WLAN 3.x Training: OAW Products
Alcatel-Lucent - Enterprise Solutions Division
Agenda
• Products Overview
• Wireless Basic
• CLI Configuration Overview
• GUI Configuration Overview
• Basic System Setup
• AP Configuration
• Managing System Images
• Basic Configuration Sample
• Lab: Basic System Configuration
Why Alcatel-Lucent
• Complete communication solutions provider
• Market leadership in key data, voice, video and fixed mobile convergence technologies
• Turnkey solutions
• Over 500,000 customers
• Presence in over 130 countries
(Diagram labels: submarine, data/IP, voice, broadband, satellite, outsourcing, optical; #1 in broadband, switching, optics, satellite, telecom, …)
What Can Alcatel-Lucent Enterprise Solutions Do For You? Build the IP Communications House
(Diagram layers: Communications Applications, Voice over IP, IP Network Infrastructure)
Alcatel-Lucent EBG Product Portfolio
IP Networking (Core Layer / Large Scale, Distributed Layer / Medium Scale, Access Layer / Small Scale): OmniSwitch 9800/9700, OmniSwitch 9600, OmniSwitch 7800, OmniSwitch 7700, 7750/7450, OmniSwitch 6850/6850Lite, OmniSwitch 6855, OmniSwitch 6600/6602, OmniSwitch 6400, OmniStack 6200
WLAN: OAW 6000s/SUP-III, OAW4x04, OAW 4324/08/04, OAW-AP 4x/6x/70/12x/85
Router (WAN): OmniAccess 780, OmniAccess 740, OmniAccess 720s
VoIP: OmniPCX Office, OmniPCX Enterprise, IP Phone
Security and management: Vital Suite/QIP, OmniVista 2500, Mobile NAC, Brick Family, Safeguard, Cybergatekeeper, Firewall/VPN, NLG3500, Performance Management, Quarantine Manager
Conventional WLAN solution vs. OmniAccess WLAN solution
Conventional WLAN solution (separate devices): Access points, Site survey, Packet capture, Air monitors, WLAN switches, WiFi IDS / IPS, Captive portal, VPN concentrator, LAN-speed firewall, QoS devices
OmniAccess WLAN solution: Access points, WLAN switches/blades
• Provides an integrated total solution
• Improved security
• Easy to scale
• Rich feature support
• Convenient management
• Easy installation
• Reduced capital expenditure
Features of OmniAccess Wireless Switches
• WiFi management: Adaptive RF, Packet Capture, Location Tracking, Roaming, SSID Mgmt, RF Fingerprinting, Policy Control Management
• WiFi security: WiFi IDS/IPS, Rogue AP Defense
• WiFi environment: WiFi IDS/IPS
• WiFi access control: Radius, LDAP, Active Dir.
• Encryption: WEP, TKIP, AES, 3DES
• Authentication and host integrity check (HIC): MAC, Captive Portal, 802.1x, VPN
• Authorization control: User/Flow Stateful FW + Content Inspection re-direction
• Network access control: Service Provisioning, Network Integration
• Traffic management: QoS/Priority/Bandwidth Contracts
• Network services: Routing, VLANs, NAT, DHCP, Switching
Introduction to the Alcatel-Lucent WLAN System
• Alcatel-Lucent WLAN System architecture
• Alcatel-Lucent WLAN Switch
• Improved performance through Alcatel's proprietary hardware architecture for WLAN
• Four separate processors, one per function, for higher performance: Wireless Control Processor, Wireless Packet Processor, Wireless Security Processor, Wireless Switching Processor
• Next-generation Access Point
• Multi-purpose AP supporting two frequency bands
• 802.11 a, b/g/n support
• User access and air monitoring
• Programmable
• Linux-based
• Application programs can be run
• - Wireless packet capture
• - Location determination
• Ease of installation
• Auto-configuration through the Alcatel switch
Introduction to Alcatel WLAN Switches
• Alcatel WLAN Switch product family
• OmniAccess 6000 WLAN Switches
• 4-slot chassis
• Central management of Remote APs from within the data center
• Manages 64 to 2048 APs
• 24 10/100 PoE interfaces and 2 GE uplink ports per line card
• 2 10GE and 10 1GE ports per SUP-III
• 802.11 a/b/g/n support
• OmniAccess 4504/4604/4704 Wireless Switches
• 4x Dual personality ports 10/100/1000Base-T (RJ-45) or 1000Base-X (SFP)
• Manages 32/64/128 APs
• 802.11 a/b/g/n support
• OmniAccess 4302/4308/4324 Wireless Switches
• 0/8/24 10/100 PoE interfaces per device
• 1 or 2 port Gigabit uplink
• Manages 6/16/48 APs
• 802.11b&g and 802.11a/b&g (multimode)
OAW6000 with Sup III
(Chassis: 40x 1000Base-X (SFP), 8x 10GBase-X (XFP), Redundant PSUs, Fan Tray, Up to 4 M3 Modules)
• Capacity
• Up to 2,048 Campus Connected APs
• Up to 8,192 Remote APs
• Up to 32,768 Users
• Performance
• 80 Gbps Clear (full-duplex)
• 32 Gbps Crypto (3DES, AES-CBC-256)
• 16 Gbps Crypto (AES-CCM)
• Compatibility
• Up to 4 Sup III per 6000 chassis
• Supports legacy Line cards
• Requires 400 watt PSU
• All Components Modular, Hot-Swappable
OAW 4504, 4604, 4704
(Hardware: Dedicated Network Processors, Dedicated Hardware Crypto Cores, Multiple Dedicated Control Processors, 1RU 19” Enclosure, Serial Console Port, Status LEDs, 4x Dual personality ports 10/100/1000Base-T (RJ-45) or 1000Base-X (SFP))
• Capacity
• OAW-4504: Up to 32 Campus Connected APs, Up to 128 Remote APs, Up to 512 Users
• OAW-4604: Up to 64 Campus Connected APs, Up to 256 Remote APs, Up to 1,024 Users
• OAW-4704: Up to 128 Campus Connected APs, Up to 512 Remote APs, Up to 2,048 Users
• Performance
• 1.6 Gbps, 4 Gbps and 8 Gbps crypto performance (3DES, AES-CBC-256)
• 800 Mbps, 2 Gbps, 4 Gbps crypto performance (AES-CCM)
• 3 Gbps, 4 Gbps, and 4 Gbps wired non-encrypted throughput performance (full-duplex)
• Interfaces
• 4x Dual personality ports 10/100/1000Base-T (RJ-45) or 1000Base-X (SFP)
• 1 x RJ-45 Serial Console Port
• Programmable Architecture
• Multi-core, Multi-threaded Network Processor
• Dedicated Crypto cores
Alcatel-Lucent WLAN Switch Performance
Number of APs by model (deployment tiers on the chart: Branch, Large Branch, Regional HQ, Medium – 802.11n, Large – 802.11n):
• 2048: OAW-6000-2048 (with Supervisor III)
• 512: OAW-6000-512 (Dual Supervisor II)
• 128: OAW-4704
• 64: OAW-4604
• 48: OAW-4324
• 32: OAW-4504
• 16: OAW-4308
• OAW-4304 (lowest tier on the chart; axis ticks 256, 16 and 4 also appear)
Pay as you grow capability
Performance (clear text / encrypted), as listed on the chart: 80 Gbps / 32 Gbps, 1 Gbps / 200 Mbps, 2 Gbps / 400 Mbps, 8 Gbps / 8 Gbps, 6 Gbps / 1.6 Gbps, 8 Gbps / 4 Gbps, 8 Gbps / 7.2 Gbps
Alcatel-Lucent Access Point Introduction (11a/b/g)
(Models: OAW-AP60, OAW-AP61, OAW-AP65, OAW-AP70, OAW-AP85)
Single Radio APs
• Software Configurable 802.11a OR b/g
• AP / Air Monitor / Remote AP / Mesh
• Internal or External Antenna Options
Dual Radio APs
• Dual-Radio 802.11 a AND b/g
• AP / Air Monitor / Remote AP / Mesh
• Dual Fast Ethernet Interfaces (OAW-AP70) for resiliency of secured RJ-45 port
• Extensible USB Interface Port (OAW-AP70)
• Weatherproof, Outdoor (OAW-AP85)
Alcatel-Lucent Access Point Introduction (11n)
802.11n Ready APs (OAW-AP120 abg, OAW-AP121 abg)
• Single Radio 802.11a OR b/g
• AP / Air Monitor / Remote AP / Mesh
• Adaptive PoE (802.3af, PoE+, 802.3at)
• Dual Gigabit Ethernet Interfaces (resiliency and secured RJ-45 port)
• 802.11n SW upgrade for future
802.11n MIMO APs (OAW-AP124, OAW-AP125)
• Dual Radio pre-802.11n a/n AND b/g/n
• 3x3 MIMO 300Mbps per radio
• AP / Air Monitor / Remote AP / Mesh
• Adaptive PoE (802.3af, PoE+, 802.3at)
• Dual Gigabit Ethernet Interfaces (resiliency and secured RJ-45 port)
Enterprise WLAN: The Business Benefits
• Mobility: enterprise-wide WLAN, guest access, internal WLAN hotspots, remote / branch office access, small office / home office access
• Location tracking: users, equipment, assets, security
• Converged communication services: converged mobile devices, fixed / mobile convergence
Enterprise WLAN: Requirements / Challenges
Security
• authentication and encryption
• identity-based security and guest access
• rogues, ad-hoc networks, hacks and attacks
• firewalling
Availability
• coverage
• reliability
• mobility
• performance
Convergence
• QoS
• security
• load balancing
• voice-aware
Deployment
• no disruption of existing network
• RF engineering
• new infrastructure
• network redesign and upgrades
Management
• design and configuration
• monitoring
• troubleshooting
• growth
Addressing the Management Challenges: Planning, Deploying and Managing
• Simplest RF planning tool
• Zero-touch AP deployment model
• Adaptive radio management
• Real-time coverage maps
• Centralized configuration and monitoring
• Integrated packet capture for easy troubleshooting
• Integrated location tracking
Addressing the Availability Challenges: Reliability, Coverage and Mobility
• VRRP-based redundancy requires no AP provisioning
• APs automatically become aware of redundant topology when deployed across L3 boundary
• Modular architecture for scalability
• Remote office connectivity with site-to-site VPN
• Home office connectivity with remote AP
• Mobile office connectivity with client VPN
(Diagram labels: Split-second VRRP Failover, Hot-Standby Data Center, Built-in Site-to-site IPSec VPN, Internet, Branch Office, Remote AP with IPSec VPN, Regional Office, Home Office, Auto-awareness of Redundant topology (No priming needed), Public Hotspot, OAW Client)
Addressing the Security Challenges: Authentication, Authorization and Control
• Integrated stateful firewall
• Role-based access control
• Built-in client integrity
• Centralized 802.11i security
• Built-in AAA services
• L1-L7 wireless IPS
• Rogue detection services
• Quarantine Manager
(Diagram labels: Active Directory, Wireless Controller, Employees, Centralized Encryption Keys, Rights, QoS, VLAN, Voice, Wired L2 / L3 Transport, Access Point, SSID: GUEST, SSID: CORP, SSID: VOICE, Rogue AP, Guest; Direct Interface to Microsoft Active Directory; Built-in Rogue Detection & Containment; Scan & Quarantine Un-trusted Users)
Addressing Enterprise Applications: Convergence Services to Meet the Needs of Business
• QoS for application-aware traffic management
• Security to protect the network, users, and remote clients
• Load-balancing automatically distributes clients across multiple APs
• Application-aware design allows better management of time sensitive applications (voice)
Adding VoIP is Easy with OmniAccess Wireless
• Bi-directional QoS on wired and wireless network
• Voice flow classification ensures QoS for converged devices with single SSID for voice and data
• Call admission control ensures QoS in the wireless environment
• Secure devices that support only MAC auth against spoofing
Diagram (wired side to wireless side):
1. Protocol-aware voice flow classification and security
2. 802.1p or DSCP prioritized voice packets (alongside data packets)
3. Call admission control distributes call volume between access points
4. Single ESSID for Voice & Data: converged voice and data packet stream with WMM tags
5. RF management stops channel scanning when voice clients are present
OmniAccess Wireless Features and Services: Base Feature Set
(Diagram labels: OmniVista Mobility Manager, OmniAccess WLAN Switch Base Software)
• Alcatel-Lucent’s standard WLAN software provides unprecedented control over the entire wireless environment, offering intelligent / centralized WLAN switching and advanced services.
Services Included in Base Software
• WLAN switching and Dynamic RF management
• Embedded management
• Adaptive Radio resource Management (ARM)
• Authentication – MAC, 802.1x, Captive Portal
• Encryption – WEP, WPA, WPA2 / 802.11i
• Mobility – seamless hand-over – L2/L3
• Rogue Access Point Detection, Classification, Containment
• Wireless QoS – WMM, SVP, T-Spec, U-APSD
• Per SSID AAA server selection
• Switch to switch IPSec encryption for control traffic
OmniAccess Wireless Features and Services: Additional Hardware and Software Modules
(Diagram label: OmniVista Mobility Manager)
OmniVista 3600 Air Manager
• Centralized visibility of the mobile edge
Switch level modules
• Policy Enforcement Firewall module
• Wireless Intrusion Protection (WIP) module
• Voice Service Module
• VPN Server Module
• Mesh AP License Module
• Remote AP License Module
• External Services Interface Module
• xSec Module
OmniAccess Wireless Features and Services: Policy Enforcement Firewall Module
Key benefits
• Firewall permit/deny/drop/log (ICSA certified to version 4.1 corporate standard)
• Role-based services for user / group class of service differentiation, bandwidth contracts
• QoS - priority traffic queues, BW contracts, traffic marking 802.1p/DSCP
• Policy Enforcement Firewall module
• User and group policy enforcement through an integrated, ICSA-certified stateful firewall
• Security policies can be centrally defined and enforced on a per-user or per-group basis
• Policies are enforced dynamically, following users as they move and taking into account a variety of metrics such as:
• User location
• Time-of-day
• Device type
• Authentication method
OmniAccess Wireless Features and Services: Wireless Intrusion Protection Module
• Wireless Intrusion Protection module
• Patented classification technology that identifies and protects against vulnerabilities and malicious attacks
• Ad-hoc networks
• Client and AP impersonation
• Denial of service attacks
• Man-in-the-middle attacks
Key benefits
• Detection of:
• Network probing and DoS attacks, impersonation and man-in-the-middle attacks
• Unauthorized devices (ad-hoc networks, Windows bridging, wireless bridges)
• Prevention of:
• Clients roaming to unauthorized APs
• Attempted intrusion
OmniAccess Wireless Features and Services: Voice Service Module
(Diagram labels: “on-hook” phone; “off-hook” – active – phones)
• Voice service module
• Stateful VoWLAN QoS
• Voice Connection Admission Control
• Stateful voice load balancing
• Voice-aware ARM, 802.1x
• Automatic Voice Prioritization
• Troubleshooting and security
• WMM, T-Spec enforcement
• Phone number awareness
• Voice flow quality measurement
Key benefits
• Improved end user experience
• QoS mechanisms such as CAC ensure optimum audio quality even as network load increases
• Mechanisms such as voice-aware QoS and stateful load balancing minimize call drops
• Improved troubleshooting and security
• Voice clients are identified by phone numbers; key call quality metrics are available to the network administrator
• WMM and T-Spec security is enforced by the stateful firewall
OmniAccess Wireless Features and Services: VPN Server Module
• VPN Server module
• Integration support for a variety of VPN implementations
• Eliminates need for discrete, external VPN concentrators
• Hardware acceleration provides LAN-speed VPN connectivity
• Both client termination as well as site-to-site VPNs are supported
• Supported VPN protocols include:
• L2TP/IPSec
• IPSec/XAUTH
• PPTP
Key benefits
• Complete client VPN services - PPTP, L2TP/IPSec
• Site-to-site VPN services - IPSec NAT-T transport mode tunnels between OmniAccess WLAN switches or third-party VPN concentrators
OmniAccess Wireless Features and Services: Mesh AP License Module
(Diagram labels: Mesh Link, Mesh Path, OmniAccess Mesh Portal, OmniAccess Mesh Point, OmniAccess WLAN switch, Wire-line network)
• Mesh AP module
• Securely extend wireless network beyond the reach of wire-line infrastructure
• Mesh Points and Mesh Portals allow seamless, campus-like WLAN connectivity
• Mesh Points support Ethernet bridging over the mesh network
Key benefits
• Allows for coverage of areas such as university campuses, docks, ship yards, warehouses where wires cannot be used
• Consistent services and management model with regular APs
• Survivability – survives mesh points / mesh portal through dynamic L2 routing protocols
OmniAccess Wireless Features and Services: Remote AP License Module
• Remote AP module
• Securely extend corporate wireless functionality to any location with an Internet connection
• Remote APs allow seamless, corporate-like WLAN connectivity
• Remote office
• Home
• Anywhere a mobile worker chooses to work
Key benefits
• Remote access point - termination of remotely deployed APs using IPSec transport
• Flexible modes of operation:
• Tunnel mode – all traffic is tunneled to the WLAN switch
• Local bridging – all traffic is forwarded by the Remote AP at the remote location
• Split tunneling (requires PEF module) – policy-based forwarding of packets in the tunnel or locally
• Survivability – survives WAN failure with pre-shared key auth/encryption
OmniAccess Wireless Features and Services: External Services Interface Module
• External Services Interface module
• Per FQDS AAA server selection
• Allows an OmniAccess WLAN switch to communicate with external service devices (Fortinet cluster)
• Supports advanced interaction with authentication, authorization, and accounting (AAA) services infrastructure
Key benefits
• Choice of AAA server for authentication
• XML API for captive portal (external captive portal server support)
• Content inspection with external appliance, Fortinet integration
Note: requires that the Policy Enforcement Firewall module is installed
OmniAccess Wireless Features and Services: xSec Module
• xSec module
• Termination of highly secure xSec client sessions
• Link-layer 256-bit AES-CBC encryption with complete header obscuration for highly sensitive environments
• Enables encryption of trunk ports between WLAN switches based on the same strong encryption standard
(Diagram labels: X-Sec Tunnel, X-Sec Tunnel, Layer 2 Connectivity)
Key benefits
• Client/server xSec: termination of AES layer 2 xSec secure VPN sessions
• Point/point xSec: termination of AES layer 2 xSec secure VPN switch port session
Completing the Solution: Benefits of Alcatel-Lucent’s Enterprise Portfolio
• End-to-end, highly available, consistent solution
• complete set of switching solutions sharing common feature set thus enabling the perfect fit for any need
• superior availability for better voice services
• Smart PoE for every need
• PoE flavors for all switching needs
• dynamic power allocation allowing maximized efficiency
• Enhanced security
• unique support of 802.1x authentication
• not recognition but authentication
• Best in class support for VoWLAN
• roaming, handover, QoS, security
• Single management platform
• wired, wireless and voice management on the same server
• same GUI and look and feel across applications
Wireless Network Management Platform
Supported Platforms: OmniVista 3600 Air Manager
• Hardware
• 2 servers to support the OV3600 applications (OV3600-HWPRO, OV3600-HWENT)
Software
• Centralized network management (Network Discovery, Firmware distribution, Real-time and historical trend reports)
• Granular administrative access (Role-based, Network segment based)
• Rogue Access Point Detection and Classification
• Display of location information for all wireless users and devices
• Up-to-date heatmaps and channel maps for RF diagnostics
Summary: The Alcatel-Lucent WLAN solution
Delivering business benefits (mobility, location tracking, converged communication services) by meeting the Wireless LAN challenges (management, security, availability, convergence services)
Best-in-class functionality for lowest TCO
• Easy to deploy
• Easy to secure
• Easy to manage
• Easy to scale
• Easy to add voice
WLAN Overview
• A network that uses the air as its communication channel, via high-frequency radio waves (Radio Frequency) or infrared, instead of the wired LAN that carries its transmission signal over twisted-pair or coaxial cable
• Many products with different transmission methods exist, but considering range, performance and security, spread spectrum WLANs using the ISM and UNII bands are the most widespread
• Widely used because it gives users high mobility and convenience, ease of deployment and scalability, raising efficiency and productivity by supplementing or replacing the existing LAN
• ISM and UNII Spectra
• International standardization has been in progress since October 1990 by the IEEE 802.11 committee, which standardizes the wireless medium access control and physical layer specifications in line with the OSI reference model.
WLAN standard (802.11n)
• SISO -> MIMO: Adopting MIMO (Multiple Input Multiple Output) multi-antenna transmit/receive technology in place of SISO (Single Input Single Output) raises transmit/receive data efficiency, and MIMO smart antennas minimize noise and steer a clean data transmission path.
• More efficient MAC: Brings the actual data throughput close to the physical-layer rate, guaranteeing users at least 100 Mbps (up to 600 Mbps). In existing systems, for reliable communication, every packet sent must wait for an acknowledgement (ACK) from the access point, and for fair allocation of transmit opportunity a WLAN station that wants to keep sending cannot transmit the next packet unless it waits a fixed time for the ACK. 802.11n minimizes the ACK frequency through frame aggregation and maximizes efficiency.
• Longer range through multiple antennas and advanced coding: Extends the connectable range while maintaining a constant wireless speed (about 3 times the current range)
• Standardization scheduled for completion in 2010
WLAN security technologies (scale on the slide: Not Secure to Most secure)
• Authentication: Open, Shared Key, MAC Authentication, WPA, EAP-MD5, EAP-TLS, EAP-TTLS, PEAP (with authentication server)
• Encryption: Static WEP, Dynamic WEP, TKIP, AES
• Other: MAC Filtering, Default SSID Disabled, etc.
WLAN secure connection flow (STA – AP – RADIUS)
IEEE 802.11 & 11i:
• 802.11 Beacon (AP → STA)
• 802.11 Associate-Request (STA → AP)
• 802.11 Associate-Response (AP → STA)
IEEE 802.1X:
• EAPOL-Start (STA → AP)
• EAP-Request/Identity (AP → STA)
• EAP-Response/Identity (STA → AP), relayed as RADIUS-Access-Request (AP → RADIUS)
• RADIUS-Access-Challenge (RADIUS → AP), relayed as EAP-Request (AP → STA)
• EAP-Response (Credentials) (STA → AP), relayed as RADIUS-Access-Request (AP → RADIUS)
• RADIUS-Access-Accept & MS-MPPE (PMK) (RADIUS → AP), relayed as EAP-Success (AP → STA)
IEEE 802.11i (4-way handshake, then group key handshake):
• EAPOL-Key (P, ANonce) (AP → STA)
• EAPOL-Key (P, SNonce, MIC, RSN IE) (STA → AP)
• EAPOL-Key (P, ANonce, MIC, RSN IE) (AP → STA)
• EAPOL-Key (P, MIC) (STA → AP)
• EAPOL-Key (G, Index, GNonce, RSC, MIC, GTK) (AP → STA)
• EAPOL-Key (G, MIC) (STA → AP)
IEEE 802.11aa: Access Allowed
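The pairwise (P) part of the flow above is where the PMK delivered by RADIUS (MS-MPPE) turns into the per-session keys, and the MIC on message 2 is the first point at which an authenticator can tell that a station does not hold the same PMK. The following Python is an added worked example, not code from the slide deck or from the OAW products: it implements the 802.11i PRF-384 PTK derivation and the Key Descriptor Version 2 (HMAC-SHA1) MIC, then walks both sides through the four EAPOL-Key messages. The MAC addresses, the PMK, the RSN IE bytes and the simplified frame layout are constructed for the example; real EAPOL-Key frames carry more fields than are modelled here.

```python
import hashlib
import hmac
import os

# Constructed sample values (not from the slide): authenticator (AP) and supplicant (STA) MAC
# addresses, and a PMK standing in for the key RADIUS would hand the AP via MS-MPPE after EAP-Success.
AA = bytes.fromhex("001122334455")
SPA = bytes.fromhex("66778899aabb")
PMK = bytes.fromhex("0f" * 32)
# Constructed RSN IE bytes (CCMP group and pairwise cipher suites); echoed in messages 2 and 3.
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11i PRF-X: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ...
    and truncate to nbytes."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes):
    """PTK = PRF-384(PMK, "Pairwise key expansion",
                     Min(AA,SPA) || Max(AA,SPA) || Min(ANonce,SNonce) || Max(ANonce,SNonce)).
    For CCMP the 48 bytes split into KCK (EAPOL MIC key), KEK (GTK wrap key) and TK (data key)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return ptk[:16], ptk[16:32], ptk[32:48]


def eapol_key_mic(kck: bytes, frame: bytes) -> bytes:
    """Key Descriptor Version 2 (AES-CCMP): MIC = HMAC-SHA1(KCK, frame with MIC field zeroed)[:16]."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]


def run_four_way_handshake(pmk_sta: bytes, pmk_ap: bytes, anonce: bytes = None, snonce: bytes = None):
    """Walk the pairwise EAPOL-Key exchange from the slide with both sides' computations.
    Frames are simplified constructed byte strings; the 16 zero bytes appended before each MIC
    computation stand for the zeroed MIC field. Returns (ok, reason)."""
    anonce = anonce or os.urandom(32)   # fresh per association; a reused nonce invites replay
    snonce = snonce or os.urandom(32)
    # Message 1, AP -> STA: ANonce only. No MIC is possible yet because the STA has no PTK.
    kck_s, _kek_s, tk_s = derive_ptk(pmk_sta, AA, SPA, anonce, snonce)
    # Message 2, STA -> AP: SNonce + RSN IE, authenticated with the STA's KCK.
    msg2 = b"EAPOL-Key(P)" + snonce + RSN_IE
    mic2 = eapol_key_mic(kck_s, msg2 + bytes(16))
    # The AP now knows SNonce and derives its own PTK. A MIC mismatch means the two sides do not
    # share the PMK (wrong credentials or PSK); the authenticator discards the frame.
    kck_a, _kek_a, tk_a = derive_ptk(pmk_ap, AA, SPA, anonce, snonce)
    if not hmac.compare_digest(mic2, eapol_key_mic(kck_a, msg2 + bytes(16))):
        return False, "message 2 MIC mismatch: STA and AP do not share the PMK"
    # Message 3, AP -> STA: ANonce + RSN IE + MIC (the GTK would travel here, wrapped under the KEK).
    msg3 = b"EAPOL-Key(P)" + anonce + RSN_IE
    mic3 = eapol_key_mic(kck_a, msg3 + bytes(16))
    if not hmac.compare_digest(mic3, eapol_key_mic(kck_s, msg3 + bytes(16))):
        return False, "message 3 MIC mismatch"
    # Message 4, STA -> AP: MIC-only confirmation; both sides then install TK for CCMP data frames.
    msg4 = b"EAPOL-Key(P)"
    mic4 = eapol_key_mic(kck_s, msg4 + bytes(16))
    if not hmac.compare_digest(mic4, eapol_key_mic(kck_a, msg4 + bytes(16))):
        return False, "message 4 MIC mismatch"
    return tk_s == tk_a, "temporal key installed on both sides"


if __name__ == "__main__":
    print(run_four_way_handshake(PMK, PMK))        # (True, 'temporal key installed on both sides')
    print(run_four_way_handshake(PMK, bytes(32)))  # (False, 'message 2 MIC mismatch: ...')
```

Two properties worth noting from the derivation: the Min/Max ordering makes the PTK independent of which side is listed first, so both ends compute the same keys without agreeing on an order, and the PMK itself never crosses the air, which is why an observer of all four messages still cannot compute the TK.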
WLAN Switch - Multi-Layered Security
• Application Security
• Network-Layer Security
• Link-Layer Security
• Wireless Intrusion Protection
Centralized Wireless
(Diagram labels: Employee, Guest, Data Center, Core, Distribution, Access, Floor x, GRE Tunnel, WLAN Controller)
• AP Communications
1. When the AP is connected to a switch port and powered on, it looks for the controller at its configured IP (if the AP uses DHCP, it obtains its IP from the DHCP server).
2. The AP receives its boot image (TFTP) from the controller and establishes a PAPI (UDP 8211) connection for the control protocol.
3. The AP is authenticated by the WLAN controller and a GRE tunnel is created between the AP and the controller.
4. All client traffic is encrypted inside the GRE tunnel and sent to the controller.
WLAN Switch Operation Flow
1. The client sends an 802.11 association request, which is automatically relayed through the AP to the WLAN switch.
2. The WLAN switch replies with an association acknowledgement.
3. The client and the WLAN switch carry out the 802.1x authentication procedure in conjunction with the RADIUS server.
4. The encryption key is passed to the WLAN switch; after obtaining the user's encryption keys, the client begins sending encrypted data.
5. The WLAN switch, based on the .11 MAC, decrypts the data, processes the packet, applies services and forwards the packets (diagram labels: Corp Backbone, RADIUS).
Generic Routing Encapsulation (GRE)
GRE packet = Delivery Header (IP) + GRE Header + Payload Packet (original IP packet)
IP packet fields (bit positions 0, 8, 16, 31): Ver | HL | TOS | Total Length; Identification | Flags | Fragm. Offset; TTL | Protocol | Header Checksum; Src Address; Dest Address; Payload
GRE header fields: C | Reserved | v | Protocol Type; Checksum (opt.) | Reserved1 (opt.); Payload
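The two headers on this slide are what the controller strips from each AP-tunnelled packet (step 3 and 4 of the AP Communications slide). The following Python is an added worked example, not code from the slide deck or from the OAW software: it builds and parses the delivery IPv4 header and the RFC 2784 GRE header with the optional checksum, and decapsulates an inner IPv4 packet. The addresses and payload are constructed sample values. One caveat the layout makes visible: GRE carries only a one's-complement checksum, so it gives integrity against corruption but no authentication or confidentiality; the encryption of client traffic referred to on the earlier slide is the 802.11 frame encryption that the switch removes at step 5 of the operation flow, not a property of GRE.

```python
import socket
import struct

GRE_PROTOCOL = 47          # IP protocol number for GRE in the delivery header
ETHERTYPE_IPV4 = 0x0800    # GRE Protocol Type for an IPv4 payload packet


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the IP and GRE checksums (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def internet_checksum(data: bytes) -> int:
    return (~ones_complement_sum(data)) & 0xFFFF


def build_ipv4_header(src: str, dst: str, protocol: int, payload_len: int, ttl: int = 64) -> bytes:
    """Delivery header: Ver/HL, TOS, Total Length, Identification, Flags/Fragment Offset, TTL,
    Protocol, Header Checksum, Src Address, Dest Address (the fields drawn on the slide)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, protocol, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]


def build_gre(protocol_type: int, payload: bytes, with_checksum: bool = True) -> bytes:
    """GRE header: C flag, Reserved0, Version 0, Protocol Type, then optional Checksum + Reserved1.
    When C is set the checksum covers the GRE header and the whole payload."""
    hdr = struct.pack("!HH", 0x8000 if with_checksum else 0, protocol_type)
    if with_checksum:
        hdr += struct.pack("!HH", 0, 0)
        hdr = hdr[:4] + struct.pack("!HH", internet_checksum(hdr + payload), 0)
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, protocol, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(pkt) < total_len:
        raise ValueError("malformed IPv4 header")
    if ones_complement_sum(pkt[:ihl]) != 0xFFFF:   # header including its checksum sums to all ones
        raise ValueError("bad IPv4 header checksum")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl,
            "protocol": protocol, "payload": pkt[ihl:total_len]}


def parse_gre(data: bytes) -> dict:
    if len(data) < 4:
        raise ValueError("truncated GRE header")
    flags_ver, protocol_type = struct.unpack("!HH", data[:4])
    checksum_present = bool(flags_ver & 0x8000)
    version = flags_ver & 0x0007
    if version != 0:
        raise ValueError("unsupported GRE version %d" % version)
    offset, checksum = 4, None
    if checksum_present:
        if len(data) < 8:
            raise ValueError("truncated GRE header")
        checksum, _reserved1 = struct.unpack("!HH", data[4:8])
        offset = 8
        if ones_complement_sum(data) != 0xFFFF:
            raise ValueError("bad GRE checksum")
    return {"checksum_present": checksum_present, "version": version,
            "protocol_type": protocol_type, "checksum": checksum, "payload": data[offset:]}


def decapsulate(outer_pkt: bytes):
    """Delivery header -> GRE header -> payload packet, as the controller end of the tunnel would do."""
    outer = parse_ipv4(outer_pkt)
    if outer["protocol"] != GRE_PROTOCOL:
        raise ValueError("delivery header protocol %d is not GRE" % outer["protocol"])
    gre = parse_gre(outer["payload"])
    inner = parse_ipv4(gre["payload"]) if gre["protocol_type"] == ETHERTYPE_IPV4 else None
    return outer, gre, inner


def sample_packet() -> bytes:
    """Constructed sample: an AP at 10.1.1.20 tunnelling a client IP packet to a controller at 10.1.1.1."""
    client_payload = b"client datagram"
    inner = build_ipv4_header("192.168.50.7", "192.168.60.9", 17, len(client_payload)) + client_payload
    gre = build_gre(ETHERTYPE_IPV4, inner)
    return build_ipv4_header("10.1.1.20", "10.1.1.1", GRE_PROTOCOL, len(gre)) + gre


if __name__ == "__main__":
    outer, gre, inner = decapsulate(sample_packet())
    print(outer["src"], "->", outer["dst"], "GRE type 0x%04x" % gre["protocol_type"])
    print("inner:", inner["src"], "->", inner["dst"], inner["payload"])
```

A flipped bit anywhere in the tunnelled packet makes `parse_gre` raise, which is the only protection GRE offers; a forged packet with a correctly computed checksum passes, so a controller must still rely on the AP authentication of step 3 and on filtering which addresses may originate protocol 47 and PAPI traffic toward it.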
Radio Distance (indoor range vs. data rate)
• 44 ft = 14 m at 11 (b) / 54 (a/g) Mbps
• 90 ft = 27 m at 5.5 (b) / 48 (a/g) Mbps
• 134 ft = 40 m at 2 (b) / 36 (a/g) Mbps