20090219_WLAN 3.x training

WLAN 3.x Training
OAW Products
Alcatel-Lucent - Enterprise Solutions Division
Agenda
1. Products Overview
2. Wireless Basic
3. CLI Configuration Overview
4. GUI Configuration Overview
5. Basic System Setup
6. AP Configuration
7. Managing System Images
8. Basic Configuration Sample
9. Lab : Basic System Configuration
2 | Presentation Title | Month 2009
All Rights Reserved © Alcatel-Lucent 2009
1. Products Overview
Why Alcatel-Lucent
• Complete communication solutions provider
• Market leadership in key data, voice, video and fixed mobile convergence technologies
• turnkey solutions
• over 500,000 customers
• Presence: over 130 countries
• #1 in broadband, switching, optics, satellite, telecom, …
[Figure labels: data/IP, broadband, invoice, satellite, outsourcing, optical, submarine]
What Can Alcatel-Lucent Enterprise Solutions Do For You?
Build the IP Communications House
Communications
Applications
Voice over IP
IP Network
Infrastructure
Alcatel-Lucent EBG Product Portfolio
[Figure: product portfolio chart. Labels recovered from the slide:]
Tiers: Core Layer / Large Scale; Distributed Layer / Medium Scale; Access Layer / Small Scale
Categories: IP Networking; Router (WAN); WLAN; VoIP; Security and Management
Products: OmniStack 6200; OmniPCX Office; 7750/7450; OmniSwitch 7800, 6600/6602, 9800/9700, 9600, 6400, 6855, 7700, 6850/6850Lite; OAW 6000s/SUP-III; OAW4x04; OAW 4324/08/04; OmniAccess 780, 740, 720s; OmniPCX Enterprise; OAW-AP 4x/6x/70/12x/85; OmniVista 2500; Brick Family; Vital Suite/QIP; Safeguard; Cybergatekeeper; Quarantine Manager; NLG3500
Other labels: IP Phone; Mobile; NAC; Firewall/VPN; Performance Management
Alcatel-Lucent WLAN Solution
Legacy WLAN solution vs. OmniAccess WLAN solution
[Figure: component comparison. Labels: Access points; Site survey; Packet capture; Air monitors; WiFi IDS / IPS; WLAN switches; WLAN switches/blades; Captive portal; VPN concentrator; LAN-speed firewall; QoS devices]
• Integrated total solution
• Improved security
• Easy to scale
• Rich feature support
• Convenient management
• Easy installation
• Lower investment cost
Features of OmniAccess Wireless Switches
• WiFi management: Adaptive RF, Packet Capture, Location Tracking, Roaming, SSID Mgmt, RF Fingerprinting
• WiFi security: WiFi IDS/IPS, Rogue AP Defense
• Encryption: WEP, TKIP, AES, 3DES
• Authentication and user integrity check (HIC): MAC, Captive Portal, 802.1x, VPN
• Authorization control: User/Flow Stateful FW + Content Inspection re-direction
• Traffic management: QoS/Priority/Bandwidth Contracts
• Network services: Routing, VLANS, NAT, DHCP, Switching
[Figure labels: WiFi environment; Radius; LDAP; Active Dir.; Network access control; Service Provisioning; Network Integration; Management; WiFi access control; Policy Control; WiFi IDS/IPS]
Introduction to the Alcatel-Lucent WLAN System
Alcatel-Lucent WLAN System architecture

Alcatel-Lucent WLAN Switch
• Alcatel's own hardware architecture for wireless LAN improves performance
• Four separate processors, one per function, are used to improve performance
[Figure labels: Wireless Control Processor; Wireless Packet Processor; Wireless Security Processor; Wireless Switching Processor]

Next-generation Access Point
• Multi-purpose AP supporting two frequency bands
  – Supports 802.11 a, b/g/n
• User access and air monitoring
• Programmable
  – Linux-based
  – Can run applications
    - Wireless packet capture
    - Location tracking
• Ease of installation
  – Automatic configuration through the Alcatel switch
Introduction to Alcatel WLAN Switches
Alcatel WLAN Switch product family
• OmniAccess 6000 WLAN Switches
  – 4-slot chassis
  – Central management of Remote APs from within the data center
  – Manages 64 to 2048 APs
  – 24 10/100 PoE interfaces and 2 GE uplink ports per line card
  – 2 10GE and 10 1GE per SUP-III
  – 802.11 a/b/g/n support
• OmniAccess 4504/4604/4704 Wireless Switches
  – 4x Dual personality ports 10/100/1000Base-T (RJ-45) or 1000Base-X (SFP)
  – Manages 32/64/128 APs
  – 802.11 a/b/g/n support
• OmniAccess 4302/4308/4324 Wireless Switches
  – 0/8/24 10/100 PoE interfaces per unit
  – 1 or 2 Gigabit uplink ports
  – Manages 6/16/48 APs
  – 802.11b&g and 802.11a/b&g (multimode)
OAW6000 with Sup III
• Capacity
  – Up to 2,048 Campus Connected APs
  – Up to 8,192 Remote APs
  – Up to 32,768 Users
• Performance
  – 80 Gbps Clear (full-duplex)
  – 32 Gbps Crypto (3DES, AESCBC256)
  – 16 Gbps Crypto (AES-CCM)
• Compatibility
  – Up to 4 Sup III per 6000 chassis
  – Supports legacy Line cards
  – Requires 400 watt PSU
• All Components Modular, Hot-Swappable
[Figure labels: 40x 1000Base-X (SFP); 8x 10GBase-X (XFP); Fan Tray; Redundant PSUs; Up to 4 M3 Modules]
OAW 4504, 4604, 4704
Capacity
• OAW-4504
  • Up to 32 Campus Connected APs
  • Up to 128 Remote APs
  • Up to 512 Users
• OAW-4604
  • Up to 64 Campus Connected APs
  • Up to 256 Remote APs
  • Up to 1,024 Users
• OAW-4704
  • Up to 128 Campus Connected APs
  • Up to 512 Remote APs
  • Up to 2,048 Users
Performance
• 1.6 Gbps, 4 Gbps and 8 Gbps crypto performance (3DES, AESCBC256)
• 800 Mbps, 2 Gbps, 4 Gbps crypto performance (AESCCM)
• 3 Gbps, 4 Gbps, and 4 Gbps wired Non-encrypted Throughput Performance (full-duplex)
Interfaces
• 4x Dual personality ports 10/100/1000Base-T (RJ-45) or 1000Base-X (SFP)
• 1 x RJ-45 Serial Console Port
Programmable Architecture
• Multi-core, Multi-threaded Network Processor
• Dedicated Crypto cores
[Figure labels: Dedicated Network Processors; Dedicated Hardware Crypto Cores; Multiple Dedicated Control Processors; 1RU 19” Enclosure; Serial Console Port; Status LEDs; 4x Dual personality ports 10/100/1000Base-T (RJ-45) or 1000Base-X (SFP)]
Alcatel-Lucent WLAN Switch performance
[Figure: number of APs versus performance (clear text / encrypted), annotated "Pay as you grow capability".
Deployment classes: Branch; Large Branch; Regional HQ; Medium-802.11n; Large – 802.11n.
Models shown: OAW-4304; OAW-4308; OAW-4324; OAW-4504; OAW-4604; OAW-4704; OAW-6000-512 (Dual Supervisor II); OAW-6000-2048 (with Supervisor III).
Number of AP axis: 4, 16, 32, 48, 64, 128, 256, 512, 2048.
Performance axis (clear text / encrypted): 1 Gbps / 200 Mbps; 2 Gbps / 400 Mbps; 6 Gbps / 1.6 Gbps; 8 Gbps / 4 Gbps; 8 Gbps / 8 Gbps; 8 Gbps / 7.2 Gbps; 80 Gbps / 32 Gbps.]
Introduction to Alcatel-Lucent Access Points (11a/b/g)
Single Radio APs (OAW-AP60, OAW-AP61)
• Software Configurable 802.11a OR b/g
• AP / Air Monitor / Remote AP / Mesh
• Internal or External Antenna Options
Dual Radio APs (OAW-AP70, OAW-AP65, OAW-AP85)
• Dual-Radio 802.11 a AND b/g
• AP / Air Monitor / Remote AP / Mesh
• Dual Fast Ethernet Interfaces (OAW-AP70) for resiliency of secured RJ-45 port
• Extensible USB Interface Port (OAW-AP70)
• Weatherproof, Outdoor (OAW-AP85)
Introduction to Alcatel-Lucent Access Points (11n)
802.11n Ready APs (OAW-AP120 abg, OAW-AP121 abg)
• Single Radio 802.11a OR b/g
• AP / Air Monitor / Remote AP / Mesh
• Adaptive PoE (802.3af, PoE+, 802.3at)
• Dual Gigabit Ethernet Interfaces (resiliency and secured RJ-45 port)
• 802.11n SW upgrade for future
802.11n MIMO APs (OAW-AP124, OAW-AP125)
• Dual Radio pre-802.11n a/n AND b/g/n
• 3x3 MIMO 300Mbps per radio
• AP / Air Monitor / Remote AP / Mesh
• Adaptive PoE (802.3af, PoE+, 802.3at)
• Dual Gigabit Ethernet Interfaces (resiliency and secured RJ-45 port)
Enterprise WLAN
The Business Benefits
Mobility
• enterprise-wide WLAN
• guest access
• internal WLAN hotspots
• remote / branch office access
• small office, home office access
Location tracking
• users
• equipment assets
• security
Converged communication services
• converged mobile devices
• fixed / mobile convergence
Enterprise WLAN
Requirements / Challenges
Deployment
• no disruption of existing network
• RF engineering
• new infrastructure
• network redesign and upgrades
Management
• design and configuration
• monitoring
• troubleshooting
• growth
Security
• authentication and encryption
• identity-based security and guest access
• rogues, ad-hoc networks, hacks and attacks
• firewalling
Availability
• coverage
• reliability
• mobility
• performance
Convergence
• QoS
• security
• load balancing
• voice-aware
Addressing the Management Challenges
Planning, Deploying and Managing

Simplest RF planning tool

Zero-touch AP deployment model

Adaptive radio management

Real-time coverage maps

Centralized configuration and monitoring

Integrated packet capture for easy troubleshooting

Integrated location tracking
Addressing the Availability Challenges
Reliability, Coverage and Mobility
• VRRP-based redundancy requires no AP provisioning
• HotStandby APs automatically become aware of redundant topology when deployed across L3 boundary
• Modular architecture for scalability
• Remote office connectivity with site-to-site VPN
• Home office connectivity with remote AP
• Mobile office connectivity with client VPN
[Figure labels: Split-second VRRP Failover; Data Center; Built-in Site-to-site IPSec VPN; Internet; Branch Office; Remote AP with IPSec VPN; Regional Office; Auto-awareness of Redundant topology (No priming needed); Home Office; Public Hotspot; OAW Client]
Addressing the Security Challenges
Authentication, Authorization and Control
• Integrated stateful firewall
• Role-based access control
• Built-in client integrity
• Centralized 802.11i security
• Built-in AAA services
• L1-L7 wireless IPS
• Rogue detection services
• Quarantine Manager
[Figure labels: Direct Interface to Microsoft Active Directory; Active Directory; Wireless Controller; Centralized Encryption Keys; Rights, QoS, VLAN; Built-in Rogue Detection & Containment; Wired L2 / L3 Transport; Access Point; SSID: GUEST; SSID: CORP; SSID: VOICE; Rogue AP; Scan & Quarantine; Un-trusted Users; Employees; Voice; Guest]
Addressing Enterprise Applications
Convergence Services to Meet the Needs of Business

QoS for application-aware traffic management

Security to protect the network, users, and remote clients

Load-balancing automatically distributes clients across
multiple APs

Application-aware design allows better management of time
sensitive applications (voice)
Adding VoIP is Easy with OmniAccess Wireless
• Bi-directional QoS on wired and wireless network
• Voice flow classification ensures QoS for converged devices with single SSID for voice and data
• Call admission control ensures QoS in the wireless environment
• Secure devices that support only MAC auth against spoofing
[Figure callouts:]
1. Protocol-aware voice flow classification and security
2. 802.1p or DSCP prioritized voice packets
3. Call admission control distributes call volume between access points
4. Converged voice and data packet stream with WMM tags
5. RF management stops channel scanning when voice clients are present
[Figure labels: Wired Data Packets; Wireless Single ESSID for Voice & Data]
OmniAccess Wireless Features and Services
Base Feature Set
Base Software
• Alcatel-Lucent’s standard WLAN software provides unprecedented control over the entire wireless environment, offering intelligent / centralized WLAN switching and advanced services.
Services Included in Base Software
• WLAN switching and Dynamic RF management
• Embedded management
• Adaptive Radio resource Management (ARM)
• Authentication – MAC, 802.1x, Captive Portal
• Encryption – WEP, WPA, WPA2 / 802.11i
• Mobility – seamless hand-over – L2/L3
• Rogue Access Point Detection, Classification, Containment
• Wireless QoS – WMM, SVP, T-Spec, U-APSD
• Per SSID AAA server selection
• Switch to switch IPSec encryption for control traffic
[Figure labels: OMNI VISTA MOBILITY MANAGER; OmniAccess WLAN Switch]
OmniAccess Wireless Features and Services
Additional Hardware and Software Modules
OmniVista Air Manager
• Centralized visibility of the mobile edge
Switch level modules
• Policy Enforcement Firewall module
• Wireless Intrusion Protection (WIP) module
• Voice Service Module
• VPN Server Module
• Mesh AP License Module
• Remote AP License Module
• External Services Interface Module
• xSec Module
[Figure label: OMNI VISTA3600 MOBILITY MANAGER]
OmniAccess Wireless Features and Services
Policy Enforcement Firewall Module
Policy Enforcement Firewall module
• User and group policy enforcement through an integrated, ICSA-certified stateful firewall
• Security policies can be centrally defined and enforced on a per-user or per-group basis
• Policies are enforced dynamically, following users as they move and taking into account a variety of metrics such as:
  – User location
  – Time-of-day
  – Device type
  – Authentication method
Key benefits
• Firewall permit/deny/drop/log (ICSA certified to version 4.1 corporate standard)
• Role-based services for user / group class of service differentiation, bandwidth contracts
• QoS - priority traffic queues, BW contracts, traffic marking 802.1p/DSCP
OmniAccess Wireless Features and Services
Wireless Intrusion Protection Module
Wireless Intrusion Protection module
 Patented classification technology that
identifies and protects against
vulnerabilities and malicious attacks
 Ad-hoc networks
 Client and AP impersonation
 Denial of service attacks
 Man-in-the-middle attacks
Key benefits

Detection of:
 Network probing and DoS attacks, impersonation and man-in-the-middle
attacks
 Unauthorized devices (ad-hoc networks,Windows bridging, wireless bridges)

Prevention of:
 Clients roaming to unauthorized APs
 Attempted intrusion
OmniAccess Wireless Features and Services
Voice Service Module
Voice service module
• Stateful VoWLAN QoS
• Voice Connection Admission Control
• Stateful voice load balancing
• Voice-aware ARM, 802.1x
• Automatic Voice Prioritization
• Troubleshooting and security
• WMM, T-Spec enforcement
• Phone number awareness
• Voice flow quality measurement
[Figure labels: “off-hook” (active) phones; “on-hook” phone]
Key benefits
• Improved end user experience
  • QoS mechanisms such as CAC ensure optimum audio quality even as network load increases
  • Mechanisms such as voice-aware QoS and stateful load balancing minimize call drops
• Improved troubleshooting and security
  • Voice clients are identified by phone numbers; key call quality metrics are available to the network administrator
  • WMM and T-Spec security is enforced by stateful firewall
OmniAccess Wireless Features and Services
VPN Server Module
VPN Server module
• Integration support for a variety of VPN implementations
• Eliminates need for discrete, external VPN concentrators
• Hardware acceleration provides LAN-speed VPN connectivity
• Both client termination as well as site-to-site VPNs are supported
• Supported VPN protocols include:
  – L2TP/IPSec
  – IPSec/XAUTH
  – PPTP
Key benefits
• Complete client VPN services - PPTP, L2TP/IPSec
• Site-to-site VPN services - IPSec NAT-T transport mode tunnels between OmniAccess WLAN switches or third-party VPN concentrators
OmniAccess Wireless Features and Services
Mesh AP License Module
Mesh Link
Mesh Path
OmniAccess
Mesh Point
OmniAccess
Mesh Portal
OmniAccess WLAN switch
Mesh AP module
Wire-line network
 Securely extend wireless network beyond the reach of wire-line
infrastructure
 Mesh Points and Mesh Portals allow seamless, campus-like WLAN
connectivity
 Mesh Points support Ethernet bridging over the mesh network
Key benefits
 Allows for coverage of areas such as university campuses, docks, ship yards,
warehouses where wires cannot be used
 Consistent services and management model with regular APs
 Survivability – survives mesh points / mesh portal through dynamic L2 routing
protocols
OmniAccess Wireless Features and Services
Remote AP License Module
Remote AP module
 Securely extend corporate wireless
functionality to any location with an
Internet connection
 Remote APs allow seamless,
corporate-like WLAN connectivity
 Remote office
 Home
 Anywhere a mobile worker
chooses to work
Key benefits
 Remote access point - termination of remotely deployed APs using IPSec transport
 Flexible modes of operation:
 Tunnel mode – all traffic is tunneled to the WLAN switch
 Local bridging – all traffic is forwarded by the Remote AP at the remote
location
 Split tunneling (requires PEF module) – policy-based forwarding of packets in
the tunnel or locally
 Survivability – survives WAN failure with pre-shared key auth/encryption
OmniAccess Wireless Features and Services
External Services Interface Module
External Services Interface module
 Per FQDS AAA server selection
 Allows an OmniAccess WLAN switch
to communicate with external
service devices (Fortinet cluster)
 Supports advanced interaction with
authentication, authorization, and
accounting (AAA) services
infrastructure
Key benefits
 Choice of AAA server for authentication
 XML API for captive portal (external captive portal server support)
 Content inspection with external appliance, Fortinet integration
Note: requires that the Policy Enforcement Firewall module is installed
OmniAccess Wireless Features and Services
xSec Module
xSec module
 Termination of highly secure xSec
client sessions
 Link-layer 256-bit AES-CBC
encryption with complete header
obscuration for highly sensitive
environments
 Enables encryption of trunk ports
between WLAN switches based on
the same strong encryption
standard
X-Sec Tunnel
X-Sec Tunnel
Layer 2 Connectivity
Key benefits
 Client/server xSec: termination of AES layer 2 xSec secure VPN sessions
 Point/point xSec: termination of AES layer 2 xSec secure VPN switch port
session
Completing the Solution
Benefits of Alcatel-Lucent’s Enterprise Portfolio

End-to-end, highly available, consistent solution
 complete set of switching solutions sharing common feature set thus enabling
the perfect fit for any need
 superior availability for better voice services

Smart PoE for every need
 PoE flavors for all switching needs
 dynamic power allocation allowing maximized efficiency

Enhanced security
 unique support of 802.1x authentication
 not recognition but authentication

Best in class support for VoWLAN
 roaming, handover, QoS, security

Single management platform
 wired, wireless and voice management on the same server
 same GUI and look and feel across applications
Wireless Network Management Platform
Supported Platforms: OmniVista 3600 Air Manager

Hardware
 2 servers to support the OV3600 applications (OV3600-HWPRO, OV3600-HWENT)
Software
 Centralized network management (Network Discovery, Firmware distribution, Real-time
and historical trend reports)
 Granular administrative access (Role-based, Network segment based)
 Rogue Access Point Detection and Classification
 Display of location information for all wireless users and devices
 Up-to-date heatmaps and channel maps for RF diagnostics
Summary: The Alcatel-Lucent WLAN solution
Delivering business benefits…
• mobility
• location tracking
• converged communication services
…by meeting the Wireless LAN challenges
• management
• security
• availability
• convergence services
Best-in-class functionality for lowest TCO
• Easy to deploy
• Easy to secure
• Easy to manage
• Easy to scale
• Easy to add voice
2. Wireless Basic
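WLAN Overview
A wireless LAN is a network that uses the air as its communication channel, carrying data over high-frequency radio waves (Radio Frequency) or infrared instead of the twisted-pair or coaxial cable used as the transmission medium in a wired LAN.
Products use a variety of data transmission methods, but considering range, performance and security, spread-spectrum wireless LANs using the ISM and UNII bands are the most common.
By giving users high mobility, convenience, ease of deployment and scalability, wireless LANs are widely used to complement or replace existing LANs and so improve efficiency and productivity.
[Figure: ISM and UNII Spectra]
International standardization: since October 1990 the IEEE 802.11 committee has been standardizing the wireless medium access control and physical layer specifications in line with the OSI reference model.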
WLAN standards (802.11 a/b/g)
Protocol                    802.11         802.11a                802.11b                802.11g
Frequency band              2.4 GHz        5 GHz                  2.4 GHz                2.4 GHz
Maximum data rate           1, 2 Mbps      54 Mbps                11 Mbps                54 Mbps
Modulation                  FHSS, DSSS     OFDM                   DSSS                   OFDM
Actual maximum throughput   1.2 Mbps       25 Mbps                5 Mbps                 20 Mbps
Average range               100 m          70 m                   100 m                  100 m
Encryption                  Yes            Yes                    Yes                    Yes
Encryption type             40 bit, RC4    40 bit, 104 bit, RC4   40 bit, 104 bit, RC4   40 bit, 104 bit, RC4
Authentication method       No             802.1X                 802.1X                 802.1X
Other
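WLAN standards (802.11n)
SISO -> MIMO
Moving from SISO (Single Input Single Output) to MIMO (Multiple Input Multiple Output) multi-antenna transmit/receive technology raises data transfer efficiency, and MIMO smart antennas minimize noise and steer a smooth data transmission path.
More efficient MAC
Actual data throughput is brought close to the physical-layer rate, guaranteeing users at least 100 Mbps (maximum 600 Mbps).
In existing systems, to make communication reliable, the sender must wait for the acknowledgment packet (ACK) from the access point each time it sends a packet. And to allocate transmit opportunities fairly, even a WLAN station that wants to keep sending cannot send the next packet until it has waited a fixed time for the ACK. 802.11n uses its frame aggregation (Focusing) feature to minimize the frequency of ACKs and maximize efficiency.
Longer transmit/receive range through multiple antennas and advanced coding
The reachable range is extended while a consistent wireless speed is maintained (about 3 times the current range).
• Standardization expected to be completed in 2010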
WLAN standards (802.11n)
Protocol                    802.11n                         802.11n
Frequency band              5 GHz                           2.4 GHz
Maximum data rate           approx. 600 Mbps                approx. 300 Mbps
Modulation                  MIMO & improved OFDM            MIMO & improved OFDM
Actual maximum throughput   300 Mbps or more                150 Mbps or more
Average range               approx. 210 m                   approx. 300 m
Encryption                  Yes                             Yes
Encryption type             40 bit, 104 bit, 152 bit, RC4   40 bit, 104 bit, 152 bit, RC4
Authentication method       802.1X                          802.1X
Other
WLAN security technologies
[Figure: authentication and encryption methods placed on a scale from "Not Secure" to "Most secure"]
Authentication labels: Open; Shared Key; SSID Disabled; MAC Filtering; MAC Authentication; EAP-MD5; PEAP; EAP-TTLS; EAP-TLS; Authentication server
Encryption labels: Default; Static WEP; Dynamic WEP; WPA; TKIP; AES; etc
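Extensible Authentication Protocol (EAP) authentication types [comparison table]
Topic                  EAP-MD5          EAP-TLS         EAP-TTLS        PEAP            LEAP
Security standard      International    International   International   International   Cisco Only
Client certificate     N/A              Required        Not required    Not required    N/A
Server certificate     N/A              Required        Required        Required        N/A
Credential security    None             Strong          Strong          Strong          Weak
Dynamic key change     Not supported    Supported       Supported       Supported       Supported
Mutual authentication  Not supported    Supported       Supported       Supported       Supported

Supported authentication databases:
  EAP-MD5:  cleartext-based database
  EAP-TLS:  Active Directory
  EAP-TTLS: Active Directory, NT Domains, Token, SQL, LDAP
  PEAP:     Active Directory, NT Domains, Token, SQL, LDAP
  LEAP:     Active Directory, NT Domains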
WLAN secure connection flow
[Figure: message sequence between STA, AP and Radius]
IEEE802.11&11i
  802.11 Beacon
  802.11 Associate-Request
  802.11 Associate-Response
IEEE802.1X
  EAPOL-Start
  EAP-Request/Identity
  EAP-Response/Identity
  RADIUS-Access-Request
  RADIUS-Access-Challenge
  EAP-Request
  EAP-Response(Credentials)
  RADIUS-Access-Request
  RADIUS-Access-Accept & MS-MPPE(PMK)
  EAP-Success
IEEE802.11i
  EAPOL-Key(P, ANonce)
  EAPOL-Key(P, SNonce, MIC, RSN IE)
  EAPOL-Key(P, ANonce, MIC, RSN IE)
  EAPOL-Key(P, MIC)
  EAPOL-Key(G, Index, GNonce, RSC, MIC, GTK)
  EAPOL-Key(G, MIC)
IEEE802.11aa
  Access Allowed
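The IEEE802.11i step of the flow above, the four EAPOL-Key(P, …) messages that follow delivery of the PMK, as an added example that is not part of the original slides. It derives the pairwise keys on both sides and checks the MIC the way the AP and STA would; the PMK, MAC addresses, nonces and frame bodies are constructed values, and the frames are simplified byte strings rather than real EAPOL-Key encodings.

```python
import hashlib
import hmac


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11i PRF: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated."""
    out, counter = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]),
                        hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """Pairwise key hierarchy for CCMP (AES): 48 bytes split into KCK, KEK and TK."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:]}


def mic(kck: bytes, frame: bytes) -> bytes:
    """EAPOL-Key MIC for WPA2/CCMP: HMAC-SHA1 over the frame, truncated to 16 bytes."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]


def four_way_handshake(ap_pmk, sta_pmk, aa, spa, anonce, snonce, tamper=False) -> dict:
    """Run messages 1-4 and report where, if anywhere, MIC verification fails."""
    # Message 1, AP -> STA: EAPOL-Key(P, ANonce). It carries no MIC because
    # the STA has no key yet; once it has ANonce it can derive its PTK.
    sta = derive_ptk(sta_pmk, aa, spa, anonce, snonce)

    # Message 2, STA -> AP: EAPOL-Key(P, SNonce, MIC, RSN IE).
    msg2 = b"M2|" + snonce + b"|RSN-IE"
    msg2_mic = mic(sta["kck"], msg2)
    if tamper:  # body altered in transit, MIC left unchanged
        msg2 = b"M2|" + snonce + b"|RSN-IE-modified"

    # The AP derives its own PTK from SNonce and verifies the MIC. A mismatch
    # means a different PMK (wrong credentials) or a modified frame.
    ap = derive_ptk(ap_pmk, aa, spa, anonce, snonce)
    if not hmac.compare_digest(mic(ap["kck"], msg2), msg2_mic):
        return {"completed": False, "failed_at": 2, "tk_match": False}

    # Message 3, AP -> STA: EAPOL-Key(P, ANonce, MIC, RSN IE), checked by the STA.
    # Message 4, STA -> AP: EAPOL-Key(P, MIC), checked by the AP.
    steps = [(3, b"M3|" + anonce + b"|RSN-IE", ap, sta), (4, b"M4", sta, ap)]
    for number, frame, sender, receiver in steps:
        sent_mic = mic(sender["kck"], frame)
        if not hmac.compare_digest(mic(receiver["kck"], frame), sent_mic):
            return {"completed": False, "failed_at": number, "tk_match": False}

    return {"completed": True, "failed_at": None, "tk_match": ap["tk"] == sta["tk"]}


# Constructed sample values (real nonces are random, real PMKs come from EAP).
PMK = hashlib.sha256(b"constructed PMK for illustration").digest()
WRONG_PMK = hashlib.sha256(b"a different constructed PMK").digest()
AA = bytes.fromhex("020000000001")    # authenticator (AP) MAC address
SPA = bytes.fromhex("020000000002")   # supplicant (STA) MAC address
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))

if __name__ == "__main__":
    print(four_way_handshake(PMK, PMK, AA, SPA, ANONCE, SNONCE))
    print(four_way_handshake(PMK, WRONG_PMK, AA, SPA, ANONCE, SNONCE))
    print(four_way_handshake(PMK, PMK, AA, SPA, ANONCE, SNONCE, tamper=True))
```

The PMK itself never crosses the air: only the nonces and MICs do, which is why a mismatch at message 2 is the point where a wrong credential or a modified frame shows up.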
WLAN Switch - Multi-Layered Security
Application Security
Network-Layer Security
Link-Layer Security
Wireless Intrusion Protection
Centralized Wireless
[Figure labels: ACCESS; DISTRIBUTION; CORE; DATA CENTER; FLOOR x; EMPLOYEE; GUEST; GRE Tunnel; WLAN Controller]
AP Communications
1. When the AP is connected to a switch port and powered on, it looks for the Controller using its configured IP. (If the AP uses DHCP, it receives its IP from the DHCP server.)
2. The AP receives its boot image (TFTP) from the Controller and creates a PAPI (UDP 8211) connection for the control protocol.
3. The AP is authenticated by the WLAN controller, and a GRE tunnel is created between the AP and the Controller.
4. All client traffic is sent to the Controller encrypted within the GRE tunnel.
WLAN Switch operation flow
1. The client sends an 802.11 association request, which is automatically forwarded through the AP to the WLAN switch.
2. The WLAN switch replies with an association acknowledgement.
3. The client and the WLAN switch carry out the 802.1x authentication procedure together with the RADIUS server.
4. The encryption key is passed to the WLAN switch, and once the user's encryption keys have been obtained, encrypted data starts to be sent.
5. The WLAN switch, working at the 802.11 MAC level, decrypts data, processes packets, applies services and forwards packets.
[Figure: steps 1 to 5 shown between the client, the WLAN switch, RADIUS and the Corp Backbone]
Generic Routing Encapsulation (GRE)
[Figure: packet layout drawn against bit positions 0, 8, 16, 31]
IP packet = Delivery Header + GRE packet (GRE Header + Payload Packet)
• Delivery Header: Ver, HL, TOS, Total Length, Identification, Flags, Fragm. Offset, TTL, Protocol, Header Checksum, Src Address, Dest Address
• GRE Header: C, Reserved, Ver, Protocol Type, Checksum (opt.), Reserved1 (opt.)
• Payload Packet: payload packet (original)
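A parser for the layout on this slide (IPv4 delivery header, then the GRE header with its C bit, version, Protocol Type and optional Checksum/Reserved1 fields), as an added example that is not from the original slides. The sample packet is constructed: 172.16.12.2 is the switch address used later in this deck, while the AP address, protocol type and payload bytes are assumptions. None of the header fields shown provides encryption or authentication; the optional checksum only detects corruption.

```python
import socket
import struct

IPPROTO_GRE = 47  # value of the "Protocol" field in the delivery header


def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum used by both the IPv4 and GRE headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_gre(src: str, dst: str, proto_type: int, payload: bytes,
              with_checksum: bool = True) -> bytes:
    """Build a constructed sample: delivery header + GRE header + payload."""
    gre = struct.pack("!HH", 0x8000 if with_checksum else 0, proto_type)
    if with_checksum:
        csum = inet_checksum(gre + b"\x00\x00\x00\x00" + payload)
        gre += struct.pack("!HH", csum, 0)  # Checksum, Reserved1
    total_len = 20 + len(gre) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64,
                     IPPROTO_GRE, 0, socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + gre + payload


def parse_gre(packet: bytes) -> dict:
    """Parse the delivery header and GRE header; raise ValueError on bad input."""
    if len(packet) < 20:
        raise ValueError("truncated delivery header")
    (ver_hl, _tos, total_len, _ident, _frag, _ttl, proto, _hcsum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    hl = (ver_hl & 0x0F) * 4
    if ver_hl >> 4 != 4 or hl < 20:
        raise ValueError("not an IPv4 delivery header")
    if proto != IPPROTO_GRE:
        raise ValueError("delivery header does not carry GRE")
    if total_len > len(packet) or total_len < hl + 4:
        raise ValueError("truncated GRE packet")
    gre = packet[hl:total_len]
    flags, proto_type = struct.unpack("!HH", gre[:4])
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")
    if flags & 0x7C00:
        raise ValueError("flag bits other than C are set")
    has_csum = bool(flags & 0x8000)
    hdr_len = 8 if has_csum else 4
    if len(gre) < hdr_len:
        raise ValueError("truncated GRE header")
    return {
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "ip_header_ok": inet_checksum(packet[:hl]) == 0,
        "checksum_present": has_csum,
        # A correct checksum makes the sum over header + payload fold to zero.
        "checksum_ok": (inet_checksum(gre) == 0) if has_csum else None,
        "protocol_type": proto_type,
        "payload": gre[hdr_len:],
    }


# Constructed sample packet (AP address, protocol type and payload are assumptions).
SAMPLE_PACKET = build_gre("172.16.12.10", "172.16.12.2", 0x0800,
                          b"constructed inner packet!")

if __name__ == "__main__":
    print(parse_gre(SAMPLE_PACKET))
```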
Radio Distance
134 ft = 40 m
2 (b) /36 (a/g) Mbps
90 ft = 27 m
5.5 (b) /48 (a/g) Mbps
44 ft = 14 m
11 (b) /54 (a/g) Mbps
3. CLI Configuration Overview
CLI Configuration Overview
• The OAW Switch supports configuration through both the CLI and the GUI (Web)
• CLI access methods
  – Local Serial Interface
  – Remote Telnet or SSH session
• GUI access method
  – Remote Web browser
  – Internet Explorer and Netscape/Firefox are supported
• The CLI has three modes
  – User
  – Enable or Privileged
  – Configure
CLI Access
• In the default state, access is possible through the Serial Console or SSH
• Serial
  – Cisco-compatible RJ-45 serial cable
  – 9600, N, 8, 1, No flow control
• SSH
  – Version 2
  – Password based
• To allow Telnet access, the following setting is required
  (Alcatel 4324) (config) #telnet cli
CLI User Mode
• User Mode
  – The prompt is ( > )
    (Alcatel 4324) >
  – Basic utilities (Ping, Traceroute, etc) are available
• The following are not available in User mode
  – Display or changing of any info that might be a security risk, such as ACLs, Policies, SNMP, IP addressing, etc.
  – Entry into Configuration mode
    – Must enter Enable mode first
• The “enable” command switches to Enable mode
CLI Enable Mode
• Enable Mode
  – The prompt is (#)
    (Alcatel 4324) #
  – All configuration information can be displayed
  – Configuration mode can be entered
• The “configure terminal” command switches to Configuration mode
• The “exit” command returns to User mode
CLI Configuration Mode
• Configuration Mode
  – The prompt is “(config) #”
    (Alcatel 4324) (config) #
  – In this state the user can configure the OAW switch
  – Configuration mode can only be entered from Enable mode
• ^Z or the “exit” command returns to Enable mode
• Commands entered are applied to the running config immediately
• A command is needed to save the config to Startup (NVRAM)
  (Alcatel 4324) (config) # copy running-config startup-config
CLI Feature Overview
• Command Completion
  – Commands can be completed with the <TAB> key
• Context-sensitive help
  – The “?” command shows the commands that can be used next
(Alcatel 4324) #cl?
clear                   Clear configuration
clock                   Configure the system clock
(Alcatel 4324) #clock ?
set                     Set the time and date
CLI Feature Overview
• Commands for viewing the configuration
(Alcatel 4324) #show running-config
(Alcatel 4324) #show startup-config
• The following options can be used when displaying the configuration
(Alcatel 4324) #show running-config | ?
begin                   Begin with the Line that matches
exclude                 Exclude Lines that match
include                 Include Lines that match
• Command for deleting the switch configuration
(Alcatel 4324) #write erase all
All the configuration will be deleted. Press 'y' to proceed :y
Write Erase successful
Write erase: deletes the entire configuration only
Write erase all: deletes the entire configuration and the registered licenses as well
OmniAccess File System
• 256MB of Flash (varies by model)
• Divided into 3 partitions
  – 2 system partitions (45MB each)
  – 1 user partition (165MB)
• System partitions
  – Hold system software
  – 2 copies - Active and Backup
• User partition
  – Holds everything else
  – Startup config
  – Databases
  – Log files
File System Commands
• File system commands
  – Dir
    Lists the files in the flash file system
  – Delete
    Deletes a file from the flash file system
  – Copy
    The copy command can be used in Enable or Config mode
    (Alcatel 4324) #copy [source] [destination]
• Source and Destination can be:
  – flash:
  – ftp:
  – Log
  – running-config
  – startup-config
  – system:
  – tftp:
CLI Copy Command
• Command to back up the running configuration to a TFTP server
(Alcatel 4324) #copy running-config tftp: 172.16.1.50 2400.cfg
Saved Configuration
Rebooting the OmniAccess Switch
• The switch can be rebooted with the ‘reload’ command (Enable Mode)
(Alcatel 4324) #reload
Do you want to save the configuration(y/n): y
Saving Configuration...
Saved Configuration
Do you really want to reset the system(y/n): y
System will now restart!
Port Naming Conventions
• Port type format in the CLI
  – <port type> <slot number>/<port number>
  – “FastEthernet” - 10/100 Ethernet port
  – “GigabitEthernet” - Gigabit Ethernet port
• Exception
  – “port-channel” - Etherchannel - port-channel <#>
4. GUI Configuration Overview
GUI (Web) Management Access
• After initial setup, all system management can be done through the GUI
• The GUI allows monitoring of changes in wireless information and configuration of the wireless setup
GUI Access
• Once the initial configuration is complete, the GUI can be reached with a web browser
  – http://switchip
  – https://switchip:4343
Monitoring / Network Summary Screen
Configuration / Wireless Screen
Diagnostics / Network Screen
Maintenance / Switch Screen
Plan Screen
Events & Reports Screen
5. Basic System Setup
Initial Setup Dialog
- On first boot (or after the config has been reset), the switch presents an initial setup dialog for setting the basic switch parameters
- The initial setup is available only on the serial console
- The initial setup cannot be skipped
***************** Welcome to the OAW-4308 setup dialog *****************
This dialog will help you to set the basic configuration for the switch.
These settings, except for the Country Code, can later be changed from the
Command Line Interface or Graphical User Interface.
Commands: <Enter> Submit input or use [default value], <ctrl-I> Help
<ctrl-B> Back, <ctrl-F> Forward, <ctrl-A> Line begin, <ctrl-E> Line end
<ctrl-D> Delete, <BackSpace> Delete back, <ctrl-K> Delete to end of line
<ctrl-P> Previous question <ctrl-X> Restart beginning
Initial Setup Dialog
Enter system name [Alcatel 4324]:
The hostname is used as the CLI prompt and the SNMP system name. It is also the name displayed in the GUI and the Captive Portal.
Enter VLAN 1 interface IP address [172.16.0.254]:
Sets the interface IP address for the switch's default VLAN.
Enter VLAN 1 interface subnet mask [255.255.255.0]:
Sets the VLAN interface subnet mask.
Enter IP Default gateway [none]:
Sets the switch's default route (the IP of the uplink router).
Enter Switch Role, (master|local) [master]:
Sets the switch role. Choose master for a single-switch network; choose local if the switch is being added to an existing network.
Initial Setup Dialog
Enter country code (ISO-3166), <ctrl-I> for supported list:
Sets the country code for the country where the switch is used. For Korea, set “KR”.
Enter password for admin login (up to 32 chars):
Sets the password for “admin”.
Enter password for enable mode (up to 15 chars):
Sets the password for enable mode.
Do you wish to shutdown all the ports (yes|no)? [no]:
Sets whether all ports are shut down by default.
Initial Setup Dialog
Current choices are:
System name: OAW-4324
VLAN 1 interface IP address: 172.16.12.2
VLAN 1 interface subnet mask: 255.255.255.0
IP Default gateway: 172.16.12.1
Switch Role: master
Country code: KR
Ports shutdown: no
If you accept the changes the switch will restart!
Type <ctrl-P> to go back and change answer for any question
Do you wish to accept the changes (yes|no)
After you confirm the basic config and the switch reboots, it loads with the basic config.
Setting Date and Time
- Set the date/time manually in enable mode
(Alcatel 4324) #clock set <year> <month> <day> <hour> <minute> <seconds>
- NTP server
(Alcatel 4324) (config) # ntp server x.x.x.x
- Timezone and DST are configured in config mode
(Alcatel 4324) (config) # clock timezone PST -8
(Alcatel 4324) (config) #clock summer-time PDT recurring first sunday april 02:00 last sunday october 02:00 -7
Setting System Contact
- The system contact is shown in SNMP queries and on the GUI login page
(Alcatel 4324) (config) # syscontact "John Smith x1234"
Additional S/W Module License
- Register a software module with the “license add” command
(Alcatel 4324) (config) # license add xxxxxx-xxxxxx-xxxxx-xxxxx-xxxx
- A reload is required after “license add”
Switch Management Configuration
- SNMP, SYSLOG, and user administration can be configured in the GUI
Configuration/Management
Access Control
- Roles can be set for management users
Configuration/Management/Administration
Vlan Configuration
- VLANs can also be configured through the GUI
  - Configuration/Network/VLAN
- VLANs can be:
  - Created
  - Deleted
  - Add L3 VLAN Interfaces
  - Assign DHCP Helper addresses
- In the CLI:
(Alcatel 4324) (config) #vlan 10
(Alcatel 4324) (config) #interface vlan 10
(Alcatel 4324) (config-subif)#ip address x.x.x.x <mask>
(Alcatel 4324) (config) #interface FastEthernet 1/0
(Alcatel 4324) (config-if) #switchport access vlan 10
Vlan Configuration
Port Configuration
- Ports can also be configured through the GUI
  - Configuration/Switch/Port
- One or more ports can be selected and:
  - Enabled or disabled
  - Assigned to VLANs
  - Made trusted or untrusted
  - Enable 802.3af POE (default) or Cisco POE
  - Assign a Firewall Policy (not used for AP connectivity)
  - Made an 802.1q trunk port
- When using the GUI, you must click “Apply” after making changes to push the changed commands to the switch, and click the “Save Configuration” button to save the current running config to the startup config
Port Configuration
Port Mirroring
- Port mirroring can be configured only through the CLI
(Alcatel 4324) (config) #interface fastethernet 1/22
(Alcatel 4324) (config-if)#port monitor fastethernet 1/0
- With the configuration above, all traffic on 1/0 is copied to 1/22
DHCP Configuration
- Two modes:
  - External DHCP Server (recommended)
    - DHCP Relay (Helper Address)
    - Configured on a per-VLAN basis at: Configuration/Network/VLAN
  - Internal DHCP Server
    - Configured via: Configuration/Network/IP/DHCP Server
    - Configured independently of VLANs - Subnet will match VLAN to DHCP scope
    - Recommend naming scope after VLAN - i.e. “vlan-4”
    - Must assign a complete subnet, then exclude ranges of addresses
DHCP Configuration
ESSID Configuration
- In the GUI, a profile for the ESSID must first be created at the following path
  - Configuration/Advanced Services/All Profile Management/Wireless LAN
AP Provisioning
- AOS-W <3.0
  - Location code (1-256).(1-256).(1-163
    - bldg . floor . location
  - Controller configuration
    - ap location 0.0.0 : All APs
    - ap location 2.3.0 : Bldg 2, floor 3 APs
    - ap location 2.3.6 : Bldg 2, floor 3, AP 6
- AOS-W 3.0
  - ap-name “can be set using 63 or more English letters and digits”
  - ap-group “can be set using 63 or more English letters and digits”
  - All controller config done through “ap-group” and “ap-name” statements
AP Provisioning
- Initial AP default values
  - ap-name == AP wired MAC address
  - ap-group == “default”
- Each AP must be configured to belong to the ap-group it will use
AP Provisioning
Radio Configuration
- Configuration/Advanced Services/All Profile Management/RF Management
Spanning Tree
- By default, all ports on the switch run STP & RSTP spanning tree in VLAN 1
- Spanning tree can be modified globally through the GUI at: Configuration/Network/Switch
- To disable spanning tree in the CLI:
  - Globally:
(Alcatel 4324) (config) #no spanning-tree
  - On a per-interface basis:
(Alcatel 4324) (config) #interface fastethernet 1/0
(Alcatel 4324) (config-if)#no spanning-tree
Profile Configuration
- With the OS change from 2.5 to 3.0, the configuration of wireless functions moved to a profile-based format
- Profiles are created first and then applied in the AP Configuration
- Create the profiles for each function in the GUI under Configuration/Advanced Services/All Profile Management
- In the GUI under Configuration/AP Group, assign the profiles created in All Profile Management
Profile Hierarchy
[Figure: profile hierarchy diagram. Labels: ap-group, ap-name, ap, rf, wlan, virtual-ap, qos, ssid-profile, ids, aaa-profile, dot1x auth, mac auth]
6. AP Configuration
AP Connectivity
- APs can connect to the switch in the following two ways
  - Direct Attach
    - The AP physically plugs into the Alcatel Switch.
    - Power and Serial over Ethernet are available with this setup.
  - Indirect Attach
    - The AP physically plugs into some other network device (switch or router) with L2 or L3 connectivity back to the Alcatel Switch.
    - Power over Ethernet is available if the network device attached to the AP supports it. Serial over Ethernet is not supported.
AP Boot Sequence
- An AP needs the following information at boot
  - IP Address, Netmask, Default Gateway
  - Location ID
  - IP Address of Alcatel WLAN Switch
- There are two ways to configure an AP
  - Static
    - All parameters manually configured
  - Dynamic
    - AP only configured with a location ID (optional on first boot)
AP Static Boot Sequence
1. At boot, the AP loads the settings stored in its bootrom
2. The AP sends its location ID to the OAW switch in a message
3. The AP sends a TFTP request to the OAW switch and downloads the OS image
4. The OAW switch controls the AP based on the AP's location ID
5. A GRE tunnel is created between the AP and the OAW switch
AP Dynamic Boot Sequence
1. At boot, the AP loads its location ID from the bootrom
2. The AP sends a DHCP request for an IP address
3. If it receives a DHCP response that includes vendor option 43 (masterip), the AP uses that value as the Master IP address
4. If it receives a DHCP response that does not include the vendor option, the AP sends an “ADP” packet to the multicast group address 224.0.82.11
5. If there is no response to the multicast ADP, the AP sends the “ADP” packet as an L2/L3 broadcast (configure Master OAW Switch as a DHCP helper recipient)
6. If there is still no response, the AP sends a DNS query (“alcatelmaster.domain.com”) to the configured DNS server, with the domain supplied by DHCP, and uses the answer as the Master IP address
7. Once the AP has determined the Master IP address, booting continues from Step 2 of the static boot sequence
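The first branches of the dynamic boot sequence above, as an added example (not from the training deck or from Alcatel-Lucent code): a Python helper that parses the options field of a DHCP offer and reports whether the AP would take its master from option 43 or fall back to multicast ADP, flagging a master address that is not one of your controllers. The function names, the sample bytes and the ASCII-text encoding of option 43 are assumptions.

```python
import ipaddress

PAD, END, VENDOR_SPECIFIC = 0, 255, 43   # RFC 2132 option codes
ADP_MULTICAST_GROUP = "224.0.82.11"      # ADP group from the boot sequence

# Constructed sample option fields (not captured traffic): subnet mask and
# router, then optionally option 43 with an address from the lab section.
COMMON = bytes([1, 4, 255, 255, 255, 0, 3, 4, 10, 10, 10, 1])
OFFER_WITH_MASTER = COMMON + bytes([43, 10]) + b"10.10.10.2" + bytes([END])
OFFER_NO_VENDOR = COMMON + bytes([END])
OFFER_UNEXPECTED = COMMON + bytes([43, 10]) + b"192.0.2.99" + bytes([END])


def parse_dhcp_options(raw):
    """Walk the code/length/value option field; return {code: value}."""
    options, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if code == END:
            break
        if code == PAD:              # single-byte padding, no length
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError(f"option {code} has no length byte")
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} is truncated")
        # A repeated option is one long value split in pieces (RFC 3396).
        options[code] = options.get(code, b"") + value
        i += 2 + length
    return options


def master_from_offer(raw_options):
    """Master IP carried in option 43, or None when the option is absent."""
    value = parse_dhcp_options(raw_options).get(VENDOR_SPECIFIC)
    if value is None:
        return None
    # Assumption: the address is plain ASCII text inside option 43.
    return ipaddress.IPv4Address(value.decode("ascii").strip())


def audit_offer(raw_options, expected_masters):
    """Return (discovery step the AP takes, target) for one DHCP offer."""
    master = master_from_offer(raw_options)
    if master is None:               # step 4: fall back to multicast ADP
        return ("adp-multicast", ADP_MULTICAST_GROUP)
    if str(master) not in expected_masters:
        return ("option-43-unexpected", str(master))
    return ("option-43", str(master))  # step 3: use it as Master IP


if __name__ == "__main__":
    expected = {"10.10.10.2"}
    for name, offer in [("with master", OFFER_WITH_MASTER),
                        ("no vendor option", OFFER_NO_VENDOR),
                        ("unexpected master", OFFER_UNEXPECTED)]:
        print(name, audit_offer(offer, expected))
```

Run it against the option bytes of offers captured on each AP VLAN; an "option-43-unexpected" result means the scope hands APs a master address that is not in your controller list.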
AP Configuration
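- AP configuration uses one of two methods, depending on whether it is done before or after the AP is connected to the switch
- After the AP is connected to the switch:
  - It can be configured from the GUI
- Before the AP is connected to the switch:
  - If the AP is directly attached to the OAW switch, it can be configured using SOE (Serial over Ethernet)
  - It can be configured through the serial port using the SPOE adapter (AP console)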
SPOE adapter (AP console) Pin-out
Post-deployment Method
- GUI “Re”provision
  - If an AP is connected to the network without a configuration, it is listed under “Unprovisioned Alcatel AP” on the OAW switch; selecting that AP opens the Reprovision menu, where its config can be modified
Unprovisioned AP
Provisioning the AP
Pre-deployment Configuration
- SOE configuration
  - Enable SOE from the OAW switch CLI
(Alcatel 4234) # configure terminal
(Alcatel 4234) (config)# telnet soe
  - Telnet to the switch IP on port 2300; then, if the AP is connected to port 1/0 on the switch, enter connect 1/0
telnet x.x.x.x 2300
AP CLI
- After connecting to the AP CLI, reboot the AP and press Enter at the stop autoboot screen to boot into bootrom mode
- Commands:
  - printenv – displays the current settings
  - setenv variable <value> – sets specific values with setenv (e.g. ip, netmask, etc.)
  - save – saves the configuration to the AP flash
  - boot – boots the AP
AP CLI
- Dynamic AP configuration needs only the location setting
setenv location x.x.x
save
- Static AP configuration:
setenv ipaddr x.x.x.x
setenv netmask x.x.x.x
setenv gatewayip x.x.x.x
setenv serverip x.x.x.x
setenv master x.x.x.x
setenv name xxxxxxx
setenv group xxxxxxx
save
- Resetting the AP configuration (AP boot mode):
purge
save
reset
Verifying AP/AP Configuration
- From the CLI:
- From the GUI:
  - Monitoring/Network/All Access Points
  - Monitoring/Network/All Air Monitors
7. Managing System Images
System Backup
- To back up the system:
  - Config file
(Alcatel 4324) #copy running-config tftp: x.x.x.x filename
  - WMS database
(Alcatel 4324) #wms export-db wms.db
(Alcatel 4324) #copy flash: wms.db tftp: x.x.x.x filename
(Alcatel 4324) #local-userdb export-db user.db
(Alcatel 4324) #copy flash: user.db tftp: x.x.x.x filename
  - RF Plan
    - Plan/Building List/Export…
System Restore
- To restore the system:
  - Databases
(Alcatel 4324) #copy tftp: x.x.x.x filename flash: wms.db
(Alcatel 4324) #wms import-db wms.db
(Alcatel 4324) #copy tftp: x.x.x.x filename flash: user.db
(Alcatel 4324) #local-userdb import-db user.db
  - Config file
(Alcatel 4324) #copy tftp: x.x.x.x filename flash: default.bak
(Alcatel 4324) #copy flash: default.bak flash: default.cfg
  - RF Plan
    - Plan/Building List/Import…
  - Reload
GUI Backup/Restore
Adding System Images
- System image upgrade through the CLI
  - IP connectivity to the TFTP server is required
  - An IP interface must be configured on a VLAN
  - Ping must work between the switch and the TFTP server IP
- To minimize the impact on the running system, the switch uses two system image partitions
  - Active
  - Backup
Adding System Images
- Step 1: Check the active partition
Adding System Images
- Step 2: Copy new image
(Alcatel 4324) #copy tftp: 172.16.1.50 image_file_name system: partition 0
Upgrading partition 0
................................................................................
................................................................................
................................................................................
....................
Copied image successfully.
The system will boot from partition 1 during the next reboot.
- Step 3: Change the default boot partition
([OAW4308]) #boot system partition 0
- Step 4: Reload
5. Basic Configuration Sample
Profile Configuration Sample
- Sample of an all-open setup with no authentication or encryption
- Step 1 : Configuration/Advanced Services/All Profile Management
Profile Configuration Sample
- Step 2 : AAA Profile -> enter a new AAA profile name, then Add
Profile Configuration Sample
- Step 3 : Select the newly created test-open; its default profile is displayed
- Step 4 : For Initial role, select default-vpn-role, which is the allow-all role, then click Apply
Profile Configuration Sample
- Step 5 : SSID Profile -> enter a new SSID profile name, then Add
- Step 6 : Select the created test-ssid, enter the SSID that will actually be used, then click Apply
Profile Configuration Sample
- Step 7 : Virtual AP Profile -> enter a new Virtual AP profile name, then Add
- Step 8 : Selecting the configured Virtual AP Profile shows the SSID & AAA Profile settings
Profile Configuration Sample
- Step 9 : Virtual AP Profile -> under SSID Profile, select the SSID Profile created earlier, then click Apply
Profile Configuration Sample
- Step 10 : Virtual AP Profile -> under AAA Profile, select the AAA Profile created earlier, then click Apply
- This completes the profile configuration, but it has not yet been applied to any actual AP
Profile Configuration Sample
- [Note] When the WLAN switches are redundant and the APs use LMS and B-LMS, an AP System Profile must be created as shown below
Profile Configuration Sample
- Step 11 : In Configuration -> Wireless -> AP Configuration, select New, enter a new AP Configuration name, then Add
- Step 12 : Selecting Edit on the created AP Configuration shows, as below, the same menu as the one configured earlier under All Profiles
Profile Configuration Sample
- Step 13 : Select Wireless LAN -> Virtual AP, choose the Virtual AP Profile created earlier, select Add, then Apply
- Step 14 : Confirm that the settings made under All Profiles are applied as they are
Profile Configuration Sample
- Step 15 : All APs belong to the default AP-Group, so they must be moved to the newly created AP-Group. Wireless -> AP Installation -> Provisioning
- Step 16 : Select the AP, click Provision, then select the AP-Group.
Profile Configuration Sample
- Step 17 : Do a final check of the AP's configuration, then select Apply and Reboot.
Profile Configuration Sample
- Step 18 : From a PC, try connecting to the SSID to do a final check of the configuration.
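Profile Configuration Sample [Settings for integration with an external authentication server]
- The authentication server part of the basic configuration on the previous pages needs to be modified.
- Step 1 : In Advanced Services > All Profile Management > Wireless LAN -> RADIUS Server, enter a RADIUS name and select Add.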
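Profile Configuration Sample [Settings for integration with an external authentication server]
- Step 2 : Select the newly created name and enter the detailed authentication server information. The authentication server IP, the authentication key, and the authentication port number must match between the authentication server and the WLAN switch.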
Profile Configuration Sample [Settings for integration with an external authentication server]
- Step 3 : In Advanced Services > All Profile Management > Wireless LAN -> Server Group, enter a new name and select Add. Select the created Server Group, assign the RADIUS server defined earlier, and Apply.
Profile Configuration Sample [Settings for integration with an external authentication server]
- Step 4 : Check the Default 802.1x Profile under 802.1X Authentication Profile. The default values can be used as they are.
Profile Configuration Sample [Settings for integration with an external authentication server]
- Step 5 : Go to AAA Profile, create a new profile, and select it. In that profile, set the role that users receive after authentication under 802.1X Authentication Default Role.
Profile Configuration Sample [Settings for integration with an external authentication server]
- Step 6 : Select the previously defined items below, in order.
  - 802.1X Authentication Profile -> Default
  - 802.1X Authentication Server Group -> Radius
  - RADIUS Accounting Server Group -> Radius
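Profile Configuration Sample [Settings for integration with an external authentication server]
- Step 7 : Go to SSID Profile and set the SSID and the encryption method to use for 802.1x authentication. With 802.1x, Open cannot be selected and encryption must be configured. Encryption is a setting between the user's wireless device and the AP, so check that the user device supports the chosen method.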
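Profile Configuration Sample [Settings for integration with an external authentication server]
- Step 8 : Go to the Virtual AP profile and assign the previously created profiles for SSID & AAA Profile. The remaining settings proceed the same as in the basic configuration.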
7. Lab
Basic System Configuration
Lab Diagram - 1
- Open setup with no separate authentication
[Figure: lab topology. Labels: SSID : Test10; AP1; 10.3; Backbone, vlan 1, 10.10.10.1/24; WLAN Switch, Vlan 1, 10.10.10.2/24]
Lab Diagram - 2
- Open setup with no separate authentication
- Configure 802.1q between the Backbone and the WLAN switch so that vlan10 and vlan20 are usable
- Create two SSIDs; Test10 must be able to use the vlan10 network and Test20 the vlan20 network
- Verify that devices connected to each AP can communicate with each other
[Figure: lab topology. Labels: SSID : Test10; SSID : Test20; AP1; AP2; Backbone; OS6600-P24; WLAN Switch; 802.1q; V10, 20; vlan 10, 10.10.10.1/24; vlan 20, 10.10.20.1/24; Vlan 10, 10.10.10.2/24; vlan 20, 10.10.20.2/24; vlan 30, 10.10.30.1/24; Vlan 30, 10.10.30.2/24; 30.3; 10.3]
Lab Diagram -3
[Figure: lab topology. Labels: Backbone; vlan 10, 10.10.10.1/24; vlan 20, 10.10.20.1/24; WLAN#1 10.11 ssid test-1; WLAN#2 10.12 ssid test-2; WLAN#3 10.12 ssid test-3; WLAN#4 10.14 ssid test-4; APs 20.x; PoE; Vlan 20, 10.10.20.2/24; AP1]
www.alcatel-lucent.com