Management Options

For more information, see the ExtremeCloud IQ User Guide.

About Management Options

Toggle the switch to On to enable Management Options and configure management settings. Use these settings to control how administrators are authenticated and how they access the devices they manage. You can also configure global and device-level settings. For example, you can enable or disable the reset button and console port, enable or disable proxying ARP requests and replies, allow APs and routers to forward broadcasts and multicasts between SSIDs, and a variety of other options such as adjusting LED brightness, and setting temperature alarms.

Enter the following information for your management services set:

Name: Enter a descriptive name for the management services set. The name can contain up to 32 characters and cannot have spaces.

Description: Enter an optional note about the set of management options for future reference. It can contain up to 64 characters, including spaces.

Configure the settings described in the following sections, and then select Save. Select Next to push these settings to your devices.

Forwarding Engine Control

The forwarding engine settings control which types of traffic are forwarded between interfaces and through GRE tunnels, and set logging features.

GRE Tunneling Selective Multicast Forwarding

Extreme Networks devices can selectively block or allow broadcast and multicast traffic through GRE tunnels to reduce traffic congestion. You can filter using a blacklist that blocks the forwarding of all broadcast and multicast traffic through GRE tunnels (or blocks all except to a few select destinations) or using a whitelist that allows all broadcast and multicast traffic through GRE tunnels (or allows all except to a few destinations).

Block All: Select to block the forwarding of all multicast and broadcast traffic through tunnels.

Allow All: Select to allow the forwarding of all multicast and broadcast traffic through tunnels.

Exception IP List: To specify exceptions to the blacklist (Block All) or whitelist (Allow All), select . In the dialog box, enter the destination IP address and netmask, and then select Add. You can also enter an IPv6 address.
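The forwarding decision described above, written out as an added example (not ExtremeCloud IQ or IQ Engine code): the exception list is parsed with Python's `ipaddress` module so IPv4 entries may be given with a netmask or prefix length and IPv6 entries can be mixed in, and the same list is then read as a blacklist under Block All and as a whitelist under Allow All. The mode names `block_all` / `allow_all`, the `strict=False` host-in-network handling and the sample multicast groups are this example's constructions.

```python
import ipaddress
from typing import Iterable, List


def parse_exception_list(entries: Iterable[str]) -> List:
    """Parse exception entries of the form 'address/netmask' or 'address/prefixlen'.

    IPv4 and IPv6 entries may be mixed. strict=False lets an entry name a host
    inside the network (e.g. 239.1.1.5/255.255.255.0) and still match the whole
    /24; treating the dialog as that forgiving is this example's assumption.
    """
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def forward_through_tunnel(dst: str, mode: str, exceptions: List) -> bool:
    """Decide whether a broadcast/multicast packet to dst is forwarded through a GRE tunnel.

    mode == "block_all": blacklist; drop everything except exception destinations.
    mode == "allow_all": whitelist; forward everything except exception destinations.
    """
    addr = ipaddress.ip_address(dst)
    matched = any(addr.version == net.version and addr in net for net in exceptions)
    if mode == "block_all":
        return matched
    if mode == "allow_all":
        return not matched
    raise ValueError(f"unknown mode {mode!r}")


# Constructed sample configuration: under Block All, only these groups cross the tunnel.
SAMPLE_EXCEPTIONS = parse_exception_list([
    "239.255.255.250/255.255.255.255",   # IPv4 host entry written with a netmask
    "224.0.0.251/32",                    # same idea in prefix-length form
    "ff02::fb/128",                      # IPv6 entry, as the dialog permits
])

if __name__ == "__main__":
    for dst in ("239.255.255.250", "224.0.0.1", "ff02::fb", "ff02::1"):
        print(dst,
              "block_all ->", forward_through_tunnel(dst, "block_all", SAMPLE_EXCEPTIONS),
              "allow_all ->", forward_through_tunnel(dst, "allow_all", SAMPLE_EXCEPTIONS))
```

Under Block All the exception list is the only traffic that passes; under Allow All the same three entries become the only traffic that is dropped, which is why the list should be reviewed whenever the mode is switched.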

Service Control

Limit MAC sessions per station: Select the check box to enable MAC session limiting, and then set the maximum number of MAC sessions (Layer 2 sessions) that can be created to or from a station. You can set the maximum number of MAC sessions from 1 to 8000.

Clear the check box to disable MAC session limiting. By default, devices do not enforce MAC session limits per station.

Limit IP sessions per station: Select the check box to enable IP session limiting, and then set the maximum number of IP sessions (Layer 3 sessions) that can be created to or from a station. You can set the maximum number of IP sessions from 1 to 8000.

Clear the check box to disable IP session limiting. By default, devices do not enforce IP session limits per station.

Enable TCP Maximum Segment Size: When establishing a TCP connection, neither end is aware of the packet processing done by network forwarding equipment in between. For example, if a device has to send traffic through an IPsec VPN tunnel, then it adds a GRE header, IPsec header, and possibly a UDP header for NAT-Traversal to each packet. Because the additional headers expand packet size, the device will be forced to fragment them, which increases packet processing and slows down throughput. To avoid fragmentation, the device can adjust the MSS (maximum segment size) value inside the initial SYN packet to allow room for the additional headers.

Select the check box to enable a device to monitor the TCP MSS (maximum segment size) option in TCP SYN and SYN-ACK messages for traffic that the device is going to pass through GRE tunnels (for Layer 3 roaming and static identity-based tunnels) and GRE-over-IPsec tunnels (for IPsec VPN tunnels). The device can then notify the sender to adjust the TCP MSS value if it exceeds a maximum threshold. The default thresholds are 1414 bytes for GRE tunnels and 1336 bytes for GRE-over-IPsec tunnels and are based on encapsulation overhead of the corresponding tunnel type and the MTU (maximum transmission unit) for the mgt0 interface, which is 1500 bytes by default. (If you change the MTU and use "auto" for the TCP MSS option, the device automatically readjusts the TCP MSS thresholds.)
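To make the threshold arithmetic and the SYN-time adjustment concrete, here is an added example (not IQ Engine code) that derives the per-tunnel overhead from the page's defaults (1500 - 1414 = 86 bytes for GRE, 1500 - 1336 = 164 bytes for GRE-over-IPsec), recomputes the threshold when the MTU changes as the "auto" setting does, and walks the TCP options of a SYN or SYN-ACK to rewrite an MSS that exceeds the threshold. Modelling the device's action as in-path MSS clamping, and treating the overhead figures as fixed, are this example's assumptions; the tunnel names and the sample option bytes are constructed.

```python
import struct
from typing import Iterator, Optional, Tuple

# Page defaults: 1414 for GRE and 1336 for GRE-over-IPsec at a 1500-byte mgt0 MTU.
# The overhead per tunnel type is derived from those numbers here (assumption).
DEFAULT_MTU = 1500
TUNNEL_OVERHEAD = {"gre": DEFAULT_MTU - 1414, "gre_over_ipsec": DEFAULT_MTU - 1336}


def mss_threshold(tunnel: str, mtu: int = DEFAULT_MTU) -> int:
    """Largest MSS that still fits one packet after encapsulation ("auto" follows the MTU)."""
    return mtu - TUNNEL_OVERHEAD[tunnel]


def _walk_options(opts: bytes) -> Iterator[Tuple[int, int, int]]:
    """Yield (offset, kind, length) per TCP option. EOL (0) ends the list; NOP (1) has no length."""
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:
            return
        if kind == 1:
            yield i, 1, 1
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated TCP option header")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):   # also stops a zero-length loop
            raise ValueError("malformed TCP option length")
        yield i, kind, length
        i += length


def read_mss(opts: bytes) -> Optional[int]:
    """Return the MSS option value (kind 2, length 4) if the segment carries one."""
    for off, kind, length in _walk_options(opts):
        if kind == 2 and length == 4:
            return struct.unpack("!H", opts[off + 2:off + 4])[0]
    return None


def clamp_mss(opts: bytes, tunnel: str, mtu: int = DEFAULT_MTU) -> Tuple[bytes, bool]:
    """Rewrite the MSS option of a SYN/SYN-ACK if it exceeds the tunnel threshold.

    Returns (options, changed). Only SYN/SYN-ACK segments carry MSS, so a caller
    applies this to those segments and must recompute the TCP checksum afterwards.
    """
    limit = mss_threshold(tunnel, mtu)
    buf = bytearray(opts)
    for off, kind, length in _walk_options(opts):
        if kind == 2 and length == 4:
            (mss,) = struct.unpack("!H", opts[off + 2:off + 4])
            if mss > limit:
                buf[off + 2:off + 4] = struct.pack("!H", limit)
                return bytes(buf), True
            break
    return bytes(buf), False


# Constructed SYN options: MSS 1460, NOP, window scale 7, SACK permitted, EOL.
SAMPLE_SYN_OPTIONS = bytes([2, 4, 0x05, 0xB4, 1, 3, 3, 7, 4, 2, 0])

if __name__ == "__main__":
    for tunnel in ("gre", "gre_over_ipsec"):
        new_opts, changed = clamp_mss(SAMPLE_SYN_OPTIONS, tunnel)
        print(tunnel, "threshold", mss_threshold(tunnel),
              "MSS", read_mss(SAMPLE_SYN_OPTIONS), "->", read_mss(new_opts), changed)
```

A host offering the usual Ethernet MSS of 1460 is brought down to 1414 or 1336 depending on the tunnel type, while a host that already offers a smaller value is left alone; lowering the mgt0 MTU lowers both thresholds by the same amount.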

Enable ARP Shield: Enable ARP Shield to prevent Man-In-the-Middle attacks by client devices attempting to impersonate critical network resources on the network such as a network gateway or DNS server through an ARP poisoning attack. ARP Shield should not be used if any clients on the network are assigned static IP addresses. ARP Shield is disabled by default and may be enabled only on access points running IQ Engine 6.8r1 and above. Enabling ARP Shield will not be enforced on access points running IQ Engine 6.5, switches, routers, or Virtual Gateway appliances.

Disable DHCP Shield: Disable DHCP Shield to turn off the built-in ability for IQ Engine to prevent attached clients from impersonating a DHCP server. In the default enabled state, connected clients are blocked from responding to DHCP server discovery or IP lease requests. When disabled, connected clients will be able to respond to DHCP discovery or IP lease requests. DHCP Shield is enabled by default on access points running IQ Engine 6.8r1 and above. Disabling DHCP Shield will result in no changes to access points running IQ Engine 6.5, switches, routers, or Virtual Gateway appliances.
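The two shields described above, as an added illustration (not IQ Engine code) of the per-frame checks an access point can apply to traffic arriving from its wireless clients. ARP Shield is modelled here as checking the ARP sender address against the IP the station obtained through DHCP, which is this example's assumption; it is consistent with the page's caveat, because a statically addressed client never produces a lease for the AP to learn and so would have its ARP traffic dropped. DHCP Shield is modelled as dropping DHCP server replies (BOOTREPLY) that originate from a client. The `ShieldConfig` defaults follow the page (ARP Shield off, DHCP Shield on); the `Frame` record, interface names and sample MAC/IP values are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass
class ShieldConfig:
    arp_shield: bool = False       # page: disabled by default
    dhcp_shield: bool = True       # page: enabled by default
    # Client MAC -> IPv4 address learned from that client's DHCP lease (assumption:
    # ARP Shield validates ARP sender addresses against these bindings).
    dhcp_bindings: Dict[str, str] = field(default_factory=dict)


@dataclass
class Frame:
    ingress: str                   # "client" (wireless station) or "backhaul"
    src_mac: str
    proto: str                     # "arp" or "dhcp"
    arp_op: int = 0                # 1 = request, 2 = reply
    arp_sender_ip: str = ""
    arp_sender_mac: str = ""
    dhcp_op: int = 0               # 1 = BOOTREQUEST (client), 2 = BOOTREPLY (server)


def inspect(frame: Frame, cfg: ShieldConfig) -> Tuple[str, str]:
    """Return ("forward" | "drop", reason) for one frame received by the AP."""
    if frame.ingress != "client":
        return "forward", "not from a client interface"

    if frame.proto == "arp" and cfg.arp_shield:
        src = frame.src_mac.lower()
        if frame.arp_sender_mac.lower() != src:
            return "drop", "ARP Shield: ARP sender MAC differs from frame source MAC"
        # RFC 5227 address probes use sender IP 0.0.0.0 before any lease exists; allow them
        # or DHCP clients could never finish duplicate-address detection.
        if frame.arp_sender_ip != "0.0.0.0":
            bound_ip = cfg.dhcp_bindings.get(src)
            if bound_ip is None or frame.arp_sender_ip != bound_ip:
                return "drop", (f"ARP Shield: client {src} asserted {frame.arp_sender_ip}, "
                                f"which is not its leased address ({bound_ip})")

    if frame.proto == "dhcp" and cfg.dhcp_shield and frame.dhcp_op == 2:
        return "drop", "DHCP Shield: client sent a DHCP server reply (BOOTREPLY)"

    return "forward", "ok"


# Constructed sample: one station leased 10.0.0.50; the gateway lives at 10.0.0.1.
SAMPLE_CONFIG = ShieldConfig(arp_shield=True,
                             dhcp_bindings={"aa:bb:cc:00:00:01": "10.0.0.50"})
SAMPLE_FRAMES = [
    Frame("client", "aa:bb:cc:00:00:01", "arp", 2, "10.0.0.50", "aa:bb:cc:00:00:01"),
    Frame("client", "aa:bb:cc:00:00:01", "arp", 2, "10.0.0.1", "aa:bb:cc:00:00:01"),
    Frame("client", "aa:bb:cc:00:00:02", "arp", 1, "0.0.0.0", "aa:bb:cc:00:00:02"),
    Frame("client", "aa:bb:cc:00:00:03", "dhcp", dhcp_op=2),
    Frame("backhaul", "00:11:22:33:44:55", "dhcp", dhcp_op=2),
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        verdict, reason = inspect(f, SAMPLE_CONFIG)
        print(f"{f.ingress:9} {f.proto:4} {f.src_mac}  {verdict:7} {reason}")
```

The second sample frame is the case the page describes: a station answering ARP for the gateway's address. The fifth shows that the checks apply only to client-facing interfaces; a DHCP server behind the backhaul is untouched.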

Disable Proxy-ARP: Disable proxying ARP requests by selecting the check box. To enable learning MAC addresses and proxy replies to ARP requests, clear the check box. By default, this option is enabled.

  • By default, a device proxies all ARP requests and replies that traverse it. However, there might be occasions, such as when you need to diagnose a network issue, when you want to allow the ARP requests and replies between wireless clients and network devices such as the default gateway to flow directly across the device without proxying them.

Disable Inter-SSID Flooding: Select the check box to disable the forwarding of multicast and broadcast traffic between access interfaces bound to different SSIDs to protect the SSIDs from flooding. This prohibits a device from forwarding traffic that it receives from clients in one SSID to clients associated with the same device in another SSID. Instead, such traffic must first cross the device from an interface in access mode to an interface in backhaul mode. From there, the traffic might pass through an internal firewall that performs deep-packet inspection, URL filtering, or antivirus checking, and so on before sending the traffic back across the device to reach the clients in the destination SSID. Clear the check box to enable the forwarding of multicast and broadcast traffic between access interfaces bound to different SSIDs. SSID flooding is enabled by default.

Disable WebUI Without Disabling CWP: Disable the local web user interface on a device to improve system security without disabling the associated captive web portal.
Select the check box to disable the local web user interface on the selected device. Clear the check box (default) to enable the local web user interface on the selected device.

Global Logging Options and Firewall Policies

Configure the options in this section to log and drop certain types of traffic.

Select the Log check boxes to log dropped packets that are denied by MAC or IP firewall policies, and for the first packets of sessions destined for the IP address of the device itself.

Select the Drop check boxes to drop all fragmented IP packets, and all traffic destined for the device, but which is not management traffic.

System Settings

The system settings allow you to adjust various device-level functions, including device health alarm thresholds, VoIP features, and client OS detection methods. Miscellaneous settings cover reset, console, PoE, and data collection features.

Device-level Settings

LED Brightness: Set the brightness level of the status LEDs on devices: Bright, Soft, Dim, or Off.

  • The AP121, AP141, AP230, AP370, and AP390 support only Bright and Off.

Temperature Alarm Threshold: You can set a temperature threshold for devices, so that when the ambient temperature exceeds the threshold, a warning is generated. The default threshold is 75 degrees Celsius. You can change it within a range of 50 to 80 degrees Celsius. This option applies only to the AP340, AP320, and SR series switch devices.

Fans Underspeed Alarm Threshold: Set the lower threshold for the fan speed. A warning is generated when the fan speed drops below the default value of 2000 RPM, or the value you enter here. This option applies only to the SR switch series.

Call Admission Control: Indicates if devices monitor VoIP (Voice over IP) traffic so that they can determine if there is enough available airtime to admit new VoIP calls. The default setting is disabled.

Airtime per Second: Set the amount of airtime reserved for VoIP traffic. By default, a device reserves 500 milliseconds of airtime per second for all VoIP calls. You can change the reserved airtime per second for VoIP from 100 to 1000 milliseconds per second. Decreasing the amount of reserved airtime for VoIP traffic frees more airtime for traffic other than VoIP. This can be useful if there are only a few VoIP users on the WLAN. Conversely, for a high number of VoIP users, increase the amount of reserved airtime for VoIP calls to better support these users.

Guaranteed Airtime for Roaming Clients: Set the percentage of airtime that a device reserves on the access interface for receiving VoIP calls from roaming clients. By default, a device guarantees 20% of the reserved VoIP airtime for VoIP calls from roaming clients. You can change the percent of guaranteed airtime for roaming clients from 0% to 100%. Consider lowering the percent if VoIP users rarely roam, and raising the setting if roaming often occurs.
  • Because VoIP traffic from a roaming client belongs to an existing session, the device to which the client roams always accepts it. If there is not enough airtime available in the guaranteed roaming reserve, the device then deducts available airtime from the relevant user profile.

OS Detection: Enable to allow devices to detect the OS of client devices based on a combination of DHCP option 55 contents and what is contained in HTTP headers. After you select this option, choose from the following detection methods:

Use DHCP option 55 contents: Select to use the DHCP option 55 parameter list to identify the operating system of the connected client.

Use HTTP user agent IDs: Select to use the contents of the HTTP user agent ID within the HTTP headers to identify the operating system of the connected client.

Use both detection methods (DHCP=primary method, HTTP=secondary method): Select to use both the DHCP option 55 parameter list and the HTTP user agent information to identify the client operating system. When you select this option, the device first checks the contents of the DHCP option 55 parameter list. If it finds no match, it then examines the HTTP header for the HTTP user agent ID to determine the operating system. If no match is found in either pass, ExtremeCloud IQ displays “unknown” as the client OS.
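The three detection methods above, worked through as an added example (not IQ Engine's fingerprinting code): a DHCP options field is walked as TLVs to pull out option 55, the parameter request list is matched against a signature table, and with both methods selected the HTTP User-Agent is consulted only when DHCP gave no match, with "unknown" as the final fallback. The signature tables are constructed samples for illustration, not a real fingerprint database, and `build_discover_options` merely assembles a test DHCPDISCOVER options field.

```python
from typing import Optional, Tuple

# Constructed sample fingerprints (illustration only). Keys are option 55 parameter
# request lists; real deployments rely on a maintained signature database.
DHCP55_SIGNATURES = {
    (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252): "Windows (sample signature)",
    (1, 121, 3, 6, 15, 119, 252): "Apple (sample signature)",
    (1, 3, 6, 15, 26, 28, 51, 58, 59, 43): "Android (sample signature)",
}
# Ordered most specific first: an iPhone User-Agent also contains "like Mac OS X".
USER_AGENT_SIGNATURES = (
    ("iPhone", "iOS"), ("iPad", "iPadOS"), ("Android", "Android"),
    ("Windows NT", "Windows"), ("Mac OS X", "macOS"), ("Linux", "Linux"),
)


def parse_option55(dhcp_options: bytes) -> Optional[Tuple[int, ...]]:
    """Walk the DHCP options TLV field and return option 55's parameter list, if present."""
    i = 0
    while i < len(dhcp_options):
        code = dhcp_options[i]
        if code == 255:            # End option
            break
        if code == 0:              # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(dhcp_options):
            raise ValueError("truncated DHCP option header")
        length = dhcp_options[i + 1]
        value = dhcp_options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated DHCP option value")
        if code == 55:
            return tuple(value)
        i += 2 + length
    return None


def os_from_dhcp(dhcp_options: Optional[bytes]) -> Optional[str]:
    """Primary method: exact match of the option 55 list against the signature table."""
    if not dhcp_options:
        return None
    prl = parse_option55(dhcp_options)
    return DHCP55_SIGNATURES.get(prl) if prl else None


def os_from_user_agent(user_agent: Optional[str]) -> Optional[str]:
    """Secondary method: first matching marker in the HTTP User-Agent header."""
    if not user_agent:
        return None
    for marker, name in USER_AGENT_SIGNATURES:
        if marker in user_agent:
            return name
    return None


def detect_os(method: str, dhcp_options: Optional[bytes] = None,
              user_agent: Optional[str] = None) -> str:
    """method is "dhcp", "http" or "both" (DHCP primary, HTTP secondary); "unknown" if no match."""
    result = None
    if method in ("dhcp", "both"):
        result = os_from_dhcp(dhcp_options)
    if result is None and method in ("http", "both"):
        result = os_from_user_agent(user_agent)
    return result or "unknown"


def build_discover_options(prl: Tuple[int, ...]) -> bytes:
    """Constructed DHCPDISCOVER options: message type (53) = 1, option 55, end."""
    return bytes([53, 1, 1, 55, len(prl), *prl, 255])


if __name__ == "__main__":
    win = build_discover_options((1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252))
    odd = build_discover_options((1, 2, 3))
    ua = "Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X)"
    print(detect_os("both", win), "|", detect_os("both", odd, ua), "|", detect_os("dhcp", odd, ua))
```

With "both" selected the second client in the demonstration is classified from its browser only because its DHCP request matched nothing; with "dhcp" alone the same client stays "unknown", which is the trade-off the page's three options express.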

Miscellaneous Settings (Reset, Console, PoE, and Data Collection)

Disable Reset Button: If a device is physically accessible to people other than administrators, you can disable the ability of the reset button on the front panel of the chassis to reset the device to its default settings or—if set—to a bootstrap configuration. To disable the reset button, clear the check box. To enable the reset button, select the check box.

Disable Console Port: Select the check box to disable the functionality of the console port on a device and, therefore, block all administrative access to the device through that port. Disabling the console port on a device that is deployed in a publicly accessible location is a good security precaution. However, disabling the console port means that all administrative access must flow over the network, and if there are any connectivity issues with the network or if the device—if configured to use only DHCP to get an IP address—cannot get its network settings from a DHCP server, you will not be able to log in to the device. Clear the check box to enable console port functionality and access to devices through it. By default, the console port is enabled.

Enable Smart PoE: The smart PoE (Power over Ethernet) feature lets an AP230, AP320, or AP340 adjust power consumption automatically based on the current power supply. The AP230 and AP320 support PoE on the ETH0 interface. The AP340 supports PoE on both its ETH0 and ETH1 interfaces and can draw power through either one or through both simultaneously.

  • Only AP230, AP320, and AP340 support Smart PoE. For AP230 and AP320 devices, when you use 802.3af PoE on ETH0, ETH1 is automatically turned off, which prevents you from aggregating ETH0 and ETH1.

Using smart PoE, an AP can detect if there are power injectors connected to one or both of its Ethernet ports, how many watts are available for each PoE channel, and if the power adapter is connected or not. Using this information, it manages its internal use of power resources based on the currently available power level as follows:

  • 20 W or higher: No adjustments are needed when the power level is 20 W or higher.
  • 18 - 20 W: The device disables the ETH1 interface. (For the AP340, this assumes that it is drawing power through its ETH0 interface. If it is drawing power solely through its ETH1 interface, then it disables its ETH0 interface instead.)
  • 15 - 18 W: The device switches from 3x3 MIMO (Multiple In, Multiple Out) to 2x3.
  • 13.6 - 15 W: In rare cases when the power drops between 13.6 and 15 W and further power conservation is necessary, the device reduces the speed on its active Ethernet interface from 10/100/1000 Mbps to 10/100 Mbps.
  • 0 - 13.6 W: Finally, in the event that there is a problem with the PoE switch or Ethernet cable and the power falls between 0 and 13.6 W, the device disables its wireless interfaces and returns its ETH0 and ETH1 interfaces to 10/100/1000 Mbps speeds.

Through the application of smart PoE, an AP320 or AP340 can make power usage adjustments so that it can continue functioning even when the available power level drops. Select the check box to enable smart PoE, or clear the check box to disable it. By default, smart PoE is enabled.

  • When using smart PoE, the maximum power consumption setting must be set to No limitation (the default) on Manage > APs > ap > Update > Update PoE Max Power. Manually setting the PoE maximum power consumption level to anything else overrides smart PoE and essentially disables it.

Enable PCI Wireless Control Data Collection: To include data about MAC DoS, IP DoS, and MAC filter violations in PCI compliance reports, select this check box. To exclude this data, clear the check box.

Accept ICMP Redirect Messages: Select the check box to enable devices to accept ICMP redirect messages from routers on their subnet, or clear it so that devices reject ICMP redirect messages. By default, devices reject ICMP redirects because crafted ICMP redirect messages can be maliciously used to cause a victim host to send traffic to an attacker's host—perhaps for a Man-in-the-Middle attack—or even back to the victim itself, which is what occurs during a WinFreeze attack. However, if you feel your network is safe from such threats and you want multiple routers on the local subnet to be able to update the routing table on devices, then enable this option.

Report client information gathered from captive web portals: Select to instruct devices to forward client information (such as name and email address) to ExtremeCloud IQ, where the information is logged as an event.

Activate iBeacon

Hostname in Beacon: To enable iBeacon service, from Manage > Devices > ap_name > Interface Settings, toggle the switch to ON. iBeacon settings are displayed in the Interface Settings window for the APs that have internal iBeacon transmitters and that belong to this network policy.

For more information, see "iBeacon Service".

Authentication Settings

Configure a database location for storing administrator accounts, set the private PSK (PPSK) server auto save interval, and set the MAC address format.

Extreme Networks Device Admin Authentication: Specify the location of the database storing administrator accounts with which the AP authenticates administrators when they log in. You can store admin accounts locally on APs, remotely on RADIUS authentication servers, or in both places. If one or more RADIUS servers are already in place, for convenience and security, you can keep all the accounts there and configure the AP to look up administrators on those servers. In this case, select RADIUS from the drop-down list.

  • Be careful about using the RADIUS option. If all the AP admin accounts are on a RADIUS server and the device cannot connect to it, then the administrators will not be able to log in to the device.

If there is no central RADIUS server containing a user database, or if you prefer to keep the admin accounts locally on the AP, select Local. If you want to use accounts located on an external RADIUS server and locally on the device, select Both. In this case, the device authenticates administrators by first checking accounts on the external RADIUS servers specified in the RADIUS profile, and then checking accounts stored in its local database.

Private PSK Server Auto Save Interval: Set the interval at which a device acting as a private PSK server automatically saves its list of private PSK-to-client MAC address bindings to flash memory. The default interval is 600 seconds (10 minutes). Depending on how frequently the server is binding private PSKs to client MAC addresses, you can make the interval as short as 60 seconds or as long as 3600 seconds (1 hour).

MAC Address Format Delimiter: Some servers only accept MAC addresses in a particular format. To accommodate these requirements, you can specify the types of delimiters between groups of digits, the number of groups to use, and whether to use lower case or upper case.

These settings affect MAC authentication for local users on an Extreme Networks RADIUS server. For example, if you set case sensitivity to lower case (the default) but store local users with upper case MAC addresses as their user names and passwords, MAC authentication checks fail.

By default, a device formats MAC addresses using lower case without any delimiter; for example: 0016cf8d55bc. You can reformat this address by making the following selections:

Colon, no delimiter, upper case: 0016CF8D55BC

Colon, two-delimiter, upper case: 0016:CF8D:55BC

Colon, five-delimiter, upper case: 00:16:CF:8D:55:BC

Dash, five-delimiter, upper case: 00-16-CF-8D-55-BC

Dot, five-delimiter, upper case: 00.16.CF.8D.55.BC
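The formatting choices listed above, and the case-mismatch failure described earlier in this section, as an added example (not ExtremeCloud IQ code): `format_mac` renders a MAC in any of the device's selectable combinations of delimiter, group count and case, and `mac_auth_matches` shows why a stored user name in one format fails against a client presented in another when the RADIUS server compares strings literally. The parameter names and the exact-comparison assumption about the server are this example's; the sample address is the page's own.

```python
import re


def normalize_mac(mac: str) -> str:
    """Strip any delimiters and return the 12 hex digits in lower case."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits.lower()


def format_mac(mac: str, delimiter: str = "", groups: int = 1, upper: bool = False) -> str:
    """Render a MAC address in one of the device's selectable formats.

    groups=1: no delimiter              (0016cf8d55bc)
    groups=3: two delimiters, 4 digits  (0016:CF8D:55BC)
    groups=6: five delimiters, 2 digits (00:16:CF:8D:55:BC)
    The delimiter may be ":", "-", "." or "" as the dialog offers.
    """
    digits = normalize_mac(mac)
    if groups not in (1, 3, 6):
        raise ValueError("groups must be 1, 3 or 6")
    width = 12 // groups
    out = delimiter.join(digits[i:i + width] for i in range(0, 12, width))
    return out.upper() if upper else out


def mac_auth_matches(stored_username: str, client_mac: str,
                     delimiter: str = "", groups: int = 1, upper: bool = False) -> bool:
    """Exact string comparison, as a RADIUS server that does not normalise MACs performs it.

    The device formats the client's MAC per its settings and sends that string as the
    user name; a stored user name in any other format or case does not match.
    """
    return stored_username == format_mac(client_mac, delimiter, groups, upper)


if __name__ == "__main__":
    sample = "0016cf8d55bc"   # the page's example address
    for delim, groups in (("", 1), (":", 3), (":", 6), ("-", 6), (".", 6)):
        print(f"{delim or 'none':4} {groups - 1} delimiter(s): {format_mac(sample, delim, groups, upper=True)}")
    # Device left at its default (lower case, no delimiter) but users stored in upper case:
    print("stored 0016CF8D55BC, device default ->", mac_auth_matches("0016CF8D55BC", sample))
    print("stored 0016CF8D55BC, device upper   ->", mac_auth_matches("0016CF8D55BC", sample, upper=True))
```

The last two lines of the demonstration are the failure the page warns about: the stored user name is correct in every respect except case, and authentication fails until the device's case setting matches the server's records (or the records are rewritten to match the device).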

Select Save. Select Next to push these settings to your devices.