
Aerohive QuickStart and Deployment Guide Supplement


About This Guide

Whereas the various Aerohive AP and router QuickStarts and the Aerohive Deployment Guide explain how to deploy devices in typical network environments where they can receive their network settings through DHCP, this guide explains alternate ways to deploy APs, routers, and CVGs (Cloud VPN Gateways) under different circumstances. It also includes some commonly used CLI commands and deployment tips that might prove useful during the setup of your Aerohive products.

This guide is intended as a resource for all Aerohive administrators to aid in the deployment of their Aerohive products. If you would like to see an explanation for anything that is not covered in this guide—or anywhere else in Aerohive product documentation—please contact [email protected]. We welcome your suggestions and will strive to provide the documentation you need to use Aerohive products more effectively.

To register, get product documentation, and download software updates, visit www.aerohive.com/support.

Copyright © 2012 Aerohive Networks, Inc. All rights reserved

Aerohive Networks, Inc.

330 Gibraltar Drive

Sunnyvale, CA 94089

P/N 330090-01, Rev. A

To learn more about Aerohive products visit www.aerohive.com/techdocs Aerohive Networks, Inc.


Contents

AP Deployment in a Network without DHCP
  Console Connection
  Virtual Access Console
  Configuring Network and HiveManager Settings
Router Deployment in a Network without DHCP
Useful CLI Commands
Deployment and Configuration Tips


AP Deployment in a Network without DHCP

Although DHCP is commonly available in most networks, you might occasionally find it necessary to add APs to a network without it. For example, management networks sometimes use static IP addressing while their accompanying access networks provide addresses to clients dynamically. In such cases, the APs require static network settings while acting as DHCP servers to assign network settings dynamically to clients connected to them.

After you connect an AP to a network and power it on, its default behavior is to act as a DHCP client and try to get its network settings automatically from a DHCP server. However, if there is no DHCP service in that network, then you must access the CLI and define the network settings for the AP yourself.

To configure static network settings for an Aerohive AP that is cabled to a network, follow either of the next two procedures to access the CLI.

Console Connection

One way to access the CLI is to use an RS-232 serial (or "null modem") cable, which is available from Aerohive as an optional accessory (AH-ACC-Serial-DB9), to make a physical connection from your management system to the AP. You might also need a DB9-to-USB adapter depending on the ports available on your management system. You also need a VT100 emulator on your management system.

1. Connect one end of the RS-232 serial cable to the serial port on your management system, or—with the aid of a DB9-to-USB adapter—to a USB port on your management system.

2. Connect the other end of the cable to the RJ-45 console port on the AP.

3. On your management system, run a VT100 terminal emulation program, such as Tera Term Pro© (a free terminal emulator). Use the following settings:

• Bits per second (baud rate): 9600
• Data bits: 8
• Parity: none
• Stop bits: 1
• Flow control: none

For APs set with "FCC" as the region code, the Initial CLI Configuration Wizard appears. For APs set with "world" as the region code, a prompt appears to set the country code for the location where you intend to deploy the AP. To set the country code, enter the boot-param country-code command, in which is the appropriate country code number. For a list of country codes, see the HiveManager GUI: Click Monitor > All Devices > Update > Update Country Code, and then view the New Country Code drop-down list.

4. Because you do not need to configure all the settings presented in the , press N to cancel it. The login prompt appears.

5. Log in using the default login name admin and password aerohive.


Virtual Access Console

Another way to access the CLI is to use the virtual access console. This is a way of accessing the CLI on an Aerohive AP wirelessly through a special SSID that the AP, by default, automatically activates for administrative access when its mgt0 interface has no configuration. This is a convenient approach to take if the AP is already mounted in a location that is difficult to access, such as on a ceiling or high wall.

The default virtual access console SSID name is “_ac”. The default host name of an AP consists of "AH-" plus the last six digits of its MAC address; for example, AH-123456. In this case, the name of the default virtual access console SSID would be "AH-123456_ac". By default, this SSID uses aerohive as the PSK (preshared key) for authenticating user access. To access the virtual access console, do the following:

1. Using your wireless client, scan for wireless networks. If you are within range, an SSID such as "AH-123456_ac" appears.

2. Select that SSID, and when prompted to enter a network key, type aerohive, and then click Connect.

3. Check the IP address of the default gateway that the DHCP server for the wireless interface on the AP assigns your client. Then make an SSH or Telnet connection to the AP at that IP address. (Note that the Telnet connection is protected by WPA2 security mechanisms.) When prompted to enter your credentials, enter the default login name admin and password aerohive.

Configuring Network and HiveManager Settings

After connecting to the CLI, you can now configure static network settings (IP address, netmask, default route, and DNS server) for the AP and the IP address or domain name of the HiveManager to which you want the AP to connect so that you can manage it.

1. If you are accessing the CLI wirelessly over a virtual access console SSID, temporarily change its mode from “auto” to “enable”. When it is in automatic mode, the AP enables the virtual access console only when the mgt0 interface does not have an IP address. As soon as you assign it a static IP address, the AP will automatically close the virtual access console, which will prevent you from entering other commands, such as its default route. To keep the virtual access console SSID up indefinitely so that you can finish configuring the AP, enter the following command:

access-console mode enable

2. Enter the following commands to disable the DHCP client running on the mgt0 interface and set a static IP address and netmask for it. You then define a default route and the IP address of its primary DNS server:

no interface mgt0 dhcp client
interface mgt0 ip /
ip route default gateway
dns server-ip

3. Enter the next command to set the IP address or domain name of the HiveManager that you want the AP to contact for further management:

capwap client server name { | }

4. To test the accessibility of the default gateway for the AP, ping its IP address:

ping

5. To test domain name resolution, ping a domain name, for example:

ping www.aerohive.com


6. To check that the AP has a secure CAPWAP connection to HiveManager, enter the following command:

show capwap client

7. To return the virtual access console to automatic mode, enter the following command:

access-console mode auto

When you do, the AP terminates the current access console SSID as well as your Telnet or SSH session.

If you want to keep the virtual access console SSID available even when the AP has an IP address for its mgt0 interface, then leave the mode as “enable” and change the PSK for the SSID so it no longer uses the default text string (aerohive). You can do this by entering the following command:

access-console security protocol-suite wpa2-aes-psk ascii-key

The PSK can be from 8 to 63 characters long. To help guard against anyone guessing the PSK, use a fairly long string with a combination of numerals, special characters, and upper- and lower-case letters. Aerohive supports the following special characters: ! ~ ` @ # $ % ^ & * ( ) - + = . ; ' ] [ _ { } | \ /

This configuration will last until you push a configuration to the AP from HiveManager. Then the access console settings defined in the network policy will overwrite the existing configuration. To define the virtual access console in HiveManager, open the Configure Interfaces & User Access panel in the network policy that you want to apply to the AP, and then click Modify for Additional Settings. Expand Service Settings, and then click the New ( + ) for Access Console. In the dialog box that appears, you can choose Enable from the Mode drop-down list, and enter the PSK string that you want to use when accessing the virtual access console SSID.

8. From this point, you can use HiveManager to continue configuring and monitoring the AP. Log in to HiveManager and check that the AP is listed on the Monitor > Devices > Access Points > Aerohive APs page. Select the check box for the AP, and then click Modify to view its current device-level settings and make any changes if needed. Then click Configuration, choose the network policy that you want to apply to the AP, and configure the hive, SSIDs, and other additional settings that you want it to use. When you upload the configuration to the AP, HiveManager will include both the network policy and device-level settings.
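The PSK guidance given above for the virtual access console (8 to 63 characters, a mix of numerals, special characters, and upper- and lower-case letters, drawn from the supported special characters, and not the default aerohive) can be checked and met programmatically. The following Python is an added example, not part of the Aerohive guide or of HiveOS; the function names psk_problems and generate_psk and the 32-character default length are assumptions made here.

```python
import secrets
import string

# Special characters the guide lists as supported in the access console PSK.
AEROHIVE_SPECIALS = "!~`@#$%^&*()-+=.;'][_{}|\\/"
ALPHABET = string.ascii_letters + string.digits + AEROHIVE_SPECIALS
DEFAULT_PSK = "aerohive"  # factory default named in the guide


def psk_problems(psk):
    """Return the reasons a PSK fails the guide's advice (empty list = OK)."""
    problems = []
    if not 8 <= len(psk) <= 63:
        problems.append("length must be 8 to 63 characters")
    if psk == DEFAULT_PSK:
        problems.append("factory default PSK")
    bad = sorted({c for c in psk if c not in ALPHABET})
    if bad:
        problems.append("unsupported characters: " + " ".join(map(repr, bad)))
    classes = {
        "lower-case letter": string.ascii_lowercase,
        "upper-case letter": string.ascii_uppercase,
        "numeral": string.digits,
        "special character": AEROHIVE_SPECIALS,
    }
    for name, chars in classes.items():
        if not any(c in chars for c in psk):
            problems.append("no " + name)
    return problems


def generate_psk(length=32):
    """Draw a random PSK from the supported alphabet until it passes every check."""
    if not 8 <= length <= 63:
        raise ValueError("PSK length must be 8 to 63 characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not psk_problems(candidate):
            return candidate


if __name__ == "__main__":
    # Constructed sample inputs; only "aerohive" comes from the guide.
    for sample in ("aerohive", "Summer2012", "short", "Tr1cky pass\"word"):
        print(repr(sample), "->", psk_problems(sample) or "ok")
    print("generated:", generate_psk())
```

The generator uses the secrets module rather than random so that the PSK comes from the operating system's cryptographic random source.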


Router Deployment in a Network without DHCP

The previous section explains the steps involved in configuring an Aerohive AP in a network that does not use DHCP to provide network settings dynamically to connected devices. For routers deployed in a network without DHCP, the configuration of static network settings is even simpler due to the NetConfig UI built into the routers.

To configure static network settings for an Aerohive router connected to a network, use the NetConfig UI as explained below.

1. Connect your management system as a DHCP client to a LAN port on the router. All Aerohive routers ship with a default configuration that enables a DHCP client on the WAN port and a DHCP server on each LAN port.

2. Check the default gateway that the DHCP server assigns your client. Then, open a browser and enter the default gateway IP address in the URL field.

3. When the login prompt appears, enter the default login name and password: admin, aerohive.

4. Select Static Network Settings, and then enter an appropriate IP address, netmask, and gateway IP address for the WAN interface. Also, enter the IP address of the primary DNS server and the IP address or domain name of the HiveManager that you want the AP to contact for further management. You can also configure the router to use HTTP and an HTTP proxy server to connect to HiveManager. When done, click Apply.


By default, the router proxies the domain name lookups that it receives from its clients to the DNS server in its configuration and translates the source IP addresses in outbound client traffic to that of its WAN interface.

5. To test that your management system can reach the network beyond the router, ping a known public IP address, such as that of the Aerohive NTP server:

ping 206.80.44.205

6. To test that your management system can use DNS to resolve domain names to IP addresses, ping a domain name (for example, ping www.aerohive.com) or open a browser and try to access a public web site.

7. To check that the router has a CAPWAP connection to HiveManager, check its status LED. When it is not connected to HiveManager, it glows amber. When it is connected, it glows white. Also, log in to HiveManager, and check that the router appears on the Monitor > Devices > Routers page.

8. From this point, you can use HiveManager to configure and monitor the router. Select the check box for the router on the Monitor > Devices > Routers page, and then click Modify to view its current device-level settings and make any changes if needed. Then click Configuration, choose the network policy that you want to apply to the router, and configure the hive, SSIDs, LAN ports, and other additional settings that you want it to use. When you upload the configuration to the router, HiveManager will include both the network policy and device-level settings.

Useful CLI Commands

You can view the status of various functions and make configuration changes through the HiveOS CLI. Here are some commonly used commands:

Use these commands:                         To do the following:

show interface                              Check the status of both wired and wireless interfaces on a device
show l3 interface                           See the IP addresses of all Layer 3 interfaces on a device
no interface { mgt0 | eth0 } dhcp client    Disable the DHCP client on the mgt0 or eth0 interface
interface { mgt0 | eth0 } ip /              Set the IP address and netmask of the mgt0 or eth0 interface
ip route default gateway                    Set the default gateway for the mgt0 interface on an AP or the WAN interface on a router or CVG
show capwap client                          See CAPWAP client settings and status
show hive                                   See the hive name
show hive neighbor                          Check for any neighboring hive members
show vpn ike event                          See IKE Phase 1 and Phase 2 initiation and establishment events
show ip route                               See all Layer 3 routes on the device, including routes through VPN tunnels
show ssid                                   See a list of all SSID names


show { ospf | rip } neighbor                (CVG as a L3 VPN gateway) See a list of OSPF or RIP neighbors
show { ospf | rip } route                   (CVG as a L3 VPN gateway) See routes learned through OSPF or RIP
reset config                                Return the configuration on a device to its factory default settings
save config                                 Save the configuration to
reboot                                      Reboot the device
show cmds | include                         Show a list of CLI commands containing the specified text string

Only set the following command when managing devices through HiveManager or HiveManager Virtual Appliance. Do not use it with HiveManager Online.

capwap client server name                   Set the IP address or domain name of the CAPWAP server (HiveManager)

The commands listed above are the more common ones. For a complete set of commands, see one of the online Aerohive CLI Reference Guides. They are organized by release and then by platform. You can access them, and other Aerohive product documentation, at www.aerohive.com/techdocs.

Deployment and Configuration Tips

The following are some tips and suggestions to help you troubleshoot a few common problems that might arise when setting up an Aerohive device:

• For APs with external antennas, make sure that you connect the 2.4 GHz antennas to the 2.4 GHz connectors, and the 5 GHz antennas to the 5 GHz connectors.

• If you manage an Aerohive device through HiveManager Online and it does not show up on the Monitor > Devices > All Devices page, do the following:

  • Check if the device serial number is listed in the ACL (access control list) on the Aerohive redirection server. (Log in to myhive.aerohive.com, and then click Redirector > Monitor > Device Access Control List.) If not, click Enter, type its serial number in the Device Serial Number field, and then click Save. When done, reboot the device.

  • Check connectivity to the Aerohive redirection server:

    ping redirector.aerohive.com (Check connectivity from the AP network)

    capwap ping redirector.aerohive.com (Check connectivity through CAPWAP)

  • Ensure that any intervening firewalls allow one of the following sets of services from the device to HiveManager Online:

    CAPWAP (UDP 12222), SSH (TCP 22), and HTTPS (TCP 443)

    or

    HTTP (TCP 80) and HTTPS (TCP 443)


• If a wireless client cannot form an association with an SSID, check that the client is within range and that it is configured to use the same authentication method as the SSID. For example, if the client is configured to use Open or WEP authentication but the SSID is set for WPA or WPA2, the client will not be able to associate with the Aerohive device. To see the security settings for an SSID, log in to HiveManager, click Configuration > Show Nav > SSIDs > ssid_name, and look at the SSID access security type, the key management method, and the encryption method.

• If the client associates and authenticates itself, but the Aerohive device cannot forward traffic, check that it is assigning the correct user profile and, if so, that it is also assigning the correct VLAN. To see the user profile and VLAN that a device assigns a client, log in to HiveManager, click Monitor > Clients > Active Clients > client_mac_address. Check the user profile attribute and VLAN. If those are correct, then check that the client has received its network settings through DHCP. To check connectivity to a DHCP server, click Tools > VLAN Probe, choose the device with which the client is associated from the Aerohive Device drop-down list, and enter IDs for the VLAN range that you want to check. Click Start to send a DHCP DISCOVER message, and see if it elicits a response. Also check that the VLAN configuration for the port on the connecting switch is correct.

To remove all settings and return the configuration to its factory default settings, enter the reset config command, or use a pin to press the Reset button on the chassis of the Aerohive device and hold it down for at least 10 seconds.
