Best Practices Guide Dell Networking W-AirWave 7.
Copyright © 2013 Aruba Networks, Inc. Aruba Networks trademarks include Aruba Networks®, Aruba Wireless Networks®, the registered Aruba the Mobile Edge Company logo, and Aruba Mobility Management System®. Dell™, the DELL™ logo, and PowerConnect™ are trademarks of Dell Inc. All rights reserved. Specifications in this manual are subject to change without notice. Originated in the USA. All other trademarks are the property of their respective owners.
Contents
Overview
Understanding Dell Networking W-Series Topology
Prerequisites for Integrating Dell Networking W-Series Infrastructure
Configuring AirWave for Global W-Series Infrastructure
Disabling Rate Limiting in AMP Setup > General
Entering Credentials in Device Setup > Communication
Setting Up Recommended Timeout and Retries
Setting Up Time Synchronization
Manually Setting the Clock on a Controller
Enabling Support for Channel Utilization And Statistics
AirWave
ARM and Channel Utilization Information
VisualRF and Channel Utilization
Configuring Channel Utilization Triggers
Viewing Channel Utilization Alerts
Channel Utilization Alerts on the APs/Devices > Monitor Page
Channel Utilization Alerts on the System > Alerts Page
View Channel Utilization in RF Health Reports
Viewing Controller License Information
Rogue Device Classification
Rules-Based Controller Classification
Using RAPIDS Defaults for Controller Classification
Chapter 1 Overview This document provides best practices for leveraging AirWave to monitor and manage your Dell Networking W-Series infrastructure. Dell Networking W-Series wireless infrastructure provides a wealth of functionality such as firewall, VPN, remote AP, IDS, IPS, and ARM, as well as an abundance of statistical information. Follow the simple guidelines in this document to garner the full benefit of your Dell Networking W-Series infrastructure.
Without proper Telnet/SSH credentials AirWave will not be able to acquire license and serial information from controllers.
- SNMPv3 credentials are required for WMS Offload:
  - Username
  - Auth password
  - Privacy password
  - Auth protocol
Chapter 2 Configuring AirWave for Global W-Series Infrastructure This section explains how to optimally configure AirWave to manage your global Dell Networking W-Series infrastructure.
Entering Credentials in Device Setup > Communication AirWave requires several credentials to properly interface with Dell Networking W-Series devices. To enter these credentials, follow these steps: 1. Navigate to Device Setup > Communication. 2. In the Default Credentials section, select the Edit link next to Dell. The page illustrated in Figure 3 appears. 3. Enter the SNMP Community String.
6. Click Save when you are finished.
Setting Up Recommended Timeout and Retries
To set recommended timeout and retries settings, follow these steps:
1. In the Device Setup > Communication page, locate the SNMP Setting section.
2. Change the SNMP Timeout setting to a value of either 3, 4, or 5. This is the number of seconds that AirWave will wait for a response from a device after sending an SNMP request, so a smaller number is more ideal.
3. Change the SNMP Retries value to 10.
- Access points - Dell Networking W-AP92, W-AP93, W-AP105, W-AP124, W-AP125, W-AP134, W-AP135
- Controllers - Dell Networking W-600 Series, W-3000 Series, W-6000M3, or W-7200 Series
AirWave Setup
Follow these steps in AirWave:
1. Navigate to AMP Setup > General.
2. In the Additional AMP Services section, set Enable AMON Data Collection to Yes, and set Prefer AMON vs SNMP Polling to Yes.
Figure 5 AMON Data Collection setting in AMP Setup > General
3. Click Save when you are done.
Chapter 3 Configuring a Dell Networking W Group in AirWave
It is prudent to establish one or more Dell Networking W Groups within AirWave. During the discovery process you will move newly discovered controllers into this group. This section contains the following topics:
- "Basic Monitoring Configuration" on page 11
- "Advanced Configuration" on page 12
Basic Monitoring Configuration
1. Navigate to Groups > List.
2. Select Add.
3.
Figure 7 Group SNMP Version for Monitoring 7. Click Save and Apply when you are done. Advanced Configuration Refer to the Dell Networking W-AirWave Controller Configuration Guide at dell.com/support/manuals for detailed instructions.
Chapter 4 Discovering Dell Networking W-Series Infrastructure AirWave utilizes the Dell Networking W-Series topology to efficiently discover downstream infrastructure. This section guides you through the process of discovering and managing your Dell Networking W-Series device infrastructure.
Figure 8 Dell Networking W Credentials in Device Setup > Add
4. Enter the required fields for configuration and basic monitoring:
   - Telnet/SSH Username
   - Telnet/SSH password
   - enable password
5. Enter the required fields for WMS Offload:
   - SNMPv3 Auth Protocol
   - SNMPv3 Privacy Protocol
   - SNMPv3 Username
   - Auth Password
   - Privacy Password
The protocols for SNMPv3 Auth and SNMPv3 Privacy should be SHA-1 and DES in order for WMS Offload to work.
6. Assign the controller to a Group and Folder. 7. Ensure that the Monitor Only option is selected. If you select Manage read/write, AMP will push the group setting configuration, and existing device configurations will be deleted/overwritten. 8. Select Add. 9. Navigate to the APs/Devices > New page. 10. Select the Dell Networking W-Series master controller you just added from the list of new devices. 11. Ensure Monitor Only option is selected. 12. Select Add.
Chapter 5 AirWave and Dell Networking W-Series Integration Strategies
This section describes strategies for integrating AirWave and Dell Networking W-Series devices and contains the following topics:
- "Integration Goals" on page 17
- "Example Use Cases" on page 18
- "Prerequisites for Integration" on page 19
- "Enable Stats Utilizing AirWave" on page 19
- "WMS Offload with AirWave" on page 20
- "Define AirWave as a Trap Host using the ArubaOS CLI" on page 21
- "Understanding WMS Offload Impact
- Unless you enable stats on the local controllers in a master/local environment, the local controllers do not populate their MIBs with any information about clients or rogue devices discovered/associated with their APs. Instead the information is sent upstream to the master controller.
- You are in the process of converting your older third-party WLAN devices to Dell Networking W-Series devices and want a unified IDS dashboard for all WLAN infrastructure.
- You want to relate Auth failures to a client device, AP, Group of APs, and controller. AirWave provides this unique correlation capability. See "Define AirWave as a Trap Host using the ArubaOS CLI" on page 21.
When to Use Channel Utilization
- You have a minimum version of ArubaOS 6.1.0.0 and W-AP105 or W-AP135.
Figure 10 Offload WMS Database field in Groups > Basic 6. Select Save and Apply. 7. Select Save. This will push a set of commands via SSH to all Dell Networking W-Series local controllers. AirWave must have read/write access to the controllers in order to push these commands. This process will not reboot your controllers. If you don't follow the above steps, local controllers will not be configured to populate statistics.
This process will not reboot your controllers. See "ArubaOS and AirWave CLI Commands" on page 37 for information on how to utilize the ArubaOS CLI to enable stats for WMS Offload. The SNMPv3 user's Auth Password and Privacy Password must be the same. Do not enter these commands; these are pushed by AirWave while enabling WMS Offload.
IDS Traps
- wlsxSignatureMatchAP
- wlsxSignatureMatchSta
- wlsxSignAPNetstumbler
- wlsxSignStaNetstumbler
- wlsxSignAPAsleap
- wlsxSignStaAsleap
- wlsxSignAPAirjack
- wlsxSignStaAirjack
- wlsxSignAPNullProbeResp
- wlsxSignStaNullProbeResp
- wlsxSignAPDeauthBcast
- wlsxSignStaDeauthBcast
- wlsxChannelFrameErrorRateExceeded
- wlsxChannelFrameFragmentationRateExceeded
- wlsxChannelFrameRetryRateExceeded
- wlsxNIpSpoofingDetected
- wlsxStaImpersonation
- wlsxReservedChannelViol
- wlsxAPImpersonation
- wlsxDisconnectStationAttackAP
- wlsxDisconnectStationAttackSta
ARM Traps
- AP Power Change
- AP Mode Change
- AP Channel Change
Ensuring That IDS And Auth Traps Display in AirWave
Validate your ArubaOS configuration by exiting the configure terminal mode and issuing the following command:
(Controller-Name) # show snmp trap-list
If any of the traps in the output of this command do not appear to be enabled, enter configure terminal mode and issue the following command:
(Contr
Validate that traps are making it into AirWave by issuing the following commands from the AirWave command line.
[root@AMP ~]# qlog enable snmp_traps
[root@AMP ~]# tail -f /var/log/amp_diag/snmp_traps
1241627740.392536 handle_trap|2009-05-06 09:35:40 UDP: [10.2.32.65]->[10.51.5.118]:-32737 sends trap: DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (127227800) 14 days, 17:24:38.00 SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.14823.2.3.1.11.1.2.1106 SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.
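An added example (not part of the original guide or of AirWave): a Python parser for trap records in the format of the log excerpt above, used to confirm which controllers are delivering traps to AirWave and which expected controllers are silent. It assumes one trap record per line; the function names, the second and third controller addresses, and the second trap OID in the sample are constructed for illustration.

```python
import re
from collections import Counter

# First record reuses the excerpt shown above; the remaining lines are constructed.
SAMPLE_LOG = """\
1241627740.392536 handle_trap|2009-05-06 09:35:40 UDP: [10.2.32.65]->[10.51.5.118]:-32737 sends trap: DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (127227800) 14 days, 17:24:38.00 SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.14823.2.3.1.11.1.2.1106
1241627741.101010 handle_trap|2009-05-06 09:35:41 UDP: [10.2.32.65]->[10.51.5.118]:-32737 sends trap: DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (127227900) 14 days, 17:24:39.00 SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.14823.2.3.1.11.1.2.1106
1241627750.000001 handle_trap|2009-05-06 09:35:50 UDP: [10.2.32.66]->[10.51.5.118]:-32737 sends trap: DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (500) 0:00:05.00 SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.14823.2.3.1.11.1.2.1001
1241627751.000002 some unrelated diagnostic line
"""

# Header of a trap record: epoch, handler name, wall-clock time, source and destination.
LINE_RE = re.compile(
    r"^(?P<epoch>\d+\.\d+)\s+handle_trap\|(?P<when>\S+ \S+)\s+UDP:\s+"
    r"\[(?P<src>[^\]]+)\]->\[(?P<dst>[^\]]+)\]:\S+\s+sends trap:\s+(?P<body>.*)$"
)
# The snmpTrapOID.0 varbind identifies which trap was sent.
TRAP_OID_RE = re.compile(r"snmpTrapOID\.0 = OID: (\S+)")


def parse_trap_line(line):
    """Return the fields of one trap record, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    oid = TRAP_OID_RE.search(m.group("body"))
    return {
        "epoch": float(m.group("epoch")),
        "when": m.group("when"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "trap_oid": oid.group(1) if oid else "unknown",
    }


def summarize(log_text, expected_controllers):
    """Count traps per (controller, trap OID); list expected controllers that sent none."""
    counts = Counter()
    seen = set()
    for line in log_text.splitlines():
        rec = parse_trap_line(line)
        if rec is None:
            continue  # skip non-trap diagnostic lines
        seen.add(rec["src"])
        counts[(rec["src"], rec["trap_oid"])] += 1
    silent = sorted(set(expected_controllers) - seen)
    return counts, silent


if __name__ == "__main__":
    counts, silent = summarize(SAMPLE_LOG, ["10.2.32.65", "10.2.32.66", "10.2.32.67"])
    for (src, oid), n in sorted(counts.items()):
        print(f"{src}  {oid}  x{n}")
    print("no traps seen from:", ", ".join(silent) or "none")
```

A controller that appears in the silent list after a test event is the one to recheck for trap host and trap enable configuration.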
See "Rogue Device Classification" on page 33 for more information on security, IDS, WIPS, WIDS, classification, and RAPIDS.
Chapter 6 Dell Networking W-Series Specific Capabilities in AirWave
This section discusses Dell Networking W-Series specific capabilities in AirWave and contains the following topics:
- "Dell Networking W-Series Traps for RADIUS Auth and IDS Tracking" on page 27
- "Remote AP Monitoring" on page 28
- "ARM and Channel Utilization Information" on page 28
- "Viewing Controller License Information" on page 32
- "Rogue Device Classification" on page 33
- "Rules-Based Controller Classification" on page
Remote AP Monitoring To monitor remote APs, follow these steps: 1. From the APs/Devices > List page, filter on the Remote Device column to find remote devices. 2. To view detailed information on the remote device, select the device name. The page illustrated in Figure 15 appears. Figure 15 Remote AP Detail Page 3. You can also see if there are users plugged into the wired interfaces in the Connected Clients list below the Clients and Usage graphs.
Figure 16 ARM and Channel Utilization Graphs See the Dell Networking W-AirWave 7.7 User Guide at dell.com/support/manuals for more information on the data that displays in the Radio Statistics page for these devices. VisualRF and Channel Utilization To view how channel utilization is impacting an area within a building, follow these steps: 1. Navigate to a floor plan by clicking on the thumbnail on a device’s APs/Devices > Monitor page or navigating to VisualRF > Floor Plans page. 2.
Figure 17 Channel Utilization in VisualRF (Interference/2.4 GHz) Configuring Channel Utilization Triggers 1. Navigate to System > Triggers and select Add. 2. Select Channel Utilization from the Type drop-down menu as seen on Figure 18:
Figure 18 Channel Utilization Trigger 3. Enter the duration evaluation period. 4. Click the Add New Trigger Condition button. 5. Create a trigger condition for Radio Type and select the frequency to evaluate. 6. Select total, receive, transmit, or interference trigger condition. 7. Set up any restrictions or notifications. (Refer to the Dell Networking W-AirWave 7.7 User Guide at dell.com/support/manuals for more details.) 8. When you are finished, click Add.
2. Scroll down to the Alert Summary page and select AMP Alerts. Figure 19 Channel Utilization alerts Channel Utilization Alerts on the System > Alerts Page 1. Navigate to the System > Alerts page. 2. Sort the Trigger Type column and find Channel Utilization alerts. Figure 20 Channel Utilization alerts on the System > Alerts page View Channel Utilization in RF Health Reports 1. Navigate to Reports > Generated. 2. Find and select an RF Health report. 3. Scroll down to view most and least utilized 2.
Figure 22 License Popup from APs/Devices > Monitor page for a controller Rogue Device Classification Complete this section if you have completed the WMS Offload procedure above. After offloading WMS, AirWave maintains the primary ARM, WIPS, and WIDS state classification for all devices discovered over-the-air.
Controller classification can also be updated from RAPIDS > List via the Modify Devices link. All rogue devices will be set to a default controller classification of unclassified when WMS is first offloaded except for devices classified as valid. Rogue devices classified in ArubaOS as valid will also be classified within AirWave as valid for their controller classification as well.
There is no method in the AirWave UI to update user classification en masse to match the controller’s classification. Each client must be updated individually within the AirWave UI. Rules-Based Controller Classification Using RAPIDS Defaults for Controller Classification To use the controller's classification as RAPIDS classification, follow these steps: 1. Navigate to the RAPIDS > Rules page and select the pencil icon beside the rule that you want to change. 2.
Figure 26 Configure Rules for Classification 4. Click Add. 5. A new Controller Classification field displays. Select the desired controller classification to use as an evaluation in RAPIDS. 6. Click Save.
Appendix A ArubaOS and AirWave CLI Commands Enable Channel Utilization Events Enabling these commands on ArubaOS versions prior to 6.1 can result in performance issues on the controller. To enable channel utilization events utilizing the Dell Networking W-Series ArubaOS CLI, use SSH to access a local or master controller’s command-line interface, enter enable mode, and issue the following commands: (Controller-Name) # configure terminal Enter Configuration commands, one per line.
Enter Configuration commands, one per line. End with CNTL/Z (Controller-Name) (config) # mobility-manager user (Controller-Name) (config) # write mem This command creates an SNMPv3 user on the controller with the authentication protocol configured to SHA and privacy protocol DES. The user and password must be at least eight characters because the Net-SNMP package in AirWave adheres to this IETF recommendation.
so it is highly recommended to disable debugging. To disable debugging, SSH into the controller, enter enable mode, and issue the following commands: (Controller-Name) # show running-config | include logging level debugging If there is output, then use the following commands to remove the debugging: (Controller-Name) # configure terminal Enter Configuration commands, one per line.
Appendix B AirWave Data Acquisition Methods The following table describes the different methods through which AirWave acquires data from Dell Networking W-Series devices on the network.
Data Elements Active BSSIDs/SSIDs Dell Networking WInstant Controller/Thin AP X X Security IDS events Neighbors/rogues Neighbor re-classification N/A X X X Client classification User deauthorization X X X X N/A X N/A N/A
Appendix C WMS Offload Details WMS Offload instructs the master controller to stop correlating ARM, WIPS, and WIDS state information amongst its local controllers because AirWave will assume this responsibility. Figure 27 depicts how AirWave communicates state information with local controllers. Figure 27 ARM/WIPS/WIDS Classification Message Workflow State Correlation Process 1. AP-1-3-1 hears rogue device A. 2.
Using AirWave as a Master Device State Manager
AirWave offers the following benefits as a master device state manager:
- Ability to correlate state among multiple master controllers. This will reduce delays in containing a rogue device or authorizing a valid device when devices roam across a large campus.
- Ability to correlate state of third party access points with ARM. This will ensure that Dell Networking W-Series infrastructure inter-operates more efficiently in a mixed infrastructure environment.
Appendix D Increasing Location Accuracy This section describes the impact that band steering can have on location accuracy. It also explains how RTLS can be used to increase location accuracy. Leveraging RTLS to Increase Accuracy This section provides instructions for integrating the AirWave and Dell Networking W-Series WLAN infrastructure with Dell Networking W's RTLS feed to more accurately locate wireless clients and Wi-Fi Tags.
- Ensure that the firewall configuration for port 5050 (default port) supports bidirectional UDP communication between the AirWave server's IP address and each access point's IP address.
Enable RTLS Service on the AirWave Server
To enable RTLS service on the AirWave server, follow these steps:
1. Navigate to AMP Setup > General and locate the Additional AMP Services section.
2. Select Yes for the Enable RTLS Collector option.
3.
(Controller-Name) (config) # ap system-profile
(Controller-Name) (AP system profile default) # rtls-server ip-addr port 5050 key
(Controller-Name) (AP system profile default) # write mem
To validate, exit configuration mode:
(Controller-Name) # show ap monitor debug status ip-addr
...
RTLS configuration
------------------
Type  Server IP  Port  Frequency  Active
----  ---------  ----  ---------  ------
MMS   10.51.2.
Mon Oct 20 13:35:00 2008: 1224534900.588338 - got 96 bytes from 10.51.1.39 on port 5050 payload: 0014c9c90100003c001a1ec050780000000200000013c9c70100000c001a1ec050780000000d54a7a280 540001ddff020013c9c80100000c001a1ec050780000000cdb8ae9a9000006c4ff02 Ensure chirps are published to Airbus by snooping on RTLS tag reports. [root@AMPServer]# airbus_snoop rtls_tag_report Snooping on rtls_tag_report: Mon Oct 20 13:49:03 2008 (1224535743.
Wi-Fi Tag Setup Guidelines
- Ensure that the tags can be heard by at least three (3) access points from any given location. The recommended value is 4 APs.
- Ensure that the tags chirp on all regulatory channels.