Wi-Fi Mini Physical Interface Module (MPIM)
The Wi-Fi Mini-Physical Interface Module (Mini-PIM) for SRX Series devices provides an integrated wireless access point (or wireless LAN) solution along with routing, switching, and security in a single device. The topics below provide an overview of the Wi-Fi Mini-PIM and describe how to configure it on SRX Series devices.
Wi-Fi Mini-Physical Interface Module Overview
The Wi-Fi Mini-Physical Interface Module (Wi-Fi Mini-PIM) for SRX320, SRX340, SRX345, SRX380, and SRX550M provides an integrated wireless access point (or wireless LAN) along with routing, switching, and security in a single device. The Mini-PIM supports the 802.11ac Wave 2 wireless standards and is backward compatible with 802.11a/b/g/n. Three models of the Wi-Fi Mini-PIM are available, based on the regional wireless standard requirements:
SRX-MP-WLAN-US — The model based on USA’s wireless standard.
SRX-MP-WLAN-IL — The model based on Israel’s wireless standard.
SRX-MP-WLAN-WW — The model for other countries.
You cannot change the country code for the SRX-MP-WLAN-US and SRX-MP-WLAN-IL models because it is fixed. The Wi-Fi Mini-PIM can coexist with other Mini-PIMs supported on the SRX Series device. Table 1 provides a summary of the features supported on the Mini-PIM.
Typical deployments for Wi-Fi Mini-PIM solution include:
Secure wireless LAN connectivity to endpoint devices of corporate users at remote branch offices. 802.11ac, WPA2, 802.1X, and SSID-to-VLAN mapping features provide secure Wireless LAN connectivity.
Direct network connectivity to the enterprise Internet of Things (IoT) devices. The security features on the SRX Series devices secure the IoT devices.
See How to Install the Wi-Fi Mini-PIM for SRX Series Services Gateways for more information about how to install the Wi-Fi Mini-PIM.
- Wireless LAN Interface in Chassis Cluster Mode
- Wireless LAN Interface in Layer 3 (L3) Mode
- Wireless LAN Interface in Layer 2 (L2) Mode
- Features Supported on the Wi-Fi Mini-PIM
Wireless LAN Interface in Chassis Cluster Mode
The Mini-PIM is also supported in chassis cluster mode to provide redundancy. Wireless users are connected to the active interface in the redundancy group. To support chassis cluster mode for the wireless LAN interface Mini-PIM, you need to configure a chassis cluster setup with two wireless LAN interfaces, wl-x/0/0 and wl-y/0/0, where x indicates the slot number in which the wireless LAN interface Mini-PIM is plugged in on node 0 and y indicates the slot number in which the wireless LAN interface Mini-PIM is plugged in on node 1.
In chassis cluster mode, one wireless LAN interface is active and the other wireless LAN interface is inactive. The Wi-Fi client is associated with the active wireless LAN interface.
The following events trigger wireless LAN interface failover:
- The wireless LAN interface is abnormal.
- The primary wireless LAN interface is down.
- The redundancy group to which the wireless LAN interface belongs is failed over manually.
- The primary WLAN interface node has failed.
After wireless LAN interface failover, the original inactive wireless LAN interface is changed to active and the Wi-Fi client sessions are reconnected to the new primary wireless LAN interface.
In chassis cluster mode, the WLAND process runs on both nodes. The WLAND process on the primary node pushes the WLAN configuration to the PFE on both nodes, and each PFE then forwards the configuration to its local wireless LAN interface card so that the two wireless LAN interface cards have the same configuration.
WLAND monitors the wireless LAN interface status. If WLAND finds the wireless LAN interface to be abnormal, it can trigger redundancy group failover. In Layer 3 mode, by default, the wireless LAN interface activity monitor is configured for WLAN high availability using the commands set chassis cluster redundancy-group 1 interface-monitor wl-2/0/0 weight 255 and set chassis cluster redundancy-group 1 interface-monitor wl-7/0/0 weight 255.
The new primary wireless LAN interface becomes active, and the abnormal wireless LAN interface card is restarted and goes to the inactive state. The Wi-Fi client reconnects to the active wireless LAN interface automatically because the configuration (radio, channel, bandwidth, SSID, and so on) on the active WAP is the same as on the original wireless LAN interface.
Wireless LAN Interface in Layer 3 (L3) Mode
The interfaces are configured as subordinate interfaces of RETH using the command set interfaces wl-x/0/0 gigether-options redundant-parent reth-interface. You can add the RETH interface to one redundancy group and set the priority for each node in the redundancy group. Only one wireless LAN interface is active in the redundancy group and the other one is inactive.
Wireless LAN Interface in Layer 2 (L2) Mode
You can build SRX devices in chassis cluster mode with the wireless LAN interface Mini-PIM. The peer wireless LAN interfaces are configured in the same VLAN, and the wireless LAN interface on the primary node of redundancy group zero is chosen as the active interface by default. In L2 mode (family ethernet-switching), the wireless LAN interface behaves like any other L2 switching port (trunk port).
Features Supported on the Wi-Fi Mini-PIM
Table 1 lists the key features supported on the Wi-Fi Mini-PIM.
Feature | Description |
---|---|
2x2 MU-MIMO | Enables transmission of data to multiple clients simultaneously. |
Dual radios | Both the 2.4 GHz and 5 GHz radios are supported simultaneously. The maximum supported speed is up to 1.2 Gbps. |
Virtual access points (VAPs) and VLAN features | |
Co-existence of interfaces | The Wi-Fi Mini-PIM coexists with 4G LTE, VDSL, T1, and serial interfaces. |
Client authentication methods | The supported client authentication methods are Wi-Fi Protected Access (WPA) Enterprise (WPA2 standards) and Wi-Fi Protected Access (WPA) Personal (AES-CCMP cipher suites and WPA2 standards). |
Configure Wi-Fi Mini-PIM
You can configure the radios and virtual access points on the Wi-Fi Mini-PIM. This topic contains sections that describe the basic Wi-Fi Mini-PIM configuration at the wireless interface level. For more information about how to install a Wi-Fi Mini-PIM, see How to Install the Wi-Fi Mini-PIM for SRX Series Services Gateways.
The following sections describe how to configure the Wi-Fi Mini-PIM on your SRX Series device.
Configure Network Setting for the Wi-Fi Mini-PIM
Configure wl- interface
The interface name for the Mini-PIM is denoted as wl-x/0/0, where x is the slot on the SRX Series Services Gateway in which the Mini-PIM is installed. The wl- interface is created automatically when you insert the Mini-PIM into the slot on the SRX Series device.
To configure the wireless LAN interface:
Configure access point
To configure the access point associated with the wireless LAN interface wl-x/0/0:
Configure the name of the wireless access point.
[edit] user@host# set wlan access-point name interface wl-x/0/0
Set the country code (applicable only for SRX-MP-WLAN-WW models of the Mini-PIM).
Note: If you do not set the country code for the SRX-MP-WLAN-WW models, the Mini-PIM considers the country code as US. The country codes for the SRX-MP-WLAN-US and SRX-MP-WLAN-IL models are fixed and cannot be changed.
[edit] user@host# set wlan access-point name access-point-options country country-code
Set the physical location (the location of your hardware device, for example, 1st-floor).
[edit] user@host# set wlan access-point name location location
Commit the configuration.
Configure Radios
Every access point has two radios—radio 1 operates at 5-GHz bandwidth and radio 2 operates at 2.4-GHz bandwidth. A VAP is configured based on the radio. You can configure up to eight VAPs per radio and map up to 16 ESSIDs to individual VLANs. Wi-Fi Mini-PIM supports both the radios (2.4 and 5 GHz) to work simultaneously. You can also disable a radio. Table 2 lists the modes supported on each radio.
Radio | Supported Modes |
---|---|
Radio 1 (5.0 GHz) | |
Radio 2 (2.4 GHz) | |
To configure the radio:
Configure the radio mode. Radio 1 supports the acn and an modes. Radio 2 supports the g and gn modes. Note that radio 1 operates at 5 GHz and radio 2 operates at 2.4 GHz.
For radio 1: [edit] user@host# set wlan access-point name radio 1 radio-options mode (an | acn)
For radio 2: [edit] user@host# set wlan access-point name radio 2 radio-options mode gn
Configure the channel number. If you select auto, the Mini-PIM chooses the channel automatically. By default, the channel number is set to auto.
[edit] user@host# set wlan access-point name radio (1 | 2) radio-options channel number (auto | channel-number)
Configure the channel bandwidth. The default channel bandwidth is 20 MHz for the 2.4 GHz radio and 40 MHz for the 5 GHz radio. You can set 80 MHz as the channel bandwidth only for the 5 GHz radio, not for the 2.4 GHz radio.
[edit] user@host# set wlan access-point name radio (1| 2) radio-options channel bandwidth (20 | 40 | 80)
Configure the transmit power. You can configure the transmit power on a per-radio basis.
Note: When you configure the transmit power, the Mini-PIM card fixes the transmit power to the specified value, and the power by rate functionality does not work. It is therefore recommended not to set the transmit power to a specified value. When you do not configure the transmit power (that is, you do not fix it to a specified value), the power by rate functionality works. If you configure the transmit power percentage to 100, the Mini-PIM chooses the option "auto"; the behavior is the same as when no transmit power is configured, and the power by rate functionality works.
[edit] user@host# set wlan access-point name radio (1| 2) radio-options transmit-power percent
Commit the configuration.
In countries where Dynamic Frequency Selection (DFS) is required, the Wi-Fi card performs appropriate checks for radar. DFS is enabled by default. If you set the channel number to auto, the access point selects the channel from the list of DFS and non-DFS channels. You can disable DFS by using the dfs-off option: set wlan access-point name radio 1 radio-options dfs-off. Only the 5 GHz radio (radio 1) supports DFS.
For more information on DFS, see Channels and Frequencies Supported on the Wi-Fi Mini-PIM.
Configure Virtual Access Points (VAPs)
VAPs allow segmentation of the wireless LAN into multiple broadcast domains that are the wireless equivalents of Ethernet VLANs. To configure the virtual access point:
Configure the VAP settings.
[edit] user@host# set wlan access-point name radio (1| 2) virtual-access-point id description description
[edit] user@host# set wlan access-point name radio (1| 2) virtual-access-point id ssid ssid
Configure either the WPA Enterprise or the WPA Personal authentication methods for the VAP.
none—The data transferred between clients and the access point is not encrypted. Clients can associate with the access point without any authentication.
[edit] user@host# set wlan access-point name radio (1| 2) virtual-access-point id security none
wpa-enterprise—The device authenticates through an 802.1X-compliant RADIUS server.
[edit] user@host# set wlan access-point name radio (1| 2) virtual-access-point id security wpa-enterprise cipher-suites ccmp
user@host# set wlan access-point name radio (1| 2) virtual-access-point id security wpa-enterprise radius-port port
user@host# set wlan access-point name radio (1| 2) virtual-access-point id security wpa-enterprise radius-key secret-key
user@host# set wlan access-point name radio (1| 2) virtual-access-point id security wpa-enterprise wpa-version v2
wpa-personal—The device uses preshared keys (PSKs) or a passphrase for authentication and encryption.
[edit] user@host# set wlan access-point name radio (1| 2) virtual-access-point id security wpa-personal cipher-suites ccmp
user@host# set wlan access-point name radio (1| 2) virtual-access-point id security wpa-personal key-type (ascii|hex)
user@host# set wlan access-point name radio (1| 2) virtual-access-point id security wpa-personal key key
user@host# set wlan access-point name radio (1| 2) virtual-access-point id security wpa-personal wpa-version v2
Configure the upload and download rate limits on the Wi-Fi Mini-PIM. The range for upload-limit and download-limit is from 256 Kbps to 1,048,576 Kbps.
[edit] user@host# set wlan access-point name radio (1| 2) virtual-access-point id upload-limit upload-limit-rate
user@host# set wlan access-point name radio (1| 2) virtual-access-point id download-limit download-limit-rate
Specify the maximum number of clients that can be connected to the VAP.
[edit] user@host# set wlan access-point name radio (1| 2) virtual-access-point id maximum-stations number
Commit the configuration.
After the configuration is successfully completed, you can view the parameters by using the show wlan access-points name detail command.
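An added example, not part of the original documentation: a Python check that reads set wlan access-point lines and flags the constraints stated in the radio and VAP sections above (radio modes, 80 MHz only on radio 1, the rate-limit range, 8 VAPs per radio), plus VAPs whose security is none or that do not set both wpa-version v2 and cipher-suites ccmp. The access point name ap1, the sample lines, and the finding wording are constructed for illustration.

```python
import re

# Limits stated on the page: radio 1 modes an/acn, radio 2 modes g/gn; 80 MHz only
# on radio 1 (5 GHz); rate limits 256..1,048,576 Kbps; at most 8 VAPs per radio.
MODES = {"1": {"an", "acn"}, "2": {"g", "gn"}}
LINE = re.compile(r"set wlan access-point (\S+) radio (\d+) (radio-options|virtual-access-point) (.+)")

def audit(config_text):
    """Return findings for the 'set wlan access-point ...' lines in config_text."""
    findings, vaps, count = [], {}, {}
    for m in LINE.finditer(config_text):
        ap, radio, kind, rest = m.groups()
        w = rest.split() + [""] * 4  # pad so short lines index safely
        if kind == "radio-options":
            if w[0] == "mode" and w[1] not in MODES.get(radio, set()):
                findings.append(f"{ap} radio {radio}: mode {w[1]} not supported")
            if w[:3] == ["channel", "bandwidth", "80"] and radio != "1":
                findings.append(f"{ap} radio {radio}: 80 MHz is valid only on radio 1")
            continue
        where = f"{ap} radio {radio} vap {w[0]}"
        vap = vaps.setdefault((ap, radio, w[0]), {"sec": "", "opts": set()})
        if w[1] == "security":
            vap["sec"] = w[2]
            vap["opts"].add((w[3], w[4]))
        elif w[1] in ("upload-limit", "download-limit"):
            if not (w[2].isdigit() and 256 <= int(w[2]) <= 1048576):
                findings.append(f"{where}: {w[1]} {w[2]} outside 256..1048576 Kbps")
    for (ap, radio, vid), vap in vaps.items():
        where = f"{ap} radio {radio} vap {vid}"
        count[(ap, radio)] = count.get((ap, radio), 0) + 1
        if vap["sec"] in ("", "none"):
            findings.append(f"{where}: security is none or not configured")
        elif not {("wpa-version", "v2"), ("cipher-suites", "ccmp")} <= vap["opts"]:
            findings.append(f"{where}: wpa-version v2 and cipher-suites ccmp not both set")
    findings += [f"{ap} radio {r}: {n} VAPs, limit is 8"
                 for (ap, r), n in count.items() if n > 8]
    return findings

# Constructed sample configuration (ap1 and all values are illustrative).
SAMPLE = """\
set wlan access-point ap1 radio 2 radio-options channel bandwidth 80
set wlan access-point ap1 radio 1 virtual-access-point 0 security wpa-enterprise cipher-suites ccmp
set wlan access-point ap1 radio 1 virtual-access-point 0 security wpa-enterprise wpa-version v2
set wlan access-point ap1 radio 2 virtual-access-point 0 security none
set wlan access-point ap1 radio 2 virtual-access-point 0 download-limit 128
set wlan access-point ap1 radio 2 virtual-access-point 1 security wpa-personal cipher-suites ccmp
"""

print("\n".join(audit(SAMPLE)))
```

The check works on configuration text only (for example, the set-format output saved from the device), so it can run before a commit or as part of a periodic configuration review.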
Configure VLANs
Configure VLANs based on VAP
(Optional) A single access point is segregated into multiple individual virtual access points (VAPs) simulating multiple access points in a single system. The access point supports multiple VLANs. To configure the VLAN ID based on the VAP:
Configure WPA enterprise authentication
(Optional) Wi-Fi Protected Access (WPA) Enterprise is a Wi-Fi Alliance standard that uses RADIUS server authentication with the AES-CCMP cipher suite. With this mode you can use high-security encryption along with centrally managed user authentication. Only the WPA2 standard is supported. To configure WPA Enterprise authentication:
Configure the address book and assign a security zone.
[edit] user@host# set security address-book book-name address address-name ip-prefix
user@host# set security address-book book-name attach zone trust
user@host# set security address-book book-name attach zone dot1x
Configure the source NAT rule set from the trust zone to the dot1x zone used for WPA authentication.
[edit] user@host# set security nat source rule-set rule-set-name from zone trust
user@host# set security nat source rule-set rule-set-name to zone dot1x
Configure the source NAT rule to match the source and destination addresses.
[edit] user@host# set security nat source rule-set rule-set-name rule rule-name match source-address ip-address
user@host# set security nat source rule-set rule-set-name rule rule-name match destination-address ip-address
Configure the rule to match the UDP protocol and to apply source NAT on the interface.
[edit] user@host# set security nat source rule-set rule-set-name rule rule-name match protocol udp
user@host# set security nat source rule-set rule-set-name rule rule-name then source-nat interface
Configure the security policy to match the source and destination addresses.
[edit] user@host# set security policies from-zone trust to-zone dot1x policy internet-access match source-address ip-address
user@host# set security policies from-zone trust to-zone dot1x policy internet-access match destination-address ip-address
user@host# set security policies from-zone trust to-zone dot1x policy internet-access match application any
user@host# set security policies from-zone trust to-zone dot1x policy internet-access then permit
Commit the configuration.
After the configuration is successfully completed, you can view the parameters by using the show wlan access-points name virtual-access-points command.
Configure Multiple VLANs and SSIDs
You can configure 8 VAPs on each radio, and each VAP is identified by its SSID. Up to 16 SSIDs can be configured on the Wi-Fi Mini-PIM. You can map a VLAN to each SSID, or you can assign a single VLAN to multiple SSIDs. The client connects to the VAP using the SSID and is associated with the VLAN that is mapped to the SSID.
You can configure multiple SSIDs to provide varied levels of access to different devices and users. Here is a sample configuration for three different types of users connecting to different VAPs. Each VAP is associated with a different VLAN.
Interface | VLAN ID | Address pool | VAP | SSID | Address pool network |
---|---|---|---|---|---|
wl-2/0/0.0 | 100 | junosDHCPPool | | | 192.168.2.0/24 |
wl-2/0/0.10 | 10 | junosDHCPPool1 | VAP1 | VAP-10 | 192.168.10.0/24 |
wl-2/0/0.20 | 20 | junosDHCPPool2 | VAP2 | VAP-20 | 192.168.20.0/24 |
wl-2/0/0.30 | 30 | junosDHCPPool3 | VAP3 | VAP-30 | 192.168.30.0/24 |
Verification
Display information about the parameters configured on the Wi-Fi Mini-PIM.
- To display the details of all the access points configured on the Mini-PIM:
user@host# set security zones security-zone trust interfaces wl-2/0/0.0
user@host# set security zones security-zone trust host-inbound-traffic system-services dhcp
- To display the status of the specific access point:
user@host# set system services dhcp-local-server group jdhcp-group interface wl-2/0/0.0
user@host# set access address-assignment pool junosDHCPPool family inet network 192.168.2.0/24
user@host# set access address-assignment pool junosDHCPPool family inet range junosRange low 192.168.2.2
user@host# set access address-assignment pool junosDHCPPool family inet range junosRange high 192.168.2.254
user@host# set access address-assignment pool junosDHCPPool family inet dhcp-attributes router 192.168.2.1
user@host# set interfaces wl-2/0/0 flexible-vlan-tagging
user@host# set interfaces wl-2/0/0 native-vlan-id 100