WLAN 3.x Training: OAW Products
Alcatel-Lucent - Enterprise Solutions Division
All Rights Reserved © Alcatel-Lucent 20092 | Presentation Title | Month 2009
Agenda
1. Products Overview
2. Wireless Basic
3. CLI Configuration Overview
4. GUI Configuration Overview
5. Basic System Setup
6. AP Configuration
7. Managing System Images
8. Basic Configuration Sample
9. Lab: Basic System Configuration
1. Products Overview
Why Alcatel-Lucent
Complete communication solutions provider
Market leadership in key data, voice, video and fixed mobile convergence technologies
turnkey solutions
over 500,000 customers
Presence in over 130 countries
#1 in broadband, switching, optics, satellite, telecom, …
satellite, submarine, optical, broadband, voice, outsourcing, data/IP
What Can Alcatel-Lucent Enterprise Solutions Do For You?
Build the IP Communications House
Communications Applications
Voice over IP
IP Network Infrastructure
Alcatel-Lucent EBG Product Portfolio
Security and Management
IP Networking
OmniVista 2500
Quarantine Manager
Brick Family
Vital Suite/QIP
Performance Management
NAC
Safeguard
Firewall/VPN
Mobile
NLG3500 Cybergatekeeper
Core Layer / Large Scale
Distributed Layer / Medium Scale
Router (WAN)
Access Layer / Small Scale
VoIP
WLAN
OmniSwitch 7800
OmniSwitch 7700
OmniPCX Office
OmniPCX Enterprise
IP Phone
OAW 6000s/SUP-III
OAW 4324/08/04
OAW-AP 4x/6x/70/12x/85
OmniAccess 780
OmniAccess 740
OmniAccess 720s
OmniSwitch 6600/6602
OmniSwitch 6850/6850Lite
OmniSwitch 9800/9700
OmniStack 6200
7750/7450
OmniSwitch 9600
OmniSwitch 6400
OmniSwitch 6855
OAW 4x04
Alcatel-Lucent WLAN Solution
Access points
WLAN switches
Access points
QoS devices
VPN concentrator
LAN-speed firewall
Captive portal
Site survey
WiFi IDS / IPS
Packet capture
Air monitors
WLAN switches/blades
Integrated total solution
Improved security
Easy to expand
Rich feature support
Convenient management functions
Easy installation
Reduced investment cost
Legacy WLAN solution vs. OmniAccess WLAN solution
Legacy WLAN solution
OmniAccess WLAN solution
Features of OmniAccess Wireless Switches
Policy Control Management
Access rights control: User/Flow Stateful FW + Content Inspection redirection
Traffic management: QoS/Priority/Bandwidth Contracts
Network services: Routing, VLANs, NAT, DHCP, Switching
Network access control
Service Provisioning
Network Integration
RADIUS, LDAP, Active Directory
WiFi management: Adaptive RF, Packet Capture, Location Tracking, Roaming, SSID Mgmt, RF Fingerprinting
Encryption: WEP, TKIP, AES, 3DES
WiFi security: WiFi IDS/IPS, Rogue AP Defense
WiFi environment
WiFi IDS/IPS
WiFi access control
Authentication and user integrity check (HIC): MAC, Captive Portal, 802.1x, VPN
Introduction to the Alcatel-Lucent WLAN System
Alcatel-Lucent WLAN system architecture
Alcatel-Lucent WLAN Switch
  Performance improved through Alcatel's own hardware architecture for wireless LAN
  Four separate processors, one per function, are used to improve performance
Next-generation Access Point
  Multi-purpose AP supporting two frequency bands
  802.11 a, b/g/n supported
  User access and air monitoring
Programmable
  Linux-based applications can be used
  - Wireless packet capture
  - Location tracking
Ease of installation
  Automatic configuration through the Alcatel switch
Wireless Control Processor
Wireless Packet Processor
Wireless Security Processor
Wireless Switching Processor
Introduction to the Alcatel WLAN Switch
Alcatel WLAN Switch product family
OmniAccess 6000 WLAN Switches
  4-slot chassis
  Central management of Remote APs from within the data center
  Manages 64 to 2048 APs
  Each line card provides 24 10/100 PoE interfaces and 2 GE uplink ports
  Each SUP-III supports 2 10GE and 10 1GE ports
  802.11 a/b/g/n support
OmniAccess 4504/4604/4704 Wireless Switches
  4x dual personality ports: 10/100/1000Base-T (RJ-45) or 1000Base-X (SFP)
  Manages 32/64/128 APs
  802.11 a/b/g/n support
OmniAccess 4302/4308/4324 Wireless Switches
  0/8/24 10/100 PoE interfaces per device
  1 or 2 Gigabit uplink ports
  Manages 6/16/48 APs
  802.11b&g and 802.11a/b&g (multimode)
OAW6000 with Sup III
Capacity
  Up to 2,048 Campus Connected APs
  Up to 8,192 Remote APs
  Up to 32,768 Users
Performance
  80 Gbps Clear (full-duplex)
  32 Gbps Crypto (3DES, AESCBC256)
  16 Gbps Crypto (AES-CCM)
Compatibility
  Up to 4 Sup III per 6000 chassis
  Supports legacy line cards
  Requires 400 watt PSU
All Components Modular, Hot-Swappable
Fan Tray
Up to 4 M3 Modules
Redundant PSUs
40x 1000Base-X (SFP)
8x 10GBase-X (XFP)
OAW 4504, 4604, 4704
• Capacity
  • OAW-4504
    • Up to 32 Campus Connected APs
    • Up to 128 Remote APs
    • Up to 512 Users
  • OAW-4604
    • Up to 64 Campus Connected APs
    • Up to 256 Remote APs
    • Up to 1,024 Users
  • OAW-4704
    • Up to 128 Campus Connected APs
    • Up to 512 Remote APs
    • Up to 2,048 Users
• Performance
  • 1.6 Gbps, 4 Gbps and 8 Gbps crypto performance (3DES, AESCBC256)
  • 800 Mbps, 2 Gbps, 4 Gbps crypto performance (AES-CCM)
  • 3 Gbps, 4 Gbps, and 4 Gbps wired non-encrypted throughput performance (full-duplex)
• Interfaces
  • 4x dual personality ports 10/100/1000Base-T (RJ-45) or 1000Base-X (SFP)
  • 1 x RJ-45 Serial Console Port
• Programmable Architecture
  • Multi-core, multi-threaded network processor
  • Dedicated crypto cores
1RU 19” Enclosure
4x Dual personality ports 10/100/1000Base-T (RJ-45) or 1000Base-X (SFP)
Serial Console Port
Dedicated Hardware Crypto Cores
Dedicated Network Processors
Multiple Dedicated Control Processors
Status LEDs
Alcatel-Lucent WLAN Switch Performance
[Chart: number of APs against performance (clear text / encrypted) per switch model, with "Pay as you grow" capability. Segments: Branch, Large Branch, Regional HQ, Medium - 802.11n, Large - 802.11n.]
Models shown: OAW-4304, OAW-4308, OAW-4324, OAW-4504, OAW-4604, OAW-4704, OAW-6000-512 (Dual Supervisor II), OAW-6000-2048 (with Supervisor III)
Number of APs shown: 4, 16, 32, 48, 64, 128, 256, 512, 2048
Performance values shown (clear text / encrypted): 1 Gbps / 200 Mbps, 2 Gbps / 400 Mbps, 6 Gbps / 1.6 Gbps, 8 Gbps / 4 Gbps, 8 Gbps / 7.2 Gbps, 8 Gbps / 8 Gbps, 80 Gbps / 32 Gbps
Introduction to Alcatel-Lucent Access Points (11a/b/g)
Single Radio APs
  Software configurable 802.11a OR b/g
  AP / Air Monitor / Remote AP / Mesh
  Internal or external antenna options
Dual Radio APs
  Dual-radio 802.11a AND b/g
  AP / Air Monitor / Remote AP / Mesh
  Dual Fast Ethernet interfaces (OAW-AP70) for resiliency of secured RJ-45 port
  Extensible USB interface port (OAW-AP70)
  Weatherproof, outdoor (OAW-AP85)
OAW-AP70
OAW-AP85
OAW-AP60
OAW-AP61
OAW-AP65
Introduction to Alcatel-Lucent Access Points (11n)
802.11n Ready APs
  Single Radio 802.11a OR b/g
  AP / Air Monitor / Remote AP / Mesh
  Adaptive PoE (802.3af, PoE+, 802.3at)
  Dual Gigabit Ethernet Interfaces (resiliency and secured RJ-45 port)
  802.11n SW upgrade for future
  OAW-AP120 abg
  OAW-AP121 abg
802.11n MIMO APs
  Dual Radio pre-802.11n a/n AND b/g/n
  3x3 MIMO 300Mbps per radio
  AP / Air Monitor / Remote AP / Mesh
  Adaptive PoE (802.3af, PoE+, 802.3at)
  Dual Gigabit Ethernet Interfaces (resiliency and secured RJ-45 port)
  OAW-AP124
  OAW-AP125
Enterprise WLAN: The Business Benefits
Mobility
  enterprise-wide WLAN
  guest access
  internal WLAN hotspots
  remote / branch office access
  small office, home office access
Location tracking
  users
  equipment
  assets
  security
Converged communication services
  converged mobile devices
  fixed / mobile convergence
Enterprise WLAN: Requirements / Challenges
Security
  authentication and encryption
  identity-based security and guest access
  rogues, ad-hoc networks, hacks and attacks
  firewalling
Availability
  coverage
  reliability
  mobility
  performance
Convergence
  QoS
  security
  load balancing
  voice-aware
Deployment
  no disruption of existing network
  RF engineering
  new infrastructure
  network redesign and upgrades
Management
  design and configuration
  monitoring
  troubleshooting
  growth
Addressing the Management Challenges: Planning, Deploying and Managing
Simplest RF planning tool
Zero-touch AP deployment model
Adaptive radio management
Real-time coverage maps
Centralized configuration and monitoring
Integrated packet capture for easy troubleshooting
Integrated location tracking
Addressing the Availability Challenges: Reliability, Coverage and Mobility
VRRP-based redundancy requires no AP provisioning
APs automatically become aware of redundant topology when deployed across L3 boundary
Modular architecture for scalability
Remote office connectivity with site-to-site VPN
Home office connectivity with remote AP
Mobile office connectivity with client VPN
[Diagram labels: Data Center (Hot-Standby, split-second VRRP failover); Regional Office; Branch Office; Public Hotspot; Home Office (Remote AP with IPSec VPN); OAW Client; Internet; built-in site-to-site IPSec VPN; auto-awareness of redundant topology (no priming needed)]
Addressing the Security Challenges: Authentication, Authorization and Control
Integrated stateful firewall
Role-based access control
Built-in client integrity
Centralized 802.11i security
Built-in AAA services
L1-L7 wireless IPS
Rogue detection services
Quarantine Manager
[Diagram labels: SSID: CORP, SSID: GUEST, SSID: VOICE; Guest, Voice, Employees; Rights, QoS, VLAN; Access Point; Wired L2 / L3 Transport; Wireless Controller; Centralized Encryption Keys; Scan & Quarantine Un-trusted Users; Direct Interface to Microsoft Active Directory; Rogue AP; Built-in Rogue Detection & Containment]
Addressing Enterprise Applications: Convergence Services to Meet the Needs of Business
QoS for application-aware traffic management
Security to protect the network, users, and remote clients
Load-balancing automatically distributes clients across multiple APs
Application-aware design allows better management of time sensitive applications (voice)
Adding VoIP is Easy with OmniAccess Wireless
Bi-directional QoS on wired and wireless network
Voice flow classification ensures QoS for converged devices with single SSID for voice and data
Call admission control ensures QoS in the wireless environment
Secure devices that support only MAC auth against spoofing
[Diagram labels: Wireless; Wired; Single ESSID for Voice & Data; Converged voice and data packet stream with WMM tags; 802.1p or DSCP prioritized voice packets; Data Packets; Protocol-aware voice flow classification and security; RF management stops channel scanning when voice clients are present; Call admission control distributes call volume between access points]
OmniAccess Wireless Features and Services: Base Feature Set
Alcatel-Lucent’s standard WLAN software provides unprecedented control over the entire wireless environment, offering intelligent / centralized WLAN switching and advanced services.
OMNI VISTA MOBILITY MANAGER
OmniAccess WLAN Switch Base Software
Services Included in Base Software
  WLAN switching and Dynamic RF management
  Embedded management
  Adaptive Radio resource Management (ARM)
  Authentication – MAC, 802.1x, Captive Portal
  Encryption – WEP, WPA, WPA2 / 802.11i
  Mobility – seamless hand-over – L2/L3
  Rogue Access Point Detection, Classification, Containment
  Wireless QoS – WMM, SVP, T-Spec, U-APSD
  Per SSID AAA server selection
  Switch to switch IPSec encryption for control traffic
OmniAccess Wireless Features and Services: Additional Hardware and Software Modules
Switch level modules
  Policy Enforcement Firewall module
  Wireless Intrusion Protection (WIP) module
  Voice Service Module
  VPN Server Module
  Mesh AP License Module
  Remote AP License Module
  External Services Interface Module
  xSec Module
OMNI VISTA MOBILITY MANAGER
OmniVista 3600 Air Manager
  Centralized visibility of the mobile edge
OmniAccess Wireless Features and Services: Policy Enforcement Firewall Module
Policy Enforcement Firewall module
  User and group policy enforcement through an integrated, ICSA-certified stateful firewall
  Security policies can be centrally defined and enforced on a per-user or per-group basis
  Policies are enforced dynamically, following users as they move and taking into account a variety of metrics such as:
    User location
    Time-of-day
    Device type
    Authentication method
Key benefits
  Firewall permit/deny/drop/log (ICSA certified to version 4.1 corporate standard)
  Role-based services for user / group class of service differentiation, bandwidth contracts
  QoS - priority traffic queues, BW contracts, traffic marking 802.1p/DSCP
OmniAccess Wireless Features and Services: Wireless Intrusion Protection Module
Wireless Intrusion Protection module
  Patented classification technology that identifies and protects against vulnerabilities and malicious attacks
    Ad-hoc networks
    Client and AP impersonation
    Denial of service attacks
    Man-in-the-middle attacks
Key benefits
  Detection of:
    Network probing and DoS attacks, impersonation and man-in-the-middle attacks
    Unauthorized devices (ad-hoc networks, Windows bridging, wireless bridges)
  Prevention of:
    Clients roaming to unauthorized APs
    Attempted intrusion
OmniAccess Wireless Features and Services: Voice Service Module
Voice service module
  Stateful VoWLAN QoS
    Voice Connection Admission Control
    Stateful voice load balancing
    Voice-aware ARM, 802.1x
    Automatic Voice Prioritization
  Troubleshooting and security
    WMM, T-Spec enforcement
    Phone number awareness
    Voice flow quality measurement
Key benefits
  Improved end user experience
    • QoS mechanisms such as CAC ensure optimum audio quality even as network load increases
    • Mechanisms such as voice-aware QoS and stateful load balancing minimize call drops
  Improved troubleshooting and security
    • Voice clients are identified by phone numbers; key call quality metrics are available to the network administrator
    • WMM and T-Spec security is enforced by stateful firewall
[Diagram labels: “off-hook” (active) phones; “on-hook” phone]
OmniAccess Wireless Features and Services: VPN Server Module
VPN Server module
  Integration support for a variety of VPN implementations
  Eliminates need for discrete, external VPN concentrators
  Hardware acceleration provides LAN-speed VPN connectivity
  Both client termination as well as site-to-site VPNs are supported
  Supported VPN protocols include:
    L2TP/IPSec
    IPSec/XAUTH
    PPTP
Key benefits
  Complete client VPN services - PPTP, L2TP/IPSec
  Site-to-site VPN services - IPSec NAT-T transport mode tunnels between OmniAccess WLAN switches or third-party VPN concentrators
OmniAccess Wireless Features and Services: Mesh AP License Module
Mesh AP module
  Securely extend wireless network beyond the reach of wire-line infrastructure
  Mesh Points and Mesh Portals allow seamless, campus-like WLAN connectivity
  Mesh Points support Ethernet bridging over the mesh network
Key benefits
  Allows for coverage of areas such as university campuses, docks, ship yards, warehouses where wires cannot be used
  Consistent services and management model with regular APs
  Survivability – survives mesh points / mesh portal through dynamic L2 routing protocols
[Diagram labels: OmniAccess WLAN switch; Wire-line network; OmniAccess Mesh Portal; Mesh Link; Mesh Path; OmniAccess Mesh Point]
OmniAccess Wireless Features and Services: Remote AP License Module
Remote AP module
  Securely extend corporate wireless functionality to any location with an Internet connection
  Remote APs allow seamless, corporate-like WLAN connectivity
    Remote office
    Home
    Anywhere a mobile worker chooses to work
Key benefits
  Remote access point - termination of remotely deployed APs using IPSec transport
  Flexible modes of operation:
    Tunnel mode – all traffic is tunneled to the WLAN switch
    Local bridging – all traffic is forwarded by the Remote AP at the remote location
    Split tunneling (requires PEF module) – policy-based forwarding of packets in the tunnel or locally
  Survivability – survives WAN failure with pre-shared key auth/encryption
OmniAccess Wireless Features and Services: External Services Interface Module
External Services Interface module
  Per FQDS AAA server selection
  Allows an OmniAccess WLAN switch to communicate with external service devices (Fortinet cluster)
  Supports advanced interaction with authentication, authorization, and accounting (AAA) services infrastructure
  Note: requires that the Policy Enforcement Firewall module is installed
Key benefits
  Choice of AAA server for authentication
  XML API for captive portal (external captive portal server support)
  Content inspection with external appliance, Fortinet integration
OmniAccess Wireless Features and Services: xSec Module
xSec module
  Termination of highly secure xSec client sessions
  Link-layer 256-bit AES-CBC encryption with complete header obscuration for highly sensitive environments
  Enables encryption of trunk ports between WLAN switches based on the same strong encryption standard
Key benefits
  Client/server xSec: termination of AES layer 2 xSec secure VPN sessions
  Point/point xSec: termination of AES layer 2 xSec secure VPN switch port session
[Diagram labels: Layer 2 Connectivity; X-Sec Tunnel]
Completing the Solution: Benefits of Alcatel-Lucent’s Enterprise Portfolio
End-to-end, highly available, consistent solution
  complete set of switching solutions sharing common feature set thus enabling the perfect fit for any need
  superior availability for better voice services
Smart PoE for every need
  PoE flavors for all switching needs
  dynamic power allocation allowing maximized efficiency
Enhanced security
  unique support of 802.1x authentication
  not recognition but authentication
Best in class support for VoWLAN
  roaming, handover, QoS, security
Single management platform
  wired, wireless and voice management on the same server
  same GUI and look and feel across applications
Supported Platforms: OmniVista 3600 Air Manager
Wireless Network Management Platform
Hardware
  2 servers to support the OV3600 applications (OV3600-HWPRO, OV3600-HWENT)
Software
  Centralized network management (Network Discovery, Firmware distribution, Real-time and historical trend reports)
  Granular administrative access (Role-based, Network segment based)
  Rogue Access Point Detection and Classification
  Display of location information for all wireless users and devices
  Up-to-date heatmaps and channel maps for RF diagnostics
Summary: The Alcatel-Lucent WLAN solution
Delivering business benefits…
  mobility
  location tracking
  converged communication services
…by meeting the Wireless LAN challenges
  management
  security
  availability
  convergence services
Best-in-class functionality for lowest TCO
  Easy to deploy
  Easy to secure
  Easy to manage
  Easy to scale
  Easy to add voice
2. Wireless Basic
Wireless LAN Overview
A wireless LAN is a network that, instead of the twisted-pair or coaxial cable a wired LAN uses to carry its signals, uses high-frequency radio waves (Radio Frequency) or infrared and takes the air as its communication channel.
Various products exist for transmitting data this way, but taking range, performance and security into account, spread-spectrum wireless LAN using the ISM and UNII bands is the most widespread.
Because it gives users high mobility and convenience, ease of deployment and scalability, it is widely used to complement or replace the existing LAN in order to raise efficiency and productivity.
ISM and UNII Spectra
International standardization: since October 1990 the IEEE 802.11 committee has been standardizing the wireless medium access control and physical layer specifications in line with the OSI reference model.
Wireless LAN Standards (802.11 a/b/g)
Protocol | 802.11 | 802.11a | 802.11b | 802.11g
Frequency band | 2.4 GHz | 5 GHz | 2.4 GHz | 2.4 GHz
Maximum data rate | 1, 2 Mbps | 54 Mbps | 11 Mbps | 54 Mbps
Modulation | FHSS, DSSS | OFDM | DSSS | OFDM
Actual maximum data rate | 1.2 Mbps | 25 Mbps | 5 Mbps | 20 Mbps
Average transmission range | 100 m | 70 m | 100 m | 100 m
Encryption | Yes | Yes | Yes | Yes
Encryption type | 40 bit RC4 | 40 bit, 104 bit RC4 | 40 bit, 104 bit RC4 | 40 bit, 104 bit RC4
Authentication | No | 802.1X | 802.1X | 802.1X
Other | | | |
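Wireless LAN Standards (802.11n)
SISO -> MIMO
  SISO (Single Input Single Output) is replaced by MIMO (Multiple Input Multiple Output) multi-antenna transmit/receive technology, which raises data transmit/receive efficiency; MIMO smart antennas minimize noise and adjust the path for smooth data transmission.
MAC with improved efficiency
  Actual data throughput is brought close to the physical-layer rate, guaranteeing users at least 100 Mbps (maximum 600 Mbps).
  In existing systems, to make communication reliable, the sender must wait for an acknowledgement (ACK) packet from the access point every time it sends a packet. In addition, to allocate transmit rights fairly, a wireless LAN station that wants to keep sending packets cannot send the next packet unless it waits a fixed time after receiving the ACK. 802.11n uses a frame aggregation (Focusing) function to minimize how often ACKs are needed and to maximize efficiency.
Longer transmit/receive range through multiple antennas and advanced coding
  The reachable range is extended while a constant wireless speed is maintained (about 3 times the current range).
Standardization is expected to be completed in 2010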
Wireless LAN Standards (802.11n)
Protocol | 802.11n | 802.11n
Frequency band | 5 GHz | 2.4 GHz
Maximum data rate | approx. 600 Mbps | approx. 300 Mbps
Modulation | MIMO & improved OFDM | MIMO & improved OFDM
Actual maximum data rate | 300 Mbps or more | 150 Mbps or more
Average transmission range | approx. 210 m | approx. 300 m
Encryption | Yes | Yes
Encryption type | 40 bit, 104 bit, 152 bit, RC4 | 40 bit, 104 bit, 152 bit, RC4
Authentication | 802.1X | 802.1X
Other | |
Wireless LAN Security Technologies
[Diagram: WLAN security mechanisms arranged on a scale labelled "Not Secure", "Authentication server" and "Most secure", in three rows: Authentication, Encryption, etc]
Labels shown: WPA, Open, PEAP, EAP-TTLS, EAP-TLS, EAP-MD5, MAC Authentication, Shared Key, TKIP, Dynamic WEP, Static WEP, AES, MAC Filtering, SSID Disabled, Default
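Extensible Authentication Protocol (EAP) Authentication Types [Comparison Table]
Topic | EAP-MD5 | EAP-TLS | EAP-TTLS | PEAP | LEAP
Security standard | International standard | International standard | International standard | International standard | Cisco only
User certificate | N/A | Required | Not required | Not required | N/A
Server certificate | N/A | Required | Required | Required | N/A
Credential security | None | Strong | Strong | Strong | Weak
Supported authentication databases | Plaintext-based database | Active Directory | Active Directory, NT Domains, Token, SQL, LDAP | Active Directory, NT Domains, Token, SQL, LDAP | Active Directory, NT Domains
Dynamic key change | Not supported | Supported | Supported | Supported | Supported
Mutual authentication | Not supported | Supported | Supported | Supported | Supported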
Wireless LAN Secure Connection Flow
Participants: STA, AP, RADIUS
IEEE802.11 & 11i
  802.11 Beacon
  802.11 Associate-Request
  802.11 Associate-Response
IEEE802.1X
  EAPOL-Start
  EAP-Request/Identity
  EAP-Response/Identity
  RADIUS-Access-Request
  RADIUS-Access-Challenge
  EAP-Request
  EAP-Response(Credentials)
  RADIUS-Access-Request
  RADIUS-Access-Accept & MS-MPPE(PMK)
  EAP-Success
IEEE802.11i
  EAPOL-Key(P, ANonce)
  EAPOL-Key(P, SNonce, MIC, RSN IE)
  EAPOL-Key(P, ANonce, MIC, RSN IE)
  EAPOL-Key(P, MIC)
  EAPOL-Key(G, Index, GNonce, RSC, MIC, GTK)
  EAPOL-Key(G, MIC)
IEEE802.11aa Access Allowed
WLAN Switch - Multi-Layered Security
Link-Layer Security
Application Security
Wireless Intrusion Protection
Network-Layer Security
Centralized Wireless
[Diagram labels: CORE, DATA CENTER, DISTRIBUTION, FLOOR x, ACCESS; EMPLOYEE, GUEST; WLAN Controller; GRE Tunnel]
AP Communications
1. When the AP is connected to a switch port and powered on, it looks for the controller at the configured IP. (If the AP uses DHCP, it receives its IP from the DHCP server.)
2. The AP receives its boot image (TFTP) from the controller and creates a PAPI (UDP 8211) connection for the control protocol.
3. The AP is authenticated by the WLAN controller, and a GRE tunnel is created between the AP and the controller.
4. All client traffic is sent to the controller encrypted inside the GRE tunnel.
WLAN Switch Operation Flow
1. The client sends an 802.11 association request, which is automatically passed through the AP to the WLAN switch.
2. The WLAN switch replies with an association acknowledgement.
3. The client and the WLAN switch carry out the 802.1x authentication procedure in conjunction with the RADIUS server.
4. The encryption key is passed to the WLAN switch and, once the user's encryption keys have been obtained, encrypted data starts to be sent.
5. Working on the .11 MAC, the WLAN switch decrypts data, processes packets, applies services and forwards packets.
[Diagram labels: RADIUS; Corp Backbone]
Generic Routing Encapsulation (GRE)
GRE packet = Delivery Header (IP packet header) + GRE Header + Payload Packet (original packet)
Delivery Header (32-bit rows, bit positions 0 / 8 / 16 / 31):
  Ver | HL | TOS | Total Length
  Identification | Flags | Fragm. Offset
  TTL | Protocol | Header Checksum
  Src Address
  Dest Address
GRE Header:
  C | Reserved | Protocol Type
  Checksum (opt.) | Reserved1 (opt.)
Payload Packet
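The GRE slide's layout, parsed in code as an added example (not part of the original slides): a Python parser for the IP delivery header and the basic GRE header (C bit, Reserved, Protocol Type, optional Checksum and Reserved1) that verifies the optional checksum and refuses truncated packets or headers that carry more than the basic fields. The function names are hypothetical, and the sample packet, addresses and payload are constructed for illustration.

```python
import socket
import struct

GRE_IP_PROTOCOL = 47  # value of the delivery header's Protocol field for GRE


class GREParseError(ValueError):
    """Raised when the bytes do not form a valid IPv4 + basic GRE packet."""


def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum used by IPv4 and by GRE."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_gre_packet(raw: bytes) -> dict:
    """Split a packet into delivery header, GRE header and payload packet."""
    if len(raw) < 20:
        raise GREParseError("truncated delivery header")
    (ver_hl, _tos, total_len, _ident, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    hl = (ver_hl & 0x0F) * 4  # HL counts 32-bit words
    if ver_hl >> 4 != 4 or hl < 20 or len(raw) < hl:
        raise GREParseError("not a valid IPv4 delivery header")
    if proto != GRE_IP_PROTOCOL:
        raise GREParseError("delivery header does not carry GRE")
    if total_len > len(raw) or total_len < hl + 4:
        raise GREParseError("Total Length inconsistent with captured bytes")
    gre = raw[hl:total_len]
    flags, protocol_type = struct.unpack("!HH", gre[:4])
    if flags & 0x7FFF:
        # Reserved/version bits set: the header has fields beyond the basic
        # layout, so refuse instead of guessing where the payload starts.
        raise GREParseError("reserved or version bits set in GRE header")
    checksum_present = bool(flags & 0x8000)  # the C bit
    payload_offset, checksum_ok = 4, None
    if checksum_present:
        if len(gre) < 8:
            raise GREParseError("C bit set but Checksum/Reserved1 missing")
        payload_offset = 8
        # A correct checksum makes the sum over GRE header + payload come out 0.
        checksum_ok = inet_checksum(gre) == 0
    return {
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "ttl": ttl,
        "delivery_checksum_ok": inet_checksum(raw[:hl]) == 0,
        "checksum_present": checksum_present,
        "checksum_ok": checksum_ok,
        "protocol_type": protocol_type,
        "payload": gre[payload_offset:],
    }


def build_gre_packet(src: str, dst: str, payload: bytes,
                     protocol_type: int = 0x0800,
                     with_checksum: bool = False) -> bytes:
    """Construct a sample packet (test input only, not captured traffic)."""
    if with_checksum:
        gre = struct.pack("!HHHH", 0x8000, protocol_type, 0, 0) + payload
        gre = gre[:4] + struct.pack("!H", inet_checksum(gre)) + gre[6:]
    else:
        gre = struct.pack("!HH", 0, protocol_type) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre), 0x1234, 0, 64,
                      GRE_IP_PROTOCOL, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + gre


if __name__ == "__main__":
    # Constructed sample: 10.0.0.10 -> 10.0.0.1 carrying a 15-byte payload.
    pkt = build_gre_packet("10.0.0.10", "10.0.0.1", b"inner-ip-packet",
                           with_checksum=True)
    print(parse_gre_packet(pkt))
```
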
Radio Distance
44 ft = 14 m
90 ft = 27 m
134 ft = 40 m
11 (b) /54 (a/g) Mbps
5.5 (b) /48 (a/g) Mbps
2 (b) /36 (a/g) Mbps
3. CLI Configuration Overview
CLI Configuration Overview
The OAW switch supports configuration through the CLI and the GUI (Web)
CLI access methods
  Local serial interface
  Remote Telnet or SSH session
GUI access methods
  Remote web browser
  Internet Explorer and Netscape/Firefox are supported
The CLI consists of three modes
  User
  Enable or Privileged
  Configure
CLI Access
In the default state, access is possible through the serial console or SSH
Serial
  Cisco-compatible RJ-45 serial cable
  9600, N, 8, 1, No flow control
SSH
  Version 2
  Password based
The following setting is required to allow Telnet access
(Alcatel 4324) (config) #telnet cli
CLI User Mode
Prompt in User mode ( > )
(Alcatel 4324) >
Basic utilities (Ping, Traceroute, etc) can be used
The following are not available in User mode
  Display or changing of any info that might be a security risk, such as ACLs, Policies, SNMP, IP addressing, etc.
  Entry into Configuration mode
  – Must enter Enable mode first
The “enable” command switches to Enable mode
CLI Enable Mode
Prompt in Enable mode (#)
(Alcatel 4324) #
All configuration information can be displayed
Configuration mode can be entered
The “configure terminal” command switches to Configuration mode
The “exit” command returns to User mode
CLI Configuration Mode
Prompt in Configuration mode “(config) #”
(Alcatel 4324) (config) #
In this state the user can configure the OAW switch
Configuration mode can be entered only from Enable mode
^Z or the “exit” command returns to Enable mode
Commands entered are applied to the running config immediately
A command is needed to save the config to startup (NVRAM)
(Alcatel 4324) (config) # copy running-config startup-config
CLI Feature Overview
Command completion: the <TAB> key completes a command
Context-sensitive help: the “?” command shows the commands that can be used next
(Alcatel 4324) #cl?
clear Clear configuration
clock Configure the system clock
(Alcatel 4324) #clock ?
set Set the time and date
CLI Feature Overview
Commands to view the configuration
(Alcatel 4324) #show running-config
(Alcatel 4324) #show startup-config
The following options can be used when displaying the configuration
(Alcatel 4324) #show running-config | ?
begin Begin with the Line that matches
exclude Exclude Lines that match
include Include Lines that match
Command to delete the switch configuration
(Alcatel 4324) #write erase all
All the configuration will be deleted. Press 'y' to proceed :y
Write Erase successful
write erase: deletes only the entire configuration
write erase all: deletes the entire configuration and the registered licenses as well
OmniAccess File System
256MB of Flash (varies by model)
Divided into 3 partitions
  2 system partitions (45MB each)
  1 user partition (165MB)
System partitions
  Hold system software
  2 copies - Active and Backup
User partition
  Holds everything else
  Startup config
  Databases
  Log files
File System Commands
File system commands
Dir: lists the files in the flash file system
Delete: deletes a file from the flash file system
Copy: the copy command can be used in Enable or Config mode
(Alcatel 4324) #copy [source] [destination]
Source and Destination can be:
– flash:
– ftp:
– Log
– running-config
– startup-config
– system:
– tftp:
CLI Copy Command
Command to back up the running configuration to a TFTP server
(Alcatel 4324) #copy running-config tftp: 172.16.1.50 2400.cfg
Saved Configuration
Rebooting the OmniAccess Switch
The switch can be rebooted with the ‘reload’ command (Enable mode)
(Alcatel 4324) #reload
Do you want to save the configuration(y/n): y
Saving Configuration...
Saved Configuration
Do you really want to reset the system(y/n): y
System will now restart!
Port Naming Conventions
Port type format in the CLI: <port type> <slot number>/<port number>
  “FastEthernet” - 10/100 Ethernet port
  “GigabitEthernet” - Gigabit Ethernet port
Exception
  “port-channel” - Etherchannel - port-channel <#>
4. GUI Configuration Overview
GUI (Web) Management Access
After the initial setup, all system management can be done through the GUI
The GUI allows monitoring of changes in wireless information and configuration of the wireless setup
GUI Access
Once the initial configuration is complete, the GUI can be reached with a web browser
http://switchip
https://switchip:4343
Monitoring / Network Summary Screen
Configuration / Wireless Screen
Diagnostics / Network Screen
Maintenance / Switch Screen
Plan Screen
Events & Reports Screen
5. Basic System Setup
Initial Setup Dialog
At first boot (or after the config has been reset), the switch presents an initial setup dialog in which the basic switch parameters can be set
The initial setup is available only from the serial console
The initial setup cannot be skipped
***************** Welcome to the OAW-4308 setup dialog *****************
This dialog will help you to set the basic configuration for the switch.
These settings, except for the Country Code, can later be changed from the
Command Line Interface or Graphical User Interface.
Commands: <Enter> Submit input or use [default value], <ctrl-I> Help
<ctrl-B> Back, <ctrl-F> Forward, <ctrl-A> Line begin, <ctrl-E> Line end
<ctrl-D> Delete, <BackSpace> Delete back, <ctrl-K> Delete to end of line
<ctrl-P> Previous question <ctrl-X> Restart beginning
Enter system name [Alcatel 4324]:
The hostname is used as the CLI prompt and as the SNMP system name. The GUI and the Captive Portal display this hostname
Enter VLAN 1 interface IP address [172.16.0.254]:
Sets the interface IP address for the switch's default VLAN
Enter VLAN 1 interface subnet mask [255.255.255.0]:
Sets the VLAN interface subnet mask
Enter IP Default gateway [none]:
Sets the switch's default route (the IP of the uplink router)
Enter Switch Role, (master|local) [master]:
Sets the switch role. Select master for a single-switch network; select local if the switch is being added to an existing network.
Initial Setup Dialog
Enter country code (ISO-3166), <ctrl-I> for supported list:
Sets the country code for the country where the switch is used. For Korea, set "KR"
Enter password for admin login (up to 32 chars):
Sets the password for "admin"
Enter password for enable mode (up to 15 chars):
Sets the password for enable mode
Do you wish to shutdown all the ports (yes|no)? [no]:
Sets whether all ports are shut down by default
Initial Setup Dialog
Current choices are:
System name: OAW-4324
VLAN 1 interface IP address: 172.16.12.2
VLAN 1 interface subnet mask: 255.255.255.0
IP Default gateway: 172.16.12.1
Switch Role: master
Country code: KR
Ports shutdown: no
If you accept the changes the switch will restart!
Type <ctrl-P> to go back and change answer for any question
Do you wish to accept the changes (yes|no)
After the basic config is confirmed, the switch reboots and loads with that basic config
Initial Setup Dialog
Set the date/time manually in enable mode
(Alcatel 4324) #clock set <year> <month> <day> <hour> <minute> <seconds>
NTP Server
(Alcatel 4324) (config) # ntp server x.x.x.x
The timezone & DST can be set in config mode
(Alcatel 4324) (config) # clock timezone PST -8
(Alcatel 4324) (config) #clock summer-time PDT recurring first sunday april 02:00 last sunday october 02:00 -7
Setting Date and Time
The system contact is shown in SNMP queries and on the GUI login page
(Alcatel 4324) (config) # syscontact "John Smith x1234"
Setting System Contact
Register a software module with the "license add" command
(Alcatel 4324) (config) # license add xxxxxx-xxxxxx-xxxxx-xxxxx-xxxx
A reload is always required after "license add"
Additional S/W Module License
SNMP, SYSLOG, and user administration can be configured in the GUI at:
Configuration/Management
Switch Management Configuration
Roles can be set for management users
Configuration/Management/Administration
Access Control
VLANs can also be configured through the GUI
Configuration/Network/VLAN
VLANs can be:
Created
Deleted
Add L3 VLAN Interfaces
Assign DHCP Helper addresses
In the CLI:
(Alcatel 4324) (config) #vlan 10
(Alcatel 4324) (config) #interface vlan 10
(Alcatel 4324) (config-subif)#ip address x.x.x.x <mask>
(Alcatel 4324) (config) #interface FastEthernet 1/0
(Alcatel 4324) (config-if) #switchport access vlan 10
Vlan Configuration
Vlan Configuration
Ports can also be configured through the GUI
Configuration/Switch/Port
One or more ports can be selected and:
Enabled or disabled
Assigned to VLANs
Made trusted or untrusted
Enable 802.3af POE (default) or Cisco POE
Assign a Firewall Policy (not used for AP connectivity)
Made an 802.1q trunk port
When using the GUI, always click "Apply" after making changes to push the changed commands to the switch, and click the "Save Configuration" button to save the current running config to the startup config
Port Configuration
Port Configuration
Port mirroring can be configured only through the CLI
(Alcatel 4324) (config) #interface fastethernet 1/22
(Alcatel 4324) (config-if)#port monitor fastethernet 1/0
With the configuration above, all traffic on 1/0 is copied to 1/22
Port Mirroring
Two modes:
External DHCP Server (recommended)
  DHCP Relay (Helper Address)
  Configured on a per-VLAN basis at: Configuration/Network/VLAN
Internal DHCP Server
  Configured via: Configuration/Network/IP/DHCP Server
  Configured independently of VLANs - Subnet will match VLAN to DHCP scope
  Recommend naming scope after VLAN - ie "vlan-4"
  Must assign a complete subnet, then exclude ranges of addresses
DHCP Configuration
DHCP Configuration
In the GUI, a profile for the ESSID must first be created at the following path
Configuration/Advanced Services/All Profile Management/Wireless LAN
ESSID Configuration
AP Provisioning
AOS-W <3.0
Location code (1-256).(1-256).(1-163
bldg . floor . location
Controller configuration
ap location 0.0.0 All APs
ap location 2.3.0 Bldg 2, floor 3 APs
ap location 2.3.6 Bldg 2, floor 3, AP 6
AOS-W 3.0
ap-name "can be set using 63 or more English letters + digits"
ap-group "can be set using 63 or more English letters + digits"
All controller config done through “ap-group” and “ap-name” statements
Initial AP default values
ap-name == AP wired MAC address
ap-group == "default"
Each AP must be configured to belong to the ap-group that is in use
AP Provisioning
AP Provisioning
Radio Configuration
Configuration/Advanced Services/All Profile Management/RF Management
By default, all ports on the switch run STP & RSTP spanning tree in Vlan1
Spanning tree can be modified globally through the GUI at: Configuration/Network/Switch
To disable spanning tree in the CLI:
Globally:
(Alcatel 4324) (config) #no spanning-tree
On a per-interface basis:
(Alcatel 4324) (config) #interface fastethernet 1/0
(Alcatel 4324) (config-if)#no spanning-tree
Spanning Tree
With the OS change from 2.5 to 3.0, configuration of wireless functions changed to a profile-based format
Configuration works by applying the created profiles in AP Configuration
Create the profiles for each function in the GUI at Configuration/Advanced Services/All Profile Management
Then assign the profiles created in All Profile Management in the GUI at Configuration/AP Group
Profile Configuration
[Diagram labels: ap-group, ap-name, ap, rf, wlan, qos, ids, virtual-ap, ssid-profile, aaa-profile, dot1x auth, mac auth]
Profile Hierarchy
6. AP Configuration
There are two ways for APs to connect to the switch
Direct Attach
  The AP physically plugs into the Alcatel Switch.
  Power and Serial over Ethernet are available with this setup.
Indirect Attach
  The AP physically plugs into some other network device (switch or router) with L2 or L3 connectivity back to the Alcatel Switch.
  Power over Ethernet is available if the network device attached to the AP supports it.
  Serial over Ethernet is not supported.
AP Connectivity
An AP needs the following information at boot
  IP Address, Netmask, Default Gateway
  Location ID
  IP Address of Alcatel WLAN Switch
There are two ways to configure an AP
Static
  All parameters manually configured
Dynamic
  AP only configured with a location ID (optional on first boot)
AP Boot Sequence
1. At boot, the AP loads its stored settings from the bootrom
2. The AP sends a message with its location ID to the OAW switch
3. The AP sends a TFTP request to the OAW switch and downloads the OS image
4. The OAW switch controls the AP based on the AP's location ID
5. A GRE tunnel is created between the AP and the OAW switch
AP Static Boot Sequence
1. At boot, the AP loads the location ID from the bootrom
2. The AP sends a DHCP request for an IP address
3. If it receives a DHCP response that contains vendor option 43 (masterip), the AP uses this as the Master IP address
4. If it receives a DHCP response without the vendor option, the AP sends an "ADP" packet to the multicast group address 224.0.82.11
5. If there is no response to the multicast ADP, the AP sends the "ADP" packet as an L2/L3 broadcast (configure Master OAW Switch as a DHCP helper recipient)
6. If there is still no response, the AP sends a DNS query ("alcatel-master.domain.com") to the configured DNS server, the domain being the one given by DHCP, and uses the answer as the Master IP address
7. Once the AP's Master IP address is determined, booting continues from Step 2 of the static config sequence
AP Dynamic Boot Sequence
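The fallback order in steps 3 to 6 above, written out as an added Python example (not Alcatel-Lucent code) that parses a DHCP option blob and reports which source supplied the Master IP, which is the detail to record when an AP joins an unexpected switch. Assumptions: option 43 carries the address as ASCII text, the DNS domain comes from DHCP option 15, ADP replies are passed in already decoded, and all function names are hypothetical.

```python
import ipaddress

MASTER_DNS_LABEL = "alcatel-master"  # host label from the slide


def parse_dhcp_options(raw):
    """Parse DHCP option TLVs (RFC 2132): code, length, value; 0 = pad, 255 = end."""
    opts, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if code == 0:                      # pad byte carries no length
            i += 1
            continue
        if code == 255:                    # end of options
            break
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d is truncated" % code)
        opts[code] = opts.get(code, b"") + value   # a repeated option is concatenated
        i += 2 + length
    return opts


def valid_ipv4(text):
    """Return the dotted-quad string if text is a valid IPv4 address, else None."""
    try:
        return str(ipaddress.IPv4Address(text))
    except ValueError:
        return None


def discover_master(dhcp_raw, adp_multicast=None, adp_broadcast=None, dns_lookup=None):
    """Apply steps 3-6 in order and return (master_ip, method_that_supplied_it)."""
    opts = parse_dhcp_options(dhcp_raw)
    # Step 3. ASSUMPTION: option 43 carries the master IP as ASCII text.
    ip = valid_ipv4(opts.get(43, b"").decode("ascii", "replace").strip())
    if ip:
        return ip, "dhcp-option-43"
    # Steps 4 and 5: an ADP answer, multicast (224.0.82.11) before broadcast.
    for reply, method in ((adp_multicast, "adp-multicast"), (adp_broadcast, "adp-broadcast")):
        ip = valid_ipv4(reply or "")
        if ip:
            return ip, method
    # Step 6: DNS name built from the label and the DHCP domain (option 15, assumed).
    domain = opts.get(15, b"").decode("ascii", "replace").strip(". ")
    if dns_lookup and domain:
        ip = valid_ipv4(dns_lookup(MASTER_DNS_LABEL + "." + domain) or "")
        if ip:
            return ip, "dns"
    return None, "none"


def build_options(pairs):
    """Encode (code, value) pairs as an option blob for the constructed samples."""
    return b"".join(bytes([c, len(v)]) + v for c, v in pairs) + b"\xff"

# Constructed DHCP option blobs (not captured traffic); addresses reuse the slide's samples.
BASE = [(1, bytes([255, 255, 255, 0])), (3, bytes([172, 16, 12, 1])), (15, b"example.com")]
OFFER_WITH_43 = build_options(BASE + [(43, b"172.16.12.2")])
OFFER_PLAIN = build_options(BASE)
OFFER_BAD_43 = build_options(BASE + [(43, b"not-an-ip")])
```

A malformed option 43 (`OFFER_BAD_43`) does not stop discovery; the function falls through to the later steps, so the returned method name shows which mechanism actually decided the master.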
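AP configuration uses one of two methods, depending on whether it is done before or after the AP connects to the switch
After the AP is connected to the switch: it can be configured from the GUI
Before the AP is connected to the switch: if the AP is attached directly to the OAW switch, it can be configured using SOE (Serial over Ethernet)
It can also be configured through the serial port using an SPOE adapter (AP console)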
AP Configuration
SPOE adapter (AP console) Pin-out
GUI "Re"provision
If an AP is connected to the network without a configuration, it appears on the OAW switch under "Unprovisioned Alcatel AP"; selecting that AP opens the Reprovision menu, where its config can be edited
Post-deployment Method
Unprovisioned AP
Provisioning the AP
SOE configuration
Enable SOE from the OAW switch CLI
(Alcatel 4234) # configure terminal
(Alcatel 4234) (config)# telnet soe
Telnet to the switch IP on port 2300; if the AP is connected to port 1/0 on the switch, enter connect 1/0
telnet x.x.x.x 2300
Pre-deployment Configuration
After connecting to the AP CLI, reboot the AP and press Enter at the stop autoboot screen to boot into bootrom mode
Commands:
printenv
– Displays the current settings
setenv variable <value>
– Sets specific values with setenv (e.g. ip, netmask, etc.)
save
– Saves the configuration to the AP flash
boot
– Boots the AP
AP CLI
Dynamic AP configuration requires only the location setting
setenv location x.x.x
save
Static AP configuration:
setenv ipaddr x.x.x.x
setenv netmask x.x.x.x
setenv gatewayip x.x.x.x
setenv serverip x.x.x.x
setenv master x.x.x.x
setenv name xxxxxxx
setenv group xxxxxxx
save
AP CLI
Resetting the AP configuration: AP boot mode
purge
save
reset
From the CLI:
From the GUI: Monitoring/Network/All Access Points
Monitoring/Network/All Air Monitors
Verifying AP/AP Configuration
7. Managing System Images
To backup the system:
Config file
(Alcatel 4324) #copy running-config tftp: x.x.x.x filename
WMS database
(Alcatel 4324) #wms export-db wms.db
(Alcatel 4324) #copy flash: wms.db tftp: x.x.x.x filename
(Alcatel 4324) #local-userdb export-db user.db
(Alcatel 4324) #copy flash: user.db tftp: x.x.x.x filename
RF Plan
Plan/Building List/Export…
System Backup
To restore the system:
Databases
(Alcatel 4324) #copy tftp: x.x.x.x filename flash: wms.db
(Alcatel 4324) #wms import-db wms.db
(Alcatel 4324) #copy tftp: x.x.x.x filename flash: user.db
(Alcatel 4324) #local-userdb import-db user.db
Config file
(Alcatel 4324) #copy tftp: x.x.x.x filename flash: default.bak
(Alcatel 4324) #copy flash: default.bak flash: default.cfg
RF Plan
Plan/Building List/Import…
Reload
System Restore
GUI Backup/Restore
System image upgrade through the CLI
IP connectivity to the TFTP server is required
An IP interface must be configured on a VLAN
The switch must be able to ping the TFTP server IP
To minimize the impact on the running system, the switch uses two system image partitions
Active
Backup
Adding System Images
Step 1: Check the active partition
Adding System Images
Step 2: Copy new image
Step 3: Default Boot 변경
([OAW4308]) #boot system partition 0
Step 4 : Reload
(Alcatel 4324) #copy tftp: 172.16.1.50 image_file_name system: partition 0Upgrading partition 0....................................................................................................................................................................................................................................................................Copied image successfully.The system will boot from partition 1 during the next reboot.
Adding System Images
8. Basic Configuration Sample
Sample All Open configuration with no authentication or encryption
Step 1 : Configuration/Advanced Services/All Profile Management
Profile Configuration Sample
Step 2 : AAA Profile -> enter a new AAA profile name, then Add
Profile Configuration Sample
Step 3 : Select the newly created test-open; its default profile is displayed
Step 4 : For Initial role, select default-vpn-role, which is an allow-all role, then click Apply
Profile Configuration Sample
Step 5 : SSID Profile -> enter a new SSID profile name, then Add
Step 6 : Select the newly created test-ssid, enter the SSID that will actually be used, then click Apply
Profile Configuration Sample
Step 7 : Virtual AP Profile -> enter a new Virtual AP profile name, then Add
Step 8 : Select the configured Virtual AP Profile; the SSID & AAA Profile settings appear
Profile Configuration Sample
Step 9 : Virtual AP Profile -> SSID Profile: select the previously created SSID Profile, then click Apply
Profile Configuration Sample
Step 10 : Virtual AP Profile -> AAA Profile: select the previously created AAA Profile, then click Apply
This completes the profile configuration, but it has not yet been applied to any AP
Profile Configuration Sample
[ Note ] When the WLAN switches are redundant and the APs use LMS and B-LMS, an AP System Profile must be created as shown below
Profile Configuration Sample
Step 11 : In Configuration -> Wireless -> AP Configuration, select New, enter a new AP Configuration name, then Add
Step 12 : Select Edit on the created AP Configuration; the same menu as the one configured earlier under All Profiles is displayed, as shown below
Profile Configuration Sample
Step 13 : Select Wireless LAN -> Virtual AP, choose the previously created Virtual AP Profile, select Add, then Apply
Step 14 : Confirm that the settings made under All Profiles are applied as they are
Profile Configuration Sample
Step 15 : All APs belong to the default AP-Group, so they must be moved to the newly created AP-Group. Wireless -> AP Installation -> Provisioning
Step 16 : Select the AP, click Provision, then select the AP-Group.
Profile Configuration Sample
Step 17 : Do a final check of the AP configuration, then select Apply and Reboot.
Profile Configuration Sample
Step 18 : From a PC, try connecting to the SSID as a final check of the configuration.
Profile Configuration Sample
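- Starting from the basic configuration in the previous section, the authentication server part needs to be modified.
Step 1 : In Advanced Services > All Profile Management > Wireless LAN -> RADIUS Server, enter a RADIUS name and select Add.
Profile Configuration Sample [ Settings for integration with an external authentication server ]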
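Step 2 : Select the newly created name and enter the detailed authentication server information.
The authentication server's IP, the authentication key, and the authentication port number must match between the authentication server and the WLAN switch.
Profile Configuration Sample [ Settings for integration with an external authentication server ]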
Step 3 : In Advanced Services > All Profile Management > Wireless LAN -> Server Group, enter a new name and select Add. Select the created Server Group, assign the previously defined RADIUS server, and Apply.
Profile Configuration Sample [ Settings for integration with an external authentication server ]
Step 4 : Check the Default 802.1x Profile under 802.1X Authentication Profile. The default values can be used as they are.
Profile Configuration Sample [ Settings for integration with an external authentication server ]
Step 5 : Go to AAA Profile, create a new profile, and select it. In that profile, set the role that users receive after authentication under 802.1X Authentication Default Role.
Profile Configuration Sample [ Settings for integration with an external authentication server ]
Step 6 : Select the previously defined items below, in order.
802.1X Authentication Profile -> Default
802.1X Authentication Server Group -> Radius
RADIUS Accounting Server Group -> Radius
Profile Configuration Sample [ Settings for integration with an external authentication server ]
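Step 7 : Go to SSID Profile and set the SSID and the encryption method to use for 802.1x authentication. With 802.1x, Open cannot be configured; encryption must be set. Encryption is a setting between the user's wireless client and the AP, so check that the user's client supports the chosen method.
Profile Configuration Sample [ Settings for integration with an external authentication server ]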
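Step 8 : Go to Virtual AP profile and assign the previously created profiles under SSID & AAA Profile. The remaining settings proceed the same way as in the basic configuration.
Profile Configuration Sample [ Settings for integration with an external authentication server ]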
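The two walkthroughs above build a reference chain (AP -> ap-group -> virtual AP -> SSID profile and AAA profile -> server group -> RADIUS server) and state three constraints: 802.1X cannot be used with an Open SSID, profiles have no effect until an AP is provisioned into the group that carries them, and APs start in the default group. The following added Python example (not AOS-W code or syntax) checks a profile set against those points; the dictionary layout, key names, the `logon` role, the profile names and the RADIUS address are hypothetical.

```python
ALLOW_ALL_ROLE = "default-vpn-role"  # named on the slides as the allow-all role


def audit_profiles(cfg):
    """Check a profile set against the constraints stated in the two walkthroughs."""
    findings = []
    ssids, aaas = cfg["ssid_profiles"], cfg["aaa_profiles"]
    groups, radius = cfg["server_groups"], cfg["radius_servers"]
    # A server group may only list RADIUS servers that were defined first.
    for name, members in groups.items():
        for server in members:
            if server not in radius:
                findings.append(("server-group", name, "undefined RADIUS server " + server))
    for name, vap in cfg["virtual_aps"].items():
        ssid = ssids.get(vap["ssid_profile"])
        aaa = aaas.get(vap["aaa_profile"])
        if ssid is None or aaa is None:
            findings.append(("virtual-ap", name, "references a profile that does not exist"))
            continue
        sg = aaa.get("dot1x_server_group")
        if sg is not None and sg not in groups:
            findings.append(("virtual-ap", name, "802.1X server group is not defined"))
        if sg is not None and ssid["encryption"] == "open":
            findings.append(("virtual-ap", name, "802.1X requires encryption, SSID is open"))
        if sg is None and ssid["encryption"] == "open" and aaa["initial_role"] == ALLOW_ALL_ROLE:
            findings.append(("virtual-ap", name, "open SSID with allow-all initial role"))
    for name, vaps in cfg["ap_groups"].items():
        for vap in vaps:
            if vap not in cfg["virtual_aps"]:
                findings.append(("ap-group", name, "undefined virtual AP " + vap))
    # Profiles only take effect once an AP is provisioned into the group that carries them.
    for ap, group in cfg["aps"].items():
        if group not in cfg["ap_groups"]:
            findings.append(("ap", ap, "ap-group " + group + " is not defined"))
        elif not cfg["ap_groups"][group]:
            findings.append(("ap", ap, "ap-group " + group + " has no virtual AP"))
    return findings


# Constructed sample (hypothetical layout); AP2 was never moved out of the default group.
SAMPLE = {
    "radius_servers": {"radius1": {"host": "10.10.10.50", "port": 1812}},
    "server_groups": {"Radius": ["radius1"]},
    "aaa_profiles": {
        "test-open": {"initial_role": ALLOW_ALL_ROLE, "dot1x_server_group": None},
        "test-dot1x": {"initial_role": "logon", "dot1x_server_group": "Radius"},
    },
    "ssid_profiles": {
        "test-ssid": {"essid": "Test10", "encryption": "open"},
        "test-ssid-1x": {"essid": "Test20", "encryption": "open"},  # deliberate mistake
    },
    "virtual_aps": {
        "vap-open": {"ssid_profile": "test-ssid", "aaa_profile": "test-open"},
        "vap-1x": {"ssid_profile": "test-ssid-1x", "aaa_profile": "test-dot1x"},
    },
    "ap_groups": {"default": [], "test-group": ["vap-open", "vap-1x"]},
    "aps": {"AP1": "test-group", "AP2": "default"},
}
```

The open, allow-all finding is reported rather than treated as an error, since the first walkthrough configures exactly that on purpose; the audit makes sure it is a deliberate choice and not a leftover.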
9. Lab : Basic System Configuration
WLAN Switch
AP1
Vlan 1 10.10.10.2/24
10.3
Lab Diagram - 1
Open configuration with no separate authentication
SSID : Test10
Backbone
vlan 1 10.10.10.1/24
Backbone
vlan 10 10.10.10.1/24
vlan 20 10.10.20.1/24
vlan 30 10.10.30.1/24
WLAN Switch
OS6600-P24
AP1
AP2
Vlan 10 10.10.10.2/24
vlan 20 10.10.20.2/24
10.3
Vlan 30 10.10.30.2/24
30.3
Lab Diagram - 2
Open configuration with no separate authentication
Configure 802.1q between the backbone and the WLAN switch so that vlan10 and vlan20 are both usable
Create two SSIDs; Test10 must use the vlan10 network and Test20 the vlan20 network
Verify that clients connected to each AP can communicate with each other
802.1q
V10, 20
SSID : Test10
SSID : Test20
Backbone
vlan 10 10.10.10.1/24
vlan 20 10.10.20.1/24
WLAN#1
PoE
AP1
APs
10.11 ssid test-1
Vlan 20 10.10.20.2/24
20.x
Lab Diagram - 3
Open configuration with no separate authentication
Configure 802.1q between the backbone and the WLAN switch so that vlan10 and vlan20 are both usable
Create two SSIDs; Test10 must use the vlan10 network and Test20 the vlan20 network
Verify that clients connected to each AP can communicate with each other
WLAN#2
WLAN#3
WLAN#4
10.12 ssid test-2
10.12 ssid test-3
10.14 ssid test-4
www.alcatel-lucent.com