Network Detector Configuration Guide

AirTight Wi-Fi 7.1 Update 2

AirTight WIPS 7.1 Update 2

339 N. Bernardo Avenue, # 200, Mountain View, CA 94043

www.airtightnetworks.com

2003-2014 AirTight Networks, Inc. All rights reserved.

This page is intentionally left blank.

Network Detector Configuration Guide

END USER LICENSE AGREEMENT

Please read the End User License Agreement before installing or upgrading the AirTight Wi-Fi or AirTight WIPS
server. The End User License Agreement is available at the following location
http://www.airtightnetworks.com/fileadmin/pdf/AirTight-EULA.pdf.
Installing the software constitutes your acceptance of the terms and conditions of the End User License
Agreement.
DISCLAIMER

THE INFORMATION IN THIS GUIDE IS SUBJECT TO CHANGE WITHOUT ANY PRIOR NOTICE.

AIRTIGHT NETWORKS, INC. IS NOT LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT, OR
CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS
OF BUSINESS PROFITS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, OR ANY OTHER
PECUNIARY LOSS) ARISING OUT OF THE USE OF OR INABILITY TO USE THIS PRODUCT.
THIS PRODUCT HAS THE CAPABILITY TO BLOCK WIRELESS TRANSMISSIONS FOR THE PURPOSE OF
PROTECTING YOUR NETWORK FROM MALICIOUS WIRELESS ACTIVITY. BASED ON THE POLICY
SETTINGS, YOU HAVE THE ABILITY TO SELECT WHICH WIRELESS TRANSMISSIONS ARE BLOCKED AND,
THEREFORE, THE CAPABILITY TO BLOCK AN EXTERNAL WIRELESS TRANSMISSION. IF IMPROPERLY
USED, YOUR USAGE OF THIS PRODUCT MAY VIOLATE US FCC PART 15 AND OTHER LAWS. BUYER
ACKNOWLEDGES THE LEGAL RESTRICTIONS ON USAGE AND UNDERSTANDS AND WILL COMPLY WITH
US FCC RESTRICTIONS AS WELL AS OTHER GOVERNMENT REGULATIONS. AIRTIGHT IS NOT
RESPONSIBLE FOR ANY WIRELESS INTERFERENCE CAUSED BY YOUR USE OF THE PRODUCT.
AIRTIGHT NETWORKS, INC. AND ITS AUTHORIZED RESELLERS OR DISTRIBUTORS WILL ASSUME NO
LIABILITY FOR ANY DAMAGE OR VIOLATION OF GOVERNMENT REGULATIONS ARISING FROM YOUR
USAGE OF THE PRODUCT, EXCEPT AS EXPRESSLY DEFINED IN THE INDEMNITY SECTION OF THIS
DOCUMENT.
LIMITATION OF LIABILITY
AirTight Networks will not be liable to customer or any other party for any indirect, incidental, special,
consequential, exemplary, or reliance damages arising out of or related to the use of AirTight Wi-Fi, AirTight
WIPS, AirTight Cloud Services, and AirTight devices under any legal theory, including but not limited to lost profits,
lost data, or business interruption, even if AirTight Networks knows of or should have known of the possibility of
such damages. Regardless of the cause of action or the form of action, the total cumulative liability of AirTight
Networks for actual damages arising out of or related to the use of AirTight Wi-Fi, AirTight WIPS, AirTight Cloud
Services or AirTight devices will not exceed the respective price paid for AirTight Wi-Fi, AirTight WIPS, AirTight
Cloud Services, or AirTight devices.

Copyright 20032014 AirTight Networks, Inc. All Rights Reserved.

TM

TM

TM

TM

TM

Powered by Marker Packet , Active Classification , Live Events , VLAN Policy Mapping , Smart Forensics ,
TM
TM
WEPGuard and WPAGuard . AirTight Networks and the AirTight Networks logo are trademarks and AirTight is
a registered trademark of AirTight Networks, Inc.
This product contains components from Open Source software. These components are governed by the terms
and conditions of the GNU Public License. To read these terms and conditions visit
http://www.gnu.org/copyleft/gpl.html.
Protected by one or more of U.S. patent Nos. 7,002,943; 7,154,874; 7,216,365; 7,333,800; 7,333,481; 7,339,914;
7,406,320; 7,440,434; 7,447,184; 7,496,094; 7,536,723; 7,558,253; 7,710,933; 7,751,393; 7,764,648; 7,804,808;
7,856,209; 7,856,656; 7,970,894; 7,971,253; 8,032,939; and international patents: AU 200429804; GB 2410154;
JP 4639195; DE 60 2004 038 621.9; and GB/NL/FR/SE 1976227. More patents pending. For more information on
patents, please visit: www.airtightnetworks.com/patents.

Network Detector Configuration Guide

About this Guide

The Network Detector Configuration Guide explains how to configure sensors in the Network Detector (ND)
mode.
Important! Please read the EULA before installing the sensors. Installing the sensor constitutes your
acceptance of the terms and conditions of the EULA mentioned above in this document.

Intended Audience
This guide is intended for anyone who wants to configure and use sensors in the ND mode.

Document Overview
This guide contains the following chapters:
1. Modes of Operation of Sensor: Describes the sensor operation modes
2. Guidelines for Using Sensor Operation Modes: Provides guidelines for deploying sensors in various
modes.
3. Guidelines for Configuring and Installing ND: Describes the installation and configuration of a sensor
in the ND mode.
4. Upgrade the Network Detector: Describes how to upgrade a sensor in the ND mode.
5. VLAN States: Explains the various states of a VLAN.
6. Useful Tips: Few tips for ND configuration.
Note: All instances of the term server in this document refer to the AirTight Wi-Fi / AirTight WIPS server,
unless the server name or type is explicitly stated.

Product and Documentation Updates

To receive important news on product updates, please visit our website at http://www.airtightnetworks.com.
We continuously enhance our product documentation based on customer feedback. To obtain a latest copy of this
document, visit http://www.airtightnetworks.com/home/support.html.

Contact Information
AirTight Networks, Inc.
339 N, Bernardo Avenue, Suite #200,
Mountain View, CA 94043
Tel: (650) 961-1111
Fax: (650) 963-3388
For technical support, send an email to support@airtightnetworks.com.

Network Detector Configuration Guide

1.

Modes of Operation of Sensor

There are two types of AirTight sensors that are available for deployment:

SS-300-AT-C-10, SS-300-AT-C-50, SS-300-AT-C-55, and SS-300-AT-C-60 (802.11 a/b/g/n capable)

SS-200-AT (802.11 a/b/g capable)

All these sensors are capable of operating in two modes as described below.
Note: In the document, the generic model name SS-300-AT would refer to SS-300-AT-C-10, SS-300-AT-C-50,
SS-300-AT-C-55, and SS-300-AT-C-60 sensors.
Sensor Mode (Sensor): This is the default mode of operation. In this mode, the sensor can be connected to an
access port or a trunk port (802.1Q capable) on a switch. When connected to a trunk port, it monitors multiple
VLANs that are configured on that trunk port and are chosen by the user. The wireless interface of the sensor is
enabled. In this mode, an SS-200-AT sensor can monitor up to 4 VLANs, the SS-300-AT-C-10, SS-300-AT-C-55,
and SS-300-AT-C-60 sensors can monitor up to 16 VLANs, and an SS-300-AT-C-50 sensor can monitor up to 8
VLANs.

Network Detector Mode (ND): This mode must be explicitly configured. In this mode, the ND should be
connected to a trunk port (802.1Q capable) on a switch. It then monitors multiple VLANs that are configured on
that trunk port and are chosen by the user using the ND CLI. The wireless interface of the ND is disabled. In this
mode, an SS-200-AT sensor monitor up to 32 VLANs, the SS-300-AT-C-10, SS-300-AT-C-55, and SS-300-AT-C60 sensors can monitor up to 100 VLANs, and an SS-300-AT-C-50 sensor can monitor up to 50 VLANs.

Network Detector Configuration Guide

2.

Guidelines for Using Sensor Operation Modes

For good wireless security cover, following is required:

Good air coverage (radio coverage)

Good network coverage (coverage of enterprise subnets/VLANs)

Guideline 1 Determine the sensor count and placement using air coverage criterion.
You can achieve good air coverage by using appropriate number of sensors that are strategically
placed on the enterprise premises. You can use AirTight Planner or Planning Service to plan for the
right number and placement of sensors for your floor plan.
Guideline 2 Attempt to cover as many VLANs as possible with the sensors on the wired side.
Each sensor can be connected to an access port of a switch. This sensor monitors the VLAN
configured on this access port, in addition to monitoring wireless signals within its radio coverage
area. Same sensor can also monitor additional VLANs by connecting it to a switch trunk port and
configuring the list of VLANs to be monitored.
Guideline 3 Use a ND to cover the remaining VLANs on the wired side.
When a sensor in sensor mode is connected to a trunk port, it can monitor multiple VLANs. In the
sensor mode, a sensor can monitor relatively lesser number of VLANs than that a sensor in the ND
mode can monitor. An SS-200-AT sensor in the sensor mode can monitor up to 4 VLANs and in the
ND mode can monitor a maximum of 32 VLANs. An SS-300-AT-C-10, SS-300-AT-C-55, and SS300-AT-C-60 sensor in the sensor mode can monitor up to 16 VLANs and in the ND mode can
monitor a maximum of 100 VLANs. An SS-300-AT-C-50 sensor in the sensor mode can detect and
monitor up to 8 VLANs and in the ND mode can detect and monitor up to 50 VLANs. The number of
sensors in the sensor mode and the number of sensors in the ND mode should be adjusted based
on the number of VLANs to be monitored.
Guideline 4 Use sensor in remote sites with few VLANs.
Remote sites are generally small and have few VLANs. Therefore, a single sensor should be
sufficient to provide good air coverage as well as network coverage. The sensor can be connected to
a trunk port on the switch. All VLANs at that site are trunked on that switch port. The sensor should
be configured to monitor all VLANs .The following figures show Air cover using sensors and network
cover using sensors and NDs.

Network Detector Configuration Guide

3.

Guidelines for Configuring and Installing ND

In this chapter, we describe the configuration and installation of ND in detail.

Step 1: Configure the Sensor in ND mode

1. Power the SS-300-AT using an 802.3af Class 3 Power Over Ethernet (PoE) of Nominal input voltage 48V
DC , and SS-200-AT using either a 5V 3A DC Power adapter or an 802.3af compliant PoE source.
2. Connect a serial (straight through DB9 console) cable to the serial (DB9) port on the sensor.
3. Make the following serial port settings by using a serial application such as HyperTerminal, SecureCRT,
TeraTerm, minicom, etc.:

For SS-300-AT: 115200 bps, 8 data bits, No parity, 1 stop bit, No flow control

For SS-200-AT; 9600 bps, 8 data bits, No parity, 1 stop bit, No flow control

4. Allow the sensor to boot.

5. Enter the username config and the password config, at the login prompt.
6. Type the set mode command to change the mode to ND (The default mode is Sensor).
7. Press Enter at subsequent prompts until the device actually goes for a reboot and you get the login
prompt.
The device must reboot for the new setting to take effect.
Note: You are prompted for IP configurations before reboot; please enter the IP configuration settings on the CLI
prompt. However, note that the IP routing table cannot be changed after you change the mode. Any changes to
the IP routing table must be done before you change the mode to ND.
Changes in the IP settings during the mode change (that is, when the mode is changed from sensor to ND) are
applied to the untagged VLAN.

8. Type the command get mode to ensure that the mode has correctly changed to ND before proceeding to
next step.

Network Detector Configuration Guide

Step 2: Onsite and Online Deployments

Onsite Deployment: Provide the AirTight Wi-Fi or AirTight WIPS Server IP address/ hostname to the ND
1. Type the set server discovery command.
2. Choose option 2 (which is the default option) and press Enter.
3. Enter the IP address/ hostname of the server and press Enter.

Note: In the onsite deployment, either primary or secondary server IP address/ hostname should be specified with
the IP address of the server.
Online Deployment: Provide connection details for ND to connect to the server
In online deployment, sensors do not directly connect to the server. Instead, they connect through a redirector.
The default IP address/ hostname of the redirector is redirector.airtightnetworks.net.
1. Type the set server discovery command.
2. Choose option 2 (which is the default option) and press Enter.
3. Enter the IP address/ hostname of the redirector and press Enter.

After the Sensor process restarts, the [config]$ prompt appears.

Note: In the online deployment, either primary or secondary server IP address/ hostname should be specified with
the IP address/ hostname of the redirector. In case you have problems connecting to the redirector, contact
support@airtightnetworks.com who will guide you through the process.

Step 3: Configure VLANs

1. Type the set vlan config command to configure all the VLANs.
2. Choose option 1 to configure VLANs for DHCP and option 2 to configure VLANs with static IP address.
Sensor will restart / reboot after the VLAN configuration.

Network Detector Configuration Guide

10

Step 4: Configure/ Change the Communication VLAN

Note: By default, untagged VLAN is the communication VLAN. Perform this step only if you want to change the
communication VLAN to a tagged VLAN.
Before configuring the communication VLAN of ND, ensure that a route to the server VLAN exists from the
communication VLAN of ND. SSH works only for the IP address of the communication VLAN, therefore, note
down the IP address of the communication VLAN to access the ND.
1. Type the set vlan config command.
2. Choose option 3 from the menu that appears.

3. Enter the communication VLAN ID.

4. Enter y to confirm the new ID of the communication VLAN.
5. Select option 5 to exit. The ND reboots.

Network Detector Configuration Guide

11

Step 5: Create a Trunk Port on the Switch for the ND

Create a trunk port on the switch keeping in mind the following points:

Configure only the VLANs that you want the ND to monitor on this trunk port (maximum of 100 for SS300-AT, 50 for SS-300-AT-C-50, and 32 for SS-200-AT). ND will monitor only the configured VLANs.

A VLAN must be configured on the trunk port such that a route exists from the VLAN to the server VLAN.
This VLAN can be tagged or untagged VLAN and is referred to as Communication VLAN of ND. To
configure/change communication VLAN, please refer to the Step 4 above.

Step 6: Connect the ND to the Trunk Port

Wait until the ND connects to the server. After the ND is connected, the first two LEDs (PWR and Link) glow
stable green. Now, log in to the ND using SSH with username config and password config. For this, type the
get vlan config command and note down the IP address of the communication VLAN from the VLAN table.

Step 7: Get VLAN Status

Type the get vlan config command and look at the status of the VLANs. If any of the VLANs show inactive
status, type the get vlan status command to get the details.
Note: VLAN is reported as inactive if there is no activity seen by ND and/or IP settings have not been obtained by
the VLAN. A VLAN will be monitored only if it is active and no other sensor or ND is monitoring the VLAN.

Step 8: Use the get vlan id command to get the list of VLANs seen by ND

Network Detector Configuration Guide

12

Step 9: Deletion of VLAN

To delete a VLAN, type the set vlan config command and choose option 4 from the menu that appears.
Now enter the list of VLANs that are presently configured, but need not be monitored.

Network Detector Configuration Guide

13

Step 10: Ensure that all the VLANs are properly displayed in the Console
1. Go to the Devices > AirTight Devices tab and locate the entry for the ND.
The ND entry has a superscript N and is indicated by
in the (Device) Active Status column. You can
also locate the entry for your ND by matching the Ethernet MAC address displayed on the physical device
with the MAC address displayed in the Console.
2. See the Visible LANs widget below the list of AirTight Devices on the Devices page.
3. You should see all the VLANs that you wanted ND to monitor, along with their correct IP addresses, Net
Mask, and Status as Monitored.

You can also navigate to Devices > Networks tab on the UI and verify the list of networks being
monitored. The following figure shows the Networks tab.

Network Detector Configuration Guide

14

4.

Upgrade the Network Detector

When you upgrade a sensor operating in SNDC/Sensor mode, it continues to monitor the previously configured
VLANs, and operates in sensor mode. You can add or delete the VLANs to be monitored by a sensor in sensor
mode from the AirTight Management Console. For details, refer to the Sensor Configuration section in the Users
Guide.
When you upgrade a sensor operating in ND mode, it continues to monitor the previously configured VLANs. You
can add more VLANs to the list of monitored VLANs or delete existing VLANs from the list of monitored VLANs.
The following procedure is recommended:
1. Before upgrade, type the get vlan config command to capture information about all VLANs being
monitored.
2. After the upgrade, type the get vlan config command and compare list of VLANs with those before
upgrade.
3. Configure any missing VLANs that need to be monitored.
AirTight Wi-Fi and AirTight WIPS support the use of a tagged VLAN as the communication VLAN of ND.
Upgrade from versions prior 5.5 to 7.1 Update 1 will keep the communication VLAN as untagged VLAN by
default, but this can be changed to any monitored tagged VLAN using the set vlan config command.
Even for an upgrade of sensor version 4.3, the communication VLAN will default to untagged VLAN.

Network Detector Configuration Guide

15

5.

VLAN States

The status of the VLAN configured by the user can be seen using the get vlan status command. The status
of the VLAN can be any of the following:

Inactive and Unmonitored: In this state a VLAN is configured by the user and is not detected. All the
VLANs configured by the user will be in this state, when the ND starts.

Active and Unmonitored: In this state a VLAN is configured by the user and is detected, but not yet
monitored.

Active and Monitored: In this state a VLAN is configured by the user and is monitored by the ND.

Note: The get vlan status command displays the status of the VLAN at that given instance. This status
changes randomly and ND will automatically switch in monitoring the VLANs.
Various messages, their VLAN states, and descriptions of these states are described in the table below:
Message

VLAN State

Description

Activity seen, but

DHCP request failed

Inactive and
Unmonitored

There is activity on the VLAN, but the IP address cannot

be obtained through DHCP. This can happen when the
VLAN is configured for DHCP.

Activity not seen and

DHCP request failed

Inactive and
Unmonitored

There is no activity seen on the VLAN and the IP address

could not be obtained through DHCP. This can happen
when the VLAN is configured for DHCP.

IP address configured,
but no activity seen

Inactive and
Unmonitored

There is no activity seen on the VLAN and the VLAN is

configured for static IP settings.

Activity seen, but not

locally monitored

Active and Unmonitored

This happens when the ND is not monitoring the VLAN

as any other sensor/ND/SNDC is monitoring the same
VLAN.

Network Detector Configuration Guide

16

6.

Useful Tips

The communication VLAN of ND is used for communication with the server. An untagged VLAN is also
called native VLAN in some switches.

Multiple sensors/NDs can be configured to monitor same VLAN for redundancy purpose, although, at a
particular time, only one connected device will monitor the VLAN.

Do not use Ctrl+C while configuring the VLANs using the set vlan config command.

Network Detector Configuration Guide

17