PROFESSIONAL (ACNP)
• Course Material Distribution
• Course Times
• Restrooms
• Break room
• Smoking Area
• Break Schedule
› Morning Break
› Lunch Break
› Afternoon Break
http://www.aerohive.com/cbt
http://www.aerohive.com/techdocs
• Please take a moment and register during class if you are not already a member of HiveNation.
Go to http://community.aerohive.com/aerohive and sign up!
© 2013 Aerohive Networks CONFIDENTIAL *Restrictions may apply: time of day, location, etc . 15
Copyright ©2011
Aerohive Technical Support – International
Note: The switch model (2024) used in the lab has been superseded by improved models.
• SR2024
› Line-rate Layer 2 switch
› 8 ports of PoE
› Multi-authentication access ports
» 802.1X with fallback to MAC auth or open
› Client visibility
» View client information by port
› RADIUS server
› Internet router
› DHCP server
› USB 3G/4G backup
› Policy-based routing with identity
• Provides access for: employees, guests, contractors, phones, APs, servers
HiveManager functions: SW, Config & Policy; RF Planner; Topology; Reporting; Heat Maps; SLA Compliance; Guest Mgmt
HiveManager Appliance 2U
• Redundant power & fans
• HA redundancy
• 5000 / 8000 APs
HiveManager Virtual Appliance
• VMware ESX & Player
• HA redundancy
• 5000 / 1500 APs with minimum configuration
HiveManager Online
• Cloud-based SaaS management
Platform comparison
Ethernet: BR100 5x 10/100 | BR200 5x 10/100/1000 | VPN Gateway (physical/virtual) 2x 10/100/1000
PoE PSE: BR100 0 | BR200 2x | VPN Gateway 0
VPN tunnels: VPN Gateway physical/virtual 4000/1024
BR100 | BR200/BR200WP
5x FastEthernet | 5x Gigabit Ethernet
1x1 11bgn (2.4 GHz) single radio | 3x3:3 11abgn dual-band single radio (WP)
No integrated PoE | PoE (in WP model)
No console port | Console port
No spectrum analysis | Integrated spectrum analysis (WP)
No wireless intrusion detection | Full Aerohive WIPS (WP)
No local RADIUS or AD integration | Full Aerohive RADIUS, proxy, and AD
No SNMP logging | SNMP support
USB for future use | USB for 3G/4G modem (remaining columns: USB for future use, N/A)
* Includes 5 GHz Transmit Beamforming and in 2.4 GHz has TurboQAM
VPN Gateway Virtual Appliance
• Supports the following
› GRE Tunnel Gateway
› L2 IPSec VPN Gateway
› L3 IPSec VPN Gateway
› RADIUS Authentication Server
› RADIUS Relay Agent
› Bonjour Gateway
› DHCP server
• Use a VPN Gateway Virtual Appliance instead of an AP when higher scalability for these features is required
Function | Scale
VPN tunnels | 1024 tunnels
RADIUS – local users per VPN Gateway | 9999
# users cache (RADIUS server) | 1024
# simultaneous authentications (RADIUS server) | 256
VPN Gateway Physical Appliance
• Supports the following
› GRE Tunnel Gateway
› L2 IPSec VPN Gateway
› L3 IPSec VPN Gateway
› RADIUS Authentication Server
› RADIUS Relay Agent
› Bonjour Gateway
› DHCP server
• Ports: one 10/100/1000 WAN port; four LAN ports, two of which support PoE
• Use a VPN Gateway Appliance instead of an AP when higher scalability for these features is required
Function | Scale
VPN tunnels | 4000 tunnels
RADIUS – local users per VPN Gateway | 9999
# users cache (RADIUS server) | 1024
# simultaneous authentications (RADIUS server) | 256
QUESTIONS?
[Lab topology diagram: Core – HiveManager, Router; Distribution – VLAN 1 Instructor Space 10.100.1.1/24, VLAN 2 Student Space 10.100.2.1/24, VLAN 8 SR2024 10.100.8.1/24; Access – SR2024, VLAN 10 10.100.10.1/24, PoE to AP and PC for Student 2 … Student X]
SWITCHING
Lab: Setting up a Wireless Network
1. Connect to the Hosted Training HiveManager
• Go to Configuration
• Click the New button
• Name: Access-X
• Check the options for
› Wireless Access
› Switching
› Bonjour
• Click Create
• Note: enabling Branch Routing
» Enables L3 VPN configuration
» Disables L2 VPN configuration gateway
» Enables L3 router firewall policy
» Enables policy-based routing with identity
» Enables router configuration settings in Additional Settings
Network Policy Components
[Diagram: BR200 with APs – small to medium size branch office that may have APs behind the router; BR100 with AP – small branch office or teleworker site]
Network Policy Components
• Bonjour Gateway
› Allows Bonjour services to be seen in multiple subnets
• Switching
› Used to manage wired traffic using Aerohive switches
[Diagram: Internet – SR2024 – PoE APs]
Lab: Setting Up a Wireless Network
4. Create a New SSID Profile
• Go to Network Configuration
• Next to SSIDs, click Choose
• Then click New
• To the right of your SSID, under User Profile, click Add/Remove
• In Choose User Profiles, click the New button
• Ensure the Employee-X user profile is highlighted
• Click Save
2. Switch A forwards the packet on all interfaces except the source interface
• STP
• RSTP
• MSTP
• (R)PVST
CS-Dist-2#show spanning-tree
MST0
Spanning tree enabled protocol mstp
Root ID Priority 12288
Address 000f.23b9.0d80
Cost 0
Port 25 (GigabitEthernet0/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 16384 (priority 16384 sys-id-ext 0)
Address 001f.274c.5180
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- -----
Fa0/24 Desg FWD 200000 128.24 P2p
Gi0/1 Root FWD 200000 128.25 P2p
• Here you can see the Root Priority is 12288
• The switch this command is run on shows a priority of 16384
• So our switch's default priority of 32768 most likely will not cause any harm: the lowest priority value wins the root election, so a bridge at 32768 cannot displace a root at 12288
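As an added illustration of the priority comparison above (not part of the course material), the following Python parses the `show spanning-tree` output quoted on the slide and decides whether a switch added with the default priority 32768 would win the root election. The sample output is a constructed copy of the slide's listing, and the MAC address used for the new switch is a placeholder; only the priority matters unless priorities tie.

```python
import re

# Constructed sample: the `show spanning-tree` output quoted on the slide above.
SAMPLE_OUTPUT = """\
MST0
Spanning tree enabled protocol mstp
Root ID Priority 12288
Address 000f.23b9.0d80
Cost 0
Port 25 (GigabitEthernet0/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 16384 (priority 16384 sys-id-ext 0)
Address 001f.274c.5180
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
"""

DEFAULT_PRIORITY = 32768  # default bridge priority, as stated on the slide


def mac_key(mac):
    """Turn a Cisco-style MAC (000f.23b9.0d80) into an int so MACs compare numerically."""
    return int(mac.replace(".", ""), 16)


def parse_bridge_ids(text):
    """Extract the Root ID and Bridge ID (priority, MAC) pairs from show spanning-tree text.

    Returns {"root": (priority, mac), "bridge": (priority, mac)}.
    """
    lines = [line.strip() for line in text.splitlines()]
    found = {}
    for i, line in enumerate(lines):
        m = re.match(r"(Root|Bridge) ID\s+Priority\s+(\d+)", line)
        if not m:
            continue
        # The Address line follows the Priority line in this output format
        mac = None
        for follow in lines[i + 1:i + 3]:
            am = re.match(r"Address\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})", follow)
            if am:
                mac = am.group(1)
                break
        found[m.group(1).lower()] = (int(m.group(2)), mac)
    if "root" not in found or "bridge" not in found:
        raise ValueError("could not find both Root ID and Bridge ID in output")
    return found


def would_become_root(candidate_priority, candidate_mac, root_priority, root_mac):
    """STP root election: the lowest priority wins, and ties are broken by the lowest MAC."""
    return (candidate_priority, mac_key(candidate_mac)) < (root_priority, mac_key(root_mac))


def check_new_switch(text, new_priority=DEFAULT_PRIORITY, new_mac="0000.0000.0001"):
    """Report whether a switch with the given priority would take over as root bridge.

    new_mac is a constructed placeholder for the switch being added.
    """
    ids = parse_bridge_ids(text)
    root_priority, root_mac = ids["root"]
    return {
        "root_priority": root_priority,
        "local_priority": ids["bridge"][0],
        "new_priority": new_priority,
        "takes_root": would_become_root(new_priority, new_mac, root_priority, root_mac),
    }


if __name__ == "__main__":
    print(check_new_switch(SAMPLE_OUTPUT))                      # default 32768 -> takes_root False
    print(check_new_switch(SAMPLE_OUTPUT, new_priority=8192))  # below 12288 -> takes_root True
```

Run it against a saved copy of the real output before cabling a new switch into the distribution layer; if `takes_root` comes back True, the new switch's priority is lower than the current root's and the topology would reconverge around it.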
[Diagram: SR2024 access/edge switches with PoE APs]
CONFIGURE DEVICE TEMPLATES
FOR DEFINING SWITCH PORT
SETTINGS
• Next to Device Templates, click Choose
• Click New
• Name: SR2024-Default-X
• Click Device Models
• Select SR2024
• Click OK
• For SR2024, when functioning as:
› Select Switch
• Click Save
Note: Here you are not setting the SR2024 to function as a switch. Instead, you are only specifying that this template applies to SR2024s when they are configured to function as a switch. The switch/router function is configured in switch device settings.
Note: You only see Switch as an option, and not Switch and Router, because Routing was not enabled in the selection box when creating this Network Policy.
Lab: Configure Device Templates
3. Save switch template
Aggregates
[Diagram: Aggregate 1 between an SR2024 and two distribution switches, with AP and PC; ESXi Server, Core, HMOL, Distribution]
• In this case, distribution switch 1 and switch 2 will see the same MAC addresses and cause MAC flapping
› i.e. traffic from PC A, for example, might be load balanced to Switch 1 and Switch 2
• In this case, there will also be a loop!
• Aggregates must be built between a pair of switches only!
• Click New
• Name: Trunk-X
• Port Type: 802.1Q
• QoS Classification: Trusted Traffic Source
Note: This means we are trusting the upstream network infrastructure markings
› Map to DSCP or 802.1p
• QoS Marking: Map Aerohive…
› Map to DSCP or 802.1p
• Click Save
Lab: Link Aggregation
2. Save Trunk Port policy
• Click Configure
• For Choose Port Type, select the 802.1Q trunk that you created previously: Trunk-X
• Click OK
[Diagram: ESXi Server with 3CX IP PBX at 10.100.1.?; Core, HMOL, Distribution]
• Click New
• Name: AP-Trunk-X
• Port Type: 802.1Q
• QoS Classification: Trusted Traffic Source
Note: This means we are trusting the upstream network infrastructure markings
› Map to DSCP or 802.1p
• QoS Marking: Map Aerohive…
› Map to DSCP or 802.1p
• Click Save
Lab: Configure Access Point ports
3. Assign AP-Trunk Policy to ports 1 and 2
NOTE: You will only see the interfaces (ports) that have been assigned to a port type
Lab: Configure PoE ports
5. Save your Network Policy
[Diagram: ESXi Server, Core, HMOL, Distribution, APs]
• Click New
Lab: Configure PoE ports for IP phones
3. Phone & Data ports
• Name: Phone-and-Data-X
• Port Type: Phone & Data
• Check Primary authentication using: MAC via PAP
• QoS Classification: Trusted Traffic Sources
Note: This means we are trusting the upstream network infrastructure markings
› Map to DSCP or 802.1p
• QoS Marking: Map Aerohive…
› Map to DSCP or 802.1p
• Click Save
Lab: Configure PoE ports for IP phones
4. Phone & Data ports
[Diagram: ESXi Server, Core, HMOL, Distribution; SR2024 with guest access computers, PoE IP phones and APs]
Configure 2 of the switch ports for open access (switch ports are in a secured room – for testing purposes)
• Use Port 9 and 10
Lab: Configure Open Guest Ports
1. Select ports 9 and 10
• Click New
Lab: Configure Open Guest Ports
3. Create access port
• Name: Guest-X
• Port Type: Access
• Most likely you will not be trusting the DSCP settings on guest devices, so click Untrusted Traffic Sources
• There is no need to mark the traffic for QoS marking
• Click Save
[Diagram: ESXi Server, Core, HMOL, Distribution; SR2024 with employee access computers (802.1X), PoE IP phones and APs]
Configure six of the switch ports for 802.1X authentication
• Use Ports 11-16
• Click New
• Name: Secure-X
• Port Type: Access
• Check the box for: Primary Authentication using 802.1X
• Uncheck ☐ Allow multiple hosts (same VLAN)
• For the ability to preserve markings on PCs for softphones or other important applications, select QoS Classification: Trusted Traffic Sources
• Check the box for QoS Marking: Map Aerohive QoS …
• Select DSCP or 802.1p depending on the upstream switch architecture
• Click Save
• Click New
• Name: Mirror-X
• Port Type: Mirror
• Click Save
• If you move your mouse over one of the defined ports, an option appears to select all ports using this port type (Click Here)
Guest Access
• Ensure Guest-X is selected
• Click Save
• Verify your settings
[Diagram: SR2024 with IP Phone, Data and Switch ports]
• security-object Phone-and-Data-2
• security-object Phone-and-Data-2 security aaa radius-server primary 10.250.1.1 shared-secret ***
• security-object Phone-and-Data-2 security protocol-suite 802.1x
• security-object Phone-and-Data-2 default-user-profile-attr 1
• security-object Phone-and-Data-2 security auth-mode host-based multiple-domain
• interface eth1/3 security-object Phone-and-Data-2
• interface eth1/3 switchport mode trunk
• interface eth1/3 switchport user-profile-attribute 1
• interface eth1/3 qos-classifier Phone-and-Data-2
• interface eth1/3 qos-marker Phone-and-Data-2
• interface eth1/3 pse profile QS-PSE
• no interface eth1/3 spanning-tree enable
• no interface eth1/3 link-discovery cdp receive enable
• user-profile Default qos-policy def-user-qos vlan-id 1 attribute 1
• user-profile Employee-2 qos-policy def-user-qos vlan-id 10 attribute 10
• user-profile Voice-2 qos-policy def-user-qos vlan-id 2 attribute 2
• user-profile Guest-2 qos-policy def-user-qos vlan-id 8 attribute 100
• security-object Phone-and-Data-2
• security-object Phone-and-Data-2 security aaa radius-server primary 10.250.1.1 shared-secret ***
• security-object Phone-and-Data-2 security additional-auth-method mac-based-auth
• security-object Phone-and-Data-2 default-user-profile-attr 1
• security-object Phone-and-Data-2 security auth-mode host-based multiple-domain
• security-object Phone-and-Data-2 security initial-auth-method mac-based-auth
• interface eth1/3 security-object Phone-and-Data-2
• interface eth1/3 switchport mode trunk
• interface eth1/3 switchport user-profile-attribute 1
• interface eth1/3 qos-classifier Phone-and-Data-2
• interface eth1/3 qos-marker Phone-and-Data-2
• interface eth1/3 pse profile QS-PSE
• no interface eth1/3 spanning-tree enable
• no interface eth1/3 link-discovery cdp receive enable
• user-profile Default qos-policy def-user-qos vlan-id 1 attribute 1
• user-profile Employee-2 qos-policy def-user-qos vlan-id 10 attribute 10
• user-profile Voice-2 qos-policy def-user-qos vlan-id 2 attribute 2
• user-profile Guest-2 qos-policy def-user-qos vlan-id 8 attribute 100
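To make the two listings above easier to compare, here is an added Python audit script (not Aerohive's code and not part of the course) that parses lines in this form and reports, per port, which authentication methods the bound security-object enforces, which VLAN the default user-profile attribute maps to, and anything weaker than the 802.1X-with-RADIUS baseline the lab builds. The configuration text is a constructed copy of the listings above with the bullets removed; the parser recognises only the keywords those lines show.

```python
# Constructed copy of the switch configuration lines listed above (bullets removed,
# wrapped lines rejoined). The second variant differs only in its authentication lines.
CONFIG_DOT1X = """\
security-object Phone-and-Data-2
security-object Phone-and-Data-2 security aaa radius-server primary 10.250.1.1 shared-secret ***
security-object Phone-and-Data-2 security protocol-suite 802.1x
security-object Phone-and-Data-2 default-user-profile-attr 1
security-object Phone-and-Data-2 security auth-mode host-based multiple-domain
interface eth1/3 security-object Phone-and-Data-2
interface eth1/3 switchport mode trunk
interface eth1/3 switchport user-profile-attribute 1
interface eth1/3 pse profile QS-PSE
no interface eth1/3 spanning-tree enable
user-profile Default qos-policy def-user-qos vlan-id 1 attribute 1
user-profile Employee-2 qos-policy def-user-qos vlan-id 10 attribute 10
user-profile Voice-2 qos-policy def-user-qos vlan-id 2 attribute 2
user-profile Guest-2 qos-policy def-user-qos vlan-id 8 attribute 100
"""

CONFIG_MAC_AUTH = CONFIG_DOT1X.replace(
    "security-object Phone-and-Data-2 security protocol-suite 802.1x\n",
    "security-object Phone-and-Data-2 security additional-auth-method mac-based-auth\n"
    "security-object Phone-and-Data-2 security initial-auth-method mac-based-auth\n",
)


def parse_config(text):
    """Parse security-object, interface and user-profile lines into three dicts."""
    objects, interfaces, profiles = {}, {}, {}
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        negated = tokens[0] == "no"        # e.g. "no interface eth1/3 spanning-tree enable"
        if negated:
            tokens = tokens[1:]
        kind, name, rest = tokens[0], tokens[1], tokens[2:]
        if kind == "security-object":
            obj = objects.setdefault(name, {"radius": None, "protocol_suite": None,
                                            "auth_methods": set(), "default_attr": None})
            if rest[:3] == ["security", "aaa", "radius-server"]:
                obj["radius"] = rest[4]
            elif rest[:2] == ["security", "protocol-suite"]:
                obj["protocol_suite"] = rest[2]
            elif rest[:2] in (["security", "initial-auth-method"],
                              ["security", "additional-auth-method"]):
                obj["auth_methods"].add(rest[2])
            elif rest[:1] == ["default-user-profile-attr"]:
                obj["default_attr"] = int(rest[1])
        elif kind == "interface":
            iface = interfaces.setdefault(name, {"security_object": None, "stp": True})
            if rest[:1] == ["security-object"]:
                iface["security_object"] = rest[1]
            elif rest[:2] == ["spanning-tree", "enable"]:
                iface["stp"] = not negated
        elif kind == "user-profile":
            # user-profile NAME qos-policy POLICY vlan-id N attribute M
            vlan = int(rest[rest.index("vlan-id") + 1])
            attr = int(rest[rest.index("attribute") + 1])
            profiles[attr] = {"name": name, "vlan": vlan}
    return objects, interfaces, profiles


def audit_port(iface_name, objects, interfaces, profiles):
    """Summarise what a port enforces and flag settings weaker than 802.1X with RADIUS."""
    iface = interfaces[iface_name]
    obj = objects.get(iface["security_object"])
    findings = []
    if obj is None:
        return {"auth_methods": [], "default_vlan": None,
                "findings": ["no security-object bound: port is open"]}
    methods = set(obj["auth_methods"])
    if obj["protocol_suite"] == "802.1x":
        methods.add("802.1x")
    if not methods:
        findings.append("no authentication method configured")
    elif "802.1x" not in methods:
        findings.append("MAC-based authentication only (no 802.1X)")
    if obj["radius"] is None:
        findings.append("no RADIUS server configured")
    if not iface["stp"]:
        findings.append("spanning-tree disabled on this port")
    default = profiles.get(obj["default_attr"])
    return {"auth_methods": sorted(methods),
            "default_vlan": default["vlan"] if default else None,
            "findings": findings}


if __name__ == "__main__":
    for label, cfg in (("802.1X", CONFIG_DOT1X), ("MAC auth", CONFIG_MAC_AUTH)):
        print(label, audit_port("eth1/3", *parse_config(cfg)))
```

The default user-profile attribute is resolved through the `user-profile` lines, so the summary shows which VLAN a host lands in when RADIUS returns no attribute (VLAN 1 here); that is the value to check whenever a port's default profile is changed.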
Overview
• Create a network policy for voice
• Enter a name for the voice policy, and click Next
• Click Add to specify a condition
• Select Windows Groups
• Click Add
• Click Next
• Select Access granted
• Click Add
• Select Microsoft: Protected EAP (PEAP)
• Click OK
• Click Next
• For constraints, click Next
• Remove attributes that are not needed:
› Select Framed-Protocol, and click Remove
› Select Service-Type, and click Remove
• Under RADIUS Attributes, select Vendor Specific
• Under Vendor, select Cisco
• Click Add
• Click Add again
• Attribute value: device-traffic-class=voice
• Click OK
• Click OK
• Click Next
• Click Finish
Create a new policy for employee access
• Policy name: Wireless or Wired Employee Access
• Click Next
Verify Settings
• Location: <FirstName_LastName>
• Topology Map: Classroom
• Network Policy: Access-X
• Click Yes
• Click OK
Lab: Test Hosted Client Access to SSID
Test SSID Access at Hosted Site
[Diagram: Core – ESXi Server (Internet – HM VA); Distribution; Access – SR2024, PoE Ethernet to AP, Wi-Fi to hosted PC]
• Use VNC client to access Hosted PC:
› password: aerohive
• From the hosted PC, you can test connectivity to your SSID
Lab: Test Hosted Client Access to SSID
1. For Windows: Use TightVNC client
• Click to send a control-alt-delete
• Login: AH-LAB\user
• Password: Aerohive1
• Click the right arrow to log in
• Single-click the wireless icon on the bottom right corner of the Windows task bar
• Click your SSID Class-PSK-X
• Click Connect
› Security Key: aerohive123
› Click OK
Three Different VLANs are Possible in This Configuration
• In Windows 7, you must enable 802.1X support
• As an administrator, from the Start menu type services
• Then click Services
• Click the Standard tab on the bottom of the Services panel
• Locate Wired AutoConfig and right-click
• Click Properties
• Click Automatic
• Click Start
• Click OK
Authentication Entities:
Protocol-suite=802.1X;Auth-mode=port-based; Failure-UID=100;
Dynamic-VLAN=10;
If you need to troubleshoot, you can view Local Area Connection 3
• From the Start menu, type view network
• Right-click Local Area Connection 3, and click Diagnose
› This will reset the adapter, clear the caches, etc.
• Monitor > Switches
• Click on the hostname of the switch
• System Details
• Utilities… > Statistics > Interface
• Utilities… > Diagnostics > Show PSE
NOTE: If you get the same IP subnet for each of the VLANs, that is a sign that the switch uplink port is connected to an access port, not a trunk port like it should be.
Client Monitor
HiveManager Root CA Certificate
Location and Uses
• To view certificates, go to Configuration, click Show Nav, then go to Advanced Configuration > Keys and Certificates > Certificate Mgmt
• This root CA certificate is used to:
› Sign the CSR (certificate signing request) that the HiveManager creates on behalf of the AP acting as a RADIUS or VPN server
› Validate Aerohive AP certificates to remote clients
» 802.1X clients (supplicants) will need a copy of the CA certificate in order to trust the certificates on the Aerohive AP RADIUS server(s)
• Root CA cert name: Default_CA.pem
• Root CA key name: Default_key.pem
• The certificate and key file name is: switch-X_key_cert.pem
• QUIZ
› Which CA signed this Aerohive switch server key?
• From Configuration, select your Network Policy: Access-X
• Click OK and then Continue
Lab: Switch Active Directory Integration
2. Select your Network Policy
• Name: SR-radius-X
• Expand Database Settings
• Uncheck Local Database
• Check External Database
• Under Active Directory, click + to define the RADIUS Active Directory Integration Settings
• Name: AD-X
• Aerohive device for Active Directory connection setup: select your switch, SR-0X-#####
› This will be used to test Active Directory integration
› Once this switch is working, it can be used as a template for configuring other Aerohive device RADIUS servers with Active Directory integration
• The IP settings for the selected Aerohive switch are gathered and displayed
Lab: Switch Active Directory Integration
6. Modify DNS settings
• Domain: ah-lab.local
• Click Retrieve Directory Information
› The Active Directory server IP will be populated, as well as the BaseDN used for LDAP user lookups
Lab: Switch Active Directory Integration
8. Specify Domain and Retrieve Directory Information
• Click Save
• Click Save
NOTE: Your Aerohive switch will have an icon displayed showing that it is a RADIUS server.
• Profile Name: Class-AD-X
• SSID: Class-AD-X
• Under SSID Access Security, select WPA/WPA2 802.1X (Enterprise)
• Click Save
• Click to deselect Class-PSK-X
• RADIUS Name: SWITCH-RADIUS-X
• IP Address/Domain Name: 10.5.1.7X (02 = 72, 03 = 73, … 12 = 82, 13 = 83)
• Leave the Shared Secret empty
NOTE: When the Aerohive device is a RADIUS server, devices in the same Hive automatically generate a shared secret
• Click Apply when done!
• Click Save
Lab: Switch RADIUS w/ AD Integration
6. Select User Profiles
• In the Authentication tab, select (highlight) Employee-X
› NOTE: The (User Profile Attribute) is appended to the User Profile Name in the Authentication tab
• Click Save
• Click OK
QUESTIONS?
• In the Certificate Import Wizard, click Next
• Click Place all certificates in the following store
• Click Browse
• Click Finish
• Click Yes
• Click OK
For Windows 7 Supplicants
• In your Network Policy, you defined an SSID with two user profiles
› Employees(1)-1 – set if no RADIUS attribute is returned
» This user profile, for example, is for general employee staff, and they get assigned to VLAN 1
› Employee(10)-X – set if a RADIUS attribute is returned
» This user profile, for example, is for privileged employees, and they get assigned to VLAN 10
• Because the switch RADIUS server is using AD to authenticate the users, and AD does not return RADIUS attributes, how can we assign users to different user profiles?
• Though AD does not return RADIUS attributes, it does return other attribute values, like MemberOf, which is a list of the AD groups to which the user belongs
Instructor Only: Confirm User is a member of the Wireless AD Group
• Click OK
Lab: Use AD to Assign User Profile SSID
5. Disconnect and Reconnect to the Class-AD SSID
• From Configuration, next to your Network Policy Access-X, click the sprocket icon
• Click Edit
• Next to Device Templates, click Choose
• Select your SR2024-Default-X device template (configured as switch)
• Click the sprocket icon
• Click Clone
• Name: SR2024-Router-Default-X
• Change the function to Router
• Click Save
[Diagram: BR200-WP and AP330 as router]
When the switch is a router, you must configure at least one port as a WAN port
• Click New
• Name: WAN-X
• Select WAN
• Click Save
• With WAN-X selected, click OK
• The USB port, Port 23, and Port 24 will now display a WAN (cloud) icon (USB does not display the cloud icon in this version of code)
Switch Settings: these will be configured later.
[Diagram: HQ Network 10.102.0.0/16 – Cloud VPN Gateway – Internet – BR100 branch routers; Sub Network 10.102.2.0/24, DHCP IP range 10.102.2.10 – 10.102.2.244, default gateway 10.102.2.1, DNS 10.102.2.1 (router is DNS proxy)]
• Click New
• Name: Net-Employee-1XX (XX = 02, 03, … 15, 16)
• Web Security: None
• DNS Service: Class
• Network Type: Internal Use
• Do not save yet
Note: DNS Service Objects
• IP Network: 10.1XX.0.0/16
[Diagram: Network 10.101.0.0/16 – Internet – BR100 at Site-1c; Sub Network 10.101.25.0/24, DHCP IP range 10.101.25.11 – 10.102.25.254, default gateway 10.101.25.1]
• Define subnets from the IP address space to specific sites
• For example, define the subnets that will be used for Site-1a and Site-1b, but let HiveManager allocate one for Site-1c
• Click New
• IP Network: 10.2XX.0.0/16
NOTE: This is the parent network (10.1XX.0.0/16) that will be partitioned to create a number of IP subnets determined by moving the slider bar. The slider bar is used to set the number of branches vs. clients per branch, which defines the subnet mask for each subnet.
• Move the slider bar to select 256 branches and 253 clients per branch
Moving the slider bar changes the number of bits in the subnet mask. The clients per branch = 253 in this case because 1 IP is reserved for the router, and then 0 and 255 are not used.
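As an added worked example of the slider arithmetic above (written for this page, not HiveManager's code), the Python below partitions a /16 parent network into a given number of branch subnets, computes the 253 usable clients per branch the slide arrives at, pins named sites to chosen subnets while letting the remaining sites take free ones, and derives a DHCP pool after the router's address and a reserved block are held back. The parent network, site names and pinned subnets are constructed values that follow the lab's 10.101.0.0/16 example; the site-pinning and pool rules are this example's own, not a description of HiveManager's allocator.

```python
import ipaddress
import math

# Constructed values following the lab: a /16 parent split into 256 branch subnets,
# with two sites pinned to chosen subnets and a third left for automatic allocation.
PARENT = "10.101.0.0/16"
BRANCHES = 256
PINNED = {"Site-1a": "10.101.25.0/24", "Site-1b": "10.101.26.0/24"}
SITES = ["Site-1a", "Site-1b", "Site-1c"]


def partition(parent, branches):
    """Split `parent` into at least `branches` equal subnets (what the slider bar does)."""
    net = ipaddress.ip_network(parent, strict=True)
    extra_bits = math.ceil(math.log2(branches))   # 256 branches -> 8 bits -> /16 becomes /24
    new_prefix = net.prefixlen + extra_bits
    if new_prefix > 30:
        raise ValueError("too many branches: each subnet would have no usable hosts")
    return list(net.subnets(new_prefix=new_prefix))


def clients_per_branch(subnet):
    """Usable client addresses: total minus network, broadcast and the router's address."""
    return subnet.num_addresses - 3


def dhcp_range(subnet, reserve_first=10):
    """Gateway plus DHCP pool bounds once the router takes the first address and
    `reserve_first` further addresses are held back (assumed rule for this example)."""
    hosts = list(subnet.hosts())          # excludes network and broadcast addresses
    gateway = hosts[0]
    pool = hosts[reserve_first:]          # .11 .. .254 for a /24 with reserve_first=10
    return str(gateway), str(pool[0]), str(pool[-1])


def allocate(parent, branches, sites, pinned):
    """Give pinned sites their chosen subnet and hand free subnets to the remaining sites."""
    subnets = partition(parent, branches)
    assigned, used = {}, set()
    for site, cidr in pinned.items():
        sub = ipaddress.ip_network(cidr)
        if sub not in subnets:
            raise ValueError(f"{cidr} is not one of the partitioned subnets")
        if sub in used:
            raise ValueError(f"{cidr} pinned twice")
        assigned[site] = sub
        used.add(sub)
    free = (s for s in subnets if s not in used)
    for site in sites:
        if site not in assigned:
            assigned[site] = next(free)
    return {site: str(sub) for site, sub in assigned.items()}


if __name__ == "__main__":
    subnets = partition(PARENT, BRANCHES)
    print(len(subnets), "subnets; first:", subnets[0],
          "; clients per branch:", clients_per_branch(subnets[0]))
    print(allocate(PARENT, BRANCHES, SITES, PINNED))
    print(dhcp_range(subnets[25]))   # 10.101.25.0/24 -> gateway .1, pool .11 .. .254
```

Raising the branch count past what the parent can hold is caught by the prefix check: a /16 can be cut into 16384 /30s at most, and anything finer leaves no client addresses, which is the failure mode the slider's coupling of branches and clients-per-branch is there to prevent.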
LAB: Assign VLAN-to-subnet – router interfaces
5. Enable DHCP
• Click Save
• Ensure your policy is highlighted and click OK
[Diagram: HQ WAN 1.3.2.90 – Cloud VPN Gateway – Internet – BR100 routers with WAN 2.50.33.5 and 2.1.1.20; Network 192.168.83.0/24 (Guest Use), DHCP IP range 192.168.83.10 – 192.168.83.244, default gateway 192.168.83.1, DNS 192.168.83.1 (router is DNS proxy)]
• Click New
• Name: 192.168.83.0-Guest-X
• Web Security: None
• DNS Service: Class
• Network Type: Guest Use
• Guest Use Network: 192.168.83.0/24
• DHCP Address Pool: reserve the first 10
• Check Enable DHCP server
NOTE: Devices assigned to a Guest Use network are restricted from accessing the corporate VPN or from initiating communication to corporate devices
LAB: Assign VLAN-to-subnet – router interfaces
9. Save the Guest network
• Ensure Class-PSK-X is highlighted, then click OK
• Click to deselect the AD-X SSID
• Ensure the Class-PSK-X SSID is selected
• Click OK
• Verify settings
• Click Continue
• Click Save
Lab: Update Router Configuration
7. Update your device settings
• Click OK
• In Windows 7, you must enable 802.1X support
• As an administrator, from the Start menu type services
• Then click Services
• Click the Standard tab on the bottom of the Services panel
• Locate Wired AutoConfig and right-click
• Click Properties
Lab: Test LAN Port Access
4. Disable 802.1X for wired clients
• Startup type: Disabled
• Click Stop
• Click OK
• Monitor/Clients/Operation: Deauth Client
• Check Clear Cache
• Click OK
• Click Yes
Note: Layer 2 VPNs are taught in the Aerohive Certified WLAN Professional (ACWP) class
VPN Gateway (L3 Gateway mode) | BR-200 router: 1024 tunnels | AP 330/350 (router mode) | Aerohive switch (router mode)
[Diagram: HQ Corporate Network 10.1.0.0/16 – VPN Gateway – Internet – BR100 branch networks 172.28.0.0/16; Sub Network 172.28.2.0/24, DHCP IP range 172.28.2.10 – 172.28.2.244, default gateway 172.28.2.1, DNS 172.28.2.1 (router is DNS proxy)]
Tunnel A
Branch with local network 172.28.0.0/24:
Route: 10.1.0.0/16 through VPN tunnel
Route: 172.28.1.0/24 through VPN tunnel
Route: 172.28.2.0/24 through VPN tunnel
Route: 0.0.0.0/0 to Internet Gateway
Branch with local network 172.28.1.0/24:
Route: 10.1.0.0/16 through VPN tunnel
Route: 172.28.0.0/24 through VPN tunnel
Route: 172.28.2.0/24 through VPN tunnel
Route: 0.0.0.0/0 to Internet Gateway
VPN GATEWAY VIRTUAL APPLIANCE
[Diagram: VPN Gateway Virtual Appliance – Port1 WAN interface Eth0 10.200.2.X/24 (X = 2, 3, …, 14, 15), gateway 10.200.2.1, to Internet; Port2 internal bridge group interface 10.5.1.1, to 10.102.1.0/24; HiveManager 10.5.1.20]
• In the training lab, the VPN Gateways learn routes via OSPF from the firewall, which are: 10.5.2.0/24, 10.5.8.0/24, & 10.5.10.0/24
• The firewall learns the routes from the VPN Gateways to all the branch office routers via OSPF
• The branch office routers exchange their routes with their VPN Gateways
• With the AH_HiveOS.ova file selected, click Next
• View the product information and ensure you have enough disk space for a thick provisioned install
› Note: Thick provisioning reserves all the disk space needed during the install
• Click Next
• Provide a name for the VPN Gateway, for example: HiveOS-VAXX (XX = 02, 03, … 14, 15)
› Note: It is a good idea to keep this name relatively small so it fits better in the vSphere client display
• Click Next
• Select Thick Provisioned Lazy Zeroed
› Note: You can choose Eager Zeroed, but it will take more time because it will fill the complete disk space with 0's; lazy fills only as space is needed.
• Click Next
• Optionally, check the box to Power on after deployment
• Click Finish
• Type 2 to Manually configure interface settings and press Enter
• If the activation code is valid, the VPN Gateway VA will obtain a valid and unique serial number
• You must then VPN Gateway by pressing Enter, or by typing yes then Enter
To create a route-based IPSec VPN
• Go to Configuration
• Select your Network Policy: Access-X and click OK
• Next to Layer 3 IPSec VPN, click Choose
• In Choose VPN Profile, click New
• Click Apply
[Diagram: VPN Gateway VA at Headquarters – WAN interface Eth0 10.200.2.X/24 (10.200.2.2/24 in the example), gateway 10.200.2.1, OSPF area 0.0.0.0 (same as 0); firewall inside interfaces bgroup0 10.5.1.1/24 VLAN 1, bgroup0.2 10.5.2.1/24 VLAN 2, bgroup0.8 10.5.8.1/24 VLAN 8, bgroup0.10 10.5.10.1/24 VLAN 10, all OSPF area 0; DMZ; IPSec VPN to Branch Office 1 – BR100 with Sub Network 10.102.1.0/24]
Routes – Branch 1: through VPN: 10.5.1.0/24 to VPN, 10.5.2.0/24 to VPN, 10.5.8.0/24 to VPN, 10.5.10.0/24 to VPN; local routes: 10.102.1.0/24; 0.0.0.0/0 to Internet
Routes to Headquarters through VPN – routes to Branch 1 through VPN: 10.102.1.0/24 to 10.200.2.2
Routes – Network: 10.5.1.0/24 to 10.200.2.1, 10.5.2.0/24 to 10.200.2.1, 10.5.8.0/24 to 10.200.2.1, 10.5.10.0/24 to 10.200.2.1, 0.0.0.0/0 to 10.200.2.1
Note: Aerohive uses a TCP-based mechanism through the VPN tunnel to check for route updates between branch sites and the VPN Gateways every minute by default.
Lab: Create a Route-Based IPSec VPN
5. Modify the settings for your VPN Gateway
Lab: Create a Route-Based IPSec VPN
10. Upload the Configuration of Your Devices
• Click OK
When the VPN Server and Client icons are green, then you know the VPN is up.
• Click Tools… Diagnostics > Show IKE Event
• If you see that phase 1 failed due to a certificate problem
› Check the time on the Aerohive devices
» show clock
» show time
› Ensure you have the correct certificates loaded on the Aerohive APs in the VPN services policy
• If you see that phase 1 failed due to wrong network settings
› Check the IP settings in the VPN services policy
› Check the NAT settings on the external firewall
• Click Utilities… Diagnostics > Show IKE SA
• Phase 1 has completed successfully if you reach step #9
• If step #9 is not established, then one of these problems exists:
› Certificate problems
› Incorrect networking settings
› Incorrect NAT settings on the external firewall
• Click Utilities… Diagnostics > Show IPSec SA
Note: It is clear to see that a VPN is functional if you see the tunnel from the MGT0 IP of the VPN client to the (NAT) address of the MGT0 of the VPN server, and the reverse. Both use different SAs (Security Associations).
› State: Mature
• If Phase 2 fails: check the encryption & hash settings on the VPN client and the VPN server
To verify the routes learned via OSPF
• Go to Monitor > VPN Gateways
• Check the box next to your HiveOS-VA-XX
• Select Utilities… SSH Client
[Diagram: Headquarters VPN Gateway – DMZ – IPSec VPN to Branch Office 1 – Internet – BR100; branch router with paths to HQ VPN, 3G/4G/LTE and Internet, serving guests and employees]
• Policy-based routing is used mainly in conjunction with the layer 3 IPSec VPN tunneling capabilities
› Though it does not require VPN
• Policy-based routing lets you decide how traffic is forwarded out of a router
› Decisions are made based on IP reachability of tracked IP addresses and user profiles
› Forwarding can be out any WAN port, USB wireless, Wi-Fi connection, or VPN
• Expand Service Settings
• For Track IP Groups for WAN Interface, there are two backup track IP groups and one primary
• Next to Primary, click +
• Expand Router Settings
• Next to Routing Policy, click +
Note: Policy-Based Routing: Type of Rules
Create New
• Name: PBR-X
• Under Routing Policies, select Custom
• Click + to add a new policy
If time permits:
If the instructor has a 3G/4G USB dongle available:
• Start a continuous ping from a classroom laptop that is communicating through an Aerohive BR-200
• Remove the Ethernet cable from the primary WAN port
• Wait for up to 60 seconds for the connection to fail over to the cellular network
• Reconnect the Ethernet cable to the primary WAN port
• Wait for up to 60 seconds for the connection to fall back to the primary WAN network
[Diagram: HQ Corporate Network 10.0.0.0/8 – Branch 1: 10.1.1.0/24; with NAT, Branch 1: NAT 10.102.1.0/24 to 10.1.1.0/24; Corporate Network HQ 10.0.0.0/8 local]
• Select Replicate the same subnetwork at each site
• Local Subnetwork: 10.1.1.0/24
• Select Use the first IP address of the partitioned subnetwork for the default gateway
NOTE: You can now use the first or last IP address for each branch subnet for the default gateway assigned to the routers for these subnets
• Do not save yet
Verify your settings
• Click Save
• Click Save
• Click OK
Lab: Cookie Cutter
8. Save your network policy and continue
Lab: Update Router Configuration
3. Update your routers
• Click OK
[Diagram: Corporate Network HQ 10.0.0.0/8 local]
Note: One subnet was assigned via classification. The others were assigned dynamically.
SIMULATED ROUTER CLEANUP
Inside
Internal Network FW eth0/2 – 10.5.1.1/24
AD Server Protocol OSPF area 0.0.0.0
10.5.1.10
• VPN tunnels are built from branch offices to the VPN gateways
• Traffic from the branch offices is decrypted at the VPN gateways and sent to the DMZ firewall for access to the Internet
• Traffic destined to IP addresses at branch offices is sent to the firewall, which looks up the IP and finds the route to the VPN gateway; the VPN gateway encrypts the traffic and sends it through a tunnel to the branch office
Cookie Cutter Branch Deployments
Routing on the VPN Gateway
[Diagram: Corporate Network HQ 10.0.0.0/8 (Local); Branch 1: NAT 10.102.1.0/24 to 10.1.1.0/24]
Tunnel Routes:
10.102.1.0/24 tunnel 1
10.102.2.0/24 tunnel 2
• Two new certificates were created for this lab; you can use those, or the defaults if the root CA did not change
• Click Save
• Click View Aerohive Ports to see the ports that are already in use on Aerohive routers that you cannot use for port forwarding
• Monitor Routers
• Select your Router
• Click on Utilities… SSH Client
• Click on Connect
• Type: show ip iptables nat
LAB: WAN Interface NAT Port Forwarding
14. Verify port forwarding rules
[Diagram: AP, interface mgt0 172.18.0.2/24, VLAN 1]
Aerohive Management Network
[Diagram: BR100 Logical IP Interfaces: mgt0 (Management) 172.18.0.1/24 VLAN 1; mgt0.1 10.102.0.1/24 Employee - VLAN 10; mgt0.2 10.202.0.1/24 Voice – VLAN 2; mgt0.3 192.168.83.1/24 Guest - VLAN 8; mgt0.4 172.28.0.1/25 VLAN 1 (Native). 802.1Q Trunk to the AP carrying VLANs 1 (Native), 2, 8, 10. AP Logical IP Interface: mgt0 (Management) 172.18.0.1/24 VLAN 1. AP Layer 2 Interfaces: VLAN 1 (Native); SSID Class-PSK, Employee - VLAN 10; SSID Class-Voice, Voice – VLAN 2; SSID Class-Guest, Guest – VLAN 8]
Note: You should define a native network using VLAN 1, which must match the native VLAN configured for the management interface, which by default is 1.
ROUTER STATEFUL FIREWALL POLICY
MORE THAN JUST THE 5-TUPLE
[Diagram: Branch Router with stateful firewall; AP firewall for wireless traffic only]
Router Firewall
General Guidelines
• Rules are processed top down and the first matching rule is used
• After a rule is matched a stateful session is created using:
› Source IP, Destination IP, IP Protocol, Source Port, Destination Port
› The reverse session is also created for return traffic
• More than just an IP firewall, the router firewall can look at:
› Traffic Source:
» IP Network, IP Range, Network Object, User Profile, VPN, or IP Wildcard
› Traffic Destination:
» IP Network, IP Range, Network Object, VPN, IP Wildcard, Hostname
Aerohive Stateful Firewall
[Diagram: inside host 10.5.1.102 behind the Router; web server 72.20.106.66 on the Internet. Firewall Policies: Default Action: Deny]
HTTP – Initiated from inside the network to a web server on the Internet
Source IP    Dest IP       Proto    Source Port  Dest Port  Data
10.5.1.102   72.20.106.66  6 (TCP)  3456         80         HTTP Get
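The first-match rule processing and 5-tuple session tracking from the Router Firewall guidelines, worked through on the HTTP scenario above as an added example (illustrative code, not Aerohive's firewall implementation). The rule set, the guest-firewall policy from the later lab (deny private destinations, permit everything else) and the guest and probe addresses are constructed for the demonstration; 10.5.1.102, 72.20.106.66 and the AD server 10.5.1.10 are taken from the slides.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    src: str              # source network as CIDR, or "any"
    dst: str              # destination network as CIDR, or "any"
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # destination port, None = any
    action: str           # "permit" or "deny"

def in_net(cidr: str, ip: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

class StatefulFirewall:
    """Top-down first-match rules; a permitted flow creates a session and its reverse."""
    def __init__(self, rules, default="deny"):
        self.rules, self.default = list(rules), default
        self.sessions = set()  # 5-tuples: (src, dst, proto, sport, dport)

    def check(self, src, dst, proto, sport, dport):
        key = (src, dst, proto, sport, dport)
        if key in self.sessions:  # return or continuing traffic of a known session
            return "permit"
        for r in self.rules:  # first matching rule wins
            if (in_net(r.src, src) and in_net(r.dst, dst)
                    and r.proto in ("any", proto) and r.dport in (None, dport)):
                if r.action == "permit":
                    self.sessions.add(key)
                    self.sessions.add((dst, src, proto, dport, sport))  # reverse session
                return r.action
        return self.default  # no rule matched: default action (Deny on the slide)

def http_example():
    """Slide scenario: inside host 10.5.1.102 opens HTTP to 72.20.106.66, default deny."""
    fw = StatefulFirewall([Rule("10.5.1.0/24", "any", "tcp", 80, "permit")])
    out = fw.check("10.5.1.102", "72.20.106.66", "tcp", 3456, 80)    # HTTP Get
    back = fw.check("72.20.106.66", "10.5.1.102", "tcp", 80, 3456)   # reply, matched by session
    probe = fw.check("72.20.106.66", "10.5.1.102", "tcp", 4444, 22)  # unsolicited inbound (constructed)
    return out, back, probe

PRIVATE = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")  # RFC 1918 ranges
def guest_policy(deny_first=True):
    """Guest lab policy: deny private destinations, permit everything else; order matters."""
    deny = [Rule("any", n, "any", None, "deny") for n in PRIVATE]
    permit_all = [Rule("any", "any", "any", None, "permit")]
    fw = StatefulFirewall(deny + permit_all if deny_first else permit_all + deny)
    return (fw.check("172.28.0.10", "10.5.1.10", "tcp", 51000, 445),   # guest (constructed) -> AD server
            fw.check("172.28.0.10", "72.20.106.66", "tcp", 51001, 80))  # guest -> Internet web server
```

With the deny rules dragged below the permit-all rule, the same guest flow to the AD server is permitted, which is why rule order is shown in the lab as something you must verify.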
To implement a router firewall
• In your network policy, next to Router Firewall, click Choose
• In Choose Firewall click New
• Select the radio button for the Default Rule to Deny all
› Note: This is not needed, but it is a good general practice.
• This policy denies access to any private IP address through the router, and allows everything else
• Also, you can drag and drop the rules to change their order
• Click Save
Lab: Router Firewall for Guests
7. Create a Router Firewall Profile
[Diagram: Tunnel A between two branch routers]
Branch with local network 172.28.0.0/24: Route 10.1.0.0/16 through VPN tunnel; Route 172.28.1.0/24 through VPN tunnel; Route 172.28.2.0/24 through VPN tunnel; Route 0.0.0.0/0 to Internet Gateway
Branch with local network 172.28.1.0/24: Route 10.1.0.0/16 through VPN tunnel; Route 172.28.0.0/24 through VPN tunnel; Route 172.28.2.0/24 through VPN tunnel; Route 0.0.0.0/0 to Internet Gateway
Router Firewall can be used to block communications between branch offices
• Routers (VPN clients) ask the VPN Gateway for updated route information and provide their own route changes over the VPN tunnel every minute by default using a TCP request
[Diagram: HQ Corporate Network 10.1.0.0/16 behind the VPN Gateway (BR100); Tunnels A, B and C to three BR100 branch routers; Internet]
VPN Gateway: Route 10.1.0.0/16 to Corp Router; Route 172.28.0.0/24 to VPN tunnel A; Route 172.28.1.0/24 to VPN tunnel B; Route 172.28.2.0/24 to VPN tunnel C; Route 0.0.0.0/0 to Internet Gateway
Branch on Tunnel C, local network 172.28.2.0/24: Route 10.1.0.0/16 through VPN tunnel; Route 172.28.0.0/24 through VPN tunnel; Route 172.28.1.0/24 through VPN tunnel; Route 0.0.0.0/0 to Internet Gateway
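How a packet from one branch reaches another across the tables in the diagram above, as an added illustration (not Aerohive's routing code): a longest-prefix-match lookup over the Branch A and VPN Gateway tables transcribed from the slide. The connected "Local" route for the branch's own subnet is assumed (the slide only shows "Local network: 172.28.0.0/24"), and the destination addresses are constructed.

```python
import ipaddress

# Route tables transcribed from the slide diagram; next hops are labels, not real interfaces.
# The "Local" connected route is an assumption: the slide lists only the local network.
BRANCH_A_ROUTES = [
    ("172.28.0.0/24", "Local"),
    ("10.1.0.0/16", "VPN tunnel"),
    ("172.28.1.0/24", "VPN tunnel"),
    ("172.28.2.0/24", "VPN tunnel"),
    ("0.0.0.0/0", "Internet Gateway"),
]
GATEWAY_ROUTES = [
    ("10.1.0.0/16", "Corp Router"),
    ("172.28.0.0/24", "VPN tunnel A"),
    ("172.28.1.0/24", "VPN tunnel B"),
    ("172.28.2.0/24", "VPN tunnel C"),
    ("0.0.0.0/0", "Internet Gateway"),
]

def lookup(routes, dst):
    """Longest-prefix match: the most specific matching route wins; 0.0.0.0/0 is the fallback."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None

def path_from_branch_a(dst):
    """Hops a packet from Branch A takes: the branch decision, then the gateway's if tunnelled."""
    first = lookup(BRANCH_A_ROUTES, dst)
    if first != "VPN tunnel":
        return (first,)  # delivered locally or sent straight to the Internet
    return (first, lookup(GATEWAY_ROUTES, dst))
```

Branch-to-branch traffic is tunnelled to the gateway and hairpinned into the other branch's tunnel; because the branch router makes the first routing decision, a Router Firewall rule on the branch can drop that traffic before it enters the tunnel.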
WEB PROXY FOR SECURING
WEB-BASED TRAFFIC
[Diagram: web proxy flow from the client through the Aerohive BR to the cloud security partner]
1. Client makes an HTTP/HTTPS request
2. Aerohive BR checks if the client network is configured to use web security
3. Aerohive BR confirms the traffic is not destined for resources across the tunnel and is not whitelisted as trusted
4. Traffic is forwarded with client identity to the cloud security partner and processed based on identity
• From the Websense Cloud Web Security login, you can set the web categories policies, web content security, and much more...
Note: Here you can see that there is a rule blocking Weapons sites