Aerohive Configuration guide

Page 1: Aerohive Configuration guide

© 2013 Aerohive Networks CONFIDENTIAL

AEROHIVE CERTIFIED NETWORKING PROFESSIONAL (ACNP)


Page 2: Aerohive Configuration guide


Introductions

• What is your name?
• What is your organization’s name?
• How long have you worked in networking?
• What was your 1st computer?

Page 3: Aerohive Configuration guide


Facilities Discussion

• Course Material Distribution

• Course Times

• Restrooms

• Break room

• Smoking Area

• Break Schedule
  › Morning Break
  › Lunch Break
  › Afternoon Break

Page 4: Aerohive Configuration guide


Aerohive Switching & Routing Configuration (ACNP) – Course Overview

Each student connects to HiveManager, a remote PC, and an Aerohive AP over the Internet from their wireless-enabled laptop in the classroom, and then performs hands-on labs that cover the following topics:

• Overview of Switching and Routing Platforms
• Unified Network Policy Management
• Spanning Tree
• Device Templates
• Port Types (802.1Q Ports, Phone and Data Ports, Secure Access Ports, Guest Access Ports and WAN ports)
• Aggregate Channels
• PoE
• VLAN to Network mapping
• Router templates
• Parent networks and branch subnets
• Layer 3 VPN with VPN Gateway Virtual Appliance
• Policy Based Routing
• Router Firewall
• Cookie Cutter Branch Networking

2 Day Hands-on Class

Page 5: Aerohive Configuration guide

Aerohive Training Remote Lab

• Aerohive Access Points using external antenna connections and RF cables to connect to USB Wi-Fi client cards (black cables)
• Access Points are connected from eth0 to Aerohive Managed Switches with 802.1Q VLAN trunk support providing PoE to the APs (yellow cables)
• Firewall with routing support, NAT, and multiple Virtual Router Instances
• Access Points are connected from their console port to a console server (white cables)
• Console server to permit SSH access into the serial console of Aerohive Access Points
• Server running VMware ESXi running Active Directory, RADIUS, NPS and hosting the virtual clients used for testing configurations to support the labs

Page 6: Aerohive Configuration guide


Aerohive CBT Learning

http://www.aerohive.com/cbt

Page 7: Aerohive Configuration guide


The 20 Minute Getting Started Video Explains the Details

Please view the Aerohive Getting Started Videos:

http://www.aerohive.com/330000/docs/help/english/cbt/Start.htm

Page 8: Aerohive Configuration guide


Aerohive Technical Documentation

All the latest technical documentation is available for download at:

http://www.aerohive.com/techdocs

Page 9: Aerohive Configuration guide


Aerohive Instructor Led Training

• Aerohive Education Services offers a complete curriculum that provides you with the courses you will need as a customer or partner to properly design, deploy, administer, and troubleshoot all Aerohive WLAN solutions.

• Aerohive Certified WLAN Administrator (ACWA) – First-level course

• Aerohive Certified WLAN Professional (ACWP) – Second-level course

• Aerohive Certified Network Professional (ACNP) – Switching/Routing course

• www.aerohive.com/training – Aerohive Class Schedule

Page 10: Aerohive Configuration guide


Over 20 books about networking have been written by Aerohive Employees

CWNA Certified Wireless Network Administrator Official Study Guide by David D. Coleman and David A. Westcott

CWSP Certified Wireless Security Professional Official Study Guide by David D. Coleman, David A. Westcott, Bryan E. Harkins and Shawn M. Jackman

CWAP Certified Wireless Analysis Professional Official Study Guide by David D. Coleman, David A. Westcott, Ben Miller and Peter MacKenzie

802.11 Wireless Networks: The Definitive Guide, Second Edition by Matthew Gast

802.11n: A Survival Guide by Matthew Gast

802.11ac: A Survival Guide by Matthew Gast

Page 11: Aerohive Configuration guide

Aerohive Exams and Certifications

• Aerohive Certified Wireless Administrator (ACWA) is a first-level certification that validates your knowledge and understanding about Aerohive Network’s WLAN Cooperative Control Architecture. (Based upon Instructor Led Course)

• Aerohive Certified Wireless Professional (ACWP) is the second-level certification that validates your knowledge and understanding about Aerohive advanced configuration and troubleshooting. (Based upon Instructor Led Course)

• Aerohive Certified Network Professional (ACNP) is another second-level certification that validates your knowledge about Aerohive switching and branch routing. (Based upon Instructor Led Course)

Page 12: Aerohive Configuration guide

Aerohive Forums

• Aerohive’s online community – HiveNation
  Have a question, an idea or praise you want to share? Join the HiveNation Community - a place where customers, evaluators, thought leaders and students like yourselves can learn about Aerohive and our products while engaging with like-minded individuals.

• Please, take a moment and register during class if you are not already a member of HiveNation. Go to http://community.aerohive.com/aerohive and sign up!

Page 13: Aerohive Configuration guide


Aerohive Social Media

The HiveMind Blog: http://blogs.aerohive.com

Follow us on Twitter: @Aerohive
Instructor: David Coleman: @mistermultipath
Instructor: Bryan Harkins: @80211University
Instructor: Gregor Vucajnk: @GregorVucajnk
Instructor: Metka Dragos: @MetkaDragos

Please feel free to tweet about #Aerohive training during class.

Page 14: Aerohive Configuration guide


Aerohive Technical Support – General

I want to talk to somebody live.
Call us at 408-510-6100 / Option 2. We also provide service toll-free from within the US & Canada by dialing (866) 365-9918. Aerohive has Support Engineers in the US, China, and the UK, providing coverage 24 hours a day.

How do I buy Technical Support?
Support Contracts are sold on a yearly basis, with discounts for multi-year purchases. Customers can opt to purchase Support in either 8x5 format or in a 24 hour format.

I have different expiration dates on several Entitlement keys, may I combine all my support so it all expires on the same date?
Your Aerohive Sales Rep can help you set up Co-Term, which allows you to select matching expiration dates for all your support.

Page 15: Aerohive Configuration guide


Aerohive Technical Support – The Americas

How do I reach Technical Support?
Aerohive Technical Support is available 24 hours a day. This can be via the Aerohive Support Portal or by calling. For the Support Portal, an authorized customer can open a Support Case. Communication is managed via the portal with new messages and replies. Once the issue is resolved, the case is closed, and can be retrieved at any time in the future.

I want to talk to somebody live.
For those who wish to speak with an engineer, call us at 408-510-6100 / Option 2. We also provide service toll-free from within the US & Canada by dialing (866) 365-9918.

I need an RMA in The Americas
An RMA is generated via the Support Portal, or by calling our Technical Support group. After troubleshooting, should the unit require repair, we will overnight* a replacement to the US and Canada. Other countries are international. If the unit is DOA, it’s replaced with a brand new item; if not, it is replaced with a like-new refurbished item.

*Restrictions may apply: time of day, location, etc.

Page 16: Aerohive Configuration guide


Aerohive Technical Support – International

How Do I get Technical Support outside The Americas?
Aerohive international Partners provide dedicated Technical Support to their customers. The Partner has received specialized training on Aerohive Networks’ product line, and has access to 24 hour Internal Aerohive Technical Support via the Support Portal, or by calling 408-510-6100 / Option 2.

I need an RMA internationally
World customers’ defective units are quickly replaced by our Partners, and Aerohive replaces the Partner’s stock once it arrives at our location. Partners are responsible for all shipping charges, duties, taxes, etc.

Page 17: Aerohive Configuration guide

Copyright Notice

Copyright © 2013 Aerohive Networks, Inc. All rights reserved.

Aerohive Networks, the Aerohive Networks logo, HiveOS, Aerohive AP, HiveManager, and GuestManager are trademarks of Aerohive Networks, Inc. All other trademarks and registered trademarks are the property of their respective companies.

Page 18: Aerohive Configuration guide


QUESTIONS?

Page 19: Aerohive Configuration guide

Overview of hardware and software platforms

SWITCHING & ROUTING PRODUCT LINE

Page 20: Aerohive Configuration guide

Aerohive Switching Platforms

SR2024P
• 24 Gigabit Ethernet
• 24 PoE+ (195 W)
• 56 Gbps switching
• Routing with 3G/4G USB support and Line rate switching
• Single Power Supply

SR2124P
• 24 Gigabit Ethernet
• 4 Ports 1G SFP Uplinks
• 24 PoE+ (408 W)
• 128 Gbps switch
• Switching Only
• Redundant Power Supply Capable

SR2148P
• 48 Gbps Ethernet
• 4 Ports 10 G SFP/SFP+ Uplinks
• 48 PoE+ (779 W)
• 176 Gbps switch
• Switching Only
• Redundant Power Supply Capable

Page 21: Aerohive Configuration guide

Class Switches Deployed in Data Center

• SR2024
  › Line Rate Layer 2 Switch
  › 8 Ports of PoE
  › Multi-authentication access ports
    » 802.1X with fallback to MAC auth or open
  › Client Visibility
    » View client information by port
  › RADIUS Server
  › Internet Router
  › DHCP Server
  › USB 3G/4G Backup
  › Policy-based routing with Identity

[Diagram: SR2024 providing PoE to APs, with an Internet uplink and a 3G/4G LTE backup link]

Provides Access For:
• Employees
• Guests
• Contractors
• Phones
• APs
• Servers

Note: The switch model (2024) used in the lab has been superseded by improved models.

Page 22: Aerohive Configuration guide

HiveManager Form Factors

Express Mode
• Optimized for ease of use
• Uniform company-wide policy
• One user profile per SSID

Enterprise Mode
• Enterprise sophistication
• Multiple Network policies
• Multiple user profiles/SSID

HiveManager Appliance 2U
• Redundant power & fans
• HA redundancy
• 5000 APs

HiveManager Virtual Appliance
• VMware ESX & Player
• HA redundancy
• 1500 APs with minimum configuration

HiveManager Appliance
• Redundant power & fans
• HA redundancy
• 8000 APs

HiveManager Virtual Appliance
• VMware ESX & Player
• HA redundancy
• 5000 APs with minimum configuration

HiveManager Online
• Cloud-based SaaS management

Seamless Upgrade Path
• Increasing deployment size
• Increasing network complexity

Features: Topology, Reporting, Heat Maps, SLA Compliance, RF Planner, SW, Config, & Policy, Guest Mgmt

Page 23: Aerohive Configuration guide

HiveManager Appliance

Page 24: Aerohive Configuration guide

HiveManager Databases

Page 25: Aerohive Configuration guide

Aerohive Routing Platforms

BR 100 | BR 200 | AP 330 / AP 350 (comparison table; the column layout did not survive extraction)

• Radios: Single Radio (BR 100, BR 200); Dual Radio (AP 330, AP 350)
• BR 100: 1x1 11bgn
• BR 200: 3x3:3 450 Mbps 11abgn
• Ethernet: 5X 10/100 (BR 100); 5X 10/100/1000 (BR 200); 2X 10/100/1000 Ethernet (AP 330 / AP 350)
• FW/VPN throughput shown: 5-10 Mbps FW/VPN; 30-50 Mbps FW/VPN
• PoE PSE shown: 0 PoE PSE; 0 PoE PSE; 2X PoE PSE
• * Also available as a non-Wi-Fi device

L3 IPSec VPN Gateway
• ~500 Mbps VPN
• 4000/1024 Tunnels
• Physical/Virtual VPN Gateways

Page 26: Aerohive Configuration guide

BR100 vs. BR200

BR100                                  | BR200/BR200WP
---------------------------------------|-------------------------------------------
5x FastEthernet                        | 5x Gigabit Ethernet
1x1 11bgn (2.4 GHz) single radio       | 3x3:3 11abgn dual-band single radio (WP)
No integrated PoE                      | PoE (in WP model)
No console port                        | Console Port
No Spectrum Analysis                   | Integrated Spectrum Analysis (WP)
No Wireless Intrusion Detection        | Full Aerohive WIPS (WP)
No local RADIUS or AD integration      | Full Aerohive RADIUS, proxy, and AD
No SNMP logging                        | SNMP Support

Page 27: Aerohive Configuration guide

Aerohive AP Platforms

(Comparison table; the column layout did not survive extraction. Models shown: AP170 (Outdoor), AP390 (Indoor Industrial), AP230, AP121, AP141, AP330, AP350 and AP370*.)

• AP170 (Outdoor): 2x2:2 300 Mbps 11n High Power Radios; 1X Gig.E; -40 to 55°C; PoE (802.3at); Water Proof (IP 68)
• Entries on the slide not attributable to a single column: Dual Radio 802.11ac/n with 3x3:3 450 + 1300 Mbps High Power Radios and 2X Gig E w/ PoE Failover; Dual Radio 802.11n with 3x3:3 450 Mbps High Power Radios; Dual Radio 802.11n with 2x2:2 300 Mbps High Power Radios and 1X Gig.E; 2X Gig.E w/ link aggregation; 2X Gig.E - 10/100 link aggregation; TPM Security Chip; PoE (802.3af + 802.3at) and AC Power; USB for 3G/4G Modem; USB for future use; Plenum Rated; Plenum/Dust Proof; Indoor; Indoor Industrial; -20 to 55°C; 0 to 40°C

* Includes 5 GHz Transmit Beamforming and in 2.4 GHz has TurboQAM

Page 28: Aerohive Configuration guide

VPN Gateway Virtual Appliance

• Supports the following
  › GRE Tunnel Gateway
  › L2 IPSec VPN Gateway
  › L3 IPSec VPN Gateway
  › RADIUS Authentication Server
  › RADIUS Relay Agent
  › Bonjour Gateway
  › DHCP server

• Use a VPN Gateway Virtual Appliance instead of an AP when higher scalability for these features is required

Function                                          Scale
VPN Tunnels                                       1024 Tunnels
RADIUS – Local users per VPN Gateway              9999
# Users Cache (RADIUS Server)                     1024
# Simultaneous (RADIUS Server) authentications    256

Page 29: Aerohive Configuration guide

VPN Gateway Physical Appliance

• Supports the following
  › GRE Tunnel Gateway
  › L2 IPSec VPN Gateway
  › L3 IPSec VPN Gateway
  › RADIUS Authentication Server
  › RADIUS Relay Agent
  › Bonjour Gateway
  › DHCP server

• Use a VPN Gateway Appliance instead of an AP when higher scalability for these features is required

Function                                          Scale
VPN Tunnels                                       4000 Tunnels
RADIUS – Local users per VPN Gateway              9999
# Users Cache (RADIUS Server)                     1024
# Simultaneous (RADIUS Server) authentications    256

Ports: One 10/100/1000 WAN port; four LAN ports, two of which support PoE

Page 30: Aerohive Configuration guide


QUESTIONS?

Page 31: Aerohive Configuration guide

Lab Infrastructure

[Diagram: Core, Distribution and Access layers. Each student space (Student 2 ... Student X) has a PC, an SR2024 providing PoE, and an AP; the Instructor Space hosts HiveManager.]

Router:
VLAN 1 ip address 10.100.1.1/24
VLAN 2 ip address 10.100.2.1/24
VLAN 8 ip address 10.100.8.1/24
VLAN 10 ip address 10.100.10.1/24

Page 32: Aerohive Configuration guide

SWITCHING

Page 33: Aerohive Configuration guide

Lab: Setting up a Wireless Network
1. Connect to the Hosted Training HiveManager

• Securely browse to the appropriate HiveManager for class
  › TRAINING LAB 1: https://training-hm1.aerohive.com / https://72.20.106.120
  › TRAINING LAB 2: https://training-hm2.aerohive.com / https://72.20.106.66
  › TRAINING LAB 3: https://training-hm3.aerohive.com / https://209.128.124.220
  › TRAINING LAB 4: https://training-hm4.aerohive.com / https://203.214.188.200
  › TRAINING LAB 5: https://training-hm5.aerohive.com / https://209.128.124.230

• Supported Browsers:
  › Firefox, Internet Explorer, Chrome, Safari

• Class Login Credentials:
  › Login: adminX (X = Student ID 2 - 29)
  › Password: aerohive123

NOTE: In order to access the HiveManager, someone at your location needs to enter the training firewall credentials given to them by the instructor first.

Page 34: Aerohive Configuration guide

Lab: Setting Up a Wireless Network
2. Create a Network Policy

• Go to Configuration

• Click the New Button

Page 35: Aerohive Configuration guide

Lab: Setting Up a Wireless Network
3. Enable network policy options

• Name: Access-X
• Check the options for
  › Wireless Access
  › Switching
  › Bonjour Gateway
• Click Create
• Note, enabling Branch Routing:
  » Enables L3 VPN Configuration
  » Disables L2 VPN Configuration
  » Enables L3 Router Firewall Policy
  » Enables Policy-Based Routing with Identity
  » Enables Router configuration settings in Additional Settings

Page 36: Aerohive Configuration guide

Network Policy Components

• Wireless Access – Use when you have an AP only deployment, or you require specific wireless policies for APs in a mixed AP and router deployment

• Branch Routing – Use when you are managing routers, or APs behind routers that do not require different Network Policies than the router they connect through

[Diagram: a BR100 at a Small Branch Office or Teleworker Site, and a BR200 at a Small to Medium Size Branch Office that may have APs behind the router (mesh and PoE-connected APs); each site has an Internet uplink and a 3G/4G LTE backup link]

Page 37: Aerohive Configuration guide

Network Policy Components

• Bonjour Gateway
  › Allows Bonjour services to be seen in multiple subnets

• Switching
  › Used to manage wired traffic using Aerohive Switches

[Diagram: SR2024 providing PoE to APs, with an Internet uplink and a 3G/4G LTE backup link]

Page 38: Aerohive Configuration guide

Lab: Setting Up a Wireless Network
4. Create a New SSID Profile

Network Configuration

• Next to SSIDs click Choose

• Then click New

Page 39: Aerohive Configuration guide

Lab: Setting Up a Wireless Network
5. Configure Employee SSID

• SSID Profile: Class-PSK-X (X = 2 – 29, Student ID)

• SSID: Class-PSK-X

• Select WPA/WPA2 PSK (Personal)

• Uncheck the Obscure Password checkbox

• Key Value: aerohive123

• Confirm Value: aerohive123

• Click Save

• Click OK

For all the labs, please follow the class naming convention.

Page 40: Aerohive Configuration guide

Lab: Setting Up a Wireless Network
6. Create a User Profile

• To the right of your SSID, under User Profile, click Add/Remove

In Choose User Profiles

• Click the New button

Page 41: Aerohive Configuration guide

Lab: Setting Up a Wireless Network
7. Define User Profile Settings

• Name: Employee-X
• Attribute Number: 10
• Default VLAN: From the drop down box, select Create new VLAN, type: 10
• Click Save

Page 42: Aerohive Configuration guide

Lab: Setting Up a Wireless Network
8. Choose User Profile and Save

• Ensure Employee-X User Profile is highlighted
• Click Save

Page 43: Aerohive Configuration guide

Lab: Setting Up a Wireless Network
9. Review your policy and save

• From the Configure Interfaces & User Access bar, click Save

Page 44: Aerohive Configuration guide

SPANNING TREE BEHAVIOR

Page 45: Aerohive Configuration guide


How loops happen

1. Client sends a broadcast such as an ARP request

2. Switch A forwards the packet on all interfaces except the source interface

3. Switch B receives the broadcast twice, but does not know it is the same broadcast. It forwards the broadcast from interface 1 on interface 24 and vice versa

4. Switch A again receives the broadcast twice and does the same as Switch B. (It also sends both broadcasts back to the client.)

5. Rinse and repeat. The broadcast never leaves the network

[Diagram: Switch A and Switch B joined by two parallel links]

Page 46: Aerohive Configuration guide

Spanning Tree

Easy to solve, right? Just disconnect one cable…

But now there is no redundancy… Have no fear!

There was once a loop to be,
In a redundant path for everyone to see.
The packets went round and round,
Until a new sheriff was found.
His name? Well, Spanning Tree!

Page 47: Aerohive Configuration guide

Spanning Tree

So what does the Spanning Tree Protocol (STP) do? High level overview:

1. All interfaces are blocked (for non STP traffic) while the switches elect a root bridge (switch)

2. After the root bridge is elected, switches calculate the lowest cost path to the root bridge

3. Unblock corresponding ports and keep redundant ports blocked

4. If an active link fails, unblock redundant port

[Diagram: the root bridge ("I am root!") and two link costs: Speed 1 Gbit, Cost: 20,000; Speed 100 Mbit, Cost: 200,000. The root doesn’t have to calculate.]

Page 48: Aerohive Configuration guide


Spanning Tree – extra reading

Found in the class materials: Spanning-Tree-Overview.pptx

• STP

• RSTP

• MSTP

• (R)PVST

Page 49: Aerohive Configuration guide

Switch Spanning Tree Settings

• By default, spanning tree is disabled on Aerohive switches
  › Why?
  › If you plug an edge switch into a network, and the switch priority is a lower number (higher priority) on our switch than what is configured on the existing network, our switch will become the root switch
  › This means that the optimal path and links that are available through a network will be chosen based on getting to your edge switch!
  › This most likely is not what a customer wants to do! ;-)

• What is the downside of not enabling spanning tree by default?
  › If you plug two cables from our switch to the distribution switch network, and the ports are not configured as an aggregate, you can cause a loop!
  › This is far less of a concern than enabling spanning tree by default and possibly rerouting all traffic through our switch, so we will disable spanning tree by default

Page 50: Aerohive Configuration guide

Verify Existing Network Spanning Tree Priorities

• Before installing an Aerohive switch into an existing switch network, have the company determine the root switch and backup root switch priority

• Ensure our spanning tree priority is set to a higher number

• For example, on a Cisco Catalyst switch you can type:

    CS-Dist-2#show spanning-tree
    MST0
      Spanning tree enabled protocol mstp
      Root ID    Priority    12288
                 Address     000f.23b9.0d80
                 Cost        0
                 Port        25 (GigabitEthernet0/1)
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

      Bridge ID  Priority    16384  (priority 16384 sys-id-ext 0)
                 Address     001f.274c.5180
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

    Interface           Role Sts Cost      Prio.Nbr Type
    ------------------- ---- --- --------- -------- -----
    Fa0/24              Desg FWD 200000    128.24   P2p
    Gi0/1               Root FWD 200000    128.25   P2p

Page 51: Aerohive Configuration guide

Verify Existing Network Spanning Tree Priorities

    CS-Dist-2#show spanning-tree
    MST0
      Spanning tree enabled protocol mstp
      Root ID    Priority    12288
                 Address     000f.23b9.0d80
                 Cost        0
                 Port        25 (GigabitEthernet0/1)
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

      Bridge ID  Priority    16384  (priority 16384 sys-id-ext 0)
                 Address     001f.274c.5180
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

    Interface           Role Sts Cost      Prio.Nbr Type
    ------------------- ---- --- --------- -------- -----
    Fa0/24              Desg FWD 200000    128.24   P2p
    Gi0/1               Root FWD 200000    128.25   P2p

• Here you can see the Root Priority is: 12288
• The switch this command is run on shows a priority of 16384
• So most likely our switch default priority of 32768 will not cause any harm
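A scripted version of this pre-installation check, added here as an example (it is not Aerohive's or Cisco's own tooling): it parses the `show spanning-tree` output above, applies the 802.1D root election rule (lowest priority wins, lowest bridge MAC breaks a tie) to a proposed edge switch, and computes the lowest 4096-step priority that can never take root. The new switch's MAC address is a constructed placeholder.

```python
import re
from dataclasses import dataclass

# Constructed sample: the Cisco output reproduced on the slides above.
SAMPLE_SHOW_SPANNING_TREE = """\
CS-Dist-2#show spanning-tree
MST0
  Spanning tree enabled protocol mstp
  Root ID    Priority    12288
             Address     000f.23b9.0d80
             Cost        0
             Port        25 (GigabitEthernet0/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    16384  (priority 16384 sys-id-ext 0)
             Address     001f.274c.5180
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
"""

AEROHIVE_DEFAULT_PRIORITY = 32768  # default quoted on the slide
PRIORITY_STEP = 4096               # bridge priorities are multiples of 4096


@dataclass(frozen=True)
class BridgeId:
    priority: int
    address: str  # Cisco dotted-hex MAC, e.g. 000f.23b9.0d80

    def election_key(self):
        # Lower priority wins the root election; an equal priority is
        # decided by the numerically lower bridge MAC address.
        return (self.priority, int(self.address.replace(".", ""), 16))


_BRIDGE_RE = re.compile(
    r"(Root|Bridge) ID\s+Priority\s+(\d+).*?\n\s+Address\s+([0-9a-fA-F.]+)",
    re.DOTALL,
)


def parse_bridge_ids(text):
    """Return (root_id, local_bridge_id) parsed from `show spanning-tree`."""
    found = {}
    for m in _BRIDGE_RE.finditer(text):
        found[m.group(1).lower()] = BridgeId(int(m.group(2)), m.group(3).lower())
    if "root" not in found or "bridge" not in found:
        raise ValueError("could not find both Root ID and Bridge ID blocks")
    return found["root"], found["bridge"]


def would_take_root(candidate, current_root):
    """True if a switch with Bridge ID `candidate` would win the election."""
    return candidate.election_key() < current_root.election_key()


def minimum_safe_priority(*existing_priorities):
    """Smallest valid priority numerically above every existing bridge
    priority, so the new edge switch cannot even tie for root."""
    highest = max(existing_priorities)
    return (highest // PRIORITY_STEP + 1) * PRIORITY_STEP


def assess_new_switch(show_output, new_priority, new_mac):
    """Summarise whether adding a switch with (new_priority, new_mac) is safe."""
    root, local = parse_bridge_ids(show_output)
    candidate = BridgeId(new_priority, new_mac.lower())
    return {
        "root_priority": root.priority,
        "local_priority": local.priority,
        "candidate_becomes_root": would_take_root(candidate, root),
        "minimum_safe_priority": minimum_safe_priority(root.priority, local.priority),
    }


if __name__ == "__main__":
    # Placeholder MAC for the new Aerohive edge switch (constructed value).
    print(assess_new_switch(SAMPLE_SHOW_SPANNING_TREE,
                            AEROHIVE_DEFAULT_PRIORITY, "0000.0000.0001"))
```

For the slide's output the default 32768 cannot win, and anything from 20480 upward would also be safe; the tie-break matters because a priority equal to the root's still wins if the new switch has the lower MAC.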

Page 52: Aerohive Configuration guide

Lab: Enable Spanning Tree
1. Enable Spanning Tree

From the network policy that has switching enabled

• Go to Additional Settings and click Edit

Page 53: Aerohive Configuration guide

Lab: Enable Spanning Tree
2. Enable RSTP

Enable Rapid Spanning Tree

• Expand Switch Settings

• Expand STP Settings

• Check the box to Enable STP (Spanning Tree Protocol)

• Select the radio button to enable RSTP (Rapid Spanning Tree)

• Click Save

Page 54: Aerohive Configuration guide

Lab: Enable Spanning Tree
3. Save your Network Policy

• From the Configure Interfaces & User Access bar, click Save

Page 55: Aerohive Configuration guide

Spanning Tree – Switch specific settings

More detailed Spanning Tree settings can be configured on an individual switch in device level settings should that be required.

Page 56: Aerohive Configuration guide

DEVICE TEMPLATES FOR DEFINING SWITCH PORT SETTINGS

Page 57: Aerohive Configuration guide

Device Templates

• HiveManager Device Templates are used to assign switches at the same or different sites to a common set of port configurations

• For example, ports 1, 2 are for APs, ports 3-6 are for phones, etc…

[Diagram: HiveManager with one SR2024 device template applied to several Access/Edge SR2024 switches (PoE to APs) below a Distribution layer. Caption: HiveManager – SR2024 as switch device template]

Page 58: Aerohive Configuration guide

Device Templates

• Device templates are used to define ports for the same device, devices with the same number of ports, and device function

• Device templates do not set device function, i.e. switch, router, or AP, but will only match devices configured with the matching function

• You configure a device’s function in the device specific configuration

Apply to SR2024 switches configured as switches

Apply to SR2024 switches configured as routers. Requires WAN port – icon depicted as a cloud

Page 59: Aerohive Configuration guide

Device Templates For Devices Requiring Different Port Settings

• If devices require different port configurations for the same type of device and function, you can
  › 1. Configure device classification tags to have different device templates for different devices
  › 2. Create a new network policy with a different device template

[Diagram: SR2024 switches (PoE to APs) in two groups: Default Sites using the "SR2024 as Switch" template, and Small Sites using an "SR2024 as Switch" template selected by the Device Classification Tag "Small Site"]

Note: The switch model (2024) used in the lab has been superseded by improved models.

Page 60: Aerohive Configuration guide

CONFIGURE DEVICE TEMPLATES FOR DEFINING SWITCH PORT SETTINGS

Page 61: Aerohive Configuration guide

Lab: Configure Device Templates
1. Create device template

• Next to Device templates, click Choose

• Click New

Page 62: Aerohive Configuration guide

Lab: Configure Device Templates
2. Create switch template

• Name: SR2024-Default-X
• Click Device Models
• Select SR2024
• Click OK
• For SR2024, when functioning as:
  › Select Switch
• Click Save

Note: Here you are not setting the SR2024 to function as a switch. Instead, you are only specifying that this template applies to SR2024s when they are configured to function as a switch. The switch/router function is configured in switch device settings.

Note: You only see Switch as an option and not Switch and Router, because Routing was not enabled in the selection box when creating this Network Policy.

Page 63: Aerohive Configuration guide

Lab: Configure Device Templates
3. Save switch template

• Ensure your device template is selected and click OK

• The device template will appear in the Device Templates section

• You can show or hide the individual device template by clicking the triangle

[Screenshot caption: the icon shows you that this is a template for your switch as a switch]

Page 64: Aerohive Configuration guide

Lab: Configure Device Templates
4. Save your Network Policy

• From the Configure Interfaces & User Access bar, click Save

Page 65: Aerohive Configuration guide

LINK AGGREGATION

Page 66: Aerohive Configuration guide

Lab Infrastructure: Aggregate Links for Connection to Distribution

Aggregate is statically configured, similar to EtherChannel.

There is no LACP (Link Aggregation Control Protocol) in this release.

• You can have 8 ports in one channel
  › The ports do not have to be contiguous

• Every port on the SR2024 can be configured into port channels except the USB and console port

• The switch hardware creates a hash of the header fields in frames selected for load balancing to determine which port in an aggregate a frame is sent on
  › Load balancing options are:
    » Source & Destination MAC, IP, and Port
    » Source & Destination IP Port
    » Source & Destination IP
    » Source & Destination MAC

[Diagram: PC and AP connected to an SR2024]

Page 67: Aerohive Configuration guide

Lab Infrastructure: Aggregate Links for Connection to Distribution

• Load balancing of broadcast, multicast, and unknown unicast traffic between ports in an aggregate is based on Src/Dst MAC/IP.

• You cannot configure an 802.1X port in an EtherChannel

• MAC learning is on the port channel port instead of the member port

• Only ports with the same physical media type and speed can be grouped into one aggregate.

• Supports LLDP per port but not per channel

[Diagram: PC and AP connected to an SR2024]

Page 68: Aerohive Configuration guide

Lab Infrastructure: Do not do this with aggregates

• In this case, distribution switch 1 and switch 2 will see the same MAC addresses and cause MAC flapping
  › i.e. traffic from PC A for example might be load balanced to Switch 1 and Switch 2
• In this case, there will also be a loop!
• Aggregates must be built between a pair of switches only!

[Diagram: an SR2024 (with PC and AP attached) whose Aggregate 1 has one member port cabled to Distribution Switch 1 and the other to Distribution Switch 2]
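To make the per-frame hashing and the MAC-flapping failure on this and the previous two slides concrete, an added example (not the SR2024's code; its real ASIC hash is vendor-specific, so SHA-256 stands in for it): frames from a constructed PC A are hashed over the four field options onto member ports 17 and 18, and the source-MAC table each upstream switch would learn is compared for the correct cabling (both members to one distribution switch) and the incorrect one (members split across two).

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    """Header fields an aggregate may hash to pick a member port."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


# The four load-balancing options on the slide -> header fields fed to the hash.
LOAD_BALANCE_FIELDS = {
    "mac":         ("src_mac", "dst_mac"),
    "ip":          ("src_ip", "dst_ip"),
    "ip-port":     ("src_ip", "dst_ip", "src_port", "dst_port"),
    "mac-ip-port": ("src_mac", "dst_mac", "src_ip", "dst_ip", "src_port", "dst_port"),
}

MEMBERS = (17, 18)  # Aggregate 1 from the configuration example


def select_member_port(frame, member_ports, mode):
    """Deterministically map a frame to one member port of the aggregate.
    Stand-in hash: SHA-256 of the selected fields, reduced modulo the member
    count. Any frame with identical selected fields lands on the same port."""
    fields = LOAD_BALANCE_FIELDS[mode]
    key = "|".join(str(getattr(frame, f)) for f in fields).encode()
    bucket = int.from_bytes(hashlib.sha256(key).digest()[:4], "big")
    return member_ports[bucket % len(member_ports)]


def upstream_mac_tables(frames, member_ports, mode, cabling):
    """Replay frames through the aggregate and return the source-MAC table
    each upstream switch learns, given cabling = {member_port: switch_name}."""
    tables = {switch: set() for switch in cabling.values()}
    for frame in frames:
        port = select_member_port(frame, member_ports, mode)
        tables[cabling[port]].add(frame.src_mac)
    return tables


def flapping_macs(tables):
    """Source MACs learned by more than one upstream switch (MAC flapping)."""
    seen = {}
    for macs in tables.values():
        for mac in macs:
            seen[mac] = seen.get(mac, 0) + 1
    return {mac for mac, n in seen.items() if n > 1}


def pc_a_flows(count):
    """Constructed traffic: PC A talking to its gateway on many TCP ports."""
    return [
        Frame("00:11:22:33:44:aa", "00:aa:bb:cc:dd:01",   # PC A -> gateway MAC
              "10.100.10.50", "10.100.1.1", 49152 + i, 443)
        for i in range(count)
    ]


def compare_cablings(frame_count=64, mode="ip-port"):
    """Flapping MAC sets for the correct cabling (a pair of switches) and the
    incorrect one (members split across two distribution switches)."""
    frames = pc_a_flows(frame_count)
    pair = {17: "Distribution Switch 1", 18: "Distribution Switch 1"}
    split = {17: "Distribution Switch 1", 18: "Distribution Switch 2"}
    return {
        "pair_of_switches": flapping_macs(upstream_mac_tables(frames, MEMBERS, mode, pair)),
        "split_across_two": flapping_macs(upstream_mac_tables(frames, MEMBERS, mode, split)),
    }


if __name__ == "__main__":
    print(compare_cablings())
```

With both members on one switch PC A's MAC is learned once, as the slide expects; split across two switches the port-based hash spreads PC A's flows over both members and both distribution switches learn the same MAC. In "mac" mode a single MAC pair always hashes to one member, which is why broadcast and unknown unicast (hashed on MAC/IP only) stay on a single link.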

Page 69: Aerohive Configuration guide

AGGREGATION – CONFIGURATION EXAMPLE

Page 70: Aerohive Configuration guide

Aggregate Links for Switch Connections to Distribution Layer Switches

Each access switch will have two aggregates:

• Aggregate 1: Port 17, 18

• Aggregate 2: Port 19, 20

These ports are not connected in this classroom; this is only a configuration example.

[Diagram: Core, Distribution (ESXi Server, HMOL) and Access layers; the Access SR2024 (PoE to AP, PC attached) connects to the Distribution layer over the two aggregates]

Page 71: Aerohive Configuration guide

Lab: Link Aggregation
1. Select ports 17 and 18

Select ports that will be used to connect to the distribution layer switches (example only, aggregates are not used in class)

NOTE: Recommended not to use the first 8 ports on the SR2024 which provide PoE.

• Select port 17, and 18
• Check the box for Aggregate selected ports…
• Enter 1
• Click Configure

Page 72: Aerohive Configuration guide

Lab: Link Aggregation
2. Create Trunk Port policy

• Click New
• Name: Trunk-X
• Port Type: 802.1Q
• QoS Classification: Trusted Traffic Source
  Note: This means we are trusting the upstream network infrastructure markings
  › Map to DSCP or 802.1p
• QoS Marking: Map Aerohive..
  › Map to DSCP or 802.1p
• Click Save

Page 73: Aerohive Configuration guide

Lab: Link Aggregation
2. Save Trunk Port policy

• Ensure that Trunk-X is selected, click OK

Page 74: Aerohive Configuration guide

Lab: Link Aggregation
3. Select ports 19 and 20

• Select port 19 and 20
• Check aggregate selected ports… and enter 2

Page 75: Aerohive Configuration guide

© 2013 Aerohive Networks CONFIDENTIAL

Lab: Link Aggregation4. Assign Trunk policy

75

• Click Configure• For choose port type, select your 802.Q trunk that you created previously: Trunk-X

• Click OK

Page 76: Aerohive Configuration guide

© 2013 Aerohive Networks CONFIDENTIAL

Lab: Link Aggregation5. Review port settings

76

Port 17, 18, 19, and 20 will now display an 802.1Q trunk icon and should all appear the same, even though there are two different aggregates

Page 77: Aerohive Configuration guide

© 2013 Aerohive Networks CONFIDENTIAL

Lab: Link Aggregation6. Save your Network Policy

77

• From the Configure Interfaces & User Access bar, click Save

CONFIGURE UPLINKS USED IN THE CLASSROOM

Classroom Links for Switch Connections to Distribution Layer Switches

For the class, we are going to configure single uplinks without aggregation to connect to the distribution switches
• Single Uplinks: Port 23, 24

Port 23 will be connected to Distribution switch 1, and port 24 will be connected to Distribution switch 2

[Diagram: Access SR2024 (PoE) with PC and AP, single uplinks to the Distribution switches, Core, ESXi Server, HMOL and a 3CX IP PBX at 10.100.1.?]

Lab: Configure Uplink Ports – 1. Select Ports 23 and 24

Select the ports that will be used to connect to the distribution layer switches

• Select ports 23 and 24
• Click Configure

Lab: Configure Uplink Ports – 2. Assign port policy and save

• For Choose port type, select the 802.1Q trunk that you created previously: Trunk-X
• Click OK
• Ports 23 and 24 should now be the same color as the other Trunk ports

Lab: Configure Uplink Ports – 3. Save your Network Policy

• From the Configure Interfaces & User Access bar, click Save

CONFIGURE PORTS FOR APS

Lab Infrastructure – Configure PoE Ports for APs

Configure two of the PoE ports for APs
• Use Ports 1 and 2 for APs

NOTE: For class there is an AP connected to port 1 of every switch

[Diagram: Access SR2024 (PoE) with APs and IP Phones, Distribution, Core, ESXi Server and HMOL]

Lab: Configure Access Point ports – 1. Select ports 1 and 2

Select the ports that will be used to connect to APs

NOTE: The first 8 ports on an SR2024 provide power

• Select ports 1 and 2
• Click Configure

Lab: Configure Access Point ports – 2. Create Trunk Policy

• Click New
• Name: AP-Trunk-X
• Port Type: 802.1Q
• QoS Classification: Trusted Traffic Source
Note: This means we are trusting the upstream network infrastructure markings
› Map to DSCP or 802.1p
• QoS Marking: Map Aerohive…
› Map to DSCP or 802.1p
• Click Save

Lab: Configure Access Point ports – 3. Assign AP-Trunk Policy to ports 1 and 2

• Ensure that AP-Trunk-X is selected
• Click OK
• Ports 1 and 2 will now display an 802.1Q trunk icon, but this time a power symbol appears as well because ports 1 through 8 can provide power
• Notice that ports 1 and 2 are a different color because they have a different port policy than the other ports

Lab: Configure Access Point ports – 3. Save your Network Policy

• From the Configure Interfaces & User Access bar, click Save

CONFIGURE POWER SOURCING EQUIPMENT (PSE) PORTS FOR POWER OVER ETHERNET (POE)

PoE Overview

• PoE standards define the capabilities of the power sourcing equipment (PSE) and the powered device (PD).
• The PSE is an Aerohive switch. Aerohive access points would be considered PDs.
• The 802.3af PoE standard defines 15.4 Watts from the PSE
• All 802.11n Aerohive APs will work with 802.3af; CAT5e cabling or better is required.
• The maximum draw of an Aerohive AP-330 is 14.95 Watts.

NOTE: You will only see the Interfaces (Ports) that have been assigned to a port type

PoE Overview

• The 802.3at standard (PoE+) defines 32 Watts from the PSE
• The 802.11ac Aerohive AP230 is fully functional using 802.3af
• However, the older 802.11ac Aerohive APs (AP370 and AP390) require PoE+ for full functionality
• The AP370 and AP390 will function with 802.3af PoE; however, the 80 MHz channel capability is restricted.

PoE Power Budgets

• Careful PoE power budget planning is a must.
• Access points will randomly reboot if a power budget has been exceeded and the APs cannot draw their necessary power.

Switch PoE budgets:
• SR2024P: 24 PoE+ ports (195 W)
• SR2124P: 24 PoE+ ports (408 W)
• SR2148P: 48 PoE+ ports (779 W)

Lab: Configure PoE ports – 1. Select additional port settings

• Select Additional port settings to configure
› Port Channel Load-Balance Mode Settings
› PoE port (PSE) Settings

The Additional Port Settings link is available if no ports are currently selected

Lab: Configure PoE ports – 2. Aggregate channel settings

• For Port Channel Load-Balance Mode, select the headers in a frame that will be used to create the hash that determines which port a frame should egress
› NOTE: If you are testing a single client, especially for a demo, the more fields you use, the better the opportunity to egress multiple ports
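The hashing behaviour this step configures, as an added Python model (not Aerohive code or HiveOS output): it hashes the selected frame headers to pick a member of Aggregate 1 and shows that a single demo client spreads across both members only when layer 4 ports are part of the hash. The SHA-256 stand-in, the mode names and the sample flows are assumptions.

```python
"""Added example (not Aerohive code): model of how a Port Channel Load-Balance
Mode picks the member port a frame egresses, to show why a single demo client
only spreads across an aggregate when layer 4 ports are part of the hash.

Assumptions (not from the page): the switch hashes the selected header fields
and takes the result modulo the number of member ports; SHA-256 stands in for
the real hardware hash, and the mode names below are illustrative labels.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


# Which header fields each (illustrative) load-balance mode feeds into the hash.
LOAD_BALANCE_FIELDS = {
    "src-mac": ("src_mac",),
    "src-dst-mac": ("src_mac", "dst_mac"),
    "src-dst-ip": ("src_ip", "dst_ip"),
    "src-dst-ip-l4port": ("src_ip", "dst_ip", "src_port", "dst_port"),
}


def egress_member(frame: Frame, mode: str, members: tuple) -> str:
    """Hash the selected fields of one frame and map it onto a member port."""
    key = "|".join(str(getattr(frame, f)) for f in LOAD_BALANCE_FIELDS[mode])
    digest = hashlib.sha256(key.encode()).digest()
    return members[int.from_bytes(digest[:4], "big") % len(members)]


def distribution(frames, mode: str, members: tuple) -> dict:
    """Count how many of the frames land on each member port."""
    counts = {m: 0 for m in members}
    for fr in frames:
        counts[egress_member(fr, mode, members)] += 1
    return counts


def single_client_flows(n: int = 32):
    """Constructed sample: one PC (one MAC, one IP) opening n TCP flows to one
    server, each flow from a different ephemeral source port."""
    return [
        Frame("00:11:22:33:44:55", "00:aa:bb:cc:dd:ee",
              "10.100.1.50", "10.5.1.10", 50000 + i, 443)
        for i in range(n)
    ]


AGGREGATE_1 = ("Eth1/17", "Eth1/18")   # members from the lab's Aggregate 1


def members_used(mode: str, members: tuple = AGGREGATE_1) -> int:
    """Number of member ports that carry at least one frame for the demo client."""
    counts = distribution(single_client_flows(), mode, members)
    return sum(1 for c in counts.values() if c > 0)


if __name__ == "__main__":
    for mode in LOAD_BALANCE_FIELDS:
        print(mode, distribution(single_client_flows(), mode, AGGREGATE_1))
```

With only MAC or IP fields in the hash every frame of the single client has the same key, so one member carries all of it; adding the layer 4 ports gives each flow its own key.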

Lab: Configure PoE ports – 3. PSE settings

• Expand PSE Settings
• Because only the first two ports have been configured, you will only have the ability to configure PSE (provides PoE) on the first two ports
• Next to Eth1/1 click +

Lab: Configure PoE ports – 4. PSE settings

• Name: af-high-X
• Power Mode: 802.3af
• Power Limit: 15400 mW
• Priority: high
• Save

Note: The default PoE port setting is 802.3at (PoE+). Power priority can be low, high or critical.

Lab: Configure PoE ports – 5. PSE settings

• Assign Eth1/1 and Eth1/2 to: af-high-X
• Save

NOTE: You will only see the Interfaces (Ports) that have been assigned to a port type

Lab: Configure PoE ports – 5. Save your Network Policy

• From the Configure Interfaces & User Access bar, click Save
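A worked budget check for the PSE settings just configured and for the PoE Power Budgets slide, as an added Python example (not Aerohive code): it reserves each port's configured Power Limit against the SR2024P's 195 W in priority order and reports which ports would be denied. The allocation order and the 24-port constructed scenario are assumptions.

```python
"""Added example (not Aerohive code): a PoE budget check in the spirit of the
"PoE Power Budgets" slide, using the SR2024P budget and the 15400 mW 802.3af
limit from the lab.

Assumptions (not from the page): the model reserves each port's configured
power limit (worst case, not measured draw) and grants power in priority order
critical > high > low, lower port numbers first within a priority; ports that
do not fit are reported as denied. The real PSE's load-shedding behaviour is
whatever its documentation states, not this model.
"""
from dataclasses import dataclass

PRIORITY_RANK = {"critical": 0, "high": 1, "low": 2}   # page: low, high or critical
SR2024P_BUDGET_MW = 195_000                             # 195 W from the budget slide
AF_LIMIT_MW = 15_400                                    # Power Limit used in the lab


@dataclass(frozen=True)
class PsePort:
    name: str         # e.g. "Eth1/1"
    limit_mw: int     # configured Power Limit
    priority: str     # "low", "high" or "critical"


def port_number(name: str) -> int:
    """'Eth1/13' -> 13, used to order ports within one priority."""
    return int(name.rsplit("/", 1)[1])


def allocate_budget(budget_mw: int, ports):
    """Return (powered names, denied names, unreserved mW) for one switch."""
    order = sorted(ports, key=lambda p: (PRIORITY_RANK[p.priority], port_number(p.name)))
    powered, denied, remaining = [], [], budget_mw
    for p in order:
        if p.limit_mw <= remaining:
            powered.append(p.name)
            remaining -= p.limit_mw
        else:
            denied.append(p.name)
    return powered, denied, remaining


def headroom_check(budget_mw: int, ports) -> bool:
    """True when every configured limit fits in the budget at the same time."""
    return sum(p.limit_mw for p in ports) <= budget_mw


def constructed_sr2024p():
    """Constructed worst case: all 24 PoE+ ports set to the lab's af limit.
    APs on ports 1-2 critical, phones on 3-8 high, everything else low."""
    ports = []
    for n in range(1, 25):
        prio = "critical" if n <= 2 else "high" if n <= 8 else "low"
        ports.append(PsePort(f"Eth1/{n}", AF_LIMIT_MW, prio))
    return ports


if __name__ == "__main__":
    ports = constructed_sr2024p()
    print("all limits fit:", headroom_check(SR2024P_BUDGET_MW, ports))
    powered, denied, left = allocate_budget(SR2024P_BUDGET_MW, ports)
    print(len(powered), "powered,", len(denied), "denied,", left, "mW unreserved")
```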

CONFIGURE PORTS FOR IP PHONES

Lab Infrastructure – Configure PoE Ports for IP Phones

Configure 6 of the PoE ports for IP Phones
• Use Ports 3 - 8 for IP Phones

[Diagram: Access SR2024 (PoE) with APs and IP Phones, Distribution, Core, ESXi Server and HMOL]

CONFIGURE PHONE PORTS IN SWITCH DEVICE TEMPLATE

Lab: Configure PoE ports for IP phones – 1. Select ports 3-8

Select the ports that will be used to connect to IP Phones

NOTE: The first 8 ports on an SR2024 provide power

• Select ports 3, 4, 5, 6, 7, and 8 (Yes, you can multi-select)
• Click Configure

Lab: Configure PoE ports for IP phones – 2. Phone & Data ports

• Click New

Lab: Configure PoE ports for IP phones – 3. Phone & Data ports

• Name: Phone-and-Data-X
• Port Type: Phone & Data
• Check Primary authentication using: MAC via PAP
• QoS Classification: Trusted Traffic Sources
Note: This means we are trusting the upstream network infrastructure markings
› Map to DSCP or 802.1p
• QoS Marking: Map Aerohive…
› Map to DSCP or 802.1p
• Click Save

Lab: Configure PoE ports for IP phones – 4. Phone & Data ports

• For Choose port type, select Phone-and-Data-X
• Click OK
• Ports 3 – 8 will now display with a phone icon

Lab: Configure PoE ports for IP phones – 5. Save your network policy

• From the Configure Interfaces & User Access bar, click Save

CONFIGURE PORTS FOR OPEN GUEST ACCESS

Lab Infrastructure – Configure Ports for Employee Computer Access

Configure 2 of the switch ports for open access
(switch ports are in a secured room – for testing purposes)
• Use Ports 9 and 10

[Diagram: Access SR2024 (PoE) with APs, IP Phones and Guest Computers, Distribution, Core, ESXi Server and HMOL]

Lab: Configure Open Guest Ports – 1. Select ports 9 and 10

Select the ports that will be used to connect to guest computers

• Select ports 9 and 10
• Click Configure

Lab: Configure Open Guest Ports – 2. Create access port

• Click New

Lab: Configure Open Guest Ports – 3. Create access port

• Name: Guest-X
• Port Type: Access
• Most likely you will not be trusting the DSCP settings on guest devices, so click Untrusted Traffic Sources
• There is no need to mark the traffic for QoS marking
• Click Save

Lab: Configure Open Guest Ports – 4. Assign access port policy

• For Choose port type, select Guest-X
• Click OK
• Ports 9 and 10 will now display with a world icon

Lab: Configure Open Guest Ports – 5. Save your network policy

• From the Configure Interfaces & User Access bar, click Save

For switch ports in a secure location
CONFIGURE PORTS FOR SECURE EMPLOYEE ACCESS WITH 802.1X

Lab Infrastructure – Configure Ports for Employee Computer Access

Configure six of the switch ports for 802.1X authentication
• Use Ports 11-16

[Diagram: Access SR2024 (PoE) with APs, IP Phones and 802.1X Employee Computers, Distribution, Core, ESXi Server and HMOL]

Lab: Configure Secure Access Ports – 1. Select ports 11 - 16

Select the ports that will be used to connect to employee computers that support 802.1X

• Select ports 11, 12, 13, 14, 15, 16
• Click Configure

Lab: Configure Secure Access Ports – 2. Create secure port policy

• Click New

Lab: Configure Secure Access Ports – 3. Create secure port policy

• Name: Secure-X
• Port Type: Access
• Check the box for: Primary Authentication using 802.1X
• Uncheck Allow multiple hosts (same VLAN)
• For the ability to preserve markings on PCs for softphones or other important applications, select QoS Classification: Trusted Traffic Sources
• Check the box for QoS Marking: Map Aerohive QoS …
• Select DSCP or 802.1p depending on the upstream switch architecture
• Click Save

Lab: Configure Secure Access Ports – 4. Assign secure port policy

• For Choose port type, select Secure-X
• Click OK
• Ports 11-16 will now display with a world icon

Lab: Configure Secure Access Ports – 5. Save your network policy

• From the Configure Interfaces & User Access bar, click Save

CONFIGURE MIRROR PORTS

Lab: Configure Mirror Ports – 1. Select ports 21 - 22

Select the ports that will be used for port mirroring

• Select ports 21 and 22
• Click Configure

Lab: Configure Mirror Ports – 2. Create mirror port policy

• Click New
• Name: Mirror-X
• Port Type: Mirror
• Click Save

Lab: Configure Mirror Ports – 3. Assign mirror port policy

• For Choose port type, select Mirror-X
• Click OK
• Check Port-Based

Note: VLAN-Based port mirroring can only be enabled on a single port

Lab: Configure Mirror Ports – 4. Choose ports to mirror

• Eth1/21, Egress – click Choose
• Select Eth1/1 and click OK
• Eth1/22, Ingress – click Choose
• Select Eth1/12 and click OK

Lab: Configure Mirror Ports – 5. Verify and save mirror port policy

• All downstream traffic destined for the WLAN clients of the Aerohive AP on port Eth1/1 will be mirrored to port Eth1/21.
• All upstream traffic destined for the network from the host on Eth1/12 will be mirrored to port Eth1/22.
• Click Save

Lab: Configure Mirror Ports – 6. Verify and save mirror port policy

Ports 21 and 22 will now display a magnifying glass icon.

Lab: Configure Mirror Ports – 7. Save your network policy

• From the Configure Interfaces & User Access bar, click Save

GENERAL DEVICE TEMPLATE INFO

General Port Template Info

If you have more than one port selected, you can clear the port selections here so you do not have to click each selected port to deselect it.

General Port Template Info

• If you move your mouse over one of the defined ports, an option appears to select all ports using this port type

Guest Access
CONFIGURE PORT TYPES

Lab: Configure Ports – Guest Access – 1. Port Types

• Configure the authentication, user profile, and VLAN information for the port types defined in the device templates

Lab: Configure Ports – Guest Access – 2. Create user profile

Similar to SSIDs, you need to configure User Profiles (user policy) for the access ports
• For your Guest-X port type, under User Profile click Add/Remove
• Click New

Lab: Configure Ports – Guest Access – 3. Assign VLAN

User profiles are used to assign policy to devices connected to the network.
NOTE: Switches use the VLAN in a user profile. Switches functioning as routers use the VLAN, but may also make layer 3 firewall and policy-based routing decisions based on the user profile. In either case, user profile information is carried with user information throughout an Aerohive network infrastructure.

• Name: Guest-X
• Attribute: 100
• Default VLAN: 8
• Click Save

The optional settings are utilized when the user profile is enforced on an AP. The switch, because it is forwarding packets at line speed in silicon, does not utilize the optional settings. If the switch is configured to be a branch router, the user profile is used for decisions in layer 3 firewall policies, IPSec VPN policies, and identity-based routing.

Lab: Configure Ports – Guest Access – 4. Save user profile

• Ensure Guest-X is selected
• Click Save
• Verify your settings

Lab: Configure Ports – Guest Access – 5. Save your network policy

• From the Configure Interfaces & User Access bar, click Save

Employee Access Secured with 802.1X
CONFIGURE PORT TYPES

Lab: Configure Ports – Secure Access – 1. Configure RADIUS

Configure the RADIUS server for the ports secured with 802.1X
• For your Secure-X port type, under Authentication click <RADIUS Settings>
• Click New

Lab: Configure Ports – Secure Access – 2. Configure RADIUS

Define the external RADIUS server settings
• RADIUS name: RADIUS-X
• IP address: 10.5.1.10
• Shared Secret: aerohive123
• Confirm Secret: aerohive123
• Click Apply!!
• Click Save

Lab: Configure Ports – Secure Access – 3. Configure user profile

Assign user profiles to the secure 802.1X ports
• Next to your Secure-X port type, under User Profile click Add/Remove

Port Types

There are three user profile assignment methods:
1. (Auth) Default – used if a client authenticates successfully but no user profile attribute is returned, or if a user profile attribute is returned that matches the default user profile selected
2. Auth OK – if a client authenticates successfully and a user profile attribute is returned, it must match one of the user profiles you select here
3. Auth Fail – if a client fails authentication, use this user profile

Lab: Configure Ports – Secure Access – 4. Configure default user profile

Define the Default User Profile, assigned if a client authenticates successfully but no user profile attribute is returned, or if a user profile attribute is returned that matches the default user profile selected

• Select the Default tab
• Select the user profile: Employee-Default(1)
› Created by the instructor…
› Assigns VLAN 1

Lab: Configure Ports – Secure Access – 5. Configure Auth OK user profile

Define a user profile for Auth OK – if a client authenticates successfully and a user profile attribute is returned, it must match one of the user profiles you select here. You can have up to 63 Auth OK user profiles.

• Select the Auth OK tab
• Select Employee-X(10)
› Assigns VLAN 10

Lab: Configure Ports – Secure Access – 6. Configure Auth Fail user profile

Define a user profile for Auth Fail – if a client fails authentication several times, assign the Auth Fail user profile
• Select Auth Fail
• Select Guest-X(100)
› Assigns VLAN 8
• Verify the Default, Auth OK, and Auth Fail settings one more time
• Click Save

Lab: Configure Ports – Secure Access – 7. Verify settings

• Verify the settings

Lab: Configure Ports – Secure Access – 8. Save your network policy

• From the Configure Interfaces & User Access bar, click Save

PHONE & DATA PORTS WITH NO AUTHENTICATION

Phone & Data Port Type – With Open Access

• Switch Port is assigned to a Phone & Data Port Type
• For this example, no authentication is selected in Phone & Data

[Diagram: SR2024 switch port (Phone & Data, uses 802.1Q) to an IP Phone, with a Data device behind the phone]

Phone & Data Port Type – With Open Access

• You can then select a Default Voice and a Default Data user profile
• The Phone & Data port is an 802.1Q port
• The Phone VLAN will be tagged and sent to the IP phone via LLDP-MED
• The switch port will assign the Data VLAN as the native VLAN
› This way, the phone traffic is tagged, and data traffic is untagged

[Diagram: SR2024 switch port (Phone & Data, uses 802.1Q) to an IP Phone; LLDP assigns the phone to the tagged Voice VLAN; Data device behind the phone]

Note: For default data, only the VLAN is used, not the user profile

CLI Commands for Phone & Data Port without Authentication

interface eth1/3 switchport mode trunk
interface eth1/3 switchport user-profile-attribute 2
interface eth1/3 switchport trunk native vlan 10
interface eth1/3 switchport trunk voice-vlan 2
interface eth1/3 switchport trunk allow vlan 2
interface eth1/3 switchport trunk allow vlan 10
interface eth1/3 qos-classifier Phone-and-Net-2
interface eth1/3 qos-marker Phone-and-Net-2
interface eth1/3 pse profile QS-PSE

PHONE & DATA PORTS WITH 802.1X/PEAP AUTHENTICATION OR MAC AUTHENTICATION

Phone & Data Port Type – With 802.1X/PEAP or MAC Authentication

• Switch Port is assigned to a Phone & Data Port Type
• For this example, 802.1X authentication is selected in Phone & Data

[Diagram: SR2024 switch port (Phone & Data, uses 802.1Q and 802.1X) to an IP Phone with an Employee data device behind it; RADIUS Server: the Phone Policy returns the Cisco AV Pair device-traffic-class=voice plus User Profile and/or VLAN, the Data (Employee) Policy returns User Profile and/or VLAN]

Phone & Data Port Type – With 802.1X/PEAP

• You can connect a single client, or multiple clients, behind an IP phone data port
• Phones and clients authenticate independently of each other, and the order in which they authenticate does not matter
› However, the VLAN assigned to the first data device (Employee) that authenticates is assigned as the data VLAN; all other devices will be assigned to the same VLAN, even if they have different user profiles with other VLANs assigned, or even if RADIUS returns a different VLAN.

Phone & Data Port Type – With Primary and Secondary Authentication

• If a secondary authentication is used and the first authentication is not available, or fails three times, the second authentication will be tried

CLI Commands for Phone & Data Port with 802.1X

security-object Phone-and-Data-2
security-object Phone-and-Data-2 security aaa radius-server primary 10.250.1.1 shared-secret ***
security-object Phone-and-Data-2 security protocol-suite 802.1x
security-object Phone-and-Data-2 default-user-profile-attr 1
security-object Phone-and-Data-2 security auth-mode host-based multiple-domain
interface eth1/3 security-object Phone-and-Data-2
interface eth1/3 switchport mode trunk
interface eth1/3 switchport user-profile-attribute 1
interface eth1/3 qos-classifier Phone-and-Data-2
interface eth1/3 qos-marker Phone-and-Data-2
interface eth1/3 pse profile QS-PSE
no interface eth1/3 spanning-tree enable
no interface eth1/3 link-discovery cdp receive enable
user-profile Default qos-policy def-user-qos vlan-id 1 attribute 1
user-profile Employee-2 qos-policy def-user-qos vlan-id 10 attribute 10
user-profile Voice-2 qos-policy def-user-qos vlan-id 2 attribute 2
user-profile Guest-2 qos-policy def-user-qos vlan-id 8 attribute 100

CLI Commands for Phone & Data Port with MAC AUTH

security-object Phone-and-Data-2
security-object Phone-and-Data-2 security aaa radius-server primary 10.250.1.1 shared-secret ***
security-object Phone-and-Data-2 security additional-auth-method mac-based-auth
security-object Phone-and-Data-2 default-user-profile-attr 1
security-object Phone-and-Data-2 security auth-mode host-based multiple-domain
security-object Phone-and-Data-2 security initial-auth-method mac-based-auth
interface eth1/3 security-object Phone-and-Data-2
interface eth1/3 switchport mode trunk
interface eth1/3 switchport user-profile-attribute 1
interface eth1/3 qos-classifier Phone-and-Data-2
interface eth1/3 qos-marker Phone-and-Data-2
interface eth1/3 pse profile QS-PSE
no interface eth1/3 spanning-tree enable
no interface eth1/3 link-discovery cdp receive enable
user-profile Default qos-policy def-user-qos vlan-id 1 attribute 1
user-profile Employee-2 qos-policy def-user-qos vlan-id 10 attribute 10
user-profile Voice-2 qos-policy def-user-qos vlan-id 2 attribute 2
user-profile Guest-2 qos-policy def-user-qos vlan-id 8 attribute 100

Overview
CONFIGURING NPS FOR PHONE AND EMPLOYEE AUTHENTICATION WITH 802.1X/PEAP

Configure NPS for Phone & Data Authentication

• Create a network policy for voice
• Enter a name for the voice policy, and click Next
• Click Add to specify a condition
• Select Windows Groups
• Click Add
• Click Add Groups…
• A voice group was created by IT for IP phones – enter voice and click OK
• Click OK
• Click Next
• Select Access granted
• Click Add
• Select Microsoft: Protected EAP (PEAP)
• Click OK
• Click Next
• For constraints click Next
• Remove attributes that are not needed:
› Select Framed-Protocol, and click Remove
› Select Service-Type, and click Remove

Add the three attribute value pairs needed to assign a user profile
• Tunnel-Medium-Type: IP v4 (value found in the Others section)
• Tunnel-Type: Generic Route Encapsulation (GRE)
• Tunnel-Pvt-Group-ID: (String) 2
› 2 is the voice user profile in this case
• Click Next
• Under RADIUS Attributes, select Vendor Specific

RETURN A CISCO AV PAIR TO LET THE AEROHIVE SWITCH KNOW WHICH USER PROFILE SHOULD BE ASSIGNED AS THE VOICE USER PROFILE

Configure NPS for Phone & Data Authentication

In order for a switch to know that a specific user profile is for voice, Aerohive devices can accept the Cisco AV Pair device-traffic-class=voice. This is sent to the switch, and the switch uses LLDP to send the voice VLAN to any phone that supports LLDP-MED.

• Under RADIUS Attributes, select Vendor Specific
• Click Add
• Under Vendor, select Cisco
• Click Add
• Click Add again
• Attribute value: device-traffic-class=voice
• Click OK
• Click OK
• Click Close (The value does not show up on this screen. Do not worry, it is there.)
• Click Next
• Click Finish

Page 178: Aerohive Configuration guide

© 2013 Aerohive Networks CONFIDENTIAL

DEFINE CLIENT ACCESS

178

Page 179: Aerohive Configuration guide

© 2013 Aerohive Networks CONFIDENTIAL

CLI Commands forPhone & Data Port without Authentication

179

Create a new policy for employee access

• Policy name: Wireless or Wired Employee Access

Page 180: Aerohive Configuration guide

© 2013 Aerohive Networks CONFIDENTIAL

CLI Commands forPhone & Data Port without Authentication

180

• For the condition, select the windows group that contains your employees

• Add the three attribute value pairs needed to assign a user profile› Tunnel-Medium-Type: IP v4

(value found in the others section)

› Tunnel-Type: Generic Route Encapsulation (GRE)

› Tunnel-Pvt-Group-ID: (String) 10» 10 is the voice user profile in

this case

• Click Next


Phone and Data

CONFIGURE PORT TYPES



Lab: Configure Ports - Phone & Data – 1. Configure RADIUS

Configure the RADIUS server for the ports secured with 802.1X

• For your Phone-and-Data-X port type, under Authentication click <RADIUS Settings>

• Select RADIUS-X which is an external Microsoft NPS RADIUS server

• Click OK


Port Types


Assign user profiles to your 802.1X ports

• For your Phone-and-Data-X port type, under User Profile click Add/Remove


Port Types (Reminder) – Must Verify

There are three user profile settings:

1. Default – Used for data if no user profile attribute is returned, or if a user profile attribute is returned and matches the user profile configured here

2. Auth OK (Voice) – The client authenticates successfully, a user profile attribute is returned that matches a selected user profile, and the Cisco AV Pair is also returned

3. Auth OK (Data) – The client passes authentication and a user profile attribute is returned, but no Cisco AV Pair


Lab: Configure Ports - Phone & Data – 2. Configure user profile – Auth OK (Voice)

• Click Auth OK (Voice)

• Click New


Lab: Configure Ports - Phone & Data – 3. Configure user profile – Auth OK (Voice) VLAN

User profiles are used to assign policy to devices connected to the network.

• Name: Voice-X

• Attribute: 2

• Default VLAN: 2

• Click Save


Lab: Configure Ports - Phone & Data – 4. Configure user profile – Auth OK (Voice)

• For the Auth OK (Voice) tab select: Voice-X(2)

› Assigns VLAN 2


Lab: Configure Ports - Phone & Data – 5. Configure user profile – Default

Assign the Default user profile:

• Select the Default tab

• Select Employee-Default(1)

› Assigns VLAN 1


Lab: Configure Ports - Phone & Data – 6. Configure user profile – Auth OK (Data)

Define a user profile for Auth OK (Data) – for clients connected through an IP Phone

• Select Auth OK (Data)

• Select Employee-X(10)

› Assigns VLAN 10

• Verify the Default, Auth OK (Voice), and Auth OK (Data) settings one more time

• Click Save


Lab: Configure Ports - Phone & Data – 7. Verify your settings

• Verify the settings


Lab: Configure Ports - Phone and Data – 8. Save your network policy

• From the Configure Interfaces & User Access bar, click Save


CONFIGURE 802.1Q TRUNK PORTS



Lab: Configure Trunk Ports – 1. Configure AP-Trunk-X port policy VLANs

Define the allowed VLANs on a trunk port

• Next to AP-Trunk-X click Add/Remove

• Add the specific VLANs: 1,2,8,10

• Click OK


Lab: Configure Trunk Ports – 2. Configure Trunk-X port policy VLANs

Define the allowed VLANs on a trunk port

• Next to Trunk-X click Add/Remove

• Type all

• Click OK


Lab: Configure Trunk Ports – 3. Verify your settings

Verify Settings


Lab: Configure Ports - Phone and Data – 8. Save your network policy and continue

• From the Configure Interfaces & User Access bar, click Save


UPDATE DEVICES



Lab: Update Devices – 1. Modify your AP

From the Configure & Update Devices section, modify your AP specific settings

• Click the Name column to sort the APs

• Click the link for your AP: 0X-A-######


Lab: Update Devices – 2. Update the configuration of your Aerohive AP

• Location: <FirstName_LastName>

• Topology Map: Classroom

• Network Policy: Access-X

Note: Leave this set to default so you can see how it is automatically set to your new network policy when you update the configuration.

• Set the power down to 1 dBm on both radios because the APs are stacked in a rack in the data center

› 2.4GHz (wifi0) Power: 1

› 5GHz (wifi1) Power: 1

• Click Save


Lab: Update Devices – 3. Select AP and switch

• Select your AP and switch and click Update

Click Yes


Lab: Update Devices – 4. Update the AP and switch

• Select Update Devices

• Select Perform a complete configuration update for all selected devices

• Click Update

For this class, ALL updates should be Complete configuration updates


Lab: Update Devices – 5. Update the AP and switch

• Should the Reboot warning box appear, select OK

Click OK


QUESTIONS?


CREATE AN AEROHIVE DEVICE DISPLAY FILTER



Lab: Create a Display Filter from Monitor View – 1. Create a filter

• To create a display filter, go to Monitor > Filter and select +

• Network Policy, select: Access-X

• Remember this Filter, type: Access-X

• Click Search


Lab: Create a Display Filter from Monitor View – 2. Verify the display filter


QUESTIONS?


TEST YOUR WI-FI CONFIGURATION USING THE HOSTED PC


Lab: Test Hosted Client Access to SSID – Test SSID Access at Hosted Site

• Use the VNC client to access the Hosted PC:

› password: aerohive

• From the hosted PC, you can test connectivity to your SSID

[Lab topology diagram: Hosted PC, AP and SR2024 PoE switch (Access), Distribution, Core, ESXi Server - HM VA, Internet; Ethernet and Wi-Fi links]


Lab: Test Hosted Client Access to SSID – 1. For Windows: Use TightVNC client

• If you are using a Windows PC

› Use TightVNC

› TightVNC has good compression, so please use this for class instead of any other application

• Start TightVNC

› For Lab 1: lab1-pcX.aerohive.com

› For Lab 2: lab2-pcX.aerohive.com

› For Lab 3: lab3-pcX.aerohive.com

› For Lab 4: lab4-pcX.aerohive.com

› For Lab 5: lab5-pcX.aerohive.com

› Select Low-bandwidth connection

› Click Connect

› Password: aerohive

› Click OK


Lab: Test Hosted Client Access to SSID – 2. For Mac: Use the RealVNC client

• If you are using a Mac

› RealVNC has good compression, so please use this for class instead of any other application

• Start RealVNC

› For Lab 1: lab1-pcX.aerohive.com

› For Lab 2: lab2-pcX.aerohive.com

› For Lab 3: lab3-pcX.aerohive.com

› For Lab 4: lab4-pcX.aerohive.com

› For Lab 5: lab5-pcX.aerohive.com

› Click Connect

› Password: aerohive

› Click OK


Lab: Test Hosted Client Access to SSID – 3. In case the PCs are not logged in

If you are not automatically logged in to your PC

• If you are using the web browser client

› Click the button to Send Ctrl-Alt-Del

• If you are using the TightVNC client

› Click to send a Control-Alt-Delete

• Login: AH-LAB\user

• Password: Aerohive1

• Click the right arrow to login


Lab: Test Hosted Client Access to SSID – 4. Remove any Wireless Networks on Hosted PC

From the bottom task bar, click the locate wireless networks icon

› Select Open Network and Sharing Center

› Click Manage wireless Networks

› Select a network, then click Remove

› Repeat until all the networks are removed

› Click [x] to close the window


Lab: Test Hosted Client Access to SSID – 5. Connect to Your Class-PSK-X SSID

• Single-click the wireless icon on the bottom right corner of the windows task bar

• Click your SSID: Class-PSK-X

• Click Connect

› Security Key: aerohive123

› Click OK


Lab: Test Hosted Client Access to SSID – 6. View Active Clients List

• After associating with your SSID, you should see your connection in the Active Clients list under Wireless Clients

• Your IP address should be from the 10.5.10.0/24 network, which is from VLAN 10

Go to Monitor > Clients > Wireless Clients and locate your PC's entry


QUESTIONS?


TESTING SWITCH PORT CONNECTIONS WITH WINDOWS 7



Lab: Test Hosted Client to Wired Network – Test Guest and 802.1X Access

• Use the VNC client to access the Hosted PC:

› password: aerohive

• From the hosted PC, you can test connectivity to your SSID

[Lab topology diagram: Hosted PC, AP and SR2024 PoE switch (Access), Distribution, Core, ESXi Server - HM VA, Internet; Ethernet and Wi-Fi links]


Three Different VLANs are Possible in This Configuration

• Default – Authentication succeeds, and RADIUS either returns no user profile attribute or returns one that matches the Default user profile

• Auth OK – and RADIUS returns a user profile that matches one of the user profiles configured here

• Auth Fail – RADIUS authentication fails (Guest)
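As an added example (not Aerohive or HiveOS code), the following Python models how a Phone-and-Data port picks a user profile slot from the RADIUS result, combining the Tunnel-Type/Tunnel-Medium-Type/Tunnel-Pvt-Group-ID triple and Cisco AV Pair the NPS policy returns with the Default, Auth OK (Voice), Auth OK (Data) and Auth Fail outcomes described above. The function names, the attribute dictionary layout, and the fallback to Default when a returned attribute matches no selected slot are assumptions; the guest profile value 100 is taken from the Failure-UID shown in the reference switch CLI output later in this guide.

```python
"""Model of how an Aerohive 802.1X port chooses a user profile from a RADIUS result.

Added example for this page, not Aerohive/HiveOS code.  Assumptions: the
attribute names and dict layout below, and the fallback to Default when a
returned attribute matches no slot selected on the port.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Values the lab has NPS return; numeric codes are the RFC 2868 ones
# (Tunnel-Type 10 = GRE, Tunnel-Medium-Type 1 = IPv4).
TUNNEL_TYPE_GRE = 10
TUNNEL_MEDIUM_IPV4 = 1
VOICE_AV_PAIR = "device-traffic-class=voice"


@dataclass(frozen=True)
class PortProfiles:
    """User profile attributes selected on the port, one per slot."""
    default: int        # Default tab, Employee-Default(1) in the lab
    auth_ok_voice: int  # Auth OK (Voice), Voice-X(2) in the lab
    auth_ok_data: int   # Auth OK (Data), Employee-X(10) in the lab
    auth_fail: int      # Auth Fail (guest); Failure-UID=100 in the show auth output


# Port configuration built in this lab (constructed from the values above).
LAB_PORT = PortProfiles(default=1, auth_ok_voice=2, auth_ok_data=10, auth_fail=100)


def user_profile_attribute(attrs: Dict[str, object]) -> Optional[int]:
    """Extract the user profile attribute from an Access-Accept.

    All three tunnel attributes must be present in the GRE/IPv4 form the lab
    configures; otherwise the switch behaves as if no attribute was returned.
    """
    if attrs.get("Tunnel-Type") != TUNNEL_TYPE_GRE:
        return None
    if attrs.get("Tunnel-Medium-Type") != TUNNEL_MEDIUM_IPV4:
        return None
    group_id = attrs.get("Tunnel-Pvt-Group-ID")
    if group_id is None:
        return None
    try:
        return int(str(group_id).strip())
    except ValueError:  # non-numeric string: not a usable profile attribute
        return None


def is_voice_device(attrs: Dict[str, object]) -> bool:
    """True when the Cisco AV pair that marks the client as a phone is present."""
    pairs = attrs.get("Cisco-AVPair", [])
    if isinstance(pairs, str):
        pairs = [pairs]
    return any(str(p).strip().lower() == VOICE_AV_PAIR for p in pairs)


def select_user_profile(port: PortProfiles, auth_ok: bool,
                        attrs: Optional[Dict[str, object]] = None) -> Tuple[str, int]:
    """Return (slot name, user profile attribute) applied to the client."""
    if not auth_ok:
        # 802.1X not supported or failed: Auth Fail (guest) profile
        return "Auth Fail", port.auth_fail
    attrs = attrs or {}
    upa = user_profile_attribute(attrs)
    if upa is None or upa == port.default:
        # No attribute, or an attribute matching the Default profile
        return "Default", port.default
    if upa == port.auth_ok_voice and is_voice_device(attrs):
        # Matching attribute plus the Cisco AV pair: phone, voice VLAN via LLDP-MED
        return "Auth OK (Voice)", port.auth_ok_voice
    if upa == port.auth_ok_data and not is_voice_device(attrs):
        # Matching attribute, no AV pair: data device behind (or instead of) the phone
        return "Auth OK (Data)", port.auth_ok_data
    # Assumption: an attribute that matches no selected slot falls back to Default
    return "Default", port.default


if __name__ == "__main__":
    phone = {"Tunnel-Type": 10, "Tunnel-Medium-Type": 1,
             "Tunnel-Pvt-Group-ID": "2", "Cisco-AVPair": VOICE_AV_PAIR}
    laptop = {"Tunnel-Type": 10, "Tunnel-Medium-Type": 1, "Tunnel-Pvt-Group-ID": "10"}
    for name, ok, a in [("phone", True, phone), ("laptop", True, laptop),
                        ("guest", False, None)]:
        print(name, select_user_profile(LAB_PORT, ok, a))
```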


Lab: Test Hosted Client to Wired Network – 1. Verify IP address of Ethernet adapter

• Locate Local Area Connection 3

• Right click

• Click Status

• Click Details


Lab: Test Hosted Client to Wired Network – 2. Verify IP address of Ethernet adapter

Why do you see an IP from the 10.5.1.0/24 subnet?

This is the IP address the device received on VLAN 1 before the switch was configured


Lab: Test Hosted Client to Wired Network – 3. Reset Ethernet Adapter

Because the PC has the wrong IP address it will not work; you can remedy this by either:

• Right click on Local Area Connection 3

• Click Diagnose

or

• Disable then Enable Local Area Connection 3

• Do NOT Disable Local Area Connection 2


Lab: Test Hosted Client to Wired Network – 4. Verify IP address of Ethernet adapter

• Locate Local Area Connection 3

• Right click

• Click Status

• Click Details


Lab: Test Hosted Client to Wired Network – 5. Verify IP address of Ethernet adapter

Why do you see an IP from the 10.5.8.0/24 subnet?

This is the guest network that is assigned if authentication is not supported or fails


Lab: Test Hosted Client to Wired Network – 6. Verify VLAN of wired client

Go to Monitor > Clients > Wired Clients and locate your PC's entry

• Note the IP, Client Auth Mode, User Profile Attribute and VLAN

• VLAN 8 is the guest VLAN assigned because 802.1X authentication was not supported or failed. The host was assigned to the Auth Fail user profile.


Lab: Test Hosted Client to Wired Network – 7. Enable 802.1X for wired clients

• In Windows 7, you must enable 802.1X support

• As an administrator, from the start menu type services

• Then click services


Lab: Test Hosted Client to Wired Network – 8. Enable 802.1X for wired clients

• Click the Standard tab on the bottom of the services panel

• Locate Wired AutoConfig and right-click

• Click Properties


Lab: Test Hosted Client to Wired Network – 9. Enable 802.1X for wired clients

• The Wired AutoConfig (DOT3SVC) service is responsible for performing IEEE 802.1X authentication on Ethernet interfaces

• If your current wired network deployment enforces 802.1X authentication, the DOT3SVC service should be configured to run for establishing Layer 2 connectivity and/or providing access to network resources

• Wired networks that do not enforce 802.1X authentication are unaffected by the DOT3SVC service


Lab: Test Hosted Client to Wired Network – 10. Enable 802.1X for wired clients

• Click Automatic

• Click Start


Lab: Test Hosted Client to Wired Network – 11. Enable 802.1X for wired clients

• Click OK


Lab: Test Hosted Client to Wired Network – 12. Verify IP address of Ethernet adapter

• Locate Local Area Connection 3

• Right click

• Click Status

• Click Details


Lab: Test Hosted Client to Wired Network – 13. Verify IP address of Ethernet adapter

Why do you see an IP from the 10.5.10.0/24 subnet?

The user has authenticated with 802.1X/EAP and RADIUS is returning the user profile attribute: 10


Lab: Test Hosted Client to Wired Network – 14. Verify authentication and VLAN of wired client

Go to Monitor > Clients > Wired Clients and locate your entry

• Note the IP, Client Auth Mode, User Profile Attribute and VLAN

• VLAN 10 is the employee VLAN assigned because 802.1X authentication was successful and the host was assigned to the Auth OK user profile.


For Reference: Switch CLI


SR-04-866380# show auth int eth1/12
Authentication Entities:
if=interface; UID=User profile group ID; AA=Authenticator Address;
if=eth1/12; idx=16; AA=08ea:4486:638c; Security-obj=Secure-2; default-UID=1;
Protocol-suite=802.1X;Auth-mode=port-based; Failure-UID=100; Dynamic-VLAN=10;
No. Supplicant UID Life State DevType User-Name Flag
--- -------------- ---- ----- -------------- ------- -------------------- ----
0 000c:2974:aa8e 10 0 done data AH-LAB\user4 000b
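As an added example (not Aerohive code), this Python parses the show auth output above into the port-level settings and the supplicant table, then flags any supplicant that landed on the Failure-UID (the Auth Fail/guest profile) or is not in the done state, which is the check a defender would script when auditing 802.1X ports. The sample text is constructed from the reference output on this page plus one made-up guest row; the field names are assumptions.

```python
"""Parse the switch "show auth int <port>" output and flag clients on the Auth Fail profile.

Added example for this page, not Aerohive code.  The only input is the text of
the command output; the column and field names used below are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample, copied from the reference output on this page.
SAMPLE_SHOW_AUTH = r"""SR-04-866380# show auth int eth1/12
Authentication Entities:
if=interface; UID=User profile group ID; AA=Authenticator Address;
if=eth1/12; idx=16; AA=08ea:4486:638c; Security-obj=Secure-2; default-UID=1;
Protocol-suite=802.1X;Auth-mode=port-based; Failure-UID=100; Dynamic-VLAN=10;
No. Supplicant UID Life State DevType User-Name Flag
--- -------------- ---- ----- -------------- ------- -------------------- ----
0 000c:2974:aa8e 10 0 done data AH-LAB\user4 000b
"""

# Constructed variant: a second, made-up client that failed 802.1X and got the guest profile.
SAMPLE_WITH_GUEST = SAMPLE_SHOW_AUTH + "1 0011:2233:4455 100 0 done data - 000b\n"

COLUMNS = ("no", "supplicant", "uid", "life", "state", "devtype", "user_name", "flag")


@dataclass
class AuthEntity:
    settings: Dict[str, str] = field(default_factory=dict)   # if, Failure-UID, ...
    supplicants: List[Dict[str, str]] = field(default_factory=list)


def parse_show_auth(text: str) -> AuthEntity:
    """Split the output into port-level key=value settings and the supplicant table."""
    entity = AuthEntity()
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "# show auth" in line or line.endswith("Entities:"):
            continue
        if line.startswith("---"):
            in_table = True          # dashed rule: table rows follow
            continue
        if in_table:
            parts = line.split()
            if len(parts) < len(COLUMNS):
                continue
            # User-Name may contain spaces, so rejoin everything between DevType and Flag
            row = parts[:6] + [" ".join(parts[6:-1]), parts[-1]]
            entity.supplicants.append(dict(zip(COLUMNS, row)))
            continue
        if "=" in line and ";" in line:
            kv = {}
            for pair in line.split(";"):
                if "=" in pair:
                    k, v = pair.split("=", 1)
                    kv[k.strip()] = v.strip()
            if kv.get("if") == "interface":
                continue             # legend line explaining the abbreviations, not data
            entity.settings.update(kv)
    return entity


def audit(entity: AuthEntity) -> List[str]:
    """One finding per supplicant on the Auth Fail profile or not yet 'done'."""
    findings = []
    failure_uid = entity.settings.get("Failure-UID")
    port = entity.settings.get("if", "?")
    for s in entity.supplicants:
        if s["uid"] == failure_uid:
            findings.append(f"{port}: {s['supplicant']} ({s['user_name']}) "
                            f"is on the Auth Fail profile {failure_uid}")
        elif s["state"] != "done":
            findings.append(f"{port}: {s['supplicant']} authentication state is {s['state']}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_show_auth(SAMPLE_WITH_GUEST)):
        print(finding)
```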


Enable 802.1X for Wired Connections


If you need to troubleshoot you can view Local Area Connection 3

• From the start menu, type view network

• Right-click Local Area Connection 3, and click Diagnose

› This will reset the adapter, clear the caches, etc.


Clearing Authentication Cache – For Testing or Troubleshooting

• From the Wired Clients list, you can select and Deauth a client

› This clears all the caches for the client on the switch

• Then on the hosted PC, you will need to disable then enable Local Area Connection 3 to force a reauth


MISC MONITORING



Switch Monitoring


• Monitor > Switches

• Click on the hostname of the switch


Switch Monitoring


• Hover with your mouse over the switch ports


Switch Monitoring


System Details


Switch Monitoring


Port Details and PSE Details


Power Cycle Devices via PoE


• To configure this feature for selected ports on a switch, navigate to Monitor > Switches in the Managed Devices tab, click the name of the switch, and scroll down to PSE Details.

• Select the check box or boxes for the port or ports that you want to cycle, and then click Cycle Power.

This is useful in the event that an AP or multiple APs are locked up and need to be rebooted remotely. Bouncing the PoE port forces the AP reboot.


Switch Monitoring


• Monitor > Active Clients > Wired Clients

• Add the User Profile Attribute column and move it up; it is useful


Switch Monitoring


• Click on the MAC address for a wired client to see more information


Switch Monitoring


• Utilities… > Statistics > Interface


Switch Monitoring


• Utilities… > Diagnostics > Show PSE


VLAN Probe – Use VLAN Probe to verify VLANs and DHCP Service

• Monitor > Switches – Select your device, and go to Utilities… > Diagnostic > VLAN probe

NOTE: If you get the same IP subnet for each of the VLANs, that is a sign that the switch uplink port is connected to an access port, not a trunk port like it should be.


Client Monitor


• Tools > Client Monitor

• Client Monitor can be used to troubleshoot 802.1X/EAP authentication for wired clients


Switch CLI


• SR-02-66ec00#show interface switchport

Name: gigabitethernet1/1
Switchport: enable
Port Mode: access
Port Mirror: disable
Port User-profile ID: 0
Static Access VLAN: 1
Dynamic Auth VLAN: 0

Name: gigabitethernet1/2
Switchport: enable
Port Mode: access
Port Mirror: disable
Port User-profile ID: 10
Static Access VLAN: 10
Dynamic Auth VLAN: 0


Switch CLI


• show client-report client


GENERAL SWITCHING



Storm Control


• Aerohive switches can mitigate traffic storms due to a variety of causes by tracking the source and type of frames to determine whether they are legitimately required.

• The switches can then discard frames that are determined to be the products of a traffic storm. You can configure thresholds for broadcast, multicast, unknown unicast, and TCP-SYN packets as a function of the percentage of interface capacity, number of bits per second, or number of packets per second.

From your network policy with Switching enabled: Go to Additional Settings>Switch Settings>Storm Control


IGMP Snooping MAC Addresses


• Aerohive switches are capable of monitoring IGMP transactions between multicast routers and client devices, and maintaining a local table of IGMP groups and group members

• Aerohive switches use this information to track the status of multicast clients attached to the switch ports so that it can forward multicast traffic efficiently

From your network policy with Switching enabled: Go to Additional Settings>Switch Settings>IGMP Settings



IGMP Snooping MAC Addresses


• IGMP device specific options available in the switch device configuration

• Users can enable or disable IGMP snooping for all VLANs or for a specified VLAN. When IGMP snooping is disabled, all dynamically learned multicast MAC addresses are deleted.


Required When Aerohive Devices are Configured as RADIUS Servers

GENERATE AEROHIVE SWITCH RADIUS SERVER CERTIFICATES


HiveManager Root CA Certificate – Location and Uses

• This root CA certificate is used to:

› Sign the CSR (certificate signing request) that the HiveManager creates on behalf of the AP acting as a RADIUS or VPN server

› Validate Aerohive AP certificates to remote clients

» 802.1X clients (supplicants) will need a copy of the CA certificate in order to trust the certificates on the Aerohive AP RADIUS server(s)

• Root CA Cert Name: Default_CA.pem

• Root CA key Name: Default_key.pem

Note: The CA key is only ever used or seen by HiveManager

• To view certificates, go to Configuration, click Show Nav, then go to Advanced Configuration > Keys and Certificates > Certificate Mgmt



Use the Existing HiveManager CA Certificate, Do not Create a New One!


• For this class, please do not create a new HiveManager CA certificate, otherwise it will render all previous certificates invalid.

• On your own HiveManager, you can create your own HiveManager CA certificate by going to Configuration, then Advanced Configuration > Keys and Certificates > HiveManager CA


LAB: Aerohive Switch Server Certificate and Key – 1. Generate Aerohive switch server certificate

• Go to Configuration, click Show Nav > Advanced Configuration > Keys and Certificates > Server CSR

• Common Name: server-X

• Organizational Name: Company

• Organization Unit: Department

• Locality Name: City

• State/Province: <2 Characters>

• Country Code: <2 Characters>

• Email Address: [email protected]

• Subject Alternative Name – User FQDN: [email protected]

Note: This lets you add an extra step of validating the User FQDN in a certificate during IKE phase 1 for IPsec VPN. This way, the Aerohive AP needs a valid signed certificate and the correct user FQDN.

• Key Size: 2048

• Password & Confirm: aerohive123

• CSR File Name: Switch-X

• Click Create (see notes below)


LAB: Aerohive Switch Server Certificate and Key – 2. Sign and combine

• Select Sign by HiveManager CA

› The HiveManager CA will sign the Aerohive AP server certificate

• The validity period should be the same as or less than the number of days the HiveManager CA certificate is valid

› Enter the Validity: 3650 – approximately 10 years

• Check Combine key and certificate into one file

› Enabling this setting helps prevent certificate and key mismatches when configuring the RADIUS settings

• Click OK

Use this option to send a signing request to an external certification authority.


LAB: Aerohive Switch Server Certificate and Key – 3. View server certificate and key

• To view certificates, go to Configuration, click Show Nav, then go to Advanced Configuration > Keys and Certificates > Certificate Mgmt

• The certificate and key file name is: switch-X_key_cert.pem

• QUIZ

› Which CA signed this Aerohive switch server key?

› What devices need to install the CA public cert?


QUESTIONS?


Lab: Switch as a RADIUS server – 1. Edit existing policy

• From Configuration, select your Network policy: Access-X

• Click OK and then Continue


Lab: Switch Active Directory Integration – 2. Select your Network Policy

To configure the Aerohive device as a RADIUS server...

Select the Configure & Update Devices bar

• Select the Filter: Current Policy

• Click the link for your Switch – SR-0X-######


Lab: Switch Active Directory Integration – 3. Create a RADIUS Service Object

Create an Aerohive AP RADIUS Service Object

• Under Optional Settings, expand Service Settings

• Next to Device RADIUS Service click +


Lab: Switch AP Active Directory Integration – 4. Create a RADIUS Service Object

• Name: SR-radius-X

• Expand Database Settings

• Uncheck Local Database

• Check External Database

• Under Active Directory, click + to define the RADIUS Active Directory Integration Settings


Lab: Switch Active Directory Integration – 5. Select a switch to test AD integration

• Name: AD-X

• Aerohive device for Active Directory connection setup: select your Switch, SR-0X-#####

› This will be used to test Active Directory integration

› Once this switch is working, it can be used as a template for configuring other Aerohive device RADIUS servers with Active Directory integration

• The IP settings for the selected Aerohive switch are gathered and displayed


Lab: Switch Active Directory Integration – 6. Modify DNS settings

• Set the DNS server to: 10.5.1.10

› This DNS server should be the Active Directory DNS server or an internal DNS server aware of the Active Directory domain

• Click Update

› This applies the DNS settings to the Network Policy and to the Aerohive device so that it can test Active Directory connectivity


Lab: Switch Active Directory Integration – 7. Specify Domain and Retrieve Directory Information

• Domain: ah-lab.local

• Click Retrieve Directory Information

› The Active Directory Server IP will be populated, as well as the BaseDN used for LDAP user lookups


Lab: Switch Active Directory Integration – 8. Specify Domain and Retrieve Directory Information

• Domain Admin: hiveapadmin (the delegated admin)

• Password and Confirm Password: Aerohive1

• Click Join

• Check Save Credentials

› NOTE: By saving credentials you can automatically join Aerohive devices to the domain without manual intervention


Lab: Switch Active Directory Integration – 9. Specify a User to Perform LDAP User Searches

• Domain User: [email protected] (a standard domain user)

• Password and Confirm Password: Aerohive1

• Click Validate User

› You should see the message: The user was successfully authenticated.

› These user credentials will remain and be used to perform LDAP searches to locate user accounts during authentication.


Lab: Switch Active Directory Integration – 10. Save the AD Settings

• Click Save


Lab: Switch Active Directory Integration – 11. Apply the AD settings

• Select AD-X with priority: Primary

• Click Apply (please make sure you click Apply)

• Do not save yet


Lab: Switch Active Directory Integration – 12. Enable LDAP credential caching

Enable a switch RADIUS server to cache user credentials, so that a user who has previously authenticated can still authenticate when the AD server is not reachable

• Check Enable RADIUS Server Credentials Caching

• Do not save yet...


Lab: Switch Active Directory Integration – 13. Assign server certificate

Optional Settings > RADIUS Settings: Assign the switch RADIUS server the newly created switch server certificate and key

• CA Cert File: Default_CA.pem

• Server Cert File: switch-X_key_cert.pem

• Server Key File: switch-X_key_cert.pem

• Key File Password & confirm password: aerohive123

• Click Save


Lab: Switch Active Directory Integration – 14. Verify the RADIUS service object

• Ensure that the Aerohive AP RADIUS Service is set to: switch-radius-X

• Do not save yet…


Lab: Switch Active Directory Integration – 15. Set Static IP address on MGT0 interface

• Expand MGT0 Interface Settings

• Select Static IP

• Static IP Address: 10.5.1.7X (X = student number: 02 = 72, 03 = 73 … 12 = 82, 13 = 83)

• Netmask: 255.255.255.0

• Default Gateway: 10.5.1.1

Note: Aerohive devices that function as a server must have a static IP address.


Lab: Switch Active Directory Integration – 16. Save the switch settings

• Click Save

NOTE: Your Aerohive switch will have an icon displayed showing that it is a RADIUS server.


QUESTIONS?


SSID FOR 802.1X/EAP AUTHENTICATION USING AEROHIVE DEVICE RADIUS WITH AD KERBEROS INTEGRATION


Lab: Switch RADIUS w/ AD Integration – 1. Edit your WLAN Policy and Add SSID Profile

Configure an SSID that uses the 802.1X/EAP with AD (Kerberos) Integration

• Select the Configure Interfaces & User Access bar

• Next to SSIDs click Choose

• In Choose SSIDs, select New


Lab: Switch RADIUS w/ AD Integration – 2. Configure an 802.1X/EAP SSID

• Profile Name: Class-AD-X

• SSID: Class-AD-X

• Under SSID Access Security select WPA/WPA2 802.1X (Enterprise)

• Click Save


Lab: Switch RADIUS w/ AD Integration – 3. Select new Class-AD-X SSID

• Click to deselect the Class-PSK-X SSID

• Ensure the Class-AD-X SSID is selected

• Click OK


Lab: Switch RADIUS w/ AD Integration – 4. Create a RADIUS object

• Under Authentication, click <RADIUS Settings>

• In Choose RADIUS, click New


Lab: Switch RADIUS w/ AD Integration – 5. Define the RADIUS Server IP settings

• RADIUS Name: SWITCH-RADIUS-X

• IP Address/Domain Name: 10.5.1.7X (X = student number: 02 = 72, 03 = 73 … 12 = 82, 13 = 83)

• Leave the Shared Secret empty

NOTE: When the Aerohive device is a RADIUS server, devices in the same Hive automatically generate a shared secret

• Click Apply

• Click Save


Lab: Switch RADIUS w/ AD Integration – 6. Select User Profiles

• Verify that under Authentication, SWITCH-RADIUS-X is assigned

• Under User Profile click Add/Remove

Lab: Switch RADIUS w/ AD Integration – 7. Assign User Profile as Default for the SSID

• On the Default tab, select (highlight) the Employee-Default user profile

• IMPORTANT: This user profile will be assigned if no attribute value is returned from RADIUS after successful authentication, or if attribute value 1 is returned.

• Click the Authentication tab


Lab: Switch RADIUS w/ AD Integration – 8. Assign User Profile to be Returned by RADIUS Attribute

• In the Authentication tab, select (highlight) Employee-X
› NOTE: The User Profile Attribute is appended to the User Profile Name

• Click Save


Lab: Switch RADIUS w/ AD Integration – 9. Verify and Continue

• Ensure Employee-Default-1 and Employee-X user profiles are assigned to the Class-AD-X SSID

• Click Continue, or click the Configure & Update Devices bar

Lab: Switch RADIUS w/ AD Integration – 10. Upload the config to the switch and AP

In the Configure & Update Devices section:

• Select the Filter: Current Policy

• Select your devices

• Click Update

Lab: Switch RADIUS w/ AD Integration – 10. Upload the config to the switch and AP (continued)

• Select Update Devices

• Select Perform a complete configuration update for all selected devices

• Click Update

For this class, ALL Updates should be Complete configuration updates

Lab: Switch RADIUS w/ AD Integration – 11. Upload the config to the switch and AP

• Should the Reboot Warning box appear, select OK

CLIENT ACCESS PREPARATION - DISTRIBUTING CA CERTIFICATES TO WIRELESS CLIENTS

LAB: Exporting CA Cert for Server Validation – 1. Go to HiveManager from the Remote PC

• From the VNC connection to the hosted PC, open a connection to:

• For HM 1 – 10.5.1.20

• For HM 2 – 10.5.1.23

• For HM 3 – 10.5.1.20

• For HM 5 – 10.5.1.20

• Login with: adminX

• Password: aerohive123

NOTE: Here you are accessing HiveManager via the PC's Ethernet connection

LAB: Exporting CA Cert for Server Validation – 2. Download Default CA Certificate to the Remote PC

NOTE: The HiveManager Root CA certificate should be installed on the client PCs that will be using the RADIUS service on the Aerohive device for 802.1X authentication

• From the Remote PC, go to Configuration, then click Show Nav > Advanced Configuration > Keys and Certificates > Certificate Mgmt

• Select Default_CA.pem

• Click Export

LAB: Exporting CA Cert for Server Validation – 3. Rename HiveManager Default CA Cert

• Export the public root Default_CA.pem certificate to the Desktop of your hosted PC
› This is NOT your Aerohive AP server certificate; this IS the HiveManager public root CA certificate

• Rename the extension of the Default_CA.pem file to Default_CA.cer
› This way, the certificate will automatically be recognized by Microsoft Windows

• Click Save

Make the certificate name: Default_CA.cer

Save as type: All Files

LAB: Exporting CA Cert for Server Validation – 4. Install HiveManager Default CA Cert

• Find the file that was just exported to your hosted PC

• Double-click the certificate file on the Desktop: Default_CA

• Click Install Certificate

Issued to: HiveManager
This is the name of the certificate if you wish to find it in the certificate store, or if you want to select it in the Windows supplicant PEAP configuration.

LAB: Exporting CA Cert for Server Validation – 5. Finish certificate installation

• In the Certificate Import Wizard click Next

• Click Place all certificates in the following store

• Click Browse

LAB: Exporting CA Cert for Server Validation – 6. Select Trusted Root Certification Authorities

• Click Trusted Root Certification Authorities

• Click OK

• Click Next

LAB: Exporting CA Cert for Server Validation – 7. Finish Certificate Import

• Click Finish

• Click Yes

• Click OK

LAB: Exporting CA Cert for Server Validation – 8. Verify certificate is valid

• Click OK to Close the certificate

• Double-click Default_CA to reopen the certificate

• You will see that the certificate is valid, with a validity period running from a start date to an end date

• Click the Details tab

LAB: Exporting CA Cert for Server Validation – 9. View the Certificate Subject

• In the details section, view the certificate Subject

• This Subject, HiveManager, is what will appear in the list of trusted root certification authorities when you configure your supplicant later in this lab (Protected EAP (PEAP) Properties in the supplicant, the 802.1X client)

CONFIGURING AND TESTING YOUR 802.1X SUPPLICANT

For Windows 7 Supplicants

Lab: Testing Switch RADIUS w/ AD Integration – 1. Connect to Secure Wireless Network

On the hosted PC, from the bottom task bar, click the wireless networks icon

• Click Class-AD-X

• Click Connect

• A Windows Security alert should appear; click Details to verify this certificate is from HiveManager, then click Connect

server-2 is the AP cert, and HiveManager is the trusted CA

Lab: Testing Switch RADIUS w/ AD Integration – 2. View Active Clients

• After associating with your SSID, you should see your connection in the active clients list in HiveManager
› Go to Monitor > Client > Wireless Clients

• IP Address: 10.5.1.#

• User Name: DOMAIN\user

• VLAN: 1

• User Profile Attribute: 1

NOTE: User Profile Attribute is the Employee-Default-1 user profile for the SSID. This user profile is being assigned because no User Profile Attribute Value was returned from RADIUS.

MAPPING ACTIVE DIRECTORY MEMBEROF ATTRIBUTE TO USER PROFILES

Aerohive AP as a RADIUS Server - Using AD Member Of for User Profile Assignment

• In your Network policy, you defined an SSID with two user profiles
› Employees(1)-1 – Set if no RADIUS attribute is returned
» This user profile, for example, is for general employee staff, and they get assigned to VLAN 1
› Employee(10)-X – Set if a RADIUS attribute is returned
» This user profile, for example, is for privileged employees, and they get assigned to VLAN 10

• Because the switch RADIUS server is using AD to authenticate the users, and AD does not return RADIUS attributes, how can we assign users to different user profiles?

• Though AD does not return RADIUS attributes, it does return other attribute values, like MemberOf, which is a list of the AD groups to which the user belongs

Instructor Only: Confirm User is a member of the Wireless AD Group

Right click the username userX and click Properties

Click on the Member Of tab

The user account userX should belong to the Wireless AD Group

Click OK

Lab: Use AD to Assign User Profile – 1. Map memberOf attribute to user profile

• From Configuration, click Show Nav > Advanced Configuration > Authentication > Aerohive AAA Server Settings > SR-radius-X

• Expand Database Settings

• Check LDAP server attribute Mapping

• Select Manually map LDAP user groups to user profiles

• LDAP User Group Attribute: memberOf

• Domain: dc=AH-LAB,dc=LOCAL

• Click + to expand the LDAP tree

Lab: Use AD to Assign User Profile – 2. Add group to user profile mapping

• Expand the tree structure to locate the group
› Expand CN=Users
› Select CN=Wireless

• For Maps to, from the drop down list, select the user profile: Employee-X

• Click Apply

• The mapping appears below the LDAP directory

• Click Save


NOTE: The CN in Active Directory does not have to match the name of the user profile; matching them here is by choice, not necessity.

Lab: Use AD to Assign User Profile – 3. Update devices

• Select Update Devices

• Select Perform a complete configuration update for all selected devices

• Click Update

For this class, ALL Updates should be Complete configuration updates

Lab: Use AD to Assign User Profile – 4. Update devices

• Should the Reboot Warning box appear, select OK

Lab: Use AD to Assign User Profile SSID – 5. Disconnect and Reconnect to the Class-AD SSID

To test the mapping of the memberOf attribute to your user profile:

• Disconnect from the Class-AD-X SSID

• Connect to the Class-AD-X SSID

Lab: Use AD to Assign User Profile SSID – 6. Verify your active client settings

• From Monitor > Clients > Active Clients
› Your client should now be assigned to:
» IP Address: 10.5.10.#
» User Profile Attribute: 10
» VLAN: 10

NOTE: In the previous lab, without the LDAP group mapping, the user was assigned to attribute 1 in VLAN 1

AEROHIVE SWITCHES AS BRANCH ROUTERS

Medium Size Branch or Regional Office

• SR2024 as Branch Router
› Line Rate Layer 2 Switch
› 8 Ports of PoE
› Multi-authentication access ports
» 802.1X with fallback to MAC auth or open
› Client Visibility
» View client information by port
› RADIUS Server
› Routing between local VLANs
› Layer 3 IPSec VPN
› NAT for Subnets through VPN
› NAT port forwarding on WAN
› DHCP Server
› USB 3G/4G Backup
› and more…

(Figure: SR2024 with PoE-powered APs, an Internet uplink and 3G/4G LTE backup)

Provides Access For:
• Employees
• Guests
• Contractors
• Phones
• APs
• Servers

CREATE A ROUTING NETWORK POLICY – YOU CAN CLONE YOUR EXISTING ACCESS POLICY

For Wireless, Switching, and Routing

Lab: Add Routing to Network Policy – 1. Edit existing policy

• From Configuration, next to your Network policy: Access-X

• Click the sprocket icon

• Click Edit

Lab: Add Routing to Network Policy – 2. Select Branch Routing

Add the option for Branch Routing to your Network Policy

• Check Branch Routing so you have:
› Wireless Access
› Switching
› Branch Routing
› Bonjour Gateway

• Click Save

• Click OK

• NOTE: Enabling Branch Routing:
» Enables L3 VPN Configuration
» Disables L2 VPN Configuration
» Enables L3 Router Firewall Policy
» Enables Policy-Based Routing with Identity
» Enables Router configuration settings in Additional Settings

CLONE SWITCH DEVICE TEMPLATE AS SWITCH AND ADD NEW SWITCH DEVICE TEMPLATE AS BRANCH ROUTER

Lab: Create a Switch Template for Routing – 1. Select and clone your existing device template

• Next to Device Templates, click Choose

• Select your SR2024-Default-X device template (configured as switch)

• Click the sprocket icon

• Click Clone

Lab: Create a Switch Template for Routing – 2. Define router function of the device template

• Click Device Models

• Notice all the devices for which you can create templates when the network policy includes routing

• Ensure that SR2024 is selected

• Click OK

Lab: Create a Switch Template for Routing – 3. Define router function of the device template

• Name: SR2024-Router-Default-X

• Change the function to Router

• Click Save

Lab: Create a Switch Template for Routing – 4. Select both templates

• Ensure both of your SR2024 policies are selected.

• Click OK

• Hide the SR2024-Default-X (Switch) template

• Expand the SR2024-Router-Default-X (Router) template

Lab: Create a Switch Template for Routing – 5. Remove configuration of existing uplink ports

Next you can change your uplink ports and add a WAN port instead

• Select ports 23 and 24, and click Configure

• Remove the port type by clicking on the port type you have selected to ensure it is no longer highlighted

• Click OK

• Click OK again to the Warning

Examples of templates for other devices

• BR200-WP

• AP330 as Router

CONFIGURE ROUTER WAN PORTS - PORTS THAT CONNECT TO THE INTERNET AND PROVIDE NAT

Router WAN Ports

• SR2024 as Branch Router – WAN Port example
› Corp ISP (Fast) – WAN Primary
› DSL – WAN Backup 1
› USB Wireless (3G/4G LTE) – WAN Backup 2

Lab: Create a Switch Template for Routing – 1. Add necessary WAN port for router

• Select Port 23 and Port 24 (USB is always a WAN port)

• Click Configure

Note: You can have up to 3 WAN ports: 1 primary and 2 backup. Two ports can be Ethernet, and one can be USB. If you select multiple ports as WAN ports, you can select which ones are primary and backup in the switch-specific settings.

When the switch is a router, you must configure at least one port as a WAN port

Lab: Create a Switch Template for Routing – 2. Add necessary WAN port for router

• Click New

• Name: WAN-X

• Select WAN

• Click Save

• With WAN-X selected, click OK

Lab: Create a Switch Template for Routing – 3. Review WAN port settings

• The USB Port, Port 23, and Port 24 will now display a WAN (Cloud) icon (USB does not display the cloud icon in this version of code)

Lab: Create a Switch Template for Routing – 4. Save your Network Policy

• From the Configure Interfaces & User Access bar, click Save

Note: Switch Port Settings – To be configured later, not now.

• At a later point in this lab, you will configure the priority of the WAN ports for primary and backup

PORT TYPES

6.0 Network Policy

Besides the addition of the WAN port, all port types are identical in network policies with and without branch routing selected!

This means the same port types can be used in both switching (layer 2) and branch routing (layer 3) network policies.

VLAN-TO-SUBNET ASSIGNMENTS FOR ROUTER INTERFACES

VLAN-to-subnet assignments for router interfaces

• If the network policy is configured with Routing, then for every VLAN configured for SSIDs or port types, you must define the IP subnets that will be assigned to the branch routers (or switches acting as branch routers)

• The VLANs are automatically populated from the VLANs assigned to user profiles for SSIDs and port types

• If you have additional VLANs to define, you can click Add

Network and Sub Networks – Internal Use

• HiveManager assigns a unique subnet from the network to each router, including the DHCP settings

Example: HQ Network 10.102.0.0/16, branch routers BR100 behind a Cloud VPN Gateway over the Internet:
› Sub Network 10.102.0.0/24 – DHCP IP Range 10.102.0.10 – 10.102.0.244, Default Gateway 10.102.0.1, DNS 10.102.0.1 (Router is DNS Proxy)
› Sub Network 10.102.1.0/24 – DHCP IP Range 10.102.1.10 – 10.102.1.244, Default Gateway 10.102.1.1, DNS 10.102.1.1 (Router is DNS Proxy)
› Sub Network 10.102.2.0/24 – DHCP IP Range 10.102.2.10 – 10.102.2.244, Default Gateway 10.102.2.1, DNS 10.102.2.1 (Router is DNS Proxy)

Networks and Hosts Per Network – A Little Bit of Subnet Theory – Yay!

Calculating a network using an IP address and a netmask

Conversion chart between binary and decimal:

Bit position:    2^7  2^6  2^5  2^4  2^3  2^2  2^1  2^0
Decimal value:   128  64   32   16   8    4    2    1
Example:         0    0    0    0    1    0    1    0    = 8 + 2 = 10

When you assign IP addresses, you can determine how many networks and how many hosts per network you need.

Example: Create subnets for network 10.102.0.0/16

                           8 bits   8 bits   8 bits   8 bits
IP Address in binary:      00001010.01100110.00000000.00000000
Netmask in binary:       X 11111111.11111111.11111111.00000000
Multiply each column:      00001010.01100110.00000000.00000000
Convert back to decimal:         10.     102.       0.       0

IP Network 10.102.0.0/16 – Subnet: 8 bits = 256 subnets – Hosts: 8 bits = 256 hosts – 2 = 254

Networks and Hosts Per Network – IP Address Management

Example 1: Move Subnet slider bar to 256 Branches

Network Mask: /16   Subnet Mask: /24

                           8 bits   8 bits   8 bits   8 bits
IP Address in binary:      00001010.01100110.00000000.00000000
Netmask in binary:       X 11111111.11111111.11111111.00000000
Multiply each column:      00001010.01100110.00000000.00000000
Convert back to decimal:         10.     102.       0.       0

IP Network 10.102.0.0/16 – Subnet: 8 bits = 256 branches – Hosts: 8 bits = 256 clients/branch – 3 = 253

Note: HiveManager lets you reserve the first or last IP in the subnets as the default gateway for the subnet.

Networks and Hosts Per Network – Automatic Subnet Creation (256 branches, /24 each)

Third octet in binary = subnet, followed by the host range:
10.102.00000000 = 10.102.0.    hosts 1-254
10.102.00000001 = 10.102.1.    hosts 1-254
10.102.00000010 = 10.102.2.    hosts 1-254
10.102.00000011 = 10.102.3.    hosts 1-254
10.102.00000100 = 10.102.4.    hosts 1-254
10.102.00000101 = 10.102.5.    hosts 1-254
10.102.00000110 = 10.102.6.    hosts 1-254
10.102.00000111 = 10.102.7.    hosts 1-254
10.102.00001000 = 10.102.8.    hosts 1-254
..
10.102.11111111 = 10.102.255.  hosts 1-254

Networks and Hosts Per Network – IP Address Management

Example 2: Move Subnet slider bar to 512 Branches

Network Mask: /16   Subnet Mask: /25

                           8 bits   8 bits   9 bits    7 bits
IP Address in binary:      00001010.01100110.00000000.00000000
Netmask in binary:       X 11111111.11111111.11111111.10000000
Multiply each column:      00001010.01100110.00000000.00000000
Convert back to decimal:         10.     102.       0.       0

IP Network 10.102.0.0/16 – Subnet: 9 bits = 512 branches – Hosts: 7 bits = 128 clients/branch – 3 = 125

Note: HiveManager lets you reserve the first or last IP in the subnets as the default gateway for the subnet.

Networks and Hosts Per Network – Automatic Subnet Creation (512 branches, /25 each)

Third octet plus the first bit of the fourth octet = subnet, followed by the host range:
10.102.00000000.0 = 10.102.0.0      hosts 1-126
10.102.00000000.1 = 10.102.0.128    hosts 129-254
10.102.00000001.0 = 10.102.1.0      hosts 1-126
10.102.00000001.1 = 10.102.1.128    hosts 129-254
10.102.00000010.0 = 10.102.2.0      hosts 1-126
10.102.00000010.1 = 10.102.2.128    hosts 129-254
10.102.00000011.0 = 10.102.3.0      hosts 1-126
10.102.00000011.1 = 10.102.3.128    hosts 129-254
10.102.00000100.0 = 10.102.4.0      hosts 1-126
..
10.102.11111111.1 = 10.102.255.128  hosts 129-254

Worked for the second subnet, 10.102.0.128/25:
                           8 bits   8 bits   9 bits    7 bits
IP Address in binary:      00001010.01100110.00000000.10000000
Netmask in binary:       X 11111111.11111111.11111111.10000000
Multiply each column:      00001010.01100110.00000000.10000000
Convert back to decimal:         10.     102.       0.     128


LAB: Assign VLAN-to-subnet – router interfaces

LAB: Assign VLAN-to-subnet – router interfaces – 1. Select VLAN 10 and create network

• Next to VLAN 10, click Choose

• Click New

LAB: Assign VLAN-to-subnet – router interfaces – 2. Create internal employee network

• Name: Net-Employee-1XX (XX = 02, 03, .. 15, 16)

• Web Security: None

• DNS Service: Class

• Network Type: Internal Use

• Do not save yet

Note: DNS Service Objects

NOTE: This Quick Start DNS Service object sets clients to use the router interface IP as the DNS server, and will proxy the DNS requests to the DNS server learned statically or by DHCP on the WAN interface. Separate DNS servers can also be used for internal and external domain resolution.

LAB: Assign VLAN-to-subnet – router interfaces – 3. Create internal employee network

• Click NEW to create a parent network

LAB: Assign VLAN-to-subnet – router interfaces – 4. Define the Parent Network and subnetworks

• IP Network: 10.1XX.0.0/16

• Move the slider bar to select 256 branches and 253 clients per branch

NOTE: This is the parent network that will be partitioned to create a number of IP subnets determined by moving the slider bar. The slider bar is used to set the number of branches vs. clients per branch, which defines the subnet mask for each subnet. Moving the slider bar changes the number of bits in the subnet mask.

The clients per branch = 253 in this case because 1 IP is reserved for the router, and then 0 and 255 are not used.

LAB: Assign VLAN-to-subnet – router interfaces – 5. Enable DHCP

• Check Enable DHCP server

• For the DHCP Address Pool, move the slider bar to reserve 10 IP addresses at the start of the address pool that can be defined statically.

NOTE: In most cases, the router will be the DHCP server. However, if it is not, you can disable the DHCP service and this network definition will only be used to configure the router interface IP addresses.

Please do not save yet!!!

Note: Custom Options Example

• Note that you can define custom DHCP options if needed

• For example, you can set the custom DHCP options for the hostname of HiveManager (option 225) or the IP address of HiveManager (option 226) or options required by certain IP phones

DEFINE SPECIFIC SUBNETS FOR EACH SITE BY USING DEVICE CLASSIFICATION

What is the goal?

• Define subnets from the IP address space to specific sites

• For example, define the subnets that will be used for Site-1a and Site-1b, but let HiveManager allocate one for Site-1c

Network 10.101.0.0/16 (branch routers BR100 at Site-1a, Site-1b and Site-1c, connected over the Internet):
› Site-1a: Sub Network 10.101.1.0/24 – DHCP IP Range 10.101.1.11 – 10.101.1.254, Default Gateway 10.101.1.1
› Site-1b: Sub Network 10.101.2.0/24 – DHCP IP Range 10.101.2.11 – 10.101.2.254, Default Gateway 10.101.2.1
› Site-1c: Sub Network 10.101.25.0/24 – DHCP IP Range 10.101.25.11 – 10.101.25.254, Default Gateway 10.101.25.1 (allocated by HiveManager)

LAB: Assign VLAN-to-subnet – router interfaces – 1. Define subnet to be assigned to Site-Xa

By default, each branch router will be assigned one subnet from the Local IP Address Space

• To define specific subnets of the Local IP address space to assign to sites
› Check Allocate local subnetworks by specific IP addresses at sites and click

• IP Address: 10.1XX.1.1 (XX = 01, 02, 03, .. 18)

• Type: Device Tag

• Tag1: Site-Xa (Xa = 2a, 3a, 4a, .., 18a)

• Click Apply

LAB: Assign VLAN-to-subnet – router interfaces – 2. Define subnet to be assigned to Site-Xb

Define the next subnet

• Click New

• IP Address: 10.1XX.2.1

• Type: Device Tag

• Tag1: Site-Xb (Xb = 2b, 3b, 4b, .., 18b)

• Click Apply

• Click Save

Note: You can specify up to 256 tags

LAB: Assign VLAN-to-subnet – router interfaces – 3. Save the Network

Verify you have all the settings needed for the network

• DNS: Class

• Network Type: Internal Use

• Subnetwork: 10.1XX.0.0/16

• Verify the IP Allocation Statements

• Click Save

Note: (T) = True, the tag must match; (F) = False, no match required

Here you can see: 10.102.1.1 must have a router with Tag1 set to: Site-2a, and 10.102.2.1 must have a router with Tag1 set to: Site-2b.

LAB: Assign VLAN-to-subnet – router interfaces – 4. Choose the Network

• Ensure your policy is highlighted and click OK

Note: Device Classification Settings On Your Device (Device Specific Settings)

• In a later lab, you will need to define Device Classification Tag1 on your switch with the same entry that was used in the network configuration: Site-Xa

What did you just do?

• You specified that certain sites had or will require specific IP addresses in them, for example Site-1a (10.101.1.1) and Site-1b (10.101.2.1)
› These can be any IP in the subnet. We chose the IP of the default gateways.

• Therefore HiveManager will allocate the subnets that match the IP addresses that are specified for two of the sites

Network 10.101.0.0/16 (branch routers BR100 at Site-1a, Site-1b and Site-1c, connected over the Internet):
› Site-1a: Sub Network 10.101.1.0/24 – DHCP IP Range 10.101.1.11 – 10.101.1.254, Default Gateway 10.101.1.1
› Site-1b: Sub Network 10.101.2.0/24 – DHCP IP Range 10.101.2.11 – 10.101.2.254, Default Gateway 10.101.2.1
› Site-1c: Sub Network 10.101.25.0/24 – DHCP IP Range 10.101.25.11 – 10.101.25.254, Default Gateway 10.101.25.1
* This subnet was chosen by HiveManager because an IP at the site was not defined.
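As an added example (not HiveManager's or Aerohive's own code), the following Python models the two mechanisms from the subnet theory slides and the device classification slides above: the IP-AND-netmask calculation and slider-driven partitioning of 10.102.0.0/16 into 256 /24 or 512 /25 subnets, and the allocation statements that pin 10.101.1.1 to Site-1a and 10.101.2.1 to Site-1b while a subnet is picked for Site-1c. It assumes the gateway is the first usable IP, a DHCP pool starting after 10 reserved addresses (.11 to .254, as in the Site-1a/1b diagram), and that an unpinned site takes the lowest free subnet, whereas HiveManager's own pick (10.101.25.0/24 on the slide) need not be the lowest.

```python
"""Added example, not HiveManager code: model the slider-driven partitioning
of a parent network and the device-tag allocation statements from the slides.
Assumptions: gateway = first usable IP, DHCP pool starts after 10 reserved
addresses (.11-.254 as in the Site-1a/1b diagram), unpinned sites take the
lowest free subnet (HiveManager's own pick, 10.101.25.0/24, need not be)."""
import ipaddress
from dataclasses import dataclass


def network_address(ip: str, netmask: str) -> str:
    """Network = IP AND netmask, the column-by-column multiply on the slide."""
    ip_int = int(ipaddress.IPv4Address(ip))
    mask_int = int(ipaddress.IPv4Address(netmask))
    return str(ipaddress.IPv4Address(ip_int & mask_int))


@dataclass(frozen=True)
class Subnet:
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address     # router interface IP (first usable)
    dhcp_start: ipaddress.IPv4Address  # first address the DHCP pool hands out
    dhcp_end: ipaddress.IPv4Address    # last usable address
    clients: int                       # usable addresses left for clients


def subnet_bits(branches: int) -> int:
    """Slider setting -> extra mask bits: 256 branches = 8 bits, 512 = 9."""
    bits = branches.bit_length() - 1
    if branches < 1 or (1 << bits) != branches:
        raise ValueError("branch count must be a power of two")
    return bits


def partition(parent: str, branches: int, reserved: int = 10) -> list:
    """Split `parent` into `branches` equal subnets, one per branch router."""
    parent_net = ipaddress.ip_network(parent, strict=True)
    prefix = parent_net.prefixlen + subnet_bits(branches)
    if prefix > 30:
        raise ValueError("subnets too small for a gateway and clients")
    plan = []
    for sub in parent_net.subnets(new_prefix=prefix):
        first = int(sub.network_address) + 1    # host 0 is the network address
        last = int(sub.broadcast_address) - 1   # last host is broadcast
        if first + reserved > last:
            raise ValueError("reserved block leaves no DHCP pool")
        # /24: 254 usable - 1 gateway = 253 clients; /25: 126 - 1 = 125
        plan.append(Subnet(
            network=sub,
            gateway=ipaddress.IPv4Address(first),
            dhcp_start=ipaddress.IPv4Address(first + reserved),
            dhcp_end=ipaddress.IPv4Address(last),
            clients=last - first,
        ))
    return plan


def allocate(plan: list, sites: dict) -> dict:
    """Map site tag -> Subnet. A pinned site (tag -> IP string) gets the subnet
    containing that IP, like a (T) Tag1 allocation statement; an unpinned site
    (tag -> None) gets the lowest subnet nobody has claimed yet."""
    result, taken = {}, set()
    for tag, ip in sites.items():                # pinned sites first
        if ip is None:
            continue
        addr = ipaddress.IPv4Address(ip)
        match = next((s for s in plan if addr in s.network), None)
        if match is None:
            raise ValueError(f"{tag}: {ip} is outside the parent network")
        if match.network in taken:
            raise ValueError(f"{tag}: {match.network} already pinned elsewhere")
        result[tag] = match
        taken.add(match.network)
    for tag, ip in sites.items():                # then the unpinned sites
        if ip is not None:
            continue
        free = next((s for s in plan if s.network not in taken), None)
        if free is None:
            raise ValueError(f"{tag}: parent network exhausted")
        result[tag] = free
        taken.add(free.network)
    return result


if __name__ == "__main__":
    # Constructed lab values: parent 10.101.0.0/16 split into 256 branches (/24)
    plan = partition("10.101.0.0/16", 256)
    sites = {"Site-1a": "10.101.1.1", "Site-1b": "10.101.2.1", "Site-1c": None}
    for tag, s in allocate(plan, sites).items():
        print(f"{tag}: {s.network} gw {s.gateway} "
              f"DHCP {s.dhcp_start}-{s.dhcp_end} ({s.clients} clients)")
```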

ADD NETWORKS FOR THE OTHER VLANS

Add More Networks

• Create networks for VLAN 2 and VLAN 8

• If the VLAN is not in the list, click Add
› Enter the VLAN
› Then proceed to configuring the networks

LAB: Assign VLAN-to-subnet – router interfaces – 1. Select VLAN 2 and create network

• Next to VLAN 2, click Choose

• Click New

LAB: Assign VLAN-to-subnet – router interfaces – 2. Create internal voice network

• Create another Internal Network for VLAN 2: 10.2XX.0.0-Voice-X

• Web Security: None

• DNS service: Class

• Network Type: Internal Use

• Do not save yet

LAB: Assign VLAN-to-subnet – router interfaces – 3. Create internal voice network

• Click NEW to create a parent network

Page 370: Aerohive Configuration guide

LAB: Assign VLAN-to-subnet – router interfaces, 4. Define the Parent Network and subnetworks

• IP Network: 10.2XX.0.0/16

• 10.1XX.0.0/16 (the first network, from the earlier lab)

• Move the slider bar to select 256 branches and 253 clients per branch

NOTE: This is the parent network that will be partitioned into a number of IP subnets determined by the slider bar. The slider bar sets the number of branches versus clients per branch, which defines the subnet mask of each subnet: moving the slider changes the number of bits in the subnet mask.

The clients per branch = 253 in this case because one IP is reserved for the router, and the .0 (network) and .255 (broadcast) addresses are not used.

Page 371: Aerohive Configuration guide

LAB: Assign VLAN-to-subnet – router interfaces, 5. Enable DHCP

• Check Enable DHCP server

• For the DHCP Address Pool, move the slider bar to reserve 10 IP addresses at the start of the address pool that can be assigned statically.

• Click Save

NOTE: In most cases the router will be the DHCP server. If it is not, you can disable the DHCP service and this network definition will only be used to configure the router interface IP addresses.

Page 372: Aerohive Configuration guide

LAB: Assign VLAN-to-subnet – router interfaces, 6. Verify and save the Subnetwork

• Click Save

• Ensure your policy is highlighted and click OK
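As an added example (not HiveManager code), the following Python models what steps 4 and 5 above, together with the "What did you just do?" slide, set up: the parent network is split into per-branch subnets from the branches/clients trade-off, each subnet gets a router gateway and a DHCP pool that starts after a reserved static block, and a site whose classification entry names an IP is pinned to the subnet that contains that IP while sites with no entry are assigned dynamically. The `Subnet` record, the function names, and the "lowest free subnet" rule for dynamic sites are this example's own assumptions; HiveManager's dynamic pick (10.101.25.0/24 in the figure) follows its own rules.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added example, not HiveManager code. Models the parent-network slider
# (branches vs. clients per branch), the DHCP pool with a reserved static
# block, and subnet pinning by a site's classification entry.


@dataclass(frozen=True)
class Subnet:
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address      # first usable address, the router
    dhcp_start: ipaddress.IPv4Address   # first address handed out by DHCP
    dhcp_end: ipaddress.IPv4Address     # last usable address


def prefix_for_branches(parent: str, branches: int) -> int:
    """Prefix length that yields at least `branches` subnets of `parent`.
    Each extra subnet bit doubles the branch count and halves the hosts
    per branch, which is the trade-off the slider bar makes."""
    bits = (branches - 1).bit_length()      # 256 branches -> 8 bits
    return ipaddress.ip_network(parent).prefixlen + bits


def clients_per_branch(network: str) -> int:
    """Usable client addresses: total minus network, broadcast and router."""
    return ipaddress.ip_network(network).num_addresses - 3   # /24 -> 253


def carve(parent: str, branches: int, reserve: int) -> List[Subnet]:
    """Split `parent` into equal subnets. The first `reserve` addresses
    (router included) are held back for static assignment, so the DHCP
    pool starts right after them and runs to the last usable address."""
    net = ipaddress.ip_network(parent)
    new_prefix = prefix_for_branches(parent, branches)
    out: List[Subnet] = []
    for sub in net.subnets(new_prefix=new_prefix):
        if reserve + 2 >= sub.num_addresses:
            raise ValueError(f"reserve {reserve} leaves no DHCP pool in {sub}")
        base = sub.network_address
        out.append(Subnet(sub, base + 1, base + 1 + reserve,
                          sub.broadcast_address - 1))
    return out


def allocate(parent: str, branches: int, reserve: int,
             sites: Dict[str, Optional[str]]) -> Dict[str, Subnet]:
    """sites maps a classification tag (e.g. 'Site-1a') to the IP entered
    for it, or None when the site's entry was left blank."""
    parent_net = ipaddress.ip_network(parent)
    new_prefix = prefix_for_branches(parent, branches)
    free = {s.network: s for s in carve(parent, branches, reserve)}
    result: Dict[str, Subnet] = {}
    # Pass 1: pinned sites take the subnet that contains their IP. Any IP in
    # the subnet will do (the lab used the gateway address). Two sites that
    # name IPs in the same subnet is a configuration error, not a merge.
    for site, ip in sites.items():
        if ip is None:
            continue
        addr = ipaddress.ip_address(ip)
        if addr not in parent_net:
            raise ValueError(f"{site}: {ip} is outside {parent}")
        wanted = ipaddress.ip_network(f"{addr}/{new_prefix}", strict=False)
        if wanted not in free:
            raise ValueError(f"{site}: {wanted} is already pinned by another site")
        result[site] = free.pop(wanted)
    # Pass 2: the rest get a subnet the system chooses. This example takes
    # the lowest free one (assumption; HiveManager applies its own choice).
    for site, ip in sites.items():
        if ip is None:
            if not free:
                raise ValueError(f"{site}: parent {parent} is exhausted")
            result[site] = free.pop(min(free))
    return result


if __name__ == "__main__":
    # Constructed input: the three sites from the "What did you just do?" slide.
    sites = {"Site-1a": "10.101.1.1", "Site-1b": "10.101.2.1", "Site-1c": None}
    for site, s in allocate("10.101.0.0/16", 256, 10, sites).items():
        print(f"{site}: {s.network} gw {s.gateway} "
              f"dhcp {s.dhcp_start}-{s.dhcp_end} "
              f"clients {clients_per_branch(str(s.network))}")
```

Running it prints one line per site; Site-1a and Site-1b land in 10.101.1.0/24 and 10.101.2.0/24 with DHCP pools starting at .11, and Site-1c gets the lowest subnet that is still free. Pinning two sites into the same /24, or naming an IP outside the parent, raises instead of silently merging, which is the check worth having before a configuration update reaches the routers.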

Page 373: Aerohive Configuration guide

Networks for Guest Use

• All guest stations at each branch office use the same IP subnet
• All guest traffic destined for the Internet is network address translated to the unique IP address of the router WAN interface

Figure: HQ with Cloud VPN Gateway (Network: Guest Use); three BR100 branch routers behind the Internet, each with:
Network 192.168.83.0/24 (Guest Use), DHCP IP Range 192.168.83.10 – 192.168.83.244, Default Gateway 192.168.83.1, DNS 192.168.83.1 (router is DNS proxy)
Router WAN addresses: 2.1.1.20, 2.50.33.5, 1.3.2.90

Page 374: Aerohive Configuration guide

LAB: Assign VLAN-to-subnet – router interfaces, 7. Select VLAN 8 and create guest network

• Next to VLAN 8, click Choose

• Click New

Page 375: Aerohive Configuration guide

LAB: Assign VLAN-to-subnet – router interfaces, 8. Create the Guest network

• Name: 192.168.83.0-Guest-X
• Web Security: None
• DNS Service: Class
• Network Type: Guest Use
• Guest Use Network: 192.168.83.0/24
• DHCP Address Pool: reserve the first 10
• Check Enable DHCP server

NOTE: Devices assigned to a Guest Use network are restricted from accessing the corporate VPN and from initiating communication to corporate devices

Page 376: Aerohive Configuration guide

LAB: Assign VLAN-to-subnet – router interfaces, 9. Save the Guest network

• Verify your settings

• Click Save
• Click OK

Page 377: Aerohive Configuration guide

Verify Subnet Assignments for Router Interfaces

• You should have a network defined for each of the VLANs specified

Page 378: Aerohive Configuration guide

LAB: Assign VLAN-to-subnet – router interfaces, 10. Save your Network Policy

• From the Configure Interfaces & User Access bar, click Save

Page 379: Aerohive Configuration guide

CHANGE SSID PROFILES

Page 380: Aerohive Configuration guide

Lab: Change SSID Profiles, 1. Change SSIDs

• Configure Interfaces & User Access

• Next to SSIDs, click Choose

Page 381: Aerohive Configuration guide

Lab: Change SSID Profiles, 2. Select Class-PSK-X SSID

• Click to deselect the AD-X SSID

• Ensure the Class-PSK-X SSID is selected (highlighted)

• Click OK

Page 382: Aerohive Configuration guide

Lab: Change SSID Profiles, 3. Verify settings

• Verify settings

• Click Continue

Page 383: Aerohive Configuration guide

CREATING FILTERS

Page 384: Aerohive Configuration guide

Lab: Device Filters, 1. From Configure & Update Devices

Create filters to limit the number of devices displayed

• Click the Configure & Update Devices bar

• Next to Filter, click +

Page 385: Aerohive Configuration guide

Lab: Device Filters, 2. Create a filter

You can create and save filters based on many criteria. For this filter:

› Set the Device Model to SR2024

› Set the hostname to: SR-XX-

› XX is your two-digit student ID: 02-15

› Do not forget the dash (-) at the end; it ensures that only your student ID matches

• For Remember This Filter, enter: XX-switch-router

• Click Search

Page 386: Aerohive Configuration guide

Lab: Device Filters, 3. View your Real and Simulated Switch/Routers

• We will be using real and simulated devices in this lab

• With the filter selected, you will see your real and simulated switch/routers, which all start with SR-XX-

Page 387: Aerohive Configuration guide

UPDATE THE DEVICE CONFIGURATION OF YOUR SWITCH/ROUTERS

Page 388: Aerohive Configuration guide

Lab: Update your Switch Configuration, 1. Modify your switch

• Check next to your switch SR-XX-#######

• Click Modify

Page 389: Aerohive Configuration guide

Lab: Update your Switch Configuration, 2. Change switch to function as a router

Make the following settings:
• Device Function: Router (IMPORTANT)
• Location: First-Name_Last-Name
• Network Policy: Access-X
• When the warning box appears, click OK
• Do NOT save yet

Page 390: Aerohive Configuration guide

Lab: Update your Switch Configuration, 3. Specify the Device Classification Tag1

Set Device Classification Tag1 so that this device is assigned to networks with matching tag definitions:
• Under Device Classification, Tag1: Site-Xa
  Note: the tag you entered in the network will automatically show up in the list
• Do NOT save yet

Page 391: Aerohive Configuration guide

Lab: Update your Switch Configuration, 4. Change WAN port priority settings

• Expand Interface and Network Settings
• Set the following priorities:
  › USB WAN: Backup2
  › Eth1/23 WAN: Backup1
  › Eth1/24 WAN: Primary (please verify that 1/24 is Primary)
• Ensure NAT is enabled on the WAN interfaces (check Enable NAT)
• Do not save yet

Page 392: Aerohive Configuration guide

Lab: Update your Switch Configuration, 5. Disable RADIUS services

Remove the RADIUS object from the earlier lab:
• Under Optional Settings, expand Service Settings
• Uncheck Enable the router as a RADIUS Server

Page 393: Aerohive Configuration guide

Lab: Update Router Configuration, 6. Save your device settings

• Click Save

Page 394: Aerohive Configuration guide

Lab: Update Router Configuration, 7. Update your device settings

• Select Routers to select all three routers

• Click Update

Page 395: Aerohive Configuration guide

Lab: Update Router Configuration, 8. Update your device settings

• Select Update Devices

• Select Perform a complete configuration update for all selected devices

• Click Update

For this class, ALL updates should be complete configuration updates

Page 396: Aerohive Configuration guide

Lab: Update Router Configuration, 9. Update your device settings

• Should the Reboot Warning box appear, click OK

Page 397: Aerohive Configuration guide

VIEW SUBNET ALLOCATION REPORT

Page 398: Aerohive Configuration guide

Network and Sub Networks: Internal Use

• HiveManager assigns a unique subnet from the network to each router, including the DHCP settings

Figure: HQ with Cloud VPN Gateway, Network 10.102.0.0/16; three BR100 branch routers behind the Internet, each with its own subnet:
Sub Network 10.102.0.0/24, DHCP IP Range 10.102.0.10 – 10.102.0.244, Default Gateway 10.102.0.1, DNS 10.102.0.1 (router is DNS proxy)
Sub Network 10.102.1.0/24, DHCP IP Range 10.102.1.10 – 10.102.1.244, Default Gateway 10.102.1.1, DNS 10.102.1.1 (router is DNS proxy)
Sub Network 10.102.2.0/24, DHCP IP Range 10.102.2.10 – 10.102.2.244, Default Gateway 10.102.2.1, DNS 10.102.2.1 (router is DNS proxy)

Page 399: Aerohive Configuration guide

Lab: Subnet Allocation Report, 1. View the IP addresses assigned to the routers

• From Monitor, in the navigation tree, click Subnetwork Allocation

• Under Network Name, select Network-1XX

• From the 10.102.0.0/16 parent network, a different subnet and DHCP pool was allocated to each branch router.

Note: One subnet was assigned via classification; the others were assigned dynamically.

Page 400: Aerohive Configuration guide

CLI ROUTER COMMANDS

Page 401: Aerohive Configuration guide

SHOW L3 INTERFACE

From Monitor > Utilities > SSH Client:

show L3 interface

Page 402: Aerohive Configuration guide

TEST WIRELESS LAN ACCESS

Page 403: Aerohive Configuration guide

Lab: Test Wireless LAN Access, 1. Connect your computer to the SSID: Class-PSK-X

• Single-click the wireless icon in the bottom right corner of the Windows task bar

• Click your SSID: Class-PSK-X

• Click Connect
  › Security Key: aerohive123
  › Click OK

Page 404: Aerohive Configuration guide

Lab: Test Wireless LAN Access, 2. View your client information in Wireless Clients

• View your client in the Active Clients list by going to Monitor > Clients > Wireless Clients

• Notice the VLAN and network address

Page 405: Aerohive Configuration guide

TEST WIRED LAN SECURE ACCESS

Page 406: Aerohive Configuration guide

Lab: Test LAN Port Access - Secure, 1. View your client information in Active Clients

• View your client in the Active Clients list by going to Monitor > Clients > Wired Clients

• Notice the VLAN, network address, and client authentication method

Page 407: Aerohive Configuration guide

Lab: Test LAN Port Access, 2. Disable 802.1X for wired clients

• In Windows 7, wired 802.1X support is enabled by the Wired AutoConfig service; to disable it, stop that service

• As an administrator, from the Start menu type services

• Then click Services

Page 408: Aerohive Configuration guide

Lab: Test LAN Port Access, 3. Disable 802.1X for wired clients

• Click the Standard tab at the bottom of the Services panel

• Locate Wired AutoConfig and right-click it

• Click Properties

Page 409: Aerohive Configuration guide

Lab: Test LAN Port Access, 4. Disable 802.1X for wired clients

• Startup type: Disabled

• Click Stop

Page 410: Aerohive Configuration guide

Lab: Test LAN Port Access, 5. Disable 802.1X for wired clients

• Click OK

Page 411: Aerohive Configuration guide

Lab: Test LAN Port Access, 6. Clear wired client cache

• Monitor > Clients > Operation: Deauth Client

• Check Clear Cache

• Click OK

• Click Yes


Page 413: Aerohive Configuration guide

Lab: Test LAN Port Access, 8. Reset Ethernet adapter

Because the PC still holds an IP address from the previous network, it will not work; you can remedy this by:

• Right-click Local Area Connection 3

• Click Diagnose

or

• Disable, then Enable, Local Area Connection 3

• Do NOT disable Local Area Connection 2

Page 414: Aerohive Configuration guide

Lab: Test LAN Port Access, 9. Verify Auth Fail – Guest Network

• Locate Local Area Connection 3
• Right-click it
• Click Status
• Click Details

• Why do you see an IP from the 192.168.83.0 subnet?
  › This is the guest network that is assigned if authentication is not supported or fails

Page 415: Aerohive Configuration guide

ROUTE-BASED IPSEC VPN

Page 416: Aerohive Configuration guide

Aerohive Layer 2 VPN

Figure: Remote Site connected to Headquarters across the Internet

Layer 2 VPN client devices:
• AP-100 series
• AP-300 series
• BR-100 (AP mode)

Layer 2 VPN server devices:
• AP-300 series: 128 tunnels
• VPN Gateway Virtual Appliance (L2 Gateway mode): 1024 tunnels

Note: Layer 2 VPNs are taught in the Aerohive Certified WLAN Professional (ACWP) class

Page 417: Aerohive Configuration guide

Aerohive Layer 3 VPN

Figure: Remote Site connected to Headquarters across the Internet

Layer 3 VPN client devices:
• BR-100 router
• BR-200 router
• AP 330/350 (router mode)
• Aerohive switch (router mode)

Layer 3 VPN server:
• VPN Gateway (L3 Gateway mode): 1024 tunnels

Page 418: Aerohive Configuration guide

Aerohive Route-Based IPSec VPN Components

• VPN Gateway VA: a HiveOS-based Layer 3 IPSec VPN server, delivered as a virtual appliance that runs on VMware ESXi; one VA supports up to 1024 IPSec VPN tunnels

• Layer 3 IPSec VPN clients: BR100, BR200, HiveAP 330 configured as a router, HiveAP 350 configured as a router, and an Aerohive switch configured as a router

• Aerohive routers are Layer 3 IPSec VPN clients, and provide DHCP, DNS proxy, route synchronization, and RADIUS service, along with many other features.

Page 419: Aerohive Configuration guide

Corporate VPN – HiveManager Allocates Unique Network Settings For Each Site

Figure: HQ (VPN Gateway, Corporate Network 10.1.0.0/16) and three BR100 branch routers across the Internet; Branch Network 172.28.0.0/16 is carved into one subnet per branch:
Sub Network 172.28.0.0/24, DHCP IP Range 172.28.0.10 – 172.28.0.244, Default Gateway 172.28.0.1, DNS 172.28.0.1 (router is DNS proxy)
Sub Network 172.28.1.0/24, DHCP IP Range 172.28.1.10 – 172.28.1.244, Default Gateway 172.28.1.1, DNS 172.28.1.1 (router is DNS proxy)
Sub Network 172.28.2.0/24, DHCP IP Range 172.28.2.10 – 172.28.2.244, Default Gateway 172.28.2.1, DNS 172.28.2.1 (router is DNS proxy)

Page 420: Aerohive Configuration guide

Corporate VPN – HiveManager Allocates Unique Network Settings For Each Site

• Each router builds a VPN to one or two VPN Gateways
• Routes are synchronized between the routers and the VPN Gateways over the VPN using a TCP-based route exchange mechanism

Figure: HQ (VPN Gateway, Corporate Network 10.1.0.0/16) and three BR100 branch networks (Sub Networks 172.28.0.0/24, 172.28.1.0/24 and 172.28.2.0/24) across the Internet

Page 421: Aerohive Configuration guide

Route-based VPN

• Routers (VPN clients) ask the VPN Gateway for updated route information, and provide their own route changes, over the VPN tunnel every minute by default, using a TCP request

Figure: HQ VPN Gateway (Corporate Network 10.1.0.0/16) with tunnels A, B and C to three BR100 branch routers across the Internet

VPN Gateway routes:
Route: 10.1.0.0/16 to Corp Router
Route: 172.28.0.0/24 to VPN tunnel A
Route: 172.28.1.0/24 to VPN tunnel B
Route: 172.28.2.0/24 to VPN tunnel C
Route: 0.0.0.0/0 to Internet Gateway

Branch router, local network 172.28.0.0/24:
Route: 10.1.0.0/16 through VPN tunnel
Route: 172.28.1.0/24 through VPN tunnel
Route: 172.28.2.0/24 through VPN tunnel
Route: 0.0.0.0/0 to Internet Gateway

Branch router, local network 172.28.1.0/24:
Route: 10.1.0.0/16 through VPN tunnel
Route: 172.28.0.0/24 through VPN tunnel
Route: 172.28.2.0/24 through VPN tunnel
Route: 0.0.0.0/0 to Internet Gateway

Branch router, local network 172.28.2.0/24:
Route: 10.1.0.0/16 through VPN tunnel
Route: 172.28.0.0/24 through VPN tunnel
Route: 172.28.1.0/24 through VPN tunnel
Route: 0.0.0.0/0 to Internet Gateway

Page 422: Aerohive Configuration guide

VPN GATEWAY VIRTUAL APPLIANCE

Page 423: Aerohive Configuration guide

VPN Gateway Virtual Appliance: General Information

• What is a VPN Gateway Virtual Appliance?
  › It is a virtualized version of HiveOS that runs on VMware ESXi and supports IPSec VPN service and routing protocols

• How do you upgrade a VPN Gateway VA?
  › VAs can be upgraded using a standard HiveOS software upgrade from HiveManager, TFTP, or SCP

• How many interfaces does a VPN Gateway VA have? Two:
  » WAN – used to terminate the VPNs from the router VPN clients; in a one-armed deployment it is the only interface in use, reaching both the branch networks through the VPN and the internal corporate networks
  » LAN – an optional interface that can be connected to an internal network and be the gateway IP address for corporate traffic to reach the branch networks through the VPN

Page 424: Aerohive Configuration guide

VPN Gateway Virtual Appliance on VMware (ESXi)

• The VA runs HiveOS, and looks just like an AP when you log in to it

Page 425: Aerohive Configuration guide

VPN Gateway Deployment Scenarios – Two Interfaces

• VPN Gateway with two interfaces configured
  › The LAN interface is connected to the inside network
    » Traffic from the inside network destined for an IP address in a branch office is sent to the LAN interface on the VPN Gateway to be encrypted and sent through a VPN to the branch office
    » Routing protocols, OSPF or RIPv2, can be run on the LAN interface so that the VPN Gateway can exchange routes with the inside network router
  › The WAN interface is connected to the DMZ or outside network and is used to terminate the VPNs

Figure: Headquarters – inside router, VPN Gateway with its LAN (Eth1) interface inside and its WAN (Eth0) interface in the DMZ behind the firewall; IPSec VPN across the Internet to the Branch Office

Page 426: Aerohive Configuration guide

VPN Gateway Deployment Scenarios – One Interface

• VPN Gateway with one interface configured (one arm)
  › The WAN interface is connected to a firewall interface in the DMZ
    » Traffic from the inside network destined for an IP address in a branch office is sent to the firewall, which forwards the traffic to the VPN Gateway as the next hop to the branch office routers
    » The VPN Gateway encrypts the traffic and sends it back to the firewall, destined to a branch office router
    » You can enter static routes, or run a dynamic routing protocol, OSPF or RIPv2, on the WAN interface to exchange routes with the firewall

Figure: Headquarters – inside router (clear traffic), firewall, VPN Gateway with only its WAN (Eth0) interface in the DMZ; IPSec VPN across the Internet to the Branch Office

Page 427: Aerohive Configuration guide

Router IPSec VPN Lab Uses a Single VPN Gateway Interface

• In the training lab, the VPN Gateways learn routes via OSPF from the firewall, which are: 10.5.2.0/24, 10.5.8.0/24, and 10.5.10.0/24

• The firewall learns the routes from the VPN Gateways to all the branch office routers via OSPF

• The branch office routers exchange their routes with their VPN Gateways

Figure: Headquarters – inside switch; firewall with Bridge Group Interface 10.5.1.1 (Port1, Port2) and outside interface eth0/0 1.2.2.1/24, NAT 1.2.2.X to 10.200.2.X; HiveManager 10.5.1.20; Public 2.1.1.10; Internal 10.102.1.0/24; VPN Gateway in the DMZ with WAN interface Eth0 10.200.2.X/24, gateway 10.200.2.1, X = 2, 3, ..., 14, 15; IPSec VPN across the Internet to the Branch Office

Page 428: Aerohive Configuration guide

THE NEXT STEPS ARE FOR EXAMPLE ONLY. DO NOT DOWNLOAD THE VPN GATEWAY VA IMAGES IN CLASS, OTHERWISE IT WILL TAKE TOO LONG

Page 429: Aerohive Configuration guide

Example Only: Download the HiveOS-VA Image From HiveManager

• Please do not download in class!
  › To download the VPN Gateway Virtual Appliance image from HiveManager, go to Configuration > All Devices
  › Click Update > Advanced > Download HiveOS Virtual Appliance

Page 430: Aerohive Configuration guide

Example Only: Download the HiveOS-VA Image From HiveManager

› Save the VPN Gateway VA image to a directory of your choice on your hard drive
› Note: the default name is AH_HiveOS.ova, but you can rename the file if you like

Page 431: Aerohive Configuration guide

If time permits, the instructor will demonstrate the process

THE NEXT STEPS ARE FOR EXAMPLE ONLY. DO NOT DEPLOY A VPN GATEWAY IN CLASS; YOUR VPN GATEWAY VA IMAGES HAVE ALREADY BEEN DEPLOYED

Page 432: Aerohive Configuration guide

VPN Gateway Virtual Appliance: Recommended Hardware Configurations

Page 433: Aerohive Configuration guide

Example Only: Deploy a VPN Gateway in VMware ESXi

• From the VMware vSphere client, log in to your ESX/ESXi server
• Go to File > Deploy OVF Template
• Locate the AH_HiveOS.ova file and click Open

Page 434: Aerohive Configuration guide

Example Only: Deploy a VPN Gateway in VMware ESXi

• With the AH_HiveOS.ova file selected, click Next

Page 435: Aerohive Configuration guide

Example Only: Deploy a VPN Gateway in VMware ESXi

• View the product information and ensure you have enough disk space for a thick-provisioned install
  › Note: thick provisioning reserves all the disk space needed during the install
• Click Next

Page 436: Aerohive Configuration guide

Example Only: Deploy a VPN Gateway in VMware ESXi

• Provide a name for the VPN Gateway, for example: HiveOS-VAXX, where XX = 02, 03, ..., 14, 15
  › Note: it is a good idea to keep this name relatively short so it fits better in the vSphere client display
• Click Next

Page 437: Aerohive Configuration guide

Example Only: Deploy a VPN Gateway VA in VMware ESXi

• Select Thick Provisioned Lazy Zeroed
  › Note: you can choose Eager Zeroed, but it takes more time because it fills the complete disk space with zeros; lazy zeroing fills only as space is needed
• Click Next

Page 438: Aerohive Configuration guide

Example Only: Deploy a VPN Gateway in VMware ESXi

In this example the VPN Gateways will only use the WAN interface, so you can use the same destination network (virtual switch port group) for both

• Select VM Network for the WAN and LAN interfaces
• Click Next

Page 439: Aerohive Configuration guide

Example Only: Deploy a VPN Gateway in VMware ESXi

• Optionally, check the box to Power on after deployment
• Click Finish

Page 440: Aerohive Configuration guide

Example Only: Deploy a VPN Gateway in VMware ESXi

In a moment the new VPN Gateway will be up and running

• Click Close when the deployment has completed successfully

Page 441: Aerohive Configuration guide

EXAMPLE: INITIAL CONFIGURATION OF A VPN GATEWAY VIRTUAL APPLIANCE

Page 442: Aerohive Configuration guide

Example Only: Initial configuration of a VPN Gateway Virtual Appliance

• In the vSphere console for the new VPN Gateway Virtual Appliance, type 1 to change the Network Settings and press Enter

Page 443: Aerohive Configuration guide

Example Only: Initial configuration of a VPN Gateway Virtual Appliance

• Type 2 to Manually configure interface settings and press Enter

Page 444: Aerohive Configuration guide

Example Only: Initial configuration of a VPN Gateway Virtual Appliance

• The startup CLI wizard is used to set the IP address of the WAN interface on the VA

• The VPN Gateway VA needs Internet access to reach the license server and obtain a valid, unique serial number

• IP for eth0: 10.200.2.X
• Netmask length: [24]
• Gateway: 10.200.2.1
• DNS: 8.8.8.8
• Apply changes: Yes

Page 445: Aerohive Configuration guide

Example Only: Initial configuration of a VPN Gateway Virtual Appliance

• The VPN Gateway checks its connection to its default gateway and to the Aerohive license server

• For the question "Do you want to reset the networking?", press Enter, or type no and press Enter

Page 446: Aerohive Configuration guide

Example Only: Initial configuration of a VPN Gateway Virtual Appliance

• When a VPN Gateway VA is purchased, Aerohive generates an activation code and associates it with a unique serial number

• You will be emailed your activation code

• When the activation code is entered, the VPN Gateway VA contacts the Aerohive license server and obtains the serial number associated with the activation key

• Optionally you can use an HTTP proxy

Page 447: Aerohive Configuration guide

Example Only: Initial configuration of a VPN Gateway Virtual Appliance

• If the activation code is valid, the VPN Gateway VA obtains a valid and unique serial number

• You must then reboot the VPN Gateway by pressing Enter, or by typing yes and then Enter

Page 448: Aerohive Configuration guide

Example Only: Initial configuration of a VPN Gateway Virtual Appliance

• After the VPN Gateway VA has rebooted, you can log in with the factory defaults (change the admin password before the VA is reachable from anywhere but the lab):
  › Login: admin
  › Password: aerohive

• Enter a hostname if you like:
  › hostname HiveOS-VA-X

• If the serial number of the VPN Gateway is not entered into MyHive, you can configure the location of its HiveManager:
  › capwap client server name 10.5.1.20

• Save the configuration:
  › save config

Page 449: Aerohive Configuration guide

Example Only: Initial configuration of a VPN Gateway Virtual Appliance

• Just like on an Aerohive AP or router, you can verify CAPWAP status by typing:
  › show capwap client

• After a minute, you should see the run state show that the VPN Gateway is connected securely to the CAPWAP server

• The CAPWAP server IP should be your HiveManager IP: 10.5.1.20

Page 450: Aerohive Configuration guide

Example Only: Initial configuration of a VPN Gateway Virtual Appliance

Your new VPN Gateway will be displayed in Monitor > VPN Gateways

Page 451: Aerohive Configuration guide

LAB: CREATE A ROUTE-BASED LAYER 3 IPSEC VPN

Page 452: Aerohive Configuration guide

Lab: Create a Route-Based IPSec VPN, 1. Create a Layer 3 IPSec VPN

To create a route-based IPSec VPN:
• Go to Configuration
• Select your Network Policy: Access-X and click OK
• Next to Layer 3 IPSec VPN, click Choose
• In Choose VPN Profile, click New

Page 453: Aerohive Configuration guide

Lab: Create a Route-Based IPSec VPN, 2. Assign your VPN Gateway to the VPN policy

• Enter a profile name: VPN-X and choose Layer 3 IPSec VPN
• For VPN Gateway, select Hive-OS-VA-XX from the drop-down
• External IP address of the VA: 1.2.2.X, where X = your student number
  › Note: the external IP is the public address the routers will contact to reach the Virtual Appliance
• Click Apply

Page 454: Aerohive Configuration guide

Lab: Create a Route-Based IPSec VPN, 3. Certificate settings

Optionally you can add an additional VA for disaster recovery

• Expand IPSec VPN Certificate Authority Settings
• VPN Certificate Authority: Default_CA.pem
• VPN Server Certificate: VPN-cert_key_cert.pem
• VPN Server Cert Private Key: VPN-cert_key_cert.pem

Note: Server certificates for the VPN were created in the HiveManager Certificate Authority

Page 455: Aerohive Configuration guide

Lab: Create a Route-Based IPSec VPN, 4. Verify VPN Settings, Then Go To Configure & Update

• Verify the Layer 3 IPSec VPN settings

Note: The WAN IP and Protocol will be updated after the configuration update is performed

• Click Configure & Update Devices

Page 456: Aerohive Configuration guide

Example: Dynamic Routing on the VA With OSPF or RIPv2

• In a one-armed configuration, OSPF or RIPv2 can be enabled on the WAN interface to dynamically learn routes from the network (e.g. the firewall), and to advertise the routes it learns from the branch sites to the network (e.g. the firewall)

Figure: Headquarters – firewall inside interfaces: bgroup0: 10.5.1.1/24, VLAN 1, OSPF area 0; bgroup0.2: 10.5.2.1/24, VLAN 2, OSPF area 0; bgroup0.8: 10.5.8.1/24, VLAN 8, OSPF area 0; bgroup0.10: 10.5.10.1/24, VLAN 10, OSPF area 0. VA in the DMZ: WAN interface Eth0 10.200.2.X/24, gateway 10.200.2.1, OSPF area 0.0.0.0 (same as 0). Branch Office: BR100 with Sub Network 10.102.1.0/24, across the Internet

Page 457: Aerohive Configuration guide

Example: Routes Learned via OSPF, and Between the VA and Branch Routers

Figure: Headquarters and Branch Office 1, IPSec VPN to Branch Office 1 across the Internet

VA in the DMZ: WAN interface Eth0 10.200.2.2/24, gateway 10.200.2.1, OSPF area 0.0.0.0 (same as 0)
Routes - Branch 1 through VPN: 10.102.1.0/24
Routes - Network: 10.5.1.0/24 to 10.200.2.1; 10.5.2.0/24 to 10.200.2.1; 10.5.8.0/24 to 10.200.2.1; 10.5.10.0/24 to 10.200.2.1; 0.0.0.0/0 to 10.200.2.1

Firewall inside interfaces: bgroup0: 10.5.1.1/24, VLAN 1, OSPF area 0; bgroup0.2: 10.5.2.1/24, VLAN 2, OSPF area 0; bgroup0.8: 10.5.8.1/24, VLAN 8, OSPF area 0; bgroup0.10: 10.5.10.1/24, VLAN 10, OSPF area 0
Routes to Branch 1: 10.102.1.0/24 to 10.200.2.2

Branch Office 1 (BR100), Sub Network 10.102.1.0/24
Routes to Headquarters through VPN: 10.5.1.0/24 to VPN; 10.5.2.0/24 to VPN; 10.5.8.0/24 to VPN; 10.5.10.0/24 to VPN
Local routes: 0.0.0.0/0 to Internet

Note: Aerohive uses a TCP-based mechanism through the VPN tunnel to check for route updates between branch sites and the VPN Gateways, every minute by default.
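The route-based model shown on the Route-based VPN slide and in the two OSPF figures above, as an added example in Python (not HiveOS code): given the prefixes behind the gateway (static entries, or what OSPF/RIPv2 learned from the firewall) and each branch's subnet, it builds the table each side holds after the route exchange, then resolves a destination by longest-prefix match so you can see which traffic enters the tunnel and which stays on the local default route. The `overlaps` check is this example's own addition; it shows why HiveManager hands every branch a unique subnet from the parent network, since overlapping prefixes would make the exchanged routes ambiguous. Function names and next-hop labels are assumptions.

```python
import ipaddress
from typing import Dict, List, Tuple

# Added example, not HiveOS code. Models the route exchange of a route-based
# IPSec VPN: the gateway advertises the HQ prefixes plus every other branch
# to each branch; each branch advertises its local subnet to the gateway.

Route = Tuple[ipaddress.IPv4Network, str]   # (destination, next hop)


def overlaps(prefixes: List[str]) -> List[Tuple[str, str]]:
    """Pairs of prefixes that overlap. Any hit means the exchanged routes
    would be ambiguous, which is why branch subnets must be unique."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [(str(a), str(b)) for i, a in enumerate(nets)
            for b in nets[i + 1:] if a.overlaps(b)]


def exchange_routes(hq_routes: Dict[str, str], branches: Dict[str, str],
                    internet: str = "Internet Gateway") -> Dict[str, List[Route]]:
    """hq_routes: prefix behind the gateway -> its next hop on the HQ side
    (a static route, or what OSPF/RIPv2 learned from the firewall).
    branches: tunnel name -> that branch's local subnet.
    Returns {'gateway': table, <tunnel name>: table, ...}."""
    bad = overlaps(list(hq_routes) + list(branches.values()))
    if bad:
        raise ValueError(f"overlapping prefixes: {bad}")
    net = ipaddress.ip_network
    default = net("0.0.0.0/0")
    tables: Dict[str, List[Route]] = {}
    # Gateway: HQ prefixes keep their HQ next hop; each branch subnet is
    # reached via the tunnel that branch came up on; everything else goes
    # to the Internet gateway.
    gw: List[Route] = [(net(p), nh) for p, nh in hq_routes.items()]
    gw += [(net(p), tunnel) for tunnel, p in branches.items()]
    gw.append((default, internet))
    tables["gateway"] = gw
    # Branch: its own subnet is connected; the HQ prefixes and the other
    # branches were advertised by the gateway and go through the tunnel;
    # the default route stays local, so Internet traffic is not hairpinned.
    for tunnel, local in branches.items():
        tbl: List[Route] = [(net(local), "connected")]
        tbl += [(net(p), "VPN tunnel") for p in hq_routes]
        tbl += [(net(p), "VPN tunnel") for t, p in branches.items() if t != tunnel]
        tbl.append((default, internet))
        tables[tunnel] = tbl
    return tables


def lookup(table: List[Route], dst: str) -> str:
    """Longest-prefix match: the forwarding decision a router makes."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen)[1]


def show(table: List[Route]) -> List[str]:
    return [f"{dst} -> {nh}" for dst, nh in table]


if __name__ == "__main__":
    # Constructed input taken from the Route-based VPN slide.
    tables = exchange_routes({"10.1.0.0/16": "Corp Router"},
                             {"Tunnel A": "172.28.0.0/24",
                              "Tunnel B": "172.28.1.0/24",
                              "Tunnel C": "172.28.2.0/24"})
    for name, tbl in tables.items():
        print(name, *show(tbl), sep="\n  ")
    # The lab's one-armed case: HQ prefixes learned from the firewall via OSPF.
    lab = exchange_routes({"10.5.1.0/24": "10.200.2.1", "10.5.2.0/24": "10.200.2.1",
                           "10.5.8.0/24": "10.200.2.1", "10.5.10.0/24": "10.200.2.1"},
                          {"Branch 1": "10.102.1.0/24"})
    print("Branch 1 -> HiveManager 10.5.1.20 via", lookup(lab["Branch 1"], "10.5.1.20"))
```

The printed tables match the per-router lists on the Route-based VPN slide, and the last line shows the branch reaching HiveManager's 10.5.1.0/24 through the tunnel while 0.0.0.0/0 stays on the branch's own Internet link. Feeding a branch subnet that overlaps an HQ prefix raises before any table is built; that is the failure mode the unique-subnet allocation from the parent network is there to prevent.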

Page 458: Aerohive Configuration guide

Lab: Create a Route-Based IPSec VPN, 5. Modify the settings for your VPN Gateway

• Choose the Current Policy filter

• Under L3 VPN Gateway, click the link to modify your VPN Gateway: HiveOS-VA-XX

Page 459: Aerohive Configuration guide

Lab: Create a Route-Based IPSec VPN, 6. Modify the IP settings on the VPN Gateway

• By default the management network is set to the Quick Start management network: QS-MGT-172.18.0.0

• Set the IP address of the Eth0 (WAN) interface: 10.200.2.X/24, where X = 2, 3, ..., 14, 15

• Set the Default Gateway: 10.200.2.1

• Do not save yet


Lab: Create a Route-Based IPSec VPN
7. Enable OSPF on the VPN Gateway

• Check the box to: Enable dynamic routing and select OSPF

• Check Eth0 (WAN) so that the interface runs OSPF and can advertise routes to, and learn routes from, the network

• Uncheck Eth1 (LAN) because the eth1 interface is not in use

• Use the default Area: 0.0.0.0 (which is compatible with area 0)

• Click Save


Note: Internal Networks – Required if a Dynamic Routing Protocol is Not Enabled


• If the VPN Gateway is configured with static routes, or just has a single default gateway to a router, you can specify which networks to advertise to the branch office networks by specifying Internal Networks

• Any Internal Network defined here will be advertised to the branch office networks through the VPN tunnels, so the branch office routers know which networks to route through the VPN to headquarters


Lab: Create a Route-Based IPSec VPN
8. Upload the Configuration of Your Devices

• Select the Filter: Current Policy

• Select all your devices

• Click Update


• Select Update Devices

• Select Perform a complete configuration update for all selected devices

• Click Update

For this class, ALL Updates should be Complete configuration updates

Lab: Create a Route-Based IPSec VPN
9. Upload the Configuration of Your Devices


• When the Reboot Warning box appears, select OK

Lab: Create a Route-Based IPSec VPN
10. Upload the Configuration of Your Devices


Lab: Create a Route-Based IPSec VPN
11. Wait for the update to complete and verify the VPN

When the VPN Server and Client Icons are green, then you know the VPN is up.


VPN TROUBLESHOOTING



LAB: VPN Troubleshooting
1. Aerohive device VPN Diagnostics

• Go to Monitor > Devices > All Devices

• Select one of the VPN devices: SR-0X-######

• Click Utilities... > Diagnostics > Show IKE Event

• Verify that both Phase 1 and Phase 2 are successful


LAB: VPN Diagnostics
2. Aerohive device VPN Diagnostics – Phase 1

• Select one of the VPN devices: SR-0X-######

• Click Tools... > Diagnostics > Show IKE Event

Possible problems if Phase 1 fails:

• Certificate problems

• Incorrect Networking settings

• Incorrect NAT settings on external firewall

Possible problems if Phase 2 fails:

• Mismatched transform sets between the client and server (encryption algorithm, hash algorithm, etc.)


LAB: VPN Diagnostics
3. Aerohive device VPN Diagnostics – Phase 1

• Click Tools... > Diagnostics > Show IKE Event

• If you see that phase 1 failed due to a certificate problem
› Check the time on the Aerohive devices
» show clock
» show time
› Ensure you have the correct certificates loaded on the Aerohive APs in the VPN services policy


LAB: VPN Diagnostics
4. Aerohive device VPN Diagnostics – Phase 1

• Click Tools... > Diagnostics > Show IKE Event

• If you see that phase 1 failed due to wrong network settings
› Check the IP settings in the VPN services policy
› Check the NAT settings on the external firewall


LAB: VPN Diagnostics
5. Aerohive device VPN Diagnostics – Phase 1

• Click Utilities... > Diagnostics > Show IKE SA

• Phase 1 has completed successfully if you reach step #9

• If step #9 is not established, then one of these problems exists:
› Certificate problems
› Incorrect networking settings
› Incorrect NAT settings on the external firewall


LAB: VPN Diagnostics
6. Aerohive device VPN Diagnostics – Phase 2

• Click Utilities... > Diagnostics > Show IPSec SA
› State: Mature

Note: The VPN is functional if you see the tunnel from the MGT0 IP of the VPN client to the (NAT) address of the MGT0 of the VPN server, and the reverse. The two directions use different SAs (Security Associations).

• If Phase 2 fails: Check the encryption & hash settings on the VPN client and the VPN server


Lab: VPN Diagnostics
7. View the VPN Topology to Verify VPN Status

• In the Layer 3 IPSec VPN section, click VPN Topology

• If the devices show up green with a line between them, the VPN is operational

• Click Refresh if the devices are not green after a moment

Please be patient, it will take a minute or two for the VPNs to establish


VERIFY VPN STATUS AND DYNAMIC ROUTING



Lab: Verify VPN and Dynamic Routing
2. View the VPN Topology to Verify VPN Status

To verify the routes learned via OSPF

• Go to Monitor > VPN Gateways

• Check the box next to your HiveOS-VA-XX

• Select Utilities... > SSH Client


Lab: Verify VPN and Dynamic Routing
3. Use CLI Commands to Verify OSPF Routes

• show OSPF route (wait about 10 seconds, then press Enter twice)
› You should see four OSPF routes in this lab

• show OSPF neighbor (press Enter twice)
› You should see at a minimum the firewall at 209.128.124.196 as a neighbor in the Full/DR state


Lab: Verify VPN and Dynamic Routing
4. View the routes on a branch router

To verify the routes learned through the VPN on a branch router

• Go to Monitor > Routers

• Check the box next to your router: SR-XX-######

• Select Utilities... > Diagnostics > Show IP Routes


Lab: Verify VPN and Dynamic Routing
5. View the routes on a branch router

• You should see at a minimum routes to 10.5.1.0/24, 10.5.2.0/24, 10.5.8.0/24, and 10.5.10.0/24, all through the VPN tunnel0 interface

• High metrics are used for routes learned from OSPF and advertised through the VPN, so that if the network exists locally, the local route is preferred
› Note: Higher metrics mean more cost and are less preferred

• You will also learn the routes for networks at the other branch sites through the VPN tunnel
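To make the route selection on these slides concrete, here is an added Python model of the three routing tables from the lab topology (branch router, VPN Gateway VA, and the headquarters firewall). It is example code written for this page, not Aerohive's implementation or output: the tables are constructed from the addresses on slides 457 and 478, the interface names "tunnel0", "eth0" and the bgroup names come from the slides, the metric value 1000 and the overlapping local 10.5.8.0/24 network are hypothetical, and the next-router links are assumptions that stand in for the real forwarding path.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network       # destination prefix
    via: str                            # egress interface or next hop, as the slides label them
    metric: int = 0                     # higher metric = more cost = less preferred
    next_router: Optional[str] = None   # router that handles the packet next (assumed path); None = delivered


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)


# Constructed routing tables modelled on the lab topology (slides 457 and 478).
# Routes the branch learned through the VPN carry a high metric (1000 is a hypothetical value).
TABLES = {
    "branch": [
        Route(net("10.102.1.0/24"), "local LAN", 0),
        Route(net("10.5.1.0/24"), "tunnel0", 1000, "va"),
        Route(net("10.5.2.0/24"), "tunnel0", 1000, "va"),
        Route(net("10.5.8.0/24"), "tunnel0", 1000, "va"),
        Route(net("10.5.10.0/24"), "tunnel0", 1000, "va"),
        # Hypothetical: the same network also exists locally at the branch.
        # The local copy wins the tie on metric, which is what the slide describes.
        Route(net("10.5.8.0/24"), "local LAN (hypothetical overlap)", 0),
        Route(net("0.0.0.0/0"), "eth0 (Internet)", 0),
    ],
    "va": [
        Route(net("10.102.1.0/24"), "VPN to Branch 1", 0, "branch"),
        Route(net("10.5.1.0/24"), "10.200.2.1", 0, "firewall"),
        Route(net("10.5.2.0/24"), "10.200.2.1", 0, "firewall"),
        Route(net("10.5.8.0/24"), "10.200.2.1", 0, "firewall"),
        Route(net("10.5.10.0/24"), "10.200.2.1", 0, "firewall"),
        Route(net("0.0.0.0/0"), "10.200.2.1", 0, "firewall"),
    ],
    "firewall": [
        Route(net("10.5.1.0/24"), "bgroup0", 0),
        Route(net("10.5.2.0/24"), "bgroup0.2", 0),
        Route(net("10.5.8.0/24"), "bgroup0.8", 0),
        Route(net("10.5.10.0/24"), "bgroup0.10", 0),
        Route(net("10.102.1.0/24"), "10.200.2.2", 0, "va"),
        Route(net("0.0.0.0/0"), "Internet", 0),
    ],
}


def lookup(routes, dst):
    """Longest-prefix match; among equal-length prefixes the lowest metric wins."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r.prefix]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.prefix.prefixlen, r.metric))


def trace(start, dst, max_hops=8):
    """Follow a packet router by router and record the route chosen at each hop."""
    path, router = [], start
    while router is not None and len(path) < max_hops:
        route = lookup(TABLES[router], dst)
        if route is None:
            path.append(f"{router}: no route")
            break
        path.append(f"{router}: {route.prefix} via {route.via}")
        router = route.next_router
    return path


if __name__ == "__main__":
    for dst in ("10.5.1.20", "10.5.8.5", "8.8.8.8"):
        print(dst, "->", " | ".join(trace("branch", dst)))
    print("10.102.1.10 from HQ ->", " | ".join(trace("firewall", "10.102.1.10")))
```

Tracing 10.5.1.20 from the branch walks tunnel0 to the VA, then the VA's OSPF-learned route to 10.200.2.1, then the firewall's bgroup0 interface; 10.5.8.5 stays local because the local route has the same prefix length and a lower metric, and 8.8.8.8 falls to the default route out eth0.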



For Information: This is the OSPF configuration on the training Juniper SSG


• ssg5-3-lab-> set vr trust

• ssg5-3-lab(trust-vr)-> set protocol OSPF

• ssg5-3-lab(trust-vr/OSPF)-> set enable

• ssg5-3-lab(trust-vr/OSPF)-> exit

• ssg5-3-lab(trust-vr)-> exit

• ssg5-3-lab-> set int bgroup0 protocol OSPF area 0

• ssg5-3-lab-> set int bgroup0 protocol OSPF enable

• ssg5-3-lab-> set int bgroup0.2 protocol OSPF area 0

• ssg5-3-lab-> set int bgroup0.2 protocol OSPF enable

• ssg5-3-lab-> set int bgroup0.8 protocol OSPF area 0

• ssg5-3-lab-> set int bgroup0.8 protocol OSPF enable

• ssg5-3-lab-> set int bgroup0.10 protocol OSPF area 0

• ssg5-3-lab-> set int bgroup0.10 protocol OSPF enable


The steps for LAN access are similar

TEST WLAN ACCESS THROUGH THE VPN



Lab: Test Wireless LAN Access
1. Connect your computer to the SSID: Class-PSK-X

• Single-click the wireless icon in the bottom right corner of the Windows task bar

• Click your SSID: Class-PSK-X

• Click Connect
› Security Key: aerohive123
› Click OK


Lab: Test WLAN VPN Access
2. Ping a server through the VPN

From your PC, ping 10.5.1.20, which is a server in the Santa Clara, California data center

Diagram: your PC at Branch Office 1 (BR100) reaches Headquarters (DMZ, VPN Gateway) across the Internet through the IPSec VPN to Branch Office 1


Lab: Test WLAN VPN Access
3. View your client information in Wireless Clients

• From your virtual PC, connect to HiveManager through the VPN: https://10.5.1.20

• View your client in the Active Clients list by going to Monitor > Clients > Wireless Clients


POLICY-BASED ROUTING (PBR)

Not this PBR*:

*A low-cost American beer that has been around a long time but was not popular. However, over the last few years it has become more popular in bars and grocery stores.


Aerohive Policy-Based Routing

• Policy-based routing is used mainly in conjunction with the layer 3 IPSec VPN tunneling capabilities
› Though it does not require VPN

Diagram: branch router with PoE LAN ports, a 3G/4G LTE USB modem, Employees and Guests networks, a local Internet connection, and a VPN to HQ


Aerohive Policy-Based Routing

• Policy-based routing lets you decide how traffic is forwarded out of a router
› Decisions are made based on IP reachability of tracked IP addresses and on user profiles
› Forwarding can be out any WAN port, USB wireless, Wi-Fi connection, or VPN

Diagram: branch router with PoE LAN ports, a 3G/4G LTE USB modem, Employees and Guests networks, a local Internet connection, and a VPN to HQ


Route-based VPN: Private vs. Internet Traffic

• The three types of routes in a branch office are
› Private routes – learned over the VPN from the VPN gateway, such as 10.1.0.0/16 in this example
› Branch routes – to other routers in the branch office, which can be advertised to HQ over the VPN tunnel
› Internet routes – essentially the default route 0.0.0.0/0, used to send traffic to the Internet locally from the branch office

Diagram: Branch Office (BR100) connected over the Internet through Tunnel A to the Cloud VPN Gateway at HQ
› Branch Office: local network 172.28.2.0/24; route 10.1.0.0/16 through the VPN tunnel; route 0.0.0.0/0 to the Internet gateway
› HQ: Corporate Network 10.1.0.0/16 (internal); route 10.1.0.0/16 to the Corp router; route 172.28.2.0/24 to VPN Tunnel A; route 0.0.0.0/0 to the Internet gateway


POLICY-BASED ROUTING



Policy-Based Routing: Custom Rules – Overview of Fields

• Forwarding actions determine where to send the packet

• Source and Destination are used to match a packet


Policy-Based Routing: Forwarding and Backup Forwarding Actions


• The backup forwarding action is used when the interface used for the forwarding action goes down, or when specific IP addresses tracked with Track IP are not reachable through that interface


LAB: CREATE A WAN IP TRACKING POLICY



Track IP for Router WAN Connectivity


• Uses ping to track IP addresses you specify on the Internet
› For example, you can track ntp1.aerohive.com (206.80.44.205)

• If no response is received, you can make routing decisions such as failing over to wireless USB (3G/4G LTE)

Diagram: branch router with PoE LAN ports, a 3G/4G LTE USB modem, Employees and Guests networks, Internet, and a VPN to HQ; Track IP pings ntp1.aerohive.com (206.80.44.205) across the Internet


Lab: WAN IP Tracking
1. Create an IP tracking policy

To configure policy-based routing:

• Go to Configuration

• Select your Network policy: Access-X and click OK

• Next to Additional Settings click Edit


• Expand Service Settings

• For Track IP Groups for WAN Interface, there are two backup track IP groups and one primary

• Next to Primary, click +

Lab: WAN IP Tracking
2. Create an IP tracking policy


• Track IP Group Name: Track-X

• Under Tracking group type select For WAN interface

• Ensure Enable IP tracking is checked

• For the IP addresses, enter: 8.8.8.8,4.2.2.2

• Take action when: all targets become unresponsive

• Click Save

Lab: WAN IP Tracking
3. Create an IP tracking policy


• In Track IP Groups for WAN Interface

• Select the Primary Track IP Group: Track-X

• Click Save

• Next you will configure the routing policy

Note: You can specify Track IP Groups for Backup1 and Backup2 as well. The policy-based routing policy determines whether Backup1 fails over to Backup2, or Backup2 fails over to a Wi-Fi client connection, for example.

Lab: WAN IP Tracking
4. Create an IP tracking policy


LAB: CONFIGURE POLICY-BASED ROUTES



• Expand Router Settings

• Next to Routing Policy, click +

Lab: Policy-Based Routing
1. Create a Routing Policy


Note: Policy-Based Routing: Type of Rules


• Here you can specify the type of routing policy rules
› Split Tunnel: Tunnel non-guest traffic to internal (HQ) routes, drop guest traffic for internal (HQ) routes, and route all other traffic to the local Internet gateway

› Tunnel All: Tunnel all non-guest traffic regardless of its destination and drop all guest traffic.

› Custom: Define a custom routing policy


Lab: Policy-Based Routing
2. Create a Routing Policy

• Name: PBR-X

• Under Routing Policies, select Custom

• Click + to add a new policy


Lab: Policy-Based Routing
3. Create a Routing Policy

• Source - Type: User Profile, Value: Employee-X

• Destination - Type: Private (routes learned via VPN)

• Forwarding Action: Corporate Network (VPN)

• Backup Forwarding Action: Drop

• Click the save icon to the right of the policy


Lab: Policy-Based Routing
4. Create a Routing Policy

• Click + to create a new policy

• Source - Type: User Profile, Value: Employee-X

• Destination - Type: Any (All other routes)

• Forwarding Action: Primary WAN

• Backup Forwarding Action: Backup WAN-1 (e.g. DSL)

• Click the save icon to the right of the policy


Lab: Policy-Based Routing
5. Create a Routing Policy

• Click + to create a new policy

• Source - Type: User Profile, Value: Voice-X

• Destination - Type: Private (routes learned via VPN)

• Forwarding Action: Corporate Network (VPN)

• Backup Forwarding Action: USB (USB Wireless - LTE)

• Click the save icon to the right of the policy


Lab: Policy-Based Routing
6. Create a Routing Policy

• Click + to create a new policy

• Source - Type: User Profile, Value: Guest-X

• Destination - Type: Private (routes via VPN)

• Forwarding Action: Drop

• Click the save icon to the right of the policy


Lab: Policy-Based Routing
7. Create a Routing Policy

• Click + at the top (Note: This is to show an important point)

• Source - Type: User Profile, Value: Guest-X

• Destination - Type: Any

• Forwarding Action: Primary WAN

• Backup Forwarding Action: Drop

• Click the save icon to the right of the policy


Lab: Policy-Based Routing
8. Create a Routing Policy

• Question: What is wrong with this policy?

• Answer: All guest traffic will match the first policy, and no other policy will be used. Guest traffic may be able to access the local branch network if not blocked by firewall policy.


Lab: Policy-Based Routing
9. Create a Routing Policy

• Click the User Profile (Guest-X), Any, Primary WAN policy and drag it to the bottom

• Click Save

• Additional Settings: click Save

• Save your Network Policy


Policy-Based Routing: Analysis

• Processed top down:
1. User Profile (Employee), when going to a private route learned through the VPN: send to the VPN
2. User Profile (Employee), when not sending to the VPN: send out through the primary WAN, and if that fails, out the Backup WAN


Policy-Based Routing: Analysis

3. User Profile(Voice) if destined to a route learned through the VPN, forward through VPN

4. User Profile(Guest) if destined to a route learned through the VPN, drop

5. User Profile(Guest) when not sending to the VPN will be sent out through the primary WAN, and if that fails, drop


Policy-Based Routing: Policy Used For No Matching Routes

• Question: What happens to traffic that does not match a policy-based routing rule?

• Answer: The router uses its main destination routing table (i.e. standard routing)
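The lab's five custom rules, the ordering mistake on the "what is wrong with this policy" slide, the Track IP condition "all targets become unresponsive", and the fall-through to the main routing table can all be exercised in one small model. The following Python is an added example written for this page, not Aerohive's code: the rule fields, profile names and forwarding actions are the ones entered in the lab, the private routes are the HQ subnets from the earlier topology, and the treatment of a rule whose forwarding target is unusable with no backup configured (drop) is a labelled assumption.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# "Private" destinations: routes learned through the VPN from the VPN Gateway.
# Constructed from the lab topology (HQ subnets 10.5.x.0/24).
PRIVATE_ROUTES = [ipaddress.ip_network(p) for p in
                  ("10.5.1.0/24", "10.5.2.0/24", "10.5.8.0/24", "10.5.10.0/24")]


@dataclass(frozen=True)
class Rule:
    source: str                    # user profile name, or "Any"
    destination: str               # "Private" (routes learned via VPN) or "Any"
    forward: str                   # forwarding action: interface, VPN, or "Drop"
    backup: Optional[str] = None   # backup forwarding action, None if not configured


# The lab's five rules in their corrected order (guest "Any" rule dragged to the bottom).
LAB_RULES = [
    Rule("Employee-X", "Private", "Corporate Network (VPN)", "Drop"),
    Rule("Employee-X", "Any", "Primary WAN", "Backup WAN-1"),
    Rule("Voice-X", "Private", "Corporate Network (VPN)", "USB"),
    Rule("Guest-X", "Private", "Drop"),
    Rule("Guest-X", "Any", "Primary WAN", "Drop"),
]


def track_ip_group_failed(ping_results, when="all"):
    """Track IP decision. ping_results maps target IP -> True if it answered.
    when="all": act only when every target is unresponsive (the lab setting);
    when="any": act as soon as a single target stops answering."""
    if not ping_results:
        return False
    unanswered = [ip for ip, answered in ping_results.items() if not answered]
    return len(unanswered) == len(ping_results) if when == "all" else bool(unanswered)


def destination_matches(rule, dst):
    if rule.destination == "Any":
        return True
    addr = ipaddress.ip_address(dst)
    return any(addr in network for network in PRIVATE_ROUTES)


def select_action(rules, profile, dst, unavailable=frozenset()):
    """Top-down first match. `unavailable` holds forwarding targets whose interface is
    down or whose Track IP group has failed. Returns the egress decision as a string."""
    for rule in rules:
        if rule.source not in ("Any", profile):
            continue
        if not destination_matches(rule, dst):
            continue
        if rule.forward == "Drop" or rule.forward not in unavailable:
            return rule.forward
        # Assumption (not stated on the slides): forwarding target unusable and no
        # backup configured means the traffic is dropped.
        return rule.backup if rule.backup is not None else "Drop"
    return "main routing table"   # no rule matched: standard destination-based routing


def shadowed_rules(rules):
    """Rules that can never match because an earlier rule for the same (or any) source
    already matches every destination they would match. Catches the lab's ordering bug."""
    shadowed = []
    for index, rule in enumerate(rules):
        for earlier in rules[:index]:
            same_source = earlier.source in ("Any", rule.source)
            covers = earlier.destination in ("Any", rule.destination)
            if same_source and covers:
                shadowed.append(rule)
                break
    return shadowed


if __name__ == "__main__":
    wan_down = track_ip_group_failed({"8.8.8.8": False, "4.2.2.2": False})
    unusable = frozenset({"Primary WAN"}) if wan_down else frozenset()
    for profile, dst in (("Employee-X", "10.5.1.20"), ("Employee-X", "8.8.8.8"),
                         ("Guest-X", "10.5.1.20"), ("Voice-X", "8.8.8.8")):
        print(profile, dst, "->", select_action(LAB_RULES, profile, dst, unusable))
    misordered = [LAB_RULES[4]] + LAB_RULES[:4]      # the slide-7 version: guest "Any" on top
    print("shadowed:", shadowed_rules(misordered))
```

With the guest "Any" rule placed first, `shadowed_rules` reports the guest "Private, Drop" rule as unreachable, which is exactly why the lab has you drag that rule to the bottom; with the corrected order nothing is shadowed and guest traffic to a VPN-learned route is dropped.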


Policy-Based Routing: Caution in 6.0r2a if not using VPN

• If you are not using VPN, do not create a policy-based routing rule with Source: Any, Destination: Any

• If you do, traffic may be sent back out the primary WAN instead of being sent to a local route.

• This will be resolved in an upcoming release.


POLICY-BASED ROUTING: SIMPLE TEST


Instructor Classroom demo


If time permits:

If the instructor has a 3G/4G USB dongle available:

• Start a continuous ping from a classroom laptop that is communicating through an Aerohive BR-200

• Remove the Ethernet cable from the primary WAN port

• Wait for up to 60 seconds for the connection to failover to the cellular network

• Reconnect the Ethernet cable to the primary WAN port

• Wait for up to 60 seconds for the connection to fall back to the primary WAN network


POLICY-BASED ROUTING: DEFAULT SPLIT TUNNEL

Use this if you do not want to create a custom policy and you have VPN configured


Policy-based routing – Split Tunnel Policy

• Source - User Profile
› Any Guest - applies to users or devices connected to a user profile assigned to a network with the network type set to Guest Use
› Any - all other non-guest user profiles


Policy-based routing – Split Tunnel Policy: Analysis

• Processed top down
1. Traffic from any guest user profile, going to a route learned through the VPN or a local interface on the router: drop
2. Any non-guest traffic destined to a route learned through the VPN: forward through the VPN
3. All other traffic: forward out the Primary WAN interface, and if that fails, send out the backup WAN interface


BRANCH ROUTER 3G/4G MODEM SETTINGS



Branch Router USB Modem Settings

• A wide range of USB modems are supported

• The USB modem can be used when triggered by an IP-tracking policy, or it can always stay connected


Generic USB Modem Support


• Generic USB modem support for BR200, BR100 and the 300 series APs functioning as routers

• Configurable through NetConfig UI


COOKIE-CUTTER VPN



Cookie Cutter Branch Deployments

• Each site, even with the same IP network, can build a VPN to the corporate network

Diagram: HQ Corporate Network 10.0.0.0/8; Branch 1: 10.1.1.0/24; Branch 2: 10.1.1.0/24; Branch 3: 10.1.1.0/24


Cookie Cutter Branch Deployments

• Each site in a branch can be assigned to the same IP network

• How can HQ access the remote sites?

Diagram: HQ Corporate Network 10.0.0.0/8; Branch 1: 10.1.1.0/24; Branch 2: 10.1.1.0/24; Branch 3: 10.1.1.0/24


Cookie Cutter Branch Deployments

• Each network can have a unique subnet allocated for each site, to perform one-to-one NAT for every host in each branch office through the VPN

Diagram: HQ Corporate Network 10.0.0.0/8; Branch 1: NAT 10.102.1.0/24 to 10.1.1.0/24; Branch 2: NAT 10.102.2.0/24 to 10.1.1.0/24; Branch 3: NAT 10.102.3.0/24 to 10.1.1.0/24


Cookie Cutter Branch Deployments: Routing on the VPN Gateway

• The branch routers advertise their NAT subnets to the VPN Gateways

Diagram: HQ Corporate Network 10.0.0.0/8 (local)
› Tunnel routes: 10.102.1.0/24 tunnel 1; 10.102.2.0/24 tunnel 2; 10.102.3.0/24 tunnel 3
› Branch 1: NAT 10.102.1.0/24 to 10.1.1.0/24
› Branch 2: NAT 10.102.2.0/24 to 10.1.1.0/24
› Branch 3: NAT 10.102.3.0/24 to 10.1.1.0/24


Cookie Cutter Branch Deployments

• NAT subnets are unique subnets per site (non cookie-cutter), and can be mapped to sites dynamically or via device classification

• Each NAT IP address can be accessed from corporate through the VPN

• Each NAT mapping is bidirectional, so traffic to HQ will be sourced from each NAT address

Diagram: HQ Corporate Network 10.0.0.0/8
› Branch 1: NAT 10.102.0.0/24 to 10.1.1.0/24, which NATs 10.102.1.1 to 10.1.1.1, 10.102.1.2 to 10.1.1.2, ..., 10.102.1.255 to 10.1.1.255
› Branch 2: NAT 10.102.2.0/24 to 10.1.1.0/24, which NATs 10.102.2.1 to 10.1.1.1, 10.102.2.2 to 10.1.1.2, ..., 10.102.2.255 to 10.1.1.255
› etc.
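The subnet arithmetic behind these slides (carving the NAT pool into one subnet per branch, pinning a subnet to a site by a single IP address as the later lab does, and the bidirectional one-to-one address mapping) is shown here as an added Python example. It is not Aerohive's allocation code: the pool, branch count and cookie-cutter subnet come from the slides, the rule that unpinned sites take the lowest free subnet in order is an assumption, and the "253 clients per branch" figure is reproduced from the later slide as network address, broadcast address and router gateway excluded from a /24.

```python
import ipaddress
from typing import Dict, List

Net = ipaddress.IPv4Network


def allocate_nat_subnets(pool: str, branches: int, local_subnet: str) -> List[Net]:
    """Carve the NAT IP address space pool into one subnet per branch, each the same
    size as the replicated (cookie-cutter) local subnet. 10.102.0.0/16 with a /24
    local subnet yields 256 candidate /24s."""
    pool_net, local = ipaddress.ip_network(pool), ipaddress.ip_network(local_subnet)
    candidates = list(pool_net.subnets(new_prefix=local.prefixlen))
    if len(candidates) < branches:
        raise ValueError(f"{pool} holds only {len(candidates)} /{local.prefixlen} subnets, need {branches}")
    return candidates[:branches]


def clients_per_branch(local_subnet: str) -> int:
    """Usable client addresses: network address, broadcast address and the router's
    gateway IP are excluded (256 - 3 = 253 for a /24, as the lab states)."""
    return ipaddress.ip_network(local_subnet).num_addresses - 3


def assign_sites(subnets: List[Net], sites: List[str], pinned: Dict[str, str]) -> Dict[str, Net]:
    """pinned maps a site tag to one IP address; that site receives the NAT subnet
    containing the address (the lab's 'allocate by specific IP addresses at sites').
    All other sites take the lowest free subnet in order (assumed allocation order)."""
    assignment: Dict[str, Net] = {}
    free = list(subnets)
    for site, ip in pinned.items():
        addr = ipaddress.ip_address(ip)
        match = next((n for n in free if addr in n), None)
        if match is None:
            raise ValueError(f"{ip} is not inside a free NAT subnet")
        assignment[site] = match
        free.remove(match)
    for site in sites:
        if site in assignment:
            continue
        if not free:
            raise ValueError("NAT pool exhausted")
        assignment[site] = free.pop(0)
    return assignment


class OneToOneSubnetNat:
    """Bidirectional 1:1 mapping between a site's NAT subnet (what HQ sees through the
    VPN) and its local cookie-cutter subnet. Host offsets are preserved."""

    def __init__(self, nat_subnet: str, local_subnet: str):
        self.nat = ipaddress.ip_network(nat_subnet)
        self.local = ipaddress.ip_network(local_subnet)
        if self.nat.prefixlen != self.local.prefixlen:
            raise ValueError("NAT subnet and local subnet must be the same size")

    def _translate(self, ip: str, src: Net, dst: Net) -> str:
        addr = ipaddress.ip_address(ip)
        if addr not in src:
            raise ValueError(f"{ip} is not in {src}")
        return str(dst.network_address + (int(addr) - int(src.network_address)))

    def to_hq(self, local_ip: str) -> str:
        """Branch -> HQ: rewrite the local source address to its NAT address."""
        return self._translate(local_ip, self.local, self.nat)

    def to_local(self, nat_ip: str) -> str:
        """HQ -> branch: rewrite the NAT destination address back to the local host."""
        return self._translate(nat_ip, self.nat, self.local)


if __name__ == "__main__":
    subnets = allocate_nat_subnets("10.102.0.0/16", 256, "10.1.1.0/24")
    sites = assign_sites(subnets, ["Site-1a", "Site-2a", "Site-3a"], {"Site-1a": "10.102.1.1"})
    for site, subnet in sites.items():
        nat = OneToOneSubnetNat(str(subnet), "10.1.1.0/24")
        print(site, subnet, "10.1.1.2 ->", nat.to_hq("10.1.1.2"))
    print("clients per branch:", clients_per_branch("10.1.1.0/24"))
```

Because every branch shares 10.1.1.0/24 locally, only the NAT address identifies a host to HQ; the model keeps the host offset, so 10.1.1.2 at the site holding 10.102.2.0/24 is reachable from HQ as 10.102.2.2 and replies are translated back the same way.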


LAB: COOKIE-CUTTER VPN



Lab: Cookie Cutter
1. Create a new Employee Network

• Next to VLAN 10, click on your network: Network-Employee-1XX

• Choose Network, click New


Lab: Cookie Cutter
2. Create a new Employee Network

• Enter the network name: 10.1.1.0-Employee-X

• DNS Service, select the quick start automatically generated object: Class

• Network Type: Internal Use

• Under subnetworks click New

NOTE: This Quick Start DNS Service object sets clients to use the router interface IP as the DNS server, and will proxy the DNS requests to the DNS server learned statically or by DHCP on the WAN interface


Lab: Cookie Cutter
3. Replicate the Network

• Select Replicate the same subnetwork at each site

• Local Subnetwork:10.1.1.0/24

• Select Use the first IP address of the partitioned subnetwork for the default gateway

• Do not save yet

NOTE: You can now use the first or last IP address of each branch subnet for the default gateway assigned to the routers for these subnets


Lab: Cookie Cutter
4. Enable DHCP

• Check Enable DHCP server

• For the DHCP Address Pool, move the slider bar to reserve 10 IP addresses at the start and end of the address pool that can be defined statically.

NOTE: In most cases, the router will be the DHCP server. However, if it is not, you can disable the DHCP service and this network definition will only be used to configure the router interface IP addresses.


Lab: Cookie Cutter
5. NAT settings

• Check Enable NAT through the VPN tunnels

• Number of branches: 256

• NAT IP Address Space Pool: 1.1XX.0.0, Mask 16 (XX = 102, 103, ..., 114, 115)

• Note: We are using 1.1XX.0.0 instead of 10.1XX.0.0 because the lab has no more IP space


Lab: Cookie Cutter
6. NAT settings

• Check Allocate NAT subnetworks by specific IP addresses at sites

• Click New
› IP Address: 1.1XX.1.1
› Type: Device Tags
› Value: Site-Xa (Your Switch)

• Click Apply

NOTE: Any device tag you have defined elsewhere is automatically populated. You can also start typing to narrow the value list.

With these settings, each site will be assigned one of the /24 NAT subnets in 1.1XX.0.0/16. Entering a single IP address locks the NAT IP address, and the NAT subnet to which it belongs, to a specific site.


Lab: Cookie Cutter
7. Save cookie cutter network

Verify your settings

• Click Save


Lab: Cookie Cutter
7. Review and save

Your network will have one NAT subnetwork: 1.1XX.0.0/16 that will support 256 branches with 253 clients per branch, and subnet 10.1.1.0/24 will be assigned to each site for DHCP

• Click Save

• Click OK


Lab: Cookie Cutter
8. Save your network policy and continue

• From the Configure Interfaces & User Access bar, click Continue


PERFORM A COMPLETE UPLOAD



Lab: Update Router Configuration
1. Update your routers

• Select the Filter: Current Policy

• Select all your Routers

• Click Update


• Select Update Devices

• Select Perform a complete configuration update for all selected devices

• Click Update

For this class, ALL Updates should be Complete configuration updates

Lab: Update Router Configuration
2. Update your routers


• When the Reboot Warning box appears, select OK

Lab: Update Router Configuration
3. Update your routers


VIEW SUBNET ALLOCATION REPORT



Cookie Cutter Branch Deployments: Routing on the VPN Gateway

• The branch routers advertise their NAT subnets to the VPN Gateways

Diagram: HQ Corporate Network 10.0.0.0/8 (local)
› Tunnel routes: 10.102.1.0/24 tunnel 1; 10.102.2.0/24 tunnel 2; 10.102.3.0/24 tunnel 3
› Branch 1: NAT 10.102.1.0/24 to 10.1.1.0/24
› Branch 2: NAT 10.102.2.0/24 to 10.1.1.0/24
› Branch 3: NAT 10.102.3.0/24 to 10.1.1.0/24


Lab: Subnet Allocation Report
1. View the IP addresses assigned to the routers

• From Monitor, in the navigation tree, click Subnetwork Allocation

• Under Network Name, select 10.1.1.0-Employee-X

• Note the unique NAT networks and the cookie-cutter network

Note: One subnet was assigned via classification. The others were assigned dynamically.


SIMULATED ROUTER CLEANUP



Lab: Remove Simulated Routers
1. Select and remove your simulated routers

The simulated routers were used to show the subnet allocation report

Now that you have seen how subnetworks are allocated to routers, we can remove the simulated routers

• From Configuration > Routers, check the box next to your simulated devices that start with: SR-02-SIMU-XXXXXX

• Warning: Do NOT remove the real router

• Click Device Inventory and click Remove

• Click Remove from the warning popup


LAYER 3 IPSEC VPN – REDUNDANT VPN GATEWAYS



Router IPSec VPN Lab: Using Two VPN Gateways

Diagram: Headquarters (DMZ, 802.1Q trunk, Inside) and a Branch Office

• Firewall
› eth0/0 – 209.128.76.30; NAT 209.128.76.28 to 10.1.101.2; NAT 209.128.76.29 to 10.1.102.2
› eth0/1.1 - 10.1.101.1/24, VLAN 101, Protocol OSPF area 0.0.0.1
› eth0/1.2 - 10.1.102.1/24, VLAN 102, Protocol OSPF area 0.0.0.2, Protocol OSPF cost 1000
› eth0/2 – 10.5.1.1/24, Protocol OSPF area 0.0.0.0 (Internal Network, AD Server 10.5.1.10)

• VPN Gateway 1: LAN 1 10.1.101.2/24, Protocol OSPF area 0.0.0.1 (VLAN 101)

• VPN Gateway 2: LAN 1 10.1.102.2/24, Protocol OSPF area 0.0.0.2 (VLAN 102)

• Branch Office (eth0 to the Internet)
› Tunnel 1 to 209.128.76.28, pref 1
› Tunnel 2 to 209.128.76.29, pref 2
› VLAN 10 – 10.1.1.0/24 Employee Net
› One-to-One Subnet NAT through VPN: 10.102.1.0/24 (HQ visible IPs) to 10.1.1.0/24 (local IPs)


Router IPSec VPN Lab: Using Two VPN Gateways

• VPN tunnels are built from branch offices to the VPN gateways

• Traffic from the branch offices is decrypted at the VPN gateways and sent to the DMZ firewall for access to the internal network

• Traffic destined to IP addresses at branch offices is sent to the firewall, which looks up the IP and finds the route to the VPN gateway, which encrypts the traffic and sends it through a tunnel to a branch office

Diagram: the same Headquarters topology as on the previous slide (firewall eth0/0 209.128.76.30 with NAT 209.128.76.28 to 10.1.101.2 and 209.128.76.29 to 10.1.102.2; eth0/1.1 10.1.101.1/24 VLAN 101 OSPF area 0.0.0.1; eth0/1.2 10.1.102.1/24 VLAN 102 OSPF area 0.0.0.2, OSPF cost 1000; eth0/2 10.5.1.1/24 OSPF area 0.0.0.0; Internal Network with AD Server 10.5.1.10; VPN Gateway 1 LAN 1 10.1.101.2/24 OSPF area 0.0.0.1; VPN Gateway 2 LAN 1 10.1.102.2/24 OSPF area 0.0.0.2; the VPN Gateways' eth0 interfaces toward the DMZ)


Cookie Cutter Branch Deployments: Routing on the VPN Gateway

• The branch routers advertise their NAT subnets to the VPN Gateways

Diagram: HQ Corporate Network 10.0.0.0/8 (local)
› Tunnel routes: 10.102.1.0/24 tunnel 1; 10.102.2.0/24 tunnel 2
› Branch 1: NAT 10.102.1.0/24 to 10.1.1.0/24
› Branch 2: NAT 10.102.1.0/24 to 10.1.1.0/24


FW Configuration for Accessing VPN Gateways 1 and 2

549

set interface bgroup0.5 tag 101 zone Trust
set interface bgroup0.6 tag 102 zone Trust
set interface bgroup0.5 ip 10.1.101.1/24
set interface bgroup0.6 ip 10.1.102.1/24
set interface bgroup0.5 route
set interface bgroup0.6 route
set int bgroup0.5 protocol OSPF area 0.0.0.1
set int bgroup0.5 protocol OSPF enable
set int bgroup0.6 protocol OSPF area 0.0.0.2
set int bgroup0.6 protocol OSPF enable
set interface "ethernet0/0" mip 209.128.76.28 host 10.1.101.2
set interface "ethernet0/0" mip 209.128.76.29 host 10.1.102.2
set interface "ethernet0/0" mip 209.128.76.28 host 10.1.101.2 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet0/0" mip 209.128.76.29 host 10.1.102.2 netmask 255.255.255.255 vr "trust-vr"
set policy id 18 from "Untrust" to "Trust" "Any" "MIP(209.128.76.28)" "ANY" permit
set policy id 19 from "Untrust" to "Trust" "Any" "MIP(209.128.76.29)" "ANY" permit

CONFIGURING LAYER 3 IPSEC VPN WITH REDUNDANCY
INSTRUCTOR ONLY – THESE STEPS HAVE ALREADY BEEN PERFORMED

Layer 3 VPN – Instructor Only Steps

• Under Layer 3 IPSec VPN, click Choose

Layer 3 VPN – Instructor Only Steps

• Name: Corp-VPN (shared by all network policies in class)
• Layer 3 VPN
• VPN Gateway: VPN-Gateway-1
• External IP: 1.2.2.241
• Click Apply

Layer 3 VPN – Instructor Only Steps

Under VPN Gateway Settings
• Click New
• VPN Gateway: VPN-Gateway-2
• External IP: 1.2.2.242
• Click Apply

Layer 3 VPN – Instructor Only Steps

• Two new certificates were created for this lab; you can use those, or the defaults if the root CA did not change
• Click Save

Layer 3 VPN – Instructor Only Steps

• From Configuration > Show Nav > VPN Gateways
• Modify VPN-Gateway-1

Layer 3 VPN – Instructor Only Steps

Note: VPN Gateways are not assigned to a Network policy; they just use a Management network
• ETH0 (WAN): 10.200.2.241/24
• Default Gateway: 10.200.2.1
• Enable Dynamic Routing
• Select OSPF
• Route Advertisement
› Select Eth0 (WAN)
› Deselect Eth1 (LAN)
• Area: 0.0.0.0
• Click Save

Layer 3 VPN – Instructor Only Steps

• From Configuration > VPN Gateways
• Modify VPN-Gateway-2

Layer 3 VPN – Instructor Only Steps

Note: VPN Gateways are not assigned to a Network policy; they just use a Management network
• ETH0 (WAN): 10.200.2.242/24
• Default Gateway: 10.200.2.1
• Enable Dynamic Routing
• Select OSPF
• Route Advertisement
› Select Eth0 (WAN)
› Deselect Eth1 (LAN)
• Area: 0.0.0.0
• Click Save

Layer 3 VPN – Instructor Only Steps

• Select Update Devices
• Select Perform a complete configuration update for all selected devices
• Click Update

For this class, ALL Updates should be Complete configuration updates

LAB: TWO VPN GATEWAYS
STUDENTS ADD CORP VPN TO THEIR NETWORK POLICY

Lab: Two VPN Gateways – 1. Add the Corp-VPN policy

• In your network policy next to Layer 3 IPSec VPN click Choose
• Select Corp-VPN
• Click OK
• Save the Network Policy
• Click Continue

Lab: Two VPN Gateways – 2. Select the router

• Choose the current policy filter and select your router
• Click Update Devices and perform a complete upload

Lab: Two VPN Gateways – 4. Verify the VPN topology

• Wait about 5 minutes
• When the VPNs are established, you can click the VPN Topology link to see live VPN status
• Click Refresh to update the screen

BRANCH ROUTER – WAN INTERFACE NAT PORT FORWARDING

Branch Router WAN Interface – NAT Port Forwarding

• Use port forwarding from a public WAN interface on a branch router to reach a server within a private network

• This works very well for cookie cutter deployments!!

Figure: Branch Router (SR2024as switch with PoE, two APs) with WAN 2.1.1.100, reached from the Internet as http://2.1.1.100:8005
• Web Server1 10.1.1.5 Port 80 (IP #5); Web Server2 10.1.1.6 Port 80 (IP #6)
• NAT Port Forwarding Rules: Outside: 2.1.1.100:8005 Inside: 10.1.1.5:80; Outside: 2.1.1.100:8006 Inside: 10.1.1.6:80

LAB: CONFIGURE BRANCH ROUTER – WAN INTERFACE NAT PORT FORWARDING

LAB: WAN Interface NAT Port Forwarding – 1. Modify the Cookie-Cutter Network

• From your network policy, under VLAN-to-Subnet Assignments for Router Interfaces
› Modify your 10.1.1.0-Employee-X network
› Click the icon and select Edit

LAB: WAN Interface NAT Port Forwarding – 2. Modify the Cookie-Cutter/NAT Network

• Click the link to edit the subnet: 1.1XX.0.0/16

LAB: WAN Interface NAT Port Forwarding – 3. Enable port forwarding

• In the Network Address Translation (NAT) Settings section
• Check Enable port forwarding through the WAN interfaces

LAB: WAN Interface NAT Port Forwarding – 4. View Aerohive Ports

• Click View Aerohive Ports to see the ports that are already in use on Aerohive routers that you cannot use for port forwarding


• In order for port forwarding to work, you must have addresses excluded at the start of the DHCP pool

• For example, if you have a web server at every site that will be the 5th IP address from the start of the pool, e.g. 10.1.1.5, then you must have the DHCP exclusion for the first 5 IP addresses so that 10.1.1.5 can be statically assigned to the web server

NOTE: Always have excludes from the DHCP pool

LAB: WAN Interface NAT Port Forwarding – 5. Create port forwarding rules

• Click New to create a port forwarding rule

LAB: WAN Interface NAT Port Forwarding – 6. Create port forwarding rules

• Destination Port Number: 8005
• Local Host IP Address Position: 1
• Internal Host Port Number: 80
• Traffic Protocol: TCP
• Click Apply

LAB: WAN Interface NAT Port Forwarding – 7. Create port forwarding rules

• Create several more rules

LAB: WAN Interface NAT Port Forwarding – 8. Create port forwarding rules

• Destination Port: 8005 – This is the port clients will use from the Internet to access the internal server: https://WAN-IP:8005
• Click on IP Address Mapping to see how each position maps to an internal cookie-cutter IP address
• Local host IP address
› The position of the IP address from the start of the IP address block
› For /24 subnets, position 1 = .2, position 2 = .3, etc.
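The following is an added Python example, not HiveManager code, that reproduces the position-to-address mapping described above together with the two checks from the earlier steps: the forwarded host must sit inside the addresses excluded from the DHCP pool, and the WAN port must not be one the router already uses. It assumes the lab's WAN address 2.1.1.100 and subnet 10.1.1.0/24; the reserved port set is a constructed stand-in for whatever View Aerohive Ports lists on your router.

```python
import ipaddress

# Constructed lab values: the branch WAN address and the cookie-cutter employee
# subnet come from the slides; the "reserved" port set is only a stand-in for
# the list HiveManager shows under "View Aerohive Ports".
WAN_IP = "2.1.1.100"
SUBNET = "10.1.1.0/24"
RESERVED_PORTS = {22, 443}        # constructed stand-in, not the real list


def position_to_ip(subnet, position):
    """HiveManager's 'Local Host IP Address Position': position 1 is the first
    usable address after the router (.2 in a /24), position 2 is .3, and so on."""
    net = ipaddress.ip_network(subnet)
    if position < 1:
        raise ValueError("positions start at 1")
    host = net.network_address + position + 1
    if host >= net.broadcast_address:
        raise ValueError(f"position {position} lies outside {net}")
    return str(host)


def dhcp_covers_position(position, excluded_first_n):
    """The lab requires the first N addresses of the block to be excluded from
    DHCP; a forwarded host at position p has offset p+1 and must fall inside."""
    return position + 1 <= excluded_first_n


def build_port_forwards(wan_ip, subnet, forwards, excluded_first_n, reserved_ports):
    """forwards: (destination port on WAN, host position, internal port, protocol).
    Returns rules in the 'Outside: ... Inside: ...' form used by the slide and
    refuses rules that collide with reserved ports or with the DHCP pool."""
    rules = []
    seen_outside = set()
    for dst_port, position, int_port, proto in forwards:
        if dst_port in reserved_ports:
            raise ValueError(f"WAN port {dst_port} is already used by the router")
        if (dst_port, proto) in seen_outside:
            raise ValueError(f"duplicate rule for {proto}/{dst_port}")
        if not dhcp_covers_position(position, excluded_first_n):
            raise ValueError(f"position {position} is inside the DHCP pool; "
                             f"exclude at least {position + 1} addresses")
        seen_outside.add((dst_port, proto))
        inside_ip = position_to_ip(subnet, position)
        rules.append({
            "outside": f"{wan_ip}:{dst_port}",
            "inside": f"{inside_ip}:{int_port}",
            "proto": proto,
        })
    return rules


if __name__ == "__main__":
    # Two web servers as on the diagram: 10.1.1.5 (position 4) and 10.1.1.6 (position 5)
    demo = build_port_forwards(WAN_IP, SUBNET,
                               [(8005, 4, 80, "tcp"), (8006, 5, 80, "tcp")],
                               excluded_first_n=6, reserved_ports=RESERVED_PORTS)
    for r in demo:
        print(f"Outside: {r['outside']}  Inside: {r['inside']}  ({r['proto']})")
```

Because the same rule set is pushed to every cookie-cutter branch, a position that is not covered by the DHCP exclusion is a silent failure: on some branch a DHCP client will eventually obtain the server's address and receive the forwarded traffic instead, so the check is made before any rule is emitted.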

LAB: WAN Interface NAT Port Forwarding – 9. Review your port forwarding rules

• Review your port forwarding rules
• Click Save
• Click OK


LAB: WAN Interface NAT Port Forwarding10. Save the network

• Review your Network

• Click Save

• Click OK

LAB: WAN Interface NAT Port Forwarding – 11. Save your Network Policy

• Click Continue to save your Network Policy and proceed to device updates

LAB: WAN Interface NAT Port Forwarding – 12. Select the router

• Choose the current policy filter and select your router
• Click Update Devices and perform a complete upload

LAB: WAN Interface NAT Port Forwarding – 13. Verify port forwarding rules

• Monitor > Routers
• Select your Router
• Click on Utilities > SSH Client
• Click on Connect
• Type: show ip iptables nat


LAB: WAN Interface NAT Port Forwarding14. Verify port forwarding rules

Note: Resize the window to see the port-forwarding rules

• CLI command: sh ip iptables nat

THE MANAGEMENT NETWORK

Aerohive Management Network

• Management Network – Every AP, router, and VPN gateway has a logical management interface for:
› CAPWAP communication with HiveManager;
› cooperative control protocols like AMRP and DNXP;
› and management services like SNMP, SYSLOG, SCP, and SSH.

Figure: BR200 with two APs (one cabled over PoE, one connected by mesh) and an Internet link; each device has an interface mgt0 in VLAN 1 with addresses 172.18.0.1/24, 172.18.0.2/24 and 172.18.0.3/24


Aerohive Management Network

• Management subnets can be assigned to a VLAN within the unified network policy


Aerohive Management Network

• Just like internal networks, management subnets can be partitioned from a parent network and then assigned dynamically by HiveManager.

• Management subnets can also be assigned with device classification.

Aerohive Router Interfaces

Figure: Router interfaces
• Router WAN Port: Eth0 192.168.1.10/24, No VLAN
• Logical IP Interfaces: mgt0 (Management) 172.18.0.1/24 VLAN 1; mgt0.1 10.102.0.1/24 VLAN 102 – Employee; mgt0.2 172.16.102.1/24 VLAN 202 – Guest
• Ethernet Switch Ports Eth1 – Eth4: Layer 2

• Assigned to VLANs and Networks by LAN Profiles

• May be 802.1Q VLAN Trunk ports or access ports

Interfaces mgt0.1 through mgt0.16 may be created, each supporting routing for a different IP network.

ENABLE 802.1Q VLAN TRUNKING ON A LAN PORT

Configuring 802.1Q on a Router Port Policies

Figure: BR100 router and AP connected by an 802.1Q VLAN trunk carrying VLANs 1 (Native), 2, 8, 10
• BR100 Logical IP Interfaces: mgt0 (Management) 172.18.0.1/24 VLAN 1; mgt0.1 10.102.0.1/24 Employee – VLAN 10; mgt0.2 10.202.0.1/24 Voice – VLAN 2; mgt0.3 192.168.83.1/24 Guest – VLAN 8; mgt0.4 172.28.0.1/25 VLAN 1 (Native)
• AP Logical IP Interface: mgt0 (Management) 172.18.0.1/24 VLAN 1; Layer 2 Interfaces: VLAN 1 (Native)
• AP SSIDs: Class-PSK – Employee – VLAN 10; Class-Voice – Voice – VLAN 2; Class-Guest – Guest – VLAN 8

Note: You should define a native network using VLAN 1, which must match the native VLAN configured for the management interface, which by default is 1.

ROUTER STATEFUL FIREWALL POLICY – MORE THAN JUST THE 5-TUPLE

Router Firewall – General Guidelines

• Router firewall is not the same firewall used in User Profiles for Aerohive access points

• Firewall rules are applied in the branch router for both wireless and wired traffic

• The AP firewall can still be used for wireless clients if so desired

• L7 not yet supported in the router firewall

Figure: Branch Router with AP (PoE) and Internet link – Router firewall for wired and wireless traffic; AP firewall for wireless traffic only

Router Firewall – General Guidelines

• Rules are processed top down and the first matching rule is used
• After a rule is matched a stateful session is created using:
› Source IP, Destination IP, IP Protocol, Source Port, Destination Port
› The reverse session is also created for return traffic
• More than just an IP firewall, the router firewall can look at:
› Traffic Source:
» IP Network, IP Range, Network Object, User Profile, VPN, or IP Wildcard
› Traffic Destination:
» IP Network, IP Range, Network Object, VPN, IP Wildcard, Hostname

Aerohive Stateful Firewall

Figure: Inside client 10.5.1.102, Router, Web Server 72.20.106.66 on the Internet; Firewall Policies: Default Action: Deny

HTTP – Initiated from inside the Network to a web server on the Internet
Source IP, Dest IP, Proto, Source Port, Dest Port, Data
10.5.1.102, 72.20.106.66, 6 (TCP), 3456, 80, HTTP Get

HTTP Response is permitted because the firewall in the router is stateful (Shown after NAT)
Source IP, Dest IP, Proto, Source Port, Dest Port, Data
72.20.106.66, 10.5.1.102, 6 (TCP), 80, 3456, HTTP Reply

The stateful firewall engine opens a pinhole for this session, allowing return traffic for this session

Lab: Router Firewall for Guests – 1. Create a Router Firewall Profile

To implement a router firewall

• In your network policy, next to Router Firewall, click Choose

• In Choose Firewall click New

Lab: Router Firewall for Guests – 2. Create a user profile rule

• Enter a Policy Name: Firewall-X
• Configure a user profile-based firewall policy rule
• Select a source: User Profile – Guests-X
• Select a destination: IP Network – 10.0.0.0/255.0.0.0
• Service: [-any-]
• Action: Deny
• Logging: Disable
• Click Apply

Lab: Router Firewall for Guests – 3. Create another user profile rule

Your rule should appear

• Under Policy Rules, click New

• Configure a user profile-based firewall policy rule

• Select a source: User Profile – Guests-X
• Select a destination: IP Network – 172.16.0.0/255.240.0.0
• Service: [-any-]
• Action: Deny
• Logging: Disable
• Click Apply

Lab: Router Firewall for Guests – 4. Create one more user profile rule

Your rule should appear

• Under Policy Rules, click New

• Configure a user profile-based firewall policy rule

• Select a source: User Profile – Guests-X
• Select a destination: IP Network – 192.168.0.0/255.255.255.0
• Service: [-any-]
• Action: Deny
• Logging: Disable
• Click Apply

Lab: Router Firewall for Guests – 5. Create a clean-up allow all rule

Create a clean up rule

• Under Policy Rules, click New

• Configure a user profile-based firewall policy rule

• Select a source: [-any-]
• Select a destination: [-any-]
• Service: [-any-]
• Action: Permit
• Logging: Disable
• Click Apply

Lab: Router Firewall for Guests – 6. Verify your firewall policy rules and save

• Select the radio button for the Default Rule to Deny all
› Note: This is not needed, but it is a good general practice.
• This policy denies access to any private IP address through the router, and allows everything else
• Also, you can drag and drop the rules to change their order
• Click Save
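To make the rule processing and session handling described in the General Guidelines and on the Aerohive Stateful Firewall slide concrete, here is an added Python model (not Aerohive code) of a first-match router firewall with stateful sessions, loaded with the Firewall-X guest rules from this lab and with the inside-initiated HTTP scenario from the stateful firewall slide. The mapping of a client IP to its user profile is an assumption of the model; on the router it comes from the user profile assigned at authentication. The client addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

PROTO_NAMES = {6: "tcp", 17: "udp"}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: int
    sport: int
    dport: int

    def reverse(self):
        """The mirror flow the router installs so return traffic is accepted."""
        return Flow(self.dst_ip, self.src_ip, self.proto, self.dport, self.sport)


@dataclass
class Rule:
    src: str      # user-profile name, IP network (CIDR or netmask form) or "any"
    dst: str      # IP network or "any"
    service: str  # "any" or "<proto>/<dport>", e.g. "tcp/80"
    action: str   # "permit" or "deny"


def _matches(spec, ip, profile):
    if spec == "any":
        return True
    if "/" in spec:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return profile == spec   # otherwise the spec names a user profile


class RouterFirewall:
    def __init__(self, rules, default="deny", profile_of=None):
        self.rules = rules
        self.default = default
        # client IP -> user profile; assumed here, the router learns it at login
        self.profile_of = profile_of or {}
        self.sessions = set()

    def first_match(self, flow):
        """Rules are evaluated top down; the first match decides."""
        src_profile = self.profile_of.get(flow.src_ip)
        svc = f"{PROTO_NAMES.get(flow.proto, flow.proto)}/{flow.dport}"
        for i, r in enumerate(self.rules):
            if (_matches(r.src, flow.src_ip, src_profile)
                    and _matches(r.dst, flow.dst_ip, None)
                    and r.service in ("any", svc)):
                return i, r.action
        return None, self.default

    def handle(self, flow):
        """Session lookup first, then the rule base; a permit opens the pinhole."""
        if flow in self.sessions:
            return "permit (session)"
        _, action = self.first_match(flow)
        if action == "permit":
            self.sessions.add(flow)
            self.sessions.add(flow.reverse())
        return action


# The lab's Firewall-X: guests may not reach private address space, everyone else
# is permitted, default deny. The 192.168.0.0 mask is the one the lab specifies.
GUEST_POLICY = [
    Rule("Guests-X", "10.0.0.0/255.0.0.0", "any", "deny"),
    Rule("Guests-X", "172.16.0.0/255.240.0.0", "any", "deny"),
    Rule("Guests-X", "192.168.0.0/255.255.255.0", "any", "deny"),
    Rule("any", "any", "any", "permit"),
]


def guest_policy_demo():
    # constructed client: a guest on the 192.168.83.0/24 guest network
    fw = RouterFirewall(GUEST_POLICY, profile_of={"192.168.83.20": "Guests-X"})
    return {
        "guest_to_ad_server": fw.handle(Flow("192.168.83.20", "10.5.1.10", 6, 40001, 389)),
        "guest_to_internet": fw.handle(Flow("192.168.83.20", "72.20.106.66", 6, 3456, 80)),
        "employee_to_ad_server": fw.handle(Flow("10.1.1.5", "10.5.1.10", 6, 40002, 389)),
    }


def stateful_demo():
    # Stateful firewall slide: only inside-initiated HTTP is permitted; default deny
    fw = RouterFirewall([Rule("10.5.1.0/24", "any", "tcp/80", "permit")])
    request = Flow("10.5.1.102", "72.20.106.66", 6, 3456, 80)
    return (fw.handle(request),                  # permit, opens the pinhole
            fw.handle(request.reverse()),        # reply permitted by the session
            fw.handle(Flow("72.20.106.66", "10.5.1.102", 6, 80, 9999)))  # no session: deny
```

Two behaviours worth noticing in the model: the order of the guest rules does not matter among themselves because they all deny, but the clean-up permit must stay last, since a first-match engine would otherwise never reach the deny rules; and in the stateful scenario the reply is accepted on the session table alone, so the rule base never has to contain an inbound permit for the web server.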

Lab: Router Firewall for Guests – 7. Create a Router Firewall Profile

• Verify that your Router Firewall is applied:Firewall-X

• Click Save


Remember this? - Routes Learned via OSPF and Between the VA and Branch Routers

• Routers (VPN clients) ask the VPN Gateway for updated route information and provide their own route changes over the VPN tunnel every minute by default using a TCP request

Figure: VPN Gateway at HQ with three BR100 branch routers over Tunnels A, B and C across the Internet
• HQ VPN Gateway (Corporate Network 10.1.0.0/16): Route: 10.1.0.0/16 to Corp Router; Route: 172.28.0.0/24 to VPN tunnel A; Route: 172.28.1.0/24 to VPN tunnel B; Route: 172.28.2.0/24 to VPN tunnel C; Route: 0.0.0.0/0 to Internet Gateway
• BR100 (Tunnel A) – Local network: 172.28.0.0/24; Route: 10.1.0.0/16 through VPN tunnel; Route: 172.28.1.0/24 through VPN tunnel; Route: 172.28.2.0/24 through VPN tunnel; Route: 0.0.0.0/0 to Internet Gateway
• BR100 (Tunnel B) – Local network: 172.28.1.0/24; Route: 10.1.0.0/16 through VPN tunnel; Route: 172.28.0.0/24 through VPN tunnel; Route: 172.28.2.0/24 through VPN tunnel; Route: 0.0.0.0/0 to Internet Gateway
• BR100 (Tunnel C) – Local network: 172.28.2.0/24; Route: 10.1.0.0/16 through VPN tunnel; Route: 172.28.0.0/24 through VPN tunnel; Route: 172.28.1.0/24 through VPN tunnel; Route: 0.0.0.0/0 to Internet Gateway


Router Firewall can be used to block communications between branch offices


WEB PROXY FOR SECURING WEB-BASED TRAFFIC


Cloud Proxy – How does it work?

1. Client makes an HTTP/HTTPS request
2. Aerohive BR checks whether the client network is configured to use web security
3. Aerohive BR confirms the traffic is not destined for resources across the tunnel and is not whitelisted as trusted
4. Traffic is forwarded with the client identity to the cloud security partner and processed based on identity


Web Security Using Websense Cloud Web Proxy

To configure Cloud Web Security, from HiveManager go to Home > Administration > HiveManager Services
• Check the box next to Websense Server Settings
• Check the box next to Enable Websense Server Settings

• Enter the Account ID and Security key that were displayed for your Websense account

• Default Domain: ah-lab.com

• Click Update

Note: The default domain is only used if users do not authenticate to access the network using a mechanism that requires a domain name for login


Web Security Using Websense Cloud Web Proxy

You can use the default Web Security Whitelist to specify safe URLs that do not need to be sent through web security
• Next to Web Security Whitelist, select QS-WebSense-Whitelist
• Click Update

Note: To create your own whitelist, or clone the quick start whitelists to make your own additions, go to: Configuration > Show Nav > Advanced Configuration > Common Objects > Device Domain Objects


Web Security Using Cloud Proxy

To get started with Cloud Web Security, from HiveManager go to Home > Administration > HiveManager Services

• Check the box next to Websense Server Settings

• Click the “here” link to sign up for a free 30-day trial

• Sign up for a free 30-day Websense trial

LAB: CLOUD PROXY

LAB: Cloud proxy – 1. Edit employee network settings

• Cloud Web Proxy is enabled within a Network Policy

• You may only want to enable this service for corporate employees

• Next to your Class-PSK-X SSID, under Network(VLAN) click your network: 10.1.1.0-Employee-X

• Click on the icon to edit your network

LAB: Cloud proxy – 2. Enable web security

• In the network for employees, next to Web Security, select Websense from the drop-down menu
• You can keep the option to Deny all outbound HTTP and HTTPS traffic if connectivity to the web security server is lost
• Click Save and then OK

LAB: Cloud proxy – 3. Edit guest network settings

• Cloud Web Proxy is enabled within a Network Policy

• You may only want to enable this service for corporate employees

• Next to your Class-PSK-X SSID, under Network(VLAN) click your network: 192.168.83.0-Guest-X

• Click on the icon to edit your network

LAB: Cloud proxy – 4. Enable web security

• In the network for employees, next to Web Security, select Websense from the drop-down menu
• You can keep the option to Deny all outbound HTTP and HTTPS traffic if connectivity to the web security server is lost
• Click Save and then OK

LAB: Cloud proxy – 5. Verify web security

• Note that web security is enabled
• Click Continue to save and go to updates

LAB: Cloud proxy – 6. Upload policy to branch router

• Update the configuration of your router
• Click Settings to perform a complete update

TEST CLOUD WEB SECURITY
INSTRUCTOR DEMO – INSTRUCTOR MUST HAVE CONFIGURED THE CLASSROOM ROUTER FOR CLOUD PROXY

Lab: Test LAN Port Web Security – 1. Connect your computer to Eth1 on the Router

• Connect the Ethernet Port 2 of your computer to the ETH2 interface on the router


Lab: Test LAN Port Web Security – 2. Open web browser to a website

• Open a web browser on your remote computer to a respectable website

• You will be redirected to a captive web portal


Lab: Test LAN Port Web Security – 3. Login through the captive web portal

• Enter a user name: lanuser
• Password: Aerohive1
• Click Log In

Lab: Test LAN Port Web Security – 4. Test a web site that is forbidden

• Open a web browser and try going to: www.guns.com

• You should be redirected to a web page informing that you were denied from accessing the site

• This will be denied because the Websense policy used has a rule against sites that provide information about, promote, or support the sale of weapons and related items

Websense Cloud Web Security Policies

• From the Websense Cloud Web Security login, you can set the web categories policies, web content security, and much more...

Note: Here you can see that there is a rule blocking Weapons sites

MISC

Overwrite protection for NetConfig UI WAN settings

• By default, the WAN configuration of a branch router originally set up using the NetConfig UI is protected from being overwritten by updates pushed to it from HiveManager at a later date.
• To disable the NetConfig UI settings protection for the BRs, click Configuration > Devices, select one or multiple BRs, and then click Utilities > Disable NetConfig UI WAN Configuration.

Protects the NetConfig UI based WAN port configuration of BRs and routing devices

THANK YOU – REALLY!!