Hewlett Packard Enterprise WL575 Outdoor 11a Building to Building Bridge & 11bg AP User Manual OAP6626A UG 32
Hewlett-Packard Company Outdoor 11a Building to Building Bridge & 11bg AP OAP6626A UG 32
Contents
- 1. Users Manual 1
- 2. Users Manual 2
- 3. Users Manual1
- 4. Users Manual2
Users Manual 1
User Guide 3Com Outdoor 11a Building to Building Bridge and 11bg Access Point 3CRWEASYA73 / WL-546 http://www.3com.com/ http://www.3com.com/support/en_US/productreg/frontpg Published June, 2006 Version 2.0.2 3Com Corporation 350 Campus Drive Marlborough, MA 01752-3064 Copyright © 2006 3Com Corporation. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written permission from 3Com Corporation. 3Com Corporation reserves the right to revise this documentation and to make changes in content from time to time without obligation on the part of 3Com Corporation to provide notification of such revision or change. 3Com Corporation provides this documentation without warranty, term, or condition of any kind, either implied or expressed, including, but not limited to, the implied warranties, terms or conditions of merchantability, satisfactory quality, and fitness for a particular purpose. 3Com may make improvements or changes in the product(s) and/or the program(s) described in this documentation at any time. If there is any software on removable media described in this documentation, it is furnished under a license agreement included with the product as a separate document, in the hard copy documentation, or on the removable media in a directory file named LICENSE.TXT or !LICENSE.TXT. If you are unable to locate a copy, please contact 3Com and a copy will be provided to you. UNITED STATES GOVERNMENT LEGEND If you are a United States government agency, then this documentation and the software described herein are provided to you subject to the following: All technical data and computer software are commercial in nature and developed solely at private expense. Software is delivered as “Commercial Computer Software” as defined in DFARS 252.227-7014 (June 1995) or as a “commercial item” as defined in FAR 2.101(a) and as such is provided with only such rights as are provided in 3Com’s standard commercial license for the Software. Technical data is provided with limited rights only as provided in DFAR 252.227-7015 (November 1995) or FAR 52.227-14 (June 1987), whichever is applicable. You agree not to remove or deface any portion of any legend provided on any licensed program or documentation contained in, or delivered to you in conjunction with, this User Guide. Unless otherwise indicated, 3Com registered trademarks are registered in the United States and may or may not be registered in other countries. 3Com, the 3Com logo, and SuperStack are registered trademarks of 3Com Corporation. Wi-Fi is a trademark of the Wireless Ethernet Compatibility Alliance. All other company and product names may be trademarks of the respective companies with which they are associated. EXPORT RESTRICTIONS: This product contains Encryption and may require US and/or Local Government authorization prior to export or import to another country. Contents Radio Path Planning 4 Antenna Height 5 Antenna Position and Orientation 7 Radio Interference 9 Weather Conditions 9 Ethernet Cabling 10 Grounding 10 Initial Configuration 1 Initial Setup through the CLI 1 Required Connections 1 Initial Configuration Steps 2 Logging In 3 System Configuration 1 Advanced Configuration 2 System Identification 3 TCP / IP Settings 5 Radius 7 PPPoE Settings 9 Authentication 11 Filter Control 18 SNMP 20 Administration 23 System Log 27 Wireless Distribution System (WDS) 31 Bridge 33 Spanning Tree Protocol (STP) 36 RSSI 40 Radio Interface 41 Radio Settings A (802.11a) 42 Radio Settings G (802.11g) 46 Security (Bridge Mode) 48 Security (Access Point Mode) 53 Status Information 63 AP Status 63 Station Status 65 Event Logs 67 Command Line Interface 1 Using the Command Line Interface 1 iii Accessing the CLI 1 Console Connection 1 Telnet Connection 1 Entering Commands 2 Keywords and Arguments 2 Minimum Abbreviation 2 Command Completion 3 Getting Help on Commands 3 Partial Keyword Lookup 4 Negating the Effect of Commands 4 Using Command History 4 Understanding Command Modes 4 Exec Commands 5 Configuration Commands 5 Command Line Processing 6 Command Groups 6 General Commands 7 configure 8 end 8 exit 8 ping 9 reset 10 show history 10 show line 11 System Management Commands 11 country 12 prompt 14 system name 14 username 15 password 15 ip ssh-server enable 16 ip ssh-server port 16 ip telnet-server enable 17 ip http port 17 ip http server 18 ip https port 18 ip https server 19 web-redirect 20 APmgmtIP 21 APmgmtUI 22 show apmanagement 22 show system 23 show version 24 show config 24 show hardware 28 System Logging Commands 28 logging on 29 logging host 29 iv logging console 30 logging level 30 logging facility-type 31 logging clear 32 show logging 32 show event-log 33 System Clock Commands 33 sntp-server ip 34 sntp-server enable 34 sntp-server date-time 35 sntp-server daylight-saving 36 sntp-server timezone 36 show sntp 37 DHCP Relay Commands 38 dhcp-relay enable 38 dhcp-relay 39 show dhcp-relay 39 SNMP Commands 40 snmp-server community 41 snmp-server contact 41 snmp-server location 42 snmp-server enable server 42 snmp-server host 43 snmp-server trap 44 snmp-server engine-id 45 snmp-server user 46 snmp-server targets 48 snmp-server filter 49 snmp-server filter-assignments 50 show snmp groups 50 show snmp users 51 show snmp group-assignments 51 show snmp target 52 show snmp filter 52 show snmp filter-assignments 53 show snmp 54 Flash/File Commands 55 bootfile 55 copy 56 delete 57 dir 58 show bootfile 58 RADIUS Client 59 radius-server address 59 radius-server port 60 radius-server key 60 radius-server retransmit 61 radius-server timeout 61 radius-server port-accounting 62 radius-server timeout-interim 62 radius-server radius-mac-format 63 radius-server vlan-format 63 show radius 64 802.1X Authentication 65 802.1x 65 802.1x broadcast-key-refresh-rate 66 802.1x session-key-refresh-rate 67 802.1x session-timeout 67 802.1x-supplicant enable 68 802.1x-supplicant user 68 show authentication 69 MAC Address Authentication 70 address filter default 70 address filter entry 71 address filter delete 71 mac-authentication server 72 mac-authentication session-timeout 72 Filtering Commands 73 filter local-bridge 74 filter ap-manage 74 filter uplink enable 75 filter uplink 75 filter ethernet-type enable 75 filter ethernet-type protocol 76 show filters 77 WDS Bridge Commands 77 bridge role (WDS) 78 bridge-link parent 78 bridge-link child 79 bridge dynamic-entry age-time 80 show bridge aging-time 80 show bridge filter-entry 81 show bridge link 81 Spanning Tree Commands 83 bridge stp enable 83 bridge stp forwarding-delay 84 bridge stp hello-time 84 bridge stp max-age 85 bridge stp priority 85 bridge-link path-cost 86 bridge-link port-priority 86 show bridge stp 87 Ethernet Interface Commands 88 interface ethernet 88 dns server 89 ip address 89 vi ip dhcp 90 speed-duplex 91 shutdown 92 show interface ethernet 92 Wireless Interface Commands 93 interface wireless 94 vap 95 speed 95 turbo 96 multicast-data-rate 97 channel 98 transmit-power 98 radio-mode 99 preamble 100 antenna control 100 antenna id 101 antenna location 102 beacon-interval 102 dtim-period 103 fragmentation-length 104 rts-threshold 104 super-a 105 super-g 106 description 106 ssid 107 closed-system 107 max-association 108 assoc-timeout-interval 108 auth-timeout-value 108 shutdown 109 show interface wireless 110 show station 112 Rogue AP Detection Commands 113 rogue-ap enable 113 rogue-ap authenticate 114 rogue-ap duration 114 rogue-ap interval 115 rogue-ap scan 116 show rogue-ap 117 Wireless Security Commands 117 auth 118 encryption 120 key 121 transmit-key 122 cipher-suite 123 mic_mode 124 wpa-pre-shared-key 125 pmksa-lifetime 125 vii pre-authentication 126 Link Integrity Commands 127 link-integrity ping-detect 128 link-integrity ping-host 128 link-integrity ping-interval 129 link-integrity ping-fail-retry 129 link-integrity ethernet-detect 129 show link-integrity 130 IAPP Commands 131 iapp 131 VLAN Commands 132 vlan 132 management-vlanid 133 vlan-id 133 WMM Commands 134 wmm 135 wmm-acknowledge-policy 135 wmmparam 136 viii 1 INTRODUCTION The 3Com Outdoor 11a Building to Building Bridge and 11bg Access Point system provides point-to-point or point-to-multipoint bridge links between remote Ethernet LANs, and wireless access point services for clients in the local LAN area. It includes an integrated high-gain antenna for the 802.11a radio and can operate as a “Slave” or “Master” bridge in point-to-multipoint configurations, or provide a high-speed point-to-point wireless link between two sites that can be up to 15.4 km (9.6 miles) apart. As a “Master” bridge in point-to-multipoint configurations it can support connections to as many as 16 “Slave” units. The 802.11b/g radio requires an external antenna option. Each model is housed in a weatherproof enclosure for mounting outdoors and includes its own brackets for attaching to a wall, pole, radio mast, or tower structure. The unit is powered through its Ethernet cable connection from a power injector module that is installed indoors. The wireless bridge system offers a fast, reliable, and cost-effective solution for connectivity between remote Ethernet wired LANs or to provide Internet access to an isolated site. The system is also easy to install and operate, ideal for situations where a wired link may be difficult or expensive to deploy. The wireless bridge connection provides data rates of up to 108 Mbps. In addition, both wireless bridge models offer full network management capabilities through an easy-to-use web interface, a command-line interface, and support for Simple Network Management Protocol (SNMP) tools. RADIO CHARACTERISTICS The IEEE 802.11a and 802.11g standards use a radio modulation technique known as Orthogonal Frequency Division Multiplexing (OFDM), and a shared collision domain (CSMA/CA). The 802.11a standard operates in the 5 GHz Unlicensed National Information Infrastructure (UNII) band, and the 802.11g standard in the 2.4 GHz band. 1-1 IEEE 802.11g includes backward compatibility with the IEEE 802.11b standard. IEEE 802.11b also operates at 2.4 GHz, but uses Direct Sequence Spread Spectrum (DSSS) and Complementary Code Keying (CCK) modulation technology to achieve a communication rate of up to 11 Mbps. The wireless bridge provides a 54 Mbps half-duplex connection for each active channel (up to 108 Mbps in turbo mode on the 802.11a interface). APPROVED CHANNELS Use of this product is only authorized for the channels approved by each country. For proper installation, select your country from the country selection list. To conform to FCC and other country restrictions your product may be limited in the channels that are available. If other channels are permitted in your country please visit the 3Comwebsite for the latest software version. PACKAGE CHECKLIST The 3Com Outdoor 11a Building to Building Bridge and 11bg Access Point package includes: One Dual-band Outdoor Access Point / Bridge One Category 5 network cable, length 164 ft (50 m) One power injector module and power cord Outdoor pole-mounting bracket kit This User Guide Optional: One N-type RF coaxial cable Optional: Outdoor wall-mounting bracket kit Inform your dealer if there are any incorrect, missing or damaged parts. If possible, retain the carton, including the original packing materials. Use them again to repack the product in case there is a need to return it. 1-2 HARDWARE DESCRIPTION Bottom View Console Port Cover Attachment Console Port RSSI Connector with Protective Cap Water-Tight Test Point Integrated Antenna Top View N-Type External Antenna Connector (5 GHz) N-Type External Antenna Connector (2.4 GHz) INTEGRATED HIGH-GAIN ANTENNA The OAP6626A wireless bridge includes an integrated high-gain (17 dBi) flat-panel antenna for 5 GHz operation. The antenna can provide a direct line-of-sight link up to 15.4 km (9.6 miles) with a 6 Mbps data rate. EXTERNAL ANTENNA OPTIONS The OAP6626A Master bridge unit does not include an integrated antenna, but provides various external antenna options for both 5 GHz and 2.4 GHz operation. In a point-to-multipoint configuration, an external high-gain omnidirectional, sector, or high-gain panel antenna can be attached to communicate with bridges spread over a wide area. The OAP6626A and OAP6626A units both require the 2.4 GHz 8 dBi omnidirectional external antenna for 2.4 GHz operation. The following table summarizes the external antenna options: 1-3 Antenna Type Gain (dBi) HPBW* HPBW* Horizontal Vertical Polarization Max Range/Speed 5 GHz Omnidirectional 360 12 Linear, vertical 3.3 km at 6 Mbps 5 GHz 120-Degree Sector 14 120 Linear, vertical 10.3 km at 6 Mbps 5 GHz 60-Degree Sector 17 60 Linear, vertical 14 km at 6 Mbps 5 GHz High-Gain Panel 23 Linear 24.4 km at 6 Mbps 2.4 GHz Omnidirectional 360 15 Linear, vertical 7.6 km at 6 Mbps * Half-power beam width in degrees External antennas connect to the N-type RF connectors on the wireless bridge using the provided coaxial cables. ETHERNET PORT The wireless bridge has one 10BASE-T/100BASE-TX 8-pin DIN port that connects to the power injector module using the included Ethernet cable. The Ethernet port connection provides power to the wireless bridge as well as a data link to the local network. The wireless bridge appears as an Ethernet node and performs a bridging function by moving packets from the wired LAN to the remote end of the wireless bridge link. NOTE: The power injector module does not support Power over Ethernet (PoE) based on the IEEE 802.3af standard. The wireless bridge unit must always be powered on by being connected to the power injector module. POWER INJECTOR MODULE The wireless bridge receives power through its network cable connection using power-over-Ethernet technology. A power injector module is included in the wireless bridge package and provides two RJ-45 Ethernet ports, one for connecting to the wireless bridge (Output), and the other for connecting to a local LAN switch (Input). The Input port uses an MDI (i.e., internal straight-through) pin configuration. You can therefore use straight-through twisted-pair cable to connect this port to most network interconnection devices such as a switch or router that provide MDI-X ports. However, when connecting the access point to a workstation or other device that does not have MDI-X ports, you must use crossover twisted-pair cable. 1-4 LED Indicator Input AC Power Socket (Hidden) Output Ethernet from Local Network Ethernet and Power to Wireless Bridge The wireless bridge does not have a power switch. It is powered on when its Ethernet port is connected to the power injector module, and the power injector module is connected to an AC power source. The power injector includes one LED indicator that turns on when AC power is applied. The power injector module automatically adjusts to any AC voltage between 100-240 volts at 50 or 60 Hz. No voltage range settings are required. WARNING: The power injector module is designed for indoor use only. Never mount the power injector outside with the wireless bridge unit. RECEIVE SIGNAL STRENGTH INDICATOR (RSSI) BNC CONNECTOR The RSSI connector provides an output voltage that is proportional to the received radio signal strength. A DC voltmeter can be connected the this port to assist in aligning the antennas at both ends of a wireless bridge link. GROUNDING POINT Even though the wireless bridge includes its own built-in lightning protection, it is important that the unit is properly connected to ground. A grounding screw is provided for attaching a ground wire to the unit. WALL- AND POLE-MOUNTING BRACKET KITS The wireless bridge includes bracket kits that can be used to mount the bridge to a wall, pole, radio mast, or part of a tower structure. 1-5 SYSTEM CONFIGURATION At each location where a unit is installed, it must be connected to the local network using the power injector module. The following figure illustrates the system component connections. External Antenna Indoor Outdoor RF Coaxial Cable Wireless Bridge Unit LAN Switch Ethernet Cable Ethernet Cable Power Injector Ground Wire AC Power FEATURES AND BENEFITS OAP6626A Slave units support a 5 GHz point-to-point wireless link up 15.4 km (at 6 Mbps data rate) using integrated high-gain 17 dBi antennas OAP6626A Master units support 5 GHz point-to-multipoint links using various external antenna options Both OAP6626A and OAP6626A units also support access point services for the 5 GHz and 2.4 GHz radios using various external antenna options Maximum data rate up to 108 Mbps on the 802.11a (5 GHz) radio Outdoor weatherproof design IEEE 802.11a and 802.11b/g compliant Local network connection via 10/100 Mbps Ethernet port Powered through its Ethernet cable connection to the power injector module Includes wall- and pole-mount brackets Security through 64/128/152-bit Wired Equivalent Protection (WEP) or 128-bit Advanced Encryption Standard (AES) encryption Scans all available channels and selects the best channel and data rate based on the signal-to-noise ratio Manageable through an easy-to-use web-browser interface, command line (via Telnet), or SNMP network management tools 1-6 SYSTEM DEFAULTS The following table lists some of the wireless bridge’s basic system defaults. To reset the bridge defaults, use the CLI command “reset configuration” from the Exec level prompt. Feature Parameter Default Identification System Name Dual Band Outdoor AP Administration User Name admin Password null HTTP Server Enabled HTTP Server Port 80 IP Address 192.168.1.1 Subnet Mask 255.255.255.0 Default Gateway 0.0.0.0 Primary DNS IP 0.0.0.0 Secondary DNS IP 0.0.0.0 Status Disabled Native VLAN ID Filter Control Ethernet Type Disabled SNMP Status Enabled Location null Contact Contact Community (Read Only) Public Community (Read/Write) Private Traps Enabled Trap Destination IP Address null Trap Destination Community Name Public General TCP/IP VLANs 1-7 Feature Parameter Default System Logging Syslog Disabled Logging Host Disabled Logging Console Disabled IP Address / Host Name 0.0.0.0 Logging Level Informational Logging Facility Type 16 Spanning Tree Status Enabled Ethernet Interface Speed and Duplex Auto WDS Bridging Outdoor Bridge Band A (802.11a) Wireless Interface 802.11a Status Enabled SSID DualBandOutdoor Turbo Mode Disabled Radio Channel Default to first channel Auto Channel Select Enabled Transmit Power Full Maximum Data Rate 54 Mbps Beacon Interval 100 TUs Data Beacon Rate (DTIM Interval) 2 beacons RTS Threshold 2347 bytes Authentication Type Open System AES Encryption Disabled WEP Encryption Disabled WEP Key Length 128 bits WEP Key Type Hexadecimal WEP Transmit Key Number Wireless Security 802.11a 1-8 Feature Parameter Default Wireless Interface 802.11b/g Status Enabled SSID DualBandOutdoor Radio Channel Default to first channel Auto Channel Select Enabled Transmit Power Full Maximum Data Rate 54 Mbps Beacon Interval 100 TUs Data Beacon Rate (DTIM Interval) 2 beacons RTS Threshold 2347 bytes Authentication Type Open System AES Encryption Disabled WEP Encryption Disabled WEP Key Length 128 bits WEP Key Type Hexadecimal WEP Transmit Key Number WEP Keys null WEP Keys null Wireless Security 802.11b/g 1-9 1-10 2 INSTALLING THE BRIDGE The 3Com Outdoor 11a Building to Building Bridge and 11bg Access Point system provides access point or bridging services through either the 5 GHz or 2.4 GHz radio interfaces. The wireless bridge units can be used just as normal 802.11a/b/g access points connected to a local wired LAN, providing connectivity and roaming services for wireless clients in an outdoor area. Units can also be used purely as bridges connecting remote LANs. Alternatively, you can employ both access point and bridging functions together, offering a flexible and convenient wireless solution for many applications. This chapter describes the role of wireless bridge in various wireless network configurations. ACCESS POINT TOPOLOGIES Wireless networks support a stand-alone wireless configuration as well as an integrated configuration with 10/100 Mbps Ethernet LANs. Wireless network cards, adapters, and access points can be configured as: Ad hoc for departmental, SOHO, or enterprise LANs Infrastructure for wireless LANs Infrastructure wireless LAN for roaming wireless PCs The 802.11b and 802.11g frequency band, which operates at 2.4 GHz, can easily encounter interference from other 2.4 GHz devices, such as other 802.11b or g wireless devices, cordless phones and microwave ovens. If you experience poor wireless LAN performance, try the following measures: Limit any possible sources of radio interference within the service area Increase the distance between neighboring access points Increase the channel separation of neighboring access points (e.g., up to 3 channels of separation for 802.11b or up to 5 channels for 802.11g) 2-1 AD HOC WIRELESS LAN (NO ACCESS POINT OR BRIDGE) An ad hoc wireless LAN consists of a group of computers, each equipped with a wireless adapter, connected through radio signals as an independent wireless LAN. Computers in a specific ad hoc wireless LAN must therefore be configured to the same radio channel. Ad Hoc Wireless LAN Notebook with Wireless USB Adapter Notebook with Wireless PC Card PC with Wireless PCI Adapter INFRASTRUCTURE WIRELESS LAN The access point function of the wireless bridge provides access to a wired LAN for 802.11a/b/g wireless workstations. An integrated wired/wireless LAN is called an Infrastructure configuration. A Basic Service Set (BSS) consists of a group of wireless PC users and an access point that is directly connected to the wired LAN. Each wireless PC in a BSS can connect to any computer in its wireless group or access other computers or network resources in the wired LAN infrastructure through the access point. The infrastructure configuration not only extends the accessibility of wireless PCs to the wired LAN, but also increases the effective wireless transmission range for wireless PCs by passing their signals through one or more access points. A wireless infrastructure can be used for access to a central database, or for connection between mobile workers, as shown in the following figure. 2-2 Wired LAN Extension to Wireless Clients Server Switch Desktop PC Access Point Notebook PC Desktop PC INFRASTRUCTURE WIRELESS LAN FOR ROAMING WIRELESS PCS The Basic Service Set (BSS) defines the communications domain for each access point and its associated wireless clients. The BSS ID is a 48-bit binary number based on the access point’s wireless MAC address, and is set automatically and transparently as clients associate with the access point. The BSS ID is used in frames sent between the access point and its clients to identify traffic in the service area. The BSS ID is only set by the access point, never by its clients. The clients only need to set the Service Set Identifier (SSID) that identifies the service set provided by one or more access points. The SSID can be manually configured by the clients, can be detected in an access point’s beacon, or can be obtained by querying for the identity of the nearest access point. For clients that do not need to roam, set the SSID for the wireless card to that used by the access point to which you want to connect. A wireless infrastructure can also support roaming for mobile workers. More than one access point can be configured to create an Extended Service Set (ESS). By placing the access points so that a continuous coverage area is created, wireless users within this ESS can roam freely. All wireless network card adapters and wireless access points within a specific ESS must be configured with the same SSID. 2-3 Seamless Roaming Between Access Points Server Desktop PC Switch Switch Access Point Notebook PC Notebook PC Access PointDesktop PC BRIDGE LINK TOPOLOGIES The IEEE 802.11 standard defines a WIreless Distribution System (WDS) for bridge connections between BSS areas (access points). The outdoor wireless bridge uses WDS to forward traffic on links between units. Up to 16 WDS links can be specified for a OAP6626A unit, which acts as the “Master” in the wireless bridge network. OAP6626A units support only one WDS link, which must be to the network’s master unit. The unit supports WDS bridge links on either the 5 GHz (802.11a) or 2.4 GHz (802.11b/g) bands and can be used with various external antennas to offer flexible deployment options. NOTE: The external antennas offer longer range options using the 5 GHz radio, which makes this interface more suitable for bridge links. The 2.4 GHz radio has only the 8 dBi omnidirectional antenna option, which is better suited for local access point services. When using WDS on a radio band, only wireless bridge units can associate to each other. Wireless clients can only associate with the wireless bridge using a radio band set to access point mode. 2-4 POINT-TO-POINT CONFIGURATION Two OAP6626A bridges can form a wireless point-to-point link using their 5 GHz (802.11a) integrated antennas. A point-to-point configuration can provide a limited data rate (6 Mbps) link over a long range (up to 15.4 km), or a high data rate (108 Mbps) over a short range (1.3 km). EASY873 EASY873 LAN LAN POINT-TO-MULTIPOINT CONFIGURATION A OAP6626A wireless bridge set to “Master” mode can use an omnidirectional or sector antenna to connect to as many as 16 bridges in a point-to-multipoint configuration. There can only be one “Master” unit in the wireless bridge network, all other bridges must be “Slave” units. Using the 5 GHz 8 dBi omnidirectional external antenna, the Master unit can connect to Slave units up to 3.3 km (2 miles) away. Using the 13.5 dBi 120-degree sector antenna, the Master can connect to Slave units up to 10.3 km (6.4 miles) away. 2-5 Slave Slave Slave Master with Omnidirectional Antenna Slave Slave Slave Slave Slave Master with Sector Antenna Slave 2-6 3 BRIDGE LINK PLANNING The 3Com Outdoor 11a Building to Building Bridge and 11bg Access Point supports fixed point-to-point or point-to-multipoint wireless links. A single link between two points can be used to connect a remote site to larger core network. Multiple bridge links can provide a way to connect widespread Ethernet LANs. For each link in a wireless bridge network to be reliable and provide optimum performance, some careful site planning is required. This chapter provides guidance and information for planning your wireless bridge links. NOTE: The planning and installation of the wireless bridge requires professional personnel that are trained in the installation of radio transmitting equipment. The user is responsible for compliance with local regulations concerning items such as antenna power, use of lightning arrestors, grounding, and radio mast or tower construction. Therefore, it is recommended to consult a professional contractor knowledgeable in local radio regulations prior to equipment installation. 3-1 DATA RATES Using its 5 GHz integrated antenna, the OAP6626A bridge set to “Slave” mode can operate over a range of up to 15.4 km (9.6 miles) or provide a high-speed connection of 54 Mbps (108 Mbps in turbo mode). However, the maximum data rate for a link decreases as the operating range increases. A 15.4 km link can only operate up to 6 Mbps, whereas a 108 Mbps connection is limited to a range of 1.3 km. When you are planning each wireless bridge link, take into account the maximum distance and data rates for the various antenna options. A summary for 5 GHz (802.11a) antennas is provided in the following table. For full specifications for each antenna, see “Antenna Specifications” on page B-3. Distances Achieved Using Normal Mode Data Rate 17 dBi Integrated 8 dBi Omni 13.5 dBi 120-Degre e Sector 16.5 dBi 60-Degree Sector 23 dBi Panel 6 Mbps 15.4 km 3.3 km 10.3 km 14 km 24.4 km 9 Mbps 14.7 km 2.9 km 9.2 km 13.4 km 23.3 km 12 Mbps 14 km 2.6 km 8.2 km 12.8 km 22.2 km 18 Mbps 12.8 km 2.1 km 6.5 km 11.7 km 20.3 km 24 Mbps 11.1 km 1.5 km 4.6 km 9.2 km 17.7 km 36 Mbps 6.5 km 0.8 km 2.6 km 5.2 km 14 km 48 Mbps 2.9 km 0.4 km 1.2 km 2.3 km 9.2 km 54 Mbps 1.8 km 0.2 km 0.7 km 1.5 km 5.8 km Distances provided in this table are an estimate for a typical deployment and may be reduced by local regulatory limits. For accurate distances, you need to calculate the power link budget for your specific environment. 3-2 . Distances Achieved Using Turbo Mode Data Rate 17 dBi Integrated 8 dBi Omni 13.5 dBi 120-Degre e Sector 16.5 dBi 60-Degree Sector 23 dBi Panel 12 Mbps 13.4 km 2.3 km 7.3 km 12.2 km 21.2 km 18 Mbps 12.8 km 2.1 km 6.5 km 11.7 km 20.3 km 24 Mbps 12.2 km 1.8 km 5.8 km 11.1 km 19.4 km 36 Mbps 11.1 km 1.5 km 4.6 km 9.2 km 17.7 km 48 Mbps 8.2 km 1 km 3.3 km 6.5 km 15.4 km 72 Mbps 4.6 km 0.6 km 1.8 km 3.7 km 12.2 km 96 Mbps 2.1 km 0.3 km 0.8 km 1.6 km 6.5 km 108 Mbps 1.3 km 0.2 km 0.5 km 1 km 4.1 km Distances provided in this table are an estimate for a typical deployment and may be reduced by local regulatory limits. For accurate distances, you need to calculate the power link budget for your specific environment. 3-3 Radio Path Planning Although the wireless bridge uses IEEE 802.11a radio technology, which is capable of reducing the effect of multipath signals due to obstructions, the wireless bridge link requires a “radio line-of-sight” between the two antennas for optimum performance. The concept of radio line-of-sight involves the area along a radio link path through which the bulk of the radio signal power travels. This area is known as the first Fresnel Zone of the radio link. For a radio link not to be affected by obstacles along its path, no object, including the ground, must intrude within 60% of the first Fresnel Zone. The following figure illustrates the concept of a good radio line-of-sight. Visual Line of Sight Radio Line of Sight If there are obstacles in the radio path, there may still be a radio link but the quality and strength of the signal will be affected. Calculating the maximum clearance from objects on a path is important as it directly affects the decision on antenna placement and height. It is especially critical for long-distance links, where the radio signal could easily be lost. NOTE: For wireless links less than 500 m, the IEEE 802.11a radio signal will tolerate some obstacles in the path and may not even require a visual line of sight between the antennas. When planning the radio path for a wireless bridge link, consider these factors: • Avoid any partial line-of-sight between the antennas. • Be cautious of trees or other foliage that may be near the path, or may grow and obstruct the path. 3-4 • Be sure there is enough clearance from buildings and that no building construction may eventually block the path. • Check the topology of the land between the antennas using topographical maps, aerial photos, or even satellite image data (software packages are available that may include this information for your area) • Avoid a path that may incur temporary blockage due to the movement of cars, trains, or aircraft. Antenna Height A reliable wireless link is usually best achieved by mounting the antennas at each end high enough for a clear radio line of sight between them. The minimum height required depends on the distance of the link, obstacles that may be in the path, topology of the terrain, and the curvature of the earth (for links over 3 miles). For long-distance links, a mast or pole may need to be contsructed to attain the minimum required height. Use the following table to estimate the required minimum clearance above the ground or path obstruction (for 5 GHz bridge links). Total Link Distance Max Clearance for 60% of First Fresnel Zone at 5.8 GHz Approximate Clearance for Earth Curvature Total Clearance Required at Mid-point of Link 0.25 mile (402 m) 4.5 ft (1.4 m) 4.5 ft (1.4 m) 0.5 mile (805 m) 6.4 ft (1.95 m) 6.4 ft (1.95 m) 1 mile (1.6 km) 9 ft (2.7 m) 9 ft (2.7 m) 2 miles (3.2 km) 12.7 ft (3.9 m) 12.7 ft (3.9 m) 3 miles (4.8 km) 15.6 ft (4.8 m) 1.8 ft (0.5 m) 17.4 ft (5.3 m) 4 miles (6.4 km) 18 ft (5.5 m) 3.2 ft (1.0 m) 21.2 ft (6.5 m) 5 miles (8 km) 20 ft (6.1 m) 5 ft (1.5 m) 25 ft (7.6 m) 7 miles (11.3 km) 24 ft (7.3 m) 9.8 ft (3.0 m) 33.8 ft (10.3 m) 9 miles (14.5 km) 27 ft (8.2 m) 16 ft (4.9 m) 43 ft (13.1 m) 12 miles (19.3 km) 31 ft (9.5 m) 29 ft (8.8 m) 60 ft (18.3 m) 3-5 Total Link Distance Max Clearance for 60% of First Fresnel Zone at 5.8 GHz Approximate Clearance for Earth Curvature Total Clearance Required at Mid-point of Link 15 miles (24.1 km) 35 ft (10.7 m) 45 ft (13.7 m) 80 ft (24.4 m) 17 miles (27.4 km) 37 ft (11.3 m) 58 ft (17.7 m) 95 ft (29 m) Note that to avoid any obstruction along the path, the height of the object must be added to the minimum clearance required for a clear radio line-of-sight. Consider the following simple example, illustrated in the figure below. Radio Line of Sight Visual Line of Sight 3 miles (4.8 km) 2.4 m 5.4 m 1.4 m 9m 20 m 17 m 12 m A wireless bridge link is deployed to connect building A to a building B, which is located three miles (4.8 km) away. Mid-way between the two buidings is a small tree-covered hill. From the above table it can be seen that for a three-mile link, the object clearance required at the mid-point is 5.3 m (17.4 ft). The tree-tops on the hill are at an elevation of 17 m (56 ft), so the antennas at each end of the link need to be at least 22.3 m (73 ft) high. Building A is six stories high, or 20 m (66 ft), so a 2.3 m (7.5 ft) mast or pole must be contructed on its roof to achieve the required antenna height. Building B is only three stories high, or 9 m (30 ft), but is located at an elevation that is 12 m (39 ft) higher than bulding A. To mount an anntena at the required height on building B, a mast or pole of only 1.3 m (4.3 ft) is needed. WARNING: Never construct a radio mast, pole, or tower near overhead power lines. 3-6 NOTE: Local regulations may limit or prevent construction of a high radio mast or tower. If your wireless bridge link requires a high radio mast or tower, consult a professional contractor for advice. Antenna Position and Orientation Once the required antenna height has been determined, other factors affecting the precise position of the wireless bridge must be considered: • Be sure there are no other radio antennas within 2 m (6 ft) of the wireless bridge • Place the wireless bridge away from power and telephone lines • Avoid placing the wireless bridge too close to any metallic reflective surfaces, such as roof-installed air-conditioning equipment, tinted windows, wire fences, or water pipes • The wireless bridge antennas at both ends of the link must be positioned with the same polarization direction, either horizontal or vertical 3-7 Antenna Polarization — The wireless bridge’s integrated antenna sends a radio signal that is polarized in a particular direction. The antenna’s receive sensitivity is also higher for radio signals that have the same polarization. To maximize the performance of the wireless link, both antennas must be set to the same polarization direction. Ideally the antennas should be pointing upwards mounted on the top part of a pole. 3-8 Radio Interference The avoidance of radio interference is an important part of wireless link planning. Interference is caused by other radio transmissions using the same or an adjacent channel frequency. You should first scan your proposed site using a spectrum analyzer to determine if there are any strong radio signals using the 802.11a channel frequencies. Always use a channel frequency that is furthest away from another signal. If radio interference is still a problem with your wireless bridge link, changing the antenna polarization direction may improve the situation. Weather Conditions When planning wireless bridge links, you must take into account any extreme weather conditions that are known to affect your location. Consider these factors: • Temperature — The wireless bridge is tested for normal operation in temperatures from -33°C to 55°C. Operating in temperatures outside of this range may cause the unit to fail. • Wind Velocity — The wireless bridge can operate in winds up to 90 MPH and survive higher wind speeds up to 125 MPH. You must consider the known maximum wind velocity and direction at the site and be sure that any supporting structure, such as a pole, mast, or tower, is built to withstand this force. • Lightning — The wireless bridge includes its own built-in lightning protection. However, you should make sure that the unit, any supporting structure, and cables are all properly grounded. Additional protection using lightning rods, lightning arrestors, or surge suppressors may also be employed. • Rain — The wireless bridge is weatherproofed against rain. Also, prolonged heavy rain has no significant effect on the radio signal. However, it is recommended to apply weatherproof sealing tape around the Ethernet port and antenna connectors for extra protection. If moisture enters a connector, it may cause a degradation in performance or even a complete failure of the link. • Snow and Ice — Falling snow, like rain, has no significant effect on the radio signal. However, a build up of snow or ice on antennas may cause the link to fail. In this case, the snow or ice has to be cleared from the antennas to restore operation of the link. 3-9 Ethernet Cabling When a suitable antenna location has been determined, you must plan a cable route form the wireless bridge outdoors to the power injector module indoors. Consider these points: • The Ethernet cable length should never be longer than 100 m (328 ft) • Determine a building entry point for the cable • Determine if conduits, bracing, or other structures are required for safety or protection of the cable • For lightning protection at the power injector end of the cable, consider using a lightning arrestor immediately before the cable enters the building Grounding It is important that the wireless bridge, cables, and any supporting structures are properly grounded. The wireless bridge unit includes a grounding screw for attaching a ground wire. Be sure that grounding is available and that it meets local and national electrical codes. 3-10 4 HARDWARE INSTALLATION Before mounting antennas to set up your wireless bridge links, be sure you have selected appropriate locations for each antenna. Follow the guidance and information in Chapter 2, “Wireless Link Planning.” Also, before mounting units in their intended locations, you should first perform initial configuration and test the basic operation of the wireless bridge links in a controlled environment over a very short range. (See the section “Testing Basic Link Operation” in this chapter.) The wireless bridge includes its own bracket kit for mounting the unit to a 1.5 to 2 inch diameter steel pole or tube. The pole-mounting bracket allows the unit to be mounted to part of a radio mast or tower structure. The unit also has a wall-mounting bracket kit that enables it to be fixed to a building wall or roof when using external antennas. Hardware installation of the wireless bridge involves these steps: Mount the unit on a wall, pole, mast, or tower using the mounting bracket. Mount external antennas on the same supporting structure as the bridge and connect them to the bridge unit. Connect the Ethernet cable and a grounding wire to the unit. Connect the power injector to the Ethernet cable, a local LAN switch, and an AC power source. Align antennas at both ends of the link. 4-1 TESTING BASIC LINK OPERATION Set up the units over a very short range (15 to 25 feet), either outdoors or indoors. Connect the units as indicated in this chapter and be sure to perform all the basic configuration tasks outlined in Chapter 4, “Initial Configuration.” When you are satisfied that the links are operating correctly, proceed to mount the units in their intended locations. MOUNT THE UNIT The bridge can be mounted on the following types of surfaces: Pole Wall, or electrical box (NEMA enclosure) CAUTION: The bridge is intended for outdoor use only. Do not install the bridge indoors. Using the Pole-Mounting Bracket Perform the following steps to mount the unit to a 1.5 to 2 inch diameter steel pole or tube using the mounting bracket: Always attach the bracket to a pole with the open end of the mounting grooves facing up. Place the V-shaped part of the bracket around the pole and tighten the securing nuts just enough to hold the bracket to the pole. (The bracket may need to be rotated around the pole during the alignment process.) Attach V-shaped parts to pole with provided nuts and bolts 4-2 Slot the edges of the V-shaped part into the slats in the rectangular plate, and tighten the nuts Attach the adjustable rectangular plate to the bridge with supplied screws 4-3 Attach the bridge with bracket to afixed plate on pole Use the included nuts to tightly secure the wireless bridge to the bracket. Be sure to take account of the antenna polarization direction; all antennas in a link must be mounted with the same polarization. USING THE WALL-MOUNTING BRACKET Perform the following steps to mount the unit to a wall using the wall-mounting bracket: CAUTION: The wall-mounting bracket does not allow the wireless bridge’s intrgrated antenna to be aligned. It is intended for use with the unit using an external antenna. 4-4 1 Always attach the bracket to a wall with flat side flush against the wall (see following figure). Position the bracket in the intended location and mark the position of the three mounting screw holes. Drill three holes in the wall that match the screws and wall plugs included in the bracket kit, then secure the bracket to the wall. Use the included nuts to tightly secure the wireless bridge to the bracket. 4-5 5 Connect the Ethernet cable (and power cable, if applicable) to the port(s) on the front of the FEM656B - 3Com 10-100 LAN + 56K Modem CardBus PC Card-(Fast Ethernet). CONNECTING THE BRIDGE TO A SWITCH It is recommended that you install and configure the 3Com Wireless LAN switch before installing the FEM656B - 3Com 10-100 LAN + 56K Modem CardBus PC Card-(Fast Ethernet). If the switch is already installed and configured for the FEM656B - 3Com 10-100 LAN + 56K Modem CardBus PC Card-(Fast Ethernet), you can immediately verify the cable connection when you plug the cable into the FEM656B - 3Com 10-100 LAN + 56K Modem CardBus PC Card-(Fast Ethernet). WARNING: Do not connect or disconnect cables or otherwise work with the bridge during periods of lightning activity. You can connect the bridge directly to a Wireless LAN Switch port or indirectly to Wireless LAN switches through an intermediate Layer 2 or Layer 3 network. In either case, use Category 5 cable with straight-through signaling for each FEM656B - 3Com 10-100 LAN + 56K Modem CardBus PC Card-(Fast Ethernet) connection. CONNECT EXTERNAL ANTENNAS When deploying a OAP6626A Master bridge unit for a bridge link or access point operation, you need to mount external antennas and connect them to the bridge. Typically, a bridge link requires a 5 GHz antenna, and access point operation a 2.4 GHz antenna. OAP6626A Slave units also require an external antenna for 2.4 GHz operation. Perform these steps: Mount the external antenna to the same supporting structure as the bridge, within 3 m (10 ft) distance, using the bracket supplied in the antenna package. Connect the antenna to the bridge’s N-type connector using the RF coaxial cable provided in the antenna package. Apply weatherproofing tape to the antenna connectors to help prevent water entering the connectors. 4-6 2.4 GHz N-type Connector 5 GHz N-type Connector 5 GHz External High-gain Panel Antenna 2.4 GHz External Omnidirectional Antenna RF Coaxial Cable CONNECT CABLES TO THE UNIT Attach the Ethernet cable to the Ethernet port on the wireless bridge. For extra protection against rain or moisture, apply weatherproofing tape (not included) around the Ethernet connector. Be sure to ground the unit with an appropriate grounding wire (not included) by attaching it to the grounding screw on the unit. CAUTION: Be sure that grounding is available and that it meets local and national electrical codes. For additional lightning protection, use lightning rods, lightning arrestors, or surge suppressors. 4-7 Console Port PoE (Ethernet) Port Ground Wire Grounding Screw Ethernet Cable CONNECT THE POWER INJECTOR To connect the wireless bridge to a power source: CAUTION: Do not install the power injector outdoors. The unit is for indoor installation only. NOTE: The wireless bridge’s Ethernet port does not support Power over Ethernet (PoE) based on the IEEE 802.3af standard. Do not try to power the unit by connecting it directly to a network switch that provides IEEE 802.3af PoE. Always connect the unit to the included power injector module. Connect the Ethernet cable from the wireless bridge to the RJ-45 port labeled “Output” on the power injector. Connect a straight-through unshielded twisted-pair (UTP) cable from a local LAN switch to the RJ-45 port labeled “Input” on the power injector. Use Category 5e or better UTP cable for 10/100BASE-TX connections. NOTE: The RJ-45 port on the power injector is an MDI port. If connecting directly to a computer for testing the link, use a crossover cable. 4-8 AC power Ethernet cable from LAN switch Inp ut Ou tpu Power LED indicator Ethernet cable to wireless bridge Insert the power cable plug directly into the standard AC receptacle on the power injector. Plug the other end of the power cable into a grounded, 3-pin socket, AC power source. NOTE: For International use, you may need to change the AC line cord. You must use a line cord set that has been approved for the receptacle type in your country. Check the LED on top of the power injector to be sure that power is being supplied to the wireless bridge through the Ethernet connection. CONNECT EXTERNAL ANTENNAS When deploying a OAP6626A set to “Master” mode for a bridge link or access point operation, you need to mount external antennas and connect them to the bridge. Typically, a bridge link requires a 5 GHz antenna, and access point operation a 2.4 GHz antenna. Units set to “Slave” mode also require an external antenna for 2.4 GHz operation. Perform these steps: Mount the external antenna to the same supporting structure as the bridge, within 3 m (10 ft) distance, using the bracket supplied in the antenna package. Connect the antenna to the bridge’s N-type connector using the RF coaxial cable provided in the antenna package. Apply weatherproofing tape to the antenna connectors to help prevent water entering the connectors. 4-9 2.4 GHz N-type Connector 5 GHz N-type Connector 5 GHz External High-gain Panel Antenna 2.4 GHz External Omnidirectional Antenna RF Coaxial Cable CONNECT CABLES TO THE UNIT Attach the Ethernet cable to the Ethernet port on the wireless bridge. NOTE: The Ethernet cable included with the package is 30 m (100 ft) long. To wire a longer cable (maximum 100 m, 325 ft), use the connector pinout information in Appendix B. For extra protection against rain or moisture, apply weatherproofing tape (not included) around the Ethernet connector. Be sure to ground the unit with an appropriate grounding wire (not included) by attaching it to the grounding screw on the unit. CAUTION: Be sure that grounding is available and that it meets local and national electrical codes. For additional lightning protection, use lightning rods, lightning arrestors, or surge suppressors. 4-10 Console Port PoE (Ethernet) Port Ground Wire Grounding Screw Ethernet Cable CONNECT THE POWER INJECTOR To connect the wireless bridge to a power source: CAUTION: Do not install the power injector outdoors. The unit is for indoor installation only. NOTE: The wireless bridge’s Ethernet port does not support Power over Ethernet (PoE) based on the IEEE 802.3af standard. Do not try to power the unit by connecting it directly to a network switch that provides IEEE 802.3af PoE. Always connect the unit to the included power injector module. Connect the Ethernet cable from the wireless bridge to the RJ-45 port labeled “Output” on the power injector. Connect a straight-through unshielded twisted-pair (UTP) cable from a local LAN switch to the RJ-45 port labeled “Input” on the power injector. Use Category 5 or better UTP cable for 10/100BASE-TX connections. NOTE: The RJ-45 port on the power injector is an MDI port. If connecting directly to a computer for testing the link, use a crossover cable. 4-11 AC power Ethernet cable from LAN switch Inp ut Ou tpu Power LED indicator Ethernet cable to wireless bridge Insert the power cable plug directly into the standard AC receptacle on the power injector. Plug the other end of the power cable into a grounded, 3-pin socket, AC power source. NOTE: For International use, you may need to change the AC line cord. You must use a line cord set that has been approved for the receptacle type in your country. Check the LED on top of the power injector to be sure that power is being supplied to the wireless bridge through the Ethernet connection. ALIGN ANTENNAS After wireless bridge units have been mounted, connected, and their radios are operating, the antennas must be accurately aligned to ensure optimum performance on the bridge links. This alignment process is particularly important for long-range point-to-point links. In a point-to-multipoint configuration the Master bridge uses an omnidirectional or sector antenna, which does not require alignment, but Slave bridges still need to be correctly aligned with the Master bridge antennna. Point-to-Point Configurations – In a point-to-point configuration, the alignment process requires two people at each end of the link. The use of cell phones or two-way radio communication may help with coordination. To start, you can just point the antennas at each other, using binoculars or a compass to set the general direction. For accurate alignment, you must connect a DC voltmeter to the RSSI connector on the wireless bridge and monitor the voltage as the antenna moves horizontally and vertically. 4-12 Point-to-Multipoint Configurations – In a point-to-multipoint configuration all Slave bridges must be aligned with the Master bridge antenna. The alignment process is the same as in point-to-point links, but only the Slave end of the link requires the alignment. The RSSI connector provides an output voltage between 0 and 3.28 VDC that is proportional to the received radio signal strength. The higher the voltage reading, the stronger the signal. The radio signal from the remote antenna can be seen to have a strong central main lobe and smaller side lobes. The object of the alignment process is to set the antenna so that it is receiving the strongest signal from the central main lobe. Vertical Scan Remote Antenna Maximum Signal Strength Position for Vertical Alignment Horizontal Scan Main Lobe Maximum RSSI Voltage RSSI Voltage Side Lobe Maximum Maximum Signal Strength Position for Horizontal Alignment To align the antennas in the link using the RSSI output voltage, start with one antenna fixed and then perform the following procedure on the other antenna: Note: NOTE: The RSSI output can be configured through management interfaces to output a value for specific WDS ports. See page 6-40 for more information. 4-13 1 Remove the RSSI connector cover and connect a voltmeter using a cable with a male BNC connector (not included). Console Port PoE (Ethernet) Port Voltmeter RSSI BNC Connection Pan the antenna horizontally back and forth while checking the RSSI voltage. If using the pole-mounting bracket with the unit, you must rotate the mounting bracket around the pole. Other external antenna brackets may require a different horizontal adjustment. Find the point where the signal is strongest (highest voltage) and secure the horizontal adjustment in that position. NOTE: Sometimes there may not be a central lobe peak in the voltage because vertical alignment is too far off; only two similar peaks for the side lobes are detected. In this case, fix the antenna so that it is halfway between the two peaks. Loosen the vertical adjustment on the mounting bracket and tilt the antenna slowly up and down while checking the RSSI voltage. Find the point where the signal is strongest and secure the vertical adjustment in that position. Remove the voltmeter cable and replace the RSSI connector cover. 4-14 Chapter 5: Initial Configuration The 2.4 GHz/5 GHz Wireless Bridge offers a variety of management options, including a web-based interface, a direct connection to the console port, Telnet, Secure Shell (SSH), or using SNMP software. The initial configuration steps can be made through the web browser interface or CLI. The bridge requests an IP address via DHCP by default. If no response is received from the DHCP server, then the bridge uses the default address 192.168.2.2. If this address is not compatible with your network, you can first use the command line interface (CLI) as described below to configure a valid address. Note: Units sold in countries outside the United States are not configured with a specific country code. You must use the CLI to set the country code and enable wireless operation (page 5-3). Initial Setup through the CLI Required Connections The bridge provides an RS-232 serial port that enables a connection to a PC or terminal for monitoring and configuration. Attach a VT100-compatible terminal, or a PC running a terminal emulation program to the bridge. You can use the console cable provided with this package, or use a cable that complies with the wiring assignments shown on page B-3. To connect to the console port, complete the following steps: 1. Connect the console cable to the serial port on a terminal, or a PC running terminal emulation software, and tighten the captive retaining screws on the DB-9 connector. 2. Connect the other end of the cable to the RS-232 serial port on the bridge. 3. Make sure the terminal emulation software is set as follows: • • • • • • Select the appropriate serial port (COM port 1 or 2). Set the data rate to 9600 baud. Set the data format to 8 data bits, 1 stop bit, and no parity. Set flow control to none. Set the emulation mode to VT100. When using HyperTerminal, select Terminal keys, not Windows keys. 5-1 5 Initial Configuration Note: When using HyperTerminal with Microsoft® Windows® 2000, make sure that you have Windows 2000 Service Pack 2 or later installed. Windows 2000 Service Pack 2 fixes the problem of arrow keys not functioning in HyperTerminal’s VT100 emulation. See www.microsoft.com for information on Windows 2000 service packs. 4. Once you have set up the terminal correctly, press the [Enter] key to initiate the console connection. The console login screen will be displayed. For a description of how to use the CLI, see “Using the Command Line Interface” on page 7-1. For a list of all the CLI commands and detailed information on using the CLI, refer to “Command Groups” on page 7-6. Initial Configuration Steps Logging In – Enter “admin” for the user name and leave the password blank. The CLI prompt appears displaying the bridge’s name. Username: admin Password: Enterprise AP# Setting the IP Address – By default, the bridge is configured to obtain IP address settings from a DHCP server. If a DHCP server is not available, the IP address defaults to 192.168.2.2, which may not be compatible with your network. You will therefore have to use the command line interface (CLI) to assign an IP address that is compatible with your network. Type “configure” to enter configuration mode, then type “interface ethernet” to access the Ethernet interface-configuration mode. Enterprise AP#configure Enterprise AP(config)#interface ethernet Enterprise AP(config-if)# First type “no ip dhcp” to disable DHCP client mode. Then type “ip address ip-address netmask gateway,” where “ip-address” is the bridge’s IP address, “netmask” is the network mask for the network, and “gateway” is the default gateway router. Check with your system administrator to obtain an IP address that is compatible with your network. Enterprise AP(if-ethernet)#no ip dhcp Enterprise AP(if-ethernet)#ip address 192.168.2.2 255.255.255.0 192.168.2.254 Enterprise AP(if-ethernet)# 5-2 5 Logging In After configuring the bridge’s IP parameters, you can access the management interface from anywhere within the attached network. The command line interface can also be accessed using Telnet from any computer attached to the network. Setting the Country Code – Units sold in the United States are configured by default to use only radio channels 1-11 in 802.11b or 802.11g mode as defined by FCC regulations. Units sold in other countries are configured by default without a country code (i.e., 99). You must use the CLI to set the country code. Setting the country code restricts operation of the bridge to the radio channels and transmit power levels permitted for wireless networks in the specified country. Type “exit” to leave configuration mode. Then type “country ?” to display the list of countries. Select the code for your country, and enter the country command again, following by your country code (e.g., tw for Taiwan). Enterprise AP#country tw Enterprise AP# Note: Command examples shown later in this manual abbreviate the console prompt to “AP” for simplicity. Logging In There are only a few basic steps you need to complete to connect the bridge to your corporate network, and provide network access to wireless clients. The bridge can be managed by any computer using a web browser (Internet Explorer 5.0 or above, or Netscape Navigator 6.2 or above). Enter the default IP address: http://192.168.2.2 Logging In – Enter the username “admin,” and password “smcadmin” then click LOGIN. For information on configuring a user name and password, see page 6-23. 5-3 5 Initial Configuration The home page displays the Main Menu. 5-4 Chapter 6: System Configuration Before continuing with advanced configuration, first complete the initial configuration steps described in Chapter 4 to set up an IP address for the wireless bridge. The wireless bridge can be managed by any computer using a web browser (Internet Explorer 5.0 or above, or Netscape Navigator 6.2 or above). Enter the default IP address: http://192.168.1.1 To log into the wireless bridge, enter the default user name “admin” and click LOGIN (there is no default password). When the home page displays, click on Advanced Setup. The following page will display. The information in this chapter is organized to reflect the structure of the web screens for easy reference. However, it is recommended that you configure a user name and password as the first step under advanced configuration to control management access to the wireless bridge (page 6-23). 6-1 6 System Configuration Advanced Configuration The Advanced Configuration pages include the following options. Menu System Description Page Configures basic administrative and client access 6-3 Identification Specifies the system name, location and contact information 6-3 TCP / IP Settings Configures the IP address, subnet mask, gateway, and domain name servers 6-5 RADIUS Configures the RADIUS server for wireless client authentication 6-7 PPPoE Settings Configures PPPoE on the Ethernet interface for a connection to an ISP Authentication Configures 802.1X client authentication and MAC address authentication 6-11 Filter Control Enables VLAN support and filters traffic matching specific Ethernet protocol types 6-18 SNMP Controls access to this wireless bridge from management stations using SNMP, as well as the hosts that will receive trap messages 6-20 Administration Configures user name and password for management access; upgrades software from local file, FTP or TFTP server; resets configuration settings to factory defaults; and resets the wireless bridge 6-23 System Log Controls logging of error messages; sets the system clock via SNTP server or manual configuration 6-27 WDS Sets the MAC addresses of other units in the wireless bridge network 6-31 Bridge Sets the time for aging out entries in the bridge MAC address table 6-33 STP Configures Spanning Tree Protocol parameters 6-36 RSSI 6-9 Controls the maximum RSSI voltage output for specific WDS ports 6-40 Configures the IEEE 802.11a interface 6-41 Radio Settings Configures radio signal parameters, such as radio channel, transmission rate, and beacon settings 6-42 Security Configures data encryption using Wired Equivalent Protection (WEP) or Wi-Fi Protected Access (WPA) 6-48 Configures the IEEE 802.11b/g interface 6-46 Radio Settings Configures radio signal parameters, such as radio channel, transmission rate, and beacon settings 6-46 Security Configures data encryption using Wired Equivalent Protection (WEP) or Wi-Fi Protected Access (WPA) 6-48 Radio Interface A Radio Interface G 6-2 Advanced Configuration System Identification The system information parameters for the wireless bridge can be left at their default settings. However, modifying these parameters can help you to more easily distinguish different devices in your network. The wireless bridge allows the selection of the band to be used for bridge links. The bridge band can support no wireless clients. Alternatively, bridging can be disabled and both bands can support access point functions. System Name – An alias for the wireless bridge, enabling the device to be uniquely identified on the network. (Default: Dual Band Outdoor AP; Range: 1-22 characters) Outdoor Bridge Band – Selects the radio band used for bridge links. • A – Bridging is supported on the 802.11a 5 GHz band. • G – Bridging is supported on the 802.11b/g 2.4 GHz band. • None – Bridging is not supported on either radio band. Allows both bands to support access point operations for wireless clients. Location – A text string that describes the system location. (Maximum length: 20 characters) Contact – A text string that describes the system contact. (Maximum length: 255 characters) 6-3 6 System Configuration CLI Commands for System Identification – Enter the global configuration mode and use the system name command to specify a new system name. Use the snmp-server location and snmp-server contact commands to indicate the physical location of the wireless bridge and define a system contact. Then return to the Exec mode, and use the show system command to display the changes to the system identification settings. DUAL DUAL DUAL DUAL DUAL DUAL OUTDOOR#configure OUTDOOR(config)#system name R&D OUTDOOR(config)#snmp-server location building-1 OUTDOOR(config)#snmp-server contact Paul OUTDOOR(config)#exit OUTDOOR#show system 6-8 6-14 6-42 6-41 6-23 System Information =================================================== Serial Number : 0000000005 System Up time : 0 days, 0 hours, 35 minutes, 56 seconds System Name : R&D System Location : building-1 System Contact : Paul System Country Code : US - UNITED STATES MAC Address : 00-30-F1-BE-F4-96 IP Address : 192.168.1.1 Subnet Mask : 255.255.255.0 Default Gateway : 0.0.0.0 VLAN State : DISABLED Native VLAN ID : 1 IAPP State : ENABLED DHCP Client : ENABLED HTTP Server : ENABLED HTTP Server Port : 80 Slot Status : Dual band(a/g) Software Version : v1.1.0.3 =================================================== DUAL OUTDOOR# CLI Commands for Bridge Band Selection – Enter the global configuration mode and use the wds channel command to specify the bridge band. DUAL OUTDOOR#configure DUAL OUTDOOR(config)#wds channel a DUAL OUTDOOR(config)# 6-4 6-8 7-43 Advanced Configuration TCP / IP Settings Configuring the wireless bridge with an IP address expands your ability to manage the wireless bridge. A number of wireless bridge features depend on IP addressing to operate. Note: You can use the web browser interface to access IP addressing only if the wireless bridge already has an IP address that is reachable through your network. By default, the wireless bridge will be automatically configured with IP settings from a Dynamic Host Configuration Protocol (DHCP) server. However, if you are not using a DHCP server to configure IP addressing, use the CLI to manually configure the initial IP values (page 4-2). After you have network access to the wireless bridge, you can use the web browser interface to modify the initial IP configuration, if needed. Note: If there is no DHCP server on your network, or DHCP fails, the wireless bridge will automatically start up with a default IP address of 192.168.1.1. DHCP Client (Enable) – Select this option to obtain the IP settings for the wireless bridge from a DHCP (Dynamic Host Configuration Protocol) server. The IP address, subnet mask, default gateway, and Domain Name Server (DNS) address are dynamically assigned to the wireless bridge by the network DHCP server. (Default: Enabled) 6-5 6 System Configuration DHCP Client (Disable) – Select this option to manually configure a static address for the wireless bridge. • IP Address: The IP address of the wireless bridge. Valid IP addresses consist of four decimal numbers, 0 to 255, separated by periods. • Subnet Mask: The mask that identifies the host address bits used for routing to specific subnets. • Default Gateway: The default gateway is the IP address of the router for the wireless bridge, which is used if the requested destination address is not on the local subnet. If you have management stations, DNS, or other network servers located on another subnet, type the IP address of the default gateway router in the text field provided. Otherwise, leave the address as all zeros (0.0.0.0). • Primary and Secondary DNS Address: The IP address of Domain Name Servers on the network. A DNS maps numerical IP addresses to domain names and can be used to identify network hosts by familiar names instead of the IP addresses. If you have one or more DNS servers located on the local network, type the IP addresses in the text fields provided. Otherwise, leave the addresses as all zeros (0.0.0.0). CLI Commands for TCP/IP Settings – From the global configuration mode, enter the interface configuration mode with the interface ethernet command. Use the ip dhcp command to enable the DHCP client, or no ip dhcp to disable it. To manually configure an address, specify the new IP address, subnet mask, and default gateway using the ip address command. To specify DNS server addresses use the dns server command. Then use the show interface ethernet command from the Exec mode to display the current IP settings. DUAL OUTDOOR(config)#interface ethernet Enter Ethernet configuration commands, one per line. DUAL OUTDOOR(if-ethernet)#no ip dhcp DUAL OUTDOOR(if-ethernet)#ip address 192.168.1.2 255.255.255.0 192.168.1.253 DUAL OUTDOOR(if-ethernet)#dns primary-server 192.168.1.55 DUAL OUTDOOR(if-ethernet)#dns secondary-server 10.1.0.55 DUAL OUTDOOR(config)#end DUAL OUTDOOR#show interface ethernet Ethernet Interface Information ======================================== IP Address : 192.168.1.2 Subnet Mask : 255.255.255.0 Default Gateway : 192.168.1.253 Primary DNS : 192.168.1.55 Secondary DNS : 10.1.0.55 Admin status : Up Operational status : Up ======================================== DUAL OUTDOOR# 6-6 6-87 6-89 6-88 6-88 6-88 6-8 6-91 Advanced Configuration Radius Remote Authentication Dial-in User Service (RADIUS) is an authentication protocol that uses software running on a central server to control access to RADIUS-aware devices on the network. An authentication server contains a database of user credentials for each user that requires access to the network. A primary RADIUS server must be specified for the access point to implement IEEE 802.1X network access control and Wi-Fi Protected Access (WPA) wireless security. A secondary RADIUS server may also be specified as a backup should the primary server fail or become inaccessible. Note: This guide assumes that you have already configured RADIUS server(s) to support the access point. Configuration of RADIUS server software is beyond the scope of this guide, refer to the documentation provided with the RADIUS server software. Primary Radius Server Setup – Configure the following settings to use RADIUS authentication on the access point. • IP Address: Specifies the IP address or host name of the RADIUS server. • Port: The UDP port number used by the RADIUS server for authentication messages. (Range: 1024-65535; Default: 1812) • Key: A shared text string used to encrypt messages between the access point and the RADIUS server. Be sure that the same text string is specified on the RADIUS server. Do not use blank spaces in the string. (Maximum length: 255 characters) 6-7 6 System Configuration • Timeout: Number of seconds the access point waits for a reply from the RADIUS server before resending a request. (Range: 1-60 seconds; Default: 5) • Retransmit attempts: The number of times the access point tries to resend a request to the RADIUS server before authentication fails. (Range: 1-30; Default: 3) Note: For the Timeout and Retransmit attempts fields, accept the default values unless you experience problems connecting to the RADIUS server over the network. Secondary Radius Server Setup – Configure a secondary RADIUS server to provide a backup in case the primary server fails. The access point uses the secondary server if the primary server fails or becomes inaccessible. Once the access point switches over to the secondary server, it periodically attempts to establish communication again with primary server. If communication with the primary server is re-established, the secondary server reverts to a backup role. CLI Commands for RADIUS – From the global configuration mode, use the radius-server address command to specify the address of the primary or secondary RADIUS servers. (The following example configures the settings for the primary RADIUS server.) Configure the other parameters for the RADIUS server. Then use the show show radius command from the Exec mode to display the current settings for the primary and secondary RADIUS servers. DUAL DUAL DUAL DUAL DUAL DUAL DUAL OUTDOOR(config)#radius-server OUTDOOR(config)#radius-server OUTDOOR(config)#radius-server OUTDOOR(config)#radius-server OUTDOOR(config)#radius-server OUTDOOR(config)#exit OUTDOOR#show radius address 192.168.1.25 port 181 key green timeout 10 retransmit 5 Radius Server Information ======================================== IP : 192.168.1.25 Port : 181 Key : ***** Retransmit : 5 Timeout : 10 ======================================== Radius Secondary Server Information ======================================== IP : 0.0.0.0 Port : 1812 Key : ***** Retransmit : 3 Timeout : 5 ======================================== DUAL OUTDOOR# 6-8 6-59 6-60 6-60 6-61 6-61 6-64 Advanced Configuration PPPoE Settings The wireless bridge uses a Point-to-Point Protocol over Ethernet (PPPoE) connection, or tunnel, only for management traffic between the wireless bridge and a remote PPPoE server (typically at an ISP). Examples of management traffic that may initiated by the wireless bridge and carried over a PPPoE tunnel are RADIUS, Syslog, or DHCP traffic. PPP over Ethernet – Enable PPPoE on the RJ-45 Ethernet interface to pass management traffic between the unit and a remote PPPoE server. (Default: Disable) PPPoE Username – The user name assigned for the PPPoE tunnel. (Range: 1-63 alphanumeric characters) PPPoE Password – The password assigned for the PPPoE tunnel. (Range: 1-63 alphanumeric characters) Confirm Password – Use this field to confirm the PPPoE password. PPPoE Service Name – The service name assigned for the PPPoE tunnel. The service name is normally optional, but may be required by some service providers. (Range: 1-63 alphanumeric characters) IP Allocation Mode – This field specifies how IP adresses for the PPPoE tunnel are configured on the RJ-45 interface. The allocation mode depends on the type of service provided by the PPPoE server. If automatic mode is selected, DHCP is used 6-9 6 System Configuration to allocate the IP addresses for the PPPoE connection. If static addresses have been assigned to you by the service provider, you must manually enter the assigned addresses. (Default: Automatic) • Automatically allocated: IP addresses are dynamically assigned by the service provider during PPPoE session initialization. • Static assigned: Fixed addresses are assigned by the service provider for both the local and remote IP addresses. Local IP Address – IP address of the local end of the PPPoE tunnel. (Must be entered for static IP allocation mode.) Remote IP Address – IP address of the remote end of the PPPoE tunnel. (Must be entered for static IP allocation mode.) CLI Commands for PPPoE – From the CLI configuration mode, use the interface ethernet command to access interface configuration mode. Use the ip pppoe command to enable PPPoE on the Ethernet interface. Use the other PPPoE commands shown in the example below to set a user name and password, IP settings, and other PPPoE parameters as required by the service provider. The pppoe restart command can then be used to start a new connection using the modified settings. To display the current PPPoE settings, use the show pppoe command from the Exec mode. DUAL OUTDOOR(config)#interface ethernet Enter Ethernet configuration commands, one per line. DUAL OUTDOOR(if-ethernet)#ip pppoe DUAL OUTDOOR(if-ethernet)#pppoe username mike DUAL OUTDOOR(if-ethernet)#pppoe password 12345 DUAL OUTDOOR(if-ethernet)#pppoe service-name classA DUAL OUTDOOR(if-ethernet)#pppoe ip allocation mode static DUAL OUTDOOR(if-ethernet)#pppoe local ip 10.7.1.200 DUAL OUTDOOR(if-ethernet)#pppoe remote ip 192.168.1.20 DUAL OUTDOOR(if-ethernet)#pppoe ipcp dns DUAL OUTDOOR(if-ethernet)#pppoe lcp echo-interval 30 DUAL OUTDOOR(if-ethernet)#pppoe lcp echo-failure 5 DUAL OUTDOOR(if-ethernet)#pppoe restart DUAL OUTDOOR(if-ethernet)#end DUAL OUTDOOR#show pppoe PPPoE Information ====================================================== State : Link up Username : mike Service Name : classA IP Allocation Mode : Static DNS Negotiation : Enabled Local IP : 10.7.1.200 Echo Interval : 30 Echo Failure : 5 ====================================================== DUAL OUTDOOR# 6-10 6-87 7-57 7-61 7-61 7-62 7-57 7-60 7-60 7-58 7-58 7-59 6-87 7-63 Advanced Configuration Authentication Wireless clients can be authenticated for network access by checking their MAC address against the local database configured on the access point, or by using a database configured on a central RADIUS server. Alternatively, authentication can be implemented using the IEEE 802.1X network access control protocol. The access point can also operate in a 802.1X supplicant mode. This enables the access point itself and any bridge-connected units to be authenticated with a RADIUS server using a configured MD5 user name and password. This mechanism can prevent rogue access points from gaining access to the network. Ethernet Supplicant Setup – Allows the access point to act as an 802.1X supplicant so it can be authenticated through its Ethernet port with a RADIUS server on the local network. When enabled, a unique MD5 user name and password needs to be configured. (Default: Disabled) • Enabled/Disabled – Enables/Disables the 802.1X supplicant function. - Username – Specifies the MD5 user name. (Range: 1-22 characters) - Password – Specifies the MD5 password. (Range: 1-22 characters) WDS Supplicant Setup – Allows the access point to act as an 802.1X supplicant so it can be authenticated through a WDS (wireless) port with a RADIUS server on the remote network. When enabled, a unique MD5 user name and password needs to be configured for the WDS port. For a OAP6626A Slave unit, there is only one WDS port. For a OAP6626AM Master unit, there are 16 WDS ports. (Default: Disabled) 6-11 6 System Configuration MAC Authentication – You can configure a list of the MAC addresses for wireless clients that are authorized to access the network. This provides a basic level of authentication for wireless clients attempting to gain access to the network. A database of authorized MAC addresses can be stored locally on the access point or remotely on a central RADIUS server. (Default: Local MAC) • Local MAC: The MAC address of the associating station is compared against the local database stored on the access point. The Local MAC Authentication section enables the local database to be set up. • Radius MAC: The MAC address of the associating station is sent to a configured RADIUS server for authentication. When using a RADIUS authentication server for MAC address authentication, the server must first be configured in the Radius window (page 6-7). • Disable: No checks are performed on an associating station’s MAC address. Note: Client station MAC authentication occurs prior to the IEEE 802.1X authentication procedure configured for the access point. However, a client’s MAC address provides relatively weak user authentication, since MAC addresses can be easily captured and used by another station to break into the network. Using 802.1X provides more robust user authentication using user names and passwords or digital certificates. So, although you can configure the access point to use MAC address and 802.1X authentication together, it is better to choose one or the other, as appropriate. 802.1X Setup – IEEE 802.1X is a standard framework for network access control that uses a central RADIUS server for user authentication. This control feature prevents unauthorized access to the network by requiring an 802.1X client application to submit user credentials for authentication. The 802.1X standard uses the Extensible Authentication Protocol (EAP) to pass user credentials (either digital certificates, user names and passwords, or other) from the client to the RADIUS 6-12 6 Advanced Configuration server. Client authentication is then verified on the RADIUS server before the access point grants client access to the network. The 802.1X EAP packets are also used to pass dynamic unicast session keys and static broadcast keys to wireless clients. Session keys are unique to each client and are used to encrypt and correlate traffic passing between a specific client and the access point. You can also enable broadcast key rotation, so the access point provides a dynamic broadcast key and changes it at a specified interval. You can enable 802.1X as optionally supported or as required to enhance the security of the wireless network. • Disable: The access point does not support 802.1X authentication for any wireless client. After successful wireless association with the access point, each client is allowed to access the network. • Supported: The access point supports 802.1X authentication only for clients initiating the 802.1X authentication process (i.e., the access point does not initiate 802.1X authentication). For clients initiating 802.1X, only those successfully authenticated are allowed to access the network. For those clients not initiating 802.1X, access to the network is allowed after successful wireless association with the access point. • Required: The access point enforces 802.1X authentication for all associated wireless clients. If 802.1X authentication is not initiated by a client, the access point will initiate authentication. Only those clients successfully authenticated with 802.1X are allowed to access the network. When 802.1X is enabled, the broadcast and session key rotation intervals can also be configured. • Broadcast Key Refresh Rate: Sets the interval at which the broadcast keys are refreshed for stations using 802.1X dynamic keying. (Range: 0-1440 minutes; Default: 0 means disabled) • Session Key Refresh Rate: The interval at which the access point refreshes unicast session keys for associated clients. (Range: 0-1440 minutes; Default: 0 means disabled) • 802.1X Re-authentication Refresh Rate: The time period after which a connected client must be re-authenticated. During the re-authentication process of verifying the client’s credentials on the RADIUS server, the client remains connected the network. Only if re-authentication fails is network access blocked. (Range: 0-65535 seconds; Default: 0 means disabled) 6-13 6 System Configuration Local MAC Authentication – Configures the local MAC authentication database. The MAC database provides a mechanism to take certain actions based on a wireless client’s MAC address. The MAC list can be configured to allow or deny network access to specific clients. • System Default: Specifies a default action for all unknown MAC addresses (that is, those not listed in the local MAC database). - Deny: Blocks access for all MAC addresses except those listed in the local database as “Allow.” - Allow: Permits access for all MAC addresses except those listed in the local database as “Deny.” • MAC Authentication Settings: Enters specified MAC addresses and permissions into the local MAC database. - MAC Address: Physical address of a client. Enter six pairs of hexadecimal digits separated by hyphens; for example, 00-90-D1-12-AB-89. - Permission: Select Allow to permit access or Deny to block access. If Delete is selected, the specified MAC address entry is removed from the database. - Update: Enters the specified MAC address and permission setting into the local database. • MAC Authentication Table: Displays current entries in the local MAC database. CLI Commands for 802.1X Suppicant Configuration – Use the 802.1X supplicant commands to set the Ethernet and WDS user names and passwords, and to enable the feature. DUAL DUAL DUAL DUAL 6-14 OUTDOOR(config)#802.1X supplicant eth_user David OUTDOOR(config)#802.1X supplicant eth_password DEF OUTDOOR(config)#802.1X supplicant eth OUTDOOR(config)# 7-38 7-38 7-38 6 Advanced Configuration DUAL DUAL DUAL DUAL OUTDOOR(config)#802.1X supplicant wds_user 1 David OUTDOOR(config)#802.1X supplicant wds_password 1 ABC OUTDOOR(config)#802.1X supplicant wds 1 OUTDOOR(config)# 7-38 7-38 7-38 CLI Commands for Local MAC Authentication – Use the mac-authentication server command from the global configuration mode to enable local MAC authentication. Set the default for MAC addresses not in the local table using the address filter default command, then enter MAC addresses in the local table using the address filter entry command. To remove an entry from the table, use the address filter delete command. To display the current settings, use the show authentication command from the Exec mode. DUAL OUTDOOR(config)#mac-authentication server local 6-72 DUAL OUTDOOR(config)#address filter default denied 6-70 DUAL OUTDOOR(config)#address filter entry 00-70-50-cc-99-1a denied 6-71 DUAL OUTDOOR(config)#address filter entry 00-70-50-cc-99-1b allowed DUAL OUTDOOR(config)#address filter entry 00-70-50-cc-99-1c allowed DUAL OUTDOOR(config)#address filter delete 00-70-50-cc-99-1c 6-71 DUAL OUTDOOR(config)#exit DUAL OUTDOOR#show authentication 6-68 Authentication Information ========================================================= MAC Authentication Server : LOCAL MAC Auth Session Timeout Value : 300 secs 802.1X : DISABLED Broadcast Key Refresh Rate : 5 min Session Key Refresh Rate : 5 min 802.1X Session Timeout Value : 300 secs Address Filtering : DENIED System Default : DENY addresses not found in filter table. Filter Table MAC Address Status -------------------------00-70-50-cc-99-1a DENIED 00-70-50-cc-99-1b ALLOWED ========================================================= DUAL OUTDOOR# 6-15 6 System Configuration CLI Commands for RADIUS MAC Authentication – Use the mac-authentication server command from the global configuration mode to enable remote MAC authentication. Set the timeout value for re-authentication using the mac-authentication session-timeout command. Be sure to also configure connection settings for the RADIUS server (not shown in the following example). To display the current settings, use the show authentication command from the Exec mode. DUAL DUAL DUAL DUAL OUTDOOR(config)#mac-authentication server remote OUTDOOR(config)#mac-authentication session-timeout 300 OUTDOOR(config)#exit OUTDOOR#show authentication Authentication Information ========================================================= MAC Authentication Server : REMOTE MAC Auth Session Timeout Value : 300 secs 802.1X : DISABLED Broadcast Key Refresh Rate : 5 min Session Key Refresh Rate : 5 min 802.1X Session Timeout Value : 300 secs Address Filtering : DENIED System Default : DENY addresses not found in filter table. Filter Table MAC Address Status -------------------------00-70-50-cc-99-1a DENIED 00-70-50-cc-99-1b ALLOWED ========================================================= DUAL OUTDOOR# 6-16 6-72 6-72 6-68 6 Advanced Configuration CLI Commands for 802.1X Authentication – Use the 802.1X supported command from the global configuration mode to enable 802.1X authentication. Set the session and broadcast key refresh rate, and the re-authentication timeout. To display the current settings, use the show authentication command from the Exec mode. DUAL DUAL DUAL DUAL DUAL DUAL OUTDOOR(config)#802.1X supported OUTDOOR(config)#802.1X broadcast-key-refresh-rate 5 OUTDOOR(config)#802.1X session-key-refresh-rate 5 OUTDOOR(config)#802.1X session-timeout 300 OUTDOOR(config)#exit OUTDOOR#show authentication 6-65 6-66 6-67 6-67 6-68 Authentication Information ========================================================= MAC Authentication Server : REMOTE MAC Auth Session Timeout Value : 300 secs 802.1X : SUPPORTED Broadcast Key Refresh Rate : 5 min Session Key Refresh Rate : 5 min 802.1X Session Timeout Value : 300 secs Address Filtering : DENIED System Default : DENY addresses not found in filter table. Filter Table MAC Address Status -------------------------00-70-50-cc-99-1a DENIED 00-70-50-cc-99-1b ALLOWED ========================================================= DUAL OUTDOOR# 6-17 6 System Configuration Filter Control The wireless bridge can employ VLAN tagging support and network traffic frame filtering to control access to network resources and increase security. Native VLAN ID – The VLAN ID assigned to wireless clients that are not assigned to a specific VLAN by RADIUS server configuration. (Range: 1-64) VLAN – Enables or disables VLAN tagging support on the wireless bridge (changing the VLAN status forces a system reboot). When VLAN support is enabled, the wireless bridge tags traffic passing to the wired network with the assigned VLAN ID associated with each client on the RADIUS server or the configured native VLAN ID. Traffic received from the wired network must also be tagged with a known VLAN ID. Received traffic that has an unknown VLAN ID or no VLAN tag is dropped. When VLAN support is disabled, the wireless bridge does not tag traffic passing to the wired network and ignores the VLAN tags on any received frames. Note: Before enabling VLANs on the wireless bridge, you must configure the connected LAN switch port to accept tagged VLAN packets with the wireless bridge’s native VLAN ID. Otherwise, connectivity to the wireless bridge will be lost when you enable the VLAN feature. Up to 64 VLAN IDs can be mapped to specific wireless clients, allowing users to remain within the same VLAN as they move around a campus site. This feature can also be used to control access to network resources from wireless clients, thereby improving security. 6-18 Advanced Configuration A VLAN ID (1-4094) is assigned to a client after successful authentication using IEEE 802.1X and a central RADIUS server. The user VLAN IDs must be configured on the RADIUS server for each user authorized to access the network. If a user does not have a configured VLAN ID, the access point assigns the user to its own configured native VLAN ID. When setting up VLAN IDs for each user on the RADIUS server, be sure to use the RADIUS attributes and values as indicated in the following table. Number RADIUS Attribute Value 64 Tunnel-Type VLAN (13) 65 Tunnel-Medium-Type 802 81 Tunnel-Private-Group VLANID (1 to 4094 in hexadecimal) Note: The specific configuration of RADIUS server software is beyond the scope of this guide. Refer to the documentation provided with the RADIUS server software. When VLAN filtering is enabled, the access point must also have 802.1X authentication enabled and a RADIUS server configured. Wireless clients must also support 802.1X client software to be assigned to a specific VLAN. When VLAN filtering is disabled, the access point ignores the VLAN tags on any received frames. Local Bridge Filter – Controls wireless-to-wireless communications between clients through the access point. However, it does not affect communications between wireless clients and the wired network. • Disable: Allows wireless-to-wireless communications between clients through the access point. • Enable: Blocks wireless-to-wireless communications between clients through the access point. AP Management Filter – Controls management access to the access point from wireless clients. Management interfaces include the web, Telnet, or SNMP. • Disable: Allows management access from wireless clients. • Enable: Blocks management access from wireless clients. Ethernet Type Filter – Controls checks on the Ethernet type of all incoming and outgoing Ethernet packets against the protocol filtering table. • Disable: Wireless bridge does not filter Ethernet protocol types. • Enable: Wireless bridge filters Ethernet protocol types based on the configuration of protocol types in the filter table. If a protocol has its status set to “ON,” the protocol is filtered from the wireless bridge. 6-19 6 System Configuration CLI Commands for VLAN Support – From the global configuration mode use the native-vlanid command to set the default VLAN ID for the Ethernet interface, then enable VLANs using the vlan enable command. When you change the access point’s VLAN support setting, you must reboot the access point to implement the change. To view the current VLAN settings, use the show system command. DUAL OUTDOOR(config)#native-vlanid 3 DUAL OUTDOOR(config)#vlan enable Reboot system now? : y 7-87 6-130 CLI Commands for Bridge Filtering – Use the filter ap-manage command to restrict management access from wireless clients. To configure Ethernet protocol filtering, use the filter ethernet-type enable command to enable filtering and the filter ethernet-type protocol command to define the protocols that you want to filter. To display the current settings, use the show filters command from the Exec mode. DUAL DUAL DUAL DUAL DUAL OUTDOOR(config)#filter ap-manage OUTDOOR(config)#filter ethernet-type enable OUTDOOR(config)#filter ethernet-type protocol ARP OUTDOOR(config)#exit OUTDOOR#show filters 6-74 6-74 6-75 6-76 Protocol Filter Information ========================================================= AP Management :ENABLED Ethernet Type Filter :ENABLED Enabled Protocol Filters --------------------------------------------------------Protocol: ARP ISO: 0x0806 ========================================================= DUAL OUTDOOR# SNMP You can use a network management application to manage the wireless bridge via the Simple Network Management Protocol (SNMP) from a management station. To implement SNMP management, the wireless bridge must have an IP address and subnet mask, configured either manually or dynamically. Once an IP address has been configured, appropriate SNMP communities and trap receivers should be configured. Community names are used to control management access to SNMP stations, as well as to authorize SNMP stations to receive trap messages from the wireless bridge. To communicate with the wireless bridge, a management station must first submit a valid community name for authentication. You therefore need to assign community names to specified users or user groups and set the access level. 6-20 Advanced Configuration SNMP – Enables or disables SNMP management access and also enables the wireless bridge to send SNMP traps (notifications). SNMP management is enabled by default. Community Name (Read Only) – Defines the SNMP community access string that has read-only access. Authorized management stations are only able to retrieve MIB objects. (Maximum length: 23 characters, case sensitive; Default: public) Community Name (Read/Write) – Defines the SNMP community access string that has read/write access. Authorized management stations are able to both retrieve and modify MIB objects. (Maximum length: 23 characters, case sensitive; Default: private) Trap Destination IP Address – Specifies the recipient of SNMP notifications. Enter the IP address or the host name. (Host Name: 1 to 20 characters) Trap Destination Community Name – The community string sent with the notification operation. (Maximum length: 23 characters; Default: public) 6-21 6 System Configuration CLI Commands for SNMP – Use the snmp-server enable server command from the global configuration mode to enable SNMP. To set read/write and read-only community names, use the snmp-server community command. The snmp-server host command defines a trap receiver host. To view the current SNMP settings, use the show snmp command. DUAL DUAL DUAL DUAL DUAL DUAL OUTDOOR(config)#snmp-server OUTDOOR(config)#snmp-server OUTDOOR(config)#snmp-server OUTDOOR(config)#snmp-server OUTDOOR(config)#exit OUTDOOR#show snmp enable server community alpha rw community beta ro host 10.1.19.23 alpha SNMP Information ============================================ Service State : Enable Community (ro) : **** Community (rw) : ***** Location : building-1 Contact : Paul Traps : Enabled Host Name/IP : 10.1.19.23 Trap Community : ***** ============================================= DUAL OUTDOOR# 6-22 6-42 6-41 6-43 6-54 6 Advanced Configuration Administration Changing the Password Management access to the web and CLI interface on the wireless bridge is controlled through a single user name and password. You can also gain additional access security by using control filters (see “Filter Control” on page 6-18). To protect access to the management interface, you need to configure an Administrator’s user name and password as soon as possible. If the user name and password are not configured, then anyone having access to the wireless bridge may be able to compromise wireless bridge and network security. Note: Pressing the Reset button on the back of the wireless bridge for more than five seconds resets the user name and password to the factory defaults. For this reason, we recommend that you protect the wireless bridge from physical access by unauthorized persons. Username – The name of the user. The default name is “admin.” (Length: 3-16 characters, case sensitive.) New Password – The password for management access. (Length: 3-16 characters, case sensitive) Confirm New Password – Enter the password again for verification. CLI Commands for the User Name and Password – Use the username and password commands from the CLI configuration mode. DUAL OUTDOOR(config)#username bob DUAL OUTDOOR(config)#password spiderman DUAL OUTDOOR# 6-15 6-15 6-23 6 System Configuration Upgrading Firmware You can upgrade new wireless bridge software from a local file on the management workstation, or from an FTP or TFTP server. After upgrading new software, you must reboot the wireless bridge to implement the new code. Until a reboot occurs, the wireless bridge will continue to run the software it was using before the upgrade started. Also note that rebooting the wireless bridge with new software will reset the configuration to the factory default settings. Note: Before upgrading your wireless bridge software, it is recommended to save a copy of the current configuration file. See “copy” on page 6-56 for information on saving the configuration file to a TFTP or FTP server. Before upgrading new software, verify that the wireless bridge is connected to the network and has been configured with a compatible IP address and subnet mask. If you need to download from an FTP or TFTP server, take the following additional steps: • Obtain the IP address of the FTP or TFTP server where the wireless bridge software is stored. • If upgrading from an FTP server, be sure that you have an account configured on the server with a user name and password. Current version – Version number of runtime code. 6-24 6 Advanced Configuration Firmware Upgrade Local – Downloads an operation code image file from the web management station to the wireless bridge using HTTP. Use the Browse button to locate the image file locally on the management station and click Start Upgrade to proceed. • New firmware file: Specifies the name of the code file on the server. The new firmware file name should not contain slashes (\ or /), the leading letter of the file name should not be a period (.), and the maximum length for file names is 32 characters for files on the wireless bridge. (Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”) Firmware Upgrade Remote – Downloads an operation code image file from a specified remote FTP or TFTP server. After filling in the following fields, click Start Upgrade to proceed. • New firmware file: Specifies the name of the code file on the server. The new firmware file name should not contain slashes (\ or /), the leading letter of the file name should not be a period (.), and the maximum length for file names on the FTP/TFTP server is 255 characters or 32 characters for files on the wireless bridge. (Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”) • IP Address: IP address or host name of FTP or TFTP server. • Username: The user ID used for login on an FTP server. • Password: The password used for login on an FTP server. Restore Factory Settings – Click the Restore button to reset the configuration settings for the wireless bridge to the factory defaults and reboot the system. Note that all user configured information will be lost. You will have to re-enter the default user name (admin) to re-gain management access to this device. Reset wireless bridge – Click the Reset button to reboot the system. Note: If you have upgraded system software, then you must reboot the wireless bridge to implement the new operation code. 6-25 6 System Configuration CLI Commands for Downloading Software from a TFTP Server – Use the copy tftp file command from the Exec mode and then specify the file type, name, and IP address of the TFTP server. When the download is complete, the dir command can be used to check that the new file is present in the wireless bridge file system. To run the new software, use the reset board command to reboot the wireless bridge. DUAL OUTDOOR#copy tftp file 1. Application image 2. Config file 3. Boot block image Select the type of download<1,2,3>: [1]:1 TFTP Source file name:bridge-img.bin TFTP Server IP:192.168.1.19 6-56 DUAL OUTDOOR#dir File Name -------------------------dflt-img.bin bridge-img.bin syscfg syscfg_bak 6-58 Type ---2 File Size ----------1319939 1629577 17776 17776 262144 byte(s) available DUAL OUTDOOR#reset board Reboot system now? : y 6-26 6-10 Advanced Configuration System Log The wireless bridge can be configured to send event and error messages to a System Log Server. The system clock can also be synchronized with a time server, so that all the messages sent to the Syslog server are stamped with the correct time and date. Enabling System Logging The wireless bridge supports a logging process that can control error messages saved to memory or sent to a Syslog server. The logged messages serve as a valuable tool for isolating wireless bridge and network problems. System Log Setup – Enables the logging of error messages. Logging Host – Enables the sending of log messages to a Syslog server host. Server Name/IP – The IP address or name of a Syslog server. Logging Console – Enables the logging of error messages to the console. Logging Level – Sets the minimum severity level for event logging. 6-27 6 System Configuration The system allows you to limit the messages that are logged by specifying a minimum severity level. The following table lists the error message levels from the most severe (Emergency) to least severe (Debug). The message levels that are logged include the specified minimum level up to the Emergency level. Error Level Description Emergency System unusable Alert Immediate action needed Critical Critical conditions (e.g., memory allocation, or free memory error - resource exhausted) Error Error conditions (e.g., invalid input, default used) Warning Warning conditions (e.g., return false, unexpected return) Notice Normal but significant condition, such as cold start Informational Informational messages only Debug Debugging messages Note: The wireless bridge error log can be viewed using the Event Logs window in the Status section (page 6-67).The Event Logs window displays the last 128 messages logged in chronological order, from the newest to the oldest. Log messages saved in the wireless bridge’s memory are erased when the device is rebooted. 6-28 6 Advanced Configuration CLI Commands for System Logging – To enable logging on the wireless bridge, use the logging on command from the global configuration mode. The logging level command sets the minimum level of message to log. Use the logging console command to enable logging to the console. Use the logging host command to specify up to four Syslog servers. The CLI also allows the logging facility-type command to set the facility-type number to use on the Syslog server. To view the current logging settings, use the show logging command. DUAL DUAL DUAL DUAL DUAL DUAL DUAL OUTDOOR(config)#logging OUTDOOR(config)#logging OUTDOOR(config)#logging OUTDOOR(config)#logging OUTDOOR(config)#logging OUTDOOR(config)#exit OUTDOOR#show logging on level alert console host 1 10.1.0.3 514 facility-type 19 6-29 6-30 6-30 6-29 6-31 6-32 Logging Information ============================================ Syslog State : Enabled Logging Host State : Enabled Logging Console State : Enabled Server Domain name/IP : 1 10.1.0.3 Logging Level : Error Logging Facility Type : 16 ============================================= DUAL OUTDOOR# Configuring SNTP Simple Network Time Protocol (SNTP) allows the wireless bridge to set its internal clock based on periodic updates from a time server (SNTP or NTP). Maintaining an accurate time on the wireless bridge enables the system log to record meaningful dates and times for event entries. If the clock is not set, the wireless bridge will only record the time from the factory default set at the last bootup. The wireless bridge acts as an SNTP client, periodically sending time synchronization requests to specific time servers. You can configure up to two time server IP addresses. The wireless bridge will attempt to poll each server in the configured sequence. SNTP Server – Configures the wireless bridge to operate as an SNTP client. When enabled, at least one time server IP address must be specified. • Primary Server: The IP address of an SNTP or NTP time server that the wireless bridge attempts to poll for a time update. • Secondary Server: The IP address of a secondary SNTP or NTP time server. The wireless bridge first attempts to update the time from the primary server; if this fails it attempts an update from the secondary server. Note: The wireless bridge also allows you to disable SNTP and set the system clock manually using the CLI. 6-29 6 System Configuration Set Time Zone – SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time, or GMT) based on the time at the Earth’s prime meridian, zero degrees longitude. To display a time corresponding to your local time, you must indicate the number of hours your time zone is located before (east) or after (west) UTC. Enable Daylight Saving – The wireless bridge provides a way to automatically adjust the system clock for Daylight Savings Time changes. To use this feature you must define the month and date to begin and to end the change from standard time. During this period the system clock is set back by one hour. CLI Commands for SNTP – To enable SNTP support on the wireless bridge, from the global configuration mode specify SNTP server IP addresses using the sntp-server ip command, then use the sntp-server enable command to enable the service. Use the sntp-server timezone command to set the location time zone and the sntp-server daylight-saving command to set up a daylight saving. To view the current SNTP settings, use the show sntp command. DUAL OUTDOOR(config)#sntp-server ip 10.1.0.19 DUAL OUTDOOR(config)#sntp-server enable DUAL OUTDOOR(config)#sntp-server timezone +8 DUAL OUTDOOR(config)#sntp-server daylight-saving Enter Daylight saving from which month<1-12>: 3 and which day<1-31>: 31 Enter Daylight saving end to which month<1-12>: 10 and which day<1-31>: 31 DUAL OUTDOOR(config)#exit DUAL OUTDOOR#show sntp SNTP Information ========================================================= Service State : Enabled SNTP (server 1) IP : 137.92.140.80 SNTP (server 2) IP : 192.43.244.18 Current Time : 19 : 35, Oct 10th, 2003 Time Zone : +8 (TAIPEI, BEIJING) Daylight Saving : Enabled, from Mar, 31th to Oct, 31th ========================================================= DUAL OUTDOOR# 6-30 6-34 6-34 6-36 6-36 6-37 6 Advanced Configuration CLI Commands for the System Clock – The following example shows how to manually set the system time when SNTP server support is disabled on the wireless bridge. DUAL OUTDOOR(config)#no sntp-server enable DUAL OUTDOOR(config)#sntp-server date-time Enter Year<1970-2100>: 2003 Enter Month<1-12>: 10 Enter Day<1-31>: 10 Enter Hour<0-23>: 18 Enter Min<0-59>: 35 DUAL OUTDOOR(config)# 6-34 6-35 Wireless Distribution System (WDS) The IEEE 802.11 standard defines a WIreless Distribution System (WDS) for connections between wireless bridges. The access point uses WDS to forward traffic on bridge links between units. When using WDS, only wireless bridge units can associate to each other using the bridge band. A wireless client cannot associate with the access point on the wireless bridge band. To set up a wireless bridge link, you must configure the WDS forwarding table by specifying the wireless MAC address of the bridge to which you want to forward traffic. For a Slave bridge unit, you need to specify the MAC address of the wireless bridge unit at the opposite end of the link. For a Master bridge unit, you need to specify the MAC addresses of all the Slave bridge units in the network. 6-31 6 System Configuration Mode – The wireless bridge is set to operate as a Slave or Master unit: • Master Mode: In a point-to-multipoint network configuration, only one wireless bridge unit must be a Master unit (all others must be Slave units). A Master wireless bridge provides support for up to 16 MAC addresses in the WDS forwarding table. The MAC addresses of all other Slave bridge units in the network must be configured in the forwarding table. • Slave Mode: A Slave wireless bridge provides support for only one MAC address in the WDS forwarding table. A Slave bridge communicates with only one other wireless bridge, either another Slave bridge in a point-to-point configuration, or to the Master bridge in a point-to-multipoint configuration. 6-32 6 Advanced Configuration Port Number (Master bridge only) – The wireless port identifier. MAC Address – The physical layer address of the wireless bridge unit at the other end of the wireless link. (12 hexadecimal digits in the form “xx:xx:xx:xx:xx:xx”) Port Status – Enables or disables the wireless bridge link. Note: The wireless MAC address for each bridge unit is printed on the label on the back of the unit. CLI Commands for WDS – The following example shows how to configure the MAC address of the wireless bridge at the opposite end of a point-to-point link, and then enable forwarding on the link. DUAL DUAL DUAL DUAL OUTDOOR(config)#wds mac-address 1 00-12-34-56-78-9a OUTDOOR(config)#wds enable OUTDOOR(config)#exit OUTDOOR#show wds 7-43 7-44 7-44 Outdoor_Mode SLAVE ================================================== Port ID | Status Mac-Address ================================================== 01 ENABLE 00-12-34-56-78-9A ================================================== DUAL OUTDOOR# Bridge The wireless bridge can store the MAC addresses for all known devices in the connected networks. All the addresses are learned by monitoring traffic received by the wireless bridge and are stored in a dynamic MAC address table. This information is then used to forward traffic directly between the Ethernet port and the corresponding wireless interface. 6-33 6 System Configuration The Bridging page allows the MAC address aging time to be set for both the Ethernet port and the bridge radio interface. If the MAC address of an entry in the address table is not seen on the associated interface for longer than the aging time, the entry is discarded. Bridge Aging Time – Changes the aging time for entries in the dynamic address table: • Ethernet: The time after which a learned Ethernet port entry is discarded. (Range: 60-1800 seconds; Default: 100 seconds) • Wireless 802.11a (g): The time after which a learned wireless entry is discarded. (Range: 60-1800 seconds; Default: 1800 seconds) 6-34 6 Advanced Configuration CLI Commands for Bridging – The following example shows how to set the MAC address aging time for the wireless bridge. DUAL DUAL DUAL DUAL OUTDOOR(config)#bridge timeout 0 300 OUTDOOR(config)#bridge timeout 2 1000 OUTDOOR(config)#exit OUTDOOR#show bridge 7-46 7-46 7-52 Bridge Information ================================================= Media Type | Age Time(sec)| ================================================= EtherNet | 300 WLAN_A | 1000 ================================================== Bridge Id : 32768.037fbef192 Root Bridge Id : 32768.01f47483e2 Root Path Cost : 25 Root Port Id : 0 Bridge Status : Enabled Bridge Priority : 32768 Bridge Hello Time : 2 Seconds Bridge Maximum Age : 20 Seconds Bridge Forward Delay: 15 Seconds ============================= Port Summary ============================= Id| Priority | Path Cost | Fast Forward | Status | State 128 25 Enable Enabled Forwarding DUAL OUTDOOR# 6-35 6 System Configuration Spanning Tree Protocol (STP) The Spanning Tree Protocol (STP) can be used to detect and disable network loops, and to provide backup links between switches, bridges or routers. This allows the wireless bridge to interact with other bridging devices (that is, an STP-compliant switch, bridge or router) in your network to ensure that only one route exists between any two stations on the network, and provide backup links which automatically take over when a primary link goes down. STP uses a distributed algorithm to select a bridging device (STP-compliant switch, bridge or router) that serves as the root of the spanning tree network. It selects a root port on each bridging device (except for the root device) which incurs the lowest path cost when forwarding a packet from that device to the root device. Then it selects a designated bridging device from each LAN which incurs the lowest path cost when forwarding a packet from that LAN to the root device. All ports connected to designated bridging devices are assigned as designated ports. After determining the lowest cost spanning tree, it enables all root ports and designated ports, and disables all other ports. Network packets are therefore only forwarded between root ports and designated ports, eliminating any possible network loops. Once a stable network topology has been established, all bridges listen for Hello BPDUs (Bridge Protocol Data Units) transmitted from the root bridge. If a bridge does not get a Hello BPDU after a predefined interval (Maximum Age), the bridge assumes that the link to the root bridge is down. This bridge will then initiate negotiations with other bridges to reconfigure the network to reestablish a valid network topology. Enable – Enables/disables STP on the wireless bridge. (Default: Enabled) 6-36 6 Advanced Configuration Forward Delay – The maximum time (in seconds) this device waits before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames. In addition, each port needs time to listen for conflicting information that would make it return to a discarding state; otherwise, temporary data loops might result. (Range: 4-30 seconds) • Default: 15 • Minimum: The higher of 4 or [(Max. Message Age / 2) + 1] • Maximum: 30 Hello Time – Interval (in seconds) at which the root device transmits a configuration message. (Range: 1-10 seconds) • Default: 2 • Minimum: 1 • Maximum: The lower of 10 or [(Max. Message Age / 2) -1] Maximum Age – The maximum time (in seconds) a device can wait without receiving a configuration message before attempting to reconfigure. All device ports (except for designated ports) should receive configuration messages at regular intervals. Any port that ages out STP information (provided in the last configuration message) becomes the designated port for the attached LAN. If it is a root port, a new root port is selected from among the device ports attached to the network. (Range: 6-40 seconds) • Default: 20 • Minimum: The higher of 6 or [2 x (Hello Time + 1)]. • Maximum: The lower of 40 or [2 x (Forward Delay - 1)] Bridge Priority – Used in selecting the root device, root port, and designated port. The device with the highest priority becomes the STP root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device. (Note that lower numeric values indicate higher priority.) • Range: 0-65535 • Default: 32768 Port Cost – This parameter is used by the STP to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media. (Path cost takes precedence over port priority.) • Range: 1-65535 • Default: Ethernet interface: 19; Wireless interface: 40 6-37 6 System Configuration Priority – Defines the priority used for this port in the Spanning Tree Protocol. If the path cost for all ports on a switch are the same, the port with the highest priority (i.e., lowest value) will be configured as an active link in the spanning tree. This makes a port with higher priority less likely to be blocked if the Spanning Tree Protocol is detecting network loops. Where more than one port is assigned the highest priority, the port with lowest numeric identifier will be enabled. • Default: 128 • Range: 0-240, in steps of 16 Port Fast (Fast Forwarding) – You can enable this option if an interface is attached to a LAN segment that is at the end of a bridged LAN or to an end node. Since end nodes cannot cause forwarding loops, they can pass directly through to the spanning tree forwarding state. Specifying fast forwarding provides quicker convergence for devices such as workstations or servers, retains the current forwarding database to reduce the amount of frame flooding required to rebuild address tables during reconfiguration events, does not cause the spanning tree to initiate reconfiguration when the interface changes state, and also overcomes other STP-related timeout problems. However, remember that fast forwarding should only be enabled for ports connected to an end-node device. (Default: Disabled) Status – Enables/disables STP on this interface. (Default: Enabled) 6-38 6 Advanced Configuration CLI Commands for STP – The following example configures spanning tree paramters for the bridge and wireless port 5. DUAL DUAL DUAL DUAL DUAL DUAL DUAL DUAL DUAL DUAL OUTDOOR(config)#bridge stp-bridge priority 40000 OUTDOOR(config)#bridge stp-bridge hello-time 5 OUTDOOR(config)#bridge stp-bridge max-age 38 OUTDOOR(config)#bridge stp-bridge forward-time 20 OUTDOOR(config)#no bridge stp-port spanning-disabled 5 OUTDOOR(config)#bridge stp-port priority 5 0 OUTDOOR(config)#bridge stp-port path-cost 5 50 OUTDOOR(config)#no bridge stp-port portfast 5 OUTDOOR(config)#end OUTDOOR#show bridge 6-84 6-83 7-48 6-83 7-52 6-85 6-85 7-51 7-52 Bridge Information ================================================= Media Type | Age Time(sec)| ================================================= EtherNet | 300 WLAN_A | 1000 ================================================== Bridge Id : 32768.037fbef192 Root Bridge Id : 32768.01f47483e2 Root Path Cost : 25 Root Port Id : 0 Bridge Status : Enabled Bridge Priority : 40000 Bridge Hello Time : 5 Seconds Bridge Maximum Age : 38 Seconds Bridge Forward Delay: 20 Seconds ============================= Port Summary ============================= Id| Priority | Path Cost | Fast Forward | Status | State 128 25 Enable Enabled Forwarding DUAL OUTDOOR# 6-39 6 System Configuration RSSI The RSSI value displayed on the RSSI page represents a signal to noise ratio. A value of 30 would indicate that the power of the received signal is 30 dBm above the signal noise threshold. This value can be used to align antennas (see page 2-10) and monitor the quality of the received signal for bridge links. An RSSI value of about 30 or more indicates a strong enough signal to support the maximum data rate of 54 Mbps. Below a value of 30, the supported data rate would drop to lower rates. A value of 15 or less indicates that the signal is weak and the antennas may require realignment. The RSSI controls allow the external connector to be disabled and the receive signal for each WDS port displayed. RSSI – The RSSI value for a selected port can be displayed and a representative voltage output can be enabled. • Output Activate: Enables or disables the RSSI voltage output on the external RSSI connector. (Default: Enabled) • Port Number: Selects a specific WDS port for which to set the maximum RSSI output voltage level. Ports 1-16 are available for a Master unit, only port 1 for a Slave unit. (Default: 1) • Output Value: The maximum RSSI voltage level for the current selected WDS port. A value of zero indicates that there is no received signal or that the WDS port is disabled. 6-40 6 Radio Interface Distance – This value is used to adjust timeout values to take into account transmit delays due to link distances in the wireless bridge network. For a point-to-point link, specify the approximate distance between the two bridges. For a point-to-multipoint network, specify the distance of the Slave bridge farthest from the Master bridge • Mode: Indicates if the 802.11a radio is operating in normal or Turbo mode. (See "Radio Settings A" on page 6-42.) • Distance: The approximate distance between antennas in a bridge link. Note: There are currently no equivalent CLI commands for the RSSI controls. Radio Interface The IEEE 802.11a and 802.11g interfaces include configuration options for radio signal characteristics and wireless security features. The configuration options are nearly identical, but depend on which interface is operating as the bridge band. Both interfaces and operating modes are covered in this section of the manual. The access point can operate in the following modes: • 802.11a in bridge mode and 802.11g in access point mode • 802.11a in access point mode and 802.11g in bridge mode • 802.11a and 802.11g both in access point mode (no bridging) • 802.11a only in bridge or access point mode • 802.11g only in bridge or access point mode Note that 802.11g is backward compatible with 802.11b and can be configured to support both client types or restricted to 802.11g clients only. Both wireless interfaces are configured independently under the following web pages: • Radio Interface A: 802.11a • Radio Interface G: 802.11b/g Note: The radio channel settings for the wireless bridge are limited by local regulations, which determine the number of channels that are available. 6-41 6 System Configuration Radio Settings A (802.11a) The IEEE 802.11a interface operates within the 5 GHz band, at up to 54 Mbps in normal mode or up to 108 Mbps in Turbo mode. Enable – Enables radio communications on the wireless interface. (Default: Enabled) Description – Adds a comment or description to the wireless interface. (Range: 1-80 characters) Network Name (SSID) – (Access point mode only) The name of the basic service set provided by the access point. Clients that want to connect to the network through the access point must set their SSID to the same as that of the access point. (Default: DualBandOutdoor; Range: 1-32 characters) Note: The SSID is not configurable when the radio band is set to Bridge mode. Secure Access – When enabled, the access point radio does not include its SSID in beacon messages. Nor does it respond to probe requests from clients that do not include a fixed SSID. (Default: Disable) Turbo Mode – The normal 802.11a wireless operation mode provides connections up to 54 Mbps. Turbo Mode is an enhanced mode (not regulated in IEEE 802.11a) that provides a higher data rate of up to 108 Mbps. Enabling Turbo Mode allows the wireless bridge to provide connections up to 108 Mbps. (Default: Disabled) 6-42 Radio Interface Note: In normal mode, the wireless bridge provides a channel bandwidth of 20 MHz, and supports the maximum number of channels permitted by local regulations (e.g., 11 channels for the United States). In Turbo Mode, the channel bandwidth is increased to 40 MHz to support the increased data rate. However, this reduces the number of channels supported (e.g., 5 channels for the United States). Radio Channel – The radio channel that the wireless bridge Normal Mode uses to communicate with wireless clients. When multiple wireless bridges are deployed in the same area, set the channel on neighboring wireless bridges at least four channels apart to avoid interference with each other. For example, in the United States you can deploy up to four wireless bridges in the same area (e.g., channels 36, 56, 149, 165). Also note that the channel for wireless clients is automatically set to the same as that used by the wireless bridge to which it is linked. (Default: Channel 60 for normal mode, and channel 42 for Turbo mode) Auto Channel Select – Enables the wireless bridge to automatically select an unoccupied radio channel. (Default: Enabled) Turbo Mode Transmit Power – Adjusts the power of the radio signals transmitted from the wireless bridge. The higher the transmission power, the farther the transmission range. Power selection is not just a trade off between coverage area and maximum supported clients. You also have to ensure that high-power signals do not interfere with the operation of other radio devices in the service area. (Options: 100%, 50%, 25%, 12%, minimum; Default: 100%) Maximum Supported Rate – The maximum data rate at which the access point transmits unicast packets on the wireless interface. The maximum transmission distance is affected by the data rate. The lower the data rate, the longer the transmission distance. (Options: 54, 48, 36, 24, 18, 12, 9, 6 Mbps; Default: 54 Mbps) Beacon Interval – The rate at which beacon signals are transmitted from the wireless bridge. The beacon signals allow wireless clients to maintain contact with the wireless bridge. They may also carry power-management information. (Range: 20-1000 TUs; Default: 100 TUs) Data Beacon Rate – The rate at which stations in sleep mode must wake up to receive broadcast/multicast transmissions. Known also as the Delivery Traffic Indication Map (DTIM) interval, it indicates how often the MAC layer forwards broadcast/multicast traffic, which is necessary to wake up stations that are using Power Save mode. The default value of 2 indicates that the wireless bridge will save all broadcast/multicast frames for the Basic Service Set 6-43 6 System Configuration (BSS) and forward them after every second beacon. Using smaller DTIM intervals delivers broadcast/multicast frames in a more timely manner, causing stations in Power Save mode to wake up more often and drain power faster. Using higher DTIM values reduces the power used by stations in Power Save mode, but delays the transmission of broadcast/multicast frames. (Range: 1-255 beacons; Default: 2 beacons) Fragment Length – Configures the minimum packet size that can be fragmented when passing through the wireless bridge. Fragmentation of the PDUs (Package Data Unit) can increase the reliability of transmissions because it increases the probability of a successful transmission due to smaller frame size. If there is significant interference present, or collisions due to high network utilization, try setting the fragment size to send smaller fragments. This will speed up the retransmission of smaller frames. However, it is more efficient to set the fragment size larger if very little or no interference is present because it requires overhead to send multiple frames. (Range: 256-2346 bytes; Default: 2346 bytes) RTS Threshold – Sets the packet size threshold at which a Request to Send (RTS) signal must be sent to a receiving station prior to the sending station starting communications. The wireless bridge sends RTS frames to a receiving station to negotiate the sending of a data frame. After receiving an RTS frame, the station sends a CTS (clear to send) frame to notify the sending station that it can start sending data. If the RTS threshold is set to 0, the wireless bridge always sends RTS signals. If set to 2347, the wireless bridge never sends RTS signals. If set to any other value, and the packet size equals or exceeds the RTS threshold, the RTS/CTS (Request to Send / Clear to Send) mechanism will be enabled. The wireless bridges contending for the medium may not be aware of each other. The RTS/CTS mechanism can solve this “Hidden Node Problem.” (Range: 0-2347 bytes: Default: 2347 bytes) Maximum Associations – (Access point mode only) Sets the maximum number of clients that can be associated with the access point radio at the same time. (Range: 1-64 per radio: Default: 64) 6-44 6 Radio Interface CLI Commands for the 802.11a Wireless Interface – From the global configuration mode, enter the interface wireless a command to access the 802.11a radio interface. If required, configure a name for the interface using the description command. Use the turbo command to enable this feature before setting the radio channel with the channel command. Set any other parameters as required. To view the current 802.11a radio settings, use the show interface wireless a command. DUAL OUTDOOR(config)#interface wireless a Enter Wireless configuration commands, one per line. DUAL OUTDOOR(if-wireless a)#description RD-AP#3 DUAL OUTDOOR(if-wireless a)#ssid r&d DUAL OUTDOOR(if-wireless a)#no turbo DUAL OUTDOOR(if-wireless a)#channel 44 DUAL OUTDOOR(if-wireless a)#closed-system DUAL OUTDOOR(if-wireless a)#transmit-power full DUAL OUTDOOR(if-wireless a)#speed 9 DUAL OUTDOOR(if-wireless a)#max-association 32 DUAL OUTDOOR(if-wireless a)#beacon-interval 150 DUAL OUTDOOR(if-wireless a)#dtim-period 5 DUAL OUTDOOR(if-wireless a)#fragmentation-length 512 DUAL OUTDOOR(if-wireless a)#rts-threshold 256 DUAL OUTDOOR(if-wireless a)#exit DUAL OUTDOOR#show interface wireless a 7-69 7-69 7-70 6-105 6-96 6-106 6-97 6-95 6-106 6-101 6-101 6-102 6-103 6-109 Wireless Interface Information =========================================================== ----------------Identification----------------------------Description : RD-AP#3 Service Type : Access Point SSID : r&d Turbo Mode : OFF Channel : 44 Status : Disable ----------------802.11 Parameters-------------------------Transmit Power : FULL (15 dBm) Max Station Data Rate : 9Mbps Fragmentation Threshold : 512 bytes RTS Threshold : 256 bytes Beacon Interval : 150 TUs DTIM Interval : 5 beacons Maximum Association : 32 stations ----------------Security----------------------------------Closed System : ENABLED Multicast cipher : WEP Unicast cipher : WEP WPA clients : SUPPORTED WPA Key Mgmt Mode : DYNAMIC WPA PSK Key Type : HEX Encryption : DISABLED Default Transmit Key : 1 Static Keys : Key 1: EMPTY Key 2: EMPTY Key 3: EMPTY Key 4: EMPTY Authentication Type : OPEN =========================================================== DUAL OUTDOOR# 6-45 6 System Configuration Radio Settings G (802.11g) The IEEE 802.11g standard operates within the 2.4 GHz band at up to 54 Mbps. Also note that because the IEEE 802.11g standard is an extension of the IEEE 802.11b standard, it allows clients with 802.11b wireless network cards to associate to an 802.11g access point. Enable – Enables radio communications on the access point. (Default: Enabled) Radio Channel – The radio channel that the access point uses to communicate with wireless clients. When multiple access points are deployed in the same area, set the channel on neighboring access points at least five channels apart to avoid interference with each other. For example, in the United States you can deploy up to three access points in the same area (e.g., channels 1, 6, 11). Also note that the channel for wireless clients is automatically set to the same as that used by the access point to which it is linked. (Range: 1-11 (US/Canada); Default: 1) Auto Channel Select – Enables the access point to automatically select an unoccupied radio channel. (Default: Enabled) 6-46 6 Radio Interface Working Mode – Selects the operating mode for the 802.11g wireless interface. (Default: b & g mixed mode) • b & g mixed mode: Both 802.11b and 802.11g clients can communicate with the access point (up to 54 Mbps). • g only: Only 802.11g clients can communicate with the access point (up to 54 Mbps). • b only: Both 802.11b and 802.11g clients can communicate with the access point, but 802.11g clients can only transfer data at 802.11b standard rates (up to 11 Mbps). Maximum Station Data Rate – The maximum data rate at which the access point transmits unicast packets on the wireless interface. The maximum transmission distance is affected by the data rate. The lower the data rate, the longer the transmission distance. (Default: 54 Mbps) For a description of the remaining configuration items, see “Radio Settings A (802.11a)” on page 6-42. CLI Commands for the 802.11g Wireless Interface – From the global configuration mode, enter the interface wireless g command to access the 802.11g radio interface. Set the interface SSID using the ssid command and, if required, configure a name for the interface using the description command. You can also use the closed-system command to stop sending the SSID in beacon messages. Select a radio channel or set selection to Auto using the channel command. Set any other parameters as required. To view the current 802.11g radio settings, use the show interface wireless g command. DUAL OUTDOOR(config)#interface wireless g Enter Wireless configuration commands, one per line. DUAL OUTDOOR(if-wireless g)#description RD-AP#3 DUAL OUTDOOR(if-wireless g)#ssid r&d DUAL OUTDOOR(if-wireless g)#channel auto DUAL OUTDOOR(if-wireless a)#closed-system DUAL OUTDOOR(if-wireless a)#transmit-power full DUAL OUTDOOR(if-wireless g)#speed 6 DUAL OUTDOOR(if-wireless g)#max-association 32 DUAL OUTDOOR(if-wireless g)#beacon-interval 150 DUAL OUTDOOR(if-wireless g)#dtim-period 5 DUAL OUTDOOR(if-wireless g)#fragmentation-length 512 DUAL OUTDOOR(if-wireless g)#rts-threshold 256 DUAL OUTDOOR(if-wireless g)#exit 7-69 7-69 7-70 6-96 6-106 6-97 6-95 6-106 6-105 6-101 6-102 6-103 6-47 6 System Configuration DUAL OUTDOOR#show interface wireless g 6-109 Wireless Interface Information =========================================================== ----------------Identification----------------------------Description : Enterprise 802.11g Access Point Service Type : Access Point SSID : r&d Channel : 11 (AUTO) Status : Enable ----------------802.11 Parameters-------------------------Transmit Power : FULL (14 dBm) Max Station Data Rate : 6Mbps Fragmentation Threshold : 512 bytes RTS Threshold : 256 bytes Beacon Interval : 150 TUs DTIM Interval : 5 beacons Maximum Association : 64 stations ----------------Security----------------------------------Closed System : DISABLED Multicast cipher : WEP Unicast cipher : TKIP WPA clients : SUPPORTED WPA Key Mgmt Mode : DYNAMIC WPA PSK Key Type : HEX Encryption : DISABLED Default Transmit Key : 1 Static Keys : Key 1: EMPTY Key 2: EMPTY Key 3: EMPTY Key 4: EMPTY Authentication Type : OPEN =========================================================== DUAL OUTDOOR# Security (Bridge Mode) Wired Equivalent Privacy (WEP) and Advanced Encryption Standard (AES) are implemented for security in bridge mode to prevent unauthorized access to network data. To secure bridge link data transmissions, enable WEP or AES encryption for the bridge radio and set at least one encryption key. Wired Equivalent Privacy (WEP) WEP provides a basic level of security, preventing unauthorized access to the network and encrypting data transmitted between wireless bridge units. WEP uses static shared keys (fixed-length hexadecimal or alphanumeric strings) that are manually configured on all units in the wireless bridge network. 6-48 6 Radio Interface Setting up IEEE 802.11 Wired Equivalent Privacy (WEP) shared keys prevents unauthorized access to the wireless bridge network. Be sure to define at least one static WEP key for data encryption. Also, be sure that the WEP keys are the same for all bridge units in the wireless network. Data Encryption Setup – Enable or disable the wireless bridge to use either WEP or AES for data encryption. If WEP encryption is selected and enabled, you must configure at least one encryption key on the wireless bridge. (Default: Disable) Shared Key Setup – Select 64 Bit, 128 Bit, or 152 Bit key length. Note that the same size of WEP encryption key must be set on all bridge units in the wireless network. (Default: 128 Bit) Key Type – Select the preferred method of entering WEP encryption keys on the wireless bridge and enter up to four keys: • Hexadecimal: Enter keys as 10 hexadecimal digits (0 to 9 and A to F) for 64 bit keys, 26 hexadecimal digits for 128 bit keys, or 32 hexadecimal digits for 152 bit keys. • Alphanumeric: Enter keys as 5 alphanumeric characters for 64 bit keys, 13 alphanumeric characters for 128 bit keys, or 16 alphanumeric characters for 152 bit keys. 6-49 6 System Configuration • Transmit Key Select: Selects the key number to use for encryption. Bridge units in the wireless network must have all four keys configured to the same values. Note: Key index and type must match on all bridge units in the wireless network. Advanced Encryption Standard (AES) AES has been designated by the National Institute of Standards and Technology as the successor to the Data Encryption Standard (DES) encryption algorithm, and will be used by the U.S. government for encrypting all sensitive, nonclassified information. Because of its strength, and resistance to attack, AES is also being incorporated as part of the 802.11 security standard. The bridge radio band uses 128-bit static AES keys (hexadecimal or alphanumeric strings) that are configured for each link pair in the wireless bridge network. For a Slave bridge unit, only one encryption key needs to be defined. A Master bridge allows a different key to be defined for each wireless bridge link in the network. Configuring AES encryption keys on the wireless bridge provides far more robust security than using WEP. Also, a unique AES key can be used for each bridge link in the wireless network, instead of all bridges sharing the same WEP keys. Data Encryption Setup – Enable or disable the wireless bridge to use either WEP or AES for data encryption. If AES encryption is selected and enabled, you must configure one encryption key for each wireless port link on the wireless bridge. A Slave bridge supports only one wireless port link, but a Master bridge supports up to 16 links. (Default: Disable) 6-50 6 Radio Interface Key Type – Select the preferred method of entering AES encryption keys on the wireless bridge and enter a key for each bridge link in the network: • Hexadecimal: Enter keys as exactly 32 hexadecimal digits (0 to 9 and A to F). • Alphanumeric: Enter keys as an alphanumeric string using between 8 and 31 characters. Note: For each wireless port link (1 to 16), the AES keys must match on the corresponding bridge unit. CLI Commands for WEP Security – From the 802.11a interface configuration mode, use the encryption command to enable WEP encryption. To enter WEP keys, use the key command, and then set one key as the transmit key using the transmit-key command. To view the current security settings, use the show interface wireless a command. DUAL OUTDOOR(config)#interface wireless a Enter Wireless configuration commands, one per line. DUAL OUTDOOR(if-wireless a)#encryption wep 128 DUAL OUTDOOR(if-wireless a)#key wep 1 128 ascii abcdeabcdeabc DUAL OUTDOOR(if-wireless a)#transmit-key 1 DUAL OUTDOOR(if-wireless a)#exit DUAL OUTDOOR#show interface wireless a 7-69 6-118 6-119 6-120 6-109 Wireless Interface Information =========================================================== ----------------Identification----------------------------Description : Enterprise 802.11a Access Point Service Type : WDS Bridge SSID : DualBandOutdoor Turbo Mode : OFF Channel : 36 Status : Disable ----------------802.11 Parameters-------------------------Transmit Power : FULL (15 dBm) Max Station Data Rate : 54Mbps Fragmentation Threshold : 2346 bytes RTS Threshold : 2347 bytes Beacon Interval : 100 TUs DTIM Interval : 2 beacons Maximum Association : 64 stations ----------------Security----------------------------------Encryption : 128-BIT WEP ENCRYPTION WEP Key type : Alphanumeric Default Transmit Key : 1 Static Keys : Key 1: ***** Key 2: EMPTY Key 3: EMPTY Key 4: EMPTY =========================================================== DUAL OUTDOOR# Note: The index and length values used in the key command must be the same values used in the encryption and transmit-key commands. 6-51 6 System Configuration CLI Commands for AES Security – From the 802.11a interface configuration mode, use the encryption command to enable AES encryption. To enter AES keys, use the key command. To view the current security settings, use the show interface wireless a command. DUAL OUTDOOR(config)#interface wireless a Enter Wireless configuration commands, one per line. DUAL OUTDOOR(if-wireless a)#encryption wdsaes alphanumeric DUAL OUTDOOR(if-wireless a)#key wdsaes 1 agoodsecretkey DUAL OUTDOOR(if-wireless a)#exit DUAL OUTDOOR#show interface wireless a 7-69 6-118 6-119 6-109 Wireless Interface Information =========================================================== ----------------Identification----------------------------Description : Enterprise 802.11a Access Point Service Type : WDS Bridge SSID : DualBandOutdoor Turbo Mode : OFF Channel : 36 Status : Disable ----------------802.11 Parameters-------------------------Transmit Power : FULL (15 dBm) Max Station Data Rate : 54Mbps Fragmentation Threshold : 2346 bytes RTS Threshold : 2347 bytes Beacon Interval : 100 TUs DTIM Interval : 2 beacons Maximum Association : 64 stations ----------------Security----------------------------------Encryption : 128-BIT AES ENCRYPTION AES Key type : Alphanumeric =========================================================== DUAL OUTDOOR# Note: The key type value entered using the key command must be the same as the type specified in the encryption command. 6-52 6 Radio Interface Security (Access Point Mode) A radio band set to access point mode is configured by default as an “open system,” which broadcasts a beacon signal including the configured SSID. Wireless clients can read the SSID from the beacon, and automatically reset their SSID to allow immediate connection to the access point. To improve wireless network security for access point operation, you have to implement two main functions: • Authentication: It must be verified that clients attempting to connect to the network are authorized users. • Traffic Encryption: Data passing between the access point and clients must be protected from interception and evesdropping. For a more secure network, the access point can implement one or a combination of the following security mechanisms: • Wired Equivalent Privacy (WEP) page 6-48 • IEEE 802.1X page 6-12 • Wireless MAC address filtering page 6-13 • Wi-Fi Protected Access (WPA) page 6-59 The security mechanisms that may be employed depend on the level of security required, the network and management resources available, and the software support provided on wireless clients. A summary of wireless security considerations is listed in the following table. Security Mechanism Client Support Implementation Considerations WEP Built-in support on all 802.11a and 802.11g devices • Provides only weak security • Requires manual key management WEP over 802.1X Requires 802.1X client support in system or by add-in software • Provides dynamic key rotation for improved WEP security • Requires configured RADIUS server • 802.1X EAP type may require management of digital certificates for clients and server (support provided in Windows 2000 SP3 or later and Windows XP) MAC Address Uses the MAC address of Filtering client network card • Provides only weak user authentication • Management of authorized MAC addresses • Can be combined with other methods for improved security • Optionally configured RADIUS server 6-53 6 System Configuration Security Mechanism Client Support Implementation Considerations WPA over Requires WPA-enabled 802.1X Mode system and network card driver • Provides robust security in WPA-only mode (i.e., WPA clients only) • Offers support for legacy WEP clients, but with increased security risk (i.e., WEP (native support provided in authentication keys disabled) Windows XP) • Requires configured RADIUS server • 802.1X EAP type may require management of digital certificates for clients and server WPA PSK Mode Requires WPA-enabled system and network card driver • Provides good security in small networks • Requires manual management of pre-shared key (native support provided in Windows XP) Note: Although a WEP static key is not needed for WEP over 802.1X, WPA over 802.1X, and WPA PSK modes, you must enable WEP encryption through the web or CLI in order to enable all types of encryption in the access point. Wired Equivalent Privacy (WEP) WEP provides a basic level of security, preventing unauthorized access to the network and encrypting data transmitted between wireless clients and the access point. WEP uses static shared keys (fixed-length hexadecimal or alphanumeric strings) that are manually distributed to all clients that want to use the network. WEP is the security protocol initially specified in the IEEE 802.11 standard for wireless communications. Unfortunately, WEP has been found to be seriously flawed and cannot be recommended for a high level of network security. For more robust wireless security, the access point provides Wi-Fi Protected Access (WPA) for improved data encryption and user authentication. 6-54 6 Radio Interface Setting up shared keys enables the basic IEEE 802.11 Wired Equivalent Privacy (WEP) on the access point to prevent unauthorized access to the network. If you choose to use WEP shared keys instead of an open system, be sure to define at least one static WEP key for user authentication and data encryption. Also, be sure that the WEP shared keys are the same for each client in the wireless network. Authentication Type Setup – Sets the access point to communicate as an open system that accepts network access attempts from any client, or with clients using pre-configured static shared keys. • Open System: Select this option if you plan to use WPA or 802.1X as a security mechanism. If you don’t set up any other security mechanism on the access point, the network has no protection and is open to all users. This is the default setting. • Shared Key: Sets the access point to use WEP shared keys. If this option is selected, you must configure at least one key on the access point and all clients. Note: To use 802.1X on wireless clients requires a network card driver and 802.1X client software that supports the EAP authentication type that you want to use. Windows 2000 SP3 or later and Windows XP provide 802.1X client support. Windows XP also provides native WPA support. Other systems require additional client software to support 802.1X and WPA. Data Encryption Setup – Enable or disable the access point to use WEP shared keys for data encryption. If this option is selected, you must configure at least one key on the access point and all clients. (Default: Disable) Note: You must enable data encryption through the web or CLI in order to enable all types of encryption (WEP, TKIP, and AES) in the access point. 6-55 6 System Configuration Shared Key Setup – Select 64 Bit, 128 Bit, or 152 Bit key length. Note that the same size of encryption key must be supported on all wireless clients. 152 Bit key length is only supported on 802.11a radio. (Default: 128 Bit) Key Type – Select the preferred method of entering WEP encryption keys on the access point and enter up to four keys: • Hexadecimal: Enter keys as 10 hexadecimal digits (0 to 9 and A to F) for 64 bit keys, 26 hexadecimal digits for 128 bit keys, or 32 hexadecimal digits for 152 bit keys (802.11a radio only). • Alphanumeric: Enter keys as 5 alphanumeric characters for 64 bit keys, 13 alphanumeric characters for 128 bit keys, or 16 alphanumeric characters for 152 bit keys (802.11a radio only). • Transmit Key Select: Selects the key number to use for encryption. If the clients have all four keys configured to the same values, you can change the encryption key to any of the four settings without having to update the client keys. Note: Key index and type must match that configured on the clients. 6-56 6 Radio Interface The configuration settings for WEP are summarized below: WEP only WEP over 802.1X Authentication Type: Shared Key WEP (encryption): Enable WPA clients only: Disable Multicast Cipher: WEP Shared Key: 64/128/152 Key Type Hex: 10/26/32 characters ASCII: 5/13/16 characters Transmit Key: 1/2/3/4 (set index) 802.1X = Disabled1 MAC Authentication: Any setting2 Authentication Type: Open System WEP (encryption): Enable WPA clients only: Disable Multicast Cipher: WEP Shared Key: 64/128 802.1X = Required1 MAC Authentication: Disabled/Local2 1: See Authentication (page 6-11) 2: See Radius (page 6-7) CLI Commands for static WEP Shared Key Security – From the 802.11a or 802.11g interface configuration mode, use the authentication command to enable WEP shared-key authentication and the encryption command to enable WEP encryption. Use the multicast-cipher command to select WEP cipher type. To enter WEP keys, use the key command, and then set one key as the transmit key using the transmit-key command. Then disable 802.1X port authentication with the no 802.1X command. To view the current security settings, use the show interface wireless a or show interface wireless g command. DUAL OUTDOOR(config)#interface wireless g Enter Wireless configuration commands, one per line. DUAL OUTDOOR(if-wireless g)#authentication shared DUAL OUTDOOR(if-wireless g)#encryption 128 DUAL OUTDOOR(if-wireless g)#multicast-cipher wep DUAL OUTDOOR(if-wireless g)#key 1 128 ascii abcdeabcdeabc DUAL OUTDOOR(if-wireless g)#transmit-key 1 DUAL OUTDOOR(if-wireless g)#end DUAL OUTDOOR(config)#no 802.1X DUAL OUTDOOR(config)#end DUAL OUTDOOR#show interface wireless g 7-69 6-119 6-118 6-121 6-119 6-120 6-65 6-109 Wireless Interface Information =========================================================== ----------------Identification----------------------------Description : Enterprise 802.11g Access Point Service Type : Access Point SSID : DualBandOutdoor Channel : 5 (AUTO) Status : Disable ----------------802.11 Parameters-------------------------Transmit Power : FULL (20 dBm) Max Station Data Rate : 54Mbps Fragmentation Threshold : 2346 bytes RTS Threshold : 2347 bytes Beacon Interval : 100 TUs DTIM Interval : 2 beacons Maximum Association : 64 stations 6-57 6 System Configuration ----------------Security----------------------------------Closed System : DISABLED Multicast cipher : WEP Unicast cipher : TKIP WPA clients : SUPPORTED WPA Key Mgmt Mode : DYNAMIC WPA PSK Key Type : HEX Encryption : 128-BIT ENCRYPTION Default Transmit Key : 1 Static Keys : Key 1: ***** Key 2: EMPTY Key 3: EMPTY Key 4: EMPTY Authentication Type : SHARED =========================================================== DUAL OUTDOOR# Note: The index and length values used in the key command must be the same values used in the encryption and transmit-key commands. CLI Commands for WEP over 802.1X Security – From the 802.11a or 802.11g interface configuration mode, use the authentication command to select open system authentication. Use the multicast-cipher command to select WEP cipher type. Then set 802.1X to required with 802.1X command, and disable MAC authentication with the mac-authentication command. To view the current 802.11g security settings, use the show interface wireless g command (not shown in example). DUAL OUTDOOR(config)#interface wireless g Enter Wireless configuration commands, one per line. DUAL OUTDOOR(if-wireless g)#authentication open DUAL OUTDOOR(if-wireless g)#encryption 128 DUAL OUTDOOR(if-wireless g)#multicast-cipher wep DUAL OUTDOOR(if-wireless g)#end DUAL OUTDOOR(config)#802.1X required DUAL OUTDOOR(config)#no mac-authentication DUAL OUTDOOR(config)# 6-58 7-69 6-119 6-118 6-121 6-65 6-72 Radio Interface Wi-Fi Protected Access (WPA) WPA employs a combination of several technologies to provide an enhanced security solution for 802.11 wireless networks. The access point supports the following WPA components and features: IEEE 802.1X and the Extensible Authentication Protocol (EAP): WPA employs 802.1X as its basic framework for user authentication and dynamic key management. The 802.1X client and RADIUS server should use an appropriate EAP type—such as EAP-TLS (Transport Layer Security), EAP-TTLS (Tunneled TLS), or PEAP (Protected EAP)—for strongest authentication. Working together, these protocols provide “mutual authentication” between a client, the access point, and a RADIUS server that prevents users from accidentally joining a rogue network. Only when a RADIUS server has authenticated a user’s credentials will encryption keys be sent to the access point and client. Note: To implement WPA on wireless clients requires a WPA-enabled network card driver and 802.1X client software that supports the EAP authentication type that you want to use. Windows XP provides native WPA support, other systems require additional software. Temporal Key Integrity Protocol (TKIP): WPA specifies TKIP as the data encryption method to replace WEP. TKIP avoids the problems of WEP static keys by dynamically changing data encryption keys. Basically, TKIP starts with a master (temporal) key for each user session and then mathematically generates other keys 6-59 6 System Configuration to encrypt each data packet. TKIP provides further data encryption enhancements by including a message integrity check for each packet and a re-keying mechanism, which periodically changes the master key. WPA Pre-Shared Key (PSK) Mode: For enterprise deployment, WPA requires a RADIUS authentication server to be configured on the wired network. However, for small office networks that may not have the resources to configure and maintain a RADIUS server, WPA provides a simple operating mode that uses just a pre-shared password for network access. The Pre-Shared Key mode uses a common password for user authentication that is manually entered on the access point and all wireless clients. The PSK mode uses the same TKIP packet encryption and key management as WPA in the enterprise, providing a robust and manageable alternative for small networks. Mixed WPA and WEP Client Support: WPA enables the access point to indicate its supported encryption and authentication mechanisms to clients using its beacon signal. WPA-compatible clients can likewise respond to indicate their WPA support. This enables the access point to determine which clients are using WPA security and which are using legacy WEP. The access point uses TKIP unicast data encryption keys for WPA clients and WEP unicast keys for WEP clients. The global encryption key for multicast and broadcast traffic must be the same for all clients, therefore it restricts encryption to a WEP key. When access is opened to both WPA and WEP clients, no authentication is provided for the WEP clients through shared keys. To support authentication for WEP clients in this mixed mode configuration, you can use either MAC authentication or 802.1X authentication. Advanced Encryption Standard (AES) Support: WPA specifies AES encryption as an optional alternative to TKIP and WEP. AES provides very strong encryption using a completely different ciphering algorithm to TKIP and WEP. The developing IEEE 802.11i wireless security standard has specified AES as an eventual replacement for TKIP and WEP. However, because of the difference in ciphering algorithms, AES requires new hardware support in client network cards that is currently not widely available. The access point includes AES support as a future security enhancement. The WPA configuration parameters are described below: Authentication Type Setup – When using WPA, set the access point to communicate as an open system to disable WEP keys. Note: Although WEP keys are not needed for WPA, you must enable WEP encryption through the web or CLI in order to enable all types of encryption in the access point. For example, set Wired Equivalent Privacy (WEP) Setup to “Enable” on the Security page. WPA Configuration Mode – The access point can be configured to allow only WPA-enabled clients to access the network, or also allow clients only capable of supporting WEP. 6-60 Radio Interface WPA Key Management – WPA can be configured to work in an enterprise environment using IEEE 802.1X and a RADIUS server for user authentication. For smaller networks, WPA can be enabled using a common pre-shared key for client authentication with the access point. • WPA authentication over 802.1X: The WPA enterprise mode that uses IEEE 802.1X to authenticate users and to dynamically distribute encryption keys to clients. • WPA Pre-shared Key: The WPA mode for small networks that uses a common password string that is manually distributed. If this mode is selected, be sure to also specify the key string. Multicast Cipher Mode – Selects an encryption method for the global key used for multicast and broadcast traffic, which is supported by all wireless clients. • WEP: WEP is the first generation security protocol used to encrypt data crossing the wireless medium using a fairly short key. Communicating devices must use the same WEP key to encrypt and decrypt radio signals. WEP has many security flaws, and is not recommended for transmitting highly-sensitive data. • TKIP: TKIP provides data encryption enhancements including per-packet key hashing (that is, changing the encryption key on each packet), a message integrity check, an extended initialization vector with sequencing rules, and a re-keying mechanism. • AES: AES has been designated by the National Institute of Standards and Technology as the successor to the Data Encryption Standard (DES) encryption algorithm, and will be used by the U.S. government for encrypting all sensitive, nonclassified information. Because of its strength, and resistance to attack, AES is also being incorporated as part of the 802.11 standard. WPA Pre-Shared Key Type – If the WPA pre-shared-key mode is used, all wireless clients must be configured with the same key to communicate with the access point. • Hexadecimal: Enter a key as a string of 64 hexadecimal numbers. • Alphanumeric: Enter a key as an easy-to-remember form of letters and numbers. The string must be from 8 to 63 characters, which can include spaces. 6-61 6 System Configuration The configuration settings for WPA are summarized below: WPA pre-shared key only WPA over 802.1X Authentication Type: Open System WEP (encryption): Enable1 WPA clients only: Enable WPA Mode: Pre-shared-key Multicast Cipher: WEP/TKIP/AES2 WPA PSK Type Hex: 64 characters ASCII: 8-63 characters Shared Key: 64/128/152 802.1X = Disabled3 MAC Authentication: Disabled/Local4 Authentication Type: Open System WEP (encryption): Enable1 WPA clients only: Enable WPA Mode: WPA over 802.1X Multicast Cipher: WEP/TKIP/AES2 Shared Key: 64/128/152 802.1X = Required3 MAC Authentication: Disabled/Local4 1: Although WEP keys are not needed for WPA, you must enable WEP encryption through the web or CLI in order to enable all types of encryption in the access point. For example, use the CLI encryption command to set Encryption = 64, 128 or 152, thus enabling encryption (i.e., all types of encryption) in the access point. 2: Do not use WEP unless the access point must support both WPA and WEP clients. 3: See Authentication (page 6-11) 4: See Radius (page 6-7) CLI Commands for WPA Pre-shared Key Security – From the 802.11a or 802.11g interface configuration mode, use the authentication command to set the access point to “Open System.” Use the WEP encryption command to enable all types of encryption. To enable WPA to be required for all clients, use the wpa-clients command. Use the wpa-mode command to enable the Pre-shared Key mode. To enter a key value, use the wpa-psk-type command to specify a hexadecimal or alphanumeric key, and then use the wpa-preshared-key command to define the key. Then disable 802.1X and MAC authentication. To view the current 802.11g security settings, use the show interface wireless a or show interface wireless g command (not shown in example). AP(config)#interface wireless g Enter Wireless configuration commands, one per line. AP(if-wireless g)#authentication open AP(if-wireless g)#encryption 128 AP(if-wireless g)#wpa-clients required AP(if-wireless g)#wpa-mode pre-shared-key AP(if-wireless g)#wpa-psk-type alphanumeric AP(if-wireless g)#wpa-preshared-key ASCII asecret AP(if-wireless g)#end AP(config)#no 802.1X AP(config)#no mac-authentication 7-69 6-119 6-118 6-123 7-82 7-83 6-123 6-65 6-72 CLI Commands for WPA over 802.1X Security – From the 802.11a or 802.11g interface configuration mode, use the authentication command to set the access point to “Open System.” Use the WEP encryption command to enable all types of encryption. Use the wpa-clients command to set WPA to be required or supported for clients. Use the wpa-mode command to enable WPA dynamic keys over 802.1X. Set the broadcast and multicast key encryption using the multicast-cipher command. Then set 802.1X to required, and disable MAC authentication. To view 6-62 6 Status Information the current 802.11g security settings, use the show interface wireless g command (not shown in example). AP(config)#interface wireless g Enter Wireless configuration commands, one per line. AP(if-wireless g)#authentication open AP(if-wireless g)#encryption 128 AP(if-wireless g)#wpa-clients required AP(if-wireless g)#wpa-mode dynamic AP(if-wireless g)#multicast-cipher TKIP AP(if-wireless g)#end AP(config)#802.required AP(config)#no mac-authentication 7-69 6-119 6-118 6-123 7-82 6-121 6-65 6-72 Status Information The Status page includes information on the following items: Menu Description Page AP Status Displays configuration settings for the basic system and the wireless interfaces 6-63 Station Status Shows wireless clients currently associated with the access point 6-65 Event Logs Shows log messages stored in memory 6-67 AP Status The AP Status window displays basic system configuration settings, as well as the settings for the wireless interfaces. 6-63 6 System Configuration AP System Configuration – The AP System Configuration table displays the basic system configuration settings: • System Up Time: Length of time the management agent has been up. • MAC Address: The physical layer address for this device. • System Name: Name assigned to this system. • System Contact: Administrator responsible for the system. • IP Address: IP address of the management interface for this device. • IP Default Gateway: IP address of the gateway router between this device and management stations that exist on other network segments. • HTTP Server: Shows if management access via HTTP is enabled. • HTTP Server Port: Shows the TCP port used by the HTTP interface. • Version: Shows the version number for the runtime code. AP Wireless Configuration – The AP Wireless Configuration table displays the wireless interface settings listed below. Note that Radio A refers to the 802.11a interface and Radio G to the 802.11b/g interface. • Network Name (SSID): The service set identifier for this wireless group. • Radio Channel: The radio channel currently used on the wireless bridge. • Radio Encryption: The key size used for data encryption. • Radio Authentication Type: Shows the bridge is set as an open system. • 802.1X: Shows if IEEE 802.1X access control for wireless clients is enabled. CLI Commands for Displaying System Settings – To view the current wireless bridge system settings, use the show system command from the Exec mode. To view the 6-64 6 Status Information current radio interface settings, use the show interface wireless a command (see page 6-109). DUAL OUTDOOR#show system System Information ============================================================ Serial Number : . System Up time : 0 days, 5 hours, 2 minutes, 4 seconds System Name : Dual Band Outdoor AP System Location System Contact : Contact System Country Code : US - UNITED STATES MAC Address : 00-03-7F-BE-F8-99 IP Address : 192.168.1.1 Subnet Mask : 255.255.255.0 Default Gateway : 0.0.0.0 VLAN State : DISABLED Native VLAN ID : 1 IAPP State : ENABLED DHCP Client : ENABLED HTTP Server : ENABLED HTTP Server Port : 80 Slot Status : Dual band(a/g) Software Version : v1.1.0.0B07 ============================================================ DUAL OUTDOOR# 6-23 Station Status The Station Status window shows wireless clients currently associated with the access point. 6-65 6 System Configuration The Station Status page displays basic connection information for all associated stations. Note that this page is automatically refreshed every five seconds. • Station Address: The MAC address of the remote wireless bridge. • Authenticated: Shows if the station has been authenticated. The two basic methods of authentication supported for 802.11 wireless networks are “open system” and “shared key.” Open-system authentication accepts any client attempting to connect to the access point without verifying its identity. The shared-key approach uses Wired Equivalent Privacy (WEP) to verify client identity by distributing a shared key to stations before attempting authentication. • Associated: Shows if the station has been successfully associated with the access point. • Forwarding Allowed: Shows if the station has passed authentication and is now allowed to forward traffic. • Key Type: Displays one of the following: - Disabled: The client is not using Wired Equivalent Privacy (WEP) encryption keys. - Dynamic: The client is using Wi-Fi Protected Access (802.1X or pre-shared key mode) or using 802.1X authentication with dynamic keying. - Static: The client is using static WEP keys for encryption. CLI Commands for Displaying Station Information – To view status of clients currently associated with the access point, use the show station command from the Exec mode. DUAL OUTDOOR#show station Station Table Information =========================================================== 802.11a Channel : 56 No 802.11a Channel Stations. 802.11g Channel : 11 802.11g Channel Station Table Station Address : 00-04-E2-41-C2-9D VLAN ID: 0 Authenticated Associated Forwarding KeyType TRUE TRUE TRUE NONE Counters:pkts Tx Rx bytes Tx Rx 4/ 1440/ Time:Associated LastAssoc LastDisAssoc LastAuth 143854 =========================================================== DUAL OUTDOOR# 6-66 6-110 6 Status Information Event Logs The Event Logs window shows the log messages generated by the wireless bridge and stored in memory. The Event Logs table displays the following information: • Log Time: The time the log message was generated. • Event Level: The logging level associated with this message. For a description of the various levels, see “logging level” on page 6-27. • Event Message: The content of the log message. CLI Commands for Displaying the Event Logs – From the global configuration mode, use the show logging command. DUAL OUTDOOR#show loggging 6-32 Logging Information ============================================ Syslog State : Enabled Logging Host State : Enabled Logging Console State : Enabled Server Domain name/IP : 192.168.1.19 Logging Level : Alert Logging Facility Type : 16 ============================================= DUAL OUTDOOR# 6-67 6 6-68 System Configuration Chapter 7: Command Line Interface Using the Command Line Interface Accessing the CLI When accessing the management interface for the over a direct connection to the console port, or via a Telnet connection, the bridge can be managed by entering command keywords and parameters at the prompt. Using the bridge’s command-line interface (CLI) is very similar to entering commands on a UNIX system. Console Connection To access the bridge through the console port, perform these steps: 1. At the console prompt, enter the user name and password. (The default user name is “admin” and the default password is null) When the user name is entered, the CLI displays the “Enterprise AP#” prompt. 2. Enter the necessary commands to complete your desired tasks. 3. When finished, exit the session with the “exit” command. After connecting to the system through the console port, the login screen displays: Username: admin Password: Enterprise AP# Caution: Command examples shown later in this chapter abbreviate the console prompt to “AP” for simplicity. Telnet Connection Telnet operates over the IP transport protocol. In this environment, your management station and any network device you want to manage over the network must have a valid IP address. Valid IP addresses consist of four numbers, 0 to 255, separated by periods. Each address consists of a network portion and host portion. For example, if the bridge cannot acquire an IP address from a DHCP server, the default IP address used by the bridge, 192.168.1.1, consists of a network portion (192.168.1) and a host portion (1). To access the bridge through a Telnet session, you must first set the IP address for the bridge, and set the default gateway if you are managing the bridge from a different IP subnet. For example: Enterprise Enterprise Enterprise Enterprise AP#configure AP(config)#interface ethernet AP(if-ethernet)#ip address 10.1.0.1 255.255.255.0 10.1.0.254 AP(if-ethernet)# 7-1 7 Command Line Interface If your corporate network is connected to another network outside your office or to the Internet, you need to apply for a registered IP address. However, if you are attached to an isolated network, then you can use any IP address that matches the network segment to which you are attached. After you configure the bridge with an IP address, you can open a Telnet session by performing these steps. 1. From the remote host, enter the Telnet command and the IP address of the device you want to access. 2. At the prompt, enter the user name and system password. The CLI will display the “Enterprise AP#” prompt to show that you are using executive access mode (i.e., Exec). 3. Enter the necessary commands to complete your desired tasks. 4. When finished, exit the session with the “quit” or “exit” command. After entering the Telnet command, the login screen displays: Username: admin Password: Enterprise AP# Caution: You can open up to four sessions to the device via Telnet. Entering Commands This section describes how to enter CLI commands. Keywords and Arguments A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters. For example, in the command “show interfaces ethernet,” show and interfaces are keywords, and ethernet is an argument that specifies the interface type. You can enter commands as follows: • To enter a simple command, enter the command keyword. • To enter commands that require parameters, enter the required parameters after the command keyword. For example, to set a password for the administrator, enter: Enterprise AP(config)#username smith Minimum Abbreviation The CLI will accept a minimum number of characters that uniquely identify a command. For example, the command “configure” can be entered as con. If an entry is ambiguous, the system will prompt for further input. 7-2 Entering Commands Command Completion If you terminate input with a Tab key, the CLI will print the remaining characters of a partial keyword up to the point of ambiguity. In the “configure” example, typing con followed by a tab will result in printing the command up to “configure.” Getting Help on Commands You can display a brief description of the help system by entering the help command. You can also display command syntax by following a command with the “?” character to list keywords or parameters. Showing Commands If you enter a “?” at the command prompt, the system will display the first level of keywords for the current configuration mode (Exec, Global Configuration, or Interface). You can also display a list of valid keywords for a specific command. For example, the command “show ?” displays a list of possible show commands: Enterprise AP#show ? APmanagement Show management AP information. authentication Show Authentication parameters bootfile Show bootfile name bridge Show bridge config System snapshot for tech support dhcp-relay Show DHCP Relay Configuration event-log Show event log on console filters Show filters hardware Show hardware version history Display the session history interface Show interface information line TTY line information link-integrity Show link integrity information logging Show the logging buffers radius Show radius server rogue-ap Show Rogue ap Stations snmp Show snmp configuration sntp Show sntp configuration station Show 802.11 station table system Show system information version Show system version Enterprise AP#show The command “show interface ?” will display the following information: Enterprise AP#show interface ? ethernet Show Ethernet interface wireless Show wireless interface Enterprise AP#show interface 7-3 7 Command Line Interface Partial Keyword Lookup If you terminate a partial keyword with a question mark, alternatives that match the initial letters are provided. (Remember not to leave a space between the command and question mark.) For example “s?” shows all the keywords starting with “s.” Enterprise AP#show s? snmp sntp station Enterprise AP#show s system Negating the Effect of Commands For many configuration commands you can enter the prefix keyword “no” to cancel the effect of a command or reset the configuration to the default value. For example, the logging command will log system messages to a host server. To disable logging, specify the no logging command. This guide describes the negation effect for all applicable commands. Using Command History The CLI maintains a history of commands that have been entered. You can scroll back through the history of commands by pressing the up arrow key. Any command displayed in the history list can be executed again, or first modified and then executed. Using the show history command displays a longer list of recently executed commands. Understanding Command Modes The command set is divided into Exec and Configuration classes. Exec commands generally display information on system status or clear statistical counters. Configuration commands, on the other hand, modify interface parameters or enable certain functions. These classes are further divided into different modes. Available commands depend on the selected mode. You can always enter a question mark “?” at the prompt to display a list of the commands available for the current mode. The command classes and associated modes are displayed in the following table: Class Mode Exec Privileged Configuration Global Interface-ethernet Interface-wireless Interface-wireless-vap 7-4 Entering Commands Exec Commands When you open a new console session on an bridge, the system enters Exec command mode. Only a limited number of the commands are available in this mode. You can access all other commands only from the configuration mode. To access Exec mode, open a new console session with the user name “admin.” The command prompt displays as “Enterprise AP#” for Exec mode. Username: admin Password: [system login password] Enterprise AP# Configuration Commands Configuration commands are used to modify bridge settings. These commands modify the running configuration and are saved in memory. The configuration commands are organized into four different modes: • Global Configuration (GC) - These commands modify the system level configuration, and include commands such as username and password. • Interface-Ethernet Configuration (IC-E) - These commands modify the Ethernet port configuration, and include command such as dns and ip. • Interface-Wireless Configuration (IC-W) - These commands modify the wireless port configuration of global parameters for the radio, and include commands such as channel and transmit-power. • Interface-Wireless Virtual bridge Configuration (IC-W-VAP) - These commands modify the wireless port configuration for each VAP, and include commands such as ssid and authentication. To enter the Global Configuration mode, enter the command configure in Exec mode. The system prompt will change to “Enterprise AP(config)#” which gives you access privilege to all Global Configuration commands. Enterprise AP#configure Enterprise AP(config)# To enter Interface mode, you must enter the “interface ethernet,” or “interface wireless a,” or “interface wireless g” command while in Global Configuration mode. The system prompt will change to “Enterprise AP(if-ethernet)#,” or Enterprise AP(if-wireless)” indicating that you have access privileges to the associated commands. You can use the end command to return to the Exec mode. Enterprise AP(config)#interface ethernet Enterprise AP(if-ethernet)# 7-5 7 Command Line Interface Command Line Processing Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters. You can use the Tab key to complete partial commands, or enter a partial command followed by the “?” character to display a list of possible matches. You can also use the following editing keystrokes for command-line processing: Table 7-1. Keystroke Commands Keystroke Function Ctrl-A Shifts cursor to start of command line. Ctrl-B Shifts cursor to the left one character. Ctrl-C Terminates a task and displays the command prompt. Ctrl-E Shifts cursor to end of command line. Ctrl-F Shifts cursor to the right one character. Ctrl-K Deletes from cursor to the end of the command line. Ctrl-L Repeats current command line on a new line. Ctrl-N Enters the next command line in the history buffer. Ctrl-P Shows the last command. Ctrl-R Repeats current command line on a new line. Ctrl-U Deletes the entire line. Ctrl-W Deletes the last word typed. Esc-B Moves the cursor backward one word. Esc-D Deletes from the cursor to the end of the word. Esc-F Moves the cursor forward one word. Delete key or backspace key Erases a mistake when entering a command. Command Groups The system commands can be broken down into the functional groups shown below. Table 7-2. Command Groups Command Group Description General Basic commands for entering configuration mode, restarting the system, or quitting the CLI Page 7-7 System Management Controls user name, password, web browser management options, and a variety of other system information 7-11 System Logging Configures system logging parameters 7-28 System Clock Configures SNTP and system clock settings 7-33 DHCP Relay Configures the bridge to send DHCP requests from clients to specified servers 7-38 7-6 General Commands Table 7-2. Command Groups Command Group Description Page SNMP Configures community access strings and trap managers 7-40 Flash/File Manages code image or bridge configuration files 7-55 RADIUS Configures the RADIUS client used with 802.1X authentication 7-58 802.1X Authentication Configures 802.1X authentication 7-65 MAC Address Authentication Configures MAC address authentication 7-70 Filtering Filters communications between wireless clients, controls access to the management interface from wireless clients, and filters traffic using specific Ethernet protocol types 7-73 WDS Bridge Configures WDS forwarding table settings 7-77 Spanning Tree Configures spanning tree parameters 7-83 Ethernet Interface Configures connection parameters for the Ethernet interface 7-88 Wireless Interface Configures radio interface settings 7-93 Wireless Security Configures radio interface security and encryption settings 7-113 Rogue AP Detection Configures settings for the detection of rogue bridges in the network 7-113 Link Integrity Configures a link check to a host device on the wired network 7-127 IAPP Enables roaming between multi-vendor bridges 7-131 VLANs Configures VLAN membership 7-132 WMM Configures WMM quality of service parameters 7-134 The access mode shown in the following tables is indicated by these abbreviations: Exec (Executive Mode), GC (Global Configuration), IC-E (Interface-Ethernet Configuration), IC-W (Interface-Wireless Configuration), and IC-W-VAP (Interface-Wireless VAP Configuration). General Commands Table 7-3. General Commands Command Function Mode configure Activates global configuration mode Exec Page end Returns to previous configuration mode GC, IC 7-8 exit Returns to the previous configuration mode, or exits the CLI any 7-8 ping Sends ICMP echo request packets to another node on the network Exec 7-9 reset Restarts the system Exec 7-10 show history Shows the command history buffer Exec 7-10 show line Shows the configuration settings for the console port Exec 7-11 7-8 7-7 7 Command Line Interface configure This command activates Global Configuration mode. You must enter this mode to modify most of the settings on the bridge. You must also enter Global Configuration mode prior to enabling the context modes for Interface Configuration. See “Using the Command Line Interface” on page 1. Default Setting None Command Mode Exec Example Enterprise AP#configure Enterprise AP(config)# Related Commands end (7-8) end This command returns to the previous configuration mode. Default Setting None Command Mode Global Configuration, Interface Configuration Example This example shows how to return to the Configuration mode from the Interface Configuration mode: Enterprise AP(if-ethernet)#end Enterprise AP(config)# exit This command returns to the Exec mode or exits the configuration program. Default Setting None Command Mode Any 7-8 General Commands Example This example shows how to return to the Exec mode from the Interface Configuration mode, and then quit the CLI session: Enterprise AP(if-ethernet)#exit Enterprise AP#exit CLI session with the bridge is now closed Username: ping This command sends ICMP echo request packets to another node on the network. Syntax ping • host_name - Alias of the host. • ip_address - IP address of the host. Default Setting None Command Mode Exec Command Usage • Use the ping command to see if another site on the network can be reached. • The following are some results of the ping command: - Normal response - The normal response occurs in one to ten seconds, depending on network traffic. - Destination does not respond - If the host does not respond, a “timeout” appears in ten seconds. - Destination unreachable - The gateway for this destination indicates that the destination is unreachable. - Network or host unreachable - The gateway found no corresponding entry in the route table. • Press to stop pinging. Example Enterprise AP#ping 10.1.0.19 192.168.1.19 is alive Enterprise AP# 7-9 7 Command Line Interface reset This command restarts the system or restores the factory default settings. Syntax reset • board - Reboots the system. • configuration - Resets the configuration settings to the factory defaults, and then reboots the system. Default Setting None Command Mode Exec Command Usage When the system is restarted, it will always run the Power-On Self-Test. Example This example shows how to reset the system: Enterprise AP#reset board Reboot system now? : y show history This command shows the contents of the command history buffer. Default Setting None Command Mode Exec Command Usage • The history buffer size is fixed at 10 commands. • Use the up or down arrow keys to scroll through the commands in the history buffer. Example In this example, the show history command lists the contents of the command history buffer: Enterprise AP#show history config exit show history Enterprise AP# 7-10 System Management Commands show line This command displays the console port’s configuration settings. Command Mode Exec Example The console port settings are fixed at the values shown below. Enterprise AP#show line Console Line Information ====================================================== databits : 8 parity : none speed : 9600 stop bits : 1 ====================================================== Enterprise AP# System Management Commands These commands are used to configure the user name, password, system logs, browser management options, clock settings, and a variety of other system information. Table 7-4. System Management Commands Command Function Mode Page Sets the bridge country code Exec 7-12 prompt Customizes the command line prompt GC 7-14 system name Specifies the host name for the bridge GC 7-14 snmp-server contact Sets the system contact string GC 7-41 snmp-server location Sets the system location string GC 7-42 Country Setting country Device Designation Management Access username Configures the user name for management access GC 7-15 password Specifies the password for management access GC 7-15 ip ssh-server enable Enables the Secure Shell server IC-E 7-16 ip ssh-server port 7-16 Sets the Secure Shell port IC-E ip telnet-server enable Enables the Telnet server IC-E 7-17 APmgmtIP Specifies an IP address or range of addresses allowed access to the management interface GC 7-21 APmgmtUI Enables or disables SNMP, Telnet or web management access GC 7-22 Exec 7-22 show APmanagement Shows the AP management configuration 7-11 7 Command Line Interface Table 7-4. System Management Commands Command Function Mode Page ip http port Specifies the port to be used by the web browser interface GC 7-17 ip http server Allows the bridge to be monitored or configured from a browser GC 7-18 ip https port Specifies the UDP port number used for a secure HTTP connection to the bridge’s Web interface GC 7-18 ip https server Enables the secure HTTP server on the bridge GC 7-19 web-redirect Enables web authentication of clients using a public access Internet service GC 7-20 show system Displays system information Exec 7-23 show version Displays version information for the system Exec 7-24 show config Displays detailed configuration information for the system Exec 7-24 show hardware Displays the bridge’s hardware version Exec 7-28 Web Server System Status country This command configures the bridge’s country code, which identifies the country of operation and sets the authorized radio channels. Syntax country country_code - A two character code that identifies the country of operation. See the following table for a full list of codes. Table 7-5. Country Codes Country Code Country Code Country Code Country Code Albania AL Dominican Republic DO Kuwait KW Romania RO Algeria DZ Ecuador EC Latvia LV Russia RU Argentina AR Egypt EG Lebanon LB Saudi Arabia SA Armenia AM Estonia EE Liechtenstein LI Singapore SG Australia AU Finland FI Lithuania LT Slovak Republic SK Austria AT France FR Macao MO Spain ES Azerbaijan AZ Georgia GE Macedonia MK Sweden SE Bahrain BH Germany DE Malaysia MY Switzerland CH 7-12 System Management Commands Table 7-5. Country Codes Country Code Country Code Country Code Country Code Belarus BY Greece GR Malta MT Syria SY Belgium BE Guatemala GT Mexico MX Taiwan TW Honduras HN Monaco MC Thailand TH Belize BZ Hong Kong HK Morocco MA Trinidad & Tobago TT Bolivia BO Hungary HU Netherlands NL Tunisia TN Brazil BR Iceland IS New Zealand NZ Turkey TR Brunei Darussalam BN India IN Norway NO Ukraine UA Bulgaria BG Indonesia ID Qatar QA United Arab Emirates AE Canada CA Iran IR Oman OM United Kingdom GB Chile CL Ireland IE Pakistan PK United States US China CN Israel IL Panama PA Uruguay UY Colombia CO Italy IT Peru PE Uzbekistan UZ Costa Rica CR Japan JP Philippines PH Yemen YE Croatia HR Jordan JO Poland PL Venezuela VE Cyprus CY Kazakhstan KZ Portugal PT Vietnam VN Czech Republic CZ North Korea KP Puerto Rico PR Zimbabwe ZW Denmark DK Korea Republic KR Slovenia SI Elsalvador SV Luxembourg LU South Africa ZA Default Setting US - for units sold in the United States 99 (no country set) - for units sold in other countries Command Mode Exec 7-13 7 Command Line Interface Command Usage • If you purchased an bridge outside of the United States, the country code must be set before radio functions are enabled. • The available Country Code settings can be displayed by using the country ? command. Example Enterprise AP#country tw Enterprise AP# prompt This command customizes the CLI prompt. Use the no form to restore the default prompt. Syntax prompt no prompt string - Any alphanumeric string to use for the CLI prompt. (Maximum length: 32 characters) Default Setting Enterprise AP Command Mode Global Configuration Example Enterprise AP(config)#prompt RD2 RD2(config)# system name This command specifies or modifies the system name for this device. Use the no form to restore the default system name. Syntax system name no system name name - The name of this host. (Maximum length: 32 characters) Default Setting Enterprise AP 7-14 System Management Commands Command Mode Global Configuration Example Enterprise AP(config)#system name AP Enterprise AP(config)# username This command configures the user name for management access. Syntax username name - The name of the user. (Length: 3-16 characters, case sensitive) Default Setting admin Command Mode Global Configuration Example Enterprise AP(config)#username bob Enterprise AP(config)# password After initially logging onto the system, you should set the password. Remember to record it in a safe place. Use the no form to reset the default password. Syntax password no password password - Password for management access. (Length: 3-16 characters, case sensitive) Default Setting null Command Mode Global Configuration Example Enterprise AP(config)#password Enterprise AP(config)# 7-15 7 Command Line Interface ip ssh-server enable This command enables the Secure Shell server. Use the no form to disable the server. Syntax ip ssh-server enable no ip ssh-server Default Setting Interface enabled Command Mode Interface Configuration (Ethernet) Command Usage • The bridge supports Secure Shell version 2.0 only. • After boot up, the SSH server needs about two minutes to generate host encryption keys. The SSH server is disabled while the keys are being generated. The show system command displays the status of the SSH server. Example Enterprise AP(if-ethernet)#ip ssh-server enable Enterprise AP(if-ethernet)# ip ssh-server port This command sets the Secure Shell server port. Use the no form to disable the server. Syntax ip ssh-server port • port-number - The UDP port used by the SSH server. (Range: 1-65535) Default Setting 22 Command Mode Interface Configuration (Ethernet) Example Enterprise AP(if-ethernet)#ip ssh-server port 1124 Enterprise AP(if-ethernet)# 7-16 System Management Commands ip telnet-server enable This command enables the Telnet server. Use the no form to disable the server. Syntax ip telnet-server enable no ip telnet-server Default Setting Interface enabled Command Mode Interface Configuration (Ethernet) Example Enterprise AP(if-ethernet)#ip telnet-server enable Enterprise AP(if-ethernet)# ip http port This command specifies the TCP port number used by the web browser interface. Use the no form to use the default port. Syntax ip http port no ip http port port-number - The TCP port to be used by the browser interface. (Range: 1024-65535) Default Setting 80 Command Mode Global Configuration Example Enterprise AP(config)#ip http port 769 Enterprise AP(config)# Related Commands ip http server (7-18) 7-17 7 Command Line Interface ip http server This command allows this device to be monitored or configured from a browser. Use the no form to disable this function. Syntax ip http server no ip http server Default Setting Enabled Command Mode Global Configuration Example Enterprise AP(config)#ip http server Enterprise AP(config)# Related Commands ip http port (7-17) ip https port Use this command to specify the UDP port number used for HTTPS/SSL connection to the bridge’s Web interface. Use the no form to restore the default port. Syntax ip https port no ip https port port_number – The UDP port used for HTTPS/SSL. (Range: 80, 1024-65535) Default Setting 443 Command Mode Global Configuration Command Usage • You cannot configure the HTTP and HTTPS servers to use the same port. • To avoid using common reserved TCP port numbers below 1024, the configurable range is restricted to 443 and between 1024 and 65535. • If you change the HTTPS port number, clients attempting to connect to the HTTPS server must specify the port number in the URL, in this format: https://device:port_number 7-18 System Management Commands Example Enterprise AP(config)#ip https port 1234 Enterprise AP(config)# ip https server Use this command to enable the secure hypertext transfer protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the bridge’s Web interface. Use the no form to disable this function. Syntax ip https server no ip https server Default Setting Enabled Command Mode Global Configuration Command Usage • Both HTTP and HTTPS service can be enabled independently. • If you enable HTTPS, you must indicate this in the URL: https://device:port_number] • When you start HTTPS, the connection is established in this way: - The client authenticates the server using the server’s digital certificate. - The client and server negotiate a set of security protocols to use for the connection. - The client and server generate session keys for encrypting and decrypting data. • The client and server establish a secure encrypted connection. A padlock icon should appear in the status bar for Internet Explorer 5.x. Example Enterprise AP(config)#ip https server Enterprise AP(config)# 7-19 7 Command Line Interface web-redirect Use this command to enable web-based authentication of clients. Use the no form to disable this function. Syntax [no] web-redirect Default Setting Disabled Command Mode Global Configuration Command Usage • The web redirect feature is used to support billing for a public access wireless network. After successful association to an bridge, a client is “redirected” to an bridge login web page as soon as Internet access is attempted. The client is then authenticated by entering a user name and password on the web page. This process allows controlled access for clients without requiring 802.1X or MAC authentication. • Web redirect requires a RADIUS server on the wired network with configured user names and passwords for authentication. The RADIUS server details must also be configured on the bridge. (See “show bootfile” on page 7-58.) • Use the show system command to display the current web redirect status. Example Enterprise AP(config)#web-redirect Enterprise AP(config)# 7-20 System Management Commands APmgmtIP This command specifies the client IP addresses that are allowed management access to the bridge through various protocols. Caution: Secure Web (HTTPS) connections are not affected by the UI Management or IP Management settings. Syntax APmgmtIP • multiple - Adds IP addresses within a specifiable range to the SNMP, web and Telnet groups. • single - Adds an IP address to the SNMP, web and Telnet groups. • any - Allows any IP address access through SNMP, web and Telnet groups. • IP_address - Adds IP addresses to the SNMP, web and Telnet groups. • subnet_mask - Specifies a range of IP addresses allowed management access. Default Setting All addresses Command Mode Global Configuration Command Usage • If anyone tries to access a management interface on the bridge from an invalid address, the unit will reject the connection, enter an event message in the system log, and send a trap message to the trap manager. • IP address can be configured for SNMP, web and Telnet access respectively. Each of these groups can include up to five different sets of addresses, either individual addresses or address ranges. • When entering addresses for the same group (i.e., SNMP, web or Telnet), the bridge will not accept overlapping address ranges. When entering addresses for different groups, the bridge will accept overlapping address ranges. • You cannot delete an individual address from a specified range. You must delete the entire range, and reenter the addresses. • You can delete an address range just by specifying the start address, or by specifying both the start address and end address. Example This example restricts management access to the indicated addresses. Enterprise AP(config)#apmgmtip multiple 192.168.1.50 255.255.255.0 Enterprise AP(config)# 7-21 7 Command Line Interface APmgmtUI This command enables and disables management access to the bridge through SNMP, Telnet and web interfaces. Caution: Secure Web (HTTPS) connections are not affected by the UI Management or IP Management settings. Syntax APmgmtUI <[SNMP | Telnet | Web] enable | disable> • SNMP - Specifies SNMP management access. • Telnet - Specifies Telnet management access. • Web - Specifies web based management access. - enable/disable - Enables or disables the selected management access method. Default Setting All enabled Command Mode Global Configuration Example This example restricts management access to the indicated addresses. Enterprise AP(config)#apmgmtui SNMP enable Enterprise AP(config)# show apmanagement This command shows the AP management configuration, including the IP addresses of management stations allowed to access the bridge, as well as the interface protocols which are open to management access. Command Mode Exec Example Enterprise AP#show apmanagement Management AP Information ================================= AP Management IP Mode: Any IP Telnet UI: Enable WEB UI : Enable SNMP UI : Enable ================================== Enterprise AP# 7-22 System Management Commands show system This command displays basic system configuration settings. Default Setting None Command Mode Exec Example Enterprise AP#show system System Information ========================================================== Serial Number : A123456789 System Up time : 0 days, 4 hours, 33 minutes, 29 seconds System Name : Enterprise Wireless AP System Location System Contact : David System Country Code : US - UNITED STATES MAC Address : 00-30-F1-F0-9A-9C IP Address : 192.168.1.1 Subnet Mask : 255.255.255.0 Default Gateway : 0.0.0.0 VLAN State : DISABLED Management VLAN ID(AP): 1 IAPP State : ENABLED DHCP Client : ENABLED HTTP Server : ENABLED HTTP Server Port : 80 HTTPS Server : ENABLED HTTPS Server Port : 443 Slot Status : Dual band(a/g) Boot Rom Version : v1.1.8 Software Version : v4.3.2.8b03 SSH Server : ENABLED SSH Server Port : 22 Telnet Server : ENABLED WEB Redirect : DISABLED DHCP Relay : DISABLED Proxy ARP : DISABLED ========================================================== Enterprise AP# 7-23 7 Command Line Interface show version This command displays the software version for the system. Command Mode Exec Example Enterprise AP#show version Version Information ========================================= Version: v4.3.2.8b03 Date : Dec 20 2005, 18:38:12 ========================================= Enterprise AP# show config This command displays detailed configuration information for the system. Command Mode Exec Example Enterprise AP#show config Authentication Information =========================================================== MAC Authentication Server : DISABLED MAC Auth Session Timeout Value : 0 min 802.1x supplicant : DISABLED 802.1x supplicant user : EMPTY 802.1x supplicant password : EMPTY Address Filtering : ALLOWED System Default : ALLOW addresses not found in filter table. Filter Table ----------------------------------------------------------No Filter Entries. Bootfile Information =================================== Bootfile : ec-img.bin =================================== Protocol Filter Information =========================================================== Local Bridge :DISABLED AP Management :ENABLED Ethernet Type Filter :DISABLED Enabled Protocol Filters ----------------------------------------------------------No protocol filters are enabled =========================================================== 7-24 System Management Commands Hardware Version Information =========================================== Hardware version R01A =========================================== Ethernet Interface Information ======================================== IP Address : 192.168.0.151 Subnet Mask : 255.255.255.0 Default Gateway : 192.168.0.1 Primary DNS : 210.200.211.225 Secondary DNS : 210.200.211.193 Speed-duplex : 100Base-TX Full Duplex Admin status : Up Operational status : Up ======================================== Wireless Interface 802.11a Information =========================================================== ----------------Identification----------------------------Description : Enterprise 802.11a bridge SSID : VAP_TEST_11A 0 Channel : 0 (AUTO) Status : Disable ----------------802.11 Parameters-------------------------Transmit Power : 100% (5 dBm) Data Rate : 54Mbps Fragmentation Threshold : 2346 bytes RTS Threshold : 2347 bytes Beacon Interval : 100 TUs DTIM Interval : 1 beacon Maximum Association : 64 stations Native VLAN ID : 1 ----------------Security----------------------------------Closed System : DISABLED Multicast cipher : WEP Unicast cipher : TKIP and AES WPA clients : REQUIRED WPA Key Mgmt Mode : PRE SHARED KEY WPA PSK Key Type : ALPHANUMERIC Encryption : DISABLED Default Transmit Key : 1 Static Keys : Key 1: EMPTY Key 2: EMPTY Key 3: EMPTY Key 4: EMPTY Key Length : Key 1: ZERO Key 2: ZERO Key 3: ZERO Key 4: ZERO Authentication Type : OPEN Rogue AP Detection : Disabled Rogue AP Scan Interval : 720 minutes Rogue AP Scan Duration : 350 milliseconds =========================================================== Console Line Information =========================================================== databits : 8 parity : none speed : 9600 stop bits : 1 =========================================================== 7-25 7 Command Line Interface Logging Information ===================================================== Syslog State : Disabled Logging Console State : Disabled Logging Level : Informational Logging Facility Type : 16 Servers 1: 0.0.0.0 , UDP Port: 514, State: Disabled 2: 0.0.0.0 , UDP Port: 514, State: Disabled 3: 0.0.0.0 , UDP Port: 514, State: Disabled 4: 0.0.0.0 , UDP Port: 514, State: Disabled ====================================================== Radius Server Information ======================================== IP : 0.0.0.0 Port : 1812 Key : ***** Retransmit : 3 Timeout : 5 Radius MAC format : no-delimiter Radius VLAN format : HEX ======================================== Radius Secondary Server Information ======================================== IP : 0.0.0.0 Port : 1812 Key : ***** Retransmit : 3 Timeout : 5 Radius MAC format : no-delimiter Radius VLAN format : HEX ======================================== SNMP Information ============================================== Service State : Disable Community (ro) : ******** Community (rw) : ******** Location Contact : Contact EngineId :80:00:07:e5:80:00:00:29:f6:00:00:00:0c EngineBoots:2 Trap Destinations: 1: 0.0.0.0, 2: 0.0.0.0, 3: 0.0.0.0, 4: 0.0.0.0, 7-26 Community: Community: Community: Community: *****, *****, *****, *****, State: State: State: State: Disabled Disabled Disabled Disabled System Management Commands dot11InterfaceAGFail dot11StationAssociation dot11StationReAssociation dot1xAuthFail dot1xAuthSuccess dot1xMacAddrAuthSuccess iappStationRoamedFrom localMacAddrAuthFail pppLogonFail configFileVersionChanged systemDown Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled dot11InterfaceBFail dot11StationAuthentication dot11StationRequestFail dot1xAuthNotInitiated dot1xMacAddrAuthFail iappContextDataSent iappStationRoamedTo localMacAddrAuthSuccess sntpServerFail radiusServerChanged systemUp Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled ============================================= SNTP Information =========================================================== Service State : Disabled SNTP (server 1) IP : 137.92.140.80 SNTP (server 2) IP : 192.43.244.18 Current Time : 00 : 14, Jan 1st, 1970 Time Zone : -5 (BOGOTA, EASTERN, INDIANA) Daylight Saving : Disabled =========================================================== Station Table Information =========================================================== if-wireless A VAP [0] 802.11a Channel : Auto No 802.11a Channel Stations. if-wireless G VAP [0] 802.11g Channel : Auto No 802.11g Channel Stations. System Information ============================================================== Serial Number System Up time : 0 days, 0 hours, 16 minutes, 51 seconds System Name : Enterprise Wireless AP System Location System Contact : David System Country Code : 99 - NO_COUNTRY_SET MAC Address : 00-12-CF-05-B7-84 IP Address : 192.168.0.151 Subnet Mask : 255.255.255.0 Default Gateway : 192.168.0.1 VLAN State : DISABLED Management VLAN ID(AP): 1 IAPP State : ENABLED DHCP Client : ENABLED HTTP Server : ENABLED HTTP Server Port : 80 HTTPS Server : ENABLED HTTPS Server Port : 443 Slot Status : Dual band(a/g) Boot Rom Version : v1.1.8 Software Version : v4.3.2.8b03 7-27 7 Command Line Interface SSH Server : ENABLED SSH Server Port : 22 Telnet Server : ENABLED WEB Redirect : DISABLED DHCP Relay : DISABLED ============================================================== Version Information ========================================= Version: v4.3.2.2 Date : Dec 20 2005, 18:38:12 ========================================= Enterprise AP# show hardware This command displays the hardware version of the system. Command Mode Exec Example Enterprise AP#show hardware Hardware Version Information =========================================== Hardware version R01 =========================================== Enterprise AP# System Logging Commands These commands are used to configure system logging on the bridge. Table 7-6. System Logging Commands Command Function Mode logging on Controls logging of error messages GC Page 7-29 logging host Adds a syslog server host IP address that will receive GC logging messages 7-29 logging console Initiates logging of error messages to the console GC 7-30 logging level Defines the minimum severity level for event logging GC 7-30 logging facility-type Sets the facility type for remote logging of syslog messages GC 7-31 logging clear Clears all log entries in bridge memory GC 7-32 show logging Displays the state of logging Exec 7-32 show event-log Displays all log entries in bridge memory Exec 7-33 7-28 System Logging Commands logging on This command controls logging of error messages; i.e., sending debug or error messages to memory. The no form disables the logging process. Syntax [no] logging on Default Setting Disabled Command Mode Global Configuration Command Usage The logging process controls error messages saved to memory. You can use the logging level command to control the type of error messages that are stored in memory. Example Enterprise AP(config)#logging on Enterprise AP(config)# logging host This command specifies syslog servers host that will receive logging messages. Use the no form to remove syslog server host. Syntax logging host <1 | 2 | 3 | 4> [udp_port] no logging host <1 | 2 | 3 | 4> • • • • • • • 1 - First syslog server. 2 - Second syslog server. 3 - Third syslog server. 4 - Fourth syslog server. host_name - The name of a syslog server. (Range: 1-20 characters) host_ip_address - The IP address of a syslog server. udp_port - The UDP port used by the syslog server. Default Setting None Command Mode Global Configuration 7-29 7 Command Line Interface Example Enterprise AP(config)#logging host 1 10.1.0.3 Enterprise AP(config)# logging console This command initiates logging of error messages to the console. Use the no form to disable logging to the console. Syntax logging console no logging console Default Setting Disabled Command Mode Global Configuration Example Enterprise AP(config)#logging console Enterprise AP(config)# logging level This command sets the minimum severity level for event logging. Syntax logging level Default Setting Informational Command Mode Global Configuration 7-30
Source Exif Data:
File Type : PDF File Type Extension : pdf MIME Type : application/pdf PDF Version : 1.6 Linearized : No Tagged PDF : Yes Page Mode : UseNone XMP Toolkit : 3.1-701 Producer : Acrobat Distiller 7.0 (Windows) Create Date : 2006:06:15 16:31:31Z Creator Tool : FrameMaker 7.0 Modify Date : 2006:06:19 14:21:20+08:00 Metadata Date : 2006:06:19 14:21:20+08:00 Format : application/pdf Title : OAP6626A-UG-32.book Creator : david Document ID : uuid:2c08631f-31a9-4806-a1df-f11df3986601 Instance ID : uuid:2489a3d2-e778-4730-bcdd-12b2b49db416 Has XFA : No Page Count : 150 Author : davidEXIF Metadata provided by EXIF.tools
Users Manual1
User Guide 3Com Outdoor 11a Building to Building Bridge and 11bg Access Point 3CRWEASYA73 / WL-546 http://www.3com.com/ http://www.3com.com/support/en_US/productreg/frontpg Published June, 2006 Version 2.0.2 3Com Corporation 350 Campus Drive Marlborough, MA 01752-3064 Copyright © 2006 3Com Corporation. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written permission from 3Com Corporation. 3Com Corporation reserves the right to revise this documentation and to make changes in content from time to time without obligation on the part of 3Com Corporation to provide notification of such revision or change. 3Com Corporation provides this documentation without warranty, term, or condition of any kind, either implied or expressed, including, but not limited to, the implied warranties, terms or conditions of merchantability, satisfactory quality, and fitness for a particular purpose. 3Com may make improvements or changes in the product(s) and/or the program(s) described in this documentation at any time. If there is any software on removable media described in this documentation, it is furnished under a license agreement included with the product as a separate document, in the hard copy documentation, or on the removable media in a directory file named LICENSE.TXT or !LICENSE.TXT. If you are unable to locate a copy, please contact 3Com and a copy will be provided to you. UNITED STATES GOVERNMENT LEGEND If you are a United States government agency, then this documentation and the software described herein are provided to you subject to the following: All technical data and computer software are commercial in nature and developed solely at private expense. Software is delivered as “Commercial Computer Software” as defined in DFARS 252.227-7014 (June 1995) or as a “commercial item” as defined in FAR 2.101(a) and as such is provided with only such rights as are provided in 3Com’s standard commercial license for the Software. Technical data is provided with limited rights only as provided in DFAR 252.227-7015 (November 1995) or FAR 52.227-14 (June 1987), whichever is applicable. You agree not to remove or deface any portion of any legend provided on any licensed program or documentation contained in, or delivered to you in conjunction with, this User Guide. Unless otherwise indicated, 3Com registered trademarks are registered in the United States and may or may not be registered in other countries. 3Com, the 3Com logo, and SuperStack are registered trademarks of 3Com Corporation. Wi-Fi is a trademark of the Wireless Ethernet Compatibility Alliance. All other company and product names may be trademarks of the respective companies with which they are associated. EXPORT RESTRICTIONS: This product contains Encryption and may require US and/or Local Government authorization prior to export or import to another country. Contents Radio Path Planning 4 Antenna Height 5 Antenna Position and Orientation 7 Radio Interference 9 Weather Conditions 9 Ethernet Cabling 10 Grounding 10 Initial Configuration 1 Initial Setup through the CLI 1 Required Connections 1 Initial Configuration Steps 2 Logging In 3 System Configuration 1 Advanced Configuration 2 System Identification 3 TCP / IP Settings 5 Radius 7 PPPoE Settings 9 Authentication 11 Filter Control 18 SNMP 20 Administration 23 System Log 27 Wireless Distribution System (WDS) 31 Bridge 33 Spanning Tree Protocol (STP) 36 RSSI 40 Radio Interface 41 Radio Settings A (802.11a) 42 Radio Settings G (802.11g) 46 Security (Bridge Mode) 48 Security (Access Point Mode) 53 Status Information 63 AP Status 63 Station Status 65 Event Logs 67 Command Line Interface 1 Using the Command Line Interface 1 iii Accessing the CLI 1 Console Connection 1 Telnet Connection 1 Entering Commands 2 Keywords and Arguments 2 Minimum Abbreviation 2 Command Completion 3 Getting Help on Commands 3 Partial Keyword Lookup 4 Negating the Effect of Commands 4 Using Command History 4 Understanding Command Modes 4 Exec Commands 5 Configuration Commands 5 Command Line Processing 6 Command Groups 6 General Commands 7 configure 8 end 8 exit 8 ping 9 reset 10 show history 10 show line 11 System Management Commands 11 country 12 prompt 14 system name 14 username 15 password 15 ip ssh-server enable 16 ip ssh-server port 16 ip telnet-server enable 17 ip http port 17 ip http server 18 ip https port 18 ip https server 19 web-redirect 20 APmgmtIP 21 APmgmtUI 22 show apmanagement 22 show system 23 show version 24 show config 24 show hardware 28 System Logging Commands 28 logging on 29 logging host 29 iv logging console 30 logging level 30 logging facility-type 31 logging clear 32 show logging 32 show event-log 33 System Clock Commands 33 sntp-server ip 34 sntp-server enable 34 sntp-server date-time 35 sntp-server daylight-saving 36 sntp-server timezone 36 show sntp 37 DHCP Relay Commands 38 dhcp-relay enable 38 dhcp-relay 39 show dhcp-relay 39 SNMP Commands 40 snmp-server community 41 snmp-server contact 41 snmp-server location 42 snmp-server enable server 42 snmp-server host 43 snmp-server trap 44 snmp-server engine-id 45 snmp-server user 46 snmp-server targets 48 snmp-server filter 49 snmp-server filter-assignments 50 show snmp groups 50 show snmp users 51 show snmp group-assignments 51 show snmp target 52 show snmp filter 52 show snmp filter-assignments 53 show snmp 54 Flash/File Commands 55 bootfile 55 copy 56 delete 57 dir 58 show bootfile 58 RADIUS Client 59 radius-server address 59 radius-server port 60 radius-server key 60 radius-server retransmit 61 radius-server timeout 61 radius-server port-accounting 62 radius-server timeout-interim 62 radius-server radius-mac-format 63 radius-server vlan-format 63 show radius 64 802.1X Authentication 65 802.1x 65 802.1x broadcast-key-refresh-rate 66 802.1x session-key-refresh-rate 67 802.1x session-timeout 67 802.1x-supplicant enable 68 802.1x-supplicant user 68 show authentication 69 MAC Address Authentication 70 address filter default 70 address filter entry 71 address filter delete 71 mac-authentication server 72 mac-authentication session-timeout 72 Filtering Commands 73 filter local-bridge 74 filter ap-manage 74 filter uplink enable 75 filter uplink 75 filter ethernet-type enable 75 filter ethernet-type protocol 76 show filters 77 WDS Bridge Commands 77 bridge role (WDS) 78 bridge-link parent 78 bridge-link child 79 bridge dynamic-entry age-time 80 show bridge aging-time 80 show bridge filter-entry 81 show bridge link 81 Spanning Tree Commands 83 bridge stp enable 83 bridge stp forwarding-delay 84 bridge stp hello-time 84 bridge stp max-age 85 bridge stp priority 85 bridge-link path-cost 86 bridge-link port-priority 86 show bridge stp 87 Ethernet Interface Commands 88 interface ethernet 88 dns server 89 ip address 89 vi ip dhcp 90 speed-duplex 91 shutdown 92 show interface ethernet 92 Wireless Interface Commands 93 interface wireless 94 vap 95 speed 95 turbo 96 multicast-data-rate 97 channel 98 transmit-power 98 radio-mode 99 preamble 100 antenna control 100 antenna id 101 antenna location 102 beacon-interval 102 dtim-period 103 fragmentation-length 104 rts-threshold 104 super-a 105 super-g 106 description 106 ssid 107 closed-system 107 max-association 108 assoc-timeout-interval 108 auth-timeout-value 108 shutdown 109 show interface wireless 110 show station 112 Rogue AP Detection Commands 113 rogue-ap enable 113 rogue-ap authenticate 114 rogue-ap duration 114 rogue-ap interval 115 rogue-ap scan 116 show rogue-ap 117 Wireless Security Commands 117 auth 118 encryption 120 key 121 transmit-key 122 cipher-suite 123 mic_mode 124 wpa-pre-shared-key 125 pmksa-lifetime 125 vii pre-authentication 126 Link Integrity Commands 127 link-integrity ping-detect 128 link-integrity ping-host 128 link-integrity ping-interval 129 link-integrity ping-fail-retry 129 link-integrity ethernet-detect 129 show link-integrity 130 IAPP Commands 131 iapp 131 VLAN Commands 132 vlan 132 management-vlanid 133 vlan-id 133 WMM Commands 134 wmm 135 wmm-acknowledge-policy 135 wmmparam 136 viii 1 INTRODUCTION The 3Com Outdoor 11a Building to Building Bridge and 11bg Access Point system provides point-to-point or point-to-multipoint bridge links between remote Ethernet LANs, and wireless access point services for clients in the local LAN area. It includes an integrated high-gain antenna for the 802.11a radio and can operate as a “Slave” or “Master” bridge in point-to-multipoint configurations, or provide a high-speed point-to-point wireless link between two sites that can be up to 15.4 km (9.6 miles) apart. As a “Master” bridge in point-to-multipoint configurations it can support connections to as many as 16 “Slave” units. The 802.11b/g radio requires an external antenna option. Each model is housed in a weatherproof enclosure for mounting outdoors and includes its own brackets for attaching to a wall, pole, radio mast, or tower structure. The unit is powered through its Ethernet cable connection from a power injector module that is installed indoors. The wireless bridge system offers a fast, reliable, and cost-effective solution for connectivity between remote Ethernet wired LANs or to provide Internet access to an isolated site. The system is also easy to install and operate, ideal for situations where a wired link may be difficult or expensive to deploy. The wireless bridge connection provides data rates of up to 108 Mbps. In addition, both wireless bridge models offer full network management capabilities through an easy-to-use web interface, a command-line interface, and support for Simple Network Management Protocol (SNMP) tools. RADIO CHARACTERISTICS The IEEE 802.11a and 802.11g standards use a radio modulation technique known as Orthogonal Frequency Division Multiplexing (OFDM), and a shared collision domain (CSMA/CA). The 802.11a standard operates in the 5 GHz Unlicensed National Information Infrastructure (UNII) band, and the 802.11g standard in the 2.4 GHz band. 1-1 IEEE 802.11g includes backward compatibility with the IEEE 802.11b standard. IEEE 802.11b also operates at 2.4 GHz, but uses Direct Sequence Spread Spectrum (DSSS) and Complementary Code Keying (CCK) modulation technology to achieve a communication rate of up to 11 Mbps. The wireless bridge provides a 54 Mbps half-duplex connection for each active channel (up to 108 Mbps in turbo mode on the 802.11a interface). APPROVED CHANNELS Use of this product is only authorized for the channels approved by each country. For proper installation, select your country from the country selection list. To conform to FCC and other country restrictions your product may be limited in the channels that are available. If other channels are permitted in your country please visit the 3Comwebsite for the latest software version. PACKAGE CHECKLIST The 3Com Outdoor 11a Building to Building Bridge and 11bg Access Point package includes: One Dual-band Outdoor Access Point / Bridge One Category 5 network cable, length 164 ft (50 m) One power injector module and power cord Outdoor pole-mounting bracket kit This User Guide Optional: One N-type RF coaxial cable Optional: Outdoor wall-mounting bracket kit Inform your dealer if there are any incorrect, missing or damaged parts. If possible, retain the carton, including the original packing materials. Use them again to repack the product in case there is a need to return it. 1-2 HARDWARE DESCRIPTION Bottom View Console Port Cover Attachment Console Port RSSI Connector with Protective Cap Water-Tight Test Point Integrated Antenna Top View N-Type External Antenna Connector (5 GHz) N-Type External Antenna Connector (2.4 GHz) INTEGRATED HIGH-GAIN ANTENNA The OAP6626A wireless bridge includes an integrated high-gain (17 dBi) flat-panel antenna for 5 GHz operation. The antenna can provide a direct line-of-sight link up to 15.4 km (9.6 miles) with a 6 Mbps data rate. EXTERNAL ANTENNA OPTIONS The OAP6626A Master bridge unit does not include an integrated antenna, but provides various external antenna options for both 5 GHz and 2.4 GHz operation. In a point-to-multipoint configuration, an external high-gain omnidirectional, sector, or high-gain panel antenna can be attached to communicate with bridges spread over a wide area. The OAP6626A and OAP6626A units both require the 2.4 GHz 8 dBi omnidirectional external antenna for 2.4 GHz operation. The following table summarizes the external antenna options: 1-3 Antenna Type Gain (dBi) HPBW* HPBW* Horizontal Vertical Polarization Max Range/Speed 5 GHz Omnidirectional 360 12 Linear, vertical 3.3 km at 6 Mbps 5 GHz 120-Degree Sector 14 120 Linear, vertical 10.3 km at 6 Mbps 5 GHz 60-Degree Sector 17 60 Linear, vertical 14 km at 6 Mbps 5 GHz High-Gain Panel 23 Linear 24.4 km at 6 Mbps 2.4 GHz Omnidirectional 360 15 Linear, vertical 7.6 km at 6 Mbps * Half-power beam width in degrees External antennas connect to the N-type RF connectors on the wireless bridge using the provided coaxial cables. ETHERNET PORT The wireless bridge has one 10BASE-T/100BASE-TX 8-pin DIN port that connects to the power injector module using the included Ethernet cable. The Ethernet port connection provides power to the wireless bridge as well as a data link to the local network. The wireless bridge appears as an Ethernet node and performs a bridging function by moving packets from the wired LAN to the remote end of the wireless bridge link. NOTE: The power injector module does not support Power over Ethernet (PoE) based on the IEEE 802.3af standard. The wireless bridge unit must always be powered on by being connected to the power injector module. POWER INJECTOR MODULE The wireless bridge receives power through its network cable connection using power-over-Ethernet technology. A power injector module is included in the wireless bridge package and provides two RJ-45 Ethernet ports, one for connecting to the wireless bridge (Output), and the other for connecting to a local LAN switch (Input). The Input port uses an MDI (i.e., internal straight-through) pin configuration. You can therefore use straight-through twisted-pair cable to connect this port to most network interconnection devices such as a switch or router that provide MDI-X ports. However, when connecting the access point to a workstation or other device that does not have MDI-X ports, you must use crossover twisted-pair cable. 1-4 LED Indicator Input AC Power Socket (Hidden) Output Ethernet from Local Network Ethernet and Power to Wireless Bridge The wireless bridge does not have a power switch. It is powered on when its Ethernet port is connected to the power injector module, and the power injector module is connected to an AC power source. The power injector includes one LED indicator that turns on when AC power is applied. The power injector module automatically adjusts to any AC voltage between 100-240 volts at 50 or 60 Hz. No voltage range settings are required. WARNING: The power injector module is designed for indoor use only. Never mount the power injector outside with the wireless bridge unit. RECEIVE SIGNAL STRENGTH INDICATOR (RSSI) BNC CONNECTOR The RSSI connector provides an output voltage that is proportional to the received radio signal strength. A DC voltmeter can be connected the this port to assist in aligning the antennas at both ends of a wireless bridge link. GROUNDING POINT Even though the wireless bridge includes its own built-in lightning protection, it is important that the unit is properly connected to ground. A grounding screw is provided for attaching a ground wire to the unit. WALL- AND POLE-MOUNTING BRACKET KITS The wireless bridge includes bracket kits that can be used to mount the bridge to a wall, pole, radio mast, or part of a tower structure. 1-5 SYSTEM CONFIGURATION At each location where a unit is installed, it must be connected to the local network using the power injector module. The following figure illustrates the system component connections. External Antenna Indoor Outdoor RF Coaxial Cable Wireless Bridge Unit LAN Switch Ethernet Cable Ethernet Cable Power Injector Ground Wire AC Power FEATURES AND BENEFITS OAP6626A Slave units support a 5 GHz point-to-point wireless link up 15.4 km (at 6 Mbps data rate) using integrated high-gain 17 dBi antennas OAP6626A Master units support 5 GHz point-to-multipoint links using various external antenna options Both OAP6626A and OAP6626A units also support access point services for the 5 GHz and 2.4 GHz radios using various external antenna options Maximum data rate up to 108 Mbps on the 802.11a (5 GHz) radio Outdoor weatherproof design IEEE 802.11a and 802.11b/g compliant Local network connection via 10/100 Mbps Ethernet port Powered through its Ethernet cable connection to the power injector module Includes wall- and pole-mount brackets Security through 64/128/152-bit Wired Equivalent Protection (WEP) or 128-bit Advanced Encryption Standard (AES) encryption Scans all available channels and selects the best channel and data rate based on the signal-to-noise ratio Manageable through an easy-to-use web-browser interface, command line (via Telnet), or SNMP network management tools 1-6 SYSTEM DEFAULTS The following table lists some of the wireless bridge’s basic system defaults. To reset the bridge defaults, use the CLI command “reset configuration” from the Exec level prompt. Feature Parameter Default Identification System Name Dual Band Outdoor AP Administration User Name admin Password null HTTP Server Enabled HTTP Server Port 80 IP Address 192.168.1.1 Subnet Mask 255.255.255.0 Default Gateway 0.0.0.0 Primary DNS IP 0.0.0.0 Secondary DNS IP 0.0.0.0 Status Disabled Native VLAN ID Filter Control Ethernet Type Disabled SNMP Status Enabled Location null Contact Contact Community (Read Only) Public Community (Read/Write) Private Traps Enabled Trap Destination IP Address null Trap Destination Community Name Public General TCP/IP VLANs 1-7 Feature Parameter Default System Logging Syslog Disabled Logging Host Disabled Logging Console Disabled IP Address / Host Name 0.0.0.0 Logging Level Informational Logging Facility Type 16 Spanning Tree Status Enabled Ethernet Interface Speed and Duplex Auto WDS Bridging Outdoor Bridge Band A (802.11a) Wireless Interface 802.11a Status Enabled SSID DualBandOutdoor Turbo Mode Disabled Radio Channel Default to first channel Auto Channel Select Enabled Transmit Power Full Maximum Data Rate 54 Mbps Beacon Interval 100 TUs Data Beacon Rate (DTIM Interval) 2 beacons RTS Threshold 2347 bytes Authentication Type Open System AES Encryption Disabled WEP Encryption Disabled WEP Key Length 128 bits WEP Key Type Hexadecimal WEP Transmit Key Number Wireless Security 802.11a 1-8 Feature Parameter Default Wireless Interface 802.11b/g Status Enabled SSID DualBandOutdoor Radio Channel Default to first channel Auto Channel Select Enabled Transmit Power Full Maximum Data Rate 54 Mbps Beacon Interval 100 TUs Data Beacon Rate (DTIM Interval) 2 beacons RTS Threshold 2347 bytes Authentication Type Open System AES Encryption Disabled WEP Encryption Disabled WEP Key Length 128 bits WEP Key Type Hexadecimal WEP Transmit Key Number WEP Keys null WEP Keys null Wireless Security 802.11b/g 1-9 1-10 2 INSTALLING THE BRIDGE The 3Com Outdoor 11a Building to Building Bridge and 11bg Access Point system provides access point or bridging services through either the 5 GHz or 2.4 GHz radio interfaces. The wireless bridge units can be used just as normal 802.11a/b/g access points connected to a local wired LAN, providing connectivity and roaming services for wireless clients in an outdoor area. Units can also be used purely as bridges connecting remote LANs. Alternatively, you can employ both access point and bridging functions together, offering a flexible and convenient wireless solution for many applications. This chapter describes the role of wireless bridge in various wireless network configurations. ACCESS POINT TOPOLOGIES Wireless networks support a stand-alone wireless configuration as well as an integrated configuration with 10/100 Mbps Ethernet LANs. Wireless network cards, adapters, and access points can be configured as: Ad hoc for departmental, SOHO, or enterprise LANs Infrastructure for wireless LANs Infrastructure wireless LAN for roaming wireless PCs The 802.11b and 802.11g frequency band, which operates at 2.4 GHz, can easily encounter interference from other 2.4 GHz devices, such as other 802.11b or g wireless devices, cordless phones and microwave ovens. If you experience poor wireless LAN performance, try the following measures: Limit any possible sources of radio interference within the service area Increase the distance between neighboring access points Increase the channel separation of neighboring access points (e.g., up to 3 channels of separation for 802.11b or up to 5 channels for 802.11g) 2-1 AD HOC WIRELESS LAN (NO ACCESS POINT OR BRIDGE) An ad hoc wireless LAN consists of a group of computers, each equipped with a wireless adapter, connected through radio signals as an independent wireless LAN. Computers in a specific ad hoc wireless LAN must therefore be configured to the same radio channel. Ad Hoc Wireless LAN Notebook with Wireless USB Adapter Notebook with Wireless PC Card PC with Wireless PCI Adapter INFRASTRUCTURE WIRELESS LAN The access point function of the wireless bridge provides access to a wired LAN for 802.11a/b/g wireless workstations. An integrated wired/wireless LAN is called an Infrastructure configuration. A Basic Service Set (BSS) consists of a group of wireless PC users and an access point that is directly connected to the wired LAN. Each wireless PC in a BSS can connect to any computer in its wireless group or access other computers or network resources in the wired LAN infrastructure through the access point. The infrastructure configuration not only extends the accessibility of wireless PCs to the wired LAN, but also increases the effective wireless transmission range for wireless PCs by passing their signals through one or more access points. A wireless infrastructure can be used for access to a central database, or for connection between mobile workers, as shown in the following figure. 2-2 Wired LAN Extension to Wireless Clients Server Switch Desktop PC Access Point Notebook PC Desktop PC INFRASTRUCTURE WIRELESS LAN FOR ROAMING WIRELESS PCS The Basic Service Set (BSS) defines the communications domain for each access point and its associated wireless clients. The BSS ID is a 48-bit binary number based on the access point’s wireless MAC address, and is set automatically and transparently as clients associate with the access point. The BSS ID is used in frames sent between the access point and its clients to identify traffic in the service area. The BSS ID is only set by the access point, never by its clients. The clients only need to set the Service Set Identifier (SSID) that identifies the service set provided by one or more access points. The SSID can be manually configured by the clients, can be detected in an access point’s beacon, or can be obtained by querying for the identity of the nearest access point. For clients that do not need to roam, set the SSID for the wireless card to that used by the access point to which you want to connect. A wireless infrastructure can also support roaming for mobile workers. More than one access point can be configured to create an Extended Service Set (ESS). By placing the access points so that a continuous coverage area is created, wireless users within this ESS can roam freely. All wireless network card adapters and wireless access points within a specific ESS must be configured with the same SSID. 2-3 Seamless Roaming Between Access Points Server Desktop PC Switch Switch Access Point Notebook PC Notebook PC Access PointDesktop PC BRIDGE LINK TOPOLOGIES The IEEE 802.11 standard defines a WIreless Distribution System (WDS) for bridge connections between BSS areas (access points). The outdoor wireless bridge uses WDS to forward traffic on links between units. Up to 16 WDS links can be specified for a OAP6626A unit, which acts as the “Master” in the wireless bridge network. OAP6626A units support only one WDS link, which must be to the network’s master unit. The unit supports WDS bridge links on either the 5 GHz (802.11a) or 2.4 GHz (802.11b/g) bands and can be used with various external antennas to offer flexible deployment options. NOTE: The external antennas offer longer range options using the 5 GHz radio, which makes this interface more suitable for bridge links. The 2.4 GHz radio has only the 8 dBi omnidirectional antenna option, which is better suited for local access point services. When using WDS on a radio band, only wireless bridge units can associate to each other. Wireless clients can only associate with the wireless bridge using a radio band set to access point mode. 2-4 POINT-TO-POINT CONFIGURATION Two OAP6626A bridges can form a wireless point-to-point link using their 5 GHz (802.11a) integrated antennas. A point-to-point configuration can provide a limited data rate (6 Mbps) link over a long range (up to 15.4 km), or a high data rate (108 Mbps) over a short range (1.3 km). EASY873 EASY873 LAN LAN POINT-TO-MULTIPOINT CONFIGURATION A OAP6626A wireless bridge set to “Master” mode can use an omnidirectional or sector antenna to connect to as many as 16 bridges in a point-to-multipoint configuration. There can only be one “Master” unit in the wireless bridge network, all other bridges must be “Slave” units. Using the 5 GHz 8 dBi omnidirectional external antenna, the Master unit can connect to Slave units up to 3.3 km (2 miles) away. Using the 13.5 dBi 120-degree sector antenna, the Master can connect to Slave units up to 10.3 km (6.4 miles) away. 2-5 Slave Slave Slave Master with Omnidirectional Antenna Slave Slave Slave Slave Slave Master with Sector Antenna Slave 2-6 3 BRIDGE LINK PLANNING The 3Com Outdoor 11a Building to Building Bridge and 11bg Access Point supports fixed point-to-point or point-to-multipoint wireless links. A single link between two points can be used to connect a remote site to larger core network. Multiple bridge links can provide a way to connect widespread Ethernet LANs. For each link in a wireless bridge network to be reliable and provide optimum performance, some careful site planning is required. This chapter provides guidance and information for planning your wireless bridge links. NOTE: The planning and installation of the wireless bridge requires professional personnel that are trained in the installation of radio transmitting equipment. The user is responsible for compliance with local regulations concerning items such as antenna power, use of lightning arrestors, grounding, and radio mast or tower construction. Therefore, it is recommended to consult a professional contractor knowledgeable in local radio regulations prior to equipment installation. 3-1 DATA RATES Using its 5 GHz integrated antenna, the OAP6626A bridge set to “Slave” mode can operate over a range of up to 15.4 km (9.6 miles) or provide a high-speed connection of 54 Mbps (108 Mbps in turbo mode). However, the maximum data rate for a link decreases as the operating range increases. A 15.4 km link can only operate up to 6 Mbps, whereas a 108 Mbps connection is limited to a range of 1.3 km. When you are planning each wireless bridge link, take into account the maximum distance and data rates for the various antenna options. A summary for 5 GHz (802.11a) antennas is provided in the following table. For full specifications for each antenna, see “Antenna Specifications” on page B-3. Distances Achieved Using Normal Mode Data Rate 17 dBi Integrated 8 dBi Omni 13.5 dBi 120-Degre e Sector 16.5 dBi 60-Degree Sector 23 dBi Panel 6 Mbps 15.4 km 3.3 km 10.3 km 14 km 24.4 km 9 Mbps 14.7 km 2.9 km 9.2 km 13.4 km 23.3 km 12 Mbps 14 km 2.6 km 8.2 km 12.8 km 22.2 km 18 Mbps 12.8 km 2.1 km 6.5 km 11.7 km 20.3 km 24 Mbps 11.1 km 1.5 km 4.6 km 9.2 km 17.7 km 36 Mbps 6.5 km 0.8 km 2.6 km 5.2 km 14 km 48 Mbps 2.9 km 0.4 km 1.2 km 2.3 km 9.2 km 54 Mbps 1.8 km 0.2 km 0.7 km 1.5 km 5.8 km Distances provided in this table are an estimate for a typical deployment and may be reduced by local regulatory limits. For accurate distances, you need to calculate the power link budget for your specific environment. 3-2 . Distances Achieved Using Turbo Mode Data Rate 17 dBi Integrated 8 dBi Omni 13.5 dBi 120-Degre e Sector 16.5 dBi 60-Degree Sector 23 dBi Panel 12 Mbps 13.4 km 2.3 km 7.3 km 12.2 km 21.2 km 18 Mbps 12.8 km 2.1 km 6.5 km 11.7 km 20.3 km 24 Mbps 12.2 km 1.8 km 5.8 km 11.1 km 19.4 km 36 Mbps 11.1 km 1.5 km 4.6 km 9.2 km 17.7 km 48 Mbps 8.2 km 1 km 3.3 km 6.5 km 15.4 km 72 Mbps 4.6 km 0.6 km 1.8 km 3.7 km 12.2 km 96 Mbps 2.1 km 0.3 km 0.8 km 1.6 km 6.5 km 108 Mbps 1.3 km 0.2 km 0.5 km 1 km 4.1 km Distances provided in this table are an estimate for a typical deployment and may be reduced by local regulatory limits. For accurate distances, you need to calculate the power link budget for your specific environment. 3-3 Radio Path Planning Although the wireless bridge uses IEEE 802.11a radio technology, which is capable of reducing the effect of multipath signals due to obstructions, the wireless bridge link requires a “radio line-of-sight” between the two antennas for optimum performance. The concept of radio line-of-sight involves the area along a radio link path through which the bulk of the radio signal power travels. This area is known as the first Fresnel Zone of the radio link. For a radio link not to be affected by obstacles along its path, no object, including the ground, must intrude within 60% of the first Fresnel Zone. The following figure illustrates the concept of a good radio line-of-sight. Visual Line of Sight Radio Line of Sight If there are obstacles in the radio path, there may still be a radio link but the quality and strength of the signal will be affected. Calculating the maximum clearance from objects on a path is important as it directly affects the decision on antenna placement and height. It is especially critical for long-distance links, where the radio signal could easily be lost. NOTE: For wireless links less than 500 m, the IEEE 802.11a radio signal will tolerate some obstacles in the path and may not even require a visual line of sight between the antennas. When planning the radio path for a wireless bridge link, consider these factors: • Avoid any partial line-of-sight between the antennas. • Be cautious of trees or other foliage that may be near the path, or may grow and obstruct the path. 3-4 • Be sure there is enough clearance from buildings and that no building construction may eventually block the path. • Check the topology of the land between the antennas using topographical maps, aerial photos, or even satellite image data (software packages are available that may include this information for your area) • Avoid a path that may incur temporary blockage due to the movement of cars, trains, or aircraft. Antenna Height A reliable wireless link is usually best achieved by mounting the antennas at each end high enough for a clear radio line of sight between them. The minimum height required depends on the distance of the link, obstacles that may be in the path, topology of the terrain, and the curvature of the earth (for links over 3 miles). For long-distance links, a mast or pole may need to be contsructed to attain the minimum required height. Use the following table to estimate the required minimum clearance above the ground or path obstruction (for 5 GHz bridge links). Total Link Distance Max Clearance for 60% of First Fresnel Zone at 5.8 GHz Approximate Clearance for Earth Curvature Total Clearance Required at Mid-point of Link 0.25 mile (402 m) 4.5 ft (1.4 m) 4.5 ft (1.4 m) 0.5 mile (805 m) 6.4 ft (1.95 m) 6.4 ft (1.95 m) 1 mile (1.6 km) 9 ft (2.7 m) 9 ft (2.7 m) 2 miles (3.2 km) 12.7 ft (3.9 m) 12.7 ft (3.9 m) 3 miles (4.8 km) 15.6 ft (4.8 m) 1.8 ft (0.5 m) 17.4 ft (5.3 m) 4 miles (6.4 km) 18 ft (5.5 m) 3.2 ft (1.0 m) 21.2 ft (6.5 m) 5 miles (8 km) 20 ft (6.1 m) 5 ft (1.5 m) 25 ft (7.6 m) 7 miles (11.3 km) 24 ft (7.3 m) 9.8 ft (3.0 m) 33.8 ft (10.3 m) 9 miles (14.5 km) 27 ft (8.2 m) 16 ft (4.9 m) 43 ft (13.1 m) 12 miles (19.3 km) 31 ft (9.5 m) 29 ft (8.8 m) 60 ft (18.3 m) 3-5 Total Link Distance Max Clearance for 60% of First Fresnel Zone at 5.8 GHz Approximate Clearance for Earth Curvature Total Clearance Required at Mid-point of Link 15 miles (24.1 km) 35 ft (10.7 m) 45 ft (13.7 m) 80 ft (24.4 m) 17 miles (27.4 km) 37 ft (11.3 m) 58 ft (17.7 m) 95 ft (29 m) Note that to avoid any obstruction along the path, the height of the object must be added to the minimum clearance required for a clear radio line-of-sight. Consider the following simple example, illustrated in the figure below. Radio Line of Sight Visual Line of Sight 3 miles (4.8 km) 2.4 m 5.4 m 1.4 m 9m 20 m 17 m 12 m A wireless bridge link is deployed to connect building A to a building B, which is located three miles (4.8 km) away. Mid-way between the two buidings is a small tree-covered hill. From the above table it can be seen that for a three-mile link, the object clearance required at the mid-point is 5.3 m (17.4 ft). The tree-tops on the hill are at an elevation of 17 m (56 ft), so the antennas at each end of the link need to be at least 22.3 m (73 ft) high. Building A is six stories high, or 20 m (66 ft), so a 2.3 m (7.5 ft) mast or pole must be contructed on its roof to achieve the required antenna height. Building B is only three stories high, or 9 m (30 ft), but is located at an elevation that is 12 m (39 ft) higher than bulding A. To mount an anntena at the required height on building B, a mast or pole of only 1.3 m (4.3 ft) is needed. WARNING: Never construct a radio mast, pole, or tower near overhead power lines. 3-6 NOTE: Local regulations may limit or prevent construction of a high radio mast or tower. If your wireless bridge link requires a high radio mast or tower, consult a professional contractor for advice. Antenna Position and Orientation Once the required antenna height has been determined, other factors affecting the precise position of the wireless bridge must be considered: • Be sure there are no other radio antennas within 2 m (6 ft) of the wireless bridge • Place the wireless bridge away from power and telephone lines • Avoid placing the wireless bridge too close to any metallic reflective surfaces, such as roof-installed air-conditioning equipment, tinted windows, wire fences, or water pipes • The wireless bridge antennas at both ends of the link must be positioned with the same polarization direction, either horizontal or vertical 3-7 Antenna Polarization — The wireless bridge’s integrated antenna sends a radio signal that is polarized in a particular direction. The antenna’s receive sensitivity is also higher for radio signals that have the same polarization. To maximize the performance of the wireless link, both antennas must be set to the same polarization direction. Ideally the antennas should be pointing upwards mounted on the top part of a pole. 3-8 Radio Interference The avoidance of radio interference is an important part of wireless link planning. Interference is caused by other radio transmissions using the same or an adjacent channel frequency. You should first scan your proposed site using a spectrum analyzer to determine if there are any strong radio signals using the 802.11a channel frequencies. Always use a channel frequency that is furthest away from another signal. If radio interference is still a problem with your wireless bridge link, changing the antenna polarization direction may improve the situation. Weather Conditions When planning wireless bridge links, you must take into account any extreme weather conditions that are known to affect your location. Consider these factors: • Temperature — The wireless bridge is tested for normal operation in temperatures from -33°C to 55°C. Operating in temperatures outside of this range may cause the unit to fail. • Wind Velocity — The wireless bridge can operate in winds up to 90 MPH and survive higher wind speeds up to 125 MPH. You must consider the known maximum wind velocity and direction at the site and be sure that any supporting structure, such as a pole, mast, or tower, is built to withstand this force. • Lightning — The wireless bridge includes its own built-in lightning protection. However, you should make sure that the unit, any supporting structure, and cables are all properly grounded. Additional protection using lightning rods, lightning arrestors, or surge suppressors may also be employed. • Rain — The wireless bridge is weatherproofed against rain. Also, prolonged heavy rain has no significant effect on the radio signal. However, it is recommended to apply weatherproof sealing tape around the Ethernet port and antenna connectors for extra protection. If moisture enters a connector, it may cause a degradation in performance or even a complete failure of the link. • Snow and Ice — Falling snow, like rain, has no significant effect on the radio signal. However, a build up of snow or ice on antennas may cause the link to fail. In this case, the snow or ice has to be cleared from the antennas to restore operation of the link. 3-9 Ethernet Cabling When a suitable antenna location has been determined, you must plan a cable route form the wireless bridge outdoors to the power injector module indoors. Consider these points: • The Ethernet cable length should never be longer than 100 m (328 ft) • Determine a building entry point for the cable • Determine if conduits, bracing, or other structures are required for safety or protection of the cable • For lightning protection at the power injector end of the cable, consider using a lightning arrestor immediately before the cable enters the building Grounding It is important that the wireless bridge, cables, and any supporting structures are properly grounded. The wireless bridge unit includes a grounding screw for attaching a ground wire. Be sure that grounding is available and that it meets local and national electrical codes. 3-10 4 HARDWARE INSTALLATION Before mounting antennas to set up your wireless bridge links, be sure you have selected appropriate locations for each antenna. Follow the guidance and information in Chapter 2, “Wireless Link Planning.” Also, before mounting units in their intended locations, you should first perform initial configuration and test the basic operation of the wireless bridge links in a controlled environment over a very short range. (See the section “Testing Basic Link Operation” in this chapter.) The wireless bridge includes its own bracket kit for mounting the unit to a 1.5 to 2 inch diameter steel pole or tube. The pole-mounting bracket allows the unit to be mounted to part of a radio mast or tower structure. The unit also has a wall-mounting bracket kit that enables it to be fixed to a building wall or roof when using external antennas. Hardware installation of the wireless bridge involves these steps: Mount the unit on a wall, pole, mast, or tower using the mounting bracket. Mount external antennas on the same supporting structure as the bridge and connect them to the bridge unit. Connect the Ethernet cable and a grounding wire to the unit. Connect the power injector to the Ethernet cable, a local LAN switch, and an AC power source. Align antennas at both ends of the link. 4-1 TESTING BASIC LINK OPERATION Set up the units over a very short range (15 to 25 feet), either outdoors or indoors. Connect the units as indicated in this chapter and be sure to perform all the basic configuration tasks outlined in Chapter 4, “Initial Configuration.” When you are satisfied that the links are operating correctly, proceed to mount the units in their intended locations. MOUNT THE UNIT The bridge can be mounted on the following types of surfaces: Pole Wall, or electrical box (NEMA enclosure) CAUTION: The bridge is intended for outdoor use only. Do not install the bridge indoors. Using the Pole-Mounting Bracket Perform the following steps to mount the unit to a 1.5 to 2 inch diameter steel pole or tube using the mounting bracket: Always attach the bracket to a pole with the open end of the mounting grooves facing up. Place the V-shaped part of the bracket around the pole and tighten the securing nuts just enough to hold the bracket to the pole. (The bracket may need to be rotated around the pole during the alignment process.) Attach V-shaped parts to pole with provided nuts and bolts 4-2 Slot the edges of the V-shaped part into the slats in the rectangular plate, and tighten the nuts Attach the adjustable rectangular plate to the bridge with supplied screws 4-3 Attach the bridge with bracket to afixed plate on pole Use the included nuts to tightly secure the wireless bridge to the bracket. Be sure to take account of the antenna polarization direction; all antennas in a link must be mounted with the same polarization. USING THE WALL-MOUNTING BRACKET Perform the following steps to mount the unit to a wall using the wall-mounting bracket: CAUTION: The wall-mounting bracket does not allow the wireless bridge’s intrgrated antenna to be aligned. It is intended for use with the unit using an external antenna. 4-4 1 Always attach the bracket to a wall with flat side flush against the wall (see following figure). Position the bracket in the intended location and mark the position of the three mounting screw holes. Drill three holes in the wall that match the screws and wall plugs included in the bracket kit, then secure the bracket to the wall. Use the included nuts to tightly secure the wireless bridge to the bracket. 4-5 5 Connect the Ethernet cable (and power cable, if applicable) to the port(s) on the front of the FEM656B - 3Com 10-100 LAN + 56K Modem CardBus PC Card-(Fast Ethernet). CONNECTING THE BRIDGE TO A SWITCH It is recommended that you install and configure the 3Com Wireless LAN switch before installing the FEM656B - 3Com 10-100 LAN + 56K Modem CardBus PC Card-(Fast Ethernet). If the switch is already installed and configured for the FEM656B - 3Com 10-100 LAN + 56K Modem CardBus PC Card-(Fast Ethernet), you can immediately verify the cable connection when you plug the cable into the FEM656B - 3Com 10-100 LAN + 56K Modem CardBus PC Card-(Fast Ethernet). WARNING: Do not connect or disconnect cables or otherwise work with the bridge during periods of lightning activity. You can connect the bridge directly to a Wireless LAN Switch port or indirectly to Wireless LAN switches through an intermediate Layer 2 or Layer 3 network. In either case, use Category 5 cable with straight-through signaling for each FEM656B - 3Com 10-100 LAN + 56K Modem CardBus PC Card-(Fast Ethernet) connection. CONNECT EXTERNAL ANTENNAS When deploying a OAP6626A Master bridge unit for a bridge link or access point operation, you need to mount external antennas and connect them to the bridge. Typically, a bridge link requires a 5 GHz antenna, and access point operation a 2.4 GHz antenna. OAP6626A Slave units also require an external antenna for 2.4 GHz operation. Perform these steps: Mount the external antenna to the same supporting structure as the bridge, within 3 m (10 ft) distance, using the bracket supplied in the antenna package. Connect the antenna to the bridge’s N-type connector using the RF coaxial cable provided in the antenna package. Apply weatherproofing tape to the antenna connectors to help prevent water entering the connectors. 4-6 2.4 GHz N-type Connector 5 GHz N-type Connector 5 GHz External High-gain Panel Antenna 2.4 GHz External Omnidirectional Antenna RF Coaxial Cable CONNECT CABLES TO THE UNIT Attach the Ethernet cable to the Ethernet port on the wireless bridge. For extra protection against rain or moisture, apply weatherproofing tape (not included) around the Ethernet connector. Be sure to ground the unit with an appropriate grounding wire (not included) by attaching it to the grounding screw on the unit. CAUTION: Be sure that grounding is available and that it meets local and national electrical codes. For additional lightning protection, use lightning rods, lightning arrestors, or surge suppressors. 4-7 Console Port PoE (Ethernet) Port Ground Wire Grounding Screw Ethernet Cable CONNECT THE POWER INJECTOR To connect the wireless bridge to a power source: CAUTION: Do not install the power injector outdoors. The unit is for indoor installation only. NOTE: The wireless bridge’s Ethernet port does not support Power over Ethernet (PoE) based on the IEEE 802.3af standard. Do not try to power the unit by connecting it directly to a network switch that provides IEEE 802.3af PoE. Always connect the unit to the included power injector module. Connect the Ethernet cable from the wireless bridge to the RJ-45 port labeled “Output” on the power injector. Connect a straight-through unshielded twisted-pair (UTP) cable from a local LAN switch to the RJ-45 port labeled “Input” on the power injector. Use Category 5e or better UTP cable for 10/100BASE-TX connections. NOTE: The RJ-45 port on the power injector is an MDI port. If connecting directly to a computer for testing the link, use a crossover cable. 4-8 AC power Ethernet cable from LAN switch Inp ut Ou tpu Power LED indicator Ethernet cable to wireless bridge Insert the power cable plug directly into the standard AC receptacle on the power injector. Plug the other end of the power cable into a grounded, 3-pin socket, AC power source. NOTE: For International use, you may need to change the AC line cord. You must use a line cord set that has been approved for the receptacle type in your country. Check the LED on top of the power injector to be sure that power is being supplied to the wireless bridge through the Ethernet connection. CONNECT EXTERNAL ANTENNAS When deploying a OAP6626A set to “Master” mode for a bridge link or access point operation, you need to mount external antennas and connect them to the bridge. Typically, a bridge link requires a 5 GHz antenna, and access point operation a 2.4 GHz antenna. Units set to “Slave” mode also require an external antenna for 2.4 GHz operation. Perform these steps: Mount the external antenna to the same supporting structure as the bridge, within 3 m (10 ft) distance, using the bracket supplied in the antenna package. Connect the antenna to the bridge’s N-type connector using the RF coaxial cable provided in the antenna package. Apply weatherproofing tape to the antenna connectors to help prevent water entering the connectors. 4-9 2.4 GHz N-type Connector 5 GHz N-type Connector 5 GHz External High-gain Panel Antenna 2.4 GHz External Omnidirectional Antenna RF Coaxial Cable CONNECT CABLES TO THE UNIT Attach the Ethernet cable to the Ethernet port on the wireless bridge. NOTE: The Ethernet cable included with the package is 30 m (100 ft) long. To wire a longer cable (maximum 100 m, 325 ft), use the connector pinout information in Appendix B. For extra protection against rain or moisture, apply weatherproofing tape (not included) around the Ethernet connector. Be sure to ground the unit with an appropriate grounding wire (not included) by attaching it to the grounding screw on the unit. CAUTION: Be sure that grounding is available and that it meets local and national electrical codes. For additional lightning protection, use lightning rods, lightning arrestors, or surge suppressors. 4-10 Console Port PoE (Ethernet) Port Ground Wire Grounding Screw Ethernet Cable CONNECT THE POWER INJECTOR To connect the wireless bridge to a power source: CAUTION: Do not install the power injector outdoors. The unit is for indoor installation only. NOTE: The wireless bridge’s Ethernet port does not support Power over Ethernet (PoE) based on the IEEE 802.3af standard. Do not try to power the unit by connecting it directly to a network switch that provides IEEE 802.3af PoE. Always connect the unit to the included power injector module. Connect the Ethernet cable from the wireless bridge to the RJ-45 port labeled “Output” on the power injector. Connect a straight-through unshielded twisted-pair (UTP) cable from a local LAN switch to the RJ-45 port labeled “Input” on the power injector. Use Category 5 or better UTP cable for 10/100BASE-TX connections. NOTE: The RJ-45 port on the power injector is an MDI port. If connecting directly to a computer for testing the link, use a crossover cable. 4-11 AC power Ethernet cable from LAN switch Inp ut Ou tpu Power LED indicator Ethernet cable to wireless bridge Insert the power cable plug directly into the standard AC receptacle on the power injector. Plug the other end of the power cable into a grounded, 3-pin socket, AC power source. NOTE: For International use, you may need to change the AC line cord. You must use a line cord set that has been approved for the receptacle type in your country. Check the LED on top of the power injector to be sure that power is being supplied to the wireless bridge through the Ethernet connection. ALIGN ANTENNAS After wireless bridge units have been mounted, connected, and their radios are operating, the antennas must be accurately aligned to ensure optimum performance on the bridge links. This alignment process is particularly important for long-range point-to-point links. In a point-to-multipoint configuration the Master bridge uses an omnidirectional or sector antenna, which does not require alignment, but Slave bridges still need to be correctly aligned with the Master bridge antennna. Point-to-Point Configurations – In a point-to-point configuration, the alignment process requires two people at each end of the link. The use of cell phones or two-way radio communication may help with coordination. To start, you can just point the antennas at each other, using binoculars or a compass to set the general direction. For accurate alignment, you must connect a DC voltmeter to the RSSI connector on the wireless bridge and monitor the voltage as the antenna moves horizontally and vertically. 4-12 Point-to-Multipoint Configurations – In a point-to-multipoint configuration all Slave bridges must be aligned with the Master bridge antenna. The alignment process is the same as in point-to-point links, but only the Slave end of the link requires the alignment. The RSSI connector provides an output voltage between 0 and 3.28 VDC that is proportional to the received radio signal strength. The higher the voltage reading, the stronger the signal. The radio signal from the remote antenna can be seen to have a strong central main lobe and smaller side lobes. The object of the alignment process is to set the antenna so that it is receiving the strongest signal from the central main lobe. Vertical Scan Remote Antenna Maximum Signal Strength Position for Vertical Alignment Horizontal Scan Main Lobe Maximum RSSI Voltage RSSI Voltage Side Lobe Maximum Maximum Signal Strength Position for Horizontal Alignment To align the antennas in the link using the RSSI output voltage, start with one antenna fixed and then perform the following procedure on the other antenna: Note: NOTE: The RSSI output can be configured through management interfaces to output a value for specific WDS ports. See page 6-40 for more information. 4-13 1 Remove the RSSI connector cover and connect a voltmeter using a cable with a male BNC connector (not included). Console Port PoE (Ethernet) Port Voltmeter RSSI BNC Connection Pan the antenna horizontally back and forth while checking the RSSI voltage. If using the pole-mounting bracket with the unit, you must rotate the mounting bracket around the pole. Other external antenna brackets may require a different horizontal adjustment. Find the point where the signal is strongest (highest voltage) and secure the horizontal adjustment in that position. NOTE: Sometimes there may not be a central lobe peak in the voltage because vertical alignment is too far off; only two similar peaks for the side lobes are detected. In this case, fix the antenna so that it is halfway between the two peaks. Loosen the vertical adjustment on the mounting bracket and tilt the antenna slowly up and down while checking the RSSI voltage. Find the point where the signal is strongest and secure the vertical adjustment in that position. Remove the voltmeter cable and replace the RSSI connector cover. 4-14 Chapter 5: Initial Configuration The 2.4 GHz/5 GHz Wireless Bridge offers a variety of management options, including a web-based interface, a direct connection to the console port, Telnet, Secure Shell (SSH), or using SNMP software. The initial configuration steps can be made through the web browser interface or CLI. The bridge requests an IP address via DHCP by default. If no response is received from the DHCP server, then the bridge uses the default address 192.168.2.2. If this address is not compatible with your network, you can first use the command line interface (CLI) as described below to configure a valid address. Note: Units sold in countries outside the United States are not configured with a specific country code. You must use the CLI to set the country code and enable wireless operation (page 5-3). Initial Setup through the CLI Required Connections The bridge provides an RS-232 serial port that enables a connection to a PC or terminal for monitoring and configuration. Attach a VT100-compatible terminal, or a PC running a terminal emulation program to the bridge. You can use the console cable provided with this package, or use a cable that complies with the wiring assignments shown on page B-3. To connect to the console port, complete the following steps: 1. Connect the console cable to the serial port on a terminal, or a PC running terminal emulation software, and tighten the captive retaining screws on the DB-9 connector. 2. Connect the other end of the cable to the RS-232 serial port on the bridge. 3. Make sure the terminal emulation software is set as follows: • • • • • • Select the appropriate serial port (COM port 1 or 2). Set the data rate to 9600 baud. Set the data format to 8 data bits, 1 stop bit, and no parity. Set flow control to none. Set the emulation mode to VT100. When using HyperTerminal, select Terminal keys, not Windows keys. 5-1 5 Initial Configuration Note: When using HyperTerminal with Microsoft® Windows® 2000, make sure that you have Windows 2000 Service Pack 2 or later installed. Windows 2000 Service Pack 2 fixes the problem of arrow keys not functioning in HyperTerminal’s VT100 emulation. See www.microsoft.com for information on Windows 2000 service packs. 4. Once you have set up the terminal correctly, press the [Enter] key to initiate the console connection. The console login screen will be displayed. For a description of how to use the CLI, see “Using the Command Line Interface” on page 7-1. For a list of all the CLI commands and detailed information on using the CLI, refer to “Command Groups” on page 7-6. Initial Configuration Steps Logging In – Enter “admin” for the user name and leave the password blank. The CLI prompt appears displaying the bridge’s name. Username: admin Password: Enterprise AP# Setting the IP Address – By default, the bridge is configured to obtain IP address settings from a DHCP server. If a DHCP server is not available, the IP address defaults to 192.168.2.2, which may not be compatible with your network. You will therefore have to use the command line interface (CLI) to assign an IP address that is compatible with your network. Type “configure” to enter configuration mode, then type “interface ethernet” to access the Ethernet interface-configuration mode. Enterprise AP#configure Enterprise AP(config)#interface ethernet Enterprise AP(config-if)# First type “no ip dhcp” to disable DHCP client mode. Then type “ip address ip-address netmask gateway,” where “ip-address” is the bridge’s IP address, “netmask” is the network mask for the network, and “gateway” is the default gateway router. Check with your system administrator to obtain an IP address that is compatible with your network. Enterprise AP(if-ethernet)#no ip dhcp Enterprise AP(if-ethernet)#ip address 192.168.2.2 255.255.255.0 192.168.2.254 Enterprise AP(if-ethernet)# 5-2 5 Logging In After configuring the bridge’s IP parameters, you can access the management interface from anywhere within the attached network. The command line interface can also be accessed using Telnet from any computer attached to the network. Setting the Country Code – Units sold in the United States are configured by default to use only radio channels 1-11 in 802.11b or 802.11g mode as defined by FCC regulations. Units sold in other countries are configured by default without a country code (i.e., 99). You must use the CLI to set the country code. Setting the country code restricts operation of the bridge to the radio channels and transmit power levels permitted for wireless networks in the specified country. Type “exit” to leave configuration mode. Then type “country ?” to display the list of countries. Select the code for your country, and enter the country command again, following by your country code (e.g., tw for Taiwan). Enterprise AP#country tw Enterprise AP# Note: Command examples shown later in this manual abbreviate the console prompt to “AP” for simplicity. Logging In There are only a few basic steps you need to complete to connect the bridge to your corporate network, and provide network access to wireless clients. The bridge can be managed by any computer using a web browser (Internet Explorer 5.0 or above, or Netscape Navigator 6.2 or above). Enter the default IP address: http://192.168.2.2 Logging In – Enter the username “admin,” and password “smcadmin” then click LOGIN. For information on configuring a user name and password, see page 6-23. 5-3 5 Initial Configuration The home page displays the Main Menu. 5-4 Chapter 6: System Configuration Before continuing with advanced configuration, first complete the initial configuration steps described in Chapter 4 to set up an IP address for the wireless bridge. The wireless bridge can be managed by any computer using a web browser (Internet Explorer 5.0 or above, or Netscape Navigator 6.2 or above). Enter the default IP address: http://192.168.1.1 To log into the wireless bridge, enter the default user name “admin” and click LOGIN (there is no default password). When the home page displays, click on Advanced Setup. The following page will display. The information in this chapter is organized to reflect the structure of the web screens for easy reference. However, it is recommended that you configure a user name and password as the first step under advanced configuration to control management access to the wireless bridge (page 6-23). 6-1 6 System Configuration Advanced Configuration The Advanced Configuration pages include the following options. Menu System Description Page Configures basic administrative and client access 6-3 Identification Specifies the system name, location and contact information 6-3 TCP / IP Settings Configures the IP address, subnet mask, gateway, and domain name servers 6-5 RADIUS Configures the RADIUS server for wireless client authentication 6-7 PPPoE Settings Configures PPPoE on the Ethernet interface for a connection to an ISP Authentication Configures 802.1X client authentication and MAC address authentication 6-11 Filter Control Enables VLAN support and filters traffic matching specific Ethernet protocol types 6-18 SNMP Controls access to this wireless bridge from management stations using SNMP, as well as the hosts that will receive trap messages 6-20 Administration Configures user name and password for management access; upgrades software from local file, FTP or TFTP server; resets configuration settings to factory defaults; and resets the wireless bridge 6-23 System Log Controls logging of error messages; sets the system clock via SNTP server or manual configuration 6-27 WDS Sets the MAC addresses of other units in the wireless bridge network 6-31 Bridge Sets the time for aging out entries in the bridge MAC address table 6-33 STP Configures Spanning Tree Protocol parameters 6-36 RSSI 6-9 Controls the maximum RSSI voltage output for specific WDS ports 6-40 Configures the IEEE 802.11a interface 6-41 Radio Settings Configures radio signal parameters, such as radio channel, transmission rate, and beacon settings 6-42 Security Configures data encryption using Wired Equivalent Protection (WEP) or Wi-Fi Protected Access (WPA) 6-48 Configures the IEEE 802.11b/g interface 6-46 Radio Settings Configures radio signal parameters, such as radio channel, transmission rate, and beacon settings 6-46 Security Configures data encryption using Wired Equivalent Protection (WEP) or Wi-Fi Protected Access (WPA) 6-48 Radio Interface A Radio Interface G 6-2 Advanced Configuration System Identification The system information parameters for the wireless bridge can be left at their default settings. However, modifying these parameters can help you to more easily distinguish different devices in your network. The wireless bridge allows the selection of the band to be used for bridge links. The bridge band can support no wireless clients. Alternatively, bridging can be disabled and both bands can support access point functions. System Name – An alias for the wireless bridge, enabling the device to be uniquely identified on the network. (Default: Dual Band Outdoor AP; Range: 1-22 characters) Outdoor Bridge Band – Selects the radio band used for bridge links. • A – Bridging is supported on the 802.11a 5 GHz band. • G – Bridging is supported on the 802.11b/g 2.4 GHz band. • None – Bridging is not supported on either radio band. Allows both bands to support access point operations for wireless clients. Location – A text string that describes the system location. (Maximum length: 20 characters) Contact – A text string that describes the system contact. (Maximum length: 255 characters) 6-3 6 System Configuration CLI Commands for System Identification – Enter the global configuration mode and use the system name command to specify a new system name. Use the snmp-server location and snmp-server contact commands to indicate the physical location of the wireless bridge and define a system contact. Then return to the Exec mode, and use the show system command to display the changes to the system identification settings. DUAL DUAL DUAL DUAL DUAL DUAL OUTDOOR#configure OUTDOOR(config)#system name R&D OUTDOOR(config)#snmp-server location building-1 OUTDOOR(config)#snmp-server contact Paul OUTDOOR(config)#exit OUTDOOR#show system 6-8 6-14 6-42 6-41 6-23 System Information =================================================== Serial Number : 0000000005 System Up time : 0 days, 0 hours, 35 minutes, 56 seconds System Name : R&D System Location : building-1 System Contact : Paul System Country Code : US - UNITED STATES MAC Address : 00-30-F1-BE-F4-96 IP Address : 192.168.1.1 Subnet Mask : 255.255.255.0 Default Gateway : 0.0.0.0 VLAN State : DISABLED Native VLAN ID : 1 IAPP State : ENABLED DHCP Client : ENABLED HTTP Server : ENABLED HTTP Server Port : 80 Slot Status : Dual band(a/g) Software Version : v1.1.0.3 =================================================== DUAL OUTDOOR# CLI Commands for Bridge Band Selection – Enter the global configuration mode and use the wds channel command to specify the bridge band. DUAL OUTDOOR#configure DUAL OUTDOOR(config)#wds channel a DUAL OUTDOOR(config)# 6-4 6-8 7-43 Advanced Configuration TCP / IP Settings Configuring the wireless bridge with an IP address expands your ability to manage the wireless bridge. A number of wireless bridge features depend on IP addressing to operate. Note: You can use the web browser interface to access IP addressing only if the wireless bridge already has an IP address that is reachable through your network. By default, the wireless bridge will be automatically configured with IP settings from a Dynamic Host Configuration Protocol (DHCP) server. However, if you are not using a DHCP server to configure IP addressing, use the CLI to manually configure the initial IP values (page 4-2). After you have network access to the wireless bridge, you can use the web browser interface to modify the initial IP configuration, if needed. Note: If there is no DHCP server on your network, or DHCP fails, the wireless bridge will automatically start up with a default IP address of 192.168.1.1. DHCP Client (Enable) – Select this option to obtain the IP settings for the wireless bridge from a DHCP (Dynamic Host Configuration Protocol) server. The IP address, subnet mask, default gateway, and Domain Name Server (DNS) address are dynamically assigned to the wireless bridge by the network DHCP server. (Default: Enabled) 6-5 6 System Configuration DHCP Client (Disable) – Select this option to manually configure a static address for the wireless bridge. • IP Address: The IP address of the wireless bridge. Valid IP addresses consist of four decimal numbers, 0 to 255, separated by periods. • Subnet Mask: The mask that identifies the host address bits used for routing to specific subnets. • Default Gateway: The default gateway is the IP address of the router for the wireless bridge, which is used if the requested destination address is not on the local subnet. If you have management stations, DNS, or other network servers located on another subnet, type the IP address of the default gateway router in the text field provided. Otherwise, leave the address as all zeros (0.0.0.0). • Primary and Secondary DNS Address: The IP address of Domain Name Servers on the network. A DNS maps numerical IP addresses to domain names and can be used to identify network hosts by familiar names instead of the IP addresses. If you have one or more DNS servers located on the local network, type the IP addresses in the text fields provided. Otherwise, leave the addresses as all zeros (0.0.0.0). CLI Commands for TCP/IP Settings – From the global configuration mode, enter the interface configuration mode with the interface ethernet command. Use the ip dhcp command to enable the DHCP client, or no ip dhcp to disable it. To manually configure an address, specify the new IP address, subnet mask, and default gateway using the ip address command. To specify DNS server addresses use the dns server command. Then use the show interface ethernet command from the Exec mode to display the current IP settings. DUAL OUTDOOR(config)#interface ethernet Enter Ethernet configuration commands, one per line. DUAL OUTDOOR(if-ethernet)#no ip dhcp DUAL OUTDOOR(if-ethernet)#ip address 192.168.1.2 255.255.255.0 192.168.1.253 DUAL OUTDOOR(if-ethernet)#dns primary-server 192.168.1.55 DUAL OUTDOOR(if-ethernet)#dns secondary-server 10.1.0.55 DUAL OUTDOOR(config)#end DUAL OUTDOOR#show interface ethernet Ethernet Interface Information ======================================== IP Address : 192.168.1.2 Subnet Mask : 255.255.255.0 Default Gateway : 192.168.1.253 Primary DNS : 192.168.1.55 Secondary DNS : 10.1.0.55 Admin status : Up Operational status : Up ======================================== DUAL OUTDOOR# 6-6 6-87 6-89 6-88 6-88 6-88 6-8 6-91 Advanced Configuration Radius Remote Authentication Dial-in User Service (RADIUS) is an authentication protocol that uses software running on a central server to control access to RADIUS-aware devices on the network. An authentication server contains a database of user credentials for each user that requires access to the network. A primary RADIUS server must be specified for the access point to implement IEEE 802.1X network access control and Wi-Fi Protected Access (WPA) wireless security. A secondary RADIUS server may also be specified as a backup should the primary server fail or become inaccessible. Note: This guide assumes that you have already configured RADIUS server(s) to support the access point. Configuration of RADIUS server software is beyond the scope of this guide, refer to the documentation provided with the RADIUS server software. Primary Radius Server Setup – Configure the following settings to use RADIUS authentication on the access point. • IP Address: Specifies the IP address or host name of the RADIUS server. • Port: The UDP port number used by the RADIUS server for authentication messages. (Range: 1024-65535; Default: 1812) • Key: A shared text string used to encrypt messages between the access point and the RADIUS server. Be sure that the same text string is specified on the RADIUS server. Do not use blank spaces in the string. (Maximum length: 255 characters) 6-7 6 System Configuration • Timeout: Number of seconds the access point waits for a reply from the RADIUS server before resending a request. (Range: 1-60 seconds; Default: 5) • Retransmit attempts: The number of times the access point tries to resend a request to the RADIUS server before authentication fails. (Range: 1-30; Default: 3) Note: For the Timeout and Retransmit attempts fields, accept the default values unless you experience problems connecting to the RADIUS server over the network. Secondary Radius Server Setup – Configure a secondary RADIUS server to provide a backup in case the primary server fails. The access point uses the secondary server if the primary server fails or becomes inaccessible. Once the access point switches over to the secondary server, it periodically attempts to establish communication again with primary server. If communication with the primary server is re-established, the secondary server reverts to a backup role. CLI Commands for RADIUS – From the global configuration mode, use the radius-server address command to specify the address of the primary or secondary RADIUS servers. (The following example configures the settings for the primary RADIUS server.) Configure the other parameters for the RADIUS server. Then use the show show radius command from the Exec mode to display the current settings for the primary and secondary RADIUS servers. DUAL DUAL DUAL DUAL DUAL DUAL DUAL OUTDOOR(config)#radius-server OUTDOOR(config)#radius-server OUTDOOR(config)#radius-server OUTDOOR(config)#radius-server OUTDOOR(config)#radius-server OUTDOOR(config)#exit OUTDOOR#show radius address 192.168.1.25 port 181 key green timeout 10 retransmit 5 Radius Server Information ======================================== IP : 192.168.1.25 Port : 181 Key : ***** Retransmit : 5 Timeout : 10 ======================================== Radius Secondary Server Information ======================================== IP : 0.0.0.0 Port : 1812 Key : ***** Retransmit : 3 Timeout : 5 ======================================== DUAL OUTDOOR# 6-8 6-59 6-60 6-60 6-61 6-61 6-64 Advanced Configuration PPPoE Settings The wireless bridge uses a Point-to-Point Protocol over Ethernet (PPPoE) connection, or tunnel, only for management traffic between the wireless bridge and a remote PPPoE server (typically at an ISP). Examples of management traffic that may initiated by the wireless bridge and carried over a PPPoE tunnel are RADIUS, Syslog, or DHCP traffic. PPP over Ethernet – Enable PPPoE on the RJ-45 Ethernet interface to pass management traffic between the unit and a remote PPPoE server. (Default: Disable) PPPoE Username – The user name assigned for the PPPoE tunnel. (Range: 1-63 alphanumeric characters) PPPoE Password – The password assigned for the PPPoE tunnel. (Range: 1-63 alphanumeric characters) Confirm Password – Use this field to confirm the PPPoE password. PPPoE Service Name – The service name assigned for the PPPoE tunnel. The service name is normally optional, but may be required by some service providers. (Range: 1-63 alphanumeric characters) IP Allocation Mode – This field specifies how IP adresses for the PPPoE tunnel are configured on the RJ-45 interface. The allocation mode depends on the type of service provided by the PPPoE server. If automatic mode is selected, DHCP is used 6-9 6 System Configuration to allocate the IP addresses for the PPPoE connection. If static addresses have been assigned to you by the service provider, you must manually enter the assigned addresses. (Default: Automatic) • Automatically allocated: IP addresses are dynamically assigned by the service provider during PPPoE session initialization. • Static assigned: Fixed addresses are assigned by the service provider for both the local and remote IP addresses. Local IP Address – IP address of the local end of the PPPoE tunnel. (Must be entered for static IP allocation mode.) Remote IP Address – IP address of the remote end of the PPPoE tunnel. (Must be entered for static IP allocation mode.) CLI Commands for PPPoE – From the CLI configuration mode, use the interface ethernet command to access interface configuration mode. Use the ip pppoe command to enable PPPoE on the Ethernet interface. Use the other PPPoE commands shown in the example below to set a user name and password, IP settings, and other PPPoE parameters as required by the service provider. The pppoe restart command can then be used to start a new connection using the modified settings. To display the current PPPoE settings, use the show pppoe command from the Exec mode. DUAL OUTDOOR(config)#interface ethernet Enter Ethernet configuration commands, one per line. DUAL OUTDOOR(if-ethernet)#ip pppoe DUAL OUTDOOR(if-ethernet)#pppoe username mike DUAL OUTDOOR(if-ethernet)#pppoe password 12345 DUAL OUTDOOR(if-ethernet)#pppoe service-name classA DUAL OUTDOOR(if-ethernet)#pppoe ip allocation mode static DUAL OUTDOOR(if-ethernet)#pppoe local ip 10.7.1.200 DUAL OUTDOOR(if-ethernet)#pppoe remote ip 192.168.1.20 DUAL OUTDOOR(if-ethernet)#pppoe ipcp dns DUAL OUTDOOR(if-ethernet)#pppoe lcp echo-interval 30 DUAL OUTDOOR(if-ethernet)#pppoe lcp echo-failure 5 DUAL OUTDOOR(if-ethernet)#pppoe restart DUAL OUTDOOR(if-ethernet)#end DUAL OUTDOOR#show pppoe PPPoE Information ====================================================== State : Link up Username : mike Service Name : classA IP Allocation Mode : Static DNS Negotiation : Enabled Local IP : 10.7.1.200 Echo Interval : 30 Echo Failure : 5 ====================================================== DUAL OUTDOOR# 6-10 6-87 7-57 7-61 7-61 7-62 7-57 7-60 7-60 7-58 7-58 7-59 6-87 7-63 Advanced Configuration Authentication Wireless clients can be authenticated for network access by checking their MAC address against the local database configured on the access point, or by using a database configured on a central RADIUS server. Alternatively, authentication can be implemented using the IEEE 802.1X network access control protocol. The access point can also operate in a 802.1X supplicant mode. This enables the access point itself and any bridge-connected units to be authenticated with a RADIUS server using a configured MD5 user name and password. This mechanism can prevent rogue access points from gaining access to the network. Ethernet Supplicant Setup – Allows the access point to act as an 802.1X supplicant so it can be authenticated through its Ethernet port with a RADIUS server on the local network. When enabled, a unique MD5 user name and password needs to be configured. (Default: Disabled) • Enabled/Disabled – Enables/Disables the 802.1X supplicant function. - Username – Specifies the MD5 user name. (Range: 1-22 characters) - Password – Specifies the MD5 password. (Range: 1-22 characters) WDS Supplicant Setup – Allows the access point to act as an 802.1X supplicant so it can be authenticated through a WDS (wireless) port with a RADIUS server on the remote network. When enabled, a unique MD5 user name and password needs to be configured for the WDS port. For a OAP6626A Slave unit, there is only one WDS port. For a OAP6626AM Master unit, there are 16 WDS ports. (Default: Disabled) 6-11 6 System Configuration MAC Authentication – You can configure a list of the MAC addresses for wireless clients that are authorized to access the network. This provides a basic level of authentication for wireless clients attempting to gain access to the network. A database of authorized MAC addresses can be stored locally on the access point or remotely on a central RADIUS server. (Default: Local MAC) • Local MAC: The MAC address of the associating station is compared against the local database stored on the access point. The Local MAC Authentication section enables the local database to be set up. • Radius MAC: The MAC address of the associating station is sent to a configured RADIUS server for authentication. When using a RADIUS authentication server for MAC address authentication, the server must first be configured in the Radius window (page 6-7). • Disable: No checks are performed on an associating station’s MAC address. Note: Client station MAC authentication occurs prior to the IEEE 802.1X authentication procedure configured for the access point. However, a client’s MAC address provides relatively weak user authentication, since MAC addresses can be easily captured and used by another station to break into the network. Using 802.1X provides more robust user authentication using user names and passwords or digital certificates. So, although you can configure the access point to use MAC address and 802.1X authentication together, it is better to choose one or the other, as appropriate. 802.1X Setup – IEEE 802.1X is a standard framework for network access control that uses a central RADIUS server for user authentication. This control feature prevents unauthorized access to the network by requiring an 802.1X client application to submit user credentials for authentication. The 802.1X standard uses the Extensible Authentication Protocol (EAP) to pass user credentials (either digital certificates, user names and passwords, or other) from the client to the RADIUS 6-12 6 Advanced Configuration server. Client authentication is then verified on the RADIUS server before the access point grants client access to the network. The 802.1X EAP packets are also used to pass dynamic unicast session keys and static broadcast keys to wireless clients. Session keys are unique to each client and are used to encrypt and correlate traffic passing between a specific client and the access point. You can also enable broadcast key rotation, so the access point provides a dynamic broadcast key and changes it at a specified interval. You can enable 802.1X as optionally supported or as required to enhance the security of the wireless network. • Disable: The access point does not support 802.1X authentication for any wireless client. After successful wireless association with the access point, each client is allowed to access the network. • Supported: The access point supports 802.1X authentication only for clients initiating the 802.1X authentication process (i.e., the access point does not initiate 802.1X authentication). For clients initiating 802.1X, only those successfully authenticated are allowed to access the network. For those clients not initiating 802.1X, access to the network is allowed after successful wireless association with the access point. • Required: The access point enforces 802.1X authentication for all associated wireless clients. If 802.1X authentication is not initiated by a client, the access point will initiate authentication. Only those clients successfully authenticated with 802.1X are allowed to access the network. When 802.1X is enabled, the broadcast and session key rotation intervals can also be configured. • Broadcast Key Refresh Rate: Sets the interval at which the broadcast keys are refreshed for stations using 802.1X dynamic keying. (Range: 0-1440 minutes; Default: 0 means disabled) • Session Key Refresh Rate: The interval at which the access point refreshes unicast session keys for associated clients. (Range: 0-1440 minutes; Default: 0 means disabled) • 802.1X Re-authentication Refresh Rate: The time period after which a connected client must be re-authenticated. During the re-authentication process of verifying the client’s credentials on the RADIUS server, the client remains connected the network. Only if re-authentication fails is network access blocked. (Range: 0-65535 seconds; Default: 0 means disabled) 6-13 6 System Configuration Local MAC Authentication – Configures the local MAC authentication database. The MAC database provides a mechanism to take certain actions based on a wireless client’s MAC address. The MAC list can be configured to allow or deny network access to specific clients. • System Default: Specifies a default action for all unknown MAC addresses (that is, those not listed in the local MAC database). - Deny: Blocks access for all MAC addresses except those listed in the local database as “Allow.” - Allow: Permits access for all MAC addresses except those listed in the local database as “Deny.” • MAC Authentication Settings: Enters specified MAC addresses and permissions into the local MAC database. - MAC Address: Physical address of a client. Enter six pairs of hexadecimal digits separated by hyphens; for example, 00-90-D1-12-AB-89. - Permission: Select Allow to permit access or Deny to block access. If Delete is selected, the specified MAC address entry is removed from the database. - Update: Enters the specified MAC address and permission setting into the local database. • MAC Authentication Table: Displays current entries in the local MAC database. CLI Commands for 802.1X Suppicant Configuration – Use the 802.1X supplicant commands to set the Ethernet and WDS user names and passwords, and to enable the feature. DUAL DUAL DUAL DUAL 6-14 OUTDOOR(config)#802.1X supplicant eth_user David OUTDOOR(config)#802.1X supplicant eth_password DEF OUTDOOR(config)#802.1X supplicant eth OUTDOOR(config)# 7-38 7-38 7-38 6 Advanced Configuration DUAL DUAL DUAL DUAL OUTDOOR(config)#802.1X supplicant wds_user 1 David OUTDOOR(config)#802.1X supplicant wds_password 1 ABC OUTDOOR(config)#802.1X supplicant wds 1 OUTDOOR(config)# 7-38 7-38 7-38 CLI Commands for Local MAC Authentication – Use the mac-authentication server command from the global configuration mode to enable local MAC authentication. Set the default for MAC addresses not in the local table using the address filter default command, then enter MAC addresses in the local table using the address filter entry command. To remove an entry from the table, use the address filter delete command. To display the current settings, use the show authentication command from the Exec mode. DUAL OUTDOOR(config)#mac-authentication server local 6-72 DUAL OUTDOOR(config)#address filter default denied 6-70 DUAL OUTDOOR(config)#address filter entry 00-70-50-cc-99-1a denied 6-71 DUAL OUTDOOR(config)#address filter entry 00-70-50-cc-99-1b allowed DUAL OUTDOOR(config)#address filter entry 00-70-50-cc-99-1c allowed DUAL OUTDOOR(config)#address filter delete 00-70-50-cc-99-1c 6-71 DUAL OUTDOOR(config)#exit DUAL OUTDOOR#show authentication 6-68 Authentication Information ========================================================= MAC Authentication Server : LOCAL MAC Auth Session Timeout Value : 300 secs 802.1X : DISABLED Broadcast Key Refresh Rate : 5 min Session Key Refresh Rate : 5 min 802.1X Session Timeout Value : 300 secs Address Filtering : DENIED System Default : DENY addresses not found in filter table. Filter Table MAC Address Status -------------------------00-70-50-cc-99-1a DENIED 00-70-50-cc-99-1b ALLOWED ========================================================= DUAL OUTDOOR# 6-15 6 System Configuration CLI Commands for RADIUS MAC Authentication – Use the mac-authentication server command from the global configuration mode to enable remote MAC authentication. Set the timeout value for re-authentication using the mac-authentication session-timeout command. Be sure to also configure connection settings for the RADIUS server (not shown in the following example). To display the current settings, use the show authentication command from the Exec mode. DUAL DUAL DUAL DUAL OUTDOOR(config)#mac-authentication server remote OUTDOOR(config)#mac-authentication session-timeout 300 OUTDOOR(config)#exit OUTDOOR#show authentication Authentication Information ========================================================= MAC Authentication Server : REMOTE MAC Auth Session Timeout Value : 300 secs 802.1X : DISABLED Broadcast Key Refresh Rate : 5 min Session Key Refresh Rate : 5 min 802.1X Session Timeout Value : 300 secs Address Filtering : DENIED System Default : DENY addresses not found in filter table. Filter Table MAC Address Status -------------------------00-70-50-cc-99-1a DENIED 00-70-50-cc-99-1b ALLOWED ========================================================= DUAL OUTDOOR# 6-16 6-72 6-72 6-68 6 Advanced Configuration CLI Commands for 802.1X Authentication – Use the 802.1X supported command from the global configuration mode to enable 802.1X authentication. Set the session and broadcast key refresh rate, and the re-authentication timeout. To display the current settings, use the show authentication command from the Exec mode. DUAL DUAL DUAL DUAL DUAL DUAL OUTDOOR(config)#802.1X supported OUTDOOR(config)#802.1X broadcast-key-refresh-rate 5 OUTDOOR(config)#802.1X session-key-refresh-rate 5 OUTDOOR(config)#802.1X session-timeout 300 OUTDOOR(config)#exit OUTDOOR#show authentication 6-65 6-66 6-67 6-67 6-68 Authentication Information ========================================================= MAC Authentication Server : REMOTE MAC Auth Session Timeout Value : 300 secs 802.1X : SUPPORTED Broadcast Key Refresh Rate : 5 min Session Key Refresh Rate : 5 min 802.1X Session Timeout Value : 300 secs Address Filtering : DENIED System Default : DENY addresses not found in filter table. Filter Table MAC Address Status -------------------------00-70-50-cc-99-1a DENIED 00-70-50-cc-99-1b ALLOWED ========================================================= DUAL OUTDOOR# 6-17 6 System Configuration Filter Control The wireless bridge can employ VLAN tagging support and network traffic frame filtering to control access to network resources and increase security. Native VLAN ID – The VLAN ID assigned to wireless clients that are not assigned to a specific VLAN by RADIUS server configuration. (Range: 1-64) VLAN – Enables or disables VLAN tagging support on the wireless bridge (changing the VLAN status forces a system reboot). When VLAN support is enabled, the wireless bridge tags traffic passing to the wired network with the assigned VLAN ID associated with each client on the RADIUS server or the configured native VLAN ID. Traffic received from the wired network must also be tagged with a known VLAN ID. Received traffic that has an unknown VLAN ID or no VLAN tag is dropped. When VLAN support is disabled, the wireless bridge does not tag traffic passing to the wired network and ignores the VLAN tags on any received frames. Note: Before enabling VLANs on the wireless bridge, you must configure the connected LAN switch port to accept tagged VLAN packets with the wireless bridge’s native VLAN ID. Otherwise, connectivity to the wireless bridge will be lost when you enable the VLAN feature. Up to 64 VLAN IDs can be mapped to specific wireless clients, allowing users to remain within the same VLAN as they move around a campus site. This feature can also be used to control access to network resources from wireless clients, thereby improving security. 6-18 Advanced Configuration A VLAN ID (1-4094) is assigned to a client after successful authentication using IEEE 802.1X and a central RADIUS server. The user VLAN IDs must be configured on the RADIUS server for each user authorized to access the network. If a user does not have a configured VLAN ID, the access point assigns the user to its own configured native VLAN ID. When setting up VLAN IDs for each user on the RADIUS server, be sure to use the RADIUS attributes and values as indicated in the following table. Number RADIUS Attribute Value 64 Tunnel-Type VLAN (13) 65 Tunnel-Medium-Type 802 81 Tunnel-Private-Group VLANID (1 to 4094 in hexadecimal) Note: The specific configuration of RADIUS server software is beyond the scope of this guide. Refer to the documentation provided with the RADIUS server software. When VLAN filtering is enabled, the access point must also have 802.1X authentication enabled and a RADIUS server configured. Wireless clients must also support 802.1X client software to be assigned to a specific VLAN. When VLAN filtering is disabled, the access point ignores the VLAN tags on any received frames. Local Bridge Filter – Controls wireless-to-wireless communications between clients through the access point. However, it does not affect communications between wireless clients and the wired network. • Disable: Allows wireless-to-wireless communications between clients through the access point. • Enable: Blocks wireless-to-wireless communications between clients through the access point. AP Management Filter – Controls management access to the access point from wireless clients. Management interfaces include the web, Telnet, or SNMP. • Disable: Allows management access from wireless clients. • Enable: Blocks management access from wireless clients. Ethernet Type Filter – Controls checks on the Ethernet type of all incoming and outgoing Ethernet packets against the protocol filtering table. • Disable: Wireless bridge does not filter Ethernet protocol types. • Enable: Wireless bridge filters Ethernet protocol types based on the configuration of protocol types in the filter table. If a protocol has its status set to “ON,” the protocol is filtered from the wireless bridge. 6-19 6 System Configuration CLI Commands for VLAN Support – From the global configuration mode use the native-vlanid command to set the default VLAN ID for the Ethernet interface, then enable VLANs using the vlan enable command. When you change the access point’s VLAN support setting, you must reboot the access point to implement the change. To view the current VLAN settings, use the show system command. DUAL OUTDOOR(config)#native-vlanid 3 DUAL OUTDOOR(config)#vlan enable Reboot system now? : y 7-87 6-130 CLI Commands for Bridge Filtering – Use the filter ap-manage command to restrict management access from wireless clients. To configure Ethernet protocol filtering, use the filter ethernet-type enable command to enable filtering and the filter ethernet-type protocol command to define the protocols that you want to filter. To display the current settings, use the show filters command from the Exec mode. DUAL DUAL DUAL DUAL DUAL OUTDOOR(config)#filter ap-manage OUTDOOR(config)#filter ethernet-type enable OUTDOOR(config)#filter ethernet-type protocol ARP OUTDOOR(config)#exit OUTDOOR#show filters 6-74 6-74 6-75 6-76 Protocol Filter Information ========================================================= AP Management :ENABLED Ethernet Type Filter :ENABLED Enabled Protocol Filters --------------------------------------------------------Protocol: ARP ISO: 0x0806 ========================================================= DUAL OUTDOOR# SNMP You can use a network management application to manage the wireless bridge via the Simple Network Management Protocol (SNMP) from a management station. To implement SNMP management, the wireless bridge must have an IP address and subnet mask, configured either manually or dynamically. Once an IP address has been configured, appropriate SNMP communities and trap receivers should be configured. Community names are used to control management access to SNMP stations, as well as to authorize SNMP stations to receive trap messages from the wireless bridge. To communicate with the wireless bridge, a management station must first submit a valid community name for authentication. You therefore need to assign community names to specified users or user groups and set the access level. 6-20 Advanced Configuration SNMP – Enables or disables SNMP management access and also enables the wireless bridge to send SNMP traps (notifications). SNMP management is enabled by default. Community Name (Read Only) – Defines the SNMP community access string that has read-only access. Authorized management stations are only able to retrieve MIB objects. (Maximum length: 23 characters, case sensitive; Default: public) Community Name (Read/Write) – Defines the SNMP community access string that has read/write access. Authorized management stations are able to both retrieve and modify MIB objects. (Maximum length: 23 characters, case sensitive; Default: private) Trap Destination IP Address – Specifies the recipient of SNMP notifications. Enter the IP address or the host name. (Host Name: 1 to 20 characters) Trap Destination Community Name – The community string sent with the notification operation. (Maximum length: 23 characters; Default: public) 6-21 6 System Configuration CLI Commands for SNMP – Use the snmp-server enable server command from the global configuration mode to enable SNMP. To set read/write and read-only community names, use the snmp-server community command. The snmp-server host command defines a trap receiver host. To view the current SNMP settings, use the show snmp command. DUAL DUAL DUAL DUAL DUAL DUAL OUTDOOR(config)#snmp-server OUTDOOR(config)#snmp-server OUTDOOR(config)#snmp-server OUTDOOR(config)#snmp-server OUTDOOR(config)#exit OUTDOOR#show snmp enable server community alpha rw community beta ro host 10.1.19.23 alpha SNMP Information ============================================ Service State : Enable Community (ro) : **** Community (rw) : ***** Location : building-1 Contact : Paul Traps : Enabled Host Name/IP : 10.1.19.23 Trap Community : ***** ============================================= DUAL OUTDOOR# 6-22 6-42 6-41 6-43 6-54 6 Advanced Configuration Administration Changing the Password Management access to the web and CLI interface on the wireless bridge is controlled through a single user name and password. You can also gain additional access security by using control filters (see “Filter Control” on page 6-18). To protect access to the management interface, you need to configure an Administrator’s user name and password as soon as possible. If the user name and password are not configured, then anyone having access to the wireless bridge may be able to compromise wireless bridge and network security. Note: Pressing the Reset button on the back of the wireless bridge for more than five seconds resets the user name and password to the factory defaults. For this reason, we recommend that you protect the wireless bridge from physical access by unauthorized persons. Username – The name of the user. The default name is “admin.” (Length: 3-16 characters, case sensitive.) New Password – The password for management access. (Length: 3-16 characters, case sensitive) Confirm New Password – Enter the password again for verification. CLI Commands for the User Name and Password – Use the username and password commands from the CLI configuration mode. DUAL OUTDOOR(config)#username bob DUAL OUTDOOR(config)#password spiderman DUAL OUTDOOR# 6-15 6-15 6-23 6 System Configuration Upgrading Firmware You can upgrade new wireless bridge software from a local file on the management workstation, or from an FTP or TFTP server. After upgrading new software, you must reboot the wireless bridge to implement the new code. Until a reboot occurs, the wireless bridge will continue to run the software it was using before the upgrade started. Also note that rebooting the wireless bridge with new software will reset the configuration to the factory default settings. Note: Before upgrading your wireless bridge software, it is recommended to save a copy of the current configuration file. See “copy” on page 6-56 for information on saving the configuration file to a TFTP or FTP server. Before upgrading new software, verify that the wireless bridge is connected to the network and has been configured with a compatible IP address and subnet mask. If you need to download from an FTP or TFTP server, take the following additional steps: • Obtain the IP address of the FTP or TFTP server where the wireless bridge software is stored. • If upgrading from an FTP server, be sure that you have an account configured on the server with a user name and password. Current version – Version number of runtime code. 6-24 6 Advanced Configuration Firmware Upgrade Local – Downloads an operation code image file from the web management station to the wireless bridge using HTTP. Use the Browse button to locate the image file locally on the management station and click Start Upgrade to proceed. • New firmware file: Specifies the name of the code file on the server. The new firmware file name should not contain slashes (\ or /), the leading letter of the file name should not be a period (.), and the maximum length for file names is 32 characters for files on the wireless bridge. (Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”) Firmware Upgrade Remote – Downloads an operation code image file from a specified remote FTP or TFTP server. After filling in the following fields, click Start Upgrade to proceed. • New firmware file: Specifies the name of the code file on the server. The new firmware file name should not contain slashes (\ or /), the leading letter of the file name should not be a period (.), and the maximum length for file names on the FTP/TFTP server is 255 characters or 32 characters for files on the wireless bridge. (Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”) • IP Address: IP address or host name of FTP or TFTP server. • Username: The user ID used for login on an FTP server. • Password: The password used for login on an FTP server. Restore Factory Settings – Click the Restore button to reset the configuration settings for the wireless bridge to the factory defaults and reboot the system. Note that all user configured information will be lost. You will have to re-enter the default user name (admin) to re-gain management access to this device. Reset wireless bridge – Click the Reset button to reboot the system. Note: If you have upgraded system software, then you must reboot the wireless bridge to implement the new operation code. 6-25 6 System Configuration CLI Commands for Downloading Software from a TFTP Server – Use the copy tftp file command from the Exec mode and then specify the file type, name, and IP address of the TFTP server. When the download is complete, the dir command can be used to check that the new file is present in the wireless bridge file system. To run the new software, use the reset board command to reboot the wireless bridge. DUAL OUTDOOR#copy tftp file 1. Application image 2. Config file 3. Boot block image Select the type of download<1,2,3>: [1]:1 TFTP Source file name:bridge-img.bin TFTP Server IP:192.168.1.19 6-56 DUAL OUTDOOR#dir File Name -------------------------dflt-img.bin bridge-img.bin syscfg syscfg_bak 6-58 Type ---2 File Size ----------1319939 1629577 17776 17776 262144 byte(s) available DUAL OUTDOOR#reset board Reboot system now? : y 6-26 6-10 Advanced Configuration System Log The wireless bridge can be configured to send event and error messages to a System Log Server. The system clock can also be synchronized with a time server, so that all the messages sent to the Syslog server are stamped with the correct time and date. Enabling System Logging The wireless bridge supports a logging process that can control error messages saved to memory or sent to a Syslog server. The logged messages serve as a valuable tool for isolating wireless bridge and network problems. System Log Setup – Enables the logging of error messages. Logging Host – Enables the sending of log messages to a Syslog server host. Server Name/IP – The IP address or name of a Syslog server. Logging Console – Enables the logging of error messages to the console. Logging Level – Sets the minimum severity level for event logging. 6-27 6 System Configuration The system allows you to limit the messages that are logged by specifying a minimum severity level. The following table lists the error message levels from the most severe (Emergency) to least severe (Debug). The message levels that are logged include the specified minimum level up to the Emergency level. Error Level Description Emergency System unusable Alert Immediate action needed Critical Critical conditions (e.g., memory allocation, or free memory error - resource exhausted) Error Error conditions (e.g., invalid input, default used) Warning Warning conditions (e.g., return false, unexpected return) Notice Normal but significant condition, such as cold start Informational Informational messages only Debug Debugging messages Note: The wireless bridge error log can be viewed using the Event Logs window in the Status section (page 6-67).The Event Logs window displays the last 128 messages logged in chronological order, from the newest to the oldest. Log messages saved in the wireless bridge’s memory are erased when the device is rebooted. 6-28 6 Advanced Configuration CLI Commands for System Logging – To enable logging on the wireless bridge, use the logging on command from the global configuration mode. The logging level command sets the minimum level of message to log. Use the logging console command to enable logging to the console. Use the logging host command to specify up to four Syslog servers. The CLI also allows the logging facility-type command to set the facility-type number to use on the Syslog server. To view the current logging settings, use the show logging command. DUAL DUAL DUAL DUAL DUAL DUAL DUAL OUTDOOR(config)#logging OUTDOOR(config)#logging OUTDOOR(config)#logging OUTDOOR(config)#logging OUTDOOR(config)#logging OUTDOOR(config)#exit OUTDOOR#show logging on level alert console host 1 10.1.0.3 514 facility-type 19 6-29 6-30 6-30 6-29 6-31 6-32 Logging Information ============================================ Syslog State : Enabled Logging Host State : Enabled Logging Console State : Enabled Server Domain name/IP : 1 10.1.0.3 Logging Level : Error Logging Facility Type : 16 ============================================= DUAL OUTDOOR# Configuring SNTP Simple Network Time Protocol (SNTP) allows the wireless bridge to set its internal clock based on periodic updates from a time server (SNTP or NTP). Maintaining an accurate time on the wireless bridge enables the system log to record meaningful dates and times for event entries. If the clock is not set, the wireless bridge will only record the time from the factory default set at the last bootup. The wireless bridge acts as an SNTP client, periodically sending time synchronization requests to specific time servers. You can configure up to two time server IP addresses. The wireless bridge will attempt to poll each server in the configured sequence. SNTP Server – Configures the wireless bridge to operate as an SNTP client. When enabled, at least one time server IP address must be specified. • Primary Server: The IP address of an SNTP or NTP time server that the wireless bridge attempts to poll for a time update. • Secondary Server: The IP address of a secondary SNTP or NTP time server. The wireless bridge first attempts to update the time from the primary server; if this fails it attempts an update from the secondary server. Note: The wireless bridge also allows you to disable SNTP and set the system clock manually using the CLI. 6-29 6 System Configuration Set Time Zone – SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time, or GMT) based on the time at the Earth’s prime meridian, zero degrees longitude. To display a time corresponding to your local time, you must indicate the number of hours your time zone is located before (east) or after (west) UTC. Enable Daylight Saving – The wireless bridge provides a way to automatically adjust the system clock for Daylight Savings Time changes. To use this feature you must define the month and date to begin and to end the change from standard time. During this period the system clock is set back by one hour. CLI Commands for SNTP – To enable SNTP support on the wireless bridge, from the global configuration mode specify SNTP server IP addresses using the sntp-server ip command, then use the sntp-server enable command to enable the service. Use the sntp-server timezone command to set the location time zone and the sntp-server daylight-saving command to set up a daylight saving. To view the current SNTP settings, use the show sntp command. DUAL OUTDOOR(config)#sntp-server ip 10.1.0.19 DUAL OUTDOOR(config)#sntp-server enable DUAL OUTDOOR(config)#sntp-server timezone +8 DUAL OUTDOOR(config)#sntp-server daylight-saving Enter Daylight saving from which month<1-12>: 3 and which day<1-31>: 31 Enter Daylight saving end to which month<1-12>: 10 and which day<1-31>: 31 DUAL OUTDOOR(config)#exit DUAL OUTDOOR#show sntp SNTP Information ========================================================= Service State : Enabled SNTP (server 1) IP : 137.92.140.80 SNTP (server 2) IP : 192.43.244.18 Current Time : 19 : 35, Oct 10th, 2003 Time Zone : +8 (TAIPEI, BEIJING) Daylight Saving : Enabled, from Mar, 31th to Oct, 31th ========================================================= DUAL OUTDOOR# 6-30 6-34 6-34 6-36 6-36 6-37 6 Advanced Configuration CLI Commands for the System Clock – The following example shows how to manually set the system time when SNTP server support is disabled on the wireless bridge. DUAL OUTDOOR(config)#no sntp-server enable DUAL OUTDOOR(config)#sntp-server date-time Enter Year<1970-2100>: 2003 Enter Month<1-12>: 10 Enter Day<1-31>: 10 Enter Hour<0-23>: 18 Enter Min<0-59>: 35 DUAL OUTDOOR(config)# 6-34 6-35 Wireless Distribution System (WDS) The IEEE 802.11 standard defines a WIreless Distribution System (WDS) for connections between wireless bridges. The access point uses WDS to forward traffic on bridge links between units. When using WDS, only wireless bridge units can associate to each other using the bridge band. A wireless client cannot associate with the access point on the wireless bridge band. To set up a wireless bridge link, you must configure the WDS forwarding table by specifying the wireless MAC address of the bridge to which you want to forward traffic. For a Slave bridge unit, you need to specify the MAC address of the wireless bridge unit at the opposite end of the link. For a Master bridge unit, you need to specify the MAC addresses of all the Slave bridge units in the network. 6-31 6 System Configuration Mode – The wireless bridge is set to operate as a Slave or Master unit: • Master Mode: In a point-to-multipoint network configuration, only one wireless bridge unit must be a Master unit (all others must be Slave units). A Master wireless bridge provides support for up to 16 MAC addresses in the WDS forwarding table. The MAC addresses of all other Slave bridge units in the network must be configured in the forwarding table. • Slave Mode: A Slave wireless bridge provides support for only one MAC address in the WDS forwarding table. A Slave bridge communicates with only one other wireless bridge, either another Slave bridge in a point-to-point configuration, or to the Master bridge in a point-to-multipoint configuration. 6-32 6 Advanced Configuration Port Number (Master bridge only) – The wireless port identifier. MAC Address – The physical layer address of the wireless bridge unit at the other end of the wireless link. (12 hexadecimal digits in the form “xx:xx:xx:xx:xx:xx”) Port Status – Enables or disables the wireless bridge link. Note: The wireless MAC address for each bridge unit is printed on the label on the back of the unit. CLI Commands for WDS – The following example shows how to configure the MAC address of the wireless bridge at the opposite end of a point-to-point link, and then enable forwarding on the link. DUAL DUAL DUAL DUAL OUTDOOR(config)#wds mac-address 1 00-12-34-56-78-9a OUTDOOR(config)#wds enable OUTDOOR(config)#exit OUTDOOR#show wds 7-43 7-44 7-44 Outdoor_Mode SLAVE ================================================== Port ID | Status Mac-Address ================================================== 01 ENABLE 00-12-34-56-78-9A ================================================== DUAL OUTDOOR# Bridge The wireless bridge can store the MAC addresses for all known devices in the connected networks. All the addresses are learned by monitoring traffic received by the wireless bridge and are stored in a dynamic MAC address table. This information is then used to forward traffic directly between the Ethernet port and the corresponding wireless interface. 6-33 6 System Configuration The Bridging page allows the MAC address aging time to be set for both the Ethernet port and the bridge radio interface. If the MAC address of an entry in the address table is not seen on the associated interface for longer than the aging time, the entry is discarded. Bridge Aging Time – Changes the aging time for entries in the dynamic address table: • Ethernet: The time after which a learned Ethernet port entry is discarded. (Range: 60-1800 seconds; Default: 100 seconds) • Wireless 802.11a (g): The time after which a learned wireless entry is discarded. (Range: 60-1800 seconds; Default: 1800 seconds) 6-34 6 Advanced Configuration CLI Commands for Bridging – The following example shows how to set the MAC address aging time for the wireless bridge. DUAL DUAL DUAL DUAL OUTDOOR(config)#bridge timeout 0 300 OUTDOOR(config)#bridge timeout 2 1000 OUTDOOR(config)#exit OUTDOOR#show bridge 7-46 7-46 7-52 Bridge Information ================================================= Media Type | Age Time(sec)| ================================================= EtherNet | 300 WLAN_A | 1000 ================================================== Bridge Id : 32768.037fbef192 Root Bridge Id : 32768.01f47483e2 Root Path Cost : 25 Root Port Id : 0 Bridge Status : Enabled Bridge Priority : 32768 Bridge Hello Time : 2 Seconds Bridge Maximum Age : 20 Seconds Bridge Forward Delay: 15 Seconds ============================= Port Summary ============================= Id| Priority | Path Cost | Fast Forward | Status | State 128 25 Enable Enabled Forwarding DUAL OUTDOOR# 6-35 6 System Configuration Spanning Tree Protocol (STP) The Spanning Tree Protocol (STP) can be used to detect and disable network loops, and to provide backup links between switches, bridges or routers. This allows the wireless bridge to interact with other bridging devices (that is, an STP-compliant switch, bridge or router) in your network to ensure that only one route exists between any two stations on the network, and provide backup links which automatically take over when a primary link goes down. STP uses a distributed algorithm to select a bridging device (STP-compliant switch, bridge or router) that serves as the root of the spanning tree network. It selects a root port on each bridging device (except for the root device) which incurs the lowest path cost when forwarding a packet from that device to the root device. Then it selects a designated bridging device from each LAN which incurs the lowest path cost when forwarding a packet from that LAN to the root device. All ports connected to designated bridging devices are assigned as designated ports. After determining the lowest cost spanning tree, it enables all root ports and designated ports, and disables all other ports. Network packets are therefore only forwarded between root ports and designated ports, eliminating any possible network loops. Once a stable network topology has been established, all bridges listen for Hello BPDUs (Bridge Protocol Data Units) transmitted from the root bridge. If a bridge does not get a Hello BPDU after a predefined interval (Maximum Age), the bridge assumes that the link to the root bridge is down. This bridge will then initiate negotiations with other bridges to reconfigure the network to reestablish a valid network topology. Enable – Enables/disables STP on the wireless bridge. (Default: Enabled) 6-36 6 Advanced Configuration Forward Delay – The maximum time (in seconds) this device waits before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames. In addition, each port needs time to listen for conflicting information that would make it return to a discarding state; otherwise, temporary data loops might result. (Range: 4-30 seconds) • Default: 15 • Minimum: The higher of 4 or [(Max. Message Age / 2) + 1] • Maximum: 30 Hello Time – Interval (in seconds) at which the root device transmits a configuration message. (Range: 1-10 seconds) • Default: 2 • Minimum: 1 • Maximum: The lower of 10 or [(Max. Message Age / 2) -1] Maximum Age – The maximum time (in seconds) a device can wait without receiving a configuration message before attempting to reconfigure. All device ports (except for designated ports) should receive configuration messages at regular intervals. Any port that ages out STP information (provided in the last configuration message) becomes the designated port for the attached LAN. If it is a root port, a new root port is selected from among the device ports attached to the network. (Range: 6-40 seconds) • Default: 20 • Minimum: The higher of 6 or [2 x (Hello Time + 1)]. • Maximum: The lower of 40 or [2 x (Forward Delay - 1)] Bridge Priority – Used in selecting the root device, root port, and designated port. The device with the highest priority becomes the STP root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device. (Note that lower numeric values indicate higher priority.) • Range: 0-65535 • Default: 32768 Port Cost – This parameter is used by the STP to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media. (Path cost takes precedence over port priority.) • Range: 1-65535 • Default: Ethernet interface: 19; Wireless interface: 40 6-37 6 System Configuration Priority – Defines the priority used for this port in the Spanning Tree Protocol. If the path cost for all ports on a switch are the same, the port with the highest priority (i.e., lowest value) will be configured as an active link in the spanning tree. This makes a port with higher priority less likely to be blocked if the Spanning Tree Protocol is detecting network loops. Where more than one port is assigned the highest priority, the port with lowest numeric identifier will be enabled. • Default: 128 • Range: 0-240, in steps of 16 Port Fast (Fast Forwarding) – You can enable this option if an interface is attached to a LAN segment that is at the end of a bridged LAN or to an end node. Since end nodes cannot cause forwarding loops, they can pass directly through to the spanning tree forwarding state. Specifying fast forwarding provides quicker convergence for devices such as workstations or servers, retains the current forwarding database to reduce the amount of frame flooding required to rebuild address tables during reconfiguration events, does not cause the spanning tree to initiate reconfiguration when the interface changes state, and also overcomes other STP-related timeout problems. However, remember that fast forwarding should only be enabled for ports connected to an end-node device. (Default: Disabled) Status – Enables/disables STP on this interface. (Default: Enabled) 6-38 6 Advanced Configuration CLI Commands for STP – The following example configures spanning tree paramters for the bridge and wireless port 5. DUAL DUAL DUAL DUAL DUAL DUAL DUAL DUAL DUAL DUAL OUTDOOR(config)#bridge stp-bridge priority 40000 OUTDOOR(config)#bridge stp-bridge hello-time 5 OUTDOOR(config)#bridge stp-bridge max-age 38 OUTDOOR(config)#bridge stp-bridge forward-time 20 OUTDOOR(config)#no bridge stp-port spanning-disabled 5 OUTDOOR(config)#bridge stp-port priority 5 0 OUTDOOR(config)#bridge stp-port path-cost 5 50 OUTDOOR(config)#no bridge stp-port portfast 5 OUTDOOR(config)#end OUTDOOR#show bridge 6-84 6-83 7-48 6-83 7-52 6-85 6-85 7-51 7-52 Bridge Information ================================================= Media Type | Age Time(sec)| ================================================= EtherNet | 300 WLAN_A | 1000 ================================================== Bridge Id : 32768.037fbef192 Root Bridge Id : 32768.01f47483e2 Root Path Cost : 25 Root Port Id : 0 Bridge Status : Enabled Bridge Priority : 40000 Bridge Hello Time : 5 Seconds Bridge Maximum Age : 38 Seconds Bridge Forward Delay: 20 Seconds ============================= Port Summary ============================= Id| Priority | Path Cost | Fast Forward | Status | State 128 25 Enable Enabled Forwarding DUAL OUTDOOR# 6-39 6 System Configuration RSSI The RSSI value displayed on the RSSI page represents a signal to noise ratio. A value of 30 would indicate that the power of the received signal is 30 dBm above the signal noise threshold. This value can be used to align antennas (see page 2-10) and monitor the quality of the received signal for bridge links. An RSSI value of about 30 or more indicates a strong enough signal to support the maximum data rate of 54 Mbps. Below a value of 30, the supported data rate would drop to lower rates. A value of 15 or less indicates that the signal is weak and the antennas may require realignment. The RSSI controls allow the external connector to be disabled and the receive signal for each WDS port displayed. RSSI – The RSSI value for a selected port can be displayed and a representative voltage output can be enabled. • Output Activate: Enables or disables the RSSI voltage output on the external RSSI connector. (Default: Enabled) • Port Number: Selects a specific WDS port for which to set the maximum RSSI output voltage level. Ports 1-16 are available for a Master unit, only port 1 for a Slave unit. (Default: 1) • Output Value: The maximum RSSI voltage level for the current selected WDS port. A value of zero indicates that there is no received signal or that the WDS port is disabled. 6-40 6 Radio Interface Distance – This value is used to adjust timeout values to take into account transmit delays due to link distances in the wireless bridge network. For a point-to-point link, specify the approximate distance between the two bridges. For a point-to-multipoint network, specify the distance of the Slave bridge farthest from the Master bridge • Mode: Indicates if the 802.11a radio is operating in normal or Turbo mode. (See "Radio Settings A" on page 6-42.) • Distance: The approximate distance between antennas in a bridge link. Note: There are currently no equivalent CLI commands for the RSSI controls. Radio Interface The IEEE 802.11a and 802.11g interfaces include configuration options for radio signal characteristics and wireless security features. The configuration options are nearly identical, but depend on which interface is operating as the bridge band. Both interfaces and operating modes are covered in this section of the manual. The access point can operate in the following modes: • 802.11a in bridge mode and 802.11g in access point mode • 802.11a in access point mode and 802.11g in bridge mode • 802.11a and 802.11g both in access point mode (no bridging) • 802.11a only in bridge or access point mode • 802.11g only in bridge or access point mode Note that 802.11g is backward compatible with 802.11b and can be configured to support both client types or restricted to 802.11g clients only. Both wireless interfaces are configured independently under the following web pages: • Radio Interface A: 802.11a • Radio Interface G: 802.11b/g Note: The radio channel settings for the wireless bridge are limited by local regulations, which determine the number of channels that are available. 6-41 6 System Configuration Radio Settings A (802.11a) The IEEE 802.11a interface operates within the 5 GHz band, at up to 54 Mbps in normal mode or up to 108 Mbps in Turbo mode. Enable – Enables radio communications on the wireless interface. (Default: Enabled) Description – Adds a comment or description to the wireless interface. (Range: 1-80 characters) Network Name (SSID) – (Access point mode only) The name of the basic service set provided by the access point. Clients that want to connect to the network through the access point must set their SSID to the same as that of the access point. (Default: DualBandOutdoor; Range: 1-32 characters) Note: The SSID is not configurable when the radio band is set to Bridge mode. Secure Access – When enabled, the access point radio does not include its SSID in beacon messages. Nor does it respond to probe requests from clients that do not include a fixed SSID. (Default: Disable) Turbo Mode – The normal 802.11a wireless operation mode provides connections up to 54 Mbps. Turbo Mode is an enhanced mode (not regulated in IEEE 802.11a) that provides a higher data rate of up to 108 Mbps. Enabling Turbo Mode allows the wireless bridge to provide connections up to 108 Mbps. (Default: Disabled) 6-42 Radio Interface Note: In normal mode, the wireless bridge provides a channel bandwidth of 20 MHz, and supports the maximum number of channels permitted by local regulations (e.g., 11 channels for the United States). In Turbo Mode, the channel bandwidth is increased to 40 MHz to support the increased data rate. However, this reduces the number of channels supported (e.g., 5 channels for the United States). Radio Channel – The radio channel that the wireless bridge Normal Mode uses to communicate with wireless clients. When multiple wireless bridges are deployed in the same area, set the channel on neighboring wireless bridges at least four channels apart to avoid interference with each other. For example, in the United States you can deploy up to four wireless bridges in the same area (e.g., channels 36, 56, 149, 165). Also note that the channel for wireless clients is automatically set to the same as that used by the wireless bridge to which it is linked. (Default: Channel 60 for normal mode, and channel 42 for Turbo mode) Auto Channel Select – Enables the wireless bridge to automatically select an unoccupied radio channel. (Default: Enabled) Turbo Mode Transmit Power – Adjusts the power of the radio signals transmitted from the wireless bridge. The higher the transmission power, the farther the transmission range. Power selection is not just a trade off between coverage area and maximum supported clients. You also have to ensure that high-power signals do not interfere with the operation of other radio devices in the service area. (Options: 100%, 50%, 25%, 12%, minimum; Default: 100%) Maximum Supported Rate – The maximum data rate at which the access point transmits unicast packets on the wireless interface. The maximum transmission distance is affected by the data rate. The lower the data rate, the longer the transmission distance. (Options: 54, 48, 36, 24, 18, 12, 9, 6 Mbps; Default: 54 Mbps) Beacon Interval – The rate at which beacon signals are transmitted from the wireless bridge. The beacon signals allow wireless clients to maintain contact with the wireless bridge. They may also carry power-management information. (Range: 20-1000 TUs; Default: 100 TUs) Data Beacon Rate – The rate at which stations in sleep mode must wake up to receive broadcast/multicast transmissions. Known also as the Delivery Traffic Indication Map (DTIM) interval, it indicates how often the MAC layer forwards broadcast/multicast traffic, which is necessary to wake up stations that are using Power Save mode. The default value of 2 indicates that the wireless bridge will save all broadcast/multicast frames for the Basic Service Set 6-43 6 System Configuration (BSS) and forward them after every second beacon. Using smaller DTIM intervals delivers broadcast/multicast frames in a more timely manner, causing stations in Power Save mode to wake up more often and drain power faster. Using higher DTIM values reduces the power used by stations in Power Save mode, but delays the transmission of broadcast/multicast frames. (Range: 1-255 beacons; Default: 2 beacons) Fragment Length – Configures the minimum packet size that can be fragmented when passing through the wireless bridge. Fragmentation of the PDUs (Package Data Unit) can increase the reliability of transmissions because it increases the probability of a successful transmission due to smaller frame size. If there is significant interference present, or collisions due to high network utilization, try setting the fragment size to send smaller fragments. This will speed up the retransmission of smaller frames. However, it is more efficient to set the fragment size larger if very little or no interference is present because it requires overhead to send multiple frames. (Range: 256-2346 bytes; Default: 2346 bytes) RTS Threshold – Sets the packet size threshold at which a Request to Send (RTS) signal must be sent to a receiving station prior to the sending station starting communications. The wireless bridge sends RTS frames to a receiving station to negotiate the sending of a data frame. After receiving an RTS frame, the station sends a CTS (clear to send) frame to notify the sending station that it can start sending data. If the RTS threshold is set to 0, the wireless bridge always sends RTS signals. If set to 2347, the wireless bridge never sends RTS signals. If set to any other value, and the packet size equals or exceeds the RTS threshold, the RTS/CTS (Request to Send / Clear to Send) mechanism will be enabled. The wireless bridges contending for the medium may not be aware of each other. The RTS/CTS mechanism can solve this “Hidden Node Problem.” (Range: 0-2347 bytes: Default: 2347 bytes) Maximum Associations – (Access point mode only) Sets the maximum number of clients that can be associated with the access point radio at the same time. (Range: 1-64 per radio: Default: 64) 6-44 6 Radio Interface CLI Commands for the 802.11a Wireless Interface – From the global configuration mode, enter the interface wireless a command to access the 802.11a radio interface. If required, configure a name for the interface using the description command. Use the turbo command to enable this feature before setting the radio channel with the channel command. Set any other parameters as required. To view the current 802.11a radio settings, use the show interface wireless a command. DUAL OUTDOOR(config)#interface wireless a Enter Wireless configuration commands, one per line. DUAL OUTDOOR(if-wireless a)#description RD-AP#3 DUAL OUTDOOR(if-wireless a)#ssid r&d DUAL OUTDOOR(if-wireless a)#no turbo DUAL OUTDOOR(if-wireless a)#channel 44 DUAL OUTDOOR(if-wireless a)#closed-system DUAL OUTDOOR(if-wireless a)#transmit-power full DUAL OUTDOOR(if-wireless a)#speed 9 DUAL OUTDOOR(if-wireless a)#max-association 32 DUAL OUTDOOR(if-wireless a)#beacon-interval 150 DUAL OUTDOOR(if-wireless a)#dtim-period 5 DUAL OUTDOOR(if-wireless a)#fragmentation-length 512 DUAL OUTDOOR(if-wireless a)#rts-threshold 256 DUAL OUTDOOR(if-wireless a)#exit DUAL OUTDOOR#show interface wireless a 7-69 7-69 7-70 6-105 6-96 6-106 6-97 6-95 6-106 6-101 6-101 6-102 6-103 6-109 Wireless Interface Information =========================================================== ----------------Identification----------------------------Description : RD-AP#3 Service Type : Access Point SSID : r&d Turbo Mode : OFF Channel : 44 Status : Disable ----------------802.11 Parameters-------------------------Transmit Power : FULL (15 dBm) Max Station Data Rate : 9Mbps Fragmentation Threshold : 512 bytes RTS Threshold : 256 bytes Beacon Interval : 150 TUs DTIM Interval : 5 beacons Maximum Association : 32 stations ----------------Security----------------------------------Closed System : ENABLED Multicast cipher : WEP Unicast cipher : WEP WPA clients : SUPPORTED WPA Key Mgmt Mode : DYNAMIC WPA PSK Key Type : HEX Encryption : DISABLED Default Transmit Key : 1 Static Keys : Key 1: EMPTY Key 2: EMPTY Key 3: EMPTY Key 4: EMPTY Authentication Type : OPEN =========================================================== DUAL OUTDOOR# 6-45 6 System Configuration Radio Settings G (802.11g) The IEEE 802.11g standard operates within the 2.4 GHz band at up to 54 Mbps. Also note that because the IEEE 802.11g standard is an extension of the IEEE 802.11b standard, it allows clients with 802.11b wireless network cards to associate to an 802.11g access point. Enable – Enables radio communications on the access point. (Default: Enabled) Radio Channel – The radio channel that the access point uses to communicate with wireless clients. When multiple access points are deployed in the same area, set the channel on neighboring access points at least five channels apart to avoid interference with each other. For example, in the United States you can deploy up to three access points in the same area (e.g., channels 1, 6, 11). Also note that the channel for wireless clients is automatically set to the same as that used by the access point to which it is linked. (Range: 1-11 (US/Canada); Default: 1) Auto Channel Select – Enables the access point to automatically select an unoccupied radio channel. (Default: Enabled) 6-46 6 Radio Interface Working Mode – Selects the operating mode for the 802.11g wireless interface. (Default: b & g mixed mode) • b & g mixed mode: Both 802.11b and 802.11g clients can communicate with the access point (up to 54 Mbps). • g only: Only 802.11g clients can communicate with the access point (up to 54 Mbps). • b only: Both 802.11b and 802.11g clients can communicate with the access point, but 802.11g clients can only transfer data at 802.11b standard rates (up to 11 Mbps). Maximum Station Data Rate – The maximum data rate at which the access point transmits unicast packets on the wireless interface. The maximum transmission distance is affected by the data rate. The lower the data rate, the longer the transmission distance. (Default: 54 Mbps) For a description of the remaining configuration items, see “Radio Settings A (802.11a)” on page 6-42. CLI Commands for the 802.11g Wireless Interface – From the global configuration mode, enter the interface wireless g command to access the 802.11g radio interface. Set the interface SSID using the ssid command and, if required, configure a name for the interface using the description command. You can also use the closed-system command to stop sending the SSID in beacon messages. Select a radio channel or set selection to Auto using the channel command. Set any other parameters as required. To view the current 802.11g radio settings, use the show interface wireless g command. DUAL OUTDOOR(config)#interface wireless g Enter Wireless configuration commands, one per line. DUAL OUTDOOR(if-wireless g)#description RD-AP#3 DUAL OUTDOOR(if-wireless g)#ssid r&d DUAL OUTDOOR(if-wireless g)#channel auto DUAL OUTDOOR(if-wireless a)#closed-system DUAL OUTDOOR(if-wireless a)#transmit-power full DUAL OUTDOOR(if-wireless g)#speed 6 DUAL OUTDOOR(if-wireless g)#max-association 32 DUAL OUTDOOR(if-wireless g)#beacon-interval 150 DUAL OUTDOOR(if-wireless g)#dtim-period 5 DUAL OUTDOOR(if-wireless g)#fragmentation-length 512 DUAL OUTDOOR(if-wireless g)#rts-threshold 256 DUAL OUTDOOR(if-wireless g)#exit 7-69 7-69 7-70 6-96 6-106 6-97 6-95 6-106 6-105 6-101 6-102 6-103 6-47 6 System Configuration DUAL OUTDOOR#show interface wireless g 6-109 Wireless Interface Information =========================================================== ----------------Identification----------------------------Description : Enterprise 802.11g Access Point Service Type : Access Point SSID : r&d Channel : 11 (AUTO) Status : Enable ----------------802.11 Parameters-------------------------Transmit Power : FULL (14 dBm) Max Station Data Rate : 6Mbps Fragmentation Threshold : 512 bytes RTS Threshold : 256 bytes Beacon Interval : 150 TUs DTIM Interval : 5 beacons Maximum Association : 64 stations ----------------Security----------------------------------Closed System : DISABLED Multicast cipher : WEP Unicast cipher : TKIP WPA clients : SUPPORTED WPA Key Mgmt Mode : DYNAMIC WPA PSK Key Type : HEX Encryption : DISABLED Default Transmit Key : 1 Static Keys : Key 1: EMPTY Key 2: EMPTY Key 3: EMPTY Key 4: EMPTY Authentication Type : OPEN =========================================================== DUAL OUTDOOR# Security (Bridge Mode) Wired Equivalent Privacy (WEP) and Advanced Encryption Standard (AES) are implemented for security in bridge mode to prevent unauthorized access to network data. To secure bridge link data transmissions, enable WEP or AES encryption for the bridge radio and set at least one encryption key. Wired Equivalent Privacy (WEP) WEP provides a basic level of security, preventing unauthorized access to the network and encrypting data transmitted between wireless bridge units. WEP uses static shared keys (fixed-length hexadecimal or alphanumeric strings) that are manually configured on all units in the wireless bridge network. 6-48 6 Radio Interface Setting up IEEE 802.11 Wired Equivalent Privacy (WEP) shared keys prevents unauthorized access to the wireless bridge network. Be sure to define at least one static WEP key for data encryption. Also, be sure that the WEP keys are the same for all bridge units in the wireless network. Data Encryption Setup – Enable or disable the wireless bridge to use either WEP or AES for data encryption. If WEP encryption is selected and enabled, you must configure at least one encryption key on the wireless bridge. (Default: Disable) Shared Key Setup – Select 64 Bit, 128 Bit, or 152 Bit key length. Note that the same size of WEP encryption key must be set on all bridge units in the wireless network. (Default: 128 Bit) Key Type – Select the preferred method of entering WEP encryption keys on the wireless bridge and enter up to four keys: • Hexadecimal: Enter keys as 10 hexadecimal digits (0 to 9 and A to F) for 64 bit keys, 26 hexadecimal digits for 128 bit keys, or 32 hexadecimal digits for 152 bit keys. • Alphanumeric: Enter keys as 5 alphanumeric characters for 64 bit keys, 13 alphanumeric characters for 128 bit keys, or 16 alphanumeric characters for 152 bit keys. 6-49 6 System Configuration • Transmit Key Select: Selects the key number to use for encryption. Bridge units in the wireless network must have all four keys configured to the same values. Note: Key index and type must match on all bridge units in the wireless network. Advanced Encryption Standard (AES) AES has been designated by the National Institute of Standards and Technology as the successor to the Data Encryption Standard (DES) encryption algorithm, and will be used by the U.S. government for encrypting all sensitive, nonclassified information. Because of its strength, and resistance to attack, AES is also being incorporated as part of the 802.11 security standard. The bridge radio band uses 128-bit static AES keys (hexadecimal or alphanumeric strings) that are configured for each link pair in the wireless bridge network. For a Slave bridge unit, only one encryption key needs to be defined. A Master bridge allows a different key to be defined for each wireless bridge link in the network. Configuring AES encryption keys on the wireless bridge provides far more robust security than using WEP. Also, a unique AES key can be used for each bridge link in the wireless network, instead of all bridges sharing the same WEP keys. Data Encryption Setup – Enable or disable the wireless bridge to use either WEP or AES for data encryption. If AES encryption is selected and enabled, you must configure one encryption key for each wireless port link on the wireless bridge. A Slave bridge supports only one wireless port link, but a Master bridge supports up to 16 links. (Default: Disable) 6-50 6 Radio Interface Key Type – Select the preferred method of entering AES encryption keys on the wireless bridge and enter a key for each bridge link in the network: • Hexadecimal: Enter keys as exactly 32 hexadecimal digits (0 to 9 and A to F). • Alphanumeric: Enter keys as an alphanumeric string using between 8 and 31 characters. Note: For each wireless port link (1 to 16), the AES keys must match on the corresponding bridge unit. CLI Commands for WEP Security – From the 802.11a interface configuration mode, use the encryption command to enable WEP encryption. To enter WEP keys, use the key command, and then set one key as the transmit key using the transmit-key command. To view the current security settings, use the show interface wireless a command. DUAL OUTDOOR(config)#interface wireless a Enter Wireless configuration commands, one per line. DUAL OUTDOOR(if-wireless a)#encryption wep 128 DUAL OUTDOOR(if-wireless a)#key wep 1 128 ascii abcdeabcdeabc DUAL OUTDOOR(if-wireless a)#transmit-key 1 DUAL OUTDOOR(if-wireless a)#exit DUAL OUTDOOR#show interface wireless a 7-69 6-118 6-119 6-120 6-109 Wireless Interface Information =========================================================== ----------------Identification----------------------------Description : Enterprise 802.11a Access Point Service Type : WDS Bridge SSID : DualBandOutdoor Turbo Mode : OFF Channel : 36 Status : Disable ----------------802.11 Parameters-------------------------Transmit Power : FULL (15 dBm) Max Station Data Rate : 54Mbps Fragmentation Threshold : 2346 bytes RTS Threshold : 2347 bytes Beacon Interval : 100 TUs DTIM Interval : 2 beacons Maximum Association : 64 stations ----------------Security----------------------------------Encryption : 128-BIT WEP ENCRYPTION WEP Key type : Alphanumeric Default Transmit Key : 1 Static Keys : Key 1: ***** Key 2: EMPTY Key 3: EMPTY Key 4: EMPTY =========================================================== DUAL OUTDOOR# Note: The index and length values used in the key command must be the same values used in the encryption and transmit-key commands. 6-51 6 System Configuration CLI Commands for AES Security – From the 802.11a interface configuration mode, use the encryption command to enable AES encryption. To enter AES keys, use the key command. To view the current security settings, use the show interface wireless a command. DUAL OUTDOOR(config)#interface wireless a Enter Wireless configuration commands, one per line. DUAL OUTDOOR(if-wireless a)#encryption wdsaes alphanumeric DUAL OUTDOOR(if-wireless a)#key wdsaes 1 agoodsecretkey DUAL OUTDOOR(if-wireless a)#exit DUAL OUTDOOR#show interface wireless a 7-69 6-118 6-119 6-109 Wireless Interface Information =========================================================== ----------------Identification----------------------------Description : Enterprise 802.11a Access Point Service Type : WDS Bridge SSID : DualBandOutdoor Turbo Mode : OFF Channel : 36 Status : Disable ----------------802.11 Parameters-------------------------Transmit Power : FULL (15 dBm) Max Station Data Rate : 54Mbps Fragmentation Threshold : 2346 bytes RTS Threshold : 2347 bytes Beacon Interval : 100 TUs DTIM Interval : 2 beacons Maximum Association : 64 stations ----------------Security----------------------------------Encryption : 128-BIT AES ENCRYPTION AES Key type : Alphanumeric =========================================================== DUAL OUTDOOR# Note: The key type value entered using the key command must be the same as the type specified in the encryption command. 6-52 6 Radio Interface Security (Access Point Mode) A radio band set to access point mode is configured by default as an “open system,” which broadcasts a beacon signal including the configured SSID. Wireless clients can read the SSID from the beacon, and automatically reset their SSID to allow immediate connection to the access point. To improve wireless network security for access point operation, you have to implement two main functions: • Authentication: It must be verified that clients attempting to connect to the network are authorized users. • Traffic Encryption: Data passing between the access point and clients must be protected from interception and evesdropping. For a more secure network, the access point can implement one or a combination of the following security mechanisms: • Wired Equivalent Privacy (WEP) page 6-48 • IEEE 802.1X page 6-12 • Wireless MAC address filtering page 6-13 • Wi-Fi Protected Access (WPA) page 6-59 The security mechanisms that may be employed depend on the level of security required, the network and management resources available, and the software support provided on wireless clients. A summary of wireless security considerations is listed in the following table. Security Mechanism Client Support Implementation Considerations WEP Built-in support on all 802.11a and 802.11g devices • Provides only weak security • Requires manual key management WEP over 802.1X Requires 802.1X client support in system or by add-in software • Provides dynamic key rotation for improved WEP security • Requires configured RADIUS server • 802.1X EAP type may require management of digital certificates for clients and server (support provided in Windows 2000 SP3 or later and Windows XP) MAC Address Uses the MAC address of Filtering client network card • Provides only weak user authentication • Management of authorized MAC addresses • Can be combined with other methods for improved security • Optionally configured RADIUS server 6-53 6 System Configuration Security Mechanism Client Support Implementation Considerations WPA over Requires WPA-enabled 802.1X Mode system and network card driver • Provides robust security in WPA-only mode (i.e., WPA clients only) • Offers support for legacy WEP clients, but with increased security risk (i.e., WEP (native support provided in authentication keys disabled) Windows XP) • Requires configured RADIUS server • 802.1X EAP type may require management of digital certificates for clients and server WPA PSK Mode Requires WPA-enabled system and network card driver • Provides good security in small networks • Requires manual management of pre-shared key (native support provided in Windows XP) Note: Although a WEP static key is not needed for WEP over 802.1X, WPA over 802.1X, and WPA PSK modes, you must enable WEP encryption through the web or CLI in order to enable all types of encryption in the access point. Wired Equivalent Privacy (WEP) WEP provides a basic level of security, preventing unauthorized access to the network and encrypting data transmitted between wireless clients and the access point. WEP uses static shared keys (fixed-length hexadecimal or alphanumeric strings) that are manually distributed to all clients that want to use the network. WEP is the security protocol initially specified in the IEEE 802.11 standard for wireless communications. Unfortunately, WEP has been found to be seriously flawed and cannot be recommended for a high level of network security. For more robust wireless security, the access point provides Wi-Fi Protected Access (WPA) for improved data encryption and user authentication. 6-54 6 Radio Interface Setting up shared keys enables the basic IEEE 802.11 Wired Equivalent Privacy (WEP) on the access point to prevent unauthorized access to the network. If you choose to use WEP shared keys instead of an open system, be sure to define at least one static WEP key for user authentication and data encryption. Also, be sure that the WEP shared keys are the same for each client in the wireless network. Authentication Type Setup – Sets the access point to communicate as an open system that accepts network access attempts from any client, or with clients using pre-configured static shared keys. • Open System: Select this option if you plan to use WPA or 802.1X as a security mechanism. If you don’t set up any other security mechanism on the access point, the network has no protection and is open to all users. This is the default setting. • Shared Key: Sets the access point to use WEP shared keys. If this option is selected, you must configure at least one key on the access point and all clients. Note: To use 802.1X on wireless clients requires a network card driver and 802.1X client software that supports the EAP authentication type that you want to use. Windows 2000 SP3 or later and Windows XP provide 802.1X client support. Windows XP also provides native WPA support. Other systems require additional client software to support 802.1X and WPA. Data Encryption Setup – Enable or disable the access point to use WEP shared keys for data encryption. If this option is selected, you must configure at least one key on the access point and all clients. (Default: Disable) Note: You must enable data encryption through the web or CLI in order to enable all types of encryption (WEP, TKIP, and AES) in the access point. 6-55 6 System Configuration Shared Key Setup – Select 64 Bit, 128 Bit, or 152 Bit key length. Note that the same size of encryption key must be supported on all wireless clients. 152 Bit key length is only supported on 802.11a radio. (Default: 128 Bit) Key Type – Select the preferred method of entering WEP encryption keys on the access point and enter up to four keys: • Hexadecimal: Enter keys as 10 hexadecimal digits (0 to 9 and A to F) for 64 bit keys, 26 hexadecimal digits for 128 bit keys, or 32 hexadecimal digits for 152 bit keys (802.11a radio only). • Alphanumeric: Enter keys as 5 alphanumeric characters for 64 bit keys, 13 alphanumeric characters for 128 bit keys, or 16 alphanumeric characters for 152 bit keys (802.11a radio only). • Transmit Key Select: Selects the key number to use for encryption. If the clients have all four keys configured to the same values, you can change the encryption key to any of the four settings without having to update the client keys. Note: Key index and type must match that configured on the clients. 6-56 6 Radio Interface The configuration settings for WEP are summarized below: WEP only WEP over 802.1X Authentication Type: Shared Key WEP (encryption): Enable WPA clients only: Disable Multicast Cipher: WEP Shared Key: 64/128/152 Key Type Hex: 10/26/32 characters ASCII: 5/13/16 characters Transmit Key: 1/2/3/4 (set index) 802.1X = Disabled1 MAC Authentication: Any setting2 Authentication Type: Open System WEP (encryption): Enable WPA clients only: Disable Multicast Cipher: WEP Shared Key: 64/128 802.1X = Required1 MAC Authentication: Disabled/Local2 1: See Authentication (page 6-11) 2: See Radius (page 6-7) CLI Commands for static WEP Shared Key Security – From the 802.11a or 802.11g interface configuration mode, use the authentication command to enable WEP shared-key authentication and the encryption command to enable WEP encryption. Use the multicast-cipher command to select WEP cipher type. To enter WEP keys, use the key command, and then set one key as the transmit key using the transmit-key command. Then disable 802.1X port authentication with the no 802.1X command. To view the current security settings, use the show interface wireless a or show interface wireless g command. DUAL OUTDOOR(config)#interface wireless g Enter Wireless configuration commands, one per line. DUAL OUTDOOR(if-wireless g)#authentication shared DUAL OUTDOOR(if-wireless g)#encryption 128 DUAL OUTDOOR(if-wireless g)#multicast-cipher wep DUAL OUTDOOR(if-wireless g)#key 1 128 ascii abcdeabcdeabc DUAL OUTDOOR(if-wireless g)#transmit-key 1 DUAL OUTDOOR(if-wireless g)#end DUAL OUTDOOR(config)#no 802.1X DUAL OUTDOOR(config)#end DUAL OUTDOOR#show interface wireless g 7-69 6-119 6-118 6-121 6-119 6-120 6-65 6-109 Wireless Interface Information =========================================================== ----------------Identification----------------------------Description : Enterprise 802.11g Access Point Service Type : Access Point SSID : DualBandOutdoor Channel : 5 (AUTO) Status : Disable ----------------802.11 Parameters-------------------------Transmit Power : FULL (20 dBm) Max Station Data Rate : 54Mbps Fragmentation Threshold : 2346 bytes RTS Threshold : 2347 bytes Beacon Interval : 100 TUs DTIM Interval : 2 beacons Maximum Association : 64 stations 6-57 6 System Configuration ----------------Security----------------------------------Closed System : DISABLED Multicast cipher : WEP Unicast cipher : TKIP WPA clients : SUPPORTED WPA Key Mgmt Mode : DYNAMIC WPA PSK Key Type : HEX Encryption : 128-BIT ENCRYPTION Default Transmit Key : 1 Static Keys : Key 1: ***** Key 2: EMPTY Key 3: EMPTY Key 4: EMPTY Authentication Type : SHARED =========================================================== DUAL OUTDOOR# Note: The index and length values used in the key command must be the same values used in the encryption and transmit-key commands. CLI Commands for WEP over 802.1X Security – From the 802.11a or 802.11g interface configuration mode, use the authentication command to select open system authentication. Use the multicast-cipher command to select WEP cipher type. Then set 802.1X to required with 802.1X command, and disable MAC authentication with the mac-authentication command. To view the current 802.11g security settings, use the show interface wireless g command (not shown in example). DUAL OUTDOOR(config)#interface wireless g Enter Wireless configuration commands, one per line. DUAL OUTDOOR(if-wireless g)#authentication open DUAL OUTDOOR(if-wireless g)#encryption 128 DUAL OUTDOOR(if-wireless g)#multicast-cipher wep DUAL OUTDOOR(if-wireless g)#end DUAL OUTDOOR(config)#802.1X required DUAL OUTDOOR(config)#no mac-authentication DUAL OUTDOOR(config)# 6-58 7-69 6-119 6-118 6-121 6-65 6-72 Radio Interface Wi-Fi Protected Access (WPA) WPA employs a combination of several technologies to provide an enhanced security solution for 802.11 wireless networks. The access point supports the following WPA components and features: IEEE 802.1X and the Extensible Authentication Protocol (EAP): WPA employs 802.1X as its basic framework for user authentication and dynamic key management. The 802.1X client and RADIUS server should use an appropriate EAP type—such as EAP-TLS (Transport Layer Security), EAP-TTLS (Tunneled TLS), or PEAP (Protected EAP)—for strongest authentication. Working together, these protocols provide “mutual authentication” between a client, the access point, and a RADIUS server that prevents users from accidentally joining a rogue network. Only when a RADIUS server has authenticated a user’s credentials will encryption keys be sent to the access point and client. Note: To implement WPA on wireless clients requires a WPA-enabled network card driver and 802.1X client software that supports the EAP authentication type that you want to use. Windows XP provides native WPA support, other systems require additional software. Temporal Key Integrity Protocol (TKIP): WPA specifies TKIP as the data encryption method to replace WEP. TKIP avoids the problems of WEP static keys by dynamically changing data encryption keys. Basically, TKIP starts with a master (temporal) key for each user session and then mathematically generates other keys 6-59 6 System Configuration to encrypt each data packet. TKIP provides further data encryption enhancements by including a message integrity check for each packet and a re-keying mechanism, which periodically changes the master key. WPA Pre-Shared Key (PSK) Mode: For enterprise deployment, WPA requires a RADIUS authentication server to be configured on the wired network. However, for small office networks that may not have the resources to configure and maintain a RADIUS server, WPA provides a simple operating mode that uses just a pre-shared password for network access. The Pre-Shared Key mode uses a common password for user authentication that is manually entered on the access point and all wireless clients. The PSK mode uses the same TKIP packet encryption and key management as WPA in the enterprise, providing a robust and manageable alternative for small networks. Mixed WPA and WEP Client Support: WPA enables the access point to indicate its supported encryption and authentication mechanisms to clients using its beacon signal. WPA-compatible clients can likewise respond to indicate their WPA support. This enables the access point to determine which clients are using WPA security and which are using legacy WEP. The access point uses TKIP unicast data encryption keys for WPA clients and WEP unicast keys for WEP clients. The global encryption key for multicast and broadcast traffic must be the same for all clients, therefore it restricts encryption to a WEP key. When access is opened to both WPA and WEP clients, no authentication is provided for the WEP clients through shared keys. To support authentication for WEP clients in this mixed mode configuration, you can use either MAC authentication or 802.1X authentication. Advanced Encryption Standard (AES) Support: WPA specifies AES encryption as an optional alternative to TKIP and WEP. AES provides very strong encryption using a completely different ciphering algorithm to TKIP and WEP. The developing IEEE 802.11i wireless security standard has specified AES as an eventual replacement for TKIP and WEP. However, because of the difference in ciphering algorithms, AES requires new hardware support in client network cards that is currently not widely available. The access point includes AES support as a future security enhancement. The WPA configuration parameters are described below: Authentication Type Setup – When using WPA, set the access point to communicate as an open system to disable WEP keys. Note: Although WEP keys are not needed for WPA, you must enable WEP encryption through the web or CLI in order to enable all types of encryption in the access point. For example, set Wired Equivalent Privacy (WEP) Setup to “Enable” on the Security page. WPA Configuration Mode – The access point can be configured to allow only WPA-enabled clients to access the network, or also allow clients only capable of supporting WEP. 6-60 Radio Interface WPA Key Management – WPA can be configured to work in an enterprise environment using IEEE 802.1X and a RADIUS server for user authentication. For smaller networks, WPA can be enabled using a common pre-shared key for client authentication with the access point. • WPA authentication over 802.1X: The WPA enterprise mode that uses IEEE 802.1X to authenticate users and to dynamically distribute encryption keys to clients. • WPA Pre-shared Key: The WPA mode for small networks that uses a common password string that is manually distributed. If this mode is selected, be sure to also specify the key string. Multicast Cipher Mode – Selects an encryption method for the global key used for multicast and broadcast traffic, which is supported by all wireless clients. • WEP: WEP is the first generation security protocol used to encrypt data crossing the wireless medium using a fairly short key. Communicating devices must use the same WEP key to encrypt and decrypt radio signals. WEP has many security flaws, and is not recommended for transmitting highly-sensitive data. • TKIP: TKIP provides data encryption enhancements including per-packet key hashing (that is, changing the encryption key on each packet), a message integrity check, an extended initialization vector with sequencing rules, and a re-keying mechanism. • AES: AES has been designated by the National Institute of Standards and Technology as the successor to the Data Encryption Standard (DES) encryption algorithm, and will be used by the U.S. government for encrypting all sensitive, nonclassified information. Because of its strength, and resistance to attack, AES is also being incorporated as part of the 802.11 standard. WPA Pre-Shared Key Type – If the WPA pre-shared-key mode is used, all wireless clients must be configured with the same key to communicate with the access point. • Hexadecimal: Enter a key as a string of 64 hexadecimal numbers. • Alphanumeric: Enter a key as an easy-to-remember form of letters and numbers. The string must be from 8 to 63 characters, which can include spaces. 6-61 6 System Configuration The configuration settings for WPA are summarized below: WPA pre-shared key only WPA over 802.1X Authentication Type: Open System WEP (encryption): Enable1 WPA clients only: Enable WPA Mode: Pre-shared-key Multicast Cipher: WEP/TKIP/AES2 WPA PSK Type Hex: 64 characters ASCII: 8-63 characters Shared Key: 64/128/152 802.1X = Disabled3 MAC Authentication: Disabled/Local4 Authentication Type: Open System WEP (encryption): Enable1 WPA clients only: Enable WPA Mode: WPA over 802.1X Multicast Cipher: WEP/TKIP/AES2 Shared Key: 64/128/152 802.1X = Required3 MAC Authentication: Disabled/Local4 1: Although WEP keys are not needed for WPA, you must enable WEP encryption through the web or CLI in order to enable all types of encryption in the access point. For example, use the CLI encryption command to set Encryption = 64, 128 or 152, thus enabling encryption (i.e., all types of encryption) in the access point. 2: Do not use WEP unless the access point must support both WPA and WEP clients. 3: See Authentication (page 6-11) 4: See Radius (page 6-7) CLI Commands for WPA Pre-shared Key Security – From the 802.11a or 802.11g interface configuration mode, use the authentication command to set the access point to “Open System.” Use the WEP encryption command to enable all types of encryption. To enable WPA to be required for all clients, use the wpa-clients command. Use the wpa-mode command to enable the Pre-shared Key mode. To enter a key value, use the wpa-psk-type command to specify a hexadecimal or alphanumeric key, and then use the wpa-preshared-key command to define the key. Then disable 802.1X and MAC authentication. To view the current 802.11g security settings, use the show interface wireless a or show interface wireless g command (not shown in example). AP(config)#interface wireless g Enter Wireless configuration commands, one per line. AP(if-wireless g)#authentication open AP(if-wireless g)#encryption 128 AP(if-wireless g)#wpa-clients required AP(if-wireless g)#wpa-mode pre-shared-key AP(if-wireless g)#wpa-psk-type alphanumeric AP(if-wireless g)#wpa-preshared-key ASCII asecret AP(if-wireless g)#end AP(config)#no 802.1X AP(config)#no mac-authentication 7-69 6-119 6-118 6-123 7-82 7-83 6-123 6-65 6-72 CLI Commands for WPA over 802.1X Security – From the 802.11a or 802.11g interface configuration mode, use the authentication command to set the access point to “Open System.” Use the WEP encryption command to enable all types of encryption. Use the wpa-clients command to set WPA to be required or supported for clients. Use the wpa-mode command to enable WPA dynamic keys over 802.1X. Set the broadcast and multicast key encryption using the multicast-cipher command. Then set 802.1X to required, and disable MAC authentication. To view 6-62 6 Status Information the current 802.11g security settings, use the show interface wireless g command (not shown in example). AP(config)#interface wireless g Enter Wireless configuration commands, one per line. AP(if-wireless g)#authentication open AP(if-wireless g)#encryption 128 AP(if-wireless g)#wpa-clients required AP(if-wireless g)#wpa-mode dynamic AP(if-wireless g)#multicast-cipher TKIP AP(if-wireless g)#end AP(config)#802.required AP(config)#no mac-authentication 7-69 6-119 6-118 6-123 7-82 6-121 6-65 6-72 Status Information The Status page includes information on the following items: Menu Description Page AP Status Displays configuration settings for the basic system and the wireless interfaces 6-63 Station Status Shows wireless clients currently associated with the access point 6-65 Event Logs Shows log messages stored in memory 6-67 AP Status The AP Status window displays basic system configuration settings, as well as the settings for the wireless interfaces. 6-63 6 System Configuration AP System Configuration – The AP System Configuration table displays the basic system configuration settings: • System Up Time: Length of time the management agent has been up. • MAC Address: The physical layer address for this device. • System Name: Name assigned to this system. • System Contact: Administrator responsible for the system. • IP Address: IP address of the management interface for this device. • IP Default Gateway: IP address of the gateway router between this device and management stations that exist on other network segments. • HTTP Server: Shows if management access via HTTP is enabled. • HTTP Server Port: Shows the TCP port used by the HTTP interface. • Version: Shows the version number for the runtime code. AP Wireless Configuration – The AP Wireless Configuration table displays the wireless interface settings listed below. Note that Radio A refers to the 802.11a interface and Radio G to the 802.11b/g interface. • Network Name (SSID): The service set identifier for this wireless group. • Radio Channel: The radio channel currently used on the wireless bridge. • Radio Encryption: The key size used for data encryption. • Radio Authentication Type: Shows the bridge is set as an open system. • 802.1X: Shows if IEEE 802.1X access control for wireless clients is enabled. CLI Commands for Displaying System Settings – To view the current wireless bridge system settings, use the show system command from the Exec mode. To view the 6-64 6 Status Information current radio interface settings, use the show interface wireless a command (see page 6-109). DUAL OUTDOOR#show system System Information ============================================================ Serial Number : . System Up time : 0 days, 5 hours, 2 minutes, 4 seconds System Name : Dual Band Outdoor AP System Location System Contact : Contact System Country Code : US - UNITED STATES MAC Address : 00-03-7F-BE-F8-99 IP Address : 192.168.1.1 Subnet Mask : 255.255.255.0 Default Gateway : 0.0.0.0 VLAN State : DISABLED Native VLAN ID : 1 IAPP State : ENABLED DHCP Client : ENABLED HTTP Server : ENABLED HTTP Server Port : 80 Slot Status : Dual band(a/g) Software Version : v1.1.0.0B07 ============================================================ DUAL OUTDOOR# 6-23 Station Status The Station Status window shows wireless clients currently associated with the access point. 6-65 6 System Configuration The Station Status page displays basic connection information for all associated stations. Note that this page is automatically refreshed every five seconds. • Station Address: The MAC address of the remote wireless bridge. • Authenticated: Shows if the station has been authenticated. The two basic methods of authentication supported for 802.11 wireless networks are “open system” and “shared key.” Open-system authentication accepts any client attempting to connect to the access point without verifying its identity. The shared-key approach uses Wired Equivalent Privacy (WEP) to verify client identity by distributing a shared key to stations before attempting authentication. • Associated: Shows if the station has been successfully associated with the access point. • Forwarding Allowed: Shows if the station has passed authentication and is now allowed to forward traffic. • Key Type: Displays one of the following: - Disabled: The client is not using Wired Equivalent Privacy (WEP) encryption keys. - Dynamic: The client is using Wi-Fi Protected Access (802.1X or pre-shared key mode) or using 802.1X authentication with dynamic keying. - Static: The client is using static WEP keys for encryption. CLI Commands for Displaying Station Information – To view status of clients currently associated with the access point, use the show station command from the Exec mode. DUAL OUTDOOR#show station Station Table Information =========================================================== 802.11a Channel : 56 No 802.11a Channel Stations. 802.11g Channel : 11 802.11g Channel Station Table Station Address : 00-04-E2-41-C2-9D VLAN ID: 0 Authenticated Associated Forwarding KeyType TRUE TRUE TRUE NONE Counters:pkts Tx Rx bytes Tx Rx 4/ 1440/ Time:Associated LastAssoc LastDisAssoc LastAuth 143854 =========================================================== DUAL OUTDOOR# 6-66 6-110 6 Status Information Event Logs The Event Logs window shows the log messages generated by the wireless bridge and stored in memory. The Event Logs table displays the following information: • Log Time: The time the log message was generated. • Event Level: The logging level associated with this message. For a description of the various levels, see “logging level” on page 6-27. • Event Message: The content of the log message. CLI Commands for Displaying the Event Logs – From the global configuration mode, use the show logging command. DUAL OUTDOOR#show loggging 6-32 Logging Information ============================================ Syslog State : Enabled Logging Host State : Enabled Logging Console State : Enabled Server Domain name/IP : 192.168.1.19 Logging Level : Alert Logging Facility Type : 16 ============================================= DUAL OUTDOOR# 6-67 6 6-68 System Configuration Chapter 7: Command Line Interface Using the Command Line Interface Accessing the CLI When accessing the management interface for the over a direct connection to the console port, or via a Telnet connection, the bridge can be managed by entering command keywords and parameters at the prompt. Using the bridge’s command-line interface (CLI) is very similar to entering commands on a UNIX system. Console Connection To access the bridge through the console port, perform these steps: 1. At the console prompt, enter the user name and password. (The default user name is “admin” and the default password is null) When the user name is entered, the CLI displays the “Enterprise AP#” prompt. 2. Enter the necessary commands to complete your desired tasks. 3. When finished, exit the session with the “exit” command. After connecting to the system through the console port, the login screen displays: Username: admin Password: Enterprise AP# Caution: Command examples shown later in this chapter abbreviate the console prompt to “AP” for simplicity. Telnet Connection Telnet operates over the IP transport protocol. In this environment, your management station and any network device you want to manage over the network must have a valid IP address. Valid IP addresses consist of four numbers, 0 to 255, separated by periods. Each address consists of a network portion and host portion. For example, if the bridge cannot acquire an IP address from a DHCP server, the default IP address used by the bridge, 192.168.1.1, consists of a network portion (192.168.1) and a host portion (1). To access the bridge through a Telnet session, you must first set the IP address for the bridge, and set the default gateway if you are managing the bridge from a different IP subnet. For example: Enterprise Enterprise Enterprise Enterprise AP#configure AP(config)#interface ethernet AP(if-ethernet)#ip address 10.1.0.1 255.255.255.0 10.1.0.254 AP(if-ethernet)# 7-1 7 Command Line Interface If your corporate network is connected to another network outside your office or to the Internet, you need to apply for a registered IP address. However, if you are attached to an isolated network, then you can use any IP address that matches the network segment to which you are attached. After you configure the bridge with an IP address, you can open a Telnet session by performing these steps. 1. From the remote host, enter the Telnet command and the IP address of the device you want to access. 2. At the prompt, enter the user name and system password. The CLI will display the “Enterprise AP#” prompt to show that you are using executive access mode (i.e., Exec). 3. Enter the necessary commands to complete your desired tasks. 4. When finished, exit the session with the “quit” or “exit” command. After entering the Telnet command, the login screen displays: Username: admin Password: Enterprise AP# Caution: You can open up to four sessions to the device via Telnet. Entering Commands This section describes how to enter CLI commands. Keywords and Arguments A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters. For example, in the command “show interfaces ethernet,” show and interfaces are keywords, and ethernet is an argument that specifies the interface type. You can enter commands as follows: • To enter a simple command, enter the command keyword. • To enter commands that require parameters, enter the required parameters after the command keyword. For example, to set a password for the administrator, enter: Enterprise AP(config)#username smith Minimum Abbreviation The CLI will accept a minimum number of characters that uniquely identify a command. For example, the command “configure” can be entered as con. If an entry is ambiguous, the system will prompt for further input. 7-2 Entering Commands Command Completion If you terminate input with a Tab key, the CLI will print the remaining characters of a partial keyword up to the point of ambiguity. In the “configure” example, typing con followed by a tab will result in printing the command up to “configure.” Getting Help on Commands You can display a brief description of the help system by entering the help command. You can also display command syntax by following a command with the “?” character to list keywords or parameters. Showing Commands If you enter a “?” at the command prompt, the system will display the first level of keywords for the current configuration mode (Exec, Global Configuration, or Interface). You can also display a list of valid keywords for a specific command. For example, the command “show ?” displays a list of possible show commands: Enterprise AP#show ? APmanagement Show management AP information. authentication Show Authentication parameters bootfile Show bootfile name bridge Show bridge config System snapshot for tech support dhcp-relay Show DHCP Relay Configuration event-log Show event log on console filters Show filters hardware Show hardware version history Display the session history interface Show interface information line TTY line information link-integrity Show link integrity information logging Show the logging buffers radius Show radius server rogue-ap Show Rogue ap Stations snmp Show snmp configuration sntp Show sntp configuration station Show 802.11 station table system Show system information version Show system version Enterprise AP#show The command “show interface ?” will display the following information: Enterprise AP#show interface ? ethernet Show Ethernet interface wireless Show wireless interface Enterprise AP#show interface 7-3 7 Command Line Interface Partial Keyword Lookup If you terminate a partial keyword with a question mark, alternatives that match the initial letters are provided. (Remember not to leave a space between the command and question mark.) For example “s?” shows all the keywords starting with “s.” Enterprise AP#show s? snmp sntp station Enterprise AP#show s system Negating the Effect of Commands For many configuration commands you can enter the prefix keyword “no” to cancel the effect of a command or reset the configuration to the default value. For example, the logging command will log system messages to a host server. To disable logging, specify the no logging command. This guide describes the negation effect for all applicable commands. Using Command History The CLI maintains a history of commands that have been entered. You can scroll back through the history of commands by pressing the up arrow key. Any command displayed in the history list can be executed again, or first modified and then executed. Using the show history command displays a longer list of recently executed commands. Understanding Command Modes The command set is divided into Exec and Configuration classes. Exec commands generally display information on system status or clear statistical counters. Configuration commands, on the other hand, modify interface parameters or enable certain functions. These classes are further divided into different modes. Available commands depend on the selected mode. You can always enter a question mark “?” at the prompt to display a list of the commands available for the current mode. The command classes and associated modes are displayed in the following table: Class Mode Exec Privileged Configuration Global Interface-ethernet Interface-wireless Interface-wireless-vap 7-4 Entering Commands Exec Commands When you open a new console session on an bridge, the system enters Exec command mode. Only a limited number of the commands are available in this mode. You can access all other commands only from the configuration mode. To access Exec mode, open a new console session with the user name “admin.” The command prompt displays as “Enterprise AP#” for Exec mode. Username: admin Password: [system login password] Enterprise AP# Configuration Commands Configuration commands are used to modify bridge settings. These commands modify the running configuration and are saved in memory. The configuration commands are organized into four different modes: • Global Configuration (GC) - These commands modify the system level configuration, and include commands such as username and password. • Interface-Ethernet Configuration (IC-E) - These commands modify the Ethernet port configuration, and include command such as dns and ip. • Interface-Wireless Configuration (IC-W) - These commands modify the wireless port configuration of global parameters for the radio, and include commands such as channel and transmit-power. • Interface-Wireless Virtual bridge Configuration (IC-W-VAP) - These commands modify the wireless port configuration for each VAP, and include commands such as ssid and authentication. To enter the Global Configuration mode, enter the command configure in Exec mode. The system prompt will change to “Enterprise AP(config)#” which gives you access privilege to all Global Configuration commands. Enterprise AP#configure Enterprise AP(config)# To enter Interface mode, you must enter the “interface ethernet,” or “interface wireless a,” or “interface wireless g” command while in Global Configuration mode. The system prompt will change to “Enterprise AP(if-ethernet)#,” or Enterprise AP(if-wireless)” indicating that you have access privileges to the associated commands. You can use the end command to return to the Exec mode. Enterprise AP(config)#interface ethernet Enterprise AP(if-ethernet)# 7-5 7 Command Line Interface Command Line Processing Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters. You can use the Tab key to complete partial commands, or enter a partial command followed by the “?” character to display a list of possible matches. You can also use the following editing keystrokes for command-line processing: Table 7-1. Keystroke Commands Keystroke Function Ctrl-A Shifts cursor to start of command line. Ctrl-B Shifts cursor to the left one character. Ctrl-C Terminates a task and displays the command prompt. Ctrl-E Shifts cursor to end of command line. Ctrl-F Shifts cursor to the right one character. Ctrl-K Deletes from cursor to the end of the command line. Ctrl-L Repeats current command line on a new line. Ctrl-N Enters the next command line in the history buffer. Ctrl-P Shows the last command. Ctrl-R Repeats current command line on a new line. Ctrl-U Deletes the entire line. Ctrl-W Deletes the last word typed. Esc-B Moves the cursor backward one word. Esc-D Deletes from the cursor to the end of the word. Esc-F Moves the cursor forward one word. Delete key or backspace key Erases a mistake when entering a command. Command Groups The system commands can be broken down into the functional groups shown below. Table 7-2. Command Groups Command Group Description General Basic commands for entering configuration mode, restarting the system, or quitting the CLI Page 7-7 System Management Controls user name, password, web browser management options, and a variety of other system information 7-11 System Logging Configures system logging parameters 7-28 System Clock Configures SNTP and system clock settings 7-33 DHCP Relay Configures the bridge to send DHCP requests from clients to specified servers 7-38 7-6 General Commands Table 7-2. Command Groups Command Group Description Page SNMP Configures community access strings and trap managers 7-40 Flash/File Manages code image or bridge configuration files 7-55 RADIUS Configures the RADIUS client used with 802.1X authentication 7-58 802.1X Authentication Configures 802.1X authentication 7-65 MAC Address Authentication Configures MAC address authentication 7-70 Filtering Filters communications between wireless clients, controls access to the management interface from wireless clients, and filters traffic using specific Ethernet protocol types 7-73 WDS Bridge Configures WDS forwarding table settings 7-77 Spanning Tree Configures spanning tree parameters 7-83 Ethernet Interface Configures connection parameters for the Ethernet interface 7-88 Wireless Interface Configures radio interface settings 7-93 Wireless Security Configures radio interface security and encryption settings 7-113 Rogue AP Detection Configures settings for the detection of rogue bridges in the network 7-113 Link Integrity Configures a link check to a host device on the wired network 7-127 IAPP Enables roaming between multi-vendor bridges 7-131 VLANs Configures VLAN membership 7-132 WMM Configures WMM quality of service parameters 7-134 The access mode shown in the following tables is indicated by these abbreviations: Exec (Executive Mode), GC (Global Configuration), IC-E (Interface-Ethernet Configuration), IC-W (Interface-Wireless Configuration), and IC-W-VAP (Interface-Wireless VAP Configuration). General Commands Table 7-3. General Commands Command Function Mode configure Activates global configuration mode Exec Page end Returns to previous configuration mode GC, IC 7-8 exit Returns to the previous configuration mode, or exits the CLI any 7-8 ping Sends ICMP echo request packets to another node on the network Exec 7-9 reset Restarts the system Exec 7-10 show history Shows the command history buffer Exec 7-10 show line Shows the configuration settings for the console port Exec 7-11 7-8 7-7 7 Command Line Interface configure This command activates Global Configuration mode. You must enter this mode to modify most of the settings on the bridge. You must also enter Global Configuration mode prior to enabling the context modes for Interface Configuration. See “Using the Command Line Interface” on page 1. Default Setting None Command Mode Exec Example Enterprise AP#configure Enterprise AP(config)# Related Commands end (7-8) end This command returns to the previous configuration mode. Default Setting None Command Mode Global Configuration, Interface Configuration Example This example shows how to return to the Configuration mode from the Interface Configuration mode: Enterprise AP(if-ethernet)#end Enterprise AP(config)# exit This command returns to the Exec mode or exits the configuration program. Default Setting None Command Mode Any 7-8 General Commands Example This example shows how to return to the Exec mode from the Interface Configuration mode, and then quit the CLI session: Enterprise AP(if-ethernet)#exit Enterprise AP#exit CLI session with the bridge is now closed Username: ping This command sends ICMP echo request packets to another node on the network. Syntax ping • host_name - Alias of the host. • ip_address - IP address of the host. Default Setting None Command Mode Exec Command Usage • Use the ping command to see if another site on the network can be reached. • The following are some results of the ping command: - Normal response - The normal response occurs in one to ten seconds, depending on network traffic. - Destination does not respond - If the host does not respond, a “timeout” appears in ten seconds. - Destination unreachable - The gateway for this destination indicates that the destination is unreachable. - Network or host unreachable - The gateway found no corresponding entry in the route table. • Press to stop pinging. Example Enterprise AP#ping 10.1.0.19 192.168.1.19 is alive Enterprise AP# 7-9 7 Command Line Interface reset This command restarts the system or restores the factory default settings. Syntax reset • board - Reboots the system. • configuration - Resets the configuration settings to the factory defaults, and then reboots the system. Default Setting None Command Mode Exec Command Usage When the system is restarted, it will always run the Power-On Self-Test. Example This example shows how to reset the system: Enterprise AP#reset board Reboot system now? : y show history This command shows the contents of the command history buffer. Default Setting None Command Mode Exec Command Usage • The history buffer size is fixed at 10 commands. • Use the up or down arrow keys to scroll through the commands in the history buffer. Example In this example, the show history command lists the contents of the command history buffer: Enterprise AP#show history config exit show history Enterprise AP# 7-10 System Management Commands show line This command displays the console port’s configuration settings. Command Mode Exec Example The console port settings are fixed at the values shown below. Enterprise AP#show line Console Line Information ====================================================== databits : 8 parity : none speed : 9600 stop bits : 1 ====================================================== Enterprise AP# System Management Commands These commands are used to configure the user name, password, system logs, browser management options, clock settings, and a variety of other system information. Table 7-4. System Management Commands Command Function Mode Page Sets the bridge country code Exec 7-12 prompt Customizes the command line prompt GC 7-14 system name Specifies the host name for the bridge GC 7-14 snmp-server contact Sets the system contact string GC 7-41 snmp-server location Sets the system location string GC 7-42 Country Setting country Device Designation Management Access username Configures the user name for management access GC 7-15 password Specifies the password for management access GC 7-15 ip ssh-server enable Enables the Secure Shell server IC-E 7-16 ip ssh-server port 7-16 Sets the Secure Shell port IC-E ip telnet-server enable Enables the Telnet server IC-E 7-17 APmgmtIP Specifies an IP address or range of addresses allowed access to the management interface GC 7-21 APmgmtUI Enables or disables SNMP, Telnet or web management access GC 7-22 Exec 7-22 show APmanagement Shows the AP management configuration 7-11 7 Command Line Interface Table 7-4. System Management Commands Command Function Mode Page ip http port Specifies the port to be used by the web browser interface GC 7-17 ip http server Allows the bridge to be monitored or configured from a browser GC 7-18 ip https port Specifies the UDP port number used for a secure HTTP connection to the bridge’s Web interface GC 7-18 ip https server Enables the secure HTTP server on the bridge GC 7-19 web-redirect Enables web authentication of clients using a public access Internet service GC 7-20 show system Displays system information Exec 7-23 show version Displays version information for the system Exec 7-24 show config Displays detailed configuration information for the system Exec 7-24 show hardware Displays the bridge’s hardware version Exec 7-28 Web Server System Status country This command configures the bridge’s country code, which identifies the country of operation and sets the authorized radio channels. Syntax country country_code - A two character code that identifies the country of operation. See the following table for a full list of codes. Table 7-5. Country Codes Country Code Country Code Country Code Country Code Albania AL Dominican Republic DO Kuwait KW Romania RO Algeria DZ Ecuador EC Latvia LV Russia RU Argentina AR Egypt EG Lebanon LB Saudi Arabia SA Armenia AM Estonia EE Liechtenstein LI Singapore SG Australia AU Finland FI Lithuania LT Slovak Republic SK Austria AT France FR Macao MO Spain ES Azerbaijan AZ Georgia GE Macedonia MK Sweden SE Bahrain BH Germany DE Malaysia MY Switzerland CH 7-12 System Management Commands Table 7-5. Country Codes Country Code Country Code Country Code Country Code Belarus BY Greece GR Malta MT Syria SY Belgium BE Guatemala GT Mexico MX Taiwan TW Honduras HN Monaco MC Thailand TH Belize BZ Hong Kong HK Morocco MA Trinidad & Tobago TT Bolivia BO Hungary HU Netherlands NL Tunisia TN Brazil BR Iceland IS New Zealand NZ Turkey TR Brunei Darussalam BN India IN Norway NO Ukraine UA Bulgaria BG Indonesia ID Qatar QA United Arab Emirates AE Canada CA Iran IR Oman OM United Kingdom GB Chile CL Ireland IE Pakistan PK United States US China CN Israel IL Panama PA Uruguay UY Colombia CO Italy IT Peru PE Uzbekistan UZ Costa Rica CR Japan JP Philippines PH Yemen YE Croatia HR Jordan JO Poland PL Venezuela VE Cyprus CY Kazakhstan KZ Portugal PT Vietnam VN Czech Republic CZ North Korea KP Puerto Rico PR Zimbabwe ZW Denmark DK Korea Republic KR Slovenia SI Elsalvador SV Luxembourg LU South Africa ZA Default Setting US - for units sold in the United States 99 (no country set) - for units sold in other countries Command Mode Exec 7-13 7 Command Line Interface Command Usage • If you purchased an bridge outside of the United States, the country code must be set before radio functions are enabled. • The available Country Code settings can be displayed by using the country ? command. Example Enterprise AP#country tw Enterprise AP# prompt This command customizes the CLI prompt. Use the no form to restore the default prompt. Syntax prompt no prompt string - Any alphanumeric string to use for the CLI prompt. (Maximum length: 32 characters) Default Setting Enterprise AP Command Mode Global Configuration Example Enterprise AP(config)#prompt RD2 RD2(config)# system name This command specifies or modifies the system name for this device. Use the no form to restore the default system name. Syntax system name no system name name - The name of this host. (Maximum length: 32 characters) Default Setting Enterprise AP 7-14 System Management Commands Command Mode Global Configuration Example Enterprise AP(config)#system name AP Enterprise AP(config)# username This command configures the user name for management access. Syntax username name - The name of the user. (Length: 3-16 characters, case sensitive) Default Setting admin Command Mode Global Configuration Example Enterprise AP(config)#username bob Enterprise AP(config)# password After initially logging onto the system, you should set the password. Remember to record it in a safe place. Use the no form to reset the default password. Syntax password no password password - Password for management access. (Length: 3-16 characters, case sensitive) Default Setting null Command Mode Global Configuration Example Enterprise AP(config)#password Enterprise AP(config)# 7-15 7 Command Line Interface ip ssh-server enable This command enables the Secure Shell server. Use the no form to disable the server. Syntax ip ssh-server enable no ip ssh-server Default Setting Interface enabled Command Mode Interface Configuration (Ethernet) Command Usage • The bridge supports Secure Shell version 2.0 only. • After boot up, the SSH server needs about two minutes to generate host encryption keys. The SSH server is disabled while the keys are being generated. The show system command displays the status of the SSH server. Example Enterprise AP(if-ethernet)#ip ssh-server enable Enterprise AP(if-ethernet)# ip ssh-server port This command sets the Secure Shell server port. Use the no form to disable the server. Syntax ip ssh-server port • port-number - The UDP port used by the SSH server. (Range: 1-65535) Default Setting 22 Command Mode Interface Configuration (Ethernet) Example Enterprise AP(if-ethernet)#ip ssh-server port 1124 Enterprise AP(if-ethernet)# 7-16 System Management Commands ip telnet-server enable This command enables the Telnet server. Use the no form to disable the server. Syntax ip telnet-server enable no ip telnet-server Default Setting Interface enabled Command Mode Interface Configuration (Ethernet) Example Enterprise AP(if-ethernet)#ip telnet-server enable Enterprise AP(if-ethernet)# ip http port This command specifies the TCP port number used by the web browser interface. Use the no form to use the default port. Syntax ip http port no ip http port port-number - The TCP port to be used by the browser interface. (Range: 1024-65535) Default Setting 80 Command Mode Global Configuration Example Enterprise AP(config)#ip http port 769 Enterprise AP(config)# Related Commands ip http server (7-18) 7-17 7 Command Line Interface ip http server This command allows this device to be monitored or configured from a browser. Use the no form to disable this function. Syntax ip http server no ip http server Default Setting Enabled Command Mode Global Configuration Example Enterprise AP(config)#ip http server Enterprise AP(config)# Related Commands ip http port (7-17) ip https port Use this command to specify the UDP port number used for HTTPS/SSL connection to the bridge’s Web interface. Use the no form to restore the default port. Syntax ip https port no ip https port port_number – The UDP port used for HTTPS/SSL. (Range: 80, 1024-65535) Default Setting 443 Command Mode Global Configuration Command Usage • You cannot configure the HTTP and HTTPS servers to use the same port. • To avoid using common reserved TCP port numbers below 1024, the configurable range is restricted to 443 and between 1024 and 65535. • If you change the HTTPS port number, clients attempting to connect to the HTTPS server must specify the port number in the URL, in this format: https://device:port_number 7-18 System Management Commands Example Enterprise AP(config)#ip https port 1234 Enterprise AP(config)# ip https server Use this command to enable the secure hypertext transfer protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the bridge’s Web interface. Use the no form to disable this function. Syntax ip https server no ip https server Default Setting Enabled Command Mode Global Configuration Command Usage • Both HTTP and HTTPS service can be enabled independently. • If you enable HTTPS, you must indicate this in the URL: https://device:port_number] • When you start HTTPS, the connection is established in this way: - The client authenticates the server using the server’s digital certificate. - The client and server negotiate a set of security protocols to use for the connection. - The client and server generate session keys for encrypting and decrypting data. • The client and server establish a secure encrypted connection. A padlock icon should appear in the status bar for Internet Explorer 5.x. Example Enterprise AP(config)#ip https server Enterprise AP(config)# 7-19 7 Command Line Interface web-redirect Use this command to enable web-based authentication of clients. Use the no form to disable this function. Syntax [no] web-redirect Default Setting Disabled Command Mode Global Configuration Command Usage • The web redirect feature is used to support billing for a public access wireless network. After successful association to an bridge, a client is “redirected” to an bridge login web page as soon as Internet access is attempted. The client is then authenticated by entering a user name and password on the web page. This process allows controlled access for clients without requiring 802.1X or MAC authentication. • Web redirect requires a RADIUS server on the wired network with configured user names and passwords for authentication. The RADIUS server details must also be configured on the bridge. (See “show bootfile” on page 7-58.) • Use the show system command to display the current web redirect status. Example Enterprise AP(config)#web-redirect Enterprise AP(config)# 7-20 System Management Commands APmgmtIP This command specifies the client IP addresses that are allowed management access to the bridge through various protocols. Caution: Secure Web (HTTPS) connections are not affected by the UI Management or IP Management settings. Syntax APmgmtIP • multiple - Adds IP addresses within a specifiable range to the SNMP, web and Telnet groups. • single - Adds an IP address to the SNMP, web and Telnet groups. • any - Allows any IP address access through SNMP, web and Telnet groups. • IP_address - Adds IP addresses to the SNMP, web and Telnet groups. • subnet_mask - Specifies a range of IP addresses allowed management access. Default Setting All addresses Command Mode Global Configuration Command Usage • If anyone tries to access a management interface on the bridge from an invalid address, the unit will reject the connection, enter an event message in the system log, and send a trap message to the trap manager. • IP address can be configured for SNMP, web and Telnet access respectively. Each of these groups can include up to five different sets of addresses, either individual addresses or address ranges. • When entering addresses for the same group (i.e., SNMP, web or Telnet), the bridge will not accept overlapping address ranges. When entering addresses for different groups, the bridge will accept overlapping address ranges. • You cannot delete an individual address from a specified range. You must delete the entire range, and reenter the addresses. • You can delete an address range just by specifying the start address, or by specifying both the start address and end address. Example This example restricts management access to the indicated addresses. Enterprise AP(config)#apmgmtip multiple 192.168.1.50 255.255.255.0 Enterprise AP(config)# 7-21 7 Command Line Interface APmgmtUI This command enables and disables management access to the bridge through SNMP, Telnet and web interfaces. Caution: Secure Web (HTTPS) connections are not affected by the UI Management or IP Management settings. Syntax APmgmtUI <[SNMP | Telnet | Web] enable | disable> • SNMP - Specifies SNMP management access. • Telnet - Specifies Telnet management access. • Web - Specifies web based management access. - enable/disable - Enables or disables the selected management access method. Default Setting All enabled Command Mode Global Configuration Example This example restricts management access to the indicated addresses. Enterprise AP(config)#apmgmtui SNMP enable Enterprise AP(config)# show apmanagement This command shows the AP management configuration, including the IP addresses of management stations allowed to access the bridge, as well as the interface protocols which are open to management access. Command Mode Exec Example Enterprise AP#show apmanagement Management AP Information ================================= AP Management IP Mode: Any IP Telnet UI: Enable WEB UI : Enable SNMP UI : Enable ================================== Enterprise AP# 7-22 System Management Commands show system This command displays basic system configuration settings. Default Setting None Command Mode Exec Example Enterprise AP#show system System Information ========================================================== Serial Number : A123456789 System Up time : 0 days, 4 hours, 33 minutes, 29 seconds System Name : Enterprise Wireless AP System Location System Contact : David System Country Code : US - UNITED STATES MAC Address : 00-30-F1-F0-9A-9C IP Address : 192.168.1.1 Subnet Mask : 255.255.255.0 Default Gateway : 0.0.0.0 VLAN State : DISABLED Management VLAN ID(AP): 1 IAPP State : ENABLED DHCP Client : ENABLED HTTP Server : ENABLED HTTP Server Port : 80 HTTPS Server : ENABLED HTTPS Server Port : 443 Slot Status : Dual band(a/g) Boot Rom Version : v1.1.8 Software Version : v4.3.2.8b03 SSH Server : ENABLED SSH Server Port : 22 Telnet Server : ENABLED WEB Redirect : DISABLED DHCP Relay : DISABLED Proxy ARP : DISABLED ========================================================== Enterprise AP# 7-23 7 Command Line Interface show version This command displays the software version for the system. Command Mode Exec Example Enterprise AP#show version Version Information ========================================= Version: v4.3.2.8b03 Date : Dec 20 2005, 18:38:12 ========================================= Enterprise AP# show config This command displays detailed configuration information for the system. Command Mode Exec Example Enterprise AP#show config Authentication Information =========================================================== MAC Authentication Server : DISABLED MAC Auth Session Timeout Value : 0 min 802.1x supplicant : DISABLED 802.1x supplicant user : EMPTY 802.1x supplicant password : EMPTY Address Filtering : ALLOWED System Default : ALLOW addresses not found in filter table. Filter Table ----------------------------------------------------------No Filter Entries. Bootfile Information =================================== Bootfile : ec-img.bin =================================== Protocol Filter Information =========================================================== Local Bridge :DISABLED AP Management :ENABLED Ethernet Type Filter :DISABLED Enabled Protocol Filters ----------------------------------------------------------No protocol filters are enabled =========================================================== 7-24 System Management Commands Hardware Version Information =========================================== Hardware version R01A =========================================== Ethernet Interface Information ======================================== IP Address : 192.168.0.151 Subnet Mask : 255.255.255.0 Default Gateway : 192.168.0.1 Primary DNS : 210.200.211.225 Secondary DNS : 210.200.211.193 Speed-duplex : 100Base-TX Full Duplex Admin status : Up Operational status : Up ======================================== Wireless Interface 802.11a Information =========================================================== ----------------Identification----------------------------Description : Enterprise 802.11a bridge SSID : VAP_TEST_11A 0 Channel : 0 (AUTO) Status : Disable ----------------802.11 Parameters-------------------------Transmit Power : 100% (5 dBm) Data Rate : 54Mbps Fragmentation Threshold : 2346 bytes RTS Threshold : 2347 bytes Beacon Interval : 100 TUs DTIM Interval : 1 beacon Maximum Association : 64 stations Native VLAN ID : 1 ----------------Security----------------------------------Closed System : DISABLED Multicast cipher : WEP Unicast cipher : TKIP and AES WPA clients : REQUIRED WPA Key Mgmt Mode : PRE SHARED KEY WPA PSK Key Type : ALPHANUMERIC Encryption : DISABLED Default Transmit Key : 1 Static Keys : Key 1: EMPTY Key 2: EMPTY Key 3: EMPTY Key 4: EMPTY Key Length : Key 1: ZERO Key 2: ZERO Key 3: ZERO Key 4: ZERO Authentication Type : OPEN Rogue AP Detection : Disabled Rogue AP Scan Interval : 720 minutes Rogue AP Scan Duration : 350 milliseconds =========================================================== Console Line Information =========================================================== databits : 8 parity : none speed : 9600 stop bits : 1 =========================================================== 7-25 7 Command Line Interface Logging Information ===================================================== Syslog State : Disabled Logging Console State : Disabled Logging Level : Informational Logging Facility Type : 16 Servers 1: 0.0.0.0 , UDP Port: 514, State: Disabled 2: 0.0.0.0 , UDP Port: 514, State: Disabled 3: 0.0.0.0 , UDP Port: 514, State: Disabled 4: 0.0.0.0 , UDP Port: 514, State: Disabled ====================================================== Radius Server Information ======================================== IP : 0.0.0.0 Port : 1812 Key : ***** Retransmit : 3 Timeout : 5 Radius MAC format : no-delimiter Radius VLAN format : HEX ======================================== Radius Secondary Server Information ======================================== IP : 0.0.0.0 Port : 1812 Key : ***** Retransmit : 3 Timeout : 5 Radius MAC format : no-delimiter Radius VLAN format : HEX ======================================== SNMP Information ============================================== Service State : Disable Community (ro) : ******** Community (rw) : ******** Location Contact : Contact EngineId :80:00:07:e5:80:00:00:29:f6:00:00:00:0c EngineBoots:2 Trap Destinations: 1: 0.0.0.0, 2: 0.0.0.0, 3: 0.0.0.0, 4: 0.0.0.0, 7-26 Community: Community: Community: Community: *****, *****, *****, *****, State: State: State: State: Disabled Disabled Disabled Disabled System Management Commands dot11InterfaceAGFail dot11StationAssociation dot11StationReAssociation dot1xAuthFail dot1xAuthSuccess dot1xMacAddrAuthSuccess iappStationRoamedFrom localMacAddrAuthFail pppLogonFail configFileVersionChanged systemDown Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled dot11InterfaceBFail dot11StationAuthentication dot11StationRequestFail dot1xAuthNotInitiated dot1xMacAddrAuthFail iappContextDataSent iappStationRoamedTo localMacAddrAuthSuccess sntpServerFail radiusServerChanged systemUp Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled ============================================= SNTP Information =========================================================== Service State : Disabled SNTP (server 1) IP : 137.92.140.80 SNTP (server 2) IP : 192.43.244.18 Current Time : 00 : 14, Jan 1st, 1970 Time Zone : -5 (BOGOTA, EASTERN, INDIANA) Daylight Saving : Disabled =========================================================== Station Table Information =========================================================== if-wireless A VAP [0] 802.11a Channel : Auto No 802.11a Channel Stations. if-wireless G VAP [0] 802.11g Channel : Auto No 802.11g Channel Stations. System Information ============================================================== Serial Number System Up time : 0 days, 0 hours, 16 minutes, 51 seconds System Name : Enterprise Wireless AP System Location System Contact : David System Country Code : 99 - NO_COUNTRY_SET MAC Address : 00-12-CF-05-B7-84 IP Address : 192.168.0.151 Subnet Mask : 255.255.255.0 Default Gateway : 192.168.0.1 VLAN State : DISABLED Management VLAN ID(AP): 1 IAPP State : ENABLED DHCP Client : ENABLED HTTP Server : ENABLED HTTP Server Port : 80 HTTPS Server : ENABLED HTTPS Server Port : 443 Slot Status : Dual band(a/g) Boot Rom Version : v1.1.8 Software Version : v4.3.2.8b03 7-27 7 Command Line Interface SSH Server : ENABLED SSH Server Port : 22 Telnet Server : ENABLED WEB Redirect : DISABLED DHCP Relay : DISABLED ============================================================== Version Information ========================================= Version: v4.3.2.2 Date : Dec 20 2005, 18:38:12 ========================================= Enterprise AP# show hardware This command displays the hardware version of the system. Command Mode Exec Example Enterprise AP#show hardware Hardware Version Information =========================================== Hardware version R01 =========================================== Enterprise AP# System Logging Commands These commands are used to configure system logging on the bridge. Table 7-6. System Logging Commands Command Function Mode logging on Controls logging of error messages GC Page 7-29 logging host Adds a syslog server host IP address that will receive GC logging messages 7-29 logging console Initiates logging of error messages to the console GC 7-30 logging level Defines the minimum severity level for event logging GC 7-30 logging facility-type Sets the facility type for remote logging of syslog messages GC 7-31 logging clear Clears all log entries in bridge memory GC 7-32 show logging Displays the state of logging Exec 7-32 show event-log Displays all log entries in bridge memory Exec 7-33 7-28 System Logging Commands logging on This command controls logging of error messages; i.e., sending debug or error messages to memory. The no form disables the logging process. Syntax [no] logging on Default Setting Disabled Command Mode Global Configuration Command Usage The logging process controls error messages saved to memory. You can use the logging level command to control the type of error messages that are stored in memory. Example Enterprise AP(config)#logging on Enterprise AP(config)# logging host This command specifies syslog servers host that will receive logging messages. Use the no form to remove syslog server host. Syntax logging host <1 | 2 | 3 | 4> [udp_port] no logging host <1 | 2 | 3 | 4> • • • • • • • 1 - First syslog server. 2 - Second syslog server. 3 - Third syslog server. 4 - Fourth syslog server. host_name - The name of a syslog server. (Range: 1-20 characters) host_ip_address - The IP address of a syslog server. udp_port - The UDP port used by the syslog server. Default Setting None Command Mode Global Configuration 7-29 7 Command Line Interface Example Enterprise AP(config)#logging host 1 10.1.0.3 Enterprise AP(config)# logging console This command initiates logging of error messages to the console. Use the no form to disable logging to the console. Syntax logging console no logging console Default Setting Disabled Command Mode Global Configuration Example Enterprise AP(config)#logging console Enterprise AP(config)# logging level This command sets the minimum severity level for event logging. Syntax logging level Default Setting Informational Command Mode Global Configuration 7-30
Source Exif Data:
File Type : PDF File Type Extension : pdf MIME Type : application/pdf PDF Version : 1.6 Linearized : No Tagged PDF : Yes Page Mode : UseNone XMP Toolkit : 3.1-701 Producer : Acrobat Distiller 7.0 (Windows) Create Date : 2006:06:15 16:31:31Z Creator Tool : FrameMaker 7.0 Modify Date : 2006:06:19 14:21:20+08:00 Metadata Date : 2006:06:19 14:21:20+08:00 Format : application/pdf Title : OAP6626A-UG-32.book Creator : david Document ID : uuid:2c08631f-31a9-4806-a1df-f11df3986601 Instance ID : uuid:2489a3d2-e778-4730-bcdd-12b2b49db416 Has XFA : No Page Count : 150 Author : davidEXIF Metadata provided by EXIF.tools