Extreme Networks Summit WM3000 Series, Summit WM3600, Summit WM3700 Reference Manual

Summit® WM3000 Series Controller System Reference Guide, Software Version 4.0
Extreme Networks, Inc.
3585 Monroe Street
Santa Clara, California 95051
(888) 257-3000
(408) 579-2800
http://www.extremenetworks.com
Published: December 2009
Part Number: 100352-00 Rev 01
AccessAdapt, Alpine, Altitude, BlackDiamond, EPICenter, ExtremeWorks Essentials, Ethernet Everywhere, Extreme Enabled, Extreme Ethernet Everywhere, Extreme Networks, Extreme Standby Router Protocol, Extreme Turbodrive, Extreme Velocity, ExtremeWare, ExtremeWorks, ExtremeXOS, Go Purple Extreme Solution, ExtremeXOS ScreenPlay, ReachNXT, Sentriant, ServiceWatch, Summit, SummitStack, Triumph, Unified Access Architecture, Unified Access RF Manager, UniStack, the Extreme Networks logo, the Alpine logo, the BlackDiamond logo, the Extreme Turbodrive logo, the Summit logos, and the Powered by ExtremeXOS logo are trademarks or registered trademarks of Extreme Networks, Inc. or its subsidiaries in the United States and/or other countries.
sFlow is a registered trademark of InMon Corporation.
Specifications are subject to change without notice.
All other registered trademarks, trademarks, and service marks are property of their respective owners.
© 2009 Extreme Networks, Inc. All Rights Reserved.
Table of Contents
Chapter 1: About This Guide
Introduction
Documentation Set
Document Conventions
Notational Conventions
Chapter 2: Overview
Hardware Overview
Power Protection
Cabling Requirements
Software Overview
Infrastructure Features
Installation Feature
Licensing Support
Configuration Management
Diagnostics
Serviceability
Tracing / Logging
Process Monitor
Hardware Abstraction Layer and Drivers
Redundancy
Secure Network Time Protocol (SNTP)
Wireless Switching
Physical Layer Features
Proxy-ARP
HotSpot / IP Redirect
IDM (Identity Driven Management)
Voice Prioritization
Wireless Capacity
AP Load Balancing
Wireless Roaming
Power Save Polling
QoS
Wireless Layer 2 Switching
Automatic Channel Selection
WMM-UPSD
Dynamic VLAN Support
Wired Switching
DHCP Servers
DHCP User Class Options
DDNS
VLAN Enhancements
Interface Management
Management Features
Security Features
Encryption and Authentication
MU Authentication
Secure Beacon
MU to MU Disallow
802.1x Authentication
WIPS
Rogue AP Detection
ACLs
Local Radius Server
IPSec VPN
NAT
Certificate Management
NAC
Chapter 3: Controller Web UI Access and Image Upgrades
Web UI Requirements
Accessing the Summit WM Controller for the First Time
Defining Basic Controller Settings
Controller Password Recovery
Upgrading the Controller Image
Auto Installation
Configuring Auto Install via the CLI
Chapter 4: Controller Information
Viewing the Controller Interface
Setting the Controller Country Code
Viewing the Controller Configuration
Controller Dashboard Details
Summit WM3600 Controller Dashboard
Summit WM3700 Controller Dashboard
Viewing Controller Statistics
Viewing Controller Port Information
Viewing the Port Configuration
Editing the Port Configuration
Viewing the Ports Runtime Status
Reviewing Port Statistics
Detailed Port Statistics
Viewing the Port Statistics Graph
Power over Ethernet (PoE)
Editing Port PoE Settings
Viewing Controller Configurations
Viewing the Detailed Contents of a Config File
Transferring a Config File
Viewing Controller Firmware Information
Editing the Controller Firmware
Enabling Global Settings for the Image Failover
Updating the Controller Firmware
Controller File Management
Transferring Files
Transferring a file from Wireless Controller to Wireless Controller
Transferring a file from a Wireless Controller to a Server
Transferring a file from a Server to a Wireless Controller
Viewing Files
Configuring Automatic Updates
Viewing the Controller Alarm Log
Viewing Alarm Log Details
Viewing Controller Licenses
How to use the Filter Option
Chapter 5: Network Setup
Displaying the Network Interface
Viewing Network IP Information
Configuring DNS
Adding an IP Address for a DNS Server
Configuring Global Settings
Configuring IP Forwarding
Adding a New Static Route
Viewing Address Resolution
Viewing and Configuring Layer 2 Virtual LANs
Viewing and Configuring VLANs by Port
Editing the Details of an Existing VLAN by Port
Viewing and Configuring Ports by VLAN
Configuring Controller Virtual Interfaces
Configuring the Virtual Interface
Adding a Virtual Interface
Modifying a Virtual Interface
Viewing Virtual Interface Statistics
Viewing Virtual Interface Statistics
Viewing the Virtual Interface Statistics Graph
Viewing and Configuring Controller WLANs
Configuring WLANs
Editing the WLAN Configuration
Assigning Multiple VLANs per WLAN
Configuring Authentication Types
Configuring Different Encryption Types
Viewing WLAN Statistics
Viewing WLAN Statistics in Detail
Viewing WLAN Statistics in a Graphical Format
Viewing WLAN Controller Statistics
Configuring WMM
Editing WMM Settings
Configuring the NAC Inclusion List
Adding an Include List to a WLAN
Configuring Devices on the Include List
Mapping Include List Items to WLANs
Configuring the NAC Exclusion List
Adding an Exclude List to the WLAN
Configuring Devices on the Exclude List
Mapping Exclude List Items to WLANs
NAC Configuration Examples Using the Controller CLI
Creating an Include List
Creating an Exclude List
Configuring the WLAN for NAC
Viewing Associated MU Details
Viewing MU Status
Viewing MU Details
Configuring Mobile Units
MAC Naming of Mobile Units
Viewing MU Statistics
Viewing MU Statistics in Detail
View a MU Statistics Graph
Viewing Voice Statistics
Viewing Access Point Information
Configuring Access Point Radios
Configuring an AP Radio’s Global Settings
Editing AP Settings
Adding APs
Defining the AP Radios Mesh Configuration
Viewing AP Statistics
Viewing AP Statistics in Detail
Viewing AP Statistics in Graphical Format
Configuring WLAN Assignment
Editing a WLAN Assignment
Configuring WMM
Editing WMM Settings
Configuring Access Point Radio Bandwidth
Viewing Mesh Statistics
Voice Statistics
Viewing Access Point Adoption Defaults
Configuring AP Adoption Defaults
Editing Default Access Point Adoption Settings
Configuring WLAN Assignment
Configuring WMM
Editing Access Point Adoption WMM Settings
Configuring Access Points
Viewing Adopted Access Points
Viewing Unadopted Access Points
Configuring AP Firmware
Adding a New AP Firmware Image
Editing an Existing AP Firmware Image
Multiple Spanning Tree
Configuring a Bridge
Viewing and Configuring Bridge Instance Details
Creating a Bridge Instance
Associating VLANs to a Bridge Instance
Configuring a Port
Editing a MSTP Port Configuration
Viewing and Configuring Port Instance Details
Editing a Port Instance Configuration
Configuring IGMP Snooping
IGMP Snooping Configuration
IGMP Snoop Querier Configuration
Chapter 6: Controller Services
Displaying the Services Interface
DHCP Server Settings .........................................................................................................................................238
Configuring the Controller DHCP Server....................................................................................................238
Editing the Properties of an Existing DHCP Pool.................................................................................240
Adding a New DHCP Pool................................ ...... ................................................................... ...........241
Configuring DHCP Global Options......................................................................................................243
Configuring DHCP Server DDNS Values ............................................................................................244
Viewing the Attributes of Existing Host Pools ............................................................................................245
Configuring Excluded IP Address Information............................................................................................247
Configuring the DHCP Server Relay..............................................................................................................248
Viewing DDNS Bindings..............................................................................................................................250
Viewing DHCP Bindings..............................................................................................................................251
Reviewing DHCP Dynamic Bindings..........................................................................................................252
Configuring the DHCP User Class...............................................................................................................253
Adding a New DHCP User Class...........................................................................................................254
Editing the Properties of an Existing DHCP User Class.......................................................................255
Configuring DHCP Pool Class.....................................................................................................................256
Editing an Existing DHCP Pool Class...................................................................................................257
Adding a New DHCP Pool Class...........................................................................................................258
Configuring Secure NTP .....................................................................................................................................259
Defining the SNTP Configuration................................................................................................................259
Configuring Symmetric Keys .......................................................................................................................261
Defining a NTP Neighbor Configuration.....................................................................................................263
Adding an NTP Neighbor.............................................................................................................................265
Viewing NTP Associations................................. ...... ...... ..............................................................................266
Viewing NTP Status.......................... ...... .................................................................... ..... .... ........................268
Configuring Controller Redundancy and Clustering...........................................................................................270
Configuring Redundancy Settings................................................................................................................272
Reviewing Redundancy Status.....................................................................................................................275
Configuring Redundancy Group Membership.............................................................................................277
Displaying Redundancy Member Details..............................................................................................279
Adding a Redundancy Group Member...................................................................................................281
Redundancy Group License Aggregation Rules...........................................................................................282
Managing Clustering Using the Web UI......................................................................................................283
Layer 3 Mobility..................................................................................................................................................284
Configuring Layer 3 Mobility......................................................................................................................284
Defining the Layer 3 Peer List......................................................................................................................287
Reviewing Layer 3 Peer List Statistics.........................................................................................................288
Reviewing Layer 3 MU Status .....................................................................................................................290
Configuring Controller Discovery.......................................................................................................................291
Configuring Discovery Profiles....................................................................................................................292
Adding a New Discovery Profile...........................................................................................................295
Viewing Discovered Controllers...................................................................................................................296
Locationing..........................................................................................................................................................298
RTLS Overview............................................................................................................................................298
SOLE - Smart Opportunistic Location Engine.............................................................................................298
Defining Site Parameters..............................................................................................................................299
Adding AP Location Information..........................................................................................................301
Configuring SOLE Parameters.....................................................................................................................302
Configuring Aeroscout Parameters...............................................................................................................304
Configuring Ekahau Parameters...................................................................................................................306
Chapter 7: Controller Security...............................................................................................................309
Displaying the Main Security Interface...............................................................................................................309
AP Intrusion Detection ........................................................................................................................................310
Enabling and Configuring AP Detection......................................................................................................311
Adding or Editing an Allowed AP........................................................................................................313
Approved APs...............................................................................................................................................315
Unapproved APs (Reported by APs)............................................................................................................316
Unapproved APs (Reported by MUs)...........................................................................................................317
Configuring Firewalls and Access Control Lists.................................................................................................319
ACL Overview..............................................................................................................................................319
Router ACLs..........................................................................................................................................320
Port ACLs..............................................................................................................................................321
Wireless LAN ACLs .............................................................................................................................322
ACL Actions..........................................................................................................................................322
Precedence Order...................................................................................................................................322
Configuring the Firewall...............................................................................................................................323
Adding a New ACL................................................................................................................................324
Adding a New ACL Rule.......................................................................................................................325
Editing an Existing Rule........................................................................................................................327
Attaching an ACL on a WLAN Interface/Port .............................................................................................328
Adding or Editing a New ACL WLAN Configuration.........................................................................329
Attaching an ACL Layer 2/Layer 3 Configuration.......................................................................................330
Adding a New ACL Layer 2/Layer 3 Configuration.............................................................................331
Configuring the Role Based Firewall...........................................................................................................332
Creating a Role Based Firewall Rule....................................................................................................333
Configuring a Role .......................................................................................................................................334
Creating a New Role..............................................................................................................................336
Configuring Wireless Filters.........................................................................................................................338
Editing an Existing Wireless Filter...............................................................................................................340
Adding a new Wireless Filter.......................................................................................................................341
Associating an ACL with a WLAN..............................................................................................................342
L2 Level Attack Detection and Mitigation...................................................................................................343
Port Level Configuration........................................................................................................................345
Configuring WLAN Firewall Rules.............................................................................................................346
WLAN Level Configuration...................................................................................................................348
Configuring Denial of Service (DoS) Attack Firewall Rules.......................................................................350
Configuring Firewall Logging Options........................................................................................................352
Reviewing Firewall and ACL Statistics .......................................................................................................353
Reviewing ACL Statistics .....................................................................................................................353
Viewing DHCP Snoop Entry Statistics..................................................................................................355
Viewing Role Based Firewall Statistics................................................................................................356
Configuring NAT Information.............................................................................................................................356
Defining Dynamic NAT Translations ..........................................................................................................357
Adding a New Dynamic NAT Configuration .......................................................................................359
Defining Static NAT Translations................................................................................................................360
Adding a New Static NAT Configuration .............................................................................................362
Configuring NAT Interfaces.........................................................................................................................363
Viewing NAT Status.....................................................................................................................................365
Configuring IKE Settings....................................................................................................................................366
Defining the IKE Configuration...................................................................................................................367
Setting IKE Policies......................................................................................................................................369
Viewing SA Statistics...................................................................................................................................373
Configuring IPSec VPN.......................................................................................................................................374
Defining the IPSec Configuration ................................................................................................................375
Editing an Existing Transform Set........................................................................................................377
Adding a New Transform Set.................................................................................................................379
Defining the IPSec VPN Remote Configuration..........................................................................................380
Configuring IPSEC VPN Authentication.....................................................................................................382
Configuring Crypto Maps.............................................................................................................................384
Crypto Map Entries...............................................................................................................................385
Crypto Map Peers..................................................................................................................................387
Crypto Map Manual SAs.......................................................................................................................389
Crypto Map Transform Sets..................................................................................................................392
Crypto Map Interfaces...........................................................................................................................393
Viewing IPSec Security Associations ..........................................................................................................394
Configuring the Radius Server ............................................................................................................................396
Radius Overview ..........................................................................................................................................396
User Database........................................................................................................................................398
Authentication of Terminal/Management User(s).................................................................................398
Access Policy.........................................................................................................................................398
Proxy to External Radius Server...........................................................................................................398
LDAP.....................................................................................................................................................398
Accounting ............................................................................................................................................398
Using the Controller’s Radius Server Versus an External Radius ...............................................................398
Defining the Radius Configuration...............................................................................................................399
Radius Client Configuration..................................................................................................................400
Radius Proxy Server Configuration.......................................................................................................401
Configuring Radius Authentication and Accounting ...................................................................................402
Configuring Radius Users.............................................................................................................................404
Configuring Radius User Groups.................................................................................................................407
Viewing Radius Accounting Logs................................................................................................................410
Creating Server Certificates.................................................................................................................................411
Using Trustpoints to Configure Certificates.................................................................................................412
Creating a Server / CA Root Certificate................................................................................................413
Configuring Trustpoint Associated Keys.....................................................................................................419
Adding a New Key................................................................................................................................420
Transferring Keys ..................................................................................................................................421
Chapter 8: Controller Management...................................................................................................... 423
Displaying the Management Access Interface.....................................................................................................423
Configuring Access Control................................................................................................................................424
Configuring SNMP Access..................................................................................................................................426
Configuring SNMP v1/v2 Access.................................................................................................................426
Editing an Existing SNMP v1/v2 Community Name............................................................................427
Configuring SNMP v3 Access......................................................................................................................428
Editing a SNMP v3 Authentication and Privacy Password...................................................................430
Setting SNMP Access Message Parameters.................................................................................................430
Accessing SNMP v2/v3 Statistics ................................................................................................................431
Configuring SNMP Traps ....................................................................................................................................433
Enabling Trap Configuration........................................................................................................................433
Configuring E-mail Notifications..........................................................................................................435
Configuring Trap Thresholds.......................................................................................................................436
Wireless Trap Threshold Values...........................................................................................................438
Configuring SNMP Trap Receivers.....................................................................................................................439
Editing SNMP Trap Receivers.....................................................................................................................441
Adding SNMP Trap Receivers.....................................................................................................................441
Configuring Management Users..........................................................................................................................442
Configuring Local Users...............................................................................................................................442
Creating a New Local User....................................................................................................................443
Modifying an Existing Local User........................................................................................................445
Creating a Guest Admin and Guest User ..............................................................................................447
Configuring Controller Authentication.........................................................................................................448
Modifying the Properties of an Existing Radius Server........................................................................450
Adding an External Radius Server........................................................................................................452
External Radius Server Settings............................................................................................................453
Chapter 9: Diagnostics............................................................................................................................ 455
Displaying the Main Diagnostic Interface...........................................................................................................455
Controller Environment ................................................................................................................................455
CPU Performance.........................................................................................................................................457
Controller Memory Allocation.....................................................................................................................458
Controller Disk Allocation ...........................................................................................................................459
Controller Memory Processes.......................................................................................................................460
Other Controller Resources..........................................................................................................................460
Configuring System Logging...............................................................................................................................461
Log Options..................................................................................................................................................461
File Management..........................................................................................................................................463
Viewing the Entire Contents of Individual Log Files ...........................................................................464
Transferring Log Files...........................................................................................................................466
Reviewing Core Snapshots..................................................................................................................................467
Transferring Core Snapshots........................................................................................................................468
Reviewing Panic Snapshots.................................................................................................................................468
Viewing Panic Details .................................................................................................................................470
Transferring Panic Files................................................................................................................................470
Debugging the Applet..........................................................................................................................................471
Configuring a Ping...............................................................................................................................................472
Modifying the Configuration of an Existing Ping Test................................................................................474
Adding a New Ping Test................................ ................................................................... ...... ......................475
Viewing Ping Statistics.................................................................... .............................................................476
Appendix A: Customer Support.............................................................................................................479
Registration..........................................................................................................................................................479
Documentation.....................................................................................................................................................479
Appendix B: AP Management from Controller...................................................................................481
Where to Go From Here...............................................................................................................................481
AP Management...........................................................................................................................................482
Licensing.......................................................................................................................................................482
Controller Discovery ....................................................................................................................................482
Auto Discovery using DHCP................................................................................................................482
Securing a Configuration Channel Between Controller and AP..................................................................483
AP WLAN Topology....................................................................................................................................483
Configuration Updates..................................................................................................................................484
Securing Data Tunnels between the Controller and AP...............................................................................484
Managing an AP’s Controller Failure...........................................................................................................484
If a new controller is located, the AP synchronizes its configuration with the located controller once adopted.
If Remote Site Survivability (RSS) is disabled, the independent WLAN is also disabled in the event of a controller failure.................................................................................................................................................484
Remote Site Survivability (RSS)..................................................................................................................484
Mesh Support................................................................................................................................................485
AP Radius Proxy Support.............................................................................................................................485
Supported AP Topologies....................................................................................................................................486
Topology Deployment Considerations.........................................................................................................486
Extended WLANs Only................................................................................................................................487
Independent WLANs Only...........................................................................................................................487
Extended WLANs with Independent WLANs.............................................................................................487
Extended VLAN on Mesh Networking........................................................................................................487
How the AP Receives its Configuration..............................................................................................................488
AP Adoption Pre-requisites..........................................................................................................................488
Configuring the AP for Adoption by the Controller.....................................................................................488
Configuring the Controller for AP Adoption................................................................................................489
Establishing Controller Managed AP Connectivity.............................................................................................489
AP Configuration..........................................................................................................................................489
Adopting an AP Using a Configuration File.........................................................................................489
Adopting an AP Using DHCP Options.................................................................................................490
Controller Configuration ..............................................................................................................................490
AP Deployment Considerations ...................................................................................................................493
Sample Controller Configuration File for IPSec and Independent WLAN..................................................494
Appendix C: Troubleshooting Information..........................................................................................499
General Troubleshooting .....................................................................................................................................499
Wireless Controller Issues............................................................................................................................499
Controller Does Not Boot Up................................................................................................................499
Controller Does Not Obtain an IP Address through DHCP..................................................................500
Unable to Connect to the Controller using Telnet or SSH....................................................................500
Web UI is Sluggish, Does Not Refresh Properly, or Does Not Respond..............................................501
Console Port is Not Responding............................................................................................................501
Access Point Issues.......................................................................................................................................502
Access Points are Not Adopted.............................................................................................................502
Access Points are Not Responding........................................................................................................502
Sensor Port frequently goes up and down.............................................................................................503
Mobile Unit Issues........................................................................................................................................503
Access Point Adopted, but MU is Not Being Associated.....................................................................503
MUs Cannot Associate and/or Authenticate with Access Points..........................................................503
Poor Voice Quality Issues.....................................................................................................................504
Miscellaneous Issues ....................................................................................................................................504
Excessive Fragmented Data or Excessive Broadcast............................................................................504
Excessive Memory Leak.......................................................................................................................504
System Logging Mechanism........................................................................................................................505
Troubleshooting SNMP Issues ............................................................................................................................505
MIB Browser not able to contact the agent..................................................................................................505
Not able to SNMP WALK for a GET ..........................................................................................................505
MIB not visible in the MIB browser.............................................................................................................506
SNMP SETs not working.............................................................................................................................506
Not receiving SNMP traps............................................................................................................................506
Additional Configuration..............................................................................................................................506
Security Issues .....................................................................................................................................................506
Controller Password Recovery.....................................................................................................................506
RADIUS Troubleshooting
Radius Server does not start upon enable
Radius Server does not reply to my requests
Radius Server is rejecting the user
Time of Restriction configured does not work
Authentication fails at exchange of certificates
When using another Summit WM3700 (controller 2) as RADIUS server, access is rejected
Authentication using LDAP fails
VPN Authentication using onboard RADIUS server fails
Accounting does not work with external RADIUS Accounting server
Troubleshooting RADIUS Accounting Issues
Rogue AP Detection Troubleshooting
Troubleshooting Firewall Configuration Issues
A Wired Host (Host-1) or Wireless Host (Host-2) on the untrusted side is not able to connect to the Wired Host (Host-3) on the trusted side
A wired Host (Host-1) on the trusted side is not able to connect to a Wireless Host (Host-2) or Wired Host (Host-3) on the untrusted side
Disabling of telnet, ftp and web traffic from hosts on the untrusted side does not work
How to block the request from host on untrusted to host on trusted side based on packet classification
1 About This Guide
Introduction
This guide provides information about using the following Extreme Networks® wireless LAN controllers:
• Summit® WM3600 wireless LAN controller
• Summit WM3700 wireless LAN controller
NOTE
Screens and windows pictured in this guide are samples and can differ from actual screens.
Documentation Set
The documentation set for the Extreme Networks wireless LAN controllers is partitioned into the following guides to provide information for specific user needs.
• Installation Guides - Each controller has a unique Installation Guide which describes the basic hardware setup and configuration required to transition to more advanced configuration of the controllers.
• Summit WM3000 Series Controller System Reference Guide - Describes configuration of the Extreme Networks Summit Wireless LAN Controllers using the Web UI.
• Summit WM3000 Series Controller CLI Reference Guide - Describes the Command Line Interface (CLI) and Management Information Base (MIB) commands used to configure the Extreme Networks Summit Wireless LAN Controllers.
Document Conventions
The following conventions are used in this document to draw your attention to important information:
NOTE
Indicates tips or special requirements.
CAUTION
Indicates conditions that can cause equipment damage or data loss.
WARNING!
Indicates a condition or procedure that could result in personal injury or equipment damage.
Notational Conventions
The following additional notational conventions are used in this document:
Italics are used to highlight the following:
• Chapters and sections in this and related documents
• Dialog box, window and screen names
• Drop-down list and list box names
• Check box and radio button names
• Icons on a screen.
GUI text is used to highlight the following:
• Screen names
• Menu items
• Button names on a screen.
Bullets (•) indicate:
• Action items
• Lists of alternatives
• Lists of required steps that are not necessarily sequential
Sequential lists (e.g., those that describe step-by-step procedures) appear as numbered lists.
2 Overview
An Extreme Networks wireless LAN controller is a centralized management solution for wireless networking. The wireless data to and from wireless client devices can be locally bridged at the AP and/or tunneled to the controller. System configuration and intelligence for the wireless network resides with the controller once an AP is adopted and connects to an Extreme Networks Summit WM3600 or Summit WM3700 wireless LAN controller and receives its configuration.
Access point configuration is managed by the controller through a Web UI Graphical User Interface (GUI), SNMP or the controller Command Line Interface (CLI).
NOTE
The discussion of the controller Web UI within this guide is presented generically, making it equally relevant to both the Summit WM3600 and Summit WM3700 controller platforms. However, some subtle differences do exist between these baselines. These differences are noted within the specific GUI elements impacted. When these differences are noted, the options available to each controller baseline are described in detail.
Hardware Overview
The Summit WM3600 and Summit WM3700 are rack-mountable devices that manage all inbound and outbound traffic on the wireless network. They provide security, network service and system management applications.
Access points are 48V Power-over-Ethernet devices. The Altitude 3510 AP is powered by a standard 802.3af POE source. The Altitude 3550 outdoor AP must be powered by a special Extreme Networks POE injector (Power Tap). The AP receives configurations from the controller once it is adopted. The AP firmware upgrade may be accomplished centrally from the controller or locally at the AP.
Power Protection
To best protect the controller from unexpected power surges or other power-related problems, ensure the controller installation meets the following guidelines:
• If possible, use a dedicated circuit to protect data processing equipment. Commercial electrical contractors are familiar with wiring for data processing equipment and can help with the load balancing of dedicated circuits.
• Install surge protection. Use a surge protection device between the electricity source and the controller.
• Install an Uninterruptible Power Supply (UPS). A UPS provides continuous power during a power outage. Some UPS devices have integral surge protection. UPS equipment requires periodic maintenance to ensure reliability.
Cabling Requirements
A minimum of one category 6 Ethernet cable (not supplied) is required to connect the controller to the LAN. The cable(s) are used with the Ethernet ports on the front panel of the controller.
NOTE
A category 5 Ethernet cable will work with the controller, but it is not recommended because it does not provide the gigabit support the controller optimally requires.
NOTE
Extreme Networks recommends connecting via the Management Ethernet (ME) interface to better ensure secure and easy controller management. The ME interface is connected to the management VLAN, and is therefore separate from production VLANs.
NOTE
On the Summit WM3600, the Uplink (UP) port is the preferred method of connecting the controller to the network. The Uplink port has its own dedicated 1Gbps connection which is unaffected by internal traffic across the GE ports.
The console cable included with the controller connects the controller to a computer running a serial terminal emulator program to access the controller’s Command Line Interface (CLI) for initial configuration. An initial configuration is described within the Installation Guide shipped with each controller.
Software Overview
The controller includes a robust set of features. The features are listed and described in the following sections:
• Infrastructure Features on page 16
• Wireless Switching on page 20
• Wired Switching on page 26
• Management Features on page 27
• Security Features on page 28
NOTE
The Extreme Networks Wireless LAN Controller Wireless Management Suite (WMS) is a recommended utility to plan the deployment of the controller and view its configuration once operational in the field. Extreme Networks WMS can help optimize the positioning and configuration of a controller in respect to a WLAN’s Mobile Unit (MU) throughput requirements and can help detect rogue devices. For more information, refer to the Extreme Networks documentation website at: http://www.extremenetworks.com/go/documentation.
Infrastructure Features
The controller includes the following Infrastructure features:
• Installation Feature
• Licensing Support
• Configuration Management
• Diagnostics
• Serviceability
• Tracing / Logging
• Process Monitor
• Hardware Abstraction Layer and Drivers
• Redundancy
• Secure Network Time Protocol (SNTP)
Installation Feature
The upgrade/downgrade of the controller can be performed using one of the following methods:
• Web UI
• DHCP
• CLI
• SNMP
• Patches
The controller has sufficient non-volatile memory to store two firmware images. Having a second firmware image provides a backup in case of failure of the primary image. It also allows for testing of new firmware on a controller with the ability to easily revert to a previous image.
Licensing Support
The following licensing information is utilized when upgrading the controller:
• The maximum number of AP licenses a controller can adopt is dependent on the number purchased.
Configuration Management
The controller supports the redundant storage of configuration files to protect against corruption during a write operation and ensure (at any given time) a valid configuration file exists. If writing the configuration file fails, it is rolled back and a pre-write file is used.
Text Based Configuration
The configuration is stored in a human-readable format (as a set of CLI commands).
Diagnostics
The following diagnostics are available:
1 In-service Diagnostics – In-service diagnostics provide a range of automatic health monitoring features ensuring both the system hardware and software are in working order. In-service diagnostics continuously monitor available physical characteristics (as detailed below) and issue log messages when warning or error thresholds are reached. There are three types of in-service diagnostics:
• Hardware – Ethernet ports, chip failures, system temperature via the temperature sensors provided by the hardware, etc.
• Software – CPU load, memory usage, etc.
• Environmental – CPU and air temperature, fan speed, etc.
2 Out-of-service Diagnostics – Out-of-service diagnostics are a set of intrusive tests run from the user interface. Out-of-service diagnostics cannot be run while the controller is in operation. Intrusive tests include:
• Ethernet loopback tests
• RAM tests, Real Time Clock tests, etc.
3 Manufacturing Diagnostics – Manufacturing diagnostics are a set of diagnostics used by manufacturing to inspect quality of hardware.
Serviceability
A special set of Service CLI commands is available to provide additional troubleshooting capabilities for service personnel (access to Linux services, panic logs, etc.). Only authorized users or service personnel are provided access to the Service CLI. Contact Extreme Networks support at https://esupport.extremenetworks.com for information on accessing the controller’s service CLI.
A built-in Packet Sniffer enables service personnel and users to capture incoming and outgoing packets in a buffer.
The controller also collects statistics for RF activity, Ethernet port activity, etc. RF statistics include roaming stats, packet counters, octets tx/rx, signal, noise SNR, retry, and information for each MU.
Tracing / Logging
Log messages are well-defined and documented system messages with various destinations. They are numbered and referenced by ID. Each severity level group can be configured separately to go to either the serial console, telnet interface, log file or remote syslog server.
Trace messages are more free-form and are used mainly by support personnel for tracking problems. They are enabled or disabled via CLI commands. Trace messages can go to a log file, the serial console, or the current tty.
Log and trace messages are interleaved in the same log file, so chronological order is preserved. Log and trace messages from different processes are similarly interleaved in the same file for the same reason.
Log message format is similar to the format used by syslog messages (RFC 3164). Log messages include message severity, source (facility), the time the message was generated and a textual message describing the situation triggering the event. For more information on using the controller logging functionality, see “Configuring System Logging” on page 461.
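The Python below is an added example, not code from the controller or from Extreme Networks: it parses generic RFC 3164 lines into facility, severity, time and text, then delivers each record to the destinations configured for its severity group and sets malformed lines aside. The controller's exact message layout is not given on this page, so the line format, the routing table, the host name and the sample lines are all constructed assumptions.

```python
import re
from typing import NamedTuple, Optional

# RFC 3164 names, indexed by numeric code (PRI = facility * 8 + severity).
SEVERITIES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")
FACILITIES = ("kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3",
              "local4", "local5", "local6", "local7")

# <PRI>Mmm dd hh:mm:ss HOST MESSAGE  (RFC 3164 carries no year or time zone)
LINE_RE = re.compile(
    r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")


class LogRecord(NamedTuple):
    facility: str
    severity: str
    timestamp: str
    host: str
    text: str


def parse_line(line: str) -> Optional[LogRecord]:
    """Parse one RFC 3164 line; return None for anything malformed."""
    match = LINE_RE.match(line.rstrip("\r\n"))
    if match is None:
        return None
    pri = int(match.group(1))
    if pri > 191:  # highest valid PRI is 23 * 8 + 7
        return None
    facility, severity = divmod(pri, 8)
    return LogRecord(FACILITIES[facility], SEVERITIES[severity],
                     match.group(2), match.group(3), match.group(4))


# Hypothetical routing table: each severity group has its own destinations.
ROUTES = {
    "emerg": ("console", "logfile", "remote-syslog"),
    "alert": ("console", "logfile", "remote-syslog"),
    "crit": ("console", "logfile", "remote-syslog"),
    "err": ("logfile", "remote-syslog"),
    "warning": ("logfile", "remote-syslog"),
    "notice": ("logfile",),
    "info": ("logfile",),
    "debug": (),
}


def route_lines(lines, routes=ROUTES):
    """Return (delivered, rejected): destination -> records, and unparsable lines."""
    delivered = {name: [] for names in routes.values() for name in names}
    rejected = []
    for line in lines:
        record = parse_line(line)
        if record is None:
            rejected.append(line)  # keep malformed input for review, do not drop it
            continue
        for name in routes.get(record.severity, ()):
            delivered[name].append(record)
    return delivered, rejected


# Constructed sample lines (not captured from a controller).
SAMPLE = [
    "<34>Dec  7 07:04:59 wm3600 login failed for user admin from 192.0.2.10",
    "<132>Dec  7 07:05:03 wm3600 radio 2 noise threshold exceeded",
    "<134>Dec  7 07:05:10 wm3600 access point adopted",
    "<999>Dec  7 07:05:11 wm3600 priority value out of range",
    "free-form text without a priority field",
]

if __name__ == "__main__":
    delivered, rejected = route_lines(SAMPLE)
    for name, records in delivered.items():
        print(name, [(r.facility, r.severity) for r in records])
    print("rejected:", len(rejected))
```

Because RFC 3164 timestamps carry no year, the parser keeps the timestamp as text rather than guessing one.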
Process Monitor
The controller Process Monitor checks to ensure processes under its control are up and running. Each monitored process sends periodic heartbeat messages. A process that is down (due to a software crash or stuck in an endless loop) is detected when its heartbeat is not received. Such a process is terminated (if still running) and restarted (if configured) by the Process Monitor.
Hardware Abstraction Layer and Drivers
The Hardware Abstraction Layer (HAL) provides an abstraction library with an interface hiding hardware/platform specific data. Drivers include platform specific components such as Ethernet, Flash Memory storage and thermal sensors.
Redundancy
Using the controller redundancy, up to 12 controllers can be configured in a redundancy group or cluster (and provide group monitoring). In the event of a controller failure, an existing cluster member assumes control. Therefore, the controller supported network is always up and running even if a controller fails or is removed for maintenance or a software upgrade.
The following redundancy features are supported:
• Up to 12 controller redundancy members are supported in a single group. Each member is capable of tracking statistics for the entire group in addition to their own.
• Each redundancy group is capable of supporting an Active/Active configuration responsible for group load sharing.
• Members within the same redundancy group can be deployed across different subnets.
• APs are load balanced across members of the group.
• Licenses are aggregated across the group. When a new member joins the group, the new member can leverage the Access Point adoption license(s) of existing members.
• Each member of the redundancy group (including the reporting controller) is capable of displaying cluster performance statistics for all members in addition to their own.
• Centralized redundancy group management using the controller CLI.
For more information on configuring the controller for redundancy support, see “Configuring Controller Redundancy and Clustering” on page 270.
Secure Network Time Protocol (SNTP)
Secure Network Time Protocol (SNTP) manages time and/or network clock synchronization within the controller managed network. SNTP is a client/server implementation. The controller (an SNTP client) periodically synchronizes its clock with a master clock (an NTP server). For example, the controller resets its clock to 07:04:59 upon reading a time of 07:04:59 from its designated NTP server. Time synchronization is recommended for the controller’s network operations. The following holds true:
• The controller can be configured to provide NTP services to NTP clients.
• The controller can provide NTP support for user authentication.
• Secure Network Time Protocol (SNTP) clients can be configured to synchronize controller time with an external NTP server.
For information on configuring the controller to support SNTP, see “Configuring Secure NTP” on page 259.
Wireless Switching
The controller includes the following wireless switching features:
• Physical Layer Features
• Proxy-ARP
• HotSpot / IP Redirect
• IDM (Identity Driven Management)
• Voice Prioritization
• Wireless Capacity
• AP Load Balancing
• Wireless Roaming
• Power Save Polling
• QoS
• Wireless Layer 2 Switching
• Automatic Channel Selection
• WMM-UPSD
• Dynamic VLAN Support
Physical Layer Features
802.11a
DFS Radar Avoidance – Dynamic Frequency Selection (DFS) is mandatory for WLAN equipment intended to operate in the frequency bands 5150 MHz to 5350 MHz and 5470 MHz to 5725 MHz when in countries of the EU.
The purpose of DFS is:
• Detect interference from other systems and avoid co-channeling with those systems (most notably radar systems).
• Provide uniform spectrum loading across all devices.
This feature is enabled automatically when the country code indicates that DFS is required for at least one of the frequency bands that are allowed in the country.
TPC – Transmit Power Control (TPC) meets the regulatory requirement for maximum power and mitigation for each channel. TPC functionality is enabled automatically for every AP that operates on the channel.
802.11bg
Dual mode b/g protection – (Effective Radiated Power) ERP builds on the payload data rates of 1 and 2 Mbit/s that use direct-sequence spread spectrum (DSSS) modulation and builds on the payload data rates of 1, 2, 5.5, and 11 Mbit/s, that use DSSS, complementary code keying (CCK), and optional packet binary convolutional coding (PBCC) modulations. ERP provides additional payload data rates of 6, 9, 12, 18, 24, 36, 48, and 54 Mbit/s. The transmission and reception capability for 1, 2, 5.5, 11, 6, 12, and 24 Mbit/s data rates is mandatory.
Two additional optional ERP-PBCC modulation modes with payload data rates of 22 and 33 Mbit/s are defined. An ERP-PBCC station may implement 22 Mbit/s alone or 22 and 33 Mbit/s. An optional modulation mode (known as DSSS-OFDM) is also incorporated with payload data rates of 6, 9, 12, 18, 24, 36, 48, and 54 Mbit/s.
Short slot protection – The slot time is 20 µs, except an optional 9 µs slot time may be used when the basic service set (BSS) consists of only ERP stations (STAs) capable of supporting this option. The optional 9 µs slot time should not be used if the network has one or more non-ERP STAs associated. For independent basic service sets (IBSS), the Short Slot Time field is set to 0, corresponding to a 20 µs slot time.
Proxy-ARP
Proxy address resolution protocol (ARP) is provided for MUs whose IP address is known. The WLAN generates an ARP reply on behalf of an MU (if the MU's IP address is known). The ARP reply contains the MAC address of the MU (not the MAC address of the controller). Thus, the MU does not awaken to send ARP replies (increasing MU battery life and conserving wireless bandwidth).
If an MU goes into power save mode without transmitting at least one packet, its Proxy ARP will not work.
HotSpot / IP Redirect
A hotspot is a Web page users are forced to visit before they are granted access to the Internet. With the advent of Wi-Fi enabled client devices (such as laptops and PDAs) commercial hotspots are common and can be found at many airports, hotels and coffee shops. The hotspot redirects the user’s traffic on hotspot enabled WLANs to a web page that requires them to authenticate before granting access to the WLAN. The following is a typical sequence for hotspot access:
1 A visitor with a laptop requires hotspot access at a site.
2 A user ID/Password and hotspot extended service set ID (ESSID) is issued by the site receptionist or IT staff.
3 The user connects their laptop to this ESSID.
4 The laptop receives its IP configuration via DHCP.
5 The user opens a Web browser and connects to their home page.
6 The controller re-directs them to the hotspot Web page for authentication.
7 The user enters their User ID/Password.
8 A Radius server authenticates the user.
9 Upon successful authentication, the user is directed to a Welcome Page that lists (among other things) an Acceptable Use Policy.
10 The user agrees to the usage terms and is granted access to the Internet (or other network services).
To set up a hotspot, create a WLAN ESSID and select Hotspot authentication from the Authentication menu. This is simply another way to authenticate a WLAN user, as it would be impractical to authenticate visitors using 802.1x. For information on configuring a hotspot, see “Configuring Hotspots” on page 120.
IDM (Identity Driven Management)
Radius authentication is performed for all protocols using a Radius-based authentication scheme (such as EAP). Identity driven management is provided using a Radius client. The following IDMs are supported:
• User based SSID authentication — Denies authentication to MUs if associated to an ESSID configured differently by their Radius server.
• User based VLAN assignment — Allows the controller to extract Virtual LAN (VLAN) information from the Radius server.
• User based QoS — Enables Quality of Service (QoS) for the MU based on settings within the Radius Server.
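User based VLAN assignment depends on reading VLAN information out of the Radius reply, so that reply has to be authenticated before it is trusted. The Python below is an added example, not code from the controller or from Extreme Networks: it verifies the RFC 2865 Response Authenticator and then extracts the VLAN ID, assuming the server uses the RFC 3580 tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID). The page does not say which attributes the controller reads, and the shared secret, Request Authenticator and packet are constructed.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6


def parse_attributes(data: bytes):
    """Split the attribute area into (type, value) pairs, rejecting bad lengths."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("attribute length out of bounds")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs


def authenticated_attributes(packet: bytes, request_auth: bytes, secret: bytes):
    """Check the Response Authenticator (RFC 2865) and return the attributes."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    packet = packet[:length]  # octets past Length are padding
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch")
    if code != ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept")
    return parse_attributes(packet[20:])


def vlan_from_accept(packet: bytes, request_auth: bytes, secret: bytes):
    """Return the assigned VLAN ID, or None when the reply assigns no VLAN."""
    tunnels = {}  # tag -> {attribute type: value}
    for atype, value in authenticated_attributes(packet, request_auth, secret):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError("tunnel attribute must be tag + 3 octets")
            tunnels.setdefault(value[0], {})[atype] = int.from_bytes(value[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            if not value:
                raise ValueError("empty Tunnel-Private-Group-ID")
            # A first octet of 0x1F or less is a tag; otherwise the value is untagged.
            tag, text = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
            tunnels.setdefault(tag, {})[atype] = text
    for group in tunnels.values():
        if (group.get(TUNNEL_TYPE) == TYPE_VLAN
                and group.get(TUNNEL_MEDIUM_TYPE) == MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in group):
            text = group[TUNNEL_PRIVATE_GROUP_ID]
            if not text.isdigit() or not 1 <= int(text) <= 4094:
                raise ValueError("VLAN ID is not a number in 1-4094")
            return int(text)
    return None


def build_reply(code, ident, request_auth, secret, attrs):
    """Build a constructed server reply so the example runs offline."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + auth + body


# Constructed values: shared secret, Request Authenticator and reply.
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))
VLAN_ATTRS = [
    (TUNNEL_TYPE, b"\x00" + TYPE_VLAN.to_bytes(3, "big")),
    (TUNNEL_MEDIUM_TYPE, b"\x00" + MEDIUM_IEEE_802.to_bytes(3, "big")),
    (TUNNEL_PRIVATE_GROUP_ID, b"120"),
]
SAMPLE_ACCEPT = build_reply(ACCESS_ACCEPT, 7, REQUEST_AUTH, SECRET, VLAN_ATTRS)

if __name__ == "__main__":
    print(vlan_from_accept(SAMPLE_ACCEPT, REQUEST_AUTH, SECRET))
```

A reply that fails the authenticator check, is not an Access-Accept, or carries an out-of-range VLAN ID raises an error instead of yielding a VLAN, so the caller can fail closed.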
Voice Prioritization
The controller has the capability of having its QoS policy configured to prioritize network traffic requirements for associated MUs. Use QoS to enable voice prioritization for devices using voice as their transmission priority.
Voice prioritization allows you to assign priority to voice traffic over data traffic, and (if necessary) assign legacy voice supported devices (non Wi-Fi Multimedia (WMM) supported voice devices) additional priority.
Currently voice support implies the following:
• Spectralink voice prioritization - Spectralink sends packets that allow the controller to identify these MUs as voice MUs. Thereafter, any UDP packet sent by these MUs is prioritized ahead of data.
• Strict priority - The prioritization is strict.
• Multicast prioritization - Multicast frames that match a configured multicast mask bypass the PSP queue. This feature permits intercom mode operation without delay (even in the presence of PSP MUs).
For more information on configuring voice prioritization for a target WLAN, see “Configuring WMM” on page 196.
Wireless Capacity
Wireless capacity specifies the maximum numbers of MUs, Access Points and wireless networks usable by a controller. Wireless capacity is largely independent of performance. Aggregate controller performance is divided among the controller clients (MUs and Access Points) to find the performance experienced by a given user. Each controller platform is targeted at specific market segments, so the capacity of each platform is chosen appropriately. Wireless controller capacity is measured by:
• The maximum number of WLANs per controller
• The maximum number of Access Points adopted per controller
• The maximum number of MUs per controller
• The maximum number of MUs per Access Point
The actual number of Access Points adoptable by a controller is defined by the controller licenses or the total licenses in the cluster in which this controller is a member.
AP Load Balancing
At adoption, the AP solicits and receives multiple adoption responses from the controllers on the network. These adoption responses contain preference and loading information the AP uses to select the optimum controller to be adopted by. Use this mechanism to define which APs are adopted by which controllers. By default, the adoption algorithm generally distributes AP adoption evenly among the controllers available.
NOTE
Port adoption per controller is determined by the number of licenses acquired.
Wireless Roaming
The following types of wireless roaming are supported by the controller:
• Intercontroller Layer 2 Roaming
• Intercontroller Layer 3 Roaming
• International Roaming
Intercontroller Layer 2 Roaming
An associated MU (connected to a controller) can roam to another Access Point connected to a different controller. Both controllers must be on the same Layer 2 domain. Authentication information is not shared between the controllers, nor are buffered packets on one controller transferred to the other. Pre-authentication between the controller and MU allows faster roaming.
Intercontroller Layer 3 Roaming
Intercontroller Layer 3 roaming allows MUs to roam between controllers which are not on the same LAN or IP subnet without the MUs or the rest of the network noticing. This allows controllers to be placed in different locations on the network without having to extend the MU VLANs to every controller.
International Roaming
The wireless controller supports international roaming per the 802.11d specification.
Power Save Polling
An MU uses Power Save Polling (PSP) to reduce power consumption. When an MU is in PSP mode, the controller buffers its packets and delivers them using the delivery traffic indication message (DTIM) interval. The PSP-Poll packet polls the AP for buffered packets. The PSP null data frame is used by the MU to signal the current PSP state to the AP.
QoS
QoS provides a data traffic prioritization scheme. QoS reduces congestion from excessive traffic.
If there is enough bandwidth for all users and applications, then applying QoS has very little value. QoS provides policy enforcement for mission-critical applications and/or users that have critical bandwidth requirements when the controller’s bandwidth is shared by different users and applications.
QoS helps ensure each WLAN on the controller receives a fair share of the overall bandwidth, either equally or as per the proportion configured. Packets directed towards MUs are classified into categories such as Management, Voice and Data. Packets within each category are processed based on the weights defined for each WLAN.
The controller supports the following QoS mechanisms:
802.11e QoS
802.11e enables real-time audio and video streams to be assigned a higher priority over data traffic. The controller supports the following 802.11e features:
• Basic WMM
• WMM Linked to 802.1p Priorities
• WMM Linked to Differentiated Services Code Point (DSCP) Priorities
• Fully Configurable WMM
• Admission Control
• WMM-UPSD (Unscheduled Power Save Delivery)
• Block ACK
• QBSS Beacon Element
802.1p Support
802.1p is a standard for providing QoS in 802-based networks. 802.1p uses three bits to allow controllers to re-order packets based on priority level.
Voice QoS
When controller resources are shared between a Voice over IP (VoIP) conversation and a file transfer, bandwidth is normally exploited by the file transfer, possibly reducing the quality of the conversation. With QoS, a VoIP conversation (a real-time session) receives priority, maintaining a high level of voice quality. Voice QoS ensures:
• Strict Priority
• Spectralink Prioritization
• VOIP Prioritization (IP ToS Field)
• Multicast Prioritization
Data QoS
The controller supports the following data QoS techniques:
• Egress Prioritization by WLAN
• Egress Prioritization by ACL
DSCP to AC Mapping
The controller provides arbitrary mapping between Differentiated Services Code Point (DSCP) values and WMM Access Categories. This mapping can be set manually.
Wireless Layer 2 Switching
The controller supports the following layer 2 wireless switching techniques:
WLAN to VLAN
MU User to VLAN
WLAN to generic routing encapsulation (GRE)
Automatic Channel Selection
Automatic channel selection works sequentially as follows:
1 When a new AP is adopted, it scans each channel. However, the controller does not forward traffic at this time.
2 The controller then selects the least crowded channel based on the noise and traffic detected on each channel.
3 The algorithm used is a simplified maximum entropy algorithm for each radio, where the signal strength from adjoining APs/MUs associated to adjoining APs is minimized.
4 The algorithm ensures adjoining APs are as far away from each other as possible (in terms of channel assignment).
Individual radios can be configured to perform automatic channel selection.
WMM-UPSD
This feature is also known as WMM Power Save or WMM-UPSD. WMM-UPSD defines an unscheduled service period, a contiguous period of time during which the controller is expected to be awake. If the controller establishes a downlink flow and specifies UPSD power management, it requests (and the AP delivers) buffered frames associated with that flow during an unscheduled service period. The controller initiates an unscheduled service period by transmitting a trigger frame. A trigger frame is defined as a data frame (e.g. an uplink voice frame) associated with an uplink flow with UPSD enabled. After the AP acknowledges the trigger frame, it transmits the frames in its UPSD power save buffer addressed to the triggering controller.
UPSD is well suited to support bi-directional frame exchanges between a voice STA and its AP.
Dynamic VLAN Support
There are four packet flows supported when the controller is configured to operate with multiple VLANs per WLAN:
Unicast From Mobile Unit - Frames are decrypted, converted from 802.11 to 802.3 and switched to the wired side of the VLAN dynamically assigned to the mobile device. If the destination is another mobile device on the wireless side, the frame is encrypted and switched over the air.
Unicast To Mobile Unit - The frame is checked to ensure the VLAN is the same as that assigned to the mobile device. It is then converted to an 802.11 frame, encrypted, and sent over the air.
Multicast/Broadcast From Mobile Unit - The frame is treated as a unicast frame from the MU, with the exception that it is encrypted with the per-VLAN broadcast key and then transmitted over the air.
Multicast/Broadcast from Wired Side - If the frame comes from a VLAN mapped to the WLAN, it’s encrypted using a per-VLAN broadcast key and transmitted over the air. Only MUs on that VLAN have a broadcast key that can decrypt this frame. Other MUs receive it, but discard it.
In general, when there are multiple VLANs mapped to the same WLAN, the broadcast buffer queue size scales linearly to accommodate a potential increase in the broadcast packet stream.
Roaming within the Controller
When a MU is assigned to a VLAN, the controller registers the VLAN assignment in its credential cache. If the MU roams, it is assigned back to its earlier assigned VLAN. The cache is flushed upon detected MU inactivity or if the MU associates over a different WLAN (on the same controller).
Roaming Across a Cluster
MUs roam amongst controller cluster members. The controller must ensure a VLAN remains unchanged as an MU roams. This is accomplished by passing MU VLAN information across the cluster using the interface used by a hotspot. It automatically passes the username/password across the credential caches of the member controllers. This ensures a VLAN MU association is maintained even while the MU roams amongst cluster members.
Roaming across a Layer 3 Mobility Domain
When an MU roams amongst controllers in different Layer 3 mobility domains, Layer 3 ensures traffic is tunneled back to the correct VLAN (on the home controller).
Interaction with Radius Assigned VLANs
Multiple VLANs per WLAN can co-exist with VLANs assigned by a Radius server. Upon association, an MU is assigned to a VLAN from a pool of available VLANs. When the Radius server assigns the user another VLAN, MU traffic is forwarded to that VLAN.
When 802.1x is used, traffic from the MU is dropped until authentication is completed. None of the MU data is switched onto the temporary VLAN. A Radius assigned VLAN overrides the statically assigned VLAN.
If the Radius assigned VLAN is among the VLANs assigned to a WLAN, it is available for VLAN assignment in the future. If the Radius assigned VLAN is not one of the VLANs assigned to a WLAN, it is not available for future VLAN assignment. To configure Multiple VLANs for a single WLAN, see “Assigning Multiple VLANs per WLAN” on page 118.
Wired Switching
The controller includes the following wired switching features:
DHCP Servers
DHCP User Class Options
DDNS
VLAN Enhancements
Interface Management
DHCP Servers
Dynamic Host Configuration Protocol (DHCP) allows hosts on an IP network to request and be assigned IP addresses as well as discover information about the network to which they are attached. Each subnet may be configured with its own address pool. Whenever a DHCP client requests an IP address, the DHCP server assigns an IP address from that subnet’s address pool.
When a DHCP server allocates an address for a DHCP client, the client is assigned a lease, which expires after a predetermined interval. Before a lease expires, clients (to which leases are assigned) are expected to renew them to continue to use the addresses. Once the lease expires, the client is no longer permitted to use the leased IP address. For information on defining the controller DHCP configuration, see “DHCP Server Settings” on page 238.
DHCP User Class Options
A DHCP Server groups clients based on defined user-class option values. Clients with a defined set of user-class values are segregated by class. The DHCP Server can associate multiple classes to each pool. Each class in a pool is assigned an exclusive range of IP addresses.
DHCP clients are compared against classes. If the client matches one of the classes assigned to the pool, it receives an IP address from the range assigned to the class. If the client doesn't match any of the classes in the pool, it receives an IP address from a default pool range (if defined).
Multiple IP addresses for a single VLAN allow the configuration of multiple IP addresses, each belonging to a different subnet. Class configuration allows a DHCP client to obtain an address from the first pool to which the class is assigned. For more information, see “Configuring the DHCP User Class” on page 253.
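The class matching described above can be modeled as follows. This is an added example, not the controller's code: the option 77 wire format follows RFC 3004, and the `Pool` class, the sample ranges and the rule that a full class range never borrows from another range are assumptions made for illustration.

```python
import ipaddress

def parse_user_class(data: bytes):
    """Split option 77 data (RFC 3004: length-prefixed items) into strings."""
    items, i = [], 0
    while i < len(data):
        n = data[i]
        if n == 0 or i + 1 + n > len(data):
            raise ValueError("malformed user-class option")
        items.append(data[i + 1:i + 1 + n].decode("ascii", "replace"))
        i += 1 + n
    return items

def ip_range(first: str, last: str):
    """Inclusive list of IPv4 addresses from first to last."""
    a, b = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    return [ipaddress.IPv4Address(x) for x in range(a, b + 1)]

class Pool:
    def __init__(self, class_ranges, default_range=None):
        self.class_ranges = class_ranges      # {class name: [addresses]}
        self.default_range = default_range    # used when no class matches
        self.leased = {}                      # address -> client id
        every = [a for r in class_ranges.values() for a in r] + (default_range or [])
        if len(every) != len(set(every)):
            raise ValueError("ranges overlap; each class needs an exclusive range")

    def offer(self, client_id: str, user_classes):
        """Return (address, range label) or None when no address applies."""
        label = next((c for c in user_classes if c in self.class_ranges), None)
        if label is not None:
            candidates = self.class_ranges[label]
        elif self.default_range is not None:
            candidates, label = self.default_range, "default"
        else:
            return None                       # no class match, no default range
        for addr in candidates:
            if addr not in self.leased:
                self.leased[addr] = client_id
                return addr, label
        return None   # assumption: a full range never borrows from another class

def sample_pool():
    """Constructed pool: two classes plus a default range."""
    return Pool({"voice": ip_range("10.0.0.10", "10.0.0.11"),
                 "guest": ip_range("10.0.0.50", "10.0.0.59")},
                ip_range("10.0.0.100", "10.0.0.109"))

if __name__ == "__main__":
    pool = sample_pool()
    print(pool.offer("phone-1", parse_user_class(b"\x05voice")))
    print(pool.offer("laptop-1", parse_user_class(b"\x07printer")))
```

The user-class value is supplied by the client and is not authenticated, so a class range groups clients for addressing purposes and should not be relied on as an access control.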
DDNS
Dynamic DNS (DDNS) keeps a domain name linked to a changing IP address. Typically, when a user connects to a network, the user is assigned an unused IP address from a pool of IP addresses. This address may only be valid for a short period. Dynamically assigning IP addresses increases the pool of assignable IP addresses. DNS maintains a database to map a given name to an IP address used for communication on the Internet. The dynamic assignment of IP addresses makes it necessary to update the DNS database to reflect the current IP address for a given name. Dynamic DNS updates the DNS database to reflect the correct mapping of a given name to an IP address.
VLAN Enhancements
The controller has incorporated the following VLAN enhancements:
Network interfaces operate in either trunk or access modes.
A network interface in access mode can only send and receive untagged packets.
A trunk port can now receive both tagged and untagged packets. Each Ethernet port is assigned a native VLAN.
You can now configure a set of allowed VLANs on a trunk port. Packets received on this port that belong to other VLANs are discarded.
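The access and trunk rules listed above amount to an ingress decision on each frame's 802.1Q tag. The following is an added example, not the controller's implementation: the `Port` model, the constructed sample frames and the handling of a priority-only tag (VLAN ID 0) are assumptions. It also reads the three 802.1p priority bits carried in the same tag.

```python
import struct
from dataclasses import dataclass, field

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

@dataclass
class Port:
    mode: str                                   # "access" or "trunk"
    native_vlan: int                            # VLAN given to untagged frames
    allowed: set = field(default_factory=set)   # trunk only: permitted VLAN IDs

def parse_tag(frame: bytes):
    """Return (vlan_id, priority) from the 802.1Q tag, or None if untagged."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF, tci >> 13   # 12-bit VLAN ID, 3-bit 802.1p priority

def ingress(port: Port, frame: bytes):
    """Return ("accept", vlan, priority) or ("discard", reason)."""
    tag = parse_tag(frame)
    if tag is None:                              # untagged: native VLAN applies
        return ("accept", port.native_vlan, 0)
    vlan, prio = tag
    if port.mode == "access":                    # access ports carry untagged only
        return ("discard", "tagged frame on access port")
    if vlan == 0:                                # assumption: priority-only tag
        return ("accept", port.native_vlan, prio)
    if vlan not in port.allowed:                 # trunk: enforce the allowed set
        return ("discard", f"VLAN {vlan} not allowed on this trunk")
    return ("accept", vlan, prio)

def build_frame(vlan=None, prio=0) -> bytes:
    """Constructed sample frame: zeroed MACs, optional tag, IPv4 EtherType."""
    tag = b"" if vlan is None else struct.pack("!HH", TPID_8021Q, (prio << 13) | vlan)
    return bytes(12) + tag + struct.pack("!H", 0x0800) + b"payload"

if __name__ == "__main__":
    trunk = Port("trunk", native_vlan=1, allowed={10, 20})
    for f in (build_frame(), build_frame(10, 5), build_frame(99)):
        print(ingress(trunk, f))
```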
Interface Management
The controller’s physical interfaces auto-negotiate speed and duplex. The controller also allows:
Manual bandwidth configuration of a physical interface speed to 10/100/1000Mbps.
Manual duplex configuration of a physical interface to Full Duplex or Half Duplex.
Manual configuration of administrative shutdown of a physical interface.
Management Features
The controller supports the following management features:
A secure, browser-based management console
A Command Line Interface (CLI) accessible via the serial port or through Telnet or a Secure Shell (SSH) application
A CLI Service mode enabling the capture of system status information that can be sent to Extreme Networks personnel for use in problem resolution
The support for Simple Network Management Protocol (SNMP) version 3 as well as SNMP version 2
Upload and download of Access Point firmware and configuration files using TFTP, FTP, SFTP and HTTP.
Transfer of firmware and configuration files using Compact Flash (Summit WM3700 only) or USB
The graphing of wireless statistics
A GUI dashboard summary of system status
Heat map support for RF deployment
Secure guest access with specific permission intervals
Controller discovery enabling users to discover each Extreme Networks controller on the specified network.
Security Features
Controller security can be classified into wireless security and wired security.
The controller includes the following wireless security features:
Encryption and Authentication
MU Authentication
Secure Beacon
MU to MU Disallow
802.1x Authentication
WIPS
Rogue AP Detection
The controller includes the following wired security features:
ACLs
Local Radius Server
IPSec VPN
NAT
Certificate Management
NAC
Encryption and Authentication
The controller can implement the following encryption and authentication types:
WEP
WPA
WPA2
WEP
Wired Equivalent Privacy (WEP) is an encryption scheme used to secure wireless networks. WEP was intended to provide comparable confidentiality to a traditional wired network, hence the name. WEP had many serious weaknesses and hence was superseded by Wi-Fi Protected Access (WPA). Regardless, WEP still provides a level of security that can deter casual snooping. For more information on configuring WEP for a target WLAN, see “Configuring WEP 64” on page 140 or “Configuring WEP 128” on page 142.
WEP uses passwords entered manually at both ends (Pre Shared Keys). Using the RC4 encryption algorithm, WEP originally specified a 40-bit key, but was later boosted to 104 bits. Combined with a 24-bit initialization vector, WEP is often touted as having a 128-bit key.
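The key arithmetic above can be checked directly. This added example (not code from the guide) builds the per-frame RC4 key as the 24-bit IV followed by the shared secret, separates the advertised key size from the secret portion, and estimates how quickly a 24-bit IV space repeats. The function names, the constructed secret and the assumption that IVs are chosen at random are illustrative.

```python
import math

def rc4_keystream(key: bytes, n: int) -> bytes:
    """First n bytes of RC4 keystream for key."""
    s, j = list(range(256)), 0
    for i in range(256):                          # key scheduling
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):                            # keystream generation
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def per_frame_key(iv: bytes, secret: bytes) -> bytes:
    """RC4 key for one frame: the 24-bit IV followed by the shared secret."""
    if len(iv) != 3 or len(secret) not in (5, 13):
        raise ValueError("expected a 3-byte IV and a 5- or 13-byte secret")
    return iv + secret

def key_sizes(secret: bytes):
    """Return (advertised bits, secret bits); the IV travels in the clear."""
    return 8 * (3 + len(secret)), 8 * len(secret)

def iv_repeat_probability(frames: int) -> float:
    """Chance that some IV repeats within `frames` frames (assumes random IVs)."""
    space = 2 ** 24
    if frames > space:
        return 1.0
    log_all_unique = sum(math.log1p(-k / space) for k in range(frames))
    return 1.0 - math.exp(log_all_unique)

if __name__ == "__main__":
    secret = bytes(range(13))                     # constructed 104-bit secret
    print(key_sizes(secret))
    first = rc4_keystream(per_frame_key(b"\x00\x00\x01", secret), 8)
    again = rc4_keystream(per_frame_key(b"\x00\x00\x01", secret), 8)
    print(first == again, round(iv_repeat_probability(5000), 3))
```

Because the secret never changes and the IV is the only per-frame input, two frames with the same IV are encrypted with the same keystream, which is why the 24 IV bits add no secrecy to the 40 or 104 secret bits.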
WPA
WPA is designed for use with an 802.1X authentication server, which distributes different keys to each user. However, it can also be used in a less secure pre-shared key (PSK) mode, where every user is given the same passphrase.
WPA uses Temporal Key Integrity Protocol (TKIP), which dynamically changes keys as the system is used. When combined with the much larger Initialization Vector, it defeats well-known key recovery attacks on WEP. For information on configuring WPA for a WLAN, see “Configuring WPA/WPA2 using TKIP and CCMP” on page 143.
WPA2
WPA2 uses a sophisticated key hierarchy that generates new encryption keys each time a MU associates with an Access Point. Protocols including 802.1X, EAP and Radius are used for strong authentication. WPA2 also supports the TKIP and the AES-Counter Mode CBC-MAC Protocol (AES-CCMP) encryption protocols. For information on configuring WPA for a WLAN, see “Configuring WPA/WPA2 using TKIP and CCMP” on page 143.
MU Authentication
The controller uses the following authentication schemes for MU association:
802.1x EAP
MAC ACL
Refer to “Editing the WLAN Configuration” on page 113 for additional information.
802.1x EAP
802.1x EAP is the most secure authentication mechanism for wireless networks and includes EAP-TLS, EAP-TTLS and PEAP. The controller is a proxy for Radius packets. An MU does a full 802.11 authentication and association and begins transferring data frames. The controller realizes the MU needs to authenticate with a Radius server and denies any traffic not Radius related. Once Radius completes its authentication process, the MU is allowed to send other data traffic. You can use either an internal Radius server or internal Radius Server for authentication. For information on configuring 802.1x EAP for a WLAN, see “Configuring 802.1x EAP” on page 119.
MAC ACL
The MAC ACL feature is basically a dynamic MAC ACL where MUs are allowed/denied access to the network based on their configuration on the Radius server. The controller allows 802.11 authentication and association, then checks with the Radius server to see if the MAC address is allowed on the network. The Radius packet uses the MAC address of the MU as both the username and password (this configuration is also expected on the Radius server). MAC-Auth supports all encryption types, and (in case of 802.11i) the handshake is completed before the Radius lookup begins. For information on configuring 802.1x EAP for a WLAN, see “Configuring MAC Authentication” on page 132.
Secure Beacon
Devices in a wireless network use Service Set Identifiers (SSIDs) to communicate. An SSID is a text string up to 32 bytes long. An AP in the network announces its status by using beacons. To keep others from accessing the network, the most basic security measure adopted is to change the default SSID to one not easily recognizable, and disable the broadcast of the SSID.
The SSID is a code attached to all packets on a wireless network to identify each packet as part of that network. All wireless devices attempting to communicate with each other must share the same SSID. Apart from identifying each packet, the SSID also serves to uniquely identify a group of wireless network devices used in a given service set.
MU to MU Disallow
Use MU to MU Disallow to restrict MU to MU communication within a WLAN. The default is ‘no’, which allows MUs to exchange packets with other MUs. It does not prevent MUs on other WLANs from sending packets to this WLAN. You would have to enable MU to MU Disallow on the other WLAN. To define how MU to MU traffic is permitted for a WLAN, see “Editing the WLAN Configuration” on page 113.
802.1x Authentication
802.1x Authentication cannot be disabled (it's always enabled).
802.1x authentication is conducted:
At power up
When re-authentication is initiated by the Authenticator (say the controller in between)
WIPS
The Motorola Wireless Intrusion Protection Software (WIPS) is supported by Extreme Networks WM3000 series WLAN controllers. The WIPS monitors for any presence of unauthorized rogue Access Points. Unauthorized attempts to access the WLAN are generally accompanied by anomalous behavior as intruding MUs try to find network vulnerabilities. Basic forms of this behavior can be monitored and reported without needing a dedicated WIPS. When the parameters exceed a configurable threshold, the controller generates an SNMP trap and reports the result via the management interfaces. Basic WIPS functionality does not require monitoring APs and does not perform off-channel scanning.
When using an AP35XX for use with WIPS and as a sensor you must first configure the WIPS server IP Addresses before converting the AP35XX to a sensor.