3.1 Radius Client Configuration
A Radius client implements a client/server mechanism enabling the switch to communicate with a central server to authenticate users and authorize access to the switch managed network. A Radius client is often an embedded device since it alleviates the need to store detailed user information locally.
To configure Radius client support:
1. Select Security > Radius Server from the main menu.
2.
2. Ensure the Configuration tab is selected.
3. Select the Proxy Servers tab from the bottom of the Configuration tab. The Proxy Servers tab displays the user ID suffix (index), IP address and port number of the switch’s existing proxy server configurations.
4. To remove an existing Radius proxy server configuration from the table of configurations available to the switch, select the configuration and click the Delete button.
5.
2. Select the Authentication tab.
3. Refer to the Authentication field to define the following Radius authentication information:
EAP and Auth Type - Specify the EAP type for the Radius server.
• PEAP uses a TLS layer on top of EAP as a carrier for other EAP modules. PEAP is an ideal choice for networks using legacy EAP authentication methods.
Cert Trustpoint - Click the View/Change button to specify the trustpoint from which the Radius server automatically grants certificate enrollment requests. A trustpoint is a representation of a CA or identity pair. A trustpoint contains the identity of the CA, CA-specific configuration parameters, and an association with one enrolled identity certificate. If the server certificate trustpoint is not used, the default trustpoint is used instead.
Domain Admin Password - Enter the Administrator User password.
LDAP Agent Retry Timeout - Defines the time interval after which the LDAP Agent tries to reconnect with the LDAP server if the previous join attempt failed.
LDAP Server Dead Period - The period, in seconds, for which the RADIUS server does not attempt any connection with the LDAP server after the LDAP server was found to be unavailable.
3. Refer to the following to assess whether an existing user can be used with the local Radius server as is, requires modification or if a new user is required.
User ID - Displays the username for this specific user. The name assigned should reflect the user’s identity and perhaps their status within the switch managed network (guest versus secure user).
Access Duration - Defines the authentication period set by the user. Check this option to enter a user-defined interval in the text field.
NOTE: It is strongly recommended to set “Hotspot Simultaneous Users” to “1” in the Hotspot page while using the Guest User option. This denies authentication to the second MU when it uses a login already in use.
2. Select the Groups tab.
3. Refer to the user groups listed to review the following read-only attributes for each group:
Name - Displays the unique name assigned to each group. The group name should be indicative of the user population within the group and their shared activity within the switch managed network.
This value is read-only within the Groups tab. Click Edit to modify the access assignments of an existing group or click Add to create a new group with unique access assignments.
6. To modify the attributes of an existing group, select the group from the list of groups displayed and click the Edit button. Modify the existing group’s guest designation, VLAN ID, access period and WLAN assignment.
7.
Time of Access Start - Set the time the group is authenticated to interoperate. Each user within the group is authenticated with the local Radius server. Those group members successfully authenticated are allowed access to the switch using the restrictions defined for the group.
Time of Access End - Set the time each group’s user base will lose access privileges within the switch managed network.
2. Select the Accounting Logs tab.
3. Refer to the following information as displayed within the Accounting Logs tab.
Filename - Displays the name of each accounting log file. Use this information to differentiate files with similar attributes.
Type - Displays the type of each file.
Size - Displays the size of the file.
NOTE: An explicit purge operation is not supported; the accounting logs are purged automatically once they reach their limit.
6.
The Server Certificates screen displays two tabs supporting the following:
• Using Trustpoints to Configure Certificates
• Configuring Trustpoint Associated Keys
6.9.1 Using Trustpoints to Configure Certificates
Each certificate is digitally signed by a trustpoint. The trustpoint signing the certificate can be a certificate authority, corporation or individual.
Common Name (CN) - If there is a common name (IP address) for the organizational unit making the certificate request, it displays here.
Issued By
Country (C) - Displays the country of the certificate issuer.
State (ST) - Displays the state or province for the country the certificate was issued.
City (L) - Displays the city representing the state/province and country from which the certificate was issued.
3. Use this wizard for:
• Creating a new self-signed certificate or certificate request
• Uploading an external certificate
• Delete Operations
4. Select the Create new certificate radio button to generate a new self-signed certificate or prepare a certificate request which can be sent to a Certificate Authority (CA). For more information, see Using the Wizard to Create a New Certificate on page 6-111.
5.
certificate request. Once the values of the certificate are defined, the user can configure and enroll the trustpoint. Select a trustpoint for the new certificate.
• Use existing trustpoint - Select an existing trustpoint from the drop-down menu.
• Create a new trustpoint - Provide a name for the new trustpoint in the space provided.
If generating a new self-signed certificate (as selected in page 2 of the wizard), the wizard continues the installation. Use the third page of the wizard to enter a unique trustpoint name and other credentials required to create the new certificate.
3. Select the Configure the trustpoint checkbox to enable the new self-signed certificate configured as a trustpoint.
4.
Email Address - Provide an email address used as the contact address for issues relating to this certificate request.
FQDN - Enter a fully qualified domain name (FQDN). An FQDN is an unambiguous domain name that specifies the node's position in the DNS tree hierarchy absolutely. To distinguish an FQDN from a regular domain name, a trailing period is added. ex: somehost.example.com.
If you selected to prepare a certificate request in page 2, the wizard continues, prompting the user for the required information to complete the certificate request. Click Next to continue.
9. Check the Copy the certificate request to clipboard option to add the contents of the certificate request to the clipboard which can then be copied to other locations.
10. Check the Save the certificate request option to save the certificate request to an external server.
Using the Wizard Delete Operation
The wizard can also be used to delete entire trustpoints, the certificate used with a trustpoint or the CA root certificate used with a trustpoint. Delete trustpoint properties as they become obsolete or the properties of a certificate are no longer relevant to the operation of the switch.
To use the wizard to delete trustpoint properties:
1. Select the Delete Operations radio button and click the Next button.
2. Select and use the Delete trustpoint and all certificates inside it drop-down menu to define the target trustpoint for removal.
3. Select and use the Remove certificates from this trustpoint drop-down menu to define the trustpoint that will have either its Server Certificate or CA Root Certificate removed.
4. Click the Next button to proceed and complete the trustpoint removal.
6.9.
6.9.2.1 Adding a New Key
If none of the keys listed within the Keys tab are suitable for use with a certificate, consider creating a new key pair.
1. Select Security > Server Certificates from the main menu tree.
2. Select the Keys tab.
3. Click the Add button at the bottom of the screen.
4. Enter a Key Label in the space provided to specify a name for the new key pair.
5. Define the Key Size between 1024 and 2048 bytes.
6.
The drop-down menu contains the log files listed within the Server Certificate screen.
6. Use the To drop-down menu to define whether the target log file is to be sent to the system's local disk (Local Disk) or to an external server (Server).
7. Provide the name of the file to be transferred to the location specified within the Target field.
8. Use the Using drop-down menu to configure whether the log file transfer is sent using FTP or TFTP.
9.
When enabling an Enhanced Beacon, the switch allows adopted Access Ports to periodically scan for rogue APs on different channels without disassociating MUs. The beacons collected in the scan are passed on to the switch so required information is gathered to locate a particular rogue AP. Refer to Editing AP Settings on page 4-97 to enable an AP to forward beacons and association information for AP radios to detect a rogue.
5. Use the Scan Time value to enter the duration of the scan. The radio scans each channel for the defined interval. The default value is 100 milliseconds.
6. Define a Max Number of APs value to set the number of detected APs displayed in the Beacon Found table. The available range is from 0 to 512.
7. Refer to 802.11a Channel Set field to select channels for the 802.11a transmission band. The channel information is provided to the switch, which then makes an 802.
9. Click Apply to save changes to the screen. Navigating away from the screen without clicking the Apply button results in changes being discarded.
10. Click the Revert button to undo the changes to the screen and revert to the last saved configuration.
6.10.2 Configuring the Probe Table
Define enhanced probes to detect rogue MUs within the network. An AP300 transmits beacons and the MUs send a probe request to the AP for association.
9. 802.11a Radios: Click the Enable All button to allow an AP’s 802.11a radio to receive MU probe requests and forward them to the switch.
10. 802.11a Radios: Click the Disable button to stop AP’s 802.11a radios from forwarding MU probe requests to the switch.
11. 802.11bg Radios: Click the Enable button to allow the AP’s 802.11bg radios to receive MU probe requests and forward them to the switch.
12. 802.11bg Radios: Click the Disable button to stop AP’s 802.
Signal Strength (dBm) - Displays the signal strength when the unadopted AP was detected.
Heard Channel - Displays the channel frequency when the unadopted AP was detected.
Heard Time - Displays the time when the unadopted AP was detected.
4. Select the Clear Report button to clear the statistic counters and begin a new data calculation.
6.10.4 Reviewing Found Probes
Refer to the Probes Found tab to view the enhanced Probe report created by the switch.
Switch Management
This chapter describes the Management Access main menu items used to configure the switch. This chapter consists of the following switch management activities:
• Displaying the Management Access Interface
• Configuring Access Control
• Configuring SNMP Access
• Message Parameters
• Configuring SNMP Trap Receivers
• Configuring Management Users
NOTE: HTTPS must be enabled to access the switch applet.
To display the main Management screen:
1. Select Management Access from the main menu tree.
2. Refer to the Current Status field to review the following read-only information:
Firmware In Use - The Firmware In Use value displays the software version currently running on the switch. Use this information to assess whether a firmware update would improve the switch feature set and functionality.
1. Select Management Access > Access Control from the main menu tree.
2. Refer to the Management Settings field to enable or disable the following switch interfaces:
Secure Management (on Management VLAN only) - Select this checkbox to allow management VLAN access to switch resources. The management VLAN is used to establish an IP connection to the switch from a workstation connected to a port in the VLAN.
HTTPS Trustpoint - Use the Trustpoint drop-down menu to select the local or default trustpoint used with a HTTPS session with the switch. For information on creating a new certificate, see Creating Server Certificates on page 6-108.
Enable FTP - Select this checkbox to enable FTP access to the switch. File Transfer Protocol (FTP) is the language used for file transfers across the Web. This setting is disabled by default.
NOTE: The SNMP facility cannot retrieve a configuration file directly from its SNMP interface. First deposit the configuration file to a computer, then FTP the file to the switch.
NOTE: When accessing the switch via an SNMP client, ensure that UDP traffic is allowed on port 161 for the network being used for the switch and the SNMP client.
7.3.1 Configuring SNMP v1/v2 Access
SNMP version 2 (SNMPv2) is an evolution of SNMPv1.
2. Refer to the Community Name and Access Control parameters for the following information:
Community Name - Displays the read-only or read-write name used to associate a site-appropriate name for the community. The name is required to match the name used within the remote network management software. Click the Edit button to modify an existing Community Name. The string length is <0-11>.
based Access Control Model (VACM) for access control. The architecture supports the concurrent use of different security, access control, and message processing techniques. Refer to the v3 screen to review the current SNMP v3 configuration. An Existing User Name can be selected and edited, enabled or disabled.
NOTE: The SNMP undo feature is not supported in this product.
To review existing SNMP v3 definitions:
1. Select Management Access > SNMP Access from the main menu tree.
2.
4. Highlight an existing v3 entry and click the Edit button to modify the password for the Auth Protocol and Priv Protocol. For additional information, see Editing an Existing SNMP v1/v2 Community Name on page 7-6.
5. Highlight an existing SNMP v3 User Name and click the Enable button to enable the log-in for the specified user. When selected, the status of the user is defined as active.
6.
To edit an SNMP v3 user profile:
1. Select Management Access > SNMP Access from the main menu tree.
2. Select the Statistics tab from within the SNMP Access screen.
3. Refer to the following read-only statistics displayed within the SNMP Access Statistics screen:
V2/V3 Metrics - Displays the individual SNMP Access events capable of having a value tracked for them.
7.3.4 Message Parameters
To view Message Parameters:
1. Select Management Access > SNMP Access from the main menu tree.
2. Select the Message Parameters tab from within the SNMP Access screen.
3. Refer to the following parameters displayed within the Message Parameters screen.
Retries - Displays the number of retries permitted.
Timeout - Displays the timeout in seconds.
Rows per Request - Displays the number of rows per request.
4.
7.4.1 Enabling Trap Configuration
If unsure whether to enable a specific trap, select it and view a brief description that may help your decision. Use Expand all items to expand each trap category and view all the traps that can be enabled. Traps can be enabled either by group or as individual traps within each parent category.
To configure SNMP trap definitions:
1. Select Management Access > SNMP Trap Configuration from the main menu tree.
2.
Mobility - Displays a list of sub-items (trap options) specific to the Mobility configuration option. Select an individual trap within this subsection and click the Enable button to enable this specific trap or highlight the Mobility trap family parent item and click Enable all sub-items to enable all traps within the Mobility category.
DHCP - Displays a list of sub-items (trap options) specific to the DHCP configuration option.
7.4.1.1 Configuring E-mail Notifications
To enable e-mail notification:
1. Select Management Access > SNMP Trap Configuration from the main menu tree.
2. Click the Email Configuration button to launch a dialogue where you can configure outgoing E-mail servers and addresses for alerts.
3. Check the Enable SMTP box to enable the outgoing mail server on the switch. In order to use E-mail notification on the switch, this box must be checked.
4. Configure the mail-to section of the page as follows:
To Address(es) - Specify the e-mail address or addresses that notifications will be sent to. To add an e-mail address to the list, enter the e-mail address in the To Address(es) field and click the Add button. There is a maximum of 4 e-mail addresses allowed on the list.
Add - Click the Add button to add an e-mail address that is in the To Address(es) field to the list below.
3. Refer to the following information for threshold descriptions, conditions, editable threshold values and units of measurement.
Threshold Name (Description) - Displays the target metric for the data displayed to the right of the item. It defines a performance criterion used as a target for trap configuration.
Threshold Conditions - Displays the criteria used for generating a trap for the specific event.
6. Click the Apply button to save changes made to the screen since the last saved configuration.
7. Click the Revert button to revert the screen back to its last saved configuration. Changes made since the contents of the screen were last applied are discarded.
7.4.2.1 Wireless Trap Threshold Values
The table below lists the Wireless Trap threshold values for the switch:
# | Threshold Name | Condition | Station Range | Radio Range | WLAN Range | Wireless Service Range | Units
1 | Packets per Second | Greater than | A decimal number greater than 0.00 and less than or equal to 100000.00 | A decimal number greater than 0.00 and less than or equal to 100000.00 | A decimal number greater than 0.00 and less than or equal to 100000.
7.5 Configuring SNMP Trap Receivers
Refer to the Trap Receivers screen to review the attributes of existing SNMP trap receivers (including destination address, port, community and trap version). A new v2c or v3 trap receiver can be added to the existing list by clicking the Add button.
To configure the attributes of SNMP trap receivers:
1. Select Management Access > SNMP Trap Receivers from the main menu tree.
2.
5. Click the Add button to display a sub-screen used to assign a new Trap Receiver IP Address, Port Number and v2c or v3 designation to the new trap. Add trap receivers as needed if the existing trap receiver information is insufficient. For more information, see Adding SNMP Trap Receivers on page 7-19.
7.5.1 Editing SNMP Trap Receivers
Use the Edit screen to modify the trap receiver’s IP Address, Port Number and v2c or v3 designation.
2. Click the Add button at the bottom of the screen.
3. Create a new (non DNS name) destination IP address for the new trap receiver to be used for receiving the traps sent by the SNMP agent.
4. Define a Port Number for the trap receiver.
5. Use the Protocol Options drop-down menu to specify the trap receiver as either an SNMP v2c or v3 receiver.
6. Click OK to save and add the changes to the running configuration and close the dialog.
7.
7.6 Configuring Management Users
Refer to the Users screen to view the administrative privileges assigned to different switch users. You can modify the roles and access modes assigned to each user. The Users screen also allows you to configure the authentication methods used by the switch.
4. Click the Edit button to modify the associated roles and access modes of the selected user. By default, the switch has two default users – Admin and Operator. Admin’s role is that of a superuser and Operator’s role is that of a monitor (read only).
5. Click the Add button to add and assign rights to a new user.
6. Click the Delete button to delete the selected user from the Users frame.
7.6.1.
Network Administrator - The Network Administrator has privileges to configure all wired and wireless parameters like IP config, VLANs, Layer 2/Layer 3 security, WLANs, radios, IDS and hotspot.
System Administrator - Select System Administrator to allow the user to configure general settings like NTP, boot parameters, licenses, perform image upgrade, auto install, manager redundancy/clustering and control access.
4. Enter the new authentication password for the user in the Password field and reconfirm within the Confirm Password field.
5. Select the user role from the options provided in the Associated Roles field. Select one or more of the following options:
Monitor - If necessary, modify user permissions without any administrative rights. The Monitor option provides read-only permissions.
7. Refer to the Status field for an indication of any problems that may have arisen. The Status is the current state of the requests made from the applet. This field displays error messages if something goes wrong in the transaction between the applet and the switch.
8. Click OK to complete the modification of the user’s privileges.
9. Click Cancel to revert back to the last saved configuration without saving any of your changes.
7.6.1.3 Creating a Guest Admin and Guest User
Optionally, create a guest administrator for creating guest users with specific usernames, start and expiry times and passwords. Each guest user can be assigned access to specific user groups to ensure they are limited to just the group information they need, and nothing additional.
NOTE: A guest user added from the switch Web UI will be 5 minutes ahead of the switch's current time.
To create a guest administrator:
1.
7.6.2 Configuring Switch Authentication
The switch provides the capability to proxy authenticate requests to a remote Radius server. Refer to the Authentication tab to view and configure the Radius Server used by the local user to log into the switch.
NOTE: The Radius configuration described in this section is independent of other Radius Server configuration activities performed using other parts of the switch.
1. Select Management Access > Users from the main menu tree.
2.
6. Refer to the bottom half of the Authentication screen to view the Radius Servers configured for switch authentication. The servers are listed in order of their priority.
Index - Displays a numerical Index for the Radius Server to help distinguish this Radius Server from other servers with a similar configuration. The maximum number that can be assigned is 32.
IP Address - Displays the IP address of the external Radius server.
3. Select an existing Radius Server from those listed and click the Edit button at the bottom of the screen.
4. Modify the following Radius Server attributes as necessary:
Radius Server Index - Displays the read-only numerical Index value for the Radius Server to help distinguish this server from other servers with a similar configuration (if necessary). The maximum number that can be assigned is 32.
1. Select Management Access > Users from the main menu tree. The Users screen displays.
2. Select the Authentication tab.
3. Click the Add button at the bottom of the screen.
4. Configure the following Radius Server attributes:
Radius Server IP Address - Provide the IP address of the external Radius server. Ensure this address is a valid IP address and not a DNS name.
Radius Server Port - Enter the TCP/IP port number for the Radius Server.
Vendor ID
The Motorola vendor ID is 388.
Radius VSAs
There are two Radius VSAs used for management user authentication.
VSA Name: Symbol-Service-Type
Attribute Number: 1
Type: Integer (Decimal)
Values:
• Monitor Role: Value is 1 (read-only access to the switch)
• Helpdesk Role: Value is 2 (helpdesk/support access to the switch)
• Nwadmin Role: Value is 4 (all wired and wireless access to the switch)
• Sysadmin Role: Value is 8.
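The following Python code is an added example, not part of the guide or of the switch software. It decodes the Symbol-Service-Type VSA described above from the attribute section of a Radius Access-Accept, so that role grants returned by the Radius server can be reviewed. The attribute layout follows RFC 2865; the function names and the sample bytes are constructed for illustration, and only the four role values listed above are mapped.

```python
import struct

MOTOROLA_VENDOR_ID = 388      # vendor ID stated in the guide
SYMBOL_SERVICE_TYPE = 1       # VSA attribute number stated in the guide
VENDOR_SPECIFIC = 26          # RFC 2865 Vendor-Specific attribute type

# Only the values listed in the guide; anything else is reported as "unlisted".
ROLES = {1: "Monitor", 2: "Helpdesk", 4: "Nwadmin", 8: "Sysadmin"}


def iter_attributes(data: bytes):
    """Yield (type, value) for each type/length/value entry.

    The same one-byte type, one-byte length layout is used for top-level
    Radius attributes and for the sub-attributes inside a VSA (RFC 2865).
    The length byte counts the two header bytes as well as the value.
    """
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        a_type, a_len = data[pos], data[pos + 1]
        if a_len < 2 or pos + a_len > len(data):
            raise ValueError(f"bad attribute length {a_len} at offset {pos}")
        yield a_type, data[pos + 2:pos + a_len]
        pos += a_len


def management_roles(attrs: bytes):
    """Return [(value, role name)] for every Symbol-Service-Type VSA found."""
    found = []
    for a_type, value in iter_attributes(attrs):
        if a_type != VENDOR_SPECIFIC or len(value) < 4:
            continue
        (vendor_id,) = struct.unpack("!I", value[:4])
        if vendor_id != MOTOROLA_VENDOR_ID:
            continue          # VSA from another vendor: not a switch role
        for v_type, v_data in iter_attributes(value[4:]):
            if v_type != SYMBOL_SERVICE_TYPE:
                continue
            if len(v_data) != 4:
                raise ValueError("Symbol-Service-Type is not a 4-byte integer")
            (role,) = struct.unpack("!I", v_data)
            found.append((role, ROLES.get(role, "unlisted")))
    return found


def unexpected_grants(attrs: bytes, allowed):
    """Return the role grants whose name is not in the allowed set."""
    return [(v, n) for v, n in management_roles(attrs) if n not in allowed]


def build_vsa(vendor_id: int, v_type: int, int_value: int) -> bytes:
    """Build one Vendor-Specific attribute carrying a 32-bit integer."""
    body = struct.pack("!IBBI", vendor_id, v_type, 6, int_value)
    return bytes([VENDOR_SPECIFIC, 2 + len(body)]) + body


# Constructed sample: a Reply-Message, a Sysadmin grant, a VSA from an
# unrelated vendor ID (ignored), and a Helpdesk grant.
SAMPLE_ATTRS = (
    bytes([18, 4]) + b"ok"
    + build_vsa(MOTOROLA_VENDOR_ID, SYMBOL_SERVICE_TYPE, 8)
    + build_vsa(9, 1, 1)
    + build_vsa(MOTOROLA_VENDOR_ID, SYMBOL_SERVICE_TYPE, 2)
)

if __name__ == "__main__":
    print(management_roles(SAMPLE_ATTRS))
    print(unexpected_grants(SAMPLE_ATTRS, {"Monitor", "Helpdesk"}))
```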
Diagnostics
This chapter describes the various diagnostic features available for monitoring switch performance. This chapter consists of the following switch diagnostic activities:
• Displaying the Main Diagnostic Interface
• Configuring System Logging
• Reviewing Core Snapshots
• Reviewing Panic Snapshots
• Debugging the Applet
• Configuring a Ping
NOTE: HTTPS must be enabled to access the switch applet. Ensure HTTPS access has been enabled before using the login screen to access the switch applet.
NOTE: When the switch’s configuration is successfully updated (using the Web UI), the affected screen is closed without informing the user their change was successful. However, if an error were to occur, the error displays within the affected screen’s Status field and the screen remains displayed.
5. Use the Temperature Sensors field to monitor the CPU and system temperatures. This information is extremely useful in assessing if the switch exceeds its critical limits.
SWITCH NOTE: An RF7000 Series Switch has six sensors.
6. Refer to the Fans field to monitor the CPU and system fan speeds.
7. Click the Apply button to commit and apply the changes.
8. Click the Revert button to revert back to the last saved configuration.
8.1.
7. Click the Revert button to revert back to the last saved configuration.
8.1.3 Switch Memory Allocation
Use the Memory tab to periodically assess the switch’s memory load.
1. Select Diagnostics from the main tree menu.
2. Select the Memory tab. The Memory tab is partitioned into the following two fields:
• RAM
• Buffer
3. Refer to the RAM field to view the percentage of CPU memory in use (in a pie chart format).
4.
1. Select Diagnostics from the main tree menu.
2. Select the Disk tab.
3. The Disk tab displays the status of the switch flash, nvram, and system disk resources. Each field displays the following:
• Free Space Limit
• Free INodes
• Free INode Limit
4. Define the Free Space Limit variable carefully, as disk space may be required during periods of high bandwidth traffic and file transfers.
5. Click the Apply button to commit and apply the changes.
6.
2. Select the Processes tab.
3. The Processes tab has 2 fields:
• General
• Processes by highest memory consumption
4. Refer to the General field to review the number of processes in use and percentage of memory usage per process. The value defined is the maximum limit per process during periods of increased network activity and is negotiated amongst the other processes as needed during normal periods of switch activity.
5.
2. Select the Other Resources tab. Keep the Cache allocation in line with cache expectations required within the switch managed network.
3. Define the maximum limit for each resource accordingly as you expect these resources to be utilized within the switch managed network.
4. Click the Apply button to commit and apply any changes to any resource's maximum limit.
5. Click the Revert button to revert back to the last saved configuration.
8.
2. Select the Log Options tab.
3. Select the Enable Logging Module checkbox to enable the switch to log system events to a user defined log file or a syslog server.
4. Select the Enable Logging to Buffer checkbox to enable the switch to log system events to a buffer. The log levels are categorized by their severity. The default level is 3 (errors detected by the switch).
8. Click Apply to save the changes made to the screen. This will overwrite the previous configuration.
9. Click the Revert button to move the display back to the last saved configuration.
8.2.2 File Management
Use the File Mgt tab to view existing system logs. Select a file to display its details in the Preview field. Click the View button to display the file’s entire contents. Once viewed, the user has the option of clearing the file or transferring the file to a user-defined location.
5. Highlight a file from the list of log files available within the File Mgt tab and click the View button to display a detailed description of the entire contents of the log file. To view the entire content of an individual log file, see Viewing the Entire Contents of Individual Log Files on page 8-10.
6. Click the Clear Buffer button to remove the contents of the File Mgt tab.
3. Select an individual log file whose properties you wish to display in detail and click the View button.
4. Refer to the following for information on the elements that can be viewed within a log file:
Timestamp - Displays the date, year and time of day the log file was initially created. This value only states the time the file was initiated, not the time it was modified or appended.
Module - Displays the name of the switch logging the target event.
Mnemonic - Use the Mnemonic as a text version of the severity code information. A mnemonic is a convention for the classification, organization, storage and recollection of switch information.
Description - Displays a high-level overview of the event, and (when applicable) message type, error or completion codes for further clarification of the event. Use this information for troubleshooting or for data collection.
5.
10. If Server has been selected as the source, enter the User ID credentials required to send the log file to the target location.
11. If Server has been selected as the source, use the Password parameter to enter the password required to send the log file to the target location.
12. Specify the appropriate Path name to the target directory on the local system disk or server as configured using the To parameter. If the local disk is selected, a browse button is available.
13.
Size (Bytes) - Displays the size of the core file in bytes.
Created - Displays the date and time the core file was generated. This information may be useful in troubleshooting issues.
3. Select a target file and click the Delete button to remove the selected file. This option is not recommended until the severity of the core snapshot has been assessed.
4.
11. Specify the appropriate Path to the target directory on the local system disk or server as configured using the To parameter. If the local disk option is selected, use the browse button to specify the location on the local disk.
12. Refer to the Status field for the current state of the requests made from the applet. This field displays error messages if something goes wrong in the transaction between the applet and the switch.
13.
Size - Displays the size of the panic file in bytes.
Created - Displays the date and time the panic file was created. The panic file is created after the system reboots, however the panic information within the file contains the date and time the panic actually occurred.
3. Refer to the Preview field for panic information in ASCII text. When a panic file is selected, the corresponding text is displayed in the preview screen and the name of the file displays.
2. Select a record from those available and click the Transfer button.
3. Use the From drop-down menu to specify the location from which the file is sent. If only the applet is available as a transfer location, use the default switch option.
4. Select a file for the file transfer from the File drop-down menu. The drop-down menu contains the panic files listed within the File-Mgmt screen.
5.
8.5 Debugging the Applet
Refer to the Applet Debugging screen to debug the applet. This screen allows you to view and debug system events by a criticality level you define.
1. Select Diagnostics > Applet Debugging from the main menu.
2. To use this window, select the Enable Web-UI Debug Mode checkbox.
• None - no impact.
6. Select the message deployed when a bug is raised. The What Kind of message should be seen field allows you to select a range of parameters for returned messages while debugging. Move your mouse pointer over a message checkbox for a message description.
a. Click the Advanced button to display the entire list of message categories when bugs are raised. Select the checkboxes corresponding to the message types you would like to receive.
2. Refer to the following information displayed within the Configuration tab:
Description - Displays the user assigned description of the ping test. The name is read-only. Use this title to determine whether this test can be used as is or if a new ping test is required.
Destination IP - Displays the IP address of the target device. This is the numeric destination of the device to which the ping packets are sent.
3. Modify the following information (as needed) to edit the existing ping test:
Description - If necessary, modify the description for the ping test. Ensure this description is representative of the test, as this is the description displaying within the Configuration tab.
Destination IP - If necessary, modify the IP address of the target device. This is the numeric (non DNS address) destination of the device to which the ping packets are transmitted.
No.
3. Enter the following information to define the properties of the new ping test:
Test Name - Enter a short name for the ping test to describe either the target destination of the ping packet or the ping test’s expected result. Use the name provided in combination with the ping test description to convey the overall function of the test.
2. Select the Statistics tab.
3. Refer to the following content within the Statistics tab to assess the connection with the target device:
Destination IP - Displays the numeric (non DNS address) destination of the device to which the ping packets are transmitted.
Packets Sent - Displays the number of packets transmitted to the target device IP address. Compare this value with the number of packets received to assess the connection quality with the target device.
Appendix A Customer Support
A.1 Motorola’s Enterprise Mobility Support Center
If you have a problem with your equipment, contact Enterprise Mobility support for your region. Contact information is available by visiting http://www.motorola.com/Business/US-EN/Support and after selecting your region, click on the appropriate link under Support for Business.
A.3.1 Outdoor SKU Support for AP650
AP650-OUS is the new hardware SKU introduced on AP650 for outdoor placements in the US. If the AP model is an outdoor SKU, you can specify the placement to be either Indoor or Outdoor. Channels are allowed based on this configuration. If the AP is an indoor SKU (AP650-US), it can only be used indoors.
For Outdoor SKU: You can select either Indoor or Outdoor from the drop-down menu.
Appendix B Adaptive AP
B.1 Adaptive AP Overview
An adaptive AP (AAP) is an AP-5131 Access Point that can adopt like an AP300 (Layer 3). The management of an AAP is conducted by the switch, once the Access Point connects to a Motorola RFS6000 or RFS7000 model switch and receives its AAP configuration. An AAP provides:
• local 802.
• Adaptive AP Management
• Types of Adaptive APs
• Licensing
• Switch Discovery
• Securing a Configuration Channel Between Switch and AP
• Adaptive AP WLAN Topology
• Configuration Updates
• Securing Data Tunnels between the Switch and AAP
• Adaptive AP Switch Failure
• Remote Site Survivability (RSS)
• Adaptive Mesh Support
For an understanding of how AAP support should be configured for the Access Point and its connected switch, see How the AP Receives its Ad
These dependent mode AP configurations are a software variant of the AP-5131 and will be functional only after the Access Point is adopted by a wireless switch. After adoption, the dependent mode AP receives its configuration from the switch and starts functioning like other adaptive Access Points. For ongoing operation, the dependent mode AP-5131 needs to maintain connectivity with the switch.
** The AP-5131 uses an encryption key to hash passphrases and security keys. To obtain the encryption passphrase, configure an AP-5131 with the passphrase and export the configuration file.
B.1.5.2 Manual Adoption Configuration
A manual switch adoption of an AAP can be conducted using:
• Static FQDN - A switch fully qualified domain name can be specified to perform a DNS lookup and switch discovery.
• Independent WLANs - Independent WLANs are local to an AAP and can be configured from the switch. You must specify a WLAN as independent to stop traffic from being forwarded to the switch. Independent WLANs behave like WLANs on a standalone Access Point.
• Both - Extended and independent WLANs are configured from the switch and operate simultaneously.
B.1.11 Remote Site Survivability (RSS)
RSS can be used to turn off RF activity on an AAP if it loses adoption (connection) to the switch.
3. Configure the client bridge back haul WLAN, base bridge and client bridge radios on the switch using the Command Line Interface (CLI) commands listed below.
a realm are forwarded to the external radius server, as configured for the WLAN with Adaptive AP Radius Proxy.
NOTE: The Motorola RF Series Wireless Switches support Adaptive AP Radius proxy without specifying realm information. If AAP Proxy Radius is enabled without specifying realm information, the onboard Radius server can no longer be used to authenticate users.
B.2.1 Topology Deployment Considerations
When reviewing the AAP topologies described in this section, be cognizant of the following considerations to optimize the effectiveness of the deployment:
• An AAP firmware upgrade will not be performed at the time of adoption from the wireless switch. Instead, the firmware is upgraded using the AP-51x1’s firmware update procedure (manually or using the DHCP Auto Update feature).
• An AAP can use its LAN1 interface or WAN interface for adoption.
B.2.5 Extended VLAN with Mesh Networking
Mesh networking is an extension of the existing wired network. There is no special configuration required, with the exception of setting the mesh and using it within one of the two extended VLAN configurations.
NOTE: The mesh backhaul WLAN must be an independent WLAN mapped to LAN2. The switch enforces the WLAN be defined as an independent WLAN by automatically setting the WLAN to independent when backhaul is selected.
To avoid a lengthy broken connection with the switch, Motorola recommends generating an SNMP trap when the AAP loses adoption with the switch.
NOTE: For additional information (in greater detail) on the AP configuration activities described above, see Adaptive AP Configuration.
B.3.3 Configuring the Switch for Adaptive AP Adoption
The tasks described below are configured on a Motorola RF switch. For information on configuring the switch for AAP support, see http://www.motorola.
1. Select System Configuration -> Adaptive AP Setup from the Access Point’s menu tree.
2. Select the Auto Discovery Enable checkbox. Enabling auto discovery will allow the AAP to be detected by a switch once its connectivity medium has been configured (by completing steps 3-6).
NOTE: Auto discovery must be enabled for a switch to detect an AP.
3. Enter up to 12 Switch IP Addresses constituting the target switches available for AAP connection.
2. Export the AAP’s configuration to a secure location. Either import the configuration manually to other APs or the same AP later (if you elect to default its configuration). Use DHCP option 186 and 187 to force a download of the configuration file during startup (when it receives a DHCP offer).
NOTE: When an Adaptive AP is adopted over an IPSec tunnel, you cannot export the configuration file to a system on the other side of the IPSec tunnel.
3. Ensure the Adopt unconfigured radios automatically option is NOT selected.
4. When disabled, there is no automatic adoption of non-configured radios on the network. Additionally, default radio settings will NOT be applied to Access Ports when automatically adopted.
NOTE: For IPSec deployments, refer to Sample Switch Configuration File for IPSec and Independent WLAN and take note of the CLI commands in red and associated comments in green.
NOTE: Additionally, a WLAN can be defined as independent using the "wlan independent" command from the config-wireless context.
SWITCH NOTE: For AAP to work properly with RFS7000 you need to have independent and extended WLANs mapped to a different VLAN than the ge port.
Once an AAP is adopted by the switch, it displays within the switch Access Port Radios screen (under the Network parent menu item) as an AP-5131, AP-5181 or AP-7131 within the AP Type column.
B.4.
The sample output is as follows:
!
! configuration of RFS6000
!
version 1.0
!
!
aaa authentication login default none
service prompt crash-info
!
hostname RFS6000-1
!
username admin password 1 8e67bb26b358e2ed20fe552ed6fb832f397a507d
username admin privilege superuser
username operator password 1 fe96dd39756ac41b74283a9292652d366d73931f
!
! To configure the ACL to be used in the CRYPTO MAP
!
ip access-list extended AAP-ACL
 permit ip host 10.10.10.
xyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxxyxyxyx
!
wireless
 no adopt-unconf-radio enable
 manual-wlan-mapping enable
 wlan 1 enable
 wlan 1 ssid qs5-ccmp
 wlan 1 vlan 200
 wlan 1 encryption-type ccmp
 wlan 1 dot11i phrase 0 Symbol123
 wlan 2 enable
 wlan 2 ssid qs5-tkip
 wlan 2 vlan 210
 wlan 2 encryption-type tkip
 wlan 2 dot11i phrase 0 Symbol123
 wlan 3 enable
 wlan 3 ssid qs5-wep128
 wlan 3 vlan 220
 wlan 3 encryption-type wep1
 radio add 3 00-15-70-00-79-12 11bg aap5131
 radio 3 bss 1 3
 radio 3 bss 2 4
 radio 3 bss 3 2
 radio 3 channel-power indoor 6 8
 radio 3 rss enable
 radio add 4 00-15-70-00-79-12 11a aap5131
 radio 4 bss 1 5
 radio 4 bss 2 6
 radio 4 channel-power indoor 48 4
 radio 4 rss enable
 radio 4 client-bridge bridge-select-mode auto
 radio 4 client-bridge ssid Mesh
 radio 4 client-bridge mesh-timeout 0
 radio 4 client-bridge enable
 radio default-11a rss enable
 radio default-11bg rss enable
 radio default-11b rss enable
 no a
 switchport trunk allowed vlan add 1-9,100,110,120,130,140,150,160,170,
 switchport trunk allowed vlan add 180,190,200,210,220,230,240,250,
 static-channel-group 1
!
interface ge4
 switchport access vlan 1
!
interface me1
 ip address dhcp
!
interface sa1
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan none
 switchport trunk allowed vlan add 1-9,100,110,120,130,140,150,160,170,
 switchport trunk allowed vlan add 180,190,200,210,220,2
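The following Python code is an added example, not part of the guide or of the switch software. It reviews the `wlan` statements of an exported configuration such as the sample above and reports WLANs that use WEP or TKIP, WLANs with no encryption-type line, passphrases stored readably, and passphrases shared between WLANs. It assumes that the `0` after `dot11i phrase` marks a passphrase stored in clear text (as the readable value in the sample suggests); the WLAN 7 and 8 entries and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Matched as prefixes of the encryption-type value (wep64, wep128, tkip, ...).
WEAK_ENCRYPTION = ("wep", "tkip")

# WLAN 1 and 2 are taken from the sample configuration in this appendix;
# WLAN 7 and 8 are constructed to exercise the remaining checks.
SAMPLE_CONFIG = """\
wireless
 no adopt-unconf-radio enable
 manual-wlan-mapping enable
 wlan 1 enable
 wlan 1 ssid qs5-ccmp
 wlan 1 vlan 200
 wlan 1 encryption-type ccmp
 wlan 1 dot11i phrase 0 Symbol123
 wlan 2 enable
 wlan 2 ssid qs5-tkip
 wlan 2 vlan 210
 wlan 2 encryption-type tkip
 wlan 2 dot11i phrase 0 Symbol123
 wlan 7 enable
 wlan 7 ssid lab-wep
 wlan 7 encryption-type wep128
 wlan 8 enable
 wlan 8 ssid lab-open
"""

WLAN_LINE = re.compile(r"^\s*wlan\s+(\d+)\s+(\S+)(?:\s+(.*\S))?\s*$")


def parse_wlans(config: str) -> dict:
    """Collect the per-WLAN settings from 'wlan <index> ...' lines."""
    wlans = defaultdict(dict)
    for line in config.splitlines():
        m = WLAN_LINE.match(line)
        if not m:
            continue
        index, key, rest = int(m.group(1)), m.group(2), m.group(3) or ""
        if key == "enable":
            wlans[index]["enabled"] = True
        elif key in ("ssid", "vlan", "encryption-type"):
            wlans[index][key] = rest
        elif key == "dot11i" and rest.startswith("phrase "):
            parts = rest.split(None, 2)      # "phrase", format flag, secret
            if len(parts) == 3:
                wlans[index]["phrase_flag"] = parts[1]
                wlans[index]["phrase"] = parts[2]
    return dict(wlans)


def audit(config: str) -> list:
    """Return (wlan index or indexes, finding) tuples; secrets are never echoed."""
    findings = []
    by_phrase = defaultdict(list)
    wlans = parse_wlans(config)
    for index in sorted(wlans):
        w = wlans[index]
        if not w.get("enabled"):
            continue                          # only review WLANs in service
        enc = w.get("encryption-type")
        if enc is None:
            findings.append((index, "no-encryption-type-line"))
        elif enc.startswith(WEAK_ENCRYPTION):
            findings.append((index, "deprecated-cipher:" + enc))
        if w.get("phrase_flag") == "0":       # assumption: 0 = clear text
            findings.append((index, "cleartext-passphrase"))
        if "phrase" in w:
            by_phrase[w["phrase"]].append(index)
    for indexes in by_phrase.values():
        if len(indexes) > 1:
            findings.append((tuple(indexes), "shared-passphrase"))
    return findings


if __name__ == "__main__":
    for where, finding in audit(SAMPLE_CONFIG):
        print(where, finding)
```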
Appendix C Troubleshooting Information
This appendix provides basic troubleshooting information and workarounds to known conditions the user may encounter. Wherever possible, it includes possible suggestions or solutions to resolve the issues. It is divided into the following sections:
• General Troubleshooting
• Troubleshooting SNMP Issues
• Security Issues
C.1 General Troubleshooting
This section describes common system issues and what to look for while diagnosing the cause of a problem.
C.1.1.1 Switch Does Not Boot Up
The Motorola RF Series Switch does not boot up to a username prompt via CLI console or Telnet. The table below provides suggestions to troubleshoot this issue.
Possible Problem: Switch has no power
Suggestions to Correct:
• Verify power cables, fuses, UPS power. The front panel LEDs light up when power is applied to the switch.
• Have a qualified electrician check the power source to which the switch is connected.
Possible Problem: All else...
C.1.1.4 Web UI is Sluggish, Does Not Refresh Properly, or Does Not Respond
When configuring the switch, it is easy to overlook the fact that the host computer is running the browser while the Motorola RF Series Switch is providing the data to the browser. Occasionally, while using the Web UI the switch does not respond or appears to be running very slowly; this could be a symptom of the host computer or the network, and not the switch itself.
Possible Problem: Settings in terminal emulation program are incorrectly set
Suggestions to Correct: Check the serial port settings in the serial terminal emulation program being used. The correct settings are:
Terminal Type - VT-100
Port - Any COM port
Terminal Settings - 19200 bps transfer rate, 8 data bits, no parity, 1 stop bit, no flow control
Possible Problem: All else...
Suggestions to Correct: Contact Motorola Support.
C.1.
C.1.2.2 Access Ports are Not Responding
Access Ports are not responding. The table below provides suggestions to troubleshoot this issue.
Possible Problem: Access Port not responding after converting to a Detector AP
Suggestions to Correct: When converting an AP300 to an Intrusion Detection Sensor, the conversion requires approximately 60 seconds.
Possible Problem: All else...
Suggestions to Correct: Contact Motorola Support.
C.1.2.
C.1.3.2 MUs Cannot Associate and/or Authenticate with Access Ports
MUs cannot associate and/or authenticate with Access Ports. The table below provides suggestions to troubleshoot this issue.
Possible Problem: Preamble differences
Suggestions to Correct: Verify that the preamble type matches between switch and MUs. Try a different setting.
Possible Problem: Device key issues
Suggestions to Correct: Verify in Syslog that there is not a high rate of decryption error messages.
The table below provides suggestions to troubleshoot this issue.
Possible Problem: Fragmentation
Suggestions to Correct:
• Do not allow VoIP traffic when operating on a flat network (no routers or smart switches).
• Move to a trunked Ethernet port.
• Move to a different configuration.
Possible Problem: All else...
Suggestions to Correct: Contact Motorola Support.
C.1.4.2 Excessive Memory Leak
Excessive memory leak. The table below provides suggestions to troubleshoot this issue.
C.2.2 Not able to SNMP WALK for a GET
• Check whether the MIB browser has IP connectivity to the SNMP agent on the switch. Use IP Ping from the client system which has the MIB Browser.
• Check if the community string is the same at the agent side and the manager (MIB Browser) side. The community name is case sensitive.
C.2.3 MIB not visible in the MIB browser
The filename.mib file should be first compiled using a MIB compiler, which creates a smidb file.
To access the Motorola RF Series Switch using password recovery:
CAUTION: Using this recovery procedure erases the switch’s current configuration and data files from the switch /flash dir. Only the switch’s license keys are retained. You should be able to log in using the default username and password (admin/superuser) and restore the switch’s previous configuration (only if it has been exported to a secure location before the password recovery procedure was invoked).
1.
• Add a Radius client in AAA context
• Ensure that key password in AAA/EAP context is set to the key used to generate imported certificates
• DO NOT forget to SAVE!
C.3.2.
C.3.2.8 VPN Authentication using onboard RADIUS server fails
Ensure the following have been attempted:
• Ensure that the VPN user is present in AAA users
• This VPN user MUST NOT be added to any group.
• Save the current configuration
C.3.2.9 Accounting does not work with external RADIUS Accounting server
Ensure that accounting is enabled.
• If you have enabled AP Scan, ensure that at least a single radio is active. AP scan does not send a scan request to an inactive or unavailable radio.
• Just enabling detectorscan will not send any detectorscan request to any adopted AP. User should also configure at least a single radio as a detectorAP. This can be done using the set detectorap command in rogueap context.
C.
C.5.0.2 How to block the request from host on untrusted to host on trusted side based on packet classification.
1. Add a new Classification Element with required Matching Criteria
2. Add a new Classification Group and assign the newly created Classification Element. Set the action required.
3. Add a new Policy Object. This should match the direction of the packet flow i.e. Inbound or Outbound.
4. Add the newly created PO to the active Network Policy.
5.
Appendix D Open Source Software Information
Product Name: AP650
For instructions on obtaining a copy of any source code being made publicly available by Motorola related to software used in this Motorola product, you may send a request in writing to:
MOTOROLA, INC.
OSS Management
600 North US Hwy 45
Libertyville, IL 60048
USA
The Motorola website http://opensource.motorola.com also contains information regarding Motorola's use of open source.
Name        Version   URL                                             License
dropbear    0.51      http://matt.ucc.asn.au/dropbear/dropbear.html   Drop Bear License
e2fsprogs   1.40.11   http://e2fsprogs.sourceforge.net/               GNU General Public License 2.0
gcc         4.1.2     http://gcc.gnu.org/                             GNU General Public License 2.0
gdb         6.8       http://www.gnu.org/software/gdb/                GNU General Public License 2.0
genext2fs   1.4.1     http://genext2fs.sourceforge.net/               GNU General Public License 2.0
glibc       2.7       http://www.gnu.
Name         Version        URL                                         License
openwrt      truck-r15025   http://www.openwrt.org/                     GNU General Public License 2.0
opkg         truck-r4564    http://code.google.com/p/opkg/              GNU General Public License 2.0
pkg-config   0.22           http://pkg-config.freedesktop.org/wiki/     GNU General Public License 2.0
ppp          2.4.3          http://ppp.samba.org/ppp/                   BSD Style Licenses
quilt        0.47           http://savannah.nongnu.org/projects/quilt/  GNU General Public License 2.0
sed          4.1.2          http://www.gnu.org/software/sed/            GNU General Public License 2.
D.2 OSS Licenses
D.2.1 GNU General Public License 2.0
GNU GENERAL PUBLIC LICENSE
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
Preamble
The licenses for most software are designed to take away your freedom to share and change it.
any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you".
a. Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
b.
directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances.
THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS
D.2.2 GNU Lesser General Public License 2.1
GNU LESSER GENERAL PUBLIC LICENSE
Version 2.
Finally, software patents pose a constant threat to the existence of any free program. We wish to make sure that a company cannot effectively restrict the users of a free program by obtaining a restrictive license from a patent holder. Therefore, we insist that any patent license obtained for a version of the library must be consistent with the full freedom of use specified in this license. Most GNU software, including some libraries, is covered by the ordinary GNU General Public License.
"Source code" for a work means the preferred form of the work for making modifications to it. For a library, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the library. Activities other than copying, distribution and modification are not covered by this License; they are outside its scope.
refer to the ordinary GNU General Public License, version 2, instead of to this License. (If a newer version than version 2 of the ordinary GNU General Public License has appeared, then you can specify that version instead if you wish.) Do not make any other change in these notices. Once this change is made in a given copy, it is irreversible for that copy, so the ordinary GNU General Public License applies to all subsequent copies and derivative works made from that copy.
modify the Library and then relink to produce a modified executable containing the modified Library. (It is understood that the user who changes the contents of definitions files in the Library will not necessarily be able to recompile the application to use the modified definitions.)
b. Use a suitable shared library mechanism for linking with the Library.
11. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License.
TO THE QUALITY AND PERFORMANCE OF THE LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
16.
D.2.5 Open SSL License
LICENSE ISSUES
==============
The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both licenses are BSD-style Open Source licenses. In case of any license issues related to OpenSSL please contact openssl-core@openssl.org.
This package is an SSL implementation written by Eric Young (eay@cryptsoft.com). The implementation was written so as to conform with Netscapes SSL. This library is free for commercial and non-commercial use as long as the following conditions are adhered to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, hash, DES, etc., code; not just the SSL code.
1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required.
2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software.
3. This notice may not be removed or altered from any source distribution.
Jean-loup Gailly Mark Adler jloup@gzip.org madler@alumni.
loginrec.h atomicio.h atomicio.c and strlcat() (included in util.c) are from OpenSSH 3.6.1p2, and are licensed under the 2 point BSD license. loginrec is written primarily by Andre Lucas, atomicio.c by Theo de Raadt. strlcat() is (c) Todd C. Miller
=====
Import code in keyimport.c is modified from PuTTY's import.c, licensed as follows: PuTTY is copyright 1997-2003 Simon Tatham.
MOTOROLA INC. 1303 E. ALGONQUIN ROAD SCHAUMBURG, IL 60196 http://www.motorola.