Module 3

Module 3 WiNG 5 Configuration Model Key Concepts

Objectives • Explain why the WiNG 5.x configuration model is well suited to plug-and-play deployments • Identify key aspects of the master and device configuration files • Identify the five WiNG 5.x configurations elements: RF domains, profiles, devices, polices and WLANs • Describe each element in terms of its components, use cases, UI and CLI examples, and key considerations

Configuration Model Overview

Configuration Model Overview RF Domains • Hierarchical configuration model • Centralized Management • Distributed Operation • Manage large number of devices • Share common configuration between devices • Replaces WiNG4 flat configuration model Profiles Configuration Parameters Policies WLANs Device Wireless Controller Access Point

Configuration Elements RF Domains Profiles Policies WLANs Devices

Master Configuration File • Master configuration file • Contains configuration for the whole WiNG5 network • Resides on a Wireless Controller(s) • Synchronized across cluster • Relevant portions applied to managed devices Policies • AAA • Adoption • Advanced WIPS • Association ACL • Captive Portal • Device Categorization • Device Discover • DHCP • Firewall • IGMP Snoop • ISAKMP • Management • NAT • Radio QoS • RADIUS Server • RADIUS User Pool • Role • Smart-RF • VPN • WIPS • WLAN QoS WLANs • WLAN 1 • WLAN 2 • WLAN 3 • WLAN 4 • WLAN 5 • WLAN 6 • .. • .. • .. • WLAN 256 RF Domains • default • User Defined Profiles • default-rfs7000 • default-rfs6000 • default-rfs4000 • default-ap650 • default-ap7131 • User Defined Devices • RFS7000 • RFS6000 • RFS4000 • AP-650 • AP-7131 Master Configuration File

Device Final Configuration RF Domain Profile • The final configuration of a Wireless Controller or Access Point is based on: • Regional and regulatory configuration parameters inherited from an RF Domain • Policies and configuration parameters inherited from a device profile which are assigned to groups of devices • Policies and configuration parameters assigned to the individual devices as overrides • Changes made to a RF Domain or Profile are automatically inherited by all assigned devices permitting bulk configuration changes • Changes made to individual devices (overrides) are only applied to the individual devices and override any duplicate configuration parameters or policies inherited from RF Domains or Profiles +  Device Overrides = Final Device Configuration

Master Configuration File RFS6000 RFS6000 Policies Policies • AAA • Adoption • Advanced WIPS • Association ACL • Captive Portal • Device Categorization • Device Discover • DHCP • Firewall • IGMP Snoop • ISAKMP • Management • NAT • Radio QoS • RADIUS Server • RADIUS User Pool • Role • Smart-RF • VPN • WIPS • WLAN QoS Policies Policies AP-7131 AP-7131 AP-7131 WLANs • WLAN 1 • WLAN 2 • WLAN 3 • WLAN 4 • WLAN 5 • WLAN 6 • .. • .. • .. • WLAN 256 Policies WLAN WLAN WLAN RF Domains • default • User Defined Profiles • default-rfs7000 • default-rfs6000 • default-rfs4000 • default-ap650 • default-ap7131 • User Defined AP-650 AP-650 AP-650 Devices • RFS7000 • RFS6000 • RFS4000 • AP-650 • AP-7131 Master Configuration File WLAN WLAN WLAN

RF Domains

RF Domains – Introduction • Allow assigning regional configuration, WIPS policies, Smart RF policies to Wireless Controllers and Access Points • By default all Wireless Controllers and Access Points are assigned to a RF Domain named default • User defined RF Domains can be manually assigned to Wireless Controllers and Access Points or automatically assigned to Access Points using an Adoption Policies • One RF Domain per Wireless Controller and Access Point RF Domain = Store1 RF Domain = Store2 RF Domain = Corp RF Domain = Store3 RF Domain = Store4

RF Domains – Elements • Default and user defined RF Domains contain applicable policies and configuration parameters • Changes made to policies or configuration parameters are automatically inherited by all the Wireless Controllers and Access Points assigned to the RF Domain Policies RF Domain Parameters Wireless Controllers Access Points

RF Domains – Example Use Case 1 • Common Smart RF and WIPS Policy across different floors or buildings Smart-RF Policy ‘Corp’ RF Domain ‘Corp’ WIPS Policy ‘Corp’

RF Domains – Example Use Case 2 • Different Smart RF or WIPS Policies across different floors or buildings Smart-RF Policy ‘Building1’ RF Domain ‘Building1’ Smart-RF Policy ‘Building4’ Smart-RF Policy ‘Building3’ WIPS Policy ‘Corp’ RF Domain ‘Building4’ RF Domain ‘Building3’ WIPS Policy ‘Corp’ WIPS Policy ‘Corp’ Smart-RF Policy ‘Building1’ RF Domain ‘Building2’ WIPS Policy ‘Corp’

RF Domains – Example Use Case 3 • Unique Country Codes and Location Information across different sites or countries RF Domain = Portland Country Code = US Time Zone = PST Smart-RF = Portland WIPS = Branch RF Domain = Toronto Country Code = CA Time Zone = EST Smart-RF = Toronto WIPS = Branch RF Domain = Chicago Country Code = US Time Zone = CST Smart-RF = Chicago WIPS = Regional RF Domain = LA Country Code = US Time Zone = PST Smart-RF = LA WIPS = Regional RF Domain = Atlanta Country Code = US Time Zone = EST Smart-RF = Atlanta WIPS = Branch RF Domain = Corp Country Code = US Time Zone = CST Smart-RF = Corp WIPS = Corp

RF Domains – Example Use Case 4 • Custom SSIDs and VLAN IDs across different sites assigned to a common WLAN ID WLAN 1 SSID = Corp VLAN = 1 WLAN 1 SSID = CorpON VLAN = 4 WLAN 1 SSID = CorpNE VLAN = 2 WLAN 1 SSID = Corp VLAN = 1 WLAN 1 SSID = CorpGA VLAN = 3 WLAN 1 SSID = CorpTX VLAN = 1 • Common WLAN ID • Common SSID • Common VLAN IDs • Common WLAN ID • Unique SSID • Unique VLAN IDs

RF Domains – RF Domain Manager • On remote sites w/o the controller one of the APs will be elected to become the RF Domain Manager (typically, the most powerful device) • Functions of RF Domain Manager • Roaming co-ordination • SMART RF • Smart Band Control and Load Balance • Statistics Sync • Statistics collection from APs in the RF Domain • If a controller is a part of RF Domain – if will always become RF Domain manager (even if it’s over the WAN link). • Remove the controller from local RF Domain if you want APs to perform RF Domain Manager functions WLAN Controller Branch Office DSL WAN

RF Domains – Web-UI & CLI Examples Configuration > RF Domains ! rf-domain Corp location New York timezone EST5EDT country-code us use smart-rf-policy Corp sensor server 1 192.168.10.31 sensor server 2 192.168.10.32 ! rf-domain Store1 location Nashville timezone CST6CDT country-code us use smart-rf-policy Store1 sensor server 1 192.168.10.31 sensor server 2 192.168.10.32 ! rf-domain Store2 location Los Angeles timezone PST8PDT country-code us use smart-rf-policy Store2 sensor server 1 192.168.10.31 sensor server 2 192.168.10.32 ! rf-domain default no country-code !

RF Domains – Considerations 1 A default or user defined RF Domain can be assigned to both Wireless Controllers and Access Points A Wireless Controller and Access Points can only be assigned to one (1) RF Domain at a time 2 A RF Domain can be simultaneously assigned to multiple Wireless Controllers and Access Points 3 All Wireless Controllers and Access Points are automatically assigned to a default RF Domain 4 Each user defined RF Domain requires a unique name 5 User defined RF Domains can be manually assigned to Wireless Controllers or Access Points 6 User defined RF Domains can be automatically assigned to Access Points using Adoption policies 7

Profiles

Profiles – Introduction • Allow assigning a common set of configuration parameters and Policies to groups of Wireless Controllers and Access Points • Available configuration parameters depend on the hardware model • Default and user defined • Quickly enable new features or change existing parameters for groups of devices Profile = ap7131-store1 Profile = ap7131-store2 Profile = corp-ap650 Profile = rfs7000-corp Profile = ap650-store3 Profile = rfs4000-store3 Profile = ap650-store4 Profile = rfs4000-store4

Profiles – Default Profiles • All Wireless Controllers and Access Points are automatically assigned to a default Profile unless an Adoption policy has been defined that specifically assigns Access Points to a user defined Profile • A default profile for each model is automatically added to the master configuration file as devices are discovered • Default Profiles may also be manually added prior to discovery if required • Default Profiles are ideal for single site deployments when all Wireless Controllers and Access Points at a site share common configuration

Profiles – User Defined Profiles • Are manually created for each model of Wireless Controllers and Access Points • Maybe manually assigned to Wireless Controllers or Access Points or automatically assigned to Access Points using an Adoption policy • User defined Profiles are useful in larger deployments using centralized Wireless Controllers when groups of devices on different floors, buildings or sites share a common configuration • AP Adoption Policies provide the means to easily assign Profiles to Access Points based on:

Profiles – Elements • Each default and user defined Profile contains Policies and configuration parameters • Changes made to Policies or configuration parameters are automatically inherited by the devices assigned to the Profile Policies Profile Parameters Device Device

Profiles – Example Use Case 1 • Common Network, Wireless and Security parameters in a campus WLAN ‘Corp’ WLAN ‘Voice’ WLAN ‘Guest’ VLANs 10,20,30 AP-650 Profile ‘Corp’ Firewall Policy ‘Corp’ Captive Portal Policy ‘Corp’ Management Policy ‘Corp’

Profiles – Example Use Case 2 • Unique Network, Wireless and Security parameters at each site in large distributed deployments Profile = ap7131-portland Management = Corp Guest Access = Portland DHCP = Portland Firewall = Corp WLANs = Corp, Voice, Guest VLANs = 10,20,30 Profile = ap650-toronto Management = Corp Guest Access = Toronto DHCP = Toronto Firewall = Corp WLANs = Corp, Voice, Guest VLANs = 130,140,150 Profile = ap650-chicago Management = Corp Guest Access = Chicago DHCP = Chicago Firewall = Corp WLANs = Corp, Voice, Guest VLANs = 70,80,90 Profile = ap7131-atlanta Management = Corp Guest Access = Atlanta DHCP = Atlanta Firewall = Corp WLANs = Corp, Voice, Guest VLANs = 170,180,190 Profile = ap650-la Management = Corp Guest Access = LA DHCP = LA Firewall = Corp WLANs = Corp, Voice, Guest VLANs = 40,50,60 Profile = ap7131-corp Management = Corp Guest Access = Corp DHCP = Corp Firewall = Corp WLANs = Corp, Voice, Guest VLANs = 100,110,120

Profiles – Web-UI and CLI Examples Configuration > Profiles ! profile rfs7000 rfs7000-default interface me1 interface ge1 interface ge2 interface ge3 interface ge4 use management-policy corp use firewall-policy default ! profile ap7131 ap7131-default interface radio1 interface radio2 interface radio3 interface ge1 interface ge2 use management-policy corp use firewall-policy default ! profile rfs7000 rfs7000-corp interface me1 interface ge1 description UPLINK switchport mode trunk switchport trunk native vlan 200 switchport trunk native tagged switchport trunk allowed vlan 200,202-204 interface ge2 interface ge3 interface ge4 use rf-domain corp use firewall-policy default ! profile ap7131 ap7131-store1 interface radio1 radio-band 5GHz interface radio2

Profiles – User Defined Profile Assignment Options Manual Profile Assignment Automatic Profile Assignment AP-7131 AP-7131 AP-650 Profile RFS6000 Profile AP-7131 Profile 3 Profile Assignment AP-7131 AP-7131 Profile AP-7131 2 Profile Selection AP-7131 AP-7131 AP Adoption Policy Match Conditions 1 Access Point Adoption RFS7000 RFS7000 Profile RFS7000 AP-7131

Profiles – Considerations 1 Profiles are hardware specific and can ONLY be assigned to devices of the same hardware model that the profile was created for A Wireless Controller and Access Points can only be assigned to one (1) Profile at a time 2 Only one default Profile per hardware model is supported 3 All Wireless Controllers and Access Points are automatically assigned to a default Profile based on their hardware model 4 Each user defined Profile requires a unique name 5 User defined Profiles can be manually assigned to Wireless Controllers or Access Points 6 User defined Profiles can be automatically assigned to Access Points using AP Adoption policies 7

Devices

Devices – Introduction • The master configuration file includes a device configuration for each discovered device • A discovered devices configuration is identified by a model and MAC address: • Example: rfs6000 00-15-70-81-7b-0d • Example: ap7131 00-15-70-c7-8f-f0 • A devices configuration may include individual configuration override parameters as well as WLAN, Policy, RF Domain and Profile override assignments • A devices final configuration is determined based on policies and configuration parameters inherited from RF Domains and Profiles along individual device override configuration parameters and policies • Individual configuration parameters for a device overrides the configuration parameters inherited from RF Domains and Profiles Configuration Parameters RF Domain Policies Configuration Parameters Profile Policies Configuration Parameters Device Policies Final Config

Devices – Elements • Each devices configuration may contain Policies and configuration parameters • Configuration parameters and Policies assigned to a devices configuration will override any inherited parameters applied from a Profile Policies Device Parameters

Devices – Final Device Configuration • Final device configuration consists of the configuration parameters and policies assigned to a Profile combined with the configuration parameters and Policies assigned to each individual device ! profile ap7131 ap7131-default interface radio1 radio-band 5GHz wlan wlan1 bss 1 primary wlan wlan2 bss 2 primary interface radio2 radio-band 2.4GHz wlan wlan1 bss 1 primary wlan wlan2 bss 2 primary interface radio3 interface ge1 interface ge2 use management-policy Corp use firewall-policy default ! ! ap7131 00-15-70-C7-2A-A2 use profile ap7131-default use rf-domain Corp hostname ap7131-1 interface radio1 description ap-7131-3-an channel 157+ power 20 data-rates an interface radio2 description ap-7131-3-bgn channel 11 power 6 data-rates bgn ! ! ap7131 00-15-70-C7-2A-A2 use rf-domain Corp hostname ap7131-1 interface radio1 description ap-7131-3-an radio-band 5GHz channel 157+ power 20 data-rates an wlan wlan1 bss 1 primary wlan wlan2 bss 2 primary interface radio2 description ap-7131-3-bgn radio-band 2.4GHz channel 11 power 6 data-rates bgn wlan wlan1 bss 1 primary wlan wlan2 bss 2 primary use management-policy Corp use firewall-policy default ! AP-7131 Profile AP-7131 Device Configuration Final Device Configuration

Devices – Final Device Configuration Cont… • Individual device configuration can override the configuration inherited from a Profile when unique configuration parameters need to be assigned ! profile ap7131 ap7131-default interface radio1 radio-band 5GHz wlan wlan1 bss 1 primary wlan wlan2 bss 2 primary interface radio2 radio-band 2.4GHz wlan wlan1 bss 1 primary wlan wlan2 bss 2 primary interface radio3 interface ge1 interface ge2 use management-policy Corp use firewall-policy default ! ! ap7131 00-15-70-C7-2A-A2 use profile ap7131-default use rf-domain Corp hostname ap7131-1 interface radio1 description ap-7131-3-an channel 157+ power 20 data-rates an interface radio2 description ap-7131-3-bgn channel 11 power 6 data-rates bgn wlan wlan3 bss 1 primary wlan wlan4 bss 2 primary ! ! ap7131 00-15-70-C7-2A-A2 use rf-domain Corp hostname ap7131-1 interface radio1 description ap-7131-3-an radio-band 5GHz channel 157+ power 20 data-rates an wlan wlan1 bss 1 primary wlan wlan2 bss 2 primary interface radio2 description ap-7131-3-bgn radio-band 2.4GHz channel 11 power 6 data-rates bgn wlan wlan1 bss 1 primary wlan wlan2 bss 2 primary use management-policy Corp use firewall-policy default ! AP-7131 Profile • wlan wlan3 bss 1 primary • wlan wlan4 bss 2 primary AP-7131 Device Configuration Final Device Configuration WLANs assigned by the Profile for radio 2 are overridden by the WLANs assigned to radio 2 on the device !

Devices – Example Use Case • Device level configuration is useful for assigning static IP addresses and hostnames has well as overriding VLAN, Wireless or Security parameters for individual devices Policies Profile WLANs WLANs = Corp, Voice VLANs = 10,20 Policies Device WLANs WLANs = Corp, Voice, Guest VLANs = 10,20,30

Devices – Web-UI and CLI Examples Configuration > Devices ! rfs6000 00-15-70-81-7B-0D use profile corp-rfs6000 use rf-domain Corp hostname rfs6000 ip route 0.0.0.0/0 172.16.200.1 interface ge1 switchport mode trunk switchport trunk native vlan 200 switchport trunk allowed vlan 200-204 interface vlan200 ip address 172.16.200.10/24 allow-management ! ap650 00-15-70-C7-2A-A2 use profile corp-ap650 use rf-domain Corp hostname ap650-1 ! ap650 00-15-70-C7-A7-20 use profile corp-ap650 use rf-domain Corp hostname ap650-2 ! ap650 00-15-70-C7-D5-30 use profile corp-ap650 use rf-domain Corp hostname ap650-3 ! ap650 00-15-70-C7-F2-A8 use profile corp-ap650 use rf-domain Corp hostname ap650-4 ! ap650 00-15-70-C7-70-4F use profile corp-ap650 use rf-domain Corp

Devices – Considerations 1 All configuration parameters and policies assigned to an individual Wireless Controller or Access Point will override any inherited configuration parameters and policies All configuration parameters and policy assignments made to an individual device will only apply to the individual device WLANs applied to a device radio will override the block of WLANs assigned to the radio inherited from a profile Certain parameters such as Hostnames, static IP addresses and licenses have to be defined as device overrides 2 3 4

Polices

Policies – Introduction • Policies are used to assign common configuration parameters for specific features or services • Allows reusing the same service configuration across multiple devices • Ex: deploying multiple instances of RADIUS server for redundancy • Ex: Defining DHCP server configuration across cluster for DHCP redundancy • Ex: defining the same parameters for managements access (interfaces, user roles) to multiple devices • Ex: Configuring multiple WLANs to use same AAA servers • Ex: Reusing ACLs • Generally, Policies that can be assigned to Profiles may also be assigned to Devices • Certain Policies may only be assigned to WLANs RF Domains Policies Profiles Policies Devices Policies WLANs Policies

Policies – Mappings • Policies that are assigned to RF Domains and Profiles can also be assigned to Devices • With the exception of Captive Portal Policies and Firewall Rules, all Policies assigned to WLANs are WLAN specific

Policies – Considerations 1 One supported Policy of each type can be assigned per RF Domain, Profile, WLAN or Device Each policy requires a unique name and can be assigned to multiple RF Domains, Profiles, WLANs or Devices A policy that is inherited from a RF Domain, Profile or WLAN will be over-ridden by a Policy assigned to the Device Certain Policies are Device specific. For example an Advanced WIPS Policy can only be assigned to a Wireless Controller and not an Access Point 2 3 4

WLAN

WLANs – Introduction • WLANs are defined separately • May be assigned to individual APs or groups of Access Points • Each WLAN contains configuration parameters and applicable Policies • WLAN Profiles provide an extremely flexible deployment model allowing administrators to quickly deploy new WLANs or make changes to existing WLANs across individual or large numbers of Access Points • RF Domain and device overrides provide additional flexibility by allowing an enterprise to assign a common WLAN Profile across multiple buildings or sites each with a unique SSID and VLAN assignment ESSIDs: Corp, Voice • ESSIDs: Corp • ESSIDs: Corp, Voice, Guest • ESSIDs: Corp, Voice, Guest • ESSIDs: Corp, Guest

WLANs – Elements • Each WLAN contains Policies and configuration parameters • Changes made to Policies or configuration parameters are automatically inherited by the devices using the WLAN Policies WLANs Parameters Device Profile

WLANs – Example Use Case 1 Policies WLAN Parameters • WLANs can be manually assigned to individual AP radios as overrides • WLANs assigned to radios will replace ALL WLANs assigned to the radio inherited from a Profile • This option is ideal for small customer deployments where Profiles provide no tangible benefits OR customer environments where a small subsets of Access Points require unique WLAN assignments (i.e. Guest WLAN in a lobby) AP-7131 AP-650 AP-650

WLANs – Example Use Case 2 Policies WLAN Parameters • WLANs can be automatically assigned to groups of Access Points using default or user defined Profiles • This option is ideal for customer deployments where common WLANs need to be assigned to large groups of Access Points radios AP-650 Profile AP-650 Profile AP-7131 Profile AP-650(s) AP-650(s) AP-7131(s)

WLANs – Example Use Case 3 Policies WLAN Parameters • WLANs can be automatically assigned to groups of Access Points using Adoption Policies • This option is ideal for plug-n-play deployments where Profiles and RF Domains are automatically assigned to Access Points during adoption which determines the WLANs assigned to the radios at each building, floor or site AP Adoption Policy AP Adoption Policy AP Adoption Policy AP-650 Profile AP-7131 Profile AP-7131 Profile AP-650(s) AP-7131(s) AP-7131(s)

WLANs – Web-UI and CLI Examples Configuration > Wireless ! wlan CORP-DATA ssid CORP-DATA VLAN 201 encryption-type ccmp authentication-type eap use aaa-policy Corp ! wlan CORP-VOICE ssid CORP-VOICE vlan 202 encryption-type ccmp wpa-wpa2 psk primary hellomoto ! wlan CORP-GUEST ssid CORP-GUEST vlan 203 encryption-type none authentication-type none use captive-portal Corp !

Considerations 1 Access Points must be assigned to a RF Domain with a country code defined before WLANs can be serviced WLANs can be manually assigned to multiple Access Points of the same model using default or user defined Profiles 2 WLANs can be automatically assigned to Access Points based on location with default or user defined Profiles assigned using AP Adoption policies 3 WLANs assigned directly to a devices radios as overrides will replace all WLANs assigned a radio from a Profile 4 SSIDs and VLANs for a common WLAN can be over-ridden from a RF Domain or device configuration using SSID and VLAN overrides 5 Each WLAN definition requires a unique name 6

Summary RF Domains RF Domain Profile + Profiles Configuration Parameters Policies WLANs  Device Device Overrides Wireless Controller Access Point = Final Device Configuration

Explain why the WiNG 5.x configuration model is well suited to plug-and-play deployments • Identify key aspects of the master and device configuration files • Identify the five WiNG 5.x configurations elements: RF domains, profiles, devices, polices and WLANs • Describe each element in terms of its components, use cases, UI and CLI examples, and key considerations • Module Summary

Module 3

Module 3

Presentation Transcript

Module 3

Module 3

Module 3

MODULE 3

MODULE 3

Module 3

Module 3

Module 3

MODULE 3

Module 3

Module 3

Module 3

Module 3:

Module 3

Module 3

MODULE 3

Module 3

Module 3:

Module 3