v7.
v7.
New Hardware Trapeze Networks, A BELDEN Brand | Proprietary and Confidential | 1/27/2010 Slide 3
New Hardware
• MP-82
• New high density deployment .11n AP
• MP-622
• New outdoor .11a/b/g AP
• MP-632
• New rugged outdoor .
MP-82: Indoor .11n AP
• Intended for dense deployment
• More APs for similar budget
• Lower cost per AP
• Dual band 802.11n 5GHz & 2.4 GHz
• 2x3 MIMO
• RP-SMA connectors
• Single Ethernet port
• 802.
MP-622: 802.
MP-632: Outdoor 802.11n APs
• Designed for harsh environments
• IP67/NEMA 4X
• MP-632 dual radio 802.11 5GHz & 2.4 GHz
• Supports 3x3 MIMO
• Six antenna ports
• Single 1000BASE-T RJ-45 port
• External hardened PS included
• Supported from MSS v7.
LA-200E Location Appliance
• New version of the LA-200 Appliance: the LA-200E
• More Powerful (same hardware as the RM-200)
• Higher Scalability
• Can receive data from up to 200 APs
• Can track up to 4,000 devices
• Integrated RF-firewall Application (licensed separately)
• Future integration With RingMaster (v7.
RM-200 Enhancement
• Automatic Backup to an External FTP/TFTP Site
• Port Bonding
• Enabling port bonding allows the second port to act as backup
• Remote Authentication via RADIUS
• Utilize Access Control feature in RM v7.
MSS v7.
MSS v7.
Advanced Feature Licensing
• Licenses loaded onto and applied to the MXs to enable support for these advanced features
• High Availability license: enable Cluster configuration
• Advanced Voice license: enable advanced voice capabilities
• Licenses loaded onto the MX to enable advanced feature support for the specified count of APs
• Mesh/Bridging license: enable Mesh and bridging between APs
  – Mesh/Bridging AP increments: 4, 12, 32
• WAPI license: enable WAPI & other China-specific features (China only)
  –
Advanced Feature Licensing Examples
• Advanced Voice License
• Purchased for each MX that is to support the advanced voice capabilities
• High Availability License
• Purchased for each MX that is to participate in a Cluster
• E.g. Licenses required for a cluster of 2 x MX-200R supporting 128 APs
  – 2 x MX-2xx-U32: to provide support for 64 additional APs
  – 2 x MX-2xx-HA-LIC: to enable clustering on both MXs
• E.g.
Voice/SIP Awareness
• Stateful protocol inspection at the AP
• Regardless of the switching model (central or local)
• Dynamic Call Admission Control (CAC)
P SI marked with 802.
Voice/SIP Awareness Details
• QOS-Profile
• A v7.1 QoS-profile can set the CoS for a ‘traffic class’
  – A traffic class is a kind of predefined traffic filter
  – ‘voip-data’ is the only traffic-class defined in v7.
Cluster AP Affinity Groups
• AP Affinity Groups can be defined to specify a preferred PAM for a specific pool of APs specified by a CIDR-like variable length Subnet mask (VLSM)
• SAMs are chosen from a non-Affinity Group MX or a different Affinity Group
• Affinity Groups are specified on the Cluster Seed MX and associated to the appropriate member MXs
[Diagram labels: Affinity Group 10.9.4.0/24; Affinity Group 10.9.3.32/28; MX-1 (Seed MX); MX-2 (2ry Seed); MX-3; Affinity Group 10.9.3.]
Cluster In-Service Upgrade
• Hitless upgrade of the SW on the Cluster MXs and APs
• A secondary Seed MUST be available on the Cluster
• All MXs must be at and upgraded to the same SW version
• Upgrade order:
  1. Primary Seed
  2. Secondary Seed
  3. Member MXs
  4. & 5. APs
Note: APs are upgraded where possible with no impact to connected users
[Diagram labels: 1ry Seed MX, 2ry Seed MX, Member MXs, with upgrade steps 1. to 5.]
Other Cluster Enhancements
• Additions to the Cluster configuration settings
• RADIUS/LDAP configuration
• System and Network Access rules
• Global 802.
LDAP Support
• LDAPv3 AAA support for:
  • Web Portal authentication
  • Console access
  • Telnet & SSH access
  • MAC authentication
• Supported Operations
  • Authentication ONLY
  • ‘bindRequest’ | ‘bindResponse’ | ‘unbindRequest’
  • No support for search or admin proxy search operations
• Configurable LDAP server groups
  • LDAP server configuration is part of the Cluster configuration
  • For redundancy and load balancing
  • Configurable server timeouts
• Configuration Interfaces
  • RingMaster and CLI only (not avai
Command Auditing
• Log all CLI commands to an external server for auditing purposes
  • All commands which complete successfully are logged
  • Commands may be logged to an external RADIUS server
  • The enable password is obscured
  • Configuration is handled as an additional RADIUS accounting type
    – VSA 13
• Each accounting command message contains:
  – Timestamp
  – tty port
  – Username
  – Source IP address
  – Command issued
  – Command status (success/failure)
Note: Incorrect commands are not logged
IPSEC for RADIUS
• Basic IPSEC support in MSS only (no RingMaster support)
• Static key for encryption and authentication (no IKE)
• Transport mode with encryption between the IP source and destination addresses
• Encapsulating Security Payload (ESP) mechanism
• Encryption ciphers available: AES, 3DES
• Integrity checking using HMAC-SHA1*
• The IPSEC tunnel must be established between an MX and RADIUS server before RADIUS communications are started
• The RADIUS server must support IPSec
• A RADIUS server i
AP LED and MIB Enhancements
• AP LED Control
• Allow the customer to set the LED behavior on an AP by AP basis
• The LED setting becomes active after the AP receives its configuration
• LEDs may be set in three ways:
  – Auto (default): LEDs behave in Trapeze standard way
  – Static: LEDs do not flash when traffic flows (all other LED behavior is as normal)
  – Off: All LEDs are off once the AP is active
• A range of APs may be set at the same time
• AP MIBs
• Provides more complete AP configuration MIB informa
Other MSS Features
• Mesh Enhancements
• Multi hop Bridging is now supported
• Bridging and Mesh can now support 802.
Other MSS Features
• Other improvements
  • Authenticate admin HTTPs requests via AAA
  • ‘Service-type’ based Access to Privileged CLI mode
  • Wired authentication idle session timeout
  • Ad-hoc Countermeasures
  • Trap Log MIB
  • 802.
RingMaster v7.
RingMaster v7.
SIP Awareness & Monitoring
• Voice Service Profile
• Step 1: User starts Voice Service Wizard and enables stateful inspection of Voice protocols
• Step 2: User configures Voice Call Admission Control, specifying the number of allowed active calls.
SIP Awareness & Monitoring
• Voice Service Profile
• Step 3: User configures QoS settings for the identified Voice flows (CoS and Max-BW).
• Step 4: User completes wizard by supplying standard SSID information i.e.
Voice Monitoring Features
Voice Specific Monitoring Panel
Troubleshoot Voice Clients – 1
• Find Voice Clients
Troubleshoot Voice Clients – 2
• View Voice Details
Voice Alarms and Call Detail Records
• Voice Alarms
• The Alarms detail panel shows all current voice related alarms e.g.
Cluster Enhancements
• AP Affinity Wizard
• Specify Affinity Group by CIDR-like Variable Length Subnet Mask
• Associate Affinity Group with appropriate MX(s)
• Cluster Upgrade Wizard
• Manages the hitless Cluster upgrade
Cluster Settings
• AAA Settings now configured at the Cluster level
  • RADIUS servers
  • LDAP Servers
  • 802.
LDAP Support
• LDAP support
• Configure LDAP servers
• Found under AAA settings on an MX or Cluster
Grouping and Access Control
• Create Equipment Group
Grouping and Access Control
• Equipment Group created
• Location Groups may also be created (in RF Planning)
• Configuration and/or monitoring access may be granted to RingMaster users by Equipment/Location Group
Grouping and Access Control
• Create User Access Group
Grouping and Access Control
• Multiple User Access Groups
Grouping and Access Control
• Create Users
Single System-wide Login
• AAA Authentication for RingMaster users
• e.g.
Audit Trail
• Audit Trail settings
• Local auditing is enabled by default
• External auditing to a RADIUS server may also be enabled
• Use the new Audit Trail report to view the entries
Enhanced Reports
• New Reports
  • Alarm History
  • Alarm Summary
  • AP Availability
  • AP Availability Details
  • AP Inventory
  • Audit Trail
  • Call Details
  • Call Summary
  • Degraded Network Uplink
  • Low Power POE
  • PCI Compliance
Enhanced Reports
Other RingMaster Features
• Monitoring improvements
• New SNMP traps
• Top BW by client monitoring
• AP and Session scaling
• 5,000 APs in a Cluster
• 10,000 Sessions for MX-2800
• Other Features
• Configurable RingMaster port
• MX access control
  – Enable Password
  – Username/Password
• Client Blacklist and countermeasures enhancements
• Server certificate management
• Configurable MX management port
RingMaster Global v7.
RingMaster Global (RMG) Overview
• Centralized Management for Large-scale Implementations
• Manager of Managers – single Management Console for:
  – Up to 20 RingMaster servers
  – Up to 100,000 APs
Note: RingMaster Global communicates with RingMaster servers using the RingMaster Agent Web API
• Single sign-on access control with optional AAA login
• Network Wide Monitoring Dashboard, Search Capability and Reports
• Licensing:
  – RMTS-GLOBAL
  – RMTS-GLOBAL-4
  – RMTS-GLOBAL-16
  – RMTS-GLOBAL-EVAL
RMG Management Architecture
[Diagram labels: RingMaster Global, Web API, WAN, RingMaster Server, MX Controllers]
Network-wide Monitoring
• RingMaster Global (RMG)
• Network-wide Monitoring Dashboard
• RMG communicates with RM Servers using the RMAGENT Web API
Network-wide Search
• Network Wide Search Capability
• Find Equipment (MXs/APs)
• Find Locale (Site/Building/Floor)
• Find Clients
• Launch RM UI for further diagnosis
Network-wide Reporting
• Network Wide Reports
SmartPass v7.
SmartPass v7.
RADIUS Proxy
• Configure Proxy authentication to a RADIUS server
• Configure and apply AAA attributes locally using Proxy filters
RADIUS Proxy
• Create Proxy Rule
RADIUS Proxy
• Global RADIUS Proxy settings
MAC Authentication
• Import MAC Address List from CSV file
• MAC Address User
• MAC Address Bonded User
• Blacklist a list of MAC Users
Session Monitoring
• Real Time Session Monitoring
• All sessions that SmartPass is tracking are displayed
• Advanced Sorting and filtering capability
Other Features
• Linux installer
• SmartPass v7.1 now also installs on Linux platforms
• Supported Linux versions are: Red Hat Enterprise Linux (RHEL) 5.0; SUSE 10.2
• Server certificate import
• The new SmartPass v7.1 MR1 feature will now allow Administrators to replace the current server certificate with a web certificate.
Trapeze Networks Education Services USA: Steven Elliott, Training Manager +1 925 474 2261, selliott@trapezenetworks.com EMEA: Pete Dahl, International Training Manager +31 (0)35 6464 422, pdahl@trapezenetworks.com Gerben Camp, Field Trainer EMEA +31 (0)35 6464 427, gcamp@trapezenetworks.
MSS v7.
Advanced Licenses
#set license XXXX-XXXX-XXXX-XXXX-XXXX
success: license accepted
Note: where ‘XXXX-XXXX-XXXX-XXXX-XXXX’ is the license activation key returned by the Trapeze Networks license server at http://www.trapezenetworks.
Voice / SIP Awareness
#set qos-profile cos <0..7>
#set qos-profile max-bw
#set qos-profile traffic-class voip-data cos <0..
Clustering
• AP Affinity
#set mobility-domain ap-affinity-group address netmask
#set mobility-domain ap-affinity-group address
#clear mobility-domain ap-affinity-group address netmask
#clear mobility-domain ap-affinity-group address
#show mobility-domain ap-affinity-groups
• Hitless Software Upgrade/Downgrade
#show cluster upgrade
#upgrade cluster [force]
• AP Status
# Show ap status cluster [member-ip]
Options: apnum, boot-state, ip, mac,
AP to AP Tunneling
#set ap apnum tunnel-affinity affinity
#set ap auto tunnel-affinity affinity
#set vlan-profile vlan [mode ]
#set ap local-switching mode enable [vlan-profile ]
#show ap config
#show tunnel ap
#show roaming vlan
#show ap vlan
#show vlan-profile
LDAP ‘set’ Commands
#set ldap server server-name [ address ip-address] { [auth-port port number ] [timeout seconds ] [deadtime minutes] [bind-mode [simple-auth|sasl-md5]] [fdqn dns-name] [mac-addr-format [hyphens|colons|one-hyphen-raw]] [base-dn basednstring] }
#set ldap server group {[server_2 … server_4]]
#set ldap server group load-balance [enable|disable]
#set authentication [web|mac] [ssid ssid_name | wired] { [ldap_group2] [ldap_group3] [l
LDAP ‘set’ and ‘show’ Commands
#set ldap deadtime
#set ldap timeout
#set ldap auth-port
#set ldap bind-mode [ simple-auth | sasl-md5]
#set ldap mac-addr-format [hyphens|colons|one-hyphen-raw]
#set ldap base-dn
#ldap-ping [server | group] login password
#show ldap – displays all of the above LDAP settings
LDAP ‘clear’ Commands
#clear ldap server
#clear ldap server group
#clear authentication [web|mac] [ssid ssid_name | wired]
#clear authentication [admin|console]
#clear ldap deadtime
#clear ldap timeout
#clear ldap auth-port
#clear ldap bind-mode
#clear ldap mac-addr-format
#clear ldap base-dn
Command Auditing
#Set accounting
#Clear accounting
• No changes to show commands
• RADIUS STOP accounting record sent for each logged command with the following attributes
  • Acct-Status-Type
  • User-Name
  • Event-Timestamp
  • Calling-Station-Id
  • Acct-Session-Id
  • Acct-Multi-Session-Id
  • NAS-Port
  • NAS-Port-Type
  • NAS-IP-Address
  • NAS-Identifier
Always set to STOP value TTY Name, No name, RM, SNMP or WV IP Address of the user Unique accounting session id for each entry Unique value for same session id TTY po
Command Auditing
• RADIUS STOP accounting record sent for each logged command with the following attributes (continued)
• Trapeze-Audit String VSA Containing the audit info
  – ‘cmd=’: the Logged CLI command
  – ‘xml=’: the Logged XML command
  – ‘status=’: command/transaction execution status ‘Success’ or ‘Fail’
  – ‘version=’: MSS Version string
  – ‘platform=’: MSS Platform string
  – ‘serial=’: the serial number of the platform
• Long Audit information is fragmented into multiple accounting audit packets
  – ‘fragment
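Added example (not part of the original slides and not Trapeze code): a parser for the Trapeze-Audit string described above, applied to accounting records already decoded into attribute dictionaries, that counts failed commands per user and source address. The key=value separator, the use of Calling-Station-Id as the source IP, and every sample value are assumptions; fragmented audit strings are not reassembled.

```python
import re
from collections import Counter

# Keys the slides list inside the Trapeze-Audit string VSA.
AUDIT_KEYS = ("cmd", "xml", "status", "version", "platform", "serial")
# ASSUMPTION: pairs are key=value separated by whitespace, comma or semicolon;
# the slides name the keys but do not show the separator.
_KEY = re.compile(r"(?:^|[\s,;])(" + "|".join(AUDIT_KEYS) + r")=")

def parse_trapeze_audit(value):
    """Split on the known keys so CLI text containing spaces stays whole."""
    marks = [(m.start(1), m.end(), m.group(1)) for m in _KEY.finditer(value)]
    fields = {}
    for i, (_, vstart, key) in enumerate(marks):
        vend = marks[i + 1][0] if i + 1 < len(marks) else len(value)
        fields[key] = value[vstart:vend].strip(" \t,;")
    return fields

def audit_event(attrs):
    """Flatten one decoded accounting record (attribute name -> string)."""
    audit = parse_trapeze_audit(attrs.get("Trapeze-Audit", ""))
    return {
        "user": attrs.get("User-Name"),
        # ASSUMPTION: Calling-Station-Id carries the user's source IP.
        "source": attrs.get("Calling-Station-Id"),
        "command": audit.get("cmd") or audit.get("xml"),
        "status": audit.get("status", "").lower(),
    }

def failed_by_source(records):
    """Count commands logged with status 'Fail' per (user, source IP)."""
    events = (audit_event(r) for r in records if "Trapeze-Audit" in r)
    return Counter((e["user"], e["source"]) for e in events
                   if e["status"] == "fail")

# Constructed sample records (not captured traffic); placeholders throughout.
TAIL = " version=VERSION platform=PLATFORM serial=SERIAL"
SAMPLE = [
    {"User-Name": "admin", "Calling-Station-Id": "192.0.2.10",
     "Trapeze-Audit": "cmd=set ap 4 led-mode off status=Success" + TAIL},
    {"User-Name": "ops", "Calling-Station-Id": "192.0.2.77",
     "Trapeze-Audit": "cmd=set rfdetect black-list dynamic disable status=Fail" + TAIL},
    {"User-Name": "ops", "Calling-Station-Id": "192.0.2.77",
     "Trapeze-Audit": "cmd=clear accounting status=Fail" + TAIL},
]

if __name__ == "__main__":
    for (user, src), n in failed_by_source(SAMPLE).most_common():
        print(f"{user}@{src}: {n} failed command(s)")
```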
AP LED Control
#set ap apnum led-mode { auto|static|off}
#set ap led-mode {auto|static|off}
#set ap auto led-mode {auto|static|off}
#show ap config
• Now displays the led-mode
Enhancement to Dynamic RF Blacklist
#set rfdetect black-list dynamic {enable | disable }
#set rfdetect black-list dynamic duration
#Set rfdetect black-list {dynamic}
#show rfdetect black-list reflects cluster-wide information
#clear rfdetect black-list
802.1x TKIP/CCMP Rekey Timers
#set/clear dot1x unicast-rekey-period [30..86400]
#set/clear dot1x multicast-rekey-period [30..