Siemens SCALANCE W1750D UI

To Next Page

To Previous Page

AP-VPN Deployment Scenarios

35.1 Scenario 1 - IPsec: Single Datacenter Deployment with No Redundancy

SCALANCE W1750D UI

Configuration Manual, 02/2018, C79000-G8976-C451-02

531

Topology

The following figure shows the topology and the IP addressing scheme used in this scenario.

Figure 35-1 Scenario 1 - IPsec: Single datacenter Deployment with No Redundancy

Main Page

Default Chapter2
- C79000-G8976-C4512
- Table of Contents5
1 About this Guide19
- Table 1- 1 Typographical Conventions19
2 Security Recommendations21
3 About SCALANCE W25
- Overview25
- Scalance W Ui26
- Scalance W Cli27
4 Setting up an AP29
- Setting up an SCALANCE W Network29
- Connecting an AP29
- Assigning an IP Address to the AP30
- Provisioning an AP31
- Zero Touch Provisioning of Aps31
- Provisioning Aps through Airwave33
- Logging in to the SCALANCE W UI34
- Figure 4-1 Login Screen34
- Accessing the SCALANCE W CLI36
5 Automatic Retrieval of Configuration41
- Managed Mode Operations41
- Configuration Managed Mode Parameters42
- Table 5- 1 Managed Mode Commands42
- Verifying the Configuration44
6 SCALANCE W User Interface45
- Login Screen45
- Figure 6-1 Connectivity Summary45
- Main Window47
- Figure 6-2 SCALANCE W Main Window47
- Configuration47
- Tabs49
- Network Tab49
- Access Points Tab50
- Clients Tab51
- Links52
- New Version Available52
- System53
- Security54
- Maintenance55
- More56
- Figure 6-3 VPN Window for Ipsec Configuration56
- Figure 6-4 IDS Window: Intrusion Detection57
- Figure 6-5 IDS Window: Intrusion Protection57
- Figure 6-6 Wired Window58
- Figure 6-7 Services Window: Default View59
- Figure 6-8 DHCP Servers Window60
- Help61
- Logout61
- Monitoring61
- Figure 6-9 RF Dashboard in the Monitoring Pane64
- Figure 6-10 RF Trends for Access Point66
- Figure 6-11 RF Trends for Clients66
- Monitoring67
- Figure 6-12 Usage Trends Graphs in the Default View68
- Client Match72
- Figure 6-13 Client Distribution on AP Radio72
- Figure 6-14 Channel Availability Map for Clients72
- Apprf73
- Spectrum73
- Alerts74
- Figure 6-15 Alerts Link74
- Table 6- 1 Types of Alerts75
- Figure 6-16 Client Alerts75
- Table 6- 2 Types of Alerts76
- Ids78
- Airgroup79
- Configuration79
- Airwave Setup80
- Pause/Resume80
- Views80
7 Initial Configuration Tasks81
- Configuring System Parameters81
- Table 7- 1 System Parameters81
- Changing Password87
8 Customizing AP Settings89
- Modifying the AP Host Name89
- Configuring Zone Settings on an AP90
- Specifying a Method for Obtaining IP Address91
- Configuring Radio Profiles for an AP92
- Configuring Uplink VLAN for an AP94
- Changing USB Port Status95
- Master Election and Virtual Controller96
- Adding an AP to the Network98
- Removing an AP from the Network99
9 VLAN Configuration101
- VLAN Pooling101
- Uplink VLAN Monitoring and Detection on Upstream Devices101
10 Ipv6 Support103
- Ipv6 Notation103
- Enabling Ipv6 Support for AP Configuration104
- Firewall Support for Ipv6106
- Debugging Commands107
11 Wireless Network Profiles109
- Configuring Wireless Network Profiles109
- Configuring WLAN Settings for an SSID Profile110
- Configuring VLAN Settings for a WLAN SSID Profile117
- Configuring Security Settings for a WLAN SSID Profile120
- Configuring Access Rules for a WLAN SSID Profile131
- Configuring Per-AP SSID and Per-AP-VLAN Settings on a Wireless Profile134
- Configuring Fast Roaming for Wireless Clients135
- Opportunistic Key Caching135
- Fast BSS Transition (802.11R Roaming)137
- Radio Resource Management (802.11K)138
- BSS Transition Management (802.11V)141
- Configuring Modulation Rates on a WLAN SSID142
- Multi-User-MIMO143
- Management Frame Protection144
- Disabling Short Preamble for Wireless Client144
- Editing Status of a WLAN SSID Profile145
- Deleting a WLAN SSID Profile145
12 Wired Profiles147
- Configuring a Wired Profile147
- Configuring Wired Settings147
- Configuring VLAN for a Wired Profile149
- Configuring Security Settings for a Wired Profile151
- Authentication and User151
- Configuring Access Rules for a Wired Profile153
- Assigning a Profile to Ethernet Ports155
- Editing a Wired Profile156
- Deleting a Wired Profile156
- Link Aggregation Control Protocol156
- Enabling Port-Channel on a Switch157
- Enabling Static LACP Configuration158
- Understanding Hierarchical Deployment159
13 Captive Portal for Guest Access161
- Understanding Captive Portal161
- Types of Captive Portal161
- Walled Garden162
- Configuring a WLAN SSID for Guest Access163
- Configuring Wired Profile for Guest Access170
- Configuring Internal Captive Portal for Guest Network172
- Configuring External Captive Portal for Guest Network176
- External Captive Portal Profiles176
- Creating a Captive Portal Profile176
- Configuring an SSID or Wired Profile to Use External Captive Portal Authentication178
- External Captive Portal Redirect Parameters181
- Configuring External Captive Portal Authentication Using Clearpass Guest181
- Table 13- 1 External Captive Portal Redirect Parameters181
- Configuring Facebook Login184
- Setting up a Facebook Page184
- Configuring an SSID184
- Configuring the Facebook Portal Page185
- Accessing the Portal Page186
- Configuring Guest Logon Role and Access Rules for Guest Users187
- Configuring Captive Portal Roles for an SSID190
- Configuring Walled Garden Access194
- Disabling Captive Portal Authentication195
14 Authentication and User Management197
- Managing AP Users197
- Table 14- 1 User Privileges197
- Configuring AP Users198
- Configuring Authentication Parameters for Management Users200
- Adding Guest Users through the Guest Management Interface202
- Supported Authentication Methods203
- Supported EAP Authentication Frameworks205
- Configuring Authentication Servers206
- Supported Authentication Servers206
- TACACS Servers208
- Configuring an External Server for Authentication209
- Enabling RADIUS Communication over TLS214
- Configuring Dynamic RADIUS Proxy Parameters216
- Associate Server Profiles to a Network Profile218
- Understanding Encryption Types220
- Table 14- 2 WPA and WPA-2 Features220
- Table 14- 3 Recommended Authentication and Encryption Combinations221
- Configuring Authentication Survivability222
- Configuring 802.1X Authentication for a Network Profile224
- Enabling 802.1X Supplicant Support227
- Configuring MAC Authentication for a Network Profile229
- Configuring MAC Authentication with Captive Portal Authentication231
- Configuring Wispr Authentication233
- Blacklisting Clients235
- Uploading Certificate238
15 Roles and Policies243
- Firewall Policies243
- Access Control List Rules243
- Configuring ACL Rules for Network Services244
- Configuring Network Address Translation Rules247
- Configuring ALG Protocols250
- Configuring Firewall Settings for Protection from ARP Attacks251
- Configuring Firewall Settings to Disable Auto Topology Rules253
- Managing Inbound Traffic254
- Content Filtering260
- Configuring User Roles266
- Configuring Derivation Rules270
- Understanding Role Assignment Rule270
- Creating a Role Derivation Rule271
- Understanding VLAN Assignment273
- Configuring VLAN Derivation Rules275
- Using Advanced Expressions in Role and VLAN Derivation Rules277
- Table 15- 1 Regular Expressions277
- Configuring a User Role for VLAN Derivation279
16 DHCP Configuration281
- Configuring DHCP Scopes281
- Configuring Local DHCP Scopes281
- Configuring Distributed DHCP Scopes284
- Configuring Centralized DHCP Scopes288
- Table 16- 1 DHCP Relay and Option 82289
- Configuring the Default DHCP Scope for Client IP Assignment291
17 Configuring Time-Based Services295
- Time Range Profiles295
- Configuring a Time Range Profile296
- Applying a Time Range Profile to a WLAN SSID297
- Verifying the Configuration298
18 Dynamic DNS Registration299
- Enabling Dynamic DNS299
- Configuring Dynamic DNS Updates for Clients301
- Verifying the Configuration302
19 VPN Configuration303
- Understanding VPN Features303
- Table 19- 1 VPN Protocols304
- Configuring a Tunnel from an AP to a Mobility Controller305
- Configuring an Ipsec Tunnel305
- Configuring an L2-GRE Tunnel308
- Configuring an L2Tpv3 Tunnel313
- Configuring Routing Profiles323
20 AP-VPN Deployment327
- Understanding AP-VPN Architecture327
- Table 20- 1 AP-VPN Scalability327
- Table 20- 2 DHCP Scope and VPN Forwarding Modes Matrix330
- Configuring AP and Controller for AP-VPN Operations331
- Configuring an AP Network for AP-VPN Operations331
- Configuring a Controller for AP-VPN Operations334
- Table 20- 3 Branch Details339
21 Adaptive Radio Management341
- ARM Overview341
- Configuring ARM Features on an AP343
- Band Steering343
- Airtime Fairness Mode343
- Client Match344
- Access Point Control347
- Verifying ARM Configuration348
- Configuring Radio Settings351
22 Deep Packet Inspection and Application Visibility357
- Deep Packet Inspection357
- Enabling Application Visibility358
- Application Visibility359
- Enabling URL Visibility366
- Configuring ACL Rules for Application and Application Categories367
- Configuring Web Policy Enforcement Service371
23 Voice and Video375
- Wi-Fi Multimedia Traffic Management376
- Table 23- 1 WMM AC to 802.1P Priority Mapping376
- Table 23- 2 WMM AC-DSCP Mapping377
- Media Classification for Voice and Video Calls380
- Enabling Enhanced Voice Call Tracking382
- Table 23- 3 SNMP Trap Details for Voip Calls382
24 Services383
- Configuring Airgroup383
- Multicast DNS and Bonjour® Services384
- DLNA Upnp Support385
- Airgroup Features386
- Airgroup Components388
- Table 24- 1 SCALANCE W, Clearpass Policy Manager, and Clearpass Guest Requirements388
- Configuring Airgroup and Airgroup Services on an AP389
- Table 24- 2 Airgroup Filtering Options389
- Configuring Airgroup and Clearpass Policy Manager Interface in SCALANCE W393
- Configuring an AP for RTLS Support395
- Configuring an AP for Analytics and Location Engine Support397
- Managing BLE Beacons400
- Configuring Opendns Credentials402
- Integrating an AP with Palo Alto Networks Firewall403
- Integrating an AP with an XML API Interface406
- Table 24- 3 XML API Command407
- Table 24- 4 XML API Command Options408
- CALEA Integration and Lawful Intercept Compliance409
25 AP Management and Monitoring417
- Managing an AP from Airwave417
- Configuring Organization String421
- Alternate Method for Defining Vendor Specific DHCP Options424
26 Uplink Configuration425
- Uplink Interfaces425
- Ethernet Uplink426
- Cellular Uplink429
- Wi-Fi Uplink431
- Uplink Preferences and Switching434
- Enforcing Uplinks434
- Setting an Uplink Priority435
- Enabling Uplink Preemption435
- Switching Uplinks Based on VPN and Internet Availability436
- Viewing Uplink Status and Configuration438
27 Intrusion Detection441
- Detecting and Classifying Rouge Aps441
- OS Fingerprinting442
- Configuring Wireless Intrusion Protection and Detection Levels443
- Configuring IDS448
28 Mesh AP Configuration451
- Mesh Network Overview451
- Setting up SCALANCE W Mesh Network453
- Configuring Wired Bridging on Ethernet 0 for Mesh Point454
29 Mobility and Client Management455
- Layer-3 Mobility Overview455
- Configuring L3-Mobility457
30 Spectrum Monitor461
- Understanding Spectrum Data461
- Configuring Spectrum Monitors and Hybrid Aps467
31 AP Maintenance471
- Upgrading an AP471
- Backing up and Restoring AP Configuration Data473
- Converting an AP to a Remote AP and Campus AP474
- Resetting a Remote AP or Campus AP to an AP478
- Rebooting the AP479
32 Monitoring Devices and Logs481
- Configuring SNMP481
- Configuring a Syslog Server486
- Configuring TFTP Dump Server489
- Running Debug Commands490
- Uplink Bandwidth Monitoring495
33 Hotspot Profiles497
- Understanding Hotspot Profiles497
- Configuring Hotspot Profiles500
- Creating Advertisement Profiles for Hotspot Configuration500
- Creating a Hotspot Profile509
- Associating an Advertisement Profile to a Hotspot Profile511
- Creating a WLAN SSID and Associating Hotspot Profile512
- Sample Configuration514
34 Clearpass Guest Setup519
- Configuring Clearpass Guest519
- Verifying Clearpass Guest Setup526
- Troubleshooting527
35 AP-VPN Deployment Scenarios529
- Scenario 1 - Ipsec: Single Datacenter Deployment with no Redundancy530
- Scenario 2 - Ipsec: Single Datacenter with Multiple Controllers for Redundancy535
- Scenario 3 - Ipsec: Multiple Datacenter Deployment with Primary and Backup Controllers for Redundancy541
- Scenario 4 - GRE: Single Datacenter Deployment with no Redundancy547
Appendix553
- Terms553
- Acronyms and Abbreviations556
- Glossary566

Siemens SCALANCE W1750D UI

Table of Contents

Related product manuals