
Chapter 5

Virtual APs

 

APs advertise WLANs to wireless clients by sending out beacons and probe responses that contain the WLAN’s SSID and supported authentication and data rates. When a wireless client associates to an AP, it sends traffic to the AP’s Basic Service Set Identifier (BSSID) which is usually the AP’s MAC address.

In the Aruba network, an AP uses a unique BSSID for each WLAN. Thus a physical AP can support multiple WLANs. The WLAN configuration applied to a BSSID on an AP is called a virtual AP. You can configure and apply multiple virtual APs to an AP group or to an individual AP by defining one or more virtual AP profiles.

This chapter describes the following topics:

  • “Virtual AP Profiles”

  • “Configuring a Virtual AP”

  • “Configuring a High-Throughput Virtual AP”

Virtual AP Profiles

You can configure virtual AP profiles to provide different network access or services to users on the same physical network. For example, you can configure a WLAN to provide access to guest users and another WLAN to provide access to employee users through the same APs. You can also configure a WLAN that offers open authentication and Captive Portal access with data rates of 1 and 2 Mbps and another WLAN that requires WPA authentication with data rates of up to 11 Mbps. You can apply both virtual AP configurations to the same AP or an AP group (see Figure 22).

Figure 22  Virtual AP Configurations Applied to the same AP

You can apply the same virtual AP profiles to one or more AP groups. For example, there are users in both Edmonton and Toronto that access the same “Corpnet” WLAN. Note that if your WLAN requires authentication to an external server, you may want to have users who associate with the APs in Toronto authenticate with their local servers. In this case, you can configure slightly different AAA profiles: one that references authentication servers in Edmonton and the other that references servers in Toronto (see Table 26).

Table 26  Applying WLAN Profiles to AP Groups

| WLAN Profiles | “default” AP Group | “Toronto” AP Group |
|---|---|---|
| Virtual AP | “Corpnet-E” | “Corpnet-T” |
| SSID | “Corpnet” | “Corpnet” |
| AAA | “E-Servers” | “T-Servers” |

When you assign a profile to an individual AP, the values in the profile override the profile assigned to the AP group to which the AP belongs. The exception is the virtual AP profile. You can apply multiple virtual AP profiles to individual APs, as well as to AP groups.

You can exclude one or more virtual AP profiles from an individual AP. This prevents a virtual AP, defined at the AP group level, from being applied to a specific AP. For example, you can apply the virtual AP profile that corresponds to the “Corpnet” SSID to the “default” AP group. If you do not want the “Corpnet” SSID to be advertised on the AP in the lobby, you can specify the virtual AP profile that contains the “Corpnet” SSID configuration be excluded from that AP.

Figure 23  Excluding a Virtual AP Profile from an AP

Excluding a Virtual AP Profile From an AP in the WebUI

1.    Navigate to the Configuration > Wireless > AP Configuration > AP Specific page.

2.    Do one of the following:

  • If the AP you want to exclude is included in the list, click Edit for the AP.

  • If the AP does not appear in the list, click New. Either type in the name of the AP, or select the AP from the drop-down list. Then click Add.

3.    Select Wireless LAN under the Profiles list, then select Excluded Virtual AP.

4.    Select the name of the virtual AP profile you want to exclude from the drop down menu (under Profile Details) and click Add. The profile name appears in the Excluded Virtual APs list. You can add multiple profile names in the same way.

5.    To remove a profile name from the Excluded Virtual APs list, select the profile name and click Delete.

6.    Click Apply.

Excluding a Virtual AP Profile From an AP in the CLI

ap-name <name>

   exclude-virtual-ap <profile>

Configuring a Virtual AP

This section includes examples of how to create virtual APs for a specific AP as well as for the “default” AP group, which includes all APs discovered by the controller. The configuration in this example contains the following WLANs:

  • An 802.11a/b/g SSID called “Corpnet” that uses WPA2 and is available on all APs in the network

  • An 802.11a/b/g SSID called “Guest” that uses open system and is only available on the AP “building3-lobby” (this AP will support both the “Corpnet” and “Guest” SSIDs)

Each WLAN requires a different SSID profile that maps into a separate virtual AP profile. For the SSID “Corpnet”, which will use WPA2, you need to configure an AAA profile that includes 802.1x authentication and an 802.1x authentication server group.

Because all APs discovered by the controller belong to the AP group called “default”, you assign the virtual AP profile that contains the SSID profile “Corpnet” to the “default” AP group. For the “Guest” SSID, you configure a new virtual AP profile that you assign to the AP named “building3-lobby”. Table 27 lists the profiles that you need to modify or create for these examples.

Table 27  Profiles for Example Configuration

| AP Group/Name | Virtual AP Profile | SSID Profile | AAA Profile |
|---|---|---|---|
| “default” | “corpnet”: VLAN: 1; SSID profile: “corpnet”; AAA profile: “corpnet” | “corpnet”: SSID: Corpnet; WPA2 | “corpnet”: 802.1x authentication default role: “employee”; 802.1x authentication server group: “corpnet” (Radius1, Radius2) |
| “building3-lobby” | “guest”: VLAN: 2; Deny Time Range; SSID profile: “guest”; AAA profile: “default-open” | “guest”: SSID: Guest; Open system | “default-open” (This is a predefined, read-only AAA profile that specifies open system authentication) |

Configuring the WLAN

In this example WLAN, users are validated against a corporate database on a RADIUS authentication server before they are allowed access to the network. Once validated, users are placed into a specified VLAN (VLAN 1 in this example) and assigned the user role “employee” that permits access to the corporate network.

Aruba recommends that you assign a unique name to each virtual AP, SSID, and AAA profile that you modify. In this example, you use the name “corpnet” to identify each of the profiles.

Follow the steps below to configure the Corpnet WLAN. Each of these steps is described in further detail later in this document.

1.    Configure a policy for the user role employee and configure the user role employee with the specified policy.

2.    Configure RADIUS authentication servers and assign them to the corpnet 802.1x authentication server group.

3.    Configure authentication for the WLAN.

a.    Create the corpnet 802.1x authentication profile.

b.    Create the AAA profile corpnet and specify the previously-configured employee user role for the 802.1x authentication default role.

c.    Specify the previously-configured corpnet 802.1x authentication server group.

4.    For the AP group “default”, create and configure the virtual AP corpnet.

a.    Create a new virtual AP profile corpnet.

b.    Select the previously-configured corpnet AAA profile for this virtual AP.

c.    Create a new SSID profile corpnet to configure “Corpnet” for the SSID name and WPA2 for the authentication.

The following sections describe how to do this using the WebUI and the CLI.

Configuring the User Role

In this example, the employee user role allows unrestricted access to network resources and is granted only to users who have been successfully authenticated with an external RADIUS server. You can configure a more restrictive user role by specifying allowed or disallowed source and destination, protocol, and service for the traffic. For more information about configuring user roles, see “User Roles”.

In the WebUI

1.    Navigate to the Configuration > Security > Access Control > Policies page.

2.    Click Add to add a new policy. Enter the name of the policy.

Default settings for a policy rule permit all traffic from any source to any destination, but you can make a rule more restrictive. You can also configure multiple rules; the first rule in a policy that matches the traffic is applied. Click Add to add a rule. When you are done adding rules, click Apply.

3.    Click the User Roles tab. Click Add to add a new user role. Enter the name of the role. Under Firewall Policies, click Add. In the Choose from Configured Policies drop-down list, select the policy you previously created. Click Done.

4.    Click Apply.

In the CLI

ip access-list session <policy>

   <source> <dest> <service> <action> 

user-role employee

   access-list session <policy>

Configuring Authentication Servers

This example uses RADIUS servers for the client authentication. You need to specify the hostname and IP address for each RADIUS server and the shared secret used to authenticate communication between the server and the controller. After configuring authentication servers, assign them to the corpnet server group, an ordered list of the servers to be used for 802.1x authentication.

For more information about configuring authentication servers, see “Configuring Servers”.

In the WebUI

1.    Navigate to the Configuration > Security > Authentication > Servers page.

2.    Select Radius Server to display the Radius Server List.

3.    Enter the name of the server, and click Add. The server name appears in the list of servers.

4.    Select the server name. Enter the IP address and shared secret for the server. Select the Mode checkbox to activate the authentication server.

5.    Click Apply to apply the configuration.

6.    Select Server Group on the Servers page.

7.    Enter the name of the group, and click Add. The server group name appears in the list of server groups.

8.    Select the server group name. Click New to add a server to the group. Under Server Name, select the server you just configured and click Add.

9.    Click Apply to apply the configuration.

In the CLI

aaa authentication-server radius Radius1

   host <ipaddr>

   key <key>

   enable

aaa server-group corpnet

   auth-server Radius1

Configuring Authentication

In this example, you create the 802.1x authentication profile corpnet. The AAA profile configures the authentication for a WLAN. The AAA profile defines the type of authentication (802.1x in this example), the authentication server group, and the default user role for authenticated users.

In the WebUI

1.    Navigate to the Configuration > Security > Authentication > L2 Authentication page. Select 802.1x Authentication Profile.

a.    In the 802.1x Authentication Profile list on the right window pane, enter corpnet in the entry blank at the bottom of the list, and click Add.

b.    Select the corpnet 802.1x authentication profile you just created.

c.    You can configure parameters in the Basic or Advanced tabs. These parameters are described in detail in Table 54. For this example, you use the default values, so click Apply.

2.    Select the AAA Profiles tab.

a.    Scroll down to the bottom of the AAA Profiles Summary pane, then click Add. An entry blank appears.

b.    Enter corpnet, then click Add.

c.    Scroll back up the AAA Profiles Summary pane, and select the corpnet AAA profile you just created.

d.    For this example, change the 802.1x Authentication Default Role: select the employee role you previously configured. You can also configure other AAA profile parameters (see Table 28).

e.    Click Apply.

Table 28  AAA Profile Parameters

| Parameter | Description |
|---|---|
| Initial role | Click the Initial Role drop-down list and select a role for unauthenticated users. The default role for unauthenticated users is logon. |
| MAC Authentication Default Role | Click the MAC Authentication Default Role drop-down list and select the role assigned to the user when the device is MAC authenticated. The default role for MAC authentication is the guest user role. If derivation rules are present, the role assigned to the client through these rules takes precedence over the default role. Note: This feature requires the PEFNG license. |
| 802.1X Authentication Default Role | Click the 802.1X Authentication Default Role drop-down list and select the role assigned to the client after 802.1x authentication. The default role for 802.1x authentication is the guest user role. If derivation rules are present, the role assigned to the client through these rules takes precedence over the default role. Note: This feature requires the PEFNG license. |
| RADIUS Interim Accounting | When this option is enabled, the RADIUS accounting feature allows the controller to send Interim-Update messages with current user statistics to the server at regular intervals. This option is disabled by default, allowing the controller to send only start and stop messages to the RADIUS accounting server. |
| User derivation rules | Click the User derivation rules drop-down list and specify a user attribute profile from which the user role or VLAN is derived. |
| Wired to Wireless Roaming | Enable this feature to keep users authenticated when they roam from the wired side of the network. This feature is enabled by default. |
| SIP authentication role | Click the SIP authentication role drop-down list and specify the role assigned to a session initiation protocol (SIP) client upon registration. Note: This feature requires the PEFNG license. |
| Device Type Classification | When you select this option, the controller will parse user-agent strings and attempt to identify the type of device connecting to the AP. When the device type classification is enabled, the Global client table shown in the Monitoring > Network > All WLAN Clients window shows each client’s device type, if that client device can be identified. |
| Enforce DHCP | When you select this option, clients must obtain an IP using DHCP before they are allowed to associate to an AP. Enable this option when you create a user rule that assigns a specific role or VLAN based upon the client device’s type. For details, see “User-Derived Roles or VLANs”. Note: If a client is removed from the user table by the “Logon user lifetime” AAA timer, then that client will not be able to send traffic until it renews its DHCP. |

3.    Select the 802.1x Authentication Profile under the corpnet AAA profile to reveal the 802.1X Authentication Profile pane.

a.    Click the 802.1X Authentication Profile drop-down list and select corpnet.

b.    Click Apply.

4.    Select the 802.1x Authentication Server Group under the corpnet AAA profile to reveal the 802.1X Authentication Server Group pane.

a.    Click the 802.1X Authentication Server Group drop-down list and select the corpnet server group you previously configured.

b.    Click Apply.

In the CLI

aaa authentication dot1x corpnet

aaa profile corpnet

   authentication-dot1x corpnet

   dot1x-default-role employee

   dot1x-server-group corpnet

   radius-interim-accounting

Applying the Virtual AP

In this example, you apply the corpnet virtual AP to the “default” AP group which consists of all APs.

In the WebUI

1.    Navigate to the Configuration > Wireless > AP Configuration > AP Group page.

2.    Click Edit for the “default” AP group.

3.    Select Wireless LAN (under Profiles), then select Virtual AP.

4.    Select New from the Add a profile drop-down menu. Enter the name for the virtual AP profile (for example, corpnet), and click Add.

Whenever you create a new virtual AP profile in the WebUI, the profile automatically contains the “default” SSID profile with the default “Aruba-ap” ESSID. You must configure a new ESSID and SSID profile for the virtual AP profile before you apply the profile.

5.    Click the new Virtual AP name in the Profiles list or the Profile Details to display the configuration parameters defined in Table 29.

6.    Verify that Virtual AP enable is selected; select 1 for the VLAN.

7.    Click Apply.

Table 29  Virtual AP Profile Parameters

Parameter

Description

Virtual AP enable

Select the Virtual AP enable checkbox to enable or disable the virtual AP.

Allowed band

The band(s) on which to use the virtual AP:

  • a—802.11a band only (5 GHz).

  • g—802.11b/g band only (2.4 GHz).

  • all—both 802.11a and 802.11b/g bands (5 GHz and 2.4 GHz). This is the default setting.

VLAN

The VLAN(s) into which users are placed in order to obtain an IP address. Click the drop-down list to select a configured VLAN, then click the arrow button to associate that VLAN with the virtual AP profile.

Forward mode

This parameter controls whether data is tunneled to the controller using generic routing encapsulation (GRE), bridged into the local Ethernet LAN (for remote APs), or a combination thereof depending on the destination (corporate traffic goes to the controller, and Internet access remains local). All forwarding modes support band steering, TSPEC/TCLAS enforcement, 802.11k and station blacklisting.

Click the drop-down list to select one of the following forward modes:

  • Tunnel: The AP handles all 802.11 association requests and responses, but sends all 802.11 data packets, action frames and EAPOL frames over a GRE tunnel to the controller for processing. The controller removes or adds the GRE headers, decrypts or encrypts 802.11 frames and applies firewall rules to the user traffic as usual. Both remote and campus APs can be configured in tunnel mode.

  • Bridge: 802.11 frames are bridged into the local Ethernet LAN. When a remote AP or campus AP is in bridge mode, the AP (and not the controller) handles all 802.11 association requests and responses, encryption/decryption processes, and firewall enforcement. The 802.11e and 802.11k action frames are also processed by the AP, which then sends out responses as needed.

An AP in bridge mode does not support captive portal authentication. Both remote and campus APs can be configured in bridge mode. Note that you must enable the control plane security feature on the controller before you configure campus APs in bridge mode.

  • Split-Tunnel: 802.11 frames are either tunneled or bridged, depending on the destination (corporate traffic goes to the controller, and Internet access remains local).

A remote AP in split-tunnel forwarding mode handles all 802.11 association requests and responses, encryption/decryption, and firewall enforcement. The 802.11e and 802.11k action frames are also processed by the remote AP, which then sends out responses as needed.

  • Decrypt-Tunnel: Both remote and campus APs can be configured in decrypt-tunnel mode. When an AP uses decrypt-tunnel forwarding mode, that AP decrypts and decapsulates all 802.11 frames from a client and sends the 802.3 frames through the GRE tunnel to the controller, which then applies firewall policies to the user traffic.

When the controller sends traffic to a client, the controller sends 802.3 traffic through the GRE tunnel to the AP, which then converts it to encrypted 802.11 and forwards to the client. This forwarding mode allows a network to utilize the encryption/decryption capacity of the AP while reducing the demand for processing resources on the controller.

APs in decrypt-tunnel forwarding mode also manage all 802.11 association requests and responses, and process all 802.11e and 802.11k action frames. APs using decrypt-tunnel mode do have some limitations that are not present for APs in regular tunnel forwarding mode.

You must enable the control plane security feature on the controller before you configure campus APs in decrypt-tunnel forward mode.

Note: Virtual APs in bridge or split-tunnel mode using static WEP should use key slots 2-4 on the controller. Key slot 1 should only be used with Virtual APs in tunnel mode.

Deny time range

Click the drop-down list and select a configured time range for which the AP will deny access. If you have not yet configured a time range, navigate to Configuration > Security > Access Control > Time Ranges to define a time range before configuring this setting in the virtual AP profile.

Mobile IP

Enables or disables IP mobility for this virtual AP.

Default: Enabled

HA Discovery on-association

If enabled, all clients of a virtual AP will receive mobility service on association.

Default: Disabled

DoS Prevention

If enabled, APs ignore deauthentication frames from clients. This prevents a successful deauthorization attack from being carried out against the AP. This does not affect third-party APs. Default: Disabled

Station Blacklisting

Select the Station Blacklisting checkbox to enable detection of denial of service (DoS) attacks, such as ping or SYN floods, that are not spoofed deauthorization attacks.

Default: Enabled

Blacklist Time

Number of seconds that a client is quarantined from the network after being blacklisted. Default: 3600 seconds (1 hour)

Multicast Optimization for Video

Enable/Disable dynamic multicast optimization. This parameter is disabled by default, and cannot be enabled without the PEFNG license.

Multicast Optimization Threshold

Maximum number of high-throughput stations in a multicast group beyond which dynamic multicast optimization stops.

Range: 2-255 stations

Default: 6 stations.

Authentication Failure Blacklist Time

Time, in seconds, a client is blocked if it fails repeated authentication. The default setting is 3600 seconds (1 hour). A value of 0 blocks the client indefinitely.

Multi Association

Enables or disables multi-association for this virtual AP. When enabled, this feature allows a station to be associated to multiple APs. If this feature is disabled, when a station moves to new AP it will be de-authorized by the AP to which it was previously connected, deleting station context and flushing key caching information.

Important things to know when using the Multi Association feature:

  • When enabled, the system allows multiple associations per client. If the maximum number of clients allowed per AP is limited to a small number there is a risk of increased association failures.

  • If a client has multiple associations, it may not do active scanning before a roaming event, which could result in it not being associated to the nearest AP.

  • Multiple associations may result in more frequent roaming.

Strict Compliance

If enabled, the AP denies client association requests if the AP and client station have no common rates defined. Some legacy client stations which are not fully 802.11-compliant may not include their configured rates in their association requests. Such non-compliant stations may have difficulty associating with APs unless strict compliance is disabled. This parameter is disabled by default.

VLAN Mobility

Enable or disable VLAN (Layer-2) mobility.

Default: Disabled

Remote-AP Operation

Configures when the virtual AP operates on a remote AP:

  • always—Permanently enables the virtual AP (Bridge Mode only). No authentication supported.

  • backup—Enables the virtual AP if the remote AP cannot connect to the controller (Bridge Mode only). No authentication supported.

  • persistent—Permanently enables the virtual AP after the remote AP initially connects to the controller (Bridge Mode only).

  • standard—Enables the virtual AP when the remote AP connects to the controller. Use standard option for tunneled, split-tunneled, and Bridge SSIDs.

Note: Only open/PSK security mode is allowed for always/backup RAP operation. No authentication is supported for always/backup.

Drop Broadcast and Multicast

Select the Drop Broadcast and Multicast checkbox to filter out broadcast and multicast traffic in the air.

Do not enable this option for virtual APs configured in bridge forwarding mode. This configuration parameter is only intended for use for virtual APs in tunnel mode. In tunnel mode, all packets travel to the controller, so the controller is able to drop all broadcast traffic. When a virtual AP is configured to use bridge forwarding mode, most data traffic stays local to the AP, and the controller is not able to filter out that broadcast traffic.

IMPORTANT: If you enable this option, you must also enable the Broadcast-Filter ARP parameter in the stateful firewall configuration to prevent ARP requests from being dropped. To enable this setting:

1.    Navigate to Configuration > Stateful Firewall.

2.    Click the Global Setting tab.

3.    Select the Broadcast-Filter ARP checkbox.

4.    Click Apply to save your settings before you return to the Virtual AP Profile.

Note also that although a virtual AP profile can be replicated from a master controller to local controllers, stateful firewall settings do not. If you select the Drop Broadcast and Multicast option for a Virtual AP Profile on a master controller, you must enable the Broadcast-Filter ARP setting on each individual local controller.

Convert Broadcast ARP requests to unicast

If enabled, all broadcast ARP requests are converted to unicast and sent directly to the client. You can check the status of this option using the show ap active and the show datapath tunnel command. If enabled, the output will display the letter a in the flags column. This parameter is disabled by default.

Do not enable this option for virtual APs configured in bridge forwarding mode. This configuration parameter is only intended for use for virtual APs in tunnel mode. In tunnel mode, all packets travel to the controller, so the controller is able to convert ARP requests directed to the broadcast address into unicast.

When a virtual AP is configured to use bridge forwarding mode, most data traffic stays local to the AP, and the controller is not able to convert that broadcast traffic.

Deny inter user traffic

Select this checkbox to deny traffic between the clients using this virtual AP profile.

The global firewall shown in the Configuration > Advanced Services > Stateful Firewall > Global window also includes an option to deny all inter-user traffic, regardless of the Virtual AP profile used by those clients.

If the global setting to deny inter-user traffic is enabled, all inter-user traffic between clients will be denied, regardless of the settings configured in the virtual AP profiles. If the setting to deny inter-user traffic is disabled globally but enabled on an individual virtual AP, only the traffic between un-trusted users and the clients on that particular virtual AP will be blocked.

Band Steering

ARM’s band steering feature encourages dual-band capable clients to stay on the 5GHz band on dual-band APs. This frees up resources on the 2.4GHz band for single band clients like VoIP phones.

Band steering reduces co-channel interference and increases available bandwidth for dual-band clients, because there are more channels on the 5GHz band than on the 2.4GHz band. Dual-band 802.11n-capable clients may see even greater bandwidth improvements, because the band steering feature will automatically select between 40MHz or 20MHz channels in 802.11n networks. This feature is disabled by default, and must be enabled in a Virtual AP profile.

The band steering feature supports both campus APs and remote APs that have a virtual AP profile set to tunnel, split-tunnel or bridge forwarding mode. Note, however, that if a campus or remote AP has virtual AP profiles configured in bridge or split-tunnel forwarding mode but no virtual AP in tunnel mode, that AP will gather information about 5G-capable clients independently and will not exchange this information with other APs that also have bridge or split-tunnel virtual APs only.

Steering Mode

Band steering supports the following three different band steering modes.

  • Force-5GHz: When the AP is configured in force-5GHz band steering mode, the AP will try to force 5GHz-capable APs to use that radio band.

  • Prefer-5GHz (Default): If you configure the AP to use prefer-5GHz band steering mode, the AP will try to steer the client to 5G band (if the client is 5G capable) but will let the client connect on the 2.4G band if the client persists in 2.4G association attempts.

  • Balance-bands: In this band steering mode, the AP tries to balance the clients across the two radios in order to best utilize the available 2.4G bandwidth. This feature takes into account the fact that the 5GHz band has more channels than the 2.4GHz band, and that the 5GHz channels operate in 40MHz while the 2.4GHz band operates in 20MHz.

In the Profile Details entry for the new virtual AP profile, navigate to the AAA Profile drop-down list and select the AAA profile you previously configured to reveal the AAA Profile pop-up window. Click Apply to set the AAA profile and close the pop-up window.

In the CLI

wlan virtual-ap corpnet

   vlan 1

   aaa-profile corpnet

ap-group default

   virtual-ap corpnet
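
The inheritance and exclusion rules described above (virtual APs assigned to an AP group, virtual APs added to an individual AP, and exclude-virtual-ap) can be checked offline against a configuration export to confirm which WLANs each AP actually advertises. The Python script below is an added example, not part of the Aruba documentation. The sample configuration, the AP inventory, the AP names other than building3-lobby, and the handling of a profile that is both added and excluded on one AP are assumptions.

```python
from collections import defaultdict

# Constructed sample config; it uses only the CLI commands shown on this page.
SAMPLE_CONFIG = """\
wlan virtual-ap corpnet
   vlan 1
   aaa-profile corpnet
wlan virtual-ap guest
   vlan 2
   aaa-profile default-open
ap-group default
   virtual-ap corpnet
ap-name building3-lobby
   virtual-ap guest
ap-name visitor-center
   virtual-ap guest
   exclude-virtual-ap corpnet
ap-name loading-dock
   exclude-virtual-ap corpnett
"""

# Constructed AP inventory (AP name -> AP group). The page states that every
# discovered AP belongs to "default"; AP names other than building3-lobby
# are hypothetical.
SAMPLE_APS = {
    "building3-lobby": "default",
    "visitor-center": "default",
    "loading-dock": "default",
    "floor2-east": "default",
}

# AAA profiles that mean "no authentication"; "default-open" is the predefined one.
OPEN_AAA_PROFILES = {"default-open"}


def parse_config(text):
    """Parse indented profile blocks into {(kind, name): [(keyword, value), ...]}."""
    blocks = defaultdict(list)
    current = None
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        if not line[0].isspace():
            # An unindented line opens a block, e.g. "wlan virtual-ap corpnet".
            current = (" ".join(words[:-1]), words[-1])
            blocks[current]  # register the block even if it has no sub-commands
        elif current is not None:
            blocks[current].append((words[0], " ".join(words[1:])))
    return dict(blocks)


def values(block, keyword):
    """Return every value given for one keyword inside a block."""
    return [value for key, value in block if key == keyword]


def effective_virtual_aps(blocks, ap_name, ap_group):
    """Group virtual APs minus this AP's exclusions, plus AP-specific virtual APs."""
    own = blocks.get(("ap-name", ap_name), [])
    excluded = set(values(own, "exclude-virtual-ap"))
    group_vaps = values(blocks.get(("ap-group", ap_group), []), "virtual-ap")
    inherited = [v for v in group_vaps if v not in excluded]
    # Assumption: a profile both added and excluded on one AP is counted as
    # advertised, so the audit errs towards reporting exposure.
    return inherited + [v for v in values(own, "virtual-ap") if v not in inherited]


def audit(blocks, aps):
    """Return ({ap: [virtual APs]}, [findings]) for every AP in the inventory."""
    defined = {name for kind, name in blocks if kind == "wlan virtual-ap"}
    effective, findings = {}, []
    for ap, group in sorted(aps.items()):
        vaps = effective[ap] = effective_virtual_aps(blocks, ap, group)
        group_vaps = values(blocks.get(("ap-group", group), []), "virtual-ap")
        # A misspelled exclusion silently leaves the group's WLAN on the AP.
        for name in values(blocks.get(("ap-name", ap), []), "exclude-virtual-ap"):
            if name not in group_vaps:
                findings.append(f"{ap}: exclusion '{name}' matches no virtual AP in group '{group}'")
        for vap in vaps:
            if vap not in defined:
                findings.append(f"{ap}: virtual AP '{vap}' is not defined")
                continue
            aaa = values(blocks[("wlan virtual-ap", vap)], "aaa-profile")
            if any(profile in OPEN_AAA_PROFILES for profile in aaa):
                findings.append(f"{ap}: advertises open-authentication virtual AP '{vap}'")
    return effective, findings


if __name__ == "__main__":
    result, problems = audit(parse_config(SAMPLE_CONFIG), SAMPLE_APS)
    for ap, vaps in result.items():
        print(f"{ap:16} {', '.join(vaps) or '(none)'}")
    for problem in problems:
        print("FINDING:", problem)
```

The open-authentication findings are expected for APs that are meant to serve guests; the value of the report is that any other AP carrying the guest profile, or any AP where an exclusion did not take effect, stands out.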

Creating a new SSID Profile

Follow the procedures below to create a new SSID profile and associate that profile to your Virtual AP.

In the WebUI

1.    Navigate to the Configuration > Wireless > AP Configuration > AP Group page.

2.    Click Edit for the “default” AP group.

3.    Select Wireless LAN (under Profiles), then select Virtual AP.

4.    Click the new Virtual AP name in the Profiles list.

5.    Select New from the SSID Profile drop-down menu in the Profile Details entry for the new virtual AP profile. This launches an SSID profile pop-up window.

6.    Click the Basic tab, and enter the name for the SSID profile (for example, SSIDprofile).

7.    Enter a name in the Network Name (SSID) field (for example, Corpnet).

8.    Select WPA2 for Network Authentication.

9.    Configure other basic SSID profile settings, as described in Table 30.

10. Click the Advanced tab and click SSID Enable to enable the SSID.

11. (Optional) Configure advanced SSID profile settings, as described in Table 31.

12. Click Apply to set the SSID profile and close the pop-up window.

13. Click Apply again at the bottom of the Profile Details window.

Table 30  Basic SSID Profile Parameters

Parameter

Description

Network Name

Name that uniquely identifies a wireless network. The network name, or ESSID can be up to 31 characters. If the ESSID includes spaces, you must enclose it in quotation marks.

Network Authentication

The layer-2 authentication to be used on this ESSID to protect access and ensure the privacy of the data transmitted to and from the network.

  • None

  • 802.1x/WEP

  • WPA

  • WPA-PSK

  • WPA2

  • WPA2-PSK

  • xSec

  • Mixed

If you select the Mixed authentication option, a drop-down list will appear in the Network Authentication section. Click this drop-down list and select the combination of authentication types supported by APs using this SSID profile.

Encryption

This field shows the default encryption type used on this ESSID. Unselect the default encryption type if you do not want encryption, or click the Advanced tab to define a new encryption type.

Keys

If you selected WPA-PSK or WPA2-PSK authentication or a mixed authentication type that supports pre-shared keys, enter and confirm the Hex Key or PSK passphrase in the PSK Key/Passphrase and Confirm PSK Key/Passphrase fields.

  • To define a hex key, enter a 64-character hexadecimal string.

  • To define a PSK passphrase, enter an ASCII string 8-63 characters in length.

 

Next, click the Format drop-down list and select Hex or PSK Passphrase to select the format for the key or passphrase.

Table 31  Advanced SSID Profile Parameters

Parameter

Description

SSID Enable

Click this checkbox to enable or disable the SSID.

Encryption

Select one of the following encryption types

    xSec

Encryption and tunneling of Layer-2 traffic between the controller and wired or wireless clients, or between controllers. To use xSec encryption, you must use a RADIUS authentication server. For clients, you must install the Funk Odyssey client software.

Requires installation of the xSec license. For xSec between controllers, you must install an xSec license in each controller.

    opensystem

No authentication and encryption.

    static-wep

WEP with static keys.

    dynamic-wep

WEP with dynamic keys.

    wpa-tkip

WPA with TKIP encryption and dynamic keys using 802.1x.

    wpa-aes

WPA with AES encryption and dynamic keys using 802.1x.

    wpa-psk-tkip

WPA with TKIP encryption using a preshared key.

    wpa-psk-aes

WPA with AES encryption using a preshared key.

    wpa2-aes

WPA2 with AES encryption and dynamic keys using 802.1x.

    wpa2-psk-aes

WPA2 with AES encryption using a preshared key.

    wpa2-psk-tkip

WPA2 with TKIP encryption using a preshared key.

    wpa2-tkip

WPA2 with TKIP encryption and dynamic keys using 802.1x.

    wpa2-aes-gcm-128

WPA2 with AES GCM-128 (Suite-B) encryption and dynamic keys using 802.1X.

Note: This parameter requires the ACR license. For further information on Suite-B encryption, see “Configuring an SSID for Suite-B Cryptography”.

    wpa2-aes-gcm-256

WPA2 with AES GCM-256 (Suite-B) encryption and dynamic keys using 802.1X.

Note: This parameter requires the ACR license. For further information on Suite-B encryption, see “Configuring an SSID for Suite-B Cryptography”.

DTIM Interval

Specifies the interval, in milliseconds, between the sending of Delivery Traffic Indication Messages (DTIMs) in the beacon. This is the maximum number of beacon cycles before unacknowledged network broadcasts are flushed. When using wireless clients that employ power management features to sleep, the client must revive at least once during the DTIM period to receive broadcasts.

Station Ageout Time

Time, in seconds, that a client is allowed to remain idle before being aged out.

802.11g Transmit Rates

Select the set of 802.11b/g rates at which the AP is allowed to send data. The actual transmit rate depends on what the client is able to handle, based on information sent at the time of association and on the current error/loss rate of the client.

802.11g Basic Rates

Select the set of supported 802.11b/g rates that are advertised in beacon frames and probe responses.

802.11a Transmit Rates

Select the set of 802.11a rates at which the AP is allowed to send data. The actual transmit rate depends on what the client is able to handle, based on information sent at the time of association and on the current error/loss rate of the client.

802.11a Basic Rates

Select the set of supported 802.11a rates, in Mbps, that are advertised in beacon frames and probe responses.

Max Transmit Attempts

Maximum number of retries allowed for the AP to send a frame.

RTS Threshold

Wireless clients transmitting frames larger than this threshold must issue Request to Send (RTS) and wait for the AP to respond with Clear to Send (CTS). This helps prevent mid-air collisions for wireless clients that are not within wireless peer range and cannot detect when other wireless clients are transmitting.

The default value is 2333 bytes.

Short Preamble

Click this checkbox to enable or disable a short preamble for 802.11b/g radios. Network performance may be higher when short preamble is enabled. In mixed radio environments, some 802.11b wireless client stations may experience difficulty associating with the AP using short preamble. To use only long preamble, disable short preamble. Legacy client devices that use only long preamble generally can be updated to support short preamble.

Max Associations

Maximum number of wireless clients for the AP.

The supported range is 0-256 clients.

Wireless Multimedia (WMM)

Enables or disables WMM, also known as IEEE 802.11e Enhanced Distribution Coordination Function (EDCF). WMM provides prioritization of specific traffic relative to other traffic in the network.

Wireless Multimedia U-APSD (WMM-UAPSD) Powersave

Enable Wireless Multimedia (WMM) UAPSD powersave.

 

WMM TSPEC Min Inactivity Interval

Specify the minimum inactivity time-out threshold of WMM traffic. This setting is useful in environments where low inactivity interval time-outs are advertised, which may cause unwanted timeouts.

The supported range is 0-3,600,000 milliseconds, and the default value is 0 milliseconds.

Override DSCP mappings for WMM clients

Override the default DSCP mappings in the SSID profile with the ToS value. This setting is useful when you want to set a non-default ToS value for a specific traffic.

DSCP mapping for WMM voice AC

DSCP used to map WMM voice traffic.

The supported range is 0-255, and the default is 56.

DSCP mapping for WMM video AC

Select the DSCP used to map WMM video traffic.

The supported range is 0-255, and the default is 40.

DSCP mapping for WMM best-effort AC

Select the DSCP value used to map WMM best-effort traffic.

The supported range is 0-255, and the default is 24.

DSCP mapping for WMM background AC

Select the DSCP used to map WMM background traffic.

The supported range is 0-255, and the default is 8.

Hide SSID

Select this checkbox to enable or disable the hiding of the SSID name in beacon frames. Note that hiding the SSID does very little to increase security.

Deny_Broadcast Probes

When a client sends a broadcast probe request frame to search for all available SSIDs, this option controls whether or not the system responds for this SSID. When enabled, no response is sent and clients have to know the SSID in order to associate to the SSID. When disabled, a probe response frame is sent for this SSID.

Local Probe Request Threshold (dB)

Enter the SNR threshold below which incoming probe requests will get ignored. The supported range of values is 0-100 dB. A value of 0 disables this feature.

Disable Probe Retry

Click this checkbox to enable or disable battery MAC-level retries for probe response frames. By default this parameter is enabled, which means that MAC-level retries for probe response frames are disabled.

Battery Boost

Converts multicast traffic to unicast before delivery to the client, thus allowing you to set a longer DTIM interval. The longer interval keeps associated wireless clients from activating their radios for multicast indication and delivery, leaving them in power-save mode longer and thus lengthening battery life.

This parameter requires the PEFNG license.

WEP Key 1

First static WEP key associated with the key index. Can be 10 or 26 hex characters in length.

WEP Key 2

Second static WEP key associated with the key index. Can be 10 or 26 hex characters in length.

WEP Key 3

Third Static WEP key associated with the key index. Can be 10 or 26 hex characters in length.

WEP Key 4

Fourth Static WEP key associated with the key index. Can be 10 or 26 hex characters in length.

WEP Transmit Key Index

Key index that specifies which static WEP key is to be used. Can be 1, 2, 3, or 4.

WPA Hexkey

WPA pre-shared key (PSK).

   WPA Passphrase

WPA passphrase with which to generate a pre-shared key (PSK).

Maximum Transmit Failures

Maximum transmission failures allowed before the client gives up.

BC/MC Rate Optimization

Click this checkbox to enable or disable scanning of all active stations currently associated to an AP to select the lowest transmission rate for broadcast and multicast frames. This option only applies to broadcast and multicast data frames; 802.11 management frames are transmitted at the lowest configured rate.

Note: Do not enable this parameter unless instructed to do so by your Aruba technical support representative.

Strict Spectralink Voice Protocol (SVP)

Click this checkbox to enable Strict Spectralink Voice Protocol (SVP).

802.11g Beacon Rate

Click this drop-down list to select the beacon rate for 802.11g (use for Distributed Antenna System (DAS) only). Using this parameter in normal operation may cause connectivity problems.

802.11a Beacon Rate

Click this drop-down list to select the beacon rate for 802.11a (use for Distributed Antenna System (DAS) only). Using this parameter in normal operation may cause connectivity problems.

Advertise QBSS Load IE

Click this checkbox to enable the AP to advertise the QBSS load element. The element includes the following parameters that provide information on the traffic situation:

  • Station count: The total number of stations associated to the QBSS.

  • Channel utilization: The percentage of time (normalized to 255) the channel is sensed to be busy. The access point uses either the physical or the virtual carrier sense mechanism to sense a busy channel.

  • Available admission capacity: The remaining amount of medium time (measured as number of 32us/s) available for a station via explicit admission control.

The QAP uses these parameters to decide whether to accept an admission control request. A wireless station uses these parameters to choose the appropriate access points.

Note: Ensure that WMM is enabled for legacy APs to advertise the QBSS load element. For 802.11n APs, ensure that either WMM or high throughput is enabled.

In the CLI

wlan ssid-profile SSIDprofile

   essid Corpnet

   opmode wpa2-aes

wlan virtual-ap corpnet

   ssid-profile SSIDprofile

ap-group default

   virtual-ap corpnet
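The Keys, WPA Hexkey and WPA Passphrase parameters above accept either a 64-character hex key or an 8-63 character passphrase from which the PSK is generated. The following added example (not Aruba code) validates both formats and shows the standard WPA/WPA2 passphrase-to-PSK mapping, PBKDF2-HMAC-SHA1 salted with the ESSID. The function names, the 20-character review threshold and the other audit rules are assumptions made for illustration.

```python
import hashlib
import re

# A hex key is exactly 64 hex digits (256 bits). A passphrase tops out at 63
# characters, so the two formats can never be confused with each other.
HEX_KEY_RE = re.compile(r"[0-9a-fA-F]{64}")


def classify_key(value):
    """Return 'hex' or 'passphrase' for a valid PSK entry, else raise ValueError."""
    if HEX_KEY_RE.fullmatch(value):
        return "hex"
    if 8 <= len(value) <= 63 and all(32 <= ord(c) <= 126 for c in value):
        return "passphrase"
    raise ValueError("need a 64-character hex key or an 8-63 character ASCII passphrase")


def derive_psk(passphrase, essid):
    """Map a passphrase to the 256-bit PSK: PBKDF2-HMAC-SHA1, 4096 rounds, ESSID as salt."""
    if classify_key(passphrase) != "passphrase":
        raise ValueError("not a passphrase")
    salt = essid.encode("utf-8")
    if not 1 <= len(salt) <= 31:  # 31-character ESSID limit stated in Table 30
        raise ValueError("ESSID must be 1-31 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)


def psk_material(value, essid):
    """Return the 32-byte PSK for either entry format."""
    if classify_key(value) == "hex":
        return bytes.fromhex(value)
    return derive_psk(value, essid)


def audit_passphrase(passphrase, essid, min_len=20):
    """Flag passphrases that are cheap to guess offline.

    The ESSID is broadcast and is the only salt, so the passphrase carries all
    of the secrecy. min_len=20 and the rules below are assumed review policy.
    """
    findings = []
    if len(passphrase) < min_len:
        findings.append("short")
    if essid.lower() in passphrase.lower():
        findings.append("contains-essid")
    classes = sum(
        bool(re.search(pattern, passphrase))
        for pattern in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]")
    )
    if classes < 2:
        findings.append("single-class")
    return findings


if __name__ == "__main__":
    # Constructed sample values; "Corpnet" is the ESSID used on this page.
    print(derive_psk("correct horse battery staple", "Corpnet").hex())
    print(audit_passphrase("corpnet2024", "Corpnet"))
```

Because the same passphrase yields a different PSK on every ESSID, a hex key copied from one SSID profile does not match the passphrase on a profile with a different network name.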

Configuring an SSID for Suite-B Cryptography

Suite-B AES-128-GCM and AES-256-GCM encryption is supported by the ArubaOS hardware, and requires the ACR license. Note, however, that not all controllers support Suite-B encryption. The table below describes the controller support for Suite-B encryption in ArubaOS.

Controller    | Serial Number Prefix         | ACR License Support
600 Series    | All serial numbers supported | Yes
3000 Series   | AK                           | Yes
3000 Series   | A                            | No
M3 card       | FC                           | Yes
M3 card       | F                            | No

To determine the serial number prefix for your controller, issue the CLI command show inventory and note the prefix before the system serial number. The serial number prefix in the example below appears in bold.

(host) #show inventory

Supervisor Card slot            : 0

System Serial#                  : AK0093676

SC      Assembly#               : 2010052B (Rev:02.01)

SC      Serial#                 : F01629529 (Date:03/29/10)

SC      Model#                  : 3600-US

 

Guest WLAN

To configure Guest WLAN, the following basic steps are required.

  • Configure the VLAN for guest users.

  • Configure the guest role which only allows HTTP and HTTPS traffic from 9:00 a.m. to 5 p.m. on weekdays.

  • Create and configure the virtual AP profile guest for the AP named “building3-lobby”:

      – Create a new virtual AP profile guest.

      – Select the predefined AAA profile default-open.

      – Create a new SSID profile guest to configure “Guest” for the SSID name and open system for the authentication.

The following sections describe how to do this using the WebUI and the CLI.

Configuring the VLAN

In this example, users on the “Corpnet” WLAN are placed into VLAN 1, which is the default VLAN configured on the controller. For guest users, you need to create another VLAN and assign the VLAN interface an IP address.

In the WebUI

1.    Navigate to the Configuration > Network > VLANs page.

2.    Click Add to add a VLAN. Enter 2 in the VLAN ID, and click Apply.

3.    To assign an IP address and netmask to the VLAN you just created, navigate to the Configuration > Network > IP > IP Interfaces page. Click Edit for VLAN 2. Enter an IP address and netmask for the VLAN interface, and then click Apply.

In the CLI

vlan 2

interface vlan 2

   ip address <address> <netmask>

Configuring the Guest Role

The guest role allows web (HTTP and HTTPS) access only during normal business hours (9:00 a.m. to 5:00 p.m. Monday through Friday).

In the WebUI

1.    Navigate to the Configuration > Security > Access Control > Time Ranges page.

2.    Click Add. Enter a name, such as “workhours”. Select Periodic. Click Add. Under Add Periodic Rule, select Weekday. For Start Time, enter 9:00. For End Time, enter 17:00. Click Done. Click Apply.

3.    Select the Policies tab. Click Add. Enter a policy name, such as “restricted”. From the Policy Type drop-down list, select Session.

4.    Click Add.

5.    (Optional) By default, firewall policies apply to IPv4 clients only. To configure a firewall policy for IPv6 clients, click the IP Version drop-down list and select IPv6.

6.    Click the Service drop-down list, select service, then select svc-http.

7.    Click the Time Range drop-down list and select the time range you previously configured.

8.    Click Add.

9.    Repeat steps 4-8 to add another rule for the svc-https service. Click Apply.

10. Select the User Roles tab. Click Add. Enter guest for Role Name. Under Firewall Policies, click Add. Select Choose from Configured Policies and select the policy you previously configured. Click Done.

11. Click Apply.

In the CLI

time-range workhours periodic
   weekday 09:00 to 17:00

ip access-list session restricted

   any any svc-http permit time-range workhours

   any any svc-https permit time-range workhours

user-role guest

   session-acl restricted

Configuring the Guest Virtual AP

In this example, you apply the guest virtual AP profile to a specific AP.

Best practices are to assign a unique name to each virtual AP, SSID, and AAA profile that you modify. In this example, you use the name guest to identify the virtual AP and SSID profiles.

In the WebUI

1.    Navigate to Configuration > Wireless > AP Configuration > AP Specific page.

2.    Click New. Either enter the AP name or select an AP from the list of discovered APs. Click Add. The AP name appears in the list.

3.    Click Edit by the AP name to display the profiles that you can configure for the AP.

4.    Expand the Wireless LAN profile menu.

5.    Select Virtual AP.

a.    Click the Add a profile drop down list in the Profile Details window and select NEW.

b.    Enter guest, and click Add.

c.    Click Apply.

6.    Click the guest virtual AP to display profile details.

a.    Make sure Virtual AP Enable is selected.

b.    Select 2 for the VLAN.

c.    Click Apply.

7.    Under Profiles, select the AAA profile under the guest virtual AP profile.

a.    In the Profile Details, select default-open from the AAA Profile drop-down list.

b.    Click Apply.

8.    Under Profiles, select the SSID profile under the guest virtual AP profile.

a.    Select NEW from the SSID Profile drop-down menu.

b.    Enter guest.

c.    In the Profile Details, enter Guest for the Network Name.

d.    Select None for Network Authentication and Open for Encryption.

e.    Click Apply.

In the CLI

wlan ssid-profile guest

   opmode opensystem

wlan virtual-ap guest

   vap-enable

   vlan 2

   deny-time-range workhours

   ssid-profile guest

   aaa-profile default-open

ap-name building3-lobby

   virtual-ap guest
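The guest and Corpnet configurations above depend on two things a reviewer can check mechanically: which opmode each virtual AP ends up with, and whether an open SSID is kept on its own VLAN. The following added example (not part of the Aruba guide or ArubaOS) parses configuration text in the indented form shown on this page and reports both. The opmode grouping into ok/legacy/weak/open and the finding names are assumed review policy, and the "scanners" profile is a constructed sample.

```python
import shlex

# opmode values from Table 31, grouped by an assumed review policy.
OPMODE_CLASS = {
    "opensystem": "open",
    "static-wep": "weak", "dynamic-wep": "weak",
    "wpa-tkip": "legacy", "wpa-aes": "legacy", "wpa-psk-tkip": "legacy",
    "wpa-psk-aes": "legacy", "wpa2-tkip": "legacy", "wpa2-psk-tkip": "legacy",
    "wpa2-aes": "ok", "wpa2-psk-aes": "ok", "xSec": "ok",
    "wpa2-aes-gcm-128": "ok", "wpa2-aes-gcm-256": "ok",
}

# Built from the Corpnet and guest CLI examples on this page.
SAMPLE_CONFIG = """\
wlan ssid-profile SSIDprofile
   essid Corpnet
   opmode wpa2-aes
wlan virtual-ap corpnet
   vlan 1
   aaa-profile corpnet
   ssid-profile SSIDprofile
ap-group default
   virtual-ap corpnet
wlan ssid-profile guest
   opmode opensystem
wlan virtual-ap guest
   vap-enable
   vlan 2
   ssid-profile guest
   aaa-profile default-open
ap-name building3-lobby
   virtual-ap guest
"""


def parse_config(text):
    """Return {(stanza kind, name): {sub-command: [argument lists]}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        tokens = shlex.split(line)  # also handles quoted profile names
        if raw[0].isspace():
            if current is not None:
                current.setdefault(tokens[0], []).append(tokens[1:])
        else:
            current = stanzas.setdefault((" ".join(tokens[:-1]), tokens[-1]), {})
    return stanzas


def first_arg(body, key):
    """First argument of the first occurrence of a sub-command, or None."""
    values = body.get(key)
    return values[0][0] if values and values[0] else None


def lint(stanzas):
    """Return (virtual AP, finding) tuples for a parsed configuration."""
    ssids = {n: b for (k, n), b in stanzas.items() if k == "wlan ssid-profile"}
    vaps = {n: b for (k, n), b in stanzas.items() if k == "wlan virtual-ap"}
    attached = set()
    for (kind, _), body in stanzas.items():
        if kind in ("ap-group", "ap-name"):
            attached.update(args[0] for args in body.get("virtual-ap", []) if args)

    findings, by_vlan = [], {}
    for name, body in vaps.items():
        opmode = first_arg(ssids.get(first_arg(body, "ssid-profile"), {}), "opmode")
        # No explicit opmode in the text: report it rather than guess a default.
        cls = "unresolved" if opmode is None else OPMODE_CLASS.get(opmode, "unknown")
        if cls != "ok":
            findings.append((name, "opmode-" + cls))
        if name not in attached:
            findings.append((name, "unattached"))
        by_vlan.setdefault(first_arg(body, "vlan"), []).append((name, cls))

    # An open or WEP SSID must not land on the VLAN of a protected SSID.
    for vlan, members in by_vlan.items():
        exposed = [n for n, c in members if c in ("open", "weak")]
        protected = [n for n, c in members if c == "ok"]
        if vlan is not None and exposed and protected:
            for n in exposed:
                findings.append((n, "shares-vlan-%s-with-%s" % (vlan, ",".join(protected))))
    return findings


if __name__ == "__main__":
    for finding in lint(parse_config(SAMPLE_CONFIG)):
        print(finding)
```

On the page's own configuration the only finding is the intentionally open guest SSID; moving the guest virtual AP to VLAN 1 adds a shared-VLAN finding against corpnet.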

Enable 802.11k Support

The 802.11k protocol provides mechanisms for APs and clients to dynamically measure the available radio resources. In an 802.11k enabled network, APs and clients can send neighbor reports, beacon reports, and link measurement reports to each other. This allows the APs and clients to take appropriate connection actions. The following procedure outlines the steps to configure 802.11k parameters.

In the WebUI

1.    Navigate to the Configuration > Wireless > AP Configuration window. Select either the AP Group or AP Specific tab.

  • If you selected the AP Group tab, click the Edit button by the AP group name for which you want to configure the new 802.11K profile.

  • If you selected the AP Specific tab, click the Edit button by the AP for which you want to create the 802.11K profile.

2.    In the Profiles list, expand the Wireless LAN menu, then expand the Virtual AP menu.

3.    Select the Virtual AP profile for which you want to configure 802.11k settings.

To edit an existing 802.11k profile, click the 802.11K Profile drop-down list in the Profile Details window pane and select the 802.11k profile you want to edit.

   or

To create a new 802.11k Profile, click the 802.11K Profile drop-down list and select New. Enter a new 802.11k profile name in the field to the right of the drop-down list.

You cannot use spaces in profile names.

4.    Configure your 802.11k radio settings. Table 32 outlines the parameters you can configure in the 802.11k profile. Click Apply to save your settings.

Table 32  802.11k Profile Parameters

Parameter

Description

Advertise 802.11K Capability

Select this option to allow Virtual APs using this profile to advertise 802.11K capability.

Default: Disabled

Forcefully disassociate on-hook voice clients

Select this option to allow the AP to forcefully disassociate on-hook voice clients (clients that are not on a call) after period of inactivity. Without the forced disassociation feature, if an AP has reached its call admission control limits and an on-hook voice client wants to start a new call, that client may be denied. If forced disassociation is enabled, those clients can associate to a neighboring AP that can fulfill their QoS requirements.

Default: Disabled

Measurement Mode for Beacon Reports

Click the Measurement Mode for Beacon Reports drop-down list and specify one of the following measurement modes:

  • active—Enables active beacon measurement mode. In this mode, the client sends a probe request to the broadcast destination address on all supported channels, sets a measurement duration timer, and, at the end of the measurement duration, compiles all received beacons or probe response with the requested SSID and BSSID into a measurement report.

  • beacon-table—Enables beacon-table beacon measurement mode. In this mode, the client measures beacons and returns a report with stored beacon information for any supported channel with the requested SSID and BSSID. The client does not perform any additional measurements.

  • passive—Enables passive beacon measurement mode. In this mode, the client sets a measurement duration timer, and, at the end of the measurement duration, compiles all received beacons or probe response with the requested SSID and BSSID into a measurement report.

Note: If a station doesn't support the selected measurement mode, it returns a Beacon Measurement Report with the Incapable bit set in the Measurement Report Mode field.

Default Mode: beacon-table

 

In the CLI

Use the following command to configure 802.11k profiles. The available parameters for this profile are described in Table 32.

wlan dot11k-profile <profile>
   bcn-measurement-mode {active|beacon-table|passive}
   clone <profile>
   dot11k-enable
   force-disassoc

Example Configuration

The example below follows the suggested order of steps to configure a virtual AP using the command-line interface.

vlan 60
!
ip access-list session THR-POLICY-NAME-WPA2
   user any any permit
!
user-role THR-ROLE-NAME-WPA2
   session-acl THR-POLICY-NAME-WPA2
!
aaa authentication dot1x "THR-DOT1X-AUTH-PROFILE-WPA2"
   termination enable
!
aaa server-group "THR-DOT1X-SERVER-GROUP-WPA2"
   auth-server Internal
!
aaa profile "THR-AAA-PROFILE-WPA2"
   authentication-dot1x "THR-DOT1X-AUTH-PROFILE-WPA2"
   dot1x-default-role "THR-ROLE-NAME-WPA2"
   dot1x-server-group "THR-DOT1X-SERVER-GROUP-WPA2"
!
wlan ssid-profile "THR-SSID-PROFILE-WPA2"
   essid "THR-WPA2"
   opmode wpa2-aes
!
wlan virtual-ap "THR-VIRTUAL-AP-PROFILE-WPA2"
   ssid-profile "THR-SSID-PROFILE-WPA2"
   aaa-profile "THR-AAA-PROFILE-WPA2"
   vlan 60
!
ap system-profile "THR-AP-SYSTEM-PROFILE"
   lms-ip 1.1.1.1
   bkup-lms-ip 2.2.2.2
!
ap-group "THRHQ1-STANDARD"
   virtual-ap "THR-VIRTUAL-AP-PROFILE-WPA2"
   ap-system-profile "THR-AP-SYSTEM-PROFILE"

Configuring a High-Throughput Virtual AP

With the implementation of the IEEE 802.11n standard, high-throughput can be configured to operate on the 5 GHz and/or 2.4 GHz frequency band.

For high-throughput to function on a virtual AP profile for the assigned AP group or specific AP, high-throughput must be enabled within the assigned ht-ssid-profile and the radio-profile(s) for the desired frequency band(s).

By default, high-throughput is enabled; however, the examples in this section guide you through manually creating profiles and enabling high-throughput on the 5 GHz and 2.4 GHz frequency bands to ensure proper functionality of a virtual AP profile named “ht-vap-corpnet” assigned to an existing AP group named “ht-corpnet-aps.”

For an example of 20 MHz channel versus 40 MHz channel pair configuration, see “20 MHz and 40 MHz Static Channel Assignments” .

This example includes the following tasks:

  • Create two high-throughput radio profiles named “ht-radioa-corpnet” and “ht-radiog-corpnet.”

  • Create and configure a 5 GHz radio profile named “ht-corpnet-a” and assign the high-throughput radio profile named “ht-radioa-corpnet.”

  • Create and configure a 2.4 GHz radio profile named “ht-corpnet-g” and assign the high-throughput radio profile named “ht-radiog-corpnet.”

  • Create and configure a high-throughput SSID profile named “ht-ssid-corpnet.”

  • Create an SSID profile named “ht-corpnet” and assign the high-throughput SSID profile named “ht-ssid-corpnet.”

  • Create a virtual AP profile named “ht-vap-corpnet” and assign the SSID profile named “ht-corpnet.”

  • Assign the required profiles to an existing AP group named “ht-corpnet-ap.”

The following procedures are presented for the WebUI and the CLI.

In the WebUI

1.    Navigate to Configuration > Wireless > AP Configuration > AP Group page.

2.    Click Edit for the AP group ht-corpnet-ap.

3.    Under the Profiles list, select RF Management to display the radio profiles.

4.    Select the 802.11a radio profile.

This radio profile represents activity on the 5 GHz frequency band. Since the high-throughput IEEE 802.11n standard operates on the 5 GHz and/or 2.4 GHz frequency band, high-throughput can be enabled on 802.11a or 802.11g radio profiles.

a.    Select New from the 802.11a radio profile drop-down menu.

b.    Enter ht-corpnet-a for the 802.11a radio profile name.

c.    Select (check) the High Throughput enable (radio) checkbox to enable high-throughput. By default, this is enabled (checked).

d.    Click Apply.

5.    Select the High-throughput Radio Profile under the 802.11a radio profile.

a.    Select New from the High-throughput Radio Profile drop-down menu.

b.    Enter ht-radioa-corpnet for the high-throughput radio profile name.

c.    Configure the high-throughput radio settings (see Table 33 for details) and click Apply.

Table 33  High-Throughput Radio Profile Configuration Parameters

Parameter

Description

40MHz intolerance

This parameter controls whether or not APs using this radio profile will advertise intolerance of 40 MHz operation. By default, this option is disabled, and 40 MHz operation is allowed. If you do not want to use 40 MHz operation, select the 40MHz intolerance checkbox to enable this feature.

honor 40MHz intolerance

When enabled, the radio will stop using the 40 MHz channels if the 40 MHz intolerance indication is received from another AP or station. Uncheck the Honor 40 MHz intolerance checkbox to disable this feature.

Default: Enabled

Legacy station workaround

Select this option to enable interoperability for misbehaving legacy stations. This option is disabled by default, and should only be enabled under the supervision of Aruba technical support.

6.    Select the 802.11g radio profile.

This radio profile represents activity on the 2.4 GHz frequency band. Since the high-throughput IEEE 802.11n standard operates on the 5 GHz and/or 2.4 GHz frequency band, high-throughput can be enabled on 802.11a or 802.11g radio profiles.

 

a.    Select New from the 802.11g radio profile drop-down menu.

b.    Enter ht-corpnet-g for the 802.11g radio profile name.

c.    Select (check) the High Throughput enable (radio) checkbox to enable high-throughput. By default, this is enabled (checked).

d.    Click Apply.

7.    Select the High-throughput Radio Profile under the 802.11g radio profile.

a.    Select New from the High-throughput Radio Profile drop-down menu.

b.    Enter ht-radiog-corpnet for the high-throughput radio profile name.

c.    Configure the high-throughput radio settings (see Table 33 for details) and click Apply.

8.    Select Wireless LAN, under the Profiles list, to reveal the WLAN profiles.

9.    Select the Virtual AP profile.

a.    Select New from the Add a Profile drop-down menu.

b.    Enter ht-vap-corpnet for the virtual AP profile name.

c.    Click Add.

d.    Select New from the SSID Profile drop-down menu associated with the “ht-vap-corpnet” virtual AP profile. The SSID Profile dialog box appears.

e.    Enter ht-corpnet for the SSID profile name.

f.    Click Apply to create the SSID profile and return to the virtual AP profile page.

g.    Click Apply on the virtual AP profile page.

10. Select the ht-vap-corpnet virtual AP profile.

a.    Select all from the Allowed band drop-down menu.

b.    Click Apply.

11. Select the SSID profile ht-corpnet. The High-throughput SSID profile option will appear below ht-corpnet in the profiles list.

12. Select the High-throughput SSID Profile.

a.    Select New from the High-throughput SSID Profile drop-down menu.

b.    Enter ht-ssid-corpnet for the high-throughput SSID profile name.

c.    Configure the high-throughput SSID profile settings (see Table 34 for details) and click Apply to assign it to the SSID profile.

Table 34  High-Throughput SSID Profile Parameters

 

 

High throughput enable (SSID)

Enable or disable high-throughput (802.11n) features on this SSID. This parameter is enabled by default.

40 MHz channel usage

Enable or disable the use of 40 MHz channels. This parameter is enabled by default.

Low-density Parity Check

If enabled, the AP will advertise Low-density Parity Check (LDPC) support. LDPC improves data transmission over radio channels with high levels of background noise.

MPDU Aggregation

Enable or disable MAC protocol data unit (MPDU) aggregation.

High-throughput mesh APs are able to send aggregated MAC protocol data units (MPDUs), which allow an AP to receive a single block acknowledgment instead of multiple ACK signals. This option, which is enabled by default, reduces network traffic overhead by effectively eliminating the need to initiate a new transfer for every MPDU.

Max transmitted A-MPDU size

Maximum size of a transmitted aggregate MPDU, in bytes.

Range: 1576–65535

Max received A-MPDU size

Maximum size of a received aggregate MPDU, in bytes. Allowed values: 8191, 16383, 32767, 65535.

Min MPDU start spacing

Minimum time between the start of adjacent MPDUs within an aggregate MPDU, in microseconds. Allowed values: 0 (No restriction on MPDU start spacing), .25 µsec, .5 µsec, 1 µsec, 2 µsec, 4 µsec.

Supported MCS set

A list of Modulation Coding Scheme (MCS) values or ranges of values to be supported on this SSID. The MCS you choose determines the channel width (20MHz vs. 40MHz) and the number of spatial streams used by the mesh node.

The default value is 1–15; the complete set of supported values. To specify a smaller range of values, enter a hyphen between the lower and upper values. To specify a series of different values, separate each value with a comma.

Examples:

2–10

1,3,6,9,12

Range: 0–15.

Short guard interval in 20 MHz mode

Enable or disable use of short (400ns) guard interval in 20 MHz mode. This parameter is enabled by default.

A guard interval is a period of time between transmissions that allows reflections from the previous data transmission to settle before an AP transmits data again. An AP identifies any signal content received inside this interval as unwanted inter-symbol interference, and rejects that data. The 802.11n standard specifies two guard intervals: 400ns (short) and 800ns (long). Enabling a short guard interval can decrease network overhead by reducing unnecessary idle time on each AP. Some outdoor deployments may, however, require a longer guard interval. If the short guard interval does not allow enough time for reflections to settle in your mesh deployment, inter-symbol interference values may increase and degrade throughput.

Short guard interval in 40 MHz mode

Enable or disable use of short (400ns) guard interval in 40 MHz mode. This parameter is enabled by default.

A guard interval is a period of time between transmissions that allows reflections from the previous data transmission to settle before an AP transmits data again. An AP identifies any signal content received inside this interval as unwanted inter-symbol interference, and rejects that data. The 802.11n standard specifies two guard intervals: 400ns (short) and 800ns (long). Enabling a short guard interval can decrease network overhead by reducing unnecessary idle time on each AP. Some outdoor deployments may, however, require a longer guard interval. If the short guard interval does not allow enough time for reflections to settle in your mesh deployment, inter-symbol interference values may increase and degrade throughput.

Maximum number of spatial streams usable for STBC reception

Controls the maximum number of spatial streams usable for STBC reception. 0 disables STBC reception, 1 uses STBC for MCS 0-7. Higher MCS values are not supported. (Supported on the AP-90 series, AP-130 Series, AP-68, AP-175 and AP-105 only. The configured value will be adjusted based on AP capabilities.)

Maximum number of spatial streams usable for STBC transmission

Controls the maximum number of spatial streams usable for STBC transmission. 0 disables STBC transmission, 1 uses STBC for MCS 0-7. Higher MCS values are not supported. (Supported on AP-90 series, AP-175, AP-130 Series and AP-105 only. The configured value will be adjusted based on AP capabilities.)

Legacy stations

Allow or disallow associations from legacy (non-HT) stations. By default, this parameter is enabled (legacy stations are allowed).

In the CLI

rf ht-radio-profile ht-radioa-corpnet

rf ht-radio-profile ht-radiog-corpnet

rf dot11a-radio-profile ht-corpnet-a
   high-throughput-enable
   ht-radio-profile ht-radioa-corpnet

rf dot11g-radio-profile ht-corpnet-g
   high-throughput-enable
   ht-radio-profile ht-radiog-corpnet

wlan ht-ssid-profile ht-ssid-corpnet
   high-throughput-enable

wlan ssid-profile ht-corpnet
   ht-ssid-profile ht-ssid-corpnet

wlan virtual-ap ht-vap-corpnet
   allowed-bands all
   ssid-profile ht-corpnet

ap-group ht-corpnet-ap
   dot11a-radio-profile ht-corpnet-a
   dot11g-radio-profile ht-corpnet-g
   virtual-ap ht-vap-corpnet

Managing High-Throughput Profiles

Use the following commands to create a high-throughput radio profile or edit an existing profile. For details, see Table 33.

rf ht-radio-profile <profile>
   40MHz-intolerance
   clone <profile>
   honor-40MHz-intolerance
   no
   single-chain-legacy

Use the following commands to create a high-throughput SSID profile or edit an existing profile. For details, see Table 34.

wlan ht-ssid-profile <profile>
   40MHz-enable
   clone <profile>
   high-throughput-enable
   ldpc
   legacy-stations
   max-rx-a-mpdu-size {8191|16383|32767|65535}
   max-tx-a-mpdu-size <bytes>
   min-mpdu-start-spacing {0|.25|.5|1|2|4|8|16}
   mpdu-agg
   no...
   short-guard-intvl-20MHz
   short-guard-intvl-40MHz
   STBC-rx-streams
   STBC-tx-streams
   supported-mcs-set <mcs-list>

 

Note: This release has not been updated since the release of the PDF.



