
Avaya Vena Unified Access For Ers 8800/8600


Unified Access 1.0
Engineering

Avaya VENA Unified Access for ERS 8800/8600 and WLAN 8100 Technical Configuration Guide

Avaya Networking
Document Date: November 2012
Document Number: NN48500-643
Document Version: 1.0

avaya.com

© 2012 Avaya Inc. All Rights Reserved.

Notices
While reasonable efforts have been made to ensure that the information in this document is complete and accurate at the time of printing, Avaya assumes no liability for any errors. Avaya reserves the right to make changes and corrections to the information in this document without the obligation to notify any person or organization of such changes.

Documentation disclaimer
Avaya shall not be responsible for any modifications, additions, or deletions to the original published version of this documentation unless such modifications, additions, or deletions were performed by Avaya. End User agree to indemnify and hold harmless Avaya, Avaya's agents, servants and employees against all claims, lawsuits, demands and judgments arising out of, or in connection with, subsequent modifications, additions or deletions to this documentation, to the extent made by End User.

Link disclaimer
Avaya is not responsible for the contents or reliability of any linked Web sites referenced within this site or documentation(s) provided by Avaya. Avaya is not responsible for the accuracy of any information, statement or content provided on these sites and does not necessarily endorse the products, services, or information described or offered within them. Avaya does not guarantee that these links will work all the time and has no control over the availability of the linked pages.

Warranty
Avaya provides a limited warranty on this product. Refer to your sales agreement to establish the terms of the limited warranty.
In addition, Avaya's standard warranty language, as well as information regarding support for this product, while under warranty, is available to Avaya customers and other parties through the Avaya Support Web site: http://www.avaya.com/support
Please note that if you acquired the product from an authorized reseller, the warranty is provided to you by said reseller and not by Avaya.

Licenses
THE SOFTWARE LICENSE TERMS AVAILABLE ON THE AVAYA WEBSITE, HTTP://SUPPORT.AVAYA.COM/LICENSEINFO/ ARE APPLICABLE TO ANYONE WHO DOWNLOADS, USES AND/OR INSTALLS AVAYA SOFTWARE, PURCHASED FROM AVAYA INC., ANY AVAYA AFFILIATE, OR AN AUTHORIZED AVAYA RESELLER (AS APPLICABLE) UNDER A COMMERCIAL AGREEMENT WITH AVAYA OR AN AUTHORIZED AVAYA RESELLER. UNLESS OTHERWISE AGREED TO BY AVAYA IN WRITING, AVAYA DOES NOT EXTEND THIS LICENSE IF THE SOFTWARE WAS OBTAINED FROM ANYONE OTHER THAN AVAYA, AN AVAYA AFFILIATE OR AN AVAYA AUTHORIZED RESELLER, AND AVAYA RESERVES THE RIGHT TO TAKE LEGAL ACTION AGAINST YOU AND ANYONE ELSE USING OR SELLING THE SOFTWARE WITHOUT A LICENSE. BY INSTALLING, DOWNLOADING OR USING THE SOFTWARE, OR AUTHORIZING OTHERS TO DO SO, YOU, ON BEHALF OF YOURSELF AND THE ENTITY FOR WHOM YOU ARE INSTALLING, DOWNLOADING OR USING THE SOFTWARE (HEREINAFTER REFERRED TO INTERCHANGEABLY AS "YOU" AND "END USER"), AGREE TO THESE TERMS AND CONDITIONS AND CREATE A BINDING CONTRACT BETWEEN YOU AND AVAYA INC. OR THE APPLICABLE AVAYA AFFILIATE ("AVAYA").

Copyright
Except where expressly stated otherwise, no use should be made of the Documentation(s) and Product(s) provided by Avaya. All content in this documentation(s) and the product(s) provided by Avaya including the selection, arrangement and design of the content is owned either by Avaya or its licensors and is protected by copyright and other intellectual property laws including the sui generis rights relating to the protection of databases.
You may not modify, copy, reproduce, republish, upload, post, transmit or distribute in any way any content, in whole or in part, including any code and software. Unauthorized reproduction, transmission, dissemination, storage, and or use without the express written consent of Avaya can be a criminal, as well as a civil offense under the applicable law.

Third Party Components
Certain software programs or portions thereof included in the Product may contain software distributed under third party agreements ("Third Party Components"), which may contain terms that expand or limit rights to use certain portions of the Product ("Third Party Terms"). Information regarding distributed Linux OS source code (for those Products that have distributed the Linux OS source code), and identifying the copyright holders of the Third Party Components and the Third Party Terms that apply to them is available on the Avaya Support Web site: http://support.avaya.com/Copyright.

Trademarks
The trademarks, logos and service marks ("Marks") displayed in this site, the documentation(s) and product(s) provided by Avaya are the registered or unregistered Marks of Avaya, its affiliates, or other third parties. Users are not permitted to use such Marks without prior written consent from Avaya or such third party which may own the Mark. Nothing contained in this site, the documentation(s) and product(s) should be construed as granting, by implication, estoppel, or otherwise, any license or right in and to the Marks without the express written permission of Avaya or the applicable third party. Avaya is a registered trademark of Avaya Inc. All non-Avaya trademarks are the property of their respective owners.

Downloading documents
For the most current versions of documentation, see the Avaya Support Web site: http://www.avaya.com/support

Contact Avaya Support
Avaya provides a telephone number for you to use to report problems or to ask questions about your product.
The support telephone number is 1-800-242-2121 in the United States. For additional support telephone numbers, see the Avaya Web site: http://www.avaya.com/support.

November 2012 Avaya VENA Unified Access Technical Configuration Guide 2 avaya.com

Abstract
This Technical Configuration Guide describes how to configure an Avaya VENA Unified Access solution. Avaya implemented this solution by combining the functionality of the Avaya WLAN Controller 8100 (WC 8100) with the Avaya Ethernet Routing Switch 8800/8600 (ERS 8800/8600). This document also provides an overview of the Unified Access solution, which describes the technology, components, configuration considerations, and best design practices.

Information in this Technical Configuration Guide has been obtained through Avaya Networking interoperability testing and additional technical discussions. Testing was conducted at the Avaya Networking Test Lab.

The intended audience for this Technical Configuration Guide is Avaya Sales teams, Partner Sales teams and end-user customers. All of these groups can benefit from understanding the common design practices and recommended components for an Avaya VENA Unified Access solution.

Acronym Key
Throughout this guide the following acronyms will be used:
AT: access tunnel
HCF: Hybrid Coordination Function
MD: mobility domain
MT: mobility tunnel
MU: mobile unit
MVLAN: mobility VLAN
RF: radio frequency
RSSI: receive signal strength indication
SMLT: Split MultiLink Trunking
SSID: service set identifiers
SVP: SpectraLink Voice Priority
VoWLAN: Voice over WLAN
WIDS: wireless intrusion detection system
WIPS: wireless intrusion prevention system
WCP: wireless control point
WMS: WLAN management system
WSP: wireless switching point

Table of Contents
Figures
Tables
1. Introduction to Avaya VENA Unified Access
   1.1 Unified Access Component Overview
   1.2 Tunnels Types
   1.3 Licensing
   1.4 Implementation and configuration considerations
       1.4.1 Recommendations for Medium Enterprises
       1.4.2 Recommendations for Large Enterprises
       1.4.3 Trusted Edge Ports
       1.4.4 WSP VLAN Server
       1.4.5 Jumbo Frames and MTU Size
       1.4.6 Access Tunnel Support
       1.4.7 MGID Usage
2. Upgrade paths to Avaya VENA Unified Access
   2.1 Required Components
   2.2 Network Upgrade Procedures
   2.3 WCP Upgrade Procedures
   2.4 WSP Upgrade Procedures
   2.5 Upgrade Verification Procedures
       2.5.1 AMDC Verification:
       2.5.2 WSP Verification:
       2.5.3 Mobility Unit Verification:
3. Testing Methodology
   3.1 Test Results
4. Configuration Examples
5. Wireless LAN Configuration
   5.1 WCP Configuration – Part 1
       5.1.1 VLAN and IP configuration
       5.1.2 Wireless Configuration
   5.2 WSP Configuration
   5.3 Connect APs to network
       5.3.1 Stackable PoE Switch
       5.3.2 8007 Switch – ERS 8800 switch connected to the PoE switch above
       5.3.3 DHCP Server – DHCP Scope for AP
   5.4 WCP Configuration – Part 2
6. Wireless Clients
7. Verify Client Connectivity
   7.1 Normal operations
   7.2 Roaming
8. Reference Documentation

Figures
Figure 1 – Unified Access Model
Figure 2 – Unified Access Tunnels (Access and Mobility)
Figure 3 – Configuration Example Topology

Tables
Table 1 – Test Results

Conventions
This section describes the text, image, and command conventions used in this document.

Symbols
Tip – Highlights a configuration or technical tip.
Note – Highlights important information to the reader.
Warning – Highlights important information about an action that may result in equipment damage, configuration or data loss.

Text
Bold text indicates emphasis.

Italic text in a Courier New font indicates text the user must enter or select in a menu item, button or command:

    ERS5520-48T# show running-config

Output examples from Avaya devices are displayed in a Lucida Console font:

    ERS5520-48T# show sys-info
    Operation Mode: Switch
    MAC Address: 00-12-83-93-B0-00
    PoE Module FW: 6370.4
    Reset Count: 83
    Last Reset Type: Management Factory Reset
    Power Status: Primary Power
    Autotopology: Enabled
    Pluggable Port 45: None
    Pluggable Port 46: None
    Pluggable Port 47: None
    Pluggable Port 48: None
    Base Unit Selection: Non-base unit using rear-panel switch
    sysDescr: Ethernet Routing Switch 5520-48T-PWR HW:02 FW:6.0.0.10 SW:v6.2.0.009
    Mfg Date:12042004 HW Dev:H/W rev.02

1. Introduction to Avaya VENA Unified Access

Enterprises have to address the rapid growth in mobile traffic and high bandwidth video applications. The Avaya VENA Unified Access solution solves this problem, which is stretching the limits of existing WLAN networks. Avaya's next generation architecture integrates the wired and wireless networks so that Enterprises no longer have to build out separate wired and WLAN networks.

The Unified Access solution splits the control and data forwarding functions and implements each of them in the most logical and cost effective place in the network. This splitting of functions enables Unified Access to accomplish its primary goal of unifying wired and wireless switching with unprecedented scaling and performance.
• Control operations such as managing APs are still performed by the WLAN 8100 Controller, which is referred to as the Wireless Control Point (WCP).
• Data forwarding functions are now implemented in the ERS 8800/8600, which is referred to as the Wireless Switching Point (WSP).

Splitting the control and data forwarding functions reduces the packet processing scalability requirement on the WLAN 8100 Controller and transfers the data forwarding to the ERS 8800/8600. Because the ERS 8800/8600 forwards both wired and wireless traffic, the Unified Access solution fully integrates your network infrastructure without adding more switching equipment. To implement this solution, simply add APs and enable the data forwarding function for WLAN on the ERS 8800/8600. This solution also scales much higher and is more resilient than traditional WLAN overlay models because the ERS 8800/8600 is much more robust at forwarding.

Note – It is important to note that the Unified Access solution does not impact any traditional WLAN services such as E911, Ekahau location, Site Survey, RF resiliency, Voice over WLAN, Captive Portal, ID Engine Guest Portal, and wireless intrusion detection and prevention systems (WIDS/WIPS).

1.1 Unified Access Component Overview

The following are the minimum requirements of this solution:
• WLAN 8100 Controller Release 2.0
• Ethernet Routing Switch 8800/8600 Release 7.2

The WLAN 8100 Controller serves strictly as a WCP in the Unified Access solution. In this role, the WCP supports the following management functions:
• Associates APs to WSPs and reassigns APs to WSPs to maintain load balance.
• Manages all AP functions such as: auto-RF, User Authentication, Captive Portal, AP configuration. These functions are identical in both Unified Access and traditional WLAN overlay solutions.
• Manages the WSPs, which is a new function that puts the WCP in charge of configuring the wireless functions of the WSPs. When authentication or roaming occurs, the WCP is responsible for communicating any change in mobility context to WSPs and handling the WSP-to-WSP handover.
• Manages all auxiliary functions that are part of either wireless solution such as Guest Portals, WIDS/WIPS collection, User Authentication, Location Management, Load Sharing, Roaming Management, and Session Tracking.

Note – The WLAN 8100 Controller can serve as both a WCP and WSP in a traditional WLAN or as strictly a WCP in a Unified Access solution. In Release 2.0, if the WLAN 8180 Controller is configured as a WCP-only device, then all the controllers in the mobility domain must be WCP-only mode controllers.

The ERS 8800/8600 serves as the WSP, which unifies wireless and wired switching in a single device. In this role, the WSP communicates with the WCP to manage the mobility context of a mobile client. This means that the WSP manages all user data from an AP onto the network. It terminates the access tunnel from an AP, decapsulates traffic, and inserts traffic onto the wired network. The WSP also maintains mobility tunnels with other WSPs (at the control of the WCP) to allow for user mobility across APs inside a mobility domain.

The Access Point functions change the least in a Unified Access solution. APs maintain all of their traditional functions, at the direction of the WCP, and they are still powered by a Power over Ethernet (PoE) switch such as the ERS 5520. The only significant difference is that APs now communicate with both the WCP (for control traffic) and with a WSP (for data traffic).

The following figure and scenarios show how traffic from Building 1 and Building 2 terminates:
• If the destination of the associated client or roamed client is within the distribution layer, the mobility traffic is L2 switched within the distribution layer.
• If the destination is associated to the other building's Mobility VLAN (MVLAN), the mobility traffic is switched using the mobility tunnel to the destination WSP.
• If the destination is not local and not associated to the other building's MVLAN, then the mobility traffic gets L3 routed by the core.

Figure 1 – Unified Access Model

1.2 Tunnels Types

APs use control channels to send control traffic to the WCP and access tunnels to send data traffic to a WSP. This traffic split is the defining feature of Unified Access. For the data traffic, the WSP supports two types of tunnels:
• Access tunnels provide a logical connection between the AP and the WSP.
• Mobility tunnels provide a logical connection between two WSPs.

You do not have to manage any of these tunnels. All of that is taken care of by the Mobility Agent in the Unified Access software. The Mobility Agent is in constant communication between the WSP and WCP to create, configure, load balance, and maintain the tunnels.

The maximum number of tunnels is 2000. However, for SMLT configurations Avaya supports half of the maximum tunnels, therefore 1000 tunnels. This is a combined number that includes WLAN access, WLAN mobility, and IPv6 tunnels. The ERS 8800/8600 WSP supports up to 1024 Access Tunnels and 16 Mobility Tunnels to other WSPs.

Note – A WSP serves a particular mobility VLAN if that mobility VLAN is mapped to one of the local VLANs on that WSP. "Serving" in this case means bridging traffic on this VLAN or IP-routing it.

Figure 2 – Unified Access Tunnels (Access and Mobility)

1.3 Licensing

Unified Access does not require any additional licensing.
• For the WLAN 8100 Controller, the Release 2.0 licensing model is the same as in previous releases. The license is AP-count based and is offered with 16 (locked), 64, 128, and 256 increments.
  You can also pool licenses as before to allow customers to grow their network by adding licenses to whichever WLAN 8100 Controller they prefer.
• For the WLAN 8100 Wireless Management Software (WMS), you must have a valid Base License Certificate.
• For the ERS 8800/8600, no additional license beyond the Base License is required.
• Avaya separately offers 3rd party licensing for applications such as Ekahau location service.

1.4 Implementation and configuration considerations

This section describes some factors to consider as you set up your Unified Access network.

1.4.1 Recommendations for Medium Enterprises

For scaling purposes, Avaya defines a medium enterprise as having approximately 2500 network devices and half of those are mobile (1250 devices). In an enterprise of this size, apply the following deployment recommendations:
• 512 Access Points
• 2 ERS 8800/8600 WSPs (balanced and redundant)
• 2 WLAN 8180 WCPs (Redundant)
• No more than 10 APs per 1 GbE uplink capacity from edge to core (100 APs per 10 GbE) that is shared with other edge ports

1.4.2 Recommendations for Large Enterprises

For scaling purposes, Avaya defines a large enterprise as having approximately 5000 network devices and half of those are mobile (2500 devices). In an enterprise of this size, apply the following deployment recommendations:
• 1024 Access Points
• 4 ERS 8800/8600 WSPs (balanced and redundant)
• 2 WLAN 8180 WCPs (scale WCPs as you add more WSPs)
• No more than 10 APs per 1 GbE uplink capacity from edge to core (100 APs per 10 GbE) that is shared with other edge ports

1.4.3 Trusted Edge Ports

The AP and WSP send WLAN control traffic that is exchanged between them with the high priority bit set. This is to ensure that the control traffic is not dropped even if there is line rate traffic flowing on the port between the AP and the WSP.
By default, the ports on the ERS 8800/8600 where the WSP resides are untrusted so they discard the priority bit. This may result in loss of control traffic and bring down the tunnel.

Note – Avaya strongly recommends that you configure any port that carries control traffic as trusted so that the priority bits are honored.

To determine if a port is trusted or untrusted, enter the following command:
• In the CLI, enter show port info 802.1p-override
• In the ACLI, enter show qos 802.1p-override

If a port is untrusted, enter the following command to make it trusted:
• In the CLI, enter config ethernet 802.1p-override disable
• In the ACLI Interface Configuration mode, enter default qos 802.1p-override

1.4.4 WSP VLAN Server

VLAN servers are learned dynamically. However, if a WSP is part of an SMLT Switch Cluster, it is a good design practice and Avaya recommends mapping the same VLAN server to both the WSP and its SMLT peer.

1.4.5 Jumbo Frames and MTU Size

In networks supporting Unified Access, you must set the maximum transmission unit (MTU) size on all PoE switches to 1572. If the MTU size of 1572 is not supported, you must enable jumbo frames on all the PoE switches.

1.4.6 Access Tunnel Support

Access tunnels must send and receive periodic keepalive hellos to keep them active. However, when there are a lot of tunnels on a single physical interface, it causes large bursts of high priority keepalive packets to be sent out of the physical interface. This causes control packet drops, which in turn cause tunnels to drop.

Note – If the tunnels are formed over an MLT, the tunnels are distributed over individual MLT members. Therefore, this limitation is less likely to happen.

To avoid dropping any tunnels, see the Release Notes — Software Release 7.2 (NN46205–402) for the recommended maximum number of tunnels to configure per physical interface.

1.4.7 MGID Usage

Multicast Group ID (MGID) is a hardware mechanism that the switch uses to send data to several ports simultaneously. Instead of sending the data to a specific port number, the data is directed to an MGID. The switch maintains a table that maps MGIDs to their member ports. VLANs and IP Multicast use MGIDs, and the system also reserves a small number of MGIDs for system functions.

There are 4000 MGIDs in the system and they are used as follows:
• There are two pools by default: 2000 MGIDs for VLANs and 2000 MGIDs for IP Multicast.
• Each VLAN consumes 1 MGID (2 MGIDs if an IST exists).
• IP Multicast consumes 1 MGID for each flow.

Depending on which services are running on the switch, MGIDs may become limited. In Unified Access, this is a concern for roaming users that dynamically need MGIDs. To ensure that there are adequate MGIDs available, use the following command to monitor MGID usage:

    show sys mgid-usage
    Number of MGIDs used for VLANs : (524)
    Number of MGIDs used for multicast : (0)
    Number of MGIDs remaining for VLANs : (1512)
    Number of MGIDs remaining for multicast : (2048)

If necessary, use the following command to reduce the IP Multicast MGID pool, which increases the number for the remote VLAN pool:

    config sys set multicast-resource-reservation

The above command reserves MGIDs for IP Multicast and the is a number between 64 and 4083.

2. Upgrade paths to Avaya VENA Unified Access

This section lists the high-level configuration procedures in the order that they should be performed to deploy your WLAN network. The specific configuration procedures used in the Avaya Networking Test Lab are in Configuration Examples.

You can upgrade your network to install the Avaya VENA Unified Access solution in the following deployments:
• Greenfield, which includes brand new installations as well as installations upgrading from the WLAN 2300 Series switches to the ERS 8800/8600
• ERS 8800/8600 with no WLAN solution
• ERS 8800/8600 with an existing WLAN solution

Tip – For information on how to design your WLAN network, see Design Guide for WLAN 8100 Series (NN48500–587). This guide provides recommended designs, best practices, and an explanation of common deployment issues.

2.1 Required Components

The following components are the minimum requirements to implement the Unified Access solution:
• WC 8180 with software Release 2.0 or later running in the WCP operating mode, not in the default WC (combined WCP+WSP) mode. Controllers must match in one mobility domain. For example, a WC (WCP+WSP) controller cannot be in the same domain as a WCP controller. This may require an interim upgrade to a pre-2.0 release depending upon the existing revision of SW on the WLAN 8180s and APs.
• ERS Power over Ethernet switch such as an ERS 8300, ERS 5520, or ERS 4548
• 8120 AP with software Release 2.0 or later
• DHCP server
• RADIUS server
• ERS 8600/8800 with software Release 7.2 or later (only a Base license is required)
• ERS 8800/8600 hardware that supports Release 7.2. This includes an 8895 SF/CPU or an 8692 SF/CPU with SuperMezz. Release 7.2 or later supports R and RS modules only.
• Wireless clients

2.2 Network Upgrade Procedures

Complete the following procedures to upgrade to a Unified Access network:
1. Refer to the Design Guide for WLAN 8100 Series (NN48500–587) to design your WLAN network.
2. If this is a new data network, install an Ethernet network that includes the recommended number of ERS 8800/8600 switches to serve as WSPs. Otherwise, go to the next step.
3. Upgrade the targeted ERS 8800/8600 WSP devices to Release 7.2.
4. Verify that the existing data network has full connectivity after upgrading to Release 7.2 code.
5. Install and configure PoE switches to provide PoE to the APs. (For information, refer to the specific configuration guide for the ERS switch you choose to install: ERS 8300, ERS 5520, or ERS 4548.)
6. Install and configure a DHCP server for the MUs and APs in your network.
7. Install and configure a RADIUS server for user authentication, if required by your design.

2.3 WCP Upgrade Procedures

Complete the following procedures to configure the Avaya WLAN Controller 8180 (WC 8180) devices as WCPs in a Unified Access network. These procedures outline the steps to configure the AMDC, BMDC and other controllers that join the domain and sync to the AMDC. For detailed configuration steps, refer to the WCP chapters in this document.

Note – Avaya does not support mixed domains where some WC 8180s are in WCP-only mode and other WC 8180s are in the overlay WCP-WSP mode.

1. Install and configure the planned number of WC 8180s to serve as WCPs.
2. Configure all WC 8180s in your network for IP connectivity.
3. Configure the wireless domain by configuring automatic promote of discovered APs (load balance) or add APs to the AP database manually.
4. Add mobility VLANs to the WC 8180 controller.
5. Configure wireless network profiles.
6. Configure wireless radio profiles.
7. Configure wireless AP-Profiles.
8. Configure the wireless domain WSPs by adding the base MAC address of each WSP. (To learn the base MAC address, enter show sys info on each WSP.)
9. Use the following commands to have other controllers join the domain and be synced to the AMDC:

       wireless controller join-domain domain-name mdc-address
       wireless controller config-sync

   Note – The AMDC and BMDC are the only controllers that are Mobility Domain Controller (MDC) capable.
10. Verify that each controller is synced and has joined the domain by entering the following command: show wireless controller domain-membership.
11. Verify that one of the controllers has the domain role of backup MDC by entering the following command: show wireless controller status.
12. Verify on the WC 8180 that the base MAC address of each WSP was added to the WC 8180 WSP Database so they can be managed by the WC 8180. On the AMDC, enter the show wireless wsp status command to make sure all the WSP base MAC addresses were added to the WC 8180 WSP Database. If you have to add a WSP to the database, use the show sys info command on the ERS 8800/8600 to learn its base MAC address. Then on the WC 8180, use the domain wsp command to add the WSP.

Note – Before configuring your ERS 8800/8600s as WSPs, you must first verify connectivity of the DHCP server and all the WC 8180 controllers within your data network. Ping each controller and DHCP server from every potential WSP to verify connectivity is correct.

2.4 WSP Upgrade Procedures

Complete the following procedures to configure ERS 8800/8600s as WSPs in a Unified Access network. These procedures outline the steps to configure the WSPs.

Tips:
• Avaya recommends enabling the WSP functionality on the ERS 8800/8600 switches that are physically closest to the APs. This design configuration is the most efficient and it improves WLAN switching performance.
• Adding the WSP function to an existing ERS 8800/8600 does not interrupt any traffic. However, the APs may experience a brief interruption (less than 3 seconds). Ideally, you should perform this upgrade during a maintenance window.
• Before configuring your ERS 8800/8600s as WSPs, you must first verify connectivity of the DHCP server and all the WC 8180 controllers within your data network. Ping each controller and DHCP server from every potential WSP to verify connectivity is correct.

1. On every WSP, create a circuitless IP address and use this address as the interface IP under WLAN config. Use a routing protocol to route the CLIP address. The other controllers and WSPs will use this address for connectivity.

   Note – Avaya recommends using OSPF to route CLIP addresses.

   For example, use the following commands:

       config ip circuitless-ip-int 1 create 3.3.3.3/255.255.255.255
       config ip circuitless-ip-int 1 ospf enable
       config wireless-switch interface-ip 3.3.3.3

2. To serve mobility VLANs remotely in your domain, use the following command to add a remote VLAN MSTP/STP for remote vlans:

       wireless-switch remote-vlan-mstp

   Note – Avaya recommends using an available STG/MSTI for WLAN. Do not use a provisioned STG/MSTI.

3. To serve mobility VLANs remotely in your domain, add VLANs to VLAN reservation. This allows the WSP to dynamically create remote VLANs and use mobility tunnels for remotely served VLANs. For example, use the following command to reserve VLANs 700–709 and 4092 for remote VLANs.

       config wireless-switch vlan-reservation add 700-709,4092

4. On every WSP, add each WC 8180 controller to the configuration. You can configure up to four controllers, but their order is significant. The WSP tries to connect to the WCP in the order in which they are configured. For example, in the following configuration, the WSP would try to connect to WCP 1 at 104.30.10.11:

       config wireless-switch lb-controller add 1 104.30.10.11
       config wireless-switch lb-controller add 2 104.30.10.12
       config wireless-switch lb-controller add 3 104.30.10.13
       config wireless-switch lb-controller add 4 104.30.10.14

5. Create VLAN servers on the appropriate WSPs based on WLAN configuration strategy.
   Use the following example to map the mobility VLANs that were created on the WC 8180 controller during the wireless domain configuration to local VLANs:

    config wireless-switch vlan-map MV-ENG create l3-mobility server lvid 400 weight 1
    config wireless-switch vlan-map MV-SALES create l3-mobility server lvid 200 weight 1

   One VLAN server can have a higher priority over the other by changing the weight value.

   Note – If the WSP is part of an SMLT cluster, configure the WLAN VLAN Server on the WSP and its SMLT peer in the same way.

6. Leave the value of tcp-udp-base-port set to its default of 61000. If you need to change the value, use the following command and make sure you change all WSPs in the network.

    config wireless-switch tcp-udp-port

   Note – If this port number does not match on all WSPs in the network, the Mobility Tunnels will not form between WSPs.

7. Enable wireless on all configured WSPs:

    config wireless-switch enable

8. Install each AP into your network connecting to the PoE switches. If necessary, upgrade the APs to the latest software release.

2.5 Upgrade Verification Procedures

Complete the following procedures to verify connectivity of the AMDC, WSPs, and mobility units. These procedures outline the steps to configure the WSPs.

2.5.1 AMDC Verification

On the AMDC, use the following commands to verify connectivity:

1. Verify that every WSP has a status of Managed: show wireless wsp status
2. Verify that each AP in the network is managed and connected: show wireless ap status
3. Verify that the status of each MU is Authenticated and that its IP address and Mobility VLAN are correct: show wireless client status
4. Verify that the AMDC status is enabled and the operation mode is WCP: show wireless
5. Verify that the Sync State is Master: show wireless controller config-sync-status
6. Verify that the Domain Name is correct and the Domain Role is Active MDC: show wireless controller domain-membership
7. Verify that MDC-Capable is enabled and Domain Role is Active MDC: show wireless controller status
8. Verify that all Mobility VLANs are active: show wireless domain mobility-vlan

2.5.2 WSP Verification

On each WSP, use the following commands to verify connectivity:

1. Verify that you have an active controller: show wireless lb-controller
2. Verify that the status is enabled: show wireless info
3. Verify that the mobility VLANs are advertised by the correct peers: show wireless peer-advertised-vlans by-advertiser
4. Verify that all the access tunnels and mobility tunnels are running: show wireless peer-devices
5. Verify that there are mobility tunnels to all of the other WSPs in the domain, and that there is an access tunnel for each AP on the appropriate WSP: show wireless tunnel
6. Verify that the correct VLAN server is on the appropriate WSP and active: show wireless vlan-map
7. After an MU is logged in, verify that a remote VLAN is reserved and serving remote mobility: show wireless vlan-reservation
8. Verify that each mobility VLAN has the correct priority: show wireless vlan-servers
9. Verify that each tunnel increments keepalives: show wireless tunnel-statistics keepalive

2.5.3 Mobility Unit Verification

Use the following commands to verify that the MUs can log into each Service Set Identifier (SSID):

1. On the WC 8180, verify that the status of each MU is Authenticated and that its IP address and Mobility VLAN are correct: show wireless client status
2. On the WSP, after an MU is logged in, verify that a remote VLAN is reserved and serving remote mobility: show wireless vlan-reservation
3. Verify connectivity to each VLAN server with traffic.

3. Testing Methodology

The Avaya Networking Test Lab started their testing by deploying the Unified Access solution in three different scenarios:

• Greenfield installation
• ERS 8800 installation with no WLAN network
• WLAN installation with no ERS 8800 network

After establishing a steady-state environment where all the components in the solution were properly configured and connected as shown in the network topology figure, the lab conducted comprehensive tests using a methodology that verified connectivity under normal conditions and under various fault conditions. From this steady state, links and switches were failed to simulate network outages. These links and switches were then recovered, simulating the restoration of the network. The results of each of these tests are detailed in the following Test Results section.

3.1 Test Results

The following table summarizes the test results:

Test Case | Test Result
Verify that control traffic and data traffic are separated by the VRFs. | Pass
Verify that an ERS 8800 configured as a WSP does not interrupt any existing non-WSP traffic. | Pass
Verify that APs rebalance across WSPs after upgrading to Unified Access. | Pass
Create SSIDs without authentication to verify that MUs are still associated to an AP without authentication. | Pass
Verify that MUs can be authenticated correctly through IDE. | Pass
Configure different AP profiles to verify that the client supports a and bg modes. | Pass
Move clients from one AP area to another to verify that roaming happens properly between the different-PHY radio profiles. This test case includes testing voice quality, video quality, data traffic, push-to-talk, and E911. | Pass
Verify that roaming happens properly between APs connected to the same WSP. | Pass
Verify that roaming happens properly between APs connected to different WSPs within the same domain. | Pass
Verify that roaming happens properly between APs connected to different WSPs within the same domain but with different VLAN mapping. | Pass. The remote VLAN was automatically created on the new WSP and all data traffic from the roamed MU is tunneled to the VLAN server WSP and then forwarded out.
Configure WIDS to verify that a rogue AP is reported as "rogue" in the rf-scan table and that APs associated to other WSPs are not labeled as "rogue." | Pass
Fail over an SMLT link between the WSP and its SMLT edge to verify that APs associated through this SMLT link do not lose any traffic. | Pass
Recover the failed SMLT link to verify that APs associated through this SMLT link do not lose any traffic. | Pass
Fail over all SMLT links between one WSP and all of its peer WSPs to verify that APs associated through this SMLT link do not lose any traffic. | Pass
Recover the failed SMLT link to verify that APs associated through this SMLT link do not lose any traffic. | Pass
Fail over all the uplinks between a WSP and then recover them back to verify that the peer WSP takes over when one WSP peer is unreachable. | Pass

Table 1 – Test Results

4. Configuration Examples

The following figure shows the topology of the network described in this example.

Figure 3 – Configuration Example Topology

For this example, we will configure the following:

• AP
  o Although the AP can be placed anywhere in the network, for this example, we will use two APs (AP-1 and AP-2) connected via an Avaya PoE switch as illustrated in the above diagram.
  o The Avaya PoE switch in turn is connected to an ERS 8800 switch, named 8007, as shown in the diagram above for connectivity to the OSPF routed core.
• Wireless Control Point (WCP) 8180
  o Core VLAN 60 with IP address of 10.5.60.5/24
  o The following Mobility VLANs, all provisioned with a security mode of wpa-enterprise and set to authenticate against Avaya's Ignition Server:
    - Sales1: SSID Sales-Ott
    - Guest1: SSID Guest
    - Eng1: SSID Eng-Ott
    - labott: SSID Lab-Ott
  o Set up AP Profile 2 using Radio Profiles 3 and 4
    - Note that you can omit this step. It just demonstrates how to set up new AP and Radio profiles.
  o Manually set up the AP configuration so that AP #1 uses WSP-1 and AP #2 uses WSP-2.
• RADIUS server using Avaya's Ignition Server
  o IDE in turn is set up to authenticate all users against Windows Active Directory
• Wireless Switch Point (WSP)
  o WSP-1 with VLANs 1001 and 1002 VLAN mapping to mobility VLANs Sales1 and Guest1 respectively
  o WSP-2 with VLANs 1003 and 1004 VLAN mapping to mobility VLANs Eng1 and labott respectively

5. Wireless LAN Configuration

5.1 WCP Configuration – Part 1

5.1.1 VLAN and IP configuration

1 Power on the WC 8180, connect the console cable, press Ctrl+Y to start, select Command Line Interface to go to the CLI:

    WC8180>enable
    WC8180#configure terminal

  You can disable the main menu if you like by entering the cmd-interface cli command.
2 Configure the VLAN, in our example VLAN 60, as the management and wireless services VLAN:

    WC8180(config)#vlan create 60 name wlan_data-60 type port
    WC8180(config)#vlan configcontrol automatic
    WC8180(config)#vlan ports 23-24 tagging tagall
    WCP8180(config)#vlan mem remove 1 23-24
    WC8180(config)#vlan members add 60 23-24
    WC8180(config)#vlan mgmt 60

3 As the WCP 8180 is connected to an SMLT cluster, create an MLT and disable Spanning Tree:

    WCP8180(config)#mlt 1 name smltcore enable member 23-24 learning disable
    WCP8180(config)#mlt 1 loadbalance advance

4 Enable VLACP and discard untagged frames as per the SMLT recommendations:

    WCP8180(config)#vlacp macaddress 01:80:c2:00:00:0f
    WCP8180(config)#vlacp enable
    WCP8180(config)#interface fastEthernet 23-24
    WCP8180(config-if)#vlacp timeout short
    WCP8180(config-if)#vlacp timeout-scale 5
    WCP8180(config-if)#vlacp enable
    WCP8180(config-if)#exit
    WCP8180(config)#vlan ports 23,24 filter-untagged-frame enable
    WCP8180(config)#show vlacp interface 23,24
    ===============================================================================
                                  VLACP Information
    ===============================================================================
    PORT ADMIN   OPER    HAVE    FAST SLOW  TIMEOUT TIMEOUT ETH  MAC
         ENABLED ENABLED PARTNER TIME TIME  TYPE    SCALE   TYPE ADDRESS
    -------------------------------------------------------------------------------
    23   true    true    yes     500  30000 short   5       8103 00:00:00:00:00:00
    24   true    true    yes     500  30000 short   5       8103 00:00:00:00:00:00

5 Add the management IP address:

    WC8180(config)#interface vlan 60
    WC8180(config-if)#ip address 10.5.60.5 255.255.255.0
    WC8180(config-if)#exit

6 Add IP routes and enable IP routing:

    WC8180(config)#ip route 0.0.0.0 0.0.0.0 10.5.60.1 1
    WC8180(config)#ip route 0.0.0.0 0.0.0.0 10.5.60.1 enable
    WC8180(config)#ip routing

7 Verify IP configuration and routes:

    WC8180(config)#show vlan ip
    ==============================================================================
    Vid  ifIndex Address         Mask            MacAddress        Offset Routing
    ==============================================================================
    Primary Interfaces
    ------------------------------------------------------------------------------
    60   10060   10.5.60.5       255.255.255.0   2C:F4:C5:E9:B6:81 2      Enabled
    ------------------------------------------------------------------------------
    % Total of Primary Interfaces: 1

    WC8180(config)#show ip route
    ===============================================================================
                                       Ip Route
    ===============================================================================
    DST             MASK            NEXT            COST VLAN PORT PROT TYPE PRF
    -------------------------------------------------------------------------------
    0.0.0.0         0.0.0.0         10.5.60.1       1    60   T#1  S    IB   5
    10.5.60.0       255.255.255.0   10.5.60.5       1    60   ---- C    DB   0
    Total Routes: 2
    -------------------------------------------------------------------------------
    TYPE Legend: I=Indirect Route, D=Direct Route, A=Alternative Route, B=Best Route,
    E=Ecmp Route, U=Unresolved Route, N=Not in HW

8 Verify IP connectivity:

    WCP8180(config)#ping 10.5.60.1
    Host is reachable

9 Enable Telnet and SNMP:

    WC8180(config)#telnet-access enable
    WC8180(config)#snmp-server enable

5.1.2 Wireless Configuration

1 Configure the wireless system interface. This example uses VLAN 60's IP address:

    WC8180(config)#wireless
    WC8180(config-wireless)#interface-ip 10.5.60.5

2 Change the mode of operation to control-plane only (wcp) mode:

    WC8180(config-wireless)#operation-mode wcp

  Note – Before you change the operation mode of the controller to WCP, verify that the controller is not wireless enabled using the command show wireless and verify that the Status is Disabled.
  Also verify that the controller is not a member of a mobility domain using the command show wireless controller domain-membership.

3 Enable the wireless system interface:

    WCP8180(config-wireless)#enable

4 Verify that the wireless system interface is configured and enabled. Also verify that the operation mode of the controller is set to WCP:

    WCP8180(config-wireless)#show wireless
    Operation Mode    : WCP
    Status            : Enabled
    Interface IP      : 10.5.60.5
    TCP/UDP base port : 61000
    Base MAC Address  : 2C:F4:C5:E9:B6:00

5 Configure the controller to be Mobility Domain Controller (MDC) capable. This example uses the following domain password - Avaya@1234WLAN#

    WCP8180(config-wireless)#controller mdc-capable
    % Domain password should be between 10-15 characters long.
    % Password must contain a minimum of 2 upper, 2 lowercase letters
    % 2 numbers and 2 special characters like !@#$%^&*()
    Enter domain password: Avaya@1234WLAN#
    Verify Domain password: **********

5 Verify that the controller is MDC capable:

    WCP8180(config-wireless)#show wireless controller info
    MDC-Capable : Enabled

  Note – The controller is now provisioned for wireless services and to act as a wireless control point (WCP) in the mobility domain.

6 Create a mobility domain and join the WCP with the mobility domain. In this example, the mobility domain is named AVAYA:

    WCP8180(config-wireless)#exit
    WCP8180(config)#exit
    WCP8180#wireless controller join-domain domain-name ottlab mdc-address 10.5.60.5
    Enter Domain Secret: Avaya@1234WLAN#
    Use 'show wireless controller domain-membership' to see join status.
    WCP8180#show wireless controller domain-membership
    Domain Name           : ottlab
    Domain Role           : Active MDC
    Domain Action Status  : Join Success
    Action Failure Reason : None

5.2 WSP Configuration

In this example, we will be configuring WSP1 and WSP2 using CLI on WSP1 and ACLI on WSP2.
1 Log on to the ERS 8800 (WSP2) and enter configuration mode:

    ERS-8606:5>enable
    ERS-8606:5#configure terminal

2 Log on to the ERS 8800 (WSP) CLI and add CLI prompts if you wish:

  WSP 1:
    ERS-8606:5# config cli prompt WSP1

  WSP 2:
    ERS-8606:5(config)#snmp-server name WSP2

3 Create a core VLAN on WSP1 and WSP2. This example enables OSPF in the core VLAN:

  WSP 1:
    WSP1:5# config vlan 25 create byport-mstprstp 0
    WSP1:5# config vlan 25 ports add 1/1
    WSP1:5# config vlan 25 ip create 10.16.1.2/30
    WSP1:5# config vlan 25 ip ospf enable

  WSP 2:
    WSP2:5(config)#vlan create 27 type port-mstprstp 0
    WSP2:5(config)#vlan member add 27 1/1
    WSP2:5(config)#interface vlan 27
    WSP2:5(config-if)#ip address 10.16.1.6 255.255.255.252
    WSP2:5(config-if)#ip ospf enable
    WSP2:5(config-if)#exit

4 Verify VLAN creation using the following command:

    WSP1:5# show vlan info port 25
    ================================================================================
                                       Vlan Port
    ================================================================================
    VLAN PORT             ACTIVE           STATIC           NOT_ALLOW
    ID   MEMBER           MEMBER           MEMBER           MEMBER
    --------------------------------------------------------------------------------
    25   1/1              1/1

    WSP2:5(config)#show vlan members 27
    ================================================================================
                                       Vlan Port
    ================================================================================
    VLAN PORT             ACTIVE           STATIC           NOT_ALLOW
    ID   MEMBER           MEMBER           MEMBER           MEMBER
    --------------------------------------------------------------------------------
    27   1/1              1/1

5 Create local VLANs on the WSP for the wireless clients.
  This example creates VLANs 1001 and 1002 on WSP1 and 1003 and 1004 on WSP2:

  WSP 1:
    WSP1:5# config vlan 1001 create byport-mstprstp 0 name "Sales1"
    WSP1:5# config vlan 1001 ip create 10.16.101.1/24
    WSP1:5# config vlan 1001 ip dhcp-relay enable
    WSP1:5# config vlan 1001 ip ospf interface-type passive
    WSP1:5# config vlan 1001 ip ospf advertise-when-down enable
    WSP1:5# config vlan 1001 ip ospf enable
    WSP1:5# config vlan 1002 create byport-mstprstp 0 name "Guest1"
    WSP1:5# config vlan 1002 ip create 10.16.102.1/24
    WSP1:5# config vlan 1002 ip dhcp-relay enable
    WSP1:5# config vlan 1002 ip ospf interface-type passive
    WSP1:5# config vlan 1002 ip ospf advertise-when-down enable
    WSP1:5# config vlan 1002 ip ospf enable
    WSP1:5# config ip dhcp-relay create-fwd-path agent 10.16.101.1 server 10.12.100.10 mode dhcp state enable
    WSP1:5# config ip dhcp-relay create-fwd-path agent 10.16.102.1 server 10.12.100.10 mode dhcp state enable

  WSP 2:
    WSP2:5(config)#vlan create 1003 name Eng1 type port-mstprstp 0
    WSP2:5(config)#interface vlan 1003
    WSP2:5(config-if)#ip address 10.17.103.1 255.255.255.0
    WSP2:5(config-if)#ip dhcp-relay
    WSP2:5(config-if)#ip ospf network passive
    WSP2:5(config-if)#ip ospf advertise-when-down enable
    WSP2:5(config-if)#ip ospf enable
    WSP2:5(config-if)#ip dhcp-relay fwd-path 10.12.100.10
    WSP2:5(config-if)#ip dhcp-relay fwd-path 10.12.100.10 mode dhcp
    WSP2:5(config-if)#ip dhcp-relay fwd-path 10.12.100.10 enable
    WSP2:5(config-if)#exit
    WSP2:5(config)#vlan create 1004 name labott type port-mstprstp 0
    WSP2:5(config)#interface vlan 1004
    WSP2:5(config-if)#ip address 10.17.104.1 255.255.255.0
    WSP2:5(config-if)#ip dhcp-relay
    WSP2:5(config-if)#ip ospf network passive
    WSP2:5(config-if)#ip ospf advertise-when-down enable
    WSP2:5(config-if)#ip ospf enable
    WSP2:5(config-if)#ip dhcp-relay fwd-path 10.12.100.10
    WSP2:5(config-if)#ip dhcp-relay fwd-path 10.12.100.10 mode dhcp
    WSP2:5(config-if)#ip dhcp-relay fwd-path 10.12.100.10 enable
    WSP2:5(config-if)#exit

  Note – Since there are no port members for the local WLAN VLANs, it is recommended to enable the OSPF advertise-when-down option. Note that we will still see an OSPF state delay until the first wireless client connects to the WSP, as the OSPF advertise-when-down option requires the interface to have been in an up state at least once.

6 Verify local VLANs creation:

    WSP1:5# show vlan members
    ================================================================================
                                       Vlan Port
    ================================================================================
    VLAN PORT             ACTIVE           STATIC           NOT_ALLOW
    ID   MEMBER           MEMBER           MEMBER           MEMBER
    --------------------------------------------------------------------------------
    25   1/1              1/1
    1001
    1002

    WSP2:5(config)#show vlan members
    ================================================================================
                                       Vlan Port
    ================================================================================
    VLAN PORT             ACTIVE           STATIC           NOT_ALLOW
    ID   MEMBER           MEMBER           MEMBER           MEMBER
    --------------------------------------------------------------------------------
    27   1/1              1/1
    1003
    1004

7 Configure a loopback/circuitless IP address to be used for both the OSPF router-id and wireless switch:

  WSP 1:
    WSP1:5# config ip circuitless-ip-int 1 create 10.1.1.16/32
    WSP1:5# config ip circuitless-ip-int 1 ospf enable

  WSP 2:
    WSP2:5(config)#interface loopback 1
    WSP2:5(config-if)#ip address 10.1.1.17/32
    WSP2:5(config-if)#ip ospf
    WSP2:5(config-if)#exit

8 Enable OSPF routing and use the loopback address created above as the OSPF router-id and wireless interface IP address:

  WSP 1:
    WSP1:5# config ip ospf router-id 10.1.1.16
    WSP1:5# config ip ospf enable

  WSP 2:
    WSP2:5(config)#router ospf
    WSP2:5(config-ospf)#router-id 10.1.1.17
    WSP2:5(config-ospf)#exit
    WSP2:5(config)#router ospf enable

  Note – It is recommended that you save configuration on the WSP at regular intervals using the command save config.

9 Verify the IP address assigned to the VLAN interface:

    WSP1:5# show ip interface
    ================================================================================
                              IP Interface - GlobalRouter
    ================================================================================
    INTERFACE  IP              NET              BCASTADDR  REASM    VLAN  BROUTER
               ADDRESS         MASK             FORMAT     MAXSIZE  ID    PORT
    --------------------------------------------------------------------------------
    Clip1      10.1.1.16       255.255.255.255  ones       1500     --    false
    Vlan25     10.16.1.2       255.255.255.252  ones       1500     25    false
    Vlan1001   10.16.101.1     255.255.255.0    ones       1500     1001  false
    Vlan1002   10.16.102.1     255.255.255.0    ones       1500     1002  false

  Response from WSP2:

    WSP2:5(config)#show ip interface
    ================================================================================
                              IP Interface - GlobalRouter
    ================================================================================
    INTERFACE  IP              NET              BCASTADDR  REASM    VLAN  BROUTER
               ADDRESS         MASK             FORMAT     MAXSIZE  ID    PORT
    --------------------------------------------------------------------------------
    Clip1      10.1.1.17       255.255.255.255  ones       1500     --    false
    Vlan27     10.16.1.6       255.255.255.252  ones       1500     27    false
    Vlan1003   10.17.103.1     255.255.255.0    ones       1500     1003  false
    Vlan1004   10.17.104.1     255.255.255.0    ones       1500     1004  false

10 Verify the IP OSPF interfaces:

    WSP1:5# show ip ospf interface
    ================================================================================
                             OSPF Interface - GlobalRouter
    ================================================================================
    INTERFACE     AREA      ADM  IFST  MET  PRI  DR/           TYPE  AUTH  MTU
                  ID                             BDR                 TYPE  IGNO
    --------------------------------------------------------------------------------
    10.1.1.16     0.0.0.0   en   DR    10   1    10.1.1.16     pass  none  dis
                                                 0.0.0.0
    10.16.102.1   0.0.0.0   en   Down  10   1    0.0.0.0       pass  none  dis
                                                 0.0.0.0
    10.16.101.1   0.0.0.0   en   DR    10   1    10.16.101.1   pass  none  dis
                                                 0.0.0.0
    10.16.1.2     0.0.0.0   en   DR    10   1    10.16.1.2     brdc  none  dis
                                                 10.16.1.1

    WSP2:5(config)#show ip ospf interface
    ================================================================================
                             OSPF Interface - GlobalRouter
    ================================================================================
    INTERFACE     AREA      ADM  IFST  MET  PRI  DR/           TYPE  AUTH  MTU
                  ID                             BDR                 TYPE  IGNO
    --------------------------------------------------------------------------------
    10.1.1.17     0.0.0.0   en   DR    10   1    10.1.1.17     pass  none  dis
                                                 0.0.0.0
    10.17.104.1   0.0.0.0   en   Down  10   1    0.0.0.0       pass  none  dis
                                                 0.0.0.0
    10.17.103.1   0.0.0.0   en   Down  10   1    0.0.0.0       pass  none  dis
                                                 0.0.0.0
    10.16.1.6     0.0.0.0   en   DR    10   1    10.16.1.6     brdc  none  dis

  Note – The mobility VLAN OSPF state will be shown as 'Down' until a wireless client has successfully authenticated and connected to the network. As shown above, for the local VLAN 1001 on WSP1, the OSPF network of 10.16.101.1 is shown with a state of 'DR' as a wireless client has successfully connected to the network.

11 Verify WSP connectivity with the L2/L3 switch 8000-1:

    WSP1 WSP2> ping 10.16.1.1
    Response from WSP1: 10.16.1.1 is alive
    Response from WSP2: 10.16.1.1 is alive
    WSP1 WSP2> ping 10.16.1.5
    Response from WSP1: 10.16.1.5 is alive
    Response from WSP2: 10.16.1.5 is alive

12 Configure the list of controllers on the WSP.
  In this example, 10.5.60.5 is the WCP IP address:

  WSP 1:
    WSP1:5# config wireless-switch lb-controller add 1 10.5.60.5

  WSP 2:
    WSP2:5(config)#wireless
    WSP2:5(config-wireless)#switch
    WSP2:5(config-wireless-switch)#lb-controller 1 10.5.60.5
    WSP2:5(config-wireless-switch)#exit

    WSP1:5# show wireless-switch lb-controller
    Response from WSP1:
    WC ID   WC IP ADDRESS    STATUS
    --------------------------------------------------------------------------------
    1       10.5.60.5        Configured

    WSP2:5(config-wireless)#show wireless switch lb-controller
    WC ID   WC IP ADDRESS    STATUS
    --------------------------------------------------------------------------------
    1       10.5.60.5        Configured

13 Assign the loopback/CLIP as the wireless interface IP address:

  WSP 1:
    WSP1:5# config wireless-switch interface-ip 10.1.1.16

  WSP 2:
    WSP2:5(config-wireless)#interface-ip 10.1.1.17

14 On the WSP, create a remote VLAN spanning tree group (STG) Id / Instance. This Id is required for wireless clients during an L3 roam:

  WSP 1:
    WSP1:5# config wireless-switch remote-vlan-mstp 1

  WSP 2:
    WSP2:5(config-wireless)#switch
    WSP2:5(config-wireless-switch)#remote-vlan-mstp 1

15 Configure the WSP management interface IP address using the core VLAN IP address:

  WSP 1:
    WSP1:5# config wireless-switch mgmt-ip 10.16.1.2

  WSP 2:
    WSP2:5(config-wireless-switch)#mgmt-ip 10.16.1.6

16 Verify the WSP management interface IP address:

    WSP1:5# show wireless-switch info
    Response from WSP1:
                  TCP UDP               REMOTE      MANAGEMENT
    IP ADDRESS    BASE PORT   STATUS    VLAN MSTP   IP
    --------------------------------------------------------------------------------
    10.1.1.16     61000       Disable   1           10.16.1.2

    WSP2:5(config-wireless-switch)#show wireless
                  TCP UDP
    IP ADDRESS    BASE PORT   STATUS
    --------------------------------------------------------------------------------
    10.1.1.17     61000       Disable

    WSP2:5(config-wireless-switch)#show wireless switch
    REMOTE      MANAGEMENT
    VLAN MSTP   IP
    --------------------------------------------------------------------------------
    1           10.16.1.6

17 Enable wireless on the WSP:

  WSP 1:
    WSP1:5# config wireless-switch enable

  WSP 2:
    WSP2:5(config-wireless-switch)#exit
    WSP2:5(config-wireless)#enable

  Note – Ensure that you assign the CLIP as the wireless interface IP address before you attempt to enable wireless on the WSP. Otherwise the system displays an error.

18 Verify the WCP status is enabled and the WLAN interface IP is the CLIP/Loopback address configured above:

    WSP1:5# show wireless-switch info
    Response from WSP1:
                  TCP UDP               REMOTE      MANAGEMENT
    IP ADDRESS    BASE PORT   STATUS    VLAN MSTP   IP
    --------------------------------------------------------------------------------
    10.1.1.16     61000       Enable    1           10.16.1.2

    WSP2:5(config-wireless)#show wireless
                  TCP UDP
    IP ADDRESS    BASE PORT   STATUS
    --------------------------------------------------------------------------------
    10.1.1.17     61000       Enable

19 Map the mobility VLAN to the local VLAN on the WSP:

  WSP 1:
    WSP1:5# config wireless-switch vlan-map Guest1 create l3-mobility server lvid 1002 weight 1
    WSP1:5# config wireless-switch vlan-map Sales1 create l3-mobility server lvid 1001 weight 1

  WSP 2:
    WSP2:5(config-wireless)#switch
    WSP2:5(config-wireless-switch)#vlan-map Eng1 l3-mobility server lvid 1003 weight 2
    WSP2:5(config-wireless-switch)#vlan-map labott l3-mobility server lvid 1004 weight 2
    WSP2:5(config-wireless-switch)#exit
    WSP2:5(config-wireless)#exit

  Note – Mobility VLAN to local VLAN mapping must be configured for all controllers in a mobility domain. The mobility VLAN Mobile-Clients is not yet created on the WCP. You can create it at a later point on the controller, using either the CLI, the WMS or the EDM. You can, however, map the mobility VLAN Mobile-Clients to the local VLAN on the WSP as an offline mobility VLAN.

20 Verify the VLAN mapping:

    WSP1:5# show wireless-switch vlan-map
    MOBILITY        LOCAL     L3         WEIGHT  STATE   WCP-V  ADMIN
    VLAN NAME       VLAN ID   MOBILITY                          MAPPED
    --------------------------------------------------------------------------------
    Eng1            0         none       1       active  yes    no
    Guest1          1002      server     1       active  yes    yes
    Sales1          1001      server     1       active  yes    yes
    default-MVLAN   0         none       1       active  yes    no
    labott          0         none       1       active  yes    no
    5 out of 5 entries in all displayed.

    WSP2:5(config)#show wireless switch vlan-map
    MOBILITY        LOCAL     L3         WEIGHT  STATE   WCP-V  ADMIN
    VLAN NAME       VLAN ID   MOBILITY                          MAPPED
    --------------------------------------------------------------------------------
    Eng1            1003      server     2       active  yes    yes
    Guest1          0         none       1       active  yes    no
    Sales1          0         none       1       active  yes    no
    default-MVLAN   0         none       1       active  yes    no
    labott          1004      server     2       active  yes    yes

21 After completing the WCP configuration steps, verify the client and AP status:

    WSP1:5# show wireless-switch peer-devices switch
    Response from WSP1:
    PEER  PEER               PEER       PEER      PEER    LOCAL     TUNNEL
    TYPE  MAC                ADDR       UDP PORT  STATUS  UDP PORT  INTERFACE
    --------------------------------------------------------------------------------
    MT    00:21:ea:bc:90:00  10.1.1.17  61012     up      61012     WT-1
    1 out of 1 entries in all displayed.

    WSP2:5(config)#show wireless switch peer-device switch
    PEER  PEER               PEER       PEER      PEER    LOCAL     TUNNEL
    TYPE  MAC                ADDR       UDP PORT  STATUS  UDP PORT  INTERFACE
    --------------------------------------------------------------------------------
    MT    00:21:ea:bb:d0:00  10.1.1.16  61012     up      61012     WT-1
    1 out of 1 entries in all displayed.

5.3 Connect APs to network

The AP 8120 is powered by Power over Ethernet (PoE). You can connect a PoE switch or an external power injector to the AP.
In our example, two APs are connected to an Avaya Stackable PoE switch which in turn is connected to an ERS 8000 switch (named 8007). Through 8007, add VLAN, IP subnet, and enable DHCP relay to the VLAN provisioned on the APs in this example. For this example, we used VLAN 1500 on 8007.

5.3.1 Stackable PoE Switch

1 PoE Stackable Switch Configuration:

    !
    ! *** VLAN ***
    !
    vlan ports 24 tagging tagAll filter-untagged-frame enable
    vlan name 1500 "wlan_ap_vlan1500"
    vlan configcontrol flexible
    vlan members 1500 19-20,24

5.3.2 8007 Switch – ERS 8800 switch connected to the PoE switch above

1 8007 Configuration – VLAN and DHCP:

    #
    # PORT CONFIGURATION - PHASE I
    #
    ethernet 4/35 perform-tagging enable
    #
    # VLAN CONFIGURATION - PHASE I
    #
    vlan 1500 create byport-mstprstp 0 name "wlan_ap_vlan1500"
    vlan 1500 ports add 4/35
    vlan 1500 ip create 10.7.115.1/255.255.255.128
    vlan 1500 ip dhcp-relay enable
    vlan 1500 ip ospf enable
    #
    # DHCP CONFIGURATION - GlobalRouter
    #
    ip dhcp-relay create-fwd-path agent 10.7.115.1 server 10.12.100.10 mode dhcp state enable

5.3.3 DHCP Server – DHCP Scope for AP

1 Configure the DHCP server for AP discovery:

  The Avaya AP 8120 discovers the controller IP addresses using DHCP option 43 or DNS. This example uses the DHCP Option 43. The Option 43 setting must be 08 08 41 56 41 59 41 20 41 50 01 04 0A 05 3C 05, where 0a 05 3c 05 is the HEX representation of the controller IP 10.5.60.5.
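The Option 43 value above reads as two sub-options: 08 08 followed by the ASCII bytes for "AVAYA AP", then 01 04 followed by the controller IP. The Python below is an added example, not part of the Avaya guide; the code/length/value layout and all function names are assumptions inferred from the example bytes on this page. It builds the value for a controller IP and checks a configured value before APs are pointed at it, so a mistyped scope does not send APs to the wrong controller.

```python
import ipaddress

# Sub-option codes and vendor string as read from the page's example bytes.
# This layout is an assumption inferred from that example, not a vendor spec.
SUBOPT_CONTROLLER_IP = 0x01
SUBOPT_VENDOR_ID = 0x08
VENDOR_ID = b"AVAYA AP"

# The Option 43 value quoted in the guide for controller 10.5.60.5.
PAGE_EXAMPLE = "08 08 41 56 41 59 41 20 41 50 01 04 0A 05 3C 05"


class Option43Error(ValueError):
    """Raised when an Option 43 value cannot be decoded."""


def from_hex(text):
    """Accept '08 08 41', '08:08:41' or '080841' and return raw bytes."""
    cleaned = "".join(text.replace(":", " ").replace("-", " ").split())
    try:
        return bytes.fromhex(cleaned)
    except ValueError as exc:
        raise Option43Error(f"not valid hex: {exc}") from exc


def build_option43(controller_ip):
    """Encode the vendor string and one controller IPv4 address."""
    ip = ipaddress.IPv4Address(controller_ip)
    return (bytes([SUBOPT_VENDOR_ID, len(VENDOR_ID)]) + VENDOR_ID
            + bytes([SUBOPT_CONTROLLER_IP, 4]) + ip.packed)


def parse_tlvs(raw):
    """Split raw Option 43 bytes into (code, value) pairs, checking lengths."""
    pairs, pos = [], 0
    while pos < len(raw):
        if pos + 2 > len(raw):
            raise Option43Error(f"truncated sub-option header at offset {pos}")
        code, length = raw[pos], raw[pos + 1]
        value = raw[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise Option43Error(
                f"sub-option {code:#04x} declares {length} bytes, "
                f"only {len(value)} present")
        pairs.append((code, value))
        pos += 2 + length
    return pairs


def check_option43(hex_text, expected_ip):
    """Return a list of problems; an empty list means the value is as expected."""
    try:
        pairs = parse_tlvs(from_hex(hex_text))
    except Option43Error as exc:
        return [str(exc)]
    problems = []
    fields = dict(pairs)
    vendor = fields.get(SUBOPT_VENDOR_ID)
    if vendor is None:
        problems.append("vendor sub-option 0x08 missing")
    elif vendor != VENDOR_ID:
        problems.append(f"vendor string is {vendor!r}, expected {VENDOR_ID!r}")
    addr = fields.get(SUBOPT_CONTROLLER_IP)
    if addr is None:
        problems.append("controller sub-option 0x01 missing")
    elif len(addr) != 4:
        problems.append(f"controller sub-option holds {len(addr)} bytes, expected 4")
    else:
        found = ipaddress.IPv4Address(addr)
        if found != ipaddress.IPv4Address(expected_ip):
            problems.append(
                f"controller IP decodes to {found}, expected {expected_ip}")
    for code, _ in pairs:
        if code not in (SUBOPT_VENDOR_ID, SUBOPT_CONTROLLER_IP):
            problems.append(f"unexpected sub-option {code:#04x}")
    return problems


if __name__ == "__main__":
    print(build_option43("10.5.60.5").hex(" ").upper())
    print(check_option43(PAGE_EXAMPLE, "10.5.60.5"))
    # Constructed mistake: decimal octets typed as if they were hex digits.
    print(check_option43(
        "08 08 41 56 41 59 41 20 41 50 01 04 10 05 60 05", "10.5.60.5"))
```

The last call shows the common entry error of typing the decimal octets 10 05 60 05 into a hex field, which an AP would read as 16.5.96.5.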
Example taken from a Windows DHCP server:

5.4 WCP Configuration – Part 2

1  Verify that the WSP is discovered by the controller:

    WCP8180#show wireless domain wsp discovered
    -------------------------------------------------------------------------
    WSP MAC               WSP IP              Discovery Reason
    --------------------  ------------------  -------------------------------
    00:21:EA:BB:D0:00     10.1.1.16           Not present in WSP DB
    00:21:EA:BC:90:00     10.1.1.17           Not present in WSP DB
    -------------------------------------------------------------------------

2  Manually promote all discovered WSPs to be managed by the controller:

    WCP8180#wireless domain discovered-wsp approve-all

3  View the WSP status; a status of Managed indicates that the WSP is managed by the controller:

    WCP8180#show wireless wsp status
    Status - Managed(Managed),PeerManagd(Peer Managed)
             Failed(Connection Failed),Disconcted(Disconnected), Unknown(Unknown)
    -------------------------------------------------------------------------------
    Family   MAC                WSP IP           WCP IP           Status      AP     Peer WSP
    -------  -----------------  ---------------  ---------------  ----------  -----  ----
    ERS8800  00:21:EA:BB:D0:00  10.1.1.16        10.5.60.5        Managed     1      1
    ERS8800  00:21:EA:BC:90:00  10.1.1.17        10.5.60.5        Managed     1      1
    -------------------------------------------------------------------------------
    Status - Managed(Managed),PeerManagd(Peer Managed)
             Failed(Connection Failed),Disconcted(Disconnected), Unknown(Unknown)
    Total number of WSPs: 2

4  Discover the APs by powering on the APs and connecting them to the PoE switch or external power injector:

    WCP8180#show wireless domain ap discovered
    Total number of discovered APs = 2
    ------------------------------------------------------------------------------
    AP MAC             AP IP            AP Model  Country  Reason
    -----------------  ---------------  --------  -------  -----------------------
    00:1B:4F:6C:07:40  10.7.115.51      AP8120    US       Not present in AP DB
    00:1B:4F:6C:1F:80  10.7.115.50      AP8120    US       Not present in AP DB
    -------------------------------------------------------------------------------

Note: When the AP receives the WC information from the DHCP server, the AP automatically connects to the controller. All discovered APs are placed in the Discovered AP table on the controller.

5  Auto-promote discovered APs to be managed by the controller. All APs managed by the controller are populated in the Domain AP database. You can also, if required, manually add APs to the Domain AP database:

    WCP8180(config)#wireless
    WCP8180(config-wireless)#domain auto-promote-discovered-ap
    % Warning: AP database will be synchronized after running config-sync command.

Note: Auto promotion enables all discovered APs to be automatically promoted to the controller managed state as soon as they are discovered.

6  Display the AP status. The following commands display the status of the APs and other relevant information. Verify that all APs have a status of Managed to provide the configured wireless services:

    WCP8180(config-wireless)#show wireless ap status
    Total APs: 2, Managed APs: 2, Failed APs: 0
    -------------------------------------------------------------------------------
    AP MAC             WCP IP           WSP IP           WCP         WSP         Need Img
                                                         Status      Status      Upgrd
    -----------------  ---------------  ---------------  ----------  ----------  ----
    00:1B:4F:6C:07:40  10.5.60.5        10.1.1.16        Managed     Connected   Yes
    00:1B:4F:6C:1F:80  10.5.60.5        10.1.1.17        Managed     Connected   Yes
    -------------------------------------------------------------------------------

7  Perform either a bulk or single AP image upgrade. This step is optional. Perform this step if an image upgrade is required:

Bulk AP image upgrade

    WCP8180(config-wireless)#exit
    WCP8180(config)#exit
    WCP8180#wireless domain ap image-update start

Single AP image upgrade

    WCP8180#
    WCP8180#wireless ap image-update ?
      H.H.H  AP MAC Address
    WCP8180#wireless ap image-update 00:1B:4F:6C:07:40

8  After you have applied the image upgrade to the APs, verify the upgrade status. Verify that the Need Image Upgrade field displays as No; note you need to wait for the AP to reboot, which takes a couple of minutes:

    WCP8180#show wireless ap status
    Total APs: 2, Managed APs: 2, Failed APs: 0
    -------------------------------------------------------------------------------
    AP MAC             WCP IP           WSP IP           WCP         WSP         Need Img
                                                         Status      Status      Upgrd
    -----------------  ---------------  ---------------  ----------  ----------  ----
    00:1B:4F:6C:07:40  10.5.60.5        10.1.1.16        Managed     Connected   No
    00:1B:4F:6C:1F:80  10.5.60.5        10.1.1.17        Managed     Connected   No
    -------------------------------------------------------------------------------

9  Verify that the connected APs are discovered by the WSPs:

    WSP1:5# show wireless-switch peer-devices ap
    PEER  PEER               PEER         PEER      PEER    LOCAL     TUNNEL
    TYPE  MAC                ADDR         UDP PORT  STATUS  UDP PORT  INTERFACE
    --------------------------------------------------------------------------------
    AT    00:1b:4f:6c:1f:80  10.7.115.50  61012     up      61012     WT-2
    1 out of 1 entries in all displayed.

    WSP2:5#show wireless switch peer-devices ap
    PEER  PEER               PEER         PEER      PEER    LOCAL     TUNNEL
    TYPE  MAC                ADDR         UDP PORT  STATUS  UDP PORT  INTERFACE
    --------------------------------------------------------------------------------
    AT    00:1b:4f:6c:07:40  10.7.115.51  61012     up      61012     WT-2
    1 out of 1 entries in all displayed.

10  Create mobility VLAN(s).
In this example, we will create mobility VLANs Sales1, Guest1, Eng1, and labott:

    WCP8180#config term
    WCP8180(config)#wireless
    WCP8180(config-wireless)#domain mobility-vlan Sales1
    WCP8180(config-wireless)#domain mobility-vlan Guest1
    WCP8180(config-wireless)#domain mobility-vlan Eng1
    WCP8180(config-wireless)#domain mobility-vlan labott

    WCP8180(config)#show wireless domain mobility-vlan
    ---------------------------------------------------
    Mobility VLAN Name                Status
    --------------------------------  -----------------
    default-MVLAN                     Active
    Sales1                            Active
    Guest1                            Active
    Eng1                              Active
    labott                            Active
    ---------------------------------------------------
    Total Number of Mobility VLANs = 5

11  Using Identity Engines (IDE), add the WCP as an Authenticator. For more details on setting up IDE, please refer to the Ignition Server Microsoft NAP with Active Directory Authentication Technical Configuration Guide, publication number NN48500-625:

    1. Within Ignition Dashboard, select Configuration > Authenticators > default. Click New.
    2. Enter the IP address of the WSP (10.5.60.5), select Authenticator Type Wireless, Vendor Avaya, Device Template ers-switches-avaya, the same RADIUS Shared Secret used on the WCP, and the applicable Access Policy (in this case, simply authenticate against Microsoft Active Directory), then click OK when done.

12  Create a RADIUS profile named ide.
In this example, we are using IDE as our RADIUS server which has an IP address of 10.12.120.5:

    WCP8180(config-wireless)#security
    WCP8180(config-security)#radius profile ide
    WCP8180(config-security)#radius server 10.12.120.5 ide
    WCP8180(config-security)#radius server 10.12.120.5 ide secret
    WCP8180(config-security)#radius server 10.12.120.5 ide health-check-interval 0
    Enter server secret: avaya
    Verify server secret: *****
    WCP8180(config-security)#exit

Provided that IDE has been provisioned with the WCP as an authenticator, use the following command to confirm the RADIUS server is up and running:

    WCP8180(config-wireless)#show wireless security radius server
    Total radius servers: 1
    Server IP        Radius Profile                    Port#  Priority  Status
    ---------------  --------------------------------  -----  --------  -------
    10.12.120.5      ide                               1812   1         Up

Note: Please note that by default, a health check using a user name of admin will be forwarded to determine if the RADIUS server is available for authentication. This is useful where multiple RADIUS servers are used where, if the health check mechanism fails on a RADIUS server, a new RADIUS server will be selected. In our example, as we only have one RADIUS server, we simply set the interval to 0 to disable this feature. If you do wish to use this feature, you will need to add a user of admin or a new user and change the configuration of the WCP 8180.

13  Create a network profile. In this example, we will create four network profiles and mobility VLAN associations all authenticated against Identity Engines (IDE) RADIUS server:

    WCP8180(config-wireless)#network-profile 1
    Entering network-profile (id = 1) ...
    WCP8180(config-network-profile)#profile-name Sales
    WCP8180(config-network-profile)#ssid Sales-Ott
    WCP8180(config-network-profile)#mobility-vlan Sales1
    WCP8180(config-network-profile)#user-validation radius
    WCP8180(config-network-profile)#radius accounting authentication-profile ide
    WCP8180(config-network-profile)#security-mode wpa-enterprise
    WCP8180(config-network-profile)#wpa2 key-type ascii key Avaya1234
    WCP8180(config-network-profile)#no dot1x session-key-refresh-period group-key-refresh-period
    WCP8180(config-network-profile)#exit

    WCP8180(config-wireless)#network-profile 2
    Entering network-profile (id = 2) ...
    WCP8180(config-network-profile)#profile-name engineering
    WCP8180(config-network-profile)#ssid Eng-Ott
    WCP8180(config-network-profile)#mobility-vlan Eng1
    WCP8180(config-network-profile)#user-validation radius
    WCP8180(config-network-profile)#radius accounting authentication-profile ide
    WCP8180(config-network-profile)#security-mode wpa-enterprise
    WCP8180(config-network-profile)#wpa2 key-type ascii key Avaya1234
    WCP8180(config-network-profile)#no dot1x session-key-refresh-period group-key-refresh-period
    WCP8180(config-network-profile)#exit

    WCP8180(config-wireless)#network-profile 3
    Creating network-profile (id = 3) ...
    WCP8180(config-network-profile)#ssid Guest
    WCP8180(config-network-profile)#mobility-vlan Guest1
    WCP8180(config-network-profile)#user-validation radius
    WCP8180(config-network-profile)#radius accounting authentication-profile ide
    WCP8180(config-network-profile)#security-mode wpa-enterprise
    WCP8180(config-network-profile)#wpa2 key-type ascii key Avaya1234
    WCP8180(config-network-profile)#exit

    WCP8180(config-wireless)#network-profile 4
    WCP8180(config-network-profile)#ssid Lab-Ott
    WCP8180(config-network-profile)#mobility-vlan labott
    WCP8180(config-network-profile)#user-validation radius
    WCP8180(config-network-profile)#radius accounting authentication-profile ide
    WCP8180(config-network-profile)#security-mode wpa-enterprise
    WCP8180(config-network-profile)#wpa2 key-type ascii key Avaya1234
    WCP8180(config-network-profile)#no dot1x session-key-refresh-period group-key-refresh-period
    WCP8180(config-network-profile)#exit

    WCP8180(config-wireless)#show wireless network-profile
    -------------------------------------------------------------------------
    Id   Profile Name         Mobility VLAN        Security Mode   Captive Portal
    ---  -------------------  -------------------  --------------  --------------
    1    Sales                Sales1               WPA-Enterprise  Disabled
    2    engineering          Eng1                 WPA-Enterprise  Disabled
    3    network_003          Guest1               WPA-Enterprise  Disabled
    4    network_004          labott               WPA-Enterprise  Disabled
    -------------------------------------------------------------------------

14  Create the Access radio profiles. You can create an a-n or a bg-n radio profile based on the supported radio frequency. This example creates an a-n and bg-n radio profile:

    WCP8180(config-wireless)#radio-profile 3 access-wids a-n
    Creating a radio-profile (id = 3) with country-code = US and ap-model AP8120/E. ..
    Creating a radio-profile (id = 3) ...
    WCP8180(config-radio-profile)#profile-name A-N
    WCP8180(config-radio-profile)#exit
    WCP8180(config-wireless)#radio-profile 4 access-wids bg-n
    Creating a radio-profile (id = 4) with country-code = US and ap-model AP8120/E. ..
    Creating a radio-profile (id = 4) ...
    WCP8180(config-radio-profile)#profile-name BG-N
    WCP8180(config-radio-profile)#exit

15  Enable Client band steering and load balancing on the configured Access radio profiles:

Client Band Steering is a technique used to increase the overall capacity of a dual-band wireless network composed of multiple APs that use both the 2.4 GHz and 5.0 GHz radios. Client stations predominantly support 2.4GHz. Many modern client stations have dual-band support that tends to favor connection to 2.4GHz networks (although some popular modern clients still only support 2.4GHz, e.g. the Apple iPhone 4). As a result, dual-band networks have the 2.4GHz band heavily utilized, and the 5GHz band underutilized. The objective of Client Band Steering is to encourage 5GHz capable client stations to use the 5GHz radio instead of the 2.4GHz radio, leaving the 2.4GHz radio for stations that only support 2.4GHz.

As part of Client load-balancing configuration, you enable/disable the Load balancing. After you enable load balancing, you configure the following parameters:

    utilization-start (%) — Utilization level at which client association load balancing begins
    utilization-cutoff (%) — Client association load balancing cutoff. If this threshold is exceeded, all further client associations are refused.

Note: This cutoff is useful so that controller CPU utilization is maintained at an optimum level. If CPU utilization goes beyond 100%, it causes the controller to restart which in turn results in an unprecedented controller outage.

Enable client band steering and load balancing using the following commands:

    WC8180(config-wireless)#radio-profile 3
    Entering radio-profile (id = 3) configuration mode...
    WC8180(config-radio-profile)#band-steering enable
    WC8180(config-radio-profile)#load-balance enable
    WC8180(config-radio-profile)#load-balance utilization-start 30
    WC8180(config-radio-profile)#load-balance utilization-cutoff 60
    WCP8180(config-radio-profile)#exit
    WC8180(config-wireless)#radio-profile 4
    Entering radio-profile (id = 3) configuration mode...
    WC8180(config-radio-profile)#band-steering enable
    WC8180(config-radio-profile)#load-balance enable
    WC8180(config-radio-profile)#load-balance utilization-start 30
    WC8180(config-radio-profile)#load-balance utilization-cutoff 60
    WCP8180(config-radio-profile)#exit

16  View the created radio profiles:

    WCP8180(config-wireless)#show wireless radio-profile 3 detail
    Radio Profile Id: 3
    Name                                   : A-N
    Configuration Model                    : AP8120/E
    Country Code                           : US
    Operation Mode                         : access-wids
    IEEE 802.11 Mode                       : 802.11a/n
    RF Scan - Other Channels               : No
    Broadcast/Multicast Rate Limiting      : Disabled
    Broadcast/Multicast Rate Limit (Normal): 50 pkts/sec
    Broadcast/Multicast Rate Limit (Burst) : 75 pkts/sec
    Beacon Interval                        : 100 msec
    DTIM Period                            : 3
    Fragmentation Threshold                : 2346
    RTS Threshold                          : 2347
    Short Retry Limit                      : 7
    Long Retry Limit                       : 4
    Max Transmit Lifetime                  : 512 msec
    Max Receive Lifetime                   : 512 msec
    Max Clients                            : 200
    Auto Channel Adjustment Mode           : Yes
    Auto Power Adjustment Mode             : Yes
    Non-Auto Transmit Power                : 80 %
    WMM(Wi-Fi Multimedia Mode)             : Enabled
    Band Steering Mode                     : Enabled
    Load Balancing Mode                    : Enabled
    Load Balance Utilization Start         : 30 %
    Load Balance Utilization Threshold     : 60 %
    Station Isolation Mode                 : Disabled
    Channel Bandwidth                      : 40 MHz
    Primary Channel                        : Lower
    802.11n Protection Mode                : Auto
    SGI(Short Guard Interval)              : Disabled
    STBC(Space Time Block Code) Mode       : Enabled
    Multicast Transmit Rate                : Auto
    APSD(Auto Power Save Delivery) Mode    : Enabled
    No ACK for Incorrectly Received Frames : Disabled
    RRM(Radio Resource Measurement)        : Enabled

    WCP8180(config-wireless)#show wireless radio-profile 4 detail
    Radio Profile Id: 4
    Name                                   : BG-N
    Configuration Model                    : AP8120/E
    Country Code                           : US
    Operation Mode                         : access-wids
    IEEE 802.11 Mode                       : 802.11bg/n
    RF Scan - Other Channels               : No
    Broadcast/Multicast Rate Limiting      : Disabled
    Broadcast/Multicast Rate Limit (Normal): 50 pkts/sec
    Broadcast/Multicast Rate Limit (Burst) : 75 pkts/sec
    Beacon Interval                        : 100 msec
    DTIM Period                            : 3
    Fragmentation Threshold                : 2346
    RTS Threshold                          : 2347
    Short Retry Limit                      : 7
    Long Retry Limit                       : 4
    Max Transmit Lifetime                  : 512 msec
    Max Receive Lifetime                   : 512 msec
    Max Clients                            : 200
    Auto Channel Adjustment Mode           : Yes
    Auto Power Adjustment Mode             : Yes
    Non-Auto Transmit Power                : 80 %
    WMM(Wi-Fi Multimedia Mode)             : Enabled
    Band Steering Mode                     : Enabled
    Load Balancing Mode                    : Enabled
    Load Balance Utilization Start         : 30 %
    Load Balance Utilization Threshold     : 60 %
    Station Isolation Mode                 : Disabled
    Channel Bandwidth                      : 20 MHz
    Primary Channel                        : Lower
    802.11n Protection Mode                : Auto
    SGI(Short Guard Interval)              : Disabled
    STBC(Space Time Block Code) Mode       : Enabled
    Multicast Transmit Rate                : Auto
    APSD(Auto Power Save Delivery) Mode    : Enabled
    No ACK for Incorrectly Received Frames : Disabled
    RRM(Radio Resource Measurement)        : Enabled

17  Optionally, configure one or more capture profiles for a mobility domain:

Capture profiles are used for remote packet capture. Remote packet capture enables live debugging to troubleshoot client related issues. It can also be used to monitor traffic in a wireless network. After you configure a capture profile, you must apply these profiles to specific access points (AP) within the mobility domain to start a packet capture. A default capture profile with profile Id 1 is automatically created.
You can choose to use this profile or configure a suitable one using the following steps.

    WCP8180(config-wireless)#capture-profile 2

Verify configuration of the capture profile(s).

    WCP8180(config-capture-profile)#?
    Capture Profile Configuration Commands
      default        Set a command to its default values
      direction      Filter capture by flow direction
      duration       Stop after elapsed duration in seconds
      end            End wireless capture configuration mode
      exit           Exit from wireless capture configuration mode
      filters        Set filters for the packet capture profile
      interface      Specify the capture interface(s) for the packet capture
      no             Disable capture profile parameters
      observer-ip    IP address of the observer host
      observer-port  L4 port on the observer host
      profile-name   Name of the profile
      promisc-mode   Enable promiscuous capture on selected interfaces
      snap-length    Truncate capture to a specified length (in bytes)
    WCP8180(config-capture-profile)#exit
    WCP8180(config-wireless)#show wireless capture-profile <1-4> detail

Note: You can configure up to 4 capture profiles.

18  Create an AP profile and assign network and radio profiles to it. This example creates an AP profile named AP-Profile-2 using Radio Index 2 with VAP IDs 1 to 4 for each corresponding Network Profile 1 to 4 configured in step 14 above. For each radio, select the Radio Profiles created in step 15 & 16 (Radio Profiles 3 and 4):

    WCP8180(config-wireless)#ap-profile 2
    Creating ap-profile (id = 2) with country-code = US and ap-model AP8120/E..
    WCP8180(config-ap-profile)#profile-name AP-Profile-2
    WCP8180(config-ap-profile)#network 2 1 profile-id 1
    WCP8180(config-ap-profile)#network 2 2 profile-id 2
    WCP8180(config-ap-profile)#network 2 3 profile-id 3
    WCP8180(config-ap-profile)#network 2 4 profile-id 4
    WCP8180(config-ap-profile)#radio 1 profile-id 3 enable
    WCP8180(config-ap-profile)#radio 2 profile-id 4 enable
    WCP8180(config-ap-profile)#exit

Note: The network configuration consists of network [<1-2> Radio Index] [<1-16> VAP ID] profile-id [<1-64> Network Profile ID].

    WCP8180(config-wireless)#show wireless ap-profile network 2
    --------------------------------------------------------------------
    AP Profile Id  Radio Id  VAP Id  Network Profile Id  Radio Operation
    -------------  --------  ------  ------------------  ---------------
    2              1         1       1                   On
    2              2         1       1                   On
    2              2         2       2                   On
    2              2         3       3                   On
    2              2         4       4                   On
    --------------------------------------------------------------------

    WCP8180(config-wireless)#show wireless ap-profile radio 2
    -------------------------------------------------------------------------
    AP Profile Id  Radio Id  Radio Profile Id  Radio Status  Supported Model
    -------------  --------  ----------------  ------------  ----------------
    2              1         3                 On            AP8120/E
    2              2         4                 On            AP8120/E
    -----------------------------------------------------------------------

19  Manually add APs to the Domain AP database. APs (specifically the AP MAC addresses) must be added to the Domain AP database to provide wireless services:

    WCP8180(config-wireless)#domain ap 00:1B:4F:6C:07:40
    Entering domain AP (mac = 00:1B:4F:6C:07:40) configuration mode...
    WCP8180(config-domain-ap)#profile-id 2
    WCP8180(config-domain-ap)#exit
    WCP8180(config-wireless)#domain ap 00:1B:4F:6C:1F:80
    Entering domain AP (mac = 00:1B:4F:6C:07:40) configuration mode...
    WCP8180(config-domain-ap)#profile-id 2
    WCP8180(config-domain-ap)#exit

Note: This is an optional step. Perform this step if you need to manually promote an AP to be managed by the controller. If your system is configured for auto-promotion, all discovered APs are automatically added to the Domain AP database and are promoted to be managed by the controller. Using this command, you can also modify other AP parameters. Modification of other parameters is however not shown in the following command sequence.

If you wish, you can also manually provision the preferred WCP and WSP such as the following for each AP:

    WCP8180(config-wireless)#domain ap 00:1B:4F:6C:07:40
    Entering domain AP (mac = 00:1B:4F:6C:07:40) configuration mode...
    WCP8180(config-domain-ap)#profile-id 2
    WCP8180(config-domain-ap)#preferred-controller 10.5.60.5
    WCP8180(config-domain-ap)#preferred-wsp 10.1.1.16
    WCP8180(config-domain-ap)#exit
    WCP8180(config-wireless)#domain ap 00:1B:4F:6C:1F:80
    Entering domain AP (mac = 00:1B:4F:6C:07:40) configuration mode...
    WCP8180(config-domain-ap)#profile-id 2
    WCP8180(config-domain-ap)#preferred-controller 10.5.60.5
    WCP8180(config-domain-ap)#preferred-wsp 10.1.1.17
    WCP8180(config-domain-ap)#exit

20  Apply the wireless configuration to all APs. Perform a config-sync to apply changes to AP:

    WCP8180(config-wireless)#exit
    WCP8180(config)#exit
    WCP8180#wireless controller config-sync

21  Reset the AP. If you changed the domain AP parameters (for example, if you changed the AP profile), you must reset all APs for the configuration to take effect:

    WC8180#wireless domain ap reset start

22  Display the AP status. The following commands show the status and other relevant information, of the APs.
All APs must have the status as Managed to be able to provide the configured wireless services:

    WCP8180#show wireless ap status
    Total APs: 2, Managed APs: 2, Failed APs: 0
    -------------------------------------------------------------------------------
    AP MAC             WCP IP           WSP IP           WCP         WSP         Need Img
                                                         Status      Status      Upgrd
    -----------------  ---------------  ---------------  ----------  ----------  ----
    00:1B:4F:6C:07:40  10.5.60.5        10.1.1.16        Managed     Connected   No
    00:1B:4F:6C:1F:80  10.5.60.5        10.1.1.17        Managed     Connected   No
    -------------------------------------------------------------------------------

    WCP8180#show wireless ap status detail
    Total APs: 2, Managed APs: 2, Failed APs: 0
    ---------------------------------------------------------------
    AP (MAC=00:1B:4F:6C:07:40)
    IP Address                   : 10.7.115.51
    WCP Status                   : Managed
    WSP Status                   : Connected
    WCP Assignment-Method        : Preferred
    WSP Assignment-Method        : Preferred
    AP Label                     :
    Hardware Type                : Avaya AP8120
    Software Version             : 2.0.0.061
    Serial Number                : LBNNTMJXAD0FTR
    Location                     :
    Country Code                 : US
    Band Plan                    : FCC
    Locale                       : US/40
    Age (since last update)      : 0d:00:00:03
    System Up Time               : 0d:00:03:23
    Discovery Reason             : Controller IP via DHCP
    Managing Controller          : Local Controller
    WCP System IP Address        : 10.5.60.5
    Profile Id                   : 2
    WCP Managed Time             : 0d:00:02:40
    WSP System IP Address        : 10.1.1.16
    WSP Connected Time           : 0d:00:02:45
    Profile Name                 : AP-Profile-2
    Configuration Apply Status   : Success
    Authenticated Clients        : 0
    Configuration Failure Error  :
    Reset status                 : Not Started
    Code Download Status         : Not Started
    Image Upgrade Needed         : No
    Ap Techdump Status           : Not Started
    ---------------------------------------------------------------
    AP (MAC=00:1B:4F:6C:1F:80)
    IP Address                   : 10.7.115.50
    WCP Status                   : Managed
    WSP Status                   : Connected
    WCP Assignment-Method        : Preferred
    WSP Assignment-Method        : Preferred
    AP Label                     :
    Hardware Type                : Avaya AP8120
    Software Version             : 2.0.0.061
    Serial Number                : LBNNTMJXAD0FPC
    Location                     :
    Country Code                 : US
    Band Plan                    : FCC
    Locale                       : US/40
    Age (since last update)      : 0d:00:00:04
    System Up Time               : 0d:00:03:26
    Discovery Reason             : Controller IP via DHCP
    Managing Controller          : Local Controller
    WCP System IP Address        : 10.5.60.5
    Profile Id                   : 2
    WCP Managed Time             : 0d:00:02:44
    WSP System IP Address        : 10.1.1.17
    WSP Connected Time           : 0d:00:02:49
    Profile Name                 : AP-Profile-2
    Configuration Apply Status   : Success
    Authenticated Clients        : 0
    Configuration Failure Error  :
    Reset status                 : Not Started
    Code Download Status         : Not Started
    Image Upgrade Needed         : No
    Ap Techdump Status           : Not Started
    ---------------------------------------------------------------

23  Display the AP VAP (SSID) status:

    WCP8180#show wireless ap vap status
    AP MAC Address: 00:1B:4F:6C:07:40
    ------------------------------------------------------------------------
    Radio/                                                         # of Auth
    VAP Id    VAP MAC Address    SSID                              Clients
    --------  -----------------  --------------------------------  ---------
    1 / 1     00:1B:4F:6C:07:40  Sales-Ott                         0
    2 / 1     00:1B:4F:6C:07:50  Sales-Ott                         0
    2 / 2     00:1B:4F:6C:07:51  Eng-Ott                           0
    2 / 3     00:1B:4F:6C:07:52  Guest                             0
    2 / 4     00:1B:4F:6C:07:53  Lab-Ott                           0

    AP MAC Address: 00:1B:4F:6C:1F:80
    ------------------------------------------------------------------------
    Radio/                                                         # of Auth
    VAP Id    VAP MAC Address    SSID                              Clients
    --------  -----------------  --------------------------------  ---------
    1 / 1     00:1B:4F:6C:1F:80  Sales-Ott                         0
    2 / 1     00:1B:4F:6C:1F:90  Sales-Ott                         0
    2 / 2     00:1B:4F:6C:1F:91  Eng-Ott                           0
    2 / 3     00:1B:4F:6C:1F:92  Guest                             0
    2 / 4     00:1B:4F:6C:1F:93  Lab-Ott                           0
    ------------------------------------------------------------------------

Note: The SSID configured in the SSID Settings pane identifies the wireless network to which mobility clients connect.
24  Display the AP radio status:

    WCP8180#show wireless ap radio status
    ----------------------------------------------------------------------------
    AP MAC             Radio  Operation  Channel  Power  802.11 Mode      Auth Clients
    -----------------  -----  ---------  -------  -----  ---------------  ------------
    00:1B:4F:6C:07:40  1      On         44       80     802.11a/n        0
                       2      On         11       80     802.11b/g/n      0
    ----------------------------------------------------------------------------
    00:1B:4F:6C:1F:80  1      On         36       80     802.11a/n        0
                       2      On         11       80     802.11b/g/n      1
    ----------------------------------------------------------------------------

25  Verify wireless client connectivity. At this point the wireless network is ready for client connectivity. Scan for wireless networks and connect a wireless client to the network Sales-Ott and Guest1. Verify the client status and details on the WC:

    WCP8180#show wireless client status
    Total number of clients: 2
    -------------------------------------------------------------------------------
    Client             Client           Associated         Mobility
    MAC Address        IP Address       AP MAC             VLAN             Status
    -----------------  ---------------  -----------------  ---------------  -----------
    00:13:46:EA:CC:12  10.16.101.102    00:1B:4F:6C:1F:80  Sales1           Auth
    14:7D:C5:68:7C:94  10.16.102.111    00:1B:4F:6C:1F:80  Guest1           Auth
    -------------------------------------------------------------------------------

    WCP8180#show wireless client status detail
    Total number of clients: 2
    Client (MAC=00:13:46:EA:CC:12)
    Client IP Address                     : 10.16.101.102
    SSID                                  : Sales-Ott
    Mobility Vlan                         : Sales1
    Status                                : Authenticated
    Captive Portal Authenticated User     : No
    Transmit Data Rate                    : 54 Mbps
    Inactive Period                       : 0d:00:00:00
    Age (since last update)               : 0d:00:00:01
    Network Time                          : 0d:00:06:19
    Associating Controller                : Local Controller
    Controller IP Address                 : 10.5.60.5
    WSP IP Address                        : 10.1.1.17
    802.11n Capable                       : No
    STBC Capable                          : No
    AP MAC Address                        : 00:1B:4F:6C:1F:80
    BSSID                                 : 00:1B:4F:6C:1F:90
    Radio Interface                       : 2
    Channel                               : 11
    Network Profile ID                    : 1
    NetBios Name                          :
    Radio Resource Measurement (RRM)      : Unsupported
    Location Report Requests              : Unsupported
    AP Detection via Beacon Table Report  : Unsupported
    Beacon Active Scan Capability         : Unsupported
    Beacon Passive Scan Capability        : Unsupported
    Channel Load Measurement              : Unsupported
    -------------------------------------------------------------
    Client (MAC=14:7D:C5:68:7C:94)
    Client IP Address                     : 10.16.102.111
    SSID                                  : Guest
    Mobility Vlan                         : Guest1
    Status                                : Disassociated
    Captive Portal Authenticated User     : No
    Transmit Data Rate                    : 1 Mbps
    Inactive Period                       : 0d:00:00:43
    Age (since last update)               : 0d:00:00:26
    Network Time                          : 0d:00:01:52
    Associating Controller                : Local Controller
    Controller IP Address                 : 10.5.60.5
    WSP IP Address                        : 10.1.1.17
    802.11n Capable                       : Yes
    STBC Capable                          : No
    AP MAC Address                        : 00:1B:4F:6C:1F:80
    BSSID                                 : 00:1B:4F:6C:1F:92
    Radio Interface                       : 2
    Channel                               : 11
    Network Profile ID                    : 3
    NetBios Name                          :
    Radio Resource Measurement (RRM)      : Unsupported
    Location Report Requests              : Unsupported
    AP Detection via Beacon Table Report  : Unsupported
    Beacon Active Scan Capability         : Unsupported
    Beacon Passive Scan Capability        : Unsupported
    Channel Load Measurement              : Unsupported

26  You can also monitor wireless clients in the mobility domain using the remote packet capture feature. You must assign the capture profile configured in step 18 to an AP and then start a packet capture instance on the AMDC. You need an observer host PC to view the packet capture:

Note: Before you start a packet capture, ensure that you do the following on the Observer host PC. Download the Netcat application from http://www.downloadnetcat.com/. Launch the Netcat application to open the UDP port for listening. On a Windows PC, download netcat.exe to a folder.
On the command prompt, navigate to the folder where the executable is saved and enter the command nc.exe -l -p 37008 -u. Launch the Wireshark application to capture frames.

In this example, 00:1B:4F:6C:07:40 is the MAC address of the AP to which you want to associate the capture profile. 1 is the profile ID of the Capture profile configured in step 18.

    WC8180# wireless capture-instance start ap 00:1B:4F:6C:07:40 profile 1

View capture instances as follows:

To view capture instances for a specific AP:

    WC8180# show wireless capture-instance ap

To view capture instances for a specific profile:

    WC8180# show wireless capture-instance profile

To view all capture instances:

    WC8180# show wireless capture-instance all

For more information on debugging wireless clients using remote packet capture, including further details on instructions and procedure steps for the configuration of capture profiles and capture instances, see Avaya WLAN 8100 WC 8180 CLI Reference (NN47251–107).

6. Wireless Clients

For a wireless client to connect, at minimum, ensure the following on your wireless client. Since we are using PEAP, there is no need to manually download certificates.

    1. Security type is set to WPA-Enterprise.
    2. Encryption type is set to AES.
    3. Authentication method is set to PEAP.
    4. All users have been added; in our example, all valid users are entered via Microsoft's Active Directory.

For example, on a Microsoft Windows 7 client, clicking the wireless icon at the bottom right of the screen should display all four advertised SSIDs, as shown below.

If any of the SSIDs does not have a green bar and instead has a red "X", right-click the corresponding SSID and select Properties, as shown below.

Double check the security settings as shown below.
7. Verify Client Connectivity

7.1 Normal operations

Assuming we have two wireless clients connected to SSID Lab-Ott (WSP-1) and Sales-Ott (WSP-2):

1. Based on the configuration in this example (Section 5.4, step 19), AP-1 (001b.4f6c.0749) would connect to WSP-2 while AP-2 (001b.4f6c.1f80) should connect to WSP-1:

WSP1:5# show wireless-switch peer-device ap
PEER  PEER               PEER         PEER      PEER    LOCAL     TUNNEL
TYPE  MAC ADDR                        UDP PORT  STATUS  UDP PORT  INTERFACE
--------------------------------------------------------------------------------
AT    00:1b:4f:6c:07:40  10.7.115.51  61012     up      61012     WT-2
1 out of 1 entries in all displayed.

WSP2:5#show wireless-switch peer-device ap
PEER  PEER               PEER         PEER      PEER    LOCAL     TUNNEL
TYPE  MAC ADDR                        UDP PORT  STATUS  UDP PORT  INTERFACE
--------------------------------------------------------------------------------
AT    00:1b:4f:6c:1f:80  10.7.115.50  61012     up      61012     WT-2
1 out of 1 entries in all displayed.

2. VLANs 1001 (Guest1) and 1002 (Sales1) should be displayed on WSP-1 while VLANs 1003 (Eng1) and 1004 (labott) should be displayed on WSP-2:

WSP1:5# show wireless-switch vlan-map
MOBILITY       LOCAL    L3
VLAN NAME      VLAN ID  MOBILITY  WEIGHT  STATE   WCP-V ADMIN  MAPPED
--------------------------------------------------------------------------------
Eng1           0        none      1       active  yes          no
Guest1         1002     server    1       active  yes          yes
Sales1         1001     server    1       active  yes          yes
default-MVLAN  0        none      1       active  yes          no
labott         0        none      1       active  yes          no

WSP2:5#show wireless-switch vlan-map
MOBILITY       LOCAL    L3
VLAN NAME      VLAN ID  MOBILITY  WEIGHT  STATE   WCP-V ADMIN  MAPPED
--------------------------------------------------------------------------------
Eng1           1003     server    2       active  yes          yes
Guest1         0        none      1       active  yes          no
Sales1         0        none      1       active  yes          no
default-MVLAN  0        none      1       active  yes          no
labott         1004     server    2       active  yes          yes

7.2 Roaming

We simulate a roaming move by simply powering off AP-2 (001b.4f6c.1f80). This in turn will result in the following:

- The wireless client will move from AP-2 to AP-1 (001b.4f6c.0740)
- The wireless client connected to SSID Lab-Ott will tunnel over to WSP-1
  o VLAN labott should now be a client on WSP-1

1. Verify mobility VLAN labott is now a client on WSP-1:

WSP1:5#show wireless-switch vlan-map
MOBILITY       LOCAL    L3
VLAN NAME      VLAN ID  MOBILITY  WEIGHT  STATE   WCP-V ADMIN  MAPPED
--------------------------------------------------------------------------------
Eng1           0        none      1       active  yes          no
Guest1         1002     server    1       active  yes          yes
Sales1         1001     server    1       active  yes          yes
default-MVLAN  0        none      1       active  yes          no
labott         0        client    1       active  yes          no

WCP8180#show wireless client status
Total number of clients: 1
-------------------------------------------------------------------------------
Client             Client          Associated         Mobility
MAC Address        IP Address      AP MAC             VLAN      Status
-----------------  --------------  -----------------  --------  ------
00:13:46:EA:CC:12  10.17.104.51    00:1B:4F:6C:07:40  labott    Auth
70:05:14:63:A9:F9  10.16.101.101   00:1B:4F:6C:07:40  Sales1    Auth
-------------------------------------------------------------------------------

2. We should also see traffic via the tunnel from WSP-2 to WSP-1:

WSP1:5#show wireless-switch tunnel
================================================================================
                                  WLAN Tunnels
================================================================================
TUNNEL     PEER
INTERFACE  DEVICE ID          PEER IP    :UDP PORT  TYPE  STATUS
--------------------------------------------------------------------------------
WT-1       00:21:ea:bc:90:00  10.1.1.17  :61012     MT    up
WT-2       00:1b:4f:6c:07:40  10.7.115.51 :61012    AT    up

WSP1:5#show wireless-switch tunnel-statistics all
=====================================================================================
                                  TUNNEL STATISTICS
=====================================================================================
TUNNEL     PEER               IN     OUT    IN         OUT        IN       OUT
INTERFACE  DEVICE ID          FRAME  FRAME  KEEPALIVE  KEEPALIVE  DISCARD  DISCARD
-------------------------------------------------------------------------------------
WT-1       00:21:ea:bc:90:00  18802  22025  940680     940696     0        0
WT-2       00:1b:4f:6c:07:40  147    116    6684       6684       14       0

8. Reference Documentation

For more information on any WLAN 8100 or ERS 8800/8600 feature, go to www.avaya.com/support and download the configuration guide for the relevant feature.

Document Title | Publication Number | Description
Avaya VENA Unified Access Technical Configuration Guide | NN48500-643 | This document shows how to configure the Unified Access network described in this Technical Solution Guide.
Design Guide for WLAN 8100 Series | NN48500-587 | This guide provides recommended designs, best practices, and an explanation of common deployment issues for the WLAN 8100.
Avaya WLAN 8100 Quick Start | NN47251-111 | This document provides a configuration example to get your Unified Access network up and running as soon as possible.
Avaya WLAN 8100 Configuration | NN47251-305 | This document provides detailed information on configuring the WLAN 8100.
Avaya ERS 8800/8600 Configuration – Unified Access | NN46205-526 | This document provides detailed information on the configuration commands in the Unified Access solution.

© 2012 Avaya Inc. All Rights Reserved. Avaya and the Avaya Logo are trademarks of Avaya Inc. and are registered in the United States and other countries. All trademarks identified by ®, TM or SM are registered marks, trademarks, and service marks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners. Avaya may also have trademark rights in other terms used herein. References to Avaya include the Nortel Enterprise business, which was acquired as of December 18, 2009.
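The vlan-map checks in Sections 7.1 and 7.2 can be scripted so that an unexpected mobility role is flagged instead of being read off the screen. The following is an added example, not part of the Avaya guide: the function names are hypothetical, the sample text is constructed from the WSP-1 output shown in Section 7.2, and the rule that a server row must be mapped to a non-zero local VLAN is an assumption drawn from those outputs.

```python
import re

# Constructed sample: WSP-1 vlan-map after the roam, laid out as in Section 7.2.
SAMPLE_WSP1_AFTER_ROAM = """\
WSP1:5#show wireless-switch vlan-map
MOBILITY       LOCAL    L3
VLAN NAME      VLAN ID  MOBILITY  WEIGHT  STATE   WCP-V ADMIN  MAPPED
--------------------------------------------------------------------
Eng1           0        none      1       active  yes          no
Guest1         1002     server    1       active  yes          yes
Sales1         1001     server    1       active  yes          yes
default-MVLAN  0        none      1       active  yes          no
labott         0        client    1       active  yes          no
"""

# One data row: name, local VLAN ID, L3 mobility role, weight, state, admin, mapped.
ROW = re.compile(
    r"^(?P<name>\S+)\s+(?P<vlan_id>\d+)\s+(?P<role>none|server|client)\s+"
    r"(?P<weight>\d+)\s+(?P<state>\S+)\s+(?P<admin>yes|no)\s+(?P<mapped>yes|no)\s*$"
)

def parse_vlan_map(text):
    """Return {mobility VLAN name: row dict}; prompt, header and rule lines are skipped."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row["vlan_id"] = int(row["vlan_id"])
            row["weight"] = int(row["weight"])
            rows[row.pop("name")] = row
    return rows

def check_roles(rows, expected):
    """Compare parsed L3 mobility roles with the expected ones; return findings."""
    findings = []
    for name, role in expected.items():
        row = rows.get(name)
        if row is None:
            findings.append(f"{name}: missing from vlan-map")
        elif row["role"] != role:
            findings.append(f"{name}: role {row['role']}, expected {role}")
        elif row["state"] != "active":
            findings.append(f"{name}: state {row['state']}")
        # Assumption from the guide's outputs: server rows are mapped to a local VLAN.
        elif role == "server" and (row["mapped"] != "yes" or row["vlan_id"] == 0):
            findings.append(f"{name}: server role without a mapped local VLAN")
    return findings
```

An empty list from check_roles means the switch matches the expected post-roam state; feeding it the pre-roam expectation (labott as none) reports the role change.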