
Copyright © 2006 SpectraLink Corporation. All rights reserved.

PN: 72-9965-00-C.doc Page 1

Aruba Mobility Controller Configuration and Deployment Guide

SpectraLink's Voice Interoperability for Enterprise Wireless (VIEW) Certification Program is designed to ensure interoperability and high performance between NetLink Wireless Telephones and WLAN infrastructure products. The products listed below have been thoroughly tested in SpectraLink’s lab and have passed VIEW Certification. This document details how to configure the Aruba Mobility Controller for use with NetLink Wireless Telephones.

Certified Product Summary Manufacturer: Aruba Networks: www.arubanetworks.com

Mobility Controllers Access Points Approved products:

800 † / 800-4 6000 † / 5000 2400

AP60 † / 61 AP70 †

RF technology: Spread spectrum direct sequence (DS)

Radio: 2.4 – 2.484 GHz

Antenna diversity: Bi-directional

Security : WPA-PSK and WPA2-PSK

Software version tested: 2.4.1.0 Release 10695

NetLink Wireless Telephone software version tested: Version 2.0 (89.119)

Maximum telephone calls per AP: 12

Recommended network topology: Switched Ethernet (required) † Denotes products directly used in Certification Testing

Service Information

The AP must support SpectraLink Voice Priority (SVP). Contact your AP vendor if you need to upgrade the AP software.

If you encounter difficulties or have questions regarding the configuration process, please contact Aruba Networks Support at 1-800-943-4526, or visit http://www.arubanetworks.com/support.


Network Topology

The following topology was tested during VIEW Certification. It is important to note that these do not necessarily represent all "Certified" configurations.

Both layer 2 and layer 3 roaming were tested in single-switch and multi-switch deployment scenarios within the scope of VIEW testing.

Known Limitations

No limitations were discovered during VIEW Certification testing.

Access Point Features Enabled

The purpose of VIEW testing is to verify that the handset and the access point (AP) interoperate at the packet level; therefore, no add-on vendor features were tested.

The exception to this is the Voice Aware ARM Scanning (RF Scanning) feature, which was enabled for a targeted set of tests during VIEW Certification. This is the only feature that was verified.


Access Point Setup and Configuration

Before starting, please ensure that the Policy Enforcement Firewall module license is enabled on the Aruba controller. Please contact Aruba Networks for licenses and installation information.

Command, Comment, and Screen Text Key

In the sections below you will find commands, comments, prompts, system responses, or other screen-displayed information involved in the configuration process. This key explains the text styles and symbols used to denote them.

Text Style Denotes:

xxxxxxxx Typed command

<xxxxxxxx> Encryption key, domain name or other information specific to your system that needs to be entered

(xxxxxxxx) Comment about a command or set of commands

xxxxxxxx Prompt, system response or other displayed information

Installing a New Image

The latest firmware release can be obtained through Aruba Networks. Upgrading the switch to the new image can be done using the web interface or the command line interface (CLI). Place the image on the TFTP server or the FTP server, depending on the file transfer mechanism chosen.

Loading the image via the CLI using TFTP:

After logging onto the switch, issue the command:

(Aruba) > enable

Password: <enable password>

(Aruba) # copy TFTP: <ip of server> <file name> system: partition <0 or 1>

(Aruba) # write memory (to save the current switch configuration)

(Aruba) # reload (to reboot the switch)

(Aruba) # Do you really want to reset the system(y/n): y

See below for instructions on how to connect the switch to a PC.


Uploading an image using the web interface:

1. Navigate to the Switch > Maintenance > Image Management page.

2. Enter the TFTP Server IP Address and the Image File Name.

3. Set the Partition to upgrade as required to 0 or 1.

4. Set the Reboot Switch After Upgrade and the Save Current Configuration Before Reset to Yes.

5. Click Upgrade. Do not navigate to other pages while the image is being upgraded.

Once the image upgrades, the configuration will be saved and the switch will be rebooted as part of the process.

Configuring the Access Points

SpectraLink recommends that voice users be placed on a separate VLAN (e.g., VLAN 10) from data users (e.g., VLAN 25) for best results, although testing was done in a mixed environment. These VLANs reside on the Aruba mobility controller switch and not on the access points, so the edge network does not have to be modified to accommodate the voice network. Each VLAN requires a unique IP address. The switch IP address needs to be set via the loopback interface setting; the loopback address must be a routable address so that the APs can reach it.

Interface Setting

Identify the mobility controller port that serves as the uplink port for the data VLAN. The port used in this example is Fast Ethernet 1/0 and is a trunk port carrying both the voice and data VLANs.

Default Route

Configure the default route to the next-hop gateway connected to the controller.


Physical Interface

Identify the interfaces connected to the routers, servers and gateways and set these interfaces as trusted.

Connecting the APs

The APs need an IP address to communicate with the mobility controller. They can connect to the controller over an L2 or L3 network. Ensure that DHCP is enabled on the subnets the APs are connected to, and that the APs can ping the Aruba mobility controller’s “switch IP address” from their current subnet.

AP Network Parameters

The APs need to be provisioned. The Aruba APs can be provisioned manually or be configured for automatic provisioning. When using manual provisioning, the web-based AP provisioning is easier to use. Refer to the Aruba AP Provisioning User Guide for instructions on provisioning the AP.

Note: SpectraLink recommends that you use the CLI for all other configurations.

Mobility Controller Switch Configuration

Connecting to the Aruba Mobility Controller via the Console

1. Using a standard RS-232 cable, connect the Mobility Controller Switch to the serial port of a terminal or PC.

2. Run a terminal emulation program (such as HyperTerminal) or use a VT-100 terminal with the following configuration:

Bits per second: 9600

Data bits: 8

Parity: None

Stop bits: 1

Flow control: None

3. Press Enter to display the Mobility Controller Switch login screen.

4. Enter the default login: admin and default password: admin. These are case sensitive.

5. Enter enable and default password: admin to get into the command mode.

Initial Switch Configuration

1. On power up, the user is presented with the startup wizard:

Enter System name [Aruba800]: Aruba

Enter VLAN 1 interface IP address [172.16.0.254]: 172.16.0.254

Enter VLAN 1 interface subnet mask [255.255.255.0]: 255.255.255.0

Enter IP Default gateway [none]: none

Enter Switch Role, (master|local) [master]: master

Enter Country code (ISO-3166), <ctrl-I> for supported list: US

You have chosen Country code US for United States (yes|no)?: yes

Enter Password for admin login (up to 32 chars): admin

Re-type Password for admin login: admin

Enter Password for enable mode (up to 15 chars): enable


Re-type Password for enable mode: enable

Do you wish to shutdown all the ports (yes|no)? [no]: no

Current choices are: System name: Aruba

VLAN 1 interface IP address: 172.16.0.254

VLAN 1 interface subnet mask: 255.255.255.0

IP Default gateway: none

Switch Role: master

Country code: US

Ports shutdown: no

If you accept the changes the switch will restart!

2. Type <ctrl-P> to go back and change answer for any question.

3. Do you wish to accept the changes (yes|no): yes

<<<<< Welcome to Aruba Wireless Networks - Aruba 800 >>>>>

Performing CompactFlash fast test... passed.

Reboot Cause: User reboot. Crash information available.

Restoring the database...done.

Reading configuration from default.cfg

(Aruba) User:

4. Log in to the switch using username aruba and the password configured using the startup menu.

5. Configure the VLAN interface, IP address and default gateway to access the switch over the network.

User: admin

Password: *****

(Aruba) >en

Password:******

(Aruba) #configure terminal

Enter Configuration commands, one per line. End with CNTL/Z

(Aruba) (config) #vlan 25

(Aruba) (config) #interface vlan 25

(Aruba) (config-subif)#ip address 10.168.10.2 255.255.255.0


(Aruba) (config-subif)#!

(Aruba) (config) #interface loopback

(Aruba) (config-loop)#ip address 10.168.10.1

Switch IP Address is Modified. Switch should be rebooted now

(Aruba) (config-loop)#!

(Aruba) (config) #ip default-gateway 10.168.10.10

(Aruba) (config) #interface fastethernet 1/0

(Aruba) (config-if)#trusted

(Aruba) (config-if)#no shutdown

(Aruba) (config-if)#switchport mode trunk

(Aruba) (config-if)#switchport trunk allowed vlan add 10,25

(Aruba) (config-if)#!

(Aruba) (config)#

6. Ping the default gateway from the switch’s console. Ping the switch’s IP address from the management station.

7. Once the connectivity to the switch is verified, open a web browser and enter the switch’s IP address in the navigator bar.

The switch can be accessed using http, http://<switch IP Address>; or https, https://<switch IP Address>:4343.

8. Enter the username and password. On successful login the following Network Summary page is displayed:


Radio Settings

• Radio Setting .11b or .11g - Most VoWLAN phones employ the 802.11b radio; therefore, VIEW Certification testing was done with the radio set to the 802.11b only mode and not the b/g mixed mode.

• SpectraLink recommends the 802.11b/g radio setting be set to 802.11b. When using a single radio AP, the radio will have to be set to operate as an 802.11b radio for both the voice and data network. When using the dual radio APs, the data devices can use the 802.11a network and share the 802.11b network with the voice devices.

Setting the Encryption to WPA2-PSK

APs can be configured using the CLI or the web interface. Each AP is identified by a unique location code. The APs can either be configured per location with unique settings, using the AP’s unique location code, or globally using the wildcard location; 0 is used as the wildcard. Example: ap location 0.0.0 will configure all Aruba APs on the WLAN system.

1. The following sequence of commands is used to configure AP settings using the CLI:

configure terminal

ap location x.y.z

phy-type g

2. Type ? for list of available commands. Type exit to move up a level.

3. The following commands are used to set up WPA2-PSK encryption:

opmode wpa2-aes-psk

wpa-passphrase <passphrase>

4. (Conditional) If a hex-key has already been configured, delete the hex-key using the command:

no wpa-hexkey <hexkey>

5. To save changes, enter: write mem


Recommended AP Configuration Settings

Command | Required Setting | Default Setting | Description

max-clients <x> | 24 | 0 | Maximum number of clients that can associate with the AP

beacon-interval <x> | Set to default | 100 milliseconds | The interval at which beacons are sent out

dtim-period <x> | 3 | 1 | Delivery traffic indication message interval, in units of the beacon interval

hide-essid <enable / disable> | enable | disable | Stops the ESSID from being broadcast

max-retries | 2 | 4 | Maximum number of times the AP tries to send a packet to the client before discarding the packet

bg-mode | b-only | mixed | The radio mode of the b/g radio

tx-power <0-4> | | 0 | As per the environment. This need not be set if ARM is enabled

channel <x> | | 1 | This is the channel assigned to the radio. Need not be set if ARM is enabled

rates | 1,2,5,11 | 1,2 | The basic rates that need to be enabled

tx-rates | 1,2,5,11 | 5,11 | The supported tx-rates

essid | <voice ssid as configured> | Aruba | This is the ESSID that the voice devices associate with

short-preamble | Tested: enable; Recommended: disable | enable | Set short-preamble to disable to support long preamble only
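The table above is easy to check by hand for one AP and tedious for a fleet. The following script is an added example (not part of the SpectraLink guide and not an Aruba tool) that parses "ap location" blocks written in the style of the reference configuration later in this document and reports every 802.11g setting that deviates from the recommended column. The configuration text is constructed for the demo; two interpretations are assumptions of the script rather than statements of the guide: max-clients is treated as an upper bound, and a value set under phy-type overrides the same setting at the ap location level.

```python
# Added example, not from the SpectraLink guide or Aruba: check the 802.11g
# radio of an "ap location" block against the recommended voice settings.
# SAMPLE_CONFIG is constructed for this demo in the style of the guide's
# reference configuration ("!" closes the innermost open block).

RECOMMENDED_G = {                      # setting -> (check, reference)
    "max-clients": ("max", 24),        # assumption: 24 is treated as a ceiling
    "beacon-period": ("eq", "100"),    # "beacon-interval" in the table
    "dtim-period": ("eq", "3"),
    "hide-ssid": ("eq", "enable"),     # "hide-essid" in the table
    "max-retries": ("eq", "2"),
    "bg-mode": ("eq", "b-only"),
    "rates": ("set", {"1", "2", "5", "11"}),
    "txrates": ("set", {"1", "2", "5", "11"}),
    "short-preamble": ("eq", "disable"),   # recommended (tested with enable)
}

SAMPLE_CONFIG = """\
ap location 1.1.0
lms-ip 10.30.0.1
hide-ssid disable
max-retries 4
dtim-period 1
beacon-period 100
phy-type g
essid "Voice"
max-clients 20
max-retries 2
dtim-period 3
bg-mode mixed
short-preamble enable
rates 1,2
txrates 1,2,5,11
!
!
"""


def parse_ap_locations(text):
    """Return {location: {"_": location-level settings, "g": {...}, "a": {...}}}."""
    locations = {}
    loc = radio = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!":                   # close radio block first, then location
            if radio is not None:
                radio = None
            else:
                loc = None
            continue
        key, _, value = line.partition(" ")
        value = value.strip().strip('"')
        if key == "ap" and value.startswith("location "):
            loc, radio = value.split()[1], None
            locations.setdefault(loc, {"_": {}})
            continue
        if loc is None:
            continue                      # not inside an ap location block
        if key == "phy-type":
            radio = value
            locations[loc].setdefault(radio, {})
            continue
        target = locations[loc][radio] if radio else locations[loc]["_"]
        target[key] = value
    return locations


def effective_settings(loc_block, radio="g"):
    """Location-level values, overridden by the radio's own (assumption)."""
    eff = dict(loc_block["_"])
    eff.update(loc_block.get(radio, {}))
    return eff


def _satisfies(have, check, ref):
    if check == "eq":
        return have == ref
    if check == "max":
        return int(have) <= ref
    return set(have.split(",")) == ref    # "set": the exact rate set


def check_voice_settings(text, location, radio="g"):
    """List deviations from RECOMMENDED_G for one location's radio."""
    locations = parse_ap_locations(text)
    if location not in locations:
        raise KeyError(f"ap location {location} not found")
    eff = effective_settings(locations[location], radio)
    findings = []
    for setting, (check, ref) in RECOMMENDED_G.items():
        have = eff.get(setting)
        if have is None or not _satisfies(have, check, ref):
            want = ",".join(sorted(ref, key=int)) if check == "set" else str(ref)
            findings.append({"setting": setting, "have": have, "want": want})
    return findings


if __name__ == "__main__":
    for f in check_voice_settings(SAMPLE_CONFIG, "1.1.0"):
        print(f"{f['setting']}: have {f['have']!r}, want {f['want']}")
```

Run against the constructed block, the script flags hide-ssid, bg-mode, rates and short-preamble, while max-retries and dtim-period pass because the phy-type g values override the weaker location-level ones. Feed it the output of "show running configuration" (or the "show ap config location x.y.z" listing) to audit a real controller.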


To configure the above AP settings using the web interface:

1. Open the link to the switch using the web browser. Navigate to the Configuration > WLAN > Network.

2. To add a new SSID click Add or click Edit to edit an existing ESSID.

3. Apply the changes. Navigate to the Configuration > WLAN > Radio page. Select the 802.11 b/g tab.

4. Click Apply to apply the changes made.


ARM Aware Scanning

If ARM Aware Scanning (RF scanning) is included in your firmware release, it can be enabled through the command line interface (CLI) as follows:

configure terminal

ap location x.y.z

phy-type g

arm scanning enable

arm assignment single-band

arm voip-aware-scan enable

write mem

This feature was enabled during VIEW Certification for a targeted test only.

Security Policies and Quality of Service (QoS)

Once the basic infrastructure is configured, it is necessary to configure the security policies to ensure that the data network and the voice network are secured and access to these networks is limited as required. The steps are as follows:

1. Setup aliases for the SVP Server.

2. Set policies for the NetLink Wireless Telephone User to the required voice server, DHCP and TFTP servers. Add other ACLs as required to permit other traffic from the NetLink Wireless Telephones.

3. Assign policies to the role.

Create Alias for the SVP Server

Navigate to Configuration > Advanced (under the Security sub-heading). Select Destination. To add a new destination, click Add. Create a new net-destination, for example svp_server, and add the SVP Servers as hosts.

For more details on configuring the net-destinations refer to the Aruba User Guide.


Create Policies for the NetLink Wireless Telephone User

The policies shown in the above example can be configured using the web interface as follows:

Assign Policies to the Role

Create a role, for example phones, and assign the policies to this role. This is the role that will be assigned to the handsets when they are authenticated successfully.


The Security Policies and QoS can also be configured through the command line interface (CLI). The CLI commands corresponding to this section are as follows:

configure terminal

netdestination tftp-server

host 10.168.0.20

!

netdestination svp_server

host 10.168.0.11

host 10.168.0.12

!

netdestination dhcp-server

host 10.168.0.21

!

ip access-list session phone_acl

user user any deny

user alias svp_server svc-svp permit queue high

alias svp_server user svc-svp permit queue high

user alias tftp-server svc-tftp permit

user alias dhcp-server svc-dhcp permit

user host 224.0.1.116 any permit

!

user-role phones

session-acl phone_acl

!

Authentication

In addition to the encryption, it is recommended that you use MAC authentication to authenticate the NetLink Wireless Telephones. On the Aruba system, the roles for NetLink Wireless Telephones are derived using MAC authentication. The NetLink Wireless Telephones can be authenticated individually using MAC authentication or as a group using the vendor OUI and derivation rules. For instructions on enabling MAC authentication, refer to Aruba’s User Guide.

For the OUI-based derivation rule, configure the following from the CLI:

aaa derivation rules user

set role condition macaddr starts-with "00:90:7a" set-value phone

Quality of Service (QoS)

Quality of service is achieved by prioritizing the voice traffic over data traffic. To prioritize the voice traffic over data traffic in the AP traffic queues, the “queue high” tag is used at the end of each ACL to prioritize the traffic matching the ACL over all other traffic. In the example shown above:

user alias svp_server svc-svp permit queue high

alias svp_server user svc-svp permit queue high


The traffic that matches the above two rules is prioritized over all other traffic. In addition, a DiffServ tag or a Dot1p tag can be configured at the end of each ACL to indicate the relative priority of the traffic to the network.

Example:

user alias svp_server svc-svp permit dot1p-priority 4 tos 4 queue high

alias svp_server user svc-svp permit dot1p-priority 4 tos 4 queue high

By default, the packets are not tagged.
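The phone_acl, the OUI derivation rule and the QoS tags above interact in a way that is worth tracing: a handset first receives its role from its MAC prefix, and then every session it opens is matched against the role's ACL in order, first match wins, with the matching rule supplying the permit/deny decision and the queue, dot1p and tos markings. The script below is an added example (not part of the SpectraLink guide and not Aruba code) that models exactly that sequence for the rules shown in this document, so you can see that phone-to-phone traffic is dropped by "user user any deny", that SVP traffic to the SVP server gets the high queue and dot1p/tos tags, and that anything not listed (for example SSH to the TFTP server) falls through to the implicit deny. Server addresses and ACL lines follow the guide (with the dot1p/tos tags from the QoS section applied to the two SVP rules); handset IP addresses and MACs are constructed sample values, and the assumption that an untagged rule lands in the low queue is this script's, not the guide's.

```python
# Added example, not from the SpectraLink guide or Aruba: a minimal model of
# the MAC-derivation rule and the phone_acl session ACL. Handset IPs/MACs are
# constructed sample values; aliases and services follow the guide.

NETDESTINATIONS = {               # netdestination aliases from the guide
    "svp_server": {"10.168.0.11", "10.168.0.12"},
    "tftp-server": {"10.168.0.20"},
    "dhcp-server": {"10.168.0.21"},
}

NETSERVICES = {                   # from the netservice lines in the config file
    "svc-svp": ("119", ()),       # IP protocol 119 (SVP), no port
    "svc-tftp": ("udp", (69,)),
    "svc-dhcp": ("udp", (67, 68)),
}

PHONE_ACL = """\
user user any deny
user alias svp_server svc-svp permit dot1p-priority 4 tos 4 queue high
alias svp_server user svc-svp permit dot1p-priority 4 tos 4 queue high
user alias tftp-server svc-tftp permit
user alias dhcp-server svc-dhcp permit
user host 224.0.1.116 any permit
"""

OUI_RULES = (("00:90:7a", "phone"),)   # aaa derivation-rules user


def derive_role(mac, rules=OUI_RULES, default="logon"):
    """First 'starts-with' rule that matches the MAC assigns the role."""
    mac = mac.lower()
    for prefix, role in rules:
        if mac.startswith(prefix.lower()):
            return role
    return default                # no rule matched: initial (logon) role


def _take_endpoint(tokens):
    """Consume one endpoint: user | any | alias NAME | host IP."""
    kind = tokens[0]
    if kind in ("user", "any"):
        return (kind, None), tokens[1:]
    if kind in ("alias", "host"):
        return (kind, tokens[1]), tokens[2:]
    raise ValueError(f"unknown endpoint {kind!r}")


def parse_acl(text):
    """Parse 'src dst service action [queue X] [dot1p-priority N] [tos N]'."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        src, rest = _take_endpoint(tokens)
        dst, rest = _take_endpoint(rest)
        service, action, opts = rest[0], rest[1], rest[2:]
        # assumption: a rule without a queue tag lands in the low queue
        qos = {"queue": "low", "dot1p": None, "tos": None}
        for key, value in zip(opts[::2], opts[1::2]):
            if key == "queue":
                qos["queue"] = value
            elif key == "dot1p-priority":
                qos["dot1p"] = int(value)
            elif key == "tos":
                qos["tos"] = int(value)
            else:
                raise ValueError(f"unknown option {key!r} in {line!r}")
        rules.append((src, dst, service, action, qos))
    return rules


def _endpoint_matches(endpoint, ip, user_ips):
    kind, arg = endpoint
    if kind == "any":
        return True
    if kind == "user":            # "user" = any client holding this role
        return ip in user_ips
    if kind == "host":
        return ip == arg
    return ip in NETDESTINATIONS[arg]          # alias


def _service_matches(service, proto, dport):
    if service == "any":
        return True
    svc_proto, ports = NETSERVICES[service]
    return svc_proto == proto and (not ports or dport in ports)


def evaluate(rules, flow, user_ips):
    """First matching rule wins; the ACL ends in an implicit deny."""
    for src, dst, service, action, qos in rules:
        if (_endpoint_matches(src, flow["src"], user_ips)
                and _endpoint_matches(dst, flow["dst"], user_ips)
                and _service_matches(service, flow["proto"], flow.get("dport"))):
            return action, qos
    return "deny", None


if __name__ == "__main__":
    phones = {"10.168.10.50", "10.168.10.51"}   # constructed handset IPs
    acl = parse_acl(PHONE_ACL)
    print(derive_role("00:90:7a:12:34:56"), derive_role("00:11:22:33:44:55"))
    for flow in (
        {"src": "10.168.10.50", "dst": "10.168.0.11", "proto": "119"},
        {"src": "10.168.10.50", "dst": "10.168.10.51", "proto": "udp", "dport": 5060},
        {"src": "10.168.10.50", "dst": "10.168.0.20", "proto": "udp", "dport": 69},
        {"src": "10.168.10.50", "dst": "10.168.0.20", "proto": "tcp", "dport": 22},
    ):
        print(flow, "->", evaluate(acl, flow, phones))
```

Note that the OUI rule only decides which role a client lands in; it is the ACL bound to that role that limits what the handset can reach, which is why the guide pairs the derivation rule with the deny-by-default phone_acl and with WPA2-PSK on the air.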

Subnet Roaming

The Aruba system can be set up to support inter-switch inter-subnet roaming. The topology is as shown in the figure on page 2.

When two or more switches are used in the Aruba WLAN system, one switch has to be identified as the master and the others as the local switch. During VIEW Certification testing, the Aruba 800 was configured as the master and the Aruba 6000 was configured as a local switch, therefore, this configuration is used in the following examples.

For instructions on setting up a switch as a local switch refer to Aruba’s User Guides.

Ensure that both switches have IP connectivity. A simple ping from each of the switches to the other switch can be used to verify connectivity. In a master local setup all AP, authentication, and firewall configurations will be made on the master and pushed down to the local switch.

In the configuration tested, all APs with location code 1.1.0 were configured to boot off of the master switch and all APs with location code 1.2.0 were configured to boot off of the local switch.

To use the web interface to configure the switches for subnet roaming, do the following:

1. From the master switch navigate to the Configuration > WLAN > Advanced tab.

2. Add a new location 1.1.0 and click Apply. In the next page click General and set the LMSIP to the switch IP address of the master. Apply the configurations.

3. Configure location 1.2.0 in a similar manner and set the LMSIP address to the switch IP address of the local switch.

4. Create a default route for multicast traffic re-direction on the switch that acts as the Mobility Home Agent for the Voice group (this was done on the master switch in the test example).


To use the CLI to configure the switches for subnet roaming, do the following:

1. Commands for the master switch (the Aruba 800):

configure terminal

ip default-gateway <ip_addr of router>

ap location 1.1.0 (AP connected to the Aruba 800)

lms-ip <ip_addr of 800 switch>

ap location 1.2.0 (AP connected to the Aruba 6000)

lms-ip <ip_addr of 6000 switch>

ip route 224.0.0.0 255.0.0.0 <ip_addr of netlink telephony gateway>

exit

write mem

2. Commands for the local switch (the Aruba 6000):

Note: The AP's IP address must be on the same subnet as the switch.

configure terminal

masterip <ip address of the master>

interface loopback

ip address <ip_addr of the 6000>

vlan 1

interface vlan 1

ip address <ip_addr of the 6000> <netmask>

interface fastethernet <port>

switchport access vlan 1 (only if the port is an access port)

trusted

no shut

!

ip default-gateway <ip_addr of router>

!

exit

write mem

After the master IP and the switch IP address are configured on the local switch, the switch needs to be rebooted prior to use.

It is also necessary to set the default gateway of the NetLink SVP Server and NetLink Telephony Gateway to the IP address of the router connected to the master switch.


To verify the setup for subnet routing:

1. Commands from the Aruba 800:

show master ip (should be 800’s ip)

show stm connectivity (shows the APs connected to 800 switch)

Ping the local switch. Pings should be successful.

2. Commands from the Aruba 6000:

show master ip (should be 800’s ip)

show stm connectivity (shows the APs connected to 6000 switch)

show running configuration (shows that the ap and aaa rules have been carried from the master to the slave)

Checking the Configuration

Verify connectivity by pinging between the switches, the APs, and the NetLink SVP Server and NetLink Telephony Gateway.

The switch and AP are now ready for use with NetLink Wireless Telephones.

To show AP settings: show ap config location x.y.z

To show all APs connected to a switch: show stm connectivity

To show clients associated to all APs: show station-table

To show clients associated to a specific AP: show ap status <ip of ap>


Configuration File Example (For Reference Only)

The following configuration file was used during VIEW Certification testing. In the original document the settings discussed above are shown in bold; that emphasis is not preserved in this text version.

Please note: The configuration used in VIEW Certification involved static IP addresses on the APs and handsets for most tests, and these configurations reflect the same.

#General Configuration

show configuration
version 2.4
enable secret "267315ec92ebccfc296456d33650b91b"
enable "0R1v1^0b1d"
telnet soe
hostname "Aruba"
logging level warnings stm
clock timezone PST -8
netservice svc-snmp-trap udp 162
netservice svc-dhcp udp 67 68
netservice svc-smb-tcp tcp 445
netservice svc-https tcp 443
netservice svc-ike udp 500
netservice svc-l2tp udp 1701
netservice svc-syslog udp 514
netservice svc-pptp tcp 1723
netservice svc-telnet tcp 23
netservice svc-sccp tcp 2000
netservice svc-tftp udp 69
netservice svc-sip-tcp tcp 5060
netservice svc-kerberos udp 88
netservice svc-pop3 tcp 110
netservice svc-adp udp 8200
netservice svc-dns udp 53
netservice svc-msrpc-tcp tcp 135 139
netservice svc-rtsp tcp 554
netservice svc-http tcp 80
netservice svc-vocera udp 5002
netservice svc-nterm tcp 1026 1028
netservice svc-sip-udp udp 5060
netservice svc-papi udp 8211
netservice svc-ftp tcp 21
netservice svc-natt udp 4500
netservice svc-svp 119
netservice svc-gre 47
netservice svc-smtp tcp 25
netservice svc-smb-udp udp 445
netservice svc-esp 50
netservice svc-bootp udp 67 69
netservice svc-snmp udp 161
netservice svc-icmp 1
netservice svc-ntp udp 123
netservice svc-msrpc-udp udp 135 139
netservice svc-ssh tcp 22
ip access-list session control
any any svc-icmp permit
any any svc-dns permit


any any svc-papi permit
any any svc-adp permit
any any svc-tftp permit
any any svc-dhcp permit
any any svc-natt permit
!
ip access-list session validuser
any any any permit
!
ip access-list session svp
user host 10.2.0.67 svc-svp permit queue high
host 10.2.0.67 user svc-svp permit queue high
any any svc-svp permit queue high
any any svc-dhcp permit queue high
any any svc-tftp permit queue high
user host 224.0.1.116 any permit queue high
any any any deny
!
ip access-list session captiveportal
user alias mswitch svc-https permit
user any svc-http dst-nat 8080
user any svc-https dst-nat 8081
!
ip access-list session allowall
any any any permit
!
ip access-list session vpnlogon
user any svc-ike permit
user any svc-esp permit
any any svc-l2tp permit
any any svc-pptp permit
any any svc-gre permit
!
ip access-list session srcnat
user any any src-nat
!
ip access-list session cplogout
user alias mswitch svc-https permit
!
ip access-list session ap-acl
any any svc-gre permit
any any svc-syslog permit
any user svc-snmp permit
user any svc-snmp-trap permit
user any svc-ntp permit
!
vpn-dialer default-dialer
ike authentication PRE-SHARE 55460a3edd87049c0f86d3bb62f6bd9964b7afdc6a2bf497
!
user-role ap-role
session-acl control
session-acl ap-acl
!
user-role trusted-ap
session-acl allowall
!
user-role default-vpn-role

Firewall policies for the NetLink Wireless Telephones that permit SVP traffic, multicast, dhcp and tftp traffic.


session-acl allowall
!
user-role phone
session-acl svp
!
user-role guest
session-acl control
session-acl cplogout
!
user-role stateful-dot1x
!
user-role stateful
session-acl control
!
user-role logon
session-acl control
session-acl captiveportal
session-acl vpnlogon
session-acl allowall
!
aaa derivation-rules server Internal
set role condition Role value-of
!
aaa derivation-rules user
set role condition macaddr starts-with "00:90:7a" set-value phone
!
aaa vpn-authentication default-role default-vpn-role
aaa pubcookie-authentication
!
aaa dot1x mode enable
aaa dot1x enforce-machine-authentication mode disable
!
interface mgmt
shutdown
!
interface fastethernet 1/0
description "fe1/0"
trusted
port monitor fastethernet 1/3
!
interface fastethernet 1/1
description "fe1/1"
trusted
!
interface fastethernet 1/2
description "fe1/2"
trusted
!
interface fastethernet 1/3
description "fe1/3"
trusted

The roles that the handsets would assume. The policies applied to the roles apply to the devices assuming this role. In this case it is the SVP policy defined above.

The devices assume their roles using MAC authentication. Any device beginning with MAC “00:90:7a” is assigned the role phone.


!
interface fastethernet 1/4
description "fe1/4"
trusted
!
interface fastethernet 1/5
description "fe1/5"
trusted
!
interface fastethernet 1/6
description "fe1/6"
trusted
!
interface fastethernet 1/7
description "fe1/7"
trusted
!
interface gigabitethernet 1/8
description "gig1/8"
trusted
!
interface vlan 1
ip address 10.30.0.1 255.0.0.0
!
ip default-gateway 10.0.0.165
country US
ap location 0.0.0
ap-logging level informational snmpd
double-encrypt disable
ap-logging level warnings stm
max-imalive-retries 10
ap-logging level informational sapd
ap-logging level warnings am
forward-mode tunnel
native-vlan-id 1
mode ap_mode
authalgo opensystem
rts-threshhold 2333
tx-power 2
max-retries 4
dtim-period 1
max-clients 64
beacon-period 100
ap-enable enable
power-mgmt enable
ageout 1000
hide-ssid disable
deny-bcast disable


bkplms-ip 0.0.0.0
rf-band g
bootstrap-threshold 7
radio-off-threshold 3
local-probe-response disable
max-tx-fail 0
arm assignment disable
arm client-aware enable
arm scanning disable
arm scan-time 110
arm scan-interval 10
arm multi-band-scan disable
arm voip-aware-scan enable
arm max-tx-power 4
arm rogue-ap-aware disable
essid "BBK"
opmode wpa2-aes-psk
phy-type a
ap-enable disable
channel 52
rates 6,12,24
txrates 6,9,12,18,24,36,48,54
!
phy-type g
essid BBK
wpa-passphrase 5361ce88387b45947428582bf403bb6f1e79bfbd482d14e5
max-clients 20
max-retries 2
max-tx-fail 20
dtim-period 3
arm assignment disable
arm scanning disable
mode ap_mode
bg-mode b-only
vlan-id 1
opmode wpa2-aes-psk
ageout 60
channel 10
short-preamble disable
rates 1,2,5,11
txrates 1,2,5,11
!
!
ap location 0.0.0
phy-type enet1
mode active-standby
switchport mode access
switchport access vlan 1
switchport trunk native vlan 1
switchport trunk allowed vlan 1-4094
trusted disable
!
!
ap location 1.0.0
lms-ip 10.30.0.1
!
ap location 1.1.0
lms-ip 10.30.0.1

The lms-ip address identifies the mobility controller (the local management switch, LMS) that the APs in that location terminate their tunnels on. Refer to the Aruba documentation for details on lms-ip configuration.

To enable auto RF, that is Adaptive Radio Management (ARM), set the following under the ap location:
  arm assignment single-band
  arm scanning enable
  arm voip-aware-scan enable

Note that the certified configuration above leaves arm assignment and arm scanning disabled (channel and transmit power are set statically per radio) while keeping arm voip-aware-scan enable, which stops an AP from leaving its channel to scan while it is carrying a voice call.

The VLAN that associated clients are placed in is set with the vlan-id command under the phy-type block (vlan-id 1 in the configuration above).
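The BBK WLAN above runs opmode wpa2-aes-psk, so the pairwise master key that every NetLink phone and AP share is derived from the wpa-passphrase alone; the guide prints that passphrase only in the controller's obfuscated form, so the value used in certification is not known. The Python below is an added example, not from the SpectraLink guide or from Aruba. It shows the IEEE 802.11i passphrase-to-PSK mapping (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations) and why passphrase strength is the whole security of PSK mode. The candidate passphrases and the "bbkvoice1" value are constructed for the example.

```python
import hashlib
import hmac
import secrets
import string
from typing import Iterable, Optional

# Constants fixed by IEEE 802.11i for WPA/WPA2 passphrase-to-PSK mapping.
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Map (passphrase, SSID) to the 256-bit PMK/PSK: PBKDF2-HMAC-SHA1 with
    the SSID as salt, 4096 iterations, 32 bytes of output."""
    if not 8 <= len(passphrase) <= 63 or not passphrase.isascii():
        raise ValueError("WPA2 passphrase must be 8..63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"),
        PBKDF2_ITERATIONS, PMK_LEN,
    )


def offline_guess(target_pmk: bytes, ssid: str,
                  candidates: Iterable[str]) -> Optional[str]:
    """Model of an offline dictionary attack. An attacker holding a captured
    4-way handshake can verify each candidate passphrase by recomputing the
    handshake MIC; here the PMK itself stands in for that oracle.
    Returns the first candidate that matches, or None."""
    for guess in candidates:
        try:
            pmk = wpa2_pmk(guess, ssid)
        except ValueError:
            continue  # not a valid passphrase length, cannot be the answer
        if hmac.compare_digest(pmk, target_pmk):
            return guess
    return None


def random_passphrase(length: int = 32) -> str:
    """Passphrase from the OS CSPRNG over a 62-symbol alphabet (~5.95 bits per
    character); 32 characters is ~190 bits, far beyond any wordlist."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE".
    print(wpa2_pmk("password", "IEEE").hex())
    # Constructed example against the guide's SSID "BBK" ("bbkvoice1" is made up).
    weak = wpa2_pmk("bbkvoice1", "BBK")
    print(offline_guess(weak, "BBK", ["password", "12345678", "bbkvoice1"]))
    strong = wpa2_pmk(random_passphrase(), "BBK")
    print(offline_guess(strong, "BBK", ["password", "12345678"]))
```

The first line printed is the 802.11i Annex H test vector (f42c6fc5 2df0ebef ...), which confirms the derivation matches what the phones and the controller compute. The iteration count is fixed by the standard and cannot be raised on the Mobility Controller, so passphrase length and randomness are the only lever: anyone who captures one 4-way handshake on the BBK SSID can run the same loop offline against a wordlist, and a passphrase that survives that is the one to provision on the phones.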


!
ap location 1.1.1
  tx-power 0
  lms-ip 10.30.0.1
  phy-type g
    essid "BBK"
    tx-power 0
    max-clients 50
    ageout 60
    bg-mode mixed
    beacon-period 100
    short-preamble disable
    dtim-period 3
    wpa2-preauth enable
    opmode wpa2-aes-psk
    wpa-passphrase bf8870417b0ecd64034b7a535260f31177f5b5ef8ac579e8
    ap-enable enable
    rates 11
    txrates 1,2,5,11
    channel 10
  !
!
ap location 1.1.2
  phy-type g
    channel 2
    tx-power 0
    rates 1,2,5,11
  !
!
ap location 1.2.0
  lms-ip 172.17.1.2
!
ap location 1.2.2
  telnet enable
  lms-ip 172.17.1.2
  phy-type g
    tx-power 2
    channel 2
    bg-mode mixed
    arm scanning disable
    max-clients 50
  !
!
wms
  general poll-interval 60000
  general poll-retries 2
  general ap-ageout-interval 30
  general sta-ageout-interval 30
  general ap-inactivity-timeout 5
  general sta-inactivity-timeout 60
  general grace-time 2000
  general laser-beam enable
  general laser-beam-debug disable
  general wired-laser-beam disable
  general stat-update enable
  ap-policy learn-ap disable
  ap-policy classification enable
  ap-policy protect-unsecure-ap disable


  ap-policy detect-misconfigured-ap disable
  ap-policy protect-misconfigured-ap disable
  ap-policy protect-mt-channel-split disable
  ap-policy protect-mt-ssid disable
  ap-policy detect-ap-impersonation disable
  ap-policy protect-ap-impersonation disable
  ap-policy beacon-diff-threshold 50
  ap-policy beacon-inc-wait-time 3
  ap-policy min-pot-ap-beacon-rate 25
  ap-policy min-pot-ap-monitor-time 3
  ap-policy protect-ibss disable
  ap-policy ap-load-balancing disable
  ap-policy ap-lb-max-retries 8
  ap-policy ap-lb-util-high-wm 90
  ap-policy ap-lb-util-low-wm 80
  ap-policy ap-lb-util-wait-time 30
  ap-policy ap-lb-user-high-wm 255
  ap-policy ap-lb-user-low-wm 230
  ap-config short-preamble enable
  ap-config privacy enable
  ap-config wpa disable
  station-policy protect-valid-sta disable
  station-policy handoff-assist disable
  station-policy rssi-falloff-wait-time 4
  station-policy low-rssi-threshold 20
  station-policy rssi-check-frequency 3
  station-policy detect-association-failure disable
  global-policy detect-bad-wep disable
  global-policy detect-interference disable
  global-policy interference-inc-threshold 100
  global-policy interference-inc-timeout 30
  global-policy interference-wait-time 30
  event-threshold fer-high-wm 0
  event-threshold fer-low-wm 0
  event-threshold frr-high-wm 16
  event-threshold frr-low-wm 8
  event-threshold flsr-high-wm 16
  event-threshold flsr-low-wm 8
  event-threshold fnur-high-wm 0
  event-threshold fnur-low-wm 0
  event-threshold frer-high-wm 16
  event-threshold frer-low-wm 8
  event-threshold ffr-high-wm 16
  event-threshold ffr-low-wm 8
  event-threshold bwr-high-wm 0
  event-threshold bwr-low-wm 0
  valid-11b-channel 1 mode enable
  valid-11b-channel 6 mode enable
  valid-11b-channel 11 mode enable
  valid-11a-channel 36 mode enable
  valid-11a-channel 40 mode enable
  valid-11a-channel 44 mode enable
  valid-11a-channel 48 mode enable
  valid-11a-channel 52 mode enable
  valid-11a-channel 56 mode enable
  valid-11a-channel 60 mode enable
  valid-11a-channel 64 mode enable
  valid-11a-channel 149 mode enable


  valid-11a-channel 153 mode enable
  valid-11a-channel 157 mode enable
  valid-11a-channel 161 mode enable
  ids-policy signature-check disable
  ids-policy rate-check disable
  ids-policy dsta-check disable
  ids-policy sequence-check disable
  ids-policy mac-oui-check disable
  ids-policy eap-check disable
  ids-policy ap-flood-check disable
  ids-policy adhoc-check disable
  ids-policy wbridge-check disable
  ids-policy sequence-diff 100
  ids-policy sequence-time-tolerance 500
  ids-policy sequence-quiet-time 900
  ids-policy eap-rate-threshold 10
  ids-policy eap-rate-time-interval 60
  ids-policy eap-rate-quiet-time 900
  ids-policy ap-flood-threshold 50
  ids-policy ap-flood-inc-time 3
  ids-policy ap-flood-quiet-time 900
  ids-policy signature-quiet-time 900
  ids-policy dsta-quiet-time 900
  ids-policy adhoc-quiet-time 900
  ids-policy wbridge-quiet-time 900
  ids-policy mac-oui-quiet-time 900
  ids-policy rate-frame-type-param assoc channel-threshold 30
  ids-policy rate-frame-type-param assoc channel-inc-time 3
  ids-policy rate-frame-type-param assoc channel-quiet-time 900
  ids-policy rate-frame-type-param assoc node-threshold 30
  ids-policy rate-frame-type-param assoc node-time-interval 60
  ids-policy rate-frame-type-param assoc node-quiet-time 900
  ids-policy rate-frame-type-param disassoc channel-threshold 30
  ids-policy rate-frame-type-param disassoc channel-inc-time 3
  ids-policy rate-frame-type-param disassoc channel-quiet-time 900
  ids-policy rate-frame-type-param disassoc node-threshold 30
  ids-policy rate-frame-type-param disassoc node-time-interval 60
  ids-policy rate-frame-type-param disassoc node-quiet-time 900
  ids-policy rate-frame-type-param deauth channel-threshold 30
  ids-policy rate-frame-type-param deauth channel-inc-time 3
  ids-policy rate-frame-type-param deauth channel-quiet-time 900
  ids-policy rate-frame-type-param deauth node-threshold 20
  ids-policy rate-frame-type-param deauth node-time-interval 60
  ids-policy rate-frame-type-param deauth node-quiet-time 900
  ids-policy rate-frame-type-param probe-request channel-threshold 200
  ids-policy rate-frame-type-param probe-request channel-inc-time 3
  ids-policy rate-frame-type-param probe-request channel-quiet-time 900
  ids-policy rate-frame-type-param probe-request node-threshold 200
  ids-policy rate-frame-type-param probe-request node-time-interval 15
  ids-policy rate-frame-type-param probe-request node-quiet-time 900
  ids-policy rate-frame-type-param probe-response channel-threshold 200
  ids-policy rate-frame-type-param probe-response channel-inc-time 3
  ids-policy rate-frame-type-param probe-response channel-quiet-time 900
  ids-policy rate-frame-type-param probe-response node-threshold 150
  ids-policy rate-frame-type-param probe-response node-time-interval 15
  ids-policy rate-frame-type-param probe-response node-quiet-time 900
  ids-policy rate-frame-type-param auth channel-threshold 30
  ids-policy rate-frame-type-param auth channel-inc-time 3


  ids-policy rate-frame-type-param auth channel-quiet-time 900
  ids-policy rate-frame-type-param auth node-threshold 30
  ids-policy rate-frame-type-param auth node-time-interval 60
  ids-policy rate-frame-type-param auth node-quiet-time 900
  ids-signature "ASLEAP"
    mode enable
    frame-type beacon
    ssid asleap
  !
  ids-signature "Null-Probe-Response"
    mode enable
    frame-type probe-response
    ssid-length 0
  !
  ids-signature "AirJack"
    mode enable
    frame-type beacon
    ssid AirJack
  !
  ids-signature "NetStumbler Generic"
    mode enable
    payload 0x00601d 3
    payload 0x0001 6
  !
  ids-signature "NetStumbler Version 3.3.0x"
    mode enable
    payload 0x00601d 3
    payload 0x000102 12
  !
  ids-signature "Deauth-Broadcast"
    mode enable
    frame-type deauth
    dst-mac ff:ff:ff:ff:ff:ff
  !
!
site-survey calibration-max-packets 256
site-survey calibration-transmit-rate 500
site-survey rra-max-compute-time 600000
site-survey max-ha-neighbors 3
site-survey neighbor-tx-power-bump 2
site-survey ha-compute-time 60000
arm min-scan-time 8
arm ideal-coverage-index 5
arm acceptable-coverage-index 2
arm wait-time 15
arm free-channel-index 25
arm backoff-time 240
arm error-rate-threshold 0
arm error-rate-wait-time 30
arm noise-threshold 0
arm noise-wait-time 120
crypto isakmp groupname changeme
vpdn group l2tp
  ppp authentication PAP
!
masterip 127.0.0.1
location "Building1.floor1"


mobility
  parameters 60 buffer 32
  manager enable
  proxy-dhcp enable
  station-masquerade enable
  on-association enable
  trusted-roam disable
  ignore-l2-broadcast disable
  new-user-roaming max-dhcp-requests 4
  secure 1000 shared-secret 602be956fea86d0e1ae4ecc00f19ff7a
!
mobility-local
  local-ha disable
!
mobagent
  home-agent parameters 1000 bindings 300
  secure-mobile spi 1000 10ec13e087251d6378963fdbba214815
  foreign-agent parameters 1100 bindings 300 pending 0 pending-time 300
!
vpdn group pptp
  no ppp authentication PAP
  ppp authentication MSCHAPv2
!
stm dos-prevention disable
stm strict-compliance disable
stm fast-roaming disable
stm sta-dos-prevention disable
stm sta-dos-block-time 3600
stm auth-failure-block-time 0
stm coverage-hole-detection disable
stm good-rssi-threshold 20
stm poor-rssi-threshold 10
stm hole-detection-interval 180
stm good-sta-ageout 30
stm idle-sta-ageout 90
stm ap-inactivity-timeout 15
mux-address 0.0.0.0
adp discovery enable
adp igmp-join enable
adp igmp-vlan 0
mgmt-role root
  description "This is Default Super User Role"
  permit super-user
!
mgmt-user admin root 25ec9eabea3613e948f5c9f1e37f1ee6
no database synchronize
database synchronize rf-plan-data
ip igmp
!


ip router pim
!
ads netad mode disable
packet-capture-defaults tcp disable udp disable sysmsg disable other disable
end
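Before deploying a configuration like the one printed above, a reviewer would want to confirm a handful of management-plane and WIDS settings that the dump makes visible: telnet enable on ap location 1.2.2, the IKE group name changeme, PAP authentication for the l2tp VPDN group, and the ids-policy ...-check disable lines that leave the controller's wireless intrusion detection off. The Python below is an added example, not part of the SpectraLink guide or of Aruba's software; it walks an indented ArubaOS-style configuration and reports those settings with their enclosing block. SAMPLE_CONFIG is constructed from commands shown in this guide plus one made-up ap location 9.9.9 radio running opmode opensystem to exercise the encryption check; the severities and the placeholder-name list are this example's own choices.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Constructed excerpt: commands taken from the dump in this guide, plus a
# made-up "ap location 9.9.9" radio running opensystem (not in the guide).
SAMPLE_CONFIG = """\
ap location 1.2.2
  telnet enable
  lms-ip 172.17.1.2
  phy-type g
    opmode wpa2-aes-psk
  !
!
ap location 9.9.9
  phy-type g
    opmode opensystem
  !
!
wms
  ids-policy signature-check disable
  ids-policy rate-check disable
  ids-policy adhoc-check disable
  ids-signature "Deauth-Broadcast"
    mode enable
    frame-type deauth
  !
!
crypto isakmp groupname changeme
vpdn group l2tp
  ppp authentication PAP
!
vpdn group pptp
  no ppp authentication PAP
  ppp authentication MSCHAPv2
!
end
"""

# IKE group identities that look like placeholders (assumed list, not Aruba's).
PLACEHOLDER_GROUPNAMES = {"changeme", "default", "test"}
WIDS_CHECK_OFF = re.compile(r"^ids-policy (\S+-check) disable$")


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium", this example's own scale
    context: str    # enclosing block(s), e.g. "ap location 1.2.2 > phy-type g"
    command: str
    reason: str


def iter_commands(text: str) -> Iterator[Tuple[Tuple[str, ...], str]]:
    """Walk an indented ArubaOS-style config. Yields (path, command) where
    path is the tuple of enclosing block headers. '!' and 'end' are skipped;
    nesting is taken from indentation, as in the dump printed in this guide."""
    stack: List[Tuple[int, str]] = []
    for raw in text.splitlines():
        cmd = raw.strip()
        if not cmd or cmd in ("!", "end"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while stack and indent <= stack[-1][0]:
            stack.pop()
        yield tuple(header for _, header in stack), cmd
        stack.append((indent, cmd))


def audit(text: str) -> List[Finding]:
    """Return the settings a reviewer should question, with their context."""
    findings: List[Finding] = []
    for path, cmd in iter_commands(text):
        ctx = " > ".join(path) or "global"
        words = cmd.split()
        if cmd == "telnet enable":
            findings.append(Finding("high", ctx, cmd,
                "telnet to the AP carries credentials in cleartext; disable it"))
        elif cmd.startswith("crypto isakmp groupname ") and words[-1].lower() in PLACEHOLDER_GROUPNAMES:
            findings.append(Finding("high", ctx, cmd,
                "IKE group name looks like a placeholder; set a site-specific value"))
        elif cmd == "ppp authentication PAP":   # "no ppp authentication PAP" does not match
            findings.append(Finding("high", ctx, cmd,
                "PAP sends the VPN user password in cleartext inside PPP; use MSCHAPv2 or stronger"))
        elif WIDS_CHECK_OFF.match(cmd):
            findings.append(Finding("medium", ctx, cmd,
                "WIDS detection check disabled; confirm this is intended"))
        elif words[0] == "opmode" and len(words) > 1 and not words[1].startswith("wpa"):
            findings.append(Finding("high", ctx, cmd,
                "radio is not running WPA/WPA2; voice traffic would be unencrypted"))
    return findings


def by_severity(findings: List[Finding]) -> dict:
    counts: dict = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit(SAMPLE_CONFIG)
    for f in results:
        print(f"[{f.severity:6}] {f.context}: {f.command}  -- {f.reason}")
    print(by_severity(results))
```

Run against the excerpt, audit() returns seven findings: four high (telnet on ap location 1.2.2, the opensystem radio, the changeme group name, PAP under vpdn group l2tp) and three medium (the disabled WIDS checks). The pptp group is not reported because its PAP line is negated and MSCHAPv2 is set. To use it on a real controller, paste the output of show running-config in place of SAMPLE_CONFIG; the parser relies only on the indentation and the '!' separators that the controller prints.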