Extreme Networks A3502A User Manual

6 Availability, mobility, and controller functionality
This chapter describes the availability and mobility concepts, including:
Availability overview
Mobility manager
Configuring network time
Configuring Check Point event logging
Enabling SNMP
Using controller utilities
Configuring Web session timeouts
The Summit WM series switch provides additional functionality including:
Availability – Maintains service availability in the event of a Summit WM series switch outage
Mobility – Allows multiple Summit WM series switches on a network to discover each other and exchange information about a client session. A maximum of 8 controllers can be linked to allow users to transparently roam across controllers in the mobility domain.
Availability overview
The Summit WM series switch, access points, and WLAN switch software system provides this feature to maintain service availability in the event of a Summit WM series switch outage.
The availability feature links two Summit WM series switches as a pair, to share information about their Altitude APs. If one controller fails, its Altitude APs are allowed to connect to the backup controller. The second Summit WM series switch provides the wireless network and a pre-assigned WM Access Domain Service (WM-AD) for the Altitude AP.
NOTE
The Summit WM series switch's mobility domain licence (MDL) limits the number of APs that are allowed to connect to the controller. During a failover event, the maximum number of failover APs a backup controller can accommodate is equal to the number of MDLs that are purchased for that system.
NOTE
Altitude APs that attempt to connect to a backup controller during a failover event are assigned to the WM-AD that is defined in the system’s default AP configuration. If a system default AP configuration does not exist for the controller, the failover AP will not be assigned to any WM-AD.
Also, the default AP configuration assignment is only applicable to new APs that fail over to the backup controller. Any AP that has previously failed over and is already known to the backup system will receive the configuration already present on that system.
For more information, see “Configuring the default AP settings” on page 66.
Summit WM Series WLAN Switch and Altitude Access Point Software Version 4.1 User Guide
From the viewpoint of an Altitude AP, if a Summit WM series switch or the connection to it fails, the Altitude AP begins its discovery process. The Altitude AP is directed to the appropriate backup controller of the pair. This connection may require the Altitude AP to reboot. Users on the Altitude AP must log in again and be authenticated on the second Summit WM series switch.
NOTE
The availability feature provides APs with a list of interfaces to which the AP should attempt to connect automatically when a connection with an active controller link is lost. The provided list identifies the local active interfaces (enabled on the primary and backup controllers) for the active controller as well as the active interfaces for the backup controller. The list is sorted by top-down priority. If the active link is lost (poll failure), the AP automatically scans (pings) all addresses in its availability interface list. The AP will then connect to the highest priority interface that responds to its probe.
Availability prerequisites
Before you begin, ensure you have completed the following:
Choose the primary and secondary Summit WM series switches.
Verify the network accessibility for the TCP/IP connection between the two switches. The availability link is established as a TCP session on port 13907.
Set up a DHCP server for AP subnets to support Option 78 for SLP, so that it points to the IP addresses of the physical interfaces on both Summit WM series switches.
Now set up each Summit WM series switch separately. One method is as follows:
1 In the AP Registration screen, set up each Summit WM series switch in Stand-alone Mode and Secure Mode (allow only approved Altitude APs to connect).
2 In the Topology tab, define a WM-AD on each Summit WM series switch with the same SSID. The IP addresses must be unique. For more information, see “Topology for a WM-AD” on page 98. A Summit WM series switch WM200/2000 VLAN Bridged WM-AD can permit two controllers to share the same subnet (different IP addresses). This setup provides support for mobility users in a VLAN Bridged WM-AD.
3 On both Summit WM series switches, set the Registration Mode to Allow only approved so that no more Altitude APs can register unless they are approved by the administrator.
4 In the AP Registration screen, enable the two Summit WM series switches as an availability pair.
5 On each Summit WM series switch, in the Access Approval screen, check the status of the Altitude APs and approve any APs that should be connected to that controller. System AP defaults can be used to assign a group of WM-ADs to the foreign APs:
If the APs are not yet known to the system, the AP will be initially configured according to AP default settings. To ensure better transition in availability, it is recommended that the AP default settings match the desired WM-AD assignment for failover APs.
AP assignment to WM-ADs according to the AP default settings can be overwritten by manually modifying the AP WM-AD assignment. (For example, select and assign each WM-AD that the AP should connect to.)
If specific foreign APs have been assigned to a WM-AD, those specific foreign AP assignments are used.
An alternate method to setting up APs includes:
1 Add each Altitude AP manually to each Summit WM series switch.
2 From the AP Properties screen, click Add Altitude AP.
3 Define the Altitude AP and click Add Altitude AP.
Manually defined APs will inherit the default AP configuration settings.
WARNING!
If two Summit WM series switches are paired and one has the Allow All option set for Altitude AP registration, all Altitude APs will register with that Summit WM series switch.
To set the primary or secondary Summit WM series switches for availability:
1 From the main menu, click Altitude AP Configuration. The Altitude APs screen is displayed.
2 In the left pane, click AP Registration. The Altitude AP Registration screen is displayed.
3 To enable availability, select the Paired option.
4 Do one of the following:
For a primary controller, in the Summit Switch IP Address box, type the IP address of the physical port of the secondary Summit WM series switch. This IP address must be on a routable subnet between the two Summit WM series switches.
For a secondary controller, in the Summit Switch IP Address box, type the IP address of the Management port or physical port of the primary Summit WM series switch.
5 Do one of the following:
To set this Summit WM series switch as the primary connection point, select the Current Summit Switch is primary connect point checkbox.
To set this Summit WM series switch as the secondary connection point, clear the Current Summit Switch is primary connect point checkbox.
If the Current Wireless Switch is primary connect point checkbox is selected, the specified switch waits for a request. If the Current Wireless Switch is primary connect point checkbox is cleared, the specified switch sends a connection request. Confirm that one switch has this checkbox selected, and the second switch has this checkbox cleared, since improper configuration of this option will result in incorrect network configuration.
6 To set the security mode for the Summit WM series switch, select one of the following options:
Allow all Altitude APs to connect – If the Summit WM series switch does not recognize the serial number, it sends a default configuration to the Altitude AP. Or, if the Summit WM series switch recognizes the serial number, it sends the specific configuration (port and binding key) set for that Altitude AP.
Allow only approved Altitude APs to connect – If the Summit WM series switch does not recognize the serial number, the operator is prompted to create a configuration. Or, if the Summit WM series switch recognizes the serial number, it sends the configuration for that Altitude AP.
NOTE
During the initial setup of the network, it is recommended to select the Allow all Altitude APs to connect option. This option is the most efficient way to get a large number of Altitude APs registered with the Summit WM series switch.
Once the initial setup is complete, it is recommended that the security mode is reset to the Allow only approved Altitude APs to connect option. This option ensures that no unapproved Altitude APs are allowed to connect. For more information, see “Modifying Altitude AP settings” on page 64.
7 To save your changes, click Save.
NOTE
When two Summit WM series switches have been paired as described above, each Summit WM series switch's registered Altitude APs will appear as foreign on the other controller in the list of available Altitude APs when configuring a WM-AD topology.
Viewing the Altitude AP availability display
For more information, see “Viewing the Altitude AP availability display” on page 193.
Viewing SLP activity
In normal operations, the primary Summit WM series switch registers as an SLP service called ac_manager. The controller service directs the Altitude APs to the appropriate Summit WM series switch. During an outage, if the remaining Summit WM series switch is the secondary controller, it registers as the SLP service ru_manager.
To view SLP activity:
1 From the main menu, click Altitude AP Configuration. The Altitude APs screen is displayed.
2 In the left pane, click AP Registration. The Altitude AP Registration screen is displayed.
3 To confirm SLP registration, click the View SLP Registration button. A pop-up screen displays the results of the diagnostic slpdump tool, to confirm SLP registration.
Events and actions during a failover
If one of the Summit WM series switches in a pair fails, the connection between the two Summit WM series switches is lost. This triggers a failover mode condition, and a critical message is displayed in the information log of the remaining Summit WM series switch.
After the Altitude AP on the failed Summit WM series switch loses its connection, it will try to connect to all enabled interfaces on both controllers without rebooting. If the Altitude AP is unsuccessful, it will begin the discovery process. If the Altitude AP is not successful in connecting to the Summit WM series switch after five minutes of attempting, the Altitude AP will reboot.
If the AP is assigned to different WM-ADs on the two controllers, it will reboot. Because of the pairing of the two Summit WM series switches, the Altitude AP will then register with the other Summit WM series switch.
All user sessions using the AP that fails over will terminate unless the Maintain client sessions in event of poll failure option is enabled on the AP Properties tab or AP Default Settings screen.
NOTE
An Altitude AP connects first to a Summit WM series switch registered as ac_manager and, if not found, then seeks an ru_manager. If the primary Summit WM series switch fails, the secondary one registers as ru_manager. This enables the secondary Summit WM series switch to be found by Altitude APs after they reboot.
When the Altitude APs connect to the second Summit WM series switch, they will be assigned to the WM-AD that is defined in the system’s default AP configuration. The wireless device users will log in again and be authenticated on the second Summit WM series switch.
When the failed Summit WM series switch recovers, each Summit WM series switch in the pair goes back to normal mode. They exchange information that includes the latest lists of registered Altitude APs. The administrator must release the Altitude APs manually on the second Summit WM series switch, so that they may re-register with their home Summit WM series switch. Foreign APs can now all be released at once by using the Foreign button on the Access Approval screen to select all foreign APs, and then clicking Released.
To support the availability feature during a failover event, administrators need to do the following:
1 Monitor the critical messages for the failover mode message, in the information log of the remaining Summit WM series switch (in the Reports and Displays section of the Summit WM series switch).
2 After recovery, on the Summit WM series switch that did not fail, select the foreign Altitude APs and click on the Release button on the Access Approval screen.
Mobility manager
The Summit WM series switch, access points, and WLAN switch software system allows multiple Summit WM series switches (up to 8) on a network to discover each other and exchange information about a client session. This technique enables a wireless device user to roam seamlessly between different Altitude APs on different Summit WM series switches.
The solution introduces the concept of a mobility manager, where one Summit WM series switch on the network is designated as the mobility manager and all others are designated as mobility agents.
The wireless device keeps the IP address, WM-AD assignment, and filtering rules it received from its home Summit WM series switch—the Summit WM series switch that it first connected to. The WM-AD on each Summit WM series switch must have the same SSID and RF privacy parameter settings.
NOTE
For the mobility manager you have two options:
> Rely on SLP with DHCP Option 78.
> Define at the agent the IP address of the mobility manager. By explicitly defining the IP address, the agent and the mobility manager are able to find each other directly without using the SLP discovery mechanisms. Direct IP definition is recommended in order to provide tighter control of the registration steps for multi-domain installations.
The Summit WM series switch designated as the mobility manager:
The mobility manager is explicitly identified as the manager for a specific mobility domain. Agents will connect to this manager to establish a mobility domain.
Defines at the agent the IP address of the mobility manager, which allows for the bypass of SLP. Agents directly find and attempt to register with the mobility manager.
Uses SLP, if this method is preferred, to register itself with the SLP Directory Agent as ExtremeNet
Defines the registration behavior for a multi-controller mobility domain set:
Open mode – A new agent is automatically able to register itself with the mobility manager and immediately becomes part of the mobility domain
Secure mode – The mobility manager does not allow a new agent to automatically register. Instead, the connection with the new agent is placed in pending state until the administrator approves the new device.
Listens for connection attempts from mobility agents
Establishes connection and sends a message to the mobility agent specifying the Heartbeat interval, and the mobility manager's IP address if it receives a connection attempt from the agent
Sends regular Heartbeat messages containing wireless device session changes and agent changes to the mobility agents and waits for a returned update message
The Summit WM series switch designated as a mobility agent:
Uses SLP or a statically configured IP address to locate the mobility manager
Defines at the agent the IP address of the mobility manager, which allows for the bypass of SLP. Agents directly find and attempt to register with the mobility manager.
Attempts to establish a TCP/IP connection with the mobility manager
Updates its tables, and sets up data tunnels to and between all Summit WM series switches it has been informed of when it receives the connection-established message
Uses the information from every Heartbeat message received to update its own tables and updates the mobility manager with information on the wireless device users and data tunnels it is managing
If a controller configured as the mobility manager is lost, the following occurs:
Agent to agent connections will remain active.
Mobility agents will continue to operate based on the mobility information last coordinated before the manager link was lost. The mobility location list remains relatively unaffected by the controller failure. Only entries associated with the failed controller are cleared from the registration list, and users that have roamed from the manager controller to other agents are terminated and required to re-register as local users with the agent where they are currently located.
Participant controllers are reset to nodal operation
Any user sessions that roamed away from their home AP are terminated and must reconnect
Users need to reconnect to network, re-authenticate, and obtain new IP address
The data link between active controllers remains active after the loss of a mobility manager
Mobility agents continue to use the last set of mobility location list to service known users
Existing users:
Existing users remain in mobility scenario, and if the users are known to mobility domain, they continue to be able to roam between connected controllers
New users:
New users become local at attaching controller
Roaming to another controller resets session
To designate a mobility manager:
1 From the main menu, click Summit Switch Configuration. The Summit Switch Configuration screen is displayed.
2 In the left pane, click Mobility Manager. The Mobility Manager Settings screen is displayed.
3 To enable mobility for this controller, select the Enable Mobility checkbox. The controller mobility options appear.
4 Select the This Summit Switch is a Mobility Manager option. The mobility manager options appear.
5 In the Port drop-down list, select the interface on the Summit WM series switch to be used for the mobility manager process. Ensure that the selected interface is routable on the network.
6 In the Heartbeat box, type the time interval (in seconds) at which the mobility manager sends a Heartbeat message to a mobility agent. The default is 5 seconds.
7 In the SLP Registration drop-down list, select whether to enable or disable SLP registration.
8 In the Permission list, select the agent IP addresses you want to approve that are in pending state, by selecting the agent and clicking Approve. New agents are only added to the domain if they are approved.
You can also add or delete controllers that you want to be part of the mobility domain. To add a controller, type the agent IP address in the box, and then click Add. To delete a controller, select the controller in the list, and then click Delete.
9 Select the Security Mode option:
Allow all mobility agents to connect – All mobility agents can connect to the mobility manager.
Allow only approved mobility agents to connect – Only approved mobility agents can connect to the mobility manager.
10 To save your changes, click Save.
NOTE
If you set up one Summit WM series switch on the network as a mobility manager, all other Summit WM series switches must be set up as mobility agents.
To designate a mobility agent:
1 From the main menu, click Summit Switch Configuration. The Summit Switch Configuration screen is displayed.
2 In the left pane, click Mobility Manager. The Mobility Manager Settings screen is displayed.
3 To enable mobility for this controller, select the Enable Mobility checkbox. The controller mobility options appear.
4 Select the This Summit Switch is a Mobility Agent option. The mobility agent options appear.
5 In the Port drop-down list, select the port on the Summit WM series switch to be used for the mobility agent process. Ensure that the port selected is routable on the network.
6 In the Heartbeat box, type the time interval (in seconds) to wait for a connection establishment response before trying again. The default is 60 seconds.
7 From the Discovery Method drop-down list, select one of the following:
SLPD – Service Location Protocol Daemon is a background process acting as an SLP server. It provides the functionality of the Directory Agent and Service Agent for SLP. Use SLP to support the discovery of extremeNET service to attempt to locate the area mobility manager controller.
Static Configuration – Select Static Configuration if you want to enter the IP address of the mobility manager manually. Defining a static configuration for a mobility manager IP address bypasses SLP discovery.
8 In the Mobility Manager Address box, type the IP address for the designated mobility manager.
9 To save your changes, click Save.
Displays for the mobility manager
For more information, see “Viewing displays for the mobility manager” on page 196.
Defining management users
In this screen you define the login user names that have access to the Summit Wireless Assistant, either for Summit WM series switch, access points, and WLAN switch software administrators with read/write privileges, or users with read only privileges. For each user added, you can also define and modify a user ID and password.
To add a Summit WM series switch management user:
1 From the main menu, click Summit Switch Configuration. The Summit Switch Configuration screen is displayed.
2 In the left pane, click the Management Users option. The Management Users screen is displayed. The user_admin list displays Admin users who have read/write privileges. The user_read list is for users who have read only privileges.
3 From the Group pull-down list, select Admin or Read only.
4 In the User ID box, type the user ID for the new user. A User ID can only be used once, in only one category.
5 In the Password box, type the password for the new user.
6 In the Confirm Password, retype the password. The $ character is not permitted.
7 Click on the Add User button. The new user is added to the appropriate user list.
To modify a Summit WM series switch management user:
1 From the main menu, click Summit Switch Configuration. The Summit Switch Configuration screen is displayed.
2 In the left pane, click the Management Users option. The Management Users screen is displayed.
3 To select a user to be modified, click it.
4 In the Password box, type the new password for the user.
5 In the Confirm Password, retype the new password.
6 To change the password, click Change Password.
To remove a Summit WM series switch management user:
1 From the main menu, click Summit Switch Configuration. The Summit Switch Configuration screen is displayed.
2 In the left pane, click the Management Users option. The Management Users screen is displayed.
3 To select a user to be removed, click it.
4 To remove the user, click Remove user. The user is removed from the list.
Configuring network time
You can synchronize the elements on the network to a universal clock. This ensures accuracy in usage logs. Network time is synchronized in one of two ways:
using system time
using Network Time Protocol (NTP), an Internet standard protocol that synchronizes client workstation clocks.
To apply time zone settings:
1 From the main menu, click Summit Switch Configuration. The Summit Switch Configuration screen is displayed.
2 In the left pane, click Network Time. The Network Time screen is displayed.
3 From the Continent or Ocean drop-down list, select the appropriate large-scale geographic grouping for the time zone.
4 From the Country drop-down list, select the appropriate country for the time zone. The contents of the drop-down list change based on the selection in the Continent or Ocean drop-down list.
5 From the Time Zone Region drop-down list, select the appropriate time zone region for the selected country.
6 To apply your changes, click Apply Time Zone.
To set system time parameters:
1 From the main menu, click Summit Switch Configuration. The Summit Switch Configuration screen is displayed.
2 In the left pane, click Network Time. The Network Time screen is displayed.
3 To use system time, select the Use System Time radio button.
4 Type the time setting in the Use System Time box, using the mm-dd-yyyy hh:mm format.
5 To apply your changes, click Apply.
To set Network Time Protocol:
1 From the main menu, click Summit Switch Configuration. The Summit Switch Configuration screen is displayed.
2 In the left pane, click Network Time. The Network Time screen is displayed.
3 To use Network Time Protocol, select the Use NTP radio button.
4 In the Use System Time box, type the time setting using the mm-dd-yyyy hh:mm format.
5 In the Time Server 1 box, type the IP address or FQDN of a standard NTP Time Server. You can repeat this step for the Time Server 2 and Time Server 3 boxes.
6 To apply your changes, click Apply.
Configuring Check Point event logging
The Summit WM series switch can forward specified event messages to an ELA server using the OPSEC ELA protocol - Event Logging API (Application Program Interface). On the ELA server, the event messages are tracked and analyzed, so suspicious messages can be forwarded to a firewall application that can take corrective action.
Check Point created the OPSEC (Open Platform for Security) alliance program for security application and appliance vendors to enable an open industry-wide framework for interoperability.
When ELA is enabled on the Summit WM series switch, it forwards the specified event messages from its internal event server to the designated ELA Management Station on the enterprise network.
NOTE
Before you set up the Summit WM series switch, you must first create OPSEC objects for Summit WM series switch in the Check Point management software. The name and password you define must also be entered into the Summit WM series switch Check Point configuration screen.
To enable and configure Check Point:
1 From the main menu, click Summit Switch Configuration. The Summit Switch Configuration screen is displayed.
2 In the left pane, click Check Point. The Check Point Configuration screen is displayed.
3 To enable Check Point logging, select the Enable Check Point Logging checkbox.
4 Type the following information:
Check Point Server IP – Specifies the IP address of the ELA Management Station
ELA Port – Specifies the port to use for ELA. The default port is 18187.
ELA Log Interval – Specifies the amount of time (in milliseconds) you want the system to wait before attempting to log once there is a connection between Summit WM series switch and the Check Point gateway. The default is 100 milliseconds.
ELA Retry Interval – Specifies the amount of time (in milliseconds) you want the system to wait before attempting a re-connection between Summit WM series switch and the Check Point gateway. The default is 2000 milliseconds.
ELA Message Queue Size – Specifies the number of messages the log queue holds if the Summit WM series switch and the Check Point gateway become disconnected. The default is 1000 log entries.
SIC Name – Specifies the Secure Internal Communication (SIC) Name, your security-based ID.
SIC Password – Specifies your Secure Internal Communication (SIC) password. You can use the Unmask button to display the password.
5 To save your changes, click Save.
6 To create the certificate to be sent to the ELA Management Station, click the Generate Certificate button.
If the certificate is properly generated and the connection with the ELA Management Station is made, the Connection Status section displays the following message:
OPSEC Connection OK
If there is an error in generating the certificate or establishing the connection, the Connection Status section displays the following message:
OPSEC Connection Error
ELA Management Station events
The events for the ELA Management Station are grouped under Extreme Networks and are mapped as info events and alert events. The alerts include:
Altitude AP registration and/or authentication failed
Authentication User Request unsuccessful
RADIUS server rejected login (Access Rejected)
An unknown AP has attempted to connect. AP authentication failure.
A connection request failed to authenticate with the CM messaging server. This may indicate port-scanning of the Summit WM series switch, or a back-door access attempt.
Unauthorized client attempting to connect
Enabling SNMP
The Summit WM series switch, access points, and WLAN switch software system supports Simple Network Management Protocol (SNMP), Version 1 and 2c. SNMP, a set of protocols for managing complex networks, is used to retrieve Summit WM series switch statistics and configuration information.
SNMP sends messages, called protocol data units (PDUs), to different parts of a network. Devices on the network that are SNMP-compliant, called agents, store data about themselves in Management Information Bases (MIBs) and return this data to the SNMP requesters.
MIB support
The Summit WM series switch, access points, and WLAN switch software system accepts SNMP Get commands and generates Trap messages. Support is provided for the retrieval of information from the router MIB-II (SNMP_GET) as well as SNMP traps. The supported MIBs include:
SNMPv2-MIB
IF-MIB
IEEE802dot11-MIB
RFC1213-MIB
NOTE
The Summit WM series switch is not fully compliant with MIB II. For example, esa/IXP ports only provide interface statistics.
The Extreme Networks Enterprise MIB includes:
EXTREME-SUMMIT-WM-MIB.my
EXTREME-SUMMIT-WM-SMI
EXTREME-SUMMIT-DOT11-EXTNS-MIB
EXTREME-SUMMIT-WM-BRANCH-OFFICE-MIB
The MIB is provided for compilation into an external NMS. No support has been provided for automatic device discovery by an external NMS.
The Summit WM series switch is the only point of SNMP access for the entire system. In effect, the Summit WM series switch proxies sets, gets, and alarms from the associated Altitude APs.
Enabling SNMP on the Summit WM series switch
You can enable SNMP on the Summit WM series switch to retrieve statistics and configuration information.
To enable SNMP Parameters:
1 From the main menu, click Summit Switch Configuration. The Summit Switch Configuration screen is displayed.
2 In the left pane, click SNMP. The Simple Network Management Protocol screen is displayed.
3 Type the following information:
Contact Name – Specifies the name of the SNMP administrator.
Location – Specifies the location of the SNMP administration machine.
Read Community Name – Specifies the community name for users with read privileges.
Read/Write Community Name – Specifies the community name for users with read and write privileges.
SNMP Trap Port – Specifies the destination port for SNMP traps. The industry standard is 162. If left blank, no traps are generated.
Forward Traps – Specifies the security level of the traps to be forwarded. From the drop-down list, select Informational, Minor, Major, or Critical.
Manager A – Specifies the IP address of the specific machine on the network where the SNMP traps are monitored.
Manager B – Specifies the IP address of a second machine on the network where the SNMP traps are monitored, if Manager A is not available.
NOTE
For security purposes, it is recommended that you immediately change the Read Community Name (public) and the Read/Write Community Name (private) to names that are less obvious and more secure.
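SNMP Version 1 and 2c send the community name unencrypted in the header of every message, so anyone who can observe management traffic can read it. The following added example (not part of the user guide; all function names are illustrative) builds a constructed GetRequest for sysDescr.0 and parses its header to report the version and flag the default names public and private.

```python
DEFAULT_COMMUNITIES = {b"public", b"private"}  # defaults named in the note above

def _tlv(tag, value):
    """BER-encode one element (short or long definite-length form)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + value

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the element at pos; reject truncation."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:  # long form: low 7 bits give the number of length octets
        count = n & 0x7F
        if count == 0 or pos + count > len(buf):
            raise ValueError("bad length field")
        n = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + n > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + n], pos + n

def build_get_request(community, version=1):
    """Build a GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0); version 1 is v2c."""
    oid = _tlv(0x06, bytes([0x2B, 6, 1, 2, 1, 1, 1, 0]))
    varbinds = _tlv(0x30, _tlv(0x30, oid + _tlv(0x05, b"")))
    ids = _tlv(0x02, b"\x01") + _tlv(0x02, b"\x00") + _tlv(0x02, b"\x00")
    pdu = _tlv(0xA0, ids + varbinds)  # request-id, error-status, error-index, varbinds
    return _tlv(0x30, _tlv(0x02, bytes([version])) + _tlv(0x04, community) + pdu)

def inspect_message(packet):
    """Parse the SNMP message header: version INTEGER, then community OCTET STRING."""
    tag, body, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    vtag, vval, pos = _read_tlv(body, 0)
    ctag, community, _ = _read_tlv(body, pos)
    if vtag != 0x02 or ctag != 0x04:
        raise ValueError("unexpected header fields")
    version = {0: "v1", 1: "v2c"}.get(int.from_bytes(vval, "big"), "other")
    return {"version": version, "community": community,
            "default_community": community in DEFAULT_COMMUNITIES}

# Constructed sample: a v2c request that still uses the factory read community.
SAMPLE = build_get_request(b"public")
```

Running inspect_message over captured management traffic in this way shows which stations still use a default community name after the change recommended in the note.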
Using controller utilities
You can use Summit WM series switch utilities to test a connection to the target IP address or to record the route through the Internet between your computer and the target IP address.
To test or record IP address connections:
1 From the main menu, click Summit Switch Configuration. The Summit Switch Configuration screen is displayed.
2 In the left pane, click Utilities. The Summit Switch Utilities screen is displayed.
3 In the Target IP Address box, type the IP address of the destination computer.
4 To test a connection to the target IP address, click Ping.
5 To record the route through the Internet between your computer and the target IP address, click Trace Route. The following is an example of a screen after clicking the Trace Route button.
Configuring Web session timeouts
You can configure the time period to allow Web sessions to remain inactive before timing out.
To configure Web session timeouts:
1 From the main menu, click Summit Switch Configuration. The Summit Switch Configuration screen is displayed.
2 In the left pane, click Web Settings. The Summit Switch Web Management Settings screen is displayed.
3 In the Web Session Timeout box, type the time period to allow the Web session to remain inactive before it times out. This can be entered as hour:minutes, or as minutes. The range is 1 minute to 168 hours.
4 Select the Show WM-AD names on the Altitude AP SSID list checkbox to allow the names of the WM-ADs to appear in the SSID list for Altitude APs.
5 To save your settings, click Save.
NOTE
Screens that auto-refresh will time out, unless a manual action takes place prior to the end of the timeout period.
7 Working with third-party APs
You can set up the Summit WM series switch to handle wireless device traffic from third-party access points, providing the same policy and network access control. This process requires the following steps:
Step 1 – Define a data port as a third party AP port:
Step 2 – Define a WM-AD for the third-party AP port:
Step 3 – Define authentication by Captive Portal and RAD policy for the third-party AP WM-AD:
Step 4 – Define filtering rules for the third-party APs:
To set up third-party APs:
Step 1 – Define a data port as a third party AP port:
1 From the main menu, click Summit Switch Configuration. The Summit Switch Configuration screen is displayed.
2 From the left pane, click IP Address. The Management Port Settings and Interfaces screen is displayed.
3 Highlight the appropriate port, and in the Function box, select 3rd-party AP from the drop-down list. Make sure that Management Traffic and SLP are disabled for this port.
4 Connect the third-party access point to this port, via a switch.
Step 2 – Define a WM-AD for the third-party AP port:
1 From the main menu, click WM-AD Configuration. The WM-AD Configuration screen is displayed.
2 In the left pane, type a name that will identify the new WM-AD in the Add subnet box, and then click Add subnet. The name is displayed in the WM Access Domains list. The Topology tab is displayed.
3 In the Assignment by drop-down list, click SSID.
4 To define a WM-AD for a third-party AP, select the Use 3rd Party AP checkbox.
5 Continue configuring your WM-AD as described in “Configuring topology for a WM-AD for Captive Portal” on page 98.
NOTE
Bridge Traffic at AP and MAC-based authentication are not available for Third Party WM-ADs.
Step 3 – Define authentication by Captive Portal and RAD policy for the third-party AP WM-AD:
1 Click the Auth & Acct tab.
2 In the Authentication Configuration screen, click Configure Captive Portal Settings.
3 In the Captive Portal Settings screen, define the Captive Portal configuration.
4 Click the RAD Policy tab.
5 Define the filter IDs to match those in the RADIUS server.
Step 4 – Define filtering rules for the third-party APs:
1 Because the third-party APs are mapped to a physical port, you must define the Exception filters on the physical port, using the Port Exception Filters screen. For more information, see “Configuring filtering rules for a WM-AD” on page 123.
2 Define filtering rules that allow access to other services and protocols on the network such as HTTP, FTP, Telnet, SNMP.
In addition, modify the following functions on the third-party access point:
Disable the access point's DHCP server, so that the IP address assignment for any wireless device on the AP is from the DHCP server at the Summit WM series switch with WM-AD information.
Disable the third-party access point's layer-3 IP routing capability and set the access point to work as a layer-2 bridge.
Here are the differences between third-party access points and Altitude APs on the Summit WM series switch, access points, and WLAN switch software system:
A third-party access point exchanges data with the Summit WM series switch's data port using standard IP over Ethernet protocol. The third-party access points do not support the tunnelling protocol for encapsulation.
For third-party access points, the WM-AD is mapped to the physical data port and this is the default gateway for mobile units supported by the third-party access points.
A Summit WM series switch cannot directly control or manage the configuration of a third-party access point.
Third-party access points are required to broadcast an SSID unique to their segment. This SSID cannot be used by any other WM-AD.
Roaming from third-party access points to Altitude APs and vice versa is not supported.
8 Working with the Summit WM Series Spy
This chapter describes Summit spy concepts, including:
Summit spy overview
Enabling the Analysis and data collector engines
Running Summit Spy scans
Analysis engine overview
Working with Summit spy scan results
Working with friendly APs
Viewing the Summit spy list of third-party APs
Maintaining the Summit spy list of APs
Viewing the Scanner Status report
Summit spy overview
The Summit spy is a mechanism that assists in the detection of rogue APs. Summit spy functionality does the following:
Altitude AP:
Runs a radio frequency (RF) scanning task.
Alternates between scan functions and providing its regular service to the wireless devices on the network.
Summit WM series switch:
Runs a data collector application that receives and manages the RF scan messages sent by the Altitude AP. RF data collector data includes lists of all connected Altitude APs, third-party APs, and the RF scan information that has been collected from the Altitude APs selected to perform the scan.
Runs an Analysis Engine that processes the scan data from the data collector through algorithms that make decisions about whether any of the detected APs or clients are rogue APs or are running in an unsecure environment (for example, ad-hoc mode).
NOTE
In a network with more than one Summit WM series switch, it is not necessary for the data collector to be running on the same controller as the Analysis Engine. One controller can be a dedicated Analysis Engine while the other controllers run data collector functionality. No more than one Analysis Engine can be running at a time. You must ensure that the controllers are all routable.
Enabling the Analysis and data collector engines
Before using the Summit spy, you must enable and define the Analysis and data collector engines.
To enable the Analysis engine:
1 From the main menu, click Summit Switch Configuration. The Summit Switch Configuration screen is displayed.
2 In the left pane, click Summit Spy. The Summit Spy Configuration screen is displayed.
3 To enable the Summit Spy Analysis Engine, select the Enable Summit Spy Analysis Engine checkbox.
4 To enable the Summit Spy Data Collection Engine on this Summit WM series switch, select the Enable Local Summit Spy Data Collection Engine checkbox.
5 To identify the remote RF Data Collector Engine that the Analysis Engine will poll for data, type the IP address of the Summit WM series switch on which the remote Data Collector resides in the IP Address box.
6 For the data collection engine:
In the Poll interval box, type (in seconds) the interval that the Analysis Engine will poll the RF Data Collector to maintain connection status. The default is 30 seconds.
In the Poll retry count box, type the number of times the Analysis Engine will attempt to poll the RF Data Collector to maintain connection status, before it stops sending requests. The default is 2 attempts.
7 Click Add. The IP address of the Data Collection Engine, with its Poll Interval and Poll Retry parameters is displayed in the list.
NOTE
For each remote RF Data Collection Engine defined here, you must:
> Enable it by selecting the Enable Summit Spy Analysis Engine checkbox on the remote Summit WM series switch
> Ensure that the controllers are routable by whatever means you use (for example, static routes, or OSPF).
8 To add a new collection engine, click Add Collection Engine.
9 Repeat steps 4 to 7.
10 To save your changes, click Apply.
Running Summit Spy scans
The Summit Spy feature allows you to view the following:
Scan Groups
Friendly APs
Third-party APs
AP Maintenance
NOTE
A scan will not run on an inactive AP, even though it is displayed as part of the Scan Group. If it becomes active, it will be sent a scan request during the next periodic scan.
To run the Summit Spy scan task mechanism:
1 From the main menu, click Summit Spy. The Summit Spy screen is displayed.
2 Click the Scan Groups tab.
3 In the Scan Group Name box, type a unique name for this scan group.
4 In the Altitude APs list, select the checkbox corresponding to the Altitude APs you want included in the new scan group, which will perform the scan function.
NOTE
An Altitude AP can participate in only one Scan Group at a time. It is recommended that the Scan Groups represent geographical groupings of Altitude APs.
5 In the Radio drop-down list, select one of the following:
Both – The a and b/g radios both perform the scan function.
a – Only the a radio performs the scan function.
b/g – Only the b/g radio performs the scan function.
6 In the Channel List drop-down list, select one of the following:
All – Scanning is performed on all channels.
Current – Scanning is performed on only the current channel.
7 In the Scan Type drop-down list, select one of the following:
Active – The Altitude AP sends out ProbeRequests and waits for ProbeResponse messages from any access points.