WLAN 3.x Training
OAW Products
Agenda
1. Products Overview
2. Wireless Basic
3. CLI Configuration Overview
4. GUI Configuration Overview
5. Basic System Setup
6. AP Configuration
7. Managing System Images
8. Basic Configuration Sample
9. Lab: Basic System Configuration
1. Products Overview
Why Alcatel-Lucent
Market leadership in key data, voice, video and fixed mobile convergence
technologies
turnkey solutions
over 500,000 customers
data/IP
broadband
Presence invoice
over 130 countries
satellite
outsourcing
optical
submarine
Communications
Applications
Voice over IP
IP Network
Infrastructure
Distributed Layer/
Medium Scale
Access Layer/
Small Scale
Router(WAN)
OmniStack 6200
OmniPCX Office
7750/7450
OmniSwitch
7800
OmniSwitch
6600/ 6602
OmniSwitch
9800/9700
OmniSwitch
9600
OmniSwitch
6400
OAW 6000s/SUP-III
OmniAccess 780
OmniSwitch
6855
OmniSwitch
7700
WLAN
VoIP
OAW4x04
OAW 4324/08/04
OmniPCX Enterprise
OmniAccess 740
OmniSwitch
6850/ 6850Lite
OmniAccess 720s
IP Phone
OAW-AP 4x/6x/70/12x/85
OmniVista 2500
Mobile
NAC
Brick Family
Vital Suite/QIP
Safeguard
Cybergatekeeper
Firewall/ VPN
Performance Management
Quarantine Manager
NLG3500
vs.
OmniAccess WLAN solution
Access points
Site survey
Access points
Packet capture
Air monitors
WiFi IDS / IPS
WLAN switches
WLAN switches/blades
Captive portal
VPN concentrator
LAN-speed firewall
QoS devices
WiFi
Adaptive RF, Packet Capture, Location Tracking
Roaming, SSID Mgmt, RF Fingerprinting
WiFi
WiFi
WiFi IDS/IPS, Rogue AP Defense
WiFi
Network
Service Provisioning
Network Integration
QoS/Priority/Bandwidth Contracts
Routing, VLANS, NAT, DHCP, Switching
Policy Control
Management
WiFi IDS/IPS
Radius
LDAP
Active Dir.
Access Point
AP
802.11 a, b/g/n
User access and air monitoring
Linux
Alcatel
Wireless
Control
Processor
Wireless
Packet
Processor
Wireless
Security
Processor
Wireless
Switching
Processor
4 Slot
Data Remote AP
64 ~ 2048 AP
Line card 24 10/100 PoE 2 GE uplink
SUP-III 2 10GE 10 1GE
802.11 a/b/g/n
8x 10GBase-X (XFP)
Redundant PSUs
Up to 4 M3 Modules
Capacity
OAW-4504
Up to 32 Campus Connected APs
Up to 128 Remote APs
Up to 512 Users
OAW-4604
Up to 64 Campus Connected APs
Up to 256 Remote APs
Up to 1,024 Users
OAW-4704
Up to 128 Campus Connected APs
Up to 512 Remote APs
Up to 2,048 Users
Performance
1.6 Gbps, 4 Gbps and 8 Gbps crypto performance
(3DES, AESCBC256)
800 Mbps, 2 Gbps, 4 Gbps crypto performance (AESCCM)
3 Gbps, 4 Gbps, and 4 Gbps wired Non-encrypted
Throughput Performance (full-duplex)
Interfaces
4x Dual personality ports 10/100/1000Base-T (RJ-45)
or 1000Base-X (SFP)
1 x RJ-45 Serial Console Port
Programmable Architecture
Multi-core, Multi-threaded Network Processor
Dedicated Crypto cores
13 | Presentation Title | Month 2009
Dedicated
Network Processors
Dedicated Hardware
Crypto Cores
Multiple
Dedicated
Control
Processors
1RU 19
Enclosure
Serial Console
Port
Status LEDs
Regional HQ
Large Branch
Medium-802.11n
Large 802.11n
2048
OAW-6000-2048
(with Supervisor III)
512
OAW-6000-512
(Dual Supervisor II)
256
128
OAW-4704
64
OAW-4604
OAW-4324
48
32
16
OAW-4504
OAW-4308
OAW-4304
1 Gbps /
200 Mbps
6 Gbps /
1.6 Gbps
8 Gbps /
4 Gbps
8 Gbps /
8 Gbps
8 Gbps /
7.2 Gbps
80 Gbps /
32 Gbps
OAW-AP61
OAW-AP65
OAW-AP85
OAW-AP120 abg
OAW-AP121 abg
OAW-AP125
Enterprise WLAN
The Business Benefits
Mobility
Location tracking
enterprise-wide WLAN
users
guest access
equipment assets
security
Enterprise WLAN
Requirements / Challenges
Deployment
no disruption of existing network
RF engineering
new infrastructure
network redesign and upgrades
Management
design and configuration
monitoring
troubleshooting
growth
Security
authentication and encryption
identity-based security and guest access
rogues, ad-hoc networks, hacks and attacks
firewalling
Availability
coverage
reliability
mobility
performance
Convergence
QoS
security
load balancing
voice-aware
Split-second
VRRP
Failover
Data Center
Built-in
Site-to-site IPSec VPN
Internet
Branch Office
Branch Office
Remote AP
with IPSec
VPN
Regional Office
Auto-awareness of
Redundant
topology
(No priming
needed)
HotStandby
Home Office
Public Hotspot
OAW
Client
Direct Interface to Microsoft Active Directory
Wireless Controller
Centralized
Encryption
Keys
Rights,
QoS, VLAN
Built-in Rogue
Detection &
Containment
Wired L2 / L3
Transport
Access Point
Quarantine Manager
SSID: GUEST
SSID: CORP
SSID:
VOICE
Rogue
AP
Scan & Quarantine
Un-trusted Users
Employees
Voice
Guest
802.1p or DSCP prioritized voice packets
Protocol-aware
voice flow
classification and
security
Call admission
control distributes
call volume
between access
points
Converged
voice and data
packet stream
with WMM tags
RF management
stops channel
scanning when voice
clients are present
Wired
Data Packets
Wireless
Single
ESSID
for
Voice &
Data
OMNI VISTA3600
MOBILITY
MANAGER
OmniVista
Air Manager
Centralized visibility of the mobile edge
Key benefits
Firewall permit/deny/drop/log
(ICSA certified to version 4.1
corporate standard)
Role-based services for user /
group class of service
differentiation, bandwidth
contracts
QoS - priority traffic queues, BW
contracts, traffic marking
802.1p/DSCP
Time-of-day
Device type
Authentication method
Key benefits
Detection of:
Network probing and DoS attacks, impersonation and man-in-the-middle attacks
Unauthorized devices (ad-hoc networks, Windows bridging, wireless bridges)
Prevention of:
Clients roaming to unauthorized APs
Attempted intrusion
off-hook
active- phones
on-hook
phone
Key benefits
Improved end user experience
QoS mechanisms such as CAC ensure optimum audio quality even as network load increases
Mechanisms such as voice-aware QoS and stateful load balancing minimize call drops
Improved troubleshooting and security
Voice clients are identified by phone numbers; key call quality metrics are available to the network administrator
WMM and T-Spec security is enforced by the stateful firewall
Mesh Link
Mesh Path
OmniAccess
Mesh Point
OmniAccess
Mesh Portal
Mesh AP module
Wire-line network
Securely extend wireless network beyond the reach of wire-line
infrastructure
Mesh Points and Mesh Portals allow seamless, campus-like WLAN
connectivity
Mesh Points support Ethernet bridging over the mesh network
Key benefits
Allows for coverage of areas such as university campuses, docks, ship yards,
warehouses where wires cannot be used
Consistent services and management model with regular APs
Survivability: the mesh survives the loss of mesh points or a mesh portal through dynamic L2 routing protocols
X-Sec Tunnel
X-Sec Tunnel
Layer 2 Connectivity
Key benefits
Client/server xSec: termination of AES layer 2 xSec secure VPN sessions
Point/point xSec: termination of AES layer 2 xSec secure VPN switch port
session
Enhanced security
unique support of 802.1x authentication
not recognition but authentication
Hardware
2 servers to support the OV3600 applications (OV3600-HWPRO, OV3600-HWENT)
Software
Centralized network management (Network Discovery, Firmware distribution, Real-time
and historical trend reports)
Granular administrative access (Role-based, Network segment based)
Rogue Access Point Detection and Classification
Display of location information for all wireless users and devices
Up-to-date heatmaps and channel maps for RF diagnostics
mobility
location tracking
Easy to deploy
Easy to secure
Easy to manage
Easy to scale
Easy to add voice
security
availability
convergence services
2. Wireless Basic
(Radio Frequency) Network
ISM / UNII Band
Spread Spectrum
LAN
ISM and UNII Spectra (802.11 a/b/g)

| Protocol | Band | Data rate | Modulation | Throughput | Range | (unlabelled) | WEP key length | Cipher | 802.1X |
|---|---|---|---|---|---|---|---|---|---|
| 802.11 | 2.4 GHz | 1, 2 Mbps | FHSS / DSSS | 1.2 Mbps | 100 M | Yes | 40 bit | RC4 | No |
| 802.11a | 5 GHz | 54 Mbps | OFDM | 25 Mbps | 70 M | Yes | 40 bit / 104 bit | RC4 | 802.1X |
| 802.11b | 2.4 GHz | 11 Mbps | DSSS | 5 Mbps | 100 M | Yes | 40 bit / 104 bit | RC4 | 802.1X |
| 802.11g | 2.4 GHz | 54 Mbps | OFDM | 20 Mbps | 100 M | Yes | 40 bit / 104 bit | RC4 | 802.1X |
(802.11n)
SISO -> MIMO
SISO (Single Input Single Output), MIMO (Multiple Input Multiple Output)
MAC: 100 Mbps (600 Mbps)
ACK
802.11n (Focusing)
(3)
2010
(802.11n)
802.11n
Protocol
5 GHz
2.4 GHz
600Mbps
300 Mbps
300 Mbps
150 Mbps
210 M
300 M
Yes
Yes
802.1X
802.1X
PEAP
EAP-TTLS
EAP-MD5
Authentication
Shared Key
Static WEP
Default
WPA
Dynamic WEP
TKIP
AES
MAC Filtering
etc
Not Secure
MAC Authentication
Open
Encryption
EAP-TLS
SSID Disabled
Authentication server
Most secure
EAP - MD5
EAP - TLS
EAP - TTLS
PEAP
LEAP
Cisco Only
N/A
N/A
N/A
N/A
( Credential)
Active Directory
Active Directory
Active Directory
NT Domains
NT Domains
Token, SQL, LDAP | Token, SQL, LDAP
Active Directory
NT Domains
AP
STA
IEEE802.11&11i
Radius
802.11 Beacon
802.11 Associate-Request
802.11 Associate-Response
IEEE802.1X
EAPOL-Start
EAP-Request/Identity
EAP-Response/Identity
RADIUS-Access-Request
EAP-Request
EAP-Response(Credentials)
RADIUS-Access-Request
EAP-Success
EAPOL-Key(P, ANonce)
IEEE802.11i
EAPOL-Key(P, Snonce, MIC, RSN IE)
IEEE802.11aa
RADIUS-Access-Challenge
Access Allowed
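As an added example (not from the training deck), the 802.11i part of the sequence above worked in Python: both sides derive the PTK from the PMK, ANonce and SNonce with the 802.11i PRF, the supplicant MICs EAPOL-Key message 2 with the KCK, and the authenticator checks the MIC and the echoed RSN IE before access is allowed. The PMK, the two MAC addresses and the trimmed EAPOL-Key layout are constructed assumptions; a real frame carries more fields.

```python
import hashlib
import hmac
import os

# Constructed sample values (not from the training deck): the PMK an EAP
# exchange would have delivered over RADIUS, and the two MAC addresses.
PMK = hashlib.sha256(b"constructed-sample-pmk").digest()   # 32 bytes
AA = bytes.fromhex("000b86aabbcc")    # authenticator (AP) MAC, constructed
SPA = bytes.fromhex("001c2d112233")   # supplicant (STA) MAC, constructed
# RSN IE the AP advertises in its Beacon: CCMP group/pairwise cipher, 802.1X AKM
AP_RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac010000")


def prf(key, label, data, nbytes):
    """IEEE 802.11i PRF: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PTK for CCMP (48 bytes): returns (KCK, KEK, TK), 16 bytes each."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return ptk[:16], ptk[16:32], ptk[32:48]


def eapol_key_mic(kck, frame):
    """Key descriptor version 2 (AES): HMAC-SHA1 over the frame, truncated to 16 bytes."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]


def build_msg2(snonce, rsn_ie, mic=bytes(16)):
    """Trimmed EAPOL-Key message 2 (assumption): descriptor type, key info
    (version 2, Pairwise, MIC bits), SNonce, MIC, key data = RSN IE."""
    return b"\x02" + b"\x01\x0a" + snonce + mic + rsn_ie


def supplicant_msg2(pmk, anonce):
    """STA side: pick SNonce, derive the PTK, MIC message 2 with the KCK."""
    snonce = os.urandom(32)
    kck, _kek, _tk = derive_ptk(pmk, AA, SPA, anonce, snonce)
    mic = eapol_key_mic(kck, build_msg2(snonce, AP_RSN_IE))
    return build_msg2(snonce, AP_RSN_IE, mic)


def authenticator_verify(pmk, anonce, msg2):
    """AP side: recompute the KCK, check the MIC, and check that the echoed
    RSN IE matches what the AP advertised (catches a tampered or downgraded IE)."""
    snonce, mic, rsn_ie = msg2[3:35], msg2[35:51], msg2[51:]
    kck, _kek, _tk = derive_ptk(pmk, AA, SPA, anonce, snonce)
    expected = eapol_key_mic(kck, build_msg2(snonce, rsn_ie))
    return hmac.compare_digest(mic, expected) and rsn_ie == AP_RSN_IE


def four_way_handshake(pmk_sta=PMK, pmk_ap=PMK, tamper=False):
    """Messages 1 and 2 of the handshake; True if the AP accepts message 2."""
    anonce = os.urandom(32)                     # message 1: AP -> STA carries ANonce
    msg2 = supplicant_msg2(pmk_sta, anonce)     # message 2: STA -> AP (SNonce, MIC, RSN IE)
    if tamper:
        # An in-path modification of the RSN IE: the MIC no longer verifies.
        msg2 = msg2[:-1] + bytes([msg2[-1] ^ 0x01])
    return authenticator_verify(pmk_ap, anonce, msg2)


if __name__ == "__main__":
    print("genuine message 2 accepted:", four_way_handshake())
    print("tampered message 2 accepted:", four_way_handshake(tamper=True))
```

The MIC is what makes message 2 useful to the controller: without it, an AP could not tell a station that holds the PMK from one that merely overheard ANonce, and a modified RSN IE would go unnoticed. Sides that disagree on the PMK (for example after a RADIUS Access-Reject) fail at the same check.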
All Rights Reserved Alcatel-Lucent 2009
Application Security
Network-Layer Security
Link-Layer Security
Centralized Wireless
ACCESS
DISTRIBUTION
CORE
DATA
CENTER
FLOOR x
EMPLOYEE
GUEST
GRE Tunnel
WLAN Controller
AP Communications
1. The AP is connected to a switch port, obtains an IP address and locates the controller (the AP gets its IP address from a DHCP server via DHCP).
2. The AP loads its boot image from the controller (TFTP) and communicates with the controller over the control protocol PAPI (UDP 8211).
3. The AP and the WLAN controller build a GRE tunnel between the AP and the controller.
4. Client traffic is carried through the GRE tunnel to the controller.
Corp Backbone
5
3
2
1
RADIUS
GRE packet layout (bit positions 0, 8, 16 and 31 mark the field boundaries in the original figure):
IP packet / Delivery Header: Ver, HL, TOS, Total Length, Identification, TTL, Protocol, Header Checksum, Src Address, Dest Address
GRE Header: C, Reserved, Protocol Type, Checksum (opt.), Reserved1 (opt.)
Payload: Payload packet (original)
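As an added example (not from the training deck), a Python parser for the delivery header plus GRE header layout above, the shape an AP-to-controller tunnel packet has on the wire: it verifies the IPv4 header checksum, requires IP protocol 47, uses the C bit to decide whether the optional Checksum and Reserved1 fields are present, and verifies the GRE checksum before handing back the payload. The addresses and payload are constructed, and the protocol type 0x6558 (transparent Ethernet bridging) is an assumption about what the tunnel carries.

```python
import struct

IP_PROTO_GRE = 47
GRE_PROTO_ETH = 0x6558       # transparent Ethernet bridging (assumption for the tunnel payload)
GRE_FLAG_C = 0x8000          # C bit: Checksum and Reserved1 fields are present
IP_HDR_FMT = "!BBHHHBBH4s4s"  # Ver/HL, TOS, Total Length, Identification, Flags/Frag, TTL, Protocol, Checksum, Src, Dst


def ones_complement_checksum(data):
    """RFC 791 checksum, used by both the IP header and the optional GRE checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_gre_packet(src, dst, payload, ttl=64):
    """Constructed sample: IPv4 delivery header + GRE header (C=1) + payload."""
    gre_hdr = struct.pack("!HHHH", GRE_FLAG_C, GRE_PROTO_ETH, 0, 0)
    gre_csum = ones_complement_checksum(gre_hdr + payload)
    gre_hdr = struct.pack("!HHHH", GRE_FLAG_C, GRE_PROTO_ETH, gre_csum, 0)
    total_len = 20 + len(gre_hdr) + len(payload)
    fields = [0x45, 0, total_len, 0x1234, 0, ttl, IP_PROTO_GRE, 0, src, dst]
    fields[7] = ones_complement_checksum(struct.pack(IP_HDR_FMT, *fields))
    return struct.pack(IP_HDR_FMT, *fields) + gre_hdr + payload


def parse_gre_packet(pkt):
    """Parse delivery header and GRE header; raise ValueError on anything malformed."""
    if len(pkt) < 20:
        raise ValueError("truncated IP header")
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, src, dst = struct.unpack(IP_HDR_FMT, pkt[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IP version or header length")
    if ones_complement_checksum(pkt[:ihl]) != 0:
        raise ValueError("IP header checksum mismatch")
    if proto != IP_PROTO_GRE:
        raise ValueError("not GRE: IP protocol %d" % proto)
    if total_len != len(pkt):
        raise ValueError("IP total length does not match packet size")
    gre = pkt[ihl:]
    if len(gre) < 4:
        raise ValueError("truncated GRE header")
    flags, ptype = struct.unpack("!HH", gre[:4])
    if flags & 0x7:
        raise ValueError("unsupported GRE version %d" % (flags & 0x7))
    has_csum = bool(flags & GRE_FLAG_C)
    hdr_len = 8 if has_csum else 4           # Checksum + Reserved1 only when C is set
    if len(gre) < hdr_len:
        raise ValueError("truncated GRE options")
    if has_csum and ones_complement_checksum(gre) != 0:
        raise ValueError("GRE checksum mismatch")
    return {
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "ttl": ttl,
        "gre_checksum_present": has_csum,
        "protocol_type": ptype,
        "payload": gre[hdr_len:],
    }


def is_valid_gre_packet(pkt):
    """Boolean wrapper for quick filtering of captured tunnel traffic."""
    try:
        parse_gre_packet(pkt)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed addresses: controller 10.10.10.2 to an AP at 10.10.10.3
    sample = build_gre_packet(bytes([10, 10, 10, 2]), bytes([10, 10, 10, 3]), b"\x01\x02\x03\x04\x05")
    print(parse_gre_packet(sample))
```

Because the GRE checksum is optional, a parser must read the C bit before it decides where the payload starts; treating the header as a fixed 4 or 8 bytes misplaces the payload for half of all senders.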
Radio Distance
134 ft = 40 m
90 ft = 27 m
44 ft = 14 m
CLI Access
Default Serial Console or SSH
Serial
Cisco-compatible RJ-45 serial cable
9600, N, 8, 1, No flow control
SSH
Version 2
Password based
Telnet
(Alcatel 4324) (config) #telnet cli
User mode
Displaying or changing any information that might be a security risk, such as ACLs, policies, SNMP, IP addressing, etc.
Entry into Configuration mode
Must enter Enable mode first
enable Enable mode
running config
Config Startup (NVRAM)
(Alcatel 4324) (config) # copy running-config startup-config
Context-sensitive help
?
(Alcatel 4324) #cl?
clear
Clear configuration
clock
Configure the system clock
(Alcatel 4324) #clock ?
set
Set the time and date
exclude
include
Switch configuration
flash:
ftp:
Log
running-config
startup-config
system:
tftp:
Exception
port-channel - Etherchannel - port-channel <#>
GUI Access
Initial configuration Web browser GUI
http://switchip
https://switchip:4343
Plan Screen
Access Control
Vlan Configuration
VLAN GUI
Configuration/Network/VLAN
VLANs can be:
Created
Deleted
Add L3 VLAN Interfaces
Assign DHCP Helper addresses
In the CLI:
Vlan Configuration
Port Configuration
Port GUI
Configuration/Switch/Port
One or more ports can be selected and:
Enabled or disabled
Assigned to VLANs
Made trusted or untrusted
Enable 802.3af POE (default) or Cisco POE
Assign a Firewall Policy (not used for AP connectivity)
Made an 802.1q trunk port
In the GUI, clicking Apply updates the running config on the switch; clicking the Save Configuration button saves the running config to the startup config.
Port Configuration
Port Mirroring
Port Mirroring CLI
(Alcatel 4324) (config) #interface fastethernet 1/22
(Alcatel 4324) (config-if)#port monitor fastethernet 1/0
DHCP Configuration
Two modes:
External DHCP Server (recommended)
DHCP Relay (Helper Address)
Configured on a per-VLAN basis at: Configuration/Network/VLAN
Internal DHCP Server
Configured via: Configuration/Network/IP/DHCP Server
Configured independently of VLANs - Subnet will match VLAN to DHCP scope
Recommend naming scope after VLAN - ie vlan-4
Must assign a complete subnet, then exclude ranges of addresses
DHCP Configuration
ESSID Configuration
AP Provisioning
AOS-W <3.0
Location code (1-256).(1-256).(1-163
bldg . floor . location
Controller configuration
ap location 0.0.0
All APs
ap location 2.3.0
ap location 2.3.6
Bldg 2, floor 3, AP 6
AOS-W 3.0
ap-name 63 +
ap-group 63 +
All controller config done through ap-group and ap-name statements
AP Provisioning
AP default values
ap-name == AP wired MAC address
ap-group == default
AP ap-group
AP Provisioning
Radio Configuration
Configuration/Advanced Services/All Profile Management/RF Management
Spanning Tree
Switch port Vlan1 STP & RSTP spanning tree
Spanning tree can be modified globally through the GUI at:
Configuration/Network/Switch
Profile Configuration
2.5 3.0 OS Wireless function Profile
Profile AP Configuration
Profile Hierarchy
apgroup
apname
ap
rf
wlan
virtualap
qos
ssidprofile
ids
aaaprofile
dot1xauth
macauth
6. AP Configuration
AP Connectivity
AP switch
Direct Attach
The AP physically plugs into the Alcatel Switch.
Power and Serial over Ethernet are available with this setup.
Indirect Attach
The AP physically plugs into some other network device (switch or router)
with L2 or L3 connectivity back to the Alcatel Switch.
Power over Ethernet is available if the network device attached to the AP
supports it. Serial over Ethernet is not supported.
AP Boot Sequence
AP booting
IP Address, Netmask, Default Gateway
Location ID
IP Address of Alcatel WLAN Switch
AP 2
Static
All parameters manually configured
Dynamic
AP only configured with a location ID (optional on first boot)
AP Configuration
AP config Switch
AP Switch ,
GUI
AP Switch ,
AP OAW switch SOE (Serial over Ethernet)
SPOE adapter(AP console) serial port
Post-deployment Method
GUI Reprovision
AP Configuration Network OAW switch Unprovisioned
Alcatel AP AP Reprovision Config
Unprovisioned AP
Provisioning the AP
Pre-deployment Configuration
SOE configuration
OAW switch CLI SOE Enable
(Alcatel 4324) # configure terminal
(Alcatel 4324) (config)# telnet soe
Telnet to the switch IP on port 2300, then connect to the switch port (1/0) the AP is attached to:
connect 1/0
telnet x.x.x.x 2300
AP CLI
To reach the AP CLI, press Enter while the AP is booting to stop autoboot; the AP then stays in bootrom mode instead of booting.
Commands:
printenv
Display the environment variables
setenv variable <value>
Set an environment variable value (ex. ip, netmask etc.)
save
Save the configuration to AP flash
boot
Boot the AP
AP CLI
Dynamic AP configuration location
setenv location x.x.x
save
Static AP configuration:
setenv ipaddr x.x.x.x
setenv netmask x.x.x.x
save
reset
System Backup
To backup the system:
Config file
(Alcatel 4324) #copy running-config tftp: x.x.x.x filename
WMS database
(Alcatel 4324) #wms export-db wms.db
(Alcatel 4324) #copy flash: wms.db tftp: x.x.x.x filename
(Alcatel 4324) #local-userdb export-db user.db
(Alcatel 4324) #copy flash: user.db tftp: x.x.x.x filename
RF Plan
Plan/Building List/Export
System Restore
To restore the system:
Databases
(Alcatel 4324) #copy tftp: x.x.x.x filename flash: wms.db
(Alcatel 4324) #wms import-db wms.db
(Alcatel 4324) #copy tftp: x.x.x.x filename flash: user.db
(Alcatel 4324) #local-userdb import-db user.db
Config file
(Alcatel 4324) #copy tftp: x.x.x.x filename flash: default.bak
(Alcatel 4324) #copy flash: default.bak flash: default.cfg
RF Plan
Plan/Building List/Import
Reload
GUI Backup/Restore
Profile AP
7. Lab
Basic System Configuration
Lab Diagram - 1
SSID : Test10
AP1
Backbone
10.3
vlan 1
10.10.10.1/24
WLAN Switch
Vlan 1
10.10.10.2/24
Open
Lab Diagram - 2
SSID : Test10
SSID : Test20
vlan 10
10.10.10.1/24
AP1
Backbone
SSID 2 Test10
vlan10 Test20 vlan20
Network
AP
WLAN Switch
Vlan 10
10.10.10.2/24
vlan 20
10.10.20.2/24
AP2
V10, 20
vlan 30
10.10.30.1/24
30.3
Open
10.3
802.1q
vlan 20
10.10.20.1/24
OS6600-P24
Vlan 30
10.10.30.2/24
Lab Diagram -3
vlan 10
10.10.10.1/24
Backbone
vlan 20
10.10.20.1/24
WLAN#2
WLAN#3
10.12ssid test-3
APs
20.x
WLAN#1
PoE
Vlan 20
10.10.20.2/24
AP1
www.alcatel-lucent.com