
ECS-ExtremeWireless Cloud Student Guide v21.04


ECS-ExtremeWireless Cloud

v21.04

1 ©2021 Extreme Networks, Inc. All rights reserved

Extreme uses Cloud Management, Machine Learning, and Artificial Intelligence to
radically simplify and secure the Access Network.

Our Cloud Managed Wireless, Switching, Routing, and Security technologies
provide unrivalled flexibility in deployment, management, and licensing.

Credited with pioneering Controller-less Wi-Fi and Cloud Management, Extreme
delivers continuous innovation at Cloud-speed that constantly challenges the
industry norm, allowing customers to rethink what’s possible.

Our innovations and global cloud footprint radically simplify Access Network
operation for 30,000+ customers and 10+ million daily users.

Welcome

• Facilities Discussion
• Introductions
• Extra Training Resources
• Course Overview
• Questions

Introductions

What is your name?
What is your organization’s name?
Customer or Partner?
How long in Wi-Fi or networking?
Have you used ExtremeCloud™ IQ before?

Extreme Dojo

• Free modular video-based training
• Shorter time to certification
• Expanded choice of instructor-led training
• Simplified and free recertification
• Gamified achievement levels

Extreme Support Portal

• Community forum discussions
• Knowledgebase (KB) and documentation

The Hub

https://community.extremenetworks.com/

The Hub (mobile access)

Product Documentation

https://docs.aerohive.com/330000/docs/help/english/ng/Content/reference/docs/docs.htm

ExtremeCloud™ IQ Videos

Feature videos are embedded throughout ExtremeCloud™ IQ; click wherever you see
the video icon to watch them

Agenda – Part 1/3

• Solution Overview
• Distributed Architecture Overview
• Creating an ExtremeCloud Account
• Predictive Modeling
• Lab 1
• WLAN Design Concepts
• Device Discovery and Provisioning
• Lab 2
• Switch Provisioning
• Guided Configuration & Object Management
• Create a Network Policy
• Lab 3
• Managing Clients, Users and Client 360
• Lab 4
• Managing devices
• Lab 5
• User Profiles
• Secure WLAN using 802.1X/EAP
• Lab 6
• Troubleshooting 802.1X
• Lab 7

Agenda – Part 2/3

• Network 360º
• RF Heat Maps
• Lab 8
• Private Pre-Shared Key (PPSK)
• Lab 9
• Guest Users
• Lab 10
• Radio Profiles
• Lab 11
• Device Templates
• Lab 12
• Software Defined Radio (SDR)
• Lab 13
• Cloud Config Groups (CCG) & Classification Rules
• Lab 14
• Deployment Optimization
• Diagnostic Tools
• ML Insights and Reports
• Lab 15
• Administration
• Device Firmware Updates

Agenda – Part 3/3

• Essentials Applications
• ExtremeAirdefense Essentials
• ExtremeGuest Essentials
• ExtremeIOT Essentials
• ExtremeLocation Essentials
• ExtremeCloudIQ CoPilot

Solution Overview

ExtremeCloud™ IQ

Extreme’s Cloud Services (ECS) platform provides cloud-based network access
management:
• A suite of APIs for network integration and custom application development
• Big data platform
• ExtremeCloud™ IQ is Extreme’s cloud network management solution

ExtremeCloud™ IQ

The Extreme Cloud infrastructure includes two major components:
• Global Data Center (GDC)
• Regional Data Centers (RDC)

ExtremeCloud™ IQ

Global Data Center

The GDC performs tasks related to the overall management of Extreme’s cloud
infrastructure, e.g.:
• Managing Administrator and Customer accounts
• IQEngine and XIQ Image distribution
• Sign on, landing page to the HM Cloud

ExtremeCloud™ IQ

Regional Data Center

The RDCs perform all tasks related to managing customer networks, for an
assigned set of customer networks, including:
• Network devices
• Client information
• Application visibility

Customer data resides in the RDCs and does NOT leave its RDC

ExtremeCloud™ IQ

• Extreme Networks has designed a geographically distributed public cloud architecture with data centers located in North America, Europe, and Asia Pacific.
• This optimizes regional service performance for our cloud networking services, and also enables Extreme to demonstrate compliance with local data security and privacy regulations.
• Customer data resides at the RDC-level and stays in region and in-country
• Extreme’s cloud platform can be hosted in AWS, Google, or Azure.
• Extreme is the only vendor to be able to provide unlimited data retention.

ExtremeCloud™ IQ

ExtremeCloud™ IQ – Data Retention and Cloud Providers

EXTREME CLOUD IQ ARCHITECTURE
Monolithic vs Microservices

A consequence of (and rationale for) following this approach is that the
individual microservices can be individually scaled.
In the monolithic approach, an application supporting three functions would
have to be scaled in its entirety even if only one of these functions had a
resource constraint. With microservices, only the microservice supporting the
function with resource constraints needs to be scaled out, thus providing
resource and cost optimization benefits.

ExtremeCloud™ IQ
Data Security and Privacy

• First major cloud-managed networking vendor to attain ISO/IEC 27001 certification for its Information Security Management Systems (ISMS)
• This has now been augmented by ISO/IEC 27017 and ISO/IEC 27701 for all cloud services AND applications
• ExtremeCloud™ IQ is equipped with features that enable our customers to address full compliance with the European Union’s General Data Protection Regulation (GDPR)
• In addition, ExtremeCloud™ IQ provides logging and audit tools to track these actions so our customers can better document them

ExtremeCloud™ IQ
Private Cloud

• Extreme offers the broadest range of Cloud Networking deployment options for access network management: Public Cloud – Private Cloud – Virtual Appliance.
• Extreme partners and customers with large scale requirements above five thousand devices can deploy their own Private Cloud instance of ExtremeCloud IQ, capable of managing up to one million connected access points, switches, and routers.

ExtremeCloud™ IQ
Private Cloud

Private Cloud is an ideal solution for Managed Service Providers (MSPs) or
enterprises who want the scalability and elasticity of the Cloud with the added
control of hosting it in their on-premises datacenter or in their own Cloud
Service Provider account

ExtremeCloud™ IQ
Local Cloud

• It’s an on-premises version of ExtremeCloud™ IQ, typically deployed in the customer’s private network
• An ExtremeCloud™ IQ Virtual Appliance can manage up to 5000 devices such as APs and switches
• This solution is ideal for small and mid-size enterprises or partners who want the power of the Cloud in addition to complete control over their local deployment

Licensing

Multi-vendor management

Simplify Network Management

ExtremeCloud™ IQ provides management of 3rd party switches from our technology
partners to unify and simplify your access layer

Wi-Fi 6 (802.11ax)
What is new?

• OFDMA – better use of the frequency space
• BSS Color – Mitigate Cross Channel Interference (CCI)
• Downlink MU-MIMO for up to 8 devices
• 1024-QAM – Higher data rates
• Target Wake Time (TWT) – Great for IoT devices

OFDMA
True multi-user communications

[Diagram labels: Resource Unit (RU); Client 1 to Client 6; axes: Subcarriers (Channel width) and Time]

Cloud Managed Networking and Wi-Fi 6 Technical Resources

https://www.extremenetworks.com/resources/ebook/cloud-managed-networking-for-dummies-concepts-architectures-benefits/
https://www.extremenetworks.com/cloud-technology
https://www.extremenetworks.com/resources/ebook/wi-fi-6-for-dummies

Dual 5 GHz Software Defined Radios (SDR)

Radio #1: SDR
• 2.4 GHz: Channel 6
• 5 GHz: Channel 100

Radio #2: Fixed 5 GHz
• 5 GHz: Channel 40

Supported APs
• AP250
• AP550
• AP650
• AP650X

SDR radio can switch between 2.4 GHz and 5 GHz

Distributed Architecture Overview
Cooperative Control

The Evolution of Wi-Fi Architecture

1 No Control: NMS, Autonomous AP
2 Centralized Controller: NMS, Physical Controller, Thin AP
3 Hybrid Controller: NMS, Virtual Controller, Hybrid AP
4 Cloud Controller: Limited Cloud Control, Thin AP
5 Distributed Control: Cloud Management, Distributed Control

Wi-Fi is continually evolving. Originally, we had access points that had no intelligence whatsoever,
and that was ok because there was limited need for co-ordination. However, as the years rolled on
and Wi-Fi was headed towards becoming the primary access medium, things changed. We realized as an
industry that ‘control’ was required to enable a sustainable model for enterprise Wi-Fi.

This led to the development of the wireless LAN controller, a centralized box that acted as the brain
of the network. In an ideal world, we would have placed the intelligence directly into the access
points; however, as the inventor of the controller stated, it would have been economically impossible
to do so with the cost of the chipsets in the day.

In recent years, as the shortfalls of controllers (speed, scale, redundancy, etc.) became widely
acknowledged, vendors developed new methods of distributing control functionality.

First came the virtualized controller, the notion of having an access point become the controller for a
group of access points, or putting the controller into the cloud and telling the customer not to worry
about it, an out-of-sight, out-of-mind kind of thing. All of these methods had shortcut written all over
them and each faced limitations. That led to the acceptance of fully distributed control.

Through distributed control, the intelligence (control plane) is all placed into the access points
themselves, and the management remains centralized for ease of administration. The concept of
fully distributed control is a principle that the inventor of the controller had desired to achieve;
however, it was only made possible some years later through the observance of Moore's law.
Distributed control combined with cloud networking increases speed, scale, and resiliency within the
network, without sacrificing the centralized design, deployment, and support of enterprise wireless
networks.

Why Distributed Control is important

Smarter Access Layer

• Shared control plane increases speed, resiliency, and scale
• No need for dedicated wireless LAN Controllers

Wireless LAN Control
“The brain of a WLAN”

• Adaptive RF management
• Enable fast and secure roaming for clients across layer 2 (switched) and layer 3 (routed) boundaries
• Determine and enforce client authentication and access control policies
• Client Load Balancing and Band Steering
• And Much More…

Dynamic RF management
• Radio Channel Selection
• Radio Power Selection
• Load Balancing

Determine and enforce client authentication and access control policies
• Authentication mechanisms
• Policies based on BYOD, guest, employee or staff, contractor, teachers, students, etc.
• L2 – L7 Firewall Policy, with deep packet inspection for applications
• QoS Rate control and Queuing with deep packet inspection for applications

Enable fast and secure roaming for clients across layer 2 (switched) and layer 3 (routed) boundaries
• Maintain IP and active sessions while roaming among APs

Client Load Balancing and Band Steering
• Ensure clients are on the right radio band on the right APs

WLAN Control Plane
(Not Management)

• APs with Centralized on-Premise Wireless LAN Controllers (Cisco, Aruba)
• APs with mix of Cloud and on-premise WLAN control functions (Cisco/Meraki)
• APs that use an elected AP as a Controller and do some local AP control exchange (Aruba Instant)
• APs with Protocol-based Cooperative Control and Flow-based Forwarding (Extreme Networks)

Extreme Distributed Architecture

[Diagram labels: HQ Network; WAN; Branch Networks; dashed lines (------) are Cooperative Control Messages]

ExtremeCloud™ IQ
• Centralized Configuration, AP OS Management, Planning, Monitoring, Dashboards, Analytics, and Troubleshooting

WLAN control function with Cooperative Control Protocols is distributed among all APs
• No centralized controller
• No controller in the cloud
• No controller in an AP
• No virtual controller

Extreme Distributed Architecture

[Diagram labels: HQ Network; WAN; Branch Networks]

One Architecture
• From one to thousands of APs
• Same for one to thousands of offices

Flexible software update
• Update one AP, or any number of APs at any time at any location

Distributed Forwarding
• Takes advantage of the wired LAN
• Uses same VLANs as those used by wired users

APs perform all major functions

Extreme Access Points
• Perform all the control plane mechanisms, whereas our competitors must do so with a combination of access points and controllers

Examples:
• Application Detection with deep packet inspection using 1900 application signatures that work even for encrypted traffic
• Layer 2 MAC Firewall
• Layer 3-7 IP and Application Firewall
• Layer 2 and Layer 3 DoS prevention

APs perform all major functions
…continued

• OS Fingerprinting
• QoS Policy enforcement – queuing and rate limiting
• Fast and Secure Roaming
• Voice enterprise 802.11 r/v/k and OKC
• Multicast to unicast conversion
• RADIUS Server, RADIUS Proxy, Cached Credentials

Distributed WLAN Architecture

[Diagram labels: HQ Network; Routers; L2 Switches; APs]

Cooperative Control Protocols
• Exchanged among APs like OSPF for routers

Redundancy
• Built into the protocols

No single point of failure
• Routes around problems and uses dynamic mesh failover

Intelligence = Protocol-based Control Messages

The APs can bring up a mesh to route around a problem, even if mesh is not being used by
default.

Central vs. Distributed Processing
Features and Applications

Processing at Controller (WLAN Controller)
• More APs with Clients > CPU Capacity Decreases on Controller

Processing at APs (AP Level)
• More APs with Clients > CPU Capacity Increases as APs are added

Cooperative Control Protocols defined

AMRP (Auto Mobility Routing Protocol)
• Layer 2 and Layer 3 Roaming
• Load Balancing
• Band Steering
• Layer 2 GRE Tunnel Authentication
• Keepalives

ANXP (Auto Network Extension Protocol)
• Micro-segmentation Room Area Networks
• Device-agnostic authentication
• Granular, identity-driven security

INXP (Identity-Based Network Extensions Protocol)
• GRE tunnels for guest tunnels

Cooperative Control Protocols defined

DXNP (Dynamic Network Extensions Protocol)
• Dynamic GRE tunnels to support layer 3 roaming

ACSP (Auto Channel Selection Protocol)
• Radio Channel
• Power Management

AMRP synchronizes client information between APs

Pre-Roam Sync of Client Roaming Cache

Client Details
• User Profile – Identifies access policy
• Operating System
• DNS Address and DHCP Lease Info
• Hostname and Domain Name
• IP Address and VLAN

AMRP synchronizes client information between APs…

Pre-Roam Sync of Client Roaming Cache

Authentication State for Roaming
• PMK (Pairwise Master Key) from RADIUS
• Session Time
• Captive Web Portal State
• Voice Enterprise State (802.11r/k/v)
• Mobile Device Management (MDM) State

AMRP synchronizes client information between APs

Post-Roam Session Sync for Client

Voice QoS and Firewall Session State
• Layer 2 Firewall Session State
• ALG and Application State from DPI on AP
• Layer 3-7 Firewall and QoS Session state

Creating ExtremeCloud™ IQ Account

Getting started with ExtremeCloud™ IQ

https://www.extremenetworks.com/cloud-networking

Getting started with ExtremeCloud™ IQ

• Complete registration form
• Accept the TOS and click Register
• You will receive an email to complete the registration

Register your ExtremeCloud™ IQ account

• Open the email and click the Setup Password button
• You will be prompted to create a password

Register your ExtremeCloud™ IQ account

• Set your account password
• Confirm your password again
• Click the Save and Next button
• You will then be redirected to your Cloud account

Welcome to your ExtremeCloud™ IQ

• You will be redirected to the Welcome page
• Click Get Started

Get started

• A one-time pop-up window will offer assistance
• Click the option buttons or close the window

You are ready to go!

You can now use ExtremeCloud™ IQ to monitor and manage your network

WLAN Design Concepts

dBm and mW conversions

dBm        Milliwatts           Equivalent power                      Radio Signal
+30 dBm    1000 mW              1 Watt
+20 dBm    100 mW               1/10th of 1 Watt
+10 dBm    10 mW                1/100th of 1 Watt
0 dBm      1 mW                 1/1,000th of 1 Watt
–10 dBm    .1 mW                1/10th of 1 milliwatt                 Very Strong
–20 dBm    .01 mW               1/100th of 1 milliwatt
–30 dBm    .001 mW              1/1,000th of 1 milliwatt
–40 dBm    .0001 mW             1/10,000th of 1 milliwatt
–50 dBm    .00001 mW            1/100,000th of 1 milliwatt
–60 dBm    .000001 mW           1 millionth of 1 milliwatt            Great
–70 dBm    .0000001 mW          1 ten-millionth of 1 milliwatt        Weak
–80 dBm    .00000001 mW         1 hundred-millionth of 1 milliwatt
                                                                      Do not care
–90 dBm    .000000001 mW        1 billionth of 1 milliwatt
–95 dBm    .0000000002511 mW    Noise Floor                           No Signal

Coverage Design
Received Signal Strength

• When designing for coverage, the normal recommended best practice is to provide for a –70 dBm or stronger received signal that is well above the noise floor.
• In other words, a received signal of –70 dBm or higher is considered to be a quality received signal.

Coverage Design

• -70 dBm: high data rate connectivity
• -65 dBm: Voice over Wi-Fi

Coverage Design
Receive sensitivity…

Data Rate (2.4 GHz)    Receive Sensitivity
1 Mbps                 -101 dBm
6 Mbps                 -91 dBm
MCS 0                  -90 dBm
11 Mbps                -89 dBm
24 Mbps                -87 dBm
54 Mbps                -79 dBm
MCS 7                  -77 dBm
MCS 15                 -75 dBm
MCS 23                 -74 dBm

[Diagram labels: 54 Mbps, 36 Mbps, 18 Mbps, 6 Mbps]

• Please note that not all client devices are created equal.
• Depending on the chipset vendor, the radios of various Wi-Fi clients have different receive sensitivity thresholds, which are mapped to different data rates.
• This means that two client radios receiving an RF signal with the same strength may use a different data rate for modulation and demodulation. Despite variances between devices and sensitivity, there is still a common denominator:

A received signal of –70 dBm or higher usually guarantees that a client radio will
use one of the highest data rates that the client is capable of

Coverage Design
Signal-to-noise ratio (SNR)

Ambient noise floor = -95 dBm
• Received signal = -70 dBm: SNR = 25 dB
• Received signal = -88 dBm: SNR = 7 dB

Coverage Design
Signal-to-noise ratio (SNR)

• High SNR needed to prevent L2 retransmissions
• Radios will use modulation and coding schemes (MCS) that produce higher data rates

Coverage Design
Signal-to-noise ratio (SNR)

Recommendations:
• 20 dB or greater
• 25 dB or greater for voice-grade WLAN
• 29 dB or greater to use 256 QAM
• 35 dB or greater to use 1024 QAM

Coverage Design
Voice

• When you are designing for voice, SNR is the most important RF metric.
• Also keep in mind that as a result of free space path loss (FSPL), the effective range for –67 dBm clients will be shorter than for clients receiving a –70 dBm signal.
• For every 3 dB of loss, the received signal is half strength.

[Diagram labels: -65 dBm received signal, 25 dB SNR; -70 dBm received signal, 20 dB SNR]

Coverage design
Dynamic rate switching

• Mobility can cause shifts in data rates
• Weaker signal and lower SNR results in lower data rates
• APs and client radios upshift and downshift data rates based on receive sensitivity thresholds

[Diagram labels: 54 Mbps, 36 Mbps, 18 Mbps, 6 Mbps]

Roaming

[Diagram labels: AP #1 (BSSID #1); AP #2 (BSSID #2); Roaming client station]

• Primary Coverage: -70 dBm
• Secondary coverage: -75 dBm

Clients make the roaming decision

Roaming Threshold

• Most client vendors do not publish roaming thresholds. Apple is an exception*
• A roaming threshold can be adjusted on some clients
• Client side support for 802.11k,r,v improves roaming performance

https://support.apple.com/en-us/HT206207
https://support.apple.com/en-us/HT203068

Roaming Design
Fallacy of cell overlap

• Cell overlap cannot be measured
• Coverage overlap is really duplicate primary and secondary coverage from the perspective of a Wi-Fi client station.

Primary and Secondary Coverage

[Diagram labels: AP #1 (BSSID #1), Primary coverage: -65 dBm; AP #2 (BSSID #2), Secondary coverage: -70 dBm]

• Coverage overlap is really duplicate primary and secondary coverage from the perspective of a Wi-Fi client station
• In other words, each Wi-Fi client station (STA) needs to hear at least one access point at a specific RSSI and a backup or secondary access point at a different RSSI

Layer 2 retransmissions

Transmitting radio sends a unicast frame
CRC Passes
Receiver radio sends L2 ACK frame

802.11 radios cannot transmit and receive at the same time and therefore cannot
detect collisions. So, if they cannot detect a collision, how do they know whether
one occurred?

Layer 2 retransmissions

Transmitting radio sends a unicast frame
No ACK frame sent by receiver
CRC Fails
Transmitting radio sends L2 retransmission

Layer 2 retransmissions
Effects of…

• Throughput goes down
• Latency goes up

Layer 2 retransmissions

• There is always a percentage of layer 2 retries. Most data applications in a Wi-Fi network can handle a layer 2 retransmission rate of up to 10 percent without any noticeable degradation in performance.
• The goal should be 10 percent or less and 5 percent or less for voice-grade WLANs.
• Exceeding a 20 percent retry rate will almost always impact performance.

Layer 2 retransmissions

• Time-sensitive applications such as VoIP require that higher-layer IP packet loss be no greater than 2 percent. Therefore, Voice over Wi-Fi (VoWiFi) networks need to limit layer 2 retransmissions to 5% or less to ensure the timely and consistent delivery of VoIP packets.
• VoWiFi communication usually is restricted to 5 GHz because maintaining a 5% layer 2 retry rate in the over-crowded 2.4 GHz band is rarely possible.

Layer 2 retransmissions
Causes

• RF interference (Layer 1)
• Low SNR (Layer 1) (bad design)
• Adjacent cell interference (bad design)
• Hidden Node (bad design)
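The coverage, SNR, secondary-coverage and layer 2 retry targets from the preceding slides can be checked together against survey readings. The script below is an added example, not part of the Extreme course material; the `SurveyPoint` record, the function names and the sample readings are constructed for illustration, and pairing the -75 dBm secondary target with data and the -70 dBm one with voice is an assumption drawn from the two roaming diagrams.

```python
from dataclasses import dataclass

# Design targets quoted on the slides. Pairing the -75 dBm secondary target with
# data and -70 dBm with voice follows the two roaming diagrams (an assumption).
TARGETS = {
    "data":  {"primary": -70, "secondary": -75, "snr": 20, "retry": 10.0},
    "voice": {"primary": -65, "secondary": -70, "snr": 25, "retry": 5.0},
}
SEVERE_RETRY_PCT = 20.0   # above this, performance is almost always impacted
MODULATION_SNR = [(35, "1024-QAM"), (29, "256-QAM")]   # highest first


@dataclass
class SurveyPoint:             # hypothetical record for one measured spot
    name: str
    ap_rssi_dbm: dict          # BSSID -> RSSI in dBm heard at this spot
    noise_floor_dbm: float
    retry_pct: float           # observed layer 2 retry rate, in percent


def dbm_to_mw(dbm):
    """Convert dBm to milliwatts (0 dBm = 1 mW, each 10 dB is a factor of 10)."""
    return 10 ** (dbm / 10)


def evaluate(point, grade="data"):
    """Return SNR, the best modulation the SNR allows, and the missed targets."""
    target = TARGETS[grade]
    heard = sorted(point.ap_rssi_dbm.values(), reverse=True)
    if not heard:
        return {"snr_db": None, "modulation": None, "findings": ["no-coverage"]}
    primary = heard[0]
    secondary = heard[1] if len(heard) > 1 else None
    snr = primary - point.noise_floor_dbm     # dB above the noise floor
    findings = []
    if primary < target["primary"]:
        findings.append("weak-primary")
    # The client needs a backup AP to roam to, not just one strong AP.
    if secondary is None or secondary < target["secondary"]:
        findings.append("weak-secondary")
    if snr < target["snr"]:
        findings.append("low-snr")
    if point.retry_pct > SEVERE_RETRY_PCT:
        findings.append("severe-retry")
    elif point.retry_pct > target["retry"]:
        findings.append("high-retry")
    # None means the SNR is below the 29 dB the slides give for 256-QAM.
    modulation = next((m for floor, m in MODULATION_SNR if snr >= floor), None)
    return {"snr_db": snr, "modulation": modulation, "findings": findings}


# Constructed sample readings, not measurements from the course labs.
POINTS = [
    SurveyPoint("office-desk", {"bssid-1": -62, "bssid-2": -71}, -95, 6.0),
    SurveyPoint("warehouse-aisle", {"bssid-3": -88}, -95, 24.0),
    SurveyPoint("lobby", {"bssid-1": -70, "bssid-2": -74}, -95, 9.0),
]

if __name__ == "__main__":
    for p in POINTS:
        for grade in TARGETS:
            r = evaluate(p, grade)
            status = ", ".join(r["findings"]) or "meets targets"
            print(f"{p.name:16} {grade:5} SNR {r['snr_db']:>3} dB  {status}")
    # A 3 dB drop roughly halves the received power, as the voice slide notes.
    print(f"-73 dBm / -70 dBm = {dbm_to_mw(-73) / dbm_to_mw(-70):.3f}")
```

The office-desk reading passes the data targets but fails voice on secondary coverage and retry rate, which is why voice-grade designs need the tighter numbers.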

Data Rates versus Throughput

• Data rate is not TCP throughput
• Medium contention protocol of CSMA/CA consumes much of the available bandwidth
• Aggregate TCP throughput in a legacy a/b/g environment is 40% – 50% of data rate
• Aggregate TCP throughput in an 802.11n/ac environment is 60% – 70% of data rate

Capacity design
Age-old question

• How many clients per AP?
• It depends
• What type of applications?
• How many clients?
• What type of clients?

Capacity Design
Applications

Application            Required Throughput
Email/Web browsing     500 Kbps – 1 Mbps
Printing               1 Mbps
SD video streaming     1 Mbps – 1.5 Mbps
HD video streaming     2 Mbps – 5 Mbps

Capacity Design
Client Capabilities

• Not all clients are created equally
• Laptops are usually equipped with 3x3:3 MIMO radios
• Mobile devices that are 1x1:1 consume much more airtime

Client Capabilities
Example

Client              Example data rate
1x1:1 802.11n       65 Mbps
1x1:1 802.11ac      78 Mbps
2x2:2 802.11n       130 Mbps
2x2:2 802.11ac      156 Mbps
3x3:3 802.11n       195 Mbps
3x3:3 802.11ac      260 Mbps

Mobile devices with lesser capability consume more airtime

Capacity Design

Airtime Consumption

• RF is a half-duplex medium
• At any given time only one radio can transmit on a frequency domain (channel)
• Everybody takes turns

Airtime Consumption
Multiple SSIDs

[Diagram labels: Beacon SSID #1 to Beacon SSID #7]

• Multiple SSIDs create more layer two 802.11 management overhead
• Extra set of beacons, probe responses, etc… consume airtime

Airtime Consumption
SSID Overhead Calculator

Best Practice
Transmit maximum 3 - 4 SSIDs

https://apps.apple.com/us/app/revolution-wi-fi-ssid-overhead/id1041231876

Airtime Consumption
Consolidate SSIDs

Consolidate SSIDs:
• Multiple User Profiles can be linked to a single SSID
• Different groups of users connected to the same SSID can be assigned different access control rules
• The result is that different VLANs, firewall policies, rate-limiting policies, etc. can be assigned to different groups of users

User Profiles
Assignment Rules

User profile assignment rules can be defined for a single SSID
• Depending on the WLAN security, rules can be based on:
  • RADIUS attributes
  • PPSK User groups
  • Client OS type
  • Client MAC address
  • Client Location
  • Schedule

Airtime consumption
2.4 GHz data rates

• Disabling lower data rates reduces airtime consumption and normally increases performance
• Basic = 12 Mbps
• Disabled: 11 Mbps (Legacy 802.11b clients will not be able to connect)
• Disabled: 6 Mbps and 9 Mbps OFDM rates

Default rates: Basic = 11 Mbps

Airtime consumption
2.4 GHz data rates

• Disabling lower data rates reduces airtime consumption and normally increases performance
• Basic = 24 Mbps
• Disabled: 11 Mbps (Legacy 802.11b clients will not be able to connect)
• Disabled: 6, 9, 12 and 18 Mbps OFDM rates

Default rates: Basic = 11 Mbps

91
Improper channel reuse
Co-channel interference

• If an AP on channel 1 is transmitting, all nearby access points and clients on the same channel within hearing range will defer transmissions.
• The result is that throughput is adversely affected: Nearby APs and clients have to wait much longer to transmit because they have to take their turn.
• The unnecessary medium contention overhead that occurs because all the APs are on the same channel is called co-channel interference (CCI).

[Figure: APs on Channel 11, Channel 1, Channel 1 and Channel 6]

Channel reuse

• Primary goal of channel reuse patterns is to prevent co-channel interference
• Reduces airtime consumption by isolating frequency domains (channels)

[Figure: APs on Channel 11, Channel 1, Channel 1 and Channel 6]

Co-channel interference (CCI)

• Does RF just stop?
• Almost impossible to prevent CCI at 2.4 GHz

[Figure: APs on Channel 11, Channel 1, Channel 1 and Channel 6]

Co-channel interference

• CCI is not static and is always changing
• Client transmissions are the top cause of CCI

[Figure: APs on Channel 11, Channel 1, Channel 1 and Channel 6]

5 GHz channel re-use scheme

[Figure: 5 GHz channel reuse plan using 20 MHz channels 36 - 64 and 100 - 144 across U-NII-1, U-NII-2A, U-NII-2C and U-NII-3 (band edges 5.150, 5.250, 5.350, 5.470 and 5.725 GHz)]

High power is bad
Low power is good!

• Capacity Problems
• Increase CCI
• Hidden Node
• Mismatch power between clients and AP
• Roaming – Sticky problems
• Turn down the power!

Use the Environment

• Wall attenuation is good
• Reduces CCI
• Maximizes channel reuse
• Isolates contention domain

[Figure: wall materials - poured concrete, concrete block, drywall, brick]

Hallways are BAD!

• Mounting APs in hallways is a common mistake
• Does not provide adequate coverage for rooms
• CCI and airtime consumption nightmare

One AP per room

• One AP per room may be needed for capacity
• 5 GHz can be achieved with proper channel reuse and power levels

One AP per room design

• Walls must be VERY thick - concrete, brick, etc.
• 5 GHz radios power level 9 dBm (8 mW) or lower
• No channel bonding – 20 MHz channels only

One AP per room

• 2.4 GHz radios will all interfere with each other
• Disable two out of every three 2.4 GHz radios
• Power levels of 0 dBm – 6 dBm (1 mW – 4 mW)

One AP per room

• Even then CCI still may occur in 2.4 GHz

One AP per room design
Dual 5 GHz?

• Fixed 5 GHz radios
• Disable two out of every three 2.4 GHz radios?
• Instead convert two out of every three of the adjustable radios to 5 GHz

Dual 5 GHz WLAN design

• Many Extreme APs have a software-defined radio (SDR) along with a fixed 5 GHz radio within a dual-frequency AP
• The radio that has SDR functionality can operate as either a 2.4 GHz or a 5 GHz radio.
• This means a dual-radio AP can either offer 2.4 GHz and 5 GHz coverage or offer coverage on two different 5 GHz channels

[Figure: Radio #1: SDR, 5 GHz: Channel 100; Radio #2: Fixed 5 GHz, 5 GHz: Channel 40]

Note
Dual 5 GHz Design rules are discussed later in class

Indoor antennas
Directional

• It is common for patch antennas to be connected to access points to provide directional coverage within a building.
• Omnidirectional antennas often have difficulty providing effective RF coverage in areas with shelving.
• MIMO patch antennas, such as the one shown, can be used effectively in libraries, warehouses, and retail stores with long aisles of shelves.

Indoor antennas
Warehouse

• Coverage, not capacity, is usually the main concern in warehouse environments
• The client devices are usually handheld barcode scanners or other wireless data-collection devices used for inventory management. VoWiFi is also common in many warehouse WLAN deployments
• Because most warehouses have very high ceilings, coverage is primarily provided with directional antennas mounted on the walls and pointing down the aisles.

Indoor antennas
Warehouse

• Because many aisles are very long, directional antennas are often also mounted from the ceiling.
• As shown, the ceiling-mounted directional antennas are mounted in the center of the aisles to provide coverage in combination with the directional antennas mounted on the walls.

Indoor antennas
Directional

Another common use case for deploying MIMO patch antennas indoors is in very high-density (VHD) environments
• The use of directional antennas reduces CCI, especially when a 40 MHz channel reuse pattern is deployed
• Directional antennas are often used in very high density environments to sector the coverage
• Examples include lecture halls, gymnasiums, libraries, cafeterias, etc.

Predictive Modeling

Login to ExtremeCloud™ IQ
Student Number Assignment

• The instructor will now assign student numbers.
• In the labs that follow, replace the X with the number given to you by the instructor

https://extremecloudiq.com/login

Predictive Modeling
Create Top Level Map

From ML Insights>Network 360 Plan

A hierarchy of maps can be created to be used for both predictive modeling as well as real-time monitoring of RF coverage
• A top level Tier 1 map must first be created
• The Tier 1 map is created one time only

Predictive Modeling
Create Top Level Map

• This pop-up window only appears one time
• Tier 1 map is usually the name of the organization
• Maps can also be imported from ExtremeCloud™ IQ Classic or other VHMs

Predictive Modeling
Instructor Creates Top Level Map

• Organization: Company name
• Street Address: HQ address
• City and State: HQ city/state/zip
• Country: HQ country
• Click Get Started

Predictive Modeling
Create Top Level Map

• Notice the top level Tier 1 map name is called Global View
• Three other tiers: Location, Building and Floor are automatically created
• Admin has the ability to upload a floor plan or draw a floor plan

Predictive Modeling
Close pop-up

• Click X to close the pop-up window

Predictive Modeling
Map tree controls

• Click on the ellipsis (…) icon
• Observe all the controls

[Figure: map tree controls - Delete, Clone, Edit, Move, Add, Export]

Lab 1: Predictive Modeling

Device Discovery and Provisioning

Device Redirection Services
For ExtremeCloud™ IQ

Extreme Cloud Redirector at cloud.aerohive.com
150.136.193.180

Serial numbers must be entered in your HiveManager Cloud account

AP and ExtremeCloud™ IQ redirector workflow

• AP calls home (redirector) initially
• Redirector assigns AP to CAPWAP master in its designated HM-Cloud regional data center.
• AP calls the CAPWAP master
• CAPWAP master assigns AP to a designated CAPWAP server
• AP talks with HM-Cloud through CAPWAP server, and file server

[Figure: HM-Cloud containing the Redirector, CAPWAP Master, CAPWAP Server and File Server, with arrows numbered 1 - 5 matching the steps above]

Device auto discovery of ExtremeCloud™ IQ on-premises
On-Premises Virtual Appliance IP Address

Static CLI configuration:
• CAPWAP client server name “ip address”
• Save config

Dynamic IP discovery:
• DHCP option 43
• DNS query
• L2 broadcast (Can be disabled)
• Redirector

[Figure: Devices and Extreme Cloud On-Premises]

Device auto discovery of ExtremeCloud™ IQ on-premises
On-Premises Virtual Appliance IP Address

DHCP Request (Devices to DHCP Server)
• Option 60: Vendor Class Identifier “AEROHIVE”

DHCP Response
• Option 43
  • Sub-Option: 226 Appliance IP Address
  • Sub-Option: 225 FQDN

DNS Query (Devices to DNS Server)
• The device performs a DNS lookup for hivemanager.yourdomain

DNS Response
• IP address of Extreme Cloud On-Premises

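Added example (not Extreme's code): building and auditing the option 43 payload from the slide above, so that a DHCP scope can be checked against the approved appliance before devices act on it. Assumptions: sub-options use the RFC 2132 code/length/value layout, the address is carried as 4 raw bytes and the FQDN as ASCII; the sample address, the example.com name and all function names are constructed.

```python
import ipaddress

SUBOPT_FQDN = 225            # sub-option numbers as shown on the slide
SUBOPT_APPLIANCE_IP = 226


def encode_option43(appliance_ip=None, fqdn=None) -> bytes:
    """Build the option 43 payload as code/length/value sub-options."""
    out = bytearray()
    if appliance_ip is not None:
        packed = ipaddress.IPv4Address(appliance_ip).packed   # assumed: 4 raw bytes
        out += bytes([SUBOPT_APPLIANCE_IP, len(packed)]) + packed
    if fqdn is not None:
        name = fqdn.encode("ascii")                            # assumed: ASCII text
        if len(name) > 255:
            raise ValueError("FQDN too long for a one-byte length field")
        out += bytes([SUBOPT_FQDN, len(name)]) + name
    return bytes(out)


def decode_option43(payload: bytes) -> dict:
    """Parse sub-options; reject truncated or repeated entries instead of guessing."""
    found = {}
    i = 0
    while i < len(payload):
        code = payload[i]
        if code == 0:            # pad byte
            i += 1
            continue
        if code == 255:          # end marker
            break
        if i + 2 > len(payload):
            raise ValueError("truncated sub-option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"sub-option {code} truncated")
        if code in found:
            raise ValueError(f"sub-option {code} repeated")
        found[code] = value
        i += 2 + length
    result = {"unknown": sorted(c for c in found
                                if c not in (SUBOPT_FQDN, SUBOPT_APPLIANCE_IP))}
    if SUBOPT_APPLIANCE_IP in found:
        raw = found[SUBOPT_APPLIANCE_IP]
        if len(raw) != 4:
            raise ValueError("appliance IP sub-option is not 4 bytes")
        result["appliance_ip"] = str(ipaddress.IPv4Address(raw))
    if SUBOPT_FQDN in found:
        result["fqdn"] = found[SUBOPT_FQDN].decode("ascii")
    return result


def audit_option43(payload: bytes, approved_ips: set, approved_fqdns: set) -> list:
    """Return findings for a payload that does not point at an approved appliance."""
    try:
        parsed = decode_option43(payload)
    except ValueError as exc:    # UnicodeDecodeError is a ValueError too
        return [f"malformed option 43: {exc}"]
    findings = []
    ip, name = parsed.get("appliance_ip"), parsed.get("fqdn")
    if ip is None and name is None:
        findings.append("no appliance address or FQDN present")
    if ip is not None and ip not in approved_ips:
        findings.append(f"unapproved appliance IP {ip}")
    if name is not None and name.lower() not in approved_fqdns:
        findings.append(f"unapproved FQDN {name}")
    if parsed["unknown"]:
        findings.append(f"unexpected sub-options {parsed['unknown']}")
    return findings


if __name__ == "__main__":
    scope = encode_option43("10.5.1.20", "hivemanager.example.com")
    print(scope.hex())
    print(audit_option43(scope, {"10.5.1.20"}, {"hivemanager.example.com"}))
```
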
Device auto discovery of ExtremeCloud™ IQ on-premises
On-Premises Virtual Appliance IP Address

CAPWAP Local Broadcast (from Devices)

CAPWAP Response
• IP address of Virtual Appliance on local subnet

CAPWAP Discovery
• Extreme devices contact the redirector redirector.aerohive.com
• IP address of Virtual Appliance at your data center

[Figure: Devices and Extreme Cloud On-Premises]

Device auto discovery of ExtremeCloud™ IQ on-premises
On-Premises Virtual Appliance IP Address

Redirector at cloud.aerohive.com
• Redirect device to: hivemanager.yourdomain
• Connect to: hivemanager.yourdomain

[Figure: Devices and hivemanager.yourdomain]

Management Protocols & Device Updates

ExtremeCloud™ IQ to AP device management traffic:
• CAPWAP
  • UDP 12222
  • TCP 80
• RadSec
  • TCP 2083
• Firmware Updates, File transfers and Switch Management
  • TCP 443

Note
Firewalls need to allow outbound traffic from the management interfaces on these ports.

[Figure label: (Cooperative Control Protocols)]

https://extremecloudiq.com/support/US_East.html

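Added example (not part of the course material): checking firewall logs for the management subnet against the port list on the slide above. It reports required management traffic that the firewall denies and other outbound traffic that it allows. The log format, addresses and function names are constructed; services outside this slide's list, such as DNS and NTP, are not modelled.

```python
import ipaddress

# Outbound ports listed on the slide for device management traffic.
REQUIRED_EGRESS = {
    ("udp", 12222): "CAPWAP",
    ("tcp", 80): "CAPWAP",
    ("tcp", 2083): "RadSec",
    ("tcp", 443): "Firmware updates, file transfers, switch management",
}

# Constructed firewall log lines (key=value format is an assumption).
SAMPLE_LOG = """\
action=allow src=10.20.0.11 proto=udp dport=12222
action=allow src=10.20.0.11 proto=tcp dport=443
action=deny src=10.20.0.12 proto=tcp dport=2083
action=allow src=10.20.0.12 proto=udp dport=12222
action=allow src=10.20.0.13 proto=tcp dport=23
action=deny src=10.20.0.13 proto=udp dport=53
action=allow src=192.168.50.7 proto=tcp dport=443
"""


def parse_line(line: str) -> dict:
    """Split 'key=value key=value' into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def review_egress(log_text: str, mgmt_subnet: str):
    """Return (blocked_required, unexpected_allowed) for sources in mgmt_subnet."""
    net = ipaddress.ip_network(mgmt_subnet)
    blocked_required, unexpected_allowed = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if ipaddress.ip_address(rec["src"]) not in net:
            continue                      # not a management interface
        key = (rec["proto"], int(rec["dport"]))
        if key in REQUIRED_EGRESS and rec["action"] == "deny":
            # The firewall is blocking traffic the devices need.
            blocked_required.append((rec["src"], REQUIRED_EGRESS[key], key))
        elif key not in REQUIRED_EGRESS and rec["action"] == "allow":
            # Outbound traffic beyond the documented management ports.
            unexpected_allowed.append((rec["src"], key))
    return blocked_required, unexpected_allowed


if __name__ == "__main__":
    blocked, unexpected = review_egress(SAMPLE_LOG, "10.20.0.0/24")
    for src, service, (proto, port) in blocked:
        print(f"{src}: {service} blocked on {proto}/{port}")
    for src, (proto, port) in unexpected:
        print(f"{src}: unexpected egress allowed on {proto}/{port}")
```
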
Add Devices
Quick Add

• Manage>Devices>Add>Quick Add Devices
• You can easily enter the serial numbers for new devices in one of two ways: Quick Add Devices or Advanced Onboarding

Add Devices
Quick Add

• Choose between Aerohive or other supported Devices
• Multiple serial numbers can be added if they are separated by a comma
• You can assign location at this point as well
• Choose between Real or Simulated devices
• Choose to enter serial numbers separated by a comma or via CSV file upload
• Click ADD DEVICES to save the serial numbers to your account

Device Serial Numbers

• The most common method is to upload serial numbers using the CSV file option. It is recommended to upload serial numbers as soon as the CSV file arrives in your email
• The workflow for onboarding Dell N-Series Switches is nearly identical. Select Other for the Device Make and use the Dell Service Tags and the Serial Numbers.

Device Serial Numbers

The Serial Number already exists in system:
• These messages mean that the device already belongs to your account or has been linked to another customer HiveManager account
• File a support ticket if the serial number does not already belong to your HiveManager account

Device Serial Numbers

• Devices are now added to the database
• Monitor displays them with a grey icon because they are not connected
• Connect the APs to a switch with a gateway to the Internet
• Green icon will confirm the connection via the CAPWAP protocol
• Devices can also be added in a pre-provisioned mode to prevent disconnection alarms. In this case the icon is purple

Device Serial Numbers

• APs with firmware older than HiveOS 6.4r1 cannot connect to HiveManager. APs with firmware below HiveOS 6.5r3a will automatically update.
• We highly recommend that APs use IQEngine 10.0 firmware or higher

Device Serial Numbers

Once APs are connected the CAPWAP status icon will turn green

XIQ Mobile Onboarding App
Download from App Store or Google Play

Lab 2: Device Discovery and Provisioning

Switch Provisioning

EXOS/VOSS switches and XIQ - Principles

• SSL/HTTPS (TCP port 443) is used
• Management traffic only is sent between XIQ and switches
• User traffic stays LOCAL

Note: This is different from IQ Engine APs (as well as WiNG controllers and legacy Aerohive switches) where CAPWAP (UDP port 12222) is used

[Figure: ExtremeCloud IQ connected over SSL / HTTPS to EXOS / VOSS switches]

EXOS/VOSS switch: Redirection to XIQ

In your VIQ, when you add the serial number of your EXOS device, this will tell the redirector (hac.extremenetworks.com) to redirect the EXOS switch to that particular VIQ.

Serial Numbers of managed devices MUST be entered into your ExtremeCloud IQ account

[Figure: EXOS/VOSS switches, the Redirector (hac.extremecloudiq.com) holding a list of device serial numbers, and ExtremeCloud IQ; arrows numbered 1 and 2]

EXOS/VOSS switch: IQ Agent

- XMOD modular applications can run in EXOS
- Container Style EXOS IQAgent Implementation
- EXOS IQAgent Upgrade doesn’t impact switch software (Data plane / Control plane):
  - Zero Impact to Switch NOS
  - Zero Impact to Data Plane
  - Zero Impact to Control Plane
  - No Switch Reboot

Note: It is recommended to terminate and delete the existing IQAgent process before upgrading the IQAgent.

[Figure: ExtremeCloud IQ; IQAgent XMOD (Container Style); Kernel Loadable Module; ExtremeXOS Kernel]

Guided Configuration & Object Management

Guided Configuration

Network Policies are created with a guided configuration workflow
• Default tile view of Network Policies
• Click the display icon for list view

Guided Configuration

Guided step-by-step configuration for Network Policies:
• Wireless Settings
• Device Templates
• Router Settings
• Additional Settings
• Deploy Policy

Guided Configuration

Step-by-step configuration for multiple Wireless connectivity scenarios:
• Open SSID, Static PSK, PPSK and Captive Web Portals
• 802.1X EAP with External RADIUS
• 802.1X EAP with Aerohive Device as RADIUS (LDAP integration)
• Multiple User Profiles and User Profile assignment rules
• Advanced SSID settings
• AP device templates for physical ports

Guided Configuration

Step-by-step configuration for switch and access point Device Templates:
• Switch port settings (Access, Trunk, Aggregate etc.) for switches
• VLAN assignment for switch port settings
• Support for Extreme switches and Dell switches
• Create switch templates for multiple locations

Guided Configuration

Step-by-step configuration for Router Settings:
• Network Allocation
• Device Template
• VPN Service
• SD WAN
• Routing Policy
• Additional Services
• Firewall

Guided Configuration

Step-by-step configuration for Additional Settings:
• Management Servers: NTP, DNS, SNMP, Syslog
• Policy Settings: Bonjour Gateway, Hive, Time Zone, Supplemental CLI, Device Data Collection, Management & Native VLAN
• Switch Settings: Spanning Tree, Storm Control, IGMP
• Network Services: LLDP, Access Console, Management Options, Location Server
• QoS Options: Classifier Maps, Marker Maps & QoS Overview
• Security: WIPS and Traffic Filters

Guided Configuration

Final steps to Deploy Policies:
• Complete Configuration Updates
• Delta Configuration Updates
• IQEngine Updates
• Application Signature Updates

Additional Settings

Numerous additional settings can be configured within a Network Policy:
• Select a Network Policy in the guided configuration
• Click Additional Settings

Additional Settings

Instructor will discuss some of the key objects such as LLDP, NTP server, Syslog server, etc.

Additional Settings:
Management and Native VLAN

• Select the Additional Settings tab
• Select Policy Settings>Management and Native VLAN

Additional Settings:
Management and Native VLAN

• CAPWAP, Cooperative Control protocols, SSH and other management traffic resides in the management VLAN
• The Native VLAN is for untagged traffic

Best Practice
Although the default MGT VLAN setting is 1, a good security best practice is to change the setting for the MGT VLAN to a non-default value.

Object Management Menu

• Centralized object management
• Admin has the ability to create, edit or delete objects outside of the guided configuration
• Click Configure
• Click Common Objects
• Dependencies can also be viewed

Note
Some complex objects like the SSID object cannot be created in the object management menu

Clone Tool

• Clone tool is available for most objects in the Object Management Menu
• Configure>Common Objects
• Select object to clone
• Click the clone icon
• Give the cloned object a name
• Click Clone

Clone Tool

• Once the cloned object is created, it can be edited for any needed tweaks or changes
• Cloned objects can then be linked to any Network Policy in the guided configuration

Create a Network Policy

Create Network Policy with a PSK SSID
Add Network Policy

To create your first Network Policy:
• Click Configure
• Click Network Policy>Add Network Policy (this screen will only appear once)

Additional Settings
Management and Native VLAN

• CAPWAP, Cooperative Control protocols, SSH and other management traffic resides in the management VLAN
• The Native VLAN is for untagged traffic

Best Practice
Although the default MGT VLAN setting is 1, a good security best practice is to change the setting for the MGT VLAN to a non-default value.

Create Network Policy with a PSK SSID
Create User Profile and define user VLAN

• Scroll down to User Access Settings>Default User Profile
• Click + to create a new User Profile
• Give User profile a name
• Connect to VLAN: select + to create a VLAN

Create Network Policy with a PSK SSID
Verify SSID Profile

• Verify that your SSID Profile has been saved
• Select Additional Settings

Note
We will discuss Device Templates in detail later in class.

Create Network Policy with a PSK SSID
Additional Settings - DNS

• DHCP device clients receive a domain name and DNS server IP address through DHCP
• DNS settings that you enter here override those that are assigned via DHCP
• The DNS object defines the DNS settings assigned to the management interface (mgt0) of an Aerohive device
• These settings do not define DNS for WLAN clients. Clients still receive DNS settings via DHCP for a relevant client VLAN and IP subnet.

Create Network Policy with a PSK SSID
Additional Settings – Device Time Zone

• Under Policy Settings, select Device Time Zone
• Under Time Zone: From the drop-down, select the time zone of where the class APs are deployed
• Click Save

Multiple Time Zones

Best Practice
It is highly recommended that all managed devices be configured for the correct time zone. This ensures that timestamps in log files are accurate.
APs in different time zones can be assigned via classification and Cloud Config Groups (CCGs). Classification and CCGs are discussed in day two.

Create Network Policy with a PSK SSID
Deploy Policy

• Select the Deploy Policy tab and click the Eligible button
• Select ☑ your AP (the access point/device whose name begins with your student number X)
• Click Upload

Note
Please only select your AP. Do not upload your policy to other APs during class

Create Network Policy with a PSK SSID
Device Update

• Verify that only 1 device will be updated
• Select ☑ Update Network Policy and Configuration
• Select ☑ Complete Configuration Update
• Click Perform Update

Create Network Policy with a PSK SSID
Upload the Network Policy

• Complete Updates of any configuration or IQEngine updates require a reboot
• After the configuration or firmware is pushed, the slider bar will stop at about 68%
• Timestamp will appear once the reboot is complete, and the APs re-establish CAPWAP connectivity

Overview of Update

• Complete Update: The entire Extreme AP configuration is uploaded and a reboot is required
• Delta Update: Only configuration changes are uploaded and no reboot is required
• The first upload must always be a Complete Update

Best Practice
Should a Delta update ever fail, best practice is to select a Complete update and force a reboot. Also, a Complete Update is recommended if there are ever complex configuration changes to the Network Policy.

Lab 3: Create Network Policy

Managing Clients, Users & Client 360

Manage Clients

• Adjustable Timelines
• Multiple sortable Columns
• Multiple filters

Manage Clients

Note
Click the Edit icon to choose available columns

Manage Clients

• Column view changes based on selections
• Column view unique to each administrator

Manage Clients

• Click and hold on any column header
• Drag the column header to desired location
• Release the header and the column order changes
• Columns can be moved left or right

Manage Clients

• Column width can be adjusted
• Click the column divider
• Hold the cursor, drag the column and release

Manage Clients

Clients can be filtered by:
• Location
• Operating System
• Wireless/Wired
• SSIDs
• User Profiles
• Custom filters can be created and saved.

Manage Clients

• Click on the Hostname or MAC Address of the client
• A deep-dive analytic view using machine-learning appears

Manage Clients

• Blue column displays the Current Connection Status info of the client
• Adjustable timeline view changes the visual display up to 30 days of client performance and behavior data

Manage Clients

Three Client 360º session and aggregate views:
• Most Usage on 1 AP
• Most Time Spent on 1 AP
• Selected Time Session
• Click to expand session view

Manage Clients

Client Trail displays a detailed view into the roaming history of the client

Manage Clients

Displays the Maximum Client Capabilities of this single client

Manage Clients

• Manage>Users
• Based on unique credentials
• View number of client devices connected from a single user

Manage Clients

• Click User Name
• User Entity View
• Click the individual client device icons
• This displays information about all the Wi-Fi devices of a single user
• Can be a PPSK user or 802.1X user

Lab 4: Manage Clients

Managing Devices

Manage Devices

• Real-time and historical monitoring of Devices such as APs and Switches
• Multiple sortable columns
• Multiple Filters
• Utilities and Actions
• Device Updates
• Click the Column Picker icon to choose available columns

Manage Devices

• Column view changes based on selections
• Column view unique to each administrator

Manage Devices

• Click and hold on any column header
• Drag the column header to desired location
• Release the header and the column order changes
• Columns can be moved left or right

Manage Devices

• Column width can be adjusted
• Click the column divider
• Hold the cursor, drag the column and release

Manage Devices

• By default only 10 devices are displayed per page
• Choose 20|50|100 to display more devices per page
• You can also advance through the devices one page at a time

Filters

Devices can be filtered by:
• Location
• Network policies
• Device types
• Connection state
• Device function
• OS version
• Cloud Config Groups
• SSIDs
• User Profiles

Filters

• Custom filters can be saved by an admin
• Filters are unique to each administrator
• Filters remain consistent across all views

Manage Devices
Status Column

Multiple device status icons:
• Connection State – green indicates the device is connected to HiveManager via CAPWAP
• Connection State – red indicates the loss of CAPWAP connectivity
• Connection State – indicates a simulated AP
• Presence icon – AP is functioning as a listening device for Presence analytics

Monitor Devices
Status Column

Multiple device status icons:
• Audit icon – ✔ The HiveManager configuration matches the configuration on the Aerohive device
• Audit icon – ! The HiveManager configuration does not match the configuration on the Aerohive device
• The device needs to be updated with either a delta or complete upload of the configuration

Configuration Audit

• Exclamation audit icon indicates changes to device configuration
• Click the audit icon to display 3 different tab views
• Audit tab displays a summary view of any configuration changes
• Click the Ignore button to clear the audit icon without a delta upload

Configuration Audit

• Delta tab displays the delta configuration changes that will be sent to the device with a delta update that requires no reboot
• Complete tab displays the entire running configuration that will be uploaded to the device via a complete update that requires a reboot

Device Monitor View

• Device Monitor view is accessible from Monitor/Devices
• Click the Host Name of the device

Device Monitor View

• Device Monitor view displays detailed information about the individual AP
• Monitoring>Overview displays in the first screen

Device Monitor View

• Monitoring>Wireless Interfaces displays information about the Wi-Fi radios
• Adjustable timeline view

Device Monitor View

• Monitoring>Clients displays information about client devices connected to the AP
• Adjustable timeline view

Device Monitor View

• Monitoring>Events displays information about AP events such as client authentications

Device View

Device specific settings can also be configured for each individual device
• Examples:
  • Host Name
  • IP address
  • Interface settings
  • Supplemental CLI
• Device-level configuration is an override for a single AP

Lab 5: Managing Devices

User Profiles

User Profiles

• User Profile is the configuration object created to define all user traffic settings
• User profile objects can be created in the guided configuration of a network policy or created independently from the object management menu

User Profiles

To create a user profile from the object management menu:
• Click Configure>Common Objects
• Select User Profiles
• Click Add

Note
Instructor can now demo creating a User Profile. Instructor can also have students create a simple User Profile.

User Profiles

User Profile traffic settings include:
• User VLAN
• User firewall policies
• User traffic tunneling
• User traffic QoS rate limiting
• User availability schedules
• Client SLA
• User data and time limits

User Profiles

• All user profile objects must have a unique name
• Every user profile must define a user VLAN
• Users assigned to this profile will be placed into this VLAN

User Profiles
VLANs

• The Name is the logical name of the VLAN object
• The Default VLAN is the actual VLAN tag ID
• Multiple VLANs can be defined within the object using classification

User Profiles
VLANs

Best Practice
VLAN object naming conventions: For a single VLAN, give the object the same name as the VLAN number.

User Profiles
VLANs

Object classification will be discussed in a later lab

Best Practice
VLAN object naming conventions: If multiple VLANs are defined via classification, give the object a logical name.

User Profiles
Firewall

 Click the Security tab


 Built into every AP is a
stateful firewall - Layers 2-
7
 All user traffic can be
inspected at the edge of
the network
 Different firewall policies
can be assigned to
different groups of users
via User Profiles

211 ©2021 Extreme Networks, Inc. All rights reserved

211
User Profiles
Tunneling

 Click the Traffic Tunneling tab


 User traffic can be configured for
Layer 3 roaming using dynamic GRE
tunnels
 Users can maintain IP connectivity
across routed boundaries
 User traffic can also be directed
through static identity-based GRE
tunnels to another network segment
such as a DMZ
Note
Detailed labs for Layer 3 roaming and static GRE tunnels are covered in an advanced class
212 ©2021 Extreme Networks, Inc. All rights reserved

212
User Profiles
Rate Limiting

 Click the QoS tab


 User traffic can be configured for
Rate Limiting policies
 Different rate limiting policies can be
assigned to different groups of users
via User Profiles

213 ©2021 Extreme Networks, Inc. All rights reserved

213
User Profiles
Availability Schedule

User traffic can be restricted by


defined time policies
 Time policies can be one time or
recurring
 Different time schedule policies
can be assigned to different
groups of users via User Profiles

214 ©2021 Extreme Networks, Inc. All rights reserved

214
User Profiles
Client SLA

 Service Level Assurance


 Monitor client throughput and
take action

215 ©2021 Extreme Networks, Inc. All rights reserved

215
User Profiles
Data/Time Limit

User traffic can be restricted to:


 Data limits
 Time Limits

216 ©2021 Extreme Networks, Inc. All rights reserved

216
802.1X with External RADIUS

Authentication 802.1X/EAP

[Diagram: Client, AP, RADIUS and LDAP, labelled with Root CA cert, Server cert and EAP]

• 802.1X: Port based access control
  • Authorization Framework
  • Supplicant
  • Authenticator
  • Authentication Server
• Extensible Authentication Protocol (EAP)
  • Server certificate and Root CA certificate
  • Tunneled authentication using SSL/TLS
  • Integrates with LDAP

802.1X with External RADIUS

• WLAN users should have secure access to the wireless network. The most secure method is to use 802.1X EAP
• In the next lab, you are going to build an 802.1X EAP solution using an existing RADIUS server
• RADIUS attributes will be leveraged to assign different types of users to VLANs and user traffic settings by assigning them to the appropriate User Profiles

Assignment Rules

• Multiple User Profiles can be linked to a single SSID
• Different groups of users connected to the same SSID can be assigned different access control rules
• The result is that different VLANs, firewall policies, rate-limiting policies, etc. can be assigned to different groups of users

Assignment Rules

• User profile assignment rules can be defined for a single SSID
• Depending on the WLAN security, rules can be based on:
  • RADIUS attributes
  • PPSK User groups
  • Client OS type
  • Client MAC address
  • Client Location
  • Schedule

Review: User Profile Assignment via RADIUS attributes

• Multiple User Profiles can be assigned based upon returned RADIUS attributes
• As many as 63 different groups of users can be assigned to different VLANs, firewall policies, SLA policies, time-based policies, etc.

Review: User Profile Assignment via RADIUS attributes

Best Practice: Leveraging RADIUS attributes for User Profile assignment means you only need to have a single SSID for all your employees. Although you can transmit as many as 16 SSIDs per radio, best practices dictate no more than 3-4. Excessive SSIDs create L2 overhead and degrade performance. A common strategy is to have three SSIDs: Employees, Voice and Guests.

Review: User Profile Assignment via RADIUS attributes

• User Profiles can be assigned based upon any returned RADIUS attribute value pairs
• The attributes can be standard or custom

Lab 6: 802.1X with External RADIUS

Troubleshooting 802.1X

IEEE 802.1X with EAP

[Sequence diagram: Supplicant, Authenticator (AP), RADIUS]

Supplicant <-> Authenticator (AP)    | Authenticator (AP) <-> RADIUS
802.11 association                   |
EAPoL-start                          |
EAP-request/identity                 |
EAP-response/identity (username)     | RADIUS-access-request
EAP-request (challenge)              | RADIUS-access-challenge
EAP-response (hashed resp.)          | RADIUS-access-request
EAP-success                          | RADIUS-access-accept (PMK)

Callouts: "Access Please!", "Access Denied", "Calculating my key…", "Calculating key for user…", "Access Granted"

The 802.1X standard is a port-based access control standard. 802.1X provides an authorization framework that allows or disallows traffic to pass through a port and thereby access network resources. An 802.1X framework may be implemented in either a wireless or wired environment. The three main components of an 802.1X framework are the supplicant, the authenticator, and the authentication server. The 802.1X/EAP framework, when used with wireless networks, provides the necessary means of validating user identity as well as authorizing client stations onto the wired network infrastructure.

The current standard requires the use of an 802.1X/EAP authentication method in the enterprise and the use of a preshared key or a passphrase in a SOHO environment. Scaling a VPN-secured WLAN requires more effort and resources than scaling an 802.1X/EAP-secured WLAN. When scaling an 802.1X/EAP network, the addition of new users only requires an account on the authentication server and the configuration of the 802.1X client, which nowadays is often built into the operating system.

In situations where there is no RADIUS server or the client devices do not support 802.1X/EAP authentication, a WPA/WPA2-Personal deployment may be necessary.

802.1X Troubleshooting

Unable to reach RADIUS server. Possible causes:
• Incorrect shared secret
• Incorrect IP settings on AP or RADIUS server
• Incorrect authentication port (default is 1812)
• NAS client (AP) not configured in RADIUS server

802.1X Troubleshooting

External RADIUS server could not accept the access request from the client. Possible causes:
• Expired password or user account
• Wrong password
• User does not exist in LDAP
• User authentication or machine authentication

RADIUS Test Tool
1. Test your AP

The RADIUS Test Tool checks the backend communications between an Extreme AP device and a RADIUS server:
• Manage>Tools>Utilities>RADIUS Test

RADIUS Test Tool
2. Enter test parameters

• RADIUS Server: Enter a Server IP address (Located in the Appendix)
• Extreme Networks RADIUS Client: (Your AP)
• User Name: faculty
• Password: training
• Click Test

802.1X Troubleshooting with the RADIUS Test Tool
RADIUS Test tool messages

• Check the RADIUS configuration in the Network policy
• Check the shared secret
• RADIUS working: You can also verify the RADIUS Attributes
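
Two points from the slides above in one added Python example (not code from the course or from Extreme): how a RADIUS client checks a reply against the shared secret (RFC 2865 Response Authenticator), and how returned attribute value pairs could select a User Profile. The secrets, attribute values, rule table, default profile name and first-match order are assumptions; only the Profile-A/B/C names come from the course.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
FILTER_ID = 11                  # standard attribute, RFC 2865
TUNNEL_PRIVATE_GROUP_ID = 81    # standard attribute, RFC 2868 (often carries a VLAN ID)

# Hypothetical assignment rules: (attribute type, returned value) -> User Profile.
# The attribute values and the default profile name are constructed.
ASSIGNMENT_RULES = [
    ((FILTER_ID, "faculty"), "Profile-A"),
    ((FILTER_ID, "students"), "Profile-B"),
    ((TUNNEL_PRIVATE_GROUP_ID, "30"), "Profile-C"),
]
DEFAULT_PROFILE = "Profile-Default"


def encode_avps(avps):
    """Encode (type, bytes) pairs as RADIUS type-length-value attributes."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in avps)


def build_reply(code, ident, request_auth, avps, secret):
    """Build a reply the way a RADIUS server signs it (RFC 2865, section 3)."""
    attrs = encode_avps(avps)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs


def verify_reply(packet, request_auth, secret):
    """Return True only if the reply was signed with the secret the client holds."""
    if len(packet) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def decode_avps(packet):
    """Return [(type, text value)] for the attributes after the 20-byte header."""
    avps, pos = [], 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        value = packet[pos + 2:pos + attr_len]
        # Tunnel attributes may start with a one-byte tag (values up to 0x1F); drop it.
        if attr_type == TUNNEL_PRIVATE_GROUP_ID and value and value[0] <= 0x1F:
            value = value[1:]
        avps.append((attr_type, value.decode("utf-8", "replace")))
        pos += attr_len
    return avps


def select_profile(avps):
    """First matching rule wins (assumed order); otherwise the default profile."""
    returned = set(avps)
    for key, profile in ASSIGNMENT_RULES:
        if key in returned:
            return profile
    return DEFAULT_PROFILE


def process_reply(packet, request_auth, secret):
    """Client-side handling of a reply: verify first, then read the attributes."""
    if not verify_reply(packet, request_auth, secret):
        return None   # reply is discarded, so the server appears not to answer
    return select_profile(decode_avps(packet))


# Constructed sample data.
SERVER_SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))   # normally 16 random bytes chosen by the client
SAMPLE_REPLY = build_reply(
    ACCESS_ACCEPT, 7, REQUEST_AUTH,
    [(FILTER_ID, b"students"), (TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"20")],
    SERVER_SECRET,
)

if __name__ == "__main__":
    print(process_reply(SAMPLE_REPLY, REQUEST_AUTH, SERVER_SECRET))               # matching secret
    print(process_reply(SAMPLE_REPLY, REQUEST_AUTH, b"constructed-typo-secret"))  # mismatched secret
```

With a mismatched secret the reply fails verification and is dropped, which is why a wrong shared secret appears under "Unable to reach RADIUS server" rather than as a rejected login.
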

Lab 7: Troubleshooting 802.1X

Network 360

Network 360º
Monitor View

• It typically takes 24 hours before Network 360º information can first be displayed in your ExtremeCloud™ IQ cloud account
• Watch embedded videos

Network 360º
Monitor View

• Click on any of the status cards for a detailed timeline view
• Select from the dropdown to move between the 7 different health views

Network 360º
Device Health

• Timeline display of the Device Health of the APs
• Flags for Channel Change Events, DFS Events and Power Mode Change Events
• Other info includes:
  • Reboots
  • CPU Utilization
  • Memory Utilization
  • Availability
  • Uptime
  • Alarms

Network 360º
Client Health

• Timeline display of the Client Health
• Overall score based on Wi-Fi Health, Network Health and Application Health
• Timeline display of the channel distribution of the clients
• Operational view of the number of spatial streams used by clients

Network 360º
Client Health

Operational views can be compared to the Maximum Client Capabilities of all the clients:
• Supported Channels
• Channel Width
• MU-MIMO support
• 802.11 technology
• WMM support
• Maximum Spatial Streams

Network 360º
Wi-Fi Health

• Timeline display of the Wi-Fi Health
• Overall score based on SNR, Channel Utilization and Associations per Radio score
• Click on a channel to see detailed data rate and retry statistics

Network 360º
Network Health

• Network Health timeline display
• Info includes:
  • Latency
  • Gateway availability
  • Multicast/Broadcast/Unicast

Network 360º
Services Health

• Timeline display of the key Services Health
• Info includes:
  • DHCP availability
  • DNS availability
  • NTP availability
  • Syslog availability

Network 360º
Application Health

Timeline display of the Applications Health

Network 360º
Security Health

Timeline display of the Security Health

Network 360º
Where’s My Data?

• Network 360º may require the latest versions of the IQE firmware on Extreme APs and other devices
• For the latest requirements, just click Where’s My Data?

RF Heat Maps

Network 360º
Plan View

• Earlier, we used the Network 360º Plan View for predictive modeling
• Floorplans can also be used to view real-time RF Heat Maps
• Requires real APs to be linked to the floorplans

Database Cleanup

• From Manage>Devices, create a filter
• Device Types: Uncheck All, Uncheck Real Devices
• Select Plan Devices

Warning: Please make sure that no real APs are selected or else they will be deleted in the next step

Database Cleanup

• From Manage>Devices, click All Pages
• Verify that all the Planner APs are selected
• Click the trashcan icon to delete the Planner APs

Warning: Please make sure that no real APs are selected or else they will be deleted in the next step

Database Cleanup

• Clear the filter
• Your real AP should still be listed

Warning: Verify that you did not accidentally delete the real APs

RF Heat Maps

• From Manage>Devices, select Assign Location
• Select Floor 1
• Click Assign
• Assigning a location can also be done from the Actions tab

RF Heat Maps

• Perform a Delta Update to your AP
• Once the update completes, navigate to ML Insights>Network 360 Plan

RF Heat Maps

• Select Floor 1
• View Heat Map
• Your AP should be displayed
• Click and drag your AP to different locations on the map. Notice the changes
• In a live deployment, they should be positioned in the location where the APs are mounted

Topology Maps
Best practices

• Do not confuse this practice with predictive modeling
• Linking real APs to floorplan maps makes filtering and monitoring much easier in ExtremeCloud™ IQ
• Linking real APs to floorplan maps is necessary and enhances monitoring for Network 360º and Client 360º views

Best Practice: It is highly recommended to link real APs to floorplan maps

Topology Maps
Best practices

• When linking real APs to floorplan maps, make sure they are positioned on the map where the APs are actually mounted
• Make sure maps/floorplans are to scale
• For best RF visualization results, draw walls and set attenuation values

Best Practice: It is highly recommended to link real APs to floorplan maps

Lab 8: RF Heat Maps

Extreme’s Private Pre-shared Key (PPSK)

Private Pre-Shared Key Overview

To put Extreme Private Pre-shared Key (PPSK) into context, we will first review a standard Pre-shared Key and 802.1X

WPA2 Personal
Static PSK Security

[Diagram: clients sharing Passphrase: BadOne123]

Consider a traditional PSK SSID:
• 8-63 character shared passphrase
• Never intended for use in the enterprise
• Susceptible to offline dictionary attacks
• Wi-Fi Alliance recommends 20 strong characters or more
• Biggest weakness is that the PSK credential is “static”

WPA2 Personal
Static PSK Security

[Diagram: AP and clients on SSID Corp-Wi-Fi, Authentication: WPA2 Personal, Shared Key: oUrKey / bEtteRkeY]

• All users and devices share the same static passphrase
• If a user leaves or a device is lost, for security reasons, the shared key must be changed, and every AP and client device will need to be reconfigured.

SSIDs with preshared keys have several advantages. They are easy to set up, are widely supported by clients, and do not require authentication servers, certificates, or extra configurations on the clients. Despite these benefits, the fact that all users on the same SSID must use the same key creates a few problems. If one user leaves or loses his or her wireless client, the preshared keys on the access points and all clients must be changed to protect the wireless LAN from unauthorized access.

WPA2 Personal
Static PSK Security

[Diagram: SSID Corp-Wi-Fi, Authentication: WPA2 Personal, Shared Key: oUrKey, User Profile: Profile-A; every client is labelled VLAN 10 and FW-Policy-5]

• All users and devices share the same user profile
• All users and devices are assigned to the same VLAN, firewall policy and other user traffic settings

Also, all users on the SSID must belong to the same user profile and, therefore, share the same QoS rate control and queuing policy, VLAN, tunnel policy, firewall policies, and schedules. It is not possible to provide different network policies to different users on the same SSID when applying PSK-based authentication.

802.1X/EAP Security

[Diagram: three clients, an AP and a RADIUS server on SSID Corp-Wi-Fi]

SSID: Corp-Wi-Fi
Authentication: WPA2 Enterprise (802.1X)
• User 1 password: d6#$%^98f
• User 2 password: 87fe@#$%a
• User 3 password: 90)356*&f

• 802.1X/EAP is the most secure authentication method
• All users get unique credentials
• If a user leaves or a device is lost, that user’s credentials are simply changed in LDAP

802.1X/EAP Security

[Diagram: clients, an AP and a RADIUS server on SSID Corp-Wi-Fi]

• User Profile-A: VLAN 10, FW-Policy-5
• User Profile-B: VLAN 20, FW-Policy-6
• User Profile-C: VLAN 30, FW-Policy-7

• Multiple user profiles can be linked to a single SSID
• RADIUS attributes can be leveraged to assign different groups of users to different user traffic settings

802.1X/EAP Security

[Diagram: Client, AP, RADIUS and LDAP, labelled with EAP]

• Most secure authentication method
• Ideal for the enterprise – every user has unique credentials
• Certificates and PKI needed
• Can be difficult to deploy
• Can be difficult to troubleshoot
• Not necessarily ideal for IoT devices or guest access

Private Pre-Shared Key (PPSK)

[Diagram: three clients, an AP and a RADIUS server on SSID Corp-Wi-Fi]

SSID: Corp-Wi-Fi
Authentication: Private PSK
• PPSK1: d6#$%^98f
• PPSK2: 87fe@#$%a
• PPSK3: 90)356*&f

• All users and devices have unique credentials
• If a user leaves or a device is lost, the PPSK credential is simply changed for that one user or device

Private Pre-Shared Key (PPSK)

[Diagram: clients, an AP and a RADIUS server on SSID Corp-Wi-Fi]

• User Profile-A: VLAN 10, FW-Policy-5
• User Profile-B: VLAN 20, FW-Policy-6
• User Profile-C: VLAN 30, FW-Policy-7

• Multiple user profiles can be linked to a single SSID
• PPSK User Groups can be leveraged to assign different groups of users or devices to different user traffic settings

Map User Profiles to User Groups

• You also have the option to link multiple User Profiles to a single SSID
• You can map different PPSK User Groups to different User Profiles

Private Pre-Shared Key (PPSK)

• Multiple per-user and per-device PSKs assigned to a single SSID
• Easy to deploy
• No need for PKI, certificates or RADIUS servers
• Can be time-based credentials
• Solves the “static” PSK problem

PPSK Use Cases

• Guest Access: Provide guest users with unique and secure credentials
• BYOD: Onboarding personal and/or company issued mobile devices with unique and secure credentials
• IoT Devices: Provide unique and secure credentials for IoT devices. Many IoT devices only support WPA2 Personal (PSK)

User Groups

• As an Administrator you can configure Users and User Groups
• Each User belongs to a certain User Group
• A User Group defines what kind of credentials will be used and where they will be stored
• DB Location: credentials can be stored in the Cloud
• Credentials can be stored on an Extreme AP (Local/Device)
• Credentials can be PPSK
• Credentials can be RADIUS-based (user name/password)

User Groups
PPSK local device storage

User Group/PPSK configuration:
• Strength of PPSK credentials can be configured
• Credentials can be either valid between certain dates or set to never expire.
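
A conceptual model of the per-user keys, user groups and validity dates described above, added here as a Python example; it is not Extreme's implementation. The group names, user names and dates are constructed, the three keys are the sample values from the PPSK slide, and the direct lookup by derived PMK stands in for the 4-way handshake check, since an AP never receives the passphrase itself.

```python
import hashlib
from datetime import datetime

SSID = "Corp-Wi-Fi"   # SSID used on the course slides


def derive_pmk(passphrase, ssid):
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 256 bits."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8-63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


class PpskStore:
    """Toy credential store: one key per user, grouped, with optional validity dates."""

    def __init__(self, ssid, group_profiles):
        self.ssid = ssid
        self.group_profiles = group_profiles   # PPSK User Group -> User Profile
        self.entries = {}                      # derived PMK -> credential record

    def add_user(self, user, group, passphrase, valid_from=None, valid_until=None):
        if group not in self.group_profiles:
            raise KeyError("unknown user group: " + group)
        pmk = derive_pmk(passphrase, self.ssid)
        if pmk in self.entries:
            raise ValueError("key already issued; every PPSK must be unique")
        self.entries[pmk] = {"user": user, "group": group,
                             "valid_from": valid_from, "valid_until": valid_until}

    def revoke(self, user):
        """Remove one user's key; every other credential stays valid."""
        before = len(self.entries)
        self.entries = {k: e for k, e in self.entries.items() if e["user"] != user}
        return before - len(self.entries)

    def authorize(self, passphrase, now):
        """Return (user, user profile) for a currently valid key, else None."""
        try:
            entry = self.entries.get(derive_pmk(passphrase, self.ssid))
        except ValueError:
            return None
        if entry is None:
            return None
        if entry["valid_from"] and now < entry["valid_from"]:
            return None
        if entry["valid_until"] and now > entry["valid_until"]:
            return None
        return entry["user"], self.group_profiles[entry["group"]]


def build_demo_store():
    """Constructed sample: three groups mapped to the slide's three user profiles."""
    store = PpskStore(SSID, {"Employees": "Profile-A",
                             "IoT": "Profile-B",
                             "Guests": "Profile-C"})
    store.add_user("user1", "Employees", "d6#$%^98f")   # never expires
    store.add_user("device2", "IoT", "87fe@#$%a")       # never expires
    store.add_user("guest3", "Guests", "90)356*&f",     # valid during dates
                   valid_from=datetime(2021, 4, 1), valid_until=datetime(2021, 4, 2))
    return store


if __name__ == "__main__":
    demo = build_demo_store()
    noon = datetime(2021, 4, 1, 12, 0)
    print(demo.authorize("d6#$%^98f", noon))
    print(demo.authorize("90)356*&f", datetime(2021, 4, 3)))   # guest key expired
    demo.revoke("device2")
    print(demo.authorize("87fe@#$%a", noon), demo.authorize("d6#$%^98f", noon))
```

With a static PSK every client derives the same PMK from the one passphrase and the SSID, so there is nothing to revoke per user; here each key maps to its own record, group and profile.
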

User Groups
Cloud storage

User Group/PPSK configuration:
• More options with Cloud
• PPSK expiration options include:
  • Never Expire
  • Valid During Dates
  • Daily
  • Valid for Time Period
• Delivery Settings:
  • Text Messages (SMS)
  • Email

PPSK Credentials
Local device storage

[Diagram labels: PPSK, Push user accounts, Big Data Processing, Data Store, User DB, CAPWAP Server]

Option 1: Locally on Extreme Device
• PPSK users created in ExtremeCloud™ IQ and uploaded to APs
• Supports up to 1,000 users per User Group (10,000 users total)
• PPSK user accounts are pushed to the APs
• User Groups and User Profiles are stored locally on AP

PPSK Credentials
Local device storage

[Diagram label: User DB]

When to use local storage of PPSK credentials?
• Survivability in case of WAN failure:
  • Infrastructure devices (printers, TVs, scanners…)
  • VIP users
  • Critical devices (manufacturing...)
• Small sites with unreliable WAN:
  • Could also be used for Personal Device and Guest Access

PPSK Cloud Storage

[Diagram labels: PPSK, AP, RADSEC, Authentication Services, Big Data Processing, Data Store, CAPWAP Server]

Option 2: Cloud
• PPSK credentials are sourced from cloud servers
• RadSec needs to be permitted between Extreme AP and ExtremeCloud™ IQ
• RadSec uses TLS encryption
• TCP port 2083 needs to be open in outbound firewall policies

RadSec Proxies

[Diagram labels: PPSK, AP, Proxies, RADSEC, Authentication Services, Big Data Processing, Data Store, CAPWAP Server]

• RadSec proxy selection is automatic
• Two APs are dynamically elected as RadSec proxies on every management subnet

Secure Access with Cloud PPSK

[Diagram: Client, AP, RadSec Proxy AP, Internet; PPSK]

• Client starts PSK authentication with an AP using a unique PPSK credential
• Original AP contacts the RadSec proxy APs on the management subnet
• RadSec Proxy AP queries cloud storage servers via encrypted RadSec tunnel

Secure Access with Cloud PPSK

[Diagram: Client, AP, RadSec Proxy AP, Internet]

• Cloud servers send pairwise master key (PMK) to proxy AP
• RadSec proxy AP distributes PMK to neighboring APs
• This ensures that the client device can securely roam between access points

Secure Access with Cloud PPSK

[Diagram: Client, AP, RadSec Proxy AP, Internet]

• Original AP and client device complete 4-Way Handshake
• Unicast and broadcast encryption keys are installed
• The client device joins the WLAN

Identity APIs

• Identity APIs can be used to create your own custom applications to onboard PPSK credentials

RadSec Proxy troubleshooting

• The RadSec Proxy icon indicates APs that are proxies: Monitor > Devices
• Also, a CLI command can be used from any AP to see which of the RadSec proxies is being used by that AP: show idm

RadSec Proxy troubleshooting

• TCP port 2083 needs to be open on outbound firewall policies
• No GUI-based RadSec test tool yet
• RadSec test tool available from CLI: exec aaa idm-test radsec-proxy

PPSK Advanced Settings

PPSK offers many other optional and advanced settings:
• With Local PPSK, device MAC address can be bound to the PPSK credential
• PPSK can also be used for network micro-segmentation with Extreme Private Client Groups
• Supplemental slide decks are available to learn more about Private Client Groups

Selecting fewer than 3 devices can prevent users from connecting essential devices (laptop, tablet, phone) whereas more than 3 can allow unauthorized key sharing among users

Monitor Users

• Manage>Users:
• Locate your User Name in the list and click it
• Because PPSK offers unique credentials we can monitor clients at the user level as well as the device level

View Details

• Take a minute and explore the information, including location, devices and application reported for your user
• Click X to close this window

Lab 9: Create a PPSK SSID

Lab 10: Create Guest Users

Radio Profiles

Object Power

[Diagram: AP Device Template; WiFi0 interface and WiFi1 interface; WiFi0 radio profile and WiFi1 radio profile; SDR Profile (Optional); 5 GHz, 2.4 GHz]

In later sections of the courseware, you will learn about AP Device Templates and their relationship to Radio and SDR Profiles

Default Radio Profiles

Radio Profiles

• Radio Profile objects are used to assign advanced Wi-Fi settings to the radio interfaces in an access point
• One radio profile is used for the WiFi0 interface (normally 2.4 GHz)
• One radio profile is used for the WiFi1 interface (5 GHz)

Radio Profiles

Radio profile settings include:
• Power thresholds (ACSP)
• Adaptive channel switching (ACSP)
• Band steering
• Load balancing
• Scan intervals
• Channel width (5 GHz only)
• DFS channels (5 GHz only)
• Short guard interval
• More

Radio Profiles

• Radio profiles can be linked to the radio interfaces within the device specific settings of a single AP
• Radio profiles can also be assigned to multiple APs using multi-select…

Radio Profiles

• However, the best method to assign radio profiles to multiple APs is via AP Device Templates
• Templates allow administrators to quickly deploy multiple APs with global settings

*Cloud Config Groups can be used to assign different templates with different radio profiles to different groups of APs within a single network policy

Note: *The power of Cloud Config Groups will be discussed later in class

Radio Profiles
Modes

• 2.4 GHz = b/g (Legacy mode)
• 2.4 GHz = g/n
• 2.4 GHz = ax
• 5 GHz = a (Legacy mode)
• 5 GHz = a/n
• 5 GHz = ac
• 5 GHz = ax

Radio Profiles
Transmission power floor and Max Drop - ACSP Thresholds

The Extreme dynamic RF protocol:
• Automatic Channel Selection Protocol (ACSP) by default
• Transmission Power Floor
  • Sets the minimum transmit power for automatic adjustment
  • Default: 5 dBm; Range: 2-20 dBm
• Transmission MaxDrop
  • Sets the maximum drop in transmit power
  • Default: 9 dBm; Range: 0-20 dBm

Background Scan

Best Practice: In most cases, the default settings for background scanning are recommended

• By default, all APs perform background scans every 10 minutes to evaluate the RF environment for the ACSP adaptive channel & power protocol
• Background scanning is also used for WIPS

Manual Channel Selection and Manual Power Setting
Limit Channel Selection

Best Practice: With some rare exceptions, the default of Auto Channel Selection and power setting is used.

Channel Selection
Limit Channel Selection

Best Practice: With some rare exceptions, the default channels of 1, 6 and 11 should always be used for channel selection in the 2.4 GHz frequency band.

Defines the default channels used by the ACSP protocol for assigning channels

Exclude Channels 2.4 GHz
Limit Channel Selection

Best Practice: With some rare exceptions, the default of all available channels should always be used for channel selection in the 2.4 GHz frequency band.

Defines the default channels used by the ACSP protocol for assigning channels

Exclude Channels 5 GHz
Limit Channel Selection

Best Practice: In Europe and some other countries, it is recommended to disable UNII-3 Channels

Defines the default channels used by the ACSP protocol for assigning channels

Exclude Channels from Auto Selection

• Some older client devices do not support channel 144. Channel 144 can be excluded from plan.
• Channels 149 and 153 might be other 5 GHz channels to exclude to avoid interference with Apple TVs using AirPlay. See QR Code

Transmit Power Control (TPC)
802.11h

• Extreme APs support transmit power control (TPC)
• Clients that support TPC can adjust their power to match the AP transmit power
• Helps reduce contention interference caused by clients

Warning: TPC must also be supported by the client devices

Warning: Some legacy clients may have connectivity issues when TPC is enabled

Transmit Power Control (TPC) 802.11h
Limit Channel Selection

TPC is disabled by default. Two options: auto or manual

Best Practice: Enabling TPC can disadvantage older client devices. Enable only if required

Channel Selection
Dynamic Switching - ACSP

[Diagram: neighboring APs on Channel 1, Channel 6 and Channel 11]

• By default, Extreme APs use the cooperative-control protocol, ACSP, to dynamically change channels if RF conditions change
• This is true for both 2.4 GHz and 5 GHz
• Adaptive channel changes can be scheduled based on a variety of RF conditions and/or based on a percentage of corrupted traffic

Channel Selection
Dynamic Switching - ACSP

Channel 100 Cost: 38
Probability factor: -3
Channel deduction: 0 (CU: 9%, TxU: 0%, IU: 4%, CRC: 3%)
Neighbor adjustments: 41
Neighboring access points: 3
Maximum RSSI among same hive neighbors: 50
Aggregate interference 35
Interference number: 1
Penalty on channel: 66
Wide channel penalty: 66
Overlapping channel adjustments: 0
Tx power limit adjustments: 0 (Max Tx power: 24 dBm)
Radar Cost: 0;Radar Term Left: 0000:00:00;Radar Cost Offset: 0

Slide callouts: Channel Utilization Cost, Neighbor Cost, Overlap Cost, Power Cost, Radar Cost

• This is an example of some of the costs and thresholds used in the ACSP protocol
• The inner workings of the protocol are beyond the scope of this class
• CLI command: show acsp channel-info detail

Channel Selection
Dynamic Switching

• Throughout the day, APs perform background scanning to gather wireless statistics about all the active channels within radio range.
• At the scheduled re-evaluation for their calculations, the APs might opt to switch channels or remain on the same one.

APs select channels automatically at boot-up using ACSP

Channel Selection
Dynamic Switching

Best Practice: Use this setting carefully so as not to encourage excessive channel-flapping.

• Additionally, APs can dynamically change channels later based on a CRC threshold
• If a very high percentage of the traffic is corrupted, it might be a good idea to change channels

Band Steering Animation

[Animation labels: 2.4GHz Client; 2.4GHz Probe; 2.4GHz Response; Connected @ 2.4GHz]

The 5 GHz band has more available channels and is generally used less than the 2.4 GHz band.

Band Steering Animation

[Animation labels: 2.4GHz & 5GHz Client (Out of range of 5GHz); 2.4GHz & 5GHz Probe; 2.4GHz & 5GHz Response; Connected at 2.4GHz]

By steering some clients with 5 GHz radio support to that band, APs can provide
opportunities for better throughput to those clients operating in the quieter 5 GHz
spectrum while also easing congestion for other clients remaining in the 2.4 GHz spectrum.
Neighboring members perform band steering by suppressing responses to probe and
association requests on their 2.4 GHz radios to clients that are also probing in the 5 GHz
band. When the number of clients associated with all neighbors on their 5 GHz radios
reaches their load limits, the APs suspend band steering. They automatically resume it
again when their 5 GHz radios are no longer overloaded.

Band Steering Animation

[Animation labels: 2.4GHz & 5GHz Client (In range of 5GHz); 2.4GHz & 5GHz Probe; 5GHz Response; Connected at 5GHz]

The APs also allow you to load balance clients between 2.4 GHz and 5 GHz, if so desired, by
using band steering in the balance-band mode.

Load Balancing

[Figure labels: 3 clients, 6 clients, 60 clients, 21 clients]

Load Balancing

[Figure labels: 21 clients, 21 clients, 24 clients, 21 clients]

Radio Profile
Load Balancing Use Case

Load Balancing is often beneficial in very high density deployments where there are multiple APs with omni-directional antennas deployed in the same open area, e.g. gymnasiums, lecture halls, auditoriums and cafeterias

Warning
If roaming is a requirement, Load Balancing should NEVER be used

Best Practice
Use this setting only in the environment described in this slide

Radio Profile
Load Balancing Use Case – Provide WiFi capacity for a large lecture hall

• You place one AP
• Testing shows that one AP is not enough to meet capacity needs.
• You place additional APs and lower the power on their radios to only cover this room.
• Enable client load-balancing as long as roaming is not a requirement.

Radio Profiles
Advanced Radio Settings

• The default advanced radio settings are usually optimal
• In most cases you should not adjust these settings unless you have consulted with Extreme technical support

Radio Profiles, 5 GHz

• The majority of the settings for a 5 GHz radio profile are the same as a 2.4 GHz radio profile

Note
We will now discuss settings that may be unique to 5 GHz

5 GHz Channels

Band edges (GHz): 5.150, 5.250, 5.350, 5.470, 5.725, 5.825, 5.850
Bands: U-NII-1, U-NII-2A, U-NII-2C, U-NII-3

20 MHz channels: 36 40 44 48 52 56 60 64 100 104 108 112 116 120 124 128 132 136 140 144 149 153 157 161 165
40 MHz channels: 38 46 54 62 102 110 118 126 134 142 151 159
80 MHz channels: 42 58 106 122 138 155
160 MHz channels: 50 114

5 GHz Radio Profiles
Channel Bonding

[Figure: 5 GHz band edges at 5.150, 5.250, 5.350, 5.470, 5.725 and 5.825 GHz; bands UNII-1, UNII-2, UNII-2e, UNII-3]

Best Practice
20 MHz channels should normally be used
40 MHz channels can sometimes be used if the dynamic frequency selection (DFS) channels are enabled

The 40 MHz channels used by HT and VHT radios are essentially two 20 MHz OFDM
channels that are bonded together. Each 40 MHz channel consists of a primary and
secondary 20 MHz channel. The primary and secondary 20 MHz channels must be adjacent
20 MHz channels in the frequency band in which they operate.

5 GHz Radio Profiles
Channel Width

Best Practice
80 MHz wide channels should only be used as a home solution with one AP and never in an enterprise
where high capacity coverage and roaming are goals
For enterprise deployments, select 20 MHz (or 40 MHz at most)

Bond, Channel Bond
Best Practice

• Only use 40 MHz if DFS channels are available
• Only use with thick walls
• Might not use in multiple floors
• 80 MHz does not scale in the enterprise

Disable the UNII-3 Channels

[Figure: 5 GHz channel chart, 5.150 to 5.850 GHz, channels 36 to 165 across U-NII-1, U-NII-2A, U-NII-2C and U-NII-3]

• In the EU, many legacy clients cannot support the channels in the UNII-3 band
• This is a quick and easy way to keep all the UNII-3 channels from being selected for use by the ACSP protocol

Dynamic Frequency Selection (DFS)
1/2

[Figure: 5 GHz channel chart, 5.15 to 5.850 GHz, channels 36 to 165 across U-NII-1, U-NII-2A, U-NII-2C and U-NII-3, with "Weather radar" and "Dynamic Frequency Selection" markers]

• The channels in the U-NII-2 & UNII-2e bands are known as the dynamic frequency selection (DFS) channels.
• WLAN radios operating in these 5 GHz bands must support DFS to prevent WLAN communications from interfering with military or weather radar systems.

Dynamic Frequency Selection (DFS)
2/2

[Figure: 5 GHz channel chart, 5.15 to 5.850 GHz, channels 36 to 165 across U-NII-1, U-NII-2A, U-NII-2C and U-NII-3, with "Weather radar" and "Dynamic Frequency Selection" markers]

If radar pulses are detected in any of these DFS channels, access points
and clients are not allowed to transmit on the same channel

Radio Profiles, 5 GHz
Radio Load Balancing

[Figure labels: 5 GHz: Channel 40; 5 GHz: Channel 100]

• Sometimes when an AP is operating in Dual 5 GHz mode, one radio is busier than the other. For example, the radio with the lower channel number may have more associated clients than the other radio.
• Turn on Radio Load Balancing to evenly distribute clients across both radios.

Radio Profiles
Radio Load Balancing

Best Practice
When APs are configured for Dual 5 GHz, it is highly recommended to enable Radio Load Balancing to
evenly distribute clients across both 5 GHz radios

Radio Profiles and AP Device Templates

Radio Profiles can be assigned to:
• Individual APs at the device level
• Multiple APs via multi-select from Manage>Devices
• Multiple APs via AP Device Templates

Best Practice
The best way to assign Radio Profiles to multiple APs is with AP Device Templates
Cloud Config Groups and classification rules can also be used to assign different AP Templates and
different Radio Profiles to different groups of APs

Tying it all together

[Diagram: AP Device Template; WiFi0 interface with WiFi0 radio profile; WiFi1 interface with WiFi1 radio profile; SDR Profile (Optional); 5 GHz; 2.4 GHz]

In later sections of the courseware, you will learn about AP Device Templates and their
relationship to Radio and SDR Profiles

Lab 11: Radio Profiles

Device Templates

AP Device Templates

• Within the guided configuration of every Network Policy is the tab for Device Templates
• ExtremeCloud™ IQ allows administrators to create templates to define global radio and Ethernet settings for all models of Access Points (APs)

AP Device Templates
Radio Settings

• Each AP device template has a visual representation of the WiFi 0 and WiFi 1 radio interfaces
• An administrator can then define "template" radio settings

AP Device Templates

• Radios can be turned on (default) or off
• Radio Profiles can be assigned
• Radio Usage can be Client Mode, Client Access, Backhaul Mesh Link, or Sensor
• SDR can be enabled (default) or disabled and SDR Radio Profile assigned
• Channel can be set to Auto (default) or a static channel.
• Exclude channels can be set
• Tx Power can be set to Auto (default) or to a static power setting

AP Device Templates
Ethernet Settings

• Each AP device template has a visual representation of the Ethernet ports
• An administrator can then define "template" wired port settings

AP Device Templates
Ethernet Settings

• Transmission Type, Speed and STP (some models) can be configured
• Port Type can be set to Uplink, Access, or Trunk
• Ports can be turned on (default) or off
• Native VLAN and allowed VLANs are configured in port types

AP Port Types
Configured under Device Templates or locally on the device

• Uplink Port
  - Use this option when connecting the AP to the WAN.
• Access Port
  - Use this option when the AP is working in client access mode and is connected to a forwarding device like a switch that supports multiple VLANs.
• Trunk Port
  - Use this option when connecting the AP in bridge mode to a forwarding device such as a switch that supports multiple VLANs

AP Device Templates
Radio Settings

• AP Device Templates are most often used for the radio settings
• Templates allow administrators to quickly deploy multiple APs with global settings
• Templates simplify AP onboarding and auto-provisioning

Note
*Cloud Config Groups (CCG) can be used to assign different templates to different groups of APs within a single network policy
**The power of Cloud Config Groups will be discussed later in class

Individual AP Radio Settings

• All of the settings found in AP device templates can also be configured at an individual device level in each AP’s device specific settings
• For example: A static channel and power setting could be defined as an override for a single AP in the WiFi0 or WiFi1 interface.

AP Device Templates
Radio Settings

Templates can be used to define global radio settings:
• Toggle between the 2.4 GHz and 5 GHz radio tabs
• Radio Profile: Select a pre-defined radio profile

Note
The best way to assign radio profiles is with AP templates

AP Device Templates
Radio Usage

Radio Usage options:
• Client Access is the default setting that allows Wi-Fi client connectivity
• Backhaul Mesh Link enables the radio to function as either a mesh point or mesh portal
• Selecting both options allows for mesh and client connectivity at the same time

Mesh

[Figure labels: Mesh portals; Mesh points]

Wireless user traffic can be routed to the wired network via a mesh
backhaul, reducing installation cost and providing fault tolerance.

Mesh

By default, if each Extreme AP is an access portal (Ethernet connected), it selects a different channel for its mesh / access interface so that more bandwidth is available for clients

Mesh

The channel map shows two Extreme APs meshed together using
channel 153 and two Extreme APs meshed together using channel 161

Mesh

Best Practice
When configuring mesh it is highly recommended to use static channel and power settings

Note
*Current bug in WiFi1 (5 GHz) tab of the AP device template. Cannot set static channel settings.
*Please note that all channel and power settings will soon be moving to RADIO PROFILES

AP Device Templates
Radio Usage

Radio Usage options:
• Sensor - The radio will function as a full-time listening sensor for Presence Analytics or WIPS. You must also enable Presence Settings in the Device Specific Settings of each AP

Presence Analytics will be discussed later in class

AP Device Templates
Channel and Power

• Typically the defaults for the automatic selection of channel and power settings are used in AP device templates
• However: A static channel and power setting could be defined for a device template and globally applied to multiple APs.
• Example use case: Mesh

Note
*Current bug in WiFi1 (5 GHz) tab of the AP device template. Cannot set static channel settings.
*Please note that all channel and power settings will soon be moving to RADIO PROFILES

AP Device Templates
SDR Profiles

SDR (Software Defined Radio) profiles can be assigned to AP Templates
• Select the WiFi0 tab
• Enable SDR (Software Defined Radio)
• Select the SDR Profile from the dropdown

AP Device Templates
Wired Interfaces

• Ethernet interfaces can also be enabled or disabled
• VLAN settings of the Network Policy can be overridden
• Transmission Type and Speed normally should be selected automatically
• Default settings are normally used

AP Device Templates
Wired Interfaces

• Default settings are normally used
• VLAN settings of the Network Policy can be overridden
• Make sure Native VLAN matches switch Native VLAN
• Transmission Type and Speed normally should be selected automatically

AP Device Templates
Wired Interfaces

• AP Ethernet ports are, by default, Uplink Ports, which function as Trunk ports
• The ‘all’ option does not mean that you are allowing all possible VLANs from 1 to 4095 on the trunk ports. Instead, it means that all VLANs that are configured in the network policy are allowed. For example, if the network policy uses VLANs 1 (the native VLAN), 110, 120, and 200, then only traffic for VLANs 1, 110, 120, and 200 will traverse the trunk link

AP Device Templates
Advanced

• Specific Firmware can be defined in AP device templates
• This makes auto-provisioning firmware very easy when APs are assigned a Network Policy

AP Device Templates
Tying it all together

[Diagram: AP Device Template; WiFi0 interface with WiFi0 radio profile; WiFi1 interface with WiFi1 radio profile; SDR Profile (Optional); 5 GHz; 2.4 GHz]

In the next lab you will link your Radio Profiles to AP Device Templates

Lab 12: AP Device Template

Software Defined Radio (SDR)

Multi-room Design

• In many high-density WLAN designs, disabling multiple 2.4 GHz radios in dual-frequency APs is often necessary to limit CCI in the 2.4 GHz band.
• One AP may be deployed per room to provide for adequate 5 GHz coverage and to meet capacity needs.
• However, 60–75 percent of the 2.4 GHz radios might be disabled.

Software Defined Radio
Dual Band APs

[Figure: Radio #1: Fixed, 2.4 GHz, Ch 6; Radio #2: Fixed, 5 GHz, Ch 40]

Non-Dual 5 GHz APs – 2.4 GHz radios may power off automatically

Dual 5 GHz WLAN design

[Figure: Radio #1: SDR, 5 GHz: Ch 100; Radio #2: Fixed, 5 GHz: Ch 40]

• Many Extreme APs have a software-defined radio (SDR) along with a fixed 5 GHz radio within a dual-frequency AP
• The radio that has SDR functionality can operate as either a 2.4 GHz or a 5 GHz radio
• This means a dual-radio AP can either offer 2.4 GHz and 5 GHz coverage or offer coverage on two different 5 GHz channels

Software Defined Radio
Dual 5 GHz APs

[Figure: Radio #1: SDR, 2.4 GHz, Ch 6; Radio #2: Fixed, 5 GHz, Ch 40]

SDR radio can switch between 2.4 GHz and 5 GHz

Software Defined Radio
Dual 5 GHz APs

[Figure: Radio #1: SDR, 5 GHz, Ch 100; Radio #2: Fixed, 5 GHz, Ch 40]

SDR radio can switch between 2.4 GHz and 5 GHz

Dual 5 GHz WLAN design

[Figure: Radio #1: SDR, 5 GHz: Ch 100; Radio #2: Fixed, 5 GHz: Ch 40]

Dual 5 GHz design rules:
• 3x channel bandwidth - frequency separation between these two 5 GHz radios on each AP.
• If possible, pair DFS channels with non-DFS channels
• Careful 2-dimensional consideration for 5 GHz channel plan

Dual 5 GHz WLAN design

Dual 5 GHz design rules:
• ACSP uses 60 MHz of separation for two radios using 20 MHz channels
• The more separation the better
• FCC does not permit channels in the same U-NII band
• Try to avoid using dual 5 GHz with 40 MHz channels

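The dual 5 GHz design rules above can be checked mechanically for a proposed channel pair. The following is an added example, not code from the courseware or from Extreme: it assumes separation is measured between channel centers (5000 + 5 x channel MHz), uses the band edges from the 5 GHz channel chart, and the function names are illustrative.

```python
# Added example: checks a dual 5 GHz channel pair against the slide's design rules.
BANDS_MHZ = {                      # band edges as drawn on the 5 GHz channel chart
    "U-NII-1": (5150, 5250),
    "U-NII-2A": (5250, 5350),
    "U-NII-2C": (5470, 5725),
    "U-NII-3": (5725, 5850),
}
DFS_BANDS = {"U-NII-2A", "U-NII-2C"}   # the slides call these U-NII-2 and UNII-2e


def center_mhz(channel):
    """5 GHz channel number -> center frequency in MHz."""
    return 5000 + 5 * channel


def band_of(channel):
    """Name of the U-NII band that contains the channel's center frequency."""
    freq = center_mhz(channel)
    for name, (low, high) in BANDS_MHZ.items():
        if low <= freq < high:
            return name
    raise ValueError(f"channel {channel} is outside the charted 5 GHz bands")


def check_pair(ch_a, ch_b, width_mhz=20):
    """Return (violations, advisories) for the two radios of one AP.

    Assumption: "3x channel bandwidth" is measured center to center, which
    gives the 60 MHz the slide quotes for 20 MHz channels.
    """
    violations, advisories = [], []
    separation = abs(center_mhz(ch_a) - center_mhz(ch_b))
    if separation < 3 * width_mhz:
        violations.append("separation")        # less than 3x channel width
    if band_of(ch_a) == band_of(ch_b):
        violations.append("same-band")         # both radios in one U-NII band
    if (band_of(ch_a) in DFS_BANDS) == (band_of(ch_b) in DFS_BANDS):
        advisories.append("no-dfs-pairing")    # not a DFS / non-DFS pair
    if width_mhz >= 40:
        advisories.append("wide-channel")      # dual 5 GHz with 40 MHz or wider
    return violations, advisories


def best_partner(fixed_channel, candidates, width_mhz=20):
    """Pick the SDR channel for a fixed radio: no violations, fewest
    advisories, then the largest separation ("the more separation the better")."""
    ranked = []
    for ch in candidates:
        violations, advisories = check_pair(fixed_channel, ch, width_mhz)
        if not violations:
            separation = abs(center_mhz(ch) - center_mhz(fixed_channel))
            ranked.append((len(advisories), -separation, ch))
    return min(ranked)[2] if ranked else None


if __name__ == "__main__":
    # The pairing drawn on the slides: fixed radio on Ch 40, SDR radio on Ch 100.
    print(check_pair(40, 100))
    print(check_pair(36, 48))      # same U-NII band
    print(check_pair(48, 52))      # adjacent channels across a band edge
    print(best_partner(40, [44, 52, 100, 149, 161]))
```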
SDR Radio Profile
Initial ACSP Process

[Flowchart labels: ACSP STARTS; Channels are assigned to both radios (WiFi0: 2.4GHz, WiFi1: 5GHz); SDR STARTS; RF Redundancy Detection Algorithm; Above threshold? (YES / NO); WiFi0 stays on 2.4GHz; Assign WiFi0 to 5GHz; Ensure channel separation; Final channels and Tx-Powers are assigned; Power Selection, Both WiFi0 and WiFi1; ACSP-SDR COMPLETES]

ACSP assigns 2.4GHz to WiFi0.
ACSP assigns channel and power to WiFi1.
A complex algorithm is running in the background to determine whether interface wifi0
needs to stay on 2.4GHz or switch to 5GHz band.
Only enable SDR if all devices on the network can support both 2.4GHz and 5GHz.
If you have some devices that support 2.4GHz ONLY, do NOT enable SDR; instead, assign
interface wifi0 to 2.4GHz.

SDR for APs for Dual 5 GHz

• Once an SDR profile has been defined, it should be linked globally to the appropriate AP Device Template
• An SDR profile can also be linked in the device-specific settings of an individual AP
• Dual 5 GHz APs and all 11ax APs support SDR

Lab 13: SDR Profile for Dual 5 GHz

Cloud Config Groups (CCG) & Classification Rules

Cloud Config Groups (CCG)

• APs may be grouped based upon need from all over your entire enterprise.
• CCG can be used to assign: VLANs, CWP, SSIDs, Radio Profiles, Time Zones, Device Templates, and more to come!

Note
By using Cloud Config Groups together with classification rules, a single network policy can be tailored for
specific groups of devices. This makes configuration and management much easier for customers with
multiple locations where devices may have different configuration needs.

Cloud Config Groups

Cloud Configuration Groups allow IT managers to create a single network policy that can span the entire enterprise network while keeping management simplified

Cloud Config Groups

• A Cloud Config Group (CCG) is simply an object comprised of selected devices such as APs, switches, branch routers, etc.
• CCGs can be configured from either the object management menu or within the guided configuration of a Network Policy

Cloud Config Groups

By using Cloud Configuration Groups together with classification rules, a single network policy can be tailored for specific groups of devices

Classification Rules

• Classification Rules are a method of assigning objects within a Network Policy based on different variables.
• A single Network Policy can be used for multiple distributed locations. A network policy can scale globally.
• Can be used with VLAN objects, Time Zone objects, RADIUS objects, DNS objects, CWP objects, SSID objects, Device Template objects and more.

Classification Rules

Classification rule variables include
• Device location (topology maps)
• Cloud Config Groups
• IP Address
• IP Subnet
• IP Range

Classification Rules

• A classification rule object can have multiple rules
• Classification rule variables can be mixed within the rules
• Rules take precedence from top to bottom
• First match determines the action

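Because rules are evaluated top to bottom and the first match wins, a broad rule placed above narrower ones silently overrides them. The sketch below is an added example, not ExtremeCloud IQ code: it models the five rule variables listed above, uses the addresses and group names from the courseware figures as constructed inventory, and assumes a fallback value is used when no rule matches and that a location rule covers everything beneath it on the map.

```python
# Added example: first-match evaluation of classification rules.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    name: str
    ip: str
    location: str = ""
    ccgs: frozenset = frozenset()


@dataclass(frozen=True)
class Rule:
    kind: str       # "location", "ccg", "ip", "subnet" or "range"
    value: object   # a string, or a (first, last) tuple for "range"
    assign: object  # object handed to the device when the rule matches


def matches(rule, dev):
    """True if the device satisfies this rule's variable."""
    ip = ipaddress.ip_address(dev.ip)
    if rule.kind == "location":
        # Assumption: a location rule also covers everything below it on the map.
        return dev.location == rule.value or dev.location.startswith(rule.value + "/")
    if rule.kind == "ccg":
        return rule.value in dev.ccgs
    if rule.kind == "ip":
        return ip == ipaddress.ip_address(rule.value)
    if rule.kind == "subnet":
        return ip in ipaddress.ip_network(rule.value)
    if rule.kind == "range":
        first, last = (ipaddress.ip_address(v) for v in rule.value)
        return first <= ip <= last
    raise ValueError(f"unknown rule kind: {rule.kind}")


def first_match(rules, dev):
    """Index of the first rule (top to bottom) that matches, else None."""
    for index, rule in enumerate(rules):
        if matches(rule, dev):
            return index
    return None


def classify(rules, dev, default):
    """Value assigned to the device; 'default' (an assumption) if nothing matches."""
    index = first_match(rules, dev)
    return default if index is None else rules[index].assign


def never_first_match(rules, inventory):
    """Indices of rules that are not the deciding rule for any device."""
    deciding = {first_match(rules, dev) for dev in inventory}
    return [i for i in range(len(rules)) if i not in deciding]


# Constructed inventory using the addresses and groups from the courseware figures.
AP_1 = Device("AP-1", "10.5.8.99", "SJC/Floor1", frozenset({"Group 1"}))
AP_2 = Device("AP-2", "10.5.10.99", "SFO/Floor1", frozenset({"Group 2"}))
INVENTORY = [AP_1, AP_2]

# Mixed variables in one rule object: a CCG rule, then a subnet rule.
USER_VLAN_RULES = [Rule("ccg", "Group 1", 8), Rule("subnet", "10.5.10.0/24", 10)]
# Same rules with a broad IP range rule placed on top: it decides every device.
SHADOWED_RULES = [Rule("range", ("10.5.8.1", "10.5.10.254"), 20)] + USER_VLAN_RULES
# Hypothetical captive web portal object names keyed on location.
CWP_RULES = [Rule("location", "SJC", "cwp-sjc"), Rule("location", "SFO", "cwp-sfo")]

if __name__ == "__main__":
    for dev in INVENTORY:
        print(dev.name, classify(USER_VLAN_RULES, dev, 1), classify(SHADOWED_RULES, dev, 1))
    print("rules that never decide:", never_first_match(SHADOWED_RULES, INVENTORY))
```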
Cloud Config Groups and Classification Rules

• Different configuration objects can be assigned by classification rules based on different CCGs
• Example: VLAN objects, DNS object, Time Zones, SSID, Device templates and much more

Classification Use Cases
VLAN Objects

[Figure: Router; L2-Switch (Area1, User VLANs 8, 16); L2-Switch (Area2, User VLANs 10, 20)]

VLAN objects support classification
• Use Case #1 – device classification with VLAN objects can be used to assign user VLANs (Example in upcoming lab)
• Use Case #2 – device classification with VLAN objects can be used to assign management VLANs to Extreme devices

Classification Use Cases
Captive Web Portals

Rule 1 = SJC

Rule 2 = SFO

Classification Use Cases
Time Zone objects

West Coast East Coast

Time zone settings for device clocks

Classification Use Cases
Server objects

Various server objects can be assigned based on classification rules including:
• RADIUS server Groups
• DNS server
• NTP
• SMTP server
• Syslog

Classification Use Cases
AP Device Templates

AP device templates can be assigned via classification rules

Classification Use Cases
AP Device Templates

This means that all sorts of Wi-Fi radio settings can be uniquely applied to different groups of APs
• SDR settings
• Radio Profiles
• Mesh/Sensor mode
• Exclude channel
• Channel/Power
• TPC

Classification Use Cases
SSIDs

Different groups of APs can now be assigned different sets of SSIDs

Cloud Config Groups

From Manage>Devices select the CCG from the Column picker tool to the
right to view or assign

Classification Use Cases
VLAN Objects

[Figure: Router; L2-Switch (Group 1, 10.5.8.0/24, User VLANs 8, 16, 10.5.8.99); L2-Switch (Group 2, 10.5.10.0/24, User VLANs 10, 20, 10.5.10.99); SSID = CCG-X]

Lab 14: CCG & Classification Rule

Deployment Optimization

Additional Settings
Management and Native VLAN

• CAPWAP, Cooperative Control protocols, SSH and other management traffic resides in the management VLAN
• The Native VLAN is for untagged traffic

Best Practice
Although the default MGT VLAN setting is 1, a good security best practice
is to change the setting for the MGT VLAN to a non-default value.

Using Trunked Ports and VLANs

802.1Q trunk:
• VLAN 1 – Native VLAN
• VLAN 2 – Management VLAN
• VLAN 5,10,20 – User VLANs

SSIDs:
• Employee 802.1X VLAN 5
• Device PPSK VLAN 10
• Guest PPSK VLAN 20

Multiple user VLANs will require 802.1Q tagging

Extreme APs and VLANs guidelines

AP side:
int mgt0 vlan 2
int mgt0 native-vlan 1

Switch side:
Switch port trunk VLANs 1-100
Switch port native (untagged) VLAN 1

• The AP native VLAN (untagged) must match the native VLAN setting on the switch
• The Native VLAN is for untagged traffic

Example
Wrong Settings – Native VLAN mismatch

AP side:
int mgt0 VLAN 2
int mgt0 native-VLAN 2
User Profile: Employee VLAN 20

Switch side:
Switch port trunk
Switch port native VLAN 1
Switch port trunk VLANs 1-100

• Traffic from the AP management interface to the LAN will be untagged. The switch will drop the AP management traffic or dump it into an incorrect VLAN.
• To correct this, the native VLAN on the Extreme AP must match the native VLAN on the switch

Configuration Rollback Timer

• Administrator updates the complete or delta configuration of Extreme APs
• ExtremeCloud™ IQ sends the new configuration (NC) update and adds configuration rollback settings to the configuration for Extreme APs
• The current configuration (CC) becomes the rollback configuration (RBC) and the new configuration (NC) is then loaded

Configuration Rollback Timer

• The APs will attempt to contact ExtremeCloud™ IQ using the CAPWAP protocol
• If the APs cannot contact ExtremeCloud™ IQ with CAPWAP after the configuration update, the APs will start a 10 minute configuration rollback timer

Configuration Rollback Timer

• The timer will count down for ten minutes waiting for the APs to establish CAPWAP connectivity
• When the rollback timer expires the APs will reboot
• The APs will now be using the rollback configuration (RBC) which was the original config before changes were made
• After a few minutes the APs will reconnect with ExtremeCloud™ IQ using CAPWAP

Configuration Rollback Timer

[Figure: Switch Management VLAN 8; AP: int mgt0 VLAN 2]

• After a new configuration (NC) update, the main cause of APs not being able to reach ExtremeCloud™ IQ via CAPWAP is that the management VLAN of the AP does not match the switch management VLAN
• This will trigger the rollback timer.
• CAPWAP traffic traverses the management VLAN

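Both failure modes described above, the native VLAN mismatch and the management VLAN mismatch that triggers the rollback timer, can be caught before a configuration push by comparing the AP's mgt0 lines with the switch port settings. This is an added example, not Extreme tooling: the switch is modelled as a generic 802.1Q trunk, the `SwitchPort` fields and function names are illustrative, and the native VLAN for the rollback slide (which shows only `int mgt0 VLAN 2`) is assumed to be 1.

```python
# Added example: pre-push audit of AP mgt0 VLAN settings against a switch trunk.
import re
from dataclasses import dataclass


@dataclass
class SwitchPort:
    native_vlan: int          # VLAN the switch assigns to untagged frames
    allowed_vlans: frozenset  # VLANs carried on the trunk
    mgmt_vlan: int            # VLAN that has the path to ExtremeCloud IQ


# Matches the two AP lines shown on the slides, in either letter case.
MGT0_LINE = re.compile(r"^\s*int(?:erface)?\s+mgt0\s+(vlan|native-vlan)\s+(\d+)\s*$", re.I)


def parse_mgt0(cli_text):
    """Return (management VLAN, native VLAN) from 'int mgt0 ...' lines."""
    found = {}
    for line in cli_text.splitlines():
        m = MGT0_LINE.match(line)
        if m:
            found[m.group(1).lower()] = int(m.group(2))
    if set(found) != {"vlan", "native-vlan"}:
        raise ValueError("need both 'int mgt0 vlan' and 'int mgt0 native-vlan'")
    return found["vlan"], found["native-vlan"]


def landing_vlan(vlan, ap_native, port):
    """VLAN the switch places an AP frame in, or None if the trunk drops it."""
    if vlan == ap_native:
        return port.native_vlan            # AP sends this VLAN untagged
    return vlan if vlan in port.allowed_vlans else None


def audit(cli_text, user_vlans, port):
    """Return a list of (code, detail) findings; empty means consistent."""
    mgt, native = parse_mgt0(cli_text)
    findings = []
    if mgt == 1:
        findings.append(("default-mgmt-vlan", "MGT VLAN is still the default value 1"))
    if native != port.native_vlan:
        findings.append(("native-mismatch",
                         f"AP native VLAN {native}, switch native VLAN {port.native_vlan}"))
    for vlan in [mgt, *user_vlans]:
        landed = landing_vlan(vlan, native, port)
        if landed is None:
            findings.append(("dropped", f"VLAN {vlan} is not carried on the trunk"))
        elif landed != vlan:
            findings.append(("wrong-vlan",
                             f"VLAN {vlan} leaves the AP untagged and lands in VLAN {landed}"))
    if mgt != port.mgmt_vlan:
        findings.append(("mgmt-mismatch",
                         f"AP mgt0 VLAN {mgt}, switch management VLAN {port.mgmt_vlan}: "
                         "CAPWAP cannot connect and the rollback timer starts"))
    return findings


TRUNK_1_100 = frozenset(range(1, 101))
# Settings taken from the slides; SwitchPort values not shown there are assumptions.
GUIDELINE_AP = "int mgt0 vlan 2\nint mgt0 native-vlan 1"
MISMATCH_AP = "int mgt0 VLAN 2\nint mgt0 native-VLAN 2"
GOOD_PORT = SwitchPort(native_vlan=1, allowed_vlans=TRUNK_1_100, mgmt_vlan=2)
ROLLBACK_PORT = SwitchPort(native_vlan=1, allowed_vlans=TRUNK_1_100, mgmt_vlan=8)

if __name__ == "__main__":
    for label, ap, port in [("guideline", GUIDELINE_AP, GOOD_PORT),
                            ("native mismatch", MISMATCH_AP, GOOD_PORT),
                            ("rollback case", GUIDELINE_AP, ROLLBACK_PORT)]:
        print(label, audit(ap, [20], port))
```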
Diagnostic Tools

Device Diagnostic Tools

• Numerous utilities and diagnostic tools are available in ExtremeCloud™ IQ
• All diagnostic commands are sent to the APs from ExtremeCloud™ IQ via CAPWAP
• Results are returned via CAPWAP

Device Diagnostic Tools

• Manage>Tools>Utilities

Device Diagnostic Tools

• Select Device Diagnostics from the drop-down

Device Diagnostic Tools
Ping

• Select your device
• Click Diagnostics
• Select PING

Device Diagnostic Tools
Ping

• You can perform a remote ping from the AP’s management interface
• Type 8.8.8.8
• Click PING

Scenario
Client cannot get an IP address

VLAN 2 - Scope 192.168.20.0/24
VLAN 5 - Scope 192.168.30.0/24
VLAN 8 - Scope 192.168.30.0/24

[Figure labels: Client (169.254.255.202); SSID: Teacher – VLAN 5; SSID: Student – VLAN 8; 802.1Q; Switch (VLANS 2, 8, 10); Router IP Helper 10.5.1.10; DHCP Server 10.5.1.10]

Scenario
Client cannot get an IP address

[Figure: same topology, with the labels DHCP request, Lease offer and NAK]

Points of failure

[Figure: same topology]

VLAN Probe

• Manage>Tools>Utilities
• Select VLAN Probe

VLAN Probe

• Select your AP
• Click VLAN Probe

VLAN Probe

• Enter a VLAN Range of 1 to 10
• Click Start

VLAN Probe

Observe the operational VLANs and associated subnets

Common CLI Commands
show capwap client

Used to verify that the AP is communicating with ExtremeCloud™ IQ via the CAPWAP management protocol

CAPWAP client: Enabled
CAPWAP transport mode: UDP
RUN state: Connected securely to the CAPWAP server
CAPWAP client IP: 192.168.255.135
CAPWAP server IP: 34.253.190.204
ExtremeCloud™ IQ Primary Name:cloud-ie-cws-2.aerohive.com
ExtremeCloud™ IQ Backup Name: hmng-prd-ie-cwpm-01.aerohive.com
CAPWAP Default Server Name: redirector.aerohive.com
Virtual ExtremeCloud™ IQ Name: VHM-IQJNIDWE
Server destination Port: 12222
CAPWAP send event: Enabled
CAPWAP DTLS state: Enabled
CAPWAP DTLS negotiation: Disabled
DTLS next connect status: Enable
DTLS always accept bootstrap passphrase: Enabled
DTLS session status: Connected ...

Common CLI Commands

• show station
• show interface
• show acsp neighbor
• show version detail

ML Insights and Reports

ML Insights

ML Insights is a broad overview of your wireless and wired network

ML Insights
Network Scorecard

View the health ratings and statistics for devices, clients, overall network operation, WiFi and services. Health levels are indicated by color and percentage: red for poor (0-49%), yellow for good (50-79%) and green for excellent (80-100%)

ML Insights
Comparative Analytics

• Comparative analytics can provide insight into how your network is performing compared with similar deployments of other Extreme customers.
• You can compare characteristics of your network with similarly sized networks and similar client types within the same industry or other industries.

ML Insights
Proximity

Proximity utilizes iBeacons transmitted using the BLE radio in APs such as the AP30 (ATOM). Please reference the supplemental slide deck about Proximity and Presence

ML Insights
Presence

• Presence reports data such as passersby, engaged customers, and conversion rate from passersby to engaged customers.
• Please reference the supplemental slide deck about Proximity and Presence

Reports

Reports allow you to view, manage, and create Network Summary, PCI Compliance, and WIPS reports

Diagnostics

Diagnostics
 Top APs by:
 Channel Utilization
 CPU Usage %
 Retries

Inventory

Inventory
 Device Count Rollup
 Configuration Status
 User Profiles & Groups
 Device Count by
 Model
 OS Version
 Location

Lab 15: ML Insights and Reports

Administration

ExtremeCloud™ IQ Administration

 Global Settings
 Make changes that affect your account and your entire enterprise
 Switch ExtremeCloud™ IQ account
 Change from one ExtremeCloud™ IQ account to another if you have more than one associated with your login credentials.
 About ExtremeCloud™ IQ
 Version information and regional datacenter names.
 Communications
 What’s new & planned for the near future in ExtremeCloud™ IQ
 ISO 27001 Certificate
 Logout
 End your current session

ExtremeCloud™ IQ Administration
Communications
The Communications link contains information about what is new in ExtremeCloud™ IQ, news about features that are coming, previews, and any important notifications such as upgrade windows.

Global Settings
Account Management

 Multiple admin accounts can be created for ExtremeCloud™ IQ
 Administrator accounts can have different read/write access based on predefined administrative roles
Account Management
Administrator Accounts

When creating a new admin, Role-Based Access Control offers two choices:

 Internal admin account: Administrators from within the Organization
 External admin account: Administrators from outside the Organization (resellers, distributors…)
Account Management
Internal Admin Account

To create an internal admin account, select ⦿ Create a new admin account
Account Management
Internal Admin Account

 Email Address: Enter internal company email address
 Name: Enter name
 Idle Session Timeout: Enter a value between 5 and 240 minutes
 Select a role from the predefined admin roles
 Select a location to which the admin will have access. (Maps)
 Click Save and Close

Account Management
Internal Admin Account

 Employee will receive an email requesting that they create a password for their administrative account
 Click Setup Password

Account Management
Internal Admin Account

 Employee will now be directed to ExtremeCloud™ IQ to create the password
 Once created, click Save and Next

Account Management
External Admin Account

 Access can also be granted to outside users: admins and users from outside the organization (resellers, distributors…)
 To create an external admin account, select ⦿ Grant access to outside users
 Important: Outside users must have existing ExtremeCloud™ IQ Cloud admin accounts
 Admin accounts are checked against their email address
Account Management
External Admin Account

Outside accounts will be indicated by the EXT icon


Role Based Access Control (RBAC)

 ExtremeCloud™ IQ supports RBAC
 When creating a new administrative account you can assign a role
 A role defines what functions the admin is able to access within ExtremeCloud™ IQ
 Access can be further restricted by location: users will only have access to devices in specific locations

Role Based Access Control

 Roles can be assigned access to certain locations based on topology maps
 Roles are assigned based on the tier-two level of the topology maps
 The Administrator and the Guest Management roles have universal access and cannot be assigned to unique locations
Role Based Access Control

 Topology map tiers are accessed from the top-level menu: click Plan
 Tier one of the network map is called a network name and it is often named after your organization
 The definition of the second tier depends on how you define your network map
 You can assign either a geographic location, such as a city or town, or a building to the network name
 For RBAC, tier two is the most important tier because its assignment determines the admin/user access
 Example #1: Tier two based on locations
 Example #2: Tier two based on buildings
 RBAC access rights cannot be assigned by floor
Role Based Access Control

 For role based access control, tier two is the most important tier because its assignment determines the admin/user access:
 Example #1: Tier two based on locations
 Example #2: Tier two based on buildings
 RBAC access rights cannot be assigned by floor

Role Based Access Control

 Administrator role provides full access to all configuration, monitoring, and administrative functions. It is the only role that has access to account and license management.
 Operator role provides full access to most functions including network and device configuration. However, it does not allow access to user account and license management.
 Monitor role provides full access to troubleshooting and read-only access to monitoring and configuration functions.

Role Based Access Control

 Help Desk role provides full access to the Troubleshoot tab and search access to the User 360 View and Client 360 View.
 Guest Management role provides access to create network credentials.
 Observer role provides read-only access to most functions except for account and license management.
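
The location scoping described on the RBAC slides can be modelled in a few lines to show its consequences: a device on any floor inherits access from its tier-two ancestor, and floors are rejected as scopes. This is an added illustration, not ExtremeCloud IQ code; the topology, the function names, and the treatment of an empty scope as unrestricted are assumptions.

```python
# Model of the tier-two location scoping (illustration only, hypothetical names).
# A map path is (tier one, tier two, ..., floor).
UNIVERSAL_ROLES = {"Administrator", "Guest Management"}  # cannot be location-scoped
CONFIG_ROLES = {"Administrator", "Operator"}             # may change configuration

# Constructed topology: tier one "Acme", tier two based on buildings.
TOPOLOGY = [
    ("Acme", "HQ Building", "Floor 1"),
    ("Acme", "HQ Building", "Floor 2"),
    ("Acme", "Warehouse", "Floor 1"),
]

def tier_two(path):
    """Tier-two ancestor of a map node; None for the tier-one node itself."""
    return path[1] if len(path) >= 2 else None

def validate_assignment(role, scopes, topology=TOPOLOGY):
    """Return the reasons a role/location assignment is not allowed."""
    errors = []
    tier_two_names = {tier_two(p) for p in topology}
    if role in UNIVERSAL_ROLES and scopes:
        errors.append("%s has universal access and cannot be scoped" % role)
    for scope in scopes:
        if scope not in tier_two_names:      # e.g. a floor name
            errors.append("%r is not a tier-two location" % scope)
    return errors

def can_access(role, scopes, device_path):
    """True if an admin with this role and scope can see the device."""
    if role in UNIVERSAL_ROLES or not scopes:  # assumption: no scope = unrestricted
        return True
    return tier_two(device_path) in scopes

def can_configure(role, scopes, device_path):
    """Configuration changes need a configuring role and location access."""
    return role in CONFIG_ROLES and can_access(role, scopes, device_path)
```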

Global Settings
License Management

To install an entitlement key, click License Management, copy/paste the key, click Apply
Global Settings
Device Management Settings

 CLI passwords can be globally set from Administration > Device Management Settings
 Default Password: xxxxxxxxxx
 Confirm Default Password: xxxxxxxxxx
 Click Save
Global Settings
ExtremeCloud™ IQ Logs

Multiple ExtremeCloud™ IQ logs are available:


 Audit Logs
 Authentication Logs
 Accounting Logs
 SMS Logs

Firmware Updates

Device Update
IQEngine Firmware

 Deselect ☐ Update Network Policy and Configuration

Device Update
IQEngine Firmware

 Deselect ☐ Update Network Policy and Configuration
 Select ☑ Upgrade IQEngine
 Options include:
 ⦿ Upgrade to the latest version
 ⦿ Upgrade to a specific version
 Click Perform Update

Device Update
IQEngine Firmware
show version detail

Running image: Current version
Current version: HiveOS 10.0r5 build-228634
Build host: ci102
Build time: Sun Apr 28 06:54:46 UTC 2019
Build by: build
Build cookie: 1904272354-228634
Backup version: HiveOS 8.4r7
Build time: Thu Nov 1 04:36:26 UTC 2018
Load after reboot: Current version
Platform: AP150W
Bootloader ver: v0.0.4.3c
TPM ver: v1.2.66.4
Uptime: 0 weeks, 0 days, 10 hours, 40 minutes, 30 seconds

 ExtremeCloud™ IQ pushes new firmware to APs over SSL
 New firmware is loaded on the backup partition
 AP reboots using backup partition
 AP is now running new code saved on the boot partition
 Previous code now resides on the backup partition

Device Update
IQEngine Firmware

 By default, an AP reboots 30 seconds after the firmware is fully loaded
 However, the reboot can be scheduled
 In this example, the new firmware is loaded on the AP and remains dormant on the backup partition until the scheduled reboot on July 4th at 3:00 AM
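
The partition swap described on the firmware slides can be confirmed from the CLI by parsing `show version detail` and checking which release sits on each partition and which image loads next. This is an added example, not Extreme Networks code; the function names and the release-string pattern are assumptions, and the sample text is constructed from the output shown on the slide.

```python
import re

# Constructed sample: fields taken from the slide's `show version detail` output.
SAMPLE = """\
Running image: Current version
Current version: HiveOS 10.0r5 build-228634
Build time: Sun Apr 28 06:54:46 UTC 2019
Backup version: HiveOS 8.4r7
Build time: Thu Nov 1 04:36:26 UTC 2018
Load after reboot: Current version
Platform: AP150W
"""

def parse_version_detail(text):
    """Return {field: [values]}; 'Build time' occurs once per partition."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")   # split on the first colon only
        if sep and value.strip():
            fields.setdefault(key.strip(), []).append(value.strip())
    return fields

def release(version_line):
    """'HiveOS 10.0r5 build-228634' -> '10.0r5' (pattern is an assumption)."""
    match = re.search(r"\b(\d+\.\d+r\d+[a-z]?)\b", version_line)
    return match.group(1) if match else None

def first(fields, key):
    return (fields.get(key) or [""])[0]

def check_upgrade(text, expected, previous):
    """List problems found after an upgrade; an empty list means it looks good."""
    fields = parse_version_detail(text)
    problems = []
    if first(fields, "Running image") != "Current version":
        problems.append("AP is not running the current partition")
    if release(first(fields, "Current version")) != expected:
        problems.append("current partition is not %s" % expected)
    if release(first(fields, "Backup version")) != previous:
        problems.append("backup partition does not hold %s" % previous)
    if first(fields, "Load after reboot") != "Current version":
        problems.append("next reboot loads: %s" % first(fields, "Load after reboot"))
    return problems
```

Running the same check before a scheduled reboot reports that the current partition still holds the old release, which matches the dormant state the slide describes.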

Essentials Applications

ExtremeAirDefense Essentials

ExtremeAirDefense Essentials

ExtremeAirDefense Essentials simplifies the protection, monitoring, and compliance of your Wireless LAN networks. Extreme AirDefense continuously safeguards the network from external threats 24x7x365 and notifies IT staff when attacks occur, enabling an immediate response. A short list of the features includes:
• 42+ monitored threats
• Global sensor management
• Historical timeline review of threats and alarms
• Security well beyond basic rogue detection

ExtremeGuest Essentials

ExtremeGuest Essentials

• ExtremeGuest Essentials is a robust and comprehensive guest management and engagement solution that personalizes engagement by understanding customer behavior and interest, and then tailoring services based on those insights. For example, knowing how many customers enter a store, how often they visit, and how much time they spend are all metrics that can be measured through ExtremeGuest Essentials.
• ExtremeGuest Essentials can take advantage of social networking behavior to increase patronage, expand brand exposure, and understand client demographics and preferences in a more comprehensive and personal way. Guest onboarding with sponsor approval is supported, allowing a sponsor to approve or deny guest access with a single click.
• Navigate to the ExtremeCloud IQ Dashboard and select the Guest icon. The ExtremeGuest Essentials Overview launches in ExtremeCloud IQ.

ExtremeGuest Essentials

Select the More Insights button at the top right corner of the Overview to launch ExtremeGuest Essentials and open the ExtremeGuest Essentials Dashboard.

ExtremeIOT Essentials

ExtremeIOT Essentials

ExtremeIOT Essentials is a simple IoT security solution that is designed to protect high risk, wired IoT devices. Through the application of security profiles, it controls IoT device attachment and access to the network. It locks down IoT communications to only what’s authorized, blocking everything else. A short list of the features includes:
• Protects high-risk IoT devices & overlay to 3rd party networks
• Provides portal & templates to secure devices
• Enables floor staff (non-IT) to onboard and move IoT devices
• Simplifies IoT onboarding and security

ExtremeLocation Essentials

ExtremeLocation Essentials

ExtremeLocation Essentials is a resilient and scalable cloud-driven solution that provides enterprises powerful multitier location services that can scale to thousands of sites. Supporting Wi-Fi and/or BLE technologies, enterprises can monitor workflows and assets, in real-time or historically, to improve their overall operations and efficiency. ExtremeLocation provides granular location accuracy resolution to support diverse industry-specific use cases. A short list of the features includes:
• Current and historical location analytics
• Wi-Fi and BLE
• Zone and Asset Tracking
• Dwell time and presence analytics

ExtremeCloudIQ CoPilot

ExtremeCloudIQ CoPilot

Networks are complex and you spend most of your IT time flying solo.
• How many alerts, alarms, emails, and tickets do you get each day?
• How much time do you spend troubleshooting?
• Do you trust your management tools to provide valuable insights?
You need to spend your precious time and energy focused on what matters: delivering great user experiences.

ExtremeCloudIQ CoPilot

REDUCE FALSE ALARMS

CoPilot proactively eliminates the noise, significantly reducing the number of false alarms that can
consume IT administrators’ time. CoPilot delivers clear insights and recommendations that lead to fewer
hours wasted, less risk, and an enhanced user experience.

EXPLAINABLE ML/AI

CoPilot provides explainable recommendations which enable you to see, verify, and trust the data behind
every recommendation. By validating network data with human intelligence, CoPilot learns and evolves,
resulting in constant optimization and fast troubleshooting.

PROACTIVE RISK REDUCTION

CoPilot reduces risk by proactively detecting anomalies before they become outages. It gathers and
analyses data in real time, correlates it with other information, identifies patterns and provides human-like
guidance on how to address a problem even before it arises.

Questions?

Any
Questions?
Survey

Please remember to complete the survey. Thanks!

