Controller based AP Training

Transcript

1. Wireless Controller and Fit Access Point Training C.K.Ng

2. Agenda • AC/AP Basic Setup • Switch Configuration • 802.1x/MAC

   Authentication • Captive Portal • Mitigate Wireless Interference and Improve Performance • AC Cluster

3. Controller-based Product List Model EWS4502 EWS4606 Product Type Wireless Access

   Controller Wireless Access Controller Description - 2 x GE, manage 500 pcs AP - Support 3+1 clustering backup - 6 x GE with 2 x USB, manage 2000pcs AP - Support 3+1 clustering backup Wireless Access Controller Model ECW7220-L Product Type Indoor AP Description 11ac, dual band 3x3 MIMO Controller-based AP

4. Controller based Wireless Network Scenario

5. Scenario ECS2100-10P 192.168.1.10 EWS4502 WiFi Controller 192.168.1.1 192.168.1.2 ECW7220L 11ac

   AP 192.168.1.11 Internet Laptop HQ_Staff Vlan 10 Smart Phone HQ_Guest Vlan 20 PVID =1 Vid=10,20 tagged PVID =1 Vid=10,20 tagged PVID =1 Vid=1 untagged DHCP Server 192.168.1.200 PVID =1 Vid=1 untagged PVID =1 Vid=1,10,20 tagged ECS4620-28P/52P GE L3 PoE Switch 192.168.2.1 ECW7220L 11ac AP 192.168.1.11 Laptop HQ_Staff Vlan 30 Smart Phone HQ_Guest Vlan 40 PVID =1 Vid=30,40 tagged PVID =1 Vid=30,40 tagged HQ Branch Office ECS4620-28F GE L3 Fiber Switch 192.168.2.1

6. HQ Topology ECS2100-10P 192.168.1.10 EWS4502 WiFi Controller 192.168.1.1 192.168.1.2 ECW7220L

   11ac AP 192.168.1.11 Internet Laptop HQ_Staff Vlan 10 Smart Phone HQ_Guest Vlan 20 PVID =1 Vid=10,20 tagged PVID =1 Vid=10,20 tagged PVID =1 Vid=1 untagged DHCP Server 192.168.1.200 PVID =1 Vid=1 untagged PVID =1 Vid=1,10,20 tagged HQ ECS4620-28F GE L3 Fiber Switch 192.168.2.1

7. Basic Setup of AC

8. Clear Config (Reset to Factory Default)

9. Set IP address on AC

10. Check IP Address on AC

11. Login to AC Web GUI Default Username: admin, No Password

12. Set Country Code Set the country code

13. Modify Band_plan & Country_code for AP • From AP Console,

    check band plan and country code ECW7220-L-ff68c0# nvram show : band_plan=ETSI : country_code=TR : • Change Band plan & Country code ECW7220-L-ff68c0# nvram set band_plan=FCC ECW7220-L-ff68c0# nvram set country_code=US ECW7220-L-ff68c0# nvram commit ECW7220-L-ff68c0# factory-reset Are you sure you want to reset the system to factory defaults (y/n)? y

14. Configure Wireless Network

15. Create New Wireless Network (HQ_Staff)

16. Configure Wireless Network (HQ_Staff)

17. Create New Wireless Network (HQ_Guest)

18. Configure Wireless Network (HQ_Guest)

19. 2 Wireless Networks (SSID) Created

20. Create AP Profile

21. Modify Default Profile Enable: Data will keep on forwarding even

    when AP disconnected from AC

22. Modify Radio Configuration of Default Profile

23. Add SSID to Default Profile (5 GHz Radio )

24. Add SSID to Default Profile (2.4 GHz Radio)

25. Manage AP by AC

26. Manage the Discovered AP

27. Managed AP in Local AP Database

28. Reset Managed AP

29. Configuration Provision Successfully

30. Radio Status of Managed AP

31. VAP(SSID) of Managed AP 2 SSID Discovered by WiFi Client

32. Associated Client

33. Save Configuration

34. Save Configuration

35. Configuration of Switch

36. L3 Switch Play DHCP Server Role ECS2100-10P 192.168.1.10 EWS4502 WiFi

    Controller 192.168.1.1 192.168.1.2 ECW7220L 11ac AP 192.168.1.11 Internet Laptop HQ_Staff Vlan 10 Smart Phone HQ_Guest Vlan 20 PVID =1 Vid=10,20 tagged PVID =1 Vid=10,20 tagged PVID =1 Vid=1 untagged PVID =1 Vid=1 untagged PVID =1 Vid=1,10,20 tagged HQ ECS4620-28F GE L3 Fiber Switch 192.168.2.1

37. Configuration of Switch • Create HQ_Staff VLAN & HQ_Guest VLAN

    • Add Port 7 connected to AP VLAN 10, 20 Tagged port • Default VLAN 1 for communication between AP & AC

38. VLAN Configuration of Port Connected to AP

39. Configure HQ_Staff VLAN member port • Configure Port 1 VLAN

    10 member port, Wireless client associated to SSID HQ_Staff can communicate with device connected to port 1

40. Configure HQ_Guest VLAN member port • Configure Port 1 VLAN

    20 member port, Wireless client associated to SSID HQ_Guest can communicate with device connected to port 2

41. Configure IP Interfaces on L3 Switch • Set IP address

    (default gateway) for 3 VLANs (Subnets), so traffic can be routed from one subnet to the other

42. Create DHCP Server IP Pool for Management VLAN • Create

    DHCP server IP pool for management VLAN • Exclude the IP range for static IP such as IP of the AC and Switches • AP will be assigned IP address dynamically after configuration auto- provision from AC

43. Managed AP Obtained IP • AP obtained IP address from

    DHCP Server so will not have IP address conflict with default IP (192.168.1.10)

44. Create DHCP Server IP Pool for HQ_Staff VLAN • Create

    DHCP Server IP Pool for HQ_Staff VLAN so wireless clients associated to HQ_Staff SSID will obtain IP from corresponding subnet dynamically

45. Create DHCP Server IP Pool for HQ_Guest VLAN • Create

    DHCP Server IP Pool for HQ_Guest VLAN so wireless clients associated to HQ_Guest SSID will obtain IP from corresponding subnet dynamically

46. L3 Switch Play DHCP Relay Role ECS2100-10P 192.168.1.10 EWS4502 WiFi

    Controller 192.168.1.1 192.168.1.2 ECW7220L 11ac AP 192.168.1.11 Internet Laptop HQ_Staff Vlan 10 Smart Phone HQ_Guest Vlan 20 PVID =1 Vid=10,20 tagged PVID =1 Vid=10,20 tagged PVID =1 Vid=1 untagged DHCP Server 192.168.1.200 PVID =1 Vid=1 untagged PVID =1 Vid=1,10,20 tagged HQ ECS4620-28F GE L3 Fiber Switch 192.168.2.1

47. DHCP Relay • If there is a DHCP Server in

    the network, configure L3 for DHCP relay, so clients for all subnet will get IP address from DHCP Server

48. Branch Office AC/AP Configuration

49. Branch Office Topology Internet ECS4620-28P/52P GE L3 PoE Switch 192.168.2.1

    ECW7220L 11ac AP 192.168.1.11 Laptop HQ_Staff Vlan 30 Smart Phone HQ_Guest Vlan 40 PVID =1 Vid=30,40 tagged PVID =1 Vid=30,40 tagged Branch Office

50. Remote Fit AP Configuration • AP default IP mode is

    DHCP, default IP is 192.168.1.10 • Need specify AC IP address if they not at the same network • Remember save configuration

51. Set Static IP on Remote AP • Disable DHCP mode

    and set static IP and default gateway on AP • Ping default GW and Remote AC to make sure it can be reachable

52. Set Remote AC IP • Set IP address of the

    Remote AC on Fit AP

53. Remote AP Discovered

54. Create 2 Wireless Network for Branch Office

55. Create Branch Office Profile

56. Add Wireless Network to Profile

57. Select Profile for Managed AP

58. Reboot the AP to change the Profile

59. AP Reboot

60. New Profile Applied

61. Auto-Upgrade Firmware of AP From AC

62. Upload Firmware of AP to AC

63. Upload Firmware of AP to AC

64. Set AP Auto Upgrade

65. Upgrade Firmware of AC

66. Upload AC Firmware

67. Upload AC Firmware

68. Reset Factory Default

69. Reset to Factory Default

70. Captive Portal

71. Captive Portal Topology ECS2100-10P 192.168.1.10 EWS4502 WiFi Controller 192.168.1.1 ECW7220-L

    11ac AP 192.168.1.11 Internet Smart Phone HQ_Guest Vlan 1 PVID =1 Vid=1 untagged PVID =1 Vid=1 untagged PVID =1 Vid=1 untagged DHCP Server 192.168.1.200

72. Enable Captive Portal

73. Enable Captive Portal

74. Set Verification Mode Local

75. Create New User Account

76. Auto Generation User Account

77. Account Generator

78. Account Generated

79. Local User Summary

80. Associate Interface for Captive Portal

81. Associate Interface for Captive Portal

82. Configure the Network for Captive Portal as Native VLAN 1

83. Captive Portal Login Web Page

84. How to set 802.1x/Mac Authentication

85. 802.1x Authentication Scenario EWS4502/EWS4606 RADIUS Server Radius Frames

86. WPA/WPA2 Enterprise with 802.1x Authentication AC: • 1. Add RADIUS

    server and Accounting Server • 2. Go to AP profiles, enabled Security with WPA/WPA2 Enterprise

87. RADIUS Configuration Enabled Accounting Mode

88. RADIUS Server Configuration Add RADIUS server

89. Accounting Server Configuration Add Accounting Server

90. AP Profiles Enabled Security with WPA/WPA2 Enterprise at AP Profiles

91. Remote RADIUS MAC Authentication Scenario EWS4502/EWS4606 Radius Frames CAPWAP Frames

    RADIUS Server

92. Remote RADIUS MAC Authentication Radius Server: • 1. Create account

    username with client MAC address, password with NOPASSWORD AC: • 1. At WLAN Configuration>Global, set MAC Authentication Mode to white-list • 2. Go to AP Profiles, set MAC Authentication as RADIUS at the VAP

93. Global At WLAN Configuration>Global, set MAC Authentication Mode to white-list

94. AP Profiles Set MAC Authentication as RADIUS at the AP

    Profile

95. Local MAC Authentication Scenario EWS4502/EWS4606 CAPWAP Frames

96. Local MAC Authentication • 1. At WLAN Configuration>Global, set MAC

    Authentication Mode to white-list • 2. At WLAN Configuration>Known Client, add client MAC address and select Authentication Action as Global Action • 3. Go to AP Profiles, set MAC Authentication as Local at VAP

97. Known Client Add client MAC address and select Authentication Action

    as Global Action

98. AP Profiles Set MAC Authentication as Local at AP Profiles

99. Tip • Accounting can work independence with others authentication method

100. Radius Accounting Frames

101. Mitigate Wireless Interface And Improve Performance

102. Automatic Channel

103. Automatic Power

104. RF Management Go to RF Management, modify Channel Plan Mode

     and Power Adjustment Mode

105. AP Profiles Make sure Automatic Channel and Automatic Power is

     enabled

106. Band Steering 2.4Ghz 5Ghz SSID : Taipei-Free SSID : Taipei-Free

     Dual Band User

107. AP Profiles Enabled Band Steering Configuration

108. AP Load Balance and Maximum Clients AP 1 AP 2

     AP 3 Full !! Full !! Wireless Clients

109. AP Profile Enabled AP Load Balance

110. AP Profiles Set maximum Clients at Radio

111. AP Profiles Or set Maximum Clients at VAP

112. Client Bandwidth Limitation 512kbps 512kbps New User

113. AP Profiles Set Client Bandwidth Limitation

114. VAP Bandwidth Limitation & Equal Share Bandwidth 51200kbps/2 51200kbps/3 New

     User VAP Bandwidth Limitation 51200kbps 51200kbps/3

115. AP Profiles Set VAP Bandwidth Limitation and enabled Equal Share

     Bandwidth

116. AC Cluster

117. AC Cluster • The switch with highest priority in a

     cluster becomes the Cluster Controller. If the priority is the same then the switch with lowest IP address becomes the Cluster Controller. • The highest cluster priority is 255. • The Cluster Controller collects status and statistics from all the other AC in the cluster, including information about the APs peer switches manage and the clients associated to those APs

118. EWS4502-2 192.168.1.31 EWS4502-1 192.168.1.30 Cluster Controller Peer Group ID :

     1 Cluster Priority : 225 Slave AC Peer Group ID : 1 Cluster Priority : 1 AP managed by Cluster Controller.

119. Status of Cluster Controller

120. Status of slave AC

121. Managed AP Status of slave AC 192.168.1.31 Managed AP Status

     of Cluster Controller 192.168.1.30

122. Slave AC Peer Group ID : 1 Cluster Priority :

     1 Cluster Controller Peer Group ID : 1 Cluster Priority : 225 EWS4502-2 192.168.1.31 EWS4502-1 192.168.1.30 AP managed by slave AC.

123. Status of slave AC 192.168.1.30

124. Status of Cluster Controller 192.168.1.31

125. Managed AP Status of slave AC 192.168.1.30 Managed AP Status

     of Cluster Controller 192.168.1.31
126. None