Attaching an ACL on a Wlan Interface/Port | Motorola WS5100 guide

Switch Security 6-25

2.Click on the Attach tab.

3.Click on the Add button.

4.Use the Interface drop-down menu to select the interface to configure on the switch. Available options include – Ethernet 1, Ethernet 2, VLAN 1 (plus those VLANs created thus far) and Tunnel n (where n equals the name(s) of those tunnels created thus far).

5.Use the IP ACL drop-down menu to select an IP ACL used as the inbound IP for the layer 2 or layer 3 interface.

6.Use the MAC ACL drop-down menu to select an MAC ACL used as the MAC IP for the layer 2 interface.

7.Refer to the Status field for the current state of the requests made from applet. This field displays error messages if something goes wrong in the transaction between the applet and the switch.

8.Click OK to use the changes to the running configuration and close the dialog.

9.Click Cancel to close the dialog without committing updates to the running configuration.

6.5.4Attaching an ACL on a WLAN Interface/Port

Use the Attach- WLAN tab to view and assign an ACL to a WLAN on the switch. By default, arp is not supported. Create a MAC ACL to allow arp on the switch.

NOTE: WLAN based ACLs allows users to enforce rules/ACLs on both the inbound and outbound direction, as opposed to L2 ACLs, which just support the inbound direction.

To configure a WLAN ACL:

1.Select Security > ACLs from the main menu tree.

2.Click the Attach-WLANtab.

Image 249

Motorola WS5100 manual Attaching an ACL on a Wlan Interface/Port, Click on the Attach tab Click on the Add button

Contents

WS5100 Series Switch Motorola, Inc. All rights reserved Contents Switch Services Network Setup TOC-3 Switch Security Diagnostics Switch Management TOC-5 TOC-6WS5100 Series Switch System Reference Guide Introduction Documentation SetDocument Conventions Notational Conventions Hardware Overview Overview Power Cord Specifications Physical SpecificationsPower Protection System Status LED Codes Start Up Error CodesPrimary Standby Infrastructure Features Switch includes the following Infrastructure featuresSoftware Overview Configuration Management Installation FeatureText Based Configuration Licensing Support Tracing / Logging ServiceabilityProcess Monitor Hardware Abstraction Layer and Drivers Password Recovery Wireless SwitchingSwitch includes the following wireless switching features Secure Network Time Protocol Sntp Physical Layer Features 802.11a 802.11bgRate Limiting HotSpot / IP Redirect Proxy-ARP Voice Prioritization IDM Identity Driven ManagementSelf Healing Currently voice support implies the following Wireless Capacity Neighbor ConfigurationDetector APs Self Healing Actions AP Balancing Across Multiple Switches Wireless RoamingMU Balancing Across Multiple APs MU Move Command Interswitch Layer 2 RoamingL3 Roaming Fast Roaming 2.12 QoS Power Save Polling802.11e QoS 802.1p Support Data QoS Wireless Layer 2 SwitchingDcscp to AC Mapping Automatic Channel Selection Switch includes the following wired switching features Wired SwitchingDhcp Servers Ddns WS5100 switch supports 32 Wlans Management FeaturesVlan Enhancements Interface Management Security Features Encryption and AuthenticationSwitch includes the following wired security features Keyguard-WEP MU AuthenticationKerberos 802.1x EAP 5.7 802.1x Authentication Switch-to-WiredSecure Beacon MU to MU Allow Reset Username/Password to Factory Defaults Change Username/Password after AP AdoptionLldp is always enabled and cannot be disabled Ieee 802.1AB Lldp Rogue AP Detection RF scan by Access Port on all channels Snmp Trap on discovery Authorized AP ListsRogue AP Report Access Port Support 5.14 NATCertificate Management Accessing the Switch Web UI Content of this chapter is segregated amongst the followingWeb UI Requirements Connecting to the Switch Web UI Switch Web UI Access and Image Upgrades Switch Password Recovery Upgrading the Switch Image from 1.4.x or 2.x to Version Upgrading the Switch Image Auto Installation Enables are set using the autoinstall feature command Configuring Auto Install via the CLI AP-4131 Access Point to Access Port Conversion Downgrading the Switch ImageEnables are cleared using the no autoinstall feature Whenever a string is blank it is shown as --not-set Select the AP Installation main menu item Select the Special Functions main menu item 10WS5100 Series Switch System Reference Guide It consists of the following two tabs Viewing the Switch Interface Viewing the Switch Configuration Time Displays the time of day used by the switch Time Zone TroubleshootingIncorrectly could render your switch as operating illegally System Name Viewing Dashboard Details Severity Last Occurrence Message # Occurrences Name Viewing Switch StatisticsStatus Speed Avg Signal Utilization issues negatively impacting performanceNumber of MUs Associated Number of APs Viewing the Port Configuration Viewing Switch Port Information Editing the Port Configuration ModifiedDuplex Displays the port as either half or full duplex Viewing the Ports Runtime Status Viewing the Ports Statistics Ethernet ports have a maximum MTU settingName Displays the ports current name MAC Address Oper Status Indication of a network problem Packets In ErrorNetwork issues Different port could be required Detailed Port Statistics Output Unicast Viewing the Port Statistics GraphOutput Packets With interface is saturated Switch Information Size Bytes Viewing Switch Configurations Viewing the Detailed Contents of a Config File Main screen displays the contents of the configuration file Editing a Config File Transferring a Config File Viewing Switch Firmware Information PasswordPath Editing the Switch Firmware Enabling Global Settings for the Failover Image If using TFTP, use tftp//ipaddress/path/filename Updating the Switch Firmware Configuring Automatic Updates EnableBoot of the switch Password Enter the password required to access the server SettingFile Name With Protocol View By Viewing the Switch Alarm LogView All Index Viewing Alarm Log Details Solution Viewing Switch LicensesDescription Possible Causes How to use the Filter Option 30WS5100 Series Switch System Reference Guide Displaying the Network Interface Network Setup Switch Virtual Resolution EntriesWireless LANs DNS Servers Access Ports Configuring DNSViewing Network IP Information Select the Domain Network System tab Adding an IP Address for a DNS Server Configuring Global SettingsObsolete addresses are periodically removed Server IP Address Configuring IP Forwarding Following details display in the table Adding a New Static Route Route MetricActive Select the Address Resolution tab Viewing Address ResolutionTypically a Vlan Type Viewing and Configuring Layer 2 Virtual LANs Mode It can be either Access or Trunk Ethernet 1 or ethernetTrunk Is selected, the Allowed VLANs field is unavailable Editing the Details of an Existing Vlan Configuring Switch Virtual Interfaces Configuring the Virtual InterfaceMode drop-down menu Name Displays the name of the virtual interface Following configuration details display in the tableDisplays the Vlan ID associated with the interface Up or not Down Modifying a Virtual Interface Adding a Virtual InterfaceTo add a new virtual interface To modify an existing virtual interface Viewing Virtual Interface Statistics Packets, etc Viewing Virtual Interface Statistics Only hard-coded at the factory and cannot be modified Viewing the Virtual Interface Statistics Graph Viewing and Configuring Switch WLANs Configuring WLANsClick Close to close the dialog 4094. The default Vlan ID is EnabledAuthentication Modify the WLAN’s current authentication scheme Editing the Wlan Configuration Intended function of the Wlan Value used is unique Tunnel No Authentication802.1X EAP Kerberos Refer to the Advanced field for the following information Configuring 802.1x EAP Configuring Authentication Types Configuring Kerboros MU TimeoutMU Max Retries 28WS5100 Series Switch System Reference Guide Switch Hotspot Redirection Configuring Hotspots Configuring an Internal Hotspot Header Text Title TextFooter Text Small Logo URL Configuring External Hotspot Main Logo URLDescriptive Text Login Page URL Need to provide correct login information to access the WebFailed Page URL 34WS5100 Series Switch System Reference Guide Configuring Advanced Hotspot Network Setup Configuring External Radius Server Support Configuring Dynamic MAC ACL Authentication data source. The default port is Address Authentication data source Radius PortSecret Secondary Radius server Server Timeout Radius Server Motorola user privilege values User login source Configuring the User Login Sources Configuring Different Encryption Types Configuring WEP Key 1011121314 2021222324 3031323334 4041424344 Configuring WEP 128 / KeyGuard Default hexadecimal keys for WEP 128 and KeyGuard include Use the Key #1-4areas to specify key numbersKey Configuring WPA/WPA2 using Tkip and Ccmp Ascii Passphrase From entering the 256-bit key each time keys are generatedBit Key Viewing Wlan Statistics Pre-AuthenticationPMK Caching Opportunistic Key Ssid is the Service Set ID Ssid for the selected Wlan That may have similar characteristicsLast 30s Last Hr Viewing Wlan Statistics in Detail Refer to the RF Status field for the following information Viewing Wlan Statistics in a Graphical Format Refer to the Errors field for the following information 50WS5100 Series Switch System Reference Guide Viewing Wlan Switch Statistics Edit button on the Configuration tab within the WLANs Viewing VLAN/Tunnel AssignmentsClick the VLAN/Tunnel Assignment tab Configuring WMM Access WMM enabledFour Access Category types are Background Optimized for background traffic Category Network traffic Dscp to Access Access Category toCategory Network traffic Generic QoS GQoS application programming interface API Read-only and cannot be modified within this screen Editing WMM Settings Viewing MU Status Viewing Associated MU DetailsCW Minimum CW Maximum This address is burned into the ROM of the MU Power SaveReady Interoperating with Similar configurations Viewing MU DetailsDisplays of the Wlan the MU is currently associated with Viewing MU Statistics Selected MU from the access port ConfigurationPossible network or hardware problems Address is hard coded at the factory and cannot be modified Viewing MU Statistics in Detail Hard-coded at the factory and cannot be modified Refer to the Traffic field for the following information View a MU Statistics Graph Viewing Access Port Information Configuring Access Port Radios Access Ports screen consists of the following tabsName Displays a user assigned name for the radio Refer to the Properties field for the following Configuring Layer 3 Access Port Adoption on Configuring an AP’s Global Settings Port Authentication Editing AP SettingsClick the Configure Port Authentication button Network Setup MUs that can associate to a radio is Maximum MUs Beacon Interval RTS Threshold Configuring Rate Settings Self Healing OffsetDtim Periods Adding APs Viewing AP Statistics Average Mbps Differentiate the radio from other device radiosPackets that are sent and received RF Util Viewing AP Statistics in Detail Was encountered on the configured channel Statistic for the last hour Viewing AP Statistics in Graphical Format Click the Wlan Assignment tab Configuring Wlan Assignment Configurations Editing a Wlan AssignmentIts intended coverage area or function Identifier such as 1/4, 1/3, etc From the description field in the Radio Configuration screen Editing WMM Settings Viewing Access Port Adoption Defaults Configuring AP Adoption DefaultsTo view existing Radio Configuration information Channel. Default is random Options include Indoor or Outdoor. Default is IndoorPower dBm Defaults are 20 dBM for 802.11bg and 17 dBm for 802.11a Editing Default Radio Adoption Settings Stations that can associate to a radio are Dtim Period Transmission path Configuring Rate Settings Configuring Layer 3 Access Port Adoption Select/Change Assigned WLANs Assigned WLANs tab displays two fields Select Radios/BSS Cannot be modified Access Category reflects the radios intended network traffic Editing Access Port Adoption WMM Settings To edit the existing WMM settingsHigher priority traffic Viewing Adopted Access Ports Viewing Access Port Status Viewing Unadopted Access Ports Unadopted AP tab displays the following information Network Setup 96WS5100 Series Switch System Reference Guide Switch Services To display a Services Summary Displaying the Services InterfaceDhcp Servers NTP Time Dhcp Server Settings Configuring the Switch Dhcp ServerFor information on configuring GRE tunneling, see Pool Name Lease Time Editing the Properties of an Existing Dhcp PoolDdhhmm Domain Adding a New Dhcp Pool Click the Add button at the bottom of the screen Configuring Dhcp Global Options Configuring Dhcp Server Ddns Values 10WS5100 Series Switch System Reference Guide Can be assigned Viewing the Attributes of Existing Host PoolsHardware Address Client Name Configuring Excluded IP Address Information Configuring Dhcp Server Relay Information 14WS5100 Series Switch System Reference Guide Viewing Dhcp Server Status Configuring Secure NTP Defining the Sntp ConfigurationRefer to the contents of the Status tab for the following Refer to the Other Settings field to define the following Adding a New Sntp Symmetric Key Defining a Sntp Neighbor Configuration Hostname When adding or editing an NTP neighborSupport Neighbor Type Adding an NTP Neighbor Viewing Sntp Associations Select the NTP Associations tab Leap Viewing Sntp StatusTransmissions are synchronized Found in some workstations Configuring Switch Redundancy Root delayRoot Dispersion 26WS5100 Series Switch System Reference Guide Redundancy ID Redundancy SwitchMode Discovery Period Reviewing Redundancy Status Redundancy Group License Aggregation Rules on Configuring Redundancy Group Membership Do not match this switch’s parameters Not Seen The member is no more seen by this switchValues Module Displaying Redundancy Member Details Updates Sent Complimentary with this switch’s version?Updates Received Adoption Capacity Adding a Redundancy Group Member Redundancy Group License Aggregation Rules Layer 3 Mobility Configuring Layer 3 Mobility 36WS5100 Series Switch System Reference Guide Switch Services Defining the Layer 3 Peer List Select the Peer Statistics tab Reviewing Layer 3 Peer List Statistics Reviewing Layer 3 MU Status Configuring GRE Tunnels Assigning priority to different types of traffic To configure GRE tunnelling on the switch Source IPDestinations IP Disabled Editing the Properties of a GRE TunnelInterface IP Adding a New GRE Tunnel Select the Enable Neighbor Recovery checkbox Configuring Self Healing Select the Neighbor Details tab Configuring Self Healing Neighbor Details Editing the Properties of a Neighbor Switch Services Configuring Discovery Profiles Configuring Switch Discovery To be located Profile NameStart IP Address Network devices is conducted Adding a New Discovery Profile Viewing Discovered Switches Different profile for the switch discovery process Assigned using the Switch Configuration screenDiscovery profile and launching a new search New search Displaying the Main Security Interface Switch Security Detection Wireless FiltersCertificates Trustpoints Enabling and Configuring AP Detection To configure AP DetectionAP Intrusion Detection Unapproved AP TimeoutRefresh Time BSS MAC Address Any MAC Address Adding or Editing an Allowed APSpecific MAC Address Particular index To review the attributes of allowed APs Approved APs Reported by APs Therefore interpreted as a threat on the network Unapproved APs Reported by APsAddress to a new Allowed AP index Dbm Unapproved APs Reported by MUs Seconds Detecting APEssid to a new Allowed AP index To configure MU intrusion detection Configuring MU Intrusion DetectionMU Intrusion Detection As a threat Contents of the MUs that have been filtered thus far Switch columnsViolation Type Mobile Unit Click on Revert to rollback to the previous configuration Viewing Filtered MUsIdentifier Configuring Wireless Filters Refer to the Associated WLANs field for following Filters field contains the following read-only information Editing an Existing Wireless Filter Enter the a hex value for the Starting MAC address Adding a new Wireless Filter Associating an ACL with Wlan Configuring ACLs ACL Overview Switch supports the following ACLs to filter trafficRouter ACLs For more information, see Port ACLs Wireless LAN ACLs ACL ActionsPrecedence Order Adding a New ACL Configuring an ACL Adding a New ACL Rule 22WS5100 Series Switch System Reference Guide Editing an Existing Rule Attaching an ACL Adding a New ACL ConfigurationEth1 Eth2 Click on the Attach tab Click on the Add button Attaching an ACL on a Wlan Interface/Port Displays the IP ACL configured Adding a New ACL Wlan ConfigurationDisplays the MAC ACL configured Direction Reviewing ACL Statistics Configuring NAT Information Defining Dynamic NAT TranslationsClick on the Dynamic Translation tab LAN over the switch managed network Anywhere on the InternetAccess List Type Displays the NAT type as either Adding a New Dynamic NAT Configuration Click the Static Translation tab Defining Static NAT Translations Click on the Static Translation tab Adding a New Static NAT Configuration Switch Security Available from the drop-down menu for use as the interface Configuring NAT Interfaces Viewing NAT Status Inside-Global Configuring IKE SettingsWorld Inside Local Click the Configurations tab Defining the IKE Configuration Aggressive Mode Setting IKE PoliciesPeer IP Address Peers Switch Security Default value SHA The default valuePriority Highest priority value Include Options includeSecret without transmitting it to one another Viewing SA Statistics Configure a Dhcp Sever to give public IP address Configuring IPSec VPN Configure security associations parameters Defining the IPSec Configuration Transport Editing an Existing Transform Set Adding a New Transform Set AH AuthenticationESP Encryption Tunnel or Transport Scheme Include None No AH authentication is used Click the IP Range tab to view the following information Defining the IPSec VPN Remote Configuration Configuring Ipsec VPN Authentication Default port is Click the Authentication tabPort Shared Secret Configuring Crypto Maps Crypto Map Entries Click the Crypto Maps tab and select Crypto Map EntriesPriority / Seq ACL ID Mode Config Crypto Map Peers Priority / Seq # Click the Crypto Maps tab and select PeersHigher the priority Peer Name Crypto Map Manual SAs Transform SetSet for protecting the data flow Crypto Map Transform Sets Protecting the data flow Crypto Map Interfaces Viewing IPSec Security Associations Index from others with similar configurations Setting up Radius on the switch entails the following Configuring the Radius ServerRadius Overview TLS and MD5 Ttls and PAP Ttls and MSCHAPv2 Peap and GTC Peap and MSCHAPv2 User Database Using the Switch’s Radius Server Versus an External Radius Defining the Radius Configuration Radius Proxy Server Configuration Radius Client Configuration Configuring Radius Authentication and Accounting EAP and Auth Type Specify the EAP type for the Radius server Cert Trustpoint Configuring Radius UsersCA Cert Trustpoint Activity is detected User Guest UserTheir Radius privileges expire Configuring Radius User Groups Guest Group Select the Groups tab Time of access Configured WLANsViewing Radius Accounting Logs Available WLANs Select the Accounting Logs tab Creating Server CertificatesAutomatically once they reach their limit Size Certificate was issued Using Trustpoints to Configure CertificatesCity L Within the State/Prov stated Creating a Server / CA Root Certificate Key for you new certificate Using the Wizard to Create a New Certificate 78WS5100 Series Switch System Reference Guide City OrganizationOrganization Unit Using the Wizard Delete Operation To use the wizard to delete trustpoint propertiesRequests Click the Next button to complete the trustpoint removal Configuring Trustpoint Associated Keys Adding a New Key Select the Keys tab Keys tab displays the followingKey Label Transferring Keys 84WS5100 Series Switch System Reference Guide Displaying the Management Access Interface Switch Management Configuring Access Control To configure access control settings on the switchLog Output Network. This setting is enabled by default Enable TelnetLong as the Enable Telnet option remains enabled Enable Snmp Retries 360 is associated with the SSH-Server Configuring Snmp Access Configuring Snmp v1/v2 Access Access ControlCommunity Name Editing an Existing Snmp v1/v2 Community Name Configuring Snmp v3 Access User Name Unique SNMPv3 usernames and passwords include Select Management Access Snmp Access from the main menu tree Editing a Snmp v3 Authentication and Privacy Password Accessing Snmp v2/v3 Statistics Read-Only errorsV2/V3 Metrics Usm Statistics Values Configuring Snmp Traps Enabling Trap ConfigurationTo configure Snmp trap definitions Redundancy WirelessMiscellaneous Mobility To configure Snmp trap threshold values Configuring Trap ThresholdsThreshold Name Generation 14WS5100 Series Switch System Reference Guide Radio Range Wlan Range Wireless Units Wireless Trap Threshold Values To configure the attributes of Snmp trap receivers Configuring Snmp Trap Receivers Editing Snmp Trap Receivers Adding Snmp Trap ReceiversTo add a new Snmp trap receiver Configuring Local Users Configuring Management Users Creating a New Local User Modifying an Existing Local User Provides read-only permissions Redundancy/clustering and control access Creating a Guest Admin and Guest User Assign the guest-admin WebUser Administrator access Configuring Switch Authentication Assignment is from 1 Not a DNS name Modify the following Radius Server attributes as necessary Modifying the Properties of an Existing Radius Server Address Not a DNS name Radius Server Port Adding a New Radius ServerIs from 1 Session. The available range is between 0 Switch Management 28WS5100 Series Switch System Reference Guide Displaying the Main Diagnostic Interface Diagnostics Switch Environment CPU Performance Switch Disk Allocation Switch Memory AllocationBuffer Usage Switch Memory Processes Other Switch Resources Configuring System Logging Log OptionsSelect the Other Resources tab 8WS5100 Series Switch System Reference Guide Log level File ManagementMade, they have been accounted for Date Viewing the Entire Contents of Individual Log Files Transferring Log Files Reviewing Core Snapshots Troubleshooting issues Transferring Core SnapshotsFile extension is always .core for core files Select a target file, and select the Transfer Files button Reviewing Panic Snapshots Remaining nine are renamed so the newest can be saved as Size Displays the size of the panic file in bytes CreatedPanic actually occurred Transferring Panic Files Viewing Panic Details Debugging the Applet Select Diagnostics Applet Debugging from the main menu Configuring a Ping Not received by the switch from its target device Timeout secTime between the switch and its connected device New ping test is required Modifying the Configuration of an Existing Ping Test TimeoutsecAdding a New Ping Test Between the switch and its connected device Within the Configuration tabTest Name Test description to convey the overall function of the test Viewing Ping Statistics Last Response Average RTT 24WS5100 Series Switch System Reference Guide Motorola’s Enterprise Mobility Support Center Customer Support Web SiteGeneral Information 2WS5100 Series System Reference Guide Page Motorola INC