WiNG 5.X How to - Mesh Connex

WiNG 5.2.2 MeshConnex tm

How To

January 2012 Revision V1.8

MOTOROLA, MOTO, MOTOROLA SOLUTIONS and the Stylized M Logo are trademarks or registered trademarks of Motorola Trademark Holdings, LLC and are used under license. All other trademarks are the property of their respective owners.

© 2012 Motorola Solutions, Inc. All Rights Reserved.

1. Table Of Contents 1. Table Of Contents .................................................................................................................... 2

2. Preface .................................................................................................................................... 3

2.1.1 How to Guide Pre-‐Requisites: ..................................................................................... 3

2.1.2 Product and Technical Requirements: .......................................................................... 3

2.1.3 What is Meshing & Mesh Connex™ ............................................................................. 4

2.1.4 Mesh Connex™ (MCX) Terminology ............................................................................. 4

3. MeshConnex™ and VLANs ......................................................................................................... 6

3.1 Non Bridged VLANs ........................................................................................................... 6

3.2 Bridged VLANs .................................................................................................................. 6

3.3 Hybrid / Bridge and Non Bridged ........................................................................................ 7

4. Configuring MeshConnex™ ....................................................................................................... 7

4.1 Configuring MeshConnex™ / Non Bridged VLANs ................................................................. 8

4.1.1 Configure a MeshConnex™ Policy ................................................................................ 8

4.1.2 Profile Configuration ................................................................................................ 12

4.2 Smart-‐RF policy configuration and assignment .................................................................. 18

4.3 Adding Profiles ............................................................................................................... 21

4.4 Configuring MeshConnex™ / Bridged VLANs ...................................................................... 26

4.4.1 Configure a MeshConnex™ Policy .............................................................................. 26

4.4.2 Profile Configurations .............................................................................................. 28

4.5 Configuring MeshConnex™ / Bridge & Non Bridged ........................................................... 41

4.5.1 Configure a MeshConnex™ Policy .............................................................................. 41

4.5.2 Profile Configurations .............................................................................................. 42

5. RFS 6000 Running-‐Configuration ............................................................................................. 46

5.1 Non Bridged ................................................................................................................... 46

5.2 Bridged .......................................................................................................................... 50

5.3 Bridged / Non Bridged ..................................................................................................... 55

Motorola Solutions Motorola Solutions How To – WiNG 5.2.2 MeshConnex 3

2. Preface This HOW TO guide is designed to aid the configuration of Mesh Connex within the WiNG 5 architecture and supported devices and controllers and should be used as a tool to understand configuration parameters to allow supported devices to mesh successfully using Mesh Connex. This document does not represent any form of network design criteria nor operation considerations for mesh networking. The guide is focused on configuring Mesh Connex with the use of a WiNG 5.2.2 controlled management appliance (RFS Switch). Mesh Connex can be configured as a Stand-‐Alone AP, or Virtual Controller. Neither of these modes is covered in this guide.

2.1.1 How to Guide Pre-‐Requisites:

Before using this guide it is important that the following pre-‐requisites are completed at minimum; -‐ Training and certification on WiNG Architecture http://support.symbol.com. -‐ You should have a working knowledge of WiNG 5.x profiles and Device Over-‐Ride Features -‐ Have a Windows 2008 server Enterprise or Existing LAN infrastructure for client data

transactions -‐ Your network and devices should be upgraded to WiNG 5.2.2 firmware. This HOW TO guide

does not cover upgrading of devices to the appropriate firmware revision. Product requirements and support are detailed below.

-‐ The reader has read the appropriate WiNG documentation for the release and at minimum, Release Notes, Motorola RFS Series Wireless LAN Switches -‐ WiNG System Reference Guide.

Registered users may download the latest software and firmware from the Motorola Technical Support Site http://support.symbol.com.

2.1.2 Product and Technical Requirements:

NOTE :WiNG 5.2.2 is only supported on the following platforms

-‐ AP 71XX platforms – AP 7131 / AP 7161 -‐ RFS 4000, 6000, 7000 Switches

Prior to attempting the configuration steps below at minimum you should have the following working network to attempt this configuration:

-‐ 2 or more AP71XX 802.11n Access Points installed, configured and running WiNG 5.2.2. -‐ Optional RFS Switch installed and running WiNG 5.2.2. as per the above supported platforms -‐ One (or more) wireless workstations/device(s) for testing operation.

The equipment and devices utilized for this guide were based on the following Motorola hardware and software versions:

• RFS-‐6000

• (2) AP7161 and (1) 7131 Access Point


• WiNG 5.2.2 Firmware

2.1.3 What is Meshing & Mesh Connex™

When Wireless Access Points (AP’s) are “meshed,” they turn into a powerful, interconnected network that can blanket a coverage area that has no wired access such as a parking lot, industrial facility or even an entire city with wireless broadband access. Mesh-‐enabled access points not only deliver WiFi to users, they also act as router/repeaters for other access points in the network. The result is a self-‐forming, self-‐healing wireless cloud that reduces the cost of backhaul, deployment and system engineering.

WiNG v5.2.2 delivers key enhancements focusing on the integration of Motorola’s patented MeshConnex™ Routing Engine into the WiNG architecture. The MeshConnex™ Routing Engine provides efficient routing, low hop latency, low routing overhead, high-‐speed handoffs and proven scalability. MeshConnex™ uses Motorola’s patented Layer 2 routing technology to find and establish throughput-‐optimized connections. Mesh Connex compliments the existing MiNT based hop meshing which is an alternative meshing option. In addition ORLA, the Opportunistic Radio Link Adaptation, is a new rate control selection method introduced in WiNG5.2.2, which is an improved element of rate selection for AP7161 outdoor deployments. The guide will talk to how to enable this rate selection algorithm when configuring devices.

2.1.4 Mesh Connex™ (MCX) Terminology

When using MCX (Mesh Connex) The APs in an (MCX) mesh are called nodes. A node with a wired connection back to the network is called a root node. The function of the MCX software is to determine the shortest path from a node, to a root node and passing packets along the path, which is the link(s) being utilized to allow communications between two nodes /or mesh points. Paths are dynamically created in MCX. The path to the root is selected by the MCX algorithm based on path metrics which are dictated by device topology and RF environment. A sample diagram showing this concept is shown in figure below.

The Opportunistic Radio Link Adaptation (ORLA) algorithm is a key decision-‐making element designed to select data rates that will provide the best throughput. Instead of using local conditions to decide whether a data rate is acceptable or not, ORLA is designed to proactively probe other rates to determine if greater throughput is available. If these other rates do provide improved throughput, ORLA intelligently adjusts its selection tables to favor higher performance. ORLA provides improvements both on the client side of a mesh network as well as in the backhaul capabilities.



3. MeshConnex™ and VLANs Before configuring MeshConnex™ routing it is important to understand the different configuration options possible when working with VLANs. Each option will require slightly different configurations.

3.1 Non Bridged VLANs

With this option, WLAN traffic and Ethernet traffic from a meshed AP is forwarded via MeshConnex™. Traffic is not tunneled over MINT. VLANs must be added to the Allowed VLAN filter in the MeshConnex™ Policy. It is not necessary to define any VLANs in the node’s bridge VLANs settings unless other bridging functions are required.

3.2 Bridged VLANs

With this option VLANs will be created and the bridging mode set to tunnel.

The user also has the option to tunnel the WLAN separately (the user would will not create a separate bridge VLAN for the WLAN since it is tunneled directly).


3.3 Hybrid / Bridge and Non Bridged

With this option the WLAN is configured with a VLAN that is marked tunnel. The Ethernet traffic is not tunneled. It is important to note that the WLAN VLAN should NOT be included in the allowed VLAN list.

4. Configuring MeshConnex™ This is a 3 step process. There is an additional 4th step for auto assignment of channels for the radios in mesh.

1. Configure a mesh point (node).

2. Create profiles for AP71xx device types – (AP7131 and AP7161). In the section below we describe creating 2 profiles, one profile for devices to be configured as ROOT nodes (wired Access Points) and one more profile for Non Root nodes.

3. Auto assign the above configured profiles for new AP71XX devices plugged into the network. Or manually assign these profiles to the respective APs.

4. If the user intends to use automatic channel assignment (smart channel assignment) in the mesh then additional configuration is required. A Smart RF policy would need to be created and assigned to the RF Domain.

Note: In the configuration steps below perform a “commit and save” after each configuration change unless otherwise noted. Note: Once all of the configuration steps below have been completed on the RFSx000 controller; connect all of the APs to the Ethernet switch. The controller will then configure the APs once they are adopted by the controller. Once configurations have been pushed to all APs, disconnect the Ethernet cables of all non-‐root nodes.


4.1 Configuring MeshConnex™ / Non Bridged VLANs

4.1.1 Configure a MeshConnex™ Policy

1. Access the GUI of the RFS x000 controller (https://<ipaddress of controller>) and click on:

ConfigurationWirelessMeshConnex Policy.

2. Click on the “Add” button at the bottom right which will take you to the MeshConnex policy

configuration page. On this page configure the following items:

a. Configure the Mesh Point Name.

b. Configure the Mesh ID. (This value is sent out in beacons which identify the Mesh Point).

c. Mesh Point status should be set to: “Enabled”

d. Use the Beacon Format drop-‐down menu to select “mesh-‐point” or “access-‐point”. Select “mesh-‐point” for new installations. Select “access-‐point” to support compatibility with legacy mesh devices like the MotoMesh DUO.


e. Leave the setting “is Root” unchecked.

f. Set the control VLAN to “VLAN 1” for the purpose of this example.

g. The allowed VLAN list should contain all VLANs that you wish to allow on the Mesh link (in this example all VLANs are available 1-‐4094).

h. Set the “Neighbor Idle Timeout” value to 1 minute

i. Provide description as required. (Optional)

• Click on OK to continue the configuration process. The “Security” and “Radio Rates”

tabs should now be available.


3. Click on the “Security” tab for MeshConnex™ security settings.

• By default the “Security Mode” configuration parameter is set to “None” • Set this to PSK so traffic on the Mesh Links will be encrypted.


• Once PSK is selected, you can configure the Pre-‐Shared key. • Keep the Unicast and Broadcast key rotation interval at their default values. • Click on OK and exit this configuration page.


• The configured parameters can be verified from the Policy page.

4.1.2 Profile Configuration

Profiles will be configured for your Root APs and Non-‐Root APs. A Root AP is an AP which has its GE1 interface connected to the LAN (core network). In this first configuration example there is only one difference between the Root and Non-‐Root profiles (in the Non Root Profile the “is Root” option will not be selected under Mesh Point settings. Note that Mesh Point settings is a different configuration item from the Mesh Connex Policy).

1. Click on ConfigurationProfiles. Select to “Add” a new profile

• Configure a profile name that we intend to use for Root APs.

• Set the AP type to AP71XX

2. Click on OK to active the other tabs on the page. 3. Click on InterfaceRadios and select the 5 GHz radio. 4. Under Radio Settings, set the Channel to a static channel (in this example 149+ was chosen). 5. Select the Radio Placement.


NOTE: Set the “rate selection method” as opportunistic. This is the recommended setting for outdoor deployments. The recommendation is based on the outdoor tests carried out proving opportunistic rate selection performing better in outdoor environments over standard rate selection.

6. Click on OK.

7. Select the WLAN/Mesh Mapping tab. 8. Map the Mesh Point configured, to the radio. Click on OK and ext this change.


9. Select Mesh Point from the profile configuration page and click on “Add”. 10. Set the MeshConnex™ policy to the earlier configured policy name. 11. Set “Is Root” to true. Click OK.


12. Repeat the above steps to configure the Profile for the Non Root.


NOTE: The “Is Root” option should be set to None.


An additional recommended step for the Non-‐Root AP profile is the configuration of misconfiguration recovery time. This configuration is currently available from CLI in WiNG 5.2.2 This configuration would delay the rejection of the newest configuration push from the controller which might have caused the loss of adopting. The additional delay added is to handle cases when the new configuration from the controller causes the root AP to move from current operation channel to other channels resulting in mesh link going down and in turn non-‐root APs losing adoption. This delay is to accommodate the time needed for the non-‐root AP to scan all the channels, and find the best root node and start operation on the new channel and then establish the mesh link re-‐ adopt to the switch. (For countries that use DFS, the scan time is also factored in for the configured value). If the AP fails to find a suitable root node within this time then this new config is a misconfiguration and the device would reject the latest config. For outdoor APs running V5.2.2.0 it is recommended that the misconfiguration-‐recovery-‐time be disabled. This can be accomplished by setting the value to 0. Using an appropriate console terminal and or connection to your device log on to the CLI and follow these steps: ap7131-‐xxxxxx>enable ap7131-‐xxxxxx#configure terminal Enter configuration commands, one per line. End with CNTL/Z. ap7131-‐ xxxxxx (config)#profile ap71xx Non-‐Root AP71xx ap7131-‐ xxxxxx (config-‐profile-‐Non-‐Root-‐AP71xx)#misconfiguration-‐recovery-‐time 0 ap7131-‐xxxxxx(config-‐profile-‐Non-‐Root-‐AP71xx)#


4.2 Smart-‐RF policy configuration and assignment

If you intend to use Channel type as “Smart”, you have to configure a Smart RF policy first. Then you need to apply this policy to the RF Domain configured in your device profiles. Once configured and applied nodes will scan for the best available channels. Root nodes will pick the cleanest channel in the channel list (configured in your smart-‐rf policy). Non-‐root APs will also scan the channels in the channel-‐list to find the best Root AP.

1. Select the Smart RF Policy tab from Configuration Wireless

2. Click on “Add” to take you to the Smart RF configuration page. - Configure the Smart RF policy name. - Enable the policy by clicking the check box.


3. Click OK to confirm this configuration. 4. The other parameters can be left to their default values unless and until they require to be

changed. 5. “Exit’ this configuration page.

6. Select or configure a new RF Domain from Configuration RF Domains - Map the configured Smart RF Policy into the same.



4.3 Adding Profiles

1. Connect the AP that will be used as a root node to the wired network.

2. Go to InterfaceConfigurationDevices

3. After the AP is adopted click edit.

4. Under Profile select the Root profile previously created and click OK.

5. Repeat these steps for all of the Root nodes.


After the Root Profile has been applied to all of the Root nodes the process is repeated on the Non Root nodes using the Non Root profile.

6. Connect the Non Root AP that will be used as a root node to the wired network.

7. Go to InterfaceConfigurationDevices

8. After the AP is adopted click edit.

1. Under Profile select the Non Root profile previously created and click OK.


Important: Make sure that after commiting your profile that a save is performed. Verify that the save has been performed by either the CLI (show startup-‐config) or viewing the startup configuration from the Operations tab in the RFS GUI. After the Non Root profile is applied (commit / save) remove the wired connection to the Non Root AP. Failure to remove the wired connection could result in a bridging loop.

2. Repeat these steps for all Non Root nodes

In this example network we have (1) Root node and (2) Non Root Nodes.

Under to StatisticsMesh Point for the Root node we see both our Non Root nodes in the Path table.


Reminder

In this example Non Bridge VLANs were used.

In our MeshConnex™ Policy we configured the Mesh Point to pass all VLANs 1-‐4094 in the Allowed VLANs box.



4.4 Configuring MeshConnex™ / Bridged VLANs

In the next example MeshConnex™ will be configured to support Bridged VLANs. The previously configured Policy and Profiles will be edited.

This example will use the following VLAN configuration: Device Management 10.0.4.0/26 -‐ VLAN 4 WLAN 10.0.20.0/26 -‐ VLAN 20 Non Root GE1 Ethernet 10.0.30.0/26 -‐ VLAN 30 Note: The RFS6000 and each AP71xx node has already been configured with virtual interface VLAN 4. A DHCP server has also been configured on the RFS6000 to support these VLANs.


1. Access the GUI of the device (https://<ipaddress of controller>) and click on

ConfigurationWirelessMeshConnex™ Policy and edit the MeshConnex™ Policy.


2. Make sure the Allowed VLANs box is empty.

3. Neighbor Idle Timeout should be 1 minute

4. Click OK.

Note: In this example the control VLAN utilized by Mesh is set for VLAN 1. Make sure that the data VLANs used are not same same as the control VLAN. In this example our data VLANs are 20 and 30.


4.4.2 Profile Configurations

In the next several steps the previously created profiles will be edited.

4.4.2.1 Configure Bridge VLANs

First edit the RFS switch profile. 1. In the default-‐rfs6000 profile select Bridge VLAN and click Add.

2. Add VLAN 4 and set the bridge mode to tunnel. Click OK.


3. Next add VLAN 20 and set the bridging mode to tunnel. Click OK.

4. Add VLAN 30 and set the bridging mode to tunnel. Click OK.


You should now see all three VLANs in the default-‐rfs6000 profile. Commit/Save.

5. Edit the Non Root 71xx profile Click on Bridge VLAN and click Add.

Repeat the process and add VLANs 4, 20, and 30.



You should now see all three VLANs added in the AP71xx Non Root profile. Commit/Save.

6. Edit the Root AP71xx profile Click on Bridge VLAN and click Add.

Repeat the process and add VLANs 4, 20, and 30.


You should now see all three VLANs added in the AP71xx Root profile. Commit/Save.


4.4.2.2 Configure WLAN

Create a WLAN with PSK security and configure it to use VLAN 20. 1. Click ConfigurationWireless and select Wireless LANs. Click Add.

2. Add a WLAN name (e.g. Test). Set the bridging mode to Local (it will be tunneled by the bridge). Set the VLAN to 20.


3. Click Security. 4. Select PSK, WPA2-‐CCMP, and configure a Pre-‐Shared Key.

In this example we will be adding this WLAN to our Non Root nodes. 5. Edit the Non Root 71xx profile. Select ConfigurationProfilesNon Root 71xx and click edit.


6. Select InterfaceRadios. Select radio1 and click edit.


7. Under WLAN Mapping / Mesh Mapping add WLAN test to the radio. 8. Commit / Save.

Now any wireless station connecting to WLAN Test will be using VLAN 20.

4.4.2.3 Configure Non Root Ethernet ports to use VLAN 30

Next edit the Non Root Profile and configure the GE1 interface to use VLAN 30. In this example we are not going to trunk VLAN 30 since the devices connected to VLAN 30 will not be VLAN aware. 1. Edit the Non Root 71xx profile. Select ConfigurationProfilesNon Root 71xx and click edit.

2. Select Ethernet PortsGE1 and click edit.


3. Change the Native VLAN to 30. Click ok.


You should now see VLAN 30 on GE1. Commit/Save.

Now any device connected to GE1 on any Non Root node will use VLAN 30 e.g. a laptop connected would receive an IP address from the DHCP pool on 10.0.30.0/26.

Below is a screenshot of the DHCP Server Policy on the RFS6000.


Reminder

In this example Non Bridged VLANs were used.

In our MeshConnex™ Policy we removed all VLANs from the Allowed VLANs box.


4.5 Configuring MeshConnex™ / Bridge & Non Bridged

In this example the existing MeshConnex™ Policy and device profiles will be edited to tunnel the WLAN VLAN 20 and configure VLAN 4 and 30 to pass straight to MCX.

Note: Since we will be editing the previous configured profiles which include bridge VLANs we will make all of the required changes first. After all of the changes have been made a commit/save will be performed.


1. Access the GUI of the device (https://<ipaddress of controller>) and click on

ConfigurationWirelessMeshConnex™ Policy and edit the MeshConnex™ Policy.


2. Add VLAN 4 and VLAN 30 to the allowed VLAN list. Click OK.

4.5.2 Profile Configurations

1. Edit the default-‐rfs6000 profile. Click on NetworkBridge VLAN. Delete VLAN 4 and VLAN 30. Click Exit.


2. Edit the Non Root 71xx profile. Click on NetworkBridge VLAN. Delete VLAN 4 and VLAN 30. Click Exit.

3. Edit the Root AP71xx profile. Click on NetworkBridge VLAN. Delete VLAN 4 and VLAN 30. Click Exit.


4. Edit WLAN test. Click on ConfigurationWirelessWireless LANs. Change the Bridging Mode to tunnel. Click OK.

Click commit / save.

Reminder

In this example a combination of Bridge and Non Bridged VLANs were used.

In our MeshConnex™ Policy we configured the Mesh Point to pass VLAN 4 and VLAN 30 in the Allowed VLANs box.



5. RFS 6000 Running-‐Configuration 5.1 Non Bridged ! ! Configuration of RFS6000 version 5.2.2.0-‐073R ! ! version 2.1 ! ! ip access-‐list BROADCAST-‐MULTICAST-‐CONTROL permit tcp any any rule-‐precedence 10 rule-‐description "permit all TCP traffic" permit udp any eq 67 any eq dhcpc rule-‐precedence 11 rule-‐description "permit DHCP replies" deny udp any range 137 138 any range 137 138 rule-‐precedence 20 rule-‐description "deny windows netbios" deny ip any 224.0.0.0/4 rule-‐precedence 21 rule-‐description "deny IP multicast" deny ip any host 255.255.255.255 rule-‐precedence 22 rule-‐description "deny IP local broadcast" permit ip any any rule-‐precedence 100 rule-‐description "permit all IP traffic" ! mac access-‐list PERMIT-‐ARP-‐AND-‐IPv4 permit any any type ip rule-‐precedence 10 rule-‐description "permit all IPv4 traffic" permit any any type arp rule-‐precedence 20 rule-‐description "permit all ARP traffic" ! firewall-‐policy default no ip dos tcp-‐sequence-‐past-‐window ! firewall-‐policy no_firewall no ip dos smurf no ip dos twinge no ip dos invalid-‐protocol no ip dos router-‐advt no ip dos router-‐solicit no ip dos option-‐route no ip dos ascend no ip dos chargen no ip dos fraggle no ip dos snork no ip dos ftp-‐bounce no ip dos tcp-‐intercept no ip dos broadcast-‐multicast-‐icmp no ip dos land no ip dos tcp-‐xmas-‐scan no ip dos tcp-‐null-‐scan no ip dos winnuke no ip dos tcp-‐fin-‐scan no ip dos udp-‐short-‐hdr no ip dos tcp-‐post-‐syn no ip dos tcphdrfrag no ip dos ip-‐ttl-‐zero no ip dos ipspoof no ip dos tcp-‐bad-‐sequence no ip dos tcp-‐sequence-‐past-‐window no firewall enable ! ! mint-‐policy global-‐default ! meshpoint-‐qos-‐policy default ! wlan-‐qos-‐policy default qos trust dscp qos trust wmm !


radio-‐qos-‐policy default ! wlan Test ssid Test vlan 20 bridging-‐mode local encryption-‐type ccmp authentication-‐type none wpa-‐wpa2 psk 0 symbol@123 ! ap300 default-‐ap300 interface radio1 interface radio2 ! meshpoint Mesh-‐Connex meshid Mesh beacon-‐format mesh-‐point control-‐vlan 1 allowed-‐vlans 1-‐4094 neighbor inactivity-‐timeout 60 security-‐mode psk wpa2 psk 0 symbol@123 no root ! smart-‐rf-‐policy Smart\ RF ! dhcp-‐server-‐policy Telemetry dhcp-‐pool WLAN network 10.0.20.0/26 address range 10.0.20.10 10.0.20.62 domain-‐name cqe.mesh.net default-‐router 10.0.20.1 dns-‐server 10.0.2.4 dhcp-‐pool Ethernet network 10.0.30.0/26 address range 10.0.30.10 10.0.30.62 domain-‐name cqe.mesh.net default-‐router 10.0.30.1 dns-‐server 10.0.2.4 dhcp-‐pool Devices network 10.0.4.0/26 address range 10.0.4.10 10.0.4.62 domain-‐name cqe.mesh.net default-‐router 10.0.4.1 dns-‐server 10.0.2.4 ! ! management-‐policy default telnet http server https server ssh user admin password 1 e44b419340d0b973a154eddb646a572b59170594ee7112e3758e5e044a76dd35 role superuser access all user operator password 1 c1b5ac3b680b9f622eed6a6a9b482a998f81b67c190d6e15eacf2503b85a5a9e role monitor access all no snmp-‐server manager v2 snmp-‐server community public ro snmp-‐server community private rw snmp-‐server user snmpoperator v3 encrypted des auth md5 0 operator snmp-‐server user snmptrap v3 encrypted des auth md5 0 motorola snmp-‐server user snmpmanager v3 encrypted des auth md5 0 motorola idle-‐session-‐timeout 0 ! profile rfs6000 default-‐rfs6000 ip name-‐server 10.0.2.4 ip domain-‐name cqe.mesh.net autoinstall configuration


autoinstall firmware crypto isakmp policy default crypto ipsec transform-‐set default esp-‐aes-‐256 esp-‐sha-‐hmac interface me1 ip address 10.1.1.100/24 interface up1 ip dhcp trust qos trust dscp qos trust 802.1p interface ge1 ip dhcp trust qos trust dscp qos trust 802.1p no power interface ge2 ip dhcp trust qos trust dscp qos trust 802.1p interface ge3 ip dhcp trust qos trust dscp qos trust 802.1p interface ge4 ip dhcp trust qos trust dscp qos trust 802.1p interface ge5 ip dhcp trust qos trust dscp qos trust 802.1p interface ge6 ip dhcp trust qos trust dscp qos trust 802.1p interface ge7 ip dhcp trust qos trust dscp qos trust 802.1p interface ge8 ip dhcp trust qos trust dscp qos trust 802.1p interface vlan1 ip address dhcp interface wwan1 use dhcp-‐server-‐policy Telemetry use firewall-‐policy default service pm sys-‐restart ! profile ap71xx Non\ Root\ 71xx no autoinstall configuration no autoinstall firmware interface radio1 wlan Test bss 1 primary interface radio2 channel 149+ rate-‐selection opportunistic placement outdoor meshpoint Mesh-‐Connex bss 1 interface radio3 interface ge1 switchport mode access switchport access vlan 30 ip dhcp trust qos trust dscp qos trust 802.1p


interface ge2 ip dhcp trust qos trust dscp qos trust 802.1p interface vlan4 ip address dhcp interface wwan1 use firewall-‐policy default service pm sys-‐restart meshpoint-‐device Mesh-‐Connex name Mesh-‐Connex ! profile ap71xx Root\ AP71xx no autoinstall configuration no autoinstall firmware interface radio1 interface radio2 channel 149+ rate-‐selection opportunistic placement outdoor meshpoint Mesh-‐Connex bss 1 interface radio3 interface ge1 switchport mode trunk switchport trunk native vlan 1 no switchport trunk native tagged switchport trunk allowed vlan 1,4,20,30 ip arp trust ip dhcp trust qos trust dscp qos trust 802.1p interface ge2 ip dhcp trust qos trust dscp qos trust 802.1p interface vlan4 ip address dhcp interface wwan1 use firewall-‐policy default service pm sys-‐restart meshpoint-‐device Mesh-‐Connex name Mesh-‐Connex root ! rf-‐domain default timezone America/New_York country-‐code us use smart-‐rf-‐policy Smart\ RF ! rfs6000 5C-‐0E-‐8B-‐18-‐F5-‐7A use profile default-‐rfs6000 use rf-‐domain default hostname rfs6000-‐18F57A license AP ip default-‐gateway 10.0.4.1 interface ge1 switchport mode trunk switchport trunk native vlan 1 no switchport trunk native tagged switchport trunk allowed vlan 1-‐4094 ip arp trust interface vlan4 ip address 10.0.4.3/26 no ip dhcp client request options all interface vlan30 ip address 10.0.30.2/26


use dhcp-‐server-‐policy Telemetry use firewall-‐policy no_firewall ! ap71xx 00-‐15-‐70-‐C7-‐93-‐58 use profile Non\ Root\ 71xx use rf-‐domain default hostname ap7161-‐C79358 ! ap71xx 00-‐15-‐70-‐E5-‐A7-‐F8 use profile Root\ AP71xx use rf-‐domain default hostname AP7161-‐Root-‐49:20 ! ap71xx 00-‐23-‐68-‐0B-‐FA-‐FC use profile Non\ Root\ 71xx use rf-‐domain default hostname ap7131-‐0BFAFC ! ! end rfs6000-‐18F57A#

5.2 Bridged ! ! Configuration of RFS6000 version 5.2.2.0-‐073R ! ! version 2.1 ! ! ip access-‐list BROADCAST-‐MULTICAST-‐CONTROL permit tcp any any rule-‐precedence 10 rule-‐description "permit all TCP traffic" permit udp any eq 67 any eq dhcpc rule-‐precedence 11 rule-‐description "permit DHCP replies" deny udp any range 137 138 any range 137 138 rule-‐precedence 20 rule-‐description "deny windows netbios" deny ip any 224.0.0.0/4 rule-‐precedence 21 rule-‐description "deny IP multicast" deny ip any host 255.255.255.255 rule-‐precedence 22 rule-‐description "deny IP local broadcast" permit ip any any rule-‐precedence 100 rule-‐description "permit all IP traffic" ! mac access-‐list PERMIT-‐ARP-‐AND-‐IPv4 permit any any type ip rule-‐precedence 10 rule-‐description "permit all IPv4 traffic" permit any any type arp rule-‐precedence 20 rule-‐description "permit all ARP traffic" ! firewall-‐policy default no ip dos tcp-‐sequence-‐past-‐window ! firewall-‐policy no_firewall no ip dos smurf no ip dos twinge no ip dos invalid-‐protocol no ip dos router-‐advt no ip dos router-‐solicit no ip dos option-‐route no ip dos ascend no ip dos chargen no ip dos fraggle no ip dos snork no ip dos ftp-‐bounce no ip dos tcp-‐intercept no ip dos broadcast-‐multicast-‐icmp no ip dos land no ip dos tcp-‐xmas-‐scan no ip dos tcp-‐null-‐scan no ip dos winnuke no ip dos tcp-‐fin-‐scan


no ip dos udp-‐short-‐hdr no ip dos tcp-‐post-‐syn no ip dos tcphdrfrag no ip dos ip-‐ttl-‐zero no ip dos ipspoof no ip dos tcp-‐bad-‐sequence no ip dos tcp-‐sequence-‐past-‐window no firewall enable ! ! mint-‐policy global-‐default ! meshpoint-‐qos-‐policy default ! wlan-‐qos-‐policy default qos trust dscp qos trust wmm ! radio-‐qos-‐policy default ! wlan Test ssid Test vlan 20 bridging-‐mode local encryption-‐type ccmp authentication-‐type none wpa-‐wpa2 psk 0 symbol@123 ! ap300 default-‐ap300 interface radio1 interface radio2 ! meshpoint Mesh-‐Connex meshid Mesh beacon-‐format mesh-‐point control-‐vlan 1 neighbor inactivity-‐timeout 60 security-‐mode psk wpa2 psk 0 symbol@123 no root ! smart-‐rf-‐policy Smart\ RF ! dhcp-‐server-‐policy Telemetry dhcp-‐pool WLAN network 10.0.20.0/26 address range 10.0.20.10 10.0.20.62 domain-‐name cqe.mesh.net default-‐router 10.0.20.1 dns-‐server 10.0.2.4 dhcp-‐pool Ethernet network 10.0.30.0/26 address range 10.0.30.10 10.0.30.62 domain-‐name cqe.mesh.net default-‐router 10.0.30.1 dns-‐server 10.0.2.4 dhcp-‐pool Devices network 10.0.4.0/26 address range 10.0.4.10 10.0.4.62 domain-‐name cqe.mesh.net default-‐router 10.0.4.1 dns-‐server 10.0.2.4 ! ! management-‐policy default telnet


http server https server ssh user admin password 1 e44b419340d0b973a154eddb646a572b59170594ee7112e3758e5e044a76dd35 role superuser access all user operator password 1 c1b5ac3b680b9f622eed6a6a9b482a998f81b67c190d6e15eacf2503b85a5a9e role monitor access all no snmp-‐server manager v2 snmp-‐server community public ro snmp-‐server community private rw snmp-‐server user snmpoperator v3 encrypted des auth md5 0 operator snmp-‐server user snmptrap v3 encrypted des auth md5 0 motorola snmp-‐server user snmpmanager v3 encrypted des auth md5 0 motorola idle-‐session-‐timeout 0 ! profile rfs6000 default-‐rfs6000 bridge vlan 4 bridging-‐mode tunnel ip igmp snooping ip igmp snooping querier bridge vlan 20 bridging-‐mode tunnel ip igmp snooping ip igmp snooping querier bridge vlan 30 bridging-‐mode tunnel ip igmp snooping ip igmp snooping querier ip name-‐server 10.0.2.4 ip domain-‐name cqe.mesh.net autoinstall configuration autoinstall firmware crypto isakmp policy default crypto ipsec transform-‐set default esp-‐aes-‐256 esp-‐sha-‐hmac interface me1 ip address 10.1.1.100/24 interface up1 ip dhcp trust qos trust dscp qos trust 802.1p interface ge1 ip dhcp trust qos trust dscp qos trust 802.1p no power interface ge2 ip dhcp trust qos trust dscp qos trust 802.1p interface ge3 ip dhcp trust qos trust dscp qos trust 802.1p interface ge4 ip dhcp trust qos trust dscp qos trust 802.1p interface ge5 ip dhcp trust qos trust dscp qos trust 802.1p interface ge6 ip dhcp trust qos trust dscp qos trust 802.1p interface ge7 ip dhcp trust qos trust dscp


qos trust 802.1p interface ge8 ip dhcp trust qos trust dscp qos trust 802.1p interface vlan1 ip address dhcp interface wwan1 use dhcp-‐server-‐policy Telemetry use firewall-‐policy default service pm sys-‐restart ! profile ap71xx Non\ Root\ 71xx bridge vlan 4 bridging-‐mode tunnel ip igmp snooping ip igmp snooping querier bridge vlan 20 bridging-‐mode tunnel ip igmp snooping ip igmp snooping querier bridge vlan 30 bridging-‐mode tunnel ip igmp snooping ip igmp snooping querier no autoinstall configuration no autoinstall firmware interface radio1 wlan Test bss 1 primary interface radio2 channel 149+ rate-‐selection opportunistic placement outdoor meshpoint Mesh-‐Connex bss 1 interface radio3 interface ge1 switchport mode access switchport access vlan 30 ip dhcp trust qos trust dscp qos trust 802.1p interface ge2 ip dhcp trust qos trust dscp qos trust 802.1p interface vlan4 ip address dhcp interface wwan1 use firewall-‐policy default service pm sys-‐restart meshpoint-‐device Mesh-‐Connex name Mesh-‐Connex ! profile ap71xx Root\ AP71xx bridge vlan 4 bridging-‐mode tunnel ip igmp snooping ip igmp snooping querier bridge vlan 20 bridging-‐mode tunnel ip igmp snooping ip igmp snooping querier bridge vlan 30 bridging-‐mode tunnel ip igmp snooping ip igmp snooping querier


no autoinstall configuration no autoinstall firmware interface radio1 interface radio2 channel 149+ rate-‐selection opportunistic placement outdoor meshpoint Mesh-‐Connex bss 1 interface radio3 interface ge1 switchport mode trunk switchport trunk native vlan 1 no switchport trunk native tagged switchport trunk allowed vlan 1,4,20,30 ip arp trust ip dhcp trust qos trust dscp qos trust 802.1p interface ge2 ip dhcp trust qos trust dscp qos trust 802.1p interface vlan4 ip address dhcp interface wwan1 use firewall-‐policy default service pm sys-‐restart meshpoint-‐device Mesh-‐Connex name Mesh-‐Connex root ! rf-‐domain default timezone America/New_York country-‐code us use smart-‐rf-‐policy Smart\ RF ! rfs6000 5C-‐0E-‐8B-‐18-‐F5-‐7A use profile default-‐rfs6000 use rf-‐domain default hostname rfs6000-‐18F57A license AP 96a945bf56a7eba8a410d4594797fecd2c4f7b55dd6d11179921fc5f1912f4a4d4482e94b9ee0d26 ip default-‐gateway 10.0.4.1 interface ge1 switchport mode trunk switchport trunk native vlan 1 no switchport trunk native tagged switchport trunk allowed vlan 1-‐4094 ip arp trust interface vlan4 ip address 10.0.4.3/26 no ip dhcp client request options all interface vlan30 ip address 10.0.30.2/26 use dhcp-‐server-‐policy Telemetry use firewall-‐policy no_firewall ! ap71xx 00-‐15-‐70-‐C7-‐93-‐58 use profile Non\ Root\ 71xx use rf-‐domain default hostname ap7161-‐C79358 ! ap71xx 00-‐15-‐70-‐E5-‐A7-‐F8 use profile Root\ AP71xx use rf-‐domain default hostname AP7161-‐Root-‐49:20 !


ap71xx 00-‐23-‐68-‐0B-‐FA-‐FC use profile Non\ Root\ 71xx use rf-‐domain default hostname ap7131-‐0BFAFC ! ! end rfs6000-‐18F57A#

5.3 Bridged / Non Bridged ! ! Configuration of RFS6000 version 5.2.2.0-‐073R ! ! version 2.1 ! ! ip access-‐list BROADCAST-‐MULTICAST-‐CONTROL permit tcp any any rule-‐precedence 10 rule-‐description "permit all TCP traffic" permit udp any eq 67 any eq dhcpc rule-‐precedence 11 rule-‐description "permit DHCP replies" deny udp any range 137 138 any range 137 138 rule-‐precedence 20 rule-‐description "deny windows netbios" deny ip any 224.0.0.0/4 rule-‐precedence 21 rule-‐description "deny IP multicast" deny ip any host 255.255.255.255 rule-‐precedence 22 rule-‐description "deny IP local broadcast" permit ip any any rule-‐precedence 100 rule-‐description "permit all IP traffic" ! mac access-‐list PERMIT-‐ARP-‐AND-‐IPv4 permit any any type ip rule-‐precedence 10 rule-‐description "permit all IPv4 traffic" permit any any type arp rule-‐precedence 20 rule-‐description "permit all ARP traffic" ! firewall-‐policy default no ip dos tcp-‐sequence-‐past-‐window ! firewall-‐policy no_firewall no ip dos smurf no ip dos twinge no ip dos invalid-‐protocol no ip dos router-‐advt no ip dos router-‐solicit no ip dos option-‐route no ip dos ascend no ip dos chargen no ip dos fraggle no ip dos snork no ip dos ftp-‐bounce no ip dos tcp-‐intercept no ip dos broadcast-‐multicast-‐icmp no ip dos land no ip dos tcp-‐xmas-‐scan no ip dos tcp-‐null-‐scan no ip dos winnuke no ip dos tcp-‐fin-‐scan no ip dos udp-‐short-‐hdr no ip dos tcp-‐post-‐syn no ip dos tcphdrfrag no ip dos ip-‐ttl-‐zero no ip dos ipspoof no ip dos tcp-‐bad-‐sequence no ip dos tcp-‐sequence-‐past-‐window no firewall enable ! !


mint-‐policy global-‐default ! meshpoint-‐qos-‐policy default ! wlan-‐qos-‐policy default qos trust dscp qos trust wmm ! radio-‐qos-‐policy default ! wlan Test ssid Test vlan 20 bridging-‐mode tunnel encryption-‐type ccmp authentication-‐type none wpa-‐wpa2 psk 0 symbol@123 ! ap300 default-‐ap300 interface radio1 interface radio2 ! meshpoint Mesh-‐Connex meshid Mesh beacon-‐format mesh-‐point control-‐vlan 1 allowed-‐vlans 4,30 neighbor inactivity-‐timeout 60 security-‐mode psk wpa2 psk 0 symbol@123 no root ! smart-‐rf-‐policy Smart\ RF ! dhcp-‐server-‐policy Telemetry dhcp-‐pool WLAN network 10.0.20.0/26 address range 10.0.20.10 10.0.20.62 domain-‐name cqe.mesh.net default-‐router 10.0.20.1 dns-‐server 10.0.2.4 dhcp-‐pool Ethernet network 10.0.30.0/26 address range 10.0.30.10 10.0.30.62 domain-‐name cqe.mesh.net default-‐router 10.0.30.1 dns-‐server 10.0.2.4 dhcp-‐pool Devices network 10.0.4.0/26 address range 10.0.4.10 10.0.4.62 domain-‐name cqe.mesh.net default-‐router 10.0.4.1 dns-‐server 10.0.2.4 ! ! management-‐policy default telnet http server https server ssh user admin password 1 e44b419340d0b973a154eddb646a572b59170594ee7112e3758e5e044a76dd35 role superuser access all user operator password 1 c1b5ac3b680b9f622eed6a6a9b482a998f81b67c190d6e15eacf2503b85a5a9e role monitor access all no snmp-‐server manager v2 snmp-‐server community public ro snmp-‐server community private rw snmp-‐server user snmpoperator v3 encrypted des auth md5 0 operator


snmp-‐server user snmptrap v3 encrypted des auth md5 0 motorola snmp-‐server user snmpmanager v3 encrypted des auth md5 0 motorola idle-‐session-‐timeout 0 ! profile rfs6000 default-‐rfs6000 bridge vlan 20 bridging-‐mode tunnel ip igmp snooping ip igmp snooping querier ip name-‐server 10.0.2.4 ip domain-‐name cqe.mesh.net autoinstall configuration autoinstall firmware crypto isakmp policy default crypto ipsec transform-‐set default esp-‐aes-‐256 esp-‐sha-‐hmac interface me1 ip address 10.1.1.100/24 interface up1 ip dhcp trust qos trust dscp qos trust 802.1p interface ge1 ip dhcp trust qos trust dscp qos trust 802.1p no power interface ge2 ip dhcp trust qos trust dscp qos trust 802.1p interface ge3 ip dhcp trust qos trust dscp qos trust 802.1p interface ge4 ip dhcp trust qos trust dscp qos trust 802.1p interface ge5 ip dhcp trust qos trust dscp qos trust 802.1p interface ge6 ip dhcp trust qos trust dscp qos trust 802.1p interface ge7 ip dhcp trust qos trust dscp qos trust 802.1p interface ge8 ip dhcp trust qos trust dscp qos trust 802.1p interface vlan1 ip address dhcp interface wwan1 use dhcp-‐server-‐policy Telemetry use firewall-‐policy default service pm sys-‐restart ! profile ap71xx Non\ Root\ 71xx bridge vlan 20 bridging-‐mode tunnel ip igmp snooping ip igmp snooping querier


no autoinstall configuration no autoinstall firmware interface radio1 wlan Test bss 1 primary interface radio2 channel 149+ rate-‐selection opportunistic placement outdoor meshpoint Mesh-‐Connex bss 1 interface radio3 interface ge1 switchport mode access switchport access vlan 30 ip dhcp trust qos trust dscp qos trust 802.1p interface ge2 ip dhcp trust qos trust dscp qos trust 802.1p interface vlan4 ip address dhcp interface wwan1 use firewall-‐policy default service pm sys-‐restart meshpoint-‐device Mesh-‐Connex name Mesh-‐Connex ! profile ap71xx Root\ AP71xx bridge vlan 20 bridging-‐mode tunnel ip igmp snooping ip igmp snooping querier no autoinstall configuration no autoinstall firmware interface radio1 interface radio2 channel 149+ rate-‐selection opportunistic placement outdoor meshpoint Mesh-‐Connex bss 1 interface radio3 interface ge1 switchport mode trunk switchport trunk native vlan 1 no switchport trunk native tagged switchport trunk allowed vlan 1,4,20,30 ip arp trust ip dhcp trust qos trust dscp qos trust 802.1p interface ge2 ip dhcp trust qos trust dscp qos trust 802.1p interface vlan4 ip address dhcp interface wwan1 use firewall-‐policy default service pm sys-‐restart meshpoint-‐device Mesh-‐Connex name Mesh-‐Connex root ! rf-‐domain default timezone America/New_York


country-‐code us use smart-‐rf-‐policy Smart\ RF ! rfs6000 5C-‐0E-‐8B-‐18-‐F5-‐7A use profile default-‐rfs6000 use rf-‐domain default hostname rfs6000-‐18F57A license AP ip default-‐gateway 10.0.4.1 interface ge1 switchport mode trunk switchport trunk native vlan 1 no switchport trunk native tagged switchport trunk allowed vlan 1-‐4094 ip arp trust interface vlan4 ip address 10.0.4.3/26 no ip dhcp client request options all interface vlan30 ip address 10.0.30.2/26 use dhcp-‐server-‐policy Telemetry use firewall-‐policy no_firewall ! ap71xx 00-‐15-‐70-‐C7-‐93-‐58 use profile Non\ Root\ 71xx use rf-‐domain default hostname ap7161-‐C79358 ! ap71xx 00-‐15-‐70-‐E5-‐A7-‐F8 use profile Root\ AP71xx use rf-‐domain default hostname AP7161-‐Root-‐49:20 ! ap71xx 00-‐23-‐68-‐0B-‐FA-‐FC use profile Non\ Root\ 71xx use rf-‐domain default hostname ap7131-‐0BFAFC ! ! end

Documents

WiNG 5.X How to - Mesh Connex