Brocade Mobility Access Point System Reference Guide

53-1003100-01
20 January 2014
Supporting software release 5.5.0.0 and later
ADX, AnyIO, Brocade, Brocade Assurance, the B-wing symbol, DCX, Fabric OS, ICX, MLX, MyBrocade, OpenScript, VCS, VDX, and Vyatta are registered trademarks, and HyperEdge, The Effortless Network, and The On-Demand Data Center are trademarks of Brocade Communications Systems, Inc., in the United States and/or in other countries. Other brands, products, or service names mentioned may be trademarks of their respective owners.
Notice: This document is for informational purposes only and does not set forth any warranty, expressed or implied, concerning any equipment, equipment feature, or service offered or to be offered by Brocade. Brocade reserves the right to make changes to this document at any time, without notice, and assumes no responsibility for its use. This informational document describes features that may not be currently available. Contact a Brocade sales office for information on feature and product availability. Export of technical data contained in this document may require an export license from the United States government.
The authors and Brocade Communications Systems, Inc. shall have no liability or responsibility to any person or entity with respect to any loss, cost, liability, or damages arising from the information contained in this book or the computer programs that accompany it.
The product described by this document may contain “open source” software covered by the GNU General Public License or other open source license agreements. To find out which open source software is included in Brocade products, view the licensing terms applicable to the open source software, and obtain a copy of the programming source code, please visit http://www.brocade.com/support/oscd.
Brocade Communications Systems, Incorporated
Corporate and Latin American Headquarters Brocade Communications Systems, Inc. 130 Holger Way San Jose, CA 95134 Tel: 1-408-333-8000 Fax: 1-408-333-8101 E-mail: info@brocade.com
European Headquarters Brocade Communications Switzerland Sàrl Centre Swissair Tour B - 4ème étage 29, Route de l'Aéroport Case Postale 105 CH-1215 Genève 15 Switzerland Tel: +41 22 799 5640 Fax: +41 22 799 5641 E-mail: emea-info@brocade.com
Asia-Pacific Headquarters Brocade Communications Systems China HK, Ltd. No. 1 Guanghua Road Chao Yang District Units 2718 and 2818 Beijing 100020, China Tel: +8610 6588 8888 Fax: +8610 6588 9999 E-mail: china-info@brocade.com
Asia-Pacific Headquarters Brocade Communications Systems Co., Ltd. (Shenzhen WFOE) Citic Plaza No. 233 Tian He Road North Unit 1308 – 13th Floor Guangzhou, China Tel: +8620 3891 2000 Fax: +8620 3891 2111 E-mail: china-info@brocade.com
Document History
Title: Brocade Mobility Access Point System Reference Guide
Publication number: 53-1003100-01
Summary of changes: New Additions for software version 5.5.0.0
Date: January 2014
Contents
About This Document
  Supported hardware and software
  Document conventions
    Text formatting
    Notes, cautions, and warnings
  Related publications
  Getting technical help
Chapter 1 Overview
  About the Brocade Mobility Software
Chapter 2 Web User Interface Features
  Accessing the Web UI
    Browser and System Requirements
    Connecting to the Web UI
  Icon Glossary
    Global Icons
    Dialog Box Icons
    Table Icons
    Status Icons
    Configurable Objects
    Configuration Objects
    Configuration Operation Icons
    Access Type Icons
    Administrative Role Icons
    Device Icons
Chapter 3 Quick Start
  Using the Initial Setup Wizard
    Typical Setup Wizard
    Advanced Setup Wizard
Chapter 4 Dashboard
  Dashboard
    Dashboard Conventions
  Network View
    Network View Display Options
    Device Specific Information
Chapter 5 Device Configuration
  RF Domain Configuration
    RF Domain Sensor Configuration
    RF Domain Alias Configuration
  System Profile Configuration
    General Profile Configuration
    Profile Radio Power
    Profile Adoption (Auto Provisioning) Configuration
    Profile Wired 802.1X Configuration
    Profile Interface Configuration
    Profile Network Configuration
    Profile Security Configuration
    Virtual Router Redundancy Protocol (VRRP) Configuration
    Profile Critical Resources
    Profile Services Configuration
    Profile Management Configuration
    Mesh Point Configuration
    Advanced Profile Configuration
    Environmental Sensor Configuration
  Managing Virtual Controllers
  Overriding a Device Configuration
    Basic Configuration
    Certificate Management
    RF Domain Overrides
    Wired 802.1X Overrides
    Device Overrides
  Managing an Event Policy
Chapter 6 Wireless Configuration
  Wireless LANs
    Basic WLAN Configuration
    Configuring WLAN Security
    Configuring WLAN Firewall Support
    Configuring Client Settings
    Configuring WLAN Accounting Settings
    Configuring Service Monitoring Settings
    Configuring Client Load Balancing
    Configuring Advanced WLAN Settings
    Configuring Auto Shutdown Settings
  WLAN QoS Policy
    Configuring QoS WMM Settings
    Configuring a WLAN’s QoS Rate Limit Settings
    Configuring Multimedia Optimizations
  Radio QoS Policy
    Configuring a Radio’s QoS Policy
  Association ACL
    Association ACL Deployment Considerations
  SMART RF
    Smart RF Configuration and Deployment Considerations
  MeshConnex Policy
  Mesh QoS Policy
  Passpoint Policy
Chapter 7 Network configuration
  Policy Based Routing (PBR)
  L2TP V3 Configuration
  AAA Policy
  AAA TACACS Policy
  Alias
    Network Basic Alias
    Network Group Alias
    Network Service Alias
  Network Deployment Considerations
Chapter 8 Getting Started with the Mobile Computer
  Wireless Firewall
    Defining a Firewall Configuration
  Configuring IP Firewall Rules
  Device Fingerprinting
  Configuring MAC Firewall Rules
  Wireless IPS (WIPS)
  Device Categorization
  Security Deployment Considerations
Chapter 9 Getting Started with the Mobile Computer
  Configuring Captive Portal Policies
    Configuring a Captive Portal Policy
  Setting the DNS Whitelist Configuration
  Setting the DHCP Server Configuration
    Defining DHCP Pools
    Defining DHCP Server Global Settings
    DHCP Class Policy Configuration
  Setting the RADIUS Configuration
    Creating RADIUS Groups
    Defining User Pools
    Configuring the RADIUS Server
  Services Deployment Considerations
Chapter 10 Getting Started with the Mobile Computer
  Creating Administrators and Roles
  Setting the Access Control Configuration
  Setting the Authentication Configuration
  Setting the SNMP Configuration
  SNMP Trap Configuration
  Management Access Deployment Considerations
Chapter 11 Diagnostics
  Fault Management
  Crash Files
  Advanced
    UI Debugging
    View UI Logs
    View Sessions
Chapter 12 Getting Started with the Mobile Computer
  Devices
    Managing Firmware and Configuration Files
    Rebooting the Device
    Locating a Device
    Upgrading Device Firmware
    Viewing Device Summary Information
    Adopted Device Upgrades
    File Management
    Adopted Device Restart
    Captive Portal Pages
    Re-elect Controller
  Certificates
    Certificate Management
    RSA Key Management
    Certificate Creation
    Generating a Certificate Signing Request (CSR)
  Smart RF
    Managing Smart RF for a RF Domain
  Operations Deployment Considerations
Chapter 13 Statistics
  System Statistics
    Health
    Inventory
    Adopted Devices
    Pending Adoptions
    Offline Devices
    Device Upgrade
    Licenses
  RF Domain Statistics
    Health
    Inventory
    Devices
    AP Detection
    Wireless Clients
    Device Upgrade
    Wireless LANs
    Radios
    Mesh
    Mesh Point
    SMART RF
    WIPS
    Captive Portal
  Access Point Statistics
    Health
    Device
    Device Upgrade
    Adoption
    AP Detection
    Wireless Clients
    Wireless LANs
    Policy Based Routing
    Radios
    Mesh
    Interfaces
    RTLS
    PPPoE
    OSPF
    L2TPv3 Tunnels
    VRRP
    Critical Resources
    LDAP Agent Status
    GRE Tunnels
    Dot1x
    Network
    DHCP Server
    Firewall
    VPN
    Certificates
    WIPS
    Sensor Servers
    Captive Portal
    Network Time
    Load Balancing
    Environmental Sensors (AP8132 Models Only)
  Wireless Client Statistics
    Health
    Details
    Traffic
    WMM TSPEC
    Association History
    Graph

About This Document

Supported hardware and software

This manual supports the following Access Point, controller and service platform models:
Wireless Controllers – Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000
Service Platforms – Brocade Mobility RFS9510
Access Points – Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 7131 Access Point, Brocade Mobility 1240 Access Point

Document conventions

This section describes text formatting conventions and important notice formats used in this document.

Text formatting

The narrative-text formatting conventions that are used are as follows:
bold text
  Identifies command names
  Identifies the names of user-manipulated GUI elements
  Identifies keywords
  Identifies text to enter at the GUI or CLI
italic text
  Provides emphasis
  Identifies variables
  Identifies document titles
code text
  Identifies CLI output
For readability, command names in the narrative portions of this guide are presented in mixed lettercase: for example, controllerShow. In actual examples, command lettercase is often all lowercase. Otherwise, this manual specifically notes those cases in which a command is case sensitive.

Notes, cautions, and warnings

The following notices and statements are used in this manual. They are listed below in order of increasing severity of potential hazards.
NOTE
A note provides a tip, guidance or advice, emphasizes important information, or provides a reference to related information.
CAUTION
A Caution statement alerts you to situations that can be potentially hazardous to you or cause damage to hardware, firmware, software, or data.
DANGER
A Danger statement indicates conditions or situations that can be potentially lethal or extremely hazardous to you. Safety labels are also attached directly to products to warn of these conditions or situations.

Related publications

The following Brocade Communications Systems, Inc. documents supplement the information in this guide and can be located at http://www.brocade.com/ethernetproducts.
Brocade Mobility RFS Controller System Reference Guide (this document) - Describes configuration of the Brocade wireless controllers using the Web UI.
Brocade Mobility RFS Controller CLI Reference Guide - Describes the Command Line Interface (CLI) and Management Information Base (MIB) commands used to configure the Brocade controllers.
If you find errors in the guide, send an e-mail to documentation@brocade.com.

Getting technical help

To contact Technical Support, go to http://www.brocade.com/services-support/index.page for the latest e-mail and telephone contact information.

Chapter 1 Overview

Brocade's family of Mobility 5.5 supported access points enables high performance with secure and resilient wireless voice and data services to remote locations, with the scalability required to meet the needs of large distributed enterprises.
Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 7131 Access Point, and Brocade Mobility 1240 Access Points can now use Mobility software as their onboard operating system. The unique Mobility software enables the access point to function as a Standalone “thick” access point, or a Virtual Controller AP capable of adopting and managing up to 24 access points of the same model.
When deploying an access point as a pure Virtual Controller AP, with no RFS Series controllers available anywhere on the network, the access point itself is a controller supporting other access points of the same model. The Virtual Controller AP can:
Provide firmware upgrades for connected access points
Aggregate statistics for the group of access points the Virtual Controller is managing
Be the single point of configuration for that deployment location
The recommended way to administer a network populated by numerous access points is to configure them directly from the Virtual Controller AP. If a single access point configuration requires an update from the Virtual Controller AP’s assigned profile configuration, the administrator should apply a Device Override to change just that access point’s configuration. For more information on applying an override to an access point’s Virtual Controller AP assigned configuration and profile, see Device Overrides on page 5-244.
The Mobility architecture is a solution designed for 802.11n networking. It leverages the best aspects of independent and dependent architectures to create a smart network that meets the connectivity, quality and security needs of each user and their applications, based on the availability of network resources including wired networks. By distributing intelligence and control amongst access points, a Mobility network can route directly via the best path, as determined by factors including the user, location, the application and available wireless and wired resources. Mobility extends the differentiation Brocade offers to the next level, by making available services and security at every point in the network. Access point managed traffic flow is optimized to prevent wired congestion and wireless congestion. Traffic flows dynamically, based on user and application, and finds alternate routes to work around network choke points.
This guide describes the installation and use of the Mobility software designed specifically for Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 7131 Access Point, and Brocade Mobility 1240 Access Points. It does not describe the version of the Mobility software designed for use with the Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000, and Brocade Mobility RFS9510. For information on using Mobility in a controller managed network, go to http://supportcentral.motorolasolutions.com/support/product/manuals.do

About the Brocade Mobility Software

The Mobility architecture is a solution designed for 802.11n networking. It leverages the best aspects of independent and dependent architectures to create a smart network that meets the connectivity, quality and security needs of each user and their applications, based on the availability of network resources including wired networks. By distributing intelligence and control amongst access points, a Mobility network can route directly via the best path, as determined by factors including the user, location, the application and available wireless and wired resources. Mobility extends the differentiation Brocade offers to the next level, by making available services and security at every point in the network. Access point managed traffic flow is optimized to prevent wired congestion and wireless congestion. Traffic flows dynamically, based on user and application, and finds alternate routes to work around network choke points.
With this latest Mobility release, the network can use access points to adapt to the dynamic circumstances of their deployment environment. The Mobility architecture provides a customized site-specific deployment, supporting the best path and routes based on the user, location, application and the best route available (both wireless and wired). A Mobility access point managed network assures end-to-end quality, reliability and security without latency and performance degradation. A Mobility access point managed network supports rapid application delivery, mixed-media application optimization and quality assurance.
Deploying a new Mobility access point managed network does not require the replacement of existing Brocade access points. Mobility enables the simultaneous use of existing architectures from Brocade and other vendors, even if those other architectures are centralized models. A wireless network administrator can retain and optimize legacy infrastructure while evolving to Mobility as needed.
By distributing intelligence and control amongst access points, a Mobility network can route data directly using the best path. As a result, the additional load placed on the wired network from 802.11n support is significantly reduced, as traffic does not require an unnecessary backhaul.
Within a Mobility network, up to 80% of the network traffic can remain on the wireless mesh, and never touch the wired network, so the 802.11n load impact on the wired network is negligible. In addition, latency and associated costs are reduced while reliability and scalability are increased. A Mobility network enables the creation of dynamic wireless traffic flows, so bottlenecks can be avoided, and the destination is reached without latency or performance degradation. This behavior delivers a significantly better quality of experience for the end user.
The same distributed intelligence enables more resilience and survivability, since access points keep users connected and traffic flowing with full QoS, security and mobility even if a connection is interrupted due to a wired network or backhaul problem.
When the network is fully operational, sources of interference or unbalanced wireless network loading can be automatically corrected by the access point’s Smart RF functionality. Smart RF senses interference or potential client connectivity problems and makes the required changes to the channel and access point radio power while minimizing the impact to latency sensitive applications like VoIP. Using Smart RF, the network can continuously adjust power and channel assignments for self-recovery if an access point radio fails or a coverage hole is detected.
Additionally, integrated access point sensors, in conjunction with AirDefense Network Assurance, alerts administrators of interference and network coverage problems, which shortens response times and boosts overall reliability and availability of the access point managed network.
Network traffic optimization protects the network from broadcast storms and minimizes congestion on the wired network. The access point managed network provides VLAN load balancing, WAN traffic shaping and optimizations in dynamic host configuration protocol (DHCP) responses and Internet group management protocol (IGMP) snooping for multicast traffic flows in wired and wireless networks. Thus, users benefit from an extremely reliable network that adapts to meet their needs and delivers mixed-media applications.
Firmware and configuration updates are supported from one access point to another, over the air or wire, and can be centrally managed by an access point in Virtual Controller AP mode. Controllers no longer need to push firmware and configurations to individual access points, thus reducing unnecessary network congestion.

Web User Interface Features

The access point’s resident user interface contains a set of features specifically designed to enable either Virtual Controller AP, Standalone AP or Adopt to Controller functionality. In Virtual Controller AP mode, an access point can manage up to 24 other access points of the same model and share data amongst managed access points. In Standalone mode, an access point functions as an autonomous, non adopted, access point servicing wireless clients. If adopted to controller, an access point is reliant on its connected controller for its configuration and management.
For information on how to access and use the access point’s Web UI, see:
Accessing the Web UI
Icon Glossary

Accessing the Web UI

The access point uses a Graphical User Interface (GUI) which can be accessed using any supported Web browser on a client connected to the subnet the Web UI is configured on.

Browser and System Requirements

To access the GUI, a browser supporting Flash Player 11 is recommended. The system accessing the GUI should have a minimum of 1 GB of RAM for the UI to display and function properly. The Web UI is based on Flex, and does not use Java as the underlying UI framework. Brocade recommends using a resolution of 1280 x 1024 pixels for using the GUI.
The following browsers have been validated with the Web UI:
Firefox 3.0 or higher
Internet Explorer 7 or higher
Google Chrome 2.0 or higher
Safari 3 and higher
Opera 9.5 and higher

Connecting to the Web UI

Connect one end of an Ethernet cable to an access point LAN port and connect the other end to a computer with a working Web browser.
Set the computer to use an IP address between 192.168.0.10 and 192.168.0.250 on the connected port. Set a subnet/network mask of 255.255.255.0.
NOTE
The access point’s IP address is optimally provided using DHCP. A zero config IP address can also be derived if DHCP resources are unavailable. Using zero config, the last two octets in the IP address are the decimal equivalent of the last two bytes in the access point’s hardcoded MAC address.
For example:
MAC address - 00:C0:23:00:F0:0A
Zero-config IP address - 169.254.240.10
To derive the access point’s IP address using its MAC address:
1. Open the Windows calculator by selecting Start > All Programs > Accessories > Calculator. This menu path may vary slightly depending on your version of Windows.
2. With the Calculator displayed, select View > Scientific. Select the Hex radio button.
3. Enter a hex byte of the access point’s MAC address. For example, F0.
4. Select the Dec radio button. The calculator converts F0 into 240. Repeat this process for the last access point MAC address octet.
Once obtained, point the Web browser to the access point’s IP address. The following login screen displays:
FIGURE 1 Access Point Web UI Login screen
5. Enter the default username admin in the Username field.
6. Enter the default password admin123 in the Password field.
7. Select the Login button to load the management interface.
If this is the first time the management interface has been accessed, the first screen to display will prompt for a change of the default access point password. Then, a dialogue displays to start the initial setup wizard. For more information on using the initial setup wizard see Using the Initial Setup Wizard on page 3-15.
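The zero-config rule in the note above can be applied to a whole inventory instead of one MAC at a time. The following Python sketch is an added example, not Brocade code: it derives each access point's 169.254.x.y address from its MAC and flags units whose MACs share the last two bytes and would therefore derive the same address. The device names and every MAC other than 00:C0:23:00:F0:0A are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# RFC 3927 reserves the first and last /24 of 169.254.0.0/16. The guide does not
# say how an access point behaves when its MAC maps there, so it is only flagged.
RESERVED_BLOCKS = (
    ipaddress.ip_network("169.254.0.0/24"),
    ipaddress.ip_network("169.254.255.0/24"),
)

# Constructed inventory with hypothetical names. Only the first MAC is the
# guide's own example; the others are sample values.
SAMPLE_INVENTORY = {
    "ap-lobby": "00:C0:23:00:F0:0A",
    "ap-warehouse": "00-C0-23-11-F0-0A",
    "ap-dock": "00c0.2300.1a7f",
    "ap-roof": "00:C0:23:00:00:2B",
}


def parse_mac(mac):
    """Return the 6 raw bytes of a MAC written with ':', '-' or '.' separators."""
    digits = re.sub(r"[:.\-]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def zero_config_ip(mac):
    """169.254 followed by the decimal value of the last two MAC bytes."""
    raw = parse_mac(mac)
    return ipaddress.IPv4Address(bytes([169, 254, raw[4], raw[5]]))


def in_reserved_block(addr):
    """True when the derived address lies in a block RFC 3927 reserves."""
    return any(addr in block for block in RESERVED_BLOCKS)


def find_collisions(inventory):
    """Map each derived address claimed by more than one device to those devices."""
    by_ip = defaultdict(list)
    for name, mac in inventory.items():
        by_ip[str(zero_config_ip(mac))].append(name)
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) > 1}


def build_report(inventory):
    """One row per device: derived address, colliding peers, reserved-range flag."""
    collisions = find_collisions(inventory)
    rows = []
    for name, mac in sorted(inventory.items()):
        addr = zero_config_ip(mac)
        peers = [n for n in collisions.get(str(addr), []) if n != name]
        rows.append({
            "name": name,
            "mac": mac,
            "zero_config_ip": str(addr),
            "shared_with": peers,
            "rfc3927_reserved": in_reserved_block(addr),
        })
    return rows


if __name__ == "__main__":
    for row in build_report(SAMPLE_INVENTORY):
        notes = []
        if row["shared_with"]:
            notes.append("same address as " + ", ".join(row["shared_with"]))
        if row["rfc3927_reserved"]:
            notes.append("inside an RFC 3927 reserved block")
        print(f'{row["name"]:<14}{row["mac"]:<20}{row["zero_config_ip"]:<18}'
              + "; ".join(notes))
```

Running the report against the asset list before a site loses DHCP shows which derived addresses to look for and which of them cannot be told apart by address alone.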

Icon Glossary

The access point interface utilizes a number of icons designed to interact with the system, gather information from managed devices and obtain status. This chapter is a compendium of the icons used, and is organized as follows:
Global Icons
Dialog Box Icons
Table Icons
Status Icons
Configurable Objects
Configuration Objects
Configuration Operation Icons
Access Type Icons
Administrative Role Icons
Device Icons

Global Icons

This section lists global icons available throughout the interface.
Logout – Select this icon to log out of the system. This icon is always available and is located at the top right-hand corner of the UI.
Add – Select this icon to add a row in a table. When this icon is selected, a new row is created in the table, or a dialog box opens where you can enter values for that particular list.
Delete – Select this icon to remove a row from a table. When this icon is clicked, the selected row is immediately deleted.
More Information – Select this icon to display a pop-up with supplementary information that may be available for an item.
Trash – Select this icon to remove a row from a table. When this icon is clicked, the selected row is immediately deleted.
Create new policy – Select this icon to create a new policy. Policies define different configuration parameters that can be applied to device configurations, and device profiles.
Edit policy – Select this icon to edit an existing configuration item or policy. To edit a policy, select the policy and this icon.

Dialog Box Icons

These icons indicate the current state of various controls in a dialog. These icons enable you to gather, at a glance, the status of all the controls in a dialog. The absence of any of these icons next to a control indicates the value in that control has not been modified from its last saved configuration.
Entry Updated – Indicates a value has been modified from its last saved configuration.
Entry Update – States that an override has been applied to a device’s profile configuration.
Mandatory Field – Indicates the control’s value is a mandatory configuration item. You will not be allowed to proceed further without providing all mandatory values in the dialog or the screen.
Error in Entry – Indicates there is an error in a supplied value. A small red popup provides a likely cause of the error.

Table Icons

The following two override icons are status indicators for transactions that need to be committed.
Table Row Overridden – Indicates a change (profile configuration override) has been made to a table row, and the change will not be implemented until saved. This icon represents a change from this device’s profile assigned configuration.
Table Row Added – Indicates a new row has been added to a table, and the change will not be implemented until saved. This icon represents a change from this device’s profile assigned configuration.

Status Icons

These icons define device status, operations on the wireless controller, or any other action that requires a status being returned to the user.
Fatal Error – States there is an error causing a managed device to stop functioning.
Error – Indicates an error exists requiring intervention. An action has failed, but the error is not system wide.
Warning – States a particular action has completed, but some errors were detected that did not stop the process from completing. Intervention might still be required to resolve subsequent warnings.
Success – Indicates everything is well within the network or a process has completed successfully without error.
Information – This icon always precedes information displayed to the user. This may either be a message displaying progress for a particular process, or may just be a message from the system.

Configurable Objects

These icons define configurable items within the UI.
Device Configuration – Represents a configuration file applicable to a device category.
Auto Provisioning Policy – Represents a provisioning policy. Provisioning policies are a set of configuration parameters that define how Access Points and wireless clients are adopted and their management configuration supplied.
Wireless LANs – States an action impacting a WLAN has occurred.
WLAN QoS Policy – States a Quality of Service (QoS) policy configuration has been impacted.
Radio QoS Policy – Indicates a QoS policy configuration has been impacted.
AAA Policy – Indicates an Authentication, Authorization and Accounting (AAA) policy has been impacted. AAA policies define RADIUS authentication and accounting parameters.
Association ACL – Indicates an Association Access Control List (ACL) configuration has been impacted. An ACL is a set of configuration parameters used to set access to managed resources. The association ACL configures the parameters for controlling device associations.
Smart RF Policy – States a Smart RF policy has been impacted. Smart RF enables neighboring APs to take over for an AP that suddenly becomes unavailable. This is accomplished by increasing the power of radios on nearby APs to cover the hole created by the non-functioning AP.
Profile – States a device profile configuration has been impacted. A profile is a collection of configuration parameters used to configure a device or a feature.
Bridging Policy – Indicates a bridging policy configuration has been impacted. A bridging policy defines which VLANs are bridged and how local VLANs are bridged between the wired and wireless sides of the network.
RF Domain – States an RF Domain configuration has been impacted. RF Domains implement location based security restrictions applicable to all VLANs in a particular physical location.
Firewall Policy – Indicates a Firewall policy has been impacted. Firewalls provide a barrier that prevents unauthorized access to secure resources while allowing authorized access to external and internal resources.
IP Firewall Rules – Indicates an IP Firewall rule has been applied. An IP based firewall rule implements firewall restrictions based on the IP address in a received packet.
MAC Firewall Rules – States a MAC based Firewall Rule has been applied. A MAC based firewall rule implements firewall restrictions based on the MAC address in a received packet.
Wireless Client Role – Indicates a wireless client role has been applied to a managed client. The role could be either sensor or client.
WIPS Policy – States the conditions of a WIPS policy have been invoked. WIPS prevents unauthorized access to the network by checking for (and removing) rogue APs and wireless clients.
Advanced WIPS Policy – States the conditions of an advanced WIPS policy have been invoked. WIPS prevents unauthorized access to the system by checking for and removing rogue access points and wireless clients.
Device Categorization – Indicates a device categorization policy is being applied. This is used by the intrusion prevention system to categorize APs or wireless clients as either neighbors or sanctioned devices. This enables these devices to bypass the intrusion prevention system.
Captive Portal – States a captive portal is being applied. Captive portal is used to provide temporary controller, service platform, or access point access to requesting wireless clients.
DNS Whitelist – A DNS whitelist is used in conjunction with captive portal to provide captive portal services to wireless clients.
DHCP Server Policy – Indicates a DHCP server policy is being applied. DHCP provides IP addresses to wireless clients. A DHCP server policy configures how DHCP provides these IP addresses.
RADIUS Group – Indicates the configuration of RADIUS Group is being defined and applied. A RADIUS group is a collection of RADIUS users with the same set of permissions.
RADIUS User Pools – States a RADIUS user pool is being applied. RADIUS user pools are a set of IP addresses that can be assigned to an authenticated RADIUS user.
RADIUS Server Policy – Indicates a RADIUS server policy is being applied. RADIUS server policy is a set of configuration attributes used when a RADIUS server is configured for AAA.
Smart Caching Policy – Smart Caching enables NX4500 and NX6500 series service platforms to temporarily store frequently accessed Web content on network infrastructure devices.
Management Policy – Indicates a management policy is being applied. Management policies are used to configure access control, authentication, traps and administrator permissions.
MeshConnex Policy – Indicates a mesh connex policy is being applied. MeshConnex is a hybrid proactive/on-demand path selection protocol to form efficient mesh paths.
Mesh QoS Policy – Indicates a mesh quality of service policy is being applied. This policy ensures that each mesh point in the network receives a fair share of overall bandwidth for its use.
Virtual Controller APs – Indicates an AP is configured as a Virtual Controller access point. A Virtual Controller access point can manage up to 24 access points of similar type deployed in a network.

Configuration Objects

Configuration icons are used to define the following:
Configuration – Indicates an item capable of being configured by the access point’s interface.
View Events / Event History – Defines a list of events. Select this icon to view events or view the event history.
Core Snapshots – Indicates a core snapshot has been generated. A core snapshot is a file that records the status of all the processes and memory when a process fails.
Panic Snapshots – Indicates a panic snapshot has been generated. A panic snapshot is a file that records the status of all the processes and memory when a failure occurs.
UI Debugging – Select this icon/link to view current NETCONF messages.
View UI Logs – Select this icon/link to view the different logs generated by the user interface, FLEX and the error logs.

Configuration Operation Icons

The following icons are used to define configuration operations:
Revert – When selected, any unsaved changes are reverted back to their last saved configuration.
Commit – When selected, all changes made to the configuration are written to the access point. Once committed, changes cannot be reverted.
Commit and Save – When selected, changes are saved to the access point’s configuration.

Access Type Icons

The following icons display a user access type:
Web UI – Defines a Web UI access permission. A user with this permission is permitted to access an associated device’s Web UI.
Telnet – Defines a TELNET access permission. A user with this permission is permitted to access an access point using TELNET.
SSH – Indicates an SSH access permission. A user with this permission is permitted to access an access point using SSH.
Console – Indicates a console access permission. A user with this permission is permitted to access the access point using the device’s serial console.

Administrative Role Icons

The following icons identify the different administrative roles allowed on the system:
Superuser – Indicates superuser privileges. A superuser has complete access to all configuration aspects of the access point to which they are connected.
System – Indicates system user privileges. A system user is allowed to configure some general settings like boot parameters, licenses, auto install, image upgrades etc.
Network – Indicates network user privileges. A network user is allowed to configure all wired and wireless parameters, like IP configuration, VLANs, L2/L3 security, WLANs, radios etc.
Security – Indicates security user privileges. A security level user is allowed to configure all security related parameters.
Monitor – Indicates a monitor role. This role provides no configuration privileges. A user with this role can view all system configuration but cannot modify it.
Help Desk – Indicates help desk privileges. A help desk user is allowed to use troubleshooting tools like sniffers, execute service commands, view or retrieve logs and reboot an access point.
Web User – Indicates a Web user privilege. A Web user is allowed to access the access point’s Web user interface.

Device Icons

The following icons indicate the different device types managed by the system:
System – This icon indicates the entire Mobility supported system and all of its members including wireless controller, service platforms, and access points that may be interacting at any one time.
Cluster – This icon indicates a cluster. A cluster is a set of access points that work collectively to provide redundancy and load sharing amongst its members.
Service Platform – This icon indicates an NX45xx, NX65xx or NX9000 series service platform that’s part of the managed network.
RF Domain – This icon indicates an RF Domain. RF Domains allow administrators to assign configuration data to multiple devices deployed in a common coverage area, such as in a floor, a building or a site. Each RF Domain also contains policies that can determine a Smart RF or WIPS configuration.
Access Point – This icon indicates any access point that is a part of the network.
Wireless Client – This icon indicates any wireless client connected within the access point managed network.

Quick Start

Access Points can utilize an initial setup wizard to streamline the process of initially accessing the wireless network. The wizard defines the access point’s operational mode, deployment location, basic security, network and WLAN settings. For instructions on how to use the initial setup wizard, see Using the Initial Setup Wizard on page 3-15.

Using the Initial Setup Wizard

Once the access point is installed and powered on, complete the following steps to get the access point up and running and access management functions:
Point the Web browser to the access point’s IP address. The following login screen displays:
FIGURE 1 Web UI Login screen
1. Enter the default username admin in the Username field.
2. Enter the default password admin123 in the Password field.
3. Select the Login button to load the management interface.
When logging in for the first time, you are prompted to change the password to enhance device security in subsequent logins.
If you get disconnected when running the wizard, you can connect again with the access point’s actual IP address (once obtained) and resume the wizard.
If this is the first time the access point’s management interface has been accessed, the Initial Setup Wizard automatically displays.
FIGURE 2 Initial Setup Wizard
NOTE
The Initial Setup Wizard displays the same pages and content for each access point model supported. The only difference is the number of radios configurable by model: a Brocade Mobility 7131 Access Point model can support up to three radios, Brocade Mobility 1220 Access Point and Brocade Mobility 1240 Access Point models support two radios, and the Brocade Mobility 6511 Access Point model supports a single radio.
4. The Introduction screen displays the various actions that can be performed using the wizard under the Function Highlight field.
5. Use the Choose One type to Setup the Access Point field options to select the type of wizard to run. The Typical Setup is the recommended wizard. This wizard uses the default parameters for most of the configuration parameters and sets up a working network with the least amount of manual configuration.
6. The Advanced Setup wizard is for administrators who prefer more control over the different configuration parameters. A few more configuration screens are available for customization when the Advanced Setup wizard is used.
7. The first page of the Initial Setup Wizard displays the Navigation Panel and Function Highlights for the configuration activities comprising the access point's initial setup. This page also displays options to select the typical or advanced mode for the wizard.
FIGURE 3 Initial Setup Wizard - Navigation Panel - Typical Setup Wizard
8. A green check mark to the left of an item in the Navigation Panel defines the listed task as having its minimum required configuration parameters set correctly. A red X defines the task as still requiring at least one parameter be defined correctly. Figure 3 displays the navigation panel for the Typical Setup Wizard.
FIGURE 4 Initial Setup Wizard - Navigation Panel - Advanced Setup Wizard
Figure 4 displays the navigation panel for the Advanced Setup Wizard.
NOTE
Note the difference in the number of steps between the Typical Setup and Advanced Setup Wizards.
9. Select Save/Commit within each page to save the updates made to that page's configuration. Select Next to proceed to the next page listed in the Navigation Panel. Select Back to revert to the previous screen without saving your updates.
While you can navigate to any page in the navigation panel, you cannot complete the Initial Setup Wizard until each task in the Navigation Panel has a green check mark.
The following sections describe the two different wizards and their parameters. The available wizards are:
Typical Setup Wizard
Advanced Setup Wizard

Typical Setup Wizard

The Typical Setup is the recommended wizard. This wizard uses default parameters for most of the configuration parameters and creates a working network with the fewest steps.
The Typical Setup wizard consists of the following:
Network Topology Selection
LAN Configuration
WAN Configuration
Wireless LAN Setup
Summary And Commit Screen
To configure the access point using the Typical Setup Wizard:
1. Select Typical Setup from the Choose One type to Setup the Access Point field.
2. Select Next.
The Initial Setup Wizard displays the Access Point Settings screen to define the access point's Standalone versus Virtual Controller AP functionality. This screen also enables selection of the country of operation for the access point.
FIGURE 5 Initial Setup Wizard - Access Point Settings screen for Typical Setup Wizard
3. Select an Access Point Type from the following options:
Virtual Controller AP - When more than one access point is deployed, a single access point can function as a Virtual Controller AP. Up to 24 access points can be connected to, and managed by a single Virtual Controller AP. These connected access points must be the same model as the Virtual Controller AP. For more information, see Virtual Controller AP Mode on page 3-20.
Standalone AP - Select this option to deploy this access point as an autonomous access point. A standalone AP is not managed by a Virtual Controller AP, or adopted by a RFS series wireless controller. For more information, see Standalone Mode on page 3-20.
If designating the access point as a Standalone AP, Brocade recommends the access point’s UI be used exclusively to define its device configuration, and not the CLI. The CLI provides the ability to define more than one profile and the UI does not. Consequently, the two interfaces cannot be used collectively to manage profiles without an administrator encountering problems.
Adopted to Controller - Select this option when deploying the access point as a controller managed (Dependent mode) access point. Selecting this option closes the Initial AP Setup Wizard. An adopted access point obtains its configuration from a profile stored on its managing controller. Any manual configuration changes are overwritten by the controller upon reboot. For more information on configuring the access point in the Adopted to Controller mode, see Adopt to a controller on page 3-42.
The option Adopted to Controller is only available for the Advanced Setup Wizard.
4. Select the Country Code where the access point is deployed. Selecting the proper country of operation is critical when configuring the access point, as it defines the correct channels of operation and ensures compliance with the regulations for the selected country. This field is only available for the Typical Setup Wizard.
5. Select the Next button to start configuring the access point in the selected mode.
Virtual Controller AP Mode
When more than one access point is deployed, a single access point can function as a Virtual Controller AP. Up to 24 access points can be connected to, and managed by a single Virtual Controller AP of the same access point model. These connected access points must be of the same model as the Virtual Controller AP.
To designate an access point as a Virtual Controller AP:
1. From the Access Point Settings screen, select Virtual Controller AP.
2. Select Next.
The remainder of a Virtual Controller AP configuration is the same as a Standalone Access Point.
Standalone Mode
In the Standalone mode, the access point is not adopted to a wireless controller. Select this option to deploy this access point as an autonomous fat access point.
If designating the access point as a Standalone AP, Brocade recommends the access point’s UI be used exclusively to define its device configuration, and not the CLI. The CLI provides the ability to define more than one profile and the UI does not. Consequently, the two interfaces cannot be used collectively to manage profiles without an administrator encountering problems.
To configure the access point to work in the Standalone mode:
1. From the Access Point Settings screen, select Standalone AP.
2. Select Next.
The remainder of a Standalone AP configuration is the same as a Virtual Controller Access Point.
Network Topology Selection
Use the Network Topology screen to define how the access point manages network traffic. The available modes are:
FIGURE 6 Initial Setup Wizard - Network Topology screen for Typical Setup Wizard
Router Mode - In Router Mode, the access point routes traffic between the local network (LAN) and the Internet or external network (WAN). Router mode is recommended in a deployment supported by just a single access point.
Bridge Mode - In Bridge Mode, the access point depends on an external router for routing LAN and WAN traffic. Routing is generally used on one device, whereas bridging is typically used in a larger density network. Select Bridge Mode when deploying this access point with numerous peer access points supporting clients on both the 2.4 GHz and 5.0 GHz radio bands.
NOTE
When Bridge Mode is selected, WAN configuration cannot be performed and the Initial Setup Wizard does not display the WAN configuration screen.
3. Select Next. The Typical Setup Wizard displays the LAN Configuration screen to set the access point's LAN interface configuration. For more information, see LAN Configuration on page 3-22.
LAN Configuration
Use the LAN Configuration screen to set the access point's DHCP and LAN network address configuration.
FIGURE 7 Initial Setup Wizard - LAN Configuration screen for Typical Setup Wizard
Set the following DHCP and Static IP Address/Subnet information:
Use DHCP - Select the option to enable an automatic network address configuration using a DHCP server.
Static IP Address/Subnet - Enter an IP Address and a subnet for the access point's LAN interface. If Use DHCP is selected, this field is not available. When selecting this option, define the following DHCP Server and Domain Name Server (DNS) resources, as those fields will become enabled on the bottom portion of the screen.
Use on-board DHCP server to assign IP addresses to wireless clients - Select the check box to enable the access point’s DHCP server to provide IP and DNS information to clients on the LAN interface.
Range - Enter a starting and ending IP Address range for client assignments on the access point's LAN interface. Avoid assigning IP addresses from x.x.x.1 - x.x.x.10 and x.x.x.255, as they are often reserved for standard network services. This is a required parameter.
Default Gateway - Define a default gateway address for use with the default gateway. This is a required parameter.
DNS Forwarding - Select this option to allow a DNS server to translate domain names into IP addresses. If this option is not selected, a primary and secondary DNS resource must be specified. DNS forwarding is useful when a request for a domain name is made but the DNS server, responsible for converting the name into its corresponding IP address, cannot locate the matching IP address.
Primary DNS - Enter an IP Address for the main Domain Name Server providing DNS services for the access point's LAN interface.
Secondary DNS - Enter an IP Address for the backup Domain Name Server providing DNS services for the access point's LAN interface.
4. Select Next. The Typical Setup Wizard displays the Wireless LAN Setup screen to set the access point's Wireless LAN interface configuration. For more information see Wireless LAN Setup on page 3-25.
5. If Router Mode is selected as the Network Topology, the Typical Setup Wizard displays the WAN configuration screen. For more information, see WAN Configuration on page 3-23.
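The Range and Default Gateway guidance on the LAN Configuration screen can be checked before the values are typed into the wizard. This Python sketch is an added example, not part of the guide or of Brocade software; the function names, the sample addresses, and the checks that the gateway sits in the LAN subnet and that the access point's own address stays out of the client range are assumptions added here.

```python
import ipaddress

# Last-octet values the guide says to keep out of the client range
# (x.x.x.1 - x.x.x.10 and x.x.x.255).
AVOID_LAST_OCTETS = tuple(range(1, 11)) + (255,)


def avoided_addresses(start, end):
    """First address in [start, end] for each last-octet value to avoid."""
    hits = []
    for octet in AVOID_LAST_OCTETS:
        candidate = (int(start) & ~0xFF) | octet
        if candidate < int(start):
            candidate += 256  # next /24 block that carries this last octet
        if candidate <= int(end):
            hits.append(ipaddress.IPv4Address(candidate))
    return sorted(hits)


def check_lan_plan(static_cidr, range_start, range_end, gateway):
    """Return a list of problems; an empty list means the plan passes."""
    try:
        iface = ipaddress.IPv4Interface(static_cidr)
        start = ipaddress.IPv4Address(range_start)
        end = ipaddress.IPv4Address(range_end)
        gw = ipaddress.IPv4Address(gateway)
    except ValueError as exc:
        # Range and Default Gateway are required, so an empty field lands here.
        return [f"invalid or missing address: {exc}"]

    problems = []
    net = iface.network
    for label, addr in (("range start", start), ("range end", end),
                        ("default gateway", gw)):
        if addr not in net:
            problems.append(f"{label} {addr} is outside the LAN subnet {net}")
    if start > end:
        problems.append("range start is above range end")
        return problems
    # Added sanity check (assumption): do not lease out the AP's own address.
    if start <= iface.ip <= end:
        problems.append(
            f"client range contains the access point's own address {iface.ip}")
    hits = avoided_addresses(start, end)
    if hits:
        listed = ", ".join(str(h) for h in hits)
        problems.append(
            f"client range contains addresses the guide says to avoid: {listed}")
    return problems


if __name__ == "__main__":
    # Constructed sample plans.
    print(check_lan_plan("192.168.10.1/24", "192.168.10.100",
                         "192.168.10.200", "192.168.10.1"))
    for problem in check_lan_plan("192.168.10.20/24", "192.168.10.5",
                                  "192.168.10.255", "192.168.20.1"):
        print("-", problem)
```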
WAN Configuration
This option is only available when Router Mode is selected in the Network Topology screen.
Use the WAN Setting screen to define network address settings for the WAN interface. The WAN interface connects the access point to a wired local area network or backhaul.
FIGURE 8 Initial Setup Wizard - WAN Configuration screen of the Typical Setup Wizard
Set the following WAN parameters:
Use DHCP - Select the radio control to enable an automatic network address configuration using external DHCP servers. An automatic IP address is configured to the access point’s WAN port using DHCP servers located on the WAN side of the network.
Static IP Address/Subnet - Enter an IP Address and a subnet for the access point's WAN interface. If Use DHCP is selected, this field is not available. When selecting this option, define Default Gateway information, as the field will become enabled on the bottom portion of the screen. The provided IP address is assigned to the WAN interface of the access point. The Default Gateway is a router that provides access to other networks.
Select the port that is connected to the WAN – Select the port connected to the WAN.
Enable NAT on the WAN Interface – Select the option to enable Network Address Translation (NAT) on the selected GE interface.
1. Select Next. The Typical Setup Wizard displays the Wireless LAN Setup screen to set the access point's wireless LAN configuration. For more information, see Wireless LAN Setup on page 3-25.
Wireless LAN Setup
Typical Setup Wizard
A Wireless Local Area Network (WLAN) is a data-communications system and local area network that flexibly extends the functionality of a wired LAN. A WLAN links two or more computers or devices using spread-spectrum or OFDM modulation based technology. WLANs do not require lining up devices for line-of-sight transmission, and are thus desirable for wireless networking. Roaming users can be handed off from one access point to another, like a cellular phone system. WLANs can therefore be configured around the needs of specific user groups, even when they are not in physical proximity.
Up to two (2) WLANs can be configured for the access point using the wizard.
FIGURE 9 Initial Setup Wizard - Wireless LAN Setup screen for Typical Setup Wizard
Set the following WLAN1 configuration parameters:
SSID – Configure the SSID for the WLAN.
WLAN Type – Configure the encryption and authentication to use with this WLAN.
No Authentication and No Encryption – Configures a network without any authentication. This means any device can access the network. This option also configures the network without encryption. This means any data transmitted through the network is in plain text.
Captive Portal Authentication and No Encryption – Configures a network that uses a RADIUS server to authenticate users before allowing them on to the network. Once on the network, no encryption is used for the data being transmitted through the network. Select this option to use a Web page (either internally or externally hosted) to authenticate users before access is granted to the network.
External RADIUS Server – When this option is selected, provide the IP address of the external RADIUS server used for user authentication. Also provide the shared secret in the RADIUS Shared Secret field.
Onboard RADIUS Server – When this option is selected, a new screen is displayed where additional updates can be made. For more information on configuring the onboard RADIUS server, see RADIUS Server Configuration on page 3-26.
PSK authentication, WPA2 encryption – Configures a network that uses PSK authentication and WPA2 encryption. Select this option to implement a pre-shared key that must be correctly shared between the access point and requesting clients using this WLAN.
WPA Key – Provide a 64 character HEX key or 8-63 character ASCII key. Use the drop-down to specify the type of key being provided. Select ASCII or HEX to specify the key type being provided in the WPA Key field.
1. Select Next. The Typical Setup Wizard displays the RADIUS Server Configuration screen if required. For more information, see RADIUS Server Configuration on page 3-26.
2. Otherwise, the Typical Setup Wizard displays the Summary and Commit screen. For more information, see Summary And Commit Screen on page 3-28.
RADIUS Server Configuration
Wireless LAN Setup
1. Use the RADIUS Server Configuration screen to configure the users for the onboard RADIUS server. Use the screen to add, modify and remove RADIUS users.
FIGURE 10 Initial Setup Wizard - RADIUS Server Configuration screen for Typical Setup Wizard
2. Use the Add User button to add a new RADIUS user. A dialog displays where details about the user are entered.
FIGURE 11 Initial Setup Wizard - RADIUS Server Configuration - Add User screen for Typical Setup Wizard
3. Use the Add User dialog to provide user information to add to the RADIUS server user database.
Username – Provide a user name to authenticate the user.
Password – Provide a password to authenticate the user.
Confirm Password – Confirm the password by entering the same password entered in the Password field.
Description – Provide a description for the user created in the RADIUS server user database.
4. To create the user and continue with creating another user, select Create. To create the user and close this dialog, click Create & Close. To close the dialog and abandon the operation, select Cancel.
5. Use the Modify User button to modify the details for an existing user in the RADIUS user database. Select the user to modify details for and then click Modify User. The username for the user cannot be modified using this dialog.
6. Use the Delete User button to remove the details of an existing user from the RADIUS user database. Select the user to remove and then click Delete User. A confirmation dialog appears. Once confirmed, the user is removed from the RADIUS user database.
7. Click Next. The Typical Setup Wizard displays the Summary and Commit screen. For more information, see Summary And Commit Screen on page 3-28.
Summary And Commit Screen
Typical Setup Wizard
The Summary And Commit screen displays a complete overview of the configurations made in the previous screens.
There is no user intervention or additional settings required. The Summary and Commit screen is an additional means of validating the configuration before it is deployed.
FIGURE 12 Initial Setup Wizard - Summary And Commit Screen of the Typical Setup Wizard
If the configuration displays as intended, select the Save/Commit button to implement these settings to the access point’s configuration. If additional changes are warranted based on the summary, either select the target page from the Navigation Panel, or use the Back button.

Advanced Setup Wizard

Using the Initial Setup Wizard
The Advanced Setup is the recommended wizard for users who want more control over how the access point is configured beyond minimum default settings. This wizard provides additional radio and system information settings.
The Advanced Setup wizard consists of the following:
Network Topology Selection
LAN Configuration
WAN Configuration
Radio Configuration
Wireless LAN Setup
System Information
Summary And Commit Screen
To configure the access point using the Advanced Setup Wizard:
1. Select Advanced Setup from the Choose One type to Setup the Access Point field.
2. Select Next.
The Advanced Setup Wizard displays the Access Point Settings screen to define the access point's Standalone versus Virtual Controller AP functionality. This screen also enables selection of the country of operation.
FIGURE 13 Initial Setup Wizard - Access Point Settings screen for Advanced Setup Wizard
3. Select an Access Point Type from the following options:
Virtual Controller AP - When more than one access point is deployed, a single access point can function as a Virtual Controller AP. Up to 24 access points can be connected to, and managed by, a single Virtual Controller AP. These connected access points must be the same model as the Virtual Controller AP. For more information, see Virtual Controller AP Mode on page 3-20.
Standalone AP - Select this option to deploy this access point as an autonomous fat access point. A standalone AP is not managed by a Virtual Controller AP, or adopted by an RFS series wireless controller. For more information, see Standalone Mode on page 3-20.
NOTE
If designating the access point as a Standalone AP, Brocade recommends the access point’s UI be used exclusively to define its device configuration, and not the CLI. The CLI provides the ability to define more than one profile and the UI does not. Consequently, the two interfaces cannot be used collectively to manage profiles without an administrator encountering problems.
Adopted to Controller - Select this option when deploying the access point as a controller managed (Dependent mode) access point. Selecting this option closes the Initial AP Setup Wizard. An adopted access point obtains its configuration from a profile stored on its managing controller. Any manual configuration changes are overwritten by the controller upon reboot. For more information on configuring the access point in the Adopted to Controller mode, see Adopt to a controller on page 3-42.
4. Select the Next button to start configuring the access point in the selected mode. If the Access Point Type is Virtual Controller AP or Standalone AP, see Network Topology Selection on page 3-31.
5. If the Access Point Type is Adopted to Controller, see Adopt to a controller on page 3-42.
Network Topology Selection
Advanced Setup Wizard
Use the Network Topology screen to define how the access point manages network traffic. The available modes are:
FIGURE 14 Initial Setup Wizard - Access Point Mode screen for Advanced Setup Wizard
Router Mode - In Router Mode, the access point routes traffic between the local network (LAN) and the Internet or external network (WAN). Router mode is recommended in a deployment supported by just a single access point.
Bridge Mode - In Bridge Mode, the access point depends on an external router for routing LAN and WAN traffic. Routing is generally used on one device, whereas bridging is typically used in a larger density network. Select Bridge Mode when deploying this access point with numerous peer access points supporting clients on both the 2.4 GHz and 5.0 GHz radio bands.
NOTE
When Bridge Mode is selected, WAN configuration cannot be performed and the Initial Setup Wizard does not display the WAN configuration screen.
6. Select Next. The Advanced Setup Wizard displays the LAN Configuration screen to set the access point's LAN interface. For more information, see LAN Configuration on page 3-33.
LAN Configuration
Advanced Setup Wizard
Use the LAN Configuration screen to configure the parameters required for setting a Local Area Network (LAN) on the access point.
FIGURE 15 Initial Setup Wizard - LAN Configuration screen for Advanced Setup Wizard
1. Set the following DHCP and Static IP Address/Subnet information for the LAN interface:
Use DHCP - Select the option to enable an automatic network address configuration using a DHCP server.
Static IP Address/Subnet - Enter an IP Address and a subnet for the access point's LAN interface. If Use DHCP is selected, this field is not available. When selecting this option, define the following DHCP Server and Domain Name Server (DNS) resources, as those fields will become enabled on the bottom portion of the screen.
Use on-board DHCP server to assign IP addresses to wireless clients - Select the check box to enable the access point’s DHCP server to provide IP and DNS information to clients on the LAN interface.
Range - Enter a starting and ending IP Address range for client assignments on the access point's LAN interface. Avoid assigning IP addresses from x.x.x.1 - x.x.x.10 and x.x.x.255, as they are often reserved for standard network services. This is a required parameter.
Default Gateway - Define the IP address of the default gateway. This is a required parameter.
DNS Forwarding - Select this option to allow a DNS server to translate domain names into IP addresses. If this option is not selected, a primary and secondary DNS resource must be specified. DNS forwarding is useful when a request for a domain name is made but the DNS server, responsible for converting the name into its corresponding IP address, cannot locate the matching IP address.
Primary DNS - Enter an IP Address for the main Domain Name Server providing DNS services for the access point's LAN interface.
Secondary DNS - Enter an IP Address for the backup Domain Name Server providing DNS services for the access point's LAN interface.
2. Select Next. The Advanced Setup Wizard displays the Radio Configuration screen to set the access point's radios. For more information, see Radio Configuration on page 3-36.
3. If Router Mode is selected as the Network Topology, then the Advanced Setup Wizard displays the WAN configuration screen. For more information, see WAN Configuration on page 3-23.
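The range guidance in step 1 can be checked before the values are entered in the wizard. The following Python is an added example, not part of the Brocade guide or its software; the function name check_dhcp_pool and the sample addresses are assumptions, and it handles IPv4 only.

```python
import ipaddress

# Last-octet values the guide advises against handing out to clients
# (x.x.x.1 - x.x.x.10 and x.x.x.255).
RESERVED_LAST_OCTETS = set(range(1, 11)) | {255}


def check_dhcp_pool(interface_cidr, pool_start, pool_end, gateway):
    """Return a list of findings for an on-board DHCP server configuration.

    interface_cidr: the Static IP Address/Subnet of the LAN interface,
                    e.g. "192.168.10.1/24" (constructed sample value).
    pool_start, pool_end: the Range fields.
    gateway: the Default Gateway field.
    An empty list means no problem was found.
    """
    iface = ipaddress.ip_interface(interface_cidr)
    net = iface.network
    start, end, gw = (ipaddress.ip_address(a)
                      for a in (pool_start, pool_end, gateway))

    if start > end:
        return ["range start is above range end"]

    findings = []
    for label, addr in (("range start", start), ("range end", end),
                        ("default gateway", gw)):
        if addr not in net:
            findings.append(f"{label} {addr} is outside {net}")
    if findings:
        # The remaining checks assume every value sits in the LAN subnet.
        return findings

    def in_pool(addr):
        return start <= addr <= end

    if in_pool(iface.ip):
        findings.append(f"pool contains the access point's own address {iface.ip}")
    if in_pool(gw):
        findings.append(f"pool contains the default gateway {gw}")
    if in_pool(net.network_address) or in_pool(net.broadcast_address):
        findings.append("pool contains the network or broadcast address")

    # Walk the pool and collect addresses whose last octet is reserved.
    reserved = [ipaddress.ip_address(n)
                for n in range(int(start), int(end) + 1)
                if n & 0xFF in RESERVED_LAST_OCTETS]
    if reserved:
        findings.append(
            f"pool contains {len(reserved)} address(es) ending in "
            f".1-.10 or .255, e.g. {reserved[0]}")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not taken from the guide.
    for issue in check_dhcp_pool("192.168.10.1/24", "192.168.10.1",
                                 "192.168.10.255", "192.168.10.1"):
        print("finding:", issue)
```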
WAN Configuration
Advanced Setup Wizard
This option is only available when Router Mode is selected in the Network Topology screen of the Advanced Setup Wizard.
The Advanced Setup Wizard displays the WAN Setting screen to define DHCP and network address information for the WAN interface. The WAN interface is used to connect the access point to a wired local area network or backhaul.
FIGURE 16 Initial Setup Wizard - WAN Configuration screen of the Advanced Setup Wizard
Set the following WAN parameters:
Use DHCP - Select the radio control to enable an automatic network address configuration using external DHCP servers. An automatic IP address is configured to the access point’s WAN port using DHCP servers located on the WAN side of the network.
Static IP Address/Subnet - Enter an IP Address and a subnet for the access point's WAN interface. If Use DHCP is selected, this field is not available. When selecting this option, define the following Default Gateway information as the field will become enabled on the bottom portion of the screen. The IP address defined in this field is assigned to the WAN interface. The Default Gateway is a router that provides access to other networks.
Select the port that’s connected to the WAN – Select the port that is connected to the WAN.
Enable NAT on the WAN Interface – Select the option to enable Network Address Translation on the selected GE interface.
Select Next. The Advanced Setup Wizard displays the Radio Configuration screen to set the access point's radios. For more information, see Radio Configuration on page 3-36.
Radio Configuration
Advanced Setup Wizard
Use the Radio Configuration screen to define radio support for the 2.4 GHz radio band, 5.0 GHz radio band or set the radio as a dedicated sensor.
The Radio Configuration screen displays separate configurable fields for each access point radio. Supported access point models can have from one to three (Brocade Mobility 7131 Access Point) radios. The ADSP Sensor Server field displays at the bottom of the screen only if one of the radios has been dedicated as a sensor.
FIGURE 17 Initial Setup Wizard - Radio Configuration screen of the Advanced Setup Wizard
Set the following for each radio:
Configure as a Data Radio - Select this option to dedicate this radio to WLAN client support in the selected 2.4 GHz or 5.0 GHz radio band.
Radio Frequency Band - Select the 2.4 GHz or 5.0 GHz radio band to use with the radio when selected as a Data Radio. The selected band is used for WLAN client support. Consider selecting one radio for 2.4 GHz and another for 5.0 GHz support (if using a dual or three radio model) when supporting clients in both the 802.11bg and 802.11n bands.
Power Level - Use the spinner control to select a 1 - 23 dBm minimum power level to assign to this radio in the selected 2.4 GHz or 5.0 GHz band. 1 dBm is the default setting.
Channel Mode - Select either Random, Best or Static. Select Random for use with an 802.11a/n radio. To comply with Dynamic Frequency Selection (DFS) requirements in the European Union, the 802.11a/n radio uses a randomly selected channel each time the access point is powered on. Select Best to enable the access point to scan non-overlapping channels and listen for beacons from other access points. After the channels are scanned, it will select the channel with the fewest access points. In the case of multiple access points on the same channel, it will select the channel with the lowest average power level. When Constantly Monitor is selected, the access point will continuously scan the network for excessive noise and sources of interference. Select Static to assign the access point a permanent channel and scan for noise and interference only when initialized.
Configure as a Sensor Radio - Select this option to dedicate the radio to sensor support exclusively. When functioning as a sensor, the radio scans in sensor mode across all channels within the 2.4 and 5.0 GHz bands to identify potential threats. If dedicating a radio as a sensor resource, a primary and secondary ADSP server must be specified as an ADSP management resource.
NOTE
If configuring a Brocade Mobility 6511 Access Point as a sensor, the access point will require a reboot before its sensor functionality is invoked. The reboot can take place at the completion of the Initial Setup Wizard.
Disable the Radio - Select this option to disable this radio, thus prohibiting it from either providing WLAN or sensor support. Verify this course of action with your network administrator before rendering the radio offline.
Select Next. The Advanced Setup Wizard displays the Wireless LAN Setup screen to set the access point's Wireless LAN interface configuration. For more information, see Wireless LAN Setup on page 3-37.
Wireless LAN Setup
Advanced Setup Wizard
A Wireless Local Area Network (WLAN) is a data-communications system and wireless local area network that flexibly extends the functionality of a wired LAN. A WLAN links two or more computers or devices using spread-spectrum or OFDM modulation based technology. WLANs do not require lining up devices for line-of-sight transmission, and are thus desirable for wireless networking. Roaming users can be handed off from one access point to another, like a cellular phone system. WLANs can therefore be configured around the needs of specific user groups, even when they are not in physical proximity.
Use the Wireless LAN Setup screen to configure the WLAN parameters. Up to two (2) WLANs can be configured for the access point.
FIGURE 18 Initial Setup Wizard - WAN Configuration screen for Advanced Setup Wizard
Set the following WLAN1 Configuration parameters:
SSID – Configure the SSID for the WLAN.
WLAN Type – Configure the encryption and authentication to use with this WLAN.
No Authentication and No Encryption – Configures a network without any authentication. This means any device can access the network. This option also configures the network without encryption. This means any data transmitted through the network is in plain text.
Captive Portal Authentication and No Encryption – Configures a network using a RADIUS server to authenticate users before allowing them on to the network. Once on the network, no encryption is used for the data transmitted through the network. Select this option to use a Web page (either internally or externally hosted) to authenticate users before access is granted to the network.
External RADIUS Server – When selected, provide the IP address of the external RADIUS server used for user authentication. Also enter the shared secret in the RADIUS Shared Secret field.
Onboard RADIUS Server – When selected, a new screen displays where further configuration can be performed. For more information, see RADIUS Server Configuration on page 3-26.
PSK authentication, WPA2 encryption – Configures a network that uses PSK authentication and WPA2 encryption. Select this option to implement a pre-shared key that must be correctly shared between the access point and requesting clients on the WLAN.
WPA Key – Provide a 64 character HEX key or 8-63 character ASCII key. Use the drop-down to specify the type of key provided. Select ASCII or HEX to specify the key type provided in the WPA Key field.
EAP Authentication and WPA2 Encryption – Configures a network that uses EAP authentication and WPA2 encryption. Select this option to authenticate clients within this WLAN through the exchange and verification of certificates.
External RADIUS Server – When selected, provide the IP address of the external RADIUS server used for user authentication. Also provide the shared secret in the RADIUS Shared Secret field.
Onboard RADIUS Server – When selected, a new screen is displayed where further configuration can be performed. For more information, see RADIUS Server Configuration on page 3-26.
Select Next. The Advanced Setup Wizard displays the RADIUS Server Configuration screen if required. This screen is only displayed when Onboard RADIUS Server is selected for either Captive Portal Authentication And No Encryption or for EAP Authentication and WPA2 Encryption fields. For more information, see RADIUS Server Configuration on page 3-26.
Otherwise, the Advanced Setup Wizard displays the System Information screen. For more information, see System Information on page 3-39.
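The WPA Key rule (a 64 character HEX key or an 8-63 character ASCII key) is the same in the Typical and Advanced wizards. The Python below is an added example, not Brocade code: it checks a candidate key against that rule, derives the 256-bit key that WPA2-PSK computes from an ASCII passphrase and the SSID (PBKDF2-HMAC-SHA1 with 4096 iterations, as defined by IEEE 802.11i), and reports weak choices. The function names, the 20-character threshold and the sample values are assumptions.

```python
import hashlib
import secrets
import string


def classify_wpa_key(key):
    """Return "HEX" or "ASCII" for a key the WPA Key field would accept.

    Raises ValueError for anything else.
    """
    if len(key) == 64:
        if all(c in string.hexdigits for c in key):
            return "HEX"
        raise ValueError("a 64-character key must contain only hex digits")
    if 8 <= len(key) <= 63:
        # IEEE 802.11i limits passphrase characters to codes 32..126.
        if all(32 <= ord(c) <= 126 for c in key):
            return "ASCII"
        raise ValueError("an ASCII key must use printable ASCII only")
    raise ValueError("key must be 64 hex digits or 8-63 ASCII characters")


def derive_pmk(key, ssid):
    """Return the 32-byte pairwise master key for this key and SSID.

    A HEX key is used as-is. An ASCII passphrase is stretched with the
    SSID as salt, so the same passphrase on another SSID gives another key.
    """
    if classify_wpa_key(key) == "HEX":
        return bytes.fromhex(key)
    return hashlib.pbkdf2_hmac("sha1", key.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def audit_wpa_key(key, ssid, min_passphrase_len=20):
    """Return (key type, findings). The checks are illustrative assumptions,
    not requirements stated by the guide."""
    kind = classify_wpa_key(key)
    findings = []
    if kind == "ASCII":
        if len(key) < min_passphrase_len:
            findings.append(
                f"passphrase is shorter than {min_passphrase_len} characters")
        if ssid and ssid.lower() in key.lower():
            findings.append("passphrase contains the SSID")
        if key.isdigit() or key.isalpha():
            findings.append("passphrase uses a single character class")
    elif len(set(key.lower())) < 8:
        findings.append("HEX key has few distinct digits; use a random key")
    return kind, findings


def generate_hex_key():
    """Return a random 64-character HEX key from the OS CSPRNG."""
    return secrets.token_hex(32)


if __name__ == "__main__":
    # Constructed sample values; the passphrase/SSID pair below is the
    # published IEEE 802.11i test vector.
    print(derive_pmk("password", "IEEE").hex())
    print(audit_wpa_key("guestwifi2014", "GuestWiFi"))
    print(audit_wpa_key(generate_hex_key(), "GuestWiFi"))
```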
System Information
Advanced Setup Wizard
Use the System Information screen to define the device’s location, contact information for an administrator, and the country where this access point is deployed.
FIGURE 19 Initial Setup Wizard - System Information screen for the Advanced Setup Wizard
Location - Provide the location of the access point.
Contact - Specify the contact information for the administrator. The credentials provided should accurately reflect the individual responding to service queries.
Country - Select the country where the access point is deployed. The access point prompts for the correct country code on the first login. A warning message also displays stating an incorrect country setting may result in illegal radio operation. Selecting the correct country is central to legal operation. Each country has its own regulatory restrictions concerning electromagnetic emissions and the maximum RF signal strength that can be transmitted. This is a required parameter.
Time Zone - Set the time zone where the access point is deployed. This is a required parameter. The setting should be complementary with the selected deployment country.
Select Next. The Advanced Setup Wizard displays the Summary and Commit screen to summarize the screens (pages) and settings updated using the Initial AP Setup Wizard. For more information, see Summary And Commit Screen on page 3-41.
Summary And Commit Screen
Advanced Setup Wizard
The Summary And Commit screen displays an overview of the updates made using the Advanced Setup Wizard.
There is no user intervention or additional settings required. This screen is an additional means of validating the configuration before it is deployed. However, if a screen displays settings not intended as part of the initial configuration, the screen can be selected from within the Navigation Panel and its settings modified accordingly.
FIGURE 20 Initial Setup Wizard - Summary and Commit screen for the Advanced Setup Wizard
If the configuration displays as intended, select Save/Commit to implement these settings to the access point. If additional changes are warranted, either select the target page from the Navigation Panel, or use the Back button.
Adopt to a controller
Advanced Setup Wizard
When the access point is powered on for the first time, it looks for a wireless controller on the default subnet running the same firmware version and automatically adopts to it.
When Adopted to Controller is selected, further configuration settings are displayed in the same screen. Select Automatic controller discovery to enable the access point to be discovered and adopted using layer 2 settings.
If preferring layer 3 adoption, select Static Controller Configuration, and define the addresses of the preferred controllers. When using the static method, define whether the access point receives an IP address using DHCP or if IP resources are provided statically. Up to two (2) controllers can be defined. The access point will try to adopt to the controller defined in the Controller 1 field first. Should the controller not be found, the access point tries to adopt to the controller defined in the Controller 2 field.
When preferring layer 3 adoption, configure how an IP is assigned to this access point. Select Use DHCP to use DHCP to assign an IP address to this access point. If this access point requires a static IP, select Static IP Address/Subnet and provide the appropriate IP address and net mask. For your convenience, the netmask is automatically set to 24. Also assign the Default Gateway for forwarding traffic.
FIGURE 21 Initial Setup Wizard - Adoption Settings
The best way to administer a network populated by numerous access points is to configure them directly from their managing controller or Virtual Controller AP. If an access point’s configuration requires an exception from the wireless controller or Virtual Controller AP’s assigned profile configuration, the administrator should apply a Device Override to change just that access point’s configuration.
Select the Save/Commit button to save the current configuration. Select the Cancel button to exit the Initial Setup Wizard without making any changes. Select the Back button to go back to the previous screen of the Initial Setup Wizard.
Chapter 4

Dashboard
The dashboard allows network administrators to review and troubleshoot the operation of the devices comprising the access point managed network. Use the dashboard to review the current network topology, assess the network’s component health and diagnose problematic device behavior.
By default, the Dashboard screen displays the System Dashboard, which is the top level in the device hierarchy.
The dashboard provides the following tools and diagnostics:
Dashboard
Network View
Dashboard
The Dashboard screen displays device information organized by device association and inter-connectivity between an access point and connected wireless clients.
To review dashboard information:
1. Select Dashboard. Expand the System menu item on the upper, left-hand, side of the UI and select either an access point or connected client.
The Dashboard screen displays the Health tab by default.
FIGURE 1 Dashboard - Health tab

Dashboard Conventions

The Dashboard screen displays device information using the following conventions:
Health – Displays the state of the access point managed network.
Inventory – Displays the physical devices managed by the access point.
Health
Dashboard Conventions
The Health tab displays performance and utilization data for the access point managed network.
FIGURE 2 Dashboard - Health tab
For more information see:
Device Details
Radio RF Quality Index
Radio Utilization Index
Client RF Quality Index
Device Details
Health
The Device Details field displays model and version information.
FIGURE 3 Dashboard - Health tab - Device Details field
The Device Details field displays the name assigned to the selected access point, factory encoded MAC address, primary IP address, model type, RF Domain, software version, uptime, CPU and RAM information and system clock. Use this data to determine whether a software upgrade is warranted, or if the system clock needs adjustment.
Periodically select Refresh (at the bottom of the screen) to update the data displayed.
Radio RF Quality Index
Dashboard Conventions
The Radio RF Quality Index displays an RF quality table for the access point’s single default RF Domain. It is a percentage of the overall effectiveness of the RF environment. It is a function of the data rate in both directions, the retry rate and the error rate.
FIGURE 4 Dashboard - Health tab - Radio RF Quality Index field
RF Quality displays as the average quality index for the single RF Domain utilized by the access point. The table lists the bottom five (5) RF quality values for the RF Domain.
The quality is measured as:
0-20 – Very poor quality
20-40 – Poor quality
40-60 – Average quality
60-100 – Good quality
The access point’s RF Domain allows an administrator to assign configuration data to multiple devices deployed in a common coverage area, such as in a floor, building or site. The RF Domain contains policies that can determine a Smart RF or WIPS configuration.
Use this diagnostic information to define measures to improve radio performance in respect to wireless client load and radio band.
Periodically select Refresh (at the bottom of the screen) to update the RF quality data.
Radio Utilization Index
Dashboard Conventions
The Radio Utilization Index displays how efficiently the RF medium is used by the access point. Traffic utilization is defined as the percentage of throughput relative to the maximum possible throughput.
Refer to the number of errors and dropped packets to assess radio performance relative to the number of packets both transmitted and received.
Periodically select Refresh (at the bottom of the screen) to update the radio utilization information displayed.
FIGURE 5 Dashboard - Health tab - Radio Utilization Index field
Client RF Quality Index
Dashboard Conventions
The Client RF Quality Index displays a list of the worst 5 performing clients managed by the selected access point.
FIGURE 6 Dashboard - Health tab - Client RF Quality Index field
1. The Client RF Quality Index displays the following:
Worst 5 - Lists the worst 5 performing client radios connected to the access point. The RF Quality Index measures the overall effectiveness of the RF environment as a percentage. It is a function of the connect rate in both directions, as well as the retry rate and the error rate. The quality is measured as:
0-20 – Very poor quality
20-40 – Poor quality
40-60 – Average quality
60-100 – Good quality
Client MAC - Displays the factory encoded MAC address assigned to each connected radio listed. Use this information to assist in the identification of poorly performing radios.
Retry Rate - Lists the number of retries attempted to re-connect with the listed radio.
2. Periodically select Refresh (at the bottom of the screen) to update client RF quality.
Inventory
Dashboard Conventions
The Inventory tab displays information relative to the devices managed by the selected access point. The Inventory screen affords a system administrator an overview of the number and state of managed devices. The screen contains links to display more granular data specific to a radio.
FIGURE 7 Dashboard - Inventory tab
The Inventory tab is partitioned into the following fields:
Radio Types
WLAN Utilization
Wireless Clients
Clients by Radio Type
Radio Types
Inventory
The Radio Types field displays the total number and types of radios managed by the selected access point.
FIGURE 8 Dashboard - Inventory tab - Radio Types field
Refer to the Total Radios column to review the number of managed radios. Additionally, use the bar graphs to assess the number of WLANs utilized by supported radio bands.
Periodically select Refresh (at the bottom of the screen) to update the radio information.
WLAN Utilization
The WLAN Utilization field displays the top 5 WLANs utilized by this access point in respect to client support. The utilization index measures how efficiently the RF medium is utilized. It is defined as a percentage of the current throughput relative to the maximum throughput possible.
The quality is measured as:
0-20 – Very low utilization
20-40 – Low utilization
40-60 – Moderate utilization
60 and above – High utilization
FIGURE 9 Dashboard - Inventory tab - WLAN Utilization field
Periodically select Refresh (at the bottom of the screen) to update WLAN utilization information.
Wireless Clients
The Wireless Clients field displays information about the wireless clients managed by the selected access point.
FIGURE 10 Dashboard - Inventory tab - Wireless Clients field
Information within the Wireless Clients field is presented in two tables. The first table lists the total number of wireless clients managed by this access point. The second table lists an ordered ranking of radios based on their supported client count. Use this information to assess if an access point managed radio is optimally deployed in respect to its radio type and intended client support requirements.
NOTE: Brocade Mobility 1220 Access Point, Brocade Mobility 1220 Access PointM, Brocade Mobility 1240 Access Point, and Brocade Mobility 7131 Access Points can support up to 256 client connections to a single access point. Brocade Mobility 6511 Access Point (both single radio models) can support up to 128 client connections per access point.
Clients by Radio Type
The Clients by Radio Type field displays a bar graph illustrating the number of connected clients currently operating on supported radio bands.
FIGURE 11 Dashboard - Inventory tab - Clients by Radio Type field
For 5.0 GHz, clients are displayed supporting the 802.11a and 802.11an radio bands. For 2.4 GHz, clients are displayed supporting the 802.11b, 802.11bg, and 802.11bgn radio bands. Use this information to determine if all the access point’s client radio bands are optimally supported for the access point’s radio coverage area.

Network View

The Network View displays device topology association between a selected access point, its RF Domain and its connected clients.
Access points and clients can be selected and viewed using various color schemes in respect to neighboring access points, connected devices and performance criteria. Display options can be utilized to review device performance and utilization, as well as the RF band, channel and vendor. For more information, see Network View Display Options on page 4-53.
To review a device’s Network Topology, select Dashboard > Network View.
FIGURE 12 Network View Topology
The left-hand side of the Network View screen contains an expandable System Browser where access points can be selected and expanded to display connected clients. Navigate the System Browser to review device connections within the access point managed network. Many of these peer access points are available for connection to access points in Virtual Controller AP mode.
FIGURE 13 Network View - System Browser

Network View Display Options

1. Select the blue Options link right under the Network View banner to display a menu for different device interaction display options.
FIGURE 14 Network View - Display Options
2. The following display filter options are available:
None – Select this option to keep the Network View display as it currently appears, without any additional color or device interaction adjustments.
Utilization – Select this option to filter based on the percentage of current throughput relative to maximum throughput. Utilization results include: Red (Bad Utilization), Orange (Poor Utilization), Yellow (Fair Utilization) and Green (Good Utilization).
Quality – Select this option to filter based on the overall RF health. RF health is a ratio of connection rate, retry rates, and error rates. Quality results include: Red (Bad Quality), Orange (Poor Quality), Yellow (Fair Quality) and Green (Good Quality).
Vendor – Displays the device manufacturer.
Band – Select this option to filter based on the 2.4 or 5.0 GHz radio band of connected clients. Results include: Yellow (2.4 GHz radio band) and Blue (5.0 GHz radio band). Selecting Band is a good way to determine whether 2.4 and 5.0 GHz radios are optimally deployed in respect to the access point client loads on both bands.
Channel – Use the drop-down menu to filter whether device connections should be displayed in either the 2.4 or 5.0 GHz band.
Search – Enter search criteria in the provided text field and select the Update button to isolate located variables in blue within the Network View display.
3. Select the Update button to update the display with the changes made to the filter options. Select Close to close the options field and remove it from the Network View.

Device Specific Information

A device specific information screen is available for individual devices selected from within the Network View (not the System Browser). The screen displays the name assigned to the device, its model, factory encoded MAC address, number of radios within the device, number of connected clients, as well as the highest and lowest reported quality, utilization and Signal to Noise Ratio (SNR). This information cannot be modified by the administrator.
FIGURE 15 Network View - Device Specific Information
Optionally select the Statistics link at the bottom of the display to open a screen where access point device data can be reviewed on a much more granular level. For more information, see Health on page 4-44.

Device Configuration

Access points can either be assigned unique configurations to support a particular deployment objective or have an existing RF Domain or profile configuration modified (overridden) to support a requirement that deviates its configuration from the configuration shared by its peer access points.
Refer to the following to set an access point’s sensor functionality, Virtual Controller AP designation, and license and certificate usage configuration:
RF Domain Configuration
System Profile Configuration
Managing Virtual Controllers
Overriding a Device Configuration
Managing an Event Policy
An RF Domain allows an administrator to assign comparable configuration data to multiple access points deployed in a common coverage area (floor, building or site). In such instances, there are many configuration attributes these devices share, as their general client support roles are quite similar. However, access point configurations may need periodic refinement and overrides from their original RF Domain administered design. For more information, see RF Domain Overrides on page 5-242.
Profiles enable administrators to assign a common set of configuration parameters and policies to access points of the same model. Profiles can be used to assign shared network, wireless and security parameters to access points across a large, multi segment, site. The configuration parameters within a profile are based on the hardware model the profile was created to support. To define a configuration profile for a specific access point model, refer to System Profile Configuration on page 5-67.
However, device profile configurations may need periodic refinement from their original administered design. Consequently, a device profile can have an override applied that separates it from the configuration shared amongst numerous peer devices deployed within a particular site. For more information, see Device Overrides on page 5-244.

RF Domain Configuration

An access point’s configuration is composed of numerous elements, including an RF Domain, WLAN and device specific settings. RF Domains are used to assign regulatory, location and relevant policies to access points of the same model.
An access point RF Domain allows an administrator to assign configuration data to multiple access points deployed in a common coverage area (floor, building or site). In such instances, there are many configuration attributes these access points share, as their general client support roles are quite similar.
However, an access point’s RF Domain configuration may need periodic refinement from its original RF Domain designation. Unlike an RFS series wireless controller, an access point supports just a single RF domain. Administrators should therefore be aware that overriding an access point’s RF Domain configuration results in a separate configuration that must be managed in addition to the RF Domain configuration, so a configuration should only be overridden when needed. For more information, see RF Domain Overrides on page 5-242.
The access point’s RF Domain can have a WIPS sensor configuration applied. For more information on defining a WIPS sensor configuration for use with the access point’s RF Domain, see RF Domain Sensor Configuration on page 5-57.
To set a RF Domain configuration:
1. Select the Configuration tab from the Web UI.
2. Select Devices.
3. Select RF Domains from the options on left-hand side of the UI.
The RF Domain Basic Configuration tab displays by default with the access point RF Domain activated.
FIGURE 1 RF Domain - Basic Configuration tab
4. Define the following Basic Configuration values for the access point RF Domain:
Location – Assign the physical location of the RF Domain. This name could be as specific as the floor of a building, or as generic as an entire site. The location defines the physical area where a common set of access point configurations are deployed and managed by the RF Domain policy.
Contact – Provide the name of the contact E-mail (or administrator) assigned to respond to events created by or impacting the RF Domain.
Time Zone – Set the geographic time zone for the RF Domain. The RF Domain can contain unique country codes and time zone information to access points deployed across different states or countries, thus making them ideal for managing device configurations across different geographical deployments.
Country – Define the two-digit country code set for the RF Domain. The country code must be set accurately to avoid the policy’s illegal operation, as device radios transmit in specific channels unique to the country of operation.
Controller Managed – Select the option to indicate this RF Domain is managed by adopting controllers or service platforms. This option is disabled by default.
Refer to the Smart Scan field to define the channels for smart scan.
Enable Dynamic Channel – Select the option to enable dynamic channel scan.
2.4 GHz Channels – Use the Select drop-down to select channels to scan in the 2.4 GHz band. Selected channels are highlighted with a grey background. Unselected channels are highlighted with a white background. Multiple channels can be selected at the same time.
5.0 GHz Channels – Use the Select drop-down to select channels to scan in the 5.0 GHz band. Selected channels are highlighted with a grey background. Unselected channels are highlighted with a white background. Multiple channels can be selected at the same time.
Refer to the Statistics field to define how RF Domain statistics are updated.
Update Interval – Set a statistics update interval of 0 or 5-3600 seconds for updates retrieved from the access point.
Select the Add Row button to add a new row to the Statistics update table.
Window Index – Use the spinner control to set a numerical index used as an identifier for each RF Domain statistic defined.
Sample Interval – Use the spinner control to define the interval (in seconds) used by the access point to capture windowed statistics supporting the RF Domain configuration. The default is 5 seconds.
Window Size – Use the spinner control to set the number of samples used by the controller to define RF Domain statistics. The default value is 3.
To delete a row in the Statistics update table, select the Delete icon next to the row in the table.
Use the Initial Setup Wizard to configure the device. For more information on using the Initial Setup Wizard, see Using the Initial Setup Wizard.
Select OK to save the changes to the Basic Configuration, or select Reset to revert to the last saved configuration.

RF Domain Sensor Configuration

The Brocade Wireless Intrusion Protection System (WIPS) protects wireless client and access point radio traffic from attacks and unauthorized access. WIPS provides tools for standards compliance and around-the-clock wireless network security in a distributed environment. WIPS allows administrators to identify and accurately locate attacks, rogue devices and network vulnerabilities in real time and permits both a wired and wireless lockdown of wireless device connections upon acknowledgement of a threat.
In addition to dedicated Brocade AirDefense sensors, an access point radio can function as a sensor and upload information to a dedicated WIPS server (external to the access point). Unique WIPS server configurations can be used to ensure a WIPS server configuration is available to support the unique data protection needs of a RF Domain.
WIPS is not supported on a WLAN basis, rather, sensor functionality is supported on the access point radio(s) available to each managed WLAN. When an access point radio is functioning as a WIPS sensor, it is able to scan in sensor mode across all legal channels within the 2.4 and 5.0 GHz band. Sensor functionality is not provided by the access point alone. The access point works in conjunction with a dedicated WIPS server.
To define a WIPS server configuration used with the access point’s RF Domain:
1. Select the Configuration tab from the Web UI.
2. Select Devices.
3. Select RF Domains from the options on left-hand side of the UI.
Select the Sensor Configuration tab.
FIGURE 2 RF Domain - Sensor Configuration tab
4. Either select the + Add Row button to create a new WIPS server configuration or highlight an existing Sensor Server Configuration and select the Delete icon to remove it.
5. Use the spinner control to assign a numerical Server ID to each WIPS server defined. The server with the lowest defined ID is the first reached by the access point. The default ID is 1.
6. Provide the numerical (non DNS) IP Address of each server used as a WIPS sensor server by the RF Domain.
7. Use the spinner control to specify the Port of each WIPS server. The default port is 443.
8. Select OK to save the changes to the AirDefense WIPS configuration, or select Reset to revert to the last saved configuration.

RF Domain Alias Configuration

With large deployments, the configuration of remote sites utilizes a set of shared attributes, of which a small set of attributes are unique for each location. For such deployments, maintaining separate configuration (WLANs, profiles, policies and ACLs) for each remote site is complex. Migrating any global change to a particular configuration item to all the remote sites is a complex and time consuming operation.
Also, this practice does not scale gracefully for quick growing deployments.
An alias enables an administrator to define a configuration item, such as a hostname, as an alias once and use the defined alias across different configuration items such as multiple ACLs.
Once a configuration item, such as an ACL, is utilized across remote locations, the alias used in the configuration item (ACL) is modified to meet local deployment requirements. Any other ACL or other configuration items using the modified alias also get modified, simplifying maintenance at the remote deployment.
Aliases have scope depending on where the alias is defined. Aliases are defined with the following scopes:
Global aliases are defined from the Configuration > Network > Alias screen. Global aliases are available for use globally across all devices, profiles and RF Domains in the system.
Profile aliases are defined from the Configuration > Devices > System Profile > Network > Alias screen. These aliases are available for use to a specific group of wireless controllers or access points. Alias values defined in this profile override alias values defined within global aliases.
RF Domain aliases are defined from the Configuration > Devices > RF Domain > Alias screen. These aliases are available for use for a site, as an RF Domain is site specific. RF Domain alias values override alias values defined in a global alias or a profile alias configuration.
Device aliases are defined from the Configuration > Devices > Device Overrides > Network > Alias screen. Device aliases are utilized by a single device only. Device alias values override alias values defined in a global alias, profile alias or RF Domain alias configuration.
Using an alias, configuration changes made at a remote location override any updates at the management center. For example, if a network alias defines a network range as 192.168.10.0/24 for the entire network, and at a remote deployment location the local network range is 172.16.10.0/24, the network alias can be overridden at the deployment location to suit the local requirement. For the remote deployment location, the network alias works with the 172.16.10.0/24 network. Existing ACLs using this network alias need not be modified and will work with the local network for the deployment location. This simplifies ACL definition and management while taking care of specific local deployment requirements.
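The scope precedence and override behavior described above, modeled as an added example that is not part of this guide or of Brocade's software. It resolves each alias from the most specific scope that defines it, shows what a shared rule actually matches at one site, and lists every override for review. The rule dictionary shape, the alias names ($CORP-NET, $DNS, $USERS), the DNS address, and the reading that the 32 character name limit includes the dollar sign are assumptions.

```python
import ipaddress
import re

# Precedence from the guide: global < profile < RF Domain < device.
SCOPE_ORDER = ("global", "profile", "rf_domain", "device")
# Assumption: the 32 character limit counts the leading '$'.
NAME_RE = re.compile(r"^\$[^\s$]{1,31}$")


def normalize(kind, value):
    """Validate one alias value and return it in canonical form."""
    if kind == "vlan":
        vlan = int(value)
        if not 1 <= vlan <= 4094:
            raise ValueError(f"VLAN {vlan} outside 1-4094")
        return vlan
    if kind == "host":
        return ipaddress.ip_address(value)
    if kind == "network":
        # The guide asks for host/mask; strict=False accepts set host bits.
        return ipaddress.ip_network(value, strict=False)
    if kind == "range":
        start, end = (ipaddress.ip_address(v) for v in value)
        if start > end:
            raise ValueError("range start is above range end")
        return (start, end)
    if kind == "string":
        return str(value)
    raise ValueError(f"unknown alias kind {kind!r}")


def load_scopes(raw):
    """Validate every definition; returns {scope: {name: (kind, value)}}."""
    checked = {}
    for scope, aliases in raw.items():
        if scope not in SCOPE_ORDER:
            raise ValueError(f"unknown scope {scope!r}")
        checked[scope] = {}
        for name, (kind, value) in aliases.items():
            if not NAME_RE.match(name):
                raise ValueError(f"bad alias name {name!r}")
            checked[scope][name] = (kind, normalize(kind, value))
    return checked


def resolve(name, scopes):
    """Return (kind, value, scope) from the most specific defining scope."""
    for scope in reversed(SCOPE_ORDER):
        if name in scopes.get(scope, {}):
            kind, value = scopes[scope][name]
            return kind, value, scope
    raise KeyError(f"alias {name} is not defined in any scope")


def effective_rule(rule, scopes):
    """Replace alias references in a rule's src/dst with resolved values."""
    out = dict(rule)
    for field in ("src", "dst"):
        ref = rule[field]
        if isinstance(ref, str) and ref.startswith("$"):
            out[field] = resolve(ref, scopes)[1]
    return out


def overrides(scopes):
    """List aliases whose effective value differs from the broadest one."""
    findings = []
    names = {n for aliases in scopes.values() for n in aliases}
    for name in sorted(names):
        defs = [(s, scopes[s][name]) for s in SCOPE_ORDER
                if name in scopes.get(s, {})]
        (base_scope, base), (win_scope, win) = defs[0], defs[-1]
        if win != base:
            findings.append((name, base_scope, base[1], win_scope, win[1]))
    return findings


# Constructed sample: central definitions plus one site's RF Domain
# overrides, using the network and VLAN values from the guide's examples.
CENTRAL = {"global": {"$CORP-NET": ("network", "192.168.10.0/24"),
                      "$DNS": ("host", "192.168.10.5"),
                      "$USERS": ("vlan", 10)}}
REMOTE_SITE = {**CENTRAL,
               "rf_domain": {"$CORP-NET": ("network", "172.16.10.0/24"),
                             "$USERS": ("vlan", 26)}}
# Hypothetical rule shape, not the device's firewall rule syntax.
RULE = {"action": "permit", "src": "$CORP-NET", "dst": "$DNS"}

if __name__ == "__main__":
    site = load_scopes(REMOTE_SITE)
    print(effective_rule(RULE, site))
    for name, base_scope, base, win_scope, win in overrides(site):
        print(f"{name}: {base_scope}={base} overridden by {win_scope}={win}")
```

Because the rule text is identical at every site, the override listing is the place where a reviewer sees that the same ACL permits a different network there.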
Aliases can be classified as:
Network Basic Alias
Network Group Alias
Network Service Alias
Network Basic Alias
A basic alias is a set of configurations that consist of VLAN, Host, Network and Address Range alias configurations. VLAN configuration is a configuration for optimal VLAN re-use and management for local and remote deployments. A host alias configuration is for a particular host device’s IP address. A network alias configuration is utilized for an IP address on a particular network. An address range alias is a configuration for a range of IP addresses.
A basic alias configuration can contain multiple instances for each of the five (5) alias types.
To edit or delete a basic alias configuration:
1. Select the Configuration tab from the Web user interface.
2. Select Devices.
3. Select RF Domain.
4. Select the Basic Alias tab. The Basic Alias screen displays.
FIGURE 3 RF Domain - Basic Alias screen
5. Select + Add Row to define VLAN Alias settings:
Use the VLAN Alias field to create unique aliases for VLANs that can be used at different deployments. For example, if a named VLAN is defined as 10 for the central network, and the VLAN is set at 26 at a remote location, the VLAN can be overridden at the deployment location with an alias. At the remote deployment location, the network is functional with a VLAN ID of 26 but utilizes the name defined at the centrally managed network. A new VLAN need not be created specifically for the remote deployment.
Name – If adding a new VLAN Alias, provide it a distinguishing name up to 32 characters. The alias name always starts with a dollar sign ($).
VLAN – Use the spinner control to set a numeric VLAN from 1 - 4094.
A VLAN alias can be used to replace VLANs in the following locations:
Bridge VLAN
IP Firewall Rules
L2TPv3
Switchport
Wireless LANs
6. Select + Add Row to define Address Range Alias settings:
Use the Address Range Alias field to create aliases for IP address ranges that can be utilized at different deployments. For example, if an ACL defines a pool of network addresses as 192.168.10.10 through 192.168.10.100 for an entire network, and a remote location’s network range is 172.16.13.20 through 172.16.13.110, the remote location’s ACL can be overridden using an alias. At the remote location, the ACL works with the 172.16.13.20-110 address range. A new ACL need not be created specifically for the remote deployment location.
Name – If adding a new Address Alias, provide it a distinguishing name up to 32 characters. The alias name always starts with a dollar sign ($).
Start IP – Set a starting IP address used with a range of addresses utilized with the address range alias.
End IP – Set an ending IP address used with a range of addresses utilized with the address range alias.
An address range alias can be used to replace an IP address range in IP firewall rules.
7. Select + Add Row to define Host Alias settings:
Use the Host Alias field to create aliases for hosts that can be utilized at different deployments. For example, if a central network DNS server is set to a static IP address, and a remote location’s local DNS server is defined, this host can be overridden at the remote location. At the remote location, the network is functional with a local DNS server, but uses the name set at the central network. A new host need not be created at the remote location. This simplifies creating and managing hosts and allows an administrator to better manage specific local requirements.
Name – If adding a new Host Alias, provide it a distinguishing name up to 32 characters. The alias name always starts with a dollar sign ($).
Host – Set the IP address of the host machine.
A host alias can be used to replace hostnames in the following locations:
IP Firewall Rules
DHCP
8. Select + Add Row to define Network Alias settings:
Use the Network Alias field to create aliases for IP networks that can be utilized at different deployments. For example, if a central network ACL defines a network as 192.168.10.0/24, and a remote location’s network range is 172.16.10.0/24, the ACL can be overridden at the remote location to suit their local (but remote) requirement. At the remote location, the ACL functions with the 172.16.10.0/24 network. A new ACL need not be created specifically for the remote deployment. This simplifies ACL definition and allows an administrator to better manage specific local requirements.
Name – If adding a new Network Alias, provide it a distinguishing name up to 32 characters. The alias name always starts with a dollar sign ($).
Network – Provide a network address in the form of host/mask.
A network alias can be used to replace network declarations in the following locations:
IP Firewall Rules
DHCP
9. Select + Add Row to define String Alias settings:
Use the String Alias field to create aliases for strings that can be utilized at different deployments. For example, if the main domain at a remote location is called loc1.domain.com and at another deployment location it is called loc2.domain.com, the alias can be overridden at the remote location to suit the local (but remote) requirement. At one remote location, the alias functions with the loc1.domain.com domain and at the other with the loc2.domain.com domain.
Name – If adding a new String Alias, provide it a distinguishing name up to 32 characters. The alias name always starts with a dollar sign ($).
Value – Provide a string value to use in the alias.
A string alias can be used to replace a domain name string in DHCP.
10. Select OK when completed to update the basic alias rules. Select Reset to revert the screen back to its last saved configuration.
Network Group Alias
A network group alias is a set of configurations that consist of host and network configurations. Network configurations are complete networks in the form 192.168.10.0/24 or IP address ranges in the form 192.168.10.10-192.168.10.20. Host configuration is in the form of a single IP address, 192.168.10.23.
A network group alias can contain multiple definitions for host, network, and IP address range. A maximum of eight (8) host entries, eight (8) network entries and eight (8) IP addresses range entries can be configured inside a network group alias. A maximum of 32 network group alias entries can be created.
A network group alias is used in IP firewall rules to substitute hosts, subnets and IP address ranges.
To edit or delete a network alias configuration:
1. Select the Configuration tab from the Web user interface.
2. Select Devices.
3. Select RF Domain.
4. Select the Network Group Alias tab. The following screen displays:
FIGURE 4 RF Domain - Network Group Alias screen
Name – Displays the administrator assigned name of the network group alias.
Host – Displays all host aliases configured in this network group alias. Displays a blank column if no host alias is defined.
Network – Displays all network aliases configured in this network group alias. Displays a blank column if no network alias is defined.
5. Select Edit to modify the attributes of an existing policy or Delete to remove obsolete policies from the list of those available. Select Add to create a new Network Group Alias, Copy to copy an existing policy or Rename to rename an existing policy.
FIGURE 5 RF Domain - Network Group Alias Add screen
6. If adding a new Network Group Alias, provide it a name of up to 32 characters.
NOTE: The Network Group Alias Name always starts with a dollar sign ($).
7. Define the following network group alias parameters:
Host – Specify the Host IP address for up to eight IP addresses supporting network aliasing. Select the down arrow to add the IP address to the table.
Network – Specify the netmask for up to eight IP addresses supporting network aliasing. Subnets can improve network security and performance by organizing hosts into logical groups. Applying the subnet mask to an IP address separates the address into a host address and an extended network address. Select the down arrow to add the mask to the table.
8. Within the Range table, use the + Add Row button to specify the Start IP address and End IP address for the alias range, or double-click on an existing alias range entry to edit it.
9. Select OK when completed to update the network group alias rules. Select Reset to revert the screen back to its last saved configuration.
Network Service Alias
A network service alias is a set of configurations that consist of protocol and port mappings. Both source and destination ports are configurable. For each protocol, up to 2 source port ranges and up to 2 destination port ranges can be configured. A maximum of 4 protocol entries can be configured per network service alias.
Use a service alias to associate more than one IP address to a network interface, providing multiple connections to a network from a single IP node.
Network Service Alias can be used in the following location to substitute protocols and ports:
IP Firewall Rules
To edit or delete a service alias configuration:
1. Select the Configuration tab from the Web user interface.
2. Select Devices.
3. Select RF Domain.
4. Select the Network Service Alias tab. The following screen displays:
FIGURE 6 RF Domain - Network Service Alias screen
5. Select Edit to modify the attributes of an existing policy or Delete to remove obsolete policies from the list of those available. Select Add to create a new Network Service Alias.
FIGURE 7 RF Domain - Network Service Alias Add screen
6. If adding a new Network Service Alias, provide it a name up to 32 characters.
NOTE: The Network Service Alias Name always starts with a dollar sign ($).
7. Within the Range field, use the + Add Row button to specify the Start IP address and End IP address for the service alias range or double-click on an existing service alias range entry to edit it.
Protocol – Specify the protocol for which the alias has to be created. Use the drop-down menu to select the protocol (eigrp, gre, icmp, igmp, ip, vrrp, igp, ospf, tcp and udp). Select other if the protocol is not listed. When a protocol is selected, its protocol number is automatically selected.
Source Port (Low and High) – Use this field only if the protocol is tcp or udp. Specify the source ports for this protocol entry. A range of ports can be specified. Select the Enter Range button next to the field to enter a lower and higher port range value. Up to eight (8) such ranges can be specified.
Destination Port (Low and High) – Use this field only if the protocol is tcp or udp. Specify the destination ports for this protocol entry. A range of ports can be specified. Select the Enter Range button next to the field to enter a lower and higher port range value. Up to eight (8) such ranges can be specified.
8. Select OK when completed to update the network service alias rules. Select Reset to revert the screen back to its last saved configuration.

System Profile Configuration

An access point profile enables an administrator to assign a common set of configuration parameters and policies to access points of the same model. Profiles can be used to assign common or unique network, wireless and security parameters to access points across a large, multi segment, site. The configuration parameters within a profile are based on the hardware model the profile was created to support. All Mobility supported access point models support a single profile that is either shared amongst multiple access points or not. The central benefit of a profile is its ability to update access points collectively without having to modify individual configurations.
A profile allows access point administration across large wireless network segments. However, an administrator cannot manage more than one model’s profile and its set configuration policies at any one time. Therefore, an administrator should manage multiple access points directly from the Virtual Controller AP. As individual access point updates are made, the access point no longer shares the profile based configuration it previously deployed. Changes made to the profile are automatically inherited by all member access points, but not those who have had their configuration overridden from their previous profile designation. These devices require careful administration, as they can no longer be tracked as profile members. Their customized configurations overwrite their profile assignments until the profile can be re-applied to the access point.
Each access point model is automatically assigned a default profile. The default profile is available within the access point’s configuration file. Default profiles are ideal for single site deployments where several access points may need to share a common configuration.
NOTE: A central difference compared to the default-radio configurations in previous Mobility releases is that default profiles are used as pointers for an access point’s configuration, not just templates from which the configuration is copied. Therefore, if a change is made in one of the parameters in a profile, the change is reflected across all access points using that profile.
For more information, refer to the following:
General Profile Configuration
Profile Radio Power
Profile Adoption (Auto Provisioning) Configuration
Profile Wired 802.1X Configuration
Profile Interface Configuration
Profile Network Configuration
Profile Security Configuration
Virtual Router Redundancy Protocol (VRRP) Configuration
Profile Critical Resources
Profile Services Configuration
Profile Management Configuration
Mesh Point Configuration
Advanced Profile Configuration
Environmental Sensor Configuration

General Profile Configuration

An access point profile requires unique clock synchronization settings as part of its general configuration.
Network time protocol (NTP) manages time and/or network clock synchronization within the access point managed network. NTP is a client/server implementation. The access point periodically synchronizes its clock with a master clock (an NTP server). For example, the access point resets its clock to 07:04:59 upon reading a time of 07:04:59 from its designated NTP server.
Use the General screen of the System Profile configuration to define whether the access point can act as an RF Domain manager for its RF Domain.
To define a profile’s general configuration:
1. Select the Configuration tab from the Web UI.
2. Select Devices.
3. Select System Profile from the options on the left-hand side of the UI.
General configuration options display by default, with the profile activated for use with this access point model.
FIGURE 8 General Profile screen
4. Select + Add Row below the Network Time Protocol (NTP) table to define the configurations of NTP server resources used to obtain system time. Up to 3 NTP servers can be configured. Set the following parameters to define the NTP configuration:
AutoKey: Select this option to enable an autokey configuration for the NTP resource. The default setting is disabled.
Key: If an autokey is not being used, manually enter a 64 character maximum key the access point and NTP resource share to securely interoperate.
Preferred: Select this option to designate this particular NTP resource as preferred. If designating multiple NTP resources, preferred resources are given first opportunity to connect and provide NTP calibration.
Server IP: Set the IP address of each server added as a potential NTP resource.
Version: Use the spinner control to specify the version number used by this NTP server resource. The default setting is 0.
Use the RF Domain Manager field to configure how this access point behaves in standalone mode. Set the following parameters:
Capable: Select to enable this access point to act as an RF Domain Manager in a particular RF Domain.
Priority: Select to prioritize this access point in becoming an RF Domain Manager in its particular RF Domain. The higher the value, the more likely the device becomes the RF Domain Manager for the domain.
5. Select OK to save the changes made to the general profile configuration. Select Reset to revert to the last saved configuration.

Profile Radio Power

Use the Power screen to set one of two power modes (3af or Auto) for the access point profile. When Automatic is selected, the access point safely operates within available power. Once the power configuration is determined, the access point configures its operating power characteristics based on its model and power configuration.
An access point uses a complex programmable logic device (CPLD) to manage power. The CPLD determines proper supply sequencing, the maximum power available and other status information. One of the primary functions of the CPLD is to determine the maximum power budget. When an access point is powered on (or performing a cold reset), the CPLD determines the maximum power provided by the POE device and the budget available to the access point. The CPLD also determines the access point hardware SKU (model) and the number of radios.
If the access point’s POE resource cannot provide sufficient power to run the access point (with all intended interfaces enabled), some of the following interfaces could be disabled or modified:
The access point’s transmit and receive algorithms could be negatively impacted
The access point’s transmit power could be reduced due to insufficient power
The access point’s WAN port configuration could be changed (either enabled or disabled)
To define an access point’s power configuration:
1. Select the Configuration tab from the Web UI.
2. Select Devices.
3. Select System Profile from the options on the left-hand side of the UI.
4. Select Power.
A screen displays where the access point profile’s power mode can be defined.
FIGURE 9 Profile - Power screen
5. Use the Power Mode drop-down menu to set the Power Mode Configuration on this AP.
NOTE
Single radio model access points always operate using a full power configuration. The power management configurations described in this section do not apply to single radio access point models.
When an access point is powered on for the first time, it determines the power budget available. Using the Automatic setting, the access point automatically determines the best power configuration based on the available power budget. Automatic is the default setting.
If 802.3af is selected, the access point assumes 12.95 watts are available. If the mode is changed, the access point requires a reset to implement the change. If 802.3at is selected, the access point assumes 23 - 26 watts are available.
6. Set the access point radio’s 802.3af Power Mode and the radio’s 802.3at Power Mode.
Use the drop-down menu for each power mode to define a mode of either Range or Throughput.
7. Select Throughput to transmit packets at the radio’s highest defined basic rate (based on the radio’s current basic rate settings). This option is optimal in environments where the transmission range is secondary to broadcast/multicast transmission performance.
8. Select Range when range is preferred over performance for broadcast/multicast (group) traffic. The data rates used for range are the lowest defined basic rates. Throughput is the default setting for both 802.3af and 802.3at.
9. Select OK to save the changes made to the access point power configuration. Select Reset to revert to the last saved configuration.

Profile Adoption (Auto Provisioning) Configuration

Adoption is the process an access point uses to discover Virtual Controller APs available in the network, pick the most desirable Virtual Controller, establish an association with the Virtual Controller, optionally obtain an image upgrade, obtain its configuration and consider itself provisioned. This is a configurable activity that can be supported within an access point profile and applied to other access points (of the same model) supported by the profile.
At adoption, an access point solicits and receives multiple adoption responses from Virtual Controller APs available on the network. These adoption responses contain loading policy information the access point uses to select the optimum Virtual Controller AP for adoption.
An access point configuration does not need to be present for an auto provisioning (adoption) policy to take effect. Once adopted, the access point’s configuration is defined and applied by the Virtual Controller. The auto provisioning policy mapping does not have an impact on subsequent adoptions by the same device.
To define the access point profile’s adoption configuration:
1. Select the Configuration tab from the Web UI.
2. Select Devices.
3. Select System Profile from the options on the left-hand side of the UI.
4. Select Adoption.
FIGURE 10 Profile Adoption screen
5. Define the Preferred Group used as the optimal group of Virtual Controllers for adoption. The name of the preferred group cannot exceed 64 characters.
6. Select the VLAN option to define a VLAN the access point’s associating Virtual Controller AP is reachable on. VLANs 0 and 4,095 are reserved and cannot be used. This setting is disabled by default.
Define the Hello Interval value in seconds.
The Hello interval is the interval between two consecutive hello keep alive messages exchanged between the access point and the adopting wireless controller. These messages serve as a connection validation mechanism to ensure the availability of the adopting wireless controller. Use the spinner to set a value from 1 - 120 seconds.
Define the Adjacency Hold Time value. This value sets the time after which the preferred controller group is considered down and unavailable to provide services. Use the spinner to set a value from 2 - 600 seconds.
7. Enter Controller Hostnames as needed to define resources for adoption. Click +Add Row to add controllers. Set the following parameters to define Controller Hostnames:
Host: Use the drop-down menu to specify whether the controller adoption resource is defined as a (non DNS) IP address or a hostname. Once defined, provide the numerical IP or hostname. A hostname cannot exceed 64 characters.
Pool: Use the spinner controller to set a pool of either 1 or 2. This is the pool the target Virtual Controller belongs to. The default setting is 1.
Routing Level: Use the spinner controller to set the routing level for the Virtual Controller link. The default setting is 1.
IPSec Support: Select to enable secure communication between the access point and wireless controllers.
IPSec GW: Use the drop-down menu to specify if the IPSec gateway resource is defined as a (non DNS) IP address or a hostname. Once defined, provide the numerical IP or hostname. A hostname cannot exceed 64 characters.
Force: Select to enable the link to the adopting controller or the controller group to be created even when not required.
8. Select + Add Row as needed to populate the table with IP addresses or hostnames of adoption resources.
9. Select OK to save the changes made to the general profile configuration. Select Reset to revert to the last saved configuration.

Profile Wired 802.1X Configuration

802.1X provides administrators secure, identity based access control as another data protection option to utilize with a device profile.
802.1X is an IEEE standard for media-level (Layer 2) access control, offering the capability to permit or deny network connectivity based on the identity of the user or device.
1. Select the Configuration tab from the Web UI.
2. Select Devices.
3. Select System Profile from the options on the left-hand side of the UI.
4. Select Wired 802.1x.
FIGURE 11 Profile Wired 802.1X screen
5. Set the following Wired 802.1x Settings:
Dot1x Authentication Control: Select this option to globally enable 802.1x authentication for the selected device. This setting is disabled by default.
Dot1x AAA Policy: Use the drop-down menu to select an AAA policy to associate with wired 802.1x traffic. If a suitable AAA policy does not exist, click the Create icon to create a new policy or the Edit icon to modify an existing policy.
Dot1x Guest VLAN Control: Select this option to globally enable 802.1x guest VLANs for the selected device. This setting is disabled by default.
MAC Authentication AAA Policy: Use the drop-down menu to select an AAA authentication policy for MAC address authentication. If a suitable MAC AAA policy does not exist, click the Create icon to create a new policy or the Edit icon to modify an existing policy.
6. Select OK to save the changes to the 802.1x configuration. Select Reset to revert to the last saved configuration.

Profile Interface Configuration

An access point profile can support customizable Ethernet port, virtual interface, port channel, radio and PPPoE configurations unique to each supported access point model.
A profile’s interface configuration process consists of the following:
Ethernet Port Configuration
Virtual Interface Configuration
Port Channel Configuration
Access Point Radio Configuration
WAN Backhaul Configuration
PPPoE Configuration
Additionally, deployment considerations and guidelines for profile interface configurations are available for review prior to defining a configuration that could significantly impact the performance of the network. For more information, see WAN Backhaul Deployment Considerations on page 5-107.
Ethernet Port Configuration
Displays the physical port reporting runtime data and statistics. The following ports are available depending on model:
Brocade Mobility 6511 Access Point - fe1, fe2, fe3, fe4, up1
Brocade Mobility 1220 Access Point/Brocade Mobility 1220 Access Point - GE1/POE (LAN)
Brocade Mobility 7131 Access Point - GE1/POE (LAN), GE2 (WAN)
Brocade Mobility 1240 Access Point - GE1/POE (LAN), GE2 (WAN)
To define a profile’s Ethernet port configuration:
1. Select the Configuration tab from the Web UI.
2. Select Devices.
3. Select System Profile from the options on the left-hand side of the UI.
4. Expand the Interface menu and select Ethernet Ports.
FIGURE 12 Profile Interfaces - Ethernet Ports screen
5. Refer to the following to assess port status, mode and VLAN configuration:
Name: Displays the physical port name reporting runtime data and statistics. Supported ports vary depending on model.
Type: Displays the physical port type.
Description: Displays an administrator defined description for each listed port.
Admin Status: A green check mark defines the port as active and currently enabled with the profile. A red “X” defines the port as currently disabled and not available for use. The interface status can be modified with the port configuration as required.
Mode: Displays the profile’s current switching mode as either Access or Trunk. If Access is listed, the port accepts packets only from the native VLAN. Frames are forwarded out the port untagged with no 802.1Q header. All frames received on the port are expected as untagged and mapped to the native VLAN. If set to Trunk, the port allows packets from a list of VLANs added to the trunk. A port configured as Trunk supports multiple 802.1Q tagged VLANs and one Native VLAN which can be tagged or untagged.
Native VLAN: Lists the numerical VLAN ID (1 - 4094) set for the native VLAN. The native VLAN allows an Ethernet device to associate untagged frames to a VLAN when no 802.1Q tag is included in the frame. Additionally, the native VLAN is the VLAN untagged traffic is directed over when using a port in trunk mode.
Tag Native VLAN: A green check mark defines the native VLAN as tagged. A red “X” defines the native VLAN as untagged. When a frame is tagged, the 12 bit frame VLAN ID is added to the 802.1Q header so upstream Ethernet devices know which VLAN ID the frame belongs to. The device reads the 12 bit VLAN ID and forwards the frame to the appropriate VLAN. When a frame is received with no 802.1Q header, the upstream device classifies the frame using the default or native VLAN assigned to the Trunk port. A native VLAN allows an Ethernet device to associate untagged frames to a VLAN when no 802.1Q tag is included in the frame.
Allowed VLANs: Displays the VLANs allowed to send packets over the listed port. Allowed VLANs are only listed when the mode has been set to Trunk.
6. To edit an access point profile’s port configuration, select it from amongst those displayed and then select the Edit button. The Ethernet port Basic Configuration screen displays by default.
FIGURE 13 Ethernet Ports - Basic Configuration screen
7. Set the following Ethernet port Properties:
Description: Enter a brief description for the port (64 characters maximum). The description should reflect the port’s intended function to differentiate it from others with similar configurations.
Admin Status: Select the Enabled radio button to define this port as active to the profile it supports. Select the Disabled radio button to disable this physical port in the profile. It can be activated at any future time when needed.
Speed: Select the speed at which the port can receive and transmit the data. Select either 10 Mbps, 100 Mbps or 1000 Mbps. Select one of these options to establish a 10, 100 or 1000 Mbps data transfer rate for the selected half duplex or full duplex transmission over the port. These options are not available if Auto is selected. Select Automatic to enable the port to automatically exchange information about data transmission speed and duplex capabilities. Auto negotiation is helpful in an environment where different devices are connected and disconnected on a regular basis. Automatic is the default setting.
Duplex: Select either half, full or automatic as the duplex option. Select Half duplex to send data over the port, then immediately receive data from the same direction in which the data was transmitted. Like a full-duplex transmission, a half-duplex transmission can carry data in both directions, just not at the same time. Select Full duplex to transmit data to and from the port at the same time. Using full duplex, the port can send data while receiving data as well. Select Automatic to enable the access point to dynamically set duplex as port performance needs dictate. Automatic is the default setting.
8. Define the following Cisco Discovery Protocol (CDP) and LLDP parameters to apply to the Ethernet port configuration:
Cisco Discover Protocol Receive: Select this option to allow the Cisco discovery protocol for receiving data on this port. If enabled, the port sends out periodic interface updates to a multicast address to advertise its presence to neighbors. This option is enabled by default.
Cisco Discover Protocol Transmit: Select this option to allow the Cisco discovery protocol for transmitting data on this port. If enabled, the port sends out periodic interface updates to a multicast address to advertise its presence to neighbors. This option is enabled by default.
Link Layer Discovery Protocol Receive: Select this option to snoop LLDP on this port. If enabled, the port sends out periodic interface updates to a multicast address to advertise its presence to neighbors. This option is enabled by default.
Link Layer Discovery Protocol Transmit: Select this option to transmit LLDP PDUs on this port. If enabled, the port sends out periodic interface updates to a multicast address to advertise its presence to neighbors.
9. Define the following Switching Mode parameters to apply to the Ethernet port configuration:
Mode: Select either the Access or Trunk radio button to set the VLAN switching mode over the port. If Access is selected, the port accepts packets only from the native VLAN. Frames are forwarded out the port untagged with no 802.1Q header. All frames received on the port are expected as untagged and are mapped to the native VLAN. If the mode is set to Trunk, the port allows packets from a list of VLANs you add to the trunk. A port configured as Trunk supports multiple 802.1Q tagged VLANs and one Native VLAN which can be tagged or untagged. Access is the default mode.
Native VLAN: Use the spinner control to define a numerical Native VLAN ID from 1 - 4094. The native VLAN allows the access point to associate untagged frames to a VLAN when no 802.1Q tag is included in the frame. Additionally, the native VLAN is the VLAN which untagged traffic will be directed over when using a port in trunk mode. The default VLAN is 1.
Tag Native VLAN: Select this option to tag the native VLAN. The IEEE 802.1Q specification is supported for tagging frames and coordinating VLANs between devices. IEEE 802.1Q adds four bytes to each frame, identifying for upstream devices the VLAN ID the frame belongs to. If the upstream Ethernet device does not support IEEE 802.1Q tagging, it does not interpret the tagged frames. When VLAN tagging is required between devices, both devices must support tagging and be configured to accept tagged VLANs. When a frame is tagged, the 12 bit frame VLAN ID is added to the 802.1Q header so upstream Ethernet devices know which VLAN ID the frame belongs to. The device reads the 12 bit VLAN ID and forwards the frame to the appropriate VLAN. When a frame is received with no 802.1Q header, the upstream device classifies the frame using the default or native VLAN assigned to the Trunk port. The native VLAN allows an Ethernet device to associate untagged frames to a VLAN when no 802.1Q tag is included in the frame. This feature is disabled by default.
Allowed VLANs: Selecting Trunk as the mode enables the Allowed VLANs parameter. Add VLANs that exclusively send packets over the listed port.
10. Optionally select the Port Channel option and define a setting from 1 - 8 using the spinner control. This sets the channel group for the port.
11. Select OK to save the changes made to the Ethernet Port Basic Configuration. Select Reset to revert to the last saved configuration.
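The Switching Mode settings above (Mode, Native VLAN, Tag Native VLAN, Allowed VLANs) can be modeled as follows. This is an added example, not code from the access point: the PortConfig class, the function names and the sample frame are constructed for illustration, and dropping a tagged frame that arrives on an Access port is an assumption based on the statement that such ports expect untagged frames.

```python
import struct
from dataclasses import dataclass, field
from typing import Optional, Set

TPID_8021Q = 0x8100   # EtherType value that marks an 802.1Q tag
MAC_HDR_LEN = 12      # destination MAC + source MAC

# Constructed sample: untagged broadcast IPv4 frame with a dummy payload.
SAMPLE_FRAME = (bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
                + struct.pack("!H", 0x0800) + bytes(46))


def add_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert the four byte 802.1Q tag after the two MAC addresses."""
    if not 1 <= vid <= 4094:                     # 0 and 4095 are reserved
        raise ValueError(f"VLAN ID {vid} is outside 1 - 4094")
    tci = ((pcp & 0x7) << 13) | vid              # PCP(3) | DEI(1)=0 | VID(12)
    tag = struct.pack("!HH", TPID_8021Q, tci)
    return frame[:MAC_HDR_LEN] + tag + frame[MAC_HDR_LEN:]


def read_tag(frame: bytes) -> Optional[int]:
    """Return the 12 bit VLAN ID, or None when the frame carries no tag."""
    if len(frame) < MAC_HDR_LEN + 4:
        return None
    tpid, tci = struct.unpack_from("!HH", frame, MAC_HDR_LEN)
    return (tci & 0x0FFF) if tpid == TPID_8021Q else None


@dataclass
class PortConfig:
    mode: str = "access"          # "access" (the default) or "trunk"
    native_vlan: int = 1          # default native VLAN
    tag_native: bool = False      # Tag Native VLAN, disabled by default
    allowed_vlans: Set[int] = field(default_factory=set)   # trunk only


def classify_ingress(port: PortConfig, frame: bytes) -> Optional[int]:
    """Return the VLAN a received frame is mapped to, or None if dropped."""
    vid = read_tag(frame)
    if vid is None:
        return port.native_vlan   # untagged frames map to the native VLAN
    if port.mode == "access":
        return None               # assumption: tagged frame on an Access port
    if vid == port.native_vlan or vid in port.allowed_vlans:
        return vid
    return None                   # VLAN is not carried on this trunk


def build_egress(port: PortConfig, vlan: int, frame: bytes) -> Optional[bytes]:
    """Return the bytes sent for an untagged frame in `vlan`, or None."""
    if port.mode == "access":
        return frame if vlan == port.native_vlan else None
    if vlan == port.native_vlan:
        return add_tag(frame, vlan) if port.tag_native else frame
    if vlan in port.allowed_vlans:
        return add_tag(frame, vlan)
    return None


if __name__ == "__main__":
    trunk = PortConfig(mode="trunk", native_vlan=1, allowed_vlans={10, 20})
    for vid in (None, 10, 30):
        rx = SAMPLE_FRAME if vid is None else add_tag(SAMPLE_FRAME, vid)
        print(f"trunk ingress, tag={vid}: mapped to {classify_ingress(trunk, rx)}")
```

Running the module prints how a trunk with native VLAN 1 and allowed VLANs 10 and 20 maps untagged, allowed and non-allowed frames, which is a quick way to review which VLAN untagged traffic reaches before a profile change is pushed to every member access point.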
12. Select the Security tab.
FIGURE 14 Ethernet Ports - Security tab
13. Refer to the Access Control field. As part of the port’s security configuration, Inbound IP and MAC address firewall rules are required.
Use the Inbound IP Firewall Rules and Inbound MAC Firewall Rules drop-down menus to select the firewall rules to apply to this profile’s Ethernet port configuration.
The firewall inspects IP and MAC traffic flows and detects attacks typically not visible to traditional wired firewall appliances.
14. If a firewall rule does not exist suiting the data protection needs of the target port configuration, select the Create icon to define a new rule configuration.
15. Refer to the Trust field to define the following:
Trust ARP Responses: Select this option to enable ARP trust on this access point port. ARP packets received on this port are considered trusted and information from these packets is used to identify rogue devices within the network. The default value is disabled.
Trust DHCP Responses: Select this option to enable DHCP trust on this port. If enabled, only DHCP responses are trusted and forwarded on this port, and a DHCP server can be connected only to a DHCP trusted port. The default value is enabled.
ARP header Mismatch Validation: Select this option to enable a mismatch check for the source MAC in both the ARP and Ethernet header. The default value is disabled.
Trust 8021p COS values: Select this option to enable 802.1p COS values on this port. The default value is enabled.
Trust IP DSCP: Select this option to enable IP DSCP values on this port. The default value is enabled.
NOTE
Some vendor solutions with VRRP enabled send ARP packets with Ethernet SMAC as a physical MAC and inner ARP SMAC as VRRP MAC. If this configuration is enabled, a packet is allowed, despite a conflict existing.
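The ARP header Mismatch Validation check and the VRRP case in the note above can be expressed as a small frame inspector. This is an added example, not the access point's implementation: the function names, the allow_vrrp switch and the sample addresses are constructed, and the 00:00:5e:00:01:xx virtual router MAC prefix comes from RFC 5798 rather than from this guide.

```python
import struct
from typing import NamedTuple, Optional

ETHERTYPE_ARP = 0x0806
ETHERTYPE_8021Q = 0x8100
ARP_LEN = 28                                   # Ethernet/IPv4 ARP payload
VRRP_V4_PREFIX = bytes.fromhex("00005e0001")   # RFC 5798, last byte = VRID


class ArpCheck(NamedTuple):
    verdict: str              # ok, mismatch, vrrp-exception, not-arp, malformed
    eth_src: Optional[str]    # source MAC in the Ethernet header
    arp_sha: Optional[str]    # sender hardware address inside the ARP payload


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(eth_src: bytes, arp_sha: bytes, oper: int = 2) -> bytes:
    """Build a constructed ARP frame (oper 2 = reply) for testing the check."""
    eth = bytes.fromhex("ffffffffffff") + eth_src + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    arp += arp_sha + bytes([192, 0, 2, 1])     # sender MAC / IP (documentation range)
    arp += bytes(6) + bytes([192, 0, 2, 50])   # target MAC / IP
    return eth + arp


def check_arp_header(frame: bytes, allow_vrrp: bool = True) -> ArpCheck:
    """Compare the Ethernet source MAC with the ARP sender hardware address."""
    if len(frame) < 14:
        return ArpCheck("malformed", None, None)
    eth_src = frame[6:12]
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    offset = 14
    if ethertype == ETHERTYPE_8021Q:           # step over a single VLAN tag
        if len(frame) < 18:
            return ArpCheck("malformed", _mac(eth_src), None)
        (ethertype,) = struct.unpack_from("!H", frame, 16)
        offset = 18
    if ethertype != ETHERTYPE_ARP:
        return ArpCheck("not-arp", _mac(eth_src), None)
    if len(frame) < offset + ARP_LEN:
        return ArpCheck("malformed", _mac(eth_src), None)
    htype, ptype, hlen, plen, _oper = struct.unpack_from("!HHBBH", frame, offset)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return ArpCheck("malformed", _mac(eth_src), None)
    sha = frame[offset + 8: offset + 14]
    if sha == eth_src:
        return ArpCheck("ok", _mac(eth_src), _mac(sha))
    # The case from the note: physical MAC outside, VRRP virtual MAC inside.
    if allow_vrrp and sha[:5] == VRRP_V4_PREFIX:
        return ArpCheck("vrrp-exception", _mac(eth_src), _mac(sha))
    return ArpCheck("mismatch", _mac(eth_src), _mac(sha))


if __name__ == "__main__":
    phys = bytes.fromhex("020000000001")       # constructed addresses
    samples = {
        "matching headers": build_arp(phys, phys),
        "different sender": build_arp(phys, bytes.fromhex("020000000099")),
        "vrrp virtual mac": build_arp(phys, bytes.fromhex("00005e000107")),
    }
    for label, frame in samples.items():
        print(label, check_arp_header(frame))
```

With allow_vrrp set to False the VRRP frame is reported as a plain mismatch, which shows what is given up when the exception is permitted: any sender that places a VRRP-style address in the ARP payload passes the check.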
16. Set the following 802.1X Settings:
Host Mode: Use the drop-down menu to select the host mode configuration to apply to this port. Options include single-host or multi-host. The default setting is single-host.
Guest VLAN: Specify a guest VLAN for this port from 1 - 4094. This is the VLAN traffic is bridged on if this port is unauthorized and the guest VLAN is globally enabled.
Port Control: Use the drop-down menu to set the port control state to apply to this port. Options include force-authorized, force-unauthorized and automatic. The default setting is port-authorized.
Re Authenticate: Select this setting to force clients to reauthenticate on this port. The default setting is disabled, thus clients do not need to reauthenticate for connection over this port until this setting is enabled.
Max Reauthenticate Count: Set the maximum reauthentication attempts (1 - 10) before this port is moved to unauthorized. The default setting is 2.
Maximum Request: Set the maximum number of authentication requests (1 - 10) before returning a failed message to the requesting client. The default setting is 2.
Quiet Period: Set the quiet period for this port from 1 - 65,535 seconds. This is the maximum wait time 802.1x waits upon a failed authentication attempt. The default setting is 60 seconds.
Reauthenticate Period: Use the spinner control to set the reauthentication period for this port from 1 - 65,535 seconds. The default setting is 60 seconds.
Port MAC Authentication: When enabled, a port’s MAC address is authenticated, as only one MAC address is supported per wired port. When successfully authenticated, packets from the source are processed. Packets from all other sources are dropped. Port MAC authentication is supported on RFS4000, RFS6000 model controllers.
Port MAC authentication may be enabled on ports in conjunction with Wired 802.1x settings for a MAC Authentication AAA policy.
802.1x is an IEEE protocol that defines port based network access control to wired LANs. Refer to the 802.1x Settings to configure the following:
Host Mode: Configures the Port mode for 802.1x authentication. Select single-host to bridge traffic from a single authenticated host. Select multi-host to bridge traffic from any host on the wired port.
Guest VLAN: Set the Guest VLAN on which traffic is bridged from the wired port, if the port is unauthorized.
Port Control: Configures how the port is controlled. When set to Automatic, the port is set to a state as received from the authentication server. When set to force-authorized, any traffic on the port is said to be authorized and is bridged. When set to force-unauthorized, any traffic on the port is said to be unauthorized and is not bridged.
Reauthenticate: Enables reauthentication of authorized ports. Reauthentication is used primarily to refresh the current state of controlled ports. When enabled, any device using the controlled port is forced to reauthenticate. When this happens, the controlled port is still in the authorized state. If reauthentication fails, the port is set as being unauthorized and the device(s) using the port are not allowed access.
Max Reauthenticate Count: Configures the number of times an attempt is made to reauthenticate a controlled port. When exceeded, the controlled port is set as unauthorized.
Maximum Request: Configures the number of times an attempt is made to authenticate with the EAP server before returning an authentication failed message to the device requesting authorization using the controlled port.
Quiet Period: Configures the duration in seconds where no attempt is made to reauthenticate a controlled port. Set a value from 0 - 65535 seconds.
Reauthentication Period: Configures the duration after which a controlled port is forced to reauthenticate. Set a value from 0 - 65535 seconds.
17. Select the Enable option within the 802.1x supplicant (client) feature to enable a username and password pair to be used when authenticating users on this port. Select the Show option to display the password being typed in the Password field.
18. Select the Spanning Tree tab.
Spanning Tree Protocol (STP) (IEEE 802.1D standard) configures a meshed network for robustness by eliminating loops within the network and calculating and storing alternate paths to provide fault tolerance.
STP calculation happens when a port comes up. As the port comes up and the STP calculation happens, the port is set to Blocked state. In this state, no traffic can pass through the port. Since STP calculations take up to a minute to complete, the port is not operational, thereby affecting the network behind the port. Once the STP calculation is complete, the port's state is changed to Forwarding and traffic is allowed.
Rapid Spanning Tree Protocol (RSTP) (IEEE 802.1w standard) is an evolution over the standard STP where the primary aim was to reduce the time taken to respond to topology changes while being backward compatible with STP. PortFast quickly changes the port state from Blocked to Forwarding to allow traffic while the STP calculation occurs.
Multiple Spanning Tree Protocol (MSTP) provides an extension to RSTP to optimize the usefulness of VLANs. MSTP allows for a separate spanning tree for each VLAN group, and blocks all but one of the possible alternate paths within each spanning tree topology.
If there is just one VLAN in the access point managed network, a single spanning tree works fine. However, if the network contains more than one VLAN, the network topology defined by single STP would work, but it is possible to make better use of the alternate paths available by using an alternate spanning tree for different VLANs or groups of VLANs.
An MSTP supported deployment uses multiple MST regions with multiple MST instances (MSTI). Multiple regions and other STP bridges are interconnected using one single common spanning tree (CST).
MSTP includes all of its spanning tree information in a single Bridge Protocol Data Unit (BPDU) format. BPDUs are used to exchange information about bridge IDs and root path costs. Not only does this reduce the number of BPDUs required to communicate spanning tree information for each VLAN, but it also ensures backward compatibility with RSTP. MSTP encodes additional region information after the standard RSTP BPDU as well as a number of MSTI messages. Each MSTI message conveys spanning tree information for one instance. Each instance can be assigned a number of configured VLANs. The frames assigned to these VLANs operate in this spanning tree instance whenever they are inside the MST region. To avoid conveying its entire VLAN to spanning tree mapping in each BPDU, the access point encodes an MD5 digest of its VLAN to instance table in the MSTP BPDU. This digest is used by other MSTP supported devices to determine if the neighboring device is in the same MST region as itself.
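The digest of the VLAN to instance table described above can be computed offline to confirm that two devices will agree on region membership. This is an added example, not code from the access point: it goes beyond the guide's wording by using the definition in IEEE 802.1Q, where the digest is HMAC-MD5 with a fixed key over a 4096 entry table and a region match also requires the same region name and revision level. The region names and VLAN mappings are constructed.

```python
import hashlib
import hmac
from typing import Dict, Iterable, Tuple

# Fixed signature key defined by IEEE 802.1Q for the MST Configuration Digest.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")

# (region name, revision level, {MST instance ID: VLAN IDs})
RegionConfig = Tuple[str, int, Dict[int, Iterable[int]]]


def build_vid_table(instance_vlans: Dict[int, Iterable[int]]) -> bytes:
    """Return the 4096 entry VLAN to instance table as 8192 bytes.

    Entry n holds the instance ID that VLAN n is mapped to. VLANs that are
    not listed stay in instance 0, and entries 0 and 4095 are always zero.
    """
    table = [0] * 4096
    for mstid, vlans in instance_vlans.items():
        if not 1 <= mstid <= 4094:
            raise ValueError(f"instance ID {mstid} is outside 1 - 4094")
        for vid in vlans:
            if not 1 <= vid <= 4094:
                raise ValueError(f"VLAN ID {vid} is outside 1 - 4094")
            if table[vid] not in (0, mstid):
                raise ValueError(f"VLAN {vid} is mapped to two instances")
            table[vid] = mstid
    return b"".join(entry.to_bytes(2, "big") for entry in table)


def config_digest(instance_vlans: Dict[int, Iterable[int]]) -> str:
    """Return the 16 byte configuration digest as lowercase hex."""
    table = build_vid_table(instance_vlans)
    return hmac.new(MST_DIGEST_KEY, table, hashlib.md5).hexdigest()


def same_region(a: RegionConfig, b: RegionConfig) -> bool:
    """Two bridges share a region only if name, revision and digest match."""
    return (a[0], a[1], config_digest(a[2])) == (b[0], b[1], config_digest(b[2]))


if __name__ == "__main__":
    # Constructed configurations for two neighboring devices.
    ap = ("CAMPUS", 1, {1: [10, 20], 2: [30]})
    switch_ok = ("CAMPUS", 1, {2: [30], 1: [20, 10]})     # same mapping
    switch_bad = ("CAMPUS", 1, {1: [10], 2: [20, 30]})    # VLAN 20 moved
    print("digest (no instances):", config_digest({}))
    print("ap vs switch_ok :", same_region(ap, switch_ok))
    print("ap vs switch_bad:", same_region(ap, switch_bad))
```

A single VLAN assigned to a different instance on one device changes the digest, so the neighbors treat each other as belonging to different regions and fall back to the common spanning tree between them.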
FIGURE 15 Ethernet Ports - Spanning Tree tab
PortFast reduces the time taken for a port to complete STP. PortFast must only be enabled on ports on the wireless controller which are directly connected to a server/workstation and not to another hub or controller. PortFast can be left unconfigured on the access point.
Refer to the PortFast field to define the following:
Enable PortFast: Select this option to enable drop-down menus for both the Enable PortFast BPDU Filter and Enable PortFast BPDU Guard options. This setting is disabled by default.
Enable PortFast BPDU Filter: MSTP BPDUs are messages exchanged when controllers gather information about the network topology during STP scan. When enabled, PortFast enabled ports do not transmit or receive BPDU messages. 'Default' sets the PortFast BPDU Filter value to the bridge's BPDU filter value. Select Enable to invoke a BPDU filter for this PortFast enabled port channel.
Enable PortFast BPDU Guard: When enabled, PortFast enabled ports are forced to shut down when they receive BPDU messages. 'Default' sets the PortFast BPDU Guard value to the bridge's BPDU guard value.
Refer to the MSTP Configuration field to define the following:
Enable as Edge Port: Select to enable the port as an Edge Port for MSTP. An Edge Port is a port known to connect to a LAN which has no other bridges attached to it or is directly connected to a user device.
Link Type: Select either the Point-to-Point or Shared radio button. Selecting Point-to-Point indicates the port should be treated as connected to a point-to-point link. Selecting Shared means this port should be treated as having a shared connection. A port connected to a hub is on a shared link, while one connected to an access point is a point-to-point link. Point-to-Point is the default setting.
Cisco MSTP Interoperability: Select to enable or disable interoperability with Cisco’s implementation of MSTP, which is incompatible with standard MSTP.
Force Protocol Version: Select the STP protocol to use with this port. Select Not Supported to disable STP on this port.
Guard: The Root Guard mechanism prevents election of roots other than those designated as roots in a network. When this port receives a better BPDU, the port state becomes Blocked. It retains this state until the port no longer receives the better BPDUs, and the state is then changed to Forwarding. Select Root to enable this feature. Select None to disable this feature.
19. Refer to the Spanning Tree Port Cost table.
Define an Instance Index using the spinner control and then set the cost. The default path cost depends on the user defined port speed. The cost helps determine the role of the port channel in the MSTP network. The designated cost is the cost for a packet to travel from this port to the root in the MSTP configuration. The slower the media, the higher the cost.
Speed                        Default Path Cost
<=100000 bits/sec            200000000
<=1000000 bits/sec           20000000
<=10000000 bits/sec          2000000
<=100000000 bits/sec         200000
<=1000000000 bits/sec        20000
<=10000000000 bits/sec       2000
<=100000000000 bits/sec      200
<=1000000000000 bits/sec     20
>1000000000000 bits/sec      2
20. Select + Add Row as needed to include additional indexes.
21. Refer to the Spanning Tree Port Priority table.
Define an Instance Index using the spinner control and then set the Priority. The lower the priority, the greater the likelihood of the port becoming a designated port.
22. Select + Add Row as needed to include additional indexes.
Select OK to save the changes made to the Ethernet port’s security configuration. Select Reset to revert to the last saved configuration.
Virtual Interface Configuration
Profile Interface Configuration
A Virtual Interface is required for layer 3 (IP) access to provide layer 3 service on a VLAN. The Virtual Interface defines which IP address is associated with each VLAN ID the access point is connected to. A Virtual Interface is created for the default VLAN (VLAN 1) to enable remote administration. A Virtual Interface is also used to map VLANs to IP address ranges. This mapping determines the destination networks for routing.
To review existing Virtual Interface configurations and either create a new Virtual Interface configuration, modify an existing configuration or delete an existing configuration:
1. Select the Configuration tab from the Web UI.
2. Select Devices.
3. Select System Profile from the options on left-hand side of the UI.
4. Expand the Interface menu and select Virtual Interfaces.
FIGURE 16 Profile Interfaces - Virtual Interfaces screen
5. Review the following parameters unique to each virtual interface configuration:
Name - Displays the name of each listed Virtual Interface assigned when it was created. The name is from 1 - 4094, and cannot be modified as part of a Virtual Interface edit.
Type - Displays the type of Virtual Interface for each listed access point interface.
Description - Displays the description defined for the Virtual Interface when it was either initially created or edited.
Admin Status - A green check mark defines the listed Virtual Interface configuration as active and enabled with its supported profile. A red “X” defines the Virtual Interface as currently disabled. The interface status can be modified when a new Virtual Interface is created or an existing one modified.
VLAN - Displays the numerical VLAN ID associated with each listed interface.
IP Address - Defines whether DHCP was used to obtain the primary IP address used by the Virtual Interface configuration.
Once the configurations of existing Virtual Interfaces have been reviewed, determine whether a new interface requires creation, or an existing Virtual Interface requires edit or deletion.
6. Select Add to define a new Virtual Interface configuration, Edit to modify the configuration of an existing Virtual Interface or Delete to permanently remove a selected Virtual Interface.
FIGURE 17 Virtual Interfaces - Basic Configuration tab
The Basic Configuration screen displays by default regardless of whether a new Virtual Interface is being created or an existing one is being modified.
7. If creating a new Virtual Interface, use the Name spinner control to define a numeric ID from 1 - 4094.
8. Define the following parameters from within the Properties field:
Description - Provide or edit a description (up to 64 characters) for the Virtual Interface that helps differentiate it from others with similar configurations.
Admin Status - Either select the Disabled or Enabled radio button to define this interface’s current status within the network. When set to Enabled, the Virtual Interface is operational and available. The default value is Disabled.
9. Set the following network information from within the IP Addresses field:
Enable Zero Configuration - The access point can use Zero Config for IP assignments on an individual virtual interface basis. Select Primary to use Zero Config as the designated means of providing an IP address; this eliminates the means to assign one manually. Selecting Secondary is preferred when wanting the option to either use Zero Config or manual assignments. Zero Configuration (or Zero Config) is a wireless connection utility included with Microsoft Windows XP and later as a service that dynamically selects a network to connect to based on a user’s preference and various default settings. Zero Config can be used instead of a wireless network utility from the manufacturer of a computer’s wireless networking device.
Primary IP Address - Define the IP address for the VLAN associated Virtual Interface.
Use DHCP to Obtain IP - Select this option to allow DHCP to provide the IP address for the Virtual Interface. Selecting this option disables the Primary IP address field.
Use DHCP to obtain Gateway/DNS Servers - Select this option to allow DHCP to obtain a default gateway address and DNS resource for one virtual interface. This setting is disabled by default and only available when the Use DHCP to Obtain IP option is selected.
Secondary Addresses - Use the Secondary Addresses parameter to define additional IP addresses to associate with VLAN IDs. The address provided in this field is used if the primary IP address is unreachable.
10. Define the Network Address Translation (NAT) direction.
11. Select either the Inside, Outside or None radio buttons.
Inside - The inside network is transmitting data over the network to its intended destination. On the way out, the source IP address is changed in the header and replaced by the (public) IP address.
Outside - Packets passing through the NAT on the way back to the LAN are searched against the records kept by the NAT engine. There the destination IP address is changed back to the specific internal private class IP address in order to reach the LAN over the network.
None - No NAT activity takes place. This is the default setting.
12. Select the OK button to save the changes to the Basic Configuration screen. Select Reset to revert to the last saved configuration.
13. Select the Security tab.
FIGURE 18 Virtual Interfaces - Security tab
14. Use the Inbound IP Firewall Rules drop-down menu to select the firewall rule configuration to apply to this Virtual Interface.
The firewall inspects packet traffic to and from connected clients.
If a firewall rule does not exist suiting the data protection needs of this Virtual Interface, select the Create icon to define a new firewall rule configuration or the Edit icon to modify an existing configuration. For more information, see Wireless Firewall on page 8-531.
Use the VPN Crypto Map drop-down menu to select and assign a VPN crypto map entry to this virtual interface. The VPN Crypto Map entry defines the type of VPN connection and its parameters. For more information, see Defining Profile VPN Settings.
15. Select the OK button located at the bottom right of the screen to save the changes to the Security screen. Select Reset to revert to the last saved configuration.
Port Channel Configuration
Profile Interface Configuration
The access point’s profile can be applied to customize the port channel configurations as part of its interface configuration.
To define a port channel configuration for an access point profile:
1. Select the Configuration tab from the Web UI.
2. Select Devices.
3. Select System Profile from the options on left-hand side of the UI.
4. Expand the Interface menu and select Port Channels.
FIGURE 19 Profile Interfaces - Port Channels screen
5. Refer to the following to review existing port channel configurations and their current status:
Name - Displays the port channel’s numerical identifier assigned to it when it was created. The numerical name cannot be modified as part of the edit process.
Type - Displays whether the type is port channel.
Description - Lists a short description (64 characters maximum) describing the port channel or differentiating it from others with similar configurations.
Admin Status - A green check mark defines the listed port channel as active and currently enabled with the access point’s profile. A red “X” defines the port channel as currently disabled and not available for use. The interface status can be modified with the port channel configuration as required.
6. To edit the configuration of an existing port channel, select it from amongst those displayed and select the Edit button. The Port Channel Basic Configuration screen displays by default.
FIGURE 20 Port Channels - Basic Configuration tab
7. Set the following port channel Properties:
Description - Enter a brief description for the port channel (64 characters maximum). The description should reflect the port channel’s intended function.
Admin Status - Select the Enabled radio button to define this port channel as active to the controller profile it supports. Select the Disabled radio button to disable this port channel configuration within the profile. It can be activated at any future time when needed. The default setting is disabled.
Speed - Select the speed at which the port channel can receive and transmit data. Select 10 Mbps, 100 Mbps or 1000 Mbps to establish a 10, 100 or 1000 Mbps data transfer rate for the selected half duplex or full duplex transmission over the port. These options are not available if Auto is selected. Select Automatic to enable the port channel to automatically exchange information about data transmission speed and duplex capabilities. Auto negotiation is helpful in an environment where different devices are connected and disconnected on a regular basis. Automatic is the default setting.
Duplex - Select either Half, Full or Automatic as the duplex option. Select Half duplex to send data over the port channel, then immediately receive data from the same direction in which the data was transmitted. Like a Full duplex transmission, a Half duplex transmission can carry data in both directions, just not at the same time. Select Full duplex to transmit data to and from the port channel at the same time. Using Full duplex, the port channel can send data while receiving data as well. Select Automatic to enable the access point to dynamically set the duplex mode as port channel performance needs dictate. Automatic is the default setting.
8. Use the Port Channel Load Balance drop-down menu within the Client Load Balancing field to define whether port channel load balancing is conducted using a Source/Destination IP or a Source/Destination MAC as criteria. Source/Destination IP is the default setting.