© 2013 Aerohive Networks CONFIDENTIAL
AEROHIVE CERTIFIED NETWORKING PROFESSIONAL (ACNP)
Introductions
• What is your name?
• What is your organization's name?
• How long have you worked in networking?
• What was your first computer?
Facilities Discussion
• Course Material Distribution
• Course Times
• Restrooms
• Break room
• Smoking Area
• Break Schedule
  › Morning Break
  › Lunch Break
  › Afternoon Break
Aerohive Switching & Routing
Configuration (ACNP) – Course Overview
Each student connects to HiveManager, a remote PC, and an Aerohive AP over the Internet from a wireless-enabled laptop in the classroom, and then performs hands-on labs that cover the following topics:
• Overview of Switching and Routing Platforms
• Unified Network Policy Management
• Spanning Tree
• Device Templates
• Port Types (802.1Q Ports, Phone and Data Ports, Secure Access Ports, Guest
Access Ports and WAN ports)
• Aggregate Channels
• PoE
• VLAN to Network mapping
• Router templates
• Parent networks and branch subnets
• Layer 3 VPN with VPN Gateway Virtual Appliance
• Policy Based Routing
• Router Firewall
• Cookie Cutter Branch Networking
2-day hands-on class
Copyright ©2011
Aerohive Training Remote Lab
• Aerohive access points use external antenna connections and RF cables to connect to USB Wi-Fi client cards (black cables)
• Access points are connected from eth0 to Aerohive managed switches with 802.1Q VLAN trunk support, which provide PoE to the APs (yellow cables)
• Firewall with routing support, NAT, and multiple virtual router instances
• Access points are connected from their console port to a console server (white cables)
• The console server permits SSH access into the serial console of the Aerohive access points
• Server running VMware ESXi, hosting Active Directory, RADIUS, NPS and the virtual clients used for testing configurations in the labs
Aerohive CBT Learning
http://www.aerohive.com/cbt
The 20 Minute Getting Started Video Explains the Details
Please view the Aerohive Getting Started Videos:
http://www.aerohive.com/330000/docs/help/english/cbt/Start.htm
Aerohive Technical Documentation
All the latest technical documentation is available for download at:
http://www.aerohive.com/techdocs
Aerohive Instructor Led Training
• Aerohive Education Services offers a complete curriculum that provides the courses you need as a customer or partner to properly design, deploy, administer, and troubleshoot all Aerohive WLAN solutions.
• Aerohive Certified WLAN Administrator (ACWA) – first-level course
• Aerohive Certified WLAN Professional (ACWP) – second-level course
• Aerohive Certified Network Professional (ACNP) – switching/routing course
• www.aerohive.com/training – Aerohive class schedule
Over 20 books about networking have been written by Aerohive employees
• CWNA Certified Wireless Network Administrator Official Study Guide by David D. Coleman and David A. Westcott
• CWSP Certified Wireless Security Professional Official Study Guide by David D. Coleman, David A. Westcott, Bryan E. Harkins and Shawn M. Jackman
• CWAP Certified Wireless Analysis Professional Official Study Guide by David D. Coleman, David A. Westcott, Ben Miller and Peter MacKenzie
• 802.11 Wireless Networks: The Definitive Guide, Second Edition by Matthew Gast
• 802.11n: A Survival Guide by Matthew Gast
• 802.11ac: A Survival Guide by Matthew Gast
Aerohive Exams and Certifications
• Aerohive Certified Wireless Administrator (ACWA) is a first-level certification that validates your knowledge and understanding of Aerohive Networks' WLAN Cooperative Control Architecture. (Based upon instructor-led course)
• Aerohive Certified Wireless Professional (ACWP) is the second-level certification that validates your knowledge and understanding of Aerohive advanced configuration and troubleshooting. (Based upon instructor-led course)
• Aerohive Certified Network Professional (ACNP) is another second-level certification that validates your knowledge of Aerohive switching and branch routing. (Based upon instructor-led course)
Aerohive Forums
• Aerohive’s online community – HiveNation
Have a question, an idea or praise you want to share? Join the HiveNation Community - a
place where customers, evaluators, thought leaders and students like yourselves can
learn about Aerohive and our products while engaging with like-minded individuals.
• Please, take a moment and register during class if you are not already a
member of HiveNation.
Go to http://community.aerohive.com/aerohive and sign up!
Aerohive Social Media
The HiveMind Blog:
http://blogs.aerohive.com
Follow us on Twitter: @Aerohive
Instructor: David Coleman: @mistermultipath
Instructor: Bryan Harkins: @80211University
Instructor: Gregor Vucajnk: @GregorVucajnk
Instructor: Metka Dragos: @MetkaDragos
Please feel free to tweet about #Aerohive training during class.
Aerohive Technical Support – General
I want to talk to somebody live.
Call us at 408-510-6100 / Option 2. We also provide service toll-free from within the US & Canada by dialing (866) 365-9918. Aerohive has Support Engineers in the US, China, and the UK, providing coverage 24 hours a day.
How do I buy Technical Support?
Support contracts are sold on a yearly basis, with discounts for multi-year purchases. Customers can opt to purchase support in either an 8x5 format or a 24-hour format.
I have different expiration dates on several entitlement keys. May I combine all my support so it all expires on the same date?
Your Aerohive sales rep can help you set up co-terming, which allows you to select matching expiration dates for all your support.
Aerohive Technical Support – The Americas
How do I reach Technical Support?
Aerohive Technical Support is available 24 hours a day, via the Aerohive Support Portal or by calling. In the Support Portal, an authorized customer can open a support case. Communication is managed via the portal with new messages and replies. Once the issue is resolved, the case is closed, and it can be retrieved at any time in the future.
I want to talk to somebody live.
For those who wish to speak with an engineer, call us at 408-510-6100 / Option 2. We also provide service toll-free from within the US & Canada by dialing (866) 365-9918.
I need an RMA in the Americas.
An RMA is generated via the Support Portal, or by calling our Technical Support group. After troubleshooting, should the unit require repair, we will overnight* a replacement to the US and Canada. Other countries are handled as international. If the unit is DOA, it is replaced with a brand new item; if not, it is replaced with a like-new refurbished item.
*Restrictions may apply: time of day, location, etc.
Aerohive Technical Support – International
How do I get Technical Support outside the Americas?
Aerohive international partners provide dedicated technical support to their customers. The partner has received specialized training on Aerohive Networks' product line, and has access to 24-hour internal Aerohive Technical Support via the Support Portal, or by calling 408-510-6100 / Option 2.
I need an RMA internationally.
International customers' defective units are quickly replaced by our partners, and Aerohive replaces the partner's stock once the defective unit arrives at our location. Partners are responsible for all shipping charges, duties, taxes, etc.
Copyright Notice
Copyright © 2013 Aerohive Networks, Inc. All rights reserved.
Aerohive Networks, the Aerohive Networks logo, HiveOS,
Aerohive AP, HiveManager, and GuestManager are
trademarks of Aerohive Networks, Inc. All other trademarks
and registered trademarks are the property of their
respective companies.
QUESTIONS?
SWITCHING & ROUTING PRODUCT LINE
Overview of hardware and software platforms
Aerohive Switching Platforms
Model: SR2024P | SR2124P | SR2148P
Ports: 24 Gigabit Ethernet | 24 Gigabit Ethernet | 48 Gigabit Ethernet
Uplinks: – | 4 x 1G SFP | 4 x 10G SFP/SFP+
PoE: 24 PoE+ (195 W) | 24 PoE+ (408 W) | 48 PoE+ (779 W)
Switching capacity: 56 Gbps | 128 Gbps | 176 Gbps
Function: switching only | routing with 3G/4G USB support and line-rate switching | routing with 3G/4G USB support and line-rate switching
Power: single power supply | redundant power supply capable | redundant power supply capable
Class Switches Deployed in Data Center
• SR2024
  › Line-rate Layer 2 switch
  › 8 ports of PoE
  › Multi-authentication access ports
    » 802.1X with fallback to MAC auth or open
  › Client visibility
    » View client information by port
  › RADIUS server
  › Internet router
  › DHCP server
  › USB 3G/4G backup
  › Policy-based routing with identity
Diagram: Internet – SR2024 (PoE) – APs. Provides access for:
• Employees
• Guests
• Contractors
• Phones
• APs
• Servers
Note: The switch model (2024) used in the lab has been superseded by improved models.
HiveManager Form Factors
Express Mode
• Optimized for ease of use
• Uniform company-wide policy
• One user profile per SSID
Enterprise Mode
• Enterprise sophistication
• Multiple network policies
• Multiple user profiles per SSID
HiveManager Appliance 2U
• Redundant power & fans
• HA redundancy
• 5000 APs
HiveManager Virtual Appliance
• VMware ESX & Player
• HA redundancy
• 1500 APs with minimum configuration
HiveManager Appliance
• Redundant power & fans
• HA redundancy
• 8000 APs
HiveManager Virtual Appliance
• VMware ESX & Player
• HA redundancy
• 5000 APs with minimum configuration
HiveManager Online
• Cloud-based SaaS management
Management features: Topology, Reporting, Heat Maps, SLA Compliance, RF Planner, SW/Config/Policy, Guest Mgmt
HiveManager Appliance
HiveManager Databases
Aerohive Routing Platforms
Model: BR100 | BR200 (also available as a non-Wi-Fi device) | AP330 / AP350
Radios: single radio, 1x1 11bgn | single radio, 3x3:3 450 Mbps 11abgn | dual radio
Ethernet: 5 x 10/100 | 5 x 10/100/1000 | 2 x 10/100/1000
PoE PSE: none | 2 x PoE PSE (BR200WP) | none
FW/VPN throughput: 5-10 Mbps | 30-50 Mbps | 30-50 Mbps
VPN Gateways (physical / virtual): L3 IPsec VPN gateway, ~500 Mbps VPN, 4000 / 1024 tunnels
BR100 vs. BR200
Feature: BR100 | BR200/BR200WP
Ethernet: 5 x Fast Ethernet | 5 x Gigabit Ethernet
Radio: 1x1 11bgn (2.4 GHz) single radio | 3x3:3 11abgn dual-band single radio (WP)
PoE: no integrated PoE | PoE (in WP model)
Console port: none | console port
Spectrum analysis: none | integrated spectrum analysis (WP)
Wireless intrusion detection: none | full Aerohive WIPS (WP)
RADIUS / AD: no local RADIUS or AD integration | full Aerohive RADIUS, proxy, and AD integration
SNMP: no SNMP logging | SNMP support
Aerohive AP Platforms
• AP121: indoor, plenum rated, 0 to 40°C; 2x2:2 300 Mbps high-power 11n radios; 1 x Gig.E
• AP141: indoor, plenum rated, 0 to 40°C; 2x2:2 300 Mbps high-power 11n radios; 1 x Gig.E; USB for future use
• AP170: outdoor, waterproof (IP68), -40 to 55°C; 2x2:2 300 Mbps high-power 11n radios; 1 x Gig.E; PoE (802.3at)
• AP230: dual radio; 2 x Gig.E with link aggregation; plenum rated
• AP330: indoor, plenum rated, 0 to 40°C; dual radio 802.11n, 3x3:3 450 Mbps high-power radios; 2 x Gig.E with link aggregation; USB for 3G/4G modem; TPM security chip; PoE (802.3af + 802.3at) and AC power
• AP350: indoor industrial, plenum rated and dust proof, -20 to 55°C; otherwise as the AP330
• AP370*: indoor, plenum rated; dual radio 802.11ac/n, 3x3:3 450 + 1300 Mbps high-power radios; 2 x Gig.E with PoE failover; USB for future use
• AP390: indoor industrial, plenum rated and dust proof, -20 to 55°C; dual radio 802.11ac/n, 3x3:3 450 + 1300 Mbps high-power radios; 2 x Gig.E with PoE failover; USB for future use
* Includes 5 GHz transmit beamforming and, in 2.4 GHz, TurboQAM
VPN Gateway Virtual Appliance
• Supports the following:
  › GRE tunnel gateway
  › L2 IPsec VPN gateway
  › L3 IPsec VPN gateway
  › RADIUS authentication server
  › RADIUS relay agent
  › Bonjour gateway
  › DHCP server
• Use a VPN Gateway Virtual Appliance instead of an AP when higher scalability for these features is required
Function | Scale
VPN tunnels | 1024 tunnels
RADIUS – local users per VPN gateway | 9999
Users cached (RADIUS server) | 1024
Simultaneous authentications (RADIUS server) | 256
VPN Gateway Physical Appliance
• Supports the following:
  › GRE tunnel gateway
  › L2 IPsec VPN gateway
  › L3 IPsec VPN gateway
  › RADIUS authentication server
  › RADIUS relay agent
  › Bonjour gateway
  › DHCP server
• Use a VPN Gateway Appliance instead of an AP when higher scalability for these features is required
Function | Scale
VPN tunnels | 4000 tunnels
RADIUS – local users per VPN gateway | 9999
Users cached (RADIUS server) | 1024
Simultaneous authentications (RADIUS server) | 256
Ports: one 10/100/1000 WAN port and four LAN ports, two of which supply PoE
QUESTIONS?
Lab Infrastructure
Diagram (Core – Distribution – Access): each student space has a PC, a PoE SR2024 switch and an AP (Student 2 … Student X); the instructor space has HiveManager and the router.
Router VLAN interfaces:
VLAN 1: ip address 10.100.1.1/24
VLAN 2: ip address 10.100.2.1/24
VLAN 8: ip address 10.100.8.1/24
VLAN 10: ip address 10.100.10.1/24
SWITCHING
Lab: Setting up a Wireless Network
1. Connect to the Hosted Training HiveManager
• Securely browse to the appropriate HiveManager for class
› TRAINING LAB 1
https://training-hm1.aerohive.com
https://72.20.106.120
› TRAINING LAB 2
https://training-hm2.aerohive.com
https://72.20.106.66
› TRAINING LAB 3
https://training-hm3.aerohive.com
https://209.128.124.220
› TRAINING LAB 4
https://training-hm4.aerohive.com
https://203.214.188.200
› TRAINING LAB 5
https://training-hm5.aerohive.com
https://209.128.124.230
• Supported browsers: Firefox, Internet Explorer, Chrome, Safari
• Class login credentials:
  › Login: adminX (X = student ID, 2 - 29)
  › Password: aerohive123
NOTE: In order to access the HiveManager, someone at your location needs to enter the training firewall credentials given to them by the instructor first.
Lab: Setting Up a Wireless Network
2. Create a Network Policy
• Go to Configuration
• Click the New button
Lab: Setting Up a Wireless Network
3. Enable network policy options
• Name: Access-X
• Check the options for:
  › Wireless Access
  › Switching
  › Bonjour Gateway
• Click Create
• Note: enabling Branch Routing
  » enables L3 VPN configuration
  » disables L2 VPN configuration
  » enables the L3 router firewall policy
  » enables policy-based routing with identity
  » enables router configuration settings in Additional Settings
Network Policy Components
• Wireless Access – use when you have an AP-only deployment, or you require specific wireless policies for APs in a mixed AP and router deployment
• Branch Routing – use when you are managing routers, or APs behind routers that do not require different network policies than the router they connect through
Diagram: a BR100 connected to the Internet (small branch office or teleworker site); a BR200 with APs behind it connected to the Internet (small to medium size branch office that may have APs behind the router)
Network Policy Components
• Bonjour Gateway
  › Allows Bonjour services to be seen in multiple subnets
• Switching
  › Used to manage wired traffic using Aerohive switches
Diagram: Internet – PoE SR2024 – APs
Lab: Setting Up a Wireless Network
4. Create a New SSID Profile
Network Configuration
• Next to SSIDs, click Choose
• Then click New
Lab: Setting Up a Wireless Network
5. Configure Employee SSID
• SSID Profile: Class-PSK-X (X = student ID, 2 - 29)
• SSID: Class-PSK-X
• Select WPA/WPA2 PSK (Personal)
• Uncheck the Obscure Password checkbox
• Key Value: aerohive123
• Confirm Value: aerohive123
• Click Save
• Click OK
For all labs, please follow the class naming convention.
Lab: Setting Up a Wireless Network
6. Create a User Profile
• To the right of your SSID, under User Profile, click Add/Remove
• In Choose User Profiles, click the New button
Lab: Setting Up a Wireless Network
7. Define User Profile Settings
• Name: Employee-X
• Attribute Number: 10
• Default VLAN: from the drop-down box, select Create new VLAN and type 10
• Click Save
Lab: Setting Up a Wireless Network
8. Choose User Profile and Save
• Ensure the Employee-X user profile is highlighted
• Click Save
Lab: Setting Up a Wireless Network
9. Review your policy and save
• From the Configure Interfaces & User Access bar, click Save
SPANNING TREE BEHAVIOR
How loops happen
1. A client sends a broadcast such as an ARP request.
2. Switch A forwards the frame on all interfaces except the source interface.
3. Switch B receives the broadcast twice, but does not know it is the same broadcast. It forwards the copy received on interface 1 out of interface 24, and vice versa.
4. Switch A again receives the broadcast twice and does the same as Switch B (it also sends both broadcasts back to the client).
5. Rinse and repeat: the broadcast never leaves the network.
Diagram: a client on Switch A; Switch A and Switch B joined by two parallel links.
Easy to solve, right?
Just disconnect one cable…
But now there is no redundancy…
Have no fear!
There was once a loop to be,
In a redundant path for everyone to see.
The packets went round and round,
Until a new sheriff was found.
His name? Well, Spanning Tree!
So what does the Spanning Tree Protocol (STP) do?
High level overview:
1. All interfaces are blocked (for non-STP traffic) while the switches elect a root bridge (switch)
2. After the root bridge is elected, switches calculate the lowest cost path to the root bridge
3. Unblock the corresponding ports and keep redundant ports blocked
4. If an active link fails, unblock the redundant port
Diagram: the root switch ("I am root!") does not have to calculate a path; link costs shown are 1 Gbit = 20,000 and 100 Mbit = 200,000.
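The broadcast loop described above and the four STP steps can be checked with a small model. The following Python is an added example, not course material or Aerohive code: it elects the root by bridge ID (priority, then MAC), computes each switch's lowest-cost path to the root with the default path costs the slide quotes, marks the root-port links forwarding and the remaining redundant link blocked, and then recomputes after a link failure. The topology, MAC addresses and priorities are constructed for illustration.

```python
import heapq
from collections import namedtuple

# Default port path costs quoted on the slide (IEEE 802.1D-2004 / RSTP values).
PATH_COST = {100: 200_000, 1000: 20_000}

Link = namedtuple("Link", "a b speed_mbps")

# Constructed topology: C is root by priority; B's direct link to C is 100 Mbit,
# so the two-hop path through A (20,000 + 20,000) beats 200,000 and B-C blocks.
SWITCHES = {
    "A": {"priority": 32768, "mac": "00:1f:27:00:00:0a"},
    "B": {"priority": 32768, "mac": "00:1f:27:00:00:0b"},
    "C": {"priority": 4096, "mac": "00:1f:27:00:00:0c"},
}
LINKS = [Link("A", "C", 1000), Link("B", "C", 100), Link("A", "B", 1000)]


def bridge_id(switches, name):
    """STP compares bridge IDs as (priority, MAC): the lower tuple wins."""
    return (switches[name]["priority"], switches[name]["mac"])


def elect_root(switches):
    """Step 1: every switch claims to be root; the lowest bridge ID wins."""
    return min(switches, key=lambda n: bridge_id(switches, n))


def root_path_costs(root, links):
    """Step 2: lowest-cost path from every switch to the root (Dijkstra)."""
    adj = {}
    for link in links:
        cost = PATH_COST[link.speed_mbps]
        adj.setdefault(link.a, []).append((link.b, cost))
        adj.setdefault(link.b, []).append((link.a, cost))
    dist = {root: 0}
    heap = [(0, root)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:
            continue  # stale heap entry
        for nbr, cost in adj.get(node, []):
            if d + cost < dist.get(nbr, float("inf")):
                dist[nbr] = d + cost
                heapq.heappush(heap, (dist[nbr], nbr))
    return dist


def compute_tree(switches, links):
    """Steps 3 and 4: each non-root switch forwards on its root port (the link
    giving the lowest root path cost, neighbour bridge ID as tie-break); every
    other link has one end blocked. Returns (root, {link: state}). Call again
    with a failed link removed to see the redundant link unblock."""
    root = elect_root(switches)
    dist = root_path_costs(root, links)
    forwarding = set()
    for sw in switches:
        if sw == root:
            continue
        candidates = [l for l in links if sw in (l.a, l.b)]
        if not candidates:
            continue  # isolated switch: nothing to elect

        def root_port_key(link, sw=sw):
            nbr = link.b if link.a == sw else link.a
            return (dist.get(nbr, float("inf")) + PATH_COST[link.speed_mbps],
                    bridge_id(switches, nbr))

        forwarding.add(min(candidates, key=root_port_key))
    return root, {l: ("forwarding" if l in forwarding else "blocked") for l in links}


if __name__ == "__main__":
    root, state = compute_tree(SWITCHES, LINKS)
    print("root:", root)
    for link, st in state.items():
        print(f"{link.a}-{link.b} ({link.speed_mbps} Mbit): {st}")
    # Step 4: A-B fails, so B's redundant 100 Mbit link to C unblocks.
    root, state = compute_tree(SWITCHES, [l for l in LINKS if l != Link("A", "B", 1000)])
    for link, st in state.items():
        print(f"after A-B failure: {link.a}-{link.b}: {st}")
```

Without the blocked state every link would forward and the broadcast from step 1 would circulate exactly as the loop slide describes; with it, the B-C link stays idle until A-B fails.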
Spanning Tree – extra reading
Found in the class materials:
Spanning-Tree-Overview.pptx
• STP
• RSTP
• MSTP
• (R)PVST
Switch Spanning Tree Settings
• By default, spanning tree is disabled on Aerohive switches
  › Why?
  › If you plug an edge switch into a network and our switch's priority is a lower number (higher priority) than what is configured on the existing network, our switch will become the root switch
  › This means that the paths and links chosen through the network would be optimized for reaching your edge switch!
  › This most likely is not what a customer wants to do! ;-)
• What is the downside of not enabling spanning tree by default?
  › If you plug two cables from our switch into the distribution switch network, and the ports are not configured as an aggregate, you can cause a loop!
  › This is far less of a concern than enabling spanning tree by default and possibly rerouting all traffic through our switch, so spanning tree is disabled by default
Verify Existing Network Spanning Tree Priorities
• Before installing an Aerohive switch into an existing switch network, have the company determine the root switch and backup root switch priorities
• Ensure our spanning tree priority is set to a higher number (lower priority) than both
• For example, on a Cisco Catalyst switch you can type:
CS-Dist-2#show spanning-tree
MST0
Spanning tree enabled protocol mstp
Root ID Priority 12288
Address 000f.23b9.0d80
Cost 0
Port 25 (GigabitEthernet0/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 16384 (priority 16384 sys-id-ext 0)
Address 001f.274c.5180
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- -----
Fa0/24 Desg FWD 200000 128.24 P2p
Gi0/1 Root FWD 200000 128.25 P2p
• Here you can see the root priority is 12288
• The switch this command is run on shows a priority of 16384
• So our switch's default priority of 32768 (a higher number, therefore a lower priority) will not take over as root or cause any harm
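As an added example that is not part of the course, the check this slide describes can be scripted: parse the Root ID and Bridge ID lines of `show spanning-tree` for each instance, then compare a candidate (priority, MAC) bridge ID against the current root's. The MST0 text is the output shown above; the VLAN0010 section and the candidate MAC 0019.7700.0001 are constructed to show why the comparison must be made per instance, since a per-VLAN instance carries its VLAN number in the priority field (32768 + 10 = 32778) and a candidate at the default 32768 compares lower than that root.

```python
import re

# MST0 is the output shown on the slide; VLAN0010 is a constructed per-VLAN
# instance (priority 32768 + VLAN 10 = 32778) added to show the per-instance check.
SAMPLE = """\
CS-Dist-2#show spanning-tree

MST0
  Spanning tree enabled protocol mstp
  Root ID    Priority    12288
             Address     000f.23b9.0d80
             Cost        0
             Port        25 (GigabitEthernet0/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    16384  (priority 16384 sys-id-ext 0)
             Address     001f.274c.5180
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- -----
Fa0/24              Desg FWD 200000    128.24   P2p
Gi0/1               Root FWD 200000    128.25   P2p

VLAN0010
  Spanning tree enabled protocol rstp
  Root ID    Priority    32778
             Address     0011.2233.4455
             Cost        4
             Port        25 (GigabitEthernet0/1)

  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
             Address     001f.274c.5180
"""

INSTANCE_RE = re.compile(r"^\s*(MST\d+|VLAN\d+)\s*$")
PRIORITY_RE = re.compile(r"Priority\s+(\d+)")  # capital P: ignores "(priority 32768 sys-id-ext 10)"
ADDRESS_RE = re.compile(r"Address\s+([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})")


def mac_key(mac):
    """Normalise 000f.23b9.0d80 / 00:0f:23:b9:0d:80 to bare hex so MACs compare as numbers."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def parse_show_spanning_tree(text):
    """Return {instance: {"root": {"priority", "mac"}, "bridge": {"priority", "mac"}}}."""
    result, instance, section = {}, None, None
    for line in text.splitlines():
        m = INSTANCE_RE.match(line)
        if m:
            instance, section = m.group(1), None
            result[instance] = {}
            continue
        if instance is None:
            continue
        if "Root ID" in line:
            section = "root"
        elif "Bridge ID" in line:
            section = "bridge"
        if section is None:
            continue
        pm, am = PRIORITY_RE.search(line), ADDRESS_RE.search(line)
        if pm:
            result[instance].setdefault(section, {})["priority"] = int(pm.group(1))
        if am:
            result[instance].setdefault(section, {})["mac"] = am.group(1)
    return result


def would_become_root(root_priority, root_mac, new_priority, new_mac):
    """STP elects the lowest (priority, MAC); a lower number is a higher priority."""
    return (new_priority, mac_key(new_mac)) < (root_priority, mac_key(root_mac))


def check_new_switch(show_output, new_priority=32768, new_mac="0019.7700.0001"):
    """Per instance, True means a switch with this bridge ID would take over as root.
    new_mac defaults to a constructed address; pass the real one from the new switch."""
    if new_priority % 4096:
        raise ValueError("RSTP/MST bridge priorities must be a multiple of 4096")
    findings = {}
    for instance, ids in parse_show_spanning_tree(show_output).items():
        root = ids["root"]
        findings[instance] = would_become_root(root["priority"], root["mac"],
                                               new_priority, new_mac)
    return findings


if __name__ == "__main__":
    for inst, takes_root in check_new_switch(SAMPLE).items():
        print(f"{inst}: a new switch at priority 32768 would become root: {takes_root}")
```

Run it against the real output of every distribution switch the new edge switch will uplink to; a True on any instance means the Aerohive switch needs a higher priority number (or spanning tree left disabled, as the previous slide argues) before it is cabled in.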
Lab: Enable Spanning Tree
1. Enable Spanning Tree
From the network policy that has switching enabled
• Go to Additional Settings and click Edit
Lab: Enable Spanning Tree
2. Enable RSTP
Enable Rapid Spanning Tree
• Expand Switch Settings
• Expand STP Settings
• Check the box to Enable STP (Spanning Tree Protocol)
• Select the radio button to enable RSTP (Rapid Spanning Tree)
• Click Save
Lab: Enable Spanning Tree
3. Save your Network Policy
• From the Configure Interfaces & User Access bar, click Save
Spanning Tree – Switch specific settings
More detailed spanning tree settings can be configured on an individual switch in device-level settings, should that be required.
DEVICE TEMPLATES FOR DEFINING SWITCH PORT SETTINGS
Device Templates
• HiveManager device templates are used to assign switches at the same or different sites to a common set of port configurations
• For example, ports 1 and 2 are for APs, ports 3-6 are for phones, etc.
Diagram: distribution switches above two access/edge SR2024 switches with PoE APs; HiveManager applies the "SR2024 as switch" device template to both.
Device Templates
• Device templates are used to define ports for the same device, devices with the same number of ports, and device function
• Device templates do not set the device function (switch, router, or AP); they only match devices configured with the matching function
• You configure a device's function in the device-specific configuration
Diagram: one template applies to SR2024 switches configured as switches; another applies to SR2024 switches configured as routers, which requires a WAN port (icon depicted as a cloud).
Device Templates for Devices Requiring Different Port Settings
• If devices require different port configurations for the same type of device and function, you can:
  › 1. Configure device classification tags to have different device templates for different devices
  › 2. Create a new network policy with a different device template
Diagram: "SR2024 as Switch – Default Sites" applies to switches with the default site classification; "SR2024 as Switch – Small Sites" applies to switches carrying the device classification tag "Small Site".
Note: The switch model (2024) used in the lab has been superseded by improved models.
CONFIGURE DEVICE TEMPLATES
FOR DEFINING SWITCH PORT
SETTINGS
60
© 2013 Aerohive Networks CONFIDENTIAL
Lab: Configure Device Templates
1. Create device template
• Next to Device Templates, click Choose
• Click New
Lab: Configure Device Templates
2. Create switch template
• Name: SR2024-Default-X
• Click Device Models
• Select SR2024
• Click OK
• For SR2024, when functioning as: select Switch
• Click Save
Note: Here you are not setting the SR2024 to function as a switch. Instead, you are only specifying that this template applies to SR2024s when they are configured to function as a switch. The switch/router function is configured in the switch device settings.
Note: You only see Switch as an option, and not Switch and Router, because Routing was not enabled in the selection box when creating this network policy.
Lab: Configure Device Templates
3. Save switch template
• Ensure your device template is selected and click OK
• The device template will appear in the Device Templates section
• You can show or hide the individual device template by clicking the triangle
The template icon shows you that this is a template for your switch as a switch.
Lab: Configure Device Templates
4. Save your Network Policy
• From the Configure Interfaces & User Access bar, click Save
LINK AGGREGATION
Lab Infrastructure
Aggregate Links for Connection to Distribution
Aggregates are statically configured, similar to EtherChannel. There is no LACP (Link Aggregation Control Protocol) in this release.
• You can have 8 ports in one channel
  › The ports do not have to be contiguous
• Every port on the SR2024 can be configured into port channels except the USB and console ports
• The switch hardware creates a hash of the header fields in frames selected for load balancing, to determine which port in an aggregate a frame is sent on
  › Load balancing options are:
    » Source & destination MAC, IP, and port
    » Source & destination IP and port
    » Source & destination IP
    » Source & destination MAC
Diagram: PC, AP and PoE SR2024 switch with aggregated uplinks to the distribution switches.
Lab Infrastructure
Aggregate Links for Connection to Distribution
• Load balancing of broadcast, multicast, and unknown unicast traffic between ports in an aggregate is based on source/destination MAC and IP.
• You cannot configure an 802.1X port in an EtherChannel.
• MAC learning is on the port channel, instead of on the member port.
• Only ports with the same physical media type and speed can be grouped into one aggregate.
• LLDP is supported per port but not per channel.
Lab Infrastructure
Do not do this with aggregates
• In this case, distribution switch 1 and switch 2 will see the same MAC addresses, causing MAC flapping
  › i.e. traffic from PC A, for example, might be load balanced to Switch 1 and Switch 2
• In this case, there will also be a loop!
• Aggregates must be built between a pair of switches only!
Diagram: Aggregate 1 on the SR2024 with one member link to Distribution Switch 1 and the other to Distribution Switch 2.
AGGREGATION – CONFIGURATION EXAMPLE
Aggregate Links for Switch Connections to Distribution Layer Switches
Each access switch will have two aggregates:
• Aggregate 1: ports 17, 18
• Aggregate 2: ports 19, 20
These ports are not connected in this classroom; this is only a configuration example.
Diagram: Core – Distribution – Access; the SR2024 (with PC and PoE AP) uplinks via the two aggregates to the distribution switches; the ESXi server and HMOL sit above.
Lab: Link Aggregation
1. Select ports 17 and 18
Select ports that will be used to connect to the distribution layer switches (example only; aggregates are not used in class)
NOTE: It is recommended not to use the first 8 ports on the SR2024, which provide PoE.
• Select ports 17 and 18
• Check the box for Aggregate selected ports…
• Enter 1
• Click Configure
Lab: Link Aggregation
2. Create Trunk Port policy
• Click New
• Name: Trunk-X
• Port Type: 802.1Q
• QoS Classification: Trusted Traffic Source
  › Map to DSCP or 802.1p
  Note: This means we are trusting the upstream network infrastructure's markings. Use a trusted classification only on ports that face infrastructure you control; on a user-facing port it would let a client pick its own priority queue.
• QoS Marking: Map Aerohive…
  › Map to DSCP or 802.1p
• Click Save
Lab: Link Aggregation
2. Save Trunk Port policy
• Ensure that Trunk-X is selected, then click OK
Lab: Link Aggregation
3. Select ports 19 and 20
• Select ports 19 and 20
• Check Aggregate selected ports… and enter 2
Lab: Link Aggregation
4. Assign Trunk policy
• Click Configure
• For Choose port type, select the 802.1Q trunk that you created previously: Trunk-X
• Click OK
Lab: Link Aggregation
5. Review port settings
Ports 17, 18, 19, and 20 will now display an 802.1Q trunk icon and should all appear the same, even though there are two different aggregates.
Lab: Link Aggregation
6. Save your Network Policy
• From the Configure Interfaces & User Access bar, click Save
CONFIGURE UPLINKS USED IN THE CLASSROOM
Classroom Links for Switch Connections to Distribution Layer Switches
For the class, we are going to configure single uplinks without aggregation to connect to the distribution switches.
• Single uplinks: ports 23, 24
Port 23 will be connected to Distribution switch 1, and port 24 will be connected to Distribution switch 2.
Diagram: Core – Distribution – Access; the SR2024 (with PC and PoE AP) uplinked to both distribution switches; the ESXi server and HMOL sit above.
• 3CX IP PBX: 10.100.1.?
Lab: Configure Uplink Ports
1. Select ports 23 and 24
Select ports that will be used to connect to the distribution layer switches
• Select ports 23 and 24
• Click Configure
Lab: Configure Uplink Ports
2. Assign port policy and save
• For Choose port type, select the 802.1Q trunk that you created previously: Trunk-X
• Click OK
• Ports 23 and 24 should now be the same color as the other trunk ports
Lab: Configure Uplink Ports
3. Save your Network Policy
• From the Configure Interfaces & User Access bar, click Save
CONFIGURE PORTS FOR APS
Lab Infrastructure
Configure PoE Ports for APs
Configure two of the PoE ports for APs
• Use ports 1 and 2 for APs
NOTE: For class there is an AP connected to port 1 of every switch
Diagram: Core – Distribution – Access; the SR2024's PoE ports feed APs and IP phones; the ESXi server and HMOL sit above.
Lab: Configure Access Point ports
1. Select ports 1 and 2
Select ports that will be used to connect to APs
NOTE: The first 8 ports on an SR2024 provide power
• Select ports 1 and 2
• Click Configure
Lab: Configure Access Point ports
2. Create Trunk Policy
• Click New
• Name: AP-Trunk-X
• Port Type: 802.1Q
• QoS Classification: Trusted Traffic Source
  › Map to DSCP or 802.1p
  Note: This means we are trusting the upstream network infrastructure's markings
• QoS Marking: Map Aerohive…
  › Map to DSCP or 802.1p
• Click Save
Lab: Configure Access Point ports
3. Assign AP-Trunk Policy to ports 1 and 2
• Ensure that AP-Trunk-X is selected
• Click OK
• Ports 1 and 2 will now display an 802.1Q trunk icon, but this time a power symbol appears as well, because ports 1 through 8 can provide power
• Notice that ports 1 and 2 are a different color, because they have a different port policy than the other ports
Lab: Configure Access Point ports
4. Save your Network Policy
• From the Configure Interfaces & User Access bar, click Save
© 2013 Aerohive Networks CONFIDENTIAL
CONFIGURE POWER SOURCING EQUIPMENT (PSE) PORTS FOR POWER OVER ETHERNET (POE)
PoE Overview
• PoE standards define the capabilities of the power sourcing equipment (PSE) and the powered device (PD).
• The PSE is an Aerohive switch. Aerohive access points would be considered PDs.
• The 802.3af PoE standard defines 15.4 Watts from the PSE
• All 802.11n Aerohive APs will work with 802.3af - CAT5e cabling or better is required.
• The maximum draw of an Aerohive AP-330 is 14.95 Watts.
PoE Overview
• The 802.3at standard (PoE+) defines 32 Watts from the PSE
• The 802.11ac Aerohive AP230 is fully functional using 802.3af
• However, the older 802.11ac Aerohive APs (AP370 and AP390) require PoE+ for full functionality
• The AP370 and AP390 will function with 802.3af PoE; however, the 80 MHz channel capability is restricted.
PoE Power Budgets
• Careful PoE power budget planning is a must.
• Access points will randomly reboot if a power budget has been exceeded and the APs cannot draw their necessary power.
Switch    PoE ports    Power budget
SR2024P   24 PoE+      195 W
SR2124P   24 PoE+      408 W
SR2148P   48 PoE+      779 W
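A power-budget check for the PSE profiles configured in this lab, added here as an example (not Aerohive's code): it sums the per-port power limits against the switch budgets from the table above and reports which ports would be left unpowered. The shedding order (lowest priority first, highest port number first within a priority) and the sample port assignments are assumptions made for this example, not documented switch behaviour.

```python
from dataclasses import dataclass

# Switch-wide PoE budgets in watts, taken from the slide table.
SWITCH_BUDGET_W = {"SR2024P": 195, "SR2124P": 408, "SR2148P": 779}

# Maximum a PSE port can offer per power mode, in milliwatts
# (slides: 802.3af = 15.4 W, 802.3at/PoE+ = 32 W).
POWER_MODE_MAX_MW = {"802.3af": 15400, "802.3at": 32000}

# Lower rank keeps power longer when the budget is short (assumed order).
PRIORITY_RANK = {"critical": 0, "high": 1, "low": 2}


@dataclass(frozen=True)
class PsePort:
    """One switch port with its PSE profile (Name / Power Mode / Limit / Priority)."""
    name: str           # e.g. "Eth1/1"
    power_mode: str     # "802.3af" or "802.3at" (802.3at is the default)
    power_limit_mw: int
    priority: str       # "low", "high" or "critical"


def validate_port(port):
    """Reject a profile whose limit exceeds what its power mode can deliver."""
    mode_max = POWER_MODE_MAX_MW[port.power_mode]
    if port.priority not in PRIORITY_RANK:
        raise ValueError(f"{port.name}: unknown priority {port.priority!r}")
    if not 0 < port.power_limit_mw <= mode_max:
        raise ValueError(f"{port.name}: {port.power_limit_mw} mW exceeds the "
                         f"{port.power_mode} maximum of {mode_max} mW")
    return port.power_limit_mw


def _port_number(port):
    # "Eth1/12" -> 12; used only to order ports of equal priority.
    return int(port.name.rsplit("/", 1)[-1])


def plan_poe_budget(model, ports):
    """Describe whether the assigned PSE limits fit the switch budget."""
    budget_mw = SWITCH_BUDGET_W[model] * 1000
    requested_mw = sum(validate_port(p) for p in ports)
    # Power ports in priority order (assumed); whatever no longer fits is shed.
    keep_order = sorted(ports, key=lambda p: (PRIORITY_RANK[p.priority], _port_number(p)))
    powered, shed, allocated_mw = [], [], 0
    for port in keep_order:
        if allocated_mw + port.power_limit_mw <= budget_mw:
            powered.append(port.name)
            allocated_mw += port.power_limit_mw
        else:
            shed.append(port.name)
    return {
        "model": model,
        "budget_mw": budget_mw,
        "requested_mw": requested_mw,
        "allocated_mw": allocated_mw,
        "over_budget": requested_mw > budget_mw,
        "powered": powered,
        "shed": shed,
    }


def lab_ports():
    """Constructed sample: Eth1/1-2 use the af-high profile from this lab
    (15400 mW, high); Eth1/3-8 keep the 802.3at default at low priority."""
    aps = [PsePort(f"Eth1/{n}", "802.3af", 15400, "high") for n in (1, 2)]
    phones = [PsePort(f"Eth1/{n}", "802.3at", 32000, "low") for n in range(3, 9)]
    return aps + phones


if __name__ == "__main__":
    # On an SR2024P the eight default-limit ports request 222.8 W against 195 W.
    print(plan_poe_budget("SR2024P", lab_ports()))
```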
Lab: Configure PoE ports
1. Select additional port settings
• Select Additional port settings to configure
› Port Channel Load-Balance Mode Settings
› PoE port (PSE) Settings
The Additional Port Settings link is available only if no ports are currently selected
Lab: Configure PoE ports
2. Aggregate channel settings
• For Port Channel Load-Balance Mode, select the headers in a frame that will be used to create a hash that determines which port a frame should egress
› NOTE: If you are testing a single client, especially for a demo, the more fields you use, the better the opportunity to egress over multiple ports
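A model of the load-balance hash described above, added as an example (not Aerohive's code): the chosen header fields are hashed and the result selects the egress member, so a single client's flows all land on one member until a field that differs per flow is included. The hash function (CRC32 of the selected fields), the member port names and the sample flows are constructed for this example; the slides do not specify the switch's actual algorithm.

```python
import zlib
from collections import Counter

# Constructed sample: one client (same MACs and IPs) opening eight TCP
# connections to one server, i.e. the single-client demo case in the note.
SINGLE_CLIENT_FLOWS = [
    {"src_mac": "00:11:22:33:44:55", "dst_mac": "00:aa:bb:cc:dd:ee",
     "src_ip": "10.5.10.20", "dst_ip": "10.5.1.10",
     "src_port": 49152 + i, "dst_port": 443}
    for i in range(8)
]

MAC_FIELDS = ("src_mac", "dst_mac")
MAC_IP_FIELDS = MAC_FIELDS + ("src_ip", "dst_ip")
MAC_IP_L4_FIELDS = MAC_IP_FIELDS + ("src_port", "dst_port")


def lb_hash(flow, fields):
    """Hash only the selected header fields of a frame (assumed CRC32)."""
    key = "|".join(f"{f}={flow[f]}" for f in sorted(fields))
    return zlib.crc32(key.encode())


def egress_member(flow, fields, members):
    """Pick the port-channel member that carries this frame."""
    return members[lb_hash(flow, fields) % len(members)]


def distribution(flows, fields, members):
    """Count how many of the flows egress on each member port."""
    counts = Counter(egress_member(f, fields, members) for f in flows)
    return {m: counts.get(m, 0) for m in members}


def ports_used(flows, fields, members):
    """Number of member ports that carry at least one of the flows."""
    return sum(1 for n in distribution(flows, fields, members).values() if n)


if __name__ == "__main__":
    members = ["Eth1/23", "Eth1/24"]   # the two uplink ports from this lab
    for fields in (MAC_FIELDS, MAC_IP_FIELDS, MAC_IP_L4_FIELDS):
        print(len(fields), "fields ->", distribution(SINGLE_CLIENT_FLOWS, fields, members))
```

With only MAC or MAC+IP fields every flow of the one client hashes identically and uses a single member; adding the L4 ports gives each flow its own hash value, which is what lets the demo spread across members.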
Lab: Configure PoE ports
3. PSE settings
• Expand PSE Settings
• Because only the first two ports have been configured, you will only have the ability to configure PSE (provides PoE) on the first two ports
• Next to Eth1/1 click +
Lab: Configure PoE ports
4. PSE settings
• Name: af-high-X
• Power Mode: 802.3af
• Power Limit: 15400 mW
• Priority: high
• Save
Note: The default PoE port setting is 802.3at (PoE+). Power priority can be low, high or critical.
Lab: Configure PoE ports
5. PSE settings
• Assign Eth1/1 and Eth1/2 to: af-high-X
• Save
NOTE: You will only see the interfaces (ports) that have been assigned to a port type
Lab: Configure PoE ports
6. Save your Network Policy
• From the Configure Interfaces & User Access bar, click Save
CONFIGURE PORTS FOR IP PHONES
Lab Infrastructure
Configure PoE Ports for IP Phones
Configure 6 of the PoE ports for IP Phones
• Use ports 3 - 8 for IP Phones
[Lab infrastructure diagram: SR2024 PoE access switch, distribution and core layers, ESXi server (HMOL), APs and IP phones]
CONFIGURE PHONE PORTS IN SWITCH DEVICE TEMPLATE
Lab: Configure PoE ports for IP phones
1. Select ports 3-8
Select ports that will be used to connect to IP Phones
NOTE: The first 8 ports on an SR2024 provide power
• Select ports 3, 4, 5, 6, 7, and 8 (yes, you can multi-select)
• Click Configure
Lab: Configure PoE ports for IP phones
2. Phone & Data ports
• Click New
Lab: Configure PoE ports for IP phones
3. Phone & Data ports
• Name: Phone-and-Data-X
• Port Type: Phone & Data
• Check Primary authentication using: MAC via PAP
• QoS Classification: Trusted Traffic Sources
Note: This means we are trusting the upstream network infrastructure markings
› Map to DSCP or 802.1p
• QoS Marking: Map Aerohive…
› Map to DSCP or 802.1p
• Click Save
Lab: Configure PoE ports for IP phones
4. Phone & Data ports
• For choose port type, select Phone-and-Data-X
• Click OK
• Ports 3 – 8 will now display with a phone icon
Lab: Configure PoE ports for IP phones
5. Save your network policy
• From the Configure Interfaces & User Access bar, click Save
CONFIGURE PORTS FOR OPEN GUEST ACCESS
Lab Infrastructure
Configure Ports for Employee Computer Access
Configure 2 of the switch ports for open access (switch ports are in a secured room – for testing purposes)
• Use ports 9 and 10
[Lab infrastructure diagram: SR2024 PoE access switch, distribution and core layers, ESXi server (HMOL), APs, IP phones and guest computers]
Lab: Configure Open Guest Ports
1. Select ports 9 and 10
Select ports that will be used to connect to guest computers
• Select ports 9 and 10
• Click Configure
Lab: Configure Open Guest Ports
2. Create access port
• Click New
Lab: Configure Open Guest Ports
3. Create access port
• Name: Guest-X
• Port Type: Access
• Most likely you will not be trusting the DSCP settings on guest devices, so click Untrusted Traffic Sources
• There is no need to mark the traffic for QoS marking
• Click Save
Lab: Configure Open Guest Ports
4. Assign access port policy
• For choose port type, select Guest-X
• Click OK
• Ports 9 and 10 will now display with a world icon
Lab: Configure Open Guest Ports
5. Save your network policy
• From the Configure Interfaces & User Access bar, click Save
For switch ports in a secure location
CONFIGURE PORTS FOR SECURE EMPLOYEE ACCESS WITH 802.1X
Lab Infrastructure
Configure Ports for Employee Computer Access
Configure six of the switch ports for 802.1X authentication
• Use Ports 11-16
[Lab infrastructure diagram: SR2024 PoE access switch, distribution and core layers, ESXi server (HMOL), APs, IP phones and employee computers using 802.1X]
Lab: Configure Secure Access Ports
1. Select ports 11 - 16
Select ports that will be used to connect to employee computers that support 802.1X
• Select ports 11, 12, 13, 14, 15, 16
• Click Configure
Lab: Configure Secure Access Ports
2. Create secure port policy
• Click New
Lab: Configure Secure Access Ports
3. Create secure port policy
• Name: Secure-X
• Port Type: Access
• Check the box for: Primary Authentication using 802.1X
• Uncheck ☐ Allow multiple hosts (same VLAN)
• To preserve markings on PCs for softphones or other important applications, select QoS Classification: Trusted Traffic Sources
• Check the box for QoS Marking ☑ Map Aerohive QoS …
• Select DSCP or 802.1p depending on the upstream switch architecture
• Click Save
Lab: Configure Secure Access Ports
4. Assign secure port policy
• For choose port type, select Secure-X
• Click OK
• Ports 11-16 will now display with a world icon
Lab: Configure Secure Access Ports
5. Save your network policy
• From the Configure Interfaces & User Access bar, click Save
CONFIGURE MIRROR PORTS
Lab: Configure Mirror Ports
1. Select ports 21 - 22
Select ports that will be used for port mirroring
• Select ports 21 and 22
• Click Configure
Lab: Configure Mirror Ports
2. Create mirror port policy
• Click New
• Name: Mirror-X
• Port Type: Mirror
• Click Save
Lab: Configure Mirror Ports
3. Assign mirror port policy
• For choose port type, select Mirror-X
• Click OK
• Check ☑ Port-Based
Note: VLAN-based port mirroring can only be enabled on a single port
Lab: Configure Mirror Ports
4. Choose ports to mirror
• Eth1/21, Egress – click Choose
• Select Eth1/1 and click OK
• Eth1/22, Ingress – click Choose
• Select Eth1/12 and click OK
Lab: Configure Mirror Ports
5. Verify and save mirror port policy
• All downstream traffic destined for the WLAN clients of the Aerohive AP on port Eth1/1 will be mirrored to port Eth1/21.
• All upstream traffic destined for the network from the host on Eth1/12 will be mirrored to port Eth1/22.
• Click Save
Lab: Configure Mirror Ports
6. Verify and save mirror port policy
Ports 21 and 22 will now display a magnifying glass icon.
Lab: Configure Mirror Ports
7. Save your network policy
• From the Configure Interfaces & User Access bar, click Save
GENERAL DEVICE TEMPLATE INFO
General Port Template Info
If you have more than one port selected, you can clear port selections here so you do not have to click all the selected ports to deselect them.
General Port Template Info
• If you move your mouse over one of the defined ports, an option appears to select all ports using this port type
Guest Access
CONFIGURE PORT TYPES
Lab: Configure Ports – Guest Access
1. Port Types
• Configure the authentication, user profile, and VLAN information for the port types defined in the device templates
Lab: Configure Ports – Guest Access
2. Create user profile
Similar to SSIDs, you need to configure User Profiles (user policy) for the access ports
• For your Guest-X port type, under User Profile click Add/Remove
• Click New
Lab: Configure Ports – Guest Access
3. Assign VLAN
User profiles are used to assign policy to devices connected to the network.
NOTE: Switches use the VLAN in a user profile. Switches functioning as routers use the VLAN, but may also make layer 3 firewall and policy-based routing decisions based on the user profile. In either case, user profile information is carried with user information throughout an Aerohive network infrastructure.
• Name: Guest-X
• Attribute: 100
• Default VLAN: 8
• Click Save
The optional settings are utilized when the user profile is enforced on an AP. The switch, because it is forwarding packets at line speed in silicon, does not utilize the optional settings. If the switch is configured to be a branch router, the user profile is used for decisions in layer 3 firewall policies, IPsec VPN policies, and identity-based routing.
Lab: Configure Ports – Guest Access
4. Save user profile
• Ensure Guest-X is selected
• Click Save
• Verify your settings
Lab: Configure Ports - Guest Access
5. Save your network policy
• From the Configure Interfaces & User Access bar, click Save
Employee Access Secured with 802.1X
CONFIGURE PORT TYPES
Lab: Configure Ports - Secure Access
1. Configure RADIUS
Configure the RADIUS server for the ports secured with 802.1X
• For your Secure-X port type, under Authentication click <RADIUS Settings>
• Click New
Lab: Configure Ports - Secure Access
2. Configure RADIUS
Define the external RADIUS server settings
• RADIUS name: RADIUS-X
• IP address: 10.5.1.10
• Shared Secret: aerohive123
• Confirm Secret: aerohive123
• Click Apply!!
• Click Save
Lab: Configure Ports - Secure Access
3. Configure user profile
Assign user profiles to the secure 802.1X ports
• Next to your Secure-X port type, under User Profile click Add/Remove
Port Types
There are three user profile assignment methods:
1. (Auth) Default – If a client authenticates successfully, but no user profile attribute is returned, or if a user profile attribute is returned matching the default user profile selected
2. Auth OK – If a client authenticates successfully, and a user profile attribute is returned, it must match one of the user profiles you select here
3. Auth Fail – If a client fails authentication, use this user profile
Lab: Configure Ports - Secure Access
4. Configure default user profile
Define the Default User Profile, assigned if a client authenticates successfully but no user profile attribute is returned, or if a user profile attribute is returned matching the default user profile selected
• Select the Default tab
• Select the user profile: Employee-Default(1)
› Created by the instructor…
› Assigns VLAN 1
Lab: Configure Ports - Secure Access
5. Configure Auth OK user profile
Define a user profile for Auth OK – if a client authenticates successfully, and a user profile attribute is returned, it must match one of the user profiles you select here. You can have up to 63 Auth OK user profiles.
• Select the Auth OK tab
• Select Employee-X(10)
› Assigns VLAN 10
Lab: Configure Ports - Secure Access
6. Configure Auth Fail user profile
Define a user profile for Auth Fail – if a client fails authentication several times, assign the Auth Fail user profile
• Select Auth Fail
• Select Guest-X(100)
› Assigns VLAN 8
• Verify the Default, Auth OK, and Auth Fail settings one more time
• Click Save
Lab: Configure Ports - Secure Access
7. Verify settings
• Verify the settings
Lab: Configure Ports - Secure Access
8. Save your network policy
• From the Configure Interfaces & User Access bar, click Save
PHONE & DATA PORTS WITH NO AUTHENTICATION
Phone & Data Port Type
With Open Access
• Switch Port is assigned to a Phone & Data Port Type
• For this example, no authentication is selected in Phone & Data
[Diagram: SR2024 switch, Phone & Data port using 802.1Q, IP phone with a data device behind it]
Phone & Data Port Type
With Open Access
• You can then select a Default Voice, and Default Data user profile
• The Phone & Data port is an 802.1Q port
• The Phone VLAN will be tagged and sent to the IP phone via LLDP-MED
• The switch port will assign the Data VLAN as the native VLAN
› This way, the phone traffic is tagged, and data traffic is untagged
[Diagram: SR2024 switch, Phone & Data port using 802.1Q, LLDP assigns the phone to the tagged Voice VLAN, data device behind the phone]
Note: For default data, only the VLAN is used, not the user profile
CLI Commands for
Phone & Data Port without Authentication
• interface eth1/3 switchport mode trunk
• interface eth1/3 switchport user-profile-attribute 2
• interface eth1/3 switchport trunk native vlan 10
• interface eth1/3 switchport trunk voice-vlan 2
• interface eth1/3 switchport trunk allow vlan 2
• interface eth1/3 switchport trunk allow vlan 10
• interface eth1/3 qos-classifier Phone-and-Net-2
• interface eth1/3 qos-marker Phone-and-Net-2
• interface eth1/3 pse profile QS-PSE
PHONE & DATA PORTS WITH 802.1X/PEAP AUTHENTICATION OR MAC AUTHENTICATION
Phone & Data Port Type
With 802.1X/PEAP or MAC Authentication
• Switch Port is assigned to a Phone & Data Port Type
• For this example, 802.1X authentication is selected in Phone & Data
[Diagram: SR2024 switch, Phone & Data port using 802.1Q and 802.1X, IP phone with an employee data device behind it, RADIUS server. The phone policy returns the Cisco AV Pair device-traffic-class=voice plus a user profile and/or VLAN; the data (employee) policy returns a user profile and/or VLAN]
Phone & Data Port Type
With 802.1X/PEAP
• You can connect a single client, or multiple clients behind an IP phone data port
• Phones and clients authenticate independent of each other and the order in which they authenticate does not matter
› However, the VLAN assigned to the first data device (Employee) that authenticates is assigned as the data VLAN; all other devices will be assigned to the same VLAN, even if they have different user profiles with other VLANs assigned, or even if RADIUS returns a different VLAN.
[Diagram: same Phone & Data with 802.1X topology as above]
Phone & Data Port Type
With Primary and Secondary Authentication
• If a secondary authentication is used and the first authentication is not available, or fails three times, the second authentication will be tried
[Diagram: same Phone & Data with 802.1X topology as above]
CLI Commands for
Phone & Data Port with 802.1X
• security-object Phone-and-Data-2
• security-object Phone-and-Data-2 security aaa radius-server primary 10.250.1.1 shared-secret ***
• security-object Phone-and-Data-2 security protocol-suite 802.1x
• security-object Phone-and-Data-2 default-user-profile-attr 1
• security-object Phone-and-Data-2 security auth-mode host-based multiple-domain
• interface eth1/3 security-object Phone-and-Data-2
• interface eth1/3 switchport mode trunk
• interface eth1/3 switchport user-profile-attribute 1
• interface eth1/3 qos-classifier Phone-and-Data-2
• interface eth1/3 qos-marker Phone-and-Data-2
• interface eth1/3 pse profile QS-PSE
• no interface eth1/3 spanning-tree enable
• no interface eth1/3 link-discovery cdp receive enable
• user-profile Default qos-policy def-user-qos vlan-id 1 attribute 1
• user-profile Employee-2 qos-policy def-user-qos vlan-id 10 attribute 10
• user-profile Voice-2 qos-policy def-user-qos vlan-id 2 attribute 2
• user-profile Guest-2 qos-policy def-user-qos vlan-id 8 attribute 100
CLI Commands for
Phone & Data Port with MAC AUTH
• security-object Phone-and-Data-2
• security-object Phone-and-Data-2 security aaa radius-server primary 10.250.1.1 shared-secret ***
• security-object Phone-and-Data-2 security additional-auth-method mac-based-auth
• security-object Phone-and-Data-2 default-user-profile-attr 1
• security-object Phone-and-Data-2 security auth-mode host-based multiple-domain
• security-object Phone-and-Data-2 security initial-auth-method mac-based-auth
• interface eth1/3 security-object Phone-and-Data-2
• interface eth1/3 switchport mode trunk
• interface eth1/3 switchport user-profile-attribute 1
• interface eth1/3 qos-classifier Phone-and-Data-2
• interface eth1/3 qos-marker Phone-and-Data-2
• interface eth1/3 pse profile QS-PSE
• no interface eth1/3 spanning-tree enable
• no interface eth1/3 link-discovery cdp receive enable
• user-profile Default qos-policy def-user-qos vlan-id 1 attribute 1
• user-profile Employee-2 qos-policy def-user-qos vlan-id 10 attribute 10
• user-profile Voice-2 qos-policy def-user-qos vlan-id 2 attribute 2
• user-profile Guest-2 qos-policy def-user-qos vlan-id 8 attribute 100
Overview
CONFIGURING NPS FOR PHONE AND EMPLOYEE AUTHENTICATION WITH 802.1X/PEAP
Configure NPS for Phone & Data Authentication
• Create a network policy for voice
Configure NPS for Phone & Data Authentication
• Enter a name for the voice policy, and click Next
Configure NPS for Phone & Data Authentication
• Click Add to specify a condition
Configure NPS for Phone & Data Authentication
• Select Windows Groups
• Click Add
Configure NPS for Phone & Data Authentication
• Click Add Groups…
• A voice group was created by IT for IP phones – enter voice and click OK
• Click OK
Configure NPS for Phone & Data Authentication
• Click Next
Configure NPS for Phone & Data Authentication
• Select Access granted
Configure NPS for Phone & Data Authentication
• Click Add
• Select Microsoft: Protected EAP (PEAP)
• Click OK
Configure NPS for Phone & Data Authentication
• Click Next
• For constraints click Next
Configure NPS for Phone & Data Authentication
• Remove attributes that are not needed:
› Select Framed-Protocol, and click Remove
› Select Service-Type, and click Remove
Configure NPS for Phone & Data Authentication
Add the three attribute value pairs needed to assign a user profile
• Tunnel-Medium-Type: IP v4 (value found in the Others section)
• Tunnel-Type: Generic Route Encapsulation (GRE)
• Tunnel-Pvt-Group-ID: (String) 2
› 2 is the voice user profile in this case
• Click Next
Configure NPS for Phone & Data Authentication
• Under RADIUS Attributes, select Vendor Specific
RETURN A CISCO AV PAIR TO LET THE AEROHIVE SWITCH KNOW WHICH USER PROFILE SHOULD BE ASSIGNED AS THE VOICE USER PROFILE
Configure NPS for Phone & Data Authentication
In order for a switch to know that a specific user profile is for voice, Aerohive devices can accept the Cisco AV Pair: device-traffic-class=voice. This is sent to the switch, and the switch uses LLDP to send the voice VLAN to any phone that supports LLDP-MED
• Under RADIUS Attributes, select Vendor Specific
• Click Add
Configure NPS for Phone & Data Authentication
• Under Vendor, select Cisco
Configure NPS for Phone & Data Authentication
• Click Add
• Click Add again
Configure NPS for Phone & Data Authentication
• Attribute value: device-traffic-class=voice
• Click OK
• Click OK
• Click Close (The value does not show up on this screen. Do not worry, it is there.)
Configure NPS for Phone & Data Authentication
• Attribute value: device-traffic-class=voice
• Click OK
• Click OK
• Click Next
Configure NPS for Phone & Data Authentication
• Click Finish
DEFINE CLIENT ACCESS
CLI Commands for
Phone & Data Port without Authentication
Create a new policy for employee access
• Policy name: Wireless or Wired Employee Access
CLI Commands for
Phone & Data Port without Authentication
• For the condition, select the Windows group that contains your employees
• Add the three attribute value pairs needed to assign a user profile
› Tunnel-Medium-Type: IP v4 (value found in the Others section)
› Tunnel-Type: Generic Route Encapsulation (GRE)
› Tunnel-Pvt-Group-ID: (String) 10
» 10 is the voice user profile in this case
• Click Next
Phone and Data
CONFIGURE PORT TYPES
Lab: Configure Ports - Phone & Data
1. Configure RADIUS
Configure the RADIUS server for the ports secured with 802.1X
• For your Phone-and-Data-X port type, under Authentication click <RADIUS Settings>
• Select RADIUS-X, which is an external Microsoft NPS RADIUS server
• Click OK
Port Types
Assign user profiles to your 802.1X ports
• For your Phone-and-Data-X port type, under User Profile click Add/Remove
Port Types (Reminder)
Must Verify
There are three user profile settings:
1. Default – Default for data if no user profile attribute is returned, or a user profile attribute is returned and matches the user profile configured here
2. Auth OK (Voice) – If a client authenticates successfully, and a user profile attribute is returned matching a selected user profile, and the Cisco AV Pair is also returned
3. Auth OK (Data) – Client passes authentication, and a user profile attribute is returned, but no Cisco AV pair
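The RADIUS side of the Secure Access port (Default / Auth OK / Auth Fail) and of the Phone & Data port (Default / Auth OK (Voice) / Auth OK (Data)), as an added example that is neither Aerohive's nor Microsoft's code: it encodes the Access-Accept attributes the NPS policies above return, parses them back as a switch would, and applies the selection rules with the lab's profile numbers and VLANs. Attribute numbers follow RFC 2865 and RFC 2868; the tag-less encoding, the handling of an unmapped attribute and the first-device VLAN helper are assumptions made for this example.

```python
import struct

# Added example, not Aerohive/Microsoft code.  RADIUS attribute numbers
# (RFC 2865 / RFC 2868) and the values selected in the NPS policy above.
ATTR_VENDOR_SPECIFIC, ATTR_TUNNEL_TYPE = 26, 64
ATTR_TUNNEL_MEDIUM_TYPE, ATTR_TUNNEL_PVT_GROUP_ID = 65, 81
TUNNEL_TYPE_GRE, TUNNEL_MEDIUM_IPV4 = 10, 1   # "Generic Route Encapsulation", "IP v4"
VENDOR_CISCO, CISCO_AVPAIR = 9, 1             # Vendor-Specific: Cisco, cisco-avpair
VOICE_AVPAIR = b"device-traffic-class=voice"

# Lab user profiles, attribute -> (name, VLAN), and the two port types' settings.
PROFILES = {1: ("Employee-Default", 1), 10: ("Employee-X", 10),
            100: ("Guest-X", 8), 2: ("Voice-X", 2)}
SECURE_X = {"default": 1, "auth_ok": {10}, "auth_fail": 100}
PHONE_AND_DATA_X = {"default": 1, "auth_ok_voice": {2}, "auth_ok_data": {10}}


def _attr(attr_type, value):
    """One RADIUS attribute: type, total length, value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_accept_attributes(user_profile_attr, voice=False):
    """Encode what the NPS policy returns: the tunnel attributes (tag byte 0
    plus a 3-byte value), the user profile attribute as a string and, for the
    voice policy, the Cisco AV pair inside a Vendor-Specific attribute."""
    out = _attr(ATTR_TUNNEL_MEDIUM_TYPE, struct.pack("!I", TUNNEL_MEDIUM_IPV4))
    out += _attr(ATTR_TUNNEL_TYPE, struct.pack("!I", TUNNEL_TYPE_GRE))
    out += _attr(ATTR_TUNNEL_PVT_GROUP_ID, str(user_profile_attr).encode())
    if voice:
        vsa_header = struct.pack("!IBB", VENDOR_CISCO, CISCO_AVPAIR, 2 + len(VOICE_AVPAIR))
        out += _attr(ATTR_VENDOR_SPECIFIC, vsa_header + VOICE_AVPAIR)
    return out


def parse_accept_attributes(data):
    """Read the attributes back as a switch would.  Returns
    (user profile attribute or None, True if the voice AV pair is present)."""
    attr, voice, pos = None, False, 0
    while pos + 2 <= len(data):
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed RADIUS attribute")
        value = data[pos + 2:pos + alen]
        if atype == ATTR_TUNNEL_PVT_GROUP_ID:
            if value and value[0] <= 0x1F:       # optional leading tag byte
                value = value[1:]
            if value.isdigit():
                attr = int(value)
        elif atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            if (vendor, vtype) == (VENDOR_CISCO, CISCO_AVPAIR) \
                    and value[6:vlen + 4] == VOICE_AVPAIR:
                voice = True
        pos += alen
    return attr, voice


def assign_secure_access(port, accepted, attr):
    """Default / Auth OK / Auth Fail selection for an 802.1X access port.
    The slides do not define an accepted client whose attribute matches no
    selected profile; this example refuses to guess and raises."""
    if not accepted:
        return PROFILES[port["auth_fail"]]
    if attr is None or attr == port["default"]:
        return PROFILES[port["default"]]
    if attr in port["auth_ok"]:
        return PROFILES[attr]
    raise ValueError(f"no Auth OK profile selected for attribute {attr}")


def assign_phone_and_data(port, accepted, attr, voice):
    """Default / Auth OK (Voice) / Auth OK (Data) selection for a Phone & Data
    port.  The voice profile applies only when the Cisco AV pair is present;
    the switch then pushes that VLAN to the phone via LLDP-MED."""
    if not accepted:
        return None                   # the lab sets no Auth Fail profile here
    if voice and attr in port["auth_ok_voice"]:
        return PROFILES[attr]
    if attr is None or attr == port["default"]:
        return PROFILES[port["default"]]
    if attr in port["auth_ok_data"]:
        return PROFILES[attr]
    raise ValueError(f"no Auth OK profile selected for attribute {attr}")


def data_vlan_behind_phone(profiles_in_auth_order):
    """The first data device to authenticate behind a phone fixes the data
    VLAN; later devices keep their profile name but land in that VLAN."""
    first_vlan = profiles_in_auth_order[0][1]
    return [(name, first_vlan) for name, _vlan in profiles_in_auth_order]
```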
Lab: Configure Ports - Phone & Data
2. Configure user profile – Auth OK (Voice)
• Click Auth OK (Voice)
• Click New
Lab: Configure Ports - Phone & Data
3. Configure user profile – Auth OK (Voice) VLAN
User profiles are used to assign policy to devices connected to the network.
• Name: Voice-X
• Attribute: 2
• Default VLAN: 2
• Click Save
Lab: Configure Ports - Phone & Data
4. Configure user profile – Auth OK (Voice)
• For the Auth OK (Voice) tab select: Voice-X(2)
› Assigns VLAN 2
Lab: Configure Ports - Phone & Data
5. Configure user profile – Default
Assign the Default user profile:
• Select the Default tab
• Select Employee-Default(1)
› Assigns VLAN 1
Lab: Configure Ports - Phone & Data
6. Configure user profile – Auth OK (Data)
Define a user profile for Auth OK (Data) – for clients connected through an IP Phone
• Select Auth OK (Data)
• Select Employee-X(10)
› Assigns VLAN 10
• Verify the Default, Auth OK (Voice), and Auth OK (Data) settings one more time
• Click Save
Lab: Configure Ports - Phone & Data
7. Verify your settings
• Verify the settings
Lab: Configure Ports - Phone and Data
8. Save your network policy
• From the Configure Interfaces & User Access bar, click Save
CONFIGURE 802.1Q TRUNK PORTS
Lab: Configure Trunk Ports
1. Configure AP-Trunk-X port policy VLANs
Define the allowed VLANs on a trunk port
• Next to AP-Trunk-X click Add/Remove
• Add the specific VLANs: 1,2,8,10
• Click OK
Lab: Configure Trunk Ports
2. Configure Trunk-X port policy VLANs
Define the allowed VLANs on a trunk port
• Next to Trunk-X click Add/Remove
• Type all
• Click OK
Lab: Configure Trunk Ports
3. Verify your settings
Verify Settings
Lab: Configure Ports - Phone and Data
8. Save your network policy and continue
• From the Configure Interfaces & User Access bar, click Save
UPDATE DEVICES
Lab: Update Devices
1. Modify your AP
From the Configure & Update Devices section, modify your AP specific settings
• Click the Name column to sort the APs
• Click the link for your AP: 0X-A-######
Lab: Update Devices
2. Update the configuration of your Aerohive AP
• Location: <FirstName_LastName>
• Topology Map: Classroom
• Network Policy: Access-X
Note: Leave this set to default so you can see how it is automatically set to your new network policy when you update the configuration.
• Set the power down to 1 dBm on both radios because the APs are stacked in a rack in the data center
› 2.4GHz (wifi0) Power: 1
› 5GHz (wifi1) Power: 1
• Click Save
Lab: Update Devices
3. Select AP and switch
• Select your AP and switch and click Update
• Click Yes
Lab: Update Devices
4. Update the AP and switch
• Select Update Devices
• Select ☑ Perform a complete configuration update for all selected devices
• Click Update
For this class, ALL updates should be complete configuration updates
Lab: Update Devices
5. Update the AP and switch
• Should the Reboot warning box appear, select OK
QUESTIONS?
CREATE AN AEROHIVE DEVICE DISPLAY FILTER
Lab: Create a Display Filter from Monitor View
1. Create a filter
• To create a display filter go to Monitor → Filter: Select +
• Network Policy, select: Access-X
• Remember this Filter, type: Access-X
• Click Search
Lab: Create a Display Filter from Monitor View
2. Verify the display filter
QUESTIONS?
TEST YOUR WI-FI CONFIGURATION USING THE HOSTED PC
Lab: Test Hosted Client Access to SSID
Test SSID Access at Hosted Site
• Use VNC client to access Hosted PC:
› password: aerohive
• From the hosted PC, you can test connectivity to your SSID
[Lab diagram: the hosted PC connects over Ethernet to the SR2024 PoE access switch and over Wi-Fi to the AP; distribution and core layers, ESXi server (HM VA) and Internet]
Lab: Test Hosted Client Access to SSID
1. For Windows: Use TightVNC client
• If you are using a Windows PC
› Use TightVNC
› TightVNC has good compression so please use this for class instead of any other application
• Start TightVNC
› For Lab 1: lab1-pcX.aerohive.com
› For Lab 2: lab2-pcX.aerohive.com
› For Lab 3: lab3-pcX.aerohive.com
› For Lab 4: lab4-pcX.aerohive.com
› For Lab 5: lab5-pcX.aerohive.com
› Select ☑ Low-bandwidth connection
› Click Connect
› Password: aerohive.
› Click OK
Lab: Test Hosted Client Access to SSID
2. For Mac: Use the RealVNC client
• If you are using a Mac
› RealVNC has good compression so please use this for class instead of any other application
• Start RealVNC
› For Lab 1: lab1-pcX.aerohive.com
› For Lab 2: lab2-pcX.aerohive.com
› For Lab 3: lab3-pcX.aerohive.com
› For Lab 4: lab4-pcX.aerohive.com
› For Lab 5: lab5-pcX.aerohive.com
› Click Connect
› Password: aerohive.
› Click OK
Lab: Test Hosted Client Access to SSID
3. In case the PCs are not logged in
If you are not automatically logged in to your PC
• If you are using the web browser client
› Click the button to Send Ctrl-Alt-Del
• If you are using the TightVNC client
› Click to send a control alt delete
• Login: AH-LABuser
• Password: Aerohive1
• Click the right arrow to login
Lab: Test Hosted Client Access to SSID
4. Remove any Wireless Networks on Hosted PC
213
From the bottom task bar, click the locate wireless
networks icon
› Select Open Network and Sharing Center
› Click Manage wireless Networks
› Select a network, then click Remove
› Repeat until all the networks are removed
› Click [x] to close the window
© 2013 Aerohive Networks CONFIDENTIAL
Lab: Test Hosted Client Access to SSID
5. Connect to Your Class-PSK-X SSID
214
• Single-click the
wireless icon on the
bottom right corner
of the windows task
bar
• Click your SSID
Class-PSK-X
• Click Connect
› Security Key:
aerohive123
› Click OK
© 2013 Aerohive Networks CONFIDENTIAL
Lab: Test Hosted Client Access to SSID
6. View Active Clients List
215
• After associating with your SSID, you should see
your connection in the active clients list Wireless
Clients
• Your IP address should be from the 10.5.10.0/24
network which is from VLAN 10
Go to MonitorClientsWireless Clients and
locate your PC’s entry
QUESTIONS?
TESTING SWITCH PORT CONNECTIONS WITH WINDOWS 7
217

Lab: Test Hosted Client to Wired Network
Test Guest and 802.1X Access
218
• Use VNC client to access Hosted PC:
› password: aerohive
• From the hosted PC, you can test connectivity to your SSID
[Diagram: Hosted PC and AP attached over Ethernet and Wi-Fi to a PoE SR2024 access switch, behind Distribution and Core, with an ESXi Server (HM VA) and the Internet]

Three Different VLANs are Possible
In this configuration
219
• Default – Auth OK, and RADIUS does not return a user profile, or returns a user profile matching the default
• Auth OK – RADIUS returns a user profile that matches one of the user profiles configured here
• Auth Fail – RADIUS authentication fails (Guest)
Lab: Test Hosted Client to Wired Network
1. Verify IP address of Ethernet adapter
220
• Locate Local Area Connection 3
• Right-click
• Click Status
• Click Details

Lab: Test Hosted Client to Wired Network
2. Verify IP address of Ethernet adapter
221
Why do you see an IP from the 10.5.1.0/24 subnet?
This is the IP address the device received on VLAN 1 before the switch was configured.

Lab: Test Hosted Client to Wired Network
3. Reset Ethernet Adapter
222
Because the PC has the wrong IP it will not work; you can remedy this by:
• Right-click on Local Area Connection 3
• Click Diagnose
or
• Disable, then Enable Local Area Connection 3
• Do NOT Disable Local Area Connection 2

Lab: Test Hosted Client to Wired Network
4. Verify IP address of Ethernet adapter
223
• Locate Local Area Connection 3
• Right-click
• Click Status
• Click Details

Lab: Test Hosted Client to Wired Network
5. Verify IP address of Ethernet adapter
224
Why do you see an IP from the 10.5.8.0/24 subnet?
This is the guest network that is assigned if authentication is not supported or fails.

Lab: Test Hosted Client to Wired Network
6. Verify VLAN of wired client
225
Go to Monitor > Clients > Wired Clients and locate your PC’s entry
• Note the IP, Client Auth Mode, User Profile Attribute and VLAN
• VLAN 8 is the guest VLAN assigned because 802.1X authentication was not supported or failed. The host was assigned to the Auth Fail user profile.

Lab: Test Hosted Client to Wired Network
7. Enable 802.1X for wired clients
226
• In Windows 7, you must enable 802.1X support
• As an administrator, from the Start menu type services
• Then click Services

Lab: Test Hosted Client to Wired Network
8. Enable 802.1X for wired clients
227
• Click the Standard tab on the bottom of the Services panel
• Locate Wired AutoConfig and right-click
• Click Properties

Lab: Test Hosted Client to Wired Network
9. Enable 802.1X for wired clients
228
• The Wired AutoConfig (DOT3SVC) service is responsible for performing IEEE 802.1X authentication on Ethernet interfaces
• If your current wired network deployment enforces 802.1X authentication, the DOT3SVC service should be configured to run for establishing Layer 2 connectivity and/or providing access to network resources
• Wired networks that do not enforce 802.1X authentication are unaffected by the DOT3SVC service

Lab: Test Hosted Client to Wired Network
10. Enable 802.1X for wired clients
229
• Click Automatic
• Click Start

Lab: Test Hosted Client to Wired Network
11. Enable 802.1X for wired clients
230
• Click OK

Lab: Test Hosted Client to Wired Network
12. Verify IP address of Ethernet adapter
231
• Locate Local Area Connection 3
• Right-click
• Click Status
• Click Details

Lab: Test Hosted Client to Wired Network
13. Verify IP address of Ethernet adapter
232
Why do you see an IP from the 10.5.10.0/24 subnet?
The user has authenticated with 802.1X/EAP and RADIUS is returning the user profile attribute: 10

Lab: Test Hosted Client to Wired Network
14. Verify authentication and VLAN of wired client
233
Go to Monitor > Clients > Wired Clients and locate your entry
• Note the IP, Client Auth Mode, User Profile Attribute and VLAN
• VLAN 10 is the employee VLAN assigned because 802.1X authentication was successful and the host was assigned to the Auth OK user profile.
For Reference: Switch CLI
234
SR-04-866380# show auth int eth1/12
Authentication Entities:
if=interface; UID=User profile group ID; AA=Authenticator Address;
if=eth1/12; idx=16; AA=08ea:4486:638c; Security-obj=Secure-2; default-UID=1;
Protocol-suite=802.1X;Auth-mode=port-based; Failure-UID=100; Dynamic-VLAN=10;
No. Supplicant      UID  Life  State  DevType  User-Name    Flag
--- -------------- ---- ----- -------------- ------- ----------- --------- ----
0   000c:2974:aa8e   10     0  done   data     AH-LABuser4  000b
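An added example (not from the course material) that parses the `show auth int` output above and applies the three-outcome logic from the "Three Different VLANs are Possible" slide: a supplicant whose UID equals the port's Failure-UID landed in the Auth Fail (guest) profile, one carrying the default-UID got the default profile, and any other UID came from a RADIUS user profile attribute. The sample output is the slide's text re-flowed, with extra supplicant rows and the UID-to-VLAN table constructed for this example (VLAN 1, VLAN 10 and guest VLAN 8 follow the lab).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the "show auth int eth1/12" output from the slide on single lines,
# plus three made-up supplicant rows so that every outcome appears on one port.
SAMPLE_SHOW_AUTH = """\
SR-04-866380# show auth int eth1/12
Authentication Entities:
if=interface; UID=User profile group ID; AA=Authenticator Address;
if=eth1/12; idx=16; AA=08ea:4486:638c; Security-obj=Secure-2; default-UID=1;
Protocol-suite=802.1X;Auth-mode=port-based; Failure-UID=100; Dynamic-VLAN=10;
No. Supplicant      UID  Life  State  DevType  User-Name    Flag
--- -------------- ---- ----- -------------- ------- ----------- ----
0   000c:2974:aa8e   10     0  done   data     AH-LABuser4  000b
1   000c:2974:bb01  100     0  done   data     visitor      0001
2   000c:2974:cc02    1     0  done   data     AH-LABuser9  000b
3   000c:2974:dd03    0     0  wait   data     -            0000
"""

# Assumed user-profile-ID -> VLAN table for this lab: the Auth OK profile (attribute 10)
# lands in VLAN 10, the default profile (1) in VLAN 1, and the Auth Fail profile
# (Failure-UID 100 in the CLI output) in the guest VLAN 8.
UID_TO_VLAN: Dict[int, int] = {1: 1, 10: 10, 100: 8}

KV_RE = re.compile(r"([\w-]+)=([^;]+);")   # "key=value;" pairs in the entity lines


@dataclass
class Supplicant:
    mac: str
    uid: int
    state: str
    user: str


def parse_show_auth(text: str) -> Tuple[Dict[str, str], List[Supplicant]]:
    """Split the CLI output into the port's authentication settings and its supplicant table."""
    port: Dict[str, str] = {}
    supplicants: List[Supplicant] = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("---"):          # dashed rule: the supplicant table starts here
            in_table = True
            continue
        if in_table:
            fields = line.split()
            if len(fields) >= 8 and fields[0].isdigit():
                supplicants.append(Supplicant(mac=fields[1], uid=int(fields[2]),
                                              state=fields[4], user=fields[6]))
            continue
        pairs = dict(KV_RE.findall(line))
        if pairs.get("if") == "interface":  # the legend line, not a real interface
            continue
        port.update((k, v.strip()) for k, v in pairs.items())
    return port, supplicants


def assigned_vlan(port: Dict[str, str], s: Supplicant,
                  uid_to_vlan: Dict[int, int] = UID_TO_VLAN) -> Tuple[Optional[int], str]:
    """Classify one supplicant into the three outcomes and return (VLAN, outcome)."""
    if s.state != "done":
        return None, "pending"                  # 802.1X exchange not finished yet
    if s.uid == int(port["Failure-UID"]):
        return uid_to_vlan[s.uid], "auth-fail"  # failed/unsupported 802.1X: guest profile
    if s.uid == int(port["default-UID"]):
        return uid_to_vlan[s.uid], "default"    # authenticated, no usable RADIUS attribute
    return uid_to_vlan[s.uid], "auth-ok"        # authenticated, RADIUS returned a matching profile


def port_report(text: str) -> List[Tuple[str, str, Optional[int], str]]:
    """(user, MAC, VLAN, outcome) for every supplicant on the port; handy for a quick audit."""
    port, supplicants = parse_show_auth(text)
    return [(s.user, s.mac) + assigned_vlan(port, s) for s in supplicants]


if __name__ == "__main__":
    for row in port_report(SAMPLE_SHOW_AUTH):
        print(row)
```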
Enable 802.1X for Wired Connections
235
If you need to troubleshoot, you can view Local Area Connection 3
• From the Start menu, type view network
• Right-click Local Area Connection 3, and click Diagnose
› This will reset the adapter, clear the caches, etc…

Clearing Authentication Cache
For Testing or Troubleshooting
236
• From the Wired Clients list, you can select a client and click Deauth
› This clears all the caches for the client on the switch
• Then on the hosted PC, you will need to disable then enable Local Area Connection 3 to force a reauth
MISC MONITORING
237

Switch Monitoring
238
• Monitor > Switches
• Click on the hostname of the switch

Switch Monitoring
239
• Hover with your mouse over the switch ports

Switch Monitoring
240
System Details

Switch Monitoring
241
Port Details and PSE Details

Power Cycle Devices via PoE
242
• To configure this feature for selected ports on a switch, navigate to Monitor > Switches in the Managed Devices tab, click the name of the switch, and scroll down to PSE Details.
• Select the check box or boxes for the port or ports that you want to cycle, and then click Cycle Power.
This is useful in the event that an AP or multiple APs are locked up and need to be rebooted remotely. Bouncing the PoE port forces the AP to reboot.

Switch Monitoring
243
• Monitor > Active Clients > Wired Clients
• Add the User Profile Attribute column and move it up; it is useful

Switch Monitoring
244
• Click on the MAC address for a wired client to see more information

Switch Monitoring
245
• Utilities… > Statistics > Interface

Switch Monitoring
246
• Utilities… > Diagnostics > Show PSE

VLAN Probe
Use VLAN Probe to verify VLANs and DHCP Service
247
• Monitor > Switches – Select your device, and go to Utilities… > Diagnostic > VLAN probe
NOTE: If you get the same IP subnet for each of the VLANs, that is a sign that the switch uplink port is connected to an access port, not a trunk port like it should be.

Client Monitor
248
• Tools > Client Monitor
• Client Monitor can be used to troubleshoot 802.1X/EAP authentication for wired clients
Switch CLI
249
• SR-02-66ec00#show interface switchport
Name: gigabitethernet1/1
Switchport: enable
Port Mode: access
Port Mirror: disable
Port User-profile ID: 0
Static Access VLAN: 1
Dynamic Auth VLAN: 0
Name: gigabitethernet1/2
Switchport: enable
Port Mode: access
Port Mirror: disable
Port User-profile ID: 10
Static Access VLAN: 10
Dynamic Auth VLAN: 0

Switch CLI
250
• show client-report client
GENERAL SWITCHING
251

Storm Control
252
• Aerohive switches can mitigate traffic storms due to a variety of causes by tracking the source and type of frames to determine whether they are legitimately required.
• The switches can then discard frames that are determined to be the products of a traffic storm. You can configure thresholds for broadcast, multicast, unknown unicast, and TCP-SYN packets as a function of the percentage of interface capacity, number of bits per second, or number of packets per second.
From your network policy with Switching enabled: Go to Additional Settings>Switch Settings>Storm Control

IGMP Snooping MAC Addresses
253
• Aerohive switches are capable of monitoring IGMP transactions between multicast routers and client devices, and maintaining a local table of IGMP groups and group members
• Aerohive switches use this information to track the status of multicast clients attached to the switch ports so that they can forward multicast traffic efficiently
From your network policy with Switching enabled: Go to Additional Settings>Switch Settings>IGMP Settings
IGMP Snooping MAC Addresses
255
• IGMP device-specific options are available in the switch device configuration
• Users can enable/disable IGMP snooping for all VLANs or for a specified VLAN. When IGMP snooping is disabled, all dynamically learned multicast MAC addresses should be deleted.
Required When Aerohive Devices are Configured as RADIUS Servers
GENERATE AEROHIVE SWITCH RADIUS SERVER CERTIFICATES
256

HiveManager Root CA Certificate
Location and Uses
257
• This root CA certificate is used to:
› Sign the CSR (certificate signing request) that the HiveManager creates on behalf of the AP acting as a RADIUS or VPN server
› Validate Aerohive AP certificates to remote clients
» 802.1X clients (supplicants) will need a copy of the CA Certificate in order to trust the certificates on the Aerohive AP RADIUS server(s)
• Root CA Cert Name: Default_CA.pem
• Root CA key Name: Default_key.pem
Note: The CA key is only ever used or seen by HiveManager
• To view certificates, go to: Configuration, click Show Nav, then go to Advanced Configuration > Keys and Certificates > Certificate Mgmt

Use the Existing HiveManager CA Certificate, Do not Create a New One!
258
• For this class, please do not create a new HiveManager CA certificate, otherwise it will render all previous certificates invalid.
• On your own HiveManager, you can create your own HiveManager CA certificate by going to: Configuration, then go to Advanced Configuration > Keys and Certificates > HiveManager CA
LAB: Aerohive Switch Server Certificate and Key
1. Generate Aerohive switch server certificate
259
• Go to Configuration, click Show Nav > Advanced Configuration > Keys and Certificates > Server CSR
• Common Name: server-X
• Organizational Name: Company
• Organization Unit: Department
• Locality Name: City
• State/Province: <2 Characters>
• Country Code: <2 Characters>
• Email Address: userX@ah-lab.com
• Subject Alternative Name: User FQDN: userX@ah-lab.com
Note: This lets you add an extra step of validating the User FQDN in a certificate during IKE phase 1 for IPSec VPN. This way, the Aerohive AP needs a valid signed certificate, and the correct user FQDN.
• Key Size: 2048
• Password & Confirm: aerohive123
• CSR File Name: Switch-X
• Click Create
LAB: Aerohive Switch Server Certificate and Key
2. Sign and combine
260
• Select Sign by HiveManager CA
› The HiveManager CA will sign the Aerohive AP Server certificate
› Callout on the slide: Use this option to send a signing request to an external certification authority.
• The validity period should be the same as or less than the number of days the HiveManager CA Certificate is valid
› Enter the Validity: 3650 – approximately 10 years
• Check Combine key and certificate into one file
› Enabling this setting helps prevent certificate and key mismatches when configuring the RADIUS settings
• Click OK
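An added Python example (not HiveManager's code; it needs the `cryptography` package) that performs the same steps as the Server CSR form and the Sign and combine dialog: a CSR with the lab's subject fields and a User FQDN carried as an rfc822Name SAN, signing by a CA, a check that the requested validity does not outlive the CA certificate, and the combined password-protected key-and-certificate file with a test that its two halves belong together. The CA built here is a throwaway stand-in for the HiveManager CA, and the state/country values are placeholders.

```python
import datetime as dt
from typing import List, Tuple

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# Assumptions: `cryptography` is installed; the CA below is a throwaway stand-in for the
# HiveManager CA (Default_CA.pem / Default_key.pem) so the example runs offline. In class
# you use the existing HiveManager CA and never create a new one.


def _not_after(cert: x509.Certificate) -> dt.datetime:
    """Expiry as an aware UTC datetime, whichever cryptography version is installed."""
    if hasattr(cert, "not_valid_after_utc"):
        return cert.not_valid_after_utc
    return cert.not_valid_after.replace(tzinfo=dt.timezone.utc)


def make_lab_ca(days: int = 7300) -> Tuple[rsa.RSAPrivateKey, x509.Certificate]:
    """Self-signed stand-in CA named like the HiveManager root (subject CN=HiveManager)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "HiveManager")])
    now = dt.datetime.now(dt.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + dt.timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def make_switch_csr(x: int) -> Tuple[rsa.RSAPrivateKey, x509.CertificateSigningRequest]:
    """Key plus CSR with the fields from the lab's Server CSR form (state/country are placeholders)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)   # Key Size: 2048
    subject = x509.Name([
        x509.NameAttribute(NameOID.COMMON_NAME, f"server-{x}"),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Company"),
        x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, "Department"),
        x509.NameAttribute(NameOID.LOCALITY_NAME, "City"),
        x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, "XX"),   # placeholder, 2 characters
        x509.NameAttribute(NameOID.COUNTRY_NAME, "US"),             # placeholder, 2 characters
        x509.NameAttribute(NameOID.EMAIL_ADDRESS, f"user{x}@ah-lab.com"),
    ])
    # "User FQDN" SAN: carried as an rfc822Name, which is what IKE phase 1 can check
    san = x509.SubjectAlternativeName([x509.RFC822Name(f"user{x}@ah-lab.com")])
    csr = (x509.CertificateSigningRequestBuilder().subject_name(subject)
           .add_extension(san, critical=False).sign(key, hashes.SHA256()))
    return key, csr


def validity_fits_ca(days: int, ca_cert: x509.Certificate) -> bool:
    """A server certificate issued now for `days` must not expire after the CA certificate."""
    now = dt.datetime.now(dt.timezone.utc)
    return now + dt.timedelta(days=days) <= _not_after(ca_cert)


def sign_csr(csr, ca_key, ca_cert, days: int = 3650) -> x509.Certificate:
    """'Sign by HiveManager CA': keep the CSR's subject and SAN, issue for `days` days."""
    if not validity_fits_ca(days, ca_cert):
        raise ValueError(f"{days} days would outlive the CA certificate")
    now = dt.datetime.now(dt.timezone.utc)
    san = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    return (x509.CertificateBuilder()
            .subject_name(csr.subject).issuer_name(ca_cert.subject)
            .public_key(csr.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + dt.timedelta(days=days))
            .add_extension(san, critical=False)
            .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=False)
            .sign(ca_key, hashes.SHA256()))


def combine_key_and_cert(key, cert, password: bytes) -> bytes:
    """'Combine key and certificate into one file' (switch-X_key_cert.pem); key stays encrypted."""
    key_pem = key.private_bytes(serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8,
                                serialization.BestAvailableEncryption(password))
    return key_pem + cert.public_bytes(serialization.Encoding.PEM)


def key_matches_cert(combined_pem: bytes, password: bytes) -> bool:
    """The mismatch the combined file is meant to prevent: both halves must carry one public key."""
    key = serialization.load_pem_private_key(combined_pem, password)
    cert = x509.load_pem_x509_certificate(combined_pem)
    fmt = (serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo)
    return key.public_key().public_bytes(*fmt) == cert.public_key().public_bytes(*fmt)


def san_emails(cert: x509.Certificate) -> List[str]:
    """rfc822Name entries of the SAN, i.e. the User FQDN(s) the certificate asserts."""
    san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    return san.get_values_for_type(x509.RFC822Name)
```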
LAB: Aerohive Switch Server Certificate and Key
3. View server certificate and key
261
• To view certificates, go to: Configuration, click Show Nav, then go to Advanced Configuration > Keys and Certificates > Certificate Mgmt
• The certificate and key file name is: switch-X_key_cert.pem
• QUIZ
› Which CA signed this Aerohive switch server key?
› What devices need to install the CA public cert?
QUESTIONS?
Lab: Switch as a RADIUS server
1. Edit existing policy
263
• From Configuration,
• Select your Network policy: Access-X
• Click OK and then Continue

Lab: Switch Active Directory Integration
2. Select your Network Policy
264
To configure the Aerohive device as a RADIUS server...
Select the Configure & Update Devices bar
• Select the Filter: Current Policy
• Click the link for your Switch – SR-0X-######

Lab: Switch Active Directory Integration
3. Create a RADIUS Service Object
265
Create an Aerohive AP RADIUS Service Object
• Under Optional Settings, expand Service Settings
• Next to Device RADIUS Service click +
Lab: Switch AP Active Directory Integration
4. Create a RADIUS Service Object
266
• Name: SR-radius-X
• Expand Database Settings
• Uncheck Local Database
• Check External Database
• Under Active Directory, click + to define the RADIUS Active Directory Integration Settings

Lab: Switch Active Directory Integration
5. Select a switch to test AD integration
267
• Name: AD-X
• Aerohive device for Active Directory connection setup: select your Switch: SR-0X-#####
› This will be used to test Active Directory integration
› Once this switch is working, it can be used as a template for configuring other Aerohive device RADIUS servers with Active Directory integration
• The IP settings for the selected Aerohive switch are gathered and displayed

Lab: Switch Active Directory Integration
6. Modify DNS settings
268
• Set the DNS server to: 10.5.1.10
› This DNS server should be the Active Directory DNS server or an internal DNS server aware of the Active Directory domain
• Click Update
› This applies the DNS settings to the Network Policy and to the Aerohive device so that it can test Active Directory connectivity

Lab: Switch Active Directory Integration
7. Specify Domain and Retrieve Directory Information
269
• Domain: ah-lab.local
• Click Retrieve Directory Information
› The Active Directory Server IP will be populated, as well as the BaseDN used for LDAP user lookups

Lab: Switch Active Directory Integration
8. Specify Domain and Retrieve Directory Information
270
• Domain Admin: hiveapadmin (the delegated admin)
• Password and Confirm Password: Aerohive1
• Click Join
• Check Save Credentials
› NOTE: By saving credentials you can automatically join Aerohive devices to the domain without manual intervention

Lab: Switch Active Directory Integration
9. Specify A User to Perform LDAP User Searches
271
• Domain User: user@ah-lab.local (a standard domain user)
• Password and Confirm Password: Aerohive1
• Click Validate User
› You should see the message: The user was successfully authenticated.
› These user credentials will remain and be used to perform LDAP searches to locate user accounts during authentication.
Lab: Switch Active Directory Integration
10. Save the AD Settings
272
• Click Save

Lab: Switch Active Directory Integration
11. Apply the AD settings
273
• Select AD-X with priority: Primary
• Click Apply … please make sure you click Apply
• Do not save yet…

Lab: Switch Active Directory Integration
12. Enable LDAP credential caching
274
Enable the ability for a switch RADIUS server to cache user credentials, in the event that the AD server is not reachable, if the user has previously authenticated
• Check Enable RADIUS Server Credentials Caching
• Do not save yet…
Lab: Switch Active Directory Integration
13. Assign server certificate
275
Optional Settings > RADIUS Settings: Assign the switch RADIUS server to the newly created switch server certificate and key
• CA Cert File: Default_CA.pem
• Server Cert File: switch-X_key_cert.pem
• Server Key File: switch-X_key_cert.pem
• Key File Password & confirm password: aerohive123
• Click Save

Lab: Switch Active Directory Integration
14. Verify the RADIUS service object
276
• Ensure that the Aerohive AP RADIUS Service is set to: switch-radius-X
• Do not save yet…

Lab: Switch Active Directory Integration
15. Set Static IP address on MGT0 interface
277
• Expand MGT0 Interface Settings
• Select Static IP
• Static IP Address: 10.5.1.7X
X = student number: 02 = 72, 03 = 73… 12 = 82, 13 = 83
• Netmask: 255.255.255.0
• Default Gateway: 10.5.1.1
Note: Aerohive devices that function as a server must have a static IP address.

Lab: Switch Active Directory Integration
16. Save the switch settings
278
• Click Save
NOTE: Your Aerohive switch will have an icon displayed showing that it is a RADIUS server.
QUESTIONS?
SSID FOR 802.1X/EAP AUTHENTICATION USING AEROHIVE DEVICE RADIUS WITH AD KERBEROS INTEGRATION
280

Lab: Switch RADIUS w/ AD Integration
1. Edit your WLAN Policy and Add SSID Profile
281
Configure an SSID that uses 802.1X/EAP with AD (Kerberos) Integration
• Select the Configure Interfaces & User Access bar
• Next to SSIDs click Choose
• In Choose SSIDs
› Select New

Lab: Switch RADIUS w/ AD Integration
2. Configure an 802.1X/EAP SSID
282
• Profile Name: Class-AD-X
• SSID: Class-AD-X
• Under SSID Access Security select WPA/WPA2 802.1X (Enterprise)
• Click Save
Lab: Switch RADIUS w/ AD Integration
3. Select new Class-AD-X SSID
283
• Click to deselect the Class-PSK-X SSID
• Ensure the Class-AD-X SSID is selected (high­lighted)
• Click OK

Lab: Switch RADIUS w/ AD Integration
4. Create a RADIUS object
284
• Under Authentication, click <RADIUS Settings>
• In Choose RADIUS, click New

Lab: Switch RADIUS w/ AD Integration
5. Define the RADIUS Server IP settings
285
• RADIUS Name: SWITCH-RADIUS-X
• IP Address/Domain Name: 10.5.1.7X (02 = 72, 03 = 73… 12 = 82, 13 = 83)
• Leave the Shared Secret empty
NOTE: When the Aerohive device is a RADIUS server, devices in the same Hive automatically generate a shared secret
• Click Apply (click Apply when done!)
• Click Save
Lab: Switch RADIUS w/ AD Integration
6. Select User Profiles
286
• Verify that under Authentication, SWITCH-RADIUS-X is assigned
• Under User Profile click Add/Remove

Lab: Switch RADIUS w/ AD Integration
7. Assign User Profile as Default for the SSID
287
• In the Default tab, select (highlight) the Employee-Default user profile
• IMPORTANT: This user profile will be assigned if no attribute value is returned from RADIUS after successful authentication, or if attribute value 1 is returned.
• Click the Authentication tab

Lab: Switch RADIUS w/ AD Integration
8. Assign User Profile to be Returned by RADIUS Attribute
288
• In the Authentication tab
• Select (highlight) Employee-X
› NOTE: The (User Profile Attribute) is appended to the User Profile Name
• Click Save

Lab: Switch RADIUS w/ AD Integration
9. Verify and Continue
289
• Ensure Employee-Default-1 and Employee-X user profiles are assigned to the Class-AD-X SSID
• Click Continue, or click the bar to Configure & Update Devices
Lab: Switch RADIUS w/ AD Integration
10. Upload the config to the switch and AP
290
In the Configure & Update Devices section
• Select the Filter: Current Policy
• Select your devices
• Click Update

Lab: Switch RADIUS w/ AD Integration
10. Upload the config to the switch and AP
291
• Select Update Devices
• Select Perform a complete configuration update for all selected devices
• Click Update
For this class, ALL updates should be Complete configuration updates

Lab: Switch RADIUS w/ AD Integration
11. Upload the config to the switch and AP
292
• Should the Reboot Warning box appear, select OK
QUESTIONS?
CLIENT ACCESS PREPARATION - DISTRIBUTING CA CERTIFICATES TO WIRELESS CLIENTS
294

LAB: Exporting CA Cert for Server Validation
1. Go to HiveManager from the Remote PC
295
• From the VNC connection to the hosted PC, open a connection to:
› For HM 1 – 10.5.1.20
› For HM 2 – 10.5.1.23
› For HM 3 – 10.5.1.20
› For HM 5 – 10.5.1.20
• Login with: adminX
• Password: aerohive123
NOTE: Here you are accessing HiveManager via the PC's Ethernet connection

LAB: Exporting CA Cert for Server Validation
2. Download Default CA Certificate to the Remote PC
296
NOTE: The HiveManager Root CA certificate should be installed on the client PCs that will be using the RADIUS service on the Aerohive device for 802.1X authentication
• From the Remote PC, go to Configuration, then click Show Nav > Advanced Configuration > Keys and Certificates > Certificate Mgmt
• Select Default_CA.pem
• Click Export
LAB: Exporting CA Cert for Server Validation
3. Rename HiveManager Default CA Cert
297
• Export the public root Default_CA.pem certificate to the Desktop of your hosted PC
› This is NOT your Aerohive AP server certificate; this IS the HiveManager public root CA certificate
• Rename the extension of the Default_CA.pem file to Default_CA.cer
› This way, the certificate will automatically be recognized by Microsoft Windows
• Click Save (make the certificate name Default_CA.cer, with Save as type: All Files)

LAB: Exporting CA Cert for Server Validation
4. Install HiveManager Default CA Cert
298
• Find the file that was just exported to your hosted PC
• Double-click the certificate file on the Desktop: Default_CA
• Click Install Certificate
Issued to: HiveManager
This is the name of the certificate if you wish to find it in the certificate store, or if you want to select it in the Windows supplicant PEAP configuration.
LAB: Exporting CA Cert for Server Validation
5. Finish certificate installation
299
• In the Certificate Import Wizard click Next
• Click Place all certificates in the following store
• Click Browse

LAB: Exporting CA Cert for Server Validation
6. Select Trusted Root Certification Authorities
300
• Click Trusted Root Certification Authorities
• Click OK
• Click Next

LAB: Exporting CA Cert for Server Validation
7. Finish Certificate Import
301
• Click Finish
• Click Yes
• Click OK

LAB: Exporting CA Cert for Server Validation
8. Verify certificate is valid
302
• Click OK to close the certificate
• Double-click Default_CA to reopen the certificate
• You will see that the certificate is valid, and that it is valid from a start date to an end date
• Click the Details tab

LAB: Exporting CA Cert for Server Validation
9. View the Certificate Subject
303
• In the details section, view the certificate Subject
• This Subject: HiveManager is what will appear in the list of trusted root certification authorities in your supplicant (Protected EAP (PEAP) Properties in the 802.1X client), configured later in this lab.
QUESTIONS?
For Windows 7 Supplicants
CONFIGURING AND TESTING YOUR 802.1X SUPPLICANT
305

Lab: Testing Switch RADIUS w/ AD Integration
1. Connect to Secure Wireless Network
306
On the hosted PC, from the bottom task bar, click the wireless networks icon
• Click Class-AD-X
• Click Connect
• A Windows security alert should appear; click Details to verify this certificate is from HiveManager, then click Connect
› server-2 is the AP cert, and HiveManager is the trusted CA

Lab: Testing Switch RADIUS w/ AD Integration
2. View Active Clients
307
• After associating with your SSID, you should see your connection in the active clients list in HiveManager
› Go to Monitor > Client > Wireless Clients
• IP Address: 10.5.1.#
• User Name: DOMAINuser
• VLAN: 1
• User Profile Attribute: 1
NOTE: User Profile Attribute is the Employee-Default-1 user profile for the SSID. This user profile is being assigned because no User Profile Attribute Value was returned from RADIUS.
QUESTIONS?
MAPPING ACTIVE DIRECTORY MEMBEROF ATTRIBUTE TO USER PROFILES
309

Aerohive AP as a RADIUS Server - Using AD Member Of for User Profile Assignment
310
• In your Network policy, you defined an SSID with two user profiles
› Employees(1)-1 – Set if no RADIUS attribute is returned
» This user profile, for example, is for general employee staff, and they get assigned to VLAN 1
› Employee(10)-X – Set if a RADIUS attribute is returned
» This user profile, for example, is for privileged employees, and they get assigned to VLAN 10
• Because the switch RADIUS server is using AD to authenticate the users, and AD does not return RADIUS attributes, how can we assign users to different user profiles?
• Though AD does not return RADIUS attributes, it does return other attribute values, like MemberOf, which is a list of AD groups to which the user belongs
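An added example (not the product's code) that models the flow this section describes: the switch RADIUS server authenticates the user against AD, reads the user's memberOf list, and emits a user profile attribute only when one of the groups is mapped; the AP then applies the SSID's default profile when no attribute (or attribute 1) comes back. The directory contents, the attribute name, and the "first mapped group wins" rule are assumptions made for this example.

```python
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class AdUser:
    password: str          # clear text only so the example runs offline; AD never exposes this
    member_of: List[str]   # the memberOf attribute: DNs of the groups the user belongs to


# Constructed stand-in for the ah-lab.local directory that the switch RADIUS server queries.
DIRECTORY: Dict[str, AdUser] = {
    "user2@ah-lab.local": AdUser("Aerohive1", [
        "CN=Wireless,CN=Users,DC=AH-LAB,DC=LOCAL",
        "CN=Domain Users,CN=Users,DC=AH-LAB,DC=LOCAL",
    ]),
    "user3@ah-lab.local": AdUser("Aerohive1", [
        "CN=Domain Users,CN=Users,DC=AH-LAB,DC=LOCAL",
    ]),
}

# The manual LDAP-group -> user-profile mapping from the lab: CN=Wireless maps to
# Employee-X, whose user profile attribute is 10.
GROUP_TO_ATTRIBUTE: Dict[str, int] = {"CN=Wireless,CN=Users,DC=AH-LAB,DC=LOCAL": 10}

# User profiles on the Class-AD-X SSID: the default (attribute 1, VLAN 1) and Employee-X (10, VLAN 10).
SSID_DEFAULT_PROFILE: Tuple[str, int] = ("Employee-Default", 1)
SSID_PROFILES: Dict[int, Tuple[str, int]] = {10: ("Employee-X", 10)}   # attribute -> (name, VLAN)

ATTRIBUTE_KEY = "user-profile-attribute"   # placeholder name for the vendor attribute


def normalize_dn(dn: str) -> str:
    """AD DNs are case-insensitive and may carry spaces around '=' and ','; canonicalize them."""
    parts = [p.strip() for p in dn.split(",")]
    return ",".join("=".join(x.strip() for x in p.split("=", 1)) for p in parts).lower()


def authenticate(user: str, password: str) -> bool:
    """Stand-in for the Kerberos/LDAP bind the real server performs against AD."""
    entry = DIRECTORY.get(user)
    if entry is None:
        return False
    return hmac.compare_digest(entry.password.encode(), password.encode())


def user_profile_attribute(user: str) -> Optional[int]:
    """Walk the user's memberOf list; the first mapped group wins (an assumption of this model)."""
    mapping = {normalize_dn(g): attr for g, attr in GROUP_TO_ATTRIBUTE.items()}
    for group in DIRECTORY[user].member_of:
        attr = mapping.get(normalize_dn(group))
        if attr is not None:
            return attr
    return None   # no mapped group: the server returns no user profile attribute


def radius_access(user: str, password: str) -> Tuple[str, Dict[str, int]]:
    """What the switch RADIUS server hands back to the AP for one 802.1X/EAP attempt."""
    if not authenticate(user, password):
        return "Access-Reject", {}
    attr = user_profile_attribute(user)
    return "Access-Accept", ({} if attr is None else {ATTRIBUTE_KEY: attr})


def ssid_assignment(response: Tuple[str, Dict[str, int]]) -> Optional[Tuple[str, int]]:
    """AP side: the user profile (name, VLAN) for the client, or None when it was rejected."""
    code, attrs = response
    if code != "Access-Accept":
        return None
    attr = attrs.get(ATTRIBUTE_KEY)
    if attr is None or attr == SSID_DEFAULT_PROFILE[1]:
        return SSID_DEFAULT_PROFILE   # no attribute, or attribute 1: the SSID's default profile
    # an attribute matching no configured profile also falls back to the default (assumption)
    return SSID_PROFILES.get(attr, SSID_DEFAULT_PROFILE)


if __name__ == "__main__":
    for user in DIRECTORY:
        reply = radius_access(user, "Aerohive1")
        print(user, reply, ssid_assignment(reply))
```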
Instructor Only: Confirm User is a member of the Wireless AD Group
311
• Right-click the username userX and click Properties
• Click on the Member Of tab
• The user account userX should belong to the Wireless AD Group
• Click OK

Lab: Use AD to Assign User Profile
1. Map memberOf attribute to user profile
312
• From Configuration, Show Nav > Advanced Configuration > Authentication > Aerohive AAA Server Settings > SR-radius-X
• Expand Database Settings
• Check LDAP server attribute Mapping
• Select Manually map LDAP user groups to user profiles
• LDAP User Group Attribute: memberOf
• Domain: dc=AH-LAB,dc=LOCAL
• Click + to expand the LDAP tree

Lab: Use AD to Assign User Profile
2. Add group to user profile mapping
313
• Expand the tree structure to locate the LDAP group
› Expand CN=Users
› Select CN=Wireless
• For Maps to, from the drop-down list, select the user profile: Employee-X (the group maps to Employee(10)-X)
• Click Apply
• The mapping appears below the LDAP directory
• Click Save
NOTE: The CN in Active Directory does not have to match the name of the user profile; this is just by choice, not necessity.
Lab: Use AD to Assign User Profile
3. Update devices
314
• Select Update Devices
• Select Perform a complete configuration update for all selected devices
• Click Update
For this class, ALL updates should be Complete configuration updates

Lab: Use AD to Assign User Profile
4. Update devices
315
• Should the Reboot Warning box appear, select OK

Lab: Use AD to Assign User Profile SSID
5. Disconnect and Reconnect to the Class-AD SSID
316
To test the mapping of the memberOf attribute to your user profile
• Disconnect from the Class-AD-X SSID
• Connect to the Class-AD-X SSID

Lab: Use AD to Assign User Profile SSID
6. Verify your active client settings
317
• From Monitor > Clients > Active Clients
› Your client should now be assigned to
» IP Address: 10.5.10.#
» User Profile Attribute: 10
» VLAN: 10
NOTE: In the previous lab, without the LDAP group mapping, the user was assigned to attribute 1 in VLAN 1
QUESTIONS?
AEROHIVE SWITCHES AS BRANCH ROUTERS
319

Medium Size Branch or Regional Office
• SR2024 as Branch Router
› Line Rate Layer 2 Switch
› 8 Ports of PoE
› Multi-authentication access ports
» 802.1X with fallback to MAC auth or open
› Client Visibility
» View client information by port
› RADIUS Server
› Routing between local VLANs
› Layer 3 IPSec VPN
› NAT for Subnets through VPN
› NAT port forwarding on WAN
› DHCP Server
› USB 3G/4G Backup
› and more…
[Diagram: PoE SR2024 connecting APs to the Internet]
Provides Access For:
• Employees
• Guests
• Contractors
• Phones
• APs
• Servers

For Wireless, Switching, and Routing
CREATE A ROUTING NETWORK POLICY – YOU CAN CLONE YOUR EXISTING ACCESS POLICY
321
Lab: Add Routing to Network Policy
1. Edit existing policy
322
• From Configuration,
• Next to your Network policy: Access-X
• Click the sprocket icon
• Click Edit

Lab: Add Routing to Network Policy
2. Select Branch Routing
323
Add the option for Branch Routing to your Network Policy
• Check Branch Routing so you have:
› Wireless Access
› Switching
› Branch Routing
› Bonjour Gateway
• Click Save
• Click OK
• NOTE: Enabling Branch Routing:
» Enables L3 VPN Configuration
» Disables L2 VPN Configuration
» Enables L3 Router Firewall Policy
» Enables Policy-Based Routing with Identity
» Enables Router configuration settings in Additional Settings
© 2013 Aerohive Networks CONFIDENTIAL
CLONE SWITCH DEVICE
TEMPLATE AS SWITCH AND ADD
NEW SWITCH DEVICE TEMPLATE
AS BRANCH ROUTER
324
© 2013 Aerohive Networks CONFIDENTIAL
Lab: Create a Switch Template for Routing
1. Select and clone your existing device template
325
• Next to Device Templates, click Choose
• Select your SR2024-Default-X device template (configured as switch)
• Click the sprocket icon
• Click Clone
© 2013 Aerohive Networks CONFIDENTIAL
Lab: Create a Switch Template for Routing
2. Define router function of the device template
326
• Click Device Models
• Notice all the devices for which you can create templates when the network policy includes routing
• Ensure that SR2024 is selected
• Click OK
© 2013 Aerohive Networks CONFIDENTIAL
Lab: Create a Switch Template for Routing
3. Define router function of the device template
327
• Name: SR2024-Router-Default-X
• Change the function to Router
• Click Save
© 2013 Aerohive Networks CONFIDENTIAL
Lab: Create a Switch Template for Routing
4. Select both templates
328
• Ensure both of your SR2024 policies are selected.
• Click OK
• Hide the SR2024-Default-X (Switch) template
• Expand the SR2024-Router-Default-X (Router) template
© 2013 Aerohive Networks CONFIDENTIAL
Lab: Create a Switch Template for Routing
5. Remove configuration of existing uplink ports
329
Next you can change your uplink ports and add a WAN port instead
• Select ports 23 and 24, and click Configure
• Remove the port type by clicking on the port type you have selected to ensure it is no longer highlighted
• Click OK
• Click OK again to the Warning
© 2013 Aerohive Networks CONFIDENTIAL
Examples of templates for other devices
330
BR200-WP
AP330 as Router
© 2013 Aerohive Networks CONFIDENTIAL
CONFIGURE ROUTER WAN PORTS
- PORTS THAT CONNECT TO THE
INTERNET AND PROVIDE NAT
331
© 2013 Aerohive Networks CONFIDENTIAL
Router WAN Ports
• SR2024 as Branch Router WAN Port example
[Diagram: three WAN uplinks on the SR2024]
› Corp ISP (Fast) – WAN Primary
› DSL – WAN Backup 1
› USB Wireless – WAN Backup 2
© 2013 Aerohive Networks CONFIDENTIAL
Lab: Create a Switch Template for Routing
1. Add necessary WAN port for router
333
• Select Port 23 and Port 24 (USB is always a WAN port)
• Click Configure
Note: You can have up to 3 WAN ports: 1 primary and 2 backup. Two ports can be Ethernet, and one can be USB. If you select multiple ports as WAN ports, you can select which ones are primary and backup in the switch specific settings.
When the switch is a router, you must configure at least one port as a WAN port.
© 2013 Aerohive Networks CONFIDENTIAL
Lab: Create a Switch Template for Routing
2. Add necessary WAN port for router
334
• Click New
• Name: WAN-X
• Select WAN
• Click Save
• With WAN-X selected, click OK
© 2013 Aerohive Networks CONFIDENTIAL
Lab: Create a Switch Template for Routing
3. Review WAN port settings
335
• The USB Port, Port 23, and Port 24 will now display a WAN (Cloud) icon (USB does not display the cloud icon in this version of code)
© 2013 Aerohive Networks CONFIDENTIAL
Lab: Create a Switch Template for Routing
4. Save your Network Policy
336
• From the Configure Interfaces & User
Access bar, click Save
© 2013 Aerohive Networks CONFIDENTIAL
Note: Switch Port Settings
To be configured later, not now.
337
• At a later point in this lab, you will configure the priority of the WAN ports for primary and backup
Switch Settings: These will be configured later.
© 2013 Aerohive Networks CONFIDENTIAL
PORT TYPES
338
© 2013 Aerohive Networks CONFIDENTIAL
6.0 Network Policy
339
Besides the addition of the WAN port, all port types are identical in network policies with and without branch routing selected!
This means the same port types can be used in both switching (layer 2) and branch routing (layer 3) network policies.
© 2013 Aerohive Networks CONFIDENTIAL
VLAN-TO-SUBNET ASSIGNMENTS
FOR ROUTER INTERFACES
340
© 2013 Aerohive Networks CONFIDENTIAL
VLAN-to-subnet assignments
for router interfaces
341
• If the network policy is configured with Routing, then for every
VLAN configured for SSIDs or port types, you must define the
IP subnets that will be assigned to the branch routers or
switches as branch routers
• The VLANs are automatically populated from the VLANs
assigned to user profiles for SSIDs and port types
• If you have additional VLANs to define, you can click Add
© 2013 Aerohive Networks CONFIDENTIAL
Network and Sub Networks
Internal Use
• HiveManager assigns a unique subnet from the network to each router, including the DHCP settings
[Diagram: HQ with Cloud VPN Gateway and Network 10.102.0.0/16; three BR100 branch routers connected over the Internet, one sub network each]
Sub Network 10.102.0.0/24
DHCP: IP Range 10.102.0.10 – 10.102.0.244
Default Gateway: 10.102.0.1
DNS: 10.102.0.1 (Router is DNS Proxy)
Sub Network 10.102.1.0/24
DHCP: IP Range 10.102.1.10 – 10.102.1.244
Default Gateway: 10.102.1.1
DNS: 10.102.1.1 (Router is DNS Proxy)
Sub Network 10.102.2.0/24
DHCP: IP Range 10.102.2.10 – 10.102.2.244
Default Gateway: 10.102.2.1
DNS: 10.102.2.1 (Router is DNS Proxy)
342
© 2013 Aerohive Networks CONFIDENTIAL
Networks and Hosts Per Network
A Little Bit of Subnet Theory – Yay!
Calculating a network using an IP address and a netmask
Conversion chart between binary and decimal:
  Bit position:    2^7  2^6  2^5  2^4  2^3  2^2  2^1  2^0
  Decimal value:   128   64   32   16    8    4    2    1
  Example:           0    0    0    0    1    0    1    0   = 8 + 2 = 10
When you assign IP addresses, you can determine how many networks and how many hosts per network you need.
Example: Create subnets for network 10.102.0.0/16
                                 8 bits   8 bits   8 bits   8 bits
  IP Address in binary:          00001010.01100110.00000000.00000000
  Netmask in binary:           x 11111111.11111111.11111111.00000000
  Multiply each column (AND):    00001010.01100110.00000000.00000000
  Convert back to decimal:             10.     102.       0.       0
                                 |--- IP Network ---|  Subnet |  Hosts  |
  Subnet: 8 bits = 256 subnets      Hosts: 8 bits = 256 hosts – 2 = 254
© 2013 Aerohive Networks CONFIDENTIAL
Networks and Hosts Per Network
IP Address Management
Example 1: Move Subnet slider bar to 256 Branches
Network Mask: /16   Subnet Mask: /24
                                 8 bits   8 bits   8 bits   8 bits
  IP Address in binary:          00001010.01100110.00000000.00000000
  Netmask in binary:           x 11111111.11111111.11111111.00000000
  Multiply each column (AND):    00001010.01100110.00000000.00000000
  Convert back to decimal:             10.     102.       0.       0
                                 |--- IP Network ---|  Subnet |  Hosts  |
  Subnet: 8 bits = 256 branches     Hosts: 8 bits = 256 clients/branch – 3 = 253
Note: HiveManager lets you reserve the first or last IP in the subnets as the default gateway for the subnet.
344
© 2013 Aerohive Networks CONFIDENTIAL
Networks and Hosts Per Network
Automatic Subnet Creation
                                 8 bits   8 bits   8 bits   8 bits
  IP Address in binary:          00001010.01100110.00000000.00000000
  Netmask in binary:           x 11111111.11111111.11111111.00000000
  Multiply each column (AND):    00001010.01100110.00000000.00000000
  Convert back to decimal:             10.     102.       0.       0
                                 |--- IP Network ---|  Subnet |  Hosts  |
Subnets created (third octet in binary = subnet number, then the host range):
  10.102.00000000 = 10.102.0.x     hosts 1-254
  10.102.00000001 = 10.102.1.x     hosts 1-254
  10.102.00000010 = 10.102.2.x     hosts 1-254
  10.102.00000011 = 10.102.3.x     hosts 1-254
  10.102.00000100 = 10.102.4.x     hosts 1-254
  10.102.00000101 = 10.102.5.x     hosts 1-254
  10.102.00000110 = 10.102.6.x     hosts 1-254
  10.102.00000111 = 10.102.7.x     hosts 1-254
  10.102.00001000 = 10.102.8.x     hosts 1-254
  ..
  10.102.11111111 = 10.102.255.x   hosts 1-254
345
© 2013 Aerohive Networks CONFIDENTIAL
Networks and Hosts Per Network
IP Address Management
Example 2: Move Subnet slider bar to 512 Branches
Network Mask: /16   Subnet Mask: /25
                                 8 bits   8 bits   9 bits    7 bits
  IP Address in binary:          00001010.01100110.00000000.00000000
  Netmask in binary:           x 11111111.11111111.11111111.10000000
  Multiply each column (AND):    00001010.01100110.00000000.00000000
  Convert back to decimal:             10.     102.       0.       0
                                 |--- IP Network ---|   Subnet   | Hosts |
  (the ninth subnet bit is the high bit of the fourth octet)
  Subnet: 9 bits = 512 branches     Hosts: 7 bits = 128 clients/branch – 3 = 125
Note: HiveManager lets you reserve the first or last IP in the subnets as the default gateway for the subnet.
346
© 2013 Aerohive Networks CONFIDENTIAL
Networks and Hosts Per Network
Automatic Subnet Creation
                                 8 bits   8 bits   9 bits    7 bits
  IP Address in binary:          00001010.01100110.00000000.00000000
  Netmask in binary:           x 11111111.11111111.11111111.10000000
  Multiply each column (AND):    00001010.01100110.00000000.00000000
  Convert back to decimal:             10.     102.       0.       0
                                 |--- IP Network ---|   Subnet   | Hosts |
Subnets created (third octet plus the high bit of the fourth octet = subnet number, then the host range):
  10.102.00000000.0 = 10.102.0.0       hosts 1-126
  10.102.00000000.1 = 10.102.0.128     hosts 129-254
  10.102.00000001.0 = 10.102.1.0       hosts 1-126
  10.102.00000001.1 = 10.102.1.128     hosts 129-254
  10.102.00000010.0 = 10.102.2.0       hosts 1-126
  10.102.00000010.1 = 10.102.2.128     hosts 129-254
  10.102.00000011.0 = 10.102.3.0       hosts 1-126
  10.102.00000011.1 = 10.102.3.128     hosts 129-254
  10.102.00000100.0 = 10.102.4.0       hosts 1-126
  ..
  10.102.11111111.1 = 10.102.255.128   hosts 129-254
347
© 2013 Aerohive Networks CONFIDENTIAL
© 2013 Aerohive Networks CONFIDENTIAL
LAB: Assign VLAN-to-subnet – router
interfaces
349
• If the network policy is configured with Routing, then for every
VLAN configured for SSIDs or port types, you must define the
IP subnets that will be assigned to the branch routers or
switches as branch routers
• The VLANs are automatically populated from the VLANs
assigned to user profiles for SSIDs and port types
• If you have additional VLANs to define, you can click Add
© 2013 Aerohive Networks CONFIDENTIAL 350
LAB: Assign VLAN-to-subnet – router interfaces
1. Select VLAN 10 and create network
• Next to VLAN 10, click Choose
• Click New
© 2013 Aerohive Networks CONFIDENTIAL 351
LAB: Assign VLAN-to-subnet – router interfaces
2. Create internal employee network
• Name: Net-Employee-1XX (XX=02,03,..15,16)
• Web Security: None
• DNS Service: Class
• Network Type: Internal Use
• Do not save yet
© 2013 Aerohive Networks CONFIDENTIAL
Note: DNS Service Objects
352
NOTE: This Quick Start DNS Service object sets clients to use the router interface IP as the DNS server, and will proxy the DNS requests to the DNS server learned statically or by DHCP on the WAN interface. Separate DNS servers can also be used for internal and external domain resolution.
© 2013 Aerohive Networks CONFIDENTIAL 353
LAB: Assign VLAN-to-subnet – router interfaces
3. Create internal employee network
• Click NEW to create a parent network
© 2013 Aerohive Networks CONFIDENTIAL 354
LAB: Assign VLAN-to-subnet – router interfaces
4. Define the Parent Network and subnetworks
• IP Network: 10.1XX.0.0/16
• Move the slider bar to select 256 branches and 253 clients per branch
NOTE: This is the parent network that will be partitioned to create a number of IP subnets determined by moving the slider bar. The slider bar is used to set the number of branches vs. clients per branch, which defines the subnet mask for each subnet.
Moving the slider bar changes the number of bits in the subnet mask.
The clients per branch = 253 in this case because 1 IP is reserved for the router, and then 0 and 255 are not used.
© 2013 Aerohive Networks CONFIDENTIAL 355
LAB: Assign VLAN-to-subnet – router interfaces
5. Enable DHCP
• Check Enable DHCP server
• For the DHCP Address Pool, move the slider bar to reserve 10 IP addresses at the start of the address pool that can be defined statically.
NOTE: In most cases, the router will be the DHCP server. However, if it is not, you can disable the DHCP service and this network definition will only be used to configure the router interface IP addresses.
Please do not save yet!!!
© 2013 Aerohive Networks CONFIDENTIAL
Note: Custom Options Example
356
• Note that you can define custom DHCP options if needed
• For example, you can set the custom DHCP options for the hostname of HiveManager (option 225) or the IP address of HiveManager (option 226), or options required by certain IP phones
© 2013 Aerohive Networks CONFIDENTIAL
DEFINE SPECIFIC SUBNETS FOR
EACH SITE BY USING DEVICE
CLASSIFICATION
357
© 2013 Aerohive Networks CONFIDENTIAL
What is the goal?
• Define subnets from the IP address space to specific sites
• For example, define the subnets that will be used for Site-1a and Site-1b, but let HiveManager allocate one for Site-1c
[Diagram: Network 10.101.0.0/16 at HQ; three BR100 branch routers (Site-1a, Site-1b, Site-1c) connected over the Internet]
Site-1a – Sub Network 10.101.1.0/24
DHCP: IP Range 10.101.1.11 – 10.101.1.254
Default Gateway: 10.101.1.1
Site-1b – Sub Network 10.101.2.0/24
DHCP: IP Range 10.101.2.11 – 10.101.2.254
Default Gateway: 10.101.2.1
Site-1c – Sub Network 10.101.25.0/24
DHCP: IP Range 10.101.25.11 – 10.101.25.254
Default Gateway: 10.101.25.1
© 2013 Aerohive Networks CONFIDENTIAL 359
LAB: Assign VLAN-to-subnet – router interfaces
1. Define subnet to be assigned to Site-Xa
By default, each branch router will be assigned one subnet from the Local IP Address Space
• To define specific subnets of the Local IP address space to assign to sites
› Check Allocate local subnetworks by specific IP addresses at sites and click
• IP Address: 10.1XX.1.1 (XX=01,02,03,..18)
• Type: Device Tag
• Tag1: Site-Xa (Xa=2a,3a,4a,..,18a)
• Click Apply
© 2013 Aerohive Networks CONFIDENTIAL 360
LAB: Assign VLAN-to-subnet – router interfaces
2. Define subnet to be assigned to Site-Xb
Define the next subnet
• Click New
• IP Address: 10.1XX.2.1
• Type: Device Tag
• Tag1: Site-Xb (Xb = 2b, 3b, 4b,..,18b)
• Click Apply
• Click Save
Note: You can specify up to 256 tags
© 2013 Aerohive Networks CONFIDENTIAL
LAB: Assign VLAN-to-subnet – router interfaces
3. Save the Network
361
Verify you have all the settings needed for the network
• DNS: Class
• Network Type: Internal Use
• Subnetwork: 10.1XX.0.0/16
• Verify the IP Allocation Statements
• Click Save
Note: (T) = True, or match the tag
(F) = False, and no match required
Here you can see: 10.102.1.1 must have a router with Tag1 set to: Site-2a, and 10.102.2.1 must have a router with Tag1 set to: Site-2b.
© 2013 Aerohive Networks CONFIDENTIAL 362
LAB: Assign VLAN-to-subnet – router interfaces
4. Choose the Network
• Ensure your policy is highlighted and click OK
© 2013 Aerohive Networks CONFIDENTIAL 363
Note: Device Classification Settings On Your Device
Device Specific Settings
• In a later lab, you will need to define Device Classification Tag1 on your switch with the same entry that was used in the network configuration: Site-Xa
© 2013 Aerohive Networks CONFIDENTIAL
What did you just do?
• You specified that certain sites had or will require specific IP addresses in them, for example Site-1a (10.101.1.1) and Site-1b (10.101.2.1)
› These can be any IP in the subnet. We chose the IP of the default gateways.
• Therefore HiveManager will allocate the subnets that match the IP addresses that are specified for two of the sites
[Diagram: Network 10.101.0.0/16 at HQ; three BR100 branch routers (Site-1a, Site-1b, Site-1c) connected over the Internet]
Site-1a – Sub Network 10.101.1.0/24
DHCP: IP Range 10.101.1.11 – 10.101.1.254
Default Gateway: 10.101.1.1
Site-1b – Sub Network 10.101.2.0/24
DHCP: IP Range 10.101.2.11 – 10.101.2.254
Default Gateway: 10.101.2.1
Site-1c – Sub Network 10.101.25.0/24
DHCP: IP Range 10.101.25.11 – 10.101.25.254
Default Gateway: 10.101.25.1
*This subnet was chosen by HiveManager because an IP at the site was not defined.
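The subnet theory slides (branches slider, 256 − 3 = 253 clients per branch) and the device-classification allocation above can be checked with a small model. The following Python is an added example, not HiveManager or Aerohive code; it assumes that unreserved routers get the lowest free subnet (HiveManager's own ordering is not documented here, it picked 10.101.25.0/24 on the slide) and that the first usable IP of each subnet is the router's default gateway.

```python
"""Model of parent-network partitioning and IP Allocation Statements as
described in the ACNP slides (added example, not Aerohive code)."""
import ipaddress
import math
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

NetLike = Union[str, ipaddress.IPv4Network]


@dataclass
class Branch:
    """One branch router as seen under Device Classification (Tag1)."""
    name: str
    tag1: Optional[str] = None


@dataclass
class SubnetPlan:
    """What gets pushed to one router interface: subnet, gateway, DHCP pool."""
    subnet: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    dhcp_start: ipaddress.IPv4Address
    dhcp_end: ipaddress.IPv4Address
    clients: int  # usable client IPs once gateway, network and broadcast are removed


def subnet_prefix_for_branches(parent: NetLike, branches: int) -> int:
    """The branches slider fixes the subnet mask length: 256 branches from a
    /16 need 8 subnet bits (/24), 512 branches need 9 (/25)."""
    net = ipaddress.ip_network(parent)
    prefix = net.prefixlen + math.ceil(math.log2(branches))
    if prefix > 30:
        raise ValueError("too many branches for this parent network")
    return prefix


def plan_subnet(subnet: NetLike, reserve_first: int = 10) -> SubnetPlan:
    """Build one router interface definition from a subnet.

    As on the slides: the first usable IP is the router (default gateway),
    network and broadcast are never used, and the DHCP pool slider reserves
    the first `reserve_first` usable IPs (gateway included) for static
    assignment, so a /24 pool runs .11 - .254.
    """
    hosts = list(ipaddress.ip_network(subnet).hosts())  # no network/broadcast
    gateway = hosts[0]
    clients = len(hosts) - 1      # 256 - 3 = 253 for a /24, 128 - 3 = 125 for a /25
    pool = hosts[reserve_first:]
    if not pool:
        raise ValueError(f"{subnet}: nothing left for DHCP after reservations")
    return SubnetPlan(ipaddress.ip_network(subnet), gateway, pool[0], pool[-1], clients)


def allocate(parent: NetLike, branches_slider: int, statements: Dict[str, str],
             routers: List[Branch]) -> Dict[str, SubnetPlan]:
    """Assign one subnet of the parent network to every router.

    `statements` are the IP Allocation Statements: an IP inside the parent
    network mapped to the Tag1 a router must carry to receive the subnet
    containing that IP. Routers with no matching tag are allocated
    dynamically from the subnets no statement has claimed.
    """
    net = ipaddress.ip_network(parent)
    subnets = list(net.subnets(new_prefix=subnet_prefix_for_branches(net, branches_slider)))
    reserved: Dict[str, ipaddress.IPv4Network] = {}
    for ip_str, tag in statements.items():
        ip = ipaddress.ip_address(ip_str)
        if ip not in net:
            raise ValueError(f"allocation statement {ip} is outside {net}")
        reserved[tag] = next(s for s in subnets if ip in s)
    free = [s for s in subnets if s not in reserved.values()]
    assigned: Dict[str, SubnetPlan] = {}
    taken = set()
    for r in routers:
        chosen = reserved.get(r.tag1) if r.tag1 else None
        if chosen is None:
            if not free:
                raise ValueError("parent network exhausted: raise the branches slider")
            chosen = free.pop(0)   # assumption: lowest free subnet goes first
        if chosen in taken:        # two routers carrying the same site tag
            raise ValueError(f"{chosen} already assigned; duplicate Tag1 {r.tag1!r}")
        taken.add(chosen)
        assigned[r.name] = plan_subnet(chosen)
    return assigned


# Constructed sample mirroring the "What is the goal?" slide: Site-1a and
# Site-1b are pinned by allocation statements, Site-1c is allocated dynamically.
PARENT = "10.101.0.0/16"
STATEMENTS = {"10.101.1.1": "Site-1a", "10.101.2.1": "Site-1b"}
ROUTERS = [Branch("BR100-1a", "Site-1a"), Branch("BR100-1b", "Site-1b"), Branch("BR100-1c")]

if __name__ == "__main__":
    for name, p in allocate(PARENT, 256, STATEMENTS, ROUTERS).items():
        print(f"{name}: {p.subnet} gateway {p.gateway} "
              f"DHCP {p.dhcp_start} - {p.dhcp_end} ({p.clients} clients)")
```

The duplicate-tag check is the failure mode to watch for in practice: two routers with the same Tag1 would otherwise be handed the same subnet.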
© 2013 Aerohive Networks CONFIDENTIAL
ADD NETWORKS FOR
THE OTHER VLANS
365
© 2013 Aerohive Networks CONFIDENTIAL
Add More Networks
366
• Create networks for VLAN 2 and VLAN 8
• If the VLAN is not in the list, click Add
› Enter the VLAN
› Then proceed to configuring the networks
© 2013 Aerohive Networks CONFIDENTIAL 367
LAB: Assign VLAN-to-subnet – router interfaces
1. Select VLAN 2 and create network
• Next to VLAN 2, click Choose
• Click New
© 2013 Aerohive Networks CONFIDENTIAL 368
LAB: Assign VLAN-to-subnet – router interfaces
2. Create internal voice network
• Create another Internal Network for VLAN 2: 10.2XX.0.0-Voice-X
• Web Security: None
• DNS service: Class
• Network Type: Internal Use
• Do not save yet
© 2013 Aerohive Networks CONFIDENTIAL 369
LAB: Assign VLAN-to-subnet – router interfaces
3. Create internal voice network
• Click NEW to create a parent network
© 2013 Aerohive Networks CONFIDENTIAL 370
LAB: Assign VLAN-to-subnet – router interfaces
4. Define the Parent Network and subnetworks
• IP Network: 10.2XX.0.0/16
• Move the slider bar to select 256 branches and 253 clients per branch
NOTE: This is the parent network that will be partitioned to create a number of IP subnets determined by moving the slider bar. The slider bar is used to set the number of branches vs. clients per branch, which defines the subnet mask for each subnet.
Moving the slider bar changes the number of bits in the subnet mask.
The clients per branch = 253 in this case because 1 IP is reserved for the router, and then 0 and 255 are not used.
© 2013 Aerohive Networks CONFIDENTIAL 371
LAB: Assign VLAN-to-subnet – router interfaces
5. Enable DHCP
• Check Enable DHCP server
• For the DHCP Address Pool, move the slider bar to reserve 10 IP addresses at the start of the address pool that can be defined statically.
• Click Save
NOTE: In most cases, the router will be the DHCP server. However, if it is not, you can disable the DHCP service and this network definition will only be used to configure the router interface IP addresses.
© 2013 Aerohive Networks CONFIDENTIAL 372
LAB: Assign VLAN-to-subnet – router interfaces
6. Verify and save the Subnetwork
• Click Save
• Ensure your policy is highlighted and click OK
© 2013 Aerohive Networks CONFIDENTIAL
Networks for Guest Use
• All guest stations at each branch office use the same IP subnet
• All guest traffic destined to the Internet is network address translated to the unique IP address of the router WAN interface
[Diagram: HQ with Cloud VPN Gateway and a Guest Use network; three BR100 branch routers connected over the Internet, each serving the same guest network behind a different WAN address]
Network 192.168.83.0/24 (Guest Use), identical at every branch:
DHCP: IP Range 192.168.83.10 – 192.168.83.244
Default Gateway: 192.168.83.1
DNS: 192.168.83.1 (Router is DNS Proxy)
Branch WAN addresses in the diagram: 2.1.1.20, 2.50.33.5, 1.3.2.90
© 2013 Aerohive Networks CONFIDENTIAL 374
LAB: Assign VLAN-to-subnet – router interfaces
7. Select VLAN 8 and create guest network
• Next to VLAN 8, click Choose
• Click New
© 2013 Aerohive Networks CONFIDENTIAL 375
LAB: Assign VLAN-to-subnet – router interfaces
8. Create the Guest network
• Name: 192.168.83.0-Guest-X
• Web Security: None
• DNS Service: Class
• Network Type to: Guest Use
• Guest Use Network: 192.168.83.0/24
• DHCP Address Pool, reserve the first 10
• Check Enable DHCP server
NOTE: Devices assigned to a Guest Use network are restricted from accessing the corporate VPN or from initiating communication to corporate devices
© 2013 Aerohive Networks CONFIDENTIAL 376
LAB: Assign VLAN-to-subnet – router interfaces
9. Save the Guest network
• Verify your settings
• Click Save
• Click OK
© 2013 Aerohive Networks CONFIDENTIAL
Verify Subnet Assignments for
Router Interfaces
377
• You should have a network defined for each of
the VLANs specified
© 2013 Aerohive Networks CONFIDENTIAL 378
LAB: Assign VLAN-to-subnet – router interfaces
10. Save your Network Policy
• From the Configure Interfaces & User Access bar, click Save
© 2013 Aerohive Networks CONFIDENTIAL
CHANGE SSID PROFILES
379
© 2013 Aerohive Networks CONFIDENTIAL
Lab: Change SSID Profiles
1. Change SSIDs
380
• Configure Interface & User Access
• Next to SSIDs, click: Choose
© 2013 Aerohive Networks CONFIDENTIAL
Lab: Change SSID Profiles
2. Select Class-PSK-X SSID
381
• Click to deselect the AD-X SSID
• Ensure the Class-PSK-X SSID is selected
• Click OK
Ensure Class-PSK-X is highlighted, then click OK
© 2013 Aerohive Networks CONFIDENTIAL
Lab: Change SSID Profiles
3. Verify settings
382
• Verify settings
• Click Continue
© 2013 Aerohive Networks CONFIDENTIAL
CREATING FILTERS
383
© 2013 Aerohive Networks CONFIDENTIAL
Lab: Device Filters
1. From Configure & Update Devices
384
Create filters to limit the number of devices displayed
• Click the Configure & Update Devices bar
• Next to Filter, click +
© 2013 Aerohive Networks CONFIDENTIAL
Lab: Device Filters
2. Create a filter
385
You can create and save filters based on a lot of criteria
• For this filter
› Set the Device Model to SR2024
› Set the hostname to: SR-XX-
› XX is your two digit student ID: 02-15
› Do not forget the dash – at the end; this will ensure your student ID is the match
• For Remember This Filter, enter: XX-switch-router
• Click Search
© 2013 Aerohive Networks CONFIDENTIAL
Lab: Device Filters
3. View your Real and Simulated Switch/Routers
386
• We will be using real and simulated devices in this lab
• With the filter selected, you will see your real, and
simulated switch/routers that all start with SR-XX-
© 2013 Aerohive Networks CONFIDENTIAL
UPDATE THE DEVICE
CONFIGURATION
OF YOUR SWITCH/ROUTERS
387
© 2013 Aerohive Networks CONFIDENTIAL 388
Lab: Update your Switch Configuration
1. Modify your switch
• Check next to your switch SR-XX-#######
• Click Modify
© 2013 Aerohive Networks CONFIDENTIAL 389
Lab: Update your Switch Configuration
2. Change switch to function as a router
Make the following settings
• Device Function: Router (IMPORTANT)
• Location: First-Name_Last-Name
• Network Policy: Access-X
• When the warning box appears, click: OK
• Do NOT save yet
© 2013 Aerohive Networks CONFIDENTIAL 390
Lab: Update your Switch Configuration
3. Specify the Device Classification Tag1
Set the Device Classification Tag1 so that this device will be assigned to networks with matching tag definitions
• Under Device Classification
› Tag1: Site-Xa
Note: The tag you entered in the network will automatically show up in the list
• Do NOT save yet
© 2013 Aerohive Networks CONFIDENTIAL 391
Lab: Update your Switch Configuration
4. Change WAN port priority settings
• Expand Interface and Network Settings
• Set the following priorities:
› USB WAN: Backup2
› Eth1/23 WAN: Backup1
› Eth1/24 WAN: Primary (Please verify that 1/24 is Primary)
• Ensure NAT is enabled on the WAN Interfaces
• Do Not save yet
NOTE: Check Enable NAT
© 2013 Aerohive Networks CONFIDENTIAL
Lab: Update your Switch Configuration
5. Disable RADIUS services
392
Remove the RADIUS object from earlier lab
• Under Optional Settings, expand Service Settings
• Uncheck ☐Enable the router as a RADIUS Server
© 2013 Aerohive Networks CONFIDENTIAL
Lab: Update Router Configuration
6. Save your device settings
393
• Click Save
© 2013 Aerohive Networks CONFIDENTIAL 394
Lab: Update Router Configuration
7. Update your device settings
• Select Routers to select all three routers
• Click Update
© 2013 Aerohive Networks CONFIDENTIAL 395
Lab: Update Router Configuration
7. Update your device settings
• Select Update Devices
• Select Perform a complete configuration update for all selected devices
• Click Update
For this class, ALL Updates should be Complete configuration updates
© 2013 Aerohive Networks CONFIDENTIAL 396
Lab: Update Router Configuration
8. Update your device settings
• Should the Reboot Warning box appear, select OK
© 2013 Aerohive Networks CONFIDENTIAL
VIEW SUBNET ALLOCATION
REPORT
397
© 2013 Aerohive Networks CONFIDENTIAL
© 2013 Aerohive Networks CONFIDENTIAL
Lab: Subnet Allocation Report
1. View the IP addresses assigned to the routers
399
• From Monitor, in the navigation tree, click Subnetwork Allocation
• Under Network Name, select Network-1XX
• From the 10.102.0.0/16 parent network, a different subnet and DHCP Pool was allocated to each branch router.
Note: One subnet was assigned via classification. The others were assigned dynamically.
© 2013 Aerohive Networks CONFIDENTIAL
CLI ROUTER COMMANDS
400
© 2013 Aerohive Networks CONFIDENTIAL
SHOW L3 INTERFACE
401
From Monitor > Utilities > SSH Client:
show L3 interface
© 2013 Aerohive Networks CONFIDENTIAL
TEST WIRELESS LAN ACCESS
402
© 2013 Aerohive Networks CONFIDENTIAL 403
Lab: Test Wireless LAN Access
1. Connect your computer to the SSID: Class-PSK-X
• Single-click the wireless icon on the bottom right corner of the Windows task bar
• Click your SSID Class-PSK-X
• Click Connect
› Security Key: aerohive123
› Click OK
© 2013 Aerohive Networks CONFIDENTIAL
Lab: Test Wireless LAN Access
2. View your client information in Wireless Clients
404
• View your client in the Active Clients list by going to: Monitor > Clients > Wireless Clients
• Notice the VLAN and network address
© 2013 Aerohive Networks CONFIDENTIAL
TEST WIRED LAN SECURE
ACCESS
405
© 2013 Aerohive Networks CONFIDENTIAL 406
Lab: Test LAN Port Access - Secure
1. View your client information in Active Clients
• View your client in the Active Clients list by going to: Monitor > Clients > Wired Clients
• Notice the VLAN and network address and client authentication method
© 2013 Aerohive Networks CONFIDENTIAL
Lab: Test LAN Port Access
2. Disable 802.1X for wired clients
407
• In Windows 7, you must enable 802.1X support
• As an administrator, from the start menu type services
• Then click services
© 2013 Aerohive Networks CONFIDENTIAL
Lab: Test LAN Port Access
3. Disable 802.1X for wired clients
408
• Click the Standard tab on the bottom of the services panel
• Locate Wired AutoConfig and right-click
• Click Properties
© 2013 Aerohive Networks CONFIDENTIAL
Lab: Test LAN Port Access
4. Disable 802.1X for wired clients
409
• Startup type: Disabled
• Click Stop
© 2013 Aerohive Networks CONFIDENTIAL
Lab: Test LAN Port Access
5. Disable 802.1X for wired clients
410
• Click OK
© 2013 Aerohive Networks CONFIDENTIAL
Lab: Test LAN Port Access
6. Clear wired client cache
411
• Monitor/Clients/Operation:
Deauth Client
• Check  Clear Cache
• Click OK
• Click Yes
© 2013 Aerohive Networks CONFIDENTIAL
Lab: Test LAN Port Access
7. Clear wired client cache
412
• Monitor/Clients/Operation:
Deauth Client
• Check  Clear Cache
• Click OK
• Click Yes
© 2013 Aerohive Networks CONFIDENTIAL
Lab: Test LAN Port Access
8. Reset Ethernet adapter
413
Because the PC has the wrong IP it will not work; you can remedy this by:
• Right click on Local Area Connection 3
• Click Diagnose
or
• Disable then Enable Local Area Connection 3
• Do NOT Disable Local Area Connection 2
© 2013 Aerohive Networks CONFIDENTIAL
Lab: Test LAN Port Access
9. Verify Auth Fail – Guest Network
414
• Locate Local Area Connection 3
• Right click
• Click Status
• Click Details
• Why do you see an IP from the 192.168.83.0 subnet?
› This is the guest network that is assigned if authentication is not supported or fails
© 2013 Aerohive Networks CONFIDENTIAL
ROUTE-BASED IPSEC VPN
© 2013 Aerohive Networks CONFIDENTIAL
Aerohive Layer 2 VPN
416
[Diagram: Headquarters and Remote Site connected over the Internet by a Layer 2 VPN]
Layer 2 VPN client devices: AP-100 series, AP-300 series, BR-100 (AP mode)
Layer 2 VPN server devices: AP-300 series (128 tunnels), VPN Gateway Virtual Appliance (L2 Gateway mode, 1024 tunnels)
Note: Layer 2 VPNs are taught in the Aerohive Certified WLAN Professional (ACWP) class
© 2013 Aerohive Networks CONFIDENTIAL
Aerohive Layer 3 VPN
417
[Diagram: Headquarters and Remote Site connected over the Internet by a Layer 3 VPN]
Layer 3 VPN client devices: BR-100 router, BR-200 router, AP 330/350 (router mode), Aerohive switch (router mode)
Layer 3 VPN server: VPN Gateway (L3 Gateway mode), 1024 tunnels
© 2013 Aerohive Networks CONFIDENTIAL
Aerohive Route-Based IPSec VPN Components
418
[Diagram: VPN Gateway VA at headquarters with BR100, BR200, HiveAP 330, HiveAP 350 and an Aerohive Switch, each configured as a Router, as its VPN clients]
• VPN Gateway VA: a HiveOS-based Layer 3 IPSec VPN server that is a Virtual Appliance which runs on VMware ESXi. 1 VA supports up to 1024 IPSec VPN tunnels.
• Aerohive Routers (BR100, BR200, HiveAP 330 and HiveAP 350 configured as a Router, Aerohive Switch configured as a Router) are Layer 3 IPSec VPN clients, and provide DHCP, DNS Proxy, route synchronization, and RADIUS service, along with many other features.
© 2013 Aerohive Networks CONFIDENTIAL
Corporate VPN – HiveManager Allocates Unique Network Settings For Each Site
[Diagram: HQ VPN Gateway in front of the Corporate Network 10.1.0.0/16; the HQ Branch Network 172.28.0.0/16 is split into one Branch Network per BR100 router across the Internet]
Sub Network 172.28.0.0/24
DHCP: IP Range 172.28.0.10 – 172.28.0.244
Default Gateway: 172.28.0.1
DNS: 172.28.0.1 (Router is DNS Proxy)
Sub Network 172.28.1.0/24
DHCP: IP Range 172.28.1.10 – 172.28.1.244
Default Gateway: 172.28.1.1
DNS: 172.28.1.1 (Router is DNS Proxy)
Sub Network 172.28.2.0/24
DHCP: IP Range 172.28.2.10 – 172.28.2.244
Default Gateway: 172.28.2.1
DNS: 172.28.2.1 (Router is DNS Proxy)
© 2013 Aerohive Networks CONFIDENTIAL
Corporate VPN – HiveManager Allocates Unique Network Settings For Each Site
• Each router builds a VPN to one or two VPN Gateways
• Routes are synchronized between the routers and VPN Gateways over the VPN using a TCP-based route exchange mechanism
[Diagram: HQ VPN Gateway in front of the Corporate Network 10.1.0.0/16; three BR100 branch routers with Branch Networks 172.28.0.0/24, 172.28.1.0/24 and 172.28.2.0/24 connected over the Internet]
© 2013 Aerohive Networks CONFIDENTIAL
Route-based VPN
• Routers (VPN clients) ask the VPN Gateway for updated route information and provide their own route changes over the VPN tunnel every minute by default using a TCP request
[Diagram: HQ VPN Gateway with Corporate Network 10.1.0.0/16; three BR100 branch routers reached over the Internet through Tunnel A, Tunnel B and Tunnel C]
VPN Gateway routing table:
  Route: 10.1.0.0/16 to Corp Router
  Route: 172.28.0.0/24 to VPN tunnel A
  Route: 172.28.1.0/24 to VPN tunnel B
  Route: 172.28.2.0/24 to VPN tunnel C
  Route: 0.0.0.0/0 to Internet Gateway
Branch router on Tunnel A – Local network: 172.28.0.0/24
  Route: 10.1.0.0/16 through VPN tunnel
  Route: 172.28.1.0/24 through VPN tunnel
  Route: 172.28.2.0/24 through VPN tunnel
  Route: 0.0.0.0/0 to Internet Gateway
Branch router on Tunnel B – Local network: 172.28.1.0/24
  Route: 10.1.0.0/16 through VPN tunnel
  Route: 172.28.0.0/24 through VPN tunnel
  Route: 172.28.2.0/24 through VPN tunnel
  Route: 0.0.0.0/0 to Internet Gateway
Branch router on Tunnel C – Local network: 172.28.2.0/24
  Route: 10.1.0.0/16 through VPN tunnel
  Route: 172.28.0.0/24 through VPN tunnel
  Route: 172.28.1.0/24 through VPN tunnel
  Route: 0.0.0.0/0 to Internet Gateway
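To make the route exchange on this slide concrete, here is an added Python model (not Aerohive's route-exchange protocol or code): each branch announces its Internal Use subnets and pulls the gateway's list, the gateway keeps one route per tunnel, and the Guest Use subnet shared by every branch stays out of the exchange because guest traffic is NATed on the WAN port. The message shape, tunnel names and addresses are constructed, and the overlap check is an added safeguard rather than a documented HiveOS feature.

```python
"""Model of route synchronization between branch routers and a VPN Gateway
(added example, not Aerohive code)."""
import ipaddress
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network
Route = Tuple[str, str]   # (destination prefix, next hop) as written on the slide


class VpnGateway:
    """Gateway side: the corporate routes plus one route list per IPSec tunnel."""

    def __init__(self, corporate: List[str]) -> None:
        self.corporate = [ipaddress.ip_network(c) for c in corporate]
        self.tunnels: Dict[str, List[Net]] = {}

    def update(self, tunnel: str, announced: List[Net]) -> List[Route]:
        """Serve one periodic request from a branch: store what it announces,
        reject overlaps (they would black-hole traffic for another site), and
        return the routes the branch must reach through its tunnel."""
        others = [(t, n) for t, nets in self.tunnels.items() if t != tunnel for n in nets]
        for n in announced:
            for c in self.corporate:
                if n.overlaps(c):
                    raise ValueError(f"{n} on tunnel {tunnel} overlaps corporate network {c}")
            for t, o in others:
                if n.overlaps(o):
                    raise ValueError(f"{n} on tunnel {tunnel} overlaps {o} on tunnel {t}")
        self.tunnels[tunnel] = list(announced)
        routes = [(str(c), "VPN tunnel") for c in self.corporate]
        routes += [(str(n), "VPN tunnel") for _, n in others]
        return routes

    def routing_table(self) -> List[Route]:
        table = [(str(c), "Corp Router") for c in self.corporate]
        for t, nets in self.tunnels.items():
            table += [(str(n), f"VPN tunnel {t}") for n in nets]
        return table + [("0.0.0.0/0", "Internet Gateway")]


class BranchRouter:
    """Branch side: only Internal Use networks are announced; the Guest Use
    network is NATed on the WAN interface and never enters the VPN."""

    def __init__(self, name: str, networks: Dict[str, str]) -> None:
        self.name = name
        self.networks = {ipaddress.ip_network(n): kind for n, kind in networks.items()}
        self.table: List[Route] = []

    def announced(self) -> List[Net]:
        return [n for n, kind in self.networks.items() if kind == "Internal Use"]

    def sync(self, gw: VpnGateway, tunnel: str) -> List[Route]:
        """One request/response cycle (every minute by default on the slide)."""
        learned = gw.update(tunnel, self.announced())
        local = [(str(n), "local") for n in self.networks]
        self.table = local + learned + [("0.0.0.0/0", "Internet Gateway")]
        return self.table


GUEST = "192.168.83.0/24"   # identical guest subnet at every branch, as on the slides


def build_lab() -> Tuple[VpnGateway, List[BranchRouter]]:
    """Constructed sample: the three branches of the slide. Two sync rounds are
    run so the first branch also learns subnets announced after its first pull."""
    gw = VpnGateway(corporate=["10.1.0.0/16"])
    branches = [
        BranchRouter("BR100-A", {"172.28.0.0/24": "Internal Use", GUEST: "Guest Use"}),
        BranchRouter("BR100-B", {"172.28.1.0/24": "Internal Use", GUEST: "Guest Use"}),
        BranchRouter("BR100-C", {"172.28.2.0/24": "Internal Use", GUEST: "Guest Use"}),
    ]
    for _ in range(2):
        for br, tunnel in zip(branches, ("A", "B", "C")):
            br.sync(gw, tunnel)
    return gw, branches


if __name__ == "__main__":
    gateway, routers = build_lab()
    for br in routers:
        print(br.name, br.table)
    print("gateway", gateway.routing_table())
```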
© 2013 Aerohive Networks CONFIDENTIAL
VPN GATEWAY VIRTUAL
APPLIANCE
422
© 2013 Aerohive Networks CONFIDENTIAL
VPN Gateway Virtual Appliance
General Information
423
• What is a VPN Gateway Virtual Appliance?
› It is a virtualized version of HiveOS that runs on VMware ESXi
which supports IPSec VPN service, and routing protocols
• How do you upgrade a VPN Gateway VA?
› VAs can be upgraded using a standard HiveOS software
upgrade from HiveManager, TFTP, or SCP
• How many interfaces does a VPN Gateway VA have? Two
»WAN – used to terminate the VPN from the router VPN
clients, and can be used as a one-armed VPN where it
connects to both the branch networks through the VPN, and
the internal corporate networks.
»LAN – an optional interface that can be used to connect to
an internal network and be the gateway IP address for
corporate traffic to access branch networks through the VPN
© 2013 Aerohive Networks CONFIDENTIAL
VPN Gateway Virtual Appliance on
VMware (ESXi)
424
• The VA uses the HiveOS, and looks just like an AP when
you log in to it
© 2013 Aerohive Networks CONFIDENTIAL
VPN Gateway
Deployment Scenarios – Two Interfaces
425
• VPN Gateway with two interfaces configured
› The LAN interface is connected to the inside network
» Traffic from the inside network destined for an IP address in a branch office is sent to the LAN interface on the VPN Gateway to be encrypted and sent through a VPN to a branch office
» Routing protocols, OSPF or RIPv2, can be run on the LAN interface so that the VPN Gateway can exchange routes with the inside network router
› The WAN interface is connected to the DMZ or outside network and is used to terminate the VPNs
[Diagram: Headquarters inside Router – VPN Gateway LAN (Eth1) Interface; VPN Gateway WAN (Eth0) Interface in the DMZ behind the Firewall; IPSec VPN across the Internet to the Branch Office]
VPN Gateway
Deployment Scenarios – One Interface
426
• VPN Gateway with one interface configured (one-armed)
› The WAN interface is connected to a firewall interface in the DMZ
» Traffic from the inside network destined for an IP address in a branch office is sent to the firewall, which forwards it to the VPN Gateway as the next hop to the branch office routers
» The VPN Gateway encrypts the traffic and sends it back to the firewall, destined for a branch office router
» You can enter static routes, or run a dynamic routing protocol, OSPF or RIPv2, on the WAN interface to exchange routes with the firewall
[Diagram: Headquarters – inside router (traffic in the clear) – firewall – VPN Gateway WAN (Eth0) interface in the DMZ – Internet – IPSec VPN – branch office router]
Router IPSec VPN Lab
Uses a Single VPN Gateway Interface
427
• In the training lab, the VPN Gateways learn routes via OSPF from the firewall, which are: 10.5.2.0/24, 10.5.8.0/24, and 10.5.10.0/24
• The firewall learns the routes to all the branch office routers from the VPN Gateways via OSPF
• The branch office routers exchange their routes with their VPN Gateways
[Diagram: Headquarters – switch and inside network – firewall – DMZ with the VPN Gateways – Internet – IPSec VPN – branch office]
Firewall inside bridge group interface: 10.5.1.1 (Port1, Port2)
Firewall outside interface: eth0/0 – 1.2.2.1/24, NAT 1.2.2.X to 10.200.2.X
HiveManager: 10.5.1.20
VPN Gateway WAN interface: Eth0 – 10.200.2.X/24, gateway 10.200.2.1, X = 2, 3, ..., 14, 15
Branch office: internal network 10.102.1.0/24, public address 2.1.1.10
THE NEXT STEPS ARE FOR EXAMPLE ONLY. DO NOT DOWNLOAD THE VPN GATEWAY VA IMAGES IN CLASS, OTHERWISE IT WILL TAKE TOO LONG
428
Example Only: Download the HiveOS-VA
Image From HiveManager
429
• Please do not download in class!
› To download the VPN Gateway Virtual Appliance image from HiveManager, go to Configuration > All Devices
› Click Update > Advanced > Download HiveOS Virtual Appliance
Example Only: Download the HiveOS-VA
Image From HiveManager
430
› Save the VPN Gateway VA image to a directory of your choice on your hard drive
› Note: the default name is AH_HiveOS.ova, but you can rename the file if you like
If time permits the instructor will demonstrate the process
THE NEXT STEPS ARE FOR EXAMPLE ONLY. DO NOT DEPLOY A VPN GATEWAY IN CLASS; YOUR VPN GATEWAY VA IMAGES HAVE ALREADY BEEN DEPLOYED
431
VPN Gateway Virtual Appliance
Recommended Hardware Configuration
432
[Table: VPN Gateway Virtual Appliance Recommended Hardware Configurations]
Example Only: Deploy a VPN Gateway in
VMware ESXi
433
• From the VMware vSphere client, log in to your ESX/ESXi server
• Go to File > Deploy OVF Template
• Locate the AH_HiveOS.ova file and click Open
Example Only: Deploy a VPN Gateway in
VMware ESXi
434
• With the AH_HiveOS.ova file selected, click Next
Example Only: Deploy a VPN Gateway in
VMware ESXi
435
• View the product information and ensure you have enough disk space for a thick-provisioned install
› Note: thick provisioning reserves all the disk space needed during the install
• Click Next
Example Only: Deploy a VPN Gateway in
VMware ESXi
436
• Provide a name for the VPN Gateway, for example: HiveOS-VAXX, where XX = 02, 03, ..., 14, 15
› Note: it is a good idea to keep this name relatively short so it fits better in the vSphere client display
• Click Next
Example Only: Deploy a VPN Gateway VA in
VMware ESXi
437
• Select Thick Provisioned Lazy Zeroed
› Note: you can choose Eager Zeroed, but it will take more time because it fills the complete disk space with zeros; lazy zeroing fills only as space is needed
• Click Next
Example Only: Deploy a VPN Gateway in
VMware ESXi
438
In this example the VPN Gateways will only use the WAN interface, so you can use the same destination network (virtual switch port group) for both
• Select VM Network for the WAN and LAN interfaces
• Click Next
Example Only: Deploy a VPN Gateway in
VMware ESXi
439
• Optionally, check the box to Power on after deployment
• Click Finish
Example Only: Deploy a VPN Gateway in
VMware ESXi
440
In a moment, the new VPN Gateway will be up and running
• Click Close when the deployment has completed successfully
EXAMPLE: INITIAL CONFIGURATION OF A VPN GATEWAY VIRTUAL APPLIANCE
441
Example Only: Initial configuration
of a VPN Gateway Virtual Appliance
442
• In the vSphere console for the new VPN Gateway Virtual Appliance
› Type 1 to change the Network Settings and press Enter
Example Only: Initial configuration
of a VPN Gateway Virtual Appliance
443
• Type 2 to manually configure interface settings and press Enter
Example Only: Initial configuration
of a VPN Gateway Virtual Appliance
444
• The startup CLI wizard is used to set the IP address of the WAN interface on the VA
• The VPN Gateway VA needs Internet access to reach the license server and obtain a valid, unique serial number
• IP for eth0: 10.200.2.X
• Netmask length: [24]
• Gateway: 10.200.2.1
• DNS: 8.8.8.8
• Apply changes: Yes
Example Only: Initial configuration
of a VPN Gateway Virtual Appliance
445
• The VPN Gateway will check its connection to its default gateway and to the Aerohive license server
• For the question "Do you want to reset the networking?" press Enter, or type no and press Enter
Example Only: Initial configuration
of a VPN Gateway Virtual Appliance
446
• When a VPN Gateway VA is purchased, Aerohive generates an activation code and associates it with a unique serial number
• You will be emailed your activation code
• When the activation code is entered, the VPN Gateway VA contacts the Aerohive license server and obtains the serial number associated with the activation code
• Optionally you can use an HTTP proxy
Example Only: Initial configuration
of a VPN Gateway Virtual Appliance
447
• If the activation code is valid, the VPN Gateway VA obtains a valid and unique serial number
• You must then reboot the VPN Gateway by pressing Enter, or by typing yes and then Enter
Example Only: Initial configuration
of a VPN Gateway Virtual Appliance
448
• After the VPN Gateway VA has rebooted, you can log in with:
› Login: admin
› Password: aerohive
› These are the factory defaults; change the admin password before the VA is reachable from anything other than the lab network
• Enter a hostname if you like:
› hostname HiveOS-VA-X
• If the serial number of the VPN Gateway has not been entered into myhive, you can configure the location of its HiveManager:
› capwap client server name 10.5.1.20
• Save the configuration:
› save config
Example Only: Initial configuration
of a VPN Gateway Virtual Appliance
449
• Just like on an Aerohive AP or router, you can verify CAPWAP status by typing:
› show capwap client
• After a minute, the run state should show that the VPN Gateway is connected securely to the CAPWAP server
• The CAPWAP server IP should be your HiveManager IP: 10.5.1.20
Example Only: Initial configuration
of a VPN Gateway Virtual Appliance
450
Your new VPN Gateway will be displayed in Monitor > VPN Gateways
LAB: CREATE A ROUTE-BASED LAYER 3 IPSEC VPN
451
Lab: Create a Route-Based IPSec VPN
1. Create a Layer 3 IPSec VPN
452
To create a route-based IPSec VPN:
• Go to Configuration
• Select your network policy, Access-X, and click OK
• Next to Layer 3 IPSec VPN, click Choose
• In Choose VPN Profile, click New
Lab: Create a Route-Based IPSec VPN
2. Assign your VPN Gateway to the VPN policy
453
• Enter a profile name, VPN-X, and choose Layer 3 IPSec VPN
• For VPN Gateway, select Hive-OS-VA-XX from the drop-down
• External IP address of the VA: 1.2.2.X
• X = your student number
› Note: the external IP is the public address the routers will contact to reach the Virtual Appliance (the firewall NATs 1.2.2.X to the VA's WAN address 10.200.2.X)
• Click Apply
Lab: Create a Route-Based IPSec VPN
3. Certificate settings
454
Optionally you can add an additional VA for disaster recovery
• Expand IPSec VPN Certificate Authority Settings
• VPN Certificate Authority: Default_CA.pem
• VPN Server Certificate: VPN-cert_key_cert.pem
• VPN Server Cert Private Key: VPN-cert_key_cert.pem
Note: the server certificates for the VPN were created in the HiveManager Certificate Authority
Lab: Create a Route-Based IPSec VPN
4. Verify VPN Settings, Then Go To Configure & Update
455
• Verify the Layer 3 IPSec VPN settings
Note: the WAN IP and protocol will be updated after the configuration update is performed
• Click Configure & Update Devices
Example: Dynamic Routing on the VA
With OSPF or RIPv2
456
• In a one-armed configuration, OSPF or RIPv2 can be enabled on the WAN interface to dynamically learn routes from the network (e.g. the firewall), and to advertise the routes it learns from the branch sites to the network (e.g. the firewall)
[Diagram: Headquarters – firewall – DMZ with the VA – Internet – branch office BR100 with subnetwork 10.102.1.0/24]
VA WAN interface: Eth0 – 10.200.2.X/24, gateway 10.200.2.1, OSPF area 0.0.0.0 (same as area 0)
Firewall inside interfaces:
bgroup0: 10.5.1.1/24, VLAN 1, OSPF area 0
bgroup0.2: 10.5.2.1/24, VLAN 2, OSPF area 0
bgroup0.8: 10.5.8.1/24, VLAN 8, OSPF area 0
bgroup0.10: 10.5.10.1/24, VLAN 10, OSPF area 0
Example: Routes Learned via OSPF and
Between the VA and Branch Routers
457
[Diagram: Headquarters – firewall – DMZ with the VA – Internet – IPSec VPN to Branch Office 1 (BR100, subnetwork 10.102.1.0/24)]
VA WAN interface: Eth0 – 10.200.2.2/24, gateway 10.200.2.1, OSPF area 0.0.0.0 (same as area 0)
VA routes to Branch 1 (through the VPN): 10.102.1.0/24
VA routes to the network (learned via OSPF from the firewall): 10.5.1.0/24, 10.5.2.0/24, 10.5.8.0/24 and 10.5.10.0/24 to 10.200.2.1; 0.0.0.0/0 to 10.200.2.1
Firewall inside interfaces: bgroup0 10.5.1.1/24 (VLAN 1), bgroup0.2 10.5.2.1/24 (VLAN 2), bgroup0.8 10.5.8.1/24 (VLAN 8), bgroup0.10 10.5.10.1/24 (VLAN 10), all in OSPF area 0
Firewall route to Branch 1: 10.102.1.0/24 to 10.200.2.2
Branch Office 1 routes to Headquarters through the VPN: 10.5.1.0/24, 10.5.2.0/24, 10.5.8.0/24 and 10.5.10.0/24 to VPN
Branch Office 1 local routes: 0.0.0.0/0 to Internet
Note: Aerohive uses a TCP-based mechanism through the VPN tunnel to check for route updates between branch sites and the VPN Gateways every minute by default.
Lab: Create a Route-Based IPSec VPN
5. Modify the settings for your VPN Gateway
458
• Choose the Current Policy filter
• Under L3 VPN Gateway, click the link to modify your VPN Gateway: HiveOS-VA-XX
Lab: Create a Route-Based IPSec VPN
6. Modify the IP settings on the VPN Gateway
459
• By default the management network is set to the Quick Start management network: QS-MGT-172.18.0.0
• Set the IP address of the Eth0 (WAN) interface: 10.200.2.X/24, X = 2, 3, ..., 14, 15
• Set the default gateway: 10.200.2.1
• Do not save yet
Lab: Create a Route-Based IPSec VPN
7. Enable OSPF on the VPN Gateway
460
• Check the box Enable dynamic routing and select OSPF
• Check Eth0 (WAN) so that the WAN interface runs OSPF and can advertise routes to, and learn routes from, the network
• Uncheck Eth1 (LAN), because the eth1 interface is not in use
• Use the default area, 0.0.0.0 (which is the same as area 0)
• Click Save
Note: Internal Networks – Required if a
Dynamic Routing Protocol is Not Enabled
461
• If the VPN Gateway is configured with static routes, or just has a single default gateway to a router, you specify which networks to advertise to the branch office networks as Internal Networks
• Any Internal Network defined here is advertised to the branch office networks through the VPN tunnels, so the branch office routers know which networks to route through the VPN to headquarters
Lab: Create a Route-Based IPSec VPN
8. Upload the Configuration of Your Devices
462
• Select the filter: Current Policy
• Select all your devices
• Click Update
Lab: Create a Route-Based IPSec VPN
9. Upload the Configuration of Your Devices
463
• Select Update Devices
• Select Perform a complete configuration update for all selected devices
• Click Update
For this class, ALL updates should be complete configuration updates
Lab: Create a Route-Based IPSec VPN
10. Upload the Configuration of Your Devices
464
• When the Reboot Warning box appears, click OK
Lab: Create a Route-Based IPSec VPN
11. Wait for the update to complete and verify the VPN
465
When the VPN Server and Client icons are green, the VPN is up.
VPN TROUBLESHOOTING
466
LAB: VPN Troubleshooting
1. Aerohive device VPN Diagnostics
467
• Go to Monitor > Devices > All Devices
• Select one of the VPN devices: SR-0X-######
• Click Utilities... > Diagnostics > Show IKE Event
• Verify that both Phase 1 and Phase 2 are successful
LAB: VPN Diagnostics
2. Aerohive device VPN Diagnostics – Phase 1
468
• Select one of the VPN devices: SR-0X-######
• Click Tools... > Diagnostics > Show IKE Event
Possible problems if Phase 1 fails:
• Certificate problems
• Incorrect networking settings
• Incorrect NAT settings on the external firewall
Possible problems if Phase 2 fails:
• Mismatched transform sets between the client and server (encryption algorithm, hash algorithm, etc.)
LAB: VPN Diagnostics
3. Aerohive device VPN Diagnostics – Phase 1
469
• Click Tools... > Diagnostics > Show IKE Event
• If you see that Phase 1 failed due to a certificate problem:
› Check the time on the Aerohive devices; a clock outside the certificate's validity period fails the check
» show clock
» show time
› Ensure the correct certificates are loaded on the Aerohive APs in the VPN services policy
LAB: VPN Diagnostics
4. Aerohive device VPN Diagnostics – Phase 1
470
• Click Tools... > Diagnostics > Show IKE Event
• If you see that Phase 1 failed due to wrong network settings:
› Check the IP settings in the VPN services policy
› Check the NAT settings on the external firewall
LAB: VPN Diagnostics
5. Aerohive device VPN Diagnostics – Phase 1
471
• Click Utilities... > Diagnostics > Show IKE SA
• Phase 1 has completed successfully if you reach step #9
• If step #9 is not established, one of these problems exists:
› Certificate problems
› Incorrect networking settings
› Incorrect NAT settings on the external firewall
LAB: VPN Diagnostics
6. Aerohive device VPN Diagnostics – Phase 2
472
• Click Utilities... > Diagnostics > Show IPSec SA
Note: a VPN is clearly functional if you see the tunnel from the MGT0 IP of the VPN client to the (NAT) address of the MGT0 of the VPN server, and the reverse. The two directions use different SAs (Security Associations).
› State: Mature
• If Phase 2 fails: check the encryption and hash settings on the VPN client and the VPN server
Lab: VPN Diagnostics
7. View the VPN Topology to Verify VPN Status
473
• In the Layer 3 IPSec VPN section, click VPN Topology
• If the devices show up green with a line between them, the VPN is operational
• Click Refresh if the devices are not green after a moment
Please be patient; it will take a minute or two for the VPNs to establish
VERIFY VPN STATUS AND DYNAMIC ROUTING
474
Lab: Verify VPN and Dynamic Routing
2. Open an SSH Session to Your VPN Gateway
475
To verify the routes learned via OSPF:
• Go to Monitor > VPN Gateways
• Check the box next to your HiveOS-VA-XX
• Select Utilities... > SSH Client
Lab: Verify VPN and Dynamic Routing
3. Use CLI Commands to Verify OSPF Routes
476
• show OSPF route (wait about 10 seconds – press Enter twice)
› You should see four OSPF routes in this lab
• show OSPF neighbor (press Enter twice)
› You should see at a minimum the firewall at 209.128.124.196 as a neighbor in the Full/DR state
Lab: Verify VPN and Dynamic Routing
4. View the routes on a branch router
477
To verify the routes learned through the VPN on a branch router:
• Go to Monitor > Routers
• Check the box next to your router: SR-XX-######
• Select Utilities... > Diagnostics > Show IP Routes
Lab: Verify VPN and Dynamic Routing
5. View the routes on a branch router
478
• You should see at a minimum routes to 10.5.1.0/24, 10.5.2.0/24, 10.5.8.0/24, and 10.5.10.0/24, all through the VPN tunnel0 interface
• High metrics are used for routes learned from OSPF and advertised through the VPN, so that if the network also exists locally, the local route is preferred
Note: higher metrics mean more cost and are not preferred
• You will also learn the routes for networks at the other branch sites through the VPN tunnel
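Added example, not part of the Aerohive course material: the route selection described on this slide and in the earlier "Routes Learned via OSPF" example, in Python. It builds the Branch Office 1 table and the one-armed VPN Gateway table from the lab addressing, then resolves destinations by longest prefix first and lowest metric second, so a prefix advertised over the VPN with a high metric loses to the same prefix connected locally. The interface name eth1, the branch WAN gateway 203.0.113.1 and the metric values are assumptions made for the example.

```python
"""Route selection on a branch router and on the VPN Gateway VA: longest
prefix wins, then the lowest metric. Tables are built from the lab addressing
on the slides; interface names other than tunnel0, the branch WAN gateway and
the metric values are assumptions made for this example."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str   # outgoing interface, e.g. "tunnel0", "eth0"
    next_hop: str    # gateway address, or "direct" for connected and tunnel routes
    metric: int      # lower is preferred among equal-length prefixes
    source: str      # "connected", "vpn" (advertised over the tunnel), "ospf", "static"


VPN_METRIC = 1000   # high metric for routes advertised over the VPN (assumed value)


def route(cidr, interface, next_hop, metric, source):
    return Route(ipaddress.IPv4Network(cidr), interface, next_hop, metric, source)


def lookup(table, dst):
    """Best route for dst: longest prefix first, then lowest metric."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in table if addr in r.prefix]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.prefix.prefixlen, r.metric))


def forward_path(table, dst):
    """(interface, next hop, route source) for dst, or None if unroutable."""
    best = lookup(table, dst)
    return None if best is None else (best.interface, best.next_hop, best.source)


def branch_table(local_subnets, hq_subnets, wan_gateway):
    """Branch Office 1 as on the slides: local subnet(s) connected on eth1
    (assumed name), HQ networks learned over the VPN on tunnel0 with a high
    metric, and a default route out the WAN interface eth0."""
    table = [route(s, "eth1", "direct", 0, "connected") for s in local_subnets]
    table += [route(s, "tunnel0", "direct", VPN_METRIC, "vpn") for s in hq_subnets]
    table.append(route("0.0.0.0/0", "eth0", wan_gateway, 1, "static"))
    return table


def gateway_table(branch_subnets, hq_subnets, firewall):
    """The one-armed VPN Gateway VA: each branch subnet via its own tunnel,
    HQ networks and the default route via the firewall (learned by OSPF)."""
    table = [route(s, f"tunnel{i}", "direct", 1, "vpn")
             for i, s in enumerate(branch_subnets, start=1)]
    table += [route(s, "eth0", firewall, 10, "ospf") for s in hq_subnets]
    table.append(route("0.0.0.0/0", "eth0", firewall, 1, "static"))
    return table


HQ_SUBNETS = ["10.5.1.0/24", "10.5.2.0/24", "10.5.8.0/24", "10.5.10.0/24"]
BRANCH1 = branch_table(["10.102.1.0/24"], HQ_SUBNETS, "203.0.113.1")
VA = gateway_table(["10.102.1.0/24", "10.102.2.0/24", "10.102.3.0/24"],
                   HQ_SUBNETS, "10.200.2.1")

if __name__ == "__main__":
    for dst in ("10.5.1.20", "10.102.1.50", "8.8.8.8"):
        print("branch", dst, "->", forward_path(BRANCH1, dst))
    # The same prefix both connected locally and learned over the VPN:
    # the connected route wins on metric, as the slide describes.
    overlap = branch_table(["10.102.1.0/24", "10.5.8.0/24"], HQ_SUBNETS, "203.0.113.1")
    print("branch 10.5.8.5 ->", forward_path(overlap, "10.5.8.5"))
    for dst in ("10.102.2.9", "10.5.10.3", "1.1.1.1"):
        print("VA", dst, "->", forward_path(VA, dst))
```

The ping to 10.5.1.20 in the later WLAN test resolves to tunnel0 here because 10.5.1.0/24 is a longer match than the default route; the overlap case shows why the VPN-advertised routes carry a high metric.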
For Information: This is the OSPF
configuration on the training Juniper SSG
479
ssg5-3-lab-> set vr trust
ssg5-3-lab(trust-vr)-> set protocol OSPF
ssg5-3-lab(trust-vr/OSPF)-> set enable
ssg5-3-lab(trust-vr/OSPF)-> exit
ssg5-3-lab(trust-vr)-> exit
ssg5-3-lab-> set int bgroup0 protocol OSPF area 0
ssg5-3-lab-> set int bgroup0 protocol OSPF enable
ssg5-3-lab-> set int bgroup0.2 protocol OSPF area 0
ssg5-3-lab-> set int bgroup0.2 protocol OSPF enable
ssg5-3-lab-> set int bgroup0.8 protocol OSPF area 0
ssg5-3-lab-> set int bgroup0.8 protocol OSPF enable
ssg5-3-lab-> set int bgroup0.10 protocol OSPF area 0
ssg5-3-lab-> set int bgroup0.10 protocol OSPF enable
TEST WLAN ACCESS THROUGH THE VPN
480
The steps for LAN access are similar
Lab: Test Wireless LAN Access
1. Connect your computer to the SSID: Class-PSK-X
481
• Single-click the wireless icon in the bottom right corner of the Windows task bar
• Click your SSID: Class-PSK-X
• Click Connect
› Security key: aerohive123
› Click OK
Lab: Test WLAN VPN Access
2. Ping a server through the VPN
482
From your PC, ping 10.5.1.20, which is a server in the Santa Clara, California data center
[Diagram: Headquarters – DMZ with the VPN Gateway – Internet – IPSec VPN to Branch Office 1 (BR100)]
Lab: Test WLAN VPN Access
3. View your client information in Wireless Clients
483
• From your virtual PC, connect to HiveManager through the VPN: https://10.5.1.20
• View your client in the Active Clients list by going to Monitor > Clients > Wireless Clients
POLICY-BASED ROUTING (PBR)
484
Not this PBR*: a low-cost American beer that has been around a long time but was not popular. However, over the last few years it has become more popular in bars and grocery stores.
Aerohive Policy-Based Routing
485
• Policy-based routing is used mainly in conjunction with the Layer 3 IPSec VPN tunneling capabilities
› Though it does not require VPN
[Diagram: branch router with Employees and Guests; uplinks to the Internet, to HQ over the VPN, and over 3G/4G/LTE]
Aerohive Policy-Based Routing
486
• Policy-based routing lets you decide how traffic is forwarded out of a router
› Decisions are made based on the IP reachability of tracked IP addresses and on user profiles
› Forwarding can be out any WAN port, USB wireless (3G/4G/LTE), a Wi-Fi connection, or the VPN
[Diagram: branch router with Employees and Guests; uplinks to the Internet, to HQ over the VPN, and over 3G/4G/LTE]
Route-based VPN
Private vs. Internet Traffic
• The three types of routes in a branch office are:
› Private routes – learned over the VPN from the VPN gateway, such as 10.1.0.0/16 in this example
› Branch routes – to other routers in the branch office, which can be advertised to HQ over the VPN tunnel
› Internet routes – essentially the default route 0.0.0.0/0, used to send traffic to the Internet locally from the branch office
[Diagram: HQ corporate network 10.1.0.0/16 (internal) behind a cloud VPN Gateway; Internet; tunnel A to the branch office router BR100]
HQ VPN Gateway routes: 10.1.0.0/16 to Corp Router; 172.28.2.0/24 to VPN tunnel A; 0.0.0.0/0 to Internet Gateway
Branch office routes (local network 172.28.2.0/24): 10.1.0.0/16 through the VPN tunnel; 0.0.0.0/0 to Internet Gateway
POLICY-BASED ROUTING
488
Policy-Based Routing: Custom Rules
Overview of Fields
489
• Forwarding actions determine where to send the packet
• Source and Destination are used to match a packet
Policy-Based Routing: Forwarding and
Backup Forwarding Actions
490
• The backup forwarding action is used when the interface of the forwarding action goes down, or
• when the specific IP addresses tracked with Track IP are not reachable via the interface used for forwarding
LAB: CREATE A WAN IP TRACKING POLICY
491
Track IP for Router WAN Connectivity
492
• Uses ping to track IP addresses you specify on the Internet
› For example, you can track ntp1.aerohive.com (206.80.44.205)
• If no response is received, you can make routing decisions such as failing over to wireless USB (3G/4G LTE)
[Diagram: branch router with Employees and Guests; uplinks to the Internet, to HQ over the VPN, and over 3G/4G LTE; Track IP pings ntp1.aerohive.com 206.80.44.205]
Lab: WAN IP Tracking
1. Create an IP tracking policy
493
To configure policy-based routing:
• Go to Configuration
• Select your network policy, Access-X, and click OK
• Next to Additional Settings, click Edit
Lab: WAN IP Tracking
2. Create an IP tracking policy
494
• Expand Service Settings
• Under Track IP Groups for WAN Interface there are one primary and two backup track IP groups
• Next to Primary, click +
Lab: WAN IP Tracking
3. Create an IP tracking policy
495
• Track IP Group Name: Track-X
• Under Tracking group type, select For WAN interface
• Ensure Enable IP tracking is checked
• For the IP addresses, enter: 8.8.8.8, 4.2.2.2
• Take action when: all targets become unresponsive
• Click Save
Lab: WAN IP Tracking
4. Create an IP tracking policy
496
• In Track IP Groups for WAN Interface, select the Primary Track IP Group: Track-X
• Click Save
• Next you will configure the routing policy
Note: you can specify Track IP Groups for Backup1 and Backup2 as well. The policy-based routing policy determines whether backup1 fails over to backup2, or backup2 to a Wi-Fi client connection, for example.
LAB: CONFIGURE POLICY-BASED ROUTES
497
Lab: Policy-Based Routing
1. Create a Routing Policy
498
• Expand Router Settings
• Next to Routing Policy, click +
Note: Policy-Based Routing: Types of Rules
499
• Here you specify the type of routing policy rules:
› Split Tunnel: tunnel non-guest traffic to internal (HQ) routes, drop guest traffic to internal (HQ) routes, and route all other traffic to the local Internet gateway
› Tunnel All: tunnel all non-guest traffic regardless of its destination and drop all guest traffic
› Custom: define a custom routing policy
Lab: Policy-Based Routing
2. Create a Routing Policy
500
• Name: PBR-X
• Under Routing Policies, select Custom
• Click + to add a new policy
Lab: Policy-Based Routing
3. Create a Routing Policy
501
• Source – Type: User Profile, Value: Employee-X
• Destination – Type: Private (routes learned via VPN)
• Forwarding Action: Corporate Network (VPN)
• Backup Forwarding Action: Drop
• Click the save icon to the right of the policy
Lab: Policy-Based Routing
4. Create a Routing Policy
502
• Click + to create a new policy
• Source – Type: User Profile, Value: Employee-X
• Destination – Type: Any (all other routes)
• Forwarding Action: Primary WAN
• Backup Forwarding Action: Backup WAN-1 (e.g. DSL)
• Click the save icon to the right of the policy
Lab: Policy-Based Routing
5. Create a Routing Policy
503
• Click + to create a new policy
• Source – Type: User Profile, Value: Voice-X
• Destination – Type: Private (routes learned via VPN)
• Forwarding Action: Corporate Network (VPN)
• Backup Forwarding Action: USB (USB Wireless – LTE)
• Click the save icon to the right of the policy
Lab: Policy-Based Routing
6. Create a Routing Policy
504
• Click + to create a new policy
• Source – Type: User Profile, Value: Guest-X
• Destination – Type: Private (routes learned via VPN)
• Forwarding Action: Drop
• Click the save icon to the right of the policy
Lab: Policy-Based Routing
7. Create a Routing Policy
505
• Click the top + (Note: this is to show an important point)
• Source – Type: User Profile, Value: Guest-X
• Destination – Type: Any
• Forwarding Action: Primary WAN
• Backup Forwarding Action: Drop
• Click the save icon to the right of the policy
Lab: Policy-Based Routing
8. Create a Routing Policy
506
• Question: What is wrong with this policy?
• Answer: Rules are evaluated top down and the first match wins, so all guest traffic matches the Guest/Any rule at the top and the Guest/Private Drop rule is never reached. Guest traffic may be able to reach the local branch network if it is not blocked by firewall policy.
Lab: Policy-Based Routing
9. Create a Routing Policy
507
• Click the User Profile (Guest-X), Any, Primary WAN policy and drag it to the bottom
• Click Save
• Additional Settings – Save
• Save your network policy
Policy-Based Routing
Analysis
508
• Processed top down:
1. User Profile (Employee), when going to a private route learned through the VPN: send to the VPN
2. User Profile (Employee), when not sending to the VPN: send out through the primary WAN, and if that fails, out the backup WAN
Policy-Based Routing
Analysis
509
3. User Profile (Voice), if destined to a route learned through the VPN: forward through the VPN
4. User Profile (Guest), if destined to a route learned through the VPN: drop
5. User Profile (Guest), when not sending to the VPN: send out through the primary WAN, and if that fails, drop
Policy-Based Routing
Policy Used For No Matching Routes
510
• Question: What happens to traffic that does not match a policy-based routing rule?
• Answer: The router uses its main destination routing table (i.e. standard routing)
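Added example, not part of the Aerohive course material: the top-down, first-match evaluation described in the Analysis slides, with track-IP state deciding between a rule's forwarding action and its backup. It encodes the lab's five custom rules in the misordered form from step 7 and the corrected form from step 9, plus the default Split Tunnel policy, and shows that the misordered policy lets guest traffic bound for a VPN route match the Guest/Any rule, while unmatched traffic falls through to ordinary destination routing. The list of private routes, the set of guest profiles, the backup interface name in the split-tunnel policy, and the behaviour when both an action and its backup are unusable (drop) are assumptions made for the example.

```python
"""Top-down, first-match policy-based routing with track-IP failover.
Rule fields and action names follow the HiveManager lab on these slides;
the evaluation engine, the link-state model and the sample packets are an
added illustration, not HiveOS code."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Routes learned over the VPN ("Private" destinations), taken from the lab addressing
PRIVATE_ROUTES = [ipaddress.IPv4Network(n)
                  for n in ("10.5.1.0/24", "10.5.2.0/24", "10.5.8.0/24", "10.5.10.0/24")]
# Profiles attached to a network of type Guest Use (assumed for the example)
GUEST_PROFILES = {"Guest-X"}


@dataclass(frozen=True)
class Rule:
    source: str               # user profile name, "Any Guest", or "Any"
    destination: str          # "Private" (route learned via VPN) or "Any"
    action: str               # "VPN", "Primary WAN", "Backup WAN-1", "USB", "Drop"
    backup: Optional[str] = None


def is_private(dst_ip):
    addr = ipaddress.IPv4Address(dst_ip)
    return any(addr in net for net in PRIVATE_ROUTES)


def source_matches(rule, profile):
    if rule.source == "Any":
        return True
    if rule.source == "Any Guest":
        return profile in GUEST_PROFILES
    return rule.source == profile


def rule_matches(rule, profile, dst_ip):
    if not source_matches(rule, profile):
        return False
    return is_private(dst_ip) if rule.destination == "Private" else True


def wan_usable(ping_results):
    """Track IP group with 'take action when all targets become unresponsive':
    the interface stays usable as long as at least one target still answers."""
    return any(ping_results.values())


def resolve_action(rule, link_state):
    """Forwarding action unless its interface is down or its track-IP group
    failed (link_state[action] is False); then the backup action. A rule whose
    backup is also unusable, or that has no backup, drops (assumed behaviour)."""
    if rule.action == "Drop" or link_state.get(rule.action, True):
        return rule.action
    if rule.backup and (rule.backup == "Drop" or link_state.get(rule.backup, True)):
        return rule.backup
    return "Drop"


def route_packet(policy, profile, dst_ip, link_state):
    """First matching rule wins; no match means ordinary destination routing."""
    for rule in policy:
        if rule_matches(rule, profile, dst_ip):
            return resolve_action(rule, link_state)
    return "Main routing table"


# Lab steps 3-7 as entered, with the Guest/Any rule added at the top (step 7)
MISORDERED = [
    Rule("Guest-X", "Any", "Primary WAN", "Drop"),
    Rule("Employee-X", "Private", "VPN", "Drop"),
    Rule("Employee-X", "Any", "Primary WAN", "Backup WAN-1"),
    Rule("Voice-X", "Private", "VPN", "USB"),
    Rule("Guest-X", "Private", "Drop"),
]
# Step 9: the Guest/Any rule dragged to the bottom
CORRECTED = MISORDERED[1:] + MISORDERED[:1]
# The built-in Split Tunnel policy (backup interface name assumed)
SPLIT_TUNNEL = [
    Rule("Any Guest", "Private", "Drop"),
    Rule("Any", "Private", "VPN"),
    Rule("Any", "Any", "Primary WAN", "Backup WAN-1"),
]

ALL_UP = {"VPN": True, "Primary WAN": True, "Backup WAN-1": True, "USB": True}

if __name__ == "__main__":
    print("guest -> HQ, misordered:", route_packet(MISORDERED, "Guest-X", "10.5.1.20", ALL_UP))
    print("guest -> HQ, corrected: ", route_packet(CORRECTED, "Guest-X", "10.5.1.20", ALL_UP))
    # Both tracked targets from the lab stop answering: the primary WAN is declared down
    primary_down = dict(ALL_UP, **{"Primary WAN": wan_usable({"8.8.8.8": False, "4.2.2.2": False})})
    print("employee -> Internet, WAN tracked down:",
          route_packet(CORRECTED, "Employee-X", "8.8.8.8", primary_down))
```

Reading the two policies side by side makes the step 8 answer concrete: the only difference is the position of the Guest/Any rule, and that alone decides whether guest traffic to a private route is forwarded or dropped.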
Policy-Based Routing
Caution in 6.0r2a if not using VPN
511
• If you are not using VPN, do not create a policy-based routing rule with Source: Any, Destination: Any
• If you do, traffic may get sent back out the WAN as primary instead of being sent to a local route
• This will be resolved in an upcoming release
POLICY-BASED ROUTING SIMPLE TEST
512
Instructor Classroom Demo
513
If time permits, and if the instructor has a 3G/4G USB dongle available:
• Start a continuous ping from a classroom laptop that is communicating through an Aerohive BR-200
• Remove the Ethernet cable from the primary WAN port
• Wait up to 60 seconds for the connection to fail over to the cellular network
• Reconnect the Ethernet cable to the primary WAN port
• Wait up to 60 seconds for the connection to fall back to the primary WAN network
POLICY-BASED ROUTING DEFAULT SPLIT TUNNEL
514
Use this if you do not want to create a custom policy and you have VPN configured
Policy-based routing – Split Tunnel Policy
515
• Source – User Profile
› Any Guest – applies to users or devices connected to a user profile assigned to a network with the network type set to Guest Use
› Any – all other, non-guest user profiles
Policy-based routing – Split Tunnel Policy
Analysis
516
• Processed top down:
1. Traffic from any guest user profile going to a route learned through the VPN or to a local interface on the router: drop
2. Any non-guest traffic destined to a route learned through the VPN: forward through the VPN
3. All other traffic: forward out the primary WAN interface, and if that fails, out the backup WAN interface
BRANCH ROUTER 3G/4G MODEM SETTINGS
517
Branch Router USB Modem Settings
518
• A wide range of USB modems are supported
• The USB modem can be used when triggered by an IP tracking policy, or can always stay connected
Generic USB Modem Support
519
• Generic USB modem support for the BR200, BR100 and the 300 series APs functioning as routers
• Configurable through the NetConfig UI
COOKIE-CUTTER VPN
520
Cookie Cutter Branch Deployments
521
• Each site, even with the same IP network, can build a VPN to the corporate network
[Diagram: HQ corporate network 10.0.0.0/8; Branch 1: 10.1.1.0/24; Branch 2: 10.1.1.0/24; Branch 3: 10.1.1.0/24]
Cookie Cutter Branch Deployments
522
• Each branch site can be assigned the same IP network
• How can HQ access the remote sites?
[Diagram: HQ corporate network 10.0.0.0/8; Branch 1: 10.1.1.0/24; Branch 2: 10.1.1.0/24; Branch 3: 10.1.1.0/24]
Cookie Cutter Branch Deployments
523
• Each network can have a unique subnet allocated per site, used to perform one-to-one NAT for every host in each branch office through the VPN
[Diagram: HQ corporate network 10.0.0.0/8; Branch 1: NAT 10.102.1.0/24 to 10.1.1.0/24; Branch 2: NAT 10.102.2.0/24 to 10.1.1.0/24; Branch 3: NAT 10.102.3.0/24 to 10.1.1.0/24]
Cookie Cutter Branch Deployments
Routing on the VPN Gateway
524
• The branch routers advertise their NAT subnets to the VPN Gateways
[Diagram: HQ corporate network 10.0.0.0/8 (local); VPN Gateway tunnel routes: 10.102.1.0/24 tunnel 1, 10.102.2.0/24 tunnel 2, 10.102.3.0/24 tunnel 3; Branch 1: NAT 10.102.1.0/24 to 10.1.1.0/24; Branch 2: NAT 10.102.2.0/24 to 10.1.1.0/24; Branch 3: NAT 10.102.3.0/24 to 10.1.1.0/24]
Cookie Cutter Branch Deployments
• NAT subnets are unique subnets per site (non cookie-cutter), and can be mapped to sites dynamically, or via device classification
• Each NAT IP address can be accessed from corporate through the VPN
• Each NAT mapping is bidirectional, so traffic to HQ will be sourced from each NAT address
Diagram: HQ Corporate Network 10.0.0.0/8
Branch 1: NAT 10.102.0.0/24 to 10.1.1.0/24, which NATs:
10.102.1.1 to 10.1.1.1
10.102.1.2 to 10.1.1.2
...
10.102.1.255 to 10.1.1.255
Branch 2: NAT 10.102.2.0/24 to 10.1.1.0/24, which NATs:
10.102.2.1 to 10.1.1.1
10.102.2.2 to 10.1.1.2
...
10.102.2.255 to 10.1.1.255
etc.
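The one-to-one NAT and tunnel-route lookup from the last four slides, modelled as an added Python example (not Aerohive code). The branch table, tunnel names and the HQ-side route lookup are my own constructed illustration of the slides' numbers.

```python
import ipaddress

# Constructed sample data taken from the slides: three branches sharing the
# cookie-cutter local subnet 10.1.1.0/24, each behind its own NAT subnet.
BRANCHES = {
    "Branch 1": {"nat": "10.102.1.0/24", "local": "10.1.1.0/24", "tunnel": "tunnel 1"},
    "Branch 2": {"nat": "10.102.2.0/24", "local": "10.1.1.0/24", "tunnel": "tunnel 2"},
    "Branch 3": {"nat": "10.102.3.0/24", "local": "10.1.1.0/24", "tunnel": "tunnel 3"},
}


def _shift(ip, from_net, to_net):
    """One-to-one NAT: keep the host offset, swap the network part."""
    offset = int(ip) - int(from_net.network_address)
    return to_net.network_address + offset


def to_local(branch, hq_visible_ip):
    """Inbound direction: an HQ-visible NAT address becomes the branch-local
    address the host actually carries."""
    b = BRANCHES[branch]
    nat = ipaddress.ip_network(b["nat"])
    local = ipaddress.ip_network(b["local"])
    ip = ipaddress.ip_address(hq_visible_ip)
    if ip not in nat:
        raise ValueError(f"{ip} is not in the NAT subnet {nat} of {branch}")
    return str(_shift(ip, nat, local))


def to_nat(branch, local_ip):
    """Outbound direction: the mapping is bidirectional, so a local host
    sending to HQ is sourced from its NAT address."""
    b = BRANCHES[branch]
    nat = ipaddress.ip_network(b["nat"])
    local = ipaddress.ip_network(b["local"])
    ip = ipaddress.ip_address(local_ip)
    if ip not in local:
        raise ValueError(f"{ip} is not in the local subnet {local} of {branch}")
    return str(_shift(ip, local, nat))


def vpn_gateway_routes():
    """Routes the VPN gateway learns: each branch advertises only its NAT
    subnet. 10.1.1.0/24 is deliberately never advertised, because every
    branch uses it and the routes would collide."""
    return {b["nat"]: b["tunnel"] for b in BRANCHES.values()}


def lookup_tunnel(dest_ip):
    """Longest-prefix match of an HQ-originated packet against the tunnel routes."""
    ip = ipaddress.ip_address(dest_ip)
    best = None
    for prefix, tunnel in vpn_gateway_routes().items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, tunnel)
    return best[1] if best else None


def resolve_hq_packet(dest_ip):
    """Full path for a packet from HQ: which tunnel carries it, which branch
    receives it, and which local address it is delivered to after NAT.
    Returns None when no tunnel route matches (e.g. a raw 10.1.1.x address,
    which HQ cannot reach because it is not unique)."""
    tunnel = lookup_tunnel(dest_ip)
    if tunnel is None:
        return None
    branch = next(n for n, b in BRANCHES.items() if b["tunnel"] == tunnel)
    return tunnel, branch, to_local(branch, dest_ip)


if __name__ == "__main__":
    print(resolve_hq_packet("10.102.2.7"))  # ('tunnel 2', 'Branch 2', '10.1.1.7')
    print(resolve_hq_packet("10.1.1.7"))    # None: the shared subnet is unreachable from HQ
    print(to_nat("Branch 3", "10.1.1.7"))   # 10.102.3.7
```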
LAB: COOKIE-CUTTER VPN
Lab: Cookie Cutter
1. Create a new Employee Network
• Next to VLAN 10, click on your network: Network-Employee-1XX
• Choose Network, click New
Lab: Cookie Cutter
2. Create a new Employee Network
• Enter the network name: 10.1.1.0-Employee-X
• DNS Service, select the quick start automatically generated object: Class
• Network Type: Internal Use
• Under subnetworks click New
NOTE: This Quick Start DNS Service object sets clients to use the router interface IP as the DNS server, and will proxy the DNS requests to the DNS server learned statically or by DHCP on the WAN interface
Lab: Cookie Cutter
3. Replicate the Network
• Select Replicate the same subnetwork at each site
• Local Subnetwork: 10.1.1.0/24
• Select Use the first IP address of the partitioned subnetwork for the default gateway
• Do not save yet
NOTE: You can now use the first or last IP address for each branch subnet for the default gateway assigned to the routers for these subnets
Lab: Cookie Cutter
4. Enable DHCP
• Check Enable DHCP server
• For the DHCP Address Pool, move the slider bar to reserve 10 IP addresses at the start and end of the address pool that can be defined statically.
NOTE: In most cases, the router will be the DHCP server. However, if it is not, you can disable the DHCP service and this network definition will only be used to configure the router interface IP addresses.
Lab: Cookie Cutter
5. NAT settings
• Check Enable NAT through the VPN tunnels
• Number of branches: 256
• NAT IP Address Space Pool: 1.1XX.0.0 Mask 16 (XX = 102, 103, ..., 114, 115)
• Note: We are using 1.1XX.0.0 instead of 10.1XX.0.0, because the lab has no more IP space
Lab: Cookie Cutter
6. NAT settings
• Check Allocate NAT subnetworks by specific IP addresses at sites
• Click New
› IP Address: 1.1XX.1.1
› Type: Device Tags
› Value: Site-Xa (Your Switch)
• Click Apply
NOTE: Any device tag you have defined elsewhere is automatically populated. You can also start typing to narrow the value list.
With these settings, each site will get assigned to one of the /24 NAT subnets in 1.1XX.0.0/16. Entering a single IP address locks the NAT IP address and the NAT subnet to which it belongs to a specific site.
Lab: Cookie Cutter
7. Save cookie cutter network
• Verify your settings
• Click Save
Lab: Cookie Cutter
7. Review and save
Your network will have one NAT subnetwork: 1.1XX.0.0/16 that will support 256 branches with 253 clients per branch, and subnet 10.1.1.0/24 will be assigned to each site for DHCP
• Click Save
• Click OK
Lab: Cookie Cutter
8. Save your network policy and continue
• From the Configure Interfaces & User Access bar, click Continue
PERFORM A COMPLETE UPLOAD
Lab: Update Router Configuration
1. Update your routers
• Select the Filter: Current Policy
• Select all your Routers
• Click Update
Lab: Update Router Configuration
2. Update your routers
• Select Update Devices
• Select Perform a complete configuration update for all selected devices
• Click Update
For this class, ALL updates should be complete configuration updates
Lab: Update Router Configuration
3. Update your routers
• When the Reboot Warning box appears, click OK
VIEW SUBNET ALLOCATION REPORT
Cookie Cutter Branch Deployments
Routing on the VPN Gateway
• The branch routers advertise their NAT subnets to the VPN Gateways
Diagram: HQ Corporate Network 10.0.0.0/8 (Local)
VPN Gateway tunnel routes:
10.102.1.0/24 tunnel 1
10.102.2.0/24 tunnel 2
10.102.3.0/24 tunnel 3
Branch 1: NAT 10.102.1.0/24 to 10.1.1.0/24
Branch 2: NAT 10.102.2.0/24 to 10.1.1.0/24
Branch 3: NAT 10.102.3.0/24 to 10.1.1.0/24
Lab: Subnet Allocation Report
1. View the IP addresses assigned to the routers
• From Monitor, in the navigation tree, click Subnetwork Allocation
• Under Network Name, select 10.1.1.0-Employee-X
• Note the unique NAT networks and the cookie-cutter network
Note: One subnet was assigned via classification; the others were assigned dynamically.
SIMULATED ROUTER CLEANUP
Lab: Remove Simulated Routers
1. Select and remove your simulated routers
The simulated routers were used to show the subnet allocation report. Now that you have seen how subnetworks are allocated to routers, we can remove the simulated routers.
• From Configuration > Routers, check the box next to your simulated devices that start with: SR-02-SIMU-XXXXXX
• Warning: Do NOT remove the real router
• Click Device Inventory and click Remove
• Click Remove from the warning popup
LAYER 3 IPSEC VPN – REDUNDANT VPN GATEWAYS
Router IPSec VPN Lab
Using Two VPN Gateways
Diagram (Headquarters):
Firewall eth0/0 – 209.128.76.30 (DMZ)
NAT – 209.128.76.28 to 10.1.101.2
NAT – 209.128.76.29 to 10.1.102.2
Firewall eth0/1 (802.1Q trunk, VLANs 101 and 102):
Firewall eth0/1.1 - 10.1.101.1/24 vlan 101, Protocol OSPF area 0.0.0.1
Firewall eth0/1.2 - 10.1.102.1/24 vlan 102, Protocol OSPF area 0.0.0.2, Protocol OSPF cost 1000
Firewall eth0/2 – 10.5.1.1/24 (Inside, Internal Network), Protocol OSPF area 0.0.0.0
AD Server 10.5.1.10
VPN Gateway 1, LAN 1: 10.1.101.2/24, Protocol OSPF area 0.0.0.1
VPN Gateway 2, LAN 1: 10.1.102.2/24, Protocol OSPF area 0.0.0.2
Diagram (Branch Office):
Tunnel 1 to 209.128.76.28 pref 1
Tunnel 2 to 209.128.76.29 pref 2
VLAN 10 – 10.1.1.0/24 Employee Net
One-to-One Subnet NAT through VPN: 10.102.1.0/24 (HQ visible IPs) to 10.1.1.0/24 (local IPs)
Router IPSec VPN Lab
Using Two VPN Gateways
• VPN tunnels are built from branch offices to the VPN gateways
• Traffic from the branch offices is decrypted at the VPN gateways and sent to the DMZ firewall for access to the internal network
• Traffic destined to IP addresses at branch offices is sent to the firewall, which looks up the IP and finds the route to the VPN gateway, which encrypts the traffic and sends it through a tunnel to the branch office
Diagram: same Headquarters topology as the previous slide (DMZ firewall, VPN Gateways 1 and 2 on VLANs 101 and 102, internal network with AD Server 10.5.1.10)
Cookie Cutter Branch Deployments
Routing on the VPN Gateway
• The branch routers advertise their NAT subnets to the VPN Gateways
Diagram: HQ Corporate Network 10.0.0.0/8 (Local)
VPN Gateway tunnel routes:
10.102.1.0/24 tunnel 1
10.102.2.0/24 tunnel 2
Branch 1: NAT 10.102.1.0/24 to 10.1.1.0/24
Branch 2: NAT 10.102.1.0/24 to 10.1.1.0/24
FW Configuration for Accessing VPN Gateways 1 and 2
set interface bgroup0.5 tag 101 zone Trust
set interface bgroup0.6 tag 102 zone Trust
set interface bgroup0.5 ip 10.1.101.1/24
set interface bgroup0.6 ip 10.1.102.1/24
set interface bgroup0.5 route
set interface bgroup0.6 route
set int bgroup0.5 protocol OSPF area 0.0.0.1
set int bgroup0.5 protocol OSPF enable
set int bgroup0.6 protocol OSPF area 0.0.0.2
set int bgroup0.6 protocol OSPF enable
set interface "ethernet0/0" mip 209.128.76.28 host 10.1.101.2
set interface "ethernet0/0" mip 209.128.76.29 host 10.1.102.2
set interface "ethernet0/0" mip 209.128.76.28 host 10.1.101.2 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet0/0" mip 209.128.76.29 host 10.1.102.2 netmask 255.255.255.255 vr "trust-vr"
set policy id 18 from "Untrust" to "Trust" "Any" "MIP(209.128.76.28)" "ANY" permit
set policy id 19 from "Untrust" to "Trust" "Any" "MIP(209.128.76.29)" "ANY" permit
CONFIGURING LAYER 3 IPSEC VPN WITH REDUNDANCY
INSTRUCTOR ONLY – THESE STEPS HAVE ALREADY BEEN PERFORMED
Layer 3 VPN – Instructor Only Steps
• Under Layer 3 IPSec VPN, click Choose
Layer 3 VPN – Instructor Only Steps
• Name: Corp-VPN (shared by all network policies in class)
• Layer 3 VPN
• VPN Gateway: VPN-Gateway-1
• External IP: 1.2.2.241
• Click Apply
Layer 3 VPN – Instructor Only Steps
Under VPN Gateway Settings
• Click New
• VPN Gateway: VPN-Gateway-2
• External IP: 1.2.2.242
• Click Apply
Layer 3 VPN – Instructor Only Steps
• Two new certificates were created for this lab; you can use those or the defaults if the root CA did not change
• Click Save
Layer 3 VPN – Instructor Only Steps
• From Configuration > Show Nav > VPN Gateways
• Modify VPN-Gateway-1
Layer 3 VPN – Instructor Only Steps
Note: VPN Gateways are not assigned to a Network policy; they just use a Management network
• ETH0 (WAN): 10.200.2.241/24
• Default Gateway: 10.200.2.1
• Check Enable Dynamic Routing
• Select OSPF
• Route Advertisement
☑ Select Eth0 (WAN)
☐ Deselect Eth1 (LAN)
• Area: 0.0.0.0
• Click Save
Layer 3 VPN – Instructor Only Steps
• From Configuration > VPN Gateways
• Modify VPN-Gateway-2
Layer 3 VPN – Instructor Only Steps
Note: VPN Gateways are not assigned to a Network policy; they just use a Management network
• ETH0 (WAN): 10.200.2.242/24
• Default Gateway: 10.200.2.1
• Check Enable Dynamic Routing
• Select OSPF
• Route Advertisement
☑ Select Eth0 (WAN)
☐ Deselect Eth1 (LAN)
• Area: 0.0.0.0
• Click Save
Layer 3 VPN – Instructor Only Steps
• Select Update Devices
• Select Perform a complete configuration update for all selected devices
• Click Update
For this class, ALL updates should be complete configuration updates
LAB: TWO VPN GATEWAYS
STUDENTS ADD CORP VPN TO THEIR NETWORK POLICY
Lab: Two VPN Gateways
1. Add the Corp-VPN policy
• In your network policy next to Layer 3 IPSec VPN click Choose
• Select Corp-VPN
• Click OK
• Save the Network Policy
• Click Continue
Lab: Two VPN Gateways
2. Select the router
• Choose the current policy filter and select your router
• Click Update Devices and perform a complete upload
Lab: Two VPN Gateways
4. Verify the VPN topology
• Wait about 5 minutes
• When the VPNs are established, you can click the VPN Topology link to see live VPN status
• Click Refresh to update the screen
BRANCH ROUTER WAN INTERFACE NAT PORT FORWARDING
Branch Router WAN Interface
NAT Port Forwarding
• Use port forwarding from a public WAN interface on a branch router to reach a server within a private network
• This works very well for cookie cutter deployments!!
Diagram: SR2024 as Branch Router (WAN: 2.1.1.100, facing the Internet) with PoE-powered APs; Web Server1 10.1.1.5 Port 80 (IP #5); Web Server2 10.1.1.6 Port 80 (IP #6); an Internet client reaches http://2.1.1.100:8005
NAT Port Forwarding Rules
Outside: 2.1.1.100:8005 -> Inside: 10.1.1.5:80 (IP #5)
Outside: 2.1.1.100:8006 -> Inside: 10.1.1.6:80 (IP #6)
LAB: CONFIGURE BRANCH ROUTER WAN INTERFACE NAT PORT FORWARDING
LAB: WAN Interface NAT Port Forwarding
1. Modify the Cookie-Cutter Network
• From your network policy, under VLAN-to-Subnet Assignments for Router Interfaces
› Modify your 10.1.1.0-Employee-X network
› Click the icon and select Edit
LAB: WAN Interface NAT Port Forwarding
2. Modify the Cookie-Cutter/NAT Network
• Click the link to edit the subnet: 1.1XX.0.0/16
LAB: WAN Interface NAT Port Forwarding
3. Enable port forwarding
• In the Network Address Translation (NAT) Settings section
• Check Enable port forwarding through the WAN interfaces
LAB: WAN Interface NAT Port Forwarding
4. View Aerohive Ports
• Click View Aerohive Ports to see the ports that are already in use on Aerohive routers that you cannot use for port forwarding
• In order for port forwarding to work, you must have addresses excluded at the start of the DHCP pool
• For example, if you have a web server at every site that will be the 5th IP address from the start of the pool, e.g. 10.1.1.5, then you must have the DHCP exclusion for the first 5 IP addresses so that 10.1.1.5 can be statically assigned to the web server
NOTE: Always have excludes from the DHCP pool
LAB: WAN Interface NAT Port Forwarding
5. Create port forwarding rules
• Click New to create a port forwarding rule
LAB: WAN Interface NAT Port Forwarding
6. Create port forwarding rules
• Destination Port Number: 8005
• Local Host IP Address Position: 1
• Internal Host Port Number: 80
• Traffic Protocol: TCP
• Click Apply
LAB: WAN Interface NAT Port Forwarding
7. Create port forwarding rules
• Create several more rules
LAB: WAN Interface NAT Port Forwarding
8. Create port forwarding rules
• Destination Port: 8005
This is the port clients will use from the Internet to access the internal server: https://WAN-IP:8005
• Click on IP Address Mapping to see how each position maps to an internal cookie-cutter IP address
• Local host IP address
› The position of the IP address from the start of the IP address block
› For /24 subnets, position 1 = .2, position 2 = .3, etc.
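The position-to-address mapping from this slide, together with the DHCP-exclusion requirement from the earlier slide, as an added Python example (not Aerohive code). The subnet, WAN address and exclusion count come from the slides; the reserved-port set is a hypothetical placeholder for whatever View Aerohive Ports shows.

```python
import ipaddress

# Constructed values from the slides: the cookie-cutter subnet, the branch
# WAN address, and the number of addresses excluded at the start of the pool.
SUBNET = "10.1.1.0/24"
WAN_IP = "2.1.1.100"
EXCLUDED_AT_START = 5   # .1 - .5 kept out of the DHCP pool for static hosts
# Hypothetical placeholder for the ports listed under "View Aerohive Ports";
# the real list comes from HiveManager and is not reproduced here.
AEROHIVE_RESERVED_PORTS = {22, 80, 443}


def position_to_ip(subnet, position):
    """Local Host IP Address Position -> address. The slides give position 1 = .2,
    position 2 = .3 for a /24: the first host address belongs to the router
    interface, so positions count from the second one."""
    net = ipaddress.ip_network(subnet)
    if position < 1:
        raise ValueError("position starts at 1")
    ip = net.network_address + 1 + position
    if ip >= net.broadcast_address:
        raise ValueError(f"position {position} does not fit in {net}")
    return str(ip)


def dhcp_exclusion_covers(subnet, excluded_at_start, position):
    """True when the target address lies inside the static range excluded at
    the start of the DHCP pool. Counting from .1, position p is the (p+1)th
    address, so at least p+1 addresses must be excluded."""
    return excluded_at_start >= position + 1


def port_forward_rule(wan_ip, dest_port, subnet, position, internal_port, protocol="TCP"):
    """Build one rule in the form the diagram uses: Outside WAN:port -> Inside host:port."""
    return {
        "outside": f"{wan_ip}:{dest_port}",
        "inside": f"{position_to_ip(subnet, position)}:{internal_port}",
        "position": position,
        "protocol": protocol,
    }


def validate_rules(rules, subnet, excluded_at_start, reserved_ports):
    """Pre-save checks: destination ports must be unique and not already used by
    the router, and every target host must sit outside the DHCP pool.
    Returns a list of problems (empty when the rule set is clean)."""
    problems = []
    seen = set()
    for r in rules:
        port = int(r["outside"].rsplit(":", 1)[1])
        if port in reserved_ports:
            problems.append(f"{r['outside']}: port {port} is already used by the router")
        if port in seen:
            problems.append(f"{r['outside']}: duplicate destination port {port}")
        seen.add(port)
        if not dhcp_exclusion_covers(subnet, excluded_at_start, r["position"]):
            problems.append(f"{r['inside']}: host is inside the DHCP pool, exclude more addresses")
    return problems


def lab_rules():
    """The two rules from the diagram: 8005 -> web server 1 (.5), 8006 -> web server 2 (.6)."""
    return [
        port_forward_rule(WAN_IP, 8005, SUBNET, 4, 80),   # position 4 -> 10.1.1.5
        port_forward_rule(WAN_IP, 8006, SUBNET, 5, 80),   # position 5 -> 10.1.1.6
    ]
```

With only 5 addresses excluded, validate_rules flags the second rule, because 10.1.1.6 is still inside the pool; the 10-address exclusion from lab step 4 covers both servers.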
LAB: WAN Interface NAT Port Forwarding
9. Review your port forwarding rules
• Review your port forwarding rules
• Click Save
• Click OK
LAB: WAN Interface NAT Port Forwarding
10. Save the network
• Review your Network
• Click Save
• Click OK
LAB: WAN Interface NAT Port Forwarding
11. Save your Network Policy
• Click Continue to save your Network Policy and proceed to device updates
LAB: WAN Interface NAT Port Forwarding
12. Select the router
• Choose the current policy filter and select your router
• Click Update Devices and perform a complete upload
LAB: WAN Interface NAT Port Forwarding
13. Verify port forwarding rules
• Monitor > Routers
• Select your Router
• Click on Utilities > SSH Client
• Click on Connect
• Type: show ip iptables nat
LAB: WAN Interface NAT Port Forwarding
14. Verify port forwarding rules
Note: Resize the window to see the port-forwarding rules
• CLI command: sh ip iptables nat
THE MANAGEMENT NETWORK
Aerohive Management Network
• Management Network – Every AP, router, and VPN gateway has a logical management interface for:
› CAPWAP communication with HiveManager;
› cooperative control protocols like AMRP and DNXP;
› and management services like SNMP, SYSLOG, SCP, and SSH.
Diagram: BR200 and two APs behind it toward the Internet, each with interface mgt0 on VLAN 1: 172.18.0.1/24, 172.18.0.2/24, 172.18.0.3/24
Aerohive Management Network
• Management subnets can be assigned to a VLAN within the unified network policy
Aerohive Management Network
• Just like internal networks, management subnets can be partitioned from a parent network and then assigned dynamically by HiveManager.
• Management subnets can also be assigned with device classification.
Aerohive Router Interfaces
Router WAN Port: Eth0, 192.168.1.10/24, No VLAN
Logical IP Interfaces:
mgt0 (Management): 172.18.0.1/24, VLAN 1
mgt0.1: 10.102.0.1/24, VLAN 102 - Employee
mgt0.2: 172.16.102.1/24, VLAN 202 - Guest
Ethernet Switch Ports: Eth1 – Eth4, Layer 2
• Assigned to VLANs and Networks by LAN Profiles
• May be 802.1Q VLAN Trunk ports or access ports
Interfaces mgt0.1 through mgt0.16 may be created, each supporting routing for a different IP network.
ENABLE 802.1Q VLAN TRUNKING ON A LAN PORT
Configuring 802.1Q on a Router Port Policies
BR100 Logical IP Interfaces:
mgt0 (Management): 172.18.0.1/24, VLAN 1
mgt0.1: 10.102.0.1/24, Employee - VLAN 10
mgt0.2: 10.202.0.1/24, Voice – VLAN 2
mgt0.3: 192.168.83.1/24, Guest - VLAN 8
mgt0.4: 172.28.0.1/25, VLAN 1 (Native)
Note: You should define a native network using VLAN 1, which must match the native VLAN configured for the management interface, which by default is 1.
AP Logical IP Interface: mgt0 (Management) 172.18.0.1/24, VLAN 1
AP Layer 2 Interfaces:
VLAN 1 (Native)
SSID: Class-PSK – Employee - VLAN 10
SSID: Class-Voice – Voice – VLAN 2
SSID: Class-Guest – Guest – VLAN 8
802.1Q VLAN Trunk between the router port and the AP carrying VLANs: 1 (Native), 2, 8, 10
ROUTER STATEFUL FIREWALL POLICY
MORE THAN JUST THE 5-TUPLE
Router Firewall
General Guidelines
• Router firewall is not the same firewall used in User Profiles for Aerohive access points
• Firewall rules are applied in the branch router for both wireless and wired traffic
• AP firewall can still be used for wireless clients if so desired
• L7 not yet supported in the router firewall
Diagram: Branch Router (router firewall for wired and wireless traffic) – AP (AP firewall for wireless traffic only) – Internet
Router Firewall
General Guidelines
• Rules are processed top down and the first matching rule is used
• After a rule is matched a stateful session is created using:
› Source IP, Destination IP, IP Protocol, Source Port, Destination Port
› The reverse session is also created for return traffic
• More than just an IP firewall, the router firewall can look at:
› Traffic Source:
» IP Network, IP Range, Network Object, User Profile, VPN, or IP Wildcard
› Traffic Destination:
» IP Network, IP Range, Network Object, VPN, IP Wildcard, Hostname
Aerohive Stateful Firewall
Diagram: Inside host 10.5.1.102 – Router (Firewall Policies: Default Action: Deny) – Internet – Web Server 72.20.106.66
HTTP – Initiated from inside the Network to a web server on the Internet
Source IP, Dest IP, Proto, Source Port, Dest Port, Data
10.5.1.102, 72.20.106.66, 6 (TCP), 3456, 80, HTTP Get
HTTP Response is permitted because the firewall in the router is stateful (shown after NAT)
Source IP, Dest IP, Proto, Source Port, Dest Port, Data
72.20.106.66, 10.5.1.102, 6 (TCP), 80, 3456, HTTP Reply
The stateful firewall engine opens a pinhole for this session allowing return traffic for this session
Lab: Router Firewall for Guests
1. Create a Router Firewall Profile
To implement a router firewall
• In your network policy, next to Router Firewall, click Choose
• In Choose Firewall click New
Lab: Router Firewall for Guests
2. Create a user profile rule
• Enter a Policy Name: Firewall-X
• Configure a user profile-based firewall policy rule
• Select a source: User Profile Guests-X
• Select a destination: IP Network 10.0.0.0/255.0.0.0
• Service: [-any-]
• Action: Deny
• Logging: Disable
• Click Apply
Lab: Router Firewall for Guests
3. Create another user profile rule
Your rule should appear
• Under Policy Rules, click New
• Configure a user profile-based firewall policy rule
• Select a source: User Profile Guests-X
• Select a destination: IP Network 172.16.0.0/255.240.0.0
• Service: [-any-]
• Action: Deny
• Logging: Disable
• Click Apply
Lab: Router Firewall for Guests
4. Create one more user profile rule
Your rule should appear
• Under Policy Rules, click New
• Configure a user profile-based firewall policy rule
• Select a source: User Profile Guests-X
• Select a destination: IP Network 192.168.0.0/255.255.255.0
• Service: [-any-]
• Action: Deny
• Logging: Disable
• Click Apply
Lab: Router Firewall for Guests
5. Create a clean-up allow all rule
Create a clean up rule
• Under Policy Rules, click New
• Configure a user profile-based firewall policy rule
• Select a source: [-any-]
• Select a destination: [-any-]
• Service: [-any-]
• Action: Permit
• Logging: Disable
• Click Apply
Lab: Router Firewall for Guests
6. Verify your firewall policy rules and save
• Select the radio button for the Default Rule to Deny all
› Note: This is not needed, but it is a good general practice.
• This policy denies access to any private IP address through the router, and allows everything else
• Also, you can drag and drop the rules to change their order
• Click Save
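The top-down, first-match processing and the session pinhole described on the Router Firewall slides, exercised against both the stateful HTTP example and the Firewall-X rule set built in this lab, as an added Python model (not Aerohive code). The Packet and Rule classes and the "profile:<name>" source notation are my own simplification of the HiveManager rule fields.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: int           # 6 = TCP, 17 = UDP
    sport: int
    dport: int
    user_profile: str = ""   # profile the router assigned to the source client, if any


@dataclass(frozen=True)
class Rule:
    source: str        # "any", "profile:<name>", or an IP network such as "10.5.1.0/24"
    destination: str   # "any" or an IP network
    service: str       # "any" or "<proto>/<port>", e.g. "6/80" for HTTP
    action: str        # "permit" or "deny"


def _endpoint_matches(spec, ip, profile=None):
    if spec == "any":
        return True
    if spec.startswith("profile:"):
        return profile == spec.split(":", 1)[1]
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec)


def _service_matches(spec, pkt):
    if spec == "any":
        return True
    proto, port = spec.split("/")
    return pkt.proto == int(proto) and pkt.dport == int(port)


class StatefulFirewall:
    def __init__(self, rules, default_action="deny"):
        self.rules = list(rules)
        self.default_action = default_action
        self.sessions = set()   # 5-tuples that currently have an open pinhole

    def evaluate(self, pkt):
        """Existing sessions are matched first; otherwise rules are processed
        top down and the first match decides. A permit records the session
        and its reverse, which is the pinhole that lets return traffic in."""
        key = (pkt.src_ip, pkt.dst_ip, pkt.proto, pkt.sport, pkt.dport)
        if key in self.sessions:
            return "permit (existing session)"
        for n, r in enumerate(self.rules, start=1):
            if (_endpoint_matches(r.source, pkt.src_ip, pkt.user_profile)
                    and _endpoint_matches(r.destination, pkt.dst_ip)
                    and _service_matches(r.service, pkt)):
                if r.action == "permit":
                    self.sessions.add(key)
                    self.sessions.add((pkt.dst_ip, pkt.src_ip, pkt.proto, pkt.dport, pkt.sport))
                return f"{r.action} (rule {n})"
        return f"{self.default_action} (default)"


def web_server_policy():
    """The stateful firewall slide: default deny, HTTP may only be initiated
    from the inside network; replies ride the pinhole, unsolicited inbound is dropped."""
    return StatefulFirewall([Rule("10.5.1.0/24", "any", "6/80", "permit")], "deny")


def guest_lab_policy():
    """Firewall-X as built in steps 2-5: Guests-X may not reach the three
    private ranges entered in the lab; the clean-up rule permits everything else."""
    return StatefulFirewall([
        Rule("profile:Guests-X", "10.0.0.0/8", "any", "deny"),
        Rule("profile:Guests-X", "172.16.0.0/12", "any", "deny"),
        Rule("profile:Guests-X", "192.168.0.0/24", "any", "deny"),
        Rule("any", "any", "any", "permit"),
    ], "deny")
```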
Lab: Router Firewall for Guests
7. Create a Router Firewall Profile
• Verify that your Router Firewall is applied: Firewall-X
• Click Save
Remember this? - Routes Learned via OSPF and Between the VA and Branch Routers
• Routers (VPN clients) ask the VPN Gateway for updated route information and provide their own route changes over the VPN tunnel every minute by default using a TCP request
Diagram:
HQ VPN Gateway, Corporate Network 10.1.0.0/16:
Route: 10.1.0.0/16 to Corp Router
Route: 172.28.0.0/24 to VPN tunnel A
Route: 172.28.1.0/24 to VPN tunnel B
Route: 172.28.2.0/24 to VPN tunnel C
Route: 0.0.0.0/0 to Internet Gateway
BR100 (Tunnel A), Local network: 172.28.0.0/24:
Route: 10.1.0.0/16 through VPN tunnel
Route: 172.28.1.0/24 through VPN tunnel
Route: 172.28.2.0/24 through VPN tunnel
Route: 0.0.0.0/0 to Internet Gateway
BR100 (Tunnel B), Local network: 172.28.1.0/24:
Route: 10.1.0.0/16 through VPN tunnel
Route: 172.28.0.0/24 through VPN tunnel
Route: 172.28.2.0/24 through VPN tunnel
Route: 0.0.0.0/0 to Internet Gateway
BR100 (Tunnel C), Local network: 172.28.2.0/24:
Route: 10.1.0.0/16 through VPN tunnel
Route: 172.28.0.0/24 through VPN tunnel
Route: 172.28.1.0/24 through VPN tunnel
Route: 0.0.0.0/0 to Internet Gateway
Router Firewall can be used to block communications between branch offices
• Routers (VPN clients) ask the VPN Gateway for updated route information and provide their own route changes over the VPN tunnel every minute by default using a TCP request
Diagram: same topology and routes as the previous slide (HQ VPN Gateway with tunnels A, B and C to three BR100 routers whose local networks 172.28.0.0/24, 172.28.1.0/24 and 172.28.2.0/24 are all reachable from each other through the VPN)
WEB PROXY FOR SECURING WEB-BASED TRAFFIC
Cloud Proxy – How does it work?
1. Client makes a HTTP/HTTPS request
2. Aerohive BR checks if client network is configured to use web security
3. Aerohive BR confirms traffic is not destined for resources across the tunnel and is not whitelisted as trusted
4. Traffic is forwarded with client identity to the cloud security partner and processed based on identity
Web Security Using Websense Cloud Web Proxy
To configure Cloud Web Security, from HiveManager go to Home > Administration > HiveManager Services
• Check the box next to Websense Server Settings
• Check the box next to Enable Websense Server Settings
• Enter the Account ID and Security key that were displayed for your Websense account
• Default Domain: ah-lab.com
• Click Update
Note: The default domain is only used if users do not authenticate to access the network using a mechanism that requires a domain name for login
Web Security Using Websense Cloud Web Proxy
You can use the default Web Security Whitelist to specify safe URLs that do not need to be sent through web security
• Next to Web Security Whitelist, select QS-WebSense-Whitelist
• Click Update
Note: To create your own whitelist or clone the quick start whitelists to make your own additions, go to: Configuration > Show Nav > Advanced Configuration > Common Objects > Device Domain Objects
Web Security Using Cloud Proxy
To get started with Cloud Web Security, from HiveManager go to Home > Administration > HiveManager Services
• Check the box next to Websense Server Settings
• Click the "here" link to sign up for a free 30-day trial
• Sign up for a free 30-day Websense trial
LAB: CLOUD PROXY
LAB: Cloud proxy
1. Edit employee network settings
• Cloud Web Proxy is enabled within a Network Policy
• You may only want to enable this service for corporate employees
• Next to your Class-PSK-X SSID, under Network(VLAN) click your network: 10.1.1.0-Employee-X
• Click on the icon to edit your network
LAB: Cloud proxy
2. Enable web security
• In the network for employees, next to Web Security, select Websense from the drop-down menu
• You can keep the option to Deny all outbound HTTP and HTTPS traffic if connectivity to the web security server is lost
• Click Save and then OK
LAB: Cloud proxy
3. Edit guest network settings
• Cloud Web Proxy is enabled within a Network Policy
• You may only want to enable this service for corporate employees
• Next to your Class-PSK-X SSID, under Network(VLAN) click your network: 192.168.83.0-Guest-X
• Click on the icon to edit your network
LAB: Cloud proxy
4. Enable web security
• In the network for employees, next to Web Security, select Websense from the drop-down menu
• You can keep the option to Deny all outbound HTTP and HTTPS traffic if connectivity to the web security server is lost
• Click Save and then OK
LAB: Cloud proxy
5. Verify web security
• Note that web security is enabled
• Click Continue to save and go to updates
LAB: Cloud proxy
6. Upload policy to branch router
• Update the configuration of your router
• Click Settings to perform a complete update
TEST CLOUD WEB SECURITY
INSTRUCTOR DEMO – INSTRUCTOR MUST HAVE CONFIGURED THE CLASSROOM ROUTER FOR CLOUD PROXY
Lab: Test LAN Port Web Security
1. Connect your computer to Eth1 on the Router
• Connect the Ethernet Port 2 of your computer to the ETH2 interface on the router
Diagram: BR100 – Class Switch
Lab: Test LAN Port Web Security
2. Open web browser to a website
• Open a web browser on your remote computer to a respectable website
• You will be redirected to a captive web portal
Diagram: BR100 – Class Switch
Lab: Test LAN Port Web Security
3. Login through the captive web portal
• Enter a user name: lanuser
• Password: Aerohive1
• Click Log In
Lab: Test LAN Port Web Security
4. Test a web site that is forbidden
• Open a web browser and try going to: www.guns.com
• You should be redirected to a web page informing you that you were denied from accessing the site
• This will be denied because the Websense policy used has a rule against sites that provide information about, promote, or support the sale of weapons and related items
Websense Cloud Web Security Policies
• From the Websense Cloud Web Security login, you can set the web categories policies, web content security, and much more...
Note: Here you can see that there is a rule blocking Weapons sites
MISC
Overwrite protection for NetConfig UI WAN settings
• The default behavior of a branch router originally set up using the NetConfig UI is protected from being overwritten by updates pushed to it from HiveManager at a later date.
• To disable the NetConfig UI settings protection for the BRs, click Configuration > Devices, select one or multiple BRs, and then click Utilities > Disable NetConfig UI WAN Configuration.
Protects the NetConfig UI based WAN port configuration of BRs and routing devices
THANK YOU – REALLY!!
PDF
Securely Connecting Your Customers to Their Cloud-Hosted App – In Minutes
PPTX
The Power of Java and Oracle WebLogic Server in the Public Cloud (OpenWorld, ...
PDF
Pushing Java EE outside of the Enterprise - Home Automation
PDF
Case study migrating 1800 a ps to 7240 mobility controllers_douglas burke_ste...
PDF
WebRTC Customer Experience Optimizations - Kranky Geek Presentation
PDF
The Path to a Programmable Network
PPTX
Enabling AirPrint & AirPlay on Your Network
PPTX
AZ-104 Microsoft Azure cloud Administration
PDF
Discover Aura Workshop (12.5.23).pdf
PDF
Pushing Java EE outside of the Enterprise: Home Automation and IoT - David De...
PDF
VAR Presentation
PDF
Mobility switch security architecture scott calzia madani adjali
PDF
Meet the Committers Webinar_ Lab Preparation
PDF
Take Authentic HPE6-A70 PDF Questions by Test4Practice
PPSX
A brief introduction to Simplified Technical English implementation
PDF
HTTP/2 Comes to Java - What Servlet 4.0 Means to You
Building an aruba proof of concept lab javier urtubia
Tweet for Beer - Beertap Powered by Java Goes IoT, Cloud, and JavaFX
Primavera Unifier Tips and Tricks
Primavera unifier tips and tricks
Securely Connecting Your Customers to Their Cloud-Hosted App – In Minutes
The Power of Java and Oracle WebLogic Server in the Public Cloud (OpenWorld, ...
Pushing Java EE outside of the Enterprise - Home Automation
Case study migrating 1800 a ps to 7240 mobility controllers_douglas burke_ste...
WebRTC Customer Experience Optimizations - Kranky Geek Presentation
The Path to a Programmable Network
Enabling AirPrint & AirPlay on Your Network
AZ-104 Microsoft Azure cloud Administration
Discover Aura Workshop (12.5.23).pdf
Pushing Java EE outside of the Enterprise: Home Automation and IoT - David De...
VAR Presentation
Mobility switch security architecture scott calzia madani adjali
Meet the Committers Webinar_ Lab Preparation
Take Authentic HPE6-A70 PDF Questions by Test4Practice
A brief introduction to Simplified Technical English implementation
HTTP/2 Comes to Java - What Servlet 4.0 Means to You

Recently uploaded (20)

PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
PDF
Chapter 3 Spatial Domain Image Processing.pdf
PDF
MIND Revenue Release Quarter 2 2025 Press Release
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
PDF
Spectral efficient network and resource selection model in 5G networks
PPTX
Big Data Technologies - Introduction.pptx
PDF
NewMind AI Weekly Chronicles - August'25 Week I
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
PPTX
MYSQL Presentation for SQL database connectivity
PDF
Approach and Philosophy of On baking technology
PDF
cuic standard and advanced reporting.pdf
PPTX
Cloud computing and distributed systems.
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
PDF
Empathic Computing: Creating Shared Understanding
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
Chapter 3 Spatial Domain Image Processing.pdf
MIND Revenue Release Quarter 2 2025 Press Release
Dropbox Q2 2025 Financial Results & Investor Presentation
Spectral efficient network and resource selection model in 5G networks
Big Data Technologies - Introduction.pptx
NewMind AI Weekly Chronicles - August'25 Week I
Reach Out and Touch Someone: Haptics and Empathic Computing
The Rise and Fall of 3GPP – Time for a Sabbatical?
Per capita expenditure prediction using model stacking based on satellite ima...
MYSQL Presentation for SQL database connectivity
Approach and Philosophy of On baking technology
cuic standard and advanced reporting.pdf
Cloud computing and distributed systems.
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
Diabetes mellitus diagnosis method based random forest with bat algorithm
Empathic Computing: Creating Shared Understanding

Aerohive Configuration guide.

  • 1. © 2013 Aerohive Networks CONFIDENTIAL AEROHIVE CERTIFIED NETWORKING PROFESSIONAL (ACNP) 1
  • 2. © 2013 Aerohive Networks CONFIDENTIAL Introductions 2 •What is your name? •What is your organizations name? •How long have you worked in networking? •What was your 1st computer?
  • 3. © 2013 Aerohive Networks CONFIDENTIAL Facilities Discussion 3 • Course Material Distribution • Course Times • Restrooms • Break room • Smoking Area • Break Schedule › Morning Break › Lunch Break › Afternoon Break
  • 4. © 2013 Aerohive Networks CONFIDENTIAL Aerohive Switching & Routing Configuration (ACNP) – Course Overview 4 Each student connects to HiveManager, a remote PC, and a Aerohive AP over the Internet from their wireless enabled laptop in the classroom, and then performs hands on labs the cover the following topics: • Overview of Switching and Routing Platforms • Unified Network Policy Management • Spanning Tree • Device Templates • Port Types (802.1Q Ports, Phone and Data Ports, Secure Access Ports, Guest Access Ports and WAN ports) • Aggregate Channels • PoE • VLAN to Network mapping • Router templates • Parent networks and branch subnets • Layer 3 VPN with VPN Gateway Virtual Appliance • Policy Based Routing • Router Firewall • Cookie Cutter Branch Networking 2 Day Hands on Class
  • 5. © 2013 Aerohive Networks CONFIDENTIAL Copyright ©2011 Aerohive Training Remote Lab 5 Aerohive Access Points using external antenna connections and RF cables to connect to USB Wi-Fi client cards (Black cables) Access Points are connected from eth0 to Aerohive Managed Switches with 802.1Q VLAN trunk support providing PoE to the APs (Yellow cables) Firewall with routing support, NAT, and multiple Virtual Router Instances Access Points are connected from their console port to a console server (White Cables) Console server to permit SSH access into the serial console of Aerohive Access Points Server running VMware ESXi running Active Directory, RADIUS, NPS and hosting the virtual clients used for testing configurations to support the labs
  • 6. © 2013 Aerohive Networks CONFIDENTIAL Aerohive CBT Learning 6 http://www.aerohive.com/cbt
  • 7. © 2013 Aerohive Networks CONFIDENTIAL The 20 Minute Getting Started Video Explains the Details 7 Please view the Aerohive Getting Started Videos: http://www.aerohive.com/330000/docs/help/english/cbt/Start.ht m
  • 8. © 2013 Aerohive Networks CONFIDENTIAL Aerohive Technical Documentation 8 All the latest technical documentation is available for download at: http://www.aerohive.com/techdocs
  • 9. © 2013 Aerohive Networks CONFIDENTIAL Aerohive Instructor Led Training 9 • Aerohive Education Services offers a complete curriculum that provides you with the courses you will need as a customer or partner to properly design, deploy, administer, and troubleshoot all Aerohive WLAN solutions. • Aerohive Certified WLAN Administrator (ACWA) – First-level course • Aerohive Cerified WLAN Professional (ACWP) – Second-level course • Aerohive Certified Network Professional (ACNP) – Switching/Routing course • www.aerohive.com/training – Aerohive Class Schedule
  • 10. © 2013 Aerohive Networks CONFIDENTIAL Over 20 books about networking have been written by Aerohive Employees 10 CWNA Certified Wireless Network Administrator Official Study Guide by David D. Coleman and David A. Westcott CWSP Certified Wireless Security Professional Official Study Guide by David D. Coleman, David A. Westcott, Bryan E. Harkins and Shawn M. Jackman CWAP Certified Wireless Analysis Professional Official Study Guide by David D. Coleman, David A. Westcott, Ben Miller and Peter MacKenzie 802.11 Wireless Networks: The Definitive Guide, Second Edition by Matthew Gast 802.11n: A Survival Guide by Matthew Gast Aerohive Employees 802.11ac: A Survival Guide by Matthew Gast Over 20 books about networking have been written by Aerohive Employees
  • 11. © 2013 Aerohive Networks CONFIDENTIAL Aerohive Exams and Certifications 11 • Aerohive Certified Wireless Administrator (ACWA) is a first- level certification that validates your knowledge and understanding about Aerohive Network’s WLAN Cooperative Control Architecture. (Based upon Instructor Led Course) • Aerohive Certified Wireless Professional (ACWP) is the second-level certification that validates your knowledge and understanding about Aerohive advanced configuration and troubleshooting. (Based upon Instructor Led Course) • Aerohive Certified Network Professional (ACNP) is another second-level certification that validates your knowledge about Aerohive switching and branch routing. (Based upon Instructor Led Course)
  • 12. © 2013 Aerohive Networks CONFIDENTIAL Aerohive Forums 12 • Aerohive’s online community – HiveNation Have a question, an idea or praise you want to share? Join the HiveNation Community - a place where customers, evaluators, thought leaders and students like yourselves can learn about Aerohive and our products while engaging with like-minded individuals. • Please, take a moment and register during class if you are not already a member of HiveNation. Go to http://community.aerohive.com/aerohive and sign up!
  • 13. © 2013 Aerohive Networks CONFIDENTIAL Aerohive Social Media 13 The HiveMind Blog: http://blogs.aerohive.com Follow us on Twitter: @Aerohive Instructor: David Coleman: @mistermultipath Instructor: Bryan Harkins: @80211University Instructor: Gregor Vucajnk: @GregorVucajnk Instructor: Metka Dragos: @MetkaDragos Please feel free to tweet about #Aerohive training during class.
  • 14. © 2013 Aerohive Networks CONFIDENTIAL Copyright ©2011 Aerohive Technical Support – General 14 I want to talk to somebody live. Call us at 408-510-6100 / Option 2. We also provide service toll-free from within the US & Canada by dialing (866) 365-9918. Aerohive has Support Engineers in the US, China, and the UK, providing coverage 24 hours a day. Support Contracts are sold on a yearly basis, with discounts for multi-year purchases. Customers can opt to purchase Support in either 8x5 format or in a 24 hour format. How do I buy Technical Support? I have different expiration dates on several Entitlement keys, may I combine all my support so it all expires on the same date? Your Aerohive Sales Rep can help you set-up Co-Term, which allows you to select matching expiration dates for all your support.
  • 15. © 2013 Aerohive Networks CONFIDENTIAL Copyright ©2011 Aerohive Technical Support – The Americas 15 Aerohive Technical Support is available 24 hours a day. This can be via the Aerohive Support Portal or by calling. For the Support Portal, an authorized customer can open a Support Case. Communication is managed via the portal with new messages and replies. Once the issue is resolved, the case is closed, and can be retrieved at any time in the future. How do I reach Technical Support? I want to talk to somebody live. For those who wish to speak with an engineer call us at 408-510- 6100 / Option 2. We also provide service toll-free from within the US & Canada by dialing (866) 365-9918. I need an RMA in The Americas An RMA is generated via the Support Portal, or by calling our Technical Support group. After troubleshooting, should the unit require repair, we will overnight* a replacement to the US and Canada. Other countries are international. If the unit is DOA, it’s replaced with a brand new item, if not it is replaced with a like new reburbished item. *Restrictions may apply: time of day, location, etc.
  • 16. © 2013 Aerohive Networks CONFIDENTIAL Copyright ©2011 Aerohive Technical Support – International 16 Aerohive international Partners provide dedicated Technical Support to their customers. The Partner has received specialized training on Aerohive Networks’ product line, and has access to 24 hour Internal Aerohive Technical Support via the Support Portal, or by calling 408-510-6100 / Option 2. How Do I get Technical Support outside The Americas? World customer’s defective units are quickly replaced by our Partners, and Aerohive replaces the Partner’s stock once it arrives at our location. Partners are responsible for all shipping charges, duties, taxes, etc. I need an RMA internationally
  • 17. © 2013 Aerohive Networks CONFIDENTIAL Copyright Notice 17 Copyright © 2013 Aerohive Networks, Inc. All rights reserved. Aerohive Networks, the Aerohive Networks logo, HiveOS, Aerohive AP, HiveManager, and GuestManager are trademarks of Aerohive Networks, Inc. All other trademarks and registered trademarks are the property of their respective companies.
  • 18. © 2013 Aerohive Networks CONFIDENTIAL© 2013 Aerohive Networks CONFIDENTIAL QUESTIONS?
  • 19. © 2013 Aerohive Networks CONFIDENTIAL Overview of hardware and software platforms SWITCHING & ROUTING PRODUCT LINE 19
  • 20. © 2013 Aerohive Networks CONFIDENTIAL Copyright ©2011 Aerohive Switching Platforms 20 SR2124P SR2148P 24 Gigabit Ethernet 48 Gbps Ethernet 4 Ports 1G SFP Uplinks 4 Ports 10 G SFP/SFP+ Uplinks 24 PoE+ (408 W) 128 Gbps switch56Gbps switching 176 Gbps switch 48 PoE+ (779 W) Routing with 3G/4G USB support and Line rate switching Redundant Power Supply CapableSingle Power Supply 24 PoE+ (195 W) SR2024P Switching Only
  • 21. © 2013 Aerohive Networks CONFIDENTIAL Class Switches Deployed in Data Center • SR2024 › Line Rate Layer 2 Switch › 8 Ports of PoE › Multi-authentication access ports » 802.1X with fallback to MAC auth or open › Client Visibility » View client information by port › RADIUS Server › Internet Router › DHCP Server › USB 3G/4G Backup › Policy-based routing with Identity Internet AP AP PoE SR202 4 AP Provides Access For: • Employees • Guests • Contractors • Phones • APs • Servers Note: The switch model (2024) used in the lab has been superseded by improved models.
  • 22. © 2013 Aerohive Networks CONFIDENTIAL Express Mode • Optimized for ease of use • Uniform company-wide policy • One user profile per SSID Enterprise Mode • Enterprise sophistication • Multiple Network policies • Multiple user profiles/SSID HiveManager Appliance 2U • Redundant power& fans • HA redundancy • 5000 APs HiveManager Virtual Appliance • VMware ESX & Player • HA redundancy • 1500 APs with minimum configuration HiveManager Form Factors 22 HiveManager Appliance • Redundant power & fans • HA redundancy • 8000 APs HiveManager Virtual Appliance • VMware ESX & Player • HA redundancy • 5000 APs with minimum configuration HiveManager Online • Cloud-based SaaS management Topology Reporting Heat Maps SLA ComplianceRF PlannerSW, Config, & Policy Guest Mgmt
  • 23. © 2013 Aerohive Networks CONFIDENTIAL HiveManager Appliance 23
  • 24. © 2013 Aerohive Networks CONFIDENTIAL HiveManager Databases 24
  • 25. © 2013 Aerohive Networks CONFIDENTIAL Copyright ©2011 Aerohive Routing Platforms 25 BR 100 BR 200 AP 330 AP 350 Single Radio Dual Radio 2X 10/100/1000 Ethernet 5-10 Mbps FW/VPN 30-50Mbps FW/VPN 1x1 11bgn 3x3:3 450 Mbps 11abgn 5X 10/100 5X 10/100/1000 0 PoE PSE0 PoE PSE 2X PoE PSE * * Also available as a non-Wi-Fi device L3 IPSec VPN Gateway ~500 Mbps VPN 4000/1024 Tunnels Physical/Vir tual VPN Gateways
  • 26. © 2013 Aerohive Networks CONFIDENTIAL BR100 vs. BR200 26 BR100 BR200/BR200WP 5x FastEthernet 5x Gigabit Ethernet 1x1 11bgn (2.4Ghz) single radio 3x3:3 11abgn dual-band single radio (WP) No integrated PoE PoE (in WP model) No console port Console Port No Spectrum Analysis Integrated Spectrum Analysis (WP) No Wireless Intrusion Detection Full Aerohive WIPS (WP) No local RADIUS or AD integration Full Aerohive RADIUS, proxy, and AD No SNMP logging SNMP Support
  • 27. © 2013 Aerohive Networks CONFIDENTIAL 2x2:2 300 Mbps 11n High Power Radios 1X Gig.E -40 to 55°C PoE (802.3at) N/A Outdoor Water Proof (IP 68) Aerohive AP Platforms AP170 2X Gig E /w PoE Failover 3x3:3 450 + 1300 Mbps High Power Radios Dual Radio 802.11ac/n Plenum/Plenum Dust Proof -20 to 55°C AP390 Indoor Industrial Dual Radio 802.11n AP230 Dual Radio 802.11n 2X Gig.E - 10/100 link aggregation -20 to 55°C 0 to 40°C 3x3:3 450 Mbps High Power Radios TPM Security Chip PoE (802.3af + 802.3at) and AC Power Indoor Industrial Indoor Plenum/D ust Plenum Rated AP121 AP330 AP350 1X Gig.E 2x2:2 300 Mbps High Power Radios USB for 3G/4G Modem AP141 USB for future use Indoor 2X Gig.E w/ link aggregation Plenum Rated 0 to 40°C USB for future use AP370* * Includes 5 GHz Transmit Beamforming and in 2.4 GHz has TurboQAM
  • 28. © 2013 Aerohive Networks CONFIDENTIAL VPN Gateway Virtual Appliance 28 • Supports the following › GRE Tunnel Gateway › L2 IPSec VPN Gateway › L3 IPSec VPN Gateway › RADIUS Authentication Server › RADIUS Relay Agent › Bonjour Gateway › DHCP server • Use a VPN Gateway Virtual Appliance instead of an AP when higher scalability for these features are required Function Scale VPN Tunnels 1024 Tunnels RADIUS – Local users per VPN Gateway 9999 # Users Cache (RADIUS Server) 1024 # Simultaneous (RADIUS Server) authentications 256
  • 29. © 2013 Aerohive Networks CONFIDENTIAL VPN Gateway Physical Appliance 29 • Supports the following › GRE Tunnel Gateway › L2 IPSec VPN Gateway › L3 IPSec VPN Gateway › RADIUS Authentication Server › RADIUS Relay Agent › Bonjour Gateway › DHCP server • Use a VPN Gateway Appliance instead of an AP when higher scalability for these features are required Function Scale VPN Tunnels 4000 Tunnels RADIUS – Local users per VPN Gateway 9999 # Users Cache (RADIUS Server) 1024 # Simultaneous (RADIUS Server) authentications 256 Ports: One 10/100/1000 WAN port Four LAN ports two support PoE
  • 30. © 2013 Aerohive Networks CONFIDENTIAL© 2013 Aerohive Networks CONFIDENTIAL QUESTIONS?
  • 31. © 2013 Aerohive Networks CONFIDENTIAL Lab Infrastructure 31 PC PoE SR202 4 AP PC PoE SR202 4 AP Core Access Student Space Instructor Space Student 2 Student X Distribution HiveManager Router VLAN 1 ip address 10.100.1.1/24 VLAN 2 ip address 10.100.2.1/24 VLAN 8 ip address 10.100.8.1/24 VLAN10 ip address 10.100.10.1/24
  • 32. © 2013 Aerohive Networks CONFIDENTIAL SWITCHING 32
  • 33. © 2013 Aerohive Networks CONFIDENTIAL Lab: Setting up a Wireless Network 1. Connect to the Hosted Training HiveManager 33 • Securely browse to the appropriate HiveManager for class › TRAINING LAB 1 https://training-hm1.aerohive.com https://72.20.106.120 › TRAINING LAB 2 https://training-hm2.aerohive.com https://72.20.106.66 › TRAINING LAB 3 https://training-hm3.aerohive.com https://209.128.124.220 › TRAINING LAB 4 https://training-hm4.aerohive.com https://203.214.188.200 › TRAINING LAB 5 https://training-hm5.aerohive.com https://209.128.124.230 • Supported Browsers: › Firefox, Internet Explorer, Chrome, Safari • Class Login Credentials: › Login: adminX X = Student ID 2 - 29 › Password: aerohive123 NOTE: In order to access the HiveManager, someone at your location needs to enter the training firewall credentials given to them by the instructor first.
  • 34. © 2013 Aerohive Networks CONFIDENTIAL Lab: Setting Up a Wireless Network 2. Create a Network Policy 34 • Go to Configuration • Click the New Button
  • 35. © 2013 Aerohive Networks CONFIDENTIAL Lab: Setting Up a Wireless Network 3. Enable network policy options 35 • Name: Access-X • Check the options for › Wireless Access › Switching › Bonjour Gateway • Click Create • Note, enabling Branch Routing: » Enables L3 VPN Configuration » Disable L2 VPN Configuration » Enable L3 Router Firewall Policy » Policy-Based Routing with Identity » Enables Router configuration settings in Additional Settings
  • 36. © 2013 Aerohive Networks CONFIDENTIAL Network Policy Components 36 • Wireless Access – Use when you have an AP only deployment, or you require specific wireless policies for APs in a mixed AP and router deployment • Branch Routing– Use when you are managing routers, or APs behind routers that do not require different Network Policies than the router they connect through BR100 BR200 AP AP Internet Internet Small Branch Office or Teleworker Site Small to Medium Size Branch Office that may have APs behind the router
  • 37. © 2013 Aerohive Networks CONFIDENTIAL • Bonjour Gateway › Allows Bonjour services to be seen in multiple subnets • Switching › Used to manage wired traffic using Aerohive Switches Network Policy Components 37 Internet AP AP PoE SR2024 AP
  • 38. © 2013 Aerohive Networks CONFIDENTIAL Lab: Setting Up a Wireless Network 4. Create a New SSID Profile 38 Network Configuration • Next to SSIDs click Choose • Then click New
  • 39. © 2013 Aerohive Networks CONFIDENTIAL Lab: Setting Up a Wireless Network 5. Configure Employee SSID 39 • SSID Profile: Class-PSK-X X = 2 – 29 (Student ID) • SSID: Class-PSK-X • Select WPA/WPA2 PSK (Personal) • Uncheck the Obscure Password checkbox • Key Value: aerohive123 • Confirm Value: aerohive123 • Click Save • Click OK For the ALL labs, please follow the class naming convention.
  • 40. © 2013 Aerohive Networks CONFIDENTIAL Lab: Setting Up a Wireless Network 6. Create a User Profile 40 • To the right of your SSID, under User Profile, click Add/Remove In Choose User Profiles • Click the New button
  • 41. © 2013 Aerohive Networks CONFIDENTIAL Lab: Setting Up a Wireless Network 7. Define User Profile Settings 41 •Name: Employee-X •Attribute Number:10 Default VLAN: From the drop down box, •Select Create new VLAN, type:10 •Click Save
  • 42. © 2013 Aerohive Networks CONFIDENTIAL Lab: Setting Up a Wireless Network 8. Choose User Profile and Save 42 •Ensure Employee-X User Profile is highlighted •Click Save
  • 43. © 2013 Aerohive Networks CONFIDENTIAL Lab: Setting Up a Wireless Network 9. Review your policy and save 43 • From the Configure Interfaces & User Access bar, click Save
  • 44. © 2013 Aerohive Networks CONFIDENTIAL SPANNING TREE BEHAVIOR 44
  • 45. © 2013 Aerohive Networks CONFIDENTIAL How loops happen 1. Client sends broadcast such as ARP request 2. Switch A forwards packet on all interfaces, except source interface 3. Switch B receives the broadcast twice, but does not know it is the same broadcast. It forwards the broadcast from interface 1 on interface 24 and vice versa 4. Switch A again receives the broadcast twice and does the same at Switch B. (It also sends both broadcasts back to the client 5. Rinse and repeat. The broadcast never leaves the network B A
  • 46. © 2013 Aerohive Networks CONFIDENTIAL 46 Easy to solve, right? Just disconnect one cable… But now there is no redundancy… Have no fear! There was once a loop to be, In a redundant path for everyone to see. The packets went round and round, Until a new sheriff was found. His name? Well, Spanning Tree! Spanning Tree
  • 47. © 2013 Aerohive Networks CONFIDENTIAL 47 So what does the Spanning Tree Protocol (STP) do? High level overview: 1. All interfaces are blocked (for non STP traffic) while the switches elect a root bridge (switch) 2. After the root bridge is elected, switches calculate the lowest cost path to the root bridge 3. Unblock corresponding ports and keep redundant ports blocked 4. If an active link fails, unblock redundant port I am root! Speed 1Gbit Cost: 20,000 Speed 100Mbit Cost: 200,000 Root doesn’t have to calculate Spanning Tree
  • 48. © 2013 Aerohive Networks CONFIDENTIAL Spanning Tree – extra reading Found in the class materials: Spanning-Tree-Overview.pptx • STP • RSTP • MSTP • (R)PVST
  • 49. © 2013 Aerohive Networks CONFIDENTIAL Switch Spanning Tree Settings 49 • By default, spanning tree is disabled on Aerohive switches › Why? › If you plug an edge switch into a network, and the switch priority is a lower number (higher priority) on our switch, than what is configured on the existing network, our switch will become the root switch › This means that the optimal path and links that are available through a network will be chosen based on getting to your edge switch! › This most likely is not what a customer wants to do! ;-) • What is the downside of not enabling spanning tree by default? › If you plug two cables from our switch to the distribution switch network, and the ports are not configured as an aggregate, you can cause a loop! › This is far less of a concern than enabling spanning tree by default and possibly rerouting all traffic through our switch, so we will disable spanning tree by default
  • 50. © 2013 Aerohive Networks CONFIDENTIAL Verify Existing Network Spanning Tree Priorities 50 • Before installing an Aerohive switch into an existing switch network, have the company determine the root switch and backup root switch priority • Ensure our spanning tree priority is set to a higher number • For example, on a Cisco Catalyst switch you can type: CS-Dist-2#show spanning-tree MST0 Spanning tree enabled protocol mstp Root ID Priority 12288 Address 000f.23b9.0d80 Cost 0 Port 25 (GigabitEthernet0/1) Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Bridge ID Priority 16384 (priority 16384 sys-id-ext 0) Address 001f.274c.5180 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Interface Role Sts Cost Prio.Nbr Type ------------------- ---- --- --------- -------- ----- Fa0/24 Desg FWD 200000 128.24 P2p Gi0/1 Root FWD 200000 128.25 P2p
  • 51. © 2013 Aerohive Networks CONFIDENTIAL Verify Existing Network Spanning Tree Priorities 51 CS-Dist-2#show spanning-tree MST0 Spanning tree enabled protocol mstp Root ID Priority 12288 Address 000f.23b9.0d80 Cost 0 Port 25 (GigabitEthernet0/1) Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Bridge ID Priority 16384 (priority 16384 sys-id-ext 0) Address 001f.274c.5180 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Interface Role Sts Cost Prio.Nbr Type ------------------- ---- --- --------- -------- ----- Fa0/24 Desg FWD 200000 128.24 P2p Gi0/1 Root FWD 200000 128.25 P2p • Here you can see the Root Priority is: 12288 • The switch this command is run on shows a priority of 16384 • So most likely our switch default priority of: 32768 will not cause any harm
  • 52. © 2013 Aerohive Networks CONFIDENTIAL Lab: Enable Spanning Tree 1. Enable Spanning Tree 52 From the network policy that has switching enabled • Go to Additional Settings and click Edit
  • 53. © 2013 Aerohive Networks CONFIDENTIAL Lab: Enable Spanning Tree 2. Enable RSTP 53 Enable Rapid Spanning Tree • Expand Switch Settings • Expand STP Settings • Check the box to Enable STP (Spanning Tree Protocol) • Select the radio button to enable RSTP (Rapid Spanning Tree) • Click Save
  • 54. © 2013 Aerohive Networks CONFIDENTIAL Lab: Enable Spanning Tree 3. Save your Network Policy 54 • From the Configure Interfaces & User Access bar, click Save
  • 55. © 2013 Aerohive Networks CONFIDENTIAL Spanning Tree – Switch specific settings 55 More detailed Spanning Tree settings can be configured on an individual switch in device level settings should that be required.
  • 56. © 2013 Aerohive Networks CONFIDENTIAL DEVICE TEMPLATES FOR DEFINING SWITCH PORT SETTINGS 56
  • 57. © 2013 Aerohive Networks CONFIDENTIAL Device Templates 57 • HiveManager Device Templates are used to assign switches at the same or different sites to a common set of port configurations • For example, ports 1, 2 are for APs, ports 3-6 are for phones, etc… AP PoE SR202 4 APAP PoE SR202 4 AP Distribution Access/Edge HiveManager – SR2024 as switch device template
58. Device Templates
• Device templates are used to define the ports for the same device, for devices with the same number of ports, and for a device function
• Device templates do not set the device function (switch, router, or AP); they only match devices that are configured with the matching function
• You configure a device's function in the device-specific configuration
Diagram: one template applies to SR2024 switches configured as switches; another applies to SR2024 switches configured as routers, which requires a WAN port (depicted with a cloud icon)

59. Device Templates for Devices Requiring Different Port Settings
• If devices of the same type and function require different port configurations, you can:
  › 1. Configure device classification tags so that different devices receive different device templates
  › 2. Create a new network policy with a different device template
Diagram: "SR2024 as Switch" template for Default Sites (Default Site) and a second "SR2024 as Switch" template for Small Sites (Device Classification Tag: Small Site)
Note: The switch model (SR2024) used in the lab has been superseded by improved models.

60. CONFIGURE DEVICE TEMPLATES FOR DEFINING SWITCH PORT SETTINGS

61. Lab: Configure Device Templates – 1. Create device template
• Next to Device Templates, click Choose
• Click New

62. Lab: Configure Device Templates – 2. Create switch template
• Name: SR2024-Default-X
• Click Device Models
• Select SR2024
• Click OK
• For "SR2024, when functioning as:", select Switch
• Click Save
Note: Here you are not setting the SR2024 to function as a switch. You are only specifying that this template applies to SR2024s that are configured to function as a switch. The switch/router function is configured in the switch device settings.
Note: You only see Switch as an option (not Switch and Router) because Routing was not enabled in the selection box when this Network Policy was created.

63. Lab: Configure Device Templates – 3. Save switch template
• Ensure your device template is selected and click OK
• The device template appears in the Device Templates section
• You can show or hide the individual device template by clicking the triangle
Screenshot callout: the icon shows that this is a template for your switch functioning as a switch

64. Lab: Configure Device Templates – 4. Save your Network Policy
• From the Configure Interfaces & User Access bar, click Save
65. LINK AGGREGATION

66. Lab Infrastructure – Aggregate Links for Connection to Distribution
Aggregates are statically configured, similar to EtherChannel. There is no LACP (Link Aggregation Control Protocol) in this release.
• You can have 8 ports in one channel
  › The ports do not have to be contiguous
• Every port on the SR2024 can be configured into a port channel except the USB and console ports
• To determine which member port of an aggregate a frame is sent on, the switch hardware hashes the header fields of the frames selected for load balancing
  › Load balancing options are:
    » Source & Destination MAC, IP, and Port
    » Source & Destination IP and Port
    » Source & Destination IP
    » Source & Destination MAC
Diagram: PC – SR2024 – AP

67. Lab Infrastructure – Aggregate Links for Connection to Distribution
• Load balancing of broadcast, multicast, and unknown unicast traffic between ports in an aggregate is based on source/destination MAC and IP
• You cannot configure an 802.1X port in an EtherChannel
• MAC learning is done on the port channel, not on the member port
• Only ports with the same physical media type and speed can be grouped into one aggregate
• LLDP is supported per port but not per channel
Diagram: PC – SR2024 – AP

68. Lab Infrastructure – Do Not Do This with Aggregates
• In this case, distribution switch 1 and distribution switch 2 will see the same MAC addresses, which causes MAC flapping
  › i.e. traffic from PC A might be load balanced to both Switch 1 and Switch 2
• In this case there will also be a loop!
• Aggregates must be built between a pair of switches only!
Diagram: PC – SR2024 – Aggregate 1 split between Distribution Switch 1 and Distribution Switch 2

69. AGGREGATION – CONFIGURATION EXAMPLE

70. Aggregate Links for Switch Connections to Distribution Layer Switches
Each access switch will have two aggregates:
• Aggregate 1: Ports 17, 18
• Aggregate 2: Ports 19, 20
These ports are not connected in this classroom; this is only a configuration example.
Diagram: Core, Distribution, and Access layers (SR2024 PoE switch with PC and AP), aggregates to the distribution switches, ESXi Server, HMOL
71. Lab: Link Aggregation – 1. Select ports 17 and 18
Select the ports that will be used to connect to the distribution layer switches (example only; aggregates are not used in class).
NOTE: It is recommended not to use the first 8 ports on the SR2024, which provide PoE.
• Select ports 17 and 18
• Check the box for "Aggregate selected ports…"
• Enter 1
• Click Configure

72. Lab: Link Aggregation – 2. Create Trunk Port policy
• Click New
• Name: Trunk-X
• Port Type: 802.1Q
• QoS Classification: Trusted Traffic Source
  › Map to DSCP or 802.1p
  Note: This means we are trusting the markings applied by the upstream network infrastructure
• QoS Marking: Map Aerohive…
  › Map to DSCP or 802.1p
• Click Save

73. Lab: Link Aggregation – 2. Save Trunk Port policy
• Ensure that Trunk-X is selected, then click OK

74. Lab: Link Aggregation – 3. Select ports 19 and 20
• Select ports 19 and 20
• Check "Aggregate selected ports…" and enter 2

75. Lab: Link Aggregation – 4. Assign Trunk policy
• Click Configure
• For "Choose port type", select the 802.1Q trunk that you created previously: Trunk-X
• Click OK

76. Lab: Link Aggregation – 5. Review port settings
Ports 17, 18, 19, and 20 now display an 802.1Q trunk icon and should all appear the same, even though there are two different aggregates.

77. Lab: Link Aggregation – 6. Save your Network Policy
• From the Configure Interfaces & User Access bar, click Save
78. CONFIGURE UPLINKS USED IN THE CLASSROOM

79. Classroom Links for Switch Connections to Distribution Layer Switches
For the class, we are going to configure single uplinks without aggregation to connect to the distribution switches.
• Single uplinks: Ports 23, 24
Port 23 will be connected to Distribution switch 1, and port 24 will be connected to Distribution switch 2.
Diagram: Core, Distribution, and Access layers (SR2024 PoE switch with PC and AP), ESXi Server, HMOL, 3CX IP PBX 10.100.1.?

80. Lab: Configure Uplink Ports – 1. Select Ports 23 and 24
Select the ports that will be used to connect to the distribution layer switches.
• Select ports 23 and 24
• Click Configure

81. Lab: Configure Uplink Ports – 2. Assign port policy and save
• For "Choose port type", select the 802.1Q trunk that you created previously: Trunk-X
• Click OK
• Ports 23 and 24 should now be the same color as the other trunk ports

82. Lab: Configure Uplink Ports – 3. Save your Network Policy
• From the Configure Interfaces & User Access bar, click Save
83. CONFIGURE PORTS FOR APS

84. Lab Infrastructure – Configure PoE Ports for APs
Configure two of the PoE ports for APs.
• Use ports 1 and 2 for APs
NOTE: For class there is an AP connected to port 1 of every switch.
Diagram: Core, Distribution, and Access layers (SR2024 PoE switch with APs and IP Phones), ESXi Server, HMOL

85. Lab: Configure Access Point Ports – 1. Select ports 1 and 2
Select the ports that will be used to connect to APs.
NOTE: The first 8 ports on an SR2024 provide power.
• Select ports 1 and 2
• Click Configure

86. Lab: Configure Access Point Ports – 2. Create Trunk Policy
• Click New
• Name: AP-Trunk-X
• Port Type: 802.1Q
• QoS Classification: Trusted Traffic Source
  › Map to DSCP or 802.1p
  Note: This means we are trusting the markings applied by the upstream network infrastructure
• QoS Marking: Map Aerohive…
  › Map to DSCP or 802.1p
• Click Save

87. Lab: Configure Access Point Ports – 3. Assign AP-Trunk policy to ports 1 and 2
• Ensure that AP-Trunk-X is selected
• Click OK
• Ports 1 and 2 now display an 802.1Q trunk icon, but this time a power symbol appears as well, because ports 1 through 8 can provide power
• Notice that ports 1 and 2 are a different color because they have a different port policy from the other ports

88. Lab: Configure Access Point Ports – 4. Save your Network Policy
• From the Configure Interfaces & User Access bar, click Save
89. CONFIGURE POWER SOURCING EQUIPMENT (PSE) PORTS FOR POWER OVER ETHERNET (POE)

90. PoE Overview
• PoE standards define the capabilities of the power sourcing equipment (PSE) and the powered device (PD)
• The PSE is an Aerohive switch; Aerohive access points are considered PDs
• The 802.3af PoE standard defines 15.4 Watts from the PSE
• All 802.11n Aerohive APs will work with 802.3af; CAT5e cabling or better is required
• The maximum draw of an Aerohive AP-330 is 14.95 Watts

91. PoE Overview
• The 802.3at standard (PoE+) defines 32 Watts from the PSE
• The 802.11ac Aerohive AP230 is fully functional using 802.3af
• However, the older 802.11ac Aerohive APs (AP370 and AP390) require PoE+ for full functionality
• The AP370 and AP390 will function with 802.3af PoE, but their 80 MHz channel capability is restricted

92. PoE Power Budgets
• Careful PoE power budget planning is a must
• Access points will randomly reboot if the power budget has been exceeded and the APs cannot draw the power they need
Switch PoE budgets:
• SR2024P: 24 PoE+ ports (195 W)
• SR2124P: 24 PoE+ ports (408 W)
• SR2148P: 48 PoE+ ports (779 W)
93. Lab: Configure PoE Ports – 1. Select additional port settings
• Select "Additional port settings" to configure:
  › Port Channel Load-Balance Mode Settings
  › PoE port (PSE) Settings
The Additional Port Settings link is only available if no ports are currently selected.

94. Lab: Configure PoE Ports – 2. Aggregate channel settings
• For Port Channel Load-Balance Mode, select the frame header fields that will be hashed to determine which member port a frame egresses
  › NOTE: If you are testing with a single client, especially for a demo, the more fields you include in the hash, the better the chance that its traffic egresses on multiple ports
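How the load-balance mode decides which member port a frame leaves on, as an added example that is not part of the original deck or of Aerohive's software: the switch hashes the selected header fields and folds the result onto the member list, so every frame of one flow takes the same link, and a single client whose sessions differ only in their TCP/UDP ports spreads across links only when the chosen mode includes the port fields. That is the mechanism behind both the hashing description on the link aggregation slides and the note above about single-client demos. The hash function (CRC32 modulo the member count), the port names and the 64 constructed flows are assumptions; the switch ASIC uses its own function, but the behaviour it explains is the same.

```python
"""Member-port selection in a static aggregate (added example, not Aerohive code)."""
import zlib
from typing import Dict, Iterable, List, Sequence, Tuple

# The four load-balance modes from the slides, as the header fields each one hashes.
LOAD_BALANCE_MODES: Dict[str, Tuple[str, ...]] = {
    "src-dst-mac-ip-port": ("src_mac", "dst_mac", "src_ip", "dst_ip", "src_port", "dst_port"),
    "src-dst-ip-port": ("src_ip", "dst_ip", "src_port", "dst_port"),
    "src-dst-ip": ("src_ip", "dst_ip"),
    "src-dst-mac": ("src_mac", "dst_mac"),
}

Flow = Dict[str, str]   # one flow = the header fields of its frames


def select_member(flow: Flow, mode: str, members: Sequence[str]) -> str:
    """Pick the egress member port for a frame of `flow` under `mode`.

    The hash (CRC32 of the selected fields, reduced modulo the member count) is
    an assumption standing in for the hardware hash; what matters is that it is
    deterministic per flow and only depends on the fields the mode names.
    """
    if not 1 <= len(members) <= 8:
        raise ValueError("an aggregate has 1 to 8 member ports")
    key = "|".join(flow[field] for field in LOAD_BALANCE_MODES[mode]).encode()
    return members[zlib.crc32(key) % len(members)]


def distribution(flows: Iterable[Flow], mode: str, members: Sequence[str]) -> Dict[str, int]:
    """Count how many flows land on each member port under `mode`."""
    counts = {member: 0 for member in members}
    for flow in flows:
        counts[select_member(flow, mode, members)] += 1
    return counts


def links_in_use(flows: Iterable[Flow], mode: str, members: Sequence[str]) -> int:
    """Number of member ports that carry at least one of the flows."""
    return sum(1 for n in distribution(flows, mode, members).values() if n > 0)


# Constructed sample: one PC (the single demo client from the lab note) opening
# 64 TCP sessions to one server.  Only the L4 source port differs between them,
# so MAC-only or IP-only hashing maps all of them to the same member port.
AGGREGATE_1: Tuple[str, str] = ("eth1/17", "eth1/18")
SINGLE_CLIENT_FLOWS: List[Flow] = [
    {"src_mac": "00:11:22:33:44:55", "dst_mac": "00:aa:bb:cc:dd:01",
     "src_ip": "10.100.1.50", "dst_ip": "10.5.1.10",
     "src_port": str(49152 + i), "dst_port": "443"}
    for i in range(64)
]

if __name__ == "__main__":
    for mode in LOAD_BALANCE_MODES:
        print(f"{mode:22s} {distribution(SINGLE_CLIENT_FLOWS, mode, AGGREGATE_1)}")
```

Running the block prints one line per mode; the two modes without port fields put all 64 sessions on one member, which is exactly what a single-client demo shows when the mode is left at MAC or IP hashing.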
95. Lab: Configure PoE Ports – 3. PSE settings
• Expand PSE Settings
• Because only the first two ports have been configured, you can only configure PSE (Provides PoE) settings on the first two ports
• Next to Eth1/1, click +

96. Lab: Configure PoE Ports – 4. PSE settings
• Name: af-high-X
• Power Mode: 802.3af
• Power Limit: 15400 mW
• Priority: high
• Click Save
Note: The default PoE port setting is 802.3at (PoE+). Power priority can be low, high, or critical.

97. Lab: Configure PoE Ports – 5. PSE settings
• Assign Eth1/1 and Eth1/2 to: af-high-X
• Click Save
NOTE: You will only see the interfaces (ports) that have been assigned to a port type

98. Lab: Configure PoE Ports – 6. Save your Network Policy
• From the Configure Interfaces & User Access bar, click Save
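A power-budget check that ties the PoE overview slides to the PSE profile just configured, as an added example that is not part of the original deck or of Aerohive's software. It uses the switch budgets and the 802.3af port ceiling quoted on the slides (SR2024P 195 W, SR2124P 408 W, SR2148P 779 W, 802.3af 15.4 W) and the lab profile's shape (power mode, power limit in mW, priority low/high/critical). The planner reserves each port's configured limit rather than its measured draw, and when the budget is short it powers ports in priority order (critical, then high, then low, lower port numbers first within a priority) and sheds the rest; that ordering, the 30 W figure used for an 802.3at port limit, and the port assignments in the oversubscribed case are assumptions for illustration, so check the switch's own behaviour before relying on it.

```python
"""PoE budget check for PSE port profiles (added example, not Aerohive code)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Budgets from the PoE Power Budgets slide.
SWITCH_BUDGET_MW: Dict[str, int] = {"SR2024P": 195_000, "SR2124P": 408_000, "SR2148P": 779_000}
# Per-port ceiling at the PSE: 15.4 W for 802.3af as on the slides; 30 W is the
# IEEE 802.3at Type 2 PSE figure used here (assumption; the slides quote 32 W).
MODE_MAX_MW: Dict[str, int] = {"802.3af": 15_400, "802.3at": 30_000}
PRIORITY_RANK: Dict[str, int] = {"critical": 0, "high": 1, "low": 2}


@dataclass(frozen=True)
class PseProfile:
    """The fields of the HiveManager PSE profile from the lab (af-high-X)."""
    name: str
    power_mode: str
    power_limit_mw: int
    priority: str

    def __post_init__(self) -> None:
        if self.power_mode not in MODE_MAX_MW:
            raise ValueError(f"{self.name}: unknown power mode {self.power_mode}")
        if self.priority not in PRIORITY_RANK:
            raise ValueError(f"{self.name}: priority must be low, high or critical")
        if not 0 < self.power_limit_mw <= MODE_MAX_MW[self.power_mode]:
            raise ValueError(f"{self.name}: {self.power_limit_mw} mW exceeds {self.power_mode}")


def port_number(port: str) -> int:
    """'eth1/12' -> 12 (HiveOS-style interface names)."""
    return int(port.rsplit("/", 1)[1])


def plan_budget(model: str, assignments: Dict[str, PseProfile]) -> Tuple[List[str], List[str], int]:
    """Return (powered_ports, shed_ports, remaining_mw) for `model`.

    Ports are granted their configured limit in priority order; a port whose
    limit no longer fits is shed (assumed shedding policy).  A shed AP is the
    one that "randomly reboots" in the field.
    """
    budget = SWITCH_BUDGET_MW[model]
    order = sorted(assignments, key=lambda p: (PRIORITY_RANK[assignments[p].priority], port_number(p)))
    powered: List[str] = []
    shed: List[str] = []
    used = 0
    for port in order:
        limit = assignments[port].power_limit_mw
        if used + limit <= budget:
            powered.append(port)
            used += limit
        else:
            shed.append(port)
    return powered, shed, budget - used


# The lab profile: 802.3af, 15400 mW, priority high, assigned to Eth1/1 and Eth1/2.
AF_HIGH = PseProfile("af-high-X", "802.3af", 15_400, "high")


def lab_example() -> Tuple[List[str], List[str], int]:
    """The classroom case: two AP ports on an SR2024P, comfortably inside 195 W."""
    return plan_budget("SR2024P", {"eth1/1": AF_HIGH, "eth1/2": AF_HIGH})


def oversubscribed_example() -> Tuple[List[str], List[str], int]:
    """Constructed: 8 APs (high), 15 phones (low) and one critical PoE+ device on an SR2024P."""
    af_low = PseProfile("af-low", "802.3af", 15_400, "low")
    at_critical = PseProfile("at-critical", "802.3at", 30_000, "critical")
    ports = {f"eth1/{n}": AF_HIGH for n in range(1, 9)}
    ports.update({f"eth1/{n}": af_low for n in range(9, 24)})
    ports["eth1/24"] = at_critical
    return plan_budget("SR2024P", ports)


if __name__ == "__main__":
    print("lab:", lab_example())
    print("oversubscribed:", oversubscribed_example())
```

In the oversubscribed case the critical port and the eight high-priority AP ports are powered first, only two of the fifteen low-priority phone ports fit in what is left, and the other thirteen are shed; planning on configured limits this way shows the shortfall before a deployment does.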
99. CONFIGURE PORTS FOR IP PHONES

100. Lab Infrastructure – Configure PoE Ports for IP Phones
Configure 6 of the PoE ports for IP phones.
• Use ports 3–8 for IP phones
Diagram: Core, Distribution, and Access layers (SR2024 PoE switch with APs), ESXi Server, HMOL

101. CONFIGURE PHONE PORTS IN SWITCH DEVICE TEMPLATE

102. Lab: Configure PoE Ports for IP Phones – 1. Select ports 3–8
Select the ports that will be used to connect to IP phones.
NOTE: The first 8 ports on an SR2024 provide power.
• Select ports 3, 4, 5, 6, 7, and 8 (yes, you can multi-select)
• Click Configure

103. Lab: Configure PoE Ports for IP Phones – 2. Phone & Data ports
• Click New

104. Lab: Configure PoE Ports for IP Phones – 3. Phone & Data ports
• Name: Phone-and-Data-X
• Port Type: Phone & Data
• Check "Primary authentication using": MAC via PAP
• QoS Classification: Trusted Traffic Sources
  › Map to DSCP or 802.1p
  Note: This means we are trusting the markings applied by the upstream network infrastructure
• QoS Marking: Map Aerohive…
  › Map to DSCP or 802.1p
• Click Save

105. Lab: Configure PoE Ports for IP Phones – 4. Phone & Data ports
• For "Choose port type", select Phone-and-Data-X
• Click OK
• Ports 3–8 now display a phone icon

106. Lab: Configure PoE Ports for IP Phones – 5. Save your network policy
• From the Configure Interfaces & User Access bar, click Save
107. CONFIGURE PORTS FOR OPEN GUEST ACCESS

108. Lab Infrastructure – Configure Ports for Employee Computer Access
Configure 2 of the switch ports for open access (the switch ports are in a secured room; this is for testing purposes).
• Use ports 9 and 10
Diagram: Core, Distribution, and Access layers (SR2024 PoE switch with APs, IP Phones, and Guest Computers), ESXi Server, HMOL

109. Lab: Configure Open Guest Ports – 1. Select ports 9 and 10
Select the ports that will be used to connect to guest computers.
• Select ports 9 and 10
• Click Configure

110. Lab: Configure Open Guest Ports – 2. Create access port
• Click New

111. Lab: Configure Open Guest Ports – 3. Create access port
• Name: Guest-X
• Port Type: Access
• You will most likely not trust the DSCP settings on guest devices, so click Untrusted Traffic Sources
• There is no need to mark the traffic, so leave QoS Marking unset
• Click Save

112. Lab: Configure Open Guest Ports – 4. Assign access port policy
• For "Choose port type", select Guest-X
• Click OK
• Ports 9 and 10 now display a world icon

113. Lab: Configure Open Guest Ports – 5. Save your network policy
• From the Configure Interfaces & User Access bar, click Save
114. CONFIGURE PORTS FOR SECURE EMPLOYEE ACCESS WITH 802.1X (for switch ports in a secure location)

115. Lab Infrastructure – Configure Ports for Employee Computer Access
Configure six of the switch ports for 802.1X authentication.
• Use ports 11–16
Diagram: Core, Distribution, and Access layers (SR2024 PoE switch with APs, IP Phones, and 802.1X Employee Computers), ESXi Server, HMOL

116. Lab: Configure Secure Access Ports – 1. Select ports 11–16
Select the ports that will be used to connect to employee computers that support 802.1X.
• Select ports 11, 12, 13, 14, 15, and 16
• Click Configure

117. Lab: Configure Secure Access Ports – 2. Create secure port policy
• Click New

118. Lab: Configure Secure Access Ports – 3. Create secure port policy
• Name: Secure-X
• Port Type: Access
• Check the box for "Primary Authentication using 802.1X"
• Uncheck "Allow multiple hosts (same VLAN)"
• To preserve the markings that PCs apply for softphones or other important applications, select QoS Classification: Trusted Traffic Sources
• Check the box for QoS Marking: Map Aerohive QoS…
• Select DSCP or 802.1p depending on the upstream switch architecture
• Click Save

119. Lab: Configure Secure Access Ports – 4. Assign secure port policy
• For "Choose port type", select Secure-X
• Click OK
• Ports 11–16 now display a world icon

120. Lab: Configure Secure Access Ports – 5. Save your network policy
• From the Configure Interfaces & User Access bar, click Save
121. CONFIGURE MIRROR PORTS

122. Lab: Configure Mirror Ports – 1. Select ports 21–22
Select the ports that will be used for port mirroring.
• Select ports 21 and 22
• Click Configure

123. Lab: Configure Mirror Ports – 2. Create mirror port policy
• Click New
• Name: Mirror-X
• Port Type: Mirror
• Click Save

124. Lab: Configure Mirror Ports – 3. Assign mirror port policy
• For "Choose port type", select Mirror-X
• Click OK
• Check Port-Based
Note: VLAN-based port mirroring can only be enabled on a single port

125. Lab: Configure Mirror Ports – 4. Choose ports to mirror
• Eth1/21, Egress: click Choose
• Select Eth1/1 and click OK
• Eth1/22, Ingress: click Choose
• Select Eth1/12 and click OK

126. Lab: Configure Mirror Ports – 5. Verify and save mirror port policy
• All downstream traffic destined for the WLAN clients of the Aerohive AP on port Eth1/1 is mirrored to port Eth1/21
• All upstream traffic from the host on Eth1/12 destined for the network is mirrored to port Eth1/22
• Click Save

127. Lab: Configure Mirror Ports – 6. Verify and save mirror port policy
Ports 21 and 22 now display a magnifying glass icon.

128. Lab: Configure Mirror Ports – 7. Save your network policy
• From the Configure Interfaces & User Access bar, click Save
129. GENERAL DEVICE TEMPLATE INFO

130. General Port Template Info
If you have more than one port selected, you can clear the port selections here so that you do not have to click each selected port to deselect it.

131. General Port Template Info
• If you move your mouse over one of the defined ports, an option appears to select all ports that use this port type

132. CONFIGURE PORT TYPES – Guest Access

133. Lab: Configure Ports – Guest Access – 1. Port Types
• Configure the authentication, user profile, and VLAN information for the port types defined in the device templates

134. Lab: Configure Ports – Guest Access – 2. Create user profile
Similar to SSIDs, you need to configure User Profiles (user policy) for the access ports.
• For your Guest-X port type, under User Profile click Add/Remove
• Click New

135. Lab: Configure Ports – Guest Access – 3. Assign VLAN
User profiles are used to assign policy to devices connected to the network.
NOTE: Switches use the VLAN in a user profile. Switches functioning as routers use the VLAN, but may also make layer 3 firewall and policy-based routing decisions based on the user profile. In either case, user profile information is carried with the user's information throughout an Aerohive network infrastructure.
• Name: Guest-X
• Attribute: 100
• Default VLAN: 8
• Click Save
The optional settings are used when the user profile is enforced on an AP. The switch, because it forwards packets at line speed in silicon, does not use the optional settings. If the switch is configured as a branch router, the user profile is used for decisions in layer 3 firewall policies, IPSec VPN policies, and identity-based routing.

136. Lab: Configure Ports – Guest Access – 4. Save user profile
• Ensure Guest-X is selected
• Click Save
• Verify your settings

137. Lab: Configure Ports – Guest Access – 5. Save your network policy
• From the Configure Interfaces & User Access bar, click Save
138. CONFIGURE PORT TYPES – Employee Access Secured with 802.1X

139. Lab: Configure Ports – Secure Access – 1. Configure RADIUS
Configure the RADIUS server for the ports secured with 802.1X.
• For your Secure-X port type, under Authentication click <RADIUS Settings>
• Click New

140. Lab: Configure Ports – Secure Access – 2. Configure RADIUS
Define the external RADIUS server settings.
• RADIUS name: RADIUS-X
• IP address: 10.5.1.10
• Shared Secret: aerohive123
• Confirm Secret: aerohive123
• Click Apply!!
• Click Save

141. Lab: Configure Ports – Secure Access – 3. Configure user profile
Assign user profiles to the secure 802.1X ports.
• Next to your Secure-X port type, under User Profile click Add/Remove

142. Port Types
There are three user profile assignment methods:
1. (Auth) Default – used if a client authenticates successfully but no user profile attribute is returned, or if the returned user profile attribute matches the default user profile selected here
2. Auth OK – used if a client authenticates successfully and a user profile attribute is returned; the attribute must match one of the user profiles you select here
3. Auth Fail – used if a client fails authentication

143. Lab: Configure Ports – Secure Access – 4. Configure default user profile
Define the Default user profile. It is assigned if a client authenticates successfully but no user profile attribute is returned, or if the returned user profile attribute matches the selected default user profile.
• Select the Default tab
• Select the user profile: Employee-Default(1)
  › Created by the instructor…
  › Assigns VLAN 1

144. Lab: Configure Ports – Secure Access – 5. Configure Auth OK user profile
Define a user profile for Auth OK: if a client authenticates successfully and a user profile attribute is returned, the attribute must match one of the user profiles you select here. You can have up to 63 Auth OK user profiles.
• Select the Auth OK tab
• Select Employee-X(10)
  › Assigns VLAN 10

145. Lab: Configure Ports – Secure Access – 6. Configure Auth Fail user profile
Define a user profile for Auth Fail: if a client fails authentication several times, assign the Auth Fail user profile.
• Select Auth Fail
• Select Guest-X(100)
  › Assigns VLAN 8
• Verify the Default, Auth OK, and Auth Fail settings one more time
• Click Save

146. Lab: Configure Ports – Secure Access – 7. Verify settings
• Verify the settings

147. Lab: Configure Ports – Secure Access – 8. Save your network policy
• From the Configure Interfaces & User Access bar, click Save
148. PHONE & DATA PORTS WITH NO AUTHENTICATION

149. Phone & Data Port Type With Open Access
• The switch port is assigned to a Phone & Data port type
• For this example, no authentication is selected in Phone & Data
Diagram: SR2024 switch – IP Phone – Data device; Phone & Data uses 802.1Q

150. Phone & Data Port Type With Open Access
• You can then select a Default Voice and a Default Data user profile
• The Phone & Data port is an 802.1Q port
• The Phone VLAN is tagged and is sent to the IP phone via LLDP-MED
• The switch port assigns the Data VLAN as the native VLAN
  › This way, phone traffic is tagged and data traffic is untagged
Diagram: SR2024 switch – IP Phone (LLDP assigns the phone to the tagged Voice VLAN) – Data device; Phone & Data uses 802.1Q
Note: For default data, only the VLAN is used, not the user profile

151. CLI Commands for Phone & Data Port without Authentication
• interface eth1/3 switchport mode trunk
• interface eth1/3 switchport user-profile-attribute 2
• interface eth1/3 switchport trunk native vlan 10
• interface eth1/3 switchport trunk voice-vlan 2
• interface eth1/3 switchport trunk allow vlan 2
• interface eth1/3 switchport trunk allow vlan 10
• interface eth1/3 qos-classifier Phone-and-Net-2
• interface eth1/3 qos-marker Phone-and-Net-2
• interface eth1/3 pse profile QS-PSE
152. PHONE & DATA PORTS WITH 802.1X/PEAP AUTHENTICATION OR MAC AUTHENTICATION

153. Phone & Data Port Type With 802.1X/PEAP or MAC Authentication
• The switch port is assigned to a Phone & Data port type
• For this example, 802.1X authentication is selected in Phone & Data
Diagram: SR2024 switch – IP Phone – Data device (Employees); Phone & Data uses 802.1Q and 802.1X. On the RADIUS server, the phone policy returns the Cisco AV pair device-traffic-class=voice together with a user profile and/or VLAN; the data (employee) policy returns a user profile and/or VLAN.

154. Phone & Data Port Type With 802.1X/PEAP
• You can connect a single client, or multiple clients, behind an IP phone's data port
• Phones and clients authenticate independently of each other, and the order in which they authenticate does not matter
  › However, the VLAN assigned to the first data device (employee) that authenticates becomes the data VLAN; all other data devices are assigned to the same VLAN, even if they have different user profiles with other VLANs assigned, or even if RADIUS returns a different VLAN
Diagram: as on slide 153

155. Phone & Data Port Type With Primary and Secondary Authentication
• If a secondary authentication method is configured, it is tried when the primary authentication is not available or fails three times
Diagram: as on slide 153

156. CLI Commands for Phone & Data Port with 802.1X
• security-object Phone-and-Data-2
• security-object Phone-and-Data-2 security aaa radius-server primary 10.250.1.1 shared-secret ***
• security-object Phone-and-Data-2 security protocol-suite 802.1x
• security-object Phone-and-Data-2 default-user-profile-attr 1
• security-object Phone-and-Data-2 security auth-mode host-based multiple-domain
• interface eth1/3 security-object Phone-and-Data-2
• interface eth1/3 switchport mode trunk
• interface eth1/3 switchport user-profile-attribute 1
• interface eth1/3 qos-classifier Phone-and-Data-2
• interface eth1/3 qos-marker Phone-and-Data-2
• interface eth1/3 pse profile QS-PSE
• no interface eth1/3 spanning-tree enable
• no interface eth1/3 link-discovery cdp receive enable
• user-profile Default qos-policy def-user-qos vlan-id 1 attribute 1
• user-profile Employee-2 qos-policy def-user-qos vlan-id 10 attribute 10
• user-profile Voice-2 qos-policy def-user-qos vlan-id 2 attribute 2
• user-profile Guest-2 qos-policy def-user-qos vlan-id 8 attribute 100

157. CLI Commands for Phone & Data Port with MAC Authentication
• security-object Phone-and-Data-2
• security-object Phone-and-Data-2 security aaa radius-server primary 10.250.1.1 shared-secret ***
• security-object Phone-and-Data-2 security additional-auth-method mac-based-auth
• security-object Phone-and-Data-2 default-user-profile-attr 1
• security-object Phone-and-Data-2 security auth-mode host-based multiple-domain
• security-object Phone-and-Data-2 security initial-auth-method mac-based-auth
• interface eth1/3 security-object Phone-and-Data-2
• interface eth1/3 switchport mode trunk
• interface eth1/3 switchport user-profile-attribute 1
• interface eth1/3 qos-classifier Phone-and-Data-2
• interface eth1/3 qos-marker Phone-and-Data-2
• interface eth1/3 pse profile QS-PSE
• no interface eth1/3 spanning-tree enable
• no interface eth1/3 link-discovery cdp receive enable
• user-profile Default qos-policy def-user-qos vlan-id 1 attribute 1
• user-profile Employee-2 qos-policy def-user-qos vlan-id 10 attribute 10
• user-profile Voice-2 qos-policy def-user-qos vlan-id 2 attribute 2
• user-profile Guest-2 qos-policy def-user-qos vlan-id 8 attribute 100
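A consistency check over the three CLI listings (the open-access Phone & Data port, the 802.1X variant, and the MAC-auth variant), as an added example that is not part of the original deck or of Aerohive's software. It parses only the command shapes that appear on those slides and reports what a reviewer looks for before a configuration is pushed: a port bound to a security-object that is never defined, 802.1X or MAC authentication without a RADIUS server, a user-profile attribute that no user-profile defines, two profiles sharing an attribute, a native or voice VLAN missing from the trunk's allowed list, and a RADIUS shared secret left in cleartext. The two sample configurations are constructed from the slide listings (the open-access port is moved to eth1/4 so both port styles fit in one file), and the broken one carries five deliberate mistakes; the rule set is an assumption about what the switch would accept, not HiveOS's own validation.

```python
"""Consistency lint for HiveOS-style port configuration (added example, not Aerohive code)."""
import re
from collections import defaultdict
from typing import Dict, List


def lint_config(text: str) -> List[str]:
    """Parse slide-style CLI lines and return a list of human-readable findings."""
    secobj: Dict[str, dict] = defaultdict(dict)                       # name -> settings seen
    interfaces: Dict[str, dict] = defaultdict(lambda: {"allow": set()})
    profiles: Dict[int, str] = {}                                     # attribute -> profile name
    findings: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"security-object (\S+)(?: (.*))?$", line)
        if m:
            name, rest = m.group(1), m.group(2) or ""
            so = secobj[name]                                         # registers the name even if bare
            if "radius-server" in rest:
                so["radius"] = True
                secret = re.search(r"shared-secret (\S+)", rest)
                if secret and secret.group(1) != "***":
                    findings.append(f"security-object {name}: RADIUS shared secret stored in cleartext")
            if "protocol-suite 802.1x" in rest or "mac-based-auth" in rest:
                so["needs_radius"] = True
            default = re.search(r"default-user-profile-attr (\d+)", rest)
            if default:
                so["default_attr"] = int(default.group(1))
            continue
        m = re.match(r"(no )?interface (\S+) (.*)$", line)
        if m:
            negated, ifname, rest = m.group(1), m.group(2), m.group(3)
            if negated:
                continue                                              # "no ..." lines carry no binding to check
            iface = interfaces[ifname]
            for key, pattern in (("secobj", r"security-object (\S+)"),
                                 ("attr", r"user-profile-attribute (\d+)"),
                                 ("native", r"trunk native vlan (\d+)"),
                                 ("voice", r"trunk voice-vlan (\d+)")):
                hit = re.search(pattern, rest)
                if hit:
                    iface[key] = hit.group(1)
            allow = re.search(r"trunk allow vlan (\d+)", rest)
            if allow:
                iface["allow"].add(allow.group(1))
            continue
        m = re.match(r"user-profile (\S+) .*vlan-id (\d+) attribute (\d+)$", line)
        if m:
            name, attr = m.group(1), int(m.group(3))
            if attr in profiles:
                findings.append(f"user-profile {name}: attribute {attr} already used by {profiles[attr]}")
            profiles[attr] = name
    # Cross-object checks once everything has been read.
    for name, so in secobj.items():
        if so.get("needs_radius") and not so.get("radius"):
            findings.append(f"security-object {name}: 802.1X/MAC auth configured without a RADIUS server")
        if "default_attr" in so and so["default_attr"] not in profiles:
            findings.append(f"security-object {name}: default-user-profile-attr {so['default_attr']} matches no user-profile")
    for ifname, iface in interfaces.items():
        if "secobj" in iface and iface["secobj"] not in secobj:
            findings.append(f"{ifname}: security-object {iface['secobj']} is not defined")
        if "attr" in iface and int(iface["attr"]) not in profiles:
            findings.append(f"{ifname}: user-profile-attribute {iface['attr']} matches no user-profile")
        for role in ("native", "voice"):
            vlan = iface.get(role)
            if vlan is not None and vlan not in iface["allow"]:
                findings.append(f"{ifname}: {role} VLAN {vlan} is not in the trunk's allowed VLAN list")
    return findings


# Constructed from the slide listings: 802.1X Phone & Data on eth1/3, open Phone & Data on eth1/4.
LAB_CONFIG = """
security-object Phone-and-Data-2
security-object Phone-and-Data-2 security aaa radius-server primary 10.250.1.1 shared-secret ***
security-object Phone-and-Data-2 security protocol-suite 802.1x
security-object Phone-and-Data-2 default-user-profile-attr 1
security-object Phone-and-Data-2 security auth-mode host-based multiple-domain
interface eth1/3 security-object Phone-and-Data-2
interface eth1/3 switchport mode trunk
interface eth1/3 switchport user-profile-attribute 1
interface eth1/3 qos-classifier Phone-and-Data-2
interface eth1/3 pse profile QS-PSE
no interface eth1/3 spanning-tree enable
no interface eth1/3 link-discovery cdp receive enable
interface eth1/4 switchport mode trunk
interface eth1/4 switchport user-profile-attribute 2
interface eth1/4 switchport trunk native vlan 10
interface eth1/4 switchport trunk voice-vlan 2
interface eth1/4 switchport trunk allow vlan 2
interface eth1/4 switchport trunk allow vlan 10
user-profile Default qos-policy def-user-qos vlan-id 1 attribute 1
user-profile Employee-2 qos-policy def-user-qos vlan-id 10 attribute 10
user-profile Voice-2 qos-policy def-user-qos vlan-id 2 attribute 2
user-profile Guest-2 qos-policy def-user-qos vlan-id 8 attribute 100
"""

# Constructed: the same grammar with five deliberate mistakes.
BROKEN_CONFIG = """
security-object Phone-and-Data-9 security protocol-suite 802.1x
security-object Lab-Test security aaa radius-server primary 10.5.1.10 shared-secret aerohive123
interface eth1/4 security-object Phone-and-Data-7
interface eth1/5 switchport mode trunk
interface eth1/5 switchport user-profile-attribute 55
interface eth1/5 switchport trunk native vlan 20
user-profile Default qos-policy def-user-qos vlan-id 1 attribute 1
"""

if __name__ == "__main__":
    print("lab config:", lint_config(LAB_CONFIG) or "clean")
    for finding in lint_config(BROKEN_CONFIG):
        print("broken config:", finding)
```

The clean listing produces no findings; the broken one reports each of its five mistakes, which is the kind of pre-push check that catches an 802.1X port silently falling back because its security-object never got a RADIUS server.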
158. CONFIGURING NPS FOR PHONE AND EMPLOYEE AUTHENTICATION WITH 802.1X/PEAP – Overview

159. Configure NPS for Phone & Data Authentication
• Create a network policy for voice

160. Configure NPS for Phone & Data Authentication
• Enter a name for the voice policy, and click Next

161. Configure NPS for Phone & Data Authentication
• Click Add to specify a condition

162. Configure NPS for Phone & Data Authentication
• Select Windows Groups
• Click Add

163. Configure NPS for Phone & Data Authentication
• Click Add Groups…
• A "voice" group was created by IT for IP phones: enter voice and click OK
• Click OK

164. Configure NPS for Phone & Data Authentication
• Click Next

165. Configure NPS for Phone & Data Authentication
• Select Access granted

166. Configure NPS for Phone & Data Authentication
• Click Add
• Select Microsoft: Protected EAP (PEAP)
• Click OK

167. Configure NPS for Phone & Data Authentication
• Click Next
• For Constraints, click Next

168. Configure NPS for Phone & Data Authentication
• Remove the attributes that are not needed:
  › Select Framed-Protocol and click Remove
  › Select Service-Type and click Remove

169. Configure NPS for Phone & Data Authentication
Add the three attribute value pairs needed to assign a user profile:
• Tunnel-Medium-Type: IPv4 (value found in the Others section)
• Tunnel-Type: Generic Route Encapsulation (GRE)
• Tunnel-Pvt-Group-ID: (String) 2
  › 2 is the voice user profile in this case
• Click Next

170. Configure NPS for Phone & Data Authentication
• Under RADIUS Attributes, select Vendor Specific

171. RETURN A CISCO AV PAIR TO LET THE AEROHIVE SWITCH KNOW WHICH USER PROFILE SHOULD BE ASSIGNED AS THE VOICE USER PROFILE

172. Configure NPS for Phone & Data Authentication
For a switch to know that a specific user profile is for voice, Aerohive devices accept the Cisco AV pair device-traffic-class=voice. This is sent to the switch, and the switch uses LLDP to send the voice VLAN to any phone that supports LLDP-MED.
• Under RADIUS Attributes, select Vendor Specific
• Click Add

173. Configure NPS for Phone & Data Authentication
• Under Vendor, select Cisco

174. Configure NPS for Phone & Data Authentication
• Click Add
• Click Add again

175. Configure NPS for Phone & Data Authentication
• Attribute value: device-traffic-class=voice
• Click OK
• Click OK
• Click Close (The value does not show up on this screen. Do not worry, it is there.)

176. Configure NPS for Phone & Data Authentication
• Attribute value: device-traffic-class=voice
• Click OK
• Click OK
• Click Next

177. Configure NPS for Phone & Data Authentication
• Click Finish
178. DEFINE CLIENT ACCESS

179. CLI Commands for Phone & Data Port without Authentication
Create a new policy for employee access.
• Policy name: Wireless or Wired Employee Access

180. CLI Commands for Phone & Data Port without Authentication
• For the condition, select the Windows group that contains your employees
• Add the three attribute value pairs needed to assign a user profile:
  › Tunnel-Medium-Type: IPv4 (value found in the Others section)
  › Tunnel-Type: Generic Route Encapsulation (GRE)
  › Tunnel-Pvt-Group-ID: (String) 10
    » 10 is the employee user profile in this case
• Click Next
181. CONFIGURE PORT TYPES – Phone and Data

182. Lab: Configure Ports – Phone & Data – 1. Configure RADIUS
Configure the RADIUS server for the ports secured with 802.1X.
• For your Phone-and-Data-X port type, under Authentication click <RADIUS Settings>
• Select RADIUS-X, which is an external Microsoft NPS RADIUS server
• Click OK

183. Port Types
Assign user profiles to your 802.1X ports.
• For your Phone-and-Data-X port type, under User Profile click Add/Remove

184. Port Types (Reminder) – Must Verify
There are three user profile settings:
1. Default – the default for data if no user profile attribute is returned, or if a user profile attribute is returned that matches the user profile configured here
2. Auth OK (Voice) – used if a client authenticates successfully, a user profile attribute is returned that matches a selected user profile, and the Cisco AV pair is also returned
3. Auth OK (Data) – used if the client passes authentication and a user profile attribute is returned, but no Cisco AV pair
185. Lab: Configure Ports - Phone & Data – 2. Configure user profile – Auth OK (Voice)
• Click Auth OK (Voice)
• Click New

186. Lab: Configure Ports - Phone & Data – 3. Configure user profile – Auth OK (Voice) VLAN
User profiles are used to assign policy to devices connected to the network.
• Name: Voice-X
• Attribute: 2
• Default VLAN: 2
• Click Save

187. Lab: Configure Ports - Phone & Data – 4. Configure user profile – Auth OK (Voice)
• For the Auth OK (Voice) tab select: Voice-X(2)
  › Assigns VLAN 2

188. Lab: Configure Ports - Phone & Data – 5. Configure user profile – Default
Assign the Default user profile:
• Select the Default tab
• Select Employee-Default(1)
  › Assigns VLAN 1

189. Lab: Configure Ports - Phone & Data – 6. Configure user profile – Auth OK (Data)
Define a user profile for Auth OK (Data) – for clients connected through an IP phone
• Select Auth OK (Data)
• Select Employee-X(10)
  › Assigns VLAN 10
• Verify the Default, Auth OK (Voice), and Auth OK (Data) settings one more time
• Click Save

190. Lab: Configure Ports - Phone & Data – 7. Verify your settings
• Verify the settings

191. Lab: Configure Ports - Phone and Data – 8. Save your network policy
• From the Configure Interfaces & User Access bar, click Save

192. CONFIGURE 802.1Q TRUNK PORTS

193. Lab: Configure Trunk Ports – 1. Configure AP-Trunk-X port policy VLANs
Define the allowed VLANs on a trunk port
• Next to AP-Trunk-X click Add/Remove
• Add the specific VLANs: 1,2,8,10
• Click OK

194. Lab: Configure Trunk Ports – 2. Configure Trunk-X port policy VLANs
Define the allowed VLANs on a trunk port
• Next to Trunk-X click Add/Remove
• Type all
• Click OK

195. Lab: Configure Trunk Ports – 3. Verify your settings
Verify settings

196. Lab: Configure Ports - Phone and Data – 8. Save your network policy and continue
• From the Configure Interfaces & User Access bar, click Save

197. UPDATE DEVICES

198. Lab: Update Devices – 1. Modify your AP
From the Configure & Update Devices section, modify your AP-specific settings
• Click the Name column to sort the APs
• Click the link for your AP: 0X-A-######

199. Lab: Update Devices – 2. Update the configuration of your Aerohive AP
• Location: <FirstName_LastName>
• Topology Map: Classroom
• Network Policy: Access-X
  Note: Leave this set to default so you can see how it is automatically set to your new network policy when you update the configuration.
• Set the power down to 1 dBm on both radios because the APs are stacked in a rack in the data center
  › 2.4 GHz (wifi0) Power: 1
  › 5 GHz (wifi1) Power: 1
• Click Save

200. Lab: Update Devices – 3. Select AP and switch
• Select your AP and switch and click Update
• Click Yes

201. Lab: Update Devices – 4. Update the AP and switch
• Select Update Devices
• Select Perform a complete configuration update for all selected devices
• Click Update
For this class, ALL updates should be complete configuration updates

202. Lab: Update Devices – 5. Update the AP and switch
• Should the Reboot warning box appear, click OK

203. QUESTIONS?
204. CREATE AN AEROHIVE DEVICE DISPLAY FILTER

205. Lab: Create a Display Filter from Monitor View – 1. Create a filter
• To create a display filter go to Monitor > Filter and select +
• Network Policy, select: Access-X
• Remember this Filter, type: Access-X
• Click Search

206. Lab: Create a Display Filter from Monitor View – 2. Verify the display filter

207. QUESTIONS?

208. TEST YOUR WI-FI CONFIGURATION USING THE HOSTED PC

209. Lab: Test Hosted Client Access to SSID – Test SSID Access at Hosted Site
• Use a VNC client to access the Hosted PC:
  › password: aerohive
• From the hosted PC, you can test connectivity to your SSID
(Lab topology diagram: Hosted PC, AP, SR2024 PoE access switch, core and distribution, ESXi server with HM VA, Internet; Ethernet and Wi-Fi links)

210. Lab: Test Hosted Client Access to SSID – 1. For Windows: Use TightVNC client
• If you are using a Windows PC
  › Use TightVNC
  › TightVNC has good compression, so please use this for class instead of any other application
• Start TightVNC
  › For Lab 1: lab1-pcX.aerohive.com
  › For Lab 2: lab2-pcX.aerohive.com
  › For Lab 3: lab3-pcX.aerohive.com
  › For Lab 4: lab4-pcX.aerohive.com
  › For Lab 5: lab5-pcX.aerohive.com
  › Select Low-bandwidth connection
  › Click Connect
  › Password: aerohive
  › Click OK

211. Lab: Test Hosted Client Access to SSID – 2. For Mac: Use the RealVNC client
• If you are using a Mac
  › RealVNC has good compression, so please use this for class instead of any other application
• Start RealVNC
  › For Lab 1: lab1-pcX.aerohive.com
  › For Lab 2: lab2-pcX.aerohive.com
  › For Lab 3: lab3-pcX.aerohive.com
  › For Lab 4: lab4-pcX.aerohive.com
  › For Lab 5: lab5-pcX.aerohive.com
  › Click Connect
  › Password: aerohive
  › Click OK

212. Lab: Test Hosted Client Access to SSID – 3. In case the PCs are not logged in
If you are not automatically logged in to your PC:
• If you are using the web browser client
  › Click the button to Send Ctrl-Alt-Del
• If you are using the TightVNC client
  › Click to send a Ctrl-Alt-Del
• Login: AH-LABuser
• Password: Aerohive1
• Click the right arrow to log in

213. Lab: Test Hosted Client Access to SSID – 4. Remove any Wireless Networks on Hosted PC
From the bottom task bar, click the locate wireless networks icon
› Select Open Network and Sharing Center
› Click Manage wireless networks
› Select a network, then click Remove
› Repeat until all the networks are removed
› Click [x] to close the window

214. Lab: Test Hosted Client Access to SSID – 5. Connect to Your Class-PSK-X SSID
• Single-click the wireless icon on the bottom right corner of the Windows task bar
• Click your SSID Class-PSK-X
• Click Connect
  › Security Key: aerohive123
  › Click OK

215. Lab: Test Hosted Client Access to SSID – 6. View Active Clients List
Go to Monitor > Clients > Wireless Clients and locate your PC's entry
• After associating with your SSID, you should see your connection in the Wireless Clients list
• Your IP address should be from the 10.5.10.0/24 network, which is VLAN 10

216. QUESTIONS?
217. TESTING SWITCH PORT CONNECTIONS WITH WINDOWS 7

218. Lab: Test Hosted Client to Wired Network – Test Guest and 802.1X Access
• Use a VNC client to access the Hosted PC:
  › password: aerohive
• From the hosted PC, you can test connectivity to your SSID
(Lab topology diagram: Hosted PC, AP, SR2024 PoE access switch, core and distribution, ESXi server with HM VA, Internet; Ethernet and Wi-Fi links)

219. Three Different VLANs are Possible in This Configuration
• Default – authentication OK, and RADIUS does not return a user profile, or returns one that matches the default
• Auth OK – authentication OK, and RADIUS returns a user profile that matches one of the user profiles configured here
• Auth Fail – RADIUS authentication fails (Guest)
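Added example, not part of the course material: it builds the Access-Accept attribute list the NPS policy above is configured to return (Tunnel-Medium-Type, Tunnel-Type, Tunnel-Pvt-Group-ID and the Cisco AV pair), parses it the way an authenticator has to, and applies the Default / Auth OK (Voice) / Auth OK (Data) / Auth Fail selection described on slides 184 and 219. Profile names, attribute values and VLANs are the lab's; the fallback to Default for an attribute that matches no selected profile is an assumption of this example.

```python
import struct
from dataclasses import dataclass

# RADIUS attribute codes the lab's NPS policy returns (RFC 2865 / RFC 2868 numbering)
VENDOR_SPECIFIC = 26          # carries the Cisco AV pair
TUNNEL_TYPE = 64              # Tunnel-Type
TUNNEL_MEDIUM_TYPE = 65       # Tunnel-Medium-Type
TUNNEL_PRIVATE_GROUP_ID = 81  # Tunnel-Pvt-Group-ID: the Aerohive user profile attribute
TUNNEL_TYPE_GRE = 10          # "Generic Route Encapsulation (GRE)" in the NPS dialog
TUNNEL_MEDIUM_IPV4 = 1        # "IP v4" in the NPS dialog
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1              # Cisco vendor sub-attribute cisco-avpair
VOICE_AVPAIR = "device-traffic-class=voice"

def _attr(code, body):
    return bytes([code, 2 + len(body)]) + body

def tagged_int(code, value, tag=0):
    # RFC 2868 tagged integer: one Tag byte followed by a 3-byte big-endian value
    return _attr(code, bytes([tag]) + value.to_bytes(3, "big"))

def tagged_str(code, text, tag=0):
    return _attr(code, bytes([tag]) + text.encode())

def cisco_avpair(text):
    inner = text.encode()
    vsa = struct.pack(">I", CISCO_VENDOR_ID) + bytes([CISCO_AVPAIR, 2 + len(inner)]) + inner
    return _attr(VENDOR_SPECIFIC, vsa)

def nps_access_accept(profile_attr, voice=False):
    """Attribute list the lab's NPS policy would send on Access-Accept (constructed here)."""
    attrs = (tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IPV4)
             + tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_GRE)
             + tagged_str(TUNNEL_PRIVATE_GROUP_ID, profile_attr))
    return (attrs + cisco_avpair(VOICE_AVPAIR)) if voice else attrs

def parse_attributes(blob):
    """Walk the type/length/value list and pull out the fields the switch acts on."""
    out = {"tunnel_type": None, "tunnel_medium": None, "profile_attr": None, "cisco_avpairs": []}
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header at offset %d" % i)
        code, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length at offset %d" % i)
        val = blob[i + 2:i + length]
        if code in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(val) == 4:
            key = "tunnel_type" if code == TUNNEL_TYPE else "tunnel_medium"
            out[key] = int.from_bytes(val[1:], "big")      # skip the Tag byte
        elif code == TUNNEL_PRIVATE_GROUP_ID and val:
            text = val[1:] if val[0] <= 0x1F else val      # RFC 2868: first byte > 0x1F is data, not a tag
            out["profile_attr"] = text.decode(errors="replace")
        elif code == VENDOR_SPECIFIC and len(val) >= 6 and struct.unpack(">I", val[:4])[0] == CISCO_VENDOR_ID:
            j = 4                                          # sub-attributes: Vendor-Type, Vendor-Length, data
            while j + 2 <= len(val):
                vtype, vlen = val[j], val[j + 1]
                if vlen < 2 or j + vlen > len(val):
                    break
                if vtype == CISCO_AVPAIR:
                    out["cisco_avpairs"].append(val[j + 2:j + vlen].decode(errors="replace"))
                j += vlen
        i += length
    return out

@dataclass(frozen=True)
class UserProfile:
    name: str
    attribute: int
    vlan: int

# Port-type tabs as set up in the lab (values taken from the slides, table constructed here)
DEFAULT = UserProfile("Employee-Default", 1, 1)
AUTH_OK_VOICE = {2: UserProfile("Voice-X", 2, 2)}
AUTH_OK_DATA = {10: UserProfile("Employee-X", 10, 10)}
AUTH_FAIL = UserProfile("Guest", 100, 8)   # Failure-UID=100 as in the deck's switch CLI output

def select_profile(auth_ok, attrs):
    """Default / Auth OK (Voice) / Auth OK (Data) / Auth Fail selection as the deck describes it."""
    if not auth_ok:
        return AUTH_FAIL
    raw = attrs["profile_attr"]
    if raw is None or not raw.isdigit() or int(raw) == DEFAULT.attribute:
        return DEFAULT                             # no attribute, or it matches the Default profile
    uid = int(raw)
    # Assumption: an attribute that matches no profile selected on the tab falls back to Default.
    if VOICE_AVPAIR in attrs["cisco_avpairs"]:
        return AUTH_OK_VOICE.get(uid, DEFAULT)     # AV pair plus a matching Auth OK (Voice) profile
    return AUTH_OK_DATA.get(uid, DEFAULT)          # attribute without AV pair: Auth OK (Data)
```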
220. Lab: Test Hosted Client to Wired Network – 1. Verify IP address of Ethernet adapter
• Locate Local Area Connection 3
• Right-click
• Click Status
• Click Details

221. Lab: Test Hosted Client to Wired Network – 2. Verify IP address of Ethernet adapter
Why do you see an IP from the 10.5.1.0/24 subnet? This is the IP address the device received on VLAN 1 before the switch was configured.

222. Lab: Test Hosted Client to Wired Network – 3. Reset Ethernet Adapter
Because the PC has the wrong IP address it will not work; you can remedy this by:
• Right-click on Local Area Connection 3
• Click Diagnose, or
• Disable then enable Local Area Connection 3
• Do NOT disable Local Area Connection 2

223. Lab: Test Hosted Client to Wired Network – 4. Verify IP address of Ethernet adapter
• Locate Local Area Connection 3
• Right-click
• Click Status
• Click Details

224. Lab: Test Hosted Client to Wired Network – 5. Verify IP address of Ethernet adapter
Why do you see an IP from the 10.5.8.0/24 subnet? This is the guest network, which is assigned if authentication is not supported or fails.

225. Lab: Test Hosted Client to Wired Network – 6. Verify VLAN of wired client
Go to Monitor > Clients > Wired Clients and locate your PC's entry
• Note the IP, Client Auth Mode, User Profile Attribute and VLAN
• VLAN 8 is the guest VLAN, assigned because 802.1X authentication was not supported or failed. The host was assigned to the Auth Fail user profile.

226. Lab: Test Hosted Client to Wired Network – 7. Enable 802.1X for wired clients
• In Windows 7, you must enable 802.1X support
• As an administrator, from the Start menu type services
• Then click Services

227. Lab: Test Hosted Client to Wired Network – 8. Enable 802.1X for wired clients
• Click the Standard tab at the bottom of the Services panel
• Locate Wired AutoConfig and right-click
• Click Properties

228. Lab: Test Hosted Client to Wired Network – 9. Enable 802.1X for wired clients
• The Wired AutoConfig (DOT3SVC) service is responsible for performing IEEE 802.1X authentication on Ethernet interfaces
• If your current wired network deployment enforces 802.1X authentication, the DOT3SVC service should be configured to run in order to establish Layer 2 connectivity and/or provide access to network resources
• Wired networks that do not enforce 802.1X authentication are unaffected by the DOT3SVC service

229. Lab: Test Hosted Client to Wired Network – 10. Enable 802.1X for wired clients
• Click Automatic
• Click Start

230. Lab: Test Hosted Client to Wired Network – 11. Enable 802.1X for wired clients
• Click OK

231. Lab: Test Hosted Client to Wired Network – 12. Verify IP address of Ethernet adapter
• Locate Local Area Connection 3
• Right-click
• Click Status
• Click Details

232. Lab: Test Hosted Client to Wired Network – 13. Verify IP address of Ethernet adapter
Why do you see an IP from the 10.5.10.0/24 subnet? The user has authenticated with 802.1X/EAP and RADIUS is returning the user profile attribute 10.

233. Lab: Test Hosted Client to Wired Network – 14. Verify authentication and VLAN of wired client
Go to Monitor > Clients > Wired Clients and locate your entry
• Note the IP, Client Auth Mode, User Profile Attribute and VLAN
• VLAN 10 is the employee VLAN, assigned because 802.1X authentication was successful and the host was assigned to the Auth OK user profile.
234. For Reference: Switch CLI

  SR-04-866380# show auth int eth1/12
  Authentication Entities: if=interface; UID=User profile group ID; AA=Authenticator Address;
  if=eth1/12; idx=16; AA=08ea:4486:638c; Security-obj=Secure-2; default-UID=1; Protocol-suite=802.1X; Auth-mode=port-based; Failure-UID=100; Dynamic-VLAN=10;
  No.  Supplicant      UID  Life  State  DevType  User-Name    Flag
  ---  --------------  ---  ----  -----  -------  -----------  ----
  0    000c:2974:aa8e  10   0     done   data     AH-LABuser4  000b
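Added example (not from the course): a parser for the show auth int output above that extracts default-UID, Failure-UID and Dynamic-VLAN, classifies each supplicant into the auth-ok / default / auth-fail outcomes the preceding lab steps describe, and flags supplicants whose expected VLAN disagrees with the port's Dynamic-VLAN. The sample text and the UID-to-VLAN table are constructed from the slides; the second supplicant row is invented to show a failed authentication.

```python
import re

# Constructed sample modelled on the deck's "show auth int eth1/12" slide; the second
# supplicant row is added here to show a failed authentication (not a real capture).
SAMPLE_SHOW_AUTH = """\
SR-04-866380# show auth int eth1/12
Authentication Entities: if=interface; UID=User profile group ID; AA=Authenticator Address;
if=eth1/12; idx=16; AA=08ea:4486:638c; Security-obj=Secure-2; default-UID=1; Protocol-suite=802.1X; Auth-mode=port-based; Failure-UID=100; Dynamic-VLAN=10;
No.  Supplicant      UID  Life  State  DevType  User-Name    Flag
---  --------------  ---  ----  -----  -------  -----------  ----
0    000c:2974:aa8e  10   0     done   data     AH-LABuser4  000b
1    000c:2974:bb01  100  0     done   data     -            0000
"""

# User profile attribute (UID) to VLAN, as configured in the lab (table constructed from the slides)
UID_TO_VLAN = {1: 1, 2: 2, 10: 10, 100: 8}

ROW_RE = re.compile(r"^(\d+)\s+([0-9a-f]{4}:[0-9a-f]{4}:[0-9a-f]{4})\s+(\d+)\s+(\d+)\s+"
                    r"(\S+)\s+(\S+)\s+(\S+)\s+([0-9a-f]+)\s*$", re.IGNORECASE)

def parse_show_auth(text):
    """Return (interface settings, supplicant rows) from 'show auth int' output."""
    settings, supplicants = {}, []
    for line in text.splitlines():
        if line.startswith("if=") and "default-UID" in line:
            for field in line.split(";"):          # key=value pairs separated by ';'
                if "=" in field:
                    key, value = field.strip().split("=", 1)
                    settings[key] = value
            continue
        m = ROW_RE.match(line)
        if m:
            supplicants.append({"mac": m.group(2).lower(), "uid": int(m.group(3)),
                                "life": int(m.group(4)), "state": m.group(5),
                                "devtype": m.group(6), "user": m.group(7), "flag": m.group(8)})
    for key in ("default-UID", "Failure-UID", "Dynamic-VLAN"):
        if key in settings:
            settings[key] = int(settings[key])
    return settings, supplicants

def classify(settings, supplicant):
    """Name the user profile outcome the deck describes for one supplicant."""
    if supplicant["state"] != "done":
        return "pending"
    if supplicant["uid"] == settings.get("Failure-UID"):
        return "auth-fail"    # Auth Fail profile: the guest VLAN (8 in the lab)
    if supplicant["uid"] == settings.get("default-UID"):
        return "default"      # authenticated, no (or default) user profile attribute
    return "auth-ok"          # authenticated, RADIUS returned a user profile attribute

def vlan_mismatches(settings, supplicants, uid_to_vlan=UID_TO_VLAN):
    """MACs whose UID should map to a different VLAN than the port's Dynamic-VLAN."""
    dyn = settings.get("Dynamic-VLAN")
    return [s["mac"] for s in supplicants
            if s["state"] == "done" and uid_to_vlan.get(s["uid"]) not in (None, dyn)]
```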
235. Enable 802.1X for Wired Connections
If you need to troubleshoot, you can view Local Area Connection 3
• From the Start menu, type view network
• Right-click Local Area Connection 3, and click Diagnose
  › This will reset the adapter, clear the caches, etc.

236. Clearing Authentication Cache for Testing or Troubleshooting
• From the Wired Clients list, you can select a client and click Deauth
  › This clears all the caches for the client on the switch
• Then, on the hosted PC, you will need to disable and then enable Local Area Connection 3 to force a reauthentication

237. MISC MONITORING

238. Switch Monitoring
• Monitor > Switches
• Click on the hostname of the switch

239. Switch Monitoring
• Hover with your mouse over the switch ports

240. Switch Monitoring
System Details

241. Switch Monitoring
Port Details and PSE Details

242. Power Cycle Devices via PoE
• To configure this feature for selected ports on a switch, navigate to Monitor > Switches in the Managed Devices tab, click the name of the switch, and scroll down to PSE Details.
• Select the check box or boxes for the port or ports that you want to cycle, and then click Cycle Power.
This is useful in the event that an AP or multiple APs are locked up and need to be rebooted remotely. Bouncing the PoE port forces the AP to reboot.

243. Switch Monitoring
• Monitor > Active Clients > Wired Clients
• Add the User Profile Attribute column and move it up; it is useful

244. Switch Monitoring
• Click on the MAC address for a wired client to see more information

245. Switch Monitoring
• Utilities… > Statistics > Interface

246. Switch Monitoring
• Utilities… > Diagnostics > Show PSE

247. VLAN Probe – Use VLAN Probe to verify VLANs and DHCP Service
• Monitor > Switches – select your device, and go to Utilities… > Diagnostic > VLAN probe
NOTE: If you get the same IP subnet for each of the VLANs, that is a sign that the switch uplink port is connected to an access port, not a trunk port as it should be.

248. Client Monitor
• Tools > Client Monitor
• Client Monitor can be used to troubleshoot 802.1X/EAP authentication for wired clients

249. Switch CLI

  SR-02-66ec00# show interface switchport
  Name: gigabitethernet1/1
    Switchport: enable
    Port Mode: access
    Port Mirror: disable
    Port User-profile ID: 0
    Static Access VLAN: 1
    Dynamic Auth VLAN: 0
  Name: gigabitethernet1/2
    Switchport: enable
    Port Mode: access
    Port Mirror: disable
    Port User-profile ID: 10
    Static Access VLAN: 10
    Dynamic Auth VLAN: 0

250. Switch CLI
• show client-report client
251. GENERAL SWITCHING

252. Storm Control
• Aerohive switches can mitigate traffic storms due to a variety of causes by tracking the source and type of frames to determine whether they are legitimately required.
• The switches can then discard frames that are determined to be the products of a traffic storm. You can configure thresholds for broadcast, multicast, unknown unicast, and TCP-SYN packets as a percentage of interface capacity, a number of bits per second, or a number of packets per second.
From your network policy with Switching enabled: go to Additional Settings>Switch Settings>Storm Control

253. IGMP Snooping MAC Addresses
• Aerohive switches are capable of monitoring IGMP transactions between multicast routers and client devices, and of maintaining a local table of IGMP groups and group members
• Aerohive switches use this information to track the status of multicast clients attached to the switch ports so that they can forward multicast traffic efficiently
From your network policy with Switching enabled: go to Additional Settings>Switch Settings>IGMP Settings
255. IGMP Snooping MAC Addresses
• IGMP device-specific options are available in the switch device configuration
• Users can enable or disable IGMP snooping for all VLANs or for a specified VLAN. When IGMP snooping is disabled, all dynamic multicast MAC addresses are deleted.
256. GENERATE AEROHIVE SWITCH RADIUS SERVER CERTIFICATES
Required when Aerohive devices are configured as RADIUS servers

257. HiveManager Root CA Certificate Location and Uses
• This root CA certificate is used to:
  › Sign the CSR (certificate signing request) that HiveManager creates on behalf of the AP acting as a RADIUS or VPN server
  › Validate Aerohive AP certificates to remote clients
    » 802.1X clients (supplicants) will need a copy of the CA certificate in order to trust the certificates on the Aerohive AP RADIUS server(s)
• Root CA Cert Name: Default_CA.pem
• Root CA Key Name: Default_key.pem
  Note: The CA key is only ever used or seen by HiveManager
• To view certificates, go to: Configuration, click Show Nav, then go to Advanced Configuration > Keys and Certificates > Certificate Mgmt

258. Use the Existing HiveManager CA Certificate, Do Not Create a New One!
• For this class, please do not create a new HiveManager CA certificate, otherwise it will render all previous certificates invalid.
• On your own HiveManager, you can create your own HiveManager CA certificate by going to: Configuration, then Advanced Configuration > Keys and Certificates > HiveManager CA

259. LAB: Aerohive Switch Server Certificate and Key – 1. Generate Aerohive switch server certificate
• Go to Configuration, click Show Nav, then Advanced Configuration > Keys and Certificates > Server CSR
• Common Name: server-X
• Organizational Name: Company
• Organization Unit: Department
• Locality Name: City
• State/Province: <2 characters>
• Country Code: <2 characters>
• Email Address: userX@ah-lab.com
• Subject Alternative Name: User FQDN: userX@ah-lab.com
  Note: This lets you add an extra step of validating the User FQDN in a certificate during IKE phase 1 for IPsec VPN. This way, the Aerohive AP needs a valid signed certificate and the correct user FQDN.
• Key Size: 2048
• Password & Confirm: aerohive123
• CSR File Name: Switch-X
• Click Create

260. LAB: Aerohive Switch Server Certificate and Key – 2. Sign and combine
• Select Sign by HiveManager CA
  › The HiveManager CA will sign the Aerohive AP server certificate
  › (The other option sends a signing request to an external certification authority.)
• The validity period should be the same as or less than the number of days the HiveManager CA certificate is valid
  › Enter the Validity: 3650 – approximately 10 years
• Check Combine key and certificate into one file
  › Enabling this setting helps prevent certificate and key mismatches when configuring the RADIUS settings
• Click OK

261. LAB: Aerohive Switch Server Certificate and Key – 3. View server certificate and key
• To view certificates, go to: Configuration, click Show Nav, then go to Advanced Configuration > Keys and Certificates > Certificate Mgmt
• The certificate and key file name is: switch-X_key_cert.pem
• QUIZ
  › Which CA signed this Aerohive switch server key?
  › What devices need to install the CA public cert?

262. QUESTIONS?
263. Lab: Switch as a RADIUS server – 1. Edit existing policy
• From Configuration, select your Network Policy: Access-X
• Click OK and then Continue

264. Lab: Switch Active Directory Integration – 2. Select your Network Policy
To configure the Aerohive device as a RADIUS server, select the Configure & Update Devices bar
• Select the Filter: Current Policy
• Click the link for your switch – SR-0X-######

265. Lab: Switch Active Directory Integration – 3. Create a RADIUS Service Object
Create an Aerohive AP RADIUS Service Object
• Under Optional Settings, expand Service Settings
• Next to Device RADIUS Service click +

266. Lab: Switch AP Active Directory Integration – 4. Create a RADIUS Service Object
• Name: SR-radius-X
• Expand Database Settings
• Uncheck Local Database
• Check External Database
• Under Active Directory, click + to define the RADIUS Active Directory Integration Settings

267. Lab: Switch Active Directory Integration – 5. Select a switch to test AD integration
• Name: AD-X
• Aerohive device for Active Directory connection setup: select your switch, SR-0X-#####
  › This will be used to test Active Directory integration
  › Once this switch is working, it can be used as a template for configuring other Aerohive device RADIUS servers with Active Directory integration
• The IP settings for the selected Aerohive switch are gathered and displayed

268. Lab: Switch Active Directory Integration – 6. Modify DNS settings
• Set the DNS server to: 10.5.1.10
  › This DNS server should be the Active Directory DNS server or an internal DNS server aware of the Active Directory domain
• Click Update
  › This applies the DNS settings to the network policy and to the Aerohive device so that it can test Active Directory connectivity

269. Lab: Switch Active Directory Integration – 7. Specify Domain and Retrieve Directory Information
• Domain: ah-lab.local
• Click Retrieve Directory Information
  › The Active Directory server IP will be populated, as well as the BaseDN used for LDAP user lookups

270. Lab: Switch Active Directory Integration – 8. Specify Domain and Retrieve Directory Information
• Domain Admin: hiveapadmin (the delegated admin)
• Password and Confirm Password: Aerohive1
• Click Join
• Check Save Credentials
  › NOTE: By saving credentials you can automatically join Aerohive devices to the domain without manual intervention

271. Lab: Switch Active Directory Integration – 9. Specify a User to Perform LDAP User Searches
• Domain User: user@ah-lab.local (a standard domain user)
• Password and Confirm Password: Aerohive1
• Click Validate User
  › You should see the message: The user was successfully authenticated.
  › These user credentials will remain and be used to perform LDAP searches to locate user accounts during authentication.

272. Lab: Switch Active Directory Integration – 10. Save the AD Settings
• Click Save

273. Lab: Switch Active Directory Integration – 11. Apply the AD settings
• Select AD-X with priority: Primary
• Click Apply … please make sure you click Apply
• Do not save yet.

274. Lab: Switch Active Directory Integration – 12. Enable LDAP credential caching
Enable the ability for a switch RADIUS server to cache user credentials, so that a user who has previously authenticated can still authenticate in the event that the AD server is not reachable
• Check Enable RADIUS Server Credentials Caching
• Do not save yet.

275. Lab: Switch Active Directory Integration – 13. Assign server certificate
Optional Settings > RADIUS Settings: assign the newly created switch server certificate and key to the switch RADIUS server
• CA Cert File: Default_CA.pem
• Server Cert File: switch-X_key_cert.pem
• Server Key File: switch-X_key_cert.pem
• Key File Password & Confirm Password: aerohive123
• Click Save

276. Lab: Switch Active Directory Integration – 14. Verify the RADIUS service object
• Ensure that the Aerohive AP RADIUS Service is set to: switch-radius-X
• Do not save yet.

277. Lab: Switch Active Directory Integration – 15. Set Static IP address on MGT0 interface
• Expand MGT0 Interface Settings
• Select Static IP
• Static IP Address: 10.5.1.7X, where X = student number (02 = 72, 03 = 73, … 12 = 82, 13 = 83)
• Netmask: 255.255.255.0
• Default Gateway: 10.5.1.1
Note: Aerohive devices that function as a server must have a static IP address.

278. Lab: Switch Active Directory Integration – 16. Save the switch settings
• Click Save
NOTE: Your Aerohive switch will have an icon displayed showing that it is a RADIUS server.

279. QUESTIONS?
280. SSID FOR 802.1X/EAP AUTHENTICATION USING AEROHIVE DEVICE RADIUS WITH AD KERBEROS INTEGRATION

281. Lab: Switch RADIUS w/ AD Integration – 1. Edit your WLAN Policy and Add SSID Profile
Configure an SSID that uses 802.1X/EAP with AD (Kerberos) integration
• Select the Configure Interfaces & User Access bar
• Next to SSIDs click Choose
• In Choose SSIDs
  › Select New

282. Lab: Switch RADIUS w/ AD Integration – 2. Configure a 802.1X/EAP SSID
• Profile Name: Class-AD-X
• SSID: Class-AD-X
• Under SSID Access Security select WPA/WPA2 802.1X (Enterprise)
• Click Save

283. Lab: Switch RADIUS w/ AD Integration – 3. Select new Class-AD-X SSID
• Click to deselect the Class-PSK-X SSID
• Ensure the Class-AD-X SSID is selected (highlighted)
• Click OK

284. Lab: Switch RADIUS w/ AD Integration – 4. Create a RADIUS object
• Under Authentication, click <RADIUS Settings>
• In Choose RADIUS, click New

285. Lab: Switch RADIUS w/ AD Integration – 5. Define the RADIUS Server IP settings
• RADIUS Name: SWITCH-RADIUS-X
• IP Address/Domain Name: 10.5.1.7X (02 = 72, 03 = 73, … 12 = 82, 13 = 83)
• Leave the Shared Secret empty
  NOTE: When the Aerohive device is a RADIUS server, devices in the same hive automatically generate a shared secret
• Click Apply (click Apply when done!)
• Click Save

286. Lab: Switch RADIUS w/ AD Integration – 6. Select User Profiles
• Verify that under Authentication, SWITCH-RADIUS-X is assigned
• Under User Profile click Add/Remove

287. Lab: Switch RADIUS w/ AD Integration – 7. Assign User Profile as Default for the SSID
• With the Default tab selected, select (highlight) the Employee-Default user profile
• IMPORTANT: This user profile will be assigned if no attribute value is returned from RADIUS after successful authentication, or if attribute value 1 is returned.
• Click the Authentication tab

288. Lab: Switch RADIUS w/ AD Integration – 8. Assign User Profile to be Returned by RADIUS Attribute
• In the Authentication tab, select (highlight) Employee-X
  › NOTE: The (User Profile Attribute) is appended to the User Profile Name
• Click Save

289. Lab: Switch RADIUS w/ AD Integration – 9. Verify and Continue
• Ensure the Employee-Default-1 and Employee-X user profiles are assigned to the Class-AD-X SSID
• Click Continue, or click the bar to Configure & Update Devices

290. Lab: Switch RADIUS w/ AD Integration – 10. Upload the config to the switch and AP
In the Configure & Update Devices section
• Select the Filter: Current Policy
• Select your devices
• Click Update

291. Lab: Switch RADIUS w/ AD Integration – 10. Upload the config to the switch and AP
• Select Update Devices
• Select Perform a complete configuration update for all selected devices
• Click Update
For this class, ALL updates should be complete configuration updates

292. Lab: Switch RADIUS w/ AD Integration – 11. Upload the config to the switch and AP
• Should the Reboot Warning box appear, click OK

293. QUESTIONS?
  • 294. © 2013 Aerohive Networks CONFIDENTIAL CLIENT ACCESS PREPARATION - DISTRIBUTING CA CERTIFICATES TO WIRELESS CLIENTS 294
• 295. LAB: Exporting CA Cert for Server Validation – 1. Go to HiveManager from the Remote PC
  From the VNC connection to the hosted PC, open a connection to:
  › For HM 1 – 10.5.1.20
  › For HM 2 – 10.5.1.23
  › For HM 3 – 10.5.1.20
  › For HM 5 – 10.5.1.20
  • Login with: adminX
  • Password: aerohive123
  NOTE: Here you are accessing HiveManager via the PC's Ethernet connection.
• 296. LAB: Exporting CA Cert for Server Validation – 2. Download Default CA Certificate to the Remote PC
  NOTE: The HiveManager root CA certificate should be installed on the client PCs that will use the RADIUS service on the Aerohive device for 802.1X authentication.
  • From the Remote PC, go to Configuration > Show Nav > Advanced Configuration > Keys and Certificates > Certificate Mgmt
  • Select Default_CA.pem
  • Click Export
• 297. LAB: Exporting CA Cert for Server Validation – 3. Rename HiveManager Default CA Cert
  • Export the public root Default_CA.pem certificate to the Desktop of your hosted PC
  › This is NOT your Aerohive AP server certificate; this IS the HiveManager public root CA certificate
  • Rename the extension of the Default_CA.pem file to Default_CA.cer
  › This way the certificate is automatically recognized by Microsoft Windows
  • Click Save (certificate name: Default_CA.cer; save as type: All Files)
• 298. LAB: Exporting CA Cert for Server Validation – 4. Install HiveManager Default CA Cert
  • Find the file that was just exported to your hosted PC
  • Double-click the certificate file on the Desktop: Default_CA
  • Click Install Certificate
  Issued to: HiveManager. This is the name of the certificate if you wish to find it in the certificate store, or to select it in the Windows supplicant PEAP configuration.
• 299. LAB: Exporting CA Cert for Server Validation – 5. Finish certificate installation
  • In the Certificate Import Wizard, click Next
  • Click Place all certificates in the following store
  • Click Browse
• 300. LAB: Exporting CA Cert for Server Validation – 6. Select Trusted Root Certification Authorities
  • Click Trusted Root Certification Authorities
  • Click OK
  • Click Next
• 301. LAB: Exporting CA Cert for Server Validation – 7. Finish Certificate Import
  • Click Finish
  • Click Yes
  • Click OK
• 302. LAB: Exporting CA Cert for Server Validation – 8. Verify certificate is valid
  • Click OK to close the certificate
  • Double-click Default_CA to reopen the certificate
  • You will see that the certificate is valid, with a validity start date and end date
  • Click the Details tab
• 303. LAB: Exporting CA Cert for Server Validation – 9. View the Certificate Subject
  • In the Details section, view the certificate Subject
  • This Subject, HiveManager, is what will appear in the list of trusted root certification authorities in the supplicant you configure later in this lab (Protected EAP (PEAP) Properties in the supplicant, i.e. the 802.1X client)
• 304. QUESTIONS?
• 305. CONFIGURING AND TESTING YOUR 802.1X SUPPLICANT (for Windows 7 supplicants)
• 306. Lab: Testing Switch RADIUS w/ AD Integration – 1. Connect to Secure Wireless Network
  On the hosted PC, from the bottom task bar, click the wireless networks icon
  • Click Class-AD-X
  • Click Connect
  • A Windows Security Alert should appear; click Details to verify that the certificate is from HiveManager, then click Connect
  (server-2 is the AP certificate, and HiveManager is the trusted CA)
• 307. Lab: Testing Switch RADIUS w/ AD Integration – 2. View Active Clients
  • After associating with your SSID, you should see your connection in the active clients list in HiveManager
  › Go to Monitor > Clients > Wireless Clients
  • IP Address: 10.5.1.#
  • User Name: DOMAIN\user
  • VLAN: 1
  • User Profile Attribute: 1
  NOTE: User Profile Attribute 1 is the Employee-Default-1 user profile for the SSID. This user profile is assigned because no User Profile Attribute value was returned from RADIUS.
• 308. QUESTIONS?
• 309. MAPPING ACTIVE DIRECTORY MEMBEROF ATTRIBUTE TO USER PROFILES
• 310. Aerohive AP as a RADIUS Server – Using AD Member Of for User Profile Assignment
  • In your network policy, you defined an SSID with two user profiles:
  › Employees(1)-1 – set if no RADIUS attribute is returned
  » This user profile, for example, is for general employee staff, who are assigned to VLAN 1
  › Employee(10)-X – set if a RADIUS attribute is returned
  » This user profile, for example, is for privileged employees, who are assigned to VLAN 10
  • Because the switch RADIUS server uses AD to authenticate the users, and AD does not return RADIUS attributes, how can we assign users to different user profiles?
  • Though AD does not return RADIUS attributes, it does return other attribute values, such as memberOf, which is the list of AD groups to which the user belongs
• 311. Instructor Only: Confirm User is a member of the Wireless AD Group
  • Right-click the username userX and click Properties
  • Click the Member Of tab
  • The user account userX should belong to the Wireless AD group
  • Click OK
• 312. Lab: Use AD to Assign User Profile – 1. Map memberOf attribute to user profile
  • From Configuration > Show Nav > Advanced Configuration > Authentication > Aerohive AAA Server Settings > SR-radius-X
  • Expand Database Settings
  • Check LDAP server attribute mapping
  • Select Manually map LDAP user groups to user profiles
  • LDAP User Group Attribute: memberOf
  • Domain: dc=AH-LAB,dc=LOCAL
  • Click + to expand the LDAP tree
• 313. Lab: Use AD to Assign User Profile – 2. Add group to user profile mapping
  • Expand the tree structure to locate the group:
  › Expand CN=Users
  › Select CN=Wireless
  • For Maps to, from the drop-down list select the user profile: Employee-X
  • Click Apply
  • The mapping appears below the LDAP directory (the LDAP group Wireless maps to Employee(10)-X)
  • Click Save
  NOTE: The CN in Active Directory does not have to match the name of the user profile; that is by choice, not necessity.
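The profile-selection logic the mapping above produces, as an added example (not Aerohive or HiveManager code): the memberOf group DNs returned by AD are compared against the configured group mapping, a match yields the mapped profile and no match falls back to the SSID default, exactly as the two lab results (attribute 1 / VLAN 1 versus attribute 10 / VLAN 10) show. The list-of-DNs input, the dict mapping, and the case- and whitespace-insensitive DN comparison are assumptions.

```python
"""Choosing a user profile from the Active Directory memberOf attribute,
as the lab's LDAP group mapping does (slides 310 to 317).

Added example, not Aerohive code.  Assumptions: memberOf is delivered as a
list of group DNs; the mapping is a dict of group DN -> user profile name,
like the entry made under "Manually map LDAP user groups to user profiles";
DN comparison ignores case and whitespace around RDNs, so a group written
as "cn=wireless" still matches instead of silently falling back to the
default profile.  Attribute and VLAN numbers are the lab's.
"""
from __future__ import annotations

# Constructed: the SSID's two user profiles from slide 310.
DEFAULT_PROFILE = {"name": "Employee(1)-1", "attribute": 1, "vlan": 1}
PROFILES = {"Employee(10)-X": {"name": "Employee(10)-X", "attribute": 10, "vlan": 10}}
# Constructed: the single LDAP group mapping entered in the lab.
GROUP_MAP = {"CN=Wireless,CN=Users,DC=AH-LAB,DC=LOCAL": "Employee(10)-X"}


def normalize_dn(dn: str) -> str:
    """Canonical DN for comparison: trim each RDN and lowercase it.
    (Escaped commas inside values, e.g. 'CN=Doe\\, Jane', are not handled.)"""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def select_profile(member_of: list[str], group_map: dict[str, str] = GROUP_MAP) -> dict:
    """Return the user profile for a user.  The first mapped group (in mapping
    order) found in memberOf wins; no match means no attribute is returned,
    so the SSID's default profile applies."""
    groups = {normalize_dn(g) for g in member_of}
    for mapped_dn, profile_name in group_map.items():
        if normalize_dn(mapped_dn) in groups:
            return PROFILES[profile_name]
    return DEFAULT_PROFILE


if __name__ == "__main__":
    # Constructed sample users: one in the Wireless group (with odd casing
    # and spacing in the DN), one only in Domain Users.
    wireless_user = ["CN=Domain Users,CN=Users,DC=AH-LAB,DC=LOCAL",
                     "cn=wireless, cn=users, dc=ah-lab, dc=local"]
    plain_user = ["CN=Domain Users,CN=Users,DC=AH-LAB,DC=LOCAL"]
    print(select_profile(wireless_user)["vlan"])  # 10
    print(select_profile(plain_user)["vlan"])     # 1
```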
• 314. Lab: Use AD to Assign User Profile – 3. Update devices
  • Select Update Devices
  • Select Perform a complete configuration update for all selected devices
  • Click Update
  For this class, ALL updates should be complete configuration updates.
• 315. Lab: Use AD to Assign User Profile – 4. Update devices
  • Should the Reboot Warning box appear, click OK
• 316. Lab: Use AD to Assign User Profile – 5. Disconnect and Reconnect to the Class-AD SSID
  To test the mapping of the memberOf attribute to your user profile:
  • Disconnect from the Class-AD-X SSID
  • Connect to the Class-AD-X SSID
• 317. Lab: Use AD to Assign User Profile – 6. Verify your active client settings
  • From Monitor > Clients > Active Clients
  › Your client should now be assigned:
  » IP Address: 10.5.10.#
  » User Profile Attribute: 10
  » VLAN: 10
  NOTE: In the previous lab, without the LDAP group mapping, the user was assigned attribute 1 in VLAN 1.
• 318. QUESTIONS?
• 319. AEROHIVE SWITCHES AS BRANCH ROUTERS
• 320. Medium Size Branch or Regional Office
  • SR2024 as Branch Router
  › Line-rate Layer 2 switch
  › 8 ports of PoE
  › Multi-authentication access ports
  » 802.1X with fallback to MAC auth or open
  › Client visibility
  » View client information by port
  › RADIUS server
  › Routing between local VLANs
  › Layer 3 IPsec VPN
  › NAT for subnets through VPN
  › NAT port forwarding on WAN
  › DHCP server
  › USB 3G/4G backup
  › and more…
  (Diagram: Internet – SR2024 – PoE – APs. Provides access for: Employees, Guests, Contractors, Phones, APs, Servers)
• 321. CREATE A ROUTING NETWORK POLICY – YOU CAN CLONE YOUR EXISTING ACCESS POLICY (for wireless, switching, and routing)
• 322. Lab: Add Routing to Network Policy – 1. Edit existing policy
  • From Configuration, next to your network policy Access-X, click the sprocket icon
  • Click Edit
• 323. Lab: Add Routing to Network Policy – 2. Select Branch Routing
  Add the option for Branch Routing to your network policy
  • Check Branch Routing so you have:
  › Wireless Access
  › Switching
  › Branch Routing
  › Bonjour Gateway
  • Click Save
  • Click OK
  • NOTE: Enabling Branch Routing:
  » Enables L3 VPN configuration
  » Disables L2 VPN configuration
  » Enables the L3 Router Firewall Policy
  » Enables Policy-Based Routing with Identity
  » Enables router configuration settings in Additional Settings
• 324. CLONE SWITCH DEVICE TEMPLATE AS SWITCH AND ADD NEW SWITCH DEVICE TEMPLATE AS BRANCH ROUTER
• 325. Lab: Create a Switch Template for Routing – 1. Select and clone your existing device template
  • Next to Device Templates, click Choose
  • Select your SR2024-Default-X device template (configured as a switch)
  • Click the sprocket icon
  • Click Clone
• 326. Lab: Create a Switch Template for Routing – 2. Define router function of the device template
  • Click Device Models
  • Notice all the device models for which you can create templates when the network policy includes routing
  • Ensure that SR2024 is selected
  • Click OK
• 327. Lab: Create a Switch Template for Routing – 3. Define router function of the device template
  • Name: SR2024-Router-Default-X
  • Change the function to Router
  • Click Save
• 328. Lab: Create a Switch Template for Routing – 4. Select both templates
  • Ensure both of your SR2024 templates are selected
  • Click OK
  • Hide the SR2024-Default-X (Switch) template
  • Expand the SR2024-Router-Default-X (Router) template
• 329. Lab: Create a Switch Template for Routing – 5. Remove configuration of existing uplink ports
  Next you will change your uplink ports and add a WAN port instead
  • Select ports 23 and 24, and click Configure
  • Remove the port type by clicking the selected port type so that it is no longer highlighted
  • Click OK
  • Click OK again to dismiss the warning
• 330. Examples of templates for other devices
  (Figures: BR200-WP; AP330 as Router)
• 331. CONFIGURE ROUTER WAN PORTS – PORTS THAT CONNECT TO THE INTERNET AND PROVIDE NAT
• 332. Router WAN Ports
  • SR2024 as Branch Router – WAN port example:
  › Corp ISP (fast) – WAN Primary
  › DSL – WAN Backup 1
  › USB Wireless – WAN Backup 2
• 333. Lab: Create a Switch Template for Routing – 1. Add necessary WAN port for router
  • Select Port 23 and Port 24 (USB is always a WAN port)
  • Click Configure
  Note: You can have up to 3 WAN ports: 1 primary and 2 backup. Two ports can be Ethernet and one can be USB. If you select multiple ports as WAN ports, you choose which are primary and backup in the switch-specific settings. When the switch is a router, you must configure at least one port as a WAN port.
• 334. Lab: Create a Switch Template for Routing – 2. Add necessary WAN port for router
  • Click New
  • Name: WAN-X
  • Select WAN
  • Click Save
  • With WAN-X selected, click OK
• 335. Lab: Create a Switch Template for Routing – 3. Review WAN port settings
  • The USB port, Port 23 and Port 24 now display a WAN (cloud) icon (the USB port does not display the cloud icon in this version of the code)
• 336. Lab: Create a Switch Template for Routing – 4. Save your Network Policy
  • From the Configure Interfaces & User Access bar, click Save
• 337. Note: Switch Port Settings – to be configured later, not now
  • At a later point in this lab, you will configure the priority of the WAN ports for primary and backup (switch settings)
• 338. PORT TYPES
• 339. 6.0 Network Policy
  Besides the addition of the WAN port, all port types are identical in network policies with and without Branch Routing selected. This means the same port types can be used in both switching (Layer 2) and branch routing (Layer 3) network policies.
• 340. VLAN-TO-SUBNET ASSIGNMENTS FOR ROUTER INTERFACES
• 341. VLAN-to-subnet assignments for router interfaces
  • If the network policy is configured with routing, then for every VLAN configured for SSIDs or port types you must define the IP subnets that will be assigned to the branch routers (or switches acting as branch routers)
  • The VLANs are automatically populated from the VLANs assigned to user profiles for SSIDs and port types
  • If you have additional VLANs to define, click Add
• 342. Network and Sub Networks – Internal Use
  • HiveManager assigns a unique subnet from the network to each router, including the DHCP settings
  (Diagram: HQ with Cloud VPN Gateway, Network 10.102.0.0/16; three BR100 branch routers reached over the Internet, each with its own sub network:)
  › Sub Network 10.102.0.0/24 – DHCP IP range 10.102.0.10 – 10.102.0.244, default gateway 10.102.0.1, DNS 10.102.0.1 (router is DNS proxy)
  › Sub Network 10.102.1.0/24 – DHCP IP range 10.102.1.10 – 10.102.1.244, default gateway 10.102.1.1, DNS 10.102.1.1 (router is DNS proxy)
  › Sub Network 10.102.2.0/24 – DHCP IP range 10.102.2.10 – 10.102.2.244, default gateway 10.102.2.1, DNS 10.102.2.1 (router is DNS proxy)
• 343. Networks and Hosts Per Network – A Little Bit of Subnet Theory – Yay!
  Calculating a network using an IP address and a netmask
  Conversion chart between binary and decimal (decimal value for each bit position):
    Bit position:   2^7  2^6  2^5  2^4  2^3  2^2  2^1  2^0
    Decimal value:  128   64   32   16    8    4    2    1
    Example:          0    0    0    0    1    0    1    0   = 8 + 2 = 10
  When you assign IP addresses, you determine how many networks and how many hosts per network you need.
  Example: create subnets for network 10.102.0.0/16 (8 bits . 8 bits . 8 bits . 8 bits)
    IP address in binary:      00001010.01100110.00000000.00000000
    Netmask in binary:       x 11111111.11111111.11111111.00000000
    Multiply each column:      00001010.01100110.00000000.00000000
    Convert back to decimal:   10.102.0.0
    IP Network: 16 bits (8 + 8) | Subnet: 8 bits = 256 subnets | Hosts: 8 bits = 256 hosts – 2 = 254
• 344. Networks and Hosts Per Network – IP Address Management
  Example 1: Move the Subnet slider bar to 256 branches – Network Mask: /16, Subnet Mask: /24 (8 bits . 8 bits . 8 bits . 8 bits)
    IP address in binary:      00001010.01100110.00000000.00000000
    Netmask in binary:       x 11111111.11111111.11111111.00000000
    Multiply each column:      00001010.01100110.00000000.00000000
    Convert back to decimal:   10.102.0.0
    IP Network: 16 bits | Subnet: 8 bits = 256 branches | Hosts: 8 bits = 256 clients/branch – 3 = 253
  Note: HiveManager lets you reserve the first or last IP in each subnet as the default gateway for that subnet.
• 345. Networks and Hosts Per Network – Automatic Subnet Creation
  Same /16 network and /24 subnet mask as above (8 bits . 8 bits . 8 bits . 8 bits); the third octet counts through the subnets and the fourth octet holds the hosts:
    10.102.00000000 = 10.102.0.x    hosts 1-254
    10.102.00000001 = 10.102.1.x    hosts 1-254
    10.102.00000010 = 10.102.2.x    hosts 1-254
    10.102.00000011 = 10.102.3.x    hosts 1-254
    10.102.00000100 = 10.102.4.x    hosts 1-254
    10.102.00000101 = 10.102.5.x    hosts 1-254
    10.102.00000110 = 10.102.6.x    hosts 1-254
    10.102.00000111 = 10.102.7.x    hosts 1-254
    10.102.00001000 = 10.102.8.x    hosts 1-254
    ..
    10.102.11111111 = 10.102.255.x  hosts 1-254
• 346. Networks and Hosts Per Network – IP Address Management
  Example 2: Move the Subnet slider bar to 512 branches – Network Mask: /16, Subnet Mask: /25 (8 bits . 8 bits . 9 bits . 7 bits)
    IP address in binary:      00001010.01100110.00000000.00000000
    Netmask in binary:       x 11111111.11111111.11111111.10000000
    Multiply each column:      00001010.01100110.00000000.00000000
    Convert back to decimal:   10.102.0.0
    IP Network: 16 bits | Subnet: 9 bits = 512 branches | Hosts: 7 bits = 128 clients/branch – 3 = 125
  Note: HiveManager lets you reserve the first or last IP in each subnet as the default gateway for that subnet.
• 347. Networks and Hosts Per Network – Automatic Subnet Creation
  Same /16 network with a /25 subnet mask (8 bits . 8 bits . 9 bits . 7 bits); the third octet plus the top bit of the fourth octet count through the subnets, and the remaining 7 bits hold the hosts:
    10.102.00000000.0 = 10.102.0.0      hosts 1-126
    10.102.00000000.1 = 10.102.0.128    hosts 129-254
    10.102.00000001.0 = 10.102.1.0      hosts 1-126
    10.102.00000001.1 = 10.102.1.128    hosts 129-254
    10.102.00000010.0 = 10.102.2.0      hosts 1-126
    10.102.00000010.1 = 10.102.2.128    hosts 129-254
    10.102.00000011.0 = 10.102.3.0      hosts 1-126
    10.102.00000011.1 = 10.102.3.128    hosts 129-254
    10.102.00000100.0 = 10.102.4.0      hosts 1-126
    ..
    10.102.11111111.1 = 10.102.255.128  hosts 129-254
• 349. LAB: Assign VLAN-to-subnet – router interfaces
  • If the network policy is configured with routing, then for every VLAN configured for SSIDs or port types you must define the IP subnets that will be assigned to the branch routers (or switches acting as branch routers)
  • The VLANs are automatically populated from the VLANs assigned to user profiles for SSIDs and port types
  • If you have additional VLANs to define, click Add
• 350. LAB: Assign VLAN-to-subnet – router interfaces – 1. Select VLAN 10 and create network
  • Next to VLAN 10, click Choose
  • Click New
• 351. LAB: Assign VLAN-to-subnet – router interfaces – 2. Create internal employee network
  • Name: Net-Employee-1XX (XX = 02, 03, …, 15, 16)
  • Web Security: None
  • DNS Service: Class
  • Network Type: Internal Use
  • Do not save yet
• 352. Note: DNS Service Objects
  NOTE: This Quick Start DNS Service object sets clients to use the router interface IP as the DNS server; the router proxies the DNS requests to the DNS server learned statically or by DHCP on the WAN interface. Separate DNS servers can also be used for internal and external domain resolution.
• 353. LAB: Assign VLAN-to-subnet – router interfaces – 3. Create internal employee network
  • Click NEW to create a parent network
• 354. LAB: Assign VLAN-to-subnet – router interfaces – 4. Define the Parent Network and subnetworks
  • IP Network: 10.1XX.0.0/16
  • Move the slider bar to select 256 branches and 253 clients per branch
  NOTE: This is the parent network that will be partitioned into a number of IP subnets determined by the slider bar. The slider sets the number of branches vs. clients per branch, which defines the subnet mask for each subnet; moving it changes the number of bits in the subnet mask. Clients per branch = 253 in this case because one IP is reserved for the router, and the .0 and .255 addresses are not used.
• 355. LAB: Assign VLAN-to-subnet – router interfaces – 5. Enable DHCP
  • Check Enable DHCP server
  • For the DHCP Address Pool, move the slider bar to reserve 10 IP addresses at the start of the address pool that can be assigned statically
  • Please do not save yet!!!
  NOTE: In most cases the router will be the DHCP server. If it is not, you can disable the DHCP service, and this network definition is then used only to configure the router interface IP addresses.
• 356. Note: Custom Options Example
  • Note that you can define custom DHCP options if needed
  • For example, you can set custom DHCP options for the hostname of HiveManager (option 225) or the IP address of HiveManager (option 226), or options required by certain IP phones
• 357. DEFINE SPECIFIC SUBNETS FOR EACH SITE BY USING DEVICE CLASSIFICATION
• 358. What is the goal?
  • Assign subnets from the IP address space to specific sites
  • For example, define the subnets that will be used for Site-1a and Site-1b, but let HiveManager allocate one for Site-1c
  (Diagram: Network 10.101.0.0/16; three BR100 branch routers reached over the Internet:)
  › Site-1a – Sub Network 10.101.1.0/24, DHCP IP range 10.101.1.11 – 10.101.1.254, default gateway 10.101.1.1
  › Site-1b – Sub Network 10.101.2.0/24, DHCP IP range 10.101.2.11 – 10.101.2.254, default gateway 10.101.2.1
  › Site-1c – Sub Network 10.101.25.0/24, DHCP IP range 10.101.25.11 – 10.101.25.254, default gateway 10.101.25.1
• 359. LAB: Assign VLAN-to-subnet – router interfaces – 1. Define subnet to be assigned to Site-Xa
  By default, each branch router is assigned one subnet from the local IP address space
  • To assign specific subnets of the local IP address space to sites:
  › Check Allocate local subnetworks by specific IP addresses at sites, then click New
  • IP Address: 10.1XX.1.1 (XX = 01, 02, 03, …, 18)
  • Type: Device Tag
  • Tag1: Site-Xa (Xa = 2a, 3a, 4a, …, 18a)
  • Click Apply
• 360. LAB: Assign VLAN-to-subnet – router interfaces – 2. Define subnet to be assigned to Site-Xb
  Define the next subnet
  • Click New
  • IP Address: 10.1XX.2.1
  • Type: Device Tag
  • Tag1: Site-Xb (Xb = 2b, 3b, 4b, …, 18b)
  • Click Apply
  • Click Save
  Note: You can specify up to 256 tags.
• 361. LAB: Assign VLAN-to-subnet – router interfaces – 3. Save the Network
  Verify that you have all the settings needed for the network
  • DNS: Class
  • Network Type: Internal Use
  • Subnetwork: 10.1XX.0.0/16
  • Verify the IP Allocation Statements
  • Click Save
  Note: (T) = True, the tag must match; (F) = False, no match required. Here you can see that 10.102.1.1 must go to a router with Tag1 set to Site-2a, and 10.102.2.1 must go to a router with Tag1 set to Site-2b.
• 362. LAB: Assign VLAN-to-subnet – router interfaces – 4. Choose the Network
  • Ensure your policy is highlighted and click OK
• 363. Note: Device Classification Settings on Your Device (Device-Specific Settings)
  • In a later lab, you will define Device Classification Tag1 on your switch with the same entry that was used in the network configuration: Site-Xa
• 364. What did you just do?
  • You specified that certain sites have or will require specific IP addresses in them, for example Site-1a (10.101.1.1) and Site-1b (10.101.2.1)
  › These can be any IP in the subnet; we chose the IP of the default gateways
  • Therefore HiveManager allocates the subnets that contain the IP addresses specified for those two sites
  (Diagram: Network 10.101.0.0/16; three BR100 branch routers reached over the Internet:)
  › Site-1a – Sub Network 10.101.1.0/24, DHCP IP range 10.101.1.11 – 10.101.1.254, default gateway 10.101.1.1
  › Site-1b – Sub Network 10.101.2.0/24, DHCP IP range 10.101.2.11 – 10.101.2.254, default gateway 10.101.2.1
  › Site-1c – Sub Network 10.101.25.0/24, DHCP IP range 10.101.25.11 – 10.101.25.254, default gateway 10.101.25.1 (*this subnet was chosen by HiveManager because no IP at the site was defined)
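The subnet theory of slides 343-347 and the tag-based allocation of slides 358-364, worked through in code as an added example (not Aerohive or HiveManager code): the address-AND-netmask step, the slider's branches-versus-clients split of a /16 parent, the DHCP pool left after reserving the first addresses, and an allocator that honours IP Allocation Statements by Tag1 and hands every other router a free subnet. Assumed (not stated on the slides): the gateway is the first usable address, the reservation counts from the gateway, and an unpinned router gets the lowest free subnet.

```python
"""Subnet maths behind the HiveManager parent-network slider and the
IP Allocation Statements (slides 343 to 364).

Added example, not Aerohive or HiveManager code.  Assumptions taken from
the slides: the router gateway is the first usable address of each subnet;
every subnet loses network, broadcast and gateway addresses (the "- 3");
"reserve N addresses at the start of the pool" counts from the gateway;
and a router with no matching allocation statement receives the lowest
free subnet (what HiveManager actually picks is not shown on the slides).
"""
from __future__ import annotations

import ipaddress
import math


def to_binary(addr: str) -> str:
    """Dotted binary form used on slide 343, e.g. 10.102.0.0 ->
    00001010.01100110.00000000.00000000."""
    return ".".join(f"{octet:08b}" for octet in ipaddress.ip_address(addr).packed)


def network_address(addr: str, mask: str) -> str:
    """'Multiply each column': the network is address AND netmask."""
    a = int(ipaddress.ip_address(addr))
    m = int(ipaddress.ip_address(mask))
    return str(ipaddress.ip_address(a & m))


def partition(parent: str, branches: int) -> tuple[int, int]:
    """Slider maths: split `parent` into at least `branches` equal subnets.
    Returns (subnet prefix length, clients per branch)."""
    net = ipaddress.ip_network(parent, strict=True)
    subnet_bits = math.ceil(math.log2(branches))  # 256 branches -> 8 bits, 512 -> 9
    prefix = net.prefixlen + subnet_bits
    if prefix > 30:  # a /31 or /32 has no room for a gateway plus clients
        raise ValueError(f"{branches} branches leave no usable hosts in {parent}")
    clients = 2 ** (32 - prefix) - 3  # network, broadcast and gateway removed
    return prefix, clients


def dhcp_pool(subnet: str, reserve: int = 10) -> tuple[str, str, str]:
    """Gateway and DHCP range after reserving `reserve` addresses (gateway
    included) at the start of the subnet for static assignment."""
    hosts = list(ipaddress.ip_network(subnet, strict=True).hosts())
    if reserve >= len(hosts):
        raise ValueError("reservation leaves no addresses for DHCP")
    return str(hosts[0]), str(hosts[reserve]), str(hosts[-1])


def allocate(parent: str, branches: int, routers: list[tuple[str, str]],
             statements: dict[str, str]) -> dict[str, str]:
    """One subnet per router.  `routers` is [(hostname, Tag1)]; `statements`
    maps an IP address to the Tag1 a router must carry to receive the
    subnet containing that IP (the (T) IP Allocation Statements)."""
    net = ipaddress.ip_network(parent, strict=True)
    prefix, _ = partition(parent, branches)
    subnets = list(net.subnets(new_prefix=prefix))
    pinned: dict[str, ipaddress.IPv4Network] = {}
    for ip, tag in statements.items():
        addr = ipaddress.ip_address(ip)
        if addr not in net:
            raise ValueError(f"{ip} lies outside the parent network {parent}")
        sub = next(s for s in subnets if addr in s)
        if tag in pinned and pinned[tag] != sub:
            raise ValueError(f"tag {tag} is pinned to two different subnets")
        pinned[tag] = sub
    used = set(pinned.values())
    free = iter(s for s in subnets if s not in used)
    result: dict[str, str] = {}
    claimed: set[ipaddress.IPv4Network] = set()
    for host, tag in routers:
        if tag in pinned:
            sub = pinned[tag]
        else:
            try:
                sub = next(free)  # assumption: lowest free subnet
            except StopIteration:
                raise ValueError(f"{parent} has no free /{prefix} left") from None
        if sub in claimed:
            raise ValueError(f"{sub} claimed twice; is tag {tag!r} set on two routers?")
        claimed.add(sub)
        result[host] = str(sub)
    return result


if __name__ == "__main__":
    # Constructed sample matching slides 358/364: two pinned sites, one dynamic.
    site_routers = [("SR-02-a", "Site-1a"), ("SR-02-b", "Site-1b"), ("SR-02-c", "Site-1c")]
    pins = {"10.101.1.1": "Site-1a", "10.101.2.1": "Site-1b"}
    print(to_binary("10.102.0.0"))                    # 00001010.01100110.00000000.00000000
    print(partition("10.102.0.0/16", 256))            # (24, 253)
    print(partition("10.102.0.0/16", 512))            # (25, 125)
    for host, sub in allocate("10.101.0.0/16", 256, site_routers, pins).items():
        print(host, sub, dhcp_pool(sub))
```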
• 365. ADD NETWORKS FOR THE OTHER VLANS
• 366. Add More Networks
  • Create networks for VLAN 2 and VLAN 8
  • If the VLAN is not in the list, click Add
  › Enter the VLAN
  › Then proceed to configuring the networks
• 367. LAB: Assign VLAN-to-subnet – router interfaces – 1. Select VLAN 2 and create network
  • Next to VLAN 2, click Choose
  • Click New
• 368. LAB: Assign VLAN-to-subnet – router interfaces – 2. Create internal voice network
  • Create another internal network for VLAN 2, named 10.2XX.0.0-Voice-X
  • Web Security: None
  • DNS Service: Class
  • Network Type: Internal Use
  • Do not save yet
• 369. LAB: Assign VLAN-to-subnet – router interfaces – 3. Create internal voice network
  • Click NEW to create a parent network
• 370. LAB: Assign VLAN-to-subnet – router interfaces – 4. Define the Parent Network and subnetworks
  • IP Network: 10.2XX.0.0/16
  • Move the slider bar to select 256 branches and 253 clients per branch
  NOTE: This is the parent network that will be partitioned into a number of IP subnets determined by the slider bar. The slider sets the number of branches vs. clients per branch, which defines the subnet mask for each subnet; moving it changes the number of bits in the subnet mask. Clients per branch = 253 in this case because one IP is reserved for the router, and the .0 and .255 addresses are not used.
• 371. LAB: Assign VLAN-to-subnet – router interfaces – 5. Enable DHCP
  • Check Enable DHCP server
  • For the DHCP Address Pool, move the slider bar to reserve 10 IP addresses at the start of the address pool that can be assigned statically
  • Click Save
  NOTE: In most cases the router will be the DHCP server. If it is not, you can disable the DHCP service, and this network definition is then used only to configure the router interface IP addresses.
• 372. LAB: Assign VLAN-to-subnet – router interfaces – 6. Verify and save the Subnetwork
  • Click Save
  • Ensure your policy is highlighted and click OK
• 373. Networks for Guest Use
  • All guest stations at each branch office use the same IP subnet
  • All guest traffic destined for the Internet is network address translated to the unique IP address of the router WAN interface
  (Diagram: HQ with Cloud VPN Gateway, Network: Guest Use; three BR100 branch routers reached over the Internet, each with the same guest network and its own WAN address:)
  › Network 192.168.83.0/24 (Guest Use) – DHCP IP range 192.168.83.10 – 192.168.83.244, default gateway 192.168.83.1, DNS 192.168.83.1 (router is DNS proxy) – WAN: 2.1.1.20
  › Network 192.168.83.0/24 (Guest Use) – DHCP IP range 192.168.83.10 – 192.168.83.244, default gateway 192.168.83.1, DNS 192.168.83.1 (router is DNS proxy) – WAN: 2.50.33.5
  › Network 192.168.83.0/24 (Guest Use) – DHCP IP range 192.168.83.10 – 192.168.83.244, default gateway 192.168.83.1, DNS 192.168.83.1 (router is DNS proxy) – WAN: 1.3.2.90
• 374. LAB: Assign VLAN-to-subnet – router interfaces – 7. Select VLAN 8 and create guest network
  • Next to VLAN 8, click Choose
  • Click New
• 375. LAB: Assign VLAN-to-subnet – router interfaces – 8. Create the Guest network
  • Name: 192.168.83.0-Guest-X
  • Web Security: None
  • DNS Service: Class
  • Network Type: Guest Use
  • Guest Use Network: 192.168.83.0/24
  • DHCP Address Pool: reserve the first 10
  • Check Enable DHCP server
  NOTE: Devices assigned to a Guest Use network are restricted from accessing the corporate VPN and from initiating communication to corporate devices.
• 376. LAB: Assign VLAN-to-subnet – router interfaces – 9. Save the Guest network
  • Verify your settings
  • Click Save
  • Click OK
• 377. Verify Subnet Assignments for Router Interfaces
  • You should have a network defined for each of the VLANs specified
• 378. LAB: Assign VLAN-to-subnet – router interfaces – 10. Save your Network Policy
  • From the Configure Interfaces & User Access bar, click Save
• 379. CHANGE SSID PROFILES
• 380. Lab: Change SSID Profiles – 1. Change SSIDs
  • Under Configure Interfaces & User Access, next to SSIDs, click Choose
• 381. Lab: Change SSID Profiles – 2. Select Class-PSK-X SSID
  • Click to deselect the Class-AD-X SSID
  • Ensure the Class-PSK-X SSID is selected (highlighted)
  • Click OK
• 382. Lab: Change SSID Profiles – 3. Verify settings
  • Verify settings
  • Click Continue
• 383. CREATING FILTERS
• 384. Lab: Device Filters – 1. From Configure & Update Devices
  Create filters to limit the number of devices displayed
  • Click the Configure & Update Devices bar
  • Next to Filter, click +
• 385. Lab: Device Filters – 2. Create a filter
  You can create and save filters based on many criteria
  • For this filter:
  › Set the Device Model to SR2024
  › Set the hostname to: SR-XX-
  › XX is your two-digit student ID: 02-15
  › Do not forget the dash (-) at the end; this ensures your student ID is the match
  • For Remember This Filter, enter: XX-switch-router
  • Click Search
• 386. Lab: Device Filters – 3. View your Real and Simulated Switch/Routers
  • We will be using real and simulated devices in this lab
  • With the filter selected, you will see your real and simulated switch/routers, which all start with SR-XX-
• 387. UPDATE THE DEVICE CONFIGURATION OF YOUR SWITCH/ROUTERS
  • 388. © 2013 Aerohive Networks CONFIDENTIAL 388 Lab: Update your Switch Configuration 1. Modify your switch • Check next to your switch SR-XX-####### • Click Modify
  • 389. © 2013 Aerohive Networks CONFIDENTIAL 389 Make the following settings • Device Function: Router (IMPORTANT) • Location: First-Name_Last- Name • Network Policy: Access-X • When the warning box appears, click: OK • Do NOT save yet Lab: Update your Switch Configuration 2. Change switch to function as a router
  • 390. © 2013 Aerohive Networks CONFIDENTIAL 390 Set the Device Classification Tag1 so that this device will be assigned to networks with matching tag definitions • Under Device Classification › Tag1: Site-Xa Note: The tag you entered in the network will automatically show up in the list • Do NOT save yet Lab: Update your Switch Configuration 3. Specify the Device Classification Tag1
  • 391. © 2013 Aerohive Networks CONFIDENTIAL 391 • Expand Interface and Network Settings • Set the following priorities: › USB WAN: Backup2 › Eth1/23 WAN: Backup1 › Eth1/24 WAN: Primary (Please verify that 1/24 is Primary) • Ensure NAT is enabled on the WAN Interfaces • Do Not save yet NOTE: Check Enable NAT Lab: Update your Switch Configuration 4. Change WAN port priority settings
  • 392. © 2013 Aerohive Networks CONFIDENTIAL Lab: Update your Switch Configuration 5. Disable RADIUS services 392 Remove the RADIUS object from earlier lab • Under Optional Settings, expand Service Settings • Uncheck ☐Enable the router as a RADIUS Server
  • 393. © 2013 Aerohive Networks CONFIDENTIAL Lab: Update Router Configuration 6. Save your device settings 393 • Click Save
  • 394. © 2013 Aerohive Networks CONFIDENTIAL 394 • Select  Routers to select all three routers • Click Update Lab: Update Router Configuration 7. Update your device settings
  • 395. © 2013 Aerohive Networks CONFIDENTIAL 395 • Select Update Devices • Select Perform a complete configuration update for all selected devices • Click Update For this class, ALL Updates should be Complete configuration updates Lab: Update Router Configuration 7. Update your device settings
  • 396. © 2013 Aerohive Networks CONFIDENTIAL 396 • Should the Reboot Warning box appear, select OK Click OK Lab: Update Router Configuration 8. Update your device settings
397. VIEW SUBNET ALLOCATION REPORT

398. Network and Sub Networks (Internal Use)
• HiveManager assigns a unique subnet from the network to each router, including the DHCP settings
Diagram: Cloud VPN Gateway at HQ with Network 10.102.0.0/16; three BR100 routers reached across the Internet, each with its own sub network:
› Sub Network 10.102.0.0/24 – DHCP IP Range 10.102.0.10 – 10.102.0.244, Default Gateway 10.102.0.1, DNS 10.102.0.1 (Router is DNS Proxy)
› Sub Network 10.102.1.0/24 – DHCP IP Range 10.102.1.10 – 10.102.1.244, Default Gateway 10.102.1.1, DNS 10.102.1.1 (Router is DNS Proxy)
› Sub Network 10.102.2.0/24 – DHCP IP Range 10.102.2.10 – 10.102.2.244, Default Gateway 10.102.2.1, DNS 10.102.2.1 (Router is DNS Proxy)

399. Lab: Subnet Allocation Report
1. View the IP addresses assigned to the routers
• From Monitor, in the navigation tree, click Subnetwork Allocation
• Under Network Name, select Network-1XX
• From the 10.102.0.0/16 parent network, a different subnet and DHCP pool was allocated to each branch router
Note: One subnet was assigned via classification. The others were assigned dynamically.
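The allocation the report shows, worked through in code: this is an added example and not HiveManager code. It assumes the lab's conventions from the slide (one /24 per router from the /16 parent, gateway and DNS proxy at .1, DHCP pool .10 to .244), one router pinned to its subnet by classification tag and the others allocated dynamically; the router names are constructed.

```python
"""Subnet allocation from a parent network, modelled on the lab slides.

Added example (not HiveManager code): one /24 "sub network" per branch router
is carved out of the parent network (10.102.0.0/16 in the lab) and the DHCP
pool (.10 - .244), default gateway (.1) and DNS proxy (.1) are derived from it.
One router can be pinned to a subnet by classification tag; the rest are
allocated dynamically from the remaining free /24s.  Router names are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class SubNetwork:
    router: str
    subnet: ipaddress.IPv4Network
    dhcp_start: ipaddress.IPv4Address
    dhcp_end: ipaddress.IPv4Address
    gateway: ipaddress.IPv4Address
    dns: ipaddress.IPv4Address


def derive_settings(router: str, subnet: ipaddress.IPv4Network) -> SubNetwork:
    """Apply the lab's per-subnet convention: gateway and DNS at .1, pool .10-.244."""
    if subnet.prefixlen > 24:
        raise ValueError(f"{subnet} is too small for a .10-.244 DHCP pool")
    base = subnet.network_address
    gateway = base + 1
    return SubNetwork(router, subnet, base + 10, base + 244, gateway, gateway)


def allocate(parent: str, routers: Iterable[str],
             pinned: Optional[Dict[str, str]] = None,
             new_prefix: int = 24) -> Dict[str, SubNetwork]:
    """Assign a unique sub network to every router.

    `pinned` maps router -> subnet chosen via classification tag; every other
    router receives the lowest free subnet, in router order.
    """
    parent_net = ipaddress.ip_network(parent)
    pinned_nets = {r: ipaddress.ip_network(s) for r, s in (pinned or {}).items()}
    used = set()
    for r, s in pinned_nets.items():
        if not s.subnet_of(parent_net):
            raise ValueError(f"{r}: {s} is not inside {parent_net}")
        if s in used:
            raise ValueError(f"{r}: {s} is pinned to more than one router")
        used.add(s)
    free = [s for s in parent_net.subnets(new_prefix=new_prefix) if s not in used]
    result: Dict[str, SubNetwork] = {}
    for r in routers:
        if r in pinned_nets:
            subnet = pinned_nets[r]
        elif free:
            subnet = free.pop(0)
        else:
            raise ValueError(f"parent {parent_net} exhausted before {r}")
        result[r] = derive_settings(r, subnet)
    return result


def no_overlap(allocation: Dict[str, SubNetwork]) -> bool:
    """True when no two routers were given overlapping sub networks."""
    nets = [a.subnet for a in allocation.values()]
    return all(not a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


if __name__ == "__main__":
    # Constructed lab-style names; SR-01-B is pinned via its Site tag.
    alloc = allocate("10.102.0.0/16", ["SR-01-A", "SR-01-B", "SR-01-C"],
                     pinned={"SR-01-B": "10.102.2.0/24"})
    for name, sn in alloc.items():
        print(f"{name}: {sn.subnet} DHCP {sn.dhcp_start}-{sn.dhcp_end} GW {sn.gateway}")
```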
400. CLI ROUTER COMMANDS

401. SHOW L3 INTERFACE
From Monitor > Utilities > SSH Client: show L3 interface

402. TEST WIRELESS LAN ACCESS

403. Lab: Test Wireless LAN Access
1. Connect your computer to the SSID: Class-PSK-X
• Single-click the wireless icon on the bottom right corner of the Windows task bar
• Click your SSID Class-PSK-X
• Click Connect
› Security Key: aerohive123
› Click OK

404. Lab: Test Wireless LAN Access
2. View your client information in Wireless Clients
• View your client in the Active Clients list by going to: Monitor > Clients > Wireless Clients
• Notice the VLAN and network address
405. TEST WIRED LAN SECURE ACCESS

406. Lab: Test LAN Port Access – Secure
1. View your client information in Active Clients
• View your client in the Active Clients list by going to: Monitor > Clients > Wired Clients
• Notice the VLAN, network address and client authentication method

407. Lab: Test LAN Port Access
2. Disable 802.1X for wired clients
• In Windows 7, you must enable 802.1X support
• As an administrator, from the Start menu type services
• Then click Services

408. Lab: Test LAN Port Access
3. Disable 802.1X for wired clients
• Click the Standard tab at the bottom of the Services panel
• Locate Wired AutoConfig and right-click
• Click Properties

409. Lab: Test LAN Port Access
4. Disable 802.1X for wired clients
• Startup type: Disabled
• Click Stop

410. Lab: Test LAN Port Access
5. Disable 802.1X for wired clients
• Click OK

411. Lab: Test LAN Port Access
6. Clear wired client cache
• Monitor/Clients/Operation: Deauth Client
• Check ☑ Clear Cache
• Click OK
• Click Yes

412. Lab: Test LAN Port Access
7. Clear wired client cache
• Monitor/Clients/Operation: Deauth Client
• Check ☑ Clear Cache
• Click OK
• Click Yes

413. Lab: Test LAN Port Access
8. Reset Ethernet adapter
Because the PC still has the wrong IP address it will not work; you can remedy this by
• Right-click on Local Area Connection 3
• Click Diagnose, or
• Disable and then Enable Local Area Connection 3
• Do NOT disable Local Area Connection 2

414. Lab: Test LAN Port Access
9. Verify Auth Fail – Guest Network
• Locate Local Area Connection 3
• Right-click
• Click Status
• Click Details
• Why do you see an IP from the 192.168.83.0 subnet?
› This is the guest network that is assigned if authentication is not supported or fails
415. ROUTE-BASED IPSEC VPN

416. Aerohive Layer 2 VPN (Headquarters – Internet – Remote Site)
• Layer 2 VPN client devices: AP-100 series, AP-300 series, BR-100 (AP mode)
• Layer 2 VPN server devices: AP-300 series (128 tunnels); VPN Gateway Virtual Appliance in L2 Gateway mode (1024 tunnels)
Note: Layer 2 VPNs are taught in the Aerohive Certified WLAN Professional (ACWP) class

417. Aerohive Layer 3 VPN (Headquarters – Internet – Remote Site)
• Layer 3 VPN client devices: BR-100 router, BR-200 router, AP 330/350 (router mode), Aerohive switch (router mode)
• Layer 3 VPN server: VPN Gateway (L3 Gateway mode), 1024 tunnels

418. Aerohive Route-Based IPSec VPN Components
• VPN Gateway VA: a HiveOS-based Layer 3 IPSec VPN server that is a Virtual Appliance running on VMware ESXi; 1 VA supports up to 1024 IPSec VPN tunnels
• VPN clients: HiveAP 330 configured as a router, HiveAP 350 configured as a router, BR100, BR200, Aerohive switch configured as a router
• Aerohive routers are Layer 3 IPSec VPN clients, and provide DHCP, DNS Proxy, route synchronization, and RADIUS service, along with many other features

419. Corporate VPN – HiveManager Allocates Unique Network Settings For Each Site
Diagram: VPN Gateway at HQ in front of the Corporate Network 10.1.0.0/16; Branch Network 172.28.0.0/16; three BR100 branch routers across the Internet, each with its own sub network:
› Sub Network 172.28.0.0/24 – DHCP IP Range 172.28.0.10 – 172.28.0.244, Default Gateway 172.28.0.1, DNS 172.28.0.1 (Router is DNS Proxy)
› Sub Network 172.28.1.0/24 – DHCP IP Range 172.28.1.10 – 172.28.1.244, Default Gateway 172.28.1.1, DNS 172.28.1.1 (Router is DNS Proxy)
› Sub Network 172.28.2.0/24 – DHCP IP Range 172.28.2.10 – 172.28.2.244, Default Gateway 172.28.2.1, DNS 172.28.2.1 (Router is DNS Proxy)

420. Corporate VPN – HiveManager Allocates Unique Network Settings For Each Site
• Each router builds a VPN to one or two VPN Gateways
• Routes are synchronized between the routers and VPN Gateways over the VPN using a TCP-based route exchange mechanism
Diagram: VPN Gateway at HQ (Corporate Network 10.1.0.0/16) with VPNs across the Internet to BR100 routers for Sub Networks 172.28.0.0/24, 172.28.1.0/24 and 172.28.2.0/24

421. Route-based VPN
• Routers (VPN clients) ask the VPN Gateway for updated route information and provide their own route changes over the VPN tunnel every minute by default, using a TCP request
Diagram routes:
VPN Gateway at HQ (Corporate Network 10.1.0.0/16):
› Route: 10.1.0.0/16 to Corp Router
› Route: 172.28.0.0/24 to VPN tunnel A
› Route: 172.28.1.0/24 to VPN tunnel B
› Route: 172.28.2.0/24 to VPN tunnel C
› Route: 0.0.0.0/0 to Internet Gateway
BR100, local network 172.28.0.0/24 (Tunnel A):
› Route: 10.1.0.0/16 through VPN tunnel
› Route: 172.28.1.0/24 through VPN tunnel
› Route: 172.28.2.0/24 through VPN tunnel
› Route: 0.0.0.0/0 to Internet Gateway
BR100, local network 172.28.1.0/24 (Tunnel B):
› Route: 10.1.0.0/16 through VPN tunnel
› Route: 172.28.0.0/24 through VPN tunnel
› Route: 172.28.2.0/24 through VPN tunnel
› Route: 0.0.0.0/0 to Internet Gateway
BR100, local network 172.28.2.0/24 (Tunnel C):
› Route: 10.1.0.0/16 through VPN tunnel
› Route: 172.28.0.0/24 through VPN tunnel
› Route: 172.28.1.0/24 through VPN tunnel
› Route: 0.0.0.0/0 to Internet Gateway
422. VPN GATEWAY VIRTUAL APPLIANCE

423. VPN Gateway Virtual Appliance General Information
• What is a VPN Gateway Virtual Appliance?
› It is a virtualized version of HiveOS that runs on VMware ESXi and supports IPSec VPN service and routing protocols
• How do you upgrade a VPN Gateway VA?
› VAs can be upgraded using a standard HiveOS software upgrade from HiveManager, TFTP, or SCP
• How many interfaces does a VPN Gateway VA have?
› Two
» WAN – used to terminate the VPN from the router VPN clients; it can also be used as a one-armed VPN, where it connects to both the branch networks through the VPN and the internal corporate networks
» LAN – an optional interface that can be used to connect to an internal network and be the gateway IP address for corporate traffic to access branch networks through the VPN

424. VPN Gateway Virtual Appliance on VMware (ESXi)
• The VA uses HiveOS, and looks just like an AP when you log in to it

425. VPN Gateway Deployment Scenarios – Two Interfaces
• VPN Gateway with two interfaces configured
› The LAN interface is connected to the inside network
» Traffic from the inside network destined for an IP address in a branch office is sent to the LAN interface on the VPN Gateway to be encrypted and sent through a VPN to a branch office
» Routing protocols, OSPF or RIPv2, can be run on the LAN interface so that the VPN Gateway can exchange routes with the inside network router
› The WAN interface is connected to the DMZ or outside network and is used to terminate the VPNs
Diagram: Headquarters with Inside router, LAN (Eth1) interface on the VPN Gateway, Firewall, WAN (Eth0) interface in the DMZ, IPSec VPN across the Internet to the Branch Office

426. VPN Gateway Deployment Scenarios – One Interface
• VPN Gateway with one interface configured (One Arm)
› The WAN interface is connected to a firewall interface in the DMZ
» Traffic from the inside network destined for an IP address in a branch office is sent to the firewall, which forwards the traffic to the VPN Gateway as the next hop to the branch office routers
» The VPN Gateway encrypts the traffic and sends the traffic back to the firewall destined for a branch office router
» You can statically enter routes, or run a dynamic routing protocol, OSPF or RIPv2, on the WAN interface to exchange routes with the firewall
Diagram: Headquarters with Inside router (clear traffic), Firewall, WAN (Eth0) interface of the VPN Gateway in the DMZ, IPSec VPN across the Internet to the Branch Office

427. IPSec VPN Lab Uses a Single VPN Gateway Interface
• In the training lab, the VPN Gateways learn routes via OSPF from the firewall, which are: 10.5.2.0/24, 10.5.8.0/24, & 10.5.10.0/24
• The firewall learns the routes from the VPN Gateways to all the branch office routers via OSPF
• The branch office routers exchange their routes with their VPN Gateways
Lab topology:
› Headquarters firewall – Inside Bridge Group Interface: 10.5.1.1 (Port1, Port2 to the inside switch); Outside Interface eth0/0 – 1.2.2.1/24; NAT – 1.2.2.X to 10.200.2.X
› HiveManager 10.5.1.20 (Internal), Public 2.1.1.10
› VPN Gateway in the DMZ – WAN Interface Eth0 – 10.200.2.X/24, Gateway: 10.200.2.1, X=2,3,..,14,15
› Branch Office router with sub network 10.102.1.0/24, IPSec VPN across the Internet router to the VPN Gateway
428. THE NEXT STEPS ARE FOR EXAMPLE ONLY, DO NOT DOWNLOAD THE VPN GATEWAY VA IMAGES IN CLASS, OTHERWISE IT WILL TAKE TOO LONG

429. Example Only: Download HiveOS-VA Image From HiveManager
• Please do not download in class!
› To download the VPN Gateway Virtual Appliance image from HiveManager, go to Configuration > All Devices
› Click Update > Advanced > Download HiveOS Virtual Appliance

430. Example Only: Download HiveOS-VA Image From HiveManager
› Save the VPN Gateway VA image to a directory of your choice on your hard drive
› Note: the default name is AH_HiveOS.ova, but you can rename the file if you like

431. THE NEXT STEPS ARE FOR EXAMPLE ONLY, DO NOT DEPLOY A VPN GATEWAY IN CLASS, YOUR VPN GATEWAY VA IMAGES HAVE ALREADY BEEN DEPLOYED
If time permits the instructor will demonstrate the process

432. VPN Gateway Virtual Appliance Recommended Hardware Configurations

433. Example Only: Deploy a VPN Gateway in VMware ESXi
• From the VMware vSphere client, log into your ESX/ESXi server
• Go to File > Deploy OVF Template
• Locate the AH_HiveOS.ova file and click Open

434. Example Only: Deploy a VPN Gateway in VMware ESXi
• With the AH_HiveOS.ova file selected, click Next

435. Example Only: Deploy a VPN Gateway in VMware ESXi
• View the product information and ensure you have enough disk space for a thick provisioned install
› Note: Thick provisioning reserves all the disk space needed during the install
• Click Next

436. Example Only: Deploy a VPN Gateway in VMware ESXi
• Provide a name for the VPN Gateway, for example: HiveOS-VAXX (XX=02,03,..,14,15)
› Note: It is a good idea to keep this name relatively short so it fits better in the vSphere client display
• Click Next

437. Example Only: Deploy a VPN Gateway-VA in VMware ESXi
• Select Thick Provisioned Lazy Zeroed
› Note: You can choose Eager Zeroed, but it will take more time because it fills the complete disk space with 0's; lazy fills only as space is needed
• Click Next

438. Example Only: Deploy a VPN Gateway in VMware ESXi
In this example, the VPN Gateways will only be using the WAN interface, so you can use the same destination network (virtual switch port group) for both
• Select VM Network for the WAN and LAN interfaces
• Click Next

439. Example Only: Deploy a VPN Gateway in VMware ESXi
• Optionally, check the box to Power on after deployment
• Click Finish

440. Example Only: Deploy a VPN Gateway in VMware ESXi
In a moment, the new VPN Gateway will be up and running
• Click Close when the deployment has completed successfully
441. EXAMPLE: INITIAL CONFIGURATION OF A VPN GATEWAY VIRTUAL APPLIANCE

442. Example Only: Initial configuration of a VPN Gateway Virtual Appliance
• In the vSphere console for the new VPN Gateway Virtual Appliance
› Type 1 to change the Network Settings and press Enter

443. Example Only: Initial configuration of a VPN Gateway Virtual Appliance
• Type 2 to Manually configure interface settings and press Enter

444. Example Only: Initial configuration of a VPN Gateway Virtual Appliance
• The startup CLI wizard is used to set up the IP address for the WAN interface on the VA
• The VPN Gateway VA will need access to the Internet to reach the license server and obtain a valid and unique serial number
• IP for eth0: 10.200.2.X
• Netmask Length: [24]
• Gateway: 10.200.2.1
• DNS: 8.8.8.8
• Apply Changes: Yes

445. Example Only: Initial configuration of a VPN Gateway Virtual Appliance
• The VPN Gateway will check its connection to its default gateway and to the Aerohive License server
• For the question "Do you want to reset the networking?", press Enter, or type no and press Enter

446. Example Only: Initial configuration of a VPN Gateway Virtual Appliance
• When a VPN Gateway VA is purchased, Aerohive generates an activation code and associates it with a unique serial number
• You will be emailed your activation code
• When the activation code is entered, the VPN Gateway VA will contact the Aerohive license server and obtain the serial number associated with the activation key. Optionally you can use an HTTP proxy

447. Example Only: Initial configuration of a VPN Gateway Virtual Appliance
• If the activation code is valid, the VPN Gateway VA will obtain a valid and unique serial number
• You must then reboot the VPN Gateway by pressing Enter, or by typing yes and then Enter

448. Example Only: Initial configuration of a VPN Gateway Virtual Appliance
• After the VPN Gateway VA has been rebooted, you can log in with:
› Login: admin
› Password: aerohive
• Enter a hostname if you like:
› hostname HiveOS-VA-X
• If the Serial Number for the VPN Gateway is not entered into myhive, then you can configure the location of its HiveManager:
› capwap client server name 10.5.1.20
• Save the configuration:
› save config

449. Example Only: Initial configuration of a VPN Gateway Virtual Appliance
• Just like on an Aerohive AP or router, you can verify CAPWAP status by typing
› show capwap client
• After a minute, you should see the run state show that the VPN Gateway is connected securely to the CAPWAP server
• The CAPWAP server IP should be your HiveManager IP: 10.5.1.20

450. Example Only: Initial configuration of a VPN Gateway Virtual Appliance
Your new VPN gateway will be displayed in Monitor > VPN Gateways
451. LAB: CREATE A ROUTE-BASED LAYER 3 IPSEC VPN

452. Lab: Create a Route-Based IPSec VPN
1. Create a Layer 3 IPSec VPN
To create a route-based IPSec VPN
• Go to Configuration
• Select your Network policy: Access-X and click OK
• Next to Layer 3 IPSec VPN click Choose
• In Choose VPN Profile click New

453. Lab: Create a Route-Based IPSec VPN
2. Assign your VPN Gateway to the VPN policy
• Enter a profile name: VPN-X and choose ☑ Layer 3 IPSec VPN
• For VPN Gateway, select: Hive-OS-VA-XX from the drop-down
• External IP address of the VA: 1.2.2.X
• X = your student number
› Note: The external IP is the public address the routers will contact to access the Virtual Appliance
• Click Apply

454. Lab: Create a Route-Based IPSec VPN
3. Certificate settings
Optionally you can add an additional VA for disaster recovery
• Expand IPSec VPN Certificate Authority Settings
• VPN Certificate Authority: Default_CA.pem
• VPN Server Certificate: VPN-cert_key_cert.pem
• VPN Server Cert Private Key: VPN-cert_key_cert.pem
Note: Server certificates for the VPN were created in the HiveManager Certificate Authority

455. Lab: Create a Route-Based IPSec VPN
4. Verify VPN Settings Then Go To Configure & Update
• Verify the Layer 3 IPSec VPN settings
Note: The WAN IP and Protocol will be updated after the configuration update is performed
• Click Configure & Update Devices

456. Example: Dynamic Routing on the VA With OSPF or RIPv2
• In a one-armed configuration, OSPF or RIPv2 can be enabled on the WAN interface to dynamically learn routes from the network (e.g. the firewall), and to advertise the routes it learns from the branch sites to the network (e.g. the firewall)
Diagram:
› VA in the DMZ – WAN Interface Eth0 – 10.200.2.X/24, Gateway: 10.200.2.1, OSPF area 0.0.0.0 (same as 0)
› Firewall Inside Interfaces: bgroup0: 10.5.1.1/24 VLAN 1 OSPF area 0; bgroup0.2: 10.5.2.1/24 VLAN 2 OSPF area 0; bgroup0.8: 10.5.8.1/24 VLAN 8 OSPF area 0; bgroup0.10: 10.5.10.1/24 VLAN 10 OSPF area 0
› Branch Office BR100 across the Internet with Sub Network 10.102.1.0/24

457. Example: Routes Learned via OSPF and Between the VA and Branch Routers
Diagram:
› VA in the DMZ – WAN Interface Eth0 – 10.200.2.2/24, Gateway: 10.200.2.1, OSPF area 0.0.0.0 (same as 0)
» Routes – Branch 1 through VPN: 10.102.1.0/24
» Routes – Network: 10.5.1.0/24 to 10.200.2.1; 10.5.2.0/24 to 10.200.2.1; 10.5.8.0/24 to 10.200.2.1; 10.5.10.0/24 to 10.200.2.1; 0.0.0.0/0 to 10.200.2.1
› Firewall Inside Interfaces: bgroup0: 10.5.1.1/24 VLAN 1 OSPF area 0; bgroup0.2: 10.5.2.1/24 VLAN 2 OSPF area 0; bgroup0.8: 10.5.8.1/24 VLAN 8 OSPF area 0; bgroup0.10: 10.5.10.1/24 VLAN 10 OSPF area 0
» Routes to Branch 1: 10.102.1.0/24 to 10.200.2.2
› Branch Office 1 BR100 with Sub Network 10.102.1.0/24, IPSec VPN to Branch Office 1
» Routes to Headquarters through VPN: 10.5.1.0/24 to VPN; 10.5.2.0/24 to VPN; 10.5.8.0/24 to VPN; 10.5.10.0/24 to VPN
» Local Routes: 0.0.0.0/0 to Internet
Note: Aerohive uses a TCP-based mechanism through the VPN tunnel to check for route updates between branch sites and the VPN Gateways every minute by default.

458. Lab: Create a Route-Based IPSec VPN
5. Modify the settings for your VPN Gateway
• Choose the Current Policy filter
• Under L3 VPN Gateway, click the link to modify your VPN Gateway: HiveOS-VA-XX

459. Lab: Create a Route-Based IPSec VPN
6. Modify the IP settings on the VPN Gateway
• By default the management network is set to the Quick Start Management Network: QS-MGT-172.18.0.0
• Set the IP address of the Eth0 (WAN) Interface: 10.200.2.X/24 (X=2,3,..,14,15)
• Set the Default Gateway: 10.200.2.1
Do not save yet.

460. Lab: Create a Route-Based IPSec VPN
7. Enable OSPF on the VPN Gateway
• Check the box to Enable dynamic routing and select OSPF
• Set the Eth0 (WAN) interface to run OSPF so that it can advertise and learn routes from the network: check Eth0 (WAN)
• Uncheck Eth1 (LAN) because the eth1 interface is not in use
• Use the default Area: 0.0.0.0 (which is compatible with area 0)
• Click Save

461. Note: Internal Networks – Required if a Dynamic Routing Protocol is Not Enabled
• If the VPN Gateway is configured with static routes, or just has a single default gateway to a router, you can specify which networks to advertise to the branch office networks by specifying Internal Networks
• Any Internal Network defined here will be advertised to the branch office networks through the VPN tunnels, so the branch office routers know which networks to route through the VPN to headquarters

462. Lab: Create a Route-Based IPSec VPN
8. Upload the Configuration of Your Devices
• Select the Filter: Current Policy
• Select all your devices ☑
• Click Update

463. Lab: Create a Route-Based IPSec VPN
9. Upload the Configuration of Your Devices
• Select Update Devices
• Select ☑ Perform a complete configuration update for all selected devices
• Click Update
For this class, ALL updates should be complete configuration updates

464. Lab: Create a Route-Based IPSec VPN
10. Upload the Configuration of Your Devices
• When the Reboot Warning box appears, click OK

465. Lab: Create a Route-Based IPSec VPN
11. Wait for the update to complete and verify VPN
When the VPN Server and Client icons are green, you know the VPN is up.
466. VPN TROUBLESHOOTING

467. LAB: VPN Troubleshooting
1. Aerohive device VPN Diagnostics
• Go to Monitor > Devices > All Devices
• Select one of the VPN devices: SR-0X-######
• Click Utilities > Diagnostics > Show IKE Event
• Verify that both Phase 1 and Phase 2 are successful

468. LAB: VPN Diagnostics
2. Aerohive device VPN Diagnostics – Phase 1
• Select one of the VPN devices: SR-0X-######
• Click Tools > Diagnostics > Show IKE Event
Possible problems if Phase 1 fails:
• Certificate problems
• Incorrect networking settings
• Incorrect NAT settings on the external firewall
Possible problems if Phase 2 fails:
• Mismatched transform sets between the client and server (encryption algorithm, hash algorithm, etc.)

469. LAB: VPN Diagnostics
3. Aerohive device VPN Diagnostics – Phase 1
• Click Tools > Diagnostics > Show IKE Event
• If you see that Phase 1 failed due to a certificate problem
› Check the time on the Aerohive devices
» show clock
» show time
› Ensure you have the correct certificates loaded on the Aerohive APs in the VPN services policy

470. LAB: VPN Diagnostics
4. Aerohive device VPN Diagnostics – Phase 1
• Click Tools > Diagnostics > Show IKE Event
• If you see that Phase 1 failed due to wrong network settings
› Check the IP settings in the VPN services policy
› Check the NAT settings on the external firewall

471. LAB: VPN Diagnostics
5. Aerohive device VPN Diagnostics – Phase 1
• Click Utilities > Diagnostics > Show IKE SA
• Phase 1 has completed successfully if you reach step #9
• If step #9 is not established, then one of these problems exists:
› Certificate problems
› Incorrect networking settings
› Incorrect NAT settings on the external firewall

472. LAB: VPN Diagnostics
6. Aerohive device VPN Diagnostics – Phase 2
• Click Utilities > Diagnostics > Show IPSec SA
Note: It is clear that a VPN is functional if you see the tunnel from the MGT0 IP of the VPN client to the (NAT) address of the MGT0 of the VPN server, and the reverse. Both use different SAs (Security Associations)
› State: Mature
• If Phase 2 fails: check the encryption & hash settings on the VPN client and the VPN server

473. Lab: VPN Diagnostics
7. View the VPN Topology to Verify VPN Status
• In the Layer 3 IPSec VPN section, click VPN Topology
• If the devices show up green with a line between them, the VPN is operational
• Click Refresh if the devices are not green after a moment
Please be patient; it will take a minute or two for the VPNs to establish
474. VERIFY VPN STATUS AND DYNAMIC ROUTING

475. Lab: Verify VPN and Dynamic Routing
2. View the VPN Topology to Verify VPN Status
To verify the routes learned via OSPF
• Go to Monitor > VPN Gateways
• Check the box next to your HiveOS-VA-XX
• Select Utilities > SSH Client

476. Lab: Verify VPN and Dynamic Routing
3. Use CLI Commands to Verify OSPF Routes
• show OSPF route (wait about 10 seconds – press Enter twice)
› You should see four OSPF routes in this lab
• show OSPF neighbor (press Enter twice)
› You should see at a minimum the firewall at 209.128.124.196 as a neighbor with a Full/DR state

477. Lab: Verify VPN and Dynamic Routing
4. View the routes on a branch router
To verify the routes learned through the VPN on a branch router
• Go to Monitor > Routers
• Check the box next to your router: SR-XX-######
• Select Utilities > Diagnostics > Show IP Routes

478. Lab: Verify VPN and Dynamic Routing
5. View the routes on a branch router
• You should see at a minimum routes to: 10.5.1.0/24, 10.5.2.0/24, 10.5.8.0/24, and 10.5.10.0/24, all through the VPN tunnel0 interface
• High metrics are used for routes learned from OSPF and advertised through the VPN, so that if the network exists locally, the local route will be preferred
Note: Higher metrics have more cost and are not preferred
• You will also learn the routes for networks at the other branch sites through the VPN tunnel
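The metric rule on the slide above, as an added example (not HiveOS code): VPN-learned routes are installed with a high metric so that a network which also exists locally on the branch router wins, while everything else is matched by longest prefix and falls through to the default route. The metric values and interface names are assumptions for illustration.

```python
"""Branch-router route selection with VPN-learned routes at a high metric.

Added example, not HiveOS code.  Routes learned from OSPF at headquarters and
advertised through the VPN are installed on the branch router with a high
metric; a directly connected network with the same prefix therefore wins the
tie, and anything not matched goes to the default route via the WAN.  The
metric values and interface names are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

VPN_METRIC = 100    # assumed high metric for routes learned through the tunnel
LOCAL_METRIC = 0    # directly connected networks and the WAN default route


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    metric: int
    source: str     # "local", "vpn" or "default"


def build_branch_table(local_nets: Dict[str, str], vpn_nets: List[str],
                       wan_if: str = "eth0", tunnel_if: str = "tunnel0") -> List[Route]:
    """Routing table a branch router holds after route synchronization.

    local_nets maps a connected prefix to its LAN interface; vpn_nets are the
    prefixes advertised by the VPN Gateway (headquarters and other branches).
    """
    table = [Route(ipaddress.ip_network(p), ifname, LOCAL_METRIC, "local")
             for p, ifname in local_nets.items()]
    table += [Route(ipaddress.ip_network(p), tunnel_if, VPN_METRIC, "vpn")
              for p in vpn_nets]
    table.append(Route(ipaddress.ip_network("0.0.0.0/0"), wan_if, LOCAL_METRIC, "default"))
    return table


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match; among equal prefix lengths the lowest metric wins."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.metric))


def next_hop_interface(table: List[Route], dst: str) -> Optional[str]:
    route = lookup(table, dst)
    return route.interface if route else None


if __name__ == "__main__":
    # Lab prefixes from the slides; 10.5.2.0/24 is also defined locally here to
    # show the high VPN metric letting the connected network win.
    table = build_branch_table(
        {"10.102.1.0/24": "eth1", "10.5.2.0/24": "eth2"},
        ["10.5.1.0/24", "10.5.2.0/24", "10.5.8.0/24", "10.5.10.0/24", "10.102.2.0/24"],
    )
    for dst in ("10.5.1.20", "10.5.2.7", "10.102.2.50", "8.8.8.8"):
        r = lookup(table, dst)
        print(f"{dst:12} -> {r.interface:8} ({r.source}, {r.prefix}, metric {r.metric})")
```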
479. For Information: This is the OSPF configuration on the training Juniper SSG
ssg5-3-lab-> set vr trust
ssg5-3-lab(trust-vr)-> set protocol OSPF
ssg5-3-lab(trust-vr/OSPF)-> set enable
ssg5-3-lab(trust-vr/OSPF)-> exit
ssg5-3-lab(trust-vr)-> exit
ssg5-3-lab-> set int bgroup0 protocol OSPF area 0
ssg5-3-lab-> set int bgroup0 protocol OSPF enable
ssg5-3-lab-> set int bgroup0.2 protocol OSPF area 0
ssg5-3-lab-> set int bgroup0.2 protocol OSPF enable
ssg5-3-lab-> set int bgroup0.8 protocol OSPF area 0
ssg5-3-lab-> set int bgroup0.8 protocol OSPF enable
ssg5-3-lab-> set int bgroup0.10 protocol OSPF area 0
ssg5-3-lab-> set int bgroup0.10 protocol OSPF enable
480. TEST WLAN ACCESS THROUGH THE VPN
The steps for LAN access are similar

481. Lab: Test Wireless LAN Access
1. Connect your computer to the SSID: Class-PSK-X
• Single-click the wireless icon on the bottom right corner of the Windows task bar
• Click your SSID Class-PSK-X
• Click Connect
› Security Key: aerohive123
› Click OK

482. Lab: Test WLAN VPN Access
2. Ping a server through the VPN
From your PC, ping 10.5.1.20, which is a server in the Santa Clara, California data center
Diagram: Branch Office 1 BR100, IPSec VPN across the Internet to the VPN Gateway in the Headquarters DMZ

483. Lab: Test WLAN VPN Access
3. View your client information in Wireless Clients
• From your virtual PC connect to HiveManager through the VPN: https://10.5.1.20
• View your client in the Active Clients list by going to: Monitor > Clients > Wireless Clients
484. POLICY-BASED ROUTING (PBR)
Not this PBR*
*A low-cost American beer that has been around a long time but was not popular. However, over the last few years it has become more popular in bars and grocery stores.

485. Aerohive Policy-Based Routing
• Policy-based routing is used mainly in conjunction with the Layer 3 IPSec VPN tunneling capabilities
› Though it does not require a VPN
Diagram: branch router serving Employees and Guests, with Internet, 3G/4G/LTE and VPN-to-HQ paths

486. Aerohive Policy-Based Routing
• Policy-based routing lets you decide how traffic is forwarded out of a router
› Decisions are made based on IP reachability of tracked IP addresses and on user profiles
› Forwarding can be out any WAN port, USB wireless, Wi-Fi connection, or VPN
Diagram: branch router serving Employees and Guests, with Internet, 3G/4G/LTE and VPN-to-HQ paths

487. Route-based VPN: Private vs. Internet Traffic
• The three types of routes in a branch office are
› Private routes – learned over the VPN from the VPN Gateway, such as 10.1.0.0/16 in this example
› Branch routes – to other routers in the branch office, which can be advertised to HQ over the VPN tunnel
› Internet routes – essentially the default route 0.0.0.0/0, used to send traffic to the Internet locally from the branch office
Diagram:
› Cloud VPN Gateway at HQ, Corporate Network 10.1.0.0/16 (Internal): Route: 10.1.0.0/16 to Corp Router; Route: 172.28.2.0/24 to VPN Tunnel A; Route: 0.0.0.0/0 to Internet Gateway
› Branch Office BR100, local network 172.28.2.0/24 (Tunnel A): Route: 10.1.0.0/16 through VPN tunnel; Route: 0.0.0.0/0 to Internet Gateway

488. POLICY-BASED ROUTING

489. Policy-Based Routing: Custom Rules – Overview of Fields
• Forwarding actions determine where to send the packet
• Source and Destination are used to match a packet

490. Policy-Based Routing: Forwarding and Backup Forwarding Actions
• The backup forwarding action occurs when the interface used for the forwarding action goes down, or
• when specific IP addresses are not reachable via the interface used for forwarding, using Track IP
  • 491. © 2013 Aerohive Networks CONFIDENTIAL LAB: CREATE A WAN IP TRACKING POLICY 491
  • 492. © 2013 Aerohive Networks CONFIDENTIAL Track IP for Router WAN Connectivity 492 • Uses Ping to track IP addresses you specify on the Internet › For example, you can track ntp1.aerohive.com 206.80.44.205 • If no response is received, you can make routing decisions such as failing over to wireless USB (3G/4G LTE) 3G/4G LTE Employees Guests Internet VPN HQ ntp1.aerohive.com 206.80.44.205 Track IP
493. Lab: WAN IP Tracking – 1. Create an IP tracking policy
To configure policy-based routing, go to Configuration:
• Select your Network policy: Access-X and click OK
• Next to Additional Settings, click Edit
494. Lab: WAN IP Tracking – 2. Create an IP tracking policy
• Expand Service Settings
• Under Track IP Groups for WAN Interface, there are two backup track IP groups and one primary
• Next to Primary, click +
495. Lab: WAN IP Tracking – 3. Create an IP tracking policy
• Track IP Group Name: Track-X
• Under Tracking group type, select For WAN interface
• Ensure Enable IP tracking is checked
• For the IP addresses, enter: 8.8.8.8,4.2.2.2
• Take action when: all targets become unresponsive
• Click Save
496. Lab: WAN IP Tracking – 4. Create an IP tracking policy
• In Track IP Groups for WAN Interface, select the Primary Track IP Group: Track-X
• Click Save
• Next you will configure the routing policy
Note: You can specify Track IP Groups for Backup1 and Backup2 as well. The policy-based routing policy determines whether Backup1 fails over to Backup2, or Backup2 fails over to a Wi-Fi client connection, for example.
497. LAB: CONFIGURE POLICY-BASED ROUTES
498. Lab: Policy-Based Routing – 1. Create a Routing Policy
• Expand Router Settings
• Next to Routing Policy, click +
499. Note: Policy-Based Routing – Types of Rules
• Here you can specify the type of routing policy rules:
  › Split Tunnel: tunnel non-guest traffic to internal (HQ) routes, drop guest traffic to internal (HQ) routes, and route all other traffic to the local Internet gateway
  › Tunnel All: tunnel all non-guest traffic regardless of its destination, and drop all guest traffic
  › Custom: define a custom routing policy
500. Lab: Policy-Based Routing – 2. Create a Routing Policy
• Name: PBR-X
• Under Routing Policies, select Custom
• Click + to add a new policy
501. Lab: Policy-Based Routing – 3. Create a Routing Policy
• Source – Type: User Profile, Value: Employee-X
• Destination – Type: Private (routes learned via VPN)
• Forwarding Action: Corporate Network (VPN)
• Backup Forwarding Action: Drop
• Click the save icon to the right of the policy
502. Lab: Policy-Based Routing – 4. Create a Routing Policy
• Click + to create a new policy
• Source – Type: User Profile, Value: Employee-X
• Destination – Type: Any (all other routes)
• Forwarding Action: Primary WAN
• Backup Forwarding Action: Backup WAN-1 (e.g. DSL)
• Click the save icon to the right of the policy
503. Lab: Policy-Based Routing – 5. Create a Routing Policy
• Click + to create a new policy
• Source – Type: User Profile, Value: Voice-X
• Destination – Type: Private (routes learned via VPN)
• Forwarding Action: Corporate Network (VPN)
• Backup Forwarding Action: USB (USB Wireless – LTE)
• Click the save icon to the right of the policy
504. Lab: Policy-Based Routing – 6. Create a Routing Policy
• Click + to create a new policy
• Source – Type: User Profile, Value: Guest-X
• Destination – Type: Private (routes via VPN)
• Forwarding Action: Drop
• Click the save icon to the right of the policy
505. Lab: Policy-Based Routing – 7. Create a Routing Policy
• Click the + at the top (Note: this is done to show an important point)
• Source – Type: User Profile, Value: Guest-X
• Destination – Type: Any
• Forwarding Action: Primary WAN
• Backup Forwarding Action: Drop
• Click the save icon to the right of the policy
506. Lab: Policy-Based Routing – 8. Create a Routing Policy
• Question: What is wrong with this policy?
• Answer: All guest traffic will match the first policy, and no other policy will be used. Guest traffic may be able to access the local branch network if not blocked by firewall policy.
507. Lab: Policy-Based Routing – 9. Create a Routing Policy
• Click the User Profile (Guest-X), Any, Primary WAN policy and drag it to the bottom
• Click Save
• Additional Settings – Save
• Save your Network Policy
508. Policy-Based Routing Analysis
• Processed top down:
  1. User Profile (Employee), when going to a private route learned through the VPN: send to the VPN
  2. User Profile (Employee), when not sending to the VPN: send out through the primary WAN, and if that fails, out the backup WAN
509. Policy-Based Routing Analysis
  3. User Profile (Voice), if destined to a route learned through the VPN: forward through the VPN
  4. User Profile (Guest), if destined to a route learned through the VPN: drop
  5. User Profile (Guest), when not sending to the VPN: send out through the primary WAN, and if that fails, drop
510. Policy-Based Routing: Policy Used for No Matching Routes
• Question: What happens to traffic that does not match a policy-based routing rule?
• Answer: The router uses its main destination routing table (i.e. standard routing).
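As an added example (not Aerohive code), the following Python model ties together the custom-rule lab, the Track IP failover behaviour and the no-match case above: it evaluates the lab's five rules top down, falls back to the backup action when the forwarding interface is down or all of its tracked targets stop answering, and flags the shadowed rule that slide 506 asks about. Rule and interface names are the lab's; the data structures and function names are this example's own assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class Rule:
    source: str            # user profile name, or "Any"
    destination: str       # "Private" = route learned over the VPN, or "Any"
    action: str            # "VPN", "Primary WAN", "Backup WAN-1", "USB" or "Drop"
    backup: str = "Drop"   # used when the action's interface is down or its Track IP group fails


@dataclass
class LinkState:
    """What the router knows about each forwarding target."""
    link_up: Dict[str, bool]                                            # interface -> link/tunnel is up
    track_replies: Dict[str, List[bool]] = field(default_factory=dict)  # interface -> ping result per target

    def usable(self, iface: str) -> bool:
        if not self.link_up.get(iface, False):
            return False
        replies = self.track_replies.get(iface)
        # Track IP "take action when all targets become unresponsive":
        # the interface stays usable while at least one target still answers.
        return True if replies is None else any(replies)


def decide(rules: List[Rule], profile: str, dest_private: bool, state: LinkState) -> str:
    """First matching rule wins; unmatched traffic goes to the main routing table."""
    for rule in rules:
        if rule.source not in ("Any", profile):
            continue
        if rule.destination == "Private" and not dest_private:
            continue
        if rule.action == "Drop" or state.usable(rule.action):
            return rule.action
        return rule.backup          # the slides define no behaviour beyond the backup action
    return "Main routing table"


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indexes of rules no packet can ever reach, because an earlier rule
    already matches every (source, destination) combination they match."""
    shadowed = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            src_covered = earlier.source in ("Any", rule.source)
            dst_covered = earlier.destination in ("Any", rule.destination)
            if src_covered and dst_covered:
                shadowed.append(i)
                break
    return shadowed


# The lab's custom policy in its final order (slides 501-504, then the drag-to-bottom on slide 507).
LAB_RULES = [
    Rule("Employee-X", "Private", "VPN", "Drop"),
    Rule("Employee-X", "Any", "Primary WAN", "Backup WAN-1"),
    Rule("Voice-X", "Private", "VPN", "USB"),
    Rule("Guest-X", "Private", "Drop"),
    Rule("Guest-X", "Any", "Primary WAN", "Drop"),
]
# The slide 505 mistake: the Guest-X / Any rule added with the top "+" button.
MISORDERED_RULES = [LAB_RULES[4]] + LAB_RULES[:4]

# Constructed link states; the two Track IP targets are the lab's 8.8.8.8 and 4.2.2.2.
HEALTHY = LinkState(
    link_up={"VPN": True, "Primary WAN": True, "Backup WAN-1": True, "USB": True},
    track_replies={"Primary WAN": [True, True]},
)
WAN_TARGETS_DEAD = LinkState(
    link_up={"VPN": True, "Primary WAN": True, "Backup WAN-1": True, "USB": True},
    track_replies={"Primary WAN": [False, False]},   # link up, but nothing beyond it answers
)

if __name__ == "__main__":
    print(decide(LAB_RULES, "Guest-X", True, HEALTHY))               # Drop
    print(decide(MISORDERED_RULES, "Guest-X", True, HEALTHY))        # Primary WAN: the drop rule is shadowed
    print(shadowed_rules(MISORDERED_RULES))                          # [4]
    print(decide(LAB_RULES, "Employee-X", False, WAN_TARGETS_DEAD))  # Backup WAN-1
    print(decide(LAB_RULES, "Voice-X", False, HEALTHY))              # Main routing table
```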
511. Policy-Based Routing: Caution in 6.0r2a if not using VPN
• If you are not using VPN, do not create a policy-based routing rule using Source: Any, Destination: Any
• If you do, traffic may get sent back out the primary WAN instead of being sent to a local route
• This will be resolved in an upcoming release
512. POLICY-BASED ROUTING SIMPLE TEST
513. Instructor Classroom Demo
If time permits, and if the instructor has a 3G/4G USB dongle available:
• Start a continuous ping from a classroom laptop that is communicating through an Aerohive BR-200
• Remove the Ethernet cable from the primary WAN port
• Wait up to 60 seconds for the connection to fail over to the cellular network
• Reconnect the Ethernet cable to the primary WAN port
• Wait up to 60 seconds for the connection to fall back to the primary WAN network
514. POLICY-BASED ROUTING DEFAULT SPLIT TUNNEL
Use if you do not want to create a custom policy and you have VPN configured
515. Policy-Based Routing – Split Tunnel Policy
• Source – User Profile
  › Any Guest – applies to users or devices connected to a user profile assigned to a network with the network type set to Guest Use
  › Any – all other non-guest user profiles
516. Policy-Based Routing – Split Tunnel Policy Analysis
• Processed top down:
  1. Traffic from any guest user profile, going to a route learned through the VPN or a local interface on the router: drop
  2. Any non-guest traffic destined to a route learned through the VPN: forward through the VPN
  3. All other traffic: forward out the Primary WAN interface, and if that fails, send out the backup WAN interface
517. BRANCH ROUTER 3G/4G MODEM SETTINGS
518. Branch Router USB Modem Settings
• A wide range of USB modems are supported
• The USB modem can be used when triggered by an IP-tracking policy, or it can always stay connected
519. Generic USB Modem Support
• Generic USB modem support for BR200, BR100 and the 300 series APs functioning as routers
• Configurable through the NetConfig UI
520. COOKIE-CUTTER VPN
521. Cookie Cutter Branch Deployments
• Each site, even with the same IP network, can build a VPN to the corporate network
[Diagram: HQ Corporate Network 10.0.0.0/8; Branch 1: 10.1.1.0/24; Branch 2: 10.1.1.0/24; Branch 3: 10.1.1.0/24]
522. Cookie Cutter Branch Deployments
• Each site in a branch can be assigned the same IP network
• How can HQ access the remote sites?
[Diagram: HQ Corporate Network 10.0.0.0/8; Branch 1: 10.1.1.0/24; Branch 2: 10.1.1.0/24; Branch 3: 10.1.1.0/24]
523. Cookie Cutter Branch Deployments
• Each network can have a unique subnet allocated for each site to perform one-to-one NAT for every host in each branch office through the VPN
[Diagram: HQ Corporate Network 10.0.0.0/8; Branch 1: NAT 10.102.1.0/24 to 10.1.1.0/24; Branch 2: NAT 10.102.2.0/24 to 10.1.1.0/24; Branch 3: NAT 10.102.3.0/24 to 10.1.1.0/24]
524. Cookie Cutter Branch Deployments – Routing on the VPN Gateway
• The branch routers advertise their NAT subnets to the VPN Gateways
[Diagram: HQ Corporate Network 10.0.0.0/8; Local Tunnel Routes: 10.102.1.0/24 tunnel 1, 10.102.2.0/24 tunnel 2, 10.102.3.0/24 tunnel 3; Branch 1: NAT 10.102.1.0/24 to 10.1.1.0/24; Branch 2: NAT 10.102.2.0/24 to 10.1.1.0/24; Branch 3: NAT 10.102.3.0/24 to 10.1.1.0/24]
525. Cookie Cutter Branch Deployments
• NAT subnets are unique subnets per site (non cookie-cutter), and can be mapped to sites dynamically or via device classification
• Each NAT IP address can be accessed from corporate through the VPN
• Each NAT mapping is bidirectional, so traffic to HQ will be sourced from each NAT address
[Diagram: HQ Corporate Network 10.0.0.0/8; Branch 1: NAT 10.102.1.0/24 to 10.1.1.0/24, which NATs 10.102.1.1 to 10.1.1.1, 10.102.1.2 to 10.1.1.2, …, 10.102.1.255 to 10.1.1.255; Branch 2: NAT 10.102.2.0/24 to 10.1.1.0/24, which NATs 10.102.2.1 to 10.1.1.1, 10.102.2.2 to 10.1.1.2, …, 10.102.2.255 to 10.1.1.255; etc.]
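The one-to-one subnet NAT on slides 523-525, worked through as an added Python example (not Aerohive code): every branch keeps the replicated 10.1.1.0/24, branch N is reachable from HQ through 10.102.N.0/24 with the host bits unchanged, and the VPN gateway routes by the NAT subnet. The pool size (a /16 split into 256 /24s) mirrors the lab; the function names and the branch count are this example's assumptions.

```python
import ipaddress
from typing import Optional, Tuple

LOCAL_SUBNET = ipaddress.ip_network("10.1.1.0/24")   # replicated at every site (cookie cutter)
NAT_POOL = ipaddress.ip_network("10.102.0.0/16")     # unique /24 per site, as on the slides


def nat_subnet_for_branch(branch: int) -> ipaddress.IPv4Network:
    """Branch N gets the Nth /24 of the pool: 1 -> 10.102.1.0/24, 2 -> 10.102.2.0/24, ..."""
    subnets = list(NAT_POOL.subnets(new_prefix=LOCAL_SUBNET.prefixlen))   # 256 /24s in a /16
    if not 0 <= branch < len(subnets):
        raise ValueError(f"branch {branch} is outside a pool of {len(subnets)} subnets")
    return subnets[branch]


def translate(addr: str, src: ipaddress.IPv4Network,
              dst: ipaddress.IPv4Network) -> ipaddress.IPv4Address:
    """One-to-one subnet NAT: keep the host part, swap the network part."""
    ip = ipaddress.ip_address(addr)
    if ip not in src:
        raise ValueError(f"{ip} is not in {src}")
    if src.prefixlen != dst.prefixlen:
        raise ValueError("one-to-one NAT needs equally sized subnets")
    host_part = int(ip) - int(src.network_address)
    return dst.network_address + host_part


def to_hq_visible(local_addr: str, branch: int) -> ipaddress.IPv4Address:
    """Source NAT applied as branch traffic enters the tunnel: 10.1.1.7 at branch 2 -> 10.102.2.7.
    The same mapping in reverse is what lets HQ-initiated traffic reach the host."""
    return translate(local_addr, LOCAL_SUBNET, nat_subnet_for_branch(branch))


def route_from_hq(dst_addr: str, branches: int = 3) -> Optional[Tuple[str, str]]:
    """VPN gateway view: which tunnel carries a packet from HQ, and which local
    address the branch router rewrites its destination to.

    Returns None when the destination matches no subnet advertised over a
    tunnel.  That is exactly the case for 10.1.1.0/24 itself: three sites share
    it, so without the NAT subnets HQ could never pick one of them."""
    ip = ipaddress.ip_address(dst_addr)
    tunnel_routes = {nat_subnet_for_branch(n): f"tunnel {n}" for n in range(1, branches + 1)}
    for nat_net, tunnel in tunnel_routes.items():
        if ip in nat_net:
            return tunnel, str(translate(dst_addr, nat_net, LOCAL_SUBNET))
    return None


if __name__ == "__main__":
    print(to_hq_visible("10.1.1.7", 2))    # 10.102.2.7
    print(route_from_hq("10.102.3.20"))    # ('tunnel 3', '10.1.1.20')
    print(route_from_hq("10.1.1.20"))      # None: the replicated subnet is not routable from HQ
```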
526. LAB: COOKIE-CUTTER VPN
527. Lab: Cookie Cutter – 1. Create a new Employee Network
• Next to VLAN 10, click on your network: Network-Employee-1XX
• Choose Network, click New
528. Lab: Cookie Cutter – 2. Create a new Employee Network
• Enter the network name: 10.1.1.0-Employee-X
• DNS Service: select the Quick Start automatically generated object: Class
• Network Type: Internal Use
• Under Subnetworks, click New
NOTE: This Quick Start DNS Service object sets clients to use the router interface IP as the DNS server, and the router will proxy the DNS requests to the DNS server learned statically or by DHCP on the WAN interface.
529. Lab: Cookie Cutter – 3. Replicate the Network
• Select Replicate the same subnetwork at each site
• Local Subnetwork: 10.1.1.0/24
• Select Use the first IP address of the partitioned subnetwork for the default gateway
• Do not save yet
NOTE: You can now use the first or last IP address of each branch subnet for the default gateway assigned to the routers for these subnets.
530. Lab: Cookie Cutter – 4. Enable DHCP
• Check Enable DHCP server
• For the DHCP Address Pool, move the slider bar to reserve 10 IP addresses at the start and end of the address pool that can be assigned statically
NOTE: In most cases, the router will be the DHCP server. However, if it is not, you can disable the DHCP service and this network definition will only be used to configure the router interface IP addresses.
531. Lab: Cookie Cutter – 5. NAT settings
• Check Enable NAT through the VPN tunnels
• Number of branches: 256
• NAT IP Address Space Pool: 1.1XX.0.0, Mask 16 (XX = 102, 103, …, 114, 115)
• Note: We are using 1.1XX.0.0 instead of 10.1XX.0.0 because the lab has no more IP space
532. Lab: Cookie Cutter – 6. NAT settings
• Check Allocate NAT subnetworks by specific IP addresses at sites
• Click New
  › IP Address: 1.1XX.1.1
  › Type: Device Tags
  › Value: Site-Xa (your switch)
• Click Apply
NOTE: Any device tag you have defined elsewhere is automatically populated. You can also start typing to narrow the value list.
With these settings, each site will be assigned one of the /24 NAT subnets in 1.1XX.0.0/16. Entering a single IP address locks the NAT IP address, and the NAT subnet to which it belongs, to a specific site.
533. Lab: Cookie Cutter – 7. Save cookie cutter network
• Verify your settings
• Click Save
534. Lab: Cookie Cutter – 7. Review and save
Your network will have one NAT subnetwork, 1.1XX.0.0/16, that will support 256 branches with 253 clients per branch, and subnet 10.1.1.0/24 will be assigned to each site for DHCP
• Click Save
• Click OK
535. Lab: Cookie Cutter – 8. Save your network policy and continue
• From the Configure Interfaces & User Access bar, click Continue
536. PERFORM A COMPLETE UPLOAD
537. Lab: Update Router Configuration – 1. Update your routers
• Select the Filter: Current Policy
• Select all your routers
• Click Update
538. Lab: Update Router Configuration – 2. Update your routers
• Select Update Devices
• Select Perform a complete configuration update for all selected devices
• Click Update
For this class, ALL updates should be complete configuration updates
539. Lab: Update Router Configuration – 3. Update your routers
• When the Reboot Warning box appears, click OK
540. VIEW SUBNET ALLOCATION REPORT
541. Cookie Cutter Branch Deployments – Routing on the VPN Gateway
• The branch routers advertise their NAT subnets to the VPN Gateways
[Diagram: HQ Corporate Network 10.0.0.0/8; Local Tunnel Routes: 10.102.1.0/24 tunnel 1, 10.102.2.0/24 tunnel 2, 10.102.3.0/24 tunnel 3; Branch 1: NAT 10.102.1.0/24 to 10.1.1.0/24; Branch 2: NAT 10.102.2.0/24 to 10.1.1.0/24; Branch 3: NAT 10.102.3.0/24 to 10.1.1.0/24]
542. Lab: Subnet Allocation Report – 1. View the IP addresses assigned to the routers
• From Monitor, in the navigation tree, click Subnetwork Allocation
• Under Network Name, select 10.1.1.0-Employee-X
• Note the unique NAT networks and the cookie-cutter network
Note: One subnet was assigned via classification; the others were assigned dynamically.
543. SIMULATED ROUTER CLEANUP
544. Lab: Remove Simulated Routers – 1. Select and remove your simulated routers
The simulated routers were used to show the subnet allocation report. Now that you have seen how subnetworks are allocated to routers, we can remove the simulated routers.
• From Configuration → Routers, check the box next to your simulated devices, whose names start with: SR-02-SIMU-XXXXXX
• Warning: Do NOT remove the real router
• Click Device Inventory and click Remove
• Click Remove in the warning popup
545. LAYER 3 IPSEC VPN – REDUNDANT VPN GATEWAYS
546. Router IPSec VPN Lab Using Two VPN Gateways
[Diagram: Headquarters]
• Firewall (Inside; 802.1Q to the DMZ):
  › eth0/0 – 209.128.76.30; NAT 209.128.76.28 to 10.1.101.2; NAT 209.128.76.29 to 10.1.102.2
  › eth0/1.1 – 10.1.101.1/24, VLAN 101, Protocol OSPF area 0.0.0.1
  › eth0/1.2 – 10.1.102.1/24, VLAN 102, Protocol OSPF area 0.0.0.2, Protocol OSPF cost 1000
  › eth0/2 – 10.5.1.1/24, Protocol OSPF area 0.0.0.0 (Internal Network, AD Server 10.5.1.10)
• VPN Gateway 1 – LAN 1: 10.1.101.2/24, VLAN 101, Protocol OSPF area 0.0.0.1
• VPN Gateway 2 – LAN 1: 10.1.102.2/24, VLAN 102, Protocol OSPF area 0.0.0.2
• Branch Office – Tunnel 1 to 209.128.76.28 (pref 1), Tunnel 2 to 209.128.76.29 (pref 2); VLAN 10 – 10.1.1.0/24 Employee Net; one-to-one subnet NAT through the VPN: 10.102.1.0/24 (HQ-visible IPs) to 10.1.1.0/24 (local IPs)
547. Router IPSec VPN Lab Using Two VPN Gateways
• VPN tunnels are built from branch offices to the VPN gateways
• Traffic from the branch offices is decrypted at the VPN gateways and sent to the DMZ firewall for access to the internal network
• Traffic destined to IP addresses at branch offices is sent to the firewall, which looks up the IP and finds the route to a VPN gateway; that gateway encrypts the traffic and sends it through a tunnel to the branch office
[Diagram: the same Headquarters topology as the previous slide – FW eth0/0 209.128.76.30 with NAT 209.128.76.28 to 10.1.101.2 and 209.128.76.29 to 10.1.102.2; FW eth0/1.1 10.1.101.1/24 VLAN 101 OSPF area 0.0.0.1; FW eth0/1.2 10.1.102.1/24 VLAN 102 OSPF area 0.0.0.2, OSPF cost 1000; FW eth0/2 10.5.1.1/24 OSPF area 0.0.0.0, Internal Network with AD Server 10.5.1.10; VPN Gateway 1 LAN 1 10.1.101.2/24 OSPF area 0.0.0.1; VPN Gateway 2 LAN 1 10.1.102.2/24 OSPF area 0.0.0.2; both gateways' eth0 on the DMZ]
548. Cookie Cutter Branch Deployments – Routing on the VPN Gateway
• The branch routers advertise their NAT subnets to the VPN Gateways
[Diagram: HQ Corporate Network 10.0.0.0/8; Local Tunnel Routes: 10.102.1.0/24 tunnel 1, 10.102.2.0/24 tunnel 2; Branch 1: NAT 10.102.1.0/24 to 10.1.1.0/24; Branch 2: NAT 10.102.2.0/24 to 10.1.1.0/24]
549. FW Configuration for Accessing VPN Gateways 1 and 2
set interface bgroup0.5 tag 101 zone Trust
set interface bgroup0.6 tag 102 zone Trust
set interface bgroup0.5 ip 10.1.101.1/24
set interface bgroup0.6 ip 10.1.102.1/24
set interface bgroup0.5 route
set interface bgroup0.6 route
set int bgroup0.5 protocol OSPF area 0.0.0.1
set int bgroup0.5 protocol OSPF enable
set int bgroup0.6 protocol OSPF area 0.0.0.2
set int bgroup0.6 protocol OSPF enable
set interface "ethernet0/0" mip 209.128.76.28 host 10.1.101.2
set interface "ethernet0/0" mip 209.128.76.29 host 10.1.102.2
set interface "ethernet0/0" mip 209.128.76.28 host 10.1.101.2 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet0/0" mip 209.128.76.29 host 10.1.102.2 netmask 255.255.255.255 vr "trust-vr"
set policy id 18 from "Untrust" to "Trust" "Any" "MIP(209.128.76.28)" "ANY" permit
set policy id 19 from "Untrust" to "Trust" "Any" "MIP(209.128.76.29)" "ANY" permit
550. CONFIGURING LAYER 3 IPSEC VPN WITH REDUNDANCY
INSTRUCTOR ONLY – THESE STEPS HAVE ALREADY BEEN PERFORMED
551. Layer 3 VPN – Instructor Only Steps
• Under Layer 3 IPSec VPN, click Choose
552. Layer 3 VPN – Instructor Only Steps
• Name: Corp-VPN (shared by all network policies in class)
• Layer 3 VPN
• VPN Gateway: VPN-Gateway-1
• External IP: 1.2.2.241
• Click Apply
553. Layer 3 VPN – Instructor Only Steps
Under VPN Gateway Settings:
• Click New
• VPN Gateway: VPN-Gateway-2
• External IP: 1.2.2.242
• Click Apply
554. Layer 3 VPN – Instructor Only Steps
• Two new certificates were created for this lab; you can use those, or the defaults if the root CA did not change
• Click Save
555. Layer 3 VPN – Instructor Only Steps
• From Configuration → Show Nav → VPN Gateways
• Modify VPN-Gateway-1
556. Layer 3 VPN – Instructor Only Steps
Note: VPN Gateways are not assigned to a Network policy; they just use a Management network
• ETH0 (WAN): 10.200.2.241/24
• Default Gateway: 10.200.2.1
• Check Enable Dynamic Routing
• Select OSPF
• Route Advertisement: select Eth0 (WAN), deselect Eth1 (LAN)
• Area: 0.0.0.0
• Click Save
557. Layer 3 VPN – Instructor Only Steps
• From Configuration → VPN Gateways
• Modify VPN-Gateway-2
558. Layer 3 VPN – Instructor Only Steps
Note: VPN Gateways are not assigned to a Network policy; they just use a Management network
• ETH0 (WAN): 10.200.2.242/24
• Default Gateway: 10.200.2.1
• Check Enable Dynamic Routing
• Select OSPF
• Route Advertisement: select Eth0 (WAN), deselect Eth1 (LAN)
• Area: 0.0.0.0
• Click Save
559. Layer 3 VPN – Instructor Only Steps
• Select Update Devices
• Select Perform a complete configuration update for all selected devices
• Click Update
For this class, ALL updates should be complete configuration updates
560. LAB: TWO VPN GATEWAYS – STUDENTS ADD CORP VPN TO THEIR NETWORK POLICY
561. Lab: Two VPN Gateways – 1. Add the Corp-VPN policy
• In your network policy, next to Layer 3 IPSec VPN, click Choose
• Select Corp-VPN
• Click OK
• Save the Network Policy
• Click Continue
562. Lab: Two VPN Gateways – 2. Select the router
• Choose the Current Policy filter and select your router
• Click Update Devices and perform a complete upload
563. Lab: Two VPN Gateways – 4. Verify the VPN topology
• Wait about 5 minutes
• When the VPNs are established, you can click the VPN Topology link to see live VPN status
• Click Refresh to update the screen
564. BRANCH ROUTER WAN INTERFACE NAT PORT FORWARDING
565. Branch Router WAN Interface NAT Port Forwarding
• Use port forwarding from a public WAN interface on a branch router to reach a server within a private network
• This works very well for cookie cutter deployments!
[Diagram: Internet → WAN 2.1.1.100 on an SR2024 as branch router (with AP and PoE); Web Server1 10.1.1.5 port 80, reached via http://2.1.1.100:8005; Web Server2 10.1.1.6 port 80. NAT Port Forwarding Rules: Outside 2.1.1.100:8005 → Inside 10.1.1.5:80 (IP #5); Outside 2.1.1.100:8006 → Inside 10.1.1.6:80 (IP #6)]
566. LAB: CONFIGURE BRANCH ROUTER WAN INTERFACE NAT PORT FORWARDING
567. LAB: WAN Interface NAT Port Forwarding – 1. Modify the Cookie-Cutter Network
• From your network policy, under VLAN-to-Subnet Assignments for Router Interfaces:
  › Modify your 10.1.1.0-Employee-X network
  › Click the icon next to it and select Edit
568. LAB: WAN Interface NAT Port Forwarding – 2. Modify the Cookie-Cutter/NAT Network
• Click the link to edit the subnet: 1.1XX.0.0/16
569. LAB: WAN Interface NAT Port Forwarding – 3. Enable port forwarding
• In the Network Address Translation (NAT) Settings section, check Enable port forwarding through the WAN interfaces
570. LAB: WAN Interface NAT Port Forwarding – 4. View Aerohive Ports
• Click View Aerohive Ports to see the ports that are already in use on Aerohive routers, which you cannot use for port forwarding
571.
• For port forwarding to work, you must have addresses excluded at the start of the DHCP pool
• For example, if you have a web server at every site that will be the 5th IP address from the start of the pool, e.g. 10.1.1.5, then you must have a DHCP exclusion for the first 5 IP addresses so that 10.1.1.5 can be statically assigned to the web server
NOTE: Always have excludes from the DHCP pool
572. LAB: WAN Interface NAT Port Forwarding – 5. Create port forwarding rules
• Click New to create a port forwarding rule
573. LAB: WAN Interface NAT Port Forwarding – 6. Create port forwarding rules
• Destination Port Number: 8005
• Local Host IP Address Position: 1
• Internal Host Port Number: 80
• Traffic Protocol: TCP
• Click Apply
574. LAB: WAN Interface NAT Port Forwarding – 7. Create port forwarding rules
• Create several more rules
575. LAB: WAN Interface NAT Port Forwarding – 8. Create port forwarding rules
• Destination Port: 8005. This is the port clients will use from the Internet to access the internal server: https://WAN-IP:8005
• Click on IP Address Mapping to see how each position maps to an internal cookie-cutter IP address
• Local host IP address:
  › The position of the IP address from the start of the IP address block
  › For /24 subnets, position 1 = .2, position 2 = .3, etc.
576. LAB: WAN Interface NAT Port Forwarding – 9. Review your port forwarding rules
• Review your port forwarding rules
• Click Save
• Click OK
577. LAB: WAN Interface NAT Port Forwarding – 10. Save the network
• Review your Network
• Click Save
• Click OK
578. LAB: WAN Interface NAT Port Forwarding – 11. Save your Network Policy
• Click Continue to save your Network Policy and proceed to device updates
579. LAB: WAN Interface NAT Port Forwarding – 12. Select the router
• Choose the Current Policy filter and select your router
• Click Update Devices and perform a complete upload
580. LAB: WAN Interface NAT Port Forwarding – 13. Verify port forwarding rules
• Monitor → Routers
• Select your Router
• Click Utilities… → SSH Client
• Click Connect
• Type: show ip iptables nat
581. LAB: WAN Interface NAT Port Forwarding – 14. Verify port forwarding rules
Note: Resize the window to see the port-forwarding rules
• CLI command: sh ip iptables nat
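The port-forwarding lab above (slides 570-575), worked through as an added Python example that is not Aerohive code: a rule maps WAN-IP:destination-port to the host at a given position of the replicated subnet (for a /24, position 1 = .2), and the example checks the two things the slides warn about, that the inside host sits inside the addresses excluded from the start of the DHCP pool and that the WAN port does not collide with a port the router itself uses. The reserved-port set, the rule list and the exclusion count are constructed sample data, not the router's real values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

LOCAL_SUBNET = ipaddress.ip_network("10.1.1.0/24")   # the cookie-cutter subnet, same at every site
# Stand-in for the "View Aerohive Ports" list: constructed, not the router's real list.
RESERVED_ROUTER_PORTS = {22, 443}


@dataclass(frozen=True)
class PortForward:
    dest_port: int        # port on the WAN IP that Internet clients connect to
    position: int         # host position from the start of the local subnet
    inside_port: int      # port the internal host listens on
    protocol: str = "TCP"


def position_to_host(subnet: ipaddress.IPv4Network, position: int) -> ipaddress.IPv4Address:
    """Position 1 is the first address after the router's own .1: .2 in a /24, position 2 = .3, ..."""
    if position < 1:
        raise ValueError("position numbering starts at 1")
    host = subnet.network_address + 1 + position
    if host >= subnet.broadcast_address:
        raise ValueError(f"position {position} does not exist in {subnet}")
    return host


def check_rule(rule: PortForward, subnet: ipaddress.IPv4Network,
               excluded_at_start: int, existing: Iterable[PortForward] = ()) -> Optional[str]:
    """Return why the rule would misbehave, or None if it is safe to apply.

    excluded_at_start is how many addresses, counted from the first address of
    the subnet (.1, the router), are kept out of the DHCP pool (the slider on the
    DHCP slide).  A forwarded host must sit inside that range; otherwise DHCP may
    hand its address to whichever client asks first."""
    if rule.dest_port in RESERVED_ROUTER_PORTS:
        return f"WAN port {rule.dest_port} is already used by the router itself"
    for other in existing:
        if other.dest_port == rule.dest_port and other.protocol == rule.protocol:
            return f"{rule.protocol} port {rule.dest_port} is already forwarded"
    host = position_to_host(subnet, rule.position)
    if rule.position + 1 > excluded_at_start:
        return (f"{host} lies inside the DHCP pool; exclude at least "
                f"{rule.position + 1} addresses at the start of the pool")
    return None


def forward_inbound(rules: Iterable[PortForward], subnet: ipaddress.IPv4Network,
                    dest_port: int, protocol: str = "TCP") -> Optional[Tuple[str, int]]:
    """Rewrite an inbound WAN-IP:dest_port connection to (inside_ip, inside_port).
    Because the subnet is replicated at every site, one rule table yields the same
    inside address at every branch; only the WAN IP differs per site."""
    for rule in rules:
        if rule.dest_port == dest_port and rule.protocol == protocol:
            return str(position_to_host(subnet, rule.position)), rule.inside_port
    return None   # no rule: nothing is forwarded


if __name__ == "__main__":
    rules = [PortForward(8005, 1, 80), PortForward(8006, 2, 80)]   # lab-style rules
    for r in rules:
        others = [x for x in rules if x is not r]
        print(r, check_rule(r, LOCAL_SUBNET, excluded_at_start=10, existing=others))   # None, None
    print(forward_inbound(rules, LOCAL_SUBNET, 8005))                      # ('10.1.1.2', 80)
    print(check_rule(PortForward(8007, 20, 80), LOCAL_SUBNET, excluded_at_start=10))  # inside DHCP pool
```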
582. THE MANAGEMENT NETWORK
583. Aerohive Management Network
• Management Network – every AP, router, and VPN gateway has a logical management interface for:
  › CAPWAP communication with HiveManager;
  › cooperative control protocols like AMRP and DNXP;
  › and management services like SNMP, SYSLOG, SCP, and SSH.
[Diagram: a BR200 and two APs reaching the Internet – interface mgt0 172.18.0.1/24 VLAN 1; interface mgt0 172.18.0.2/24 VLAN 1; interface mgt0 172.18.0.3/24 VLAN 1]
584. Aerohive Management Network
• Management subnets can be assigned to a VLAN within the unified network policy
585. Aerohive Management Network
• Just like internal networks, management subnets can be partitioned from a parent network and then assigned dynamically by HiveManager
• Management subnets can also be assigned with device classification
586. Aerohive Router Interfaces
• Router WAN Port: Eth0 – 192.168.1.10/24, no VLAN
• Logical IP Interfaces:
  › mgt0 (Management) – 172.18.0.1/24, VLAN 1
  › mgt0.1 – 10.102.0.1/24, VLAN 102 – Employee
  › mgt0.2 – 172.16.102.1/24, VLAN 202 – Guest
• Ethernet Switch Ports: Eth1 – Eth4, Layer 2
  › Assigned to VLANs and Networks by LAN Profiles
  › May be 802.1Q VLAN trunk ports or access ports
• Interfaces mgt0.1 through mgt0.16 may be created, each supporting routing for a different IP network
587. ENABLE 802.1Q VLAN TRUNKING ON A LAN PORT
588. Configuring 802.1Q on a Router Port – Policies
• BR100 Logical IP Interfaces:
  › mgt0 (Management) – 172.18.0.1/24, VLAN 1
  › mgt0.1 – 10.102.0.1/24, Employee – VLAN 10
  › mgt0.2 – 10.202.0.1/24, Voice – VLAN 2
  › mgt0.3 – 192.168.83.1/24, Guest – VLAN 8
  › mgt0.4 – 172.28.0.1/25, VLAN 1 (Native)
• AP Logical IP Interface: mgt0 (Management) – 172.18.0.1/24, VLAN 1
• AP Layer 2 Interfaces: VLAN 1 (Native); SSID Class-PSK – Employee, VLAN 10; SSID Class-Voice – Voice, VLAN 2; SSID Class-Guest – Guest, VLAN 8
• 802.1Q VLAN Trunk between the router port and the AP – VLANs: 1 (Native), 2, 8, 10
Note: You should define a native network using VLAN 1, which must match the native VLAN configured for the management interface, which by default is 1.
589. ROUTER STATEFUL FIREWALL POLICY – MORE THAN JUST THE 5-TUPLE
590. Router Firewall General Guidelines
• The router firewall is not the same firewall used in User Profiles for Aerohive access points
• Firewall rules are applied in the branch router for both wireless and wired traffic
• The AP firewall can still be used for wireless clients if so desired
• L7 is not yet supported in the router firewall
[Diagram: Branch Router and AP to the Internet – router firewall for wired and wireless traffic; AP firewall for wireless traffic only]
591. Router Firewall General Guidelines
• Rules are processed top down and the first matching rule is used
• After a rule is matched, a stateful session is created using:
  › Source IP, Destination IP, IP Protocol, Source Port, Destination Port
  › The reverse session is also created for return traffic
• More than just an IP firewall, the router firewall can look at:
  › Traffic Source: IP Network, IP Range, Network Object, User Profile, VPN, or IP Wildcard
  › Traffic Destination: IP Network, IP Range, Network Object, VPN, IP Wildcard, Hostname
592. Aerohive Stateful Firewall
[Diagram: Router (client 10.5.1.102) – Internet – Web Server 72.20.106.66]
• Firewall Policies – Default Action: Deny; Inside HTTP – initiated from inside the network to a web server on the Internet
• Request (Source IP, Dest IP, Proto, Source Port, Dest Port, Data): 10.5.1.102, 72.20.106.66, 6 (TCP), 3456, 80, HTTP GET
• The HTTP response is permitted because the firewall in the router is stateful (shown after NAT)
• Reply (Source IP, Dest IP, Proto, Source Port, Dest Port, Data): 72.20.106.66, 10.5.1.102, 6 (TCP), 80, 3456, HTTP Reply
• The stateful firewall engine opens a pinhole for this session, allowing return traffic for it
• 593. Lab: Router Firewall for Guests, 1. Create a Router Firewall Profile
  To implement a router firewall:
  • In your network policy, next to Router Firewall, click Choose
  • In Choose Firewall, click New
• 594. Lab: Router Firewall for Guests, 2. Create a user profile rule
  • Enter a Policy Name: Firewall-X
  • Configure a user profile-based firewall policy rule
  • Select a source: User Profile Guests-X
  • Select a destination: IP Network 10.0.0.0/255.0.0.0
  • Service: [-any-]
  • Action: Deny
  • Logging: Disable
  • Click Apply
• 595. Lab: Router Firewall for Guests, 3. Create another user profile rule
  Your rule should appear
  • Under Policy Rules, click New
  • Configure a user profile-based firewall policy rule
  • Select a source: User Profile Guests-X
  • Select a destination: IP Network 172.16.0.0/255.240.0.0
  • Service: [-any-]
  • Action: Deny
  • Logging: Disable
  • Click Apply
• 596. Lab: Router Firewall for Guests, 4. Create one more user profile rule
  Your rule should appear
  • Under Policy Rules, click New
  • Configure a user profile-based firewall policy rule
  • Select a source: User Profile Guests-X
  • Select a destination: IP Network 192.168.0.0/255.255.255.0
  • Service: [-any-]
  • Action: Deny
  • Logging: Disable
  • Click Apply
• 597. Lab: Router Firewall for Guests, 5. Create a clean-up allow-all rule
  Create a clean-up rule
  • Under Policy Rules, click New
  • Configure a user profile-based firewall policy rule
  • Select a source: [-any-]
  • Select a destination: [-any-]
  • Service: [-any-]
  • Action: Permit
  • Logging: Disable
  • Click Apply
• 598. Lab: Router Firewall for Guests, 6. Verify your firewall policy rules and save
  • Select the radio button for the Default Rule to Deny all
    › Note: This is not needed, but it is a good general practice.
  • This policy denies access to any private IP address through the router, and allows everything else
  • Also, you can drag and drop the rules to change their order
  • Click Save
• 599. Lab: Router Firewall for Guests, 7. Create a Router Firewall Profile
  • Verify that your Router Firewall is applied: Firewall-X
  • Click Save
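An added model (not Aerohive code) of the firewall behaviour described on slides 591 and 592 and of the Firewall-X policy built in the lab steps above: first-match rule evaluation, the Default Rule, and the session plus reverse session that a permitted flow creates. The source network of the "Inside HTTP" rule (10.5.1.0/24), the guest client address and ports, and the flat session table are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Rule:
    src: str     # "any", an IP Network in CIDR form, or a User Profile name
    dst: str     # "any" or an IP Network in CIDR form
    action: str  # "permit" or "deny"

def _matches(spec, ip, profile):  # one rule field vs packet address or user profile
    if spec == "any":
        return True
    if "/" in spec:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(spec)
    return spec == profile

@dataclass
class StatefulFirewall:
    rules: list
    default: str = "deny"                       # Default Rule (slide 598)
    sessions: set = field(default_factory=set)  # open sessions as 5-tuples

    def check(self, src_ip, dst_ip, proto, sport, dport, profile=None):
        key = (src_ip, dst_ip, proto, sport, dport)
        if key in self.sessions:  # return traffic through an existing pinhole
            return "permit"
        verdict = self.default
        for rule in self.rules:   # top down, the first matching rule is used
            if _matches(rule.src, src_ip, profile) and _matches(rule.dst, dst_ip, None):
                verdict = rule.action
                break
        if verdict == "permit":   # create the session and its reverse
            self.sessions.add(key)
            self.sessions.add((dst_ip, src_ip, proto, dport, sport))
        return verdict

def slide_592_exchange():
    # Slide 592: one "Inside HTTP" permit rule (source 10.5.1.0/24 assumed), default deny
    fw = StatefulFirewall([Rule("10.5.1.0/24", "any", "permit")])
    get = fw.check("10.5.1.102", "72.20.106.66", 6, 3456, 80)          # HTTP GET
    reply = fw.check("72.20.106.66", "10.5.1.102", 6, 80, 3456)        # reply via pinhole
    unsolicited = fw.check("72.20.106.66", "10.5.1.102", 6, 80, 4444)  # no session, no rule
    return get, reply, unsolicited  # ("permit", "permit", "deny")

# Lab Firewall-X (slides 594-598): Guests-X denied to the private ranges, then clean-up permit
GUEST_RULES = [Rule("Guests-X", "10.0.0.0/8", "deny"), Rule("Guests-X", "172.16.0.0/12", "deny"),
               Rule("Guests-X", "192.168.0.0/24", "deny"), Rule("any", "any", "permit")]

def guest_verdict(dst_ip):
    # Constructed Guests-X client 192.168.83.10 (the lab's guest network) opening TCP port 80
    return StatefulFirewall(GUEST_RULES).check("192.168.83.10", dst_ip, 6, 50000, 80, "Guests-X")
```

Note that the lab's third rule uses mask 255.255.255.0, so a guest reaching 192.168.1.1 falls through to the clean-up permit; only 192.168.0.0/24 is blocked as written.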
• 600. Remember this? - Routes Learned via OSPF and Between the VA and Branch Routers
  • Routers (VPN clients) ask the VPN Gateway for updated route information and provide their own route changes over the VPN tunnel every minute by default using a TCP request
  Diagram: three BR100 branch routers connect over the Internet to the VPN Gateway at HQ through Tunnel A, Tunnel B and Tunnel C; the Corporate Network 10.1.0.0/16 sits behind HQ
  VPN Gateway (HQ):
    › Route: 10.1.0.0/16 to Corp Router
    › Route: 172.28.0.0/24 to VPN tunnel A
    › Route: 172.28.1.0/24 to VPN tunnel B
    › Route: 172.28.2.0/24 to VPN tunnel C
    › Route: 0.0.0.0/0 to Internet Gateway
  BR100 (Tunnel A), Local network: 172.28.0.0/24
    › Route: 10.1.0.0/16 through VPN tunnel
    › Route: 172.28.1.0/24 through VPN tunnel
    › Route: 172.28.2.0/24 through VPN tunnel
    › Route: 0.0.0.0/0 to Internet Gateway
  BR100 (Tunnel B), Local network: 172.28.1.0/24
    › Route: 10.1.0.0/16 through VPN tunnel
    › Route: 172.28.0.0/24 through VPN tunnel
    › Route: 172.28.2.0/24 through VPN tunnel
    › Route: 0.0.0.0/0 to Internet Gateway
  BR100 (Tunnel C), Local network: 172.28.2.0/24
    › Route: 10.1.0.0/16 through VPN tunnel
    › Route: 172.28.0.0/24 through VPN tunnel
    › Route: 172.28.1.0/24 through VPN tunnel
    › Route: 0.0.0.0/0 to Internet Gateway
• 601. Router Firewall can be used to block communications between branch offices
  • Routers (VPN clients) ask the VPN Gateway for updated route information and provide their own route changes over the VPN tunnel every minute by default using a TCP request
  Diagram: same topology and route tables as slide 600 (each branch learns the other branches' 172.28.x.0/24 subnets through its VPN tunnel)
• 602. WEB PROXY FOR SECURING WEB-BASED TRAFFIC
• 603. Cloud Proxy – How does it work?
  1. Client makes an HTTP/HTTPS request
  2. Aerohive BR checks if the client network is configured to use web security
  3. Aerohive BR confirms the traffic is not destined for resources across the tunnel and is not whitelisted as trusted
  4. Traffic is forwarded with the client identity to the cloud security partner and processed based on identity
• 604. Web Security Using Websense Cloud Web Proxy
  To configure Cloud Web Security, from HiveManager go to Home > Administration > HiveManager Services
  • Check the box next to Websense Server Settings
  • Check the box next to Enable Websense Server Settings
  • Enter the Account ID and Security key that were displayed for your Websense account
  • Default Domain: ah-lab.com
  • Click Update
  Note: The default domain is only used if users do not authenticate to access the network using a mechanism that requires a domain name for login
• 605. Web Security Using Websense Cloud Web Proxy
  You can use the default Web Security Whitelist to specify safe URLs that do not need to be sent through web security
  • Next to Web Security Whitelist, select QS-WebSense-Whitelist
  • Click Update
  Note: To create your own whitelist or clone the quick start whitelists to make your own additions, go to: Configuration > Show Nav > Advanced Configuration > Common Objects > Device Domain Objects
• 606. Web Security Using Cloud Proxy
  To get started with Cloud Web Security, from HiveManager go to Home > Administration > HiveManager Services
  • Check the box next to Websense Server Settings
  • Click the “here” link to sign up for a free 30-day trial
  • Sign up for a free 30-day Websense trial
• 607. LAB: CLOUD PROXY
• 608. LAB: Cloud proxy, 1. Edit employee network settings
  • Cloud Web Proxy is enabled within a Network Policy
  • You may only want to enable this service for corporate employees
  • Next to your Class-PSK-X SSID, under Network(VLAN), click your network: 10.1.1.0-Employee-X
  • Click on the edit icon to edit your network
• 609. LAB: Cloud proxy, 2. Enable web security
  • In the network for employees, next to Web Security, select Websense from the drop-down menu
  • You can keep the option to Deny all outbound HTTP and HTTPS traffic if connectivity to the web security server is lost
  • Click Save and then OK
• 610. LAB: Cloud proxy, 3. Edit guest network settings
  • Cloud Web Proxy is enabled within a Network Policy
  • You may only want to enable this service for corporate employees
  • Next to your Class-PSK-X SSID, under Network(VLAN), click your network: 192.168.83.0-Guest-X
  • Click on the edit icon to edit your network
• 611. LAB: Cloud proxy, 4. Enable web security
  • In the network for employees, next to Web Security, select Websense from the drop-down menu
  • You can keep the option to Deny all outbound HTTP and HTTPS traffic if connectivity to the web security server is lost
  • Click Save and then OK
• 612. LAB: Cloud proxy, 5. Verify web security
  • Note that web security is enabled
  • Click Continue to save and go to updates
• 613. LAB: Cloud proxy, 6. Upload policy to branch router
  • Update the configuration of your router
  • Click Settings to perform a complete update
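An added decision model (not Aerohive code) of the four cloud-proxy steps on slide 603 together with the per-network settings and the deny-on-lost-connectivity option from the lab above. The identity format (user@default-domain), suffix matching for whitelist entries, the whitelist entry aerohive.com, the tunnel prefixes taken from slide 600, and leaving the guest network without web security are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

DEFAULT_DOMAIN = "ah-lab.com"  # Default Domain from HiveManager Services (slide 604)

@dataclass
class NetworkSettings:               # per-Network(VLAN) options from slide 609
    name: str
    web_security: Optional[str]      # "Websense" or None
    deny_if_proxy_down: bool = True  # "Deny all outbound HTTP and HTTPS traffic if ... lost"

@dataclass
class BranchRouter:
    tunnel_routes: list          # prefixes reached across the VPN tunnel (slide 600)
    whitelist: list              # Web Security Whitelist domain objects (slide 605)
    proxy_reachable: bool = True

    def decide(self, net, dst_ip, dst_host, dport, user):
        # Returns (action, identity); identity is attached only when sent to the cloud proxy
        if dport not in (80, 443):            # step 1: only HTTP/HTTPS is considered
            return "route", None
        if net.web_security is None:          # step 2: network not configured for web security
            return "route", None
        dst = ipaddress.ip_address(dst_ip)
        if any(dst in ipaddress.ip_network(p) for p in self.tunnel_routes):
            return "tunnel", None             # step 3: resources across the tunnel stay on it
        if any(dst_host == d or dst_host.endswith("." + d) for d in self.whitelist):
            return "direct", None             # step 3: whitelisted as trusted (suffix match assumed)
        if not self.proxy_reachable:          # connectivity to the web security server lost
            return ("deny" if net.deny_if_proxy_down else "direct"), None
        identity = user if "@" in user else f"{user}@{DEFAULT_DOMAIN}"  # format assumed
        return "proxy", identity              # step 4: forwarded with client identity

# Constructed classroom settings: employee network proxied, guest network left without web security
EMPLOYEE = NetworkSettings("10.1.1.0-Employee-X", "Websense")
GUEST = NetworkSettings("192.168.83.0-Guest-X", None)
BR = BranchRouter(tunnel_routes=["10.1.0.0/16", "172.28.0.0/22"], whitelist=["aerohive.com"])
```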
• 614. TEST CLOUD WEB SECURITY – INSTRUCTOR DEMO (INSTRUCTOR MUST HAVE CONFIGURED THE CLASSROOM ROUTER FOR CLOUD PROXY)
• 615. Lab: Test LAN Port Web Security, 1. Connect your computer to Eth1 on the Router
  • Connect Ethernet Port 2 of your computer to the ETH2 interface on the router
  Diagram: BR100 connected to the Class Switch
• 616. Lab: Test LAN Port Web Security, 2. Open web browser to a website
  • Open a web browser on your remote computer to a respectable website
  • You will be redirected to a captive web portal
  Diagram: BR100 connected to the Class Switch
• 617. Lab: Test LAN Port Web Security, 3. Login through the captive web portal
  • Enter a user name: lanuser
  • Password: Aerohive1
  • Click Log In
• 618. Lab: Test LAN Port Web Security, 4. Test a web site that is forbidden
  • Open a web browser and try going to: www.guns.com
  • You should be redirected to a web page informing you that you were denied access to the site
  • This will be denied because the Websense policy used has a rule against sites that provide information about, promote, or support the sale of weapons and related items
• 619. Websense Cloud Web Security Policies
  • From the Websense Cloud Web Security login, you can set the web category policies, web content security, and much more...
  Note: Here you can see that there is a rule blocking Weapons sites
• 620. MISC
• 621. Overwrite protection for NetConfig UI WAN settings
  Protects the NetConfig UI based WAN port configuration of BRs and routing devices
  • By default, a branch router originally set up using the NetConfig UI is protected from having those settings overwritten by updates pushed to it from HiveManager at a later date.
  • To disable the NetConfig UI settings protection for the BRs, click Configuration > Devices, select one or multiple BRs, and then click Utilities > Disable NetConfig UI WAN Configuration.
• 622. THANK YOU – REALLY!!