Configuring the Virtual AP Profile

The recommended method for creating a new WLAN configuration is the new WLAN wizard, although advanced users may also configure a WLAN manually.

For important information on changing the virtual AP forwarding mode for a WLAN that is serving active wired or wireless clients, see Changing a Virtual AP Forwarding Mode.

Manually Configuring the Virtual AP Profile

The following procedure describes how to configure a Virtual AP profile.

1. In the Managed Network node hierarchy, navigate to the Configuration > System > Profiles tab.

2. From the All Profiles list, select Wireless LAN > Virtual AP.

3. To edit an existing Virtual AP profile, select the Virtual AP profile you want to edit. To create a new Virtual AP profile, click + and enter a name for the new Virtual AP profile in the Profile name field.
The Virtual AP profile settings are divided into four sections: General, RF, Advanced, and Broadcast/Multicast.

4. Configure your Virtual AP settings. The profile parameters in each section are described in Table 1, Virtual AP Profile Parameters.

5. Click Submit.

6. Click Pending Changes.

7. In the Pending Changes window, select the check box and click Deploy Changes.
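The same profile can be built from the ArubaOS CLI. The following is an added example written for this page, not configuration taken from the product documentation: it creates a tunnel-mode corporate virtual AP with the security-relevant parameters from Table 1 set explicitly rather than left at their defaults. The profile names (corp-ssid, corp-aaa, corp-vap), the VLAN ID and the exact command keywords are assumptions taken from the ArubaOS command reference; lines beginning with `!` are comments for the reader and are not CLI input. Confirm each keyword with `?` at the prompt on your software version before relying on it.

```text
! Added example (not from the product documentation). Names and VLAN ID are assumptions.
! Enter these at the Managed Network configuration node, then write memory to push the change.

! SSID profile: WPA2 with AES and 802.1X (the AAA profile corp-aaa with its RADIUS
! server is assumed to be configured elsewhere).
wlan ssid-profile corp-ssid
   essid Corp
   opmode wpa2-aes
!
wlan virtual-ap corp-vap
   ssid-profile corp-ssid
   aaa-profile corp-aaa
   vlan 100
   forward-mode tunnel
   allowed-band all
   band-steering
   steering-mode prefer-5ghz
   ! Per-VAP client isolation. The global equivalent, which overrides this per-VAP
   ! setting for every VAP, is "firewall deny-inter-user-traffic".
   deny-inter-user-traffic
   ! Ignore deauthentication frames that appear to come from clients.
   dos-prevention
   ! Flood detection plus finite quarantine times. Keep auth-failure-blacklist-time
   ! above 0: a value of 0 blocks the MAC address until the entry is cleared by hand.
   blacklist
   blacklist-time 3600
   auth-failure-blacklist-time 3600
   no ha-disc-onassoc
   virtual-ap enable
!
! Check the result before deploying: every value above should appear in the output.
show wlan virtual-ap corp-vap
! Equivalent of Pending Changes > Deploy Changes in the WebUI.
write memory
```

`show wlan virtual-ap corp-vap` is the check to run after any later change as well: the forward mode and the inter-user and blacklist settings are the values most worth confirming, because a wrong forward mode silently moves encryption and firewall enforcement from the managed device to the AP.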

Table 1: Virtual AP Profile Parameters

Parameter

Description

General

Virtual AP enable

Select the Virtual AP enable check box to enable the virtual AP; clear it to disable the virtual AP.

VLAN

The VLAN(s) into which users are placed in order to obtain an IP address.

NOTE: The VLAN ID you add to the Virtual AP profile must already exist on the managed device.

Forward mode

This parameter controls whether client data is tunneled to the managed device using GRE, bridged into the local Ethernet LAN (for remote APs), or a combination of the two depending on the destination (corporate traffic goes to the managed device, and Internet access remains local). The choice decides where 802.11 encryption and decryption take place (on the managed device in tunnel mode, on the AP in the other three modes) and where user firewall policies are enforced (on the managed device in tunnel and decrypt-tunnel mode, on the AP in bridge and split-tunnel mode). All forwarding modes support band steering, TSPEC/TCLAS enforcement, 802.11k and station blacklisting.

Click the drop-down list to select one of the following forward modes:

Tunnel: The AP handles all 802.11 association requests and responses, but sends all 802.11 data packets, action frames and EAPOL frames over a GRE tunnel to the managed device for processing. The managed device removes or adds the GRE headers, decrypts or encrypts the 802.11 frames and applies firewall rules to the user traffic as usual. Both remote and campus APs can be configured in tunnel mode.

Bridge: 802.11 frames are bridged into the local Ethernet LAN. When a remote AP or campus AP is in bridge mode, the AP (and not the managed device) handles all 802.11 association requests and responses, encryption and decryption, and firewall enforcement. The 802.11e and 802.11k action frames are also processed by the AP, which then sends out responses as needed.

An AP in bridge mode does not support captive portal authentication. Both remote and campus APs can be configured in bridge mode. You must enable the control plane security feature on the managed device before you configure campus APs in bridge mode.

NOTE: In bridge mode, wired or wireless clients that have the same IP address as the Remote AP's local DHCP server cannot communicate with other devices, even if the AP is deployed as a Campus AP. If you want to use the Remote AP's default IP address as a client IP address, change the Remote AP's DHCP server IP address to a different address. To change the Remote AP's DHCP server IP address, see Enabling Remote AP Advanced Configuration Options.

Split-Tunnel: 802.11 frames are either tunneled or bridged, depending on the destination (corporate traffic goes to the managed device, and Internet access remains local).

A remote AP in split-tunnel forwarding mode handles all 802.11 association requests and responses, encryption and decryption, and firewall enforcement. The 802.11e and 802.11k action frames are also processed by the remote AP, which then sends out responses as needed.

Decrypt-Tunnel: Both remote and campus APs can be configured in decrypt-tunnel mode. When an AP uses decrypt-tunnel forwarding mode, that AP decrypts and decapsulates all 802.11 frames from a client and sends the resulting 802.3 frames through the GRE tunnel to the managed device, which then applies firewall policies to the user traffic.

When the managed device sends traffic to a client, it sends 802.3 traffic through the GRE tunnel to the AP, which converts it to encrypted 802.11 and forwards it to the client. This forwarding mode allows a network to use the encryption and decryption capacity of the AP while reducing the demand for processing resources on the managed device.

APs in decrypt-tunnel forwarding mode also manage all 802.11 association requests and responses, and process all 802.11e and 802.11k action frames. APs using decrypt-tunnel mode have some limitations that are not present for APs in regular tunnel forwarding mode.

You must enable the control plane security feature on the managed device before you configure campus APs in decrypt-tunnel forward mode.

NOTE: Virtual APs in bridge or split-tunnel mode using static WEP should use key slots 2-4 on the managed device. Key slot 1 should only be used with Virtual APs in tunnel mode. Static WEP provides no meaningful confidentiality; this note applies only to legacy deployments that still require it.

RF

Allowed band

The band(s) on which the virtual AP operates:

g: 802.11b/g band only (2.4 GHz).

a: 802.11a band only (5 GHz).

all: both the 802.11a and 802.11b/g bands (5 GHz and 2.4 GHz). This is the default setting.

Band Steering

ARM's band steering feature encourages dual-band capable clients to stay on the 5 GHz band on dual-band APs. This frees up resources on the 2.4 GHz band for single-band clients such as VoIP phones.

Band steering reduces co-channel interference and increases available bandwidth for dual-band clients, because there are more channels on the 5 GHz band than on the 2.4 GHz band. Dual-band 802.11n-capable clients may see even greater bandwidth improvements, because the band steering feature automatically selects between 40 MHz and 20 MHz channels in 802.11n networks. This feature is disabled by default, and must be enabled in a Virtual AP profile.

The band steering feature supports both campus APs and remote APs that have a virtual AP profile set to tunnel, split-tunnel or bridge forwarding mode. Note, however, that if a campus or remote AP has virtual AP profiles configured in bridge or split-tunnel forwarding mode but no virtual AP in tunnel mode, that AP gathers information about 5 GHz-capable clients independently and does not exchange this information with other APs that also have only bridge or split-tunnel virtual APs.

Steering Mode

Band steering supports the following three band steering modes.

Balance-bands: In this band steering mode, the AP tries to balance the clients across the two radios in order to best utilize the available 2.4 GHz bandwidth. This mode takes into account the fact that the 5 GHz band has more channels than the 2.4 GHz band, and that the 5 GHz channels operate at 40 MHz while the 2.4 GHz band operates at 20 MHz.

Prefer-5GHz (default): If you configure the AP to use prefer-5GHz band steering mode, the AP tries to steer the client to the 5 GHz band (if the client is 5 GHz capable) but lets the client connect on the 2.4 GHz band if the client persists in 2.4 GHz association attempts.

Force-5GHz: When the AP is configured in force-5GHz band steering mode, the AP forces 5 GHz-capable clients to use that radio band.

Advanced

Cellular handoff assist

When both the ClientMatch and the cellular handoff assist features are enabled, the cellular handoff assist feature can help a dual-mode, 3G or 4G-capable Wi-Fi device such as an iPhone, iPad or Android client at the edge of Wi-Fi coverage switch from Wi-Fi to an alternate 3G or 4G radio that provides better network access. This feature is supported by iOS and Android devices only.

Authentication Failure Blacklist Time

Time, in seconds, for which a client is blocked after repeated authentication failures. The default setting is 3600 seconds (1 hour). A value of 0 blocks the client indefinitely.

Because the block is keyed on the client MAC address, an attacker who sends authentication failures using a legitimate client's MAC address can get that client blocked; with a value of 0 the block lasts until the entry is cleared by an administrator, so keep a finite value unless you have a process for clearing entries.

Blacklist Time

Number of seconds that a client is quarantined from the network after being blacklisted.

Default: 3600 seconds (1 hour)

Deny inter user traffic

Select this check box to deny traffic between the clients using this virtual AP profile.

The global firewall settings, shown in the Configuration > Advanced Services > Stateful Firewall > Global window, also include an option to deny all inter-user traffic, regardless of the Virtual AP profile used by those clients.

If the global setting to deny inter-user traffic is enabled, all inter-user traffic between clients is denied, regardless of the settings configured in the virtual AP profiles. If the setting to deny inter-user traffic is disabled globally but enabled on an individual virtual AP, only the traffic between untrusted users and the clients on that particular virtual AP is blocked.

NOTE: This setting is not applied across controllers, even when they are in the same cluster; it does not block traffic between clients that terminate on different controllers.

Deny time range

Click the drop-down list and select a configured time range during which the AP denies access. If you have not yet configured a time range, navigate to Configuration > Security > Access Control > Time Ranges to define a time range before configuring this setting in the Virtual AP profile.

DoS Prevention

If enabled, APs ignore deauthentication frames from clients. This prevents a successful deauthentication attack from being carried out against the AP. This does not affect third-party APs.

Note that genuine deauthentication frames from clients are ignored as well, and that this setting does not protect clients from spoofed deauthentication frames sent in the AP's name; protecting those requires 802.11w management frame protection, which is configured separately.

Default: Disabled

HA Discovery on-association

If enabled, home agent discovery is triggered on client association instead of on traffic from the client. Mobility on association can speed up roaming and improve connectivity for clients that do not send many uplink packets to trigger mobility (VoIP clients). Best practice is to leave this parameter disabled, because it increases IP mobility control traffic between managed devices in the same mobility domain. Enable it only when voice issues are observed with VoIP clients.

Default: Disabled

NOTE: The ha-disc-onassoc parameter works only when IP mobility is enabled and configured on the managed device. For more information about this parameter, see Home Agent Discovery on Association.

Mobile IP

Enables or disables IP mobility for this virtual AP.

Default: Enabled

Preserve Client VLAN

If you select this check box, clients retain their previous VLAN assignment if the client disassociates from an AP and then immediately re-associates, either with the same AP or with another AP on the same managed device.

Remote-AP Operation

Configures when the virtual AP operates on a remote AP:

standard (default): Enables the virtual AP when the remote AP connects to the managed device. This option can be used for any virtual AP (bridge, split-tunnel, tunnel or decrypt-tunnel).

persistent: Permanently enables the virtual AP after the remote AP initially connects to the managed device (bridge mode only). This option can be used for any open, PSK or 802.1X bridge VAP.

backup: Enables the virtual AP only if the remote AP cannot connect to the managed device (bridge mode only). This option can be used for non-802.1X bridge VAPs only.

always: Permanently enables the virtual AP (bridge mode only). This option can be used for non-802.1X bridge VAPs only.

The backup and always options are limited to open or PSK bridge VAPs because an 802.1X exchange cannot complete while the remote AP has no path to the managed device and its authentication server.

Station Blacklisting

Select this check box to enable detection of DoS attacks, such as ping or SYN floods, that are not spoofed deauthorization attacks.

Default: Enabled

Strict Compliance

If enabled, the AP denies client association requests if the AP and client station have no common rates defined. Some legacy client stations which are not fully 802.11-compliant may not include their configured rates in their association requests. Such non-compliant stations may have difficulty associating with APs unless strict compliance is disabled.

Default: Disabled

VLAN Mobility

Enable or disable VLAN (Layer-2) mobility.

Default: Disabled

WAN operation mode

This feature works in conjunction with the WAN Health Check Manager and Uplink Manager. When all uplinks are down, the uplink manager makes the needed changes based on configuration and pushes these changes to APs.

If the operation mode is set to primary, the VAP will be disabled.

If the operation mode is set to backup, the VAP will be enabled.

If the operation mode is set to always, the VAP will not change.

FDB Update on Assoc

This parameter enables seamless failover for silent clients, allowing them to re-associate. If you select this option, the controller generates a Layer 2 update on behalf of the client to update the forwarding tables in bridge devices.

Default: Disabled

Broadcast/Multicast

Dynamic Multicast Optimization (DMO)

Enable/Disable dynamic multicast optimization. This parameter is disabled by default, and cannot be enabled without the PEFNG license.

Dynamic Multicast Optimization (DMO) Threshold

Maximum number of high-throughput stations in a multicast group beyond which dynamic multicast optimization stops.

Range: 2-255 stations

Default: 6 stations.

Drop Broadcast and Multicast

Select the Drop Broadcast and Multicast check box to filter out broadcast and multicast traffic in the air.

Do not enable this option for virtual APs configured in bridge forwarding mode. This configuration parameter is only intended for use for virtual APs in tunnel mode. In tunnel mode, all packets travel to the controller, so the controller is able to drop all broadcast traffic. When a virtual AP is configured to use bridge forwarding mode, most data traffic stays local to the AP, and the controller is not able to filter out that broadcast traffic.

IMPORTANT: If you enable this option, you must also enable the Convert Broadcast ARP requests to unicast parameter on the virtual AP profile to prevent ARP requests from being dropped.

Convert Broadcast ARP requests to unicast

If enabled, all broadcast ARP requests are converted to unicast and sent directly to the client. You can check the status of this option using the show ap active and show datapath tunnel commands. If enabled, the output displays the letter a in the flags column.

This configuration parameter is only intended for use for virtual APs in tunnel mode. In tunnel mode, all packets travel to the controller, so the controller is able to convert ARP requests directed to the broadcast address into unicast.

When a virtual AP is configured to use bridge forwarding mode, most data traffic stays local to the AP, and the controller is not able to convert that broadcast traffic.

This parameter is enabled by default. Behaviors associated with these settings are enabled upon upgrade to ArubaOS 6.1.3.2. If your controller supports clients behind a wireless bridge or virtual clients on VMware devices, you must disable this setting to allow those clients to obtain an IP address. In previous releases of ArubaOS, the virtual AP profile included two unique broadcast filter parameters: the drop broadcast and multicast parameter, which filtered out all broadcast and multicast traffic in the air except DHCP response frames (these were converted to unicast frames and sent to the corresponding client), and the convert Broadcast ARP requests to unicast parameter, which converted broadcast ARP requests to unicast messages sent directly to the client.

The Convert Broadcast ARP requests to unicast setting includes the additional functionality of the broadcast-filter all parameter, where DHCP response frames are sent as unicast to the corresponding client. This can impact DHCP discover/request packets for clients behind a wireless bridge and virtual clients on VMware devices. Disable this option to resolve this issue and allow clients behind a wireless bridge or VMware devices to receive an IP address.

Default: Enabled

A Virtual AP profile directly references one of each of the following profile types.

802.11k

AAA

AnySpot

HotSpot 2.0

SSID

WMM Traffic Management

The following procedure describes how to change the profiles associated to a Virtual AP profile.

1. In the Managed Network node hierarchy, navigate to the Configuration > System > Profiles tab.

2. From the All Profiles list, select Wireless LAN >Virtual AP.

3. Select the Virtual AP profile you want to edit. The All Profiles window displays the list of associated profiles for that Virtual AP.

4. Select any of the associated profiles in the list.

5. A drop-down list appears at the top of the right window pane which allows you to select another profile for that type.

6. Click Submit.

7. Click Pending Changes.

8. In the Pending Changes window, select the check box and click Deploy Changes.

Figure 1  Associating Profiles to a Virtual AP

The following CLI commands configure a Virtual AP profile.

(host)[node](config) #wlan virtual-ap <profile>

(host)[node] (Virtual AP profile "profile")aaa-profile <profile>

(host)[node] (Virtual AP profile "profile")anyspot-profile <profile>

(host)[node] (Virtual AP profile "profile")dot11k-profile <profile>

(host)[node] (Virtual AP profile "profile")hs2-profile <profile>

(host)[node] (Virtual AP profile "profile")ssid-profile <profile>

(host)[node] (Virtual AP profile "profile")wmm-traffic-management-profile <profile>

Modifying Profiles and Parameters Associated with AP Groups

The following procedure describes how to modify profiles and parameters associated with AP groups:

1. In the Managed Network node hierarchy, navigate to the Configuration > AP Groups page.

2. Select an AP group in the AP Groups table and click on the Profiles tab.

3. Select a profile under Profiles for Group <AP Group>.

4. Click <NAME> profile drop-down list and select a profile.

5. Make the necessary changes to the profile and click Submit.

6. Click Pending Changes.

7. In the Pending Changes window, select the check box and click Deploy changes.

Selective Multicast Streams

The selective multicast group is based only on the packets learned through the Internet Group Management Protocol (IGMP).

When the Drop Broadcast and Multicast setting is enabled in the virtual AP profile, the managed device allows multicast packets to be forwarded only if the following conditions are met:

packets originating from the wired side have a destination address range of 225.0.0.0 - 239.255.255.255

a station has subscribed to a multicast group.

If the DMO setting is enabled in the virtual AP profile, the packets are sent with an 802.11 unicast header.

When IGMP snooping/proxy is disabled, the managed device is not aware of the IGMP membership and drops the multicast flow.

If AirGroup is enabled, mDNS and SSDP packets are sent to the AirGroup application. The common address for mDNS is 224.0.0.251 and for SSDP is 239.255.255.250.
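The forwarding rules above (the Drop Broadcast and Multicast and Convert Broadcast ARP requests to unicast parameters, the DMO threshold, and the selective multicast conditions) combine in ways that are easy to get wrong when reviewing a profile. The following added example, not ArubaOS code, models those rules for one wired-originated frame so a configuration can be checked before deployment; the profile field names, action strings, and the ordering of the AirGroup check relative to the drop filter are this model's own assumptions.

```python
# Added example (not ArubaOS code): a model of the forwarding decisions the
# Virtual AP profile parameters imply for one wired-originated frame.
# Profile field names and the action strings are this model's own.
import ipaddress
from dataclasses import dataclass

MDNS_ADDR = ipaddress.ip_address("224.0.0.251")
SSDP_ADDR = ipaddress.ip_address("239.255.255.250")
# Destination range the page gives for forwardable wired-side multicast.
MCAST_LO = ipaddress.ip_address("225.0.0.0")
MCAST_HI = ipaddress.ip_address("239.255.255.255")


@dataclass
class VapProfile:
    forward_mode: str = "tunnel"         # filtering only works in tunnel mode
    drop_bcast_mcast: bool = False       # Drop Broadcast and Multicast
    convert_arp_to_unicast: bool = True  # page default: Enabled
    dmo: bool = False                    # page default: Disabled
    dmo_threshold: int = 6               # page default: 6 stations
    igmp_snooping: bool = True
    airgroup: bool = False


def decide(profile: VapProfile, dst_ip: str, arp_broadcast: bool = False,
           subscribers: int = 0) -> str:
    """Return the action taken for a frame to dst_ip when `subscribers`
    stations have joined that multicast group through IGMP."""
    dst = ipaddress.ip_address(dst_ip)
    if profile.forward_mode == "bridge":
        # Traffic stays local to the AP; the controller cannot filter or
        # convert it, so these profile settings have no effect.
        return "broadcast" if arp_broadcast else "multicast"
    if arp_broadcast:
        if profile.convert_arp_to_unicast:
            return "arp-unicast"
        # Drop enabled without ARP conversion: the IMPORTANT note case.
        return "drop" if profile.drop_bcast_mcast else "broadcast"
    if profile.airgroup and dst in (MDNS_ADDR, SSDP_ADDR):
        return "airgroup"            # handed to the AirGroup application
    if not profile.drop_bcast_mcast:
        return "multicast"           # no filtering requested
    if not profile.igmp_snooping:
        return "drop"                # membership unknown, flow dropped
    if not (MCAST_LO <= dst <= MCAST_HI) or subscribers == 0:
        return "drop"                # outside range or nobody subscribed
    if profile.dmo and subscribers <= profile.dmo_threshold:
        return "unicast-per-station"  # DMO sends with 802.11 unicast header
    return "multicast"               # DMO stops beyond the threshold
```

Running decide() with a candidate profile against the addresses a deployment actually carries (for example a 239.x.x.x video group and 224.0.0.251 for mDNS) shows immediately whether the drop filter would starve clients of ARP or drop a group nobody has joined.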

Changing a Virtual AP Forwarding Mode

When you change the forwarding mode for a Virtual AP actively serving clients, the user table will NOT reflect accurate client information unless the entries for those users are manually cleared. Use the following procedure to change the forwarding mode on a Virtual AP serving wired or wireless clients.

Changing the Forwarding Mode for Wired Users

To change the forwarding mode for wired users connected to the wired port on an AP:

1. Disable the port by issuing the CLI command ap wired-port-profile <ap-wired-port-profile> shutdown. This will disconnect any wired clients using that port.

2. Issue the command aaa user delete {<ipaddr>|all|mac <macaddr>|name <username>|role <role>} to remove from the user table the wired users associated with AP wired ports using the <ap-wired-port-profile>.

3. Issue the command ap wired-ap-profile <profile> forward-mode <mode> where <mode> is the new forwarding mode for the wired port.

4. Re-enable the port using the command ap wired-port-profile <ap-wired-port-profile> no shutdown.

Changing the Forwarding Mode for Wireless Users

To change the forwarding mode for wireless users associated with an AP radio:

1. Issue the command ap-name <group> no virtual-ap <vap-profile> or ap-group <group> no virtual-ap <vap-profile> to disassociate the AP or group of APs from the virtual AP profile.

2. Issue the command aaa user delete {<ipaddr>|all|mac <macaddr>|name <username>|role <role>} to remove from the user table the users associated to the virtual-ap specified in the previous step.

3. Issue the command wlan virtual-AP <vap-profile> forward-mode <mode> where <mode> is the new forwarding mode for the virtual AP.

4. Issue the command ap-name <group> virtual-ap <vap-profile> or ap-group <group> virtual-ap <vap-profile> to reassociate the AP or group of APs with the virtual AP profile.