
An Extreme Networks corporate wireless network consists of the following components:
• Identifi Wireless Appliance - a wireless network controller.
• Wireless AP - wireless access points.
• Netsight - a management system for wired and wireless network components.
Identifi Wireless Appliance
Identifi Series controllers are an Extreme Networks solution for managing a scalable, high-performance WLAN; the solution is easy to use and provides the required level of network security.
Wireless network controllers support various network functions, including centralized management and configuration of wireless access points, user authentication, and advanced radio frequency management.
Wireless controllers provide an intuitive interface that allows you to manage your wireless network from any laptop or computer on the network. A CLI is also available for managing the wireless network.
The word "controller" refers to both types of controllers: software (virtual) and hardware.
Wireless Access Controllers
| Performance | C25 | C35 | C5210 |
|---|---|---|---|
| Number of access point licenses available on the controller by default | 16 | 50 | 100 |
| Total access points supported per device | 100 | 250 | 2000 |
| Total access points supported per device in standalone mode | 50 | 125 | 1000 |
| Additional access points supported per device in high-availability mode | 50 | 125 | 1000 |
| Simultaneously supported users per device | 1024 | 4,000 | 32,000 |
| Simultaneously supported users per device in standalone mode | 512 | 2000 | 16,000 |
| Simultaneously supported users per device in high-availability mode | 512 | 2000 | 16,000 |

Wireless Access Controllers
| Performance | V2110 (VMware) Small | V2110 (VMware) Medium | V2110 (VMware) Large | V2110 (Hyper-V) |
|---|---|---|---|---|
| Total access points supported per device | 64 | 500 | 1050 | 500 |
| Total access points supported per device in standalone mode | 32 | 250 | 525 | 250 |
| Additional access points supported per device in high-availability mode | 32 | 250 | 525 | 250 |
| Simultaneously supported users per device | 512 | 4096 | 8192 | 4096 |
| Simultaneously supported users per device in standalone mode | 256 | 2048 | 4096 | 2048 |
| Simultaneously supported users per device in high-availability mode | 256 | 2048 | 4096 | 2048 |
| Server technical requirements | | | | |
| CPU count | 2 | 4 | 8 | 4 |
| RAM (GB) | 1 | 2 | 4 | 2 |
| Free hard disk space (GB) | 25 | 25 | 25 | 25 |
Number of access point licenses available on the controller by default: 8 & 2 Radar license.
Number of physical interfaces required: two ports for data transfer, one port for dedicated management of the controller.
A more detailed description of the parameters of the Extreme Networks wireless controllers can be found on the manufacturer's website:
learn.extremenetworks.com/rs/extreme/images/Wireless-Controllers-DS.pdf
Virtualized User Segmentation
Figure: The concept of hierarchical dependence when setting up VNS elements
The wireless network controller allows you to create and manage Virtual Network Services (VNS), through which you can provide distinct service levels (such as access authorization, encryption and device authorization) to groups of mobile users, devices or applications based on underlying policies (roles).
Roles (also known as policies) define the topology (network segment) of the access point, filtering (access restriction) and Class of Service. A VNS consists of a WLAN Service associated with one or two roles that are applied to stations by default. Until the association with a role is completed, the WLAN Service remains inactive.
When a user associates with a specific SSID (WLAN Service), the user is assigned the role that the VNS treats as the default role. The user is placed in a dedicated segment where network access is restricted by the role's filters and speed is limited by the parameters specified in the role.
However, a response from the authentication server (for example, RADIUS) or a request from an external API can reassign the user to another policy. A role can move a user to a completely different segment (VLAN), access state (filters) and speed limit.
The role assigned to a specific user session remains active for as long as the user stays and moves within the mobility domain.
A wireless controller (Identifi Wireless Appliance) can support the following number of VNSs, topologies, roles, and rate control profiles:
Maximum supported amount:
| Controller | Active VNS | VNS | Topologies | Roles | Rate Control Profiles |
|---|---|---|---|---|---|
| C5210 | 128 | 256 | 256 | 1024 | 128 |
| C25 | 16 | 32 | 32 | 128 | 32 |
| C35 | 48 | 16 | 32 | 128 | 32 |
| V2110 | 64 | 128 | 128 | 512 | 128 |
Authentication and Encryption
A wireless network controller (Identifi Wireless Appliance) and access points work together to support extensive authentication, encryption, and intrusion detection.
The 802.1x mechanisms in combination with WPA-2 Enterprise and WPA-2 PSK (Pre-Shared Key Authentication) allow only authorized users to access the network. Other features include the Captive Portal, which redirects users to web authentication.
Radar WIDS-WIPS
Identifi Radar is an advanced suite of Wireless-Intrusion-Detection-Service and Wireless-Intrusion-Prevention-Service (WIDS-WIPS) functions integrated with the wireless controller, access points and related software. Radar provides a basic solution for detecting unauthorized devices in a wireless coverage area. Radar performs basic radio frequency (RF) analysis of the network to identify unmanaged access points and personal ad-hoc networks. Radar features include: support for dynamic channel and radio frequency selection, location mapping (Netsight 4.4 and higher required), adaptation to and classification of interference, and wireless intrusion detection and protection.
When Radar features are enabled:
• AP39xx, AP38xx, and AP37xx series access points perform WIDS-WIPS scanning while forwarding traffic. Access points monitor and protect the frequency channel on which they operate.
• Access points can also be configured in Guardian mode; in this mode, the access point can check for violations (as well as prevent them) on all active data transmission channels. Access points in Guardian mode cannot forward traffic, but they can be switched to Traffic Forwarding mode if necessary. Access points can be configured to actively counter certain types of threats that they detect. The following types of countermeasures are available: sending deauthentication frames to offending devices and access points, automatically blacklisting (blocking) devices that carry out attacks, and limiting the transmission rate of wireless frames identified as part of Denial of Service (DoS) attacks.
The WIPS / WIDS feature requires licensing.
More information on setting up Radar WIDS-WIPS can be found in the Wireless User Guide.
Automatic assignment of IP addresses to client devices
A wireless network controller (Identifi Wireless Appliance) has a built-in DHCP server that can be used to assign IP addresses to network clients in a given topology. The controller can also work with an external DHCP server, relaying DHCP requests from workstations to servers.
Web authentication
The wireless controller (Identifi Wireless Appliance) has a built-in Captive Portal, which allows you to perform web authentication. It also supports working with an external captive portal.
Identifi Wireless Access Point
Extreme Networks access points are enterprise-class access points that provide advanced radio frequency (RF) capabilities, security, reliability, and scalability.
Access points physically connect to the LAN infrastructure and establish an IP connection to the wireless controller. You can configure and manage global or individual access point functions using a wireless controller. All communication between access points and the controller is carried out using UDP-based protocols.
Indoor access points:
| Access point | Performance |
|---|---|
| AP3935 | 802.11ac Wave 2, up to 2.5 Gbps, dual-radio, 4x4:4 |
| AP3825 | 802.11ac AP, up to 1.75 Gbps capacity, dual-radio, 3x3:3 |
| AP3805 | 802.11ac AP, up to 1.17 Gbps capacity, dual-radio, 2x2:2 |
| AP3801 | Single radio 802.11n or 802.11ac, up to 867 Mbps |
| AP3705 | Up to 600 Mbps capacity, dual-radio, 2x2:2 |
| AP3715 | Up to 900 Mbps capacity, dual-radio, 3x3:3, redundant power options |
Outdoor access points:
| Access point | Performance |
|---|---|
| AP3965 | 802.11ac Wave 2, up to 2.5 Gbps capacity, 4x4:4, IP67 / NEMA 6, with integrated or external antennas |
| AP3865 | 802.11ac AP, up to 1.75 Gbps capacity, dual-radio, 3x3:3, IP67 / NEMA 6, supports multiple antenna options |
A more detailed description of the parameters of Extreme Networks wireless access points can be found on the manufacturer's website: www.extremenetworks.com
MESH and WDS
Mesh networks or a Wireless Distribution System (WDS) allow you to expand the coverage area of a wireless network by connecting several wireless access points into a single network without a wired connection between them. A mesh network is a self-healing, dynamic network.
Figure: Mesh Network and Wireless Distribution System (WDS)
Mesh and WDS are ideal for locations where wired Ethernet networks are expensive or difficult to install.
Discovery Mechanisms in Extreme Networks Wireless Solutions
The Extreme Networks solution provides automatic discovery of the controller by access points, using one of the following modes:
• SLP (Service Location Protocol) - Multicast and Unicast
The Service Location Protocol allows computers and other devices to discover an offered service (for example, auto-discovery of Wi-Fi networks) without prior configuration. SLP is one of the modes by which access points discover wireless controllers on a network.
• DNS (Domain Name Server)
A DNS server translates domain names into IP addresses. Extreme Networks access points can use it as an alternative controller auto-discovery mechanism. The wireless controller can be registered in DNS as “controller”. Once the controller's DNS name is set up, the access points can obtain its IP address via a DNS query.
An A (host) record that binds the physical IP address of the controller topology to the domain name “controller” must be entered into DNS. The DHCP server serving the access points must distribute the domain name suffix (Option 15, DNS Domain Name). For verification, you can use the command: ping controller (i.e., only the prefix). If the DNS and DHCP configuration is correct, the controller should respond.
• DHCP server (Dynamic Host Configuration Protocol) (RFC2131)
A DHCP server dynamically assigns an IP address, gateway, subnet mask, and so on. It is also used by access points to locate the controller during initial registration. Options 43, 60 and 78 are used. Options 60 and 43 specify the vendor class identifier (VCI) and vendor-specific information, respectively. Option 78 gives the location of one or more SLP Directory Agents. For SLP, DHCP option 78 must be enabled. The access point uses option 60 to query the DHCP server for the controller address. The DHCP server responds to the access point with option 43, which lists the available controllers.
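To check which of the discovery paths described above a DHCP reply actually enables, the following added example (not from the original page or from Extreme Networks) parses a raw DHCP options field and reports the DNS name an access point would look up, the SLP Directory Agents from option 78, and whether option 43 is present. Function names and the sample bytes are constructed for illustration; the content of option 43 is vendor-defined and is left opaque.

```python
import ipaddress

# Added example; function names and sample values are illustrative.
# DHCP option codes named in the text above (RFC 2132 / RFC 2610).
DOMAIN_NAME, VENDOR_SPECIFIC, SLP_DIRECTORY_AGENT = 15, 43, 78
PAD, END = 0, 255


def parse_options(raw: bytes) -> dict[int, bytes]:
    """Split a DHCP options field (code, length, value) into a dict."""
    opts, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if code == END:
            break
        if code == PAD:
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError(f"option {code}: missing length byte")
        length = raw[i + 1]
        value = raw[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code}: truncated value")
        opts[code] = opts.get(code, b"") + value  # RFC 3396: concatenate repeats
        i += 2 + length
    return opts


def discovery_report(raw: bytes) -> dict:
    """Report which controller-discovery paths a DHCP reply enables."""
    opts = parse_options(raw)
    report = {"dns_name": None, "slp_agents": [], "option43": opts.get(VENDOR_SPECIFIC)}
    if DOMAIN_NAME in opts:
        suffix = opts[DOMAIN_NAME].rstrip(b"\x00").decode("ascii")
        report["dns_name"] = f"controller.{suffix}"  # name the AP resolves
    if SLP_DIRECTORY_AGENT in opts:
        body = opts[SLP_DIRECTORY_AGENT][1:]  # first byte is the "mandatory" flag
        if len(body) % 4:
            raise ValueError("option 78: address list is not a multiple of 4")
        report["slp_agents"] = [
            str(ipaddress.IPv4Address(body[j : j + 4])) for j in range(0, len(body), 4)
        ]
    return report


# Constructed sample: option 15 ("corp.example"), option 78 (one agent), END.
SAMPLE = bytes([15, 12]) + b"corp.example" + bytes([78, 5, 0, 192, 0, 2, 10, 255])
```

A reply that yields no `dns_name`, no `slp_agents` and no `option43` leaves the access point with none of the DHCP-assisted discovery paths listed above.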