
Configuring Wired Networks for Wi-Fi

ENTERPRISE
Best Practices and Design Guide


2013 Ruckus Wireless, Inc. Wired Networks for Wi-Fi v1.3 1

Table of Contents
Copyright Notice and Proprietary Information ..... 4
Intended Audience ..... 5
Overview ..... 6
  OSI ..... 6
    Wired Networks and OSI ..... 7
    Wi-Fi and the OSI Model ..... 8
    Common Wi-Fi Deployments ..... 9
Network Topology Designs ..... 10
  Distributed Data Forwarding ..... 10
    Advantages ..... 11
    Disadvantages ..... 11
    802.1Q VLAN Tagging ..... 11
  Centralized/Tunneled Data Forwarding ..... 12
    Advantages ..... 12
    Disadvantages ..... 13
    802.1Q VLAN Tagging ..... 13
Network Element Placement ..... 15
  Physical Security ..... 15
    Access Points ..... 15
    ZoneDirector ..... 15
  Redundancy ..... 15
    Access Points ..... 15
    ZoneDirector ..... 15
  Performance ..... 16
    Access Points ..... 16
    ZoneDirector ..... 16
  ZoneDirector Discovery ..... 17
Network Security ..... 18
  Network Port Access ..... 18
    Access Points ..... 18
    ZoneDirector ..... 20
  Firewalls ..... 21
    ZoneDirector and Managed APs ..... 21
    Standalone APs ..... 21
    FlexMaster ..... 21
    Firewall Caveat ..... 22
  Management Access ..... 22
    Access Points ..... 22
    ZoneDirector ..... 22
Configuring Untagged VLANs ..... 23
  Note on VLAN 1 ..... 23
  Example ..... 23
  Wired Configuration ..... 24
  ZoneDirector Configuration ..... 24
Configuring Tagged VLANs ..... 26
  Note on VLAN 1 ..... 26
  Example ..... 26
  Wired Configuration ..... 27
  ZoneDirector Configuration ..... 27
  Dynamic VLANs ..... 28
  Wired Configuration ..... 29
  ZoneDirector Configuration ..... 29
Configuring Tunneled VLANs ..... 30
  Note on VLAN 1 ..... 30
  Example ..... 30
  Wired Configuration ..... 31
  ZoneDirector Configuration ..... 31
VLAN Overrides ..... 33
  ZoneDirector Configuration ..... 33
Management VLANs ..... 35
  Note on VLAN 1 ..... 35
  Who Should Use Management VLANs ..... 35
  Example ..... 35
  Wired Configuration ..... 36
  ZoneDirector Configuration ..... 36
  AP Configuration ..... 37
  Recommendations ..... 38
    Switch Port Configuration ..... 38
    APs Can Discover the ZoneDirector ..... 39
    APs First ..... 39
Configuring Quality of Service ..... 40
  WMM, ToS and DSCP Support ..... 40
    Other Classification Values ..... 42
    Modifying Traffic Classification ..... 43
  Multicast and Broadcast Traffic ..... 43
    ZoneDirector Directed Traffic Commands ..... 43
    AP Directed Traffic Commands ..... 44
  Configuring per-SSID Priority ..... 45
    ZoneDirector-based SSID Prioritization ..... 45
Troubleshooting ..... 47
  AP Cannot Connect to ZoneDirector ..... 47
    Discovery ..... 47
    VLANs and Connectivity ..... 47
    Model Support ..... 47
    Firewalls ..... 48
  Captive Portal Fails to Redirect to Login Page ..... 48
Appendix A: Recommended Reading ..... 49
  OSI Model ..... 49
  Virtual LANs ..... 49
  Cisco Wired Networking ..... 49
Appendix B: Common Cisco Commands ..... 50
  Configuring an Access Port ..... 50
  Configuring a Trunk Port ..... 50
  Troubleshooting ..... 51
    Access Port ..... 51
    Trunk Port ..... 52
Appendix C: Common HP Commands ..... 53
  Configuring a Port ..... 53
Appendix D: Common Extreme Commands ..... 54
  Configuring a Port ..... 54
Appendix E: Configuring Enterasys Switches and Routers ..... 55
  Configuring a Port ..... 55





Copyright Notice and Proprietary Information
Copyright 2013 Ruckus Wireless, Inc. All rights reserved.
No part of this documentation may be reproduced, transmitted, or translated, in any form
or by any means, electronic, mechanical, manual, optical, or otherwise, without prior written
permission of Ruckus Wireless, Inc. (Ruckus), or as expressly provided by under license
from Ruckus.
Destination Control Statement
Technical data contained in this publication may be subject to the export control laws of
the United States of America. Disclosure to nationals of other countries contrary to United
States law is prohibited. It is the reader's responsibility to determine the applicable
regulations and to comply with them.
Disclaimer
THIS DOCUMENTATION AND ALL INFORMATION CONTAINED HEREIN (MATERIAL) IS
PROVIDED FOR GENERAL INFORMATION PURPOSES ONLY. RUCKUS AND ITS
LICENSORS MAKE NO WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, WITH REGARD
TO THE MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE,
OR THAT THE MATERIAL IS ERROR-FREE, ACCURATE OR RELIABLE. RUCKUS RESERVES
THE RIGHT TO MAKE CHANGES OR UPDATES TO THE MATERIAL AT ANY TIME.
Limitation of Liability
IN NO EVENT SHALL RUCKUS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL OR CONSEQUENTIAL DAMAGES, OR DAMAGES FOR LOSS OF PROFITS,
REVENUE, DATA OR USE, INCURRED BY YOU OR ANY THIRD PARTY, WHETHER IN AN
ACTION IN CONTRACT OR TORT, ARISING FROM YOUR ACCESS TO, OR USE OF, THE
MATERIAL.
Trademarks
Ruckus Wireless is a trademark of Ruckus Wireless, Inc. in the United States and other
countries. All other product or company names may be trademarks of their respective
owners.



Intended Audience
There are many factors and concerns related to wired network support of Wi-Fi enterprise
deployments. This document is written for and intended for use by technical engineers with
some background in Wi-Fi design, Ethernet and 802.11/wireless engineering principles.



Overview
Most wireless networks are designed for wireless to wired communications. This requires a
sound design both on the wireless and wired network. This document describes
recommended practices for designing the wired side and the wireless side for seamless
communication and application support. Several relevant topics are covered:
- OSI-level integration
- Network deployment models
- Network element placement within a deployment model
- Security
- Quality of Service
- Common issues and troubleshooting
OSI
When discussing interactions between two types of networks, a good place to start is with
the Open Systems Interconnection (OSI) model. This describes the functions of a network
in terms of distinct layers. Each layer defines a specific function required to transmit and
receive data over a physical medium, from the physical medium up to the end application.

Figure 1 - OSI Model


This document focuses on those interactions between 802.11 (Wi-Fi) and wired Ethernet
networks. There are excellent references on the entire OSI model. For more information
please see Appendix A: Recommended Reading at the end of this document.
Wired Networks and OSI
From the wired network perspective, the OSI framework is as follows:
Layer 1 (physical): the physical medium for wired networks; it typically consists of copper
or fiber optic cabling.
Layer 2 (data link): consists of the basic communications protocol to transmit frames,
physical addressing, and access and flow control. For an Ethernet network this is defined in
the IEEE 802.3 specification. Layer 2 assumes a single network in which all devices are
reachable from each other. Layer 2 is often referred to as the MAC or IP layer [1] as well as a
subnet.
Layer 3 (network): provides mechanisms to transport data (routing) from one network to
another. Routers and Layer 3 Ethernet switches typically perform this. Layer 3 networks can
use different protocols over the IP network such as UDP and TCP.
Virtual LANs
Virtual LANs (IEEE 802.1Q specification) are commonly deployed as part of a Layer 2
network. A VLAN is a way to logically create a Layer 2 network that mimics a physical Layer
2 network. Multiple VLANs can exist in a given infrastructure. VLANs are often referred to
as broadcast domains, meaning that any devices on physical ports configured to be part
of that VLAN can reach each other but no other device. Two devices might be physically
connected to the same Ethernet switch, but if they are members of different VLANs they
will require a Layer 3 routing service to reach each other.
VLANs work by modifying a frame to include a VLAN ID number. This is referred to as
VLAN tagging. No number means a packet is untagged, i.e. it is part of the locally defined
Layer 2 network for that physical port (called an access port). When a VLAN tag is inserted,
the Ethernet switch must be configured to understand and use that VLAN tag. Not all
Ethernet switches understand or honor VLAN tags; those that do support 802.1Q must be
configured so they know what to do with it.
Physical switch ports that understand 802.1Q are typically referred to as trunk ports; they
consist of a native VLAN (the untagged network) and one or more tagged VLANs. Any packet
that arrives with a VLAN tag is sent to any other physical ports that have that VLAN tag
defined. The diagram below shows how VLAN tags work on a single switch and upstream to
a second switch.

[1] There are several other non-IP protocols that may be used; for the purposes of this document only IP is
discussed.



Figure 2 - VLAN Tagging
Switch 1 (top) is configured with some ports (untagged) in the red VLAN and some in the
blue VLAN. The gray ports are not configured for VLAN tagging. Note that the uplink port
that connects it to Switch 2 is a trunk port that is configured for the red and blue VLANs.
In this scenario, machine A can only communicate directly with machine C. The same is true
for the devices on the blue VLAN (B and D). If machine A needs to communicate with B or
D, the traffic must be routed. This can occur on these switches (if they are Layer 3) or via an
external router that also has a trunk port configured with the red and blue VLANs.
How a wired switch or router is configured to create these actions depends on the vendor,
but conceptually they all follow the same behavior. In some cases, the same behavior can
be achieved in multiple ways.
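The following Python model is an added illustration, not part of the Ruckus document: it implements 802.1Q tag insertion and parsing as described above, then replays the Figure 2 scenario on two simulated switches (access ports untagged, the uplink a trunk carrying both VLANs) to show that A's traffic reaches only C and crosses the uplink tagged. VLAN IDs 10 (red) and 20 (blue), the MAC addresses, and the port numbers are assumptions made for the example.

```python
import struct

TPID_8021Q = 0x8100          # EtherType value announcing that an 802.1Q tag follows
ETHERTYPE_IPV4 = 0x0800
RED, BLUE = 10, 20           # assumed VLAN IDs for the red and blue VLANs of Figure 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
MACS = {h: "02:00:00:00:00:%02x" % n for n, h in enumerate("ABCD", 1)}   # constructed MACs

def mac_bytes(mac):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes(int(octet, 16) for octet in mac.split(":"))

def build_frame(dst, src, payload, ethertype=ETHERTYPE_IPV4):
    """Untagged Ethernet II frame: dst(6) src(6) EtherType(2) payload."""
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload

def tag_frame(frame, vid, pcp=0):
    """Insert the 4-byte 802.1Q tag (TPID + TCI) between the source MAC and the EtherType."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094 (0 and 4095 are reserved)")
    tci = (pcp << 13) | vid                      # PCP (3 bits), DEI (1 bit, 0), VID (12 bits)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def parse_frame(frame):
    """Return (dst, src, vid or None, ethertype, payload) for a tagged or untagged frame."""
    dst, src = frame[0:6], frame[6:12]
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype != TPID_8021Q:
        return dst, src, None, etype, frame[14:]
    tci, inner = struct.unpack("!HH", frame[14:18])
    return dst, src, tci & 0x0FFF, inner, frame[18:]

class Switch:
    """Learning switch with access ports (one untagged VLAN) and 802.1Q trunk ports."""

    def __init__(self):
        self.ports = {}        # port number -> configuration dict
        self.mac_table = {}    # (vlan, mac) -> port the MAC was last seen on

    def add_access(self, port, vlan):
        self.ports[port] = {"mode": "access", "vlan": vlan}

    def add_trunk(self, port, allowed, native=1):
        self.ports[port] = {"mode": "trunk", "allowed": set(allowed), "native": native}

    def _ingress_vlan(self, port, vid):
        cfg = self.ports[port]
        if cfg["mode"] == "access":
            return cfg["vlan"] if vid is None else None   # tagged frame on an access port: drop
        if vid is None:
            return cfg["native"]                           # untagged on a trunk: native VLAN
        return vid if vid in cfg["allowed"] else None      # VLAN not carried on this trunk: drop

    def forward(self, in_port, frame):
        """Return [(out_port, frame_as_transmitted)] for a frame arriving on in_port."""
        dst, src, vid, _, _ = parse_frame(frame)
        vlan = self._ingress_vlan(in_port, vid)
        if vlan is None:
            return []
        self.mac_table[(vlan, src)] = in_port              # learn the source within its VLAN
        known = self.mac_table.get((vlan, dst))
        if known == in_port:
            return []
        outs = [known] if known is not None else [
            p for p, c in self.ports.items() if p != in_port and
            (c["vlan"] == vlan if c["mode"] == "access" else vlan in c["allowed"])]
        plain = frame[:12] + frame[16:] if vid is not None else frame   # strip any ingress tag
        result = []
        for p in outs:
            cfg = self.ports[p]
            needs_tag = cfg["mode"] == "trunk" and vlan != cfg["native"]
            result.append((p, tag_frame(plain, vlan) if needs_tag else plain))
        return result

def build_figure2():
    """Two switches joined by a red+blue trunk, as in Figure 2 (port numbers assumed)."""
    sw1, sw2 = Switch(), Switch()
    sw1.add_access(1, RED); sw1.add_access(2, BLUE); sw1.add_trunk(3, {RED, BLUE})
    sw2.add_trunk(1, {RED, BLUE}); sw2.add_access(2, RED); sw2.add_access(3, BLUE)
    hosts = {"A": (sw1, 1), "B": (sw1, 2), "C": (sw2, 2), "D": (sw2, 3)}
    links = {sw1: (3, sw2, 1), sw2: (1, sw1, 3)}   # switch -> (uplink port, peer, peer port)
    return hosts, links

def deliver(sender, dst_host=None, payload=b"constructed payload"):
    """Send one frame; return ({host that received it: VID seen on its port}, VID on the uplink)."""
    hosts, links = build_figure2()
    frame = build_frame(MACS[dst_host] if dst_host else BROADCAST, MACS[sender], payload)
    received, uplink_vid = {}, None
    pending = [(*hosts[sender], frame)]
    while pending:
        sw, port, f = pending.pop()
        for out_port, out_frame in sw.forward(port, f):
            if out_port == links[sw][0]:                  # crossing the trunk to the other switch
                uplink_vid = parse_frame(out_frame)[2]
                pending.append((links[sw][1], links[sw][2], out_frame))
            else:
                host = next(h for h, (s, p) in hosts.items() if s is sw and p == out_port)
                received[host] = parse_frame(out_frame)[2]
    return received, uplink_vid
```

A broadcast from A is delivered untagged to C only and crosses the uplink with VID 10; a frame that arrives already tagged on an access port is dropped by `_ingress_vlan`, which is the behaviour a correctly configured access port should show.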
Wi-Fi and the OSI Model
A Wi-Fi network works within the OSI model as follows:
Layer 1 (physical): the physical medium for wireless networks (also called the PHY layer),
consisting of the RF signal from a radio and the spectrum and modulation used to transmit
raw symbols. Examples of Layer 1 include 802.11a, 802.11g, etc.
Layer 2 (data link): consists of the basic communications protocol to transmit frames,
physical addressing, and access and flow control. For a Wi-Fi network this is defined in
numerous IEEE 802.11 specifications. Layer 2 assumes a single network in which all devices
are reachable from each other. Because Wi-Fi is a shared medium (unlike most wired
networks), collision detection and avoidance is extremely important. This is still the IP
network layer for IP-based deployments.
Layer 3 (network): provides mechanisms to transport data (routing) from one network to
another. Routers and Layer 3 Ethernet switches typically perform this. This function is
unchanged from the wired model.
Common Wi-Fi Deployments
Once a client connects to an AP, the traffic is usually transported from the AP to a wired
network. Which network it goes to will depend on the configuration of the AP. Some
common scenarios are:
1. All traffic for the SSID is untagged and goes to the native VLAN on that port
2. All traffic for the SSID is tagged for a specific VLAN (static or dynamic)
3. Traffic is tunneled from the AP to the controller and then onto the wired network
Correctly designing and configuring the wired network is critical for a successful Wi-Fi
deployment. The rest of this document examines each of these points in depth and offers
guidelines and suggestions for an optimized wired design and configuration with Ruckus
wireless equipment. Where needed, specific configuration commands are documented for
step-by-step configuration instructions.






Network Topology Designs
Most Wi-Fi equipment acts as an adjunct to an existing wired network; i.e. the Wi-Fi
essentially functions as an extension of the wired network rather than being self-contained.
When designing for a Wi-Fi deployment, the first question is overall network topology. It's
important to understand how and where the wireless client traffic will enter the wired
network. There are two common solutions to this:
- Distributed data forwarding: client traffic enters the network at the AP's switch port
- Centralized data forwarding: client traffic is tunneled to the ZoneDirector and enters
  the network from the ZoneDirector's switch port
Both of these methods are supported by Ruckus Wireless equipment. Each option is
configured on a per-SSID basis.
The decision on which to use will depend on the local environment and usage
requirements.
Distributed Data Forwarding
This model is the default configuration for Ruckus equipment. In this mode, the client traffic
enters the wired network at the AP's switch port. The ZoneDirector is not part of the data
path and is not necessary for any traffic forwarding.



Figure 3 - Distributed Data Forwarding Topology
Advantages
Distributed data forwarding offers the highest performance for a Wi-Fi network. The client
traffic is immediately placed on the wired network at the AP switch port. There is no
additional delay, latency or potential bottleneck to slow down throughput.
Disadvantages
A large Wi-Fi network could potentially have the same WLAN (SSID) broadcast on APs on
different networks. If two APs both have the same SSID but put clients on different subnets,
the client will need to release its first IP address and request a new one. This can take time
and delay data transmission from that device. This is normally not a problem for data traffic
but it can cause issues for VoIP Wi-Fi devices, which can drop calls if transmission latency is
over 150ms. For more information on how APs use different subnets for the same SSID,
please see Dynamic VLANs and VLAN Overrides.
802.1Q VLAN Tagging
In a distributed model, any network that is available on an AP's wired port is available for
the WLAN clients connected to that AP. If the switch port is unmanaged or has a default
VLAN assigned, all AP traffic should be sent as untagged traffic to that port.


If the wired switch is configured for VLAN tagging, however, the AP may have several
network choices available: it may use the untagged (default) VLAN on the port, or it may
include an 802.1Q tag on the client traffic and place it on a different VLAN.
Client traffic can be tagged or untagged; this refers to the network it will be placed into
by the AP.
Centralized/Tunneled Data Forwarding
Client traffic can also be sent via an LWAPP tunnel from the AP to the ZoneDirector. In this
mode, the traffic does not actually enter the network until it gets to, and flows through, the
ZoneDirector. As the endpoint of the LWAPP tunnel from the AP, the ZoneDirector is in the
data path and must be present for client traffic to get onto the network successfully.

Figure 4 - Centralized Data Forwarding
Advantages
Tunneling is recommended when Layer 3 roaming latency is a concern, e.g. VoIP Wi-Fi
clients. By tunneling all client traffic to the ZoneDirector, the handsets can stay on the same
VLAN regardless of which AP they use. This is only an issue for roaming devices if the
same SSID is broadcast with different VLANs on some APs. If all APs put clients for the
SSID on the same VLAN then tunneling is not required since there is no potential VLAN
change.
Tunneling is also useful when traffic must be broken out using the ZoneDirector as a
terminator, e.g. hotels that want to send only encrypted POS traffic in a tunnel and all
guest data distributed locally.
Disadvantages
Sending all traffic through the ZoneDirector does make it a point of failure. It also limits the
maximum throughput; the amount of data that can go through a single ZoneDirector with
one Gigabit Ethernet port is far smaller than 10 APs all sending data locally (distributed) on
their own Gigabit Ethernet ports. If throughput performance is a requirement, centralized
data forwarding is not a good choice.
The following table shows some estimates of tunneling throughput based on the
ZoneDirector model. These are estimates only and may differ depending on specific packet
size and characteristics.

ZoneDirector Model | Unencrypted Throughput | Encrypted Throughput
ZD1100             | 598 Mbps               | 63 Mbps
ZD3000             | 1893 Mbps              | 1208 Mbps
ZD5000             | 1957 Mbps              | 1949 Mbps

*Numbers are based on the sum bi-directional throughput with 1518 byte packets and dual
ports.
802.1Q VLAN Tagging
In a centralized model, any network that is available on a ZoneDirector's wired port can be
available for the WLAN clients. If the switch port is unmanaged or has a default VLAN
assigned, all traffic should be sent as untagged traffic to that port.
If VLAN tagging is used, the ZoneDirector's switch port must be configured as a
trunk port, NOT the AP's. The AP will tag the traffic for the correct VLAN, but that tag is not
used until the traffic is outside the LWAPP tunnel.
If the wired switch is configured for VLAN tagging, however, several network choices may
be available: the untagged (default) VLAN on the port, or an 802.1Q tag may be included on
the client traffic to place it on a different VLAN.


Client traffic can be tagged or untagged; this refers to the network it will be placed into
by the AP.

Network Element Placement
There are many ways to place Ruckus ZoneDirectors and APs into a wired network
topology. One or more of the following concerns can drive where these devices are
installed:
- Physical security
- Redundancy
- Performance/efficiency
Physical Security
Access Points
In general, an AP is always physically located in the coverage area and homed out of a
switch closet. It is possible to home run the AP to the data center, but is typically not
required. Locking the switch closet is generally enough to secure the AP wired connection.
This is especially true if the AP is hidden and not easily reachable (above the ceiling, etc.).
In some cases however, an AP may be visible and possibly easily reachable. A Kensington
lock is advised to prevent theft.
ZoneDirector
A ZoneDirector is typically located in the data center or network core. These areas are
usually tightly controlled and not subject to tampering.
Redundancy
Access Points
All Ruckus APs have at least one Ethernet port and, in some cases, more than one. Any of
these may be used for network connectivity. However, only one Power over Ethernet (PoE)
port is available. In the case of APs, the simplest redundancy plan is to ensure a client is
always within reasonable performance range of at least two APs at any time.
ZoneDirector
As the central point for management, monitoring and control, the ZoneDirector should be
installed to minimize service interruptions. At the least, this should include uninterruptable
power. It may also require redundant uplinks to the core network.
The ZoneDirector also supports a couple of variants on redundancy options:
- Active-Active: two ZoneDirectors are active at the same time and each supports
  approximately half of the APs
- Primary-Secondary: each AP is given a primary ZoneDirector (preferred) and a
  secondary to contact if the primary is unreachable
- Smart Redundancy: N+1 active-standby redundancy
Pros and Cons of Redundancy Strategies

Active-Active
  Advantages:
  - Simplest configuration, self-balances across all APs (no configuration necessary)
  Disadvantages:
  - No automatic configuration updates between controllers (manual)
  - APs see a different controller at failover
  - L2 only

Primary-Secondary
  Advantages:
  - Simple to configure
  - L2 or L3 support
  Disadvantages:
  - No automatic configuration synchronization between controllers
  - Network disruption could cause some APs to connect to the primary and some to the
    secondary at the same time
  - APs see a different controller at failover
  - If both controllers are unavailable, APs will not try to connect to a third controller

Smart Redundancy
  Advantages:
  - True N+1 redundancy
  - Automatic synchronization of configuration and databases
  - Transparent to APs
  - L2 or L3 support
  Disadvantages:
  - More complex configuration
  - Network isolation could cause APs to split across controllers (fixed when the network
    converges)

In each case, redundant controllers must be the same model and software version. They
must also be licensed for the same number of APs.
Full coverage of all redundancy options is beyond the scope of this document. For more
information on how to configure redundancy, please refer to the ZoneDirector User Guide.
Performance
Access Points
The distributed data-forwarding model is the highest-performing deployment for a Ruckus
AP. All user traffic enters the network at the AP's wired port, which avoids potential
bottlenecks and single points of failure at the core (ZoneDirector). This is the
recommended deployment for most installations.
ZoneDirector
In cases where centralized traffic forwarding is required, the amount of traffic should be
matched with the capacity of the ZoneDirector. Each controller model offers a different
amount of throughput capacity based on processing speed, etc. Performance is also

affected by packet size. The table below offers some guidelines on throughput capacity
based on 1400 byte packets.
ZoneDirector Model   Unencrypted Tunnel Performance   Encrypted Tunnel Performance
ZD1100               ~300 Mbps                        ~62 Mbps
ZD3000               ~900 Mbps                        ~580 Mbps
ZD5000               ~957 Mbps                        ~297 Mbps

ZoneDirector Discovery
The ZoneDirector's location can affect how APs discover and join the ZoneDirector. In
particular, a Layer 3 deployment requires some additional configuration to ensure the
APs can find the ZoneDirector. There are several options available:
- DHCP Option 43
- DNS entry for zonedirector.<domain>
- Static configuration via the AP shell
- Pre-deployment configuration via Layer 2 to the ZoneDirector

Network Security
Physical security is usually not sufficient to ensure the wireless network is tamper-proof.
Securing the Wi-Fi devices should include:
- Network port access
- Firewalls
- Management access
Network Port Access
Access Points
A Kensington lock on an AP may not be sufficient if the AP or its switch port connection is
physically accessible. This type of exposure can allow a user to unplug the AP and use its
cable for their own equipment or (if the AP has multiple Ethernet ports) plug their device
into a second port on the AP itself.
802.1X Authentication
In the case of a physically accessible wired port, the most secure solution is 802.1X wired
security on the port. This assumes the following is true:
1. The AP uplink port is configured as an 802.1X supplicant
2. The AP uplink is configured as a trunk port
3. The wired switch port is configured as a trunk port and as an 802.1X authenticator
4. The AP is configured for either MAC-based authentication or a user name and password
5. The wired port's 802.1X configuration does not allow a third party (i.e. anything other
than the AP) to successfully authenticate via 802.1X

The following steps configure a ZoneDirector-managed AP or group of APs for 802.1X
security:
1. Log onto the ZoneDirector and go to Configure->Access Points
2. Click Edit next to the AP or AP Group to be configured
3. Under Port Setting, choose Supplicant from the drop-down box for the uplink port
4. Make sure the Type is set to Trunk Port
5. Select the authentication credentials under Supplicant: MAC authentication or a user name and password
6. Click OK to save the changes
NOTE: If 802.1X is not already configured correctly on the wired switch port, the AP will
lose contact with the ZoneDirector.
MAC Authentication (Wired Switch)
If the wired switch supports it, the AP port may also be locked down to the specific AP's
MAC address. This is not as secure as 802.1X: any device that can spoof the AP's MAC
address can use the port.
Untagged Traffic
Another possibility is to deny network access to all untagged traffic: for example, the
untagged traffic might go to a non-routed subnet that has no connectivity, DHCP, DNS,
etc. Since user devices typically transmit only untagged traffic, this prevents them from
gaining any useful network access. Using this solution, however, requires that all other
traffic (WLAN traffic and AP management traffic) use 802.1Q tags.
In the case of additional Ethernet ports on the AP, if they are not used, the best practice is
to disable them. The following steps disable unused ports on a ZoneDirector-managed AP
or group of APs:
1. Log onto the ZoneDirector and go to Configure->Access Points
2. Click Edit next to the AP or AP Group to be configured
3. Under Port Setting, select each unused port
4. Make sure the Enable checkbox is unselected
5. Click OK to save the changes

ZoneDirector
A ZoneDirector is typically not physically accessible outside a locked data center, but
management access should be locked down as well. There are several ways to do this:
- Configure the ZoneDirector to deny management Web UI access to all but an exception list of allowed management devices or subnets (wired and wireless network devices)
- Place the ZoneDirector on an isolated management VLAN. For more information on management VLANs, please see section Management VLANs.
- Configure wired security (firewalls) to deny all traffic except from permitted devices (see the next section)
Block Management Access from the ZoneDirector
The following steps configure a ZoneDirector to refuse management access to all but a
specific list of devices or subnets:
1. Log onto the ZoneDirector and go to Configure->System
2. Click the Create New link under the Management Access Control section
3. Configure the allowed devices (single device, range or entire subnet)
4. Click OK to save the changes

Firewalls
The following ports should be configured on any firewall policies as per the usage
indicated below:
ZoneDirector and Managed APs
Port Number    Protocol   Usage
80, 443, 22    TCP        Management access to ZoneDirector (HTTP/HTTPS, SSH)
1222, 1223     UDP        LWAPP management/tunnel between AP and ZoneDirector
20, 21         TCP        ZoneDirector to AP firmware upgrade (FTP)
443, 33003     TCP        Smart Redundancy (ZoneDirectors)
18301          UDP        SpeedFlex
9997, 9998     TCP        WISPr access

Standalone APs
Port Number    Protocol   Usage
80, 443, 22    TCP        Management access to AP (HTTP/HTTPS, SSH)
3990, 3992     TCP        WISPr access

FlexMaster
Port Number    Protocol   Usage
443            TCP        Web UI management access to FlexMaster
80             TCP        FlexMaster to AP firmware upgrade
80, 443        TCP        First time connection/registration of standalone AP to FlexMaster
80, 443        TCP        FlexMaster to AP template/auto configuration
443            TCP        ZoneDirector to FlexMaster registration/informs
443            TCP        FlexMaster to ZoneDirector firmware upgrades
60010          TCP        ZoneDirector template feature (FlexMaster)
8082           TCP        FlexMaster to AP wake up
18301          UDP        SpeedFlex
Firewall Caveat
If the ZoneDirector is used to provide captive portal authentication (internal or guest
access), the ZoneDirector must be accessible via HTTP/HTTPS by user devices.
If the ZoneDirector or AP is used to provide WISPr or Open Secure Hotspot, the external
captive portal must have access to the ZoneDirector (refer to the table above for specific
ports).
Management Access
Access Points
APs managed by a ZoneDirector should be restricted to allow HTTP/S, SSH and telnet
traffic only from a secure management network. The devices should not be accessible to
connected users. Both standalone and managed APs support the use of a management
VLAN to further restrict access. For more information, please see section Management
VLANs. Note that telnet and plain HTTP carry credentials in cleartext; where the firmware
allows it, use SSH and HTTPS only and leave the cleartext protocols disabled.
ZoneDirector
The controller should also be restricted to be accessible only by approved devices and
networks. For more information, please see section Management VLANs.

Configuring Untagged WLANs
Once a client connects to an AP, the traffic is usually transported from the AP to a wired
network. Which network it goes to will depend on the configuration of the AP. The simplest
configuration is to instruct the AP to pass all client data as untagged to the wired network.
Note on VLAN 1
Ruckus equipment will always assume traffic should be untagged if VLAN 1 is specified.
VLAN 1 traffic is never tagged.
Example
The following is an example of a Wi-Fi design with untagged client traffic on the employee
network (VLAN 1). The example uses three networks:
Name Network Usage
VLAN 1 10.1.1.0 Employee
VLAN 100 10.1.100.0 BYOD
VLAN 200 10.1.200.0 Guest

The Ethernet switch is marked to show the default (untagged) VLAN for each port.

Figure 5 - Untagged WLAN Traffic
To place employee Wi-Fi clients on VLAN 1 (10.1.1.0), the AP must be configured not to
tag client traffic for that SSID.
NOTE: Although the ZoneDirector is shown also connected to VLAN 1 (untagged) this
is not required. The ZoneDirector can be on any network provided it can
communicate with the AP.
Wired Configuration
The AP's port on the Ethernet switch in this example must be configured such that VLAN 1
is available and untagged (access port). For examples of how to configure this on popular
wired switches, please see the various appendixes at the end of this document.
ZoneDirector Configuration
Here are the steps to configure an SSID with untagged traffic on the ZoneDirector.
1. Log onto the ZoneDirector Web UI
2. Go to Configure->WLANs
3. Click Create New in the WLANs section

4. Enter the required information for the new SSID

5. Click the Advanced Options link at the bottom of the window
6. Make sure the VLAN ID under ACCESS VLAN is set to 1 (untagged)

7. Click OK to save the changes


Configuring Tagged WLANs
Once a client connects to an AP, the traffic is usually transported from the AP to a wired
network. Which network it goes to depends on the configuration of the AP. An AP can
add an 802.1Q VLAN tag if the device should be on a network other than the default.
When a WLAN is configured with a specific VLAN, the AP inserts an 802.1Q tag carrying
that VLAN ID into each client frame. The Ethernet switch reads the tag and uses it to place
the traffic on the correct network. If the switch port is not configured as a trunk, or the
VLAN is not allowed on that port, the switch ignores (drops) the client frames.
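The tagging rule and the switch's drop behaviour, as an added example in Python (not Ruckus code and not part of the original guide). It builds the frame an AP would emit for a WLAN's access VLAN, honours the "VLAN 1 is never tagged" rule from the note below, and models a switch port as a native (untagged) VLAN plus a set of accepted tagged VLANs. The port model, the MAC addresses and the payload are constructed for the example; the 802.1Q header layout (TPID 0x8100, 3-bit PCP, 12-bit VID) is the standard one.

```python
"""802.1Q tagging as an AP applies it per WLAN, and switch-port admission.
Added example, not Ruckus code. Port model is an assumption: native VLAN for
untagged frames plus a set of VLANs accepted tagged (empty set = access port).
"""
import struct

ETH_P_8021Q = 0x8100   # TPID that marks a VLAN-tagged frame
ETH_P_IP = 0x0800


def tag_frame(dst, src, payload, vlan_id, pcp=0, ethertype=ETH_P_IP):
    """Build the Ethernet frame for a client on a WLAN with access VLAN vlan_id.

    Ruckus rule from the text: VLAN 1 means 'untagged', so no 802.1Q header
    is inserted for it. Any other VID gets a tag; pcp is the 802.1p priority.
    """
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    if vlan_id == 1:
        return dst + src + struct.pack("!H", ethertype) + payload
    tci = ((pcp & 0x7) << 13) | (vlan_id & 0xFFF)   # PCP(3) DEI(1) VID(12)
    return dst + src + struct.pack("!HHH", ETH_P_8021Q, tci, ethertype) + payload


def parse_frame(frame):
    """Return (vlan_id or None, pcp, inner ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("frame too short")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_P_8021Q:
        return None, 0, ethertype, frame[14:]
    tci, inner = struct.unpack("!HH", frame[14:18])
    return tci & 0xFFF, tci >> 13, inner, frame[18:]


def switch_admits(frame, native_vlan, tagged_vlans=frozenset()):
    """VLAN the switch places an ingress frame on, or None if it drops it.

    Untagged frames land on the port's native VLAN. A tagged frame is kept
    only if its VID is in the port's tagged set: a guest frame tagged 200
    arriving on an access port is dropped, which is the failure the text
    describes when the port is not a trunk or lacks the VLAN.
    """
    vid, _, _, _ = parse_frame(frame)
    if vid is None:
        return native_vlan
    return vid if vid in tagged_vlans else None


if __name__ == "__main__":
    # Constructed sample addresses and payload.
    ap_mac = bytes.fromhex("001122334455")
    bcast = bytes.fromhex("ffffffffffff")
    employee = tag_frame(bcast, ap_mac, b"dhcp-discover", 1)     # untagged
    guest = tag_frame(bcast, ap_mac, b"dhcp-discover", 200, 0)   # tagged 200
    print("employee on access port (native 1):", switch_admits(employee, 1))
    print("guest on trunk (native 1, tagged 100/200):", switch_admits(guest, 1, {100, 200}))
    print("guest on access port:", switch_admits(guest, 1))
    # The 'Untagged Traffic' defence from the Network Security section:
    # native VLAN is a dead-end, so a rogue device's untagged frames go nowhere useful.
    rogue = tag_frame(bcast, bytes.fromhex("de0adbeef000"), b"probe", 1)
    print("rogue untagged on quarantine-native port:", switch_admits(rogue, 999, {100, 200}))
```

The same function models the port-level mitigation from the Network Security section: point the native VLAN at a dead-end subnet and let only tagged WLAN and management VLANs through, and a device plugged into the AP's cable gets the quarantine VLAN.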
Note on VLAN 1
Ruckus equipment will always assume traffic should be untagged if VLAN 1 is specified.
VLAN 1 traffic is never tagged.
Example
The following is an example of a Wi-Fi design with tagged client traffic on the guest
network (VLAN 200). The example uses three networks:
Name Network Usage
VLAN 1 10.1.1.0 Employee
VLAN 100 10.1.100.0 BYOD
VLAN 200 10.1.200.0 Guest

The Ethernet switch is marked to show the default (untagged) VLAN for each port. Each
port is also configured as a tagged/trunk port for other VLANs.

Figure 6 - Tagged WLAN Traffic
To place guest Wi-Fi clients on VLAN 200 (10.1.200.0), the AP must be configured to tag
client traffic for the Guest SSID. If the guest SSID is not tagged, these devices will be
placed on the employee network (VLAN 1).
NOTE: Although the ZoneDirector is shown also connected to VLAN 1 (untagged) this
is not required. The ZoneDirector can be on any network provided it can
communicate with the AP.
Wired Configuration
The AP's port on the Ethernet switch in this example must be configured such that VLAN
200 is available and tagged. For examples of how to configure this on popular wired
switches, please see the various appendixes at the end of this document.
ZoneDirector Configuration
Here are the steps to configure a guest SSID with tagged traffic on the ZoneDirector.
1. Log onto the ZoneDirector Web UI
2. Go to Configure->WLANs

3. Click Create New in the WLANs section
4. Enter the required information for the new SSID

5. Click the Advanced Options link at the bottom of the window
6. Make sure the VLAN ID under ACCESS VLAN is set to 200 (tagged)

7. Click OK to save the changes

Dynamic VLANs
If RADIUS authentication is used for clients, dynamic VLANs may also be used. The RADIUS
server sends a specific VLAN assignment for that user as part of the Access-Accept
message. The VLAN assignment can differ between clients even though they are on the
same SSID. In this case, the AP marks each client's traffic with the correct VLAN tag.

Wired Configuration
Dynamic VLANs are configured similarly to tagged traffic on a port. A wired switch port
must be configured to allow all VLANs that might be assigned.
ZoneDirector Configuration
Here are the steps to configure a dynamic VLAN SSID with tagged traffic on the
ZoneDirector.
1. Log onto the ZoneDirector Web UI
2. Go to Configure->WLANs
3. Click Create New in the WLANs section
4. Enter the required information for the new SSID; note that Dynamic VLANs are only
available for WLANs that use RADIUS authentication (MAC authentication or 802.1X)
5. Click the Advanced Options link at the bottom of the window
6. Make sure the VLAN ID under ACCESS VLAN is set to the default VLAN for the SSID;
it can be tagged or untagged (VLAN 1)
7. Check the Enable Dynamic VLAN box


8. Click OK to save the changes
Note that a default VLAN must be specified for this SSID regardless of whether Dynamic
VLANs are used or not. A default must always be specified in case the RADIUS server does
not return a specific VLAN.
RADIUS-assigned VLANs always override the default.
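How the VLAN travels in the Access-Accept and how the default applies, as an added example in Python (not Ruckus code). The attribute layout follows RFC 2868 and RFC 3580 (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = the VLAN number as a string); the selection rule at the end encodes the two sentences above, and the parser refuses a Group-ID that arrives without the matching Tunnel-Type/Medium-Type. The sample attributes are constructed inline.

```python
"""RFC 2868 tunnel attributes carrying a dynamic VLAN, and the AP-side rule:
RADIUS VLAN overrides the WLAN default; default applies when none returned.
Added example, not Ruckus code.
"""
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13          # RFC 3580: Tunnel-Type "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6     # RFC 3580: Tunnel-Medium-Type "IEEE-802"


def _attr(atype, value):
    """RADIUS attribute TLV: type, length (header included), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def vlan_attributes(vlan_id, tag=0):
    """Encode the three attributes a RADIUS server sends to assign a VLAN."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tunnel tag must be 0..31")
    # Tunnel-Type / Tunnel-Medium-Type: 1-byte tag then a 3-byte integer.
    ttype = bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")
    tmed = bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")
    # Tunnel-Private-Group-ID: optional 1-byte tag (0x00..0x1F) then a string.
    tgid = bytes([tag]) + str(vlan_id).encode("ascii")
    return (_attr(TUNNEL_TYPE, ttype) + _attr(TUNNEL_MEDIUM_TYPE, tmed)
            + _attr(TUNNEL_PRIVATE_GROUP_ID, tgid))


def parse_attributes(blob):
    """Yield (type, value) from an attribute blob; reject malformed lengths."""
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("bad attribute length")
        yield atype, blob[i + 2:i + alen]
        i += alen


def radius_vlan(blob):
    """VLAN ID carried in an Access-Accept attribute blob, or None.

    All three attributes must be present and consistent (VLAN over
    IEEE-802); a Group-ID on its own, or a non-numeric one, is ignored.
    """
    found = {}
    for atype, value in parse_attributes(blob):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            found[atype] = int.from_bytes(value[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            text = value[1:] if value and value[0] <= 0x1F else value
            found[atype] = text.decode("ascii", "replace")
    if (found.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN
            or found.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_IEEE_802):
        return None
    gid = found.get(TUNNEL_PRIVATE_GROUP_ID)
    if gid is None or not gid.isdigit() or not 1 <= int(gid) <= 4094:
        return None
    return int(gid)


def client_vlan(access_accept_attrs, wlan_default_vlan):
    """Rule from the text: RADIUS-assigned VLAN if present, else the WLAN default."""
    assigned = radius_vlan(access_accept_attrs)
    return assigned if assigned is not None else wlan_default_vlan


if __name__ == "__main__":
    accept = vlan_attributes(200)            # constructed Access-Accept payload
    print(accept.hex())
    print("with VLAN attrs:", client_vlan(accept, wlan_default_vlan=1))
    print("without them:   ", client_vlan(b"", wlan_default_vlan=1))
```

The consistency check matters on the wired side too: the switch port behind the AP must carry every VLAN the RADIUS server may return, otherwise a valid Access-Accept puts the client on a VLAN the switch drops.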



Configuring Tunneled WLANs
Once a client connects to an AP, the traffic is usually transported from the AP to a wired
network. Which network it goes to depends on the configuration of the AP. Normally a
Wi-Fi client's traffic enters the wired network at the AP's switch port, but sometimes it is
preferable to tunnel the traffic to the ZoneDirector's switch port instead.
Traffic tunneling is usually used to allow more seamless roaming in certain conditions. For
example, a Wi-Fi VoIP handset might roam from one AP to another. This is fine if both APs
place it on the same subnet, but if the second AP is configured to put the handset on a
different network, it must drop its IP address and acquire a new one. The time this takes
drops any active voice calls.
To solve this, the handset's voice traffic is tunneled from the AP to the ZoneDirector. This
means any handset, regardless of the AP it is connected to, is assigned a network,
address, etc. from the ZoneDirector's switch port instead of the AP's. Handsets can then
roam to any AP and never need to drop their connection to acquire a new address.
Because the traffic is tunneled back to the ZoneDirector, the AP does not need to be
connected to a trunk port or have the voice subnet available; it only needs to be able to
reach the ZoneDirector. The ZoneDirector is the device that must be connected to a
wired switch port carrying the voice VLAN, not the AP. If the tunnel crosses segments that
are not trusted, enable tunnel encryption; the Performance section above shows the
throughput cost per controller model.
Note on VLAN 1
Ruckus equipment will always assume traffic should be untagged if VLAN 1 is specified.
VLAN 1 traffic is never tagged.
Example
The following is an example of a Wi-Fi design with tagged VoIP traffic on the voice network
(VLAN 222). The example uses three networks:
Name Network Usage
VLAN 1 10.1.1.0 Employee
VLAN 100 10.1.100.0 BYOD
VLAN 222 10.1.222.0 Voice


The Ethernet switch is marked to show the default (untagged) VLAN for each port. Each
port is also configured as a tagged/trunk port for other VLANs.

Figure 7 - Tunneled WLAN Traffic
Voice clients must be placed on VLAN 222, but in this example the VLAN is not configured
for the AP switch port. Instead, it will be tunneled via LWAPP over VLAN 1 to the
ZoneDirector. The ZoneDirector is connected to a switch port that does have VLAN 222
available.
Wired Configuration
The ZoneDirector's port on the Ethernet switch in this example must be configured such
that VLAN 222 is available and tagged. For examples of how to configure this on popular
wired switches, please see the various appendixes at the end of this document.
ZoneDirector Configuration
Here are the steps to configure a voice SSID with tunneled traffic on the ZoneDirector.

1. Log onto the ZoneDirector Web UI
2. Go to Configure->WLANs
3. Click Create New in the WLANs section
4. Enter the required information for the new SSID
5. Click the Advanced Options link at the bottom of the window
6. Make sure the VLAN ID under ACCESS VLAN is set to 222 (tagged)
7. Click the checkbox next to Tunnel Mode

8. Click OK to save the changes
This configuration will cause the AP to tag all client traffic on the voice SSID with VLAN 222
and tunnel it to the ZoneDirector. The client traffic will enter the network at the
ZoneDirector's switch port.

VLAN Overrides
Sometimes the default VLAN configuration for an SSID has to be changed for a subset of
APs/locations. This commonly happens in very large deployments where many smaller
subnets are used instead of one very large broadcast domain. It might also be used if the
same SSID is configured on APs in different geographical locations, i.e. different campuses,
offices, etc.

Figure 8 - VLAN Overrides
WLAN Groups offer a way to change the VLAN assignment for an SSID broadcast by a
group of APs.
ZoneDirector Configuration
Here are the steps to configure a WLAN group with VLAN override on the ZoneDirector.
1. Log onto the ZoneDirector Web UI
2. Go to Configure->WLANs
3. Click Create New in the WLAN Groups section
4. Select the WLANs an AP member of this group will broadcast

5. To the right of each WLAN, set VLAN override if the VLAN tag has changed (VLAN 1 =
untagged)

6. Click Apply to save the changes
7. Assign this WLAN Group to each AP that will use this VLAN override




Management VLANs
A management VLAN is dedicated to monitoring and managing network equipment. It is
also the subnet over which management control plane traffic is sent: software upgrades,
heartbeats, signaling, etc. This type of network is typically isolated and firewalled from the
rest of the organization. Both Ruckus APs and ZoneDirectors can be configured to use a
specific VLAN for management traffic. By default, they use the untagged network.
Although both typically use the same management VLAN, a ZoneDirector and an AP can
be configured to use different management VLANs. For this to work, the two
management networks must be routable to each other. Alternatively, just one device
can be configured to tag management traffic; the other device must then either be on a
network that can reach the management subnet or be connected to a port that is a
member of that management VLAN by default (untagged).
Note on VLAN 1
Ruckus equipment will always assume traffic should be untagged if VLAN 1 is specified.
VLAN 1 traffic is never tagged.
Who Should Use Management VLANs
Use of the untagged VLAN is recommended for most deployments, due to its simplicity
and ease of recovery in case of misconfigured switch ports, APs or ZoneDirectors.
If a management VLAN is required, please review the instructions below carefully.
Example
The following is an example of a Wi-Fi design in which APs and ZoneDirectors send
management traffic on VLAN 33:
Name Network Usage
VLAN 1 10.1.1.0 Employee
VLAN 33 10.1.33.0 Management
VLAN 100 10.1.100.0 BYOD


The Ethernet switch is marked to show the default (untagged) VLAN for each port. Each
port is also configured as a tagged/trunk port for other VLANs.

Figure 9 - Management VLAN Traffic
Wired Configuration
The ZoneDirector's port on the Ethernet switch in this example must be configured such
that VLAN 33 is available and tagged. For examples of how to configure this on popular
wired switches, please see the various appendixes at the end of this document.
ZoneDirector Configuration
Here are the steps to configure a management VLAN on the ZoneDirector.
1. Log onto the ZoneDirector Web UI
2. Go to Configure->System
3. Go to the Device IP Settings area
4. Set ACCESS VLAN to 33

5. Click Apply to save the changes
This configuration will cause the ZoneDirector to immediately begin tagging all
management traffic to VLAN 33.
NOTE: You will likely be disconnected from the ZoneDirector after applying this change
if the ZoneDirector's switch port does not yet carry VLAN 33 tagged. To regain access to
the ZoneDirector, reconfigure its switch port.
AP Configuration
The management VLAN for an AP is configured on a global basis. Only one management
VLAN can be configured for all APs. This VLAN can be different from the ZoneDirectors,
but all APs must use the same management VLAN.
Here are the steps to configure a management VLAN on the Ruckus AP.

1. Log onto the ZoneDirector Web UI
2. Go to Configure->Access Points
3. Go to the Access Point Policies area
4. Next to Management LAN, click the radio button and enter the VLAN number (33)

5. Click Apply to save the changes
This configuration will cause all APs to immediately begin tagging all management traffic to
VLAN 33.
NOTE: You will likely see the APs disconnect from the ZoneDirector after applying this
change if the APs' switch ports do not yet carry VLAN 33 tagged. To allow the APs to
reach the ZoneDirector again, reconfigure each AP's switch port.
Recommendations
Assigning management VLANs is a disruptive process and will typically cause some outage
time. How much time depends on how smoothly the transition occurs. The following are
some hints and tips to make this easier:
Switch Port Configuration
When moving from untagged to tagged management, it's a good idea to make sure every
switch port needed is configured as a trunk port with the management VLAN tagged.
Doing this ahead of time reduces disruption, since the port still works for untagged traffic
but will instantly support the device when it starts tagging its traffic.
Make a list of all ports that must be reconfigured before starting; this should include all
devices (ZoneDirectors and APs) that are being configured to use a tagged management
VLAN.


APs Can Discover the ZoneDirector
Make sure there is a way for the APs to discover the controller after they move to the
management VLAN. If the ZoneDirector's IP address has not changed, there is nothing to
do: the APs remember the last address used.
If the IP address of the ZoneDirector changes during this process, the APs must have a way
to find the controller again. There are several methods an AP can use; one of these must
work on the new management VLAN:
1. Layer 2 broadcast discovery: the AP and the ZoneDirector are on the same logical
subnet (after both have been moved)
2. DHCP Option 43: the DHCP server for the management VLAN (if using one) is
configured to give the ZoneDirector's IP address to the APs
3. DNS lookup: the DNS server is configured to return the controller's IP address when
queried for zonedirector.<local domain>
4. Static assignment: if the controller's IP address is changing, the new address can be
pre-loaded onto the APs by making it the secondary controller. When the APs move
and cannot find the primary address, they will try the secondary
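An Option 43 encoder and decoder for the DHCP discovery method listed here and in the ZoneDirector Discovery section, as an added example in Python (not Ruckus code). Option 43 carries vendor sub-options as type/length/value triples; the sub-option code 3 used below and the ASCII, comma-separated address format are assumptions to verify against the ZoneDirector User Guide for your release before deploying. The addresses are constructed for the example.

```python
"""DHCP Option 43 vendor-specific TLV encoding for ZoneDirector discovery.
Added example, not Ruckus code. Assumptions to verify against the User Guide:
the ZoneDirector list is one sub-option whose value is the comma-separated
IPv4 list in ASCII, and that sub-option's code is 3.
"""
import ipaddress

ZD_SUBOPTION = 3  # assumed sub-option code for the ZoneDirector address list


def encode_option43(zd_addresses, suboption=ZD_SUBOPTION):
    """Return the raw Option 43 payload: one TLV (code, length, ASCII value).

    Every address must parse as IPv4; the list is joined with commas so the
    APs receive e.g. '10.1.33.10,10.1.33.11'.
    """
    if not zd_addresses:
        raise ValueError("at least one ZoneDirector address is required")
    for a in zd_addresses:
        ipaddress.IPv4Address(a)            # raises ValueError on bad input
    value = ",".join(zd_addresses).encode("ascii")
    if len(value) > 255:
        raise ValueError("sub-option value must fit in one byte of length")
    return bytes([suboption, len(value)]) + value


def decode_option43(payload):
    """Parse an Option 43 payload into {code: value}; reject malformed TLVs."""
    tlvs, i = {}, 0
    while i < len(payload):
        if payload[i] == 0xFF:              # 0xFF ends the vendor options
            break
        if i + 2 > len(payload):
            raise ValueError("truncated TLV header")
        code, length = payload[i], payload[i + 1]
        if i + 2 + length > len(payload):
            raise ValueError("TLV length exceeds payload")
        tlvs[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return tlvs


def zd_addresses_from_option43(payload, suboption=ZD_SUBOPTION):
    """ZoneDirector IPs carried in the payload, or [] if the sub-option is absent."""
    raw = decode_option43(payload).get(suboption)
    if raw is None:
        return []
    return [str(ipaddress.IPv4Address(a)) for a in raw.decode("ascii").split(",")]


def colon_hex(payload):
    """Colon-separated hex, the form ISC dhcpd accepts for a raw option value."""
    return ":".join(f"{b:02x}" for b in payload)


if __name__ == "__main__":
    # Constructed addresses for a management VLAN 33 deployment.
    payload = encode_option43(["10.1.33.10", "10.1.33.11"])
    print("option vendor-encapsulated-options", colon_hex(payload) + ";")
    print("decoded:", zd_addresses_from_option43(payload))
```

Hand the APs a primary and a secondary controller in the same option when Smart Redundancy or Primary-Secondary is in use, and match the option on the AP's vendor class identifier (Option 60) rather than serving it to every DHCP client on the VLAN; confirm the identifier string your AP firmware sends with a packet capture before relying on it.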
APs First
If changing both APs and ZoneDirectors, always change the management VLAN on the APs
first. Doing the ZoneDirector first prevents the APs from connecting, at which point
there is no way to configure the APs with the new management VLAN since they cannot
connect.



Configuring Quality of Service
Quality of Service (QoS) refers to the capability of a wired or wireless network to provide
differentiated priority services to selected network traffic over various network
technologies. Delay or latency sensitive traffic such as video or voice sent from the wireless
network to the wired network should always have the correct QoS maintained. Without
QoS, an AP will not differentiate between the various traffic types (voice, video, data) on
the network. All traffic is treated as equal, and thus the WLAN typically works in a first-
come first-served fashion.
Ruckus SmartCast QoS technology helps avoid this behavior by combining multicast traffic
handling techniques, QoS and application-aware traffic classification capabilities to ensure
the highest quality video transmissions over Wi-Fi. WMM and QoS are enabled by default
on all Ruckus products. QoS and priority can also be configured on an administrative basis
as well. Supported options include:
- Heuristics: Ruckus equipment automatically detects the traffic type and assigns a QoS class
- ToS (Type of Service) Classification: honor ToS bits set on the traffic
- ToS Marking: allows the device to set the ToS of unmarked traffic
- Directed Multicast/Broadcast: convert multimedia packets into unicast for each client
- IGMP Snooping Mode: selectively forward multicast frames to those devices subscribing to the multicast stream
- Well-Known Multicast Forwarding: for well-known protocols: UPnP, Bonjour and Link-Local Multicast Name Resolution (LLMNR)
- Per-SSID policy: assigns a high or low priority relative to other SSIDs
- Per-VLAN policy: assigns a specific QoS for a VLAN
- Unknown Multicast: drop multicast traffic that is not recognized
WMM, ToS and DSCP Support
WMM is a Wi-Fi Alliance certification of support for a set of features from an 802.11e draft.
This certification is for both clients and APs, and certifies the operation of WMM. The Wi-Fi
Multimedia (WMM) specification lays out a method for Wi-Fi networks to also prioritize
traffic according to four common classes of service, each known as an access category (AC).
AC_VO - highest-priority voice traffic
AC_VI - medium-priority video traffic
AC_BE - standard-priority data traffic, also known as "best effort"
AC_BK - background traffic, that may be dropped- when the network is congested

The access category for each packet is derived either from 802.1p tagging (when
available and supported by the access point) or from the Differentiated Services Code
Point (DSCP). DSCP values are carried in the IP header of each packet and are the most
common marking on wired networks because they are simple and live at Layer 3: a DSCP
marking survives every Layer 2 hop, including equipment that is unaware of it, whereas
802.1p values are carried only inside 802.1Q VLAN tags and therefore require
802.1Q-tagged links throughout the path.
The 802.1p value is a field in the VLAN header that indicates the priority of the tagged
packet. 802.1p classification is similar to ToS classification. However, while ToS values
apply to any IP packet, 802.1p values only apply to traffic on a specified VLAN. 802.1p
values range from 0 to 7 (0 is lowest and 7 is highest).
NOTE: If 802.1p classification and ToS classification are both enabled, 802.1p
classification takes precedence. To use ToS classification, disable 802.1p classification.
There are eight priority levels (IP precedence 0 to 7, each with a corresponding DSCP
class selector), which map to the four access categories. The application that generates
the traffic is responsible for setting the DSCP value. The standard mapping is as follows:
Table 1 - DSCP and ToS to AC Mapping
Traffic Type   Priority   ToS Value     DSCP Value   AC/802.11e
Voice          7          0xE0 (224)    0x38 (56)    AC_VO
Voice          6          0xC0 (192)    0x30 (48)    AC_VO
Video          5          0xA0 (160)    0x28 (40)    AC_VI
Video          4          0x80 (128)    0x20 (32)    AC_VI
Best Effort    3          0x60 (96)     0x18 (24)    AC_BE
Background     2          0x40 (64)     0x10 (16)    AC_BK
Background     1          0x20 (32)     0x08 (8)     AC_BK
Best Effort    0          0x00 (0)      0x00 (0)     AC_BE

Although ToS and DSCP support up to 8 distinct categories, WMM only mandates four
queues for traffic: voice, video, best effort and background.
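The mapping in Table 1 together with the precedence note, as an added example in Python (not Ruckus code). The explicit ToS lists come from the "ToS Classification" lines in the CLI output later in this section, where 0xB8 (DSCP 46, EF) is listed under Voice although its precedence bits alone would land it in the video row of the table; falling back to the precedence row for values not in those lists is an assumption, as is treating 802.1p classification as off by default (the defaults table lists it as "None").

```python
"""Table 1 (priority -> WMM access category) plus the 802.1p/ToS precedence
rule. Added example, not Ruckus code."""

AC_VO, AC_VI, AC_BE, AC_BK = "AC_VO", "AC_VI", "AC_BE", "AC_BK"

# Priority level 0..7 -> access category, row by row from Table 1.
PRIORITY_TO_AC = {7: AC_VO, 6: AC_VO, 5: AC_VI, 4: AC_VI,
                  3: AC_BE, 2: AC_BK, 1: AC_BK, 0: AC_BE}

# Default ToS classification lists as printed by the CLI ('show' / 'get qos').
# Data and Background are listed as 0x0 there, which the fallback covers.
RUCKUS_TOS_CLASSES = {AC_VO: {0xE0, 0xC0, 0xB8}, AC_VI: {0xA0, 0x80}}


def tos_to_priority(tos):
    """IP precedence is the top three bits of the ToS byte."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("ToS byte out of range")
    return tos >> 5


def dscp_to_tos(dscp):
    """DSCP is the top six bits of the same byte, so ToS = DSCP << 2."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP out of range")
    return dscp << 2


def ac_from_tos(tos):
    """Explicit Ruckus lists first; otherwise the Table 1 precedence row
    (assumption: unlisted values fall back to their precedence)."""
    for ac, values in RUCKUS_TOS_CLASSES.items():
        if tos in values:
            return ac
    return PRIORITY_TO_AC[tos_to_priority(tos)]


def classify(tos=None, pcp=None, dot1p_enabled=False, tos_enabled=True):
    """Access category for one packet.

    pcp is the 802.1p value from the VLAN tag (None if the frame was
    untagged). Per the note above, 802.1p wins when both classifiers are
    enabled; it is off by default here, matching the defaults table.
    Unmarked or unclassified traffic goes to best effort.
    """
    if dot1p_enabled and pcp is not None:
        return PRIORITY_TO_AC[pcp & 0x7]
    if tos_enabled and tos is not None:
        return ac_from_tos(tos)
    return AC_BE


if __name__ == "__main__":
    for tos in (0xE0, 0xB8, 0xA0, 0x60, 0x40, 0x00):
        print(f"ToS 0x{tos:02X} (DSCP {tos >> 2}) -> {classify(tos=tos)}")
    print("ToS 0xE0, PCP 0, 802.1p on ->",
          classify(tos=0xE0, pcp=0, dot1p_enabled=True))
```

The last line of the demonstration is the case the note warns about: with 802.1p classification enabled, a voice packet whose VLAN tag carries PCP 0 drops to best effort regardless of its DSCP, so an upstream switch that rewrites or zeroes PCP silently defeats ToS-based prioritisation.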
Other Classification Values
Ruckus products set the following default classifications by traffic type:
Type                     Voice   Video   Data   Background
ToS Marking              0x0     0xA0    0x0    0x0
Tunneled ToS Marking     0xA0 (AP-to-ZoneDirector tunnel, data and control; see the CLI output below)
802.1p Classification    None    None    None   None
Heuristic Classifier     Voice   Video   Data   Background

The current QoS values in use on a ZoneDirector can be seen via the following CLI
command:
ruckus(config)# services
ruckus(config-sys)# qos
ruckus(config-sys-qos)# show
System QoS:
ToS DATA TUNNEL = 0xA0
ToS CTRL TUNNEL = 0xA0
ToS Classification-Voice = 0xE0 0xC0 0xB8
ToS Classification-Video = 0xA0 0x80
ToS Classification-Data = 0x0
ToS Classification-Background = 0x0
Tx fail threshold = 50
heuristics inter-packet-gap Video = 0 65
heuristics inter-packet-gap Voice = 15 275
heuristics packet-length Video = 1000 1518
heuristics packet-length Voice = 70 400
heuristics classification Video = 50000
heuristics classification Voice = 600
heuristics no classification Video = 500000
heuristics no classification Voice = 10000
The current QoS values for a standalone AP are gathered as follows:
rkscli: get qos
Tx Failure Threshold: 50 Dead Station Count: 0
Directed DHCP: Enabled
Directed ICMPv6 RA: Enabled

IGMP General Query V2/V3: Disabled/Disabled
MLD General Query V1/V2: Disabled/Disabled

TOS Classification: Voice=0xE0,0xC0,0xB8, Video=0xA0,0x80,
Data=0x0, Background=0x0
TOS marking: VoIP=0x0, Video=0xA0, Data=0x0,
Background=0x0
Dot1p Classification: Voice=none, Video=none, Data=none,
Background=none
Dot1p marking: VoIP=0, Video=0, Data=0, Background=0
Tunnel TOS Marking: Data=0xA0 (static TOS), Ctrl=0xA0
Heuristic Classifier: VoIP Video Data
Background
Octet Count During Classify: 600 50000 0 0
Octet Count Between Classify: 10000 500000 0 0
Min/Max Avg Packet Length: 70/400 1000/1518 0/0 0/0
Min/Max Avg Inter Packet Gap: 15/275 0/65 0/0 0/0
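A model of the heuristic voice/video classifier whose parameters appear in the two CLI listings above, as an added example in Python (not Ruckus code). The thresholds are the defaults the CLI prints; the windowing is an assumption drawn from the parameter names (average packet length and average inter-packet gap are checked once the "octet count during classify" has been seen, and a classified flow is then left alone for the "octet count between classify" before being looked at again). Timestamps are milliseconds and the sample flows are constructed.

```python
"""Heuristic voice/video flow classification from packet size and timing.
Added example, not Ruckus code; windowing model is an assumption, thresholds
are the CLI defaults shown above.
"""

# name: (min_avg_len, max_avg_len, min_avg_gap_ms, max_avg_gap_ms,
#        octets_during_classify, octets_between_classify)
HEURISTICS = {
    "voice": (70, 400, 15, 275, 600, 10000),
    "video": (1000, 1518, 0, 65, 50000, 500000),
}


class HeuristicClassifier:
    """Tracks one flow (e.g. one client's UDP 5-tuple) and labels it."""

    def __init__(self, rules=HEURISTICS):
        self.rules = rules
        self.label = "data"         # flows start in the best-effort queue
        self.hold_left = 0          # octets to pass before re-examining
        self._reset_window()

    def _reset_window(self):
        self.lengths, self.gaps, self.last_ts, self.octets = [], [], None, 0

    def _matches(self, rule):
        lo_len, hi_len, lo_gap, hi_gap, _, _ = rule
        if not self.lengths or not self.gaps:
            return False
        avg_len = sum(self.lengths) / len(self.lengths)
        avg_gap = sum(self.gaps) / len(self.gaps)
        return lo_len <= avg_len <= hi_len and lo_gap <= avg_gap <= hi_gap

    def feed(self, ts_ms, length):
        """Account one packet of the flow and return its current label."""
        if self.hold_left > 0:      # recently classified: pass it through
            self.hold_left = max(0, self.hold_left - length)
            return self.label
        if self.last_ts is not None:
            self.gaps.append(ts_ms - self.last_ts)
        self.last_ts = ts_ms
        self.lengths.append(length)
        self.octets += length
        for name, rule in self.rules.items():
            if self.octets >= rule[4] and self._matches(rule):
                self.label, self.hold_left = name, rule[5]
                self._reset_window()
                return self.label
        # Nothing matched once the largest classify window has passed:
        # treat the flow as data and start a fresh window.
        if self.octets >= max(r[4] for r in self.rules.values()):
            self.label = "data"
            self._reset_window()
        return self.label


def classify_flow(packets):
    """Label after feeding a whole list of (ts_ms, length) packets."""
    c = HeuristicClassifier()
    label = "data"
    for ts, length in packets:
        label = c.feed(ts, length)
    return label


if __name__ == "__main__":
    # Constructed flows: G.711-like voice, video-like, and bulk TCP.
    voice = [(i * 20, 200) for i in range(10)]
    video = [(i * 10, 1400) for i in range(60)]
    bulk = [(i, 1500 if i % 2 == 0 else 60) for i in range(100)]
    for name, flow in (("voice", voice), ("video", video), ("bulk", bulk)):
        print(f"{name:>5}: {classify_flow(flow)}")
```

A bulk flow of uniform 1400-byte packets sent every few milliseconds satisfies the video window too, which is why the CLI defaults should be left alone rather than widened: the heuristic cannot tell a screen-sharing stream from a file transfer by size and gap alone.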
Modifying Traffic Classification
Changing these values can impact existing application behavior. In general, this should not
be modified from the default settings. For more information, please contact the Ruckus
Technical Assistance Center.
Multicast and Broadcast Traffic
Ruckus converts broadcast/multicast traffic to unicast by default. This is known as directed
broadcast/multicast. With the default setting, conversion continues until 5 or more devices
are receiving the traffic, after which conversion to unicast stops. The principle is that the
more receivers a stream has, the less benefit the unicast conversion provides.
The directed threshold (number of clients), and the conversion itself, can be modified or
enabled/disabled completely.
ZoneDirector Directed Traffic Commands
All QoS settings are configured from the command line interface (CLI) only.
Directed Multicast
To disable/enable directed multicast for a WLAN:
ruckus(config)# wlan test-ssid
ruckus(config-wlan)# no qos directed-multicast
The command was executed successfully. To save the changes, type
'end' or 'exit'.
ruckus(config-wlan)# qos directed-multicast
The command was executed successfully. To save the changes, type
'end' or 'exit'

IGMP Snooping
To disable/enable IGMP snooping for a WLAN:
ruckus(config)# wlan test-ssid
ruckus(config-wlan)# qos igmp-snooping
ruckus(config-wlan)# no qos igmp-snooping
MLD Snooping
To disable/enable MLD snooping for a WLAN:
ruckus(config)# wlan test-ssid
ruckus(config-wlan)# no qos mld-snooping
ruckus(config-wlan)# qos mld-snooping
Directed Threshold
To configure the maximum number of clients before unicast conversion stops for a WLAN:
ruckus(config)# wlan test-ssid
ruckus(config-wlan)# qos directed-threshold 10
AP Directed Traffic Commands
All QoS settings are configured from the command line interface (CLI) only.
Directed Multicast
To disable/enable directed multicast for a WLAN:
rkscli: set qos wlan0 directed multicast disabled
Directed Multicast ingress packet processing is Disabled on
interface wlan0
rkscli: set qos wlan0 directed multicast enabled
Directed Multicast ingress packet processing is Enabled on
interface wlan0
IGMP Snooping
To disable/enable IGMP snooping for a WLAN:
rkscli: set qos wlan0 igmp disable
IGMP Snooping is Disabled on interface wlan0
OK
rkscli: set qos wlan0 igmp enable
IGMP Snooping is Enabled on interface wlan0
MLD Snooping
To disable/enable MLD snooping for a WLAN:
rkscli: set qos wlan0 mld disable
MLD Snooping is Disabled on interface wlan0
rkscli: set qos wlan0 mld enable
MLD Snooping is Enabled on interface wlan0
Directed Threshold
To configure the maximum number of clients before unicast conversion stops for a WLAN:
rkscli: set directedthreshold wlan0 0
OK
rkscli: set directedthreshold wlan0 5
Configuring per-SSID Priority
When an AP has traffic of the same priority from multiple WLANs, it uses a round-robin method
to determine which WLAN's traffic is sent. This ensures all SSIDs get some airtime. If one of
the WLANs has higher priority traffic, that traffic is always sent first. However, in the case
of multiple WLANs with traffic of the same (high) priority, the AP will again treat these WLANs
in a round-robin fashion.
There are times when one WLAN's traffic should be prioritized over another's. For example,
two SSIDs exist: one is for voice devices and one is for guests. If high priority (voice) traffic
is sent from both SSIDs, most organizations would prefer the internal voice SSID to have
preference over voice traffic on the guest network. In this case, the internal SSID can be given
a high priority and the guest network set to low.
Note that there are only two settings an SSID may have: high or low. In the case of
multiple SSIDs with high priority, higher priority traffic will again be served round robin.
Note: This feature is available on the ZoneDirector only.
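The ordering rules above, as an added example that is not part of the original guide or of Ruckus software: a small scheduler that serves higher traffic priority first, then the WLAN's own high/low setting, and round-robins between WLANs that tie on both. The SSIDs and the queued frames are constructed.

```python
from collections import deque

TRAFFIC_RANK = {"high": 0, "low": 1}    # lower rank is served first


class SsidScheduler:
    def __init__(self, wlans):
        self.wlan_priority = dict(wlans)       # {ssid: "high" | "low"}, the per-SSID setting
        self.queues = {ssid: deque() for ssid in wlans}
        self.ring = list(wlans)                # round-robin order of WLANs
        self.cursor = 0                        # next WLAN to favour when everything else ties

    def enqueue(self, ssid, frame_id, traffic_priority="low"):
        self.queues[ssid].append((frame_id, traffic_priority))

    def next_frame(self):
        """Return (ssid, frame_id) for the next transmission, or None when all queues are empty."""
        best_key, best_ssid = None, None
        n = len(self.ring)
        for distance in range(n):
            ssid = self.ring[(self.cursor + distance) % n]
            queue = self.queues[ssid]
            if not queue:
                continue
            # frame priority, then WLAN priority, then distance from the cursor (the round-robin tie-break)
            key = (TRAFFIC_RANK[queue[0][1]], TRAFFIC_RANK[self.wlan_priority[ssid]], distance)
            if best_key is None or key < best_key:
                best_key, best_ssid = key, ssid
        if best_ssid is None:
            return None
        frame_id, _ = self.queues[best_ssid].popleft()
        self.cursor = (self.ring.index(best_ssid) + 1) % n   # advance the ring past the served WLAN
        return best_ssid, frame_id

    def drain(self):
        order = []
        frame = self.next_frame()
        while frame is not None:
            order.append(frame)
            frame = self.next_frame()
        return order


def demo_order():
    """Constructed scenario: voice SSID set to high, guest and data SSIDs left at low."""
    sched = SsidScheduler({"voice": "high", "guest": "low", "data": "low"})
    frames = [("voice", "v1", "high"), ("voice", "v2", "low"), ("guest", "g1", "high"),
              ("guest", "g2", "low"), ("data", "d1", "high"), ("data", "d2", "low")]
    for ssid, frame_id, prio in frames:
        sched.enqueue(ssid, frame_id, prio)
    return sched.drain()
```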
ZoneDirector-based SSID Prioritization
To configure SSID priority on a ZoneDirector via Web UI:
1. Log onto the ZoneDirector Web UI
2. Go to Configure->WLANs
3. Click Edit next to the WLAN to be configured
4. Select the priority in the Priority section (high or low)
5. Click Apply to save the changes
To configure SSID priority on a ZoneDirector (CLI):
ruckus(config)# wlan voice
ruckus(config-wlan)# priority high
Troubleshooting
Integrating Wi-Fi into a wired network can be as simple as deploying on an untagged L2
network or more complex, with multiple tagged VLANs, redundancy, QoS and
management VLANs. This section offers some common issues and resolutions.
71*!.//")*!"//-,)*)"*["/-A&%-,)"%*
Discovery
One of the most basic issues is an AP that is unable to discover and connect to a
ZoneDirector. This is typically because none of the supported discovery processes are in
place. These include:
ZoneDirector is not on the same Layer 2 network as the AP
AP is on a different network and no Layer 3 discovery mechanism is set up (DHCP
Option 43, DNS, static configuration of the AP with the ZoneDirector's IP address)
Resolution
To solve these problems, select the discovery process you are using (above) and verify it is
working correctly. This can involve checking that the AP has a valid IP address, that it can
reach (ping) the ZoneDirector, that there is a proper DHCP or DNS entry, etc.
VLANs and Connectivity
AP does not have a valid address (no DHCP or misconfigured static IP address)
AP or ZoneDirector are on a management VLAN that has no connectivity, DHCP, or is
on an untagged port or a trunk port that does not allow that VLAN
Resolution
In the case of a misconfigured AP, if it is on the same Layer 2 network as the ZoneDirector
it may still be able to discover the ZoneDirector (Layer 2 broadcast) but is unable to
connect due to an invalid IP address.
A management VLAN problem is more easily checked on the wired switch, as this is the
most frequent root cause. In the case of some switches, the port may need to be explicitly
set to 802.1Q tagging.
Model Support
An AP model may be installed that is not supported by the ZoneDirector firmware. This
issue is typically due to an older version of software on the ZoneDirector.
Resolution
To correct the problem, upgrade the ZoneDirector software. This can be verified in the
ZoneDirector event log: Monitor->Access Points. If the AP is an unsupported model this
will also generate an event log message.
Firewalls
Another basic issue is a firewall blocking required ports. This is especially true if the basic
ports required for control and management are blocked. These ports are listed in the
Firewalls section.
Resolution
To solve these problems, make sure the necessary ports are unblocked between the AP
and the ZoneDirector.
Captive Portal Fails to Redirect to Login Page
There are many issues that can affect captive port redirections. These typically include:
Firewall has blocked HTTP/S access to the ZoneDirector from the SSID's subnet. This
may be due to ACLs on the AP/WLAN or a 3rd party firewall
Client does not have DNS configured correctly
Resolution
To check firewall issues, make sure the ACLs (if configured) for the WLAN allow access to
the ZoneDirector's login page.
Since redirection occurs after the client does a DNS lookup/URL request, make sure the
client has a DNS server configured. This can be checked via the client configuration or by
attempting to access a URL with an IP address instead of a DNS name.
Appendix A: Recommended Reading
OSI Model
OSI: A Model for Computer Communications Standards, Uyless D. Black
Virtual LANs
Virtual LANs: A Guide to Construction, Operation and Utilization, Marina Smith
Network Warrior, Gary A. Donahue
Cisco Wired Networking
Cisco Switched Internetworks: VLANs, ATM & Voice/Data Integration, Chris Lewis
Cisco IOS Cookbook, Kevin Dooley, Ian Brown
Appendix B: Common Cisco Commands
Configuring an Access Port
These are the Command Line Interface (CLI) commands to configure a port on a Cisco
switch or router as an access port for VLAN 100 (red).
The first command creates VLAN 100.
interface vlan 100
description Red VLAN
ip address 10.1.100.1 255.255.255.0
!
This command configures the 1/1 port as an access port on VLAN 100. All untagged traffic
will go on this VLAN. Any tagged traffic will be ignored.
interface GigabitEthernet1/1
description Red VLAN Access Port
switchport mode access
switchport access vlan 100
!
This command configures the 1/2 port as a trunk port with VLAN 100 as the native VLAN.
All untagged traffic will go to VLAN 100. Any tagged traffic will be ignored unless it is
tagged for VLAN 200 or 300. This configuration is essentially the same as that for port 1/1
as far as access to the red VLAN (100) is concerned. In both cases, the AP should be
configured to send red network traffic as untagged only.
interface GigabitEthernet1/2
description Native Red VLAN Trunk
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk native vlan 100
! the native VLAN must also be in the allowed list, or untagged frames are dropped
switchport trunk allowed vlan 100,200,300
!
Configuring a Trunk Port
These are the CLI commands to configure a port on a Cisco switch or router as a trunk port
for VLAN 100 (red). The first command creates the VLAN and the second configures port
1/1 as a trunk port that includes VLAN 100. Note that Cisco switches require the
encapsulation be explicitly set to dot1q. Failure to set this will prevent the switch from
correctly interpreting tagged frames from the AP.
The native VLAN for this port is VLAN 101. Any untagged traffic for this port will be
assigned to VLAN 101.
interface vlan 100
description Red VLAN
ip address 10.1.100.1 255.255.255.0
!

interface vlan 101
description Native VLAN
ip address 10.1.101.1 255.255.255.0
!

interface GigabitEthernet1/1
description Red VLAN Trunk
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk native vlan 101
! the native VLAN must also be in the allowed list, or untagged frames are dropped
switchport trunk allowed vlan 100,101
!
Multiple VLANs may be configured for a single trunk port; however, only one native VLAN is
allowed.
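As an added check for both the access-port and trunk-port configurations above (written for this page, not Cisco or Ruckus tooling): a small parser for IOS interface blocks that flags a trunk without "switchport trunk encapsulation dot1q" and a trunk whose native VLAN is absent from its allowed list, since untagged frames from the AP are then dropped. SAMPLE_CONFIG is constructed and deliberately contains both mistakes on the second port.

```python
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 switchport mode access
 switchport access vlan 100
!
interface GigabitEthernet1/2
 switchport mode trunk
 switchport trunk native vlan 101
 switchport trunk allowed vlan 200,300
"""

def parse_interfaces(config):
    """Map each interface name to its stripped config lines ('!' or a blank line ends a block)."""
    blocks, current = {}, None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("interface "):
            current = blocks.setdefault(line.split(None, 1)[1], [])
        elif line in ("!", ""):
            current = None
        elif current is not None:
            current.append(line)
    return blocks

def check_port(lines):
    """Problems found in one interface block; an empty list means the port looks fine."""
    mode = native = allowed = None
    encap, problems = False, []
    for line in lines:
        last = line.split()[-1]
        if line.startswith("switchport mode "):
            mode = last
        elif line == "switchport trunk encapsulation dot1q":
            encap = True
        elif line.startswith("switchport trunk native vlan "):
            native = int(last)
        elif line.startswith("switchport trunk allowed vlan "):
            allowed = set()
            for part in last.split(","):            # accepts both 100 and 200-202
                lo, _, hi = part.partition("-")
                allowed.update(range(int(lo), int(hi or lo) + 1))
    if mode == "trunk":
        if not encap:
            problems.append("trunk encapsulation not set to dot1q")
        if native is not None and allowed is not None and native not in allowed:
            problems.append(f"native VLAN {native} missing from allowed list, untagged frames dropped")
    return problems

def check_config(config):
    return {name: check_port(lines) for name, lines in parse_interfaces(config).items()}
```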
Troubleshooting
When troubleshooting with a Cisco switch, it may be useful to configure the switch to
update the port status more quickly than the default of 30 seconds when the spanning tree
protocol (STP) is enabled. The amount of time spanning tree takes to transition ports to a
forwarding state can cause problems. This is especially true for an individual device such as
an AP: it might consider itself in an up state, but the switch port has not transitioned to
forwarding yet, which prevents it from getting a connection.
The Cisco portfast command will speed convergence to help with this problem. NOTE:
This command should only be used on ports connected to a single device that is not a
switch or other Layer 2 device capable of causing spanning tree loops.
Access Port
interface GigabitEthernet1/1
spanning-tree portfast
!
Trunk Port
interface GigabitEthernet1/1
spanning-tree portfast trunk
!
Appendix C: Common HP Commands
Configuring a Port
These are the Command Line Interface (CLI) commands to configure a port on an HP
ProCurve switch or router. In HP terms, a trunk port is an aggregate of multiple ports, e.g.
C1-C4, rather than the Cisco definition of a trunk as a port that understands 802.1Q tags.
Therefore, configuring a port to support VLAN tagging simply entails adding those ports as
tagged members in the VLAN configuration.
The first command creates VLAN 100 with ports B10-B12 defined as untagged members of
that VLAN. All untagged traffic will go on this VLAN. Any tagged traffic will be ignored.
vlan 100
name Red VLAN
ip address 10.1.100.1 255.255.255.0
untagged B10-B12
exit
To support tagged VLANs, add an additional line specifying the tagged ports.
vlan 100
name Red VLAN
ip address 10.1.100.1 255.255.255.0
untagged B3-B9
tagged C10-C12
exit

vlan 200
name Blue VLAN
ip address 10.1.200.1 255.255.255.0
untagged C10-C12
tagged B3-B9
exit
The above configuration defines ports B3-B9 as untagged for VLAN 100 and tagged for
VLAN 200. Therefore these ports will place untagged packets on the red VLAN 100. If they
receive tagged traffic, only VLAN 200 will be honored, and only on ports B3-B9.
Appendix D: Common Extreme Commands
Configuring a Port
These are the Command Line Interface (CLI) commands to configure a port on an
ExtremeOS switch or router. In Extreme terms, a trunk port is configured by specifying
which port is tagged or untagged as part of the VLAN command.
The commands below create a VLAN called RedVLAN. This VLAN is assigned an ID of
100. Ports 7-24 are untagged members of this VLAN.
create vlan RedVLAN
configure vlan RedVLAN tag 100
configure vlan RedVLAN add port 7-24 untagged
To support tagged VLANs, add an additional line specifying the tagged ports.
create vlan RedVLAN
configure vlan RedVLAN tag 100
configure vlan RedVLAN add port 7-24 untagged
configure vlan RedVLAN add port 5-6 tagged
The above configuration defines ports 7-24 as untagged members of VLAN 100 and ports 5-6
as tagged members. Therefore ports 7-24 will place all untagged traffic into VLAN 100, and
ports 5-6 will only do so if the packet is specifically tagged for VLAN 100.
Appendix E: Configuring Enterasys Switches and Routers
Configuring a Port
These are the Command Line Interface (CLI) commands to configure a port on an Enterasys
switch or router.
The commands below create VLAN 100 (RedVLAN) and VLAN 200 (BlueVLAN). Ports
ge.1.10-12 are untagged members of VLAN 100.
set vlan create 100
set vlan name 100 RedVLAN
set vlan create 200
set vlan name 200 BlueVLAN
set port vlan ge.1.10-12 100 modify-egress
To support tagged VLANs, add an additional line specifying the tagged ports.
set vlan egress 200 ge.1.10
The above command adds VLAN tagging for port ge.1.10 for VLAN 200.