Omnivista 2500 Nms & Omniaccess - Alcatel-Lucent Enterprise
The Alcatel-Lucent name and logo are trademarks of Nokia used under license by ALE.
OmniAccess Stellar Wireless LAN
OmniVista 2500 NMS & OmniAccess Stellar WLAN
DT00CTE270
Agenda
Topics
Administration – Class Schedule
Course Description
Course Agenda
Internet Resources
Course Description
Welcome to the OmniVista 2500 NMS & OmniAccess Stellar WLAN Training Course
• Title: OmniVista 2500 NMS & OmniAccess Stellar WLAN
• Reference: DT00CTE270
Through successful completion of this course, students will gain the required knowledge and
experience to successfully
• Install & Configure the OmniVista 2500 NMS Server
• Deploy & Configure Stellar APs in Enterprise Mode
• Configure SSID using different Authentication Methods
• Understand & Configure Additional Features (Mobility & Roaming, WIPS)
Day 1
• Introduction
• Course Agenda
• OmniVista Presentation
‐ Overview
• OmniVista Installation and System Setup
‐ Overview
‐ Labs
‐ OmniVista installation
‐ OmniSwitches discovery in OmniVista
• OmniVista 2500 & Stellar APs
‐ Solution Overview
‐ Stellar Hardware Presentation
‐ Wifi Enterprise requirements
• If you want to know more
‐ Lab
‐ OmniVista Upgrade Procedure from R3.5.7 to R4.2.1
Day 2
• OmniVista 2500 & Stellar APs
‐ AP Registration
‐ Lab: Stellar AP discovery
‐ UPAM Guest SSID
‐ User Role and Bandwidth Control
‐ Lab: Creation of a Guest SSID
• If you want to know more
‐ WLAN Service – Advanced Option
‐ Troubleshooting a Stellar AP
Day 3
• OmniAccess Stellar WLAN – Additional • OmniVista 2500 Additional Features • Conclusion
Features ‐ Operation and Maintenance ‐ Course Review
‐ Mobility and Roaming ‐ Lab: Backup, Restore & Upgrade
‐ Monitoring the network devices
• Spacewalkers
‐ Layer 3 Mobility and Roaming
‐ Heat Map & Floor Plan
‐ Lab: Heat Map & Floor Plan
‐ WIPS
‐ Wireless MESH
‐ PALM
‐ Lab
‐ Administrative Users and Groups
‐ Control Panel
‐ Preference
Internet Resources
• Alcatel-Lucent Enterprise Web Site
https://www.al-enterprise.com/en
• Partner Portal https://www.alenterprise.com/en/products/network
https://businessportal2.alcatel-lucent.com/
Spacewalkers Community
www.spacewalkers.com
Data sheets for all the products!
LAN Switches
• OmniSwitch 2200 SMB WebSmart switch: datasheet
• OmniSwitch 6350 SMB LAN switch: datasheet
• OmniSwitch 6450 L2+ LAN switch: general datasheet, 10 port datasheet
• OmniSwitch 6465 L2+ Hardened LAN Switch datasheet
• OmniSwitch 6560 L2+ Multigig LAN switch: datasheet
• OmniSwitch 6860 L3 LAN switch with multigig and DPI option datasheet
• OmniSwitch 6865 L3 Hardened Switch datasheet
• OmniSwitch 6900 L3 core switch datasheet
• OmniSwitch 9900 Chassis core switch datasheet
Management Platform
• OmniVista 2500 (on prem) datasheet
• OmniVista Cirrus (cloud) datasheet
Stellar WLAN
• OmniAccess AP1101 SMB 802.11ac AP: datasheet
• OmniAccess AP1201 entry-level 802.11ac wave 2 AP: datasheet
• OmniAccess AP1201H resident 802.11ac wave 2 AP: datasheet
• OmniAccess Stellar AP1220 high performance wave 2 AP: datasheet
• OmniAccess Stellar AP1230 ultra high performance wave 2 AP: datasheet
• OmniAccess Stellar AP1251 hardened wave 2 AP: datasheet
Bonus foldout poster
Evaluation links are available to you as of the last day of the session and can therefore be filled in
at the end of the session before leaving the classroom or virtual class.
There are two situations to consider when accessing the course evaluation, depending
on the Knowledge Hub session status: while it is still “In progress”, and once it has switched
to “Completed”.
The status usually switches on the next Monday after the session has ended.
Reach the session evaluation
• If “Evaluate” is not proposed, click on “Open Curriculum” and then on “Evaluate”
OmniAccess Stellar Wireless Lan – Training offer for newcomers
Provisioning
• Provides access to network wide activities
• Optimal network usage between
users/devices/apps securely
• Provides applications for extended NMS
capabilities (QoS, Security,...)
• Selection & Sketching of paths in SPB topology view (switches end points)
SERVICE
• Periodic monitoring of each path for any changes
INTELLIGENCE • Display of SPB topology view showing each outcome and degradation visually
Full Screen
mode button
OmniVista 2500 NMS
High Availability
Main/standby instances through VM/VA
instances
• Packaged as VA/VM
Main and standby supporting the
complete set of features for L2
• All OV services -> topology, trap
• Extending for UPAM resiliency
Operates over L2 with OV4.3R1,
expanded to L3 with OV4.3R2 (no
Wireless...)
Single server deployment to
Primary/secondary operation controlled
by optional software license
OmniVista 2500 NMS
High Availability
Before introducing HA, if OmniVista became unavailable due to either loss of connectivity or a
server failure then:
- The network administrator would no longer be able to monitor or make configuration changes
- If using UPAM, no new additional clients would be able to authenticate
HA creates a redundant OmniVista that takes over if the primary (Main) OV becomes unavailable.
Two instances of OV are constantly running:
- All functions are handled by the Main OV
- The Main OV keeps the standby OV in sync
- If the Main OV becomes unavailable then the Standby OV takes over
When control is moved from Main to Standby, all services and operations are transferred
- E.g. UPAM with BYOD and Guest Access is taken over by Standby
- All network monitoring services are taken over by Standby
Omnivista 2500 NMS
HIGH AVAILABILITY Use cases Improvements
FEATURES
• Simpler & reduced installation settings
• Settings entered only once for both instances
HA installation • Allows conversion from Standalone to HA
• Disk synchronization is done in background
LAN/WLAN Menu
Displays application drop-down menus specific to WLAN devices (e.g., SSIDs, APs)
Available by clicking on the LAN/WLAN Menu drop-down at the top of the screen
By default, all application drop-down menus (for both LAN and WLAN Devices) are displayed ("LAN+WLAN Menu")
Select "WLAN Menu" to display application drop-down menus specific to WLAN devices (e.g., SSIDs, APs).
Alarm Status Bar
A real-time display of unacknowledged alarms is displayed at the bottom of all screens in OmniVista.
The number of alarms in each category (e.g., Critical, Major, Minor, Warning) is displayed.
Click on a category to go to the Notifications application and view all alarms in the selected category.
Application Updates / Enhancements
Topology
Geo Map View
Displays devices in their physical location on a geographical map.
When a device is added to OmniVista, you have the option of specifying a Geo Map location for the device using either
street address or Latitude/Longitude.
You can also create Map Sites (e.g., Street/City, Data Center, Campus Building), place them in a specific Geo Location
and add devices to those sites.
A toggle switch in the upper-right corner of the screen enables you to switch between the Geo Map View and the
Traditional Topology View.
Custom Notes
You can now add custom sticky notes to any Topology map. The notes can be placed anywhere on a map, and can be
edited or deleted.
Click on the Map Level Actions drop-down and select Add Note. You can also go to the Topology Configuration Screen to
set a default option to display notes on maps or hide them.
NMS Components
Simple Network Management Protocol (SNMP)
Traps
RMON
Network Management
Systems
Managed Devices
Agents Agents
Alcatel-Lucent Ease of Use
Management Interface Options
Preferences
• CLI vs. GUI
• CLI Pros
- Proficiency
- Scripting
- Familiarity
• GUI Pros
- Color-coding
- Easier to spot problems
- Fewer “fat-fingered” mistakes
- Bulk operations
Groups
• Create LDAP service Groups
• Groups are used by policy conditions in
- PolicyView QoS
- SecureView ACL
• Groups enable you to create:
- MAC Groups
- L2 VLAN Groups
- Network (IP) Groups
- Multicast (IP) Groups
- Service Groups
Unified Access
OmniVista
Unified Profile, Policy, Multimedia and Premium
Service
Unified Profile/Policy
• Create/Modify QoS Server Profiles and Access Roles, Authentication, Classification and Port Groups
mDNS
• Resolve host names to IP addresses within small networks without a Name Server.
Paid Account Services
• Enables Bring Your Own Device (BYOD) access to the network
• Allows a wired or wireless guest, device or authenticated user to connect to the network through an AOS
switch
• Only supported for AOS devices running 6.4.6R01 and 8.1.1 or later
Security Group
OmniVista
Security - Centralized Features
Users and User Groups
• Controls user access to OmniVista
• Manages user access to network switches from OmniVista
• Sets the login authentication server for OmniVista (only Local and Radius servers are currently
supported)
Authentication Servers
• Configuration of authentication servers
• LDAP, RADIUS, ACE and TACACS+ servers are supported
Quarantine Manager
• Protects the network from attacks
• Works with an external IPS or an AOS switch, which sends a Syslog message or SNMP trap containing the
IP or MAC address of the offending device.
• The attacker is immediately quarantined or placed in a Candidate List that can be reviewed for further
action
Administration Group
OmniVista
Server Administration - Centralized Features
Audit
• Monitors client and server activity
- when a user logged into OmniVista
- when an item was added to the discovery database
- when a configuration file was saved
- when a particular application was launched, etc.
• Administrator can
- Configure the maximum number of entries in the log
files
- Export and/or Archive a particular log file
WLAN and UPAM Groups
Stellar OmniAccess WLAN
Connection to the Stellar Remote Lab
Objective
✓ Learn how to connect to the Stellar Remote Lab (R-Lab)
✓ Discover the equipment available in the Stellar Remote Lab (R-Lab)
Contents
1 Connecting to the Remote Desktop
1.1. Windows 10
1.1. Windows 7
1.2. MAC OS X
1.3. Linux (Ubuntu)
2 Discovering the Remote Lab Environment
2.1. Remote Lab > Windows Desktop
2.1.1. Keyboard layout
2.1. Topology of the Stellar Remote Lab Pod
2.1.1. Switch/Access Point Console
2.1.2. VMware Client
2.2. Resources
2.2.1. Firmware
2.2.2. Applications & Tools
1.1. Windows 10
Windows Desktop
Click on the Start button >
Windows Accessories >
Remote Desktop Connection
1.1. Windows 7
Windows Desktop
Click on the Start button > All
Programs > Accessories >
Remote Desktop Connection
1.2. MAC OS X
Notes
To connect to your WLAN Remote Lab from the MAC OS X operating system, we will use the Microsoft Remote
Desktop application. You can, of course, use another one if you prefer.
MAC OS X Desktop
Download the Microsoft
Remote Desktop from the
Apple Store (free)
on Start
Click on Continue to
acknowledge the certificate
validity warning
Notes
To connect to your WLAN Remote Lab from the Ubuntu operating system, we will use the freerdp application.
You can, of course, use another one if you prefer (note: the chosen application must support TS gateway).
Ubuntu Desktop
To install FreeRDP, refer to this link: http://ifconfig.dk/freerdp/.
Launch an RDP session with the following command from a terminal:
xfreerdp /cert-ignore /v:StellarPodX /d:REMOTE-LAB /u:stellaruserX /p:YYYYY /g:remotelab.education.al-enterprise.com
Notes
If it’s not the correct layout, log off and log in again:
Notes
Don’t leave the Remote Desktop Connection by using the “X” button available in the top bar, as it will leave
the Remote Desktop session active, with all its parameters (keyboard layout, screen resolution, applications
opened…):
Notes
At this stage, the Access Points are not powered on, so it is not possible to access them for now, but you will
have to do it later in this training.
Tips
If you get a message “Hunting Group Busy” when you open a TeraTerm console, it means that another
TeraTerm session has already been opened.
Tips
All the virtual machines are configured with an English US keyboard, your current keyboard layout is not taken
into account. Take care of that when you’re typing a command.
2.2. Resources
Files and applications are available in the R-Lab Windows OS.
2.2.1. Firmware
In case you need to upgrade a switch or access point, different firmware can be found in the directory
C:\Resources\
Objective
✓ Reinitialize the R-Lab equipment to its default configuration
Contents
1 Reinitializing the Switches & Access Points
2 Reinitializing the OmniVista 2500
3 Reinitializing the PC Client
Reinitialization of the Stellar Remote Lab
In the diagram below, in red, you can see all the equipment that will be reinitialized by using this shortcut:
Warning
THE SWITCHES DEFAULT CONFIGURATION IS NOT AN EMPTY CONFIGURATION!
WHEN CLICKING ON THE SHORTCUT:
- A SPECIFIC CONFIGURATION IS APPLIED TO THE SWITCHES
- ALL THE INTERFACES ARE PUT DOWN. DURING THE LABS, IT WILL BE ASKED TO ENABLE THE INTERFACES
THAT YOU WILL USE.
Reset all the R-Lab Pod’s equipment by using the Reset_PodX script
Notes
It is also possible to reset each piece of equipment (switch/access point) separately. Check the dedicated add-on parts
(Switch Reinitialization / Access Point Reinitialization) if you want to learn more.
The OmniVista 2500 is installed in a virtual machine. Therefore, to access and reinitialize it, we will have to
use the VMware vSphere Client.
We will continue to configure the OmniVista 2500 in a dedicated lab, later in this course.
Tips
All VMs are configured with an English US keyboard; your current keyboard layout is not taken into account.
Take care of that when you’re typing a command.
Like the OmniVista 2500, the Wi-Fi PC Client is a virtual machine. Therefore, to access and reinitialize it, we
will have to use the VMware vSphere Client.
OmniVista 2500 NMS Enterprise 4.4R1 (OV 2500 NMS-E 4.4R1) is installed as a Virtual Appliance,
and can be deployed to these hypervisors: VMware ESXi, VirtualBox, and MS Hyper-V:
- Service Licenses - Manage a specific number of devices for the following services:
• VMs - Virtual Machines (VMs). VMs can be deployed on VMware vCenters, Citrix XenServers, and MS Hyper-V
Servers; and OmniVista 2500 NMS supports a mixture of Hypervisor types with no limit on the number of Hypervisors.
However, the VM Manager application supports a maximum of 5,000 VMs from all Hypervisors.
• Alcatel-Lucent Enterprise Guest Devices - Guest Devices authentication through UPAM. The following licenses
are available: 20, 50, 100, 500, or 1000 Guest Devices.
• Alcatel-Lucent Enterprise On-Boarding Devices - BYOD Devices authentication through UPAM. The following
licenses are available: 20, 50, 100, 500, or 1000 Guest Devices.
• High-Availability – Licenses the High-Availability Feature.
Omnivista 2500 NMS
License Types
There are three types of Device Licenses:
• Starter Pack - Free and enables you to use OmniVista on a limited basis without expiration. You can manage up
to 30 devices (10 AOS, 10 Third Party, 10 Stellar APs).
• Evaluation - Free and gives you full use of OmniVista, but for a limited time (90 days). You can manage up to
60 devices (20 AOS, 20 Third Party, 20 Stellar APs)
• Production - Gives you full use of OmniVista without expiration. Number of devices is chosen at license
generation (Up to 1000 devices)
▪ OS 6900, 6350, 6860, 6860E, 6560, 6865, 6450: 1 License Unit per Physical Unit
▪ OS6900 or OS6860 in VC: All units need to be licensed, i.e. VC of 4 = 4 license counts
▪ Same rule applicable for AOS6.x stacks
▪ OmniAccess Wireless Legacy Access Points: Not a licensable item before or after R3.5.7
- 8. The list of backup files will display, choose a Backup File by selecting the number (e.g., 1) in the list and pressing
Enter.
- 9. Press y at the confirmation prompt, and press Enter. Then press y at the warning confirmation prompt and press
Enter.
- 10. Wait for all OV 2500 R4 Services to start up.
- 11. Log into OmniVista R4 WebUI and enter the License Keys.
- 12. You must now restart all services. Go to the Watchdog Screen (Administrator - Control Panel – Watchdog) and
click on the Restart All button to restart all services. When all services restart, you will be able to log into OV 2500
R4.
VM Appliance Installation Process
Deploying the Virtual Appliance
1. Log into vCenter and open the vSphere client.
2. Select File > Deploy OVF Template. The Deploy OVF Template Wizard appears.
3. Follow additional steps in the Virtual Appliance deployment wizard. The wizard may prompt
the following steps:
• Review VM details.
• Review and accept end user license agreement.
• Specify a name and location for the deployed template.
• Select the host or cluster where the template is to be deployed
• Storage location of VM files.
• Disk formatting (Thin or Thick Provision). (Thick provision is recommended.)
• Network mapping.
4. If the new Virtual Appliance was not powered on via the deployment wizard, power on the VM
now.
Configuring Omnivista 2500NMS VM
The Keyboard Layout prompt will appear.
Press Enter if you do not want to change the default keyboard layout, or enter y then press
Enter to change the default keyboard layout.
The Technical Support Code Password Screen appears. This is a password that will be used by
Technical Support to access the VM, if necessary
Configuring OmniVista 2500 NMS VM
Specify an administrative password for the cliadmin user, then re-enter it to confirm the new
password. Follow the guidelines on the screen when creating the password.
If you select 1 in this step, UPAM IP and Ports configuration must be completed
Configuring OmniVista 2500 NMS VM
Select the number of devices OV 2500 NMS-E 4.3R2 will manage
• Optional
- trap 1/1-24 port link enable (for AOS R6 switches)
- interfaces 1/1-24 link-trap enable (for AOS R7 switches)
- snmp trap to webview enable
Switch – SNMPv3 Set-up
aaa authentication snmp local
user test1234 password public99 read-write all read-only [md5+des, sha, md5, sha+des]
Security Level SNMP requests
Security Level
snmp security options accepted by the switch
Watchdog can
• Start/Stop Services
• View Service info
Stellar OmniAccess WLAN
Installing the OmniVista 2500 NMS
Objective
✓ Install the OmniVista 2500 NMS
Contents
1 Briefing
2 Accessing the VMware ESXi
3 Configuring the OmniVista 2500 NMS Settings
3.1. Post Installation Wizard
3.2. First Login
4 Generating & Installing an Evaluation License
4.1. Generating the Evaluation License
4.2. Installing the Evaluation License
4.2.1. Inserting the License File
4.2.2. Inserting the License Keys
5 Debriefing
1 Briefing
The OmniVista 2500 NMS is distributed as a Virtual Appliance only. There are no other standalone installers
(e.g., Windows/Linux).
The OmniVista 2500 Virtual Appliance has already been downloaded from the Business Partner Website
(BPWS, official ALE website to download software and documentations) and deployed on a VMware ESXi
server.
In this lab, you will learn how to perform the post installation of the OmniVista 2500 NMS.
CURRENT
TOPOLOGY
END OF LAB
TOPOLOGY
Follow the installation wizard to continue with the OmniVista 2500 installation.
Press Enter
Press Enter
- [y|n]: y
Press Enter
Select:
- Option 1
- IPv4: 10.130.5.7X (X=R-Lab
Number)
- Subnet mask: 255.255.255.0
– IPv6: n
Additional OV Web IP
- Option 2: Disable Additional
OV Web IP
- Confirm (y) then press Enter
Press Enter
- Option 1: English
- Confirm (y) then press Enter
Configure the Default Gateway
- Choose Option: [4]
- Default gateway:
10.130.5.253
- [y|n]: y
Press Enter
Configure the Hostname
Press Enter
- Choose Option: [6]
- dns server 1: 10.130.5.130
- dns server 2: 10.0.0.51
Press Enter
Username: admin
Password: switch
Warning
BEFORE THIS STEP, ENSURE THAT NO LICENSE GENERATED IN A PREVIOUS TRAINING IS AVAILABLE TO AVOID ANY
POSSIBLE CONFUSION.
ON THIS WINDOWS DESKTOP, DELETE ANY FILES WITH THE NAME “-EVAL-OV2500…”
Don’t do both!
Warning
COPY AND PASTE ONLY THE LICENSE KEYS AND NOT THE ENTIRE LINES! (HIGHLIGHTED THE INFO THAT YOU HAVE
TO COPY AND PASTE):
EVAL-NM-EX-20-N, KEQWEXRH-VXDJBEUM-4EX$299Z-BBXS7G#4-JC!GW81R-$C8YWB1K-DBE#$LDX-AXVRMLM#
EVAL-VMM-100-N, WWITUJ#W-EWBU@BSM-@EX$299Z-BBXS7G#4-JC!GWL1R-$CFYWB1L-X5#PC4WT-5UDJU7B#
EVAL-AP-NM-20-N, G1CUNONJ-YFZ%JX2W-JEX$299Z-BB@S7G#4-JC!GW81R-$CHYWB1L-WAPB3U7!-GDFXMHV&
EVAL-GA-20-N, VTP@GOKN-E53P8#@E-NEX$299Z-BB@S7G#4-JC!GW81R-$C#YWB1L-CJD%PRTF-9GTXNX!1
EVAL-BYOD-20-N, JSQRU%HH-GFFCJUGB-ZEX$299Z-BB@S7G#4-JC!GW81R-$CRYWB1L-EBX5WUFB-8X7HF@5G
Click on OK
5 Debriefing
During this lab, we have learned how to install the OmniVista 2500 NMS. We have also learned how to
generate an evaluation license.
Remember that you can use the last part (Generating an Evaluation License) if you want to get a license for
your own lab! This is not reserved for training purposes.
OmniAccess Stellar WLAN
AOS OmniSwitches Discovery in the OmniVista 2500 NMS
Objective
✓ Learn how to discover the OmniSwitches in the OmniVista 2500 NMS
Contents
1 Briefing
2 Creating the Backbone VLAN
2.1. Configuring the Backbone VLAN
2.2. Configuring the Backbone VLAN IP Interfaces
3 Configuring the SNMP v3
4 Discovering the OmniSwitches on the OmniVista 2500 NMS
5 Debriefing
1 Briefing
Before using all the features offered by the OmniVista 2500 NMS, the network devices must be discovered
first. In this lab, we are going to discover the 2 OmniSwitches in the OmniVista 2500 NMS. The discovery of
the 2 Access Points will be covered in another lab.
CURRENT
SITUATION
END OF LAB
SITUATION
Notes
The VLAN 1305 is already assigned to the OmniVista 2500 and the DHCP Server.
OS6560
6560 -> ip interface int_backbone address 10.130.5.22X/24 vlan 1305
OS6860
6860 -> ip interface int_backbone address 10.130.5.20X/24 vlan 1305
Check that the 2 OmniSwitches can now reach each other, and can reach the servers:
OS6560
6560 -> ping 10.130.5.20X (OmniSwitch 6860)
6560 -> ping 10.130.5.7 (DHCP Server)
6560 -> ping 10.130.5.5X (OmniVista 2500 NMS)
OS6860
6860 -> ping 10.130.5.22X (OmniSwitch 6560)
6860 -> ping 10.130.5.7 (DHCP Server)
6860 -> ping 10.130.5.5X (OmniVista 2500 NMS)
To create the SNMP v3 profile on the OmniSwitches, use the following commands:
OS6560
6560 -> aaa authentication default local
6560 -> user snmpuserv3 read-write all password snmpuserv3 sha+des
6560 -> snmp station 10.130.5.5X 162 snmpuserv3 v3 enable
OS6860
6860 -> aaa authentication default local
6860 -> user snmpuserv3 read-write all password snmpuserv3 sha+des
6860 -> snmp station 10.130.5.5X 162 snmpuserv3 v3 enable
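A check for the SNMPv3 user lines shown above, as an added example that is not part of the course material or of any ALE tool: it parses only the `user` and `snmp station` forms that appear on this page and flags weak choices (DES or no encryption, MD5 authentication, password equal to the user name, short password). The function names, the 12-character threshold and the sample text are assumptions made for the example.

```python
"""Audit AOS 'user' lines for weak SNMPv3 settings (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Keyword -> (authentication hash, privacy cipher). Only the four options
# listed on the course slide are modelled: md5+des, sha, md5, sha+des.
SNMP_MODES = {
    "md5": ("MD5", None),
    "sha": ("SHA", None),
    "md5+des": ("MD5", "DES"),
    "sha+des": ("SHA", "DES"),
}
PROMPT = re.compile(r"^\s*\S+\s*->\s*")  # leading CLI prompt, e.g. "6560 -> "
MIN_PASSWORD_LEN = 12  # assumption: local policy threshold, not an AOS limit


@dataclass
class Finding:
    line_no: int
    user: str
    mode: Optional[str]
    issues: List[str] = field(default_factory=list)
    stations: List[str] = field(default_factory=list)


def _tokens(line):
    """Split a line into words after dropping any CLI prompt."""
    return PROMPT.sub("", line).split()


def parse_user(line):
    """Return (user, password, mode) for a 'user ...' line, or None."""
    tok = _tokens(line)
    if len(tok) < 2 or tok[0] != "user":
        return None
    user, password, mode, take_next = tok[1], None, None, False
    for t in tok[2:]:
        if take_next:            # this token is the password value itself
            password, take_next = t, False
        elif t == "password":
            take_next = True
        elif t in SNMP_MODES:
            mode = t
    return user, password, mode


def parse_station(line):
    """Return (address, user) for 'snmp station <addr> <port> <user> v3 ...'."""
    tok = _tokens(line)
    if len(tok) >= 6 and tok[:2] == ["snmp", "station"] and tok[5] == "v3":
        return tok[2], tok[4]
    return None


def audit(config_text):
    """Return one Finding per user line that has at least one issue."""
    findings, stations = [], {}
    for no, line in enumerate(config_text.splitlines(), 1):
        station = parse_station(line)
        if station:
            stations.setdefault(station[1], []).append(station[0])
            continue
        parsed = parse_user(line)
        if not parsed:
            continue
        user, password, mode = parsed
        issues = []
        if mode is not None:
            auth, priv = SNMP_MODES[mode]
            if auth == "MD5":
                issues.append("md5-auth")
            if priv is None:
                issues.append("no-encryption")    # requests travel unencrypted
            elif priv == "DES":
                issues.append("des-encryption")   # 56-bit key
        if password is not None:
            if password.lower() == user.lower():
                issues.append("password-equals-username")
            if len(password) < MIN_PASSWORD_LEN:
                issues.append("short-password")
        if issues:
            findings.append(Finding(no, user, mode, issues))
    for f in findings:  # attach the stations that rely on each flagged user
        f.stations = stations.get(f.user, [])
    return findings


# Constructed sample: the lab commands from this page plus one user line built
# from the slide's "test1234 / public99" example with the md5 option.
SAMPLE = """\
6560 -> aaa authentication default local
6560 -> user snmpuserv3 read-write all password snmpuserv3 sha+des
6560 -> snmp station 10.130.5.5X 162 snmpuserv3 v3 enable
6560 -> user test1234 password public99 read-write all md5
"""

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"line {f.line_no}: {f.user} [{f.mode}] {', '.join(f.issues)}"
              f" stations={f.stations}")
```

Both lab accounts are flagged, including the `sha+des` one, because DES is the only encryption among the four options the slide lists.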
> Choose Discovery Profiles: select the SNMPv3 profile, click on + to move it to the right
> Click on Create
At the end of this part, the 2 OmniSwitches are discovered and are now manageable from the OmniVista
2500 NMS:
5 Debriefing
In this lab, we have created the “Backbone” VLAN. This VLAN will be used to interconnect the network
equipment together (OmniSwitches, OmniVista 2500, DHCP Server). Then, we have configured the SNMP
settings in the OmniSwitches. And finally, we have discovered the OmniSwitches in the OmniVista 2500 NMS.
These OmniSwitches can now be managed from the OmniVista 2500 GUI.
OmniAccess Stellar Wireless Lan
Solution Overview
Lesson summary
Solution Overview
At the end of this module, you will be able to:
• Understand and choose the Stellar mode on the APs
• Understand the planes of operation and the traffic
generated by the AP
• Understand the network topology recommended
• Identify the network limitations
Stellar WLAN - Modes
Stellar Modes
Evolutive design
grow your WiFi at your own pace
Market position
WiFi Express
• Mutually exclusive with WiFi Enterprise
• All APs models supported
• Virtual Controller Management with Web Interface
• Cluster of 255 APs (cluster limitation of 32 AP1101)
• Access Switch required (PoE model if possible)
• DHCP server required
WiFi Enterprise
• Mutually exclusive with WiFi Express
• All APs models supported
• Centralized Management with OmniVista 2500
• 4000 APs managed
• Access Switch required (PoE model if possible)
• DHCP server required
• OmniVista 2500 server and licenses required
✓ GuestOperator Restricted Role GUI
✓ HTTP and Secure Access via HTTPS
✓ English, simplified Chinese, German, French, Spanish, Korean, Turkish Language Support
✓ OXO Connect R2.1 ZTP integration using secure HTTPS
✓ Scale up to 32 APs (AP1101 ONLY Cluster)
✓ Scale up to 255 APs in mixed AP Cluster (minimum: 8 x AP122x/123x/1251)
✓ Remote Cluster Management
✓ Authentication 802.1X, WPA, WPA2, WPA3
✓ Encryption WEP, TKIP, AES
✓ Built-in User Database
✓ External Radius Server Support
✓ ACLs per SSID
✓ Disconnect/ Blacklist Clients
✓ WIPS protection
✓ Dynamic Frequency Selection
✓ Transmit Power Control
✓ Extensive Country Code list
✓ Channel & Transmission power manual assignment
✓ Wireless MESH
✓ Certificate Management
✓ Daylight-Saving time
✓ Syslog support
✓ NTP Client
✓ Built-in DHCP/DNS/NAT
✓ OmniVista 2500
▪ Cloud ready (OmniVista Cirrus)
▪ Unified wired-wireless
▪ Access Management (Guest/BYOD)
▪ Role based policy enforcement
✓ Smart Analytics
✓ Distributed intelligence control
▪ Up to 4000 APs
▪ Scale to support 100K clients per devices
Option 138
dhcpd.conf
Perform a factory reset/reboot or change the mode manually
[Diagram: Mgmt Plane, Control Plane and Data Plane; PVC]
Management Plane
Management plane – Type of Traffic
Configuration traffic (SSID creation,..)
Monitoring and troubleshooting (client monitoring,…)
AP management traffic is always untagged
Use the native vlan of the upstream switch and the subnet got from the DHCP scope
[Diagram: untagged “Management” VLAN; WiFi Express (PVC) and WiFi Enterprise (OmniVista)]
Management Plane – AP Group OmniVista
AP Group: Group 1, Group2
AP-Group
PVC
AP Group 1 AP Group 2
WiFi-Express WiFi-Enterprise
Control Plane
Control Plane – Type of Traffic
Manages network protocols, Forwarding Information Base (FIB)
Manages authentication, packet inspection, load balancing
Over the Air
Control Plane
Used for
RF Management
Roaming client context sharing
Layer 2/3
Network Infrastructure
Internal traffic, managed by the Stellar APs
Data Plane
Data Plane – Type of traffic
Forward data user traffic Guest
Manages the QoS and ACLs SSID
Employee Voice
SSID SSID
LAN
IP interfaces / Routers for
Distribution •All AP Mgt VLANs
•All SSID VLANs
Access
Stellar Access
Points
OmniSwitch LAN – Value Added
Stellar deployment with OmniSwitch recommended
OmniVista UPAM
Key Benefits
Unified Access for ALE wired and wireless networks
OV Unified Policy Access Manager (UPAM) RADIUS Guest / BYOD
Server Access Policies
UPAM acts as the main RADIUS Server for both wired and wireless users
Unified Guest and BYOD access policies for both wired and wireless users
WLAN VLANs
Same VLAN ID could be used for both wireless and wired clients
However, it is recommended to have a reserved VLAN ID for wireless clients
[Diagram label: "Employee" VLAN]
Network Resiliency
Implementation
AP plugged on 2 switches with one active uplink
Active uplink POE goes down: AP reboot
Linkagg supported
Active
OmniSwitch
Convergence time
IPv6 Client Support – Express Mode
IPv6 required for specific verticals
• Education (Research)
• Healthcare (IoT)
• Government (Security)
IPv6 supported on Client side
IPv6 Policies supported
• IPv6 QoS/ACL rules to filter client traffic
AeroScout tags
The AeroScout solution utilizes standard WiFi (802.11) technologies as a
communication infrastructure
Customers use the Stellar AP to communicate with AeroScout tags and
deliver information to the AeroScout Location Engine
DHCP Pool
subnet 192.168.10.0 netmask 255.255.255.0 {
…
# Pool for OmniAccess Stellar AP
pool {
allow members of "STELLAR";
range 192.168.10.10 192.168.10.20;
option ovwma 192.168.0.61;
}
}
Appendix
Example Configuration (OmniSwitch DHCPD)
OmniSwitch used as DHCP server
OmniAccess Stellar Wireless Lan
Stellar Hardware Presentation
Lesson summary
Stellar Hardware Presentation
At the end of this module, you will be able to:
• List the Stellar Access points per capacity
• Position the Stellar Access Point in the market
OmniAccess Stellar WLAN
Access Points Overview
OmniAccess Stellar AP Lineup
AP1101
802.11ac: Wave 1
Selection Criteria
                        OAW-AP1101  OAW-AP1201  OAW-AP1201H  OAW-AP1220 Series  OAW-AP1230 Series  OAW-AP1251 (-40C to 65C)
# of Radios             2           2           2            2                  3                  2
Client per band/radio   128         256         128          256                256                256
DPI (App Mon)           No          Yes         No           Yes                Yes                Yes
OmniAccess Stellar Wireless Lan
WiFi Enterprise – Requirements
Lesson summary
At the end of this module you will be able to:
• Identify the setup required in the WiFi Enterprise mode
• Configure the OmniVista 2500 server
• Configure the OmniSwitch
Initial Setup
Hardware requirement
Alcatel OmniSwitch
PoE
Management VLAN
"ip helper" for external DHCP server
DHCP server
Option 138 on Management VLAN
Address Plan for Service VLAN
Initial AP License count (100) + Additional AP License count (50) = Updated AP License count (150)
OmniVista 2500 Configuration
Minimal configuration
IP address and network mask
OmniVista Network size configuration
Default Gateway
Timezone, DNS server,… (optional)
[Diagram: Main OV and Stand-by OV, each with its Services and Databases, kept in sync]
High Availability (HA) creates a redundant (Stand-by) OmniVista which will take over if the primary (Main) OmniVista becomes unavailable
When control is moved from Main to Stand-by all services and operations are transferred
E.g. UPAM functions including BYOD and Guest Access are handled by Stand-by
All network monitoring services are taken over by Stand-by
[Diagram: ACCESS and CORE layers]
How?
Configure Access ports as UNP port-type bridge
Required to accept tag/untag traffic from the AP
Disable the trust-tag
Security reasons. Can’t accept any tagged traffic.
Create a UNP classification rule to classify the AP in a role
Based on the AP LLDP traffic
Map a VLAN ID to the role received by the AP
Management VLAN assigned to the AP
OmniSwitch Automatic Configuration – AP Provisioning
[Diagram: Stellar AP, OS 6860-A and OS 6860-B (ports 1/1/1 and 1/1/24), DHCP on the LAN with scopes 10.255.125.0/24 and 10.255.10.0/24]
1. AP sends LLDP
By default => AP Location = “Chassis ID”:“PortID”
OmniAccess Stellar Wireless Lan
AP Registration
Objectives
At the end of this presentation you will be able to:
• Register an AP with the manual Trust method
• Register an AP with the white list method
• Use the Discovery and Topology application
AP Discovery
In case of Network growth, new APs are seen under the Unmanaged AP tab
The Trusted APs are then displayed under the Managed AP tab.
AP Registration - Trust
OmniAccess Stellar WLAN
Stellar Access Points Discovery in the OmniVista 2500 NMS
Objective
✓ Learn how to discover the Stellar Access Points in the OmniVista 2500 NMS
Contents
1 Briefing
2 Configuring the VLANs & IP Interface
2.1. Creating the VLANs
2.1.1. Creating the MANAGEMENT VLAN (VLAN 40)
2.1.2. Verifying the VLAN Creation
2.2. Configuring an IP Interface
2.2.1. Creating the IP Interfaces on the OS6860
2.2.2. Verifying the IP interface Creation
3 Activating the IP Helper & Power over Ethernet (PoE) Features
3.1. About the IP Helper
3.2. About the Interfaces
3.3. Configuring the Features
3.3.1. On the OS6860
3.3.2. On the OS6560
1 Briefing
Both OmniSwitches are now discovered by the OmniVista 2500, and ready to be configured. During this lab,
we will first set up some basic settings (VLAN, IP Interface, PoE…) on the OmniSwitches, then we will launch
the discovery process for the Access Points to be discovered in the OmniVista 2500.
[Figure: current topology]
[Figure: end-of-lab topology]
Notes
The VLAN 1305 (BACKBONE) has already been created in a previous lab. It contains all the management
equipment (OV2500, DHCP Server…).
To create these VLANs on the OmniSwitches, we will use the OmniVista 2500 VLAN Manager feature.
1. Devices Selection
> VLAN IDs: 40
> VLAN(s) Description: MANAGEMENT
> Click on the Add/Remove Devices
> Click on Add All to select both OmniSwitches
> Click on OK
> Click on Next
2. VLAN Configuration
> Check that Admin Status = Enabled
> Click on Next
5. Review
> Review the information
> Click on Create
Tips
The VLANs can also be created on the OmniSwitches via command lines (CLI). Hence, the VLAN Manager feature
can be very interesting to use if the infrastructure is composed of a lot of OmniSwitches, and the same VLANs
must be created on some (or all) of them.
Notes
No IP interface is configured on the OmniSwitch 6560 for the VLAN 40 (it will act as a “level 2” switch and will
redirect all the level 3 traffic to the OmniSwitch 6860).
Tips
The IP interfaces can also be created on the OmniSwitches via the Command Line Interface (CLI).
Notes
The IP Helper feature is not configured on the OmniSwitch 6560. The OmniSwitch 6560 will act as a “level 2”
switch and will send the DHCP request to the OmniSwitch 6860, which will relay it to the DHCP Server.
The OmniSwitches are now completely configured. In the next part, we will discover the Stellar Access Points
in the OmniVista 2500 NMS.
Warning
DO NOT CHOOSE THE COUNTRY CODE USA, JAPAN OR ISRAEL AS THE STELLAR ACCESS POINTS USED IN THE
REMOTE LAB ARE NOT COMPATIBLE WITH THESE COUNTRY CODES.
When an AP initially registers with OmniVista, the AP is placed into a pre-configured Default AP Group.
Let’s begin by creating the AP Group:
Tips
As you can see, several settings can be managed in the AP Group properties. Take the time to learn more about
each of them by clicking on the Help button
5 Debriefing
During this lab, we have created the Management VLAN, which contains all the management data used by the
Access Points. We have also created a “trash” VLAN, which will contain all the “faulty” devices (not
authenticated, quarantined…). Then, we have enabled the PoE on the OmniSwitches to provide power to the
Access Points, and the IP Helper feature to redirect the APs DHCP requests to the DHCP Server. And finally,
we have discovered the Stellar Access Points in the OmniVista 2500 NMS. These Access Points can now be
managed from the OmniVista 2500 GUI.
Simple SSID
Wizard driven tool.
Pre-defined Usage (Guest, Employee, BYOD,…).
All the configuration is performed from the wizard.
Recommended mode
[Diagram: SSID usage types and their authentication paths. Usage labels shown: Guest Network, Enterprise Network for Employees, Protected Network for Employees (BYOD), Employee BYOD Network, Protected Network. Each usage asks "Captive Portal?" (Y/N). Authentication options shown: Open or MAC, 802.1X, Pre-Shared Key (PSK), Guest Captive Portal, 802.1X followed by Captive Portal BYOD, PSK followed by Captive Portal BYOD.]
Default VLAN/Network
VLAN assigned to the SSID
Optional - ACL/QoS rules applied to the SSID
Authentication Strategy
Select the Authentication source in « Advanced Configuration » (Local Database, External Radius, LDAP/AD)
Optional - Use the links « Manage Guest Accounts » to create new users in the local database
Optional – Select the RADIUS server used for the Guest SSIDs
SSID Wizard – Step 2 « Customize SSID »
Based on the SSID Usage, optional strategies:
[Diagram axes: Authentication Method, Level of Trust]
Cons: MAC can be spoofed, no traffic encryption
Pros: Available for basic wireless devices (printers, scanners,…)
WPA/WPA2/WPA3 Personal = Pre-Shared Key (PSK)
Pros: Easy set up, strong keys can be difficult to hack
Cons: But all keys can be hacked or stolen (key shared by all users)
WPA/WPA2/WPA3 Enterprise = 802.1X
Pros: Strongest security, ease of Management, scalability
Cons: More configuration during initial setup (server, users)
Security – WPA3
Wi-Fi Alliance new Security Standard
AP Group
RF Profile
Specific
RF Profile
Both Stellar Express and Enterprise support External Captive Portal with both External Captive Portal and MAC authentication enabled.
CONFIGURATION REQUIRED
Both External Captive Portal and MAC authentication enabled
If MAC authentication fails: Captive Portal enforcement
If MAC authentication succeeds: No Captive Portal enforcement
OmniAccess Stellar WLAN
Creation of a Secured Employee SSID
Objective
✓ Learn how to create a secured Employee SSID
Contents
1 Briefing
2 Creating the Service VLAN & IP Interface
2.1. Creating the Service VLAN
2.2. Configuring IP Interface
3 Creating the Employee SSID
3.1. Creating the EmployeeX SSID
3.2. Creating an Employee Account
3.3. Back to… Creating the EmployeeX SSID
3.4. Assigning the SSID to the AP Group
4 Testing the Employee SSID
4.1. Checking the “Client PC” Virtual Machine Status
4.2. Setting Up the VM Client to Connect to the EmployeeX SSID
4.3. Verifying the connection
5 Monitoring the Connections
5.1. UPAM Monitoring
5.2. Using the Locator
6 Debriefing
1 Briefing
Now that all the devices have been discovered in the OmniVista 2500 NMS, let’s create multiple SSIDs
(employee, guest…). In this first lab, we will focus on how to create a secured Employee SSID.
[Figure: current topology]
[Figure: end-of-lab topology]
To create the VLAN 20 on both OmniSwitches, we will use the OmniVista 2500 VLAN Manager feature:
1. Devices Selection
> VLAN IDs: 20
> VLAN(s) Description: EMPLOYEES
> Click on the Add/Remove Devices
> Click on Add All to select both OmniSwitches
> Click on OK
> Click on Next
2. VLAN Configuration
> Check that Admin Status = Enabled
> Click on Next
5. Review
> Review the information
> Click on Create
Tips
The VLANs can also be created on the OmniSwitches via command lines (CLI). Hence, the VLAN Manager feature
can be very interesting to use if the infrastructure is composed of several OmniSwitches, and the same VLANs
must be created on some/all of them.
Tips
The IP Interfaces can also be created on the OmniSwitches via command lines (CLI).
Authentication Strategy
> RADIUS Server: UPAMRadiusServer
> Click on Manage Employee Accounts
Assign the freshly created SSID EmployeeX to the AP Group APGX created in the
previous lab
Now that the SSID EmployeeX has been created, the last step consists in assigning it to one or several AP
Group(s):
Now that we have finished the configuration of the SSID, let’s test it!
Manually connect to a wireless network
Click Next
Click Next
Go to Security tab
Uncheck Remember my credential for this connection each time I’m logged on
Click on Settings
Click Close
Click on Connect
Username: EmployeeX (X = R-Lab Number)
Password: password
Click on OK
The Authentication Record Screen displays authentication information for all devices authenticated
through UPAM:
In the Authentication Record List information, find the Stellar Access Point where your
Client Virtual machine (StellarClientX) is connected.
Another interesting feature that the OmniVista 2500 NMS offers is the ability to locate the AP, Switch
and/or slot/port that is directly connected to a user-specified station: it is the Locator application.
You want to locate where the employee EmployeeX is connected (i.e. on which AP). One solution could be
to use the UPAM Authentication Record, or the WLAN Client List, but if there are several authentication
requests, finding the one that corresponds to EmployeeX could be difficult…
From the Results screen, find on which Stellar Access Point the employee EmployeeX is
connected
6 Debriefing
During this lab, you have learned how to create a secured Employee SSID, and an Employee account. You
have also used the OmniVista 2500 features to get more information about the accounts that are connected to
the Employee SSID.
-ANNEXES-
Notes: AAA server and Access role profiles can be created first prior to setup WLAN services but for
this exercise you will create specific profiles through the WLAN Service configuration screen.
Tips: UPAM supports both captive portal and RADIUS server and can be used to implement multiple
authentication methods: MAC, 802.1X and captive portal authentication. User Profiles can be
supported in the OmniVista database or on external servers.
Authentication Servers
802.1X
Primary: UPAMRadiusServer
Captive Portal
Primary: UPAMRadiusServer
MAC
Primary: UPAMRadiusServer
Accounting Servers
802.1X
Primary: UPAMRadiusServer
Captive Portal
Primary: UPAMRadiusServer
MAC
Primary: UPAMRadiusServer
Notes: In UPAM, there is a system-defined NAS Client Item (All Managed Devices). It cannot be
deleted and is used to indicate that all the devices managed by OmniVista are automatically added
into the NAS Client Database of UPAM and perform the AAA process.
The shared secret in the system-defined “All Managed Devices” NAS profile is “123456”.
- In the Security section, click on the “Default Access Role Profile” field, select “+ Add New” and create
the Access Role Profile Access-role-employeeX.
- Keep the default values for all parameters.
- Click on the Create icon.
- Back to the WLAN Service page, in the Security section, select “Access-role-employeeX” as the Default
Access Role Profile.
- Click on the Create icon.
- Do not change the Mapping method and enter the VLAN number “20” which is the EmployeeX VLAN.
- Click on Apply.
- This is how the AP will map the Employee VLAN (20) to the EmployeeX SSID.
When the SSID uses Enterprise authentication, assign a AAA Server Profile and then create an Authentication
Strategy and Access Policy.
At this step, the AAA Server Profile is already assigned to the SSID. The Authentication policy and Access Policy
must be created.
Notes: Authentication Strategy is used to set up a user profile source and login method (web page
or not) for authentication, as well as the network attributes applied after a successful
authentication.
OV2500 -> UPAM -> Authentication -> Authentication Strategy -> + (Create icon)
- Name the Strategy “User-PODX”, select the Authentication source as “local database”, “Access-role-employeeX”
as the default Access role profile and keep Web Authentication to none:
Notes: Authentication Access Policies are used to define the mapping conditions for an
authentication strategy. Through Access Policy configuration, authentication strategy can be
applied to different user groups, which can be divided by SSID or other attributes.
OV2500 -> UPAM -> Authentication -> Access Policy -> + (Create icon)
- Create the access policy “User-PODX” that will define the previous strategy to apply for employee
authentication connected to SSID “EmployeeX”. The employeeX profile will use 802.1X with the UPAM
internal RADIUS server.
- In the Mapping Condition, select the SSID attribute and EmployeeX. Click on the + button.
- Keep “User-PODX” as the Authentication Strategy and click on Create.
Stellar OmniAccess WLAN
Microsoft Active Directory Authentication
Objective
✓ Learn how to configure Microsoft Active Directory Authentication
Contents
1 Briefing
2 Declaring the Active Directory Server
3 Modifying the Authentication Strategy
4 Testing the AD Authentication
4.1. Verifying the connection
5 Monitoring the Connections
5.1. UPAM Monitoring
6 Debriefing
1 Briefing
In the previous lab, we have learned how to create an Employee SSID, with the UPAM Server (embedded in
the OmniVista 2500) in charge of authenticating the clients.
In this lab, we will learn how to declare the Active Directory in the OmniVista 2500, and we will use it during
the authentication of clients on the SSID Employee.
[Figure: current situation]
[Figure: end-of-lab situation]
Modify the Employee SSID’s authentication strategy to use the Active Directory as
Authentication Server.
Then, login with the account Employee, already created in the Active Directory database.
Click on Connect
Username: Employee
Password: Alcatel.0
Click on OK
6 Debriefing
In this lab, we have learned how to declare the Active Directory in the OmniVista 2500. Then, we have
modified the Employee SSID settings in order to use the Active Directory to authenticate the clients which
connect to this SSID.
OmniAccess Stellar Wireless Lan
Unified Policy Authentication Manager (UPAM) - Guest
Lesson summary
At the end of this module, you will be able to:
• Understand the UPAM application
• Configure a UPAM Guest access and the Guest operator
UPAM
Overview
Unified Policy Authentication Manager - UPAM
UPAM applications
Guest Access – Guest License required
BYOD Access – BYOD License required
UPAM consists of
Guest Access
BYOD Access
A built-in RADIUS Server
A built-in MAC Authentication Server
UPAM – Guest and BYOD Access
BYOD Access
Employee users access the corporate network with their personal devices
Authentication via a « BYOD » Captive Portal
Captive Portal and employee users managed in UPAM BYOD
Guest Access
Guest users are granted limited access to the corporate network
Authentication via a « Guest » Captive Portal
Captive Portal and guest users managed in UPAM Guest
UPAM - Services
Authentication Server
Internal RADIUS server used to authenticate both Guest and BYOD users
E-mail server configuration
Guest sponsor approval
External Log Server
UPAM logs can be redirected to an external syslog server
Guest Access Management
Dedicated Captive Portal and database
Guest Access License : per device license model (not per account)
BYOD Access Management
Dedicated Captive Portal and database
BYOD Access License : per device license model (not per account)
UPAM – Authentication Strategy
In Authentication Strategy, specify the authentication server that will be used
UPAM – Authentication Strategy
Advanced Options
Network Enforcement
Default Role of the user if the Authentication server doesn’t return a role
User session details (timeout, bandwidth,…)
Web Redirection
Web Authentication – which Captive Portal template is returned
Guest Access Strategy
How the guest is managed (login strategy, self-registration,…)
UPAM
Guest Access Strategy
UPAM – Guest Access Strategy
Guest Access Strategy defines:
Login Strategy
How the Guest is authenticated: credentials, access code, Terms & conditions.
Self-registration strategy
The sponsor can create its own username & password
An Employee can validate the guest account creation
UPAM Guest
SSID Creation
UPAM – Guest Access SSID
How it works
Create a Guest SSID with the usage « Guest Network »
Activate the Captive portal option
Assign a VLAN to the Guest SSID
Workflow
Guest SSID: Usage « Guest Network »
Optional: Guest account creation in the local DB
Guest Tunneling
OmniAccess Stellar Wireless Lan
User Role and Bandwidth Control
Lesson summary
At the end of this module, you will be able to:
• Understand a user role
• Configure the bandwidth contracts and understand the
precedence system
User Role
User Role - Overview
User Role = Policy List
List of Policy Rules (QoS, ACLs)
Action can be
Accept/drop
Bandwidth control
Priority, 802.1p, DSCP marking
Application Policy Rules (DPI)
In Application Visibility, application/application group Policy Rules can be set in a Policy List
Enforcement is bidirectional
Policy List: "Policy-Guest"
• Rule: "http-traffic" ➢ Action: Accept
• Rule: "Network-traffic" ➢ Action: Deny
• Rule: "Guest-speed" ➢ Action: 1Mb/s
• Rule: "Guest-priority" ➢ Action: 802.1p=3
Policy List Assignment
From RADIUS
From Access Role Profile (Default Policy List)
Built-in roles
Redirection (UPAM)
Unauthorized (Time and Location based policy)
[Diagram: Access Role Profile, RADIUS Server]
User Role - Considerations
Policy List configuration
From the application Unified Access – Unified Policy
From the SSID wizard – in Default WLAN Support “ACL/QoS”
AP support
Policy Rules / ACL
User Context
• Role / Policy List
• Access Role Profile
• SSID
[Flowchart: bandwidth control precedence for user traffic]
1. Matches a DPI application in the Policy List? Y: Application Specific BW Enforcement as per DPI Rule. N: other user traffic continues.
2. Matches an ACL in the Policy List? Y: ACL Specific BW Enforcement as per Policy List. N: other user traffic continues.
3. Access Role set with BW Control? Y: User BW Enforcement as per Access Role Profile. N: all user traffic continues.
4. SSID set with BW Control? Y: Shared BW Enforced as per WLAN Service/SSID. N: No BW Limitation.
User Role / Policy List: Per User & Application BW Control
Access Role Profile: Per User BW Control
WLAN Service / SSID: All Users shared BW
OmniAccess Stellar WLAN
Creation of a Guest SSID
Objective
✓ Learn how to create a Guest SSID
Contents
1 Briefing
2 Creating the Guest VLAN & IP Interface
2.1. Creating the Service VLAN
2.2. Configuring the IP Interface
3 Creating the Guest SSID
3.1. Creating the GuestX SSID
3.2. Creating a Guest Account
3.1. Back to… Creating the GuestX SSID
3.2. Assigning the SSID to the AP Group
4 Testing the Guest SSID
4.1. Connecting to the “Client PC” Virtual Machine
4.2. Setting Up the VM Client to Connect to the GuestX SSID
4.3. Verifying the connection
5 Monitoring the Connections
5.1. UPAM Monitoring
5.1.1. Authentication Record
5.1.2. Captive Portal Access Record
1 Briefing
In the previous Lab, we have learned how to create a secured Employee SSID, dedicated to the company’s
employees. Now, let’s see how to create a Guest SSID, dedicated to the guests.
[Figure: current topology]
[Figure: end-of-lab topology]
Creating an SSID can be decomposed in several steps (same way as in the previous lab “Creation of a Secured
Employee SSID”):
1. Create the VLAN 30. This VLAN will service the SSID “GuestX” (X = R-Lab Number). It will be tagged
from the Access Points to the OmniSwitches, and over the link between the 2 OmniSwitches.
2. Create the SSID and configure its options.
To create the VLAN 30 on both OmniSwitches, we will use the OmniVista 2500 VLAN Manager feature:
1. Devices Selection
> VLAN IDs: 30
> VLAN(s) Description: GUESTS
> Click on the Add/Remove Devices
> Click on Add All to select both OmniSwitches
> Click on OK
> Click on Next
2. VLAN Configuration
> Check that Admin Status = Enabled
> Click on Next
5. Review
> Review the information
> Click on Create
Tips
The VLANs can also be created on the OmniSwitches via command lines (CLI). Hence, the VLAN Manager feature
can be very interesting to use if the infrastructure is composed of several OmniSwitches, and the same VLANs
must be created on some/all of them.
Tips
The IP Interfaces can also be created on the OmniSwitches via command lines (CLI).
Authentication Strategy
> RADIUS Server: UPAMRadiusServer
> Click on Manage Guest Accounts
Default VLAN/Network
> VLAN ID: 30
> Click on Save and Apply to AP Group
Assign the freshly created SSID GuestX to the AP Group APGX created in the previous lab
Now that the SSID GuestX has been created, assign it to the AP Group(s) APGX:
Now that we have finished the configuration of the SSID, let’s test it!
Click on Connect
In the Authentication Record List information, find the Stellar Access Point where your
Client Virtual machine (StellarClientX) is connected.
You will find the GuestX account that you have created previously. From there, you can easily create a new
Guest account.
> Select UPAM > AUTHENTICATION > Captive Portal Access Record
Another interesting feature that the OmniVista 2500 NMS offers is the ability to locate the AP, Switch
and/or slot/port that is directly connected to a user-specified station: it is the Locator application.
You want to locate where the guest GuestX is connected (i.e. on which AP). One solution could be to use
the UPAM Authentication Record, or the WLAN Client List, but if there are several authentication
requests, finding the one that corresponds to GuestX could be difficult…
From the Results screen, find on which Stellar Access Point the guest GuestX is
connected;
Verify this information with the diagram available in the part below (7 – End of Lab
Diagram)
6 Kicking/Banning a Device
Now that we are sure that the StellarClient virtual machine is correctly connected to the Guest SSID, let’s see
how to kick it from the network, and ban it (blacklist it).
- Try to kick the StellarClient. Check that you can reconnect to the Guest SSID
- Try to ban/blacklist the StellarClient. Check that it is not possible to reconnect to
the Guest SSID until the StellarClient is removed from the blacklist.
7 Debriefing
During this lab, we have created a VLAN dedicated for the Guests data traffic. Then, we have created the
Guest SSID and configured it to force the Guests to authenticate via a Captive Portal. Finally, we have
monitored the Guest (StellarClient virtual machine) connection, and we’ve seen that it was possible to
kick/ban a device from the OmniVista 2500.
-ANNEXES-
Create a policy which will regroup the forbidden services: telnet, SSH
Let’s begin with the creation of the Policy. In this Policy, we will deny the telnet and SSH protocols:
1. Config
> Name: DeniedServ
> Click on Next
2. Device Selection
> Click on both ADD buttons to apply the policy on all the network devices (OmniSwitches and AP
Group)
> Click on Next
3. Set Condition
> Select L4 Services
> Select Group
> Service Group: click on
Service Group
> Group Name: DeniedSrv
Services
> Click on
> Service Name: telnet
> Destination Port: select TELNET (23)
> Click on Create
> Click on Finish
Services
> Click on
> Service Name: SSH
> Protocol: UDP
> Destination Port: select
> Name: SSH
> Port Number: 22
> Click on Create
> Click on Finish
Service Group
> Select Services: Click on to add all the services
> Click on Create
3. Set Condition
> Service Group: DeniedSrv
> Click on Next
4. Set Action
> Click on QOS
> Disposition: DROP
> Click on Next
5. Validity Period
> Validity Periods: AllTheTime
> Click on Next
6. Review
> Review the information, then click on Create
> Click on OK
At the end of this step, a Policy has been created. This Policy contains the services that will be denied to
the users once they are authenticated. Creating a list of authorized services is not necessary, as one
“AcceptAllPolicy” is created by default (we will use it in the next part).
> In the drop-down list at the bottom of the area (“Device-Default”), select OV-L3-AcceptAllPolicy
> Click on Next
2. Device Selection
> Click on ADD, then add all the devices (OmniSwitches and the AP Group APGX)
> Click on Create, then OK
8.4. Pushing the Policy List & Policies in the Network Devices
Once the Policies and the Policy List have been created, they must be pushed to the network devices:
We have also pushed them on the network devices (OmniSwitches and Stellar APs contained in the AP
Group APGX).
Now that we have created Policies and inserted them in a Policy List, we must configure the OmniVista
2500 to apply this Policy List to a User when he/she has authenticated:
> Select UPAM > Guest Access > Guest Access Strategy
> Fixed Policy List: GuestsPolicy
> Click on Apply
WIRELESS CLIENT VM
> Use Teraterm or CMD
> Choose Telnet > 10.7.X.62 (X = R-Lab Number)
> Choose SSH > 10.7.X.62 (X = R-Lab Number)
Warning
BEFORE PERFORMING THE TEST, BE SURE TO DISCONNECT AND RECONNECT THE VIRTUAL MACHINE FROM THE
NETWORK TO FORCE THE RE AUTHENTICATION AS THE POLICY IS APPLIED WHEN THE AUTHENTICATION IS
SUCCESSFUL.
OmniAccess Stellar Wireless Lan
Unified Policy Authentication Manager (UPAM) - BYOD
Objectives
Unified Policy Authentication Manager
(UPAM) – BYOD
At the end of this module, you will be able to:
• Understand and configure a BYOD access for employee
personal devices.
UPAM
BYOD Access
UPAM – BYOD Access
How it works
Employee connects to the BYOD SSID and is redirected to the Captive Portal
BYOD SSID is open with network access restrictions
Workflow
BYOD SSID: Usage « Employee BYOD Network »
Optional
Employee account creation in the local DB
UPAM – BYOD Access and Employee Property
As an alternative to an Employee Account, a BYOD device (MAC address) can be created by the admin
This is referred to as Company Property
Login Strategy
What is the Redirection URL after the
successful authentication.
OmniAccess Stellar WLAN
Creation of an Employee SSID for BYOD
Objective
✓ Learn how to create an SSID dedicated for Employees with personal
devices (BYOD: Bring Your Own Device)
Contents
1 Briefing
2 Creating the BYOD SSID
2.1. Creating the BYODX SSID
2.2. Back to… Creating the BYODX SSID
2.3. Assigning the SSID to the AP Group
3 Testing the BYOD SSID
3.1. Connecting to the “Client PC” Virtual Machine
3.2. Connecting the VM Client to the BYODX SSID
3.3. Verifying the connection > After the Web Authentication
4 Monitoring the Connections
4.1. UPAM Monitoring
4.1.1. Authentication Record
4.1.2. Captive Portal Access Record
4.2. Using the Locator
5 Debriefing
1 Briefing
In the previous Labs, we have learned how to create a secured Employee SSID and a Guest SSID. Now, let’s
see how to create an Employees BYOD SSID, dedicated for the employees who want to bring and use their
personal device within the company network.
[Figures: Current Topology; End of Lab Topology]
Assign the freshly created SSID BYODX to the AP Group APGX created in the previous lab
Now that the SSID BYODX has been created, assign it to one or several AP Group(s):
Now that we have finished the configuration of the SSID, let’s test it!
Click on Connect
Username: EmployeeX (X = R-Lab Number)
Password: password
Another interesting feature that the OmniVista 2500 NMS offers is the ability to locate the AP, Switch
and/or slot/port that is directly connected to a user-specified station: it is the Locator application.
5 Debriefing
In this Lab, we have learned how to create an Employee SSID, dedicated for the employees who want to use
their personal device within the company network (BYOD, Bring Your Own Device).
OmniAccess Stellar Wireless Lan
RF Management and Optimization
Lesson Summary
RF Management and Optimization
At the end of this module, you will be able to:
• Understand and configure the RF profile
RF Management
Distributed Radio Management - DRM
Fully distributed control plane
Each AP communicates with its neighbor APs
- Over the air protocol: neighbor AP discovery
- Over the LAN protocol: RF management
RF context sharing
- Channel utilization & interference, number of clients per band, radio & AP, power…
Each AP can take RF action (try, wait, retry mechanism)
- Limited to neighbor APs
[Diagram: Stellar APs connected to Edge Switches, with an Over the Air Control Plane between the APs and an Over the LAN Control Plane through the switches; AP 1 to AP 7 in AP Group 1 and AP Group 2]
Scanning
RF Profile
Dynamic Radio Management
(DRM) channel list selection
DUAL RADIO
Diff. = 5G Client Number – 2.4G Client Number (Threshold: 10)
AP
TRI RADIO
• Pri-Diff. = 5G High Client # – 2.4G Client # (Threshold: 10)
• Sec-Diff. = 5G Low Client # – 2.4G Client # (Threshold: 10)
Overloaded: A channel is considered overloaded when its average medium utilization over the span of a minute exceeds 70%.
SMART Load Balance – Dynamic Load Balance
1. Broadcast Join Request
2. Reply to Client
3. New Client joins AP2
CLI
-> wlanconfig ath01 list
CLIENT LIST
RSSI values
RSSI   dBm      RSSI   dBm      RSSI   dBm
10     -86      21     -75      29     -67
11     -85      22     -74      30     -66
12     -84      23     -73      31     -65
13     -83      24     -72      32     -64
14     -82      25     -71      33     -63
15     -81      26     -70      34     -62
16     -80      27     -69      35     -61
17     -79      28     -68      36     -60
18     -78                      37     -59
19     -77                      38     -58
20     -76                      39     -57
                                40     -56
                                41     -55
                                42     -54
                                43     -53
Signal quality legend: Bad; Not recommended for Video or Audio applications; OK – not bad; Desired and recommended
OmniAccess Stellar WLAN
Radio Frequency Settings Configuration
Objective
✓ Learn how to configure the RF (Radio Frequency) Settings
Contents
1 Briefing
2 Creating an RF Profile
2.1. General Settings
2.2. Smart Load Balance
2.2.1. Band Steering
2.2.2. Exclude MAC OUI
2.2.3. Force 5 GHz
2.2.4. Association RSSI Threshold
2.2.5. Roaming RSSI Threshold
2.3. Per Band Info
2.3.1. Default Setting
2.3.2. Band
2.3.3. Channel Setting
2.3.4. Channel DRM
2.3.5. Channel List
2.3.6. Channel Width
2.3.7. Power Setting
2.3.8. Short Guard Interval
1 Briefing
In the OmniVista 2500, the Radio Frequency settings of Stellar Access Points are managed via
“RF Profiles”. An RF Profile contains all the radio frequency settings. Once created, it must be assigned to an
AP or AP Group.
2 Creating an RF Profile
It can also cause problems. For example, a 5 GHz-capable device is automatically redirected to the 5 GHz band
by the band steering feature, even if the 5 GHz signal is low.
Solution:
- Design your networks for simultaneous 5 GHz and 2.4 GHz coverage.
- For existing deployments where this may not be feasible, and your coverage is quite different on both bands,
avoid using band steering or use the Exclude MAC OUI feature explained below.
- Find the RSSI value of your StellarClient virtual machine (we will consider in the lab
that this RSSI value is too low to connect to the SSIDs created previously)
- Modify the Association RSSI Threshold to make StellarClient RSSI too low to connect
the SSIDs created previously
> Before doing this, be sure that the StellarClientX virtual machine is connected to one of the SSIDs
created in the previous labs!
- Now, we are going to assume that the StellarClient signal strength (ex. -18 dBm) must be considered
too weak to connect to the AP. To do so, we will set the Association RSSI Threshold to a value greater
than the client RSSI value:
Notes > RSSI vs dBm
dBm and RSSI are different units of measurement that both represent the same thing: signal strength. The
difference is that RSSI is a relative index, while dBm is an absolute number representing power levels in mW
(milliwatts).
For this exercise, we need to translate the client signal strength from dBm to RSSI. To do so, please refer to
the following table (to convert the RSSI value to dBm, you just need to subtract 96 from the RSSI value):
Notes
We will test this management in the next part, as the RF Profile must be first applied to the desired AP or AP
Group.
2.3.2. Band
Configure the working radio for the AP.
Notes
Note that it is also possible to assign an RF Profile to a specific AP (instead of an AP Group). To do so, go to the
NETWORK > AP REGISTRATION > Access Points menu.
Tips
The RF Profile can also be created directly from the AP/AP Group, in the Edit mode, by clicking on Add New:
Now that the RF Profile My_RF_Profile is applied to the APGX Group, try to connect to
one SSID from the StellarClient virtual machine.
Notes
StellarClient RSSI = 70 < Association RSSI Threshold = 90, so it is not possible for the StellarClient (and other
devices with an RSSI less than 90) to connect to any SSID broadcasted by the APGX Group.
PENDING …
4 Debriefing
During this lab, we have learned that the OmniVista 2500 provides an easy way to manage the Stellar Access
Points radio frequency settings.
We have also learned that a lot of settings are available and can be enabled or disabled depending on the
infrastructure deployed.
OmniAccess Stellar Wireless Lan
Layer 2 Mobility and Roaming
Lesson summary
Layer 2 Mobility and Roaming
At the end of this module, you will be able to:
• Understand the Layer 2 Roaming.
• Configure the Fast Roaming
Overview
Overview
WiFi Enterprise only
In WiFi Express, roaming is limited to L2 only within the same cluster
Fast Roaming
L2 Roaming L2 Roaming
L3 Roaming
Roaming relies on client context sharing between over the air adjacent APs
L2 or L3 Roaming selection based on the client VLAN between "home" and "foreign" AP
L3 Roaming based on L2 GRE tunnel between "home" and "foreign" AP
Configuration
L2 Roaming always enabled
Network OmniVista
Over-the-LAN Client
Context sharing
Edge Switch
Access Point
Over-the-air AP discovery
Client
Client Context
Client Context Content
(1) Client Context exists on the new AP?
(2) WLAN service and Access Role Profile exist in the Client Context on the new AP?
(3) Client Context VLAN ID = VLAN ID mapped to the Access Role Profile on the new AP?

(1)    (2)    (3)    Roaming Results
No     -      -      No Roaming, new client
Yes    No     -      No Roaming, new client
Yes    Yes    Yes    L2 Roaming
Yes    Yes    No     L3 Roaming
Layer 2 and Layer 3 selection based on the management VLAN between the "home" and "foreign"
AP.
FAST Roaming
FAST Roaming
Improve handoff times during roaming
Remove RADIUS authentication
Optimize authentication handshake
Require key caching
No overlap: KO. No Radio overlap, no Roaming
Overlap: OK. Radio overlap, Roaming available
Neighbor AP
In some cases, the Stellar APs are geographical neighbors but can't see each other through the air
(e.g. a corridor with right angles, …).
The client context can't be shared. No roaming.
[Diagram labels: Radio coverage hole; No client context sharing]
Solution:
On both APs, statically add the neighbor Stellar AP from the list of known APs.
The client context can be shared through the LAN and the client can roam.
Select the AP in the AP Registration > Access Point view and click on the hyperlink "Neighbor AP"
Click on the Edit button and select the neighbor AP from the list
Repeat the process for the second AP
Sticky client avoidance
The roaming decision is made by the client device.
But some devices will stick to the AP they were previously associated to.
The Roaming RSSI Threshold controls the signal strength a client needs to see before searching for
another site.
If the RSSI threshold is too low, the client remains on a low signal strength site, even with a
stronger site nearby.
If the RSSI threshold is too high, the client roams too often, which could result in packet loss.
Miscellaneous
Background scanning
When a user roams, his real time traffic can be
interrupted if the new AP on which he is
connected is using the background scanning.
No impact on the voice traffic.
The AP is voice aware and will deactivate the background
scanning when a voice call is detected.
Other real-time traffic can be impacted.
Solution:
Deactivate the Background scanning on the
Stellar APs
Install new Stellar APs in the network, acting as
dedicated scanning APs
Please note that this solution requires
additional Stellar APs in the network
OmniAccess Stellar Wireless Lan
Layer 3 Mobility and Roaming
Lesson Summary
L3 Roaming
L3 Client Roaming
OmniAccess Stellar Wireless Lan
WIPS
Lesson Summary
Wireless Intrusion Prevention System
At the end of this module, you will be able to:
• Classify an AP as Interfering, Rogue or Friendly
• Configure the WIPS
WIPS Overview
Stellar APs monitor the radio spectrum for the presence of unauthorized
AP
Users
Automatically take countermeasures
Global configuration applied to all APs managed by OV
Require AP with scanning activated
WIPS – Interfering / Rogue / Friendly AP
Interfering AP
The “scanning” Stellar AP discovers any other AP over the air
Such AP are marked as Interfering
AP managed by the same OV are excluded
Rogue AP
An interfering AP is marked as Rogue based on the
configuration of Rogue AP Policy
AP managed by the same OV are excluded
Rogue AP Containment – enabled by default
The scanning Stellar AP sends de-auth request to all clients associated to the
rogue AP
Friendly AP
Friendly AP is not reported as Interfering or Rogue
An Interfering or Rogue AP can be set as Friendly AP manually
Friendly AP OUI can be set – ALE OUI set by default
Friendly AP can be added
WIPS – Rogue AP Policy
Policy: Description
Signal Strength Threshold: The detected AP signal in dBm is too strong and above the threshold. Default: -70 dBm; Range: -95 to -50 dBm
Detect Valid SSID: The detected AP is advertising an SSID that is configured in OmniVista and set in your WLAN network (an AP not managed by OV is advertising an SSID set in OV)
Detect Rogue SSID Keyword: The detected AP is advertising an SSID name that matches a string set in this policy (SSID blacklist)
Rogue OUI: The detected AP has an OUI that matches one of the OUIs set in this policy
Limitations
The attacker source MAC can be anything (an AP mac, a BSSID mac, a wireless NIC card mac..)
Blacklisting the attacker source MAC is only relevant when the source MAC is an actual wireless client
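The Friendly / Interfering / Rogue classification described in the WIPS slides above, as an added Python example (not ALE or OmniVista code). It assumes the Rogue AP Policy rules are OR-ed, that "above the threshold" means strictly stronger, and that keyword matching is a case-insensitive substring test; all MAC addresses, OUIs and SSIDs are constructed sample values.

```python
import string
from dataclasses import dataclass
from typing import Optional


def norm_mac(mac: str) -> str:
    """Normalise a MAC/BSSID to upper-case 'AA:BB:CC:DD:EE:FF'."""
    digits = "".join(c for c in mac if c in string.hexdigits).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def oui(mac: str) -> str:
    """First three octets of the MAC, e.g. 'AA:BB:CC'."""
    return norm_mac(mac)[:8]


@dataclass(frozen=True)
class RogueApPolicy:
    signal_threshold_dbm: Optional[int] = -70   # slide default; None disables the rule (assumption)
    detect_valid_ssid: bool = True
    rogue_ssid_keywords: tuple = ()             # SSID blacklist strings
    rogue_ouis: frozenset = frozenset()         # normalised 'AA:BB:CC' values

    def __post_init__(self):
        t = self.signal_threshold_dbm
        if t is not None and not -95 <= t <= -50:
            raise ValueError("Signal Strength Threshold range is -95 to -50 dBm")


@dataclass(frozen=True)
class Inventory:
    managed_bssids: frozenset       # APs managed by the same OV (normalised MACs)
    configured_ssids: frozenset     # SSIDs configured in OV
    friendly_ouis: frozenset        # Friendly AP OUI list
    friendly_bssids: frozenset = frozenset()   # APs set as Friendly manually


def classify(bssid, ssid, signal_dbm, policy, inv):
    """Return (label, matched_rules) for one AP seen by a scanning AP."""
    mac = norm_mac(bssid)
    if mac in inv.managed_bssids:               # managed by the same OV: excluded
        return "managed", []
    if mac in inv.friendly_bssids or oui(mac) in inv.friendly_ouis:
        return "friendly", []                   # never reported as Interfering or Rogue
    reasons = []
    if policy.signal_threshold_dbm is not None and signal_dbm > policy.signal_threshold_dbm:
        reasons.append("signal-strength")
    if policy.detect_valid_ssid and ssid in inv.configured_ssids:
        reasons.append("valid-ssid")            # unmanaged AP advertising one of our SSIDs
    if any(k.lower() in ssid.lower() for k in policy.rogue_ssid_keywords):
        reasons.append("rogue-ssid-keyword")
    if oui(mac) in policy.rogue_ouis:
        reasons.append("rogue-oui")
    return ("rogue" if reasons else "interfering"), reasons


def classify_scan(scan, policy, inv):
    """Classify every (bssid, ssid, signal_dbm) record of a scan."""
    return {norm_mac(b): classify(b, s, r, policy, inv) for b, s, r in scan}


# Constructed sample data (not taken from any real network).
POLICY = RogueApPolicy(rogue_ssid_keywords=("free",),
                       rogue_ouis=frozenset({"BA:D0:01"}))
INVENTORY = Inventory(
    managed_bssids=frozenset({"DE:AD:01:00:00:10"}),
    configured_ssids=frozenset({"Corp-Employee", "Corp-Guest"}),
    friendly_ouis=frozenset({"DE:AD:01"}),      # stand-in for the vendor OUI set by default
)
SCAN = [
    ("de:ad:01:00:00:10", "Corp-Guest", -48),   # our own AP
    ("DE:AD:01:00:00:99", "Lab-Test", -60),     # friendly OUI
    ("0A:11:22:33:44:55", "Corp-Guest", -82),   # weak signal, but uses a configured SSID
    ("0A:11:22:33:44:56", "CoffeeShop", -65),   # stronger than -70 dBm
    ("0A:77:88:00:00:01", "FREE-WiFi", -90),    # SSID keyword match
    ("BA:D0:01:AA:BB:CC", "Printer", -88),      # OUI on the Rogue OUI list
    ("0A:11:22:33:44:57", "Neighbour", -70),    # exactly at the threshold: not above it
    ("0A-11-22-33-44-58", "Corp-Guest", -55),   # two rules match
]

if __name__ == "__main__":
    for mac, (label, why) in classify_scan(SCAN, POLICY, INVENTORY).items():
        print(f"{mac}  {label:<11} {', '.join(why)}")
```
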
OmniAccess Stellar Wireless Lan
Operation and Maintenance
Lesson Summary
Operation and Maintenance
At the end of this module, you will be able to:
• Monitor the clients, APs, guest and BYOD devices
• Maintain the AP and upgrade its firmware
Monitoring
Monitoring – Clients
Wireless Clients Monitoring
List of clients connected to any AP Group
Client details
Radio
Authentication status
IP configuration
Monitoring – Client Behavior Tracking
Administrator tool for effective monitoring & troubleshooting of clients
Parameters tracked
View user ONLINE/OFFLINE status
View TCP/UDP flow context
View HTTP(S) domain flow context
ONLINE/OFFLINE LOG
Monitoring - APs
APs Monitoring
AP details
Name, AP Group, MAC address
Client count
IP configuration
Radio details
Monitoring – Guest and BYOD Devices
Dedicated monitoring for either Guest or BYOD clients
Basic
Enforcement Policy
Authentication
Accounting
Monitoring – Summary
Maintenance
Maintenance – Topology Map
In Network > Topology
Edit Device
AP name
Group Name
RF Profile
Reboot
Save to Running
Backup Device
View AP Logs
Maintenance – Resource Manager
Backup / Restore
Backup
Full
Config
Image
Restore
Maintenance – Resource Manager
In Configuration > Resource Manager > Upgrade Image
Import AOS or Stellar AP Firmware (.zip)
Step 2 – Stellar AP
Start/Stop the capture
Log in on the Stellar AP
In RF Environment, select the Radio to capture
Step 3 – PC/laptop
Open the file on Wireshark
Appendix
Client Behavior Tracking
Procedure
Appendix
Monitoring – Client Behavior Tracking How To
In Unified Access > Unified Profile > Template > Access Role Profile
Enable/Disable "Client Session Logging" per Access Role Profile
Choose "HTTP/HTTPS": the AP will log client HTTP/HTTPS connections.
Choose "ALL": the AP will log all client TCP/UDP connections, including HTTP/HTTPS connections.
OR
In Network > AP Registration > AP Group
Control per AP Group: Client Behavior Tracking – Upload to
OmniAccess Stellar WLAN
Backup, Restore & Upgrade
Objective
✓ Backup & Restore and Upgrade the Network Devices
Contents
1 Briefing
2 Saving the Current Configuration
2.1. From the Menu
2.2. From the Notification Area
3 Backing Up the Devices Configuration
3.1.1. Backing Up AOS OmniSwitches
3.1.2. Backing Up Stellar APs Devices
1 Briefing
At this stage of the training, we have a fully operational infrastructure with the devices deployed, SSID
broadcasted, and QoS & ACLs setup. In this lab, we will learn how to backup and restore the devices
configuration.
[Figures: Current Situation; End of Lab Situation]
Save all the management done during this training as Running configuration
Notes
It is also possible to save the management of each device (one by one):
OMNISWITCH
> Click on the OmniSwitch
> Click on Actions > Device
> Click on Copy Working/Running to Certified
> Check that the save process has been completed successfully
> Click on Finish
> Click on the bell icon in the top right-hand corner
> Click on the floppy icon
> Click on OK to confirm
Check that the operation has been successfully completed. Then click on Finish
1. Backup Method
> Select Backup By Devices
> Click on Next
2. Device Selection
> Click on ADD > Use Switch Picker
> Click on Add All to add all the OmniSwitches
> Click on OK
> Click on Add FTP Authentication
> Username: admin
> Password: switch
> Check Apply FTP Authentication for all missed devices
> Click on Apply
> Click on Close
> Click on Next
3. Configuration
> Backup Type: Configuration Only
> Click on Next
4. Review
> Review the information, then click on Backup to launch the backup process
Check that the 2 lines “SUCCESS” appear in the Result screen. Click on OK.
Tips > Summary View
The CONFIGURATION > RESOURCE MANAGER > Backup/Restore > Summary View displays the list of the backups
that have been performed on each device, and their result.
1. Backup Method
> Select Backup By AP Groups
> Click on Next
2. AP Group Selection
> Click on ADD
> Select the APGX (X = R-Lab Number), then click on Add >
> Click on OK
3. Configuration
> Backup Type: Configuration Only
> Click on Next
4. Review
> Review the information, then click on Backup to launch the backup process
Check that the 2 lines “SUCCESS” appear in the Result screen. Click on OK.
4.1.1. Briefing
In this part, we are going to:
- Create VLANs 70 to 80 on both OmniSwitches
- Restore the backup
- Check that the VLANs 70 to 80 have been removed
1. Devices Selection
> VLAN IDs: 70-80
> VLAN(s) Description: TEMP-VLANS
> Click on the Add/Remove Devices
> Select the Add All
> Click on OK
> Click on Next
2. VLAN Configuration
> Check that Admin Status = Enabled
> Click on Next
5. Review
> Review the information
> Click on Create
Tips
You can check that the VLANs have been created by connecting on the OS6860 CLI console, or via the CLI
Scripting.
1. File Selection
> Click on OmniSwitch 6860
> Select only the 2 vcboot.cfg files
> Click on Restore
Check that the restore is successful in the Result page, then click OK
As you may have guessed, the configuration files are transferred to the WORKING and CERTIFIED folders
but are NOT applied to the RUNNING configuration (applying them directly could cause major problems in
real-world scenarios).
To force the configuration restored in the WORKING directory to be used by the OmniSwitch, launch the
following command (via the console, or the OV 2500 CLI SCRIPTING application):
Wait for the OmniSwitch to reboot (~3 min), then use the VLAN Manager application to check that the
VLANs 70-80 have been correctly removed:
5 Debriefing
During this lab, we have learned how to backup the configuration of each device (AOS or Stellar) available in
the network. We have also learned that it is possible to schedule the backup operation, and that the restore
operation can be done only on AOS Devices (not on Stellar APs).
-ANNEXES-
The list of uploaded firmware is displayed in the Upgrade Image main page:
2. Devices Selection
> In case of AP upgrade
> To install a firmware only on specific AP(s): Click on ADD > Use Switch Picker
> To install a firmware on all the APs of an AP Group: Click on ADD
> In case of OmniSwitch upgrade
> Select one or several OmniSwitch(es)
3. Software Installation
> Review the information, then click on Install Software
> Go to System
> Select Image File (or Image File URL if the Image File/Firmware is located on a web server)
> Click on Browse, then select the firmware/image file
OmniAccess Stellar WLAN
Monitoring the Network Infrastructure
Objective
✓ Monitor the Network Devices from the OmniVista 2500
Contents
1 Briefing
2 Checking the Topology & Devices Status
2.1. Saving the Configuration
2.2. Monitoring the Devices & Links Status
2.2.1. Device Information
2.2.2. Device Status
2.2.3. Notification Status
2.2.4. Links Status
4 Debriefing
1 Briefing
Let’s see how to monitor all the network devices from one platform, the OmniVista 2500. 2 applications will
be used:
- The Topology Application which provides a view of all discovered devices in the network;
- The Notification Application which displays the notification generated by the network devices.
[Figures: Current Topology; End of Lab Topology]
The network topology containing all the previously discovered devices is displayed:
Save all the management done during this training as Running configuration
Notes
It is also possible to save the management of each device (one by one):
OMNISWITCH
> Click on the OmniSwitch
> Click on Actions > Device
> Click on Copy Working/Running to Certified
> Check that the save process has been completed successfully
> Click on Finish
Notes
You may have noticed that the links between the OmniSwitches and the Stellar Access
Points don’t appear in the diagram. This “problem” is easily solved by manually polling
the links:
Display the MAC Address, version and device model of the OmniSwitch 6560.
To display detailed device information, click on the device. A Detail panel appears on the right. A list of
information is displayed. The information displayed may vary depending on the device:
- Discover why the OmniSwitches are in Warning state, and solve the problem;
- Display the OmniSwitches & Access Points notifications;
- Check that the links are up, and that the correct ports are used;
Device status is displayed by the device status circle around the device:
• Green = Up (Device is up)
• Orange = Warning (indicates that traps have been received on the device. The highest level of
trap received by the device is displayed (Green, Orange, Red) in the Notifications Status).
• Red = Down (Device is down)
Notice that your OmniSwitches are in the Orange “Warning” state, meaning that a notification has been
generated on these devices. The Notification Status part (next part) shows how to acknowledge the(se)
notification(s).
To clear/acknowledge the notification and pass the Device & Notification status to Green status:
OMNISWITCH
> Click on the OmniSwitch
> Click on Actions > Notifications > View Traps
> Select the first checkbox to select all the lines
> Click on ACK (blue button) to acknowledge the notifications or CLEAR (red button) to delete the
notifications from the database
You may have to repeat the operation to acknowledge/clear all the notifications. A maximum of 1000
notifications can be acknowledged/cleared at the same time.
To display link information, move the mouse over the link until the pointer turns into a finger. Link
information will be displayed in table form as shown below:
Tips
Several shortcuts to the other OmniVista 2500
applications are available when a device (OmniSwitch,
Access Point) is selected or by right clicking on a device.
We will discover these applications and learn
how to use them in the next labs.
The Notifications Home Screen displays all traps received from network devices and provides basic trap
information (e.g., severity level, date/time received). You can also use this screen to acknowledge,
renounce, and clear traps, as well as poll devices for traps.
In the result, the reboot operations done during this training should be displayed.
1. Agent
> Agent Type: AP Group
> AP Group Selection: APGX (X=Remote-Lab Number)
> Click on Next
2. Trap Type
> Traps which match these severities: Critical
> Click on Next
3. Response
> Action: Send an e-mail
> E-mail To: adminX@company.com (X = R-Lab Number)
> Click on Next
For example, you can use the following fields and variables:
- E-mail Subject: Warning! Critical Trap Received on $TrapAgent$ ($TrapAgentName$)!
The “test” mail sent by the OmniVista 2500 should be in the Inbox:
Check that a notification has been generated by the AP and sent to the OmniVista 2500:
Now, check that a mail has been sent to adminX@company.com (wait a few minutes if needed, as the
mail server doesn’t send mails in real time):
4 Debriefing
In this lab, we saw that the OmniVista 2500 provides powerful applications to monitor the network devices
(OmniSwitches/Access Points).
OmniAccess Stellar Wireless Lan
Heat Map & Floor Plan
Lesson Summary
Heat Map and Floor Plan
Wireless Monitoring Applications
Heat Map
Visual Heat Map of Deployed AP
Floor Plan
Visual Heat Map of Estimated APs before Deployment
Heat Map – Use Case
Insufficient Radio coverage
Identify network weaknesses and fix them (move/add APs)
Custom obstacle
Manual AP deployment
Heat Map
OmniAccess Stellar WLAN
Configuring Heat Map & Floor Plan
Objective
✓ Learn how to create and configure a Heat Map and a Floor Plan
Contents
1 Configuring a Heat Map
1.1. Creating the Building Hierarchy
1.2. Configuring the Plan Map
1.2.1. Scaling the Plan
1.2.2. Laying Down the Obstacles
1.2.3. Placing the Access Points
1.2.4. Displaying the Result
Campus
> Click on the + button
> Campus Name: My_Campus
> Double click on the My_Campus that is now displayed
Building
> Click on the + button
> Building Name: My_Building
> Double click on the My_Building that is now displayed
Floor
> Click on the + button
> Floor Name: First_Floor
> Floor Number: 1
> File Name: click on Select File > Select the Office-Plan.jpg file in the C:\Resources folder
> Click on OK
> Double click on the First_Floor that is now displayed to access the Floor map
Tips
Pre-defined obstacles can be selected by clicking on the button; each one has a different absorption
coefficient (dB).
It is also possible to create custom obstacles via the Operation > Obstacle Manage link.
Notes
Go back to Edit Floor Map and place the APs in different places to cover the cold areas.
Changing the APs on the map will simulate the new Wi-Fi coverage based on the real
band and power of emission of the APs.
> File Name: click on Select File > Select the Office-Plan.jpg file in the C:\Resources folder
> Click on Create
Tips
Pre-defined obstacles can be selected by clicking on the button; each one has a different absorption
coefficient (dB).
It is also possible to create custom obstacles via the Operation > Obstacle Manage link.
Tips
The result will vary based on the following parameters:
- Scale of the map
- Number and type of obstacles placed
- AP Model
- Quality (General, Good, Excellent)
Change some of these parameters (AP Model, Quality…) and click on Save the Layout.
Notes
In Edit Floor Plan, APs can be added manually on the map to fill the cold areas. After clicking on
“Save The Layout”, the Floor Plan application will process and display the Wi-Fi coverage based on
all the APs located on the map.
OmniAccess Stellar Wireless LAN
MESH
Lesson Summary
MESH
At the end of this module, you will be able to:
• Understand the difference between Mesh and Bridge
topology
• Configure the Mesh and Bridge topology
Wireless MESH
Reaching areas where cabling is not available
[Figure labels: 2.4 GHz, 5 GHz high, 5 GHz low, Mesh link, Root]
OmniSwitch AOS R6/R8
OmniVista 2500 NMS-E R4.4
Administrative Users and Groups
How to
✓ Create user accounts and manage the read-write capabilities for certain
users.
Contents
1 The Users and Groups Application
2 Summary
3 Lab Check
Implementation
- Provide the new group with the name Training and give it a description.
- Check on the Group Rights and choose Read to provide read-only access.
- Users could be added at this point, but we’ll create a new user.
- Click Create when done to save the new group.
- Enter the new user training_user with a password of training_user and make it part of the Training
group.
- Log out of OmniVista and log back in using the account you have just created, then try performing
various tasks. Notice that you can only view information and are not allowed to modify the
switch.
2 Summary
OmniVista provides the capability to limit the rights of users logged into the OmniVista server. This
feature can be used to provide read-only access or even to prevent certain users from seeing all of the
discovered devices.
3 Lab Check
1. What are the default accounts and what privileges does each of them have?
2. OmniVista can be configured to allow users to only make modifications on edge devices. T/F
3. What was different about the OmniVista interface when you logged in with an account having
read-only privileges?
OmniSwitch AOS R6/R8
OmniVista 2500 NMS-E
Control Panel
How to
✓ View services currently running on OmniVista
✓ View Asset Management History
✓ Shut Down server processes on OmniVista.
Contents
1 Control Panel
1.1. Watchdog Service
2 Summary
Implementation
1 Control Panel
This lab will provide the steps required to view services and shut down the OmniVista server.
- You can start/stop all services or shut down OmniVista using the buttons at the top of the screen:
(Do not modify or stop any process unless directed by your instructor!)
2 Summary
The OmniVista Control Panel can be used to start and stop services and the OmniVista server.
OmniSwitch AOS R6/R8
OmniVista 2500 NMS-E R4.4
Preference
How to
✓ Manage the default settings of OmniVista Web GUI
Contents
1 Preference
1.1. User Settings
1.2. System Settings
2 Summary
3 Lab Check
Implementation
1 Preference
This lab will provide the instructions for making OmniVista Web GUI modifications using Preferences.
- Make sure the LAN+WLAN menu is selected.
- Select Administration -> Preferences.
Continue exploring the various options that can be configured using Preferences.
2 Summary
Preferences allows an administrator to change the default behavior of the OmniVista Web GUI and
change the look and feel of OmniVista.
3 Lab Check
1. What are the two different areas that can be modified using Preferences?
OmniAccess Stellar Wireless Lan
ProActive Lifecycle Management
Lesson Summary
ProActive Lifecycle Management
At the end of this module, you will be able to:
• Understand the benefits of PALM
• Use the Inventory
• Send an email to your Sales representative for getting a
support contract renewal quotation for your End-
Customer.
Asset Tracking main Challenges
• Do you know what LAN switches/WLAN controllers, WLAN APs are running on networks?
• Do you know what LAN/WLAN equipment partners have in stock?
• Is it time for an end-customer network refresh?
• Does it take you too long to know when support expires on each equipment?
• Does the vendor still support equipment (HW/SW support)?
• Can you afford, with technical experts, to manually complete an inventory of equipment?
Key Benefits
Ease of management
Full inventory view of ALE Wi-Fi and LAN products
PALM – First steps
Cloud based application
Gather equipment and lifecycle information
from the OmniVista NMS
Fill in the:
Support model, type, duration
OmniAccess Stellar
Wireless LAN
OmniVista 2500 NMS &
OmniAccess Stellar WLAN
Conclusion
Course Objectives Review
During this course, you have learned how to:
• Install & Configure the OmniVista 2500 NMS Server
• Deploy & Configure Stellar APs in Enterprise Mode
• Configure an SSID using different Authentication Methods
• Understand & Configure Additional Features (Mobility &
Roaming, WIPS)
SPACEWALKERS
What it is for?
Knowledge through the BLOGs
Community activity Stats
Connections through the FORUM
Top active Members
The Forum sub-menu details
HELP for forum rules
Forum categories for quick access
Quick access to latest answers & associated comment to the post
Stats
Question and answer space
Sharing your passion around ALE technologies with all members to answer any question,
provide guidance, help or getting information
https://www.spacewalkers.com/
Thank you…
OmniVista™ 2500 NMS Release 4.4
Unified Access
Objectives
Lesson Summary
Unified Profile
• Unified security for Edge Ports for both wired
and wireless devices
Unified Policy
• Contains Unified Policy and Policy List
applications
• Configure QoS policies for both wired and
wireless devices
Multimedia Services
• mDNS application
Paid Account Services
• Tie-in with CP BYOD applications and locator
Unified Profile
Home
Unified Profile
Workflows
Unified Profile
Templates
• Access Auth Profile. Enables the assignment of a pre-defined UNP port configuration to an edge port.
• WLAN Service. Assigns SSID, Security, QoS and Priority to wireless devices.
• Access Role Profiles. Contains the various UNP properties (e.g., QoS Policy List attached to the UNP, Access Policies, Captive Portal Authentication).
• AAA Server Profile. Defines specific AAA parameters that can be used in an Access Auth Profile or a Captive Portal Profile.
• Access Classification. If authentication is not available or does not return a profile name, these rules are applied to determine the profile assignment.
• Customer Domain. Additional method for segregating device traffic. Once a UNP port is assigned to a specific customer domain ID, only classification rules associated with the same domain ID are applied.
• SPB Profile. Dynamically assigns devices to a specific SPB Service using a device's MAC address.
• Far End IP. Edit/Delete Far End IP Lists. Far End IP Lists allow multiple far-end nodes to be associated with the service created for the VXLAN Network ID (VNID) specified in a VXLAN Profile.
• Global Configuration. This can be assigned and automatically applied to all UNP ports which have not been assigned an Access Authentication Profile.
AAA Server Profile
Access Role Profile
Assigning an Access Role Profile
After the profile is created, click on the Apply to Devices button to associate the VLAN and
assign the profile to a switch/wireless device on the network
Access Auth Profile
Enables a user to assign a pre-defined UNP port configuration to a UNP Edge Port or Linkagg
Configures 802.1x and MAC authentication for both wired and wireless devices, Access
Classification and the default AAA Server and/or UNP Profile to be used once a user is
authenticated.
Access Auth Profile
Default Settings
Port Bounce. Required to handle scenarios where a client is switched from one VLAN to another
after CoA. If it is enabled, the port will be administratively brought down. This is to trigger DHCP
renewal and re-authentication, if necessary.
802.1X Auth and MAC Auth apply only to wired devices.
Access Auth Profile
No Auth/ Failure/ Alternate
802.1X Authentication
• 802.1X Pass Alt - The user shall be assigned a Pass-Alternate UNP in case the 802.1X authentication does not result in a valid UNP for
the pass branch.
• Bypass Status - When it is enabled, the user's 802.1X authentication method is skipped. The user proceeds directly to MAC authentication or
Access Classification.
• Failure Policy - The authentication method used if 802.1X authentication fails.
MAC Authentication
• MAC Pass Alt - The Access Role Profile the user is assigned to after passing authentication
• MAC Allow EAP - Enables/Disables Extensible Authentication Protocol (EAP).
Access Classification
Access Classification Rules are defined and associated with a UNP Access Role Profile to provide
an additional method for classifying a device.
• If authentication is not available or does not return a profile name for whatever reason, Access
Classification rules are applied to determine the profile assignment.
Access Classification
Rule Types
Analytics
Lesson Summary
BYOD Trend
User mobility and the need to have the same type of access on any device
Bottlenecks can affect the network and disappear before the source of the
problem is even identified
Network Planning is required
From Real-time to Long-term needs
Analytics Application
Overview
• Reports.
Provides a comprehensive view of network resource utilization.
Two types of reports:
- "Visibility" Reports can be configured to show network utilization over
different time periods.
- "Availability" Reports provide a "real-time" view of all discovered
network switches.
• Profiles.
Used to create Analytics Profiles. To generate an Analytics Report for
any of the "Visibility" Reports, you must first create an Analytics Profile
that defines the switches/ports that you want to view and the type of
information that you want to view on those switches/ports.
Analytics
Overview
• Summary View
Displays basic information on all supported network devices,
including any Analytics Profiles defined for a device.
• Applications Management
When generating a Top N Applications Report, the Analytics
application uses port numbers to identify application traffic. This
screen is used to create port/application mappings to identify
applications traffic.
• Anomalies
Displays any port utilization anomalies. An anomaly is a utilization
data point that falls outside of expected norms based on past usage.
Reports
Reports
Types
Top N Applications
Displays information about the top applications being accessed on the network,
including which users are using an application, and which switches have the most
traffic for an application.
Top N Clients
Displays information for the Top Network Users including the number of traffic flows
for each user.
Reports
Types
Network Health
Displays information for the top devices on the network in terms of the device's
resource usage. Devices are ranked based on the device's CPU usage, memory usage,
and temperature.
Network Availability
Displays the current operational state of network devices (Up/Warning/Down).
Alarms
Displays network alarms by severity level.
Reports
[Figure: Measurements & Operations (OV412.R02). Labels: Ports; Top N Users (sFlow sampling, source IP address); Top N Switches/Resources Utilization ("index" derived from CPU, memory use, temperature; value/gravity scale); Availability; store analytical data; widgets and graphical reporting.]
Right-click on a section of the Pie Chart and select the appropriate option.
Switches
Top N Applications
Detail View
Provides a detailed view of the specified time interval.
For example, if a report displays data for the last 24 hours, the Summary View will
display a summary of the data for the last 24 hours; and the Detail View will then
display data for each hour within those 24 hours.
Top N Applications
Trending information
When in the Detail View, you can click on a bar in the chart to view usage
trends for each application for the selected time interval by "drilling down" on
a data set to see a subset of that data.
The trend for an hour would be displayed in 15-minute increments.
Top N Clients
Summary View
Displays information for the top network clients including the number of traffic
flows for each client.
OmniVista uses the source IP address in the sFlow packet to determine the
client.
Each client is displayed as a percentage of the total for the configured time interval
(e.g., last 24 hours).
List View
Pie Chart
Top N Clients
Detail View and Trending information
Detail view provides a detailed view of the specified time interval.
If a report displays data for the last 24 hours, the Detail View will display data for
each hour within those 24 hours.
Information is displayed in a bar chart view.
In the Detail View, you can click on a bar in the chart to view usage trends for
each client for the selected time interval.
Displayed in 15 minute increments.
Click on a data point in the trending view for more detailed information.
Network Health
Displays information for the top switches on the network in terms of the
switch's resource usage.
Based on switch's CPU usage, memory usage, and temperature.
Top N Ports
Summary View
Displays the top network ports based on utilization.
Displayed as a percentage of the total utilization for all monitored ports.
In this view, switches/ports are displayed in a list view from highest to lowest
utilization for the configured time period (e.g., day, week).
Top N Ports
Detail View
Depending on the number of ports you configured for display (e.g., top 10
ports, top 15 ports), any monitored ports that qualify during the configured
time interval (e.g., last 24 hours) are displayed.
Ports are simply stacked numerically in each bar by IP address and port number
(the order is not based on utilization).
Top N Ports
Trending View
Used to view predicted future port utilization based on past utilization.
Predictions can provide valuable insight for capacity management.
Current Predicted
Top N Reports
Customization
Click on the Configuration icon in the upper right corner of the screen to
configure how information is displayed in the report.
Default Devices - By default, all top switches/ports are displayed. However, you can
click on the Select Devices button to display only information from specific switches.
The reported alarms in each severity level are displayed as a percentage of the
total alarms reported.
Click on a severity level in the pie chart to view the switch(es) from which the alarms
originated, and the number of those alarms received.
Profiles
Displays currently configured Analytics Profiles.
Used to create, edit, and delete profiles.
The first step in generating analytics information for any of the "Visibility"
Reports (Top N Applications, Top N Clients, Top N Switches, and Top N Ports
Utilization) is to create an Analytics Profile.
A profile consists of the type of information you want to view (Profile Type)
and the switches/ports that you want to analyze.
Create Profile
Profiles
Configuration
Configuration Screen
Profile Name - User-configured name for the profile.
Profile Type - Select a Profile Type from the drop-down menu:
Top N Apps & Clients
Top N Ports Utilization
Sampling Rate (Top N Apps & Clients Only) - Ratio of packets observed at the data
source to the samples generated. For example, a sampling rate of 100 specifies that,
on average, 1 sample will be generated for every 100 packets observed.
Profiles
Configuration
Device/Port Selection Screen
Add/Remove Switches - From the list of switches, select those you want to analyze.
Add/Remove Ports - Select a switch and click on the Add/Remove Ports button. From
the list of ports, select the port(s) that you want to analyze.
An existing application ports mapping file (.json file) can be imported into
OmniVista 2500 NMS.
Note that this new mapping will override the existing mapping.
Anomalies
Displays any anomalies that are discovered in established port utilization
trends.
The information is displayed in a list that describes the anomaly and its origins (e.g.,
IP address, Port).
Anomaly detection uses Z-Score to check for anomalies in the latest port
utilization data gathered from hourly polling over the past 30 days.
Z-Score is a statistical measurement of a score's relationship to the mean in a group of
scores.
It measures utilization for a port for a specific hour to determine its relationship with
utilization for the same hour over the sampling period (30 days).
A data point that deviates considerably from an established pattern is flagged as an
anomaly and displayed on the Anomalies Screen.
Z-Score parameters are configured on the Preferences - Analytics Screen.
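The same-hour Z-score check described above, as an added example (not OmniVista's own code). The threshold of 3.0, the function names and the utilization figures are assumptions or constructed data; the page does not state the configured Z-Score parameters. The whole-history comparison goes beyond the page and is included to show why the baseline is taken per hour.

```python
"""Same-hour Z-score check on hourly port utilization (added example)."""
import math
from statistics import mean, pstdev

HOURS_PER_DAY = 24
HISTORY_DAYS = 30   # sampling period stated on the page
Z_THRESHOLD = 3.0   # assumption: the page does not state the configured value


def z_score(value, history):
    """Distance of `value` from the mean of `history`, in standard deviations."""
    if len(history) < 2:
        raise ValueError("need at least two past samples to form a baseline")
    mu = mean(history)
    sigma = pstdev(history)
    if sigma == 0:
        # Perfectly flat baseline: any change at all is infinitely unusual.
        return 0.0 if value == mu else math.copysign(math.inf, value - mu)
    return (value - mu) / sigma


def same_hour_history(days, hour):
    """Utilization recorded at `hour` (0-23) on each past day."""
    return [day[hour] for day in days]


def find_anomalies(days, latest, threshold=Z_THRESHOLD):
    """Compare each hour of `latest` with the same hour on the past days."""
    flagged = []
    for hour, value in enumerate(latest):
        z = z_score(value, same_hour_history(days, hour))
        if abs(z) >= threshold:
            flagged.append((hour, value, z))
    return flagged


def global_z(days, value):
    """Z-score against every sample regardless of hour (comparison only)."""
    return z_score(value, [v for day in days for v in day])


def build_history():
    """Constructed data: 30 days of hourly utilization (%), busy 08:00-18:00."""
    days = []
    for day in range(HISTORY_DAYS):
        row = []
        for hour in range(HOURS_PER_DAY):
            base = 70.0 if 8 <= hour < 18 else 10.0
            jitter = ((day * 7 + hour * 3) % 5) - 2   # deterministic, -2..+2
            row.append(base + jitter)
        days.append(row)
    return days


def build_latest():
    """Constructed data: the most recent day of hourly polling."""
    latest = [70.0 if 8 <= h < 18 else 10.0 for h in range(HOURS_PER_DAY)]
    latest[3] = 45.0    # unusual night-time load on a normally quiet port
    latest[14] = 72.0   # ordinary afternoon load
    return latest


if __name__ == "__main__":
    days = build_history()
    for hour, value, z in find_anomalies(days, build_latest()):
        print(f"{hour:02d}:00 utilization {value:.0f}% z={z:.1f}")
    print(f"whole-history z for 45%: {global_z(days, 45.0):.2f}")
```

A 45% reading at 03:00 is flagged against the quiet same-hour baseline, while the whole-history score for the same value stays well under the threshold because the busy daytime hours widen the spread.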
Anomalies
Create Report
Report
Configuration
A report is created in two steps:
1) In the Report Configuration screen, click on the Create icon and complete the
fields as described below:
Report Title
Schedule Settings
Purging Policy – The report will be removed from the server at the selected interval. Select
"None" to never purge the report.
Schedule – "Now" generates the report immediately.
"Periodically" creates the report at specific times/intervals.
- "Simple" schedules the report generation every "x" number of days, hours,
minutes, seconds (e.g., every 5 days, every 5 minutes).
- "Cron" schedules the report generation as a cron job (e.g., every minute,
every hour, every year).
Other Settings - Optional report parameters (e.g., page size, orientation).
Report
Configuration
2) In the Analytics Application, go to the report that you want to include (e.g.
Alarms). In the upper right corner of the screen, click on the Export icon and
select Add to Report.
▪ On the Add to Report Window, select the Report from the Report Configuration drop-
down list and click OK.
▪ You can open different views (e.g., Summary View, Detailed View) and repeat
the procedure to include those views in the report.
Report
List
Displays all generated reports.
To download/view a report in PDF format, select the report and click on the
Download button.
To delete a report(s), select the report(s) and click on the Delete icon, then
click OK at the confirmation prompt.
Application Visibility
Application Visibility
Devices Management
Displays all network switches that support Application Visibility.
Name, IP address, and operational status of each switch,
Indicates whether or not an Application Visibility Profile has been assigned to the
switch.
Application Visibility
Signature Files
Application Visibility
Signature Profile Creation
Select one of the predefined groups, or configure a custom application group.
Two different types of groups can be created:
Monitoring group: Used for the Analytics Reports
Enforcement group: Used for the QoS and Access Role applications
Application Visibility
Signature Profile Assignment
After the profile is created, it has to be assigned to the switches and its ports.
Application Visibility
Displaying Application Reports
In the Analytics screen, select Top N Applications – Advanced to display the
reports
Then, the Policy List is included as part of the Access Role Profile configuration
OMNIVISTA 2500
How-to Setup Application Visibility
Abstract
Quick configuration guide on how to enable Application Monitoring on the OmniSwitch 6860E
and configure Application Visibility and Reporting on OmniVista.
OmniVista 2500
How-to setup Application Visibility
Table of Contents
1 INTRODUCTION
2 REFERENCES
3 APPLICATION MONITORING
3.1 OMNISWITCH
3.2 OMNIVISTA 2500
3.3 APPLICATION SIGNATURE DATA BASE
4 PREREQUISITES
4.1 OV 2500
4.2 SWITCH
6 SWITCH CONFIGURATION
7 OV 2500 CONFIGURATION
7.1 IMPORT SIGNATURE FILES
7.2 CREATE SIGNATURE PROFILE AND ADD SWITCH/PORTS
7.3 APPLYING SIGNATURE PROFILE TO DEVICES
7.4 ADDING WIDGETS TO DASHBOARD
7.5 DISPLAY OUTPUT
7.5.1 FLOW DATA COUNT
7.5.2 FLOW DATA USAGE STATISTICS
7.6 VERIFY CONFIGURATION ON SWITCH
7.6.1 SHOW APP-MON CONFIG
7.6.2 SHOW APP-MON PORT
7.6.3 SHOW APP-MON STATS
7.6.4 SHOW APP-MON APP-RECORD
7.6.5 SHOW APP-MON FLOW TABLE
2 References
1. OmniVista User Guide
2. AOS 8x Network Configuration Guide
3. AOS 8x CLI Reference Guide
3 Application Monitoring
The Application Monitoring (app-mon) feature is available on the OS6860E. Since app-mon looks deeper into the packets
received, it can detect application flows (e.g., YouTube, Netflix, Facebook).
App-mon needs three components to work: a capable OmniSwitch, OmniVista 2500 and an application signature
database.
3.1 OmniSwitch
The OmniSwitch 6860E’s ASIC has a Flow Tracker and a co-processor to accomplish app-mon. When a new flow is
received on the switch, a new entry is added to the flow tracker (the flow tracker is 8K in size). When a port is enabled
for app-mon, the first few packets of the flow are trapped and sent to the co-processor. The co-processor runs a
regex pattern matching algorithm on the received packet to see if any patterns match the application
signatures. When a packet’s pattern matches the application signatures, it is logged if Monitoring is enabled. If
Enforcement is enabled, additional controls in the form of ACLs can be applied to control the traffic.
Multiple signatures may be needed to detect a particular application. The signatures in OV 2500 are grouped into
individual applications (YouTube, Facebook, twitter etc.,) and application groups (Audio/Video, Game, Peer to Peer,
ERP etc.,). OV 2500 allows for groups to be created based on need. There are 3 constructs in AOS app-mon
• App Pool – This is the set of all signatures (An application may need multiple signatures)
• App Group – Logical group of signatures
o AOS has pre-defined groups
o User can create groups according to need
• Monitoring
• Enforcement
Monitoring counts the number of flows that are detected per application.
o Enabling enforcement will start collecting statistics (traffic counters) for application traffic. For
each flow the amount of bandwidth will be collected (e.g., 30 MB of YouTube traffic, 5 MB of
Twitter traffic).
o Enforcement can also be used to apply QoS (ACL) on a per-flow basis.
4 Prerequisites
4.2 Switch
1. Time and Date should be set
2. SNMP should be configured for OV 2500 to discover it
3. Switch should be setup to be accessed through OV 2500
4. Advanced Licenses should be applied to the switch(s)
5.1 Hardware
OS6860E-24
5.2 Software
AOS Software Release: 8.2.1.304
OV 2500 Release: 4.2.1.R01 (Build 69)
6 Switch Configuration
Since most of the configuration is done using OV 2500, there is not much to be done on the switch with respect to
app-mon.
The IPv6 Flow management has to be disabled. This has been fixed in future releases.
7 OV 2500 Configuration
The DPI configurations from OV 2500 can be modified at any time based on customer need. Any number of
switches and ports can be added. The configuration applied during runtime will be applied immediately to the
switch (no need for a reboot of the switch). The data collection from OV 2500 relies on the hourly data collected
on the switch. The users might have to wait for an hour to see the display on the Dashboard.
Select Signature Profile on the left side and click on the “+” to create a new profile
Enter any string as the Profile Name, enter the Description, and click on Next
Application groups can be searched and selected or “+” sign can be clicked to add the groups to the profile.
For the purposes of this document, we will select the entire list (all application groups).
Select the Ports in the Switch by clicking on Add Port and selecting the ports on that switch
SPB Service statistics have to be disabled for App Mon Statistics to work (since they use the same counters).
This completes the assignment of Signature profiles to switches and enabling of app-mon on port(s) on the
switch(s).
Click on the Widget Icon on the top right corner of the OV 2500 dashboard (main page)
Click on “Add Widget”
This Widget shows the total network bandwidth. This is collected using the hardware statistics (as one part of
enforcement).
This command shows app-records for current hour, hourly and a twenty four hour period. This is what is collected
in OV 2500 and displayed.
google             Web           2
twitter            Web           1
google_analytics   Web           1
gstatic            Web           21
hulu               Audio/Video   1
instagram          Web           4
--------------------------------
Number of Applications: 6
This command provides the Flow Table for Monitoring/Enforcement. For the purposes of this document we only do
monitoring.
SNMP
• SNMP Version that OmniVista will use to communicate with the device. Default version for AOS devices is
v2, but v1 and v3 are also supported
• Timeout (msec) that OmniVista will wait for a switch to respond before assuming that the request has
timed-out (Default = 5,000)
• Read Community. The device's "get" community name. This enables OmniVista to read information from
the device
• Write Community - The device's "set" community name. This enables OmniVista to write information to
the device
• Retry Count - Number of times that OmniVista will attempt to connect to a switch (Default = 3).
Discovery Profile - Advanced
Advanced Services
• Trap Station Name - The device user name that will be used when an AOS device is configured to send
traps to OmniVista.
• Discover Link - Specifies how OmniVista will discover the physical links associated with the discovered
devices.
• Shell Preference - Specifies the default command line interface to be used for discovered devices: Telnet
or SSH
• Use Get Bulk - When enabled, the "Get Bulk" operation is used for retrieving large amounts of data,
particularly from large tables
• Max Repetitions - The number of rows of table data that the "Get Bulk" operation will request in each
"Get Next" operation.
Discover New Devices – IP Ranges
Define address ranges to discover devices
Associate Address Ranges to SNMP Setups
Discovery – Start Discovering
After creating the IP Range, click on the Discover Now button
Discovery – Managed Devices
Displays a list of all network devices that are currently being managed by OmniVista.
There are two tabs.
• "ALL" displays all managed devices (LAN Devices and APs).
• "OAW" displays only managed APs.
Discovery – Hardware Inventory
Displays inventory information (e.g., CMM, Chassis, Power Supplies) for any discovered device
Discovery - Links
Displays existing links in the network
• Automatically discovered using AMAP or LLDP
• Links can also be added manually
Discovery – Manual Link
Manual links are persistent and displayed in RED when the link goes down.
Recommended to configure critical links providing better monitoring capabilities.
Useful to create links between ALE devices and external devices.
Discovery - Ports
Displays information about ports on network devices
• Enables/Disables device ports
Discovery – SPB Ports
Displays information about SPB Services Ports on network devices. SPB Services are configured on
edge devices, so only edge devices are displayed.
Discovery – Third-Party Devices Support
Discovery and support of third-party (non-AOS) devices.
Once third-party devices have been discovered, OV supports the following:
• Web Browser, Telnet or SSH
• Custom MIBs
• Custom Icons
• Traps
• Locator
Discovery – Adding Third-party Device Support
Create Mibset
• OID: Device’s Object ID
• Display Name: Name to be used for the device
• Mib Directory Name: If you want to use MIB-2 level support for third-party devices, enter mib-2. This
generic directory already exists in OV. If you are not using standard MIB-2, enter a directory name.
Discovery – Import MIBs
Imports new or updated MIB files to OmniVista
All MIB files must have a file extension of .mib
If you create a new MIB directory, you must import a complete set of MIBs into that directory.
Select the Mibset to be updated from the drop-down box and click on the Import button
Topology
Topology – Geo Map View
Google Maps for Topology
• Display of Google Maps for geolocating sites
• Zoom-In / Zoom-Out for displaying Countries / Cities / Sites
• Switch to Topology application for moving to floor plans
Select Switches
Schedule and
send the script
View Log
View Script Log
• Success / Error
• Syntax errors
SSH/Telnet
SSH/Telnet to a New Device
How to
✓ Configure routing using OmniVista and WebView.
Contents
1 Monitoring RIP/RIP v2
2 Summary
3 Lab Check
2
Basic Routing Configuration
Implementation
1 Monitoring RIP/RIP v2
- In this lab we are going to monitor L3 routing by using WebView.
- Right-click on the 6900A (192.168.200.1) on the map, in the Topology application, and select Device -
WebPage to launch Web-View.
- Verify that the different interfaces are part of the RIP protocol.
- Verify all RIP routes including local, RIP and redistributed routes. Go to RIP/RIPv2 -> Routes
- Finally, remember to save your configuration. Go back to OmniVista. Select a switch from the Topology
map. Right-click the device and Select CLI Scripting – SSH/Telnet, it will open a new window, log in and
enter the command write memory flash-synchro.
- You can also use the SSH connection to make sure that your configuration is in order.
2 Summary
Not all features are supported directly from OmniVista. At times it may be necessary to launch either
WebView, Telnet, or SSH to configure some options.
3 Lab Check
1. Is it necessary to enter a username and password each time a Telnet or SSH session is opened on
the switch?
2. Once changes are made using WebView, OmniVista can be used to save those changes to the
boot.cfg file. T/F
OmniAccess Stellar Wlan
VoWLAN
Portfolio for Voice
Enterprise Handset
Enterprise and industrial handsets
Handset management & alarm tools
Voice applications:
Rainbow UCaaS client
Rainbow mobility with OXO/OXE integration
OTC mobile application
Non-ALE softphones applications (Facetime,…)
[Figure: OmniAccess Stellar AP portfolio (AP1101, AP1201, AP1201H, AP1221/AP1222, AP1231/AP1232, AP1251) with per-model 802.11ac wave, radio, BLE, DPI and Ethernet port details]
Voice on Stellar WLAN – Feature List
Features | OmniAccess Stellar AP1101 | OmniAccess Stellar AP12xx | OmniAccess WLAN
Management mode | Express/Enterprise/OV Cirrus | Express/Enterprise/OV Cirrus | Instant AP/Central/Controller-based
High Availability | PVM+SVM/OV2500 HA redundancy | PVM+SVM/OV2500 HA redundancy |
PoE/PoE+ support | ✓ | ✓ (PoE+/HPoE for AP123x) | ✓
Technology | 802.11g/a/n/ac Wave 1 | 802.11g/a/n/ac Wave 2 | 802.11g/a/n/ac Wave 1 & Wave 2
Client control | Airtime fairness/Data rates/Band steering/Load balancing | Airtime fairness/Data rates/Band steering/Load balancing | Airtime fairness/Data rates/Band steering/Load balancing
Roaming | 802.11/OKC; 802.11r/k/v; L2/L3 with OS6860/E/6900; Sticky device avoidance | 802.11/OKC; 802.11r/k/v; L2/L3 with OS6860/E/6900; Sticky device avoidance | 802.11/OKC; 802.11r/k/v; L2/L3 with 4XXX controller; Sticky device avoidance
QoS | 802.11e/WMM - DSCP/802.1p | 802.11e/WMM - DSCP/802.1p | 802.11e/WMM - DSCP/802.1p
Policies designed for Voice operations (VoIP real-time) WMM Tagged DSCP, 802.1p Tagged DSCP, 802.1p
(Fig.1) Collaborative apps
Best effort traffic Figure 1
Policies designed for real-time conferencing
(Collaborative apps) (Fig.1) Deep Packet Inspection Network Analytics
(AP12XXs)
Voice enforcement (optional) with Stellar DPI/app Voice Signatures Kits
802.11ac data throughput requires Gigabit user ports Tagged Voice Bandwidth enforcement
Professional services
Professional Services cover the build and run phases of all projects, including plan & design, integrate &
deploy, assess & migrate, and project management.
The Ekahau 3D site survey tool can be delivered as a service by PS to design WLAN deployments
OmniVista™ 2500 NMS Release 4.4
PolicyView
Objectives
Lesson Summary
OmniVista 2500
Used to configure network-wide QoS policies
Infrastructure
Operation modes
• OneTouch for Voice, Data & ACL
- QoS for one or more subnets of VoIP phones
- QoS priorities for selected data servers
- Accept/ Drop traffic for selected groups
• Wizard Expert Mode
- Advanced QoS controls for complex policies (including validation scheme)
PolicyView Home
QOS Rule configuration steps
Set Conditions
[Figure: Policy Flow: LDAP, Policy Directory Server, Policy Enabled Switches]
OmniAccess Stellar Wireless Lan
SSID Creation – Advanced options
Lesson summary
SSID Creation – Advanced options
At the end of this module, you will be able to:
• Understand and configure the advanced options of the
SSID wizard.
Default VLAN/Network
Access Role Profile configuration
Network:
VLAN ID
Tunnel ID and Tunnel Termination Switch (TTS) IP
Walled Garden
Wireless Client Social Login
Wireless client authenticates through a social media vendor
(FaceBook Wi-Fi or Google)
Whitelist Domain
Allow a wireless client to access the URLs of the whitelist
without authentication
SSID SETTING
Hide SSID
802.11b & 802.11g support
Legacy clients are allowed/denied access to the network
Classification Status
Role assignment if 802.1X/MAC authentication does not return a role
Maximum number of clients per Band
Maximum clients per band for this SSID
Client Isolation
Traffic between clients on the same AP (in the SSID) is blocked
Broadcast Optimization
Broadcast Filter All
Drop all broadcast packets except DHCP & ARP.
Broadcast Filter ARP
Convert broadcast ARP to unicast ARP
Recommended if no specific multicast application is used
Advanced WLAN Service Configuration
Multicast Optimization
Enabling Multicast Optimization = Convert
multicast to unicast
Unicast key PTK used
Uses the highest data rate (unicast)
Four categories
QOS treatment per category
Uplink 802.1p/DSCP
Downlink 802.1p/DSCP
DSCP=56
DSCP=56 DSCP=46
Default OV Settings
WMM | 802.1p | DSCP (hex) | DSCP (decimal)
Best Effort | 0, 3 | 0x00, 0x18 | 0, 24
Background | 1, 2 | 0x08, 0x10 | 8, 16
Voice | 6, 7 | 0x30, 0x38 | 48, 56
Video | 4, 5 | 0x20, 0x28 | 32, 40
OmniAccess Stellar Wireless Lan
WiFi Express - Troubleshooting
At the end of this presentation, you will be able to
Troubleshoot AP based issues
Troubleshoot client based issues
Troubleshoot performance based issues
AP Troubleshooting
AP Troubleshooting - Case 1 : AP can't be powered up
When the AP is powered up, the AP LED is “Green”. However, if the LED is off or LED has a different color,
please perform the following troubleshooting:
Step 1: If the LED is off, check the PoE or adapter power output. The OAW-AP complies with the
following power specifications:
Maximum (worst-case) power consumption: 12 W (802.3at PoE or DC)
48 V DC (nominal) 802.3af/802.3at compliant source
When both power sources are available, DC power takes priority
Step 2: If the LED isn't green, check the LED color as described below.
Step 1: Connect to the AP using the web GUI with the default IP address 192.168.1.254.
Configure the IP address of the PC in the same subnet as the AP.
If the AP can be reached through the web GUI, ensure that the IP address is set to DHCP.
AP Troubleshooting - Case 2 : AP fails to get an IP address from the DHCP server
Step 2: If you can't access the AP using the web GUI,
access the AP using the console.
If the "option proto" is set to static, use the command "ifconfig br-wan" to get the AP's IP address. Access
the web GUI of the AP using this IP and modify the IP type to DHCP (refer to the Step 1).
Step 3: If the AP still does not get an IP from the DHCP server, use "cd /tmp" and "ssudo tcpdump -i br-wan
-s0 -w X.pcap" commands to capture the DHCP messages. Send the file X.pcap to the tftp server using "tftp
-pl X.pcap <server-IP>", then open the X.pcap file using wireshark:
If you see the following DHCP messages, check the configuration of the DHCP server as well as the link
between the AP and the DHCP server:
AP Troubleshooting - Case 3 : Cannot ping or access the AP using web GUI, SSH or
console
If a PC cannot access the AP using the web GUI:
Ping the AP's IP address. If ping fails, check the AP's IP address. If the IP is incorrect, refer to the case "AP
fails to get an IP address from the DHCP server".
If the AP has a correct IP address, check the gateway using the command "route -n".
If the PC can't ping the AP, or the AP can't ping the gateway, check the presence of the following process
using the command "ps | grep lighttpd".
If there is no lighttpd process, create the process using the command "/etc/init.d/lighttpd start".
If the process already exists, restart it using the commands "/etc/init.d/lighttpd stop" and
"/etc/init.d/lighttpd start".
If you still can't access the AP using the web GUI, check the CPU usage with the command "top":
If the idle value is very low, kill the process using too much CPU or reboot the AP.
If you can't access the AP using SSH, check the link following the previous steps and check if the
correct AP's IP address has been used:
If you can't access the AP using console, check the quality of the serial port and the connection
configuration:
AP Troubleshooting - Case 4 : AP can't join a cluster
The cluster management module builds the cluster and sets the role of each AP in the cluster: Primary
Virtual Manager (PVM), Secondary Virtual Manager (SVM) or MEMBER. A cluster is limited to a maximum of
32 AP1101 only or 64 mixed APs.
Check that the cluster ID value is the same on the AP and on the PVM.
Access the AP using the console and use the command "cluster_mgt -x show=self" to check the cluster ID:
If the AP stays in "Initializing" state for too long, reboot the AP.
Check if the AP is in a "joining" state.
Access the PVM using the web GUI, and if the AP is in "joining" state, it must be joined manually.
If the AP still can't join the cluster, check if the cluster has already reached the maximum number of APs
allowed (32 or 64 APs).
Use the command "ssudo tcpdump -i br-wan -s 0 port 32768" to capture the messages sent by the AP to the
PVM.
802.1X authentication involves the user (Access Client), the Access Point (or RADIUS client) and the RADIUS
server.
If authentication fails, check the following steps:
User Side
Check whether the username and password are correct. If not, re-enter them.
Check whether the terminal's wireless network settings are correct, such as
security type, certificate and other required configuration.
Make sure the terminals match the RADIUS Server authentication type.
AP Side
Check the WLAN's configuration
Client Troubleshooting - Case 5 : 802.1X authentication not working
Check whether the RADIUS Server is reachable from the AP using "tools-ping" on the web page:
If the above tests have been performed and the authentication still fails, capture the data packets on the
AP using the command "ssudo tcpdump -i br-wan -s 0 dst <RadiusIP@>" to check the detailed
authentication process.
Server Side
Check the RADIUS Server Client configuration, such as the shared key,
RADIUS client IP or IP range, authentication port, certificate.
If the above items have been checked, capture the data packets on the
RADIUS server.
Client Troubleshooting - Case 6 : Captive Portal redirection not working
If the guest portal does not pop up after connecting to the "Guest" SSID (open & portal), check the following:
Check whether the Captive Portal function in the WLAN is enabled. If not, enable it.
Check whether the Captive Portal authentication switch is turned on. If not, enable it.
Check if the client MAC address is in the white list or if the client IP is in the walled garden list. If one or
both cases are true, the client cannot be redirected to the captive portal web page.
Check if the client entered an HTTPS URL. If so, enter an HTTP URL instead, because HTTPS redirection to
the captive portal web page is not yet supported.
If you have checked the previous points and you are still not redirected to the captive portal web page,
use the console and enter the command "ps | grep eag" to check if the EAG process is running.
Client Troubleshooting - Case 7 : Client can't get an IP
Capture the DHCP messages from the AP and client. Use the command "cd /tmp" and "ssudo tcpdump -i br-wan
-s 0 -w X.pcap" to capture DHCP messages on the AP and send the file "X.pcap" to the tftp server using
the command "tftp -pl X.pcap <tftpIP@>". Then open the file "X.pcap" using wireshark.
If the DHCP messages of the client are incomplete and if the wireshark trace shows the same DHCP
message repeated multiple times:
Check that the VLAN ID of the WLAN is correct. Access the AP using the web GUI and check the VLAN ID.
If the channel is different, modify the channel configuration:
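The DHCP capture check from Case 2 and Case 7, as an added example that is not part of the course material: it reads the X.pcap file written by tcpdump and reports, per client MAC, how far the DHCP exchange got. The function names, the verdict strings and the rule that a repeated DISCOVER with no reply is the failing pattern are assumptions, and the sample capture is constructed.

```python
import struct
from collections import Counter, defaultdict

DHCP_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
COOKIE = b"\x63\x82\x53\x63"  # marks the start of the DHCP options

def read_pcap(data):
    """Yield raw frames from a classic libpcap file (Ethernet link type)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None or struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("expected a classic pcap file with Ethernet frames")
    pos = 24
    while pos + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[pos + 8:pos + 12])[0]
        yield data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len

def dhcp_message(frame):
    """Return (client MAC, DHCP message type) or None for non-DHCP frames."""
    off = 16 if frame[12:14] == b"\x81\x00" else 12  # skip one 802.1Q tag
    ip = frame[off + 2:]
    if frame[off:off + 2] != b"\x08\x00" or len(ip) < 20 or ip[9] != 17:
        return None
    udp = ip[(ip[0] & 0x0F) * 4:]
    if len(udp) < 8 or set(struct.unpack("!HH", udp[:4])) != {67, 68}:
        return None
    bootp = udp[8:]
    if len(bootp) < 240 or bootp[236:240] != COOKIE:
        return None
    opts, i = bootp[240:], 0
    while i + 2 < len(opts) and opts[i] != 255:
        if opts[i] == 53:  # option 53 = DHCP message type
            return bootp[28:34].hex(":"), DHCP_TYPES.get(opts[i + 2], "OTHER")
        i += 1 if opts[i] == 0 else 2 + opts[i + 1]  # pad option has no length
    return None

def diagnose(pcap_bytes):
    """Map each client MAC to a verdict on its DHCP exchange (assumed rules)."""
    seen = defaultdict(Counter)
    for msg in filter(None, map(dhcp_message, read_pcap(pcap_bytes))):
        seen[msg[0]][msg[1]] += 1
    def verdict(c):
        if c["ACK"]:
            return "complete"
        if c["OFFER"] or c["NAK"]:
            return "server answered, no ACK"
        return "DISCOVER repeated, no reply" if c["DISCOVER"] > 1 else "incomplete"
    return {mac: verdict(c) for mac, c in seen.items()}

def sample_pcap():
    """Constructed capture: one client completes DORA, one only sends DISCOVER."""
    def frame(mac, msg_type, server=False):  # checksums left at 0
        bootp = (bytes([2 if server else 1, 1, 6, 0]) + bytes(24) + mac
                 + bytes(202) + COOKIE + bytes([53, 1, msg_type, 255]))
        ports = (67, 68) if server else (68, 67)
        udp = struct.pack("!HHHH", *ports, 8 + len(bootp), 0) + bootp
        ip = struct.pack("!BBHHHBBH8x", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0)
        return b"\xff" * 6 + mac + b"\x08\x00" + ip + udp
    ok, stuck = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    dora = [frame(ok, t, t in (2, 5)) for t in (1, 2, 3, 5)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for n, f in enumerate(dora + [frame(stuck, 1)] * 4):
        out += struct.pack("<IIII", n, 0, len(f), len(f)) + f
    return out
```

To run it on a real capture, pass the bytes of the file to diagnose(), for example diagnose(open("X.pcap", "rb").read()).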
Client Troubleshooting - Case 8 : Client is unable to connect to AP/Cluster
Client is unable to connect to the AP/cluster using WLAN and access the AP/cluster using web GUI.
If the client is in the blacklist, click the red cross to delete the AP from the blacklist
If the client is not in the blacklist, check if the clients count reached the maximum number of clients
allowed.
If there is no process for athXX, use the command "wam -P /var/run/wifi-athXX.pid -B
/var/run/wam-athXX.conf -d -f /var/log/wam-athXX.log" to recreate that process.
If the client is still not connected to AP/cluster, use the command "cat /proc/kes_syslog | grep
<clientMAC@>" to check the process when a client connects to an AP/cluster
Client Troubleshooting - Case 9 : Captive Portal authentication fails
If the authentication fails after using a username/password, check the following points:
Check if the username/password is correct. If not, enter the correct credentials.
Check if the validity period of the user account has expired. If so, the user account is invalid and shall
disappear from the account list.
If the authentication fails after using an access code, reenter the correct one:
If the previous changes did not resolve the problem, use the console and enter the command "ps | grep
eag" to check whether the EAG module is up and running. Enter "cat /proc/kes_syslog | grep eag" or "cat
/var/log/eag.log" to debug the problem.
Performance Troubleshooting
Performance Troubleshooting - Case 10 : How to check connection frames, signal
strength, PHY errors, etc
There are two ways to check the connection frames:
The cable is too long. Replace it with a shorter cable, less than 100m.
The crystal heads of the cable are not up to standard. Replace the cable.
The PoE Switch does not meet the 802.3af or 802.3at standard. Change the PoE Switch.
Swap the AP with another one in order to check if the issue is caused by the AP.
Performance Troubleshooting - Case 14 : Track a wireless client session on the AP
Enter the command "sfe" on the AP's console in order to track the wireless client session.
The command result output format is the following
Src ip: Sport -> dest ip: Dport protocol type(TCP/UDP) Direction(O/R) flags packet number byte number
Performance Troubleshooting - Case 15 : Capture 802.11 management frames
between clients and AP
Capturing 802.11 management frames is
possible by using the Omnipeek tool on
the Wireless Network Card.
Troubleshooting Guide
This document is classified into several modules: reboot, setup wizard, cluster,
clients, wireless configuration, syslog, ACL, system management,
upload/download files, packet capture, portal, black list and user access etc.
Reboot
support@AP-0A:F0:~$ tech_support_command 10
Show the cause of the last ten reboots, which is one of the following: Power off
reboot, Button-reboot, Button-firstreboot, Clear all configuration, Restore all
configuration, Update firmware, Web-reboot, ZTP-reboot.
support@AP-0A:F0:~$ ssudo reboot
Show the cluster member information: who is PVC, SVC and VC , and their MAC/IP address,
priority, state, and authentication state.
support@AP-0A:F0:~$ cluster_mgt -x show=self
Check the role of the AP, and display its cluster ID, status in the cluster.
Check who is PVC of the cluster it belongs to. And show the PVC’s IP/MAC address, priority and
status.
Clients
support@AP-0C:A0:~$ sta_list
Check how many and which clients are connected to the AP. Show their MAC/IP address, online
time, RX value, TX value, frequency and authentication way.
support@AP-0C:A0:~$ wlanconfig athxx list
Show the clients list of athxx interface, which includes MAC address, channel, TXRATE, RXRATE,
RSSI, ASSOCIATION TIME etc.
Wireless configuration
support@AP-09:70:~$ iwconfig
Syslog
support@AP-0C:A0:~$ cat /proc/kes_syslog
ACL
support@AP-0C:A0:~$ iptables -nvL
System management
support@AP-09:70:~$ uptime
Show how long the AP has been running. The information displayed is as follows: current time, the run
time, and the average load in the past 1 minute, 5 minutes and 15 minutes.
support@AP-09:70:~$ date
support@AP-09:70:~$ free
support@AP-09:70:~$ sar 1
support@AP-09:70:~$ route -n
Show the network configuration. The option “ula_prefix” is the Local IPv6 Unicast Address, and the rest of the
parameters are the configuration of the interface.
support@AP-09:70:~$ ifconfig
Show all the interface information such as link encap, MAC address, packets, etc.
Upload/Download files
support@AP-09:70:~$ tftp -h
Show the parameters of the “tftp” command. Use the “tftp” command to download/upload files, for example:
Show the parameters of “tcpdump” command. Use the “tcpdump” command to capture packets, for example:
Capture the packets that br-wan received and sent, and save the packets named 1.pcap.
Portal
support@AP-09:70:~$ ssudo userm_cli -s
Black list
support@AP-0C:A0:~$ iwpriv athxx getmac