FortiWLC – More About VLANs


FortiWLC (SD) provides commands for configuring both virtual LANs (VLANs) and Generic Routing Encapsulation (GRE) tunnels to facilitate the separation of traffic using logical rather than physical constraints. As an alternative to VLANs, GRE tunneling can be configured on either Ethernet interface, as described in Configure GRE Tunnels in the Security chapter. VLANs and GRE tunnels can coexist within any given network, logically segmenting traffic by organization or function. In this way, all systems used by a given organization can be interconnected, independent of physical location. This has the benefit of limiting the broadcast domain and increasing security.

VLANs, when used in conjunction with multiple ESSIDs, as discussed in Chapter , “,” allow you to support multiple wireless networks on a single access point. You can create a one-to-one mapping of ESSID to VLAN or map multiple ESSIDs to one VLAN.

Customized security configuration by VLAN is also supported. By assigning a VLAN a Security Profile, you can fine-tune the security requirements based on the use of the VLAN (see Chapter , “,” for details).

Dynamic VLAN support in Bridge mode


Delete a VLAN

You cannot delete a VLAN if it is currently assigned to an ESSID (see Chapter , “” on page 137). You cannot delete a VLAN created by E(z)RF Network Server; that must be done from Network Server. To delete a VLAN created on a controller, use the following command in global configuration mode:

no vlan name

For example, to delete the VLAN name vlan1, enter the following:

controller (config)# no vlan vlan1
controller (config)#


VLAN Tagging in Bridge Mode for Wired Ports

You can enable VLAN tagging for wired ports in bridged mode. VLAN tagging for wired ports provides four VLAN policies:

  • No VLAN
  • Static VLAN: VLAN tag shall be configured for a valid range of 0-4094.

Configuring VLAN Tagging

Using CLI

In the port profile configuration, use the following commands to specify the policy and the VLAN tag.

  • default(config-port-profile)# port-ap-vlan-policy
  • default(config-port-profile)# port-ap-vlan-tag



Bridged APs in a VLAN

When creating an ESS, the AP400/AP822/AP832, FAP-U421EV, FAP-U423EV and AP1000 can be configured to bridge the traffic to the Ethernet interface. This is called bridged VLAN dataplane mode (per ESSID); it is also sometimes known as Remote AP mode. These APs can also tag the Ethernet frames when egressing the port, using 802.1Q VLAN tags, and set the 802.1p priority bits. Bridging is configured by setting the Dataplane Mode parameter in the ESS profile to Bridged (the default is Tunneled).

In Tunneled mode, all traffic in an ESS is sent from the AP to the controller, and then forwarded from there. This is configured on a per ESS profile basis. In Bridged mode, client traffic is sent out to the local switch. Fortinet control and coordination traffic is still sent between the AP and the controller.

Remote AP400s can use VLANs with FortiWLC (SD) 4.0 and later. When configuring an ESS, the Dataplane Mode setting selects the type of AP/Controller configuration:

Bridged VLANs support:

  • Non-Virtual Cell
  • Virtual Port
  • RADIUS profile for Mac Filtering/1x/WPA/WPA2
  • Standard DSCP/802.1q to AC mapping defined in WMM
  • RADIUS assigned VLANs (even with 802.1x)
  • QoS Rules

See the ESSID chapters in this guide for more information on configuring an ESSID.


Configure and Deploy a VLAN

VLANs can be configured/owned either by E(z)RF Network Manager or by a controller. You can tell where a profile was configured by checking the read-only field Owner; the Owner is either nms-server or controller.

In order to map an ESSID to a VLAN, the VLAN must first be configured. To create a VLAN from the CLI, use the command vlan name tag id. The name can be up to 16 alphanumeric characters long and the tag id between 1 and 4,094.

For example, to create a VLAN named guest with a tag number of 1, enter the following in global configuration mode:

controller (config)# vlan guest tag 1
controller (config-vlan)#

As shown by the change in the prompt above, you have entered VLAN configuration mode, where you can assign the VLAN interface IP address, default gateway, DHCP Pass-through or optional DHCP server (if specified, this DHCP server overrides the controller DHCP server configuration).

In the following example, these parameters are set:

  • VLAN interface IP address: 10.1.1.2 with a subnet mask of 255.255.255.0
  • Default gateway: 10.1.1.1
  • DHCP server: 10.1.1.254

controller (config-vlan)# ip address 10.1.1.2 255.255.255.0
controller (config-vlan)# ip default-gateway 10.1.1.1
controller (config-vlan)# ip dhcp-server 10.1.1.254
controller (config-vlan)# exit
controller (config)#

To create a VLAN from the GUI, click Config > Wired > VLAN > Add.


Configuring VLANs

A virtual local area network (VLAN) is a broadcast domain that can span across wired or wireless LAN segments. Each VLAN is a separate logical network. Several VLANs can coexist within any given network, logically segmenting traffic by organization or function. In this way, all systems used by a given organization can be interconnected independent of physical location. This has the benefit of limiting the broadcast domain and increasing security. VLANs can be configured in software, which enhances their flexibility. VLANs operate at the data link layer (OSI Layer 2); however, they are often configured to map directly to an IP network, or subnet, at the network layer (OSI Layer 3). You can create up to 512 VLANs.

IEEE 802.1Q is the predominant protocol used to tag traffic with VLAN identifiers. VLAN1 is called the default or native VLAN. It cannot be deleted, and all traffic on it is untagged. A trunk port is a network connection that aggregates multiple VLANs or tags, and is typically used between two switches or between a switch and a router. VLAN membership can be port-based, MAC-based, protocol-based, or authentication-based when used in conjunction with the 802.1x protocol. Used in conjunction with multiple ESSIDs, VLANs support multiple wireless networks on a single Access Point using either a one-to-one mapping of ESSID to VLAN, or mapping multiple ESSIDs to one VLAN. By assigning a security profile to a VLAN, the security requirements can be fine-tuned based on the use of the VLAN, providing wire-like security or better on a wireless network.
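As an added example (not code from the FortiWLC guide), the following Python snippet builds and parses 802.1Q-tagged Ethernet frames as described above: it extracts the VLAN id and the 802.1p priority from the tag, treats untagged frames as the native VLAN1, rejects tag ids the controller cannot carry (outside 1-4094), and flags frames that did not land on the VLAN their ESSID is mapped to. The function names and the sample MAC addresses and VLAN 20 are this example's own constructions.

```python
import struct
from typing import Optional

ETHERTYPE_8021Q = 0x8100   # TPID that announces an 802.1Q tag
NATIVE_VLAN = 1            # untagged traffic belongs to VLAN1, the native VLAN
MAX_VID = 4094             # the controller accepts tag ids 1..4094


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Assemble an Ethernet frame, inserting an 802.1Q tag when vid is given.

    The 16-bit TCI packs the 3-bit 802.1p priority (PCP), the DEI bit and the 12-bit VID.
    """
    header = dst + src
    if vid is not None:
        tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)
        header += struct.pack("!HH", ETHERTYPE_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_vlan_tag(frame: bytes) -> dict:
    """Return addresses, VLAN id, 802.1p priority and inner EtherType of a frame.

    Untagged frames are reported as native VLAN 1 with priority 0. Raises ValueError
    for truncated frames and for VIDs that cannot be a FortiWLC VLAN tag id.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "tagged": False,
            "vid": NATIVE_VLAN, "pcp": 0, "ethertype": ethertype}
    if ethertype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, inner = struct.unpack("!HH", frame[14:18])
        vid = tci & 0x0FFF
        if vid == 0 or vid > MAX_VID:
            # VID 0 is a priority-only tag and 4095 is reserved; neither names a VLAN
            raise ValueError(f"VLAN id {vid} outside the usable range 1-{MAX_VID}")
        info.update(tagged=True, vid=vid, pcp=tci >> 13, ethertype=inner)
    return info


def frames_off_vlan(frames, expected_vid: int) -> list:
    """Source MACs of frames that did not arrive on the VLAN their ESSID is mapped to."""
    wrong = []
    for frame in frames:
        info = parse_vlan_tag(frame)
        if info["vid"] != expected_vid:
            wrong.append(info["src"])
    return wrong


if __name__ == "__main__":
    # Constructed sample traffic: a client on a bridged guest ESSID mapped to VLAN 20
    client = bytes.fromhex("001122334455")
    gateway = bytes.fromhex("66778899aabb")
    tagged = build_frame(gateway, client, 0x0800, b"\x00" * 20, vid=20, pcp=5)
    untagged = build_frame(gateway, client, 0x0806, b"\x00" * 28)
    print(parse_vlan_tag(tagged))
    print("leaked onto the native VLAN:", frames_off_vlan([tagged, untagged], 20))
```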

VLAN assignment is done for RADIUS-based MAC filtering and authentication. VLAN assignment is not done in Captive Portal Authentication by any of the returned attributes. Because VLANs rely on a remote switch that must be configured to support trunking, also refer to the Fortinet Wi-Fi Technology Note WF107, “VLAN Configuration and Deployment.” This document contains the recommended configuration for switches as well as a comprehensive description of VLAN configuration and deployment.


Modifying Detection and Mitigation CLI Settings

The default settings that are configured for the rogue AP detection and mitigation features are adequate for most situations. However, many default settings can be changed if your network requires lighter or heavier scanning and/or mitigation services. The following is the list of rogue-ap commands:

controller (config)# rogue-ap ?

acl                    Add a new rogue AP ACL entry.
aging                  Sets the aging of alarms for rogue APs.
assigned-aps           Number of APs assigned for mitigation.
blocked                Add a new rogue AP blocked entry.
detection              Turn on rogue AP detection.
min-rssi               Sets RSSI Threshold for Mitigation.
mitigation             Set the rogue AP mitigation parameters.
mitigation-frames      Sets the maximum number of mitigation frames sent out per channel.
operational-time       Sets the APs time on the home channel during scanning.
scanning-channels      Sets the global Rogue AP scanning channels.
scanning-time          Sets the APs per channel scanning time

As a general rule, unless the AP is in dedicated scanning mode, the more time that is spent scanning and mitigating, the less time is spent by the AP in normal WLAN operating services. Some rules determine how service is provided:

  • The controller picks the APs that will scan and mitigate; those that mitigate are dependent on their proximity to the rogue AP and the number of mitigating APs that have been set.
  • To preserve operational performance, APs will mitigate only the home channel if they have clients that are associated.
  • Settings are administered globally; there is no way to set a particular AP to mitigate.
  • Mitigation is performed only on clients associated to rogue APs; the rogue APs themselves are not mitigated. It is the network administrator’s responsibility to remove the rogue APs from the network.
  • AP mitigation frames are prioritized below QoS frames, but above Best Effort frames.
  • To reduce network traffic, you may configure the scanning channels list so that it contains only the home channels.

Changing the Number of Mitigating APs with the CLI

By default, three Mitigating APs are selected by the controller to perform scanning and mitigation. This number can be set to a high of 20 APs or down to 1 AP, depending on the needs of your network. To change the number of mitigating APs to 5:

controller (config)# rogue-ap assigned-aps 5

Changing the Scanning and Mitigation Settings with the CLI

When rogue AP scanning is enabled, for any given period, the AP spends part of the time scanning channels, and part of the time performing normal AP WLAN operations on the home channel. This cycle of scan/operate repeats so quickly that both tasks are performed without noticeable network operation degradation.

If scanning is enabled, the rogue-ap operational-time command sets the number of milliseconds that are spent in operational time, performing normal wireless services, on the home channel. This command is related to the rogue-ap scanning-time command. The channels that are scanned are determined by the rogue-ap scanning-channels command. The complete set of default channels is 1,2,3,4,5,6,7,8,9,10,11,36,40,44,48,52,56,60,64,149,153,157,161,165.

The following command changes the operational time from the default 400 to 2500 milliseconds:

controller (config)# rogue-ap operational-time 2500

The following command changes the scanning time from the default 100 to 200 milliseconds:

controller (config)# rogue-ap scanning-time 200

The following command sets the scanning channels to 1, 6, 11, 36, 44, 52, 60:

controller (config)# rogue-ap scanning-channels 1,6,11,36,44,52,60
controller (config)# exit

To verify the changes, use the show rogue-ap globals command:

controller# show rogue-ap globals

Global Settings

Detection                              : on
Mitigation                             : selected
Rogue AP Aging (seconds)               : 60
Number of Candidate APs                : 5
Number of Mitigating APs               : 5
Scanning time in ms                    : 200
Operational time in ms                 : 2500
Max mitigation frames sent per channel : 10
Scanning Channels                      : 1,6,11,36,44,52,60
RSSI Threshold for Mitigation          : -100

Changing the Minimum RSSI with the CLI

The minimum RSSI is the threshold above which APs attempt to mitigate rogues; if the signal is very weak (a distant AP), APs do not try to mitigate it.

The command to change the minimum RSSI (Received Signal Strength Indication) level, above which a station will be mitigated, is rogue-ap min-rssi. A range of 0 to -100 is supported, with -100 being the default setting.

The following command sets the minimum RSSI level to -80:

controller (config)# rogue-ap min-rssi -80
controller (config)#

TABLE 20: CLI Commands for Rogue Mitigation

Rogue Mitigation Command          Action
rogue-ap mitigation all           Sets rogue mitigation for all rogue APs that are not on the access control list.
rogue-ap mitigation selected      Sets rogue mitigation for all rogue APs that are on the blocked list.
rogue-ap mitigation wiredrogue    Sets rogue mitigation for all wired-side rogue APs. If rogue clients on the wired side are added to the blocked ACL list, then only those listed wired-side rogue clients are blocked.
rogue-ap mitigation none          Turns off rogue mitigation.
show rogue-ap globals             Displays current rogue data.

Rogue Mitigation Example

Rogue AP mitigation for APs in the blocked list is enabled and confirmed as follows:

controller# configure terminal
controller(config)# rogue-ap detection
controller(config)# rogue-ap mitigation selected
controller(config)# exit
controller# show rogue-ap globals

Global Settings

Detection                              : on
Mitigation                             : selected
Rogue AP Aging (seconds)               : 60
Number of Candidate APs                : 3
Number of Mitigating APs               : 5
Scanning time in ms                    : 100
Operational time in ms                 : 400
Max mitigation frames sent per channel : 10
Scanning Channels                      : 1,2,3,4,5,6,7,8,9,10,11,36,40,44,48,52,56,60,64,149,153,157,161,165
RSSI Threshold for Mitigation          : -100

Modify Rogue Detection and Mitigation Settings with the CLI

The default settings that are configured for the rogue AP detection and mitigation features are adequate for most situations. However, many default settings can be changed if your network requires lighter or heavier scanning and/or mitigation services. The following is the list of rogue-ap commands:

controller(config)# rogue-ap ?

acl                    Add a new rogue AP ACL entry.
aging                  Sets the aging of alarms for rogue APs.
assigned-aps           Number of APs assigned for mitigation.
blocked                Add a new rogue AP blocked entry.
detection              Turn on rogue AP detection.
min-rssi               Sets RSSI Threshold for Mitigation.
mitigation             Set the rogue AP mitigation parameters.
mitigation-frames      Sets the maximum number of mitigation frames sent out per channel.
operational-time       Sets the APs time on the home channel during scanning.
scanning-channels      Sets the global Rogue AP scanning channels.
scanning-time          Sets the APs per channel scanning time

As a general rule, unless the AP is in dedicated scanning mode, the more time that is spent scanning and mitigating, the less time is spent by the AP in normal WLAN operating services. Some rules determine how service is provided:

  • The controller picks the APs that will scan and mitigate; those that mitigate are dependent on their proximity to the rogue AP and the number of mitigating APs that have been set. To preserve operational performance, APs will mitigate only the home channel if they have clients that are associated.
  • Settings are administered globally; there is no way to set a particular AP to mitigate.
  • Mitigation is performed only on clients associated to rogue APs; the rogue APs themselves are not mitigated. It is the network administrator’s responsibility to remove the rogue APs from the network.
  • AP mitigation frames are prioritized below QoS frames, but above Best Effort frames.
  • To reduce network traffic, you can configure the scanning channels list so that it contains only the home channels.

Changing the Number of Mitigating APs with the CLI

By default, three mitigating APs are selected by the controller to perform scanning and mitigation. This number can be set to a high of 20 APs or down to 1 AP, depending on the needs of your network, although we do not recommend assigning a high number of APs for mitigation because they can interfere with each other while mitigating the rogue. To change the number of mitigating APs to 5:

controller(config)# rogue-ap assigned-aps 5

Changing the Scanning and Mitigation Settings with the CLI

When rogue AP scanning is enabled, for any given period, the AP spends part of the time scanning channels, and part of the time performing normal AP WLAN operations on the home channel. This cycle of scan/operate repeats so quickly that both tasks are performed without noticeable network operation degradation.

If scanning is enabled, the rogue-ap operational-time command sets the number of milliseconds that are spent in operational time, performing normal wireless services, on the home channel. This command is related to the rogue-ap scanning-time command. The channels that are scanned are determined by the rogue-ap scanning-channels command. The complete set of default channels is 1,2,3,4,5,6,7,8,9,10,11,36,40,44,48,52,56,60,64,149,153,157,161,165.

The following command changes the operational time from the default 400 to 2500 milliseconds:

controller(config)# rogue-ap operational-time 2500

The following command changes the scanning time from the default 100 to 200 milliseconds:

controller(config)# rogue-ap scanning-time 200

The following command sets the scanning channels to 1, 6, 11, 36, 44, 52, 60:

controller(config)# rogue-ap scanning-channels 1,6,11,36,44,52,60
controller(config)# exit

To verify the changes, use the show rogue-ap globals command:

controller# show rogue-ap globals

Global Settings

Detection                              : on
Mitigation                             : selected
Rogue AP Aging (seconds)               : 60
Number of Candidate APs                : 5
Number of Mitigating APs               : 5
Scanning time in ms                    : 200
Operational time in ms                 : 2500
Max mitigation frames sent per channel : 10
Scanning Channels                      : 1,6,11,36,44,52,60
RSSI Threshold for Mitigation          : -100

Changing the Minimum RSSI with the CLI

The minimum RSSI is the threshold above which APs attempt to mitigate rogues; if the signal is very weak (a distant AP), APs do not try to mitigate it.

The command to change the minimum RSSI (Received Signal Strength Indication) level, above which a station will be mitigated, is rogue-ap min-rssi. A range of 0 to -100 is supported, with -100 being the default setting.

The following command sets the minimum RSSI level to -80:

controller(config)# rogue-ap min-rssi -80
controller(config)#
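As an added example (not FortiWLC code), the Python snippet below serves the scanning and mitigation settings sections above and their verification step: it parses the text of show rogue-ap globals into values, checks each value against the ranges this guide documents for the Web UI settings, and estimates how much airtime the scan/operate cycle takes away from the home channel. The sample output is constructed from the values used in this section, and the airtime estimate assumes, since the guide does not state it, that each cycle is one operational-time period on the home channel followed by one scanning-time period on a single channel of the scanning list.

```python
import re

# Valid ranges this guide documents for the Web UI global settings
RANGES = {
    "Rogue AP Aging (seconds)": (60, 86400),
    "Number of Mitigating APs": (1, 20),
    "Scanning time in ms": (100, 500),
    "Operational time in ms": (100, 5000),
    "Max mitigation frames sent per channel": (1, 50),
    "RSSI Threshold for Mitigation": (-100, 0),
}
MAX_CHANNEL_LIST_CHARS = 256

# Constructed sample: the output shown after changing the scan settings to 200/2500 ms
SAMPLE_OUTPUT = """\
Global Settings
Detection                              : on
Mitigation                             : selected
Rogue AP Aging (seconds)               : 60
Number of Candidate APs                : 5
Number of Mitigating APs               : 5
Scanning time in ms                    : 200
Operational time in ms                 : 2500
Max mitigation frames sent per channel : 10
Scanning Channels                      : 1,6,11,36,44,52,60
RSSI Threshold for Mitigation          : -100
"""


def parse_globals(output: str) -> dict:
    """Turn 'show rogue-ap globals' text into a dict: ints where numeric, channels as a list."""
    settings = {}
    # output pasted from a terminal sometimes carries a Unicode hyphen before -100; normalise it
    for line in output.replace("\u2010", "-").splitlines():
        m = re.match(r"\s*([^:]+?)\s*:\s*(.*)$", line)
        if not m:
            continue  # headings and prompts carry no colon
        key, value = m.group(1), m.group(2).strip()
        if key == "Scanning Channels":
            settings[key] = [int(c) for c in value.split(",") if c.strip()]
        elif re.fullmatch(r"-?\d+", value):
            settings[key] = int(value)
        else:
            settings[key] = value
    return settings


def check_ranges(settings: dict) -> list:
    """Return human-readable problems for values outside the documented ranges."""
    problems = []
    for key, (lo, hi) in RANGES.items():
        if key in settings and not lo <= settings[key] <= hi:
            problems.append(f"{key} = {settings[key]} outside {lo}..{hi}")
    channels = ",".join(str(c) for c in settings.get("Scanning Channels", []))
    if len(channels) > MAX_CHANNEL_LIST_CHARS:
        problems.append("Scanning Channels list exceeds 256 characters")
    return problems


def scan_budget(settings: dict) -> dict:
    """Estimate the airtime share spent off the home channel and the time for one full sweep.
    Assumption (not stated in the guide): one cycle = operational time on the home channel
    followed by scanning time on a single channel from the scanning list."""
    scan = settings["Scanning time in ms"]
    op = settings["Operational time in ms"]
    cycle = scan + op
    return {"off_channel_share": scan / cycle,
            "sweep_ms": len(settings["Scanning Channels"]) * cycle}


if __name__ == "__main__":
    cfg = parse_globals(SAMPLE_OUTPUT)
    print(check_ranges(cfg) or "all settings within documented ranges")
    print(scan_budget(cfg))  # about 7.4% off-channel, 18900 ms per sweep
```

With the factory defaults (100 ms scanning, 400 ms operational, 24 channels) the same estimate gives 20% off-channel time and a 12 second sweep, which is the trade-off the text describes between scanning and normal WLAN service.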

Configure Rogue AP Mitigation with the Web UI

To prevent clients of unauthorized APs from accessing your network, enable the options for both scanning for the presence of rogue APs and mitigating the client traffic originating from them. These features are set globally, with the controller managing the lists of allowable and blocked WLAN BSSIDs and coordinating the set of APs (the Mitigating APs) that perform mitigation when a rogue AP is detected.

When rogue AP scanning (detection) is enabled, for any given period, the AP spends part of the time scanning channels (determined by the Scanning time in ms setting), and part of the time performing normal AP WLAN operations on the home channel (determined by the Operational time in ms setting). This cycle of scan/operate repeats so quickly that both tasks are performed without noticeable network operation degradation.

The channels that are scanned by a particular AP are determined by the model of AP. As a result of the channel scan, a list of rogue APs is compiled and sent by the controller to a number of Mitigating APs that are closest to the rogue AP. Mitigating APs send mitigation (deauth) frames to the rogue AP where clients are associated to remove those clients from the network. The presence of the rogue AP generates alarms that are noted on the Web UI monitoring dashboard and via syslog alarm messages so the administrator is aware of the situation and can then remove the offending AP or update the configuration list.

Also, if a rogue device is seen on the wired interface of the AP and the device is in the AP’s discovered list of stations, a wired rogue notification is sent via the Web UI monitoring dashboard and a syslog alarm message. If the rogue client is associated with the AP, that client is also classified as a rogue.

Alter the List of Allowed APs with the Web UI

To change the list of allowed APs, follow these steps:

  1. From the Web UI, click Configure > Security > Rogue AP > Global settings. The Allowed APs screen appears. See Figure .

Figure 63: Web UI List of Allowed APs

  2. To add a BSSID to the list, click Add.
    • In the BSSID boxes, type the BSSID, in hexadecimal format, of the permitted access point. To add the BSSID to the ACL, click OK.
  3. To delete a BSSID from the list, select the BSSID, click Delete, then OK.

Alter the List of Blocked APs with the Web UI

To change the list of blocked APs, follow these steps:

  1. From the Web UI click Configure > Security > Rogue AP > Blocked APs. The table shows information about access points listed as blocked BSSIDs in the access control list (ACL).
  2. To see an updated list of the APs blocked in the WLAN, click Refresh.
  3. To add an AP to the blocked list, click Add.
    • In the BSSID box, type the BSSID, in hexadecimal format, of the access point. Add the BSSID to the ACL, by clicking OK.
  4. The blocked BSSID now appears on the list with the following information:
    • BSSID The access point’s BSSID.
    • Creation Time The timestamp of when the blocked AP entry was created.
    • Last Reported Time The time the AP was last discovered. If this field is blank, the AP has not been discovered yet.
  5. To remove a blocked BSSID from the ACL, select the checkbox of the blocked AP entry you want to delete, click Delete, and then click OK.

Configure Scanning and Mitigation Settings with the Web UI

To configure rogue AP scanning and mitigation settings, follow these steps:

  1. From the Web UI click Configuration > Wireless IDS/IPS > Rogue APs.

The Rogue AP screen appears with the Global Settings tab selected. See Figure 62.

Figure 64: Web UI Rogue AP Global Settings

  2. In the Detection list, select one of the following:
    • On: Enables scanning for rogue APs.
    • Off: Disables rogue detection.
  3. In the Mitigation list, select one of the following:
    • No mitigation: No rogue AP mitigation is performed.
    • Block all BSSIDs that are not in the ACL: Enables rogue AP mitigation of all detected BSSIDs that are not specified as authorized in the Allowed APs list.
    • Block only BSSIDs in blocked list: Enables rogue AP mitigation only for the BSSIDs that are listed in the Blocked APs list.
    • Block Clients seen on the wire: Enables rogue mitigation for any rogue station detected on the wired side of the AP (the corporate network, in many cases). When Block clients seen on the wire is selected, clients seen on the corporate network are mitigated. When Block clients seen on the wire is selected and the BSSID of the wired rogue client is entered in the blocked list (see “Alter the List of Blocked APs with the Web UI” on page 310), only listed clients are mitigated.
  4. In the Rogue AP Aging box, type the amount of time that passes before the rogue AP alarm is cleared if the controller no longer detects the rogue. The value can be from 60 through 86,400 seconds.
  5. In the Number of Mitigating APs text box, enter the number of APs (from 1 to 20) that will perform scanning and mitigation of rogue APs.
  6. In the Scanning time in ms text box, enter the amount of time Mitigating APs will scan the scanning channels for rogue APs. This can be from 100 to 500 milliseconds.
  7. In the Operational time in ms text box, enter the amount of time Mitigating APs will spend in operational mode on the home channel. This can be from 100 to 5000 milliseconds.
  8. In the Max mitigation frames sent per channel text box, enter the maximum number of mitigation frames that will be sent to the detected rogue AP. This can be from 1 to 50 deauth frames.
  9. In the Scanning Channels text box, enter the list of channels that will be scanned for rogue APs. Use a comma-separated list from 0 to 256 characters. The complete set of default channels is 1,2,3,4,5,6,7,8,9,10,11,36,40,44,48,52,56,60,64,149,153,157,161,165.
  10. In the RSSI Threshold for Mitigation text box, enter the minimum threshold level over which stations are mitigated. The range of valid values is from -100 to 0.
  11. Click OK.

If a station that is already present in the discovered station database (learned wirelessly by the AP) is also discovered via DHCP broadcast on the AP’s wired interface, it implies that the station is connected to the same physical wired network as the AP. Such a station could potentially be a rogue device and is flagged by the controller as a wired rogue, indicating the rogue was identified as being present on the same wired network as the AP. If mitigation is enabled for wired rogues, mitigation action is performed accordingly on the rogue device.