Вы находитесь на странице: 1из 622

AEROHIVE CERTIFIED NETWORKING

PROFESSIONAL (ACNP)

© 2013 Aerohive Networks CONFIDENTIAL 1


Introductions

•What is your name?


•What is your organizations name?
•How long have you worked in
networking?
•What was your 1st computer?

© 2013 Aerohive Networks CONFIDENTIAL 2


Facilities Discussion

• Course Material
Distribution
• Course Times
• Restrooms
• Break room
• Smoking Area
• Break Schedule
› Morning Break
› Lunch Break
› Afternoon Break

© 2013 Aerohive Networks CONFIDENTIAL 3


Aerohive Switching & Routing
Configuration (ACNP) – Course Overview

Each student connects to HiveManager, a remote PC, and a Aerohive AP


over the Internet from their wireless enabled laptop in the classroom, and then
performs hands on labs the cover the following topics:

• Overview of Switching and Routing Platforms


• Unified Network Policy Management
• Spanning Tree
• Device Templates
• Port Types (802.1Q Ports, Phone and Data Ports, Secure Access Ports, Guest
Access Ports and WAN ports)
• Aggregate Channels
• PoE
• VLAN to Network mapping
• Router templates
• Parent networks and branch subnets
• Layer 3 VPN with VPN Gateway Virtual Appliance
• Policy Based Routing
• Router Firewall
• Cookie Cutter Branch Networking
2 Day Hands on Class
© 2013 Aerohive Networks CONFIDENTIAL 4
Aerohive Training Remote Lab

Aerohive Access Points using external


antenna connections and RF cables to
connect to USB Wi-Fi client cards
(Black cables)

Access Points are connected from eth0 to


Aerohive Managed Switches with 802.1Q
VLAN trunk support providing PoE to the APs
(Yellow cables)
Access Points are connected from their
console port to a console server
(White Cables)
Console server to permit SSH access into the
serial console of Aerohive Access Points
Firewall with routing support, NAT, and
multiple Virtual Router Instances
Server running VMware ESXi running Active
Directory, RADIUS, NPS and hosting the
virtual clients used for testing configurations
to support the labs
© 2013 Aerohive Networks CONFIDENTIAL 5
Copyright ©2011
Aerohive CBT Learning

http://www.aerohive.com/cbt

© 2013 Aerohive Networks CONFIDENTIAL 6


The 20 Minute Getting Started Video
Explains the Details

Please view the Aerohive Getting Started Videos:


http://www.aerohive.com/330000/docs/help/english/cbt/Start
.htm

© 2013 Aerohive Networks CONFIDENTIAL 7


Aerohive Technical Documentation

All the latest technical documentation is available for


download at:

http://www.aerohive.com/techdocs

© 2013 Aerohive Networks CONFIDENTIAL 8


Aerohive Instructor Led Training

• Aerohive Education Services offers a complete curriculum that provides


you with the courses you will need as a customer or partner to properly
design, deploy, administer, and troubleshoot all Aerohive WLAN solutions.
• Aerohive Certified WLAN Administrator (ACWA) – First-level course
• Aerohive Cerified WLAN Professional (ACWP) – Second-level course
• Aerohive Certified Network Professional (ACNP) – Switching/Routing course
• www.aerohive.com/training – Aerohive Class Schedule

© 2013 Aerohive Networks CONFIDENTIAL 9


Over 20 books about networking have been written
by Aerohive Employees

CWNA Certified Wireless Network Administrator


Official Study Guide by David D. Coleman and David
A. Westcott

CWSP Certified Wireless Security Professional


Official Study Guide by David D. Coleman, David A.
Westcott, Bryan E. Harkins and Shawn M.
Jackman
CWAP Certified Wireless Analysis Professional Official
Study Guide by David D. Coleman, David A. Westcott,
Ben Miller and Peter MacKenzie

802.11 Wireless Networks: The Definitive Guide,


Second Edition by Matthew Gast
802.11n: A Survival Guide by Matthew Gast
802.11ac: A Survival Guide by Matthew Gast

Over 20 books about networking have


Aerohive
been written by Aerohive Employees
Employees
© 2013 Aerohive Networks CONFIDENTIAL 10
Aerohive Exams and Certifications

• Aerohive Certified Wireless Administrator


(ACWA) is a first- level certification that
validates your knowledge and
understanding about Aerohive Network’s
WLAN Cooperative Control Architecture.
(Based upon Instructor Led Course)
• Aerohive Certified Wireless Professional
(ACWP) is the second-level certification
that validates your knowledge and
understanding about Aerohive
advanced configuration and
troubleshooting. (Based upon Instructor
Led Course)
• Aerohive Certified Network Professional
(ACNP) is another second-level
certification that validates your
knowledge about Aerohive switching
and branch routing. (Based upon
Instructor Led Course)
© 2013 Aerohive Networks CONFIDENTIAL 11
Aerohive Forums

• Aerohive’s online community – HiveNation


Have a question, an idea or praise you want to share? Join the HiveNation
Community - a place where customers, evaluators, thought leaders and students
like yourselves can learn about Aerohive and our products while engaging with
like-minded individuals.

• Please, take a moment and register during class if you are not already a
member of HiveNation.
Go to http://community.aerohive.com/aerohive and sign up!

© 2013 Aerohive Networks CONFIDENTIAL 12


Aerohive Social Media
The HiveMind Blog:
http://blogs.aerohive.com

Follow us on Twitter: @Aerohive


Instructor: David Coleman: @mistermultipath
Instructor: Bryan Harkins: @80211University
Instructor: Gregor Vucajnk: @GregorVucajnk
Instructor: Metka Dragos: @MetkaDragos

Please feel free to tweet about #Aerohive training


during class.

© 2013 Aerohive Networks CONFIDENTIAL 13


Aerohive Technical Support – General

How do I buy Technical Support?


Support Contracts are sold on a yearly basis, with
discounts for multi-year purchases. Customers can opt
to purchase Support in either 8x5 format or in a 24
hour format.

I have different expiration dates on several Entitlement keys, may


I combine all my support so it all expires on the same date?
Your Aerohive Sales Rep can help you set-up Co-Term, which allows
you to select matching expiration dates for all your support.

I want to talk to somebody live.


Call us at 408-510-6100 / Option 2. We also provide service
toll-free from within the US & Canada by dialing (866) 365-9918.
Aerohive has Support Engineers in the US, China, and the UK,
providing coverage 24 hours a day.

© 2013 Aerohive Networks CONFIDENTIAL 14


Copyright ©2011
Aerohive Technical Support – The
Americas

How do I reach Technical Support?


Aerohive Technical Support is available 24 hours a
day. This can be via the Aerohive Support Portal or
by calling. For the Support Portal, an authorized
customer can open a Support Case.
Communication is managed via the portal with
new messages and replies. Once the issue is
resolved, the case is closed, and can be retrieved
at any time in the future.
I want to talk to somebody live.
For those who wish to speak with an engineer call us at 408-
510-6100 / Option 2. We also provide service toll-free from
within the US & Canada by dialing (866) 365-9918.
I need an RMA in The Americas
An RMA is generated via the Support Portal, or by calling our Technical
Support group. After troubleshooting, should the unit require repair, we will
overnight* a replacement to the US and Canada. Other countries are
international. If the unit is DOA, it’s replaced with a brand new item, if not it is
replaced with a like new reburbished item.

© 2013 Aerohive Networks CONFIDENTIAL *Restrictions may apply: time of day, location, etc . 15
Copyright ©2011
Aerohive Technical Support – International

How Do I get Technical Support outside The Americas?


Aerohive international Partners provide dedicated
Technical Support to their customers. The Partner has
received specialized training on Aerohive Networks’
product line, and has access to 24 hour Internal
Aerohive Technical Support via the Support Portal, or
by calling 408-510-6100 / Option 2.

I need an RMA internationally


World customer’s defective
units are quickly replaced by
our Partners, and Aerohive
replaces the Partner’s stock
once it arrives at our location.
Partners are responsible for all
shipping charges, duties, taxes,
etc.
© 2013 Aerohive Networks CONFIDENTIAL 16
Copyright ©2011
Copyright Notice

Copyright © 2013 Aerohive Networks, Inc. All rights


reserved.

Aerohive Networks, the Aerohive Networks logo,


HiveOS, Aerohive AP, HiveManager, and
GuestManager are trademarks of Aerohive Networks,
Inc. All other trademarks and registered trademarks
are the property of their respective companies.

© 2013 Aerohive Networks CONFIDENTIAL 17


QUESTIONS?

© 2013 Aerohive Networks CONFIDENTIAL


SWITCHING & ROUTING PRODUCT LINE

Overview of hardware and software platforms

© 2013 Aerohive Networks CONFIDENTIAL 19


Aerohive Switching Platforms

SR2024P SR2124P SR2148P


24 Gigabit Ethernet 48 Gbps Ethernet

24 PoE+ (195 W) 24 PoE+ (408 W) 48 PoE+ (779 W)

4 Ports 1G SFP Uplinks 4 Ports 10 G SFP/SFP+ Uplinks


Routing with 3G/4G USB support and Line rate
switching
Switching Only

56Gbps switching 128 Gbps switch 176 Gbps switch

Single Power Supply Redundant Power Supply Capable

© 2013 Aerohive Networks CONFIDENTIAL 20


Copyright ©2011
Class Switches Deployed in Data Center

Note: The switch model (2024) used in the lab has been superseded by improved models.

• SR2024 Internet
› Line Rate Layer 2 Switch SR2024

› 8 Ports of PoE
› Multi-authentication AP
PoE
access ports
» 802.1X with fallback to
MAC auth or open
› Client Visibility AP AP
» View client information
by port Provides Access For:
› RADIUS Server • Employees
› Internet Router • Guests
• Contractors
› DHCP Server • Phones
› USB 3G/4G Backup • APs
• Servers
› Policy-based routing with Identity

© 2013 Aerohive Networks CONFIDENTIAL


HiveManager Form Factors

SW, Config, & Policy RF Planner Topology Reporting Heat Maps SLA Compliance Guest Mgmt

Express Mode Enterprise Mode


• Optimized for ease of use • Enterprise sophistication
• Uniform company-wide policy • Multiple Network policies
• One user profile per SSID • Multiple user profiles/SSID

HiveManager Appliance 2U
• power&&fans
Redundant power fans
• HA redundancy
• 5000
8000 APs
HiveManager Virtual Appliance
•• VMware ESX &
VMware ESX & Player
Player
•• HA
HA redundancy
redundancy
•• 5000
1500 APs
APs with minimum configuration
with minimum configuration

HiveManager Online
• Cloud-based SaaS management

© 2013 Aerohive Networks CONFIDENTIAL 22


HiveManager Appliance

© 2013 Aerohive Networks CONFIDENTIAL 23


HiveManager Databases

© 2013 Aerohive Networks CONFIDENTIAL 24


Aerohive Routing Platforms

BR 100 BR 200 AP 330 AP 350 VPN Gateways

Single Radio Dual Radio


L3 IPSec
VPN
1x1 11bgn 3x3:3 450 Mbps 11abgn Gateway

5-10 Mbps ~500 Mbps


30-50Mbps FW/VPN
FW/VPN VPN

5X 4000/1024
5X 10/100 2X 10/100/1000 Ethernet
10/100/1000 Tunnels
Physical/Vi
0 PoE PSE 2X PoE PSE 0 PoE PSE
rtual

© 2013 Aerohive Networks CONFIDENTIAL * Also available as a non-Wi-Fi device 25


Copyright ©2011
BR100 vs. BR200

BR100 BR200/BR200WP
5x FastEthernet 5x Gigabit Ethernet
1x1 11bgn (2.4Ghz) single radio 3x3:3 11abgn dual-band single radio (WP)
No integrated PoE PoE (in WP model)
No console port Console Port
No Spectrum Analysis Integrated Spectrum Analysis (WP)
No Wireless Intrusion Detection Full Aerohive WIPS (WP)
No local RADIUS or AD integration Full Aerohive RADIUS, proxy, and AD
No SNMP logging SNMP Support

© 2013 Aerohive Networks CONFIDENTIAL 26


Aerohive AP Platforms

AP121 AP141 AP330 AP350 AP230 * AP370 AP390 AP170


Indoor
Indoor Indoor Indoor Industrial Outdoor
Industrial
Dual Radio
Dual Radio 802.11n Dual Radio 802.11ac/n
802.11n
2x2:2 3x3:3 2x2:2 300 Mbps
300 Mbps High 450 Mbps High Power 3x3:3 450 + 1300 Mbps High Power Radios 11n High
Power Radios Radios Power Radios

TPM Security Chip

2X Gig.E - 10/100 link 2X Gig.E w/ link 2X Gig E


1X Gig.E 1X Gig.E
aggregation aggregation /w PoE Failover

PoE (802.3af + 802.3at) and AC Power PoE (802.3at)

Plenum/D Plenum/Plenum Water Proof (IP


Plenum Rated Plenum Rated
ust Dust Proof 68)
-20 to
0 to 40°C 0 to 40°C -20 to 55°C -40 to 55°C
55°C

USB for future use USB for 3G/4G Modem USB for future use N/A

© 2013 Aerohive Networks CONFIDENTIAL * Includes 5 GHz Transmit Beamforming and in 2.4 GHz has TurboQAM
VPN Gateway Virtual Appliance
• Supports the following
› GRE Tunnel Gateway
› L2 IPSec VPN Gateway
› L3 IPSec VPN Gateway
› RADIUS Authentication Server
› RADIUS Relay Agent
› Bonjour Gateway
› DHCP server
• Use a VPN Gateway Virtual Appliance instead of an AP when higher
scalability for these features are required

Function Scale
VPN Tunnels 1024 Tunnels
RADIUS – Local users per VPN Gateway 9999
# Users Cache (RADIUS Server) 1024
# Simultaneous (RADIUS Server) 256
authentications
© 2013 Aerohive Networks CONFIDENTIAL 28
VPN Gateway Physical Appliance
• Supports the following
› GRE Tunnel Gateway
› L2 IPSec VPN Gateway
› L3 IPSec VPN Gateway
› RADIUS Authentication Server
› RADIUS Relay Agent
Ports: One 10/100/1000 WAN port
› Bonjour Gateway Four LAN ports two support PoE
› DHCP server
• Use a VPN Gateway Appliance instead of an AP when higher scalability
for these features are required
Function Scale
VPN Tunnels 4000 Tunnels
RADIUS – Local users per VPN Gateway 9999
# Users Cache (RADIUS Server) 1024
# Simultaneous (RADIUS Server) 256
authentications
© 2013 Aerohive Networks CONFIDENTIAL 29
QUESTIONS?

© 2013 Aerohive Networks CONFIDENTIAL


Lab Infrastructure

Core
HiveManager

Router
Distribution VLAN 1
Instructor Space ip address 10.100.1.1/24
VLAN 2
Student Space ip address 10.100.2.1/24
SR2024 VLAN 8
SR2024
ip address 10.100.8.1/24
Access VLAN10
ip address 10.100.10.1/24
PoE PoE

AP PC AP PC

Student 2 Student X
© 2013 Aerohive Networks CONFIDENTIAL 31
SWITCHING

32
© 2013 Aerohive Networks CONFIDENTIAL
Lab: Setting up a Wireless Network
1. Connect to the Hosted Training HiveManager

• Securely browse to the appropriate HiveManager for class


› TRAINING LAB 1
https://training-hm1.aerohive.com
https://72.20.106.120
› TRAINING LAB 2
https://training-hm2.aerohive.com
https://72.20.106.66
› TRAINING LAB 3
https://training-hm3.aerohive.com
https://209.128.124.220
› TRAINING LAB 4
https://training-hm4.aerohive.com
https://203.214.188.200
› TRAINING LAB 5
https://training-hm5.aerohive.com
https://209.128.124.230
• Supported Browsers:
› Firefox, Internet Explorer, Chrome, Safari
NOTE: In order to access the
HiveManager, someone at your • Class Login Credentials:
location needs to enter the › Login: adminX
X = Student ID 2 - 29
training firewall credentials given › Password: aerohive123
to them by the instructor first.
© 2013 Aerohive Networks CONFIDENTIAL 33
Lab: Setting Up a Wireless Network
2. Create a Network Policy

• Go to
Configuration
• Click the New
Button

© 2013 Aerohive Networks CONFIDENTIAL 34


Lab: Setting Up a Wireless Network
3. Enable network policy options

• Name:
Access-X
• Check the
options for
› Wireless Access
› Switching
• Note, enabling Branch Routing:
» Enables L3 VPN Configuration
› Bonjour
» Disable L2 VPN Configuration Gateway
» Enable L3 Router Firewall Policy • Click Create
» Policy-Based Routing with Identity
» Enables Router configuration settings in
Additional Settings
© 2013 Aerohive Networks CONFIDENTIAL 35
Network Policy Components

• Wireless Access – Use when you have an AP only


deployment, or you require specific wireless policies
for APs in a mixed AP and router deployment
• Branch Routing– Use when you are managing routers,
or APs behind routers that do not require different
Network Policies than the router they connect through
Internet
Internet

BR200 AP
BR100

AP
Small Branch Office
or Teleworker Site Small to Medium Size Branch Office
that may have APs behind the router
© 2013 Aerohive Networks CONFIDENTIAL 36
Network Policy Components

• Bonjour Gateway
› Allows Bonjour services to be seen in multiple subnets

• Switching
› Used to manage wired traffic using Aerohive Switches

Internet SR2024

PoE AP

AP AP
© 2013 Aerohive Networks CONFIDENTIAL 37
Lab: Setting Up a Wireless Network
4. Create a New SSID Profile

Network
Configuration
• Next to SSIDs click
Choose
• Then click New

© 2013 Aerohive Networks CONFIDENTIAL 38


Lab: Setting Up a Wireless Network
5. Configure Employee SSID

• SSID Profile: Class-PSK-X


X = 2 – 29 (Student ID)
• SSID: Class-PSK-X
• Select WPA/WPA2 PSK
(Personal)
• Uncheck the Obscure
Password checkbox
• Key Value: aerohive123
• Confirm Value: aerohive123
• Click Save
• Click OK

For the ALL labs, please follow the


class naming convention.
© 2013 Aerohive Networks CONFIDENTIAL 39
Lab: Setting Up a Wireless Network
6. Create a User Profile

• To the right of
your SSID, under
User Profile, click
Add/Remove

In Choose User
Profiles
• Click the New
button

© 2013 Aerohive Networks CONFIDENTIAL 40


Lab: Setting Up a Wireless Network
7. Define User Profile Settings

• Name: Default VLAN:


Employee-X From the drop down
box,
• Attribute • Select Create new
Number:10 VLAN,
type:10
• Click Save

© 2013 Aerohive Networks CONFIDENTIAL 41


Lab: Setting Up a Wireless Network
8. Choose User Profile and Save

•Ensure
Employee-X
User Profile is
highlighted
•Click Save

© 2013 Aerohive Networks CONFIDENTIAL 42


Lab: Setting Up a Wireless Network
9. Review your policy and save

• From the Configure Interfaces &


User Access bar, click Save

© 2013 Aerohive Networks CONFIDENTIAL 43


SPANNING TREE BEHAVIOR

© 2013 Aerohive Networks CONFIDENTIAL 44


How loops happen

1. Client sends broadcast such as ARP request

B
2. Switch A forwards packet on all interfaces,
except source interface

3. Switch B receives the broadcast twice, but


does not know it is the same broadcast. It
forwards the broadcast from interface 1 on
interface 24 and vice versa

4. Switch A again receives the broadcast twice


and does the same at Switch B. (It also
sends both broadcasts back to the client
5. Rinse and repeat. The broadcast never
leaves the network

© 2013 Aerohive Networks CONFIDENTIAL


Spanning Tree

Easy to solve, right?


Just disconnect one cable…
But now there is no redundancy…
Have no fear!

There was once a loop to be,


In a redundant path for everyone to see.
The packets went round and round,
Until a new sheriff was found.
His name? Well, Spanning Tree!

© 2013 Aerohive Networks CONFIDENTIAL 46


Spanning Tree

So what does the Spanning Tree


Protocol (STP) do?
High level overview:
I am root!
1. All interfaces are blocked (for non STP traffic) Root doesn’t
while the switches elect a root bridge have to
(switch) calculate

2. After the root bridge is elected, switches


calculate the lowest cost path to the root
bridge
3. Unblock corresponding ports and keep
redundant ports blocked Speed 1Gbit Speed 100Mbit
4. If an active link fails, unblock redundant port Cost: 20,000 Cost: 200,000

© 2013 Aerohive Networks CONFIDENTIAL 47


Spanning Tree – extra reading

Found in the class materials:


Spanning-Tree-Overview.pptx

• STP
• RSTP
• MSTP
• (R)PVST

© 2013 Aerohive Networks CONFIDENTIAL


Switch Spanning Tree Settings

• By default, spanning tree is disabled on Aerohive switches


› Why?
› If you plug an edge switch into a network, and the switch priority is
a lower number (higher priority) on our switch, than what is
configured on the existing network, our switch will become the
root switch
› This means that the optimal path and links that are available
through a network will be chosen based on getting to your edge
switch!
› This most likely is not what a customer wants to do! ;-)
• What is the downside of not enabling spanning tree by default?
› If you plug two cables from our switch to the distribution switch
network, and the ports are not configured as an aggregate, you
can cause a loop!
› This is far less of a concern than enabling spanning tree by default
and possibly rerouting all traffic through our switch, so we will
disable spanning tree by default

© 2013 Aerohive Networks CONFIDENTIAL 49


Verify Existing Network
Spanning Tree Priorities

• Before installing an Aerohive switch into an existing switch


network, have the company determine the root switch and
backup root switch priority
• Ensure our spanning tree priority is set to a higher number
• For example, on a Cisco Catalyst switch you can type:
CS-Dist-2#show spanning-tree
MST0
Spanning tree enabled protocol mstp
Root ID Priority 12288
Address 000f.23b9.0d80
Cost 0
Port 25 (GigabitEthernet0/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 16384 (priority 16384 sys-id-ext 0)
Address 001f.274c.5180
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- -----
Fa0/24 Desg FWD 200000 128.24 P2p
Gi0/1 Root FWD 200000 128.25 P2p

© 2013 Aerohive Networks CONFIDENTIAL 50


Verify Existing Network
Spanning Tree Priorities

CS-Dist-2#show spanning-tree
MST0
Spanning tree enabled protocol mstp
Root ID Priority 12288
Address 000f.23b9.0d80
Cost 0
Port 25 (GigabitEthernet0/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 16384 (priority 16384 sys-id-ext 0)
Address 001f.274c.5180
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- -----
Fa0/24 Desg FWD 200000 128.24 P2p
Gi0/1 Root FWD 200000 128.25 P2p
• Here you can see the Root Priority is: 12288
• The switch this command is run on shows a priority of 16384
• So most likely our switch default priority of: 32768 will not cause
any harm

© 2013 Aerohive Networks CONFIDENTIAL 51


Lab: Enable Spanning Tree
1. Enable Spanning Tree

From the network policy that has switching enabled


• Go to Additional Settings and click Edit
© 2013 Aerohive Networks CONFIDENTIAL 52
Lab: Enable Spanning Tree
2. Enable RSTP

Enable Rapid Spanning


Tree
• Expand Switch Settings
• Expand STP Settings
• Check the box to
Enable STP (Spanning
Tree Protocol)
• Select the radio button
to enable RSTP (Rapid
Spanning Tree)
• Click Save

© 2013 Aerohive Networks CONFIDENTIAL 53


Lab: Enable Spanning Tree
3. Save your Network Policy

• From the Configure Interfaces & User


Access bar, click Save

© 2013 Aerohive Networks CONFIDENTIAL 54


Spanning Tree – Switch specific settings

More detailed Spanning Tree settings can be


configured on an individual switch in device
level settings should that be required.
© 2013 Aerohive Networks CONFIDENTIAL 55
DEVICE TEMPLATES
FOR DEFINING SWITCH PORT
SETTINGS

© 2013 Aerohive Networks CONFIDENTIAL 56


Device Templates

HiveManager – SR2024 as switch device template


• HiveManager Device Templates
are used to assign switches at the
same or different sites to a
common set of port
configurations
• For example, ports 1, 2
are for APs, ports 3-6 are
for phones, etc…
Distribution

SR2024 SR2024
Access/Edge

PoE PoE

AP AP AP AP

© 2013 Aerohive Networks CONFIDENTIAL 57


Device Templates

• Device templates are


used to define ports for
the same device, devices
with the same number of
ports, and device
function
• Device templates do not
Apply to SR2024 switches
set device function, i.e.
configured as switches
switch, router, or AP, but
will only match devices
configured with the
matching function
• You configure a devices
function in the device
specific configuration
Apply to SR2024 switches
configured as routers.
Requires WAN port – icon
depicted as a cloud
© 2013 Aerohive Networks CONFIDENTIAL 58
Device Templates
For Devices Requiring Different Port Settings
SR2024 as Switch • If devices require different port
Default Sites configurations for the same type
of device and function, you can
SR2024 as Switch
Small Sites
› 1. Configure device
classification tags to have
different device templates for
different devices
› 2. Create a new network
policy with a different device
template

SR2024 SR2024

Default Site Device


PoE Classification PoE
Tag: Small Site

AP AP AP
Note: The switch model (2024) used in the lab has been superseded by improved models.
© 2013 Aerohive Networks CONFIDENTIAL 59
CONFIGURE DEVICE TEMPLATES
FOR DEFINING SWITCH PORT
SETTINGS

© 2013 Aerohive Networks CONFIDENTIAL 60


Lab: Configure Device Templates
1. Create device template

• Next to Device
templates, click
Choose
• Click New

© 2013 Aerohive Networks CONFIDENTIAL 61


Lab: Configure Device Templates
2. Create switch template

• Name:
SR2024-Default-X
• Click Device
Models
• Select SR2024
• Click OK
• For SR2024, when
functioning as:
› Select Switch
• Click Save
Note: Here you are not setting the SR2024
to function as a switch. Instead, you are
only specifying that this template applies to
SR2024s when they are configured to
function as a switch. The switch/router
Note: You only see switch as an option function is configured in switch device
and not Switch and Router, because Routing settings.
was not enabled in the selection box when
creating this Network Policy.
© 2013 Aerohive Networks CONFIDENTIAL 62
Lab: Configure Device Templates
3. Save switch template

• Ensure your device template is


selected and click OK
• The device template will appear in
the Device Templates section
• You can show or hide the individual
device template by clicking the
triangle

Shows you that this is a template


for your switch as a switch

© 2013 Aerohive Networks CONFIDENTIAL 63


Lab: Configure Device Templates
4. Save your Network Policy

• From the Configure Interfaces & User


Access bar, click Save
© 2013 Aerohive Networks CONFIDENTIAL 64
LINK AGGREGATION

© 2013 Aerohive Networks CONFIDENTIAL 65


Lab Infrastructure
Aggregate Links for Connection to Distribution

Aggregate is statically configured similar to


EtherChannel
There is no LACP (Link Aggregation Control
Protocol) in this release.
• You can have 8 ports in one channel
› The ports do not have to be contiguous
SR2024 • Every port on the SR2024 can be
configured into port channels except the
USB and console port
• The switch hardware creates a hash of
the the header fields in frames selected
for load balancing, for determining the
ports in an aggregate to send a frame
› Load balancing options are:
» Source & Destination MAC, IP, and Port

PC » Source & Destination IP Port


AP
» Source & Destination IP
» Source & Destination MAC
© 2013 Aerohive Networks CONFIDENTIAL 66
Lab Infrastructure
Aggregate Links for Connection to Distribution

• Load balance of broadcast, multicast,


and unknown unicast traffic between
ports in an aggregate is based on Src/Dst
MAC/IP.
• You cannot configure a 802.1X port in an
EtherChannel
• mac learning is on the port channel port,
instead of member port
SR2024 • Only ports with same physical media type
and speed can be grouped into one
aggregate.
• Supports LLDP per port but not per
channel

AP PC

© 2013 Aerohive Networks CONFIDENTIAL 67


Lab Infrastructure
Do not do this with aggregates
Distribution Distribution
Switch 1 Switch 2

Aggregate 1
SR2024
• In this case, distribution switch 1 and switch 2
will see the same MAC addresses and cause
MAC flapping
› i.e. traffic from PC A for example might be
load balanced to Switch 1 and Switch 2
• In this case, there will also be a loop!
• Aggregates must be built between a pair of
switches only!

AP PC

© 2013 Aerohive Networks CONFIDENTIAL 68


AGGREGATION –
CONFIGURATION EXAMPLE

© 2013 Aerohive Networks CONFIDENTIAL 69


Aggregate Links for Switch Connections
to Distribution Layer Switches

ESXi Server
Core

HMOL

Distribution
Aggregates

Each access switch will have two


SR2024 aggregates:
Access
• Aggregate 1: Port 17, 18
PoE
• Aggregate 2: Port 19, 20
These ports are not connected in
AP this classroom, this is only a
PC
configuration example

© 2013 Aerohive Networks CONFIDENTIAL 70


Lab: Link Aggregation
1. Select ports 17 and 18

Select ports that will be used to connect to the distribution layer


switches (example only, aggregates are not used in class)
NOTE: Recommended not to use the first 8 ports on the SR2024 which provide
PoE.

• Select port 17, and 18


• Check the box for Aggregate selected ports…
• Enter 1
• Click Configure
© 2013 Aerohive Networks CONFIDENTIAL 71
Copyright ©2011
Lab: Link Aggregation
2. Create Trunk Port policy

• Click New
• Name: Trunk-X
• Port Type: 802.1Q
• QoS Classification:
Trusted Traffic
Source
Note: This means we
are trusting the
upstream network
infrastructure
markings
› Map to DSCP or
802.1p
• QoS Marking:Map
Aerohive..
› Map to DSCP or
802.1p
• Click Save
© 2013 Aerohive Networks CONFIDENTIAL 72
Lab: Link Aggregation
2. Save Trunk Port policy

• Ensure that Trunk-X


is selected, click
OK

© 2013 Aerohive Networks CONFIDENTIAL 73


Lab: Link Aggregation
3. Select ports 19 and 20

• Select port 19 and 20


• Check aggregate selected ports… and
enter 2
© 2013 Aerohive Networks CONFIDENTIAL 74
Lab: Link Aggregation
4. Assign Trunk policy

• Click Configure
• For choose port type, select your
802.Q trunk that you created
previously: Trunk-X
• Click OK

© 2013 Aerohive Networks CONFIDENTIAL 75


Lab: Link Aggregation
5. Review port settings

Port 17, 18, 19, and 20 will now


display an 802.1Q trunk icon and
should all appear the same, even
though there are two different
aggregates

© 2013 Aerohive Networks CONFIDENTIAL 76


Lab: Link Aggregation
6. Save your Network Policy

• From the Configure Interfaces & User


Access bar, click Save

© 2013 Aerohive Networks CONFIDENTIAL 77


CONFIGURE UPLINKS USED IN THE
CLASSROOM

© 2013 Aerohive Networks CONFIDENTIAL 78


Classroom Links for Switch Connections
to Distribution Layer Switches

ESXi Server
• 3CX IP PBX Core
10.100.1.?

HMOL

Distribution

SR2024 For the class, we are going to


configure single uplinks without
Access
aggregation to connect to the
PoE
distribution switches
• Single Uplinks : Port 23, 24

AP Port 23 will be connected to


PC
Distribution switch 1, and
port 24 will be connected to
Distribution switch 2
© 2013 Aerohive Networks CONFIDENTIAL 79
Lab: Configure Uplink Ports
1. Select Ports 23 and 24

Select ports that will be used to connect to the distribution layer


switches

• Select port 23, and 24


• Click Configure

© 2013 Aerohive Networks CONFIDENTIAL 80


Copyright ©2011
Lab: Configure Uplink Ports
2. Assign port policy and save

• For choose port type, select your


802.Q trunk that you created
previously: Trunk-X
• Click OK
• Ports 23 and 24 should now be the
same color as the other Trunk ports

© 2013 Aerohive Networks CONFIDENTIAL 81


Lab: Configure Uplink Ports
3. Save your Network Policy

• From the Configure Interfaces & User


Access bar, click Save

© 2013 Aerohive Networks CONFIDENTIAL 82


CONFIGURE PORTS FOR APS

© 2013 Aerohive Networks CONFIDENTIAL 83


Lab Infrastructure
Configure PoE Ports for APs

ESXi Server
Core

HMOL

Distribution

SR2024 Configure two of the PoE


Access ports for APs
IP Phones
PoE • Use Port 1 and 2 for APs
NOTE: For class there is an AP
connected to port 1 of every
AP AP switch

© 2013 Aerohive Networks CONFIDENTIAL 84


Lab: Configure Access Point ports
1. Select ports 1 and 2

Select ports that will be used to connect to APs


NOTE: The first 8 ports on an SR2024 provide power

• Select port 1, and 2


• Click Configure
© 2013 Aerohive Networks CONFIDENTIAL 85
Copyright ©2011
Lab: Configure Access Point ports
2. Create Trunk Policy

• Click New
• Name: AP-Trunk-X
• Port Type: 802.1Q
• QoS Classification:
Trusted Traffic
Source
Note: This means we
are trusting the
upstream network
infrastructure
markings
› Map to DSCP or
802.1p
• QoS Marking:Map
Aerohive..
› Map to DSCP or
802.1p
• Click Save
© 2013 Aerohive Networks CONFIDENTIAL 86
Lab: Configure Access Point ports
3. Assign AP-Trunk Policy to ports 1 and 2

• Ensure that that AP-Trunk-X is selected


• Click OK
• Port 1and 2 will now display an 802.1Q trunk
icon, but this time, a power symbol appears as
well because ports 1 through 8 can provide
power

• Notice that Ports


1 and 2 are a
different color
because there is
a different port
policy than the
other ports

© 2013 Aerohive Networks CONFIDENTIAL 87


Lab: Configure Access Point ports
3. Save your Network Policy

• From the Configure Interfaces & User


Access bar, click Save

© 2013 Aerohive Networks CONFIDENTIAL 88


CONFIGURE POWER SOURCING
EQUIPMENT (PSE) PORTS FOR
POWER OVER ETHERNET (POE)

© 2013 Aerohive Networks CONFIDENTIAL 89


PoE Overview

• PoE standards define the capabilities of the power sourcing


equipment (PSE) and the powered device (PD).
• The PSE is an Aerohive switch. Aerohive access points would be
considered PDs.
• The 802.3af PoE standard defines 15.4 Watts from the PSE
• All 802.11n Aerohive APs will work with 802.3af - CAT5e cabling or
better is required.
• The maximum draw of an Aerohive AP-330 is14.95 Watts.

© 2013 Aerohive Networks CONFIDENTIAL 90


PoE Overview

• The 802.3at standard (PoE+) defines 32 Watts from the


PSE
• 802.11ac Aerohive AP230 is fully functional using 802.3af
• However, the older 802.11ac Aerohive APs (AP370 and
AP390) require PoE+ for full functionality
• The AP370 and AP390 will function with 802.3af PoE
however the 80 MHz channels capability is restricted.
© 2013 Aerohive Networks CONFIDENTIAL 91
PoE Power Budgets

SR2024P SR2124P SR2148P

24 PoE+ (195 W) 24 PoE+ (408 W) 48 PoE+ (779 W)

• Careful PoE power budget planning is a must.


• Access points will randomly reboot if a power budget
has been exceeded and the APs cannot draw their
necessary power.

© 2013 Aerohive Networks CONFIDENTIAL 92


Lab: Configure PoE ports
1. Select additional port settings

Additional Port Settings


link is available if no ports are
currently selected

• Select Additional port settings to configure


› Port Channel Load-Balance Mode
Settings
› PoE port (PSE) Settings

© 2013 Aerohive Networks CONFIDENTIAL 93


Lab: Configure PoE ports
2. Aggregate channel settings

• For Port Channel Load-Balance Mode, please


selecting the headers in a frame that will be used
in creating a hash to determine which port a frame
should egress
› NOTE: If you are testing a single client, especially for a demo,
the more fields you use you will have a better opportunity to
egress multiple ports

© 2013 Aerohive Networks CONFIDENTIAL 94


Lab: Configure PoE ports
3. PSE settings

• Expand PSE Settings


• Because only the first two ports have been
configured, you will only have the ability to
configure PSE (Provides PoE) to the first two ports
• Next to Eth1/1 Click +

© 2013 Aerohive Networks CONFIDENTIAL 95


Lab: Configure PoE ports
4. PSE settings

Note: Default PoE port


settings is 802.3at (PoE+)
• Name: af-high-X Power priority can be
low, high or critical
• Power Mode: 802.3af
• Power Limit: 15400 mW
• Priority: high
• Save
© 2013 Aerohive Networks CONFIDENTIAL 96
Lab: Configure PoE ports
5. PSE settings

• Assign Eth1/1 and Eth1/2 to: af-high-X


• Save

NOTE: You will only see the Interfaces(Ports) that have been
assign to a port type
© 2013 Aerohive Networks CONFIDENTIAL 97
Lab: Configure PoE ports
5. Save your Network Policy

• From the Configure Interfaces & User


Access bar, click Save

© 2013 Aerohive Networks CONFIDENTIAL 98


CONFIGURE PORTS FOR IP PHONES

© 2013 Aerohive Networks CONFIDENTIAL 99


Lab Infrastructure
Configure PoE Ports for IP Phones

ESXi Server
Core

HMOL

Distribution

SR2024 Configure 6 of the PoE ports


Access for IP Phones
PoE • Use Port 3 - 8 for IP Phones

AP AP

© 2013 Aerohive Networks CONFIDENTIAL 100


CONFIGURE PHONE PORTS IN
SWITCH DEVICE TEMPLATE

© 2013 Aerohive Networks CONFIDENTIAL 101


Lab: Configure PoE ports for IP phones
1. Select ports 3-8

Select ports that will be used to connect to IP Phones


NOTE: The first 8 ports on an SR2024 provide power

• Select port 3, 4, 5, 6, 7, and 8


(Yes, you can multi-select)
• Click Configure
© 2013 Aerohive Networks CONFIDENTIAL 102
Copyright ©2011
Lab: Configure PoE ports for IP phones
2. Phone & Data ports

•Click New
© 2013 Aerohive Networks CONFIDENTIAL 103
Lab: Configure PoE ports for IP phones
3. Phone & Data ports

• Name: Phone-and-Data-X
• Port Type: Phone & Data
• Check Primary
authentication using:
MAC via PAP
• QoS Classification:
Trusted Traffic Sources
Note: This means we are
trusting the upstream
network infrastructure
markings
› Map to DSCP or 802.1p
• QoS Marking:Map
Aerohive..
› Map to DSCP or 802.1p
• Click Save
© 2013 Aerohive Networks CONFIDENTIAL 104
Lab: Configure PoE ports for IP phones
4. Phone & Data ports

• For choose port type, select


Phone-and-Data-X
• Click OK
• Port 3 – 8 will now display with a
phone icon

© 2013 Aerohive Networks CONFIDENTIAL 105


Lab: Configure PoE ports for IP phones
5. Save your network policy

• From the Configure Interfaces & User


Access bar, click Save

© 2013 Aerohive Networks CONFIDENTIAL 106


CONFIGURE PORTS FOR OPEN
GUEST ACCESS

© 2013 Aerohive Networks CONFIDENTIAL 107


Lab Infrastructure
Configure Ports for Employee Computer Access

ESXi Server
Core

HMOL

Distribution

SR2024
Guest
Access Computers

PoE
IP Phones
Configure 2 of the switch
ports for open access
AP AP
(switch ports are in a secured
room – for testing purposes)
• Use Port 9 and 10
© 2013 Aerohive Networks CONFIDENTIAL 108
Lab: Configure Open Guest Ports
1. Select ports 9 and 10

Select ports that will be used to connect to guest computers

• Select port 9 and 10


• Click Configure
© 2013 Aerohive Networks CONFIDENTIAL 109
Copyright ©2011
Lab: Configure Open Guest Ports
2. Create access port

•Click New
© 2013 Aerohive Networks CONFIDENTIAL 110
Lab: Configure Open Guest Ports
3. Create access port

• Name: Guest-X
• Port Type: Access
• Most likely you will
not be trusting the
DSCP settings on
guest devices, so
click Untrusted
Traffic Sources
• There is no need to
mark the traffic for
QoS marking
• Click Save

© 2013 Aerohive Networks CONFIDENTIAL 111


Lab: Configure Open Guest Ports
4. Assign access port policy

• For choose port type, select


Guest-X
• Click OK
• Port 9 and 10 will now display with a
world icon

© 2013 Aerohive Networks CONFIDENTIAL 112


Lab: Configure Open Guest Ports
5. Save your network policy

• From the Configure Interfaces & User


Access bar, click Save

© 2013 Aerohive Networks CONFIDENTIAL 113


CONFIGURE PORTS FOR SECURE
EMPLOYEE ACCESS WITH 802.1X

For switch ports in a secure location

© 2013 Aerohive Networks CONFIDENTIAL 114


Lab Infrastructure
Configure Ports for Employee Computer Access

ESXi Server
Core

HMOL

Distribution

SR2024
Employee
Access Computers
802.1X
PoE
IP Phones
Configure six of the switch
ports for 802.1X
AP AP authentication
• Use Ports 11-16

© 2013 Aerohive Networks CONFIDENTIAL 115


Lab: Configure Secure Access Ports
1. Select ports 11 - 16

Select ports that will be used to connect to employee computers


that support 802.1X

• Select port 11,12,13,14,15,16


• Click Configure
© 2013 Aerohive Networks CONFIDENTIAL 116
Copyright ©2011
Lab: Configure Secure Access Ports
2. Create secure port policy

• Click New

© 2013 Aerohive Networks CONFIDENTIAL 117


Lab: Configure Secure Access Ports
3. Create secure port policy

• Name: Secure-X
• Port Type: Access
• Check the box for:
Primary Authentication
using 802.1X
• Uncheck ☐Allow multiple
hosts (same VLAN)
• For the ability to preserve
markings on PCs for
softphones or other
important applications,
select QoS Classification:
Trusted Traffic Sources
• Check the box for QoS
Marking
 Map Aerohive QoS …
• Select DSCP or 802.1p
depending on the upstream
switch architecture
• Click Save

© 2013 Aerohive Networks CONFIDENTIAL 118


Lab: Configure Secure Access Ports
4. Assign secure port policy

• For choose port type, select Secure-X


• Click OK
• Ports 11-16 will now display with a world
icon

© 2013 Aerohive Networks CONFIDENTIAL 119


Lab: Configure Secure Access Ports
5. Save your network policy

• From the Configure Interfaces & User


Access bar, click Save

© 2013 Aerohive Networks CONFIDENTIAL 120


CONFIGURE MIRROR PORTS

© 2013 Aerohive Networks CONFIDENTIAL 121


Lab: Configure Mirror Ports
1. Select ports 21 - 22

Select ports that will be used for port mirroring

• Select ports 21 and 22


• Click Configure
© 2013 Aerohive Networks CONFIDENTIAL 122
Copyright ©2011
Lab: Configure Mirror Ports
2. Create mirror port policy

• Click New
• Name: Mirror-X
• Port Type: Mirror
• Click Save

© 2013 Aerohive Networks CONFIDENTIAL 123


Lab: Configure Mirror Ports
3. Assign mirror port policy

• For choose port type, select


Mirror-X
• Click OK
• Check  Port-Based

Note: VLAN-Based port


mirroring can only be
enabled on a single port

© 2013 Aerohive Networks CONFIDENTIAL 124


Lab: Configure Mirror Ports
4. Choose ports to mirror

• Eth1/21, Egress – click Choose


• Select Eth1/1 and Click OK
• Eth1/22, Ingress – click Choose
• Select Eth1/12 and Click OK
© 2013 Aerohive Networks CONFIDENTIAL 125
Lab: Configure Mirror Ports
5. Verify and save mirror port policy

• All downstream traffic destined for the WLAN clients of


the Aerohive AP on port Eth1/1 will be mirrored to port
Eth1/21.
• All upstream traffic destined for the network from the
host on Eth1/12 will be mirrored to port Eth1/22.
• Click Save

© 2013 Aerohive Networks CONFIDENTIAL 126


Lab: Configure Mirror Ports
6. Verify and save mirror port policy

Ports 21 and 22 will now display a magnifying glass icon.

© 2013 Aerohive Networks CONFIDENTIAL 127


Lab: Configure Mirror Ports
7. Save your network policy

• From the Configure Interfaces & User


Access bar, click Save

© 2013 Aerohive Networks CONFIDENTIAL 128


GENERAL DEVICE TEMPLATE INFO

© 2013 Aerohive Networks CONFIDENTIAL 129


General Port Template Info

If you have more than one port


selected, you can clear port
selections here so you do not
have to click all the selected
ports to deselect them.

© 2013 Aerohive Networks CONFIDENTIAL 130


General Port Template Info

• If you move
your mouse
over one of the
defined ports,
an option
appears to
select all ports
using this port
type
Click Here

© 2013 Aerohive Networks CONFIDENTIAL 131


CONFIGURE PORT TYPES

Guest Access

© 2013 Aerohive Networks CONFIDENTIAL 132


Lab: Configure Ports – Guest Access
1. Port Types

• Configure the authentication, user profile, and VLAN information


for the port types defined in the device templates

© 2013 Aerohive Networks CONFIDENTIAL 133


Lab: Configure Ports – Guest Access
2. Create user profile

Similar to SSIDs, you need to


configure User Profiles (user
policy) for the access ports
• For your Guest-X port
type, under User Profile
click Add/Remove
• Click New

© 2013 Aerohive Networks CONFIDENTIAL 134


Lab: Configure Ports – Guest Access
3. Assign VLAN

User profiles are used


to assign policy to
devices connected
to the network.
NOTE: Switches use the VLAN in a
user profile. Switches functioning
as routers use the VLAN, but may
also make layer 3 firewall and
policy-based routing decisions
based on the user profile. In
either case, user profile The optional settings are utilized when
information is carried with user
information throughout an the user profile is enforced on an AP. The
Aerohive network infrastructure. switch, because it is forwarding packets
• Name: Guest-X at line speed in silicon, does not utilize
the optional settings. If the switch is
• Attribute: 100 configured to be a branch router, the user
• Default VLAN: 8 profile is used for decisions in layer 3
• Click Save firewall policies, IPSec VPN policies, and
identity-based routing.

© 2013 Aerohive Networks CONFIDENTIAL 135


Lab: Configure Ports – Guest Access
4. Save user profile

• Ensure Guest-X is
selected
• Click Save
• Verify your settings

© 2013 Aerohive Networks CONFIDENTIAL 136


Lab: Configure Ports - Guest Access
5. Save your network policy

• From the Configure Interfaces & User


Access bar, click Save

© 2013 Aerohive Networks CONFIDENTIAL 137


CONFIGURE PORT TYPES

Employee Access Secured wit 802.1X

© 2013 Aerohive Networks CONFIDENTIAL 138


Lab: Configure Ports - Secure Access
1. Configure RADIUS

Configure the RADIUS sever for


the ports secured with 802.1X
• For your Secure-X port type,
under Authentication
click <RADIUS Settings>
• Click New

© 2013 Aerohive Networks CONFIDENTIAL 139


Lab: Configure Ports - Secure Access
2. Configure RADIUS

Define the external


RADIUS server settings
• RADIUS name:
RADIUS-X
• IP address: 10.5.1.10
• Shared Secret:
aerohive123
• Confirm Secret:
aerohive123
• Click Apply!!
• Click Save

© 2013 Aerohive Networks CONFIDENTIAL 140


Lab: Configure Ports - Secure Access
3. Configure user profile

Assign user profiles to


the secure 802.1X ports
• Next to your Secure-X
port type, under User
Profile click
Add/Remove

© 2013 Aerohive Networks CONFIDENTIAL 141


Port Types

There are three user profile


assignment methods:
1. (Auth) Default – If a client
authenticates successfully,
but no user profile attribute
is returned, or if a user
profile attribute is returned
matching the default user
profile selected
2. Auth OK – If a client
authenticates successfully,
and a user profile attribute
is returned, it must match
one the selected user
profiles you select here
3. Auth Fail – If a client fails
authentication, use this
user profile

© 2013 Aerohive Networks CONFIDENTIAL 142


Lab: Configure Ports - Secure Access
4. Configure default user profile

Define the Default User Profile


assigned If a client
authenticates successfully, but
no user profile attribute is
returned, or if a user profile
attribute is returned matching
the default user profile
selected
• Select the Default tab
• Select the user profile:
Employee-Default(1)
› Created by the
instructor…
› Assigns VLAN 1

© 2013 Aerohive Networks CONFIDENTIAL 143


Lab: Configure Ports - Secure Access
5. Configure Auth OK user profile

Define a user profile for


Auth OK – If a client
authenticates successfully,
and a user profile attribute
is returned, it must match
one the selected user
profiles you select here.
You can have up to 63
Auth OK user profiles.

• Select the Auth OK tab


• Select Employee-X(10)
› Assigns VLAN 10

© 2013 Aerohive Networks CONFIDENTIAL 144


Lab: Configure Ports - Secure Access
6. Configure Auth Fail user profile

Define a user profile for


Auth Fail – If a clients fails
authentication several
times, assign the Auth Fail
user profile
• Select Auth Fail
• Select Guest-X(100)
› Assigns VLAN 8
• Verify the Default, Auth
OK, and Auth Fail
settings one more time
• Click Save

© 2013 Aerohive Networks CONFIDENTIAL 145


Lab: Configure Ports - Secure Access
7. Verify settings

•Verify the settings

© 2013 Aerohive Networks CONFIDENTIAL 146


Lab: Configure Ports - Secure Access
8. Save your network policy

• From the Configure Interfaces & User


Access bar, click Save

© 2013 Aerohive Networks CONFIDENTIAL 147


PHONE & DATA PORTS
WITH NO AUTHENTICATION

© 2013 Aerohive Networks CONFIDENTIAL 148


Phone & Data Port Type
With Open Access

SR2024
IP Phone

Data
Switch

Phone & Data


uses 802.1Q

• Switch Port is assigned to a Phone & Data Port Type


• For this example, no authentication is selected in Phone &
Data

© 2013 Aerohive Networks CONFIDENTIAL 149


Phone & Data Port Type
With Open Access

SR2024
IP Phone

Data
Switch

Phone & Data LLDP assigns


uses 802.1Q Phone to tagged
Voice VLAN

Note: For default data,


only the VLAN is used,
not the user profile
• You can then select a Default Voice, and Default Data user profile
• The Phone & Data port is an 802.1Q port
• The Phone VLAN will be tagged and sent to the IP phone via LLDP-MED
• The switch port will assign the Data VLAN as the native VLAN
› This way, the phone traffic is tagged, and data traffic is untagged

© 2013 Aerohive Networks CONFIDENTIAL 150


CLI Commands for
Phone & Data Port without Authentication

• interface eth1/3 switchport mode trunk


• interface eth1/3 switchport user-profile-attribute 2
• interface eth1/3 switchport trunk native vlan 10
• interface eth1/3 switchport trunk voice-vlan 2
• interface eth1/3 switchport trunk allow vlan 2
• interface eth1/3 switchport trunk allow vlan 10
• interface eth1/3 qos-classifier Phone-and-Net-2
• interface eth1/3 qos-marker Phone-and-Net-2
• interface eth1/3 pse profile QS-PSE

© 2013 Aerohive Networks CONFIDENTIAL 151


PHONE & DATA PORTS
WITH 802.1X/PEAP
AUTHENTICATION OR
MAC AUTHENTICATION

© 2013 Aerohive Networks CONFIDENTIAL 152


Phone & Data Port Type
With 802.1X/PEAP or MAC Authentication
RADIUS Server Employees
Phone Policy Returns SR2024
IP Phone
Cisco AV Pair: device-traffic-class=voice
User Profile and/or VLAN
Data (Employee) Policy Returns
User Profile and/or VLAN Switch Data
Phone & Data
uses 802.1Q, and 802.1X

• Switch Port is assigned to a Phone & Data Port Type


• For this example, 802.1X authentication is selected in Phone
& Data

© 2013 Aerohive Networks CONFIDENTIAL 153


Phone & Data Port Type
With 802.1X/PEAP
Employees
RADIUS Server SR2024
Phone Policy Returns IP Phone
Cisco AV Pair: device-traffic-class=voice
User Profile and/or VLAN
Data (Employee) Policy Returns Switch Data
User Profile and/or VLAN
Phone & Data
uses 802.1Q, and 802.1X

• You can connect a single client, or multiple clients


behind an IP phone data port
• Phones and clients authenticate independent of each
other and the order in which they authenticate does
not matter
› However, the VLAN assigned to the first data device (Employee)
that authenticates is assigned as the data VLAN, all other
devices will be assigned to the same VLAN, even if they have
different user profiles with other VLANs assigned, or even if
RADIUS returns a different VLAN.

© 2013 Aerohive Networks CONFIDENTIAL 154


Phone & Data Port Type
With Primary and Secondary Authentication
RADIUS Server Employees
Phone Policy Returns SR2024
IP Phone
Cisco AV Pair: device-traffic-class=voice
User Profile and/or VLAN
Data (Employee) Policy Returns
User Profile and/or VLAN Switch Data
Phone & Data
uses 802.1Q, and 802.1X

• If a secondary authentication is used, if the first authentication is


not available, or fails three times, the second authentication will be
tried

© 2013 Aerohive Networks CONFIDENTIAL 155


CLI Commands for
Phone & Data Port with 802.1X

• security-object Phone-and-Data-2
• security-object Phone-and-Data-2 security aaa radius-server primary 10.250.1.1
shared-secret ***
• security-object Phone-and-Data-2 security protocol-suite 802.1x
• security-object Phone-and-Data-2 default-user-profile-attr 1
• security-object Phone-and-Data-2 security auth-mode host-based multiple-domain
• interface eth1/3 security-object Phone-and-Data-2
• interface eth1/3 switchport mode trunk
• interface eth1/3 switchport user-profile-attribute 1
• interface eth1/3 qos-classifier Phone-and-Data-2
• interface eth1/3 qos-marker Phone-and-Data-2
• interface eth1/3 pse profile QS-PSE
• no interface eth1/3 spanning-tree enable
• no interface eth1/3 link-discovery cdp receive enable
• user-profile Default qos-policy def-user-qos vlan-id 1 attribute 1
• user-profile Employee-2 qos-policy def-user-qos vlan-id 10 attribute 10
• user-profile Voice-2 qos-policy def-user-qos vlan-id 2 attribute 2
• user-profile Guest-2 qos-policy def-user-qos vlan-id 8 attribute 100

© 2013 Aerohive Networks CONFIDENTIAL 156


CLI Commands for
Phone & Data Port with MAC AUTH

• security-object Phone-and-Data-2
• security-object Phone-and-Data-2 security aaa radius-server primary 10.250.1.1
shared-secret ***
• security-object Phone-and-Data-2 security additional-auth-method mac-based-auth
• security-object Phone-and-Data-2 default-user-profile-attr 1
• security-object Phone-and-Data-2 security auth-mode host-based multiple-domain
• security-object Phone-and-Data-2 security initial-auth-method mac-based-auth
• interface eth1/3 security-object Phone-and-Data-2
• interface eth1/3 switchport mode trunk
• interface eth1/3 switchport user-profile-attribute 1
• interface eth1/3 qos-classifier Phone-and-Data-2
• interface eth1/3 qos-marker Phone-and-Data-2
• interface eth1/3 pse profile QS-PSE
• no interface eth1/3 spanning-tree enable
• no interface eth1/3 link-discovery cdp receive enable
• user-profile Default qos-policy def-user-qos vlan-id 1 attribute 1
• user-profile Employee-2 qos-policy def-user-qos vlan-id 10 attribute 10
• user-profile Voice-2 qos-policy def-user-qos vlan-id 2 attribute 2
• user-profile Guest-2 qos-policy def-user-qos vlan-id 8 attribute 100

© 2013 Aerohive Networks CONFIDENTIAL 157


CONFIGURING NPS FOR PHONE
AND EMPLOYEE AUTHENTICATION
WITH 802.1X/PEAP

Overview

© 2013 Aerohive Networks CONFIDENTIAL 158


Configure NPS for Phone & Data
Authentication

• Create a
network
policy for
voice

© 2013 Aerohive Networks CONFIDENTIAL 159


Configure NPS for Phone & Data
Authentication

• Enter a name
for the voice
policy, and
click next

© 2013 Aerohive Networks CONFIDENTIAL 160


Configure NPS for Phone & Data
Authentication

• Click add to
specify a
condition

© 2013 Aerohive Networks CONFIDENTIAL 161


Configure NPS for Phone & Data
Authentication

• Select
Windows
Groups
• Click Add

© 2013 Aerohive Networks CONFIDENTIAL 162


Configure NPS for Phone & Data
Authentication

• Click Add Groups…


• A voice group was created by IT for
IP phones – enter voice and click OK
• Click OK

© 2013 Aerohive Networks CONFIDENTIAL 163


Configure NPS for Phone & Data
Authentication

• Click Next

© 2013 Aerohive Networks CONFIDENTIAL 164


Configure NPS for Phone & Data
Authentication

• Select
Access
granted

© 2013 Aerohive Networks CONFIDENTIAL 165


Configure NPS for Phone & Data
Authentication

• Click Add
• Select Microsoft:
Protected EAP
(PEAP)
• Click OK

© 2013 Aerohive Networks CONFIDENTIAL 166


Configure NPS for Phone & Data
Authentication

• Click Next
• For constraints
click Next

© 2013 Aerohive Networks CONFIDENTIAL 167


Configure NPS for Phone & Data
Authentication

• Remove attributes
that are not
needed:
› Select Frame-
Protocol, and
Click Remove
› Select Service-
Type, and Click
Remove

© 2013 Aerohive Networks CONFIDENTIAL 168


Configure NPS for Phone & Data
Authentication

Add the three attribute


value pairs needed to
assign a user profile
• Tunnel-Medium-Type:
IP v4 (value found in
the others section)
• Tunnel-Type: Generic
Route Encapsulation
(GRE)
• Tunnel-Pvt-Group-ID:
(String) 2
› 2 is the voice user
profile in this case
• Click Next

© 2013 Aerohive Networks CONFIDENTIAL 169


Configure NPS for Phone & Data
Authentication

• Under RADIUS
Attributes, select
Vendor Specific

© 2013 Aerohive Networks CONFIDENTIAL 170


RETURN A CISCO AV PAIR TO LET
THE AEROHIVE SWITCH KNOW
WHICH USER PROFILE SHOULD BE
ASSIGNED AS THE VOICE USER
PROFILE

© 2013 Aerohive Networks CONFIDENTIAL 171


Configure NPS for Phone & Data
Authentication

In order for a switch to


know a specific user
profile is for voice,
Aerohive devices can
accept the Cisco AV
Pair: device-traffic-
class=voice. This is sent
to the switch, and the
switch uses LLDP to send
the voice VLAN any
phone that supports
LLDP-MED
• Under RADIUS
Attributes, select
Vendor Specific
• Click Add

© 2013 Aerohive Networks CONFIDENTIAL 172


Configure NPS for Phone & Data
Authentication

• Under
Vendor,
Select
Cisco

© 2013 Aerohive Networks CONFIDENTIAL 173


Configure NPS for Phone & Data
Authentication

• Click Add
• Click Add again

© 2013 Aerohive Networks CONFIDENTIAL 174


Configure NPS for Phone & Data
Authentication
• Attribute value:
device-traffic-class=voice
• Click OK
• Click OK
• Click Close (The value does not show
up on this screen. Do not worry, it is
there.)

© 2013 Aerohive Networks CONFIDENTIAL 175


Configure NPS for Phone & Data
Authentication

• Attribute value:
device-traffic-
class=voice
• Click OK
• Click OK
• Click Next

© 2013 Aerohive Networks CONFIDENTIAL 176


Configure NPS for Phone & Data
Authentication

• Click
Finish

© 2013 Aerohive Networks CONFIDENTIAL 177


DEFINE CLIENT ACCESS

© 2013 Aerohive Networks CONFIDENTIAL 178


CLI Commands for
Phone & Data Port without Authentication

Create a new
policy for
employee access
• Policy name:
Wireless or Wired
Employee Access

© 2013 Aerohive Networks CONFIDENTIAL 179


CLI Commands for
Phone & Data Port without Authentication

• For the condition, select the


windows group that contains
your employees
• Add the three attribute value
pairs needed to assign a user
profile
› Tunnel-Medium-Type: IP v4
(value found in the others
section)
› Tunnel-Type: Generic
Route Encapsulation (GRE)
› Tunnel-Pvt-Group-ID:
(String) 10
» 10 is the voice user profile in this
case

• Click Next

© 2013 Aerohive Networks CONFIDENTIAL 180


CONFIGURE PORT TYPES

Phone and Data

© 2013 Aerohive Networks CONFIDENTIAL 181


Lab: Configure Ports - Phone & Data
1. Configure RADIUS

Configure the RADIUS sever


for the ports secured with
802.1X
• For your Phone-and-Data-X
port type, under
Authentication
click <RADIUS Settings>
• Select RADIUS-X which is an
external Microsoft NPS
RADIUS server
• Click OK
© 2013 Aerohive Networks CONFIDENTIAL 182
Port Types

Assign user profiles to your


802.1X ports
• For your Phone-and-Data-X
port type, under User Profile
click Add/Remove

© 2013 Aerohive Networks CONFIDENTIAL 183


Port Types (Reminder)
Must Verify
There are three user profile settings:
1. Default – Default for data if no
user profile attribute, or a user
profile attribute is returned
and matches the user profile
configured here
2. Auth OK (Voice) – If a client
authenticates successfully,
and a user profile attribute is
returned matching a selected
user profile, and the Cisco AV
Pair is also returned
3. Auth OK (Data) – Client
passes authentication, and a
user profile attribute is
returned, but no Cisco AV
pair

© 2013 Aerohive Networks CONFIDENTIAL 184


Lab: Configure Ports - Phone & Data
2. Configure user profile – Auth OK (Voice)

• Click Auth OK (Voice)


• Click New

© 2013 Aerohive Networks CONFIDENTIAL 185


Lab: Configure Ports - Phone & Data
3. Configure user profile – Auth OK (Voice) VLAN

User profiles are


used to assign
policy to devices
connected to the
network.
• Name: Voice-X
• Attribute: 2
• Default VLAN: 2
• Click Save

© 2013 Aerohive Networks CONFIDENTIAL 186


Lab: Configure Ports - Phone & Data
4. Configure user profile – Auth OK (Voice)

• For the Auth OK


(Voice) tab
select:
Voice-X(2)
› Assigns VLAN 2

© 2013 Aerohive Networks CONFIDENTIAL 187


Lab: Configure Ports - Phone & Data
5. Configure user profile – Default

Assign the Default


user profile:
• Select the
Default tab
• Select Employee-
Default(1)
› Assigns VLAN 1

© 2013 Aerohive Networks CONFIDENTIAL 188


Lab: Configure Ports - Phone & Data
6. Configure user profile – Auth OK (Data)

Define a user profile for Auth


OK (Data)– for clients
connected through an IP
Phone
• Select Auth OK (Data)
• Select Employee-X(10)
› Assigns VLAN 10
• Verify the Default, Auth
OK (Voice), and Auth
OK (Data) settings one
more time
• Click Save

© 2013 Aerohive Networks CONFIDENTIAL 189


Lab: Configure Ports - Phone & Data
7. Verify your settings

• Verify the settings

© 2013 Aerohive Networks CONFIDENTIAL 190


Lab: Configure Ports - Phone and Data
8. Save your network policy

• From the Configure Interfaces & User


Access bar, click Save

© 2013 Aerohive Networks CONFIDENTIAL 191


CONFIGURE 802.1Q TRUNK PORTS

© 2013 Aerohive Networks CONFIDENTIAL 192


Lab: Configure Trunk Ports
1. Configure AP-Trunk-X port policy VLANs

Define the allowed


VLANs on a trunk port
• Next to AP-Trunk-X
Click Add/Remove
• Add the specific
VLANs: 1,2,8,10
• Click OK

© 2013 Aerohive Networks CONFIDENTIAL 193


Lab: Configure Trunk Ports
2. Configure Trunk-X port policy VLANs

Define the allowed


VLANs on a trunk port
• Next to Trunk-X Click
Add/Remove
• Type all
• Click OK

© 2013 Aerohive Networks CONFIDENTIAL 194


Lab: Configure Trunk Ports
3. Verify your settings

 Verify
Settings

© 2013 Aerohive Networks CONFIDENTIAL 195


Lab: Configure Ports - Phone and Data
8. Save your network policy and continue

• From the Configure Interfaces & User


Access bar, click Save

© 2013 Aerohive Networks CONFIDENTIAL 196


UPDATE DEVICES

© 2013 Aerohive Networks CONFIDENTIAL 197


Lab: Update Devices
1. Modify your AP

From the Configure & Update Devices section,


modify your AP specific settings
• Click the Name column to sort the APs
• Click the link for your AP: 0X-A-######

© 2013 Aerohive Networks CONFIDENTIAL 198


Lab: Update Devices
2. Update the configuration of your Aerohive AP

• Location:
<FirstName_LastName>
• Topology Map: Classroom
• Network Policy:
Access-X

Note: Leave this set to default


so you can see how it is
automatically set to your new
network policy when you
update the configuration.

• Set the power down to


1dBm on both radios
because the APs are
stacked in a rack in the data
center
› 2.4GHz(wifi0) Power: 1
› 5GHz (wifi1) Power: 1
• Click Save
© 2013 Aerohive Networks CONFIDENTIAL 199
Lab: Update Devices
3. Select AP and switch

• Select your AP and switch and click Update

Click Yes

© 2013 Aerohive Networks CONFIDENTIAL 200


Lab: Update Devices
4. Update the AP and switch

• Select Update Devices


• Select  Perform a
complete configuration
update for all selected
devices
• Click Update

For this class, ALL


Updates should be
Complete
configuration
updates

© 2013 Aerohive Networks CONFIDENTIAL 201


Lab: Update Devices
5. Update the AP and switch

• Should the Reboot warning box appear, select OK

Click OK

© 2013 Aerohive Networks CONFIDENTIAL 202


QUESTIONS?

© 2013 Aerohive Networks CONFIDENTIAL


CREATE AN AEROHIVE DEVICE DISPLAY FILTER

© 2013 Aerohive Networks CONFIDENTIAL 204


Lab: Create a Display Filter from Monitor View
1. Create a filter

• To create a display filter go to Monitor  Filter: Select +


• Network Policy, select: Access-X
• Remember this Filter, type: Access-X
• Click Search
© 2013 Aerohive Networks CONFIDENTIAL 205
Lab: Create a Display Filter from Monitor View
2. Verify the display filter

© 2013 Aerohive Networks CONFIDENTIAL 206


QUESTIONS?

© 2013 Aerohive Networks CONFIDENTIAL


TEST YOUR WI-FI CONFIGURATION
USING THE HOSTED PC

208
© 2013 Aerohive Networks CONFIDENTIAL
Lab: Test Hosted Client Access to SSID
Test SSID Access at Hosted Site

Core

ESXi Server
Internet - HM VA

Distribution

Access
SR2024
• Use VNC client to
access Hosted PC:
PoE Ethernet
› password: aerohive
• From the hosted PC,
AP Wi-Fi
you can test
connectivity to your
Hosted
PC
SSID
© 2013 Aerohive Networks CONFIDENTIAL 209
Lab: Test Hosted Client Access to SSID
1. For Windows: Use TightVNC client

• If you are using a windows PC


› Use TightVNC
› TightVNC has good compression so
please use this for class instead of
any other application
• Start TightVNC
› For Lab 1
lab1-pcX.aerohive.com
› For Lab 2
lab2-pcX.aerohive.com
› For Lab 3
lab3-pcX.aerohive.com
› For Lab 4
lab4-pcX.aerohive.com
› For Lab 5
lab5-pcX.aerohive.com
› Select  Low-bandwidth connection
› Click Connect
› Password: aerohive.
› Click OK

© 2013 Aerohive Networks CONFIDENTIAL 210


Lab: Test Hosted Client Access to SSID
2. For Mac: Use the Real VNC client

• If you are using a Mac


› RealVNC has good compression
so please use this for class
instead of any other application
• Start RealVNC
› For Lab 1
lab1-pcX.aerohive.com
› For Lab 2
lab2-pcX.aerohive.com
› For Lab 3
lab3-pcX.aerohive.com
› For Lab 4
lab4-pcX.aerohive.com
› For Lab 5
lab5-pcX.aerohive.com
› Click Connect
› Password: aerohive.
› Click OK

© 2013 Aerohive Networks CONFIDENTIAL 211


Lab: Test Hosted Client Access to SSID
3. In case the PCs are not logged in

If you are not automatically


logged in to your PC
• If you are using the web
browser client
› Click the button to Send
Ctrl-Alt-Del
• If you are using the
TightVNC client

• Click to send a
control alt delete
• Login: AH-LAB\user
• Password: Aerohive1
• Click the right arrow to login

© 2013 Aerohive Networks CONFIDENTIAL 212


Lab: Test Hosted Client Access to SSID
4. Remove any Wireless Networks on Hosted PC

From the bottom task bar, click the locate


wireless networks icon
› Select Open Network and Sharing Center
› Click Manage wireless Networks
› Select a network, then click Remove
› Repeat until all the networks are removed
› Click [x] to close the window

© 2013 Aerohive Networks CONFIDENTIAL 213


Lab: Test Hosted Client Access to SSID
5. Connect to Your Class-PSK-X SSID

• Single-click the
wireless icon on
the bottom right
corner of the
windows task bar
• Click your SSID
Class-PSK-X
• Click Connect
› Security Key:
aerohive123
› Click OK

© 2013 Aerohive Networks CONFIDENTIAL 214


Lab: Test Hosted Client Access to SSID
6. View Active Clients List

Go to MonitorClientsWireless Clients and


locate your PC’s entry

• After associating with your SSID, you should


see your connection in the active clients list
Wireless Clients
• Your IP address should be from the
10.5.10.0/24 network which is from VLAN 10

© 2013 Aerohive Networks CONFIDENTIAL 215


QUESTIONS?

© 2013 Aerohive Networks CONFIDENTIAL


TESTING SWITCH PORT
CONNECTIONS WITH WINDOWS 7

© 2013 Aerohive Networks CONFIDENTIAL 217


Lab: Test Hosted Client to Wired Network
Test Guest and 802.1X Access

Core

ESXi Server
Internet - HM VA

Distribution

Access
SR2024
• Use VNC client to
access Hosted PC:
PoE Ethernet
› password: aerohive
• From the hosted PC,
AP Wi-Fi
you can test
connectivity to your
Hosted
PC
SSID
© 2013 Aerohive Networks CONFIDENTIAL 218
Three Different VLANs are Possible
In this configuration

• Default - Auth OK, and RADIUS does not returned user


profile or matching user profile to default
• Auth OK – and RADIUS returns a user profile that
matches one of the user profiles configured here
• Auth Fail – RADIUS authentication fails (Guest)

© 2013 Aerohive Networks CONFIDENTIAL 219


Lab: Test Hosted Client to Wired Network
1. Verify IP address of Ethernet adapter

• Locate Local Area Connection 3


• Right click
• Click Status
• Click Details
© 2013 Aerohive Networks CONFIDENTIAL 220
Lab: Test Hosted Client to Wired Network
2. Verify IP address of Ethernet adapter

Why do you see an IP


from the 10.5.1.0/24
subnet?
This is the IP address
the device
received on VLAN 1
before the switch
was configured

© 2013 Aerohive Networks CONFIDENTIAL 221


Lab: Test Hosted Client to Wired Network
3. Reset Ethernet Adapter

Because the PC has the


wrong IP it will not work,
you can remedy this by
• Right click on Local Area
Connection 3
• Click Diagnose
or
• Disable then Enable
Local Area Connection 3
• Do NOT Disable Local
Area Connection 2
© 2013 Aerohive Networks CONFIDENTIAL 222
Lab: Test Hosted Client to Wired Network
4. Verify IP address of Ethernet adapter

• Locate Local Area Connection 3


• Right click
• Click Status
• Click Details
© 2013 Aerohive Networks CONFIDENTIAL 223
Lab: Test Hosted Client to Wired Network
5. Verify IP address of Ethernet adapter

Why do you see an IP


from the 10.5.8.0/24
subnet?
This is the guest
network that is
assigned if
authentication is
not supported or
fails

© 2013 Aerohive Networks CONFIDENTIAL 224


Lab: Test Hosted Client to Wired Network
6. Verify VLAN of wired client

Go to MonitorClientsWired Clients and locate your


PC’s entry

• Note the IP, Client Auth Mode, User Profile


Attribute and VLAN
• VLAN 8 is the guest VLAN assigned because
802.1X authentication was not supported or
failed. The host was assigned to the Auth Fail
user profile.

© 2013 Aerohive Networks CONFIDENTIAL 225


Lab: Test Hosted Client to Wired Network
7. Enable 802.1X for wired clients

• In windows 7, you
must enable 802.1X
support
• As an administrator,
from the start menu
type services
• Then click services

© 2013 Aerohive Networks CONFIDENTIAL 226


Lab: Test Hosted Client to Wired Network
8. Enable 802.1X for wired clients

• Click the
Standard tab
on the
bottom of the
services
panel
• Locate Wired
AutoConfig
and right-
click
• Click
Properties

© 2013 Aerohive Networks CONFIDENTIAL 227


Lab: Test Hosted Client to Wired Network
9. Enable 802.1X for wired clients

• The Wired AutoConfig


(DOT3SVC) service is
responsible for performing
IEEE 802.1X authentication on
Ethernet interfaces
• If your current wired network
deployment enforces 802.1X
authentication, the DOT3SVC
service should be configured
to run for establishing Layer 2
connectivity and/or providing
access to network resources
• Wired networks that do not
enforce 802.1X
authentication are
unaffected by the DOT3SVC
service
© 2013 Aerohive Networks CONFIDENTIAL 228
Lab: Test Hosted Client to Wired Network
10. Enable 802.1X for wired clients

• Click Automatic
• Click Start

© 2013 Aerohive Networks CONFIDENTIAL 229


Lab: Test Hosted Client to Wired Network
11. Enable 802.1X for wired clients

• Click OK

© 2013 Aerohive Networks CONFIDENTIAL 230


Lab: Test Hosted Client to Wired Network
12. Verify IP address of Ethernet adapter

• Locate Local Area Connection 3


• Right click
• Click Status
• Click Details
© 2013 Aerohive Networks CONFIDENTIAL 231
Lab: Test Hosted Client to Wired Network
13. Verify IP address of Ethernet adapter

Why do you see an IP


from the 10.5.10.0/24
subnet?
The user has
authenticated with
802.1X/EAP and
RADIUS is returning
the user profile
attribute: 10

© 2013 Aerohive Networks CONFIDENTIAL 232


Lab: Test Hosted Client to Wired Network
14. Verify authentication and VLAN of wired client

Go to MonitorClientsWired Clients and locate


your entry

• Note the IP, Client Auth Mode, User Profile Attribute


and VLAN
• VLAN 10 is the employee VLAN assigned because
802.1X authentication was successful and the host
was assigned to the Auth OK user profile.

© 2013 Aerohive Networks CONFIDENTIAL 233


For Reference: Switch CLI

SR-04-866380# show auth int eth1/12

Authentication Entities:

if=interface; UID=User profile group ID; AA=Authenticator


Address;

if=eth1/12; idx=16; AA=08ea:4486:638c; Security-obj=Secure-2;


default-UID=1;

Protocol-suite=802.1X;Auth-mode=port-based; Failure-UID=100;
Dynamic-VLAN=10;

No. Supplicant UID Life State DevType User-Name


Flag

--- -------------- ---- ----- -------------- ------- -----------


--------- ----

0 000c:2974:aa8e 10 0 done data AH-


LAB\user4 000b

© 2013 Aerohive Networks CONFIDENTIAL 234


Enable 802.1X for Wired Connections

If you need to
troubleshoot you can
view Local Area
Connection 3
• From the start menu,
type view network
• Right-click Local Area
Connection 3, and click
Diagnose
› This will reset the
adapter, clear the
caches, etc…

© 2013 Aerohive Networks CONFIDENTIAL 235


Clearing Authentication Cache
For Testing or Troubleshooting

• From the Wired


Clients list, you can
select and Deauth a
client
› Clear the All the
caches for the
client on the switch
• Then on the hosted
PC, you will need to
disable then enable
Local Area
Connection 3 to force
a reauth
© 2013 Aerohive Networks CONFIDENTIAL 236
MISC MONITORING

© 2013 Aerohive Networks CONFIDENTIAL 237


Switch Monitoring

• MonitorSwitches
• Click on the hostname
of the switch

© 2013 Aerohive Networks CONFIDENTIAL 238


Switch Monitoring

• Hover with your mouse over the switch ports

© 2013 Aerohive Networks CONFIDENTIAL 239


Switch Monitoring

System Details

© 2013 Aerohive Networks CONFIDENTIAL 240


Switch Monitoring

Port Details and PSE Details

© 2013 Aerohive Networks CONFIDENTIAL 241


Power Cycle Devices via PoE

• To configure this feature for selected ports on a switch, navigate


to Monitor  Switches in the Managed Devices tab, click the
name of the switch, and scroll down to PSE Details.
• Select the check box or boxes for the port or ports that you want
to cycle, and then click Cycle Power.
This is useful in the event that an AP or multiple APs are locked up
and need to be rebooted remotely. Bouncing the PoE port forces
the AP reboot.

© 2013 Aerohive Networks CONFIDENTIAL 242


Switch Monitoring

• MonitorActive ClientsWired Clients


• Add User Profile Attribute, and move it up, it is useful

© 2013 Aerohive Networks CONFIDENTIAL 243


Switch Monitoring

• Click on the MAC address for a wired client to see more


information

© 2013 Aerohive Networks CONFIDENTIAL 244


Switch Monitoring

• Utilities…StatisticsInterface

© 2013 Aerohive Networks CONFIDENTIAL 245


Switch Monitoring

• Utilities…DiagnosticsShow PSE

© 2013 Aerohive Networks CONFIDENTIAL 246


VLAN Probe
Use VLAN Probe to verify VLANs and DHCP Service

• MonitorSwitches – Select your device, and go to


Utilities…DiagnosticVLAN probe

NOTE: If you get the same IP subnet for each of the VLANs, that is a sign
that the switch uplink port is connected to an access port, not a trunk port
like it should be.
© 2013 Aerohive Networks CONFIDENTIAL 247
Client Monitor

• Tools  Client Monitor


• Client Monitor can be used to troubleshoot 802.1X/EAP
authentication for wired clients

© 2013 Aerohive Networks CONFIDENTIAL 248


Switch CLI

• SR-02-66ec00#show interface switchport


Name: gigabitethernet1/1
Switchport: enable
Port Mode: access
Port Mirror: disable
Port User-profile ID: 0
Static Access VLAN: 1
Dynamic Auth VLAN: 0
Name: gigabitethernet1/2
Switchport: enable
Port Mode: access
Port Mirror: disable
Port User-profile ID: 10
Static Access VLAN: 10
Dynamic Auth VLAN: 0

© 2013 Aerohive Networks CONFIDENTIAL 249


Switch CLI

• show client-report client

© 2013 Aerohive Networks CONFIDENTIAL 250


GENERAL SWITCHING

© 2013 Aerohive Networks CONFIDENTIAL 251


Storm Control

• Aerohive switches can mitigate traffic storms due to a variety of causes by


tracking the source and type of frames to determine whether they are
legitimately required.
• The switches can then discard frames that are determined to be the
products of a traffic storm. You can configure thresholds for broadcast,
multicast, unknown unicast, and TCP-SYN packets as a function of the
percentage of interface capacity, number of bits per second, or number
of packets per second.

From your network policy with Switching enabled: Go to Additional


Settings>Switch Settings>Storm Control

© 2013 Aerohive Networks CONFIDENTIAL 252


IGMP Snooping MAC Addresses

• Aerohive switches are


capable of monitoring
IGMP transactions
between multicast
routers and client
devices, and
maintaining a local
table of IGMP groups
and group members
• Aerohive switches use
this information to
track the status of
multicast clients
attached to the
switch ports so that it From your network policy with Switching
can forward multicast enabled: Go to Additional Settings>Switch
traffic efficiently Settings>IGMP Settings

© 2013 Aerohive Networks CONFIDENTIAL 253


IGMP Snooping MAC Addresses

• Aerohive switches are


capable of monitoring
IGMP transactions
between multicast
routers and client
devices, and
maintaining a local
table of IGMP groups
and group members
• Aerohive switches use
this information to
track the status of
multicast clients
attached to the
switch ports so that it From your network policy with Switching
can forward multicast enabled: Go to Additional Settings>Switch
traffic efficiently Settings>IGMP Settings

© 2013 Aerohive Networks CONFIDENTIAL 254


IGMP Snooping MAC Addresses

• IGMP device specific options available in the switch device


configuration
• Users can enable/disable IGMP snooping to all VLAN or to a
specified VLAN. When IGMP snooping disabled, all multicast
dynamic mac-address should be deleted.

© 2013 Aerohive Networks CONFIDENTIAL 255


GENERATE AEROHIVE SWITCH RADIUS
SERVER CERTIFICATES

Required When Aerohive Devices are Configured as


RADIUS Servers

256
© 2013 Aerohive Networks CONFIDENTIAL
HiveManager Root CA Certificate
Location and Uses
• To view certificates, go to: Configuration, click Show Nav, then go to
Advanced Configuration Keys and CertificatesCertificate Mgmt
• This root CA certificate is used to:
› Sign the CSR (certificate signing
request) that the HiveManager
creates on behalf of the AP acting
as a RADIUS or VPN server
› Validate Aerohive AP certificates
to remote client
» 802.1X clients (supplicants) will need
a copy of the CA Certificate in order
to trust the certificates on the
Aerohive AP RADIUS server(s)
• Root CA Cert Name:
Default_CA.pem
• Root CA key Name:
Default_key.pem

Note: The CA key is only ever used


or seen by HiveManager

© 2013 Aerohive Networks CONFIDENTIAL 257


Copyright ©2011
Use the Existing HiveManager CA
Certificate, Do not Create a New One!

• For this class, please do not create a new HiveManager


CA certificate, otherwise it will render all previous
certificates invalid.
• On your own HiveManager, you can create your own HiveManager
CA certificate by going to: Configuration, then go to
Advanced ConfigurationKeys and CertificatesHiveManager CA
© 2013 Aerohive Networks CONFIDENTIAL 258
LAB: Aerohive Switch Server Certificate and Key
1. Generate Aerohive switch server certificate

• Go to Configuration, click Show Nav


Advanced Configuration
Keys and CertificatesServer CSR
• Common Name: server-X
• Organizational Name: Company
• Organization Unit: Department
• Locality Name: City
• State/Province: <2 Characters>
• Country Code: <2 Characters>
• Email Address: userX@ah-lab.com
• Subject Alternative Name:
User FQDN: userX@ah-lab.com
Note: This lets you add an extra step of validating
the User FQDN in a certificate during IKE phase 1
for IPSec VPN. This way, the Aerohive AP needs a
valid signed certificate, and the correct user
Enter FQDN.
Switch-X • Key Size: 2048
• Password & Confirm: aerohive123
• CSR File Name: Switch-X
• Click Create
© 2013 Aerohive Networks CONFIDENTIAL 259
Notes Below
LAB: Aerohive Switch Server Certificate and Key
2. Sign and combine

Use this option to send Enabling this setting helps


a signing request to an prevent certificate and key
external certification mismatches when
authority. configuring the RADIUS
settings

• Select Sign by HiveManager CA


› The HiveManager CA will sign the Aerohive AP Server
certificate
• The validity period should be the same as or less than the
number of days the HiveManager CA Certificate is valid
› Enter the Validity: 3650 – approximately 10 years
• Check Combine key and certificate into one file
• Click OK

© 2013 Aerohive Networks CONFIDENTIAL 260


LAB: Aerohive Switch Server Certificate and Key
3. View server certificate and key

• To view certificates,
go to:
Configuration, click
Show Nav
Then go to Advanced
Configuration
Keys and Certificates
Certificate Mgmt
• The certificate and key file
name is:
switch-X_key_cert.pem
• QUIZ
› Which CA signed this
Aerohive switch server key?

› What devices need to install


the CA public cert?

© 2013 Aerohive Networks CONFIDENTIAL 261


QUESTIONS?

© 2013 Aerohive Networks CONFIDENTIAL


Lab: Switch as a RADIUS server
1. Edit existing policy

• From Configuration,
• Select your Network policy:
Access-X
• Click OK and then Continue
© 2013 Aerohive Networks CONFIDENTIAL 263
Lab: Switch Active Directory Integration
2. Select your Network Policy

To configure the Aerohive device as a RADIUS server...


Select the Configure & Update Devices bar
• Select the Filter: Current Policy
• Click the link for your Switch – SR-0X-######

© 2013 Aerohive Networks CONFIDENTIAL 264


Copyright ©2011
Lab: Switch Active Directory Integration
3. Create a RADIUS Service Object

Create a Aerohive AP RADIUS Service Object


• Under Optional Settings, expand Service Settings
• Next to Device RADIUS Service click +

© 2013 Aerohive Networks CONFIDENTIAL 265


Lab: Switch AP Active Directory Integration
4. Create a RADIUS Service Object

• Name: SR-radius-X
• Expand Database
Settings
• Uncheck  Local
Database
• Check  External
Database
• Under Active
Directory, click + to
define the RADIUS
Active Directory
Integration Settings

© 2013 Aerohive Networks CONFIDENTIAL 266


Lab: Switch Active Directory Integration
5. Select a switch to test AD integration

• Name: AD-X
• Aerohive device for Active Directory connection setup,
select your Switch: SR-0X-#####
› This will be used to test Active Directory integration
› Once this switch is working, it can be used as a template for
configuring other Aerohive device RADIUS servers with Active
Directory integration
• The IP settings for the selected Aerohive switch are gathered
and displayed
© 2013 Aerohive Networks CONFIDENTIAL 267
Lab: Switch Active Directory Integration
6. Modify DNS settings

• Set the DNS server to: 10.5.1.10


› This DNS server should be the Active Directory DNS server or
an internal DNS server aware of the Active Directory domain
• Click Update
› This applies the DNS settings to the Network Policy and to the
Aerohive device so that it can test Active Directory
connectivity
© 2013 Aerohive Networks CONFIDENTIAL 268
Lab: Switch Active Directory Integration
7. Specify Domain and Retrieve Directory Information

• Domain: ah-lab.local
• Click Retrieve Directory Information
› The Active Directory Server IP will be populated as well
as the BaseDN used for LDAP user lookups
© 2013 Aerohive Networks CONFIDENTIAL 269
Lab: Switch Active Directory Integration
8. Specify Domain and Retrieve Directory Information

• Domain Admin: hiveapadmin(The delegated admin)


• Password and Confirm Password: Aerohive1
• Click Join
• Check  Save Credentials
› NOTE: By saving credentials you can automatically join
Aerohive devices to the domain without manual intervention
© 2013 Aerohive Networks CONFIDENTIAL 270
Lab: Switch Active Directory Integration
9. Specify A User to Perform LDAP User Searches

• Domain User user@ah-lab.local (a standard domain user )


• Password and Confirm Password: Aerohive1
• Click Validate User
› You should see the message: The user was successfully
authenticated.
› These user credentials will remain and be used to
perform LDAP searches to locate user accounts during
authentication.
© 2013 Aerohive Networks CONFIDENTIAL 271
Lab: Switch Active Directory Integration
10. Save the AD Settings

• Click Save

© 2013 Aerohive Networks CONFIDENTIAL 272


Lab: Switch Active Directory Integration
11. Apply the AD settings

• Select AD-X with


priority: Primary
• Click Apply
…Please make sure
you click apply
• Do not save yet..

© 2013 Aerohive Networks CONFIDENTIAL 273


Lab: Switch Active Directory Integration
12. Enable LDAP credential caching

Enable the ability for


an Switch RADIUS
server to cache user
credentials in the
event that the AD
server is not
reachable, if the user
has previously
authenticated
• Check  Enable
RADIUS Server
Credentials Caching
• Do not save yet...

© 2013 Aerohive Networks CONFIDENTIAL 274


Lab: Switch Active Directory Integration
13. Assign server certificate

Optional Settings >


RADIUS Settings:
Assign the switch
RADIUS server to the
newly created switch
server certificate and
key

• CA Cert File: Default_CA.pem


• Server Cert File:
switch-X_key_cert.pem
• Server Key File:
switch-X_key_cert.pem
• Key File Password & confirm password: aerohive123
• Click Save
© 2013 Aerohive Networks CONFIDENTIAL 275
Lab: Switch Active Directory Integration
14. Verify the RADIUS service object

• Ensure that the


Aerohive AP RADIUS
Service is set to:
switch-radius-X
• Do not save yet…

© 2013 Aerohive Networks CONFIDENTIAL 276


Lab: Switch Active Directory Integration
15. Set Static IP address on MGT0 interface

• Expand MGT0 Interface Settings


Note: Aerohive devices that
• Select Static IP function as a server must
have a static IP address.
• Static IP Address: 10.5.1.7X
X = student number 02 = 72, 03 = 73… 12 = 82, 13 = 83
• Netmask: 255.255.255.0
• Default Gateway: 10.5.1.1
© 2013 Aerohive Networks CONFIDENTIAL 277
Lab: Switch Active Directory Integration
16. Save the switch settings

• Click Save
NOTE: Your Aerohive
switch will have an
icon displayed
showing that it is a
RADIUS server.

© 2013 Aerohive Networks CONFIDENTIAL 278


QUESTIONS?

© 2013 Aerohive Networks CONFIDENTIAL


SSID FOR 802.1X/EAP AUTHENTICATION
USING AEROHIVE DEVICE RADIUS WITH
AD KERBEROS INTEGRATION

© 2013 Aerohive Networks CONFIDENTIAL 280


Lab: Switch RADIUS w/ AD Integration
1. Edit your WLAN Policy and Add SSID Profile

Configure an SSID that


uses the 802.1X/EAP
with AD (Kerberos)
Integration
• Select the Configure
Interfaces & User
Access bar
• Next to SSIDs click
Choose
• In Chose SSIDs
› Select New

© 2013 Aerohive Networks CONFIDENTIAL 281


Lab: Switch RADIUS w/ AD Integration
2. Configure a 802.1X/EAP SSID

• Profile Name:
Class-AD-X
• SSID:
Class-AD-X
• Under SSID
Access Security
select
 WPA/WPA2
802.1X
(Enterprise)
• Click Save

© 2013 Aerohive Networks CONFIDENTIAL 282


Copyright ©2011
Lab: Switch RADIUS w/ AD Integration
3. Select new Class-AD-X SSID

Ensure • Click to deselect


Class-AD-X is the Class-PSK-X
highlighted then SSID
click OK
• Ensure the
AD-X SSID
is selected
• Click OK

Click to
deselect
Class-PSK-X

© 2013 Aerohive Networks CONFIDENTIAL 283


Lab: Switch RADIUS w/ AD Integration
4. Create a RADIUS object

• Under Authentication, click <RADIUS Settings>


• In Choose RADIUS, click New

Click

Click

© 2013 Aerohive Networks CONFIDENTIAL 284


Lab: Switch RADIUS w/ AD Integration
5. Define the RADIUS Server IP settings

• RADIUS Name:
SWITCH-RADIUS-X
• IP Address/Domain
Name: 10.5.1.7X
02 = 72, 03 = 73…
Click Apply
12 = 82, 13 = 83
When Done!
• Leave the Shared
Secret Empty
NOTE: When the Aerohive
device is a RADIUS server,
devices in the same Hive
automatically generate a
shared secret

• Click Apply
• Click Save
© 2013 Aerohive Networks CONFIDENTIAL 285
Lab: Switch RADIUS w/ AD Integration
6. Select User Profiles

• Verify that under Authentication, SWITCH-RADIUS-X is


assigned
• Under User Profile click Add/Remove

© 2013 Aerohive Networks CONFIDENTIAL 286


Lab: Switch RADIUS w/ AD Integration
7. Assign User Profile as Default for the SSID

Default Tab • With the Default tab


select (highlight) the
Employee-Default user
profile
• IMPORTANT: This user
profile will be assigned if
no attribute value is
returned from RADIUS
after successful
Authentication Tab authentication, or if
attribute value 1 is
returned.
• Click the Authentication
tab
© 2013 Aerohive Networks CONFIDENTIAL 287
Lab: Switch RADIUS w/ AD Integration
8. Assign User Profile to be Returned by RADIUS Attribute

• In the Authentication
tab
• Select (highlight)
Employee-X
› NOTE: The (User
Profile Attribute) is
appended to the
Authentication Tab User Profile Name
• Click Save

© 2013 Aerohive Networks CONFIDENTIAL 288


Lab: Switch RADIUS w/ AD Integration
9. Verify and Continue

• Ensure Employee-Default-1 • Click Continue


and Employee-X user or click the bar to
profiles are assigned to the Configure & Update
Class-AD-X SSID Devices

© 2013 Aerohive Networks CONFIDENTIAL 289


Lab: Switch RADIUS w/ AD Integration
10. Upload the config to the switch and AP

In the Configure & Update Devices section


• Select the Filter: Current Policy
• Select your devices 
• Click Update

© 2013 Aerohive Networks CONFIDENTIAL 290


Lab: Switch RADIUS w/ AD Integration
10. Upload the config to the switch and AP

• Select Update Devices


• Select  Perform a
complete configuration
update for all selected
devices
• Click Update

For this class, ALL


Updates should be
Complete
configuration
updates

© 2013 Aerohive Networks CONFIDENTIAL 291


Lab: Switch RADIUS w/ AD Integration
11. Upload the config to the switch and AP

• Should the Reboot Warning box appear, select OK

Click OK
© 2013 Aerohive Networks CONFIDENTIAL 292
QUESTIONS?

© 2013 Aerohive Networks CONFIDENTIAL


CLIENT ACCESS PREPARATION -
DISTRIBUTING CA CERTIFICATES
TO WIRELESS CLIENTS

© 2013 Aerohive Networks CONFIDENTIAL 294


LAB: Exporting CA Cert for Server Validation
1. Go to HiveManager from the Remote PC

• From the VNC


connection to the
hosted PC, open a
connection to:
• For HM 1 – 10.5.1.20
• For HM 2 – 10.5.1.23
• For HM 3 – 10.5.1.20
• For HM 5 – 10.5.1.20
• Login with: adminX
• Password: aerohive123
NOTE: Here you are
accessing HiveManager
via the PCs Ethernet
connection

© 2013 Aerohive Networks CONFIDENTIAL 295


LAB: Exporting CA Cert for Server Validation
2. Download Default CA Certificate to the Remote PC

NOTE: The HiveManager Root


CA certificate should be
installed on the client PCs
that will be using the RADIUS
service on the Aerohive
device for 802.1X
authentication
• From the Remote PC,
go to Configuration,
then click Show Nav,
Advanced Configuration
Keys and Certificates
Certificate Mgmt
• Select Default_CA.pem
• Click Export

© 2013 Aerohive Networks CONFIDENTIAL 296


LAB: Exporting CA Cert for Server Validation
3. Rename HiveManager Default CA Cert

• Export the public root


Default_CA.pem certificate
to the Desktop of your
hosted PC
› This is NOT your Aerohive
AP server certificate, this
IS the HiveManager
public root CA certificate
• Rename the extension of
Make the Certificate name: the Default_CA.pem file to
Default_CA.cer Default_CA.cer
› This way, the certificate
will automatically be
Save as type: recognized by Microsoft
All Files Windows
• Click Save
© 2013 Aerohive Networks CONFIDENTIAL 297
LAB: Exporting CA Cert for Server Validation
4. Install HiveManager Default CA Cert

• Find the file that was just


exported to your hosted PC
• Double-click the certificate
file on the Desktop:
Default_CA
• Click Install Certificate

Issued to: HiveManager


This is the name of the certificate if you
wish to find it in the certificate store, or if
you want to select it in the windows
supplicant PEAP configuration.

© 2013 Aerohive Networks CONFIDENTIAL 298


LAB: Exporting CA Cert for Server Validation
5. Finish certification installation

• In the Certificate
Import Wizard click
Next
• Click  Place all
certificate in the
following store
• Click Browse

© 2013 Aerohive Networks CONFIDENTIAL 299


LAB: Exporting CA Cert for Server Validation
6. Select Trusted Root Certification Authorities

• Click Trusted Root


Certification Authorities
• Click OK
• Click Next

© 2013 Aerohive Networks CONFIDENTIAL 300


LAB: Exporting CA Cert for Server Validation
7. Finish Certificate Import

• Click Finish
• Click Yes
• Click OK

© 2013 Aerohive Networks CONFIDENTIAL 301


LAB: Exporting CA Cert for Server Validation
8. Verify certificate is valid

• Click OK to Close the


certificate
• Double-click Default_CA to
reopen the certificate
• You will see that the
certificate is valid and it valid
from a start and end date
• Click the Details tab

© 2013 Aerohive Networks CONFIDENTIAL 302


LAB: Exporting CA Cert for Server Validation
9. View the Certificate Subject

• In the details section, view


the certificate Subject
• This Subject: HiveManager is
what will appear in the list of
trusted root certification
authorities in your supplicant
configured later in this lab.
Protected EAP (PEAP) Properties
In supplicant (802.1X client)

© 2013 Aerohive Networks CONFIDENTIAL 303


QUESTIONS?

© 2013 Aerohive Networks CONFIDENTIAL


CONFIGURING AND TESTING YOUR
802.1X SUPPLICANT

For Windows 7
Supplicants

© 2013 Aerohive Networks CONFIDENTIAL 305


Lab: Testing Switch RADIUS w/ AD Integration
1. Connect to Secure Wireless Network

On the hosted PC,


from the bottom
task bar, click the
wireless networks
icon
• Click Class-AD-X
• Click Connect
• A windows
security alert
should appear,
click Details to
verify this
certificate if from
HiveManager,
then click
Connect server-2 is the AP cert,
and HiveManager is the
© 2013 Aerohive Networks CONFIDENTIAL trusted CA 306
Lab: Testing Switch RADIUS w/ AD Integration
2. View Active Clients

• After associating with your SSID, you should see your


connection in the active clients list in HiveManager
› Go to MonitorClientWireless Clients
• IP Address: 10.5.1.#
• User Name: DOMAIN\user
• VLAN: 1
User Profile Attribute: 1

NOTE: User Profile Attribute is the Employee-Default-1 user profile


for the SSID. This user profile is being assigned because no User
Profile Attribute Value was returned from RADIUS.

© 2013 Aerohive Networks CONFIDENTIAL 307


QUESTIONS?

© 2013 Aerohive Networks CONFIDENTIAL


MAPPING ACTIVE DIRECTORY
MEMBEROF ATTRIBUTE
TO USER PROFILES

© 2013 Aerohive Networks CONFIDENTIAL 309


Aerohive AP as a RADIUS Server - Using AD
Member Of for User Profile Assignment

• In your Network policy, you defined an SSID with two user profiles
› Employees(1)-1 – Set if no RADIUS attribute is returned
» This use profile for example is for general employee staff, and they get
assigned to VLAN 1
› Employee(10)-X – Set if a RADIUS attribute is returned
» This user profile for example is for privileged employees, and they get
assigned to VLAN 10
• Because the switch RADIUS server is using AD to authenticate the
users, and AD does not return RADIUS attributes, how can we assign
users to different user profiles?
• Though AD does not return RADIUS attributes, it does return other
attribute values, like MemberOf which is a list of AD groups to which
the user belongs
© 2013 Aerohive Networks CONFIDENTIAL 310
Instructor Only: Confirm User is a
member of the Wireless AD Group

 Right click the username userX


and click Properties

 Click on the Member Of tab

 The user account userX should


belong to the Wireless
AD Group
 Click OK

© 2013 Aerohive Networks CONFIDENTIAL 311


Lab: Use AD to Assign User Profile
1. Map memberOf attribute to user profile

• From Configuration, Show Nav,


Advanced Configuration
Authentication 
Aerohive AAA Server Settings
SR-radius-X
• Expand Database Settings
• Check  LDAP server attribute
Mapping
• Select  Manually map LDAP user
groups to user profiles
• LDAP User Group Attribute:
memberOf
• Domain: dc=AH-LAB,dc=LOCAL
• Click + to expand the LDAP tree
© 2013 Aerohive Networks CONFIDENTIAL 312
Lab: Use AD to Assign User Profile
2. Add group to user profile mapping

• Expand the tree


Click the LDAP
structure to locate
Group
Map group to
› Expand
Employee(10)-X CN=Users
› Select
CN = Wireless
• For Maps to, from
the drop down list,
select the user
profile: Employee-X
• Click Apply
NOTE: The CN in Active Directory • The mapping
does not have to match the name appears below the
of the user profile, this is just by LDAP directory
choice, not necessity. • Click Save
© 2013 Aerohive Networks CONFIDENTIAL 313
Lab: Use AD to Assign User Profile
3. Update devices

• Select Update Devices


• Select Perform a
complete configuration
update for all selected
devices Click Update

For this class, ALL


Updates should be
Complete
configuration
updates

© 2013 Aerohive Networks CONFIDENTIAL 314


Lab: Use AD to Assign User Profile
4. Update devices

• Should the Reboot Warning box appear, select OK

Click OK
© 2013 Aerohive Networks CONFIDENTIAL 315
Lab: Use AD to Assign User Profile SSID
5. Disconnect and Reconnect to the Class-AD SSID

To test the mapping


of the memberOf
attribute to your user
profile
• Disconnect from the
Class-AD-X SSID
• Connect to the
Class-AD-X SSID

© 2013 Aerohive Networks CONFIDENTIAL 316


Lab: Use AD to Assign User Profile SSID
6. Verify your active client settings

• From MonitorClientsActive Clients


› Your client should now be assigned to
» IP Address: 10.5.10.#
» User Profile Attribute: 10
» VLAN: 10

NOTE: In the previous lab, without the


LDAP group mapping, the user was
assigned to attribute 1 in VLAN 1

© 2013 Aerohive Networks CONFIDENTIAL 317


QUESTIONS?

© 2013 Aerohive Networks CONFIDENTIAL


AEROHIVE SWITCHES AS
BRANCH ROUTERS

© 2013 Aerohive Networks CONFIDENTIAL 319


Medium Size Branch or Regional Office

• SR2024 as Branch Router


› Line Rate Layer 2 Switch
› 8 Ports of PoE Internet SR2024
› Multi-authentication
access ports
» 802.1X with fallback to AP
PoE
MAC auth or open
› Client Visibility
» View client information by port
AP AP
› RADIUS Server
› Routing between local VLANs
Provides Access For:
› Layer 3 IPSec VPN • Employees
› NAT for Subnets through VPN • Guests
• Contractors
› NAT port forwarding on WAN • Phones
› DHCP Server • APs
› USB 3G/4G Backup • Servers
› and more…
© 2013 Aerohive Networks CONFIDENTIAL
CREATE A ROUTING NETWORK
POLICY – YOU CAN CLONE YOUR
EXISTING ACCESS POLICY

For Wireless, Switching, and Routing

© 2013 Aerohive Networks CONFIDENTIAL 321


Lab: Add Routing to Network Policy
1. Edit existing policy

• From Configuration,
• Next to your Network policy: Access-X
• Click the sprocket icon
• Click Edit

© 2013 Aerohive Networks CONFIDENTIAL 322


Lab: Add Routing to Network Policy
2. Edit select Branch Routing

Add the option for


Branch Routing to your
Network Policy
• Check Branch Routing
so you have:
› Wireless Access
› Switching
› Branch Routing
• NOTE: Enabling Branch Routing: › Bonjour Gateway
» Enables L3 VPN Configuration
» Disable L2 VPN Configuration
• Click Save
» Enable L3 Router Firewall Policy • Click OK
» Policy-Based Routing with Identity
» Enables Router configuration settings in Additional Settings

© 2013 Aerohive Networks CONFIDENTIAL 323


CLONE SWITCH DEVICE TEMPLATE
AS SWITCH AND ADD NEW SWITCH
DEVICE TEMPLATE AS BRANCH
ROUTER

© 2013 Aerohive Networks CONFIDENTIAL 324


Lab: Create a Switch Template for Routing
1. Select and clone your existing device template

• Next to Device
Templates, click
Choose
• Select your
SR2024-Default-X
device template
(configured as
switch)
• Click the
sprocket icon
• Click Clone

© 2013 Aerohive Networks CONFIDENTIAL 325


Lab: Create a Switch Template for Routing
2. Define router function of the device template

• Click Device Models


• Notice all the devices that
you can create templates
when the network policy
includes routing
• Ensure that SR2024 is selected
• Click OK

© 2013 Aerohive Networks CONFIDENTIAL 326


Lab: Create a Switch Template for Routing
3. Define router function of the device template

• Name: SR2024-Router-Default-X
• Change the function to Router
• Click Save

© 2013 Aerohive Networks CONFIDENTIAL 327


Lab: Create a Switch Template for Routing
4. Select both templates

• Ensure both of your SR2024


policies are selected.
• Click OK
• Hide the SR2024-Default-X
(Switch) template
• Expand the SR2024-
Router-Default-X (Router)
template

© 2013 Aerohive Networks CONFIDENTIAL 328


Lab: Create a Switch Template for Routing
5. Remove configuration of existing uplink ports

Next you can change


your uplink ports and
add a WAN port
instead
• Select ports 23 and
24, and click
Configure
• Remove the port
type by clicking on
the port type you
have selected to
ensure it is no longer
highlighted
• Click OK
• Click OK again to the
Warning
© 2013 Aerohive Networks CONFIDENTIAL 329
Examples of templates for other devices

BR200-WP

AP330 as Router

© 2013 Aerohive Networks CONFIDENTIAL 330


CONFIGURE ROUTER WAN PORTS
- PORTS THAT CONNECT TO THE
INTERNET AND PROVIDE NAT

© 2013 Aerohive Networks CONFIDENTIAL 331


Router WAN Ports

• SR2024 as Branch Router DSL –


WAN Port example WAN
Backup 1

Corp ISP (Fast) –


USB Wireless –
WAN
WAN
Primary
Backup 2
© 2013 Aerohive Networks CONFIDENTIAL
Lab: Create a Switch Template for Routing
1. Add necessary WAN port for router

When the switch is a router, you must configure at least one port as a WAN port

• Select Port 23,


and Port 24
(USB is always a
WAN port)
• Click
Configure

Note: You can have up to 3 WAN ports: 1 primary and 2 backup.


2 Ports can be Ethernet, and one can be USB. If you select
multiple ports as WAN ports, you can select which ones are
primary and backup in the switch specific settings.
© 2013 Aerohive Networks CONFIDENTIAL 333
Lab: Create a Switch Template for Routing
2. Add necessary WAN port for router

• Click New
• Name: WAN-X
• Select WAN
• Click Save
• With WAN-X selected, click OK

© 2013 Aerohive Networks CONFIDENTIAL 334


Lab: Create a Switch Template for Routing
3. Review WAN port settings

• The USB Port, Port 23, and Port 24 will now display a WAN
(Cloud) icon (USB does not display cloud icon in this version of code)

The ports will


display a WAN
(Cloud) icon

© 2013 Aerohive Networks CONFIDENTIAL 335


Lab: Create a Switch Template for Routing
4. Save your Network Policy

• From the Configure Interfaces & User


Access bar, click Save
© 2013 Aerohive Networks CONFIDENTIAL 336
Note: Switch Port Settings
To be configured later, not now.

• At a later point in this lab, you will


configure the priority of the WAN ports
for primary and backup

Switch Settings:
These will be
configured later.

© 2013 Aerohive Networks CONFIDENTIAL 337


PORT TYPES

© 2013 Aerohive Networks CONFIDENTIAL 338


6.0 Network Policy

Besides the addition


of the WAN port, all
port types are
identical in network
policies with and
without branch
routing selected!
This means the
same port types
can be used in
both switching
(layer 2) and
branch routing
(layer 3) network
policies.
© 2013 Aerohive Networks CONFIDENTIAL 339
VLAN-TO-SUBNET ASSIGNMENTS
FOR ROUTER INTERFACES

© 2013 Aerohive Networks CONFIDENTIAL 340


VLAN-to-subnet assignments
for router interfaces

• If the network policy is configured with Routing, then for


every VLAN configured for SSIDs or port types, you must
define the IP subnets that will be assigned to the branch
routers or switches as branch routers
• The VLANs are automatically populated from the VLANs
assigned to user profiles for SSIDs and port types
• If you have additional VLANs to define, you can click Add

© 2013 Aerohive Networks CONFIDENTIAL 341


Network and Sub Networks
Internal Use
• HiveManager assigns a unique subnet from the network to each
router, including the DHCP settings

HQ
Network
10.102.0.0/16
BR100

Cloud VPN
Gateway
Sub Network 10.102.2.0/24
Internet DHCP: IP Range 10.102.2.10 – 10.102.2.244
Default Gateway: 10.102.2.1
DNS: 10.102.2.1 (Router is DNS Proxy)

BR100
BR100

Sub Network 10.102.0.0/24 Sub Network 10.102.1.0/24


DHCP: IP Range 10.102.0.10 – 10.102.0.244 DHCP: IP Range 10.102.1.10 – 10.102.1.244
Default Gateway: 10.102.0.1 Default Gateway: 10.102.1.1
DNS: 10.102.0.1 (Router is DNS Proxy) DNS: 10.102.1.1 (Router is DNS Proxy)
© 2013 Aerohive Networks CONFIDENTIAL 342
Networks and Hosts Per Network
A Little Bit of Subnet Theory – Yay!
Calculating a network using an IP address and a netmask

Conversion chart between binary and decimal


27 26 25 24 23 22 21 20
128 64 32 16 8 4 2 1 Decimal value for bit position
0 0 0 0 1 0 1 0 = 8 + 2 = 10 for example
When you assign IP addresses, you can determine how many
networks and how many hosts per network you need.
Example: Create subnets for network: 10.102.0.0/16
8 bits 8 bits 8 bits 8 bits
IP Address in binary: 00001010.01100110.00000000.00000000
Netmask in binary: X 11111111.11111111.11111111.00000000
Multiply each column: 00001010.01100110.00000000.00000000
Convert back to decimal: 10. 102 . 0 . 0
IP Network Subnet Hosts
8 bits = 8 bits
© 2013 Aerohive Networks CONFIDENTIAL 256 subnets 256 hosts – 2 = 254
Networks and Hosts Per Network
IP Address Management
Example 1: Move Subnet slider bar to 256 Branches

Network Mask: /16 Subnet Mask: /24


8 bits 8 bits 8 bits 8 bits
IP Address in binary: 00001010.01100110.00000000.00000000
Netmask in binary: X 11111111.11111111.11111111.00000000
Multiply each column: 00001010.01100110.00000000.00000000
Convert back to decimal: 10. 102 . 0 . 0
IP Network Subnet Hosts
8 bits = 8 bits
256 branches 256 clients/branch
– 3 = 253
Note: HiveManager lets you reserve the first or last IP in the
subnets as the default gateway for the subnet.
© 2013 Aerohive Networks CONFIDENTIAL 344
Networks and Hosts Per Network
Automatic Subnet Creation
8 bits 8 bits 8 bits 8 bits
IP Address in binary: 00001010.01100110.00000000.00000000
Netmask in binary: X 11111111.11111111.11111111.00000000
Multiply each column: 00001010.01100110.00000000.00000000
Convert back to decimal: 10. 102 . 0 . 0
IP Network Subnet Hosts
10.102.0000000=0. 1-254
10.102.0000001=1. 1-254
10.102.0000010=2. 1-254
10.102.0000011=3. 1-254
10.102.0000100=4. 1-254
10.102.0000101=5. 1-254
10.102.0000110=6. 1-254
10.102.0000111=7. 1-254
10.102.0001000=8. 1-254
..
10.102.1111111=255.1-254
© 2013 Aerohive Networks CONFIDENTIAL 345
Networks and Hosts Per Network
IP Address Management
Example 2: Move Subnet slider bar to 512 Branches

Network Mask: /16 Subnet Mask: /25


8 bits 8 bits 9 bits 7 bits
IP Address in binary: 00001010.01100110.00000000.00000000
Netmask in binary: X 11111111.11111111.11111111.10000000
Multiply each column: 00001010.01100110.00000000.00000000
Convert back to decimal: 10. 102 . 0 . 0
IP Network Subnet Hosts
9 bits = 7 bits
512 branches 128 clients/branch
– 3 = 125
Note: HiveManager lets you reserve the first or last IP in the
subnets as the default gateway for the subnet.
© 2013 Aerohive Networks CONFIDENTIAL 346
Networks and Hosts Per Network
Automatic Subnet Creation
8 bits 8 bits 9 bits 7 bits
IP Address in binary: 00001010.01100110.00000000.10000000
Netmask in binary: X 11111111.11111111.11111111.10000001
Multiply each column: 00001010.01100110.00000000.00000000
Convert back to decimal: 10. 102 . 0 . 0
IP Network Subnet Hosts
10.102.0000000.0 =
0.0 1-126
10.102.0000000.1 =
0.128 129-254
10.102.0000001.0 =
1.0 1-126
10.102.0000001.1 =
1.128 129-254
10.102.0000010.0 =
2.0 1-126
10.102.0000010.1 =
2.128 129-254
10.102.0000011.0 =
3.0 1-126
10.102.0000011.1 =
3.128 129-254
10.102.0000100.0 =
4.0 1-126
..
10.102.1111111.1 = 255.128 129-254
© 2013 Aerohive Networks CONFIDENTIAL 347
Network and Sub Networks
Internal Use
• HiveManager assigns a unique subnet from the network to each
router, including the DHCP settings

HQ
Network
10.102.0.0/16
BR100

Cloud VPN
Gateway
Sub Network 10.102.2.0/24
Internet DHCP: IP Range 10.102.2.10 – 10.102.2.244
Default Gateway: 10.102.2.1
DNS: 10.102.2.1 (Router is DNS Proxy)

BR100
BR100

Sub Network 10.102.0.0/24 Sub Network 10.102.1.0/24


DHCP: IP Range 10.102.0.10 – 10.102.0.244 DHCP: IP Range 10.102.1.10 – 10.102.1.244
Default Gateway: 10.102.0.1 Default Gateway: 10.102.1.1
DNS: 10.102.0.1 (Router is DNS Proxy) DNS: 10.102.1.1 (Router is DNS Proxy)
© 2013 Aerohive Networks CONFIDENTIAL 348
LAB: Assign VLAN-to-subnet – router interfaces

• If the network policy is configured with Routing, then for


every VLAN configured for SSIDs or port types, you must
define the IP subnets that will be assigned to the branch
routers or switches as branch routers
• The VLANs are automatically populated from the VLANs
assigned to user profiles for SSIDs and port types
• If you have additional VLANs to define, you can click Add

© 2013 Aerohive Networks CONFIDENTIAL 349


LAB: Assign VLAN-to-subnet – router interfaces
1. Select VLAN 10 and create network

• Next to VLAN 10, click Choose

• Click New

© 2013 Aerohive Networks CONFIDENTIAL 350


LAB: Assign VLAN-to-subnet – router interfaces
2. Create internal employee network

• Name: Net-Employee-1XX
XX=02,03,..15,16
• Web Security: None
• DNS Service: Class
• Network Type: Internal Use
• Do not save yet
© 2013 Aerohive Networks CONFIDENTIAL 351
Note: DNS Service Objects

NOTE: This Quick Start DNS Service object sets clients to


use the router interface IP as the DNS server, and will
proxy the DNS requests to the DNS server learned
statically or by DHCP on the WAN interface. Separate
DNS servers can also be used for internal and external
domain resolution.
© 2013 Aerohive Networks CONFIDENTIAL 352
LAB: Assign VLAN-to-subnet – router interfaces
3. Create internal employee network

• Click NEW to create a parent network

© 2013 Aerohive Networks CONFIDENTIAL 353


LAB: Assign VLAN-to-subnet – router interfaces
4. Define the Parent Network and subnetworks

• IP Network:
10.1XX.0.0/16

NOTE: This is the parent


network that will be
partitioned to create a
• number of IP subnets
10.1XX.0.0/16
determined by moving
the slider bar. The slider
bar is used to set the
number of branches vs.
clients per branch which
defines the subnet mask
for each subnet.
Moving the slider bar changes the
• Move the slider bar to number of bits in the subnet mask.
select 256 branches and
253 clients per branch The clients per branch = 253 in this case
because 1 IP is reserved for the router,
and then 0 and 255 are not used.
© 2013 Aerohive Networks CONFIDENTIAL 354
LAB: Assign VLAN-to-subnet – router interfaces
5. Enable DHCP

• Check  Enable DHCP


server
NOTE: In most cases, the
router will be the DHCP
server. However, if it is
not, you can disable the
DHCP service and this
network definition will
only be used to
configure the router
interface IP addresses.

• For the DHCP Address


Pool, move the slider bar
to reserve 10 IP addresses
at the start of the address
pool that can be defined
statically.
Please do not save yet!!!
© 2013 Aerohive Networks CONFIDENTIAL 355
Note: Custom Options Example

• Note that you can


define custom
DHCP options if
needed
• For example, you
can set the custom
DHCP options for
the hostname of
HiveManager
(option 225) or the
IP address of
HiveManager
(option 226) or
options required by
certain IP phones

© 2013 Aerohive Networks CONFIDENTIAL 356


DEFINE SPECIFIC SUBNETS FOR
EACH SITE BY USING DEVICE
CLASSIFICATION

© 2013 Aerohive Networks CONFIDENTIAL 357


What is the goal?

Network
10.101.0.0/16
• Define subnets from the IP
address space to specific sites Site-1c
• For example, define the
subnets that will be used for BR100
Site-1a and Site-1b, but let
HiveManager allocate one for
Site-1c Sub Network 10.101.25.0/24
DHCP: IP Range 10.101.25.11 –
10.102.25.254
Default Gateway: 10.101.25.1
Internet

Site-1a Site-1b BR100


BR100

Sub Network 10.101.1.0/24 Sub Network 10.101.2.0/24


DHCP: IP Range 10.101.1.11 – 10.102.1.254 DHCP: IP Range 10.101.2.11 – 10.102.2.254
Default Gateway: 10.101.1.1 Default Gateway: 10.101.2.1
© 2013 Aerohive Networks CONFIDENTIAL
LAB: Assign VLAN-to-subnet – router interfaces
1. Define subnet to be assigned to Site-Xa

By default, each branch


router will be assigned one
subnet from the Local IP
Address Space
• To define specific subnets
of the Local IP address
space to assign to sites
› Check  Allocate local
subnetworks by
specific IP addresses at
sites and click
• IP Address: 10.1XX.1.1
(XX=01,02,03,..18)
• Type: Device Tag
• Tag1: Site-Xa
(Xa=2a,3a,4a,..,18a)
• Click Apply
© 2013 Aerohive Networks CONFIDENTIAL 359
LAB: Assign VLAN-to-subnet – router interfaces
2. Define subnet to be assigned to Site-Xb

Define the next subnet


• Click New
• IP Address: 10.1XX.2.1
• Type: Device Tag
• Tag1: Site-Xb
(Xb = 2b, 3b, 4b,..,18b)
• Click Apply
Note: You can specify up to 256 tags
• Click Save
© 2013 Aerohive Networks CONFIDENTIAL 360
LAB: Assign VLAN-to-subnet – router interfaces
3. Save the Network

Verify you have


all the setting
needed for the
network
• DNS: Class
• Network Type:
Internal Use
• Subnetwork:
10.1XX.0.0/16
• Verify the IP
Allocation
Statements Note: (T) = True or Match the tag
(F) = False, and no match required
• Click Save Here you can see: 10.102.1.1 must have a router with
Tag1 set to: Site-2a, and 10.102.2.1 must have a router
with Tag1 set to: Site-2b. 361
© 2013 Aerohive Networks CONFIDENTIAL 361
LAB: Assign VLAN-to-subnet – router interfaces
4. Choose the Network

• Ensure your policy is


highlighted and click OK

© 2013 Aerohive Networks CONFIDENTIAL 362


Note: Device Classification Settings
On Your Device

• In a later lab, you will need to define Device


Classification Tag1 on your switch with the same entry
that was used in the network configuration: Site-Xa
Device Specific Settings

© 2013 Aerohive Networks CONFIDENTIAL 363


What did you just do?
• You specified that certain sites Network
had or will require specific IP 10.101.0.0/16
addresses in them, for
example Site-1a (10.101.1.1)
and Site-1b (10.101.2.1)
› These can be any IP in the
Site-1c
subnet. We chose the IP of
default gateways. BR100

• Therefore HiveManager will


allocate the subnets that Sub Network 10.101.25.0/24
match the IP addresses DHCP: IP Range 10.101.25.11 –
that are specified for 10.101.25.254
two of the sites Default Gateway: 10.101.25.1
Internet *This subnet was chosen by HiveManager
because an IP at the site was not defined.

Site-1a Site-1b BR100


BR100

Sub Network 10.101.1.0/24 Sub Network 10.101.2.0/24


DHCP: IP Range 10.101.1.11 – 10.101.1.254 DHCP: IP Range 10.101.2.11 – 10.101.2.254
Default Gateway: 10.101.1.1 Default Gateway: 10.101.2.1
© 2013 Aerohive Networks CONFIDENTIAL
ADD NETWORKS FOR
THE OTHER VLANS

© 2013 Aerohive Networks CONFIDENTIAL 365


Add More Networks

• Create networks for VLAN 2 and VLAN 8


• If the VLAN is not in the list, click Add
› Enter the VLAN
› Then proceed to configuring the networks

© 2013 Aerohive Networks CONFIDENTIAL 366


LAB: Assign VLAN-to-subnet – router interfaces
1. Select VLAN 2 and create network

• Next to VLAN 2, click Choose

• Click New

© 2013 Aerohive Networks CONFIDENTIAL 367


LAB: Assign VLAN-to-subnet – router interfaces
2. Create internal voice network

• Create another Internal Network for VLAN 2:


10.2XX.0.0-Voice-X
• Web Security: None
• DNS service: Class
• Network Type: Internal Use
• Do not save yet
© 2013 Aerohive Networks CONFIDENTIAL 368
LAB: Assign VLAN-to-subnet – router interfaces
3. Create internal voice network

• Click NEW to create a parent network

© 2013 Aerohive Networks CONFIDENTIAL 369


LAB: Assign VLAN-to-subnet – router interfaces
4. Define the Parent Network and subnetworks

• IP Network:
10.2XX.0.0/16
NOTE: This is the parent
network that will be
partitioned to create a
10.1XX.0.0/16
•number of IP subnets
determined by moving
the slider bar. The slider
bar is used to set the
number of branches vs.
clients per branch which
defines the subnet mask
for each subnet.
Moving the slider bar changes the
• Move the slider bar to number of bits in the subnet mask.
select 256 branches and The clients per branch = 253 in this case
253 clients per branch
because 1 IP is reserved for the router,
and then 0 and 255 are not used.
© 2013 Aerohive Networks CONFIDENTIAL 370
LAB: Assign VLAN-to-subnet – router interfaces
5. Enable DHCP

• Check  Enable DHCP


server
NOTE: In most cases, the
router will be the DHCP
server. However, if it is
not, you can disable the
DHCP service and this
network definition will
only be used to
configure the router
interface IP addresses.
• For the DHCP Address
Pool, move the slider bar
to reserve 10 IP addresses
at the start of the address
pool that can be defined
statically.
• Click Save
© 2013 Aerohive Networks CONFIDENTIAL 371
LAB: Assign VLAN-to-subnet – router interfaces
6. Verify and save the Subnetwork

• Click Save
• Ensure your policy is highlighted and click OK

© 2013 Aerohive Networks CONFIDENTIAL 372


Networks for Guest Use
• All guest stations at each branch office use the same IP subnet
• All guest traffic destined to the Internet is network address translated
to the unique IP address of the router WAN interface

WAN:
HQ 1.3.2.90
Network:
Guest Use
BR100

Cloud VPN
Gateway Network 192.168.83.0/24 (Guest Use)
DHCP: IP Range 192.168.83.10 – 192.168.83.244
Internet Default Gateway: 192.168.83.1
DNS: 192.168.83.1 (Router is DNS Proxy)

WAN:
2.50.33.5
WAN:
2.1.1.20 BR100
BR100

Network 192.168.83.0/24 (Guest Use) Network 192.168.83.0/24 (Guest Use)


DHCP: IP Range 192.168.83.10 – 192.168.83.244 DHCP: IP Range 192.168.83.10 – 192.168.83.244
Default Gateway: 192.168.83.1 Default Gateway: 192.168.83.1
DNS: 192.168.83.1 (Router is DNS Proxy) DNS: 192.168.83.1 (Router is DNS Proxy)
© 2013 Aerohive Networks CONFIDENTIAL
LAB: Assign VLAN-to-subnet – router interfaces
7. Select VLAN 8 and create guest network

• Next to VLAN , click Choose

• Click New

© 2013 Aerohive Networks CONFIDENTIAL 374


LAB: Assign VLAN-to-subnet – router interfaces
8. Create the Guest network

• Name:
192.168.83.0-Guest-X
• Web Security: None
• DNS Service: Class
• Network Type to:
Guest Use
• Guest Use Network:
192.168.83.0/24
• DHCP Address Pool,
reserve the first 10
• Check  Enable
DHCP server
NOTE: Devices assigned to a Guest Use network are
restricted from access the corporate VPN or from
initiating communication to corporate devices
© 2013 Aerohive Networks CONFIDENTIAL 375
LAB: Assign VLAN-to-subnet – router interfaces
9. Save the Guest network

• Verify your settings


• Click Save
• Click OK
© 2013 Aerohive Networks CONFIDENTIAL 376
Verify Subnet Assignments for
Router Interfaces

• You should have a network defined for each


of the VLANs specified

© 2013 Aerohive Networks CONFIDENTIAL 377


LAB: Assign VLAN-to-subnet – router interfaces
10. Save your Network Policy

• From the Configure Interfaces &


User Access bar, click Save
© 2013 Aerohive Networks CONFIDENTIAL 378
CHANGE SSID PROFILES

© 2013 Aerohive Networks CONFIDENTIAL 379


Lab: Change SSID Profiles
1. Change SSIDs

• Configure Interface & User Access


• Next to SSIDs, click: Choose

© 2013 Aerohive Networks CONFIDENTIAL 380


Lab: Change SSID Profiles
2. Select Class-PSK-X SSID

Ensure
Class-PSK-X is • Click to deselect
highlighted then the AD-X SSID
click OK
• Ensure the
Class-PSK-X SSID
is selected
• Click OK

© 2013 Aerohive Networks CONFIDENTIAL 381


Lab: Change SSID Profiles
3. Verify settings

• Verify settings
• Click Continue

© 2013 Aerohive Networks CONFIDENTIAL 382


CREATING FILTERS

© 2013 Aerohive Networks CONFIDENTIAL 383


Lab: Device Filters
1. From Configure & Update Devices

Create filters to limit the number of devices displayed


• Click the Configure & Update Devices bar
• Next to Filter, click +

© 2013 Aerohive Networks CONFIDENTIAL 384


Lab: Device Filters
2. Create a filter
You can create and
save filters based on a
lot of criteria
• For this filter
› Set the Device
Model to SR2024
› Set the hostname
to: SR-XX-
› XX is your two digit
student ID: 02-15
› Do not forget the
dash – at the end,
this will ensure your
student ID is the
match
• For Remember This
Filter, enter:
XX-switch-router
© 2013 Aerohive Networks CONFIDENTIAL • Click Search 385
Lab: Device Filters
3. View your Real and Simulated Switch/Routers

• We will be using real and simulated devices in this lab


• With the filter selected, you will see your real, and
simulated switch/routers that all start with SR-XX-

© 2013 Aerohive Networks CONFIDENTIAL 386


UPDATE THE DEVICE
CONFIGURATION
OF YOUR SWITCH/ROUTERS

© 2013 Aerohive Networks CONFIDENTIAL 387


Lab: Update your Switch Configuration
1. Modify your switch

• Check  next to your switch SR-XX-#######


• Click Modify

© 2013 Aerohive Networks CONFIDENTIAL 388


Lab: Update your Switch Configuration
2. Change switch to function as a router

Make the following


settings
• Device Function:
Router
(IMPORTANT)
• Location:
First-Name_Last-
Name
• Network Policy:
Access-X
• When the warning
box appears, click:
OK
• Do NOT save yet

© 2013 Aerohive Networks CONFIDENTIAL 389


Lab: Update your Switch Configuration
3. Specify the Device Classification Tag1

Set the Device


Classification Tag1
so that this device
will be assigned to
networks with
matching tag
definitions
• Under Device
Classification
› Tag1: Site-Xa
Note: The tag you
entered in the
network will
automatically
show up in the list
• Do NOT save yet

© 2013 Aerohive Networks CONFIDENTIAL 390


Lab: Update your Switch Configuration
4. Change WAN port priority settings

NOTE: Check Enable NAT


• Expand Interface and Network Settings
• Set the following priorities:
› USB WAN: Backup2
› Eth1/23 WAN: Backup1
› Eth1/24 WAN: Primary (Please verify that 1/24 is Primary)
• Ensure NAT is enabled on the WAN Interfaces
• Do Not save yet

© 2013 Aerohive Networks CONFIDENTIAL 391


Lab: Update your Switch Configuration
5. Disable RADIUS services

Remove the RADIUS object from earlier lab


• Under Optional Settings, expand Service Settings
• Uncheck ☐Enable the router as a RADIUS Server

© 2013 Aerohive Networks CONFIDENTIAL 392


Lab: Update Router Configuration
6. Save your device settings

• Click Save
© 2013 Aerohive Networks CONFIDENTIAL 393
Lab: Update Router Configuration
7. Update your device settings

• Select  Routers to select all three routers


• Click Update

© 2013 Aerohive Networks CONFIDENTIAL 394


Lab: Update Router Configuration
7. Update your device settings

• Select Update Devices


• Select Perform a
complete configuration
update for all selected
devices
• Click Update

For this class, ALL


Updates should be
Complete
configuration
updates

© 2013 Aerohive Networks CONFIDENTIAL 395


Lab: Update Router Configuration
8. Update your device settings

• Should the Reboot Warning box appear, select OK

Click OK

© 2013 Aerohive Networks CONFIDENTIAL 396


VIEW SUBNET ALLOCATION REPORT

© 2013 Aerohive Networks CONFIDENTIAL 397


Network and Sub Networks
Internal Use
• HiveManager assigns a unique subnet from the network to each
router, including the DHCP settings

HQ
Network
10.102.0.0/16
BR100

Cloud VPN
Gateway
Sub Network 10.102.2.0/24
Internet DHCP: IP Range 10.102.2.10 – 10.102.2.244
Default Gateway: 10.102.2.1
DNS: 10.102.2.1 (Router is DNS Proxy)

BR100
BR100

Sub Network 10.102.0.0/24 Sub Network 10.102.1.0/24


DHCP: IP Range 10.102.0.10 – 10.102.0.244 DHCP: IP Range 10.102.1.10 – 10.102.1.244
Default Gateway: 10.102.0.1 Default Gateway: 10.102.1.1
DNS: 10.102.0.1 (Router is DNS Proxy) DNS: 10.102.1.1 (Router is DNS Proxy)
© 2013 Aerohive Networks CONFIDENTIAL
Lab: Subnet Allocation Report
1. View the IP addresses assigned to the routers

• From Monitor, in the navigation


tree, click Subnetwork Allocation
Note: One
subnet was • Under Network Name, select
assigned via Network-1XX
classification.
The others • From the10.102.0.0/16 parent
assigned network, a different subnet and
dynamically. DHCP Pool was allocated to
each branch router.

© 2013 Aerohive Networks CONFIDENTIAL 399


CLI ROUTER COMMANDS

© 2013 Aerohive Networks CONFIDENTIAL 400


SHOW L3 INTERFACE

From Monitor  Utilities  SSH Client:


show L3 interface

© 2013 Aerohive Networks CONFIDENTIAL 401


TEST WIRELESS LAN ACCESS

© 2013 Aerohive Networks CONFIDENTIAL 402


Lab: Test Wireless LAN Access
1. Connect your computer to the SSID: Class-PSK-X

• Single-click the
wireless icon on
the bottom right
corner of the
windows task bar
• Click your SSID
Class-PSK-X
• Click Connect
› Security Key:
aerohive123
› Click OK

© 2013 Aerohive Networks CONFIDENTIAL 403


Lab: Test Wireless LAN Access
2. View your client information in Wireless Clients

• View your client in the Active


Clients list by going to:
MonitorClientsWireless
Clients
• Notice the VLAN and
network address

© 2013 Aerohive Networks CONFIDENTIAL 404


TEST WIRED LAN SECURE ACCESS

© 2013 Aerohive Networks CONFIDENTIAL 405


Lab: Test LAN Port Access- Secure
1. View your client information in Active Clients

• View your client in the Active


Clients list by going to:
MonitorClientsWired
Clients
• Notice the VLAN and
network address and client
authentication method

© 2013 Aerohive Networks CONFIDENTIAL 406


Lab: Test LAN Port Access
2. Disable 802.1X for wired clients

• In windows 7, you
must enable 802.1X
support
• As an administrator,
from the start menu
type services
• Then click services

© 2013 Aerohive Networks CONFIDENTIAL 407


Lab: Test LAN Port Access
3. Disable 802.1X for wired clients

• Click the
Standard
tab on the
bottom of
the services
panel
• Locate
Wired
AutoConfig
and right-
click
• Click
Properties
© 2013 Aerohive Networks CONFIDENTIAL 408
Lab: Test LAN Port Access
4. Disable 802.1X for wired clients

• Startup type:
Disabled
• Click Stop

© 2013 Aerohive Networks CONFIDENTIAL 409


Lab: Test LAN Port Access
5. Disable 802.1X for wired clients

• Click OK

© 2013 Aerohive Networks CONFIDENTIAL 410


Lab: Test LAN Port Access
6. Clear wired client cache

• Monitor/Clients/Operation:
Deauth Client
• Check  Clear Cache
• Click OK
• Click Yes

© 2013 Aerohive Networks CONFIDENTIAL 411


Lab: Test LAN Port Access
7. Clear wired client cache

• Monitor/Clients/Operation:
Deauth Client
• Check  Clear Cache
• Click OK
• Click Yes

© 2013 Aerohive Networks CONFIDENTIAL 412


Lab: Test LAN Port Access
8. Reset Ethernet adapter

Because the PC has the


wrong IP it will not work,
you can remedy this by
• Right click on Local Area
Connection 3
• Click Diagnose
or
• Disable then Enable
Local Area Connection 3
• Do NOT Disable Local
Area Connection 2
© 2013 Aerohive Networks CONFIDENTIAL 413
Lab: Test LAN Port Access
9. Verify Auth Fail – Guest Network

• Locate Local Area


Connection 3
• Right click
• Click Status
• Click Details
• Why do you see an
IP from the
192.168.83.0
subnet?
› This is the guest
network that is
assigned if
authentication is
not support or fails

© 2013 Aerohive Networks CONFIDENTIAL 414


ROUTE-BASED IPSEC VPN

© 2013 Aerohive Networks CONFIDENTIAL


Aerohive Layer 2 VPN

Remote Site Headquarters

Layer 2 VPN client devices Layer 2 VPN server devices

AP-100 series Internet AP-300 series


128 tunnels

AP-300 series VPN Gateway Virtual Appliance


(L2 Gateway mode)
1024 tunnels

BR-100 (AP mode)

Note: Layer 2 VPNs are taught in the Aerohive Certified WLAN Professional (ACWP)
class

© 2013 Aerohive Networks CONFIDENTIAL 416


Notes Below
Aerohive Layer 3 VPN

Remote Site Headquarters

Layer 3 VPN client devices Layer 3 VPN server

BR-100 router Internet

VPN Gateway
(L3 Gateway mode)
BR-200 router 1024 tunnels

AP 330/350
(router mode)

Aerohive switch
(router mode)

© 2013 Aerohive Networks CONFIDENTIAL 417


Notes Below
Aerohive Route-Based IPSec VPN
Components
Aerohive Routers are Layer 3 IPSec
VPN clients, and provide DHCP,
DNS Proxy, route synchronization,
and RADIUS service, along with
many other features.
VPN Gateway VA
A HiveOS-based Layer 3
IPSec VPN server
that is a Virtual Appliance BR100 BR200
which runs on VMware ESXi Aerohive
Switch
1 VA supports up to 1024 Configured
IPSec VPN tunnels as a Router

HiveAP 330 HiveAP 350


Configured Configured
as a Router as a Router

© 2013 Aerohive Networks CONFIDENTIAL 418


Corporate VPN – HiveManager Allocates
Unique Network Settings For Each Site

Branch Network
HQ Branch
172.28.0.0/16
Corporate Network
Network BR100
10.1.0.0/16
VPN Sub Network 172.28.2.0/24
Gateway Internet DHCP: IP Range 172.28.2.10 – 172.28.2.244
Default Gateway: 172.28.2.1
DNS: 172.28.2.1 (Router is DNS Proxy)

Branch Branch
Network Network
BR100
BR100

Sub Network 172.28.0.0/24 Sub Network 172.28.1.0/24


DHCP: IP Range 172.28.0.10 – 172.28.0.244 DHCP: IP Range 172.28.1.10 – 172.28.1.244
Default Gateway: 172.28.0.1 Default Gateway: 172.28.1.1
DNS: 172.28.0.1 (Router is DNS Proxy) DNS: 172.28.1.1 (Router is DNS Proxy)

© 2013 Aerohive Networks CONFIDENTIAL


Corporate VPN – HiveManager Allocates
Unique Network Settings For Each Site
• Each router builds a VPN to one or two VPN Gateways
• Routes are synchronized between the routers and VPN Gateways
over the VPN using a TCP-based route exchange mechanism

Branch Network
HQ
Corporate
Network BR100
10.1.0.0/16
VPN Sub Network 172.28.2.0/24
Gateway Internet

Branch Network Branch Network

BR100
BR100

Sub Network 172.28.0.0/24 Sub Network 172.28.1.0/24


© 2013 Aerohive Networks CONFIDENTIAL
Route-based VPN
• Routers (VPN clients) ask the VPN Gateway for updated route
information and provide their own route changes over the VPN
tunnel every minute by default using a TCP request
HQ Tunnel C
Corporate
Network
BR100
10.1.0.0/16
VPN
Gateway Local network: 172.28.2.0/24
Route: 10.1.0.0/16 to Corp Router Internet Route: 10.1.0.0/16 through VPN tunnel
Route: 172.28.0.0/24 to VPN tunnel A Route: 172.28.0.0/24 though VPN tunnel
Route: 172.28.1.0/24 to VPN tunnel B Route: 172.28.1.0/24 through VPN tunnel
Route: 172.28.2.0/24 to VPN tunnel C Route: 0.0.0.0/0 to Internet Gateway
Route: 0.0.0.0/0 to Internet Gateway
Tunnel B
BR100
BR100

Tunnel A
Local network: 172.28.0.0/24 Local network: 172.28.1.0/24
Route: 10.1.0.0/16 through VPN tunnel Route: 10.1.0.0/16 through VPN tunnel
Route: 172.28.1.0/24 though VPN tunnel Route: 172.28.0.0/24 though VPN tunnel
Route: 172.28.2.0/24 through VPN tunnel Route: 172.28.2.0/24 through VPN tunnel
Route: 0.0.0.0/0 to Internet Gateway Route: 0.0.0.0/0 to Internet Gateway
© 2013 Aerohive Networks CONFIDENTIAL
VPN GATEWAY VIRTUAL APPLIANCE

© 2013 Aerohive Networks CONFIDENTIAL 422


VPN Gateway Virtual Appliance
General Information
• What is a VPN Gateway Virtual Appliance?
› It is a virtualized version of HiveOS that runs on VMware
ESXi which supports IPSec VPN service, and routing
protocols
• How do you upgrade a VPN Gateway VA?
› VAs can be upgraded using a standard HiveOS software
upgrade from HiveManager, TFTP, or SCP
• How many interfaces does a VPN Gateway VA have - Two
» WAN – used to terminate the VPN from the router VPN
clients, and can be used as a one-armed VPN where it
connects to both the branch networks through the
VPN, and the internal corporate networks.
» LAN – an optional interface that can be used to
connect to an internal network and be the gateway IP
address for corporate traffic to access branch
networks through the VPN
© 2013 Aerohive Networks CONFIDENTIAL 423
VPN Gateway Virtual Appliance on
VMware (ESXi)

• The VA uses the HiveOS, and looks just like an AP when


you log in to it

© 2013 Aerohive Networks CONFIDENTIAL 424


VPN Gateway
Deployment Scenarios – Two Interfaces
Headquarters
Router VPN Gateway Firewall
Inside DMZ Branch Office
IPSec VPN
Internet
LAN (Eth1) WAN (Eth0)
Interface Interface

• VPN Gateway with two interfaces configured


› The LAN interface is connected to the inside network
» Traffic from the inside network destined for an IP address in a branch
office is sent to the LAN interface on the VPN Gateway to be
encrypted and sent through a VPN to a branch office
» Routing protocols, OSPF or RIPv2, can be run on the LAN interface so
that the VPN Gateway can exchange routes with the inside network
router
› The WAN interface is connected to the DMZ or outside network and is
used to terminate the VPNs
© 2013 Aerohive Networks CONFIDENTIAL 425
VPN Gateway
Deployment Scenarios – One Interface
Headquarters
Router VPN Gateway Firewall
Inside
(Clear) DMZ Branch Office
IPSec VPN
Internet
WAN (Eth0) Interface

• VPN Gateway with one interface configured (One Arm)


› The WAN interface is connected to a firewall interface in the DMZ
» Traffic from the inside network destined for an IP address in a
branch office is sent to the firewall which forwards the traffic to
the VPN Gateway as the next hop to the branch office routers
» The VPN Gateway encrypts the traffic and sends the traffic back
to the firewall destined to a branch office router
» You can run statically enter routes, or run a dynamic routing
protocol, OSPF or RIPv2, on the WAN interface to exchange
routes with the firewall
© 2013 Aerohive Networks CONFIDENTIAL 426
Router IPSec VPN Lab
Uses a Single VPN Gateway Interface
Headquarters Firewall Outside Interface
VPN Gateway eth0/0 – 1.2.2.1/24
NAT – 1.2.2.X to 10.200.2.X
Switch Inside DMZ Branch Office
Public 2.1.1.10
IPSec VPN

Port1 Internet
WAN Interface Internal
Eth0- 10.200.2.X/24 Port2
10.102.1.0/24
Gateway: 10.200.2.1 Bridge Group
Interface: 10.5.1.1
HiveManager
10.5.1.20 X=2,3,..,14,15

• In the training lab, the VPN Gateways learn routes via OSPF from the
firewall, which are: 10.5.2.0/24, 10.5.8.0/24, & 10.5.10.0/24
• The firewall learns the routes from the VPN Gateways to all the
branch office routers via OSPF
• The branch office routers exchange their routes with their VPN
Gateways

© 2013 Aerohive Networks CONFIDENTIAL 427


THE NEXT STEPS ARE FOR EXAMPLE
ONLY, DO NOT DOWNLOAD THE
VPN GATEWAY VA IMAGES IN
CLASS, OTHERWISE IT WILL TAKE
TOO LONG

© 2013 Aerohive Networks CONFIDENTIAL 428


Example Only: Downloaded HiveOS-VA
Image From HiveManager
• Please do not download in class!
› To download the VPN Gateway Virtual Appliance image
from HiveManager, go to ConfigurationAll Devices
› Click UpdateAdvancedDownload HiveOS Virtual
Appliance

© 2013 Aerohive Networks CONFIDENTIAL 429


Example Only: Downloaded HiveOS-VA
Image From HiveManager
› Save the VPN Gateway VA image to a directory of
your choice on your hard drive
› Note, the default name is: AH_HiveOS.ova, but you
can rename the file if you like

© 2013 Aerohive Networks CONFIDENTIAL 430


THE NEXT STEPS ARE FOR EXAMPLE
ONLY, DO NOT DEPLOY A VPN
GATEWAY IN CLASS, YOUR VPN
GATEWAY VA IMAGES HAVE
ALREADY BEEN DEPLOYED

If time permits the instructor will


demonstrate the process

© 2013 Aerohive Networks CONFIDENTIAL 431


VPN Gateway Virtual Appliance
Recommended Hardware Configuration

VPN Gateway Virtual Appliance Recommended Hardware Configurations

© 2013 Aerohive Networks CONFIDENTIAL 432


Example Only: Deploy a VPN Gateway in
VMware ESXi

• From the VMware


vSphere client, log
into your ESX/ESXi
server
• Go to File
Deploy OVF
Template
• Locate the
AH_HiveOS.ova file
and click Open

© 2013 Aerohive Networks CONFIDENTIAL 433


Example Only: Deploy a VPN Gateway in
VMware ESXi

• With the
AH_HiveOS.ova file
selected click Next

© 2013 Aerohive Networks CONFIDENTIAL 434


Example Only: Deploy a VPN Gateway in
VMware ESXi

• View the
product
information and
ensure you have
enough disk
space for a think
provisioned
install
› Note: Thick
provisioning
reserves all the
disk space
needed during
the install
• Click Next

© 2013 Aerohive Networks CONFIDENTIAL 435


Example Only: Deploy a VPN Gateway in
VMware ESXi

• Provide a name
for the VPN
Gateway, for
example:
HiveOS-VAXX
XX=02,03,..14,15
› Note: It is a
good idea to
keep this name
relatively small
so it fits better
in the vSphere
client display
• Click Next

© 2013 Aerohive Networks CONFIDENTIAL 436


Example Only: Deploy a VPN Gateway-VA in
VMware ESXi

• Select  Thick
Provisioned
Lazy Zeroed
› Note: You can
choose Eager
Zeroed, but it
will take more
time because
it will fill the
complete disk
space with
0’s, lazy fills
only as space
is needed.
• Click Next

© 2013 Aerohive Networks CONFIDENTIAL 437


Example Only: Deploy a VPN Gateway in
VMware ESXi

In this example, the


VPN Gateways will
only be using the
WAN interface, so
you can use the
same destination
network (virtual
switch port group)
for both
• Select VM
Network for the
WAN and LAN
interfaces
• Click Next

© 2013 Aerohive Networks CONFIDENTIAL 438


Example Only: Deploy a VPN Gateway in
VMware ESXi

• Optionally,
check the box to
 Power on after
deployment
• Click Finish

© 2013 Aerohive Networks CONFIDENTIAL 439


Example Only: Deploy a VPN Gateway in
VMware ESXi

In a moment, the new VPN


Gateway will be up and
running
• Click Close when the
deployment has
completed successfully

© 2013 Aerohive Networks CONFIDENTIAL 440


EXAMPLE: INITIAL CONFIGURATION
OF A VPN GATEWAY VIRTUAL
APPLIANCE

© 2013 Aerohive Networks CONFIDENTIAL 441


Example Only: Initial configuration
of a VPN Gateway Virtual Appliance

• In the vSphere console for the new VPN Gateway


Virtual Appliance
› Type 1 to change the Network Settings and press
enter

© 2013 Aerohive Networks CONFIDENTIAL 442


Example Only: Initial configuration
of a VPN Gateway Virtual Appliance

• Type 2 to
Manually
configure
interface
settings and
press Enter

© 2013 Aerohive Networks CONFIDENTIAL 443


Example Only: Initial configuration
of a VPN Gateway Virtual Appliance
• The startup CLI wizard
is used to set up the IP
address for the WAN
interface on the VA
• The VPN Gateway VA
will need access to
the Internet to access
the license server to
obtain a valid and
unique serial number
• IP for eth0: 10.200.2X
• Netmask Length: [24]
• Gateway: 10.200.2.1
• DNS: 8.8.8.8
• Apply Changes: Yes
© 2013 Aerohive Networks CONFIDENTIAL 444
Example Only: Initial configuration
of a VPN Gateway Virtual Appliance

• The VPN Gateway will check its connection its default


gateway and the Aerohive License server
• For the question: Do you want to reset the networking?
press enter, or type no and press enter
© 2013 Aerohive Networks CONFIDENTIAL 445
Example Only: Initial configuration
of a VPN Gateway Virtual Appliance
• When a VPN Gateway
VA is purchased,
Aerohive generates an
activation code, and
associates it with a
unique serial number
• You will be emailed
your activation code
• When the activation
code is entered, the
VPN Gateway VA will
contact the Aerohive
license server and
obtain a serial number
associated with the
Optionally you can activation key.
use an HTTP proxy

© 2013 Aerohive Networks CONFIDENTIAL 446


Example Only: Initial configuration
of a VPN Gateway Virtual Appliance

• If the
activation
code is valid,
the VPN
Gateway VA
will obtain a
valid and
unique serial
number
• You must then
VPN Gateway
by pressing
enter, or by
typing yes
then enter

© 2013 Aerohive Networks CONFIDENTIAL 447


Example Only: Initial configuration
of a VPN Gateway Virtual Appliance

• After the VPN Gateway VA has


been rebooted, you can login
with:
› Login: admin
› Password: aerohive
• Enter a hostname if you like:
› Hostname HiveOS-VA-X
• If the Serial Number for the VPN
Gateway is not entered into
myhive, then you can configure
the location of its HiveManager
› capwap client server name
10.5.1.20
• Save the configuration
› save config

© 2013 Aerohive Networks CONFIDENTIAL 448


Example Only: Initial configuration
of a VPN Gateway Virtual Appliance

• Just like on an Aerohive


AP or router, you can
verify CAPWAP status by
typing
› show capwap client
• After a minute, you
should see the run state
show that the VPN
Gateway is Connected
securely to the CAPWAP
server
• The CAPWAP server IP
should be your
HiveManager IP: 10.5.1.20

© 2013 Aerohive Networks CONFIDENTIAL 449


Example Only: Initial configuration
of a VPN Gateway Virtual Appliance

Your new VPN gateway will be displayed in


MonitorVPN Gateways

© 2013 Aerohive Networks CONFIDENTIAL 450


LAB: CREATE A ROUTE-BASED
LAYER 3 IPSEC VPN

© 2013 Aerohive Networks CONFIDENTIAL 451


Lab: Create a Route-Based IPSec VPN
1. Create a Layer 3 IPSec VPN

To create a
route-based
IPSec VPN
• Go to
Configuration
• Select your
Network policy:
Access-X and
click OK
• Next to Layer 3
IPSec VPN click
Choose
• In Choose
VPN Profile
click New

© 2013 Aerohive Networks CONFIDENTIAL 452


Lab: Create a Route-Based IPSec VPN
2. Assign your VPN Gateway to the VPN policy

Click
Apply

• Enter a profile name: VPN-X and choose  Layer 3 IPSec VPN


• For VPN Gateway, select: Hive-OS-VA-XX from the drop-down
• External IP address of the VA: 1.2.2.X
• X= your student number
› Note: The external IP is the public address the routers will
contact to access the Virtual Appliance
• Click Apply
© 2013 Aerohive Networks CONFIDENTIAL 453
Lab: Create a Route-Based IPSec VPN
3. Certificate settings

Optionally you can add an


additional VA for disaster recovery
• Expand IPSec VPN
Certificate Authority Settings
• VPN Certificate Authority:
Default_CA.pem
• VPN Server Certificate:
VPN-cert_key_cert.pem
• VPN Server Cert Private Key:
VPN-cert_key_cert.pem

Note: Server certificates for the


VPN were created in the
Click HiveManager Certificate Authority

© 2013 Aerohive Networks CONFIDENTIAL 454


Lab: Create a Route-Based IPSec VPN
4. Verify VPN Settings Then Go To Configure & Update

• Verify the Layer 3 IPSec VPN settings


Note: The WAN IP and Protocol will be updated after
the configuration update is performed
• Click Configure & Update Devices

© 2013 Aerohive Networks CONFIDENTIAL 455


Example: Dynamic Routing on the VA
With OSPF or RIPv2

VA Headquarters Branch Office


DMZ

Internet BR100
WAN Interface Sub Network
Eth0- 10.200.2.X/24 Firewall Inside Interfaces 10.102.1.0/24
Gateway: bgroup0 : 10.5.1.1/24 VLAN 1 OSPF area 0
10.200.2.1 bgroup0.2: 10.5.2.1/24 VLAN 2 OSPF area 0
OSPF area 0.0.0.0 bgroup0.8: 10.5.8.1/24 VLAN 8 OSPF area 0
(same as 0) bgroup0.10: 10.5.10.1/24 VLAN 10 OSPF area 0

• In a one-armed configuration, OSPF or RIPv2 can be


enabled on the WAN interface to dynamically learn
routes from the network (e.g. firewall), and advertise
the routes it learns from the branch sites to the
network (e.g. firewall)
© 2013 Aerohive Networks CONFIDENTIAL 456
Example: Routes Learned via OSPF and
Between the VA and Branch Routers

VA Headquarters
Branch Office 1
DMZ
IPSec VPN to Branch Office 1
Internet BR100
WAN Interface Sub Network
Eth0- 10.200.2.2/24 Firewall Inside Interfaces 10.102.1.0/24
Gateway: 10.200.2.1 bgroup0 : 10.5.1.1/24 VLAN 1 OSPF area 0
Routes to
OSPF area 0.0.0.0 bgroup0.2: 10.5.2.1/24 VLAN 2 OSPF area 0
Headquarters
(same as 0) bgroup0.8: 10.5.8.1/24 VLAN 8 OSPF area 0
through VPN
Routes - Branch 1 bgroup0.10: 10.5.10.1/24 VLAN 10 OSPF area 0
Routes to Branch 1 10.5.1.0/24 to VPN
Through VPN:
10.102.1.0/24 to 10.200.2.2 10.5.2.0/24 to VPN
10.102.1.0/24
10.5.8.0/24 to VPN
Routes - Network: Note: Aerohive uses a 10.5.10.0/24 to VPN
10.5.1.0/24 to 10.200.2.1 TCP-based mechanism through
Local Routes
10.5.2.0/24 to 10.200.2.1 the VPN tunnel to check for
0.0.0.0/0 to Internet
10.5.8.0/24 to 10.200.2.1 route updates between branch
10.5.10.0/24 to 10.200.2.1 sites and the VPN Gateways
0.0.0.0/0 to 10.200.2.1 every minute by default.
© 2013 Aerohive Networks CONFIDENTIAL 457
Lab: Create a Route-Based IPSec VPN
5. Modify the settings for your VPN Gateway

• Choose the Current Policy filter


• Under L3 VPN Gateway, click the link to
modify your VPN Gateway: HiveOS-VA-XX
© 2013 Aerohive Networks CONFIDENTIAL 458
Lab: Create a Route-Based IPSec VPN
6. Modify the IP settings on the VPN Gateway

00

• By default the management Network is set to the Quick Start


Management Network: QS-MGT-172.18.0.0
• Set the IP address of the Eth0 (WAN) Interface: 10.200.2.X/24
X=2,3,..,14,15
• Set the Default Gateway:10.200.2.1 Do not save yet..
© 2013 Aerohive Networks CONFIDENTIAL 459
Lab: Create a Route-Based IPSec VPN
7. Enable OSPF on the VPN Gateway

• Check the box to: 


Enable dynamic routing
and select OSPF
• Set the Eth0 (WAN)
interface to run OSPF so
that it can advertise
and learn routes from
the network, check 
Eth0 (WAN)
• Uncheck
 Eth1(LAN) because
the eth1 interface is not
in use
• Use the default Area:
0.0.0.0 (which is
compatible with area 0)
• Click Save 460
© 2013 Aerohive Networks CONFIDENTIAL
Note: Internal Networks – Required if a
Dynamic Routing Protocol is Not Enabled

• If the VPN Gateway is


configured with static
routes, or just has a single
default gateway to a router,
you can specify which
networks to advertise to the
branch office networks by
specifying Internal Networks
• Any Internal Network defined
here will be advertised to the
branch office networks
through the VPN tunnels so
the branch offices routers
know which networks to
route through the VPN to
headquarters

© 2013 Aerohive Networks CONFIDENTIAL 461


Lab: Create a Route-Based IPSec VPN
8. Upload the Configuration of Your Devices

• Select the Filter: Current Policy


• Select all your devices 
• Click Update

© 2013 Aerohive Networks CONFIDENTIAL 462


Lab: Create a Route-Based IPSec VPN
9. Upload the Configuration of Your Devices

• Select Update Devices


• Select  Perform a
complete configuration
update for all selected
devices
• Click Update

For this class, ALL


Updates should be
Complete
configuration
updates


© 2013 Aerohive Networks CONFIDENTIAL 463
Lab: Create a Route-Based IPSec VPN
10. Upload the Configuration of Your Devices

• When the Reboot Warning box appear, select OK

Click OK

© 2013 Aerohive Networks CONFIDENTIAL 464


Lab: Create a Route-Based IPSec VPN
11. Wait for the update to complete and verify VPN

When the VPN Server and Client Icons are green, then
you know the VPN is up.

465

© 2013 Aerohive Networks CONFIDENTIAL


VPN TROUBLESHOOTING

© 2013 Aerohive Networks CONFIDENTIAL 466


LAB: VPN Troubleshooting
1. Aerohive device VPN Diagnostics

• Go to Monitor Devices All Devices


• Select one of the VPN devices:  SR-0X-######
• Click Utilities...Diagnostics Show IKE Event
• Verify that both Phase 1 an Phase 2 are successful

© 2013 Aerohive Networks CONFIDENTIAL 467


LAB: VPN Diagnostics
2. Aerohive device VPN Diagnostics – Phase 1

• Select one of the VPN devices:  SR-0X-######


• Click Tools...Diagnostics Show IKE Event
Possible problems if Phase 1 fails:
• Certificate problems
• Incorrect Networking settings
• Incorrect NAT settings on external firewall
Possible problems if Phase 2 fails:
• Mismatched transform sets between the client and
server (encryption algorithm, hash algorithm, etc.)

© 2013 Aerohive Networks CONFIDENTIAL 468


LAB: VPN Diagnostics
3. Aerohive device VPN Diagnostics – Phase 1

• Click Tools...
Diagnostics
Show IKE Event
• If you see that phase 1
failed due to a
certificate problem
› Check the time on
the Aerohive devices
» show clock
» show time
› Ensure you have the
correct certificates
loaded on the
Aerohive APs in the
VPN services policy

© 2013 Aerohive Networks CONFIDENTIAL 469


LAB: VPN Diagnostics
4. Aerohive device VPN Diagnostics – Phase 1

• Click Tools...
Diagnostics
Show IKE Event
• If you see that
phase 1 failed due
to wrong network
settings
› Check the IP
settings in the
VPN services
policy
› Check the NAT
settings on the
external firewall

© 2013 Aerohive Networks CONFIDENTIAL 470


LAB: VPN Diagnostics
5. Aerohive device VPN Diagnostics – Phase 1

• Click
Utilities...Diagnostics
Show IKE SA
• Phase 1 has completed
successfully if you reach
step #9
• If Step #9 is not
established then one of
these problems exists:
Certificate problems
Incorrect Networking
settings
Incorrect NAT settings on
external firewall

© 2013 Aerohive Networks CONFIDENTIAL 471


LAB: VPN Diagnostics
6. Aerohive device VPN Diagnostics – Phase 2

• Click Utilities...
Diagnostics
Show IPSec SA
Note: It is clear to see that a
VPN is functional if you see
the tunnel from the MGT0 IP
of the VPN client to the
(NAT) Address of the MGT0
of the VPN Server, and the
reverse. Both use different
SAs (Security Associations)
› State: Mature
• If Phase 2 fails: Check the
encryption & hash settings
on the VPN client and the
VPN server

© 2013 Aerohive Networks CONFIDENTIAL 472


Lab: VPN Diagnostics
7. View the VPN Topology to Verify VPN Status

• In the Layer 3 IPSec


VPN section, click
VPN Topology
• If the devices show
up green with a line
Please Be between them, the
Patient, it will VPN is operational
take a minute or
• Click Refresh if the
two for the VPNs devices are not
to establish green after a
moment

© 2013 Aerohive Networks CONFIDENTIAL 473


VERIFY VPN STATUS AND
DYNAMIC ROUTING

© 2013 Aerohive Networks CONFIDENTIAL 474


Lab: Verify VPN and Dynamic Routing
2. View the VPN Topology to Verify VPN Status

To verify the
routes learned via
OSPF
• Go to Monitor
VPN Gateways
• Check the box
next to your
 HiveOS-VA-XX
• Select
Utilities...
SSH Client

© 2013 Aerohive Networks CONFIDENTIAL 475


Lab: Verify VPN and Dynamic Routing
3. Use CLI Commands to Verify OSPF Routes

• show OSPF route (wait about 10 seconds – press enter twice)


› You should see four OSPF routes in this lab
• show OSPF neighbor (press enter twice)
› You should see at a minimum the firewall at 209.128.124.196 as a
neighbor with a Full/DR state

© 2013 Aerohive Networks CONFIDENTIAL 476


Lab: Verify VPN and Dynamic Routing
4. View the routes on a branch router

To verify the routes learned through the VPN on a branch


router
• Go to MonitorRouters
• Check the box next to your router:
 SR-XX-######
• Select Utilities...DiagnosticsShow IP Routes
© 2013 Aerohive Networks CONFIDENTIAL 477
Lab: Verify VPN and Dynamic Routing
5. View the routes on a branch router

• You should see at a


minimum routes to:
10.5.1.0/24,
10.5.2.0/24,
10.5.8.0/24, and
10.5.10.0/24 all
through the VPN
tunnel0 interface
• High metrics are
used for routes
learned from OSPF
and advertised
though the VPN so
that if the network
exists locally, that will • You will also learn the routes for
be preferred networks at the other branch sites
Note: Higher metrics though the VPN tunnel
have more cost and
are not preferred
© 2013 Aerohive Networks CONFIDENTIAL 478
Copyright ©2011
For Information: This is the OSPF
configuration on the training Juniper SSG

• ssg5-3-lab-> set vr trust


• ssg5-3-lab(trust-vr)-> set protocol OSPF
• ssg5-3-lab(trust-vr/OSPF)-> set enable
• ssg5-3-lab(trust-vr/OSPF)-> exit
• ssg5-3-lab(trust-vr)-> exit
• ssg5-3-lab-> set int bgroup0 protocol OSPF area 0
• ssg5-3-lab-> set int bgroup0 protocol OSPF enable
• ssg5-3-lab-> set int bgroup0.2 protocol OSPF area 0
• ssg5-3-lab-> set int bgroup0.2 protocol OSPF enable
• ssg5-3-lab-> set int bgroup0.8 protocol OSPF area 0
• ssg5-3-lab-> set int bgroup0.8 protocol OSPF enable
• ssg5-3-lab-> set int bgroup0.10 protocol OSPF area 0
• ssg5-3-lab-> set int bgroup0.10 protocol OSPF enable

© 2013 Aerohive Networks CONFIDENTIAL 479


TEST WLAN ACCESS THROUGH THE VPN

The steps for LAN access are similar

© 2013 Aerohive Networks CONFIDENTIAL 480


Lab: Test Wireless LAN Access
1. Connect your computer to the SSID: Class-PSK-X

• Single-click the
wireless icon on
the bottom right
corner of the
windows task bar
• Click your SSID
Class-PSK-X
• Click Connect
› Security Key:
aerohive123
› Click OK

© 2013 Aerohive Networks CONFIDENTIAL 481


Lab: Test WLAN VPN Access
2. Ping a server through the VPN

Headquarters
VPN Gateway Branch Office 1
DMZ
IPSec VPN to Branch Office 1
Internet BR100

From your PC, ping 10.5.1.20, which is a server in Santa


Clara California data center

© 2013 Aerohive Networks CONFIDENTIAL 482


Lab: Test WLAN VPN Access
3. View your client information in Wireless Clients

• From your virtual


PC connect to
HiveManager
through VPN
https://10.5.1.20
• View your client
in the Active
Clients list by
going to:
MonitorClients
Wireless Clients

© 2013 Aerohive Networks CONFIDENTIAL 483


POLICY-BASED ROUTING (PBR)
*A low cost
American beer
that has been
around a long

Not this PBR: time, but was


not popular.
However, over
the last few
years it has
become more
popular in bars
and grocery
stores.
© 2013 Aerohive Networks CONFIDENTIAL 484
Aerohive Policy-Based Routing

HQ
VPN

3G/4G/LTE
Internet • Policy-based routing is
used mainly in
conjunction with the
layer 3 IPSec VPN
tunneling capabilities
Guests
› Though it does not
require VPN

Employees

© 2013 Aerohive Networks CONFIDENTIAL 485


Aerohive Policy-Based Routing

• Policy-based routing
lets you decide how
HQ
VPN traffic is forwarded out
of a router
3G/4G/LTE › Decisions are made
Internet
based on IP
reachability of
tracked IP
addresses and user
profiles
Guests
› Forwarding can be
out any WAN port,
USB wireless, Wi-Fi
Employees connection, or VPN

© 2013 Aerohive Networks CONFIDENTIAL 486


Route-based VPN
Private vs. Internet Traffic
HQ Internet
Branch Office
Corporate
Network Tunnel A BR100
10.1.0.0/16
(Internal) Cloud VPN
Gateway
Route: 10.1.0.0/16 to Corp Router Local network: 172.28.2.0/24
Route 172.28.2.0/24 to VPN Tunnel A Route: 10.1.0.0/16 through VPN tunnel
Route: 0.0.0.0/0 to Internet Gateway Route: 0.0.0.0/0 to Internet Gateway
• Three types of routes in a branch office are
› Private routes – learned over the VPN from the VPN
gateway, such as 10.1.0.0/16 in this example
› Branch routes – to other routers in the branch office,
which can be advertised to HQ over the VPN tunnel
› Internet routes – Essentially the default route 0.0.0.0/0
used to send traffic to the Internet locally from the
branch office
© 2013 Aerohive Networks CONFIDENTIAL
POLICY-BASED ROUTING

© 2013 Aerohive Networks CONFIDENTIAL 488


Policy-Based Routing: Custom Rules
Overview of Fields

• Source and Destination • Forwarding actions


are used to match a determine where to
packet send the packet

© 2013 Aerohive Networks CONFIDENTIAL 489


Policy-Based Routing: Forwarding and
Backup Forwarding Actions

• The backup forwarding action


occurs when the interface used
for the forwarding action goes
down or….
• If specific IP addresses are not
reachable via the interface
used for the forwarding, using
track IP

© 2013 Aerohive Networks CONFIDENTIAL 490


LAB: CREATE A WAN IP TRACKING POLICY

© 2013 Aerohive Networks CONFIDENTIAL 491


Track IP for Router WAN Connectivity

• Uses Ping to track IP


HQ addresses you specify
VPN on the Internet
› For example, you
can track
Internet ntp1.aerohive.com
3G/4G LTE
ntp1.aerohive.com 206.80.44.205
206.80.44.205
• If no response is
received, you can
Track IP make routing
Guests
decisions such as
failing over to wireless
USB (3G/4G LTE)
Employees
© 2013 Aerohive Networks CONFIDENTIAL 492
Lab: WAN IP Tracking
1. Create an IP tracking policy

To configure Policy-Based routing:


Go to Configuration
• Select your Network policy: Access-X and click OK
• Next to Additional Settings click Edit

© 2013 Aerohive Networks CONFIDENTIAL 493


Lab: WAN IP Tracking
2. Create an IP tracking policy

• Expand Service
Settings
• For Track IP Groups
for WAN Interface,
there are two
backup track IP
groups and one
primary
• Next to Primary,
click +

© 2013 Aerohive Networks CONFIDENTIAL 494


Lab: WAN IP Tracking
3. Create an IP tracking policy

• Track IP Group Name:


Track-X
• Under Tracking group
type select For WAN
interface
• Ensure Enable IP tracking
is checked
• For the IP addresses,
enter: 8.8.8.8,4.2.2.2
• Take action when: all
targets become
unresponsive
• Click Save

© 2013 Aerohive Networks CONFIDENTIAL 495


Lab: WAN IP Tracking
4. Create an IP tracking policy

• In Track IP Groups for


WAN Interface
• Select the Primary Track
IP Group: Track-X
• Click Save
• Next you will configure the
routing policy

Note: You can specify Track IP Groups for Backup1


and Backup2 as well. The policy-based routing policy
determines if backup1 fails to backup2, or backup2
fails to a Wi-Fi client connection for example.

© 2013 Aerohive Networks CONFIDENTIAL 496


LAB: CONFIGURE POLICY-BASED ROUTES

© 2013 Aerohive Networks CONFIDENTIAL 497


Lab: Policy-Based Routing
1. Create a Routing Policy

• Expand Router
Settings
• Next to Routing
Policy, click +
© 2013 Aerohive Networks CONFIDENTIAL 498
Note: Policy-Based Routing: Type of Rules

• Here you can specify the type of routing policy rules


› Split Tunnel: Tunnel non-guest traffic to internal (HQ)
routes, drop guest traffic for internal (HQ) routes, and
route all other traffic the local Internet gateway
› Tunnel All: Tunnel all non-guest traffic regardless of its
destination and drop all guest traffic.
› Custom: Define a custom routing policy
© 2013 Aerohive Networks CONFIDENTIAL 499
Lab: Policy-Based Routing
2. Create a Routing Policy

Create
New

• Name: PBR-X
• Under Routing Policies, select Custom
• Click + to add a new policy

© 2013 Aerohive Networks CONFIDENTIAL 500


Lab: Policy-Based Routing
3. Create a Routing Policy

• Source - Type: User Profile, Value: Employee-X


• Destination - Type: Private (routes learned via VPN)
• Forwarding Action: Corporate Network (VPN)
• Backup Forwarding Action: Drop
• Click the save icon next to the right of the policy
© 2013 Aerohive Networks CONFIDENTIAL 501
Lab: Policy-Based Routing
4. Create a Routing Policy

• Click + to create a new policy


• Source - Type: User Profile, Value: Employee-X
• Destination- Type: Any (All other routes)
• Forwarding Action: Primary WAN
• Backup Forwarding Action: Backup WAN-1 (e.g. DSL)
• Click the save icon next to the right of the policy
© 2013 Aerohive Networks CONFIDENTIAL 502
Lab: Policy-Based Routing
5. Create a Routing Policy

• Click + to create a new policy


• Source - Type: User Profile, Value: Voice-X
• Destination – Type: Private (routes learned via VPN)
• Forwarding Action: Corporate Network (VPN)
• Backup Forwarding Action: USB (USB Wireless - LTE)
• Click the save icon next to the right of the policy
© 2013 Aerohive Networks CONFIDENTIAL 503
Lab: Policy-Based Routing
6. Create a Routing Policy

• Click + to create a new policy


• Source - Type: User Profile, Value: Guest-X
• Destination - Type: Private (routes via VPN)
• Forwarding Action: Drop
• Click the save icon next to the right of the policy
© 2013 Aerohive Networks CONFIDENTIAL 504
Lab: Policy-Based Routing
7. Create a Routing Policy

Click the top +

• Click + on top (Note: This is to show an important point)


• Source - Type: User Profile, Value: Guest-X
• Destination - Type: Any
• Forwarding Action: Primary WAN
• Backup Forwarding Action: Drop
• Click the save icon next to the right of the policy
© 2013 Aerohive Networks CONFIDENTIAL 505
Lab: Policy-Based Routing
8. Create a Routing Policy

• Question: What is wrong with this policy?


• Answer: All guest traffic will match the first policy,
and no other policy will be used. Guest traffic may
be able to access the local branch network if not
blocked by firewall policy.
© 2013 Aerohive Networks CONFIDENTIAL 506
Lab: Policy-Based Routing
9. Create a Routing Policy

• Click the User Profile(Guest-X), Any, Primary WAN


policy and drag it to the bottom
• Click Save
• Additional Settings – Save
• Save your Network Policy
© 2013 Aerohive Networks CONFIDENTIAL 507
Policy-Based Routing
Analysis

• Processed top down:


1. User Profile(Employee) when going to a private route
learned through the VPN, send to the VPN
2. User Profile(Employee) when not sending to the VPN will
be sent out through the primary WAN, and if that fails,
out the Backup WAN
© 2013 Aerohive Networks CONFIDENTIAL 508
Policy-Based Routing
Analysis

3. User Profile(Voice) if destined to a route learned


through the VPN, forward through VPN
4. User Profile(Guest) if destined to a route learned
through the VPN, drop
5. User Profile(Guest) when not sending to the VPN will be
sent out through the primary WAN, and if that fails, drop
© 2013 Aerohive Networks CONFIDENTIAL 509
Policy-Based Routing
Policy Used For No Matching Routes

• Question: What happens to traffic that does


not match a policy-base routing rule?
• Answer: The router uses its main destination
routing table. (i.e. standard routing)
© 2013 Aerohive Networks CONFIDENTIAL 510
Policy-Based Routing
Caution in 6.0r2a if not using VPN

• If you are not using VPN, do not create a policy-based


routing using: Source: Any, Destination: Any
• If you do, traffic may get sent back out the WAN as
primary instead instead of being sent to a local route.
• This will be resolved in an upcoming release.
© 2013 Aerohive Networks CONFIDENTIAL 511
POLICY-BASED ROUTING
SIMPLE TEST

© 2013 Aerohive Networks CONFIDENTIAL 512


Instructor Classroom demo

If time permits:
If the instructor has a 3G/4G USB dongle available:
• Start a continuous ping from a classroom laptop that is
communicating through an Aerohive BR-200
• Remove the Ethernet cable from the primary WAN
port
• Wait for up to 60 seconds for the connection to
failover to the cellular network
• Reconnect the Ethernet cable from the primary WAN
port
• Wait for up to 60 seconds for the connection to
fallback to the primary WAN network

© 2013 Aerohive Networks CONFIDENTIAL 513


POLICY-BASED ROUTING
DEFAULT SPLIT TUNNEL

Use if you do not want to create a custom policy and


you have VPN configured

© 2013 Aerohive Networks CONFIDENTIAL 514


Policy-based routing – Split Tunnel Policy

• Source - User Profile


› Any Guest - applies to users or
devices connected to a user profile
assigned to a network with the
network type set to Guest Use
› Any –all other non-guest user profiles

© 2013 Aerohive Networks CONFIDENTIAL 515


Policy-based routing – Split Tunnel Policy
Analysis

• Processed top down


1. Traffic from any guest user profile, going to a route
learned through the VPN or local interface on the
router, drop
2. Any non-guest traffic destined to a route learned
through the VPN, forward through the VPN
3. All other traffic, forward out the Primary WAN interface,
and if that fails, send out the backup WAN interface 516
© 2013 Aerohive Networks CONFIDENTIAL
BRANCH ROUTER 3G/4G MODEM
SETTINGS

© 2013 Aerohive Networks CONFIDENTIAL 517


Branch Router USB Modem Settings

• Wide range of USB modems are supported


• USB modem can be used when triggered by an IP-
tracking policy or can always stay connected
© 2013 Aerohive Networks CONFIDENTIAL 518
Generic USB Modem Support

• Generic USB modem support for BR200, BR100 and the


300 series APs functioning as routers
• Configurable through NetConfig UI
© 2013 Aerohive Networks CONFIDENTIAL 519
COOKIE-CUTTER VPN

© 2013 Aerohive Networks CONFIDENTIAL 520


Cookie Cutter Branch Deployments

HQ

Corporate
Network
10.0.0.0/8 Branch 1: 10.1.1.0/24

• Each site, even with


the same IP
network, can build
a VPN to the Branch 2: 10.1.1.0/24
corporate network

© 2013 Aerohive Networks CONFIDENTIAL


Branch 3: 10.1.1.0/24 521
Cookie Cutter Branch Deployments

HQ

Corporate
Network
10.0.0.0/8 Branch 1: 10.1.1.0/24

• Each site in a branch


can be assigned to
the same IP network Branch 2: 10.1.1.0/24
• How can HQ access
the remote sites?

© 2013 Aerohive Networks CONFIDENTIAL


Branch 3: 10.1.1.0/24 522
Cookie Cutter Branch Deployments

HQ

Corporate
Network
10.0.0.0/8 Branch 1: NAT 10.102.1.0/24 to 10.1.1.0/24

• Each network can


have a unique
subnet allocated for
each site to perform
one to one night for Branch 2: NAT 10.102.2.0/24 to 10.1.1.0/24
every host each
branch office
through the VPN

© 2013 Aerohive Networks CONFIDENTIAL


Branch 3: NAT 10.102.3.0/24 to 10.1.1.0/24
523
Cookie Cutter Branch Deployments
Routing on the VPN Gateway

Corporate Network HQ
10.0.0.0/8 Local

Tunnel Routes Branch 1: NAT 10.102.1.0/24 to 10.1.1.0/24


10.102.1.0/24 tunnel 1
10.102.2.0/24 tunnel 2
10.102.3.0/24 tunnel 3

• The branch routers


advertise their NAT Branch 2: NAT 10.102.2.0/24 to 10.1.1.0/24
subnets to the VPN
Gateways

© 2013 Aerohive Networks CONFIDENTIAL


Branch 3: NAT 10.102.3.0/24 to 10.1.1.0/24
524
Cookie Cutter Branch Deployments

HQ
Corporate
Network
10.0.0.0/8

Branch 1: NAT 10.102.0.0/24 to 10.1.1.0/24


• NAT subnets are unique
subnets per site (non cookie- which NATs:
cutter), and can be mapped 10.102.1.1 to 10.1.1.1
to sites dynamically, or via 10.102.1.2 to 10.1.1.2
device classification ..
10.102.1.255 to 10.1.1.255
• Each NAT IP address can be
access from corporate
through the VPN Branch 2: NAT 10.102.2.0/24 to 10.1.1.0/24
which NATs:
• Each NAT mapping is 10.102.2.1 to 10.1.1.1
bidirectional, so traffic to HQ 10.102.2.2 to 10.1.1.2
will be sourced from each ..
NAT address
10.102.2.255 to 10.1.1.255
etc….
© 2013 Aerohive Networks CONFIDENTIAL
LAB: COOKIE-CUTTER VPN

© 2013 Aerohive Networks CONFIDENTIAL 526


Lab: Cookie Cutter
1. Create a new Employee Network

• Next to VLAN 10, click on your network:


Network-Employee-1XX
• Choose Network, click New
© 2013 Aerohive Networks CONFIDENTIAL 527
Lab: Cookie Cutter
2. Create a new Employee Network

• Enter the network


name:
10.1.1.0-Employee-X
• DNS Service, select
the quick start
automatically
generated object:
Class
• Network Type:
Internal Use
• Under subnetworks
NOTE: This Quick Start DNS Service object click New
sets clients to use the router interface IP as
the DNS server, and will proxy the DNS
requests to the DNS server learned statically
or by DHCP on the WAN interface
© 2013 Aerohive Networks CONFIDENTIAL 528
Lab: Cookie Cutter
3. Replicate the Network

• Select Replicate
the same
subnetwork at
each site
• Local
Subnetwork:10.1.1
.0/24
• Select Use the
first IP address of
the partitioned
subnetwork for the
default gateway NOTE: You can now use the first or last IP
• Do not save yet address for each branch subnet for the
default gateway assigned to the routers for
these subnets

© 2013 Aerohive Networks CONFIDENTIAL 529


Lab: Cookie Cutter
4. Enable DHCP

• Check  Enable DHCP


server
NOTE: In most cases, the
router will be the DHCP
server. However, if it is
not, you can disable the
DHCP service and this
network definition will
only be used to
configure the router
interface IP addresses.

• For the DHCP Address


Pool, move the slider bar
to reserve 10 IP addresses
at the start and end of
the address pool that
can be defined statically.
© 2013 Aerohive Networks CONFIDENTIAL 530
Lab: Cookie Cutter
5. NAT settings

• Check  Enable NAT through the VPN tunnels


• Number of branches: 256
• NAT IP Address Space Pool: 1.1XX.0.0 Mask 16
XX=102,103,..,114,115
• Note: We are using 1.1XX.0.0 instead of 10.1XX,0.0,
because the lab has no more IP space)
© 2013 Aerohive Networks CONFIDENTIAL 531
Copyright ©2011
Lab: Cookie Cutter
6. NAT settings

• Check  Allocate NAT


subnetworks by specific
IP addresses at sites
• Click New
› IP Address: 1.1XX.1.1
› Type: Device Tags
› Value: Site-Xa
(Your Switch)
• Click Apply
NOTE: Any device tag you have defined elsewhere is
automatically populated. You can also start typing to narrow
the value list
With these settings, each site will get assigned to one of the /24
NAT subnets in 1.1XX.0.0/16. Entering a single IP address locks
the NAT IP address and the NAT subnet to which it belongs to a
specific site.

© 2013 Aerohive Networks CONFIDENTIAL 532


Copyright ©2011
Lab: Cookie Cutter
7. Save cookie cutter network

Verify your
settings
• Click Save

© 2013 Aerohive Networks CONFIDENTIAL 533


Lab: Cookie Cutter
7. Review and save

Your network will have one NAT subnetwork:


1.1XX.0.0/16 that will support 256 branches with
253 clients per branch, and subnet 10.1.1.0/24
will be assigned to each site for DHCP

• Click Save
• Click OK
© 2013 Aerohive Networks CONFIDENTIAL 534
Lab: Cookie Cutter
8. Save your network policy and continue

• From the Configure Interfaces & User


Access bar, click Continue

© 2013 Aerohive Networks CONFIDENTIAL 535


PERFORM A COMPLETE UPLOAD

© 2013 Aerohive Networks CONFIDENTIAL 536


Lab: Update Router Configuration
1. Update your routers

• Select the Filter: Current Policy


• Select all your Routers 
• Click Update

© 2013 Aerohive Networks CONFIDENTIAL 537


Lab: Update Router Configuration
2. Update your routers

• Select Update Devices


• Select  Perform a
complete configuration
update for all selected
devices
• Click Update

For this class, ALL


Updates should be
Complete
configuration
updates


© 2013 Aerohive Networks CONFIDENTIAL 538
Lab: Update Router Configuration
3. Update your routers

• When the Reboot Warning box appear, select OK

Click OK

© 2013 Aerohive Networks CONFIDENTIAL 539


VIEW SUBNET ALLOCATION REPORT

© 2013 Aerohive Networks CONFIDENTIAL 540


Cookie Cutter Branch Deployments
Routing on the VPN Gateway

Corporate Network HQ
10.0.0.0/8 Local

Tunnel Routes Branch 1: NAT 10.102.1.0/24 to 10.1.1.0/24


10.102.1.0/24 tunnel 1
10.102.2.0/24 tunnel 2
10.102.3.0/24 tunnel 3

• The branch routers


advertise their NAT Branch 2: NAT 10.102.2.0/24 to 10.1.1.0/24
subnets to the VPN
Gateways

© 2013 Aerohive Networks CONFIDENTIAL


Branch 3: NAT 10.102.3.0/24 to 10.1.1.0/24
541
Lab: Subnet Allocation Report
1. View the IP addresses assigned to the routers

• From Monitor, in the navigation


tree, click Subnetwork Allocation
• Under Network Name, select
10.1.1.0-Employee-X
• Note the unique NAT networks
and the cookie-cutter network

Note: One subnet was assigned via classification. The others assigned dynamically.
© 2013 Aerohive Networks CONFIDENTIAL 542
SIMULATED ROUTER CLEANUP

© 2013 Aerohive Networks CONFIDENTIAL 543


Lab: Remove Simulated Routers
1. Select and remove your simulated routers

The simulated routers were


used to show the subnet
allocation report
Now that you have seen how
subnetworks are allocated to
routers, we can remove the
simulated routers
• From
ConfigurationRouters,
check the box next to
your simulated devices
that start with: SR-02-
SIMU-XXXXXX
• Warning: Do NOT
remove the real router
• Click Device Inventory
and click Remove
• Click Remove from the
warning popup
© 2013 Aerohive Networks CONFIDENTIAL 544
LAYER 3 IPSEC VPN – REDUNDANT
VPN GATEWAYS

© 2013 Aerohive Networks CONFIDENTIAL 545


Router IPSec VPN Lab
Using Two VPN Gateways
Firewall eth0/0 – 209.128.76.30
Headquarters NAT – 209.128.76.28 to 10.1.101.2
VPN Gateway 1 NAT – 209.128.76.29 to 10.1.102.2
LAN 1: 10.1.101.2/24 Firewall eth0/1.1 - 10.1.101.1/24 vlan 101
Protocol OSPF area 0.0.0.1 Protocol OSPF area 0.0.0.1
Firewall eth0/1.2 - 10.1.102.1/24 vlan 102
LAN1 Protocol OSPF area 0.0.0.2
DMZ Protocol OSPF cost 1000
eth0/1
VLAN
LAN 1 VLAN 101 802.1Q eth0/0
102 eth0/2

VPN Gateway 2 Firewall eth0/2 – 10.5.1.1/24


LAN 1: 10.1.102.2/24 Protocol OSPF area 0.0.0.0
Protocol OSPF area 0.0.0.2
Branch Office
Inside Tunnel 1 to 209.128.76.28 pref 1
Tunnel 2 to 209.128.76.29 pref 2
VLAN 10 – 10.1.1.0/24 Employee Net
Internal Network One-to-One Subnet NAT
AD Server Through VPN:
10.5.1.10 10.102.1.0/24 to 10.1.1.0/24
© 2013 Aerohive Networks CONFIDENTIAL (HQ visible IPs) (local IPs) 546
Router IPSec VPN Lab
Using Two VPN Gateways
Firewall
Headquarters FW eth0/0 – 209.128.76.30
NAT – 209.128.76.28 to 10.1.101.2
NAT – 209.128.76.29 to 10.1.102.2
FW eth0/1.1 - 10.1.101.1/24 vlan 101
VPN Gateways Protocol OSPF area 0.0.0.1
VPN Gateway 1 FW eth0/1.2 - 10.1.102.1/24 vlan 102
eth 0 Protocol OSPF area 0.0.0.2
LAN 1: 10.1.101.2/24
Protocol OSPF area 0.0.0.1 Protocol OSPF cost 1000

VPN Gateway 2 DMZ eth0/1 eth0/0


VLAN
LAN 1: 10.1.102.2/24 eth 0 802.1Q
VLAN 101
Protocol OSPF area 0.0.0.2 102
eth0/2

Inside
Internal Network FW eth0/2 – 10.5.1.1/24
AD Server Protocol OSPF area 0.0.0.0
10.5.1.10
• VPN tunnels are built from branch offices to the VPN gateways
• Traffic from the branch offices is decrypted at the VPN gateways and sent to
the DMZ firewall for access to the Internet network
• Traffic destined to IP addresses at branch offices is sent to the firewall, which
looks up the IP and finds the route to VPN gateway which encrypts and sends
through a tunnel to a branch office
© 2013 Aerohive Networks CONFIDENTIAL 547
Cookie Cutter Branch Deployments
Routing on the VPN Gateway

Corporate Network HQ
10.0.0.0/8 Local

Branch 1:
NAT 10.102.1.0/24 to 10.1.1.0/24
Tunnel Routes
10.102.1.0/24 tunnel 1
10.102.2.0/24 tunnel 2

• The branch routers


Branch 2:
advertise their NAT NAT 10.102.1.0/24 to 10.1.1.0/24
subnets to the VPN
Gateways
© 2013 Aerohive Networks CONFIDENTIAL
FW Configuration for Accessing VPN
Gateways 1 and 2

set interface bgroup0.5 tag 101 zone Trust


set interface bgroup0.6 tag 102 zone Trust
set interface bgroup0.5 ip 10.1.101.1/24
set interface bgroup0.6 ip 10.1.102.1/24
set interface bgroup0.5 route
set interface bgroup0.6 route
set int bgroup0.5 protocol OSPF area 0.0.0.1
set int bgroup0.5 protocol OSPF enable
set int bgroup0.6 protocol OSPF area 0.0.0.2
set int bgroup0.6 protocol OSPF enable
set interface "ethernet0/0" mip 209.128.76.28 host 10.1.101.2
set interface "ethernet0/0" mip 209.128.76.29 host 10.1.102.2
set interface "ethernet0/0" mip 209.128.76.28 host 10.1.101.2 netmask
255.255.255.255 vr "trust-vr”
set interface "ethernet0/0" mip 209.128.76.29 host 10.1.102.2 netmask
255.255.255.255 vr "trust-vr”
set policy id 18 from "Untrust" to "Trust" "Any" "MIP(209.128.76.28)" "ANY" permit
set policy id 19 from "Untrust" to "Trust" "Any" "MIP(209.128.76.29)" "ANY" permit

© 2013 Aerohive Networks CONFIDENTIAL 549


CONFIGURING LAYER 3 IPSEC VPN
WITH REDUNDANCY
INSTRUCTOR ONLY – THESE STEPS HAVE
ALREADY BEEN PERFORMED

© 2013 Aerohive Networks CONFIDENTIAL 550


Layer 3 VPN – Instructor Only Steps

• Under Layer 3 IPSec VPN, click Choose

© 2013 Aerohive Networks CONFIDENTIAL 551


Layer 3 VPN – Instructor Only Steps

• Name: Corp-VPN (shared by all network policies in class)


• Layer 3 VPN
• VPN Gateway: VPN-Gateway-1
• External IP: 1.2.2.241
• Click Apply
© 2013 Aerohive Networks CONFIDENTIAL 552
Layer 3 VPN – Instructor Only Steps

Under VPN Gateway Settings


• Click New
• VPN Gateway: VPN-Gateway-2
• External IP: 1.2.2.242
• Click Apply

© 2013 Aerohive Networks CONFIDENTIAL 553


Layer 3 VPN – Instructor Only Steps

• Two new
certificates
were created
for this lab, you
can use those
or the defaults
if the root CA
did not
change
• Click Save

© 2013 Aerohive Networks CONFIDENTIAL 554


Layer 3 VPN – Instructor Only Steps

• From ConfigurationShow Nav  VPN Gateways


• Modify VPN-Gateway-1

© 2013 Aerohive Networks CONFIDENTIAL 555


Layer 3 VPN – Instructor Only Steps

Note: VPN Gateways


are not assigned to a
Network policy, they just
use a Management
network
• ETH0 (WAN)
10.200.2.241/24
• Default Gateway
10.200.2.1
•  Enable Dynamic
Routing
• Select OSPF
• Route Advertisement
 Select Eth0(WAN)
☐ Deselect Eth1 (LAN)
• Area: 0.0.0.0
© 2013 Aerohive Networks CONFIDENTIAL
• Click Save 556
Layer 3 VPN – Instructor Only Steps

• From Configuration VPN Gateways


• Modify VPN-Gateway-2
© 2013 Aerohive Networks CONFIDENTIAL 557
Layer 3 VPN – Instructor Only Steps

Note: VPN Gateways


are not assigned to a
Network policy, they
just use a Management
network
• ETH0 (WAN)
10.200.2.242/24
• Default Gateway
10.200.2.1
•  Enable Dynamic
Routing
• Select OSPF
• Route Advertisement
 Select Eth0(WAN)
☐ Deselect Eth1 (LAN)
• Area: 0.0.0.0
• Click Save

© 2013 Aerohive Networks CONFIDENTIAL 558


Layer 3 VPN – Instructor Only Steps

• Select Update Devices


• Select Perform a
complete configuration
update for all selected
devices
• Click Update

For this class, ALL


Updates should be
Complete
configuration
updates

© 2013 Aerohive Networks CONFIDENTIAL 559


LAB: TWO VPN GATEWAYS

STUDENTS ADD CORP VPN TO THEIR


NETWORK POLICY

© 2013 Aerohive Networks CONFIDENTIAL 560


Lab: Two VPN Gateways
1. Add the Corp-VPN policy

• In your network policy next to Layer 3 IPSec VPN click


Choose

• In your network policy next to


Layer 3 IPSec VPN click Choose
• Select Corp-VPN
• Click OK
• Save the Network Policy
• Click Continue

© 2013 Aerohive Networks CONFIDENTIAL 561


Lab: Two VPN Gateways
2. Select the router

• Choose the current policy filter and select your router


• Click Update Devices and perform a complete upload

© 2013 Aerohive Networks CONFIDENTIAL 562


Lab: Two VPN Gateways
4. Verify the VPN toplogy

• Wait about 5 minutes


• When the VPNs are
established, you can
click the VPN Topology
link to see live VPN status
• Click Refresh to update
the screen
© 2013 Aerohive Networks CONFIDENTIAL 563
BRANCH ROUTER
WAN INTERFACE
NAT PORT FORWARDING

© 2013 Aerohive Networks CONFIDENTIAL 564


Branch Router WAN Interface
NAT Port Forwarding
• Use port forwarding from a public WAN interface on a
branch router to reach a server within a private network
• This works very well for cookie cutter deployments!!
NAT Port Forwarding Rules
Outside: 2.1.1.100:8005  Inside: 10.1.1.5:80
(IP# 5)
Internet Outside: 2.1.1.100:8006  Inside: 10.1.1.6:80
(IP #6)
http://2.1.1.100:8005 Web Server1 Web Server2
WAN: 2.1.1.100
10.1.1.5 10.1.1.6
SR2024 Port 80 Port 80
as
Branc
h
Router PoE

AP AP

© 2013 Aerohive Networks CONFIDENTIAL 565


LAB: CONFIGURE BRANCH ROUTER
WAN INTERFACE NAT PORT FORWARDING

© 2013 Aerohive Networks CONFIDENTIAL 566


LAB: WAN Interface NAT Port Forwarding
1. Modify the Cookie-Cutter Network

• From your network policy, under VLAN-to-


Subnet Assignments for Router Interfaces
› Modify your 10.1.1.0-Employee-X
network
› Click the  icon and select Edit

© 2013 Aerohive Networks CONFIDENTIAL 567


LAB: WAN Interface NAT Port Forwarding
2. Modify the Cookie-Cutter/NAT Network

• Click the link to edit the subnet: 1.1XX.0.0/16

© 2013 Aerohive Networks CONFIDENTIAL 568


LAB: WAN Interface NAT Port Forwarding
3. Enable port forwarding

• In the Network Address Translation (NAT) Settings


section
• Check  Enable port forwarding through the WAN
interfaces

© 2013 Aerohive Networks CONFIDENTIAL 569


LAB: WAN Interface NAT Port Forwarding
4. View Aerohive Ports

• Click View Aerohive Ports to see the ports that are already
in use on Aerohive routers that you cannot use for port
forwarding

© 2013 Aerohive Networks CONFIDENTIAL 570


NOTE: Always have excludes from the DHCP pool

• In order for port


forwarding to work,
you must have
addresses excluded at
the start of the DHCP
pool
• For example, if you
have a web server at
every site that will be
the 5th IP address from
the start of the pool,
e.g. 10.1.1.5, then you
must have the DHCP
exclusion for the first 5
IP addresses so that
10.1.1.5 can be
statically assigned to
the web server
© 2013 Aerohive Networks CONFIDENTIAL 571
LAB: WAN Interface NAT Port Forwarding
5. Create port forwarding rules

• Click New to create a port forwarding


rule

© 2013 Aerohive Networks CONFIDENTIAL 572


LAB: WAN Interface NAT Port Forwarding
6. Create port forwarding rules

• Destination Port Number: 8005


• Local Host IP Address Position: 1
• Internal Host Port Number: 80
• Traffic Protocol: TCP
• Click Apply
© 2013 Aerohive Networks CONFIDENTIAL 573
LAB: WAN Interface NAT Port Forwarding
7. Create port forwarding rules

• Create several more rules


© 2013 Aerohive Networks CONFIDENTIAL 574
LAB: WAN Interface NAT Port Forwarding
8. Create port forwarding rules

• Destination Port: 8005


This is the port clients will
use from the Internet to
access the internal server:
https://WAN-IP:8005
• Click on IP Address
Mapping to see how each
position maps to an
internal cookie-cutter IP
address
• Local host IP address
› The position of the IP
address from the start of
the IP address block
› For /24 subnets, position
1 = .2, position 2 = .3,
etc…
© 2013 Aerohive Networks CONFIDENTIAL 575
LAB: WAN Interface NAT Port Forwarding
9. Review your port forwarding rules

• Review your port


forwarding rules
• Click Save
• Click OK

© 2013 Aerohive Networks CONFIDENTIAL 576


LAB: WAN Interface NAT Port Forwarding
10. Save the network

• Review your Network


• Click Save
• Click OK

© 2013 Aerohive Networks CONFIDENTIAL 577


LAB: WAN Interface NAT Port Forwarding
11. Save your Network Policy

• Click Continue to save your Network


Policy and proceed to device updates
© 2013 Aerohive Networks CONFIDENTIAL 578
LAB: WAN Interface NAT Port Forwarding
12. Select the router

• Choose the current policy filter and select your router


• Click Update Devices and perform a complete upload

© 2013 Aerohive Networks CONFIDENTIAL 579


LAB: WAN Interface NAT Port Forwarding
13. Verify port forwarding rules

• Monitor  Routers
•  Select your Router
• Click on Utilities… SSH Client
• Click on Connect
• Type: show ip iptables nat
© 2013 Aerohive Networks CONFIDENTIAL 580
LAB: WAN Interface NAT Port Forwarding
14. Verify port forwarding rules

• CLI command: sh ip iptables nat

Note: Resize the window to see the port-forwarding rules

© 2013 Aerohive Networks CONFIDENTIAL 581


THE MANAGEMENT NETWORK

© 2013 Aerohive Networks CONFIDENTIAL 582


Aerohive Management Network

• Management Network – Every AP, router, and VPN


gateway, has a logical management interface for:
› CAWAP communication with HiveManager;
› cooperative control protocols like AMRP, and DNXP;
› and management services like SNMP, SYSLOG, SCP,
and SSH.
Internet
interface mgt0 interface mgt0
172.18.0.1/24 172.18.0.3/24
VLAN 1 VLAN 1
BR200 AP

AP
interface mgt0
172.18.0.2/24
VLAN 1
© 2013 Aerohive Networks CONFIDENTIAL 583
Aerohive Management Network

• Management subnets can be assigned to a VLAN


within the unified network policy
© 2013 Aerohive Networks CONFIDENTIAL
Aerohive Management Network

• Just like internal


networks,
management
subnets can
partitioned from a
parent network and
then assigned
dynamically by
HiveManager.
• Management
subnets can also be
assigned with
device classification.

© 2013 Aerohive Networks CONFIDENTIAL


Aerohive Router Interfaces

Ethernet Switch Ports Logical IP Interfaces Router WAN Port


Eth1 – Eth4 mgt0 (Management) Eth0
Layer 2 172.18.0.1/24 192.168.1.10/24
VLAN 1 No VLAN
• Assigned to VLANs and
mgt0.1
Networks by LAN
10.102.0.1/24
Profiles
VLAN 102 - Employee
• May be 802.1Q VLAN mgt0.2
Trunk ports or access 172.16.102.1/24
ports VLAN 202 -Guest

Interfaces mgt0.1 through mgt0.16 may be created,


each supporting routing for a different IP network.
© 2013 Aerohive Networks CONFIDENTIAL 586
ENABLE 802.1Q VLAN TRUNKING
ON A LAN PORT

© 2013 Aerohive Networks CONFIDENTIAL 587


Configuring 802.1Q on a Router Port Policies

BR100 AP
Logical IP Interfaces
mgt0 (Management)
172.18.0.1/24
VLAN 1 802.1Q
mgt0.1 VLAN Logical IP Interface
10.102.0.1/24 Trunk mgt0 (Management)
Employee - VLAN 10 VLANs: 172.18.0.1/24
1 (Native), VLAN 1
mgt0.2 2, 8, 10 Layer 2 Interfaces
10.202.0.1/24 VLAN 1 (Native)
Voice – VLAN 2 SSID: Class-PSK
Note: You should define
mgt0.3 a native network using Employee - VLAN 10
192.168.83.1/24 VLAN 1, which much SSID: Class-Voice
Guest - VLAN 8 match the native VLAN Voice – VLAN 2
mgt0.4 configured for the SSID: Class-Guest
172.28.0.1/25 management interface, Guest – VLAN 8
VLAN 1 (Native) which by default is 1.
© 2013 Aerohive Networks CONFIDENTIAL 588
ROUTER STATEFUL FIREWALL POLICY
MORE THAN JUST THE 5-TUPLE

© 2013 Aerohive Networks CONFIDENTIAL 589


Router Firewall
General Guidelines

• Router firewall is not the same firewall used in User Profiles


for Aerohive access points
• Firewall rules are applied in the branch router for both
wireless and wired traffic
• AP firewall can still be used for wireless clients is so desired
• L7 not yet supported in the router firewall
Internet Router firewall for wired and wireless traffic

Branch Router
AP firewall for wireless traffic only

AP
© 2013 Aerohive Networks CONFIDENTIAL 590
Router Firewall
General Guidelines

• Rules are processed top down and the first matching rule
is used
• After a rule is matched a stateful session is created using:
› Source IP, Destination IP, IP Protocol, Source Port,
Destination Port
› The reverse session is also created for return traffic
• More than just an IP firewall, the router firewall can look at:
› Traffic Source:
» IP Network, IP Range, Network Object,
User Profile, VPN, or IP Wildcard
› Traffic Destination:
» IP Network, IP Range, Network Object,
VPN, IP Wildcard, Hostname
© 2013 Aerohive Networks CONFIDENTIAL 591
Aerohive Stateful Firewall

Router
Inside Web Server

Internet
10.5.1.102 Firewall Policies:
Default Action: Deny 72.20.106.66

HTTP– Initiated from inside the Network to a web server on the Internet
Source IP, Dest IP, Proto, Source Port, Dest Port, Data
10.5.1.102 72.20.106.66 6(TCP) 3456 80 HTTP Get

The stateful firewall engine opens a pinhole for this


session allowing return traffic for this session
HTTP Response is permitted because firewall in router is stateful (Shown after NAT)
Source IP, Dest IP, Proto, Source Port, Dest Port, Data
72.20.106.66 10.5.1.102 6(TCP) 80 3456 HTTP Reply

© 2013 Aerohive Networks CONFIDENTIAL 592


Lab: Router Firewall for Guests
1. Create a Router Firewall Profile

To implement a
router firewall
• In your network
policy, next to
Router Firewall,
click Choose
• In Choose
Firewall click
New

© 2013 Aerohive Networks CONFIDENTIAL 593


Lab: Router Firewall for Guests
2. Create a user profile rule

• Enter a Policy Name:


Firewall-X
• Configure a user
profile-based firewall
policy rule
• Select a source:
User Profile
Guests-X
• Select a destination:
IP Network
10.0.0.0/255.0.0.0
• Service: [-any-]
• Action: Deny
• Logging: Disable
• Click Apply

© 2013 Aerohive Networks CONFIDENTIAL 594


Lab: Router Firewall for Guests
3. Create another user profile rule

Your rule should appear


• Under Policy Rules,
click New
• Configure a user
profile-based firewall
policy rule
• Select a source:
User Profile
Guests-X
• Select a destination:
IP Network
172.16.0.0/255.240.0.0
• Service: [-any-]
• Action: Deny
• Logging: Disable
• Click Apply
© 2013 Aerohive Networks CONFIDENTIAL 595
Lab: Router Firewall for Guests
4. Create one more user profile rule

Your rule should appear


• Under Policy Rules, click
New
• Configure a user profile-
based firewall policy rule
• Select a source:
User Profile
Guest-X
• Select a destination:
IP Network
192.168.0.0/255.255.255.0
• Service: [-any-]
• Action: Deny
• Logging: Disable
• Click Apply

© 2013 Aerohive Networks CONFIDENTIAL 596


Lab: Router Firewall for Guests
5. Create a clean-up allow all rule

Create a clean up rule


• Under Policy Rules,
click New
• Configure a user
profile-based firewall
policy rule
• Select a source:
[-any-]
• Select a destination:
[-any-]
• Service: [-any-]
• Action: Permit
• Logging: Disable
• Click Apply

© 2013 Aerohive Networks CONFIDENTIAL 597


Lab: Router Firewall for Guests
6. Verify your firewall policy rules and save

• Select the radio button for the Default Rule to Deny all
› Note: This is not needed, but it is a good general practice.
• This policy denies access to any private IP address through the router,
and allows everything else
• Also, you can drag and drop the rules to change their order
• Click Save
© 2013 Aerohive Networks CONFIDENTIAL 598
Lab: Router Firewall for Guests
7. Create a Router Firewall Profile

• Verify that your Router Firewall is applied:


Firewall-X
• Click Save
© 2013 Aerohive Networks CONFIDENTIAL 599
Remember this? - Routes Learned via OSPF and
Between the VA and Branch Routers
• Routers (VPN clients) ask the VPN Gateway for updated route
information and provide their own route changes over the VPN
tunnel every minute by default using a TCP request
HQ Tunnel C
Corporate
Network
BR100
10.1.0.0/16
VPN Gateway
Local network: 172.28.2.0/24
Route: 10.1.0.0/16 to Corp Router Internet Route: 10.1.0.0/16 through VPN tunnel
Route: 172.28.0.0/24 to VPN tunnel A Route: 172.28.0.0/24 though VPN tunnel
Route: 172.28.1.0/24 to VPN tunnel B Route: 172.28.1.0/24 through VPN tunnel
Route: 172.28.2.0/24 to VPN tunnel C Route: 0.0.0.0/0 to Internet Gateway
Route: 0.0.0.0/0 to Internet Gateway
Tunnel B
BR100
BR100

Tunnel A
Local network: 172.28.0.0/24 Local network: 172.28.1.0/24
Route: 10.1.0.0/16 through VPN tunnel Route: 10.1.0.0/16 through VPN tunnel
Route: 172.28.1.0/24 though VPN tunnel Route: 172.28.0.0/24 though VPN tunnel
Route: 172.28.2.0/24 through VPN tunnel Route: 172.28.2.0/24 through VPN tunnel
Route: 0.0.0.0/0 to Internet Gateway Route: 0.0.0.0/0 to Internet Gateway
© 2013 Aerohive Networks CONFIDENTIAL
Router Firewall can be used to block
communications between branch offices
• Routers (VPN clients) ask the VPN Gateway for updated route
information and provide their own route changes over the VPN
tunnel every minute by default using a TCP request
HQ Tunnel C
Corporate
Network
BR100
10.1.0.0/16
VPN Gateway
Local network: 172.28.2.0/24
Route: 10.1.0.0/16 to Corp Router Internet Route: 10.1.0.0/16 through VPN tunnel
Route: 172.28.0.0/24 to VPN tunnel A Route: 172.28.0.0/24 though VPN tunnel
Route: 172.28.1.0/24 to VPN tunnel B Route: 172.28.1.0/24 through VPN tunnel
Route: 172.28.2.0/24 to VPN tunnel C Route: 0.0.0.0/0 to Internet Gateway
Route: 0.0.0.0/0 to Internet Gateway
Tunnel B
BR100
BR100

Tunnel A
Local network: 172.28.0.0/24 Local network: 172.28.1.0/24
Route: 10.1.0.0/16 through VPN tunnel Route: 10.1.0.0/16 through VPN tunnel
Route: 172.28.1.0/24 though VPN tunnel Route: 172.28.0.0/24 though VPN tunnel
Route: 172.28.2.0/24 through VPN tunnel Route: 172.28.2.0/24 through VPN tunnel
Route: 0.0.0.0/0 to Internet Gateway Route: 0.0.0.0/0 to Internet Gateway
© 2013 Aerohive Networks CONFIDENTIAL
WEB PROXY FOR SECURING
WEB-BASED TRAFFIC

© 2013 Aerohive Networks CONFIDENTIAL 602


Cloud Proxy – How does it work?

Traffic is forwarded
with client identity
4 to the cloud
security partner
and processed
Aerohive BR confirms based on identity
traffic is not destined 3
2
for resources across Aerohive BR checks
the tunnel and is not if client network is
whitelisted as trusted configured to use
web security

1 Client makes a
HTTP/HTTP request

© 2013 Aerohive Networks CONFIDENTIAL


Web Security Using
Websense Cloud Web Proxy

To configure Cloud Web


Security, from
HiveManager go to
Home
Administration
HiveManager Services
• Check the box next to 
Websense Server Settings
• Check the box next to 
Enable Websense Server
Settings
• Enter the Account ID and
Security key that were
displayed for your
Websense account
• Default Domain:
Note: The default domain is only used if ah-lab.com
users do not authenticate to access • Click Update
the network using a mechanism that
requires a domain name for login
© 2013 Aerohive Networks CONFIDENTIAL
Web Security Using
Websense Cloud Web Proxy
You can use the default
Web Security Whitelist to
specify safe URLs that do
not need to be sent
though web security
• Next to Web Security
Whitelist, select
QS-WebSense-Whitelist
• Click Update
Note: To create your own
whitelist or clone the quick
start whitelists to make your
own additions, go to:
Configuration
Show Nav
Advanced Configuration
Common Objects
Device Domain Objects

© 2013 Aerohive Networks CONFIDENTIAL


Web Security Using Cloud Proxy

To get started with


Cloud Web
Security, from
HiveManager go to
Home
Administration
HiveManager
Services
• Check the box
next to Websense
Server Settings
• Click the “here”
link to sign up for
a free 30-day trial
• Sign up for a free
30-day Websense
trial

© 2013 Aerohive Networks CONFIDENTIAL


LAB: CLOUD PROXY

© 2013 Aerohive Networks CONFIDENTIAL 607


LAB: Cloud proxy
1. Edit employee network settings

• Cloud Web Proxy is enabled within a Network Policy


• You may only want to enable this service for corporate
employees
• Next to your Class-PSK-X SSID, under Network(VLAN) click
your network: 10.1.1.0-Employee-X
• Click on the  icon to edit your network
© 2013 Aerohive Networks CONFIDENTIAL 608
LAB: Cloud proxy
2. Enable web security

• In the network for employees, next to


Web Security, select Websense from the
drop-down menu
• You can keep the option to Deny all
outbound HTTP and HTTPS traffic if
connectivity to the web security server is
lost
• Click Save and then OK
© 2013 Aerohive Networks CONFIDENTIAL 609
LAB: Cloud proxy
3. Edit guest network settings

• Cloud Web Proxy is enabled within a Network Policy


• You may only want to enable this service for corporate
employees
• Next to your Class-PSK-X SSID, under Network(VLAN) click
your network: 192.168.83.0-Guest-X
• Click on the  icon to edit your network
© 2013 Aerohive Networks CONFIDENTIAL 610
LAB: Cloud proxy
4. Enable web security

• In the network for employees, next to


Web Security, select Websense from the
drop-down menu
• You can keep the option to Deny all
outbound HTTP and HTTPS traffic if
connectivity to the web security server is
lost
• Click Save and then OK
© 2013 Aerohive Networks CONFIDENTIAL 611
LAB: Cloud proxy
5. Verify web security

• Note that web security is enabled


• Click Continue to save and go to updates

© 2013 Aerohive Networks CONFIDENTIAL 612


LAB: Cloud proxy
6. Upload policy to branch router

• Update the configuration of your router


• Click Settings to perform a complete update

© 2013 Aerohive Networks CONFIDENTIAL 613


TEST CLOUD WEB SECURITY
INSTRUCTOR DEMO – INSTRUCTOR
MUST HAVE CONFIGURED THE
CLASSROOM ROUTER FOR CLOUD
PROXY

© 2013 Aerohive Networks CONFIDENTIAL 614


Lab: Test LAN Port Web Security
1. Connect your computer to Eth1 on the Router

• Connect the Ethernet Port 2 of your computer to the


ETH2 interface on the router

Class Switch

BR100

© 2013 Aerohive Networks CONFIDENTIAL 615


Lab: Test LAN Port Web Security
2. Open web browser to a website

Class Switch

BR100

• Open a web browser on your remote


computer to a respectable website
• You will be redirected to a captive web portal

© 2013 Aerohive Networks CONFIDENTIAL 616


Lab: Test LAN Port Web Security
3. Login through the captive web portal

• Enter a user name: lanuser


• Password: Aerohive1
• Click Log In
© 2013 Aerohive Networks CONFIDENTIAL 617
Lab: Test LAN Port Web Security
4. Test a web site that is forbidden

• Open a web browser


an try going to:
www.guns.com
• You should be
redirected to a web
page informing that
you were denied from
accessing the site
• This will be denied
because the
Websense policy used
has a rule against sites
that provide
information about,
promote, or support
the sale of weapons
and related items

© 2013 Aerohive Networks CONFIDENTIAL 618


Websense Cloud Web Security Policies

• From the
Websense
Cloud Web
Security login,
you can set
the web
categories
policies, web
content
security, and
much more...
Note: Here you
can see that
there is a rule
blocking
Weapons sites

© 2013 Aerohive Networks CONFIDENTIAL 619


MISC

© 2013 Aerohive Networks CONFIDENTIAL 620


Overwrite protection for NetConfig UI
WAN settings

• The default behavior of of a


branch router originally set up
using the NetConfig UI is
protected from being
overwritten by updates
pushed to it from
HiveManager at a later date.
• To disable the NetConfig UI
settings protection for the BRs,
click Configuration 
Devices, select one or
multiple BRs, and then click
Utilities  Disable NetConfig
UI WAN Configuration.

Protects the NetConfig UI based WAN port


configuration of BR’s and routing devices

© 2013 Aerohive Networks CONFIDENTIAL 621


THANK YOU – REALLY!!

© 2013 Aerohive Networks CONFIDENTIAL 622