Aerohive Deployment Guide For HiveAP and HiveManager Devices Aerohive Technical Publications Copyright Notice Copyright © 2009 Aerohive Networks, Inc. All rights reserved. Aerohive Networks, the Aerohive Networks logo, HiveOS, HiveAP, and HiveManager are trademarks of Aerohive Networks, Inc. All other trademarks and registered trademarks are the property of their respective companies. Information in this document is subject to change without notice.
HIVEAP COMPLIANCE INFORMATION The availability of some specific channels and/or operational frequency bands are country dependent and are firmware programmed at the factory to match the intended destination. The firmware setting is not accessible by the end user. • The 5 GHz Turbo Mode feature is not allowed for operation in any European Community country. You can find the current setting for this feature in two places.
HiveAP Compliance Information Avertissement: L'installation et la dépose de points d'accès HiveAP doivent être effectuées uniquement par un personnel qualifié. Warnung: Die Installation und der Ausbau des Geräts darf nur durch Fachpersonal erfolgen. • Les points d'accès HiveAP doivent être connectés sur le secteur par une prise électrique munie de terre (masse) afin de respecter les standards internationaux de sécurité.
Chapter 2 The HiveAP 20 ag Platform The Aerohive HiveAP 20 ag is a new generation wireless access point. HiveAPs have the unique ability to self-organize and coordinate with each other, creating a distributed-control WLAN solution that offers greater mobility, security, quality of service, and radio control. This guide combines product information, installation instructions, and configuration examples for both the HiveAP and HiveManager platforms.
Chapter 2 The HiveAP 20 ag Platform HIVEAP 20 PRODUCT OVERVIEW The HiveAP 20 ag is a multi-channel wireless AP (access point). It is compatible with IEEE 802.11b/g (2.4 GHz) and IEEE 802.11a (5 GHz) standards and supports a variety of Wi-Fi (wireless fidelity) security protocols, including WPA (Wi-Fi Protected Access) and WPA2. You can see the hardware components on the HiveAP in Figure 1. Each component is described in Table 1.
HIVEAP 20 PRODUCT OVERVIEW Component Description Power Connector The 48-volt DC power connector (0.38 amps) is one of two methods through which you can power the HiveAP 20. To connect it to a 100 – 240-volt AC power source, use the AC/DC power adaptor that is available as an extra option. Because the HiveAP does not have an on/off switch, connecting it to a power source automatically powers on the device.
Chapter 2 The HiveAP 20 ag Platform Ethernet and Console Ports There are two ports on the HiveAP 20: a 10/100Base-T/TX Ethernet port and a male DB-9 console port. Both ports use standard pin assignments. The pin assignments in the PoE (Power over Ethernet) Ethernet port follow the TIA/EIA-568-B standard (see Figure 2). The PoE port accepts standard types of Ethernet cable—cat3, cat5, cat5e, or cat6—and can receive power over this cable from power sourcing equipment (PSE) that is 802.3af-compatible.
HIVEAP 20 PRODUCT OVERVIEW The pin assignments in the male DB-9 console port follow the EIA (Electronic Industries Alliance) RS-232 standard. To make a serial connection between your management system and the console port on the HiveAP, you can use a null modem serial cable, use another serial cable that complies with the RS-232 standard, or refer to the pin-to-signal mapping shown in Figure 3 to make your own serial cable.
Chapter 2 The HiveAP 20 ag Platform Antennas The HiveAP 20 includes two fixed dual-band antennas with 3-dBi gains. These antennas are omnidirectional, providing fairly equal coverage in all directions in a toroidal (donut-shaped) pattern around each antenna. When the antennas are vertically positioned, coverage expands primarily on the horizontal plane, extending horizontally much more than vertically. See Figure 4, which shows the toroidal pattern emanating from a single vertically positioned antenna.
MOUNTING THE HIVEAP 20 The wifi0 interface links to radio 1 (frequency range = 2.4 GHz for IEEE 802.11b/g), and the wifi1 interface links to radio 2 (frequency range = 5 GHz for IEEE 802.11a). These interface-to-radio relationships are permanent. However, the interface-to-antenna relationships can be shifted. In other words, you can change which antenna—fixed or external—the wifi0 and wifi1 interfaces use. For example, to link the wifi0 interface to an external antenna connected to the 802.
Chapter 2 The HiveAP 20 ag Platform Nudge the ceiling tiles slightly away from the track to clear some space. Then attach the track clip to the ceiling track as shown in Figure 7. When done, adjust the ceiling tiles back into their former position. Figure 7 Attaching the HiveAP to a Dropped Ceiling Track 5 6 Press the track clip against the ceiling track so that the the track contacts the two pressure tabs and pushes them flush with the track clip.
DEVICE, POWER, AND ENVIRONMENTAL SPECIFICATIONS DEVICE, POWER, AND ENVIRONMENTAL SPECIFICATIONS Understanding the range of specifications for the HiveAP 20 is necessary for optimal deployment and device operation. The following specifications describe the physical features and hardware components, the power adapter and PoE (Power over Ethernet) electrical requirements, and the temperature and humidity ranges in which the device can operate.
Chapter 2 The HiveAP 20 ag Platform 34 Aerohive
Chapter 3 The HiveAP 28 Outdoor Platform The Aerohive HiveAP 28 is a new generation wireless access point that is customized for outdoor use. It is mountable in any direction and on any hard surface, post, or wire strand. It can receive power either through an Ethernet cable or power cord. Note: Do not open the HiveAP 28 chassis. There are no serviceable parts inside.
Chapter 3 The HiveAP 28 Outdoor Platform HIVEAP 28 PRODUCT OVERVIEW The HiveAP 28 is a multi-channel wireless AP (access point) for outdoor use. It is compatible with IEEE 802.11b/g (2.4 GHz) and IEEE 802.11a (5 GHz) standards and supports a variety of Wi-Fi (wireless fidelity) security protocols, including WPA (Wi-Fi Protected Access) and WPA2. You can see the hardware components on the HiveAP 28 in Figure 1. Each component is described in Table 1.
HIVEAP 28 PRODUCT OVERVIEW Component Description 10/100 Mbps PoE Port The 10/100-Mbps Ethernet port supports IEEE 802.3af PoE (Power over Ethernet) and receives RJ-45 connectors. The HiveAP can receive its power through an Ethernet connection to PSE (power sourcing equipment) that is 802.3af-compatible, such as one of the PoE injectors available as an optional accessory from Aerohive.
Chapter 3 The HiveAP 28 Outdoor Platform 4. Connect the other end of the Ethernet cable to PSE (power sourcing equipment) such as a power injector if the HiveAP 28 receives power through PoE, or directly to a network device such as a switch if it receives power through a power cord. Note: To prevent damage to the HiveAP 28 or power injector when using PoE to provide power, connect the Ethernet cable from the power injector to the HiveAP 28, and connect the injector to a power jack before applying power.
HIVEAP 28 PRODUCT OVERVIEW Antennas The HiveAP 28 includes two detachable single-band antennas with 8dBi gains (802.11b/g) and two detachable single-band antennas with 10dBi gains (802.11a). These antennas are omnidirectional, providing fairly equal coverage in all directions in a toroidal (donut-shaped) pattern around each antenna. When the antennas are vertically positioned, coverage expands primarily on the horizontal plane, extending horizontally much more than vertically.
Chapter 3 The HiveAP 28 Outdoor Platform MOUNTING THE HIVEAP 28 AND ATTACHING ANTENNAS Using the mounting accessories (available separately) you can mount the HiveAP in various locations: • "Pole Mount" on page 41 – Mount the HiveAP 28 on a pole such as a street light. • "Strand Mount" on page 42 – Suspend the HiveAP 28 from a cable or phone line. • "Surface Mount" on page 43 – Mount the HiveAP 28 on a flat surface such as a wall or beam.
MOUNTING THE HIVEAP 28 AND ATTACHING ANTENNAS Pole Mount To mount the HiveAP 28 to a pole with a 1.5-inch diameter, you need two sets of the L-shaped brackets, two 2" U-bolts, saddle clamps, and the nuts, bolts, and washers shown in Figure 5. You also need a wrench to tighten the nuts and bolts securely.
Chapter 3 The HiveAP 28 Outdoor Platform Strand Mount The HiveAP 28 outdoor platform can also be mounted on a cable or strand of wire as shown in Figure 6. When mounted on a wire strand, use 90-degree N type adapters (not included) to orient the antennas vertically. If you do not use the adapters and orient the antennas horizontally, the area covered will be far less.
MOUNTING THE HIVEAP 28 AND ATTACHING ANTENNAS Surface Mount You can use the mounting plate to attach the HiveAP 28 to any surface that supports its weight (9 lbs., 4.08 kg), and to which you can screw or nail the plate. First, mount the plate to the HiveAP 28, and then attach the plate to the surface, as shown in Figure 7. Note that the screw heads that you attach to the wall or surface must be small enough for the keyholes on the mounting plate to slip over them.
Chapter 3 The HiveAP 28 Outdoor Platform Attaching Antennas You can connect the antennas directly to the HiveAP 28 or mount them separately. Although connecting the antennas directly to the device typically provides better performance, in some cases the location of the HiveAP might not be a good location for the antennas; for example, if the HiveAP 28 is mounted on a reinforced concrete wall that interferes with radio coverage.
MOUNTING THE HIVEAP 28 AND ATTACHING ANTENNAS You can mount antennas at the top of a pole as shown in Figure 8 and Figure 9, or to a flat surface. If you must mount the antenna lower on a pole, the pole must be nonmetallic—such as one made from a hard plastic like PVC (polyvinyl chloride)—so that it does not distort the signal. Aerohive recommends that antennas be installed away from power lines and obstructions that can interfere with radio coverage.
Chapter 3 The HiveAP 28 Outdoor Platform Note: Radio coverage might be limited if the surface acts as an obstruction. 5. Make sure that all the antenna and cable connectors are clean. If you are using PTFE tape, wrap the tape around the threads on the HiveAP 28 antenna connectors as explained in "Connecting Antennas Directly to the HiveAP 28" on page 44. 6. Assuming that you are using male-to-female cables, connect the female Type N connector on the cables to the male connectors on the antennas. 7.
Chapter 4 The HiveAP 340 Platform The Aerohive HiveAP 340 is a high-performance and highly reliable 802.11n wireless access point. The HiveAP 340 provides dual concurrent 802.11b/g/n and 802.11a/n radios for 3x3 MIMO (Multiple In, Multiple Out) and dual 10/100/1000 Ethernet ports for link aggregation or link redundancy. Its power management system uses a concept called smart PoE (Power over Ethernet) to adjust its power consumption automatically in response the available power in different environments.
Chapter 4 The HiveAP 340 Platform HIVEAP 340 PRODUCT OVERVIEW The HiveAP 340 is a multi-channel wireless access point. It is compatible with IEEE 802.11b/g/n (2.4 GHz) and IEEE 802.11a/n (5 GHz) standards and supports a variety of Wi-Fi (wireless fidelity) security protocols, including WPA (Wi-Fi Protected Access) and WPA2. You can see the hardware components on the HiveAP in Figure 1. Each component is described in Table 1.
HIVEAP 340 PRODUCT OVERVIEW Component Description 10/100/1000 Mbps PoE Ports The two 10/100/1000-Mbps Ethernet ports—ETH0 and ETH1—support IEEE 802.3af and 802.3at PoE (Power over Ethernet) and receive RJ-45 connectors. The HiveAP can receive power through one or both Ethernet connections from PSE (power sourcing equipment) that is compatible with the 802.3af standard and the forthcoming 802.at standard, such as one of the PoE injectors available as an optional accessory from Aerohive.
Chapter 4 The HiveAP 340 Platform Ethernet and Console Ports There are three ports on the HiveAP 340: two RJ-45 10/100/1000Base-T/TX Ethernet ports and an RJ-45 console port. The pin assignments in the PoE (Power over Ethernet) Ethernet ports follow the TIA/EIA-568-B standard (see Figure 2). The ports accept standard types of Ethernet cable—cat3, cat5, cat5e, or cat6—and can receive power over this cable from power sourcing equipment (PSE) that is 802.3af-compatible.
HIVEAP 340 PRODUCT OVERVIEW Smart PoE The HiveAP 340 applies the Aerohive concept of smart PoE to adjust power consumption as necessitated by varying levels of available power. No adjustments are needed when the power level is 17.5 W (watts) or higher. If the available power drops to a range between 16 and 17.5 W, the HiveAP disables the ETH1 interface. If the level drops to the 14.4 – 16 W range, it then switches from 3x3 MIMO (Multiple In, Multiple Out) to 2x3 (see "MIMO" on page 55).
Chapter 4 The HiveAP 340 Platform Switch(config)#int fastEthernet 0/2 Switch(config-if)#switchport mode access Switch(config-if)#channel-group 1 mode on Switch(config-if)#spanning-tree portfast Switch(config-if)#exit Switch(config)#exit Switch#wr mem Finally, you must cable the Cisco switch and the HiveAP together: Cisco 0/1 to HiveAP eth0, and Cisco 0/2 to HiveAP eth1.
HIVEAP 340 PRODUCT OVERVIEW Console Port The pin-to-signal mapping in the RJ-45 console port is shown shown in Figure 3.
Chapter 4 The HiveAP 340 Platform Status LEDs The five status LEDs on the top of the HiveAP 340 indicate various states of activity through their color (dark, green, amber, and red) and illumination patterns (steady glow or pulsing). The meanings of the various color + illumination patterns for each LED are explained below.
HIVEAP 340 PRODUCT OVERVIEW Figure 5 HiveAP 340 Antennas Generally, orient the antennas vertically for improved radio coverage, as shown here: When mounting the HiveAP 340 on a ceiling, orient its antennas downward. 2.4 GHz Antenna for IEEE 802.11b/g/n 5 GHz Antenna for IEEE 802.
Chapter 4 The HiveAP 340 Platform In previous 802.11 standards, access points and clients each employed a single set of components, or RF chain, for transmitting or receiving. Although two antennas are often used for diversity, only the one with the best signal-to-noise ratio is used at any given moment, and that antenna makes use of the single RF chain while the other antenna remains inactive.
HIVEAP 340 PRODUCT OVERVIEW Using MIMO with Legacy Clients In addition to supporting up to 300-Mbps throughput per radio for 802.11n clients, MIMO (Multiple In, Multiple Out) can improve the reliability and speed of legacy 802.11a/b/g client traffic. When an 802.11a/b/g access point does not receive acknowledgement that a frame it sent was received, it resends that frame, possibly at a somewhat lower transmission rate.
Chapter 4 The HiveAP 340 Platform MOUNTING THE HIVEAP 340 Using the mounting plate and track clips, you can mount the HiveAP 340 to the tracks of a dropped ceiling grid. Using just the mounting plate, you can mount the HiveAP to any surface that can support its weight (3.3 lb., 1.5 kg). Ceiling Mount To mount the HiveAP 340 to a track in a dropped ceiling, you need the mounting plate, two track clips, and two Keps nuts, all of which ship as an option with the HiveAP 340.
MOUNTING THE HIVEAP 340 Figure 9 Attaching the HiveAP 340 to the Mounting Plate and Connecting Cables Mounting Plate HiveAP 340 (shown as transparent for clairty) (side view) 4 With the HiveAP 340 upside down, align its port side with the bottom end of the plate. Tab Slot 5 Push the HiveAP 340 upward, inserting the four tabs on the plate into the four slots on the HiveAP 340. 6 Slide the HiveAP 340 toward the bottom end of the plate, locking the tabs inside the slots.
Chapter 4 The HiveAP 340 Platform Surface Mount You can use the mounting plate to attach the HiveAP 340 to any surface that supports its weight, and to which you can screw or nail the plate. First, mount the plate to the surface. Then, through one of the two large openings in the plate, make a hole in the wall so that you can pass the cables through to the HiveAP. Note: You can tie the cables to the tie points on the mounting plate to prevent them from being pulled out of their connections accidentally.
DEVICE, POWER, AND ENVIRONMENTAL SPECIFICATIONS DEVICE, POWER, AND ENVIRONMENTAL SPECIFICATIONS Understanding the range of specifications for the HiveAP 340 is necessary for optimal deployment and device operation. The following specifications describe the physical features and hardware components, the power adapter and PoE (Power over Ethernet) electrical requirements, and the temperature and humidity ranges in which the device can operate.
Chapter 4 The HiveAP 340 Platform 62 Aerohive
Chapter 5 The HiveAP 320 Platform The Aerohive HiveAP 320 is a high-performance and highly reliable 802.11n wireless access point. The HiveAP 320 provides dual concurrent 802.11b/g/n and 802.11a/n radios for 3x3 MIMO (Multiple In, Multiple Out) and dual 10/100/1000 Ethernet ports for link aggregation or link redundancy. Its power management system uses a concept called smart PoE (Power over Ethernet) to adjust its power consumption automatically in response the available power in different environments.
Chapter 5 The HiveAP 320 Platform HIVEAP 320 PRODUCT OVERVIEW The HiveAP 320 is a multi-channel wireless access point. It is compatible with IEEE 802.11b/g/n (2.4 GHz) and IEEE 802.11a/n (5 GHz) standards and supports a variety of Wi-Fi (wireless fidelity) security protocols, including WPA (Wi-Fi Protected Access) and WPA2. You can see the hardware components on the HiveAP in Figure 1. Each component is described in Table 1.
HIVEAP 320 PRODUCT OVERVIEW Component Description You can configure ETH0 and ETH1 as two individual Ethernet interfaces, combine them into an aggregate interface to increase throughput, or combine them into a redundant interface to increase reliability. You can connect the HiveAP 320 to a wired network or to a wired device (such as a security camera) through these ports using bridging.
Chapter 5 The HiveAP 320 Platform Ethernet and Console Ports There are three ports on the HiveAP 320: two RJ-45 10/100/1000Base-T/TX Ethernet ports and an RJ-45 console port. The pin assignments in the PoE (Power over Ethernet) Ethernet ports follow the TIA/EIA-568-B standard (see Figure 2 on page 50). The ports accept standard types of Ethernet cable—cat3, cat5, cat5e, or cat6. The ETH0 port can receive power over the Ethernet cable from power sourcing equipment (PSE) that is 802.3af-compatible.
HIVEAP 320 PRODUCT OVERVIEW Antennas The HiveAP 320 has six internal single-band antennas. Three of the antennas operate in the 2.4-GHz band (IEEE 802.11b/g/n) and have a 2-dBi gain. The other three antennas operate in the 5-GHz band (IEEE 802.11a/n) and have a 3-dBi gain. All antennas are omnidirectional, providing fairly equal coverage in all directions in a toroidal (donut-shaped) pattern around each antenna (see Figure 4 on page 30). The three three 2.
Chapter 5 The HiveAP 320 Platform MOUNTING THE HIVEAP 320 Using the mounting plate and track clips, you can mount the HiveAP 320 to the tracks of a dropped ceiling grid. Using just the mounting plate, you can mount the HiveAP to any surface that can support its weight (2 lb., 0.68 kg). Note: In addition to these methods, you can also mount the HiveAP 320 on a table using the set of four rubber feet that ship with the product.
MOUNTING THE HIVEAP 320 Figure 4 Attaching the HiveAP 320 to the Mounting Plate 4 With the HiveAP 320 upside down, align the round tab and security screw hole extnesion on the mounting plate with the keyhole opening and security screw cavity on the HiveAP 320, and press the HiveAP upward. Push HiveAP 5 Pushing from the LED end of the HiveAP, slide it toward the bottom end of the plate until the two rippled tabs on the mounting plate snap over the nubs on the undersdie of the HiveAP.
Chapter 5 The HiveAP 320 Platform Surface Mount You can use the mounting plate to attach the HiveAP 320 to any surface that supports its weight, and to which you can screw or nail the plate. First, mount the plate to the surface. Then, through the large opening in the lower part of the plate, make a hole in the wall so that you can pass the cables through to the HiveAP. Finally, attach the device to the plate, and connect the cables, as shown in Figure 6.
DEVICE, POWER, AND ENVIRONMENTAL SPECIFICATIONS DEVICE, POWER, AND ENVIRONMENTAL SPECIFICATIONS Understanding the range of specifications for the HiveAP 320 is necessary for optimal deployment and device operation. The following specifications describe the physical features and hardware components, the power adapter and PoE (Power over Ethernet) electrical requirements, and the temperature and humidity ranges in which the device can operate.
Chapter 5 The HiveAP 320 Platform 72 Aerohive
Chapter 10 HiveOS You can deploy a single HiveAP and it will provide wireless access as an autonomous AP (access point). However, if you deploy two or more HiveAPs in a hive, you can provide superior wireless access with many benefits. A hive is a set of HiveAPs that exchange information with each other to form a collaborative whole (see Figure 1).
Chapter 10 HiveOS COMMON DEFAULT SETTINGS AND COMMANDS Many major components of HiveOS are automated and typically require no further configuration. For example, radio power and frequency selection occurs automatically, as does route learning. Also, after defining a hive and its security protocol suite, all HiveAPs belonging to that hive automatically initiate and maintain communications with each other.
CONFIGURATION OVERVIEW CONFIGURATION OVERVIEW The amount of configuration depends on the complexity of your deployment. As you can see in "Deployment Examples (CLI)" on page 161, you can enter a minimum of three commands to deploy a single HiveAP, and just a few more to deploy a hive. However, for cases when you need to fine tune access control for more complex environments, HiveOS offers a rich set of CLI commands.
Chapter 10 HiveOS Policy-Level Configurations Policies control how wireless clients access the network. The following list contains some key areas of policy-level configurations and relevant commands. • QoS settings qos { classifier-map | classifier-profile | marker-map | marker-profile | policy } … • User profiles user-profile string … • SSIDs ssid string … • AAA (authentication, authorization, and accounting) settings for IEEE 802.
HIVEOS CONFIGURATION FILE TYPES HIVEOS CONFIGURATION FILE TYPES HiveOS supports several types of configuration files: running, current, backup, bootstrap, default, and failed. The running configuration (config) is the configuration that is actively running in DRAM. During the bootup process, a HiveAP loads the running config from one of up to four config files stored in flash memory: • current: a flash file containing a combination of default and admin-defined settings.
Chapter 10 HiveOS When you upload a configuration file from HiveManager or from a TFTP or SCP server, the HiveAP stores the uploaded file in the backup config partition in flash memory, where it remains until the HiveAP reboots. If there is a backup config file already stored in flash, the newly uploaded file overwrites it. See Figure 4.
HIVEOS CONFIGURATION FILE TYPES Note: To upload and activate a config file from HiveManager , see "Uploading HiveAP Configurations" on page 150.
Chapter 10 HiveOS Figure 6 Relationship of Current, Backup, Bootstrap, and Default Config Files Configuration Failover Behavior Backup Config Current Config Failover Bootstrap Config Failover . . . or if there is no bootstrap config . . . If the HiveAP cannot load either the current or backup config files, it deletes them, reboots, and loads the bootstrap config— if present—or the default config. Default Config Resetting the Configuration Current Config reset config Bootstrap Config . . .
Chapter 11 Deployment Examples (CLI) This chapter presents several deployment examples to introduce the primary tasks involved in configuring HiveAPs through the HiveOS CLI. In "Deploying a Single HiveAP" on page 162, you deploy one HiveAP as an autonomous access point. This is the simplest configuration: you only need to enter and save three commands. In "Deploying a Hive" on page 165, you add two more HiveAPs to the one deployed in the first example to form a hive with three members.
Chapter 11 Deployment Examples (CLI) EXAMPLE 1: DEPLOYING A SINGLE HIVEAP In this example, you deploy one HiveAP (HiveAP-1) to provide network access to a small office with 15 – 20 wireless clients.
EXAMPLE 1: DEPLOYING A SINGLE HIVEAP 4. On your management system, run a VT100 terminal emulation program, such as Tera Term Pro© (a free terminal emulator) or Hilgraeve Hyperterminal® (provided with Windows® operating systems). Use the following settings: • Bits per second (baud rate): 9600 • Data bits: 8 • Parity: none • Stop bits: 1 • Flow control: none For HiveAPs set with "FCC" as the region code, the Initial CLI Configuration Wizard appears.
Chapter 11 Deployment Examples (CLI) Step 3 Configure the wireless clients Define the "employee" SSID on all the wireless clients. Specify WPA-PSK for network authentication, AES or TKIP for data encryption, and the preshared key N38bu7Adr0n3. Step 4 Position and power on the HiveAP 1. Place the HiveAP within range of the wireless clients and, optionally, mount it as explained in the mounting section in the chapter about the HiveAP model that you are using. 2.
EXAMPLE 2: DEPLOYING A HIVE EXAMPLE 2: DEPLOYING A HIVE Building on "Deploying a Single HiveAP" on page 162, the office network has expanded and requires more HiveAPs to provide greater coverage. In addition to the basic configuration covered in the previous example, you configure all three HiveAPs to form a hive within the same layer 2 switched network.
Chapter 11 Deployment Examples (CLI) Step 1 Configure HiveAP-1 1. Using the connection settings described in the first example, log in to HiveAP-1. 2. Configure HiveAP-1 as a member of "hive1" and set the security protocol suite.
EXAMPLE 2: DEPLOYING A HIVE Step 2 Configure HiveAP-2 and HiveAP-3 1. Power on HiveAP-2 and log in through its console port. 2. Configure HiveAP-2 with the same commands that you used for HiveAP-1: ssid employee ssid employee security protocol-suite wpa-auto-psk ascii-key N38bu7Adr0n3 interface wifi0 ssid employee hive hive1 hive hive1 password s1r70ckH07m3s interface mgt0 hive hive1 3. (Optional) Change the name and password of the superuser. admin superuser mwebster password 3fF8ha 4.
Chapter 11 Deployment Examples (CLI) After HiveAP-3 boots up, it discovers the two other members of hive1 over a wireless backhaul link. The members authenticate themselves and establish a security association for encrypting backhaul communications among themselves. HiveAP-3 then learns its default route to the wired network from the other hive members. If the other members send routes with equal costs—which is what happens in this example—HiveAP-3 uses the first route it receives.
EXAMPLE 2: DEPLOYING A HIVE 7. To check that the hive members have full data connectivity with each other, associate a client in wireless network-1 with HiveAP-1 (the SSID "employee" is already defined on clients in wireless network-1; see "Deploying a Single HiveAP"). Then check if HiveAP-1 forwards the client’s MAC address to the others to store in their roaming caches.
Chapter 11 Deployment Examples (CLI) Step 4 Configure wireless clients Define the "employee" SSID on all the wireless clients in wireless network-2 and -3. Specify WPA-PSK for network authentication, AES or TKIP for data encryption, and the preshared key N38bu7Adr0n3. The setup of hive1 is complete. Wireless clients can now associate with the HiveAPs using SSID "employee" and access the network.
EXAMPLE 3: USING IEEE 802.1X AUTHENTICATION Note: This example assumes that the RADIUS and AD servers were previously configured and populated with user accounts that have been in use on a wired network (not shown). The only additional configuration on these servers is to enable the RADIUS server to accept authentication requests from the HiveAPs. Step 1 Define the RADIUS server on the HiveAP-1 Configure the settings for the RADIUS server (IP address and shared secret) on HiveAP-1.
Chapter 11 Deployment Examples (CLI) Step 5 Configure the RADIUS Server to accept authentication requests from the HiveAPs Log in to the RADIUS server and define the three HiveAPs as access devices. Enter their mgt0 IP addresses (or fully-qualified domain names) and shared secret. Step 6 Check that clients can form associations and access the network 1. To check that a client can associate with a HiveAP and access the network, open a wireless client application and connect to the "employee" SSID.
EXAMPLE 4: APPLYING QOS EXAMPLE 4: APPLYING QOS In this example, you want the hive members to prioritize voice, streaming media, and e-mail traffic. First, you map distinguishing elements of these traffic types to three Aerohive QoS (Quality of Service) classes: Class 6: voice traffic from VoIP phones with MAC OUI 00:12:3b (the OUI for all phones in the network) Voice traffic is very sensitive to delay and cannot tolerate packet loss without loss of voice quality.
Chapter 11 Deployment Examples (CLI) Note: The HiveAP assigns all traffic that you do not specifically map to an Aerohive class to class 2, which by default uses WRR with a weight of 30 and a rate of 54,000 or 1,000,000 Kbps, depending on the HiveAP. Figure 4 QoS Policy "voice" for Voice, Streaming Media, and Data QoS Policy: “voice” Voice qos policy voice qos 6 strict 512 0 The policy assigns the highest priority to voice traffic (class 6).
EXAMPLE 4: APPLYING QOS Step 1 Map traffic types to Aerohive QoS classes on HiveAP-1 1. Map the MAC OUI (organizational unit identifier) of network users’ VoIP phones to Aerohive class 6. qos classifier-map oui 00:12:3b qos 6 In this example, all network users use VoIP phones from the same vendor whose OUI (that is, the MAC address prefix ) is 00:12:3b. When HiveAP-1 receives traffic from a client whose source MAC address contains this OUI, it assigns it to Aerohive class 6. 2.
Chapter 11 Deployment Examples (CLI) 2. Associate the classifier profiles with the employee SSID and the eth0 interface so that HiveAP-1 can classify incoming traffic arriving at these two interfaces.
EXAMPLE 4: APPLYING QOS The QoS policy that you define is shown in Figure 5. Although you did not configure settings for Aerohive QoS classes 0, 1, 2, 4, and 7, the policy applies default settings to them. The HiveAP assigns all traffic that you do not specifically map to an Aerohive class to class 2, which uses WRR with a weight of 30 and a default rate of 54,000 or 1,000,000 Kbps. Because nothing is mapped to classes 0, 1, 4, and 7, their settings are irrelevant.
Chapter 11 Deployment Examples (CLI) Step 4 Configure HiveAP-2 and HiveAP-3 1. Log in to HiveAP-2 through its console port. 2.
EXAMPLE 5: LOADING A BOOTSTRAP CONFIGURATION Step 5 Configure RADIUS server attributes 1. Log in to the RADIUS server and define the three HiveAPs as RADIUS clients. 2. Configure the following attributes for the realm to which the wireless user accounts in network-1, -2, and -3 belong: • Tunnel Type = GRE (value = 10) • Tunnel Medium Type = IP (value = 1) • Tunnel Private Group ID = 2 The RADIUS server returns the above attributes for all wireless users it authenticates from network-1, -2, and -3.
Chapter 11 Deployment Examples (CLI) Step 1 Define the bootstrap config on HiveAP-1 1. Make a serial connection to the console port on HiveAP-1, log in, and load the default config. load config default reboot You do not want the bootstrap config to contain any of your previously defined settings from the current config. Therefore, you load the default config, which has only default settings.
EXAMPLE 5: LOADING A BOOTSTRAP CONFIGURATION Step 2 Save the bootstrap config to a TFTP server 1. Check the configurations to make sure the settings are accurate. show config bootstrap Check that the settings are those you entered in the previous step for the bootstrap config. show config backup Note that the backup config is the previous current config. This is the configuration that has all your previously defined settings. 2. Return to the previous current config. load config backup reboot 3.
Chapter 11 Deployment Examples (CLI) CLI COMMANDS FOR EXAMPLES This section includes all the CLI commands for configuring the HiveAPs in the previous examples. The CLI configurations are presented in their entirety (without explanations) as a convenient reference, and—if you are reading this guide as a PDF—as an easy way to copy and paste the commands. Simply copy the blocks of text for configuring the HiveAPs in each example and paste them at the command prompt.
EXAMPLE 5: CLI COMMANDS FOR EXAMPLES HiveAP-3 ssid employee ssid employee security protocol-suite wpa-auto-psk ascii-key N38bu7Adr0n3 interface wifi0.1 ssid employee hive hive1 hive hive1 password s1r70ckH07m3s interface mgt0 hive hive1 save config Commands for Example 3 Enter the following commands to configure the hive members to support IEEE 802.1X authentication in "Using IEEE 802.1X Authentication" on page 170: HiveAP-1 aaa radius-server first 10.1.1.
Chapter 11 Deployment Examples (CLI) Commands for Example 4 Enter the following commands to configure the hive members to apply QoS (Quality of Service) to voice, streaming media, and data traffic in "Applying QoS" on page 173: HiveAP-1 qos classifier-map oui 00:12:3b qos 6 service mms tcp 1755 service smtp tcp 25 service pop3 tcp 110 qos classifier-map service mms qos 5 qos classifier-map service smtp qos 3 qos classifier-map service pop3 qos 3 qos classifier-profile employee-voice mac qos classifier-prof
EXAMPLE 5: CLI COMMANDS FOR EXAMPLES qos classifier-profile employee-voice service qos classifier-profile eth0-voice mac qos classifier-profile eth0-voice service ssid employee qos-classifier employee-voice interface eth0 qos-classifier eth0-voice For HiveAPs supporting IEEE 802.11a/b/g qos policy voice qos 5 wrr 20000 90 qos policy voice qos 3 wrr 54000 60 For HiveAPs supporting IEEE 802.
Chapter 11 Deployment Examples (CLI) Commands for Example 5 Enter the following commands to create bootstrap config files and load them on the hive members in "Loading a Bootstrap Configuration" on page 179: bootstrap-security.txt admin root-admin Cwb12o11siNIm8vhD2hs password 8wDamKC1Lo53Ku71 hive hive1 hive hive1 password s1r70ckH07m3s interface mgt0 hive hive1 HiveAP-1 save config tftp://10.1.1.31:bootstrap-security.txt bootstrap show config bootstrap HiveAP-2 save config tftp://10.1.1.
Appendix A Country Codes When the region code on a HiveAP is preset as "world", you must set a country code for the location where you intend to deploy the HiveAP. This code determines the radio channels and power settings that the HiveAP can use when deployed in that country. For HiveAPs intended for use in the United States, the region code is preset as "FCC"—for "Federal Communications Commission"—and the country code is preset for the United States.
Appenidix A Country Codes El Salvador 222 Japan14 (J14) 4014 Estonia 233 Japan15 (J15) 4015 Faeroe Islands 234 Japan16 (J16) 4016 Finland 246 Japan17 (J17) 4017 France 250 Japan18 (J18) 4018 France2 255 Japan19 (J19) 4019 Georgia 268 Japan20 (J20) 4020 Germany 276 Japan21 (J21) 4021 Greece 300 Japan22 (J22) 4022 Guatemala 320 Japan23 (J23) 4023 Honduras 340 Japan24 (J24) 4024 Hong Kong (S.A.R., P.R.
Appenidix A Country Codes Norway 578 Sweden 752 Oman 512 Switzerland 756 Pakistan (Islamic Republic of Pakistan) 586 Syria 760 Panama 591 Taiwan 158 Paraguay 600 Thailand 764 Peru 604 Philippines (Republic of the Philippines) 608 Poland 616 Portugal 620 Puerto Rico 630 Qatar 634 Romania 642 Russia 643 Saudi Arabia 682 Singapore 702 Trinidad y Tobago 780 Tunisia 788 Turkey 792 U.A.E.
Appenidix A Country Codes 192 Aerohive