Aerohive Certified Networking Professional (Acnp) : Confidential

AEROHIVE CERTIFIED NETWORKING
PROFESSIONAL (ACNP)
© 2013 Aerohive Networks CONFIDENTIAL 1

Introductions
•What is your name?

•What is your organizations name?
•How long have you worked in
networking?
•What was your 1st computer?

Facilities Discussion
• Course Material
Distribution
• Course Times
• Restrooms
• Break room
• Smoking Area
• Break Schedule
› Morning Break
› Lunch Break
› Afternoon Break

Aerohive Switching & Routing
Configuration (ACNP) – Course Overview
Each student connects to HiveManager, a remote PC, and a Aerohive AP

over the Internet from their wireless enabled laptop in the classroom, and then
performs hands on labs the cover the following topics:
• Overview of Switching and Routing Platforms

• Unified Network Policy Management
• Spanning Tree
• Device Templates
• Port Types (802.1Q Ports, Phone and Data Ports, Secure Access Ports, Guest
Access Ports and WAN ports)
• Aggregate Channels
• PoE
• VLAN to Network mapping
• Router templates
• Parent networks and branch subnets
• Layer 3 VPN with VPN Gateway Virtual Appliance
• Policy Based Routing
• Router Firewall
• Cookie Cutter Branch Networking
2 Day Hands on Class
Aerohive Training Remote Lab
Aerohive Access Points using external

antenna connections and RF cables to
connect to USB Wi-Fi client cards
(Black cables)
Access Points are connected from eth0 to

Aerohive Managed Switches with 802.1Q
VLAN trunk support providing PoE to the APs
(Yellow cables)
Access Points are connected from their
console port to a console server
(White Cables)
Console server to permit SSH access into the
serial console of Aerohive Access Points
Firewall with routing support, NAT, and
multiple Virtual Router Instances
Server running VMware ESXi running Active
Directory, RADIUS, NPS and hosting the
virtual clients used for testing configurations
to support the labs
Copyright ©2011
Aerohive CBT Learning
http://www.aerohive.com/cbt

The 20 Minute Getting Started Video
Explains the Details
Please view the Aerohive Getting Started Videos:

http://www.aerohive.com/330000/docs/help/english/cbt/Start
.htm

Aerohive Technical Documentation
All the latest technical documentation is available for

download at:
http://www.aerohive.com/techdocs

Aerohive Instructor Led Training
• Aerohive Education Services offers a complete curriculum that provides

you with the courses you will need as a customer or partner to properly
design, deploy, administer, and troubleshoot all Aerohive WLAN solutions.
• Aerohive Certified WLAN Administrator (ACWA) – First-level course
• Aerohive Cerified WLAN Professional (ACWP) – Second-level course
• Aerohive Certified Network Professional (ACNP) – Switching/Routing course
• www.aerohive.com/training – Aerohive Class Schedule

Over 20 books about networking have been written
by Aerohive Employees
CWNA Certified Wireless Network Administrator

Official Study Guide by David D. Coleman and David
A. Westcott
CWSP Certified Wireless Security Professional

Official Study Guide by David D. Coleman, David A.
Westcott, Bryan E. Harkins and Shawn M.
Jackman
CWAP Certified Wireless Analysis Professional Official
Study Guide by David D. Coleman, David A. Westcott,
Ben Miller and Peter MacKenzie
802.11 Wireless Networks: The Definitive Guide,

Second Edition by Matthew Gast
802.11n: A Survival Guide by Matthew Gast
802.11ac: A Survival Guide by Matthew Gast
Over 20 books about networking have

Aerohive
been written by Aerohive Employees
Employees
Aerohive Exams and Certifications
• Aerohive Certified Wireless Administrator

(ACWA) is a first- level certification that
validates your knowledge and
understanding about Aerohive Network’s
WLAN Cooperative Control Architecture.
(Based upon Instructor Led Course)
• Aerohive Certified Wireless Professional
(ACWP) is the second-level certification
that validates your knowledge and
understanding about Aerohive
advanced configuration and
troubleshooting. (Based upon Instructor
Led Course)
• Aerohive Certified Network Professional
(ACNP) is another second-level
certification that validates your
knowledge about Aerohive switching
and branch routing. (Based upon
Instructor Led Course)
Aerohive Forums
• Aerohive’s online community – HiveNation

Have a question, an idea or praise you want to share? Join the HiveNation
Community - a place where customers, evaluators, thought leaders and students
like yourselves can learn about Aerohive and our products while engaging with
like-minded individuals.
• Please, take a moment and register during class if you are not already a
member of HiveNation.
Go to http://community.aerohive.com/aerohive and sign up!

Aerohive Social Media
The HiveMind Blog:
http://blogs.aerohive.com
Follow us on Twitter: @Aerohive

Instructor: David Coleman: @mistermultipath
Instructor: Bryan Harkins: @80211University
Instructor: Gregor Vucajnk: @GregorVucajnk
Instructor: Metka Dragos: @MetkaDragos
Please feel free to tweet about #Aerohive training

during class.

Aerohive Technical Support – General
How do I buy Technical Support?

Support Contracts are sold on a yearly basis, with
discounts for multi-year purchases. Customers can opt
to purchase Support in either 8x5 format or in a 24
hour format.
I have different expiration dates on several Entitlement keys, may

I combine all my support so it all expires on the same date?
Your Aerohive Sales Rep can help you set-up Co-Term, which allows
you to select matching expiration dates for all your support.
I want to talk to somebody live.

Call us at 408-510-6100 / Option 2. We also provide service
toll-free from within the US & Canada by dialing (866) 365-9918.
Aerohive has Support Engineers in the US, China, and the UK,
providing coverage 24 hours a day.

Copyright ©2011
Aerohive Technical Support – The
Americas
How do I reach Technical Support?

Aerohive Technical Support is available 24 hours a
day. This can be via the Aerohive Support Portal or
by calling. For the Support Portal, an authorized
customer can open a Support Case.
Communication is managed via the portal with
new messages and replies. Once the issue is
resolved, the case is closed, and can be retrieved
at any time in the future.
I want to talk to somebody live.
For those who wish to speak with an engineer call us at 408-
510-6100 / Option 2. We also provide service toll-free from
within the US & Canada by dialing (866) 365-9918.
I need an RMA in The Americas
An RMA is generated via the Support Portal, or by calling our Technical
Support group. After troubleshooting, should the unit require repair, we will
overnight* a replacement to the US and Canada. Other countries are
international. If the unit is DOA, it’s replaced with a brand new item, if not it is
replaced with a like new reburbished item.
© 2013 Aerohive Networks CONFIDENTIAL *Restrictions may apply: time of day, location, etc . 15
Copyright ©2011
Aerohive Technical Support – International
How Do I get Technical Support outside The Americas?

Aerohive international Partners provide dedicated
Technical Support to their customers. The Partner has
received specialized training on Aerohive Networks’
product line, and has access to 24 hour Internal
Aerohive Technical Support via the Support Portal, or
by calling 408-510-6100 / Option 2.
I need an RMA internationally

World customer’s defective
units are quickly replaced by
our Partners, and Aerohive
replaces the Partner’s stock
once it arrives at our location.
Partners are responsible for all
shipping charges, duties, taxes,
etc.
Copyright ©2011
Copyright Notice
Copyright © 2013 Aerohive Networks, Inc. All rights

reserved.
Aerohive Networks, the Aerohive Networks logo,

HiveOS, Aerohive AP, HiveManager, and
GuestManager are trademarks of Aerohive Networks,
Inc. All other trademarks and registered trademarks
are the property of their respective companies.

QUESTIONS?
© 2013 Aerohive Networks CONFIDENTIAL

SWITCHING & ROUTING PRODUCT LINE
Overview of hardware and software platforms

Aerohive Switching Platforms
SR2024P SR2124P SR2148P

24 Gigabit Ethernet 48 Gbps Ethernet
24 PoE+ (195 W) 24 PoE+ (408 W) 48 PoE+ (779 W)
4 Ports 1G SFP Uplinks 4 Ports 10 G SFP/SFP+ Uplinks

Routing with 3G/4G USB support and Line rate
switching
Switching Only
56Gbps switching 128 Gbps switch 176 Gbps switch
Single Power Supply Redundant Power Supply Capable

Copyright ©2011
Class Switches Deployed in Data Center
Note: The switch model (2024) used in the lab has been superseded by improved models.
• SR2024 Internet
› Line Rate Layer 2 Switch SR2024
› 8 Ports of PoE
› Multi-authentication AP
PoE
access ports
» 802.1X with fallback to
MAC auth or open
› Client Visibility AP AP
» View client information
by port Provides Access For:
› RADIUS Server • Employees
› Internet Router • Guests
• Contractors
› DHCP Server • Phones
› USB 3G/4G Backup • APs
• Servers
› Policy-based routing with Identity

HiveManager Form Factors
SW, Config, & Policy RF Planner Topology Reporting Heat Maps SLA Compliance Guest Mgmt
Express Mode Enterprise Mode

• Optimized for ease of use • Enterprise sophistication
• Uniform company-wide policy • Multiple Network policies
• One user profile per SSID • Multiple user profiles/SSID
HiveManager Appliance 2U
• power&&fans
Redundant power fans
• HA redundancy
• 5000
8000 APs
HiveManager Virtual Appliance
•• VMware ESX &
VMware ESX & Player
Player
•• HA
HA redundancy
redundancy
•• 5000
1500 APs
APs with minimum configuration
with minimum configuration
HiveManager Online
• Cloud-based SaaS management

HiveManager Appliance

HiveManager Databases

Aerohive Routing Platforms
BR 100 BR 200 AP 330 AP 350 VPN Gateways
Single Radio Dual Radio

L3 IPSec
VPN
1x1 11bgn 3x3:3 450 Mbps 11abgn Gateway
5-10 Mbps ~500 Mbps

30-50Mbps FW/VPN
FW/VPN VPN
5X 4000/1024
5X 10/100 2X 10/100/1000 Ethernet
10/100/1000 Tunnels
Physical/Vi
0 PoE PSE 2X PoE PSE 0 PoE PSE
rtual
© 2013 Aerohive Networks CONFIDENTIAL * Also available as a non-Wi-Fi device 25

Copyright ©2011
BR100 vs. BR200
BR100 BR200/BR200WP
5x FastEthernet 5x Gigabit Ethernet
1x1 11bgn (2.4Ghz) single radio 3x3:3 11abgn dual-band single radio (WP)
No integrated PoE PoE (in WP model)
No console port Console Port
No Spectrum Analysis Integrated Spectrum Analysis (WP)
No Wireless Intrusion Detection Full Aerohive WIPS (WP)
No local RADIUS or AD integration Full Aerohive RADIUS, proxy, and AD
No SNMP logging SNMP Support

Aerohive AP Platforms
AP121 AP141 AP330 AP350 AP230 * AP370 AP390 AP170

Indoor
Indoor Indoor Indoor Industrial Outdoor
Industrial
Dual Radio
Dual Radio 802.11n Dual Radio 802.11ac/n
802.11n
2x2:2 3x3:3 2x2:2 300 Mbps
300 Mbps High 450 Mbps High Power 3x3:3 450 + 1300 Mbps High Power Radios 11n High
Power Radios Radios Power Radios
TPM Security Chip
2X Gig.E - 10/100 link 2X Gig.E w/ link 2X Gig E

1X Gig.E 1X Gig.E
aggregation aggregation /w PoE Failover
PoE (802.3af + 802.3at) and AC Power PoE (802.3at)
Plenum/D Plenum/Plenum Water Proof (IP

Plenum Rated Plenum Rated
ust Dust Proof 68)
-20 to
0 to 40°C 0 to 40°C -20 to 55°C -40 to 55°C
55°C
USB for future use USB for 3G/4G Modem USB for future use N/A
© 2013 Aerohive Networks CONFIDENTIAL * Includes 5 GHz Transmit Beamforming and in 2.4 GHz has TurboQAM
VPN Gateway Virtual Appliance
• Supports the following
› GRE Tunnel Gateway
› L2 IPSec VPN Gateway
› RADIUS Authentication Server
› RADIUS Relay Agent
› Bonjour Gateway
› DHCP server
• Use a VPN Gateway Virtual Appliance instead of an AP when higher
scalability for these features are required
Function Scale
VPN Tunnels 1024 Tunnels
RADIUS – Local users per VPN Gateway 9999
# Users Cache (RADIUS Server) 1024
# Simultaneous (RADIUS Server) 256
authentications
VPN Gateway Physical Appliance
• Supports the following
› GRE Tunnel Gateway
› RADIUS Authentication Server
› RADIUS Relay Agent
Ports: One 10/100/1000 WAN port
› Bonjour Gateway Four LAN ports two support PoE
› DHCP server
• Use a VPN Gateway Appliance instead of an AP when higher scalability
for these features are required
Function Scale
VPN Tunnels 4000 Tunnels
RADIUS – Local users per VPN Gateway 9999
# Users Cache (RADIUS Server) 1024
# Simultaneous (RADIUS Server) 256
authentications
QUESTIONS?

Lab Infrastructure
Core
HiveManager
Router
Distribution VLAN 1
Instructor Space ip address 10.100.1.1/24
VLAN 2
Student Space ip address 10.100.2.1/24
SR2024 VLAN 8
SR2024
ip address 10.100.8.1/24
Access VLAN10
ip address 10.100.10.1/24
PoE PoE
AP PC AP PC
Student 2 Student X
SWITCHING
32
Lab: Setting up a Wireless Network
1. Connect to the Hosted Training HiveManager
• Securely browse to the appropriate HiveManager for class

› TRAINING LAB 1
https://training-hm1.aerohive.com
https://72.20.106.120
› TRAINING LAB 2
https://72.20.106.66
› TRAINING LAB 3
https://209.128.124.220
› TRAINING LAB 4
https://203.214.188.200
› TRAINING LAB 5
https://209.128.124.230
• Supported Browsers:
› Firefox, Internet Explorer, Chrome, Safari
NOTE: In order to access the
HiveManager, someone at your • Class Login Credentials:
location needs to enter the › Login: adminX
X = Student ID 2 - 29
training firewall credentials given › Password: aerohive123
to them by the instructor first.
Lab: Setting Up a Wireless Network
2. Create a Network Policy
• Go to
Configuration
• Click the New
Button

3. Enable network policy options
• Name:
Access-X
• Check the
options for
› Wireless Access
› Switching
• Note, enabling Branch Routing:
» Enables L3 VPN Configuration
› Bonjour
» Disable L2 VPN Configuration Gateway
» Enable L3 Router Firewall Policy • Click Create
» Policy-Based Routing with Identity
» Enables Router configuration settings in
Additional Settings
Network Policy Components
• Wireless Access – Use when you have an AP only

deployment, or you require specific wireless policies
for APs in a mixed AP and router deployment
• Branch Routing– Use when you are managing routers,
or APs behind routers that do not require different
Network Policies than the router they connect through
Internet
Internet
BR200 AP
BR100
AP
Small Branch Office
or Teleworker Site Small to Medium Size Branch Office
that may have APs behind the router
Network Policy Components
• Bonjour Gateway
› Allows Bonjour services to be seen in multiple subnets
• Switching
› Used to manage wired traffic using Aerohive Switches
Internet SR2024
PoE AP
AP AP
4. Create a New SSID Profile
Network
Configuration
• Next to SSIDs click
Choose
• Then click New

5. Configure Employee SSID
• SSID Profile: Class-PSK-X

X = 2 – 29 (Student ID)
• SSID: Class-PSK-X
• Select WPA/WPA2 PSK
(Personal)
• Uncheck the Obscure
Password checkbox
• Key Value: aerohive123
• Confirm Value: aerohive123
• Click Save
• Click OK
For the ALL labs, please follow the

class naming convention.
6. Create a User Profile
• To the right of
your SSID, under
User Profile, click
Add/Remove
In Choose User
Profiles
• Click the New
button

7. Define User Profile Settings
• Name: Default VLAN:

Employee-X From the drop down
box,
• Attribute • Select Create new
Number:10 VLAN,
type:10
• Click Save

8. Choose User Profile and Save
•Ensure
Employee-X
User Profile is
highlighted
•Click Save

9. Review your policy and save
• From the Configure Interfaces &

User Access bar, click Save

SPANNING TREE BEHAVIOR

How loops happen
1. Client sends broadcast such as ARP request
B
2. Switch A forwards packet on all interfaces,
except source interface
3. Switch B receives the broadcast twice, but

does not know it is the same broadcast. It
forwards the broadcast from interface 1 on
interface 24 and vice versa
4. Switch A again receives the broadcast twice

and does the same at Switch B. (It also
sends both broadcasts back to the client
5. Rinse and repeat. The broadcast never
leaves the network

Spanning Tree
Easy to solve, right?

Just disconnect one cable…
But now there is no redundancy…
Have no fear!
There was once a loop to be,

In a redundant path for everyone to see.
The packets went round and round,
Until a new sheriff was found.
His name? Well, Spanning Tree!

Spanning Tree
So what does the Spanning Tree

Protocol (STP) do?
High level overview:
I am root!
1. All interfaces are blocked (for non STP traffic) Root doesn’t
while the switches elect a root bridge have to
(switch) calculate
2. After the root bridge is elected, switches

calculate the lowest cost path to the root
bridge
3. Unblock corresponding ports and keep
redundant ports blocked Speed 1Gbit Speed 100Mbit
4. If an active link fails, unblock redundant port Cost: 20,000 Cost: 200,000

Spanning Tree – extra reading
Found in the class materials:

Spanning-Tree-Overview.pptx
• STP
• RSTP
• MSTP
• (R)PVST

Switch Spanning Tree Settings
• By default, spanning tree is disabled on Aerohive switches

› Why?
› If you plug an edge switch into a network, and the switch priority is
a lower number (higher priority) on our switch, than what is
configured on the existing network, our switch will become the
root switch
› This means that the optimal path and links that are available
through a network will be chosen based on getting to your edge
switch!
› This most likely is not what a customer wants to do! ;-)
• What is the downside of not enabling spanning tree by default?
› If you plug two cables from our switch to the distribution switch
network, and the ports are not configured as an aggregate, you
can cause a loop!
› This is far less of a concern than enabling spanning tree by default
and possibly rerouting all traffic through our switch, so we will
disable spanning tree by default

Verify Existing Network
Spanning Tree Priorities
• Before installing an Aerohive switch into an existing switch

network, have the company determine the root switch and
backup root switch priority
• Ensure our spanning tree priority is set to a higher number
• For example, on a Cisco Catalyst switch you can type:
CS-Dist-2#show spanning-tree
MST0
Spanning tree enabled protocol mstp
Root ID Priority 12288
Address 000f.23b9.0d80
Cost 0
Port 25 (GigabitEthernet0/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 16384 (priority 16384 sys-id-ext 0)
Address 001f.274c.5180
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- -----
Fa0/24 Desg FWD 200000 128.24 P2p
Gi0/1 Root FWD 200000 128.25 P2p

Verify Existing Network
Spanning Tree Priorities
CS-Dist-2#show spanning-tree
MST0
Spanning tree enabled protocol mstp
Root ID Priority 12288
Address 000f.23b9.0d80
Cost 0
Port 25 (GigabitEthernet0/1)
Bridge ID Priority 16384 (priority 16384 sys-id-ext 0)
Address 001f.274c.5180
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- -----
Fa0/24 Desg FWD 200000 128.24 P2p
Gi0/1 Root FWD 200000 128.25 P2p
• Here you can see the Root Priority is: 12288
• The switch this command is run on shows a priority of 16384
• So most likely our switch default priority of: 32768 will not cause
any harm

Lab: Enable Spanning Tree
1. Enable Spanning Tree
From the network policy that has switching enabled

• Go to Additional Settings and click Edit
2. Enable RSTP
Enable Rapid Spanning

Tree
• Expand Switch Settings
• Expand STP Settings
• Check the box to
Enable STP (Spanning
Tree Protocol)
• Select the radio button
to enable RSTP (Rapid
Spanning Tree)
• Click Save

3. Save your Network Policy
• From the Configure Interfaces & User

Access bar, click Save

Spanning Tree – Switch specific settings
More detailed Spanning Tree settings can be

configured on an individual switch in device
level settings should that be required.
DEVICE TEMPLATES
FOR DEFINING SWITCH PORT
SETTINGS

Device Templates
HiveManager – SR2024 as switch device template

• HiveManager Device Templates
are used to assign switches at the
same or different sites to a
common set of port
configurations
• For example, ports 1, 2
are for APs, ports 3-6 are
for phones, etc…
Distribution
SR2024 SR2024
Access/Edge
PoE PoE
AP AP AP AP

Device Templates
• Device templates are

used to define ports for
the same device, devices
with the same number of
ports, and device
function
• Device templates do not
Apply to SR2024 switches
set device function, i.e.
configured as switches
switch, router, or AP, but
will only match devices
configured with the
matching function
• You configure a devices
function in the device
specific configuration
Apply to SR2024 switches
configured as routers.
Requires WAN port – icon
depicted as a cloud
Device Templates
For Devices Requiring Different Port Settings
SR2024 as Switch • If devices require different port
Default Sites configurations for the same type
of device and function, you can
SR2024 as Switch
Small Sites
› 1. Configure device
classification tags to have
different device templates for
different devices
› 2. Create a new network
policy with a different device
template
SR2024 SR2024
Default Site Device

PoE Classification PoE
Tag: Small Site
AP AP AP
Note: The switch model (2024) used in the lab has been superseded by improved models.
CONFIGURE DEVICE TEMPLATES
FOR DEFINING SWITCH PORT
SETTINGS

Lab: Configure Device Templates
1. Create device template
• Next to Device
templates, click
Choose
• Click New

2. Create switch template
• Name:
SR2024-Default-X
• Click Device
Models
• Select SR2024
• Click OK
• For SR2024, when
functioning as:
› Select Switch
• Click Save
Note: Here you are not setting the SR2024
to function as a switch. Instead, you are
only specifying that this template applies to
SR2024s when they are configured to
function as a switch. The switch/router
Note: You only see switch as an option function is configured in switch device
and not Switch and Router, because Routing settings.
was not enabled in the selection box when
creating this Network Policy.
3. Save switch template
• Ensure your device template is

selected and click OK
• The device template will appear in
the Device Templates section
• You can show or hide the individual
device template by clicking the
triangle
Shows you that this is a template

for your switch as a switch


LINK AGGREGATION

Lab Infrastructure
Aggregate Links for Connection to Distribution
Aggregate is statically configured similar to

EtherChannel
There is no LACP (Link Aggregation Control
Protocol) in this release.
• You can have 8 ports in one channel
› The ports do not have to be contiguous
SR2024 • Every port on the SR2024 can be
configured into port channels except the
USB and console port
• The switch hardware creates a hash of
the the header fields in frames selected
for load balancing, for determining the
ports in an aggregate to send a frame
› Load balancing options are:
» Source & Destination MAC, IP, and Port
PC » Source & Destination IP Port

AP
» Source & Destination IP
» Source & Destination MAC
Lab Infrastructure
Aggregate Links for Connection to Distribution
• Load balance of broadcast, multicast,

and unknown unicast traffic between
ports in an aggregate is based on Src/Dst
MAC/IP.
• You cannot configure a 802.1X port in an
EtherChannel
• mac learning is on the port channel port,
instead of member port
SR2024 • Only ports with same physical media type
and speed can be grouped into one
aggregate.
• Supports LLDP per port but not per
channel
AP PC

Lab Infrastructure
Do not do this with aggregates
Distribution Distribution
Switch 1 Switch 2
Aggregate 1
SR2024
• In this case, distribution switch 1 and switch 2
will see the same MAC addresses and cause
MAC flapping
› i.e. traffic from PC A for example might be
load balanced to Switch 1 and Switch 2
• In this case, there will also be a loop!
• Aggregates must be built between a pair of
switches only!
AP PC

AGGREGATION –
CONFIGURATION EXAMPLE

Aggregate Links for Switch Connections
to Distribution Layer Switches
ESXi Server
Core
HMOL
Distribution
Aggregates
Each access switch will have two

SR2024 aggregates:
Access
• Aggregate 1: Port 17, 18
PoE
• Aggregate 2: Port 19, 20
These ports are not connected in
AP this classroom, this is only a
PC
configuration example

Lab: Link Aggregation
1. Select ports 17 and 18
Select ports that will be used to connect to the distribution layer

switches (example only, aggregates are not used in class)
NOTE: Recommended not to use the first 8 ports on the SR2024 which provide
PoE.
• Select port 17, and 18

• Check the box for Aggregate selected ports…
• Enter 1
• Click Configure
Copyright ©2011
2. Create Trunk Port policy
• Click New
• Name: Trunk-X
• Port Type: 802.1Q
• QoS Classification:
Trusted Traffic
Source
Note: This means we
are trusting the
upstream network
infrastructure
markings
› Map to DSCP or
802.1p
• QoS Marking:Map
Aerohive..
802.1p
• Click Save
2. Save Trunk Port policy
• Ensure that Trunk-X

is selected, click
OK

• Select port 19 and 20

• Check aggregate selected ports… and
enter 2
4. Assign Trunk policy
• Click Configure
• For choose port type, select your
802.Q trunk that you created
previously: Trunk-X
• Click OK

5. Review port settings
Port 17, 18, 19, and 20 will now

display an 802.1Q trunk icon and
should all appear the same, even
though there are two different
aggregates



CONFIGURE UPLINKS USED IN THE
CLASSROOM

Classroom Links for Switch Connections
to Distribution Layer Switches
ESXi Server
• 3CX IP PBX Core
10.100.1.?
HMOL
Distribution
SR2024 For the class, we are going to

configure single uplinks without
Access
aggregation to connect to the
PoE
distribution switches
• Single Uplinks : Port 23, 24
AP Port 23 will be connected to

PC
Distribution switch 1, and
port 24 will be connected to
Distribution switch 2
Lab: Configure Uplink Ports
1. Select Ports 23 and 24
Select ports that will be used to connect to the distribution layer

switches

• Click Configure

Copyright ©2011
2. Assign port policy and save
• For choose port type, select your

802.Q trunk that you created
previously: Trunk-X
• Click OK
• Ports 23 and 24 should now be the
same color as the other Trunk ports



CONFIGURE PORTS FOR APS

Lab Infrastructure
Configure PoE Ports for APs
ESXi Server
Core
HMOL
Distribution
SR2024 Configure two of the PoE

Access ports for APs
IP Phones
PoE • Use Port 1 and 2 for APs
NOTE: For class there is an AP
connected to port 1 of every
AP AP switch

Lab: Configure Access Point ports
Select ports that will be used to connect to APs

NOTE: The first 8 ports on an SR2024 provide power

• Click Configure
Copyright ©2011
2. Create Trunk Policy
• Click New
• Name: AP-Trunk-X
• Port Type: 802.1Q
Trusted Traffic
Source
Note: This means we
are trusting the
upstream network
infrastructure
markings
802.1p
Aerohive..
802.1p
• Click Save
3. Assign AP-Trunk Policy to ports 1 and 2
• Ensure that that AP-Trunk-X is selected

• Click OK
• Port 1and 2 will now display an 802.1Q trunk
icon, but this time, a power symbol appears as
well because ports 1 through 8 can provide
power
• Notice that Ports

1 and 2 are a
different color
because there is
a different port
policy than the
other ports



CONFIGURE POWER SOURCING
EQUIPMENT (PSE) PORTS FOR
POWER OVER ETHERNET (POE)

PoE Overview
• PoE standards define the capabilities of the power sourcing

equipment (PSE) and the powered device (PD).
• The PSE is an Aerohive switch. Aerohive access points would be
considered PDs.
• The 802.3af PoE standard defines 15.4 Watts from the PSE
• All 802.11n Aerohive APs will work with 802.3af - CAT5e cabling or
better is required.
• The maximum draw of an Aerohive AP-330 is14.95 Watts.

PoE Overview
• The 802.3at standard (PoE+) defines 32 Watts from the

PSE
• 802.11ac Aerohive AP230 is fully functional using 802.3af
• However, the older 802.11ac Aerohive APs (AP370 and
AP390) require PoE+ for full functionality
• The AP370 and AP390 will function with 802.3af PoE
however the 80 MHz channels capability is restricted.
PoE Power Budgets
SR2024P SR2124P SR2148P
24 PoE+ (195 W) 24 PoE+ (408 W) 48 PoE+ (779 W)
• Careful PoE power budget planning is a must.

• Access points will randomly reboot if a power budget
has been exceeded and the APs cannot draw their
necessary power.

Lab: Configure PoE ports
1. Select additional port settings
Additional Port Settings

link is available if no ports are
currently selected
• Select Additional port settings to configure

› Port Channel Load-Balance Mode
Settings
› PoE port (PSE) Settings

2. Aggregate channel settings
• For Port Channel Load-Balance Mode, please

selecting the headers in a frame that will be used
in creating a hash to determine which port a frame
should egress
› NOTE: If you are testing a single client, especially for a demo,
the more fields you use you will have a better opportunity to
egress multiple ports

3. PSE settings
• Expand PSE Settings

• Because only the first two ports have been
configured, you will only have the ability to
configure PSE (Provides PoE) to the first two ports
• Next to Eth1/1 Click +

4. PSE settings
Note: Default PoE port

settings is 802.3at (PoE+)
• Name: af-high-X Power priority can be
low, high or critical
• Power Mode: 802.3af
• Power Limit: 15400 mW
• Priority: high
• Save
5. PSE settings
• Assign Eth1/1 and Eth1/2 to: af-high-X

• Save
NOTE: You will only see the Interfaces(Ports) that have been
assign to a port type


CONFIGURE PORTS FOR IP PHONES

Lab Infrastructure
Configure PoE Ports for IP Phones
ESXi Server
Core
HMOL
Distribution
SR2024 Configure 6 of the PoE ports

Access for IP Phones
PoE • Use Port 3 - 8 for IP Phones
AP AP

CONFIGURE PHONE PORTS IN
SWITCH DEVICE TEMPLATE

Lab: Configure PoE ports for IP phones
1. Select ports 3-8
Select ports that will be used to connect to IP Phones

NOTE: The first 8 ports on an SR2024 provide power
• Select port 3, 4, 5, 6, 7, and 8

(Yes, you can multi-select)
• Click Configure
Copyright ©2011
2. Phone & Data ports
•Click New
• Name: Phone-and-Data-X
• Port Type: Phone & Data
• Check Primary
authentication using:
MAC via PAP
Trusted Traffic Sources
Note: This means we are
trusting the upstream
network infrastructure
markings
› Map to DSCP or 802.1p
Aerohive..
› Map to DSCP or 802.1p
• Click Save
• For choose port type, select

Phone-and-Data-X
• Click OK
• Port 3 – 8 will now display with a
phone icon

5. Save your network policy


CONFIGURE PORTS FOR OPEN
GUEST ACCESS

Lab Infrastructure
Configure Ports for Employee Computer Access
ESXi Server
Core
HMOL
Distribution
SR2024
Guest
Access Computers
PoE
IP Phones
Configure 2 of the switch
ports for open access
AP AP
(switch ports are in a secured
room – for testing purposes)
• Use Port 9 and 10
Lab: Configure Open Guest Ports
Select ports that will be used to connect to guest computers
• Select port 9 and 10

• Click Configure
Copyright ©2011
2. Create access port
•Click New
3. Create access port
• Name: Guest-X
• Port Type: Access
• Most likely you will
not be trusting the
DSCP settings on
guest devices, so
click Untrusted
Traffic Sources
• There is no need to
mark the traffic for
QoS marking
• Click Save

4. Assign access port policy

Guest-X
• Click OK
• Port 9 and 10 will now display with a
world icon



CONFIGURE PORTS FOR SECURE
EMPLOYEE ACCESS WITH 802.1X
For switch ports in a secure location

Lab Infrastructure
Configure Ports for Employee Computer Access
ESXi Server
Core
HMOL
Distribution
SR2024
Employee
Access Computers
802.1X
PoE
IP Phones
Configure six of the switch
ports for 802.1X
AP AP authentication
• Use Ports 11-16

Lab: Configure Secure Access Ports
1. Select ports 11 - 16
Select ports that will be used to connect to employee computers

that support 802.1X
• Select port 11,12,13,14,15,16

• Click Configure
Copyright ©2011
2. Create secure port policy
• Click New

3. Create secure port policy
• Name: Secure-X
• Port Type: Access
• Check the box for:
Primary Authentication
using 802.1X
• Uncheck ☐Allow multiple
hosts (same VLAN)
• For the ability to preserve
markings on PCs for
softphones or other
important applications,
select QoS Classification:
Trusted Traffic Sources
• Check the box for QoS
Marking
 Map Aerohive QoS …
• Select DSCP or 802.1p
depending on the upstream
switch architecture
• Click Save

4. Assign secure port policy
• For choose port type, select Secure-X

• Click OK
• Ports 11-16 will now display with a world
icon



CONFIGURE MIRROR PORTS

Lab: Configure Mirror Ports
1. Select ports 21 - 22
Select ports that will be used for port mirroring
• Select ports 21 and 22

• Click Configure
Copyright ©2011
2. Create mirror port policy
• Click New
• Name: Mirror-X
• Port Type: Mirror
• Click Save

3. Assign mirror port policy

Mirror-X
• Click OK
• Check  Port-Based
Note: VLAN-Based port

mirroring can only be
enabled on a single port

4. Choose ports to mirror
• Eth1/21, Egress – click Choose

• Select Eth1/1 and Click OK
• Eth1/22, Ingress – click Choose
• Select Eth1/12 and Click OK
5. Verify and save mirror port policy
• All downstream traffic destined for the WLAN clients of

the Aerohive AP on port Eth1/1 will be mirrored to port
Eth1/21.
• All upstream traffic destined for the network from the
host on Eth1/12 will be mirrored to port Eth1/22.
• Click Save

6. Verify and save mirror port policy
Ports 21 and 22 will now display a magnifying glass icon.



GENERAL DEVICE TEMPLATE INFO

General Port Template Info
If you have more than one port

selected, you can clear port
selections here so you do not
have to click all the selected
ports to deselect them.

General Port Template Info
• If you move
your mouse
over one of the
defined ports,
an option
appears to
select all ports
using this port
type
Click Here

CONFIGURE PORT TYPES
Guest Access

Lab: Configure Ports – Guest Access
1. Port Types
• Configure the authentication, user profile, and VLAN information

for the port types defined in the device templates

2. Create user profile
Similar to SSIDs, you need to

configure User Profiles (user
policy) for the access ports
• For your Guest-X port
type, under User Profile
click Add/Remove
• Click New

3. Assign VLAN
User profiles are used

to assign policy to
devices connected
to the network.
NOTE: Switches use the VLAN in a
user profile. Switches functioning
as routers use the VLAN, but may
also make layer 3 firewall and
policy-based routing decisions
based on the user profile. In
either case, user profile The optional settings are utilized when
information is carried with user
information throughout an the user profile is enforced on an AP. The
Aerohive network infrastructure. switch, because it is forwarding packets
• Name: Guest-X at line speed in silicon, does not utilize
the optional settings. If the switch is
• Attribute: 100 configured to be a branch router, the user
• Default VLAN: 8 profile is used for decisions in layer 3
• Click Save firewall policies, IPSec VPN policies, and
identity-based routing.

4. Save user profile
• Ensure Guest-X is
selected
• Click Save
• Verify your settings

Lab: Configure Ports - Guest Access


Employee Access Secured wit 802.1X

Lab: Configure Ports - Secure Access
1. Configure RADIUS
Configure the RADIUS sever for

the ports secured with 802.1X
• For your Secure-X port type,
under Authentication
click <RADIUS Settings>
• Click New

2. Configure RADIUS
Define the external

RADIUS server settings
• RADIUS name:
RADIUS-X
• IP address: 10.5.1.10
• Shared Secret:
aerohive123
• Confirm Secret:
aerohive123
• Click Apply!!
• Click Save

3. Configure user profile
Assign user profiles to

the secure 802.1X ports
• Next to your Secure-X
port type, under User
Profile click
Add/Remove

Port Types
There are three user profile

assignment methods:
1. (Auth) Default – If a client
authenticates successfully,
but no user profile attribute
is returned, or if a user
profile attribute is returned
matching the default user
profile selected
2. Auth OK – If a client
and a user profile attribute
is returned, it must match
one the selected user
profiles you select here
3. Auth Fail – If a client fails
authentication, use this
user profile

4. Configure default user profile
Define the Default User Profile

assigned If a client
authenticates successfully, but
no user profile attribute is
returned, or if a user profile
attribute is returned matching
the default user profile
selected
• Select the Default tab
• Select the user profile:
Employee-Default(1)
› Created by the
instructor…
› Assigns VLAN 1

5. Configure Auth OK user profile
Define a user profile for

Auth OK – If a client
and a user profile attribute
is returned, it must match
one the selected user
profiles you select here.
You can have up to 63
Auth OK user profiles.
• Select the Auth OK tab

• Select Employee-X(10)
› Assigns VLAN 10

6. Configure Auth Fail user profile
Define a user profile for

Auth Fail – If a clients fails
authentication several
times, assign the Auth Fail
user profile
• Select Auth Fail
• Select Guest-X(100)
› Assigns VLAN 8
• Verify the Default, Auth
OK, and Auth Fail
settings one more time
• Click Save

7. Verify settings
•Verify the settings



PHONE & DATA PORTS
WITH NO AUTHENTICATION

Phone & Data Port Type
With Open Access
SR2024
IP Phone
Data
Switch
Phone & Data

uses 802.1Q
• Switch Port is assigned to a Phone & Data Port Type

• For this example, no authentication is selected in Phone &
Data

With Open Access
SR2024
IP Phone
Data
Switch
Phone & Data LLDP assigns

uses 802.1Q Phone to tagged
Voice VLAN
Note: For default data,

only the VLAN is used,
not the user profile
• You can then select a Default Voice, and Default Data user profile
• The Phone & Data port is an 802.1Q port
• The Phone VLAN will be tagged and sent to the IP phone via LLDP-MED
• The switch port will assign the Data VLAN as the native VLAN
› This way, the phone traffic is tagged, and data traffic is untagged

CLI Commands for
Phone & Data Port without Authentication
• interface eth1/3 switchport mode trunk

• interface eth1/3 switchport user-profile-attribute 2
• interface eth1/3 switchport trunk native vlan 10
• interface eth1/3 switchport trunk voice-vlan 2
• interface eth1/3 switchport trunk allow vlan 2
• interface eth1/3 switchport trunk allow vlan 10
• interface eth1/3 qos-classifier Phone-and-Net-2
• interface eth1/3 qos-marker Phone-and-Net-2
• interface eth1/3 pse profile QS-PSE

PHONE & DATA PORTS
WITH 802.1X/PEAP
AUTHENTICATION OR
MAC AUTHENTICATION

With 802.1X/PEAP or MAC Authentication
RADIUS Server Employees
Phone Policy Returns SR2024
IP Phone
Cisco AV Pair: device-traffic-class=voice
User Profile and/or VLAN
Data (Employee) Policy Returns
User Profile and/or VLAN Switch Data
Phone & Data
uses 802.1Q, and 802.1X
• Switch Port is assigned to a Phone & Data Port Type

• For this example, 802.1X authentication is selected in Phone
& Data

With 802.1X/PEAP
Employees
RADIUS Server SR2024
Phone Policy Returns IP Phone
Data (Employee) Policy Returns Switch Data
Phone & Data
uses 802.1Q, and 802.1X
• You can connect a single client, or multiple clients

behind an IP phone data port
• Phones and clients authenticate independent of each
other and the order in which they authenticate does
not matter
› However, the VLAN assigned to the first data device (Employee)
that authenticates is assigned as the data VLAN, all other
devices will be assigned to the same VLAN, even if they have
different user profiles with other VLANs assigned, or even if
RADIUS returns a different VLAN.

With Primary and Secondary Authentication
RADIUS Server Employees
Phone Policy Returns SR2024
IP Phone
Data (Employee) Policy Returns
User Profile and/or VLAN Switch Data
Phone & Data
uses 802.1Q, and 802.1X
• If a secondary authentication is used, if the first authentication is

not available, or fails three times, the second authentication will be
tried

CLI Commands for
Phone & Data Port with 802.1X
• security-object Phone-and-Data-2
• security-object Phone-and-Data-2 security aaa radius-server primary 10.250.1.1
shared-secret ***
• security-object Phone-and-Data-2 security protocol-suite 802.1x
• security-object Phone-and-Data-2 default-user-profile-attr 1
• security-object Phone-and-Data-2 security auth-mode host-based multiple-domain
• interface eth1/3 security-object Phone-and-Data-2
• interface eth1/3 qos-classifier Phone-and-Data-2
• interface eth1/3 qos-marker Phone-and-Data-2
• no interface eth1/3 spanning-tree enable
• no interface eth1/3 link-discovery cdp receive enable
• user-profile Default qos-policy def-user-qos vlan-id 1 attribute 1
• user-profile Employee-2 qos-policy def-user-qos vlan-id 10 attribute 10
• user-profile Voice-2 qos-policy def-user-qos vlan-id 2 attribute 2
• user-profile Guest-2 qos-policy def-user-qos vlan-id 8 attribute 100

CLI Commands for
Phone & Data Port with MAC AUTH
• security-object Phone-and-Data-2
• security-object Phone-and-Data-2 security aaa radius-server primary 10.250.1.1
shared-secret ***
• security-object Phone-and-Data-2 security additional-auth-method mac-based-auth
• security-object Phone-and-Data-2 default-user-profile-attr 1
• security-object Phone-and-Data-2 security auth-mode host-based multiple-domain
• security-object Phone-and-Data-2 security initial-auth-method mac-based-auth
• interface eth1/3 security-object Phone-and-Data-2
• interface eth1/3 qos-classifier Phone-and-Data-2
• interface eth1/3 qos-marker Phone-and-Data-2
• no interface eth1/3 spanning-tree enable
• no interface eth1/3 link-discovery cdp receive enable
• user-profile Default qos-policy def-user-qos vlan-id 1 attribute 1
• user-profile Employee-2 qos-policy def-user-qos vlan-id 10 attribute 10
• user-profile Voice-2 qos-policy def-user-qos vlan-id 2 attribute 2
• user-profile Guest-2 qos-policy def-user-qos vlan-id 8 attribute 100

CONFIGURING NPS FOR PHONE
AND EMPLOYEE AUTHENTICATION
WITH 802.1X/PEAP
Overview

Configure NPS for Phone & Data
Authentication
• Create a
network
policy for
voice

Authentication
• Enter a name
for the voice
policy, and
click next

Authentication
• Click add to
specify a
condition

Authentication
• Select
Windows
Groups
• Click Add

Authentication
• Click Add Groups…

• A voice group was created by IT for
IP phones – enter voice and click OK
• Click OK

Authentication
• Click Next

Authentication
• Select
Access
granted

Authentication
• Click Add
• Select Microsoft:
Protected EAP
(PEAP)
• Click OK

Authentication
• Click Next
• For constraints
click Next

Authentication
• Remove attributes
that are not
needed:
› Select Frame-
Protocol, and
Click Remove
› Select Service-
Type, and Click
Remove

Authentication
Add the three attribute

value pairs needed to
assign a user profile
• Tunnel-Medium-Type:
IP v4 (value found in
the others section)
• Tunnel-Type: Generic
Route Encapsulation
(GRE)
• Tunnel-Pvt-Group-ID:
(String) 2
› 2 is the voice user
profile in this case
• Click Next

Authentication
• Under RADIUS
Attributes, select
Vendor Specific

RETURN A CISCO AV PAIR TO LET
THE AEROHIVE SWITCH KNOW
WHICH USER PROFILE SHOULD BE
ASSIGNED AS THE VOICE USER
PROFILE

Authentication
In order for a switch to

know a specific user
profile is for voice,
Aerohive devices can
accept the Cisco AV
Pair: device-traffic-
class=voice. This is sent
to the switch, and the
switch uses LLDP to send
the voice VLAN any
phone that supports
LLDP-MED
• Under RADIUS
Attributes, select
Vendor Specific
• Click Add

Authentication
• Under
Vendor,
Select
Cisco

Authentication
• Click Add
• Click Add again

Authentication
• Attribute value:
device-traffic-class=voice
• Click OK
• Click OK
• Click Close (The value does not show
up on this screen. Do not worry, it is
there.)

Authentication
• Attribute value:
device-traffic-
class=voice
• Click OK
• Click OK
• Click Next

Authentication
• Click
Finish

DEFINE CLIENT ACCESS

CLI Commands for
Create a new
policy for
employee access
• Policy name:
Wireless or Wired
Employee Access

CLI Commands for
• For the condition, select the

windows group that contains
your employees
• Add the three attribute value
pairs needed to assign a user
profile
› Tunnel-Medium-Type: IP v4
(value found in the others
section)
› Tunnel-Type: Generic
Route Encapsulation (GRE)
› Tunnel-Pvt-Group-ID:
(String) 10
» 10 is the voice user profile in this
case
• Click Next

Phone and Data

Lab: Configure Ports - Phone & Data
1. Configure RADIUS
Configure the RADIUS sever

for the ports secured with
802.1X
• For your Phone-and-Data-X
port type, under
Authentication
click <RADIUS Settings>
• Select RADIUS-X which is an
external Microsoft NPS
RADIUS server
• Click OK
Port Types
Assign user profiles to your

802.1X ports
• For your Phone-and-Data-X
port type, under User Profile
click Add/Remove

Port Types (Reminder)
Must Verify
There are three user profile settings:
1. Default – Default for data if no
user profile attribute, or a user
profile attribute is returned
and matches the user profile
configured here
2. Auth OK (Voice) – If a client
and a user profile attribute is
returned matching a selected
user profile, and the Cisco AV
Pair is also returned
3. Auth OK (Data) – Client
passes authentication, and a
user profile attribute is
returned, but no Cisco AV
pair

2. Configure user profile – Auth OK (Voice)
• Click Auth OK (Voice)

• Click New

3. Configure user profile – Auth OK (Voice) VLAN
User profiles are

used to assign
policy to devices
connected to the
network.
• Name: Voice-X
• Attribute: 2
• Default VLAN: 2
• Click Save

4. Configure user profile – Auth OK (Voice)
• For the Auth OK

(Voice) tab
select:
Voice-X(2)
› Assigns VLAN 2

5. Configure user profile – Default
Assign the Default

user profile:
• Select the
Default tab
• Select Employee-
Default(1)
› Assigns VLAN 1

6. Configure user profile – Auth OK (Data)
Define a user profile for Auth

OK (Data)– for clients
connected through an IP
Phone
• Select Auth OK (Data)
• Select Employee-X(10)
› Assigns VLAN 10
• Verify the Default, Auth
OK (Voice), and Auth
OK (Data) settings one
more time
• Click Save

7. Verify your settings
• Verify the settings

Lab: Configure Ports - Phone and Data


CONFIGURE 802.1Q TRUNK PORTS

Lab: Configure Trunk Ports
1. Configure AP-Trunk-X port policy VLANs
Define the allowed

VLANs on a trunk port
• Next to AP-Trunk-X
Click Add/Remove
• Add the specific
VLANs: 1,2,8,10
• Click OK

2. Configure Trunk-X port policy VLANs
Define the allowed

VLANs on a trunk port
• Next to Trunk-X Click
Add/Remove
• Type all
• Click OK

3. Verify your settings
 Verify
Settings

Lab: Configure Ports - Phone and Data
8. Save your network policy and continue


UPDATE DEVICES

Lab: Update Devices
1. Modify your AP
From the Configure & Update Devices section,

modify your AP specific settings
• Click the Name column to sort the APs
• Click the link for your AP: 0X-A-######

Lab: Update Devices
2. Update the configuration of your Aerohive AP
• Location:
<FirstName_LastName>
• Topology Map: Classroom
• Network Policy:
Access-X
Note: Leave this set to default

so you can see how it is
automatically set to your new
network policy when you
update the configuration.
• Set the power down to

1dBm on both radios
because the APs are
stacked in a rack in the data
center
› 2.4GHz(wifi0) Power: 1
› 5GHz (wifi1) Power: 1
• Click Save
Lab: Update Devices
3. Select AP and switch
• Select your AP and switch and click Update
Click Yes

Lab: Update Devices
4. Update the AP and switch
• Select Update Devices

• Select  Perform a
complete configuration
update for all selected
devices
• Click Update
For this class, ALL

Updates should be
Complete
configuration
updates

Lab: Update Devices
5. Update the AP and switch
• Should the Reboot warning box appear, select OK
Click OK

QUESTIONS?

CREATE AN AEROHIVE DEVICE DISPLAY FILTER

Lab: Create a Display Filter from Monitor View
1. Create a filter
• To create a display filter go to Monitor  Filter: Select +

• Network Policy, select: Access-X
• Remember this Filter, type: Access-X
• Click Search
Lab: Create a Display Filter from Monitor View
2. Verify the display filter

QUESTIONS?

TEST YOUR WI-FI CONFIGURATION
USING THE HOSTED PC
208
Lab: Test Hosted Client Access to SSID
Test SSID Access at Hosted Site
Core
ESXi Server
Internet - HM VA
Distribution
Access
SR2024
• Use VNC client to
access Hosted PC:
PoE Ethernet
› password: aerohive
• From the hosted PC,
AP Wi-Fi
you can test
connectivity to your
Hosted
PC
SSID
1. For Windows: Use TightVNC client
• If you are using a windows PC

› Use TightVNC
› TightVNC has good compression so
please use this for class instead of
any other application
• Start TightVNC
› For Lab 1
lab1-pcX.aerohive.com
› For Lab 2
› For Lab 3
› For Lab 4
› For Lab 5
› Select  Low-bandwidth connection
› Click Connect
› Password: aerohive.
› Click OK

2. For Mac: Use the Real VNC client
• If you are using a Mac

› RealVNC has good compression
so please use this for class
instead of any other application
• Start RealVNC
› For Lab 1
› For Lab 2
› For Lab 3
› For Lab 4
› For Lab 5
› Click Connect
› Password: aerohive.
› Click OK

3. In case the PCs are not logged in
If you are not automatically

logged in to your PC
• If you are using the web
browser client
› Click the button to Send
Ctrl-Alt-Del
• If you are using the
TightVNC client
• Click to send a
control alt delete
• Login: AH-LAB\user
• Password: Aerohive1
• Click the right arrow to login

4. Remove any Wireless Networks on Hosted PC
From the bottom task bar, click the locate

wireless networks icon
› Select Open Network and Sharing Center
› Click Manage wireless Networks
› Select a network, then click Remove
› Repeat until all the networks are removed
› Click [x] to close the window

5. Connect to Your Class-PSK-X SSID
• Single-click the
wireless icon on
the bottom right
corner of the
windows task bar
• Click your SSID
Class-PSK-X
• Click Connect
› Security Key:
aerohive123
› Click OK

6. View Active Clients List
Go to MonitorClientsWireless Clients and

locate your PC’s entry
• After associating with your SSID, you should

see your connection in the active clients list
Wireless Clients
• Your IP address should be from the
10.5.10.0/24 network which is from VLAN 10

QUESTIONS?

TESTING SWITCH PORT
CONNECTIONS WITH WINDOWS 7

Lab: Test Hosted Client to Wired Network
Test Guest and 802.1X Access
Core
ESXi Server
Internet - HM VA
Distribution
Access
SR2024
• Use VNC client to
access Hosted PC:
PoE Ethernet
› password: aerohive
• From the hosted PC,
AP Wi-Fi
you can test
connectivity to your
Hosted
PC
SSID
Three Different VLANs are Possible
In this configuration
• Default - Auth OK, and RADIUS does not returned user

profile or matching user profile to default
• Auth OK – and RADIUS returns a user profile that
matches one of the user profiles configured here
• Auth Fail – RADIUS authentication fails (Guest)

1. Verify IP address of Ethernet adapter
• Locate Local Area Connection 3

• Right click
• Click Status
• Click Details
Why do you see an IP

from the 10.5.1.0/24
subnet?
This is the IP address
the device
received on VLAN 1
before the switch
was configured

3. Reset Ethernet Adapter
Because the PC has the

wrong IP it will not work,
you can remedy this by
• Right click on Local Area
Connection 3
• Click Diagnose
or
• Disable then Enable
Local Area Connection 3
• Do NOT Disable Local
Area Connection 2

• Right click
• Click Status
• Click Details

from the 10.5.8.0/24
subnet?
This is the guest
network that is
assigned if
authentication is
not supported or
fails

6. Verify VLAN of wired client
Go to MonitorClientsWired Clients and locate your

PC’s entry
• Note the IP, Client Auth Mode, User Profile

Attribute and VLAN
• VLAN 8 is the guest VLAN assigned because
802.1X authentication was not supported or
failed. The host was assigned to the Auth Fail
user profile.

7. Enable 802.1X for wired clients
• In windows 7, you
must enable 802.1X
support
• As an administrator,
from the start menu
type services
• Then click services

• Click the
Standard tab
on the
bottom of the
services
panel
• Locate Wired
AutoConfig
and right-
click
• Click
Properties

• The Wired AutoConfig

(DOT3SVC) service is
responsible for performing
IEEE 802.1X authentication on
Ethernet interfaces
• If your current wired network
deployment enforces 802.1X
authentication, the DOT3SVC
service should be configured
to run for establishing Layer 2
connectivity and/or providing
access to network resources
• Wired networks that do not
enforce 802.1X
authentication are
unaffected by the DOT3SVC
service
• Click Automatic
• Click Start

• Click OK


• Right click
• Click Status
• Click Details

from the 10.5.10.0/24
subnet?
The user has
authenticated with
802.1X/EAP and
RADIUS is returning
the user profile
attribute: 10

14. Verify authentication and VLAN of wired client
Go to MonitorClientsWired Clients and locate

your entry
• Note the IP, Client Auth Mode, User Profile Attribute

and VLAN
• VLAN 10 is the employee VLAN assigned because
802.1X authentication was successful and the host
was assigned to the Auth OK user profile.

For Reference: Switch CLI
SR-04-866380# show auth int eth1/12
Authentication Entities:
if=interface; UID=User profile group ID; AA=Authenticator

Address;
if=eth1/12; idx=16; AA=08ea:4486:638c; Security-obj=Secure-2;

default-UID=1;
Protocol-suite=802.1X;Auth-mode=port-based; Failure-UID=100;
Dynamic-VLAN=10;
No. Supplicant UID Life State DevType User-Name

Flag
--- -------------- ---- ----- -------------- ------- -----------

--------- ----
0 000c:2974:aa8e 10 0 done data AH-

LAB\user4 000b

Enable 802.1X for Wired Connections
If you need to
troubleshoot you can
view Local Area
Connection 3
• From the start menu,
type view network
• Right-click Local Area
Connection 3, and click
Diagnose
› This will reset the
adapter, clear the
caches, etc…

Clearing Authentication Cache
For Testing or Troubleshooting
• From the Wired

Clients list, you can
select and Deauth a
client
› Clear the All the
caches for the
client on the switch
• Then on the hosted
PC, you will need to
disable then enable
Local Area
Connection 3 to force
a reauth
MISC MONITORING

Switch Monitoring
• MonitorSwitches
• Click on the hostname
of the switch

Switch Monitoring
• Hover with your mouse over the switch ports

Switch Monitoring
System Details

Switch Monitoring
Port Details and PSE Details

Power Cycle Devices via PoE
• To configure this feature for selected ports on a switch, navigate

to Monitor  Switches in the Managed Devices tab, click the
name of the switch, and scroll down to PSE Details.
• Select the check box or boxes for the port or ports that you want
to cycle, and then click Cycle Power.
This is useful in the event that an AP or multiple APs are locked up
and need to be rebooted remotely. Bouncing the PoE port forces
the AP reboot.

Switch Monitoring
• MonitorActive ClientsWired Clients

• Add User Profile Attribute, and move it up, it is useful

Switch Monitoring
• Click on the MAC address for a wired client to see more

information

Switch Monitoring
• Utilities…StatisticsInterface

Switch Monitoring
• Utilities…DiagnosticsShow PSE

VLAN Probe
Use VLAN Probe to verify VLANs and DHCP Service
• MonitorSwitches – Select your device, and go to

Utilities…DiagnosticVLAN probe
NOTE: If you get the same IP subnet for each of the VLANs, that is a sign
that the switch uplink port is connected to an access port, not a trunk port
like it should be.
Client Monitor
• Tools  Client Monitor

• Client Monitor can be used to troubleshoot 802.1X/EAP
authentication for wired clients

Switch CLI
• SR-02-66ec00#show interface switchport

Name: gigabitethernet1/1
Switchport: enable
Port Mode: access
Port Mirror: disable
Port User-profile ID: 0
Static Access VLAN: 1
Dynamic Auth VLAN: 0
Name: gigabitethernet1/2
Switchport: enable
Port Mode: access
Port Mirror: disable
Port User-profile ID: 10
Static Access VLAN: 10
Dynamic Auth VLAN: 0

Switch CLI
• show client-report client

GENERAL SWITCHING

Storm Control
• Aerohive switches can mitigate traffic storms due to a variety of causes by

tracking the source and type of frames to determine whether they are
legitimately required.
• The switches can then discard frames that are determined to be the
products of a traffic storm. You can configure thresholds for broadcast,
multicast, unknown unicast, and TCP-SYN packets as a function of the
percentage of interface capacity, number of bits per second, or number
of packets per second.
From your network policy with Switching enabled: Go to Additional

Settings>Switch Settings>Storm Control

IGMP Snooping MAC Addresses
• Aerohive switches are

capable of monitoring
IGMP transactions
between multicast
routers and client
devices, and
maintaining a local
table of IGMP groups
and group members
• Aerohive switches use
this information to
track the status of
multicast clients
attached to the
switch ports so that it From your network policy with Switching
can forward multicast enabled: Go to Additional Settings>Switch
traffic efficiently Settings>IGMP Settings

• Aerohive switches are

capable of monitoring
IGMP transactions
between multicast
routers and client
devices, and
maintaining a local
table of IGMP groups
and group members
• Aerohive switches use
this information to
track the status of
multicast clients
attached to the
switch ports so that it From your network policy with Switching
can forward multicast enabled: Go to Additional Settings>Switch
traffic efficiently Settings>IGMP Settings

• IGMP device specific options available in the switch device

configuration
• Users can enable/disable IGMP snooping to all VLAN or to a
specified VLAN. When IGMP snooping disabled, all multicast
dynamic mac-address should be deleted.

GENERATE AEROHIVE SWITCH RADIUS
SERVER CERTIFICATES
Required When Aerohive Devices are Configured as

RADIUS Servers
256
HiveManager Root CA Certificate
Location and Uses
• To view certificates, go to: Configuration, click Show Nav, then go to
Advanced Configuration Keys and CertificatesCertificate Mgmt
• This root CA certificate is used to:
› Sign the CSR (certificate signing
request) that the HiveManager
creates on behalf of the AP acting
as a RADIUS or VPN server
› Validate Aerohive AP certificates
to remote client
» 802.1X clients (supplicants) will need
a copy of the CA Certificate in order
to trust the certificates on the
Aerohive AP RADIUS server(s)
• Root CA Cert Name:
Default_CA.pem
• Root CA key Name:
Default_key.pem
Note: The CA key is only ever used

or seen by HiveManager

Copyright ©2011
Use the Existing HiveManager CA
Certificate, Do not Create a New One!
• For this class, please do not create a new HiveManager

CA certificate, otherwise it will render all previous
certificates invalid.
• On your own HiveManager, you can create your own HiveManager
CA certificate by going to: Configuration, then go to
Advanced ConfigurationKeys and CertificatesHiveManager CA
LAB: Aerohive Switch Server Certificate and Key
1. Generate Aerohive switch server certificate
• Go to Configuration, click Show Nav

Advanced Configuration
Keys and CertificatesServer CSR
• Common Name: server-X
• Organizational Name: Company
• Organization Unit: Department
• Locality Name: City
• State/Province: <2 Characters>
• Country Code: <2 Characters>
• Email Address: userX@ah-lab.com
• Subject Alternative Name:
User FQDN: userX@ah-lab.com
Note: This lets you add an extra step of validating
the User FQDN in a certificate during IKE phase 1
for IPSec VPN. This way, the Aerohive AP needs a
valid signed certificate, and the correct user
Enter FQDN.
Switch-X • Key Size: 2048
• Password & Confirm: aerohive123
• CSR File Name: Switch-X
• Click Create
Notes Below
2. Sign and combine
Use this option to send Enabling this setting helps

a signing request to an prevent certificate and key
external certification mismatches when
authority. configuring the RADIUS
settings
• Select Sign by HiveManager CA

› The HiveManager CA will sign the Aerohive AP Server
certificate
• The validity period should be the same as or less than the
number of days the HiveManager CA Certificate is valid
› Enter the Validity: 3650 – approximately 10 years
• Check Combine key and certificate into one file
• Click OK

3. View server certificate and key
• To view certificates,
go to:
Configuration, click
Show Nav
Then go to Advanced
Configuration
Keys and Certificates
Certificate Mgmt
• The certificate and key file
name is:
switch-X_key_cert.pem
• QUIZ
› Which CA signed this
Aerohive switch server key?
› What devices need to install

the CA public cert?

QUESTIONS?

Lab: Switch as a RADIUS server
1. Edit existing policy
• From Configuration,
• Select your Network policy:
Access-X
• Click OK and then Continue
Lab: Switch Active Directory Integration
2. Select your Network Policy
To configure the Aerohive device as a RADIUS server...

Select the Configure & Update Devices bar
• Select the Filter: Current Policy
• Click the link for your Switch – SR-0X-######

Copyright ©2011
3. Create a RADIUS Service Object
Create a Aerohive AP RADIUS Service Object

• Under Optional Settings, expand Service Settings
• Next to Device RADIUS Service click +

Lab: Switch AP Active Directory Integration
4. Create a RADIUS Service Object
• Name: SR-radius-X
• Expand Database
Settings
• Uncheck  Local
Database
• Check  External
Database
• Under Active
Directory, click + to
define the RADIUS
Active Directory
Integration Settings

5. Select a switch to test AD integration
• Name: AD-X
• Aerohive device for Active Directory connection setup,
select your Switch: SR-0X-#####
› This will be used to test Active Directory integration
› Once this switch is working, it can be used as a template for
configuring other Aerohive device RADIUS servers with Active
Directory integration
• The IP settings for the selected Aerohive switch are gathered
and displayed
6. Modify DNS settings
• Set the DNS server to: 10.5.1.10

› This DNS server should be the Active Directory DNS server or
an internal DNS server aware of the Active Directory domain
• Click Update
› This applies the DNS settings to the Network Policy and to the
Aerohive device so that it can test Active Directory
connectivity
7. Specify Domain and Retrieve Directory Information
• Domain: ah-lab.local
• Click Retrieve Directory Information
› The Active Directory Server IP will be populated as well
as the BaseDN used for LDAP user lookups
8. Specify Domain and Retrieve Directory Information
• Domain Admin: hiveapadmin(The delegated admin)

• Password and Confirm Password: Aerohive1
• Click Join
• Check  Save Credentials
› NOTE: By saving credentials you can automatically join
Aerohive devices to the domain without manual intervention
9. Specify A User to Perform LDAP User Searches
• Domain User user@ah-lab.local (a standard domain user )

• Password and Confirm Password: Aerohive1
• Click Validate User
› You should see the message: The user was successfully
authenticated.
› These user credentials will remain and be used to
perform LDAP searches to locate user accounts during
authentication.
10. Save the AD Settings
• Click Save

11. Apply the AD settings
• Select AD-X with

priority: Primary
• Click Apply
…Please make sure
you click apply
• Do not save yet..

12. Enable LDAP credential caching
Enable the ability for

an Switch RADIUS
server to cache user
credentials in the
event that the AD
server is not
reachable, if the user
has previously
authenticated
• Check  Enable
RADIUS Server
Credentials Caching
• Do not save yet...

13. Assign server certificate
Optional Settings >

RADIUS Settings:
Assign the switch
RADIUS server to the
newly created switch
server certificate and
key
• CA Cert File: Default_CA.pem

• Server Cert File:
• Server Key File:
• Key File Password & confirm password: aerohive123
• Click Save
14. Verify the RADIUS service object
• Ensure that the

Aerohive AP RADIUS
Service is set to:
switch-radius-X
• Do not save yet…

15. Set Static IP address on MGT0 interface
• Expand MGT0 Interface Settings

Note: Aerohive devices that
• Select Static IP function as a server must
have a static IP address.
• Static IP Address: 10.5.1.7X
X = student number 02 = 72, 03 = 73… 12 = 82, 13 = 83
• Netmask: 255.255.255.0
• Default Gateway: 10.5.1.1
16. Save the switch settings
• Click Save
NOTE: Your Aerohive
switch will have an
icon displayed
showing that it is a
RADIUS server.

QUESTIONS?

SSID FOR 802.1X/EAP AUTHENTICATION
USING AEROHIVE DEVICE RADIUS WITH
AD KERBEROS INTEGRATION

Lab: Switch RADIUS w/ AD Integration
1. Edit your WLAN Policy and Add SSID Profile
Configure an SSID that

uses the 802.1X/EAP
with AD (Kerberos)
Integration
• Select the Configure
Interfaces & User
Access bar
• Next to SSIDs click
Choose
• In Chose SSIDs
› Select New

2. Configure a 802.1X/EAP SSID
• Profile Name:
Class-AD-X
• SSID:
Class-AD-X
• Under SSID
Access Security
select
 WPA/WPA2
802.1X
(Enterprise)
• Click Save

Copyright ©2011
3. Select new Class-AD-X SSID
Ensure • Click to deselect

Class-AD-X is the Class-PSK-X
highlighted then SSID
click OK
• Ensure the
AD-X SSID
is selected
• Click OK
Click to
deselect
Class-PSK-X

4. Create a RADIUS object
• Under Authentication, click <RADIUS Settings>

• In Choose RADIUS, click New
Click
Click

5. Define the RADIUS Server IP settings
• RADIUS Name:
SWITCH-RADIUS-X
• IP Address/Domain
Name: 10.5.1.7X
02 = 72, 03 = 73…
Click Apply
12 = 82, 13 = 83
When Done!
• Leave the Shared
Secret Empty
NOTE: When the Aerohive
device is a RADIUS server,
devices in the same Hive
automatically generate a
shared secret
• Click Apply
• Click Save
6. Select User Profiles
• Verify that under Authentication, SWITCH-RADIUS-X is

assigned
• Under User Profile click Add/Remove

7. Assign User Profile as Default for the SSID
Default Tab • With the Default tab

select (highlight) the
Employee-Default user
profile
• IMPORTANT: This user
profile will be assigned if
no attribute value is
returned from RADIUS
after successful
Authentication Tab authentication, or if
attribute value 1 is
returned.
• Click the Authentication
tab
8. Assign User Profile to be Returned by RADIUS Attribute
• In the Authentication
tab
• Select (highlight)
Employee-X
› NOTE: The (User
Profile Attribute) is
appended to the
Authentication Tab User Profile Name
• Click Save

9. Verify and Continue
• Ensure Employee-Default-1 • Click Continue

and Employee-X user or click the bar to
profiles are assigned to the Configure & Update
Class-AD-X SSID Devices

10. Upload the config to the switch and AP
In the Configure & Update Devices section

• Select your devices 
• Click Update


devices
• Click Update
For this class, ALL

Updates should be
Complete
configuration
updates

• Should the Reboot Warning box appear, select OK
Click OK
QUESTIONS?

CLIENT ACCESS PREPARATION -
DISTRIBUTING CA CERTIFICATES
TO WIRELESS CLIENTS

LAB: Exporting CA Cert for Server Validation
1. Go to HiveManager from the Remote PC
• From the VNC

connection to the
hosted PC, open a
connection to:
• For HM 1 – 10.5.1.20
• For HM 2 – 10.5.1.23
• For HM 3 – 10.5.1.20
• For HM 5 – 10.5.1.20
• Login with: adminX
• Password: aerohive123
NOTE: Here you are
accessing HiveManager
via the PCs Ethernet
connection

2. Download Default CA Certificate to the Remote PC
NOTE: The HiveManager Root

CA certificate should be
installed on the client PCs
that will be using the RADIUS
service on the Aerohive
device for 802.1X
authentication
• From the Remote PC,
go to Configuration,
then click Show Nav,
Keys and Certificates
Certificate Mgmt
• Select Default_CA.pem
• Click Export

3. Rename HiveManager Default CA Cert
• Export the public root

Default_CA.pem certificate
to the Desktop of your
hosted PC
› This is NOT your Aerohive
AP server certificate, this
IS the HiveManager
public root CA certificate
• Rename the extension of
Make the Certificate name: the Default_CA.pem file to
Default_CA.cer Default_CA.cer
› This way, the certificate
will automatically be
Save as type: recognized by Microsoft
All Files Windows
• Click Save
4. Install HiveManager Default CA Cert
• Find the file that was just

exported to your hosted PC
• Double-click the certificate
file on the Desktop:
Default_CA
• Click Install Certificate
Issued to: HiveManager

This is the name of the certificate if you
wish to find it in the certificate store, or if
you want to select it in the windows
supplicant PEAP configuration.

5. Finish certification installation
• In the Certificate
Import Wizard click
Next
• Click  Place all
certificate in the
following store
• Click Browse

6. Select Trusted Root Certification Authorities
• Click Trusted Root

Certification Authorities
• Click OK
• Click Next

7. Finish Certificate Import
• Click Finish
• Click Yes
• Click OK

8. Verify certificate is valid
• Click OK to Close the

certificate
• Double-click Default_CA to
reopen the certificate
• You will see that the
certificate is valid and it valid
from a start and end date
• Click the Details tab

9. View the Certificate Subject
• In the details section, view

the certificate Subject
• This Subject: HiveManager is
what will appear in the list of
trusted root certification
authorities in your supplicant
configured later in this lab.
Protected EAP (PEAP) Properties
In supplicant (802.1X client)

QUESTIONS?

CONFIGURING AND TESTING YOUR
802.1X SUPPLICANT
For Windows 7
Supplicants

Lab: Testing Switch RADIUS w/ AD Integration
1. Connect to Secure Wireless Network
On the hosted PC,

from the bottom
task bar, click the
wireless networks
icon
• Click Class-AD-X
• Click Connect
• A windows
security alert
should appear,
click Details to
verify this
certificate if from
HiveManager,
then click
Connect server-2 is the AP cert,
and HiveManager is the
© 2013 Aerohive Networks CONFIDENTIAL trusted CA 306
Lab: Testing Switch RADIUS w/ AD Integration
2. View Active Clients
• After associating with your SSID, you should see your

connection in the active clients list in HiveManager
› Go to MonitorClientWireless Clients
• IP Address: 10.5.1.#
• User Name: DOMAIN\user
• VLAN: 1
User Profile Attribute: 1
NOTE: User Profile Attribute is the Employee-Default-1 user profile

for the SSID. This user profile is being assigned because no User
Profile Attribute Value was returned from RADIUS.

QUESTIONS?

MAPPING ACTIVE DIRECTORY
MEMBEROF ATTRIBUTE
TO USER PROFILES

Aerohive AP as a RADIUS Server - Using AD
Member Of for User Profile Assignment
• In your Network policy, you defined an SSID with two user profiles
› Employees(1)-1 – Set if no RADIUS attribute is returned
» This use profile for example is for general employee staff, and they get
assigned to VLAN 1
› Employee(10)-X – Set if a RADIUS attribute is returned
» This user profile for example is for privileged employees, and they get
assigned to VLAN 10
• Because the switch RADIUS server is using AD to authenticate the
users, and AD does not return RADIUS attributes, how can we assign
users to different user profiles?
• Though AD does not return RADIUS attributes, it does return other
attribute values, like MemberOf which is a list of AD groups to which
the user belongs
Instructor Only: Confirm User is a
member of the Wireless AD Group
 Right click the username userX

and click Properties
 Click on the Member Of tab
 The user account userX should

belong to the Wireless
AD Group
 Click OK

Lab: Use AD to Assign User Profile
1. Map memberOf attribute to user profile
• From Configuration, Show Nav,

Authentication 
Aerohive AAA Server Settings
SR-radius-X
• Expand Database Settings
• Check  LDAP server attribute
Mapping
• Select  Manually map LDAP user
groups to user profiles
• LDAP User Group Attribute:
memberOf
• Domain: dc=AH-LAB,dc=LOCAL
• Click + to expand the LDAP tree
2. Add group to user profile mapping
• Expand the tree

Click the LDAP
structure to locate
Group
Map group to
› Expand
Employee(10)-X CN=Users
› Select
CN = Wireless
• For Maps to, from
the drop down list,
select the user
profile: Employee-X
• Click Apply
NOTE: The CN in Active Directory • The mapping
does not have to match the name appears below the
of the user profile, this is just by LDAP directory
choice, not necessity. • Click Save
3. Update devices

• Select Perform a
devices Click Update
For this class, ALL

Updates should be
Complete
configuration
updates

4. Update devices
Click OK
Lab: Use AD to Assign User Profile SSID
5. Disconnect and Reconnect to the Class-AD SSID
To test the mapping

of the memberOf
attribute to your user
profile
• Disconnect from the
Class-AD-X SSID
• Connect to the
Class-AD-X SSID

Lab: Use AD to Assign User Profile SSID
6. Verify your active client settings
• From MonitorClientsActive Clients

› Your client should now be assigned to
» IP Address: 10.5.10.#
» User Profile Attribute: 10
» VLAN: 10
NOTE: In the previous lab, without the

LDAP group mapping, the user was
assigned to attribute 1 in VLAN 1

QUESTIONS?

AEROHIVE SWITCHES AS
BRANCH ROUTERS

Medium Size Branch or Regional Office
• SR2024 as Branch Router

› Line Rate Layer 2 Switch
› 8 Ports of PoE Internet SR2024
› Multi-authentication
access ports
» 802.1X with fallback to AP
PoE
MAC auth or open
› Client Visibility
» View client information by port
AP AP
› RADIUS Server
› Routing between local VLANs
Provides Access For:
› Layer 3 IPSec VPN • Employees
› NAT for Subnets through VPN • Guests
• Contractors
› NAT port forwarding on WAN • Phones
› DHCP Server • APs
› USB 3G/4G Backup • Servers
› and more…
CREATE A ROUTING NETWORK
POLICY – YOU CAN CLONE YOUR
EXISTING ACCESS POLICY
For Wireless, Switching, and Routing

Lab: Add Routing to Network Policy
1. Edit existing policy
• From Configuration,
• Next to your Network policy: Access-X
• Click the sprocket icon
• Click Edit

Lab: Add Routing to Network Policy
2. Edit select Branch Routing
Add the option for

Branch Routing to your
Network Policy
• Check Branch Routing
so you have:
› Wireless Access
› Switching
› Branch Routing
• NOTE: Enabling Branch Routing: › Bonjour Gateway
» Enables L3 VPN Configuration
» Disable L2 VPN Configuration
• Click Save
» Enable L3 Router Firewall Policy • Click OK
» Policy-Based Routing with Identity
» Enables Router configuration settings in Additional Settings

CLONE SWITCH DEVICE TEMPLATE
AS SWITCH AND ADD NEW SWITCH
DEVICE TEMPLATE AS BRANCH
ROUTER

Lab: Create a Switch Template for Routing
1. Select and clone your existing device template
• Next to Device
Templates, click
Choose
• Select your
SR2024-Default-X
device template
(configured as
switch)
• Click the
sprocket icon
• Click Clone

2. Define router function of the device template
• Click Device Models

• Notice all the devices that
you can create templates
when the network policy
includes routing
• Ensure that SR2024 is selected
• Click OK

3. Define router function of the device template
• Name: SR2024-Router-Default-X
• Change the function to Router
• Click Save

4. Select both templates
• Ensure both of your SR2024

policies are selected.
• Click OK
• Hide the SR2024-Default-X
(Switch) template
• Expand the SR2024-
Router-Default-X (Router)
template

5. Remove configuration of existing uplink ports
Next you can change

your uplink ports and
add a WAN port
instead
• Select ports 23 and
24, and click
Configure
• Remove the port
type by clicking on
the port type you
have selected to
ensure it is no longer
highlighted
• Click OK
• Click OK again to the
Warning
Examples of templates for other devices
BR200-WP
AP330 as Router

CONFIGURE ROUTER WAN PORTS
- PORTS THAT CONNECT TO THE
INTERNET AND PROVIDE NAT

Router WAN Ports
• SR2024 as Branch Router DSL –

WAN Port example WAN
Backup 1
Corp ISP (Fast) –

USB Wireless –
WAN
WAN
Primary
Backup 2
1. Add necessary WAN port for router
When the switch is a router, you must configure at least one port as a WAN port
• Select Port 23,

and Port 24
(USB is always a
WAN port)
• Click
Configure
Note: You can have up to 3 WAN ports: 1 primary and 2 backup.

2 Ports can be Ethernet, and one can be USB. If you select
multiple ports as WAN ports, you can select which ones are
primary and backup in the switch specific settings.
2. Add necessary WAN port for router
• Click New
• Name: WAN-X
• Select WAN
• Click Save
• With WAN-X selected, click OK

3. Review WAN port settings
• The USB Port, Port 23, and Port 24 will now display a WAN
(Cloud) icon (USB does not display cloud icon in this version of code)
The ports will

display a WAN
(Cloud) icon


Note: Switch Port Settings
To be configured later, not now.
• At a later point in this lab, you will

configure the priority of the WAN ports
for primary and backup
Switch Settings:
These will be
configured later.

PORT TYPES

6.0 Network Policy
Besides the addition

of the WAN port, all
port types are
identical in network
policies with and
without branch
routing selected!
This means the
same port types
can be used in
both switching
(layer 2) and
branch routing
(layer 3) network
policies.
VLAN-TO-SUBNET ASSIGNMENTS
FOR ROUTER INTERFACES

VLAN-to-subnet assignments
for router interfaces
• If the network policy is configured with Routing, then for

every VLAN configured for SSIDs or port types, you must
define the IP subnets that will be assigned to the branch
routers or switches as branch routers
• The VLANs are automatically populated from the VLANs
assigned to user profiles for SSIDs and port types
• If you have additional VLANs to define, you can click Add

Network and Sub Networks
Internal Use
• HiveManager assigns a unique subnet from the network to each
router, including the DHCP settings
HQ
Network
10.102.0.0/16
BR100
Cloud VPN
Gateway
Sub Network 10.102.2.0/24
Internet DHCP: IP Range 10.102.2.10 – 10.102.2.244
Default Gateway: 10.102.2.1
DNS: 10.102.2.1 (Router is DNS Proxy)
BR100
BR100
Sub Network 10.102.0.0/24 Sub Network 10.102.1.0/24

DHCP: IP Range 10.102.0.10 – 10.102.0.244 DHCP: IP Range 10.102.1.10 – 10.102.1.244
Default Gateway: 10.102.0.1 Default Gateway: 10.102.1.1
DNS: 10.102.0.1 (Router is DNS Proxy) DNS: 10.102.1.1 (Router is DNS Proxy)
Networks and Hosts Per Network
A Little Bit of Subnet Theory – Yay!
Calculating a network using an IP address and a netmask
Conversion chart between binary and decimal

27 26 25 24 23 22 21 20
128 64 32 16 8 4 2 1 Decimal value for bit position
0 0 0 0 1 0 1 0 = 8 + 2 = 10 for example
When you assign IP addresses, you can determine how many
networks and how many hosts per network you need.
Example: Create subnets for network: 10.102.0.0/16
8 bits 8 bits 8 bits 8 bits
IP Address in binary: 00001010.01100110.00000000.00000000
Netmask in binary: X 11111111.11111111.11111111.00000000
Multiply each column: 00001010.01100110.00000000.00000000
Convert back to decimal: 10. 102 . 0 . 0
IP Network Subnet Hosts
8 bits = 8 bits
© 2013 Aerohive Networks CONFIDENTIAL 256 subnets 256 hosts – 2 = 254
IP Address Management
Example 1: Move Subnet slider bar to 256 Branches
Network Mask: /16 Subnet Mask: /24

8 bits = 8 bits
256 branches 256 clients/branch
– 3 = 253
Note: HiveManager lets you reserve the first or last IP in the
subnets as the default gateway for the subnet.
Automatic Subnet Creation
10.102.0000000=0. 1-254
10.102.0000001=1. 1-254
10.102.0000010=2. 1-254
10.102.0000011=3. 1-254
10.102.0000100=4. 1-254
10.102.0000101=5. 1-254
10.102.0000110=6. 1-254
10.102.0000111=7. 1-254
10.102.0001000=8. 1-254
..
10.102.1111111=255.1-254
IP Address Management
Example 2: Move Subnet slider bar to 512 Branches
Network Mask: /16 Subnet Mask: /25

9 bits = 7 bits
512 branches 128 clients/branch
– 3 = 125
Note: HiveManager lets you reserve the first or last IP in the
subnets as the default gateway for the subnet.
Automatic Subnet Creation
10.102.0000000.0 =
0.0 1-126
10.102.0000000.1 =
0.128 129-254
10.102.0000001.0 =
1.0 1-126
10.102.0000001.1 =
1.128 129-254
10.102.0000010.0 =
2.0 1-126
10.102.0000010.1 =
2.128 129-254
10.102.0000011.0 =
3.0 1-126
10.102.0000011.1 =
3.128 129-254
10.102.0000100.0 =
4.0 1-126
..
10.102.1111111.1 = 255.128 129-254
Internal Use
HQ
Network
10.102.0.0/16
BR100
Cloud VPN
Gateway
BR100
BR100

LAB: Assign VLAN-to-subnet – router interfaces
• If the network policy is configured with Routing, then for

every VLAN configured for SSIDs or port types, you must
define the IP subnets that will be assigned to the branch
routers or switches as branch routers
• The VLANs are automatically populated from the VLANs
assigned to user profiles for SSIDs and port types
• If you have additional VLANs to define, you can click Add

1. Select VLAN 10 and create network
• Next to VLAN 10, click Choose
• Click New

2. Create internal employee network
• Name: Net-Employee-1XX
XX=02,03,..15,16
• Web Security: None
• DNS Service: Class
• Network Type: Internal Use
• Do not save yet
Note: DNS Service Objects
NOTE: This Quick Start DNS Service object sets clients to

use the router interface IP as the DNS server, and will
proxy the DNS requests to the DNS server learned
statically or by DHCP on the WAN interface. Separate
DNS servers can also be used for internal and external
domain resolution.
3. Create internal employee network
• Click NEW to create a parent network

4. Define the Parent Network and subnetworks
• IP Network:
10.1XX.0.0/16
NOTE: This is the parent

network that will be
partitioned to create a
• number of IP subnets
10.1XX.0.0/16
determined by moving
the slider bar. The slider
bar is used to set the
number of branches vs.
clients per branch which
defines the subnet mask
for each subnet.
Moving the slider bar changes the
• Move the slider bar to number of bits in the subnet mask.
select 256 branches and
253 clients per branch The clients per branch = 253 in this case
because 1 IP is reserved for the router,
and then 0 and 255 are not used.
5. Enable DHCP
• Check  Enable DHCP

server
NOTE: In most cases, the
router will be the DHCP
server. However, if it is
not, you can disable the
DHCP service and this
network definition will
only be used to
configure the router
interface IP addresses.
• For the DHCP Address

Pool, move the slider bar
to reserve 10 IP addresses
at the start of the address
pool that can be defined
statically.
Please do not save yet!!!
Note: Custom Options Example
• Note that you can

define custom
DHCP options if
needed
• For example, you
can set the custom
DHCP options for
the hostname of
HiveManager
(option 225) or the
IP address of
HiveManager
(option 226) or
options required by
certain IP phones

DEFINE SPECIFIC SUBNETS FOR
EACH SITE BY USING DEVICE
CLASSIFICATION

What is the goal?
Network
10.101.0.0/16
• Define subnets from the IP
address space to specific sites Site-1c
• For example, define the
subnets that will be used for BR100
Site-1a and Site-1b, but let
HiveManager allocate one for
Site-1c Sub Network 10.101.25.0/24
DHCP: IP Range 10.101.25.11 –
10.102.25.254
Internet
Site-1a Site-1b BR100

BR100

1. Define subnet to be assigned to Site-Xa
By default, each branch

router will be assigned one
subnet from the Local IP
Address Space
• To define specific subnets
of the Local IP address
space to assign to sites
› Check  Allocate local
subnetworks by
specific IP addresses at
sites and click
• IP Address: 10.1XX.1.1
(XX=01,02,03,..18)
• Type: Device Tag
• Tag1: Site-Xa
(Xa=2a,3a,4a,..,18a)
• Click Apply
2. Define subnet to be assigned to Site-Xb
Define the next subnet

• Click New
• IP Address: 10.1XX.2.1
• Type: Device Tag
• Tag1: Site-Xb
(Xb = 2b, 3b, 4b,..,18b)
• Click Apply
Note: You can specify up to 256 tags
• Click Save
3. Save the Network
Verify you have

all the setting
needed for the
network
• DNS: Class
• Network Type:
Internal Use
• Subnetwork:
10.1XX.0.0/16
• Verify the IP
Allocation
Statements Note: (T) = True or Match the tag
(F) = False, and no match required
• Click Save Here you can see: 10.102.1.1 must have a router with
Tag1 set to: Site-2a, and 10.102.2.1 must have a router
with Tag1 set to: Site-2b. 361
4. Choose the Network
• Ensure your policy is

highlighted and click OK

Note: Device Classification Settings
On Your Device
• In a later lab, you will need to define Device

Classification Tag1 on your switch with the same entry
that was used in the network configuration: Site-Xa
Device Specific Settings

What did you just do?
• You specified that certain sites Network
had or will require specific IP 10.101.0.0/16
addresses in them, for
example Site-1a (10.101.1.1)
and Site-1b (10.101.2.1)
› These can be any IP in the
Site-1c
subnet. We chose the IP of
default gateways. BR100
• Therefore HiveManager will

allocate the subnets that Sub Network 10.101.25.0/24
match the IP addresses DHCP: IP Range 10.101.25.11 –
that are specified for 10.101.25.254
two of the sites Default Gateway: 10.101.25.1
Internet *This subnet was chosen by HiveManager
because an IP at the site was not defined.
Site-1a Site-1b BR100

BR100

ADD NETWORKS FOR
THE OTHER VLANS

Add More Networks
• Create networks for VLAN 2 and VLAN 8

• If the VLAN is not in the list, click Add
› Enter the VLAN
› Then proceed to configuring the networks

1. Select VLAN 2 and create network
• Next to VLAN 2, click Choose
• Click New

2. Create internal voice network
• Create another Internal Network for VLAN 2:

10.2XX.0.0-Voice-X
• DNS service: Class
• Network Type: Internal Use
• Do not save yet
3. Create internal voice network
• Click NEW to create a parent network

4. Define the Parent Network and subnetworks
• IP Network:
10.2XX.0.0/16
NOTE: This is the parent
network that will be
partitioned to create a
10.1XX.0.0/16
•number of IP subnets
determined by moving
the slider bar. The slider
bar is used to set the
number of branches vs.
clients per branch which
defines the subnet mask
for each subnet.
Moving the slider bar changes the
• Move the slider bar to number of bits in the subnet mask.
select 256 branches and The clients per branch = 253 in this case
253 clients per branch
because 1 IP is reserved for the router,
and then 0 and 255 are not used.
5. Enable DHCP

server
only be used to
at the start of the address
pool that can be defined
statically.
• Click Save
6. Verify and save the Subnetwork
• Click Save
• Ensure your policy is highlighted and click OK

Networks for Guest Use
• All guest stations at each branch office use the same IP subnet
• All guest traffic destined to the Internet is network address translated
to the unique IP address of the router WAN interface
WAN:
HQ 1.3.2.90
Network:
Guest Use
BR100
Cloud VPN
Gateway Network 192.168.83.0/24 (Guest Use)
DHCP: IP Range 192.168.83.10 – 192.168.83.244
Internet Default Gateway: 192.168.83.1
WAN:
2.50.33.5
WAN:
2.1.1.20 BR100
BR100
Network 192.168.83.0/24 (Guest Use) Network 192.168.83.0/24 (Guest Use)

7. Select VLAN 8 and create guest network
• Next to VLAN , click Choose
• Click New

8. Create the Guest network
• Name:
192.168.83.0-Guest-X
• DNS Service: Class
• Network Type to:
Guest Use
• Guest Use Network:
192.168.83.0/24
• DHCP Address Pool,
reserve the first 10
• Check  Enable
DHCP server
NOTE: Devices assigned to a Guest Use network are
restricted from access the corporate VPN or from
initiating communication to corporate devices
9. Save the Guest network
• Verify your settings

• Click Save
• Click OK
Verify Subnet Assignments for
Router Interfaces
• You should have a network defined for each

of the VLANs specified

• From the Configure Interfaces &

User Access bar, click Save
CHANGE SSID PROFILES

Lab: Change SSID Profiles
1. Change SSIDs
• Configure Interface & User Access

• Next to SSIDs, click: Choose

2. Select Class-PSK-X SSID
Ensure
Class-PSK-X is • Click to deselect
highlighted then the AD-X SSID
click OK
• Ensure the
Class-PSK-X SSID
is selected
• Click OK

3. Verify settings
• Verify settings
• Click Continue

CREATING FILTERS

Lab: Device Filters
1. From Configure & Update Devices
Create filters to limit the number of devices displayed

• Click the Configure & Update Devices bar
• Next to Filter, click +

Lab: Device Filters
2. Create a filter
You can create and
save filters based on a
lot of criteria
• For this filter
› Set the Device
Model to SR2024
› Set the hostname
to: SR-XX-
› XX is your two digit
student ID: 02-15
› Do not forget the
dash – at the end,
this will ensure your
student ID is the
match
• For Remember This
Filter, enter:
XX-switch-router
© 2013 Aerohive Networks CONFIDENTIAL • Click Search 385
Lab: Device Filters
3. View your Real and Simulated Switch/Routers
• We will be using real and simulated devices in this lab

• With the filter selected, you will see your real, and
simulated switch/routers that all start with SR-XX-

UPDATE THE DEVICE
CONFIGURATION
OF YOUR SWITCH/ROUTERS

Lab: Update your Switch Configuration
1. Modify your switch
• Check  next to your switch SR-XX-#######

• Click Modify

2. Change switch to function as a router
Make the following

settings
• Device Function:
Router
(IMPORTANT)
• Location:
First-Name_Last-
Name
• Network Policy:
Access-X
• When the warning
box appears, click:
OK
• Do NOT save yet

3. Specify the Device Classification Tag1
Set the Device

Classification Tag1
so that this device
will be assigned to
networks with
matching tag
definitions
• Under Device
Classification
› Tag1: Site-Xa
Note: The tag you
entered in the
network will
automatically
show up in the list
• Do NOT save yet

4. Change WAN port priority settings
NOTE: Check Enable NAT

• Expand Interface and Network Settings
• Set the following priorities:
› USB WAN: Backup2
› Eth1/23 WAN: Backup1
› Eth1/24 WAN: Primary (Please verify that 1/24 is Primary)
• Ensure NAT is enabled on the WAN Interfaces
• Do Not save yet

5. Disable RADIUS services
Remove the RADIUS object from earlier lab

• Under Optional Settings, expand Service Settings
• Uncheck ☐Enable the router as a RADIUS Server

Lab: Update Router Configuration
6. Save your device settings
• Click Save
7. Update your device settings
• Select  Routers to select all three routers

• Click Update


devices
• Click Update
For this class, ALL

Updates should be
Complete
configuration
updates

Click OK

VIEW SUBNET ALLOCATION REPORT

Internal Use
HQ
Network
10.102.0.0/16
BR100
Cloud VPN
Gateway
BR100
BR100

Lab: Subnet Allocation Report
1. View the IP addresses assigned to the routers
• From Monitor, in the navigation

tree, click Subnetwork Allocation
Note: One
subnet was • Under Network Name, select
assigned via Network-1XX
classification.
The others • From the10.102.0.0/16 parent
assigned network, a different subnet and
dynamically. DHCP Pool was allocated to
each branch router.

CLI ROUTER COMMANDS

SHOW L3 INTERFACE
From Monitor  Utilities  SSH Client:

show L3 interface

TEST WIRELESS LAN ACCESS

Lab: Test Wireless LAN Access
1. Connect your computer to the SSID: Class-PSK-X
wireless icon on
the bottom right
corner of the
windows task bar
• Click your SSID
Class-PSK-X
• Click Connect
› Security Key:
aerohive123
› Click OK

2. View your client information in Wireless Clients
• View your client in the Active

Clients list by going to:
MonitorClientsWireless
Clients
• Notice the VLAN and
network address

TEST WIRED LAN SECURE ACCESS

Lab: Test LAN Port Access- Secure
1. View your client information in Active Clients
• View your client in the Active

Clients list by going to:
MonitorClientsWired
Clients
• Notice the VLAN and
network address and client
authentication method

Lab: Test LAN Port Access
2. Disable 802.1X for wired clients
• In windows 7, you
must enable 802.1X
support
• As an administrator,
from the start menu
type services
• Then click services

• Click the
Standard
tab on the
bottom of
the services
panel
• Locate
Wired
AutoConfig
and right-
click
• Click
Properties
• Startup type:
Disabled
• Click Stop

• Click OK

6. Clear wired client cache
• Monitor/Clients/Operation:
Deauth Client
• Check  Clear Cache
• Click OK
• Click Yes

7. Clear wired client cache
• Monitor/Clients/Operation:
Deauth Client
• Check  Clear Cache
• Click OK
• Click Yes

8. Reset Ethernet adapter
Because the PC has the

wrong IP it will not work,
you can remedy this by
• Right click on Local Area
Connection 3
• Click Diagnose
or
• Disable then Enable
Local Area Connection 3
• Do NOT Disable Local
Area Connection 2
9. Verify Auth Fail – Guest Network
• Locate Local Area

Connection 3
• Right click
• Click Status
• Click Details
• Why do you see an
IP from the
192.168.83.0
subnet?
› This is the guest
network that is
assigned if
authentication is
not support or fails

ROUTE-BASED IPSEC VPN

Aerohive Layer 2 VPN
Remote Site Headquarters
Layer 2 VPN client devices Layer 2 VPN server devices
AP-100 series Internet AP-300 series

128 tunnels
AP-300 series VPN Gateway Virtual Appliance

(L2 Gateway mode)
1024 tunnels
BR-100 (AP mode)
Note: Layer 2 VPNs are taught in the Aerohive Certified WLAN Professional (ACWP)
class

Notes Below
Aerohive Layer 3 VPN
Remote Site Headquarters
Layer 3 VPN client devices Layer 3 VPN server
BR-100 router Internet
VPN Gateway
(L3 Gateway mode)
BR-200 router 1024 tunnels
AP 330/350
(router mode)
Aerohive switch
(router mode)

Notes Below
Aerohive Route-Based IPSec VPN
Components
Aerohive Routers are Layer 3 IPSec
VPN clients, and provide DHCP,
DNS Proxy, route synchronization,
and RADIUS service, along with
many other features.
VPN Gateway VA
A HiveOS-based Layer 3
IPSec VPN server
that is a Virtual Appliance BR100 BR200
which runs on VMware ESXi Aerohive
Switch
1 VA supports up to 1024 Configured
IPSec VPN tunnels as a Router
HiveAP 330 HiveAP 350

Configured Configured
as a Router as a Router

Corporate VPN – HiveManager Allocates
Unique Network Settings For Each Site
Branch Network
HQ Branch
172.28.0.0/16
Corporate Network
Network BR100
10.1.0.0/16
VPN Sub Network 172.28.2.0/24
Gateway Internet DHCP: IP Range 172.28.2.10 – 172.28.2.244
Branch Branch
Network Network
BR100
BR100


Corporate VPN – HiveManager Allocates
Unique Network Settings For Each Site
• Each router builds a VPN to one or two VPN Gateways
• Routes are synchronized between the routers and VPN Gateways
over the VPN using a TCP-based route exchange mechanism
Branch Network
HQ
Corporate
Network BR100
10.1.0.0/16
VPN Sub Network 172.28.2.0/24
Gateway Internet
Branch Network Branch Network
BR100
BR100

Route-based VPN
• Routers (VPN clients) ask the VPN Gateway for updated route
information and provide their own route changes over the VPN
tunnel every minute by default using a TCP request
HQ Tunnel C
Corporate
Network
BR100
10.1.0.0/16
VPN
Gateway Local network: 172.28.2.0/24
Route: 10.1.0.0/16 to Corp Router Internet Route: 10.1.0.0/16 through VPN tunnel
Route: 172.28.0.0/24 to VPN tunnel A Route: 172.28.0.0/24 though VPN tunnel
Route: 172.28.1.0/24 to VPN tunnel B Route: 172.28.1.0/24 through VPN tunnel
Route: 172.28.2.0/24 to VPN tunnel C Route: 0.0.0.0/0 to Internet Gateway
Route: 0.0.0.0/0 to Internet Gateway
Tunnel B
BR100
BR100
Tunnel A
Local network: 172.28.0.0/24 Local network: 172.28.1.0/24
Route: 10.1.0.0/16 through VPN tunnel Route: 10.1.0.0/16 through VPN tunnel
Route: 172.28.1.0/24 though VPN tunnel Route: 172.28.0.0/24 though VPN tunnel
Route: 0.0.0.0/0 to Internet Gateway Route: 0.0.0.0/0 to Internet Gateway
VPN GATEWAY VIRTUAL APPLIANCE

General Information
• What is a VPN Gateway Virtual Appliance?
› It is a virtualized version of HiveOS that runs on VMware
ESXi which supports IPSec VPN service, and routing
protocols
• How do you upgrade a VPN Gateway VA?
› VAs can be upgraded using a standard HiveOS software
upgrade from HiveManager, TFTP, or SCP
• How many interfaces does a VPN Gateway VA have - Two
» WAN – used to terminate the VPN from the router VPN
clients, and can be used as a one-armed VPN where it
connects to both the branch networks through the
VPN, and the internal corporate networks.
» LAN – an optional interface that can be used to
connect to an internal network and be the gateway IP
address for corporate traffic to access branch
networks through the VPN
VPN Gateway Virtual Appliance on
VMware (ESXi)
• The VA uses the HiveOS, and looks just like an AP when

you log in to it

VPN Gateway
Deployment Scenarios – Two Interfaces
Headquarters
Router VPN Gateway Firewall
Inside DMZ Branch Office
IPSec VPN
Internet
LAN (Eth1) WAN (Eth0)
Interface Interface
• VPN Gateway with two interfaces configured

› The LAN interface is connected to the inside network
» Traffic from the inside network destined for an IP address in a branch
office is sent to the LAN interface on the VPN Gateway to be
encrypted and sent through a VPN to a branch office
» Routing protocols, OSPF or RIPv2, can be run on the LAN interface so
that the VPN Gateway can exchange routes with the inside network
router
› The WAN interface is connected to the DMZ or outside network and is
used to terminate the VPNs
VPN Gateway
Deployment Scenarios – One Interface
Headquarters
Router VPN Gateway Firewall
Inside
(Clear) DMZ Branch Office
IPSec VPN
Internet
WAN (Eth0) Interface
• VPN Gateway with one interface configured (One Arm)

› The WAN interface is connected to a firewall interface in the DMZ
» Traffic from the inside network destined for an IP address in a
branch office is sent to the firewall which forwards the traffic to
the VPN Gateway as the next hop to the branch office routers
» The VPN Gateway encrypts the traffic and sends the traffic back
to the firewall destined to a branch office router
» You can run statically enter routes, or run a dynamic routing
protocol, OSPF or RIPv2, on the WAN interface to exchange
routes with the firewall
Router IPSec VPN Lab
Uses a Single VPN Gateway Interface
Headquarters Firewall Outside Interface
VPN Gateway eth0/0 – 1.2.2.1/24
NAT – 1.2.2.X to 10.200.2.X
Switch Inside DMZ Branch Office
Public 2.1.1.10
IPSec VPN
Port1 Internet
WAN Interface Internal
Eth0- 10.200.2.X/24 Port2
10.102.1.0/24
Gateway: 10.200.2.1 Bridge Group
Interface: 10.5.1.1
HiveManager
10.5.1.20 X=2,3,..,14,15
• In the training lab, the VPN Gateways learn routes via OSPF from the
firewall, which are: 10.5.2.0/24, 10.5.8.0/24, & 10.5.10.0/24
• The firewall learns the routes from the VPN Gateways to all the
branch office routers via OSPF
• The branch office routers exchange their routes with their VPN
Gateways

THE NEXT STEPS ARE FOR EXAMPLE
ONLY, DO NOT DOWNLOAD THE
VPN GATEWAY VA IMAGES IN
CLASS, OTHERWISE IT WILL TAKE
TOO LONG

Example Only: Downloaded HiveOS-VA
Image From HiveManager
• Please do not download in class!
› To download the VPN Gateway Virtual Appliance image
from HiveManager, go to ConfigurationAll Devices
› Click UpdateAdvancedDownload HiveOS Virtual
Appliance

Example Only: Downloaded HiveOS-VA
Image From HiveManager
› Save the VPN Gateway VA image to a directory of
your choice on your hard drive
› Note, the default name is: AH_HiveOS.ova, but you
can rename the file if you like

THE NEXT STEPS ARE FOR EXAMPLE
ONLY, DO NOT DEPLOY A VPN
GATEWAY IN CLASS, YOUR VPN
GATEWAY VA IMAGES HAVE
ALREADY BEEN DEPLOYED
If time permits the instructor will

demonstrate the process

Recommended Hardware Configuration
VPN Gateway Virtual Appliance Recommended Hardware Configurations

Example Only: Deploy a VPN Gateway in
VMware ESXi
• From the VMware

vSphere client, log
into your ESX/ESXi
server
• Go to File
Deploy OVF
Template
• Locate the
AH_HiveOS.ova file
and click Open

VMware ESXi
• With the
AH_HiveOS.ova file
selected click Next

VMware ESXi
• View the
product
information and
ensure you have
enough disk
space for a think
provisioned
install
› Note: Thick
provisioning
reserves all the
disk space
needed during
the install
• Click Next

VMware ESXi
• Provide a name
for the VPN
Gateway, for
example:
HiveOS-VAXX
XX=02,03,..14,15
› Note: It is a
good idea to
keep this name
relatively small
so it fits better
in the vSphere
client display
• Click Next

Example Only: Deploy a VPN Gateway-VA in
VMware ESXi
• Select  Thick
Provisioned
Lazy Zeroed
› Note: You can
choose Eager
Zeroed, but it
will take more
time because
it will fill the
complete disk
space with
0’s, lazy fills
only as space
is needed.
• Click Next

VMware ESXi
In this example, the

VPN Gateways will
only be using the
WAN interface, so
you can use the
same destination
network (virtual
switch port group)
for both
• Select VM
Network for the
WAN and LAN
interfaces
• Click Next

VMware ESXi
• Optionally,
check the box to
 Power on after
deployment
• Click Finish

VMware ESXi
In a moment, the new VPN

Gateway will be up and
running
• Click Close when the
deployment has
completed successfully

EXAMPLE: INITIAL CONFIGURATION
OF A VPN GATEWAY VIRTUAL
APPLIANCE

Example Only: Initial configuration
of a VPN Gateway Virtual Appliance
• In the vSphere console for the new VPN Gateway

Virtual Appliance
› Type 1 to change the Network Settings and press
enter

• Type 2 to
Manually
configure
interface
settings and
press Enter

• The startup CLI wizard
is used to set up the IP
address for the WAN
interface on the VA
• The VPN Gateway VA
will need access to
the Internet to access
the license server to
obtain a valid and
unique serial number
• IP for eth0: 10.200.2X
• Netmask Length: [24]
• Gateway: 10.200.2.1
• DNS: 8.8.8.8
• Apply Changes: Yes
• The VPN Gateway will check its connection its default

gateway and the Aerohive License server
• For the question: Do you want to reset the networking?
press enter, or type no and press enter
• When a VPN Gateway
VA is purchased,
Aerohive generates an
activation code, and
associates it with a
unique serial number
• You will be emailed
your activation code
• When the activation
code is entered, the
VPN Gateway VA will
contact the Aerohive
license server and
obtain a serial number
associated with the
Optionally you can activation key.
use an HTTP proxy

• If the
activation
code is valid,
the VPN
Gateway VA
will obtain a
valid and
unique serial
number
• You must then
VPN Gateway
by pressing
enter, or by
typing yes
then enter

• After the VPN Gateway VA has

been rebooted, you can login
with:
› Login: admin
› Password: aerohive
• Enter a hostname if you like:
› Hostname HiveOS-VA-X
• If the Serial Number for the VPN
Gateway is not entered into
myhive, then you can configure
the location of its HiveManager
› capwap client server name
10.5.1.20
• Save the configuration
› save config

• Just like on an Aerohive

AP or router, you can
verify CAPWAP status by
typing
› show capwap client
• After a minute, you
should see the run state
show that the VPN
Gateway is Connected
securely to the CAPWAP
server
• The CAPWAP server IP
should be your
HiveManager IP: 10.5.1.20

Your new VPN gateway will be displayed in

MonitorVPN Gateways

LAB: CREATE A ROUTE-BASED
LAYER 3 IPSEC VPN

Lab: Create a Route-Based IPSec VPN
1. Create a Layer 3 IPSec VPN
To create a
route-based
IPSec VPN
• Go to
Configuration
• Select your
Network policy:
Access-X and
click OK
• Next to Layer 3
IPSec VPN click
Choose
• In Choose
VPN Profile
click New

2. Assign your VPN Gateway to the VPN policy
Click
Apply
• Enter a profile name: VPN-X and choose  Layer 3 IPSec VPN

• For VPN Gateway, select: Hive-OS-VA-XX from the drop-down
• External IP address of the VA: 1.2.2.X
• X= your student number
› Note: The external IP is the public address the routers will
contact to access the Virtual Appliance
• Click Apply
3. Certificate settings
Optionally you can add an

additional VA for disaster recovery
• Expand IPSec VPN
Certificate Authority Settings
• VPN Certificate Authority:
Default_CA.pem
• VPN Server Certificate:
VPN-cert_key_cert.pem
• VPN Server Cert Private Key:
VPN-cert_key_cert.pem
Note: Server certificates for the

VPN were created in the
Click HiveManager Certificate Authority

4. Verify VPN Settings Then Go To Configure & Update
• Verify the Layer 3 IPSec VPN settings

Note: The WAN IP and Protocol will be updated after
the configuration update is performed
• Click Configure & Update Devices

Example: Dynamic Routing on the VA
With OSPF or RIPv2
VA Headquarters Branch Office

DMZ
Internet BR100
WAN Interface Sub Network
Eth0- 10.200.2.X/24 Firewall Inside Interfaces 10.102.1.0/24
Gateway: bgroup0 : 10.5.1.1/24 VLAN 1 OSPF area 0
10.200.2.1 bgroup0.2: 10.5.2.1/24 VLAN 2 OSPF area 0
OSPF area 0.0.0.0 bgroup0.8: 10.5.8.1/24 VLAN 8 OSPF area 0
(same as 0) bgroup0.10: 10.5.10.1/24 VLAN 10 OSPF area 0
• In a one-armed configuration, OSPF or RIPv2 can be

enabled on the WAN interface to dynamically learn
routes from the network (e.g. firewall), and advertise
the routes it learns from the branch sites to the
network (e.g. firewall)
Example: Routes Learned via OSPF and
Between the VA and Branch Routers
VA Headquarters
Branch Office 1
DMZ
IPSec VPN to Branch Office 1
Internet BR100
WAN Interface Sub Network
Eth0- 10.200.2.2/24 Firewall Inside Interfaces 10.102.1.0/24
Gateway: 10.200.2.1 bgroup0 : 10.5.1.1/24 VLAN 1 OSPF area 0
Routes to
OSPF area 0.0.0.0 bgroup0.2: 10.5.2.1/24 VLAN 2 OSPF area 0
Headquarters
(same as 0) bgroup0.8: 10.5.8.1/24 VLAN 8 OSPF area 0
through VPN
Routes - Branch 1 bgroup0.10: 10.5.10.1/24 VLAN 10 OSPF area 0
Routes to Branch 1 10.5.1.0/24 to VPN
Through VPN:
10.102.1.0/24 to 10.200.2.2 10.5.2.0/24 to VPN
10.102.1.0/24
10.5.8.0/24 to VPN
Routes - Network: Note: Aerohive uses a 10.5.10.0/24 to VPN
10.5.1.0/24 to 10.200.2.1 TCP-based mechanism through
Local Routes
10.5.2.0/24 to 10.200.2.1 the VPN tunnel to check for
0.0.0.0/0 to Internet
10.5.8.0/24 to 10.200.2.1 route updates between branch
10.5.10.0/24 to 10.200.2.1 sites and the VPN Gateways
0.0.0.0/0 to 10.200.2.1 every minute by default.
5. Modify the settings for your VPN Gateway
• Choose the Current Policy filter

• Under L3 VPN Gateway, click the link to
modify your VPN Gateway: HiveOS-VA-XX
6. Modify the IP settings on the VPN Gateway
00
• By default the management Network is set to the Quick Start

Management Network: QS-MGT-172.18.0.0
• Set the IP address of the Eth0 (WAN) Interface: 10.200.2.X/24
X=2,3,..,14,15
• Set the Default Gateway:10.200.2.1 Do not save yet..
7. Enable OSPF on the VPN Gateway
• Check the box to: 

Enable dynamic routing
and select OSPF
• Set the Eth0 (WAN)
interface to run OSPF so
that it can advertise
and learn routes from
the network, check 
Eth0 (WAN)
• Uncheck
 Eth1(LAN) because
the eth1 interface is not
in use
• Use the default Area:
0.0.0.0 (which is
compatible with area 0)
• Click Save 460
Note: Internal Networks – Required if a
Dynamic Routing Protocol is Not Enabled
• If the VPN Gateway is

configured with static
routes, or just has a single
default gateway to a router,
you can specify which
networks to advertise to the
branch office networks by
specifying Internal Networks
• Any Internal Network defined
here will be advertised to the
branch office networks
through the VPN tunnels so
the branch offices routers
know which networks to
route through the VPN to
headquarters

8. Upload the Configuration of Your Devices

• Select all your devices 
• Click Update


devices
• Click Update
For this class, ALL

Updates should be
Complete
configuration
updates

• When the Reboot Warning box appear, select OK
Click OK

11. Wait for the update to complete and verify VPN
When the VPN Server and Client Icons are green, then
you know the VPN is up.
465

VPN TROUBLESHOOTING

LAB: VPN Troubleshooting
1. Aerohive device VPN Diagnostics
• Go to Monitor Devices All Devices

• Select one of the VPN devices:  SR-0X-######
• Click Utilities...Diagnostics Show IKE Event
• Verify that both Phase 1 an Phase 2 are successful

LAB: VPN Diagnostics
2. Aerohive device VPN Diagnostics – Phase 1
• Select one of the VPN devices:  SR-0X-######

• Click Tools...Diagnostics Show IKE Event
Possible problems if Phase 1 fails:
• Certificate problems
• Incorrect Networking settings
• Incorrect NAT settings on external firewall
Possible problems if Phase 2 fails:
• Mismatched transform sets between the client and
server (encryption algorithm, hash algorithm, etc.)

• Click Tools...
Diagnostics
Show IKE Event
• If you see that phase 1
failed due to a
certificate problem
› Check the time on
the Aerohive devices
» show clock
» show time
› Ensure you have the
correct certificates
loaded on the
Aerohive APs in the
VPN services policy

• Click Tools...
Diagnostics
Show IKE Event
• If you see that
phase 1 failed due
to wrong network
settings
› Check the IP
settings in the
VPN services
policy
› Check the NAT
settings on the
external firewall

• Click
Utilities...Diagnostics
Show IKE SA
• Phase 1 has completed
successfully if you reach
step #9
• If Step #9 is not
established then one of
these problems exists:
Certificate problems
Incorrect Networking
settings
Incorrect NAT settings on
external firewall

• Click Utilities...
Diagnostics
Show IPSec SA
Note: It is clear to see that a
VPN is functional if you see
the tunnel from the MGT0 IP
of the VPN client to the
(NAT) Address of the MGT0
of the VPN Server, and the
reverse. Both use different
SAs (Security Associations)
› State: Mature
• If Phase 2 fails: Check the
encryption & hash settings
on the VPN client and the
VPN server

Lab: VPN Diagnostics
7. View the VPN Topology to Verify VPN Status
• In the Layer 3 IPSec

VPN section, click
VPN Topology
• If the devices show
up green with a line
Please Be between them, the
Patient, it will VPN is operational
take a minute or
• Click Refresh if the
two for the VPNs devices are not
to establish green after a
moment

VERIFY VPN STATUS AND
DYNAMIC ROUTING

Lab: Verify VPN and Dynamic Routing
2. View the VPN Topology to Verify VPN Status
To verify the
routes learned via
OSPF
• Go to Monitor
VPN Gateways
• Check the box
next to your
 HiveOS-VA-XX
• Select
Utilities...
SSH Client

3. Use CLI Commands to Verify OSPF Routes
• show OSPF route (wait about 10 seconds – press enter twice)

› You should see four OSPF routes in this lab
• show OSPF neighbor (press enter twice)
› You should see at a minimum the firewall at 209.128.124.196 as a
neighbor with a Full/DR state

4. View the routes on a branch router
To verify the routes learned through the VPN on a branch

router
• Go to MonitorRouters
• Check the box next to your router:
 SR-XX-######
• Select Utilities...DiagnosticsShow IP Routes
5. View the routes on a branch router
• You should see at a

minimum routes to:
10.5.1.0/24,
10.5.2.0/24,
10.5.8.0/24, and
10.5.10.0/24 all
through the VPN
tunnel0 interface
• High metrics are
used for routes
learned from OSPF
and advertised
though the VPN so
that if the network
exists locally, that will • You will also learn the routes for
be preferred networks at the other branch sites
Note: Higher metrics though the VPN tunnel
have more cost and
are not preferred
Copyright ©2011
For Information: This is the OSPF
configuration on the training Juniper SSG
• ssg5-3-lab-> set vr trust

• ssg5-3-lab(trust-vr)-> set protocol OSPF
• ssg5-3-lab(trust-vr/OSPF)-> set enable
• ssg5-3-lab(trust-vr/OSPF)-> exit
• ssg5-3-lab(trust-vr)-> exit
• ssg5-3-lab-> set int bgroup0 protocol OSPF area 0
• ssg5-3-lab-> set int bgroup0 protocol OSPF enable
• ssg5-3-lab-> set int bgroup0.2 protocol OSPF area 0
• ssg5-3-lab-> set int bgroup0.2 protocol OSPF enable

TEST WLAN ACCESS THROUGH THE VPN
The steps for LAN access are similar

1. Connect your computer to the SSID: Class-PSK-X
wireless icon on
the bottom right
corner of the
windows task bar
• Click your SSID
Class-PSK-X
• Click Connect
› Security Key:
aerohive123
› Click OK

Lab: Test WLAN VPN Access
2. Ping a server through the VPN
Headquarters
VPN Gateway Branch Office 1
DMZ
IPSec VPN to Branch Office 1
Internet BR100
From your PC, ping 10.5.1.20, which is a server in Santa

Clara California data center

Lab: Test WLAN VPN Access
3. View your client information in Wireless Clients
• From your virtual

PC connect to
HiveManager
through VPN
https://10.5.1.20
• View your client
in the Active
Clients list by
going to:
MonitorClients
Wireless Clients

POLICY-BASED ROUTING (PBR)
*A low cost
American beer
that has been
around a long
Not this PBR: time, but was

not popular.
However, over
the last few
years it has
become more
popular in bars
and grocery
stores.
Aerohive Policy-Based Routing
HQ
VPN
3G/4G/LTE
Internet • Policy-based routing is
used mainly in
conjunction with the
layer 3 IPSec VPN
tunneling capabilities
Guests
› Though it does not
require VPN
Employees

Aerohive Policy-Based Routing
• Policy-based routing
lets you decide how
HQ
VPN traffic is forwarded out
of a router
3G/4G/LTE › Decisions are made
Internet
based on IP
reachability of
tracked IP
addresses and user
profiles
Guests
› Forwarding can be
out any WAN port,
USB wireless, Wi-Fi
Employees connection, or VPN

Route-based VPN
Private vs. Internet Traffic
HQ Internet
Branch Office
Corporate
Network Tunnel A BR100
10.1.0.0/16
(Internal) Cloud VPN
Gateway
Route: 10.1.0.0/16 to Corp Router Local network: 172.28.2.0/24
Route 172.28.2.0/24 to VPN Tunnel A Route: 10.1.0.0/16 through VPN tunnel
• Three types of routes in a branch office are
› Private routes – learned over the VPN from the VPN
gateway, such as 10.1.0.0/16 in this example
› Branch routes – to other routers in the branch office,
which can be advertised to HQ over the VPN tunnel
› Internet routes – Essentially the default route 0.0.0.0/0
used to send traffic to the Internet locally from the
branch office
POLICY-BASED ROUTING

Policy-Based Routing: Custom Rules
Overview of Fields
• Source and Destination • Forwarding actions

are used to match a determine where to
packet send the packet

Policy-Based Routing: Forwarding and
Backup Forwarding Actions
• The backup forwarding action

occurs when the interface used
for the forwarding action goes
down or….
• If specific IP addresses are not
reachable via the interface
used for the forwarding, using
track IP

LAB: CREATE A WAN IP TRACKING POLICY

Track IP for Router WAN Connectivity
• Uses Ping to track IP

HQ addresses you specify
VPN on the Internet
› For example, you
can track
Internet ntp1.aerohive.com
3G/4G LTE
ntp1.aerohive.com 206.80.44.205
206.80.44.205
• If no response is
received, you can
Track IP make routing
Guests
decisions such as
failing over to wireless
USB (3G/4G LTE)
Employees
Lab: WAN IP Tracking
1. Create an IP tracking policy
To configure Policy-Based routing:

Go to Configuration
• Select your Network policy: Access-X and click OK
• Next to Additional Settings click Edit

• Expand Service
Settings
• For Track IP Groups
for WAN Interface,
there are two
backup track IP
groups and one
primary
• Next to Primary,
click +

• Track IP Group Name:

Track-X
• Under Tracking group
type select For WAN
interface
• Ensure Enable IP tracking
is checked
• For the IP addresses,
enter: 8.8.8.8,4.2.2.2
• Take action when: all
targets become
unresponsive
• Click Save

• In Track IP Groups for

WAN Interface
• Select the Primary Track
IP Group: Track-X
• Click Save
• Next you will configure the
routing policy
Note: You can specify Track IP Groups for Backup1

and Backup2 as well. The policy-based routing policy
determines if backup1 fails to backup2, or backup2
fails to a Wi-Fi client connection for example.

LAB: CONFIGURE POLICY-BASED ROUTES

Lab: Policy-Based Routing
1. Create a Routing Policy
• Expand Router
Settings
• Next to Routing
Policy, click +
Note: Policy-Based Routing: Type of Rules
• Here you can specify the type of routing policy rules

› Split Tunnel: Tunnel non-guest traffic to internal (HQ)
routes, drop guest traffic for internal (HQ) routes, and
route all other traffic the local Internet gateway
› Tunnel All: Tunnel all non-guest traffic regardless of its
destination and drop all guest traffic.
› Custom: Define a custom routing policy
Create
New
• Name: PBR-X
• Under Routing Policies, select Custom
• Click + to add a new policy

• Source - Type: User Profile, Value: Employee-X

• Destination - Type: Private (routes learned via VPN)
• Forwarding Action: Corporate Network (VPN)
• Backup Forwarding Action: Drop
• Click the save icon next to the right of the policy
• Click + to create a new policy

• Source - Type: User Profile, Value: Employee-X
• Destination- Type: Any (All other routes)
• Forwarding Action: Primary WAN
• Backup Forwarding Action: Backup WAN-1 (e.g. DSL)

• Source - Type: User Profile, Value: Voice-X
• Destination – Type: Private (routes learned via VPN)
• Forwarding Action: Corporate Network (VPN)
• Backup Forwarding Action: USB (USB Wireless - LTE)

• Source - Type: User Profile, Value: Guest-X
• Destination - Type: Private (routes via VPN)
• Forwarding Action: Drop
Click the top +
• Click + on top (Note: This is to show an important point)

• Source - Type: User Profile, Value: Guest-X
• Destination - Type: Any
• Forwarding Action: Primary WAN
• Backup Forwarding Action: Drop
• Question: What is wrong with this policy?

• Answer: All guest traffic will match the first policy,
and no other policy will be used. Guest traffic may
be able to access the local branch network if not
blocked by firewall policy.
• Click the User Profile(Guest-X), Any, Primary WAN

policy and drag it to the bottom
• Click Save
• Additional Settings – Save
• Save your Network Policy
Policy-Based Routing
Analysis
• Processed top down:

1. User Profile(Employee) when going to a private route
learned through the VPN, send to the VPN
2. User Profile(Employee) when not sending to the VPN will
be sent out through the primary WAN, and if that fails,
out the Backup WAN
Analysis
3. User Profile(Voice) if destined to a route learned

through the VPN, forward through VPN
4. User Profile(Guest) if destined to a route learned
through the VPN, drop
5. User Profile(Guest) when not sending to the VPN will be
sent out through the primary WAN, and if that fails, drop
Policy Used For No Matching Routes
• Question: What happens to traffic that does

not match a policy-base routing rule?
• Answer: The router uses its main destination
routing table. (i.e. standard routing)
Caution in 6.0r2a if not using VPN
• If you are not using VPN, do not create a policy-based

routing using: Source: Any, Destination: Any
• If you do, traffic may get sent back out the WAN as
primary instead instead of being sent to a local route.
• This will be resolved in an upcoming release.
SIMPLE TEST

Instructor Classroom demo
If time permits:
If the instructor has a 3G/4G USB dongle available:
• Start a continuous ping from a classroom laptop that is
communicating through an Aerohive BR-200
• Remove the Ethernet cable from the primary WAN
port
• Wait for up to 60 seconds for the connection to
failover to the cellular network
• Reconnect the Ethernet cable from the primary WAN
port
• Wait for up to 60 seconds for the connection to
fallback to the primary WAN network

DEFAULT SPLIT TUNNEL
Use if you do not want to create a custom policy and

you have VPN configured

Policy-based routing – Split Tunnel Policy
• Source - User Profile

› Any Guest - applies to users or
devices connected to a user profile
assigned to a network with the
network type set to Guest Use
› Any –all other non-guest user profiles

Policy-based routing – Split Tunnel Policy
Analysis
• Processed top down

1. Traffic from any guest user profile, going to a route
learned through the VPN or local interface on the
router, drop
2. Any non-guest traffic destined to a route learned
through the VPN, forward through the VPN
3. All other traffic, forward out the Primary WAN interface,
and if that fails, send out the backup WAN interface 516
BRANCH ROUTER 3G/4G MODEM
SETTINGS

Branch Router USB Modem Settings
• Wide range of USB modems are supported

• USB modem can be used when triggered by an IP-
tracking policy or can always stay connected
Generic USB Modem Support
• Generic USB modem support for BR200, BR100 and the

300 series APs functioning as routers
• Configurable through NetConfig UI
COOKIE-CUTTER VPN

Cookie Cutter Branch Deployments
HQ
Corporate
Network
10.0.0.0/8 Branch 1: 10.1.1.0/24
• Each site, even with

the same IP
network, can build
a VPN to the Branch 2: 10.1.1.0/24
corporate network

Branch 3: 10.1.1.0/24 521
HQ
Corporate
Network
10.0.0.0/8 Branch 1: 10.1.1.0/24
• Each site in a branch

can be assigned to
the same IP network Branch 2: 10.1.1.0/24
• How can HQ access
the remote sites?

Branch 3: 10.1.1.0/24 522
HQ
Corporate
Network
10.0.0.0/8 Branch 1: NAT 10.102.1.0/24 to 10.1.1.0/24
• Each network can

have a unique
subnet allocated for
each site to perform
one to one night for Branch 2: NAT 10.102.2.0/24 to 10.1.1.0/24
every host each
branch office
through the VPN

Branch 3: NAT 10.102.3.0/24 to 10.1.1.0/24
523
Routing on the VPN Gateway
Corporate Network HQ
10.0.0.0/8 Local
Tunnel Routes Branch 1: NAT 10.102.1.0/24 to 10.1.1.0/24

10.102.1.0/24 tunnel 1
10.102.2.0/24 tunnel 2
10.102.3.0/24 tunnel 3
• The branch routers

advertise their NAT Branch 2: NAT 10.102.2.0/24 to 10.1.1.0/24
subnets to the VPN
Gateways

Branch 3: NAT 10.102.3.0/24 to 10.1.1.0/24
524
HQ
Corporate
Network
10.0.0.0/8
Branch 1: NAT 10.102.0.0/24 to 10.1.1.0/24

• NAT subnets are unique
subnets per site (non cookie- which NATs:
cutter), and can be mapped 10.102.1.1 to 10.1.1.1
to sites dynamically, or via 10.102.1.2 to 10.1.1.2
device classification ..
10.102.1.255 to 10.1.1.255
• Each NAT IP address can be
access from corporate
through the VPN Branch 2: NAT 10.102.2.0/24 to 10.1.1.0/24
which NATs:
• Each NAT mapping is 10.102.2.1 to 10.1.1.1
bidirectional, so traffic to HQ 10.102.2.2 to 10.1.1.2
will be sourced from each ..
NAT address
10.102.2.255 to 10.1.1.255
etc….
LAB: COOKIE-CUTTER VPN

Lab: Cookie Cutter
1. Create a new Employee Network
• Next to VLAN 10, click on your network:

Network-Employee-1XX
• Choose Network, click New
Lab: Cookie Cutter
2. Create a new Employee Network
• Enter the network

name:
10.1.1.0-Employee-X
• DNS Service, select
the quick start
automatically
generated object:
Class
• Network Type:
Internal Use
• Under subnetworks
NOTE: This Quick Start DNS Service object click New
sets clients to use the router interface IP as
the DNS server, and will proxy the DNS
requests to the DNS server learned statically
or by DHCP on the WAN interface
Lab: Cookie Cutter
3. Replicate the Network
• Select Replicate
the same
subnetwork at
each site
• Local
Subnetwork:10.1.1
.0/24
• Select Use the
first IP address of
the partitioned
subnetwork for the
default gateway NOTE: You can now use the first or last IP
• Do not save yet address for each branch subnet for the
default gateway assigned to the routers for
these subnets

Lab: Cookie Cutter
4. Enable DHCP

server
only be used to

at the start and end of
the address pool that
can be defined statically.
Lab: Cookie Cutter
5. NAT settings
• Check  Enable NAT through the VPN tunnels

• Number of branches: 256
• NAT IP Address Space Pool: 1.1XX.0.0 Mask 16
XX=102,103,..,114,115
• Note: We are using 1.1XX.0.0 instead of 10.1XX,0.0,
because the lab has no more IP space)
Copyright ©2011
Lab: Cookie Cutter
6. NAT settings
• Check  Allocate NAT

subnetworks by specific
IP addresses at sites
• Click New
› IP Address: 1.1XX.1.1
› Type: Device Tags
› Value: Site-Xa
(Your Switch)
• Click Apply
NOTE: Any device tag you have defined elsewhere is
automatically populated. You can also start typing to narrow
the value list
With these settings, each site will get assigned to one of the /24
NAT subnets in 1.1XX.0.0/16. Entering a single IP address locks
the NAT IP address and the NAT subnet to which it belongs to a
specific site.

Copyright ©2011
Lab: Cookie Cutter
7. Save cookie cutter network
Verify your
settings
• Click Save

Lab: Cookie Cutter
7. Review and save
Your network will have one NAT subnetwork:

1.1XX.0.0/16 that will support 256 branches with
253 clients per branch, and subnet 10.1.1.0/24
will be assigned to each site for DHCP
• Click Save
• Click OK
Lab: Cookie Cutter
8. Save your network policy and continue

Access bar, click Continue

PERFORM A COMPLETE UPLOAD

1. Update your routers

• Select all your Routers 
• Click Update


devices
• Click Update
For this class, ALL

Updates should be
Complete
configuration
updates

• When the Reboot Warning box appear, select OK
Click OK

VIEW SUBNET ALLOCATION REPORT

10.0.0.0/8 Local
Tunnel Routes Branch 1: NAT 10.102.1.0/24 to 10.1.1.0/24

10.102.1.0/24 tunnel 1
10.102.2.0/24 tunnel 2
10.102.3.0/24 tunnel 3

advertise their NAT Branch 2: NAT 10.102.2.0/24 to 10.1.1.0/24
subnets to the VPN
Gateways

Branch 3: NAT 10.102.3.0/24 to 10.1.1.0/24
541
Lab: Subnet Allocation Report
1. View the IP addresses assigned to the routers
• From Monitor, in the navigation

tree, click Subnetwork Allocation
• Under Network Name, select
10.1.1.0-Employee-X
• Note the unique NAT networks
and the cookie-cutter network
Note: One subnet was assigned via classification. The others assigned dynamically.
SIMULATED ROUTER CLEANUP

Lab: Remove Simulated Routers
1. Select and remove your simulated routers
The simulated routers were

used to show the subnet
allocation report
Now that you have seen how
subnetworks are allocated to
routers, we can remove the
simulated routers
• From
ConfigurationRouters,
check the box next to
your simulated devices
that start with: SR-02-
SIMU-XXXXXX
• Warning: Do NOT
remove the real router
• Click Device Inventory
and click Remove
• Click Remove from the
warning popup
LAYER 3 IPSEC VPN – REDUNDANT
VPN GATEWAYS

Using Two VPN Gateways
Firewall eth0/0 – 209.128.76.30
Headquarters NAT – 209.128.76.28 to 10.1.101.2
VPN Gateway 1 NAT – 209.128.76.29 to 10.1.102.2
LAN 1: 10.1.101.2/24 Firewall eth0/1.1 - 10.1.101.1/24 vlan 101
Protocol OSPF area 0.0.0.1 Protocol OSPF area 0.0.0.1
Firewall eth0/1.2 - 10.1.102.1/24 vlan 102
LAN1 Protocol OSPF area 0.0.0.2
DMZ Protocol OSPF cost 1000
eth0/1
VLAN
LAN 1 VLAN 101 802.1Q eth0/0
102 eth0/2
VPN Gateway 2 Firewall eth0/2 – 10.5.1.1/24

LAN 1: 10.1.102.2/24 Protocol OSPF area 0.0.0.0
Protocol OSPF area 0.0.0.2
Branch Office
Inside Tunnel 1 to 209.128.76.28 pref 1
Tunnel 2 to 209.128.76.29 pref 2
VLAN 10 – 10.1.1.0/24 Employee Net
Internal Network One-to-One Subnet NAT
AD Server Through VPN:
10.5.1.10 10.102.1.0/24 to 10.1.1.0/24
© 2013 Aerohive Networks CONFIDENTIAL (HQ visible IPs) (local IPs) 546
Using Two VPN Gateways
Firewall
Headquarters FW eth0/0 – 209.128.76.30
NAT – 209.128.76.28 to 10.1.101.2
NAT – 209.128.76.29 to 10.1.102.2
FW eth0/1.1 - 10.1.101.1/24 vlan 101
VPN Gateways Protocol OSPF area 0.0.0.1
VPN Gateway 1 FW eth0/1.2 - 10.1.102.1/24 vlan 102
eth 0 Protocol OSPF area 0.0.0.2
LAN 1: 10.1.101.2/24
Protocol OSPF area 0.0.0.1 Protocol OSPF cost 1000
VPN Gateway 2 DMZ eth0/1 eth0/0

VLAN
LAN 1: 10.1.102.2/24 eth 0 802.1Q
VLAN 101
Protocol OSPF area 0.0.0.2 102
eth0/2
Inside
Internal Network FW eth0/2 – 10.5.1.1/24
AD Server Protocol OSPF area 0.0.0.0
10.5.1.10
• VPN tunnels are built from branch offices to the VPN gateways
• Traffic from the branch offices is decrypted at the VPN gateways and sent to
the DMZ firewall for access to the Internet network
• Traffic destined to IP addresses at branch offices is sent to the firewall, which
looks up the IP and finds the route to VPN gateway which encrypts and sends
through a tunnel to a branch office
10.0.0.0/8 Local
Branch 1:
NAT 10.102.1.0/24 to 10.1.1.0/24
Tunnel Routes
10.102.1.0/24 tunnel 1
10.102.2.0/24 tunnel 2

Branch 2:
advertise their NAT NAT 10.102.1.0/24 to 10.1.1.0/24
subnets to the VPN
Gateways
FW Configuration for Accessing VPN
Gateways 1 and 2
set interface bgroup0.5 tag 101 zone Trust

set interface bgroup0.6 tag 102 zone Trust
set interface bgroup0.5 ip 10.1.101.1/24
set interface bgroup0.6 ip 10.1.102.1/24
set interface bgroup0.5 route
set interface bgroup0.6 route
set int bgroup0.5 protocol OSPF area 0.0.0.1
set int bgroup0.5 protocol OSPF enable
set int bgroup0.6 protocol OSPF area 0.0.0.2
set int bgroup0.6 protocol OSPF enable
set interface "ethernet0/0" mip 209.128.76.28 host 10.1.101.2
set interface "ethernet0/0" mip 209.128.76.29 host 10.1.102.2
set interface "ethernet0/0" mip 209.128.76.28 host 10.1.101.2 netmask
255.255.255.255 vr "trust-vr”
set interface "ethernet0/0" mip 209.128.76.29 host 10.1.102.2 netmask
255.255.255.255 vr "trust-vr”
set policy id 18 from "Untrust" to "Trust" "Any" "MIP(209.128.76.28)" "ANY" permit
set policy id 19 from "Untrust" to "Trust" "Any" "MIP(209.128.76.29)" "ANY" permit

CONFIGURING LAYER 3 IPSEC VPN
WITH REDUNDANCY
INSTRUCTOR ONLY – THESE STEPS HAVE
ALREADY BEEN PERFORMED

Layer 3 VPN – Instructor Only Steps
• Under Layer 3 IPSec VPN, click Choose

• Name: Corp-VPN (shared by all network policies in class)

• Layer 3 VPN
• VPN Gateway: VPN-Gateway-1
• External IP: 1.2.2.241
• Click Apply
Under VPN Gateway Settings

• Click New
• VPN Gateway: VPN-Gateway-2
• External IP: 1.2.2.242
• Click Apply

• Two new
certificates
were created
for this lab, you
can use those
or the defaults
if the root CA
did not
change
• Click Save

• From ConfigurationShow Nav  VPN Gateways

• Modify VPN-Gateway-1

Note: VPN Gateways

are not assigned to a
Network policy, they just
use a Management
network
• ETH0 (WAN)
10.200.2.241/24
• Default Gateway
10.200.2.1
•  Enable Dynamic
Routing
• Select OSPF
• Route Advertisement
 Select Eth0(WAN)
☐ Deselect Eth1 (LAN)
• Area: 0.0.0.0
• Click Save 556
• From Configuration VPN Gateways

• Modify VPN-Gateway-2
Note: VPN Gateways

are not assigned to a
Network policy, they
just use a Management
network
• ETH0 (WAN)
10.200.2.242/24
• Default Gateway
10.200.2.1
•  Enable Dynamic
Routing
• Select OSPF
• Route Advertisement
 Select Eth0(WAN)
☐ Deselect Eth1 (LAN)
• Area: 0.0.0.0
• Click Save


devices
• Click Update
For this class, ALL

Updates should be
Complete
configuration
updates

LAB: TWO VPN GATEWAYS
STUDENTS ADD CORP VPN TO THEIR

NETWORK POLICY

Lab: Two VPN Gateways
1. Add the Corp-VPN policy
• In your network policy next to Layer 3 IPSec VPN click

Choose
• In your network policy next to

Layer 3 IPSec VPN click Choose
• Select Corp-VPN
• Click OK
• Save the Network Policy
• Click Continue

2. Select the router
• Choose the current policy filter and select your router

• Click Update Devices and perform a complete upload

4. Verify the VPN toplogy
• Wait about 5 minutes

• When the VPNs are
established, you can
click the VPN Topology
link to see live VPN status
• Click Refresh to update
the screen
BRANCH ROUTER
WAN INTERFACE
NAT PORT FORWARDING

Branch Router WAN Interface
NAT Port Forwarding
• Use port forwarding from a public WAN interface on a
branch router to reach a server within a private network
• This works very well for cookie cutter deployments!!
NAT Port Forwarding Rules
Outside: 2.1.1.100:8005  Inside: 10.1.1.5:80
(IP# 5)
Internet Outside: 2.1.1.100:8006  Inside: 10.1.1.6:80
(IP #6)
http://2.1.1.100:8005 Web Server1 Web Server2
WAN: 2.1.1.100
10.1.1.5 10.1.1.6
SR2024 Port 80 Port 80
as
Branc
h
Router PoE
AP AP

LAB: CONFIGURE BRANCH ROUTER
WAN INTERFACE NAT PORT FORWARDING

LAB: WAN Interface NAT Port Forwarding
1. Modify the Cookie-Cutter Network
• From your network policy, under VLAN-to-

Subnet Assignments for Router Interfaces
› Modify your 10.1.1.0-Employee-X
network
› Click the  icon and select Edit

2. Modify the Cookie-Cutter/NAT Network
• Click the link to edit the subnet: 1.1XX.0.0/16

3. Enable port forwarding
• In the Network Address Translation (NAT) Settings

section
• Check  Enable port forwarding through the WAN
interfaces

4. View Aerohive Ports
• Click View Aerohive Ports to see the ports that are already
in use on Aerohive routers that you cannot use for port
forwarding

NOTE: Always have excludes from the DHCP pool
• In order for port

forwarding to work,
you must have
addresses excluded at
the start of the DHCP
pool
• For example, if you
have a web server at
every site that will be
the 5th IP address from
the start of the pool,
e.g. 10.1.1.5, then you
must have the DHCP
exclusion for the first 5
IP addresses so that
10.1.1.5 can be
statically assigned to
the web server
5. Create port forwarding rules
• Click New to create a port forwarding

rule

• Destination Port Number: 8005

• Local Host IP Address Position: 1
• Internal Host Port Number: 80
• Traffic Protocol: TCP
• Click Apply
• Create several more rules

• Destination Port: 8005

This is the port clients will
use from the Internet to
access the internal server:
https://WAN-IP:8005
• Click on IP Address
Mapping to see how each
position maps to an
internal cookie-cutter IP
address
• Local host IP address
› The position of the IP
address from the start of
the IP address block
› For /24 subnets, position
1 = .2, position 2 = .3,
etc…
9. Review your port forwarding rules
• Review your port

forwarding rules
• Click Save
• Click OK

10. Save the network
• Review your Network

• Click Save
• Click OK

• Click Continue to save your Network

Policy and proceed to device updates
12. Select the router
• Choose the current policy filter and select your router

• Click Update Devices and perform a complete upload

13. Verify port forwarding rules
• Monitor  Routers
•  Select your Router
• Click on Utilities… SSH Client
• Click on Connect
• Type: show ip iptables nat
14. Verify port forwarding rules
• CLI command: sh ip iptables nat
Note: Resize the window to see the port-forwarding rules

THE MANAGEMENT NETWORK

Aerohive Management Network
• Management Network – Every AP, router, and VPN

gateway, has a logical management interface for:
› CAWAP communication with HiveManager;
› cooperative control protocols like AMRP, and DNXP;
› and management services like SNMP, SYSLOG, SCP,
and SSH.
Internet
interface mgt0 interface mgt0
172.18.0.1/24 172.18.0.3/24
VLAN 1 VLAN 1
BR200 AP
AP
interface mgt0
172.18.0.2/24
VLAN 1
• Management subnets can be assigned to a VLAN

within the unified network policy
• Just like internal

networks,
management
subnets can
partitioned from a
parent network and
then assigned
dynamically by
HiveManager.
• Management
subnets can also be
assigned with
device classification.

Aerohive Router Interfaces
Ethernet Switch Ports Logical IP Interfaces Router WAN Port

Eth1 – Eth4 mgt0 (Management) Eth0
Layer 2 172.18.0.1/24 192.168.1.10/24
VLAN 1 No VLAN
• Assigned to VLANs and
mgt0.1
Networks by LAN
10.102.0.1/24
Profiles
VLAN 102 - Employee
• May be 802.1Q VLAN mgt0.2
Trunk ports or access 172.16.102.1/24
ports VLAN 202 -Guest
Interfaces mgt0.1 through mgt0.16 may be created,

each supporting routing for a different IP network.
ENABLE 802.1Q VLAN TRUNKING
ON A LAN PORT

Configuring 802.1Q on a Router Port Policies
BR100 AP
Logical IP Interfaces
mgt0 (Management)
172.18.0.1/24
VLAN 1 802.1Q
mgt0.1 VLAN Logical IP Interface
10.102.0.1/24 Trunk mgt0 (Management)
Employee - VLAN 10 VLANs: 172.18.0.1/24
1 (Native), VLAN 1
mgt0.2 2, 8, 10 Layer 2 Interfaces
10.202.0.1/24 VLAN 1 (Native)
Voice – VLAN 2 SSID: Class-PSK
Note: You should define
mgt0.3 a native network using Employee - VLAN 10
192.168.83.1/24 VLAN 1, which much SSID: Class-Voice
Guest - VLAN 8 match the native VLAN Voice – VLAN 2
mgt0.4 configured for the SSID: Class-Guest
172.28.0.1/25 management interface, Guest – VLAN 8
VLAN 1 (Native) which by default is 1.
ROUTER STATEFUL FIREWALL POLICY
MORE THAN JUST THE 5-TUPLE

Router Firewall
General Guidelines
• Router firewall is not the same firewall used in User Profiles

for Aerohive access points
• Firewall rules are applied in the branch router for both
wireless and wired traffic
• AP firewall can still be used for wireless clients is so desired
• L7 not yet supported in the router firewall
Internet Router firewall for wired and wireless traffic
Branch Router
AP firewall for wireless traffic only
AP
Router Firewall
General Guidelines
• Rules are processed top down and the first matching rule
is used
• After a rule is matched a stateful session is created using:
› Source IP, Destination IP, IP Protocol, Source Port,
Destination Port
› The reverse session is also created for return traffic
• More than just an IP firewall, the router firewall can look at:
› Traffic Source:
» IP Network, IP Range, Network Object,
User Profile, VPN, or IP Wildcard
› Traffic Destination:
» IP Network, IP Range, Network Object,
VPN, IP Wildcard, Hostname
Aerohive Stateful Firewall
Router
Inside Web Server
Internet
10.5.1.102 Firewall Policies:
Default Action: Deny 72.20.106.66
HTTP– Initiated from inside the Network to a web server on the Internet
Source IP, Dest IP, Proto, Source Port, Dest Port, Data
10.5.1.102 72.20.106.66 6(TCP) 3456 80 HTTP Get
The stateful firewall engine opens a pinhole for this

session allowing return traffic for this session
HTTP Response is permitted because firewall in router is stateful (Shown after NAT)
Source IP, Dest IP, Proto, Source Port, Dest Port, Data
72.20.106.66 10.5.1.102 6(TCP) 80 3456 HTTP Reply

Lab: Router Firewall for Guests
1. Create a Router Firewall Profile
To implement a
router firewall
• In your network
policy, next to
Router Firewall,
click Choose
• In Choose
Firewall click
New

2. Create a user profile rule
• Enter a Policy Name:

Firewall-X
• Configure a user
profile-based firewall
policy rule
• Select a source:
User Profile
Guests-X
• Select a destination:
IP Network
10.0.0.0/255.0.0.0
• Service: [-any-]
• Action: Deny
• Logging: Disable
• Click Apply

3. Create another user profile rule
Your rule should appear

• Under Policy Rules,
click New
policy rule
User Profile
Guests-X
IP Network
172.16.0.0/255.240.0.0
• Action: Deny
• Click Apply
4. Create one more user profile rule
Your rule should appear

• Under Policy Rules, click
New
• Configure a user profile-
based firewall policy rule
User Profile
Guest-X
IP Network
192.168.0.0/255.255.255.0
• Action: Deny
• Click Apply

5. Create a clean-up allow all rule
Create a clean up rule

• Under Policy Rules,
click New
policy rule
[-any-]
[-any-]
• Action: Permit
• Click Apply

6. Verify your firewall policy rules and save
• Select the radio button for the Default Rule to Deny all
› Note: This is not needed, but it is a good general practice.
• This policy denies access to any private IP address through the router,
and allows everything else
• Also, you can drag and drop the rules to change their order
• Click Save
7. Create a Router Firewall Profile
• Verify that your Router Firewall is applied:

Firewall-X
• Click Save
Remember this? - Routes Learned via OSPF and
Between the VA and Branch Routers
HQ Tunnel C
Corporate
Network
BR100
10.1.0.0/16
VPN Gateway
Local network: 172.28.2.0/24
Tunnel B
BR100
BR100
Tunnel A
Router Firewall can be used to block
communications between branch offices
HQ Tunnel C
Corporate
Network
BR100
10.1.0.0/16
VPN Gateway
Local network: 172.28.2.0/24
Tunnel B
BR100
BR100
Tunnel A
WEB PROXY FOR SECURING
WEB-BASED TRAFFIC

Cloud Proxy – How does it work?
Traffic is forwarded
with client identity
4 to the cloud
security partner
and processed
Aerohive BR confirms based on identity
traffic is not destined 3
2
for resources across Aerohive BR checks
the tunnel and is not if client network is
whitelisted as trusted configured to use
web security
1 Client makes a
HTTP/HTTP request

Web Security Using
Websense Cloud Web Proxy
To configure Cloud Web

Security, from
HiveManager go to
Home
Administration
HiveManager Services
• Check the box next to 
Websense Server Settings
• Check the box next to 
Enable Websense Server
Settings
• Enter the Account ID and
Security key that were
displayed for your
Websense account
• Default Domain:
Note: The default domain is only used if ah-lab.com
users do not authenticate to access • Click Update
the network using a mechanism that
requires a domain name for login
Web Security Using
Websense Cloud Web Proxy
You can use the default
Web Security Whitelist to
specify safe URLs that do
not need to be sent
though web security
• Next to Web Security
Whitelist, select
QS-WebSense-Whitelist
• Click Update
Note: To create your own
whitelist or clone the quick
start whitelists to make your
own additions, go to:
Configuration
Show Nav
Common Objects
Device Domain Objects

Web Security Using Cloud Proxy
To get started with

Cloud Web
Security, from
HiveManager go to
Home
Administration
HiveManager
Services
• Check the box
next to Websense
Server Settings
• Click the “here”
link to sign up for
a free 30-day trial
• Sign up for a free
30-day Websense
trial

LAB: CLOUD PROXY

LAB: Cloud proxy
1. Edit employee network settings
• Cloud Web Proxy is enabled within a Network Policy

• You may only want to enable this service for corporate
employees
• Next to your Class-PSK-X SSID, under Network(VLAN) click
your network: 10.1.1.0-Employee-X
• Click on the  icon to edit your network
LAB: Cloud proxy
2. Enable web security
• In the network for employees, next to

Web Security, select Websense from the
drop-down menu
• You can keep the option to Deny all
outbound HTTP and HTTPS traffic if
connectivity to the web security server is
lost
• Click Save and then OK
LAB: Cloud proxy
3. Edit guest network settings
• Cloud Web Proxy is enabled within a Network Policy

• You may only want to enable this service for corporate
employees
• Next to your Class-PSK-X SSID, under Network(VLAN) click
your network: 192.168.83.0-Guest-X
• Click on the  icon to edit your network
LAB: Cloud proxy
4. Enable web security
• In the network for employees, next to

Web Security, select Websense from the
drop-down menu
• You can keep the option to Deny all
outbound HTTP and HTTPS traffic if
connectivity to the web security server is
lost
• Click Save and then OK
LAB: Cloud proxy
5. Verify web security
• Note that web security is enabled

• Click Continue to save and go to updates

LAB: Cloud proxy
6. Upload policy to branch router
• Update the configuration of your router

• Click Settings to perform a complete update

TEST CLOUD WEB SECURITY
INSTRUCTOR DEMO – INSTRUCTOR
MUST HAVE CONFIGURED THE
CLASSROOM ROUTER FOR CLOUD
PROXY

Lab: Test LAN Port Web Security
1. Connect your computer to Eth1 on the Router
• Connect the Ethernet Port 2 of your computer to the

ETH2 interface on the router
Class Switch
BR100

2. Open web browser to a website
Class Switch
BR100
• Open a web browser on your remote

computer to a respectable website
• You will be redirected to a captive web portal

3. Login through the captive web portal
• Enter a user name: lanuser

• Password: Aerohive1
• Click Log In
4. Test a web site that is forbidden
• Open a web browser

an try going to:
www.guns.com
• You should be
redirected to a web
page informing that
you were denied from
accessing the site
• This will be denied
because the
Websense policy used
has a rule against sites
that provide
information about,
promote, or support
the sale of weapons
and related items

Websense Cloud Web Security Policies
• From the
Websense
Cloud Web
Security login,
you can set
the web
categories
policies, web
content
security, and
much more...
Note: Here you
can see that
there is a rule
blocking
Weapons sites

MISC

Overwrite protection for NetConfig UI
WAN settings
• The default behavior of of a

branch router originally set up
using the NetConfig UI is
protected from being
overwritten by updates
pushed to it from
HiveManager at a later date.
• To disable the NetConfig UI
settings protection for the BRs,
click Configuration 
Devices, select one or
multiple BRs, and then click
Utilities  Disable NetConfig
UI WAN Configuration.
Protects the NetConfig UI based WAN port

configuration of BR’s and routing devices

THANK YOU – REALLY!!

Aerohive Certified Networking Professional (Acnp) : Confidential

Încărcat de

Informații document

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

Aerohive Certified Networking Professional (Acnp) : Confidential

Încărcat de

Drepturi de autor:

Formate disponibile

AEROHIVE CERTIFIED NETWORKING

© 2013 Aerohive Networks CONFIDENTIAL 1

•What is your name?

© 2013 Aerohive Networks CONFIDENTIAL 2

© 2013 Aerohive Networks CONFIDENTIAL 3

Each student connects to HiveManager, a remote PC, and a Aerohive AP

• Overview of Switching and Routing Platforms

Aerohive Access Points using external

Access Points are connected from eth0 to

© 2013 Aerohive Networks CONFIDENTIAL 6

Please view the Aerohive Getting Started Videos:

© 2013 Aerohive Networks CONFIDENTIAL 7

All the latest technical documentation is available for

© 2013 Aerohive Networks CONFIDENTIAL 8

• Aerohive Education Services offers a complete curriculum that provides

© 2013 Aerohive Networks CONFIDENTIAL 9

CWNA Certified Wireless Network Administrator

CWSP Certified Wireless Security Professional

802.11 Wireless Networks: The Definitive Guide,

Over 20 books about networking have

• Aerohive Certified Wireless Administrator

• Aerohive’s online community – HiveNation

© 2013 Aerohive Networks CONFIDENTIAL 12

Follow us on Twitter: @Aerohive

Please feel free to tweet about #Aerohive training

© 2013 Aerohive Networks CONFIDENTIAL 13

How do I buy Technical Support?

I have different expiration dates on several Entitlement keys, may

I want to talk to somebody live.

© 2013 Aerohive Networks CONFIDENTIAL 14

How do I reach Technical Support?

How Do I get Technical Support outside The Americas?

I need an RMA internationally

Copyright © 2013 Aerohive Networks, Inc. All rights

Aerohive Networks, the Aerohive Networks logo,

© 2013 Aerohive Networks CONFIDENTIAL 17

© 2013 Aerohive Networks CONFIDENTIAL

Overview of hardware and software platforms

© 2013 Aerohive Networks CONFIDENTIAL 19

SR2024P SR2124P SR2148P

24 PoE+ (195 W) 24 PoE+ (408 W) 48 PoE+ (779 W)

4 Ports 1G SFP Uplinks 4 Ports 10 G SFP/SFP+ Uplinks

56Gbps switching 128 Gbps switch 176 Gbps switch

Single Power Supply Redundant Power Supply Capable

© 2013 Aerohive Networks CONFIDENTIAL 20

© 2013 Aerohive Networks CONFIDENTIAL

Express Mode Enterprise Mode

© 2013 Aerohive Networks CONFIDENTIAL 22

© 2013 Aerohive Networks CONFIDENTIAL 23

© 2013 Aerohive Networks CONFIDENTIAL 24

BR 100 BR 200 AP 330 AP 350 VPN Gateways

Single Radio Dual Radio

5-10 Mbps ~500 Mbps

© 2013 Aerohive Networks CONFIDENTIAL * Also available as a non-Wi-Fi device 25

© 2013 Aerohive Networks CONFIDENTIAL 26

AP121 AP141 AP330 AP350 AP230 * AP370 AP390 AP170

TPM Security Chip

2X Gig.E - 10/100 link 2X Gig.E w/ link 2X Gig E

PoE (802.3af + 802.3at) and AC Power PoE (802.3at)

Plenum/D Plenum/Plenum Water Proof (IP

© 2013 Aerohive Networks CONFIDENTIAL

• Securely browse to the appropriate HiveManager for class

© 2013 Aerohive Networks CONFIDENTIAL 34