© 2013 Aerohive Networks CONFIDENTIAL
AEROHIVE CERTIFIED NETWORKING PROFESSIONAL (ACNP)
Introductions
• What is your name?
• What is your organization's name?
• How long have you worked in networking?
• What was your 1st computer?
Facilities Discussion
• Course Material Distribution
• Course Times
• Restrooms
• Break room
• Smoking Area
• Break Schedule
  › Morning Break
  › Lunch Break
  › Afternoon Break
Aerohive Switching & Routing Configuration (ACNP) – Course Overview
Each student connects to HiveManager, a remote PC, and an Aerohive AP over the Internet from their wireless-enabled laptop in the classroom, and then performs hands-on labs that cover the following topics:
• Overview of Switching and Routing Platforms
• Unified Network Policy Management
• Spanning Tree
• Device Templates
• Port Types (802.1Q Ports, Phone and Data Ports, Secure Access Ports, Guest Access Ports and WAN ports)
• Aggregate Channels
• PoE
• VLAN to Network mapping
• Router templates
• Parent networks and branch subnets
• Layer 3 VPN with VPN Gateway Virtual Appliance
• Policy Based Routing
• Router Firewall
• Cookie Cutter Branch Networking
2 Day Hands-on Class
Aerohive Training Remote Lab
• Aerohive Access Points using external antenna connections and RF cables to connect to USB Wi-Fi client cards (black cables)
• Access Points are connected from eth0 to Aerohive Managed Switches with 802.1Q VLAN trunk support, providing PoE to the APs (yellow cables)
• Firewall with routing support, NAT, and multiple Virtual Router Instances
• Access Points are connected from their console port to a console server (white cables)
• Console server to permit SSH access into the serial console of Aerohive Access Points
• Server running VMware ESXi, running Active Directory, RADIUS, NPS and hosting the virtual clients used for testing configurations to support the labs
Aerohive CBT Learning
http://www.aerohive.com/cbt
The 20 Minute Getting Started Video Explains the Details
Please view the Aerohive Getting Started Videos:
http://www.aerohive.com/330000/docs/help/english/cbt/Start.htm
Aerohive Technical Documentation
All the latest technical documentation is available for download at:
http://www.aerohive.com/techdocs
Aerohive Instructor Led Training
• Aerohive Education Services offers a complete curriculum that provides you with the courses you will need as a customer or partner to properly design, deploy, administer, and troubleshoot all Aerohive WLAN solutions.
• Aerohive Certified WLAN Administrator (ACWA) – First-level course
• Aerohive Certified WLAN Professional (ACWP) – Second-level course
• Aerohive Certified Network Professional (ACNP) – Switching/Routing course
• www.aerohive.com/training – Aerohive Class Schedule
Over 20 books about networking have been written by Aerohive Employees
• CWNA Certified Wireless Network Administrator Official Study Guide by David D. Coleman and David A. Westcott
• CWSP Certified Wireless Security Professional Official Study Guide by David D. Coleman, David A. Westcott, Bryan E. Harkins and Shawn M. Jackman
• CWAP Certified Wireless Analysis Professional Official Study Guide by David D. Coleman, David A. Westcott, Ben Miller and Peter MacKenzie
• 802.11 Wireless Networks: The Definitive Guide, Second Edition by Matthew Gast
• 802.11n: A Survival Guide by Matthew Gast
• 802.11ac: A Survival Guide by Matthew Gast
Aerohive Exams and Certifications
• Aerohive Certified Wireless Administrator (ACWA) is a first-level certification that validates your knowledge and understanding of Aerohive Networks' WLAN Cooperative Control Architecture. (Based upon Instructor Led Course)
• Aerohive Certified Wireless Professional (ACWP) is the second-level certification that validates your knowledge and understanding about Aerohive advanced configuration and troubleshooting. (Based upon Instructor Led Course)
• Aerohive Certified Network Professional (ACNP) is another second-level certification that validates your knowledge about Aerohive switching and branch routing. (Based upon Instructor Led Course)
Aerohive Forums
• Aerohive's online community – HiveNation
  Have a question, an idea or praise you want to share? Join the HiveNation Community - a place where customers, evaluators, thought leaders and students like yourselves can learn about Aerohive and our products while engaging with like-minded individuals.
• Please take a moment and register during class if you are not already a member of HiveNation.
  Go to http://community.aerohive.com/aerohive and sign up!
Aerohive Social Media
The HiveMind Blog: http://blogs.aerohive.com
Follow us on Twitter: @Aerohive
• Instructor: David Coleman: @mistermultipath
• Instructor: Bryan Harkins: @80211University
• Instructor: Gregor Vucajnk: @GregorVucajnk
• Instructor: Metka Dragos: @MetkaDragos
Please feel free to tweet about #Aerohive training during class.
Aerohive Technical Support – General
I want to talk to somebody live. Call us at 408-510-6100 / Option 2. We also provide service toll-free from within the US & Canada by dialing (866) 365-9918. Aerohive has Support Engineers in the US, China, and the UK, providing coverage 24 hours a day.
How do I buy Technical Support?
Support Contracts are sold on a yearly basis, with discounts for multi-year purchases. Customers can opt to purchase Support in either 8x5 format or in a 24 hour format.
I have different expiration dates on several Entitlement keys; may I combine all my support so it all expires on the same date?
Your Aerohive Sales Rep can help you set up Co-Term, which allows you to select matching expiration dates for all your support.
Aerohive Technical Support – The Americas
How do I reach Technical Support?
Aerohive Technical Support is available 24 hours a day, via the Aerohive Support Portal or by calling. For the Support Portal, an authorized customer can open a Support Case. Communication is managed via the portal with new messages and replies. Once the issue is resolved, the case is closed, and can be retrieved at any time in the future.
I want to talk to somebody live. For those who wish to speak with an engineer, call us at 408-510-6100 / Option 2. We also provide service toll-free from within the US & Canada by dialing (866) 365-9918.
I need an RMA in The Americas
An RMA is generated via the Support Portal, or by calling our Technical Support group. After troubleshooting, should the unit require repair, we will overnight* a replacement to the US and Canada. Other countries are handled as international. If the unit is DOA, it's replaced with a brand new item; if not, it is replaced with a like-new refurbished item.
*Restrictions may apply: time of day, location, etc.
Aerohive Technical Support – International
How do I get Technical Support outside The Americas?
Aerohive international Partners provide dedicated Technical Support to their customers. The Partner has received specialized training on Aerohive Networks' product line, and has access to 24 hour internal Aerohive Technical Support via the Support Portal, or by calling 408-510-6100 / Option 2.
I need an RMA internationally
International customers' defective units are quickly replaced by our Partners, and Aerohive replaces the Partner's stock once the defective unit arrives at our location. Partners are responsible for all shipping charges, duties, taxes, etc.
Copyright Notice
Copyright © 2013 Aerohive Networks, Inc. All rights reserved.
Aerohive Networks, the Aerohive Networks logo, HiveOS, Aerohive AP, HiveManager, and GuestManager are trademarks of Aerohive Networks, Inc. All other trademarks and registered trademarks are the property of their respective companies.
QUESTIONS?
Overview of hardware and software platforms
SWITCHING & ROUTING PRODUCT LINE
Aerohive Switching Platforms
• SR2124P
  › 24 Gigabit Ethernet ports
  › 4 ports 1G SFP uplinks
  › 24 PoE+ (408 W)
  › 128 Gbps switching
  › Routing with 3G/4G USB support and line rate switching
  › Redundant power supply capable
• SR2148P
  › 48 Gigabit Ethernet ports
  › 4 ports 10G SFP/SFP+ uplinks
  › 48 PoE+ (779 W)
  › 176 Gbps switching
  › Routing with 3G/4G USB support and line rate switching
  › Redundant power supply capable
• SR2024P
  › 56 Gbps switching
  › 24 PoE+ (195 W)
  › Single power supply
  › Switching only
Class Switches Deployed in Data Center
• SR2024
  › Line Rate Layer 2 Switch
  › 8 Ports of PoE
  › Multi-authentication access ports
    » 802.1X with fallback to MAC auth or open
  › Client Visibility
    » View client information by port
  › RADIUS Server
  › Internet Router
  › DHCP Server
  › USB 3G/4G Backup
  › Policy-based routing with Identity
[Diagram: SR2024 with PoE ports to APs, an Internet uplink and a 3G/4G LTE backup link]
Provides Access For:
• Employees
• Guests
• Contractors
• Phones
• APs
• Servers
Note: The switch model (2024) used in the lab has been superseded by improved models.
HiveManager Form Factors
• Express Mode
  › Optimized for ease of use
  › Uniform company-wide policy
  › One user profile per SSID
• Enterprise Mode
  › Enterprise sophistication
  › Multiple Network policies
  › Multiple user profiles/SSID
• HiveManager Appliance 2U
  › Redundant power & fans
  › HA redundancy
  › 5000 APs
• HiveManager Virtual Appliance
  › VMware ESX & Player
  › HA redundancy
  › 1500 APs with minimum configuration
• HiveManager Appliance
  › Redundant power & fans
  › HA redundancy
  › 8000 APs
• HiveManager Virtual Appliance
  › VMware ESX & Player
  › HA redundancy
  › 5000 APs with minimum configuration
• HiveManager Online
  › Cloud-based SaaS management
Seamless Upgrade Path
• Increasing deployment size
• Increasing network complexity
Features: Topology Reporting, Heat Maps, SLA Compliance, RF Planner, SW, Config, & Policy, Guest Mgmt
HiveManager Appliance
HiveManager Databases
Aerohive Routing Platforms
Slide table, columns: BR 100, BR 200, AP 330, AP 350
• Single Radio / Dual Radio
• 2X 10/100/1000 Ethernet
• 5-10 Mbps FW/VPN
• 30-50 Mbps FW/VPN
• 1x1 11bgn / 3x3:3 450 Mbps 11abgn
• 5X 10/100 / 5X 10/100/1000
• 0 PoE PSE / 0 PoE PSE / 2X PoE PSE
* Also available as a non-Wi-Fi device
L3 IPSec VPN Gateway: ~500 Mbps VPN, 4000/1024 Tunnels, Physical/Virtual VPN Gateways
BR100 vs. BR200
BR100                                  | BR200/BR200WP
5x FastEthernet                        | 5x Gigabit Ethernet
1x1 11bgn (2.4 GHz) single radio       | 3x3:3 11abgn dual-band single radio (WP)
No integrated PoE                      | PoE (in WP model)
No console port                        | Console port
No Spectrum Analysis                   | Integrated Spectrum Analysis (WP)
No Wireless Intrusion Detection        | Full Aerohive WIPS (WP)
No local RADIUS or AD integration      | Full Aerohive RADIUS, proxy, and AD
No SNMP logging                        | SNMP support
Aerohive AP Platforms
Slide grid comparing AP170, AP390, AP230, AP121, AP330, AP350, AP141 and AP370*; cells as extracted:
• 2x2:2 300 Mbps 11n High Power Radios
• 1X Gig.E
• -40 to 55°C
• PoE (802.3at)
• N/A
• Outdoor
• Water Proof (IP 68)
• AP170
• 2X Gig.E w/ PoE Failover
• 3x3:3 450 + 1300 Mbps High Power Radios
• Dual Radio 802.11ac/n
• Plenum/Plenum Dust Proof
• -20 to 55°C
• AP390
• Indoor Industrial
• Dual Radio 802.11n
• AP230
• Dual Radio 802.11n
• 2X Gig.E - 10/100 link aggregation
• -20 to 55°C
• 0 to 40°C
• 3x3:3 450 Mbps High Power Radios
• TPM Security Chip
• PoE (802.3af + 802.3at) and AC Power
• Indoor Industrial
• Indoor
• Plenum/Dust
• Plenum Rated
• AP121, AP330, AP350
• 1X Gig.E
• 2x2:2 300 Mbps High Power Radios
• USB for 3G/4G Modem
• AP141
• USB for future use
• Indoor
• 2X Gig.E w/ link aggregation
• Plenum Rated
• 0 to 40°C
• USB for future use
• AP370*
* Includes 5 GHz Transmit Beamforming and in 2.4 GHz has TurboQAM
VPN Gateway Virtual Appliance
• Supports the following
  › GRE Tunnel Gateway
  › L2 IPSec VPN Gateway
  › L3 IPSec VPN Gateway
  › RADIUS Authentication Server
  › RADIUS Relay Agent
  › Bonjour Gateway
  › DHCP server
• Use a VPN Gateway Virtual Appliance instead of an AP when higher scalability for these features is required
Function                                        | Scale
VPN Tunnels                                     | 1024 Tunnels
RADIUS – Local users per VPN Gateway            | 9999
# Users Cache (RADIUS Server)                   | 1024
# Simultaneous (RADIUS Server) authentications  | 256
VPN Gateway Physical Appliance
• Supports the following
  › GRE Tunnel Gateway
  › L2 IPSec VPN Gateway
  › L3 IPSec VPN Gateway
  › RADIUS Authentication Server
  › RADIUS Relay Agent
  › Bonjour Gateway
  › DHCP server
• Use a VPN Gateway Appliance instead of an AP when higher scalability for these features is required
Function                                        | Scale
VPN Tunnels                                     | 4000 Tunnels
RADIUS – Local users per VPN Gateway            | 9999
# Users Cache (RADIUS Server)                   | 1024
# Simultaneous (RADIUS Server) authentications  | 256
Ports: one 10/100/1000 WAN port; four LAN ports, two of which support PoE
QUESTIONS?
Lab Infrastructure
[Diagram: Lab infrastructure with Core, Distribution and Access layers; each student space (Student 2 to Student X) has an SR2024 access switch with a PC and a PoE-powered AP; the instructor space holds HiveManager]
Router interfaces:
• VLAN 1 ip address 10.100.1.1/24
• VLAN 2 ip address 10.100.2.1/24
• VLAN 8 ip address 10.100.8.1/24
• VLAN 10 ip address 10.100.10.1/24
SWITCHING
Lab: Setting up a Wireless Network – 1. Connect to the Hosted Training HiveManager
• Securely browse to the appropriate HiveManager for class
  › TRAINING LAB 1: https://training-hm1.aerohive.com or https://72.20.106.120
  › TRAINING LAB 2: https://training-hm2.aerohive.com or https://72.20.106.66
  › TRAINING LAB 3: https://training-hm3.aerohive.com or https://209.128.124.220
  › TRAINING LAB 4: https://training-hm4.aerohive.com or https://203.214.188.200
  › TRAINING LAB 5: https://training-hm5.aerohive.com or https://209.128.124.230
• Supported Browsers:
  › Firefox, Internet Explorer, Chrome, Safari
• Class Login Credentials:
  › Login: adminX (X = Student ID 2 - 29)
  › Password: aerohive123
NOTE: In order to access the HiveManager, someone at your location needs to enter the training firewall credentials given to them by the instructor first.
Lab: Setting Up a Wireless Network – 2. Create a Network Policy
• Go to Configuration
• Click the New Button
Lab: Setting Up a Wireless Network – 3. Enable network policy options
• Name: Access-X
• Check the options for
  › Wireless Access
  › Switching
  › Bonjour Gateway
• Click Create
• Note, enabling Branch Routing:
  » Enables L3 VPN Configuration
  » Disables L2 VPN Configuration
  » Enables L3 Router Firewall Policy
  » Enables Policy-Based Routing with Identity
  » Enables Router configuration settings in Additional Settings
Network Policy Components
• Wireless Access – Use when you have an AP-only deployment, or you require specific wireless policies for APs in a mixed AP and router deployment
• Branch Routing – Use when you are managing routers, or APs behind routers that do not require different Network Policies than the router they connect through
[Diagram: Small Branch Office or Teleworker Site (BR100 with Internet uplink and 3G/4G LTE backup) beside a Small to Medium Size Branch Office that may have APs behind the router (BR200 with Internet uplink, 3G/4G LTE backup, PoE-connected and mesh APs)]
Network Policy Components
• Bonjour Gateway
  › Allows Bonjour services to be seen in multiple subnets
• Switching
  › Used to manage wired traffic using Aerohive Switches
[Diagram: SR2024 switch with PoE-connected APs, an Internet uplink and a 3G/4G LTE backup link]
Lab: Setting Up a Wireless Network – 4. Create a New SSID Profile
Network Configuration
• Next to SSIDs click Choose
• Then click New
Lab: Setting Up a Wireless Network – 5. Configure Employee SSID
• SSID Profile: Class-PSK-X (X = 2 – 29, Student ID)
• SSID: Class-PSK-X
• Select WPA/WPA2 PSK (Personal)
• Uncheck the Obscure Password checkbox
• Key Value: aerohive123
• Confirm Value: aerohive123
• Click Save
• Click OK
For all labs, please follow the class naming convention.
Lab: Setting Up a Wireless Network – 6. Create a User Profile
• To the right of your SSID, under User Profile, click Add/Remove
In Choose User Profiles
• Click the New button
Lab: Setting Up a Wireless Network – 7. Define User Profile Settings
• Name: Employee-X
• Attribute Number: 10
• Default VLAN: From the drop down box, select Create new VLAN, type: 10
• Click Save
Lab: Setting Up a Wireless Network – 8. Choose User Profile and Save
• Ensure Employee-X User Profile is highlighted
• Click Save
Lab: Setting Up a Wireless Network – 9. Review your policy and save
• From the Configure Interfaces & User Access bar, click Save
SPANNING TREE BEHAVIOR
How loops happen
1. Client sends broadcast such as ARP request
2. Switch A forwards packet on all interfaces, except source interface
3. Switch B receives the broadcast twice, but does not know it is the same broadcast. It forwards the broadcast from interface 1 on interface 24 and vice versa
4. Switch A again receives the broadcast twice and does the same as Switch B (it also sends both broadcasts back to the client)
5. Rinse and repeat. The broadcast never leaves the network
[Diagram: Switch A and Switch B connected by two parallel links, with the client attached to Switch A]
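The loop above, as an added flood simulation that is not part of the course material: Switch A has the client on port 2 (an assumption) and two parallel links to Switch B on ports 1 and 24, as in the slide, and each round is one hop of flooding. Putting one of B's redundant ports into the blocking state, as spanning tree would, is what makes the broadcast die out.

```python
from collections import deque

# Added example, not from the course material: a toy flood simulation of the
# two-switch loop in the slide. Switch A has the client on port 2 (assumed) and
# two parallel links to Switch B on ports 1 and 24, as the slide describes.
# A "round" is one hop: every frame in flight is received and flooded once.


def build_topology(block_b_port_24=False):
    """Return {switch: {port: peer}} and the set of (switch, port) in STP blocking."""
    ports = {
        "A": {2: "client", 1: ("B", 1), 24: ("B", 24)},
        "B": {1: ("A", 1), 24: ("A", 24)},
    }
    # Spanning tree would leave one of the redundant links blocked; here the
    # blocked port is chosen by hand instead of by a root-bridge election.
    blocked = {("B", 24)} if block_b_port_24 else set()
    return ports, blocked


def flood(ports, blocked, ingress, rounds):
    """Simulate one client broadcast entering at ingress = (switch, port).

    Returns one (frames_in_flight, frames_back_to_client) pair per round and
    stops early once nothing is left in flight.
    """
    queue = deque([ingress])
    history = []
    for _ in range(rounds):
        if not queue:
            break
        next_round = deque()
        to_client = 0
        while queue:
            switch, in_port = queue.popleft()
            if (switch, in_port) in blocked:
                continue  # a blocked port discards the data frames it receives
            for out_port, peer in ports[switch].items():
                if out_port == in_port or (switch, out_port) in blocked:
                    continue  # never out the ingress port, never out a blocked port
                if peer == "client":
                    to_client += 1
                else:
                    next_round.append(peer)
        history.append((len(next_round), to_client))
        queue = next_round
    return history


def simulate(block_b_port_24=False, rounds=10):
    ports, blocked = build_topology(block_b_port_24)
    return flood(ports, blocked, ("A", 2), rounds)


if __name__ == "__main__":
    print("no STP :", simulate())      # two frames stay in flight every round; never ends
    print("STP    :", simulate(True))  # dies out after the second hop
```

Without a blocked port the two copies keep circulating and the client receives them back every other round; with B's port 24 blocked the history ends after two rounds with nothing in flight.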
Spanning Tree
Easy to solve, right? Just disconnect one cable…
But now there is no redundancy… Have no fear!
There was once a loop to be,
In a redundant path for everyone to see.
The packets went round and round,
Until a new sheriff was found.
His name? Well, Spanning Tree!
Spanning Tree
So what does the Spanning Tree Protocol (STP) do? High level overview:
1. All interfaces are blocked (for non-STP traffic) while the switches elect a root bridge (switch)
2. After the root bridge is elected, switches calculate the lowest cost path to the root bridge
3. Unblock corresponding ports and keep redundant ports blocked
4. If an active link fails, unblock the redundant port
[Diagram: root bridge ("I am root!") reached over a 1 Gbit link (cost 20,000) and a 100 Mbit link (cost 200,000); the root doesn't have to calculate a path]
Spanning Tree – extra reading
Found in the class materials: Spanning-Tree-Overview.pptx
• STP
• RSTP
• MSTP
• (R)PVST
Switch Spanning Tree Settings
• By default, spanning tree is disabled on Aerohive switches
  › Why?
  › If you plug an edge switch into a network, and the switch priority is a lower number (higher priority) on our switch than what is configured on the existing network, our switch will become the root switch
  › This means that the optimal path and links that are available through a network will be chosen based on getting to your edge switch!
  › This most likely is not what a customer wants to do! ;-)
• What is the downside of not enabling spanning tree by default?
  › If you plug two cables from our switch to the distribution switch network, and the ports are not configured as an aggregate, you can cause a loop!
  › This is far less of a concern than enabling spanning tree by default and possibly rerouting all traffic through our switch, so we disable spanning tree by default
Verify Existing Network – Spanning Tree Priorities
• Before installing an Aerohive switch into an existing switch network, have the company determine the root switch and backup root switch priority
• Ensure our spanning tree priority is set to a higher number
• For example, on a Cisco Catalyst switch you can type:

  CS-Dist-2#show spanning-tree

  MST0
    Spanning tree enabled protocol mstp
    Root ID    Priority    12288
               Address     000f.23b9.0d80
               Cost        0
               Port        25 (GigabitEthernet0/1)
               Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

    Bridge ID  Priority    16384  (priority 16384 sys-id-ext 0)
               Address     001f.274c.5180
               Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Interface           Role Sts Cost      Prio.Nbr Type
  ------------------- ---- --- --------- -------- -----
  Fa0/24              Desg FWD 200000    128.24   P2p
  Gi0/1               Root FWD 200000    128.25   P2p
Verify Existing Network – Spanning Tree Priorities
• Here you can see the Root Priority is: 12288
• The switch this command is run on shows a priority of 16384
• So most likely our switch default priority of 32768 will not cause any harm
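The check the slides describe, as an added example (not Aerohive's or Cisco's code): parse the Root ID and Bridge ID out of the show spanning-tree output above and decide whether a switch with a given priority and MAC would win the root election. A bridge ID compares priority first and MAC second (lower wins), so an equal priority is decided by the MAC; the candidate MAC 02:00:00:00:00:01 is a constructed, locally administered placeholder.

```python
import re

# Added example, not part of the course material: parse the 'show spanning-tree'
# output from the slide and check whether a switch we are about to plug in would
# win the root election. Bridge IDs compare priority first, then MAC address
# (lower wins), so a priority tie is decided by the MAC.

# Output copied from the slide (Cisco Catalyst, MST instance 0).
SAMPLE_OUTPUT = """\
CS-Dist-2#show spanning-tree

MST0
  Spanning tree enabled protocol mstp
  Root ID    Priority    12288
             Address     000f.23b9.0d80
             Cost        0
             Port        25 (GigabitEthernet0/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    16384  (priority 16384 sys-id-ext 0)
             Address     001f.274c.5180
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
"""

# With sys-id-ext 0 (as in the sample) the displayed priority is the value that
# takes part in the comparison; on per-VLAN instances the VLAN/instance ID is
# added to the configured priority, which these regexes read as displayed.
ROOT_RE = re.compile(r"Root ID\s+Priority\s+(\d+)\s+Address\s+([0-9a-fA-F.:]+)")
BRIDGE_RE = re.compile(
    r"Bridge ID\s+Priority\s+(\d+)\s+(?:\(.*?\)\s+)?Address\s+([0-9a-fA-F.:]+)"
)


def mac_to_int(mac):
    """Accept Cisco dotted (000f.23b9.0d80) or colon form; compare as a 48-bit int."""
    digits = mac.replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac}")
    return int(digits, 16)


def parse_show_spanning_tree(text):
    """Return root and local bridge priority/MAC from one instance's output."""
    root, bridge = ROOT_RE.search(text), BRIDGE_RE.search(text)
    if not root or not bridge:
        raise ValueError("Root ID / Bridge ID block not found")
    return {
        "root_priority": int(root.group(1)),
        "root_mac": mac_to_int(root.group(2)),
        "bridge_priority": int(bridge.group(1)),
        "bridge_mac": mac_to_int(bridge.group(2)),
    }


def would_become_root(new_priority, new_mac, stp):
    """True if a switch with this bridge ID would displace the current root."""
    return (new_priority, mac_to_int(new_mac)) < (stp["root_priority"], stp["root_mac"])


if __name__ == "__main__":
    stp = parse_show_spanning_tree(SAMPLE_OUTPUT)
    print(stp)
    for prio in (32768, 16384, 12288, 8192):
        # Constructed placeholder MAC for the new edge switch.
        print(prio, "would become root:", would_become_root(prio, "02:00:00:00:00:01", stp))
```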
Lab: Enable Spanning Tree – 1. Enable Spanning Tree
From the network policy that has switching enabled
• Go to Additional Settings and click Edit
Lab: Enable Spanning Tree – 2. Enable RSTP
Enable Rapid Spanning Tree
• Expand Switch Settings
• Expand STP Settings
• Check the box to Enable STP (Spanning Tree Protocol)
• Select the radio button to enable RSTP (Rapid Spanning Tree)
• Click Save
Lab: Enable Spanning Tree – 3. Save your Network Policy
• From the Configure Interfaces & User Access bar, click Save
Spanning Tree – Switch specific settings
More detailed Spanning Tree settings can be configured on an individual switch in device level settings should that be required.
DEVICE TEMPLATES FOR DEFINING SWITCH PORT SETTINGS
Device Templates
• HiveManager Device Templates are used to assign switches at the same or different sites a common set of port configurations
• For example, ports 1 and 2 are for APs, ports 3-6 are for phones, etc.
[Diagram: HiveManager applies an SR2024 switch device template to the access/edge SR2024 switches (PoE to APs) connected to the distribution layer]
Device Templates
• Device templates are used to define ports for the same device, devices with the same number of ports, and device function
• Device templates do not set device function, i.e. switch, router, or AP, but will only match devices configured with the matching function
• You configure a device's function in the device-specific configuration
Apply to SR2024 switches configured as switches
Apply to SR2024 switches configured as routers. Requires a WAN port – icon depicted as a cloud
Device Templates – For Devices Requiring Different Port Settings
• If devices require different port configurations for the same type of device and function, you can
  › 1. Configure device classification tags to have different device templates for different devices
  › 2. Create a new network policy with a different device template
[Diagram: two SR2024 switches (PoE to APs); the "SR2024 as Switch" template applies to Default Sites, and a separate "SR2024 as Switch – Small Sites" template applies to devices carrying the Device Classification Tag "Small Site"]
Note: The switch model (2024) used in the lab has been superseded by improved models.
CONFIGURE DEVICE TEMPLATES FOR DEFINING SWITCH PORT SETTINGS
Lab: Configure Device Templates – 1. Create device template
• Next to Device templates, click Choose
• Click New
Lab: Configure Device Templates – 2. Create switch template
• Name: SR2024-Default-X
• Click Device Models
• Select SR2024
• Click OK
• For SR2024, when functioning as:
  › Select Switch
• Click Save
Note: Here you are not setting the SR2024 to function as a switch. Instead, you are only specifying that this template applies to SR2024s when they are configured to function as a switch. The switch/router function is configured in switch device settings.
Note: You only see Switch as an option and not Switch and Router, because Routing was not enabled in the selection box when creating this Network Policy.
Lab: Configure Device Templates – 3. Save switch template
• Ensure your device template is selected and click OK
• The device template will appear in the Device Templates section
• You can show or hide the individual device template by clicking the triangle
Shows you that this is a template for your switch as a switch
Lab: Configure Device Templates – 4. Save your Network Policy
• From the Configure Interfaces & User Access bar, click Save
LINK AGGREGATION
Lab Infrastructure – Aggregate Links for Connection to Distribution
Aggregate is statically configured, similar to EtherChannel.
There is no LACP (Link Aggregation Control Protocol) in this release.
• You can have 8 ports in one channel
  › The ports do not have to be contiguous
• Every port on the SR2024 can be configured into port channels except the USB and console port
• The switch hardware creates a hash of the header fields in frames selected for load balancing, to determine which port in an aggregate a frame is sent on
  › Load balancing options are:
    » Source & Destination MAC, IP, and Port
    » Source & Destination IP and Port
    » Source & Destination IP
    » Source & Destination MAC
[Diagram: SR2024 with a PC and an AP, and aggregated links up to the distribution switches]
Lab Infrastructure – Aggregate Links for Connection to Distribution
• Load balancing of broadcast, multicast, and unknown unicast traffic between ports in an aggregate is based on Src/Dst MAC/IP.
• You cannot configure an 802.1X port in an EtherChannel
• MAC learning is on the port channel port, instead of the member port
• Only ports with the same physical media type and speed can be grouped into one aggregate.
• Supports LLDP per port but not per channel
[Diagram: SR2024 with a PC and an AP, and aggregated links up to the distribution switches]
Lab Infrastructure – Do not do this with aggregates
• In this case, distribution switch 1 and switch 2 will see the same MAC addresses and cause MAC flapping
  › i.e. traffic from PC A, for example, might be load balanced to Switch 1 and Switch 2
• In this case, there will also be a loop!
• Aggregates must be built between a pair of switches only!
[Diagram: SR2024 (with PC and AP) whose Aggregate 1 is split between Distribution Switch 1 and Distribution Switch 2]
AGGREGATION – CONFIGURATION EXAMPLE
Aggregate Links for Switch Connections to Distribution Layer Switches
Each access switch will have two aggregates:
• Aggregate 1: Port 17, 18
• Aggregate 2: Port 19, 20
These ports are not connected in this classroom; this is only a configuration example.
[Diagram: Core, Distribution and Access layers; the SR2024 access switch (PC, PoE-powered AP) uplinks to the distribution switches through the aggregates; ESXi Server and HMOL are attached to the distribution layer]
Lab: Link Aggregation – 1. Select ports 17 and 18
Select ports that will be used to connect to the distribution layer switches (example only, aggregates are not used in class)
NOTE: It is recommended not to use the first 8 ports on the SR2024, which provide PoE.
• Select ports 17 and 18
• Check the box for Aggregate selected ports…
• Enter 1
• Click Configure
Lab: Link Aggregation – 2. Create Trunk Port policy
• Click New
• Name: Trunk-X
• Port Type: 802.1Q
• QoS Classification: Trusted Traffic Source
  Note: This means we are trusting the upstream network infrastructure markings
  › Map to DSCP or 802.1p
• QoS Marking: Map Aerohive..
  › Map to DSCP or 802.1p
• Click Save
Lab: Link Aggregation – 2. Save Trunk Port policy
• Ensure that Trunk-X is selected, click OK
Lab: Link Aggregation – 3. Select ports 19 and 20
• Select ports 19 and 20
• Check Aggregate selected ports… and enter 2
Lab: Link Aggregation – 4. Assign Trunk policy
• Click Configure
• For Choose port type, select the 802.1Q trunk that you created previously: Trunk-X
• Click OK
Lab: Link Aggregation – 5. Review port settings
Port 17, 18, 19, and 20 will now display an 802.1Q trunk icon and should all appear the same, even though there are two different aggregates
Lab: Link Aggregation – 6. Save your Network Policy
• From the Configure Interfaces & User Access bar, click Save
CONFIGURE UPLINKS USED IN THE CLASSROOM
Classroom Links for Switch Connections to Distribution Layer Switches
For the class, we are going to configure single uplinks without aggregation to connect to the distribution switches
• Single Uplinks : Port 23, 24
Port 23 will be connected to Distribution switch 1, and port 24 will be connected to Distribution switch 2
[Diagram: Core, Distribution and Access layers; the SR2024 access switch (PC, PoE-powered AP) with single uplinks to the distribution switches; ESXi Server, HMOL and a 3CX IP PBX at 10.100.1.? are attached]
Lab: Configure Uplink Ports – 1. Select Ports 23 and 24
Select ports that will be used to connect to the distribution layer switches
• Select ports 23 and 24
• Click Configure
Lab: Configure Uplink Ports – 2. Assign port policy and save
• For Choose port type, select the 802.1Q trunk that you created previously: Trunk-X
• Click OK
• Ports 23 and 24 should now be the same color as the other Trunk ports
Lab: Configure Uplink Ports – 3. Save your Network Policy
• From the Configure Interfaces & User Access bar, click Save
CONFIGURE PORTS FOR APS
Lab Infrastructure – Configure PoE Ports for APs
Configure two of the PoE ports for APs
• Use Port 1 and 2 for APs
NOTE: For class there is an AP connected to port 1 of every switch
[Diagram: Core, Distribution and Access layers; the SR2024 access switch has PoE ports feeding two APs and IP Phones; ESXi Server and HMOL are attached]
Lab: Configure Access Point ports – 1. Select ports 1 and 2
Select ports that will be used to connect to APs
NOTE: The first 8 ports on an SR2024 provide power
• Select ports 1 and 2
• Click Configure
Lab: Configure Access Point ports – 2. Create Trunk Policy
• Click New
• Name: AP-Trunk-X
• Port Type: 802.1Q
• QoS Classification: Trusted Traffic Source
  Note: This means we are trusting the upstream network infrastructure markings
  › Map to DSCP or 802.1p
• QoS Marking: Map Aerohive..
  › Map to DSCP or 802.1p
• Click Save
Lab: Configure Access Point ports – 3. Assign AP-Trunk Policy to ports 1 and 2
• Ensure that AP-Trunk-X is selected
• Click OK
• Ports 1 and 2 will now display an 802.1Q trunk icon, but this time a power symbol appears as well because ports 1 through 8 can provide power
• Notice that ports 1 and 2 are a different color because they have a different port policy than the other ports
Lab: Configure Access Point ports – 3. Save your Network Policy
• From the Configure Interfaces & User Access bar, click Save
CONFIGURE POWER SOURCING EQUIPMENT (PSE) PORTS FOR POWER OVER ETHERNET (POE)

PoE Overview
• PoE standards define the capabilities of the power sourcing equipment (PSE) and the powered device (PD).
• The PSE is an Aerohive switch. Aerohive access points would be considered PDs.
• The 802.3af PoE standard defines 15.4 Watts from the PSE.
• All 802.11n Aerohive APs will work with 802.3af; CAT5e cabling or better is required.
• The maximum draw of an Aerohive AP-330 is 14.95 Watts.

PoE Overview
• The 802.3at standard (PoE+) defines 32 Watts from the PSE.
• The 802.11ac Aerohive AP230 is fully functional using 802.3af.
• However, the older 802.11ac Aerohive APs (AP370 and AP390) require PoE+ for full functionality.
• The AP370 and AP390 will function with 802.3af PoE; however, the 80 MHz channel capability is restricted.

PoE Power Budgets
• Careful PoE power budget planning is a must.
• Access points will randomly reboot if a power budget has been exceeded and the APs cannot draw their necessary power.
• Switch power budgets:
  › SR2024P: 24 PoE+ ports (195 W)
  › SR2124P: 24 PoE+ ports (408 W)
  › SR2148P: 48 PoE+ ports (779 W)
Lab: Configure PoE ports – 1. Select additional port settings
• Select Additional Port Settings to configure:
  › Port Channel Load-Balance Mode Settings
  › PoE port (PSE) Settings
Note: The Additional Port Settings link is available only if no ports are currently selected

Lab: Configure PoE ports – 2. Aggregate channel settings
• For Port Channel Load-Balance Mode, select the frame headers that will be hashed to determine which port of the channel a frame egresses
  › NOTE: If you are testing with a single client, especially for a demo, the more fields you hash, the better the chance that frames egress multiple ports

Lab: Configure PoE ports – 3. PSE settings
• Expand PSE Settings
• Because only the first two ports have been configured, you will only be able to configure PSE (provides PoE) on the first two ports
• Next to Eth1/1, click +
Lab: Configure PoE ports – 4. PSE settings
• Name: af-high-X
• Power Mode: 802.3af
• Power Limit: 15400 mW
• Priority: high
• Save
Note: The default PoE port setting is 802.3at (PoE+). Power priority can be low, high or critical.
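To see why the af-high-X profile matters against the budgets on the PoE Power Budgets slide, here is an added Python model (not Aerohive code and not HiveManager's actual allocation algorithm) that reserves each port's configured PSE limit against a switch budget in priority order. The 15.4 W / 32 W / 195 W figures are from the slides; the static worst-case reservation, the critical > high > low ordering and the af-low-X and default profiles are assumptions of the model.

```python
"""Static PoE budget check for PSE port profiles (added example, not Aerohive code).

Figures from the slides: an 802.3af profile reserves 15.4 W (15400 mW) per port,
802.3at (PoE+) is shown as 32 W, the switch default profile is 802.3at, and an
SR2024P has a 195 W budget over 24 PoE+ ports. Assumptions of this model: the PSE
reserves each port's configured limit (worst case, a PD on every port), grants
power in priority order critical > high > low and then by port number, and a port
whose reservation no longer fits the remaining budget gets no power at all.
"""
from dataclasses import dataclass

PRIORITY_RANK = {"critical": 0, "high": 1, "low": 2}   # assumed allocation order
W_802_3AF_MW = 15400        # 802.3af per-port limit from the slides
W_802_3AT_MW = 32000        # 802.3at (PoE+) figure from the slides
SR2024P_BUDGET_MW = 195_000


@dataclass(frozen=True)
class PseProfile:
    name: str
    power_mode: str        # "802.3af" or "802.3at"
    power_limit_mw: int
    priority: str          # "low", "high" or "critical"


def port_number(interface: str) -> int:
    """'Eth1/12' -> 12."""
    return int(interface.rsplit("/", 1)[1])


def allocate(assignments: dict, budget_mw: int):
    """Reserve power per interface in priority order.

    assignments maps interface name -> PseProfile. Returns
    (granted {interface: mW}, denied [interfaces], remaining mW).
    """
    order = sorted(assignments,
                   key=lambda i: (PRIORITY_RANK[assignments[i].priority], port_number(i)))
    granted, denied, remaining = {}, [], budget_mw
    for iface in order:
        need = assignments[iface].power_limit_mw
        if need <= remaining:
            granted[iface] = need
            remaining -= need
        else:
            denied.append(iface)
    return granted, denied, remaining


def pd_fits(profile: PseProfile, pd_max_draw_mw: int) -> bool:
    """True when a powered device's maximum draw stays within the profile's limit."""
    return pd_max_draw_mw <= profile.power_limit_mw


# Constructed lab plan: APs on Eth1/1-2 with the af-high-X profile from the lab,
# phones on Eth1/3-8 on an assumed 802.3af low-priority profile, and every other
# port left at the (assumed) default 802.3at profile.
AF_HIGH = PseProfile("af-high-X", "802.3af", W_802_3AF_MW, "high")
AF_LOW = PseProfile("af-low-X", "802.3af", W_802_3AF_MW, "low")       # assumed
DEFAULT_AT = PseProfile("default", "802.3at", W_802_3AT_MW, "low")    # assumed default


def lab_assignments() -> dict:
    plan = {}
    for n in range(1, 25):
        plan[f"Eth1/{n}"] = AF_HIGH if n <= 2 else AF_LOW if n <= 8 else DEFAULT_AT
    return plan


if __name__ == "__main__":
    granted, denied, left = allocate(lab_assignments(), SR2024P_BUDGET_MW)
    print(f"powered: {len(granted)} ports, unpowered: {denied}, spare: {left} mW")
    print("AP-330 (14.95 W) fits af-high-X:", pd_fits(AF_HIGH, 14950))
```

Running the plan shows the two AP ports and six phone ports always powered, while most ports left at the 32 W default cannot be reserved from a 195 W budget.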
Lab: Configure PoE ports – 5. PSE settings
• Assign Eth1/1 and Eth1/2 to: af-high-X
• Save
NOTE: You will only see the interfaces (ports) that have been assigned to a port type

Lab: Configure PoE ports – 6. Save your Network Policy
• From the Configure Interfaces & User Access bar, click Save

CONFIGURE PORTS FOR IP PHONES
Lab Infrastructure – Configure PoE Ports for IP Phones
Configure 6 of the PoE ports for IP Phones
• Use ports 3 - 8 for IP Phones
[Diagram: lab infrastructure – PoE SR2024 access switch, distribution and core switches, ESXi server (HMOL), APs, IP phones]

CONFIGURE PHONE PORTS IN SWITCH DEVICE TEMPLATE

Lab: Configure PoE ports for IP phones – 1. Select ports 3-8
Select the ports that will be used to connect to IP Phones
NOTE: The first 8 ports on an SR2024 provide power
• Select ports 3, 4, 5, 6, 7, and 8 (yes, you can multi-select)
• Click Configure

Lab: Configure PoE ports for IP phones – 2. Phone & Data ports
• Click New

Lab: Configure PoE ports for IP phones – 3. Phone & Data ports
• Name: Phone-and-Data-X
• Port Type: Phone & Data
• Check Primary authentication using: MAC via PAP
• QoS Classification: Trusted Traffic Sources
  › Note: This means we are trusting the upstream network infrastructure markings
  › Map to DSCP or 802.1p
• QoS Marking: Map Aerohive…
  › Map to DSCP or 802.1p
• Click Save

Lab: Configure PoE ports for IP phones – 4. Phone & Data ports
• For Choose Port Type, select Phone-and-Data-X
• Click OK
• Ports 3 – 8 will now display with a phone icon

Lab: Configure PoE ports for IP phones – 5. Save your network policy
• From the Configure Interfaces & User Access bar, click Save

CONFIGURE PORTS FOR OPEN GUEST ACCESS
Lab Infrastructure – Configure Ports for Employee Computer Access
Configure 2 of the switch ports for open access
(switch ports are in a secured room – for testing purposes)
• Use ports 9 and 10
[Diagram: lab infrastructure – PoE SR2024 access switch, distribution and core switches, ESXi server (HMOL), APs, IP phones, guest computers]

Lab: Configure Open Guest Ports – 1. Select ports 9 and 10
Select the ports that will be used to connect to guest computers
• Select ports 9 and 10
• Click Configure

Lab: Configure Open Guest Ports – 2. Create access port
• Click New

Lab: Configure Open Guest Ports – 3. Create access port
• Name: Guest-X
• Port Type: Access
• Most likely you will not be trusting the DSCP settings on guest devices, so click Untrusted Traffic Sources
• There is no need to mark the traffic for QoS marking
• Click Save

Lab: Configure Open Guest Ports – 4. Assign access port policy
• For Choose Port Type, select Guest-X
• Click OK
• Ports 9 and 10 will now display with a world icon

Lab: Configure Open Guest Ports – 5. Save your network policy
• From the Configure Interfaces & User Access bar, click Save

For switch ports in a secure location
CONFIGURE PORTS FOR SECURE EMPLOYEE ACCESS WITH 802.1X
Lab Infrastructure – Configure Ports for Employee Computer Access
Configure six of the switch ports for 802.1X authentication
• Use ports 11-16
[Diagram: lab infrastructure – PoE SR2024 access switch, distribution and core switches, ESXi server (HMOL), APs, IP phones, employee computers (802.1X)]

Lab: Configure Secure Access Ports – 1. Select ports 11 - 16
Select the ports that will be used to connect to employee computers that support 802.1X
• Select ports 11, 12, 13, 14, 15, and 16
• Click Configure

Lab: Configure Secure Access Ports – 2. Create secure port policy
• Click New

Lab: Configure Secure Access Ports – 3. Create secure port policy
• Name: Secure-X
• Port Type: Access
• Check the box for: Primary Authentication using 802.1X
• Uncheck ☐ Allow multiple hosts (same VLAN)
• To preserve the markings set by PCs for softphones or other important applications, select QoS Classification: Trusted Traffic Sources
• Check the box for QoS Marking: Map Aerohive QoS …
• Select DSCP or 802.1p depending on the upstream switch architecture
• Click Save

Lab: Configure Secure Access Ports – 4. Assign secure port policy
• For Choose Port Type, select Secure-X
• Click OK
• Ports 11-16 will now display with a world icon

Lab: Configure Secure Access Ports – 5. Save your network policy
• From the Configure Interfaces & User Access bar, click Save

CONFIGURE MIRROR PORTS
Lab: Configure Mirror Ports – 1. Select ports 21 - 22
Select the ports that will be used for port mirroring
• Select ports 21 and 22
• Click Configure

Lab: Configure Mirror Ports – 2. Create mirror port policy
• Click New
• Name: Mirror-X
• Port Type: Mirror
• Click Save

Lab: Configure Mirror Ports – 3. Assign mirror port policy
• For Choose Port Type, select Mirror-X
• Click OK
• Check Port-Based
Note: VLAN-Based port mirroring can only be enabled on a single port

Lab: Configure Mirror Ports – 4. Choose ports to mirror
• Eth1/21, Egress – click Choose
• Select Eth1/1 and click OK
• Eth1/22, Ingress – click Choose
• Select Eth1/12 and click OK

Lab: Configure Mirror Ports – 5. Verify and save mirror port policy
• All downstream traffic destined for the WLAN clients of the Aerohive AP on port Eth1/1 will be mirrored to port Eth1/21.
• All upstream traffic from the host on Eth1/12 destined for the network will be mirrored to port Eth1/22.
• Click Save

Lab: Configure Mirror Ports – 6. Verify and save mirror port policy
Ports 21 and 22 will now display a magnifying glass icon.

Lab: Configure Mirror Ports – 7. Save your network policy
• From the Configure Interfaces & User Access bar, click Save

GENERAL DEVICE TEMPLATE INFO
General Port Template Info
If you have more than one port selected, you can clear the port selections here so you do not have to click each selected port to deselect it.

General Port Template Info
• If you move your mouse over one of the defined ports, an option appears to select all ports using this port type

Guest Access
CONFIGURE PORT TYPES

Lab: Configure Ports – Guest Access – 1. Port Types
• Configure the authentication, user profile, and VLAN information for the port types defined in the device templates

Lab: Configure Ports – Guest Access – 2. Create user profile
Similar to SSIDs, you need to configure User Profiles (user policy) for the access ports
• For your Guest-X port type, under User Profile click Add/Remove
• Click New

Lab: Configure Ports – Guest Access – 3. Assign VLAN
User profiles are used to assign policy to devices connected to the network.
NOTE: Switches use the VLAN in a user profile. Switches functioning as routers use the VLAN, but may also make layer 3 firewall and policy-based routing decisions based on the user profile. In either case, user profile information is carried with user information throughout an Aerohive network infrastructure.
• Name: Guest-X
• Attribute: 100
• Default VLAN: 8
• Click Save
The optional settings are used when the user profile is enforced on an AP. The switch, because it forwards packets at line speed in silicon, does not use the optional settings. If the switch is configured as a branch router, the user profile is used for decisions in layer 3 firewall policies, IPsec VPN policies, and identity-based routing.

Lab: Configure Ports – Guest Access – 4. Save user profile
• Ensure Guest-X is selected
• Click Save
• Verify your settings

Lab: Configure Ports – Guest Access – 5. Save your network policy
• From the Configure Interfaces & User Access bar, click Save

Employee Access Secured with 802.1X
CONFIGURE PORT TYPES
Lab: Configure Ports – Secure Access – 1. Configure RADIUS
Configure the RADIUS server for the ports secured with 802.1X
• For your Secure-X port type, under Authentication click <RADIUS Settings>
• Click New

Lab: Configure Ports – Secure Access – 2. Configure RADIUS
Define the external RADIUS server settings
• RADIUS name: RADIUS-X
• IP address: 10.5.1.10
• Shared Secret: aerohive123
• Confirm Secret: aerohive123
• Click Apply!!
• Click Save

Lab: Configure Ports – Secure Access – 3. Configure user profile
Assign user profiles to the secure 802.1X ports
• Next to your Secure-X port type, under User Profile click Add/Remove

Port Types
There are three user profile assignment methods:
1. (Auth) Default – If a client authenticates successfully but no user profile attribute is returned, or if a user profile attribute is returned that matches the default user profile selected here
2. Auth OK – If a client authenticates successfully and a user profile attribute is returned, it must match one of the user profiles you select here
3. Auth Fail – If a client fails authentication, use this user profile
Lab: Configure Ports – Secure Access – 4. Configure default user profile
Define the Default User Profile, assigned if a client authenticates successfully but no user profile attribute is returned, or if a user profile attribute is returned that matches the default user profile selected
• Select the Default tab
• Select the user profile: Employee-Default(1)
  › Created by the instructor…
  › Assigns VLAN 1

Lab: Configure Ports – Secure Access – 5. Configure Auth OK user profile
Define a user profile for Auth OK – if a client authenticates successfully and a user profile attribute is returned, it must match one of the user profiles you select here. You can have up to 63 Auth OK user profiles.
• Select the Auth OK tab
• Select Employee-X(10)
  › Assigns VLAN 10

Lab: Configure Ports – Secure Access – 6. Configure Auth Fail user profile
Define a user profile for Auth Fail – if a client fails authentication several times, assign the Auth Fail user profile
• Select Auth Fail
• Select Guest-X(100)
  › Assigns VLAN 8
• Verify the Default, Auth OK, and Auth Fail settings one more time
• Click Save

Lab: Configure Ports – Secure Access – 7. Verify settings
• Verify the settings

Lab: Configure Ports – Secure Access – 8. Save your network policy
• From the Configure Interfaces & User Access bar, click Save

PHONE & DATA PORTS WITH NO AUTHENTICATION
Phone & Data Port Type With Open Access
• Switch port is assigned to a Phone & Data Port Type
• For this example, no authentication is selected in Phone & Data
[Diagram: SR2024 switch – Phone & Data port uses 802.1Q – IP phone – data device]

Phone & Data Port Type With Open Access
• You can then select a Default Voice and a Default Data user profile
• The Phone & Data port is an 802.1Q port
• The Phone VLAN will be tagged and sent to the IP phone via LLDP-MED
• The switch port will assign the Data VLAN as the native VLAN
  › This way, the phone traffic is tagged, and data traffic is untagged
[Diagram: SR2024 switch – Phone & Data port uses 802.1Q – LLDP assigns the phone to the tagged Voice VLAN – IP phone – data device]
Note: For default data, only the VLAN is used, not the user profile

CLI Commands for Phone & Data Port without Authentication
• interface eth1/3 switchport mode trunk
• interface eth1/3 switchport user-profile-attribute 2
• interface eth1/3 switchport trunk native vlan 10
• interface eth1/3 switchport trunk voice-vlan 2
• interface eth1/3 switchport trunk allow vlan 2
• interface eth1/3 switchport trunk allow vlan 10
• interface eth1/3 qos-classifier Phone-and-Net-2
• interface eth1/3 qos-marker Phone-and-Net-2
• interface eth1/3 pse profile QS-PSE

PHONE & DATA PORTS WITH 802.1X/PEAP AUTHENTICATION OR MAC AUTHENTICATION
Phone & Data Port Type With 802.1X/PEAP or MAC Authentication
• Switch port is assigned to a Phone & Data Port Type
• For this example, 802.1X authentication is selected in Phone & Data
[Diagram: SR2024 switch – Phone & Data port uses 802.1Q and 802.1X – IP phone – data device (employees) – RADIUS server: the phone policy returns the Cisco AV pair device-traffic-class=voice plus a user profile and/or VLAN; the data (employee) policy returns a user profile and/or VLAN]

Phone & Data Port Type With 802.1X/PEAP
• You can connect a single client, or multiple clients, behind the data port of an IP phone
• Phones and clients authenticate independently of each other, and the order in which they authenticate does not matter
  › However, the VLAN assigned to the first data device (Employee) that authenticates becomes the data VLAN; all other data devices will be assigned to the same VLAN, even if they have different user profiles with other VLANs assigned, or even if RADIUS returns a different VLAN.
[Diagram: as on the previous slide]

Phone & Data Port Type With Primary and Secondary Authentication
• If a secondary authentication method is configured and the primary method is not available, or fails three times, the secondary method will be tried
[Diagram: as on the previous slide]

CLI Commands for Phone & Data Port with 802.1X
• security-object Phone-and-Data-2
• security-object Phone-and-Data-2 security aaa radius-server primary 10.250.1.1 shared-secret ***
• security-object Phone-and-Data-2 security protocol-suite 802.1x
• security-object Phone-and-Data-2 default-user-profile-attr 1
• security-object Phone-and-Data-2 security auth-mode host-based multiple-domain
• interface eth1/3 security-object Phone-and-Data-2
• interface eth1/3 switchport mode trunk
• interface eth1/3 switchport user-profile-attribute 1
• interface eth1/3 qos-classifier Phone-and-Data-2
• interface eth1/3 qos-marker Phone-and-Data-2
• interface eth1/3 pse profile QS-PSE
• no interface eth1/3 spanning-tree enable
• no interface eth1/3 link-discovery cdp receive enable
• user-profile Default qos-policy def-user-qos vlan-id 1 attribute 1
• user-profile Employee-2 qos-policy def-user-qos vlan-id 10 attribute 10
• user-profile Voice-2 qos-policy def-user-qos vlan-id 2 attribute 2
• user-profile Guest-2 qos-policy def-user-qos vlan-id 8 attribute 100

CLI Commands for Phone & Data Port with MAC AUTH
• security-object Phone-and-Data-2
• security-object Phone-and-Data-2 security aaa radius-server primary 10.250.1.1 shared-secret ***
• security-object Phone-and-Data-2 security additional-auth-method mac-based-auth
• security-object Phone-and-Data-2 default-user-profile-attr 1
• security-object Phone-and-Data-2 security auth-mode host-based multiple-domain
• security-object Phone-and-Data-2 security initial-auth-method mac-based-auth
• interface eth1/3 security-object Phone-and-Data-2
• interface eth1/3 switchport mode trunk
• interface eth1/3 switchport user-profile-attribute 1
• interface eth1/3 qos-classifier Phone-and-Data-2
• interface eth1/3 qos-marker Phone-and-Data-2
• interface eth1/3 pse profile QS-PSE
• no interface eth1/3 spanning-tree enable
• no interface eth1/3 link-discovery cdp receive enable
• user-profile Default qos-policy def-user-qos vlan-id 1 attribute 1
• user-profile Employee-2 qos-policy def-user-qos vlan-id 10 attribute 10
• user-profile Voice-2 qos-policy def-user-qos vlan-id 2 attribute 2
• user-profile Guest-2 qos-policy def-user-qos vlan-id 8 attribute 100

Overview
CONFIGURING NPS FOR PHONE AND EMPLOYEE AUTHENTICATION WITH 802.1X/PEAP
Configure NPS for Phone & Data Authentication
• Create a network policy for voice

Configure NPS for Phone & Data Authentication
• Enter a name for the voice policy, and click Next

Configure NPS for Phone & Data Authentication
• Click Add to specify a condition

Configure NPS for Phone & Data Authentication
• Select Windows Groups
• Click Add

Configure NPS for Phone & Data Authentication
• Click Add Groups…
• A voice group was created by IT for IP phones – enter voice and click OK
• Click OK

Configure NPS for Phone & Data Authentication
• Click Next

Configure NPS for Phone & Data Authentication
• Select Access granted

Configure NPS for Phone & Data Authentication
• Click Add
• Select Microsoft: Protected EAP (PEAP)
• Click OK

Configure NPS for Phone & Data Authentication
• Click Next
• For constraints, click Next

Configure NPS for Phone & Data Authentication
• Remove attributes that are not needed:
  › Select Framed-Protocol, and click Remove
  › Select Service-Type, and click Remove

Configure NPS for Phone & Data Authentication
Add the three attribute value pairs needed to assign a user profile
• Tunnel-Medium-Type: IP v4 (value found in the Others section)
• Tunnel-Type: Generic Route Encapsulation (GRE)
• Tunnel-Pvt-Group-ID: (String) 2
  › 2 is the voice user profile in this case
• Click Next

Configure NPS for Phone & Data Authentication
• Under RADIUS Attributes, select Vendor Specific

RETURN A CISCO AV PAIR TO LET THE AEROHIVE SWITCH KNOW WHICH USER PROFILE SHOULD BE ASSIGNED AS THE VOICE USER PROFILE
Configure NPS for Phone & Data Authentication
In order for a switch to know that a specific user profile is for voice, Aerohive devices accept the Cisco AV pair device-traffic-class=voice. This is sent to the switch, and the switch uses LLDP to send the voice VLAN to any phone that supports LLDP-MED.
• Under RADIUS Attributes, select Vendor Specific
• Click Add

Configure NPS for Phone & Data Authentication
• Under Vendor, select Cisco

Configure NPS for Phone & Data Authentication
• Click Add
• Click Add again

Configure NPS for Phone & Data Authentication
• Attribute value: device-traffic-class=voice
• Click OK
• Click OK
• Click Close (the value does not show up on this screen; do not worry, it is there)

Configure NPS for Phone & Data Authentication
• Attribute value: device-traffic-class=voice
• Click OK
• Click OK
• Click Next

Configure NPS for Phone & Data Authentication
• Click Finish

DEFINE CLIENT ACCESS

CLI Commands for Phone & Data Port without Authentication
Create a new policy for employee access
• Policy name: Wireless or Wired Employee Access

CLI Commands for Phone & Data Port without Authentication
• For the condition, select the Windows group that contains your employees
• Add the three attribute value pairs needed to assign a user profile
  › Tunnel-Medium-Type: IP v4 (value found in the Others section)
  › Tunnel-Type: Generic Route Encapsulation (GRE)
  › Tunnel-Pvt-Group-ID: (String) 10
    » 10 is the voice user profile in this case
• Click Next

Phone and Data
CONFIGURE PORT TYPES
Lab: Configure Ports – Phone & Data – 1. Configure RADIUS
Configure the RADIUS server for the ports secured with 802.1X
• For your Phone-and-Data-X port type, under Authentication click <RADIUS Settings>
• Select RADIUS-X, which is an external Microsoft NPS RADIUS server
• Click OK

Port Types
Assign user profiles to your 802.1X ports
• For your Phone-and-Data-X port type, under User Profile click Add/Remove

Port Types (Reminder) – Must Verify
There are three user profile settings:
1. Default – Default for data if no user profile attribute is returned, or if a user profile attribute is returned that matches the user profile configured here
2. Auth OK (Voice) – If a client authenticates successfully, a user profile attribute is returned that matches a selected user profile, and the Cisco AV pair is also returned
3. Auth OK (Data) – Client passes authentication and a user profile attribute is returned, but no Cisco AV pair
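The profile selection rules from the Secure Access "Port Types" slide, the NPS tunnel attributes, and the Phone & Data reminder above, modelled as an added Python example (not Aerohive code). The profile names, attributes and VLANs are the lab's; how an attribute that matches no selected profile is treated, the requirement for all three tunnel attributes, and the absence of an Auth Fail profile on a Phone & Data port are assumptions.

```python
"""User profile selection from a RADIUS result (added example, not Aerohive code).

Encodes the assignment rules stated on the slides for the two port types:
  Secure-X (Access + 802.1X): Default / Auth OK / Auth Fail
  Phone-and-Data-X:           Default / Auth OK (Voice) / Auth OK (Data),
                              where Voice also needs the Cisco AV pair
                              device-traffic-class=voice
A user profile attribute arrives as the NPS triple Tunnel-Type=GRE (10),
Tunnel-Medium-Type=IP (1, "IP v4" in NPS) and Tunnel-Pvt-Group-ID=<attribute>.
Assumptions: all three tunnel attributes are required for the attribute to
count, a returned attribute that matches nothing selected on the port yields no
profile, and a Phone & Data port has no Auth Fail profile (none is listed).
"""
from dataclasses import dataclass

TUNNEL_TYPE_GRE = 10
TUNNEL_MEDIUM_IPV4 = 1
VOICE_AV_PAIR = "device-traffic-class=voice"


@dataclass(frozen=True)
class UserProfile:
    name: str
    attribute: int
    vlan: int


# User profiles created in the lab (name, attribute, VLAN)
EMPLOYEE_DEFAULT = UserProfile("Employee-Default", 1, 1)
EMPLOYEE = UserProfile("Employee-X", 10, 10)
VOICE = UserProfile("Voice-X", 2, 2)
GUEST = UserProfile("Guest-X", 100, 8)


def profile_attribute(attrs: dict):
    """Return the user profile attribute carried by an Access-Accept, or None."""
    if (attrs.get("Tunnel-Type") == TUNNEL_TYPE_GRE
            and attrs.get("Tunnel-Medium-Type") == TUNNEL_MEDIUM_IPV4
            and str(attrs.get("Tunnel-Pvt-Group-ID", "")).isdigit()):
        return int(attrs["Tunnel-Pvt-Group-ID"])
    return None


def is_voice(attrs: dict) -> bool:
    """True when the Cisco AV pair marking a phone is present."""
    return VOICE_AV_PAIR in attrs.get("Cisco-AVPair", [])


def _match(attr, profiles):
    return next((p for p in profiles if p.attribute == attr), None)


def select_secure_access(accepted: bool, attrs: dict, default, auth_ok, auth_fail):
    """Secure-X rule: Auth Fail on reject; Default when no attribute or the
    default's own attribute comes back; otherwise it must match an Auth OK profile."""
    if not accepted:
        return auth_fail
    attr = profile_attribute(attrs)
    if attr is None or attr == default.attribute:
        return default
    return _match(attr, auth_ok)


def select_phone_data(accepted: bool, attrs: dict, default, voice, data):
    """Phone-and-Data-X rule: Voice needs a matching attribute plus the AV pair;
    Default when no attribute or the default's attribute; else Auth OK (Data)."""
    if not accepted:
        return None
    attr = profile_attribute(attrs)
    if is_voice(attrs):
        return _match(attr, voice)
    if attr is None or attr == default.attribute:
        return default
    return _match(attr, data)


class PhoneDataPort:
    """Tracks the data VLAN on a Phone & Data port: the first authenticated data
    device fixes the data VLAN for every later data device (slide rule)."""

    def __init__(self, default, voice, data):
        self.default, self.voice, self.data = default, voice, data
        self.data_vlan = None

    def authenticate(self, accepted: bool, attrs: dict):
        """Return the VLAN the device lands on, or None if no profile applies."""
        profile = select_phone_data(accepted, attrs, self.default, self.voice, self.data)
        if profile is None:
            return None
        if profile in self.voice:            # phone: tagged voice VLAN via LLDP-MED
            return profile.vlan
        if self.data_vlan is None:           # first data device wins
            self.data_vlan = profile.vlan
        return self.data_vlan


def accept(attribute=None, voice=False) -> dict:
    """Build a constructed Access-Accept attribute set like the NPS policies return."""
    attrs = {}
    if attribute is not None:
        attrs.update({"Tunnel-Type": TUNNEL_TYPE_GRE,
                      "Tunnel-Medium-Type": TUNNEL_MEDIUM_IPV4,
                      "Tunnel-Pvt-Group-ID": str(attribute)})
    if voice:
        attrs["Cisco-AVPair"] = [VOICE_AV_PAIR]
    return attrs
```

A phone whose NPS policy returns attribute 2 without the AV pair lands on no profile at all, which is why the reminder slide says to verify the Voice tab.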
Lab: Configure Ports – Phone & Data – 2. Configure user profile – Auth OK (Voice)
• Click Auth OK (Voice)
• Click New

Lab: Configure Ports – Phone & Data – 3. Configure user profile – Auth OK (Voice) VLAN
User profiles are used to assign policy to devices connected to the network.
• Name: Voice-X
• Attribute: 2
• Default VLAN: 2
• Click Save

Lab: Configure Ports – Phone & Data – 4. Configure user profile – Auth OK (Voice)
• For the Auth OK (Voice) tab select: Voice-X(2)
  › Assigns VLAN 2

Lab: Configure Ports – Phone & Data – 5. Configure user profile – Default
Assign the Default user profile:
• Select the Default tab
• Select Employee-Default(1)
  › Assigns VLAN 1

Lab: Configure Ports – Phone & Data – 6. Configure user profile – Auth OK (Data)
Define a user profile for Auth OK (Data) – for clients connected through an IP Phone
• Select Auth OK (Data)
• Select Employee-X(10)
  › Assigns VLAN 10
• Verify the Default, Auth OK (Voice), and Auth OK (Data) settings one more time
• Click Save

Lab: Configure Ports – Phone & Data – 7. Verify your settings
• Verify the settings

Lab: Configure Ports – Phone and Data – 8. Save your network policy
• From the Configure Interfaces & User Access bar, click Save

CONFIGURE 802.1Q TRUNK PORTS

Lab: Configure Trunk Ports – 1. Configure AP-Trunk-X port policy VLANs
Define the allowed VLANs on a trunk port
• Next to AP-Trunk-X click Add/Remove
• Add the specific VLANs: 1,2,8,10
• Click OK

Lab: Configure Trunk Ports – 2. Configure Trunk-X port policy VLANs
Define the allowed VLANs on a trunk port
• Next to Trunk-X click Add/Remove
• Type all
• Click OK

Lab: Configure Trunk Ports – 3. Verify your settings
Verify Settings

Lab: Configure Ports – Phone and Data – 8. Save your network policy and continue
• From the Configure Interfaces & User Access bar, click Save

UPDATE DEVICES
Lab: Update Devices – 1. Modify your AP
From the Configure & Update Devices section, modify your AP-specific settings
• Click the Name column to sort the APs
• Click the link for your AP: 0X-A-######

Lab: Update Devices – 2. Update the configuration of your Aerohive AP
• Location: <FirstName_LastName>
• Topology Map: Classroom
• Network Policy: Access-X
  › Note: Leave this set to default so you can see how it is automatically set to your new network policy when you update the configuration.
• Set the power down to 1 dBm on both radios because the APs are stacked in a rack in the data center
  › 2.4GHz (wifi0) Power: 1
  › 5GHz (wifi1) Power: 1
• Click Save

Lab: Update Devices – 3. Select AP and switch
• Select your AP and switch and click Update
• Click Yes

Lab: Update Devices – 4. Update the AP and switch
• Select Update Devices
• Select Perform a complete configuration update for all selected devices
• Click Update
For this class, ALL updates should be complete configuration updates

Lab: Update Devices – 5. Update the AP and switch
• Should the Reboot warning box appear, select OK
• Click OK

QUESTIONS?

CREATE AN AEROHIVE DEVICE DISPLAY FILTER
Lab: Create a Display Filter from Monitor View – 1. Create a filter
• To create a display filter, go to Monitor Filter: select +
• Network Policy, select: Access-X
• Remember this Filter, type: Access-X
• Click Search

Lab: Create a Display Filter from Monitor View – 2. Verify the display filter

QUESTIONS?

TEST YOUR WI-FI CONFIGURATION USING THE HOSTED PC
Lab: Test Hosted Client Access to SSID – Test SSID Access at Hosted Site
• Use a VNC client to access the Hosted PC:
  › password: aerohive
• From the hosted PC, you can test connectivity to your SSID
[Diagram: lab infrastructure – PoE SR2024 access switch, distribution and core switches, ESXi server (HM VA), Internet, hosted PC connected by Ethernet to the switch and by Wi-Fi to the AP]

Lab: Test Hosted Client Access to SSID – 1. For Windows: Use TightVNC client
• If you are using a Windows PC
  › Use TightVNC
  › TightVNC has good compression, so please use this for class instead of any other application
• Start TightVNC
  › For Lab 1: lab1-pcX.aerohive.com
  › For Lab 2: lab2-pcX.aerohive.com
  › For Lab 3: lab3-pcX.aerohive.com
  › For Lab 4: lab4-pcX.aerohive.com
  › For Lab 5: lab5-pcX.aerohive.com
  › Select Low-bandwidth connection
  › Click Connect
  › Password: aerohive
  › Click OK

Lab: Test Hosted Client Access to SSID – 2. For Mac: Use the RealVNC client
• If you are using a Mac
  › RealVNC has good compression, so please use this for class instead of any other application
• Start RealVNC
  › For Lab 1: lab1-pcX.aerohive.com
  › For Lab 2: lab2-pcX.aerohive.com
  › For Lab 3: lab3-pcX.aerohive.com
  › For Lab 4: lab4-pcX.aerohive.com
  › For Lab 5: lab5-pcX.aerohive.com
  › Click Connect
  › Password: aerohive
  › Click OK

Lab: Test Hosted Client Access to SSID – 3. In case the PCs are not logged in
If you are not automatically logged in to your PC
• If you are using the web browser client
  › Click the button to Send Ctrl-Alt-Del
• If you are using the TightVNC client
  › Click to send a Ctrl-Alt-Del
• Login: AH-LAB\user
• Password: Aerohive1
• Click the right arrow to log in

Lab: Test Hosted Client Access to SSID – 4. Remove any Wireless Networks on Hosted PC
From the bottom task bar, click the locate wireless networks icon
› Select Open Network and Sharing Center
› Click Manage wireless Networks
› Select a network, then click Remove
› Repeat until all the networks are removed
› Click [x] to close the window

Lab: Test Hosted Client Access to SSID – 5. Connect to Your Class-PSK-X SSID
• Single-click the wireless icon in the bottom right corner of the Windows task bar
• Click your SSID: Class-PSK-X
• Click Connect
  › Security Key: aerohive123
  › Click OK

Lab: Test Hosted Client Access to SSID – 6. View Active Clients List
• After associating with your SSID, you should see your connection in the active clients list under Wireless Clients
• Your IP address should be from the 10.5.10.0/24 network, which is from VLAN 10
Go to Monitor > Clients > Wireless Clients and locate your PC's entry

QUESTIONS?

TESTING SWITCH PORT CONNECTIONS WITH WINDOWS 7
Lab: Test Hosted Client to Wired Network – Test Guest and 802.1X Access
• Use VNC client to access Hosted PC:
› password: aerohive
• From the hosted PC, you can test connectivity to your SSID
[Lab topology diagram: Hosted PC and AP connect over Ethernet and Wi-Fi to the PoE SR2024 (Access), then Distribution, Core, the ESXi Server hosting the HM VA, and the Internet]
Three Different VLANs are Possible in this Configuration
• Default – Auth OK, and RADIUS does not return a user profile, or returns a user profile matching the default
• Auth OK – and RADIUS returns a user profile that matches one of the user profiles configured here
• Auth Fail – RADIUS authentication fails (Guest)
Lab: Test Hosted Client to Wired Network – 1. Verify IP address of Ethernet adapter
• Locate Local Area Connection 3
• Right click
• Click Status
• Click Details
Lab: Test Hosted Client to Wired Network – 2. Verify IP address of Ethernet adapter
Why do you see an IP from the 10.5.1.0/24 subnet?
This is the IP address the device received on VLAN 1 before the switch was configured
Lab: Test Hosted Client to Wired Network – 3. Reset Ethernet Adapter
Because the PC has the wrong IP address it will not work; you can remedy this by:
• Right-click on Local Area Connection 3
• Click Diagnose
or
• Disable, then Enable, Local Area Connection 3
• Do NOT Disable Local Area Connection 2
Lab: Test Hosted Client to Wired Network – 4. Verify IP address of Ethernet adapter
• Locate Local Area Connection 3
• Right click
• Click Status
• Click Details
Lab: Test Hosted Client to Wired Network – 5. Verify IP address of Ethernet adapter
Why do you see an IP from the 10.5.8.0/24 subnet?
This is the guest network that is assigned if authentication is not supported or fails
Lab: Test Hosted Client to Wired Network – 6. Verify VLAN of wired client
Go to Monitor > Clients > Wired Clients and locate your PC's entry
• Note the IP, Client Auth Mode, User Profile Attribute and VLAN
• VLAN 8 is the guest VLAN assigned because 802.1X authentication was not supported or failed. The host was assigned to the Auth Fail user profile.
Lab: Test Hosted Client to Wired Network – 7. Enable 802.1X for wired clients
• In Windows 7, you must enable 802.1X support
• As an administrator, from the Start menu type services
• Then click Services
Lab: Test Hosted Client to Wired Network – 8. Enable 802.1X for wired clients
• Click the Standard tab on the bottom of the services panel
• Locate Wired AutoConfig and right-click
• Click Properties
Lab: Test Hosted Client to Wired Network – 9. Enable 802.1X for wired clients
• The Wired AutoConfig (DOT3SVC) service is responsible for performing IEEE 802.1X authentication on Ethernet interfaces
• If your current wired network deployment enforces 802.1X authentication, the DOT3SVC service should be configured to run for establishing Layer 2 connectivity and/or providing access to network resources
• Wired networks that do not enforce 802.1X authentication are unaffected by the DOT3SVC service
Lab: Test Hosted Client to Wired Network – 10. Enable 802.1X for wired clients
• Click Automatic
• Click Start
Lab: Test Hosted Client to Wired Network – 11. Enable 802.1X for wired clients
• Click OK
Lab: Test Hosted Client to Wired Network – 12. Verify IP address of Ethernet adapter
• Locate Local Area Connection 3
• Right click
• Click Status
• Click Details
Lab: Test Hosted Client to Wired Network – 13. Verify IP address of Ethernet adapter
Why do you see an IP from the 10.5.10.0/24 subnet?
The user has authenticated with 802.1X/EAP and RADIUS is returning the user profile attribute: 10
Lab: Test Hosted Client to Wired Network – 14. Verify authentication and VLAN of wired client
Go to Monitor > Clients > Wired Clients and locate your entry
• Note the IP, Client Auth Mode, User Profile Attribute and VLAN
• VLAN 10 is the employee VLAN assigned because 802.1X authentication was successful and the host was assigned to the Auth OK user profile.
For Reference: Switch CLI
SR-04-866380# show auth int eth1/12
Authentication Entities:
if=interface; UID=User profile group ID; AA=Authenticator Address;
if=eth1/12; idx=16; AA=08ea:4486:638c; Security-obj=Secure-2; default-UID=1;
Protocol-suite=802.1X;Auth-mode=port-based; Failure-UID=100; Dynamic-VLAN=10;
No. Supplicant UID Life State DevType User-Name Flag
--- -------------- ---- ----- -------------- ------- -------------------- ----
0 000c:2974:aa8e 10 0 done data AH-LAB\user4 000b
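The CLI output above can be parsed and each supplicant checked against the three outcomes listed on the "Three Different VLANs" slide. This is an added Python example, not Aerohive code; the field and column names come from the output above, and the profile-to-VLAN table (attribute 1 → VLAN 1, 10 → VLAN 10, Failure-UID 100 → guest VLAN 8) is assumed from this lab's settings.

```python
"""Parse 'show auth int <port>' output and classify each supplicant as
Default, Auth OK (profile returned) or Auth Fail.  Added example, not
Aerohive code; field names match the CLI output on the slide."""
import re

# Sample output, constructed from the slide above.
SHOW_AUTH_OUTPUT = """\
Authentication Entities:
if=interface; UID=User profile group ID; AA=Authenticator Address;
if=eth1/12; idx=16; AA=08ea:4486:638c; Security-obj=Secure-2; default-UID=1;
Protocol-suite=802.1X;Auth-mode=port-based; Failure-UID=100; Dynamic-VLAN=10;
No. Supplicant UID Life State DevType User-Name Flag
--- -------------- ---- ----- -------------- ------- -------------------- ----
0 000c:2974:aa8e 10 0 done data AH-LAB\\user4 000b
"""

# Lab user profiles (assumed): attribute 1 -> VLAN 1, attribute 10 -> VLAN 10,
# and the switch's Failure-UID 100 -> the guest VLAN 8.
LAB_PROFILE_VLAN = {1: 1, 10: 10, 100: 8}

DEFAULT, AUTH_OK, AUTH_FAIL = "Default", "Auth OK", "Auth Fail"

_KV = re.compile(r"([\w-]+)=([^;]+);")


def parse_show_auth(text):
    """Return (port_settings, supplicants).

    port_settings: the 'key=value;' pairs from the interface lines
    supplicants:   one dict per row of the supplicant table
    """
    settings, rows, header = {}, [], None
    for ln in (l.strip() for l in text.splitlines() if l.strip()):
        if ln.startswith("No. "):          # column header of the table
            header = ln.split()
            continue
        if header is None:
            if ln.startswith("if=interface"):
                continue                   # legend line, not a setting
            for key, val in _KV.findall(ln):
                settings[key] = val.strip()
            continue
        if ln.startswith("---"):
            continue
        fields = ln.split()
        if len(fields) != len(header):
            raise ValueError("unexpected supplicant row: %r" % ln)
        rows.append(dict(zip(header, fields)))
    for key in ("default-UID", "Failure-UID", "Dynamic-VLAN"):
        settings[key] = int(settings[key])
    for row in rows:
        row["UID"] = int(row["UID"])
    return settings, rows


def classify(settings, supplicant):
    """Apply the three-VLAN rule from the slide to one supplicant row."""
    uid = supplicant["UID"]
    if uid == settings["Failure-UID"]:
        return AUTH_FAIL      # RADIUS auth failed: Auth Fail (guest) profile
    if supplicant["State"] != "done":
        return "In progress"
    if uid == settings["default-UID"]:
        return DEFAULT        # auth OK, no profile (or the default) returned
    return AUTH_OK            # auth OK, RADIUS returned a matching profile


def audit(text, profile_vlan=LAB_PROFILE_VLAN):
    """Return (user, outcome, expected_vlan, consistent) per supplicant.

    consistent is False when the switch's Dynamic-VLAN disagrees with the
    VLAN of the profile RADIUS returned, or the UID maps to no known profile.
    """
    settings, rows = parse_show_auth(text)
    report = []
    for row in rows:
        outcome = classify(settings, row)
        vlan = profile_vlan.get(row["UID"])
        if outcome == AUTH_OK:
            consistent = settings["Dynamic-VLAN"] == vlan
        else:
            consistent = vlan is not None
        report.append((row["User-Name"], outcome, vlan, consistent))
    return report


if __name__ == "__main__":
    for entry in audit(SHOW_AUTH_OUTPUT):
        print(entry)
```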
Enable 802.1X for Wired Connections
If you need to troubleshoot, you can view Local Area Connection 3:
• From the Start menu, type view network
• Right-click Local Area Connection 3, and click Diagnose
› This will reset the adapter, clear the caches, etc.
Clearing Authentication Cache – For Testing or Troubleshooting
• From the Wired Clients list, you can select a client and click Deauth
› This clears all the caches for the client on the switch
• Then, on the hosted PC, disable and then enable Local Area Connection 3 to force a re-authentication
MISC MONITORING
Switch Monitoring
• Monitor > Switches
• Click on the hostname of the switch
Switch Monitoring
• Hover with your mouse over the switch ports
Switch Monitoring
System Details
Switch Monitoring
Port Details and PSE Details
Power Cycle Devices via PoE
• To configure this feature for selected ports on a switch, navigate to Monitor > Switches in the Managed Devices tab, click the name of the switch, and scroll down to PSE Details.
• Select the check box or boxes for the port or ports that you want to cycle, and then click Cycle Power.
This is useful in the event that one or more APs are locked up and need to be rebooted remotely. Bouncing the PoE port forces the AP to reboot.
Switch Monitoring
• Monitor > Active Clients > Wired Clients
• Add the User Profile Attribute column and move it up; it is useful
Switch Monitoring
• Click on the MAC address for a wired client to see more information
Switch Monitoring
• Utilities… > Statistics > Interface
Switch Monitoring
• Utilities… > Diagnostics > Show PSE
VLAN Probe – Use VLAN Probe to verify VLANs and DHCP Service
• Monitor > Switches – Select your device, and go to Utilities… > Diagnostic > VLAN Probe
NOTE: If you get the same IP subnet for each of the VLANs, that is a sign that the switch uplink port is connected to an access port, not a trunk port like it should be.
Client Monitor
• Tools > Client Monitor
• Client Monitor can be used to troubleshoot 802.1X/EAP authentication for wired clients
Switch CLI
SR-02-66ec00# show interface switchport
Name: gigabitethernet1/1
  Switchport: enable
  Port Mode: access
  Port Mirror: disable
  Port User-profile ID: 0
  Static Access VLAN: 1
  Dynamic Auth VLAN: 0
Name: gigabitethernet1/2
  Switchport: enable
  Port Mode: access
  Port Mirror: disable
  Port User-profile ID: 10
  Static Access VLAN: 10
  Dynamic Auth VLAN: 0
Switch CLI
• show client-report client
GENERAL SWITCHING
Storm Control
• Aerohive switches can mitigate traffic storms due to a variety of causes by tracking the source and type of frames to determine whether they are legitimately required.
• The switches can then discard frames that are determined to be the products of a traffic storm. You can configure thresholds for broadcast, multicast, unknown unicast, and TCP-SYN packets as a function of the percentage of interface capacity, number of bits per second, or number of packets per second.
From your network policy with Switching enabled: Go to Additional Settings > Switch Settings > Storm Control
IGMP Snooping MAC Addresses
• Aerohive switches are capable of monitoring IGMP transactions between multicast routers and client devices, and maintaining a local table of IGMP groups and group members
• Aerohive switches use this information to track the status of multicast clients attached to the switch ports so that it can forward multicast traffic efficiently
From your network policy with Switching enabled: Go to Additional Settings > Switch Settings > IGMP Settings
IGMP Snooping MAC Addresses
• IGMP device-specific options are available in the switch device configuration
• Users can enable or disable IGMP snooping for all VLANs or for a specified VLAN. When IGMP snooping is disabled, all dynamically learned multicast MAC addresses should be deleted.
Required When Aerohive Devices are Configured as RADIUS Servers
GENERATE AEROHIVE SWITCH RADIUS SERVER CERTIFICATES
HiveManager Root CA Certificate – Location and Uses
• This root CA certificate is used to:
› Sign the CSR (certificate signing request) that HiveManager creates on behalf of the AP acting as a RADIUS or VPN server
› Validate Aerohive AP certificates to remote clients
» 802.1X clients (supplicants) will need a copy of the CA certificate in order to trust the certificates on the Aerohive AP RADIUS server(s)
• Root CA Cert Name: Default_CA.pem
• Root CA key Name: Default_key.pem
Note: The CA key is only ever used or seen by HiveManager
• To view certificates, go to: Configuration, click Show Nav, then go to Advanced Configuration > Keys and Certificates > Certificate Mgmt
Use the Existing HiveManager CA Certificate, Do not Create a New One!
• For this class, please do not create a new HiveManager CA certificate, otherwise it will render all previous certificates invalid.
• On your own HiveManager, you can create your own HiveManager CA certificate by going to: Configuration, then Advanced Configuration > Keys and Certificates > HiveManager CA
LAB: Aerohive Switch Server Certificate and Key – 1. Generate Aerohive switch server certificate
• Go to Configuration, click Show Nav, then Advanced Configuration > Keys and Certificates > Server CSR
• Common Name: server-X
• Organizational Name: Company
• Organization Unit: Department
• Locality Name: City
• State/Province: <2 Characters>
• Country Code: <2 Characters>
• Email Address: [email protected]
• Subject Alternative Name:
› User FQDN: [email protected]
NOTE: This lets you add an extra step of validating the User FQDN in a certificate during IKE phase 1 for IPsec VPN. This way, the Aerohive AP needs a valid signed certificate and the correct user FQDN.
• Key Size: 2048
• Password & Confirm: aerohive123
• CSR File Name: Switch-X
• Click Create
LAB: Aerohive Switch Server Certificate and Key – 2. Sign and combine
• Select Sign by HiveManager CA
› The HiveManager CA will sign the Aerohive AP server certificate
› The other option is used to send a signing request to an external certification authority
• The validity period should be the same as or less than the number of days the HiveManager CA certificate is valid
› Enter the Validity: 3650 – approximately 10 years
• Check Combine key and certificate into one file
› Enabling this setting helps prevent certificate and key mismatches when configuring the RADIUS settings
• Click OK
LAB: Aerohive Switch Server Certificate and Key – 3. View server certificate and key
• To view certificates, go to: Configuration, click Show Nav, then go to Advanced Configuration > Keys and Certificates > Certificate Mgmt
• The certificate and key file name is: switch-X_key_cert.pem
• QUIZ
› Which CA signed this Aerohive switch server key?
› What devices need to install the CA public cert?
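Because the combined file is later entered for both the Server Cert and Server Key fields, and the exported CA file must contain only the public root certificate, an inventory of the PEM blocks in each file catches the mix-ups these slides warn about before the RADIUS settings are saved. This is an added Python example, not HiveManager code; the file contents below are constructed placeholders, not real keys or certificates.

```python
"""Inventory PEM blocks in the lab's certificate files and map them onto the
RADIUS Settings fields.  Added example, not HiveManager code."""
import re

# One PEM block: the END label must match the BEGIN label (backreference).
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# Constructed stand-in for switch-X_key_cert.pem, produced with
# "Combine key and certificate into one file" checked.
COMBINED_FILE = """\
-----BEGIN RSA PRIVATE KEY-----
CONSTRUCTED-PLACEHOLDER-KEY-BODY
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
CONSTRUCTED-PLACEHOLDER-SERVER-CERT-BODY
-----END CERTIFICATE-----
"""

# Constructed stand-in for the exported Default_CA.pem (public CA cert only).
CA_FILE = """\
-----BEGIN CERTIFICATE-----
CONSTRUCTED-PLACEHOLDER-CA-CERT-BODY
-----END CERTIFICATE-----
"""


def pem_blocks(text):
    """Return the PEM block labels found in a file, in order."""
    return [m.group(1) for m in _PEM_BLOCK.finditer(text)]


def is_private_key(label):
    """True for any '... PRIVATE KEY' PEM label (RSA, EC, PKCS#8)."""
    return label.endswith("PRIVATE KEY")


def export_name(pem_name):
    """Windows recognises .cer, so the exported CA file is renamed that way."""
    base = pem_name[:-4] if pem_name.lower().endswith(".pem") else pem_name
    return base + ".cer"


def radius_cert_fields(ca_text, server_text):
    """Decide which file goes into each HiveManager RADIUS Settings field.

    Returns {field: 'ca' | 'server'}.  Raises ValueError for the mistakes the
    slides warn about: a CA file that carries a private key (the CA key must
    never leave HiveManager), a CA file that is not exactly one certificate,
    or a server file that does not combine both key and certificate.
    """
    ca, srv = pem_blocks(ca_text), pem_blocks(server_text)
    if any(is_private_key(b) for b in ca):
        raise ValueError("CA file contains a private key: %r" % ca)
    if ca != ["CERTIFICATE"]:
        raise ValueError("CA file must hold exactly one certificate: %r" % ca)
    if not (any(is_private_key(b) for b in srv) and "CERTIFICATE" in srv):
        raise ValueError("server file must combine key and certificate: %r" % srv)
    # With a combined file, the same file name is used for both server fields.
    return {
        "CA Cert File": "ca",
        "Server Cert File": "server",
        "Server Key File": "server",
    }


if __name__ == "__main__":
    print(pem_blocks(COMBINED_FILE), pem_blocks(CA_FILE))
    print(radius_cert_fields(CA_FILE, COMBINED_FILE))
    print(export_name("Default_CA.pem"))
```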
QUESTIONS?
Lab: Switch as a RADIUS server – 1. Edit existing policy
• From Configuration,
• Select your Network policy: Access-X
• Click OK and then Continue
Lab: Switch Active Directory Integration – 2. Select your Network Policy
To configure the Aerohive device as a RADIUS server...
• Select the Configure & Update Devices bar
• Select the Filter: Current Policy
• Click the link for your Switch – SR-0X-######
Lab: Switch Active Directory Integration – 3. Create a RADIUS Service Object
Create an Aerohive AP RADIUS Service Object
• Under Optional Settings, expand Service Settings
• Next to Device RADIUS Service click +
Lab: Switch Active Directory Integration – 4. Create a RADIUS Service Object
• Name: SR-radius-X
• Expand Database Settings
• Uncheck Local Database
• Check External Database
• Under Active Directory, click + to define the RADIUS Active Directory Integration Settings
Lab: Switch Active Directory Integration – 5. Select a switch to test AD integration
• Name: AD-X
• Aerohive device for Active Directory connection setup: select your Switch: SR-0X-#####
› This will be used to test Active Directory integration
› Once this switch is working, it can be used as a template for configuring other Aerohive device RADIUS servers with Active Directory integration
• The IP settings for the selected Aerohive switch are gathered and displayed
Lab: Switch Active Directory Integration – 6. Modify DNS settings
• Set the DNS server to: 10.5.1.10
› This DNS server should be the Active Directory DNS server or an internal DNS server aware of the Active Directory domain
• Click Update
› This applies the DNS settings to the Network Policy and to the Aerohive device so that it can test Active Directory connectivity
Lab: Switch Active Directory Integration – 7. Specify Domain and Retrieve Directory Information
• Domain: ah-lab.local
• Click Retrieve Directory Information
› The Active Directory Server IP will be populated, as well as the BaseDN used for LDAP user lookups
Lab: Switch Active Directory Integration – 8. Specify Domain and Retrieve Directory Information
• Domain Admin: hiveapadmin (the delegated admin)
• Password and Confirm Password: Aerohive1
• Click Join
• Check Save Credentials
› NOTE: By saving credentials you can automatically join Aerohive devices to the domain without manual intervention
Lab: Switch Active Directory Integration – 9. Specify A User to Perform LDAP User Searches
• Domain User: [email protected] (a standard domain user)
• Password and Confirm Password: Aerohive1
• Click Validate User
› You should see the message: The user was successfully authenticated.
› These user credentials will remain and be used to perform LDAP searches to locate user accounts during authentication.
Lab: Switch Active Directory Integration – 10. Save the AD Settings
• Click Save
Lab: Switch Active Directory Integration – 11. Apply the AD settings
• Select AD-X with priority: Primary
• Click Apply (please make sure you click Apply)
• Do not save yet
Lab: Switch Active Directory Integration – 12. Enable LDAP credential caching
Enable the switch RADIUS server to cache user credentials, so that a user who has previously authenticated can still authenticate if the AD server is not reachable
• Check Enable RADIUS Server Credentials Caching
• Do not save yet...
Lab: Switch Active Directory Integration – 13. Assign server certificate
Optional Settings > RADIUS Settings: assign the newly created switch server certificate and key to the switch RADIUS server
• CA Cert File: Default_CA.pem
• Server Cert File: switch-X_key_cert.pem
• Server Key File: switch-X_key_cert.pem
• Key File Password & confirm password: aerohive123
• Click Save
Lab: Switch Active Directory Integration – 14. Verify the RADIUS service object
• Ensure that the Aerohive AP RADIUS Service is set to: switch-radius-X
• Do not save yet…
Lab: Switch Active Directory Integration – 15. Set Static IP address on MGT0 interface
• Expand MGT0 Interface Settings
• Select Static IP
• Static IP Address: 10.5.1.7X
X = student number 02 = 72, 03 = 73… 12 = 82, 13 = 83
• Netmask: 255.255.255.0
• Default Gateway: 10.5.1.1
Note: Aerohive devices that function as a server must have a static IP address.
Lab: Switch Active Directory Integration – 16. Save the switch settings
• Click Save
NOTE: Your Aerohive switch will have an icon displayed showing that it is a RADIUS server.
QUESTIONS?
SSID FOR 802.1X/EAP AUTHENTICATION USING AEROHIVE DEVICE RADIUS WITH AD KERBEROS INTEGRATION
Lab: Switch RADIUS w/ AD Integration – 1. Edit your WLAN Policy and Add SSID Profile
Configure an SSID that uses the 802.1X/EAP with AD (Kerberos) Integration
• Select the Configure Interfaces & User Access bar
• Next to SSIDs click Choose
• In Choose SSIDs
› Select New
Lab: Switch RADIUS w/ AD Integration – 2. Configure an 802.1X/EAP SSID
• Profile Name: Class-AD-X
• SSID: Class-AD-X
• Under SSID Access Security select WPA/WPA2 802.1X (Enterprise)
• Click Save
Lab: Switch RADIUS w/ AD Integration – 3. Select new Class-AD-X SSID
• Click to deselect the Class-PSK-X SSID
• Ensure the Class-AD-X SSID is selected (highlighted)
• Click OK
Lab: Switch RADIUS w/ AD Integration – 4. Create a RADIUS object
• Under Authentication, click <RADIUS Settings>
• In Choose RADIUS, click New
Lab: Switch RADIUS w/ AD Integration – 5. Define the RADIUS Server IP settings
• RADIUS Name: SWITCH-RADIUS-X
• IP Address/Domain Name: 10.5.1.7X (02 = 72, 03 = 73 … 12 = 82, 13 = 83)
• Leave the Shared Secret empty
NOTE: When the Aerohive device is a RADIUS server, devices in the same Hive automatically generate a shared secret
• Click Apply
• Click Save
Lab: Switch RADIUS w/ AD Integration – 6. Select User Profiles
• Verify that under Authentication, SWITCH-RADIUS-X is assigned
• Under User Profile click Add/Remove
Lab: Switch RADIUS w/ AD Integration – 7. Assign User Profile as Default for the SSID
• With the Default tab selected, select (highlight) the Employee-Default user profile
• IMPORTANT: This user profile will be assigned if no attribute value is returned from RADIUS after successful authentication, or if attribute value 1 is returned.
• Click the Authentication tab
Lab: Switch RADIUS w/ AD Integration – 8. Assign User Profile to be Returned by RADIUS Attribute
• In the Authentication tab
• Select (highlight) Employee-X
› NOTE: The (User Profile Attribute) is appended to the User Profile Name
• Click Save
Lab: Switch RADIUS w/ AD Integration – 9. Verify and Continue
• Ensure Employee-Default-1 and Employee-X user profiles are assigned to the Class-AD-X SSID
• Click Continue, or click the bar to Configure & Update Devices
Lab: Switch RADIUS w/ AD Integration – 10. Upload the config to the switch and AP
In the Configure & Update Devices section
• Select the Filter: Current Policy
• Select your devices
• Click Update
Lab: Switch RADIUS w/ AD Integration – 10. Upload the config to the switch and AP
• Select Update Devices
• Select Perform a complete configuration update for all selected devices
• Click Update
For this class, ALL updates should be complete configuration updates
Lab: Switch RADIUS w/ AD Integration – 11. Upload the config to the switch and AP
• Should the Reboot Warning box appear, click OK
QUESTIONS?
CLIENT ACCESS PREPARATION – DISTRIBUTING CA CERTIFICATES TO WIRELESS CLIENTS
LAB: Exporting CA Cert for Server Validation – 1. Go to HiveManager from the Remote PC
• From the VNC connection to the hosted PC, open a connection to:
• For HM 1 – 10.5.1.20
• For HM 2 – 10.5.1.23
• For HM 3 – 10.5.1.20
• For HM 5 – 10.5.1.20
• Login with: adminX
• Password: aerohive123
NOTE: Here you are accessing HiveManager via the PC's Ethernet connection
LAB: Exporting CA Cert for Server Validation – 2. Download Default CA Certificate to the Remote PC
NOTE: The HiveManager Root CA certificate should be installed on the client PCs that will be using the RADIUS service on the Aerohive device for 802.1X authentication
• From the Remote PC, go to Configuration, then click Show Nav, Advanced Configuration > Keys and Certificates > Certificate Mgmt
• Select Default_CA.pem
• Click Export
LAB: Exporting CA Cert for Server Validation – 3. Rename HiveManager Default CA Cert
• Export the public root Default_CA.pem certificate to the Desktop of your hosted PC
› This is NOT your Aerohive AP server certificate; this IS the HiveManager public root CA certificate
• Rename the extension of the Default_CA.pem file to Default_CA.cer
› This way, the certificate will automatically be recognized by Microsoft Windows
› In the save dialog, make the certificate name Default_CA.cer and set Save as type: All Files
• Click Save
LAB: Exporting CA Cert for Server Validation – 4. Install HiveManager Default CA Cert
• Find the file that was just exported to your hosted PC
• Double-click the certificate file on the Desktop: Default_CA
• Click Install Certificate
Issued to: HiveManager – this is the name of the certificate if you wish to find it in the certificate store, or if you want to select it in the Windows supplicant PEAP configuration.
LAB: Exporting CA Cert for Server Validation – 5. Finish certificate installation
• In the Certificate Import Wizard, click Next
• Click Place all certificates in the following store
• Click Browse
LAB: Exporting CA Cert for Server Validation – 6. Select Trusted Root Certification Authorities
• Click Trusted Root Certification Authorities
• Click OK
• Click Next
LAB: Exporting CA Cert for Server Validation – 7. Finish Certificate Import
• Click Finish
• Click Yes
• Click OK
LAB: Exporting CA Cert for Server Validation – 8. Verify certificate is valid
• Click OK to Close the certificate
• Double-click Default_CA to reopen the certificate
• You will see that the certificate is valid, with a valid-from and valid-to date
• Click the Details tab
LAB: Exporting CA Cert for Server Validation – 9. View the Certificate Subject
• In the details section, view the certificate Subject
• This Subject (HiveManager) is what will appear in the list of Trusted Root Certification Authorities in the supplicant you configure later in this lab, under Protected EAP (PEAP) Properties in the supplicant (802.1X client)
QUESTIONS?
For Windows 7 Supplicants
CONFIGURING AND TESTING YOUR 802.1X SUPPLICANT
Lab: Testing Switch RADIUS w/ AD Integration – 1. Connect to Secure Wireless Network
On the hosted PC, from the bottom task bar, click the wireless networks icon
• Click Class-AD-X
• Click Connect
• A Windows security alert should appear; click Details to verify this certificate is from HiveManager, then click Connect
› In the alert, server-2 is the AP certificate and HiveManager is the trusted CA
Lab: Testing Switch RADIUS w/ AD Integration – 2. View Active Clients
• After associating with your SSID, you should see your connection in the active clients list in HiveManager
› Go to Monitor > Clients > Wireless Clients
• IP Address: 10.5.1.#
• User Name: DOMAIN\user
• VLAN: 1
• User Profile Attribute: 1
NOTE: User Profile Attribute 1 is the Employee-Default-1 user profile for the SSID. This user profile is being assigned because no User Profile Attribute value was returned from RADIUS.
QUESTIONS?
MAPPING ACTIVE DIRECTORY MEMBEROF ATTRIBUTE TO USER PROFILES
Aerohive AP as a RADIUS Server – Using AD Member Of for User Profile Assignment
• In your Network policy, you defined an SSID with two user profiles
› Employees(1)-1 – Set if no RADIUS attribute is returned
» This user profile, for example, is for general employee staff, and they get assigned to VLAN 1
› Employee(10)-X – Set if a RADIUS attribute is returned
» This user profile, for example, is for privileged employees, and they get assigned to VLAN 10
• Because the switch RADIUS server is using AD to authenticate the users, and AD does not return RADIUS attributes, how can we assign users to different user profiles?
• Though AD does not return RADIUS attributes, it does return other attribute values, like MemberOf, which is a list of the AD groups to which the user belongs
Instructor Only: Confirm User is a member of the Wireless AD Group
Right click the username userX and click Properties
Click on the Member Of tab
The user account userX should belong to the Wireless AD Group
Click OK
Lab: Use AD to Assign User Profile – 1. Map memberOf attribute to user profile
• From Configuration, click Show Nav, then Advanced Configuration > Authentication > Aerohive AAA Server Settings > SR-radius-X
• Expand Database Settings
• Check LDAP server attribute Mapping
• Select Manually map LDAP user groups to user profiles
• LDAP User Group Attribute: memberOf
• Domain: dc=AH-LAB,dc=LOCAL
• Click + to expand the LDAP tree
Lab: Use AD to Assign User Profile – 2. Add group to user profile mapping
• Expand the tree structure to locate the group
› Expand CN=Users
› Select CN=Wireless
• For Maps to, from the drop down list, select the user profile: Employee-X
• Click Apply
• The mapping appears below the LDAP directory
• Click Save
NOTE: The CN in Active Directory does not have to match the name of the user profile; this is by choice, not necessity.
Lab: Use AD to Assign User Profile – 3. Update devices
• Select Update Devices
• Select Perform a complete configuration update for all selected devices
• Click Update
For this class, ALL updates should be complete configuration updates
Lab: Use AD to Assign User Profile – 4. Update devices
• Should the Reboot Warning box appear, click OK
Lab: Use AD to Assign User Profile – 5. Disconnect and Reconnect to the Class-AD SSID
To test the mapping of the memberOf attribute to your user profile:
• Disconnect from the Class-AD-X SSID
• Connect to the Class-AD-X SSID
Lab: Use AD to Assign User Profile – 6. Verify your active client settings
• From Monitor > Clients > Active Clients
› Your client should now be assigned to
» IP Address: 10.5.10.#
» User Profile Attribute: 10
» VLAN: 10
NOTE: In the previous lab, without the LDAP group mapping, the user was assigned to attribute 1 in VLAN 1
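To make the difference between the two labs concrete, here is an added Python model (not Aerohive code) of the two decisions involved: the RADIUS server mapping a user's memberOf groups to a user profile attribute, and the SSID choosing the Default-tab profile when nothing, or attribute 1, comes back. The group DN, profile names and VLANs are this lab's; the DN normalization and the handling of an attribute that matches no profile on the SSID (treated as the Default case, per the "Three Different VLANs" slide) are assumptions.

```python
"""memberOf -> user profile attribute -> SSID user profile and VLAN.
Added example, not Aerohive code; values are the lab's."""

# LDAP group mapping configured in this lab (constructed from the slides):
# CN=Wireless under CN=Users maps to the Employee(10)-X user profile.
GROUP_TO_ATTRIBUTE = {
    "cn=wireless,cn=users,dc=ah-lab,dc=local": 10,
}

# User profiles assigned to the Class-AD-X SSID: attribute -> (name, VLAN).
SSID_PROFILES = {
    1: ("Employee-Default-1", 1),   # Default tab
    10: ("Employee-X", 10),         # Authentication tab (shown as Employee(10)-X)
}

DEFAULT_ATTRIBUTE = 1


def normalize_dn(dn):
    """Canonical form for comparing DNs: lower-case, no whitespace around the
    commas or '=' signs.  Assumes AD DNs compare case-insensitively."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append(attr.strip() + "=" + value.strip())
    return ",".join(rdns).lower()


def attribute_from_memberof(member_of, group_map=GROUP_TO_ATTRIBUTE):
    """Return the user profile attribute for the first mapped group in the
    user's memberOf list, or None when no mapped group matches (the RADIUS
    server then returns no attribute, as in the previous lab)."""
    for dn in member_of:
        attr = group_map.get(normalize_dn(dn))
        if attr is not None:
            return attr
    return None


def assign_profile(returned_attribute, profiles=SSID_PROFILES):
    """Pick the SSID user profile: Default-tab profile when no attribute or
    attribute 1 is returned, otherwise the Authentication-tab profile with
    that attribute; an attribute matching no profile falls to Default."""
    if returned_attribute in (None, DEFAULT_ATTRIBUTE):
        return profiles[DEFAULT_ATTRIBUTE]
    return profiles.get(returned_attribute, profiles[DEFAULT_ATTRIBUTE])


def resolve_user(member_of):
    """End to end: memberOf list -> (attribute, profile name, VLAN)."""
    attr = attribute_from_memberof(member_of)
    name, vlan = assign_profile(attr)
    return attr, name, vlan


if __name__ == "__main__":
    # Constructed memberOf values for a user in the Wireless group and one not.
    print(resolve_user(["CN=Wireless,CN=Users,DC=AH-LAB,DC=LOCAL",
                        "CN=Domain Users,CN=Users,DC=AH-LAB,DC=LOCAL"]))
    print(resolve_user(["CN=Domain Users,CN=Users,DC=AH-LAB,DC=LOCAL"]))
```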
QUESTIONS?
AEROHIVE SWITCHES AS BRANCH ROUTERS
Medium Size Branch or Regional Office
• SR2024 as Branch Router
› Line Rate Layer 2 Switch
› 8 Ports of PoE
› Multi-authentication access ports
» 802.1X with fallback to MAC auth or open
› Client Visibility
» View client information by port
› RADIUS Server
› Routing between local VLANs
› Layer 3 IPSec VPN
› NAT for Subnets through VPN
› NAT port forwarding on WAN
› DHCP Server
› USB 3G/4G Backup
› and more…
[Branch diagram: PoE SR2024 with three APs, an Internet uplink and a 3G/4G LTE backup]
Provides Access For:
• Employees
• Guests
• Contractors
• Phones
• APs
• Servers
For Wireless, Switching, and Routing
CREATE A ROUTING NETWORK POLICY – YOU CAN CLONE YOUR EXISTING ACCESS POLICY
Lab: Add Routing to Network Policy – 1. Edit existing policy
• From Configuration,
• Next to your Network policy: Access-X
• Click the sprocket icon
• Click Edit
Lab: Add Routing to Network Policy – 2. Select Branch Routing
Add the option for Branch Routing to your Network Policy
• Check Branch Routing so you have:
› Wireless Access
› Switching
› Branch Routing
› Bonjour Gateway
• Click Save
• Click OK
• NOTE: Enabling Branch Routing:
» Enables L3 VPN Configuration
» Disables L2 VPN Configuration
» Enables L3 Router Firewall Policy
» Enables Policy-Based Routing with Identity
» Enables Router configuration settings in Additional Settings
CLONE SWITCH DEVICE TEMPLATE AS SWITCH AND ADD NEW SWITCH DEVICE TEMPLATE AS BRANCH ROUTER
Lab: Create a Switch Template for Routing – 1. Select and clone your existing device template
• Next to Device Templates, click Choose
• Select your SR2024-Default-X device template (configured as switch)
• Click the sprocket icon
• Click Clone
Lab: Create a Switch Template for Routing – 2. Define router function of the device template
• Click Device Models
• Notice all the devices for which you can create templates when the network policy includes routing
• Ensure that SR2024 is selected
• Click OK
Lab: Create a Switch Template for Routing – 3. Define router function of the device template
• Name: SR2024-Router-Default-X
• Change the function to Router• Click Save
Lab: Create a Switch Template for Routing
4. Select both templates
• Ensure both of your SR2024 templates are selected
• Click OK
• Hide the SR2024-Default-X (Switch) template
• Expand the SR2024-Router-Default-X (Router) template
Lab: Create a Switch Template for Routing
5. Remove the configuration of the existing uplink ports
Next you change your uplink ports and add a WAN port instead:
• Select ports 23 and 24, and click Configure
• Remove the port type by clicking the port type you have selected, so that it is no longer highlighted
• Click OK
• Click OK again to dismiss the warning
Examples of templates for other devices: BR200-WP; AP330 as router
CONFIGURE ROUTER WAN PORTS – PORTS THAT CONNECT TO THE INTERNET AND PROVIDE NAT
Router WAN Ports
• SR2024 as branch router, WAN port example:
› Corp ISP (fast): WAN Primary
› DSL: WAN Backup 1
› USB wireless (3G/4G LTE): WAN Backup 2
Lab: Create a Switch Template for Routing
1. Add the WAN ports the router needs
• Select Port 23 and Port 24 (the USB port is always a WAN port)
• Click Configure
Note: You can have up to 3 WAN ports: 1 primary and 2 backup. Two can be Ethernet ports and one can be USB. If you select multiple ports as WAN ports, you choose which are primary and backup in the device-specific settings.
When the switch is a router, you must configure at least one port as a WAN port.
Lab: Create a Switch Template for Routing
2. Create the WAN port type
• Click New
• Name: WAN-X
• Select WAN
• Click Save
• With WAN-X selected, click OK
Lab: Create a Switch Template for Routing
3. Review WAN port settings
• The USB port, Port 23 and Port 24 are now WAN ports; Port 23 and Port 24 display a WAN (cloud) icon (the USB port does not display the cloud icon in this version of the code)
Lab: Create a Switch Template for Routing
4. Save your Network Policy
• From the Configure Interfaces & User Access bar, click Save
Note: Switch Port Settings – to be configured later, not now.
• At a later point in this lab, you will configure the priority of the WAN ports for primary and backup
• Switch Settings: these will be configured later.
PORT TYPES

6.0 Network Policy
Besides the addition of the WAN port, all port types are identical in network policies with and without branch routing selected!
This means the same port types can be used in both switching (layer 2) and branch routing (layer 3) network policies.
VLAN-TO-SUBNET ASSIGNMENTS FOR ROUTER INTERFACES

VLAN-to-subnet assignments for router interfaces
• If the network policy is configured with routing, then for every VLAN configured for SSIDs or port types you must define the IP subnets that will be assigned to the branch routers (or switches acting as branch routers)
• The VLANs are automatically populated from the VLANs assigned to user profiles for SSIDs and port types
• If you have additional VLANs to define, click Add
Network and Sub Networks (Internal Use)
• HiveManager assigns a unique subnet from the network to each router, including the DHCP settings
Diagram: HQ network 10.102.0.0/16 behind a Cloud VPN Gateway; three BR100 routers reach it across the Internet, each with its own sub network:
› 10.102.0.0/24: DHCP range 10.102.0.10 – 10.102.0.244, default gateway 10.102.0.1, DNS 10.102.0.1 (router is DNS proxy)
› 10.102.1.0/24: DHCP range 10.102.1.10 – 10.102.1.244, default gateway 10.102.1.1, DNS 10.102.1.1 (router is DNS proxy)
› 10.102.2.0/24: DHCP range 10.102.2.10 – 10.102.2.244, default gateway 10.102.2.1, DNS 10.102.2.1 (router is DNS proxy)
Networks and Hosts Per Network
A Little Bit of Subnet Theory – Yay!
Calculating a network using an IP address and a netmask

Conversion chart between binary and decimal:
  bit position    2^7  2^6  2^5  2^4  2^3  2^2  2^1  2^0
  decimal value   128   64   32   16    8    4    2    1
  example          0    0    0    0    1    0    1    0   = 8 + 2 = 10

When you assign IP addresses, you can determine how many networks and how many hosts per network you need.

Example: create subnets for network 10.102.0.0/16
                                8 bits   8 bits   8 bits   8 bits
  IP address in binary:         00001010.01100110.00000000.00000000
  Netmask in binary:          X 11111111.11111111.11111111.00000000
  AND (multiply) each column:   00001010.01100110.00000000.00000000
  Convert back to decimal:      10      .102     .0       .0

  IP network: 8 bits   Subnet: 8 bits   256 subnets   256 hosts – 2 = 254
Networks and Hosts Per Network – IP Address Management
Example 1: move the Subnet slider bar to 256 branches
  Network mask: /16   Subnet mask: /24
  (same binary table as above: the third octet is the subnet field)
  IP network: 8 bits   Subnet: 8 bits   256 branches   256 clients/branch – 3 = 253
Note: HiveManager lets you reserve the first or last IP in the subnets as the default gateway for the subnet.
Networks and Hosts Per Network – Automatic Subnet Creation (256 branches, /24 each)
  10.102.00000000.x = 10.102.0.0/24     hosts .1 – .254
  10.102.00000001.x = 10.102.1.0/24     hosts .1 – .254
  10.102.00000010.x = 10.102.2.0/24     hosts .1 – .254
  10.102.00000011.x = 10.102.3.0/24     hosts .1 – .254
  10.102.00000100.x = 10.102.4.0/24     hosts .1 – .254
  ...
  10.102.11111111.x = 10.102.255.0/24   hosts .1 – .254
Networks and Hosts Per Network – IP Address Management
Example 2: move the Subnet slider bar to 512 branches
  Network mask: /16   Subnet mask: /25
                                8 bits   8 bits   9 bits    7 bits
  IP address in binary:         00001010.01100110.00000000.00000000
  Netmask in binary:          X 11111111.11111111.11111111.10000000
  AND (multiply) each column:   00001010.01100110.00000000.00000000
  Convert back to decimal:      10      .102     .0       .0

  IP network: 8 bits   Subnet: 9 bits   512 branches   128 clients/branch – 3 = 125
Note: HiveManager lets you reserve the first or last IP in the subnets as the default gateway for the subnet.
Networks and Hosts Per Network – Automatic Subnet Creation (512 branches, /25 each)
  10.102.00000000.0xxxxxxx = 10.102.0.0/25      hosts .1 – .126
  10.102.00000000.1xxxxxxx = 10.102.0.128/25    hosts .129 – .254
  10.102.00000001.0xxxxxxx = 10.102.1.0/25      hosts .1 – .126
  10.102.00000001.1xxxxxxx = 10.102.1.128/25    hosts .129 – .254
  10.102.00000010.0xxxxxxx = 10.102.2.0/25      hosts .1 – .126
  ...
  10.102.11111111.1xxxxxxx = 10.102.255.128/25  hosts .129 – .254
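The slider arithmetic above (branches versus clients per branch, the "– 3" for network, broadcast and router, and the first-or-last gateway choice) as an added example in Python. This is not Aerohive or HiveManager code; the way it draws the DHCP pool boundary after the reserved addresses is an assumption, since the slides only show the slider, not the exact rule.

```python
# Added example (not Aerohive or HiveManager code): the slider arithmetic from the
# subnet-theory slides, done with Python's ipaddress module.
import ipaddress


def subnet_bits(branches: int) -> int:
    """Extra mask bits needed to carve at least `branches` subnets (256 -> 8, 512 -> 9)."""
    if branches < 1:
        raise ValueError("need at least one branch")
    return (branches - 1).bit_length()


def carve(parent: str, branches: int, gateway: str = "first", reserve: int = 10) -> dict:
    """Split `parent` into one equal-sized subnet per branch.

    In every subnet the network address, the broadcast address and the router
    (gateway) address are unusable, which is the "256 - 3 = 253" on the slide.
    `gateway` is "first" or "last", mirroring HiveManager's option to reserve the
    first or last IP of each subnet for the router.  `reserve` keeps that many
    addresses at the start of the client range out of the DHCP pool for static
    hosts; how HiveManager draws that boundary exactly is not on the slide, so
    the pool arithmetic below is an assumption.
    """
    net = ipaddress.ip_network(parent, strict=True)
    new_prefix = net.prefixlen + subnet_bits(branches)
    if new_prefix > 30:
        raise ValueError("subnets smaller than /30 leave no client addresses")
    plan = []
    for sub in net.subnets(new_prefix=new_prefix):
        hosts = list(sub.hosts())                 # excludes network and broadcast
        gw = hosts[0] if gateway == "first" else hosts[-1]
        clients = [h for h in hosts if h != gw]   # everything except the router
        pool = clients[reserve:]                  # static reservations come first
        plan.append({
            "subnet": sub,
            "gateway": gw,
            "clients_per_branch": len(clients),
            "dhcp_pool": (pool[0], pool[-1]) if pool else None,
        })
    return {"subnet_prefix": new_prefix, "subnets": plan}


def describe(parent: str, branches: int) -> str:
    """One-line summary in the slide's wording, e.g. '256 branches, /24, 253 clients/branch'."""
    plan = carve(parent, branches)
    return (f"{len(plan['subnets'])} branches, /{plan['subnet_prefix']}, "
            f"{plan['subnets'][0]['clients_per_branch']} clients/branch")


if __name__ == "__main__":
    for n in (256, 512):
        print(describe("10.102.0.0/16", n))
        second = carve("10.102.0.0/16", n)["subnets"][1]
        print("  second subnet:", second["subnet"], "gateway", second["gateway"],
              "DHCP pool", second["dhcp_pool"])
```

Because the slider only moves in whole mask bits, asking for 300 branches rounds up to 512 subnets of /25, exactly as the second example on the slide shows.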
LAB: Assign VLAN-to-subnet – router interfaces
For every VLAN used by SSIDs or port types, define the IP subnets HiveManager will assign to the branch routers. The VLAN list is populated automatically from the user profiles; click Add for any additional VLAN.
LAB: Assign VLAN-to-subnet – router interfaces
1. Select VLAN 10 and create a network
• Next to VLAN 10, click Choose
• Click New
LAB: Assign VLAN-to-subnet – router interfaces
2. Create the internal employee network
• Name: Net-Employee-1XX (XX=02,03,..15,16)
• Web Security: None
• DNS Service: Class
• Network Type: Internal Use
• Do not save yet
Note: DNS Service Objects
This Quick Start DNS Service object sets clients to use the router interface IP as the DNS server; the router proxies the DNS requests to the DNS server learned statically or by DHCP on the WAN interface. Separate DNS servers can also be used for internal and external domain resolution.
LAB: Assign VLAN-to-subnet – router interfaces
3. Create the parent network
• Click New to create a parent network
LAB: Assign VLAN-to-subnet – router interfaces
4. Define the parent network and subnetworks
• IP Network: 10.1XX.0.0/16
• Move the slider bar to select 256 branches and 253 clients per branch
NOTE: This is the parent network that will be partitioned into a number of IP subnets determined by the slider bar. The slider sets the number of branches versus clients per branch, which defines the subnet mask for each subnet; moving it changes the number of bits in the subnet mask.
The clients per branch = 253 in this case because 1 IP is reserved for the router, and .0 and .255 are not used.
LAB: Assign VLAN-to-subnet – router interfaces
5. Enable DHCP
• Check Enable DHCP server
• For the DHCP Address Pool, move the slider bar to reserve 10 IP addresses at the start of the address pool that can be assigned statically
NOTE: In most cases the router will be the DHCP server. If it is not, you can disable the DHCP service and this network definition will only be used to configure the router interface IP addresses.
Please do not save yet!!!
Note: Custom Options Example
• You can define custom DHCP options if needed
• For example, you can set the custom DHCP options for the hostname of HiveManager (option 225) or the IP address of HiveManager (option 226), or options required by certain IP phones
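To make the custom-option note concrete, here is an added example (not HiveOS or HiveManager code) that builds and parses the DHCP option TLVs carrying the HiveManager hostname (option 225) and IPv4 address (option 226) in the standard code/length/value layout. The option numbers are the ones named above; the hostname and the address 10.5.1.20 are constructed sample values. Whatever answers DHCP on a VLAN decides where the devices on it will look for their manager, so the parser rejects truncated or malformed options rather than reading past the buffer, and the VLAN should only reach the intended DHCP server (here, the router itself).

```python
# Added example (not HiveOS or HiveManager code): build and parse the DHCP option
# TLVs that carry the HiveManager hostname (option 225) and IPv4 address (option 226),
# in the RFC 2132 code/length/value layout.  Option numbers are the ones the slide
# names; the hostname and address values are constructed sample data.
import ipaddress
import struct
from typing import Dict, List, Tuple

OPT_PAD = 0
OPT_HM_HOSTNAME = 225
OPT_HM_IP = 226
OPT_END = 255


def encode_options(options: List[Tuple[int, bytes]]) -> bytes:
    """Serialize (code, value) pairs as code|len|value ... followed by the end option."""
    out = bytearray()
    for code, value in options:
        if not 0 < code < OPT_END:
            raise ValueError(f"option code {code} is reserved")
        if not 0 < len(value) <= 255:
            raise ValueError(f"option {code}: length {len(value)} does not fit one byte")
        out += struct.pack("!BB", code, len(value)) + value
    out.append(OPT_END)
    return bytes(out)


def decode_options(blob: bytes) -> Dict[int, bytes]:
    """Walk the TLVs; refuse anything truncated instead of reading past the end."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            return opts
        if code == OPT_PAD:
            i += 1
            continue
        if i + 2 > len(blob):
            raise ValueError(f"option {code}: header truncated")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code}: value truncated ({len(value)} of {length} bytes)")
        opts[code] = value
        i += 2 + length
    raise ValueError("missing end option (255)")


def hivemanager_from_options(opts: Dict[int, bytes]) -> Dict[str, str]:
    """Pull the HiveManager hostname/IP out of decoded options, validating each one."""
    result: Dict[str, str] = {}
    if OPT_HM_HOSTNAME in opts:
        result["hostname"] = opts[OPT_HM_HOSTNAME].decode("ascii")
    if OPT_HM_IP in opts:
        if len(opts[OPT_HM_IP]) != 4:
            raise ValueError("option 226 must carry exactly one IPv4 address")
        result["ip"] = str(ipaddress.IPv4Address(opts[OPT_HM_IP]))
    return result


def hivemanager_options(hostname: str, ip: str) -> bytes:
    """The two options a DHCP server would add for an Aerohive device."""
    return encode_options([(OPT_HM_HOSTNAME, hostname.encode("ascii")),
                           (OPT_HM_IP, ipaddress.IPv4Address(ip).packed)])


if __name__ == "__main__":
    blob = hivemanager_options("hivemanager.example.com", "10.5.1.20")
    print(blob.hex())
    print(hivemanager_from_options(decode_options(blob)))
```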
DEFINE SPECIFIC SUBNETS FOR EACH SITE BY USING DEVICE CLASSIFICATION
What is the goal?
• Assign specific subnets from the IP address space to specific sites
• For example, define the subnets that will be used for Site-1a and Site-1b, but let HiveManager allocate one for Site-1c
Diagram: network 10.101.0.0/16; three BR100 routers across the Internet:
› Site-1a: sub network 10.101.1.0/24, DHCP range 10.101.1.11 – 10.101.1.254, default gateway 10.101.1.1
› Site-1b: sub network 10.101.2.0/24, DHCP range 10.101.2.11 – 10.101.2.254, default gateway 10.101.2.1
› Site-1c: sub network 10.101.25.0/24, DHCP range 10.101.25.11 – 10.101.25.254, default gateway 10.101.25.1
LAB: Assign VLAN-to-subnet – router interfaces
1. Define the subnet to be assigned to Site-Xa
By default, each branch router is assigned one subnet from the local IP address space. To assign specific subnets of the local IP address space to sites:
• Check Allocate local subnetworks by specific IP addresses at sites and click New
• IP Address: 10.1XX.1.1 (XX=01,02,03,..18)
• Type: Device Tag
• Tag1: Site-Xa (Xa=2a,3a,4a,..,18a)
• Click Apply
LAB: Assign VLAN-to-subnet – router interfaces
2. Define the subnet to be assigned to Site-Xb
Define the next subnet:
• Click New
• IP Address: 10.1XX.2.1
• Type: Device Tag
• Tag1: Site-Xb (Xb = 2b, 3b, 4b,..,18b)
• Click Apply
• Click Save
Note: You can specify up to 256 tags
LAB: Assign VLAN-to-subnet – router interfaces
3. Save the Network
Verify you have all the settings needed for the network:
• DNS: Class
• Network Type: Internal Use
• Subnetwork: 10.1XX.0.0/16
• Verify the IP allocation statements
• Click Save
Note: (T) = True, the tag must match; (F) = False, no match required.
Here you can see: 10.102.1.1 must have a router with Tag1 set to Site-2a, and 10.102.2.1 must have a router with Tag1 set to Site-2b.
LAB: Assign VLAN-to-subnet – router interfaces
4. Choose the Network
• Ensure your network is highlighted and click OK
Note: Device Classification Settings on Your Device (Device Specific Settings)
• In a later lab, you will need to set Device Classification Tag1 on your switch to the same value used in the network configuration: Site-Xa
What did you just do?
• You specified that certain sites have or will require specific IP addresses in them, for example Site-1a (10.101.1.1) and Site-1b (10.101.2.1)
› These can be any IP in the subnet; we chose the IP of the default gateway
• Therefore HiveManager allocates the subnets that contain the IP addresses specified for those two sites, and picks a free subnet for any site without one
Diagram: network 10.101.0.0/16; three BR100 routers across the Internet:
› Site-1a: sub network 10.101.1.0/24, DHCP range 10.101.1.11 – 10.101.1.254, default gateway 10.101.1.1
› Site-1b: sub network 10.101.2.0/24, DHCP range 10.101.2.11 – 10.101.2.254, default gateway 10.101.2.1
› Site-1c: sub network 10.101.25.0/24, DHCP range 10.101.25.11 – 10.101.25.254, default gateway 10.101.25.1 (*this subnet was chosen by HiveManager because an IP at the site was not defined)
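The allocation rule just described, as an added example in Python (not HiveManager code): a pinned IP plus a Tag1 value reserves the subnet containing that IP for the router carrying that tag, and a router without a matching pin gets a free subnet. Which free subnet HiveManager actually picks is not stated on the slides (Site-1c got 10.101.25.0/24 above); this model takes the lowest free one. Hostnames such as SR-01-a and the tag values are constructed lab-style names.

```python
# Added example (not HiveManager code): a model of "Allocate local subnetworks by
# specific IP addresses at sites".  A pinned IP plus a Tag1 value reserves the
# subnet containing that IP for the router carrying that tag; routers without a
# matching pin get the lowest free subnet (which free subnet HiveManager really
# picks is not stated on the slide).
import ipaddress
from typing import Dict, Optional


class SubnetAllocator:
    def __init__(self, parent: str, subnet_prefix: int):
        self.parent = ipaddress.ip_network(parent)
        self.subnets = list(self.parent.subnets(new_prefix=subnet_prefix))
        self.pins: Dict[str, ipaddress.IPv4Network] = {}      # Tag1 value -> subnet
        self.assigned: Dict[str, ipaddress.IPv4Network] = {}  # router hostname -> subnet

    def pin(self, ip: str, tag1: str) -> ipaddress.IPv4Network:
        """Reserve the subnet containing `ip` for routers whose Tag1 equals `tag1`."""
        addr = ipaddress.ip_address(ip)
        if addr not in self.parent:
            raise ValueError(f"{ip} is outside {self.parent}")
        sub = next(s for s in self.subnets if addr in s)
        owner = next((t for t, s in self.pins.items() if s == sub), None)
        if owner is not None and owner != tag1:
            raise ValueError(f"{sub} is already pinned to {owner}")
        self.pins[tag1] = sub
        return sub

    def allocate(self, hostname: str, tag1: Optional[str] = None) -> ipaddress.IPv4Network:
        """Give `hostname` its subnet: the pinned one if its tag matches, else the next free one."""
        if hostname in self.assigned:
            return self.assigned[hostname]
        if tag1 in self.pins:
            sub = self.pins[tag1]
            if sub in self.assigned.values():
                raise ValueError(f"{sub} for tag {tag1} is already used by another router")
        else:
            taken = set(self.assigned.values()) | set(self.pins.values())
            sub = next((s for s in self.subnets if s not in taken), None)
            if sub is None:
                raise RuntimeError(f"{self.parent} has no free subnet left")
        self.assigned[hostname] = sub
        return sub

    def report(self) -> Dict[str, str]:
        """Rows like HiveManager's Subnetwork Allocation view: hostname -> 'subnet (how)'."""
        pinned = set(self.pins.values())
        return {h: f"{s} ({'classification' if s in pinned else 'dynamic'})"
                for h, s in self.assigned.items()}


if __name__ == "__main__":
    alloc = SubnetAllocator("10.101.0.0/16", 24)
    alloc.pin("10.101.1.1", "Site-1a")
    alloc.pin("10.101.2.1", "Site-1b")
    for host, tag in (("SR-01-a", "Site-1a"), ("SR-01-c", None), ("SR-01-b", "Site-1b")):
        alloc.allocate(host, tag)
    for row in alloc.report().items():
        print(*row)
```

Two checks worth keeping in a real allocator are visible here: a second router claiming an already-used tag is refused instead of silently sharing the subnet, and a pinned IP outside the parent network is rejected at configuration time rather than at the first device update.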
ADD NETWORKS FOR THE OTHER VLANS

Add More Networks
• Create networks for VLAN 2 and VLAN 8
• If the VLAN is not in the list, click Add, enter the VLAN, then proceed to configuring the networks
LAB: Assign VLAN-to-subnet – router interfaces
1. Select VLAN 2 and create a network
• Next to VLAN 2, click Choose
• Click New
LAB: Assign VLAN-to-subnet – router interfaces
2. Create the internal voice network
• Create another Internal network for VLAN 2
• Name: 10.2XX.0.0-Voice-X
• Web Security: None
• DNS Service: Class
• Network Type: Internal Use
• Do not save yet
LAB: Assign VLAN-to-subnet – router interfaces
3. Create the parent network
• Click New to create a parent network
LAB: Assign VLAN-to-subnet – router interfaces
4. Define the parent network and subnetworks
• IP Network: 10.2XX.0.0/16
• Move the slider bar to select 256 branches and 253 clients per branch
NOTE: This is the parent network that will be partitioned into a number of IP subnets determined by the slider bar. The slider sets the number of branches versus clients per branch, which defines the subnet mask for each subnet; moving it changes the number of bits in the subnet mask.
The clients per branch = 253 in this case because 1 IP is reserved for the router, and .0 and .255 are not used.
LAB: Assign VLAN-to-subnet – router interfaces
5. Enable DHCP
• Check Enable DHCP server
• For the DHCP Address Pool, move the slider bar to reserve 10 IP addresses at the start of the address pool that can be assigned statically
• Click Save
NOTE: In most cases the router will be the DHCP server. If it is not, you can disable the DHCP service and this network definition will only be used to configure the router interface IP addresses.
LAB: Assign VLAN-to-subnet – router interfaces
6. Verify and save the subnetwork
• Click Save
• Ensure your network is highlighted and click OK
Networks for Guest Use
• All guest stations at each branch office use the same IP subnet
• All guest traffic destined to the Internet is network address translated to the unique IP address of the router WAN interface
Diagram: HQ network behind a Cloud VPN Gateway; three BR100 routers each serve the same guest network 192.168.83.0/24 (Guest Use), DHCP range 192.168.83.10 – 192.168.83.244, default gateway 192.168.83.1, DNS 192.168.83.1 (router is DNS proxy). Only their WAN addresses differ: 2.1.1.20, 2.50.33.5 and 1.3.2.90.
LAB: Assign VLAN-to-subnet – router interfaces
7. Select VLAN 8 and create the guest network
• Next to VLAN 8, click Choose
• Click New
LAB: Assign VLAN-to-subnet – router interfaces
8. Create the Guest network
• Name: 192.168.83.0-Guest-X
• Web Security: None
• DNS Service: Class
• Network Type: Guest Use
• Guest Use Network: 192.168.83.0/24
• DHCP Address Pool: reserve the first 10
• Check Enable DHCP server
NOTE: Devices assigned to a Guest Use network are restricted from accessing the corporate VPN and from initiating communication to corporate devices
LAB: Assign VLAN-to-subnet – router interfaces
9. Save the Guest network
• Verify your settings
• Click Save
• Click OK
Verify Subnet Assignments for Router Interfaces
• You should have a network defined for each of the VLANs specified
LAB: Assign VLAN-to-subnet – router interfaces
10. Save your Network Policy
• From the Configure Interfaces & User Access bar, click Save
CHANGE SSID PROFILES
Lab: Change SSID Profiles
1. Change SSIDs
• Open Configure Interfaces & User Access
• Next to SSIDs, click Choose
Lab: Change SSID Profiles
2. Select the Class-PSK-X SSID
• Click to deselect the AD-X SSID
• Ensure the Class-PSK-X SSID is selected (highlighted)
• Click OK
Lab: Change SSID Profiles
3. Verify settings
• Verify settings
• Click Continue
CREATING FILTERS
Lab: Device Filters
1. From Configure & Update Devices
Create filters to limit the number of devices displayed:
• Click the Configure & Update Devices bar
• Next to Filter, click +
Lab: Device Filters
2. Create a filter
You can create and save filters based on many criteria. For this filter:
› Set the Device Model to SR2024
› Set the hostname to: SR-XX-
› XX is your two-digit student ID: 02-15
› Do not forget the dash (-) at the end; it ensures that only your student ID matches
• For Remember This Filter, enter: XX-switch-router
• Click Search
Lab: Device Filters
3. View your real and simulated switch/routers
• We will be using real and simulated devices in this lab
• With the filter selected, you will see your real and simulated switch/routers, which all start with SR-XX-
UPDATE THE DEVICE CONFIGURATION OF YOUR SWITCH/ROUTERS
Lab: Update your Switch Configuration
1. Modify your switch
• Check the box next to your switch SR-XX-#######
• Click Modify
Lab: Update your Switch Configuration
2. Change the switch to function as a router
Make the following settings:
• Device Function: Router (IMPORTANT)
• Location: First-Name_Last-Name
• Network Policy: Access-X
• When the warning box appears, click OK
• Do NOT save yet
Lab: Update your Switch Configuration
3. Specify the Device Classification Tag1
Set Device Classification Tag1 so that this device is assigned to networks with matching tag definitions:
• Under Device Classification, Tag1: Site-Xa
Note: The tag you entered in the network automatically shows up in the list
• Do NOT save yet
Lab: Update your Switch Configuration
4. Change WAN port priority settings
• Expand Interface and Network Settings
• Set the following priorities:
› USB WAN: Backup2
› Eth1/23 WAN: Backup1
› Eth1/24 WAN: Primary (please verify that 1/24 is Primary)
• Ensure NAT is enabled on the WAN interfaces (check Enable NAT)
• Do NOT save yet
Lab: Update your Switch Configuration
5. Disable RADIUS services
Remove the RADIUS object from the earlier lab:
• Under Optional Settings, expand Service Settings
• Uncheck Enable the router as a RADIUS Server
Lab: Update Router Configuration
6. Save your device settings
• Click Save
Lab: Update Router Configuration
7. Update your device settings
• Select Routers to select all three routers
• Click Update
Lab: Update Router Configuration
7. Update your device settings (continued)
• Select Update Devices
• Select Perform a complete configuration update for all selected devices
• Click Update
For this class, ALL updates should be complete configuration updates.
Lab: Update Router Configuration
8. Confirm the update
• Should the Reboot Warning box appear, click OK
VIEW SUBNET ALLOCATION REPORT
Lab: Subnet Allocation Report
1. View the IP addresses assigned to the routers
• From Monitor, in the navigation tree, click Subnetwork Allocation
• Under Network Name, select the employee network you created (Net-Employee-1XX)
• From the 10.1XX.0.0/16 parent network (10.102.0.0/16 for student 02), a different subnet and DHCP pool was allocated to each branch router
Note: One subnet was assigned via classification; the others were assigned dynamically.
CLI ROUTER COMMANDS

SHOW L3 INTERFACE
From Monitor › Utilities › SSH Client:
show L3 interface
TEST WIRELESS LAN ACCESS

Lab: Test Wireless LAN Access
1. Connect your computer to the SSID Class-PSK-X
• Single-click the wireless icon in the bottom right corner of the Windows task bar
• Click your SSID Class-PSK-X
• Click Connect
› Security Key: aerohive123 (the shared classroom key)
› Click OK
Lab: Test Wireless LAN Access
2. View your client information in Wireless Clients
• View your client in the Active Clients list by going to Monitor › Clients › Wireless Clients
• Notice the VLAN and network address
TEST WIRED LAN SECURE ACCESS

Lab: Test LAN Port Access – Secure
1. View your client information in Active Clients
• View your client in the Active Clients list by going to Monitor › Clients › Wired Clients
• Notice the VLAN, the network address and the client authentication method
Lab: Test LAN Port Access
2. Disable 802.1X for wired clients
• In Windows 7, wired 802.1X support is provided by the Wired AutoConfig service; to see what happens when a client cannot authenticate, you will disable it
• As an administrator, from the Start menu type services
• Then click Services
Lab: Test LAN Port Access
3. Disable 802.1X for wired clients
• Click the Standard tab at the bottom of the Services panel
• Locate Wired AutoConfig and right-click it
• Click Properties
Lab: Test LAN Port Access
4. Disable 802.1X for wired clients
• Startup type: Disabled
• Click Stop
Lab: Test LAN Port Access
5. Disable 802.1X for wired clients
• Click OK
Lab: Test LAN Port Access
6. Clear the wired client cache
• Monitor › Clients › Operation: Deauth Client
• Check Clear Cache
• Click OK
• Click Yes
Lab: Test LAN Port Access
8. Reset the Ethernet adapter
Because the PC still has the wrong IP address it will not work; remedy this by:
• Right-clicking Local Area Connection 3 and clicking Diagnose, or
• Disabling and then enabling Local Area Connection 3
• Do NOT disable Local Area Connection 2
Lab: Test LAN Port Access
9. Verify Auth Fail – Guest Network
• Locate Local Area Connection 3
• Right-click it
• Click Status
• Click Details
• Why do you see an IP from the 192.168.83.0 subnet?
› This is the guest network that is assigned if authentication is not supported or fails
› Because an unauthenticated wired client still receives an address here, the Guest Use network's restrictions (no access to the corporate VPN or to corporate devices) are what keeps this from being a bypass of port security; verify them on the router rather than assuming them
ROUTE-BASED IPSEC VPN

Aerohive Layer 2 VPN (Headquarters to Remote Site over the Internet)
• Layer 2 VPN client devices: AP-100 series, AP-300 series, BR-100 (AP mode)
• Layer 2 VPN server devices: AP-300 series (128 tunnels), VPN Gateway Virtual Appliance in L2 gateway mode (1024 tunnels)
Note: Layer 2 VPNs are taught in the Aerohive Certified WLAN Professional (ACWP) class
Aerohive Layer 3 VPN (Headquarters to Remote Site over the Internet)
• Layer 3 VPN client devices: BR-100 router, BR-200 router, AP 330/350 (router mode), Aerohive switch (router mode)
• Layer 3 VPN server: VPN Gateway in L3 gateway mode (1024 tunnels)
Aerohive Route-Based IPSec VPN – Components
• VPN Gateway VA: a HiveOS-based Layer 3 IPSec VPN server delivered as a virtual appliance that runs on VMware ESXi; one VA supports up to 1024 IPSec VPN tunnels
• VPN clients: HiveAP 330 or HiveAP 350 configured as a router, BR100, BR200, and an Aerohive switch configured as a router
• Aerohive routers are Layer 3 IPSec VPN clients and provide DHCP, DNS proxy, route synchronization and RADIUS service, along with many other features
Corporate VPN – HiveManager Allocates Unique Network Settings For Each Site
Diagram: corporate network 10.1.0.0/16 at HQ behind the VPN Gateway; the branch network 172.28.0.0/16 is split across three BR100 routers on the Internet:
› 172.28.0.0/24: DHCP range 172.28.0.10 – 172.28.0.244, default gateway 172.28.0.1, DNS 172.28.0.1 (router is DNS proxy)
› 172.28.1.0/24: DHCP range 172.28.1.10 – 172.28.1.244, default gateway 172.28.1.1, DNS 172.28.1.1 (router is DNS proxy)
› 172.28.2.0/24: DHCP range 172.28.2.10 – 172.28.2.244, default gateway 172.28.2.1, DNS 172.28.2.1 (router is DNS proxy)
Corporate VPN – HiveManager Allocates Unique Network Settings For Each Site
• Each router builds a VPN to one or two VPN Gateways
• Routes are synchronized between the routers and the VPN Gateways over the VPN using a TCP-based route exchange mechanism
Diagram: HQ corporate network 10.1.0.0/16 behind the VPN Gateway; branch sub networks 172.28.0.0/24, 172.28.1.0/24 and 172.28.2.0/24 on BR100 routers across the Internet.
Route-based VPN
• Routers (VPN clients) ask the VPN Gateway for updated route information and send their own route changes over the VPN tunnel, every minute by default, using a TCP request
Resulting route tables (diagram):
VPN Gateway at HQ (corporate network 10.1.0.0/16):
› 10.1.0.0/16 to Corp Router
› 172.28.0.0/24 to VPN tunnel A
› 172.28.1.0/24 to VPN tunnel B
› 172.28.2.0/24 to VPN tunnel C
› 0.0.0.0/0 to Internet Gateway
BR100 with local network 172.28.0.0/24 (tunnel A):
› 10.1.0.0/16 through VPN tunnel
› 172.28.1.0/24 through VPN tunnel
› 172.28.2.0/24 through VPN tunnel
› 0.0.0.0/0 to Internet Gateway
BR100 with local network 172.28.1.0/24 (tunnel B): 10.1.0.0/16, 172.28.0.0/24 and 172.28.2.0/24 through the VPN tunnel; 0.0.0.0/0 to Internet Gateway
BR100 with local network 172.28.2.0/24 (tunnel C): 10.1.0.0/16, 172.28.0.0/24 and 172.28.1.0/24 through the VPN tunnel; 0.0.0.0/0 to Internet Gateway
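The exchange above, as an added example in Python that is not Aerohive's route-exchange protocol or code: each branch router announces its Internal Use subnet over its tunnel and pulls back the corporate prefix plus every other branch's prefix, while the default route stays on the local Internet link. Two details that the slides state elsewhere are built in: the Guest Use network (the same 192.168.83.0/24 at every branch, NATed to the WAN address) is never offered to the VPN, and the gateway refuses a prefix that overlaps HQ or another branch, since routing it would black-hole traffic. The message fields and the overlap check are assumptions of this model; the prefixes are the ones from the diagram.

```python
# Added example, not Aerohive's route-exchange protocol or code: a minimal model of
# the route synchronization described above.  Each branch router announces its
# Internal Use subnet(s) over its tunnel and pulls back the corporate prefix plus
# every other branch's prefix; the default route stays on the local Internet link.
# Message fields, the overlap check and the handling of Guest Use networks are
# assumptions of this model.
import ipaddress
from typing import Dict, List


class VpnGateway:
    """HQ side: one tunnel per branch and the prefixes learned over it."""

    def __init__(self, corp_prefixes: List[str]):
        self.corp = [ipaddress.ip_network(p) for p in corp_prefixes]
        self.learned: Dict[str, List[ipaddress.IPv4Network]] = {}

    def sync(self, request: dict) -> dict:
        """One poll: accept the branch's routes, reply with everything it should reach via VPN."""
        branch = request["branch"]
        others = self.corp + [n for b, nets in self.learned.items() if b != branch for n in nets]
        accepted, rejected = [], []
        for p in request["routes"]:
            net = ipaddress.ip_network(p)
            # A prefix that overlaps HQ or another branch would black-hole traffic; refuse it.
            (rejected if any(net.overlaps(o) for o in others) else accepted).append(net)
        self.learned[branch] = accepted
        reply = [str(n) for n in self.corp]
        reply += [str(n) for b, nets in self.learned.items() if b != branch for n in nets]
        return {"branch": branch, "routes": reply, "rejected": [str(n) for n in rejected]}

    def routing_table(self) -> Dict[str, str]:
        table = {str(n): "Corp Router" for n in self.corp}
        for branch, nets in self.learned.items():
            for n in nets:
                table[str(n)] = f"VPN tunnel to {branch}"
        table["0.0.0.0/0"] = "Internet Gateway"
        return table


class BranchRouter:
    """Branch side: Internal Use subnets go into the VPN; Guest Use subnets are NATed to the WAN."""

    def __init__(self, name: str, internal: List[str], guest: List[str] = ()):
        self.name, self.internal, self.guest = name, list(internal), list(guest)
        self.table: Dict[str, str] = {}

    def request(self) -> dict:
        # Every branch uses the same guest subnet, so it is never offered to the VPN.
        return {"branch": self.name, "routes": list(self.internal)}

    def apply(self, reply: dict) -> Dict[str, str]:
        self.table = {p: "local" for p in self.internal + self.guest}
        for p in reply["routes"]:
            self.table[p] = "VPN tunnel"
        self.table["0.0.0.0/0"] = "Internet Gateway"
        return self.table


def converge(gateway: VpnGateway, branches: List[BranchRouter], rounds: int = 2) -> Dict[str, Dict[str, str]]:
    """Run `rounds` poll cycles (each router polls once a minute by default on the slide)."""
    for _ in range(rounds):
        for br in branches:
            br.apply(gateway.sync(br.request()))
    return {br.name: br.table for br in branches}


if __name__ == "__main__":
    gw = VpnGateway(["10.1.0.0/16"])
    branches = [BranchRouter(n, [f"172.28.{i}.0/24"], ["192.168.83.0/24"])
                for i, n in enumerate("ABC")]
    for name, table in converge(gw, branches).items():
        print(name, table)
    print("HQ", gw.routing_table())
```

Two poll rounds are needed before the first router knows about branches that registered after it, which is the same reason a freshly added site on the real system is reachable from its peers only after the next sync interval.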
VPN GATEWAY VIRTUAL APPLIANCE

VPN Gateway Virtual Appliance – General Information
• What is a VPN Gateway Virtual Appliance?
› A virtualized version of HiveOS that runs on VMware ESXi and supports the IPSec VPN service and routing protocols
• How do you upgrade a VPN Gateway VA?
› VAs are upgraded with a standard HiveOS software upgrade from HiveManager, TFTP, or SCP
• How many interfaces does a VPN Gateway VA have? Two:
» WAN: terminates the VPNs from the router VPN clients; in a one-armed deployment it also carries the traffic between the branch networks (through the VPN) and the internal corporate networks
» LAN: an optional interface that connects to an internal network and is the gateway IP address for corporate traffic to the branch networks through the VPN
VPN Gateway Virtual Appliance on VMware (ESXi)
• The VA runs HiveOS and looks just like an AP when you log in to it
VPN Gateway Deployment Scenarios – Two Interfaces
• VPN Gateway with two interfaces configured
› The LAN interface is connected to the inside network
» Traffic from the inside network destined for an IP address in a branch office is sent to the LAN interface of the VPN Gateway, encrypted, and sent through a VPN to the branch office
» Routing protocols (OSPF or RIPv2) can run on the LAN interface so that the VPN Gateway exchanges routes with the inside network router
› The WAN interface is connected to the DMZ or outside network and is used to terminate the VPNs
Diagram: Headquarters firewall with the VPN Gateway WAN (Eth0) interface in the DMZ and its LAN (Eth1) interface on the inside network next to the inside router; IPSec VPN across the Internet to the branch office.
© 2013 Aerohive Networks CONFIDENTIAL
VPN GatewayDeployment Scenarios – One Interface
426
• VPN Gateway with one interface configured (One Arm)› The WAN interface is connected to a firewall interface in the DMZ
»Traffic from the inside network destined for an IP address in a branch office is sent to the firewall which forwards the traffic to the VPN Gateway as the next hop to the branch office routers
»The VPN Gateway encrypts the traffic and sends the traffic back to the firewall destined to a branch office router
»You can run statically enter routes, or run a dynamic routing protocol, OSPF or RIPv2, on the WAN interface to exchange routes with the firewall
[Diagram: Headquarters firewall – WAN (Eth0) interface of the VPN Gateway in the DMZ – Internet – IPSec VPN – Branch Office; inside router traffic to the gateway is in the clear]
Router IPSec VPN Lab: Uses a Single VPN Gateway Interface
• In the training lab, the VPN Gateways learn routes via OSPF from the firewall, including 10.5.2.0/24, 10.5.8.0/24 and 10.5.10.0/24
• The firewall learns the routes from the VPN Gateways to all the branch office routers via OSPF
• The branch office routers exchange their routes with their VPN Gateways
[Lab diagram]
› Headquarters: inside switch; firewall bridge group interface 10.5.1.1 (Port1, Port2); HiveManager 10.5.1.20
› Firewall outside interface eth0/0 – 1.2.2.1/24; NAT 1.2.2.X to 10.200.2.X
› DMZ VPN Gateway WAN interface: Eth0 – 10.200.2.X/24, gateway 10.200.2.1 (X = 2, 3, …, 14, 15)
› Branch Office: internal 10.102.1.0/24, public 2.1.1.10; IPSec VPN across the Internet
THE NEXT STEPS ARE FOR EXAMPLE ONLY. DO NOT DOWNLOAD THE VPN GATEWAY VA IMAGES IN CLASS; IT WOULD TAKE TOO LONG.
Example Only: Download the HiveOS-VA Image From HiveManager
• Please do not download in class!
› To download the VPN Gateway Virtual Appliance image from HiveManager, go to Configuration > All Devices
› Click Update > Advanced > Download HiveOS Virtual Appliance
Example Only: Download the HiveOS-VA Image From HiveManager (continued)
› Save the VPN Gateway VA image to a directory of your choice on your hard drive
› Note, the default name is: AH_HiveOS.ova, but you can rename the file if you like
If time permits the instructor will demonstrate the process
THE NEXT STEPS ARE FOR EXAMPLE ONLY. DO NOT DEPLOY A VPN GATEWAY IN CLASS; YOUR VPN GATEWAY VA IMAGES HAVE ALREADY BEEN DEPLOYED.
VPN Gateway Virtual Appliance – Recommended Hardware Configurations
Example Only: Deploy a VPN Gateway in VMware ESXi
• From the VMware vSphere client, log into your ESX/ESXi server
• Go to File > Deploy OVF Template
• Locate the AH_HiveOS.ova file and click Open
Example Only: Deploy a VPN Gateway in VMware ESXi
• With the AH_HiveOS.ova file selected click Next
Example Only: Deploy a VPN Gateway in VMware ESXi
• View the product information and ensure you have enough disk space for a thick-provisioned install
› Note: Thick provisioning reserves all the disk space needed during the install
• Click Next
Example Only: Deploy a VPN Gateway in VMware ESXi
• Provide a name for the VPN Gateway, for example: HiveOS-VAXX (XX = 02, 03, …, 14, 15)
› Note: It is a good idea to keep this name relatively short so it fits better in the vSphere client display
• Click Next
Example Only: Deploy a VPN Gateway-VA in VMware ESXi
• Select Thick Provisioned Lazy Zeroed
› Note: You can choose Eager Zeroed, but it will take more time because it fills the complete disk space with 0's; lazy zeroing fills only as space is needed
• Click Next
Example Only: Deploy a VPN Gateway in VMware ESXi
In this example, the VPN Gateways will only be using the WAN interface, so you can use the same destination network (virtual switch port group) for both
• Select VM Network for the WAN and LAN interfaces
• Click Next
Example Only: Deploy a VPN Gateway in VMware ESXi
• Optionally, check the box to Power on after deployment
• Click Finish
Example Only: Deploy a VPN Gateway in VMware ESXi
In a moment, the new VPN Gateway will be up and running
• Click Close when the deployment has completed successfully
EXAMPLE: INITIAL CONFIGURATION OF A VPN GATEWAY VIRTUAL APPLIANCE
Example Only: Initial configuration of a VPN Gateway Virtual Appliance
• In the vSphere console for the new VPN Gateway Virtual Appliance
› Type 1 to change the Network Settings and press Enter
Example Only: Initial configuration of a VPN Gateway Virtual Appliance
• Type 2 to Manually configure interface settings and press Enter
Example Only: Initial configuration of a VPN Gateway Virtual Appliance
• The startup CLI wizard is used to set the IP address of the WAN interface on the VA
• The VPN Gateway VA needs Internet access to reach the license server and obtain a valid, unique serial number
› IP for eth0: 10.200.2.X
› Netmask Length: [24]
› Gateway: 10.200.2.1
› DNS: 8.8.8.8
› Apply Changes: Yes
Example Only: Initial configuration of a VPN Gateway Virtual Appliance
• The VPN Gateway will check its connection to its default gateway and to the Aerohive license server
• For the question: Do you want to reset the networking? press enter, or type no and press enter
Example Only: Initial configuration of a VPN Gateway Virtual Appliance
• When a VPN Gateway VA is purchased, Aerohive generates an activation code, and associates it with a unique serial number
• You will be emailed your activation code
• When the activation code is entered, the VPN Gateway VA will contact the Aerohive license server and obtain a serial number associated with the activation key.
• Optionally you can use an HTTP proxy
Example Only: Initial configuration of a VPN Gateway Virtual Appliance
• If the activation code is valid, the VPN Gateway VA will obtain a valid and unique serial number
• You must then reboot the VPN Gateway by pressing Enter, or by typing yes then Enter
Example Only: Initial configuration of a VPN Gateway Virtual Appliance
• After the VPN Gateway VA has rebooted, log in with the default credentials:
› Login: admin
› Password: aerohive
› Change this default password at first login; the WAN interface of this appliance terminates VPNs from the Internet side of the firewall
• Enter a hostname if you like:
› hostname HiveOS-VA-X
• If the serial number of the VPN Gateway has not been entered into MyHive, configure the location of its HiveManager manually:
› capwap client server name 10.5.1.20
• Save the configuration:
› save config
Example Only: Initial configuration of a VPN Gateway Virtual Appliance
• Just like on an Aerohive AP or router, you can verify CAPWAP status by typing› show capwap client
• After a minute, you should see the run state show that the VPN Gateway is Connected securely to the CAPWAP server
• The CAPWAP server IP should be your HiveManager IP: 10.5.1.20
Example Only: Initial configuration of a VPN Gateway Virtual Appliance
Your new VPN Gateway will be displayed in Monitor > VPN Gateways
LAB: CREATE A ROUTE-BASED LAYER 3 IPSEC VPN
Lab: Create a Route-Based IPSec VPN – 1. Create a Layer 3 IPSec VPN
To create a route-based IPSec VPN:
• Go to Configuration
• Select your Network policy: Access-X and click OK
• Next to Layer 3 IPSec VPN click Choose
• In Choose VPN Profile click New
Lab: Create a Route-Based IPSec VPN – 2. Assign your VPN Gateway to the VPN policy
• Enter a profile name: VPN-X and choose Layer 3 IPSec VPN
• For VPN Gateway, select: Hive-OS-VA-XX from the drop-down
• External IP address of the VA: 1.2.2.X (X = your student number)
› Note: The external IP is the public address the routers will contact to reach the Virtual Appliance
• Click Apply
Lab: Create a Route-Based IPSec VPN – 3. Certificate settings
Optionally you can add an additional VA for disaster recovery
• Expand IPSec VPN Certificate Authority Settings
• VPN Certificate Authority: Default_CA.pem
• VPN Server Certificate: VPN-cert_key_cert.pem
• VPN Server Cert Private Key: VPN-cert_key_cert.pem
Note: Server certificates for the VPN were created in the HiveManager Certificate Authority
Lab: Create a Route-Based IPSec VPN – 4. Verify VPN Settings, Then Go To Configure & Update
• Verify the Layer 3 IPSec VPN settings
Note: The WAN IP and Protocol will be updated after the configuration update is performed
• Click Configure & Update Devices
Example: Dynamic Routing on the VA With OSPF or RIPv2
• In a one-armed configuration, OSPF or RIPv2 can be enabled on the WAN interface to dynamically learn routes from the network (e.g. firewall), and advertise the routes it learns from the branch sites to the network (e.g. firewall)
[Diagram: Headquarters – Internet – Branch Office (BR100)]
› DMZ VA, WAN interface Eth0 – 10.200.2.X/24, gateway 10.200.2.1, OSPF area 0.0.0.0 (same as area 0)
› Firewall inside interfaces: bgroup0 10.5.1.1/24 VLAN 1, bgroup0.2 10.5.2.1/24 VLAN 2, bgroup0.8 10.5.8.1/24 VLAN 8, bgroup0.10 10.5.10.1/24 VLAN 10; all in OSPF area 0
› Branch Office BR100: sub network 10.102.1.0/24
Example: Routes Learned via OSPF and Between the VA and Branch Routers
[Diagram: Headquarters – IPSec VPN to Branch Office 1 – Internet – BR100]
› DMZ VA, WAN interface Eth0 – 10.200.2.2/24, gateway 10.200.2.1, OSPF area 0.0.0.0 (same as area 0)
» Routes to Branch 1 through the VPN: 10.102.1.0/24
» Routes to the network (via OSPF): 10.5.1.0/24, 10.5.2.0/24, 10.5.8.0/24 and 10.5.10.0/24 to 10.200.2.1; 0.0.0.0/0 to 10.200.2.1
› Firewall inside interfaces: bgroup0 10.5.1.1/24 VLAN 1, bgroup0.2 10.5.2.1/24 VLAN 2, bgroup0.8 10.5.8.1/24 VLAN 8, bgroup0.10 10.5.10.1/24 VLAN 10; all in OSPF area 0
» Route to Branch 1: 10.102.1.0/24 to 10.200.2.2
› Branch Office 1 (BR100), sub network 10.102.1.0/24
» Routes to Headquarters through the VPN: 10.5.1.0/24, 10.5.2.0/24, 10.5.8.0/24, 10.5.10.0/24
» Local routes: 0.0.0.0/0 to the Internet
Note: Aerohive uses a TCP-based mechanism through the VPN tunnel to check for route updates between branch sites and the VPN Gateways every minute by default.
Lab: Create a Route-Based IPSec VPN – 5. Modify the settings for your VPN Gateway
• Choose the Current Policy filter
• Under L3 VPN Gateway, click the link to modify your VPN Gateway: HiveOS-VA-XX
Lab: Create a Route-Based IPSec VPN – 6. Modify the IP settings on the VPN Gateway
• By default the management network is set to the Quick Start management network: QS-MGT-172.18.0.0
• Set the IP address of the Eth0 (WAN) interface: 10.200.2.X/24 (X = 2, 3, …, 14, 15)
• Set the Default Gateway: 10.200.2.1
• Do not save yet
Lab: Create a Route-Based IPSec VPN – 7. Enable OSPF on the VPN Gateway
• Check the box to: Enable dynamic routing and select OSPF
• Check Eth0 (WAN) so that the WAN interface runs OSPF and can advertise routes to, and learn routes from, the network
• Uncheck Eth1 (LAN) because the eth1 interface is not in use
• Use the default Area: 0.0.0.0 (which is compatible with area 0)
• Click Save
Note: Internal Networks – Required if a Dynamic Routing Protocol is Not Enabled
• If the VPN Gateway is configured with static routes, or just has a single default gateway to a router, you can specify which networks to advertise to the branch office networks by specifying Internal Networks
• Any Internal Network defined here will be advertised to the branch office networks through the VPN tunnels so the branch offices routers know which networks to route through the VPN to headquarters
Lab: Create a Route-Based IPSec VPN – 8. Upload the Configuration of Your Devices
• Select the Filter: Current Policy
• Select all your devices
• Click Update
Lab: Create a Route-Based IPSec VPN – 9. Upload the Configuration of Your Devices
• Select Update Devices
• Select Perform a complete configuration update for all selected devices
• Click Update
For this class, ALL updates should be complete configuration updates
Lab: Create a Route-Based IPSec VPN – 10. Upload the Configuration of Your Devices
• When the Reboot Warning box appears, click OK
Lab: Create a Route-Based IPSec VPN – 11. Wait for the update to complete and verify the VPN
When the VPN Server and Client Icons are green, then you know the VPN is up.
VPN TROUBLESHOOTING
LAB: VPN Troubleshooting – 1. Aerohive device VPN Diagnostics
• Go to Monitor > Devices > All Devices
• Select one of the VPN devices: SR-0X-######
• Click Utilities > Diagnostics > Show IKE Event
• Verify that both Phase 1 and Phase 2 are successful
LAB: VPN Diagnostics – 2. Aerohive device VPN Diagnostics – Phase 1
• Select one of the VPN devices: SR-0X-######
• Click Tools > Diagnostics > Show IKE Event
Possible problems if Phase 1 fails:
• Certificate problems
• Incorrect Networking settings
• Incorrect NAT settings on external firewall
Possible problems if Phase 2 fails:
• Mismatched transform sets between the client and server (encryption algorithm, hash algorithm, etc.)
LAB: VPN Diagnostics – 3. Aerohive device VPN Diagnostics – Phase 1
• Click Tools > Diagnostics > Show IKE Event
• If you see that Phase 1 failed due to a certificate problem:
› Check the time on the Aerohive devices (a clock outside the certificate's validity period makes an otherwise good certificate fail)
» show clock
» show time
› Ensure you have the correct certificates loaded on the Aerohive APs in the VPN services policy
LAB: VPN Diagnostics – 4. Aerohive device VPN Diagnostics – Phase 1
• Click Tools > Diagnostics > Show IKE Event
• If you see that Phase 1 failed due to wrong network settings:
› Check the IP settings in the VPN services policy
› Check the NAT settings on the external firewall
LAB: VPN Diagnostics – 5. Aerohive device VPN Diagnostics – Phase 1
• Click Utilities > Diagnostics > Show IKE SA
• Phase 1 has completed successfully if you reach step #9
• If step #9 is not established, then one of these problems exists:
› Certificate problems
› Incorrect networking settings
› Incorrect NAT settings on the external firewall
LAB: VPN Diagnostics – 6. Aerohive device VPN Diagnostics – Phase 2
• Click Utilities > Diagnostics > Show IPSec SA
Note: It is clear to see that a VPN is functional if you see the tunnel from the MGT0 IP of the VPN client to the (NAT) Address of the MGT0 of the VPN Server, and the reverse. Both use different SAs (Security Associations)
› State: Mature
• If Phase 2 fails: Check the encryption & hash settings on the VPN client and the VPN server
Lab: VPN Diagnostics – 7. View the VPN Topology to Verify VPN Status
• In the Layer 3 IPSec VPN section, click VPN Topology
• If the devices show up green with a line between them, the VPN is operational
• Click Refresh if the devices are not green after a moment
Please be patient; it will take a minute or two for the VPNs to establish
VERIFY VPN STATUS AND DYNAMIC ROUTING
Lab: Verify VPN and Dynamic Routing – 2. Open an SSH Session to Your VPN Gateway
To verify the routes learned via OSPF:
• Go to Monitor > VPN Gateways
• Check the box next to your HiveOS-VA-XX
• Select Utilities > SSH Client
Lab: Verify VPN and Dynamic Routing – 3. Use CLI Commands to Verify OSPF Routes
• show ospf route (wait about 10 seconds, then press Enter twice)
› You should see four OSPF routes in this lab
• show ospf neighbor (press Enter twice)
› You should see at a minimum the firewall at 209.128.124.196 as a neighbor in the Full/DR state
Lab: Verify VPN and Dynamic Routing – 4. View the routes on a branch router
To verify the routes learned through the VPN on a branch router:
• Go to Monitor > Routers
• Check the box next to your router: SR-XX-######
• Select Utilities > Diagnostics > Show IP Routes
Lab: Verify VPN and Dynamic Routing – 5. View the routes on a branch router
• You should see at a minimum routes to 10.5.1.0/24, 10.5.2.0/24, 10.5.8.0/24 and 10.5.10.0/24, all through the VPN tunnel0 interface
• High metrics are used for routes learned from OSPF and advertised through the VPN, so that if the same network exists locally, the local route is preferred
› Note: A higher metric means more cost, and the route is less preferred
• You will also learn the routes for the networks at the other branch sites through the VPN tunnel
For Information: This is the OSPF configuration on the training Juniper SSG
ssg5-3-lab-> set vr trust
ssg5-3-lab(trust-vr)-> set protocol OSPF
ssg5-3-lab(trust-vr/OSPF)-> set enable
ssg5-3-lab(trust-vr/OSPF)-> exit
ssg5-3-lab(trust-vr)-> exit
ssg5-3-lab-> set int bgroup0 protocol OSPF area 0
ssg5-3-lab-> set int bgroup0 protocol OSPF enable
ssg5-3-lab-> set int bgroup0.2 protocol OSPF area 0
ssg5-3-lab-> set int bgroup0.2 protocol OSPF enable
ssg5-3-lab-> set int bgroup0.8 protocol OSPF area 0
ssg5-3-lab-> set int bgroup0.8 protocol OSPF enable
ssg5-3-lab-> set int bgroup0.10 protocol OSPF area 0
ssg5-3-lab-> set int bgroup0.10 protocol OSPF enable
TEST WLAN ACCESS THROUGH THE VPN
The steps for LAN access are similar
Lab: Test Wireless LAN Access – 1. Connect your computer to the SSID: Class-PSK-X
• Single-click the wireless icon in the bottom right corner of the Windows task bar
• Click your SSID: Class-PSK-X
• Click Connect
› Security Key: aerohive123
› Click OK
Lab: Test WLAN VPN Access – 2. Ping a server through the VPN
From your PC, ping 10.5.1.20, which is a server in the Santa Clara, California data center
[Diagram: Headquarters DMZ VPN Gateway – IPSec VPN to Branch Office 1 – Internet – BR100]
Lab: Test WLAN VPN Access – 3. View your client information in Wireless Clients
• From your virtual PC, connect to HiveManager through the VPN at https://10.5.1.20
• View your client in the Active Clients list by going to Monitor > Clients > Wireless Clients
POLICY-BASED ROUTING (PBR)
Not this PBR*
*A low-cost American beer that has been around a long time but was not popular; over the last few years it has become more popular in bars and grocery stores.
Aerohive Policy-Based Routing
• Policy-based routing is used mainly in conjunction with the Layer 3 IPSec VPN tunneling capabilities
› Though it does not require a VPN
[Diagram: branch router with PoE ports, 3G/4G LTE USB modem, Employees and Guests networks, Internet uplink and VPN to HQ]
Aerohive Policy-Based Routing
• Policy-based routing lets you decide how traffic is forwarded out of a router
› Decisions are made based on IP reachability of tracked IP addresses and on user profiles
› Forwarding can be out any WAN port, USB wireless, Wi-Fi connection, or VPN
[Diagram: branch router with PoE ports, 3G/4G LTE USB modem, Employees and Guests networks, Internet uplink and VPN to HQ]
Route-based VPN – Private vs. Internet Traffic
• The three types of routes in a branch office are:
› Private routes – learned over the VPN from the VPN Gateway, such as 10.1.0.0/16 in this example
› Branch routes – to other routers in the branch office, which can be advertised to HQ over the VPN tunnel
› Internet routes – essentially the default route 0.0.0.0/0, used to send traffic to the Internet locally from the branch office
[Diagram: Branch Office BR100 – Tunnel A across the Internet – Cloud VPN Gateway – HQ]
› Branch Office: local network 172.28.2.0/24; route 10.1.0.0/16 through the VPN tunnel; route 0.0.0.0/0 to the Internet gateway
› HQ: corporate network 10.1.0.0/16 (internal); route 10.1.0.0/16 to the corporate router; route 172.28.2.0/24 to VPN Tunnel A; route 0.0.0.0/0 to the Internet gateway
POLICY-BASED ROUTING
Policy-Based Routing: Custom Rules – Overview of Fields
• Forwarding actions determine where to send the packet
• Source and Destination are used to match a packet
Policy-Based Routing: Forwarding and Backup Forwarding Actions
• The backup forwarding action is used when the interface for the forwarding action goes down, or when specific IP addresses (Track IP) are not reachable through that interface
LAB: CREATE A WAN IP TRACKING POLICY
Track IP for Router WAN Connectivity
• Uses ping to track IP addresses you specify on the Internet
› For example, you can track ntp1.aerohive.com (206.80.44.205)
• If no response is received, you can make routing decisions such as failing over to wireless USB (3G/4G LTE)
[Diagram: branch router with PoE ports, 3G/4G LTE USB modem, Employees and Guests networks, Internet uplink and VPN to HQ; Track IP target ntp1.aerohive.com (206.80.44.205)]
Lab: WAN IP Tracking – 1. Create an IP tracking policy
To configure policy-based routing:
• Go to Configuration
• Select your Network policy: Access-X and click OK
• Next to Additional Settings, click Edit
Lab: WAN IP Tracking – 2. Create an IP tracking policy
• Expand Service Settings
• For Track IP Groups for WAN Interface, there are two backup track IP groups and one primary
• Next to Primary, click +
Lab: WAN IP Tracking – 3. Create an IP tracking policy
• Track IP Group Name: Track-X
• Under Tracking group type, select For WAN interface
• Ensure Enable IP tracking is checked
• For the IP addresses, enter: 8.8.8.8, 4.2.2.2
• Take action when: all targets become unresponsive
• Click Save
Lab: WAN IP Tracking – 4. Create an IP tracking policy
• In Track IP Groups for WAN Interface, select the Primary Track IP Group: Track-X
• Click Save
• Next you will configure the routing policy
Note: You can specify Track IP Groups for Backup1 and Backup2 as well. The policy-based routing policy determines whether backup1 fails over to backup2, or backup2 fails over to a Wi-Fi client connection, for example.
LAB: CONFIGURE POLICY-BASED ROUTES
Lab: Policy-Based Routing – 1. Create a Routing Policy
• Expand Router Settings
• Next to Routing Policy, click +
Note: Policy-Based Routing – Type of Rules
• Here you can specify the type of routing policy rules:
› Split Tunnel: tunnel non-guest traffic to internal (HQ) routes, drop guest traffic for internal (HQ) routes, and route all other traffic to the local Internet gateway
› Tunnel All: tunnel all non-guest traffic regardless of its destination, and drop all guest traffic
› Custom: define a custom routing policy
Lab: Policy-Based Routing – 2. Create a Routing Policy
• Name: PBR-X
• Under Routing Policies, select Custom
• Click + to add a new policy
Lab: Policy-Based Routing – 3. Create a Routing Policy
• Source – Type: User Profile, Value: Employee-X
• Destination – Type: Private (routes learned via VPN)
• Forwarding Action: Corporate Network (VPN)
• Backup Forwarding Action: Drop
• Click the save icon to the right of the policy
Lab: Policy-Based Routing – 4. Create a Routing Policy
• Click + to create a new policy
• Source – Type: User Profile, Value: Employee-X
• Destination – Type: Any (all other routes)
• Forwarding Action: Primary WAN
• Backup Forwarding Action: Backup WAN-1 (e.g. DSL)
• Click the save icon to the right of the policy
Lab: Policy-Based Routing – 5. Create a Routing Policy
• Click + to create a new policy
• Source – Type: User Profile, Value: Voice-X
• Destination – Type: Private (routes learned via VPN)
• Forwarding Action: Corporate Network (VPN)
• Backup Forwarding Action: USB (USB Wireless – LTE)
• Click the save icon to the right of the policy
Lab: Policy-Based Routing – 6. Create a Routing Policy
• Click + to create a new policy
• Source – Type: User Profile, Value: Guest-X
• Destination – Type: Private (routes via VPN)
• Forwarding Action: Drop
• Click the save icon to the right of the policy
Lab: Policy-Based Routing – 7. Create a Routing Policy
• Click the + at the top (Note: this is to show an important point)
• Source – Type: User Profile, Value: Guest-X
• Destination – Type: Any
• Forwarding Action: Primary WAN
• Backup Forwarding Action: Drop
• Click the save icon to the right of the policy
Lab: Policy-Based Routing – 8. Create a Routing Policy
• Question: What is wrong with this policy?
• Answer: All guest traffic will match the first policy, and no other policy will be used. Guest traffic may be able to reach the local branch network if it is not blocked by firewall policy.
Lab: Policy-Based Routing – 9. Create a Routing Policy
• Click the User Profile (Guest-X), Any, Primary WAN policy and drag it to the bottom
• Click Save
• Additional Settings – Save
• Save your Network Policy
Policy-Based Routing – Analysis
• Processed top down:
1. User Profile (Employee), when going to a private route learned through the VPN: send to the VPN
2. User Profile (Employee), when not sending to the VPN: send out through the primary WAN, and if that fails, out the Backup WAN
Policy-Based Routing – Analysis (continued)
3. User Profile(Voice) if destined to a route learned through the VPN, forward through VPN
4. User Profile(Guest) if destined to a route learned through the VPN, drop
5. User Profile(Guest) when not sending to the VPN will be sent out through the primary WAN, and if that fails, drop
Policy-Based Routing – Policy Used For No Matching Routes
• Question: What happens to traffic that does not match a policy-based routing rule?
• Answer: The router uses its main destination routing table (i.e. standard routing)
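The following Python model is added here as a worked example; it is not Aerohive code and not part of the course material. It implements the rule semantics of the last few slides and of the WAN IP tracking lab: rules are evaluated top down and the first match wins, the backup forwarding action is taken when the forwarding interface is down or when its Track IP group reports all targets unresponsive (the Track-X group with 8.8.8.8 and 4.2.2.2), and traffic that matches no rule falls through to the main routing table. The profile names, interface names and 10.5.x.0/24 private routes come from the lab; the Rule and Router classes, the tracking_failed helper and the behaviour when neither the forwarding nor the backup action is usable (treated as Drop) are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Destination types as offered in the HiveManager routing policy UI
PRIVATE = "Private"               # routes learned through the VPN
ANY = "Any"                       # all other routes (as a source: any user profile)
MAIN_TABLE = "main routing table"  # used when no rule matches


def tracking_failed(responses: Dict[str, bool], when: str = "all") -> bool:
    """Track IP group decision. `responses` maps target IP -> True if it answered ping.
    when="all": act only when every target is unresponsive (the lab setting).
    when="any": act as soon as one target stops answering.
    An interface with no tracking group never fails by tracking."""
    if not responses:
        return False
    unresponsive = [ip for ip, answered in responses.items() if not answered]
    if when == "all":
        return len(unresponsive) == len(responses)
    return bool(unresponsive)


@dataclass
class Rule:
    source_profile: str           # user profile name, or ANY
    destination: str              # PRIVATE or ANY
    forward: str                  # forwarding action: interface name or "Drop"
    backup: Optional[str] = None  # backup forwarding action


@dataclass
class Router:
    vpn_routes: List[str]                  # prefixes learned from the VPN gateway
    link_up: Dict[str, bool]               # interface/action -> link state
    track: Dict[str, Dict[str, bool]] = field(default_factory=dict)  # interface -> ping results

    def is_private(self, dst: str) -> bool:
        addr = ipaddress.ip_address(dst)
        return any(addr in ipaddress.ip_network(p) for p in self.vpn_routes)

    def usable(self, action: str) -> bool:
        """Drop is always possible; an interface must be up and its track IP group healthy."""
        if action == "Drop":
            return True
        if not self.link_up.get(action, False):
            return False
        return not tracking_failed(self.track.get(action, {}))

    def route(self, rules: List[Rule], profile: str, dst: str) -> str:
        """Rules are processed top down; the first match wins and later rules are ignored."""
        for r in rules:
            if r.source_profile not in (profile, ANY):
                continue
            if r.destination == PRIVATE and not self.is_private(dst):
                continue
            if self.usable(r.forward):
                return r.forward
            if r.backup is not None and self.usable(r.backup):
                return r.backup
            return "Drop"  # assumption: neither action usable; the slides do not cover this case
        return MAIN_TABLE


# The custom policy built in the lab, in its corrected (final) order
LAB_RULES = [
    Rule("Employee-X", PRIVATE, "Corporate Network (VPN)", "Drop"),
    Rule("Employee-X", ANY, "Primary WAN", "Backup WAN-1"),
    Rule("Voice-X", PRIVATE, "Corporate Network (VPN)", "USB"),
    Rule("Guest-X", PRIVATE, "Drop"),
    Rule("Guest-X", ANY, "Primary WAN", "Drop"),
]
# The mistake shown in step 7 of the lab: the Guest/Any rule placed at the top
MISORDERED_RULES = [LAB_RULES[-1]] + LAB_RULES[:-1]


def lab_router(primary_wan_tracked: bool = True, vpn_up: bool = True) -> Router:
    """Branch router with the lab's OSPF-learned private routes and Track-X group.
    primary_wan_tracked=False simulates 8.8.8.8 and 4.2.2.2 both going unresponsive."""
    return Router(
        vpn_routes=["10.5.1.0/24", "10.5.2.0/24", "10.5.8.0/24", "10.5.10.0/24"],
        link_up={"Corporate Network (VPN)": vpn_up, "Primary WAN": True,
                 "Backup WAN-1": True, "USB": True},
        track={"Primary WAN": {"8.8.8.8": primary_wan_tracked, "4.2.2.2": primary_wan_tracked}},
    )


if __name__ == "__main__":
    r = lab_router()
    print("guest -> 10.5.1.20, correct order:", r.route(LAB_RULES, "Guest-X", "10.5.1.20"))
    print("guest -> 10.5.1.20, Guest/Any on top:", r.route(MISORDERED_RULES, "Guest-X", "10.5.1.20"))
    print("employee -> 8.8.8.8, WAN tracking failed:",
          lab_router(primary_wan_tracked=False).route(LAB_RULES, "Employee-X", "8.8.8.8"))
    print("voice -> 10.5.1.20, VPN down:", lab_router(vpn_up=False).route(LAB_RULES, "Voice-X", "10.5.1.20"))
    print("unmatched profile:", r.route(LAB_RULES, "Printer-X", "10.5.1.20"))
```

Running it reproduces the point of steps 7 and 8: with the Guest/Any rule on top, guest traffic to 10.5.1.20 is forwarded out the primary WAN instead of being dropped, because the more specific Guest/Private rule below it is never reached; and a profile with no rule at all (Printer-X here) goes to the main routing table rather than being dropped, so a "deny by default" must be written as an explicit last rule.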
Policy-Based Routing – Caution in 6.0r2a if not using VPN
• If you are not using a VPN, do not create a policy-based routing rule with Source: Any, Destination: Any
• If you do, traffic may be sent back out the primary WAN instead of being sent to a local route
• This will be resolved in an upcoming release.
POLICY-BASED ROUTING – SIMPLE TEST
Instructor Classroom demo
If time permits:
If the instructor has a 3G/4G USB dongle available:
• Start a continuous ping from a classroom laptop that is communicating through an Aerohive BR-200
• Remove the Ethernet cable from the primary WAN port
• Wait for up to 60 seconds for the connection to failover to the cellular network
• Reconnect the Ethernet cable to the primary WAN port
• Wait for up to 60 seconds for the connection to fallback to the primary WAN network
POLICY-BASED ROUTING – DEFAULT SPLIT TUNNEL
Use this if you do not want to create a custom policy and you have a VPN configured
Policy-based routing – Split Tunnel Policy
• Source – User Profile
› Any Guest – applies to users or devices connected to a user profile assigned to a network whose network type is set to Guest Use
› Any – all other (non-guest) user profiles
Policy-based routing – Split Tunnel Policy Analysis
• Processed top down:
1. Traffic from any guest user profile going to a route learned through the VPN or to a local interface on the router: drop
2. Any non-guest traffic destined to a route learned through the VPN: forward through the VPN
3. All other traffic: forward out the Primary WAN interface, and if that fails, send out the backup WAN interface
BRANCH ROUTER 3G/4G MODEM SETTINGS
Branch Router USB Modem Settings
• A wide range of USB modems is supported
• The USB modem can be used when triggered by an IP-tracking policy, or can always stay connected
Generic USB Modem Support
• Generic USB modem support for BR200, BR100 and the 300 series APs functioning as routers
• Configurable through NetConfig UI
COOKIE-CUTTER VPN
Cookie Cutter Branch Deployments
• Each site, even with the same IP network, can build a VPN to the corporate network
[Diagram: HQ corporate network 10.0.0.0/8; Branch 1: 10.1.1.0/24; Branch 2: 10.1.1.0/24; Branch 3: 10.1.1.0/24]
Cookie Cutter Branch Deployments
• Each branch site can be assigned the same IP network
• How can HQ reach the remote sites when their addresses overlap?
[Diagram: HQ corporate network 10.0.0.0/8; Branch 1: 10.1.1.0/24; Branch 2: 10.1.1.0/24; Branch 3: 10.1.1.0/24]
Cookie Cutter Branch Deployments
• Each network can have a unique subnet allocated per site, used to perform one-to-one NAT for every host in each branch office through the VPN
[Diagram: HQ corporate network 10.0.0.0/8; Branch 1: NAT 10.102.1.0/24 to 10.1.1.0/24; Branch 2: NAT 10.102.2.0/24 to 10.1.1.0/24; Branch 3: NAT 10.102.3.0/24 to 10.1.1.0/24]
Cookie Cutter Branch Deployments – Routing on the VPN Gateway
• The branch routers advertise their NAT subnets to the VPN Gateways
[Diagram: HQ corporate network 10.0.0.0/8 (local)]
› Tunnel routes on the VPN Gateway: 10.102.1.0/24 via tunnel 1; 10.102.2.0/24 via tunnel 2; 10.102.3.0/24 via tunnel 3
› Branch 1: NAT 10.102.1.0/24 to 10.1.1.0/24; Branch 2: NAT 10.102.2.0/24 to 10.1.1.0/24; Branch 3: NAT 10.102.3.0/24 to 10.1.1.0/24
Cookie Cutter Branch Deployments
• NAT subnets are unique subnets per site (non cookie-cutter), and can be mapped to sites dynamically or via device classification
• Each NAT IP address can be accessed from corporate through the VPN
• Each NAT mapping is bidirectional, so traffic to HQ will be sourced from the NAT address of each host
[Diagram: HQ corporate network 10.0.0.0/8]
› Branch 1: NAT 10.102.1.0/24 to 10.1.1.0/24, which maps 10.102.1.1 to 10.1.1.1, 10.102.1.2 to 10.1.1.2, …, 10.102.1.255 to 10.1.1.255
› Branch 2: NAT 10.102.2.0/24 to 10.1.1.0/24, which maps 10.102.2.1 to 10.1.1.1, 10.102.2.2 to 10.1.1.2, …, 10.102.2.255 to 10.1.1.255
› etc.
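The one-to-one NAT of the preceding slides, as an added worked example in Python. This is not Aerohive code (HiveOS performs the translation on the branch router); the CookieCutterNat class, its method names, and the count of 253 usable clients per /24 (network, broadcast and router gateway reserved) are this example's assumptions. It shows why identical 10.1.1.0/24 branches stay reachable from HQ: a unique /24 is carved per site out of 10.102.0.0/16, host bits are preserved in both directions, and the VPN Gateway can tell from the NAT address which tunnel a packet belongs to. A site can be locked to a subnet by naming one address inside it, as the lab does with 1.1XX.1.1 and the Site-Xa device tag, or it can take the next free subnet dynamically.

```python
import ipaddress
from typing import Dict, Optional


class CookieCutterNat:
    """One-to-one NAT between an identical per-branch LAN and a unique per-branch
    NAT subnet carved from a pool. Host bits are kept, so host .7 at the branch
    holding 10.102.3.0/24 is seen at HQ as 10.102.3.7 while it stays 10.1.1.7 locally."""

    def __init__(self, local_subnet: str, nat_pool: str, branches: int):
        self.local = ipaddress.ip_network(local_subnet)
        self.pool = ipaddress.ip_network(nat_pool)
        # carve the pool into one subnet per branch, same prefix length as the branch LAN
        subnets = list(self.pool.subnets(new_prefix=self.local.prefixlen))
        if branches > len(subnets):
            raise ValueError(f"{nat_pool} only holds {len(subnets)} /{self.local.prefixlen} subnets")
        self.nat_subnets = subnets[:branches]
        self.assignments: Dict[str, int] = {}  # site -> index into nat_subnets

    def assign(self, site: str, nat_ip: Optional[str] = None) -> str:
        """Allocate a NAT subnet to a site. With nat_ip (the "specific IP address" option,
        e.g. 1.1XX.1.1 -> Site-Xa in the lab) the site is locked to the subnet holding
        that address; without it the next free subnet is handed out dynamically."""
        used = set(self.assignments.values())
        if nat_ip is not None:
            addr = ipaddress.ip_address(nat_ip)
            idx = next((i for i, n in enumerate(self.nat_subnets) if addr in n), None)
            if idx is None:
                raise ValueError(f"{nat_ip} is not inside the NAT pool {self.pool}")
            if idx in used and self.assignments.get(site) != idx:
                raise ValueError(f"{self.nat_subnets[idx]} already belongs to another site")
        else:
            idx = next((i for i in range(len(self.nat_subnets)) if i not in used), None)
            if idx is None:
                raise ValueError("no free NAT subnet left in the pool")
        self.assignments[site] = idx
        return str(self.nat_subnets[idx])

    def _subnet(self, site: str) -> ipaddress.IPv4Network:
        return self.nat_subnets[self.assignments[site]]

    def to_nat(self, site: str, local_ip: str) -> str:
        """Branch -> HQ: the source address is rewritten into the site's NAT subnet."""
        host = int(ipaddress.ip_address(local_ip)) - int(self.local.network_address)
        if not 0 <= host < self.local.num_addresses:
            raise ValueError(f"{local_ip} is not in {self.local}")
        return str(self._subnet(site).network_address + host)

    def to_local(self, site: str, nat_ip: str) -> str:
        """HQ -> branch: the destination is rewritten back into the replicated LAN."""
        n = self._subnet(site)
        addr = ipaddress.ip_address(nat_ip)
        if addr not in n:
            raise ValueError(f"{nat_ip} is not in {n} (assigned to {site})")
        return str(self.local.network_address + (int(addr) - int(n.network_address)))

    def site_for(self, nat_ip: str) -> Optional[str]:
        """VPN Gateway view: which tunnel a packet for a NAT address belongs to."""
        addr = ipaddress.ip_address(nat_ip)
        for site, idx in self.assignments.items():
            if addr in self.nat_subnets[idx]:
                return site
        return None

    def tunnel_routes(self) -> Dict[str, str]:
        """Routes the branch routers advertise to the VPN Gateway: one NAT subnet per tunnel."""
        return {site: str(self.nat_subnets[idx]) for site, idx in self.assignments.items()}

    def clients_per_branch(self) -> int:
        """Usable hosts per branch: all addresses minus network, broadcast and router gateway."""
        return self.local.num_addresses - 3


if __name__ == "__main__":
    nat = CookieCutterNat("10.1.1.0/24", "10.102.0.0/16", 256)
    for site in ("Branch 1", "Branch 2", "Branch 3"):
        n = site.split()[-1]
        print(site, "->", nat.assign(site, f"10.102.{n}.1"))   # locked by a specific address
    print("Branch 1 host 10.1.1.2 seen at HQ as", nat.to_nat("Branch 1", "10.1.1.2"))
    print("Branch 2 host 10.1.1.2 seen at HQ as", nat.to_nat("Branch 2", "10.1.1.2"))
    print("HQ -> 10.102.3.50 goes down tunnel", nat.site_for("10.102.3.50"),
          "and arrives as", nat.to_local("Branch 3", "10.102.3.50"))
    print("tunnel routes on the VPN Gateway:", nat.tunnel_routes())
```

The same host address at two branches (10.1.1.2 at Branch 1 and at Branch 2) gets two distinct corporate-facing addresses, which is what lets HQ initiate connections to either one; the firewall and HiveManager at headquarters only ever see the NAT addresses, so access rules at HQ should be written against the 10.102.x.0/24 ranges, not 10.1.1.0/24.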
LAB: COOKIE-CUTTER VPN
Lab: Cookie Cutter – 1. Create a new Employee Network
• Next to VLAN 10, click on your network: Network-Employee-1XX
• Choose Network, click New
Lab: Cookie Cutter – 2. Create a new Employee Network
• Enter the network name: 10.1.1.0-Employee-X
• DNS Service, select the quick start automatically generated object: Class
• Network Type: Internal Use
• Under Subnetworks, click New
NOTE: This Quick Start DNS Service object sets clients to use the router interface IP as the DNS server, and will proxy the DNS requests to the DNS server learned statically or by DHCP on the WAN interface
© 2013 Aerohive Networks CONFIDENTIAL
Lab: Cookie Cutter3. Replicate the Network
529
• Select Replicate the same subnetwork at each site
• Local Subnetwork:10.1.1.0/24
• Select Use the first IP address of the partitioned subnetwork for the default gateway
• Do not save yet
NOTE: You can now use the first or last IP address of each branch subnet as the default gateway assigned to the routers for these subnets

Lab: Cookie Cutter – 4. Enable DHCP
• Check Enable DHCP server
• For the DHCP Address Pool, move the slider bar to reserve 10 IP addresses at the start and end of the address pool that can be defined statically.
NOTE: In most cases, the router will be the DHCP server. However, if it is not, you can disable the DHCP service and this network definition will only be used to configure the router interface IP addresses.
Lab: Cookie Cutter – 5. NAT settings

• Check Enable NAT through the VPN tunnels
• Number of branches: 256
• NAT IP Address Space Pool: 1.1XX.0.0, Mask 16 (XX = 102, 103, ..., 114, 115)
• Note: We are using 1.1XX.0.0 instead of 10.1XX.0.0 because the lab has no more IP space

Lab: Cookie Cutter – 6. NAT settings
• Check Allocate NAT subnetworks by specific IP addresses at sites
• Click New
› IP Address: 1.1XX.1.1
› Type: Device Tags
› Value: Site-Xa (your switch)
• Click Apply
NOTE: Any device tag you have defined elsewhere is automatically populated. You can also start typing to narrow the value list.

With these settings, each site will be assigned one of the /24 NAT subnets in 1.1XX.0.0/16. Entering a single IP address locks that NAT IP address, and the NAT subnet it belongs to, to a specific site.
Lab: Cookie Cutter – 7. Save cookie cutter network
Verify your settings
• Click Save
Lab: Cookie Cutter – 7. Review and save
Your network will have one NAT subnetwork: 1.1XX.0.0/16 that will support 256 branches with 253 clients per branch, and subnet 10.1.1.0/24 will be assigned to each site for DHCP
• Click Save
• Click OK
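The allocation described in steps 5 to 7, worked through in code: the /16 pool is partitioned into 256 per-branch /24 NAT subnets, one subnet is pinned to a site by a specific IP address (device classification) while the rest are handed out dynamically, and addresses are translated in both directions the way HQ and the branch see them. This is an added example written for this page, not Aerohive code; the pool 1.102.0.0/16 stands in for one student's 1.1XX.0.0/16, and the site names are constructed.

```python
import ipaddress


class CookieCutterNatPool:
    """Carves a NAT pool into one subnet per branch and translates addresses.

    Every branch keeps the same local subnet (10.1.1.0/24 in the lab); the
    pool 1.1XX.0.0/16 is split into per-branch NAT subnets that HQ sees.
    """

    def __init__(self, pool, local_subnet, branches=256):
        self.pool = ipaddress.ip_network(pool)
        self.local = ipaddress.ip_network(local_subnet)
        # Partition the pool into subnets the same size as the local subnet.
        subnets = list(self.pool.subnets(new_prefix=self.local.prefixlen))
        if len(subnets) < branches:
            raise ValueError(f"{self.pool} holds only {len(subnets)} branches")
        self.subnets = subnets[:branches]
        self.assigned = {}   # site -> NAT subnet
        self.locked = set()  # sites pinned by device classification

    def usable_clients(self):
        """Addresses per branch minus network, broadcast and the .1 gateway (253 for a /24)."""
        return self.local.num_addresses - 3

    def lock(self, site, ip):
        """Allocate by specific IP address: the subnet containing `ip` is pinned to `site`."""
        ip = ipaddress.ip_address(ip)
        for net in self.subnets:
            if ip in net:
                if net in self.assigned.values():
                    raise ValueError(f"{net} is already assigned")
                self.assigned[site] = net
                self.locked.add(site)
                return net
        raise ValueError(f"{ip} is not inside {self.pool}")

    def allocate(self, site):
        """Dynamic allocation: first free subnet in the pool (idempotent per site)."""
        if site in self.assigned:
            return self.assigned[site]
        used = set(self.assigned.values())
        for net in self.subnets:
            if net not in used:
                self.assigned[site] = net
                return net
        raise RuntimeError("NAT pool exhausted")

    def to_hq_visible(self, site, local_ip):
        """Local address -> address HQ sees (source of traffic the branch sends to HQ)."""
        local_ip = ipaddress.ip_address(local_ip)
        if local_ip not in self.local:
            raise ValueError(f"{local_ip} is not in {self.local}")
        offset = int(local_ip) - int(self.local.network_address)
        return self.assigned[site].network_address + offset

    def to_local(self, site, nat_ip):
        """Address HQ sees -> local address (destination of traffic HQ sends to the branch)."""
        nat_ip = ipaddress.ip_address(nat_ip)
        net = self.assigned[site]
        if nat_ip not in net:
            raise ValueError(f"{nat_ip} is not in {net}")
        return self.local.network_address + (int(nat_ip) - int(net.network_address))

    def vpn_gateway_routes(self):
        """Tunnel routes the VPN Gateway learns: NAT subnet -> site (one tunnel per site)."""
        return {str(net): site for site, net in self.assigned.items()}


if __name__ == "__main__":
    pool = CookieCutterNatPool("1.102.0.0/16", "10.1.1.0/24")
    pool.lock("Site-02a", "1.102.1.1")        # classification (lab step 6), constructed site
    pool.allocate("SR-02-SIMU-000001")        # dynamic, constructed simulated router
    pool.allocate("SR-02-SIMU-000002")
    for net, site in pool.vpn_gateway_routes().items():
        print(f"{net} -> tunnel to {site}")
    print(pool.to_hq_visible("Site-02a", "10.1.1.5"))  # 1.102.1.5
```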
Lab: Cookie Cutter – 8. Save your network policy and continue
• From the Configure Interfaces & User Access bar, click Continue
PERFORM A COMPLETE UPLOAD

Lab: Update Router Configuration – 1. Update your routers

• Select the Filter: Current Policy
• Select all your Routers
• Click Update
Lab: Update Router Configuration – 2. Update your routers

• Select Update Devices
• Select Perform a complete configuration update for all selected devices
• Click Update

For this class, ALL updates should be complete configuration updates
Lab: Update Router Configuration – 3. Update your routers

• When the Reboot Warning box appears, click OK
VIEW SUBNET ALLOCATION REPORT
Lab: Subnet Allocation Report – 1. View the IP addresses assigned to the routers

• From Monitor, in the navigation tree, click Subnetwork Allocation
• Under Network Name, select 10.1.1.0-Employee-X
• Note the unique NAT networks and the cookie-cutter network

Note: One subnet was assigned via classification; the others were assigned dynamically.
SIMULATED ROUTER CLEANUP

Lab: Remove Simulated Routers – 1. Select and remove your simulated routers
The simulated routers were used to show the subnet allocation report. Now that you have seen how subnetworks are allocated to routers, we can remove them.

• From Configuration > Routers, check the box next to your simulated devices, whose names start with SR-02-SIMU-XXXXXX
• Warning: Do NOT remove the real router
• Click Device Inventory and click Remove
• Click Remove in the warning popup
LAYER 3 IPSEC VPN – REDUNDANT VPN GATEWAYS

Router IPSec VPN Lab – Using Two VPN Gateways
Diagram: Headquarters (DMZ, 802.1Q, Inside)
Firewall eth0/0 – 209.128.76.30; NAT 209.128.76.28 to 10.1.101.2; NAT 209.128.76.29 to 10.1.102.2
Firewall eth0/1.1 – 10.1.101.1/24, VLAN 101, OSPF area 0.0.0.1
Firewall eth0/1.2 – 10.1.102.1/24, VLAN 102, OSPF area 0.0.0.2, OSPF cost 1000
Firewall eth0/2 – 10.5.1.1/24, OSPF area 0.0.0.0 (Internal Network, AD Server 10.5.1.10)
VPN Gateway 1 – LAN 1: 10.1.101.2/24, OSPF area 0.0.0.1 (VLAN 101)
VPN Gateway 2 – LAN 1: 10.1.102.2/24, OSPF area 0.0.0.2 (VLAN 102)
Branch Office – Tunnel 1 to 209.128.76.28 (pref 1), Tunnel 2 to 209.128.76.29 (pref 2)
VLAN 10 – 10.1.1.0/24 Employee Net; one-to-one subnet NAT through VPN: 10.102.1.0/24 (HQ visible IPs) to 10.1.1.0/24 (local IPs)
Router IPSec VPN Lab – Using Two VPN Gateways

• VPN tunnels are built from branch offices to the VPN gateways
• Traffic from the branch offices is decrypted at the VPN gateways and sent to the DMZ firewall for access to the internal network
• Traffic destined to IP addresses at branch offices is sent to the firewall, which looks up the IP and finds the route to the VPN gateway, which encrypts the traffic and sends it through a tunnel to the branch office
Cookie Cutter Branch Deployments – Routing on the VPN Gateway

• The branch routers advertise their NAT subnets to the VPN Gateways

Diagram: at HQ, the corporate network 10.0.0.0/8 is local; tunnel routes: 10.102.1.0/24 via tunnel 1, 10.102.2.0/24 via tunnel 2
Branch 1: NAT 10.102.1.0/24 to 10.1.1.0/24
Branch 2: NAT 10.102.1.0/24 to 10.1.1.0/24
FW Configuration for Accessing VPN Gateways 1 and 2

set interface bgroup0.5 tag 101 zone Trust
set interface bgroup0.6 tag 102 zone Trust
set interface bgroup0.5 ip 10.1.101.1/24
set interface bgroup0.6 ip 10.1.102.1/24
set interface bgroup0.5 route
set interface bgroup0.6 route
set int bgroup0.5 protocol OSPF area 0.0.0.1
set int bgroup0.5 protocol OSPF enable
set int bgroup0.6 protocol OSPF area 0.0.0.2
set int bgroup0.6 protocol OSPF enable
set interface "ethernet0/0" mip 209.128.76.28 host 10.1.101.2
set interface "ethernet0/0" mip 209.128.76.29 host 10.1.102.2
set interface "ethernet0/0" mip 209.128.76.28 host 10.1.101.2 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet0/0" mip 209.128.76.29 host 10.1.102.2 netmask 255.255.255.255 vr "trust-vr"
set policy id 18 from "Untrust" to "Trust" "Any" "MIP(209.128.76.28)" "ANY" permit
set policy id 19 from "Untrust" to "Trust" "Any" "MIP(209.128.76.29)" "ANY" permit
CONFIGURING LAYER 3 IPSEC VPNWITH REDUNDANCYINSTRUCTOR ONLY – THESE STEPS HAVE ALREADY BEEN PERFORMED
550
© 2013 Aerohive Networks CONFIDENTIAL
Layer 3 VPN – Instructor Only Steps
551
• Under Layer 3 IPSec VPN, click Choose
Layer 3 VPN – Instructor Only Steps

• Name: Corp-VPN (shared by all network policies in class)
• Layer 3 VPN
• VPN Gateway: VPN-Gateway-1
• External IP: 1.2.2.241
• Click Apply
Layer 3 VPN – Instructor Only Steps

Under VPN Gateway Settings
• Click New
• VPN Gateway: VPN-Gateway-2
• External IP: 1.2.2.242
• Click Apply
Layer 3 VPN – Instructor Only Steps

• Two new certificates were created for this lab; you can use those, or the defaults if the root CA did not change
• Click Save
Layer 3 VPN – Instructor Only Steps

• From Configuration > Show Nav > VPN Gateways
• Modify VPN-Gateway-1
Layer 3 VPN – Instructor Only Steps

Note: VPN Gateways are not assigned to a Network policy; they just use a Management network
• ETH0 (WAN): 10.200.2.241/24
• Default Gateway: 10.200.2.1
• Enable Dynamic Routing
• Select OSPF
• Route Advertisement: select Eth0 (WAN), deselect Eth1 (LAN)
• Area: 0.0.0.0
• Click Save
Layer 3 VPN – Instructor Only Steps

• From Configuration > VPN Gateways
• Modify VPN-Gateway-2
Layer 3 VPN – Instructor Only Steps

Note: VPN Gateways are not assigned to a Network policy; they just use a Management network
• ETH0 (WAN): 10.200.2.242/24
• Default Gateway: 10.200.2.1
• Enable Dynamic Routing
• Select OSPF
• Route Advertisement: select Eth0 (WAN), deselect Eth1 (LAN)
• Area: 0.0.0.0
• Click Save
Layer 3 VPN – Instructor Only Steps

• Select Update Devices
• Select Perform a complete configuration update for all selected devices
• Click Update

For this class, ALL updates should be complete configuration updates
LAB: TWO VPN GATEWAYS
STUDENTS ADD CORP VPN TO THEIR NETWORK POLICY

Lab: Two VPN Gateways – 1. Add the Corp-VPN policy

• In your network policy, next to Layer 3 IPSec VPN, click Choose
• Select Corp-VPN
• Click OK
• Save the Network Policy
• Click Continue
Lab: Two VPN Gateways – 2. Select the router

• Choose the current policy filter and select your router
• Click Update Devices and perform a complete upload
Lab: Two VPN Gateways – 4. Verify the VPN topology

• Wait about 5 minutes
• When the VPNs are established, you can click the VPN Topology link to see live VPN status
• Click Refresh to update the screen
BRANCH ROUTER WAN INTERFACE NAT PORT FORWARDING

Branch Router WAN Interface – NAT Port Forwarding

• Use port forwarding from a public WAN interface on a branch router to reach a server within a private network
• This works very well for cookie cutter deployments!!
Diagram: Internet – Branch Router (SR2024as, WAN: 2.1.1.100) – PoE – APs
Web Server1 10.1.1.5, port 80 (IP #5); Web Server2 10.1.1.6, port 80 (IP #6)
Client request from the Internet: http://2.1.1.100:8005
NAT Port Forwarding Rules:
Outside: 2.1.1.100:8005  Inside: 10.1.1.5:80
Outside: 2.1.1.100:8006  Inside: 10.1.1.6:80
LAB: CONFIGURE BRANCH ROUTER WAN INTERFACE NAT PORT FORWARDING

LAB: WAN Interface NAT Port Forwarding – 1. Modify the Cookie-Cutter Network

• From your network policy, under VLAN-to-Subnet Assignments for Router Interfaces
› Modify your 10.1.1.0-Employee-X network
› Click the icon and select Edit
LAB: WAN Interface NAT Port Forwarding – 2. Modify the Cookie-Cutter/NAT Network

• Click the link to edit the subnet: 1.1XX.0.0/16
LAB: WAN Interface NAT Port Forwarding – 3. Enable port forwarding

• In the Network Address Translation (NAT) Settings section
• Check Enable port forwarding through the WAN interfaces
LAB: WAN Interface NAT Port Forwarding – 4. View Aerohive Ports

• Click View Aerohive Ports to see the ports that are already in use on Aerohive routers and that you therefore cannot use for port forwarding
• In order for port forwarding to work, you must have addresses excluded at the start of the DHCP pool
• For example, if you have a web server at every site that will be the 5th IP address from the start of the pool, e.g. 10.1.1.5, then you must have a DHCP exclusion for the first 5 IP addresses so that 10.1.1.5 can be statically assigned to the web server

NOTE: Always exclude addresses from the DHCP pool
LAB: WAN Interface NAT Port Forwarding – 5. Create port forwarding rules

• Click New to create a port forwarding rule
LAB: WAN Interface NAT Port Forwarding – 6. Create port forwarding rules

• Destination Port Number: 8005
• Local Host IP Address Position: 1
• Internal Host Port Number: 80
• Traffic Protocol: TCP
• Click Apply
LAB: WAN Interface NAT Port Forwarding – 7. Create port forwarding rules

• Create several more rules
LAB: WAN Interface NAT Port Forwarding – 8. Create port forwarding rules

• Destination Port: 8005. This is the port clients will use from the Internet to access the internal server: https://WAN-IP:8005
• Click on IP Address Mapping to see how each position maps to an internal cookie-cutter IP address
• Local host IP address
› The position of the IP address from the start of the IP address block
› For /24 subnets, position 1 = .2, position 2 = .3, etc.
LAB: WAN Interface NAT Port Forwarding – 9. Review your port forwarding rules

• Review your port forwarding rules
• Click Save
• Click OK
LAB: WAN Interface NAT Port Forwarding – 10. Save the network
• Review your Network
• Click Save
• Click OK
LAB: WAN Interface NAT Port Forwarding – 11. Save your Network Policy

• Click Continue to save your Network Policy and proceed to device updates
LAB: WAN Interface NAT Port Forwarding – 12. Select the router

• Choose the current policy filter and select your router
• Click Update Devices and perform a complete upload
LAB: WAN Interface NAT Port Forwarding – 13. Verify port forwarding rules

• Monitor > Routers
• Select your Router
• Click on Utilities… > SSH Client
• Click on Connect
• Type: show ip iptables nat
LAB: WAN Interface NAT Port Forwarding – 14. Verify port forwarding rules
Note: Resize the window to see the port-forwarding rules
• CLI command: sh ip iptables nat
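The position-to-address rule from step 8 and the DHCP-exclusion requirement from step 4, worked through for the two web servers on the earlier diagram. This is an added example written for this page, not Aerohive code: the reserved-port set is a constructed stand-in for what View Aerohive Ports shows, and the exclusion size is the 10 addresses reserved in the cookie-cutter lab.

```python
import ipaddress
from dataclasses import dataclass

# Cookie-cutter lab step 4 reserved 10 addresses at the start of the DHCP pool.
# The pool is counted from .1, so .1-.10 are never handed out by DHCP.
DHCP_EXCLUDED_AT_START = 10

# Placeholder for the "View Aerohive Ports" list; constructed, the real list is
# only shown in HiveManager.
AEROHIVE_RESERVED_PORTS = {22, 80, 443}


@dataclass(frozen=True)
class ForwardRule:
    """One rule as entered in the lab form."""
    destination_port: int    # port clients use on the WAN IP, e.g. 8005
    host_position: int       # Local Host IP Address Position
    internal_port: int       # port the internal server listens on, e.g. 80
    protocol: str = "TCP"


def position_to_host(subnet, position):
    """Position n is the n-th address after the .1 gateway: 1 -> .2, 2 -> .3, ..."""
    subnet = ipaddress.ip_network(subnet)
    if position < 1 or position > subnet.num_addresses - 3:
        raise ValueError(f"position {position} is outside {subnet}")
    return subnet.network_address + position + 1


def host_to_position(subnet, host_ip):
    """Inverse mapping: the position that reaches host_ip (10.1.1.5 -> 4)."""
    subnet = ipaddress.ip_network(subnet)
    host_ip = ipaddress.ip_address(host_ip)
    if host_ip not in subnet:
        raise ValueError(f"{host_ip} is not in {subnet}")
    return int(host_ip) - int(subnet.network_address) - 1


def validate_rule(rule, existing):
    """Checks worth running before saving a rule; returns a list of problems (empty = OK)."""
    problems = []
    if rule.destination_port in AEROHIVE_RESERVED_PORTS:
        problems.append(f"WAN port {rule.destination_port} is already used by the router")
    if any(r.destination_port == rule.destination_port and r.protocol == rule.protocol
           for r in existing):
        problems.append(f"WAN port {rule.destination_port}/{rule.protocol} is already forwarded")
    # The target host is .(position + 1); it must sit inside the DHCP exclusion so
    # the server can hold that address statically at every site.
    if rule.host_position + 1 > DHCP_EXCLUDED_AT_START:
        problems.append(f"position {rule.host_position} maps into the DHCP pool; extend the exclusion")
    return problems


def resolve(rule, wan_ip, branch_subnet):
    """Outside -> inside mapping this rule produces on one branch."""
    host = position_to_host(branch_subnet, rule.host_position)
    return (f"{wan_ip}:{rule.destination_port}", f"{host}:{rule.internal_port}")


def branch_table(rules, wan_ip, branch_subnet):
    """All rules resolved for one branch, in the shape of the diagram's NAT Port Forwarding Rules."""
    return [resolve(r, wan_ip, branch_subnet) for r in rules]


if __name__ == "__main__":
    # The diagram's two web servers, 10.1.1.5 and 10.1.1.6, behind WAN 2.1.1.100.
    rules = [ForwardRule(8005, host_to_position("10.1.1.0/24", "10.1.1.5"), 80),
             ForwardRule(8006, host_to_position("10.1.1.0/24", "10.1.1.6"), 80)]
    for outside, inside in branch_table(rules, "2.1.1.100", "10.1.1.0/24"):
        print(f"Outside: {outside}  Inside: {inside}")
```

Because the same rule set is pushed to every cookie-cutter branch, the inside address differs per site only in the WAN IP; the position and internal port stay the same.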
THE MANAGEMENT NETWORK

Aerohive Management Network

• Management Network – Every AP, router, and VPN gateway has a logical management interface for:
› CAPWAP communication with HiveManager;
› cooperative control protocols like AMRP and DNXP;
› and management services like SNMP, SYSLOG, SCP, and SSH.
Diagram: BR200 router with an Internet uplink and two APs (one connected by cable over PoE, one by mesh); each device has interface mgt0 on VLAN 1, with 172.18.0.1/24, 172.18.0.2/24, and 172.18.0.3/24
Aerohive Management Network
• Management subnets can be assigned to a VLAN within the unified network policy
Aerohive Management Network

• Just like internal networks, management subnets can be partitioned from a parent network and then assigned dynamically by HiveManager.
• Management subnets can also be assigned with device classification.
Aerohive Router Interfaces
Diagram: Router WAN Port Eth0 192.168.1.10/24, no VLAN
Logical IP Interfaces: mgt0 (Management) 172.18.0.1/24, VLAN 1; mgt0.1 10.102.0.1/24, VLAN 102 – Employee; mgt0.2 172.16.102.1/24, VLAN 202 – Guest
Ethernet Switch Ports Eth1 – Eth4, Layer 2
• Assigned to VLANs and Networks by LAN Profiles
• May be 802.1Q VLAN Trunk ports or access ports

Interfaces mgt0.1 through mgt0.16 may be created, each supporting routing for a different IP network.
ENABLE 802.1Q VLAN TRUNKING ON A LAN PORT

Configuring 802.1Q on a Router Port – Policies
Diagram: BR100 router
Logical IP Interfaces: mgt0 (Management) 172.18.0.1/24, VLAN 1; mgt0.1 10.102.0.1/24, Employee – VLAN 10; mgt0.2 10.202.0.1/24, Voice – VLAN 2; mgt0.3 192.168.83.1/24, Guest – VLAN 8; mgt0.4 172.28.0.1/25, VLAN 1 (Native)
AP: Logical IP Interface mgt0 (Management) 172.18.0.1/24, VLAN 1; Layer 2 Interfaces VLAN 1 (Native); SSID Class-PSK – Employee, VLAN 10; SSID Class-Voice – Voice, VLAN 2; SSID Class-Guest – Guest, VLAN 8
802.1Q VLAN Trunk between router and AP carrying VLANs 1 (Native), 2, 8, 10

Note: You should define a native network using VLAN 1, which must match the native VLAN configured for the management interface, which by default is 1.
ROUTER STATEFUL FIREWALL POLICY – MORE THAN JUST THE 5-TUPLE

Router Firewall – General Guidelines
• Router firewall is not the same firewall used in User Profiles for Aerohive access points
• Firewall rules are applied in the branch router for both wireless and wired traffic
• AP firewall can still be used for wireless clients if so desired
• L7 not yet supported in the router firewall
Diagram: Internet – Branch Router (router firewall for wired and wireless traffic) – PoE – AP (AP firewall for wireless traffic only)

Router Firewall – General Guidelines
• Rules are processed top down and the first matching rule is used
• After a rule is matched a stateful session is created using:
› Source IP, Destination IP, IP Protocol, Source Port, Destination Port
› The reverse session is also created for return traffic
• More than just an IP firewall, the router firewall can look at:
› Traffic Source:
» IP Network, IP Range, Network Object, User Profile, VPN, or IP Wildcard
› Traffic Destination:
» IP Network, IP Range, Network Object, VPN, IP Wildcard, Hostname
Aerohive Stateful Firewall

Diagram: Inside client 10.5.1.102 – Router (Firewall Policies: Default Action: Deny) – Internet – Web Server 72.20.106.66

HTTP – initiated from inside the network to a web server on the Internet:
Source IP     Dest IP       Proto    Source Port  Dest Port  Data
10.5.1.102    72.20.106.66  6 (TCP)  3456         80         HTTP Get

HTTP Response is permitted because the firewall in the router is stateful (shown after NAT):
Source IP     Dest IP       Proto    Source Port  Dest Port  Data
72.20.106.66  10.5.1.102    6 (TCP)  80           3456       HTTP Reply

The stateful firewall engine opens a pinhole for this session, allowing return traffic for this session

Lab: Router Firewall for Guests – 1. Create a Router Firewall Profile
To implement a router firewall
• In your network policy, next to Router Firewall, click Choose
• In Choose Firewall click New
Lab: Router Firewall for Guests – 2. Create a user profile rule

• Enter a Policy Name: Firewall-X
• Configure a user profile-based firewall policy rule
• Select a source: User Profile, Guests-X
• Select a destination: IP Network, 10.0.0.0/255.0.0.0
• Service: [-any-]
• Action: Deny
• Logging: Disable
• Click Apply
Lab: Router Firewall for Guests – 3. Create another user profile rule

Your rule should appear

• Under Policy Rules, click New
• Configure a user profile-based firewall policy rule
• Select a source: User Profile, Guests-X
• Select a destination: IP Network, 172.16.0.0/255.240.0.0
• Service: [-any-]
• Action: Deny
• Logging: Disable
• Click Apply
Lab: Router Firewall for Guests – 4. Create one more user profile rule

Your rule should appear

• Under Policy Rules, click New
• Configure a user profile-based firewall policy rule
• Select a source: User Profile, Guest-X
• Select a destination: IP Network, 192.168.0.0/255.255.255.0
• Service: [-any-]
• Action: Deny
• Logging: Disable
• Click Apply
Lab: Router Firewall for Guests – 5. Create a clean-up allow all rule

Create a clean up rule

• Under Policy Rules, click New
• Configure a user profile-based firewall policy rule
• Select a source: [-any-]
• Select a destination: [-any-]
• Service: [-any-]
• Action: Permit
• Logging: Disable
• Click Apply
Lab: Router Firewall for Guests – 6. Verify your firewall policy rules and save

• Select the radio button for the Default Rule to Deny all
› Note: This is not needed, but it is a good general practice.
• This policy denies access to any private IP address through the router, and allows everything else
• Also, you can drag and drop the rules to change their order
• Click Save
Lab: Router Firewall for Guests – 7. Create a Router Firewall Profile

• Verify that your Router Firewall is applied: Firewall-X
• Click Save
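The HTTP exchange from the Aerohive Stateful Firewall slide and the Firewall-X rules from the lab above, run through a small top-down, first-match, stateful engine that creates the 5-tuple session and its reverse on a permit. This is an added example written for this page, not Aerohive's firewall implementation; the client-to-profile map, the guest client address and the single inside-out permit rule used for the slide flow are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int      # 6 = TCP, 17 = UDP
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    """Source is a user profile and/or IP network, destination an IP network; None means any."""
    action: str                          # "permit" or "deny"
    src_profile: Optional[str] = None
    src_net: Optional[str] = None
    dst_net: Optional[str] = None


class StatefulFirewall:
    def __init__(self, rules, profile_of, default="deny"):
        self.rules = rules
        self.profile_of = profile_of     # client IP -> user profile (constructed; from auth in practice)
        self.default = default           # the policy's Default Rule
        self.sessions = set()            # 5-tuples with an open pinhole

    @staticmethod
    def _forward(p):
        return (p.src, p.dst, p.proto, p.sport, p.dport)

    @staticmethod
    def _reverse(p):
        return (p.dst, p.src, p.proto, p.dport, p.sport)

    def _matches(self, rule, p):
        if rule.src_profile and self.profile_of.get(p.src) != rule.src_profile:
            return False
        if rule.src_net and ipaddress.ip_address(p.src) not in ipaddress.ip_network(rule.src_net):
            return False
        if rule.dst_net and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(rule.dst_net):
            return False
        return True

    def first_match(self, p):
        """Rules are processed top down; return the index of the first match, or None."""
        for i, rule in enumerate(self.rules):
            if self._matches(rule, p):
                return i
        return None

    def process(self, p):
        """'permit (session)' for traffic of an open session, else the first rule's action or the default."""
        if self._forward(p) in self.sessions:
            return "permit (session)"
        i = self.first_match(p)
        action = self.default if i is None else self.rules[i].action
        if action == "permit":
            # Stateful session on the 5-tuple, plus the reverse session for replies.
            self.sessions.add(self._forward(p))
            self.sessions.add(self._reverse(p))
        return action


# Firewall-X from the lab: deny guests to private ranges, then a clean-up permit.
LAB_RULES = [
    Rule("deny", src_profile="Guests-X", dst_net="10.0.0.0/8"),
    Rule("deny", src_profile="Guests-X", dst_net="172.16.0.0/12"),
    Rule("deny", src_profile="Guests-X", dst_net="192.168.0.0/24"),
    Rule("permit"),
]
PROFILES = {"192.168.83.10": "Guests-X"}   # constructed guest client on the Guest VLAN

# Policy assumed for the stateful-firewall slide: inside hosts out, default deny.
SLIDE_RULES = [Rule("permit", src_net="10.5.1.0/24")]


def slide_flow():
    """The slide's HTTP GET, its reply (pinhole), and an unsolicited inbound packet."""
    fw = StatefulFirewall(SLIDE_RULES, {})
    get = fw.process(Packet("10.5.1.102", "72.20.106.66", 6, 3456, 80))
    reply = fw.process(Packet("72.20.106.66", "10.5.1.102", 6, 80, 3456))
    unsolicited = fw.process(Packet("72.20.106.66", "10.5.1.102", 6, 80, 9999))
    return get, reply, unsolicited
```

Reversing LAB_RULES so the clean-up permit comes first makes the three guest deny rules unreachable, which is why the rule order (and the drag-and-drop reordering in step 6) matters.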
Remember this? - Routes Learned via OSPF and Between the VA and Branch Routers
• Routers (VPN clients) ask the VPN Gateway for updated route information and provide their own route changes over the VPN tunnel every minute by default using a TCP request
Diagram: HQ VPN Gateway in front of the corporate network 10.1.0.0/16, with three BR100 branch routers reached over the Internet through Tunnel A, Tunnel B, and Tunnel C
VPN Gateway routes: 10.1.0.0/16 to Corp Router; 172.28.0.0/24 to VPN tunnel A; 172.28.1.0/24 to VPN tunnel B; 172.28.2.0/24 to VPN tunnel C; 0.0.0.0/0 to Internet Gateway
Branch with local network 172.28.0.0/24: routes 10.1.0.0/16, 172.28.1.0/24, and 172.28.2.0/24 through the VPN tunnel; 0.0.0.0/0 to Internet Gateway
Branch with local network 172.28.1.0/24: routes 10.1.0.0/16, 172.28.0.0/24, and 172.28.2.0/24 through the VPN tunnel; 0.0.0.0/0 to Internet Gateway
Branch with local network 172.28.2.0/24: routes 10.1.0.0/16, 172.28.0.0/24, and 172.28.1.0/24 through the VPN tunnel; 0.0.0.0/0 to Internet Gateway
Router Firewall can be used to block communications between branch offices
(Diagram: the same routing topology as the previous slide.)
WEB PROXY FOR SECURING WEB-BASED TRAFFIC

Cloud Proxy – How does it work?

1. Client makes an HTTP/HTTPS request
2. Aerohive BR checks if the client network is configured to use web security
3. Aerohive BR confirms the traffic is not destined for resources across the tunnel and is not whitelisted as trusted
4. Traffic is forwarded with client identity to the cloud security partner and processed based on identity
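The four-step decision above as a single function, together with the fail-closed option the lab offers later (Deny all outbound HTTP and HTTPS traffic if connectivity to the web security server is lost) and the default-domain rule for the forwarded identity. This is an added example written for this page, not Aerohive code; the network definitions, whitelist syntax (exact host or a "*.suffix" pattern), proxy-health flag and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

WEB_PORTS = {80, 443}            # HTTP/HTTPS is what the cloud proxy handles
DEFAULT_DOMAIN = "ah-lab.com"    # the lab's Default Domain setting


@dataclass
class NetworkConfig:
    subnet: str
    web_security: bool               # Websense chosen under Web Security for this network
    deny_if_proxy_down: bool = True  # deny outbound HTTP/HTTPS if the security server is unreachable


@dataclass
class BranchRouter:
    networks: list                   # NetworkConfig per router interface
    tunnel_routes: list              # prefixes reached across the Layer 3 VPN
    whitelist: set                   # Web Security Whitelist; assumed syntax: exact host or "*.suffix"
    proxy_reachable: bool = True     # constructed health flag for the cloud security partner


def client_identity(user, domain=None):
    """Identity forwarded with the request; the default domain applies when the login carried none."""
    return f"{user}@{domain or DEFAULT_DOMAIN}"


def whitelisted(host, whitelist):
    host = host.lower()
    for entry in whitelist:
        entry = entry.lower()
        if entry.startswith("*."):
            if host == entry[2:] or host.endswith(entry[1:]):
                return True
        elif host == entry:
            return True
    return False


def crosses_tunnel(router, dst_ip):
    dst = ipaddress.ip_address(dst_ip)
    return any(dst in ipaddress.ip_network(p) for p in router.tunnel_routes)


def decide(router, client_ip, dst_host, dst_ip, dst_port):
    """Return 'tunnel', 'direct', 'proxy' or 'deny' for one client request (steps 1-4)."""
    client = ipaddress.ip_address(client_ip)
    net = next((n for n in router.networks if client in ipaddress.ip_network(n.subnet)), None)
    normal = "tunnel" if crosses_tunnel(router, dst_ip) else "direct"
    # Step 2: only HTTP/HTTPS from a network configured for web security is a candidate.
    if net is None or not net.web_security or dst_port not in WEB_PORTS:
        return normal
    # Step 3: resources across the tunnel and whitelisted hosts are never sent to the proxy.
    if normal == "tunnel" or whitelisted(dst_host, router.whitelist):
        return normal
    # Step 4: forward with identity to the cloud partner, or fail closed if it is unreachable.
    if not router.proxy_reachable:
        return "deny" if net.deny_if_proxy_down else "direct"
    return "proxy"
```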
Web Security Using Websense Cloud Web Proxy

To configure Cloud Web Security, from HiveManager go to Home > Administration > HiveManager Services
• Check the box next to Websense Server Settings
• Check the box next to Enable Websense Server Settings
• Enter the Account ID and Security key that were displayed for your Websense account
• Default Domain: ah-lab.com
• Click Update

Note: The default domain is only used if users do not authenticate to access the network using a mechanism that requires a domain name for login
Web Security Using Websense Cloud Web Proxy

You can use the default Web Security Whitelist to specify safe URLs that do not need to be sent through web security
• Next to Web Security Whitelist, select QS-WebSense-Whitelist
• Click Update

Note: To create your own whitelist, or clone the quick start whitelists to make your own additions, go to: Configuration > Show Nav > Advanced Configuration > Common Objects > Device Domain Objects
Web Security Using Cloud Proxy

To get started with Cloud Web Security, from HiveManager go to Home > Administration > HiveManager Services
• Check the box next to Websense Server Settings
• Click the “here” link to sign up for a free 30-day trial
• Sign up for a free 30-day Websense trial

LAB: CLOUD PROXY

LAB: Cloud proxy – 1. Edit employee network settings
• Cloud Web Proxy is enabled within a Network Policy
• You may only want to enable this service for corporate employees
• Next to your Class-PSK-X SSID, under Network(VLAN) click your network: 10.1.1.0-Employee-X
• Click on the icon to edit your network
LAB: Cloud proxy – 2. Enable web security

• In the network for employees, next to Web Security, select Websense from the drop-down menu
• You can keep the option to Deny all outbound HTTP and HTTPS traffic if connectivity to the web security server is lost
• Click Save and then OK

LAB: Cloud proxy – 3. Edit guest network settings
• Cloud Web Proxy is enabled within a Network Policy
• You may only want to enable this service for corporate employees
• Next to your Class-PSK-X SSID, under Network(VLAN) click your network: 192.168.83.0-Guest-X
• Click on the icon to edit your network
LAB: Cloud proxy – 4. Enable web security

• In the network for employees, next to Web Security, select Websense from the drop-down menu
• You can keep the option to Deny all outbound HTTP and HTTPS traffic if connectivity to the web security server is lost
• Click Save and then OK
LAB: Cloud proxy – 5. Verify web security

• Note that web security is enabled
• Click Continue to save and go to updates
LAB: Cloud proxy – 6. Upload policy to branch router

• Update the configuration of your router
• Click Settings to perform a complete update
TEST CLOUD WEB SECURITY
INSTRUCTOR DEMO – INSTRUCTOR MUST HAVE CONFIGURED THE CLASSROOM ROUTER FOR CLOUD PROXY

Lab: Test LAN Port Web Security – 1. Connect your computer to Eth1 on the Router
• Connect the Ethernet Port 2 of your computer to the ETH2 interface on the router
Lab: Test LAN Port Web Security – 2. Open web browser to a website
• Open a web browser on your remote computer to a respectable website
• You will be redirected to a captive web portal
Lab: Test LAN Port Web Security – 3. Log in through the captive web portal

• Enter a user name: lanuser
• Password: Aerohive1
• Click Log In
Lab: Test LAN Port Web Security – 4. Test a web site that is forbidden

• Open a web browser and try going to: www.guns.com
• You should be redirected to a web page informing you that access to the site was denied
• This will be denied because the Websense policy used has a rule against sites that provide information about, promote, or support the sale of weapons and related items
Websense Cloud Web Security Policies
• From the Websense Cloud Web Security login, you can set the web categories policies, web content security, and much more...
Note: Here you can see that there is a rule blocking Weapons sites
MISC

Overwrite protection for NetConfig UI WAN settings

• By default, the WAN settings of a branch router originally set up using the NetConfig UI are protected from being overwritten by updates pushed to it from HiveManager at a later date.
• To disable the NetConfig UI settings protection for the BRs, click Configuration > Devices, select one or multiple BRs, and then click Utilities > Disable NetConfig UI WAN Configuration.

Protects the NetConfig UI based WAN port configuration of BRs and routing devices
THANK YOU – REALLY!!