We just recently started replacing our legacy Motorola (formerly Symbol) WS5000/WS5100 Wireless LAN Switches with the Motorola RFS 7000 Wireless LAN Switch. I know quite a few organizations have jumped from Motorola over the past few years to Cisco, Aruba, Trapeze and Meru. While Motorola isn’t the easiest company to work with (who is these days) they really understand wireless and they have come through on a number of occasions involving highly technical problems. In short the product works and works well for our needs and fits in our budget. While Motorola may lack some of the bells and whistles of the other vendors mentioned above it’s stability is something we’ve come to enjoy.
The RFS7000 provides 4 10/100/1000 Cu/SFP Ethernet interfaces and can manage up to 256 802.11a/b/g Access Ports. We’ve long struggled managing some of our largest wireless environments where we needed 18 WS5000 switches (each WS5000 would only manage up to 48 802.11a/b/g Access Ports).The old WS5000 also required a one-to-one cold standby for redundancy and high-availability. The RFS7000 supports clustering and N+1 redundancy so we’re going to be using a lot less power and rack space not to mention all the configuration and cabling.
Let me provide a small example configuration. You’ll need to connect to the console interface (19200,8,N,1) and configure the Gigabit Ethernet interfaces. The default username is “admin” while the default password is “superuser”.
RFS7000 release 18.104.22.168-040R Login as 'cli' to access CLI. sw-wireless.acme.org login: cli User Access Verification Username: admin Password: Welcome to CLI RFS7000>enable RFS7000#config term Enter configuration commands, one per line. End with CNTL/Z.
We’ll be using the interface ‘ge1’ as the Layer 2 (AP VLAN) interface and ‘ge2’ will be our Layer 3 interface. We’ll trunk ge2 and leave ge1 as access. We’ll also use VLANS 29-32 in order to bridge our WLANs to our Nortel Ethernet Routing Switch 8600 core. VLAN 23 will be our Layer 2 AP VLAN where the Access Ports will be connected.
RFS7000(config)#interface ge1 RFS7000(config-if )# switchport access vlan 23 RFS7000(config-if)# exit RFS7000(config)# interface ge2 RFS7000(config-if)# switchport mode trunk RFS7000(config-if)# switchport trunk native vlan 200 RFS7000(config-if)# switchport trunk native tagged RFS7000(config-if)# switchport trunk allowed vlan none RFS7000(config-if)# switchport trunk allowed vlan add 29-32,200
We’ll shutdown VLAN 1 just to be careful, we don’t want any loops.
RFS7000(config)# interface vlan1 no ip address RFS7000(config)# interface vlan1 RFS7000(config-if)# shutdown
I use VLAN 200 as my management VLAN and place all my network electronics in that VLAN.
RFS7000(config)# interface vlan200 RFS7000(config-if)# management RFS7000(config-if)# interface vlan200 ip address 10.1.1.40/24 RFS7000(config-if)# exit RFS7000(config)# ip route 0.0.0.0/0 10.1.1.1
At this point the Motorola RFS7000 should be online and reachable via the network. Let’s configure a single WLAN/ESSID called “PHILLIES” for WPA-TKIP with 802.1x EAP-PEAP authentication to a Microsoft Internet Authentication Server (IAS) so our Windows XP laptop can automatically pass our Windows Active Directory credentials for authentication.
RFS7000(config)#wireless RFS7000(config-wirless)# manual-wlan-mapping enable RFS7000(config-wirless)# wlan 1 enable RFS7000(config-wirless)# wlan 1 description 80211a RFS7000(config-wirless)# wlan 1 ssid PHILLIES RFS7000(config-wirless)# wlan 1 vlan 30 RFS7000(config-wirless)# wlan 1 encryption-type tkip RFS7000(config-wirless)# wlan 1 authentication-type eap RFS7000(config-wirless)# wlan 1 radius server primary 10.1.1.100 RFS7000(config-wirless)# wlan 1 radius server primary radius-key 0 RaDiUsKeY RFS7000(config-wirless)# wlan 1 radius server secondary 10.5.1.100 RFS7000(config-wirless)# wlan 1 radius server secondary radius-key 0 RaDiUsKeY RFS7000(config-wirless)# wlan 1 radius authentication-protocol chap RFS7000(config-wirless)# exit RFS7000(config)#
I’m authenticating users against the RADIUS servers at 10.1.1.100 and 10.5.1.100 with the radius key of “RaDiUsKeY” using CHAP as the protocol. Those servers are actually Windows 2003 Domain Controllers running the Internet Authentication Service (IAS).
Since I’m manaully mapping the WLANs I need to make sure I map the WLAN to the default 802.11a radio configuration with the following command. I’ll also set the AP to indoor, the channel selection to ACS and the power to 20mW.
RFS7000(config)#wireless RFS7000(config-wireless)# radio default-11a bss 1 1 RFS7000(config-wireless)# radio default-11a channel-power indoor acs 20
You’ll obviously need to have the the RADIUS servers setup and you’ll also need Microsoft’s Certificate Server in your Active Directory. The clients will use the trusted root certificate to authenticate the login request from the RADIUS server.
I don’t think there are may people that haven’t figured out how to-do this (it’s really ease) so I’m not going to really go into the topic. If you have questions please feel free to post a comment and I’ll do me best to respond.
That’s a little taste of the RFS700, hopefully you’ll find the information useful.