The Controller must support an ability to dynamically adjust channel and power
settings based on the RF environment. The offered Access Point must support
necessary spectrum analysis functionality to achieve this.
The Controller must support interference detection and avoidance for both Wi‐Fi
and non‐Wi‐Fi interferers. The offered Access Point must support
necessary spectrum analysis functionality to achieve this.
Must support coverage hole detection and correction that can be adjusted on a
per WLAN basis.
The controller should support advanced QoS to implement role-based access for
data, voice and video applications.
The controller should be able to detect 1500+ applications for application-based QoS,
access control per user and per SSID. The controller should support application
throttling / should have application control.
Rules for access rights should be based on any combination of time, location, user
identity and device identity.
The controller/overlay solution should provide differentiated access for guests and
the staff group on the same SSID using stateful firewall capabilities in the
controller. Guests should have restricted access, such as not being able to telnet or SSH to
servers while connecting on the same SSID. Similarly, other role-based
access policy support should be available for differentiated access.
The controller should provide latest network authentication (WEP, WPA, WPA2-
Enterprise) and encryption types like DES/3DES, TKIP and AES.
Controller should support reliable fast roaming standards 802.11k/r
Controller should support management frame protection.
Solution must support per user Rate limiting control
The Controller Should provide a dashboard of spectrum quality in terms of the
performance and impact of interference on the wireless network
identifying the problem areas, channel utilization.
The Offered Access Point should support this feature to send necessary data to
controller.
The Controller shall provide a spectrum Quality detail on a per‐radio basis to help
gauge the impact of interference on the network. The Offered Access
Point shall support this feature to send necessary
data to controller.
The WLAN solution should have the hardware to implement advanced WIDS & WIPS.
The WIPS solution should automatically blacklist clients when they attempt any attack.
WIPS solution should be capable of wireless intrusion detection & prevention. The
WLAN should be able to detect Rogue AP and take corrective action to prevent the
rogue AP. The system should
detect and prevent an organization’s wireless client connecting to rogue AP and
also prevent an outside client trying to connect to organizational WLAN.
The WIPS solution should detect and prevent an ad-hoc connection (i.e. clients forming a
network amongst themselves without an AP) as well as a Windows
bridge (a client that is associated to an AP, is also connected to the wired network and
has enabled bridging between the two interfaces).
The system should detect an invalid AP broadcasting valid SSID and should prevent
valid clients getting connected from these AP’s.
WIPS Solution should track the location of interferer objects.
For advanced forensics, the WIPS solution should perform spectrum analysis to detect
and classify sources of interference. The system should provide chart displays and
spectrograms for real-time troubleshooting and
visualization.
The WIPS solution should be able to detect and locate the rogue access point on floor
maps once detected.
The WIPS solution should detect and protect if a client probe-request frame will
be answered by a probe response containing a null SSID to crash or lock up the
firmware of any 802.11 NIC.
The WIPS solution should detect and protect if a client/tool tries to flood an AP with
802.11 management frames like authenticate/associate
frames which are designed to fill up the association table of an AP.
The WIPS solution should detect and protect if a client/tool keeps sending
disassociation frames to the broadcast address (FF:FF:FF:FF:FF:FF)
to disconnect all stations on a network for a widespread DoS.
The WIPS solution should detect and protect if somebody tries to spoof the MAC
address of a client or AP for unauthorized authentication.
The WIPS solution should detect and protect if a client/tool tries de-authentication
broadcast attempts to disconnect all clients in range rather than sending a spoofed
de-auth to a specific MAC address.
The WIPS solution should detect and protect if an attacker attempts to lure a client
to a malicious AP using the SSID on a fake AP in close proximity to the
premises. It should detect when the valid client probes for a valid SSID and these
malicious APs respond and invite the client to connect to them.
Proposed solution should support:
• IPsec using Internet Key Exchange (IKE) or IKEv2 – RFC 6379
• TLS 1.2 Suite B ciphersuites – RFC 6460
• Extensible Authentication Protocol (EAP) offload with TLS v1.2 – RFC 5246
Quality Requirement:
1. All the components shall be from the same OEM.
2. Complete lifecycle for the Controller OS should be under control of the hardware OEM.
3. Controller should be NDPP/EAL4+ Protection Profile and FIPS 140-2 compliant.
4. AAA should comply with FIPS 140-2.
Remarks
II. Specification for Access Point – Type I
Specifications
Compliance
(Yes/No)
802.11n/ac 2x2:2 (2.4 GHz) and 3x3:3 or 3x3:2 (5 GHz) MU-MIMO Dual Radio
Integrated Antenna AP
Access Point shall be 802.11ac ready from day one
AP shall have 1x10/100/1000 Ge LAN port.
802.11 b/g/n/ac functionality certified by the Wi-Fi alliance.
The max transmit power of the AP + Antenna should be as per WPC norms for
indoor Access Points.
Should support 16 x BSSID per AP
Access point should support 802.11ac beamforming for 802.11ac.
The access point should be capable of performing security scanning and serving
clients on the same radio. It should be also capable of performing
spectrum analysis and security scanning using same radio.
Should support BPSK, QPSK, 16-QAM, 64-QAM and 256 QAM (256 QAM for
802.11ac only) modulation types
Access point shall support 802.3af/at PoE standard.
Vendor shall offer AP with PoE only.
Access point should have console port.
Must support Proactive Key Caching and/or other methods for Fast Secure
Roaming.
Must operate as a sensor for wireless IPS
AP model proposed must be able to be both a client-serving
AP and a monitor-only AP for Intrusion Prevention services
The Access Point shall have the technology to improve downlink performance to
all mobile devices.
Access point must incorporate radio resource management for power, channel,
coverage hole detection and performance optimization
AP mounting kit shall be with locking mechanism so that AP cannot be removed
without using special tools.
III. Specification for AAA Appliance
Feature Specifications
Compliance
(Yes/No)
Product AAA Appliance with Guest Access through SMS
Servers
Shall support an approach that combines AAA, NAC, BYOD and Guest
Access by incorporating identity, health, physical/device
information, and conditional elements into one set of policies.
Failure of master node should not impact the ability for backup
appliances to continue servicing authentication traffic.
Specifications
Architecture
Shall be 1RU, 19" Rack Mountable
24 RJ-45 autosensing 10/100/1000 ports and minimum four 10G SFP + uplink ports
IEEE 802.3af PoE and IEEE 802.3at PoE+ compliant on Gigabit Copper Ports.
1 GB SDRAM and 2 GB flash memory
Packet buffer size of minimum 10 MB to support video/streaming traffic
Shall have switching capacity of 128 Gbps for providing non-blocking performance
Shall have 65 to 70 million pps switching throughput to achieve wire-speed forwarding
Shall provide latency of < 4 µs
Switch should support multi-switch stacking feature across four switches.
Switch should have 740W POE budget
Layer 2 Features
MAC address table size of 30000 entries
Shall support up to IEEE 802.1Q (4,094 VLAN IDs) and 1000 VLANs simultaneously
Shall support Multiple VLAN Registration Protocol (MVRP) or equivalent feature to allow automatic learning and
dynamic assignment of VLANs
Shall support Jumbo frames to improve the performance of large data transfers
IEEE 802.1AB Link Layer Discovery Protocol (LLDP) and LLDP-MED (Media Endpoint Discovery) or equivalent
IPv6 host and Dual stack (IPv4/IPv6) support to provide transition mechanism from IPv4 to IPv6
Layer 3 Features (any additional licenses required shall be included)
Static routing for IPv4 and IPv6
Advanced routing features including RIPv1, RIPv2, RIPng, OSPF v2 and OSPF v3 from day one.
Shall include Equal-cost Multipath (ECMP) capability
DHCP, DHCPv6 (client and relay)
Environmental Features
Access Control Lists for traffic filtering
Source-port filtering or equivalent feature to allow only specified ports to communicate with each other
Traffic prioritization based on IP address, IP Type of Service (ToS), Layer 3 protocol, TCP/UDP port number, source
port, DiffServ etc
Shall support traffic classification into eight priority levels mapped to eight queues
Shall support traffic rate-limiting per port
Shall support selecting the number of queues and associated memory buffering to meet the requirements of the
network applications
IEEE 802.1x to provide port-based user authentication with multiple 802.1x authentication sessions per port
Media access control (MAC) authentication to provide simple authentication based on a user's MAC address
Web-based authentication to provide a browser-based environment to authenticate clients that do not support the IEEE
802.1X supplicant
Dynamic ARP protection blocking ARP broadcasts from unauthorized hosts
Management Features
Configuration through the CLI, console, Telnet, SSH and browser-based management GUI (SSL)
SNMPv1, v2, and v3 and Remote monitoring (RMON) support
sFlow (RFC 3176) or equivalent for traffic analysis
TFTP and Secure FTP support
RADIUS/TACACS+ for switch security access administration
Simple Network Time Protocol (SNTP) or equivalent support
Shall have Digital optical monitoring of transceivers to allow detailed monitoring of the transceiver settings and
parameters
Software Defined Networking (SDN) Capability
OpenFlow protocol capability to enable software-defined networking
Allows the separation of data (packet forwarding) and control (routing decision) paths, to be controlled by an external
SDN Controller, utilizing Openflow protocol
Environmental Features
Shall support IEEE 802.3az Energy-efficient Ethernet (EEE) to reduce power consumption
Operating temperature of 0°C to 45°C
Safety and Emission standards including EN 60950; IEC 60950; VCCI Class A; FCC part 15 Class A
Warranty and Support
The below Warranty shall be offered directly from the switch OEM.
Lifetime warranty with advance replacement and next-business-day delivery
Software upgrades/updates shall be included as part of the warranty
Compliance Yes / No Remarks
Annexure - 2
Sr. No Technical Specifications (to be submitted by the tenderers) Compliance Yes / No Remarks
1 Architecture
1.1 Shall be 1RU, 19" Rack Mountable
1.2 8 RJ-45 autosensing 10/100/1000 ports and minimum 2 10G SFP + uplink ports
1.3 IEEE 802.3af PoE and IEEE 802.3at PoE+ compliant on Gigabit Copper Ports.
1.4 1 GB SDRAM and 2 GB flash memory
1.5 Packet buffer size of minimum 10 MB to support video/streaming traffic
1.6 Shall have switching capacity of 56 Gbps for providing non-blocking performance
1.7 Shall have up to 41 million pps switching throughput to achieve wire-speed forwarding
1.8 Shall provide latency of < 4 µs
1.9 Switch should support multi-switch stacking feature across four switches.
2 Switch should have 120W POE budget
3 Layer 2 Features
3.1 MAC address table size of 30000 entries
3.2 Shall support up to IEEE 802.1Q (4,094 VLAN IDs) and 1000 VLANs simultaneously
3.3 Shall support Multiple VLAN Registration Protocol (MVRP) or equivalent feature to allow automatic learning and
dynamic assignment of VLANs
3.4 Shall support Jumbo frames to improve the performance of large data transfers
3.5 IEEE 802.1AB Link Layer Discovery Protocol (LLDP) and LLDP-MED (Media Endpoint Discovery) or equivalent
3.6 IPv6 host and Dual stack (IPv4/IPv6) support to provide transition mechanism from IPv4 to IPv6
5 Layer 3 Features (any additional licenses required shall be included)
5.1 Static routing for IPv4 and IPv6
5.2 Advanced routing features including RIPv1, RIPv2, RIPng, OSPF v2 and OSPF v3 from day one.
5.3 Shall include Equal-cost Multipath (ECMP) capability
5.5 DHCP, DHCPv6 (client and relay)
6 Environmental Features
6.1 Access Control Lists for traffic filtering
6.2 Source-port filtering or equivalent feature to allow only specified ports to communicate with each other
6.3 Traffic prioritization based on IP address, IP Type of Service (ToS), Layer 3 protocol, TCP/UDP port number, source
port, DiffServ etc
6.4 Shall support traffic classification into eight priority levels mapped to eight queues
6.5 Shall support traffic rate-limiting per port
6.6 Shall support selecting the number of queues and associated memory buffering to meet the requirements of the
network applications
6.7 IEEE 802.1x to provide port-based user authentication with multiple 802.1x authentication sessions per port
6.8 Media access control (MAC) authentication to provide simple authentication based on a user's MAC address
6.9 Web-based authentication to provide a browser-based environment to authenticate clients that do not support the IEEE
802.1X supplicant
6.1 Dynamic ARP protection blocking ARP broadcasts from unauthorized hosts
7 Management Features
7.1 Configuration through the CLI, console, Telnet, SSH and browser-based management GUI (SSL)
7.2 SNMPv1, v2, and v3 and Remote monitoring (RMON) support
7.3 sFlow (RFC 3176) or equivalent for traffic analysis
7.4 TFTP and Secure FTP support
7.5 RADIUS/TACACS+ for switch security access administration
7.6 Simple Network Time Protocol (SNTP) or equivalent support
7.7 Shall have Digital optical monitoring of transceivers to allow detailed monitoring of the transceiver settings and
parameters
8 Software Defined Networking (SDN) Capability
8.1 OpenFlow protocol capability to enable software-defined networking
8.2 Allows the separation of data (packet forwarding) and control (routing decision) paths, to be controlled by an external
SDN Controller, utilizing Openflow protocol
9 Environmental Features
9.1 Shall support IEEE 802.3az Energy-efficient Ethernet (EEE) to reduce power consumption
9.2 Operating temperature of 0°C to 45°C
9.3 Safety and Emission standards including EN 60950; IEC 60950; VCCI Class A; FCC part 15 Class A
10 Warranty and Support
The below Warranty shall be offered directly from the switch OEM.
10.1 Three years warranty with advance replacement and next-business-day delivery
10.2 Software upgrades/updates shall be included as part of the warranty