Aruba Mobility Controller Configuration and Deployment Guide
SpectraLink's Voice Interoperability for Enterprise Wireless (VIEW) Certification Program is designed to ensure interoperability and high performance between NetLink Wireless Telephones and WLAN infrastructure products. The products listed below have been thoroughly tested in SpectraLink’s lab and have passed VIEW Certification. This document details how to configure the Aruba Mobility Controller for use with NetLink Wireless Telephones.
RF technology: Spread spectrum direct sequence (DS)
Radio: 2.4 – 2.484 GHz
Antenna diversity: Bi-directional
Security : WPA-PSK and WPA2-PSK
Software version tested: 2.4.1.0 Release 10695
NetLink Wireless Telephone software version tested: Version 2.0 (89.119)
Maximum telephone calls per AP: 12
Recommended network topology: Switched Ethernet (required)
† Denotes products directly used in Certification Testing
Service Information
The AP must support SpectraLink Voice Priority (SVP). Contact your AP vendor if you need to upgrade the AP software.
If you encounter difficulties or have questions regarding the configuration process, please contact Aruba Networks Support at 1-800-943-4526, or visit http://www.arubanetworks.com/support.
PN:72-9965-00-C.doc Page 2
Network Topology
The following topology was tested during VIEW Certification. It is important to note that these do not necessarily represent all "Certified" configurations.
Both layer 2 and layer 3 roaming were tested in single-switch and multi-switch deployment scenarios within the scope of VIEW testing.
Known Limitations
No limitations were discovered during VIEW Certification testing.
Access Point Features Enabled
The purpose of VIEW testing is to verify that the handset and the access point (AP) interoperate at the packet level; therefore, no add-on vendor features were tested.
The exception to this is the Voice Aware ARM Scanning (RF Scanning) feature, which was enabled for a targeted set of tests during VIEW Certification. This is the only feature that was verified.
Access Point Setup and Configuration
Before starting, please ensure that the Policy Enforcement Firewall module license is enabled on the Aruba controller. Please contact Aruba Networks for licenses and installation information.
Command, Comment, and Screen Text Key
In the sections below you will find commands, comments, prompts, system responses, or other screen-displayed information involved in the configuration process. This key explains the text styles and symbols used to denote them.
Text Style Denotes:
xxxxxxxx Typed command
<xxxxxxxx> Encryption key, domain name or other information specific to your system that needs to be entered
(xxxxxxxx) Comment about a command or set of commands
xxxxxxxx Prompt, system response or other displayed information
Installing a New Image
The latest firmware release can be obtained through Aruba Networks. Upgrading the switch to the new image can be done using the web interface or the command line interface (CLI). Place the image on the TFTP server or the FTP server depending on the file transfer mechanism chosen.
Loading the image via the CLI using TFTP:
After logging onto the switch, issue the following commands:
(Aruba) > enable
Password: <enable password>
(Aruba) # copy TFTP: <ip of server> <file name> system: partition <0 or 1>
(Aruba) # write memory (to save the current switch configuration)
(Aruba) # reload (to reboot the switch)
Do you really want to reset the system(y/n): y
See below for instructions on how to connect the switch to a PC.
Uploading an image using the web interface:
1. Navigate to the Switch > Maintenance > Image Management page.
2. Enter the TFTP Server IP Address and the Image File Name.
3. Set the Partition to upgrade as required to 0 or 1.
4. Set the Reboot Switch After Upgrade and the Save Current Configuration Before Reset to Yes.
5. Click Upgrade. Do not navigate to other pages while the image is being upgraded.
Once the image upgrades, the configuration will be saved and the switch will be rebooted as part of the process.
Configuring the Access Points
SpectraLink recommends that voice users be placed on a separate VLAN (e.g., VLAN 10) from data users (e.g., VLAN 25) for best results, although testing was done in a mixed environment. These VLANs reside on the Aruba mobility controller switch and not on the access points. The edge network thus does not have to be modified to accommodate the voice network. Each VLAN requires a unique IP address. The switch IP address needs to be set via the loopback interface setting. The loopback address must be a routable address so that the APs can reach this address.
Interface Setting
Identify the mobility controller port that serves as the uplink port for the data VLAN. The port used in this example is Fast Ethernet 1/0 and is a trunk port carrying both the voice and data VLANs.
Default Route
Configure the default route to the next-hop gateway connected to the controller.
Physical Interface
Identify the interfaces connected to the routers, servers and gateways and set these interfaces as trusted.
Connecting the APs
The APs need an IP address to communicate with the mobility controller. They can connect to the controller over an L2 or L3 network. Ensure that DHCP is enabled on the subnets the APs are connected to, and that the APs can ping the Aruba mobility controller’s “switch IP address” from their current subnet.
AP Network Parameters
The APs need to be provisioned. The Aruba APs can be provisioned manually or be configured for automatic provisioning. When using manual provisioning, the web-based AP provisioning is easier to use. Refer to the Aruba AP Provisioning User Guide for instructions on provisioning the AP.
Note: SpectraLink recommends that you use the CLI for all other configurations.
Mobility Controller Switch Configuration
Connecting to the Aruba Mobility Controller via the Console
1. Using a standard RS-232 cable, connect the Mobility Controller Switch to the serial port of a terminal or PC.
2. Run a terminal emulation program (such as HyperTerminal) or use a VT-100 terminal with the following configuration:
Bits per second: 9600
Data bits: 8
Parity: None
Stop bits: 1
Flow control: None
3. Press Enter to display the Mobility Controller Switch login screen.
4. Enter the default login: admin and default password: admin. These are case sensitive.
5. Enter enable and default password: admin to get into the command mode.
Initial Switch Configuration
1. On power up, the user is presented with the startup wizard:
Enter System name [Aruba800]: Aruba
Enter VLAN 1 interface IP address [172.16.0.254]: 172.16.0.254
Enter VLAN 1 interface subnet mask [255.255.255.0]: 255.255.255.0
Enter IP Default gateway [none]: none
Enter Switch Role, (master|local) [master]: master
Enter Country code (ISO-3166), <ctrl-I> for supported list: US
You have chosen Country code US for United States (yes|no)?: yes
Enter Password for admin login (up to 32 chars): admin
Re-type Password for admin login: admin
Enter Password for enable mode (up to 15 chars): enable
Re-type Password for enable mode: enable
Do you wish to shutdown all the ports (yes|no)? [no]: no
Current choices are: System name: Aruba
VLAN 1 interface IP address: 172.16.0.254
VLAN 1 interface subnet mask: 255.255.255.0
IP Default gateway: none
Switch Role: master
Country code: US
Ports shutdown: no
If you accept the changes the switch will restart!
2. Type <ctrl-P> to go back and change answer for any question.
3. Do you wish to accept the changes (yes|no): yes
. . . . .
<<<<< Welcome to Aruba Wireless Networks - Aruba 800 >>>>>
Performing CompactFlash fast test... passed.
Reboot Cause: User reboot. Crash information available.
Restoring the database...done.
Reading configuration from default.cfg
(Aruba) User:
4. Log in to the switch using username aruba and the password configured using the startup menu.
5. Configure the VLAN interface, IP address and default gateway to access the switch over the network.
User: admin
Password: *****
(Aruba) >en
Password:******
(Aruba) #configure terminal
Enter Configuration commands, one per line. End with CNTL/Z
6. Ping the default gateway from the switch’s console. Ping the switch’s IP address from the management station.
7. Once the connectivity to the switch is verified, open a web browser and enter the switch’s IP address in the navigator bar.
The switch can be accessed using http, http://<switch IP Address>; or https, https://<switch IP Address>:4343.
8. Enter the username and password. On successful login the following Network Summary page is displayed:
Radio Settings
• Radio Setting .11b or .11g - Most VoWLAN phones employ the 802.11b radio; therefore, VIEW Certification testing was done with the radio set to the 802.11b only mode and not the b/g mixed mode.
• SpectraLink recommends the 802.11b/g radio setting be set to 802.11b. When using a single radio AP, the radio will have to be set to operate as an 802.11b radio for both the voice and data network. When using the dual radio APs, the data devices can use the 802.11a network and share the 802.11b network with the voice devices.
Setting the Encryption to WPA2-PSK
APs can be configured using the CLI or the web interface. Each AP is identified by a unique location code. The APs can either be configured per location with unique settings using the AP’s unique location code or globally using the wildcard location. 0 is used as the wildcard. Example: ap location 0.0.0 will configure all Aruba APs on the WLAN system.
1. The following sequence of commands is used to configure AP settings using the CLI:
configure terminal
ap location x.y.z
phy-type g
2. Type ? for list of available commands. Type exit to move up a level.
3. The following commands are used to set up WPA2-PSK encryption:
opmode wpa2-aes-psk
wpa-passphrase <passphrase>
4. (Conditional) If a hex-key has already been configured, delete the hex-key using the command:
no wpa-hexkey <hexkey>
5. To save changes, enter: write mem
Recommended AP Configuration Settings

Command                           Required setting             Default setting     Description
max-clients <x>                   24                           0                   Max clients that can associate with the AP
beacon-interval <x>               Set to default               100 milliseconds    The interval at which beacons are sent out
dtim-period <x>                   3                            1                   Delivery traffic indication message interval in terms of beacon interval
hide-essid <enable / disable>     Enable                       Disable             To disable the essid from being broadcast
max-retries                       2                            4                   Maximum number of times the AP tries to send a packet to the client before discarding the packet
bg-mode                           b-only                       Mixed               The radio mode of the b/g radio
tx-power <0-4>                    0                            -                   As per the environment. This need not be set if ARM is enabled
channel <x>                       1                            -                   This is the channel assigned to the radio. Need not be set if ARM is enabled
rates                             1,2,5,11                     1,2                 The basic rates that need to be enabled
tx-rates                          1,2,5,11                     5,11                The supported tx-rates
essid                             <voice ssid as configured>   Aruba               This is the essid that the voice devices would associate with
short-preamble                    Disable                      Enable              Set the short-preamble to disable to enable long-preamble only support
To configure the above AP settings using the web interface:
1. Open the link to the switch using the web browser. Navigate to the Configuration > WLAN > Network.
2. To add a new SSID click Add or click Edit to edit an existing ESSID.
3. Apply the changes. Navigate to the Configuration > WLAN > Radio page. Select the 802.11 b/g tab.
4. Click Apply to apply the changes made.
ARM Aware Scanning
If ARM Aware Scanning (RF scanning) is included in your firmware release, it can be enabled through the command line interface (CLI) as follows:
configure terminal
ap location x.y.z
phy-type g
arm scanning enable
arm assignment single-band
arm voip-aware-scan enable
write mem
This feature was enabled during VIEW Certification for a targeted test only.
Security Policies and Quality of Service (QoS)
Once the basic infrastructure is configured, it is necessary to configure the security policies to ensure that the data network and the voice network are secured and access to these networks is limited as required. The steps are as follows:
1. Setup aliases for the SVP Server.
2. Set policies for the NetLink Wireless Telephone User to the required voice server, DHCP and TFTP servers. Add other ACLs as required to permit other traffic from the NetLink Wireless Telephones.
3. Assign policies to the role.
Create Alias for the SVP Server
Navigate to the Configuration > Advanced page (under the Security sub-heading). Select Destination. To add a new destination, click Add. Create a new net-destination, for example, svp_server, and add the SVP Servers as hosts.
For more details on configuring the net-destinations refer to the Aruba User Guide.
Create Policies for the NetLink Wireless Telephone User
The policies shown in the above example can be configured using the web interface as follows:
Assign Policies to the Role
Create a role, for example phones, and assign the policies to this role. This is the role that will be assigned to the handsets when they are authenticated successfully.
The Security Policies and QoS can also be configured through the command line interface (CLI). The CLI commands corresponding to this section are as follows:
configure terminal
netdestination tftp-server
host 10.168.0.20
!
netdestination svp_server
host 10.168.0.11
host 10.168.0.12
!
netdestination dhcp-server
host 10.168.0.21
!
ip access-list session phone_acl
user user any deny
user alias svp_server svc-svp permit queue high
alias svp_server user svc-svp permit queue high
user alias tftp-server svc-tftp permit
user alias dhcp-server svc-dhcp permit
user host 224.0.1.116 any permit
!
user-role phones
session-acl phone_acl
!
Authentication
In addition to the encryption, it is recommended that you use MAC authentication to authenticate the NetLink Wireless Telephones. On the Aruba System, the roles for NetLink Wireless Telephones are derived using MAC-authentication. The NetLink Wireless Telephones can be authenticated individually using MAC-authentication or as a group using the vendor OUI and derivation rules. For instructions on enabling MAC-authentication refer to Aruba’s User Guide.
For the OUI-based derivation rule, configure the following from the CLI:
aaa derivation-rules user
set role condition macaddr starts-with "00:90:7a" set-value phone
Quality of Service (QoS)
Quality of service is achieved by prioritizing the voice traffic over data traffic. To prioritize the voice traffic over data traffic in the AP traffic queues, the “queue high” tag is used at the end of each ACL to prioritize the traffic matching the ACL over all other traffic. In the example shown above:
user alias svp_server svc-svp permit queue high
alias svp_server user svc-svp permit queue high
The traffic that matches the above two rules is prioritized over all other traffic. In addition, a DiffServ tag or a Dot1p tag can be configured at the end of each ACL to indicate the relative priority of the matching traffic to the rest of the network.
Example:
user alias svp_server svc-svp permit dot1p-priority 4 tos 4 queue high
alias svp_server user svc-svp permit dot1p-priority 4 tos 4 queue high
By default, the packets are not tagged.
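To see how the session ACL rules above and the QoS tags combine for a given flow, the following added example (not Aruba's or SpectraLink's code) parses the guide's netdestination and phone_acl lines and evaluates sample flows top-down. It assumes first-match semantics with an implicit deny when nothing matches, and matches service names literally instead of resolving them to ports; the handset addresses are constructed.

```python
"""Added example (not Aruba's or SpectraLink's code): a first-match model of
the guide's phone_acl session ACL. Implicit deny on no match and literal
matching of service names are assumptions of this model."""

# Constructed from the netdestination and ACL lines in this guide, with the
# QoS section's dot1p-priority/tos tags added to the two SVP rules.
CONFIG = """
netdestination tftp-server
host 10.168.0.20
!
netdestination svp_server
host 10.168.0.11
host 10.168.0.12
!
ip access-list session phone_acl
user user any deny
user alias svp_server svc-svp permit dot1p-priority 4 tos 4 queue high
alias svp_server user svc-svp permit dot1p-priority 4 tos 4 queue high
user alias tftp-server svc-tftp permit
user host 224.0.1.116 any permit
!
"""

def _endpoint(words):
    """Pop one source/destination spec: user, any, host <ip> or alias <name>."""
    kind = words.pop(0)
    return (kind, words.pop(0)) if kind in ("host", "alias") else (kind, None)

def parse_rule(words):
    """Turn 'src dst service action [dot1p-priority n] [tos n] [queue high]' into a dict."""
    words = list(words)
    rule = {"src": _endpoint(words), "dst": _endpoint(words), "svc": words.pop(0),
            "action": words.pop(0), "queue": "low", "dot1p": None, "tos": None}
    while words:                        # optional QoS tags, any order
        key, val = words.pop(0), words.pop(0)
        rule[{"dot1p-priority": "dot1p"}.get(key, key)] = val if key == "queue" else int(val)
    return rule

def parse(text):
    """Return ({alias: set of hosts}, {acl name: ordered rule list})."""
    aliases, acls, block = {}, {}, None
    for line in text.splitlines():
        words = line.split()
        if not words or words[0] == "!":
            block = None
        elif words[0] == "netdestination":
            block = aliases.setdefault(words[1], set())
        elif words[:3] == ["ip", "access-list", "session"]:
            block = acls.setdefault(words[3], [])
        elif isinstance(block, set) and words[0] == "host":
            block.add(words[1])
        elif isinstance(block, list):
            block.append(parse_rule(words))
    return aliases, acls

def _matches(spec, ip, users, aliases):
    """'user' means any authenticated handset address in the users set."""
    kind, arg = spec
    return (kind == "any" or (kind == "user" and ip in users)
            or (kind == "host" and ip == arg) or (kind == "alias" and ip in aliases[arg]))

def decision(aliases, rules, users, src, dst, svc):
    """First matching rule wins; no match is treated as deny (assumption)."""
    for r in rules:
        if (_matches(r["src"], src, users, aliases) and _matches(r["dst"], dst, users, aliases)
                and r["svc"] in ("any", svc)):
            return r["action"], r["queue"], r["dot1p"], r["tos"]
    return "deny", None, None, None
```

Calling decision() with the phone_acl rules, a set of handset addresses and a (src, dst, service) triple returns the action, queue and tags the first matching rule would apply, which makes the effect of rule order (the user-to-user deny ahead of the SVP permits) visible before the policy is pushed to the controller.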
Subnet Roaming
The Aruba system can be set up to support inter-switch inter-subnet roaming. The topology is as shown in the figure on page 2.
When two or more switches are used in the Aruba WLAN system, one switch has to be identified as the master and the others as the local switch. During VIEW Certification testing, the Aruba 800 was configured as the master and the Aruba 6000 was configured as a local switch, therefore, this configuration is used in the following examples.
For instructions on setting up a switch as a local switch refer to Aruba’s User Guides.
Ensure that both switches have IP connectivity. A simple ping from each of the switches to the other switch can be used to verify connectivity. In a master local setup all AP, authentication, and firewall configurations will be made on the master and pushed down to the local switch.
In the configuration tested, all APs with location code 1.1.0 were configured to boot off of the master switch and all APs with location code 1.2.0 were configured to boot off of the local switch.
To use the web interface to configure the switches for subnet roaming, do the following:
1. From the master switch navigate to the Configuration > WLAN > Advanced tab.
2. Add a new location 1.1.0 and click Apply. In the next page click General and set the LMSIP to the switch IP address of the master. Apply the configurations.
3. Configure location 1.2.0 in a similar manner and set the LMSIP address to the switch IP address of the local switch.
4. Create a default route for multicast traffic re-direction on the switch that acts as the Mobility Home Agent for the Voice group (this was done on the master switch in the test example).
To use the CLI to configure the switches for subnet roaming, do the following:
1. Commands for the master switch (the Aruba 800):
configure terminal
ip default-gateway <ip_addr of router>
ap location 1.1.0 (AP connected to the Aruba 800)
lms-ip <ip_addr of 800 switch>
ap location 1.2.0 (AP connected to the Aruba 6000)
lms-ip <ip_addr of 6000 switch>
ip route 224.0.0.0 255.0.0.0 <ip_addr of netlink telephony gateway>
exit
write mem
2. Commands for the local switch (the Aruba 6000):
Note: The AP's IP address must be on the same sub-net as the switch.
configure terminal
masterip <ip address of the master>
interface loopback
ip address <ip_addr of the 6000>
vlan 1
interface vlan 1
ip address <ip_addr of the 6000> <netmask>
interface fastethernet <port>
switchport access vlan 1 (only if the port is an access port)
trusted
no shut
!
ip default-gateway <ip_addr of router>
!
exit
write mem
After the master IP and the switch IP address are configured on the local switch, the switch needs to be rebooted prior to use.
It is also necessary to set the default gateway of the NetLink SVP Server and NetLink Telephony Gateway to the IP address of the router connected to the master switch.
To verify setup for sub-net routing:
1. Commands from the Aruba 800:
show master ip (should be 800’s ip)
show stm connectivity (shows the APs connected to 800 switch)
Ping the local switch. Pings should be successful.
2. Commands from the Aruba 6000:
show master ip (should be 800’s ip)
show stm connectivity (shows the APs connected to 6000 switch)
show running-config (shows ap & aaa rules are carried from the master to the slave)
Checking the Configuration
Verify connectivity by pinging between the switches, the APs, and the NetLink SVP Server and NetLink Telephony Gateway.
The switch and AP are now ready for use with NetLink Wireless Telephones.
To show AP settings: show ap config location x.y.z
To show all APs connected to a switch: show stm connectivity
To show clients associated to all APs: show station-table
To show clients associated to a specific AP: show ap status <ip of ap>
Configuration File Example (For Reference Only)
The following configuration file was used during VIEW Certification testing, with the settings mentioned above in this document bolded:
Please note: The configuration used in VIEW Certification involved static IP addresses on the APs and handsets for most tests and these configurations reflect the same.
any any svc-papi permit
any any svc-adp permit
any any svc-tftp permit
any any svc-dhcp permit
any any svc-natt permit
!
ip access-list session validuser
any any any permit
!
ip access-list session svp
user host 10.2.0.67 svc-svp permit queue high
host 10.2.0.67 user svc-svp permit queue high
any any svc-svp permit queue high
any any svc-dhcp permit queue high
any any svc-tftp permit queue high
user host 224.0.1.116 any permit queue high
any any any deny
!
ip access-list session captiveportal
user alias mswitch svc-https permit
user any svc-http dst-nat 8080
user any svc-https dst-nat 8081
!
ip access-list session allowall
any any any permit
!
ip access-list session vpnlogon
user any svc-ike permit
user any svc-esp permit
any any svc-l2tp permit
any any svc-pptp permit
any any svc-gre permit
!
ip access-list session srcnat
user any any src-nat
!
ip access-list session cplogout
user alias mswitch svc-https permit
!
ip access-list session ap-acl
any any svc-gre permit
any any svc-syslog permit
any user svc-snmp permit
user any svc-snmp-trap permit
user any svc-ntp permit
!
vpn-dialer default-dialer
ike authentication PRE-SHARE 55460a3edd87049c0f86d3bb62f6bd9964b7afdc6a2bf497
!
user-role ap-role
session-acl control
session-acl ap-acl
!
user-role trusted-ap
session-acl allowall
!
user-role default-vpn-role
Firewall policies for the NetLink Wireless Telephones that permit SVP traffic, multicast, dhcp and tftp traffic.
session-acl allowall
!
user-role phone
session-acl svp
!
user-role guest
session-acl control
session-acl cplogout
!
user-role stateful-dot1x
!
user-role stateful
session-acl control
!
user-role logon
session-acl control
session-acl captiveportal
session-acl vpnlogon
session-acl allowall
!
aaa derivation-rules server Internal
set role condition Role value-of
!
aaa derivation-rules user
set role condition macaddr starts-with "00:90:7a" set-value phone
!
aaa vpn-authentication default-role default-vpn-role
aaa pubcookie-authentication
!
aaa dot1x mode enable
aaa dot1x enforce-machine-authentication mode disable
!
interface mgmt
shutdown
!
interface fastethernet 1/0
description "fe1/0"
trusted
port monitor fastethernet 1/3
!
interface fastethernet 1/1
description "fe1/1"
trusted
!
interface fastethernet 1/2
description "fe1/2"
trusted
!
interface fastethernet 1/3
description "fe1/3"
trusted
The roles that the handsets would assume. The policies applied to the roles apply to the devices assuming this role. In this case it is the SVP policy defined above.
The devices assume their roles using MAC authentication. Any device beginning with MAC “00:90:7a” is assigned the role phone.