ACMA Day2 Ver2.2
ACMA
Part II
HiveManager Advanced Topics
• Strong received signal and high SNR needed to get the higher data rates
54 Mbps 36 Mbps 18 Mbps 6 Mbps
• Receive sensitivity of client and AP radios varies between vendors and chipsets
7 | © 2018 Aerohive Networks. All Rights Reserved.
Dynamic Rate Shifting
CRC passes
CRC fails
No ACK frame sent by receiver
CRC fails
• RF interference (Layer 1)
• Low SNR (Layer 1) (bad design)
• Latency goes up
SNR = 25 dB
SNR = 7 dB
• 20 dB or greater
• 25 dB or greater for voice-grade networks
• 32 dB or greater to use 256 QAM modulation
BSSID #1 BSSID #2
Printing 1 Mbps
• RF is a half-duplex medium
• Multiple SSIDs create more layer two 802.11 management overhead
• Extra set of beacons, probe responses, etc… consume airtime
Beacon: SSID #1
Beacon: SSID #2
Beacon: SSID #3
Beacon: SSID #4
Beacon: SSID #5
Beacon: SSID #6
Beacon: SSID #7
User Profiles – Assignment Rules
• Consolidate SSIDs
• Multiple User Profiles can be linked to a single SSID
• Different groups of users connected to the same SSID can be assigned different access control rules
• The result is that different VLANs, firewall policies, rate-limiting policies, etc can be assigned to different groups of users
• Co-channel interference (CCI)
• APs consume each other's airtime
[Figure: APs all on Channel 1]
• Primary goal of channel reuse patterns is to prevent co-channel interference
• Reduces airtime consumption by isolating frequency domains (channels)
[Figure: APs on Channels 1, 6 and 11]
• Does RF just stop?
• Almost impossible to prevent CCI at 2.4 GHz
[Figure: APs on Channels 1, 6 and 11]
• CCI is not static and always changing
• Client transmissions cause CCI
[Figure: APs on Channels 1 and 6]
Client            20 MHz      40 MHz      80 MHz
1x1:1 802.11ac    78 Mbps     162 Mbps
2x2:2 802.11ac    156 Mbps    324 Mbps    702 Mbps
3x3:3 802.11ac    260 Mbps    540 Mbps    1170 Mbps
• More frequency space provides higher data rates
Channel Bonding
• Bonding results in +3 dB increase of noise floor
• Lower modulation data rates will be used
• Increase odds of CCI
• Degrades performance
• Two channel 40 MHz reuse
• Results in CCI
[Figure: 20 MHz channels 36, 40, 44 and 48 bonded into 40 MHz channels 38 and 46]
• Nine channel 40 MHz reuse
• Decreased possibility of CCI
[Figure: 40 MHz channels 38, 46, 102, 110, 118, 126, 134, 151 and 159]
• Capacity Problems
• Increase CCI
• Hidden Node
• Mismatch power between clients and AP
• Roaming – Sticky problems
• Turn down the power!
Concrete block
AP #1 36/100 AP #5 149/116
AP #2 40/104 AP #6 153/132
AP #3 44/108 AP #7 157/136
AP #4 48/112 AP #8 161/140
AP #1 36/116 AP #5 100/140
AP #2 40/120 AP #6 104/136
AP #3 44/124 AP #7 108/132
AP #4 48/100 AP #8 112/128
Admin: [email protected]
Password: Aerohive123
▪ Configure > Common Objects
• On the left navigation, select Radio Profiles
• Click to create a new radio profile
Lab: Radio Profiles
2. Set Name and Radio Mode
• Name: 2.4GHz-X
• Balance band use: Clients can be steered to either band. Allocate a 50/50 mix to balance the clients between the bands.
• Encourage 5 GHz band use: Most clients will go, but if they insist on 2.4, let them stay.
• Enforce 5 GHz band use: If a client supports 5 GHz
Band Steering Animation
2.4GHz Client
2.4GHz & 5GHz Client (Out of Range of 5GHz)
2.4GHz & 5GHz Client (In Range of 5GHz)
3 clients
21 clients 6 clients
21 clients 60 clients
24 21 clients
• Verify ☑ Enable short guard interval
• Click to save your 2.4 GHz Radio Profile
▪ Configure > Common Objects
• On the left navigation, select Radio Profiles
• Click to create a new radio profile
• Name: 5GHz-X
• Select ac
▪ Click and drag the slider bar until the display window reads ac
5 GHz Channels
Frequency (GHz): 5.15 5.25 5.35 5.47 5.725 5.825 5.85 5.925
Bands: U-NII-1 U-NII-2A U-NII-2B U-NII-2C U-NII-3 U-NII-4
20 MHz channels: 36 40 44 48 52 56 60 64 68 72 76 80 84 88 92 96 100 104 108 112 116 120 124 128 132 136 140 144 149 153 157 161 165 169 173 177 181
40 MHz channels: 38 46 54 62 70 78 86 94 102 110 118 126 134 142 151 159 167 175
160 MHz channels: 50 82 114 163
• Check ☑ Enable short guard interval
• Click to save your 5 GHz Radio Profile
For dual-5 GHz APs, SDR automatically scans and selects either a 2.4 or a
5 GHz profile that will provide the best coverage. If the current coverage is
determined to be acceptable, SDR will not make any changes. For devices
that do not support dual-5 GHz radios, SDR scans and automatically shuts
down 2.4 GHz radios when they are not required for good coverage.
Flowchart labels:
WiFi0: 2.4GHz
WiFi1: 5GHz
ACSP STARTS
Channels are assigned to both radios
SDR STARTS
RF Redundancy Detection Algorithm
Above threshold?
NO
WiFi0 stays on 2.4GHz
YES
ACSP-SDR COMPLETES
▪ Configure > Common Objects
• On the left navigation, select SDR Radio Profiles
• Click to create a new radio profile
Note: Radio Profile Candidates are for dual 5 GHz APs; select a radio profile for 2.4 GHz and 5 GHz. This selection is not required for non-dual-5 GHz APs.
Start Finish
Start
• Dynamic Polarization Switching changes
• Change polarization based on client(s)
• Adjust polarization to provide best polarization for client device
• Select Configuration > Device Configuration
• Configurable settings unique to this one AP are available
• Select ☑ Sensor (for Presence) and the radio will function as a full-time sensor for Presence Analytics or WIPS
• Note: Must also enable Presence Server settings in the Radio Profile
• Exclude channels from auto-selection is off by default in device specific settings
• Exclude Channels On
• ☑ Select the channels to be excluded from the dynamic channel plan
• Example: ☑ 149 ☑ 153
▪ Transmission Power
• Select ⦿ Manual
• Use the slider bar to set a static transmit power level for the radio
▪ SSIDs can also be enabled or disabled globally for all AP radios in the SSID profile settings in a Network Policy
• WiFi0 interface is a software-definable radio that can transmit on either the 2.4 GHz or 5 GHz bands
▪ Consider the type of 5 GHz channel planning that might be needed if you have multiple dual 5 GHz APs deployed throughout an entire building:
• Pair non-DFS channels with DFS channels (this ensures connectivity for clients that do not support DFS)
AP #1 36/100 AP #5 149/116
AP #2 40/104 AP #6 153/132
AP #3 44/108 AP #7 157/136
AP #4 48/112 AP #8 161/140
▪ The channel map shows two Aerohive APs using channel 153 and two Aerohive APs using 161, which provides double the bandwidth of a single channel mesh solution
Router
PoE PoE
Atlanta
Seattle
Additional Settings > Policy Settings > Device Time Zone
• Select ☑ Apply time zone to devices via classification
• Click +
• Name: West-Coast
• Click +
• Click Device Location
• Select the desired location, building or floor
• Click Select
• Name: East-Coast
• Click +
• Click Device Location
• Select the desired location, building or floor
• Click Select
• Observe the assignment rules
• Click Save
• Click Next
Admin: [email protected]
Password: Aerohive123
Router
Floor1 VLAN 8
SSID: Teacher Floor2 VLAN 10
• Click the Configure tab
• Select your Corp-X Network Policy
• Scroll down
• Select Personal WPA/WPA2 PSK
• Select ☑ Show Password
• Key Value: aerohive123
• holder
• Name: Teacher-VLANs-X
• Default VLAN ID: 1
• Select ☑ Apply VLANs to devices using classification
• Click +
• VLAN ID: 8Y
• Click Add
• Click +
• VLAN ID: 10Y
• Click Add
• Name: Rule-A-X
• Click +
• Select Device Location
• Click Select
• Click Save
• Name: Rule-B-X
• Click +
• Select Device Location
• Click Select
• Click Save
• Select ☑ only the access point/device whose name begins with your student number 0X
• Click
Note: Please only select your AP. Do not upload your policy to other APs during class.
• Click
Lab: Verification
Admin: [email protected]
Password: Aerohive123
• Scroll down
• Scroll up
• Wireless Intrusion Prevention System (WIPS)
• Click ON
• Name: WIPS-X
• Select ☑ Determine if detected rogue APs are connected to your wired (backhaul) network
Note: This setting is used for Rogue AP classification
Wired Detection
Wired: 00:11:22:33:44:50
Wireless: 00:11:22:33:44:55
Alert: Rogue AP
Rogue AP
Rogue Client
1. Rogue AP wired interface sends ARP broadcasts
2. Switch floods out all ports
3. Aerohive APs learn the wired MAC address of the rogue AP
4. Wireless MAC address (BSSID) of rogue AP is detected when the Aerohive APs perform scans
4. Aerohive AP compares the wireless and wired MAC addresses
5. If MAC addresses are in a range of 64 above or 64 below, the device is classified as a Rogue AP
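The wired-detection comparison described above, as an added Python example (not from the course material and not Aerohive code). It assumes the 64-above/64-below window is inclusive and applied to the MAC address read as a 48-bit integer; the function names and every sample address other than the slide's 00:11:22:33:44:50 / 00:11:22:33:44:55 pair are constructed.

```python
import re

# Added example, not Aerohive code. Assumption: the "64 above or 64 below"
# window is applied to the MAC read as a 48-bit integer, bounds inclusive.
WINDOW = 64
_MAC_RE = re.compile(r"[0-9A-Fa-f]{2}([:-][0-9A-Fa-f]{2}){5}")

def mac_to_int(mac: str) -> int:
    """Parse aa:bb:cc:dd:ee:ff (or '-' separated) into a 48-bit integer."""
    if not _MAC_RE.fullmatch(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(re.sub(r"[:-]", "", mac), 16)

def is_adjacent(wired_mac: str, bssid: str, window: int = WINDOW) -> bool:
    """True when the BSSID lies within +/- window of the wired MAC."""
    return abs(mac_to_int(wired_mac) - mac_to_int(bssid)) <= window

def wired_rogues(wired_macs, scanned_bssids, managed_bssids=()):
    """Map each unmanaged BSSID to the wired MAC it sits next to, if any.

    wired_macs:     source MACs learned from ARP broadcasts on the backhaul
    scanned_bssids: BSSIDs heard during the APs' scans
    managed_bssids: BSSIDs of our own APs, never reported
    """
    managed = {mac_to_int(m) for m in managed_bssids}
    hits = {}
    for bssid in scanned_bssids:
        if mac_to_int(bssid) in managed:
            continue
        match = next((w for w in wired_macs if is_adjacent(w, bssid)), None)
        if match is not None:
            hits[bssid] = match
    return hits

# Constructed sample input; only the first entry of each list is the slide's.
WIRED_SEEN = ["00:11:22:33:44:50", "00:aa:bb:cc:dd:f0"]
BSSIDS_SEEN = [
    "00:11:22:33:44:55",   # slide's rogue BSSID, 5 above its wired MAC
    "00:aa:bb:cc:de:05",   # 21 above ...dd:f0, carry crosses a byte boundary
    "00:11:22:33:44:91",   # 65 above ...44:50, outside the window
    "02:00:00:00:10:00",   # neighbour AP, no wired counterpart
]

if __name__ == "__main__":
    for bssid, wired in wired_rogues(WIRED_SEEN, BSSIDS_SEEN).items():
        print(f"Alert: Rogue AP {bssid} (wired MAC {wired})")
```

The check only ties a BSSID to the wire when its wired and radio MAC addresses are numerically close, so it is one input to rogue classification rather than a complete test.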
• Select ⦿ Manual
Semi Automatic mitigation requires an administrator to manually enable once a rogue AP is detected
• Click Save
• Select ☑ only the access point/device whose name begins with your student number 0X
• Click
Note: Please only select your AP. Do not upload your policy to other APs during class.
• Click
Sensor Mode
Classification Connected
Rogueclients
BSSID
RogueRogue
SSID Vendor
Rogue Location AP Detection
ReportingClassification Times
Reason
• Select ☑ Rogue
• Select ☑ Unauthorized
• Select ☑ Neighbor
• AP has been re-classified as a Neighbor
• Neighbor APs are not considered to be threats
• From a topology map, choose the View Heat Map tab
• Devices: Click Real
• Select ☑ Rogue
▪ Real-time and historical monitoring of Devices such as APs and Switches
• Multiple sortable columns
• Multiple Filters
• Utilities and Actions
• Device Updates
• Click the Column Picker icon to choose available columns
☞
• Click and hold on any column header
☞
• You can also advance through the devices one page at a time
• Monitoring > Wireless Interfaces displays information about the Wi-Fi radios
• Adjustable timeline view
• Adjustable timeline
• Multiple sortable columns
• Multiple Filters
• Click the Edit icon to choose available columns
Monitor Clients
Dashboard Summary is a quick instantaneous report.
Diagnostics displays:
• Top Access Points by Channel Utilization
• Top Access Points by CPU Usage %
• Top Access Points by Retries
Inventory displays:
• Device Count Rollup
• Configuration Status
• User Profiles
• User Groups
• Device Count by Model
• Device Count by OS Version
• Device Count by Location
Dashboard Inventory
• When creating a new user, Role Based Access Control offers two choices:
• Internal user account: Admin/users from within the organization
• Outside users: Admin/users from outside the organization (resellers, distributors…)
• To create an internal admin account, select ⦿ Create a new user account
• Access can also be granted to outside users: Admin/users from outside the organization (resellers, distributors…)
• To create an external admin account, select ⦿ Grant access to outside users
• Important: Outside users must have existing HiveManager NG accounts
• NG Accounts are checked against their email address
• Outside accounts will be indicated by the EXT icon
Role Based Access Control
• To view the topology map tiers, from the top-level menu, click Plan
• Tier one of the network map is called a network name and it is often named after your organization.
• The definition of the second tier depends on how you define your network map.
• You can assign either a geographic location, such as a city or town, or a building to the network name.
• For role based access control, tier two is the most important tier because its assignment determines the admin/user access.
• Example #1: Tier two based on locations
• Example #2: Tier two based on buildings
Role Based Access Control
• For role based access control, tier two is the most important tier because its assignment determines the admin/user access:
• Administrator
Administrator role provides full access to all configuration, monitoring, and administrative functions. It is the only role that has access to account and license management.
• Operator
Operator role provides full access to most functions including network and device configuration. However, it does not allow access to user account and license management.
• Monitor
Monitor role provides full access to troubleshooting and read-only access to monitoring and configuration functions.
• Help Desk
Help Desk role provides full access to the Troubleshoot tab and search access to the User 360 View and Client 360 View.
• Guest Management
Guest Management role provides access to create network credentials.
• Observer
Observer role provides read-only access to most functions except for account and license management.
Account Management
• Device CLI passwords can always be globally set from Administration > Device Management Settings
• Default Password: xxxxxxxxxx
• Confirm Default Password: xxxxxxxxxx
• Click Save
HiveManager NG Logs
▪ Other options:
▪ ⦿ Active at next reboot
▪ Requires a manual reboot
▪ ⦿ Activate at the following time
▪ Set a specific activation and reboot
YES
Are you done?
Mesh APs NO
Complete Updates