:+1.)7(;<.%<+1);#,)) =+1%&#)>'%,+)!"#$%&'(%#&)*%(+,) -+./"(01)$"()*%23%) )

Transcription

1 :+1.)7(;<.%<+1);#,)) =+1%&#)>'%,+)!"#$%&'(%#&)*%(+,) -+./"(01)$"()*%23%) )

2 2/)-/0-0*780&-/,-* *9! :;-%;&-<* *=! OSI... 6! Wired Networks and OSI... 7! Wi-Fi and the OSI Model... 8! Common Wi-Fi Deployments... 9! Distributed Data Forwarding... 10! Advantages... 11! Disadvantages... 11! 802.1Q VLAN Tagging... 11! Centralized/Tunneled Data Forwarding... 12! Advantages... 12! Disadvantages... 13! 802.1Q VLAN Tagging... 13! Physical Security... 15! Access Points... 15! ZoneDirector... 15! Redundancy... 15! Access Points... 15! ZoneDirector... 15! Performance... 16! Access Points... 16! ZoneDirector... 16! ZoneDirector Discovery... 17! +-)<"%>*F-,8%&)$* *CG! Network Port Access... 18! Access Points... 18! ZoneDirector... 20! Firewalls... 21! ZoneDirector and Managed APs... 21! Standalone APs... 21! FlexMaster... 21! Firewall Caveat... 22! 2013 Ruckus Wireless, Inc. Wired Networks for Wi-Fi v1.3 1

3 Management Access... 22! Access Points... 22! ZoneDirector... 22!!"/3&'8%&/'*H/).''-0*IJ7+B* *KL! Note on VLAN ! Example... 23! Wired Configuration... 24! ZoneDirector Configuration... 24!!"/3&'8%&/'*?.''-0*IJ7+B* *K=! Note on VLAN ! Example... 26! Wired Configuration... 27! ZoneDirector Configuration... 27! Dynamic VLANs... 28! Wired Configuration... 29! ZoneDirector Configuration... Note on VLAN ! Example... 30! Wired Configuration... 31! ZoneDirector Configuration... 31! MJ7+*:;-%%&0-B* *LL! ZoneDirector Configuration... 33! N./.'-4-/)*MJ7+B* *L9! Note on VLAN ! Who Should Use Management VLANs... 35! Example... 35! Wired Configuration... 36! ZoneDirector Configuration... 36! AP Configuration... 37! Recommendations... 38! Switch Port Configuration... 38! APs Can Discover the ZoneDirector... 39! APs First... WMM, ToS and DSCP Support... 40! Other Classification Values... 42! Modifying Traffic Classification... 43! 2013 Ruckus Wireless, Inc. Wired Network Design v1.3 2

4 Multicast and Broadcast Traffic... 43! ZoneDirector Directed Traffic Commands... 43! AP Directed Traffic Commands... 44! Configuring per-ssid Priority... 45! ZoneDirector-based SSID Prioritization... AP Cannot Connect to ZoneDirector... 47! Discovery... 47! VLANs and Connectivity... 47! Model Support... 47! Firewalls... 48! Captive Portal Fails to Redirect to Login Page... 48! 7##-/0&R*7S*T-,"44-/0-0*T-.0&/'* *6U! OSI Model... 49! Virtual LANs... 49! Cisco Wired Networking... 49! 7##-/0&R*VS*!"44"/*!&B,"*!"44./0B* *9D! Configuring an Access Port... 50! Configuring a Trunk Port... 50! Troubleshooting... 51! Access Port... 51! Trunk Port... 52! 7##-/0&R*!S*!"44"/*W1*!"44./0B* *9L! Configuring a Port... 53! 7##-/0&R*AS*!"44"/*ER)%-4-*!"44./0B* *96! Configuring a Port... 54! 7##-/0&R*ES*!"/3&'8%&/'*E/)-%.B$B*F<&),(-B*./0*T"8)-%B* *99! Configuring a Port... 55! 2013 Ruckus Wireless, Inc. Wired Network Design v1.3 3

5 !"AB(%&C.)-".%<+);#,) 7("A(%+.;(B)8#$"(D;.%"#) Copyright 2013 Ruckus Wireless, Inc. All rights reserved. No part of this documentation may be reproduced, transmitted, or translated, in any form or by any means, electronic, mechanical, manual, optical, or otherwise, without prior written permission of Ruckus Wireless, Inc. ( Ruckus ), or as expressly provided by under license from Ruckus. Destination Control Statement Technical data contained in this publication may be subject to the export control laws of the United States of America. Disclosure to nationals of other countries contrary to United States law is prohibited. It is the reader s responsibility to determine the applicable regulations and to comply with them. Disclaimer THIS DOCUMENTATION AND ALL INFORMATION CONTAINED HEREIN ( MATERIAL ) IS PROVIDED FOR GENERAL INFORMATION PURPOSES ONLY. RUCKUS AND ITS LICENSORS MAKE NO WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, WITH REGARD TO THE MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE, OR THAT THE MATERIAL IS ERROR-FREE, ACCURATE OR RELIABLE. RUCKUS RESERVES THE RIGHT TO MAKE CHANGES OR UPDATES TO THE MATERIAL AT ANY TIME. Limitation of Liability IN NO EVENT SHALL RUCKUS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL OR CONSEQUENTIAL DAMAGES, OR DAMAGES FOR LOSS OF PROFITS, REVENUE, DATA OR USE, INCURRED BY YOU OR ANY THIRD PARTY, WHETHER IN AN ACTION IN CONTRACT OR TORT, ARISING FROM YOUR ACCESS TO, OR USE OF, THE MATERIAL. Trademarks Ruckus Wireless is a trademark of Ruckus Wireless, Inc. in the United States and other countries. All other product or company names may be trademarks of their respective owners Ruckus Wireless, Inc. Wired Networks for Wi-Fi v1.3 4

6 8#.+#,+,)E',%+#<+) There are many factors and concerns related to wired network support of Wi-Fi enterprise deployments. This document is written for and intended for use by technical engineers with some background in Wi-Fi design, Ethernet and /wireless engineering principles Ruckus Wireless, Inc. Wired Networks for Wi-Fi v1.3 5

7 FG+(G%+/) Most wireless networks are designed for wireless to wired communications. This requires a sound design both on the wireless and wired network. This document describes recommended practices for designing the wired side and the wireless side for seamless communication and application support. Several relevant topics are covered: OSI-level integration Network deployment models Network element placement within a deployment model Security Quality of Service Common issues and troubleshooting :F2* When discussing interactions between two types of networks, a good place to start is with the Open Systems Interconnection (OSI) model. This describes the functions of a network in terms of distinct layers. Each layer defines to a specific function required to transmit and receive data over a physical medium up to the end application. Figure 1 - OSI Model 2013 Ruckus Wireless, Inc. Wired Networks for Wi-Fi v1.3 6

8 5C%1),"<'D+#.)$"<'1+1)"#).C"1+)?+./++#)HIJKLL)M*%23%N);#,) Ruckus Wireless, Inc. Wired Network Design v1.3 7

9 1 There Appendix A: Recommended Reading at the end of this document. *%(+,)-+./"(01);#,)F98) From the wired network perspective, the OSI frameworks is as follows: Layer 1 (physical) the physical medium for wired networks, it typically consists of copper or fiber optic cabling Layer 2 (data link) consists of the basic communications protocol to transmit frames, physical addressing, and access and flow control. For an Ethernet network this is defined in the IEEE specification. Layer 2 assumes a single network in which all devices are reachable to each other. Layer 2 is often referred to as the MAC or IP layer as well1 as a subnet Layer 3 (network) provides mechanisms to transport data (routing) from one network to another. Routers and Layer 3 Ethernet switches typically perform this. Layer 3 networks can use different protocols over the IP network such as UDP and TCP. Virtual LANs Virtual LANs (IEEE 802.1Q specification) are commonly deployed as part of a Layer 2 network. A VLAN is a way to logically create a Layer 2 network that mimics a physical Layer 2 network. Multiple VLANs can exist in a given infrastructure. VLANs are often referred to as broadcast domains meaning any device on a physical port that is configured to be part of that VLAN can reach each other but no other device. Two devices might be physically connected to the same Ethernet switch, but if they are members of different VLANs they will require a Layer 3 routing service to reach each other. VLANs work by modifying a frame to include a VLAN ID number. This is referred to as VLAN tagging. No number means a packet is untagged, i.e. it is part of the locally defined Layer 2 network for that physical port (called an access port). When a VLAN tag is inserted, the Ethernet switch must be configured to understand and use that VLAN tag. Not all Ethernet switches understand or honor VLAN tags; those that do support 802.1Q must be configured so they know what to do with it. Physical switch ports that understand 802.1Q are typically referred to as trunk ports they consist of a native VLAN (the untagged network) and one or more VLANs. Any packet that arrives with a VLAN tag is sent to any other physical ports that have that VLAN tag defined. The diagram below shows how VLAN tags work on a single switch and upstream to a second switch. are several other non-ip protocols that may be used, for the purposes of this document only IP is discussed 2013 Ruckus Wireless, Inc. Wired Networks for Wi-Fi v1.3 8

10 Figure 2 - VLAN Tagging Switch 1 (top) is configured with some ports (untagged) in the red VLAN and some in the blue VLAN. The gray ports are not configured for VLAN tagging. Note that the uplink port that connects it to Switch 2 is a trunk port that is configured for the red and blue VLANs. In this scenario, machine A can only communicate directly with machine C. The same is true for the devices on the blue VLAN B and D. If machine A needs to communicate with B or D the traffic must be routed. This can occur on these switches (if they are Layer 3) or via an external router that also has a trunk port configured with the red and blue VLANs. How a wired switch or router is configured to create these actions depends on the vendor but conceptually, they all follow the same behavior. In some cases, the same behavior can be achieved in multiple ways. *%23%);#,).C+)F98)P",+@) A Wi-Fi network works within the OSI model as follows: Layer 1 (physical) the physical medium for wireless networks (also called the PHY layer), consisting of the RF signal from a radio, the spectrum and modulation used to transmit raw symbols. Examples of Layer 1 include a, g, etc Ruckus Wireless, Inc. Wired Network Design v1.3 9

11 Layer 2 (data link) consists of the basic communications protocol to transmit frames, physical addressing, and access and flow control. For a WI-FI network this is defined in numerous IEEE specifications. Layer 2 assumes a single network in which all devices are reachable to each other. Because Wi-Fi is a shared medium (unlike most wired networks), collision detection and avoidance is extremely important. This is still the IP network layer for IP-based deployments Layer 3 (network) provides mechanisms to transport data (routing) from one network to another. Routers and Layer 3 Ethernet switches typically perform this. This function is unchanged from the wired model!"dd"#)*%23%)=+a@"bd+#.1) Once a client connects to an AP, the traffic is usually transported from the AP to a wired network. Which network it goes to will depend on the configuration of the AP. Some common scenarios are: 1. All traffic for the SSID is untagged and goes to the native VLAN on that port 2. All traffic for the SSID is tagged for a specific VLAN (static or dynamic) 3. Traffic is tunneled from the AP to the controller and then onto the wired network Correctly designing and configuring the wired network is critical for a successful Wi-Fi deployment. The rest this document examines each of these points in-depth and offer guidelines and suggestions for optimized wired design configuration with Ruckus wireless equipment. Where needed, specific configuration commands are documented for step-bystep configuration instructions Ruckus Wireless, Inc. Wired Network Design v1.3 10

12 Most Wi-Fi equipment acts as an adjunct to an existing wired network; i.e. the Wi-Fi essentially functions as an extension of the wired network rather than self-contained. When designing for a Wi-Fi deployment, the first question is overall network topology. It s important to understand how and where the wireless client traffic will enter the wired network. There are common solutions to this: Distributed data forwarding Client traffic enters the network at the AP switch port Centralized data forwarding Client traffic is tunneled to the ZoneDirector and enters the network from the ZoneDirector s switch port Both of these methods are supported by Ruckus Wireless equipment. Each option is configured on a per-ssid basis. The decision on which to use will depend on the local environment and usage requirements. A&B)%&P8)-0*A.).*X"%<.%0&/'* This model is the default configuration for Ruckus equipment. In this mode, the client traffic enters the wired network at the AP s switch port. The ZoneDirector is not part of the data path and is not necessary for any traffic forwarding Ruckus Wireless, Inc. Wired Networks for Wi-Fi v1.3 11

13 Figure 3 - Distributed Data Forwarding Topology E,G;#.;&+1) Distributed data forwarding offers the highest performance for a Wi-Fi network. The client traffic is immediately placed on the wired network at the AP switch port. There is no additional delay, latency or potential bottleneck to slow down throughput. =%1;,G;#.;&+1) A large Wi-Fi network could potentially have the same WLAN (SSID) broadcast on APs on different networks. If two APs both have the same SSID but put clients on different subnets, the client will need to release its first IP address and request a new one. This can take time and delay data transmission from that device. This is normally not a problem for data traffic but it can cause issues for VoIP Wi-Fi devices, which can drop calls if transmission latency is over 150ms. For more information on how APs use different subnets for the same SSID, please see Dynamic VLANs and VLAN Overrides. HIJKLQ)RSE-)5;&&%#&) In a distributed model, any network that is available on an AP s wired port is available for the WLAN clients connected to that AP. If the switch port is unmanaged or has a default VLAN assigned, all AP traffic should be sent as untagged traffic to that port Ruckus Wireless, Inc. Wired Network Design v1.3 12

14 If the wired switch is configured for VLAN tagging however, the AP may have several networks choices available: the untagged (default) VLAN on the port or it may include an 802.1Q tag on the client traffic and place it on a different VLAN. Client traffic can be tagged or untagged this refers to the network it will be placed into by the AP.!-/)%.@&Y-0Z?8//-@-0*A.).*X"%<.%0&/'* Client traffic can also be sent via an LWAPP tunnel from the AP to the ZoneDirector. In this mode, the traffic does not actually enter the network until it gets to, and flows through, the ZoneDirector. As the endpoint of the LWAPP tunnel from the AP, the ZoneDirector is in the data path and must be present for client traffic to get onto the network successfully. Figure 4 - Centralized Data Forwarding E,G;#.;&+1) Tunneling is recommended when Layer 3 roaming latency is a concern, e.g. VoIP Wi-Fi clients. By tunneling all client traffic to the ZoneDirector, the handsets can stay on the same VLAN regardless of which AP they use. This is only an issue for roaming devices if they same SSID is broadcast with different VLANs on some APs. If all APs put clients for the 2013 Ruckus Wireless, Inc. Wired Network Design v1.3 13

15 SSID on the same VLAN then tunneling is not required since there is no potential VLAN change. Tunneling is also useful when traffic must be broken out using the ZoneDirector is a terminator, e.g. hotels that want to only send encrypted POS traffic in a tunnel and all guest data distributed locally. =%1;,G;#.;&+1) Sending all traffic through the ZoneDirector does make it a point of failure. It also limits the maximum throughput; the amount of data that can go through a single ZoneDirector with one Gigabit Ethernet port is far smaller than 10 APs all sending data locally (distributed) on their own Gigabit Ethernet ports. If throughput performance is a requirement, centralized data forwarding is not a good choice. The following table shows some estimates on tunneling throughput based on the ZoneDirector model. These are estimates only and may differ depending specific packet size and characteristics. ZoneDirector Model Unecrypted Throughput Encrypted Throughput ZD Mbps 63 Mbps ZD Mbps 1208 Mbps ZD Mbps 1949 Mbps *Numbers are based on the sum bi-directional throughput with 1518 byte packets and dual ports. HIJKLQ)RSE-)5;&&%#&) In a centralized model, any network that is available on a ZoneDirector s wired port can be available for the WLAN clients. If the switch port is unmanaged or has a default VLAN assigned, all traffic should be sent as untagged traffic to that port. If VLAN tagging is used, the ZoneDirector s switch port must be configured as a trunk port NOT the AP. The AP will tag the traffic for the correct VLAN but that is not used until the traffic is outside the LWAPP tunnel. If the wired switch is configured for VLAN tagging however, several networks choices may be available: the untagged (default) VLAN on the port or it may include an 802.1Q tag on the client traffic and place it on a different VLAN Ruckus Wireless, Inc. Wired Network Design v1.3 14

16 Client traffic can be tagged or untagged this refers to the network it will be placed into by the AP Ruckus Wireless, Inc. Wired Network Design v1.3 15

17 There are many ways to place Ruckus ZoneDirectors and APs into a wired network topology. One or more of the following concerns can drive where these devices are installed: Physical security Redundancy Performance/efficiency 1($B&,.@*F-,8%&)$* E<<+11)7"%#.1) In general, an AP is always physically located in the coverage area and homed out of a switch closet. It is possible to home run the AP to the data center, but is typically not required. Locking the switch closet is generally enough to secure the AP wired connection. This is especially true if the AP is hidden and not easily reachable (above the ceiling, etc.). In some cases however, an AP may be visible and possibly easily reachable. A Kensington lock is advised to prevent theft. T"#+=%(+<."() A ZoneDirector is typically located in the data center or network core. These areas are usually tightly controlled and not subject to tampering. T-08/0./,$* E<<+11)7"%#.1) All Ruckus APs have at least one port and, in some cases, more than one. Any of these may be used for network connectivity. However, only one Power Over Ethernet (POE) port is available. In the case of APs, the simplest redundancy plan is to ensure a client is always within reasonable performance range of at least two APs at any time. T"#+=%(+<."() As the central point for management, monitoring and control, the ZoneDirector should be installed to minimize service interruptions. At the least, this should include uninterruptable power. It may also require redundant uplinks to the core network. The ZoneDirector also supports a couple variants on redundancy options: 2013 Ruckus Wireless, Inc. Wired Networks for Wi-Fi v1.3 16

18 Active-Active two ZoneDirectors are active at the same time and each supports approximately half of the APs Primary-Secondary each AP is given a primary ZoneDirector (preferred) and a secondary to contact if the primary is unreachable Smart Redundancy N+1 active-standby redundancy Pros and Cons of Redundancy Strategies Method Advantage Disadvantage Active-Active Primary-Secondary Smart Redundancy Simplest configuration, self-balances across all APs (no configuration necessary) -Simple to configure -L2 or L3 support -True N+1 redundancy -Automatic synchronization of configuration, databases -Transparent to APs -L2 or L3 support -No automatic configuration updates between controllers (manual) -APs see a different controller at failover -L2 only -No automatic configuration synchronization between controllers -Network disruption could cause some APs to connect to primary and some on secondary at the same time -APs see a different controller at failover -If both controllers are unavailable, APs will not try to connect to a third controller -More complex configuration -Network isolation could cause AP split across controllers (fixed when network converges) In each case, redundant controllers must be the same model and software version. They must also be licensed for the same number of APs. Full coverage of all redundancy options is beyond the scope of this document. For more information on how to configure redundancy, please refer to the ZoneDirector User Guide. 1-%3"%4./,-* E<<+11)7"%#.1) The distributed data-forwarding model is the highest performing deployment for a Ruckus AP. All user traffic enters the network at the AP s wired port. This prevents potential bottlenecks and single points of failure at the core (ZoneDirector). This is the recommended deployment for most installations. T"#+=%(+<."() In cases where centralized traffic forwarding is required, the amount of traffic should be matched with the capacity of the ZoneDirector. Each controller model offers a different amount of throughput capacity based on processing speed, etc. Performance is also 2013 Ruckus Wireless, Inc. Wired Network Design v1.3 17

19 affected by packet size. The table below offers some guidelines on throughput capacity based on 1400 byte packets. ZoneDirector Model Unencrypted Tunnel Performance Encrypted Tunnel Performance ZD1100 ~300 Mbps ~62 Mbps ZD3000 ~900 Mbps ~580 Mbps ZD5000 ~957 Mbps ~297 Mbps ["/-A&%-,)"%*A&B,";-%$* The ZoneDirector s location can affect how APs discover and join the ZoneDirector. In particular, a Layer 3 deployment will require some additional configuration to ensure the APs can find the ZoneDirector. There are several options available: DHCP Option 43 DNS entry for zonedirector.<domain> Static configuration via the AP shell Pre-deployment configuration via Layer 2 to the ZoneDirector 2013 Ruckus Wireless, Inc. Wired Network Design v1.3 18

20 -+./"(0)9+<'(%.B) Physical security is usually not sufficient to ensure the wireless network is tamper-proof. Securing the Wi-Fi devices should include: Network port access Firewalls Management access +-)<"%>*1"%)*7,,-BB* E<<+11)7"%#.1) A Kensington lock on an AP may be not sufficient if the AP or its switch port connection is physically accessible. This type of vulnerability can potentially allow users to unplug the AP and use its cable for their own equipment or (if the AP has multiple Ethernet ports) plug their device into a second port on the AP itself X Authentication In the case of a physically accessible wired port, the most secure solution is 802.1X wired security on the port. This assumes the following is true: 1. The AP uplink port is configured as an 802.1X supplicant 2. The AP uplink is configured as a trunk port 3. The wired switch port must be configured as a trunk port and as an 802.1X authenticator 4. The AP is configured for either MAC based authentication or with a user name and password 5. The wired port s 802.1X configuration does not allow a 3 rd party (i.e. anything other than the AP) to successfully authenticate via 802.1X. The following steps configure a ZoneDirector-managed AP or group of APs for 802.1X security: 1. Log onto the ZoneDirector and go to Configure->Access Points 2. Click Edit next to the AP or AP Group to be configured 3. Under Port Setting, choose Supplicant from the drop-down box for the uplink port 4. Make sure the Type is set to Trunk Port 5. Select the authentication credentials under Supplicant: MAC authentication or a user name and password 2013 Ruckus Wireless, Inc. Wired Networks for Wi-Fi v1.3 19

21 6. Click OK to save the changes NOTE: If 802.1X is not already configured correctly on the wired switch port, the AP will lose contact with the ZoneDirector. MAC Authentication (Wired Switch) If the wired switch supports it, the AP port may also be locked down to the specific AP s MAC address. This is not as secure as 802.1X any device that can spoof the AP s MAC can use the port. Untagged Traffic Another possibility is to deny network access to all untagged traffic for example, the untagged traffic might go to a non-routed subnet that has no connectivity, DHCP, DNS, etc. Since user devices would typically only transmit untagged traffic this would prevent them from gaining any useful network access. Using this solution however would require all other traffic (WLAN traffic and AP management traffic) use 802.1Q tags. In the case of additional Ethernet ports on the AP, if they are not used, the best practice is to disable them. The following steps configure a ZoneDirector-managed AP or group of APs for 802.1X security: 1. Log onto the ZoneDirector and go to Configure->Access Points 2. Click Edit next to the AP or AP Group to be configured 3. Under Port Setting, choose each the unused port 4. Make sure the Enable checkbox is unselected 5. Click OK to save the changes 2013 Ruckus Wireless, Inc. Wired Network Design v1.3 20

22 T"#+=%(+<."() A ZoneDirector is typically not physically accessible outside a locked data center. But management access should be locked down as well. There are several ways to do this: Configure ZoneDirector to deny management Web UI access to all but an exception list of allowed management devices or subnets (wired and wireless network devices) Place the ZoneDirector on an isolated management VLAN. For more information on management VLANs, please see section Management VLANs. Configure wired security (firewalls) to deny all traffic except permitted devices (see the next section) Block Management Access from the ZoneDirector The following steps configure a ZoneDirector to refuse management access to all but a specific list of devices or subnets: 1. Log onto the ZoneDirector and go to Configure->System 2. Click the Create New link under the Management Access Control section 3. Configure the allowed devices (single device, range or entire subnet) 4. Click OK to save the changes 2013 Ruckus Wireless, Inc. Wired Network Design v1.3 21

23 The following ports should be configured on any firewall policies as per the usage indicated below: T"#+=%(+<."();#,)P;#;&+,)E71) Port Number Protocol Usage 80, 443, 22 TCP/UDP Management access to ZoneDirector (HTTP/HTTPS, SSH) 1222, 1223 UDP LWAPP management/tunnel between AP and ZoneDirector 20, 21 TCP ZoneDirector to AP firmware upgrade 443, TCP Smart Redundancy (ZoneDirectors) UDP SpeedFlex 9997/9998 TCP WISPr access Port Number Protocol Usage 80, 443, 22 TCP Management access to AP (HTTP/HTTPS, SSH) 3990, 3992 TCP WISPr access Port Number Protocol Usage 443 TCP Web UI management access to FlexMaster 80 TCP FlexMaster to AP firmware upgrade 80, 443 TCP First time connection/registration of standalone AP to FlexMaster 2013 Ruckus Wireless, Inc. Wired Network Design v1.3 22

24 80, 443 TCP FlexMaster to AP template/auto configuration 443 TCP ZoneDirector to FlexMaster registration/informs 443 TCP FlexMaster to ZoneDirector firmware upgrades TCP ZoneDirector template feature (FlexMaster) 8082 TCP FlexMaster to AP wake up UDP SpeedFlex If the ZoneDirector is used to provide captive portal authentication (internal or guest access), the ZoneDirector must be accessible via HTTP/HTTPS by user devices. If the ZoneDirector or AP is used to provide WISPr or Open Secure Hotspot, the external captive portal must have access to the ZoneDirector (refer to the table above for specific ports). N./.'-4-/)*7,,-BB* E<<+11)7"%#.1) APs managed by a ZoneDirector, should be restricted to only allow HTTP/S, SSH and telnet traffic to a secure management network. The devices should not be accessible to connected users. Both standalone and managed APs support the use of a management VLAN to further restrict access. For more information, please see section Management VLANs. T"#+=%(+<."() The controller should also be restricted to only be accessible by approved devices and networks. For more information, please see section Management VLANs Ruckus Wireless, Inc. Wired Network Design v1.3 23

25 !"#$%&'(%#&)U#.;&&+,)*SE-1) Once a client connects to an AP, the traffic is usually transported from the AP to a wired network. Which network it goes to will depend on the configuration of the AP. The simplest configuration is to instruct the AP to pass all client data as untagged to the wired network. +")-*"/*MJ7+*C* Ruckus equipment will always assume traffic should be untagged if VLAN 1 is specified. VLAN 1 traffic is never tagged. ER.4#@-* The following is an example of a Wi-Fi design with untagged client traffic on the employee network (VLAN 1). The example uses three networks: Name Network Usage VLAN Employee VLAN BYOD VLAN Guest The Ethernet switch is marked to show the default (untagged) VLAN for each port Ruckus Wireless, Inc. Wired Networks for Wi-Fi v1.3 24

26 Figure 5 - Untagged WLAN Traffic To place employee Wi-Fi clients on VLAN the AP must be configured to not tag client traffic for that SSID. NOTE: Although the ZoneDirector is shown also connected to VLAN 1 (untagged) this is not required. The ZoneDirector can be on any network provided it can communicate with the AP. I&%-0*!"/3&'8%.)&"/* The AP s port on the Ethernet switch in this example must be configured such that VLAN 1 is available and untagged (access port). For examples of how to configure this on popular wired switches, please see the various appendixes at the end of this document. ["/-A&%-,)"%*!"/3&'8%.)&"/* Here are the steps to configure an SSID with untagged traffic on the ZoneDirector. 1. Log onto the ZoneDirector Web UI 2. Go to Configure->WLANs 3. Click Create New in the WLANs section 2013 Ruckus Wireless, Inc. Wired Network Design v1.3 25

27 4. Enter the required information for the new SSID 5. Click the Advanced Options link at the bottom of the window 6. Make sure the VLAN ID under ACCESS VLAN is set to 1 (untagged) 7. Click OK to save the changes 2013 Ruckus Wireless, Inc. Wired Network Design v1.3 26

28 !"#$%&'(%#&)5;&&+,)*SE-1) Once a client connects to an AP, the traffic is usually transported from the AP to a wired network. Which network it goes to will depend on the configuration of the AP. An AP can add an 802.1Q VLAN tag if the device should be on a network other than the default. When a WLAN is configured with a specific VLAN tag, the client traffic is modified to include the VLAN tag in the frame. This means the Ethernet switch will keep the tag and use it to place the traffic on the correct network. If the Ethernet switch is not configured as a trunk port or it does not have the correct VLAN assigned it will ignore (drop) the client packets. +")-*"/*MJ7+*C* Ruckus equipment will always assume traffic should be untagged if VLAN 1 is specified. VLAN 1 traffic is never tagged. ER.4#@-* The following is an example of a Wi-Fi design with tagged client traffic on the guest network (VLAN 200). The example uses three networks: Name Network Usage VLAN Employee VLAN BYOD VLAN Guest The Ethernet switch is marked to show the default (untagged) VLAN for each port. Each port is also configured as a tagged/trunk port for other VLANs Ruckus Wireless, Inc. Wired Networks for Wi-Fi v1.3 27

29 Figure 6 - Tagged WLAN Traffic To place guest Wi-Fi clients on VLAN the AP must be configured to tag client traffic for the Guest SSID. If the guest SSID is not tagged, these devices will be placed on the employee network (VLAN 1). NOTE: Although the ZoneDirector is shown also connected to VLAN 1 (untagged) this is not required. The ZoneDirector can be on any network provided it can communicate with the AP. I&%-0*!"/3&'8%.)&"/* The AP s port on the Ethernet switch in this example must be configured such that VLAN 200 is available and tagged. For examples of how to configure this on popular wired switches, please see the various appendixes at the end of this document. ["/-A&%-,)"%*!"/3&'8%.)&"/* Here are the steps to configure a guest SSID with tagged traffic on the ZoneDirector. 1. Log onto the ZoneDirector Web UI 2. Go to Configure->WLANs 2013 Ruckus Wireless, Inc. Wired Network Design v1.3 28

30 3. Click Create New in the WLANs section 4. Enter the required information for the new SSID 5. Click the Advanced Options link at the bottom of the window 6. Make sure the VLAN ID under ACCESS VLAN is set to 200 (tagged) 7. Click OK to save the changes A$/.4&,*MJ7+B** If RADIUS authentication is used for clients, dynamic VLANs may also be used. The RADIUS server sends a specific VLAN assignment for that user as part of the Access-Accept message. The VLAN assignment could be different for other clients even though they are on the same SSID. In this case, the AP will make each client s traffic with the correct VLAN tag Ruckus Wireless, Inc. Wired Network Design v1.3 29

31 I&%-0*!"/3&'8%.)&"/* Dynamic VLANs are configured similarly to tagged traffic on a port. A wired switch port must be configured to allow all VLANs that might be assigned. ["/-A&%-,)"%*!"/3&'8%.)&"/* Here are the steps to configure a dynamic VLAN SSID with tagged traffic on the ZoneDirector. 1. Log onto the ZoneDirector Web UI 2. Go to Configure->WLANs 3. Click Create New in the WLANs section 4. Enter the required information for the new SSID note that Dynamic VLANs are only available for WLANS that use RADIUS authentication (MAC authentication or 802.1X) 5. Click the Advanced Options link at the bottom of the window 6. Make sure the VLAN ID under ACCESS VLAN is set to the default VLAN for the SSID it can be tagged or untagged (VLAN 1) 7. Check the Enable Dynamic VLAN box 8. Click OK to save the changes Note that a default VLAN must be specified for this SSID regardless of whether Dynamic VLANs are used or not. A default must always be specified in case the RADIUS server does not return a specific VLAN. RADIUS-assigned VLANs always override the default Ruckus Wireless, Inc. Wired Network Design v1.3 30

32 Once a client connects to an AP, the traffic is usually transported from the AP to a wired network. Which network it goes to will depend on the configuration of the AP. Normally a Wi-Fi client s traffic enters the wired network at the AP s switch port. But sometimes it is preferable to tunnel the traffic to the ZoneDirector s switch port instead. Traffic tunneling is usually used to allow more seamless roaming in certain conditions. For example, a Wi-Fi VoIP handset might roam from one AP to another. This is fine if both APs place it on the same subnet but if the second AP is configured to put the handset on a different network it must drop its IP address and acquire a new one. The time to do this will drop any active voice connections. To solve this, the handset s voice traffic is tunneled from the AP to the ZoneDirector. This means any handset, regardless of the AP it is connected to, will be assigned a network, address, etc. from the ZoneDirector s switch port instead of the AP. Handsets can then roam to any AP and never need to drop their connection to acquire a new address. Because the traffic is tunneled back to the ZoneDirector, the AP does not need to be connected to a trunk port or have the voice subnet available, it only needs to be able to reach the ZoneDirector. The ZoneDirector controller is the device that must be connected to a wired switch port with the voice VLAN not the AP. +")-*"/*MJ7+*C* Ruckus equipment will always assume traffic should be untagged if VLAN 1 is specified. VLAN 1 traffic is never tagged. ER.4#@-* The following is an example of a Wi-Fi design with tagged VoIP traffic on the voice network (VLAN 110). The example uses three networks: Name Network Usage VLAN Employee VLAN BYOD VLAN Voice 2013 Ruckus Wireless, Inc. Wired Networks for Wi-Fi v1.3 31

33 The Ethernet switch is marked to show the default (untagged) VLAN for each port. Each port is also configured as a tagged/trunk port for other VLANs. Figure 7 - Tunneled WLAN Traffic Voice clients must be placed on VLAN 222, but in this example the VLAN is not configured for the AP switch port. Instead, it will be tunneled via LWAPP over VLAN 1 to the ZoneDirector. The ZoneDirector is connected to a switch port that does have VLAN 222 available. I&%-0*!"/3&'8%.)&"/* The ZoneDirector s port on the Ethernet switch in this example must be configured such that VLAN 222 is available and tagged. For examples of how to configure this on popular wired switches, please see the various appendixes at the end of this document. ["/-A&%-,)"%*!"/3&'8%.)&"/* Here are the steps to configure a voice SSID with tunneled traffic on the ZoneDirector Ruckus Wireless, Inc. Wired Network Design v1.3 32

34 1. Log onto the ZoneDirector Web UI 2. Go to Configure->WLANs 3. Click Create New in the WLANs section 4. Enter the required information for the new SSID 5. Click the Advanced Options link at the bottom of the window 6. Make sure the VLAN ID under ACCESS VLAN is set to 222 (tagged) 7. Click the checkbox next to Tunnel Mode 8. Click OK to save the changes This configuration will cause the AP to tag all client traffic on the voice SSID with VLAN 222 and tunnel it to the ZoneDirector. The client traffic will enter the network at the ZoneDirector s switch port Ruckus Wireless, Inc. Wired Network Design v1.3 33

35 RSE-)FG+((%,+1) Sometimes the default VLAN configuration for an SSID has to be changed for a subset of APs/locations. This commonly happens in very large deployments where many smaller subnets are used instead of one very large broadcast domain. It might also be used if the same SSID is configured on APs in different geographical locations, i.e. different campuses, offices, etc. Figure 8 - VLAN Overrides WLAN Groups offer a way to change the VLAN assignment for an SSID broadcast by a group of APs. ["/-A&%-,)"%*!"/3&'8%.)&"/* Here are the steps to configure a WLAN group with VLAN override on the ZoneDirector. 1. Log onto the ZoneDirector Web UI 2. Go to Configure->WLANs 3. Click Create New in the WLAN Groups section 4. Select the WLANs an AP member of this group will broadcast 2013 Ruckus Wireless, Inc. Wired Networks for Wi-Fi v1.3 34

36 5. To the right of each WLAN, set VLAN override if the VLAN tag has changed (VLAN 1 = untagged) 6. Click Apply to save the changes 7. Assign this WLAN Group to each AP that will use this VLAN override 2013 Ruckus Wireless, Inc. Wired Network Design v1.3 35

37 P;#;&+D+#.)RSE-1) A management VLAN is dedicated to monitoring and managing network equipment. It is also the subnet over which management control plane traffic is sent software upgrades, heartbeats, signaling, etc. This type of network is typically isolated and firewalled from the rest of the organization. Both Ruckus APs and ZoneDirectors can be configured to use a specific VLAN for management traffic. By default, they use the untagged network. Although both typically use the same management VLAN, a ZoneDirector and an AP can be configured to use different management VLANs as well. For this to work, the two management networks must be reachable with each other. Alternatively, just one device can be configured to tag management traffic. The other device must either be on a network that can reach the management subnet or connected to a port that is a member of that management VLAN by default (untagged). +")-*"/*MJ7+*C* Ruckus equipment will always assume traffic should be untagged if VLAN 1 is specified. VLAN 1 traffic is never tagged. I("*F("8@0*HB-*N./.'-4-/)*MJ7+B* Use of the untagged VLAN is recommended for most deployments. This is due to its simplicity and ease of recovery in case of misconfigured switch ports, APs or ZoneDirectors. If management a VLAN is required, please review the instructions below carefully. ER.4#@-* The following is an example of a Wi-Fi design in which APs and ZoneDirectors send management traffic on VLAN 33: Name Network Usage VLAN Employee VLAN Management VLAN BYOD 2013 Ruckus Wireless, Inc. Wired Networks for Wi-Fi v1.3 36

38 The Ethernet switch is marked to show the default (untagged) VLAN for each port. Each port is also configured as a tagged/trunk port for other VLANs. Figure 9 - Management VLAN Traffic I&%-0*!"/3&'8%.)&"/* The ZoneDirector s port on the Ethernet switch in this example must be configured such that VLAN 33 is available and tagged. For examples of how to configure this on popular wired switches, please see the various appendixes at the end of this document. ["/-A&%-,)"%*!"/3&'8%.)&"/* Here are the steps to configure a management VLAN on the ZoneDirector. 1. Log onto the ZoneDirector Web UI 2. Go to Configure->System 3. Go the Device IP Settings area 4. Set ACCESS VLAN to Ruckus Wireless, Inc. Wired Network Design v1.3 37

39 5. Click Apply to save the changes This configuration will cause the ZoneDirector to immediately begin tagging all management traffic to VLAN 33. NOTE: You will likely be disconnected from the ZoneDirector after applying this change. This is because the ZoneDirector s switch port does not have VLAN tagging enabled for VLAN 33. To regain access to the ZoneDirector, reconfigure its switch port. 71*!"/3&'8%.)&"/* The management VLAN for an AP is configured on a global basis. Only one management VLAN can be configured for all APs. This VLAN can be different from the ZoneDirector s, but all APs must use the same management VLAN. Here are the steps to configure a management VLAN on the Ruckus AP Ruckus Wireless, Inc. Wired Network Design v1.3 38

40 1. Log onto the ZoneDirector Web UI 2. Go to Configure->Access Points 3. Go the Access Point Policies area 4. Next to Management LAN, click the radio button and enter the VLAN number (33) 5. Click Apply to save the changes This configuration will cause all APs to immediately begin tagging all management traffic to VLAN 33. NOTE: You will likely see the APs disconnect from the ZoneDirector after applying this change. This is because the AP s switch port does not have VLAN tagging enabled for VLAN 33. To all the APs to gain access to the ZoneDirector, reconfigure each AP switch port. T-,"44-/0.)&"/B* Assigning management VLANs is a disruptive process and will typically cause some outage time. How much time depends on how smoothly the transition occurs. The following are some hints and tips to make this easier: 9/%.<C)7"(.)!"#$%&'(;.%"#) When moving from untagged to tagged management, it s a good idea to make sure every switch port needed is configured as a trunk port with the management VLAN tagged. Doing this ahead of time reduces disruption since the port still works for untagged traffic but will instantly support the device when it starts tagging its traffic. Make a list of all ports that must be reconfigured before starting this should include all devices ZoneDirectors and APs that are being configured to use a tagged management VLAN Ruckus Wireless, Inc. Wired Network Design v1.3 39

41 E71)!;#)=%1<"G+().C+)T"#+=%(+<."() Make sure there is a way for them to discover the controller after they move to the management VLAN. If the ZoneDirector s IP address has not changed, there is nothing to do the APs remember the last address used. If the IP address of the ZoneDirector changes during this process, the APs must have a way to find the controller again. There are several methods an AP can use; one of these must work on the new management VLAN: 1. Layer 2 broadcast discovery the AP and the ZoneDirector are on the same logical subnet (after both have been moved) 2. DHCP Option 43 the DHCP server for the management VLAN (if using one) is configured to give the ZoneDirector s IP address to the APs 3. DNS lookup the DNS server is configured to give the controller s IP address when queried for zonedirector.<local domain> 4. Static assignment if the controller s IP address is changing, the new address could be pre-loaded onto the AP s by making it the secondary controller. Thus, when the AP s move and can t find the primary address, they will try the second E71)3%(1.) If changing both APs and ZoneDirectors, always change the management VLAN on the APs first. Doing the ZoneDirector first will prevent the AP s from connecting at which point there will be no way to configure the APs with the new management VLAN since they can t connect Ruckus Wireless, Inc. Wired Network Design v1.3 40

42 Quality of Service (QoS) refers to the capability of a wired or wireless network to provide differentiated priority services to selected network traffic over various network technologies. Delay or latency sensitive traffic such as video or voice sent from the wireless network to the wired network should always have the correct QoS maintained. Without QoS, an AP will not differentiate between the various traffic types (voice, video, data) on the network. All traffic is treated as equal, and thus the WLAN typically works in a firstcome first-served fashion. Ruckus SmartCast QoS technology helps avoid this behavior by combining multicast traffic handling techniques, QoS and application-aware traffic classification capabilities to ensure the highest quality video transmissions over Wi-Fi. WMM and QoS are enabled by default on all Ruckus products. QoS and priority can also be configured on an administrative basis as well. Supported options include: Heuristics - Ruckus equipment automatically detects the traffic type and assigns a QoS ToS (Type of Service) Classification honor ToS bits set on the traffic ToS Marking allows the device to set the ToS of unmarked traffic Directed Multicast/Broadcast convert multi-media packets into unicast for each client IGMP Snooping Mode selectively forward multicast frames to those devices subscribing to the multicast stream Well-Known Multicast Forwarding for well-known protocols: UPnP, Bonjour and Link-Local Multicast Name Resolution (LLMNR) Per-SSID policy assigns a high or low priority over other SSIDs Per-VLAN policy assigns a specific QoS for a VLAN Unknown Multicast Drop multicast traffic that is not recognized INN\*?"F*./0*AF!1*F8##"%)* WMM is a Wi-Fi Alliance certification of support for a set of features from an e draft. This certification is for both clients and APs, and certifies the operation of WMM. The Wi-Fi Multimedia (WMM) specification lays out a method for Wi-Fi networks to also prioritize traffic according to four common classes of service, each known as an access category (AC). AC_VO - highest-priority voice traffic AC_VI - medium-priority video traffic AC_BE - standard-priority data traffic, also known as "best effort" AC_BK - background traffic, that may be dropped- when the network is congested 2013 Ruckus Wireless, Inc. Wired Networks for Wi-Fi v1.3 41

43 The access category for each packet is specified using either 802.1p tagging (when available and supported by the access point) or by the use of Diffserv Code Points (DSCP). DSCP tags are carried in the IP header of each packet and most often used on wired networks due to simplicity and Layer 2 capability. In other words, the DSCP tags survive crossing through every piece of network equipment that is not aware of DSCP tags, whereas 802.1p requires 802.1p-aware links (802.1Q) throughout the network, all carried over 802.1Q VLAN links. The 802.1p value is a field in the VLAN header that indicates the priority of the tagged packet p classification is similar to ToS classification. However, while ToS values apply to any IP packet, 802.1p values only apply to traffic on a specified VLAN p values range from 0 to 7 (0 is lowest and 7 is highest). NOTE: Note that if 802.1p classification and ToS classification are both enabled, 802.1p classification takes precedence. Therefore, if you want to use ToS classification, 802.1p classification should be disabled. There are eight DSCP tags, which map to the four access categories. The application that generates the traffic is responsible for filling in the DSCP tag. The standard mapping is as follows: Table 1 - DSCP and ToS to AC Mapping Traffic Type Priority ToS Value DSCP Value AC/802.11e Voice 7 0xE0 (224) 0x38 (56) AC_VO Voice 6 0xC0 (192) 0x30 (48) AC_VO Video 5 0xA0 (160) 0x28 (40) AC_VI Video 4 0x80 (128) 0x20 (32) AC_VI Best Effort 3 0x60 (96) 0x18 (24) AC_BE Background 2 0x40 (64) 0x10 (16) AC_BK Background 1 0x20 (32) 0x08 (8) AC_BK Best Effort 0 0x00 (0) 0x00 (0) AC_BE 2013 Ruckus Wireless, Inc. Wired Network Design v1.3 42

44 Although ToS and DSCP support up to 8 distinct categories, WMM only mandates four queues for traffic: voice, video, best effort and background. F.C+()!@;11%$%<;.%"#)R;@'+1) Ruckus products set the following default classifications by traffic type: Type Voice Video Data Background ToS Marking 0x0 0xA0 0x0 0x0 Tunneled ToS Marking 802.1p Classification Heuristic Classifier 0xA0 None None None None Voice Video Data Background ) The current QoS values in use on a ZoneDirector can be seen via the following CLI command: ruckus(config)# services ruckus(config-sys)# qos ruckus(config-sys-qos)# show System QoS: ToS DATA TUNNEL = 0xA0 ToS CTRL TUNNEL = 0xA0 ToS Classification-Voice = 0xE0 0xC0 0xB8 ToS Classification-Video = 0xA0 0x80 ToS Classification-Data = 0x0 ToS Classification-Background = 0x0 Tx fail threshold = 50 heuristics inter-packet-gap Video = 0 65 heuristics inter-packet-gap Voice = heuristics packet-length Video = heuristics packet-length Voice = heuristics classification Video = heuristics classification Voice = 600 heuristics no classification Video = heuristics no classification Voice = The current QoS values for a standalone AP are gathered as follows: rkscli: get qos Tx Failure Threshold: 50 Dead Station Count: 0 Directed DHCP: Enabled Directed ICMPv6 RA: Enabled 2013 Ruckus Wireless, Inc. Wired Network Design v1.3 43

45 IGMP General Query V2/V3: Disabled/Disabled MLD General Query V1/V2: Disabled/Disabled TOS Classification: Voice=0xE0,0xC0,0xB8, Video=0xA0,0x80, Data=0x0, Background=0x0 TOS marking: VoIP=0x0, Video=0xA0, Data=0x0, Background=0x0 Dot1p Classification: Voice=none, Video=none, Data=none, Background=none Dot1p marking: VoIP=0, Video=0, Data=0, Background=0 Tunnel TOS Marking: Data=0xA0 (static TOS), Ctrl=0xA0 Heuristic Classifier: VoIP Video Data Background Octet Count During Classify: Octet Count Between Classify: Min/Max Avg Packet Length: 70/ /1518 0/0 0/0 Min/Max Avg Inter Packet Gap: 15/275 0/65 0/0 0/0 P",%$B%#&)5(;$$%<)!@;11%$%<;.%"#)) Changing these values can impact existing application behavior. In general, this should not be modified from the default settings. For more information, please contact the Ruckus Technical Assistance Center. N8@)&,.B)*./0*V%".0,.B)*?%.33&,* Ruckus converts broadcast/multicast traffic to unicast by default. This is known as directed broadcast/multicast. The default setting converts traffic until there are 5 or more devices receiving the traffic. After this, conversion to unicast stops. This is done on the principle that having more devices reduces the utility of the unicast conversion. The directed threshold of clients or even the conversion itself can be modified or disabled/enabled completely. T"#+=%(+<."()=%(+<.+,)5(;$$%<)!"DD;#,1) All QoS settings are configured from the command line interface (CLI) only. Directed Multicast To disable/enable directed multicast for a WLAN: ruckus(config)# wlan test-ssid ruckus(config-wlan)# no qos directed-multicast The command was executed successfully. To save the changes, type 'end' or 'exit'. ruckus(config-wlan)# qos directed-multicast The command was executed successfully. To save the changes, type 'end' or 'exit' 2013 Ruckus Wireless, Inc. Wired Network Design v1.3 44

46 IGMP Snooping To disable/enable IGMP snooping for a WLAN: ruckus(config)# wlan test-ssid ruckus(config-wlan)# qos igmp-snooping ruckus(config-wlan)# no qos igmp-snooping MLD Snooping To disable/enable MLD snooping for a WLAN: ruckus(config)# wlan test-ssid ruckus(config-wlan)# no qos mld-snooping ruckus(config-wlan)# qos mld-snooping Directed Threshold To configure the maximum number of clients before unicast conversion stops for a WLAN: ruckus(config)# wlan test-ssid ruckus(config-wlan)# qos directed-threshold 10 E7)=%(+<.+,)5(;$$%<)!"DD;#,1) All QoS settings are configured from the command line interface (CLI) only. Directed Multicast To disable/enable directed multicast for a WLAN: rkscli: set qos wlan0 directed multicast disabled Directed Multicast ingress packet processing is Disabled on interface wlan0 rkscli: set qos wlan0 directed multicast enabled Directed Multicast ingress packet processing is Enabled on interface wlan0d IGMP Snooping To disable/enable IGMP snooping for a WLAN: rkscli: set qos wlan0 igmp disable IGMP Snooping is Disabled on interface wlan0 OK rkscli: set qos wlan0 igmp enable IGMP Snooping is Enabled on interface wlan0 MLD Snooping To disable/enable MLD snooping for a WLAN: rkscli: set qos wlan0 mld disable MLD Snooping is Disabled on interface wlan0 rkscli: set qos wlan0 mld enable 2013 Ruckus Wireless, Inc. Wired Network Design v1.3 45

47 MLD Snooping is Enabled on interface wlan0 Directed Threshold To configure the max rkscli: set directedthreshold wlan0 0 rkscli: set directedthreshold wlan0 0 OK rkscli: set directedthreshold wlan0 5!"/3&'8%&/'*#-%]FF2A*1%&"%&)$* When an AP has traffic of the same from multiple WLANs, it uses a round robin method to determine which WLAN s traffic is sent. This ensures all SSIDs get some airtime. If one of the WLANs has a higher priority traffic, this is always sent first. However, in the case of multiple WLANs with traffic of the same (high) priority, the AP will again treat these WLANs in a round-robin fashion. There are times when one WLAN s traffic should be prioritized over another. For example, two SSIDs exist one is for voice devices and one is for guests. If high priority (voice) traffic is sent from both SSIDs, most organizations would prefer the internal voice SSID have preference over a guest network voice traffic. In this case, the internal SSID can be given a high priority and the guest network set to low. Note, that there are only two settings an SSID may have high or low. In the case of multiple SSIDs with high priority, it will again be round robin for higher priority traffic. Note: This feature is available on the ZoneDirector only. T"#+=%(+<."(2?;1+,)998=)7(%"(%.%V;.%"#) To configure SSID priority on a ZoneDirector via Web UI: 1. Log onto the ZoneDirector Web UI 2. Go to Configure->WLANs 3. Click Edit next to the WLAN to be configured 4. Select the priority in the Priority section (high or low) 2013 Ruckus Wireless, Inc. Wired Network Design v1.3 46

48 5. Click Apply to save the changes To configure SSID priority on a ZoneDirector (CLI): ruckus(config)# wlan voice ruckus(config-wlan)# priority high 2013 Ruckus Wireless, Inc. Wired Network Design v1.3 47

49 Integrated Wi-Fi into a wired network can be a simple as deployed on an untagged, L2 network or more complex with multiple tagged VLANs, redundancy, QoS and management VLANs. This section offers some common issues and resolutions. 71*!.//")*!"//-,)*)"*["/-A&%-,)"%* =%1<"G+(B) One of the most basic issues is an AP that is unable to discover and connect to a ZoneDirector. This is typically because none of the supported discovery processes are in place. These include: ZoneDirector is not on the same Layer 2 network as the AP AP is on a different network and no Layer 3 discovery mechanism is setup (DHCP Option 43, DNS, static configuration of the AP with the ZoneDirector s IP address) Resolution To solve these problems, select the discovery process you are using (above) and verify it is working correctly. This can involve checking if the AP has a valid IP address, can reach (ping the ZoneDirector), there is a proper DHCP or DNS entry, etc. RSE-1);#,)!"##+<.%G%.B) AP does not have a valid address (no DHCP or misconfigured static IP address) AP or ZoneDirector are on a management VLAN that has no connectivity, DHCP, or is on an untagged port or a trunk port that does not allow that VLAN Resolution In the case of a misconfigured AP, if it is on the same Layer 2 network as the ZoneDirector it may still be able to discover the ZoneDirector (Layer 2 broadcast) but is unable to connect due to an invalid IP address. A management VLAN problem is more easily checked on the wired switch, as this is the most frequent root cause. In the cast of some switches, the port may need to be explicitly set to 802.1Q tagging. P",+@)9'AA"(.) An AP model may be installed that is not supported by the ZoneDirector firmware. This issue is typically due to an older version of software on the ZoneDirector Ruckus Wireless, Inc. Wired Networks for Wi-Fi v1.3 48

50 Resolution To correct the problem, upgrade the ZoneDirector software. This can be verified in the ZoneDirector event log: Monitor->Access Points. If the AP is an unsupported model this will also generate an event log message. Another basic issue is a firewall blocking required ports. This is especially true if the basic ports required for control and management are blocked. These ports are listed in section Firewalls. Resolution To solve these problems, make sure the necessary ports are unblocked between the AP and the ZoneDirector.!.#)&;-*1"%).@*X.&@B*)"*T-0&%-,)*)"*J"'&/*1.'-* There are many issues that can affect captive port redirections. These typically include: Firewall has blocked HTTP/S access to the ZoneDirector from the SSID s subnet. This may be due to ACLs on the AP/WLAN or a 3 rd party firewall Client does not have DNS configured correctly Resolution To check firewall issues, make sure the ACLs (if configured) for the WLAN allow access to the ZoneDirector s login page. Since redirection occurs after the client does a DNS lookup/url request, make sure the client has a DNS server configured. This can be checked via the client configuration or by attempting to access a URL with an IP address instead of a DNS name Ruckus Wireless, Inc. Wired Network Design v1.3 49

51 EAA+#,%O)EW)6+<"DD+#,+,) 6+;,%#&) OSI: A Model for Computer Communications Standards, Uyless D. Black M&%)8.@*J7+B* Virtual LANs: A Guide to Construction, Operation and Utilization, Marina Smith Network Warrior, Gary A. Donahue!&B,"*I&%-0*+-)<"%>&/'* Cisco Switched Internetworks: VLANs, ATM & Voice/Data Integration, Chris Lewis Cisco IOS Cookbook, Kevin Dooley, Ian Brown 2013 Ruckus Wireless, Inc. Wired Networks for Wi-Fi v1.3 50

52 EAA+#,%O):W)!"DD"#)!%1<")!"DD;#,1)!"/3&'8%&/'*./*7,,-BB*1"%)* These are the Command Line Interface (CLI) commands to configure a port on a Cisco switch or router as an access port for VLAN 100 (red). The first command creates VLAN 100. interface vlan 100 description Red VLAN ip address ! This command configures the 1/1 port as an access port on VLAN 100. All untagged traffic will go on this VLAN. Any tagged traffic will be ignored. interface GigabitEthernet1/1 description Red VLAN Access Port switchport mode access switchport access vlan 100! This command configures the 1/2 port as a trunk port with VLAN 100 as the native VLAN. All untagged traffic will go to VLAN 100. Any tagged traffic will be ignored unless it is tagged for VLAN 200 or 300. This configuration is essentially the same as that for port 1/1 as far as access to the red VLAN (100) is concerned. In both cases, the AP should be configured to send red network traffic as untagged only. interface GigabitEthernet1/2 description Native Red VLAN Trunk switchport trunk encapsulation dot1q switchport mode trunk switchport trunk native vlan 101 switchport trunk allowed vlan 200,300!!"/3&'8%&/'*.*?%8/>*1"%)* These are the CLI commands to configure a port on a Cisco switch or router as a trunk port for VLAN 100 (red). The first command creates the VLAN and the second configures port 1/1 as a trunk port that includes VLAN 100. Note that Cisco switches require the 2013 Ruckus Wireless, Inc. Wired Networks for Wi-Fi v1.3 51

53 encapsulation be explicitly set to dot1q. Failure to set this will prevent the switch from correctly interpreting tagged frames from the AP. The native VLAN for this port is VLAN 101. Any untagged traffic for this port will be assigned to VLAN 101. interface vlan 100 description Red VLAN ip address ! interface vlan 101 description Native VLAN ip address ! interface GigabitEthernet1/1 description Red VLAN Trunk switchport trunk encapsulation dot1q switchport mode trunk switchport trunk native vlan 101 switchport trunk allowed vlan 100! Multiple VLANs may be configured for a single trunk port however only one native VLAN is allowed.?%"8p@-b("")&/'* When troubleshooting with a Cisco switch, it may be useful to configure the switch to update the port status more quickly than the default of 30 seconds when the spanning tree protocol (STP) is enabled. The amount of time spanning tree takes to transition ports to a forwarding state can cause problems. This is especially true of an individual device such as an AP. It might consider itself in an up date, but the switch port has not switched back to forwarding yet which prevents it from getting a connection. The Cisco portfast command will speed convergence to help with this problem. NOTE: This command should only be used on ports connected to a single device that is not a switch or other Layer 2 device capable of causing spanning tree loops. E<<+11)7"(.) interface GigabitEthernet1/1 spanning-tree portfast! 2013 Ruckus Wireless, Inc. Wired Network Design v1.3 52

54 5('#0)7"(.) interface GigabitEthernet1/1 spanning-tree portfast trunk! 2013 Ruckus Wireless, Inc. Wired Network Design v1.3 53

55 EAA+#,%O)!W)!"DD"#)X7)!"DD;#,1)!"/3&'8%&/'*.*1"%)* These are the Command Line Interface (CLI) commands to configure a port on an HP ProCurve switch or router. In HP terms, a trunk port is an aggregate of multiple ports, e.g. C1-C4 rather than the Cisco definition of a trunk as a port that understands 802.1Q tags. Therefore, configuring a port to support VLAN tagging simply entails added those ports as tagged to the VLAN configuration: The first command creates VLAN 100 with ports B10-B12 defined as untagged members of that VLAN. All untagged traffic will go on this VLAN. Any tagged traffic will be ignored. vlan 100 name Red VLAN ip address untagged B10-B12 exit To support tagged VLANs add an additional line specifying the ports. vlan 100 name Red VLAN ip address untagged B3-B9 tagged C10-C12 exit vlan 200 name Blue VLAN ip address untagged C10-C12 tagged B3-B9 exit The above configuration defines ports B3-B9 as untagged for VLAN 100 and tagged for VLAN 200. Therefore the ports will place untagged packets on the red VLAN 100. If it receives tagged traffic, only VLAN 200 will be honored and only for ports B3-B Ruckus Wireless, Inc. Wired Networks for Wi-Fi v1.3 54

56 EAA+#,%O)=W)!"DD"#)4O.(+D+)!"DD;#,1)!"/3&'8%&/'*.*1"%)* These are the Command Line Interface (CLI) commands to configure a port on an ExtremeOS switch or router. In Extreme terms, a trunk port is configured by specifying which port is tagged or untagged as part of the VLAN command. The commands below create a VLAN called RedVLAN. This VLAN is assigned an ID of 100. Ports 7-24 are untagged members of this VLAN. vlan RedVLAN configure vlan RedVLAN tag 100 configure vlan RedVLAN add port 7:24 untagged To support tagged VLANs add an additional line specifying the tagged ports. vlan RedVLAN configure vlan RedVLAN tag 100 configure vlan RedVLAN add port 7:24 untagged configure vlan RedVLAN add port 5-6 tagged The above configuration defines ports 7-24 as untagged for VLAN 100 and tagged for ports 5-6. Therefore ports 7-24 will place all untagged traffic into VLAN 100 and ports 5-6 will only do so if the packet is specifically tagged for VLAN Ruckus Wireless, Inc. Wired Networks for Wi-Fi v1.3 55

57 EAA+#,%O)4W)!"#$%&'(%#&) 4#.+(;1B1)9/%.<C+1);#,)6"'.+(1)!"/3&'8%&/'*.*1"%)* These are the Command Line Interface (CLI) commands to configure a port on an Enterasys switch or router. The commands below create a VLAN called RedVLAN. This VLAN is assigned an ID of 100. Port ge are untagged members of this VLAN. set vlan create 100 set vlan name 100 RedVLAN set vlan create 200 set vlan name 200 BlueVLAN set port vlan ge modify-egress To support tagged VLANs add an additional line specifying the tagged ports. set vlan egress 200 ge.1.10 The above command adds VLAN tagging for port ge.1.10 for VLAN Ruckus Wireless, Inc. Wired Networks for Wi-Fi v1.3 56