WLAN 3.x Training - OAW Products
Alcatel-Lucent - Enterprise Solutions Division

Agenda
1. Products Overview
2. Wireless Basic
3. CLI Configuration Overview
4. GUI Configuration Overview
5. Basic System Setup
6. AP Configuration
7. Managing System Images
8. Basic Configuration Sample
9. Lab: Basic System Configuration

2 | Presentation Title | Month 2009 | All Rights Reserved © Alcatel-Lucent 2009

1. Products Overview

Why Alcatel-Lucent
• Complete communication solutions provider
• Market leadership in key data, voice, video and fixed-mobile convergence technologies
• Turnkey solutions; over 500,000 customers; presence in over 130 countries
• #1 in broadband, switching, optics, satellite, telecom, submarine, ...
[Figure: business areas - data/IP, broadband, invoice, satellite, outsourcing, optical, submarine]

What Can Alcatel-Lucent Enterprise Solutions Do For You?
• Build the IP Communications House: Communications Applications, Voice over IP, IP Network Infrastructure

Alcatel-Lucent EBG Product Portfolio
[Figure: product matrix by layer (Core Layer / Large Scale, Distributed Layer / Medium Scale, Access Layer / Small Scale, Router (WAN)); the layer assignment of each product is not recoverable from the slide text]
• IP Networking: OmniSwitch 9800/9700, OmniSwitch 9600, OmniSwitch 7800, OmniSwitch 7700, OmniSwitch 6855, OmniSwitch 6850/6850Lite, OmniSwitch 6600/6602, OmniSwitch 6400, OmniStack 6200, 7750/7450 router (WAN)
• WLAN: OAW 6000s/SUP-III, OAW 4x04, OAW 4324/08/04, OAW-AP 4x/6x/70/12x/85
• VoIP: OmniPCX Enterprise, OmniPCX Office, OmniAccess 780, OmniAccess 740, OmniAccess 720s, IP Phone
• Management: OmniVista 2500
• Mobile security and management: NAC, Brick Family (Firewall/VPN), Vital Suite/QIP (Performance Management), Safeguard, Cybergatekeeper, Quarantine Manager, NLG3500

Alcatel-Lucent WLAN Solution: Legacy WLAN solution vs. OmniAccess WLAN solution
• Legacy WLAN solution: separate access points, site survey, packet capture, air monitors, WiFi IDS/IPS, WLAN switches, captive portal, VPN concentrator, LAN-speed firewall, QoS devices
• OmniAccess WLAN solution: access points plus WLAN switches/blades, giving an integrated total solution, improved security, easy expansion, rich feature support, convenient management, easy installation and reduced investment cost

Features of the OmniAccess Wireless Switches
• WiFi management: Adaptive RF, Packet Capture, Location Tracking, Roaming, SSID Mgmt, RF Fingerprinting
• WiFi security: WiFi IDS/IPS, Rogue AP Defense
• Encryption: WEP, TKIP, AES, 3DES
• Authentication and host integrity check (HIC): MAC, Captive Portal, 802.1x, VPN
• Policy control: User/Flow Stateful FW + Content Inspection re-direction
• Network access control: Service Provisioning, Network Integration
• Traffic management: QoS/Priority/Bandwidth Contracts
• Network services: Routing, VLANs, NAT, DHCP, Switching
• WiFi environment: Radius, LDAP, Active Directory

Alcatel-Lucent WLAN System Introduction: Architecture
• Alcatel-Lucent WLAN Switch: higher performance through Alcatel's own hardware architecture for WLAN; four separate processors, one per function (Wireless Control Processor, Wireless Packet Processor, Wireless Security Processor, Wireless Switching Processor)
• Next-generation Access Point: multi-purpose AP supporting two frequency bands (802.11a, b/g/n); user access and air monitoring; programmable - Linux-based applications can be used (wireless packet capture, location); easy installation - auto-configuration through the Alcatel switch

Alcatel WLAN Switch Product Family
• OmniAccess 6000 WLAN Switches: 4-slot chassis; central management of remote APs from the data center; manages 64 to 2048 APs; 24 10/100 PoE interfaces and 2 GE uplink ports per line card; 2 10GE and 10 1GE per SUP-III; 802.11a/b/g/n
• OmniAccess 4504/4604/4704 Wireless Switches: 4x dual-personality ports 10/100/1000Base-T (RJ-45) or 1000Base-X (SFP); manages 32/64/128 APs; 802.11a/b/g/n
• OmniAccess 4302/4308/4324 Wireless Switches: 0/8/24 10/100 PoE interfaces per device; 1 or 2 Gigabit uplink ports; manages 6/16/48 APs; 802.11b&g and 802.11a/b&g (multimode)

OAW6000 with Sup III
• Capacity: 40x 1000Base-X (SFP); up to 2,048 campus-connected APs; up to 8,192 remote APs; up to 32,768 users
• Performance: 80 Gbps clear (full-duplex); 32 Gbps crypto (3DES, AES-CBC-256); 16 Gbps crypto (AES-CCM)
• Compatibility: up to 4 Sup III per 6000 chassis; supports legacy line cards; requires 400 watt PSU
• All components modular and hot-swappable: fan tray, 8x 10GBase-X (XFP), redundant PSUs, up to 4 M3 modules

OAW 4504, 4604, 4704
• Capacity
  • OAW-4504: up to 32 campus-connected APs, up to 128 remote APs, up to 512 users
  • OAW-4604: up to 64 campus-connected APs, up to 256 remote APs, up to 1,024 users
  • OAW-4704: up to 128 campus-connected APs, up to 512 remote APs, up to 2,048 users
• Performance (OAW-4504 / 4604 / 4704)
  • 1.6 Gbps, 4 Gbps and 8 Gbps crypto performance (3DES, AES-CBC-256)
  • 800 Mbps, 2 Gbps, 4 Gbps crypto performance (AES-CCM)
  • 3 Gbps, 4 Gbps and 4 Gbps wired non-encrypted throughput (full-duplex)
• Interfaces: 4x dual-personality ports 10/100/1000Base-T (RJ-45) or 1000Base-X (SFP); 1x RJ-45 serial console port
• Programmable architecture: multi-core, multi-threaded network processor; dedicated crypto cores
[Figure: front panel - dedicated network processors, dedicated hardware crypto cores, multiple dedicated control processors, 1RU 19" enclosure, serial console port, status LEDs, 4x dual personality ports]

Alcatel-Lucent WLAN Switch Performance
[Figure: positioning chart by deployment size (Branch, Regional, HQ, Large Branch, Medium 802.11n, Large 802.11n) with "pay as you grow" capability. Number-of-AP axis: 4 OAW-4304, 16 OAW-4308, 32 OAW-4504, 48 OAW-4324, 64 OAW-4604, 128 OAW-4704, 256, 512 OAW-6000-512 (Dual Supervisor II), 2048 OAW-6000-2048 (with Supervisor III). Performance axis (clear text / encrypted): 1 Gbps / 200 Mbps, 2 Gbps / 400 Mbps, 6 Gbps / 1.6 Gbps, 8 Gbps / 4 Gbps, 8 Gbps / 8 Gbps, 8 Gbps / 7.2 Gbps, 80 Gbps / 32 Gbps]

Alcatel-Lucent Access Point Introduction (11a/b/g)
• Single-radio APs (OAW-AP60, OAW-AP61): software-configurable 802.11a OR b/g; AP / Air Monitor / Remote AP / Mesh; internal or external antenna options
• Dual-radio APs (OAW-AP70, OAW-AP65, OAW-AP85): dual-radio 802.11a AND b/g; AP / Air Monitor / Remote AP / Mesh; dual Fast Ethernet interfaces (OAW-AP70) for resiliency of the secured RJ-45 port; extensible USB interface port (OAW-AP70); weatherproof, outdoor (OAW-AP85)

Alcatel-Lucent Access Point Introduction (11n)
• 802.11n-ready APs (OAW-AP120 abg, OAW-AP121 abg): single radio 802.11a OR b/g; AP / Air Monitor / Remote AP / Mesh; adaptive PoE (802.3af, PoE+, 802.3at); dual Gigabit Ethernet interfaces (resiliency and secured RJ-45 port); 802.11n SW upgrade for future
• 802.11n MIMO APs (OAW-AP124, OAW-AP125): dual radio pre-802.11n a/n AND b/g/n; 3x3 MIMO, 300 Mbps per radio; AP / Air Monitor / Remote AP / Mesh; adaptive PoE (802.3af, PoE+, 802.3at); dual Gigabit Ethernet interfaces (resiliency and secured RJ-45 port)

Enterprise WLAN: The Business Benefits
• Mobility: enterprise-wide WLAN users, guest access, internal WLAN hotspots, remote / branch office access, small office / home office access
• Location tracking: equipment assets, security
• Converged communication services: converged mobile devices, fixed / mobile convergence

Enterprise WLAN Requirements / Challenges
• Deployment: no disruption of existing network; RF engineering; new infrastructure; network redesign and upgrades
• Management: design and configuration; monitoring; troubleshooting; growth
• Security: authentication and encryption; identity-based security and guest access; rogues, ad-hoc networks, hacks and attacks; firewalling
• Availability: coverage; reliability; mobility; performance
• Convergence: QoS; security; load balancing; voice-aware

Addressing the Management Challenges: Planning, Deploying and Managing
• Simplest RF planning tool
• Zero-touch AP deployment model
• Adaptive radio management
• Real-time coverage maps
• Centralized configuration and monitoring
• Integrated packet capture for easy troubleshooting
• Integrated location tracking

Addressing the Availability Challenges: Reliability, Coverage and Mobility
• VRRP-based redundancy requires no AP provisioning; split-second VRRP failover
• HotStandby APs automatically become aware of the redundant topology when deployed across an L3 boundary
• Modular architecture for scalability
• Remote office connectivity with site-to-site VPN; home office connectivity with remote AP; mobile office connectivity with client VPN
[Figure: Data Center with built-in site-to-site IPSec VPN; Internet; Branch Office; Regional Office with auto-awareness of redundant topology (no priming needed); Remote AP with IPSec VPN; Home Office; Public Hotspot; OAW Client]

Addressing the Security Challenges: Authentication, Authorization and Control
• Integrated stateful firewall
• Role-based access control
• Built-in client integrity
• Centralized 802.11i security
• Built-in AAA services
• L1-L7 wireless IPS
• Direct interface to Microsoft Active Directory
• Built-in rogue detection & containment
[Figure: Wireless Controller holding centralized encryption keys, rights, QoS, VLAN; Active Directory; wired L2 / L3 transport; rogue detection services; Access Point with SSIDs GUEST, CORP, VOICE; rogue AP scan & quarantine via Quarantine Manager; un-trusted users, employees, voice, guest]

Addressing Enterprise Applications Convergence: Services to Meet the Needs of Business
• QoS for application-aware traffic management
• Security to protect the network, users, and remote clients
• Load balancing automatically distributes clients across multiple APs
• Application-aware design allows better management of time-sensitive applications (voice)

Adding VoIP is Easy with OmniAccess Wireless
Bi-directional QoS on the wired and wireless network; a single ESSID for voice & data on the wireless side.
1. Protocol-aware voice flow classification and security: voice flow classification ensures QoS for converged devices with a single SSID for voice and data
2. 802.1p or DSCP prioritized voice packets (wired data packets)
3. Call admission control ensures QoS in the wireless environment and distributes call volume between access points; secures devices that support only MAC auth against spoofing
4. Converged voice and data packet stream with WMM tags
5. RF management stops channel scanning when voice clients are present

OmniAccess Wireless Features and Services: Base Feature Set
OmniAccess WLAN Switch Base Software: Alcatel-Lucent's standard WLAN software provides unprecedented control over the entire wireless environment, offering intelligent, centralized WLAN switching and advanced services. (OmniVista Mobility Manager shown alongside.)
Services included in the base software:
• WLAN switching and dynamic RF management
• Embedded management
• Adaptive Radio resource Management (ARM)
• Authentication - MAC, 802.1x, Captive Portal
• Encryption - WEP, WPA, WPA2 / 802.11i
• Mobility - seamless hand-over - L2/L3
• Rogue access point detection, classification, containment
• Wireless QoS - WMM, SVP, T-Spec, U-APSD
• Per-SSID AAA server selection
• Switch-to-switch IPSec encryption for control traffic

OmniAccess Wireless Features and Services: Additional Hardware and Software Modules
• OmniVista 3600 Mobility Manager / OmniVista Air Manager: centralized visibility of the mobile edge
• Switch-level modules: Policy Enforcement Firewall module; Wireless Intrusion Protection (WIP) module; Voice Service Module; VPN Server Module; Mesh AP License Module; Remote AP License Module; External Services Interface Module; xSec Module

OmniAccess Wireless Features and Services: Policy Enforcement Firewall Module
• User and group policy enforcement through an integrated, ICSA-certified stateful firewall (ICSA certified to the version 4.1 corporate standard)
• Security policies can be centrally defined and enforced on a per-user or per-group basis
• Policies are enforced dynamically, following users as they move and taking into account a variety of metrics such as: 802.1p/DSCP, user location, time-of-day, device type, authentication method
Key benefits:
• Firewall permit/deny/drop/log
• Role-based services for user / group class-of-service differentiation, bandwidth contracts
• QoS - priority traffic queues, BW contracts, traffic marking

OmniAccess Wireless Features and Services: Wireless Intrusion Protection Module
• Patented classification technology that identifies and protects against vulnerabilities and malicious attacks: ad-hoc networks, client and AP impersonation, denial of service attacks, man-in-the-middle attacks
Key benefits:
• Detection of: network probing and DoS attacks, impersonation and man-in-the-middle attacks; unauthorized devices (ad-hoc networks, Windows bridging, wireless bridges)
• Prevention of: clients roaming to unauthorized APs; attempted intrusion
OmniAccess Wireless Features and Services: Mesh AP License Module
[Figure: Mesh Link, Mesh Path, OmniAccess Mesh Point, OmniAccess Mesh Portal, OmniAccess WLAN switch, wire-line network]
• Securely extend the wireless network beyond the reach of wire-line infrastructure
• Mesh Points and Mesh Portals allow seamless, campus-like WLAN connectivity
• Mesh Points support Ethernet bridging over the mesh network
Key benefits:
• Allows coverage of areas such as university campuses, docks, ship yards and warehouses where wires cannot be used
• Consistent services and management model with regular APs
• Survivability - mesh points / mesh portal survive through dynamic L2 routing protocols

OmniAccess Wireless Features and Services: Remote AP License Module
• Securely extend corporate wireless functionality to any location with an Internet connection
• Remote APs allow seamless, corporate-like WLAN connectivity: remote office, home, anywhere a mobile worker chooses to work
Key benefits:
• Remote access point - termination of remotely deployed APs using IPSec transport
• Flexible modes of operation: tunnel mode - all traffic is tunneled to the WLAN switch; local bridging - all traffic is forwarded by the Remote AP at the remote location; split tunneling (requires PEF module) - policy-based forwarding of packets in the tunnel or locally
• Survivability - survives WAN failure with pre-shared key auth/encryption

OmniAccess Wireless Features and Services: External Services Interface Module
• Per-FQDN AAA server selection
• Allows an OmniAccess WLAN switch to communicate with external service devices (Fortinet cluster)
• Supports advanced interaction with the authentication, authorization and accounting (AAA) services infrastructure
Key benefits:
• Choice of AAA server for authentication
• XML API for captive portal (external captive portal server support)
• Content inspection with an external appliance; Fortinet integration
Note: requires that the Policy Enforcement Firewall module is installed

OmniAccess Wireless Features and Services: xSec Module
• Termination of highly secure xSec client sessions
• Link-layer 256-bit AES-CBC encryption with complete header obscuration for highly sensitive environments
• Enables encryption of trunk ports between WLAN switches based on the same strong encryption standard
[Figure: X-Sec Tunnel over Layer 2 connectivity]
Key benefits:
• Client/server xSec: termination of AES layer-2 xSec secure VPN sessions
• Point/point xSec: termination of AES layer-2 xSec secure VPN switch port sessions

Completing the Solution: Benefits of Alcatel-Lucent's Enterprise Portfolio
• End-to-end, highly available, consistent solution: complete set of switching solutions sharing a common feature set, enabling the perfect fit for any need; superior availability for better voice services
• Smart PoE for every need: PoE flavors for all switching needs; dynamic power allocation for maximized efficiency
• Enhanced security: unique support of 802.1x authentication - not recognition but authentication
• Best-in-class support for VoWLAN: roaming, handover, QoS, security
• Single management platform: wired, wireless and voice management on the same server; same GUI and look and feel across applications

Wireless Network Management Platform
• Supported platforms: OmniVista 3600 Air Manager
• Hardware: 2 servers to support the OV3600 applications (OV3600-HWPRO, OV3600-HWENT)
• Software: centralized network management (network discovery, firmware distribution, real-time and historical trend reports); granular administrative access (role-based, network-segment based); rogue access point detection and classification; display of location information for all wireless users and devices; up-to-date heatmaps and channel maps for RF diagnostics

Summary: The Alcatel-Lucent WLAN solution
• Delivering business benefits (mobility, location tracking, converged communication services) with best-in-class functionality for lowest TCO
• ... by meeting the wireless LAN challenges (management, security, availability, convergence services): easy to deploy, easy to secure, easy to manage, easy to scale, easy to add voice

2. Wireless Basic

WLAN Overview
• A network that uses the air as its communication channel, using high-frequency radio waves (Radio Frequency) or infrared, instead of the wired LAN that carries its signal over twisted-pair or coaxial cable
• Many products exist for transmitting data this way, but considering range, performance and security, spread-spectrum WLAN using the ISM and UNII bands has become the most widespread
• By giving users high mobility and convenience, ease of deployment and scalability, it is widely used to raise efficiency and productivity by supplementing or replacing the existing LAN
• International standardization: since October 1990 the IEEE 802.11 committee has been standardizing the wireless medium access control and physical-layer specifications in line with the OSI reference model
[Figure: ISM and UNII spectra]

WLAN Standards (802.11 a/b/g)
Protocol                  | 802.11       | 802.11a              | 802.11b              | 802.11g
Frequency band            | 2.4 GHz      | 5 GHz                | 2.4 GHz              | 2.4 GHz
Maximum data rate         | 1, 2 Mbps    | 54 Mbps              | 11 Mbps              | 54 Mbps
Modulation                | FHSS, DSSS   | OFDM                 | DSSS                 | OFDM
Actual maximum throughput | 1.2 Mbps     | 25 Mbps              | 5 Mbps               | 20 Mbps
Average range             | 100 m        | 70 m                 | 100 m                | 100 m
Encryption                | Yes          | Yes                  | Yes                  | Yes
Encryption type           | 40-bit RC4   | 40-bit, 104-bit RC4  | 40-bit, 104-bit RC4  | 40-bit, 104-bit RC4
Authentication            | No           | 802.1X               | 802.1X               | 802.1X
Other                     |              |                      |                      |

WLAN Standards (802.11n)
• SISO -> MIMO: replacing SISO (Single Input Single Output) with MIMO (Multiple Input Multiple Output) multi-antenna transmit/receive technology raises data efficiency; MIMO smart antennas minimize noise and steer toward a clean data path
• More efficient MAC: brings the actual data throughput close to the physical-layer rate, guaranteeing users at least 100 Mbps (maximum 600 Mbps). In existing systems, for reliable communication, every packet sent must wait for an acknowledgement packet (ACK) from the access point, and for fair sharing of the medium a WLAN station that wants to keep sending must still wait a fixed time after the ACK before it can send the next packet. 802.11n minimizes the ACK frequency and maximizes efficiency through frame aggregation
• Longer range through multiple antennas and advanced coding: the reachable range is extended (about 3x the current one) while a constant wireless speed is maintained
• Standardization expected to complete in 2010

WLAN Standards (802.11n)
Protocol                  | 802.11n (5 GHz)               | 802.11n (2.4 GHz)
Frequency band            | 5 GHz                         | 2.4 GHz
Maximum data rate         | about 600 Mbps                | about 300 Mbps
Modulation                | MIMO & improved OFDM          | MIMO & improved OFDM
Actual maximum throughput | 300 Mbps or more              | 150 Mbps or more
Average range             | about 210 m                   | about 300 m
Encryption                | Yes                           | Yes
Encryption type           | 40-bit, 104-bit, 152-bit, RC4 | 40-bit, 104-bit, 152-bit, RC4
Authentication            | 802.1X                        | 802.1X
Other                     |                               |

WLAN Security Technologies
[Figure: security technologies ranked from "Not Secure" to "Most secure". Authentication axis: Open, SSID disabled, MAC filtering, MAC authentication, Shared Key, EAP-MD5, EAP-TTLS, PEAP, EAP-TLS with authentication server. Encryption axis: Default (none), Static WEP, Dynamic WEP, TKIP, AES (WPA etc.)]

Extensible Authentication Protocol (EAP) Authentication Types - Comparison
Topic                     | EAP-MD5                 | EAP-TLS                                            | EAP-TTLS                                           | PEAP                            | LEAP
Security standard         | International standard  | International standard                             | International standard                             | International standard          | Cisco only
Client certificate        | N/A                     | Required                                           | Not required                                       | Not required                    | N/A
Server certificate        | N/A                     | Required                                           | Required                                           | Required                        | N/A
Credential security       | None                    | Strong                                             | Strong                                             | Strong                          | Weak
Supported auth databases  | Plaintext-based database | Active Directory, NT Domains, Token, SQL, LDAP    | Active Directory, NT Domains, Token, SQL, LDAP    | Active Directory, NT Domains    | Active Directory
Dynamic key exchange      | Not supported           | Supported                                          | Supported                                          | Supported                       | Supported
Mutual authentication     | Not supported           | Supported                                          | Supported                                          | Supported                       | Supported

WLAN Secure Access Flow (STA - AP - RADIUS)
IEEE 802.11:
• STA <- AP: 802.11 Beacon
• STA -> AP: 802.11 Associate-Request
• STA <- AP: 802.11 Associate-Response
IEEE 802.1X:
• STA -> AP: EAPOL-Start
• STA <- AP: EAP-Request/Identity
• STA -> AP: EAP-Response/Identity; AP -> RADIUS: RADIUS-Access-Request
• AP <- RADIUS: RADIUS-Access-Challenge; STA <- AP: EAP-Request
• STA -> AP: EAP-Response (Credentials); AP -> RADIUS: RADIUS-Access-Request
• AP <- RADIUS: RADIUS-Access-Accept & MS-MPPE (PMK); STA <- AP: EAP-Success
IEEE 802.11i (4-way handshake and group key handshake):
• STA <- AP: EAPOL-Key (P, ANonce)
• STA -> AP: EAPOL-Key (P, SNonce, MIC, RSN IE)
• STA <- AP: EAPOL-Key (P, ANonce, MIC, RSN IE)
• STA -> AP: EAPOL-Key (P, MIC)
• STA <- AP: EAPOL-Key (G, Index, GNonce, RSC, MIC, GTK)
• STA -> AP: EAPOL-Key (G, MIC)
IEEE 802.11aa: Access Allowed

WLAN Switch - Multi-Layered Security
• Application security
• Network-layer security
• Link-layer security
• Wireless Intrusion Protection

Centralized Wireless: AP Communications
[Figure: ACCESS, DISTRIBUTION, CORE, DATA CENTER; FLOOR x with EMPLOYEE and GUEST SSIDs; GRE tunnel from AP to WLAN Controller]
1. When an AP is connected to a switch port and powered on, it looks for the controller at the configured IP (if the AP uses DHCP it receives its IP from the DHCP server).
2. The AP receives its boot image (TFTP) from the controller and creates a PAPI (UDP 8211) connection for the control protocol.
3. The AP is authenticated by the WLAN controller and a GRE tunnel is created between the AP and the controller.
4. All client traffic is encrypted inside the GRE tunnel and sent to the controller.

WLAN Switch Operation Flow
1. The client sends an 802.11 association request, which is automatically forwarded through the AP to the WLAN switch.
2. The WLAN switch responds with an association acknowledgement.
3. The client and the WLAN switch carry out the 802.1x authentication procedure in conjunction with the RADIUS server.
4. The encryption key is passed to the WLAN switch; once the user's encryption keys are obtained, encrypted data starts to flow.
5. Based on the .11 MAC, the WLAN switch decrypts the data, processes the packet, applies services and forwards the packets.
[Figure: steps 1-5 between client, AP, WLAN switch, RADIUS and the corporate backbone]

Generic Routing Encapsulation (GRE)
Delivery header (IP packet), bit positions 0, 8, 16, 31:
  Ver | HL | TOS | Total Length
  Identification | Flags | Fragment Offset
  TTL | Protocol | Header Checksum
  Src Address
  Dest Address
GRE header:
  C | Reserved | v | Protocol Type
  Checksum (opt.) | Reserved1 (opt.)
Payload packet (original)

Radio Distance
• 44 ft = 14 m: 11 (b) / 54 (a/g) Mbps
• 90 ft = 27 m: 5.5 (b) / 48 (a/g) Mbps
• 134 ft = 40 m: 2 (b) / 36 (a/g) Mbps
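The secure access flow above ends with the 802.11i EAPOL-Key exchange, where the PMK delivered by RADIUS (MS-MPPE) or derived from a pre-shared passphrase is turned into the pairwise keys. The following Python is an added example, not code from the training deck or from the OmniAccess product: it derives the PMK with PBKDF2 as 802.11i specifies, expands it with the 802.11i PRF into KCK/KEK/TK, and plays messages 1 to 4 between an authenticator (the WLAN switch, via the AP) and a supplicant (the STA). The EAPOL-Key frame is simplified to "nonce || MIC" (an assumption; the real frame carries the RSN IE, replay counter and wrapped GTK as well), and the MAC addresses and nonces are constructed sample values.

```python
"""802.11i key derivation and 4-way handshake walk-through (added example).

PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32)            # 802.11i H.4
PTK = PRF-384(PMK, "Pairwise key expansion",
              min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce))
KCK = PTK[0:16] signs the EAPOL-Key frames, KEK = PTK[16:32] wraps the GTK,
TK = PTK[32:48] is the CCMP data key.
"""
import hashlib
import hmac

# Constructed sample values: authenticator address (AA), supplicant address (SPA)
SAMPLE_AA = bytes.fromhex("00 1a 1e 00 00 01".replace(" ", ""))
SAMPLE_SPA = bytes.fromhex("00 21 6a 00 00 02".replace(" ", ""))
SAMPLE_ANONCE = bytes(range(0x10, 0x30))   # 32 bytes, constructed
SAMPLE_SNONCE = bytes(range(0x80, 0xA0))   # 32 bytes, constructed


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK: the 256-bit PMK is PBKDF2-SHA1 over the passphrase and SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes):
    """Return (KCK, KEK, TK) for CCMP; both sides compute this after seeing both nonces."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return ptk[:16], ptk[16:32], ptk[32:48]


def eapol_mic(kck: bytes, body: bytes) -> bytes:
    """EAPOL-Key MIC for AKM 2 (HMAC-SHA1-128): first 16 bytes of HMAC-SHA1 under the KCK."""
    return hmac.new(kck, body, hashlib.sha1).digest()[:16]


def run_handshake(pmk_auth: bytes, pmk_supp: bytes, aa: bytes, spa: bytes,
                  anonce: bytes, snonce: bytes) -> dict:
    """Play messages 1-4. The authenticator and supplicant may hold different PMKs
    (e.g. a mistyped passphrase); the MIC checks are what detect that."""
    # Message 1 (A -> S): ANonce in the clear. No MIC yet: only now can S derive the PTK.
    s_kck, s_kek, s_tk = derive_ptk(pmk_supp, aa, spa, anonce, snonce)
    # Message 2 (S -> A): SNonce plus a MIC, proving S holds the PMK without sending it.
    msg2 = snonce + eapol_mic(s_kck, snonce)
    a_kck, a_kek, a_tk = derive_ptk(pmk_auth, aa, spa, anonce, msg2[:32])
    msg2_ok = hmac.compare_digest(msg2[32:], eapol_mic(a_kck, msg2[:32]))
    if not msg2_ok:
        # The authenticator must discard the frame; a PMK mismatch stops the handshake here.
        return {"msg2_ok": False, "msg3_ok": False, "msg4_ok": False, "keys_match": False}
    # Message 3 (A -> S): ANonce again plus MIC (the real frame also carries the KEK-wrapped GTK).
    msg3 = anonce + eapol_mic(a_kck, anonce)
    msg3_ok = hmac.compare_digest(msg3[32:], eapol_mic(s_kck, msg3[:32]))
    # Message 4 (S -> A): MIC-only confirmation; after this both sides install the TK.
    msg4 = eapol_mic(s_kck, b"")
    msg4_ok = hmac.compare_digest(msg4, eapol_mic(a_kck, b""))
    return {"msg2_ok": True, "msg3_ok": msg3_ok, "msg4_ok": msg4_ok, "keys_match": a_tk == s_tk}


if __name__ == "__main__":
    pmk = pmk_from_passphrase("correct horse", "TRAINING-LAB")   # constructed credentials
    print(run_handshake(pmk, pmk, SAMPLE_AA, SAMPLE_SPA, SAMPLE_ANONCE, SAMPLE_SNONCE))
    wrong = pmk_from_passphrase("correct h0rse", "TRAINING-LAB")
    print(run_handshake(pmk, wrong, SAMPLE_AA, SAMPLE_SPA, SAMPLE_ANONCE, SAMPLE_SNONCE))
```

Because the nonces are inputs to the PRF, every association yields a fresh TK even though the PMK is the same, and a frame captured from one handshake carries no valid MIC for another; that is what makes the exchange on the slide replay-safe. With 802.1X the PMK comes from the RADIUS Access-Accept instead of PBKDF2, but messages 1 to 4 are identical.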
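The GRE slide shows the delivery IP header and the GRE header that carry AP traffic to the controller. As an added example (not code from the deck or from the OmniAccess product), the Python below builds a constructed AP-to-controller packet and parses it back, checking the IPv4 header checksum and the optional GRE checksum as RFC 2784 defines them. The addresses are sample values, and the inner protocol type 0x0800 (IPv4) is an assumption: the slide does not state which protocol type the controller tunnel uses.

```python
"""Build and parse IPv4-over-GRE as laid out on the GRE slide (added example).

GRE header (RFC 2784): C(1) | Reserved0(12) | Ver(3) | Protocol Type(16)
                       [ Checksum(16) | Reserved1(16) ]  present only when C = 1
The checksum, when present, covers the GRE header and the whole payload.
"""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

GRE_IP_PROTO = 47          # IP protocol number of GRE
GRE_FLAG_CHECKSUM = 0x8000  # the C bit
ETHERTYPE_IPV4 = 0x0800     # assumed inner protocol type for this example


def inet_checksum(data: bytes) -> int:
    """Ones-complement sum used by IPv4 and by the optional GRE checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class GreHeader:
    checksum_present: bool
    version: int
    protocol_type: int
    checksum: Optional[int]
    checksum_ok: Optional[bool]   # None when no checksum is present
    header_len: int


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 header (no options) with a correct header checksum."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000, ttl, proto, 0, src_b, dst_b)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_gre(protocol_type: int, payload: bytes, with_checksum: bool = True) -> bytes:
    flags = GRE_FLAG_CHECKSUM if with_checksum else 0
    hdr = struct.pack("!HH", flags, protocol_type)
    if with_checksum:
        hdr += struct.pack("!HH", 0, 0)                      # checksum field zeroed while computing
        hdr = hdr[:4] + struct.pack("!HH", inet_checksum(hdr + payload), 0)
    return hdr + payload


def parse_ipv4(pkt: bytes) -> Tuple[dict, bytes]:
    ver_ihl, _tos, total_len, _ident, _ff, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    info = {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)), "ttl": ttl,
            "protocol": proto, "header_ok": inet_checksum(pkt[:ihl]) == 0}
    return info, pkt[ihl:total_len]


def parse_gre(data: bytes) -> Tuple[GreHeader, bytes]:
    flags, protocol_type = struct.unpack("!HH", data[:4])
    c = bool(flags & GRE_FLAG_CHECKSUM)
    reserved0, version = (flags >> 3) & 0xFFF, flags & 0x7
    if reserved0 or version != 0:     # RFC 2784 receivers must discard these
        raise ValueError("unsupported GRE header: reserved0=%d version=%d" % (reserved0, version))
    hlen = 8 if c else 4
    checksum = ok = None
    if c:
        checksum = struct.unpack("!H", data[4:6])[0]
        ok = inet_checksum(data) == 0  # summing with the stored checksum in place yields 0 if intact
    return GreHeader(c, version, protocol_type, checksum, ok, hlen), data[hlen:]


def decapsulate(pkt: bytes) -> Tuple[dict, GreHeader, bytes]:
    """Outer IPv4 -> GRE -> original payload packet, as on the slide."""
    outer, gre_bytes = parse_ipv4(pkt)
    if outer["protocol"] != GRE_IP_PROTO:
        raise ValueError("outer packet is not GRE")
    gre, payload = parse_gre(gre_bytes)
    return outer, gre, payload


# Constructed sample: an AP at 172.16.12.50 tunnelling a client datagram to a controller at 172.16.12.2
SAMPLE_INNER = build_ipv4("10.10.1.25", "10.10.2.7", 17, b"client datagram (constructed)")
SAMPLE_PACKET = build_ipv4("172.16.12.50", "172.16.12.2", GRE_IP_PROTO, build_gre(ETHERTYPE_IPV4, SAMPLE_INNER))

if __name__ == "__main__":
    outer, gre, inner = decapsulate(SAMPLE_PACKET)
    print(outer, gre, inner == SAMPLE_INNER)
```

Note what the GRE checksum does and does not give you: it detects corruption of the tunnelled frame, but it is not an integrity mechanism against a sender on the path, which is why the slide pairs the tunnel with PAPI authentication of the AP and with 802.11 encryption of the client traffic inside it.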
CLI Configuration Overview CLI Configuration Overview OAW Switch는 CLI와 GUI(Web)을 이용한 Configuration 방식을 지원 CLI Access 방법 Local Serial Interface Remote Telnet or SSH session GUI Access 방법 Remote Web browser Internet Explorer and Netscape/Firefox 지원 CLI는 세가지 mode로 구성 User Enable or Privileged Configure 51 | Presentation Title | Month 2009 All Rights Reserved © Alcatel-Lucent 2009 CLI Access Default 상태에서는 Serial Console or SSH를 통해 접근 가능 Serial Cisco-compatible RJ-45 serial cable 9600, N, 8, 1, No flow control SSH Version 2 Password based Telnet 접근을 가능하게 하기 위해서는 아래의 설정 필요 (Alcatel 4324) (config) #telnet cli 52 | Presentation Title | Month 2009 All Rights Reserved © Alcatel-Lucent 2009 CLI User Mode User Mode ( > )의 prompt 상태 (Alcatel 4324) > Basic utilities (Ping, Traceroute, etc) 사용 가능 User mode에서 아래의 항목은 사용 불가능 Display or changing of any info that might be a security risk, such as ACLs, Policies, SNMP, IP addressing, etc. Entry into Configuration mode – Must enter Enable mode first “enable” 명령어에 의해 Enable mode로 변경 53 | Presentation Title | Month 2009 All Rights Reserved © Alcatel-Lucent 2009 CLI Enable Mode Enable Mode (#)의 prompt 상태 (Alcatel 4324) # 모든 configuration information에 대해 display 가능 Configuration mode로 이동 가능 “configure terminal” 명령어에 의해 Configuration mode로 변경 “exit” 명령어에 의해 user mode로 return 54 | Presentation Title | Month 2009 All Rights Reserved © Alcatel-Lucent 2009 CLI Configuration Mode Configuration Mode “(config) #” 의 prompt 상태 (Alcatel 4324) (config) # User는 OAW switch에 대해 Config가 가능한 상태 Enable mode에서만 Configuration mode로 변경 가능 ^Z 또는 “exit” 명령어에 의해 Enable mode로 return 가능 사용한 명령어들은 running config 바로 적용됨 Config를 Startup (NVRAM)로 저장하는 명령어 필요 (Alcatel 4324) (config) # copy running-config startup-config 55 | Presentation Title | Month 2009 All Rights Reserved © Alcatel-Lucent 2009 CLI Feature Overview Command Completion <TAB> key를 이용한 명령어 완성 가능 Context-sensitive help “?” 명령어를 이용하여 다음에 사용 가능한 명령어 확인 가능 (Alcatel 4324) #cl? 
clear Clear configuration clock Configure the system clock (Alcatel 4324) #clock ? set Set the time and date 56 | Presentation Title | Month 2009 All Rights Reserved © Alcatel-Lucent 2009 CLI Feature Overview Configuration을 확인하는 명령어 (Alcatel 4324) #show running-config (Alcatel 4324) #show startup-config Configuration 출력 시 다음의 Option 사용 가능 (Alcatel 4324) #show running-config | ? begin Begin with the Line that matches exclude Exclude Lines that match include Include Lines that match Switch configuration 삭제 명령어 (Alcatel 4324) #write erase all All the configuration will be deleted. Press 'y' to proceed :y Write Erase successful Write erase : 전체 Configuration만 삭제 Write erase all : 전체 Configuration와 등록된 License도 삭제 57 | Presentation Title | Month 2009 All Rights Reserved © Alcatel-Lucent 2009 OmniAccess File System 256MB of Flash(기종별로 다름) 3 partition으로 분할 2 system partitions (45MB each) 1 user partition (165MB) System partitions Hold system software 2 copies - Active and Backup User partition Holds everything else Startup config Databases Log files 58 | Presentation Title | Month 2009 All Rights Reserved © Alcatel-Lucent 2009 File System Commands File system 명령어 Dir flash file system의 file을 출력 Delete flash file system의 file을 삭제 Copy Enable or Config Mode에서 copy 명령어 사용 가능 (Alcatel 4324) #copy [source] [destination] Source and Destination can be: – – – – – – – 59 | Presentation Title | Month 2009 flash: ftp: Log running-config startup-config system: tftp: All Rights Reserved © Alcatel-Lucent 2009 CLI Copy Command TFTP server로 running configuration을 Backup 명령어 (Alcatel 4324) #copy running-config tftp: 172.16.1.50 2400.cfg Saved Configuration 60 | Presentation Title | Month 2009 All Rights Reserved © Alcatel-Lucent 2009 Rebooting the OmniAccess Switch ‘reload’ 명령어로 Switch reboot 가능 (Enable Mode) (Alcatel 4324) #reload Do you want to save the configuration(y/n): y Saving Configuration... 
Saved Configuration Do you really want to reset the system(y/n): y System will now restart! 61 | Presentation Title | Month 2009 All Rights Reserved © Alcatel-Lucent 2009 Port Naming Conventions CLI 에서 Port type format <port type> <slot number>/<port number> “FastEthernet” - 10/100 Ethernet port “GigabitEthernet” - Gigabit Ethernet port Exception “port-channel” - Etherchannel - port-channel <#> 62 | Presentation Title | Month 2009 All Rights Reserved © Alcatel-Lucent 2009 4. GUI Configuration Overview GUI (Web) Management Access Initial setup후에는 GUI를 통해 모든 system management가 가능 GUI에서는 Wireless information의 변화에 대한 monitoring과 Wireless 구성에 대한 설정이 가능 64 | Presentation Title | Month 2009 All Rights Reserved © Alcatel-Lucent 2009 GUI Access Initial configuration을 완료하면 Web browser를 통해 GUI 접속이 가능 http://switchip https://switchip:4343 65 | Presentation Title | Month 2009 All Rights Reserved © Alcatel-Lucent 2009 Monitoring / Network Summary Screen 66 | Presentation Title | Month 2009 All Rights Reserved © Alcatel-Lucent 2009 Configuration / Wireless Screen 67 | Presentation Title | Month 2009 All Rights Reserved © Alcatel-Lucent 2009 Diagnostics / Network Screen 68 | Presentation Title | Month 2009 All Rights Reserved © Alcatel-Lucent 2009 Maintenance / Switch Screen 69 | Presentation Title | Month 2009 All Rights Reserved © Alcatel-Lucent 2009 Plan Screen 70 | Presentation Title | Month 2009 All Rights Reserved © Alcatel-Lucent 2009 Events & Reports Screen 71 | Presentation Title | Month 2009 All Rights Reserved © Alcatel-Lucent 2009 5. Basic System Setup Initial Setup Dialog 초기 Booting시 (또는 Config를 초기화 후), switch는 basic switch parameter를 설정할 수 있는 initial setup dialog가 제공됨 Initial setup는 Serial console에서만 사용 가능 Initial setup은 skip이 불가능함 •***************** Welcome to the OAW-4308 setup dialog ***************** •This dialog will help you to set the basic configuration for the switch. 
•These settings, except for the Country Code, can later be changed from the •Command Line Interface or Graphical User Interface. •Commands: <Enter> Submit input or use [default value], <ctrl-I> Help •<ctrl-B> Back, <ctrl-F> Forward, <ctrl-A> Line begin, <ctrl-E> Line end •<ctrl-D> Delete, <BackSpace> Delete back, <ctrl-K> Delete to end of line •<ctrl-P> Previous question <ctrl-X> Restart beginning 73 | Presentation Title | Month 2009 All Rights Reserved © Alcatel-Lucent 2009 Initial Setup Dialog Enter system name [Alcatel 4324]: Hostname은 CLI prompt 또는 SNMP system name으로 사용. GUI or Captive Portal에서 이 hostname으로 표시됨 Enter VLAN 1 interface IP address [172.16.0.254]: Switch의 default VLAN에 대한 interface IP address 설정 Enter VLAN 1 interface subnet mask [255.255.255.0]: VLAN interface subnet mask 설정 Enter IP Default gateway [none]: Switch의 Default Route 설정. ( uplink된 router의 IP) Enter Switch Role, (master|local) [master]: Switch의 Role 설정. single-switch network라면 master를 선택하고 만약 기존 Network에 추가하는 것이라면 local을 선택. 74 | Presentation Title | Month 2009 All Rights Reserved © Alcatel-Lucent 2009 Initial Setup Dialog Enter country code (ISO-3166), <ctrl-I> for supported list: Switch의 사용 국가 Country code 설정. 한국은 “ KR ”로 설정 Enter password for admin login (up to 32 chars): “admin”에 대한 Password 설정 Enter password for enable mode (up to 15 chars): Enable mode에 대한 password 설정 Do you wish to shutdown all the ports (yes|no)? [no]: 기본적으로 모든 port들을 shutdown할지 설정 75 | Presentation Title | Month 2009 All Rights Reserved © Alcatel-Lucent 2009 Initial Setup Dialog Current choices are: System name: OAW-4324 VLAN 1 interface IP address: 172.16.12.2 VLAN 1 interface subnet mask: 255.255.255.0 IP Default gateway: 172.16.12.1 Switch Role: master Country code: KR Ports shutdown: no If you accept the changes the switch will restart! 
Type <ctrl-P> to go back and change answer for any question
Do you wish to accept the changes (yes|no)
After the basic config is confirmed, the switch reboots and comes up with that basic config loaded.

Setting Date and Time
Manual date/time setting from enable mode:
(Alcatel 4324) #clock set <year> <month> <day> <hour> <minute> <seconds>
NTP server:
(Alcatel 4324) (config) # ntp server x.x.x.x
Timezone and DST are set in config mode:
(Alcatel 4324) (config) # clock timezone PST -8
(Alcatel 4324) (config) #clock summer-time PDT recurring first sunday april 02:00 last sunday october 02:00 -7

Setting System Contact
The system contact is shown in SNMP queries and on the GUI login page.
(Alcatel 4324) (config) # syscontact "John Smith x1234"

Additional S/W Module License
Software modules are registered with the "license add" command:
(Alcatel 4324) (config) # license add xxxxxx-xxxxxx-xxxxx-xxxxx-xxxx
A reload is required after "license add".

Switch Management Configuration
SNMP, SYSLOG and user administration can be configured in the GUI:
Configuration/Management

Access Control Management
Roles can be assigned to management users:
Configuration/Management/Administration

Vlan Configuration
VLANs can also be configured through the GUI:
Configuration/Network/VLAN
VLANs can be:
- Created
- Deleted
- Add L3 VLAN Interfaces
- Assign DHCP Helper addresses
In the CLI:
(Alcatel 4324) (config) #vlan 10
(Alcatel 4324) (config) #interface vlan 10
(Alcatel 4324) (config-subif)#ip address x.x.x.x <mask>
(Alcatel 4324) (config) #interface FastEthernet 1/0
(Alcatel 4324) (config-if) #switchport access vlan 10

Vlan Configuration (GUI screen)

Port Configuration
Ports can also be configured through the GUI:
Configuration/Switch/Port
One or more ports can be selected and:
- Enabled or disabled
- Assigned to VLANs
- Made trusted or untrusted
- Enable 802.3af POE (default) or Cisco POE
- Assign a Firewall Policy (not used for AP connectivity)
- Made an 802.1q trunk port
When using the GUI, you must click "Apply" after making changes so the changed commands are pushed to the switch, and click the "Save Configuration" button to save the current running config as the startup config.

Port Configuration (GUI screen)

Port Mirroring
Port mirroring can only be configured through the CLI:
(Alcatel 4324) (config) #interface fastethernet 1/22
(Alcatel 4324) (config-if)#port monitor fastethernet 1/0
With this configuration, all traffic on 1/0 is copied to 1/22.

DHCP Configuration
Two modes:
External DHCP Server (recommended)
- DHCP Relay (Helper Address)
- Configured on a per-VLAN basis at: Configuration/Network/VLAN
Internal DHCP Server
- Configured via: Configuration/Network/IP/DHCP Server
- Configured independently of VLANs - Subnet will match VLAN to DHCP scope
- Recommend naming scope after VLAN - ie "vlan-4"
- Must assign a complete subnet, then exclude ranges of addresses

DHCP Configuration (GUI screen)

ESSID Configuration
In the GUI, a profile must be created for the ESSID first, under:
Configuration/Advanced Services/All Profile Management/Wireless LAN

AP Provisioning
AOS-W <3.0
Location code (1-256).(1-256).(1-163) = bldg . floor . location
Controller configuration:
ap location 0.0.0 - All APs
ap location 2.3.0 - Bldg 2, floor 3 APs
ap location 2.3.6 - Bldg 2, floor 3, AP 6
AOS-W 3.0
ap-name "configurable with 63 or more alphanumeric characters"
ap-group "configurable with 63 or more alphanumeric characters"
All controller config done through "ap-group" and "ap-name" statements

AP Provisioning
Initial AP default values:
ap-name == AP wired MAC address
ap-group == "default"
Each AP must be configured to belong to the ap-group it is meant to use.

AP Provisioning (GUI screen)

Radio Configuration
Configuration/Advanced Services/All Profile Management/RF Management

Spanning Tree
By default, all ports of the switch run STP & RSTP spanning tree in Vlan 1.
Spanning tree can be modified globally through the GUI at:
Configuration/Network/Switch
To disable spanning tree in the CLI:
Globally:
(Alcatel 4324) (config) #no spanning-tree
On a per-interface basis:
(Alcatel 4324) (config) #interface fastethernet 1/0
(Alcatel 4324) (config-if)#no spanning-tree

Profile Configuration
With the OS change from 2.5 to 3.0, configuration of wireless functions changed to a profile format.
Created profiles are then applied in the AP Configuration.
Profiles for each function are created in the GUI under Configuration/Advanced Services/All Profile Management.
Under Configuration/AP Group in the GUI, the profiles created in All Profile Management are assigned.

Profile Hierarchy (diagram): ap-group, ap-name, ap, rf, wlan, virtual-ap, qos, ssid-profile, ids, aaa-profile, dot1x auth, mac auth

6. AP Configuration
AP Connectivity
There are two ways an AP can be connected to the switch:
Direct Attach
The AP physically plugs into the Alcatel Switch.
Power and Serial over Ethernet are available with this setup.
Indirect Attach
The AP physically plugs into some other network device (switch or router) with L2 or L3 connectivity back to the Alcatel Switch. Power over Ethernet is available if the network device attached to the AP supports it. Serial over Ethernet is not supported.

AP Boot Sequence
The AP needs the following information at boot:
- IP Address, Netmask, Default Gateway
- Location ID
- IP Address of Alcatel WLAN Switch
There are two ways to configure the AP:
Static - All parameters manually configured
Dynamic - AP only configured with a location ID (optional on first boot)

AP Static Boot Sequence
1. At boot, the AP loads the settings stored in its bootrom.
2. The AP sends a message with its location ID to the OAW switch.
3. The AP sends a TFTP request to the OAW switch and downloads the OS image.
4. The OAW switch controls the AP based on its Location ID.
5. A GRE tunnel is established between the AP and the OAW switch.

AP Dynamic Boot Sequence
1. At boot, the AP loads the location ID from its bootrom.
2. The AP sends a DHCP request for an IP address.
3. If it receives a DHCP response containing vendor option 43 (masterip), the AP uses that value as the Master IP address.
4. If the DHCP response does not contain the vendor option, the AP sends an "ADP" packet to the multicast group address 224.0.82.11.
5. If there is no response to the multicast ADP, the AP sends an "ADP" packet as an L2/L3 broadcast (configure the Master OAW Switch as a DHCP helper recipient).
6. If there is still no response, the AP sends a DNS query for "alcatelmaster.domain.com" to the configured DNS server; if the domain answers, the AP uses the answer as the Master IP address.
7. Once the AP has determined the Master IP address, booting continues from Step 2 of the static sequence.

AP Configuration
AP configuration uses one of two methods depending on whether the AP is already connected to the switch:
- After the AP is connected to the switch, it can be configured from the GUI.
- Before the AP is connected to the switch: if the AP is plugged directly into the OAW switch it can be configured using SOE (Serial over Ethernet); it can also be configured through the serial port using the SPOE adapter (AP console).

SPOE adapter (AP console) Pin-out (diagram)

Post-deployment Method
GUI "Re"provision
If an AP is connected to the network without configuration, it is listed under "Unprovisioned Alcatel AP" on the OAW switch; selecting that AP opens the Reprovision menu, where its config can be modified.

Unprovisioned AP (GUI screen)
Provisioning the AP (GUI screen)

Pre-deployment Configuration
SOE configuration
Enable SOE from the OAW switch CLI:
(Alcatel 4324) # configure terminal
(Alcatel 4324) (config)# telnet soe
Telnet to the switch IP on port 2300; if the AP is connected to port 1/0 of the switch, enter connect 1/0:
telnet x.x.x.x 2300

AP CLI
After connecting to the AP CLI, reboot the AP and press Enter at the "stop autoboot" prompt to boot into bootrom mode.
Commands:
printenv - Display the current settings
setenv variable <value> - Set specific values with setenv (ex. ip, netmask etc.)
save - Save the configuration to the AP flash
boot - Boot the AP

AP CLI
Dynamic AP configuration only needs the location to be set:
setenv location x.x.x
save
Static AP configuration:
setenv ipaddr x.x.x.x
setenv netmask x.x.x.x
setenv gatewayip x.x.x.x
setenv serverip x.x.x.x
setenv master x.x.x.x
setenv name xxxxxxx
setenv group xxxxxxx
save
AP configuration reset (from AP boot mode):
purge
save
reset

Verifying AP/AP Configuration
From the CLI:
From the GUI:
Monitoring/Network/All Access Points
Monitoring/Network/All Air Monitors

7. Managing System Images
System Backup
To backup the system:
Config file
(Alcatel 4324) #copy running-config tftp: x.x.x.x filename
WMS database
(Alcatel 4324) #wms export-db wms.db
(Alcatel 4324) #copy flash: wms.db tftp: x.x.x.x filename
(Alcatel 4324) #local-userdb export-db user.db
(Alcatel 4324) #copy flash: user.db tftp: x.x.x.x filename
RF Plan
Plan/Building List/Export...

System Restore
To restore the system:
Databases
(Alcatel 4324) #copy tftp: x.x.x.x filename flash: wms.db
(Alcatel 4324) #wms import-db wms.db
(Alcatel 4324) #copy tftp: x.x.x.x filename flash: user.db
(Alcatel 4324) #local-userdb import-db user.db
Config file
(Alcatel 4324) #copy tftp: x.x.x.x filename flash: default.bak
(Alcatel 4324) #copy flash: default.bak flash: default.cfg
RF Plan
Plan/Building List/Import...
Reload

GUI Backup/Restore (GUI screen)

Adding System Images
System image upgrade through the CLI:
- IP connectivity to the TFTP server is required
- An IP interface must be configured on a VLAN
- The switch must be able to ping the TFTP server IP
To minimize the impact on the running system, the switch uses two system image partitions: Active and Backup.

Adding System Images
Step 1: Check the active partition (GUI screen)

Adding System Images
Step 2: Copy new image
(Alcatel 4324) #copy tftp: 172.16.1.50 image_file_name system: partition 0
Upgrading partition 0
................................................................................
Copied image successfully.
The system will boot from partition 1 during the next reboot.
Step 3: Change the default boot partition
([OAW4308]) #boot system partition 0
Step 4: Reload

8. Basic Configuration Sample
Profile Configuration Sample
Sample of an all-open configuration with no authentication or encryption
Step 1: Configuration/Advanced Services/All Profile Management
Step 2: AAA Profile -> enter a new AAA profile name, then Add
Step 3: Selecting the created test-open shows its default profile
Step 4: Select default-vpn-role (an allow-all role) as the Initial role, then click Apply
Step 5: SSID Profile -> enter a new SSID profile name, then Add
Step 6: Select the created test-ssid, enter the SSID that will actually be used, then click Apply
Step 7: Virtual AP Profile -> enter a new Virtual AP profile name, then Add
Step 8: Selecting the configured Virtual AP Profile shows the SSID & AAA Profile settings
Step 9: Virtual AP Profile -> under SSID Profile, assign the previously created SSID Profile, then click Apply
Step 10: Virtual AP Profile -> under AAA Profile, assign the previously created AAA Profile, then click Apply
This completes the profile configuration, but it is not yet applied to any actual AP.
[Note] When the WLAN switches are redundant and the APs use LMS and B-LMS, an AP System Profile must be created as shown below.
Step 11: Under Configuration -> Wireless -> AP Configuration, select New, enter a new AP Configuration name, then Add
Step 12: Selecting Edit on the created AP Configuration shows the same menu as configured earlier under All Profiles
Step 13: Select Wireless LAN -> Virtual AP, assign the previously created Virtual AP Profile, select Add, then Apply
Step 14: Confirm that the settings configured under All Profiles are applied as-is
Step 15: All APs belong to the default AP-Group, so they must be moved to the newly created AP-Group: Wireless -> AP Installation -> Provisioning
Step 16: Select the AP, press Provision, then select the AP-Group.
Step 17: After a final check of the AP's configuration, select Apply and Reboot.
Step 18: Connect from a PC to the SSID to make a final check of the configuration.

Profile Configuration Sample
[Settings for integration with an external authentication server]
- The authentication server part of the basic configuration from the previous pages needs to be modified.
Step 1: Under Advanced Services > All Profile Management > Wireless LAN -> RADIUS Server, enter a RADIUS name and select Add.
Step 2: Select the newly created name and enter the detailed authentication server information. The authentication server's IP, the authentication KEY value and the authentication port number must match between the authentication server and the WLAN switch.
Step 3: Under Advanced Services > All Profile Management > Wireless LAN -> Server Group, enter a new name and select Add. Select the created Server Group, assign the previously defined RADIUS server, then Apply.
Step 4: Check the default 802.1x profile under 802.1X Authentication Profile. The defaults can be used as-is.
Step 5: Go to AAA Profile, create a new profile and select it. In that profile, set the role users receive after authentication under 802.1X Authentication Default Role.
Step 6: Select the previously defined items in order:
802.1X Authentication Profile -> Default
802.1X Authentication Server Group -> Radius
RADIUS Accounting Server Group -> Radius
Step 7: Go to SSID Profile and set the SSID and encryption method to be used with 802.1x authentication. 802.1x cannot be configured as Open; encryption must be set. Because encryption is agreed between the user's wireless client and the AP, check that the user's client supports the chosen method.
Step 8: Go to Virtual AP profile and assign the previously created profiles under SSID & AAA Profile. Proceed with the remaining settings in the same way as the basic configuration.

9. Lab: Basic System Configuration
Lab Diagram - 1
SSID: Test10
AP1 - Backbone (10.3), vlan 1 10.10.10.1/24 - WLAN Switch, Vlan 1 10.10.10.2/24
Open configuration with no separate authentication

Lab Diagram - 2
SSID: Test10, SSID: Test20
Open configuration with no separate authentication
Configure 802.1q between the Backbone and the WLAN switch so that vlan10 and vlan20 can be used.
Backbone: vlan 10 10.10.10.1/24, vlan 20 10.10.20.1/24, vlan 30 10.10.30.1/24 (10.3, 30.3)
WLAN Switch: Vlan 10 10.10.10.2/24, vlan 20 10.10.20.2/24, Vlan 30 10.10.30.2/24
Create 2 SSIDs: Test10 must be able to use the vlan10 network and Test20 the vlan20 network.
AP1, AP2, OS6600-P24
Check that terminals connected to each AP can communicate with each other.

Lab Diagram - 3
Backbone: vlan 10 10.10.10.1/24, vlan 20 10.10.20.1/24
WLAN#1 10.11 ssid test-1
WLAN#2 10.12 ssid test-2
WLAN#3 10.12 ssid test-3
WLAN#4 10.14 ssid test-4
APs 20.x, PoE, Vlan 20 10.10.20.2/24, AP1

www.alcatel-lucent.com
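The AP Dynamic Boot Sequence in section 6 gives the order in which an AP looks for its master switch: DHCP vendor option 43 first, then ADP to the multicast group 224.0.82.11, then an ADP broadcast, then a DNS lookup of alcatelmaster.domain.com. The following Python is an added example, not code from this training deck or from Alcatel-Lucent: it parses a constructed DHCPACK options field and applies that order. It assumes option 43 carries the master IP as an ASCII dotted-quad string (the deck does not state the encoding), and the ADP and DNS replies are passed in as already-received values rather than sent on the wire.

```python
"""Added example: parse a DHCP options field and apply the AP master
discovery order from the dynamic boot sequence (option 43, ADP multicast,
ADP broadcast, DNS). All sample data below is constructed, not captured."""
import ipaddress
from typing import Dict, Optional, Tuple

# DHCP option codes (RFC 2132). 43 is the vendor-specific option the deck
# calls "option 43 (masterip)".
OPT_PAD = 0
OPT_SUBNET_MASK = 1
OPT_ROUTER = 3
OPT_VENDOR_SPECIFIC = 43
OPT_MSG_TYPE = 53
OPT_END = 255

ADP_MULTICAST_GROUP = "224.0.82.11"           # from the deck
MASTER_DNS_NAME = "alcatelmaster.domain.com"  # from the deck

# Constructed DHCPACK options fields: code, length, value ..., 0xff end.
ACK_WITH_OPTION43 = (
    b"\x35\x01\x05"                # 53: message type DHCPACK
    b"\x01\x04\xff\xff\xff\x00"    # 1: subnet mask 255.255.255.0
    b"\x03\x04\x0a\x0a\x0a\x01"    # 3: router 10.10.10.1
    b"\x2b\x0a" b"10.10.10.2"      # 43: master IP as ASCII (assumed encoding)
    b"\xff"
)
ACK_WITHOUT_OPTION43 = (
    b"\x35\x01\x05"
    b"\x01\x04\xff\xff\xff\x00"
    b"\x03\x04\x0a\x0a\x0a\x01"
    b"\xff"
)
ACK_WITH_BAD_OPTION43 = b"\x35\x01\x05" b"\x2b\x03abc" b"\xff"


def parse_dhcp_options(raw: bytes) -> Dict[int, bytes]:
    """Walk the TLV list. Pad (0) has no length byte, End (255) stops the
    walk, a split option (same code twice) is concatenated, and a TLV that
    runs past the buffer raises instead of being silently truncated."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(raw):
        code = raw[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(raw):
            raise ValueError("truncated option header at offset %d" % i)
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d runs past end of buffer" % code)
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts


def master_from_option43(opts: Dict[int, bytes]) -> Optional[str]:
    """Return the master IP carried in option 43, or None if absent or not a
    valid IPv4 address. Assumption: the value is an ASCII dotted quad."""
    raw = opts.get(OPT_VENDOR_SPECIFIC)
    if raw is None:
        return None
    try:
        return str(ipaddress.IPv4Address(raw.decode("ascii").strip("\x00 ")))
    except (UnicodeDecodeError, ValueError):
        return None


def discover_master(dhcp_options: bytes,
                    adp_multicast_reply: Optional[str] = None,
                    adp_broadcast_reply: Optional[str] = None,
                    dns_answer: Optional[str] = None) -> Tuple[str, Optional[str]]:
    """Apply the deck's order. The ADP and DNS replies are hypothetical
    already-received strings rather than wire exchanges; the first usable
    answer wins and its source is reported so troubleshooting can see
    which discovery method actually selected the master."""
    ip = master_from_option43(parse_dhcp_options(dhcp_options))
    if ip is not None:
        return ("dhcp-option-43", ip)
    for source, reply in (("adp-multicast", adp_multicast_reply),
                          ("adp-broadcast", adp_broadcast_reply),
                          ("dns", dns_answer)):
        if reply:
            try:
                return (source, str(ipaddress.IPv4Address(reply)))
            except ValueError:
                continue
    return ("none", None)


if __name__ == "__main__":
    print(discover_master(ACK_WITH_OPTION43))
    print(discover_master(ACK_WITHOUT_OPTION43, dns_answer="10.10.10.2"))
```

Reporting the source alongside the chosen address is the useful part for operations: an AP that ends up on the DNS fallback when option 43 was expected usually means the DHCP scope for the AP VLAN is missing the option, and an option 43 value that does not parse as an address falls through to the next method rather than stalling the boot.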
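Step 2 of the external authentication server settings says the RADIUS server IP, key and port must match on both the server and the WLAN switch. The Python below is an added example, not code from this deck or from Alcatel-Lucent, showing the part of the protocol that makes the key matter: per RFC 2865 the server's Response Authenticator is MD5(Code + ID + Length + RequestAuth + Attributes + Secret), so the switch can only validate an Access-Accept with the same secret it was configured with. The secret, identifier and packet contents are constructed for the demo.

```python
"""Added example: why the RADIUS shared key must match on both sides.
The Response Authenticator (RFC 2865 section 3) is
MD5(Code + ID + Length + RequestAuth + Attributes + Secret), so the WLAN
switch can only validate a server's answer with the same secret.
All packet contents and the secret are constructed for the demo."""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ATTR_REPLY_MESSAGE = 18

# Constructed demo values, not a real deployment's secret.
SHARED_SECRET = b"constructed-demo-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))   # a real client sends 16 random bytes


def radius_attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type(1) Length(1) Value (RFC 2865 section 5)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_response(code: int, identifier: int, request_authenticator: bytes,
                   attributes: bytes, secret: bytes) -> bytes:
    """What the RADIUS server does: compute the Response Authenticator over
    the header, the client's Request Authenticator, the attributes and the
    shared secret, and place it in bytes 4..19 of the packet."""
    if len(request_authenticator) != 16:
        raise ValueError("request authenticator must be 16 bytes")
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    response_auth = hashlib.md5(
        header + request_authenticator + attributes + secret).digest()
    return header + response_auth + attributes


def verify_response(packet: bytes, request_authenticator: bytes,
                    secret: bytes) -> bool:
    """What the switch (RADIUS client) does: recompute the authenticator with
    its locally configured secret and compare in constant time. A wrong
    secret, a wrong request authenticator or any modified byte fails."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        return False
    attributes = packet[20:]
    expected = hashlib.md5(
        packet[:4] + request_authenticator + attributes + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def response_code(packet: bytes) -> int:
    """RADIUS code from the first byte (2 = Access-Accept, 3 = Access-Reject)."""
    return packet[0]


# A constructed Access-Accept with one Reply-Message attribute.
SAMPLE_ACCEPT = build_response(ACCESS_ACCEPT, 42, REQUEST_AUTHENTICATOR,
                               radius_attribute(ATTR_REPLY_MESSAGE, b"welcome"),
                               SHARED_SECRET)

if __name__ == "__main__":
    print("same key:", verify_response(SAMPLE_ACCEPT, REQUEST_AUTHENTICATOR, SHARED_SECRET))
    print("other key:", verify_response(SAMPLE_ACCEPT, REQUEST_AUTHENTICATOR, b"other-key"))
```

A response that fails this check is discarded by the client, which is why a mismatched key on the switch or the server usually shows up as a RADIUS server timeout rather than an Access-Reject; the port number matters for the same practical reason, since a request sent to the wrong UDP port never reaches the server process at all.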