Aerohive Configuration guide.

© 2013 Aerohive Networks CONFIDENTIAL
AEROHIVE CERTIFIED
NETWORKING PROFESSIONAL
(ACNP)
1

Introductions
2
•What is your name?
•What is your organizations name?
•How long have you worked in networking?
•What was your 1st computer?

Facilities Discussion
3
• Course Material
Distribution
• Course Times
• Restrooms
• Break room
• Smoking Area
• Break Schedule
› Morning Break
› Lunch Break
› Afternoon Break

Aerohive Switching & Routing
Configuration (ACNP) – Course Overview
4
Each student connects to HiveManager, a remote PC, and a Aerohive AP over the
Internet from their wireless enabled laptop in the classroom, and then performs hands
on labs the cover the following topics:
• Overview of Switching and Routing Platforms
• Unified Network Policy Management
• Spanning Tree
• Device Templates
• Port Types (802.1Q Ports, Phone and Data Ports, Secure Access Ports, Guest
Access Ports and WAN ports)
• Aggregate Channels
• PoE
• VLAN to Network mapping
• Router templates
• Parent networks and branch subnets
• Layer 3 VPN with VPN Gateway Virtual Appliance
• Policy Based Routing
• Router Firewall
• Cookie Cutter Branch Networking
2 Day Hands on Class

Copyright ©2011
Aerohive Training Remote Lab
5
Aerohive Access Points using external
antenna connections and RF cables to
connect to USB Wi-Fi client cards
(Black cables)
Access Points are connected from eth0 to
Aerohive Managed Switches with 802.1Q
VLAN trunk support providing PoE to the
APs (Yellow cables)
Firewall with routing support, NAT, and
multiple Virtual Router Instances
Access Points are connected from their
console port to a console server
(White Cables)
Console server to permit SSH access into the
serial console of Aerohive Access Points
Server running VMware ESXi running Active
Directory, RADIUS, NPS and hosting the
virtual clients used for testing configurations
to support the labs

Aerohive CBT Learning
6
http://www.aerohive.com/cbt

The 20 Minute Getting Started Video
Explains the Details
7
Please view the Aerohive Getting Started Videos:
http://www.aerohive.com/330000/docs/help/english/cbt/Start.ht
m

Aerohive Technical Documentation
8
All the latest technical documentation is available for download
at:
http://www.aerohive.com/techdocs

Aerohive Instructor Led Training
9
• Aerohive Education Services offers a complete curriculum that provides you with
the courses you will need as a customer or partner to properly design, deploy,
administer, and troubleshoot all Aerohive WLAN solutions.
• Aerohive Certified WLAN Administrator (ACWA) – First-level course
• Aerohive Cerified WLAN Professional (ACWP) – Second-level course
• Aerohive Certified Network Professional (ACNP) – Switching/Routing course
• www.aerohive.com/training – Aerohive Class Schedule

Over 20 books about networking have been written
by Aerohive Employees
10
CWNA Certified Wireless Network Administrator
Official Study Guide by David D. Coleman and David
A. Westcott
CWSP Certified Wireless Security Professional
Official Study Guide by David D. Coleman, David A.
Westcott, Bryan E. Harkins and Shawn M.
Jackman
CWAP Certified Wireless Analysis Professional Official
Study Guide by David D. Coleman, David A. Westcott,
Ben Miller and Peter MacKenzie
802.11 Wireless Networks: The Definitive Guide,
Second Edition by Matthew Gast
802.11n: A Survival Guide by Matthew Gast
Aerohive
Employees
802.11ac: A Survival Guide by Matthew Gast
Over 20 books about networking have
been written by Aerohive Employees

Aerohive Exams and Certifications
11
• Aerohive Certified Wireless Administrator
(ACWA) is a first- level certification that
validates your knowledge and understanding
about Aerohive Network’s WLAN
Cooperative Control Architecture. (Based
upon Instructor Led Course)
• Aerohive Certified Wireless Professional
(ACWP) is the second-level certification that
validates your knowledge and understanding
about Aerohive advanced configuration and
troubleshooting. (Based upon Instructor Led
Course)
• Aerohive Certified Network Professional
(ACNP) is another second-level certification
that validates your knowledge about
Aerohive switching and branch routing.
(Based upon Instructor Led Course)

Aerohive Forums
12
• Aerohive’s online community – HiveNation
Have a question, an idea or praise you want to share? Join the HiveNation Community - a
place where customers, evaluators, thought leaders and students like yourselves can
learn about Aerohive and our products while engaging with like-minded individuals.
• Please, take a moment and register during class if you are not already a
member of HiveNation.
Go to http://community.aerohive.com/aerohive and sign up!

Aerohive Social Media
13
The HiveMind Blog:
http://blogs.aerohive.com
Follow us on Twitter: @Aerohive
Instructor: David Coleman: @mistermultipath
Instructor: Bryan Harkins: @80211University
Instructor: Gregor Vucajnk: @GregorVucajnk
Instructor: Metka Dragos: @MetkaDragos
Please feel free to tweet about #Aerohive training during
class.

Copyright ©2011
Aerohive Technical Support – General
14
I want to talk to somebody live.
Call us at 408-510-6100 / Option 2. We also provide service
toll-free from within the US & Canada by dialing (866) 365-9918.
Aerohive has Support Engineers in the US, China, and the UK,
providing coverage 24 hours a day.
Support Contracts are sold on a yearly basis, with
discounts for multi-year purchases. Customers can opt
to purchase Support in either 8x5 format or in a 24
hour format.
How do I buy Technical Support?
I have different expiration dates on several Entitlement keys, may
I combine all my support so it all expires on the same date?
Your Aerohive Sales Rep can help you set-up Co-Term, which allows
you to select matching expiration dates for all your support.

Copyright ©2011
Aerohive Technical Support – The
Americas
15
Aerohive Technical Support is available 24 hours a
day. This can be via the Aerohive Support Portal or
by calling. For the Support Portal, an authorized
customer can open a Support Case.
Communication is managed via the portal with new
messages and replies. Once the issue is resolved,
the case is closed, and can be retrieved at any time
in the future.
How do I reach Technical Support?
I want to talk to somebody live.
For those who wish to speak with an engineer call us at 408-510-
6100 / Option 2. We also provide service toll-free from within
the US & Canada by dialing (866) 365-9918.
I need an RMA in The Americas
An RMA is generated via the Support Portal, or by calling our Technical Support
group. After troubleshooting, should the unit require repair, we will overnight*
a replacement to the US and Canada. Other countries are international. If the
unit is DOA, it’s replaced with a brand new item, if not it is replaced with a like
new reburbished item.
*Restrictions may apply: time of day, location, etc.

Copyright ©2011
Aerohive Technical Support – International
16
Aerohive international Partners provide dedicated
Technical Support to their customers. The Partner has
received specialized training on Aerohive Networks’
product line, and has access to 24 hour Internal
Aerohive Technical Support via the Support Portal, or
by calling 408-510-6100 / Option 2.
How Do I get Technical Support outside The Americas?
World customer’s defective
units are quickly replaced by
our Partners, and Aerohive
replaces the Partner’s stock
once it arrives at our location.
Partners are responsible for all
shipping charges, duties, taxes,
etc.
I need an RMA internationally

Copyright Notice
17
Copyright © 2013 Aerohive Networks, Inc. All rights
reserved.
Aerohive Networks, the Aerohive Networks logo, HiveOS,
Aerohive AP, HiveManager, and GuestManager are
trademarks of Aerohive Networks, Inc. All other trademarks
and registered trademarks are the property of their
respective companies.

© 2013 Aerohive Networks CONFIDENTIAL© 2013 Aerohive Networks CONFIDENTIAL
QUESTIONS?

Overview of hardware and software platforms
SWITCHING & ROUTING PRODUCT
LINE
19

Copyright ©2011
Aerohive Switching Platforms
20
SR2124P SR2148P
24 Gigabit Ethernet 48 Gbps Ethernet
4 Ports 1G SFP Uplinks 4 Ports 10 G SFP/SFP+ Uplinks
24 PoE+ (408 W)
128 Gbps switch56Gbps switching 176 Gbps switch
48 PoE+ (779 W)
Routing with 3G/4G USB support and Line rate
switching
Redundant Power Supply CapableSingle Power Supply
24 PoE+ (195 W)
SR2024P
Switching Only

Class Switches Deployed in Data Center
• SR2024
› Line Rate Layer 2 Switch
› 8 Ports of PoE
› Multi-authentication
access ports
» 802.1X with fallback to
MAC auth or open
› Client Visibility
» View client information
by port
› RADIUS Server
› Internet Router
› DHCP Server
› USB 3G/4G Backup
› Policy-based routing with Identity
Internet
AP
AP
PoE
SR202
4
AP
Provides Access For:
• Employees
• Guests
• Contractors
• Phones
• APs
• Servers
Note: The switch model (2024) used in the lab has been superseded by improved models.

Express Mode
• Optimized for ease of use
• Uniform company-wide policy
• One user profile per SSID
Enterprise Mode
• Enterprise sophistication
• Multiple Network policies
• Multiple user profiles/SSID
HiveManager Appliance 2U
• Redundant power& fans
• HA redundancy
• 5000 APs
HiveManager Virtual Appliance
• VMware ESX & Player
• HA redundancy
• 1500 APs with minimum configuration
HiveManager Form Factors
22
HiveManager Appliance
• Redundant power & fans
• HA redundancy
• 8000 APs
HiveManager Virtual Appliance
• VMware ESX & Player
• HA redundancy
• 5000 APs with minimum configuration
HiveManager Online
• Cloud-based SaaS management
Topology Reporting Heat Maps SLA ComplianceRF PlannerSW, Config, & Policy Guest Mgmt

HiveManager Appliance
23

HiveManager Databases
24

Copyright ©2011
Aerohive Routing Platforms
25
BR 100 BR 200 AP 330 AP 350
Single Radio Dual Radio
2X 10/100/1000 Ethernet
5-10 Mbps
FW/VPN
30-50Mbps FW/VPN
1x1 11bgn 3x3:3 450 Mbps 11abgn
5X 10/100
5X
10/100/1000
0 PoE PSE0 PoE PSE 2X PoE PSE
*
* Also available as a non-Wi-Fi device
L3 IPSec
VPN
Gateway
~500 Mbps
VPN
4000/1024
Tunnels
Physical/Vir
tual
VPN Gateways

BR100 vs. BR200
26
BR100 BR200/BR200WP
5x FastEthernet 5x Gigabit Ethernet
1x1 11bgn (2.4Ghz) single radio 3x3:3 11abgn dual-band single radio (WP)
No integrated PoE PoE (in WP model)
No console port Console Port
No Spectrum Analysis Integrated Spectrum Analysis (WP)
No Wireless Intrusion Detection Full Aerohive WIPS (WP)
No local RADIUS or AD integration Full Aerohive RADIUS, proxy, and AD
No SNMP logging SNMP Support

2x2:2 300 Mbps
11n High Power
Radios
1X Gig.E
-40 to 55°C
PoE (802.3at)
N/A
Outdoor
Water Proof (IP
68)
Aerohive AP Platforms
AP170
2X Gig E
/w PoE Failover
3x3:3 450 + 1300 Mbps High Power Radios
Dual Radio 802.11ac/n
Plenum/Plenum
Dust Proof
-20 to 55°C
AP390
Indoor Industrial
Dual Radio
802.11n
AP230
Dual Radio 802.11n
2X Gig.E - 10/100 link
aggregation
-20 to
55°C
0 to 40°C
3x3:3
450 Mbps High Power
Radios
TPM Security Chip
PoE (802.3af + 802.3at) and AC Power
Indoor
Industrial
Indoor
Plenum/D
ust
Plenum Rated
AP121 AP330 AP350
1X Gig.E
2x2:2
300 Mbps High
Power Radios
USB for 3G/4G Modem
AP141
USB for future use
Indoor
2X Gig.E w/ link
aggregation
Plenum Rated
0 to 40°C
USB for future use
AP370*
* Includes 5 GHz Transmit Beamforming and in 2.4 GHz has TurboQAM

VPN Gateway Virtual Appliance
28
• Supports the following
› GRE Tunnel Gateway
› L2 IPSec VPN Gateway
› RADIUS Authentication Server
› RADIUS Relay Agent
› Bonjour Gateway
› DHCP server
• Use a VPN Gateway Virtual Appliance instead of an AP when higher
scalability for these features are required
Function Scale
VPN Tunnels 1024 Tunnels
RADIUS – Local users per VPN Gateway 9999
# Users Cache (RADIUS Server) 1024
# Simultaneous (RADIUS Server)
authentications
256

VPN Gateway Physical Appliance
29
• Supports the following
› GRE Tunnel Gateway
› RADIUS Authentication Server
› RADIUS Relay Agent
› Bonjour Gateway
› DHCP server
• Use a VPN Gateway Appliance instead of an AP when higher scalability for
these features are required
Function Scale
VPN Tunnels 4000 Tunnels
RADIUS – Local users per VPN Gateway 9999
# Users Cache (RADIUS Server) 1024
# Simultaneous (RADIUS Server)
authentications
256
Ports: One 10/100/1000 WAN port
Four LAN ports two support PoE

Lab Infrastructure
31
PC
PoE
SR202
4
AP
PC
PoE
SR202
4
AP
Core
Access
Student Space
Instructor Space
Student 2 Student X
Distribution
HiveManager
Router
VLAN 1
ip address 10.100.1.1/24
VLAN 2
ip address 10.100.2.1/24
VLAN 8
ip address 10.100.8.1/24
VLAN10
ip address 10.100.10.1/24

SWITCHING
32

Lab: Setting up a Wireless Network
1. Connect to the Hosted Training HiveManager
33
• Securely browse to the appropriate HiveManager for class
› TRAINING LAB 1
https://training-hm1.aerohive.com
https://72.20.106.120
› TRAINING LAB 2
https://72.20.106.66
› TRAINING LAB 3
https://209.128.124.220
› TRAINING LAB 4
https://203.214.188.200
› TRAINING LAB 5
https://209.128.124.230
• Supported Browsers:
› Firefox, Internet Explorer, Chrome, Safari
• Class Login Credentials:
› Login: adminX
X = Student ID 2 - 29
› Password: aerohive123
NOTE: In order to access the
HiveManager, someone at your
location needs to enter the
training firewall credentials given
to them by the instructor first.

Lab: Setting Up a Wireless Network
2. Create a Network Policy
34
• Go to
Configuration
• Click the New
Button

3. Enable network policy options
35
• Name:
Access-X
• Check the options
for
› Wireless
Access
› Switching
› Bonjour
Gateway
• Click Create
• Note, enabling Branch Routing:
» Enables L3 VPN Configuration
» Disable L2 VPN Configuration
» Enable L3 Router Firewall Policy
» Policy-Based Routing with Identity
» Enables Router configuration settings in
Additional Settings

Network Policy Components
36
• Wireless Access – Use when you have an AP only
deployment, or you require specific wireless policies for
APs in a mixed AP and router deployment
• Branch Routing– Use when you are managing routers, or
APs behind routers that do not require different Network
Policies than the router they connect through
BR100
BR200 AP
AP
Internet
Internet
Small Branch Office
or Teleworker Site Small to Medium Size Branch Office
that may have APs behind the router

• Bonjour Gateway
› Allows Bonjour services to be seen in multiple subnets
• Switching
› Used to manage wired traffic using Aerohive Switches
Network Policy Components
37
Internet
AP
AP
PoE
SR2024
AP

4. Create a New SSID Profile
38
Network Configuration
• Next to SSIDs click
Choose
• Then click New

5. Configure Employee SSID
39
• SSID Profile: Class-PSK-X
X = 2 – 29 (Student ID)
• SSID: Class-PSK-X
• Select WPA/WPA2 PSK
(Personal)
• Uncheck the Obscure
Password checkbox
• Key Value: aerohive123
• Confirm Value: aerohive123
• Click Save
• Click OK
For the ALL labs, please follow the
class naming convention.

6. Create a User Profile
40
• To the right of your
SSID, under User
Profile, click
Add/Remove
In Choose User
Profiles
• Click the New
button

7. Define User Profile Settings
41
•Name:
Employee-X
•Attribute
Number:10
Default VLAN:
From the drop down
box,
•Select Create new
VLAN,
type:10
•Click Save

8. Choose User Profile and Save
42
•Ensure
Employee-X
User Profile is
highlighted
•Click Save

9. Review your policy and save
43
• From the Configure Interfaces & User
Access bar, click Save

SPANNING TREE BEHAVIOR
44

How loops happen
1. Client sends broadcast such as ARP request
2. Switch A forwards packet on all interfaces, except
source interface
3. Switch B receives the broadcast twice, but does
not know it is the same broadcast. It forwards
the broadcast from interface 1 on interface 24
and vice versa
4. Switch A again receives the broadcast twice and
does the same at Switch B. (It also sends both
broadcasts back to the client
5. Rinse and repeat. The broadcast never leaves
the network
B
A

© 2013 Aerohive Networks CONFIDENTIAL 46
Easy to solve, right?
Just disconnect one cable…
But now there is no redundancy…
Have no fear!
There was once a loop to be,
In a redundant path for everyone to see.
The packets went round and round,
Until a new sheriff was found.
His name? Well, Spanning Tree!
Spanning Tree

So what does the Spanning Tree
Protocol (STP) do?
High level overview:
1. All interfaces are blocked (for non STP traffic)
while the switches elect a root bridge (switch)
2. After the root bridge is elected, switches calculate
the lowest cost path to the root bridge
3. Unblock corresponding ports and keep redundant
ports blocked
4. If an active link fails, unblock redundant port
I am root!
Speed 1Gbit
Cost: 20,000
Speed 100Mbit
Cost: 200,000
Root doesn’t
have to
calculate
Spanning Tree

Spanning Tree – extra reading
Found in the class materials:
Spanning-Tree-Overview.pptx
• STP
• RSTP
• MSTP
• (R)PVST

Switch Spanning Tree Settings
49
• By default, spanning tree is disabled on Aerohive switches
› Why?
› If you plug an edge switch into a network, and the switch priority is a
lower number (higher priority) on our switch, than what is configured on
the existing network, our switch will become the root switch
› This means that the optimal path and links that are available through a
network will be chosen based on getting to your edge switch!
› This most likely is not what a customer wants to do! ;-)
• What is the downside of not enabling spanning tree by default?
› If you plug two cables from our switch to the distribution switch network,
and the ports are not configured as an aggregate, you can cause a loop!
› This is far less of a concern than enabling spanning tree by default and
possibly rerouting all traffic through our switch, so we will disable
spanning tree by default

Verify Existing Network
Spanning Tree Priorities
50
• Before installing an Aerohive switch into an existing switch network,
have the company determine the root switch and backup root switch
priority
• Ensure our spanning tree priority is set to a higher number
• For example, on a Cisco Catalyst switch you can type:
CS-Dist-2#show spanning-tree
MST0
Spanning tree enabled protocol mstp
Root ID Priority 12288
Address 000f.23b9.0d80
Cost 0
Port 25 (GigabitEthernet0/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 16384 (priority 16384 sys-id-ext 0)
Address 001f.274c.5180
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- -----
Fa0/24 Desg FWD 200000 128.24 P2p
Gi0/1 Root FWD 200000 128.25 P2p

Verify Existing Network
Spanning Tree Priorities
51
CS-Dist-2#show spanning-tree
MST0
Spanning tree enabled protocol mstp
Root ID Priority 12288
Address 000f.23b9.0d80
Cost 0
Port 25 (GigabitEthernet0/1)
Bridge ID Priority 16384 (priority 16384 sys-id-ext 0)
Address 001f.274c.5180
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- -----
Fa0/24 Desg FWD 200000 128.24 P2p
Gi0/1 Root FWD 200000 128.25 P2p
• Here you can see the Root Priority is: 12288
• The switch this command is run on shows a priority of 16384
• So most likely our switch default priority of: 32768 will not cause any
harm

Lab: Enable Spanning Tree
1. Enable Spanning Tree
52
From the network policy that has switching enabled
• Go to Additional Settings and click Edit

2. Enable RSTP
53
Enable Rapid Spanning
Tree
• Expand Switch Settings
• Expand STP Settings
• Check the box to Enable
STP (Spanning Tree
Protocol)
• Select the radio button to
enable RSTP (Rapid
Spanning Tree)
• Click Save

3. Save your Network Policy
54

Spanning Tree – Switch specific settings
55
More detailed Spanning Tree settings can be
configured on an individual switch in device level
settings should that be required.

DEVICE TEMPLATES
FOR DEFINING SWITCH PORT
SETTINGS
56

Device Templates
57
• HiveManager Device Templates are
used to assign switches at the same
or different sites to a common set of
port configurations
• For example, ports 1, 2
are for APs, ports 3-6 are
for phones, etc…
AP
PoE
SR202
4
APAP
PoE
SR202
4
AP
Distribution
Access/Edge
HiveManager – SR2024 as switch device template

Device Templates
58
• Device templates are used
to define ports for the same
device, devices with the
same number of ports, and
device function
• Device templates do not set
device function, i.e. switch,
router, or AP, but will only
match devices configured
with the matching function
• You configure a devices
function in the device
specific configuration
Apply to SR2024 switches
configured as switches
Apply to SR2024 switches
configured as routers.
Requires WAN port – icon
depicted as a cloud

Device Templates
For Devices Requiring Different Port
Settings
59
• If devices require different port
configurations for the same type of
device and function, you can
› 1. Configure device classification
tags to have different device
templates for different devices
› 2. Create a new network policy
with a different device template
PoE
SR202
4
APAP
PoE
SR202
4
AP
SR2024 as Switch
Default Sites
Default Site Device
Classification
Tag: Small Site
SR2024 as Switch
Small Sites
Note: The switch model (2024) used in the lab has been superseded by improved models.

CONFIGURE DEVICE TEMPLATES
FOR DEFINING SWITCH PORT
SETTINGS
60

Lab: Configure Device Templates
1. Create device template
61
• Next to Device
templates, click
Choose
• Click New

2. Create switch template
62
• Name:
SR2024-Default-X
• Click Device Models
• Select SR2024
• Click OK
• For SR2024, when
functioning as:
› Select Switch
• Click Save
Note: Here you are not setting the SR2024
to function as a switch. Instead, you are
only specifying that this template applies to
SR2024s when they are configured to
function as a switch. The switch/router
function is configured in switch device
settings.
Note: You only see switch as an option
and not Switch and Router, because Routing
was not enabled in the selection box when
creating this Network Policy.

3. Save switch template
63
• Ensure your device template is selected
and click OK
• The device template will appear in the
Device Templates section
• You can show or hide the individual
device template by clicking the triangle
Shows you that this is a template
for your switch as a switch

64

LINK AGGREGATION
65

Lab Infrastructure
Aggregate Links for Connection to Distribution
66
Aggregate is statically configured similar to
EtherChannel
There is no LACP (Link Aggregation Control
Protocol) in this release.
• You can have 8 ports in one channel
› The ports do not have to be contiguous
• Every port on the SR2024 can be configured
into port channels except the USB and
console port
• The switch hardware creates a hash of the the
header fields in frames selected for load
balancing, for determining the ports in an
aggregate to send a frame
› Load balancing options are:
» Source & Destination MAC, IP, and Port
» Source & Destination IP Port
» Source & Destination IP
» Source & Destination MAC
PC
SR202
4
AP

Lab Infrastructure
Aggregate Links for Connection to Distribution
67
• Load balance of broadcast, multicast, and
unknown unicast traffic between ports in an
aggregate is based on Src/Dst MAC/IP.
• You cannot configure a 802.1X port in an
EtherChannel
• mac learning is on the port channel port,
instead of member port
• Only ports with same physical media type and
speed can be grouped into one aggregate.
• Supports LLDP per port but not per channel
PC
SR202
4
AP

Lab Infrastructure
Do not do this with aggregates
68
• In this case, distribution switch 1 and switch 2 will
see the same MAC addresses and cause MAC
flapping
› i.e. traffic from PC A for example might be load
balanced to Switch 1 and Switch 2
• In this case, there will also be a loop!
• Aggregates must be built between a pair of
switches only!
PC
SR202
4
AP
Aggregate 1
Distribution
Switch 1
Distribution
Switch 2

AGGREGATION –
CONFIGURATION EXAMPLE
69

Aggregate Links for Switch Connections
to Distribution Layer Switches
70
Each access switch will have two
aggregates:
• Aggregate 1: Port 17, 18
• Aggregate 2: Port 19, 20
These ports are not connected in
this classroom, this is only a
configuration example
PC
PoE
SR202
4
AP
Core
Access
Aggregates
ESXi Server
Distribution
HMOL

Copyright ©2011
Lab: Link Aggregation
1. Select ports 17 and 18
Select ports that will be used to connect to the distribution layer
switches (example only, aggregates are not used in class)
NOTE: Recommended not to use the first 8 ports on the SR2024 which provide PoE.
• Select port 17, and 18
• Check the box for Aggregate selected ports…
• Enter 1
• Click Configure
71

2. Create Trunk Port policy
72
• Click New
• Name: Trunk-X
• Port Type: 802.1Q
• QoS Classification:
Trusted Traffic
Source
Note: This means we
are trusting the
upstream network
infrastructure markings
› Map to DSCP or
802.1p
• QoS Marking:Map
Aerohive..
802.1p
• Click Save

2. Save Trunk Port policy
73
• Ensure that Trunk-X
is selected, click OK

74
• Select port 19 and 20
• Check aggregate selected ports… and enter 2

4. Assign Trunk policy
75
• Click Configure
• For choose port type, select your
802.Q trunk that you created
previously: Trunk-X
• Click OK

5. Review port settings
76
Port 17, 18, 19, and 20 will now display
an 802.1Q trunk icon and should all
appear the same, even though there
are two different aggregates

77

CONFIGURE UPLINKS USED IN
THE CLASSROOM
78

Classroom Links for Switch Connections
to Distribution Layer Switches
79
For the class, we are going to
configure single uplinks without
aggregation to connect to the
distribution switches
• Single Uplinks : Port 23, 24
Port 23 will be connected to
Distribution switch 1, and
port 24 will be connected to
Distribution switch 2
PC
PoE
SR202
4
AP
Core
Access
ESXi Server
Distribution
HMOL
• 3CX IP PBX
10.100.1.?

Copyright ©2011
Lab: Configure Uplink Ports
1. Select Ports 23 and 24
Select ports that will be used to connect to the distribution layer
switches
• Click Configure
80

2. Assign port policy and save
81
• For choose port type, select your
802.Q trunk that you created
previously: Trunk-X
• Click OK
• Ports 23 and 24 should now be the
same color as the other Trunk ports

82

CONFIGURE PORTS FOR APS
83

Lab Infrastructure
Configure PoE Ports for APs
84
Configure two of the PoE ports
for APs
• Use Port 1 and 2 for APs
NOTE: For class there is an AP
connected to port 1 of every
switch
PoE
SR202
4
Core
Access
ESXi Server
Distribution
HMOL
APAP
IP Phones

Copyright ©2011
Lab: Configure Access Point ports
Select ports that will be used to connect to APs
NOTE: The first 8 ports on an SR2024 provide power
• Click Configure
85

2. Create Trunk Policy
86
• Click New
• Name: AP-Trunk-X
• Port Type: 802.1Q
Trusted Traffic
Source
Note: This means we
are trusting the
upstream network
802.1p
Aerohive..
802.1p
• Click Save

3. Assign AP-Trunk Policy to ports 1 and 2
87
• Ensure that that AP-Trunk-X is selected
• Click OK
• Port 1and 2 will now display an 802.1Q trunk icon,
but this time, a power symbol appears as well
because ports 1 through 8 can provide power
• Notice that Ports 1
and 2 are a
different color
because there is a
different port policy
than the other
ports

88

CONFIGURE POWER SOURCING
EQUIPMENT (PSE) PORTS FOR
POWER OVER ETHERNET (POE)
89

PoE Overview
90
• PoE standards define the capabilities of the power sourcing equipment (PSE)
and the powered device (PD).
• The PSE is an Aerohive switch. Aerohive access points would be considered
PDs.
• The 802.3af PoE standard defines 15.4 Watts from the PSE
• All 802.11n Aerohive APs will work with 802.3af - CAT5e cabling or better is
required.
• The maximum draw of an Aerohive AP-330 is14.95 Watts.

PoE Overview
91
• The 802.3at standard (PoE+) defines 32 Watts from the PSE
• 802.11ac Aerohive AP230 is fully functional using 802.3af
• However, the older 802.11ac Aerohive APs (AP370 and
AP390) require PoE+ for full functionality
• The AP370 and AP390 will function with 802.3af PoE however
the 80 MHz channels capability is restricted.

PoE Power Budgets
92
• Careful PoE power budget planning is a must.
• Access points will randomly reboot if a power budget has
been exceeded and the APs cannot draw their necessary
power.
SR2124P SR2148P
24 PoE+ (408 W) 48 PoE+ (779 W)24 PoE+ (195 W)
SR2024P

Lab: Configure PoE ports
1. Select additional port settings
93
• Select Additional port settings to configure
› Port Channel Load-Balance Mode Settings
› PoE port (PSE) Settings
Additional Port Settings
link is available if no ports are
currently selected

2. Aggregate channel settings
94
• For Port Channel Load-Balance Mode, please selecting
the headers in a frame that will be used in creating a
hash to determine which port a frame should egress
› NOTE: If you are testing a single client, especially for a demo, the
more fields you use you will have a better opportunity to egress
multiple ports

3. PSE settings
95
• Expand PSE Settings
• Because only the first two ports have been configured,
you will only have the ability to configure PSE (Provides
PoE) to the first two ports
• Next to Eth1/1 Click +

4. PSE settings
96
• Name: af-high-X
• Power Mode: 802.3af
• Power Limit: 15400 mW
• Priority: high
• Save
Note: Default PoE port
settings is 802.3at (PoE+)
Power priority can be low,
high or critical

5. PSE settings
97
• Assign Eth1/1 and Eth1/2 to: af-high-X
• Save
NOTE: You will only see the Interfaces(Ports) that have been
assign to a port type

98

CONFIGURE PORTS FOR IP
PHONES
99

Lab Infrastructure
Configure PoE Ports for IP Phones
100
Configure 6 of the PoE ports for
IP Phones
• Use Port 3 - 8 for IP PhonesPoE
SR202
4
Core
Access
ESXi Server
Distribution
HMOL
APAP

CONFIGURE PHONE PORTS IN
SWITCH DEVICE TEMPLATE
101

Copyright ©2011
Lab: Configure PoE ports for IP phones
1. Select ports 3-8
Select ports that will be used to connect to IP Phones
NOTE: The first 8 ports on an SR2024 provide power
• Select port 3, 4, 5, 6, 7, and 8
(Yes, you can multi-select)
• Click Configure
102

2. Phone & Data ports
103
•Click New

104
• Name: Phone-and-Data-X
• Port Type: Phone & Data
• Check Primary authentication
using:
MAC via PAP
Trusted Traffic Sources
Note: This means we are
trusting the upstream network
› Map to DSCP or 802.1p
Aerohive..
› Map to DSCP or 802.1p
• Click Save

105
• For choose port type, select
Phone-and-Data-X
• Click OK
• Port 3 – 8 will now display with a phone
icon

5. Save your network policy
106

CONFIGURE PORTS FOR OPEN
GUEST ACCESS
107

Lab Infrastructure
Configure Ports for Employee Computer Access
108
Configure 2 of the switch ports
for open access
(switch ports are in a secured
room – for testing purposes)
• Use Port 9 and 10
PoE
SR202
4
Core
Access
ESXi Server
Distribution
HMOL
APAP
IP Phones
Guest
Computers

Copyright ©2011
Lab: Configure Open Guest Ports
Select ports that will be used to connect to guest computers
• Select port 9 and 10
• Click Configure
109

2. Create access port
110
•Click New

3. Create access port
111
• Name: Guest-X
• Port Type: Access
• Most likely you will
not be trusting the
DSCP settings on
guest devices, so
click Untrusted
Traffic Sources
• There is no need to
mark the traffic for
QoS marking
• Click Save

4. Assign access port policy
112
• For choose port type, select
Guest-X
• Click OK
• Port 9 and 10 will now display with a
world icon

113

For switch ports in a secure location
CONFIGURE PORTS FOR SECURE
EMPLOYEE ACCESS WITH 802.1X
114

Lab Infrastructure
Configure Ports for Employee Computer Access
115
Configure six of the switch ports
for 802.1X authentication
• Use Ports 11-16
PoE
SR202
4
Core
Access
ESXi Server
Distribution
HMOL
APAP
IP Phones
Employee
Computers
802.1X

Copyright ©2011
Lab: Configure Secure Access Ports
1. Select ports 11 - 16
Select ports that will be used to connect to employee computers
that support 802.1X
• Select port 11,12,13,14,15,16
• Click Configure
116

2. Create secure port policy
117
• Click New

3. Create secure port policy
118
• Name: Secure-X
• Port Type: Access
• Check the box for:
Primary Authentication
using 802.1X
• Uncheck ☐Allow multiple
hosts (same VLAN)
• For the ability to preserve
markings on PCs for softphones
or other important applications,
select QoS Classification:
Trusted Traffic Sources
• Check the box for QoS
Marking
 Map Aerohive QoS …
• Select DSCP or 802.1p
depending on the upstream
switch architecture
• Click Save

4. Assign secure port policy
119
• For choose port type, select Secure-X
• Click OK
• Ports 11-16 will now display with a world
icon

120

CONFIGURE MIRROR PORTS
121

Copyright ©2011
Lab: Configure Mirror Ports
1. Select ports 21 - 22
Select ports that will be used for port mirroring
• Select ports 21 and 22
• Click Configure
122

2. Create mirror port policy
123
• Click New
• Name: Mirror-X
• Port Type: Mirror
• Click Save

3. Assign mirror port policy
124
• For choose port type, select Mirror-X
• Click OK
• Check  Port-Based
Note: VLAN-Based port
mirroring can only be
enabled on a single port

4. Choose ports to mirror
125
• Eth1/21, Egress – click Choose
• Select Eth1/1 and Click OK
• Eth1/22, Ingress – click Choose
• Select Eth1/12 and Click OK

5. Verify and save mirror port policy
126
• All downstream traffic destined for the WLAN clients of the
Aerohive AP on port Eth1/1 will be mirrored to port Eth1/21.
• All upstream traffic destined for the network from the host on
Eth1/12 will be mirrored to port Eth1/22.
• Click Save

6. Verify and save mirror port policy
127
Ports 21 and 22 will now display a magnifying glass icon.

GENERAL DEVICE TEMPLATE
INFO
129

General Port Template Info
130
If you have more than one port
selected, you can clear port
selections here so you do not
have to click all the selected
ports to deselect them.

General Port Template Info
131
• If you move your
mouse over one
of the defined
ports, an option
appears to
select all ports
using this port
type
Click Here

Guest Access
CONFIGURE PORT TYPES
132

Lab: Configure Ports – Guest Access
1. Port Types
133
• Configure the authentication, user profile, and VLAN information for the
port types defined in the device templates

2. Create user profile
134
Similar to SSIDs, you need to
configure User Profiles (user
policy) for the access ports
• For your Guest-X port
type, under User Profile
click Add/Remove
• Click New

3. Assign VLAN
135
User profiles are used
to assign policy to
devices connected to
the network.
NOTE: Switches use the VLAN in a
user profile. Switches functioning as
routers use the VLAN, but may also
make layer 3 firewall and policy-
based routing decisions based on
the user profile. In either case, user
profile information is carried with
user information throughout an
Aerohive network infrastructure.
• Name: Guest-X
• Attribute: 100
• Default VLAN: 8
• Click Save
The optional settings are utilized when
the user profile is enforced on an AP. The
switch, because it is forwarding packets
at line speed in silicon, does not utilize
the optional settings. If the switch is
configured to be a branch router, the user
profile is used for decisions in layer 3
firewall policies, IPSec VPN policies, and
identity-based routing.

4. Save user profile
136
• Ensure Guest-X is
selected
• Click Save
• Verify your settings

Lab: Configure Ports - Guest Access

Employee Access Secured wit 802.1X
138

Lab: Configure Ports - Secure Access
1. Configure RADIUS
139
Configure the RADIUS sever for
the ports secured with 802.1X
• For your Secure-X port type,
under Authentication
click <RADIUS Settings>
• Click New

2. Configure RADIUS
140
Define the external
RADIUS server settings
• RADIUS name:
RADIUS-X
• IP address: 10.5.1.10
• Shared Secret:
aerohive123
• Confirm Secret:
aerohive123
• Click Apply!!
• Click Save

3. Configure user profile
141
Assign user profiles to
the secure 802.1X ports
• Next to your Secure-X
port type, under User
Profile click
Add/Remove

Port Types
142
There are three user profile
assignment methods:
1. (Auth) Default – If a client
authenticates successfully,
but no user profile attribute is
returned, or if a user profile
attribute is returned matching
the default user profile
selected
2. Auth OK – If a client
authenticates successfully,
and a user profile attribute is
returned, it must match one
the selected user profiles you
select here
3. Auth Fail – If a client fails
authentication, use this user
profile

4. Configure default user profile
143
Define the Default User Profile
assigned If a client authenticates
successfully, but no user profile
attribute is returned, or if a user
profile attribute is returned
matching the default user profile
selected
• Select the Default tab
• Select the user profile:
Employee-Default(1)
› Created by the
instructor…
› Assigns VLAN 1

5. Configure Auth OK user profile
144
Define a user profile for Auth
OK – If a client authenticates
successfully, and a user
profile attribute is returned, it
must match one the selected
user profiles you select here.
You can have up to 63 Auth
OK user profiles.
• Select the Auth OK tab
• Select Employee-X(10)
› Assigns VLAN 10

6. Configure Auth Fail user profile
145
Define a user profile for
Auth Fail – If a clients fails
authentication several
times, assign the Auth Fail
user profile
• Select Auth Fail
• Select Guest-X(100)
› Assigns VLAN 8
• Verify the Default, Auth
OK, and Auth Fail settings
one more time
• Click Save

7. Verify settings
146
•Verify the settings

PHONE & DATA PORTS
WITH NO AUTHENTICATION
148

Phone & Data Port Type
With Open Access
149
• Switch Port is assigned to a Phone & Data Port Type
• For this example, no authentication is selected in Phone & Data
SR2024
IP Phone
Phone & Data
uses 802.1Q
Data
Switch

With Open Access
150
• You can then select a Default Voice, and Default Data user profile
• The Phone & Data port is an 802.1Q port
• The Phone VLAN will be tagged and sent to the IP phone via LLDP-MED
• The switch port will assign the Data VLAN as the native VLAN
› This way, the phone traffic is tagged, and data traffic is untagged
SR2024
IP Phone
LLDP assigns
Phone to tagged
Voice VLAN
Phone & Data
uses 802.1Q
Data
Switch
Note: For default data,
only the VLAN is used,
not the user profile

CLI Commands for
Phone & Data Port without Authentication
151
• interface eth1/3 switchport mode trunk
• interface eth1/3 switchport user-profile-attribute 2
• interface eth1/3 switchport trunk native vlan 10
• interface eth1/3 switchport trunk voice-vlan 2
• interface eth1/3 switchport trunk allow vlan 2
• interface eth1/3 switchport trunk allow vlan 10
• interface eth1/3 qos-classifier Phone-and-Net-2
• interface eth1/3 qos-marker Phone-and-Net-2
• interface eth1/3 pse profile QS-PSE

PHONE & DATA PORTS
WITH 802.1X/PEAP
AUTHENTICATION OR
MAC AUTHENTICATION
152

With 802.1X/PEAP or MAC Authentication
153
• Switch Port is assigned to a Phone & Data Port Type
• For this example, 802.1X authentication is selected in Phone &
Data
SR2024
Phone & Data
uses 802.1Q, and 802.1X
Switch
IP Phone
Data
RADIUS Server
Phone Policy Returns
Cisco AV Pair: device-traffic-class=voice
User Profile and/or VLAN
Data (Employee) Policy Returns
Employees

With 802.1X/PEAP
154
• You can connect a single client, or multiple clients behind an
IP phone data port
• Phones and clients authenticate independent of each other
and the order in which they authenticate does not matter
› However, the VLAN assigned to the first data device (Employee) that
authenticates is assigned as the data VLAN, all other devices will be
assigned to the same VLAN, even if they have different user profiles
with other VLANs assigned, or even if RADIUS returns a different
VLAN.
SR2024
Phone & Data
uses 802.1Q, and 802.1X
Switch
IP Phone
Data
RADIUS Server
Employees

With Primary and Secondary Authentication
155
• If a secondary authentication is used, if the first authentication is not
available, or fails three times, the second authentication will be tried
SR2024
Phone & Data
uses 802.1Q, and 802.1X
Switch
IP Phone
Data
RADIUS Server
Employees

CLI Commands for
Phone & Data Port with 802.1X
156
• security-object Phone-and-Data-2
• security-object Phone-and-Data-2 security aaa radius-server primary 10.250.1.1
shared-secret ***
• security-object Phone-and-Data-2 security protocol-suite 802.1x
• security-object Phone-and-Data-2 default-user-profile-attr 1
• security-object Phone-and-Data-2 security auth-mode host-based multiple-domain
• interface eth1/3 security-object Phone-and-Data-2
• interface eth1/3 qos-classifier Phone-and-Data-2
• interface eth1/3 qos-marker Phone-and-Data-2
• no interface eth1/3 spanning-tree enable
• no interface eth1/3 link-discovery cdp receive enable
• user-profile Default qos-policy def-user-qos vlan-id 1 attribute 1
• user-profile Employee-2 qos-policy def-user-qos vlan-id 10 attribute 10
• user-profile Voice-2 qos-policy def-user-qos vlan-id 2 attribute 2
• user-profile Guest-2 qos-policy def-user-qos vlan-id 8 attribute 100

CLI Commands for
Phone & Data Port with MAC AUTH
157
• security-object Phone-and-Data-2
• security-object Phone-and-Data-2 security aaa radius-server primary 10.250.1.1
shared-secret ***
• security-object Phone-and-Data-2 security additional-auth-method mac-based-auth
• security-object Phone-and-Data-2 default-user-profile-attr 1
• security-object Phone-and-Data-2 security auth-mode host-based multiple-domain
• security-object Phone-and-Data-2 security initial-auth-method mac-based-auth
• interface eth1/3 security-object Phone-and-Data-2
• interface eth1/3 qos-classifier Phone-and-Data-2
• interface eth1/3 qos-marker Phone-and-Data-2
• no interface eth1/3 spanning-tree enable
• no interface eth1/3 link-discovery cdp receive enable
• user-profile Default qos-policy def-user-qos vlan-id 1 attribute 1
• user-profile Employee-2 qos-policy def-user-qos vlan-id 10 attribute 10
• user-profile Voice-2 qos-policy def-user-qos vlan-id 2 attribute 2
• user-profile Guest-2 qos-policy def-user-qos vlan-id 8 attribute 100

Overview
CONFIGURING NPS FOR PHONE
AND EMPLOYEE
AUTHENTICATION WITH
802.1X/PEAP
158

Configure NPS for Phone & Data
Authentication
159
• Create a
network
policy for
voice

Authentication
160
• Enter a name
for the voice
policy, and click
next

Authentication
161
• Click add to
specify a
condition

Authentication
162
• Select
Windows
Groups
• Click Add

Authentication
163
• Click Add Groups…
• A voice group was created by IT for IP
phones – enter voice and click OK
• Click OK

Authentication
164
• Click Next

Authentication
165
• Select
Access
granted

Authentication
166
• Click Add
• Select Microsoft:
Protected EAP
(PEAP)
• Click OK

Authentication
167
• Click Next
• For constraints
click Next

Authentication
168
• Remove attributes
that are not
needed:
› Select Frame-
Protocol, and
Click Remove
› Select Service-
Type, and Click
Remove

Authentication
169
Add the three attribute
value pairs needed to
assign a user profile
• Tunnel-Medium-Type: IP
v4 (value found in the
others section)
• Tunnel-Type: Generic
Route Encapsulation
(GRE)
• Tunnel-Pvt-Group-ID:
(String) 2
› 2 is the voice user
profile in this case
• Click Next

Authentication
170
• Under RADIUS
Attributes, select
Vendor Specific

RETURN A CISCO AV PAIR TO LET
THE AEROHIVE SWITCH KNOW
WHICH USER PROFILE SHOULD
BE ASSIGNED AS THE VOICE
USER PROFILE
171

Authentication
172
In order for a switch to
know a specific user profile
is for voice, Aerohive
devices can accept the
Cisco AV Pair: device-
traffic-class=voice. This is
sent to the switch, and the
switch uses LLDP to send
the voice VLAN any phone
that supports LLDP-MED
• Under RADIUS
Attributes, select Vendor
Specific
• Click Add

Authentication
173
• Under
Vendor,
Select Cisco

Authentication
174
• Click Add
• Click Add again

Authentication
175
• Attribute value:
device-traffic-class=voice
• Click OK
• Click OK
• Click Close (The value does not show up
on this screen. Do not worry, it is there.)

Authentication
176
• Attribute value:
device-traffic-
class=voice
• Click OK
• Click OK
• Click Next

Authentication
177
• Click
Finish

DEFINE CLIENT ACCESS
178

CLI Commands for
179
Create a new policy
for employee access
• Policy name:
Wireless or Wired
Employee Access

CLI Commands for
180
• For the condition, select the
windows group that contains
your employees
• Add the three attribute value
pairs needed to assign a user
profile
› Tunnel-Medium-Type: IP v4
(value found in the others
section)
› Tunnel-Type: Generic Route
Encapsulation (GRE)
› Tunnel-Pvt-Group-ID: (String)
10
» 10 is the voice user profile in this
case
• Click Next

Phone and Data
181

Lab: Configure Ports - Phone & Data
1. Configure RADIUS
182
Configure the RADIUS sever for
the ports secured with 802.1X
• For your Phone-and-Data-X
port type, under Authentication
click <RADIUS Settings>
• Select RADIUS-X which is an
external Microsoft NPS
RADIUS server
• Click OK

Port Types
183
Assign user profiles to your
802.1X ports
• For your Phone-and-Data-X
port type, under User Profile
click Add/Remove

Port Types (Reminder)
Must Verify
184
There are three user profile settings:
1. Default – Default for data if no
user profile attribute, or a user
profile attribute is returned and
matches the user profile
configured here
2. Auth OK (Voice) – If a client
authenticates successfully, and a
user profile attribute is returned
matching a selected user profile,
and the Cisco AV Pair is also
returned
3. Auth OK (Data) – Client passes
authentication, and a user profile
attribute is returned, but no
Cisco AV pair

2. Configure user profile – Auth OK (Voice)
185
• Click Auth OK (Voice)
• Click New

3. Configure user profile – Auth OK (Voice) VLAN
186
User profiles are
used to assign
policy to devices
connected to the
network.
• Name: Voice-X
• Attribute: 2
• Default VLAN: 2
• Click Save

4. Configure user profile – Auth OK (Voice)
187
• For the Auth OK
(Voice) tab select:
Voice-X(2)
› Assigns VLAN 2

5. Configure user profile – Default
188
Assign the Default
user profile:
• Select the
Default tab
• Select Employee-
Default(1)
› Assigns VLAN 1

6. Configure user profile – Auth OK (Data)
189
Define a user profile for Auth OK
(Data)– for clients connected
through an IP Phone
• Select Auth OK (Data)
• Select Employee-X(10)
› Assigns VLAN 10
• Verify the Default, Auth
OK (Voice), and Auth OK
(Data) settings one more
time
• Click Save

7. Verify your settings
190
• Verify the settings

Lab: Configure Ports - Phone and Data

CONFIGURE 802.1Q TRUNK
PORTS
192

Lab: Configure Trunk Ports
1. Configure AP-Trunk-X port policy VLANs
193
Define the allowed
VLANs on a trunk port
• Next to AP-Trunk-X
Click Add/Remove
• Add the specific
VLANs: 1,2,8,10
• Click OK

2. Configure Trunk-X port policy VLANs
194
Define the allowed
VLANs on a trunk port
• Next to Trunk-X Click
Add/Remove
• Type all
• Click OK

3. Verify your settings
195
Verify
Settings

Lab: Configure Ports - Phone and Data
8. Save your network policy and continue

UPDATE DEVICES
197

Lab: Update Devices
1. Modify your AP
198
From the Configure & Update Devices section,
modify your AP specific settings
• Click the Name column to sort the APs
• Click the link for your AP: 0X-A-######

Lab: Update Devices
2. Update the configuration of your Aerohive AP
199
• Location:
<FirstName_LastName>
• Topology Map: Classroom
• Network Policy:
Access-X
Note: Leave this set to default so
you can see how it is
automatically set to your new
network policy when you update
the configuration.
• Set the power down to 1dBm
on both radios because the
APs are stacked in a rack in the
data center
› 2.4GHz(wifi0) Power: 1
› 5GHz (wifi1) Power: 1
• Click Save

Lab: Update Devices
3. Select AP and switch
200
• Select your AP and switch and click Update
Click Yes

• Select Update Devices
• Select  Perform a
complete configuration
update for all selected
devices
• Click Update
For this class, ALL
Updates should be
Complete
configuration
updates
Lab: Update Devices
4. Update the AP and switch

Lab: Update Devices
5. Update the AP and switch
202
• Should the Reboot warning box appear, select OK
Click OK

CREATE AN AEROHIVE DEVICE DISPLAY
FILTER
204

Lab: Create a Display Filter from Monitor View
1. Create a filter
205
• To create a display filter go to Monitor  Filter: Select +
• Network Policy, select: Access-X
• Remember this Filter, type: Access-X
• Click Search

Lab: Create a Display Filter from Monitor View
2. Verify the display filter
206

TEST YOUR WI-FI
CONFIGURATION
USING THE HOSTED PC
208

Lab: Test Hosted Client Access to SSID
Test SSID Access at Hosted Site
209
• Use VNC client to
access Hosted PC:
› password: aerohive
• From the hosted PC, you
can test connectivity to
your SSID
PoE
SR202
4
Core
Access
ESXi Server
- HM VA
Distribution
Internet
Hosted
PC
AP
Ethernet
Wi-Fi

1. For Windows: Use TightVNC client
210
• If you are using a windows PC
› Use TightVNC
› TightVNC has good compression so
please use this for class instead of any
other application
• Start TightVNC
› For Lab 1
lab1-pcX.aerohive.com
› For Lab 2
› For Lab 3
› For Lab 4
› For Lab 5
› Select  Low-bandwidth connection
› Click Connect
› Password: aerohive.
› Click OK

2. For Mac: Use the Real VNC client
211
• If you are using a Mac
› RealVNC has good compression so
please use this for class instead of
any other application
• Start RealVNC
› For Lab 1
› For Lab 2
› For Lab 3
› For Lab 4
› For Lab 5
› Click Connect
› Password: aerohive.
› Click OK

3. In case the PCs are not logged in
212
If you are not automatically
logged in to your PC
• If you are using the web
browser client
› Click the button to Send
Ctrl-Alt-Del
• If you are using the TightVNC
client
• Click to send a
control alt delete
• Login: AH-LABuser
• Password: Aerohive1
• Click the right arrow to login

4. Remove any Wireless Networks on Hosted PC
213
From the bottom task bar, click the locate wireless
networks icon
› Select Open Network and Sharing Center
› Click Manage wireless Networks
› Select a network, then click Remove
› Repeat until all the networks are removed
› Click [x] to close the window

5. Connect to Your Class-PSK-X SSID
214
• Single-click the
wireless icon on the
bottom right corner
of the windows task
bar
• Click your SSID
Class-PSK-X
• Click Connect
› Security Key:
aerohive123
› Click OK

6. View Active Clients List
215
• After associating with your SSID, you should see
your connection in the active clients list Wireless
Clients
• Your IP address should be from the 10.5.10.0/24
network which is from VLAN 10
Go to MonitorClientsWireless Clients and
locate your PC’s entry

TESTING SWITCH PORT
CONNECTIONS WITH WINDOWS 7
217

Lab: Test Hosted Client to Wired Network
Test Guest and 802.1X Access
218
• Use VNC client to
access Hosted PC:
› password: aerohive
• From the hosted PC, you
can test connectivity to
your SSID
PoE
SR202
4
Core
Access
ESXi Server
- HM VA
Distribution
Internet
Hosted
PC
AP
Ethernet
Wi-Fi

Three Different VLANs are Possible
In this configuration
219
• Default - Auth OK, and RADIUS does not returned user
profile or matching user profile to default
• Auth OK – and RADIUS returns a user profile that matches
one of the user profiles configured here
• Auth Fail – RADIUS authentication fails (Guest)

1. Verify IP address of Ethernet adapter
220
• Locate Local Area Connection 3
• Right click
• Click Status
• Click Details

221
Why do you see an IP
from the 10.5.1.0/24
subnet?
This is the IP address
the device received
on VLAN 1 before the
switch was
configured

3. Reset Ethernet Adapter
222
Because the PC has the
wrong IP it will not work, you
can remedy this by
• Right click on Local Area
Connection 3
• Click Diagnose
or
• Disable then Enable Local
Area Connection 3
• Do NOT Disable Local Area
Connection 2

223
• Right click
• Click Status
• Click Details

224
from the 10.5.8.0/24
subnet?
This is the guest
network that is
assigned if
authentication is not
supported or fails

6. Verify VLAN of wired client
225
Go to MonitorClientsWired Clients and locate your
PC’s entry
• Note the IP, Client Auth Mode, User Profile Attribute
and VLAN
• VLAN 8 is the guest VLAN assigned because
802.1X authentication was not supported or failed.
The host was assigned to the Auth Fail user
profile.

7. Enable 802.1X for wired clients
226
• In windows 7, you
must enable 802.1X
support
• As an administrator,
from the start menu
type services
• Then click services

227
• Click the
Standard tab
on the bottom
of the services
panel
• Locate Wired
AutoConfig
and right-click
• Click
Properties

228
• The Wired AutoConfig
(DOT3SVC) service is
responsible for performing IEEE
802.1X authentication on
Ethernet interfaces
• If your current wired network
deployment enforces 802.1X
authentication, the DOT3SVC
service should be configured to
run for establishing Layer 2
connectivity and/or providing
access to network resources
• Wired networks that do not
enforce 802.1X authentication
are unaffected by the DOT3SVC
service

229
• Click Automatic
• Click Start

230
• Click OK

231
• Right click
• Click Status
• Click Details

232
from the 10.5.10.0/24
subnet?
The user has
authenticated with
802.1X/EAP and
RADIUS is returning
the user profile
attribute: 10

14. Verify authentication and VLAN of wired client
233
Go to MonitorClientsWired Clients and locate your
entry
• Note the IP, Client Auth Mode, User Profile Attribute and
VLAN
• VLAN 10 is the employee VLAN assigned because
802.1X authentication was successful and the host was
assigned to the Auth OK user profile.

For Reference: Switch CLI
234
SR-04-866380# show auth int eth1/12
Authentication Entities:
if=interface; UID=User profile group ID; AA=Authenticator
Address;
if=eth1/12; idx=16; AA=08ea:4486:638c; Security-obj=Secure-2;
default-UID=1;
Protocol-suite=802.1X;Auth-mode=port-based; Failure-UID=100;
Dynamic-VLAN=10;
No. Supplicant UID Life State DevType User-Name
Flag
--- -------------- ---- ----- -------------- ------- -----------
--------- ----
0 000c:2974:aa8e 10 0 done data AH-
LABuser4 000b

Enable 802.1X for Wired Connections
235
If you need to troubleshoot
you can view Local Area
Connection 3
• From the start menu, type
view network
• Right-click Local Area
Connection 3, and click
Diagnose
› This will reset the
adapter, clear the
caches, etc…

Clearing Authentication Cache
For Testing or Troubleshooting
236
• From the Wired Clients
list, you can select and
Deauth a client
› Clear the All the
caches for the client
on the switch
• Then on the hosted PC,
you will need to disable
then enable Local Area
Connection 3 to force a
reauth

MISC MONITORING
237

Switch Monitoring
238
• MonitorSwitches
• Click on the hostname of
the switch

Switch Monitoring
239
• Hover with your mouse over the switch ports

Switch Monitoring
240
System Details

Switch Monitoring
241
Port Details and PSE Details

Power Cycle Devices via PoE
242
• To configure this feature for selected ports on a switch, navigate to
Monitor  Switches in the Managed Devices tab, click the name of
the switch, and scroll down to PSE Details.
• Select the check box or boxes for the port or ports that you want to
cycle, and then click Cycle Power.
This is useful in the event that an AP or multiple APs are locked up
and need to be rebooted remotely. Bouncing the PoE port forces
the AP reboot.

Switch Monitoring
243
• MonitorActive ClientsWired Clients
• Add User Profile Attribute, and move it up, it is useful

Switch Monitoring
244
• Click on the MAC address for a wired client to see more
information

Switch Monitoring
245
• Utilities…StatisticsInterface

Switch Monitoring
246
• Utilities…DiagnosticsShow PSE

VLAN Probe
Use VLAN Probe to verify VLANs and DHCP Service
247
• MonitorSwitches – Select your device, and go to
Utilities…DiagnosticVLAN probe
NOTE: If you get the same IP subnet for each of the VLANs, that is a sign that
the switch uplink port is connected to an access port, not a trunk port like it
should be.

Client Monitor
248
• Tools  Client Monitor
• Client Monitor can be used to troubleshoot 802.1X/EAP
authentication for wired clients

Switch CLI
249
• SR-02-66ec00#show interface switchport
Name: gigabitethernet1/1
Switchport: enable
Port Mode: access
Port Mirror: disable
Port User-profile ID: 0
Static Access VLAN: 1
Dynamic Auth VLAN: 0
Name: gigabitethernet1/2
Switchport: enable
Port Mode: access
Port Mirror: disable
Port User-profile ID: 10
Static Access VLAN: 10
Dynamic Auth VLAN: 0

Switch CLI
250
• show client-report client

GENERAL SWITCHING
251

Storm Control
252
• Aerohive switches can mitigate traffic storms due to a variety of causes by
tracking the source and type of frames to determine whether they are legitimately
required.
• The switches can then discard frames that are determined to be the products of a
traffic storm. You can configure thresholds for broadcast, multicast, unknown
unicast, and TCP-SYN packets as a function of the percentage of interface
capacity, number of bits per second, or number of packets per second.
From your network policy with Switching enabled: Go to Additional
Settings>Switch Settings>Storm Control

IGMP Snooping MAC Addresses
253
• Aerohive switches are
capable of monitoring
IGMP transactions
between multicast
routers and client
devices, and maintaining
a local table of IGMP
groups and group
members
• Aerohive switches use
this information to track
the status of multicast
clients attached to the
switch ports so that it
can forward multicast
traffic efficiently
From your network policy with Switching
enabled: Go to Additional Settings>Switch
Settings>IGMP Settings

254
• Aerohive switches are
capable of monitoring
IGMP transactions
between multicast
routers and client
devices, and maintaining
a local table of IGMP
groups and group
members
• Aerohive switches use
this information to track
the status of multicast
clients attached to the
switch ports so that it
can forward multicast
traffic efficiently
From your network policy with Switching
enabled: Go to Additional Settings>Switch
Settings>IGMP Settings

255
• IGMP device specific options available in the switch device
configuration
• Users can enable/disable IGMP snooping to all VLAN or to a specified
VLAN. When IGMP snooping disabled, all multicast dynamic mac-
address should be deleted.

Required When Aerohive Devices are Configured as
RADIUS Servers
GENERATE AEROHIVE SWITCH
RADIUS
SERVER CERTIFICATES
256

Copyright ©2011
HiveManager Root CA Certificate
Location and Uses
• This root CA certificate is used to:
› Sign the CSR (certificate signing
request) that the HiveManager creates
on behalf of the AP acting as a
RADIUS or VPN server
› Validate Aerohive AP certificates to
remote client
» 802.1X clients (supplicants) will need a
copy of the CA Certificate in order to
trust the certificates on the Aerohive AP
RADIUS server(s)
• Root CA Cert Name:
Default_CA.pem
• Root CA key Name:
Default_key.pem
Note: The CA key is only ever used
or seen by HiveManager
• To view certificates, go to: Configuration, click Show Nav, then go to
Advanced Configuration Keys and CertificatesCertificate Mgmt
257

Use the Existing HiveManager CA
Certificate, Do not Create a New One!
258
• For this class, please do not create a new HiveManager CA
certificate, otherwise it will render all previous certificates
invalid.
• On your own HiveManager, you can create your own HiveManager CA
certificate by going to: Configuration, then go to
Advanced ConfigurationKeys and CertificatesHiveManager CA

LAB: Aerohive Switch Server Certificate and
Key
1. Generate Aerohive switch server certificate
259
• Go to Configuration, click Show Nav
Advanced Configuration
Keys and CertificatesServer CSR
• Common Name: server-X
• Organizational Name: Company
• Organization Unit: Department
• Locality Name: City
• State/Province: <2 Characters>
• Country Code: <2 Characters>
• Email Address: userX@ah-lab.com
• Subject Alternative Name:
User FQDN: userX@ah-lab.com
Note: This lets you add an extra step of validating the
User FQDN in a certificate during IKE phase 1 for
IPSec VPN. This way, the Aerohive AP needs a valid
signed certificate, and the correct user FQDN.
• Key Size: 2048
• Password & Confirm: aerohive123
• CSR File Name: Switch-X
• Click Create
Notes Below
Enter
Switch-X

• Select Sign by HiveManager CA
› The HiveManager CA will sign the Aerohive AP Server certificate
• The validity period should be the same as or less than the number of
days the HiveManager CA Certificate is valid
› Enter the Validity: 3650 – approximately 10 years
• Check Combine key and certificate into one file
• Click OK
Enabling this setting helps
prevent certificate and key
mismatches when
configuring the RADIUS
settings
Use this option to send
a signing request to an
external certification
authority.
Key
2. Sign and combine

• To view certificates,
go to:
Configuration, click
Show Nav
Then go to Advanced
Configuration
Keys and Certificates
Certificate Mgmt
• The certificate and key file
name is:
switch-X_key_cert.pem
• QUIZ
› Which CA signed this
Aerohive switch server key?
› What devices need to install
the CA public cert?
Key
3. View server certificate and key

Lab: Switch as a RADIUS server
1. Edit existing policy
263
• From Configuration,
• Select your Network policy:
Access-X
• Click OK and then Continue

Copyright ©2011
Lab: Switch Active Directory Integration
2. Select your Network Policy
To configure the Aerohive device as a RADIUS server...
Select the Configure & Update Devices bar
• Select the Filter: Current Policy
• Click the link for your Switch – SR-0X-######
264

3. Create a RADIUS Service Object
265
Create a Aerohive AP RADIUS Service Object
• Under Optional Settings, expand Service Settings
• Next to Device RADIUS Service click +

Lab: Switch AP Active Directory Integration
4. Create a RADIUS Service Object
266
• Name: SR-radius-X
• Expand Database
Settings
• Uncheck Local
Database
• Check External
Database
• Under Active Directory,
click + to define the
RADIUS Active Directory
Integration Settings

5. Select a switch to test AD integration
267
• Name: AD-X
• Aerohive device for Active Directory connection setup,
select your Switch: SR-0X-#####
› This will be used to test Active Directory integration
› Once this switch is working, it can be used as a template for
configuring other Aerohive device RADIUS servers with Active
Directory integration
• The IP settings for the selected Aerohive switch are gathered and
displayed

6. Modify DNS settings
268
• Set the DNS server to: 10.5.1.10
› This DNS server should be the Active Directory DNS server or an
internal DNS server aware of the Active Directory domain
• Click Update
› This applies the DNS settings to the Network Policy and to the
Aerohive device so that it can test Active Directory connectivity

7. Specify Domain and Retrieve Directory Information
269
• Domain: ah-lab.local
• Click Retrieve Directory Information
› The Active Directory Server IP will be populated as well as
the BaseDN used for LDAP user lookups

8. Specify Domain and Retrieve Directory Information
270
• Domain Admin: hiveapadmin(The delegated admin)
• Password and Confirm Password: Aerohive1
• Click Join
• Check Save Credentials
› NOTE: By saving credentials you can automatically join Aerohive
devices to the domain without manual intervention

9. Specify A User to Perform LDAP User Searches
271
• Domain User user@ah-lab.local (a standard domain user )
• Password and Confirm Password: Aerohive1
• Click Validate User
› You should see the message: The user was successfully
authenticated.
› These user credentials will remain and be used to perform
LDAP searches to locate user accounts during
authentication.

10. Save the AD Settings
272
• Click Save

11. Apply the AD settings
273
• Select AD-X with
priority: Primary
• Click Apply
…Please make sure
you click apply
• Do not save yet..

12. Enable LDAP credential caching
274
Enable the ability for an
Switch RADIUS server to
cache user credentials in
the event that the AD
server is not reachable,
if the user has previously
authenticated
• Check Enable
RADIUS Server
Credentials Caching
• Do not save yet...

13. Assign server certificate
275
• CA Cert File: Default_CA.pem
• Server Cert File:
• Server Key File:
• Key File Password & confirm password: aerohive123
• Click Save
Optional Settings >
RADIUS Settings:
Assign the switch
RADIUS server to the
newly created switch
server certificate and
key

14. Verify the RADIUS service object
276
• Ensure that the
Aerohive AP RADIUS
Service is set to:
switch-radius-X
• Do not save yet…

15. Set Static IP address on MGT0 interface
277
• Expand MGT0 Interface Settings
• Select Static IP
• Static IP Address: 10.5.1.7X
X = student number 02 = 72, 03 = 73… 12 = 82, 13 = 83
• Netmask: 255.255.255.0
• Default Gateway: 10.5.1.1
Note: Aerohive devices that
function as a server must
have a static IP address.

16. Save the switch settings
278
• Click Save
NOTE: Your Aerohive
switch will have an icon
displayed showing that
it is a RADIUS server.

SSID FOR 802.1X/EAP
AUTHENTICATION
USING AEROHIVE DEVICE RADIUS
WITH
AD KERBEROS INTEGRATION
280

Lab: Switch RADIUS w/ AD Integration
1. Edit your WLAN Policy and Add SSID Profile
281
Configure an SSID that
uses the 802.1X/EAP
with AD (Kerberos)
Integration
• Select the Configure
Interfaces & User
Access bar
• Next to SSIDs click
Choose
• In Chose SSIDs
› Select New

3. Select new Class-AD-X SSID
283
• Click to deselect
the Class-PSK-X
SSID
• Ensure the
AD-X SSID
is selected
• Click OK
Click to
deselect
Class-PSK-X
Ensure
Class-AD-X is
highlighted then
click OK

4. Create a RADIUS object
284
• Under Authentication, click <RADIUS Settings>
• In Choose RADIUS, click New
Click
Click

5. Define the RADIUS Server IP settings
285
• RADIUS Name:
SWITCH-RADIUS-X
• IP Address/Domain
Name: 10.5.1.7X
02 = 72, 03 = 73…
12 = 82, 13 = 83
• Leave the Shared
Secret Empty
NOTE: When the Aerohive
device is a RADIUS server,
devices in the same Hive
automatically generate a
shared secret
• Click Apply
• Click Save
Click Apply
When Done!

6. Select User Profiles
286
• Verify that under Authentication, SWITCH-RADIUS-X is
assigned
• Under User Profile click Add/Remove

7. Assign User Profile as Default for the SSID
287
• With the Default tab
select (highlight) the
Employee-Default user
profile
• IMPORTANT: This user
profile will be assigned if
no attribute value is
returned from RADIUS
after successful
authentication, or if
attribute value 1 is
returned.
• Click the Authentication
tab
Default Tab
Authentication Tab

8. Assign User Profile to be Returned by RADIUS
Attribute
288
• In the Authentication tab
• Select (highlight)
Employee-X
› NOTE: The (User
Profile Attribute) is
appended to the User
Profile Name
• Click Save
Authentication Tab

9. Verify and Continue
289
• Ensure Employee-Default-1
and Employee-X user
profiles are assigned to the
Class-AD-X SSID
• Click Continue
or click the bar to
Configure & Update
Devices

In the Configure & Update Devices section
• Select the Filter: Current Policy
• Select your devices 
• Click Update
10. Upload the config to the switch and AP

• Select Update Devices
• Select  Perform a
complete configuration
update for all selected
devices
• Click Update
For this class, ALL
Updates should be
Complete
configuration
updates

• Should the Reboot Warning box appear, select OK
Click OK

CLIENT ACCESS PREPARATION -
DISTRIBUTING CA CERTIFICATES
TO WIRELESS CLIENTS
294

LAB: Exporting CA Cert for Server Validation
1. Go to HiveManager from the Remote PC
295
• From the VNC connection
to the hosted PC, open a
connection to:
• For HM 1 – 10.5.1.20
• For HM 2 – 10.5.1.23
• For HM 3 – 10.5.1.20
• For HM 5 – 10.5.1.20
• Login with: adminX
• Password: aerohive123
NOTE: Here you are
accessing HiveManager via
the PCs Ethernet connection

2. Download Default CA Certificate to the Remote PC
296
NOTE: The HiveManager Root
CA certificate should be
installed on the client PCs that
will be using the RADIUS
service on the Aerohive device
for 802.1X authentication
• From the Remote PC,
go to Configuration,
then click Show Nav,
Advanced Configuration
Keys and Certificates
Certificate Mgmt
• Select Default_CA.pem
• Click Export

3. Rename HiveManager Default CA Cert
297
• Export the public root
Default_CA.pem certificate to
the Desktop of your hosted
PC
› This is NOT your Aerohive
AP server certificate, this IS
the HiveManager public root
CA certificate
• Rename the extension of the
Default_CA.pem file to
Default_CA.cer
› This way, the certificate will
automatically be recognized
by Microsoft Windows
• Click Save
Make the Certificate name:
Default_CA.cer
Save as type:
All Files

4. Install HiveManager Default CA Cert
298
• Find the file that was just
exported to your hosted PC
• Double-click the certificate file on
the Desktop: Default_CA
• Click Install Certificate
Issued to: HiveManager
This is the name of the certificate if you
wish to find it in the certificate store, or if
you want to select it in the windows
supplicant PEAP configuration.

5. Finish certification installation
299
• In the Certificate Import
Wizard click Next
• Click  Place all
certificate in the
following store
• Click Browse

6. Select Trusted Root Certification Authorities
300
• Click Trusted Root
Certification
Authorities
• Click OK
• Click Next

7. Finish Certificate Import
301
• Click Finish
• Click Yes
• Click OK

8. Verify certificate is valid
302
• Click OK to Close the certificate
• Double-click Default_CA to
reopen the certificate
• You will see that the certificate is
valid and it valid from a start and
end date
• Click the Details tab

Aerohive Configuration guide.

Recomendados

Recomendados

Mais conteúdo relacionado

Destaque

Destaque (16)

Semelhante a Aerohive Configuration guide.

Semelhante a Aerohive Configuration guide. (20)

Último

Último (20)

Aerohive Configuration guide.