Extreme Networks AP3917E Wireless 802.11 a/ac+b/g/n Access Point User Manual WiNG 5.9.1 System Reference Guide Part 3


Management Access
Wireless Controller and Service Platform System Reference Guide

Figure 12-4 Administrators screen

3 If creating a new administrator, enter a user name in the User Name field. This is a mandatory field for new administrators and cannot exceed 32 characters. Optimally assign a name representative of the user and role.

4 Provide a strong password for the administrator within the Password field. Once provided, reconfirm the password to ensure it’s accurately entered. This is a mandatory field.

5 Select Access options to define the permitted access for the user. Access modes can be assigned to management user accounts to restrict which management interfaces the user can access. A management user can be assigned one or more access roles allowing access to multiple management interfaces. If required, all four options can be selected and invoked simultaneously.

Web UI - Select this option to enable access to the device’s Web User Interface.
Telnet - Select this option to enable access to the device using TELNET.
SSH - Select this option to enable access to the device using SSH.
Console - Select this option to enable access to the device’s console.

6 Select the Administrator Role for the administrator using this profile. Only one role can be assigned.

Superuser - Select this option to assign complete administrative rights to the user. This entails all the permissions listed for the other administrative roles.
System - The System role provides permissions to configure general settings like NTP, boot parameters, licenses, perform image upgrades, auto install, manager redundancy/clustering and control access.
Network - The Network role provides privileges to configure all wired and wireless parameters like IP configuration, VLANs, L2/L3 security, WLANs, radios, and captive portal.
Security - Select Security to set the administrative rights for a security administrator allowing configuration of all security parameters.
Monitor - Select Monitor to assign permissions without any administrative rights. The Monitor option provides read-only permissions.
Help Desk - Assign this role to someone who typically troubleshoots and debugs problems reported by the customer. The Help Desk manager typically runs troubleshooting utilities (like a sniffer), executes service commands, views/retrieves logs and reboots the controller or service platform. However, Help Desk personnel are not allowed to conduct controller or service platform reloads.
Web User - Select Web User to assign the administrator privileges needed to add users for authentication.
Device Provisioning - Select Device Provisioning to assign an administrator privileges to update (provision) device configuration files or firmware. Such updates run the risk of overwriting and losing a device’s existing configuration unless the configuration is properly archived.
Vendor Admin - Select this option to create a vendor-admin user role group so this particular user type can access offline device-registration portal data. Vendors are assigned username/password credentials for securely on-boarding devices. Devices are moved to a vendor allowed VLAN immediately after this on-boarding process, so vendors do require unique administration roles. When the Vendor-Admin role is selected, provide the vendor’s Group name for RADIUS authentication. The vendor’s RADIUS group takes precedence over the statically configured group for device registration.

7 Select the OK button to save the administrator’s configuration. Select Reset to revert to the last saved configuration.

12.1.1.2 Setting an Allowed Location Configuration

Extreme Networks’ WiNG and NSight applications may have the same users with different permissions defined in each application. Various user roles are supported in WiNG (superuser, system-admin, network-admin, security-admin, device-provisioning-admin, helpdesk and monitor). With NSight, a user logging into the NSight UI should also have an access control restriction based on the role they’re assigned. For example, a WiNG user with helpdesk privileges should have access to only the site (RF Domain) in which the helpdesk is situated, and the location tree should contain only one RF Domain. Similarly, when a user responsible for a set of sites logs in to NSight, their location tree needs to contain the RF Domains for which they’re responsible.

To set an allowed location configuration:
1 Select the Allowed Locations tab from the Management Policy screen.

Figure 12-5 Management Policy screen - Allowed Locations tab

The Allowed Locations screen lists existing users and their permitted locations.

2 Select Add to create a new allowed location, Edit to modify an existing location or Delete to permanently remove a user name and location from the list of those available.

Figure 12-6 Adding Allowed Locations screen

3 Set the following allowed location parameters:

Name - Define a 32 character maximum user name whose access is mapped to a specific site (RF Domain).
Locations - Create locations and use the navigation arrows to move them into the list of those enabled once saved.

4 Select OK to update the allowed location configuration. Select Reset to revert to the last saved configuration.

12.1.1.3 Setting the Access Control Configuration

Restricting remote access to a controller or service platform ensures only trusted hosts can communicate with enabled management services. This ensures only trusted hosts can perform management tasks and provides protection from brute force attacks from hosts attempting to break into the controller or service platform managed network.

Administrators can permit management connections to be established on any IP interface on the controller or service platform (including IP interfaces used to provide captive portal guest access). Administrators can restrict management access by limiting access to a specific host (IP address), subnet, or ACL on the controller or service platform.

Refer to the Access Control tab to allow/deny management access to the network using strategically selected protocols (HTTP, HTTPS, Telnet, SSH or SNMP). Access options can be either enabled or disabled as required. Disabling unused interfaces is recommended to close unnecessary security holes. The Access Control tab is not meant to function as an ACL (in routers or other firewalls), where you can specify and customize specific IPs to access specific interfaces.

• Source hosts - Management access can be restricted to one or more hosts by specifying their IP addresses
• Source subnets - Management access can be restricted to one or more subnets
• IP ACL - Management access can be based on the policies defined in an IP based ACL

In the following example, a controller has two IP interfaces defined with VLAN10 hosting management and network services and VLAN70 providing guest services. For security the guest network is separated from all trusted VLANs by a firewall.

Interface   Description   IP Address   Management
VLAN10      Services      Yes          Yes
VLAN70      Guest         Yes          No

By default, management services are accessible on both VLAN10 and VLAN70, and that’s not desirable to an administrator. By restricting access to VLAN10, the controller only accepts management sessions on VLAN10. Management access on VLAN70 is no longer available.

Administrators can secure access to a controller or service platform by disabling less secure interfaces. By default, the CLI, SNMP and FTP disable interfaces that do not support encryption or authentication. However, Web management using HTTP is enabled. Insecure management interfaces such as Telnet, HTTP and SNMP should be disabled, and only secure management interfaces, like SSH and HTTPS, should be used to access the controller or service platform managed network.

The following table demonstrates some interfaces provide better security than others:

Access Type   Encrypted   Authenticated   Default State
Telnet        No          Yes             Disabled
SNMPv2        No          No              Enabled
SNMPv3        Yes         Yes             Enabled
HTTP          No          Yes             Disabled
HTTPS         Yes         Yes             Disabled
FTP           No          Yes             Disabled
SSHv2         Yes         Yes             Disabled

To set an access control configuration for the Management Access policy:

1 Select the Access Control tab from the Management Policy screen.

Figure 12-7 Management Policy screen - Access Control tab
2 Set the following parameters required for Telnet access:

Enable Telnet - Select the checkbox to enable Telnet device access. Telnet provides a command line interface to a remote host over TCP. Telnet provides no encryption, but it does provide a measure of authentication. Telnet access is disabled by default.
Telnet Port - Set the port on which Telnet connections are made (1 - 65,535). The default port is 23. Change this value using the spinner control next to this field or by entering the port number in the field.

3 Set the following parameters required for SSH access:

Enable SSHv2 - Select the checkbox to enable SSH device access. SSH (Secure Shell) version 2, like Telnet, provides a command line interface to a remote host. SSH transmissions are encrypted and authenticated, increasing the security of transmission. SSH access is disabled by default.
SSHv2 Port - Set the port on which SSH connections are made. The default port is 22. Change this value using the spinner control next to this field or by entering the port number in the field.

4 Set the following HTTP/HTTPS parameters:

Enable HTTP - Select the checkbox to enable HTTP device access. HTTP provides limited authentication and no encryption.
Enable HTTPS - Select the checkbox to enable HTTPS device access. HTTPS (Hypertext Transfer Protocol Secure) is more secure than plain HTTP. HTTPS provides both authentication and data encryption as opposed to just authentication (as is the case with HTTP).

NOTE: If a RADIUS server is not reachable, HTTPS or SSH management access to the controller or service platform may be denied.

5 Select the Enable Rest Server option, within the Rest Server field, to facilitate device on-boarding. When selected, the REST server allows vendor-specific users access to the online device registration portal. All requests and responses to and from the on-boarding portal are handled by the REST server through RESTful Application Programming Interface (API) transactions. The REST server serves the Web pages used to associate a device’s MAC address with a specific vendor group. This option is enabled by default.

6 Set the following parameters required for FTP access:

Enable FTP - Select the checkbox to enable FTP device access. FTP (File Transfer Protocol) is the standard protocol for transferring files over a TCP/IP network. FTP requires administrators enter a valid username and password authenticated locally. FTP access is disabled by default.
FTP Username - Specify a username required when logging in to the FTP server. The username cannot exceed 32 characters.
FTP Password - Specify a password required when logging in to the FTP server. Reconfirm the password in the field provided to ensure it has been entered correctly. The password cannot exceed 63 characters.
FTP Root Directory - Provide the complete path to the root directory in the space provided. The default setting has the root directory set to flash:/
7 Set the following General parameters:

Idle Session Timeout - Specify an inactivity timeout for management connection attempts (in seconds) from 0 - 4,320.
Message of the Day - Enter message of the day text (no longer than 255 characters) displayed at login for clients connecting via the CLI.

8 Set the following Access Restrictions parameters:

Filter Type - Select a filter type for access restriction. Options include IP Access List, Source Address or None. To restrict management access to specific hosts, select Source Address as the filter type and provide the allowed addresses within the Source Hosts field.
IP Access List - If the selected filter type is IP Access List, select an access list from the drop-down menu or select the Create button to define a new one. IP based firewalls function like Access Control Lists (ACLs) to filter/mark packets based on the IP from which they arrive, as opposed to filtering packets on layer 2 ports. IP firewalls implement uniquely defined access control policies, so if you don’t have an idea of what kind of access to allow or deny, a firewall is of little value, and could provide a false sense of network security.
Source Hosts - If the selected filter type is Source Address, enter an IP Address or IP Addresses for the source hosts. To restrict management access to specific hosts, select Source Address as the filter type and provide the allowed addresses within the Source Hosts field.
Source Subnets - If the selected filter type is Source Address, enter a source subnet or subnets for the source hosts. To restrict management access to specific subnets, select Source Address as the filter type and provide the allowed addresses within the Source Subnets field.
Logging Policy - If the selected filter is Source Address, enter a logging policy for administrative access. Options include None, Denied Requests or All.
9 Set the User Lockout Settings. Click the Add Row button and configure the following role-based user-account lockout and unlock criteria:

Role - Specify the user-role for which account lockout is to be enabled. The options are:
• device-provisioning-admin
• helpdesk
• monitor
• network-admin
• security-admin
• system-admin
• vendor-admin
• web-user-admin
Note, you can enable account lockout for multiple roles. After specifying the role/roles, set the Lockout Time and Number of Password Attempts.
User-account lockout is individually applied to each account within the specified role/roles. For example, consider the ‘monitor’ role having two users: ‘user1’ and ‘user2’. The Number of Password Attempts and Lockout Time is set at ‘5’ attempts and ‘10’ minutes respectively. In this scenario, user2 makes 5 consecutive, failed login attempts, and the user2 account is locked out for 10 minutes. However, during this lockout time the user1 account remains active.
Lockout Time - Specify the maximum time for which an account remains locked. Specify a value from 0 to 600 minutes. The value ‘0’ indicates that the account is permanently locked.
Number of Password Attempts - Specify the maximum number of consecutive, failed attempts allowed before an account is locked. Specify a value from 1 to 100.

10 Select OK to update the access control configuration. Select Reset to revert to the last saved configuration.

12.1.1.4 Setting the Authentication Configuration

Refer to the Authentication tab to define how user credential validation is conducted on behalf of a Management Access policy. If utilizing an external authentication resource, an administrator can optionally apply a TACACS policy. Terminal Access Controller Access-Control System+ (TACACS+) is a protocol created by Cisco to provide access control to network devices (routers, network access servers or other networked devices) through one or more centralized servers. TACACS provides separate authentication, authorization, and accounting services running on different servers.

To configure an external authentication resource:
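The Access Restrictions and User Lockout Settings of section 12.1.1.3 decide whether a management login is considered at all and when an account stops accepting attempts. The following Python model is an added example, not Extreme Networks code: its class and field names are hypothetical, the addresses are constructed (10.10.10.0/24 stands in for VLAN10, 192.168.70.0/24 for VLAN70), and it assumes that a match on any listed host or subnet permits the source and that a successful login resets the failure count.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class LockoutRule:
    max_attempts: int     # Number of Password Attempts (1 - 100)
    lockout_minutes: int  # Lockout Time (0 - 600); 0 = permanently locked


@dataclass
class ManagementPolicy:
    # Field names are this example's own, not WiNG configuration syntax.
    filter_type: str = "none"                        # "none" or "source-address"
    source_hosts: list = field(default_factory=list)
    source_subnets: list = field(default_factory=list)
    logging_policy: str = "none"                     # "none", "denied" or "all"
    lockout: dict = field(default_factory=dict)      # role name -> LockoutRule

    def source_allowed(self, client_ip):
        """Assumption: a match on any listed host or subnet permits the source."""
        if self.filter_type != "source-address":
            return True
        ip = ipaddress.ip_address(client_ip)
        if any(ip == ipaddress.ip_address(h) for h in self.source_hosts):
            return True
        return any(ip in ipaddress.ip_network(s) for s in self.source_subnets)


class LoginGate:
    """Tracks consecutive failures per account, as in the page's user1/user2 case."""

    def __init__(self, policy, user_roles):
        self.policy = policy
        self.user_roles = user_roles   # user name -> role name
        self.failures = {}             # user name -> consecutive failed attempts
        self.locked_until = {}         # user name -> unlock minute, None = permanent
        self.log = []                  # (client_ip, "permit" | "deny") source decisions

    def _log_source(self, client_ip, allowed):
        mode = self.policy.logging_policy
        if mode == "all" or (mode == "denied" and not allowed):
            self.log.append((client_ip, "permit" if allowed else "deny"))

    def attempt(self, user, client_ip, password_ok, now_min):
        allowed = self.policy.source_allowed(client_ip)
        self._log_source(client_ip, allowed)
        if not allowed:
            return "denied-source"               # never reaches password checking
        if user in self.locked_until:
            until = self.locked_until[user]
            if until is None or now_min < until:
                return "locked"
            del self.locked_until[user]          # lockout time has elapsed
            self.failures[user] = 0
        if password_ok:
            self.failures[user] = 0              # assumption: success resets the count
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        rule = self.policy.lockout.get(self.user_roles.get(user))
        if rule and self.failures[user] >= rule.max_attempts:
            self.locked_until[user] = (
                None if rule.lockout_minutes == 0 else now_min + rule.lockout_minutes
            )
        return "failed"


def run_page_scenario():
    """The page's 'monitor' role case: 5 attempts, 10 minute lockout (addresses constructed)."""
    policy = ManagementPolicy(
        filter_type="source-address",
        source_subnets=["10.10.10.0/24"],
        logging_policy="denied",
        lockout={"monitor": LockoutRule(max_attempts=5, lockout_minutes=10)},
    )
    gate = LoginGate(policy, {"user1": "monitor", "user2": "monitor"})
    results = [gate.attempt("user1", "192.168.70.23", True, 0)]       # guest VLAN source
    results += [gate.attempt("user2", "10.10.10.5", False, 0) for _ in range(5)]
    results.append(gate.attempt("user2", "10.10.10.5", True, 5))      # still locked
    results.append(gate.attempt("user1", "10.10.10.6", True, 5))      # same role, not locked
    results.append(gate.attempt("user2", "10.10.10.5", True, 10))     # 10 minutes elapsed
    return results, gate.log


if __name__ == "__main__":
    outcome, source_log = run_page_scenario()
    print(outcome)
    print(source_log)
```

A valid password from the guest subnet is rejected before any credential check, and user2's lockout leaves user1 in the same role unaffected.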
1 Select the Authentication tab from the Management Policy screen.

Figure 12-8 Management Policy screen - Authentication tab

2 Define the following settings to authenticate management access requests:

Local - Select whether the authentication server resource is centralized (local), or whether an external authentication resource is deployed for validating user access. Local is enabled by default.
RADIUS - If local authentication is disabled, define whether the RADIUS server is External or Fallback.
AAA Policy - Define the AAA policy used to authenticate user validation requests to the controller or service platform managed network. Select the Create icon as needed to define a new AAA policy or select the Edit icon to modify an existing policy.
TACACS - If local authentication is disabled, optionally select Authentication or Fallback (only one authentication or fallback option can be selected) or Accounting and Authorization. TACACS policies control user access to devices and network resources while providing separate accounting, authentication, and authorization services.
AAA TACACS Policy - Select an existing AAA TACACS policy (if available), or select Create to define a new policy or Edit to modify an existing one.

3 Select OK to update the authentication configuration. Select Reset to revert to the last saved configuration.

12.1.1.5 Setting the SNMP Configuration

Optionally use the Simple Network Management Protocol (SNMP) to communicate with devices within the network. SNMP is an application layer protocol that facilitates the exchange of management information between the controller or service platform and a managed device. SNMP enabled devices listen on port 162 (by default) for SNMP packets from the controller or service platform’s management server. SNMP uses read-only and read-write community strings as an authentication mechanism to monitor and configure supported devices. The read-only community string is used to gather statistics and configuration parameters from a supported wireless device. The read-write community string is used by a management server to set device parameters. SNMP is generally used to monitor a system’s performance and other parameters.

To configure SNMP Management Access:

1 Select the SNMP tab from the Management Policy screen.

Figure 12-9 Management Policy screen - SNMP tab

2 Enable or disable SNMPv1, SNMPv2 and SNMPv3.

SNMP Version   Encrypted   Authenticated   Default State
SNMPv1         No          No              Disabled
SNMPv2         No          No              Enabled
SNMPv3         Yes         Yes             Enabled

Enable SNMPv1 - SNMPv1 exposes a device’s management data so it can be managed remotely. Device data is exposed as variables that can be accessed and modified as text strings, with version 1 being the original (rudimentary) implementation. SNMPv1 is enabled by default.
Enable SNMPv2 - Select the checkbox to enable SNMPv2 support. SNMPv2 provides device management using a hierarchical set of variables. SNMPv2 uses Get, GetNext, and Set operations for data management. SNMPv2 is enabled by default.
Enable SNMPv3 - Select the checkbox to enable SNMPv3 support. SNMPv3 adds security and remote configuration capabilities to previous versions. The SNMPv3 architecture introduces the user-based security model (USM) for message security and the view-based access control model (VACM) for access control. The architecture supports the concurrent use of different security, access control and message processing techniques. SNMPv3 is enabled by default.

3 Set the SNMP v1/v2 Community String configuration. Use the + Add Row function as needed to add additional SNMP v1/2 community strings, or select an existing community string’s radio button and select the Delete icon to remove it.

Community - Define a public or private community designation. By default, SNMPv2 community strings on most devices are set to public, for the read-only community string, and private for the read-write community string.
Access Control - Set the access permission for each community string used by devices to retrieve or modify information. Available options include:
Read Only - Allows a remote device to retrieve information.
Read-Write - Allows a remote device to modify settings.
IP SNMP ACL - Set the IP SNMP ACL used along with community string. Use the drop-down menu to select an existing ACL. Use the Create icon to create and add a new ACL. Select an existing ACL and the Edit icon to update an existing ACL.

4 Set the SNMPv3 Users configuration. Use the + Add Row function as needed to add additional SNMPv3 user configurations, or select a SNMP user’s radio button and select the Delete icon to remove the user.

User Name - Use the drop-down menu to define a user name of snmpmanager, snmpoperator or snmptrap.
Authentication - Displays the authentication scheme used with the listed SNMPv3 user. The listed authentication scheme ensures only trusted and authorized users and devices can access the network.
Encryption - Displays the encryption scheme used with the listed SNMPv3 user.
Password - Provide the user’s password in the field provided. Select the Show check box to display the actual character string used in the password, while leaving the check box unselected protects the password and displays each character as “*”.

5 Select OK to update the SNMP configuration. Select Reset to revert to the last saved configuration.

12.1.1.6 SNMP Trap Configuration

The managed network can use SNMP trap receivers for fault notifications. SNMP traps are unsolicited notifications triggered by thresholds (or actions), and are therefore an important fault management tool. A SNMP trap receiver is the destination of SNMP messages (external to the controller or service platform). A trap is like a Syslog message, just over another protocol (SNMP). A trap is generated when a device consolidates event information and transmits the information to an external repository. The trap contains several standard items, such as the SNMP version, community etc.

SNMP trap notifications exist for most controller or service platform operations, but not all are necessary for day-to-day operation.

To define a SNMP trap configuration for receiving events at a remote destination:

1 Select the SNMP Traps tab from the Management Policy screen.

Figure 12-10 Management Policy screen - SNMP Traps tab

2 Select the Enable Trap Generation checkbox to enable trap generation using the trap receiver configuration defined. This feature is disabled by default.

3 Refer to the Trap Receiver table to set the configuration of the external resource dedicated to receiving trap information. Select Add Row + as needed to add additional trap receivers. Select the Delete icon to permanently remove a trap receiver.

IP Address - Sets the IP address of the external server resource dedicated to receiving the SNMP traps on behalf of the controller or service platform.
Port - Set the port of the server resource dedicated to receiving SNMP traps. The default port is port 162.
Version - Sets the SNMP version to use to send SNMP traps. SNMPv2 is the default.
Trap Community - Provide a 32 character maximum trap community string. The community string functions like a user id or password allowing access to controller or Access Point resources. If the community string is correct, the controller or Access Point provides the requested information. If the community string is incorrect, the controller or Access Point discards the request and does not respond. Community strings are used only by devices which support SNMPv1 and SNMPv2c. SNMPv3 uses username/password authentication, along with an encryption key. The default setting is public.
4 Select OK to update the SNMP Trap configuration. Select Reset to revert to the last saved configuration.

12.1.1.7 T5 PowerBroadband SNMP

A T5 controller, once enabled as a supported external device, can provide data to WiNG to assist in a T5’s management within a WiNG supported subnet populated by both types of devices.

To define a T5 controller power broadband SNMP configuration:

1 Select the T5 Power Broadband tab from the Management Policy screen.

Figure 12-11 Management Policy screen - T5 PowerBroadband tab

2 Set the following SNMP settings:

Contact - Set a 64 character maximum contact name for the administration of T5 controller SNMP events.
Enable Server - Select this option to enable SNMP event management for the T5 controller. This setting is disabled by default.
Location - Set a 64 character maximum location for the SNMP resource dedicated to T5 controller support.
Traps - Select this option for SNMP trap support for the T5 controller. A trap is like a Syslog message, just over another protocol (SNMP). A trap is generated when a device consolidates event information and transmits the information to an external repository. The trap contains several standard items, such as the SNMP version, community etc.
3 Set the SNMP v1/v2c Community String configuration for T5 controller usage. Use the + Add Row function as needed to add additional SNMP v1/2 community strings, or select an existing community string’s radio button and select the Delete icon to remove it.

Community - Set a 32 character maximum SNMP community string.
Access - Set the access permission for each community string used by devices to retrieve or modify information. Available options include:
Read Only - Allows a remote device to retrieve information.
Read-Write - Allows a remote device to modify settings.
IP - Set the IP address of the SNMP manager.

4 Use the Host table to define up to 4 SNMP receiver resource IP addresses.

5 Select OK to update the configuration. Select Reset to revert to the last saved configuration.

12.2 EX3500 Management Policies

The EX3500 series switch is a Gigabit Ethernet Layer 2 switch with either 24 or 48 10/100/1000-BASE-T ports, and four Small Form Factor Pluggable (SFP) transceiver slots for fiber connectivity. Each 10/100/1000 Mbps port supports both the IEEE 802.3af and IEEE 802.3at-2009 PoE standards. Each EX3500 series switch includes an SNMP-based management agent, which provides both in-band and out-of-band access for management. An EX3500 series switch utilizes an embedded HTTP Web agent and command line interface (CLI) somewhat different from the WiNG operating system, while still enabling the EX3500 series switch to provide WiNG controllers PoE and port management resources.

Going forward, NX9600, NX9500, NX7500 and NX5500 WiNG managed services platforms and WiNG VMs can discover, adopt and partially manage EX3500 series Ethernet switches, as DHCP option 193 has been added to support external device adoption. DHCP option 193 is a simplified form of DHCP options 191 and 192 used by WiNG devices currently. DHCP option 193 supports pool1, hello-interval and adjacency-hold-time parameters. WiNG service platforms leave the proprietary operating system running the EX3500 switches unmodified, and partially manage them utilizing standardized WiNG interfaces. WiNG service platforms use a translation layer to communicate with EX3500 series switches.

NOTE: WiNG can partially manage an EX3500 without using DHCP option 193. In this case the EX3500 must be directly configured to specify the IPv4 addresses of potential WiNG adopters, using the EX3500 controller host ip address CLI command.

To set EX3500 management settings for EX3500 user group creation, authentication, password management and SNMP:

1 Select Configuration.

2 Select Management.

3 Refer to the upper, left-hand, portion of the UI and select EX3500 Management Policy.
Figure 12-12 EX3500 Management Policy screen

The screen lists those EX3500 management policies created thus far. Select Add to create a new EX3500 management policy, Edit to modify the attributes of a policy or Delete to remove an obsolete list from those available. Existing lists can be copied or renamed as needed.

For more information, refer to the following:
• EX3500 User Groups
• EX3500 Authentication
• EX3500 Exec Password Management
• EX3500 System Settings
• EX3500 SNMP Management
• EX3500 SNMP Users

12.2.1 EX3500 User Groups

EX3500 switch user groups are stored in a local database on the WiNG service platform. Each user group can be assigned unique access levels and passwords to provide administrative priority.

To set an EX3500 user group configuration:

1 Select Configuration.

2 Select Management.

3 Refer to the upper, left-hand, portion of the UI and select EX3500 Management Policy.

4 The screen lists those EX3500 management policies created thus far. Select Add to create a new EX3500 management policy, Edit to modify an existing policy or Delete to remove an obsolete policy. Existing lists can be copied or renamed as needed.

5 If creating a new EX3500 user group, assign it a Name up to 32 characters. Select Continue.
Figure 12-13 EX3500 Management Policy User Group screen

6 Select Add to create a new EX3500 user group, Edit to modify an existing group or Delete to remove an obsolete group. Set the following User Group attributes:

Figure 12-14 User Group Add/Edit screen

Access Level - Use the spinner control to set an access level from 0 - 15 serving as the access priority of each user group requesting access and interoperability with an EX3500 switch. Access level 0 corresponds to a guest user with minimal access to commands while access level 15 corresponds to an administrator user with full access to all commands.
Hash Type - Select either 0 or 7 to define the hash in plain text (0) or encrypted characters (7).
Admin Password - Create a 32 character maximum password for the EX3500 user group.

7 Select OK when completed to update the EX3500 user group configuration. Select Reset to revert the screen back to its last saved configuration.

12.2.2 EX3500 Authentication

Management access to an EX3500 switch can be enabled/disabled as required using separate interfaces and protocols (HTTP, SSH). Disabling unused and insecure interfaces and unused management services can dramatically reduce an attack footprint and free resources within an EX3500 management policy.

To authenticate an EX3500 management policy:

1 Select Configuration from the Web UI.

2 Select Management.

3 Refer to the upper, left-hand, portion of the UI and select EX3500 Management Policy.

4 The screen lists those EX3500 management policies created thus far. Select Add to create a new EX3500 management policy, Edit to modify an existing policy or Delete to remove an obsolete policy. Existing lists can be copied or renamed as needed.

5 Select the Authentication tab.

Figure 12-15 EX3500 Management Policy Authentication screen

6 Select the following HTTP server settings to authenticate a HTTP connection to an EX3500:

Server - When selected, access the EX3500 using HTTP from any Windows PC, Linux PC or other device that uses HTTP. This setting is enabled by default.
Port - Set the HTTP port number from 1 - 65,535. The default port is 80.
Secure Server - Select this option to secure HTTP over a designated secure port.
Secure Port - Use the spinner control to select a secure port from 1 - 65,535.

7 Select the following SSH server settings to authenticate a SSH connection to an EX3500:

Server - When selected, access the EX3500 using SSH from any Windows PC, Linux PC or other device that uses SSH. This setting is enabled by default.
Retries for SSH - Set the maximum number of retries, from 1 - 5, for connection to the SSH server resource. The default setting is 3.
Server Key - Set the SSH server key length from 512 - 1,024. The default length is 768.
Time Out - Set the inactivity timeout for the SSH server resource from 1 - 120 seconds. When this setting is exceeded, the SSH server resource becomes unreachable and must be reauthenticated. The default value is 120 seconds.

8 Select OK when completed to update the EX3500 authentication configuration. Select Reset to revert the screen back to its last saved configuration.

12.2.3 EX3500 Exec Password Management

Each EX3500 management policy can have a unique exec password with its own privilege level assigned. Utilize these passwords as specific EX3500 management sessions require priority over others.

To administrate EX3500 management passwords and their privileges:

1 Select Configuration from the Web UI.

2 Select Management.

3 Refer to the upper, left-hand, portion of the UI and select EX3500 Management Policy.

4 The screen lists those EX3500 management policies created thus far. Select Add to create a new EX3500 management policy, Edit to modify an existing policy or Delete to remove an obsolete policy. Existing lists can be copied or renamed as needed.

5 Select the Exec Password tab.
Figure 12-16 EX3500 Management Policy Exec Password screen

6 Select Add to create a new EX3500 exec password, Edit to modify an existing password configuration or Delete to remove an obsolete password.

Figure 12-17 EX3500 Management Policy Exec Password Add/Edit screen

7 Assign a privilege level from 0 - 15. Level 0 provides the least access, while level 15 provides the most access. The commands available at each level vary.
8 Select the following Exec Password settings:

Hash Type: Select either 0 or 7 to define the hash in plain text (0) or encrypted characters (7).
Exec Privilege Password: Create a 32 character maximum password for the EX3500 exec password.

9 Select OK when completed to update the EX3500 exec password. Select Reset to revert the screen back to its last saved configuration.

12.2.4 EX3500 System Settings

An EX3500 management policy can be customized to include high and low alarm thresholds for EX3500 memory and CPU utilization. The Memory and CPU rising and falling thresholds control when the EX3500 generates SNMP traps if these thresholds are exceeded. A trap is generated when the utilization exceeds the rising threshold, and another trap is generated after the utilization drops below the falling threshold. These thresholds do not protect the resource; they provide notification of an excessive use of the resource.

To administrate EX3500 management policy memory and CPU threshold settings:

1 Select Configuration from the Web UI.
2 Select Management.
3 Refer to the upper, left-hand portion of the UI and select EX3500 Management Policy.
4 The screen lists those EX3500 management policies created thus far. Select Add to create a new EX3500 management policy, Edit to modify an existing policy or Delete to remove an obsolete policy. Existing lists can be copied or renamed as needed.
5 Select the System tab.

Figure 12-18 EX3500 Management Policy System screen

6 Set the following Memory - Alarm Configuration threshold settings:

Falling Threshold: Set the threshold for clearing the EX3500 memory utilization alarm. Once the rising threshold is exceeded, the memory utilization must drop below this threshold for the alarm to clear. The threshold is set as a percentage from 1 - 100, with a default of 90.
Rising Threshold: Set the threshold for EX3500 memory utilization as too high. The threshold is set as a percentage from 1 - 100, with a default of 95.
7 Set the following CPU - Alarm Configuration threshold settings:

Falling Threshold: Set the threshold for clearing the EX3500 CPU (processor) utilization alarm. Once the rising threshold is exceeded, the CPU (processor) utilization must drop below this threshold for the alarm to clear. The threshold is set as a percentage from 1 - 100, with a default of 70.
Rising Threshold: Set the notification threshold for EX3500 CPU (processor) utilization as too high. The threshold is set as a percentage from 1 - 100, with a default of 90.

8 Select OK when completed to update the EX3500 system threshold settings. Select Reset to revert the screen back to its last saved configuration.

12.2.5 EX3500 SNMP Management

Optionally use the Simple Network Management Protocol (SNMP) with the EX3500 management policy for statistics gathering, or to fully manage the EX3500. SNMP is an application layer protocol that facilitates the exchange of management information between the controller or service platform and a managed device. SNMP enabled devices listen on port 161 (by default) for SNMP packets from the controller or service platform's management server. SNMP uses read-only and read-write community strings as an authentication mechanism to monitor and configure supported devices. The read-only community string is used to gather statistics and configuration parameters from a supported wireless device. The read-write community string is used by a management server to set device parameters. SNMP is generally used to monitor a system's performance and other parameters.

To set the EX3500's SNMP management policy configuration:

1 Select Configuration from the Web UI.
2 Select Management.
3 Refer to the upper, left-hand portion of the UI and select EX3500 Management Policy.
4 The screen lists those EX3500 management policies created thus far. Select Add to create a new EX3500 management policy, Edit to modify an existing policy or Delete to remove an obsolete policy. Existing lists can be copied or renamed as needed.
5 Select the SNMP tab.
Figure 12-19 EX3500 Management Policy SNMP screen

6 Set the following SNMP settings:

Enable: Select the checkbox to enable SNMPv1, SNMPv2 or SNMPv3 support. The SNMP version utilized is selected and mapped to a user group within the Group table.
Contact: Define a 255 character maximum SNMP contact name for the party responsible for the WiNG administration of the EX3500 switch.
Local Engine ID: Set a 64 character maximum local engine ID. The local engine ID is the administratively unique identifier of an SNMPv3 engine used for identification, not addressing. There are two parts of an engine ID: prefix and suffix. The prefix is formatted according to the specifications defined in RFC 3411.
Location: Assign a 255 character maximum EX3500 switch location reflecting the switch's physical deployment location.
7 Select + Add Row and set the following Community Strings:

Name: Define a public or private community designation. By default, SNMPv2 community strings on most devices are set to public for the read-only community string, and private for the read-write community string.
Access: Set the access permission for each community string used by devices to retrieve or modify information. Available options include:
    Read Only - Allows a remote device to retrieve information.
    Read-Write - Allows a remote device to modify settings.

8 Select + Add Row and set the following Group settings for SNMP management of the EX3500:

Group Name: Define a 32 character maximum name for this SNMP group. A maximum of 17 groups can be set for EX3500 model switches.
Authentication: If utilizing SNMPv3 as the version for this group, select whether auth, noauth or priv is applied to this group as a credential exchange and validation mechanism. This setting is not enabled if utilizing either SNMPv1 or SNMPv2.
Version: Apply either SNMPv1, SNMPv2 or SNMPv3 to this EX3500 SNMP group. SNMP v2 is identical to version 1, but it adds support for 64 bit counters. Most devices support SNMP v2c automatically. However, there are some devices that require you to explicitly enable v2, and that poses no risk. SNMP v3 adds security to the 64 bit counters provided with SNMP v2. SNMP v3 adds both encryption and authentication, which can be used together or separately. Its setup is more complex than just defining a community string. But if you require security, SNMP v3 is recommended.
Notify View: Set a 32 character maximum notify string to restrict and filter the objects in the notification.
Read View: Set an optional 32 character maximum string indicating that users who belong to this group have read access to the EX3500 switch.
Write View: Set an optional 32 character maximum string indicating that users who belong to this group have write access to the EX3500 switch.

9 Set the following SNMP Traps for SNMP event management of the EX3500:

Authentication: Select the checkbox to enable trap generation for user authentication events when accessing an EX3500 switch from a WiNG managed controller. This feature is disabled by default.
Enable SNMP Trap: Select the checkbox to enable EX3500 MAC generation traps. When enabled, a trap is generated when a dynamic MAC address is added to or removed from the switch's address table. This feature is disabled by default.
Link Up Down: Select this option to generate a trap when a link is either established or broken between the EX3500 switch and a connected device (WiNG managed or not).

10 Refer to the SNMP View table and select + Add Row to include or exclude up to 31 SNMP views.

View Name: Enter a 32 alphanumeric character maximum name to identify the EX3500 SNMP MIB view. A view is a set of MIB view subtrees, or a family of subtrees, where each is a subtree within the managed object naming tree. Create MIB views to control the OID range that SNMPv3 users can access.
OID Tree: Provide an OID string to include or exclude from the view. The OID string is 128 characters in length.
View Access: Designate whether view access is included or excluded for the subtree or family of subtrees from the MIB view. If creating an excluded view subtree, consider creating a corresponding included entry with the same view name to allow subtrees outside of the excluded subtree to be included.

11 Refer to the Notify Filter table and select + Add Row to set up to 5 remote resources for archive and retrieval.

Name: Enter a 26 character maximum name for the filter. Notifications indicate erroneous user authentication requests, restarts, connection closures, connection loss to a neighbor router or other events.
Remote Host: Provide a destination IP address for a remote server resource for trap filters.

12 Refer to the Remote Engine table and select + Add Row to set up to 5 remote IDs and addresses.

Remote Engine IP: Enter a remote engine IP address for the remote SNMP agent of the device where the user resides.
Remote Engine Id: Provide an Id 9 - 64 characters in length. If configuring the EX3500 management for SNMP V3, it is necessary to configure an engine ID, as passwords are localized using the SNMP ID of the SNMP engine. The remote agent's SNMP engine ID is needed when computing authentication from a password.

13 Refer to the Host table and select + Add Row to set the trap receiver host configuration.

Authentication: If using SNMPv3, define the authentication scheme for user credential validation as either auth, noauth or priv.
Community String: Provide the 1 - 32 character text community strings for accessing EX3500 switch configuration files. SNMP uses read-only and read-write community strings as an authentication mechanism to monitor and configure supported devices.
Inform: Enable this option to enable an EX3500 switch to send inform requests to SNMP managers. Traps are not as reliable as informs since an acknowledgment is not sent from the receiving end when a trap is received. An SNMP manager that receives an inform acknowledges the message with an SNMP response.
IP: Define the trap receiver's IP address.
Retry: Set the number of server connection retries (from 1 - 255). When no response is received after the last retry attempt, the connection session is terminated with the trap receiver IP address.
Timeout: Configures the duration (in seconds) the host connection process is shut down temporarily before a reset of the process is attempted for the set number of retries.
UDP Port: Set the port of the server resource dedicated to receiving EX3500 switch SNMP traps. The default port is port 162.
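The Remote Engine Id entry states that SNMPv3 passwords are localized using the engine ID. The sketch below is an added example, not code from this guide or from the EX3500: it implements the password-to-key and localization steps of RFC 3414 (Appendix A.2) and shows that one password yields a different key for each engine ID. SHA-1 is assumed because it is one of the hashes in the RFC's worked example (the guide does not state which hash the EX3500 uses), and the 8 - 40 character limit is the one this guide gives for the SNMP user authentication password.

```python
import hashlib

# Limits quoted from the SNMP user screen described in this guide.
AUTH_PASSWORD_MIN, AUTH_PASSWORD_MAX = 8, 40


def password_to_key(password: str, hash_name: str = "sha1") -> bytes:
    """RFC 3414 A.2, step 1: digest 1,048,576 octets of the repeated password."""
    if not password.isascii() or not (
        AUTH_PASSWORD_MIN <= len(password) <= AUTH_PASSWORD_MAX
    ):
        raise ValueError("authentication password must be 8 - 40 ASCII characters")
    raw = password.encode("ascii")
    total = 1024 * 1024
    # Repeat the password and cut the stream at exactly one megabyte.
    stream = (raw * (total // len(raw) + 1))[:total]
    return hashlib.new(hash_name, stream).digest()


def localize_key(user_key: bytes, engine_id: bytes, hash_name: str = "sha1") -> bytes:
    """RFC 3414 A.2, step 2: bind the key to one engine, H(Ku || engineID || Ku)."""
    return hashlib.new(hash_name, user_key + engine_id + user_key).digest()


def localized_auth_key(password: str, engine_id_hex: str, hash_name: str = "sha1") -> bytes:
    """Derive the per-engine key an SNMPv3 agent stores instead of the password."""
    engine_id = bytes.fromhex(engine_id_hex)
    if not engine_id:
        raise ValueError("an engine ID is required to localize an SNMPv3 key")
    return localize_key(password_to_key(password, hash_name), engine_id, hash_name)


# Engine ID from the RFC 3414 A.3 worked example, plus a constructed second one.
RFC_ENGINE_ID = "000000000000000000000002"
OTHER_ENGINE_ID = "000000000000000000000003"  # constructed for this example

if __name__ == "__main__":
    for eid in (RFC_ENGINE_ID, OTHER_ENGINE_ID):
        print(eid, localized_auth_key("maplesyrup", eid).hex())
```

Because the stored key depends on the engine ID, a key recovered from one switch does not authenticate to a switch with a different engine ID, and changing an engine ID invalidates the keys derived with the old one.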
Version: Set whether SNMP version 1, 2 or 3 is used with this dedicated host. Versions 1 and 2 provide no data security. SNMPv3 adds security and remote configuration capabilities to previous versions. The SNMPv3 architecture introduces the user-based security model (USM) for message security and the view-based access control model (VACM) for access control.

12.2.6 EX3500 SNMP Users

An EX3500 SNMP management session utilizes unique SNMP users with specific authentication and privacy parameters.

To administrate EX3500 SNMP users and their permissions:

1 Select Configuration from the Web UI.
2 Select Management.
3 Refer to the upper, left-hand portion of the UI and select EX3500 Management Policy.
4 The screen lists those EX3500 management policies created thus far. Select Add to create a new EX3500 management policy, Edit to modify an existing policy or Delete to remove an obsolete policy. Existing lists can be copied or renamed as needed.
5 Select the SNMP User tab.

Figure 12-20 EX3500 SNMP User screen

6 Review the following EX3500 SNMP user credentials to determine whether a new user requires creation or an existing user configuration needs modification:

User Name: Displays the 32 character maximum SNMP user name assigned the specific SNMP version and remote SNMP server resource listed. More than one user can be assigned to the same EX3500 SNMP user group.
Version: Lists whether SNMPv1, SNMPv2 or SNMPv3 is applied to this EX3500 SNMP user. SNMP v2 is identical to version 1, but it adds support for 64 bit counters. Most devices support SNMP v2c automatically. However, there are some devices that require you to explicitly enable v2, and that poses no risk. SNMP v3 adds security to the 64 bit counters provided with SNMP v2. SNMP v3 adds both encryption and authentication, which can be used together or separately. Its setup is more complex than just defining a community string. But if you require security, SNMP v3 is recommended.
Remote IP Address: Lists the remote server resource designated for receiving SNMP trap and inform event messages for the listed SNMP user.
Group Name: Lists the 32 character maximum name assigned to this SNMP group, as SNMP access rights are organized by groups. The trap group name can be any string and is embedded in the community name field of a trap. A maximum of 17 groups can be set for EX3500 model switches.

7 Select Add to create a new user configuration or Edit to modify the attributes of an existing EX3500 SNMP user configuration.

Figure 12-21 EX3500 SNMP User Add/Edit screen

8 Set the following SNMP user credentials for the EX3500 SNMP user:

User Name: Enter a 32 character maximum SNMP user name for EX3500 SNMP session management.
Version: Use the drop-down menu to define whether SNMPv1, SNMPv2 or SNMPv3 is applied to this EX3500 SNMP user configuration. SNMP v2 is identical to version 1, but it adds support for 64 bit counters. Most devices support SNMP v2c automatically. However, there are some devices that require you to explicitly enable v2, and that poses no risk. SNMP v3 adds security to the 64 bit counters provided with SNMP v2. SNMP v3 adds both encryption and authentication, which can be used together or separately. Its setup is more complex than just defining a community string. But if you require security, SNMP v3 is recommended.
Remote IP Address: Set the remote server resource IP address designated for receiving SNMP trap and inform event messages for this SNMP user.
Group Name: Enter a 32 character maximum name for an SNMP group. The group name can be any string and is embedded in the community name field of an SNMP trap.
Encryption: When using SNMPv3, the Encryption option becomes available to scramble packet contents and prevent them from exposure to unauthorized sources.
Authentication: When using SNMPv3, the Authentication option becomes available to ensure messaging is from a valid source. SNMPv3 uses the user-based security model (USM) for message security and the view-based access control model (VACM) for access control. USM specifies authentication and encryption. VACM specifies access-control rules.
Authentication Password: Enter an 8 - 40 character ASCII authentication password. The selected authentication password ensures only trusted and authorized users can access an EX3500 SNMP management session.
Private Type: Use the drop-down menu to specify the privacy type. The Advanced Encryption Standard (AES) is utilized as one of the privacy protocol options for SNMPv3 messages in either an aes128, aes192 or aes256 format and is recommended. 3DES and des56 are also options, but are considered somewhat insecure and vulnerable to brute-force attacks.
Private Password: Enter an 8 - 64 character ASCII password to secure the privacy type selected.

9 Select OK when completed to update the EX3500 SNMP user settings. Select Reset to revert the screen back to its last saved configuration.

12.3 Hierarchical Tree

Tree Setup is unique because it is not a policy (which is reused in other objects), but rather a global configuration that represents the tree displayed for Dashboard, Operations and Statistics. However, since it is set as a configuration, it follows the standard configuration methods, and requires a Commit before taking effect and a Save to become persistent across reboots.

ADSP can run as a virtual machine on NX9500 and NX9510 model service platforms. WiNG communicates with ADSP using a single sign-on (SSO) authentication mechanism. Once the user is logged in, WiNG gains access to ADSP without being prompted to log in again at ADSP. There is no synchronization between the WiNG and ADSP databases. ADSP has its own user database stored locally within its virtual machine. This local database is accessed if a user logs directly into ADSP.

WiNG and ADSP must be consistent in the manner events are reported up through a network hierarchy to ensure optimal interoperability and event reporting. To provide such consistency, WiNG has added support for an ADSP-like hierarchal tree. The tree resides within WiNG, and ADSP reads it from WiNG and displays the network hierarchy in its own ADSP interface. The hierarchal tree can also be used to launch ADSP modules (like Spectrum Analyzer) directly from WiNG.

NOTE: The Hierarchical tree is available on both controllers and service platforms, but not Access Points.

WiNG uses the following containers within the tree to be consistent with ADSP's hierarchy conventions:
• Country
• Region
• City
• Campus

Hierarchy rules are enforced in the containers. For example, a city can be created under a country or region, but not vice versa. An RF Domain can be placed in any container. However, there cannot be any additional containers under the RF Domain. WiNG's RF Domains already use areas and floors, and these will continue to work as they currently do. Floors are also numbered to be consistent with ADSP's usage.

To configure a hierarchal tree to use with ADSP:

1 Select Configuration.
2 Select Management.
3 Refer to the upper, left-hand portion of the UI and select Tree Setup.

The Tree Setup screen displays with a System node that requires population with the containers to represent the deployment shared between WiNG and ADSP.

The Country, Region, City and Campus containers can be defined in any order, but at least one of these containers is required within the hierarchy before the RF Domain can be added and the hierarchy defined as valid.

Figure 12-22 Hierarchal Tree screen

4 To add a Country, Region, City or Campus to the tree, select System from the upper, left-hand portion of the Tree Setup screen. An add child link displays on the right-hand side of the display.

If adding a Country, select a deployment country from the Type drop-down menu and use the Name drop-down menu to scroll to the country of deployment where the RF Domain resides. Adding a country first is a good idea since regions, cities and campuses can all be added as child items in the tree structure. However, the selected country is an invalid tree node until an RF Domain is applied.
If adding a region, select Region from the Type drop-down menu and use the Name parameter to enter its name. Select Add to display the region. A city and campus can be added as child items in the tree structure under a region. An RF Domain can be mapped anywhere down the hierarchy for a region and not just directly under a Country. For example, a region can have a city and campus and one RF Domain mapped.

If adding a City, select City from the Type drop-down menu and use the Name parameter to enter its name. Select Add to display the city. Only a campus can be added as a child item under a city. The city is an invalid tree node until an RF Domain is applied somewhere within the directory tree.

If adding a Campus, select Campus from the Type drop-down menu and use the Name parameter to enter its name. Select Add to display the campus. A Campus is the last node in the hierarchy before an RF Domain, and it cannot be valid unless it has an RF Domain mapped to it.

5 Select the add RF Domain link at the right-hand side of any container to display an Unmapped RF Domain screen.
6 Provide the default RF Domain name whose deployment area and floor is mapped graphically, and whose events are shared between WiNG and ADSP. Select Add to display the RF Domain within its respective place in the tree hierarchy. A default RF Domain can also be dragged into the tree from the right-hand side of the screen.

Once the RF Domain is in the tree, select the add child link at the right-hand side of the RF Domain to display a screen where the RF Domain deployment Area and Floor are defined. Once defined, select Add to populate the tree with the Area and Floor. Provide the Map URL to upload the floor plan created under an Area. Each area can have multiple floors.

NOTE: While the MAP URL graphic file represents the RF Domain's physical device deployment area, devices cannot be dragged into topology or manipulated. To define a network topology that allows an administrator to add devices and manipulate locations, refer to Network View on page 4-27.

NOTE: If a tree container (country, region, city or campus) has a red box around it, it either has invalid attributes or an RF Domain requires addition.

7 Edit a tree node at any time by selecting it from the Tree Setup screen, and referring to the right-hand side of the screen where a field displays to modify the container.
8 Optionally, select Tree Import Export Template to upload a template.csv file if one is needed for container configuration.

NOTE: If a complete tree configuration has been saved and exported for archive to a remote location, it can be imported back into the Tree Setup screen and utilized without having to re-configure the containers and RF Domain of that tree. Select Import to utilize an existing tree configuration.

A sample of the tree template is provided here for reference.

Row Description:

record type (folder),server,Name,Description,Type,Floor Number,Path(slash delimited),Command(add|delete)

Actual Row in CSV file:

folder,localhost,US,Country Description,Country,,
folder,localhost,Southeast,Region Description,Region,,US
folder,localhost,Alpharetta,City Description,City,,US/Southeast
folder,localhost,Sanctuary Park,Campus Description,Campus,,US/Southeast/Alpharetta
folder,localhost,The Falls 1125,Domain Description,RFDomain,,US/Southeast/Alpharetta/Sanctuary Park
folder,localhost,Queens,,Area,,US/Southeast/Alpharetta/Sanctuary Park/The Falls 1125
folder,localhost,FloorQLab,,Floor,1,US/Southeast/Alpharetta/Sanctuary Park/The Falls 1125/Queens
folder,localhost,FloorSLab,,Floor,2,US/Southeast/Alpharetta/Sanctuary Park/The Falls 1125/Queens
folder,localhost,FloorTLab,,Floor,3,US/Southeast/Alpharetta/Sanctuary Park/The Falls 1125/Queens

In the CSV file, configure specific tree node properties.

Index 1 : Record Type. This value is always 'folder'. Import/export allows the configuration of folder nodes only. Leaf nodes, like devices, cannot be configured.
Index 2 : Server Name. This value is always 'localhost', as import/export is supported from localhost only.
Index 3 : Name. This configures the name/label of the tree node. This is the value visible to the user in the tree node.
Index 4 : Description. This configures the additional information the user wants to store with the tree node.
Index 5 : Type. This configures the type of the tree node. Type can take one of the values "country, region, city, campus, rfdomain, area, floor".
Index 6 : Floor Number. This configures the floor number. This is applicable only for the floor node.
Index 7 : Path. This is the '/' (slash delimited) path from the 'root'.
Index 8 : add|delete. Allows manipulation of the node. If no value is specified, the default is 'add'. If the value is 'delete', the referenced node is removed.

9 Select Import Tree Structure to optionally import a .csv file with the containers and RF Domain pre-defined. Importing an existing tree saves an administrator from creating a new one from the beginning.
10 Once the tree topology is defined to your satisfaction, select Export Tree Structure to archive the tree topology (in .csv file format) to a defined location. The exported tree topology can be re-imported and automatically displayed within the Tree Setup screen at any time.
11 Select OK to update the tree setup configuration. Select Reset to revert to the last saved configuration.

NOTE: Since the tree is set as a configuration, it follows standard configuration methods, and requires a Commit before taking effect and a Save to become persistent across reboots.
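A tree CSV can be checked against the column descriptions and hierarchy rules above before it is imported. The validator below is an added example, not a WiNG tool: it assumes the file describes a complete tree (every parent path is created by an earlier row), that Type values are compared case-insensitively, that the eighth column may be omitted as in the guide's sample rows, and that a delete also drops the nodes beneath the deleted one.

```python
import csv
import io

# Containers in the nesting order the guide describes (lower rank holds higher).
CONTAINER_RANK = {"country": 0, "region": 1, "city": 2, "campus": 3}
NODE_TYPES = set(CONTAINER_RANK) | {"rfdomain", "area", "floor"}

# Sample rows printed in the guide.
GUIDE_SAMPLE = """\
folder,localhost,US,Country Description,Country,,
folder,localhost,Southeast,Region Description,Region,,US
folder,localhost,Alpharetta,City Description,City,,US/Southeast
folder,localhost,Sanctuary Park,Campus Description,Campus,,US/Southeast/Alpharetta
folder,localhost,The Falls 1125,Domain Description,RFDomain,,US/Southeast/Alpharetta/Sanctuary Park
folder,localhost,Queens,,Area,,US/Southeast/Alpharetta/Sanctuary Park/The Falls 1125
folder,localhost,FloorQLab,,Floor,1,US/Southeast/Alpharetta/Sanctuary Park/The Falls 1125/Queens
folder,localhost,FloorSLab,,Floor,2,US/Southeast/Alpharetta/Sanctuary Park/The Falls 1125/Queens
folder,localhost,FloorTLab,,Floor,3,US/Southeast/Alpharetta/Sanctuary Park/The Falls 1125/Queens
"""

# Constructed rows that break the rules, for demonstration only.
CONSTRUCTED_BAD = """\
folder,localhost,Atlanta,,City,,
folder,localhost,US,,Country,,Atlanta
folder,remotehost,HQ,,Campus,,Atlanta
folder,localhost,Lobby,,Area,,Atlanta/HQ
folder,localhost,Lab,,RFDomain,,Atlanta/HQ
folder,localhost,East,,Area,,Atlanta/HQ/Lab
folder,localhost,Ground,,Floor,,Atlanta/HQ/Lab/East
"""


def parent_allowed(child, parent):
    """Apply the guide's hierarchy rules; parent is None for the System root."""
    if child in CONTAINER_RANK:
        return parent is None or (
            parent in CONTAINER_RANK
            and CONTAINER_RANK[parent] < CONTAINER_RANK[child]
        )
    if child == "rfdomain":
        return parent in CONTAINER_RANK      # needs at least one container above it
    if child == "area":
        return parent == "rfdomain"
    return parent == "area"                  # floor


def validate_tree_csv(text):
    """Return [(line_number, message), ...]; an empty list means the file passed."""
    problems = []
    nodes = {}                               # full slash-delimited path -> node type
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not any(cell.strip() for cell in row):
            continue
        if not 7 <= len(row) <= 8:
            problems.append((lineno, f"expected 7 or 8 fields, got {len(row)}"))
            continue
        row = [cell.strip() for cell in row] + [""] * (8 - len(row))
        rectype, server, name, _desc, ntype, floor, path, command = row
        ntype, command = ntype.lower(), command.lower() or "add"
        path = path.strip("/")
        if rectype != "folder":
            problems.append((lineno, f"record type must be 'folder', got {rectype!r}"))
        if server != "localhost":
            problems.append((lineno, f"server must be 'localhost', got {server!r}"))
        if not name or "/" in name:
            problems.append((lineno, "name must be non-empty and must not contain '/'"))
            continue
        if ntype not in NODE_TYPES:
            problems.append((lineno, f"unknown node type {ntype!r}"))
            continue
        if command not in ("add", "delete"):
            problems.append((lineno, f"command must be add or delete, got {command!r}"))
            continue
        if ntype == "floor" and not floor.isdigit():
            problems.append((lineno, "floor node needs a numeric floor number"))
        if ntype != "floor" and floor:
            problems.append((lineno, "floor number is only valid on floor nodes"))
        full = f"{path}/{name}" if path else name
        if command == "delete":
            # Assumption: removing a node also removes everything beneath it.
            for known in [p for p in nodes if p == full or p.startswith(full + "/")]:
                del nodes[known]
            continue
        if path and path not in nodes:
            problems.append((lineno, f"parent path {path!r} not defined by an earlier row"))
            continue
        parent_type = nodes.get(path) if path else None
        if not parent_allowed(ntype, parent_type):
            problems.append((lineno, f"{ntype} not allowed under {parent_type or 'System'}"))
            continue
        if full in nodes:
            problems.append((lineno, f"duplicate node {full!r}"))
            continue
        nodes[full] = ntype
    return problems
```

Calling validate_tree_csv(GUIDE_SAMPLE) returns an empty list, while the constructed rows are flagged for a country placed under a city, a non-localhost server, an area placed outside an RF Domain and a floor without a floor number.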
12.4 Management Access Deployment Considerations

Before defining an access control configuration as part of a Management Access policy, refer to the following deployment guidelines to ensure the configuration is optimally effective:

• Unused management protocols should be disabled to reduce a potential attack against managed resources. For example, if a device is only being managed by the Web UI and SNMP, there is no need to enable CLI interfaces.
• Use management interfaces providing encryption and authentication. Management services like HTTPS, SSH and SNMPv3 should be used when possible, as they provide both data privacy and authentication.
• By default, SNMPv2 community strings on most devices are set to public for the read-only community string and private for the read-write community string. Legacy devices may use other community strings by default.
• SNMPv3 should be used for SNMP device management, as it provides both encryption and authentication.
• Enabling SNMP traps can provide alerts for isolated attacks at small managed radio deployments or distributed attacks occurring across multiple managed sites.
• Whenever possible, centralized RADIUS management should be enabled. This provides better management and control of management usernames and passwords and allows administrators to quickly change credentials in the event of a security breach.
13 Diagnostics

Resident diagnostic capabilities enable administrators to understand how devices are performing and troubleshoot issues impacting device performance. Performance and diagnostic information is collected and measured on controllers and service platforms for any anomalies potentially causing a key process to fail.

Numerous tools are available within the Diagnostics menu. Some filter events, others allow you to view logs and manage files generated when hardware or software issues are detected.

The diagnostics are managed as follows:

• Fault Management
• Crash Files
• Advanced Diagnostics

13.1 Fault Management

Fault management enables users administering multiple sites to assess how individual devices are performing and review issues impacting the network. Use the Fault Management screens to administrate errors generated by the controller or service platform, Access Point or wireless client.

To assess the Fault Management configuration:

1 Select Diagnostics > Fault Management.

The Filter Events screen displays by default. Use this screen to configure how events are tracked. By default, all events are enabled, and an administrator has to turn off events that do not require tracking.

Figure 13-1 Fault Management Filter Events screen

Use the Filter Events screen to create filters for managing detected events. Events can be filtered based on severity, module received, source MAC, device MAC and client MAC address.
2 Define the following Customize Event Filters parameters for the Fault Management configuration:

Severity: Set the filtering severity. Select from the following:
    All Severities - All events are displayed, irrespective of their severity
    Critical - Only critical events are displayed
    Error - Only errors and above are displayed
    Warning - Only warnings and above are displayed
    Informational - Only informational and above events are displayed
Module: Select the module from which events are tracked. When a module is selected, events from other modules are not tracked. Remember this when interested in events generated by a particular module. Individual modules can be selected (such as TEST, LOG, FSM etc.) or all modules can be tracked by selecting All Modules.
Source: Set the MAC address of the source device to be tracked. Setting a MAC address of 00:00:00:00:00:00 allows all devices to be tracked.
Message Substring: Optionally append a text message (substring) to the event filter to assist the administrator in distinguishing this filter from others with similar attributes.

NOTE: Leave the fields to a default value of 00:00:00:00:00:00 to track all MAC addresses.

3 Select the Add to Active Filters button to create a new filter and add it to the Active Event Filters table. When added, the filter uses the current configuration defined in the Customize Event Filters field.
4 Refer to the Active Event Filters table to set the following parameters for the Fault Management configuration:
    a. To activate all the events in the Active Events Filters table, select the Enable All Events button. To stop event generation, select Disable All Events.
    b. To enable an event in the Active Event Filters table, click the event to select it. Then, select the Activate Defined Filter(s) button.

NOTE: Filters cannot be persisted across sessions. They have to be created every time a new session is established.

5 Select View Events from the upper, left-hand side of the Diagnostics > Fault Management menu.
Figure 13-2 Fault Management View Events screen

Use the View Events screen to track and troubleshoot events using the source and severity levels defined in the Configure events screen.

6 Define the following Customize Event Filters parameters for the Fault Management configuration:

Timestamp: Displays the Timestamp (time zone specific) when the fault occurred.
Module: Displays the module used to track the event. Events detected by other modules are not tracked.
Message: Displays error or status messages for each event listed.
Severity: Displays the severity of the event as defined for tracking from the Configuration screen. Severity options include:
    All Severities - All events are displayed irrespective of their severity
    Critical - Only critical events are displayed
    Error - Only errors and above are displayed
    Warning - Only warnings and above are displayed
    Info - Only informational and above events are displayed
Source: Displays the MAC address of the tracked source device.
Hostname: Lists the administrator assigned hostname of the tracked source device.

7 Select Clear All to clear events and begin new event data gathering.
8 Select Event History from the upper, left-hand side of the Diagnostics > Fault Management menu.
Figure 13-3 Fault Management Event History screen

The Event History screen displays events for controllers, service platforms and Access Points. The Controller(s) tab displays by default. Information on this tab can be filtered by controllers and service platforms, then further by an RF Domain. Similarly, the Access Point(s) tab displays information for each RF Domain on the Access Point and this information can be further filtered on the devices adopted by this Access Point.

9 Within the Controller(s) tab, select the controller from the Select a Controller field to filter events to display. To filter messages further, select an RF Domain from the Filter by RF Domain field.
10 Within the Access Point(s) tab, select the RF Domain from the Select a RF Domain field to filter events to display. To filter messages further, select a device from the Filter by Device field.
11 Select Fetch Historical Events from the lower, right-hand side of the UI to populate the table with either device or RF Domain events. The following event data is fetched and displayed:

Timestamp: Displays the Timestamp (time zone specific) when the fault occurred.
Module: Displays the module used to track the event. Events detected by other modules are not tracked.
Message: Displays error or status messages for each event listed.
Severity: Displays the severity of the event as defined for tracking from the Configuration screen. Severity options include:
    All Severities - All events are displayed irrespective of their severity
    Critical - Only critical events are displayed
    Error - Only errors and above are displayed
    Warning - Only warnings and above are displayed
    Info - Only informational and above events are displayed
Source: Displays the MAC address of the source device tracked by the selected module.
Hostname: Lists the administrator assigned hostname of the source device tracked by the selected module.

12 Select Clear All to clear events and begin new event data gathering.

13.2 Crash Files

Use the Crash Files screen to review files created when a controller or service platform encounters a critical error or malfunction. Use crash files to troubleshoot issues specific to the device on which a crash event was generated. These are issues impacting the core (distribution layer). Once reviewed, files can be deleted or transferred for archive. Crash files can be sent to a support team to expedite issues with the reporting device.

1 Select Diagnostics > Crash Files to display the crash file information.
Once a target device has been selected, its crash file information displays in the viewer on the right.

Figure 13-4 Crash Files information

2 Refer to the following crash file information for the selected device.

RF Domain: Displays the RF Domain membership of the source device tracked by the selected module.
File Name: Displays the name of the file generated when a crash event occurred. This is the file available for copy to an external location for archive and remote administration.
Size: Lists the size of the crash file, as this information is often needed when copying files to an external location.
Last Modified: Displays the timestamp (time zone specific) when the most recent update to the file occurred.
Actions: Displays the action taken in direct response to the detected crash event.

3 Select Copy to copy a selected crash file to an external location. Select Delete to remove a selected crash file.

13.3 Advanced Diagnostics

Refer to Advanced UI Diagnostics to review and troubleshoot any potential issue with the resident User Interface (UI). The UI Diagnostics screen provides diagnostic tools to identify and correct issues with the UI. Diagnostics can also be performed at the device level for the Access Point radios and connected clients.

13.3.1 UI Debugging

Use the UI Debugging screen to view debugging information for a selected device.

To review device debugging information:

1 Select Diagnostics > Advanced > UI Debugging to display the UI Debugging menu options.
The UI debugging information displays within the NETCONF Viewer by default.

Figure 13-5 UI Debugging screen - NETCONF Viewer

2 Use the NETCONF Viewer to review NETCONF information. NETCONF is a proprietary tag-based configuration protocol for devices. Messages are exchanged using XML tags.
3 The Real Time NETCONF Messages area lists an XML representation of any message generated by the system. The main display area of the screen is updated in real time.
4 Refer to the Request Response and Time Taken fields on the bottom of the screen to assess the time to receive and respond to requests. The time is displayed in microseconds.
5 Use the Clear button to clear the contents of the Real Time NETCONF Messages area. Use the Find parameter and the Next button to search for message variables in the Real Time NETCONF Messages area.

13.3.2 Viewing UI Logs

Use the UI logs to periodically assess user interface (UI) events by type, category and severity to determine whether any administrative corrective actions are warranted.

To view UI log information:

1 Select Diagnostics > Advanced > View UI Logs to display the Flex Logs and Error Logs screens. The Flex Logs screen displays by default, but both tabs list the same information for either UI logs or UI error logs respectively.

Figure 13-6 View UI Logs screen - Flex Logs tab

2 Refer to the following UI event or error log parameters:

Sequence: Displays a numeric sequence value for the generation of the listed UI events. If changing the data display from a sequential display, these numbers can be used to assess the chronology of the UI event generation.
Date/Time: Lists the date and time when each listed UI log event occurred. Use this information to assess whether time was a factor in the generation of one or more events and whether their timestamp increases their significance.
Type: Displays each listed log entry’s event or error type. Some events are DEBUG while others are INFO. Categorize collectively as specific events warrant additional administration.
Category: Lists each event or error’s system defined category as a means of further filtering specific events or system collected error logs. This is helpful when assessing whether specific events or errors impact multiple UI functions.
Message: Displays the system generated message for the functions impacted by each listed UI or error. Use this data in combination with the date, type and category to assess whether specific messages are related and their significance worthy of immediate administration.

3 Select Clear All to remove all the log or error entries from the screen and begin a new data collection.

13.3.3 Viewing UI Sessions

Refer to the View Sessions screen to assess specific user interface sessions by individual users.

To view UI session information:

1 Select Diagnostics > Advanced > View Sessions.

Figure 13-7 View Sessions Screen

2 Refer to the following UI session data to assess its significance:

Cookie: Displays a numeric session cookie which identifies the session corresponding to it. This information can be used to further filter specific user sessions to the network route used.
From: Lists the numeric IP address used by each listed user as their network identifier into the WiNG user interface.
Role: Displays each user’s defined administrative role. Each role has different access and administrative privileges.
Start Time: Lists the time each listed user began their WiNG interface UI session. Does this start time correspond to a known UI event or error condition?
User: Displays each user’s SNMP administrative access protocol and their session permissions.

3 Select a specific user session and Delete to remove the selected session from those listed for administration.

14 Operations

The functions within the controller or service platform’s Operations menu allow firmware and configuration files management and certificate generation for managed devices. In a clustered environment, these operations can be performed on one controller or service platform, then propagated to each member of the cluster and onwards to the devices managed by each cluster member.

A certificate links identity information with a public key enclosed in the certificate. Device certificates can be imported and exported to and from the controller or service platform to a secure remote location for archive and retrieval as they are required for application to other managed devices.

Self Monitoring At Run Time RF Management (Smart RF) is an innovation designed to simplify RF configurations for new deployments, while (over time) providing on-going deployment optimization and radio performance improvements. The Smart RF functionality scans the managed network to determine the best channel and transmit power for each managed Access Point radio. Smart RF policies can be applied to specific RF Domains, to add site specific deployment configurations and self recovery values to groups of devices within pre-defined physical RF coverage areas.

For more information, refer to the following:
• Device Operations
• Certificates
• Smart RF

14.1 Device Operations

Updated device firmware and configuration files are periodically released to the Support Web site. If an Access Point’s (or its associated device’s) firmware is older than the version on the Web site, update to the latest firmware version for full feature functionality and optimal controller or service platform utilization. Additionally, selected devices can either have a primary or secondary firmware image applied or fall back to a selected firmware image if an error occurs in the update process.

For more information, refer to the following:
• Operations Summary
• Adopted Device Upgrades
• Using the File Management Browser
• Restarting Adopted Devices
• Captive Portal Configuration
• Crypto CMP Certificate
• RAID Operations
• Re-elect Controller

14.1.1 Operations Summary

The Summary screen displays by default when Operations is selected from the controller or service platform’s main menu bar.
The Summary screen displays firmware information for a specific device selected from either the RF Domain or Network tabs on the left-hand side of the screen.

Figure 14-1 Device Details screen

NOTE: When displaying the Summary screen at the RF Domain level of the UI’s hierarchal tree, the screen does not display a field for a device’s Primary and Secondary firmware image. At the RF Domain level, the Summary screen just lists the Hostname, MAC Address, Online status, Device Type and Is Controller designations for the devices comprising the selected RF Domain. A RF Domain must be selected from the hierarchal tree and expanded to list the devices comprising the RF Domain. From there, individual controllers, service platforms and Access Points can be selected and their properties modified.

1 Refer to the following to determine whether a firmware image needs to be updated for the selected device, or a device requires a restart or revert to factory default settings.

Version: Displays the primary and secondary firmware image version from the wireless controller.
Build Date: Displays the date the primary and secondary firmware image was built for the selected device.
Install Date: Displays the date the firmware was installed for the selected device.
Fallback: Lists whether fallback is currently enabled for the selected device. When enabled, the device reverts back to the last successfully installed firmware image if something were to happen in its next firmware upgrade that would render the device inoperable.
Current Boot: Lists the firmware image for the device on the current boot.
Upgrade Status: Displays the status of the last firmware upgrade performed for each listed device managed by this controller or service platform.
Firmware Upgrade: Select this option to display the firmware upgrade window for the selected device. Select the Apply button to perform the function.
Reload: Select this option to restart the selected device. Selecting this option restarts the target device using the specified options in the settings window. Restarting a device resets all data collection values to zero. Select the Reload button to perform the function.

2 Refer to the device table for basic information for known device types. The device table displays the Device Type, Controller status, Online, Offline and Total device counts.

14.1.1.1 Upgrading Device Firmware

Controllers and service platforms can conduct firmware updates on behalf of their managed devices.

To update the firmware of a managed device:

1 Select a device from the browser.
2 Select the Firmware Upgrade button.

Figure 14-2 Firmware Update screen

3 By default, the Firmware Upgrade screen displays the server parameters for the target device firmware file.
4 Provide the following information to accurately define the location of the target device firmware file:

Protocol: Select the protocol used for updating the device firmware. Available options include:
  tftp
  ftp
  sftp
  http
  cf
  usb1-4
Port: Use the spinner control or manually enter the value to define the port used by the protocol for firmware updates. This option is not valid for cf or usb1-4.
Host: Provide the hostname or numeric IPv4 or IPv6 formatted address of the server used to update the firmware. This option is not valid for cf and usb1-4. A hostname cannot contain an underscore.
User Name: Define the user name used to access either a FTP or SFTP server.
Password: Specify the password for the user account to access a FTP or a SFTP server.
Path/File: Specify the path to the firmware file. Enter the complete relative path to the file on the server.

5 Select Apply to start the firmware update. Select Abort to terminate the firmware update. Select Close to close the upgrade popup. The upgrade continues in the background.

14.1.2 Adopted Device Upgrades

An administrator can designate controllers, service platforms or Access Points as RF Domain managers capable of receiving firmware files from the NOC (NX7500 or NX9000 series service platforms) then provisioning other devices within their same RF Domain. Controllers, service platforms and Access Points can now all update the firmware of different device models within their RF Domain. However, firmware updates cannot be made simultaneously to devices in different site deployments.

To administer a device upgrade and review upgrade status and history:

1 Select Operations.
2 Ensure Devices is selected from the Operations menu on the top, left-hand side of the screen.
3 Expand the System node on the left-hand side of the screen, select a RF Domain and one of its member devices.
4 Select the Adopted Device Upgrade tab. The screen displays with the Device Upgrade List selected by default.

Figure 14-3 Device Upgrade List screen

5 Select a controller, service platform or Access Point model from the Device Type List drop-down menu. This is the device model intended to provision firmware to the devices selected within the All Devices table below.
6 Use the Scheduled Upgrade Time option to set when the upgrade occurs. To perform an upgrade immediately, select Now. To schedule the upgrade to take place at a specified time, enter a date and time in the appropriate fields.
7 Refer to the Scheduled Reboot Time option to schedule when an updated device is rebooted to implement the updated firmware. To reboot immediately, select Now. To schedule the reboot to take place at a future time to keep the device in service, enter a date and time in the appropriate fields. Use the No Reboot option to keep from rebooting after an upgrade. Select Staggered Reboot to avoid upgrading devices simultaneously and risking bringing down the network. When selected, devices are rebooted incrementally to preserve network availability. Select Force Upgrade to initiate an Access Point firmware upgrade and reboot at the present time.

NOTE: If selecting the Device Upgrade screen from the RF Domain level of the UI’s hierarchal tree, there’s an additional Upgrade from Controller option to the right of the Device Type List. Select this option to provision selected device models within the same RF Domain from this RF Domain manager. If expanding a RF Domain and selecting a member device, the upgrade tab is entitled Adopted Device Upgrade, as an upgrade is made from an elected RF Domain Manager device. There’s also an additional Device Image File screen to select the device image type and set the transfer protocol.

NOTE: The Scheduled Upgrade Time and Scheduled Reboot Time are your local system’s time. They’re not the Access Point, controller, service platform or VX time and are not synched with the device.

Use the All Devices table to select controller, service platform and Access Point models for firmware updates from the device model selected from the Device Type List. Refer to the MAC Address and Device Type values to help determine the specific models available for upgrade within the RF domain. Use the Version and Upload Version values to assess each listed device’s current firmware as well as the firmware version available to a device upgrade.

8 Select Device Image File.

Figure 14-4 Device Image File screen

9 Select a controller, service platform or Access Point model from the Device Image Type drop-down menu. Selecting All makes each controller, service platform and Access Point model images available for updates on those specific models.
10 Select the Basic link to enter a URL pointing to the location of the controller, service platform or Access Point image files for the device update(s).
11 Selecting Advanced lists additional options for the device’s firmware image file location:

Protocol: Select the protocol for device firmware file management and transfer. Available options include:
  tftp
  ftp
  sftp
  http
  cf
Port: Designate the port for transferring the firmware files used in the upgrade operation. Enter the port number directly or use the spinner control.
Host: Specify a numerical IP address or textual Hostname of the resource used to transfer files to the devices designated for a firmware update. A hostname cannot contain an underscore.
Path / File: Define the path to the file on the file repository resource. Enter the complete relative path to the file.

12 Select the Load Image button to upload the device firmware in preparation of an upgrade.
The firmware image is loaded to the flash/upgrade directory (not the flash/cache directory). If the NOC pushes the image, then it is loaded to flash/cache/upgrade.
13 Select Upgrade Status to assess the administration, scheduling and progress of device firmware updates.

Figure 14-5 Upgrade Status screen

14 Refer to the Upgrade Status field to assess the completion of in-progress upgrades.

Number of devices currently being upgraded: Lists the number of firmware upgrades currently in-progress and downloading for selected devices. Once the device has the image it requires a reboot to implement the firmware image.
Number of devices currently being booted: Lists the number of devices currently booting after receiving an upgrade image. The reboot is required to implement the new image and renders the device offline during that period. Using the Device Upgrade List, reboots can be staggered or placed on hold to ensure the device remains in service.
Number of devices waiting in queue to be upgraded: Lists the number of devices waiting to receive a firmware image from their provisioning controller, service platform or Access Point. Each device can have its own upgrade time defined, so the upgrade queue could be staggered.
Number of devices waiting in queue to be upgraded: Lists the number of devices waiting to reboot before actively utilizing its upgraded image. The Device Upgrade List allows an administrator to disable or stagger a reboot time, so device reboots may not occur immediately after an upgrade. The reboot operation renders the device offline until completed so reboots can be scheduled for periods of reduced load.
Number of devices marked for cancellation: Lists the number of upgrades that have been manually cancelled during the upgrade operation.

15 Refer to the following status reported for each current or scheduled upgrade operation:

Device Type: Displays the model number of devices pending an upgrade. Each listed device is provisioned an image file unique to that model.
Hostname: Lists the factory encoded MAC address of a device either currently upgrading or in the queue of scheduled upgrades.
MAC Address: Lists the factory encoded MAC address of a device either currently upgrading or in the queue of scheduled upgrades.
Result: Lists the state of an upgrade operation (downloading, waiting for a reboot etc.).
Upgrade Time: Displays whether an upgrade is immediate or set by an administrator for a specific time. Staggering upgrades is helpful to ensure a sufficient number of devices remain in service at any given time while others are upgrading.
Reboot Time: Displays whether a reboot is immediate or set by an administrator for a specific time. Reboots render the device offline, so planning reboots carefully is central to ensuring a sufficient number of devices remain in service.
Progress: Lists the number of specific device types currently upgrading.
Retries: Displays the number of retries, if any, needed for an in-progress firmware upgrade operation.
Last Status: Lists the last reported upgrade and reboot status of each listed in progress or planned upgrade operation.
Upgraded By: Lists the model of the controller, service platform or Access Point RF Domain manager that’s provisioning an image to a listed device.

16 Optionally select Cancel (from the lower, right-hand corner of the screen) to cancel the upgrade of devices under the selected RF Domain. The Cancel button is enabled only if there are devices undergoing upgrade and they are selected for cancellation.
17 Select Upgrade History.

Figure 14-6 Upgrade History screen

18 Refer to the following Upgrade History status:

Hostname: Displays the administrator assigned Hostname for each listed controller, service platform or Access Point that’s received an update.
Device Type: Displays the controller, service platform or Access Point model upgraded by a firmware update operation.
MAC Address: Displays the device Media Access Control (MAC) or hardware address for a device that’s received an update.
Result: Displays the upgrade result for each listed device.
Time: Displays the time and date of the last status received from an upgraded device.
Retries: Displays the number of retries, if any, needed for the firmware upgrade operation.
Upgraded By: Displays the administrator credentials responsible for initiating each listed upgrade operation.
Last Status: Displays the last status update received for devices that have been upgraded.

19 Select the Clear History button to clear the current update information for each listed device and begin new data collections.

14.1.3 Using the File Management Browser

Controllers and service platforms maintain a File Browser allowing an administrator to review the files residing on a controller or service platform’s internal or external memory resource. Directories can be created and maintained for each File Browser location and folders and files can be moved and deleted as an administrator deems necessary.

To administer files for managed devices and memory resources:

1 Select Operations > Devices > File Management.

Figure 14-7 File Browser screen - flash

2 Refer to the following to determine whether a file needs to be deleted or included in a new folder for the selected internal (flash, system, nvram) or external (cf, USB1-4) memory resource. The following display for each available memory resource:

File Name: Displays the name of the file residing on the selected flash, system, nvram or usb1-4 location. The name cannot be modified from this location.
Size (Kb): Displays the size of the file in kb. Use this information to help determine whether the file should be moved or deleted in respect to available system memory.
Last Modified: Lists a timestamp for the last time each listed file was modified. Use this information to determine the file’s relevance or whether it should be deleted.
File Type: Displays the type for each file including binary, text or empty.

NOTE: The File Management tab is not available at the RF Domain level of the UI’s hierarchal tree. A RF Domain must be selected and expanded to display the RF Domain’s member devices. Once expanded, select a RF Domain member device to ensure the File Management UI option is available.

3 If needed, use the Create Folder utility to create a folder that serves as a directory for some or all of the files for a selected memory resource.
4 Select Transfer File to invoke a subscreen where the local or server file source and target (destination) are defined as well as the file transfer protocol and external destination location or resource. For more information, see Managing File Transfers.
5 Optionally, use the Delete Folder or Delete File buttons to remove a folder or file from within the controller, service platform or Access Point’s current memory resource.

14.1.3.1 Managing File Transfers

Controllers and service platforms can administer files on managed devices. Transfer files from a device to this controller, to a remote server or from a remote server to the controller. An administrator can transfer logs, configurations and crash dumps.

To administer files for managed devices:

1 Select Operations > Devices > File Management.
2 Select the Transfer File button.

Figure 14-8 File Transfers screen

3 Set the following file management source and target directions as well as the configuration parameters of the required file management activity:

Source: Select the source of the file transfer. Select Server to indicate the source of the file is a remote server. Select Local to indicate the source of the file is local to this controller or service platform.
File: If the source is Local, enter the name of the file to be transferred.
Protocol: Select the protocol for file management. Available options include:
  tftp
  ftp
  sftp
  http
  cf
  usb1-4
  This parameter is required only when Server is selected as the Source.
Port: Specify the port for transferring files. This option is not available for cf and usb1-4. Enter the port number directly or use the spinner control. This parameter is required only when Server is selected as the Source.
Host: If needed, specify a hostname or numeric IP address of the server transferring the file. This option is not valid for cf and usb1-4. If a hostname is provided, an IP Address is not needed. A hostname cannot contain an underscore. This field is only available when Server is selected in the From field.
User Name: Provide a user name to access a FTP or a SFTP server. This parameter is required only when Server is selected as the Source, and the selected protocol is ftp or sftp.
Password: Provide a password to access the FTP or SFTP server. This parameter is required only when Server is selected as the Source, and the selected protocol is ftp or sftp.
Path / File: Define the path to the file on the server. Enter the complete relative path to the file. This parameter is required only when Server is selected as the Source.
Target: Select the target destination to transfer the file. Select Server if the destination is a remote server, then provide a URL to the location of the server resource or select Advanced and provide the same network address information described above. Select Local if the destination is this controller or service platform.

4 Select Copy to begin the file transfer. Selecting Reset reverts the screen to its last saved configuration.
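
The field rules from the File Transfers table (valid protocols, when Port, Host, User Name and Password apply, and the underscore restriction on hostnames) can be checked before a transfer is submitted. The following is an added example, not code from Extreme Networks or the WiNG software; the names TransferSettings, Report and check_transfer, the rule that a host must be present for network protocols, and the warnings about unencrypted protocols are assumptions made here.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Protocol options listed in the File Transfers table ("usb1-4" read as usb1..usb4).
NETWORK_PROTOCOLS = ("tftp", "ftp", "sftp", "http")
LOCAL_MEDIA = ("cf", "usb1", "usb2", "usb3", "usb4")
NEEDS_CREDENTIALS = ("ftp", "sftp")

# General protocol properties, not statements from the manual.
UNENCRYPTED = {
    "tftp": "TFTP has no authentication and no encryption",
    "ftp": "FTP sends the user name and password unencrypted",
    "http": "HTTP transfers the file without encryption",
}


@dataclass
class TransferSettings:  # hypothetical container for the screen's fields
    protocol: str
    path: str
    host: Optional[str] = None
    port: Optional[int] = None
    user: Optional[str] = None
    password: Optional[str] = None


@dataclass
class Report:
    errors: List[str] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)


def _is_ip_address(host: str) -> bool:
    """True for a numeric IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_transfer(s: TransferSettings) -> Report:
    """Apply the table's field rules and flag unencrypted transports."""
    report = Report()
    proto = s.protocol.strip().lower()
    if proto not in NETWORK_PROTOCOLS + LOCAL_MEDIA:
        report.errors.append(f"unknown protocol {s.protocol!r}")
        return report
    if not s.path.strip():
        report.errors.append("path/file is empty")

    if proto in LOCAL_MEDIA:
        # Host and Port are not valid for cf and usb1-4.
        if s.host:
            report.errors.append(f"host is not valid for {proto}")
        if s.port is not None:
            report.errors.append(f"port is not valid for {proto}")
        return report

    if not s.host:
        # Assumption: a server-based transfer needs a host to reach.
        report.errors.append(f"host is required for {proto}")
    elif not _is_ip_address(s.host) and "_" in s.host:
        report.errors.append("hostname cannot contain an underscore")
    if s.port is not None and not 1 <= s.port <= 65535:
        report.errors.append(f"port {s.port} is outside 1-65535")

    if proto in NEEDS_CREDENTIALS:
        if not s.user:
            report.errors.append(f"user name is required for {proto}")
        if not s.password:
            report.errors.append(f"password is required for {proto}")
    elif s.user or s.password:
        report.warnings.append(f"credentials are not used by {proto}")

    if proto in UNENCRYPTED:
        report.warnings.append(
            f"{UNENCRYPTED[proto]}; prefer sftp or verify the file after transfer")
    return report


if __name__ == "__main__":
    # Constructed sample settings, not taken from any real deployment.
    samples = [
        TransferSettings("sftp", "images/ap.img", "fw-repo.example.net", 22, "wing", "secret"),
        TransferSettings("ftp", "images/ap.img", "fw_repo.example.net", 21),
        TransferSettings("usb1", "ap.img", "192.0.2.10", 69),
    ]
    for sample in samples:
        result = check_transfer(sample)
        print(sample.protocol, result.errors, result.warnings)
```
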

14.1.4 Restarting Adopted Devices

Adopted devices may periodically require restarting to implement firmware updates or other maintenance activities.

To restart controller or service platform adopted Access Points:

1 Select Operations > Devices > Adopted Device Restart.

Figure 14-9 Adopted Device Restart screen

NOTE: The Adopted Device Restart tab is not available at the RF Domain level of the UI’s hierarchal tree. A RF Domain must be selected and expanded to display the RF Domain’s member devices. Once expanded, select a RF Domain member device to ensure the Adopted Device Restart option is available.

2 The Adopted AP Restart table displays the following information for each Adopted AP:

Hostname: Displays the specified Hostname for each known Access Point.
MAC Address: Displays the primary Media Access Control (MAC) or hardware address for each known Access Point.
Type: Displays the Access Point model number for each adopted Access Point.
Version: Displays the current firmware version for each adopted Access Point.
Reason: Lists the administrator defined reason an adopted device has been queued for a restart.

3 To restart an Access Point (or Access Points), select the checkbox to the left of each Access Point to restart and configure the following options:

Force Reload: To force a reload of an Access Point or Access Points, select the Force Reload checkbox next to each AP.
Delay (Seconds): Specify the amount of time, in seconds, before the Access Point restart should be executed. Delaying the restart may allow a selected Access Point to complete its current duty cycle.
Message: Displays any messages associated with each adopted Access Point.
Reload Status: Click the Reload Status button next to each adopted Access Point to display their current status information.

14.1.5 Captive Portal Configuration

A captive portal is an access policy that provides temporary and restrictive access to the controller or service platform managed wireless network.

A captive portal policy provides secure authenticated access using a standard Web browser. Captive portals provide authenticated access by capturing and re-directing a wireless user's Web browser session to a captive portal login page where the user must enter valid credentials to access the wireless network. Once logged into the captive portal, additional Terms and Agreement, Welcome, Fail and No Service pages provide the administrator with a number of options on screen flow and appearance.

Captive portal authentication is used primarily for guest or visitor access to the network, but is increasingly used to provide authenticated access to private network resources when 802.1X EAP is not a viable option. Captive portal authentication does not provide end-user data encryption, but it can be used with static WEP, WPA-PSK or WPA2-PSK encryption.

The Captive Portal Pages enable the management of the client access request pages and their transfer to the controller or service platform managed wireless network.

To manage captive portal pages:

1 Select Operations > Devices > Captive Portal Pages. The AP Upload List displays by default.

Use the AP Upload List to provide connected Access Points with specific captive portal configurations so they can successfully provision login, welcome and condition pages to requesting clients attempting to access the wireless network using a captive portal.

Figure 14-10 Captive Portal Pages - AP Upload List screen

2 Use the Captive Portal List drop-down menu to select an existing captive portal configuration to upload to an Access Point and display to requesting client devices as they log in and adhere to the terms set for access.
3 Use Scheduled Upload Time to set the time of the captive portal page upload. Select Now to immediately start. Use the date, hour and minute spinner controls to set a future date and time for the upload.
The All Devices table lists the hostname and MAC address of devices adopted by this Access Point.
4 At the device level, use the arrow buttons (>> > < <<) to move selected devices from the All Devices table to the Upload List table. The Upload List table displays the Access Points to which the captive portal pages are applied.
5 Select Upload from the lower right-hand side of the screen to upload the captive portal pages to the designated Access Points.
6 Select the CP Pages Image File tab.

NOTE: If selecting the Captive Portal Pages screen from the System and RF Domain levels of the UI’s hierarchal tree, there’s an additional Upload from Controller option to the right of the Captive Portal List drop-down menu. Select this option to upload existing captive portal pages from this device’s managing controller or service platform.

NOTE: The Scheduled Upload Time is your local system’s time. It’s not the Access Point, controller, service platform or VX time and it is not synched with the device.
Figure 14-11 Captive Portal Pages - CP Page Image File screen

7 Use the Captive Portal List drop-down menu to select an existing policy. This policy contains the image (or set of login and conditions pages) requesting clients will navigate and complete before being granted access to the network using the unique permissions of the captive portal.

8 Set the following protocols, ports and network address information for sending image files to captive portal provisioning Access Points:

Protocol: Define the protocol (transfer medium) used to forward the image files to the Access Points provisioning captive portal files to requesting clients. Available options include:
• tftp
• ftp
• sftp
• http
The protocol parameter is required only when Server is selected as the Source and the Advanced option is used.
Host: If needed, specify a Hostname of the server transferring the file. This option is not valid for cf, usb1, and usb2. If a hostname is provided, an IP Address is not needed. A hostname cannot contain an underscore. This field is only available when Server is selected in the From field.
Port: Specify the port for transferring files. Enter the port number directly or use the spinner control.
User Name: Provide a user name to access the FTP or SFTP server. This parameter is required only when the selected protocol is ftp or sftp.
Password: Provide a password to access the FTP or SFTP server. This parameter is required only when the selected protocol is ftp or sftp.
Path/File: Define the path to the file on the server. Enter the complete relative path to the file.

9 Select Load Image to upload the image file. Optionally, refer to the Load Image Status field to review the status of the current upload.

10 Select the Status tab.

Figure 14-12 Captive Portal Pages - Status screen

11 Refer to the Status tab to review the progress of Captive Portal Pages upload.

Hostname: Displays the hostname of the recipient device to which the captive portal files are directed.
MAC: Displays the factory encoded MAC address of the recipient device.
State: Displays the target device’s current operational state within the controller or service platform managed network.
Progress: Displays the completion progress of each captive portal upload operation.
Retries: Lists the number of retries needed to upload the captive portal files to each listed device.
Last Status: Displays the last known status of the captive portal page uploaded to each listed device.

12 Select Clear History to clear the history displayed in the Status tab and begin new data collections.
14.1.6 Crypto CMP Certificate

Certificate Management Protocol (CMP) is an Internet protocol to obtain and manage digital certificates in a Public Key Infrastructure (PKI) network. A Certificate Authority (CA) issues the certificates using the defined CMP.

Using CMP, a device can communicate to a CMP supported CA server, initiate a certificate request and download the required certificates from the CA server. CMP supports multiple request options for a device communicating with a CMP supported CA server. The device can initiate a request for getting the certificates from the server. It can also auto update the certificates which are about to expire.

The CMP client on the controller, service platform or Access Point triggers a request for the configured CMS CA server. Once the certificate is validated and confirmed from the CA server it is saved on the device and becomes part of the trustpoint. During the creation of the CMP policy the trustpoint is assigned a name and client information. An administrator can use a manually created trustpoint for one service (like HTTPS) and use the CMP generated trustpoint for RADIUS EAP certificate based authentication.

To assess existing certificates and, if necessary, renew a certificate:

1 Select Operations > Devices > Crypto CMP Certificate. This option is selectable at the controller level.

Figure 14-13 Crypto CMP Certificate screen

2 Review the following Crypto CMP certificate information to assess whether a certificate requires renewal:

Hostname: Lists the administrator assigned hostname of the CMP resource requesting a certificate renewal from the CMP CA server.
MAC Address: Lists the hardware encoded MAC address of the CMP server resource.
Trust Point Name: Lists the 32 character maximum name assigned to the target trustpoint. A trustpoint represents a CA/identity pair containing the identity of the CA, CA specific configuration parameters, and an association with an enrolled identity certificate.
Trust Point Valid Until: The expiration of the CMP certificate is checked once a day. When a certificate is about to expire a certificate renewal can be initiated with the server via an existing IPsec tunnel. If the tunnel is not established, the CMP renewal request is not sent.

3 Select Trigger Certificate Renewal to begin updating the credentials of the certificate. If a renewal succeeds, the newly obtained certificate overwrites an existing certificate. If the renewal fails, an error is logged.

4 Select Refresh to update the screen to the last saved configuration.

14.1.7 RAID Operations

An administrator can configure a NX7530 or a NX9000 series RAID supported service platform with respect to both its collective drive array as well as individual drive behavior and diagnostics. The service platform’s array alarm can be silenced, drive LEDs can be illuminated and stopped, drive consistency (integrity) checks can be made and the array can be prepared for drive replacements.

NOTE: RAID controller drive arrays are available within NX7530 and NX9000 series service platforms (NX9000, NX9500 and NX9510 models) only. However, they can be administrated on behalf of a profile by a different model service platform or controller.

NOTE: The RAID tab is not available at the RF Domain level of the UI’s hierarchal tree. A RF Domain must be selected and expanded to display the RF Domain’s member devices. Once expanded, select a RF Domain member NX7530, NX9000, NX9500 or NX9510 model device to ensure the RAID option is available.

To administrate the service platform’s drive array and its member drives:
1 Select Operations > Devices > RAID.

Figure 14-14 RAID screen

2 Conduct the following array diagnostic operations from within the RAID Manage Array field:

silence: Select silence to stop (silence) the service platform’s RAID controller array alarm. When a drive is rendered offline for any reason, the service platform’s array controller alarm is invoked.
locate-stop: Select locate-stop to stop the LEDs of all the drives within the array.
check-start: Select check-start to initiate a consistency check on the RAID array.

3 Conduct the following drive diagnostic operations from within the RAID Manage Drive field:

remove: Select remove to prepare a selected drive for physically removing it from the drive array. The remove command can be applied to either an online or hot spare drive.
install: Once a new drive is installed, it must be prepared for active array utilization. Select install to dedicate a selected drive to repair a degraded array and begin an array rebuild operation.
spare: Select spare to define a selected unused drive as a hot spare that can be dedicated as an active array drive if one of the two online array drives were to fail.
locate: Select locate to flash a selected drive’s LED so it can be easily located within the drive array.

4 Select Execute to initiate the selected command from either the RAID Manage Array or RAID Manage Drive fields.

To view the service platform’s current RAID array status, drive utilization and consistency check information, refer to RAID Statistics on page 15-114.
14.1.8 Re-elect Controller

Use the Controller Re-election screen to identify available Access Point resources within a selected RF Domain and optionally make some, or all, of the Access Points available to initiate tunnel connections.

NOTE: Take care when selecting Access Points for controller re-election, as client connections may be broken upon re-election. Ensure an elected Access Point's client load can be compensated by another Access Point in the same RF Domain.

To re-elect controller adoption resources for tunnel establishment:

1 Select Operations.

2 Ensure a RF Domain is selected from the Operations menu on the top, left-hand, side of the screen. Otherwise, the Re-elect Controller screen cannot be located, as it does not display at either the system or device levels of the hierarchal tree.

3 Select the Re-elect Controller tab.

NOTE: The Re-elect Controller tab is only available at the RF Domain level of the UI’s hierarchal tree and is not available for individual controllers, service platforms and Access Points.
Figure 14-15 Re-elect Controller screen

4 Refer to the Available APs column, and use the > button to move the selected Access Point into the list of Selected APs available for RF Domain Manager candidacy. Use the >> button to move all listed Access Points into the Selected APs table.

The re-election process can be achieved through the selection of an individual Access Point, or through the selection of several Access Points with a specific Tunnel Controller Name matching the selected Access Points.

5 Select Re-elect to designate the Selected AP(s) as resources capable of tunnel establishment.

14.2 Certificates

A certificate links identity information with a public key enclosed in the certificate.

A certificate authority (CA) is a network authority that issues and manages security credentials and public keys for message encryption. The CA signs all digital certificates it issues with its own private key. The corresponding public key is contained within the certificate and is called a CA certificate. A browser must contain this CA certificate in its Trusted Root Library so it can trust certificates signed by the CA's private key.

Depending on the public key infrastructure, the digital certificate includes the owner's public key, the certificate expiration date, the owner's name and other public key owner information.
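The relationship described above (a CA signs certificates with its private key, and a client holding the CA certificate can then validate them) can be reproduced with the OpenSSL command line. This is an added example, not part of this guide: it also reads back the owner's name, public key and expiration date, and it assumes the OpenSSL CLI is installed; the CA name, device name and lifetimes are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the guide): a CA signs a device certificate, and a
# client that trusts the CA certificate can then validate it.
# Every name and lifetime below is a constructed sample value.

# Write a minimal OpenSSL config so the result does not depend on system defaults.
write_cnf() {  # write_cnf <file> <common-name>
    cat > "$1" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[dn]
C  = US
O  = Example Corp
CN = $2
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
EOF
}

# Create a CA: RSA key plus a self-signed CA certificate (the trust anchor).
make_ca() {  # make_ca <dir> <name>
    write_cnf "$1/$2.cnf" "Constructed Test CA"
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null &&
    openssl req -new -x509 -config "$1/$2.cnf" -key "$1/$2.key" \
        -days 365 -out "$1/$2.crt" 2>/dev/null
}

# Issue a device certificate: device key -> CSR -> signed with the CA private key.
# The v3_ca section is only applied to self-signed output, so the CSR stays plain.
issue_cert() {  # issue_cert <dir> <ca-name> <device-name> <days>
    write_cnf "$1/$3.cnf" "ap01.example.com"
    openssl genrsa -out "$1/$3.key" 2048 2>/dev/null &&
    openssl req -new -config "$1/$3.cnf" -key "$1/$3.key" \
        -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
        -set_serial 4097 -days "$4" -out "$1/$3.crt" 2>/dev/null
}

# True when the certificate validates against the given CA certificate.
trusted_by() {  # trusted_by <ca.crt> <cert>
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# True when the certificate carries the public key derived from the private key.
cert_matches_key() {  # cert_matches_key <cert> <key>
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# True when the certificate expires within <days>, i.e. renewal is due.
# An unreadable certificate also counts as due, so the check fails towards renewal.
expires_within() {  # expires_within <cert> <days>
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Owner name and expiration date exactly as the certificate states them.
cert_summary() { openssl x509 -in "$1" -noout -subject -enddate; }

demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" ca && make_ca "$d" other && issue_cert "$d" ca dev 30 || return 1
    cert_summary "$d/dev.crt"
    trusted_by "$d/ca.crt" "$d/dev.crt"    && echo "trusted by the issuing CA"
    trusted_by "$d/other.crt" "$d/dev.crt" || echo "rejected by an unrelated CA"
    cert_matches_key "$d/dev.crt" "$d/dev.key" && echo "certificate matches device key"
    expires_within "$d/dev.crt" 60 && echo "expires within 60 days: renew"
    rm -rf "$d"
}
demo
```

The second CA deliberately uses the same subject name as the first, so the rejection comes from the signature check and not from a name mismatch.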
Each certificate is digitally signed by a trustpoint. The trustpoint signing the certificate can be a certificate authority, corporation or individual. A trustpoint represents a CA/identity pair containing the identity of the CA, CA-specific configuration parameters and an association with an enrolled identity certificate.

SSH keys are a pair of cryptographic keys used to authenticate users instead of, or in addition to, a username/password. One key is private and the other is public. Secure Shell (SSH) public key authentication can be used by a client to access managed resources, if properly configured. An RSA key pair must be generated on the client. The public portion of the key pair resides with the controller or service platform, while the private portion remains on a secure local area of the client.

For more information on the certification activities supported by the controller or service platform, refer to the following:
• Certificate Management
• RSA Key Management
• Certificate Creation
• Generating a Certificate Signing Request

14.2.1 Certificate Management

If not wanting to use an existing certificate or key with a selected device, an existing stored certificate can be leveraged from a different managed device for use with the target device. Device certificates can be imported and exported to and from the controller or service platform to a secure remote location for archive and retrieval as they are required for application to other managed devices.

To configure trustpoints for use with certificates:

1 Select Operations > Manage Certificates.

2 Select a device from amongst those displayed in either the RF Domain or Network panes on the left-hand side of the screen.
Figure 14-16 Manage Certificates screen

3 Select a device from amongst those displayed to review its certificate usage within the controller or service platform managed network.

4 Refer to the All Certificate Details to review the certificate’s properties, self-signed credentials, validity period and CA information.

5 To import a certificate to the controller or service platform, select the Import button from the bottom of the Manage Certificates screen.

An Import New Trustpoint screen displays where CA certificates, CRLs and signed certificates can optionally be imported to the controller or service platform once the network credentials of the file transfer have been defined.
Figure 14-17 Import New Trustpoint screen

6 To optionally import a CA certificate to the controller or service platform, select the Import CA button from the Import New Trustpoint screen.

A CA is a network authority that issues and manages security credentials and public keys for message encryption. The CA signs all digital certificates it issues with its own private key. The corresponding public key is contained within the certificate and is called a CA certificate.
Figure 14-18 Import New Trustpoint - Import CA screen

7 Define the following configuration parameters required for the Import CA of the CA certificate:

Trustpoint Name: Enter the 32 character maximum name assigned to the target trustpoint signing the certificate. A trustpoint represents a CA/identity pair containing the identity of the CA, CA specific configuration parameters, and an association with an enrolled identity certificate.
URL: Provide the complete URL to the location of the trustpoint. If needed, select Advanced to expand the dialog to display network address information to the location of the target trustpoint. The number of additional fields populating the screen is dependent on the selected protocol.
Advanced / Basic: Click the Advanced or Basic link to switch between a basic URL and an advanced location to specify trustpoint location.
Protocol: Select the protocol used for importing the target CA certificate. Available options include:
• tftp
• ftp
• sftp
• http
• cf
• usb1-4
Port: Use the spinner control to set the port. This option is not valid for cf and usb1-4.
Host: Provide the hostname or numeric IPv4 or IPv6 formatted IP address of the server used to export the trustpoint. IPv6 provides enhanced identification and location information for computers on networks routing traffic across the Internet. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons. Providing a host is not required for cf and usb1-4. A hostname cannot contain an underscore.
Path/File: Specify the path or filename of the CA certificate. Enter the complete relative path to the file on the server.
Cut and Paste: Select the Cut and Paste radio button to simply copy an existing trustpoint into the cut and paste field. When pasting, no additional network address information is required.

8 Select OK to import the defined CA certificate. Select Cancel to revert the screen to its last saved configuration.

9 Select the Import CRL button from the Import New Trustpoint screen to optionally import a CRL to the controller or service platform.

If a certificate displays within the Certificate Management screen with a CRL, that CRL can be imported into the controller or service platform. A certificate revocation list (CRL) is a list of certificates that have been revoked or are no longer valid. A certificate can be revoked if the CA had improperly issued a certificate, or if a private key is compromised. The most common reason for revocation is the user no longer being in sole possession of the private key.

For information on creating a CRL to use with a trustpoint, refer to Setting the Profile’s Certificate Revocation List (CRL) Configuration on page 8-166.

Figure 14-19 Import New Trustpoint - Import CRL screen
10 Define the following configuration parameters required for the Import of the CRL:

Trustpoint Name: Enter the 32 character maximum name assigned to the target trustpoint signing the certificate. A trustpoint represents a CA/identity pair containing the identity of the CA, CA-specific configuration parameters, and an association with an enrolled identity certificate.
From Network: Select the From Network radio button to provide network address information to the location of the target CRL. The number of additional fields that populate the screen is also dependent on the selected protocol. This is the default setting.
URL: Provide the complete URL to the location of the CRL. If needed, select Advanced to expand the dialog to display network address information to the location of the CRL. The number of additional fields that populate the screen is also dependent on the selected protocol.
Protocol: Select the protocol used for importing the CRL. Available options include:
• tftp
• ftp
• sftp
• http
• cf
• usb1-4
Port: Use the spinner control to set the port. This option is not valid for cf and usb1-4.
Host: Provide the hostname or numeric IPv4 or IPv6 formatted IP address of the server used to export the trustpoint. IPv6 provides enhanced identification and location information for computers on networks routing traffic across the Internet. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons. Providing a host is not required for cf and usb1-4. A hostname cannot contain an underscore.
Path/File: Specify the path to the CRL. Enter the complete relative path to the file on the server.
Cut and Paste: Select the Cut and Paste radio button to simply copy an existing CRL into the cut and paste field. When pasting a CRL, no additional network address information is required.

11 Select OK to import the CRL. Select Cancel to revert the screen to its last saved configuration.

12 To import a signed certificate to the controller or service platform, select Import Signed Cert from the Import New Trustpoint screen.

Signed certificates (or root certificates) avoid the use of public or private CAs. A self-signed certificate is an identity certificate signed by its own creator, thus the certificate creator also signs off on its legitimacy. The lack of mistakes or corruption in the issuance of self-signed certificates is central.

Self-signed certificates cannot be revoked, which may allow an attacker who has already gained access to monitor and inject data into a connection to spoof an identity if a private key has been compromised. However, CAs have the ability to revoke a compromised certificate, preventing its further use.
Figure 14-20 Import New Trustpoint - Import Signed Cert

13 Define the following parameters required for the Import of the Signed Certificate:

Trustpoint Name: Enter the 32 character maximum trustpoint name with which the certificate should be associated.
From Network: Select the From Network radio button to provide network address information to the location of the signed certificate. The number of additional fields that populate the screen is dependent on the selected protocol. From Network is the default setting.
URL: Provide the complete URL to the location of the signed certificate. If needed, select Advanced to expand the dialog to display network address information to the location of the signed certificate. The number of additional fields populating the screen is dependent on the selected protocol.
Protocol: Select the protocol for importing the signed certificate. Available options include:
• tftp
• ftp
• sftp
• http
• cf
• usb1-4
Port: Use the spinner control to set the port. This option is not valid for cf and usb1-4.
Host: Provide the hostname or numeric IPv4 or IPv6 formatted IP address of the server used to import the trustpoint. IPv6 provides enhanced identification and location information for computers on networks routing traffic across the Internet. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons. Providing a host is not required for cf and usb1-4. A hostname cannot contain an underscore.
Path/File: Specify the path to the signed certificate. Enter the complete relative path to the file on the server.
Cut and Paste: Select the Cut and Paste radio button to simply copy an existing signed certificate into the cut and paste field. When pasting a signed certificate, no additional network address information is required.

14 Select OK to import the signed certificate. Select Cancel to revert the screen to its last saved configuration.

15 To optionally export a trustpoint from the controller or service platform to a remote location, select the Export button from the Certificate Management screen.

Once a certificate has been generated on the controller or service platform’s authentication server, export the self signed certificate. A digital CA certificate is different from a self signed certificate. The CA certificate contains the public and private key pairs. The self certificate only contains a public key. Export the self certificate for publication on a Web server or file server for certificate deployment or export it into an Active Directory group policy for automatic root certificate deployment.

Figure 14-21 Certificate Management - Export Trustpoint screen

16 Define the following configuration parameters required for the Export of the trustpoint.

Trustpoint Name: Enter the 32 character maximum name assigned to the trustpoint. The trustpoint signing the certificate can be a certificate authority, corporation or individual.
URL: Provide the complete URL to the location of the trustpoint. If needed, select Advanced to expand the dialog to display network address information to the location of the trustpoint. The number of additional fields that populate the screen is dependent on the selected protocol.
Protocol: Select the protocol used for exporting the target trustpoint. Available options include:
• tftp
• ftp
• sftp
• http
• cf
• usb1-4
Port: Use the spinner control to set the port. This option is not valid for cf and usb1-4.
Host: Provide the hostname or numeric IPv4 or IPv6 formatted address of the server used to export the trustpoint. IPv6 provides enhanced identification and location information for computers on networks routing traffic across the Internet. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons. Providing a host is not required for cf and usb1-4. A hostname cannot contain an underscore.
Path/File: Specify the path to the trustpoint. Enter the complete relative path to the file on the server.

17 Select OK to export the defined trustpoint. Select Cancel to revert the screen to its last saved configuration.

18 To optionally delete a trustpoint, select the Delete button from within the Certificate Management screen. Provide the trustpoint name within the Delete Trustpoint screen and optionally select Delete RSA Key to remove the RSA key along with the trustpoint. Select OK to proceed with the deletion, or Cancel to revert to the Certificate Management screen.

14.2.2 RSA Key Management

Refer to the RSA Keys screen to review existing RSA key configurations applied to managed devices. If an existing key does not meet the needs of a pending certificate request, generate a new key or import/export an existing key to and from a remote location.

Rivest, Shamir, and Adleman (RSA) is an algorithm for public key cryptography. It’s an algorithm that can be used for certificate signing and encryption. When a device trustpoint is created, the RSA key is the private key used with the trustpoint.

To review existing device RSA key configurations, generate additional keys or import/export keys to and from remote locations:
1 Select the RSA Keys tab from the Certificate Management screen.

Figure 14-22 Certificate Management - RSA Keys screen

2 Select a listed device to review its current RSA key configuration.

Each key can have its size and character syntax displayed. Once reviewed, optionally generate a new RSA key, import a key from a selected device, export a key from the controller or service platform to a remote location or delete a key from a selected device.

3 Select Generate Key to create a new key with a defined size.
Figure 14-23 Certificate Management - Generate RSA Keys screen

4 Define the following configuration parameters required for the Import of the key:

Key Name: Enter the 32 character maximum name assigned to the RSA key.
Key Size: Set the size of the key as either 2048 (bits) or 4096 (bits). Leaving this value at the default setting of 2048 is recommended to ensure optimum functionality.

5 Select OK to generate the RSA key. Select Cancel to revert the screen to its last saved configuration.

6 To optionally import a CA certificate to the controller or service platform, select the Import button from the Certificate Management > RSA Keys screen.
Figure 14-24 Certificate Management - Import New RSA Key screen

7 Define the following parameters required for the Import of the RSA key:

Key Name: Enter the 32 character maximum name assigned to identify the RSA key.
Key Passphrase: Define the key used by both the controller or service platform and the server (or repository) of the RSA key. Select Show to expose the actual characters used in the passphrase. Leaving Show unselected displays the passphrase as a series of asterisks “*”.
URL: Provide the complete URL to the location of the RSA key. If needed, select Advanced to expand the dialog to display network address information to the location of the target key. The number of additional fields that populate the screen is dependent on the selected protocol.
Advanced / Basic: Select either the Advanced or Basic link to switch between a basic URL and an advanced location to specify key location.
Protocol: Select the protocol used for importing the target key. Available options include:
• tftp
• ftp
• sftp
• http
• cf
• usb1-4
Port: Use the spinner control to set the port. This option is not valid for cf and usb1-4.
Host: Provide the hostname or numeric IPv4 or IPv6 formatted address of the server used to import the RSA key. IPv6 provides enhanced identification and location information for computers on networks routing traffic across the Internet. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons. Providing a host is not required for cf and usb1-4. A hostname cannot contain an underscore.
Path/File: Specify the path to the RSA key. Enter the complete relative path to the key on the server.

8 Select OK to import the defined RSA key. Select Cancel to revert the screen to its last saved configuration.

9 To optionally export a RSA key from the controller or service platform to a remote location, select the Export button from the Certificate Management > RSA Keys screen.

Export the key to a redundant RADIUS server to import it without generating a second key. If there’s more than one RADIUS authentication server, export the certificate and don’t generate a second key unless you want to deploy two root certificates.

Figure 14-25 Certificate Management - Export RSA Key screen

10 Define the following configuration parameters required for the Export of the RSA key.

Key Name: Enter the 32 character maximum name assigned to the RSA key.
Key Passphrase: Define the key passphrase used by both the controller or service platform and the server. Select Show to expose the actual characters used in the passphrase. Leaving Show unselected displays the passphrase as a series of asterisks “*”.
URL: Provide the complete URL to the location of the key. If needed, select Advanced to expand the dialog to display network address information to the location of the target key. The number of additional fields that populate the screen is dependent on the selected protocol.
Protocol: Select the protocol used for exporting the RSA key. Available options include:
• tftp
• ftp
• sftp
• http
• cf
• usb1-4
Port: Use the spinner control to set the port. This option is not valid for cf and usb1-4.
Host: Provide the hostname or numeric IPv4 or IPv6 formatted address of the server used to export the RSA key. IPv6 provides enhanced identification and location information for computers on networks routing traffic across the Internet. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons. Providing a host is not required for cf and usb1-4. A hostname cannot contain an underscore.
Path/File: Specify the path to the key. Enter the complete relative path to the key on the server.

11 Select OK to export the defined RSA key. Select Cancel to revert the screen to its last saved configuration.

12 To optionally delete a key, select the Delete button from within the Certificate Management > RSA Keys screen. Provide the key name within the Delete RSA Key screen and select Delete Certificates to remove the certificate. Select OK to proceed with the deletion, or Cancel to revert to the Certificate Management screen.

14.2.3 Certificate Creation

The Create Certificate screen provides the facility for creating new self-signed certificates. Self-signed certificates (often referred to as root certificates) do not use public or private CAs. A self-signed certificate is a certificate signed by its own creator, with the certificate creator responsible for its legitimacy.

To create a self-signed certificate that can be applied to a managed device:
1 Select the Create Certificate tab on the Certificate Management screen.

Figure 14-26 Certificate Management - Create Certificate screen

2 Define the following configuration parameters required to Create New Self-Signed Certificate:

Certificate Name: Enter the 32 character maximum name assigned to identify the name of the trustpoint associated with the certificate. A trustpoint represents a CA/identity pair containing the identity of the CA, CA-specific configuration parameters, and an association with an enrolled identity certificate.
RSA Key: To create a new RSA key, select Create New to define a 32 character maximum name used to identify the RSA key. Set the size of the key (2048, 4096 bits). Leave this value at the default setting of 2048 to ensure optimum functionality. To use an existing key, select Use Existing and select a key from the drop-down menu.

3 Set the following Certificate Subject Name parameters required for the creation of the certificate:

Certificate Subject Name: Select either auto-generate to automatically create the certificate's subject credentials or user-configured to manually enter the credentials of the self signed certificate. The default setting is auto-generate.
Country (C): Define the Country used in the certificate. The field can be modified by the user to other values. This is a required field and must not exceed 2 characters.
State (ST): Enter a State/Prov. for the state or province name used in the certificate. This is a required field.
City (L): Enter a City to represent the city used in the certificate. This is a required field.
Organization (O): Define an Organization for the organization represented in the certificate. This is a required field.
Organizational Unit (OU): Enter an Org. Unit for the organization unit represented in the certificate. This is a required field.
Common Name (CN): If there’s a common name (IP address) for the organizational unit issuing the certificate, enter it here.

4 Select the following Additional Credentials required for the generation of the self signed certificate:

Email Address: Provide an Email Address used as the contact address for issues relating to this certificate request.
Domain Name: Enter a fully qualified domain name (FQDN). An FQDN is an unambiguous domain name that specifies the node's position in the DNS tree hierarchy absolutely. To distinguish an FQDN from a regular domain name, a trailing period is added. For example, somehost.example.com. An FQDN differs from a regular domain name by its absoluteness, since a suffix is not added.
IP Address: Specify the IP address used as the destination for certificate requests.

5 Select the Generate Certificate button at the bottom of the Create Certificate screen to produce the certificate.

14.2.4 Generating a Certificate Signing Request

A certificate signing request (CSR) is a message from a requestor to a certificate authority to apply for a digital identity certificate. The CSR is composed of a block of encrypted text generated on the server the certificate will be used on. It contains information included in the certificate, including organization name, common name (domain name), locality, and country.

An RSA key must be either created or applied to the certificate request before the certificate can be generated. A private key is not included in the CSR, but is used to digitally sign the completed request. The certificate created with a particular CSR only works with the private key generated with it. If the private key is lost, the certificate is no longer functional.

The CSR can be accompanied by other identity credentials required by the certificate authority, and the certificate authority maintains the right to contact the applicant for additional information.

If the request is successful, the CA sends an identity certificate digitally signed with the private key of the CA.

To create a CSR:

1 Select Operations > Certificates.
2 Select a device from amongst those displayed in either the RF Domain or Network panes on the left-hand side of the screen.
3 Select Create CSR.
Figure 14-27 Create CSR screen

4 Define the following configuration parameters required to Create New Certificate Signing Request (CSR):

RSA Key: To create a new RSA key, select Create New to define a 32 character maximum name used to identify the RSA key. Set a 2,048 bit key. To use an existing key, select Use Existing and select a key from the drop-down menu.

5 Set the following Certificate Subject Name parameters:

Certificate Subject Name: Select either the auto-generate radio button to automatically create the certificate's subject credentials or select user-configured to manually enter the credentials of the self signed certificate. The default setting is auto-generate.
Country (C): Define the Country used in the CSR. The field can be modified by the user to other values. This is a required field and must not exceed 2 characters.
State (ST): Enter a State/Prov. for the state or province name used in the CSR. This is a required field.
City (L): Enter a City to represent the city name used in the CSR. This is a required field.
Organization (O): Define an Organization for the organization used in the CSR. This is a required field.
Organizational Unit (OU): Enter an Org. Unit for the name of the organization unit used in the CSR. This is a required field.
Common Name (CN): If there’s a common name (IP address) for the organizational unit issuing the certificate, enter it here.

6 Select the following Additional Credentials required for the generation of the CSR:

Email Address: Provide an email address used as the contact address for issues relating to this CSR.
Domain Name: Enter a fully qualified domain name (FQDN). An FQDN is an unambiguous domain name that specifies the node's position in the DNS tree hierarchy absolutely. A trailing period is added to distinguish an FQDN from a regular domain name. For example, somehost.example.com. An FQDN differs from a regular domain name by its absoluteness, since a suffix is not added.
IP Address: Specify the IP address used as the controller or service platform destination for certificate requests.

7 Select the Generate CSR button at the bottom of the screen to produce the CSR.

14.3 Smart RF

Self Monitoring At Run Time RF Management (Smart RF) is an innovation designed to simplify RF configurations for new deployments, while (over time) providing on-going deployment optimization and radio performance improvements.

The Smart RF functionality scans the managed network to determine the best channel and transmit power for each wireless controller managed Access Point radio. Smart RF policies can be applied to specific RF Domains, to apply site specific deployment configurations and self recovery values to groups of devices within pre-defined physical RF coverage areas.

Smart RF also provides self recovery functions by monitoring the managed network in real-time and provides automatic mitigation from potentially problematic events such as radio interference, coverage holes and radio failures. Smart RF employs self recovery to enable a WLAN to better maintain wireless client performance and site coverage during dynamic RF environment changes, which typically require manual reconfiguration to resolve.

Smart RF is supported in standalone and clustered environments. In standalone environments, the individual controller or service platform manages the calibration and monitoring phases. In clustered environments, a single controller or service platform is elected a Smart Scan master and the remaining cluster members operate as Smart RF clients. In cluster operation, the Smart Scan master coordinates calibration and configuration and during the monitoring phase receives information from the Smart RF clients. Smart RF calibration can be triggered manually or continues at run-time, all the time.

Smart RF is supported on wireless controllers managing Access Points in either standalone or clustered environments. Within the Operations node, Smart RF is managed within selected RF Domains, using the Access Points that comprise the RF Domain and their respective radio and channel configurations as the basis to conduct Smart RF calibration operations.
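The CSR properties stated in section 14.2.4 (the private key is not included in the request, it signs the request, and the resulting certificate only works with that key) can be checked outside the Web UI with the OpenSSL command line. The script below is an added example, not part of the WiNG guide; it assumes the openssl CLI is installed, and the file names and subject values are constructed.

```shell
#!/bin/sh
# Added example (not from the WiNG guide). Assumes the OpenSSL CLI is installed.
# File names and subject values are constructed for illustration.

WORKDIR=$(mktemp -d)
KEY="$WORKDIR/device.key"   # private key: stays on the requesting host
CSR="$WORKDIR/device.csr"   # request: the only file handed to the CA

# Create a 2048-bit RSA key (the size the guide uses for CSRs) and a CSR whose
# subject carries the fields from the Create CSR screen (C, ST, L, O, OU, CN).
make_csr() {
    # umask in a subshell so the key file is created owner-readable only
    ( umask 077
      openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
          -out "$KEY" 2>/dev/null ) || return 1
    openssl req -new -key "$KEY" -out "$CSR" \
        -subj "/C=US/ST=ExampleState/L=ExampleCity/O=Example Org/OU=Wireless/CN=somehost.example.com" \
        2>/dev/null
}

# The CSR is signed with the private key. Verifying that self-signature shows
# the requester held the key matching the public key embedded in the CSR.
csr_signature_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK"
}

# Succeeds only if the public key inside CSR $1 is the public half of private
# key $2. A certificate issued from the CSR is usable only with that key.
csr_matches_key() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}

# Succeeds if the CSR file contains private key material (it never should).
csr_has_private_key() {
    grep -q "PRIVATE KEY" "$1"
}

# Print the RSA key size recorded in the CSR, e.g. 2048.
csr_key_bits() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Print the subject line; the CSR is readable without any key.
csr_subject() {
    openssl req -in "$1" -noout -subject 2>/dev/null
}

if make_csr && csr_signature_ok "$CSR" && csr_matches_key "$CSR" "$KEY"; then
    echo "CSR verified: $(csr_key_bits "$CSR")-bit key, $(csr_subject "$CSR")"
fi
```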
14.3.1 Managing Smart RF for an RF Domain

When calibration is initiated, Smart RF instructs adopted radios (within a selected RF Domain) to beacon on a specific legal channel, using a specific transmit power setting. Smart RF measures the signal strength of each beacon received from both managed and unmanaged neighboring APs to define a RF map of the neighboring radio coverage area. Smart RF uses this information to calculate each managed radio’s RF configuration as well as assign radio roles, channel and power.

Within a well planned RF Domain, any associated radio should be reachable by at least one other radio. The Smart RF feature records signals received from its neighbors. Access Point to Access Point distance is recorded in terms of signal attenuation. The information is used during channel assignment to minimize interference.

To conduct Smart RF calibration for an RF Domain:

1 Select Operations > Smart RF.
2 Expand the System mode in the upper, left-hand, side of the user interface to display the RF Domains available for Smart RF calibration.
3 Select a RF Domain from amongst those displayed. The Smart RF screen displays information specific to the devices within the selected RF Domain using data from the last interactive calibration.

Figure 14-28 Smart RF screen

4 Refer to the following to determine whether a Smart RF calibration or an interactive calibration is required:

Hostname: Displays the assigned Hostname for each member of the RF Domain.
AP MAC Address: Displays the hardware encoded MAC address assigned to each Access Point radio within the selected RF Domain. This value cannot be modified as part of a calibration activity.
Radio MAC Address: Displays the hardware encoded MAC address assigned to each Access Point radio within the selected RF Domain. This value cannot be modified as part of a calibration activity.
Radio Index: Displays a numerical index assigned to each listed Access Point radio when it was added to the managed network. This index helps distinguish this radio from others within this RF Domain with similar configurations. This value is not subject to change as a result of a calibration activity, but each listed radio index can be used in Smart RF calibration.
Old Channel: Lists the channel originally assigned to each listed Access Point MAC address within this RF Domain. This value may have been changed as part of an Interactive Calibration process applied to this RF Domain. Compare this Old Channel against the Channel value to the right of it (in the table) to determine whether a new channel assignment was warranted to compensate for a coverage hole.
Channel: Lists the current channel assignment for each listed Access Point, as potentially updated by an Interactive Calibration. Use this data to determine whether a channel assignment was modified as part of an Interactive Calibration. If a revision was made to the channel assignment, a coverage hole was detected on the channel as a result of a potentially failed or under performing Access Point radio within this RF Domain.
Old Power: Lists the transmit power assigned to each listed Access Point MAC address within this RF Domain. The power level may have been increased or decreased as part of an Interactive Calibration process applied to this RF Domain. Compare this Old Power level against the Power value to the right of it (in the table) to determine whether a new power level was warranted to compensate for a coverage hole.
Power: This column displays the transmit power level for the listed Access Point MAC address after an Interactive Calibration resulted in an adjustment. This is the new power level defined by Smart RF to compensate for a coverage hole.
Smart Sensor: Defines whether a listed Access Point is a smart sensor on behalf of the other Access Point radios comprising the RF Domain.
State: Displays the current state of the Smart RF managed Access Point radio. Possible states include: Normal, Offline and Sensor.
Type: Displays the radio type (802.11an, 802.11bgn etc.) of each listed Access Point radio within the selected RF Domain.

5 Select the Refresh button (as needed) to update the contents of the Smart RF screen and the attributes of the devices within the selected RF Domain.
6 Select the Clear Config button to remove a displayed Smart RF configuration.
7 Select the Clear History button to revert the statistics counters to zero to begin a new assessment.
15 Statistics

This chapter describes statistics displayed by the graphical user interface (GUI). Statistics are available for controllers or service platforms and their managed devices.

A Smart RF statistical history is available to assess adjustments made to device configurations to compensate for detected coverage holes or device failures.

Statistics display detailed information about controller or service platform peers, health, device inventories, wireless client associations, adopted AP information, rogue APs and WLANs.

Access Point statistics can be exclusively displayed to validate connected Access Points, their VLAN assignments and their current authentication and encryption schemes.

Wireless client statistics are available for an overview of client health. Wireless client statistics include RF quality, traffic utilization and user details. Use this information to assess if configuration changes are required to improve network performance.

Guest access statistics are also available for the periodic review of wireless clients requesting the required pass code, authentication and access into the WiNG managed guest network.

For more information, see:
• System Statistics
• RF Domain Statistics
• Controller Statistics
• Access Point Statistics
• Wireless Client Statistics
• Guest Access Statistics

15.1 System Statistics

The System screen displays information supporting managed devices or peer controllers. Use this information to assess the overall state of the devices comprising the system. Systems data is organized as follows:
• Health
• Inventory
• Adopted Devices
• Pending Adoptions
• Offline Devices
• Device Upgrade
• Licenses
• WIPS Summary

NOTE: NOC controllers (NX9000, NX9500, NX9510, NX7500, and RFS6000) can utilize an analytics developer interface as an additional tool available to administrators to review specific APIs in granular detail. For more information, see Analytics Developer Interface on page 15-332.
15.1.1 Health

The Health screen displays the overall performance of the controller or service platform managed network (system). This includes device availability, overall RF quality, resource utilization and network threat perception.

To display the health of the wireless controller managed network:

1 Select the Statistics menu from the Web UI.
2 Select the System node from the left navigation pane.
3 Select Health from the left-hand side of the UI.

Figure 15-1 System - Health screen

4 The Devices field displays the total number of devices in the controller or service platform managed network. The pie chart is a proportional view of how many devices are functional and currently online. Green indicates online devices and red offline devices detected within the controller or service platform managed network.
5 The Offline Devices table displays a list of detected devices in the network that are currently offline but available as potential managed resources. The table displays the number of offline devices within each impacted RF Domain. Assess whether the configuration of a particular RF Domain is contributing to an excessive number of offline devices.
6 The Traffic Utilization table displays the top 5 RF Domains with the most effective resource utilization. Utilization is dependent on the number of devices connected to the RF Domain.

Top 5: Displays the top 5 RF Domains in terms of usage index. Utilization index is a measure of how efficiently the domain is utilized. This value is defined as a percentage of current throughput relative to the maximum possible throughput. The values are:
• 0-20 – Very low utilization
• 20-40 – Low utilization
• 40-60 – Moderate utilization
• 60 and above – High utilization
RF Domain: Displays the name of the RF Domain.
Client Count: Displays the number of wireless clients associated with the RF Domain.

7 The Device Types table displays the kinds of devices detected within the system. Each device type displays the number currently online and offline.
8 Use the RF Quality table to isolate poorly performing radio devices within specific RF Domains. This information is a starting point to improving the overall quality of the wireless controller managed network.

The RF Quality area displays the RF Domain performance. Quality indices are:
• 0 – 50 (Poor)
• 50 – 75 (Medium)
• 75 – 100 (Good)

The RF Quality field displays the following:

Worst 5: Displays five RF Domains with the lowest quality indices in the wireless controller managed network. The value can be interpreted as:
• 0-50 – Poor quality
• 50-75 – Medium quality
• 75-100 – Good quality
RF Domain: Displays the name of the RF Domain wherein system statistics are polled for the poorly performing device.

9 The System Security table defines a Threat Level as an integer value indicating a potential threat to the system. It’s an average of the threat indices of all the RF Domains managed by the wireless controller.

Threat Level: Displays the threat perception value. This value can be interpreted as:
• 0-2 – Low threat level
• 3-4 – Moderate threat level
• 5 – High threat level
RF Domain: Displays the name of the target RF Domain for which the threat level is displayed.

10 Select Refresh at any time to update the statistics counters to their latest values.
15.1.2 Inventory

The Inventory screen displays information about the physical hardware managed within the system by its member controller or service platforms. Use this information to assess the overall performance of wireless controller managed devices.

To display the inventory statistics:

1 Select the Statistics menu from the Web UI.
2 Select the System node from the left navigation pane.
3 Select Inventory from the left-hand side of the UI.

Figure 15-2 System - Inventory screen

4 The Devices field displays an exploded pie chart depicting controller, service platform and Access Point device type distribution by model. The device on the left displays managing controller models. Select View Legends to assess connected Access Points. Use this information to assess whether these are the correct models for the original deployment objective.
5 The Radios table displays radios deployed within the wireless controller managed network. This area displays the total number of managed radios and top 5 RF Domains in terms of radio count. The Total Radios value is the total number of radios in this system.

Top Radio Count: Displays the radios index of each listed top radio.
RF Domain: Displays the name of the RF Domain the listed radios belong to. The RF Domain displays as a link that can be selected to display configuration and network address information in greater detail.
Last Update: Displays the UTC timestamp when each listed client was last seen on the network.

6 The Clients table displays the total number of wireless clients managed by the controller or service platform. This Top Client Count table lists the top 5 RF Domains, in terms of the number of wireless clients adopted:

Top Client Count: Displays the client index of each listed top performing client.
RF Domain: Displays the name of the client RF Domain.
Last Update: Displays the UTC timestamp when the client count was last reported.

7 Select Refresh to update the statistics counters to their latest values.

15.1.3 Adopted Devices

The Adopted Devices screen displays a list of devices adopted to the wireless controller managed network (entire system). Use this screen to view a list of devices and their current status.

To view adopted AP statistics:

1 Select the Statistics menu from the Web UI.
2 Select the System node from the left navigation pane.
3 Select Adopted Devices from the left-hand side of the UI.

Figure 15-3 System - Adopted Devices screen

The Adopted Devices screen provides the following:

Adopted Device: Displays administrator assigned hostname of the adopted device. Select the adopted device link to display configuration and network address information in greater detail.
Type: Displays the adopted Access Point’s model type.
RF Domain Name: Displays the domain the adopted AP has been assigned to. Select the RF Domain to display configuration and network address information in greater detail.
Model Number: Lists the model number of each AP that’s been adopted to the controller or service platform since this screen was last refreshed.
Config Status: Displays the configuration file version in use by each listed adopted device. Use this information to determine whether an upgrade would increase the functionality of the adopted device.
Config Errors: Lists any errors encountered when the listed device was adopted by the controller or service platform.
Adopter Hostname: Lists the administrator hostname assigned to the adopting controller or service platform.
Adoption Time: Displays a timestamp for each listed device that reflects when the device was adopted by the controller or service platform.
Startup Time: Provides a date stamp when the adopted device was restarted post adoption.
Refresh: Select Refresh to update the statistics counters to their latest values.

15.1.4 Pending Adoptions

The Pending Adoptions screen displays those devices detected within the controller or service platform coverage area, but that have yet to be adopted by the controller or service platform. Review these devices to assess whether they could provide radio coverage to wireless clients needing support.

To view pending AP adoptions to the controller or service platform:

1 Select the Statistics menu from the Web UI.
2 Select the System node from the left navigation pane.
3 Select Pending Adoptions from the left-hand side of the UI.

Figure 15-4 System - Pending Adoptions screen

The Pending Adoptions screen displays the following:

MAC Address: Displays the MAC address of the device pending adoption. Select the MAC address to view device configuration and network address information in greater detail.
Type: Displays the AP type.
IP Address: Displays the current IP Address of the device pending adoption.
VLAN: Displays the VLAN the device pending adoption will use as a virtual interface with its adopting controller or service platform.
Reason: Displays a status (reason) as to why the device is pending adoption.
Discovery Option: Displays the discovery option code for each AP listed pending adoption.
Last Seen: Displays the date and time stamp of the last time the device was seen. Click the arrow next to the date and time to toggle between standard time and UTC.
Add to Devices: Select a listed AP and select the Add to Devices button to begin the adoption process for this detected AP.
Refresh: Click the Refresh button to update the list of pending adoptions.

15.1.5 Offline Devices

The Offline Devices screen displays a list of devices in the controller or service platform managed network or RF Domain that are currently offline. Review the contents of this screen to help determine whether an offline status is still warranted.

To view offline devices potentially available for adoption by the controller or service platform:

1 Select the Statistics menu from the Web UI.
2 Select the System node from the left navigation pane.
3 Select Offline Devices from the left-hand side of the UI.

Figure 15-5 System - Offline Devices screen

The Offline Devices screen provides the following:

Hostname: Lists the administrator assigned hostname provided when the device was added to the controller or service platform managed network.
MAC Address: Displays the factory encoded MAC address of each listed offline device.
Type: Displays the offline Access Point’s model type.
RF Domain Name: Displays the name of the offline device’s RF Domain membership, if applicable. Select the RF Domain to display configuration and network address information in greater detail.
Reporter: Displays the hostname of the device reporting the listed device as offline. Select the reporting device name to display configuration and network address information in greater detail.
Area: Lists the administrator assigned deployment area where the offline device has been detected.
Floor: Lists the administrator assigned deployment floor where the offline device has been detected.
Connected To: Lists the offline device’s connected controller, service platform or peer model Access Point.
Last Update: Displays the date and time stamp of the last time the device was detected within the controller or service platform managed network. Click the arrow next to the date and time to toggle between standard time and UTC.
Refresh: Select Refresh to update the statistics counters to their latest values.
15.1.6 Device Upgrade

The Device Upgrade screen displays available licenses for devices within a cluster. It displays the total number of AP licenses.

To view license statistics within the controller or service platform managed network:

1 Select the Statistics menu from the Web UI.
2 Select the System node from the left navigation pane.
3 Select Device Upgrade from the left-hand side of the UI.

Figure 15-6 System - Device Upgrade screen

4 Select Device Upgrade from the left-hand side of the UI.

Upgraded By Device: Displays the MAC address of the controller, service platform or peer model Access Point that performed an upgrade.
Type: Displays the model type of the adopting controller, service platform or Access Point. An updating Access Point must be of the same model as the Access Point receiving the update.
Device Hostname: Lists the administrator assigned hostname of the device receiving an update.
History ID: Displays a unique timestamp for the upgrade event.
Last Update Status: Displays the initiation, completion or error status of each listed upgrade operation.
Time Last Upgraded: Lists the date and time of each upgrade operation.
Retries Count: Displays the number of retries required in an update operation.
State: Displays the done or failed state of an upgrade operation.
Clear History: Select Clear History to clear the screen of its current status and begin a new data collection.
Refresh: Select Refresh to update the screen’s statistics counters to their latest values.

15.1.7 Licenses

The Licenses statistics screen displays available licenses for devices within a cluster. It displays the total number of AP licenses. Native (local) and Guest license utilization can now be separately tracked as well.

To view license statistics within the controller or service platform managed network:

1 Select the Statistics menu from the Web UI.
2 Select the System node from the left navigation pane.
3 Select Licenses from the left-hand side of the UI.

Figure 15-7 System - Licenses screen

4 The Local Licenses table provides the following information:

Cluster/Hostname: Lists the administrator assigned cluster hostname whose license count and utilization is tallied in this Local Licenses table.

5 The Global Licenses table provides the following information:
6 The AP Licenses table provides the following information:
7 The Featured Licenses area provides the following information:

AP Licenses Installed: Lists the number of Access Point connections available to this controller or service platform under the terms of the current license.
Lent AP Licenses: Displays the number of Access Point licenses lent (from this controller or service platform) to a cluster member to compensate for an Access Point’s license deficiency.
Total AP Licenses: Displays the total number of Access Point connection licenses currently available to this controller or service platform.
AP License Usage: Lists the number of Access Point connections currently utilized by this controller or service platform out of the total available under the terms of the current license.
Remaining AP Licenses: Lists the remaining number of AP licenses available from the pooled license capabilities of all the members of the cluster.
AAP Licenses Installed: Lists the number of Adaptive Access Point connections available to this controller or service platform under the terms of the current license.
Lent AAP Licenses: Displays the number of Adaptive Access Point licenses lent (from this controller or service platform) to a cluster member to compensate for an Access Point license deficiency.
Total AAP Licenses: Displays the total number of Adaptive Access Point connection licenses currently available to this controller or service platform.
AAP Licenses Usage: Lists the number of Adaptive Access Point connections currently utilized by this controller or service platform out of the total available under the terms of the current license.
Remaining AAP Licenses: Lists the remaining number of AAP licenses available from the pooled license capabilities of all the members of the cluster.
Validity: Displays validity information for the license’s legal usage with the controller or service platform.
Cluster AP Adoption Licenses: Displays the current number of Access Point adoption licenses utilized by controller or service platform connected Access Points within a cluster.
Cluster Total AP Licenses: Displays the total number of Access Point adoption licenses available to controller or service platform connected Access Points within a cluster.
Cluster AAP Adoption Licenses: Displays the current number of Adaptive Access Point adoption licenses utilized by controller or service platform connected Access Points within a cluster.
Cluster Total AAP Licenses: Displays the total number of Adaptive Access Point adoption licenses available to controller or service platform connected Access Points within a cluster.
Cluster Maximum AP: Lists the maximum number of Access Points permitted in a cluster under the terms of the current license.
Hostname: Displays the administrator assigned hostname of the controller, service platform or Access Point that has potentially implemented an Advanced Security, WIPS or Analytics feature license.
Advanced Security: Displays whether the separately licensed Advanced Security application is installed for each hostname.
Hotspot Analytics: Displays whether a separately licensed Analytics application is installed for supported NX9500 and NX9510 service platforms.

8 Select the Details tab.

Refer to the Details screen to further assess the total number of cluster member licenses available, cluster memberships, current utilization versus total licenses available, borrowed licenses, remaining licenses and license validity.

9 Refer to the following license utilization data:

Cluster/Hostname: Lists the administrator assigned cluster hostname whose license count and utilization is listed and tallied for member controllers, service platforms or Access Points.
AP Licenses Installed: Lists the number of Access Point connections available to this controller or service or peer Access Point under the terms of the current license.
Borrowed AP Licenses: Displays the number of Access Point licenses temporarily borrowed from a cluster member to compensate for an AP license deficiency.
Total AP Licenses: Displays the total number of Access Point connection licenses currently available to clustered devices.
AP Licenses Usage: Lists the number of Access Point connections currently utilized out of the total available under the terms of current licenses.
Remaining AP Licenses: Lists the remaining number of AP licenses available from the pooled license capabilities of cluster members.
AAP Licenses Installed: Lists the number of Adaptive Access Point connections available under the terms of current licenses.
Borrowed AAP Licenses: Displays the number of Adaptive Access Point licenses temporarily borrowed from a cluster member to compensate for an AAP license deficiency.
Total AAP Licenses: Displays the total number of Adaptive Access Point connection licenses currently available to clustered devices.
AAP Licenses Usage: Lists the number of Adaptive Access Point connections currently utilized out of the total available under the terms of the current licenses.
Remaining AAP Licenses: Lists the remaining number of AAP licenses available from the pooled license capabilities of all the members of the cluster.
Validity: Displays validity information for the license’s legal usage by cluster member devices.
Refresh: Select Refresh to update the screen’s statistics counters to their latest values.

15.1.8 WIPS Summary

The Wireless Intrusion Protection System (WIPS) provides continuous protection against wireless threats and acts as an additional layer of security complementing wireless VPNs and existing encryption and authentication policies. Controllers and service platforms support WIPS through the use of dedicated sensor devices, designed to actively detect and locate unauthorized AP devices. After detection, they use mitigation techniques to block devices using manual termination, air lockdown or port suppression.

The WIPS Summary screen lists RF Domains residing in the system and reports the number of unauthorized and interfering devices contributing to the potential poor performance of the RF Domain’s network traffic. Additionally, the number of WIPS events reported by each RF Domain is also listed to help an administrator better mitigate risks to the network.

To review and assess the impact of rogue and interfering Access Points, as well as the occurrence of WIPS events within the controller or service platform’s managed system:

1 Select the Statistics menu from the Web UI.
2 Select the System node from the left navigation pane.
3 Select WIPS Summary from the left-hand side of the UI.

Figure 15-8 System - WIPS Summary screen

4 Refer to the following WIPS data reported for each RF Domain in the system:

RF Domain: Lists the RF Domain within the system reporting rogue and interfering Access Point event counts. Use this information to assess whether a particular RF Domain is reporting an excessive number of events or a large number of potentially invasive rogue Access Points versus the other RF Domains within the controller, service platform or Access Point managed system.
Number of Rogue APs: Displays the number of unsanctioned devices in each listed RF Domain. Unsanctioned devices are those devices detected within the listed RF Domain, but that have not been deployed by an administrator as a known and approved controller or service platform managed device.
Number of Interfering APs: Displays the number of devices exceeding the interference threshold in each listed RF Domain. Each RF Domain utilizes a WIPS policy with a set interference threshold (from -100 to -10 dBm). When a device exceeds this noise value, it’s defined as an interfering Access Point capable of disrupting the signal quality of other sanctioned devices operating below an approved RSSI maximum value.
Number of WIPS Events: Lists the number of devices triggering a WIPS event within each listed RF Domain. Each RF Domain utilizes a WIPS policy where excessive, MU and AP events can have their individual values set for event generation. An administrator can enable or disable the filtering of each listed event and set the thresholds required for the generation of the event notification and filtering action.

5 Select the WIPS Report button to launch a sub-screen to filter how WIPS reports are generated for the system.
Figure 15-9 System - WIPS Summary screen
Select Summary to capture all WIPS data or just select Only Rogue APs, Only Interferer APs or All APs to refine event reporting to a specific type of WIPS activity. Select Generate Report to compile and archive the results of the query.
6 Select Refresh to update the screen’s statistics counters to their latest values.

15.2 RF Domain Statistics
The RF Domain screens display status for a selected RF domain. This includes the RF Domain health and device inventory, wireless clients and Smart RF functionality. RF Domains allow administrators to assign regional, regulatory and RF configuration to devices deployed in a common coverage area such as on a building floor, or site. Each RF Domain contains regional, regulatory and sensor server configuration parameters and may also be assigned policies that determine Access, SMART RF and WIPS configuration.
Use the following information to obtain an overall view of the performance of the selected RF Domain and troubleshoot issues with the domain or any member device.
• Health
• Inventory
• Devices
• AP Detection
• Wireless Clients
• Device Upgrade
• Wireless LANs
• Radios
• Bluetooth
• Mesh
• Mesh Point
• SMART RF
• WIPS
• Captive Portal
• Application Visibility (AVC)
• Coverage Hole Summary
• Coverage Hole Details

15.2.1 Health
The Health screen displays general status information for a selected RF Domain, including data polled from all its members.
To display the health of a controller or service platform’s RF Domain:
1 Select the Statistics menu from the Web UI.
2 Select an RF Domain from under the System node on the top left-hand side of the screen.
3 Select Health from the RF Domain menu.
Figure 15-10 RF Domain - Health screen
4 The Domain field displays the name of the RF Domain manager. The RF Domain manager is the focal point for the radio system and acts as a central registry of applications, hardware and capabilities. It also serves as a mount point for all the different pieces of the hardware system file.
5 The Devices field displays the total number of online versus offline devices in the RF Domain, and an exploded pie chart depicts their status.
6 The Radio Quality field displays information on the RF Domain’s RF quality. The RF quality index is the overall effectiveness of the RF environment as a percentage of the connect rate in both directions, as well as the retry and error rate. This area also lists the worst 5 performing radios in the RF Domain. The RF Quality Index can be interpreted as:
• 0-20 – Very poor quality
• 20-40 – Poor quality
• 40-60 – Average quality
• 60-100 – Good quality
7 Refer to the Radio Quality table for RF Domain member radios requiring administration to improve performance:
Worst 5 Radios: Displays five radios with the lowest average quality in the RF Domain.
Radio ID: Lists each radio’s administrator defined hostname and its radio designation (radio 1, radio 2 or radio 3).
Radio Type: Displays the radio type as either 5 GHz or 2.4 GHz.
8 Refer to the Client Quality table for RF Domain connected clients requiring administration to improve performance:
Worst 5 Clients: Displays the five clients having the lowest average quality indices.
Client MAC: Displays the hardcoded radio MAC of the wireless client.
Vendor: Displays the vendor name of the wireless client.
9 Refer to the WLAN Utilization field to assess the following:
Total WLANs: Displays the total number of WLANs managed by RF Domain member Access Points.
Top 5: Displays the five RF Domain utilized WLANs with the highest average quality indices.
WLAN Name: Displays the WLAN Name for each of the Top 5 WLANs in the Access Point RF Domain.
SSID: Lists the SSID utilized by each listed top 5 performing RF Domain WLANs.
10 The Radio Traffic Utilization area displays the following:
Max. User Rate: Displays the maximum recorded user rate in kbps.
Top 5 Radios: Displays five radios with the best average quality in the RF Domain.
Radio ID: Lists each radio’s administrator defined hostname and its radio designation (radio 1, radio 2 or radio 3).
Radio Type: Displays the radio type as either 5 GHz or 2.4 GHz.
11 Refer to the Client Traffic Utilization table:
Top 5 Clients: Displays the five clients having the highest average quality indices.
Client MAC: Displays the client’s hardcoded MAC address used as a hardware identifier.
Vendor: Lists each client’s manufacturer.
12 The Wireless Security area indicates the security of the transmission between WLANs and the wireless clients they support. This value indicates the vulnerability of the WLANs.
RF Domain Threat Level: Indicates the threat from the wireless clients trying to find network vulnerabilities within the Access Point RF Domain. The threat level is represented by an integer.
Rogue APs: Lists the number of unauthorized Access Points detected by RF Domain member devices.
WIPS Events: Lists the number of WIPS events generated by RF Domain member devices.
13 The Traffic Statistics table displays the following information for transmitted and received packets:
Total Bytes: Displays the total bytes of data transmitted and received within the Access Point RF Domain.
Total Packets: Lists the total number of data packets transmitted and received within the Access Point RF Domain.
User Data Rate: Lists the average user data rate within the Access Point RF Domain.
Bcast/Mcast Packets: Displays the total number of broadcast/multicast packets transmitted and received within the Access Point RF Domain.
Management Packets: This is the total number of management packets processed within the Access Point RF Domain.
Tx Dropped Packets: Lists total number of dropped data packets within the Access Point RF Domain.
Rx Errors: Displays the number of errors encountered during data transmission within the Access Point RF Domain. The higher the error rate, the less reliable the connection or data transfer.
14 The SMART RF Activity area displays the following:
Time Period: Lists the time period when Smart RF calibrations or adjustments were made to compensate for radio coverage holes or interference.
Power Changes: Displays the total number of radio transmit power changes that have been made using SMART RF within the Access Point RF Domain.
Channel Changes: Displays the total number of radio transmit channel changes that have been made using SMART RF within the Access Point RF Domain.
Coverage Changes: Displays the total number of radio coverage area changes that have been made using SMART RF within the Access Point RF Domain.

15.2.2 Inventory
The Inventory screen displays an inventory of RF Domain member Access Points, connected wireless clients, wireless LAN utilization and radio availability.
To display RF Domain inventory statistics:
1 Select the Statistics menu from the Web UI.
2 Select an RF Domain from under the System node on the top left-hand side of the screen.
3 Select Inventory from the RF Domain menu.
Figure 15-11 RF Domain - Inventory screen
4 The Device Types table displays the total members in the RF Domain. The exploded pie chart depicts the distribution of RF Domain members by controller and Access Point model type.
5 The Radios by Band field displays the total number of radios using 802.11an and 802.11bgn bands within the RF Domain. The number of radios designated as sensors is also represented.
6 The Radios by Channel field displays the radio channels utilized by RF Domain member devices in two separate charts. One chart displays for 5 GHz channels and the other for 2.4 GHz channels.
7 The Top 5 Radios by Clients table displays the highest 5 performing wireless clients connected to RF Domain members.
Total Wireless Clients: Displays the total number of clients connected to RF Domain members.
AP Name: Displays the clients connected and reporting Access Point. The name displays as a link that can be selected to display Access Point data in greater detail.
Client Count: Lists the number of clients connected to each listed RF Domain member Access Point.
Radio Id: Lists each radio’s administrator defined hostname and its radio designation (radio 1, radio 2 etc.). The name displays as a link that can be selected to display Access Point data in greater detail.
Radio Band: Lists each client’s operational radio band.
Location: Displays system assigned deployment location for the client.
8 Refer to the WLANs table to review RF Domain WLAN, radio and client utilization. Use this information to help determine whether the WLANs within this RF Domain have an optimal radio and client utilization.
9 The Clients by Band bar graph displays the total number of RF Domain member clients by their IEEE 802.11 radio type.
10 The Clients by Channel pie charts display the channels used by RF Domain member clients using 5 GHz and 2.4 GHz radios.
11 Periodically select Refresh to update the contents of the screen to their latest values.

15.2.3 Devices
The Devices screen displays RF Domain member hardware data, connected client counts, radio data and network IP address.
To display RF Domain member device statistics:
1 Select the Statistics menu from the Web UI.
2 Select an RF Domain from under the System node on the top left-hand side of the screen.
3 Select Devices from the RF Domain menu.
Figure 15-12 RF Domain - Devices screen
Device: Displays the system assigned name of each device that’s a member of the RF Domain. The name displays as a link that can be selected to display configuration and network address information in greater detail.
AP MAC Address: Displays each device’s factory encoded MAC address as its hardware identifier.
Type: Displays each device model within the selected RF Domain.
Client Count: Displays the number of clients connected with each listed device. Supported Access Point models support up to 256 clients per Access Point, with the exception of AP6521 model, which only supports 128.
Radio Count: Displays the number of radios on each listed device.
IP Address: Displays the IP address each listed device is using as a network identifier.
Refresh: Select the Refresh button to update the statistics counters to their latest values.

15.2.4 AP Detection
The AP Detection screen displays information about detected Access Points that are not members of an RF Domain. They could be authorized devices or potential rogue devices.
To view device information on detected Access Points:
1 Select the Statistics menu from the Web UI.
2 Select an RF Domain from under the System node on the top left-hand side of the screen.
3 Select AP Detection from the RF Domain menu.
Figure 15-13 RF Domain - AP Detection screen
The AP Detection screen displays the following:
MAC Address: Displays the hardware encoded MAC address of each listed Access Point detected by an RF Domain member device. The MAC address is set at the factory and cannot be modified via the management software. The MAC address displays as a link that can be selected to display RF Domain member device information in greater detail.
Channel: Displays the channel of operation used by the detected Access Point. The channel must be utilized by both the Access Point and its connected client and be approved for the target deployment country.
SSID: Displays the Service Set ID (SSID) of the network to which the detected Access Point belongs.
First Seen: Provides a timestamp when the detected Access Point was first detected by an RF Domain member device.
Top Reporter Hostname: Lists the administrator assigned hostname of the top performing RF Domain member detecting the listed Access Point MAC address. Consider this top performer the best resource for information on the detected Access Point and its potential threat.
Vendor: Lists the manufacturer of the detected Access Point as an additional means of assessing its potential threat to the members of this RF Domain and its potential for interoperability with RF Domain device members.
VLAN: Lists the numeric VLAN ID (virtual interface) the detected Access Point was detected on by members of this RF Domain.
RSSI: Displays the Received Signal Strength Indicator (RSSI) of the detected Access Point. Use this variable to help determine whether a device connection would improve network coverage or add noise.
Is Interferer: Lists whether the detected device exceeds the administrator defined RSSI threshold (from -100 to -10 dBm) determining whether a detected Access Point is classified as an interferer.
Is Rogue: Displays whether the detected device has been classified as a rogue device whose detection threatens the interoperation of RF Domain member devices.
Termination Active: Lists whether Air Termination is active and applied to the detected Access Point. Air termination lets you terminate the connection between your wireless LAN and any Access Point or client associated with it. If the device is an Access Point, all clients are dis-associated with the Access Point. If the device is a client, its connection with the Access Point is terminated. Air Termination is disabled by default.
Terminate: Select the Terminate button to remove the selected Access Point from RF Domain membership.
Clear All: Select Clear All to reset the statistics counters to zero and begin a new data collection.
WIPS Report: Select WIPS Report to launch a subscreen to save a WIPS report (in PDF format) to a specified location. This is a recommended practice to capture RF Domain member Access Point client connection terminations in a format that can be archived externally.
Refresh: Select the Refresh button to update the statistics counters to their latest values.

15.2.5 Wireless Clients
The Wireless Clients screen displays device information for wireless clients connected to RF Domain member Access Points. Review this content to determine whether a client should be removed from Access Point association within the selected RF Domain.
To review an RF Domain’s connected wireless clients:
1 Select the Statistics menu from the Web UI.
2 Select an RF Domain from under the System node on the top left-hand side of the screen.
3 Select Wireless Clients from the RF Domain menu.
Figure 15-14 RF Domain - Wireless Clients screen
The Wireless Clients screen displays the following:
MAC Address: Displays the hostname (MAC address) of each listed wireless client. This address is hard-coded at the factory and cannot be modified. The address displays as a link that can be selected to display RF Domain member device and network address information in greater detail.
IP Address: Displays the current IP address the wireless client is using for a network identifier.
IPv6 Address: Displays the current IPv6 formatted IP address a listed wireless client is using as a network identifier. IPv6 is the latest revision of the Internet Protocol (IP) designed to replace IPv4. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons.
Hostname: Displays the unique administrator assigned hostname when the client’s configuration was originally set.
Role: Lists the role assigned to each controller, service platform or Access Point managed client.
Client Identity: Lists the client’s operating system vendor identity (Android, Windows etc.)
Vendor: Displays the vendor (or manufacturer) of the wireless client.
Band: Lists the 2.4 or 5 GHz radio band the listed client is currently utilizing with its connected Access Point, controller or service platform within the RF Domain.
AP Hostname: Displays the administrator assigned hostname of the Access Point to which the client is connected.
Radio MAC: Lists the hardware encoded MAC address of the Access Point radio to which the client is currently connected within the RF Domain.
WLAN: Displays the name of the WLAN the wireless client is currently using for its interoperation within the RF Domain.
VLAN: Displays the VLAN ID the client’s connected Access Point has defined for use as a virtual interface.
Last Active: Displays the time when this wireless client was last detected by an RF Domain member.
RF Domain Name: Lists each client’s RF Domain membership as defined by its connected Access Point and associated controller or service platform.
Disconnect All Clients: Select the Disconnect All Clients button to terminate each listed client’s connection and RF Domain membership.
Disconnect Client: Select a specific client MAC address and select the Disconnect Client button to terminate this client’s connection and RF Domain membership.
Refresh: Select the Refresh button to update the statistics counters to their latest values.

15.2.6 Device Upgrade
The Device Upgrade screen reports information about devices receiving updates and the RF Domain member provisioning the device. Use this screen to assess version data and upgrade status.
To view wireless device upgrade data for RF Domain members:
1 Select the Statistics menu from the Web UI.
2 Select an RF Domain from under the System node on the top left-hand side of the screen.
3 Select Device Upgrade from the RF Domain menu.
Figure 15-15 RF Domain - Device Upgrade screen
The Device Upgrade screen displays the following for RF Domain member devices:
Upgraded By: Lists the name of the device performing an update on behalf of an RF Domain member peer device.
Type: Displays the model of the device receiving an update. An updating Access Point must be of the same model as the Access Point receiving the update.
Device Hostname: Lists the administrator assigned hostname of each device receiving an update from an RF Domain member.
History Id: Lists the RF Domain member device’s MAC address along with a history ID appended to it for each upgrade operation.
Last Update Status: Displays the last status message from the RF Domain member device performing the upgrade operation.
Time Last Upgrade: Displays a timestamp for the last successful upgrade.
Retries Count: Lists the number of retries needed for each listed RF Domain member update operation.
State: Lists whether the upgrade operation is completed, in-progress, failed or whether an update was made without a device reboot.
Clear History: Select Clear History to remove the upgrade records for RF Domain member devices. Unlike the Refresh function (that updates existing data), Clear History removes the update record from the screen.
Refresh: Select the Refresh button to update the statistics counters to their latest values.

15.2.7 Wireless LANs
The Wireless LANs screen displays the name, network identification and radio quality information for the WLANs currently being utilized by RF Domain members.
To view wireless LAN statistics for RF Domain members:
1 Select the Statistics menu from the Web UI.
2 Select an RF Domain from under the System node on the top left-hand side of the screen.
3 Select Wireless LANs from the RF Domain menu.
Figure 15-16 RF Domain - Wireless LANs screen
The Wireless LANs screen displays the following:
WLAN Name: Displays the name assigned to each WLAN upon its creation within the controller or service platform managed network.
SSID: Displays the Service Set ID (SSID) assigned to the WLAN upon its creation within the controller or service platform managed network.
Traffic Index: Displays the traffic utilization index of each listed WLAN, which measures how efficiently the traffic medium is used. It’s defined as the percentage of current throughput relative to the maximum possible throughput. Traffic indices are: 0 – 20 (very low utilization), 20 – 40 (low utilization), 40 – 60 (moderate utilization), and 60 and above (high utilization).
Radio Count: Displays the number of radios deployed in each listed WLAN by RF Domain member devices.
Tx Bytes: Displays the average number of packets (in bytes) sent on each listed RF Domain member WLAN.
Tx User Data Rate: Displays the average data rate per user for packets transmitted on each listed RF Domain member WLAN.
Rx Bytes: Displays the average number of packets (in bytes) received on each listed RF Domain member WLAN.
Rx User Data Rate: Displays the average data rate per user for packets received on each listed RF Domain member WLAN.
Disconnect All Clients: Select the Disconnect All Clients button to terminate each listed client’s WLAN membership from this RF Domain.
Refresh: Select the Refresh button to update the statistics counters to their latest values.
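Sections 15.1.8 (WIPS Summary) and 15.2.4 (AP Detection) above describe two classifications for a detected Access Point: rogue (not deployed by an administrator as an approved device) and interferer (RSSI above the RF Domain's threshold, which the guide bounds at -100 to -10 dBm). The following Python is an added example, not part of the guide or of the WiNG software, that applies both rules to hand-transcribed AP Detection rows and tallies them per RF Domain. The CSV layout, the sample rows, the approved-MAC list, the threshold values and the SSID-clash check are assumptions made for illustration.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample: rows copied by hand from an AP Detection screen.
# The CSV layout is an assumption; the guide documents only on-screen fields.
SAMPLE_ROWS = """rf_domain,mac,channel,ssid,top_reporter,rssi
store-12,00-11-22-AA-BB-01,6,corp-wifi,ap-lobby,-48
store-12,00:11:22:aa:bb:02,11,neighbor-cafe,ap-lobby,-82
store-12,0011.22aa.bb03,36,corp-wifi,ap-dock,-60
hq-floor3,00:11:22:aa:bb:04,1,printer-setup,ap-east,-71
hq-floor3,00:11:22:aa:bb:05,1,neighbor-cafe,ap-east,n/a
"""
SANCTIONED_MACS = {"00:11:22:AA:BB:03"}      # hypothetical approved inventory
MANAGED_SSIDS = {"corp-wifi"}                # hypothetical managed WLAN SSIDs
THRESHOLDS_DBM = {"store-12": -75, "hq-floor3": -70}  # assumed policy values


def normalize_mac(text):
    """Return a MAC as lower-case colon-separated octets, or raise ValueError."""
    digits = re.sub(r"[:\-.]", "", text.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def check_threshold(dbm):
    """The guide gives the interference threshold range as -100 to -10 dBm."""
    if not -100 <= dbm <= -10:
        raise ValueError(f"threshold {dbm} dBm is outside -100..-10")
    return dbm


def triage(csv_text, sanctioned, managed_ssids, thresholds):
    """Classify detected APs; return (per-domain counts, findings, rejected)."""
    approved = {normalize_mac(m) for m in sanctioned}
    counts = defaultdict(lambda: {"rogue": 0, "interferer": 0})
    findings, rejected = [], []
    reader = csv.DictReader(io.StringIO(csv_text))
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        try:
            domain = row["rf_domain"]
            limit = check_threshold(thresholds[domain])
            mac = normalize_mac(row["mac"] or "")
            rssi = int(row["rssi"])
        except (KeyError, TypeError, ValueError) as exc:
            # Keep unparseable rows visible instead of silently dropping them.
            rejected.append((line_no, f"{type(exc).__name__}: {exc}"))
            continue
        rogue = mac not in approved      # not deployed as an approved device
        interferer = rssi > limit        # signal exceeds the domain threshold
        # Added heuristic, not a WiNG field: an unapproved AP advertising one
        # of our own SSIDs is reviewed before a merely unknown neighbour.
        ssid_clash = rogue and row["ssid"] in managed_ssids
        counts[domain]["rogue"] += rogue
        counts[domain]["interferer"] += interferer
        if rogue or interferer:
            findings.append({
                "rf_domain": domain, "mac": mac, "ssid": row["ssid"],
                "rssi": rssi, "rogue": rogue, "interferer": interferer,
                "ssid_clash": ssid_clash,
                "top_reporter": row.get("top_reporter"),
            })
    # SSID clashes first, then strongest signal first within each group.
    findings.sort(key=lambda f: (not f["ssid_clash"], -f["rssi"]))
    return dict(counts), findings, rejected


if __name__ == "__main__":
    counts, findings, rejected = triage(
        SAMPLE_ROWS, SANCTIONED_MACS, MANAGED_SSIDS, THRESHOLDS_DBM)
    for domain, tally in counts.items():
        print(domain, tally)
    for item in findings:
        print(item)
    for line_no, reason in rejected:
        print(f"line {line_no} rejected: {reason}")
```

The Top Reporter Hostname carried in each finding is the member device the guide recommends consulting first about a detected Access Point.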
15.2.8 Radios
The Radio screens display information on RF Domain member Access Point radios. Use these screens to troubleshoot radio issues negatively impacting RF Domain performance.
For more information, refer to the following:
• Status
• RF Statistics
• Traffic Statistics

15.2.8.1 Status
To view the RF Domain radio statistics:
1 Select the Statistics menu from the Web UI.
2 Select an RF Domain from under the System node on the top left-hand side of the screen.
3 Expand Radios from the RF Domain menu and select Status.
Figure 15-17 RF Domain - Radio Status screen
The Radio Status screen displays the following:
Radio: Displays the name assigned to each listed RF Domain member Access Point radio. Each name displays as a link that can be selected to display radio information in greater detail.
Radio MAC: Displays the MAC address as a numerical value factory hardcoded to each listed RF Domain member Access Point radio.
Radio Type: Defines whether the radio is operating within the 2.4 or 5 GHz radio band.
Access Point: Displays the user assigned name of the RF Domain member Access Point on which the radio resides.
AP Type: Lists the model type of each RF Domain member Access Point.
State: Displays the radio’s current operational state.
Channel Current (Config): Displays the current channel each listed RF Domain member Access Point radio is broadcasting on.
Power Current (Config): Displays the current power level the radio is using for its transmissions.
Clients: Displays the number of clients currently connected to each listed RF Domain member Access Point radio. Supported models can manage up to 256 clients per radio.
Refresh: Select the Refresh button to update the statistics counters to their latest values.

15.2.8.2 RF Statistics
To view the RF Domain radio statistics:
1 Select the Statistics menu from the Web UI.
2 Select an RF Domain from under the System node on the top left-hand side of the screen.
3 Expand Radios from the RF Domain menu and select RF Statistics.
Figure 15-18 RF Domain - Radio RF Statistics screen
The RF Statistics screen displays the following:
Radio: Displays the name assigned to each listed RF Domain member radio. Each name displays as a link that can be selected to display radio information in greater detail.
Signal: Displays the power of listed RF Domain member radio signals in dBm.
Noise: Lists the level of noise (in -X dBm format) reported by each listed RF Domain member Access Point.
SNR: Displays the signal to noise ratio (SNR) of each listed RF Domain member radio.
Tx Physical Layer Rate: Displays the data transmit rate for each RF Domain member radio’s physical layer. The rate is displayed in Mbps.
Rx Physical Layer Rate: Displays the data receive rate for each RF Domain member radio’s physical layer. The rate is displayed in Mbps.
Avg Retry Number: Displays the average number of retries for each RF Domain member radio.
Error Rate: Displays the average number of retries per packet. A high number indicates possible network or hardware problems.
RF Quality Index: Displays an integer (and performance icon) that indicates the overall RF performance for each listed radio. The RF quality indices are: 0 – 50 (Poor), 50 – 75 (Medium), 75 – 100 (Good).
Refresh: Select the Refresh button to update the statistics counters to their latest values.

15.2.8.3 Traffic Statistics
The Traffic Statistics screen displays transmit and receive data as well as data rate and packet drop and error information for RF Domain member radios. Individual RF Domain member radios can be selected to display information specific to that radio as troubleshooting requirements dictate.
1 Select the Statistics menu from the Web UI.
2 Select an RF Domain from under the System node on the top left-hand side of the screen.
3 Expand Radios from the RF Domain menu and select Traffic Statistics.
Figure 15-19 RF Domain - Radio Traffic Statistics screen
The Radio Traffic screen displays the following:
Radio: Displays the name assigned to each listed RF Domain member Access Point radio. Each name displays as a link that can be selected to display radio information in greater detail.
Tx Bytes: Displays the total number of bytes transmitted by each RF Domain member Access Point radio. This includes all user data as well as any management overhead data.
Rx Bytes: Displays the total number of bytes received by each RF Domain member Access Point radio. This includes all user data as well as any management overhead data.
Tx Packets: Displays the total number of packets transmitted by each RF Domain member Access Point radio. This includes all user data as well as any management overhead packets.
Rx Packets: Displays the total number of packets received by each RF Domain member Access Point radio. This includes all user data as well as any management overhead packets.
Tx User Data Rate: Displays the rate (in kbps) user data is transmitted by each RF Domain member Access Point radio. This rate only applies to user data and does not include any management overhead.
Rx User Data Rate: Displays the rate (in kbps) user data is received by each RF Domain member Access Point radio. This rate only applies to user data and does not include any management overhead.
Tx Dropped: Displays the total number of transmitted packets which have been dropped by each RF Domain member Access Point radio. This includes all user data as well as any management overhead packets that were dropped.
Traffic Index: Displays the traffic utilization index of RF Domain member Access Point radios, which measures how efficiently the traffic medium is utilized within this RF Domain. It’s defined as the percentage of current throughput relative to the maximum possible throughput. Traffic indices are: 0 – 20 (very low utilization), 20 – 40 (low utilization), 40 – 60 (moderate utilization) and 60 and above (high utilization).
Refresh: Select the Refresh button to update the statistics counters to their latest values.

15.2.9 Bluetooth
AP-8432 and AP-8533 model Access Points utilize a built in Bluetooth chip for specific Bluetooth functional behaviors in a WiNG managed network. AP-8432 and AP-8533 models support both Bluetooth classic and Bluetooth low energy technology. These platforms can use their Bluetooth classic enabled radio to sense other Bluetooth enabled devices and report device data (MAC address, RSSI and device calls) to an ADSP server for intrusion detection. If the device presence varies in an unexpected manner, ADSP can raise an alarm.
AP-8432 and AP-8533 model Access Points support Bluetooth beaconing to emit either iBeacon or Eddystone-URL beacons. The Access Point’s Bluetooth radio sends non-connectable, undirected low-energy (LE) advertisement packets on a periodic basis. These advertisement packets are short, and sent on Bluetooth advertising channels that conform to already-established iBeacon and Eddystone-URL standards.
To view Bluetooth radio statistics for RF Domain member Access Points:
1 Select the Statistics menu from the Web UI.
2 Select an RF Domain from under the System node on the top left-hand side of the screen.
3 Select Bluetooth.

Figure 15-20 RF Domain - Bluetooth screen

The RF Domain Bluetooth screen displays the following:
Name: Lists the name of the Access Point’s Bluetooth radio.
Alias: If an alias has been defined for the Access Point, it’s listed here. The alias value is expressed in the form of <hostname>: B<Bluetooth_radio_number>. If the administrator has defined a hostname for the Access Point, it’s used in place of the Access Point’s default hostname.
Radio State: Displays the current operational state (On/Off) of the Bluetooth radio.
Off Reason: If the Bluetooth radio is offline, this field states the reason.
Radio MAC: Lists the Bluetooth radio’s factory encoded MAC address serving as this device’s hardware identifier on the network.
Hostname: Lists the hostname set for the Access Point as its network identifier.
Device MAC: Lists the Access Point’s factory encoded MAC address serving as this device’s hardware identifier on the network.
AP Location: Lists the Access Point’s administrator assigned deployment location.
Radio Mode: Lists an Access Point’s Bluetooth radio functional mode as either bt-sensor or le-beacon.
Beacon Period: Lists the Bluetooth radio’s beacon transmission period from 100 - 10,000 milliseconds.
Beacon Type: Lists the type of beacon currently configured.
Last Error: Lists descriptive text on any error that’s preventing the Bluetooth radio from operating.
Refresh: Select Refresh to update the screen’s statistics counters to their latest values.
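The iBeacon and Eddystone-URL advertisement formats named in this section can be decoded from raw LE advertising payloads and compared with the beacons an administrator expects to be on the air. The following is an added example, not code from this guide or from the WiNG software; the sample payloads, the allow-list and all function names are constructed for illustration, and the frame layouts follow the public iBeacon and Eddystone-URL formats.

```python
import struct
import uuid

# Eddystone-URL scheme prefixes and text expansion codes (public Eddystone-URL format).
URL_SCHEMES = {0x00: "http://www.", 0x01: "https://www.", 0x02: "http://", 0x03: "https://"}
URL_EXPANSIONS = [".com/", ".org/", ".edu/", ".net/", ".info/", ".biz/", ".gov/",
                  ".com", ".org", ".edu", ".net", ".info", ".biz", ".gov"]


def split_ad_structures(payload):
    """Yield (ad_type, data) for each length-type-value structure in the payload."""
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0:                      # zero length marks trailing padding
            break
        if i + 1 + length > len(payload):
            raise ValueError("AD structure runs past end of payload")
        yield payload[i + 1], payload[i + 2:i + 1 + length]
        i += 1 + length


def decode_ibeacon(data):
    """Manufacturer-specific data (AD type 0xFF) to iBeacon fields, or None."""
    # 4C 00 = Apple company ID (little-endian), 02 15 = iBeacon type and length.
    if len(data) != 25 or data[:4] != b"\x4c\x00\x02\x15":
        return None
    major, minor, tx_power = struct.unpack(">HHb", data[20:25])
    return {"type": "iBeacon", "uuid": str(uuid.UUID(bytes=data[4:20])),
            "major": major, "minor": minor, "tx_power": tx_power}


def decode_eddystone_url(data):
    """Service data (AD type 0x16) to Eddystone-URL fields, or None."""
    # AA FE = Eddystone 16-bit service UUID (little-endian), 0x10 = URL frame type.
    if len(data) < 5 or data[:2] != b"\xaa\xfe" or data[2] != 0x10:
        return None
    tx_power = struct.unpack("b", data[3:4])[0]
    if data[4] not in URL_SCHEMES:
        raise ValueError("unknown Eddystone-URL scheme byte")
    url = URL_SCHEMES[data[4]]
    for byte in data[5:]:
        if byte < len(URL_EXPANSIONS):
            url += URL_EXPANSIONS[byte]
        elif 0x20 < byte < 0x7F:             # printable, non-space ASCII only
            url += chr(byte)
        else:
            raise ValueError("reserved byte in encoded URL")
    return {"type": "Eddystone-URL", "url": url, "tx_power": tx_power}


def classify(payload):
    """Return the first beacon frame found in an advertising payload, or None."""
    for ad_type, data in split_ad_structures(payload):
        beacon = None
        if ad_type == 0xFF:
            beacon = decode_ibeacon(data)
        elif ad_type == 0x16:
            beacon = decode_eddystone_url(data)
        if beacon:
            return beacon
    return None


def identity(beacon):
    """Fields that identify a beacon independently of its transmit power."""
    if beacon["type"] == "iBeacon":
        return ("iBeacon", beacon["uuid"], beacon["major"], beacon["minor"])
    return ("Eddystone-URL", beacon["url"])


def audit(observations, allowed):
    """Return (source, verdict, detail) for every observed advertisement."""
    findings = []
    for source, payload in observations:
        try:
            beacon = classify(payload)
        except ValueError as exc:
            findings.append((source, "malformed", str(exc)))
            continue
        if beacon is None:
            findings.append((source, "not-a-beacon", None))
        elif identity(beacon) in allowed:
            findings.append((source, "expected", identity(beacon)))
        else:
            findings.append((source, "unexpected", identity(beacon)))
    return findings


# Constructed sample payloads (not captured from any real device).
SAMPLE_IBEACON = (bytes.fromhex("0201061aff4c000215")
                  + uuid.UUID("12345678-1234-5678-1234-56789abcdef0").bytes
                  + bytes.fromhex("00010002c5"))
SAMPLE_EDDYSTONE = bytes.fromhex("0201060303aafe0e16aafe10ee03") + b"example\x00"
SAMPLE_OTHER_URL = bytes.fromhex("0201060303aafe0e16aafe10ee02") + b"example\x0a"
SAMPLE_TRUNCATED = bytes.fromhex("0201061aff4c00")

# Constructed allow-list: the beacons the administrator configured.
ALLOWED = {("iBeacon", "12345678-1234-5678-1234-56789abcdef0", 1, 2),
           ("Eddystone-URL", "https://example.com/")}
OBSERVATIONS = [("obs-1", SAMPLE_IBEACON), ("obs-2", SAMPLE_EDDYSTONE),
                ("obs-3", SAMPLE_OTHER_URL), ("obs-4", SAMPLE_TRUNCATED)]

if __name__ == "__main__":
    for finding in audit(OBSERVATIONS, ALLOWED):
        print(finding)
```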
15.2.10 Mesh
RF Domain Statistics

Mesh networking enables users to wirelessly access broadband applications anywhere (even in a moving vehicle). Initially developed for secure and reliable military battlefield communications, mesh technology supports public safety, public access and public works. Mesh technology reduces the expense of wide-scale networks by leveraging Wi-Fi enabled devices already deployed.

To view Mesh statistics for RF Domain member Access Points and their connected clients:
1 Select the Statistics menu from the Web UI.
2 Select a RF Domain from under the System node on the top, left-hand side, of the screen.
3 Select Mesh.

Figure 15-21 RF Domain - Mesh screen

The RF Domain Mesh screen displays the following:
Client: Displays the configured hostname for each mesh client connected to a RF Domain member Access Point.
Client Radio MAC: Displays the hardware encoded MAC address for each mesh client connected to a RF Domain member Access Point.
Portal: Displays a numerical portal Index ID for each mesh client connected to a RF Domain member Access Point.
Portal Radio MAC: Displays the hardware encoded MAC address for each radio in the RF Domain mesh network.
Connect Time: Displays the total connection time for each listed client in the RF Domain mesh network.
Refresh: Select the Refresh button to update the statistics counters to their latest values.
15.2.11 Mesh Point
RF Domain Statistics

To view Mesh Point statistics for RF Domain member Access Points and their connected clients:
1 Select the Statistics menu from the Web UI.
2 Select a RF Domain from under the System node on the top, left-hand side, of the screen.
3 Select Mesh Point.
The MCX Geographical View displays by default.

Figure 15-22 RF Domain - Mesh Point MCX Geographical View screen

The MCX Geographical View screen displays a map where icons of each device in the RF Domain are overlaid. This provides a geographical overview of the location of each RF Domain member device.
4 Use the N, W, S and E buttons to move the map in the North, West, South and East directions respectively. The slider next to these buttons enables zooming in and out of the view. The available fixed zoom levels are World, Country, State, Town, Street and House.
5 Use the Maximize button to maximize this view to occupy the complete screen. Use the Refresh button to update the status of the screen.
6 Select the MCX Logical View tab to view a logical representation of the Meshpoint.
Figure 15-23 RF Domain - Mesh Point MCX Logical View screen

The Concentric and Hierarchical buttons define how the mesh point is displayed in the MCX Logical View screen. In the Concentric mode, the mesh is displayed as a concentric arrangement of devices with the root mesh at the centre and the other mesh devices arranged around it.
In the Hierarchical arrangement, the root node of the mesh is displayed at the top of the mesh tree and the relationship of the mesh nodes is displayed as such.
Use the Meshpoint Name drop down to select a mesh point to see the graphical representation of that mesh point. The view can further be filtered based on the values Neighbor or Path selected in the Meshpoint View field.
7 Select the Device Type tab.
Figure 15-24 RF Domain - Mesh Point Device Type screen

The Root field displays the Mesh ID and MAC Address of the configured root mesh points in the RF Domain.
8 The Non Root field displays the Mesh ID and MAC Address of all configured non-root mesh points in the RF Domain.
9 The Mesh Point Details field on the bottom portion of the screen displays tabs for General, Path, Root, Multicast Path, Neighbors, Security and Proxy. Refer to the following:

The General tab displays the following:
Mesh Point Name: Displays the name of each configured mesh point in the RF Domain.
MAC: Displays the MAC Address of each configured mesh point in the RF Domain.
Hostname: Displays the administrator assigned hostname for each configured mesh point in the RF Domain.
Configured As Root: Indicates whether a mesh point is configured to act as a root device (Yes/No).
Is Root: A root mesh point is defined as a mesh point connected to the WAN and provides a wired backhaul to the network (Yes/No).
Meshpoint Identifier: The MP identifier is used to distinguish between other mesh points both on the same device and on other devices. This is used by a user to set up the preferred root configuration.
Interface ID: The IFID uniquely identifies an interface associated with the MPID. Each mesh point on a device can be associated with one or more interfaces.
Radio Interface: Uniquely identifies the radio interface on which the Mesh Point operates.
Next Hop IFID: Lists the ID of the interface on which the next hop for the mesh network can be found.
Next Hops Use Time: Lists the time when the next hop in the mesh network topology was last utilized.
Root Hops: The number of hops to a root, which should not exceed 4 in general practice. If using the same interface to both transmit and receive, then you will get approximately half the performance every additional hop out.
Root MP ID: Displays the ID of the root device for this mesh point.
Root Bound Time: Displays the duration this mesh point has been connected to the mesh root.
IFID Count: Displays the number of Interface IDs (IFIDs) associated with all the configured mesh points in the RF Domain.

The Path tab displays the following:
Mesh Point Name: Displays the name of each configured mesh point in the RF Domain.
Meshpoint Identifier: The identifier is used to distinguish between other mesh points both on the same device and on other devices. This is used by a user to set up the preferred root configuration.
Destination Addr: The destination is the endpoint of the mesh path. It may be a MAC address or a mesh point ID.
Next Hop IFID: The Interface ID of the mesh point that traffic is being directed to.
Is Root: A root mesh point is defined as a mesh point that is connected to the WAN and provides a wired backhaul to the network (Yes/No).
MiNT ID: Displays the MiNT Protocol ID for the global mint area identifier. This area identifier separates two overlapping mint networks and need only be configured if the administrator has two mint networks that share the same packet broadcast domain.
Hops: The number of hops to a root, which should not exceed 4 in general practice. If using the same interface to both transmit and receive, then you will get approximately half the performance every additional hop out.
Mobility: Displays whether the mesh point is a mobile or static node. Displays True when the device is mobile and False when the device is not mobile.
Metric: A measure of the quality of the path. A lower value indicates a better path.
State: Indicates whether the path is currently Valid or Invalid.
Binding: Indicates whether the path is bound or unbound.
Timeout: The timeout interval in milliseconds. The interpretation of this value will vary depending on the value of the state.
Sequence: The sequence number, also known as the destination sequence number. It is updated whenever a mesh point receives new information about the sequence number from RREQ, RREP, or RERR messages that may be received related to that destination.

The Root tab displays the following:
Mesh Point Name: Displays the name of each configured mesh point in the RF Domain.
Recommended: Displays the root that is recommended by the mesh routing layer.
Root MPID: The MP identifier is used to distinguish between other mesh points both on the same device and on other devices. This is used by a user to set up the preferred root configuration.
Next Hop IFID: The IFID of the next hop. The IFID is the MAC Address on the destination device.
Radio Interface: This indicates the interface that is used by the device to communicate with this neighbor. The values are 2.4 and 5.8, indicating the frequency of the radio that is used to communicate with the neighbor.
Bound: Indicates whether the root is bound or unbound.
Metric: Displays the computed path metric between the neighbor and their root mesh point.
Interface Bias: This field lists any bias applied because of the Preferred Root Interface Index.
Neighbor Bias: This field lists any bias applied because of the Preferred Root Next-Hop Neighbor IFID.
Root Bias: This field lists any bias applied because of the Preferred Root MPID.

The Multicast Path tab displays the following:
Mesh Point Name: Displays the name of each configured mesh point in the RF Domain.
Subscriber Name: The identifier is used to distinguish between other mesh points both on the same device and on other devices. This is used by a user to set up the preferred root configuration.
Subscriber MPID: Lists the subscriber ID to distinguish between other mesh point neighbor devices in the RF Domain.
Group Address: Displays the MAC address used for the Group in the mesh point.
Timeout: The timeout interval in seconds. The interpretation of this value will vary depending on the value of the state. If the state is Init or In Progress, the timeout duration has no significance. If the state is Enabled, the timeout duration indicates the amount of time left before the security validity check is initiated. If the state is Failed, the timeout duration is the amount of time after which the system will retry.

The Neighbors tab displays the following:
Mesh Point Name: Displays the name of each configured mesh point in the RF Domain.
Destination Addr: Displays the MeshID (MAC Address) of each mesh point in the RF Domain.
Neighbor MP ID: The MAC Address that the device uses to define the mesh point in the device that the neighbor is a part of. It is used to distinguish the device that is the neighbor.
Neighbor IFID: The MAC Address used by the interface on the neighbor device to communicate with this device. This may define a particular radio or Ethernet port that communicates with this device over the mesh.
Root MP ID: The MAC Address of the neighbor's root mesh point.
Is Root: A root mesh point is defined as a mesh point that is connected to the WAN and provides a wired backhaul to the network. Yes if the mesh point that is the neighbor is a root mesh point or No if the mesh point that is the neighbor is not a root mesh point.
Mobility: Displays whether the Mesh Point is a mobile or static node. Displays True when the device is mobile and False when the device is not mobile.
Radio Interface: This indicates the interface that is used by the device to communicate with this neighbor. The values are 2.4 and 5.8, indicating the frequency of the radio that is used to communicate with the neighbor.
Mesh Root Hops: The number of devices between the neighbor and its root mesh point. If the neighbor is a root mesh point, this value will be 0. If the neighbor is not a root mesh point but it has a neighbor that is a root mesh point, this value will be 1. Each mesh point between the neighbor and its root mesh point is counted as 1 hop.
Resourced: Displays whether the mesh point has been resourced or not. The Mesh Connex neighbor table can contain more neighbors than the AP supports. If the neighbor is resourced, it will take away one of the resources for a wireless client device to be used for meshing. Displays True when the device is resourced and False when the device is not.
Link Quality: An abstract value depicting the quality of the mesh link between the device and the neighbor. The range is from 0 (weakest) to 100 (strongest).
Link Metric: This value shows the computed path metric from the device to the neighbor mesh point using this interface. The lower the number, the better the possibility that the neighbor will be chosen as the path to the root mesh point.
Root Metric: The computed path metric between the neighbor and their root mesh point.
Rank: The rank is the level of importance and is used for automatic resource management.
  8 – The current next hop to the recommended root.
  7 – Any secondary next hop to the recommended root that has a good potential route metric.
  6 – A next hop to an alternate root node.
  5 – A downstream node currently hopping through to get to the root.
  4 – A downstream node that could hop through to get to the root, but is currently not hopping through any node (look at authentication, as this might be an issue).
  3 – A downstream node that is currently hopping through a different node to get to the root, but could potentially have a better route metric if it hopped through this node.
  2 – Reserved for active peer to peer routes and is not currently used.
  1 – A neighbor bound to the same recommended root but does not have a potential route metric as good as the neighbors ranked 8 and 7.
  0 – A neighbor bound to a different root node.
  -1 – Not a member of the mesh as it has a different mesh ID.
  All client devices hold a rank of 3 and can replace any mesh devices lower than that rank.
Age: Displays the number of milliseconds since the mesh point last heard from this neighbor.

The Security tab displays the following:
Mesh Point Name: Displays the name of each configured mesh point in the RF Domain.
Mesh Point Identifier: The destination is the endpoint of the mesh path. It may be a MAC address or a mesh point ID.
Radio Interface: This indicates the interface that is used by the device to communicate with this neighbor. The values are 2.4 and 5.8, indicating the frequency of the radio that is used to communicate with the neighbor.
Interface ID: The IFID uniquely identifies an interface associated with the MPID. Each mesh point on a device can be associated with one or more interfaces.
State: Displays the Link State for each mesh point:
  Init - indicates the link has not been established or has expired.
  Enabled - indicates the link is available for communication.
  Failed - indicates the attempt to establish the link failed and cannot be retried yet.
  In Progress - indicates the link is being established but is not yet available.
Timeout: Displays the maximum value in seconds that the link is allowed to stay in the In Progress state before timing out.
Keep Alive: Yes indicates that the local MP will act as a supplicant to authenticate the link and not let it expire (if possible). No indicates that the local MP does not need the link and will let it expire if not maintained by the remote MP.

The Proxy tab displays the following:
Mesh Point Name: Displays the name of each configured mesh point in the RF Domain.
Destination Addr: The destination is the endpoint of the mesh path. It may be a MAC address or a mesh point ID.
Proxy Address: Displays the MAC Address of the proxy used in the mesh point.
Age: Displays the age of the proxy connection for each of the mesh points in the RF Domain.
Proxy Owner: The owner’s MPID is used to distinguish the neighbor device.
Persistence: Displays the persistence (duration) of the proxy connection for each of the mesh points in the RF Domain.
VLAN: The VLAN ID used as a virtual interface with this proxy. A value of 4095 indicates that there is no VLAN ID.

10 Select the Device Brief Info tab from the top of the screen.
The Device Brief Info screen is divided into 2 fields, All Roots and Mesh Points and MeshPoint Details.
Figure 15-25 RF Domain - Mesh Point Device Brief Info screen

The All Roots and Mesh Points field displays the following:
MAC: Displays the MAC Address of each configured mesh point in the RF Domain.
Mesh Point Name: Displays the name of each configured mesh point in the RF Domain.
Hostname: Displays the administrator assigned hostname for each configured mesh point in the RF Domain.
Configured as Root: A root mesh point is defined as a mesh point connected to the WAN, providing a wired backhaul to the network (Yes/No).
Is Root: Indicates whether the current mesh point is a root meshpoint (Yes/No).
Destination Addr: The destination is the endpoint of the mesh path. It may be a MAC address or a mesh point ID.
Root Hops: The number of devices between the selected mesh point and the destination device.
IFID Count: Displays the number of Interface IDs (IFIDs) associated with all the configured mesh points in the RF Domain.
11 The MeshPoint Details field on the bottom portion of the screen displays tabs for General, Path, Root, Multicast Path, Neighbors, Security and Proxy. Refer to the following:

The General tab displays the following:
Mesh Point Name: Displays the name of each configured mesh point in the RF Domain.
MAC: Displays the MAC Address of each configured mesh point in the RF Domain.
Hostname: Displays the hostname for each configured mesh point in the RF Domain.
Configured as Root: A root mesh point is defined as a mesh point that is connected to the WAN and provides a wired backhaul to the network (Yes/No).
Is Root: A root mesh point is defined as a mesh point that is connected to the WAN and provides a wired backhaul to the network (Yes/No).
Mesh Point Identifier: The destination is the endpoint of the mesh path. It may be a MAC address or a mesh point ID.
Next Hop IFID: Identifies the ID of the interface on which the next hop for the mesh network can be found.
Next Hops Use Time: Lists the time when the next hop in the mesh network topology was last utilized.
Root Hops: The number of hops to a root, which should not exceed 4 in general practice. If using the same interface to both transmit and receive, then you will get approximately half the performance every additional hop out.
Root MP ID: Lists the interface ID of the interface on which the next hop for the mesh network can be found.
Root Bound time: Displays the duration this mesh point has been connected to the mesh root.
IFID Count: Displays the number of Interface IDs (IFIDs) associated with all the configured mesh points in the RF Domain.

The Path tab displays the following:
Mesh Point Name: Displays the name of each configured mesh point in the RF Domain.
Destination Addr: The destination is the endpoint of the mesh path. It may be a MAC address or a mesh point ID.
Destination: The MAC Address used by the interface on the neighbor device to communicate with this device. This may define a particular radio or Ethernet port that communicates with this device over the mesh.
Is Root: A root mesh point is defined as a mesh point that is connected to the WAN and provides a wired backhaul to the network (Yes/No).
MiNT ID: Displays the MiNT Protocol ID for the global mint area identifier. This area identifier separates two overlapping mint networks and need only be configured if the administrator has two mint networks that share the same packet broadcast domain.
Next Hop IFID: The Interface ID of the mesh point that traffic is being directed to.
Hops: The number of hops to a root, which should not exceed 4 in general practice. If using the same interface to both transmit and receive, then you will get approximately half the performance every additional hop out.
Mobility: Displays whether the mesh point is a mobile or static node. Displays True when the device is mobile and False when the device is not mobile.
Metric: A measure of the quality of the path. A lower value indicates a better path.
State: Indicates whether the path is currently Valid or Invalid.
Binding: Indicates whether the path is bound or unbound.
Timeout: The timeout interval in seconds. The interpretation of this value will vary depending on the value of the state. If the state is Init or In Progress, the timeout duration has no significance. If the state is Enabled, the timeout duration indicates the amount of time left before the security validity check is initiated. If the state is Failed, the timeout duration is the amount of time after which the system will retry.
Sequence: The sequence number, also known as the destination sequence number. It is updated whenever a mesh point receives new information about the sequence number from RREQ, RREP, or RERR messages that may be received related to that destination.

The Root tab displays the following:
Mesh Point Name: Displays the name of each configured mesh point in the RF Domain.
Recommended: Displays the root that is recommended by the mesh routing layer.
Root MPID: The MP identifier is used to distinguish between other mesh points both on the same device and on other devices. This is used by a user to set up the preferred root configuration.
Next Hop IFID: The IFID of the next hop. The IFID is the MAC Address on the destination device.
Radio Interface: This indicates the interface that is used by the device to communicate with this neighbor. The values are 2.4 and 5.8, indicating the frequency of the radio that is used to communicate with the neighbor.
Bound: Indicates whether the root is bound or unbound.
Metric: Displays the computed path metric between the neighbor and their root mesh point.
Interface Bias: This field lists any bias applied because of the preferred root Interface Index.
Neighbor Bias: This field lists any bias applied because of the preferred root next-hop Neighbor IFID.
Root Bias: This field lists any bias applied because of the preferred root MPID.

The Multicast Path tab displays the following:
Mesh Point Name: Displays the name of each configured mesh point in the RF Domain.
Subscriber Name: Lists the subscriber name used to distinguish between other mesh point neighbors both on the same device and on other devices.
Subscriber MPID: Lists the subscriber ID to distinguish between other mesh point neighbors both on the same device and on other devices.
Group Address: Displays the MAC address used for the Group in the mesh point.
Path Timeout: The timeout interval in seconds. The interpretation of this value will vary depending on the value of the state. If the state is Init or In Progress, the timeout duration has no significance. If the state is Enabled, the timeout duration indicates the amount of time left before the security validity check is initiated. If the state is Failed, the timeout duration is the amount of time after which the system will retry.

The Neighbors tab displays the following:
Mesh Point Name: Displays the name of each configured mesh point in the RF Domain.
Mesh Point Identifier: The destination is the endpoint of the mesh path. It may be a MAC address or a mesh point ID.
Neighbor MP ID: The MAC Address that the device uses to define the mesh point in the device that the neighbor is a part of. It is used to distinguish the device that is the neighbor.
Neighbor IFID: The MAC Address used by the interface on the neighbor device to communicate with this device. This may define a particular radio or Ethernet port that communicates with this device over the mesh.
Root MP ID: The mesh point ID of the neighbor's root mesh point.
Is Root: A root mesh point is defined as a mesh point that is connected to the WAN and provides a wired backhaul to the network. Yes if the mesh point that is the neighbor is a root mesh point or No if the mesh point that is the neighbor is not a root mesh point.
Mobility: Displays whether the mesh point is a mobile or static node. Displays True when the device is mobile and False when the device is not mobile.
Radio Interface: This indicates the interface that is used by the device to communicate with this neighbor. The values are 2.4 and 5.8, indicating the frequency of the radio that is used to communicate with the neighbor.
Mesh Root Hops: The number of devices between the neighbor and its root mesh point. If the neighbor is a root mesh point, this value will be 0. If the neighbor is not a root mesh point but it has a neighbor that is a root mesh point, this value will be 1. Each mesh point between the neighbor and its root mesh point is counted as 1 hop.
Resourced: Displays whether the mesh point has been resourced or not. The Mesh Connex neighbor table can contain more neighbors than the AP supports. If the neighbor is resourced, it will take away one of the resources for a wireless client device to be used for meshing. Displays True when the device is resourced and False when the device is not.
Link Quality: An abstract value depicting the quality of the mesh link between the device and the neighbor. The range is from 0 (weakest) to 100 (strongest).
Link Metric: This value shows the computed path metric from the device to the neighbor mesh point using this interface. The lower the number, the better the possibility that the neighbor will be chosen as the path to the root mesh point.
Root Metric: The computed path metric between the neighbor and their root mesh point.
Rank: The rank is the level of importance and is used for automatic resource management.
  8 – The current next hop to the recommended root.
  7 – Any secondary next hop to the recommended root that has a good potential route metric.
  6 – A next hop to an alternate root node.
  5 – A downstream node currently hopping through to get to the root.
  4 – A downstream node that could hop through to get to the root, but is currently not hopping through any node (look at authentication, as this might be an issue).
  3 – A downstream node that is currently hopping through a different node to get to the root, but could potentially have a better route metric if it hopped through this node.
  2 – Reserved for active peer to peer routes and is not currently used.
  1 – A neighbor bound to the same recommended root but does not have a potential route metric as good as the neighbors ranked 8 and 7.
  0 – A neighbor bound to a different root node.
  -1 – Not a member of the mesh as it has a different mesh ID.
  All client devices hold a rank of 3 and can replace any mesh devices lower than that rank.
Age: Displays the number of milliseconds since the mesh point last heard from this neighbor.

The Security tab displays the following:
Mesh Point Name: Displays the name of each configured mesh point in the RF Domain.
Mesh Point Identifier: The destination is the endpoint of the mesh path. It may be a MAC address or a mesh point ID.
Radio Interface: This indicates the interface that is used by the device to communicate with this neighbor. The values are 2.4 and 5.8, indicating the frequency of the radio that is used to communicate with the neighbor.
Interface ID: The IFID uniquely identifies an interface associated with the MPID. Each mesh point on a device can be associated with one or more interfaces.
State: Displays the Link State for each mesh point:
  Init - indicates the link has not been established or has expired.
  Enabled - indicates the link is available for communication.
  Failed - indicates the attempt to establish the link failed and cannot be retried yet.
  In Progress - indicates the link is being established but is not yet available.
Timeout: Displays the maximum value in seconds that the link is allowed to stay in the In Progress state before timing out.
Keep Alive: Yes indicates the local MP acts as a supplicant to authenticate the link and not let it expire (if possible). No indicates that the local MP does not need the link and will let it expire if not maintained by the remote MP.

The Proxy tab displays the following:
Mesh Point Name: Displays the name of each configured mesh point in the RF Domain.
Mesh Point Identifier: The destination is the endpoint of the mesh path. It may be a MAC address or a mesh point ID.
Proxy Address: Displays the MAC Address of the proxy used in the mesh point.
Age: Displays the age of the proxy connection for each of the mesh points in the RF Domain.
Proxy Owner: The owner (MPID) is used to distinguish the device that is the neighbor.
VLAN: The VLAN ID used as a virtual interface with this proxy. A value of 4095 indicates that there is no VLAN ID.

12 Select Device Data Transmit.
Figure 15-26 RF Domain - Mesh Point Device Data Transmit screen

13 Review the following transmit and receive statistics for Mesh nodes:
Data Bytes (Bytes): Transmitted Bytes: Displays the total amount of data, in Bytes, transmitted by mesh points in the RF Domain.
Data Bytes (Bytes): Received Bytes: Displays the total amount of data, in Bytes, received by mesh points in the RF Domain.
Data Bytes (Bytes): Total Bytes: Displays the total amount of data, in Bytes, transmitted and received by mesh points in the RF Domain.
Data Packets Throughput (Kbps): Transmitted Packets: Displays the total amount of data, in packets, transmitted by mesh points in the RF Domain.
Data Packets Throughput (Kbps): Received Packets: Displays the total amount of data, in packets, received by mesh points in the RF Domain.
Data Packets Throughput (Kbps): Total Packets: Displays the total amount of data, in packets, transmitted and received by mesh points in the RF Domain.
Data Rates (bps): Transmit Data Rate - Displays the average data rate, in kbps, for all data transmitted by mesh points in the RF Domain.
Data Rates (bps): Receive Data Rate - Displays the average data rate, in kbps, for all data received by mesh points in the RF Domain.
Data Rates (bps): Total Data Rate - Displays the average data rate, in kbps, for all data transmitted and received by mesh points in the RF Domain.
Packets Rate (pps): Transmitting Packet rate - Displays the average packet rate, in packets per second, for all data transmitted and received by mesh points in the RF Domain.
Packets Rate (pps): Received Packet rate - Displays the average packet rate, in packets per second, for all data received by mesh points in the RF Domain.
Packets Rate (pps): Total Packet Rate - Displays the average data packet rate, in packets per second, for all data transmitted and received by mesh points in the RF Domain.
Data Packets Dropped and Errors: Tx Dropped - Displays the total number of transmissions that were dropped by mesh points in the RF Domain.
Data Packets Dropped and Errors: Rx Errors - Displays the total number of receive errors from mesh points in the RF Domain.
Broadcast Packets: Tx Bcast/Mcast Pkts - Displays the total number of broadcast and multicast packets transmitted from mesh points in the RF Domain.
Broadcast Packets: Rx Bcast/Mcast Pkts - Displays the total number of broadcast and multicast packets received from mesh points in the RF Domain.
Broadcast Packets: Total Bcast/Mcast Pkts - Displays the total number of broadcast and multicast packets transmitted and received from mesh points in the RF Domain.
Management Packets: Transmitted by the node - Displays the total number of management packets transmitted through the mesh point node.
Management Packets: Received by the node - Displays the total number of management packets received through the mesh point node.
Management Packets: Total Through the domain - Displays the total number of management packets that were transmitted and received through the mesh point node.
Data Indicators: Traffic Index - Displays True or False to indicate whether or not a traffic index is present.
Data Indicators: Max User Rate - Displays the maximum user throughput rate for mesh points in the RF Domain.
Data Distribution: Neighbor Count - Displays the total number of neighbors known to the mesh points in the RF Domain.
Data Distribution: Radio Count - Displays the total number of neighbor radios known to the mesh points in the RF Domain.

15.2.12 SMART RF

When invoked by an administrator, Self-Monitoring At Run Time (Smart RF) instructs Access Point radios to change to a specific channel and begin beaconing using the maximum available transmit power. Within a well-planned deployment, any RF Domain member Access Point radio should be reachable by at least one other radio. Smart RF records signals received from its neighbors as well as signals from external, un-managed radios. AP-to-AP distance is recorded in terms of signal attenuation. The information from external radios is used during channel assignment to minimize interference.

To view the Smart RF summary for RF Domain member Access Point radios:

1 Select the Statistics menu from the Web UI.
2 Select an RF Domain from under the System node on the top, left-hand side, of the screen.
3 Select SMART RF from the RF Domain menu.
4 Expand the SMART RF menu and select Summary.

The summary screen enables administrators to assess the efficiency of RF Domain member device channel distributions, sources of interference potentially requiring Smart RF adjustments, top performing RF Domain member device radios and the number of power, channel and coverage changes required as part of a Smart RF performance compensation activity.

Figure 15-27 RF Domain - Smart RF Summary screen

5 The Channel Distribution field lists how RF Domain member devices are utilizing different channels to optimally support connected devices and avoid congestion and interference with neighboring devices. Assess whether the channel spectrum is being effectively utilized and whether channel changes are warranted to improve RF Domain member device performance.
6 Review the Top 10 interference table to assess RF Domain member devices whose level of interference exceeds the threshold set (from -100 to -10 dBm) for acceptable performance.

Interferer - Lists the administrator defined name of the interfering RF Domain member device.
Vendor - Displays the vendor name (manufacturer) of the interfering RF Domain member device radio.
Radio - Lists each offending device’s radio name contributing to the top 10 interference listing.
Radio MAC - Displays the factory encoded hardware MAC address assigned to the RF Domain member device radio.
Channel - Displays the channel each of the 10 poorly performing RF Domain member devices was detected on. Numerous interfering devices on the same channel could define the need for better channel segregation to reduce the levels of detected interference.
RSSI - Lists a relative signal strength indication (RSSI) in dBm for those RF Domain member devices falling into the poorest performing 10 devices based on the administrator defined threshold value.

7 Review the Top 5 Active Radios to assess the significance of any Smart RF initiated compensations versus their reported top performance.

Radio MAC - Lists the hardware encoded MAC address of each listed top performing RF Domain member device radio.
RF Band - Displays the top performing radio’s operation band. This may help determine whether more changes were required in the 2.4 GHz band than 5 GHz or vice versa.
AP Name - Lists the administrator assigned Access Point name used to differentiate from other RF Domain member Access Point radios. The name displays in the form of a link that can be selected to display device information in greater detail.
Power Changes - Displays the number of Smart RF initiated power level changes reported for this top performing RF Domain member radio.
Channel Changes - Displays the number of Smart RF initiated channel changes reported for this top performing RF Domain member radio.
Coverage Changes - Displays the number of Smart RF initiated coverage changes reported for this top performing RF Domain member radio.

8 Refer to the SMART RF Activity table to view the trending of Smart RF compensations.

Time Period - Lists the frequency Smart RF activity is trended for the RF Domain. Trending periods include the Current Hour, Last 24 Hours or the Last Seven Days. Comparing Smart RF adjustments versus the last seven days enables an administrator to assess whether periods of interference and poor performance were relegated to just specific periods.
Power Changes - Displays the number of Smart RF initiated power level changes needed for RF Domain member devices during each of the three trending periods. Determine whether power compensations were relegated to known device outages or if compensations were consistent over the course of a day or week.
Channel Changes - Lists the number of Smart RF initiated channel changes needed for RF Domain member devices during each of the three trending periods. Determine if channel adjustments were relegated to known device count increases or decreases over the course of a day or week.
Coverage Changes - Displays the number of Smart RF initiated coverage changes needed for RF Domain member devices during each of the three trending periods. Determine if coverage changes were relegated to known device failures or known periods of interference over the course of a day or week.

9 Select Refresh to update the Summary to its latest RF Domain Smart RF information.
10 Select Details from the RF Domain menu.

Refer to the General field to review the radio's factory encoded hardware MAC address, the radio index assigned by the administrator, the 802.11 radio type, its current operational state, the radio's AP hostname assigned by an administrator, its current operating channel and power.

Figure 15-28 RF Domain - Smart RF Details screen

Refer to the Neighbors table to review the attributes of neighbor radio resources available for Smart RF radio compensations for other RF Domain member device radios. Individual Access Point hostnames can be selected and the RF Domain member radio can be reviewed in greater detail. Attenuation is a measure of the reduction of signal strength during transmission. Attenuation is the opposite of amplification, and is normal when a signal is sent from one point to another. If the signal attenuates too much, it becomes unintelligible. Attenuation is measured in decibels. The radio's current operating channel is also displayed, as is the radio's hard coded MAC address, transmit power level and administrator assigned ID. Select Refresh at any time to update the Details screen to its latest values.

11 Select the Energy Graph tab.

Use the Energy Graph to review the radio’s operating channel, noise level and neighbor count. This information helps assess whether Smart RF neighbor recovery is needed in respect to poorly performing radios.
Figure 15-29 RF Domain - Smart RF Energy Graph

12 Select Smart RF History to review the descriptions and types of Smart RF events impacting RF Domain member devices.

Figure 15-30 RF Domain - Smart RF History screen
The SMART RF History screen displays the following RF Domain member historical data:

Time - Displays a time stamp when Smart RF status was updated on behalf of a Smart RF adjustment within the selected RF Domain.
Type - Lists a high-level description of the Smart RF activity initiated for an RF Domain member device.
Description - Provides a more detailed description of the Smart RF event in respect to the actual Smart RF calibration or adjustment made to compensate for detected coverage holes and interference.
Refresh - Select the Refresh button to update the statistics counters to their latest values.

15.2.13 WIPS

Refer to the Wireless Intrusion Protection Software (WIPS) screens to review a client blacklist and events reported by an RF Domain member Access Point. For more information, see:

• WIPS Client Blacklist
• WIPS Events

15.2.13.1 WIPS Client Blacklist

The Client Blacklist displays clients detected by WIPS and removed from RF Domain utilization. Blacklisted clients are not allowed to associate to RF Domain member Access Point radios.

To view the WIPS client blacklist:

1 Select the Statistics menu from the Web UI.
2 Select an RF Domain from under the System node on the top, left-hand side, of the screen.
3 Expand the WIPS menu item and select Client Blacklist.
Figure 15-31 RF Domain - WIPS Client Blacklist screen

The WIPS Client Blacklist screen displays the following:

Event Name - Displays the name of the blacklisting wireless intrusion event detected by an RF Domain member Access Point.
Blacklisted Client - Displays the MAC address of the unauthorized (blacklisted) client intruding the RF Domain.
Time Blacklisted - Displays the time when the wireless client was blacklisted by an RF Domain member Access Point.
Total Time - Displays the time the unauthorized (now blacklisted) device remained in the RF Domain.
Time Left - Displays the time the blacklisted client remains on the list.
Refresh - Select the Refresh button to update the statistics counters to their latest values.

15.2.13.2 WIPS Events

Refer to the WIPS Events screen to assess WIPS events detected by RF Domain member Access Point radios and reported to the controller or service platform.

To view the rogue Access Point statistics:

1 Select the Statistics menu from the Web UI.
2 Select an RF Domain from under the System node on the top, left-hand side, of the screen.
3 Expand the WIPS menu item and select WIPS Events.
Figure 15-32 RF Domain - WIPS Events screen

The WIPS Events screen displays the following:

Event Name - Displays the event name of the intrusion detected by an RF Domain member Access Point.
Reporting AP - Displays the MAC address of the RF Domain member Access Point reporting the event.
Originating Device - Displays the MAC address of the device generating the event.
Detector Radio - Displays the radio number detecting the WIPS event.
Time Reported - Displays a time stamp of when the event was reported by the RF Domain member Access Point radio.
Clear All - Select the Clear All button to clear the statistics counters and begin a new data collection.
Refresh - Select the Refresh button to update the statistics counters to their latest values.

15.2.14 Captive Portal

A captive portal is a guest access policy for providing guests temporary and restrictive access to the controller or service platform managed wireless network. Captive portal authentication is used primarily for guest or visitor access to the network, but is increasingly being used to provide authenticated access to private network resources when 802.1X EAP is not a viable option. Captive portal authentication does not provide end-user data encryption, but it can be used with static WEP, WPA-PSK or WPA2-PSK encryption.

To view the RF Domain captive portal statistics:

1 Select the Statistics menu from the Web UI.
2 Select an RF Domain from under the System node on the top, left-hand side, of the screen.
3 Select Captive Portal from the RF Domain menu.
Figure 15-33 RF Domain - Captive Portal

The screen displays the following Captive Portal data for requesting clients:

Client MAC - Displays the MAC address of each listed client requesting captive portal access to the controller or service platform managed network. This address can be selected to display client information in greater detail.
Hostname - Lists the administrator assigned hostname of the device requesting captive portal access to the network’s RF Domain resources.
Client IP - Displays the IPv4 formatted address of each listed client using its connected RF Domain member Access Point for captive portal access.
Client IPv6 - Displays any IPv6 formatted address of any listed client using its connected RF Domain member Access Point for captive portal access. IPv6 is the latest revision of the Internet Protocol (IP) designed to replace IPv4. IPv6 provides enhanced identification and location information for computers on networks routing traffic across the Internet. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons.
Captive Portal - Lists the name of the RF Domain captive portal currently utilized by each listed client.
Port Name - Lists the name of the virtual port used for captive portal session direction.
Authentication - Displays the authentication status of requesting clients attempting to connect to the controller or service platform via the captive portal.
WLAN - Displays the name of the WLAN the requesting client would use for interoperation with the controller or service platform.
VLAN - Displays the name of the VLAN the client would use as a virtual interface for captive portal operation with the controller or service platform.
Remaining Time - Displays the time after which a connected client is disconnected from the captive portal.
Refresh - Select the Refresh button to update the statistics counters to their latest values.

15.2.15 Application Visibility (AVC)

RF Domain member devices inspect every byte of each application header packet allowed to pass through the WiNG managed network. When an application is recognized and classified by the WiNG application recognition engine, administrator defined actions can be applied to that specific application. For information on categorizing, filtering and logging the application data allowed to proliferate the WiNG managed network, refer to Application Policy on page 7-54 and Application on page 7-58.

To view the RF Domain application utilization statistics:

1 Select the Statistics menu from the Web UI.
2 Select an RF Domain from under the System node on the top, left-hand side, of the screen.
3 Select Application Visibility (AVC) from the RF Domain menu.

Figure 15-34 RF Domain - Application Visibility
4 Refer to the Top Applications graph to assess the most prolific, and allowed, application data passing through RF Domain member devices.

Total Bytes - Displays the top ten RF Domain member utilized applications in respect to total data bytes passing through the RF Domain member WiNG managed network. These are only the administrator allowed applications approved for proliferation within the RF Domain member device.
Bytes Uploaded - Displays the top ten RF Domain member applications in respect to total data bytes uploaded through the RF Domain member WiNG managed network. If this application data is not aligned with application utilization expectations, consider allowing or denying additional applications and categories or adjusting their precedence (priority).
Bytes Downloaded - Displays the top ten RF Domain member applications in respect to total data bytes downloaded from the RF Domain member WiNG managed network. If this application data is not aligned with application utilization expectations, consider allowing or denying additional applications and categories or adjusting their precedence (priority).

5 Refer to the Application Detailed Stats table to assess specific application data utilization:

Application Name - Lists the RF Domain member allowed application name whose data (bytes) are passing through the WiNG managed network.
Uploaded - Displays the amount of uploaded application data (in bytes) passing through the WiNG managed network.
Downloaded - Displays the amount of downloaded application data (in bytes) passing through the WiNG managed network.
Num Flows - Lists the total number of application data flows passing through RF Domain member devices for each listed application. An application flow can consist of packets in a specific connection or media stream. Application packets with the same source address/port and destination address/port are considered one flow.
Clear Application Stats - Select this option to clear the application assessment data counters and begin a new assessment.
Refresh - Select the Refresh button to update the statistics counters to their latest values.

6 Select the Category tab.

Categories are existing WiNG or user defined application groups (video, streaming, mobile, audio etc.) that assist administrators in filtering (allowing or denying) application data. For information on categorizing application data, refer to Application Policy on page 7-54 and Application on page 7-58.
Figure 15-35 RF Domain - Application Category Visibility

7 Refer to the Top Categories graph to assess the most prolific, and allowed, application data categories utilized by RF Domain member devices.

Total Bytes - Displays the top ten RF Domain member application categories in respect to total data bytes passing through the RF Domain member WiNG managed network. These are only the administrator allowed application categories approved for proliferation within the RF Domain.
Bytes Uploaded - Displays the top ten RF Domain member application categories in respect to total data bytes uploaded through the RF Domain member WiNG managed network. If this category data is not aligned with application utilization expectations, consider allowing or denying additional categories or adjusting their precedence (priority).
Bytes Downloaded - Displays the top ten RF Domain member application categories in respect to total data bytes downloaded from the RF Domain member WiNG managed network. If this category data is not aligned with application utilization expectations, consider allowing or denying additional categories or adjusting their precedence (priority).

8 Refer to the Category Detailed Stats table to assess specific application category data utilization:

Category Name - Lists the RF Domain member allowed category whose application data (in bytes) is passing through the WiNG managed network.
Uploaded - Displays the amount of uploaded application category data (in bytes) passing through the WiNG managed network.
Downloaded - Displays the amount of downloaded application category data (in bytes) passing through the WiNG managed network.
Num Flows - Lists the total number of application category data flows passing through RF Domain member devices. A category flow can consist of packets in a specific connection or media stream. Packets with the same source address/port and destination address/port are considered one flow.
Clear Application Stats - Select this option to clear the application category assessment data counters and begin a new assessment.
Refresh - Select the Refresh button to update the statistics counters to their latest values.

15.2.16 Coverage Hole Summary

Periodically refer to a selected RF Domain’s coverage hole summary to assess the RF Domain member Access Point radios reporting coverage hole adjustments. When coverage hole recovery is enabled and a deployment area radio coverage hole is detected, Smart RF determines the radio’s power increase compensation required based on a reporting client’s signal to noise ratio (SNR). If a client’s SNR is above the administrator threshold, its connected Access Point’s transmit power is increased until the noise rate falls below the threshold.

To view an RF Domain’s coverage hole summary:

1 Select the Statistics menu from the Web UI.
2 Select an RF Domain from under the System node on the top, left-hand side, of the screen.
3 Select Coverage Hole Detection from the RF Domain menu and expand this item to display its submenu options.
4 Select Summary.
Figure 15-36 RF Domain - Coverage Hole Summary

The screen displays the following RF Domain coverage hole summarization data:

AP Hostname - Displays each RF Domain member Access Point hostname reporting a coverage hole compensation event. This can be helpful in assessing whether specific Access Points consistently report coverage holes and whether additional Access Point placements are required to compensate for poorly performing radios.
Coverage Hole Incidents Count - Lists each reporting Access Point’s coverage hole incident count since the screen was last cleared. Periodically assess whether a specific Access Point’s high incident count over a trended repeatable period warrants additional Access Point placements in that same radio coverage area to reduce a coverage hole.
Clear Coverage Incidents - Select this option to clear the statistics counters and begin a new coverage hole summary for RF Domain member Access Point radios.
Refresh - Select the Refresh button to update the statistics counters to their latest values.

15.2.17 Coverage Hole Details

In addition to the RF Domain’s Coverage Hole Summary, a specific Access Point’s coverage hole history can be reviewed in detail. Consider using different RF Domain member Access Points or their connected clients to help validate the data reported before compensating for the coverage hole by increasing the radio transmit power of neighboring Access Points.

To review specific RF Domain member Access Point coverage hole information:

1 Select the Statistics menu from the Web UI.
2 Select an RF Domain from under the System node on the top, left-hand side, of the screen.
3 Select Coverage Hole Detection from the RF Domain menu and expand this item to display its submenu options.
4 Select Detail.

Figure 15-37 RF Domain - Coverage Hole Details

5 Use the Filtered By option to define whether the RF Domain’s coverage hole details are provided by a selected Access Point (AP) or by a specific RF Domain member Access Point’s connected Client. Consider filtering by different RF Domain member devices to validate the accuracy of a reported coverage hole before increasing the transmit power of neighboring radios to compensate.
6 Refer to the Enter MAC Address parameter to define an RF Domain member Access Point MAC address or Hostname or just a client MAC address. This is the selected device reporting coverage hole details to the listed RF Domain member Access Point.
7 Select Filter to begin the coverage hole data collection using the Access Point or client details provided. Refer to the following to review the data reported:

Hostname - Lists the administrator assigned hostname used as each listed Access Point’s network identifier. This is the Access Point whose client(s) are reporting coverage hole RSSI data.
Radio - Lists the Access Point radio receiving and reporting coverage hole RSSI data from the listed client MAC. Each supported Access Point has at least two radios, with the exception of the AP6521 model, which is a single-radio model.
BSSID - Displays the basic service set identifier (BSSID) included in an Access Point’s wireless packet transmissions. Packets need to go to their correct destination. While an SSID keeps packets within the correct WLAN, there are usually multiple Access Points within each WLAN. A BSSID identifies the correct Access Point and its connected clients.
Client MAC - Lists each connected client’s hardware encoded MAC address. This is the client reporting coverage hole RSSI data to its connected Access Point radio.
RSSI - Displays the Received Signal Strength Indicator (RSSI) of the detecting Access Point radio or client.
Date-Time - Displays the date and time when each listed Access Point received its coverage hole incident information.
Clear Coverage Incidents - Select this option to clear the statistics counters and begin a new coverage hole assessment for RF Domain member Access Point radios.
Refresh - Select the Refresh button to update the statistics counters to their latest values.

15.3 Controller Statistics

The Wireless Controller screen displays information about peer controllers or service platforms and their connected Access Points. As members of a cluster, a controller or service platform manages its own network and is ready to assume the load of an offline peer. The screen displays detailed statistics which include network health, inventory of devices, wireless clients, adopted APs, rogue APs and WLANs. For more information, refer to the following:

• Health
• Device
• Cluster Peers
• Web-Filtering
• Application Visibility (AVC)
• Application Policy
• Device Upgrade
• Mirroring
• Adoption
• AP Detection
• Guest User
• Wireless LANs
• Policy Based Routing
• Radios
• Mesh
• Interfaces
• RAID Statistics
• Border Gateway Protocol (BGP) Statistics
• Power Status
• PPPoE
• OSPF
• L2TPv3
• VRRP
• Critical Resources
• LDAP Agent Status
• Mint Links
• Guest Users
• GRE Tunnels
• Dot1x
• Network
• DHCPv6 Relay & Client
• DHCP Server
• Firewall
• VPN
• Viewing Certificate Statistics
• WIPS Statistics
• Sensor Server
• Bonjour Services
• Captive Portal Statistics
• Network Time

15.3.1 Health

The Health screen displays details such as hostname, device name, RF Domain name, radio RF quality and client RF quality.

To view controller or service platform device health data:

1 Select the Statistics tab from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select Health from the left-hand side of the UI.
Figure 15-38 Wireless Controller - Health screen

The Device Details field displays the following:

Hostname - Displays the administrator assigned hostname of the controller or service platform.
Device MAC - Displays the MAC address of the controller.
Primary IP - Lists the network address used by this controller or service platform as a network identifier.
Type - Displays the RFS series controller or NX series service platform type.
RF Domain Name - Displays the controller’s domain membership. The name displays in the form of a link that can be selected to display a detailed description of the RF Domain configuration.
Model Number - Displays the RFS series controller or NX series service platform type.
Version - Displays the version of the image running on the controller or service platform.
Uptime - Displays the cumulative time since the controller or service platform was last rebooted or lost power.
CPU - Displays the controller or service platform processor name.
RAM - Displays the CPU memory in use.
System Clock - Displays the system clock information.

The Access Point Health (w/ cluster members) chart shows how many Access Points are online and how many are offline. These are APs with cluster members directly managed by the wireless controller. This data does not include Access Points associated to other controllers or service platforms in the same cluster.

The Radio RF Quality Index field displays RF quality (overall effectiveness of the RF environment). Use this table to assess radio performance for improvement ideas.

The RF Quality Index field displays the following:

RF Quality Index - Displays the five radios with the lowest average quality.
Radio Id - Displays the hardware encoded MAC address of the radio.
Radio Type - Displays the radio type used by this Access Point.

The Radio Utilization Index field measures how efficiently the traffic medium is used. It’s defined as the percentage of the current throughput relative to the maximum possible throughput:

Total Bytes - Displays the total bytes of data transmitted and received by the controller or service platform since the screen was last refreshed.
Total Packets - Lists the total number of data packets transmitted and received by the controller or service platform since the screen was last refreshed.
Total Dropped - Lists the number of dropped data packets by a controller or service platform managed Access Point radio since the screen was last refreshed.

The Client RF Quality Index field displays the RF quality of the clients. Use this table to troubleshoot radios not optimally performing:

Worst 5 - Displays the five client radios with the lowest quality indices.
Client MAC - Displays the MAC address of the client.
Retry Rate - Displays the excessive retry rate of each listed controller or service platform managed client.

4 Select Refresh to update the statistics counters to their latest values.

15.3.2 Device

The Device statistics screen provides detailed information about the selected device.

To view controller or service platform device statistics:

1 Select the Statistics tab from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select Device from the left-hand side of the UI.
Figure 15-39 Wireless Controller - Device screen

The System field displays the following:

Model Number - Displays the model number for the selected controller or service platform.
Serial Number - Displays the serial number encoded on the controller or service platform at the factory.
Version - Displays the unique alphanumeric firmware version name for the controller or service platform firmware.
Boot Partition - Displays the boot partitioning type.
Fallback Enabled - Displays whether fallback is enabled. The fallback feature enables a user to store both a legacy and new firmware version in memory. You can test the new software and use an automatic fallback mechanism, which loads the old version, if the new version fails.
Fallback Image Triggered - Displays whether the fallback image has been triggered. The fallback is a legacy software image stored in device memory. This allows a user to test a new version and revert to the older version if needed.
Next Boot - Designates this version as the version used the next time the controller or service platform is booted.

The System Resources field displays the following:

Available Memory (MB) - Displays the memory (in MB) available on the selected controller or service platform.
Total Memory (MB) - Displays the controller or service platform’s total memory.
Currently Free RAM - Displays the Access Point’s free RAM space. If it’s very low, free up some space by closing some processes.
Recommended Free RAM - Displays the recommended RAM required for routine operation.
Current File Descriptors - Displays the controller or service platform’s current file description.
Maximum File Descriptors - Displays the controller or service platform’s maximum file description.
CPU Load 1 Minute - Lists the typical controller or service platform processor load over 1 minute.
CPU Load 5 Minutes - Lists the typical controller or service platform processor load over 5 minutes.
CPU Load 15 Minutes - Lists the typical controller or service platform processor load over 15 minutes.

The Upgrade Status field displays firmware upgrade statistics. The table provides the following:

Upgrade Status - Displays whether the image upgrade was successful.
Upgrade Status Time - Displays the time of the upgrade.

The IP Domain field displays the following:

IP Domain Name - Displays the name of the IP Domain service used with the selected controller or service platform.
IP Domain Lookup state - Lists the current state of the lookup operation.

The Fan Speed field displays the following:

Number - Displays the number of fans supported on this controller or service platform.
Speed (Hz) - Displays the fan speed in Hz.

The Temperature field displays the following:

Number - Displays the number of temperature elements used by the controller or service platform.
Temperature - Displays the current temperature (in Celsius) to assess a potential Access Point overheat condition.

The Kernel Buffers field displays the following:

Buffer Size - Lists the sequential buffer size.
Current Buffers - Displays the current buffers available to the selected controller or service platform.
Maximum Buffers - Lists the maximum buffers available to the selected controller or service platform.
The Firmware Images field displays the following:

Primary Build Date: Displays the build date when this version was created.
Primary Install Date: Displays the date this version was installed on the controller or service platform.
Primary Version: Displays the primary version string.
Secondary Build Date: Displays the build date when this secondary version was created.
Secondary Install Date: Displays the date this secondary version was installed on the controller or service platform.
Secondary Version: Displays the secondary version string.
FPGA Version: Displays the version of FPGA firmware used by the controller or service platform.
PoE Version Firmware: Lists the Power-over-Ethernet (PoE) version firmware.

The AP Licenses field displays the following:

AP Licenses: Displays the number of AP licenses currently available on the controller or service platform. This value represents the maximum number of licenses the controller or service platform can adopt.
AP Adoptions: Displays the number of Access Points adopted by this controller or service platform.
AP License: Displays the license string of the AP.

The AAP Licenses field displays the following:

AAP Licenses: Displays the number of AAP licenses currently available on the controller or service platform. This value represents the maximum number of licenses the controller or service platform can adopt.
AAP Adoptions: Displays the number of adaptive Access Points adopted by this controller or service platform.
AAP License: Displays the license string of the adaptive Access Point.

The Additional Licenses area displays the following information:

ADSEC: Displays Advanced Security licenses. This enables the Role Based firewall and increases the number of IPSec VPN tunnels. The maximum number of IPSec VPN tunnels varies by platform.
WIPS: Displays the number of WIPS licenses utilized by the controller or service platform.
Hotspot Analytics: Displays whether an advanced hotspot analytics license is in use and applied to the controller or service platform.

The IP Name Servers table displays the following:

Name Server: Displays any custom Name Server mappings on the controller or service platform.
Type: Displays the type of DNS mapping, if any, on the controller or service platform.
The IPv6 Name Servers table displays the following:

Name Server: Displays any custom IPv6 formatted IP address Name Server mappings on the controller or service platform.
Type: Displays the type of DNS mapping, if any, on the controller or service platform.

The IPv6 Hop Limit table displays the following:

Hop Limit: Lists the maximum number of times IPv6 traffic can hop. The IPv6 header contains a hop limit field that controls the number of hops a datagram can be sent before being discarded (similar to the TTL field in an IPv4 header).

The IPv6 Delegated Prefixes table displays the following:

IPv6 Delegated Prefix: If IPv6 is in use, prefix delegation is used to assign a network address prefix, configuring the controller or service platform with the prefix.
Prefix Name: Lists the 32 character maximum name for the IPv6 delegated prefix, used as an easy to remember alias for an entire IPv6 address.
DHCPv6 Client State: Displays the current DHCPv6 client state as impacted by the IPv6 delegated prefix.
Interface Name: Lists the interface over which IPv6 prefix delegation occurs.
T1 timer (seconds): Lists the amount of time in seconds before the DHCP T1 (delay before renew) timer expires.
T2 timer (seconds): Lists the amount of time in seconds before the DHCP T2 (delay before rebind) timer expires.
Last Refreshed (seconds): Lists the time, in seconds, since IPv6 prefix delegation has been updated.
Preferred Lifetime (seconds): Lists the time in seconds (relative to when the packet is sent) the IPv6 formatted address remains in a preferred state on the selected interface. The preferred lifetime must always be less than or equal to the valid lifetime.
Valid Lifetime (seconds): Displays the time in seconds (relative to when the packet is sent) the IPv6 formatted address remains in a valid state on the selected interface. The valid lifetime must always be greater than or equal to the preferred lifetime.

15.3.3 Cluster Peers
Controller Statistics

Refer to the Cluster Peers screen to review device address and version information for peer devices within a cluster.

To view controller or service platform cluster peer statistics:

1 Select the Statistics tab from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select Cluster Peers from the left-hand side of the UI.
Figure 15-40 Wireless Controller - Cluster Peers screen

The Cluster Peers screen displays the following:

Wireless Controller: Displays the IP addresses of current cluster member controllers or service platforms. The name displays in the form of a link that can be selected to display a detailed description of the controller or service platform's configuration.
MAC Address: Displays the MAC addresses of current cluster members.
Type: Displays the type of cluster peer (by controller or service platform model).
RF Domain Name: Displays each member's RF Domain name. The name displays in the form of a link that can be selected to display a detailed description of the RF Domain's configuration.
Online: Displays whether a controller or service platform is online. If it is online, a green check mark displays; if it is offline, a red X displays.
Version: Displays the numeric firmware version currently running on the controller or service platform. Use this version as the basis for comparison on whether newer versions are available from the support site that may provide increased functionality and a broader feature set.
Refresh: Select the Refresh button to update the screen's statistics counters to their latest values.

15.3.4 Web-Filtering
Controller Statistics

The Web-Filtering screen displays information on Web requests for content and whether the requests were blocked or approved based on URL filter settings defined for the selected controller or service platform. A URL filter is comprised of several filter rules. A whitelist bans all sites except the categories and URL lists defined in the whitelist. The blacklist allows all sites except the categories and URL lists defined in the blacklist.

To view this controller's Web filter statistics:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select Web-Filtering.

Figure 15-41 Wireless Controller - Web Filtering screen

The Web-Filtering Requests field displays the following information:

Total Blocks: Lists the number of Web request hits against content blocked in the URL blacklist.
Total Requests: Lists the total number of requests for URL content cached locally on this controller or service platform.
Total URL Cache Entries: Displays the number of cached URL data entries made on this controller or service platform at the request of clients requiring URL data managed by the controller or service platform and their respective whitelist or blacklist.

The Top Categories field helps administrators assess the content most requested, blocked and approved based on the defined whitelist and blacklist permissions:

Top Categories - Requested: Lists those Web content categories most requested by clients managed by this controller or service platform. Use this information to assess whether the permissions defined in the blacklist and whitelist optimally support these client requests for cached Web content.
Top Categories - Blocked: Lists those Web content categories blocked most often for requesting clients managed by this controller or service platform. Use this information to periodically assess whether the permissions defined in the blacklist and whitelist still restrict the desired cached Web content from requesting clients. Remember, a whitelist bans all sites except the categories and URL lists defined in the whitelist. The blacklist allows all sites except the categories and URL lists defined in the blacklist.
Top Categories - Approved: Lists those Web content categories approved most often on behalf of requesting clients managed by this controller or service platform. Periodically review this information to assess whether this cached and available Web content still adheres to your organization's standards for client access.

The Web Filter Status field displays the following information:

Name: Displays the name of the filter whose URL rule set has been invoked.
Blacklist Category: Lists the blacklist category whose URL filter rule set has caused data to be filtered to a requesting client. Periodically assess whether these rules are still relevant to the data requirements of requesting clients.
VLAN: Lists the impacted controller or service platform VLAN whose Web data traffic has been filtered based on the restrictions in the listed blacklist category.
WLAN: Lists the impacted controller or service platform WLAN whose Web data traffic has been filtered based on the restrictions in the listed blacklist category. Periodically assess whether clients are segregated to the correct WLAN based on their cached Web data requirements and impending filter rules.

4 Periodically select Refresh to update this screen to its latest values.

15.3.5 Application Visibility (AVC)
Controller Statistics

Controllers and service platforms can inspect every byte of each application header packet allowed to pass their managed radio devices. When an application is recognized and classified by the WiNG application recognition engine, administrator defined actions can be applied to that specific application. For information on categorizing, filtering and logging the application data allowed to proliferate the controller or service platform managed network, refer to Application Policy on page 7-54 and Application on page 7-58.

To view controller or service platform application utilization statistics:

1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select Application Visibility (AVC).
Figure 15-42 Controller - Application Visibility

4 Refer to the Top Applications graph to assess the most prolific, and allowed, application data passing through the controller and service platform.

Total Bytes: Displays the top ten utilized applications in respect to total data bytes passing through the controller or service platform managed network. These are only the administrator allowed applications approved for proliferation within the controller or service platform managed network.
Bytes Uploaded: Displays the top ten applications in respect to total data bytes uploaded through the controller or service platform managed network. If this application data is not aligned with application utilization expectations, consider allowing or denying additional applications and categories or adjusting their precedence (priority).
Bytes Downloaded: Displays the top ten applications in respect to total data bytes downloaded from the controller or service platform managed network. If this application data is not aligned with application utilization expectations, consider allowing or denying additional applications and categories or adjusting their precedence (priority).

5 Refer to the Application Detailed Stats table to assess specific application data utilization:

Application Name: Lists the allowed application name whose data (bytes) are passing through the controller or service platform managed network.
Uploaded: Displays the number of uploaded application data (in bytes) passing through the controller or service platform managed network.
Downloaded: Displays the number of downloaded application data (in bytes) passing through the controller or service platform managed network.
Num Flows: Lists the total number of application data flows passing through the controller or service platform for each listed application. An application flow can consist of packets in a specific connection or media stream. Application packets with the same source address/port and destination address/port are considered one flow.
Clear Application Stats: Select this option to clear the application assessment data counters and begin a new assessment. Selecting this option will not clear category stats, just application stats.
Refresh: Select the Refresh button to update the statistics counters to their latest values.

6 Select the Category tab.

Categories are existing WiNG or user defined application groups (video, streaming, mobile, audio etc.) that assist administrators in filtering (allowing or denying) application data. For information on categorizing application data, refer to Application Policy on page 7-54 and Application on page 7-58.

Figure 15-43 Controller - Application Category Visibility
7 Refer to the Top Categories graph to assess the most prolific, and allowed, application data categories utilized by the controller or service platform.

Total Bytes: Displays the top ten application categories in respect to total data bytes passing through the controller or service platform managed network. These are only the administrator allowed application categories approved for proliferation within the controller or service platform managed network.
Bytes Uploaded: Displays the top ten application categories in respect to total data bytes uploaded through the controller or service platform managed network. If this category data is not aligned with application utilization expectations, consider allowing or denying additional categories or adjusting their precedence (priority).
Bytes Downloaded: Displays the top ten application categories in respect to total data bytes downloaded from the controller or service platform managed network. If this category data is not aligned with application utilization expectations, consider allowing or denying additional categories or adjusting their precedence (priority).

8 Refer to the Category Detailed Stats table to assess specific application category data utilization:

Category Name: Lists the allowed category whose application data (in bytes) is passing through the controller or service platform network.
Uploaded: Displays the number of uploaded application category data (in bytes) passing through the controller or service platform managed network.
Downloaded: Displays the number of downloaded application category data (in bytes) passing through the controller or service platform managed network.
Num Flows: Lists the total number of application category data flows passing through controller or service platform managed devices. A category flow can consist of packets in a specific connection or media stream. Packets with the same source address/port and destination address/port are considered one flow.
Clear Category Stats: Select this option to clear the application category assessment data counters and begin a new assessment. Selecting this option will not clear application stats, just category stats.
Refresh: Select the Refresh button to update the statistics counters to their latest values.

15.3.6 Application Policy
Controller Statistics

When an application is recognized and classified by the WiNG application recognition engine, administrator defined actions can be applied to that specific application. An application policy defines the rules or actions executed on recognized HTTP (Facebook), enterprise (Webex) and peer-to-peer (gaming) applications or application-categories. For each rule defined, a precedence is assigned to resolve conflicting rules for applications and categories. A deny rule is exclusive, as no other action can be combined with a deny. An allow rule is redundant with other actions, since the default action is allow. An allow rule is useful when wanting to deny packets for a category, but wanting to allow a few applications in the same category to proceed. In such cases, add an allow rule for the applications with a higher precedence than the deny rule for that category.

Mark actions mark packets for a recognized application and category with DSCP/8021p values used for QoS. Rate-limits create a rate-limiter applied to packets recognized for an application and category. Ingress and egress rates need to be specified for the rate-limiter, but both are not required. Mark and rate-limit are the only two actions that can be combined for an application and category. All other combinations are invalid.

To view controller or service platform application policy statistics:

1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select Application Policy.

Figure 15-44 Controller - Application Policy

4 Refer to the Rules table to review the results of the application policies put in place thus far from this managing controller or service platform.

Action: Displays the action executed on the listed application.
    Allow - Allows packets for a specific application and its defined category type (social networking etc.). This is the default.
    Deny - Denies (restricts) the action applied to a specific application or a specific application category.
    Mark - Marks recognized packets with a DSCP/8021p value.
    Rate-limit - Rate limits packets from specific application types.
Type: Displays the application policy type applied.
Precedence: Lists the priority (from 1 - 256) for the application policy rule. The lower the value, the higher the priority assigned to this rule's enforcement action and the category and application assigned. A precedence also helps resolve conflicting rules for applications and categories.
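The precedence and action-combination rules described for application policies, as an added example that is not Extreme Networks code and does not reproduce the WiNG engine. The Rule class, the lint and evaluate functions, the category labels and the first-match evaluation order are assumptions made for illustration; the sample rule sets are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    precedence: int                 # 1 - 256; lower value = higher priority
    action: str                     # "allow", "deny", "mark" or "rate-limit"
    kind: str                       # "app" or "category"
    target: str                     # application or category name
    dscp: Optional[int] = None      # value written by a mark rule
    ingress: Optional[int] = None   # rate-limit ingress rate (units not modelled)
    egress: Optional[int] = None    # rate-limit egress rate (units not modelled)

    def matches(self, app: str, category: str) -> bool:
        return self.target == (app if self.kind == "app" else category)


def lint(rules, app_categories):
    """Return findings for rule sets that contradict the documented constraints."""
    findings = []
    actions_by_target = {}
    for r in rules:
        if not 1 <= r.precedence <= 256:
            findings.append(f"precedence {r.precedence} is outside 1 - 256")
        if r.action == "rate-limit" and r.ingress is None and r.egress is None:
            findings.append(f"rate-limit on {r.target} sets neither ingress nor egress")
        actions_by_target.setdefault((r.kind, r.target), set()).add(r.action)
    # Mark and rate-limit are the only actions that may share a target.
    for (kind, target), actions in actions_by_target.items():
        if len(actions) > 1 and actions != {"mark", "rate-limit"}:
            findings.append(f"invalid combination on {kind} {target}: "
                            + " + ".join(sorted(actions)))
    # An application allow only carves an exception out of a category deny
    # when its precedence value is lower than the deny's.
    denies = {r.target: r for r in rules
              if r.action == "deny" and r.kind == "category"}
    for r in rules:
        deny = denies.get(app_categories.get(r.target)) if r.kind == "app" else None
        if r.action == "allow" and deny and deny.precedence < r.precedence:
            findings.append(f"allow {r.target} (precedence {r.precedence}) is shadowed "
                            f"by deny {deny.target} (precedence {deny.precedence})")
    return findings


def evaluate(rules, app, category):
    """Assumed model: walk matching rules by precedence; first allow/deny decides."""
    result = {"action": "allow", "decided_by": None,   # default action is allow
              "dscp": None, "ingress": None, "egress": None}
    for r in sorted(rules, key=lambda rule: rule.precedence):
        if not r.matches(app, category):
            continue
        if r.action == "deny":
            # Deny is exclusive: no mark or rate-limit survives it.
            return {"action": "deny", "decided_by": r.precedence,
                    "dscp": None, "ingress": None, "egress": None}
        if r.action == "allow":
            result["decided_by"] = r.precedence
            return result
        if r.action == "mark" and result["dscp"] is None:
            result["dscp"] = r.dscp
        elif (r.action == "rate-limit" and result["ingress"] is None
              and result["egress"] is None):
            result["ingress"], result["egress"] = r.ingress, r.egress
    return result


# Constructed sample data: application-to-category map and two rule sets.
APP_CATEGORIES = {"facebook": "social-networking", "webex": "enterprise"}
GOOD_RULES = [
    Rule(10, "allow", "app", "facebook"),               # exception, higher priority
    Rule(20, "deny", "category", "social-networking"),
    Rule(30, "mark", "app", "webex", dscp=46),
    Rule(31, "rate-limit", "app", "webex", ingress=5000),
]
BAD_RULES = [
    Rule(20, "deny", "category", "social-networking"),
    Rule(30, "allow", "app", "facebook"),               # too late: deny wins first
    Rule(40, "deny", "app", "webex"),
    Rule(41, "mark", "app", "webex", dscp=46),          # deny + mark is invalid
    Rule(300, "rate-limit", "category", "streaming"),   # bad precedence, no rates
]

if __name__ == "__main__":
    for finding in lint(BAD_RULES, APP_CATEGORIES):
        print("finding:", finding)
    print(evaluate(GOOD_RULES, "facebook", "social-networking"))
    print(evaluate(GOOD_RULES, "webex", "enterprise"))
```

A rule whose Action Hit Count never rises while a broader deny on the same category keeps counting is the on-screen symptom of the shadowed allow that lint reports.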
The Rules table also displays the following:

Action Hit Count: Displays the number of times each listed application policy action has been triggered.
Refresh: Select the Refresh button to update the statistics counters to their latest values.

15.3.7 Device Upgrade
Controller Statistics

The Device Upgrade screen displays information about the devices receiving updates within the controller or service platform managed network. Use this screen to gather version data, install firmware images, boot an image and check upgrade status.

Controllers, service platforms or Access Points can be RF domain managers capable of receiving device firmware files from the NOC (NX7500 or NX9000 series service platforms) then provisioning other devices within their same RF domain. Controllers, service platforms and Access Points can now all update the firmware of different device models within their RF domain. However, firmware updates cannot be made simultaneously to devices in different site deployments.

To view the upgrade statistics:

1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select Device Upgrade.

Figure 15-45 Wireless Controller - Device Upgrade screen

The Upgrade screen displays the following information:

Device Hostname: Displays the administrator assigned hostname of the device receiving the update.
Type: Displays the model type of the device receiving a firmware update from the provisioning controller or service platform.
State: Displays the current state of the Access Point upgrade (done, failed etc.).
Time Last Upgraded: Displays the date and time of the last successful upgrade operation.
Retries Count: Displays the number of retries made in an update operation.
Upgraded By: Displays the MAC address of the controller or service platform that performed the upgrade operation.
Last Update Status: Displays the status of the last upgrade operation (Start Upgrade, Update error etc.).
Clear History: Select the Clear History button to clear the screen of its current status and begin a new data collection.
Refresh: Select the Refresh button to update the screen's statistics counters to their latest values.

15.3.8 Mirroring
Controller Statistics

NX4524 and NX6524 model service platforms have the ability to mirror data packets transmitted or received on any of their GE ports (GE port 1 - 24). Both transmit and receive packets can be mirrored from a source to a destination port as needed to provide traditional spanning functionality on the 24 GE ports.

Port mirroring is not supported on NX4500 or NX6500 models, as they only utilize GE ports 1 - 2. Additionally, port mirroring is not supported on uplink (up) ports or wired ports on any controller or service platform model.

To view NX4524 or NX6524 model service platform port mirroring statistics:

1 Select the Statistics tab from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select Mirroring from the left-hand side of the UI.

Figure 15-46 Wireless Controller - Mirroring screen
The Mirroring screen displays the following statistical data:

Source: Lists the GE port (1 - 24) used as the data source to span packets to the selected destination port. The packets spanned from the selected source to the destination depend on whether Inbound, Outbound or Any was selected as the direction. A source port cannot be a destination port.
Destination: Displays the GE port (1 - 24) used as the port destination to span packets from the selected source. The destination port serves as a duplicate image of the source port and can be used to send packets to a network diagnostic without disrupting the behavior on the original port. The destination port transmits only mirrored traffic and does not forward received traffic. Additionally, address learning is disabled on the destination port.
Direction: Lists the direction data packets are spanned from the selected source to the defined destination. Packets spanned from the source to the destination depend on whether Inbound (received packets only), Outbound (transmitted packets only) or Any (packets in either direction) was selected.
Refresh: Select the Refresh button to update the screen's statistics counters to their latest values.

15.3.9 Adoption
Controller Statistics

The Adoption screens list Access Points adopted by the controller or service platform, and include model, RF Domain membership, configuration status and device uptime information. For additional AP adoption information, including an adoption history and pending adoptions, see:

• AP Adoption History
• Pending Adoptions

To view device adoption statistics:

1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select Adoption > Adopted Devices from the left-hand side of the UI.
Figure 15-47 Wireless Controller - Adopted Devices screen

The Adopted Devices screen displays the following:

Device: Displays the name assigned to the adopted device by the management software. The Access Point name displays as a link that can be selected to display configuration and network address information in greater detail.
Type: Lists the model type of each Access Point managed by the selected controller or service platform (the controller or service platform listed in the Adopter Hostname column).
RF Domain Name: Displays the RF Domain memberships of each listed adopted device.
Model Number: Displays the model number of the adopted device.
Status: Lists whether an adopted Access Point has been configured (provisioned) by its connected Access Point or service platform.
Errors: Lists any errors encountered when each listed Access Point was adopted by the controller or service platform.
Adopter Hostname: Lists the hostname assigned to the adopting controller or service platform.
Adoption Time: Displays a timestamp for each listed Access Point reflecting when the device was adopted by the controller or service platform.
Startup Time: Lists the time the adopted device was last started up and detected on the network.
Refresh: Select the Refresh button to update the screen's statistics counters to their latest values.
15.3.9.1 AP Adoption History
Controller Statistics

The AP Adoption History screen displays a list of devices adopted to the controller or service platform managed network. Use this screen to view a list of devices and their current status.

To view adopted AP Adoption History statistics:

1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select Adoption > AP Adoption History from the left-hand side of the UI.

Figure 15-48 Wireless Controller - AP Adoption History screen

The AP Adoption History screen displays the following:

Event Name: Displays the current adoption status of each AP as either adopted or un-adopted.
AP MAC Address: Displays the Media Access Control (MAC) address of each Access Point that the controller or service platform has attempted to adopt.
Reason: Displays the adoption reason message string for each event in the adoption history statistics table.
Event Time: Displays the day, date and time for each Access Point adoption attempt by this controller or service platform.
Refresh: Select the Refresh button to update the screen's statistics counters to their latest values.
15.3.9.2 Pending Adoptions
Controller Statistics

The Pending Adoptions screen displays devices still pending (awaiting) adoption to the controller or service platform managed network. Review this data to assess whether adoption is still beneficial and to troubleshoot issues preventing adoption.

To view adopted AP statistics:

1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select Adoption > Pending Adoptions from the left-hand side of the UI.

Figure 15-49 Wireless Controller - Pending Adoptions screen

The Pending Adoptions screen provides the following:

MAC Address: Displays the MAC address of the device pending adoption.
Type: Displays the AP's model type.
IP Address: Displays the current IP address of the device pending adoption.
VLAN: Displays the current VLAN number (virtual interface ID) of the device pending adoption.
Reason: Displays the status code as to why the device is still pending adoption.
Discovery Option: Displays the discovery option code for each AP listed pending adoption.
Last Seen: Displays the date and time stamp of the last time the device was seen. Click the arrow next to the date and time to toggle between standard time and UTC.
Add to Devices: Select a device from amongst those displayed and select Add to Devices to validate the adoption of the selected device and begin the process of connecting the device to the controller or service platform managed network.
Refresh: Select Refresh to update the statistics counters to their latest values.
15.3.10 AP Detection
Controller Statistics

The AP Detection screen displays potentially hostile Access Points, their SSIDs, reporting AP, and so on. Continuously revalidating the credentials of detected devices reduces the possibility of an Access Point hacking into the controller or service platform managed network.

To view AP detection statistics:

1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select AP Detection from the left-hand side of the UI.

Figure 15-50 Wireless Controller - AP Detection screen

The AP Detection screen displays the following:

Unsanctioned AP: Displays the MAC address of unsanctioned APs detected within the controller or service platform radio coverage area. Unsanctioned APs are detected APs without deployment approval.
Reporting AP: Lists the Access Point whose radio detected the unsanctioned AP. The Access Point displays as a link that can be selected to display configuration and network address information in greater detail.
SSID: Displays the SSID of each unsanctioned AP.
AP Mode: Displays the operating mode of the unsanctioned device.
Radio Type: Displays the unsanctioned AP's radio type. The radio can be 802.11b, 802.11bg, 802.11bgn, 802.11a or 802.11an.
Channel: Displays the channel where the unsanctioned AP was detected.
RSSI: Lists the Received Signal Strength Indicator (RSSI) for each listed AP.
Last Seen: Displays when the unsanctioned AP was last seen by the detecting AP.
Clear All: Select Clear All to clear all the screen's statistic counters and begin detecting new Access Points.
Refresh: Select Refresh to update the statistics counters to their latest values.

15.3.11 Guest User
Controller Statistics

The Guest User screen displays read only device information for guest clients associated with the selected controller or service platform. Use this information to assess if configuration changes are required to improve network performance.

To view a controller or service platform's connected guest user client statistics:

1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select Guest User from the left-hand side of the UI.

Figure 15-51 Wireless Controller - Guest User screen

The Guest User screen displays the following:

Client MAC: Displays the hardcoded MAC address assigned to the guest client at the factory, which cannot be modified. The address displays as a link that can be selected to display configuration and network address information in greater detail.
IP Address: Displays the unique IP address of the guest client. Use this address as necessary throughout the applet for filtering and device intrusion recognition and approval.
IPv6 Address: Displays the current IPv6 formatted IP address a listed guest client is using as a network identifier. IPv6 is the latest revision of the Internet Protocol (IP) designed to replace IPv4. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons.
Hostname: Displays the hostname (MAC addresses) of connected guest clients. The hostname displays as a link that can be selected to display configuration and network address information in greater detail.
Role: Lists the guest client's defined role within the controller or service platform managed network.
Client Identity: Displays the unique vendor identity of the listed device as it appears to its adopting controller or service platform.
Vendor: Displays the name of the client vendor (manufacturer).
Band: Displays the 2.4 or 5 GHz radio band on which the listed guest client operates.
AP Hostname: Displays the administrator assigned hostname of the Access Point to which this guest client is associated.
Radio MAC: Displays the MAC address of the radio to which the guest client is connected.
WLAN: Displays the name of the WLAN the guest client is currently assigned for its Access Point interoperation.
VLAN: Displays the VLAN ID the guest client's connected Access Point has defined as a virtual interface.
Last Active: Displays the time when this guest client was last seen (or detected) by a device within the controller or service platform managed network.
Disconnect Client: Select a specific client and select the Disconnect Client button to terminate this guest client's connection to its controller or service platform connected Access Point radio.
Refresh: Select Refresh to update the statistics counters to their latest values.

15.3.12 Wireless LANs
Controller Statistics

The Wireless LANs statistics screen displays performance statistics for each controller or service platform managed WLAN. Use this information to assess if configuration changes are required to improve connected Access Point and client performance.

To view the wireless LAN statistics for the controller or service platform:

1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select Wireless LANs from the left-hand side of the UI.
Figure 15-52 Wireless Controller - Wireless LANs screen

The Wireless LANs screen displays the following:

WLAN Name: Displays the name of the WLANs the controller or service platform is currently utilizing for client connections and QoS segregation.
SSID: Displays the Service Set ID each listed WLAN is using as an identifier.
Traffic Index: Displays the traffic utilization index, which measures how efficiently the traffic medium is used. It’s defined as the percentage of current throughput relative to the maximum possible throughput. Traffic indices are:
    0 – 20 (very low utilization)
    20 – 40 (low utilization)
    40 – 60 (moderate utilization)
    60 and above (high utilization)
Radio Count: Displays the number of radios currently in use by devices utilizing the listed controller or service platform managed WLAN.
Tx Bytes: Displays data transmit activity (in bytes) on each listed WLAN.
Tx User Data Rate: Displays the average user data rate on each listed WLAN.
Rx Bytes: Displays the data received in bytes on each listed WLAN.
Rx User Data Rate: Displays the average user data rate for packets received by controller or service platform connected devices using this WLAN.
Disconnect All Clients: Select Disconnect All Clients to terminate all client WLAN memberships.
Refresh: Select Refresh to update the statistics counters to their latest values.

15.3.13 Policy Based Routing

The Policy Based Routing statistics screen displays statistics for selective path packet redirection. PBR can optionally mark traffic for preferential services (QoS). PBR is applied to incoming routed packets, and a route-map is created containing a set of filters and associated actions. Based on the actions defined in the route-map, packets are forwarded to the next relevant hop. Route-maps are configurable under a global policy called routing-policy, and applied to profiles and devices.

To review controller PBR statistics:

1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select Policy Based Routing.

Figure 15-53 Wireless Controller - Policy Based Routing screen

The Policy Based Routing screen displays the following:

Precedence: Lists the numeric precedence (priority) assigned to each listed PBR configuration. A route-map consists of multiple entries, each carrying a precedence value. An incoming packet is matched against the route-map with the highest precedence (lowest numerical value).
Primary Next Hop IP: Lists the IP address of the virtual resource that, if available, is used with no additional route considerations.
Primary Next Hop State: Displays whether the primary hop is being applied to incoming routed packets.
Secondary Next Hop IP: If the primary hop is unavailable, a second resource is used. This column lists the address set for the alternate route in the election process.
Secondary Next Hop State: Displays whether the secondary hop is being applied to incoming routed packets.
Default Next Hop IP: If a packet subjected to PBR does not have an explicit route to the destination, the configured default next hop is used. This is either the IP address of the next hop or the outgoing interface. Only one default next hop is available. The difference between the next hop and the default next hop is that, in the case of the former, PBR occurs first, then destination based routing. In the case of the latter, the order is reversed.
Default Next Hop State: Displays whether the default hop is being applied to incoming routed packets.
Refresh: Select the Refresh button to update the screen’s statistics counters to their latest values.

15.3.14 Radios

The radio Status screen provides radio association data, including radio ID, connected APs, radio type, quality index and Signal to Noise Ratio (SNR).

To view the radio statistics:

1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select Radio from the left-hand side of the UI.

Figure 15-54 Wireless Controller - Radio Status screen

The Radios Status screen provides the following information:

Radio: Displays the model and numerical value assigned to the radio as its unique identifier. Optionally, select the listed radio (it displays as a link) to display radio configuration information in greater detail.
Radio MAC: Displays the MAC address assigned to the radio as its unique hardware identifier.
Radio Type: Defines whether the radio is operating in the 2.4 GHz or 5 GHz radio band.
Access Point: Displays the administrator assigned system name of each listed Access Point. Optionally, select the listed Access Point to display Access Point configuration information in greater detail.
AP Type: Lists the model type of the Access Point housing the listed radio.
State: Displays the current operational state (On/Off) of each radio.
Channel Current (Config): Displays the administrator configured channel each listed radio is broadcasting on.
Power Current (Config): Displays the administrator configured power level the radio is using for its transmissions.
Clients: Displays the number of wireless clients associated with each listed radio.
Refresh: Select Refresh to update the statistics counters to their latest values.

4 Select RF Statistics from the expanded Radios menu.

Figure 15-55 Wireless Controller - Radio RF Statistics screen

The RF Statistics screen provides the following information:

Radio: Displays the name assigned to each listed radio. Each radio name displays as a link that can be selected to display radio information in greater detail.
Signal: Displays the power of each listed radio signal in dBm.
SNR: Displays the signal to noise ratio (SNR) of each listed radio. SNR is a measure that compares the level of a desired signal to the level of background noise. It is defined as the ratio of signal power to the noise power. A ratio higher than 1:1 indicates more signal than noise.
Tx Physical Layer Rate: Displays the data transmit rate for each radio’s physical layer. The rate is displayed in Mbps.
Rx Physical Layer Rate: Displays the data receive rate for each radio’s physical layer. The rate is displayed in Mbps.
Avg Retry Rate: Displays the average number of retries for each radio.
Error Rate: Displays the average number of retries per packet. A high number indicates possible network or hardware problems.
Quality Index: Displays the client’s RF quality. The RF quality index is the overall effectiveness of the RF environment, as a percentage of the connect rate in both directions as well as the retry rate and the error rate. RF quality index value can be interpreted as:
    0 – 20 - very poor quality
    20 – 40 - poor quality
    40 – 60 - average quality
    60 – 100 - good quality
Refresh: Select Refresh to update the statistics counters to their latest values.

5 Select Traffic Statistics from the expanded Radios menu.

Figure 15-56 Wireless Controller - Radio Traffic Statistics screen

The Traffic Statistics screen provides the following information:

Radio: Displays the name assigned to each listed radio. Each radio name displays as a link that can be selected to display radio configuration and network address information in greater detail.
Tx Bytes: Displays the amount of transmitted data in bytes for each radio.
Rx Bytes: Displays the amount of received data in bytes for each radio.
Tx Packets: Displays the amount of transmitted data in packets for each radio.
Rx Packets: Displays the amount of received data in packets for each radio.
Tx User Data Rate: Displays the average speed in kbps of data transmitted to users for each radio.
Rx User Data Rate: Displays the average speed in kbps of data received from users for each radio.
Tx Dropped: Displays the number of transmissions (packets) dropped by each listed radio. An excessive number of drops and a high error rate could be an indicator to lighten the radio’s current load.
Traffic Index: Displays the traffic utilization index of each listed radio, which measures how efficiently the traffic medium is used. It’s defined as the percentage of current throughput relative to the maximum possible throughput. Traffic indices are: 0 – 20 (very low utilization), 20 – 40 (low utilization), 40 – 60 (moderate utilization), and 60 and above (high utilization).
Refresh: Select Refresh to update the statistics counters to their latest values.

15.3.15 Mesh

The Mesh screen provides detailed statistics on each Mesh capable client within the selected controller or service platform’s radio coverage area.

To view Mesh statistics:

1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select Mesh from the left-hand side of the UI.

Figure 15-57 Wireless Controller - Mesh screen

The Mesh screen displays the following:

Client: Displays the name assigned to each mesh client when added to the controller or service platform managed network.
Client Radio MAC: Displays the factory encoded Media Access Control (MAC) address of each device within the controller or service platform managed mesh network.
Portal: Mesh portals are mesh enabled devices connected to an external network that forward traffic in and out. Mesh devices must find paths to a portal to access the Internet. When multiple portals exist, the Mesh point must select one.
Portal Radio MAC: Lists the MAC addresses of those Access Points serving as mesh portals.
Connect Time: Displays the total (elapsed) connection time for each client within the controller or service platform managed mesh network.
Refresh: Select Refresh to update the statistics counters to their latest value.

15.3.16 Interfaces

The Interface screen provides detailed statistics on each of the interfaces available on the selected controller or service platform. Use this screen to review the statistics for each interface. Interfaces vary amongst supported hardware model controllers and service platforms.

To review controller or service platform interface statistics:

1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Expand the Interfaces menu from the left-hand side of the UI.
4 Select General.

Figure 15-58 Wireless Controller - General Interface screen

Interface Statistics support the following:
• General Interface Details
• IPv6 Address
• Multicast Groups Joined
• Network Graph

15.3.16.1 General Interface Details

The General tab provides information on a selected controller or service platform interface such as its MAC address, type and TX/RX statistics.

The General table displays the following:

Name: Displays the name of the controller or service platform interface (ge1, up1, etc.).
Interface MAC Address: Displays the MAC address of the interface.
IP Address: IP address of the interface.
IP Address Type: Displays the IP address type, either IPv4 or IPv6.
Secondary IP: Displays a list of secondary IP resources assigned to this interface.
Hardware Type: Displays the networking technology.
Index: Displays the unique numerical identifier for the interface.
Access Setting: Displays the VLAN mode as either Access or Trunk.
Access VLAN: Displays the tag assigned to the native VLAN.
Native VLAN: The native VLAN allows an Ethernet device to associate untagged frames to a VLAN when no 802.1Q header is included in the frame. Additionally, the native VLAN is the VLAN untagged traffic is directed over when using a port in trunk mode.
Tagged Native VLAN: When a frame is tagged, the 12 bit frame VLAN ID is added to the 802.1Q header so upstream Ethernet devices know which VLAN ID the frame belongs to. The device reads the 12 bit VLAN ID and forwards the frame to the appropriate VLAN. When a frame is received with no 802.1Q header, the upstream device classifies the frame using the default or native VLAN assigned to the Trunk port. A native VLAN allows an Ethernet device to associate untagged frames to a VLAN when no 802.1Q header is included in the frame.
Allowed VLANs: Displays the list of allowed virtual interface(s) on this interface.
Administrative Status: Displays whether the interface is currently UP or DOWN.
Operational Status: Lists whether the selected interface is currently UP (operational) or DOWN.

The IPv6 Mode and MTU table displays the following information:

IPv6 Mode: Lists the IPv6 mode currently utilized.
IPv6 MTU: Lists the IPv6 formatted largest packet size that can be sent over the interface.
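The Native VLAN and Tagged Native VLAN rows above describe how a frame's 12 bit VLAN ID decides which VLAN it lands in. The following is an added example, not code from the guide or from WiNG: it parses the 802.1Q tag and applies that classification. The PortConfig model, the constructed test frames and the rule that an access port drops frames tagged for another VLAN are assumptions.

```python
import struct
from dataclasses import dataclass, field

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag
VID_MASK = 0x0FFF     # low 12 bits of the Tag Control Information (TCI)


@dataclass
class PortConfig:
    """Hypothetical model of one interface's VLAN fields from the General table."""
    mode: str                                        # Access Setting: "access" or "trunk"
    access_vlan: int = 1                             # Access VLAN
    native_vlan: int = 1                             # Native VLAN
    allowed_vlans: set = field(default_factory=set)  # Allowed VLANs


def build_frame(vid=None, pcp=0):
    """Build a constructed test frame, tagged when vid is given."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("020000000001")   # locally administered, constructed
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)
    return dst + src + tag + struct.pack("!H", 0x0800) + bytes(46)


def parse_vlan_tag(frame):
    """Return (vid, pcp, dei) for a tagged frame, or None when untagged."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & VID_MASK, tci >> 13, (tci >> 12) & 1


def classify(frame, port):
    """Return the VLAN the frame is placed in, or None when it is dropped."""
    tag = parse_vlan_tag(frame)
    # VID 0 is a priority tag: it carries no VLAN, so treat it like untagged.
    vid = None if tag is None or tag[0] == 0 else tag[0]
    if vid == 0x0FFF:
        return None                      # VID 4095 is reserved
    if port.mode == "access":
        if vid is None or vid == port.access_vlan:
            return port.access_vlan
        return None                      # assumption: foreign tags are dropped
    if vid is None:
        return port.native_vlan          # untagged traffic rides the native VLAN
    if vid == port.native_vlan or vid in port.allowed_vlans:
        return vid
    return None                          # tagged for a VLAN the trunk does not allow


if __name__ == "__main__":
    trunk = PortConfig(mode="trunk", native_vlan=10, allowed_vlans={20, 30})
    for vid in (None, 0, 20, 40):
        print(vid, "->", classify(build_frame(vid), trunk))
```

Comparing the result for an untagged frame against the Native VLAN shown for a trunk port is a quick way to confirm which VLAN unlabelled traffic will reach.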
The Specification table displays the following information:

Media Type: Displays the physical connection type of the interface. Medium types include:
    Copper - Used on RJ-45 Ethernet ports
    Optical - Used on fibre optic gigabit Ethernet ports
Protocol: Displays the routing protocol used by the interface.
MTU: Displays the maximum transmission unit (MTU) setting configured on the interface. The MTU value represents the largest packet size that can be sent over the interface. 10/100 Ethernet ports have a maximum setting of 1500.
Mode: The mode can be either:
    Access – The Ethernet interface accepts packets only from native VLANs.
    Trunk – The Ethernet interface allows packets from a list of VLANs you can add to the trunk.
Metric: Displays the metric associated with the interface’s route.
Maximum Speed: Displays the maximum speed the interface uses to transmit or receive data.
Admin Speed: Displays the speed the port can transmit or receive. This value can be either 10, 100, 1000 or Auto. This value is the maximum port speed in Mbps. Auto indicates the speed is negotiated between connected devices.
Operator Speed: Displays the current speed of data transmitted and received over the interface.
Admin Duplex Setting: Displays the administrator’s duplex setting.
Current Duplex Setting: Displays the interface as either half duplex, full duplex or unknown.

The Traffic table displays the following:

Good Octets Sent: Displays the number of octets (bytes) with no errors sent by the interface.
Good Octets Received: Displays the number of octets (bytes) with no errors received by the interface.
Good Packets Sent: Displays the number of good packets transmitted.
Good Packets Received: Displays the number of good packets received.
Mcast Pkts Sent: Displays the number of multicast packets sent through the interface.
Mcast Pkts Received: Displays the number of multicast packets received through the interface.
Ucast Pkts Sent: Displays the number of unicast packets sent through the interface.
Ucast Pkts Received: Displays the number of unicast packets received through the interface.
Bcast Pkts Sent: Displays the number of broadcast packets sent through the interface.
Bcast Pkts Received: Displays the number of broadcast packets received through the interface.
Packet Fragments: Displays the number of packet fragments transmitted or received through the interface.
Jabber Pkts: Displays the number of packets transmitted through the interface larger than the MTU.

The Errors table displays the following:

Bad Pkts Received: Displays the number of bad packets received through the interface.
Collisions: Displays the number of collisions over the selected interface.
Late Collisions: A late collision is any collision that occurs after the first 64 octets of data have been sent. Late collisions are not normal, and usually the result of out of specification cabling or a malfunctioning device.
Excessive Collisions: Displays the number of excessive collisions. Excessive collisions occur when the traffic load increases to the point a single Ethernet network cannot handle it efficiently.
Drop Events: Displays the number of dropped packets transmitted or received through the interface.
Tx Undersize Pkts: Displays the number of undersized packets transmitted through the interface.
Oversize Pkts: Displays the number of oversized packets transmitted through the interface.
MAC Transmit Error: Displays the number of failed transmits due to an internal MAC sublayer error (that’s not a late collision), due to excessive collisions or a carrier sense error.
MAC Receive Error: Displays the number of received packets that failed due to an internal MAC sublayer error (that’s not a late collision), an excessive number of collisions or a carrier sense error.
Bad CRC: Displays the CRC error. The CRC is the 4 byte field at the end of every frame. The receiving station uses it to interpret if the frame is valid. If the CRC value computed by the interface does not match the value at the end of frame, it is considered as a bad CRC.

The Receive Errors table displays the following:

Rx Frame Errors: Displays the number of frame errors received at the interface. A frame error occurs when data is received, but not in an expected format.
Rx Length Errors: Displays the number of length errors received at the interface. Length errors are generated when the received frame length was either less than or over the Ethernet standard.
Rx FIFO Errors: Displays the number of FIFO errors received at the interface. First-in First-out queueing is an algorithm that involves buffering and forwarding of packets in the order of arrival. FIFO entails no priority. There is only one queue, and all packets are treated equally. An increase in FIFO errors indicates a probable hardware malfunction.
Rx Missed Errors: Displays the number of missed packets. Packets are missed when the hardware receive FIFO has insufficient space to store an incoming packet.
Rx Over Errors: Displays the number of overflow errors received. Overflows occur when a packet size exceeds the allocated buffer size.
The Transmit Errors field displays the following:

Tx Errors: Displays the number of packets with errors transmitted on the interface.
Tx Dropped: Displays the number of transmitted packets dropped from the interface.
Tx Aborted Errors: Displays the number of packets aborted on the interface because a clear-to-send request was not detected.
Tx Carrier Errors: Displays the number of carrier errors on the interface. This generally indicates bad Ethernet hardware or bad cabling.
Tx FIFO Errors: Displays the number of FIFO errors transmitted at the interface. First-in First-Out queueing is an algorithm that involves the buffering and forwarding of packets in the order of arrival. FIFO uses no priority. There is only one queue, and all packets are treated equally. An increase in the number of FIFO errors indicates a probable hardware malfunction.
Tx Heartbeat Errors: Displays the number of heartbeat errors. This generally indicates a software crash, or packets stuck in an endless loop.
Tx Window Errors: Displays the number of window errors transmitted. TCP uses a sliding window flow control protocol. In each TCP segment, the receiver specifies the amount of additional received data (in bytes) the receiver is willing to buffer for the connection. The sending host can send only up to that amount. If the sending host transmits more data before receiving an acknowledgment, it constitutes a window error.
Refresh: Select Refresh to update the statistics counters to their latest value.

15.3.16.2 IPv6 Address

IPv6 is the latest revision of the Internet Protocol (IP) designed to replace IPv4. IPv6 provides enhanced identification and location information for computers on networks routing traffic across the Internet. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons.

To view controller or service platform IPv6 address utilization:

1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Expand the Interfaces menu from the left-hand side of the UI.
4 Select the IPv6 Address tab.
Figure 15-59 Wireless Controller - Interface IPv6 Address screen

5 The IPv6 Addresses table displays the following:

IPv6 Addresses: Lists the IPv6 formatted addresses currently utilized by the controller or service platform in the selected interface.
Status: Lists the current utilization status of each IPv6 formatted address currently in use by this controller or service platform’s selected interface.
Address Type: Lists whether the address is unicast or multicast in its utilization over the selected controller or service platform interface.
Preferred Lifetime (seconds): Lists the time in seconds (relative to when the packet is sent) the IPv6 formatted address remains in a preferred state on the selected interface. The preferred lifetime must always be less than or equal to the valid lifetime.
Valid Lifetime (seconds): Displays the time in seconds (relative to when the packet is sent) the IPv6 formatted address remains in a valid state on the selected interface. The valid lifetime must always be greater than or equal to the preferred lifetime.

6 Select the Link Local Address & Traffic Report tab to assess data traffic and errors discovered in transmitted and received IPv6 formatted data packets.
Figure 15-60 Wireless Controller - Interface IPv6 Address screen

7 Verify the following Local Link Address data for the IPv6 formatted address:

Address: Lists the IPv6 local link address. IPv6 requires a link local address assigned to every interface the IPv6 protocol is enabled on, even when one or more routable addresses are assigned.
Status: Lists the IPv6 local link address utilization status and its current availability.
Preferred Lifetime (seconds): Lists the time in seconds (relative to when the packet is sent) the local link address remains in the preferred state on the selected interface. The preferred lifetime must always be less than or equal to the valid lifetime.
Valid Lifetime (seconds): Displays the time in seconds (relative to when the packet is sent) the local link address remains in the valid state on the selected interface. The valid lifetime must always be greater than or equal to the preferred lifetime.

8 Verify the following IPv6 formatted Traffic data:

Packets In: Lists the number of IPv6 formatted data packets received on the selected controller or service platform interface since the screen was last refreshed.
Packets Out: Lists the number of IPv6 formatted data packets transmitted on the selected controller or service platform interface since the screen was last refreshed.
Bytes In: Displays the number of octets (bytes) with no errors received by the selected interface.
Bytes Out: Displays the number of octets (bytes) with no errors sent by the selected interface.
9 Review the following Receive Errors for IPv6 formatted data traffic:

Bad Packets Received: Displays the number of bad IPv6 formatted packets received through the interface.
Bad CRC: Displays the CRC error. The CRC is the 4 byte field at the end of every frame. The receiving station uses it to interpret if the frame is valid. If the CRC value computed by the interface does not match the value at the end of frame, it is considered as a bad CRC.
Collisions: Displays the number of collisions over the selected interface. Excessive collisions occur when the traffic load increases to the point a single Ethernet network cannot handle it efficiently. A late collision is any collision that occurs after the first 64 octets of data have been sent. Late collisions are not normal, and usually the result of out of specification cabling or a malfunctioning device.
Receive Length Errors: Displays the number of IPv6 length errors received at the interface. Length errors are generated when the received IPv6 frame length was either less than or over the Ethernet standard.
Receive Over Errors: Displays the number of IPv6 overflow errors received. Overflows occur when a packet size exceeds the allocated buffer size.
Receive Frame Errors: Displays the number of IPv6 frame errors received at the interface. A frame error occurs when data is received, but not in an expected format.
Receive FIFO Errors: Displays the number of IPv6 FIFO errors received at the interface. First-in First-out queueing is an algorithm that involves buffering and forwarding of packets in the order of arrival. FIFO entails no priority. There is only one queue, and all IPv6 formatted packets are treated equally. An increase in FIFO errors indicates a probable hardware malfunction.
Receive Missed Errors: Displays the number of missed IPv6 formatted packets. Packets are missed when the hardware receive FIFO has insufficient space to store an incoming packet.

10 Review the following Transmit Errors for IPv6 formatted data traffic:

Transmit Errors: Displays the number of IPv6 formatted data packets with errors transmitted on the interface.
Transmit Aborted Errors: Displays the number of IPv6 formatted packets aborted on the interface because a clear-to-send request was not detected.
Transmit Carrier Errors: Displays the number of IPv6 formatted carrier errors on the interface. This generally indicates bad Ethernet hardware or bad cabling.
Transmit FIFO Errors: Displays the number of IPv6 formatted FIFO errors transmitted at the interface. First-in First-Out queueing is an algorithm that involves the buffering and forwarding of packets in the order of arrival. FIFO uses no priority. There is only one queue, and all packets are treated equally. An increase in the number of FIFO errors indicates a probable hardware malfunction.
Transmit Heartbeat Errors: Displays the number of IPv6 formatted heartbeat errors. This generally indicates a software crash, or packets stuck in an endless loop.
Transmit Window Errors: Displays the number of IPv6 formatted window errors transmitted. TCP uses a sliding window flow control protocol. In each TCP segment, the receiver specifies the amount of additional received data (in bytes) the receiver is willing to buffer for the connection. The sending host can send only up to that amount. If the sending host transmits more data before receiving an acknowledgment, it constitutes a window error.
Refresh: Select Refresh to update the statistics counters to their latest value.

15.3.16.3 Multicast Groups Joined

Multicast groups scale to a larger set of destinations by not requiring prior knowledge of who or how many destinations there are. Multicast devices use their infrastructure efficiently by requiring the source to send a packet only once, even if delivered to a large number of devices. Devices replicate a packet to reach multiple receivers only when necessary.

Controllers and service platforms are free to join or leave a multicast group at any time. There are no restrictions on the location or members in a multicast group. A host may be a member of more than one multicast group at any given time and does not have to belong to a group to send messages to members of a group.

To view the controller or service platform multicast group memberships on the selected interface:

1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Expand the Interfaces menu from the left-hand side of the UI.
4 Select Multicast Groups Joined.
Figure 15-61 Wireless Controller - Interface Multicast Groups Joined screen

5 The screen displays the following:

Group: Lists the name of existing multicast groups whose current members share multicast packets with one another on this selected interface as a means of collective interoperation.
Users: Lists the number of devices currently interoperating on this interface in each listed multicast group. Any single device can be a member of more than one group at a time.

6 Periodically select Refresh to update the screen’s counters to their latest values.
15.3.16.4 Network Graph

The Network Graph tab displays statistics the controller or service platform continuously collects for its interfaces. Even when the interface statistics graph is closed, data is still collected. Display the interface statistics graph periodically for assessing the latest interface information. Up to three different stats can be selected and displayed within the graph.

To view a detailed graph for an interface, select an interface and drop it on to the graph. The graph displays Port Statistics as the Y-axis and the Polling Interval as the X-axis. Use the Polling Interval from the drop-down menu to define the intervals for which data is displayed on the graph.

To view the Interface Statistics graph:

1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Expand the Interfaces menu from the left-hand side of the UI.
4 Select Network Graph. Use the Parameters drop-down menu to specify what’s trended in the graph.

Figure 15-62 Wireless Controller - Interface Network Graph screen
15.3.17 Border Gateway Protocol (BGP) Statistics

Border Gateway Protocol (BGP) is an inter-ISP routing protocol which establishes routes between ISPs. ISPs use BGP to exchange routing and reachability information between Autonomous Systems (AS) on the Internet. BGP makes routing decisions based on paths, network policies and/or rules configured by network administrators. The primary role of a BGP system is to exchange network reachability information with other BGP peers. This information includes information on AS that the reachability information traverses. This information is sufficient to create a graph of AS connectivity from which routing decisions can be created and rules enforced.

An Autonomous System (AS) is a set of routers under the same administration that use Interior Gateway Protocol (IGP) and common metrics to define how to route packets within the AS. AS uses inter-AS routing to route packets to other ASs. For an external AS, an AS appears to have a single coherent interior routing plan and presents a consistent picture of the destinations reachable through it.

Routing information exchanged through BGP supports only destination based forwarding (it assumes a router forwards packets based on the destination address carried in the IP header of the packet).

BGP uses TCP as its transport protocol. This eliminates the need to implement explicit update fragmentation, retransmission, acknowledgement, and sequencing. BGP listens on TCP port 179. The error notification mechanism used in BGP assumes that TCP supports a graceful close (all outstanding data is delivered before the connection is closed).

BGP statistics are available to assist an administrator in assessing the status of the service platform’s BGP feature and its neighbor BGP peers. Much of the configuration information can be filtered from the Route Filters screen.

To review BGP statistics:

1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select BGP from the left-hand side of the UI. The BGP Summary tab displays by default.

NOTE: BGP is only supported on RFS6000 and NX9500 model controllers and service platforms.
Figure 15-63 Wireless Controller - BGP - Summary screen

The Summary tab displays the following:

Neighbor: Lists the IP address of neighbor BGP supported devices.
ASN: Lists the Autonomous System Number (ASN) assigned to each listed neighbor BGP peer. An Autonomous System is a set of routers under the same administration that use Interior Gateway Protocol (IGP) and common metrics to define how to route packets.
Msg Sent: Lists the number of messages sent out of this BGP peer.
Msg Received: Lists the number of messages received by this BGP peer.
In Queue: Lists the number of messages in the controller or service platform queue that have not yet been read (processed).
Out Queue: Lists the number of messages in the controller or service platform queue that have not yet been sent.
Status: Displays the status of each listed BGP neighbor as Active or Disabled.
Uptime: Displays the time duration in HH:MM:SS format since the connection to this neighbor BGP peer was established.

4 Periodically select Refresh to update the screen’s counters to their latest value.
5 Select the Neighbor tab.
Figure 15-64 Wireless Controller - BGP - Neighbor screen

The Neighbor tab displays the following BGP neighbor information:

Neighbor: Lists the IP address of neighbor BGP supported peer controllers or service platforms. Each IP address displays as a link to display BGP supported device data in greater detail.
Remote AS: Lists the AS number configured on this BGP neighbor. An Autonomous System (AS) is a set of routers under the same administration that use Interior Gateway Protocol (IGP) and common metrics to define how to route packets within the AS.
Local AS: Lists the AS number (1 - 4,294,967,295) configured on this BGP wireless controller or service platform.
MD5 Enabled: A green check defines MD5 authentication enabled on the listed BGP neighbor. A red X means disabled. MD5 is a message digest algorithm using a cryptographic hash producing a 128-bit (16-byte) hash value, usually expressed in text as a 32 digit hexadecimal number. MD5 has been utilized in a wide variety of cryptographic applications, and is also commonly used to verify data integrity.
Link Type: Lists the type of BGP link. Displays internal if the link type is iBGP. Displays external if the link type is eBGP. iBGP exchanges routing table information between routers within an autonomous system. eBGP exchanges routing table information between hosts outside an autonomous system.
Status: Displays the current Active or Inactive state of each listed BGP neighbor device.
Uptime: Displays the uptime for each listed BGP neighbor.
Remote Router: Lists the IP address used by the BGP remote router resource as a network identifier.
Hold Time: Displays the duration, in seconds, for the hold (delay) of packet transmissions to each listed BGP neighbor device.
Keepalive: Displays the duration, in seconds, for the keep alive timer used to maintain the connection to each listed BGP neighbor device.
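What the MD5 Enabled column protects, shown as an added example that is not taken from this guide. It assumes the setting refers to the TCP MD5 Signature Option of RFC 2385, the usual way a BGP session on TCP port 179 is authenticated; the addresses, ports, sequence numbers and key are constructed sample values.

```python
import hashlib
import hmac
import socket
import struct

BGP_PORT = 179          # BGP listens on TCP port 179
TCP_PROTO = 6           # IP protocol number for TCP
MD5_OPTION_LEN = 20     # kind 19 + length 18 + 16-byte digest, padded with 2 NOPs

# Constructed sample values (documentation address space, made-up key).
LOCAL_IP, PEER_IP = "192.0.2.1", "192.0.2.2"
KEY = b"constructed-shared-secret"
# BGP KEEPALIVE message: 16-byte all-ones marker, length 19, type 4.
KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)


def tcp_header(src_port, dst_port, seq, ack, flags, window, checksum=0):
    """Fixed 20-byte TCP header; the data offset also covers the MD5 option."""
    words = (20 + MD5_OPTION_LEN) // 4
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       (words << 12) | flags, window, checksum, 0)


def zero_checksum(header20):
    """The digest is computed as if the TCP checksum field were zero."""
    return header20[:16] + b"\x00\x00" + header20[18:]


def md5_signature(src_ip, dst_ip, header20, payload, key):
    """MD5 over pseudo-header, TCP header without options, data, then key."""
    seg_len = len(header20) + MD5_OPTION_LEN + len(payload)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    digest = hashlib.md5()
    for part in (pseudo, zero_checksum(header20), payload, key):
        digest.update(part)
    return digest.digest()


def verify(src_ip, dst_ip, header20, payload, received, key):
    """Receiver side: recompute the digest and compare in constant time."""
    expected = md5_signature(src_ip, dst_ip, header20, payload, key)
    return hmac.compare_digest(expected, received)


def demo():
    """Sign one KEEPALIVE segment, then check it three ways."""
    hdr = tcp_header(49152, BGP_PORT, 1000, 2000, 0x18, 16384, checksum=0xBEEF)
    sig = md5_signature(LOCAL_IP, PEER_IP, hdr, KEEPALIVE, KEY)
    altered = KEEPALIVE[:-1] + b"\x01"   # same length, message type changed
    return {
        "digest_hex": sig.hex(),
        "accepted": verify(LOCAL_IP, PEER_IP, hdr, KEEPALIVE, sig, KEY),
        "wrong_key": verify(LOCAL_IP, PEER_IP, hdr, KEEPALIVE, sig, b"other"),
        "tampered": verify(LOCAL_IP, PEER_IP, hdr, altered, sig, KEY),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A peer with MD5 disabled accepts any segment that fits the TCP sequence window, which is why the red X on an external link deserves a second look.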
6 Optionally select the IP address of a listed BGP neighbor device to launch the following screen for more granular device information for the selected peer device:

Figure 15-65 Wireless Controller - BGP - Neighbor - Statistics screen

The BGP neighbor Statistics screen displays route information for the following kinds of routes:

• Advertised – Displays route information for routes advertised to the selected neighbor device.
• Received – Displays route information for routes received from the selected neighbor device.
• Routes – Displays the route information for routes learned from the selected neighbor device.

7 Refer to the following for details on the displayed route. The fields are common to all the screens.

Clear Routes: Select the Clear Retries item (within the table) to reset and clear all routes received from this BGP neighbor.
Route Status: Displays the status of this route. Route statuses include:
• Suppressed – This route has been suppressed.
• Damped – This route has been damped due to flapping.
• History – This route is kept in memory to retain flap-dampening statistics. This route is not currently announced by the peer.
• Valid – This route is a valid route.
• Best – This route is the best route of all the routes utilized.
• RIB Failure – A route with better administrative distance is already present, a memory failure exists or the number of routes in VPN routing/forwarding (VRF) exceeds the route-limit configured under the VRF instance.
• Removed – This route has been removed from the routes list and is no longer available to BGP supported neighbor devices.
Network: Displays network information for this route.
Next Hop: Displays the IP address of the next hop in this route.
Local Pref: Lists the IP address of this controller or service platform’s preferred next hop for the route.
Weight: Displays the weight assigned to this route. Weight is used to decide the preferred route when the same route is learned from multiple neighbors. The route with the highest weight is always chosen.
Metric: Lists a measure (metric) of the quality of the path. A lower value indicates a better path.
AS-Path: Displays the AS Path information for this route.
Origin: Displays the IP address of the route’s origin.

8 Select the Refresh button to update the information displayed in this screen to the latest values. Use the Exit button to exit to the Neighbor screen.
9 Select the Route Filters tab. This screen provides eight (8) different filters for viewing route statistics.

Figure 15-66 Wireless Controller - BGP - Route Filter screen

The Route Filters tab supports the following route filters:

• BGP Stats Details – Routes are filtered on BGP statistics details.
• Community List – Routes are filtered on the community lists included in each route.
• Community – Routes are filtered on the community information included in each route.
• Expanded Community List – Routes are filtered on the expanded community information included in each route.
• Prefix List – Routes are filtered on the prefix list included in each route.
• Filter List – Routes are filtered on the filter list included in each route.
• Regular Expression – Routes are filtered based on regular expressions.
• Route Map – Routes are filtered on the route map information included in each route.

10 Select BGP Stats Detail from the Select Filter Type list.
Figure 15-67 Wireless Controller - BGP - Route Filter - BGP Stats Detail

11 Use the Type Specific Network field to filter statistics based on the provided IP or Network information. Select Show Details to display the list of filtered routes.

Route Status: Displays the status of this route. Route status options include:
• Suppressed – This route has been suppressed.
• Damped – This route has been damped due to flapping.
• History – This route is kept in memory to retain flap-dampening statistics. This route is not currently announced by the peer.
• Valid – This route is a valid route.
• Best – This route is the best route of all routes.
• RIB Failure – A route with better administrative distance is already present, a memory failure exists or the number of routes in VPN routing/forwarding (VRF) exceeds the route-limit configured under the VRF instance.
• Removed – This route has been removed from the routes list.
Network: Displays network information for this route.
Next Hop: Displays the IP address of the next hop resource utilized in this route.
Local Pref: Lists the IP address of this controller or service platform’s preferred next hop for this route. The local preference indicates the preferred path when there are multiple paths to the same destination. The path having the highest preference value is preferred. The preference value is sent to all routers and access servers in the local AS.
Weight: Displays the weight assigned to this route. Weight is used to decide the preferred route when the same route is learned from multiple neighbors. The route with the highest weight is always chosen.
Metric: Lists a measure (metric) of the quality of the path. A lower value indicates a better path. This value is the Multi Exit Discriminator (MED) evaluated by BGP during the best path selection process.
Path: Displays path information for this route.
Origin: Displays the IP address of the origin for this route.

12 Select Community List from the Select Filter Type list.
Figure 15-68 Wireless Controller - BGP - Route Filter - Community List

13 Use the Type Community List field to filter the statistics based on the community type of the route. Select Show Details to display the list of filtered routes.

NOTE: The following table is common to these filter types:
• Community List
• Community
• Prefix List
• Filter List
• Regular Expression
• Route Map

Route Status: Displays the status of this route. The route status could be one of:
• Suppressed – This route has been suppressed.
• Damped – This route has been damped due to flapping.
• History – This route is kept in memory to retain flap-dampening statistics. This route is not currently announced by the peer.
• Valid – This route is a valid route.
• Best – This route is the best route of all routes.
• RIB Failure – A route with better administrative distance is already present, a memory failure exists or the number of routes in VPN routing/forwarding (VRF) exceeds the route-limit configured under the VRF instance.
• Removed – This route has been removed from the routes list.
Network: Displays network information for this route.
Next Hop: Displays the IP address of the next hop in this route.
Local Pref: Lists the IP address of this controller or service platform’s preferred next hop for this route. The local preference indicates the preferred path when there are multiple paths to the same destination. The path having the highest preference value is preferred. This preference value is sent to all routers and access servers in the local AS.
Weight: Displays the weight assigned to this route. Weight is used to decide the preferred route when the same route is learned from multiple neighbors. The route with the highest weight is always chosen.
Metric: Lists a measure of the quality of the path. A lower value indicates a better path. This value is the Multi Exit Discriminator (MED) evaluated by BGP during the best path selection process.
AS-Path: Displays AS path information for this route.
Origin: Displays the IP address of the origin for this route.
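How the Route Status, Weight, Local Pref, AS-Path and Metric columns combine into a Best route, as an added example that is not from this guide. The comparison order (weight, then local preference, then AS path length, then MED) is the conventional BGP decision order in shortened form, and comparing MED only between routes from the same neighboring AS is an assumption about default behaviour; the routes are constructed samples.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Route Status values that leave a route in contention. Suppressed, Damped,
# History, RIB Failure and Removed routes are never candidates.
ELIGIBLE = {"Valid", "Best"}


@dataclass
class Route:
    network: str
    next_hop: str
    status: str
    weight: int
    local_pref: int
    metric: int          # Multi Exit Discriminator (MED)
    as_path: List[int]   # leftmost entry is the neighboring AS


def compare(a: Route, b: Route) -> Tuple[Route, str]:
    """Return (preferred route, deciding column); `a` keeps the lead on a tie."""
    if a.weight != b.weight:                       # highest weight wins
        return (a if a.weight > b.weight else b), "Weight"
    if a.local_pref != b.local_pref:               # highest preference wins
        return (a if a.local_pref > b.local_pref else b), "Local Pref"
    if len(a.as_path) != len(b.as_path):           # shortest AS path wins
        return (a if len(a.as_path) < len(b.as_path) else b), "AS-Path"
    same_neighbor_as = a.as_path[:1] == b.as_path[:1]
    if same_neighbor_as and a.metric != b.metric:  # lowest MED wins
        return (a if a.metric < b.metric else b), "Metric"
    return a, "tie"  # real implementations continue with further tie-breakers


def select_best(routes: List[Route]) -> Tuple[Optional[Route], List[Tuple[str, str]]]:
    """Pick the best eligible route and record why each loser was rejected."""
    candidates = [r for r in routes if r.status in ELIGIBLE]
    if not candidates:
        return None, []
    best, decisions = candidates[0], []
    for challenger in candidates[1:]:
        winner, reason = compare(best, challenger)
        loser = challenger if winner is best else best
        decisions.append((loser.next_hop, reason))
        best = winner
    return best, decisions


# Constructed sample: four routes to one prefix learned from different neighbors.
SAMPLE = [
    Route("198.51.100.0/24", "192.0.2.1", "Valid", 0, 100, 50, [64501, 64510]),
    Route("198.51.100.0/24", "192.0.2.2", "Valid", 0, 200, 10, [64502, 64520, 64510]),
    Route("198.51.100.0/24", "192.0.2.3", "Damped", 500, 300, 0, [64503]),
    Route("198.51.100.0/24", "192.0.2.4", "Valid", 0, 200, 5, [64502, 64530, 64510]),
]

if __name__ == "__main__":
    best, decisions = select_best(SAMPLE)
    print("best next hop:", best.next_hop)
    for next_hop, reason in decisions:
        print(f"  {next_hop} rejected on {reason}")
```

The damped route never competes despite its high weight and short path, and a two-hop path loses to a three-hop one because Local Pref is evaluated first. An unexpected Best entry is therefore read column by column in that order.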
Select Community from the Select Filter Type list.

Figure 15-69 Wireless Controller - BGP - Route Filter - Community

14 Use the Type Community drop-down menu to filter the statistics based on the community of the route. Routes can be filtered on:

• local-AS - Displays routes that prevent the transmission of packets outside the local AS.
• no-advertise - Displays routes not advertised to any peer, either internal or external.
• no-export - Displays routes not advertised to BGP peers, keeping this route within an AS.
• aa:nn - Filters routes based on the AS Number specified. The first part (aa) represents the AS number. The second part (nn) represents a 2-byte number. Routes matching this number are filtered.

15 Select Show Details to display the list of filtered routes.
16 Select Prefix List from the Select Filter Type list.

Figure 15-70 Wireless Controller - BGP - Route Filter - Prefix List

17 Use the Type Prefix list field to filter the statistics based on the prefix of the route. Select Show Details to display the list of filtered routes.
18 Select Filter List from the Select Filter Type list.

Figure 15-71 Wireless Controller - BGP - Route Filter - Filter List

19 Use the Type Filter List field to filter the statistics based on the filter list of the route. Select Show Details to display the list of filtered routes.
20 Select Regular Expression from the Select Filter Type list.

Figure 15-72 Wireless Controller - BGP - Route Filter - Regular Expression
21 Use the Type Regular Expression field to filter the routes based on regular expressions. Select Show Details to display the list of filtered routes.
22 Select Route Map from the Select Filter Type list.

Figure 15-73 Wireless Controller - BGP - Route Filter - Route Map

23 Use the Type Route Map field to filter the routes based on route maps (enhanced packet filters). Select Show Details to display the list of filtered routes.
24 Select Expanded Community List from the Select Filter Type list.

Figure 15-74 Wireless Controller - BGP - Route Filter - Expanded Community

25 Use the Type Expanded list to filter routes based on route-maps. Select Show Details to display a list of filtered routes.
26 Select the State tab.

Figure 15-75 Wireless Controller - BGP - State

The State screen displays the following:

Maximum Routes Allowed: Lists the maximum number of routes allowed on the selected BGP wireless controller or service platform.
Routes Received: Lists the number of routes received from all the BGP peers.
Current Ignore Count: Lists the number of times the BGP daemon has been put in the Ignore state.
Ignore Count Allowed: Lists the maximum number of times the BGP daemon can be put in an Ignore state before entering a permanent ignore state.
Reset Time: Lists the time after which the ignore state count is reset to 0 and the BGP daemon continues in the state it was in previously.
Ignore Time: Lists the time duration after which the BGP daemon shall exit the Ignore state.
Current State: Lists the current state of this BGP route utilized on the wireless controller or service platform.

Select Refresh to update the statistic counters to their latest values.

15.3.18  RAID Statistics

RAID statistics are available to assist an administrator in assessing the status of the service platform’s RAID array, including each physical drive. The information within the RAID statistics screen is polled by the service platform from the RAID controller hardware, then forwarded to the WiNG operating system.

For information on setting the service platform drive array configuration as well as the diagnostic behavior of its member drives, refer to RAID Operations on page 14-19.

To view RAID statistics:

1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select RAID from the left-hand side of the UI.

NOTE: RAID controller drive arrays are available within NX7500 and NX9000 series service platforms (NX9000, NX9500 and NX9510 models) only. However, they can be administrated on behalf of a profile by a different model service platform or controller.
Figure 15-76 Wireless Controller - RAID Status screen

4 The Status field displays the following:

Size: Lists the size of the RAID drive array. The size is the total physical memory space available on the two physical drives comprising the active RAID controller.
State: Displays whether the drive array is currently in an optimal operation state or degraded, and in need of administration to perform diagnostics and perhaps prepare a standby drive for hot spare replacement.
Alarm Enable: Displays whether the RAID alarm has been enabled to sound the service platform’s chassis alarm upon detection of a RAID controller degradation event. The RAID alarm is enabled by default. For information on enabling or disabling the service platform RAID alarm, see General Profile Configuration on page 8-5.

5 Refer to the Last Check field to assess the time, progress and results of the RAID array’s most recent consistency check:

Date: Lists the date and time of the RAID controller’s most recent consistency check on the integrity of the drive array.
Result: Displays true for a successful RAID array consistency check and false for a failed consistency check. A false indication would trigger the service platform’s chassis alarm if RAID alarm is enabled.
Progress: Displays the progress of an in process consistency check in both percentage complete and minutes utilized (for example, 78%/116min).
6 Use the Physical Drives field to assess the RAID array’s drive utilization and whether the drives are currently online:

Slot: Lists the RAID array’s drive slot utilization. Since there is only one RAID array controller reporting status to the service platform, it’s important to know if other drive slots house hot spare drives available as additional resources should one of the dedicated drives fail.
State: Displays whether a physical slot within the RAID array has a drive installed, and whether the drive is currently online.

7 Select Refresh at any time to update the screen’s statistic counters to their latest value.

15.3.19  Power Status

Periodically review the controller or service platform power status to assess the power budget and PoE capability (if supported).

PoE is supported on RFS4000 and RFS6000 model controllers.

To view Power Status statistics:

1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select Power Status from the left-hand side of the UI.
Figure 15-77 Wireless Controller - Power Status screen

The Power Status provides the following information for supported controllers or service platforms:

Device: Displays the administrator assigned device name for the controller or service platform.
Temperature: Displays the internal system temperature for the controller or service platform.
PoE Enabled: Displays whether or not Power over Ethernet (PoE) is enabled for the controller or service platform. When enabled, the controller or service platform supports 802.3af PoE on each of its ge ports. The PoE allows users to monitor port power consumption and configure power usage limits and priorities for each ge port.
Power Limit: Displays the total watts available for Power over Ethernet on the controller or service platform. The value should be between 0 - 40 watts.
Port Name: Displays the GE port name on the controller or service platform.
Priority: Displays the power priority for the listed port as either Critical, High or Low. This is the priority assigned to this port versus the power requirements of the other ports available on the controller or service platform.
System Voltage: Displays the total current system voltage for the controller or service platform.
System Guard Band: Displays the amount of voltage allocated to a System Guard Band. A System Guard Band is an amount of voltage allocated to prevent power loss or cycling on connected PoE devices when the power draw goes above the PoE Power Budget.
Power Budget: Displays the total amount of voltage on the controller or service platform allocated for use in Power over Ethernet.
Power Consumption: Displays the current amount of power being consumed by PoE devices on the controller or service platform.
Non-Standard PoE power budget: Displays the amount of voltage allocated to non 802.3af or 802.3at PoE devices.
Port Name: Displays the GE port name for each PoE capable port on the controller or service platform.
Voltage: Displays the voltage in use by each PoE capable port on the controller or service platform.
Current: Displays the amount of current in milliwatts being used by each PoE capable port on the controller or service platform.
Power: Displays whether or not each PoE capable port on the controller or service platform is providing power.
Class Type: Displays the PoE class type including 802.3af, 802.3at and non-standard PoE types.
Port Status: Displays the status of each PoE capable port on the controller or service platform. It will display either Enabled or Disabled.
Refresh: Select Refresh to update the statistics counters to their latest value.

15.3.20  PPPoE

The PPPoE statistics screen displays stats derived from the PPPoE capable controller or service platform’s access to high-speed data and broadband networks. PPPoE uses standard encryption, authentication, and compression methods as specified by the PPPoE protocol. PPPoE enables a point-to-point connection to an ISP over an existing Ethernet interface.

Power over Ethernet is supported on RFS4000 and RFS6000 model controllers. When enabled, the controller supports 802.3af PoE on each of its ge ports.

To review a selected controller or service platform’s PPPoE statistics:

1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select PPPoE from the left-hand side of the UI.
Figure 15-78 Wireless Controller - PPPoE screen

The Configuration Information field displays the following:

Shutdown: Displays whether a high speed client mode point-to-point connection has been enabled using the PPPoE protocol. A green checkmark defines the connection as enabled. A red X defines the connection as shutdown.
Service: Lists the 128 character maximum PPPoE client service name provided by the service provider.
DSL Modem Network (VLAN): Displays the PPPoE VLAN (client local network) connected to the DSL modem. This is the local network connected to the DSL modem.
Authentication Type: Lists the authentication type used by the PPPoE client whose credentials must be shared by its peer. Supported authentication options include None, PAP, CHAP, MSCHAP, and MSCHAP-v2.
Username: Displays the 64 character maximum username used for authentication support by the PPPoE client.
Password: Displays the 64 character maximum password used for authentication by the PPPoE client.
Client Idle Timeout: The controller or service platform uses the listed timeout so it does not sit idle waiting for input from a PPPoE client and the server that may never come.
Keep Alive: If a keep alive is utilized (enabled displays a green checkmark, disabled a red X) the point-to-point connection to the PPPoE client is continuously maintained and not timed out.
Maximum Transmission Unit (MTU): Displays the PPPoE client maximum transmission unit (MTU) from 500 - 1,492. The MTU is the largest physical packet size in bytes a network can transmit. Any messages larger than the MTU are divided into smaller packets before being sent. A PPPoE client should be able to maintain its point-to-point connection for this defined MTU size.
4 Refer to the Connection Status field.

The Connection Status table lists the MAC address, SID, Service information, MTU and status of each route destination peer. To provide this point-to-point connection, each PPPoE session learns the Ethernet address of a remote PPPoE client, and establishes a session. PPPoE uses both a discover and session phase to identify a client and establish a point-to-point connection. By using such a connection, a wireless WAN failover is available to maintain seamless network access if the Wired WAN were to fail.

5 Select the Refresh button to update the screen’s statistics counters to their latest values.

15.3.21  OSPF

Open Shortest Path First (OSPF) is a link-state interior gateway protocol (IGP). OSPF routes IP packets within a single routing domain (autonomous system), like an enterprise LAN. OSPF gathers link state information from neighbor routers and constructs a network topology. The topology determines the routing table presented to the Internet Layer which makes routing decisions based solely on the destination IP address found in IP packets.

Refer to the following for detailed descriptions of the tabs available within the OSPF statistics screen:

• OSPF Summary
• OSPF Neighbors
• OSPF Area Details
• OSPF Route Statistics
• OSPF Interface
• OSPF State

15.3.21.1  OSPF Summary

To view OSPF summary statistics:

1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select OSPF from the left-hand side of the UI.
Figure 15-79 Wireless Controller - OSPF Summary tab

The Summary tab describes the following data fields:

General: The general field displays the router ID assigned for this OSPF connection, RFC compliance information and LSA data.
ABR/ASBR Details: Lists Autonomous System Boundary Router (ASBR) data relevant to OSPF routing, including the ASBR, ABR and ABR type. An Area Border Router (ABR) is a router that connects one or more areas to the main backbone network. It is considered a member of all areas it is connected to. An ABR keeps multiple copies of the link-state database in memory, one for each area to which that router is connected. An ASBR is a router connected to more than one routing protocol and exchanges routing information with routers in other protocols. ASBRs typically also run an exterior routing protocol (for example, BGP), or use static routes, or both. An ASBR is used to distribute routes received from other, external ASs throughout its own autonomous system. Routers in other areas use the ABR as next hop to access external addresses. Then the ABR forwards packets to the ASBR announcing the external addresses.
SPF: Refer to the SPF field to assess the status of the shortest path forwarding (SPF) execution, last SPF execution, SPF delay, SPF due in, SPF hold multiplier, SPF hold time, SPF maximum hold time and SPF timer due flag.
Stub Router: The summary screen displays information relating to stub router advertisements and shutdown and startup times. An OSPF stub router advertisement allows a new router into a network without immediately routing traffic through the new router and allows a graceful shut down or reload of a router without dropping packets that are destined for other networks. This feature introduces three configuration options that allow you to configure a router that is running the OSPF protocol to advertise a maximum or infinite metric to all neighbors.

4 Select the Refresh button to update the statistics counters to their latest values.

15.3.21.2  OSPF Neighbors

OSPF establishes neighbor relationships to exchange routing updates with other routers. A controller or service platform supporting OSPF sends hello packets to discover neighbors and elect a designated router. The hello packet includes link state information and a list of neighbors. OSPF is savvy with layer 2 topologies. If on a point-to-point link, OSPF knows it is sufficient, and the link stays up. If on a broadcast link, the router waits for election before determining if the link is functional.

To view OSPF neighbor statistics:

1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select OSPF from the left-hand side of the UI.
4 Select the Neighbor Info tab.

Figure 15-80 Wireless Controller - OSPF Neighbor Info tab
The Neighbor Info tab describes the following:

Router ID: Displays the router ID assigned for this OSPF connection. The router is a level three Internet Protocol packet switch. This ID must be established in every OSPF instance. If not explicitly configured, the highest logical IP address is duplicated as the router identifier. However, since the router identifier is not an IP address, it does not have to be a part of any routable subnet in the network.
Neighbor Priority: Displays each listed neighbor’s priority in respect to becoming the designated router managing the OSPF connection. The designated router is the router interface elected among all routers on a particular multi-access network segment.
IF Name: Lists the name assigned to the router interface used to support connections amongst OSPF enabled neighbors.
Neighbor Address: Lists the IP address of the neighbor sharing the router interface with each listed router ID.
Request Count: Lists the connection request count (hello packets) to connect to the router interface, discover neighbors and elect a designated router.
Retransmit Count: Lists the connection retransmission count attempted in order to connect to the router interface, discover neighbors and elect a designated router. A designated router (DR) is the router interface elected among all routers on a particular multi-access network segment, generally assumed to be broadcast.
Dead Time: Lists the dead time between neighbors in the network topology that are currently utilizing the listed router ID.
Self Neighbor State: Displays the self-neighbor status assessment used to discover neighbors and elect a designated router.
Source Address: Displays the single source address used by all neighbor routers to obtain topology and connection status. This form of multicasting significantly reduces network load.
Summary Count: Routes that originate from other areas are called summary routes. Summary routes are not flooded in a totally stubby or NSSA totally stubby area.

5 Select the Refresh button to update the statistics counters to their latest values.

15.3.21.3  OSPF Area Details

An OSPF network is subdivided into routing areas (with 32 bit area identifiers) to simplify administration and optimize traffic utilization. Areas are logical groupings of hosts and networks, including routers having interfaces connected to an included network. Each area maintains a separate link state database whose information may be summarized towards the rest of the network. An OSPF Area contains a set of routers exchanging Link State Advertisements (LSAs) with others in the same area. Areas limit LSAs and encourage aggregate routes. Areas are identified by 32-bit IDs, expressed either in decimal, or octet-based dot-decimal notation.

To view OSPF area statistics:

1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select OSPF from the left-hand side of the UI.
4 Select the Area Details tab.

Figure 15-81 Wireless Controller - OSPF Area Details tab

The Area Details tab describes the following:

OSPF Area ID: Lists the connection request count (hello packets) to connect to the router interface, discover neighbors and elect a designated router.
OSPF INF: Lists the interface ID (virtual interface for dynamic OSPF routes) supporting each listed OSPF area ID.
Fully adj numbers: Fully adjusted numbers strip away the effects of other non OSPF and LSA factors and events, leaving only relevant OSPF area network route events counted.
Auth Type: Lists the authentication schemes used to validate the credentials of dynamic route connections and their areas.
Total LSA: Lists the Link State Advertisements (LSAs) of all entities using the dynamic route (in any direction) in the listed area ID.
Router LSA: Lists the Link State Advertisements of the router supporting each listed area ID. The router LSA reports active router interfaces, IP addresses, and neighbors.
Network LSA: Displays which routers are joined together by the designated router on a broadcast segment (e.g. Ethernet). Type 2 LSAs are flooded across their own area only. The link state ID of the type 2 LSA is the IP interface address of the designated router.
Summary LSA: The summary LSA is generated by an ABR to leak area summary address info into other areas. An ABR generates more than one summary LSA for an area if the area addresses cannot be properly aggregated by only one prefix.
ASBR Summary LSA: Originated by ABRs when an ASBR is present to let other areas know where the ASBR is. These are supported just like summary LSAs.
NSSA LSA: Routers in a Not-so-stubby-area (NSSA) do not receive external LSAs from Area Border Routers, but are allowed to send external routing information for redistribution. They use type 7 LSAs to tell the ABRs about these external routes, which the Area Border Router then translates to type 5 external LSAs and floods as normal to the rest of the OSPF network. Redistribution into an NSSA area creates a special type of LSA known as TYPE 7, which can exist only in an NSSA area. An NSSA ASBR generates this LSA, and an NSSA ABR router translates it into type 5 LSA which gets propagated into the OSPF domain.
Opaque Area LSA CSUM: Displays the Type-10 opaque link area checksum with the complete contents of the LSA.
Opaque link CSUM: Displays the Type-10 opaque link checksum with the complete contents of the LSA.

5 Select the Refresh button to update the statistics counters to their latest values.

15.3.21.4  OSPF Route Statistics

Refer to the Routes tab to assess the status of OSPF Border Routes, External Routes, Network Routes and Router Routes.

To view OSPF route statistics:

1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select OSPF from the left-hand side of the UI.
4 Select the Routes tab. Border Routes display by default.

An area border router (ABR) connects (links) more than one area. Usually an ABR is used to connect non-backbone areas to the backbone. If OSPF virtual links are used an ABR will also be used to connect the area using the virtual link to another non-backbone area. Border routes use internal OSPF routing table entries to an ABR or Autonomous System Boundary Router (ASBR). Border routers maintain an LSDB for each area supported. They also participate in the backbone.

5 Refer to the External Routes tab.
Figure 15-82 Wireless Controller - OSPF External Routes tab

External routes are external to the area, originate from other routing protocols (or different OSPF processes) and are inserted into OSPF using redistribution. A stub area is configured not to carry external routes. Each external route can be tagged by the advertising router, enabling the passing of additional information between routers on the boundary of the autonomous system.

The External Routes tab displays a list of external routes, the area impacted, cost, path type, tag and type 2 cost. Cost factors may be the distance of a router (round-trip time), network throughput of a link, or link availability and reliability, expressed as simple unit-less numbers. This provides a dynamic process of traffic load balancing between routes of equal cost.

6 Refer to the Network Routes tab.
Figure 15-83 Wireless Controller - OSPF Network Routes tab

Network routes support more than two routers, with the capability of addressing a single physical message to all attached routers (broadcast). Neighboring routers are discovered dynamically using OSPF hello messages. This use of the hello protocol takes advantage of broadcast capability. An OSPF network route makes further use of multicast capabilities, if they exist. Each pair of routers on the network is assumed to communicate directly. The network tab displays the network name, impacted OSPF area, cost, destination and path type.

7 Select the Router Routes tab.
Figure 15-84 Wireless Controller - OSPF Router Routes tab

An internal (or router) route connects to one single OSPF area. All of its interfaces connect to the area in which it is located and do not connect to any other area.

8 Select the Refresh button (within any of the four OSPF Routes tabs) to update the statistics counters to their latest values.

15.3.21.5 OSPF Interface

An OSPF interface is the connection between a router and one of its attached networks. An interface has state information associated with it, which is obtained from the underlying lower level protocols and the routing protocol itself. A network interface has a single associated IP address and mask (unless the network is an unnumbered point-to-point network). An interface is sometimes also referred to as a link.

To view OSPF interface statistics:

1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select OSPF from the left-hand side of the UI.
4 Select the OSPF Interface tab.
Figure 15-85 Wireless Controller - OSPF Interface tab

The OSPF Interface tab describes the following:

Interface Name: Displays the IP addresses and mask defined as the virtual interface for dynamic OSPF routes. Zero config and DHCP can be used to generate route addresses, or a primary and secondary address can be manually provided.
Interface Index: Lists the numerical index used for the OSPF interface. This interface ID is in the hello packets establishing the OSPF network connection.
Bandwidth(kb): Lists the OSPF interface bandwidth (in Kbps) from 1 - 10,000,000.
Interface flags: Displays the flag used to determine the interface status and how to proceed.
MTU: Lists the OSPF interface maximum transmission unit (MTU) size. The MTU is the largest physical packet size (in bytes) a network can transmit. Any packets larger than the MTU are divided into smaller packets before being sent.
OSPF Enabled: Lists whether OSPF has been enabled for each listed interface. OSPF is disabled by default.
UP/DOWN: Displays whether the OSPF interface (the dynamic route) is currently up or down for each listed interface. An OSPF interface is the connection between a router and one of its attached networks.

5 Select the Refresh button to update the statistics counters to their latest values.

15.3.21.6 OSPF State

An OSPF enabled controller or service platform sends hello packets to discover neighbors and elect a designated router for dynamic links. The hello packet includes link state data periodically updated on all OSPF members. The controller or service platform tracks link state information to help assess the health of the OSPF dynamic route.
To view OSPF state statistics:

1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select OSPF from the left-hand side of the UI.
4 Select the OSPF State tab.

Figure 15-86 Wireless Controller - OSPF State tab

The OSPF State tab describes the following:

OSPF state: Displays the OSPF link state amongst neighbors within the OSPF topology. Link state information is maintained in a link-state database (LSDB) which is a tree image of the entire network topology. Identical copies of the LSDB are periodically updated through flooding on all OSPF supported nodes. Flooding is the part of the OSPF protocol that distributes and synchronizes the link-state database between OSPF routers.
OSPF ignore state count: Lists the number of times state requests have been ignored between the controller or service platform and its peers within this OSPF supported broadcast domain.
OSPF ignore state monitor timeout: Displays the timeout that, when exceeded, prohibits the controller or service platform from detecting changes to the OSPF link state.
OSPF ignore state timeout: Displays the timeout that, when exceeded, returns the controller or service platform back to state assessment amongst neighbors in the OSPF topology.
OSPF max ignore state count: Displays whether an OSPF state timeout is being ignored and not utilized in the transmission of state update requests amongst neighbors within the OSPF topology.
OSPF max routes: States the maximum number of routes negotiated amongst neighbors within the OSPF topology.
OSPF routes received: Lists the routes received and negotiated amongst neighbors within the OSPF topology.

5 Select the Refresh button to update the statistics counters to their latest values.

15.3.22 L2TPv3

Use L2TP V3 to create tunnels for transporting layer 2 frames. L2TP V3 enables a controller or service platform to create tunnels for transporting Ethernet frames to and from bridge VLANs and physical ports. L2TP V3 tunnels can be defined between WiNG devices and other devices supporting the L2TP V3 protocol.

To review a selected controller or service platform’s L2TPv3 statistics:

6 Select the Statistics menu from the Web UI.
7 Select a Wireless Controller node from the left navigation pane.
8 Select L2TPv3 Tunnels.

Figure 15-87 Wireless Controller - L2TPv3 screen
The L2TPv3 screen displays the following:

Tunnel Name: Displays the name of each listed L2TPv3 tunnel assigned upon creation. Each listed tunnel name can be selected as a link to display session data specific to that tunnel. The Sessions screen displays cookie size information as well as pseudowire information specific to the selected tunnel. Data is also available to define whether the tunnel is a trunk session and whether tagged VLANs are used. The number of transmitted, received and dropped packets also display to provide a throughput assessment of the tunnel connection. Each listed session name can also be selected as a link to display VLAN information specific to that session. The VLAN Details screen lists those VLANs used as an interface in L2TP tunnel establishment.
Local Address: Lists the IP address assigned as the local tunnel end point address, not the tunnel interface’s IP address. This IP is used as the tunnel source IP address. If a local address is not specified, the source IP address is chosen automatically based on the tunnel peer IP address.
Peer Address: Lists the IP address of the L2TP tunnel peer establishing the tunnel connection.
Tunnel State: States whether the tunnel is Idle (not utilized by peers) or is currently active.
Peer Host Name: Lists the assigned peer hostname used as matching criteria in the tunnel establishment process.
Peer Control Connection ID: Displays the numeric identifier for the tunnel session. This is the peer pseudowire ID for the session. The source and destination IDs are exchanged in session establishment messages with the L2TP peer.
Control Connection ID: Displays the router ID(s) sent in tunnel establishment messages with a potential peer device.
Up Time: Lists the amount of time the L2TP connection has remained established amongst peers sharing the L2TPv3 tunnel connection. The Up Time is displayed in a Days: Hours: Minutes: Seconds: format. If D:0 H:0 M:0 S:0 is displayed, the tunnel connection is not currently established.
Encapsulation Protocol: Displays either IP or UDP as the peer encapsulation protocol. The default setting is IP. UDP uses a simple transmission model without implicit handshakes. Tunneling is also called encapsulation. Tunneling works by encapsulating a network protocol within packets carried by the second network.
Critical Resource: Displays monitored critical resources. Critical resources are device IP addresses or interface destinations interpreted as critical to the health of the network. Critical resources allow for the continuous monitoring of these defined addresses. A critical resource, if not available, can result in the network suffering performance degradation. A critical resource can be a gateway, AAA server, WAN interface or any hardware or service on which the stability of the network depends.
VRRP Group: Lists a VRRP group ID (if utilized). A VRRP group is only enabled when the establishment criteria is set to vrrp-master. A VRRP master responds to ARP requests, forwards packets with a destination link MAC layer address equal to the virtual router MAC layer address, rejects packets addressed to the IP associated with the virtual router and accepts packets addressed to the IP associated with the virtual router.
Establishment Criteria: Displays the tunnel establishment criteria for this tunnel. Tunnel establishment involves exchanging 3 message types (SCCRQ, SCCRP and SCCN) with the peer. Tunnel IDs and capabilities are exchanged during the tunnel establishment with the host.
Refresh: Select the Refresh button to update the screen’s statistics counters to their latest value.

9 To view per-session statistics for a specific L2TPv3 tunnel, click the Tunnel Name link. The sessions for the selected L2TPv3 tunnel are displayed.
10 Click the VLAN ID of the desired session to display session statistics.

15.3.23 VRRP

The VRRP statistics screen displays Virtual Router Redundancy Protocol (VRRP) configuration statistics supporting router redundancy in a wireless network requiring high availability.

To review a selected controller or service platform’s VRRP statistics:

1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select VRRP.

Figure 15-88 Wireless Controller - VRRP screen
4 Refer to the Global Error Status field to review the various sources of packet errors logged during the implementation of the virtual route.

Errors include the mismatch of authentication credentials, invalid packet checksums, invalid packet types, invalid virtual route IDs, TTL errors, packet length errors and invalid (non matching) VRRP versions.

5 Refer to the Router Operations Summary for the following status:

VRID: Lists a numerical index (1 - 254) used to differentiate VRRP configurations. The index is assigned when a VRRP configuration is initially defined. This ID identifies the virtual router a packet is reporting status for. The ID displays as a link that can optionally be selected to list the ID’s VRRP information in greater detail.
Virtual IP Address: Lists the virtual interface IP address used as the redundant gateway address for the virtual route.
Master IP Address: Displays the IP address of the elected VRRP master. A VRRP master (once elected) responds to ARP requests, forwards packets with a destination link layer MAC address equal to the virtual router MAC address, rejects packets addressed to the IP address associated with the virtual router and accepts packets addressed to the IP address associated with the virtual router.
Interface Name: Displays the interfaces selected to supply VRRP redundancy failover support.
Version: Displays VRRP version 3 (RFC 5798) or 2 (RFC 3768) as selected to set the router redundancy. Version 3 supports sub-second (centisecond) VRRP failover and supports services over virtual IP.
State: Displays the current state of each listed virtual router ID.
Clear Router Status: Select the Clear Router Status button to clear the Router Operations Summary table values to zero and begin new data collections.
Clear Global Error Status: Select the Clear Global Error Status button to clear the Global Error Status table values to zero and begin new data collections.
Refresh: Select the Refresh button to update the screen’s statistics counters to their latest values.

6 Optionally select a VRID to list the ID’s VRRP information in greater detail.
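The Global Error Status sources listed in step 4 correspond to the receive-side checks a VRRP router applies to each advertisement. The following Python example is added here and is not WiNG code: it applies those checks to VRRPv2 (RFC 3768) advertisements and tallies rejections by category. The function names, counter labels and sample packets are constructed for illustration, and the VRRPv3 checksum (which adds a pseudo-header) is out of scope.

```python
import socket
import struct
from collections import Counter

VRRP_ADVERTISEMENT = 1   # the only packet type RFC 3768 defines
AUTH_NONE = 0            # RFC 3768 auth type 0 (no authentication)
VRRP_VERSION = 2         # this example validates the VRRPv2 layout only


def inet_checksum(data: bytes) -> int:
    """16-bit one's complement of the one's complement sum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_advert(vrid, priority, addrs, version=VRRP_VERSION,
                 ptype=VRRP_ADVERTISEMENT, auth_type=AUTH_NONE, adver_int=1):
    """Build a VRRPv2-layout advertisement with a valid checksum (test input)."""
    head = struct.pack("!BBBBBB", (version << 4) | ptype, vrid, priority,
                       len(addrs), auth_type, adver_int)
    tail = b"".join(socket.inet_aton(a) for a in addrs) + b"\x00" * 8
    csum = inet_checksum(head + b"\x00\x00" + tail)
    return head + struct.pack("!H", csum) + tail


def classify(payload, ip_ttl, local_vrids, expected_auth=AUTH_NONE):
    """Return None if the advertisement is accepted, else the error category."""
    # TTL must be 255: a lower value means the packet crossed a router,
    # so it cannot have come from a peer on the local segment.
    if ip_ttl != 255:
        return "ttl"
    if len(payload) < 8:
        return "length"
    ver_type, vrid, _prio, count, auth_type, _adv, _csum = struct.unpack(
        "!BBBBBBH", payload[:8])
    if ver_type >> 4 != VRRP_VERSION:
        return "version"
    if ver_type & 0x0F != VRRP_ADVERTISEMENT:
        return "type"
    # Fixed header (8) + one IPv4 address per count + 8 bytes of auth data.
    if len(payload) != 8 + 4 * count + 8:
        return "length"
    # Summing a message that includes a correct checksum yields zero.
    if inet_checksum(payload) != 0:
        return "checksum"
    if vrid not in local_vrids:
        return "vrid"
    if auth_type != expected_auth:
        return "auth"
    return None


def tally(samples, local_vrids):
    """Count accepted packets and rejections per error category."""
    counts = Counter()
    for ip_ttl, payload in samples:
        counts[classify(payload, ip_ttl, local_vrids) or "accepted"] += 1
    return counts


# Constructed samples: (IP TTL, VRRP payload). 192.0.2.1 is a documentation address.
_good = build_advert(10, 100, ["192.0.2.1"])
SAMPLES = [
    (255, _good),                                            # valid
    (64, _good),                                             # arrived via a router
    (255, _good[:-4]),                                       # truncated
    (255, build_advert(10, 100, ["192.0.2.1"], version=3)),  # version mismatch
    (255, build_advert(10, 100, ["192.0.2.1"], ptype=2)),    # unknown type
    (255, _good[:2] + b"\xff" + _good[3:]),                  # priority altered, stale checksum
    (255, build_advert(99, 100, ["192.0.2.1"])),             # VRID not configured locally
    (255, build_advert(10, 100, ["192.0.2.1"], auth_type=1)),  # auth type mismatch
]

if __name__ == "__main__":
    for kind, n in sorted(tally(SAMPLES, {10}).items()):
        print(f"{kind:10s} {n}")
```

A counter that keeps climbing in one category, particularly TTL, VRID or authentication errors, is worth correlating with a packet capture on the VRRP interface.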
Figure 15-89 Wireless Controller - VRRP VRID Detail screen

7 The Configuration field lists the following for the selected VRID:

VRID: Lists this selected ID’s assigned ID. The index is assigned when a VRRP configuration is initially defined. This ID identifies the virtual router a packet is reporting status for.
Interface: Displays the interfaces selected to supply VRRP redundancy failover support.
Version: Displays the VRRP version scheme used with the configuration. VRRP version 3 (RFC 5798) and 2 (RFC 3768) are selectable to set the router redundancy. Version 3 supports sub-second (centisecond) VRRP failover and supports services over virtual IP. For more information on the VRRP protocol specifications (available publicly) refer to http://www.ietf.org/rfc/rfc3768.txt (version 2) and http://www.ietf.org/rfc/rfc5798.txt (version 3).
Priority: Lists the ID’s numerical value (from 1 - 254) used for the virtual router master election process. The higher the numerical value, the higher the priority in the election process.
Delta Priority: Displays the configured priority (by the set value) when the monitored interface is down. When critical resource monitoring, the configured value is incremented by the value defined.
CRM Down Action: Lists the critical resource down action applied to this listed VRID.
No. of Virtual IP Address: Lists the number of virtual interface IP addresses used as the redundant gateway address for the virtual route.
Virtual IP Addresses: Lists the virtual interface IP address set as the redundant gateway address for the virtual route.
Advertisement Interval: Lists the interval for unsolicited router assignments. The advertisement interval is the minimum interval between sending router updates. Sending too many updates creates flapping of routes leading to possible disruption.
Sync Group: Lists whether a VRRP sync group is assigned to this VRRP ID’s group of virtual IP addresses. This triggers VRRP failover if an advertisement is not received from the virtual masters that are part of this VRRP sync group.
Preempt: Lists whether preempt is enabled for the selected ID. Preempt ensures a high priority backup router is available to preempt a lower priority backup router resource. The default setting is enabled. When selected, the preempt delay option becomes enabled to set the actual delay interval for pre-emption. This setting determines if a node with a higher priority can take over all the Virtual IPs from the nodes with a lower priority.
Preempt Delay: If preempt is enabled, this item lists the delay interval (in seconds) for pre-emption.

8 The Operational State field lists the following for the selected VRID:

Virtual MAC Address: Lists the alpha numeric virtual MAC address utilized by the selected VRID.
Local IP Address: This address represents an alternative to an interface IP address. The last byte of the address (XX) is the VRID, which is different for each virtual router in the network.
Critical Resource: Displays the critical resource currently utilized by the selected VRID.
CRM Status: Lists operational network status of the critical resource used by this VRID.
Sync Group Failure: Lists any sync failures detected with the sync group of virtual IP addresses.
Interface Status: Lists the operational network status of the interfaces selected to supply VRRP redundancy failover support.

9 The Router Status field lists the following router performance and error data:

Master Transitions: Lists the number of transitions to master router designation that have occurred with this VRID’s router.
Master Reason: Displays an event message with respect to the dedicated VRRP router’s availability.
Advertisement Pkts Received: Lists the number of router advertisements received by this selected VRID. Router advertisements are periodically sent to hosts or sent in response to solicitation requests. Router advertisements contain prefixes used for link determination, address configuration and maximum hop limits.
Advertisement Interval Errors: Lists this VRID’s number of advertisement prefix errors for link determination, address configuration and maximum hop limits.
Advertisement Pkts Sent: Lists the number of router advertisements sent by this selected VRID. Router advertisements are periodically sent to hosts or sent in response to solicitation requests. Router advertisements contain prefixes used for link determination, address configuration and maximum hop limits.
Received Pkts in Init State: Lists the number of packets received by the selected VRID when a router receives a hello packet but the local router ID is not listed in the received neighbor field. This means bidirectional communication has not been established.
Received Pkts with Priority Zero: Lists this VRID’s number of received packets with a value of zero.
Sent Pkts with Priority Zero: Lists this VRID’s number of sent packets with a value of zero.
Address List Errors: Lists the number of router event errors detected where an address could not be resolved and bidirectional communication could not be established.

10 Refer to the Monitor Interface field to assess the names of this VRID’s interface utilization and their respective statuses.

15.3.24 Critical Resources

The Critical Resources statistics screen displays a list of device IP addresses on the network (gateways, routers etc.). These defined IP addresses are critical to the health of the controller or service platform managed network. These device addresses are pinged regularly by the Access Point. If there is a connectivity issue, an event is generated stating a critical resource is unavailable.

To view controller or service platform Critical Resource statistics:

1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select Critical Resource from the left-hand side of the UI.

Figure 15-90 Wireless Controller - Critical Resource screen

4 Refer to the General field to assess the Monitor Interval and Monitor Using Flows Interval used to poll for updates from the critical resource IP listed for Source IP For Port-Limited Monitoring. Monitoring Retries before Marking Resource as DOWN are the number of retry connection attempts permitted before this listed resource is defined as down (offline).
5 Refer to the following List of Critical Resources:

Critical Resource Name: Lists the name of the resource being monitored by the controller or service platform.
Via: Lists the VLAN used by the critical resource as a virtual interface. The VLAN displays as a link that can be selected to list configuration and network address information in greater detail.
Status: Defines the operational state of each listed critical resource VLAN interface (Up or Down).
Error Reason: Provides an error status as to why the critical resource is not available over its designated VLAN.
Mode: Defines the operational state of each listed critical resource (up or down).
Refresh: Select Refresh to update the statistics counters to their latest values.

15.3.25 LDAP Agent Status

When LDAP has been specified as an external resource (as opposed to local RADIUS resources) to validate PEAP-MS-CHAP v2 authentication requests, user credentials and password information need to be made available locally to successfully connect to the external LDAP server. Up to two LDAP Agents (primary and secondary external resources) can be defined as external resources for PEAP-MS-CHAP v2 authentication requests. For more information on setting LDAP agents as part of the RADIUS server policy, see Configuring RADIUS Server Policies on page 11-57.

To view controller or service platform LDAP agent statistics:

1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select LDAP Agent Status from the left-hand side of the UI.

Figure 15-91 Wireless Controller - LDAP Agent Status screen
The LDAP Agent Status screen displays the following:

LDAP Agent Primary: Lists the primary IP address of a remote LDAP server resource used by the controller or service platform to validate PEAP-MS-CHAP v2 authentication requests. When a RADIUS server policy’s data source is set to LDAP, this is the first resource for authentication requests.
LDAP Agent Secondary: Lists the secondary IP address of a remote LDAP server resource used by the controller or service platform to validate PEAP-MS-CHAP v2 authentication requests. When a RADIUS server policy’s data source is set to LDAP, this is the second resource for authentication requests.
Message: Displays any system message generated in the controller or service platform’s connection with the primary or secondary LDAP agent. If there’s a problem with the username and password used to connect to the LDAP agent it would be listed here.
Status: Displays whether the controller or service platform has successfully joined the remote LDAP server domain designated to externally validate PEAP-MS-CHAP v2 authentication requests.
Refresh: Select Refresh to update the statistics counters to their latest values.

15.3.26 Mint Links

Wireless controllers and Access Points use the MiNT protocol as the primary means of device discovery and communication for Access Point adoption and management. MiNT provides a mechanism to discover neighbor devices in the network, and exchange packets between devices regardless of how these devices are connected (L2 or L3).

MiNT provides the means to secure communications at the transport layer. Using MiNT, a device can be configured to only communicate with other authorized (MiNT enabled) devices of the same model. MiNT links can be established over a VLAN (among Access Points on a VLAN) or IP (remote Access Point to controller).

MiNT links are automatically created between controllers and Access Points during adoption using MLCP (MiNT Link Creation Protocol). They can also be manually created between a controller and Access Point (or) between Access Points. MiNT links are manually created between controllers while configuring a cluster.

Level 2 (or) remote MiNT links are controller aware links, and require an IP network for communication. These level 2 MiNT links at Access Points are intended for remote Adaptive AP deployment and management from the NOC. With level 2 MiNT links, Access Points are only aware of the controllers and not about other Access Points. Level 2 MiNT links also provide partitioning between Access Points deployed at various remote sites.

To view controller or service platform Mint link statistics:

1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select Mint Links from the left-hand side of the UI.
Figure 15-92 Wireless Controller - Mint Links screen

The Mint Links screen lists the name of the impacted VLAN or link in the form of a link that can be selected to display more granular information about that VLAN. A green check mark or a red X defines whether the listed VLAN is listening to traffic, forced to stay up or unused with the Mint link. The level column specifies whether the listed Mint link is a traditional switching link (level 2) or a routing link (level 3). The type column defines whether the listed Mint link is a VLAN or an IPv4 or IPv6 type network address. The dis column lists how each link was discovered.

Refer to the secure column to assess whether the listed links are isolated between peers. The local ip column lists the IP address assigned as the link’s end point address, not the interface’s IP address. The natted column lists whether the link is NAT enabled or disabled for modifying network address information in IP packet headers in transit. The cost defines the cost for a packet to travel from its originating port to its end point destination.

The hello seq number and hello interval define the interval between hello keep alive messages between link end points. The adj hold time sets the time after the last hello packet when the connection between end points is defined as lost.

The static and dynamic link columns state whether each listed link is a static route using a manually configured route entry, or a dynamic route characterized by its destination. The rim column defines whether the listed link is managed remotely. The control vlan column states whether the listed link has been enabled as a control VLAN. Lastly, the clustering column states whether listed link members discover and establish connections to other peers and provide self-healing in the event of cluster member failure.

4 Periodically select Refresh to update the screen’s data counters to their latest values.
5 If needed, select a Mint link from the name column to display more granular information for that link.
Figure 15-93 Wireless Controller - Mint Link Details screen

The first table lists the Mint link’s name and level, specifying whether the Mint link is a traditional switching link (level 2) or a routing link (level 3). The cost defines the cost for a packet to travel from its originating port to its end point destination. The hello interval lists the time between hello keep alive messages between link end points. The adj hold time sets the time after the last hello packet when the connection between end points is defined as lost.

The Adjacencies table lists neighbor devices by their hardware identifiers and operational state to help determine their availability as Mint link end points and peers. The up time lists the selected link’s detection on the network and the last hello lists when the last hello message was exchanged.

6 Periodically select Refresh to update the statistics counters to their latest values.

15.3.27 Guest Users

A captive portal is an access policy for providing guests temporary and restrictive access to the wireless network. A captive portal configuration provides secure authenticated access using a standard Web browser. Captive portals provide authenticated access by capturing and re-directing a wireless user's Web browser session to a captive portal login page where the user must enter valid credentials to access the network. Captive portals can have their access durations set by an administrator to either provide temporary access to the controller or service platform managed network or provide access without limitations.

For information on setting captive portal duration and authentication settings, refer to Configuring Captive Portal Policies on page 11-1.

To view the controller or service platform guest user utilization:

1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select Guest Users from the left-hand side of the UI.
Figure 15-94 Wireless Controller - Guest Users screen

The Guest Users screen describes the following:

Name: Lists the administrator assigned name of the client utilizing the controller or service platform for guest access to the wireless network.
Configured Time (days:hrs:mins:secs): Displays the restricted permissions each listed client was initially configured for their captive portal guest user session with this managing controller or service platform.
Remaining Time (days:hrs:mins:secs): Displays the time each listed client has remaining in their captive portal guest user session with this managing controller or service platform.
Configured Kilobytes: Lists the maximum configured bandwidth consumable by the listed guest user (in kilobytes).
Remaining Kilobytes: Lists the remaining bandwidth available to the listed guest user (in kilobytes). This is the difference between the configured (maximum) bandwidth and the user’s current utilization.
Configured Downlink Rate (kbps): Specifies the download speed configured for the listed guest user. When bandwidth is available, the user can download data at the specified rate (in kilobytes per second). If a guest user has a bandwidth based policy and exceeds the specified data limit, their speed is throttled to the defined reduced downlink rate. For more information, refer to Defining User Pools on page 11-53.
Configured Uplink Rate (kbps): Specifies the upload speed dedicated to the listed guest user. When bandwidth is available, the user is able to upload data at the specified rate (in kilobytes per second). If a guest user has a bandwidth based policy and exceeds the specified data limit, their speed is throttled to the reduced uplink rate. For more information, refer to Defining User Pools on page 11-53.
Current Downlink Rate (Kbps): Lists the listed guest user’s current downlink rate in kbps. Use this information to assess whether this user’s configured downlink rate is adequate for their session requirements and whether their reduced downlink rate needs adjustment if the configured downlink rate is exceeded. For more information, refer to Defining User Pools on page 11-53.
Current Uplink Rate (Kbps): Lists the listed guest user’s current uplink rate in kbps. Use this information to assess whether this user’s configured uplink rate is adequate for their session requirements and whether their reduced uplink rate needs adjustment if the configured uplink rate is exceeded. For more information, refer to Defining User Pools on page 11-53.
Refresh: Select the Refresh button to update the screen’s statistics counters to their latest value.

15.3.28 GRE Tunnels

Generic Routing Encapsulation (GRE) is one of the available tunneling mechanisms which uses IP as the transport protocol and can be used for carrying many different passenger protocols. The tunnels behave as virtual point-to-point links that have two endpoints identified by the tunnel source and tunnel destination addresses at each endpoint.

Use the GRE Tunnel screen to view information on the traffic flow in a GRE tunnel.

To view the GRE Tunnel statistics:

1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select GRE Tunnels from the left-hand side of the UI.

Figure 15-95 Wireless Controller - GRE Tunnel screen

The GRE Tunnels screen describes the following:

GRE State: Displays the current operational state of the GRE tunnel.
Peer IP Address: Displays the IP address of the peer device on the remote end of the GRE tunnel.
Tunnel Id: Displays the session ID of an established GRE tunnel. This ID is only viable while the tunnel is operational and does not carry to subsequent sessions.
Total Packets Received: Displays the total number of packets received from a peer at the remote end of the GRE tunnel.
Total Packets Sent: Displays the total number of packets sent from this controller or service platform to a peer at the remote end of the GRE tunnel.
Total Packets Dropped: Lists the number of packets dropped from tunneled exchanges between this controller or service platform and a peer at the remote end of the VPN tunnel.
Clear: Select Clear to revert the screen counters to zero and begin a new data collection.
Refresh: Select the Refresh button to update the screen’s statistics counters to their latest value.

15.3.29 Dot1x

Dot1x (or 802.1x) is an IEEE standard for network authentication. Devices supporting Dot1x allow the automatic provision and connection to the wireless network without launching a Web browser at login. When within range of a Dot1x network, a device automatically connects and authenticates without needing to manually log in.

To view the Dot1x statistics:
1 Select the Statistics menu from the Web UI.
2 Select the Wireless Controller node from the left navigation pane.
3 Select Dot1x from the left-hand side of the UI.
Figure 15-96 Wireless Controller – Dot1x screen

4 Refer to the following Dot1xAuth statistics:

AAA Policy: Lists the AAA policy currently being utilized for authenticating user requests.
Guest Vlan Control: Lists whether guest VLAN control has been allowed (or enabled). This is the VLAN on which traffic is bridged if the port is unauthorized and guest VLAN is globally enabled. A green checkmark designates guest VLAN control as enabled. A red X defines guest VLAN control as disabled.
System Auth Control: Lists whether Dot1x authorization is globally enabled for the controller or service platform. A green checkmark designates Dot1x authorization globally enabled. A red X defines Dot1x as globally disabled.

5 Review the following Dot1x Auth Ports utilization information:

Name: Lists the controller or service platform ge ports subject to automatic connection and authentication using Dot1x.
Auth SM: Lists whether Dot1x authentication is forced over the listed port.
Auth VLAN: Lists the numeric VLAN ID used as a virtual interface for authentication requests over the listed port.
BESM: Lists whether an authentication request is pending on the listed port.
Client MAC: Lists the MAC address of requesting clients seeking authentication over the listed port.
Guest VLAN: Lists the guest VLAN utilized for the listed port. This is the VLAN on which traffic is bridged if the port is unauthorized and guest VLAN is globally enabled.
Host: Lists whether the host is a single entity or not.
Pstatus: Lists whether the listed port has been authorized for Dot1x network authentication.

6 Refer to the MacAuth table to assess the AAA policy applied to MAC authorization requests.
7 Review the following MAC Auth Ports utilization information:

Name: Lists the controller or service platform ge ports subject to automatic connection and MAC authentication using Dot1x.
Authorized: Lists whether MAC authorization using Dot1x has been authorized (permitted) on the listed ge port. A green checkmark designates Dot1x authorization as permitted. A red X defines authorization as disabled.
Enabled: Lists whether MAC authorization using Dot1x has been enabled on the listed ge port. A green checkmark designates Dot1x authorization as allowed. A red X defines authorization as disabled.
MAC Auth: Lists the port’s factory encoded MAC address.

8 Select the Refresh button to update the screen’s statistics counters to their latest value.

15.3.30 Network

Use the Network screen to view information for ARP, DHCP, Routing, MLD and Bridging. Each of these screens provides enough data to troubleshoot issues related to the following:
• ARP Entries
• Route Entries
• Default Routes
• Bridge
• IGMP
• MLD
• LACP
• Traffic Shaping
• DHCP Options
• Cisco Discovery Protocol
• Link Layer Discovery Protocol
• IPv6 Neighbor Discovery
• MSTP

15.3.30.1 ARP Entries

The Address Resolution Protocol (ARP) is a networking protocol for determining a network host’s hardware address when its IP address or network layer address is known.

To view the ARP entries on the network statistics screen:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Expand the Networks menu from the left-hand side of the UI.
4 Select ARP.

Figure 15-97 Wireless Controller - Network ARP screen

The ARP Entries screen displays the following:

IP Address: Displays the IP address of the client being resolved on behalf of the controller or service platform.
ARP MAC Address: Displays the MAC address of the device where an IP address is being resolved.
Type: Defines whether the entry was added statically or created dynamically in respect to network traffic. Entries are typically static.
VLAN: Displays the name of the virtual interface where the IP address was found.
Refresh: Select the Refresh button to update the screen’s statistics counters to their latest values.

15.3.30.2 Route Entries

The Route Entries screen displays data for routing packets to a defined destination. When an existing destination subnet does not meet the needs of the network, add a new destination subnet, subnet mask and gateway as needed for either IPv4 or IPv6 formatted data packets.

IPv4 operates as a best effort delivery method: it does not guarantee delivery, nor does it ensure proper sequencing or avoid duplicate delivery (unlike TCP). IPv4 hosts can use link local addressing to provide local connectivity.
IPv6 is the latest revision of the Internet Protocol (IP) designed to replace IPv4. IPv6 provides enhanced identification and location information for devices on networks routing traffic across the Internet. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons.

To view the route entries:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Expand the Network menu from the left-hand side of the UI.
4 Select Route Entries. The IPv4 Route Entries tab displays by default.

Figure 15-98 Wireless Controller - IPv4 Route Entries screen

The IPv4 Route Entries screen provides the following information:

Destination: Displays the IPv4 formatted address of the destination route address.
Distance: Lists the hop distance to a desired route. Devices regularly send neighbors their own assessment of the total cost to get to all known destinations. A neighboring device examines the information and compares it to their own routing data. Any improvement on what’s already known is inserted in that device’s own routing tables. Over time, each networked device discovers the optimal next hop for each destination.
Route: Lists the IPv4 formatted IP address used for routing packets to a defined destination.
Flags: The flag signifies the condition of the direct or indirect route.
Gateway: Displays the gateway IP address used to route packets to the destination subnet.
Interface: Displays the name of the controller interface or VLAN utilized by the destination subnet.
Metric: Lists the metric (or cost) of the route to select (or predict) the best route. The metric is computed using a routing algorithm, and covers information such as bandwidth, network delay, hop count, path cost, load, MTU, reliability, and communication cost.
Refresh: Select Refresh to update the display to the latest values.

5 Select the IPv6 Route Entries tab to review route data for IPv6 formatted traffic.

Figure 15-99 Wireless Controller - IPv6 Route Entries screen

The IPv6 Route Entries screen provides the following information:

Destination: Displays the IPv6 formatted address of the destination route address. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons.
Gateway: Displays the gateway IP address used to route packets to the destination subnet.
Interface: Displays the name of the controller interface or VLAN utilized by the destination subnet.
Flag: The flag signifies the condition of the direct or indirect route.
Refresh: Select Refresh to update the display to the latest values.

15.3.30.3 Default Routes

In an IPv6 supported environment unicast routing is always enabled. A controller or service platform routes IPv6 formatted traffic between interfaces as long as the interfaces are enabled for IPv6 and ACLs allow IPv6 formatted traffic. However, an administrator can add default routes as needed.

Static routes are manually configured. They work fine in simple networks. However, static routes with topology changes require an administrator to manually configure and modify the corresponding route revisions. Default routes are useful, as they forward packets that match no specific routes in the routing table.
To view controller or service platform default routes:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Expand the Network menu from the left-hand side of the UI.
4 Select Default Routes. The IPv4 Default Routes tab displays by default.

Figure 15-100 Wireless Controller - IPv4 Default Routes screen

The IPv4 Default Routes screen provides the following information:

DNS Server: Lists the address of the DNS server providing IPv4 formatted address assignments on behalf of the controller or service platform.
Gateway Address: Lists the IP address of the gateway resource used with the listed route.
Installed: A green checkmark defines the listed route as currently installed on the controller or service platform. A red X defines the route as not currently installed and utilized.
Metric: The metric (or cost) could be the distance of a router (round-trip time), link throughput or link availability.
Monitor Mode: Displays where in the network the route is monitored for utilization status.
Source: Lists whether the route is static or an administrator defined default route. Static routes are manually configured. Static routes work adequately in simple networks. However, static routes with topology changes require an administrator to manually configure and modify the corresponding route revisions. Default routes are useful, as they forward packets that match no specific routes in the routing table.
Monitoring Status: Lists whether the defined IPv4 route is currently reachable on the controller or service platform managed network. If not, perhaps a topology change has occurred to a static route requiring a default route be utilized.
Refresh: Select Refresh to update the display to the latest values.
5 Select the IPv6 Default Routes tab to review default route availabilities for IPv6 formatted traffic.

Figure 15-101 Wireless Controller - IPv6 Default Routes screen

The IPv6 Default Routes screen provides the following information:

Gateway Address: Lists the IP address of the gateway resource used with the listed route.
Installed: A green checkmark defines the listed IPv6 default route as currently installed on the controller or service platform. A red X defines the route as not currently installed and utilized.
Interface Name: Displays the interface on which the IPv6 default route is being utilized.
Lifetime: Lists the lifetime representing the valid usability of the default IPv6 route.
Preference: Displays the administrator defined IPv6 preferred route for IPv6 traffic.
Source: Lists whether the route is static or an administrator defined default route. Static routes are manually configured. Static routes work adequately in simple networks. However, static routes with topology changes require an administrator to manually configure and modify the corresponding route revisions. Default routes are useful, as they forward packets that match no specific routes in the routing table.
Status: Lists whether the defined IPv6 route is currently reachable on the controller or service platform managed network. If not, perhaps a topology change has occurred to a static route requiring a default route be utilized.
Refresh: Select Refresh to update the display to the latest values.

15.3.30.4 Bridge

Bridging is a forwarding technique making no assumption about where a particular network address is located. It depends on flooding and the examination of source addresses in received packet headers to locate unknown devices. Once a device is located, its location is stored in a table to avoid broadcasting to that device again.
Bridging is limited by its dependency on flooding, and is used in local area networks only. A bridge and a controller or service platform are very similar, since a controller or service platform is a bridge with a number of ports.

To view network bridge information:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Expand the Network menu from the left-hand side of the UI.
4 Select Bridge.

Figure 15-102 Wireless Controller - Network Bridge screen

The Bridge screen displays the following:

Bridge Name: Displays the numeric ID of the network bridge.
MAC Address: Displays the MAC address of each listed bridge.
Interface: Displays the controller or service platform physical port interface the bridge uses to transfer packets. Interface availability is slightly different amongst supported controller and service platform models.
VLAN: Displays the VLAN the bridge is using as a virtual interface within the controller or service platform managed network.
Forwarding: Displays whether the bridge is forwarding packets.
Refresh: Select Refresh to update the statistics counters to the latest values.

15.3.30.5 IGMP

Internet Group Management Protocol (IGMP) is a protocol used for managing members of IP multicast groups. The Access Point listens to IGMP network traffic and forwards the IGMP multicast packets to radios on which the
interested hosts are connected. On the wired side of the network, the Access Point floods all the wired interfaces. This feature reduces unnecessary flooding of multicast traffic in the network.

To view network IGMP configuration options:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Expand the Network menu from the left-hand side of the UI.
4 Select IGMP.

Figure 15-103 Wireless Controller - Network IGMP screen

The Group field describes the following:

VLAN: Displays the group VLAN where the multicast transmission is conducted.
Group Address: Displays the Multicast Group ID supporting the statistics displayed. This group ID is the multicast address hosts are listening to.
Port Members: Displays the ports on which multicast clients have been discovered. For example, ge1, radio1, etc. Ports can vary somewhat amongst supported controller and service platform models.
Version: Displays each listed group IGMP version compatibility as either version 1, 2 or 3.

The Multicast Router (MRouter) field describes the following:

VLAN: Displays the group VLAN where the multicast transmission is conducted.
Learn Mode: Displays the learning mode used by the router as either Static or PIM-DVMRP.
Port Members: Displays the physical ports on which multicast clients have been discovered by the multicast router. For example, ge1, radio1, etc. Ports can vary somewhat amongst supported controller and service platform models.
MiNT IDs: Lists MiNT IDs for each listed VLAN. MiNT provides the means to secure Access Point profile communications at the transport layer. Using MiNT, an Access Point can be configured to only communicate with other authorized (MiNT enabled) Access Points of the same model.
Query Interval: Lists the IGMP query interval implemented when the querier functionality is enabled. The default value is 60 seconds.
Version: Lists the multicast router IGMP version compatibility as either version 1, 2 or 3. The default setting is 3.
Refresh: Select the Refresh button to update the screen’s statistics counters to their latest values.

15.3.30.6 MLD

Multicast Listener Discovery (MLD) snooping enables a controller, service platform or Access Point to examine MLD packets and make forwarding decisions based on content. MLD is used by IPv6 devices to discover devices wanting to receive multicast packets destined for specific multicast addresses. MLD uses multicast listener queries and multicast listener reports to identify which multicast addresses have listeners and join multicast groups.

MLD snooping caps the flooding of IPv6 multicast traffic on controller, service platform or Access Point VLANs. When enabled, MLD messages are examined between hosts and multicast routers to discern which hosts are receiving multicast group traffic. The controller, service platform or Access Point then forwards multicast traffic only to those interfaces connected to interested receivers instead of flooding traffic to all interfaces.

To view network MLD configuration options:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Expand the Network menu from the left-hand side of the UI.
4 Select MLD.
Figure 15-104 Wireless Controller - Network MLD screen

The Multicast Listener Discovery (MLD) Group field describes the following:

VLAN: Displays the group VLAN where the MLD groups multicast transmission is conducted.
Group Address: Displays the Multicast Group ID supporting the statistics displayed. This group ID is the multicast address hosts are listening to.
Port Members: Displays the ports on which MLD multicast clients have been discovered. For example, ge1, radio1, etc. Ports can vary somewhat amongst supported controller and service platform models.
Version: Displays each listed group’s version compatibility as either version 1, 2 or 3.

The IPv6 Multicast Router (MRouter) field describes the following:

VLAN: Displays the group VLAN where the multicast transmission is conducted.
MiNT IDs: Lists MiNT IDs for each listed VLAN. MiNT provides the means to secure communications at the transport layer. Using MiNT, a controller or service platform can be configured to only communicate with other authorized (MiNT enabled) devices.
Learn Mode: Displays the learning mode used by the router as either Static or PIM-DVMRP.
Port Members: Displays the physical ports on which multicast clients have been discovered by the multicast router. For example, ge1, radio1, etc. Ports can vary somewhat amongst supported controller and service platform models.
Query Interval: Lists the query interval implemented when the querier functionality is enabled. The default value is 60 seconds.
Version: Lists the multicast router version compatibility as either version 1, 2 or 3. The default setting is 3.
Refresh: Select the Refresh button to update the screen’s statistics counters to their latest values.
15.3.30.7 LACP

Link Aggregation Control Protocol (LACP) is used to dynamically determine if link aggregation is possible and then to automatically configure the aggregation. LACP is a part of the IEEE 802.1ad standard and allows the switch to dynamically reconfigure the link aggregation groups (LAGs). A LAG is enabled only if the LACP determines that the remote device is also using LACP and is able to join the LAG.

To view network LACP statistics:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Expand the Network menu from the left-hand side of the UI.
4 Select LACP. The System and Aggregator Statistics tab displays by default.

Figure 15-105 Wireless Controller - Network LACP - System And Aggregator Statistics screen

The System field describes the following:

System Identifier: Displays the MAC address of the device.
System Priority: Displays the system’s LACP priority value.

The Aggregator Statistics field describes the following:

Aggregator Name: Displays the name of the port channel configured on this device.
Interface: Displays the name of the interface for which these statistics are being displayed.
LACPDU Sent: Displays the number of Link Aggregation Control Protocol Data Units (LACPDUs) sent from this device.
LACPDU Received: Displays the number of LACPDUs received by this device.
Marker Sent: Displays the number of marker packets sent. Marker packets are sent to the remote device to ensure that all frames transmitted through the link have been received.
Marker Received: Displays the number of marker packet responses received from the remote device.
Packets Error Sent: Displays the total number of packets transmitted with error.
Packets Error Received: Displays the total number of packets received with error.

5 Select the Aggregator Details tab.

Figure 15-106 Wireless Controller - Network LACP screen - Aggregator Details tab

This field describes the following:

Aggregator Name: Displays the name of the link aggregator (LAG).
Interface: Displays the name of the interface that is a member of the LAG.
MAC Address: Displays the MAC address of the physical interface.
MUX machine state: Displays the state of the multiplexer state machine for the aggregation port. The values are:
• attached – Displays the state as attached, when the multiplexer state machine is initiating the process of attaching the port to the selected aggregator.
• detached – Displays the state as detached, when the multiplexer state machine is initiating the process of detaching the port from the aggregator.
• collecting/distributing – Displays the state as collecting/distributing. Collecting and distributing states are merged together to form a combined state (coupled control). Because independent control is not possible, the coupled control state machine does not wait for the partner to signal that collection has started before enabling both collection and distribution.

15.3.30.8 Traffic Shaping

Traffic shaping regulates network data transfers to ensure a specific performance level. Traffic shaping delays the flow of packets defined as less important than prioritized traffic streams. Traffic shaping enables traffic control out an interface to match its flow to the speed of a remote target’s interface and ensure traffic conforms to applied policies. Traffic can be shaped to meet downstream requirements and eliminate network congestion when data rates are in conflict.

Apply traffic shaping to specific applications to apply application categories. When application and ACL rules are conflicting, an application takes precedence over an application category, then ACLs.

To view the controller or service platform’s traffic shaping configuration:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Expand the Network menu from the left-hand side of the UI.
4 Select Traffic Shaping. The Status screen displays by default, and lists the controller or service platform’s traffic shaping status.
Figure 15-107 Wireless Controller - Network Traffic Shaping screen

5 Select Statistics.
6 Refer to the following Traffic Shaping statistics:

Rate: The rate configuration controls the maximum traffic rate sent or received on an interface. Consider this form of rate limiting on interfaces at the edge of a network to limit traffic into or out of the network. Traffic within the set limit is sent and traffic exceeding the set limit is dropped or sent with a different priority.
Priority: Lists the traffic shaper queue priority. There are 8 queues (0 - 7), and traffic is queued in each based on incoming packets 802.1p markings.
Packets Sent: Provides a baseline of the total number of packets sent to assess packet delays and drops as a result of the filter rules applied in the traffic shaping configuration.
Packets Delayed: Lists the packets defined as less important than prioritized traffic streams and delayed as a result of traffic shaping filter rules applied.
Packets Dropped: Lists the packets defined as less important than prioritized traffic streams, delayed and eventually dropped as a result of traffic shaping filter rules applied.
Current Length: Lists the packet length of the data traffic shaped to meet downstream requirements.
Current Latency: Traffic shaping latency is the time limit after which packets start dropping as a result of the traffic prioritization filter rules applied.
Refresh: Select the Refresh button to update the screen’s statistics counters to their latest values.

15.3.30.9 DHCP Options

Controllers and service platforms contain an internal Dynamic Host Configuration Protocol (DHCP) server. The DHCP server can provide the dynamic assignment of IP addresses automatically from existing address pools. This
is a protocol that includes IP address allocation and delivery of host-specific configuration parameters from a DHCP server to a host. Some of these parameters include IP address, gateway and network mask.

To view network DHCP options:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Expand the Network menu from the left-hand side of the UI.
4 Select DHCP Options.

Figure 15-108 Wireless Controller - Network DHCP Options screen

The DHCP Options screen describes the following:

Server Information: Lists server information specific to each DHCP server resource available to requesting clients for the dynamic assignment of IP addresses.
Image File: Displays the image file name. BOOTP or the bootstrap protocol can be used to boot diskless clients. An image file is sent from the boot server. The file contains the operating system image. DHCP servers can be configured to support BOOTP.
Configuration: Displays the name of the configuration file on the DHCP server.
Legacy Adoption: Displays legacy (historical) device adoption information.
Adoption: Displays pending (current) adoption information.
Refresh: Select the Refresh button to update the screen’s statistics counters to their latest values.

15.3.30.10 Cisco Discovery Protocol

The Cisco Discovery Protocol (CDP) is a proprietary Data Link Layer network protocol implemented in Cisco networking equipment and used to share information about network devices.

To view a controller or service platform’s CDP Statistics:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Expand the Network menu from the left-hand side of the UI.
4 Select Cisco Discovery Protocol.

Figure 15-109 Wireless Controller - Network CDP screen

The Cisco Discovery Protocol screen displays the following:

Capabilities: Displays the capabilities code for Cisco neighbors.
Device ID: Displays the configured device ID or name for each device in the table.
Local Port: Displays the local port name for each CDP capable device.
Platform: Displays the model number of the CDP capable device.
Port ID: Displays the identifier for the local port.
TTL: Displays the time to live (TTL) for each CDP connection.
Clear Neighbors: Click Clear Neighbors to remove all known CDP neighbors from the table.
Refresh: Select the Refresh button to update the screen’s statistics counters to their latest values.

15.3.30.11 Link Layer Discovery Protocol

The Link Layer Discovery Protocol (LLDP) or IEEE 802.1AB is a vendor-neutral data link layer protocol used by network devices for advertising (announcing) their identity, capabilities, and interconnections on an IEEE 802 LAN network. The protocol is formally referred to by the IEEE as Station and Media Access Control Connectivity Discovery.

To view a controller or service platform’s Link Layer Discovery Protocol statistics:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Expand the Network menu from the left-hand side of the UI.
4 Select Link Layer Discovery Protocol.

Figure 15-110 Wireless Controller - Network LLDP screen

The Link Layer Discovery Protocol screen displays the following:

Capabilities: Displays the Access Point capabilities code.
Device ID: Displays the configured device ID or name for each device in the table.
Enabled Capabilities: Displays which LLDP capabilities are currently utilized by the listed device.
Local Port: Displays the physical local port name for each LLDP capable device.
Platform: Displays the model number of the LLDP capable device and its firmware load.
Port ID: Displays the identifier for the local port.
TTL: Displays the time to live (TTL) for each LLDP connection.
Clear Neighbors: Click Clear Neighbors to remove all known LLDP neighbors from the table.
Refresh: Select the Refresh button to update the screen’s statistics counters to their latest values.

15.3.30.12 IPv6 Neighbor Discovery

IPv6 neighbor discovery uses ICMP messages and solicited multicast addresses to find the link layer address of a neighbor on the same local network, verify the neighbor’s reachability and track neighboring devices.

Upon receiving a neighbor solicitation message, the destination replies with a neighbor advertisement (NA). The source address in the advertisement is the IPv6 address of the device sending the message. The destination address in the advertisement message is the IPv6 address of the device sending the neighbor solicitation. The data portion of the NA includes the link layer address of the node sending the neighbor advertisement.

Neighbor solicitation messages also verify the availability of a neighbor once its link layer address is identified. When a node wants to verify the reachability of a neighbor, the destination address in a neighbor solicitation message is the unicast address of the neighbor.
A neighbor is interpreted as reachable when an acknowledgment is returned indicating packets have been received and processed. If packets are reaching the device, they’re also reaching the next hop neighbor, providing a confirmation the next hop is reachable.

To view a controller or service platform’s IPv6 neighbor statistics:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Expand the Network menu from the left-hand side of the UI.
4 Select IPv6 Neighbor Discovery.

Figure 15-111 Wireless Controller - Network IPv6 Neighbor screen

The IPv6 Neighbor screen displays the following:

IPv6 Address: Lists an IPv6 IP address for neighbor discovery. IPv6 hosts can configure themselves automatically when connected to an IPv6 network using the neighbor discovery protocol via ICMPv6 router discovery messages. When first connected to a network, a host sends a link-local router solicitation multicast request for its configuration parameters; routers respond to such a request with a router advertisement packet that contains Internet Layer configuration parameters. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons.
MAC Address: Lists the factory encoded hardware MAC address of the neighbor device using an IPv6 formatted IP address as its network identifier.
Type: Displays the device type for the neighbor solicitation. Neighbor solicitations request the link layer address of a target node while providing the sender’s own link layer address to the target. Neighbor solicitations are multicast when the node needs to resolve an address and unicast when the node seeks to verify the reachability of a neighbor. Options include Host, Router and DHCP Server.
VLAN: Lists the virtual interface (from 1 - 4094) used for the required neighbor advertisements and solicitation messages used for neighbor discovery.
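The ARP Entries and IPv6 Neighbor screens both list address-to-MAC bindings per VLAN, and comparing two readings of those tables shows which bindings moved between refreshes. The following is an added example, not code from the guide or from the WiNG software: the row dictionaries, rule names, thresholds and all addresses are constructed for illustration, on the assumption that the table rows have been copied out of the screens by hand or by script.

```python
import ipaddress
from collections import defaultdict


def norm_mac(mac):
    """Normalise a MAC address to lower-case, colon-separated form."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def index_rows(rows):
    """Map (vlan, ip) -> (mac, type); textual variants of one address compare equal."""
    table = {}
    for row in rows:
        key = (str(row["vlan"]), ipaddress.ip_address(row["ip"]))
        table[key] = (norm_mac(row["mac"]), row.get("type", "").lower())
    return table


def compare_snapshots(before, after, known_routers=(), max_ips_per_mac=4):
    """Return (rule, vlan, subject, detail) findings for bindings worth reviewing."""
    old, new = index_rows(before), index_rows(after)
    routers = {norm_mac(m) for m in known_routers}
    findings = []
    per_mac = defaultdict(set)
    ordered = sorted(new.items(),
                     key=lambda kv: (kv[0][0], kv[0][1].version, int(kv[0][1])))
    for (vlan, ip), (mac, kind) in ordered:
        per_mac[(vlan, mac)].add(ip)
        previous = old.get((vlan, ip))
        # Same address on the same VLAN now resolves to a different MAC.
        if previous and previous[0] != mac:
            findings.append(("mac-changed", vlan, str(ip), f"{previous[0]} -> {mac}"))
        # IPv6 Neighbor rows of Type "Router" from a MAC nobody registered.
        if kind == "router" and mac not in routers:
            findings.append(("unknown-router", vlan, str(ip), mac))
    for (vlan, mac), ips in sorted(per_mac.items()):
        # One MAC answering for an unusual number of addresses.
        if len(ips) > max_ips_per_mac:
            findings.append(("many-ips-one-mac", vlan, mac, str(len(ips))))
    return findings


# Constructed sample rows (not real device output).
BEFORE = [
    {"vlan": 10, "ip": "192.168.10.1", "mac": "00:11:22:33:44:01", "type": "dynamic"},
    {"vlan": 10, "ip": "192.168.10.25", "mac": "00-11-22-33-44-25", "type": "dynamic"},
    {"vlan": 10, "ip": "fe80::211:22ff:fe33:4401", "mac": "00:11:22:33:44:01", "type": "Router"},
    {"vlan": 10, "ip": "2001:db8:10::25", "mac": "00:11:22:33:44:25", "type": "Host"},
]
AFTER = [
    {"vlan": 10, "ip": "192.168.10.1", "mac": "00:11:22:33:44:99", "type": "dynamic"},
    {"vlan": 10, "ip": "192.168.10.25", "mac": "00:11:22:33:44:25", "type": "dynamic"},
    {"vlan": 10, "ip": "FE80:0:0:0:211:22FF:FE33:4401", "mac": "00:11:22:33:44:01", "type": "Router"},
    {"vlan": 10, "ip": "2001:db8:10::25", "mac": "00:11:22:33:44:25", "type": "Host"},
    {"vlan": 10, "ip": "fe80::211:22ff:fe33:4499", "mac": "00:11:22:33:44:99", "type": "Router"},
]
KNOWN_ROUTERS = ["00:11:22:33:44:01"]

if __name__ == "__main__":
    for finding in compare_snapshots(BEFORE, AFTER, KNOWN_ROUTERS):
        print(*finding, sep="  ")
```

A changed binding is not proof of a problem, since gateway failover and NIC replacement produce the same pattern, so each finding is a prompt to check the port and device behind the new MAC.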
Refresh: Select the Refresh button to update the screen’s statistics counters to their latest values.

15.3.30.13 MSTP

The Multiple Spanning Tree Protocol (MSTP) provides an extension to RSTP to optimize the usefulness of VLANs. MSTP allows for a separate spanning tree for each VLAN group, and blocks all but one of the possible alternate paths within each spanning tree topology.

If there’s just one VLAN in the Access Point managed network, a single spanning tree works fine. However, if the network contains more than one VLAN, the network topology defined by single STP would work, but it’s possible to make better use of the alternate paths available by using an alternate spanning tree for different VLANs or groups of VLANs.

MSTP includes all of its spanning tree information in a single Bridge Protocol Data Unit (BPDU) format. BPDUs are used to exchange information about bridge IDs and root path costs. Not only does this reduce the number of BPDUs required to communicate spanning tree information for each VLAN, but it also ensures backward compatibility with RSTP. MSTP encodes additional region information after the standard RSTP BPDU as well as a number of MSTI messages. Each MSTI message conveys spanning tree information for each instance. Each instance can be assigned a number of configured VLANs. The frames assigned to these VLANs operate in this spanning tree instance whenever they are inside the MST region. To avoid conveying the entire VLAN to spanning tree mapping in each BPDU, the Access Point encodes an MD5 digest of its VLAN to instance table in the MSTP BPDU. This digest is used by other MSTP supported devices to determine if the neighboring device is in the same MST region as itself.

To view a controller or service platform’s MSTP statistics:

1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Expand the Network menu from the left-hand side of the UI.
4 Select MSTP.
Figure 15-112 Wireless Controller - Network MSTP screen

The MST Config field displays the name assigned to the MSTP configuration, its digest, format ID, name and revision.

The MST Bridge field lists the filters and guards that have been enabled and whether Cisco interoperability is enabled.

The MST Bridge Port Detail field lists specific controller or service platform port status and their current state.

15.3.31 DHCPv6 Relay & Client

DHCPv6 is a networking protocol for configuring IPv6 hosts with IP addresses, IP prefixes or other configuration attributes required on an IPv6 network. DHCPv6 relay agents receive messages from clients and forward them to a DHCPv6 server. The server sends responses back to the relay agent and the relay agent sends the responses to the client on the local link.

To assess the DHCPv6 relay configuration:

1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select DHCP Relay & Client from the left-hand side of the UI.
Figure 15-113 Wireless Controller - DHCPv6 Relay and Client screen

4 The DHCPv6 Relay Status table defines the following:

Interfaces: Displays the controller or service platform interface used for DHCPv6 relay.
State: Displays the current operational state of the DHCPv6 server to assess its availability as a viable IPv6 provisioning resource.

5 The DHCPv6 Client Received Options table defines the following:

Client Identifier: Lists whether the reporting client is using a hardware address or client identifier as its identifier type within requests to the DHCPv6 server.
Server Identifier: Displays the server identifier supporting client DHCPv6 relay message reception.
DNS Servers: Lists the DNS server resources supporting relay messages received from clients.
Domain Name: Lists the domain to which the remote server resource belongs.
Interface: Displays the interfaces dedicated to client DHCPv6 relay message reception.
Refresh Time (Seconds): Lists the time (in seconds) since the data populating the DHCPv6 client received options table has been refreshed.
Server Preference: Lists the preferred DHCPv6 server resource supporting relay messages received from clients.
SIP Domain Name: Lists the SIP domain name supporting DHCPv6 client telephone extensions or voice over IP systems.
SIP Server: Displays the SIP server name supporting DHCPv6 telephone extensions or voice over IP systems.
Enterprise ID: Lists the enterprise ID associated with DHCPv6 received client options.
6 Refer to the Vendor Options table for the following:

Code: Lists the relevant numeric DHCP vendor code.
Data: Lists the supporting data relevant to the listed DHCP vendor code.

7 Select the Refresh button to update the screen’s statistics counters to their latest values.

15.3.32 DHCP Server

Controllers and service platforms contain an internal Dynamic Host Configuration Protocol (DHCP) server. DHCP can provide IP addresses automatically. DHCP is a protocol that includes mechanisms for IP address allocation and delivery of host-specific configuration parameters (IP address, network mask, gateway, etc.) from a DHCP server to a host.

To review DHCP server statistics, refer to the following:

• Viewing General DHCP Information
• Viewing DHCP Binding Information
• Viewing DHCP Server Networks Information

15.3.32.1 Viewing General DHCP Information

To view General DHCP status and binding information for both DHCPv4 and DHCPv6:

1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller from the left navigation pane.
3 Expand the DHCP Server menu from the left-hand side of the UI.
4 Select General.

Figure 15-114 Wireless Controller - DHCP Server General screen
5 The DHCPv4 Status and DHCPv6 Status tables define the following:

Interfaces: Displays the controller or service platform interface used with the DHCPv4 or DHCPv6 resource for IP address provisioning.
State: Displays the current operational state of the DHCPv4 or DHCPv6 server to assess its availability as a viable IP provisioning resource.

6 The DDNS Bindings table displays the following:

IP Address: Displays the IP address assigned to the requesting client.
Name: Displays the domain name mapping corresponding to the listed IP address.

7 The DHCP Manual Bindings table displays the following:

IP Address: Displays the IP address for clients requesting DHCP provisioning resources.
Client Id: Displays the client’s ID used to differentiate requesting clients.

8 Select the Refresh button to update the screen’s statistics counters to their latest values.

15.3.32.2 Viewing DHCP Binding Information

The DHCP Binding screen displays DHCP binding information such as expiry time, client IP addresses and their MAC address.

Controllers and service platforms build and maintain a DHCP snooping table (DHCP binding database). A controller or service platform uses the snooping table to identify and filter untrusted messages. The DHCP binding database keeps track of DHCP addresses assigned to ports, as well as filtering DHCP messages from untrusted ports. Incoming packets received on untrusted ports are dropped if the source MAC address does not match the MAC in the binding table.

To view the DHCP binding information:

1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Expand the DHCP Server menu from the left-hand side of the UI.
4 Select Bindings.
Figure 15-115 Wireless Controller - DHCP Server Bindings screen

The Bindings screen displays the following:

Expiry Time: Displays the expiration of the lease used by the client for controller or service platform DHCP resources.
IP Address: Displays the IP address of each listed client requesting DHCP services.
DHCP MAC Address: Displays the MAC address of each listed client requesting DHCP services.
Clear: Select a table entry and select Clear to remove the client from the list of devices requesting DHCP services from the controller or service platform.
Clear All: Select Clear All to remove all listed clients from the list of requesting clients.
Refresh: Select the Refresh button to update the screen’s statistics counters to their latest values.

15.3.32.3 Viewing DHCP Server Networks Information

The DHCP server maintains a pool of IP addresses and client configuration parameters (default gateway, domain name, name servers, etc.). On receiving a valid client request, the server assigns the requestor an IP address, a lease (the validity of time), and other IP configuration parameters.

The Networks screen provides network pool information such as the subnet for the addresses you want to use from the pool, the pool name, the used addresses and the total number of addresses.

To view the DHCP Server Networks information:

1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Expand the DHCP Server menu from the left-hand side of the UI.
4 Select Networks.
Figure 15-116 Wireless Controller - DHCP Server Networks screen

The Networks screen displays the following:

Name: Displays the name of the virtual network (VLAN) from which IP addresses can be issued to DHCP client requests on the listed controller or service platform interface.
Subnet Address: Displays the subnet for the IP addresses used from the network pool.
Used Addresses: Displays the number of host IP addresses allocated by the DHCP server.
Total Addresses: Displays the total number of IP addresses available in the network pool for requesting clients.
Refresh: Select the Refresh button to update the screen’s statistics counters to their latest values.

15.3.33 Firewall

A firewall is designed to block unauthorized access while permitting authorized communications. It’s a device or a set of devices configured to permit or deny computer applications based on a set of rules.

For more information, refer to the following:

• Viewing Packet Flow Statistics
• Viewing Denial of Service Statistics
• IP Firewall Rules
• IPv6 Firewall Rules
• MAC Firewall Rules
• NAT Translations
• Viewing DHCP Snooping Statistics
• IPv6 Neighbor Snooping
15.3.33.1 Viewing Packet Flow Statistics

The Packet Flows screen displays data traffic packet flow utilization. The chart lists the different protocol flows supported, and displays a proportional view of the flows with respect to their percentage of data traffic utilized. The Total Active Flows field displays the total number of flows supported by the controller or service platform.

To view the packet flow statistics:

1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Expand the Firewall menu from the left-hand side of the UI.
4 Select Packets Flows.

Select Clear All to revert the statistics counters to zero and begin a new data collection, or select Refresh to update the display to the latest values.

Figure 15-117 Firewall Packet Flows

15.3.33.2 Viewing Denial of Service Statistics

A denial-of-service attack (DoS attack), or distributed denial-of-service attack, is an attempt to make a computer resource unavailable to its intended users. Although the means to carry out a DoS attack may vary, it generally consists of a concerted effort to prevent an Internet site or service from functioning efficiently.

One common attack involves saturating the target’s (victim’s) machine with external communications requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable. DoS attacks are implemented by either forcing the targeted computer(s) to reset, or consuming its resources so that it can no longer provide its intended service.

The Denial of Service screen displays attack type, number of occurrences, and time of last occurrence.

To view the denial of service statistics:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Expand the Firewall menu from the left-hand side of the UI.
4 Select Denial of Service.

Figure 15-118 Wireless Controller - Firewall DoS screen

The Denial of Service screen displays the following:

Attack Type: Displays the DoS attack type. The controller or service platform supports enabling or disabling 24 different DoS attack filters.
Count: Displays the number of times each DoS attack was observed by the controller or service platform’s firewall.
Last Occurrence: Displays the amount of time since the DoS attack has been observed by the controller or service platform’s firewall.
Clear All: Select Clear All to revert the statistics counters to zero and begin a new data collection.
Refresh: Select the Refresh button to update the screen’s statistics counters to their latest values.

15.3.33.3 IP Firewall Rules

Create firewall rules to let any computer send IPv4 traffic to, or receive traffic from, programs, system services, computers or users. Firewall rules can be created to provide one of the three actions listed below that match the rule’s criteria:

• Allow a connection
• Allow a connection only if it is secured through the use of Internet Protocol security
• Block a connection

Rules can be created for either inbound or outbound traffic.

To view existing IPv4 firewall rules:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Expand the Firewall menu from the left-hand side of the UI.
4 Select IP Firewall Rules.

Figure 15-119 Wireless Controller - Firewall IP Firewall Rules screen

The IP Firewall Rules screen displays the following:

Precedence: Displays the precedence (priority) applied to packets. Every rule has a unique precedence value between 1 - 5000. You cannot add two rules with the same precedence value.
Friendly String: This is a string that provides more information as to the contents of the rule. This is for information purposes only.
Hit Count: Displays the number of times each IP ACL has been triggered.
Refresh: Select the Refresh button to update the screen’s statistics counters to their latest values.

15.3.33.4 IPv6 Firewall Rules

IPv6 provides enhanced identification and location information for computers on networks routing traffic across the Internet. These hosts require firewall packet protection unique to IPv6 traffic, as IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons. IPv6 hosts can configure themselves automatically when connected to an IPv6 network using the neighbor discovery (ND) protocol via ICMPv6 router discovery messages. When first connected to a network, a host sends a link-local router solicitation multicast request for its configuration parameters; routers respond to such a request with a router advertisement packet that contains Internet layer configuration parameters.

• Allow an IPv6 formatted connection
• Allow a connection only if it is secured through the use of IPv6 security
• Block a connection and exchange of IPv6 formatted packets
To view existing IPv6 firewall rules:

1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Expand the Firewall menu from the left-hand side of the UI.
4 Select IPv6 Firewall Rules.

Figure 15-120 Wireless Controller - Firewall IPv6 Firewall Rules screen

The IPv6 Firewall Rules screen displays the following:

Precedence: Displays the precedence (priority) applied to IPv6 formatted packets. Unlike IPv4, IPv6 provides enhanced identification and location information for computers on networks routing traffic across the Internet. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons. Every rule has a unique precedence value between 1 - 5000. You cannot add two rules with the same precedence value.
Friendly String: This is a string that provides more information as to the contents of the IPv6 specific IP rule. This is for information purposes only.
Hit Count: Displays the number of times each IPv6 ACL has been triggered.
Refresh: Select the Refresh button to update the screen’s statistics counters to their latest values.

15.3.33.5 MAC Firewall Rules

The ability to allow or deny client access by MAC address ensures malicious or unwanted users are unable to bypass security filters. Firewall rules can use one of the three following actions based on a rule criteria:

• Allow a connection
• Allow a connection only if it is secured through the MAC firewall security
• Block a connection

To view MAC firewall rules:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Expand the Firewall menu from the left-hand side of the UI.
4 Select MAC Firewall Rules.

Figure 15-121 Wireless Controller - Firewall MAC Firewall Rules screen

The MAC Firewall Rules screen displays the following:

Precedence: Displays the precedence (priority) applied to packets. The rules within an Access Control Entries (ACL) list are based on their precedence values. Every rule has a unique precedence value between 1 and 5000. You cannot add two rules with the same precedence value.
Friendly String: This string provides more information as to the contents of the rule. This is for information purposes only.
Hit Count: Displays the number of times each WLAN ACL has been triggered.
Refresh: Select the Refresh button to update the screen’s statistics counters to their latest values.

15.3.33.6 NAT Translations

Network Address Translation (NAT) is a technique to modify network address information within IP packet headers in transit. This enables mapping one IP address to another to protect wireless controller managed network address credentials. With typical deployments, NAT is used as an IP masquerading technique to hide private IP addresses behind a single, public facing, IP address.

NAT can provide a profile outbound Internet access to wired and wireless hosts connected to either an Access Point or a wireless controller. Many-to-one NAT is the most common NAT technique for outbound Internet access. Many-to-one NAT allows an Access Point or wireless controller to translate one or more internal private IP addresses to a single, public facing, IP address assigned to a 10/100/1000 Ethernet port or 3G card.

To assess the controller or service platform’s NAT configuration and statistics:
1 Select the Statistics menu from the Web UI.
2 Select an Access Point node from the left navigation pane. Expand the Firewall menu from the left-hand side of the UI.
3 Select NAT Translations.

Figure 15-122 Wireless Controller - Firewall NAT Translation screen

4 The NAT Translations screen displays the following:

Protocol: Displays the translation protocol as either TCP, UDP or ICMP.
Forward Source IP: Displays the internal network IP address for forward facing NAT translations.
Forward Source Port: Displays the internal network (virtual) port for forward facing NAT translations.
Forward Dest IP: Displays the external network destination IP address for forward facing NAT translations.
Forward Dest Port: Displays the external network destination port for forward facing NAT translations.
Reverse Source IP: Displays the internal network IP address for reverse facing NAT translations.
Reverse Source Port: Displays the internal network port for reverse facing NAT translations.
Reverse Dest IP: Displays the external network destination IP address for reverse facing NAT translations.
Reverse Dest Port: Displays the external network destination port for reverse facing NAT translations.
Refresh: Select the Refresh button to update the screen’s statistics counters to their latest values.

15.3.33.7 Viewing DHCP Snooping Statistics

When DHCP servers are allocating IP addresses to the clients, DHCP snooping can strengthen the security on the LAN allowing only clients with specific IP/MAC addresses.

To view the DHCP snooping statistics:

1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Expand the Firewall menu from the left-hand side of the UI.
4 Select DHCP Snooping.

Figure 15-123 Wireless Controller - Firewall DHCP Snooping screen

The DHCP Snooping screen displays the following:

MAC Address: Displays the MAC address of the client.
Node Type: Displays the NetBios node with an IP pool from which IP addresses can be issued to client requests on this interface.
IP Address: Displays the IP address used for DHCP discovery and requests between the DHCP server and DHCP clients.
Netmask: Displays the subnet mask used for DHCP discovery and requests between the DHCP server and DHCP clients.
VLAN: Displays the controller or service platform virtual interface ID used for a new DHCP configuration.
Lease Time: When a DHCP server allocates an address for a DHCP client, the client is assigned a lease (which expires after a designated interval defined by the administrator). The lease is the time an IP address is reserved for re-connection after its last use. Using short leases, DHCP can dynamically reconfigure networks in which there are more computers than available IP addresses. This is useful, for example, in education and customer environments where client users change frequently. Use longer leases if there are fewer users.
Time Elapsed Since Last Update: Displays the amount of time elapsed since the DHCP server was last updated.
Clear All: Select Clear All to revert the counters to zero and begin a new data collection.
Refresh: Select the Refresh button to update the screen’s counters to their latest values.

15.3.33.8 IPv6 Neighbor Snooping

IPv6 snooping bundles layer 2 IPv6 hop security features, such as IPv6 neighbor discovery (ND) inspection, IPv6 address gleaning and IPv6 device tracking. When IPv6 ND is configured on a device, packet capture instructions redirect the ND protocol and DHCP for IPv6 traffic up to the controller for inspection.

A database of connected IPv6 neighbors is created from the IPv6 neighbor snoop. The database is used by IPv6 to validate the link layer address, IPv6 address and prefix binding of the neighbors to prevent spoofing and potential redirect attacks.

To review IPv6 neighbor snooping statistics:

1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Expand the Firewall menu from the left-hand side of the UI.
4 Select IPv6 Neighbor Snooping.
Figure 15-124 Wireless Controller - Firewall IPv6 Neighbor Snooping screen

The IPv6 Neighbor Snooping screen displays the following:

MAC Address: Displays the hardware encoded MAC address of an IPv6 client reporting to the controller or service platform.
Node Type: Displays the NetBios node type from an IPv6 address pool from which IP addresses can be issued to requesting clients.
IPv6 Address: Displays the IPv6 address used for DHCPv6 discovery and requests between the DHCPv6 server and DHCP clients.
VLAN: Displays the controller or service platform virtual interface ID used for a new DHCPv6 configuration.
Mint Id: Lists MiNT IDs for each listed VLAN. MiNT provides the means to secure communications at the transport layer. Using MiNT, a device can be configured to only communicate with other authorized (MiNT enabled) devices of the same model.
Snoop Id: Lists a numeric snooping ID associated with each packet inspection snooping session conducted by the controller or service platform.
Time Elapsed Since Last Update: Displays the amount of time elapsed since the DHCPv6 server was last updated.
Clear Neighbors: Select Clear Neighbors to revert the counters to zero and begin a new data collection.
Refresh: Select the Refresh button to update the screen’s counters to their latest values.
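The binding check that the DHCP Binding and IPv6 Neighbor Snooping sections describe (validate link layer address, IPv6 address and prefix against a snooped database, and drop mismatches from untrusted ports) can be modeled as follows. This is an added Python example, not WiNG code: the class, field and verdict names are hypothetical, and the addresses are constructed from documentation ranges.

```python
import ipaddress
from dataclasses import dataclass


def norm_mac(mac: str) -> str:
    """Normalise a MAC address to lower-case, colon-separated form."""
    return mac.strip().lower().replace("-", ":")


@dataclass(frozen=True)
class NeighborAdvert:
    """Fields of a neighbor advertisement that matter for inspection."""
    port_trusted: bool   # hypothetical flag: frame arrived on a trusted port
    vlan: int
    frame_src_mac: str   # Ethernet source MAC of the frame
    target_ipv6: str     # address the sender claims to own
    lladdr_option: str   # link layer address carried in the NA data portion


class SnoopTable:
    """Snooped neighbor database keyed by (VLAN, IPv6 address)."""

    def __init__(self, vlan_prefixes):
        # vlan_prefixes: {vlan_id: ["prefix/len", ...]} valid on that VLAN
        self.prefixes = {
            vlan: [ipaddress.ip_network(p) for p in plist]
            for vlan, plist in vlan_prefixes.items()
        }
        self.bindings = {}  # (vlan, IPv6Address) -> normalised MAC

    def glean(self, vlan, ipv6, mac):
        """Record a binding learned from inspected DHCPv6 or ND traffic."""
        self.bindings[(vlan, ipaddress.ip_address(ipv6))] = norm_mac(mac)

    def check(self, na: NeighborAdvert):
        """Return (action, reason) for one neighbor advertisement."""
        if na.port_trusted:
            return ("forward", "trusted-port")
        try:
            addr = ipaddress.ip_address(na.target_ipv6)
        except ValueError:
            return ("drop", "malformed-address")
        # Prefix binding: the claimed address must sit in a prefix of its VLAN.
        if not any(addr in net for net in self.prefixes.get(na.vlan, [])):
            return ("drop", "prefix-not-on-vlan")
        bound = self.bindings.get((na.vlan, addr))
        if bound is None:
            return ("drop", "no-binding")
        # Source MAC of the frame must match the MAC in the binding table.
        if norm_mac(na.frame_src_mac) != bound:
            return ("drop", "mac-mismatch")
        # The link layer address inside the NA must match it as well.
        if norm_mac(na.lladdr_option) != bound:
            return ("drop", "lladdr-option-mismatch")
        return ("forward", "binding-ok")


def run_sample():
    """Run constructed advertisements through a constructed table."""
    table = SnoopTable({10: ["2001:db8:10::/64"]})
    table.glean(10, "2001:db8:10::1", "00:00:5e:00:53:01")  # router
    table.glean(10, "2001:db8:10::a", "00:00:5e:00:53:0a")  # host
    host, other = "00:00:5e:00:53:0a", "00:00:5e:00:53:66"
    sample = [
        NeighborAdvert(False, 10, host, "2001:db8:10::a", host),
        NeighborAdvert(False, 10, "00-00-5E-00-53-0A", "2001:DB8:10::A",
                       "00-00-5E-00-53-0A"),
        NeighborAdvert(False, 10, other, "2001:db8:10::1", other),
        NeighborAdvert(False, 10, host, "2001:db8:10::a", other),
        NeighborAdvert(False, 10, host, "2001:db8:99::5", host),
        NeighborAdvert(False, 10, "00:00:5e:00:53:0b", "2001:db8:10::b",
                       "00:00:5e:00:53:0b"),
        NeighborAdvert(True, 10, "00:00:5e:00:53:01", "2001:db8:10::1",
                       "00:00:5e:00:53:01"),
    ]
    return [table.check(na) for na in sample]


if __name__ == "__main__":
    for verdict in run_sample():
        print(verdict)
```

The reason strings map onto what an operator would look for when a client disappears from the snooping table: a drop with no binding usually means the entry was cleared or never gleaned, while a MAC or link layer mismatch points at a conflicting claim for an address that is already bound.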
15.3.34 VPN

IPSec VPN provides a secure tunnel between two networked peer controllers or service platforms. Administrators can define which packets are sent within the tunnel, and how they are protected. When a tunnelled peer sees a sensitive packet, it creates a secure tunnel and sends the packet through the tunnel to its remote peer destination.

Tunnels are sets of security associations (SA) between two peers. SAs define the protocols and algorithms applied to sensitive packets and specify the keying mechanisms used by tunnelled peers. SAs are unidirectional and exist in both the inbound and outbound direction. SAs are established per the rules and conditions of defined security protocols (AH or ESP).

Crypto maps combine the elements comprising IPSec SAs. Crypto maps also include transform sets. A transform set is a combination of security protocols, algorithms and other settings applied to IPSec protected traffic. One crypto map is utilized for each IPsec peer; however, for remote VPN deployments one crypto map is used for all the remote IPsec peers.

Internet Key Exchange (IKE) protocol is a key management protocol standard used in conjunction with IPSec. IKE enhances IPSec by providing additional features, flexibility, and configuration simplicity for the IPSec standard. IKE automatically negotiates IPSec SAs, and enables secure communications without time consuming manual pre-configuration.

VPN statistics are partitioned into the following:

• IKESA
• IPSec

15.3.34.1 IKESA

The IKESA screen allows for the review of individual peer security association statistics.

1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select VPN and expand the menu to reveal its sub menu items.
4 Select IKESA.
Figure 15-125 Wireless Controller - VPN IKESA screen

Review the following VPN peer security association statistics:

Peer: Lists IDs for peers sharing security associations (SA) for tunnel interoperability. When a peer sees a sensitive packet, it creates a secure tunnel and sends the packet through the tunnel to its destination.
Version: Displays each peer’s IKE version used for auto IPSec secure authentication with the IPSec gateway and other controllers or service platforms.
State: Lists the online or offline state of each listed peer’s SA.
Lifetime: Displays the lifetime for the duration of each listed peer IPSec VPN security association. Once the set value is exceeded, the association is timed out.
Local IP Address: Displays each listed peer’s local tunnel end point IP address. This address represents an alternative to an interface IP address.
Clear/Clear All: Select Clear to remove a selected peer. Select the Clear All button to clear each peer of its current status and begin a new data collection.
Refresh: Select the Refresh button to update the screen’s statistics counters to their latest values.
15.3.34.2 IPSec

Use the IPSec VPN screen to assess tunnel status between networked peers.

To view IPSec VPN status for tunnelled peers:

1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select VPN and expand the menu to reveal its sub menu items.
4 Select IPSec.

Figure 15-126 Wireless Controller - VPN IPSec screen

Review the following VPN peer security association statistics:

Peer: Lists IP addresses for peers sharing security associations (SA) for tunnel interoperability. When a peer sees a sensitive packet, it creates a secure tunnel and sends the packet through the tunnel to its destination.
Local IP Address: Displays each listed peer’s local tunnel end point IP address. This address represents an alternative to an interface IP address.
Protocol: Lists the security protocol used with the VPN IPSec tunnel connection. SAs are unidirectional, existing in each direction and established per security protocol. Options include ESP and AH.
State: Lists the state of each listed peer’s security association.
SPI In: Lists stateful packet inspection (SPI) status for incoming IPSec tunnel packets. SPI tracks each connection traversing the IPSec VPN tunnel and ensures they are valid.
SPI Out: Lists SPI status for outgoing IPSec tunnel packets. SPI tracks each connection traversing the IPSec VPN tunnel and ensures they are valid.
Mode: Displays the IKE mode. IPSEC has two modes in IKEv1 for key exchanges. Aggressive mode requires 3 messages be exchanged between the IPSEC peers to setup the SA, Main requires 6 messages
Clear All: Select the Clear All button to clear each peer of its current status and begin a new data collection.
Refresh: Select the Refresh button to update the screen’s statistics counters to their latest values.

15.3.35 Viewing Certificate Statistics

The Secure Socket Layer (SSL) protocol is used to ensure secure transactions between Web servers and browsers. This protocol uses a third-party, a certificate authority, to identify one end or both ends of the transactions. A browser checks the certificate issued by the server before establishing a connection.

For more information, see:

• Viewing Trustpoints Statistics
• Viewing the RSA Key Details

15.3.35.1 Viewing Trustpoints Statistics

Each certificate is digitally signed by a trustpoint. The trustpoint signing the certificate can be a certificate authority, corporate or individual. A trustpoint represents a CA/identity pair containing the identity of the CA, CA-specific configuration parameters and an association with an enrolled identity certificate.

To view controller or service platform trustpoint statistics:

1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select Certificate and expand the menu to reveal its sub menu items.
4 Select Trustpoint.
Figure 15-127 Wireless Controller - Certificates Trustpoint screen

The Certificate Details field displays the following:

Subject Name: Describes the entity to which the certificate is issued.
Alternate Subject Name: Lists alternate subject information about the certificate as provided to the certificate authority.
Issuer Name: Displays the name of the organization issuing the certificate.
Serial Number: Lists the unique serial number of the certificate.
RSA Key Used: Displays the name of the key pair generated separately, or automatically when selecting a certificate.
IS CA: Indicates whether this certificate is an authority certificate (Yes/No).
Is Self Signed: Displays whether the certificate is self-signed (Yes/No).
Server Certification Present: Displays whether a server certification is present or not (Yes/No).
CRL Present: Displays whether a Certificate Revocation List (CRL) is present (Yes/No). A CRL contains a list of subscribers paired with digital certificate status. The list displays revoked certificates along with the reasons for revocation. The date of issuance and the entities that issued the certificate are also included.
The Validity field displays the following:
Valid From: Displays the certificate’s issue date stating the beginning of the certificate’s validity.
Valid Until: Displays the certificate’s expiration date.

The Certificate Authority (CA) Details field displays the following:
Subject Name: Displays information about the entity to which the certificate is issued.
Alternate Subject Name: This section provides alternate information about the certificate as provided to the certificate authority. This field is used to provide more information that supports information provided in the Subject Name field.
Issuer Name: Displays the organization issuing the certificate.
Serial Number: Lists the unique serial number of each certificate issued.

The Certificate Authority Validity field displays the following:
Validity From: Displays the date when the validity of a CA begins.
Validity Until: Displays the date when the validity of a CA expires.

5 Select the Refresh button to update the screen’s statistics counters to their latest values.

15.3.35.2 Viewing the RSA Key Details

Rivest, Shamir, and Adleman (RSA) is an algorithm for public key cryptography. It’s the first algorithm known to be suitable for signing as well as encryption. The RSA Keys screen displays a list of RSA keys installed in the selected Access Point. RSA Keys are generally used for establishing an SSH session, and are a part of the certificate set used by RADIUS, VPN and HTTPS.

To view the RSA Key details:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select Certificate and expand the menu to reveal its sub menu items.
4 Select RSA Keys.
Figure 15-128 Wireless Controller - Certificates RSA Keys screen

The RSA Key Details field describes the size (in bits) of the desired key. If not specified, a default key size of 1024 is used. The RSA Public Key field describes the public key’s character set used for encrypting messages. This key is known to everyone.

5 Select the Refresh button to update the screen’s statistics counters to their latest values.

15.3.36 WIPS Statistics

Wireless Intrusion Protection System (WIPS) detects the presence of unauthorized Access Points. Unauthorized attempts to access the WLAN are generally accompanied by intruding clients finding network vulnerabilities. Basic forms of this behavior can be monitored and reported without a dedicated WIPS deployment. When the parameters exceed a configurable threshold, the controller or service platform generates an SNMP trap and reports the result via the management interfaces. Basic WIPS functionality does not require monitoring APs and does not perform off-channel scanning. For more information, see:
• Viewing the Client Blacklist
• Viewing WIPS Event Statistics

15.3.36.1 Viewing the Client Blacklist

The Client Blacklist displays blacklisted clients detected using WIPS. Blacklisted clients are not allowed to associate to connected devices within the controller or service platform managed network.

To view the client blacklist screen:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select WIPS and expand the menu to reveal its sub menu items.
4 Select Client Blacklist.

Figure 15-129 Wireless Controller - WIPS Client Blacklist screen

The Client Blacklist screen displays the following:
Event Name: Displays the name of the detected wireless intrusion resulting in a blacklisting of the client from controller or service platform resources.
Blacklisted Client: Displays the MAC address of the intruding client device pending exclusion from the controller or service platform managed network.
Time Blacklisted: Displays the time this client was blacklisted.
Total Time: Displays the duration the unauthorized device remained in the WLAN.
Time Left: Displays the duration after which the blacklisted client is removed from the blacklist.
Refresh: Select the Refresh button to update the screen’s statistics counters to their latest values.

15.3.36.2 Viewing WIPS Event Statistics

The WIPS Events screen displays event information for rogue Access Point intrusions within the controller or service platform managed network.

To view WIPS event statistics:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select WIPS and expand the menu to reveal its sub menu items.
4 Select WIPS Events.

Figure 15-130 Wireless Controller - WIPS Events screen

The WIPS Events screen displays the following:
Event Name: Displays the name of the detected intrusion event.
Reporting AP: Displays the hostname of the AP reporting each intrusion. The Access Point displays as a link that can be selected to provide configuration and network address information in greater detail.
Originating Device: Displays the MAC address of the intruder AP.
Detector Radio: Displays which AP radio is making the intrusion detection.
Time Reported: Displays the time when the intruding AP was detected.
Clear All: Select Clear All to reset the statistics counters to zero and begin a new data collection.
Refresh: Select the Refresh button to update the screen’s statistics counters to their latest values.

15.3.37 Sensor Server

Sensor servers allow the monitoring and download of data from multiple sensors and remote locations using Ethernet, TCP/IP or serial communication. Repeaters are available to extend the transmission range and combine sensors with various frequencies on the same receiver.

To view the Sensor Server statistics:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select Sensor Servers from the left-hand side of the controller or service platform UI.
Figure 15-131 Wireless Controller - Sensor Server screen

The Sensor Servers screen displays the following:
IP Address/Hostname: Displays a list of sensor server IP addresses. These are sensor resources available to the controller or service platform.
Port: Displays the port on which this server is listening.
Status: Displays whether the server is connected or not connected.
Refresh: Select the Refresh button to update the screen’s statistics counters to their latest values.

15.3.38 Bonjour Services

Bonjour is Apple’s zero-configuration networking (Zeroconf) implementation. Zeroconf is a group of technologies including service discovery, address assignment and hostname resolution. Bonjour locates the devices (printers, computers etc.) and services these computers provide over a local network.

Bonjour provides a method to discover services on a LAN. Bonjour allows users to set up a network without any configuration. Services such as printers, scanners and file-sharing servers can be found using Bonjour. Bonjour only works within a single broadcast domain. However, with a special DNS configuration, it can be extended to find services across broadcast domains.

To view the Bonjour service statistics:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select Bonjour Services from the left-hand side of the controller or service platform UI.
Figure 15-132 Wireless Controller - Bonjour Services screen

Refer to the following Bonjour service utilization stats:
Service Name: Lists the services discoverable by the Bonjour gateway. Services can either be pre-defined Apple services (scanner, printer etc.) or an alias not available on the predefined list.
Instance Name: Lists the name of each Bonjour service instance (session) utilized by the controller or service platform.
IP Address: Lists the network IP address utilized by the listed Bonjour service providing resources to the controller or service platform.
Port: Displays the port used to secure a connection with the listed Bonjour service.
Vlan: Lists the VLAN(s) on which a listed Bonjour service is routable.
Vlan Type: Lists the VLAN type as either a local bridging mode or a shared tunnel.
Expiry: Lists the expiration date of the listed Bonjour service, and its availability to discover resources on the LAN.
Refresh: Select the Refresh button to update the screen’s statistics counters to their latest values.

15.3.39 Captive Portal Statistics

A captive portal redirects an HTTP client to a Web page (usually for authentication purposes) before authenticating for Internet access. A captive portal turns a Web browser into an authenticator. This is done by
intercepting packets (regardless of the address or port) until the user opens a browser and attempts to access the Internet. At that time, the browser is redirected to a Web page requiring authentication.

To view the controller or service platform captive portal statistics:
1 Select the Statistics tab from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select Captive Portal from the left-hand side of the controller or service platform UI.

Figure 15-133 Wireless Controller - Captive Portal screen

The Captive Portal screen displays the following:
Client MAC: Displays the requesting client’s MAC address. The MAC displays as a link that can be selected to display client configuration and network address information in greater detail.
Client IP: Displays the requesting client’s IPv4 formatted IP address.
Client IPv6: Displays the requesting client’s IPv6 formatted IP address.
Captive Portal: Displays the captive portal name that each listed client is utilizing for guest access to controller resources.
Port Name: Lists the controller or service platform port name supporting the captive portal connection with the listed client MAC address.
Authentication: Displays the authentication status of the requesting client.
WLAN: Displays the name of the WLAN the client belongs to.
VLAN: Displays the name of the requesting client’s VLAN interface.
Remaining Time: Displays the time after which the client is disconnected from the captive portal managed Internet.
Refresh: Select the Refresh button to update the screen’s statistics counters to their latest values.
15.3.40 Network Time

Network Time Protocol (NTP) is central to networks that rely on their controller or service platform to supply system time. Without NTP, system time is unpredictable, which can result in data loss, failed processes and compromised security. With network speed, memory, and capability increasing at an exponential rate, the accuracy, precision, and synchronization of network time is essential in a controller or service platform managed network. The controller or service platform can use a dedicated server to supply system time. The controller or service platform can also use several forms of NTP messaging to sync system time with authenticated network traffic.

15.3.40.1 Viewing NTP Status

The NTP Status screen displays performance (status) information relative to the NTP association status. Verify the NTP status to assess the controller or service platform’s current NTP resource.

To view the NTP status of a managed network:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select Network Time.
4 Select NTP Status.

Figure 15-134 Wireless Controller - NTP Status screen

Refer to the NTP Status table to review the accuracy and performance of the controller or service platform’s synchronization with an NTP server.
Clock Offset: Displays the time differential between the controller or service platform time and the NTP resource.
Frequency: An SNTP server clock’s skew (difference) for the controller or service platform and the dedicated NTP resource.
Leap: Indicates if a second is added or subtracted to SNTP packet transmissions, or if transmissions are synchronized.
Precision: Displays the precision of the controller’s time clock (in Hz). The values that normally appear in this field range from -6 for mains-frequency clocks to -20 for microsecond clocks.
Reference Time: Displays the time stamp the local clock was last set or corrected.
Reference: Displays the address of the time source the controller or service platform is synchronized to.
Root Delay: The total round-trip delay in seconds. This variable can take on both positive and negative values, depending on relative time and frequency offsets. The values that normally appear in this field range from negative values (a few milliseconds) to positive values (several hundred milliseconds).
Root Dispersion: The difference between the time on the root NTP server and its reference clock. The reference clock is the clock used by the NTP server to set its own clock.
Stratum: Displays how many hops the controller or service platform is from its current NTP resource.
Refresh: Select the Refresh button to update the screen’s statistics counters to their latest values.

15.3.40.2 Viewing NTP Associations

The interaction between the controller or service platform and an SNTP server constitutes an association. SNTP associations can be either peer associations (the controller or service platform synchronizes to another system or allows another system to synchronize to it), or server associations (only the controller or service platform synchronizes to the SNTP resource, not the other way around).

To view the NTP associations:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select Network Time.
4 Select NTP Associations.
Figure 15-135 Wireless Controller - NTP Association screen

The NTP Associations screen provides the controller or service platform’s current NTP associations:
Delay Time: Displays the round-trip delay (in seconds) for SNTP broadcasts between the SNTP server and the controller or service platform.
Display: Displays the time difference between the peer NTP server and the onboard wireless controller clock.
Offset: Displays the calculated offset between the controller or service platform and the SNTP server. The controller or service platform adjusts its clock to match the server’s time. The offset gravitates towards zero over time, but never completely reduces its offset to zero.
Poll: Displays the maximum interval between successive messages (in seconds) to the nearest power of two.
Reach: Displays the status of the last eight SNTP messages. If an SNTP packet is lost, the lost packet is tracked over the next eight SNTP messages.
Reference IP Address: Displays the address of the time source the controller or service platform is synchronized to.
Server IP Address: Displays the numerical IP address of the SNTP resource (server) providing SNTP updates to the controller.
State: Displays the NTP association status code.
Status: Displays the NTP peer’s current status.
Time: Displays the timestamp of the last NTP packet received from the NTP peer.
Refresh: Select the Refresh button to update the screen’s statistics counters to their latest values.
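
The Reach, Offset and Delay Time columns described above can be checked automatically when association rows are collected for monitoring. The following is an added example, not part of the WiNG documentation: it assumes Reach is presented the way ntpd presents it (an 8-bit shift register printed in octal, newest poll in the lowest bit), and the row layout, field names, thresholds and sample rows are constructed for illustration.

```python
"""Health check over NTP association rows (added example, constructed data)."""
from typing import Dict, List, NamedTuple

# Assumed threshold, not a WiNG default: 0.128 s is the offset at which
# ntpd steps the clock instead of slewing it.
MAX_ABS_OFFSET_S = 0.128


class Association(NamedTuple):
    server: str      # Server IP Address column
    reach: str       # Reach column, assumed to be octal text such as "377"
    offset_s: float  # Offset column, in seconds
    delay_s: float   # Delay Time column, in seconds


def decode_reach(reach_octal: str) -> List[bool]:
    """Return the last eight poll results, newest first (True = reply seen)."""
    value = int(reach_octal, 8)
    if not 0 <= value <= 0o377:
        raise ValueError("reach must fit in eight bits: %r" % reach_octal)
    return [bool((value >> bit) & 1) for bit in range(8)]


def missed_streak(polls: List[bool]) -> int:
    """Count consecutive lost polls, starting from the most recent one."""
    streak = 0
    for replied in polls:
        if replied:
            break
        streak += 1
    return streak


def assess(row: Association) -> List[str]:
    """Return findings for one association; an empty list means healthy."""
    findings = []
    polls = decode_reach(row.reach)
    lost = polls.count(False)
    streak = missed_streak(polls)
    if lost == 8:
        findings.append("unreachable: no reply in the last eight polls")
    elif streak >= 2:
        findings.append("%d most recent polls lost" % streak)
    elif lost:
        findings.append("%d of the last eight polls lost" % lost)
    if abs(row.offset_s) > MAX_ABS_OFFSET_S:
        findings.append("offset %.3f s exceeds %.3f s"
                        % (row.offset_s, MAX_ABS_OFFSET_S))
    # The error of an NTP offset estimate is bounded by half the round trip,
    # so a long delay means the offset cannot be trusted to the threshold.
    if row.delay_s / 2 > MAX_ABS_OFFSET_S:
        findings.append("round-trip delay %.3f s too long to bound the offset"
                        % row.delay_s)
    return findings


def audit(rows: List[Association]) -> Dict[str, List[str]]:
    """Map each server address to its list of findings."""
    return {row.server: assess(row) for row in rows}


def usable_sources(rows: List[Association]) -> List[str]:
    """Servers with no findings. An empty result means the device's
    timestamps should not be relied on when correlating logs."""
    return [server for server, found in audit(rows).items() if not found]


# Constructed sample rows using documentation address ranges.
SAMPLE = [
    Association("192.0.2.10", "377", 0.004, 0.021),    # all eight polls answered
    Association("192.0.2.11", "374", 0.006, 0.030),    # two newest polls lost
    Association("192.0.2.12", "0", 0.0, 0.0),          # never answered
    Association("198.51.100.5", "357", 0.750, 0.400),  # one old loss, large offset
]

if __name__ == "__main__":
    for server, findings in audit(SAMPLE).items():
        print(server, "OK" if not findings else "; ".join(findings))
```
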
15.4 Access Point Statistics

The Access Point statistics screens display controller or service platform connected Access Point performance, health, version, client support, radio, mesh, interface, DHCP, firewall, WIPS, sensor, captive portal, NTP and load information. Access Point statistics consist of the following:
• Health
• Device
• Web-Filtering
• Application Visibility (AVC)
• Device Upgrade
• Adoption
• AP Detection
• Guest User
• Wireless LANs
• Policy Based Routing
• Radios
• Mesh
• Interfaces
• RTLS
• PPPoE
• Bluetooth
• OSPF
• L2TPv3 Tunnels
• VRRP
• Critical Resources
• LDAP Agent Status
• Mint Links
• Guest Users
• GRE Tunnels
• Dot1x
• Network
• DHCPv6 Relay & Client
• DHCP Server
• Firewall
• VPN
• Certificates
• WIPS
• Sensor Servers
• Bonjour Services
• Captive Portal
• Network Time
• Load Balancing
• Environmental Sensors (AP8132 Models Only)
15.4.1 Health

The Health screen displays a selected Access Point’s hardware version and software version. Use this information to fine tune the performance of an Access Point. This screen should also be the starting point for troubleshooting an Access Point since it’s designed to present a high level display of Access Point performance efficiency.

To view the Access Point health:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Health.

Figure 15-136 Access Point - Health screen

The Device Details field displays the following information:
Hostname: Displays the AP’s unique name as assigned within the controller or service platform managed network. A hostname is assigned to a device connected to a computer network.
Device MAC: Displays the MAC address of the AP. This is factory assigned and cannot be changed.
Primary AP: Displays the IP address assigned to this device either through DHCP or through static IP assignment.
Type: Displays the Access Point’s model type.
Model Number: Displays the Access Point’s model number to help further differentiate the Access Point from others of the same model series and defined country of operation.
RF Domain Name: Displays the Access Point’s RF Domain membership. Unlike a controller or service platform, an Access Point can only belong to one RF Domain based on its model. The domain name appears as a link that can be selected to show RF Domain utilization in greater detail.
Version: Displays the Access Point’s current firmware version. Use this information to assess whether an upgrade is required for better compatibility.
Uptime: Displays the cumulative time since the Access Point was last rebooted or lost power.
CPU: Displays the processor core.
RAM: Displays the free memory available with the RAM.
System Clock: Displays the system clock information.

The Radio RF Quality Index field displays the following:
RF Quality Index: Displays Access Point radios and their quality indices. RF quality index indicates the overall RF performance. The RF quality indices are: 0 – 50 (poor), 50 – 75 (medium), 75 – 100 (good).
Radio Id: Displays a radio’s hardware encoded MAC address. The ID appears as a link that can be selected to show radio utilization in greater detail.
Radio Type: Identifies whether the radio is 2.4 or 5 GHz.

The Radio Utilization Index field displays the following:
Total Bytes: Displays the total bytes of data transmitted and received by the Access Point since the screen was last refreshed.
Total Packets: Lists the total number of data packets transmitted and received by the Access Point since the screen was last refreshed.
Total Dropped: Lists the number of dropped data packets by an Access Point radio since the screen was last refreshed.

The Client RF Quality Index field displays the following:
Worst 5: Displays clients having lowest RF quality within the network.
Client MAC: Displays the MAC addresses of the clients with the lowest RF indices.
Retry Rate: Displays the average number of retries per packet. A high number indicates possible network or hardware problems.

4 Select the Refresh button as needed to update the screen’s statistics counters to their latest values.

15.4.2 Device

The Device screen displays basic information about the selected Access Point. Use this screen to gather version information, such as the installed firmware image version, the boot image and upgrade status.
To view the device statistics:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Device.

Figure 15-137 Access Point - Device screen

The System field displays the following:
Model Number: Displays the model of the selected Access Point to help distinguish its exact SKU and country of operation.
Serial Number: Displays the numeric serial number set for the Access Point.
Version: Displays the software (firmware) version on the Access Point.
Boot Partition: Displays the boot partition type.
Fallback Enabled: Displays whether this option is enabled. This method enables a user to store a known legacy version and a new version in device memory. The user can test the new software, and use an automatic fallback, which loads the old version on the Access Point if the new version fails.
Fallback Image Triggered: Displays whether the fallback image was triggered. The fallback image is an old version of a known and operational software stored in device memory. This allows a user to test a new version of software. If the new version fails, the user can use the old version of the software.
Next Boot: Designates this version as the version used the next time the AP is booted.

The System Resources field displays the following:
Available Memory (MB): Displays the memory (in MB) available on the Access Point.
Total Memory (MB): Displays the Access Point’s total memory.
Currently Free RAM: Displays the Access Point’s free RAM space. If it’s very low, free up some space by closing some processes.
Recommended Free RAM: Displays the recommended RAM required for routine operation.
Current File Descriptors: Displays the Access Point’s current file description.
Maximum File Descriptors: Displays the Access Point’s maximum file description.
CPU Load 1 Minute: Lists this Access Point’s CPU utilization over a 1 minute span.
CPU Load 5 Minutes: Lists this Access Point’s CPU utilization over a 5 minute span.
CPU Load 15 Minutes: Lists this Access Point’s CPU utilization over a 15 minute span.

The Upgrade Status field displays the following:
Upgrade Status: Displays the status of the last firmware upgrade performed by this controller or service platform.
Upgrade Status Time: Lists a time stamp defining the occurrence of the most recent upgrade operation.

The Fan Speed field displays the following:
Number: Displays the number of fans supported on this Access Point.
Speed (Hz): Displays the fan speed in Hz.

The Temperature field displays the following:
Number: Displays the number of temperature elements used by the Access Point.
Temperature: Displays the current temperature (in Celsius) to assess a potential Access Point overheat condition.

The Kernel Buffers field displays the following:
Buffer Size: Lists the sequential buffer size.
Current Buffers: Displays the current buffers available to the selected Access Point.
Maximum Buffers: Lists the maximum buffers available to the selected Access Point.

The IP Domain field displays the following:
Number: Displays the number of fans supported on this Access Point.
Speed (Hz): Displays the fan speed in Hz.

The IP Name Servers field displays the following:
Name Server: Displays the names of the servers designated to provide DNS resources to this Access Point.
Type: Displays the type of server for each server listed.

The Firmware Images field displays the following:
Primary Build Date: Displays the build date when this Access Point firmware version was created.
Primary Install Date: Displays the date this version was installed.
Primary Version: Displays the primary version string.
Secondary Build Date: Displays the build date when this version was created.
Secondary Install Date: Displays the date this secondary version was installed.
Secondary Version: Displays the secondary version string.
FPGA Version: Displays whether an FPGA supported firmware load is being utilized.
PoE Firmware Version: Displays whether a PoE supported firmware load is being utilized.

The IPv6 Name Servers field displays the following:
Name Server: Lists the IPv6 name server hosting a network service for providing responses to queries against a directory. The IPv6 name server maps a human recognizable identifier to a system’s internal identifier. This service is performed by the server in response to a network service protocol request.
Type: Lists the type of IPv6 name server mapping a human readable identifier to system identifier.

The Sensor Lock field displays the following:
Sensor Lock: Displays whether a lock has been applied to Access Point sensor capabilities.

The Power Management field displays the following:
Power Management Mode: Displays the power mode currently invoked by the selected Access Point.
Power Management Status: Lists the power status of the Access Point.
Ethernet Power Status: Displays the Access Point’s Ethernet power status.
Radio Power Status: Displays the power status of the Access Point’s radios.
The IPv6 Hop Limit table displays the following:
Hop Limit: Lists the maximum number of times IPv6 traffic can hop. The IPv6 header contains a hop limit field that controls the number of hops a datagram can be sent before being discarded (similar to the TTL field in an IPv4 header).

The IPv6 Delegated Prefixes table displays the following:
IPv6 Delegated Prefix: In IPv6, prefix delegation is used to assign a network address prefix, configuring the controller or service platform with the prefix.
Prefix Name: Lists the name assigned to the IPv6 delegated prefix.
DHCPv6 Client State: Displays the current DHCPv6 client state as impacted by the IPv6 delegated prefix.
Interface Name: Lists the interface over which IPv6 prefix delegation occurs.
T1 timer (seconds): Lists the amount of time in seconds before the DHCP T1 (delay before renew) timer expires.
T2 timer (seconds): Lists the amount of time in seconds before the DHCP T2 (delay before rebind) timer expires.
Last Refreshed (seconds): Lists the time, in seconds, since IPv6 prefix delegation has been updated.
Preferred Lifetime (seconds): Lists the time in seconds (relative to when the packet is sent) the IPv6 formatted address remains in a preferred state on the selected interface. The preferred lifetime must always be less than or equal to the valid lifetime.
Valid Lifetime (seconds): Displays the time in seconds (relative to when the packet is sent) the IPv6 formatted address remains in a valid state on the selected interface. The valid lifetime must always be greater than or equal to the preferred lifetime.

4 Select Refresh to update the statistics counters to their latest values.

15.4.3 Web-Filtering

The Web-Filtering screen displays information on Web requests for content and whether the requests were blocked or approved based on URL filter settings defined for the selected Access Point. A URL filter is comprised of several filter rules. A whitelist bans all sites except the categories and URL lists defined in the whitelist. The blacklist allows all sites except the categories and URL lists defined in the blacklist.

To view this Access Point’s Web filter statistics:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Web-Filtering.
Figure 15-138 Access Point - Web Filtering screen

The Web-Filtering Requests field displays the following information:
Total Blocks: Lists the number of Web request hits against content blocked in the URL blacklist.
Total Requests: Lists the total number of requests for URL content cached locally on this Access Point.
Total URL Cache Entries: Displays the number of cached URL data entries made on this Access Point at the request of clients requiring URL data managed by the Access Point and their respective whitelist or blacklist.

The Top Categories field helps administrators assess the content most requested, blocked or approved based on the defined whitelist and blacklist permissions:
Top Categories - Requested: Lists those Web content categories most requested by clients managed by this Access Point. Use this information to assess whether the permissions defined in the blacklist and whitelist optimally support these client requests for cached Web content.
Top Categories - Blocked: Lists those Web content categories blocked most often for requesting clients managed by this Access Point. Use this information to periodically assess whether the permissions defined in the blacklist and whitelist still restrict the desired cached Web content from requesting clients. Remember, a whitelist bans all sites except the categories and URL lists defined in the whitelist. The blacklist allows all sites except the categories and URL lists defined in the blacklist.
Top Categories - Approved: Lists those Web content categories approved most often on behalf of requesting clients managed by this Access Point. Periodically review this information to assess whether this cached and available Web content still adheres to your organization’s standards for client access.

The Web Filter Status field displays the following information:
Name: Displays the name of the filter whose URL rule set has been invoked.
Blacklist Category: Lists the blacklist category whose URL filter rule set has caused data to be filtered to a requesting client. Periodically assess whether these rules are still relevant to the data requirements of requesting clients.
VLAN: Lists the impacted Access Point VLAN whose Web data traffic has been filtered based on the restrictions in the listed blacklist category.
WLAN: Lists the impacted Access Point WLAN whose Web data traffic has been filtered based on the restrictions in the listed blacklist category. Periodically assess whether clients are segregated to the correct WLAN based on their cached Web data requirements and impending filter rules.

4 Periodically select Refresh to update this screen to its latest values.

15.4.4 Application Visibility (AVC)

Access Points can inspect every byte of each application header packet allowed to pass to their connected clients. When an application is recognized and classified by the WiNG application recognition engine, administrator defined actions can be applied to that specific application. For information on categorizing, filtering and logging the application data allowed to proliferate the WiNG network, refer to Application Policy on page 7-54 and Application on page 7-58.

To view Access Point application utilization statistics:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Application Visibility (AVC).
Figure 15-139 Access Point - Application Visibility

4 Refer to the Top Applications graph to assess the most prolific, and allowed, application data passing through the Access Point.
Total Bytes: Displays the top ten utilized applications in respect to total data bytes passing through the Access Point. These are only the administrator allowed applications approved for proliferation within the Access Point managed network.
Bytes Uploaded: Displays the top ten applications in respect to total data bytes uploaded through the Access Point managed network. If this application data is not aligned with application utilization expectations, consider allowing or denying additional applications and categories or adjusting their precedence (priority).
Bytes Downloaded: Displays the top ten applications in respect to total data bytes downloaded from the Access Point managed network. If this application data is not aligned with application utilization expectations, consider allowing or denying additional applications and categories or adjusting their precedence (priority).

5 Refer to the Application Detailed Stats table to assess specific application data utilization:
Application Name: Lists the allowed application name whose data (bytes) are passing through the Access Point managed network.
Uploaded: Displays the number of uploaded application data (in bytes) passing through the Access Point managed network.
StatisticsWireless Controller and Service Platform System Reference Guide 15 - 2056 Select the Category tab.Categories are existing WiNG or user defined application groups (video, streaming, mobile, audio etc.) that assist administrators in filtering (allowing or denying) application data. For information on categorizing application data, refer to Application Policy on page 7-54 and Application on page 7-58.Figure 15-140 Access Point - Application Category Visibility7 Refer to the Top Categories graph to assess the most prolific, and allowed, application data categories utilized by the Access Point.Downloaded Displays the number of downloaded application data (in bytes) passing the through the Access Point managed network. Num Flows Lists the total number of application data flows passing through the Access Point for each listed application. An application flow can consist of packets in a specific connection or media stream. Application packets with the same source address/port and destination address/port are considered one flow. Clear Application Stats Select this option to clear the application assessment data counters and begin a new assessment.Refresh Select the Refresh button to update the statistics counters to their latest values.Total Bytes Displays the top ten application categories in respect to total data bytes passing through the Access Point managed network. These are only the administrator allowed application categories approved for proliferation within the Access Point managed network.
StatisticsWireless Controller and Service Platform System Reference Guide  15 - 2068 Refer to the Category Detailed Stats table to assess specific application category data utilization: 15.4.5 Device UpgradeAccess Point StatisticsThe Device Upgrade screen displays information about devices receiving updates and the devices used to provision them. Use this screen to gather version data, install firmware images, boot an image and upgrade status.To view the device upgrade statistics:1 Select the Statistics menu from the Web UI.2Select System from the navigation pane (on the left-hand side of the screen). Expand a RF Domain, select a controller or service platform, and select one of its connected Access Points.3Select Device Upgrade.Bytes Uploaded Displays the top ten application categories in respect to total data bytes uploaded through the controller or service platform managed network. If this category data is not aligned with application utilization expectations, consider allowing or denying additional categories or adjusting their precedence (priority).Bytes Downloaded Displays the top ten application categories in respect to total data bytes downloaded from the Access Point managed network. If this category data is not aligned with application utilization expectations, consider allowing or denying additional categories and categories or adjusting their precedence (priority).Category Name Lists the allowed category whose application data (in bytes) is passing through the Access Point managed network.Uploaded Displays the number of uploaded application category data (in bytes) passing the through the Access Point managed network. Downloaded Displays the number of downloaded application category data (in bytes) passing the through the Access Point managed network. Num Flows Lists the total number of application category data flows passing through Access Point connected clients. A category flow can consist of packets in a specific connection or media stream. 
Packets with the same source address/port and destination address/port are considered one flow. Clear Application Stats Select this option to clear the application category assessment data counters and begin a new assessment.Refresh Select the Refresh button to update the statistics counters to their latest values.
Figure 15-141 Access Point - Device Upgrade screen

The Upgrade screen displays the following information:

Device Hostname: Displays the administrator assigned hostname of the Access Point receiving the update.
Type: Displays the Access Point model type of the device receiving a firmware update from the provisioning Access Point.
State: Displays the current state of the Access Point upgrade (done, failed etc.).
Time Last Upgraded: Displays the date and time of the last successful Access Point firmware upgrade operation.
Retries Count: Displays the number of retries made in an Access Point firmware update operation.
Upgraded By: Displays the MAC address of the Access Point that performed the upgrade operation.
Last Update Status: Displays the status of the last upgrade operation (Start Upgrade, Update Error etc.).
Clear History: Select the Clear History button to clear the screen of its current status and begin a new data collection.
Refresh: Select the Refresh button to update the screen’s statistics counters to their latest values.
15.4.6 Adoption

Access Point adoption stats are available for both currently adopted Access Points and Access Points pending adoption. Historical data can also be fetched for adopted Access Points.

For more information, refer to the following:
• Adopted APs
• AP Adoption History
• AP Self Adoption History
• Pending Adoptions

15.4.6.1 Adopted APs

The Adopted APs screen lists Access Points adopted by the selected Access Point, their RF Domain memberships and network service information.

To view adopted Access Point statistics:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Expand the Adoption menu item.
4 Select Adopted APs.

Figure 15-142 Access Point - Adopted APs screen

The Adopted APs screen displays the following:

Access Point: Displays the name assigned to the adopted Access Point as part of its device configuration.
Type: Lists each Access Point type adopted by this Access Point.
RF Domain Name: Displays each Access Point’s RF Domain membership. An Access Point can only share RF Domain membership with other Access Points of the same model.
Model Number: Displays each listed Access Point’s numeric model (AP6532, AP6562, etc.).
Status: Displays each listed Access Point’s configuration status to help determine its service role.
Errors: Lists any configuration errors that may be hindering a clean adoption.
Adopted By: Lists the adopting Access Point.
Adoption time: Displays each listed Access Point’s time of adoption.
Startup Time: Displays each listed Access Point’s in service time since last offline.
Refresh: Select the Refresh button to update the screen’s statistics counters to their latest values.

15.4.6.2 AP Adoption History

The AP Adoption History screen displays a list of peer Access Points and their adoption event status.

To review a selected Access Point’s adoption history:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Expand the Adoption menu item.
4 Select AP Adoption History.

Figure 15-143 Access Point - AP Adoption History screen

The Adopted Devices screen describes the following historical data for adopted Access Points:

Event Name: Displays the adoption status of each listed Access Point as either adopted or un-adopted.
AP MAC Address: Displays the MAC address of each Access Point this Access Point has attempted to adopt.
Reason: Displays the reason code for each event listed.
Event Time: Displays day, date and time for each Access Point adoption attempt.
Refresh: Select the Refresh button to update the screen’s statistics counters to their latest values.

15.4.6.3 AP Self Adoption History

The AP Self Adoption History displays an event history of peer Access Points that have adopted to the selected Access Point.

1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller, and select one of its connected Access Points.
3 Expand the Adoption menu item.
4 Select AP Self Adoption History.

Figure 15-144 Access Point - AP Self Adoption History screen

The AP Self Adoption History screen describes the following historical data for adopted Access Points:

Event History: Displays the self adoption status of each AP as either Adopted or un-adopted.
MAC: Displays the hardware encoded Media Access Control (MAC) of the auto adopted Access Point.
Reason: Displays the adoption reason code for an Access Point’s auto adoption.
Adoption Time: Displays a timestamp for the Access Point’s auto-adoption by the controller or service platform.
Refresh: Select the Refresh button to update the screen’s statistics counters to their latest values.

15.4.6.4 Pending Adoptions

The Pending Adoptions screen displays a list of devices yet to be adopted to this peer Access Point, or Access Points in the process of adoption.

To view pending Access Point statistics:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Expand the Adoption menu item.
4 Select Pending Adoptions.

Figure 15-145 Access Point - Pending Adoptions screen

The Pending Adoptions screen provides the following:

MAC Address: Displays the MAC address of the device pending adoption.
Type: Displays the Access Point’s model type.
IP Address: Displays the current network IP Address of the device pending adoption.
VLAN: Displays the current VLAN used as a virtual interface by the device pending adoption.
Reason: Displays the status as to why the device is still pending adoption and has not yet successfully connected to this Access Point.
Discovery Option: Displays the discovery option code for each AP listed pending adoption.
Last Seen: Displays the date and time stamp of the last time the device was seen. Click the arrow next to the date and time to toggle between standard time and UTC.
Refresh: Select the Refresh button to update the screen’s statistics counters to their latest values.

15.4.7 AP Detection

The AP Detection screen displays potentially hostile Access Points, their SSIDs, reporting AP, and so on. Continuously revalidating the credentials of detected devices reduces the possibility of an Access Point hacking into the network.

To view the AP detection statistics:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select AP Detection.

Figure 15-146 Access Point - AP Detection

The AP Detection screen displays the following:

Unsanctioned AP: Displays the MAC address of a detected Access Point that is yet to be authorized for interoperability within the Access Point managed network.
Reporting AP: Displays the hardware encoded MAC address of the radio used by the detecting Access Point. Select an Access Point to display configuration and network address information in greater detail.
SSID: Displays the WLAN SSID the unsanctioned Access Point was detected on.
AP Mode: Displays the operating mode of the unsanctioned Access Point.
Radio Type: Displays the type of the radio on the unsanctioned Access Point. The radio can be 802.11b, 802.11bg, 802.11bgn, 802.11a or 802.11an.
Channel: Displays the channel the unsanctioned Access Point is currently transmitting on.
RSSI: Lists a relative signal strength indication (RSSI) for a detected (and perhaps unsanctioned) Access Point.
Last Seen: Displays the time (in seconds) the unsanctioned Access Point was last seen on the network.
Clear All: Select the Clear All button to clear the screen of its current status and begin a new data collection.
Refresh: Select the Refresh button to update the screen’s statistics counters to their latest values.

15.4.8 Guest User

The Guest User screen displays credential information for wireless clients associated with an Access Point. Use this information to assess if configuration changes are required to improve network performance.

To view guest user statistics:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Guest User.

Figure 15-147 Access Point - Guest User screen

The Guest User screen displays the following client information:

Client MAC: Displays the hardcoded MAC address assigned to the guest client at the factory. The address displays as a link that can be selected to display configuration and network address information in greater detail.
IP Address: Displays the unique IP address of the guest client. Use this address as necessary throughout the applet for filtering and device intrusion recognition and approval.
IPv6 Address: Displays the current IPv6 formatted IP address a listed guest client is using as a network identifier. IPv6 is the latest revision of the Internet Protocol (IP) designed to replace IPv4. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons.
Hostname: Displays the hostname (MAC addresses) of connected guest clients. The hostname displays as a link that can be selected to display configuration and network address information in greater detail.
Role: Lists the guest client’s defined role within the Access Point managed network.
Client Identity: Displays the unique identity of the listed guest client as it appears to its adopting Access Point.
Vendor: Displays the name of the client vendor (manufacturer).
Band: Displays the 802.11 radio band on which the listed guest client operates.
AP Hostname: Displays the administrator assigned hostname of the Access Point to which this Access Point is adopted.
Radio MAC: Displays the MAC address of the radio which the wireless client is using.
WLAN: Displays the name of the WLAN the Access Point is using with each listed guest client. Use this information to determine if the client's WLAN assignment best suits its intended deployment in respect to the WLAN's QoS objective.
VLAN: Displays the VLAN ID each listed guest client is currently mapped to as a virtual interface for Access Point interoperability.
Last Active: Displays the time when this guest client was last seen (or detected) by a device within the Access Point managed network.
Disconnect Client: Select a specific client MAC address and select the Disconnect Client button to terminate this client’s connection to its Access Point.
Refresh: Select the Refresh button to update the screen's statistics counters to their latest values.

15.4.9 Wireless LANs

The Wireless LANs screen displays an overview of Access Point WLAN utilization. This screen displays Access Point WLAN assignment, SSIDs, traffic utilization, number of radios the Access Point is utilizing on the WLAN and transmit and receive statistics.

To review a selected Access Point’s WLAN statistics:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Wireless LANs.
Figure 15-148 Access Point - Wireless LANs screen

The Wireless LANs screen displays the following:

WLAN Name: Displays the name of the WLAN the Access Point is currently using for client transmissions.
SSID: Displays each listed WLAN’s Service Set ID (SSID) used as the WLAN’s network identifier.
Traffic Index: Displays the traffic utilization index, which measures how efficiently the WLAN’s traffic medium is used. It’s defined as the percentage of current throughput relative to maximum possible throughput. Traffic indices are:
  0 – 20 (very low utilization)
  20 – 40 (low utilization)
  40 – 60 (moderate utilization)
  60 and above (high utilization)
Radio Count: Displays the cumulative number of peer Access Point radios deployed within each listed WLAN.
Tx Bytes: Displays the average number of transmitted bytes sent on each listed WLAN.
Tx User Data Rate: Displays the transmitted user data rate in kbps for each listed WLAN.
Rx Bytes: Displays the average number of packets in bytes received on each listed WLAN.
Rx User Data Rate: Displays the received user data rate on each listed WLAN.
Disconnect All Clients: Select a WLAN then Disassociate All Clients to terminate the client connections within that WLAN.
Refresh: Select the Refresh button to update the screen’s statistics counters to their latest values.
15.4.10 Policy Based Routing

The Policy Based Routing statistics screen displays statistics for selective path packet redirection. PBR can optionally mark traffic for preferential services (QoS). PBR is applied to incoming routed packets, and a route-map is created containing a set of filters and associated actions. Based on the actions defined in the route-map, packets are forwarded to the next relevant hop. Route-maps are configurable under a global policy called routing-policy, and applied to profiles and devices.

To review Access Point PBR statistics:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Policy Based Routing.

Figure 15-149 Access Point - Policy Based Routing screen

The Policy Based Routing screen displays the following:

Precedence: Lists the numeric precedence (priority) assigned to each listed PBR configuration. A route-map consists of multiple entries, each carrying a precedence value. An incoming packet is matched against the route-map with the highest precedence (lowest numerical value).
Primary Next Hop IP: Lists the IP address of the virtual resource that, if available, is used with no additional route considerations.
Primary Next Hop State: Displays whether the primary hop is applied to incoming routed packets (UP/UNREACHABLE).
Secondary Next Hop IP: If the primary hop is unavailable, a second resource is used. This column lists the address set for the alternate route in the election process.
Secondary Next Hop State: Displays whether the secondary hop is applied to incoming routed packets (UP/UNREACHABLE).
Default Next Hop IP: If a packet subjected to PBR does not have an explicit route to the destination, the configured default next hop is used. This is either the IP address of the next hop or the outgoing interface. Only one default next hop is available. The difference between the next hop and the default next hop is that with the former, PBR occurs first, then destination based routing. With the latter, the order is reversed.
Default Next Hop State: Displays whether the default hop is being applied to incoming routed packets.
Refresh: Select the Refresh button to update the screen’s statistics counters to their latest values.

15.4.11 Radios

The Radio statistics screens display information on Access Point radios. The actual number of radios depends on the Access Point model and type. This screen displays information on a per radio basis. Use this information to refine and optimize the performance of each radio and therefore improve network performance.

The Access Point’s radio statistics screens provide details about associated radios. They provide radio ID, radio type, RF quality index etc. Use this information to assess the overall health of radio transmissions and Access Point placement. Each of these screens provides enough statistics to troubleshoot issues related to the following three areas:
• Status
• RF Statistics
• Traffic Statistics

Individual Access Point radios display as selectable links within each of the three Access Point radio screens. To review a radio’s configuration in greater detail, select the link within the Radio column of either the Status, RF Statistics or Traffic Statistics screens.

Additionally, navigate the Traffic, WMM TSPEC, Wireless LANs and Graph options available on the upper, left-hand side of the screen to review radio traffic utilization, WMM QoS settings, WLAN advertisement and radio graph information in greater detail. This information can help determine whether the radio is properly configured in respect to its intended deployment objective.
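Added example (not from the guide and not WiNG code): a small Python model of how the Primary, Secondary and Default Next Hop columns of the Policy Based Routing screen in section 15.4.10 relate to one another, plus a check for route-map entries hidden behind a higher-precedence entry. The source-subnet filter, the first-match rule, treating 0.0.0.0/0 as not an explicit route, and every address are assumptions made for the illustration.

```python
"""Model of the next-hop election behind the Policy Based Routing columns.

Illustration only, not WiNG code. The source-subnet filter, the first-match
rule and the treatment of 0.0.0.0/0 as "not an explicit route" are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

UP, UNREACHABLE = "UP", "UNREACHABLE"   # the two states the screen reports


@dataclass(frozen=True)
class RouteMapEntry:
    precedence: int                 # lowest numerical value is matched first
    match_source: str               # hypothetical filter: client source subnet
    primary: Optional[str] = None
    secondary: Optional[str] = None
    default: Optional[str] = None


def lookup(dst, routing_table, include_default):
    """Destination-based routing: longest-prefix match over {prefix: next hop}."""
    best_net, best_hop = None, None
    for prefix, hop in routing_table.items():
        net = ip_network(prefix)
        if ip_address(dst) not in net:
            continue
        if net.prefixlen == 0 and not include_default:
            continue
        if best_net is None or net.prefixlen > best_net.prefixlen:
            best_net, best_hop = net, hop
    return best_hop


def select_next_hop(src, dst, route_map, hop_state, routing_table):
    """Return (next_hop, reason) for one incoming routed packet."""
    entry = next((e for e in sorted(route_map, key=lambda e: e.precedence)
                  if ip_address(src) in ip_network(e.match_source)), None)
    if entry is None:
        return lookup(dst, routing_table, True), "no route-map match"
    # Next hop: PBR is applied first, primary before secondary.
    for label, hop in (("primary", entry.primary), ("secondary", entry.secondary)):
        if hop and hop_state.get(hop) == UP:
            return hop, f"precedence {entry.precedence} {label}"
    # Default next hop: destination-based routing is consulted first.
    explicit = lookup(dst, routing_table, False)
    if explicit:
        return explicit, "explicit destination route"
    if entry.default and hop_state.get(entry.default) == UP:
        return entry.default, f"precedence {entry.precedence} default"
    return lookup(dst, routing_table, True), "routing table default"


def shadowed_entries(route_map):
    """Entries that never match (under first-match) because an earlier entry covers them."""
    ordered = sorted(route_map, key=lambda e: e.precedence)
    shadowed = []
    for i, entry in enumerate(ordered):
        for earlier in ordered[:i]:
            if ip_network(entry.match_source).subnet_of(ip_network(earlier.match_source)):
                shadowed.append((entry.precedence, earlier.precedence))
                break
    return shadowed


# Constructed sample data (documentation address ranges, not from the guide).
ROUTE_MAP = [
    RouteMapEntry(30, "10.20.30.0/24", primary="203.0.113.9"),
    RouteMapEntry(10, "10.20.0.0/16", primary="192.0.2.1", secondary="192.0.2.2"),
    RouteMapEntry(20, "10.0.0.0/8", default="198.51.100.1"),
]
HOP_STATE = {"192.0.2.1": UNREACHABLE, "192.0.2.2": UP,
             "198.51.100.1": UP, "203.0.113.9": UP}
ROUTING_TABLE = {"172.16.0.0/12": "10.0.0.254", "0.0.0.0/0": "10.0.0.1"}

if __name__ == "__main__":
    for src, dst in [("10.20.30.7", "198.51.100.77"), ("10.9.9.9", "172.16.4.4"),
                     ("10.9.9.9", "198.51.100.77"), ("192.168.1.1", "198.51.100.77")]:
        print(src, "->", dst, select_next_hop(src, dst, ROUTE_MAP, HOP_STATE, ROUTING_TABLE))
    print("shadowed:", shadowed_entries(ROUTE_MAP))
```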
15.4.11.1 Status

Use the Status screen to review Access Point radio stats in detail. Use the screen to assess radio type, operational state, operating channel and current power to assess whether the radio is optimally configured.

To view Access Point radio statistics:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Expand the Radios menu item.
4 Select Status.

Figure 15-150 Access Point - Radio Status screen

The radio Status screen provides the following information:

Radio: Displays the name assigned to the radio as its unique identifier. The name displays in the form of a link that can be selected to launch a detailed screen containing radio throughput data.
Radio MAC: Displays the factory encoded hardware MAC address assigned to the radio.
Radio Type: Displays the radio as supporting the 2.4 or 5 GHz radio band or functioning as a sensor device.
State: Lists a radio’s On/Off operational designation.
Channel Current (Config): Displays the configured channel each listed radio is set to transmit and receive on.
Power Current (Config): Displays the configured power each listed radio is using to transmit and receive.
Clients: Displays the number of connected clients currently utilizing the listed Access Point radio.
Refresh: Select the Refresh button to update the screen’s statistics counters to their latest values.
15.4.11.2 RF Statistics

Use the RF Statistics screen to review Access Point radio transmit and receive statistics, error rate and RF quality.

To view Access Point radio RF statistics:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Expand the Radios menu item.
4 Select RF Statistics.

Figure 15-151 Access Point - Radio RF Statistics screen

The RF Statistics screen lists the following:

Radio: Displays the name assigned to the radio as its unique identifier. The name displays in the form of a link that can be selected to launch a detailed screen containing radio throughput data.
Signal: Displays the radio’s current power level in - dBm.
SNR: Displays the signal to noise ratio of the radio’s associated wireless clients.
Tx Physical Layer Rate: Displays the data transmit rate for the radio’s physical layer. The rate is displayed in Mbps.
Rx Physical Layer Rate: Displays the data receive rate for the radio’s physical layer. The rate is displayed in Mbps.
Avg Retry Number: Displays the average number of retries per packet. A high number indicates possible network or hardware problems. Assess the error rate in respect to potentially high signal and SNR values to determine whether the error rate coincides with a noisy signal.
Error Rate: Displays the total number of received packets which contained errors for the listed radio.
Quality Index: Displays the traffic utilization index of the radio. This is expressed as an integer value. 0 – 20 indicates very low utilization, and 60 and above indicate high utilization.
Quality Index: Displays an integer that indicates overall RF performance. The RF quality indices are:
  0 – 50 (poor)
  50 – 75 (medium)
  75 – 100 (good)
Refresh: Select the Refresh button to update the screen’s statistics counters to their latest values.

15.4.11.3 Traffic Statistics

Refer to the Traffic Statistics screen to review Access Point radio transmit and receive statistics, data rate, and packets dropped during both transmit and receive operations.

To view the Access Point radio traffic statistics:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Expand Radios.
4 Select Traffic Statistics.

Figure 15-152 Access Point - Radio Traffic Statistics screen

The Traffic Statistics screen displays the following:

Radio: Displays the name assigned to the radio as its unique identifier. The name displays in the form of a link that can be selected to launch a detailed screen containing radio throughput data.
Tx Bytes: Displays the total number of bytes transmitted by each listed radio. This includes all user data as well as any management overhead data.
Rx Bytes: Displays the total number of bytes received by each listed radio. This includes all user data as well as any management overhead data.
Tx Packets: Displays the total number of packets transmitted by each listed radio. This includes all user data as well as any management overhead packets.
Rx Packets: Displays the total number of packets received by each listed radio. This includes all user data as well as any management overhead packets.
Tx User Data Rate: Displays the rate (in kbps) user data is transmitted by each listed radio. This rate only applies to user data and does not include management overhead.
Rx User Data Rate: Displays the rate (in kbps) user data is received by the radio. This rate only applies to user data and does not include management overhead.
Tx Dropped: Displays the total number of transmitted packets dropped by each listed radio. This includes all user data as well as management overhead packets that were dropped.
Traffic Index: This area displays the traffic index, which measures how efficiently the traffic medium is utilized. It’s defined as the percentage of current throughput relative to the maximum possible throughput. The indices include:
  0 – 20 (Very low utilization)
  20 – 40 (Low utilization)
  40 – 60 (Moderate utilization)
  60 and above (High utilization)
Refresh: Select the Refresh button to update the screen’s statistics counters to their latest values.

15.4.12 Mesh

The Mesh screen provides detailed statistics on each Mesh capable client available within the selected Access Point’s radio coverage area.

To view the Mesh statistics:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Mesh.
Figure 15-153 Access Point - Mesh screen

The Mesh screen describes the following:

Client: Displays the system assigned name of each member of the mesh network.
Client Radio MAC: Displays the MAC address of each client radio in the mesh network.
Portal: Mesh points that are connected to an external network and forward traffic in and out are Mesh Portals. Mesh points must find paths to a Portal to access the Internet. When multiple Portals exist, the Mesh point must select one.
Portal Radio MAC: Lists the MAC addresses of those Access Points serving as mesh portals.
Connect Time: Displays the elapsed connection time for each listed client in the mesh network.
Refresh: Select the Refresh button to update the screen’s statistics counters to their latest values.

15.4.13 Interfaces

The Interface screen provides detailed statistics on each of the interfaces available on the selected Access Point. Use this screen to review the statistics for each interface. Interfaces vary amongst supported Access Point models.

To review Access Point interface statistics:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Interfaces.

The General tab displays by default.
Figure 15-154 Access Point - General Interface screen

Interface Statistics support the following:
• General Interface Details
• IPv6 Address
• Multicast Groups Joined
• Network Graph

15.4.13.1 General Interface Details

The General tab provides information on a selected Access Point interface such as its MAC address, type and TX/RX statistics.

The General table displays the following:

Name: Displays the name of the Access Point interface (ge1, vlan1 etc.).
Interface MAC Address: Displays the MAC address of the interface.
IP Address: Displays the IP address of the interface.
IP Address Type: Displays the IP address type, either IPv4 or IPv6.
Secondary IP: Displays a list of secondary IP resources assigned to this interface.
Hardware Type: Displays the networking technology.
Index: Displays the unique numerical identifier for the interface.
Access VLAN: Displays the tag assigned to the native VLAN.
Access Setting: Displays the VLAN mode as either Access or Trunk.
Administrative Status: Displays whether the interface is currently UP or DOWN.
Operational Status: Lists whether the selected interface is currently UP (operational) or DOWN.
The IPv6 Mode and MTU table displays the following:

IPv6 Mode: Lists the current IPv6 mode utilized.
IPv6 MTU: Lists the IPv6 formatted largest packet size that can be sent over the interface.

The Specification table displays the following information:

Media Type: Displays the physical connection type of the interface. Medium types include:
  Copper - Used on RJ-45 Ethernet ports
  Optical - Used on fibre optic gigabit Ethernet ports
Protocol: Displays the routing protocol used by the interface.
MTU: Displays the maximum transmission unit (MTU) setting configured on the interface. The MTU value represents the largest packet size that can be sent over a link. 10/100 Ethernet ports have a maximum setting of 1500.
Mode: Lists whether traffic on the listed port is Layer 2 or Layer 3.
Metric: Displays the metric associated with the interface’s route.
Maximum Speed: Displays the maximum speed the interface uses to transmit or receive data.
Admin Speed: Displays the speed the port can transmit or receive. This value can be either 10, 100, 1000 or Auto. This value is the maximum port speed in Mbps. Auto indicates the speed is negotiated between connected devices.
Operator Speed: Displays the current speed of data transmitted and received over the interface.
Admin Duplex Setting: Displays the administrator’s duplex setting.
Current Duplex Setting: Displays the interface as either half duplex, full duplex or unknown.

The Traffic table displays the following:

Good Octets Sent: Displays the number of octets (bytes) with no errors sent by the interface.
Good Octets Received: Displays the number of octets (bytes) with no errors received by the interface.
Good Packets Sent: Displays the number of good packets transmitted.
Good Packets Received: Displays the number of good packets received.
Mcast Pkts Sent: Displays the number of multicast packets sent through the interface.
Mcast Pkts Received: Displays the number of multicast packets received through the interface.
Ucast Pkts Sent: Displays the number of unicast packets sent through the interface.
Ucast Pkts Received: Displays the number of unicast packets received through the interface.
Bcast Pkts Sent: Displays the number of broadcast packets sent through the interface.
Bcast Pkts Received: Displays the number of broadcast packets received through the interface.
The Errors table displays the following:

Packet Fragments: Displays the number of packet fragments transmitted or received through the interface.
Jabber Pkts: Displays the number of packets transmitted through the interface larger than the MTU.
Bad Pkts Received: Displays the number of bad packets received through the interface.
Collisions: Displays the number of collisions over the selected interface.
Late Collisions: A late collision is any collision that occurs after the first 64 octets of data have been sent. Late collisions are not normal, and are usually the result of out-of-specification cabling or a malfunctioning device.
Excessive Collisions: Displays the number of excessive collisions. Excessive collisions occur when the traffic load increases to the point a single Ethernet network cannot handle it efficiently.
Drop Events: Displays the number of dropped packets transmitted or received through the interface.
Tx Undersize Pkts: Displays the number of undersized packets transmitted through the interface.
Oversize Pkts: Displays the number of oversized packets transmitted through the interface.
MAC Transmit Error: Displays the number of failed transmits due to an internal MAC sublayer error (that’s not a late collision), due to excessive collisions or a carrier sense error.
MAC Receive Error: Displays the number of received packets that failed due to an internal MAC sublayer error (that’s not a late collision), an excessive number of collisions or a carrier sense error.
Bad CRC: Displays the CRC error. The CRC is the 4 byte field at the end of every frame. The receiving station uses it to determine whether the frame is valid. If the CRC value computed by the interface does not match the value at the end of the frame, it is considered a bad CRC.

The Receive Errors table displays the following:

Rx Frame Errors: Displays the number of frame errors received at the interface. A frame error occurs when data is received, but not in an expected format.
Rx Length Errors: Displays the number of length errors received at the interface. Length errors are generated when the received frame length is either shorter or longer than the Ethernet standard allows.
Rx FIFO Errors: Displays the number of FIFO errors received at the interface. First-in First-out queueing is an algorithm that involves buffering and forwarding of packets in the order of arrival. FIFO entails no priority. There is only one queue, and all packets are treated equally. An increase in FIFO errors indicates a probable hardware malfunction.
Rx Missed Errors: Displays the number of missed packets. Packets are missed when the hardware receive FIFO has insufficient space to store an incoming packet.
Rx Over Errors: Displays the number of overflow errors received. Overflows occur when a packet size exceeds the allocated buffer size.
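The Bad CRC and length checks described above can be reproduced offline. The following is an added example, not code from the guide or from WiNG: it recomputes the 4-byte CRC on each frame and names the counter the frame would increment. The 64 and 1518 byte limits (IEEE 802.3, untagged frames) and the split of short and long frames by CRC result (the RMON definitions in RFC 2819) are assumptions, since the guide does not give them.

```python
import struct
import zlib
from collections import Counter

MIN_FRAME = 64    # assumed 802.3 minimum, destination MAC through FCS
MAX_FRAME = 1518  # assumed untagged maximum: 14 header + 1500 payload + 4 FCS
FCS_LEN = 4       # "the 4 byte field at the end of every frame"


def fcs(data: bytes) -> bytes:
    """Return the 4-byte CRC that belongs at the end of a frame covering data."""
    # Ethernet uses the same CRC-32 as zlib; it is sent least significant byte first.
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                pad: bool = True) -> bytes:
    """Assemble a frame with a valid CRC (used only to construct samples)."""
    body = dst + src + struct.pack("!H", ethertype) + payload
    if pad and len(body) < MIN_FRAME - FCS_LEN:
        body += bytes(MIN_FRAME - FCS_LEN - len(body))
    return body + fcs(body)


def crc_ok(frame: bytes) -> bool:
    """Recompute the CRC over the frame and compare it with the trailing bytes."""
    if len(frame) <= FCS_LEN:
        return False
    return frame[-FCS_LEN:] == fcs(frame[:-FCS_LEN])


def classify(frame: bytes) -> str:
    """Name the counter a received frame would increment."""
    good_crc = crc_ok(frame)
    if len(frame) < MIN_FRAME:
        return "Undersize Pkts" if good_crc else "Packet Fragments"
    if len(frame) > MAX_FRAME:
        return "Oversize Pkts" if good_crc else "Jabber Pkts"
    return "Good Packets Received" if good_crc else "Bad CRC"


def flip_bit(frame: bytes, index: int) -> bytes:
    """Simulate damage in transit by inverting one bit of one byte."""
    damaged = bytearray(frame)
    damaged[index] ^= 0x01
    return bytes(damaged)


def tally(frames) -> Counter:
    """Count frames per counter name."""
    return Counter(classify(f) for f in frames)


# Constructed sample traffic (not captured from a real device).
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("020000000001")
GOOD = build_frame(DST, SRC, 0x0800, b"hello")             # padded to 64 bytes
RUNT = build_frame(DST, SRC, 0x0800, b"hello", pad=False)  # 23 bytes, valid CRC
GIANT = build_frame(DST, SRC, 0x0800, bytes(1501))         # 1519 bytes, valid CRC
SAMPLES = [GOOD, flip_bit(GOOD, 20), RUNT, flip_bit(RUNT, 15),
           GIANT, flip_bit(GIANT, 100)]

if __name__ == "__main__":
    for name, count in sorted(tally(SAMPLES).items()):
        print(f"{name:22} {count}")
```

A counter that keeps rising between refreshes for frames of normal length points at corruption on the wire, which fits the cabling and hardware causes listed in the tables.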
The Transmit Errors field displays the following:

Tx Errors: Displays the number of packets with errors transmitted on the interface.
Tx Dropped: Displays the number of transmitted packets dropped from the interface.
Tx Aborted Errors: Displays the number of packets aborted on the interface because a clear-to-send request was not detected.
Tx Carrier Errors: Displays the number of carrier errors on the interface. This generally indicates bad Ethernet hardware or bad cabling.
Tx FIFO Errors: Displays the number of FIFO errors transmitted at the interface. First-in First-Out queueing is an algorithm that involves the buffering and forwarding of packets in the order of arrival. FIFO uses no priority. There is only one queue, and all packets are treated equally. An increase in the number of FIFO errors indicates a probable hardware malfunction.
Tx Heartbeat Errors: Displays the number of heartbeat errors. This generally indicates a software crash, or packets stuck in an endless loop.
Tx Window Errors: Displays the number of window errors transmitted. TCP uses a sliding window flow control protocol. In each TCP segment, the receiver specifies the amount of additional received data (in bytes) the receiver is willing to buffer for the connection. The sending host can send only up to that amount. If the sending host transmits more data before receiving an acknowledgment, it constitutes a window error.

4 Select the Refresh button to update the screen’s statistics counters to their latest values.

15.4.13.2 IPv6 Address

IPv6 is the latest revision of the Internet Protocol (IP) designed to replace IPv4. IPv6 provides enhanced identification and location information for computers on networks routing traffic across the Internet. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons.

To view IPv6 address utilization:

1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand a RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Expand the Interfaces menu from the left-hand side of the UI.
4 Select IPv6 Address.
Figure 15-155 Access Point - Interface IPv6 Address screen

5 The IPv6 Addresses table displays the following:

IPv6 Addresses: Lists the IPv6 formatted addresses currently utilized by the Access Point on the selected interface.
Status: Lists the current utilization status of each IPv6 formatted address currently in use by this controller or Access Point’s selected interface.
Address Type: Lists whether the address is unicast or multicast in its utilization over the selected Access Point interface.
Preferred Lifetime (seconds): Lists the time in seconds (relative to when the packet is sent) the IPv6 formatted address remains in a preferred state on the selected interface. The preferred lifetime must always be less than or equal to the valid lifetime.
Valid Lifetime (seconds): Displays the time in seconds (relative to when the packet is sent) the IPv6 formatted address remains in a valid state on the selected interface. The valid lifetime must always be greater than or equal to the preferred lifetime.

6 Select the Link Local Address & Traffic Report tab to assess data traffic and errors discovered in transmitted and received IPv6 formatted data packets.
Figure 15-156 Access Point - Interface IPv6 Address screen

7 Verify the following Local Link Address data for the IPv6 formatted address:

Address: Lists the IPv6 local link address. IPv6 requires a link local address assigned to every interface the IPv6 protocol is enabled on, even when one or more routable addresses are assigned.
Status: Lists the IPv6 local link address utilization status and its current availability.
Preferred Lifetime (seconds): Lists the time in seconds (relative to when the packet is sent) the local link address remains in the preferred state on the selected interface. The preferred lifetime must always be less than or equal to the valid lifetime.
Valid Lifetime (seconds): Displays the time in seconds (relative to when the packet is sent) the local link address remains in the valid state on the selected interface. The valid lifetime must always be greater than or equal to the preferred lifetime.

8 Verify the following IPv6 formatted Traffic data:

Packets In: Lists the number of IPv6 formatted data packets received on the selected Access Point interface since the screen was last refreshed.
Packets Out: Lists the number of IPv6 formatted data packets transmitted on the selected Access Point interface since the screen was last refreshed.
Refresh: Periodically select Refresh to update the screen’s counters to their latest values.

9 Review the following Receive Errors for IPv6 formatted data traffic:

Receive Length Errors: Displays the number of IPv6 length errors received at the interface. Length errors are generated when the received IPv6 frame length is either shorter or longer than the Ethernet standard allows.
Receive Over Errors: Displays the number of IPv6 overflow errors received. Overflows occur when a packet size exceeds the allocated buffer size.
Receive Frame Errors: Displays the number of IPv6 frame errors received at the interface. A frame error occurs when data is received, but not in an expected format.
Receive FIFO Errors: Displays the number of IPv6 FIFO errors received at the interface. First-in First-out queueing is an algorithm that involves buffering and forwarding of packets in the order of arrival. FIFO entails no priority. There is only one queue, and all IPv6 formatted packets are treated equally. An increase in FIFO errors indicates a probable hardware malfunction.
Receive Missed Errors: Displays the number of missed IPv6 formatted packets. Packets are missed when the hardware receive FIFO has insufficient space to store an incoming packet.

10 Review the following Transmit Errors for IPv6 formatted data traffic:

Transmit Errors: Displays the number of IPv6 formatted data packets with errors transmitted on the interface.
Transmit Aborted Errors: Displays the number of IPv6 formatted packets aborted on the interface because a clear-to-send request was not detected.
Transmit Carrier Errors: Displays the number of IPv6 formatted carrier errors on the interface. This generally indicates bad Ethernet hardware or bad cabling.
Transmit FIFO Errors: Displays the number of IPv6 formatted FIFO errors transmitted at the interface. First-in First-Out queueing is an algorithm that involves the buffering and forwarding of packets in the order of arrival. FIFO uses no priority. There is only one queue, and all packets are treated equally. An increase in the number of FIFO errors indicates a probable hardware malfunction.
Transmit Heartbeat Errors: Displays the number of IPv6 formatted heartbeat errors. This generally indicates a software crash, or packets stuck in an endless loop.
Transmit Window Errors: Displays the number of IPv6 formatted window errors transmitted. TCP uses a sliding window flow control protocol. In each TCP segment, the receiver specifies the amount of additional received data (in bytes) the receiver is willing to buffer for the connection. The sending host can send only up to that amount. If the sending host transmits more data before receiving an acknowledgment, it constitutes a window error.
Refresh: Select Refresh to update the statistics counters to their latest value.

15.4.13.3 Multicast Groups Joined

Multicast groups scale to a larger set of destinations by not requiring prior knowledge of who or how many destinations there are. Multicast devices use their infrastructure efficiently by requiring the source to send a packet only once, even if delivered to a large number of devices. Devices replicate a packet to reach multiple receivers only when necessary.

Access Points are free to join or leave a multicast group at any time. There are no restrictions on the location or members in a multicast group. A host may be a member of more than one multicast group at any given time and does not have to belong to a group to send messages to members of a group.
To view the Access Point’s multicast group memberships on the selected interface:

1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand a RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Interfaces.
4 Select Multicast Groups Joined.

Figure 15-157 Access Point - Interface Multicast Groups Joined screen

5 The screen displays the following:

Group: Lists the name of existing multicast groups whose current members share multicast packets with one another on this selected interface as a means of collective interoperation.
Users: Lists the number of devices currently interoperating on this interface in each listed multicast group. Any single device can be a member of more than one group at a time.

6 Periodically select Refresh to update the screen’s counters to their latest values.
15.4.13.4 Network Graph

The Network Graph displays statistics the Access Point continuously collects for its interfaces. Even when the interface statistics graph is closed, data is still collected. Display the interface statistics graph periodically for assessing the latest interface information. Up to three different stats can be selected and displayed within the graph.

To view a detailed graph for an interface, select an interface and drop it on to the graph. The graph displays Port Statistics as the Y-axis and the Polling Interval as the X-axis. Use the Polling Interval from the drop-down menu to define the intervals data is displayed on the graph.

To view the Interface Statistics graph:

1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand a RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Interfaces.
4 Select Network Graph. Use the Parameters drop-down menu to specify interface values to trend.

Figure 15-158 Access Point - Interface Network Graph screen
15.4.14 RTLS

The real time locationing system (RTLS) enables accurate location determination and presence detection capabilities for Wi-Fi-based devices, Wi-Fi-based active RFID tags and passive RFID tags. While the operating system does not support locationing locally, it does report the locationing statistics of both Aeroscout and Ekahau tags.

To review a selected Access Point’s RTLS statistics:

1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand a RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select RTLS.

Figure 15-159 Access Point - RTLS screen

The Access Point RTLS screen displays the following for Aeroscout tags:

Engine IP: Lists the IP address of the Aeroscout locationing engine.
Engine Port: Displays the port number of the Aeroscout engine.
Send Count: Lists the number of location determination packets sent by the locationing engine.
Recv Count: Lists the number of location determination packets received by the locationing engine.
Tag Reports: Displays the number of tag reports received from locationing equipped radio devices supporting RTLS.
Nacks: Displays the number of Nack (no acknowledgement) frames received from RTLS supported radio devices providing locationing services.
Acks: Displays the number of Ack (acknowledgment) frames received from RTLS supported radio devices providing locationing services.
Lbs: Displays the number of location based service (LBS) frames received from RTLS supported radio devices providing locationing services.
AP Status: Provides the status of peer APs providing locationing assistance.
AP Notifications: Displays a count of the number of notifications sent to Access Points that may be available to provide RTLS support.
Send Errors: Lists the number of send errors received by the RTLS initiating Access Point.
Error Message Count: Displays a cumulative count of error messages received from RTLS enabled Access Point radios.

The Access Point RTLS screen displays the following for Ekahau tags:

Tag Reports: Displays the number of tag reports received from locationing equipped radio devices supporting RTLS.

4 Select the Refresh button to update the screen’s statistics counters to their latest values.

15.4.15 PPPoE

The PPPoE statistics screen displays stats derived from the AP’s access to high-speed data and broadband networks. PPPoE uses standard encryption, authentication, and compression methods as specified by the PPPoE protocol. PPPoE enables Access Points to establish a point-to-point connection to an ISP over an existing Ethernet interface.

To review a selected Access Point’s PPPoE statistics:

1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand a RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select PPPoE.
Figure 15-160 Access Point - PPPoE screen

The Configuration Information field screen displays the following:

Shutdown: Displays whether a high speed client mode point-to-point connection has been enabled using the PPPoE protocol.
Service: Lists the 128 character maximum PPPoE client service name provided by the service provider.
DSL Modem Network (VLAN): Displays the PPPoE VLAN (client local network) connected to the DSL modem. This is the local network connected to the DSL modem.
Authentication Type: Lists the authentication type used by the PPPoE client whose credentials must be shared by its peer Access Point. Supported authentication options include None, PAP, CHAP, MSCHAP, and MSCHAP-v2.
Username: Displays the 64 character maximum username used for authentication support by the PPPoE client.
Password: Displays the 64 character maximum password used for authentication by the PPPoE client.
Client Idle Timeout: The Access Point uses the listed timeout so it does not sit idle waiting for input from the PPPoE client and the server that may never come.
Keep Alive: If a keep alive is utilized, the point-to-point connection to the PPPoE client is continuously maintained and not timed out.
Maximum Transmission Unit (MTU): Displays the PPPoE client maximum transmission unit (MTU) from 500 - 1,492. The MTU is the largest physical packet size in bytes a network can transmit. Any messages larger than the MTU are divided into smaller packets before being sent. A PPPoE client should be able to maintain its point-to-point connection for this defined MTU size.

4 Refer to the Connection Status field.

The Connection Status table lists the MAC address, SID, Service information, MTU and status of each route destination peer. To provide this point-to-point connection, each PPPoE session learns the Ethernet address of a remote PPPoE client, and establishes a session. PPPoE uses both a discover and session phase to identify a client and establish a point-to-point connection. By using such a connection, a Wireless WAN failover is available to maintain seamless network access if the Access Point’s Wired WAN were to fail.

5 Select the Refresh button to update the screen’s statistics counters to their latest values.

15.4.16 Bluetooth

AP-8432 and AP-8533 model Access Points utilize a built in Bluetooth chip for specific Bluetooth functional behaviors in a WiNG managed network. AP-8432 and AP-8533 models support both Bluetooth classic and Bluetooth low energy technology. These platforms can use their Bluetooth classic enabled radio to sense other Bluetooth enabled devices and report device data (MAC address, RSSI and device calls) to an ADSP server for intrusion detection. If the device presence varies in an unexpected manner, ADSP can raise an alarm.

AP-8432 and AP-8533 model Access Points support Bluetooth beaconing to emit either iBeacon or Eddystone-URL beacons. The Access Point’s Bluetooth radio sends non-connectable, undirected low-energy (LE) advertisement packets on a periodic basis. These advertisement packets are short, and sent on Bluetooth advertising channels that conform to already-established iBeacon and Eddystone-URL standards.

To view Bluetooth radio statistics for an Access Point:

1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand a RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Bluetooth.

Figure 15-161 Access Point - Bluetooth screen

The Access Point’s Bluetooth screen displays the following:

Name: Lists the name of the Access Point’s Bluetooth radio.
Alias: If an alias has been defined for the Access Point, it’s listed here. The alias value is expressed in the form of <hostname>: B<Bluetooth_radio_number>. If the administrator has defined a hostname for the Access Point, it’s used in place of the Access Point’s default hostname.
Radio State: Displays the current operational state (On/Off) of the Bluetooth radio.
Off Reason: If the Bluetooth radio is offline, this field states the reason.
Radio MAC: Lists the Bluetooth radio’s factory encoded MAC address serving as this device’s hardware identifier on the network.
Hostname: Lists the hostname set for the Access Point as its network identifier.
Device MAC: Lists the Access Point’s factory encoded MAC address serving as this device’s hardware identifier on the network.
AP Location: Lists the Access Point’s administrator assigned deployment location.
Radio Mode: Lists an Access Point’s Bluetooth radio functional mode as either bt-sensor or le-beacon.
Beacon Period: Lists the Bluetooth radio’s beacon transmission period from 100 - 10,000 milliseconds.
Beacon Type: Lists the type of beacon currently configured.
Last Error: Lists descriptive text on any error that’s preventing the Bluetooth radio from operating.
Refresh: Select Refresh to update the screen’s statistics counters to their latest values.

15.4.17 OSPF

Open Shortest Path First (OSPF) is a link-state interior gateway protocol (IGP). OSPF routes IP packets within a single routing domain (autonomous system), like an enterprise LAN. OSPF gathers link state information from neighbor routers and constructs a network topology. The topology determines the routing table presented to the Internet Layer which makes routing decisions based solely on the destination IP address found in IP packets.

Refer to the following for detailed descriptions of the tabs available within the OSPF statistics screen:

• OSPF Summary
• OSPF Neighbors
• OSPF Area Details
• OSPF Route Statistics
• OSPF Route Statistics
• OSPF State
15.4.17.1 OSPF Summary

To view OSPF summary statistics:

1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen), expand the default node and select an Access Point for statistical observation.
3 Select OSPF. The Summary tab displays by default.

Figure 15-162 Access Point - OSPF Summary tab

The Summary tab describes the following information fields:

General: The general field displays the router ID assigned for this OSPF connection, RFC compliance information and LSA data.
ABR/ASBR Details: Lists Autonomous System Boundary Router (ASBR) data relevant to OSPF routing, including the ASBR, ABR and ABR type. An Area Border Router (ABR) is a router that connects one or more areas to the main backbone network. It is considered a member of all areas it is connected to. An ABR keeps multiple copies of the link-state database in memory, one for each area to which that router is connected. An ASBR is a router connected to more than one routing protocol and exchanges routing information with routers in other protocols. ASBRs typically also run an exterior routing protocol (for example, BGP), or use static routes, or both. An ASBR is used to distribute routes received from other, external ASs throughout its own autonomous system. Routers in other areas use an ABR as the next hop to access external addresses. Then the ABR forwards packets to the ASBR announcing the external addresses.
SPF: Refer to the SPF field to assess the status of the shortest path forwarding (SPF) execution, last SPF execution, SPF delay, SPF due in, SPF hold multiplier, SPF hold time, SPF maximum hold time and SPF timer due flag.
Stub Router: The summary screen displays information relating to stub router advertisements and shutdown and startup times. An OSPF stub router advertisement allows a new router into a network without immediately routing traffic through the new router, and allows a graceful shutdown or reload of a router without dropping packets that are destined for other networks. This feature introduces three configuration options that allow you to configure a router that is running the OSPF protocol to advertise a maximum or infinite metric to all neighbors.

4 Select the Refresh button to update the statistics counters to their latest values.

15.4.17.2 OSPF Neighbors

OSPF establishes neighbor relationships to exchange routing updates with other routers. An Access Point supporting OSPF sends hello packets to discover neighbors and elect a designated router. The hello packet includes link state information and a list of neighbors. OSPF is savvy with layer 2 topologies. If on a point-to-point link, OSPF knows it is sufficient, and the link stays up. If on a broadcast link, the router waits for election before determining if the link is functional.

To view OSPF neighbor statistics:

1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen), expand the default node and select an Access Point for statistical observation.
3 Select OSPF.
4 Select the Neighbor Info tab.
Figure 15-163 Access Point - OSPF Neighbor Info tab

The Neighbor Info tab describes the following:

Router ID: Displays the router ID assigned for this OSPF connection. The router is a level three Internet Protocol packet switch. This ID must be established in every OSPF instance. If not explicitly configured, the highest logical IP address is duplicated as the router identifier. However, since the router identifier is not an IP address, it does not have to be a part of any routable subnet in the network.
Neighbor Priority: Displays each listed neighbor’s priority in respect to becoming the designated router managing the OSPF connection. The designated router is the router interface elected among all routers on a particular multi-access network segment.
IF Name: Lists the name assigned to the router interface used to support connections amongst OSPF enabled neighbors.
Neighbor Address: Lists the IP address of the neighbor sharing the router interface with each listed router ID.
Request Count: Lists the connection request count (hello packets) to connect to the router interface, discover neighbors and elect a designated router.
Retransmit Count: Lists the connection retransmission count attempted in order to connect to the router interface, discover neighbors and elect a designated router. A designated router (DR) is the router interface elected among all routers on a particular multi-access network segment, generally assumed to be broadcast.
Dead Time: Lists the dead time between neighbors in the network topology that are currently utilizing the listed router ID.
Self Neighbor State: Displays the self-neighbor status assessment used to discover neighbors and elect a designated router.
Source Address: Displays the single source address used by all neighbor routers to obtain topology and connection status. This form of multicasting significantly reduces network load.
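The hello packets behind the Neighbor Info columns can be decoded and checked against the routers expected on a segment. The following is an added example, not code from the guide or from WiNG: it parses an OSPFv2 hello laid out as in RFC 2328 and reports senders with an unexpected router ID, null authentication or a bad checksum. The sample packets, addresses and the expected-router set are constructed for illustration.

```python
import ipaddress
import struct

HEADER_LEN = 24   # OSPFv2 common header, including the 8-byte authentication field
HELLO_FIXED = 20  # fixed part of the hello body, before the neighbor list
AUTH_TYPES = {0: "null", 1: "simple password", 2: "cryptographic"}


def dotted(value: int) -> str:
    """Render a 32-bit router or area ID in dot-decimal notation."""
    return str(ipaddress.IPv4Address(value))


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def inet_checksum(data: bytes) -> int:
    """Standard IP checksum (16-bit one's complement of the one's complement sum)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_hello(router_id, area_id, priority, dead_interval, neighbors,
                dr="0.0.0.0", bdr="0.0.0.0", autype=0) -> bytes:
    """Construct a sample hello (mask /24, hello interval 10 s) for the demo."""
    body = struct.pack("!IHBBIII", _ip("255.255.255.0"), 10, 0x02, priority,
                       dead_interval, _ip(dr), _ip(bdr))
    body += b"".join(struct.pack("!I", _ip(n)) for n in neighbors)
    head = struct.pack("!BBHIIHH", 2, 1, HEADER_LEN + len(body),
                       _ip(router_id), _ip(area_id), 0, autype)
    # The checksum covers the packet except the authentication field.
    head = head[:12] + struct.pack("!H", inet_checksum(head + body)) + head[14:]
    return head + bytes(8) + body


def parse_hello(packet: bytes) -> dict:
    """Decode the fields of an OSPFv2 hello packet."""
    if len(packet) < HEADER_LEN + HELLO_FIXED:
        raise ValueError("too short for an OSPF hello")
    version, ptype, length, router, area, _csum, autype = struct.unpack(
        "!BBHIIHH", packet[:16])
    if version != 2 or ptype != 1:
        raise ValueError("not an OSPFv2 hello packet")
    if not HEADER_LEN + HELLO_FIXED <= length <= len(packet) or (length - 44) % 4:
        raise ValueError("inconsistent packet length field")
    _mask, hello_int, _opts, priority, dead, dr, bdr = struct.unpack(
        "!IHBBIII", packet[24:44])
    ids = struct.unpack(f"!{(length - 44) // 4}I", packet[44:length])
    # With cryptographic authentication the checksum field is not used.
    ok = None if autype == 2 else inet_checksum(packet[:16] + packet[24:length]) == 0
    return {"router_id": dotted(router), "area_id": dotted(area),
            "auth_type": AUTH_TYPES.get(autype, f"unknown ({autype})"),
            "checksum_ok": ok, "hello_interval": hello_int, "priority": priority,
            "dead_interval": dead, "designated_router": dotted(dr),
            "backup_designated_router": dotted(bdr),
            "neighbors": [dotted(n) for n in ids]}


def audit(hello: dict, expected_routers: set) -> list:
    """Return findings a defender would want raised for this hello."""
    findings = []
    if hello["router_id"] not in expected_routers:
        findings.append(f"unexpected router ID {hello['router_id']}")
    if hello["auth_type"] == "null":
        findings.append("hello sent without authentication")
    if hello["checksum_ok"] is False:
        findings.append("checksum mismatch")
    return findings


# Constructed samples (not captured traffic).
EXPECTED = {"10.0.0.1", "10.0.0.2"}
SAMPLE_HELLO = build_hello("10.0.0.2", "0.0.0.0", 1, 40, ["10.0.0.1"], dr="10.0.0.1")
UNKNOWN_HELLO = build_hello("192.0.2.66", "0.0.0.0", 255, 40, [])

if __name__ == "__main__":
    for pkt in (SAMPLE_HELLO, UNKNOWN_HELLO):
        hello = parse_hello(pkt)
        print(hello["router_id"], hello["priority"], audit(hello, EXPECTED))
```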
5 Select the Refresh button to update the statistics counters to their latest values.

15.4.17.3 OSPF Area Details

An OSPF network is subdivided into routing areas (with 32 bit area identifiers) to simplify administration and optimize traffic utilization. Areas are logical groupings of hosts and networks, including routers having interfaces connected to an included network. Each area maintains a separate link state database whose information may be summarized towards the rest of the network. An OSPF Area contains a set of routers exchanging Link State Advertisements (LSAs) with others in the same area. Areas limit LSAs and encourage aggregate routes. Areas are identified by 32-bit IDs, expressed either in decimal, or octet-based dot-decimal notation.

To view OSPF area statistics:

1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen), expand the default node and select an Access Point for statistical observation.
3 Select OSPF.
4 Select the Area Details tab.

Figure 15-164 Access Point - OSPF Area Details tab

The Area Details tab describes the following:

Summary Count: Routes that originate from other areas are called summary routes. Summary routes are not flooded in a totally stubby or NSSA totally stubby area.
OSPF Area ID: Displays either the integer (numeric ID) or IP address assigned to the OSPF area as a unique identifier.
OSPF INF: Lists the interface ID (virtual interface for dynamic OSPF routes) supporting each listed OSPF area ID.
Fully adj numbers: Fully adjusted numbers strip away the effects of other non OSPF and LSA factors and events, leaving only relevant OSPF area network route events counted.
Auth Type: Lists the authentication schemes used to validate the credentials of dynamic route connections and their areas.
Total LSA: Lists the Link State Advertisements (LSAs) of all entities using the dynamic route (in any direction) in the listed area ID.
Router LSA: Lists the Link State Advertisements of the router supporting each listed area ID. The router LSA reports active router interfaces, IP addresses, and neighbors.
Network LSA: Displays which routers are joined together by the designated router on a broadcast segment (e.g. Ethernet). Type 2 LSAs are flooded across their own area only. The link state ID of the type 2 LSA is the IP interface address of the designated router.
Summary LSA: The summary LSA is generated by the ABR to leak area summary address info into other areas. The ABR generates more than one summary LSA for an area if the area addresses cannot be properly aggregated by only one prefix.
ASBR Summary LSA: Originated by ABRs when an ASBR is present to let other areas know where the ASBR is. These are supported just like summary LSAs.
NSSA LSA: Routers in a Not-so-stubby-area (NSSA) do not receive external LSAs from Area Border Routers, but are allowed to send external routing information for redistribution. They use type 7 LSAs to tell the ABRs about these external routes, which the Area Border Router then translates to type 5 external LSAs and floods as normal to the rest of the OSPF network. Redistribution into an NSSA area creates a special type of LSA known as TYPE 7, which can exist only in an NSSA area. An NSSA ASBR generates this LSA, and an NSSA ABR router translates it into a type 5 LSA which gets propagated into the OSPF domain.
Opaque Area LSA CSUM: Displays the Type-10 opaque link area checksum with the complete contents of the LSA. Type-10 Opaque LSAs are not flooded beyond the borders of their associated area.
Opaque link CSUM: Displays the Type-10 opaque link checksum with the complete contents of the LSA.

5 Select the Refresh button to update the statistics counters to their latest values.

15.4.17.4 OSPF Route Statistics

Refer to the Routes tab to assess the status of OSPF Border Routes, External Routes, Network Routes and Router Routes.

To view OSPF route statistics:

1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen), expand the default node and select an Access Point for statistical observation.
3 Select OSPF.
4 Select the Routes tab. The Border Routers tab displays by default.

An area border router (ABR) connects (links) more than one area. Usually an ABR is used to connect non-backbone areas to the backbone. If OSPF virtual links are used, an ABR will also be used to connect the area using the virtual link to another non-backbone area. Border routes use internal OSPF routing table entries to an ABR or Autonomous System Boundary Router (ASBR). Border routers maintain an LSDB for each area supported. They also participate in the backbone.

5 Refer to the External Routes tab.

Figure 15-165 Access Point - OSPF External Routes tab

External routes are external to the area, originate from other routing protocols (or different OSPF processes) and are inserted into OSPF using redistribution. A stub area is configured not to carry external routes. Each external route can be tagged by the advertising router, enabling the passing of additional information between routers. Each external route can also be tagged by the advertising router, enabling the passing of additional information between routers on the boundary of the autonomous system.

The External route tab displays a list of external routes, the area impacted, cost, path type, tag and type 2 cost. Cost factors may be the distance of a router (round-trip time), network throughput of a link, or link availability and reliability, expressed as simple unit-less numbers. This provides a dynamic process of traffic load balancing between routes of equal cost.

6 Refer to the Network Routes tab.
Figure 15-166 Access Point - OSPF Network Routes tab

Network routes support more than two routers, with the capability of addressing a single physical message to all attached routers (broadcast). Neighboring routers are discovered dynamically using OSPF hello messages. This use of the hello protocol takes advantage of broadcast capability. An OSPF network route makes further use of multicast capabilities, if they exist. Each pair of routers on the network is assumed to communicate directly. The network tab displays the network name, impacted OSPF area, cost, destination and path type.

7 Select the Router Routes tab.

Figure 15-167 Access Point - OSPF Router Routes tab
An internal (or router) route connects to one single OSPF area. All of its interfaces connect to the area in which it is located and do not connect to any other area.

8 Select the Refresh button (within any of the four OSPF Routes tabs) to update the statistics counters to their latest values.

15.4.17.5 OSPF Interface

An OSPF interface is the connection between a router and one of its attached networks. An interface has state information associated with it, which is obtained from the underlying lower level protocols and the routing protocol itself. A network interface has a single associated IP address and mask (unless the network is an unnumbered point-to-point network). An interface is sometimes also referred to as a link.

To view OSPF interface statistics:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen), expand the default node and select an Access Point for statistical observation.
3 Select OSPF.
4 Select the OSPF Interface tab.

Figure 15-168 Access Point - OSPF Interface tab

The OSPF Interface tab describes the following:
Interface Name: Displays the IP addresses and mask defined as the virtual interface for dynamic OSPF routes. Zero config and DHCP can be used to generate route addresses, or a primary and secondary address can be manually provided.
Interface Index: Lists the numerical index used for the OSPF interface. This interface ID is in the hello packets establishing the OSPF network connection.
Bandwidth (kb): Lists the OSPF interface bandwidth (in Kbps) in the range of 1 - 10,000,000.
Interface Flags: Displays the flag used to determine the interface status.
MTU: Lists the OSPF interface maximum transmission unit (MTU) size. The MTU is the largest physical packet size (in bytes) a network can transmit. Any packets larger than the MTU are divided into smaller packets before being sent.
OSPF Enabled: Lists whether OSPF has been enabled for each listed interface. OSPF is disabled by default.
UP/DOWN: Displays whether the OSPF interface (the dynamic route) is currently up or down for each listed interface. An OSPF interface is the connection between a router and one of its attached networks.

5 Select the Refresh button to update the statistics counters to their latest values.

15.4.17.6 OSPF State

An OSPF enabled Access Point sends hello packets to discover neighbors and elect a designated router for dynamic links. The hello packet includes link state data maintained on each Access Point and is periodically updated on all OSPF members. The Access Point tracks link state information to help assess the health of the OSPF dynamic route.

To view OSPF state statistics:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen), expand the default node and select an Access Point for statistical observation.
3 Select OSPF.
4 Select the OSPF State tab.

Figure 15-169 Access Point OSPF - State tab
The OSPF State tab describes the following:
OSPF state: Displays the OSPF link state amongst neighbors within the OSPF topology. Link state information is maintained in a link-state database (LSDB) which is a tree image of the entire network topology. Identical copies of the LSDB are periodically updated through flooding on all OSPF supported nodes. Flooding is the part of the OSPF protocol that distributes and synchronizes the link-state database between OSPF routers.
OSPF ignore state count: Lists the number of times state requests have been ignored between the Access Point and its peers within this OSPF supported broadcast domain.
OSPF ignore state monitor timeout: Displays the timeout that, when exceeded, prohibits the Access Point from detecting changes to the OSPF link state.
OSPF ignore state timeout: Displays the timeout that, when exceeded, returns the Access Point back to state assessment amongst neighbors in the OSPF topology.
OSPF max ignore state count: Displays whether an OSPF state timeout is being ignored and not utilized in the transmission of state update requests amongst neighbors within the OSPF topology.
OSPF max routes: States the maximum number of routes negotiated amongst neighbors within the OSPF topology.
OSPF routes received: Lists the routes received and negotiated amongst neighbors within the OSPF topology.

5 Select the Refresh button to update the statistics counters to their latest values.

15.4.18 L2TPv3 Tunnels

Access Points use L2TP V3 to create tunnels for transporting layer 2 frames. L2TP V3 enables an Access Point to create tunnels for transporting Ethernet frames to and from bridge VLANs and physical ports. L2TP V3 tunnels can be defined between WiNG devices and other devices supporting the L2TP V3 protocol.

To review a selected Access Point’s L2TPv3 statistics:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select L2TPv3.
Figure 15-170 Access Point - L2TPv3 screen

The Access Point L2TPv3 Tunnels screen displays the following:
Tunnel Name: Displays the name of each listed L2TPv3 tunnel assigned upon creation. Each listed tunnel name can be selected as a link to display session data specific to that tunnel. The Sessions screen displays cookie size information as well as pseudowire information specific to the selected tunnel. Data is also available to define whether the tunnel is a trunk session and whether tagged VLANs are used. The number of transmitted, received and dropped packets also display to provide a throughput assessment of the tunnel connection. Each listed session name can also be selected as a link to display VLAN information specific to that session. The VLAN Details screen lists those VLANs used by an Access Point interface in L2TP tunnel establishment.
Local Address: Lists the IP address assigned as the local tunnel end point address, not the tunnel interface’s IP address. This IP is used as the tunnel source IP address. If a local address is not specified, the source IP address is chosen automatically based on the tunnel peer IP address.
Peer Address: Lists the IP address of the L2TP tunnel peer establishing the tunnel connection.
Tunnel State: States whether the tunnel is Idle (not utilized by peers) or is currently active.
Peer Host Name: Lists the assigned peer hostname used as matching criteria in the tunnel establishment process.
Peer Control Connection ID: Displays the numeric identifier for the tunnel session. This is the peer pseudowire ID for the session. The source and destination IDs are exchanged in session establishment messages with the L2TP peer.
CTRL Connection ID: Displays the router ID(s) sent in tunnel establishment messages with a potential peer device.
Up Time: Lists the amount of time the L2TP connection has remained established amongst peers sharing the L2TPv3 tunnel connection. The Up Time is displayed in a Days: Hours: Minutes: Seconds: format. If D:0 H:0 M:0 S:0 is displayed, the tunnel connection is not currently established.
Encapsulation Protocol: Displays either IP or UDP as the peer encapsulation protocol. The default setting is IP. UDP uses a simple transmission model without implicit handshakes. Tunneling is also called encapsulation. Tunneling works by encapsulating a network protocol within packets carried by the second network.
Critical Resource: Lists critical resources for this tunnel. Critical resources are device IP addresses on the network (gateways, routers etc.). These IP addresses are critical to the health of the network. These device addresses are pinged regularly by Access Points. If there’s a connectivity issue, an event is generated stating a critical resource is unavailable.
VRRP Group: Displays the VRRP group name if configured. VRRP configurations support router redundancy in a wireless network requiring high availability.
Establishment Criteria: Displays the tunnel establishment criteria for this tunnel. Tunnel establishment involves exchanging 3 message types (SCCRQ, SCCRP and SCCN) with the peer. Tunnel IDs and capabilities are exchanged during the tunnel establishment with the host.
Refresh: Select the Refresh button to update the screen’s statistics counters to their latest value.

15.4.19 VRRP

The VRRP statistics screen displays Virtual Router Redundancy Protocol (VRRP) configuration statistics supporting router redundancy in a wireless network requiring high availability.

To review a selected Access Point’s VRRP statistics:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select VRRP.
Figure 15-171 Access Point - VRRP screen

4 Refer to the Global Error Status field to review the various sources of packet errors logged during the implementation of the virtual route.

Errors include the mismatch of authentication credentials, invalid packet checksums, invalid packet types, invalid virtual route IDs, TTL errors, packet length errors and invalid (non matching) VRRP versions.

5 Refer to the Router Operations Summary for the following status:
VRID: Lists a numerical index (1 - 254) used to differentiate VRRP configurations. The index is assigned when a VRRP configuration is initially defined. This ID identifies the virtual router a packet is reporting status for.
Virtual IP Address: Lists the virtual interface IP address used as the redundant gateway address for the virtual route.
Master IP Address: Displays the IP address of the elected VRRP master. A VRRP master (once elected) responds to ARP requests and forwards packets with a destination link layer MAC address equal to the virtual router MAC address. It rejects packets addressed to the IP address associated with the virtual router if it is not the IP address owner, and accepts them if it is the IP address owner.
Interface Name: Displays the interfaces selected on the Access Point to supply VRRP redundancy failover support.
Version: Displays VRRP version 3 (RFC 5798) or 2 (RFC 3768) as selected to set the router redundancy. Version 3 supports sub-second (centisecond) VRRP failover and supports services over virtual IP.
State: Displays the current state of each listed virtual router ID.
Clear Router Status: Select the Clear Router Status button to clear the Router Operations Summary table values to zero and begin new data collections.
Clear Global Error Status: Select the Clear Global Error Status button to clear the Global Error Status table values to zero and begin new data collections.
Refresh: Select the Refresh button to update the screen’s statistics counters to their latest values.
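The Global Error Status categories described for the VRRP screen can be reproduced as receive-side checks on a VRRP version 2 (RFC 3768) advertisement. This is an added example, not WiNG code: the error labels, `LocalVrrpConfig`, the function names and the sample packets are constructed for illustration, and version 3 (whose checksum also covers a pseudo-header) is not handled.

```python
import ipaddress
import struct
from dataclasses import dataclass

VRRP_TYPE_ADVERTISEMENT = 1
HEADER_LEN = 8      # version/type, VRID, priority, count, auth type, interval, checksum
AUTH_DATA_LEN = 8   # VRRPv2 carries 8 bytes of authentication data after the addresses


@dataclass
class LocalVrrpConfig:
    """Receiver-side settings (hypothetical values for this example)."""
    version: int = 2
    vrids: frozenset = frozenset({10})   # virtual router IDs configured locally
    auth_type: int = 0                   # 0 = no authentication in RFC 3768


def internet_checksum(data: bytes) -> int:
    """16-bit one's complement of the one's complement sum of the data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_advertisement(vrid, priority, addrs, version=2, vtype=1,
                        auth_type=0, adver_int=1) -> bytes:
    """Build a VRRPv2-layout advertisement with a correct checksum (test input)."""
    body = b"".join(ipaddress.IPv4Address(a).packed for a in addrs)
    head = struct.pack("!BBBBBBH", (version << 4) | vtype, vrid, priority,
                       len(addrs), auth_type, adver_int, 0)
    pkt = head + body + b"\x00" * AUTH_DATA_LEN
    return pkt[:6] + struct.pack("!H", internet_checksum(pkt)) + pkt[8:]


def classify_errors(payload: bytes, ip_ttl: int, cfg: LocalVrrpConfig) -> list:
    """Return the error categories one received advertisement would count under."""
    errors = []
    if ip_ttl != 255:                       # RFC 3768: advertisements are sent with TTL 255
        errors.append("ttl_error")
    if len(payload) < HEADER_LEN:
        errors.append("packet_length_error")
        return errors
    ver_type, vrid, _prio, count, auth_type, _adv, _csum = struct.unpack(
        "!BBBBBBH", payload[:HEADER_LEN])
    version, vtype = ver_type >> 4, ver_type & 0x0F
    if version != cfg.version:
        errors.append("version_mismatch")
        return errors                       # field layout differs between versions
    if vtype != VRRP_TYPE_ADVERTISEMENT:
        errors.append("invalid_type")
    if len(payload) != HEADER_LEN + 4 * count + AUTH_DATA_LEN:
        errors.append("packet_length_error")
    if internet_checksum(payload) != 0:     # a valid message sums to zero
        errors.append("invalid_checksum")
    if vrid not in cfg.vrids:
        errors.append("invalid_vrid")
    if auth_type != cfg.auth_type:
        errors.append("auth_mismatch")
    return errors


if __name__ == "__main__":
    cfg = LocalVrrpConfig()
    good = build_advertisement(10, 100, ["192.0.2.1"])
    print(classify_errors(good, 255, cfg))
    print(classify_errors(good, 64, cfg))
```

A steadily rising counter in one category points at a specific cause: TTL errors at advertisements that crossed a router, and authentication or version mismatches at a peer configured differently from the local virtual router.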
15.4.20 Critical Resources

The Critical Resources statistics screen displays a list of device IP addresses on the network (gateways, routers etc.). These IP addresses are critical to the health of the controller or service platform managed network. These device addresses are pinged regularly by managed Access Points. If there’s a connectivity issue, an event is generated stating a critical resource is unavailable. Thus, each device’s VLAN, ping mode and state are displayed for the administrator.

To review a selected Access Point’s critical resource statistics:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Critical Resources.

Figure 15-172 Access Point - Critical Resources screen

4 Refer to the General field to assess the Monitor Interval and Monitor Using Flows Interval used to poll for updates from the critical resource IP listed for Source IP For Port-Limited Monitoring. Monitoring Retries before Marking Resource as DOWN is the number of retry connection attempts permitted before this listed resource is defined as down (offline).

The Access Point Critical Resource screen displays the following:
Critical Resource Name: Lists the name of the critical resource monitored by the Access Point. Critical resources are device IP addresses on the network (gateways, routers etc.). These IP addresses are critical to the health of the network. These device addresses are pinged regularly by Access Points. If there’s a connectivity issue, an event is generated stating a critical resource is unavailable.
Via: Lists the VLAN used by the critical resource as a virtual interface. The critical resource displays as a link that can be selected to list configuration and network address information in greater detail.
Status: Defines the operational state of each listed critical resource VLAN interface (either Up or Down).
Error Reason: Provides an error status as to why the critical resource is not available over its designated VLAN.
Mode: Displays the operational mode of each listed critical resource.
Refresh: Select the Refresh button to update the screen’s statistics counters to their latest values.

15.4.21 LDAP Agent Status

When LDAP has been specified as an external resource (as opposed to local Access Point RADIUS resources) to validate PEAP-MS-CHAP v2 authentication requests, user credentials and password information need to be made available locally to successfully connect to the external LDAP server. Up to two LDAP Agents (primary and secondary external resources) can be defined as external resources for PEAP-MS-CHAP v2 authentication requests.

The AP6521 model Access Point does not support this feature in Standalone AP or Controller AP mode. However, the AP6521 model is supported when adopted and managed by a controller or service platform.

For more information on setting LDAP agents as part of the RADIUS server policy, see Configuring RADIUS Server Policies on page 11-57.

To view Access Point LDAP agent statistics:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select LDAP Agent Status.

Figure 15-173 Access Point - LDAP Agent Status screen
The LDAP Agent Status screen displays the following:
LDAP Agent Primary: Lists the primary IP address of a remote LDAP server resource used by the Access Point to validate PEAP-MS-CHAP v2 authentication requests. When a RADIUS server policy’s data source is set to LDAP, this is the first resource for authentication requests.
LDAP Agent Secondary: Lists the secondary IP address of a remote LDAP server resource used by the Access Point to validate PEAP-MS-CHAP v2 authentication requests. When a RADIUS server policy’s data source is set to LDAP, this is the second resource for authentication requests.
Message: Displays any system message generated in the Access Point’s connection with the primary or secondary LDAP agent. If there’s a problem with the username and password used to connect to the LDAP agent, it would be listed here.
Status: Displays whether the Access Point has successfully joined the remote LDAP server domain designated to externally validate PEAP-MS-CHAP v2 authentication requests.
Refresh: Select Refresh to update the statistics counters to their latest values.

15.4.22 Mint Links

Wireless controllers and Access Points use the MiNT protocol as the primary means of device discovery and communication for Access Point adoption and management. MiNT provides a mechanism to discover neighbor devices in the network, and exchange packets between devices regardless of how these devices are connected (L2 or L3).

MiNT provides the means to secure communications at the transport layer. Using MiNT, a device can be configured to only communicate with other authorized (MiNT enabled) devices of the same model. MiNT links can be established over a VLAN (among Access Points on a VLAN) or IP (remote Access Point to controller).

MiNT links are automatically created between controllers and Access Points during adoption using MLCP (MiNT Link Creation Protocol). They can also be manually created between a controller and Access Point or between Access Points. MiNT links are manually created between controllers while configuring a cluster.

Level 2 (or remote) MiNT links are controller aware links, and require an IP network for communication. These level 2 MiNT links at Access Points are intended for remote Adaptive AP deployment and management from the NOC. With level 2 MiNT links, Access Points are only aware of the controllers and not of other Access Points. Level 2 MiNT links also provide partitioning between Access Points deployed at various remote sites.

To view an Access Point’s Mint links:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Mint Links from the left-hand side of the UI.
Figure 15-174 Access Point - Mint Links screen

The Mint Links screen lists the name of the impacted VLAN or link in the form of a link that can be selected to display more granular information about that VLAN. A green check mark or a red X defines whether the listed VLAN is listening to traffic, forced to stay up or unused with the Mint link. The level column specifies whether the listed Mint link is a traditional switching link (level 2) or a routing link (level 3). The type column defines whether the listed Mint link is a VLAN or an IPv4 or IPv6 type network address. The dis column lists how each link was discovered.

Refer to the secure column to assess whether the listed links are isolated between peers. The local ip column lists the IP address assigned as the link’s end point address, not the interface’s IP address. The natted column lists whether the link is NAT enabled or disabled for modifying network address information in IP packet headers in transit. The cost defines the cost for a packet to travel from its originating port to its end point destination.

The hello seq number and hello interval define the interval between hello keep alive messages between link end points, while the adj hold time sets the time after the last hello packet when the connection between end points is defined as lost. The static and dynamic link columns state whether each listed link is a static route using a manually configured route entry, or a dynamic route characterized by its destination. The rim column defines whether the listed link is managed remotely. The control vlan column states whether the listed link has been enabled as a control VLAN. Lastly, the clustering column states whether listed link members discover and establish connections to other peers and provide self-healing in the event of cluster member failure.

4 Periodically select Refresh to update the screen’s data counters to their latest values.
5 If needed, select a Mint link from the name column to display more granular information for that link.
Figure 15-175 Access Point - Mint Link Details screen

The first table lists the Mint link’s name and level specifying whether the Mint link is a traditional switching link (level 2) or a routing link (level 3). The cost defines the cost for a packet to travel from its originating port to its end point destination. The hello interval lists the time between hello keep alive messages between link end points. The adj hold time sets the time after the last hello packet when the connection between end points is defined as lost.

The Adjacencies table lists neighbor devices by their hardware identifiers and operational state to help determine their availability as Mint link end points and peers. The up time lists the selected link’s detection on the network and the last hello lists when the last hello message was exchanged.

6 Periodically select Refresh to update the statistics counters to their latest values.

15.4.23 Guest Users

A captive portal is an access policy for providing guests temporary and restrictive access to the wireless network. A captive portal configuration provides secure authenticated access using a standard Web browser. Captive portals provide authenticated access by capturing and re-directing a wireless user's Web browser session to a captive portal login page where the user must enter valid credentials to access the network. Captive portals can have their access durations set by an administrator to either provide temporary access to the Access Point managed network or provide access without limitations.

For information on setting captive portal duration and authentication settings, refer to Configuring Captive Portal Policies on page 11-1.

To view current Access Point guest user utilization:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Guest Users.

Figure 15-176 Access Point – Guest Users screen

The Guest Users screen describes the following:
Name: Lists the administrator assigned name of the client utilizing the Access Point for guest access to the WiNG managed wireless network.
Configured Time (days:hrs:mins:secs): Displays the restricted permissions each listed client was initially configured for their captive portal guest user session with this managing Access Point.
Remaining Time (days:hrs:mins:secs): Displays the time each listed client has remaining in their captive portal guest user session with this Access Point.
Configured Kilobytes: Lists the maximum configured bandwidth consumable by the listed guest user (in kilobytes).
Remaining Kilobytes: Lists the remaining bandwidth available to the listed guest user (in kilobytes). This is the difference between the configured (maximum) bandwidth and the user’s current utilization.
Configured Downlink Rate (kbps): Specifies the download speed configured for the listed guest user. When bandwidth is available, the user can download data at the specified rate (in kilobytes per second). If a guest user has a bandwidth based policy and exceeds the specified data limit, their speed is throttled to the defined reduced downlink rate. For more information, refer to Defining User Pools on page 11-53.
Configured Uplink Rate (kbps): Specifies the upload speed dedicated to the listed guest user. When bandwidth is available, the user is able to upload data at the specified rate (in kilobytes per second). If a guest user has a bandwidth based policy and exceeds the specified data limit, their speed is throttled to the reduced uplink rate. For more information, refer to Defining User Pools on page 11-53.
Current Downlink Rate (Kbps): Lists the listed guest user’s current downlink rate in kbps. Use this information to assess whether this user’s configured downlink rate is adequate for their session requirements and whether their reduced downlink rate needs adjustment if the configured downlink rate is exceeded. For more information, refer to Defining User Pools on page 11-53.
Current Uplink Rate (Kbps): Lists the listed guest user’s current uplink rate in kbps. Use this information to assess whether this user’s configured uplink rate is adequate for their session requirements and whether their reduced uplink rate needs adjustment if the configured uplink rate is exceeded. For more information, refer to Defining User Pools on page 11-53.
Refresh: Select the Refresh button to update the screen’s statistics counters to their latest value.

15.4.24 GRE Tunnels

Generic Routing Encapsulation (GRE) is one of the available tunneling mechanisms which uses IP as the transport protocol and can be used for carrying many different passenger protocols. The tunnels behave as virtual point-to-point links that have two endpoints identified by the tunnel source and tunnel destination addresses at each endpoint.

To review a selected Access Point’s GRE statistics:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select GRE Tunnels.
Figure 15-177 Access Point - GRE Tunnels screen

The Access Point GRE Tunnels screen displays the following:
GRE State: Displays the current operational state of the GRE tunnel.
Peer IP Address: Displays the IP address of the peer device on the remote end of the GRE tunnel.
Tunnel Id: Displays the session ID of an established GRE tunnel. This ID is only viable while the tunnel is operational.
Total Packets Received: Displays the total number of packets received from a peer at the remote end of the GRE tunnel.
Total Packets Sent: Displays the total number of packets sent from this Access Point to a peer at the remote end of the GRE tunnel.
Total Packets Dropped: Lists the number of packets dropped from tunneled exchanges between this Access Point and a peer at the remote end of the VPN tunnel.
Refresh: Select the Refresh button to update the screen’s statistics counters to their latest value.

15.4.25 Dot1x

Dot1x (or 802.1x) is an IEEE standard for network authentication. Devices supporting Dot1x allow the automatic provision and connection to the wireless network without launching a Web browser at login. When within range of a Dot1x network, a device automatically connects and authenticates without needing to manually login.

To view the Dot1x statistics:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Dot1x from the left-hand side of the UI.

Figure 15-178 Access Point – Dot1x screen

4 Refer to the following Dot1xAuth statistics:
AAA Policy: Lists the AAA policy currently being utilized for authenticating user requests.
Guest Vlan Control: Lists whether guest VLAN control has been allowed (or enabled). This is the VLAN on which traffic is bridged if the port is unauthorized and guest VLAN is globally enabled. A green checkmark designates guest VLAN control as enabled. A red X defines guest VLAN control as disabled.
System Auth Control: Lists whether Dot1x authorization is globally enabled for the Access Point. A green checkmark designates Dot1x authorization globally enabled. A red X defines Dot1x as globally disabled.

5 Review the following Dot1x Auth Ports utilization information:
Name: Lists the Access Point ge ports subject to automatic connection and authentication using Dot1x.
Auth SM: Lists the current authentication state of the listed port.
Auth VLAN: Lists the virtual interface utilized post authentication.
BESM: Lists whether an authentication request is pending on the listed port.
Client MAC: Lists the MAC address of requesting clients seeking authentication over the listed port.
Guest VLAN: Lists the guest VLAN utilized for the listed port. This is the VLAN on which traffic is bridged if the port is unauthorized and guest VLAN is globally enabled.
Host: Lists whether the host is a single entity or not.
Pstatus: Lists whether the listed port has been authorized for Dot1x network authentication.

6 Refer to the MacAuth table to assess the AAA policy applied to MAC authorization requests.

7 Review the following MAC Auth Ports utilization information:
Name: Lists the Access Point ge ports subject to automatic connection and MAC authentication using Dot1x.
Authorized: Lists whether MAC authorization using Dot1x has been authorized (permitted) on the listed ge port. A green checkmark designates Dot1x authorization as authorized. A red X defines authorization as disabled.
Enabled: Lists whether MAC authorization using Dot1x has been enabled on the listed ge port. A green checkmark designates Dot1x authorization as allowed. A red X defines authorization as disabled.
MAC Auth: Lists the MAC address corresponding to the listed Access Point port interface on which authentication requests are made.

8 Select the Refresh button to update the screen’s statistics counters to their latest value.

15.4.26 Network

Use the Network screen to view information for performance statistics for ARP, DHCP, Routing and Bridging.

For more information, refer to the following:
• ARP Entries
• Route Entries
• Default Routes
• Bridge
• IGMP
• MLD
• Traffic Shaping
• DHCP Options
• Cisco Discovery Protocol
• Link Layer Discovery Protocol
• IPv6 Neighbor Discovery
• MSTP
15.4.26.1 ARP Entries

Address Resolution Protocol (ARP) is a protocol for mapping an IP address to a device address recognized in the local network. An IPv4 address is 32 bits long. In an Ethernet local area network, however, addresses for attached devices are 48 bits long. (The physical machine address is also known as a MAC address.) A table, usually called the ARP cache, is used to maintain a correlation between each MAC address and its corresponding IP address. ARP provides the protocol rules for making this correlation and providing address conversion in both directions.

To view an Access Point’s ARP statistics:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Network and expand the menu to reveal its submenu items.
4 Select ARP Entries.

Figure 15-179 Access Point - Network ARP screen

The ARP Entries screen describes the following:
IP Address: Displays the IP address of the client resolved on behalf of the Access Point.
ARP MAC Address: Displays the MAC address corresponding to the IP address being resolved.
Type: Lists the type of ARP entry.
VLAN: Displays the system assigned VLAN ID where an IP address was found.
Refresh: Select the Refresh button to update the screen’s statistics counters to their latest values.
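An added example (not part of the guide or of WiNG): comparing two copies of the ARP Entries table, taken before and after a Refresh, to flag IP addresses whose MAC binding changed and MAC addresses that hold several IP addresses on one VLAN. The row layout follows the screen's four columns; the sample rows, the Type values and all function names are constructed for illustration.

```python
import ipaddress
import string
from collections import defaultdict

# Constructed rows: (IP Address, ARP MAC Address, Type, VLAN)
BEFORE = [
    ("192.0.2.1",  "00-A0-F8-00-00-01", "dynamic", 1),
    ("192.0.2.20", "00-A0-F8-00-00-14", "dynamic", 1),
    ("192.0.2.1",  "00-A0-F8-00-00-01", "dynamic", 20),
]
AFTER = [
    ("192.0.2.1",  "02-11-22-33-44-55", "dynamic", 1),
    ("192.0.2.20", "02:11:22:33:44:55", "dynamic", 1),
    ("192.0.2.1",  "00-A0-F8-00-00-01", "dynamic", 20),
]


def normalize_mac(mac: str) -> str:
    """Accept '-', ':' or '.' separated MACs and return aa:bb:cc:dd:ee:ff."""
    digits = "".join(c for c in mac if c in string.hexdigits).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def index_entries(rows) -> dict:
    """Map (vlan, ip) -> mac. The same IP on two VLANs is two separate bindings."""
    table = {}
    for ip, mac, _entry_type, vlan in rows:
        key = (int(vlan), str(ipaddress.ip_address(ip)))
        table[key] = normalize_mac(mac)
    return table


def changed_bindings(before_rows, after_rows) -> list:
    """Bindings present in both snapshots whose MAC differs: (vlan, ip, old, new)."""
    before, after = index_entries(before_rows), index_entries(after_rows)
    return sorted(
        (vlan, ip, before[(vlan, ip)], after[(vlan, ip)])
        for (vlan, ip) in before.keys() & after.keys()
        if before[(vlan, ip)] != after[(vlan, ip)]
    )


def shared_macs(rows, min_ips: int = 2) -> dict:
    """MACs that hold at least min_ips addresses on one VLAN: (vlan, mac) -> [ips]."""
    by_mac = defaultdict(set)
    for (vlan, ip), mac in index_entries(rows).items():
        by_mac[(vlan, mac)].add(ip)
    return {
        key: sorted(ips, key=ipaddress.ip_address)
        for key, ips in by_mac.items()
        if len(ips) >= min_ips
    }


if __name__ == "__main__":
    for vlan, ip, old, new in changed_bindings(BEFORE, AFTER):
        print(f"VLAN {vlan}: {ip} moved from {old} to {new}")
    for (vlan, mac), ips in shared_macs(AFTER).items():
        print(f"VLAN {vlan}: {mac} holds {', '.join(ips)}")
```

A changed binding is not proof of spoofing, since replaced hardware and reassigned addresses produce the same pattern, so findings are best checked against known gateways and DHCP records.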

15.4.26.2 Route Entries

The Route Entries screen displays data for routing packets to a defined destination. When an existing destination subnet does not meet the needs of the network, add a new destination subnet, subnet mask and gateway as needed for either IPv4 or IPv6 formatted data packets.

IPv4 operates as a best effort delivery method, as it does not guarantee delivery, and does not ensure proper sequencing or avoid duplicate delivery (unlike TCP). IPv4 hosts can use link local addressing to provide local connectivity.

IPv6 is the latest revision of the Internet Protocol (IP) designed to replace IPv4. IPv6 provides enhanced identification and location information for devices on networks routing traffic across the Internet. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons.

To view IPv4 and IPv6 route entries:

1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Network and expand the menu to reveal its sub menu items.
4 Select Route Entries. The IPv4 Route Entries tab displays by default.

Figure 15-180 Access Point - Network IPv4 Route Entries screen

The IPv4 Route Entries screen lists the following:

Destination: Displays the IPv4 formatted address of the destination route address.
Distance: Lists the hop distance to a desired route. Devices regularly send neighbors their own assessment of the total cost to get to all known destinations. A neighboring device examines the information and compares it to their own routing data. Any improvement on what’s already known is inserted in that device’s own routing tables. Over time, each networked device discovers the optimal next hop for each destination.
Route: Lists the IPv4 formatted IP address used for routing packets to a defined destination.
Flags: The flag signifies the condition of the direct or indirect route.
Gateway: Displays the gateway IP address used to route packets to the destination subnet.
Interface: Displays the name of the controller interface or VLAN utilized by the destination subnet.
Metric: Lists the metric (or cost) of the route to select (or predict) the best route. The metric is computed using a routing algorithm, and covers information such as bandwidth, network delay, hop count, path cost, load, MTU, reliability, and communication cost.
Refresh: Select Refresh to update the display to the latest values.

5 Select the IPv6 Route Entries tab to review route data for IPv6 formatted traffic.

Figure 15-181 Wireless Controller - IPv6 Route Entries screen

The IPv6 Route Entries screen lists the following:

Destination: Displays the IPv6 formatted address of the destination route address.
Gateway: Displays the gateway IP address used to route packets to the destination subnet.
Interface: Displays the name of the controller interface or VLAN utilized by the destination subnet.
Flag: The flag signifies the condition of the direct or indirect route.
Refresh: Select Refresh to update the display to the latest values.

15.4.26.3 Default Routes

In an IPv6 supported environment unicast routing is always enabled. A controller or service platform routes IPv6 formatted traffic between interfaces as long as the interfaces are enabled for IPv6 and ACLs allow IPv6 formatted traffic. However, an administrator can add default routes as needed.

Static routes are manually configured. They work fine in simple networks. However, static routes with topology changes require an administrator to manually configure and modify the corresponding route revisions. Default routes are useful, as they forward packets that match no specific routes in the routing table.

To view Access Point default routes:

1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Network and expand the menu to reveal its sub menu items.
4 Select Default Routes. The IPv4 Default Routes tab displays by default.

Figure 15-182 Access Point - IPv4 Default Routes screen

The IPv4 Default Routes screen provides the following information:

DNS Server: Lists the address of the DNS server providing IPv4 formatted address assignments on behalf of the Access Point.
Gateway Address: Lists the IP address of the gateway resource used with the listed route.
Installed: A green checkmark defines the listed route as currently installed on the Access Point. A red X defines the route as not currently installed and utilized.
Metric: The metric (or cost) could be the distance of a router (round-trip time), link throughput or link availability.
Monitor Mode: Displays where in the network the route is monitored for utilization status.
Source: Lists whether the route is static, a DHCP-Client or an administrator defined default route. Static routes are manually configured. Static routes work adequately in simple networks. However, static routes with topology changes require an administrator to manually configure and modify the corresponding route revisions. Default routes are useful, as they forward packets that match no specific routes in the routing table.
Monitoring Status: Lists whether the defined IPv4 route is currently reachable on the Access Point managed network. If not, perhaps a topology change has occurred to a static route requiring a default route be utilized.
Refresh: Select Refresh to update the display to the latest values.

5 Select the IPv6 Default Routes tab to review default route availabilities for IPv6 formatted traffic.

Figure 15-183 Wireless Controller - IPv6 Default Routes screen

The IPv6 Default Routes screen provides the following information:

Gateway Address: Lists the IP address of the gateway resource used with the listed route.
Installed: A green checkmark defines the listed IPv6 default route as currently installed on the Access Point. A red X defines the route as not currently installed and utilized.
Interface Name: Displays the interface on which the IPv6 default route is being utilized.
Lifetime: Lists the lifetime representing the valid usability of the default IPv6 route.
Preference: Displays the administrator defined IPv6 preferred route for IPv6 traffic.
Source: Lists whether the route is static or an administrator defined default route. Static routes are manually configured. Static routes work adequately in simple networks. However, static routes with topology changes require an administrator to manually configure and modify the corresponding route revisions. Default routes are useful, as they forward packets that match no specific routes in the routing table.
Status: Lists whether the defined IPv6 route is currently reachable on the Access Point managed network. If not, perhaps a topology change has occurred to a static route requiring a default route be utilized.
Refresh: Select Refresh to update the display to the latest values.

15.4.26.4 Bridge

Bridging is a forwarding technique used in networks. Bridging makes no assumption about where a particular address is located. It relies on the flooding and examination of source addresses in received packet headers to locate unknown devices. Once a device is located, its location is stored in a table to avoid broadcasting to that device again. Bridging is limited by its dependency on flooding, and is used in local area networks only. A bridge and an Access Point are very much alike, as an Access Point can be viewed as a bridge with a number of ports.

The Bridge screen provides details about the Integrated Gateway Server (IGS), which is a router connected to an Access Point. The IGS performs the following:
• Issues IP addresses
• Throttles bandwidth
• Permits access to other networks
• Times out old logins

The Bridging screen also provides information about the Multicast Router (MRouter), which is a router program that distinguishes between multicast and unicast packets and how they should be distributed along the Multicast Internet. Using an appropriate algorithm, a multicast router instructs a switching device what to do with the multicast packet.

To view an Access Point’s Bridge statistics:

1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Network and expand the menu to reveal its sub menu items.
4 Select Bridge.

Figure 15-184 Access Point - Network Bridge screen

5 Review the following bridge configuration attributes:

Bridge Name: Displays the numeric ID of the network bridge.
MAC Address: Displays the MAC address of the bridge selected.
Interface: Displays the interface (Access Point physical port name) where the bridge transferred packets. Supported Access Point models have different port configurations.
VLAN: Displays the VLAN the bridge uses as a virtual interface.
Forwarding: Displays whether the bridge is forwarding packets.

6 Select Refresh to update the counters to their latest values.

15.4.26.5 IGMP

Internet Group Management Protocol (IGMP) is a protocol used for managing members of IP multicast groups. The Access Point listens to IGMP network traffic and forwards the IGMP multicast packets to radios on which the interested hosts are connected. On the wired side of the network, the Access Point floods all the wired interfaces. This feature reduces unnecessary flooding of multicast traffic in the network.

To view a network’s IGMP configuration:

1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Network and expand the menu to reveal its sub menu items.
4 Select IGMP.

Figure 15-185 Access Point - Network IGMP screen

The Group field displays the following:

VLAN: Displays the group VLAN where the multicast transmission is conducted.
Group Address: Displays the Multicast Group ID supporting the statistics displayed. This group ID is the multicast address that hosts are listening to.
Port Members: Displays the ports on which multicast clients have been discovered by the Access Point. For example, ge1, radio1, etc.
Version: Displays each listed group IGMP version compatibility as either version 1, 2 or 3.

The Multicast Router (MRouter) field displays the following:

VLAN: Displays the group VLAN where the multicast transmission is conducted.
Learn Mode: Displays the learning mode used by the router as either Static or PIM-DVMRP.
Port Members: Displays the ports on which multicast clients have been discovered by the multicast router. For example, ge1, radio1, etc.
MiNT IDs: Lists MiNT IDs for each listed VLAN. MiNT provides the means to secure Access Point profile communications at the transport layer. Using MiNT, an Access Point can be configured to only communicate with other authorized (MiNT enabled) Access Points of the same model.
Query Interval: Lists the IGMP query interval implemented when the querier functionality is enabled. The default value is 60 seconds.
Version: Lists the multicast router IGMP version compatibility as either version 1, 2 or 3. The default setting is 3.
Refresh: Select the Refresh button to update the screen’s statistics counters to their latest values.

15.4.26.6 MLD

Multicast Listener Discovery (MLD) snooping enables a controller, service platform or Access Point to examine MLD packets and make forwarding decisions based on content. MLD is used by IPv6 devices to discover devices wanting to receive multicast packets destined for specific multicast addresses. MLD uses multicast listener queries and multicast listener reports to identify which multicast addresses have listeners and join multicast groups.

MLD snooping caps the flooding of IPv6 multicast traffic on controller, service platform or Access Point VLANs. When enabled, MLD messages are examined between hosts and multicast routers to discern which hosts are receiving multicast group traffic. The controller, service platform or Access Point then forwards multicast traffic only to those interfaces connected to interested receivers instead of flooding traffic to all interfaces.

To view network MLD configuration options:

1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Network and expand the menu to reveal its sub menu items.
4 Select MLD.

Figure 15-186 Access Point - Network MLD screen

The Multicast Listener Discovery (MLD) Group field describes the following:

VLAN: Displays the group VLAN where the MLD group’s multicast transmission is conducted.
Group Address: Displays the Multicast Group ID supporting the statistics displayed. This group ID is the multicast address hosts are listening to.
Port Members: Displays the ports on which MLD multicast clients have been discovered. For example, ge1, radio1, etc. Ports can vary somewhat amongst supported Access Point models.
Version: Displays each listed group’s version compatibility as either version 1, 2 or 3.

The IPv6 Multicast Router (MRouter) field describes the following:

VLAN: Displays the group VLAN where the multicast transmission is conducted.
MiNT IDs: Lists MiNT IDs for each listed VLAN. MiNT provides the means to secure communications at the transport layer. Using MiNT, an Access Point can be configured to only communicate with other authorized (MiNT enabled) devices.
Learn Mode: Displays the learning mode used by the router as either Static or PIM-DVMRP.
Port Members: Displays the physical ports on which multicast clients have been discovered by the multicast router. For example, ge1, radio1, etc. Ports can vary somewhat amongst supported Access Point models.
Query Interval: Lists the query interval implemented when the querier functionality is enabled. The default value is 60 seconds.
Version: Lists the multicast router version compatibility as either version 1, 2 or 3. The default setting is 3.
Refresh: Select the Refresh button to update the screen’s statistics counters to their latest values.

15.4.26.7 Traffic Shaping

Traffic shaping regulates network data transfers to ensure a specific performance level. Traffic shaping delays the flow of packets defined as less important than prioritized traffic streams. Traffic shaping enables traffic control out an interface to match its flow to the speed of a remote target’s interface and ensure traffic conforms to applied policies. Traffic can be shaped to meet downstream requirements and eliminate network congestion when data rates are in conflict.

Apply traffic shaping to specific applications to apply application categories. When application and ACL rules are conflicting, an application takes precedence over an application category, then ACLs.

To view network Access Point traffic shaping configuration:

1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Expand the Network menu from the left-hand side of the UI.
4 Select Traffic Shaping. The Status screen displays by default, and lists the Access Point’s traffic shaping status.

Figure 15-187 Access Point - Network Traffic Shaping Statistics screen

5 Select Statistics.

6 Refer to the following Traffic Shaping statistics:

Rate: The rate configuration controls the maximum traffic rate sent or received on an interface. Consider this form of rate limiting on interfaces at the edge of a network to limit traffic into or out of the network. Traffic within the set limit is sent and traffic exceeding the set limit is dropped or sent with a different priority.
Priority: Lists the traffic shaper queue priority. There are 8 queues (0 - 7), and traffic is queued in each based on incoming packets’ 802.1p markings.
Packets Sent: Provides a baseline of the total number of packets sent to assess packet delays and drops as a result of the filter rules applied in the traffic shaping configuration.
Packets Delayed: Lists the packets defined as less important than prioritized traffic streams and delayed as a result of traffic shaping filter rules applied.
Packets Dropped: Lists the packets defined as less important than prioritized traffic streams, delayed and eventually dropped as a result of traffic shaping filter rules applied.
Current Length: Lists the packet length of the data traffic shaped to meet downstream requirements.
Current Latency: Traffic shaping latency is the time limit after which packets start dropping as a result of the traffic prioritization filter rules applied.
Refresh: Select the Refresh button to update the screen’s statistics counters to their latest values.

15.4.26.8 DHCP Options

Supported Access Points can use a DHCP server resource to provide the dynamic assignment of IP addresses automatically. This is a protocol that includes IP address allocation and delivery of host-specific configuration parameters from a DHCP server to a host. Some of these parameters are IP address, gateway and network mask.

The DHCP Options screen provides the DHCP server name, image file on the DHCP server, and its configuration.

To view a network’s DHCP Options:

1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Network and expand the menu to reveal its sub menu items.
4 Select DHCP Options.

Figure 15-188 Access Point - Network DHCP Options screen

The DHCP Options screen displays the following:

Server Information: Displays the DHCP server hostname used on behalf of the Access Point.
Image File: Displays the image file name. BOOTP or the bootstrap protocol can be used to boot diskless clients. An image file is sent from the boot server. The image file contains the image of the operating system the client will run. DHCP servers can be configured to support BOOTP.
Configuration: Displays the name of the configuration file on the DHCP server.
Legacy Adoption: Displays historical device adoption information on behalf of the Access Point.
Adoption: Displays adoption information on behalf of the Access Point.
Refresh: Select the Refresh button to update the screen’s statistics counters to their latest values.

15.4.26.9 Cisco Discovery Protocol

The Cisco Discovery Protocol (CDP) is a proprietary Data Link Layer network protocol implemented in Cisco networking equipment and used to share information about network devices.

To view an Access Point’s CDP statistics:

1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Network and expand the menu to reveal its sub menu items.
4 Select Cisco Discovery Protocol.

Figure 15-189 Access Point - Network CDP screen

The Cisco Discovery Protocol screen displays the following:

Capabilities: Displays the capabilities code for the device as either Router, Trans Bridge, Source Route Bridge, Host, IGMP or Repeater.
Device ID: Displays the configured device ID or name for each listed device.
Local Port: Displays the local port name (Access Point physical port) for each CDP capable device. Supported Access Point models have unique port configurations.
Platform: Displays the model number of the CDP capable device interoperating with the Access Point.
Port ID: Displays the Access Point’s numeric identifier for the local port.
TTL: Displays the time to live (TTL) for each CDP connection.
Clear Neighbors: Select Clear Neighbors to remove CDP neighbors from the table and begin a new data collection.
Refresh: Select Refresh to update the statistics counters to their latest values.

15.4.26.10 Link Layer Discovery Protocol

The Link Layer Discovery Protocol (LLDP) or IEEE 802.1AB is a vendor-neutral Data Link Layer protocol used by network devices for advertising (announcing) their identity, capabilities, and interconnections on an IEEE 802 LAN network. The protocol is formally referred to by the IEEE as Station and Media Access Control Connectivity Discovery.

To view a network’s Link Layer Discovery Protocol statistics:

1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Network and expand the menu to reveal its sub menu items.
4 Select Link Layer Discovery.

Figure 15-190 Access Point - Network LLDP screen

The Link Layer Discovery Protocol screen displays the following:

Capabilities: Displays the capabilities code for the device.
Device ID: Displays the configured device ID or name for each device in the table.
Enabled Capabilities: Displays which device capabilities are currently enabled.
Local Port: Displays the local port name (Access Point physical port) for each LLDP capable device. Supported Access Point models have unique port configurations.
Platform: Displays the model number of the LLDP capable device interoperating with the Access Point.
Port ID: Displays the identifier for the local port.
TTL: Displays the time to live (TTL) for each LLDP connection.
Clear Neighbors: Select Clear Neighbors to remove all known LLDP neighbors from the table.
Refresh: Select Refresh to update the statistics counters to their latest values.
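
The neighbor attributes listed above reach a device as type-length-value fields in an unauthenticated LLDPDU, so a receiver has to validate them before recording a neighbor. The following is an added example, not taken from the WiNG guide or from Extreme Networks code: the TLV layout and type codes come from IEEE 802.1AB rather than this page, the function names are the example's own, and the sample frame is constructed.

```python
import struct

# TLV type codes defined by IEEE 802.1AB (not listed on the page).
END, CHASSIS_ID, PORT_ID, TTL, SYS_NAME, SYS_CAP = 0, 1, 2, 3, 5, 7
CHASSIS_SUBTYPE_MAC, PORT_SUBTYPE_MAC = 4, 3
CAP_BITS = ["Other", "Repeater", "Bridge", "WLAN AP", "Router",
            "Telephone", "DOCSIS", "Station Only"]


class LLDPError(ValueError):
    """The LLDPDU is malformed and must be discarded."""


def tlv(tlv_type, value):
    """Encode one TLV: 7-bit type and 9-bit length in two bytes, then the value."""
    if not 0 <= tlv_type <= 127 or len(value) > 511:
        raise ValueError("type or length does not fit the TLV header")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def iter_tlvs(pdu):
    """Yield (type, value) pairs; never read past the end of the buffer."""
    offset = 0
    while offset < len(pdu):
        if len(pdu) - offset < 2:
            raise LLDPError("truncated TLV header")
        (header,) = struct.unpack_from("!H", pdu, offset)
        tlv_type, length = header >> 9, header & 0x01FF
        offset += 2
        if length > len(pdu) - offset:
            raise LLDPError(f"TLV type {tlv_type} claims {length} bytes, "
                            f"only {len(pdu) - offset} remain")
        if tlv_type == END:
            return                      # anything after End is Ethernet padding
        yield tlv_type, pdu[offset:offset + length]
        offset += length


def printable(raw):
    """Neighbor-supplied text is untrusted: keep printable ASCII only."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "?" for b in raw)


def format_id(value, mac_subtype):
    """Render a Chassis ID or Port ID: one subtype byte, then the identifier."""
    subtype, ident = value[0], value[1:]
    if subtype == mac_subtype and len(ident) == 6:
        return ":".join(f"{b:02x}" for b in ident)
    return printable(ident)


def caps(mask):
    """Translate a capability bitmap into names."""
    return [name for bit, name in enumerate(CAP_BITS) if mask & (1 << bit)]


def parse_lldpdu(pdu):
    """Return one neighbor record, or raise LLDPError for a malformed LLDPDU."""
    tlvs = list(iter_tlvs(pdu))
    if [t for t, _ in tlvs[:3]] != [CHASSIS_ID, PORT_ID, TTL]:
        raise LLDPError("Chassis ID, Port ID and TTL must come first, in order")
    chassis, port, ttl = (v for _, v in tlvs[:3])
    if len(chassis) < 2 or len(port) < 2 or len(ttl) < 2:
        raise LLDPError("mandatory TLV is too short")
    record = {
        "chassis_id": format_id(chassis, CHASSIS_SUBTYPE_MAC),
        "port_id": format_id(port, PORT_SUBTYPE_MAC),
        "ttl": struct.unpack_from("!H", ttl)[0],
        "system_name": None, "capabilities": [], "enabled_capabilities": [],
    }
    for tlv_type, value in tlvs[3:]:
        if tlv_type == SYS_NAME:
            record["system_name"] = printable(value)
        elif tlv_type == SYS_CAP:
            if len(value) != 4:
                raise LLDPError("System Capabilities TLV must be 4 bytes")
            supported, enabled = struct.unpack("!HH", value)
            if enabled & ~supported:
                raise LLDPError("capability enabled but not advertised as supported")
            record["capabilities"] = caps(supported)
            record["enabled_capabilities"] = caps(enabled)
    return record


# Constructed sample LLDPDU (the payload after the Ethernet header); all values are made up.
SAMPLE = b"".join([
    tlv(CHASSIS_ID, bytes([CHASSIS_SUBTYPE_MAC]) + bytes.fromhex("020000000001")),
    tlv(PORT_ID, bytes([5]) + b"ge1"),                  # subtype 5: interface name
    tlv(TTL, struct.pack("!H", 120)),
    tlv(SYS_NAME, b"switch-01\x1b[2J"),                 # name carrying a terminal escape
    tlv(SYS_CAP, struct.pack("!HH", 0x0014, 0x0004)),   # Bridge+Router, Bridge enabled
    tlv(END, b""),
])

if __name__ == "__main__":
    print(parse_lldpdu(SAMPLE))
```

How WiNG maps these TLVs onto its Device ID and Platform columns is not stated on the page, so the record keeps the protocol's own field names.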

15.4.26.11 IPv6 Neighbor Discovery

IPv6 neighbor discovery uses ICMP messages and solicited multicast addresses to find the link layer address of a neighbor on the same local network, verify the neighbor’s reachability and track neighboring devices.

Upon receiving a neighbor solicitation message, the destination replies with a neighbor advertisement (NA). The source address in the advertisement is the IPv6 address of the device sending the message. The destination address in the advertisement message is the IPv6 address of the device sending the neighbor solicitation. The data portion of the NA includes the link layer address of the node sending the neighbor advertisement.

Neighbor solicitation messages also verify the availability of a neighbor once its link layer address is identified. When a node wants to verify the reachability of a neighbor, the destination address in a neighbor solicitation message is the unicast address of the neighbor.

A neighbor is interpreted as reachable when an acknowledgment is returned indicating packets have been received and processed. If packets are reaching the device, they’re also reaching the next hop neighbor, providing a confirmation the next hop is reachable.

To view an Access Point’s IPv6 neighbor statistics:

1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Expand the Network menu from the left-hand side of the UI.
4 Select IPv6 Neighbor Discovery.

Figure 15-191 Access Point - Network IPv6 Neighbor screen

The IPv6 Neighbor screen displays the following:

IPv6 Address: Lists an IPv6 IP address for neighbor discovery. IPv6 hosts can configure themselves automatically when connected to an IPv6 network using the neighbor discovery protocol via ICMPv6 router discovery messages. When first connected to a network, a host sends a link-local router solicitation multicast request for its configuration parameters; routers respond to such a request with a router advertisement packet that contains Internet Layer configuration parameters. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons.
MAC Address: Lists the factory encoded hardware MAC address of the neighbor device using an IPv6 formatted IP address as its network identifier.
Type: Displays the device type for the neighbor solicitation. Neighbor solicitations request the link layer address of a target node while providing the sender’s own link layer address to the target. Neighbor solicitations are multicast when the node needs to resolve an address and unicast when the node seeks to verify the reachability of a neighbor. Options include Host, Router and DHCP Server.
VLAN: Lists the virtual interface (from 1 - 4094) used for the required neighbor advertisements and solicitation messages used for neighbor discovery.
Refresh: Select the Refresh button to update the screen’s statistics counters to their latest values.

15.4.26.12 MSTP

The Multiple Spanning Tree Protocol (MSTP) provides an extension to RSTP to optimize the usefulness of VLANs. MSTP allows for a separate spanning tree for each VLAN group, and blocks all but one of the possible alternate paths within each spanning tree topology.

If there’s just one VLAN in the Access Point managed network, a single spanning tree works fine. However, if the network contains more than one VLAN, the network topology defined by a single STP would work, but it’s possible to make better use of the alternate paths available by using an alternate spanning tree for different VLANs or groups of VLANs.

MSTP includes all of its spanning tree information in a single Bridge Protocol Data Unit (BPDU) format. BPDUs are used to exchange information about bridge IDs and root path costs. Not only does this reduce the number of BPDUs required to communicate spanning tree information for each VLAN, but it also ensures backward compatibility with RSTP. MSTP encodes additional region information after the standard RSTP BPDU as well as a number of MSTI messages. Each MSTI message conveys spanning tree information for each instance. Each instance can be assigned a number of configured VLANs. The frames assigned to these VLANs operate in this spanning tree instance whenever they are inside the MST region. To avoid conveying its entire VLAN to spanning tree mapping in each BPDU, the Access Point encodes an MD5 digest of its VLAN to instance table in the MSTP BPDU. This digest is used by other MSTP supported devices to determine if the neighboring device is in the same MST region as itself.

To view a controller or service platform’s MSTP statistics:

1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Expand the Network menu from the left-hand side of the UI.
4 Select MSTP.

Figure 15-192 Access Point - Network MSTP screen

The MST Config field displays the name assigned to the MSTP configuration, its digest, format ID, name and revision.

The MST Bridge field lists the filters and guards that have been enabled and whether Cisco interoperability is enabled.

The MST Bridge Port Detail field lists specific Access Point port status and their current state.

15.4.27 DHCPv6 Relay & Client

DHCPv6 is a networking protocol for configuring IPv6 hosts with IP addresses, IP prefixes or other configuration attributes required on an IPv6 network. DHCPv6 relay agents receive messages from clients and forward them to a DHCPv6 server. The server sends responses back to the relay agent, and the relay agent sends the responses to the client on the local link.

To assess an Access Point’s DHCPv6 relay configuration:

1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select DHCP Relay & Client from the left-hand side of the UI.

Figure 15-193 Access Point - DHCPv6 Relay and Client screen

4 The DHCPv6 Status table defines the following:

Interfaces: Displays the Access Point interface used for DHCPv6 relay.
State: Displays the current operational state of the DHCPv6 server to assess its availability as a viable IPv6 provisioning resource.

5 The DHCPv6 Status table defines the following:

Client Identifier: Lists whether the reporting client is using a hardware address or client identifier as its identifier type within requests to the DHCPv6 server.
Server Identifier: Displays the server identifier supporting client DHCPv6 relay message reception.
DNS Servers: Lists the DNS server resources supporting relay messages received from clients.
Domain Name: Lists the domain to which the remote server resource belongs.
Interface: Displays the interfaces dedicated to client DHCPv6 relay message reception.
Refresh Time (Seconds): Lists the time (in seconds) since the data populating the DHCPv6 client received options table has been refreshed.
Server Preference: Lists the preferred DHCPv6 server resource supporting relay messages received from clients.
SIP Domain Name: Lists the SIP domain name supporting DHCPv6 client telephone extensions or voice over IP systems.
SIP Server: Displays the SIP server name supporting DHCPv6 telephone extensions or voice over IP systems.

6 Refer to the Vendor Options table for the following:

Enterprise ID: Lists the enterprise ID associated with DHCPv6 received client options.
Code: Lists the relevant numeric DHCP vendor code.
Data: Lists the supporting data relevant to the listed DHCP vendor code.

15.4.28 DHCP Server

Access Points utilize an internal Dynamic Host Configuration Protocol (DHCP) server. DHCP can provide IP addresses automatically. DHCP is a protocol that includes mechanisms for IP address allocation and delivery of host-specific configuration parameters (IP address, network mask, gateway etc.) from a DHCP server to a host.

To review DHCP server statistics, refer to the following:
• Viewing General DHCP Information
• Viewing DHCP Binding Information
• Viewing DHCP Server Networks Information

15.4.28.1 Viewing General DHCP Information

To view General DHCP status and binding information for both DHCPv4 and DHCPv6:

1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Expand the DHCP Server menu from the left-hand side of the UI.
4 Select General.
Figure 15-194 Access Point - DHCP Server General screen

5 The DHCPv4 Status and DHCPv6 Status tables define the following:

Interfaces: Displays the Access Point interface used with the DHCPv4 or DHCPv6 resource for IP address provisioning.
State: Displays the current operational state of the DHCPv4 or DHCPv6 server to assess its availability as a viable IP provisioning resource.

6 The DDNS Bindings table displays the following:

IP Address: Displays the IP address assigned to the requesting client.
Name: Displays the domain name mapping corresponding to the listed IP address.

7 The DHCP Manual Bindings table displays the following:

IP Address: Displays the IP address for clients requesting DHCP provisioning resources.
Client Id: Displays the client’s ID used to differentiate requesting clients.

8 Select the Refresh button to update the screen’s statistics counters to their latest values.

15.4.28.2  Viewing DHCP Binding Information

The DHCP Binding screen displays DHCP binding information such as expiry time, client IP addresses and their MAC address. Access Points build and maintain a DHCP snooping table (DHCP binding database). An Access Point uses the snooping table to identify and filter untrusted messages. The DHCP binding database keeps track of DHCP
addresses assigned to ports, as well as filtering DHCP messages from untrusted ports. Incoming packets received on untrusted ports are dropped if the source MAC address does not match the MAC in the binding table.

To view the DHCP binding information:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Expand the DHCP Server menu from the left-hand side of the UI.
4 Select Bindings.

Figure 15-195 Access Point - DHCP Server Bindings screen

The Bindings screen displays the following:

Expiry Time: Displays the expiration of the lease used by the client for Access Point DHCP resources.
IP Address: Displays the IP address of each listed client requesting DHCP services.
DHCP MAC Address: Displays the MAC address of each listed client requesting DHCP services.
Clear: Select a table entry and select Clear to remove the client from the list of devices requesting DHCP services from the Access Point.
Clear All: Select Clear All to remove all listed clients from the list of requesting clients.
Refresh: Select the Refresh button to update the screen’s statistics counters to their latest values.

15.4.28.3  Viewing DHCP Server Networks Information

The DHCP server maintains a pool of IP addresses and client configuration parameters (default gateway, domain name, name servers etc.). On receiving a valid client request, the server assigns the requestor an IP address, a lease (the period of validity), and other IP configuration parameters.
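The binding-database filtering described under Viewing DHCP Binding Information (15.4.28.2) can be modelled in a few lines. The following is an added example, not WiNG code and not part of this guide: the class and function names, the port names (ge1, radio1, radio2), and the handling of expired leases and of server replies arriving on untrusted ports are assumptions based on common DHCP snooping behaviour, and all addresses are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address


def norm_mac(mac):
    """Canonical lower-case colon form, so 'AA-BB-..' and 'aa:bb:..' compare equal."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class Binding:
    mac: str        # "DHCP MAC Address" column
    ip: object      # "IP Address" column
    vlan: int
    port: str       # port the client was seen on
    expiry: float   # "Expiry Time" column, as an absolute timestamp


class BindingTable:
    """Hypothetical model of a DHCP snooping (binding) database."""

    def __init__(self, trusted_ports):
        self.trusted_ports = set(trusted_ports)
        self.bindings = {}  # (vlan, ip) -> Binding

    def on_dhcp_ack(self, ingress_port, client_mac, client_port, ip, vlan, lease_s, now):
        """Learn a binding from a server reply. Replies arriving on an
        untrusted port are filtered and teach the table nothing (assumption)."""
        if ingress_port not in self.trusted_ports:
            return False
        addr = ip_address(ip)
        self.bindings[(vlan, addr)] = Binding(
            norm_mac(client_mac), addr, vlan, client_port, now + lease_s)
        return True

    def verdict(self, ingress_port, src_mac, src_ip, vlan, now):
        """Decide what happens to a packet; returns (action, reason)."""
        if ingress_port in self.trusted_ports:
            return ("forward", "trusted port")
        key = (vlan, ip_address(src_ip))
        binding = self.bindings.get(key)
        if binding is None:
            return ("drop", "no binding")
        if now >= binding.expiry:
            del self.bindings[key]          # stale entry, lease ran out
            return ("drop", "lease expired")
        if binding.mac != norm_mac(src_mac):
            return ("drop", "MAC mismatch")  # the rule stated in 15.4.28.2
        if binding.port != ingress_port:
            return ("drop", "wrong port")
        return ("forward", "matches binding")


def run_demo():
    """Constructed traffic: one legitimate client plus several spoofing cases."""
    table = BindingTable(trusted_ports={"ge1"})
    table.on_dhcp_ack("ge1", "02-00-00-AA-BB-01", "radio1", "192.0.2.10", 10, 3600, now=0)
    packets = [  # (ingress_port, src_mac, src_ip, vlan, now)
        ("radio1", "02:00:00:aa:bb:01", "192.0.2.10", 10, 60),
        ("radio1", "02:00:00:aa:bb:99", "192.0.2.10", 10, 60),
        ("radio2", "02:00:00:aa:bb:01", "192.0.2.10", 10, 60),
        ("radio1", "02:00:00:aa:bb:02", "192.0.2.77", 10, 60),
        ("ge1", "02:00:00:aa:bb:99", "192.0.2.1", 10, 60),
        ("radio1", "02:00:00:aa:bb:01", "192.0.2.10", 10, 3600),
    ]
    return [table.verdict(*p) for p in packets]


if __name__ == "__main__":
    for action, reason in run_demo():
        print(f"{action:8} {reason}")
```

Selecting Clear on the Bindings screen corresponds to deleting an entry from this table, after which traffic from that client on an untrusted port is dropped until a new lease is learned.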
The Networks screen provides network pool information such as the subnet for the addresses you want to use from the pool, the pool name, the used addresses and the total number of addresses.

To view the DHCP Server Networks information:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Expand the DHCP Server menu from the left-hand side of the UI.
4 Select Networks.

Figure 15-196 Access Point - DHCP Server Networks screen

The Networks screen displays the following:

Name: Displays the name of the virtual network (VLAN) from which IP addresses can be issued to DHCP client requests on the listed Access Point interface.
Subnet Address: Displays the subnet for the IP addresses used from the network pool.
Used Addresses: Displays the number of host IP addresses allocated by the DHCP server.
Total Addresses: Displays the total number of IP addresses available in the network pool for requesting clients.

5 Select the Refresh button to update the screen’s statistics counters to their latest values.

15.4.29  Firewall

A firewall is a part of a computer system or network designed to block unauthorized access while permitting authorized communications. It’s a device or set of devices configured to permit or deny access to the controller or service platform managed network based on a defined set of rules.

This screen is partitioned into the following:
• Packet Flows
• Denial of Service
• IP Firewall Rules
• IPv6 Firewall Rules
• MAC Firewall Rules
• NAT Translations
• DHCP Snooping
• IPv6 Neighbor Snooping

15.4.29.1  Packet Flows

The Packet Flows screen displays data traffic packet flow utilization. The chart represents the different protocol flows supported, and displays a proportional view of the flows in respect to their percentage of data traffic utilized.

The Total Active Flows graph displays the total number of flows supported. Other bar graphs display for each individual packet type.

To view Access Point packet flows statistics:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Firewall and expand the menu to reveal its sub menu items.
4 Select Packet Flows.
5 Periodically select Refresh to update the statistics counters to their latest values. Clear All clears all the statistics counters and begins a new data collection.

Figure 15-197 Access Point - Firewall Packet Flows screen
15.4.29.2  Denial of Service

A denial-of-service attack (DoS attack) or distributed denial-of-service attack is an attempt to make a computer resource unavailable to its intended users. Although the means to carry out a DoS attack may vary, it generally consists of concerted efforts to prevent an Internet site or service from functioning efficiently.

One common method involves saturating the target’s machine with external communications requests, so it cannot respond to legitimate traffic or responds so slowly as to be rendered effectively unavailable. DoS attacks are implemented by either forcing the targeted computer(s) to reset, or consuming its resources so it can’t provide its intended service.

The DoS screen displays the types of attack, the number of times each occurred and the time of last occurrence.

To view Access Point DoS attack information:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Firewall and expand the menu to reveal its sub menu items.
4 Select Denial of Service.

Figure 15-198 Access Point - Firewall Denial of Service screen

The Denial of Service screen displays the following:

Attack Type: Displays the Denial of Service (DoS) attack type.
Count: Displays the number of times the Access Point’s firewall has detected each listed DoS attack.
Last Occurrence: Displays when the attack event was last detected by the Access Point firewall.
Clear All: Select the Clear All button to clear the screen of its current status and begin a new data collection.
Refresh: Select the Refresh button to update the screen’s statistics counters to their latest values.

15.4.29.3  IP Firewall Rules

Create firewall rules to let any computer send IPv4 formatted traffic to, or receive traffic from, programs, system services, computers or users. Firewall rules can be created to take one of the three actions listed below that match the rule’s criteria:
• Allow an IPv4 connection
• Allow an IPv4 connection only if it is secured through the use of Internet Protocol security
• Block a connection

Rules can be created for either inbound or outbound IPv4 formatted packet traffic.

To view IPv4 firewall rules:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Firewall and expand the menu to reveal its sub menu items.
4 Select IP Firewall Rules.

Figure 15-199 Access Point - Firewall IP Firewall Rules screen

The IP Firewall Rules screen displays the following:

Precedence: Displays the precedence value applied to packets. The rules within an Access Control Entries (ACL) list are based on precedence values. Every rule has a unique precedence value between 1 and 5000. You cannot add two rules with the same precedence.
Friendly String: The friendly string provides information as to which firewall the rules apply.
Hit Count: Displays the number of times each firewall rule has been triggered.
Refresh: Select the Refresh button to update the screen’s statistics counters to their latest values.

15.4.29.4  IPv6 Firewall Rules

IPv6 provides enhanced identification and location information for computers on networks routing traffic across the Internet. These hosts require firewall packet protection unique to IPv6 traffic, as IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons. IPv6 hosts can configure themselves automatically when connected to an IPv6 network using the neighbor discovery (ND) protocol via ICMPv6 router discovery messages. When first connected to a network, a host sends a link-local router solicitation multicast request for its configuration parameters; routers respond to such a request with a router advertisement packet that contains Internet layer configuration parameters.
• Allow an IPv6 formatted connection
• Allow a connection only if it is secured through the use of IPv6 security
• Block a connection and exchange of IPv6 formatted packets

To view existing IPv6 firewall rules:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Expand the Firewall menu from the left-hand side of the UI.
4 Select IPv6 Firewall Rules.

Figure 15-200 Access Point - Firewall IPv6 Firewall Rules screen
The IPv6 Firewall Rules screen displays the following:

Precedence: Displays the precedence (priority) applied to IPv6 formatted packets. Unlike IPv4, IPv6 provides enhanced identification and location information for computers on networks routing traffic across the Internet. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons. Every rule has a unique precedence value between 1 and 5000. You cannot add two rules with the same precedence value.
Friendly String: This is a string that provides more information as to the contents of the IPv6 specific IP rule. This is for information purposes only.
Hit Count: Displays the number of times each IPv6 ACL has been triggered.
Refresh: Select the Refresh button to update the screen’s statistics counters to their latest values.

15.4.29.5  MAC Firewall Rules

The ability to allow or deny Access Point connectivity by client MAC address ensures malicious or unwanted clients are unable to bypass the Access Point’s security filters. Firewall rules can be created to support one of the three actions listed below that match the rule’s criteria:
• Allow a connection
• Allow a connection only if it’s secured through the MAC firewall security
• Block a connection

To view the Access Point’s MAC Firewall Rules:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Firewall and expand the menu to reveal its sub menu items.
4 Select MAC Firewall Rules.
Figure 15-201 Access Point - Firewall MAC Firewall Rules screen

The MAC Firewall Rules screen displays the following information:

Precedence: Displays the precedence value applied to packets. The rules within an Access Control Entries (ACL) list are based on their precedence. Every rule has a unique precedence between 1 and 5000. You cannot add two rules with the same precedence value.
Friendly String: This is a string that provides information as to which firewall the rules apply.
Hit Count: Displays the number of times each WLAN ACL has been triggered.
Refresh: Select the Refresh button to update the screen’s statistics counters to their latest values.

15.4.29.6  NAT Translations

Network Address Translation (NAT) is a technique to modify network address information within IP packet headers in transit. This enables mapping one IP address to another to protect wireless controller managed network address credentials. With typical deployments, NAT is used as an IP masquerading technique to hide private IP addresses behind a single, public facing, IP address.

NAT can provide a profile with outbound Internet access for wired and wireless hosts connected to either an Access Point or a wireless controller. Many-to-one NAT is the most common NAT technique for outbound Internet access. Many-to-one NAT allows an Access Point or wireless controller to translate one or more internal private IP addresses to a single, public facing, IP address assigned to a 10/100/1000 Ethernet port or 3G card.
To view the Firewall’s NAT translations:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Firewall and expand the menu to reveal its sub menu items.
4 Select NAT Translations.

Figure 15-202 Access Point - Firewall NAT Translation screen

The NAT Translations screen displays the following:

Protocol: Lists the NAT translation IP protocol as either TCP, UDP or ICMP.
Forward Source IP: Displays the source IP address for the forward NAT flow.
Forward Source Port: Displays the source port for the forward NAT flow (contains ICMP ID if it is an ICMP flow).
Forward Dest IP: Displays the destination IP address for the forward NAT flow.
Forward Dest Port: Displays the destination port for the forward NAT flow (contains ICMP ID if it is an ICMP flow).
Reverse Source IP: Displays the source IP address for the reverse NAT flow.
Reverse Source Port: Displays the source port for the reverse NAT flow (contains ICMP ID if it is an ICMP flow).
Reverse Dest IP: Displays the destination IP address for the reverse NAT flow.
Reverse Dest Port: Displays the destination port for the reverse NAT flow (contains ICMP ID if it is an ICMP flow).
Refresh: Select the Refresh button to update the screen’s statistics counters to their latest values.
15.4.29.7  DHCP Snooping

When DHCP servers are allocating IP addresses to clients on the LAN, DHCP snooping can be configured to better enforce the security on the LAN to allow only clients with specific IP/MAC addresses.

1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Firewall and expand the menu to reveal its sub menu items.
4 Select DHCP Snooping.

Figure 15-203 Access Point - Firewall DHCP Snooping screen

The DHCP Snooping screen displays the following:

MAC Address: Displays the MAC address of the client requesting DHCP resources from the controller or service platform.
Node Type: Displays the NetBios node from which IP addresses can be issued to client requests on this interface.
IP Address: Displays the IP address used for DHCP discovery, and requests between the DHCP server and DHCP clients.
Netmask: Displays the subnet mask used for DHCP discovery, and requests between the DHCP server and DHCP clients.
VLAN: Displays the VLAN used as a virtual interface for the newly created DHCP configuration.
Lease Time: When a DHCP server allocates an address for a DHCP client, the client is assigned a lease (which expires after a designated interval defined by the administrator). The lease time is the time an IP address is reserved for re-connection after its last use. Using very short leases, DHCP can dynamically reconfigure networks in which there are more computers than there are available IP addresses. This is useful, for example, in education and customer environments where client users change frequently. Use longer leases if there are fewer users.
Time Elapsed Since Last Updated: Displays the time the server was last updated.
Clear All: Select the Clear All button to clear the screen of its current status and begin a new data collection.
Refresh: Select the Refresh button to update the screen’s statistics counters to their latest values.

15.4.29.8  IPv6 Neighbor Snooping

Access Points listen to IPv6 formatted network traffic and forward IPv6 packets to radios on which the interested hosts are connected.

To review IPv6 neighbor snooping statistics:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Expand the Firewall menu from the left-hand side of the UI.
4 Select IPv6 Neighbor Snooping.

Figure 15-204 Access Point - Firewall IPv6 Neighbor Snooping screen

The IPv6 Neighbor Snooping screen displays the following:

MAC Address: Displays the MAC address of the IPv6 client.
Node Type: Displays the NetBios node with an IPv6 address pool from which IP addresses can be issued to client requests on this interface.
IPv6 Address: Displays the IPv6 address used for DHCPv6 discovery and requests between the DHCPv6 server and DHCP clients.
VLAN: Displays an Access Point virtual interface ID used for a new DHCPv6 configuration.
Mint Id: Lists MiNT IDs for each listed VLAN. MiNT provides the means to secure communications at the transport layer. Using MiNT, a device can be configured to only communicate with other authorized (MiNT enabled) devices of the same model.
Snoop Id: Lists the numeric snooping session ID generated when Access Points listen to IPv6 formatted network traffic and forward IPv6 packets to radios.
Time Elapsed Since Last Update: Displays the amount of time elapsed since the DHCPv6 server was last updated.
Clear Neighbors: Select Clear Neighbors to revert the counters to zero and begin a new data collection.
Refresh: Select the Refresh button to update the screen’s counters to their latest values.

15.4.30  VPN

IPSec VPN provides a secure tunnel between two networked peer controllers or service platforms. Administrators can define which packets are sent within the tunnel, and how they are protected. When a tunnelled peer sees a sensitive packet, it creates a secure tunnel and sends the packet through the tunnel to its remote peer destination.

Tunnels are sets of security associations (SA) between two peers. SAs define the protocols and algorithms applied to sensitive packets and specify the keying mechanisms used by tunnelled peers. SAs are unidirectional and exist in both the inbound and outbound direction. SAs are established per the rules and conditions of defined security protocols (AH or ESP).

Crypto maps combine the elements comprising IPSec SAs. Crypto maps also include transform sets. A transform set is a combination of security protocols, algorithms and other settings applied to IPSec protected traffic. One crypto map is utilized for each IPSec peer; however, for remote VPN deployments one crypto map is used for all the remote IPSec peers.

Internet Key Exchange (IKE) protocol is a key management protocol standard used in conjunction with IPSec. IKE enhances IPSec by providing additional features, flexibility, and configuration simplicity for the IPSec standard. IKE automatically negotiates IPSec SAs, and enables secure communications without time consuming manual pre-configuration.

VPN statistics are partitioned into the following:
• IKESA
• IPSec

15.4.30.1  IKESA

The IKESA screen allows for the review of individual peer security association statistics.

1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select VPN and expand the menu to reveal its sub menu items.
4 Select IKESA.

Figure 15-205 Access Point - VPN IKESA screen

5 Review the following VPN peer security association statistics:

Peer: Lists peer IDs for peers sharing security associations (SA) for tunnel interoperability. When a peer sees a sensitive packet, it creates a secure tunnel and sends the packet through the tunnel to its destination.
Version: Displays each peer’s IKE version used for auto IPSec secure authentication with the IPSec gateway and other controllers or service platforms.
State: Lists the state of each listed peer’s security association (whether established or not).
Lifetime: Displays the lifetime for the duration of each listed peer IPSec VPN security association. Once the set value is exceeded, the association is timed out.
Local IP Address: Displays each listed peer’s local tunnel end point IP address. This address represents an alternative to an interface IP address.
Clear All: Select the Clear All button to clear each peer of its current status and begin a new data collection.
Refresh: Select the Refresh button to update the screen’s statistics counters to their latest values.

15.4.30.2  IPSec

Use the IPSec VPN screen to assess tunnel status between networked peers.

To view IPSec VPN status for tunnelled peers:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select VPN and expand the menu to reveal its sub menu items.
4 Select IPSec.

Figure 15-206 Access Point - VPN IPSec screen

5 Review the following VPN peer security association statistics:

Peer: Lists IP addresses for peers sharing security associations (SAs) for tunnel interoperability. When a peer sees a sensitive packet, it creates a secure tunnel and sends the packet through the tunnel to its destination.
Local IP Address: Displays each listed peer’s local tunnel end point IP address. This address represents an alternative to an interface IP address.
Protocol: Lists the security protocol used with the VPN IPSec tunnel connection. SAs are unidirectional, existing in each direction and established per security protocol. Options include ESP and AH.
State: Lists the state of each listed peer’s security association.
SPI In: Lists stateful packet inspection (SPI) status for incoming IPSec tunnel packets. SPI tracks each connection traversing the IPSec VPN tunnel and ensures they are valid.
SPI Out: Lists SPI status for outgoing IPSec tunnel packets. SPI tracks each connection traversing the IPSec VPN tunnel and ensures they are valid.
Mode: Displays the IKE mode. IPSec has two modes in IKEv1 for key exchanges. Aggressive mode requires 3 messages be exchanged between the IPSec peers to set up the SA; Main mode requires 6 messages.
Clear All: Select the Clear All button to clear each peer of its current status and begin a new data collection.
Refresh: Select the Refresh button to update the screen’s statistics counters to their latest values.
15.4.31  Certificates

The Secure Socket Layer (SSL) protocol ensures secure transactions between Web servers and browsers. SSL uses a third-party certificate authority to identify one (or both) ends of a transaction. A browser checks the certificate issued by the server before establishing a connection.

This screen is partitioned into the following:
• Trustpoints
• RSA Keys

15.4.31.1  Trustpoints

Each certificate is digitally signed by a trustpoint. The trustpoint signing the certificate can be a certificate authority, corporate or individual. A trustpoint represents a CA/identity pair containing the identity of the CA, CA-specific configuration parameters and an association with an enrolled identity certificate.

1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Certificates and expand the menu to reveal its sub menu items.
4 Select Trustpoints.
Figure 15-207 Access Point - Certificate Trustpoint screen

The Certificate Details field displays the following:

Subject Name: Lists details about the entity to which the certificate is issued.
Alternate Subject Name: Displays alternative details to the information specified under the Subject Name field.
Issuer Name: Displays the name of the organization issuing the certificate.
Serial Number: The unique serial number of the certificate issued.
RSA Key Used: Displays the name of the key pair generated separately, or automatically when selecting a certificate.
Is CA: Indicates whether this certificate is an authority certificate (Yes/No).
Is Self Signed: Displays whether the certificate is self-signed (Yes/No).
Server Certificate Present: Displays whether a server certificate is present or not (Yes/No).
CRL Present: Displays whether a Certificate Revocation List (CRL) is present (Yes/No). A CRL contains a list of subscribers paired with digital certificate status. The list displays revoked certificates along with the reasons for revocation. The date of issuance and the entities that issued the certificate are also included.
5 Refer to the Validity field to assess the certificate duration beginning and end dates.
6 Review the Certificate Authority (CA) Details and Validity information to assess the subject and certificate duration periods.
7 Periodically select the Refresh button to update the screen’s statistics counters to their latest values.

15.4.31.2  RSA Keys

Rivest, Shamir, and Adleman (RSA) is an algorithm for public key cryptography. It’s the first algorithm known to be suitable for signing, as well as encryption.

The RSA Keys screen displays a list of RSA keys installed in the selected Access Point. RSA Keys are generally used for establishing an SSH session, and are a part of the certificate set used by RADIUS, VPN and HTTPS.

To view the RSA Key details:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Certificates and expand the menu to reveal its sub menu items.
4 Select RSA Keys.

Figure 15-208 Access Point - Certificate RSA Keys screen

The RSA Key Details field displays the size (in bits) of the desired key. If not specified, a default key size of 1024 is used. The RSA Public Key field lists the public key used for encrypting messages.

5 Periodically select the Refresh button to update the screen’s statistics counters to their latest values.
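The values shown on the Trustpoints and RSA Keys screens can be checked against a certificate policy once they are recorded. The following is an added example, not part of this guide and not WiNG code: the record field names, the trustpoint names and dates are constructed, and the 2048-bit floor and 30-day renewal window are assumed policy values (1024-bit RSA, the default stated above, falls below the 2048-bit minimum in current NIST guidance).

```python
from datetime import datetime, timedelta, timezone

MIN_RSA_BITS = 2048                  # assumed policy floor, not a value from this guide
EXPIRY_WARNING = timedelta(days=30)  # assumed renewal window


def audit_trustpoint(tp, now):
    """Return a list of (code, detail) findings for one trustpoint record.

    `tp` is a dict transcribed from the Trustpoints and RSA Keys screens
    (hypothetical field names): valid_from, valid_until, rsa_bits,
    is_self_signed, crl_present.
    """
    findings = []

    # Validity field: beginning and end dates of the certificate.
    if now < tp["valid_from"]:
        findings.append(("NOT_YET_VALID", f"valid from {tp['valid_from']:%Y-%m-%d}"))
    elif now >= tp["valid_until"]:
        findings.append(("EXPIRED", f"expired {tp['valid_until']:%Y-%m-%d}"))
    elif tp["valid_until"] - now <= EXPIRY_WARNING:
        days = (tp["valid_until"] - now).days
        findings.append(("EXPIRING_SOON", f"{days} days left"))

    # RSA Key Details field: key size in bits.
    if tp["rsa_bits"] < MIN_RSA_BITS:
        findings.append(("WEAK_RSA_KEY",
                         f"{tp['rsa_bits']}-bit key, floor is {MIN_RSA_BITS}"))

    # Is Self Signed / CRL Present fields.
    if tp["is_self_signed"]:
        findings.append(("SELF_SIGNED", "peers cannot chain this to a trusted CA"))
    elif not tp["crl_present"]:
        findings.append(("NO_CRL", "revocation status cannot be checked"))

    return findings


def audit_all(trustpoints, now):
    """Map each trustpoint name to the list of finding codes raised for it."""
    return {tp["name"]: [code for code, _ in audit_trustpoint(tp, now)]
            for tp in trustpoints}


def _utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample records and audit date.
SAMPLE_NOW = _utc(2024, 1, 15)
SAMPLE_TRUSTPOINTS = [
    {"name": "corp-ca-issued", "valid_from": _utc(2023, 6, 1),
     "valid_until": _utc(2025, 6, 1), "rsa_bits": 2048,
     "is_self_signed": False, "crl_present": True},
    {"name": "factory-default", "valid_from": _utc(2015, 1, 1),
     "valid_until": _utc(2024, 2, 1), "rsa_bits": 1024,
     "is_self_signed": True, "crl_present": False},
    {"name": "old-branch-vpn", "valid_from": _utc(2021, 1, 1),
     "valid_until": _utc(2023, 12, 31), "rsa_bits": 2048,
     "is_self_signed": False, "crl_present": False},
]

if __name__ == "__main__":
    for name, codes in audit_all(SAMPLE_TRUSTPOINTS, SAMPLE_NOW).items():
        print(f"{name:16} {', '.join(codes) or 'ok'}")
```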
15.4.32  WIPS

A Wireless Intrusion Prevention System (WIPS) monitors the radio spectrum for the presence of unauthorized Access Points and takes measures to prevent an intrusion. Unauthorized attempts to access a controller or service platform managed WLAN are generally accompanied by anomalous behavior as intruding clients try to find network vulnerabilities. Basic forms of this behavior can be monitored and reported without a dedicated WIPS. When the parameters exceed a configurable threshold, an SNMP trap is generated that reports the results via management interfaces.

The WIPS screens provide details about the blacklisted clients (unauthorized Access Points) that have intruded into the network. Details include the name of the blacklisted client, the time when the client was blacklisted, the total time the client remained in the network, etc. The screen also provides WIPS event details.

For more information, see:
• WIPS Client Blacklist
• WIPS Events

15.4.32.1  WIPS Client Blacklist

The Client Blacklist displays blacklisted clients detected by this Access Point using WIPS. Blacklisted clients are not allowed to associate with this Access Point.

To view the WIPS client blacklist for this Access Point:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select WIPS and expand the menu to reveal its sub menu items.
4 Select Client Blacklist.

Figure 15-209 Access Point - WIPS Client Blacklist screen
The WIPS Client Blacklist screen displays the following:

Event Name: Displays the name of the event that resulted in the blacklisting.
Blacklisted Client: Displays the MAC address of the unauthorized and blacklisted device intruding this Access Point’s radio coverage area.
Time Blacklisted: Displays the time when the client was blacklisted by this Access Point.
Total Time: Displays the time the unauthorized (now blacklisted) device remained in this Access Point’s WLAN.
Time Left: Displays the time the blacklisted client remains on the list.
Refresh: Select the Refresh button to update the statistics counters to their latest values.

15.4.32.2  WIPS Events

To view the WIPS events statistics:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select WIPS and expand the menu to reveal its sub menu items.
4 Select WIPS Events.

Figure 15-210 Access Point - WIPS Events screen

The WIPS Events screen provides the following:

Event Name: Displays the name of the detected wireless intrusion event.
Reporting AP: Displays the MAC address of the Access Point reporting the listed intrusion.
Originating Device: Displays the MAC address of the intruding device.
Detector Radio: Displays the number of the detecting Access Point radio.
Time Reported: Displays the time when the intrusion event was detected.
Clear All: Select the Clear All button to clear the screen of its current status and begin a new data collection.
Refresh: Select the Refresh button to update the screen’s statistics counters to their latest values.

15.4.33  Sensor Servers

Sensor servers allow the monitoring and download of data from multiple sensors and remote locations using Ethernet TCP/IP or serial communication. Repeaters are available to extend the transmission range and combine sensors with various frequencies on the same receiver.

To view the network address and status information of the sensor server resources available to the Access Point:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Sensor Servers.

Figure 15-211 Access Point - Sensor Servers screen

The Sensor Servers screen displays the following:

IP Address/Hostname: Displays a list of sensor server IP addresses or administrator assigned hostnames. These are the server resources available to the Access Point for the management of data uploaded from dedicated sensors.
Port: Displays the numerical port where the sensor server is listening. Unconnected server resources are not able to provide sensor reporting.
Status: Displays whether the server resource is connected or not.
Refresh: Select the Refresh button to update the screen’s statistics counters to their latest values.
15.4.34 Bonjour Services

Bonjour is Apple’s zero-configuration networking (Zeroconf) implementation. Zeroconf is a group of technologies that include service discovery, address assignment and hostname resolution. Bonjour locates the devices (printers, computers etc.) and the services these devices provide over a local network.

Bonjour provides a method to discover services on a LAN. Bonjour allows users to set up a network without any configuration. Services such as printers, scanners and file-sharing servers can be found using Bonjour. Bonjour only works within a single broadcast domain. However, with a special DNS configuration, it can be extended to find services across broadcast domains.

To view the Bonjour service statistics:

1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Bonjour Services from the left-hand side of the Access Point UI.

Figure 15-212 Access Point - Bonjour Services screen

Refer to the following Bonjour service utilization statistics:

Service Name - Lists the services discoverable by the Bonjour gateway. Services can either be pre-defined Apple services (scanner, printer etc.) or an alias not available on the predefined list.
Instance Name - Lists the name of each Bonjour service instance (session) utilized by the Access Point.
IP Address - Lists the network IP address utilized by the listed Bonjour service providing resources to the Access Point.
Port - Displays the port used to secure a connection with the listed Bonjour service.
Vlan - Lists the VLAN(s) on which a listed Bonjour service is routable.
Vlan Type - Lists the VLAN type as either a local bridging mode or a shared tunnel.
Expiry - Lists the expiration date of the listed Bonjour service, and its availability to discover resources on the LAN.
Refresh - Select the Refresh button to update the screen’s statistics counters to their latest values.

15.4.35 Captive Portal

A captive portal forces an HTTP client to use a special Web page for authentication before using the Internet. A captive portal turns a Web browser into a client authenticator. This is done by intercepting packets regardless of the address or port, until the user opens a browser and tries to access the Internet. At that time, the browser is redirected to a Web page.

To view the captive portal statistics of an Access Point:

1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Captive Portal.

Figure 15-213 Access Point - Captive Portal screen

The Captive Portal screen displays the following:

Client MAC - Displays the requesting client’s MAC address. The MAC displays as a link that can be selected to display client configuration and network address information in greater detail.
Client IP - Displays the requesting client’s IPv4 formatted IP address.
Client IPv6 - Displays the requesting client’s IPv6 formatted IP address.
Captive Portal - Displays the captive portal name that each listed client is utilizing for guest access to Access Point resources.
Port Name - Lists the Access Point port name supporting the captive portal connection with the listed client MAC address.
Authentication - Displays the authentication status of the requesting client.
WLAN - Displays the name of the WLAN the client belongs to.
VLAN - Displays the name of the requesting client’s VLAN interface.
Remaining Time - Displays the time after which the client is disconnected from the captive portal managed Internet.
Refresh - Select the Refresh button to update the screen’s statistics counters to their latest values.

15.4.36 Network Time

Network Time Protocol (NTP) is central to networks that rely on their Access Point(s) to supply system time. Without NTP, Access Point supplied network time is unpredictable, which can result in data loss, failed processes, and compromised security. With network speed, memory, and capability increasing at an exponential rate, the accuracy, precision, and synchronization of network time is essential in an Access Point managed enterprise network. The Access Point can use a dedicated server to supply system time. The Access Point can also use several forms of NTP messaging to sync system time with authenticated network traffic.

The Network Time screen provides detailed statistics of an associated NTP Server of an Access Point. Use this screen to review the statistics for each Access Point.

The Network Time statistics screen consists of two tabs:

• NTP Status
• NTP Association

15.4.36.1 NTP Status

To view the Network Time statistics of an Access Point:

1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Network Time.
Figure 15-214 Access Point - NTP Status screen

The NTP Status tab displays by default with the following information:

Clock Offset - Displays the time differential between the Access Point’s time and its NTP resource’s time.
Frequency - Indicates the SNTP server clock’s skew (difference) for the Access Point.
Leap - Indicates if a second is added or subtracted to SNTP packet transmissions, or if transmissions are synchronized.
Precision - Displays the precision of the time clock (in Hz). The values that normally appear in this field range from -6, for mains-frequency clocks, to -20 for microsecond clocks.
Reference Time - Displays the time stamp the Access Point’s clock was last synchronized or corrected.
Reference - Displays the address of the time source the Access Point is synchronized to.
Root Delay - The total round-trip delay in seconds. This variable can take on both positive and negative values, depending on relative time and frequency offsets. The values that normally appear in this field range from negative values (a few milliseconds) to positive values (several hundred milliseconds).
Root Dispersion - The difference between the time on the root NTP server and its reference clock. The reference clock is the clock used by the NTP server to set its own clock.
Stratum - Displays how many hops the Access Point is from its current NTP time resource.
Refresh - Select the Refresh button to update the screen’s statistics counters to their latest values.
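The NTP Status fields can be checked automatically for the conditions that lead to the "compromised security" this guide warns about (unsynchronized clocks, drifting offsets, unexpected time sources). The Python below is an added example, not part of the WiNG guide or any Extreme Networks code; the record layout, the use of seconds for Clock Offset, the thresholds, the approved-source list and all sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Leap indicator codes carried in the NTP packet header (RFC 5905).
LEAP_MEANING = {
    0: "no warning",
    1: "last minute of the day has 61 seconds",
    2: "last minute of the day has 59 seconds",
    3: "alarm: clock not synchronized",
}

# Policy thresholds. Assumptions for this example; tune them per site.
MAX_ABS_OFFSET_S = 0.128
MAX_ROOT_DISTANCE_S = 1.5
MAX_SYNC_AGE = timedelta(hours=1)
UNSYNCHRONIZED_STRATUM = 16  # stratum 16 means "not synchronized" in NTP


@dataclass(frozen=True)
class NtpStatus:
    """Values transcribed from one AP's NTP Status tab (assumed layout)."""
    ap: str
    clock_offset_s: float      # Clock Offset, assumed to be in seconds
    leap: int                  # Leap, as the numeric indicator
    stratum: int               # Stratum
    root_delay_s: float        # Root Delay (seconds, may be negative)
    root_dispersion_s: float   # Root Dispersion (seconds)
    reference: str             # Reference (address of the time source)
    reference_time: datetime   # Reference Time (last sync or correction)


def root_distance_s(s):
    """Simplified error bound to the root clock: half the delay plus dispersion."""
    return abs(s.root_delay_s) / 2 + s.root_dispersion_s


def assess(s, now, approved_sources):
    """Return (code, detail) findings for one status record."""
    findings = []
    if s.leap == 3:
        findings.append(("LEAP_ALARM", LEAP_MEANING[3]))
    elif s.leap in (1, 2):
        findings.append(("LEAP_PENDING", LEAP_MEANING[s.leap]))
    elif s.leap != 0:
        findings.append(("LEAP_INVALID", f"unexpected leap value {s.leap}"))

    if s.stratum >= UNSYNCHRONIZED_STRATUM:
        findings.append(("STRATUM_UNSYNCHRONIZED", f"stratum {s.stratum}"))

    age = now - s.reference_time
    if age > MAX_SYNC_AGE:
        findings.append(("STALE_SYNC", f"last synchronized {age} ago"))

    # Offset, distance and source mean nothing while the clock is unsynchronized.
    if s.leap == 3 or s.stratum >= UNSYNCHRONIZED_STRATUM:
        return findings

    if s.reference not in approved_sources:
        findings.append(("UNAPPROVED_SOURCE", f"synchronized to {s.reference}"))
    if abs(s.clock_offset_s) > MAX_ABS_OFFSET_S:
        findings.append(("OFFSET_HIGH", f"offset {s.clock_offset_s:+.3f} s"))
    distance = root_distance_s(s)
    if distance > MAX_ROOT_DISTANCE_S:
        findings.append(("ROOT_DISTANCE_HIGH", f"root distance {distance:.3f} s"))
    return findings


def audit(statuses, now, approved_sources):
    """Map each AP name to the list of finding codes raised for it."""
    return {s.ap: [code for code, _ in assess(s, now, approved_sources)]
            for s in statuses}


# Constructed sample data (documentation address ranges, invented AP names).
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
APPROVED = {"192.0.2.10"}
SAMPLE = [
    NtpStatus("ap-lobby", 0.004, 0, 3, 0.030, 0.045,
              "192.0.2.10", NOW - timedelta(minutes=10)),
    NtpStatus("ap-warehouse", 0.950, 0, 4, 0.800, 1.400,
              "198.51.100.77", NOW - timedelta(minutes=5)),
    NtpStatus("ap-dock", 0.0, 3, 16, 0.0, 0.0,
              "0.0.0.0", NOW - timedelta(days=3)),
]

if __name__ == "__main__":
    for record in SAMPLE:
        results = assess(record, NOW, APPROVED)
        print(record.ap, "OK" if not results else results)
```

An Access Point whose clock is unsynchronized or tied to an unapproved source produces log timestamps that cannot be correlated reliably with other devices during an investigation, so these findings are worth alerting on.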
15.4.36.2 NTP Association

The interaction between the Access Point and an NTP server constitutes an association. NTP associations can be either peer associations (the Access Point synchronizes to another system or allows another system to synchronize to it), or server associations (only the Access Point synchronizes to the NTP resource, not the other way around).

To view the Access Point’s NTP association statistics:

1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Network Time.
4 Select the NTP Association tab.

Figure 15-215 Access Point - NTP Association screen

The NTP Association screen displays the following:

Delay Time - Displays the round-trip delay (in seconds) for broadcasts between the NTP server and the Access Point.
Display - Displays the time difference between the peer NTP server and the Access Point’s clock.
Offset - Displays the calculated offset between the Access Point and the NTP server. The Access Point adjusts its clock to match the server’s time value. The offset gravitates towards zero, but never completely reduces its offset to zero.
Poll - Displays the maximum interval between successive messages (in seconds) to the nearest power of two.
Reach - Displays the status of the last eight SNTP messages. If an SNTP packet is lost, the lost packet is tracked over the next eight SNTP messages.
Reference IP Address - Displays the address of the time source the Access Point is synchronized to.
Server IP Address - Displays the numerical IP address of the SNTP resource (server) providing SNTP updates to the Access Point.
State - Displays the NTP association status code.
Status - Displays how many hops the Access Point is from its current NTP time source.
Time - Displays the time of the last statistics update.
Refresh - Select the Refresh button to update the screen’s statistics counters to their latest values.

15.4.37 Load Balancing

An Access Point load can be viewed in a graph and filtered to display different load attributes. The Access Point’s entire load can be displayed, as well as the separate loads on the 2.4 and 5 GHz radio bands. The channels can also be filtered for display. Each element can either be displayed individually or collectively in the graph.

To view the Access Point’s load balance in a filtered graph format:

1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Load Balancing.
Figure 15-216 Access Point - Load Balancing screen

The Load Balancing screen displays the following:

Load Balancing - Select any of the options to display any or all of the following information in the graph below: AP Load, 2.4GHz Load, 5GHz Load, and Channel. The graph section displays the load percentages for each of the selected variables over a period of time, which can be altered using the slider below the upper graph.
Client Requests Events - The Client Request Events displays the Time, Client, Capability, State, WLAN and Requested Channels for all client request events on the Access Point. Supported Access Points can support up to 256 clients per Access Point.
15.4.38 Environmental Sensors (AP8132 Models Only)

A sensor module is a USB environmental sensor extension to an AP8132 model Access Point. It provides a variety of sensing mechanisms, allowing the monitoring and reporting of the radio coverage area. The output of the sensor's detection mechanisms is viewable using the Environmental Sensor screen.

To view an AP8132 model Access Point’s environmental statistics:

1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Environment.

Figure 15-217 Access Point - Environmental Sensor screen (Light tab)

The Light tab displays by default, with additional Temperature, Motion and Humidity tabs available for unique sensor reporting. Each of these sensor measurements helps the administrator determine whether the immediate deployment area is occupied by changes in the Access Point's environment.

4 Refer to the Light table to assess the sensor's detected light intensity within the Access Point’s immediate deployment area.

Light intensity is measured by the sensor in lumens. The table displays the Current Light Intensity (lumens) and a 20 Minute Average of Light Intensity (lumens). Compare these two items to determine whether the deployment location remains consistently lit, as an administrator can power off the Access Point’s radios when no activity is detected in the immediate deployment area. For more information, see Profile Environmental Sensor Configuration (AP8132 Only) on page 8-222.
5 Refer to the Light Intensity Trend Over Last Hour graph to assess the fluctuation in lighting over the last hour. Use this graph to assess the deployment area’s light intensity at particular hours of the day, as needed, in conjunction with the daily graph immediately below it.
6 Refer to the Light Intensity Trend Over Last Day graph to assess whether lighting is consistent across specific hours of the day. Use this information to help determine whether the Access Point can be upgraded or powered off during specific hours of the day.
7 Select the Temperature tab.

Figure 15-218 Access Point - Environmental Sensor screen (Temperature tab)

8 Refer to the Temperature table to assess the sensor's detected temperature within the Access Point’s immediate deployment area.

Temperature is measured in centigrade. The table displays the Current Temperature (centigrade) and a 20 Minute Average Temperature (centigrade). Compare these two items to determine whether the deployment location remains consistently heated. For more information on enabling the sensor, see Profile Environmental Sensor Configuration (AP8132 Only) on page 8-222.

9 Refer to the Temperature Trend Over Last Hour graph to assess the fluctuation in ambient temperature over the last hour. Use this graph in combination with the Light and Motions graphs (in particular) to assess the deployment area’s activity level.
10 Refer to the Temperature Trend Over Last Day graph to assess whether deployment area temperature is consistent across specific hours of the day. Use this information to help determine whether the Access Point can be upgraded or powered off during specific hours of the day.
11 Select the Motion tab.
Figure 15-219 Access Point - Environmental Sensor screen (Motion tab)

12 Refer to the Motion table to assess the sensor's detected movement within the Access Point’s immediate deployment area.

Motion is measured in intervals. The table displays the Current Motion (count per interval) and a 20 Minute Average Motion (count per interval). Compare these two items to determine whether the Access Point’s deployment location remains consistently occupied by client users. For more information on enabling the sensor, see Profile Environmental Sensor Configuration (AP8132 Only) on page 8-222.

13 Refer to the Motion Trend Over Last Hour graph to assess the fluctuation in user movement over the last hour. Use this graph in combination with the Light and Temperature graphs (in particular) to assess the deployment area’s activity level.
14 Refer to the Motion Trend Over Last Day graph to assess whether deployment area user movement is consistent across specific hours of the day. Use this information to help determine whether the Access Point can be upgraded or powered off during specific hours of the day.
15 Select the Humidity tab.
Figure 15-220 Access Point - Environmental Sensor screen (Humidity tab)

16 Refer to the Humidity table to assess the sensor's detected humidity fluctuations within the Access Point’s immediate deployment area.

Humidity is measured in percentage. The table displays the Current Humidity (percent) and a 20 Minute Average Humidity (percent). Compare these two items to determine whether the deployment location remains consistently humid (often a by-product of temperature). For more information on enabling the sensor, see Profile Environmental Sensor Configuration (AP8132 Only) on page 8-222.

17 Refer to the Humidity Trend Over Last Hour graph to assess the fluctuation in humidity over the last hour. Use this graph in combination with the Temperature and Motions graphs (in particular) to assess the deployment area’s activity levels.
18 Refer to the Humidity Trend Over Last Day graph to assess whether deployment area humidity is consistent across specific hours of the day. Use this information to help determine whether the Access Point can be upgraded or powered off during specific hours of the day.

15.5 Wireless Client Statistics

The wireless client statistics display read-only statistics for a client selected from within its connected Access Point and controller or service platform directory. It provides an overview of the health of wireless clients in the controller or service platform managed network. Use this information to assess if configuration changes are required to improve client performance.

Wireless client statistics can be assessed using the following criteria:

• Health
• Details
• Traffic
• WMM TSPEC
• Association History
• Graph

15.5.1 Health

The Health screen displays information on the overall performance of a selected wireless client.

To view the health of a wireless client:

1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, an Access Point, then a connected client.
3 Select Health.

Figure 15-221 Wireless Client - Health screen

The Wireless Client field displays the following:

Client MAC - Displays the factory encoded MAC address of the selected wireless client.
Hostname - Lists the hostname assigned to the client when initially managed by the controller, service platform or Access Point.
Vendor - Displays the vendor name (manufacturer) of the wireless client.
State - Displays the current operational state of the wireless client. The client’s state can be idle, authenticated, roaming, associated or blacklisted.
IP Address - Displays the IP address the selected wireless client is currently utilizing as a network identifier.
WLAN - Displays the client’s connected Access Point WLAN membership. This is the WLAN whose QoS settings should account for the client’s radio traffic objective.
Radio MAC - Displays the Access Point radio MAC address the wireless client is connected to on the network.
VLAN - Displays the VLAN ID the Access Point has defined for use as a virtual interface with the client.

The User Details field displays the following:

Username - Displays the unique name of the administrator or operator managing the client’s connected Access Point, controller or service platform.
Authentication - Lists the authentication scheme applied to the client for interoperation with the Access Point.
Encryption - Lists the encryption scheme applied to the client for interoperation with the Access Point.
Captive Portal Auth. - Displays whether captive portal authentication is enabled for the client as a guest access medium to the controller or service platform managed network.

The RF Quality Index field displays the following:

RF Quality Index - Displays information on the RF quality for the selected wireless client. The RF quality index is the overall effectiveness of the RF environment as a percentage of the connect rate in both directions, as well as the retry and error rate. RF quality index can be interpreted as:
  0 – 20 (Very poor quality)
  20 – 40 (Poor quality)
  40 – 60 (Average quality)
  60 – 100 (Good quality)
Average Retry Number - Displays the average number of retries per packet. A high number indicates possible network or hardware problems.
SNR - Displays the signal to noise (SNR) ratio of the connected wireless client.
Signal - Displays the power of the radio signals in - dBm.
Noise - Displays the disturbing influences on the signal by interference of signals in - dBm.
Error Rate - Displays the number of received bit rates altered due to noise, interference and distortion. It’s a unitless performance measure.

The Association field displays the following:

AP Hostname - Lists the administrator assigned device name of the client’s connected Access Point.
AP - Displays the MAC address of the client’s connected Access Point.
Radio - Lists the target Access Point that houses the radio. Select the Access Point to view performance information in greater detail.
Radio ID - Lists the hardware encoded MAC address the radio uses as a hardware identifier that further distinguishes the radio from others within the same device.
Radio Number - Displays the Access Point’s radio number (either 1, 2 or 3) to which the selected client is associated.
Radio Type - Displays the radio type. The radio can be 802.11b, 802.11bg, 802.11bgn, 802.11a or 802.11an.

4 The Traffic Utilization field displays statistics on the traffic generated and received by the selected client. This area displays the traffic index, which measures how efficiently the traffic medium is utilized. It’s defined as the percentage of current throughput relative to the maximum possible throughput.

Traffic indices are:

• 0 – 20 (Very low utilization)
• 20 – 40 (Low utilization)
• 40 – 60 (Moderate utilization)
• 60 and above (High utilization)

The Traffic Utilization table displays the following:

Total Bytes - Displays the total bytes processed by the Access Point’s connected wireless client.
Total Packets - Displays the total number of packets processed by the wireless client.
User Data Rate - Displays the average user data rate in both directions.
Physical Layer Rate - Displays the average packet rate at the physical layer in both directions.
Tx Dropped Packets - Displays the number of packets dropped during transmission.
Rx Errors - Displays the number of errors encountered during data transmission. The higher the error rate, the less reliable the connection or data transfer between the client and connected Access Point.

5 Select the Refresh button to update the screen’s statistics counters to their latest values.

15.5.2 Details

The Details screen provides granular performance information for a selected wireless client.

To view the details screen of a connected wireless client:

1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, an Access Point, then a connected client.
3 Select Details.
Figure 15-222 Wireless Client - Details screen

The Wireless Client field displays the following:

SSID - Displays the client’s Service Set ID (SSID).
Hostname - Lists the hostname assigned to the client when initially managed by the controller, service platform or Access Point managed network.
Device Type - Displays the client device type providing the details to the operating system.
RF Domain - Displays the RF Domain to which the connected client is a member via its connected Access Point, controller or service platform. The RF Domain displays as a link that can be selected to display configuration and network address information in greater detail.
OS - Lists the client’s operating system (Android etc.).
Browser - Displays the browser type used by the client to facilitate its wireless connection.
Type - Lists the client manufacturer (or vendor).
Role - Lists the client’s defined role in the controller, service platform or Access Point managed network.
Role Policy - Lists the user role set for the client as it became a controller, service platform or Access Point managed device.
Client Identity - Displays the unique vendor identity of the listed device as it appears to its adopting controller or service platform.
Client Identity Precedence - Lists the numeric precedence this client uses in establishing its identity amongst its peers.
Protected Management Frames - A green checkmark defines management frames as protected between this client and its associated Access Point radio. A red X states that management frames are disabled for the client and its connected radio.
Transmit Power Management - Lists the number of power management frames exchanged between this client and its connected Access Point radio. Lists zero when disabled.

The User Details field displays the following:

Username - Displays the unique name of the administrator or operator managing the client’s connected Access Point.
Authentication - Lists the authentication scheme applied to the client for interoperation with its connected Access Point radio.
Encryption - Lists the encryption scheme applied to the client for interoperation with its connected Access Point radio.
Captive Portal Auth. - Displays whether captive portal authentication is enabled. When enabled, a restrictive set of access permissions may be in effect.

The Connection field displays the following:

Idle Time - Displays the time for which the wireless client remained idle.
Last Active - Displays the time in seconds the wireless client was last interoperating with its connected Access Point.
Last Association - Displays the duration the wireless client was in association with its connected Access Point.
Session Time - Displays the duration for which a session can be maintained by the wireless client without it being dis-associated from the Access Point.
SM Power Save Mode - Displays whether this feature is enabled on the wireless client. The spatial multiplexing (SM) power save mode allows an 802.11n client to power down all but one of its radios. This power save mode has two sub modes of operation: static operation and dynamic operation.
Power Save Mode - Displays whether this feature is enabled or not. To prolong battery life, the 802.11 standard defines an optional Power Save Mode, which is available on most 802.11 clients. End users can simply turn it on or off via the card driver or configuration tool. With power save off, the 802.11 network card is generally in receive mode listening for packets and occasionally in transmit mode when sending packets. These modes require the 802.11 NIC to keep most circuits powered-up and ready for operation.
WMM Support - Displays whether WMM is enabled or not in order to provide data packet type prioritization between the Access Point and connected client.
40 MHz Capable - Displays whether the wireless client has 802.11n channels operating at 40 MHz.
Max Physical Rate - Displays the maximum data rate at the physical layer.
Max User Rate - Displays the maximum permitted user data rate.
MC2UC Streams - Lists the number of multicast to unicast data streams detected.

The Association field displays the following:

AP - Displays the MAC address of the client’s connected Access Point.
BSS - Displays the Basic Service Set (BSS) the Access Point belongs to. A BSS is a set of stations that can communicate with one another.
Radio Number - Displays the Access Point radio the wireless client is connected to.
Radio Type - Displays the radio type. The radio can be 802.11b, 802.11bg, 802.11bgn, 802.11a or 802.11an.
Rate - Displays the permitted data rate for Access Point and client interoperation.

The 802.11 Protocol field displays the following:

High-Throughput - Displays whether high throughput is supported. High throughput is a measure of the successful packet delivery over a communication channel.
RIFS - Displays whether this feature is supported. RIFS is a required 802.11n feature that improves performance by reducing the amount of dead time between OFDM transmissions.
Negotiated Fast BSS Transition - Lists whether Fast BSS transition is negotiated. This indicates support for a seamless fast and secure client handoff between two Access Points, controllers or service platforms.
Unscheduled APSD - Displays whether APSD is supported. APSD defines an unscheduled service period, which is a contiguous period of time during which the Access Point is expected to be awake.
AID - Displays the Association ID (AID) established by an AP. 802.11 association enables the Access Point to allocate resources and synchronize with a client. A client begins the association process by sending an association request to an Access Point. This association request is sent as a frame. This frame carries information about the client and the SSID of the network it wishes to associate. After receiving the request, the Access Point considers associating with the client, and reserves memory space for establishing an AID for the client.
Max AMSDU Size - Displays the maximum size of AMSDU. AMSDU is a set of Ethernet frames to the same destination that are wrapped in an 802.11n frame. This value is the maximum AMSDU frame size in bytes.
Max AMPDU Size - Displays the maximum size of AMPDU. AMPDU is a set of Ethernet frames to the same destination that are wrapped in an 802.11n MAC header. AMPDUs are used in a very noisy environment to provide reliable packet transmission. This value is the maximum AMPDU size in bytes.
Interframe Spacing - Displays the interval between two consecutive Ethernet frames.
Short Guard Interval - Displays the guard interval in microseconds. Guard intervals prevent interference between data transmissions. The guard interval is the space between characters being transmitted. The guard interval eliminates inter-symbol interference (ISI). ISI occurs when echoes or reflections from one character interfere with another character. Adding time between transmissions allows echoes and reflections to settle before the next character is transmitted. A shorter guard interval results in shorter character times which reduces overhead and increases data rates by up to 10%.

4 Select the Refresh button to update the screen’s statistics counters to their latest values.

15.5.3 Traffic

The traffic screen provides an overview of client traffic utilization in both the transmit and receive directions. This screen also displays an RF quality index.

To view the traffic statistics of a wireless client:

1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, an Access Point, then a connected client.
3 Select Traffic.

Figure 15-223 Wireless Client - Traffic screen

Traffic Utilization statistics employ an index, which measures how efficiently the traffic medium is used. It’s defined as the percentage of current throughput relative to the maximum possible throughput. Traffic indices are:
• 0 – 20 (Very low utilization)
• 20 – 40 (Low utilization)
• 40 – 60 (Moderate utilization)
• 60 and above (High utilization)

This screen also provides the following:

Total Bytes - Displays the total bytes processed (in both directions) by the Access Point’s connected client.
Total Packets - Displays the total number of data packets processed (in both directions) by the Access Point’s connected wireless client.
User Data Rate - Displays the average user data rate.
Packets per Second - Displays the packets processed per second.
Physical Layer Rate - Displays the data rate at the physical layer level.
Bcast/Mcast Packets - Displays the total number of broadcast/multicast packets processed by the client.
Management Packets - Displays the number of management (overhead) packets processed by the client.
Tx Dropped Packets - Displays the client’s number of dropped packets while transmitting to its connected Access Point.
Tx Retries - Displays the total number of client transmit retries with its connected Access Point.
Rx Errors - Displays the errors encountered by the client during data transmission. The higher the error rate, the less reliable the connection or data transfer between client and connected Access Point.
Rx Actions - Displays the number of receive actions during data transmission with the client’s connected Access Point.
Rx Probes - Displays the number of probes sent. A probe is a program or other device inserted at a key juncture in a network for the purpose of monitoring or collecting data about network activity.
Rx Power Save Poll - Displays the power save using the Power Save Poll (PSP) mode. Power Save Poll is a protocol which helps reduce the amount of time a radio needs to be powered. PSP allows the WiFi adapter to notify the Access Point when the radio is powered down. The Access Point holds any network packet to be sent to this radio.

The RF Quality Index area displays the following information:

RF Quality Index - Displays information on the RF quality of the selected wireless client. The RF quality index is the overall effectiveness of the RF environment as a percentage of the connect rate in both directions as well as the retry rate and the error rate. The RF quality index value can be interpreted as:
  0 – 20 (Very low utilization)
  20 – 40 (Low utilization)
  40 – 60 (Moderate utilization)
  60 and above (High utilization)
Retry Rate - Displays the average number of retries per packet. A high number indicates possible network or hardware problems.
SNR (dBm): Displays the connected client’s signal to noise ratio (SNR). A high SNR could warrant a different Access Point connection to improve performance.
Signal (dBm): Displays the power of the radio signals in - dBm.
Noise (dBm): Displays the disturbing influences on the signal in - dBm.
Error Rate (ppm): Displays the number of received bit rates altered due to noise, interference and distortion. It’s a unitless performance measure.
MOS Score: Displays average voice call quality using the Mean Opinion Score (MOS) call quality scale. The MOS scale rates call quality on a scale of 1-5, with higher scores being better. If the MOS score is lower than 3.5, it’s likely users will not be satisfied with the voice quality of their call.
R-Value: R-value is a number or score used to quantitatively express the quality of speech in communications systems. This is used in digital networks that carry Voice over IP (VoIP) traffic. The R-value can range from 1 (worst) to 100 (best) and is based on the percentage of users who are satisfied with the quality of a test voice signal after it has passed through a network from a source (transmitter) to a destination (receiver). The R-value scoring method accurately portrays the effects of packet loss and delays in digital networks carrying voice signals.

4 Select the Refresh button to update the screen’s statistics counters to their latest values.

15.5.4 WMM TSPEC

The 802.11e Traffic Specification (TSPEC) provides a set of parameters that define the characteristics of the traffic stream (operating requirement and scheduling etc.). The sender TSPEC specifies parameters available for packet flows. Both sender and the receiver use TSPEC. The TSPEC screen provides information about TSPEC counts and TSPEC types utilized by the selected wireless client.

To view the TSPEC statistics:

1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand a RF Domain, select a controller or service platform, an Access Point, then a connected client.
3 Select WMM TSPEC.
Figure 15-224 Wireless Client - WMM TSPEC screen

The top portion of the screen displays the TSPEC stream type and whether the client has roamed.

The Ports Stats field displays the following:

Sequence Number: Lists a sequence number that’s unique to this WMM TSPEC uplink or downlink data stream.
Direction Type: Displays whether the WMM TSPEC data stream is in the uplink or downlink direction.
Request Time: Lists each sequence number’s request time for WMM TSPEC traffic in the specified direction. This is time allotted for a request before packets are actually sent.
Used Time: Displays the time the client used TSPEC. The client sends a delete traffic stream (DELTS) message when it has finished communicating.
TID: Displays the parameter for defining the traffic stream. TID identifies data packets as belonging to a unique traffic stream.

4 Periodically select Refresh to update the screen to its latest values.

15.5.5 Association History

Refer to the Association History screen to review this client’s Access Point connections. Hardware device identification, operating channel and GHz band data is listed for each Access Point. The Association History can help determine whether the client has connected to its target Access Point and maintained its connection, or has roamed and been supported by unplanned Access Points in the controller or service platform managed network.

To view a selected client’s association history:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand a RF Domain, select a controller or service platform, an Access Point, then a connected client.
3 Select Association History.

Figure 15-225 Wireless Client - Association History screen

Refer to the following to discern this client’s Access Point association history:

Access Point: Lists the Access Point MAC address this client has connected to, and is being managed by.
BSSID: Displays the BSSID of each previously connected Access Point.
Channel: Lists the channel shared by both the Access Point and client for interoperation, and to avoid congestion with adjacent channel traffic.
Band: Lists the 2.4 or 5GHz radio band this client and its connected Access Point are using for transmit and receive operations.
Time: Lists the historical connection time between each listed Access Point and this client.

4 Select Refresh to update the screen to its latest values.

15.5.6 Graph

Use the client Graph to assess a connected client’s radio performance and diagnose issues that may be negatively impacting performance. Up to three selected performance variables can be charted at one time. The graph uses a Y-axis and an X-axis to associate selected parameters with their performance measure.

To view a graph of this client’s statistics:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand a RF Domain, select a controller or service platform, an Access Point then a connected client.
3 Select Graph.
4 Use the Parameters drop-down menu to define from 1 - 3 variables assessing client signal noise, transmit or receive values.
5 Use the Polling Interval drop-down menu to define the interval the chart is updated. Options include 30 seconds, 1 minute, 5 minutes, 20 minutes or 1 hour. 30 seconds is the default value.

Figure 15-226 Wireless Client - Graph

6 Select an available point in the graph to list the selected performance parameter, and display that parameter’s value and a time stamp of when it occurred.

15.6 Guest Access Statistics

Guest client statistics are uniquely available for wireless clients requesting the required pass code, authentication and access into the WiNG managed guest client network.

Guest Access statistics can be assessed for the following:
• Guest Access Cumulative Statistics
• Social Media Statistics
• Reports
• Notifications
• Guest Access Database
15.6.1 Guest Access Cumulative Statistics

The Statistics screen displays information on the WiNG managed guest client network. It includes browser utilization, new versus returning user trends, client user age, client operating system, device type proliferation and gender trending.

To view a cumulative set of client guest access statistics:

1 Select the Statistics menu from the Web UI.
2 Select Guest Access above the navigation pane (on the upper left-hand side of the screen, directly to the right of System).
3 Select Statistics.

Figure 15-227 Guest Access - Statistics screen

4 Refer to the top of the screen to configure how the following trending periods and user filters are set for guest access statistics trending and reporting:

Timeline: Use the drop-down menu to specify whether statistics are gathered for 1-Day, 1-Month, 1-Week, 2-Hours, 30-Mins or 5-Hours. Timelines support the latest time period from present. For example, specifying 30-Mins displays statistics for the most recent 30 minutes trended.
RF Domain: Use the drop-down menu to select a single RF Domain from which to filter guest access statistics. Optionally select All to include data from each RF Domain supported.
WLAN: Use the drop-down menu to filter guest access statistics to a specific WLAN. A single WLAN can belong to more than one RF Domain.

5 Refer to the following to assess guest client browser, operating system, age, gender and new versus returning status to assess whether guest client utilization is in line with WiNG guest access deployment objectives:

Device Browser: Displays guest user browser utilization in pie-chart format. Each client browser type (Chrome, Firefox, Safari and Internet Explorer) detected within the defined trending period displays uniquely in its own color for easy differentiation. The number of guest clients utilizing each browser also displays numerically.
User Walk-in Trends: Walk-in trending enables an administrator to filter new guest access clients versus return guest clients out of the total reported for the trending period and selected RF Domain and WLAN. New guest users (blue), return guests (red) or total guests can either be collectively displayed or individually displayed by selecting one, two or all three of the options.
Age Range: Displays guest user age differentiation in pie-chart format. Age ranges are uniquely color coded as Less Than 18, 18 to 20, 21 to 24, 25 to 34, 35 to 44, 45 to 54, 55 to 64 and Greater Than 64. Each age group detected within the trending period displays uniquely in its own color for easy differentiation. Each age range also displays numerically. Periodically assess whether the age ranges meet expectations for guest client access within the WiNG managed guest network.
Operating System: Displays guest client operating system utilization in pie-chart format. Each client operating system type (Android, Windows 7, Windows 8, Apple iOS and Macintosh) displays uniquely in its own color for easy differentiation. The number of guest clients utilizing each operating system also displays numerically.
Visitors: Displays return guest clients versus new guest clients in pie-chart format. Both new and returning clients display uniquely in their own color for easy differentiation. Periodically assess whether the number of returning guest clients is in line with the guest network’s deployment objectives in respect to the RF Domain(s) and WLAN(s) selected for trending.
Customer Loyalty App: Graphically displays the number of guest clients with loyalty application presence enabled. Loyalty application detection occurs on the Access Point to which the client is associated, allowing a retail administrator to assess whether a captive portal client is using specific retail (loyalty) applications in their captive portal. This setting is enabled by default.
Devices: Displays guest client device type utilization in pie-chart format. Each client device type (Windows PC, Macintosh, Apple iPad, Android Mobile and Motorola Droid) displays uniquely in its own color for easy differentiation. The number of each device type detected also displays numerically to help assess their proliferation within the WiNG managed guest network.
Gender: Displays guest client gender in pie-chart format. Detected male and female guest users display uniquely in their own color for easy differentiation. Guest clients whose gender is unspecified also display to help assess the undetermined gender client count out of total. The number of male, female and unspecified guest clients also displays numerically.
6 Select the Refresh button to update the screen’s statistics counters to their latest values.

15.6.2 Social Media Statistics

Device registration using social media login credentials requires user validation through the guest user's social media account. The guest user authenticates with an administrator configured social media server like Facebook or Google. Upon successful authentication, the guest user's social media profile data (collected from the social media server) is registered on the device.

To view guest access social media utilization for guest clients:

1 Select the Statistics menu from the Web UI.
2 Select Guest Access above the navigation pane (on the upper left-hand side of the screen, directly to the right of System).
3 Select Social.

Figure 15-228 Guest Access - Social screen

4 Refer to the top of the screen to configure how the following trending periods and user filters are set for guest access social media trending:

Timeline: Use the drop-down menu to specify whether social media statistics are gathered for 1-Day, 1-Month, 1-Week, 2-Hours, 30-Mins or 5-Hours. Timelines support the latest time period from present. For example, specifying 30-Mins displays statistics for the most recent 30 minutes trended.
RF Domain: Use the drop-down menu to select a single RF Domain from which to filter social media guest access statistics. Optionally select All to include data from each RF Domain supported.
WLAN: Use the drop-down menu to filter guest access social media statistics to a specific WLAN. A single WLAN can belong to more than one RF Domain.

The data displays in bar graph format, with the total number of social media authenticating clients listed in green, and those currently online displayed in orange for both Google and Facebook authenticating clients. Refer to the Local graph to assess those clients requiring captive portal authentication as a fallback mechanism for guest registration through social media authentication.

5 Periodically select Refresh to update the statistics counters to their latest values.

15.6.3 Reports

Report queries can be filtered and run to obtain information on targeted guest clients within the WiNG guest network.

To generate customized guest client reports:

1 Select the Statistics menu from the Web UI.
2 Select Guest Access above the navigation pane (on the upper left-hand side of the screen, directly to the right of System).
3 Select Reports.

Figure 15-229 Guest Access - Reports screen

4 Select the drop-down menu at the top, left-hand, side of the screen to define whether the guest client’s report data is fetched based on its MAC, Name, Mobile, Email, Member or Time. Once provided, enter an appropriate search string to generate a report for the target guest client. When completed with the report’s search strings, select Get Data.
5 Refer to the User Data table to review the following report output:

MAC: Displays the factory encoded hardware MAC address assigned to this guest client at the factory by the manufacturer. This is the guest client’s hardware identifier added to the guest user database. If the guest client requests access later, this MAC address is validated against the guest user database, and the client is allowed access to the WiNG managed guest network.
Name: Lists the name used for guest access authentication and pass code generation.
Email: Lists the E-Mail address used for guest access authentication and the receipt of the required passcode.
Mobile: Lists the guest client’s registered mobile number used for guest access authentication requests and the receipt of the required passcode.
Source: Lists the source (Facebook, Google) whose username and password were used as the client’s social media authenticator.

15.6.4 Notifications

For each registered guest user, a passcode is sent by E-mail, SMS or both. A guest management policy defines E-mail host and SMS gateway commands, along with credentials required for sending a passcode to a guest client via E-mail and SMS. Users can configure up to 32 different guest management policies. Each policy enables the user to configure the SMS gateway, SMS message body, E-mail SMTP server, E-mail subject contents and E-mail message body. There can be only one guest management policy active per device at any one time.

The short message service (SMS) is the text messaging service component of phone, E-Mail and mobile systems. SMS uses standardized communications protocols to allow fixed or mobile phone devices to exchange text messages.

To review guest client notification statistics:

1 Select the Statistics menu from the Web UI.
2 Select Guest Access above the navigation pane (on the upper left-hand side of the screen, directly to the right of System).
3 Select Notification.
Figure 15-230 Guest Access - Notification screen

4 Review the following Clickatell Gateway information. By default, clickatell is the host SMS gateway server resource for guest access.

Status: Displays an icon as a visual indicator of the gateway status. Green defines the gateway as available. Red indicates the gateway is down and unavailable.
Session ID: Lists an event ID for the clickatell gateway session credential and passcode exchange.
Message ID: Lists the unique SMS message ID created for the successful message exchange with the clickatell host SMS gateway server.
Last SMS Time: Lists the timestamp appended to the sent time of the clickatell SMS gateway message.
Last SMS Number: Lists the numeric status code returned in response to a SMS gateway server guest access request.
Last SMS Sent Status: Lists the associated status strings returned in response to a SMS gateway server guest access request.
Last SMS Authentication Status: Lists the SMS authentication credential and validation message exchange status for the listed clickatell gateway session ID.

5 Review the following SMS to SMTP Gateway information.

Last E-Mail Time: Displays the most recent E-Mailed passcode to a guest via SMS. SMS enables guest users to register with their E-Mail or mobile device ID as the primary key for authentication.
Last E-Mail To: Lists the recipient of the most recent SMS to SMTP server credential E-mail exchange containing the required passcode for the registered guest.
Last E-Mail Status: Lists the completion status of the most recent server SMS to SMTP gateway credential exchange containing the required passcode for the authenticating guest client.

6 Review the following Email Gateway information.

Last E-Mail Time: Displays the time of the most recent E-Mailed passcode to a guest access requesting client. Guest users can register with their E-mail credentials as the primary means of authentication.
Last E-Mail To: Lists the recipient of this session’s server E-Mail credential exchange containing the required passcode for the authenticating guest client.
Last E-Mail Status: Lists the completion status of the most recent server E-Mail credential exchange containing the required passcode for the authenticating guest client.

15.6.5 Guest Access Database

Refer to the Database screen to periodically import or export guest access information to and from a WiNG managed device. The import or export of the guest access database is supported in JSON format only. Archiving guest access utilization data is a good way to assess periods of high and low utilization and better plan for client guest access consumption of controller or Access Point network resources.

To administrate the guest access database:

1 Select the Statistics menu from the Web UI.
2 Select Guest Access above the navigation pane (on the upper left-hand side of the screen, directly to the right of System).
3 Select Database.
Figure 15-231 Guest Access - Database Import/Export screen

4 Select Export to archive guest access data (in JSON or CSV format) to a designated remote location, or Import to upload guest access utilization data back to the WiNG managed controller, service platform or Access Point.
5 If conducting an Export operation, provide the following to refine the data exported:

Format: Define whether the guest access data is exported in JSON or CSV format. JavaScript Object Notation (JSON) is an open standard format using text to export data objects consisting of attribute value pairs. A comma-separated values (CSV) file stores tabular data in plain text. Plain text means that the file is interpreted as a sequence of characters, so that it is human-readable with a standard text editor. Each line of the file is a data record. Each record consists of one or more fields, separated by commas.
Timeline: Use the drop-down menu to specify whether guest access statistics are exported for the previous 1-Day, 1-Month, 1-Week, 2-Hours, 30-Mins or 5-Hours. Timelines support the latest time period from present. For example, specifying 30-Mins exports statistics trended over the most recent 30 minutes.
RF Domain: Use the drop-down menu to select a single RF Domain from which to filter social media guest access statistics. Optionally select All to include data from each RF Domain supported.
WLAN: Use the drop-down menu to filter guest access social media statistics to a specific WLAN. A single WLAN can belong to more than one RF Domain.
6 When exporting or importing guest access data (regardless of format), provide the following URL data to accurately configure the remote host.

Format: Select the data transfer protocol used for exporting or importing guest access data. Available options include:
• tftp
• ftp
• sftp
Port: Use the spinner control to set the virtual port for the export or import operation.
Host: Provide a textual hostname or numeric IP address of the server used for guest access data transfer operations. Hostnames cannot include an underscore character. Select IPv4 Address to use an IPv4 formatted address as the host. Select IPv6 Address to use an IPv6 formatted address as the host. IPv6 provides enhanced identification and location information for computers on networks routing traffic across the Internet. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons.
User Name: If using FTP or SFTP as the data transfer protocol, enter the username required by the remote FTP or SFTP server resource.
Password: If using FTP or SFTP as the data transfer protocol, enter the password required by the remote FTP or SFTP server resource.
Path/File: Specify the path to the server resource where guest access data is either exported or imported. Enter the complete relative path to the file on the server. If electing to use SFTP as the file transfer protocol, it’s recommended the path/file be set using the command line interface (CLI).

7 When the URL data is accurately entered, select the Export or Import button respectively to initiate the operation.
8 Optionally select the Delete tab to purge either all or part of the guest user database.

Figure 15-232 Guest Access - Database Deletion screen
9 Select All to remove the contents of the entire database. Select Any to invoke a drop-down menu where Mac, Name, Mobile, Email or a WLAN can be selected to refine the database removal to just a selected entity. Enter the name of the MAC address, user, mobile number or WLAN you wish to remove from the database, then select Delete.

15.7 Analytics Developer Interface

The analytics developer interface is an additional tool available to administrators to review specific APIs in granular detail. The developer interface is available to elected NOC controllers or service platforms capable of provisioning all of their peer controllers, service platforms and adopted devices. NOC controllers include NX9000, NX9500, NX9510, NX7500, and RFS6000 models.

To access the developer interface:

1 Connect to the controller using its existing IP address, but append /stats to the end of the IP address as follows:

http://<CONTROLLER_IP_ADDRESS>/stats
or
https://<CONTROLLER_IP_ADDRESS>/stats

The following login screen displays for the developer interface:

Figure 15-233 Developer Interface - Login screen

2 Provide the same Username and Password credentials you’re currently utilizing for a typical controller login.

Once the login credentials are successfully entered, the following screen displays:

Figure 15-234 Developer Interface - Main screen

Refer to the following for more detailed descriptions of the functionality available to administrators using the analytics developer interface:
• Download REST API Toolkit
• API Assessment

15.7.1 Download REST API Toolkit

Sample Representational State Transfer (REST) code can be downloaded from the toolkit. REST is a software design schema for Web application development.
To download sample REST API code:

1 Select Download REST api toolkit from the Web UI.

A File Download screen displays prompting for the desired location of the download or whether the files should be opened directly.

Figure 15-235 Developer Interface - File Download screen

2 Open the zip archive and review the Readme file to assess the contents and how they can be leveraged for API creation and modification.

Sample Ruby Client

A sample Ruby client is provided as part of this package. The Ruby client can be used as a sample to pull statistics data from NXAnalytics. The response from NXAnalytics is in JSON format.

Contents

Readme.txt file.
Ruby script files:
  NXAStatsClient.rb
  NXARESTClient.rb
  NXAResultsJSONParser.rb
  NXALogin.rb
  NXAException.rb
  NXAConstants.rb
  NXAConnectionParams.rb
Requirements To Run Sample Ruby Client

Ruby 2.0 or above. The sample has been tested with Ruby 2.0. To download Ruby use the following:
https://www.ruby-lang.org/en/downloads/
or
http://rubyinstaller.org/

Additional Ruby Gems needed to run the sample client are the following.
 - ipaddress
 - json
 - rest-client
Please install the gems before running the sample client.

How To Run the Program From Command Line

  ruby NXAStatsClient <IPAddress Of Controller>
            <Protocol[http|https]> <Port [8080|443]>
            <Stats_Type>[wlan | rfdomain | radio | client | captive-portal | client-assoc-disassoc]
            <lookback_duration_in_seconds [ 1 - 2592000]>
            <username> <password>
            <number_of_results_to_return [ 1 - 100]>

  Sample:
  ruby NXAStatsClient 172.20.33.45 https 443 rfdomain 600 admin admin 30
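A pre-flight check for the command line documented above, as an added example (it is not part of the toolkit or its Readme): it validates the eight arguments against the documented values and ranges, flags cleartext transport and credential exposure, and produces a copy of the arguments that is safe to log. The http/8080 and https/443 pairing, the function names and the second sample line are assumptions made for the example.

```ruby
require "ipaddr"

# Values and ranges taken from the toolkit's usage text.
STATS_TYPES = %w[wlan rfdomain radio client captive-portal client-assoc-disassoc].freeze
LOOKBACK    = (1..2_592_000) # seconds
RESULTS     = (1..100)
# Assumption: the usage text lists http|https and 8080|443 in the same order,
# so each protocol is paired with the port in the same position.
PORTS         = { "http" => 8080, "https" => 443 }.freeze
PASSWORD_SLOT = 6 # zero-based position of <password> in the argument list

Finding = Struct.new(:level, :field, :message)

# Strict decimal parse: "600" => 600, "600s" or "" => nil.
def parse_int(text)
  Integer(text.to_s, 10)
rescue ArgumentError, TypeError
  nil
end

# Returns a list of Finding records (:error or :warning) for one argument list.
def audit_invocation(argv)
  findings = []
  add = ->(level, field, msg) { findings << Finding.new(level, field, msg) }

  unless argv.length == 8
    add.call(:error, :argv, "expected 8 arguments, got #{argv.length}")
    return findings
  end
  host, proto, port, type, lookback, user, password, limit = argv

  begin
    raise IPAddr::InvalidAddressError, "prefix not allowed" if host.include?("/")
    IPAddr.new(host)
  rescue IPAddr::Error
    add.call(:error, :host, "not an IP address: #{host.inspect}")
  end

  case proto
  when "https" then nil
  when "http"
    add.call(:warning, :protocol, "http carries the login and statistics unencrypted")
  else
    add.call(:error, :protocol, "must be http or https")
  end

  port_n = parse_int(port)
  if !PORTS.value?(port_n)
    add.call(:error, :port, "must be 8080 or 443")
  elsif PORTS.key?(proto) && PORTS[proto] != port_n
    add.call(:warning, :port, "port #{port_n} does not match #{proto} (assumed pairing)")
  end

  unless STATS_TYPES.include?(type)
    add.call(:error, :stats_type, "unknown stats type #{type.inspect}")
  end

  { lookback: [lookback, LOOKBACK], results: [limit, RESULTS] }.each do |field, (text, range)|
    n = parse_int(text)
    add.call(:error, field, "must be an integer in #{range}") unless n && range.cover?(n)
  end

  if user == "admin" && password == "admin"
    add.call(:warning, :credentials, "same admin/admin pair as the Readme sample line")
  end
  # The documented interface takes the password as an argument, so this always applies.
  add.call(:warning, :password,
           "command-line arguments are visible to other local users (ps) and kept in shell history")
  findings
end

# Copy of the argument list that is safe to write to a log: the password is masked.
def redacted(argv)
  argv.each_with_index.map { |arg, i| i == PASSWORD_SLOT ? "********" : arg }
end

# Field names of all findings at one level, in the order they were raised.
def fields(findings, level)
  findings.select { |f| f.level == level }.map(&:field)
end

# First line: the sample from the usage text. Second line: constructed for this example.
DOC_SAMPLE = %w[172.20.33.45 https 443 rfdomain 600 admin admin 30].freeze
BAD_SAMPLE = %w[controller_1 http 443 clients 0 ops S3cret 500].freeze

if __FILE__ == $PROGRAM_NAME
  [DOC_SAMPLE, BAD_SAMPLE].each do |argv|
    puts "ruby NXAStatsClient #{redacted(argv).join(' ')}"
    audit_invocation(argv).each { |f| puts "  #{f.level}: #{f.field}: #{f.message}" }
  end
end
```
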
How To Run the Program From IDE

If you are using Eclipse or APTANA or any other IDE please do the following.
  - Choose appropriate network proxy settings
  - Configure IDE to choose appropriate Ruby interpreter
  - Create a Ruby project
  - Copy the Ruby files as part of package to the new Ruby project
  - Define the arguments required for the main Ruby program
  - Run the main Ruby program

15.7.2 API Assessment

Refer to the toolkit’s API functionality to review a collection of APIs for specific feature groups, including captive portals, client associations and disassociations, client stats, RF Domains.

To review the toolkit’s built-in set of APIs:

1 Select API from the Web UI.

Figure 15-236 Developer Interface - API

2 Select an available feature from the catalog of features.
An administrator can either launch a query for a selected feature or select catalog to expose the schema for a selected feature.

3 Select query to display the NX2 Raw Query Interface.

Figure 15-237 Developer Interface - API Raw Query Interface

4 Select Go to initiate the query for the selected item.
Figure 15-238 Developer Interface - API Raw Query Results

The results of the query display the values currently set for the selected feature. This information cannot be manipulated as a configurable API attribute, though this information can be utilized as criteria for API attribute creation.

5 From the NX2 Features Interface, select a feature from those available and select catalog.
Figure 15-239 Developer Interface - API Catalog

The catalog item selection displays the values currently set for the selected feature. As with queries, this information cannot be manipulated as a configurable API attribute, though this information can be utilized as criteria for API attribute creation.
16 Analytics

NX9500 and NX9510 model service platforms can provide granular and robust analytic reporting for a RFS4000 and RFS6000 controller managed network. Using analytics, data is collected and reported at varying intervals. Analytic data is culled from WLANs at either the system, RF Domain, controller/service platform or Access Point level. Analytics can parse and process events within the NOC managed network as events are received. The analytics display resembles the Health and Inventory pages available to controllers and Access Points, though Analytics provides performance information at a far more granular level.

The analytics user interface populates information within a data store, with multiple displays partitioned by performance function. The data store is a customizable display managed with just the content the administrator wants viewed. The data store is purged after 90 days if no administration is conducted sooner.

A separate analytics license is enforced at the NOC. The license restricts the number of Access Point streams processed at the NOC or forwarded to partner systems for further processing. The analytics feature can be turned on at select APs by enabling them in configuration. This way the customer can enable analytics on a select set of APs and not the entire system, as long as the number of APs on which it is enabled is less than or equal to the total number of AP analytics licenses available at the NOC controller.

For more information, see:
• System Analytics
• RF Domain Analytics
• Wireless Controller Analytics
• Access Point Analytics
• Analytic Event Monitoring

16.1 System Analytics

Analytics can be administrated at the system level to include all RF Domains, their controller or service platform memberships, adopted Access Points and their connected clients. For information on monitoring analytic events, refer to Analytic Event Monitoring.

To administrate analytics system-wide:

1 Select Statistics from the Web UI.
2 Select the Analytics menu item directly to the right of the System menu item within Statistics.

The analytics screen displays with Captive Portal data displayed by default.

Refer to the arrow icon located in the top, right-hand, side of each panel to define whether the display is in Chart format, a Table or whether you would like the output for that parameter saved as a PDF report at a user specified location.
Figure 16-1 System Analytics - Captive Portal screen

3 Refer to the upper, right-hand, portion of the analytics interface and define the trending period for the data displayed. Options include Last 1 Day, Last 3 Days, Last 1 Week, Last 2 Weeks, Last 3 Weeks, Last 1 Month, Last 2 Months or Last 3 Months. Today is the default setting for trending analytics data.
4 Refer to the following Captive Portal analytic data trended and reported in real-time on the selected interval:

Device Types: Displays a pie chart (by default) of the captive portal clients (smart phones, tablets, laptops etc.). Select the table icon from the top, right-hand, side of the field to display the data in table format. Both the pie chart and table display the device type and the percentage of those devices only within the captive portal.
Device OS: Displays a pie chart (by default) of connected devices (using captive portal authentication), differentiated by their operating system (Windows, Linux, Android etc.). Select the table icon from the top, right-hand, side of the field to display the data in table format. Both the pie chart and table display the OS type and the percentage of that device OS type only within the captive portal.
Browser Types: Displays a pie chart (by default) of the browser types utilized by captive portal authenticated devices. Select the table icon from the top, right-hand, side of the field to display the data in table format. Both the pie chart and table display the OS type by percentage of utilization only within the captive portal.
Top X URLs: Reports the top visited URLs by connected clients using captive portal authentication. Use the spinner control to refine the number of URLs reported, then select Reload to update the display. Set whether the content is displayed as a chart or as a table.
Search Terms: Lists the number of unique clients who searched using a search term. Each display option lists the search term and the number of times each term was searched by a connected captive portal client. For example, if there are two clients (clients A and B), and client A searched for "extremenetworks" 5 times and client B searched for "extremenetworks" 2 times, the count would be 2 and not 7. As with URLs, search terms are normalized (aggregated daily).
Normalized URLs: Reports URLs visited most often, normalized (aggregated daily), by devices using captive portal authentication. Select the arrow to the left of each listed URL timestamp to populate the URL and Count columns with the specific URLs visited and the number of times they’ve been visited.
Unique vs Repeat Users: Displays a breakdown of repeat versus new users to the captive portal. Both a chart and a table display are available, each with a timestamp of when the data was collected.
Device Count Per AP: Displays the number of top performing Access Points reporting connected client counts using captive portal authentication.
Clients in WLAN: Displays the number of managed WLANs reporting connected client counts. Client analytics are trended every 75 minutes.

5 Select Client Analytics to display analytic level data for connected wireless clients.

NOTE: Be sure to select the Search button adjacent to the Search for Wireless Client parameter to ensure the tables are populated and refreshed with detected wireless clients. Client analytics are trended every 75 minutes.
Figure 16-2 System Analytics - Client Analytics screen

6 Refer to the following Client Analytics trended at the selected interval:

Hostname: Lists the administrator assigned hostname set for each listed client when connected to the controller, service platform or Access Point managed network.
Mac Address: Displays the factory encoded MAC address for the listed client as a hardware manufacturing ID.
IP Address: Lists the IP addresses the client is using as a wireless network identifier within the controller, service platform or Access Point managed network.
RF Domain: Lists the client’s current RF Domain membership. RF Domains allow administrators to assign regional, regulatory and RF configuration to devices deployed in a common coverage area such as on a building floor, or site. Each RF Domain contains regional, regulatory and sensor server configuration parameters and may also be assigned policies that determine access, Smart RF and WIPS configuration.
Access Point: Displays an administrator assigned hostname for each listed Access Point whose radio is providing a network connection for the wireless network.
The Client Analytics screen contains Web Activity, Traffic and RF displays within the lower half of the screen. Each of these analytics displays an administrator’s choice of graphical or tabled data for the client’s Web activity, SNR, network interference, signal quality and packet retries.

Figure 16-3 System Analytics - Client Web Activity screen

7 The Web Activity field displays by default with the following content trended in the selected interval:

Bandwidth: Displays the client’s Web activity bandwidth utilization in Bits per second (Bps) in either chart or table format.
URL Visited: Displays URLs visited by a selected client in either chart or table format. Either display contains the Web destination URL and the number of times the URL was accessed by the client.
Search Terms: Displays terms used as Web search criteria by connected clients in either chart or table format. Either display contains the search item and the number of times the term was searched by the client.

8 Select Traffic.
Figure 16-4 System Analytics - Client Traffic screen

9 Refer to the following client Traffic analytics trended at the selected interval:
10 Select RF.

Figure 16-5 System Analytics - Client RF screen

Tx/Rx Bps: Displays the Bits per second (Bps) speed of data both transmitted from and received at the listed client, in either chart or table format.
Signal to Noise Ratio: Displays the connected client’s signal to noise ratio (SNR) and a time stamp of its reporting. A high SNR could warrant a different Access Point connection to improve performance.
Tx/Rx Rate: Displays the connected client’s transmit and receive data rate in either chart or table format.
11 Refer to the following client RF analytics trended in the selected interval:
12 Select Smart RF to display system-level power and channel compensation analytics:

Figure 16-6 System Analytics - Smart RF screen

13 Refer to the following system-wide power level, channel and coverage Smart RF analytics trended in real-time at the administrator defined interval:

RF Quality Index: Displays the overall effectiveness of the system-wide RF environment as a percentage of the connect rate in both directions. The RF quality index value can be interpreted as:
  0 – 20 (Very low utilization)
  20 – 40 (Low utilization)
  40 – 60 (Moderate utilization)
  60 and above (High utilization)
Average Retries: Displays the rate of client connection retry attempts and a timestamp of their occurrence in either chart or table format. A high number indicates potential network or hardware issues.
Power Level Changes: Displays the number of Smart RF power level compensations made for the system’s RF Domains during the defined analytic reporting interval. This helps an administrator assess the device power changes needed to accommodate a potentially failed or poorly performing device and provides insight into the overall duty cycle requirements of a particular RF Domain.
Channel Changes: Displays the number of Smart RF channel change compensations made for the system’s RF Domains during the defined analytic reporting interval.
Coverage Changes: Displays the number of Smart RF coverage change compensations made for the system’s RF Domains during the defined analytic reporting interval.
16.2 RF Domain Analytics

Additional analytics are available at the RF Domain level of the user interface for trending data for specific groups of RF Domain member devices. RF Domain analytics are trended every 60 minutes. For information on monitoring analytic events, refer to Analytic Event Monitoring.

To administrate RF Domain level analytics:

1 Select Statistics from the Web UI.
2 Select the Analytics menu item directly to the right of the System menu item within Statistics.
3 Expand the System hierarchy on the left-hand side of the user interface and select an RF Domain.

The Analytics screen displays with the Captive Portal tab displayed by default. This is the same data presented at the system level of the user interface. For more information on captive portal analytics, see System Analytics on page 16-1.

4 Select Traffic to assess throughput and bandwidth utilization information reported collectively for selected RF Domain member devices. Use the WLAN drop-down menu to refine whether traffic statistics are reported for a particular RF Domain WLAN or reported collectively for all WLANs.

Refer to the arrow icon located in the top right-hand side of each panel to define whether the display is in Chart format, a Table or whether you would like the output for that parameter saved as a PDF report at a user specified location.
Figure 16-7 RF Domain Analytics - Traffic screen

5 Refer to the upper right-hand portion of the analytics interface and define the trending period for the data displayed. Options include Yesterday, Last 24 Hours, Last 3 Days, Last 1 Week, Last 2 Weeks, Last 3 Weeks, Last 1 Month, Last 2 Months or Last 3 Months. Today is the default setting for trending analytics data.
6 Refer to the following Traffic analytic data trended and reported for RF Domain member devices:

Throughput: Lists RF Domain member device throughput (in Mbps) as an overall indicator of RF traffic activity of all RF Domain member devices. Assess whether specific times of the day require additional RF Domain member device support to adequately support RF traffic requirements.
Tx/Rx Bps: Displays transmit and receive data (in Bps) for RF Domain member devices over the listed trending period.
Bandwidth Usage: Lists RF Domain member bandwidth utilization (in Kbps) to help an administrator assess periods of sustainable versus unsustainable activity.
Average Client Count per AP: Displays RF Domain member Access Points and their connected client counts. Assess whether particular client counts are excessive, and whether loads can be better distributed amongst RF Domain member Access Points. Client analytics are trended every 75 minutes.
Client Count: Lists RF Domain member Access Point connected client counts. Use the trending data to assess periods of high versus low client connection activity. Client analytics are trended every 75 minutes.
7 Select RF to display RF Domain member device RF quality, detected network interference (noise) and device connection retries.

Figure 16-8 RF Domain Analytics - RF screen

8 Refer to the following RF analytics trended for a selected RF Domain:

Wireless Traffic Distribution: Displays a chart of unicast versus management frames transmitted by RF Domain member devices.
RF Quality Index: Displays the trended graph of the effectiveness of a selected RF Domain’s RF environment as a percentage of the connect rate in both directions. The RF quality index value can be interpreted as:
  0 – 20 (Very low utilization)
  20 – 40 (Low utilization)
  40 – 60 (Moderate utilization)
  60 and above (High utilization)
Signal to Noise Ratio: Displays a selected RF Domain’s connected client signal to noise ratio (SNR) and a time stamp of its reporting. A high SNR could warrant power compensation to account for poorly performing radios.
Retry Rate: Lists the number of retry attempts for requesting client connections to RF Domain member device radios.
