Bpg Configuring Wired Networks for Wi Fi


  • 7/27/2019 Bpg Configuring Wired Networks for Wi Fi


    Configuring Wired Networks for Wi-Fi

    ENTERPRISE

    Best Pra


    2013 Ruckus Wireless, Inc. Wired Networks for Wi-Fi v1.3

    Table of Contents

    Copyright Notice and Proprietary Information
    Intended Audience
    Overview
    Network Security
      Network Port Access
        Access Points
        ZoneDirector
      Firewalls
        ZoneDirector and Managed APs
        Standalone APs
        FlexMaster
        Firewall Caveat
      Management Access
        Access Points
        ZoneDirector
    Configuring Untagged WLANs
      Note on VLAN 1
      Example
      Wired Configuration
      ZoneDirector Configuration
    Configuring Tagged WLANs
      Note on VLAN 1
      Example
      Wired Configuration
      ZoneDirector Configuration
      Dynamic VLANs
      Wired Configuration
      ZoneDirector Configuration
    Configuring Tunneled WLANs
      Note on VLAN 1
      Example
      Wired Configuration
      ZoneDirector Configuration
    VLAN Overrides
      ZoneDirector Configuration
    Management VLANs
      Note on VLAN 1
      Who Should Use Management VLANs
      Example
      Wired Configuration
      ZoneDirector Configuration
      AP Configuration
      Recommendations
        Switch Port Configuration
        APs Can Discover the ZoneDirector
        APs First
    Configuring Quality of Service
      WMM, ToS and DSCP Support
        Other Classification Values
        Modifying Traffic Classification
      Multicast and Broadcast Traffic
        ZoneDirector Directed Traffic Commands
        AP Directed Traffic Commands
      Configuring per-SSID Priority
        ZoneDirector-based SSID Prioritization
    Troubleshooting
      AP Cannot Connect to ZoneDirector
        Discovery
        VLANs and Connectivity
        Model Support
        Firewalls
      Captive Portal Fails to Redirect to Login Page
    Appendix A: Recommended Reading
      OSI Model
      Virtual LANs
      Cisco Wired Networking
    Appendix B: Common Cisco Commands
      Configuring an Access Port
      Configuring a Trunk Port
      Troubleshooting
        Access Port
        Trunk Port
    Appendix C: Common HP Commands
      Configuring a Port
    Appendix D: Common Extreme Commands
      Configuring a Port
    Appendix E: Configuring Enterasys S


    Copyright Notice and Proprietary Information


    Intended Audience


    Overview

    Most wireless networks are designed for wireless to wired communications. This requires a sound design both on the wireless and wired network. This document describes recommended practices for designing the wired side and the wireless side for seamless communication and application support. Several relevant topics are covered:

    - OSI-level integration
    - Network deployment models
    - Network element placement within a deployment model
    - Security
    - Quality of Service
    - Common issues and troubleshooting

    OSI

    When discussing interactions between two types of networks, a good place to start is with the Open Systems Interconnection (OSI) model. This describes the functions of a network in terms of distinct layers. Each layer defines a specific function required to transmit and receive data over a physical medium up to the end application.

    Figure 1 - OSI Model


    Appendix A: Recommended Reading at the end of this document.

    Wired Networks and OSI

    From the wired network perspective, the OSI framework is as follows:

    Layer 1 (physical) - the physical medium for wired networks; it typically consists of copper or fiber optic cabling.

    Layer 2 (data link) - consists of the basic communications protocol to transmit frames, physical addressing, and access and flow control. For an Ethernet network this is defined in the IEEE 802.3 specification. Layer 2 assumes a single network in which all devices are reachable to each other. Layer 2 is often referred to as the MAC or IP layer [1], as well as a subnet.

    Layer 3 (network) - provides mechanisms to transport data (routing) from one network to another. Routers and Layer 3 Ethernet switches typically perform this. Layer 3 networks can use different protocols over the IP network such as UDP and TCP.

    Virtual LANs

    Virtual LANs (IEEE 802.1Q specification) are commonly deployed as part of a Layer 2 network. A VLAN is a way to logically create a Layer 2 network that mimics a physical Layer 2 network. Multiple VLANs can exist in a given infrastructure. VLANs are often referred to as broadcast domains, meaning that all devices on physical ports configured to be part of that VLAN can reach each other but no other device. Two devices might be physically connected to the same Ethernet switch, but if they are members of different VLANs they will require a Layer 3 routing service to reach each other.

    VLANs work by modifying a frame to include a VLAN ID number. This is referred to as VLAN tagging. No number means a packet is untagged, i.e. it is part of the locally defined Layer 2 network for that physical port (called an access port). When a VLAN tag is inserted, the Ethernet switch must be configured to understand and use that VLAN tag. Not all Ethernet switches understand or honor VLAN tags; those that do support 802.1Q must be configured so they know what to do with it.

    Physical switch ports that understand 802.1Q are typically referred to as trunk ports - they consist of a native VLAN (the untagged network) and one or more VLANs. Any packet that arrives with a VLAN tag is sent to any other physical ports that have that VLAN tag defined.

    The diagram below shows how VLAN tags work on a single switch and upstream to a second switch.

    [1] There are several other non-IP protocols that may be used; for the purposes of this document only IP is discussed.


    Figure 2 - VLAN Tagging

    Switch 1 (top) is configured with some ports (untagged) in the red VLAN and some in the blue VLAN. The gray ports are not configured for VLAN tagging. Note that the uplink port that connects it to Switch 2 is a trunk port that is configured for the red and blue VLANs.

    In this scenario, machine A can only communicate directly with machine C. The same is true for the devices on the blue VLAN - B and D. If machine A needs to communicate with B or D the traffic must be routed. This can occur on these switches (if they are Layer 3) or via an external router that also has a trunk port configured with the red and blue VLANs.

    How a wired switch or router is configured to create these actions depends on the vendor but conceptually, they all follow the same behavior. In some cases, the same behavior can be achieved in multiple ways.
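    The tagging and trunk behavior described above, as an added example that is not part of the original guide: it builds the 4-byte 802.1Q tag and models access and trunk ports to reproduce the Figure 2 result. The VLAN IDs (10 for red, 20 for blue), the placement of A and B on Switch 1 and C and D on Switch 2, and all class and function names are assumptions; real switches differ in how they treat unexpected tags.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that marks an 802.1Q tag
RED, BLUE = 10, 20    # constructed VLAN IDs for the red and blue VLANs


def add_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag after the two 6-byte MAC addresses."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be in 1..4094")
    tci = (pcp << 13) | vid   # 3-bit priority, 1-bit DEI (0), 12-bit VLAN ID
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def split_tag(frame: bytes):
    """Return (vid, frame_without_tag); vid is None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None, frame
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF, frame[:12] + frame[16:]


class Port:
    """Switch port: `native` takes untagged frames, `tagged` lists trunk VLANs."""

    def __init__(self, name, native=None, tagged=()):
        self.name, self.native, self.tagged = name, native, frozenset(tagged)

    def classify(self, frame):
        """Ingress: pick the VLAN a frame belongs to (None means drop it)."""
        vid, inner = split_tag(frame)
        if vid is None:
            return self.native, inner
        # Model assumption: a tag that is not defined on the port is dropped.
        return (vid if vid in self.tagged else None), inner

    def emit(self, vlan, inner):
        """Egress: untagged on the native VLAN, tagged on a trunk VLAN."""
        if vlan == self.native:
            return inner
        if vlan in self.tagged:
            return add_tag(inner, vlan)
        return None   # this port is not a member of the VLAN


def flood(ports, in_port, frame):
    """Forward a broadcast: {port name: bytes sent} for each member port."""
    vlan, inner = in_port.classify(frame)
    if vlan is None:
        return {}
    sent = {}
    for port in ports:
        out = None if port is in_port else port.emit(vlan, inner)
        if out is not None:
            sent[port.name] = out
    return sent


def two_switch_reach(sender: str):
    """Hosts reached by a broadcast from `sender` (A or B) across both switches."""
    sw1 = [Port("A", RED), Port("B", BLUE), Port("uplink", tagged={RED, BLUE})]
    sw2 = [Port("C", RED), Port("D", BLUE), Port("uplink", tagged={RED, BLUE})]
    # Constructed frame: broadcast destination, made-up source MAC, IPv4 EtherType.
    frame = bytes.fromhex("ffffffffffff02000000000a0800") + b"constructed payload"
    src = next(p for p in sw1 if p.name == sender)
    sent = flood(sw1, src, frame)
    reached = {name for name in sent if name != "uplink"}
    if "uplink" in sent:   # the tagged copy crosses the trunk to Switch 2
        reached |= set(flood(sw2, sw2[2], sent["uplink"]))
    return sorted(reached)


if __name__ == "__main__":
    print("A reaches", two_switch_reach("A"))
    print("B reaches", two_switch_reach("B"))
```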

    Wi-Fi and the OSI Model

    A Wi-Fi network works within the OSI model as follows:

    Layer 1 (physical) - the physical medium for wireless networks (also called the PHY layer), consisting of the RF signal from a radio, the spectrum and modulation used to transmit raw symbols. Examples of Layer 1 include 802.11a, 802.11g, etc.


    Layer 2 (data link) - consists of the basic communications protocol to transmit frames, physical addressing, and access and flow control. For a Wi-Fi network this is defined in numerous IEEE 802.11 specifications. Layer 2 assumes a single network in which all devices are reachable to each other. Because Wi-Fi is a shared medium (unlike most wired networks), collision detection and avoidance is extremely important. This is still the IP network layer for IP-based deployments.

    Layer 3 (network) - provides mechanisms to transport data (routing) from one network to another. Routers and Layer 3 Ethernet switches typically perform this. This function is unchanged from the wired model.

    Common Wi-Fi Deployments

    Once a client connects to an AP, the traffic is usually transported from the AP to a wired network. Which network it goes to will depend on the configuration of the AP. Some common scenarios are:

    1. All traffic for the SSID is untagged and goes to the native VLAN on that port
    2. All traffic for the SSID is tagged for a specific VLAN (static or dynamic)
    3. Traffic is tunneled from the AP to the controller and then onto the wired network

    Correctly designing and configuring the wired network is critical for a successful Wi-Fi deployment. The rest of this document examines each of these points in depth and offers guidelines and suggestions for optimized wired design configuration with Ruckus wireless equipment. Where needed, specific configuration commands are documented for step-by-step configuration instructions.


    Network Topology Design

    Most Wi-Fi equipment acts as an adjunct to an existing wired network; i.e. the Wi-Fi essentially functions as an extension of the wired network rather than self-contained. When designing for a Wi-Fi deployment, the first question is overall network topology. It's important to understand how and where the wireless client traffic will enter the wired network. There are common solutions to this:

    - Distributed data forwarding - Client traffic enters the network at the AP switch port
    - Centralized data forwarding - Client traffic is tunneled to the ZoneDirector and enters the network from the ZoneDirector's switch port

    Both of these methods are supported by Ruckus Wireless equipment. Each option is configured on a per-SSID basis.

    The decision on which to use will depend on the local environment and usage requirements.

    Distributed Data Forwarding


    Figure 3 - Distributed Data Forwarding Topology

    Advantages

    Distributed data forwarding offers the highest performance for a Wi-Fi network. The client traffic is immediately placed on the wired network at the AP switch port. There is no additional delay, latency or potential bottleneck to slow down throughput.

    Disadvantages

    A large Wi-Fi network could potentially have the same WLAN (SSID) broadcast on APs on different networks. If two APs both have the same SSID but put clients on different subnets, the client will need to release its first IP address and request a new one. This can take time and delay data transmission from that device. This is normally not a problem for data traffic but it can cause issues for VoIP Wi-Fi devices, which can drop calls if transmission latency is over 150ms. For more information on how APs use different subnets for the same SSID, please see Dynamic VLANs and VLAN Overrides.

    802.1Q VLAN Tagging

    In a distributed model, any network that is available on an AP's wired port is available for the WLAN clients connected to that AP. If the switch port is unmanaged or has a default VLAN assigned, all AP traffic should be sent as untagged traffic to that port.


    If the wired switch is configured for VLAN tagging however, the AP may have several network choices available: the untagged (default) VLAN on the port or it may include an 802.1Q tag on the client traffic and place it on a different VLAN.

    Client traffic can be tagged or untagged - this refers to the network it will be placed into by the AP.

    Centralized/Tunneled Data Forwarding


    SSID on the same VLAN then tunneling is not required since there is no potential VLAN change.

    Tunneling is also useful when traffic must be broken out using the ZoneDirector as a terminator, e.g. hotels that want to only send encrypted POS traffic in a tunnel and all guest data distributed locally.

    Disadvantages

    Sending all traffic through the ZoneDirector does make it a point of failure. It also limits the maximum throughput; the amount of data that can go through a single ZoneDirector with one Gigabit Ethernet port is far smaller than 10 APs all sending data locally (distributed) on their own Gigabit Ethernet ports. If throughput performance is a requirement, centralized data forwarding is not a good choice.

    The following table shows some estimates on tunneling throughput based on the ZoneDirector model. These are estimates only and may differ depending on specific packet size and characteristics.

    ZoneDirector Model    Unencrypted Throughput    Encrypted Throughput
    ZD1100                598 Mbps                  63 Mbps
    ZD3000                1893 Mbps                 1208 Mbps
    ZD5000                1957 Mbps                 1949 Mbps

    *Numbers are based on the sum bi-directional throughput with 1518 byte packets and dual ports.

    802.1Q VLAN Tagging

    In a centralized model, any network that is available on a ZoneDirector's wired port can be available for the WLAN clients. If the switch port is unmanaged or has a default VLAN assigned, all traffic should be sent as untagged traffic to that port.

    If VLAN tagging is used, the ZoneDirector's switch port must be configured as a trunk port - NOT the AP. The AP will tag the traffic for the correct VLAN but that is not used until the traffic is outside the LWAPP tunnel.

    If the wired switch is configured for VLAN tagging however, several network choices may be available: the untagged (default) VLAN on the port or it may include an 802.1Q tag on the client traffic and place it on a different VLAN.


    Client traffic can be tagged or untagged - this refers to the network it will be placed into by the AP.


    Network Element Placement


    - Active-Active - two ZoneDirectors are active at the same time and each supports approximately half of the APs
    - Primary-Secondary - each AP is given a primary ZoneDirector (preferred) and a secondary to contact if the primary is unreachable
    - Smart Redundancy - N+1 active-standby redundancy

    Pros and Cons of Redundancy Strategies

    Method: Active-Active
      Advantage:
        - Simplest configuration, self-balances across all APs (no configuration necessary)
      Disadvantage:
        - No automatic configuration updates between controllers (manual)
        - APs see a different controller at failover
        - L2 only

    Method: Primary-Secondary
      Advantage:
        - Simple to configure
        - L2 or L3 support
      Disadvantage:
        - No automatic configuration synchronization between controllers
        - Network disruption could cause some APs to connect to primary and some on secondary at the same time
        - APs see a different controller at failover
        - If both controllers are unavailable, APs will not try to connect to a third controller

    Method: Smart Redundancy
      Advantage:
        - True N+1 redundancy
        - Automatic synchronization of configuration, databases
        - Transparent to APs
        - L2 or L3 support
      Disadvantage:
        - More complex configuration
        - Network isolation could cause AP split across controllers (fixed when network converges)

    In each case, redundant controllers must be the same model and software version. They must also be licensed for the same number of APs.

    Full coverage of all redundancy options is beyond the scope of this document. For more information on how to configure redundancy, please refer to the ZoneDirector User Guide.

    Performance


    affected by packet size. The table below offers some guidelines on throughput capacity based on 1400 byte packets.

    ZoneDirector Model    Unencrypted Tunnel Performance    Encrypted Tunnel Performance
    ZD1100                ~300 Mbps                         ~62 Mbps
    ZD3000                ~900 Mbps                         ~580 Mbps
    ZD5000                ~957 Mbps                         ~297 Mbps

    ZoneDirector Discovery

    The ZoneDirector's location can affect how APs discover and join the ZoneDirector. In particular, a Layer 3 deployment will require some additional configuration to ensure the APs can find the ZoneDirector. There are several options available:

    - DHCP Option 43
    - DNS entry for zonedirector.
    - Static configuration via the AP shell
    - Pre-deployment configuration via Layer 2 to the ZoneDirector


    Network Security


    6. Click OK to save the changes

    NOTE: If 802.1X is not already configured correctly on the wired switch port, the AP will lose contact with the ZoneDirector.

    MAC Authentication (Wired Switch)

    If the wired switch supports it, the AP port may also be locked down to the specific AP's MAC address. This is not as secure as 802.1X - any device that can spoof the AP's MAC can use the port.

    Untagged Traffic

    Another possibility is to deny network access to all untagged traffic - for example, the untagged traffic might go to a non-routed subnet that has no connectivity, DHCP, DNS, etc. Since user devices would typically only transmit untagged traffic this would prevent them from gaining any useful network access. Using this solution however would require all other traffic (WLAN traffic and AP management traffic) to use 802.1Q tags.

    In the case of additional Ethernet ports on the AP, if they are not used, the best practice is to disable them. The following steps configure a ZoneDirector-managed AP or group of APs for 802.1X security:

    1. Log onto the ZoneDirector and go to Configure->Access Points
    2. Click Edit next to the AP or AP Group to be configured
    3. Under Port Setting, choose each unused port
    4. Make sure the Enable checkbox is unselected
    5. Click OK to save the changes


    ZoneDirector


    Firewalls


    80, 443    TCP    FlexMaster to AP template/auto configuration
    443        TCP    ZoneDirector to FlexMaster registration/informs
    443        TCP    FlexMaster to ZoneDirector firmware upgrades
    60010      TCP    ZoneDirector template feature (FlexMaster)
    8082       TCP    FlexMaster to AP wake up
    18301      UDP    SpeedFlex

    Firewall Caveat

    If the ZoneDirector is used to provide captive portal authentication (internal or guest access), the ZoneDirector must be accessible via HTTP/HTTPS by user devices.

    If the ZoneDirector or AP is used to provide WISPr or Open Secure Hotspot, the external captive portal must have access to the ZoneDirector (refer to the table above for specific ports).

    Management Access


    Configuring Untagged WLANs

    Once a client connects to an AP, the traffic is usually transported from the AP to a wired network. Which network it goes to will depend on the configuration of the AP. The simplest configuration is to instruct the AP to pass all client data as untagged to the wired network.

    Note on VLAN 1

    Ruckus equipment will always assume traffic should be untagged if VLAN 1 is specified. VLAN 1 traffic is never tagged.

    Example

    The following is an example of a Wi-Fi design with untagged client traffic on the employee network (VLAN 1). The example uses three networks:

    Name        Network       Usage
    VLAN 1      10.1.1.0      Employee
    VLAN 100    10.1.100.0    BYOD
    VLAN 200    10.1.200.0    Guest

    The Ethernet switch is marked to show the default (untagged) VLAN for each port.


    Figure 5 - Untagged WLAN Traffic

    To place employee Wi-Fi clients on VLAN 1 (10.1.1.0), the AP must be configured to not tag client traffic for that SSID.

    NOTE: Although the ZoneDirector is shown also connected to VLAN 1 (untagged), this is not required. The ZoneDirector can be on any network provided it can communicate with the AP.

    Wired Configuration

    The AP's port on the Ethernet switch in this example must be configured such that VLAN 1 is available and untagged (access port). For examples of how to configure this on popular wired switches, please see the various appendixes at the end of this document.

    ZoneDirector Configuration

    Here are the steps to configure an SSID with untagged traffic on the ZoneDirector.

    1. Log onto the ZoneDirector Web UI
    2. Go to Configure->WLANs
    3. Click Create New in the WLANs section


    4. Enter the required information for the new SSID
    5. Click the Advanced Options link at the bottom of the window
    6. Make sure the VLAN ID under ACCESS VLAN is set to 1 (untagged)
    7. Click OK to save the changes


    Configuring Tagged WLANs

    Once a client connects to an AP, the traffic is usually transported from the AP to a wired network. Which network it goes to will depend on the configuration of the AP. An AP can add an 802.1Q VLAN tag if the device should be on a network other than the default.

    When a WLAN is configured with a specific VLAN tag, the client traffic is modified to include the VLAN tag in the frame. This means the Ethernet switch will keep the tag and use it to place the traffic on the correct network. If the Ethernet switch port is not configured as a trunk port, or it does not have the correct VLAN assigned, it will ignore (drop) the client packets.

    Note on VLAN 1

    Ruckus equipment will always assume traffic should be untagged if VLAN 1 is specified.

    VLAN 1 traffic is never tagged.

    Example

    The following is an example of a Wi-Fi design with tagged client traffic on the guest network (VLAN 200). The example uses three networks:

    Name      Network     Usage
    VLAN 1    10.1.1.0    Employee
    VLAN 100  10.1.100.0  BYOD
    VLAN 200  10.1.200.0  Guest

    The Ethernet switch is marked to show the default (untagged) VLAN for each port. Each port is also configured as a tagged/trunk port for other VLANs.

    Figure 6 - Tagged WLAN Traffic

    To place guest Wi-Fi clients on VLAN 200 (10.1.200.0), the AP must be configured to tag client traffic for the Guest SSID. If the guest SSID is not tagged, these devices will be placed on the employee network (VLAN 1).
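The tagging outcomes described above, worked through as an added example (not Ruckus or switch-vendor code). It builds the frame an AP would send for a given ACCESS VLAN and models a switch port with a native VLAN and a tagged VLAN list; the MAC addresses, payload and all function and class names are constructed for illustration.

```python
import struct
from dataclasses import dataclass, field

TPID_8021Q = 0x8100          # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
AP_MAC = bytes.fromhex("02aabbccdd01")       # constructed, locally administered
GATEWAY_MAC = bytes.fromhex("02aabbccdd02")  # constructed


def ap_uplink_frame(access_vlan: int, payload: bytes, pcp: int = 0) -> bytes:
    """Frame as the AP puts it on the wire for an SSID with this ACCESS VLAN.

    Per the page, VLAN 1 means untagged; any other VLAN ID gets an 802.1Q tag.
    """
    if not 1 <= access_vlan <= 4094:
        raise ValueError("VLAN ID must be 1-4094")
    header = GATEWAY_MAC + AP_MAC
    if access_vlan != 1:
        tci = (pcp & 0x7) << 13 | access_vlan   # PCP (3 bits), DEI (1), VID (12)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_vlan_tag(frame: bytes):
    """Return (vlan_id, pcp) for a tagged frame, (None, None) for an untagged one."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet frame")
    (tpid,) = struct.unpack_from("!H", frame, 12)
    if tpid != TPID_8021Q:
        return None, None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF, tci >> 13


@dataclass
class SwitchPort:
    """Simplified ingress model: untagged -> native VLAN, tagged -> must be listed."""
    native_vlan: int = 1                             # VLAN given to untagged frames
    tagged_vlans: set = field(default_factory=set)   # empty set = access port

    def ingress_vlan(self, frame: bytes):
        """VLAN the frame is placed on, or None when the switch drops it."""
        vlan_id, _pcp = parse_vlan_tag(frame)
        if vlan_id is None:
            return self.native_vlan
        return vlan_id if vlan_id in self.tagged_vlans else None


NETWORKS = {1: "Employee", 100: "BYOD", 200: "Guest"}   # the page's example VLANs


def where_do_guests_land(guest_access_vlan: int, port: SwitchPort) -> str:
    """Network a guest client ends up on for a given SSID setting and AP port."""
    frame = ap_uplink_frame(guest_access_vlan, b"constructed guest payload")
    vlan = port.ingress_vlan(frame)
    return "dropped" if vlan is None else NETWORKS.get(vlan, f"VLAN {vlan}")


if __name__ == "__main__":
    trunk = SwitchPort(native_vlan=1, tagged_vlans={100, 200})
    access = SwitchPort(native_vlan=1)
    print("SSID tagged 200, trunk port :", where_do_guests_land(200, trunk))
    print("SSID left at 1,  trunk port :", where_do_guests_land(1, trunk))
    print("SSID tagged 200, access port:", where_do_guests_land(200, access))
```

The second case is the one to watch for in a review: nothing fails visibly, the guest clients simply share the employee network.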

    NOTE: Although the ZoneDirector is shown also connected to VLAN 1 (untagged), this is not required. The ZoneDirector can be on any network provided it can communicate with the AP.

    Wired Configuration

    The AP's port on the Ethernet switch in this example must be configured such that VLAN 200 is available and tagged. For examples of how to configure this on popular wired switches, please see the various appendixes at the end of this document.

    ZoneDirector Configuration

    Here are the steps to configure a guest SSID with tagged traffic on the ZoneDirector.

    1. Log onto the ZoneDirector Web UI
    2. Go to Configure->WLANs

    3. Click Create New in the WLANs section
    4. Enter the required information for the new SSID
    5. Click the Advanced Options link at the bottom of the window
    6. Make sure the VLAN ID under ACCESS VLAN is set to 200 (tagged)
    7. Click OK to save the changes

    Dynamic VLANs

    If RADIUS authentication is used for clients, dynamic VLANs may also be used. The RADIUS server sends a specific VLAN assignment for that user as part of the Access-Accept message. The VLAN assignment could be different for other clients even though they are on the same SSID. In this case, the AP will mark each client's traffic with the correct VLAN tag.

    Wired Configuration

    Dynamic VLANs are configured similarly to tagged traffic on a port. A wired switch port must be configured to allow all VLANs that might be assigned.

    ZoneDirector Configuration

    Here are the steps to configure a dynamic VLAN SSID with tagged traffic on the ZoneDirector.

    1. Log onto the ZoneDirector Web UI
    2. Go to Configure->WLANs
    3. Click Create New in the WLANs section
    4. Enter the required information for the new SSID (note that Dynamic VLANs are only available for WLANs that use RADIUS authentication: MAC authentication or 802.1X)
    5. Click the Advanced Options link at the bottom of the window
    6. Make sure the VLAN ID under ACCESS VLAN is set to the default VLAN for the SSID; it can be tagged or untagged (VLAN 1)
    7. Check the Enable Dynamic VLAN box
    8. Click OK to save the changes

    Note that a default VLAN must be specified for this SSID regardless of whether Dynamic VLANs are used or not. A default must always be specified in case the RADIUS server does not return a specific VLAN.

    RADIUS-assigned VLANs always override the default.
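An added example (not Ruckus code) of how a per-client VLAN can be read from an Access-Accept and resolved against the SSID default. The page does not name the RADIUS attributes; this example assumes the RFC 3580 convention (Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID carrying a numeric VLAN ID), and the packets and function names are constructed.

```python
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TYPE_VLAN, MEDIUM_802 = 13, 6     # values RFC 3580 uses for VLAN assignment


def attribute(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: type, length (including these two bytes), value."""
    return bytes([attr_type, len(value) + 2]) + value


def vlan_attributes(vlan_id: str) -> bytes:
    """The three tunnel attributes for one VLAN (tag byte 0x00 on the integers)."""
    return (attribute(TUNNEL_TYPE, b"\x00" + TYPE_VLAN.to_bytes(3, "big"))
            + attribute(TUNNEL_MEDIUM_TYPE, b"\x00" + MEDIUM_802.to_bytes(3, "big"))
            + attribute(TUNNEL_PRIVATE_GROUP_ID, vlan_id.encode("ascii")))


def access_accept(attributes: bytes = b"", identifier: int = 1) -> bytes:
    """Constructed Access-Accept. The authenticator is zero-filled here; a real
    RADIUS client verifies it with the shared secret before trusting attributes."""
    return struct.pack("!BBH16s", ACCESS_ACCEPT, identifier,
                       20 + len(attributes), bytes(16)) + attributes


def parse_attributes(packet: bytes) -> dict:
    """Return {attribute type: value} (first instance wins) or raise ValueError."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _identifier, length = struct.unpack_from("!BBH", packet)
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    attrs, pos = {}, 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(attr_type, packet[pos + 2:pos + attr_len])
        pos += attr_len
    return attrs


def assigned_vlan(packet: bytes, default_vlan: int) -> int:
    """RADIUS-assigned VLAN if one is returned and valid, else the SSID default."""
    attrs = parse_attributes(packet)
    tunnel_type = attrs.get(TUNNEL_TYPE, b"")
    medium = attrs.get(TUNNEL_MEDIUM_TYPE, b"")
    group = attrs.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if group and group[0] <= 0x1F:           # optional leading tag byte
        group = group[1:]
    is_vlan = (len(tunnel_type) == 4
               and int.from_bytes(tunnel_type[1:], "big") == TYPE_VLAN
               and len(medium) == 4
               and int.from_bytes(medium[1:], "big") == MEDIUM_802)
    if is_vlan and group.isdigit() and 1 <= int(group) <= 4094:
        return int(group)
    return default_vlan


def place_clients(replies: dict, default_vlan: int, ap_port_tagged: set) -> dict:
    """Map user -> (vlan, carried_by_ap_port). VLAN 1 is sent untagged (per the
    page), so it does not depend on the port's tagged VLAN list."""
    placed = {}
    for user, packet in replies.items():
        vlan = assigned_vlan(packet, default_vlan)
        placed[user] = (vlan, vlan == 1 or vlan in ap_port_tagged)
    return placed


REPLIES = {   # constructed Access-Accept packets for three clients on one SSID
    "alice": access_accept(vlan_attributes("100")),
    "bob": access_accept(),                          # no VLAN returned
    "carol": access_accept(vlan_attributes("300")),  # VLAN missing from the trunk
}

if __name__ == "__main__":
    for user, (vlan, carried) in place_clients(REPLIES, 200, {100, 200}).items():
        print(user, "-> VLAN", vlan, "" if carried else "(not on the AP port, dropped)")
```

Every VLAN the RADIUS server can hand out has to appear in the AP port's tagged list, which makes the server's VLAN policy part of the switch-port review.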

    Configuring Tunneled WLANs

    Once a client connects to an AP, the traffic is usually transported from the AP to a wired network. Which network it goes to will depend on the configuration of the AP. Normally a Wi-Fi client's traffic enters the wired network at the AP's switch port. But sometimes it is preferable to tunnel the traffic to the ZoneDirector's switch port instead.

    Traffic tunneling is usually used to allow more seamless roaming in certain conditions. For example, a Wi-Fi VoIP handset might roam from one AP to another. This is fine if both APs place it on the same subnet, but if the second AP is configured to put the handset on a different network it must drop its IP address and acquire a new one. The time to do this will drop any active voice connections.

    To solve this, the handset's voice traffic is tunneled from the AP to the ZoneDirector. This means any handset, regardless of the AP it is connected to, will be assigned a network, address, etc. from the ZoneDirector's switch port instead of the AP. Handsets can then roam to any AP and never need to drop their connection to acquire a new address.

    Because the traffic is tunneled back to the ZoneDirector, the AP does not need to be connected to a trunk port or have the voice subnet available; it only needs to be able to reach the ZoneDirector. The ZoneDirector controller is the device that must be connected to a wired switch port with the voice VLAN, not the AP.

    Note on VLAN 1

    Ruckus equipment will always assume traffic should be untagged if VLAN 1 is specified.

    VLAN 1 traffic is never tagged.

    Example

    The following is an example of a Wi-Fi design with tagged VoIP traffic on the voice network (VLAN 110). The example uses three networks:

    Name      Network     Usage
    VLAN 1    10.1.1.0    Employee
    VLAN 100  10.1.100.0  BYOD
    VLAN 222  10.1.222.0  Voice

    The Ethernet switch is marked to show the default (untagged) VLAN for each port. Each port is also configured as a tagged/trunk port for other VLANs.

    Figure 7 - Tunneled WLAN Traffic

    Voice clients must be placed on VLAN 222, but in this example the VLAN is not configured for the AP switch port. Instead, it will be tunneled via LWAPP over VLAN 1 to the ZoneDirector. The ZoneDirector is connected to a switch port that does have VLAN 222 available.

    Wired Configuration

    The ZoneDirector's port on the Ethernet switch in this example must be configured such that VLAN 222 is available and tagged. For examples of how to configure this on popular wired switches, please see the various appendixes at the end of this document.

    ZoneDirector Configuration

    Here are the steps to configure a voice SSID with tunneled traffic on the ZoneDirector.

    1. Log onto the ZoneDirector Web UI
    2. Go to Configure->WLANs
    3. Click Create New in the WLANs section
    4. Enter the required information for the new SSID
    5. Click the Advanced Options link at the bottom of the window
    6. Make sure the VLAN ID under ACCESS VLAN is set to 222 (tagged)
    7. Click the checkbox next to Tunnel Mode
    8. Click OK to save the changes

    This configuration will cause the AP to tag all client traffic on the voice SSID with VLAN 222 and tunnel it to the ZoneDirector. The client traffic will enter the network at the ZoneDirector's switch port.

    VLAN Overrides

    Sometimes the default VLAN configuration for an SSID has to be changed for a subset of APs/locations. This commonly happens in very large deployments where many smaller subnets are used instead of one very large broadcast domain. It might also be used if the same SSID is configured on APs in different geographical locations, i.e. different campuses, offices, etc.

    Figure 8 - VLAN Overrides

    WLAN Groups offer a way to change the VLAN assignment for an SSID broadcast by a group of APs.

    ZoneDirector Configuration

    Here are the steps to configure a WLAN group with VLAN override on the ZoneDirector.

    1. Log onto the ZoneDirector Web UI
    2. Go to Configure->WLANs
    3. Click Create New in the WLAN Groups section
    4. Select the WLANs an AP member of this group will broadcast

    5. To the right of each WLAN, set VLAN override if the VLAN tag has changed (VLAN 1 = untagged)
    6. Click Apply to save the changes
    7. Assign this WLAN Group to each AP that will use this VLAN override

    Management VLANs

    A management VLAN is dedicated to monitoring and managing network equipment. It is also the subnet over which management control plane traffic is sent: software upgrades, heartbeats, signaling, etc. This type of network is typically isolated and firewalled from the rest of the organization. Both Ruckus APs and ZoneDirectors can be configured to use a specific VLAN for management traffic. By default, they use the untagged network.

    Although both typically use the same management VLAN, a ZoneDirector and an AP can be configured to use different management VLANs as well. For this to work, the two management networks must be reachable from each other. Alternatively, just one device can be configured to tag management traffic. The other device must either be on a network that can reach the management subnet or connected to a port that is a member of that management VLAN by default (untagged).

    Note on VLAN 1

    Ruckus equipment will always assume traffic should be untagged if VLAN 1 is specified.

    VLAN 1 traffic is never tagged.

    Who Should Use Management VLANs

    Use of the untagged VLAN is recommended for most deployments. This is due to its simplicity and ease of recovery in case of misconfigured switch ports, APs or ZoneDirectors. If a management VLAN is required, please review the instructions below carefully.

    Example

    The following is an example of a Wi-Fi design in which APs and ZoneDirectors send management traffic on VLAN 33:

    Name      Network     Usage
    VLAN 1    10.1.1.0    Employee
    VLAN 33   10.1.33.0   Management
    VLAN 100  10.1.100.0  BYOD

    The Ethernet switch is marked to show the default (untagged) VLAN for each port. Each port is also configured as a tagged/trunk port for other VLANs.

    Figure 9 - Management VLAN Traffic

    Wired Configuration

    The ZoneDirector's port on the Ethernet switch in this example must be configured such that VLAN 33 is available and tagged. For examples of how to configure this on popular wired switches, please see the various appendixes at the end of this document.

    ZoneDirector Configuration

    Here are the steps to configure a management VLAN on the ZoneDirector.

    1. Log onto the ZoneDirector Web UI
    2. Go to Configure->System
    3. Go to the Device IP Settings area
    4. Set ACCESS VLAN to 33

    5. Click Apply to save the changes

    This configuration will cause the ZoneDirector to immediately begin tagging all management traffic to VLAN 33.

    NOTE: You will likely be disconnected from the ZoneDirector after applying this change. This is because the ZoneDirector's switch port does not have VLAN tagging enabled for VLAN 33. To regain access to the ZoneDirector, reconfigure its switch port.

    AP Configuration

    The management VLAN for an AP is configured on a global basis. Only one management VLAN can be configured for all APs. This VLAN can be different from the ZoneDirector's, but all APs must use the same management VLAN.

    Here are the steps to configure a management VLAN on the Ruckus AP.

    1. Log onto the ZoneDirector Web UI
    2. Go to Configure->Access Points
    3. Go to the Access Point Policies area
    4. Next to Management LAN, click the radio button and enter the VLAN number (33)
    5. Click Apply to save the changes

    This configuration will cause all APs to immediately begin tagging all management traffic to VLAN 33.

    NOTE: You will likely see the APs disconnect from the ZoneDirector after applying this change. This is because the AP's switch port does not have VLAN tagging enabled for VLAN 33. To allow the APs to gain access to the ZoneDirector, reconfigure each AP switch port.

    Recommendations

    Assigning management VLANs is a disruptive process and will typically cause some outage time. How much time depends on how smoothly the transition occurs. The following are some hints and tips to make this easier:

    Swit

    APs Can Dis

    Configuring Quality of Servi

    The access category for each packet is specified using either 802.1p tagging (when available and supported by the access point) or by the use of Diffserv Code Points (DSCP).

    DSCP tags are carried in the IP header of each packet and most often used on wired networks due to simplicity and Layer 2 capability. In other words, the DSCP tags survive crossing through every piece of network equipment that is not aware of DSCP tags, whereas 802.1p requires 802.1p-aware links (802.1Q) throughout the network, all carried over 802.1Q VLAN links.

    The 802.1p value is a field in the VLAN header that indicates the priority of the tagged packet. 802.1p classification is similar to ToS classification. However, while ToS values apply to any IP packet, 802.1p values only apply to traffic on a specified VLAN. 802.1p values range from 0 to 7 (0 is lowest and 7 is highest).

    NOTE: If 802.1p classification and ToS classification are both enabled, 802.1p classification takes precedence. Therefore, if you want to use ToS classification, 802.1p classification should be disabled.

    There are eight DSCP tags, which map to the four access categories. The application that generates the traffic is responsible for filling in the DSCP tag. The standard mapping is as follows:

    Table 1 - DSCP and ToS to AC Mapping

    Traffic Type  Priority  ToS Value   DSCP Value  AC/802.11e
    Voice         7         0xE0 (224)  0x38 (56)   AC_VO
    Voice         6         0xC0 (192)  0x30 (48)   AC_VO
    Video         5         0xA0 (160)  0x28 (40)   AC_VI
    Video         4         0x80 (128)  0x20 (32)   AC_VI
    Best Effort   3         0x60 (96)   0x18 (24)   AC_BE
    Background    2         0x40 (64)   0x10 (16)   AC_BK
    Background    1         0x20 (32)   0x08 (8)    AC_BK
    Best Effort   0         0x00 (0)    0x00 (0)    AC_BE

    Although ToS and DSCP support up to 8 distinct categories, WMM only mandates four queues for traffic: voice, video, best effort and background.
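The precedence rule in the NOTE and the mapping in Table 1, as an added example (not Ruckus code). It reads the 802.1p value and the ToS byte from a constructed frame and picks the queue; mapping ToS values outside Table 1 by their top three bits, and falling back to ToS when a frame carries no 802.1Q tag, are assumptions of this example.

```python
import struct

# Table 1 on the page: priority 0-7 (802.1p value or IP precedence) -> WMM queue
PRIORITY_TO_AC = {7: "AC_VO", 6: "AC_VO", 5: "AC_VI", 4: "AC_VI",
                  3: "AC_BE", 2: "AC_BK", 1: "AC_BK", 0: "AC_BE"}


def sample_frame(tos: int, vlan_id=None, pcp: int = 0) -> bytes:
    """Constructed Ethernet frame with a minimal IPv4 header (checksum left 0)."""
    macs = bytes.fromhex("02aabbccdd02") + bytes.fromhex("02aabbccdd01")
    tag = b"" if vlan_id is None else struct.pack("!HH", 0x8100, pcp << 13 | vlan_id)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, 17, 0,
                       bytes([10, 1, 222, 10]), bytes([10, 1, 222, 1]))
    return macs + tag + struct.pack("!H", 0x0800) + ipv4


def classify(frame: bytes, dot1p_enabled: bool = True, tos_enabled: bool = True) -> dict:
    """Pick the WMM access category for a frame, 802.1p first when both are on."""
    offset = 12
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    pcp = None
    if ethertype == 0x8100:                       # 802.1Q tag present
        tci, ethertype = struct.unpack_from("!HH", frame, offset + 2)
        pcp, offset = tci >> 13, offset + 4
    # The ToS byte is the second byte of the IPv4 header that follows the EtherType.
    tos = frame[offset + 3] if ethertype == 0x0800 else None

    if dot1p_enabled and pcp is not None:
        source, priority = "802.1p", pcp
    elif tos_enabled and tos is not None:
        source, priority = "ToS", tos >> 5        # IP precedence = top 3 bits
    else:
        source, priority = "none", 0
    return {"source": source, "priority": priority,
            "ac": PRIORITY_TO_AC[priority],
            "dscp": None if tos is None else tos >> 2}


if __name__ == "__main__":
    voice_untagged = sample_frame(0xE0)
    voice_tagged_pcp0 = sample_frame(0xE0, vlan_id=222, pcp=0)
    print(classify(voice_untagged))
    print(classify(voice_tagged_pcp0))                       # 802.1p wins
    print(classify(voice_tagged_pcp0, dot1p_enabled=False))  # ToS used again
```

A voice packet marked 0xE0 that arrives with an 802.1Q tag whose priority field is 0 is queued as best effort while 802.1p classification is enabled, which is the case the NOTE warns about. ToS 0xB8 (DSCP 46) has precedence 5 and so maps to AC_VI here, whereas the AP output further down this page lists 0xB8 under Voice explicitly.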

    Other Classifi

    IGMP General Query V2/V3: Disabled/Disabled
    MLD General Query V1/V2: Disabled/Disabled
    TOS Classification: Voice=0xE0,0xC0,0xB8, Video=0xA0,0x80, Data=0x0, Background=0x0
    TOS marking: VoIP=0x0, Video=0xA0, Data=0x0, Background=0x0
    Dot1p Classification: Voice=none, Video=none, Data=none, Background=none
    Dot1p marking: VoIP=0, Video=0, Data=0, Background=0
    Tunnel TOS Marking: Data=0xA0 (static TOS), Ctrl=0xA0
    Heuristic Classifier:          VoIP    Video      Data  Background
    Octet Count During Classify:   600     50000      0     0
    Octet Count Between Classify:  10000   500000     0     0
    Min/Max Avg Packet Length:     70/400  1000/1518  0/0   0/0
    Min/Max Avg Inter Packet Gap:  15/275  0/65       0/0   0/0

    Modifying Traffi

    IGMP Snooping

    To disable/enable IGMP snooping for a WLAN:

    ruckus(config)#wlan test-ssid
    ruckus(config-wlan)# qos igmp-snooping
    ruckus(config-wlan)# no qos igmp-snooping

    MLD Snooping

    To disable/enable MLD snooping for a WLAN:

    ruckus(config)#wlan test-ssid
    ruckus(config-wlan)# no qos mld-snooping
    ruckus(config-wlan)# qos mld-snooping

    Directed Threshold

    To configure the maximum number of clients before unicast conversion stops for a WLAN:

    ruckus(config)#wlan test-ssid
    ruckus(config-wlan)# qos directed-threshold 10

    AP Dire

    MLD Snooping is Enabled on interface wlan0

    Directed Threshold

    To configure the max

    rkscli: set directedthreshold wlan0 0
    OK
    rkscli: set directedthreshold wlan0 5

    Configuring per-SSID Priority

    When an AP has traffic of the same priority from multiple WLANs, it uses a round-robin method to determine which WLAN's traffic is sent. This ensures all SSIDs get some airtime. If one of the WLANs has higher priority traffic, this is always sent first. However, in the case of multiple WLANs with traffic of the same (high) priority, the AP will again treat these WLANs in a round-robin fashion.

    There are times when one WLAN's traffic should be prioritized over another. For example, two SSIDs exist: one is for voice devices and one is for guests. If high priority (voice) traffic is sent from both SSIDs, most organizations would prefer the internal voice SSID have preference over a guest network's voice traffic. In this case, the internal SSID can be given a high priority and the guest network set to low.

    Note that there are only two settings an SSID may have: high or low. In the case of multiple SSIDs with high priority, it will again be round robin for higher priority traffic.

    Note: This feature is available on the ZoneDirector only.

    ZoneDire

    5. Click Apply to save the changes

    To configure SSID priority on a ZoneDirector (CLI):

    ruckus(config)#wlan voice
    ruckus(config-wlan)# priority high

    Troubleshooting

    Integrating Wi-Fi into a wired network can be as simple as deploying on an untagged, L2 network or more complex with multiple tagged VLANs, redundancy, QoS and management VLANs. This section offers some common issues and resolutions.

    AP Cannot Connect to ZoneDirector

    Dis

    Resolution

    To correct the problem, upgrade the ZoneDirector software. This can be verified in the ZoneDirector event log: Monitor->Access Points. If the AP is an unsupported model this will also generate an event log message.

    Firewalls

    Another basic issue is a firewall blocking required ports. This is especially true if the basic ports required for control and management are blocked. These ports are listed in section Firewalls.

    Resolution

    To solve these problems, make sure the necessary ports are unblocked between the AP and the ZoneDirector.

    Captive Portal Fails to Redirect to Login Page

    There are many issues that can affect captive portal redirections. These typically include:

    - Firewall has blocked HTTP/S access to the ZoneDirector from the SSID's subnet. This may be due to ACLs on the AP/WLAN or a 3rd party firewall
    - Client does not have DNS configured correctly

    Resolution

    To check firewall issues, make sure the ACLs (if configured) for the WLAN allow access to the ZoneDirector's login page.

    Since redirection occurs after the client does a DNS lookup/URL request, make sure the client has a DNS server configured. This can be checked via the client configuration or by attempting to access a URL with an IP address instead of a DNS name.

    Appendix B: Common Cis

    encapsulation be explicitly set to dot1q. Failure to set this will prevent the switch from correctly interpreting tagged frames from the AP.

    The native VLAN for this port is VLAN 101. Any untagged traffic for this port will be assigned to VLAN 101.

    interface vlan 100
     description Red VLAN
     ip address 10.1.100.1 255.255.255.0
    !
    interface vlan 101
     description Native VLAN
     ip address 10.1.101.1 255.255.255.0
    !
    interface GigabitEthernet1/1
     description Red VLAN Trunk
     switchport trunk encapsulation dot1q
     switchport mode trunk
     switchport trunk native vlan 101
     switchport trunk allowed vlan 100
    !

    Multiple VLANs may be configured for a single trunk port; however, only one native VLAN is allowed.
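One way to check an AP-facing trunk port against the SSID VLANs before deployment, as an added example (not Cisco or Ruckus tooling). It parses the trunk stanza shown above plus one constructed port; the function names and the "allowed but unused" finding are additions of this example, and only the simple comma/range form of the allowed-VLAN list is handled.

```python
import re

# The trunk stanza from this appendix, plus a second constructed port for contrast.
CONFIG = """\
interface GigabitEthernet1/1
 description Red VLAN Trunk
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 101
 switchport trunk allowed vlan 100
!
interface GigabitEthernet1/2
 description constructed example: AP port left at defaults
 switchport mode trunk
!
"""


def parse_interfaces(config: str) -> dict:
    """Map interface name -> list of its sub-commands."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.lower().startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], [])
        elif line == "!":
            current = None
        elif line and current is not None:
            current.append(line)
    return interfaces


def expand_vlans(spec: str) -> set:
    """'100,200-202' -> {100, 200, 201, 202}"""
    vlans = set()
    for part in spec.split(","):
        low, _, high = part.partition("-")
        vlans.update(range(int(low), int(high or low) + 1))
    return vlans


def audit_ap_port(config: str, interface: str, ssid_vlans: set) -> list:
    """Findings for one AP-facing trunk port; an empty list means it matches."""
    commands = parse_interfaces(config).get(interface)
    if commands is None:
        return [f"{interface}: not present in the configuration"]
    findings, allowed, native = [], None, 1
    for command in commands:
        match = re.fullmatch(r"switchport trunk allowed vlan (add )?([\d,-]+)", command)
        if match:
            vlans = expand_vlans(match.group(2))
            allowed = (allowed or set()) | vlans if match.group(1) else vlans
        match = re.fullmatch(r"switchport trunk native vlan (\d+)", command)
        if match:
            native = int(match.group(1))
    if "switchport mode trunk" not in commands:
        findings.append("not a trunk port: tagged frames from the AP are dropped")
    if "switchport trunk encapsulation dot1q" not in commands:
        findings.append("encapsulation not set to dot1q")   # the page wants it explicit
    tagged_needed = set(ssid_vlans) - {1}      # Ruckus sends VLAN 1 untagged
    if allowed is None:
        findings.append("no allowed-VLAN list: the trunk carries every VLAN")
    else:
        for vlan in sorted(tagged_needed - allowed):
            findings.append(f"VLAN {vlan} is tagged by an SSID but not allowed on the trunk")
        for vlan in sorted(allowed - tagged_needed - {native}):
            findings.append(f"VLAN {vlan} is allowed but no SSID uses it")
    if 1 in ssid_vlans and native != 1:
        findings.append(f"untagged (VLAN 1) SSID traffic lands on native VLAN {native}")
    return findings


if __name__ == "__main__":
    for port, vlans in (("GigabitEthernet1/1", {1, 100, 200}), ("GigabitEthernet1/2", {100})):
        for finding in audit_ap_port(CONFIG, port, vlans) or ["ok"]:
            print(f"{port}: {finding}")
```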

    Troubleshooting

    When troubleshooting with a Cisco switch, it may be useful to configure the switch to update the port status more quickly than the default of 30 seconds when the spanning tree protocol (STP) is enabled. The amount of time spanning tree takes to transition ports to a forwarding state can cause problems. This is especially true of an individual device such as an AP. It might consider itself in an up state, but the switch port has not switched back to forwarding yet, which prevents it from getting a connection.

    The Cisco portfast command will speed convergence to help with this problem. NOTE: This command should only be used on ports connected to a single device that is not a switch or other Layer 2 device capable of causing spanning tree loops.

    Trunk Port

    interface GigabitEthernet1/1
     spanning-tree portfast trunk
    !

    Appendix C: Common HP Commands

    Configuring a Port

    These are the Command Line Interface (CLI) commands to configure a port on an HP ProCurve switch or router. In HP terms, a trunk port is an aggregate of multiple ports, e.g. C1-C4, rather than the Cisco definition of a trunk as a port that understands 802.1Q tags. Therefore, configuring a port to support VLAN tagging simply entails adding those ports as tagged to the VLAN configuration:

    The first command creates VLAN 100 with ports B10-B12 defined as untagged members of that VLAN. All untagged traffic will go on this VLAN. Any tagged traffic will be ignored.

    vlan 100
     name "Red VLAN"
     ip address 10.1.100.1 255.255.255.0
     untagged B10-B12
     exit

    To support tagged VLANs, add an additional line specifying the ports.

    vlan 100
     name "Red VLAN"
     ip address 10.1.100.1 255.255.255.0
     untagged B3-B9
     tagged C10-C12
     exit
    vlan 200
     name "Blue VLAN"
     ip address 10.1.200.1 255.255.255.0
     untagged C10-C12
     tagged B3-B9
     exit

    The above configuration defines ports B3-B9 as untagged for VLAN 100 and tagged for VLAN 200. Therefore the ports will place untagged packets on the red VLAN 100. If they receive tagged traffic, only VLAN 200 will be honored and only for ports B3-B9.

    Appendix D: Common Extreme Commands

    Configuring a Port

    These are the Command Line Interface (CLI) commands to configure a port on an ExtremeOS switch or router. In Extreme terms, a trunk port is configured by specifying which port is tagged or untagged as part of the VLAN command.

    The commands below create a VLAN called RedVLAN. This VLAN is assigned an ID of 100. Ports 7-24 are untagged members of this VLAN.

    create vlan RedVLAN
    configure vlan RedVLAN tag 100
    configure vlan RedVLAN add port 7-24 untagged

    To support tagged VLANs, add an additional line specifying the tagged ports.

    create vlan RedVLAN
    configure vlan RedVLAN tag 100
    configure vlan RedVLAN add port 7-24 untagged
    configure vlan RedVLAN add port 5-6 tagged

    The above configuration defines ports 7-24 as untagged and ports 5-6 as tagged for VLAN 100. Therefore ports 7-24 will place all untagged traffic into VLAN 100 and ports 5-6 will only do so if the packet is specifically tagged for VLAN 100.

    Appendix E: Configuring Enterasys Swit