Question

Is using ANYAP a good choice for my scenario?

  • 25 June 2019

Hi, is using the ANYAP profile a problem for me?
I have ap622, 71xx, 7522 and 7532.
All of them are using the ANYAP profile, as can be seen in the configuration above.
I've made this configuration using the recommended options in WLAN HD and WLAN Best practices.
Any suggestions to make it better?

!
! Configuration of RFS7000 version 5.8.2.0-030R
!
!
version 2.5
!
!
ip access-list BROADCAST-MULTICAST-CONTROL
permit tcp any any rule-precedence 10 rule-description "permit all TCP traffic"
permit udp any eq 67 any eq dhcpc rule-precedence 11 rule-description "permit DHCP replies"
permit ip any 239.0.0.0/24 rule-precedence 19
deny udp any range 137 138 any range 137 138 rule-precedence 20 rule-description "deny windows netbios"
deny ip any 224.0.0.0/4 rule-precedence 21 rule-description "deny IP multicast"
deny ip any host 255.255.255.255 rule-precedence 22 rule-description "deny IP local broadcast"
permit ip any any rule-precedence 100 rule-description "permit all IP traffic"
!
mac access-list PERMIT-ARP-AND-IPv4
permit any any type ip rule-precedence 10 rule-description "permit all IPv4 traffic"
permit any any type arp rule-precedence 20 rule-description "permit all ARP traffic"
!
ip snmp-access-list default
deny any
!
firewall-policy default
no ip dos smurf
no ip dos twinge
no ip dos invalid-protocol
no ip dos router-advt
no ip dos router-solicit
no ip dos option-route
no ip dos ascend
no ip dos chargen
no ip dos fraggle
no ip dos snork
no ip dos ftp-bounce
no ip dos tcp-intercept
no ip dos broadcast-multicast-icmp
no ip dos land
no ip dos tcp-xmas-scan
no ip dos tcp-null-scan
no ip dos winnuke
no ip dos tcp-fin-scan
no ip dos udp-short-hdr
no ip dos tcp-post-syn
no ip dos tcphdrfrag
no ip dos ip-ttl-zero
no ip dos ipspoof
no ip dos tcp-bad-sequence
no ip dos tcp-sequence-past-window
no ip-mac conflict
no ip-mac routing conflict
dhcp-offer-convert
no ipv6 strict-ext-hdr-check
no ipv6 unknown-options
no ipv6 duplicate-options
no ipv6 option strict-hao-opt-check
no ipv6 option strict-padding
no stateful-packet-inspection-l2
no ipv6-mac conflict
no ipv6-mac routing conflict
!
!
mint-policy global-default
mtu 1468
!
wlan-qos-policy default
qos trust dscp
qos trust wmm
!
radio-qos-policy default
!
aaa-policy EXTERNAL-AAA
authentication server 1 host ???.???.???.??? secret 0 ????????
!
aaa-policy on-board
!
roaming-assist-policy RASST
aggressiveness medium-low
detection-threshold -70
handoff-threshold -75
action assisted-roam
!
wlan eduroam
description eduroam
ssid eduroam
vlan 400
bridging-mode local
encryption-type tkip-ccmp
authentication-type eap
no answer-broadcast-probes
no client-client-communication
radio-resource-measurement
fast-bss-transition
802.11v bss-transition
assoc-response rssi-threshold -72
assoc-response deny-threshold 3
data-rates 2.4GHz gn
wing-extensions move-command
wing-extensions smart-scan
wing-extensions wmm-load-information
wing-extensions ap-attributes-information
wing-extensions scan-assist
wing-extensions ft-over-ds-aggregate
use aaa-policy EXTERNAL-AAA
use roaming-assist-policy RASST
use ip-access-list out BROADCAST-MULTICAST-CONTROL
use mac-access-list out PERMIT-ARP-AND-IPv4
proxy-arp-mode strict
no nsight client-history
!
wlan wifi-zone
description wifi-zone
ssid wifi-zone
vlan 410
bridging-mode local
encryption-type none
authentication-type none
no answer-broadcast-probes
no client-client-communication
wireless-client cred-cache-ageout 1800
radio-resource-measurement
802.11v bss-transition
assoc-response rssi-threshold -72
assoc-response deny-threshold 3
data-rates 2.4GHz gn
wing-extensions smart-scan
wing-extensions wmm-load-information
wing-extensions ap-attributes-information
use roaming-assist-policy RASST
use ip-access-list out BROADCAST-MULTICAST-CONTROL
use mac-access-list out PERMIT-ARP-AND-IPv4
proxy-arp-mode strict
no nsight client-history
!
smart-rf-policy smart-rf
assignable-power 5GHz min 10
assignable-power 2.4GHz min 10
channel-list 5GHz 36,40,44,48,52,56,60,64
channel-width 5GHz 20MHz
no smart-ocs-monitoring
no neighbor-recovery
no coverage-hole-recovery
!
profile anyap wifi-zone
autoinstall configuration
autoinstall firmware
crypto ikev1 policy ikev1-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ikev2 policy ikev2-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
crypto ikev1 remote-vpn
crypto ikev2 remote-vpn
crypto auto-ipsec-secure
crypto load-management
crypto remote-vpn-client
interface radio1
data-rates gn
wlan eduroam bss 1 primary
wlan wifi-zone bss 2 primary
probe-response rate lowest-basic
probe-response rssi-threshold -72
interface radio2
wlan eduroam bss 1 primary
wlan wifi-zone bss 2 primary
probe-response rate lowest-basic
probe-response rssi-threshold -72
interface radio3
interface up1
interface ge1
switchport mode trunk
switchport trunk native vlan 415
switchport trunk native tagged
switchport trunk allowed vlan 400,410,415
interface ge2
interface fe1
interface fe2
interface fe3
interface fe4
interface vlan415
ip address dhcp
ip dhcp client request options all
interface wwan1
interface pppoe1
use firewall-policy default
no cdp run
no lldp run
no auto-learn staging-config
service pm sys-restart
router ospf
!


Userlevel 5
Where the ANYAP option proves to be most useful is in scenarios where the actual configuration of the several AP models is the same...and only the hardware differs.
In that instance, the system will automatically create the appropriate configuration for each AP model based on the ANYAP Profile that you create.
I don't see anything in that configuration section that would change this response.

One recommendation I would make would be to assign MBR (minimum Basic rates) as appropriate to the different WLANs. If you don't have a requirement to support 11b clients, then remove those rates.


So, I have this on the AP profile:
interface radio1
data-rates gn

and this on the WLAN profile:
data-rates 2.4GHz gn

What should I do to comply with your recommendation?

Userlevel 5
Apologies, I missed that on the radio configuration.
Having the rates defined on the radio is sufficient. I would only add that if any of these WLANs have DIFFERENT data rate requirements, you can accommodate that by removing the rate setup on the radio (which will enforce the data rates for ALL WLANs) and instead defining the needed rates within each of the WLANs individually.
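
An added example, not part of the original thread and not WiNG tooling: a small Python audit for the situation discussed above, where `data-rates` is set both on a radio and on the WLANs mapped to it. The sample config is constructed from the posted lines and assumes one space of indentation per nesting level; the function names `parse` and `rate_overlaps` are hypothetical.

```python
# Constructed excerpt built from lines of the posted config. Assumption:
# one leading space per nesting level, which the forum paste has lost.
SAMPLE = """\
wlan eduroam
 data-rates 2.4GHz gn
wlan wifi-zone
 data-rates 2.4GHz gn
profile anyap wifi-zone
 interface radio1
  data-rates gn
  wlan eduroam bss 1 primary
  wlan wifi-zone bss 2 primary
 interface radio2
  wlan eduroam bss 1 primary
  wlan wifi-zone bss 2 primary
"""

def parse(text):
    """Return (wlan_rates, radios) collected from an indented config."""
    wlan_rates = {}  # WLAN name -> its own data-rates arguments
    radios = {}      # (profile, radio) -> {"rates": str or None, "wlans": [...]}
    path = []        # enclosing block headers, one per nesting level
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # skip blank lines and "!" separators
        depth = len(raw) - len(raw.lstrip(" "))
        del path[depth:]
        path.append(line)
        words, top = line.split(), path[0].split()
        if top[0] == "wlan" and depth == 1 and words[0] == "data-rates":
            wlan_rates[top[1]] = " ".join(words[1:])
        elif (top[0] == "profile" and len(path) > 1
              and path[1].startswith("interface radio")):
            radio = radios.setdefault((top[-1], path[1].split()[1]),
                                      {"rates": None, "wlans": []})
            if depth == 2 and words[0] == "data-rates":
                radio["rates"] = " ".join(words[1:])
            elif depth == 2 and words[0] == "wlan":
                radio["wlans"].append(words[1])
    return wlan_rates, radios

def rate_overlaps(text):
    """(profile, radio, wlan) triples with data-rates set at both levels."""
    wlan_rates, radios = parse(text)
    return sorted((prof, name, w)
                  for (prof, name), r in radios.items() if r["rates"]
                  for w in r["wlans"] if w in wlan_rates)
```

On the sample, `rate_overlaps(SAMPLE)` reports both WLANs on radio1 and nothing on radio2; dropping the radio-level line, as the last reply suggests for WLANs with different rate requirements, leaves no overlaps.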
