Tranzeo Wireless Technologies XBYPZ11 2.4/5.8 GHz OUTDOOR ACCESS POINT User Manual Users Guide

Tranzeo Wireless Technologies, Inc 2.4/5.8 GHz OUTDOOR ACCESS POINT Users Guide

Users Guide

    Document No. TR0190 Rev A1     EL-500 Access Point User’s Guide  Rev. A1                   Communicate Without Boundaries      Tranzeo Wireless Technologies Inc. 19473 Fraser Way, Pitt Meadows, BC, Canada V3Y 2V4 www.tranzeo.com technical support email:  support@tranzeo.com
ER-1000 Access Point User’s Guide      TR0190 Rev. A1    2                                                  Tranzeo, the Tranzeo logo and EL-500 are trademarks of Tranzeo Wireless Technologies Inc. All rights reserved.  All  other  company,  brand,  and  product  names  are  referenced  for  identification  purposes  only  and  may  be trademarks that are the properties of their respective owners.  Copyright © 2007, Tranzeo Wireless Technologies Inc.
ER-1000 User’s Guide  TR0190 Rev. A1    3   FCC Notice to Users and Operators This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions:    (1)  This  device  may  not  cause  harmful  interference,  and  (2)  This  device  must accept any interference received, including interference that may cause undesired operation.  This equipment has been tested and found to comply with the limits for Class B Digital Device, pursuant  to  Part  15  of  the  FCC  Rules.  These  limits  are  designed  to  provide  reasonable protection against harmful interference in a residential installation. This equipment generates and can radiate radio frequency energy and, if not installed and used in accordance with the instructions,  may  cause  harmful  interference  to  radio  communications.  However,  there  is  no guarantee  that  interference  will  not  occur  in  a  particular  installation.  If  this  equipment  does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct  the interference by one or more of the following measures.  •  Reorient or relocate the receiving antenna •  Increase the separation between the equipment and receiver •  Connect the equipment into an outlet on a circuit different from that to which the receiver is connected •  Consult the dealer or an experienced radio/TV technician for help  To reduce potential radio interference to other users, the antenna type and its gain should be so  chosen  that  the  equivalent  isotropically  radiated  power  (EIRP)  is  not  more  than  that required for successful communication  Any  changes  or  modification  to  said  product  not  expressly  approved  by  Tranzeo Wireless Technologies Inc. could void the user's authority to operate this device.   The Tranzeo EL-500 Access Point must be installed by a trained professional, value added reseller, or systems integrator who is familiar with RF cell planning issues and the  regulatory  limits  defined  by  the  FCC  for  RF  exposure,  specifically  those  limits outlined in sections 1.1307.
ER-1000 User’s Guide  TR0190 Rev. A1    4    Table of Contents  1 Working with the EL-500.................................................................................... 8 1.1 EL-500 Variants ....................................................................................................8 1.2 EL-500 Capabilities ...............................................................................................8 1.3 EL-500 Interfaces..................................................................................................9 1.3.1 Ethernet and PoE............................................................................................... 10 1.3.2 Antenna.............................................................................................................. 11 1.4 Deployment Considerations ................................................................................11 1.4.1 AP Channel Selection ........................................................................................ 12 2 Connecting to the EL-500................................................................................ 13 2.1 Network Interfaces ..............................................................................................13 2.2 Connecting to an Unconfigured EL-500 ..............................................................14 2.3 Default Login and Password ...............................................................................15 2.4 Resetting the ‘admin’ Password ..........................................................................15 3 Using the Web Interface .................................................................................. 16 3.1 Accessing the Web Interface...............................................................................16 3.2 Navigating the Web Interface..............................................................................18 3.3 Setting Parameters .............................................................................................18 3.4 Help Information..................................................................................................19 3.5 Rebooting............................................................................................................19 4 Using the Command Line Interface ................................................................ 21 4.1 Accessing the CLI ...............................................................................................21 4.2 User Account.......................................................................................................21 4.3 CLI Interfaces......................................................................................................22 4.4 CLI Features .......................................................................................................22 4.4.1 Control of the Cursor.......................................................................................... 22 4.4.2 Cancel a Command ........................................................................................... 22 4.4.3 Searching the Command History ....................................................................... 23 4.4.4 Executing a Previous Command ........................................................................ 23 4.5 CLI Commands ...................................................................................................23 4.5.1 ‘?’ command....................................................................................................... 23 4.5.2 ‘whoami’ command ............................................................................................ 23 4.5.3 ‘help’ command .................................................................................................. 24 4.5.4 ‘show’ command ................................................................................................ 24 4.5.5 ‘use’ command ................................................................................................... 25 4.5.6 ‘set’ command .................................................................................................... 25 4.5.7 ‘get’ command.................................................................................................... 26 4.5.8 ‘list’ command .................................................................................................... 27 4.5.9 ‘ping’ command .................................................................................................. 27
ER-1000 User’s Guide  TR0190 Rev. A1    5 4.5.10 ‘ifconfig’ command ............................................................................................. 28 4.5.11 ‘route’ command................................................................................................. 28 4.5.12 ‘clear’ command ................................................................................................. 28 4.5.13 ‘history’ command .............................................................................................. 29 4.5.14 ‘!’ command........................................................................................................ 30 4.5.15 ‘exit’ command ................................................................................................... 31 4.5.16 ‘quit’ command ................................................................................................... 31 5 Initial Configuration of an EL-500 ................................................................... 32 6 Status Information ........................................................................................... 34 6.1 Configuration Overview Page..............................................................................34 6.2 Interface Status ...................................................................................................35 6.2.1 Virtual AP Interfaces .......................................................................................... 35 6.2.2 Wired Interface Status........................................................................................ 36 6.3 Bridging...............................................................................................................36 6.4 Routing Table......................................................................................................37 6.5 ARP Table...........................................................................................................38 6.6 Event Log............................................................................................................39 6.7 DHCP Event Log.................................................................................................39 7 Configuration Profile Management................................................................. 41 7.1 Saving the Current Configuration ........................................................................41 7.2 Load a Configuration Profile................................................................................42 7.3 Delete a Configuration Profile .............................................................................42 7.4 Downloading a Configuration Profile from an EL-500 .........................................43 7.5 Uploading a Configuration Profile to an EL-500 ..................................................44 8 Mode of Operation ........................................................................................... 45 9 System Settings ............................................................................................... 47 9.1 User Password....................................................................................................47 9.2 Node ID...............................................................................................................48 9.3 DNS / Domain Settings .......................................................................................49 9.4 DNS Proxy Configuration ....................................................................................50 9.5 NetBIOS Server ..................................................................................................51 9.6 SNMP..................................................................................................................51 9.7 Location...............................................................................................................52 9.8 Certificate Information .........................................................................................54 9.9 Time Synchronization..........................................................................................54 9.10 Web GUI Console ...............................................................................................56 9.11 OnRamp Configuration Access...........................................................................56 9.12 CLI Timeout.........................................................................................................58 10 Client Addressing Schemes............................................................................ 59 10.1 Implicit Addressing Scheme ................................................................................60 10.1.1 LAN Prefix.......................................................................................................... 61
ER-1000 User’s Guide  TR0190 Rev. A1    6 10.1.2 Client Address Space Segmentation in Implicit Addressing Mode ..................... 61 10.2 Explicit Addressing Scheme................................................................................64 11 Ethernet Interface Configuration .................................................................... 66 11.1 DHCP..................................................................................................................66 11.2 Manual IP Configuration......................................................................................69 12 Bridge Interface Configuration ....................................................................... 71 12.1 IP Configuration ..................................................................................................71 12.2 Bridging Parameters ...........................................................................................73 13 Virtual Access Point (VAP) Configuration ..................................................... 74 13.1 Virtual Access Point Interfaces............................................................................75 13.2 Enabling and Disabling Virtual Access Points.....................................................75 13.3 Virtual Access Point Client Device Address Space .............................................75 13.4 Channel...............................................................................................................77 13.5 ESSID .................................................................................................................78 13.6 IP Configuration of Client Devices.......................................................................79 13.6.1 IP Configuration of Clients Devices via DHCP ................................................... 79 13.6.2 Manual IP Configuration of Client Devices......................................................... 79 13.7 Client Devices .....................................................................................................81 13.8 Encryption and Authentication.............................................................................81 13.8.1 WEP Encryption................................................................................................. 82 13.8.2 WPA Pre-Shared Key Mode (WPA-PSK)........................................................... 83 13.8.3 WPA EAP Mode................................................................................................. 84 13.9 Transmit Power Cap ...........................................................................................85 13.10 Radio Rate ..........................................................................................................86 13.11 Preamble Length.................................................................................................86 13.12 Beacon Interval ...................................................................................................87 13.13 Maximum Link Distance ......................................................................................87 14 Client DHCP Configuration.............................................................................. 89 14.1 Using Local DHCP Servers.................................................................................89 14.2 Using a Centralized DHCP Server ......................................................................92 14.2.1 Support for Clients with Static IP Addresses...................................................... 93 14.2.2 Configuring the EL-500s..................................................................................... 93 14.2.3 Configuring the Central DHCP Server................................................................ 95 15 Connecting an EL-500 to a LAN...................................................................... 97 15.1 Routed mode.......................................................................................................97 15.1.1 Manual Configuration ......................................................................................... 97 15.1.2 Network Address Translation (NAT)................................................................... 98 15.2 Bridge Mode........................................................................................................99 16 Controlling Access to the EL-500 ................................................................. 100 16.1 Firewall..............................................................................................................100 16.2 Gateway Firewall...............................................................................................101
ER-1000 User’s Guide  TR0190 Rev. A1    7 16.3 Blocking Client-to-Client Traffic.........................................................................102 16.4 Connection Tracking .........................................................................................103 16.4.1 Connection Tracking Table Size ...................................................................... 104 16.4.2 Connection Tracking Timeout .......................................................................... 104 16.4.3 Limiting Number of TCP Connections Per Client Device.................................. 105 16.5 Custom Firewall Rules ......................................................................................105 16.6 Access Control Lists (ACLs)..............................................................................107 17 Quality of Service (QoS) Configuration........................................................ 109 17.1 Priority Levels....................................................................................................109 17.2 Rate Limiting .....................................................................................................112 17.3 Rate Reservation ..............................................................................................114 18 Enabling VLAN Tagging ................................................................................ 117 18.1 Client Access Interface Configuration ...............................................................117 18.2 Ethernet Interface Configuration .......................................................................118 19 Integration with Enterprise Equipment ........................................................ 120 19.1 Configuring Splash Pages.................................................................................120 19.1.1 Enabling Splash Pages .................................................................................... 120 19.1.2 Configuring Splash URLs................................................................................. 122 19.1.3 Sample HTML Code for Splash Pages............................................................. 123 19.1.4 Configuring the Authentication Server.............................................................. 124 19.1.5 Trusted MAC Addresses .................................................................................. 125 19.1.6 Bypass Splash Pages for Access to Specific Hosts ......................................... 126 19.2 Layer 2 Emulation .............................................................................................127 20 Diagnostics Tools .......................................................................................... 129 20.1 Ping...................................................................................................................129 20.2 Traceroute.........................................................................................................129 20.3 Packet Capture .................................................................................................130 20.4 Centralized DHCP Testing ................................................................................132 20.5 RADIUS Server Testing ....................................................................................133 20.6 Diagnostic Dump...............................................................................................133 21 Firmware Management .................................................................................. 135 21.1 Displaying the Firmware Version.......................................................................135 21.2 Upgrading the Firmware....................................................................................135 Glossary....... ........................................................................................................................ 137 Abbreviations....................................................................................................................... 138
Chapter 1: Working with the ER-1000  TR0190 Rev. A1    8  1  Working with the EL-500 Thank  you  for  choosing  the  Tranzeo  EL-500  802.11  Access  Point.  The  EL-500  is  a  full-featured access point in a ruggedized enclosure designed for outdoor installation. This user’s guide presents a wide array of configuration options, but only a limited number of options have to be configured in order to deploy an EL-500. 1.1  EL-500 Variants There are two EL-500 variants available, as shown in Table 1.  Model Number  Frequency Band  802.11 standard EL-500HG  2.4 GHz  802.11b/g EL-500HA  5.8 GHz  802.11a Table 1. EL-500 variants  Throughout  the  manual,  “EL-500”  will be  used to  collectively  refer  to  this  family  of products. Where the functionality of the variants differs, the actual model number will be used. 1.2  EL-500 Capabilities Based on the IEEE 802.11b/g and 802.11a standards and complete with FCC certification, the EL-500  family  of  outdoor  access points  are fully  standards  compliant.  This family  of  outdoor access  points has  been  designed  with  a  multitude  of  network  and  management  features  for ease of installation and operation in any new or existing network. Features include:  •  Multiple ESSIDs per radio •  High-powered +26dBm output in 802.11b/g mode •  High-powered +23dBm output in 802.11a mode •  Router or bridge mode operation •  DHCP server •  DHCP relay •  QoS support (IEEE 802.11e WMM) •  VLAN support (IEEE802.1q) •  Security o  WPA o  WPA2 o  WEP 64/128
Chapter 1: Working with the ER-1000  TR0190 Rev. A1    9 o  Stateful packet inspection o  Custom firewall rules •  Web GUI  •  Tranzeo CLI (SSH) •  Remote upgrade •  Configuration management 1.3  EL-500 Interfaces The interfaces available on the EL-500 are Ethernet and a radio port.             Ethernet Figure 1. EL-500 interfaces. AP radio port Expansion port for future use
Chapter 1: Working with the ER-1000  TR0190 Rev. A1    10 Interface  Description AP radio port  N-type antenna connector for access point radio Ethernet  10/100 Mbit Ethernet interface Passive PoE  PoE power input (9-28VDC, 12W) Not compatible with IEEE 802.3af Table 2. EL-500 Interfaces 1.3.1  Ethernet and PoE The EL-500 has a 10/100 Ethernet port that supports passive Power over Ethernet (PoE). The PoE power injector should supply an input voltage between 9-28VDC and a minimum of 12W. The pinout for the Ethernet interface on the EL-500 is provided in Table 3.  The EL-500 is equipped with an auto-sensing Ethernet port that allows both regular and cross-over cables to be used to connect to it.  Pin  Signal  Standard Wire Color 1  Tx+  White/Orange 2  Tx-  Orange 3  Rx+  White/Green 4  PoE V+  Blue 5  PoE V+  White/Blue 6  Rx-  Green 7  Gnd  White/Brown 8  Gnd  Brown Table 3. Ethernet port pinout  To power the EL-500, connect an Ethernet cable from the Ethernet port of the EL-500 to the port labeled “CPE” on the supplied PoE injector and apply power to the PoE injector using the supplied power supply
Chapter 1: Working with the ER-1000  TR0190 Rev. A1    11 DO  NOT  CONNECT  ANY  DEVICE  OTHER  THAN  THE  EL-500  TO  THE  PORT LABELED  “CPE”  ON  THE  PoE  INJECTOR.  NETWORK  EQUIPMENT  THAT DOES  NOT  SUPPORT  PoE  CAN  BE  PERMANENTLY  DAMAGED  BY CONNECTING  TO  A  PoE  SOURCE.  NOTE  THAT  MOST  ETHERNET INTERFACES  ON  PERSONAL  COMPUTERS  (PCs),  LAPTOP/NOTEBOOK COMPUTERS,  AND  OTHER  NETWORK  EQUIPMENT  (E.G.  ETHERNET SWITCHES AND ROUTERS) DO NOT SUPPORT PoE. 1.3.2  Antenna The EL-500 AP radio port is an N-type RF connector that can interface with a wide range of Tranzeo antennas. After purchasing the desired 2.4GHz or 5.8GHz antenna (for the EL-500HG or EL-500HA models respectively), attach the antenna to the access point (AP) radio port on the EL-500. The antenna must be chosen such that its gain combined with the output power of the radio complies with maximum radiation power regulatory requirements in the area the EL-500 is used.  The following is a list of supported accessory antennas sold with the EL-500 family, as shown in Table 2.   Model Number  Included Antennas TR-ODH24-12  Vertical Omnidrectional 2.4 Ghz 12 dBi TR-ODH24-13  Horizontal Omnidrectional 2.4 Ghz 13 dBi TR-SA24-90-9   Vertical Sector, 2.4 Ghz, 90 degree, 9 dBi TR-24H-90-17  Horizontal Sector, 2.4 Ghz, 90 degree, 17 dBi TR-PAN24-15  Panel, 2.4 Ghz, 15 dBi TR-HTQ-5.8-12  Vertical Omni, 5.8 Ghz, 12 dBi TR-58V-60-17  Vertical Sector, 5.8 Ghz, 60 degree, 17 dBi TR-5.8-32Db-Ant   Parabolic dish, 5.8 Ghz, 32 dBi TR-5X-Ant-24  Panel, 5.8 Ghz, 24 dBi                 Table 2 Supported Accessory antennas  1.4  Deployment Considerations The EL-500’s radio operates in either the 2.4 GHz or the 5.8 GHz ISM band, depending on the model. It is possible that there will be other devices operating in these bands that will interfere with the EL-500’s radio. Interference from adjacent EL-500s can also degrade performance if the EL-500s are not configured properly.
Chapter 1: Working with the ER-1000  TR0190 Rev. A1    12 It  is  advisable  to  carry  out  a  site  survey  prior  to  installation  to  determine  what  devices  are operating in the band that your EL-500 uses. To detect the presence of other 802.11 devices, a tool such as Netstumbler (http://www.netstumbler.com/downloads/) can be used. A spectrum analyzer can be used for further characterization of interference in the band. 1.4.1  AP Channel Selection A site  survey should  be  conducted  to determine  which access point channel  will  provide the best  performance.  Some  of  the  802.11b/g  channels  that  the  EL-500HG’s  radio  can  be configured to use are overlapping. Only channels 1, 6, and 11 are non-overlapping.   Figure 2. 802.11b/g channel chart, showing top, bottom, and center frequencies for each channel
Chapter 2: Connecting to the ER-1000  TR0190 Rev. A1    13 2  Connecting to the EL-500 The EL-500 can be configured and monitored by connecting to one of its network interfaces. The  wired  Ethernet  interface  on  the  EL-500  should  be  used  for  initial  configuration  of  the device,  but  the  wireless  network  interface  can  be  used  to  connect  to  the  device  after  initial configuration has been completed. 2.1  Network Interfaces The EL-500 has several network interfaces, as shown in Table 4.   The network interfaces listed in the table below are logical, not hardware, interfaces. Some of the interfaces listed in the table share the same hardware interface.   Interface Hardware Interface  Primary Function Interface Availability Default Address Can be altered by the user? Wired  Ethernet  Connecting to a LAN   Enabled by default  10.253.0.1/24  No Bridge  N/A  Access to the device when operating in bridge mode Enabled in bridge mode 10.253.1.1/24  No Static Configuration  Ethernet Configuring the device before a unique Ethernet IP address has been configured  Always present  169.254.253.253/16  Yes OnRamp Configuration  Ethernet Configuring the device before a unique Ethernet IP address has been configured. Unlike the static configuration interface, this interface’s address can be modified, allowing multiple unconfigured EL-500s to be attached to a LAN Disabled by default  N/A  No VAP 1 – 4  AP radio  Providing connectivity to wireless client devices Only VAP1 enabled by default 10.253.1.1/24 10.253.2.1/24 10.253.3.1/24 10.253.4.1/24 No Centralized DHCP  N/A Provides a gateway for client devices when using centralized DHCP mode All disabled by default  N/A  No Table 4. EL-500 network interfaces  Note that the “Static Configuration” interface is the only interface that has a fixed address that cannot be changed by the user. Since this interface is known to always be present, it can be
Chapter 2: Connecting to the ER-1000  TR0190 Rev. A1    14 used  for  initial  configuration  and  for  accessing  devices  whose  configuration  settings  are unknown. 2.2  Connecting to an Unconfigured EL-500 Use  the  Static  Configuration  interface  with  IP  address  169.254.253.253  and  netmask 255.255.0.0 to establish network connectivity to an unconfigured EL-500.  The  Static  Configuration  interface  functions  only  with  the  EL-500’s  wired interface.  Do  not  try  to  access  the  EL-500  over  a  wireless  link  using  the address of this interface.  To  connect  to  an EL-500 using  its Static Configuration  IP  address,  you must configure  your computer’s  IP  address  to  be  in  the  169.254.253.253/16  subnet,  e.g.  169.254.253.1  and connect the computer’s Ethernet cable to the “PC” port on the EL-500’s PoE injector.  ENSURE THAT THE DATA CONNECTION FROM THE PC OR THE LAN IS MADE TO THE “PC” PORT. DO NOT CONNECT ANY DEVICE OTHER THAN THE EL-500  TO  THE  PORT  LABELED  “CPE”  ON  THE  PoE  INJECTOR.  NETWORK EQUIPMENT  THAT  DOES  NOT  SUPPORT  PoE  CAN  BE  PERMANENTLY DAMAGED  BY  CONNECTING  TO  A  PoE  SOURCE.  NOTE  THAT  MOST ETHERNET  INTERFACES  ON  PERSONAL  COMPUTERS  (PCs), LAPTOP/NOTEBOOK  COMPUTERS,  AND  OTHER  NETWORK  EQUIPMENT (E.G. ETHERNET SWITCHES AND ROUTERS) DO NOT SUPPORT PoE.  Since  the  Static  Configuration  IP  address  is  the  same  for  all  EL-500s,  you should  not  simultaneously  connect  multiple  EL-500s  to  a  common  LAN  and attempt to access them using the Static Configuration IP address.
Chapter 2: Connecting to the ER-1000  TR0190 Rev. A1    15 If you are configuring multiple EL-500s with the same computer in rapid succession, it may be necessary to clear the ARP cache since the IP addresses for the EL-500s will all be the same, but the MAC addresses will vary. The following commands can be used to clear the ARP cache  Windows XP (executed in a command prompt window)  arp -d *  to clear the entire cache, or   arp -d 169.254.253.253  to just clear the EL-500 entry  Linux  arp -d 169.254.253.253 2.3  Default Login and Password The  EL-500’s  default  login  is  ‘admin’  and  the  default  password  is  ‘default’.  The  login  and password are the same for the web interface and the CLI. Changing the password using one of the interfaces will change it for the other interface as well. 2.4  Resetting the ‘admin’ Password The  EL-500  supports  a  password  recovery  feature  for  the  ‘admin’  account,  should  the password be lost.   Completing  the  password  recovery  procedure  requires  that  you  contact Tranzeo  technical  support.  Please  check  the  Tranzeo  website (www.tranzeo.com)  for  how  to  contact  technical  support  and  hours  of operation.  For security purposes, the ‘admin’ password can only be reset in the first 15 minutes of operation of the device. You will be able to power the unit on and off to be able to reset the password.
Chapter 3: Using the Web Interface  TR0190 Rev. A1    16 3  Using the Web Interface The EL-500 has a web interface accessible through a browser that can be used to configure the device and display status parameters. 3.1  Accessing the Web Interface You can access the web interface by entering one of the EL-500’s IP addresses in the URL field of a web browser (see section 2.2 for a description of how to access an unconfigured EL-500 using its Ethernet interface). When you enter this URL, you will be prompted for a login and  password.  The  default  login  and  password  used  for  the  web  interface  are  ‘admin’  and ‘default’, respectively.    Figure 3. Login window for web interface  Since the certificate used in establishing the secure link to the EL-500 has not been signed by a  Certification  Authority  (CA),  your  browser  will  most  likely  display  one  or  more  warnings similar to those shown below. These warnings are expected and can be disregarded.   Figure 4. Certificate warning
Chapter 3: Using the Web Interface  TR0190 Rev. A1    17  A configuration overview page is loaded by default after the login process has been completed. This page contains the following information  •  Firmware version and list of installed patches •  System uptime •  System mode of operation (router or bridge)  •  Bridge information (if bridge mode is selected) •  IP addresses, netmasks, and MAC addresses for each client access interface •  Status, channel, ESSID, and encryption type for each virtual access point interface •  VLAN status and ID for all interfaces  To access the status page from any other page in the web interface, click on the “Status” link in the navigation bar that appears on the left side of the web interface.   Figure 5. Configuration overview page displayed when logging in
Chapter 3: Using the Web Interface  TR0190 Rev. A1    18 3.2  Navigating the Web Interface The web interface uses a three-tiered navigation scheme.   1.  The first tier of navigation is the navigation bar shown on the left side of the screen. This navigation bar is displayed on all pages in the web interface and remains the same on all pages. 2.  The  second  tier  of  navigation  is  the  primary  row  of  tabs  shown  across  the  top  of  the screen on many of the pages in the web interface. The labels in these tabs vary based on which page is selected on the navigation bar. 3.  The third tier of navigation is the second row of tabs shown below the first row. These tabs are not present on all pages and their labels vary based on the selections made on the navigation bar and the primary row of tabs.   Figure 6. Web interface navigation components  The time displayed at the top of the navigation bar is the current time of the PC used to log in to the web GUI, not the time kept by the EL-500. 3.3  Setting Parameters Many of  the  web  interface  pages allow you  to set  EL-500 operating  parameters.  Each  page that  contains  settable  parameters  has  a  “Save  Changes”  button  at  the  bottom  of  the  page. When you have made your changes on a page and are ready to commit the new configuration, 1 2 3
Chapter 3: Using the Web Interface  TR0190 Rev. A1    19 click on the “Save Changes” button. It typically takes a few seconds to save the changes, after which the page will be reloaded.   For  the  changes  to  take  effect,  the  EL-500  must  be  rebooted.  After  a  change  has  been committed, a message reminding the user to reboot the EL-500 will be displayed at the top of the screen.   Figure 7. Page showing "Save Changes" button and message prompting the user to reboot 3.4  Help Information Help information is  provided on most  web  GUI  pages.  The  help information is  shown on the right-hand side of the page. The help information can be hidden by clicking on the ‘Hide Help’ link inside the help frame. When help is hidden, it can be displayed by clicking on the ‘Show help’ link. 3.5  Rebooting Click on the “Reboot” link on the left of the page and then click on the “Reboot Now” button to reboot the EL-500. Any changes made prior to rebooting will take effect following completion of the boot process.  It takes approximately 3 minutes for the device to reboot.
Chapter 3: Using the Web Interface  TR0190 Rev. A1    20  Figure 8. Rebooting the EL-500
Chapter 4: Using the Command Line Interface  TR0190 Rev. A1    21 4  Using the Command Line Interface All configurable EL-500 parameters can be accessed with a Command Line Interface (CLI).   The CLI allows you to:  •  Modify and verify all configuration parameters •  Save and restore device configurations •  Reboot the device •  Upgrade the firmware 4.1  Accessing the CLI The EL-500’s command-line interface (CLI) is accessible through its network interfaces using an SSH client. Any of the network interfaces can be used to establish the SSH connection to the EL-500.  However, connecting through the Ethernet port is required for devices  that have not previously been configured.   Windows  XP  does  not  include  an  SSH  client  application.  You  will  need  to install  a  3rd-party  client  such  as  SecureCRT  from  Van  Dyke  software (http://www.vandyke.com/products/securecrt)  or  the  free  PuTTY  SSH  client (http://www.putty.nl/) to connect to an EL-500 using SSH.    When you log in to the EL-500, the CLI will present a command prompt. The shell timeout is displayed  above  the  login  prompt.  The  CLI  will  automatically  log  out  a  user  if  a  session  is inactive for longer than the timeout period. Section 9.9 describes how to change the timeout period.  Shell timeout: 3 minutes.  Press '?' for help.. > 4.2  User Account The user login used to access the EL-500 is ‘admin’. The procedure for changing the password for this account is described in section 9.1.
Chapter 4: Using the Command Line Interface  TR0190 Rev. A1    22 4.3  CLI Interfaces The  CLI  provides  the  user  with  a  number  of  interfaces  that  contain  related  parameters  and controls. Some of these interfaces are hardware interfaces, such as Ethernet, while others are virtual interfaces that contain a set of related parameters.  The available interfaces are:  •  wlan1, wlan2, wlan3, wlan4 – controls for the virtual APs supported by the EL-500 •  eth0 – controls for the Ethernet interface •  br0 – controls for bridge mode •  firewall – controls firewall settings •  qos – controls Quality of Service (QoS) settings  •  version – displays version information for the installed firmware •  system – system settings   The currently selected interface is shown as part of the command prompt. For example, when the wlan1 interface is selected, the command prompt will be  wlan1>   After logging in, no interface is selected by default. Before setting or retrieving any parameters, an interface must be selected. 4.4  CLI Features The CLI has a number of features to simplify the configuration of the EL-500. These features are explained in the following sub-sections. 4.4.1  Control of the Cursor The  cursor  can  be  moved  to  the  end  of  the  current  line  with  Ctrl+E.  Ctrl+A  moves  it  to  the beginning of the line. 4.4.2  Cancel a Command Ctrl+C cancels the input on the current command line and moves the cursor to a new, blank command line.
Chapter 4: Using the Command Line Interface  TR0190 Rev. A1    23 4.4.3  Searching the Command History The command history can be searched by pressing Ctrl+R and entering a search string. The most  recently  executed  command  that  matches  the  string  entered  will  be  displayed.  Press ‘Enter’ to execute that command.  4.4.4  Executing a Previous Command By using the up and down arrow keys you can select previously executed commands. When you find the command you wish to execute, you can either edit it or press ‘Return’ to execute it.  4.5  CLI Commands The  usage  of  all  CLI  commands  is  explained  in  the  following  subsections.  The  command syntax used is  command <mandatory argument>  command [optional argument] 4.5.1  ‘?’ command Syntax  ?   Description   Pressing ‘?’ at any time in the CLI will display a help menu that provides an overview  of  the  commands  that  are  described  in  this  section.  It  is  not necessary to press ‘Enter’ after pressing ‘?’. 4.5.2  ‘whoami’ command Syntax  whoami   Description   Displays the name of the user you are logged in as.
Chapter 4: Using the Command Line Interface  TR0190 Rev. A1    24 4.5.3   ‘help’ command Syntax  help [command|parameter]  where  the  optional  argument  is  either  one  of  the  CLI  commands (“[command]”)  or  a  parameter  in  the  currently  selected  interface (“[parameter]”).   Description   When no argument follows the help command, a help menu showing a list of available commands is displayed. When a command is supplied as the argument, a help message for that particular command is displayed. When a  parameter  in  the  current  interface  is  specified  as  the  argument,  help information for it is displayed.    Example  help get  will  display  the  help  information  for  the  ‘get’  command.  With  the  ‘sys’ interface selected  sys> help scheme  displays help information about that ‘scheme’ parameter, as shown below                scheme : wireless node type 4.5.4   ‘show’ command Syntax  show   Description   Displays  all  available  interfaces.  An  interface  in  this  list  can  be  selected with the ‘use’ command.
Chapter 4: Using the Command Line Interface  TR0190 Rev. A1    25 4.5.5   ‘use’ command Syntax  use <interface>  where  <interface>  is  one  of  the  EL-500’s  interfaces.  A  complete  list  of interfaces is available with the ‘show’ command.   Description   Selects  an  interface  to  use.  By  selecting  an  interface  you  can  view  and modify the parameters associated with the interface.    Example  use wlan1  will select the wlan1 virtual AP interface and change the CLI prompt to   wlan1>  to reflect the interface selection. 4.5.6   ‘set’ command Syntax  set <parameter>=<value>  where <parameter> is the parameter being set and <value> is the value it is being set to.    Description   Sets  a  configuration  parameter.  Note  that  is  only  possible  to  set  the parameters  for  the  currently  selected  interface.  If  the  value  of  the parameter  contains  spaces,  the  value  must  be  surrounded  by  double quotes (“ “).  If a valid 'set' command is entered, it will output its result and any effects on other parameters. If changes are made to attributes of other interfaces as a result of changing the parameter, these attributes are preceded by a '/' to signify that they are in another interface.   Changing certain parameters will require the EL-500 to be rebooted.    Example  With the ‘sys’ interface selected  set id.node=2  will set the node ID to 2
Chapter 4: Using the Command Line Interface  TR0190 Rev. A1    26 4.5.7   ‘get’ command Syntax  get <parameter>  where <parameter> is the parameter whose value is being fetched.   Description   Gets  the  value  of  one  or  more  configuration  parameters  for  the  currently selected  interface.  The  ‘*’  character  can  be  used  to  specify  wildcard characters.  This  allows  multiple  values  to  be  fetched  with  a  single command.    Example  With the ‘eth0’ interface selected  get ip.address  will return the Ethernet interface’s IP address, while   get ip.*  will return all parameters that begin with ‘ip.’   ip.address = 10.6.0.1   [read-only]  ip.address_force =   ip.broadcast = 10.6.0.255   [read-only]  ip.broadcast_force =   ip.gateway =    [read-only]  ip.gateway_force =   ip.implicit.size.actual = 31   [read-only]  ip.implicit.size.requested = 31  ip.implicit.start.actual = 225   [read-only]  ip.implicit.start.requested = 225  ip.netmask = 255.255.255.0   [read-only]  ip.netmask_force =
Chapter 4: Using the Command Line Interface  TR0190 Rev. A1    27 4.5.8  ‘list’ command Syntax  list   Description   Lists all parameters for the selected interface    Example  With the ‘eth0’ interface selected  list   will display   acl.mode         : access control list mode  dhcp.default_lease_time : default dhcp lease expiration in…   dhcp.max_lease_time : maximum requestable dhcp lease…    dhcp.relay.enable : use dhcp relay (if sys.dhcp.relay.enable=yes)  dhcp.reserve     : ip addresses to reserve at bottom of range…  dhcp.role        : interface dhcp role (none, client, server)  enable           : interface is enabled  ip.address       : IP address   [read-only]  ip.address_force : override .ip.address (or blank)  ip.broadcast     : broadcast address   [read-only]  ip.broadcast_force : override .ip.broadcast (or blank)  ip.gateway       : gateway   [read-only]  ip.gateway_force : override .ip.gateway (or blank)  ip.implicit.size.actual : actual size of address range  ip.implicit.size.requested : requested size of address range…   ip.implicit.start.actual : actual interface fourth octet     ip.implicit.start.requested : requested interface fourth octet…   ip.netmask       : network mask   [read-only]  ip.netmask_force : override .ip.netmask (or blank)  routes.static    : static routes for this interface  vlan.enable      : use a vlan?  vlan.id          : vlan id (avoid 0 and 1 normally)  vpn.enable       : enable vpn on gateway node  vpn.keyfile      : base name of crt/key files  vpn.port         : port number for vpn  vpn.server       : hostname or ip address of the vpn server 4.5.9  ‘ping’ command Syntax  ping <IP address or hostname>   Description   Pings a remote network device. Halt pinging with Ctrl+C    Example  ping 172.29.1.1
Chapter 4: Using the Command Line Interface  TR0190 Rev. A1    28 4.5.10   ‘ifconfig’ command Syntax  ifconfig <eth0|wlan[1-4]>   Description   Displays  information,  such  as  IP  address  and  MAC  address,  for  the specified network interface.    Example  ifconfig wlan1  will display  wlan1     Link encap:Ethernet  HWaddr 00:15:6D:52:01:FD             inet addr:10.2.10.1  Bcast:172.29.255.255  Mask:255.255.0.0           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1           RX packets:0 errors:0 dropped:0 overruns:0 frame:0           TX packets:2434 errors:0 dropped:0 overruns:0 carrier:0           collisions:0 txqueuelen:0            RX bytes:0 (0.0 b)  TX bytes:233128 (227.6 Kb) 4.5.11  ‘route’ command Syntax  route   Description   Displays the current route table. 4.5.12   ‘clear’ command Syntax  clear   Description   Clears the screen
Chapter 4: Using the Command Line Interface  TR0190 Rev. A1    29 4.5.13  ‘history’ command Syntax  history   Description   Shows the command history since the EL-500 was last rebooted   Example  After switching  to the ‘wlan1’ interface, inspecting the ESSID setting, and then changing it  history   will display  1: use wlan1 2: get essid 3: set essid=new_ap_essid
Chapter 4: Using the Command Line Interface  TR0190 Rev. A1    30 4.5.14  ‘!’ command Syntax  !<command history number> !<string that matches start of previously-executed command> !!   Description   Executes  a  previously-executed  command  based  either  on  a  command history  number  or  matching  a  string to  the  start  of  a  previously-executed command. Note that there is no space between the ‘!’ and the argument.  The  ‘history’  command  shows  the  command  history,  with  a  number preceding  each  entry  in  the  command  history.  Use  this  number  as  an argument to the ‘!’ command to execute that command from the history.  When a string is provided as an argument to the ‘!’ command, the string will be  matched against the beginning  of previously-executed commands and the most recently executed command that matches will be executed.  Use ‘!!’ to execute the last command again.   Example  If the command history is as follows  1: use wlan1 2: get essid 3: set essid=new_ap_essid1 4: use wlan2 5: set essid=new_ap_essid2  the command  !1  will execute   use wlan1  The command  !use  will execute   use wlan2
Chapter 4: Using the Command Line Interface  TR0190 Rev. A1    31 4.5.15  ‘exit’ command Syntax  exit   Description   Terminates the current CLI session and logs out the user 4.5.16  ‘quit’ command Syntax  quit   Description   Terminates the current CLI session and logs out the user
Chapter 5: Initial Configuration of an ER-1000  TR0190 Rev. A1    32 5  Initial Configuration of an EL-500 This  user’s  guide  provides  a  comprehensive  overview  of  all  of  the  EL-500’s  features  and configurable  parameters.  However,  it  is  possible  to  deploy  a  network  of  EL-500s  while  only changing  a  limited  number  of  parameters.  The  list  below  will  guide  you  through  a  minimal configuration procedure that prepares a network of EL-500s for deployment.   1  Change the ‘admin’ password.  The  default  password  should  be  changed  to  prevent unauthorized access to the EL-500. See section 9.1 2  Set the node ID The  node  ID  affects  the  client  access  interface  IP  address spaces when the using implicit addressing scheme. See section 9.2 3  Set the DNS servers Specify DNS servers to allow hostnames to be resolved.  See section 9.3  To simplify initial configuration, the web GUI has a page that allows the user to change all the parameters listed in this section on a single page. This page can be accessed by clicking on the ‘Minimal configuration’ link in the web interface navigation bar on the left side of the web interface.  In  addition  to  setting  the  parameters  on  the  “Minimal  Configuration”  page, OnRamp  access  should  be  disabled  after  initial  programming.  See  section 9.11 for instructions on how to enable OnRamp access to the EL-500.
Chapter 5: Initial Configuration of an ER-1000  TR0190 Rev. A1    33  Figure 9. Initial configuration web page
Chapter 6: Status Information  TR0190 Rev. A1    34 6  Status Information Multiple  web  interface  pages  that  display  status  information  about  the  EL-500  and  client devices  attached  to  it  are  available.  These  web  pages  are  accessible  by  clicking  on  the “Status” link in the navigation bar and then selecting the appropriate tab shown at the top of the page.  The status information is not accessible through the CLI. 6.1  Configuration Overview Page The main status page, which is displayed when clicking on “Status” in the navigation bar and when logging in, is the “Config Overview” page.    Figure 10. Partial configuration overview page  The  configuration  overview  page  shows  a  summary  of  settings  for  the  virtual  access  point interfaces  and  the  wired  interface.  The  firmware  version,  uptime  of  the  device,  and  its operating mode are also displayed.   Links labeled “(change)” are shown next to the  settable  parameters. These links take you to the appropriate page to change the setting.
Chapter 6: Status Information  TR0190 Rev. A1    35 6.2  Interface Status Traffic  and  neighbor  information  for  the  virtual  AP  and  wired  interfaces  are  available  on  the “Status”  tab of the “Status” page. Select the appropriate interface for which you wish to  view information from the row of tabs below the primary tab row. 6.2.1  Virtual AP Interfaces The  sub-tabs  display  status  information  about  the  virtual  AP  interfaces.  Data  statistics information for the interface are displayed, showing received and transmitted data in terms of bytes and packets.  On  the  “wlan”  sub-tabs,  the  client  devices  connected  to  the  virtual  APs  are  displayed.  The following information is displayed for each client device:  •  MAC address •  IP address •  Quantity of data received from the client device and transmitted to the client device •  Received signal strength (RSSI) in dBm and in parentheses the associated signal level based on a noise floor of -96dBm •  Time since last reception from the device •  A summary of the capabilities of the client device’s radio card   Figure 11. Status information for one of the virtual AP interfaces
Chapter 6: Status Information  TR0190 Rev. A1    36 6.2.2  Wired Interface Status The  wired  interface  status  pages  is  similar  to  the  wireless  interface  status  pages,  with  the exception that it only displays summary information for the interface and does not break down data transferred on a per-device basis.   Figure 12. Wired interface status information 6.3  Bridging The  “Bridging”  tab  is  only  present  when  the  EL-500  is  in  bridge  mode.  This  page  displays information  about  the  current  bridge  configuration.  A  summary  of  the  interfaces  that  are bridged is provided at the top of the page. This is followed by a list of known devices, identified by their MAC addresses.
Chapter 6: Status Information  TR0190 Rev. A1    37  Figure 13. Bridging status information 6.4  Routing Table The routing table used by the device can be displayed by selecting the “Routing” tab on the “Status” page.
Chapter 6: Status Information  TR0190 Rev. A1    38  Figure 14. Routing table 6.5  ARP Table The device’s ARP table can be displayed by selecting the “ARP” tab on the “Status” page.   Figure 15. ARP table
Chapter 6: Status Information  TR0190 Rev. A1    39 6.6  Event Log The  main  system  log  for  the  device  is  accessible  by  selecting  “Event  Log”  on  the  “Status” page.  The  log  is  displayed  in  reverse  chronological  order,  with  the  last  recorded  event appearing at the top of the page.   Figure 16. Event log  The time reported in the Event Log corresponds to the time maintained by the EL-500  and  may  not  be  consistent  with  that  shown  in  the  upper  left  corner  of  the webpage as this is the time maintained by the computer running the web browser. 6.7  DHCP Event Log The log of DHCP-related  events for the device is accessible by selecting “DHCP Events” on the “Status” page. The log is displayed in reverse chronological  order, with the last recorded event appearing at the top of the page. All times in the log are in UTC time. Messages related to both local and relayed DHCP activity are displayed in the log.
Chapter 6: Status Information  TR0190 Rev. A1    40  Figure 17. DHCP event log  The time reported in the DHCP Log corresponds to the time maintained by the EL-500and  may  not  be  consistent  with  that  shown  in  the  upper  left  corner  of  the webpage as this is the time maintained by the computer running the web browser.
Chapter 7: Configuration Profile Management  TR0190 Rev. A1    41 7  Configuration Profile Management Configuration profiles describe an EL-500’s configuration state and can be created to simplify the provisioning and management of devices. The EL-500 supports the following configuration profile-related actions:  •  Saving the current configuration as a configuration profile •  Loading, or applying, a configuration profile stored on an EL-500 to the device •  Downloading a configuration profile stored on the EL-500 to a computer •  Uploading a configuration profile from a computer to the EL-500 •  Deleting a configuration profile stored on the EL-500  Currently configuration profile management is only supported via the web interface.  7.1  Saving the Current Configuration The current configuration can be saved on the “Save” tab on the “Profile Management” page. Enter a profile name or select an existing profile name from the list of existing configurations, and  then  click  on  “Save  Profile”.  The  saved  profile  is  stored  locally  on  the  EL-500  and  will appear in the “Existing profiles” text box. Use the “Download from Node” tab to download it to a different device.   Figure 18. Save a configuration profile
Chapter 7: Configuration Profile Management  TR0190 Rev. A1    42 7.2  Load a Configuration Profile A  configuration  stored  on  the  EL-500  can  be  applied  using  the  “Load”  tab  on  the  “Profile Management”  page. This profile must  either have been saved earlier or uploaded to the EL-500. Choose a profile name from the “Existing Profiles” box and then click on “Load Profile”. It is necessary to reboot the EL-500 for the loaded profile settings to take effect.  A  number  of  default  configuration  profiles  are  available  on  the  EL-500.  They  are TBD.   Figure 19. Load a configuration profile 7.3  Delete a Configuration Profile A  locally-stored  configuration  profile  can  be  deleted  using  the  “Delete”  tab  on  the  “Profile Management” page. Choose a profile to delete from the profile drop-down box on the page and then click on “Delete Profile”.
Chapter 7: Configuration Profile Management  TR0190 Rev. A1    43  Figure 20. Deleting a configuration profile 7.4  Downloading a Configuration Profile from an EL-500 A configuration profile can be download from an EL-500 using the “Download from node” tab on the “Profile Management“ page. The existing configuration profiles are listed on this page. Click on the one that is to be downloaded to your computer and you will be given the option to specify where the profile should be saved on the host computer.    Figure 21. Downloading a configuration profile from an EL-500
Chapter 7: Configuration Profile Management  TR0190 Rev. A1    44 7.5  Uploading a Configuration Profile to an EL-500 A configuration  profile  can  be uploaded  to an EL-500  using the “Upload to node” tab  on the “Profile  Management”  page.  Use  the  “Browse”  button  to  select  a  profile  file  on  your  host computer  for upload to the EL-500. Alternatively,  enter the file name by hand in the text box adjacent to the “Browse” button. Click on the “Upload Profile” button to upload the selected file to the EL-500.   Figure 22. Uploading a configuration profile to an EL-500
Chapter 8: Mode of Operation  TR0190 Rev. A1    45 8  Mode of Operation The EL-500 can be configured to operate in either routed or bridge mode. In routed mode, all communication  is  managed  at  the  IP  (layer  3)  level,  with  the  EL-500  acting  as  a  router.  In bridge mode, all communication across the EL-500 is managed at the MAC (layer 2) level, with the EL-500 acting as a switch.  The  choice  of  the  operating  mode  affects  the  availability  of  many  of  the  EL-500’s  features, which is reflected in the web GUI options available when a particular mode is chosen. Table 5 summarizes the feature differences between the two modes  Feature  Bridge Mode  Routed mode DHCP •  The bridge interface can be a DHCP client.  •  All DHCP requests from client devices attaching to the virtual APs must be handled by a separate device on the network •  The wired interface can be a DHCP client. •  DHCP requests from client devices attaching to the virtual APs can be handled by a local DHCP server on the EL-500 or can be forwarded to a centralized server Splash pages  Not available  Available Firewall  Custom firewall rules cannot be added Custom firewall rules can be added Wired and virtual AP IP addresses The interfaces do not have IP addresses IP addresses must be assigned to the interfaces QoS  Not available  Available DNS proxy  Not available  Available Table 5. Feature differences between bridge and routed mode  When switching to bridge mode, all the IP addresses for virtual access points ‘wlan1 – 4’ and the wired interface will be disabled. A bridge interface will be created  to  provide  IP  access  to  the  EL-500  in  bridge  mode.  By  default  the address of this interface will be set to <LAN prefix first octet>.<node ID>.1.1 It is  recommended  that  an  IP  address  is  explicitly  set  for  the  bridge  interface when  switching  to  bridge  mode.  See  section  12.1  for  instructions  on  how to set the bridge interface parameters.  Certain  web  GUI  pages  are  only  available  when  the  device  is  configured  for  bridge  mode operation. These pages are:  •  “L2 Bridge” in the main navigation bar •  “Bridging” tab on the “Status” page
Chapter 8: Mode of Operation  TR0190 Rev. A1    46 CLI The  EL-500’s operating mode is  set with the  ‘scheme’ parameter  in  the  ‘sys’ interface. Valid values  are  ‘aponly’  for  routed  mode  and  ‘l2bridge’  for  bridge  mode.  For  example,  set  the operating mode  to routed mode with:  > use sys sys> set scheme=aponly  Web GUI The operating mode can be set via the web interface using the “System” tab on the “System Parameters” page.    Figure 23. Setting operating mode
Chapter 9: System Settings  TR0190 Rev. A1    47 9  System Settings This section describes settings that are applicable to the overall operation of the EL-500, but are not related directly to a particular interface. 9.1  User Password The password for the ‘admin’ user is configurable. The default password is ‘default’.   See section 2.4 for instructions on resetting the ‘admin’ password if it has been lost.  CLI The  password  for  the  ‘admin’  user  can  be  set  using  the  ‘password.admin’  parameter  in  the ‘sys’ interface. The password will not be displayed when using the ‘get’ command with these parameters. The example below shows how to set the ‘admin’ password using the CLI.  > use sys sys> set password.admin=newpass  Web GUI The ‘admin’ password can be changed via the web interface using the “Passwords” tab on the “System Parameters” page.    Figure 24. Passwords page
Chapter 9: System Settings  TR0190 Rev. A1    48 9.2  Node ID The only use of the node ID parameter when operating in bridge mode is for setting the default IP address of the bridge interface when one has not been explicitly set or acquired via DHCP.  The node ID assigned to an EL-500 affects the IP address spaces assigned to each of the EL-500’s  virtual  AP  client  access  interfaces  when  it  uses  implicit  addressing  in  routed  mode.  If multiple EL-500s are  connected to  the  same LAN,  it is  recommended that  they  be  assigned different  node  IDs  unless  they  have  the  NAT  option  enabled  or  use  the  explicit  addressing scheme.   CLI The node ID is set with the ‘id.node’ parameter in the ‘sys’ interface as shown below.  > use sys sys> set id.node=107  Web GUI The  node  ID  can  be  set  via  the  web  interface  using  the  “System”  tab  on  the  “System Parameters” page as shown in Figure 25.    Figure 25. System settings page with EL-500 in routed mode BRIDGE
Chapter 9: System Settings  TR0190 Rev. A1    49 9.3  DNS / Domain Settings At least one DNS server, accessible from the EL-500, must be specified for the device to be able to resolve host names. This DNS server is also provided to client devices that acquire an IP address from the local DHCP server on an EL-500.  If an EL-500 acquires DNS server information through DHCP on its wired interface, this DNS server information will overwrite any manually set DNS server setting.  When operating in bridge mode, the DNS settings are only used locally by the EL-500 and are not provided to any other devices on the network.  CLI The  DNS  server(s)  used  by  an  EL-500  are specified  with  the  ‘dns.servers’  parameter  in  the ‘sys’ interface. To specify multiple DNS servers, list them as a space-delimited string enclosed by quotes as shown in the example below  > use sys sys> set dns.servers =”10.5.0.5 192.168.5.5”    Web GUI A primary and secondary DNS server can be set via the web interface using the “DNS” tab on the “System Parameters” page.    Figure 26. Setting the DNS and Netbios server(s) BRIDGE
Chapter 9: System Settings  TR0190 Rev. A1    50 9.4  DNS Proxy Configuration DNS proxy entries  can be added  to  an  EL-500  to  force  local  resolution  of  host names to  IP addresses for the hosts in the proxy list. Use of a DNS proxy list on the EL-500 is a two step process, first populating the host name/IP address pairs, and then enabling DNS proxy.  DNS proxy is not supported when operating in bridge mode.  CLI A list of hostname/IP address to be resolved locally can be specified using the ‘dnsproxy.hosts’ parameter  in  the  ‘sys’  interface.  If  multiple  hostname/IP  address  entries  are  specified,  they must  be  separated  by  semi-colons,  as  shown  in  the  example  below.  DNS  proxy  must  be explicitly  enabled using  the ‘dnsproxy.enable’ parameter in  the ‘sys’ interface  after  the list of hosts has been specified.  > use sys sys> set dnsproxy.enable=yes sys> set dnsproxy.hosts=”server1.domain.com=10.0.0.1;server2.domain.com=10.0.0.129”  Web GUI DNS  proxy  can  be  enabled  on  the  “DNS  Proxy”  sub-tab  on  the  “DNS”  tab  on  the  “System Parameters” page  as  shown in  Figure  27.  Hostname/IP  address  pairs can  be added  on  this page as well.   Figure 27. Configuring DNS proxy BRIDGE
Chapter 9: System Settings  TR0190 Rev. A1    51 9.5  NetBIOS Server The  NetBIOS  server  parameter  is  used  to  define  a  NetBIOS  server’s  IP  address  that  is provided to client devices when configured by the EL-500’s local DHCP server.  The NetBIOS settings are not used when operating in bridge mode.   CLI The NetBIOS server is set with the ‘netbios.servers’ parameter in the ‘sys’ interface. To specify multiple NetBIOS servers, list them as a space-delimited string enclosed by quotes as shown in the example below  > use sys sys> set netbios.servers =”10.6.0.5 192.168.6.5”  Web GUI A primary and secondary NetBIOS server can be set via the web interface using the “DNS” tab on the “System Parameters” page (see Figure 26).  9.6  SNMP The EL-500 supports SNMP.  The read-only and read-write passwords and the port that SNMP uses can be configured. A contact person and device location can also be specified as part of the SNMP configuration.  CLI The  SNMP  read-only  and  read/write  passwords  are  set  with  the  ‘snmp.community.ro’  and ‘snmp.community.rw’ parameters in the ‘sys’ interface. The example below shows how to set these parameters.  > use sys sys> set snmp.community.ro=”read-only_password” sys> set snmp.community.rw=”read-write_password”  The SNMP port is set with the ‘snmp.port’ parameter in the ‘sys’ interface as shown below. By default this parameter is set to “161”.  > use sys sys> set snmp.port=161 BRIDGE
Chapter 9: System Settings  TR0190 Rev. A1    52  The  contact  person  and  location  of  the  device  located  via  SNMP  are  set  with  the ‘snmp.contact. and ‘snmp.location’ parameters in the ‘sys’ interface as shown below.  > use sys sys> set snmp.contact=”Joe Smith” sys> set snmp.location=”123 Main St., Anytown, USA”  Web GUI The  SNMP-related  parameters  can  be  set  on  the  “SNMP”  tab  on  the  “System”  page  (see Figure 28).   Figure 28. SNMP configuration 9.7  Location Two types of device location information can be stored:  •  Latitude/longitude/altitude  •  Postal address or description a device’s location  Note that these values are not automatically updated and must be entered after a device has been  installed.  Altitude  is  in  meters.  Latitude  and  longitude  must  be  given  as  geographic coordinates in decimal degrees, with latitude ranging from -90 to 90 (with negative being south, positive being north) and longitude ranging from -180 to 180 (with negative being west, positive being east).
Chapter 9: System Settings  TR0190 Rev. A1    53  CLI The  geographic  location  of  the  EL-500  can  be  stored  in  the  following  fields  in  the  ‘sys’ interface:  •  sys.location.gps.altitude •  sys.location.gps.latitude •  sys.location.gps.longitude  For example, you can set the latitude value as follows.  > use sys sys> set location.gps.latitude=”34.01”  A  description  of  the  EL-500’s  location  can  be  stored  in  the  ‘location.postal’  field  in  the  ‘sys’ interface. For example, you can set the location value as shown below.  > use sys sys> set location.postal=”Light post near 123 Main St., Anytown, CA”  Web GUI The  location  information  can  be  set  via  the  web  interface  using  the  “Location”  tab  on  the “System Parameters” page.    Figure 29. Setting location and certificate information
Chapter 9: System Settings  TR0190 Rev. A1    54 9.8  Certificate Information A certificate for use with  splash pages and the web interface is locally generated on the EL-500. The information embedded in this certificate can be defined by the user. A new certificate is automatically generated when the parameters describing the EL-500’s location are changed. The  specific  location  parameters  to  which  the  certificate  is  tied  to  are  listed  in  the  sections below.  CLI The information used in certificate generation can be set using the ‘organization’ parameters in the ‘sys’ interface. These parameters are:  •  sys.organization.name  –name  of  organization  (must  be  enclosed  in  quotes  if  it  contains spaces) •  sys.organization.city – city name (must be enclosed in quotes if it contains spaces) •  sys.organization.state – state name •  sys.organization.country – two-letter country abbreviation  Web GUI The  certificate  information  can  be  set  via  the  web  interface  using  the  “Location”  tab  on  the “System  Parameters”  page  (see  Figure  29).  Changing  any  of  the  Organization,  City, State/Province, or Country parameters will cause the certificate information to be recalculated. 9.9  Time Synchronization An  EL-500  can  be  configured  to  synchronize  its  internal  clock  with  an  external  RFC-868-compliant  time  server.  The  time  synchronization  will  ensure  that  proper  time  stamps  are displayed for entries in the event logs that are available on the web GUI’s “Status” page.  CLI The time synchronization server is set with the ‘time.rfc868.server’ in the ‘sys’ interface. The example below shows how to set the time synchronization server.  > use sys sys> set time.rfc858.server=”your.timeserver.here”  It is not possible to manually adjust the device time through the CLI. Please use the web GUI to adjust it.
Chapter 9: System Settings  TR0190 Rev. A1    55 Web GUI The  synchronization  mode  and  server  can  be  set  on  the  “Time”  tab  on  the  “System”  page  (Figure 30).   Figure 30. Automatic time synchronization  When automatic synchronization is disabled, the user can set the EL-500’s UTC time (Figure 31).  Enter  the  time  using  the  available  drop-down  menus  and  check  the  “Change  Time” checkbox.   Figure 31. Setting the time manually
Chapter 9: System Settings  TR0190 Rev. A1    56 9.10  Web GUI Console The web interface allows the user to set parameters that are not otherwise settable through the web interface using a console interface. The console is available on the “Console” tab on the “System” page.   CLI  key/value pairs  can  be  entered  through the  console.  The key  format  used  is  “<interface name>.<key>”. For example, “wlan1.channel” is the key to set the channel used by virtual AP wlan1. To use the console, enter one or more key/value pairs in the large text box on the page, either  separating  each  pair  with  a  space  or  placing  each  pair  on  its  own  line.  Click  on  the “Submit Commands” button to set the values entered in the text box.   Figure 32. Web interface console 9.11  OnRamp Configuration Access ONRAMP  IS  A  PC-BASED  TOOL  THAT  WILL  BECOME  AVAILABLE  TO SUPPORT  INITIAL  CONFIGURATION  OF  THE  EL-500.  IT  HAS  NOT  BEEN RELEASED  AT  THE  TIME  OF  THE  WRITING  OF  THIS  DOCUMENT.  CHECK WWW.TRANZEO.COM/ONRAMP FOR STATUS.  IT  IS  RECOMMENDED  THAT  ONRAMP  CONFIGURATION  ACCESS  IS DISABLED UNTIL THE TOOL IS MADE AVAILABLE.
Chapter 9: System Settings  TR0190 Rev. A1    57 The OnRamp utility provides network detection and configuration capabilities for EL-500s. The configuration capabilities are only intended for initial configuration and for security reasons, it is strongly  recommended  that  OnRamp  configuration  capability  is  disabled  after  initial configuration.   You  can  use  the  CLI, the  web  interface, or OnRamp  to determine  whether a  device  can be configured from OnRamp. In OnRamp, the “Prog” column displays the programming capability from OnRamp.  A ‘Y”  in this column  indicates that  OnRamp  can configure  the  device, an ‘N’ indicates that it cannot.  CLI The OnRamp configuration capability is controlled by the ‘provisioning.enable’ parameter in the ‘sys’ interface. Set this parameter to ‘0’ to disable configuration through OnRamp, as shown in the example below.  > use sys sys> set provisioning.enable=0  Web GUI The OnRamp configuration capability is set on the “OnRamp” tab on the “Security” page (see Figure 33).   Figure 33. OnRamp configuration access
Chapter 9: System Settings  TR0190 Rev. A1    58 9.12  CLI Timeout The  CLI  will automatically log out  a  user  if  the interface  has  remained  inactive  for  a  certain length  of  time.  The  time,  in  seconds,  that  a  shell  must  remain  inactive  before  a  user  is automatically  logged  out  is  set  with  the  ‘shell.timeout’  parameter  in  the  ‘sys’  interface,  as shown  in  the  example  below.  The  maximum  idle  time  that  can  be  set  is  21600  seconds  (6 hours).   > use sys sys> set shell.timeout=300
Chapter 10: Client Addressing Schemes  TR0190 Rev. A1    59 10  Client Addressing Schemes The  client  addressing  scheme  setting  has  no  effect  when  the  EL-500  is operating in bridge mode.   The choice of client addressing scheme affects how EL-500 client access interface addresses are assigned. The EL-500 can be configured to use an implicit addressing scheme for its client access  interfaces,  where  the  address  spaces  assume  a  default  size  and  the  addresses  are affected  by  a  number  of  settable  parameters.  Alternatively,  explicit  address  spaces  can  be defined for each client access interface. The addressing scheme choice also affects what the addresses  of  client  devices  will  be  when  the  EL-500  is  not  operating  in  centralized  DHCP server mode.   Table  6  compares  how  the  behavior  of  the  EL-500  differs  depending  upon  the  addressing scheme that is chosen.  Feature  Implicit addressing scheme  Explicit addressing scheme Client access interface addresses Derived from node ID and LAN prefix settings. Client access interface addresses cannot be directly set. Can be set to arbitrary values, with a few reserved address ranges that cannot be used. Size of client address space Each of the active client access interfaces must share a class C address space. The address space size for each client access interface can be set independently and can be of arbitrary size. Table 6. Differences between explicit and implicit addressing schemes  CLI The  choice  of  implicit  or  explicit  addressing  scheme  is  controlled  by  the  ‘implicit.enable’ parameter in the ‘mesh’ interface. Set this parameter to ‘yes’ to select implicit addressing and to ‘no’ to select explicit addressing. The example below demonstrates how to select the implicit addressing scheme.  > use mesh0 sys> set implicit.enable=yes  Web GUI The addressing scheme is set with the “Implicit Addressing” drop-down menu on the “System” tab of the “System” page. Set this to disabled to choose the explicit addressing scheme.  BRIDGE
Chapter 10: Client Addressing Schemes  TR0190 Rev. A1    60  Figure 34. Setting the addressing scheme 10.1  Implicit Addressing Scheme The implicit addressing scheme requires the sharing of a class C network between all active client  access  interfaces.  The  subnet  address  space  is  based  on  the  node  ID  and  the  LAN prefix as shown in Figure 35.   Figure 35. Subnet address structure  If the EL-500 is operating in centralized DHCP server mode, the addresses used for the implicit addressing scheme have no bearing on the addresses that are assigned to client devices through DHCP.  The default division of the class C address space is shown in Table 7. It is possible to change this configuration, assigning larger address spaces to certain interfaces if not all interfaces are enabled.
Chapter 10: Client Addressing Schemes  TR0190 Rev. A1    61 Interface  Interface address  Broadcast address  Client device address range wlan1  subnet.1  subnet.127  subnet.2-126 wlan2  subnet.129  subnet.159  subnet.130-158 wlan3  subnet.161  subnet.191  subnet.162-190 wlan4  subnet.193  subnet.223  subnet.194-222 subnet = <LAN prefix first octet>.<LAN prefix second octet >.<node ID> Table 7. Default subnet segmentation between interfaces 10.1.1  LAN Prefix The  LAN  prefix  parameter  sets  the  first  two  octets  of  the  client  access interface  IP  address when using the implicit addressing scheme. The suggested values for the LAN prefix are 10.x and 192.168.   The  LAN  prefix  parameter  only  has  an  effect  on  an  EL-500  using  the  explicit  addressing scheme  when explicit addresses have not been defined for the client access interfaces. See section 10.2 for more information on use of the LAN prefix when using the explicit addressing scheme.  CLI The first octet of the LAN prefix is set with the ‘id.lanprefix’ parameter in the ‘sys’ interface as shown in the example below.   > use sys sys> id.lanprefix=10  The second octet is set with the ‘id.mesh’ parameter in the ‘sys’ interface as shown below.  > use sys sys> id.mesh=12  Web GUI The  LAN  prefix  can  be  set  via  the  web  interface  using  the  “System”  tab  on  the  “System Parameters” page (see Figure 34).  10.1.2  Client Address Space Segmentation in Implicit Addressing Mode As mentioned above, the client access interfaces must share a class C address space when the  EL-500  is  using  the  implicit  addressing  scheme.  The  start  address  of  each  address segment and its size can be set. The following restrictions are placed on the address segment configuration:
Chapter 10: Client Addressing Schemes  TR0190 Rev. A1    62  •  Each active client access interface must be assigned an address segment. •  The IP address range start address (‘ip.implicit.start.requested’ in the CLI) must be one of the following values: 1, 33, 65, 97, 129, 161, 193, 225. •  The  IP  address  range  size  (‘ip.implicit.size.requested’  in  the  CLI)  must  be  one  of  the following values: 31, 63, 127, 255. •  The  IP  address  range  size  and  start  address  must  be  chosen  such  that  the  address segment does not cross a netmask boundary. Table 8 lists allowed combinations. •  The address spaces for enabled interfaces must start at different addresses. •  The address spaces for enabled interfaces should not overlap.  IP address range size (ip.implicit.size.requested) Address range start (ip.implicit.start.requested)  31  63  127  255 1  Yes  Yes  Yes  Yes 33  Yes  No  No  No 65  Yes  Yes  No  No 97  Yes  No  No  No 129  Yes  Yes  Yes  No 161  Yes  No  No  No 193  Yes  Yes  No  No 225  Yes  No  No  No Table 8. Allowed address segment start address and size combinations  Each of the enabled interfaces’ address segments should be configured to avoid overlap with the other interfaces’ address segments. In the case where  an  EL-500 is not configured such that this requirement is  met, address spaces will be automatically reduced in size to prevent overlap.  CLI The  start  and  size  of  client  address  spaces  are  set  with  the  ‘ip.implicit.start.requested’  and ‘ip.implicit.size.requested’  parameters  in  the  ‘wlan1’,  ‘wlan2’,  ‘wlan3’,  and  ‘wlan4’  interfaces. Refer to Table 8 for allowed values for these parameters.   In the first example below, the ‘wlan1’ interface is set to use the entire class C address space (this requires that all the other client access interfaces, wlan2-4, are disabled). In the second example, the ‘wlan1’ interface is set to use the upper half of the class C address space.  > use wlan1 eth0> set ip.implicit.start.requested=1 eth0> set ip.implicit.size.requested=255  > use wlan1 eth0> set ip.implicit.start.requested=129 eth0> set ip.implicit.size.requested=127
Chapter 10: Client Addressing Schemes  TR0190 Rev. A1    63  The actual start address and size of a segment are accessible via the ‘ip.implicit.start.actual’ and  ‘ip.implicit.size.actual’  parameters.  These  may  values  may  differ  from  the  requested values if the rules for setting these parameters were not abided by.  Web GUI The address space segments’ start addresses and sizes can be set via the web interface using the “DHCP” sub-tab on the “DHCP” tab on the “System Parameters” page (see Figure 36).    Figure 36. Address space settings in implicit addressing mode
Chapter 10: Client Addressing Schemes  TR0190 Rev. A1    64 10.2  Explicit Addressing Scheme When  using  the  explicit  addressing  scheme,  the  IP  parameters  for  each  interface  can  be specified manually on the “Wireless Interface” page.  When  specifying  the  IP  addresses  and  subnet  sizes  for  the  client  access  interfaces,  the following rules should be followed:  •  Specify  IP  address  and  subnet  combinations  that  do  not  lead  to  misalignment,  e.g. 10.0.0.4/24 is not  a properly aligned address/subnet size combination. •  Do not specify subnets that are in the following ranges: o  169.254.0.0/16 o  127.0.0.0/8 •  Each  subnet  specified  for  a  client  access  interface  must  not  overlap  with  that  of  any other client access interface on the device. •  Do not specify any subnets for client access interfaces that overlap with subnets outside the device that you want client devices to be able to connect to.  Do  not  specify  a  gateway  IP  address  for  any  of  the  client  access  interfaces when operating using the explicit addressing scheme. This field should be left blank for each interface.  If  an  address  space  is  not  defined  for  a  client  access  interface  when  operating  in  explicit addressing mode, a default address space will be defined with the following parameters  •  IP address: <first octet of LAN prefix>.<node ID>.<virtual AP number (1-4)>.1 •  IP netmask: 255.255.255.0  CLI Set  the  ‘implicit.enable’  parameter  in  the  ‘mesh0’  to  ‘no’  interface  to  select  the  explicit addressing scheme. The example below demonstrates this.  > use mesh0 sys> set implicit.enable=no  See section 13.3 for instructions on how to set the IP addresses for the client access interfaces when using the explicit addressing scheme.  Web GUI The addressing scheme is set with the “Implicit Addressing” drop-down menu on the “System” tab of the “System” page (see Figure 34). Set this to “disabled” to use the explicit addressing scheme.
Chapter 10: Client Addressing Schemes  TR0190 Rev. A1    65 See  section  13.3  for instructions  on  how  to  set  the  IP  addresses  for  the  wired and  wireless client access interfaces when using the explicit addressing scheme.
Chapter 11: Ethernet Interface Configuration  TR0190 Rev. A1    66  11  Ethernet Interface Configuration The  Ethernet  interface  features  described  in  this  chapter  are  not  used  in bridge mode. See  section 12  for information on  how  to configure  the  bridge interface to provide IP access to the EL-500 when operating in bridge mode.  The  Ethernet  interface  is  used  to  connect  the  EL-500  to  a  LAN.  It  is  also  used  for  initial configuration of the device. The Ethernet interface IP address can either be acquired from a DHCP server on the LAN or be set manually.   Figure 37. Wired interface parameters 11.1  DHCP The EL-500 can be set to obtain an IP address for its Ethernet interface using DHCP. When configured  as  a  DHCP  client,  the  EL-500  will  continually  attempt  to  contact  a  DHCP  server until it is successful.   If  the  DHCP  mode  is  set  to  ‘client’,  the  IP  configuration  must  be  carried  out  manually,  as described in the next section.  BRIDGE
Chapter 11: Ethernet Interface Configuration  TR0190 Rev. A1    67 CLI  To  set  the  DHCP  mode  to  ‘client’  on  the  Ethernet  interface,  set  the  value  of  the  ‘dhcp.role’ parameter in the ‘eth0’ interface to ‘client’, as shown in the example below.  > use eth0 eth0> set dhcp.role=client  To  disable  Ethernet  DHCP  client  mode,  set  the  DHCP  mode  parameter  to  ‘none’  as  shown below.  > use eth0 eth0> set dhcp.role=none  Web GUI The Ethernet DHCP mode value can be set via the web interface using the “DHCP” sub-tab on the “DHCP” tab on the “System Parameters” page (see Figure 38).
Chapter 11: Ethernet Interface Configuration  TR0190 Rev. A1    68  Figure 38. Wired DHCP settings
Chapter 11: Ethernet Interface Configuration  TR0190 Rev. A1    69 11.2  Manual IP Configuration If the Ethernet DHCP mode parameter is set to ‘none’, the manually configured IP address will be used. The default IP configuration that is assigned to the interface based on the LAN prefix and node ID settings is available through the CLI and the web GUI.  Note that for the manually configured IP address to be used, the Ethernet DHCP mode setting must  be  set  to  ‘none’  if  the  EL-500  is  connected  to  a  network  which  provides  access  to  a DHCP server.   The IP  configuration  settings  shown in the ‘eth0’  interface in the  CLI and  on the “Wired Interface” page of the web interface do not necessarily reflect the current  settings  of the  interface. They are  the  requested  settings  and  do  not take  into account whether the interface has been configured  via DHCP. If the Ethernet  DHCP  mode    parameter  is  set  to  ‘client’,  the  ‘ip.address’, ip.broadcast’, ‘ip.gateway’, and ‘ip.netmask’ parameters will respond to a ‘get’ command with ‘<dhcp>’ to indicate that the parameters will be assigned by a DHCP server instead of any values assigned via the CLI. Use the ‘ifconfig eth0’ command in  the  CLI or access the  “Status” page  in  the  web interface to get current interface settings.  CLI The Ethernet default IP configuration is available through the following read-only parameters:  •  ip.address – IP address •  ip.broadcast – IP broadcast address •  ip.gateway – default gateway •  ip.netmask – netmask  These parameters cannot be set though. These default parameters can be overridden with the parameters listed below.  •  ip.address_force •  ip.broadcast_force •  ip.gateway_force •  ip.netmask_force  The example below, shows how a custom IP address can be set for the Ethernet interface  > use eth0 eth0> set dhcp=none eth0> set ip.address_force=192.168.1.2 eth0> set ip.broadcast_force=192.168.1.255 eth0> set ip.gateway_force=192.168.1.1
Chapter 11: Ethernet Interface Configuration  TR0190 Rev. A1    70 eth0> set ip.netmask_force=255.255.255.0  Web GUI The Ethernet IP address, gateway, netmask, and broadcast address parameters can be set via the web interface using the “Wired Interface” page (see Figure 37). The current IP values can be viewed on the “Status” page.
Chapter 12: Bridge Interface Configuration  TR0190 Rev. A1    71 12  Bridge Interface Configuration 12.1  IP Configuration The bridge interface has an IP address that can be set manually or acquired via DHCP. With the  exception of  the  fixed  configuration  IP address,  this is the only active  IP address  on the device when it is operating in bridge mode.  When not explicitly specifying an IP address or enabling DHCP client mode, the address for the bridge interface will default to <LAN prefix first octet>.<node ID>.1.1.  CLI The  bridge  IP  settings  are  set  with  the  ‘ip.address_force’,  ‘ip.broadcast_force’, ‘ip.gateway_force’, and ‘ip.netmask_force’ parameters in the ‘br0’ interface. For these settings to be used, the bridge interface DHCP mode must be disabled using the ‘dhcp.role’ parameter in the ‘br0’ interface, as shown in the example below.  The example below, shows how to manually set an IP configuration for the bridge interface  > use br0 br0> set dhcp.role=none br0> set ip.address_force=10.5.1.27 br0> set ip.broadcast_force=10.5.1.255 br0> set ip.gateway_force=10.5.1.1 br0> set ip.netmask_force=255.255.255.0  To set the DHCP mode to ‘client’ for the bridge interface, set the ‘dhcp.role’ parameter in the ‘br0’ interface to ‘client’ as shown below.  > use br0 br0> set dhcp.role=client  Web GUI The IP address, gateway, netmask, and broadcast address parameters can be set on the “L2 Bridge” page when the DHCP mode for the bridge interface is set to ‘none’ (see Figure 13). A link to the “L2 Bridge” page appears in the navigation bar when bridge mode is selected.
Chapter 12: Bridge Interface Configuration  TR0190 Rev. A1    72  Figure 39. Bridge configuration page with DHCP client mode disabled  The  DHCP  mode  for  the  bridge  interface  is  set  on  the  “DHCP”  tab  on  the  “System”  page. When  bridge  mode  is  selected,  the  only  setting  available  on  this  page  is  the  bridge  DHCP mode, as shown in Figure 40.   Figure 40. DHCP configuration page when operating in bridge mode
Chapter 12: Bridge Interface Configuration  TR0190 Rev. A1    73 12.2  Bridging Parameters Two parameters are available for controlling how the bridge mode operates: forwarding delay and Spanning Tree Protocol control.  The  forwarding  delay  sets  how  long,  in  seconds,  the  EL-500  will  watch  traffic  before participating. If there are no other bridges nearby the EL-500 this value can be set to 0. When the  DHCP  mode  for  the  bridge  interface  is  set  to  ‘client’,  the  forwarding  delay  will  be automatically set to 15 to avoid DHCP requests timing out.   The EL-500 supports the Spanning Tree Protocol (STP), which is used to ensure a loop-free topology for any bridged LAN. STP support can be disabled or enabled.  CLI The  forwarding  delay  is  set  with  the  ‘forwarding_delay’  parameter  in  the  ‘br0’ interface. The delay is specified in seconds.  > use br0 br0> set forwarding_delay=5  Spanning Tree Protocol state is set with the ‘stp.enable’ parameter in the ‘br0’ interface. Set this parameter to ‘yes’ to enable it and to ‘no’ to disable it.  > use br0 br0> set stp.enable=yes  Web GUI The forwarding delay and Spanning Tree Protocol state can be set on the “L2 Bridge” page
Chapter 13: Virtual Access Point (VAP) Configuration  TR0190 Rev. A1    74 13  Virtual Access Point (VAP) Configuration An  EL-500  has  four  virtual  access  points  (VAPs)  that  can  be  configured  to  suit  different application needs. These VAPs share a common radio, but, with a few exceptions noted in this chapter,  can  be  configured  independently.  The  availability  of  the  four  VAPs  provides  more flexibility in configuration and catering to different user classes than a single AP does.  The interfaces for the VAPs will be referred to as ‘wlanN’  when it applies to any of the four VAPs. ‘wlan1’ will be used in all examples.   Figure 41. Virtual access point interface page with EL-500 in routed mode
Chapter 13: Virtual Access Point (VAP) Configuration  TR0190 Rev. A1    75 13.1  Virtual Access Point Interfaces There are four interfaces that are used to configure the VAPs: wlan1, wlan2, wlan3, and wlan4. The  VAPs have equivalent configuration capabilities  and  there is  no inherent  prioritization or preference for one VAP. The section on quality-of-service settings (section 17) describes how prioritization on a per-VAP basis can be configured. 13.2  Enabling and Disabling Virtual Access Points VAPs  can be  individually  enabled  or disabled.  A  VAP can  be  configured  when  it  is disabled and parameter settings are retained when it is disabled.  CLI A VAP can be enabled with the ‘enable’ parameter in the ‘wlanN’ interface as shown below.  > use wlan1 wlan1> set enable=yes  A VAP can be disabled with the following commands.  > use wlan1 wlan1> set enable=no  Web GUI Each VAP can be enabled or disabled by setting the “State” parameter via the web interface using the appropriate “wlanN” tab on the “Wireless Interfaces” page (see Figure 41).  13.3  Virtual Access Point Client Device Address Space Each VAP interface is either assigned a segment of the EL-500’s class C client address space, if the device is using implicit addressing mode, or an arbitrary address space can be set for the interface when using the explicit addressing scheme . See section 10 for more information on client addressing schemes.  The  EL-500  VAPs’  interface  IP  configurations  can  be  changed  directly  when  it  is  using  the explicit  addressing  scheme.  They  cannot  be  changed  directly  when  the  device  is  using  the implicit addressing scheme.   When an EL-500 is configured to use the implicit addressing scheme, set the IP address to the desired  value  by  modifying  the  node  ID  and  LAN  prefix  parameters  (see  sections  9.2  and
Chapter 13: Virtual Access Point (VAP) Configuration  TR0190 Rev. A1    76 10.1.1).  Set  the  netmask  by  changing  the  client  address  space  segments  as  described  in 10.1.2.   CLI You can view the IP settings for the VAP interfaces with the ‘ip.*’ parameters in the appropriate ‘wlanN’ interface as shown in the example below.  > use wlan1 wlan1> get ip.*  ip.address = 10.2.4.1   [read-only]  ip.address_force =   ip.broadcast = 10.2.4.127   [read-only]  ip.broadcast_force =   ip.gateway =    [read-only]  ip.gateway_force =   ip.netmask = 255.255.255.0   [read-only]  ip.netmask_force =   ip.implicit.size.actual =    [read-only]  ip.implicit.size.requested = 31  ip.implicit.start.actual =    [read-only]  ip.implicit.start.requested = 1  When an EL-500 is using the implicit addressing scheme, the VAP IP settings can be changed by altering the ‘id.node’, ‘id.mesh’, and ‘id.lanprefix’ parameters in the ‘sys’ interface and the ‘ip.implicit.start.requested’ parameter in the appropriate ‘wlanN’ interface.  When an EL-500 is using the explicit addressing scheme, the IP address, netmask, gateway address,  and  broadcast  address  can  be  set  using  the  ‘ip.address_force’,  ‘ip.netmask_force’, ‘ip.gateway_force’, and ‘ip.broadcast_force’ parameters in the appropriate ‘wlanN’ interface as shown in the example below.  > use wlan1 wlan1> set ip.address_force=10.12.8.1 wlan1> ip.broadcast_force=10.12.8.255 wlan1> ip.gateway_force= wlan1> ip.netmask_force=255.255.255.0   Web GUI The current VAP IP settings can be viewed through the web interface on the “Config Overview” tab on the “Status” page. When using the implicit addressing scheme, the VAP IP settings can be changed by altering the node ID and LAN prefix settings on the “System” parameters tab on the “System Parameters” page. In explicit addressing mode, the IP parameters can be set on the appropriate tab on the “Wireless Interface” page.
Chapter 13: Virtual Access Point (VAP) Configuration  TR0190 Rev. A1    77 13.4  Channel The  EL-500HG  has  an  802.11b/g  radio  that  can  be  set  to  operate  in  the  channels  listed  in Table 9.   Channel  Center Frequency (GHz) 1  2.412 2  2.417 3  2.422 4  2.427 5  2.432 6  2.437 7  2.442 8  2.447 9  2.452 10  2.457 11  2.462 Table 9. EL-500HG access point channels and associated center frequencies  Note that only channels 1, 6, and 11 are non-overlapping.  The EL-500HA has an 802.11a radio that can be set to operate in the channels listed in Table 10.   Channel  Center Frequency (GHz) 149  5.745 153  5.765 157  5.785 161  5.805 165  5.825 Table 10. EL-500HA access point channels and associated center frequencies  It  is  not  possible  to  configure  the  VAPs  to  use  different  channels.  If  the channel  for wlan2  is  changed,  the  channel will  be changed for  wlan1,  wlan3, and wlan4.   CLI The  VAP channel is  set  with the ‘channel’  parameter in  the ‘wlanN’ interfaces.  The example below shows how to set the VAP channel to 6.  > use wlan1
Chapter 13: Virtual Access Point (VAP) Configuration  TR0190 Rev. A1    78 wlan1> set channel=6  Web GUI The access point channel can be set via the web interface using the appropriate “wlanN” tab on the “Wireless Interfaces” page (see Figure 41).  13.5  ESSID The  ESSID,  or  Extended  Service  Set  Identifier,  is  used  in  802.11  infrastructure  networks  to identify  a  particular  network  consisting  of  one  or  more  Basic  Service  Sets.  It  is  used  to differentiate logical networks that operate on the same channel.   The ESSID value must be a text string that has a maximum length of 32 characters. It must only contain alphanumeric characters, spaces, dashes (“-“), and underscores (“_”).The ESSID setting is case sensitive.   It is possible to hide a VAP ESSID by restricting it from broadcasting advertisements for that ESSID. Whether it is appropriate for a VAP ESSID to be hidden depends on the application.   CLI The VAP ESSID is set as shown in the example below. When setting an ESSID that contains spaces, the ESSID value must be enclosed by quotes – the quotes are optional otherwise.  > use wlan1 wlan1> set essid=”wlan1_ap”  The broadcast of the ESSID can be controlled with the ‘hide_essid’ parameter in the ‘wlanN’ interface. The example below shows how hiding of the ESSID can be enabled.  > use wlan1 wlan1> set hide_essid=yes  Web GUI The  VAP  ESSIDs  and  their  broadcast  state  can  be  set  via  the  web  interface  using  the appropriate “wlanN” tab on the “Wireless Interfaces” page (see Figure 41).
Chapter 13: Virtual Access Point (VAP) Configuration  TR0190 Rev. A1    79 13.6  IP Configuration of Client Devices The VAP interfaces allow client devices to connect to the EL-500. The client devices can be assigned  their  IP  configuration in one  of three ways  when  the EL-500  is operating in routed mode:  •  Via DHCP from a centralized server •  Via DHCP from a local server on the EL-500 that the client device is connected to •  Be manually configured  When the EL-500 is operating in bridge mode, the client device IP address requirements will depend on the settings for the LAN that the EL-500 is connected to. 13.6.1  IP Configuration of Clients Devices via DHCP The  EL-500 can be  set  to  serve  IP  addresses to  client  devices on  the VAP  interfaces  using DHCP. DHCP-provided addresses can be served either from a local server on the EL-500 or from an external server. The two DHCP modes are described in detail in section 14. 13.6.2  Manual IP Configuration of Client Devices In routed mode with centralized DHCP server mode disabled, client devices that use static IP addresses must  have an  IP  address  that is  within the  subnet  of  the  VAP  interface  that  they connect  to. See section 14.2.1 for information on using static IP addresses for client devices with centralized DHCP server mode enabled.  When operating in bridge mode, the client devices IP configuration requirements will depend on the network settings for the LAN that the EL-500 is connected to.
Chapter 13: Virtual Access Point (VAP) Configuration  TR0190 Rev. A1    80  Figure 42. Virtual access point and wired interface DHCP and address space settings  If the local DHCP server is enabled for an VAP interface, IP addresses must be reserved for statically  configured  devices  by  setting  the  DHCP  reserve  parameter.  This  will  reserve  the specified number of IP addresses at the bottom of the IP range for the interface. For example, if  the  interface  has  the  IP  address  10.2.4.1,  the  netmask  255.255.255.128,  and  the  DHCP reserve  value  5,  the  IP  addresses  10.2.4.2  through  10.2.4.6  will  be  available  for  use  by statically configured devices. The remaining IP addresses in the interface’s address space can be assigned by the DHCP server to other client devices.
Chapter 13: Virtual Access Point (VAP) Configuration  TR0190 Rev. A1    81 CLI The  number  of  IP  addresses  reserved  for  statically-configured  devices  connected  to  the Ethernet interface is set with the ‘dhcp.reserve’ parameter in the ‘eth0’ interface.  Web GUI The  ‘dhcp.reserve’  value  can  be set  via  the web  interface  using  the  “DHCP”  sub-tab on the “DHCP” tab on the “System Parameters” page (see Figure 42).  13.7  Client Devices Each VAP has a status page that displays information about attached client devices and total throughput through the VAP. The signal strength of each client device, its MAC address, its IP address, and the time since data was last received from it are listed. The status pages can be accessed under the ‘Status’ tab on the ‘Status’ page, as shown in Figure 43.   Figure 43. Virtual access point client device status information 13.8  Encryption and Authentication The  EL-500  supports  several  common  encryption/authentication  schemes,  including  WEP, WPA, and WPA2, to provide secure wireless access for client devices. WEP keys with 40-bit or 104-bit lengths, pre-shared WPA keys, and multiple WPA-EAP modes.
Chapter 13: Virtual Access Point (VAP) Configuration  TR0190 Rev. A1    82 The  WEP  and  WPA  configuration  settings  for  each  VAP  are  independent.  A  VAP  can  only support one of the encryption/authentication modes at a time, but the VAPs in the EL-500 do not all have to use the same encryption/authentication scheme.   Figure 44. Virtual access point authentication and encryption settings 13.8.1  WEP Encryption The VAPs can be protected with a WEP-based encryption key to prevent unauthorized users from intercepting or spoofing traffic.   CLI To enable WEP-based encryption, set the ‘key’ parameter in the ‘wlanN’ interface. The length of  the  encryption  key is  determined  by  the  format  used  to  specify  the  ‘key’  value.  Valid  key formats and the corresponding encryption type and key length are listed in Table 11.  If WPA is enabled for an interface (‘wpa.enable’ CLI parameter in the ‘wlanN’ interfaces),  the  WPA  settings  will  be  used  for  encryption  and  authentication and the ‘key’ value used to enable WEP will be ignored.
Chapter 13: Virtual Access Point (VAP) Configuration  TR0190 Rev. A1    83 Key format  Encryption format  Encryption key length s:<5 ASCII characters> <10 hex values>  WEP  40 bits s:<13 ASCII characters> <26 hex values>  WEP  104 bits <blank>  None  N/A Table 11. WEP encryption key formats  For example, 104-bit WEP encryption can be enabled using an ASCII key with  > use wlan1 wlan1> set key=”s:abcdefghijklm”  or using a hexadecimal key with  > use wlan1 wlan1> set key=”0123456789abcdef0123456789”  WEP encryption can be disabled by specifying a blank value as shown below.  > use wlan1 wlan1> set key=  Web GUI WEP  encryption  can  be  enabled  and  the  key  can  be  set  via  the  web  interface  using  the “WPA/WEP” sub-tab under the “AAA” tab on the “System Parameters” page (see Figure 44). Select  “WEP”  as  the  type  of  encryption  from  the  drop-down  menu  for  the  VAP  you  wish  to configure and set the WEP key in the text box below the drop-down menu. In the example in Figure 44, ‘wlan1’ has been configured to use WEP. 13.8.2  WPA Pre-Shared Key Mode (WPA-PSK) In  WPA  pre-shared  key  (PSK)  mode,  a  common  passphrase  is  used  for  client  devices connecting to an EL-500 VAP. To set the WPA-PSK mode, enable WPA for the interface and set  the  pre-shared  key  value  as  shown  below.  The  passphrase  must  be  between  8  and  63 characters in length.   The minimum number of characters required for the WPA passphrase is 8. However, it  is  recommended  that  a  longer  passphrase,  with  at  least  15  characters,  is used. This will increase the strength of the encryption used for the wireless link.
Chapter 13: Virtual Access Point (VAP) Configuration  TR0190 Rev. A1    84 CLI The  example  below  shows  how  to  enable  WPA-PSK  mode  for  wlan1.  The  ‘wpa.key_mgmt’ parameter must also be set to indicate that PSK mode is being used, as shown below.  > use wlan1 wlan1> set wpa.enable=yes wlan1> set wpa.key_mgmt=”WPA-PSK” wlan1> set wpa.passphrase=long_passphrases_improve_encryption_effectiveness  Web GUI WPA-PSK can be enabled and the pre-shared key can be set via the web interface using the “WPA/WEP” sub-tab under the “AAA” tab on the “System Parameters” page (see Figure 44). Select “WPA-PSK” as the type of encryption/authentication from the drop-down menu for the VAP you wish to configure and enter the WPA-PSK key in the text box below the drop-down menu. In the example in Figure 44, ‘wlan2’ has been configured to use WPA-PSK. 13.8.3  WPA EAP Mode In  WPA-EAP  mode,  a  client  device  is  authenticated  using  an  802.1x  authentication  server, which is typically a RADIUS server.   The supported EAP modes are:  •  TLS      (X509v3 server & client certificates) •  PEAP-TLS    (X509v3 server & client certificates) •  TTLS      (X509v3 server certificate) •  PEAP-MSCHAPv2  (X509v3 server certificate)  The following information must be provided about the RADIUS server:  •  address – the IP address of the 802.1x server that will be used for authentication •  port – the port that the authentication server is listening on (UDP port 1812 by default) •  secret – the shared secret for the authentication server. The secret must be a string that is no longer than 32 characters in length.  See section 20.5 for instructions on how to test the RADIUS configuration and a specific set of credentials.  CLI To  configure  the  EL-500  to  support  802.1x  authentication,  the  following  parameters  in  a ‘wlanN’ interface must be set:
Chapter 13: Virtual Access Point (VAP) Configuration  TR0190 Rev. A1    85 •  wpa.enable •  wpa.key_mgmt •  wpa.auth.server.addr •  wpa.auth.server.port  •  wpa.auth.server.shared_secret  The ‘wpa.key_mgmt’ parameter must be set to indicate that both PSK and EAP modes can be supported, as shown in the example below.  The example below shows how to enable WPA EAP mode.   > use wlan1 wlan1> set wpa.enable=yes wlan1> set wpa.key_mgmt=”WPA-PSK WPA-EAP” wlan1> set wpa.auth.server.addr=1.2.3.4 wlan1> set wpa.auth.server.port=1812 wlan1> set wpa.auth.shared_secret=enroute1000_radius_secret  Web GUI WPA-EAP can be enabled and the authentication server parameters can be set via the web interface using the “WPA/WEP” sub-tab under the “AAA” tab on the “System Parameters” page (see  Figure  44).  Select  “WPA-EAP”  as  the  type  of  encryption/authentication  from  the  drop-down menu for the VAP you  wish to configure and set the authentication server IP address, port,  and  secret  in  the  text  boxes  below  the  drop-down  menu.  In  the  example  in  Figure  44, ‘wlan3’ has been configured to use WPA-EAP. 13.9  Transmit Power Cap The  maximum  transmit  power  cap  of  the  EL-500’s  radio  is  configurable.  Increased  output power  will  improve  communication  range,  but  will  also  extend  the  interference  range  of  the radios. By default, the power cap is set to 30 dBm so as not to limit the power of the AP.   If the transmit power is set to a value in excess of what can be supported by the  AP  radio,  the  actual  radio  output  power  will  be  the  highest  power supported by the AP radio.  When setting the output power for an VAP, consider the output power of the client devices  that  will  be  communicating  the  VAP.  If  these  devices  have  output  power levels that are far lower than that of the VAP, an asymmetric link may result. Such a link  exists  when  the  received  signal  strength  at  client  devices  is  sufficient  for  a downlink to the client device be established, but the received signal level at the VAP is not sufficient for an uplink from the client device to be established.
Chapter 13: Virtual Access Point (VAP) Configuration  TR0190 Rev. A1    86 CLI The example below shows how to set the access point radio’s maximum transmit power using the CLI. The Tx power is specified in dBm, with a granularity of 0.5 dBm.   > use wlan1 wlan1> set txpower=20  Web GUI The  VAPs’  maximum  transmit  power can  be  set via  the  web  interface using  the appropriate “wlanN” tab on the “Wireless Interfaces” page (see Figure 41). The “+” and “-“ buttons can be used to increase or decrease the power setting in 0.5 dBm steps. 13.10  Radio Rate The VAPs can be set to communicate at a specific rate or to automatically select the best rate available. For most applications, choosing automatic rate selection will be the best choice.  CLI It  is  not  currently  possible  to  set  this  through  the  CLI.  Please  use  the  web  GUI  to  set  this parameter.   Web GUI The VAPs’ communication rate can be set via the web interface using the appropriate “wlanN” tab  on  the  “Wireless  Interfaces”  page  (see  Figure  41).  To  limit  communication  to  a  specific rate,  use  the  drop-down  menu  to  select  the  appropriate  rate  and  verify  that  the  “Auto” checkbox is not selected. To set the device to automatically select the most appropriate rate, click on the “Auto” checkbox to select it. 13.11  Preamble Length The VAPs can be configured to use short preambles when there are no client devices present that only support long preambles. Alternatively,  the device can be forced to always use long preambles.  Using  short  preambles  reduces  communication  overhead,  but  may  not  be supported by older 802.11 client devices.  The preamble  length  setting  is  uniform across  all VAPs.  Changing it  for  one will automatically change it for all others as well.
Chapter 13: Virtual Access Point (VAP) Configuration  TR0190 Rev. A1    87 CLI The example below shows how to set the preamble type used by a VAP using the CLI. The preamble  type is  set with the ‘iwpriv.short_preamble’ parameter  in  the  ‘wlanN’ interfaces. To enable  short  preambles,  set  this  parameter  to  ‘1’.  To  force  use  of  long  preambles,  set  this parameter to ‘0’.   > use wlan1 wlan1> set iwpriv.short_preamble=1  Web GUI The  preamble  types  supported  by  the  VAPs  can  be  set  via  the  web  interface  using  the appropriate “wlanN” tab on the “Wireless Interfaces” page (see Figure 41). To allow support for short preambles, set the “Use Short Preamble” drop-down menu to “Yes”. To limit preambles to long ones, set the drop-down menu to “No”. 13.12  Beacon Interval The VAPs’ beacon intervals are configurable. The beacon interval must fall in the range from 20 to 500 ms. The beacon interval is set to 100 ms by default.  CLI The example below shows how to set the beacon interval for a VAP using the CLI. The beacon interval  is  set  with  the  ‘iwpriv.beacon_interval’  parameter  in  the  ‘wlanN’  interfaces  and  is specified in milliseconds.  > use wlan1 wlan1> set iwpriv.beacon_interval=100  Web GUI The beacon interval for an VAP can be set via the web interface using the appropriate “wlanN” tab on the “Wireless Interfaces” page (see Figure 41). Enter a value specified in milliseconds in the “Beacon Interval” field. 13.13  Maximum Link Distance The 802.11 standard defines delay values in the communication between devices that affect the maximum communication distance that can be supported. By default, the communication distance is limited to approximately 4 km (2.5 mi). The maximum communication distance can
Chapter 13: Virtual Access Point (VAP) Configuration  TR0190 Rev. A1    88 be increased by setting a custom maximum link distance value. This value can be specified in either metric or imperial units.  The maximum link distance setting is uniform across all VAPs. Changing it for one will automatically change it for all others as well.  CLI The example below shows how to set the maximum  link distance supported by a VAP using the  CLI.  The  maximum  link  distance  is  set  with  the  ‘distance’  parameter  in  the  ‘wlanN’ interfaces  and  is  specified  in  either  kilometers  or  miles.  The  ‘units’  parameter  in  the  ‘sys’ interface determines whether the distance units are to be entered in kilometers or  miles. Set ‘units’ to “metric” for kilometers, and to “imperial” for miles.   Set the ‘distance’ parameter to “DEFAULT” or leave it blank to use the default maximum link range.  > use sys sys> set units=”metric” > use wlan1 wlan1> set distance=10  Web GUI The maximum link distance supported by  an VAP can be set via the web interface using the appropriate “wlanN” tab on the “Wireless Interfaces” page (see Figure 41). Enter a value and specify whether it is in kilometers of miles using the adjacent drop-down menu.  Set the ‘distance’ parameter to “DEFAULT” or leave it blank to use the default maximum link range.
Chapter 14: Client DHCP Configuration  TR0190 Rev. A1    89 14  Client DHCP Configuration When operating in routed mode, two configuration options exist for assigning IP addresses to client devices using DHCP:  •  The EL-500 hosts a local DHCP server and supplies IP addresses to devices attaching to any of the client access interfaces  •  A  centralized  DHCP  server  supplies  IP  addresses  to  client  devices,  with  the  EL-500s relaying DHCP messages between client devices and the centralized server.  The DHCP modes for client access interfaces on an EL-500 can be set individually to use a local server, a centralized server, or be disabled. This allows a device to support client access interfaces with a combination of centralized and localized DHCP.  An EL-500 operating in bridge mode can provide access to a DHCP server on the  LAN  that  it  is  bridging  to,  but  it  will  not  provide  any  local  DHCP functionality  for  client  devices  when  operating  in  this  mode.  Centralized DHCP server mode does not need to be configured in bridge mode since the relaying  occurs  implicitly  by  virtue  of  the  bridging  function  that  the  EL-500 provides.  It is possible to configure the bridge interface to receive an address via DHCP (see section 12.1) 14.1  Using Local DHCP Servers The  EL-500  can  be  set  to  serve  IP  addresses  to  client  devices  on  enabled  VAP  interfaces using DHCP.   The IP addresses provided by the local DHCP server will be in the subnet defined by the LAN prefix  and  node  ID  and  the  IP  address  range  start  address  and  size  parameters  in  the appropriate client access interface. For example, for the ‘wlan1’ interface, the start and end of the address range are:  Start address =   <LAN prefix octet 1>. < LAN prefix octet 2>. <Node ID>. <wlan1 IP address range start address> + 1 End address =   < LAN prefix octet 1>. < LAN prefix octet 2>. <Node ID>. < wlan1 IP address range start address > -  < wlan1 IP address range size > - 2 BRIDGE
Chapter 14: Client DHCP Configuration  TR0190 Rev. A1    90  The EL-500 can be configured to set aside a number of IP addresses for client devices that will use  a static  IP  address. These IP addresses are  taken from the  pool  that DHCP assigns IP addresses from. Thus, increasing the number of IP addresses set aside for devices with static IP addresses will  reduce  the  size  of  the  DHCP address pool. The DHCP reserve  parameter controls  the  number  of  IP  addresses  that  will  be  reserved  for  static  use.  By  default,  this parameter  is  set  to  zero,  assigning  the  maximum  possible  number  of  IP  addresses  to  the DHCP pool. You may reserve the entire range of IP addresses, but the EL-500 will use at least the highest address in the range for DHCP.  If the ‘dhcp.reserve’ value is non-zero, the DHCP range start address will be affected as shown below  Start address =   < LAN prefix octet 1>. < LAN prefix octet 2>. <Node ID>. <wlan1 IP address range start address> + 1 - < wlan1 DHCP reserve>  CLI The DHCP mode parameters in the ‘wlanN’ interfaces control DHCP behavior. When the mode is  set  to  ‘server’,  the  EL-500  will  respond  to  DHCP  requests  received  from  client  devices connected to the interface.   The examples below show how to set the DHCP server state for the ‘wlan1’ interface.  > use wlan1 wlan1> set dhcp.role=server wlan1> set dhcp.relay.enable=no  To disable the DHCP server, set the ‘dhcp.role’ parameter to ‘none’  > use wlan1 wlan1> set dhcp.role=none  The example below shows how to set the DHCP reserve parameter  > use wlan1 wlan1> set dhcp.reserve=5   Web GUI The  VAP  interfaces’  DHCP  server  state  can  be  set  via  the  web  interface  using  the  “DHCP” sub-tab under  the “DHCP”  tab  on  the “System  Parameters”  page  (see  Figure  45).  All  of  the interfaces’ DHCP settings can be configured on this page. Set the “Mode” field to “Server” to set the DHCP mode for a client access interface to be the local DHCP server.
Chapter 14: Client DHCP Configuration  TR0190 Rev. A1    91  The DHCP reserve setting for all VAPs and the wired interface can be set via the web interface using  the  “DHCP”  sub-tab  under  the  “DHCP”  tab  on  the  “System  Parameters”  page  (see Figure 45).    Figure 45. Virtual access point DHCP configuration
Chapter 14: Client DHCP Configuration  TR0190 Rev. A1    92 14.2  Using a Centralized DHCP Server Centralized DHCP server mode uses DHCP relaying to enable assignment of IP addresses to wireless  client devices from a common remote DHCP server. The remote DHCP server may reside either on a host connected to the LAN segment that the EL-500’s Ethernet is attached to, or on a server that is beyond one or more routers. When using a common DHCP server, wireless client devices are assigned IP addresses from a single address pool, and are allowed to keep their IP address while roaming seamlessly from AP to AP.   There are three classes of entities that must be configured when using this DHCP mode:  1.  The EL-500 2.  The central DHCP server 3.  Any intermediate router(s) in the path between the DHCP server and the EL-500  When  using  a  centralized  DHCP  server,  a  Client  Address  Space  (CAS),  from  which  client device IP addresses are assigned, must  be defined. The active VAP client access interfaces on the EL-500 (there can be up to 4 per EL-500) must also have IP addresses that fall within the CAS. This is to facilitate DHCP relay and selection of client device IP addresses from the correct  DHCP  scope  on  servers  that  serve  hosts  connected  to  different  subnets.  The  VAP client access interface IP addresses must be configured statically and must be contiguous. It is recommended that  a contiguous range of IP addresses at either the beginning or the end of the CAS be set aside, one for each VAPs on the EL-500.  The Client  Address  Space  (CAS)  is  not equivalent to  the  range  of  addresses served by the DHCP server. The DHCP-served address range is a subset of the CAS. The CAS must also include the addresses for the client access interfaces and the address of the EL-500’s Ethernet interface.   Consider  the example where  an  EL-500  has  all four of its  VAPs  enabled. The  DHCP server resides on a host that also acts as the WAN router and is connected to the same LAN segment that the EL-500’s wired interface is. We will set aside 4 IP addresses for the EL-500’s VAPs. Assuming  the  client  address  space  is  192.168.5.0/24,  with  available  addresses  from 192.168.5.1 to 192.168.5.255, we will use 192.168.5.1 for the server hosting the DHCP server, 192.168.5.2 for the EL-500’s Ethernet interface, set aside 192.168.5.3 to 192.168.5.6 for the EL-500’s VAP interfaces, and configure the remote DHCP server to serve IP addresses in the range of 192.168.5.7 to 192.168.5.254 to wireless client devices. We will keep 192.168.5.255 as the broadcast address.  A bridged EnRoute1000 will pass DHCP traffic through its wired interface to any client devices on its VAPs regardless of the EnRoute1000’s DHCP mode settings. Centralized DHCP mode provides similar capability for an EnRoute1000 in routed mode,  while  adding  the  capability  to  support  different  subnets,  a  firewall,  and QoS, which are not available in bridge mode.
Chapter 14: Client DHCP Configuration  TR0190 Rev. A1    93 14.2.1  Support for Clients with Static IP Addresses When  using  centralized  DHCP  server  mode  for  a  client  access  interface,  client  devices connected to that interface can be assigned static addresses within the client address space. However, for these client devices to roam successfully across EL-500s and third party access point  bridges  connected  to the same  LAN,  they must  employ duplicate  address  detection by sending  out  ARP  requests  for  their  own  IP  address.  Windows-based  devices  support  this requirement.  Please  contact  the  client  device  manufacturer  if  you  are  unsure  if  your  client device meets this requirement. 14.2.2  Configuring the EL-500s When operating in centralized DHCP server mode, each EL-500 client access interface that is to  serve  DHCP  addresses  from  the  centralized  server  must  be  explicitly  configured  to  use centralized  DHCP  server  mode.  The  EL-500s  with  client  access  interfaces  in  centralized DHCP server mode must also use the same centralized DHCP server. The IP address of the central  DHCP  server  is  set  with  the  DHCP  relay  server  parameter.  The  server  must  be reachable through the EL-500’s Ethernet interface.  A gateway router IP address must be entered. This will be supplied to DHCP client devices as their gateway. This IP address can be the same as for the DHCP server, but need not be.  Each client access interface on the EL-500 that is to support centralized DHCP server mode must  have  its  DHCP  mode  set  to  “server”  for  it  to  support  relay  of  IP  addresses  to  client devices from a central DHCP server. It is  possible to disable DHCP address assignments to client devices on a per-interface basis and have them use static IP addresses instead.   The address space that is to be used for the wireless client devices is a subnet specified with the Client Address Space parameter. The value must be specified in CIDR notation (a subnet and its size separated by a ‘/’), e.g. ‘192.168.5.0/24’  The  IP  addresses  of  the  EL-500’s  client  access  interfaces  (wlan1-4)  need  to  be  manually assigned. This is done by setting the Address Base parameter, which is assigned to the first enabled  client  access  interface.  Addresses  for  the  remaining  client  access  interfaces  are determined by successively incrementing the Base Address by one.  Layer  2  emulation  must  also  be  enabled  when  operating  in  centralized  DHCP  server  mode. This  setting  is  located  on  the  “System”  tab  of  the  “System”  page  of  the  web  interface.  See section 19.2 for more information on layer 2 emulation mode.  CLI Centralized  DHCP  mode  is  enabled  using  the  ‘dhcp.relay.enable’  and  ‘l2.client_mac_fwd’ parameters in the ‘sys’ interface as shown in the example below.
Chapter 14: Client DHCP Configuration  TR0190 Rev. A1    94  > use sys sys> set dhcp.relay.enable=yes sys> set l2.client_mac_fwd=yes  In  the  example  below,  the  central  DHCP  server  and  next  WAN  router  reside  on  the  same segment to which the EL-500’s Ethernet interface is connected.  > use sys sys> set dhcp.relay.server=192.168.5.2 sys> set dhcp.relay.gateway=192.168.5.1  The example below shows how to  set the  DHCP mode parameters for the wlan1 and wlan2 interfaces.  > use wlan1 wlan1> set dhcp=server wlan1> set wlan1.dhcp.relay.enable=yes > use wlan2 wlan2> set dhcp=server wlan1> set wlan2.dhcp.relay.enable=yes  To  disable  distribution  of  centralized  DHCP  addresses  on  an  interface,  set  the  interface’s ‘dhcp.role’ parameter to ‘none’ as shown below.  > use wlan3 wlan3> set dhcp=none  The Client Address Space value is set with the ‘dhcp.relay.dhcp_subnet’ parameter in the ‘sys’ interface.  This value  should be  a  class A, B,  or, C  subnet specified using CIDR  notation  as shown in the example below.  > use sys sys> set dhcp.relay.dhcp_subnet=192.168.5.0/24  The  Base  Value,  which sets  the IP address of client access interfaces  on  an  EL-500, is set through the ‘dhcp.relay.base’ parameter in the ‘sys’ interface.   > use sys sys> set dhcp.relay.base=192.168.5.3  Web GUI Centralized DHCP mode can be enabled via the web interface on the “DHCP Relay” sub-tab under the “DHCP” tab on the “System Parameters” page (see Figure 46). The external DHCP server IP address, the gateway router address, the Client Address Space parameter, and the Base  Value  can also  be set  on  this  page.  The  DHCP  mode parameters for  all client access interfaces  can  be  set  on  the  “DHCP”  sub-tab  under  the  “DHCP”  tab  on  the  “System Parameters”  page.  Set  the  DHCP  mode  to  “central  server”  for  all  interfaces  whose  client devices should receive addresses from the central DHCP server.
Chapter 14: Client DHCP Configuration  TR0190 Rev. A1    95  On the “System” tab of the “System” page, set the “L2 Emulation” to “enabled”.   Figure 46. Centralized DHCP server mode settings  14.2.3  Configuring the Central DHCP Server Guidelines for configuring the central DHCP server are provided below. The full configuration of the central DHCP server will depend on the type of DHCP server that is used and is beyond the scope of this document.   Typically the following information must be available in order to configure the server:  1.  The local interface (to the DHCP server) over which the DHCP-related messages from the EL-500 arrive 2.  The parameter(s) that define the address lease time  3.  Whether DNS and domain names are to be provided by the DHCP server to client devices 4.  The  range  of  the  flat  IP  address  that  is  used  for  assigning  IP  addresses  to  client devices.  The range  must not  include  the IP addresses set aside  for  the client  access interfaces on the EL-500.  The following is a segment of the dhcpd.conf file for a Linux DHCP server (ISC DHCP server) that illustrates the scope settings for the part of the network pertaining to the EL-500:
Chapter 14: Client DHCP Configuration  TR0190 Rev. A1    96 subnet 192.168.5.0 netmask 255.255.255.0 {         option broadcast-address        192.168.5.255;         option subnet-mask              255.255.255.0;         option domain-name              "domain.com";         range                           192.168.5.7 192.168.5.254; }   Note that in this definition no “routers” option is needed. If a global “routers” option is defined, the  EL-500  will  automatically  change it  to an appropriate  value in  DHCP  responses to  client devices  based  on  the  centralized  DHCP  settings  on  the  EL-500.  In  this  example,  two  IP addresses are set aside for the DHCP server and the EL-500’s Ethernet interface and four IP addresses are set aside for the client access interfaces on the EL-500. Therefore the address pool starts from 192.168.5.7.
Chapter 15: Connecting an ER-1000 to a LAN  TR0190 Rev. A1    97 15  Connecting an EL-500 to a LAN The options for connecting an EL-500 to a LAN are described below. 15.1  Routed mode 15.1.1  Manual Configuration An  EL-500  can  be  directly  connected  to  a  LAN  without  using  Network  Address  Translation. With this configuration and with the implicit client addressing scheme in use, the router on the network  that  the  EL-500  is  attached  to  must  be  configured  to  forward  the  client  access interface subnets to the EL-500s Ethernet IP address. The subnet that needs to be forwarded is:  Class C subnet:   <LAN prefix octet 1>.<LAN prefix octet 2>.<node ID>.0  In the case where the LAN prefix is 10.12 and the node ID is 14, the subnet the router would need to forward to the EL-500 is 10.12.14.0/255.255.255.0.  If the explicit addressing scheme is used, all the individual client access interface subnets must be forwarded to the EL-500’s Ethernet IP address.  The sections below describe how to acquire the parameter values that determine what subnets the router should forward to the EnRoute1000.  CLI When using the implicit addressing scheme, the subnet information can be retrieved from the ‘sys’ interface as shown below.  > use sys sys> get id.*  sys.id.lanprefix = 10  sys.id.mesh = 12  sys.id.node = 4  This indicates the router needs to forward traffic destined for the 10.12.4.0/255.255.255.0 subnet to the EL-500.  When using the explicit addressing scheme, the subnet information has to be retrieved from the individual interfaces. The example below shows how to obtain the address information for ‘wlan1’. A similar approach can be used to obtain that information for the other interfaces.
Chapter 15: Connecting an ER-1000 to a LAN  TR0190 Rev. A1    98 > use wlan1 sys> get ip.*_force  ip.address_force = 10.5.1.1  ip.broadcast_force = 10.5.1.255  ip.gateway_force =   ip.netmask_force = 255.255.255.0  Web GUI The LAN prefix and node ID can be obtained by inspecting the IP addresses available on the “Status”  page.  The  addresses  of  interest  are  the  IP  addresses  for  each  of  the active  VAPs. When using the implicit addressing scheme, all of these addresses will fall within a single class C address space, whereas when using the explicit addressing scheme they can be of arbitrary size. 15.1.2  Network Address Translation (NAT) Network  Address  Translation  (NAT)  shields  the  client  access  interfaces  and  client  devices connected to the VAPs from the LAN network that the EL-500 is connected to. The EL-500 and its  client  devices  are  able  to  communicate  with  devices  connected  to  the  external  network. However,  devices  on  the  external  network  cannot  initiate  communication  with  any  devices connected to the EL-500.   The advantages of using NAT are:  •  You  can  easily attach  an  EL-500  to an  existing network.  You  do  not need  to  modify  any settings on the router on your existing network to forward packets to the IP addresses used for the VAP interfaces and their client devices. •  The  devices  connected  to  the  EL-500  are  shielded  from  the  network  that  the  EL-500  is attached to. •  You only consume a single IP address on your existing network when connecting the EL-500 to it.  The main disadvantage of using NAT is   •  You are not able to initiate connections to the client devices connected to the EL-500 from devices connected to the LAN or points beyond that..  CLI To set the NAT state, use the commands  > use sys sys> set nat.enable=<yes|no>
Chapter 15: Connecting an ER-1000 to a LAN  TR0190 Rev. A1    99 Web GUI The NAT state can be set via the web interface on the “Wired Interface” page (Figure 47).   Figure 47. NAT and VPN settings 15.2  Bridge Mode In  bridge  mode,  the  EL-500  can  be  connected  to  a  LAN  with  minimal  configuration.  See section 12.2 for the parameters that are available to control bridging behavior.
Chapter 16: Controlling Access to the ER-1000  TR0190 Rev. A1    100  16  Controlling Access to the EL-500 The  EL-500  supports  the  following  features  for  restricting  access  to  it,  restricting  inter-client device communication, and shielding client devices from an external network:  •  Firewall •  Client-to-client communication blocking •  Gateway firewall  It  further  supports  controlled  network  access  by  client  devices  through  MAC  address  black lists.  The  firewalls  are  disabled  and  client-to-client  blocking  is  not  possible  when operating in bridge mode. 16.1  Firewall The  EL-500  has  a  firewall  that  blocks  certain  types  of  traffic  destined  for  the  EL-500.  This prevents client devices attached to an EL-500  and devices on the LAN which the EL-500 is attached to from connecting to it.   The default firewall rules only affect packets destined for the EL-500, and have no effect on packets forwarded by the device. The firewall should typically be enabled on all EL-500s since it prevents undesired access them.  By default, the ports listed in Table 12 are set to be allowed for connection to the EL-500.  Function  Port(s)  Type  Protocol SSH  22  Source & destination  TCP DNS  53  Source & destination  UDP DHCP  67, 68  Destination  UDP HTTP  80  Destination  TCP SNMP  161  Source & destination  UDP HTTPS  443  Destination  TCP HTTP redirect (if splash pages are enabled)  3060  Destination  TCP Roaming support  7202 – 7205, 7207  Destination  UDP OnRamp  20123  Source & destination  UDP Table 12. Source and destination ports allowed by default BRIDGE
Chapter 16: Controlling Access to the ER-1000  TR0190 Rev. A1    101  CLI The  firewall  is  enabled  by  selecting  the  ‘firewall’  interface  and  setting  the  ‘node.enable’ parameter.  > use firewall firewall> set node.enable=yes  Lists  of  allowed  source  and  destination  ports  for  inbound  TCP  and  UDP  traffic  can  be specified. These lists can be set with the following parameters in the ‘firewall’ interface:  •  node.tcp.allow.dest •  node.tcp.allow.source •  node.udp.allow.dest •  node.udp.allow.source  The list of allowed ports  must  be a  space-delimited  string enclosed  by quotes. The  example below shows how to set the TCP source ports parameters.  > use firewall firewall> set node.tcp.allow.dest=”22 23 80 5280”  Web GUI It is not possible to configure the state of the firewall and the open firewall ports via the web interface. It is enabled by default. 16.2  Gateway Firewall The gateway firewall blocks connections originating outside the EL-500 and its client address spaces  from  entering  the  device,  protecting  VAP  client  devices  from  unwanted  traffic.  The gateway firewall will permit return traffic for connections that originate from devices in the VAP client subnets.  If you have enabled NAT (see section 15.1.2), you will have an implicit firewall that limits the type of inbound connections that are possible.  CLI The  state  of  the  gateway  firewall  is  controlled  with  the  ‘gateway’  parameter  in  the  ‘firewall’ interface. Enable the gateway firewall with  > use firewall
Chapter 16: Controlling Access to the ER-1000  TR0190 Rev. A1    102 firewall> set gateway=yes  disable it with  > use firewall firewall> set gateway=no  Web GUI It is not possible to configure the state of the gateway firewall via the web interface. 16.3  Blocking Client-to-Client Traffic Client-to-client traffic can be blocked or permitted on a per-interface basis. By enabling client-to-client  traffic  blocking  for  one  or  more  of  an  EL-500’s  client  access  interfaces,  the  client devices that attach to that particular interface will not be able to communicate with any client devices  attached  to  that  or  any  other  client  access  interface  on  the  EL-500.  Client-to-client traffic can be controlled for interfaces wlan1, wlan2, wlan3, and wlan4.  CLI  The parameters that control client-to-client access are all in the ‘firewall’ interface. They are:  •  node.allowc2c.wlan1 •  node.allowc2c.wlan2 •  node.allowc2c.wlan3 •  node.allowc2c.wlan4  To  block  client-to-client  traffic,  select  the  ‘firewall’  interface  and  set  the  parameter  for  the appropriate interface to ‘no’, To allow traffic between client devices, set the parameter to ‘yes’. The examples below illustrate how to configure these parameters.   To block client-to-client traffic for client devices attached to wlan1:  > use firewall firewall> set node.allowc2c.wlan1=no  To allow client-to-client traffic for client devices attached to wlan2:  > use firewall firewall> set node.allowc2c.wlan2=yes
Chapter 16: Controlling Access to the ER-1000  TR0190 Rev. A1    103 Web GUI The  client isolation parameters can be  set  via the  web interface on the “Firewall”  tab on the “Security”  page  (see  Figure  48).  By  setting  an  interface’s  client  isolation  parameter  to  ‘yes’, client devices connecting to that interface will not be able to communicate with any other client devices connected to the EL-500.   Figure 48. Connection-related firewall settings  Note  that devices  connected to  different interfaces  can  only communicate  with  each  other if client-to-client isolation is disabled for both interfaces.   Client-to-client  isolation  is  only  enabled  if  the  EL-500  firewall (firewall.node.enable) is enabled (section 16.1). 16.4  Connection Tracking The  firewall  keeps  track  of  existing  TCP  connections.  It  is  advisable  to  enable  connection tracking for public networks that can have large numbers of users. In particular, it is important to  enable connection  tracking  if  your  network is  heavily  loaded  or if  it has  users running file
Chapter 16: Controlling Access to the ER-1000  TR0190 Rev. A1    104 sharing applications. A number of parameters are available for tuning how connection tracking is handled. 16.4.1  Connection Tracking Table Size The  size  of  the  connection  tracking  table  can  be  set.  Allowed  values  are  in  the  range  from 4096 to 16384. A larger connection tracking table allows more connections to be maintained without dropping older connections. Typically, the default size of 8192 is adequate for normal operation  and the  setting should  only  be increased  on devices  with high levels  of  traffic and many users.  CLI The  connection  tracking  table  size  is  set  by  selecting  the  ‘firewall’  interface  and  setting  the ‘conntrack.table_size’ parameter.  > use firewall firewall> set conntrack.table_size=16384  Web GUI The connection tracking table size is set with the “Conntrack Size” field on the “Connections” sub-tab on the “Firewall” tab of the “Security” page (see Figure 48). This field is located under the “Connection Tracking” heading. 16.4.2  Connection Tracking Timeout The connection tracking timeout parameter allows you to flush connections that have been idle for  an  extended  period  of  time  from  the  connection  tracking  table.  This  will  help  limit  the maximum  required  size of  the  connection  tracking  table.  By  default,  this  parameter  is  set  to 3600 seconds (1 hour).  CLI The  connection  tracking  timeout  is  set  by  selecting  the  ‘firewall’  interface  and  setting  the ‘conntrack.tcp_timeout_established’ parameter. The timeout is specified in seconds.  > use firewall firewall> set conntrack.tcp_timeout_established=3600
Chapter 16: Controlling Access to the ER-1000  TR0190 Rev. A1    105 Web GUI The  connection  tracking  timeout is set  with  the “Conntrack  Connection  Timeout”  field  on the “Connections” sub-tab on the “Firewall” tab of the “Security” page (see Figure 48). This field is located under the “Connection Tracking” heading. Specify the timeout limit in seconds. 16.4.3  Limiting Number of TCP Connections Per Client Device The number of TCP connections allowed per client device can be limited. For most use cases, setting the connection limit to 30 is sufficient.   Users running file sharing applications may have difficulties establishing connections when  TCP  connection  limiting is  enabled  since  the file  sharing  application  may be consuming the maximum number of TCP connections allowed.  CLI The ‘conntrack.connlimit.enable’ parameter in the ‘firewall’ interface is used to set the state of TCP  connection  limiting.  The  ‘conntrack.connlimit.connections’  parameter  is  used  to  set  the maximum number of connections allowed per client device.  > use firewall firewall> set conntrack.connlimit.enable=yes firewall> set conntrack.connlimit.connections=30  Web GUI The  TCP  connection  limit-related  settings  are  set  on  the  “Connections”  sub-tab  on  the “Firewall” tab of the “Security” page (see Figure 48). The “Conntrack Limiting” drop-down box sets  the  state  of  TCP  connection  limiting  and  the  “Conntrack  Connection  Limits”  sets  the maximum number of TCP connections allowed per client device. 16.5  Custom Firewall Rules Custom firewall rules can be added that control how traffic forwarded by an EL-500 is handled. For example, rules can be added to:  •  Block client traffic on certain ports •  Block traffic from a given client access interface to a certain subnet  The custom firewall rules can be added on the “Custom Rules” sub-tab on the “Firewall” tab on the  “Security”  page  as  shown  in  Figure  49. These  rules  are  specified  as  you  would  specify
Chapter 16: Controlling Access to the ER-1000  TR0190 Rev. A1    106 rules  for  iptables,  with  the  exception  of  the  chain  that  they  are  to  be  added  to  cannot  be specified. All rules will be applied to the iptables forwarding chain.  List one  rule per  line  in  the  text box on  the  “Custom  Rules”  tab  and click on  the “Save and Apply Changes” button when all rules have been entered. The following examples of custom rules illustrate how to use the custom firewall interface.  Blocking SMTP traffic 25   This rule will block all SMTP traffic, which uses port 25.  -dport 25 -j DROP  Limiting Access Based on Client Access Interface  Packets can be filtered based upon which interface they were received through. For example, wlan1 and wlan2 can be used to provide users with access to two different,  private subnets, while  wlan3  users  have  access  to  neither  of  these  subnets.  Users  of  all  wlans  would  have access to the Internet though. The following rules will:  •  Drop traffic from wlan1 destined for the 192.168.2.0 subnet •  Drop traffic from wlan2 destined for the 192.168.1.0 subnet •  Drop traffic from wlan3 destined for the 192.168.1.0 and 192.168.2.0 subnets  -i wlan1 --dst 192.168.2.0/24 -j DROP -i wlan2 --dst 192.168.1.0/24 -j DROP -i wlan3 --dst 192.168.1.0/24 -j DROP -i wlan3 --dst 192.168.2.0/24 -j DROP
Chapter 16: Controlling Access to the ER-1000  TR0190 Rev. A1    107  Figure 49. Custom firewall settings 16.6  Access Control Lists (ACLs) The  access  control  lists  (ACLs)  for  the  VAP  interfaces  (wlan1-wlan4)  block  access  to  any device with a MAC address matching those on the list. Individual ACLs can be defined for each VAP.  Web GUI The ACLs can be defined via the web interface on the appropriate “wlanN” sub-tab under the “ACL” tab on the “Security” page as shown in Figure 50. Enter a MAC address and click on the “Add  MAC”  button  to  add  the  address  to the ACL for  that  VAP. Once  an  address  has  been added, it will appear at the bottom of the page. To delete a MAC address in an ACL, click on the “Delete MAC” button next to the address.  The ACL for an VAP  must be enabled after it has been created. Choose “blacklist” from  the drop-down menu and click on “Change ACL Mode” to enable the list. Choose “none” from the drop-down menu and click on “Change ACL Mode” to disable the ACL.
Chapter 16: Controlling Access to the ER-1000  TR0190 Rev. A1    108  Figure 50. VAP ACL configuration
Chapter 17: Quality of Service (QoS) Configuration  TR0190 Rev. A1    109 17  Quality of Service (QoS) Configuration QoS  rate  limiting  and  reservations  are  not  supported  when  the  EL-500  is operating in bridge mode. Priority level settings are supported in bridge mode.  The  EL-500  has  extensive  support  for  quality  of  service  settings  that  allow  traffic  to  be prioritized based on the source interface, destination interface, and type of traffic. The EL-500 QoS scheme allows both rate limiting and rate reservation for all interfaces.  17.1  Priority Levels The Flow Priority parameters  set the  relative priority of outbound traffic  based on the source interface. These parameters can be set to an integer value in  the range from 0 to 99, with a higher number indicating a higher priority. If a flow priority level parameter is set to ‘inherit’, the associated  interface  will  assume  the  default priority level  set. The  default  flow  priority  is the flow  priority  ‘inherited’  by  each  interface  if  another  flow  priority  setting  is  not  applied.  The default flow priority is configurable.  Traffic originating  from  an  interface  with  a higher priority  will take priority  over traffic from all interfaces  with  a  lower  priority  value  until  the  higher-priority  interface  has  no  more  data  to send. If multiple interfaces have the same priority level, their traffic will be given equal access to  the  outbound  interface.  Rate  reservation  and  rate  limiting,  described  in  the  following sections,  can  be  used  to  avoid  one  interface  dominating  the  use  of  the  Ethernet  interface bandwidth.  The absolute values of the flow priority settings do not have any weighting effect. If a flow  priority  is  higher  for  one  interface  than  another,  the  former  will  always  be prioritized with any remaining bandwidth allocated to the other one.  The Max/Min Hardware Priority parameters can be used to limit the hardware priority queues that  traffic  from  a  particular  interface  can  use  for  outbound  traffic.  Valid  values  for  these parameters are from 1 to 4, which are the priority levels listed in Table 13.   Abbreviation  Description  Priority level VO  Voice  4 (highest) VI  Video  3 BE  Best Effort  2 BK  Background  1 (lowest) Table 13. Hardware priority levels  BRIDGE
Chapter 17: Quality of Service (QoS) Configuration  TR0190 Rev. A1    110 When  sending  data  out  through  any  of  the  wireless  interfaces  (wlanN),  these  hardware priorities map directly to the 802.11e hardware priority output queues on the wireless card. The default level for all traffic is Best Effort.  To  increase  the  hardware  priority  of  all  traffic  originating  from  a  particular  interface,  set  the value of Min Hardware Priority to a value larger than 1. This will force all traffic from the chosen interface to use a hardware queue equal to or greater than the Min Hardware Priority value set. To reduce the  maximum hardware  priority of traffic from an interface, set the Max Hardware Priority parameter to  a value less than 4. To  disable hardware prioritization, set the Min/Max Hardware Priority parameters to ‘0’.  Setting an interface’s flow priority above that of another interface results in all traffic originating  on  the  higher  flow  priority  interface  blocking  traffic  on  the  lower  priority interface until all traffic from the prioritized interface has been sent. In comparison, elevating  the  Min  Hardware  Priority  associated  with  an  interface  will  prioritize,  but not  fully  block  traffic  tagged  with  a  lower  hardware  priority.  Instead  the  medium access  delay  will  be  reduced  (as  dictated  by  the  IEEE  802.11e  standard)  for  the traffic  with  the  elevated  hardware  priority.  Thus,  these  two  priority  types  provide different  gradations of  quality  control,  even when applied  en mass to  an  interface, although further refinements can be set using the EnRoute1000 rate limiting features discussed below.   Changing hardware priorities does not affect the rate limiting and reservation (section 17.2), it only affects which output hardware queues that provide the required support for the 802.11e standard.  CLI Flow  priority  levels  are  set  with  the  ‘in.<intf>.flow_priority’  parameters  in  the  ‘qos’  interface, where  <intf>  is  one  of  the  following:  default,  local,  eth0,  wlan1,  wlan2,  wlan3,  wlan4.  ‘local’ refers to traffic originating on the device itself, not from its client devices. The example below sets  locally  generated  traffic  to  have  top  priority  and  wlan1  to  have  priority  over  all  other interfaces.  > use qos qos> set in.default.flow_priority=10 qos> set in.local.flow_priority=90 qos> set in.wlan1.flow_priority=20 qos> set in.wlan2.flow_priority=inherit qos> set in.wlan3.flow_priority=inherit qos> set in.wlan4.flow_priority=inherit qos> set in.eth0.flow_priority=inherit  Hardware  priority  levels  are  set  with  ‘in.<intf>.hwpri{max,min}’  in  the  ‘qos’  interface,  where <intf> is one of the following: default, local, eth0, wlan1, wlan2, wlan3, wlan4.
Chapter 17: Quality of Service (QoS) Configuration  TR0190 Rev. A1    111 The example below shows how to configure the system such that all traffic from ‘wlan1’ with a ‘Voice’ or ‘Video’ priority will be reduced to a ‘Best Effort’ priority. Traffic with ‘Best Effort’ and ‘Background’ priorities will not be affected.  > use qos qos> set in.wlan1.hwpri.max=2  The example below shows how to configure the system such that all traffic from ‘wlan2’ with a ‘Background’ or ‘Best Effort’ priority will be increased to a  ‘Video’ priority. Traffic  with ‘Video’ and ‘Voice’ priorities will not be affected.  > use qos qos> set in.wlan2.hwpri.min=2   Web GUI Flow priorities can be  set via the web interface under the “QoS” tab on the “QoS” page (see Figure  51).  The  hardware  priority  levels  can  be  set  for  each  interface  under  the  “Advanced QoS” tab on the “QoS” page (see Figure 52).   Figure 51. QoS settings
Chapter 17: Quality of Service (QoS) Configuration  TR0190 Rev. A1    112   Figure 52. Advanced QoS configuration (only settings for some interfaces are shown) 17.2  Rate Limiting A rate limit can be set at each QoS Control Point shown in Figure 53. The Control Points can be split into three groups, listed below in decreasing order of importance:  •  Interface output limit •  Interface output limit of traffic from a particular interface •  Interface output limit of traffic of a certain type from a particular interface   All  rate  limit  parameter  values  are  in  kbps.  If  no  rate  limit  parameter  is  set,  rate limiting will be disabled for that interface or interface and traffic combination.
Chapter 17: Quality of Service (QoS) Configuration  TR0190 Rev. A1    113 The maximum output data rate for interfaces can be limited with the Output Limit parameters for each client access interface. The default output limit value is applied to interfaces that have the Output Limit parameter set to ‘inherit’.    Figure 53. Quality of Service rate limit control points  Data rate limits can also be imposed based on traffic type through an interface. The maximum data rate for a certain type of traffic that enters the EL-500 through a particular interface and exits it through another interface can be limited.   There is no standalone input rate limiting. Limiting the input rate of an interface on the EL-500 only makes sense in the context of the output for another interface(s). In most cases you are concerned with eth0 as the output interface.   CLI The  example  below  shows  how  to  limit  the  maximum  output  rate  of  the  eth0  interface  to  8 Mbps and the maximum output rates of all four wlanN interfaces to 2 Mbps each.  > use qos qos> set out.eth0.limit=8192 qos> set out.wlan1.limit=2048 qos> set out.wlan2.limit=2048 qos> set out.wlan3.limit=2048 qos> set out.wlan4.limit=2048  The  maximum  data  rate  for  traffic  that  enters  the  EL-500  through  a  particular  interface  and exits  it  through  another  interface  can  be  limited  with  the  ‘out.<output  intf>.<input  intf>.limit’ parameters  in  the  ‘qos’  interface,  where  <output  intf>  is  one  of  the  following:  default,  eth0,
Chapter 17: Quality of Service (QoS) Configuration  TR0190 Rev. A1    114 wlan1, wlan2, wlan3, wlan4; and <input intf> is one of the following: default, eth0, local, wlan1, wlan2, wlan3, wlan4. The ‘out.default.default.limit’ value is applied to interfaces that have the ‘out.<output intf>.<input intf>.limit’ parameter set to ‘inherit’ or is left blank.   The example below shows how to  limit the maximum output rate of data from wlan1, wlan2, wlan3,  and  wlan4  through  the  eth0  interface  to  2  Mbps,  1  Mbps,  512  kbps,  and  256  kbps, respectively.  > use qos qos> set out.eth0.wlan1.limit=2048 qos> set out.eth0.wlan2.limit=1024 qos> set out.eth0.wlan3.limit=512 qos> set out.eth0.wlan4.limit=256  Traffic  type  limits  can  be  set  with  the  ‘out.<output  intf>.<input  intf>.<traffic  type>.limit.’ parameters  in  the  ‘qos’  interface,  where  <output  intf>  is  one  of  the  following:  default,  eth0, wlan1,  wlan2,  wlan3,  wlan4;  <input  intf>  is  one  of  the  following:  default,  eth0,  local,  wlan1, wlan2, wlan3, wlan4; <traffic type> is one of the following: ‘vo’, ‘vi’, ‘be’, ‘bk’ (see Table 13 for description of traffic types).  The example below shows how to  limit the maximum output rate of voice, video, best effort, and background traffic from wlan1 through the eth0 interface to 256 kbps, 1 Mbps, 256 kbps, and 256 kbps, respectively.  > use qos qos> set out.eth0.wlan1.vo.limit=256 qos> set out.eth0.wlan1.vi.limit=1024 qos> set out.eth0.wlan1.be.limit=256 qos> set out.eth0.wlan1.bk.limit=256  Web GUI The  interface-  and  traffic-based  Output  Limit  parameters  can  be  set  via  the  web  interface under the “QoS” and “Advanced QoS” tabs on the “QoS” page (see Figure 51 and Figure 52). 17.3  Rate Reservation Rate reservation is used to guarantee bandwidth for certain types of traffic. Rate reservations can be made for traffic based on:  •  The traffic input and output interfaces  •  The traffic type, input interface, and output interface
Chapter 17: Quality of Service (QoS) Configuration  TR0190 Rev. A1    115 For rate reservations to be enforced, a rate limit must be set for the traffic type that the reservation is made for. Setting a rate limit for a broader traffic type, of which the one the reservation is made for is a subset, is also acceptable. For example,  when making  a rate reservation  for voice traffic  from wlan1  to  eth0 (‘out.eth0.wlan1.vo.reserve’),  a  limit  must  be  set  with  ‘out.eth0.limit’, ‘out.eth0.wlan1.limit’, or ‘out.eth0.wlan1.vo.limit’.  Rate  reservations  guarantee  bandwidth  for  a  particular  traffic  type,  but  if  no  such  traffic  is present, the bandwidth reserved will be returned to the pool of available bandwidth for other traffic types to use. The points at which rate reservations can be made are shown in Figure 54. These  points  are  similar  to  where  rate  limits  can  be  placed,  except  that  rate  reservations require both an input and output interface, whereas rate limits can be made without specifying an input interface.   Figure 54. Quality of Service rate reservation control points  All rate reservation parameter values are in kbps. If no rate reservation parameter is set,  rate  reservation  will  be  disabled  for  that  interface  or  interface  and  traffic combination.  A rate reservation, which guarantees a certain amount of bandwidth, can be made for traffic that  enters  the  EL-500  through  a  particular  interface  and  exits  it  through  another  interface. Rate reservations can also be set based on traffic type through an interface. The default value set  for  the  EL-500  rate  reservation  is  applied  to  interfaces  that  have  their  bandwidth reservation parameters set to ‘inherit’ or are left blank.
Chapter 17: Quality of Service (QoS) Configuration  TR0190 Rev. A1    116 CLI The parameters that are used to set these rate reservations are in the ‘qos’ interface and are of the form ‘out.<output intf>.<input intf>.reserve’, where <output intf> is one of the following: default, eth0, wlan1, wlan2, wlan3, wlan4; and <input intf> is one of the following: default, eth0, local, wlan1, wlan2, wlan3, wlan4.  Typically,  most  rate  reservations  will  involve  reserving bandwidth  for  traffic  from  a  particular client access interface to the eth0 interface. The example below shows how to reserve differing amount  of  bandwidth on  eth0  for  traffic  originating  from  the wlan1,  wlan2, wlan3, and  wlan4 interfaces.  > use qos qos> set out.eth0.wlan1.reserve=2048 qos> set out.eth0.wlan2.limit=1024 qos> set out.eth0.wlan3.limit=512 qos> set out.eth0.wlan4.limit=256  A  rate  reservation  for  a  certain  type  of  traffic  that  enters  the  EL-500  through  a  particular interface  and  exits  it  through  another  interface  can  be  set  with  the  ‘out.<output  intf>.<input intf>.<traffic type>.reserve.’ parameters in the ‘qos’ interface, where <output intf> is one of the following: default, eth0, wlan1, wlan2, wlan3, wlan4; <input intf> is one of the following: default, eth0, local, wlan1, wlan2, wlan3, wlan4; <traffic type> is one of the following: ‘vo’, ‘vi’, ‘be’, ‘bk’ (see Table 13 for description of traffic types).  The  ‘out.default.default.limit’  value  is  applied  to  interfaces  that  have  the  ‘out.<output intf>.<input intf>.reserve’ parameter set to ‘inherit’ or is left blank.  The  example  below  shows  how  to  reserve  bandwidth  for  voice,  video,  best  effort,  and background traffic from wlan1 through the eth0 interface to 512 kbps, 1 Mbps, 256 kbps, and 128 kbps, respectively.  > use qos qos> set out.eth0.wlan1.vo.reserve=512 qos> set out.eth0.wlan1.vi.reserve=1024 qos> set out.eth0.wlan1.be.reserve=256 qos> set out.eth0.wlan1.bk.reserve=128  Web GUI The  rate  reservation  parameters  can  be  set  via  the  web  interface  under  the  “QoS”  and “Advanced QoS” tabs on the “QoS” page (see Figure 51 and Figure 52).
Chapter 18: Enabling VLAN Tagging  TR0190 Rev. A1    117 18  Enabling VLAN Tagging The EL-500 supports VLAN tagging, with each client access interface capable of supporting a different VLAN tag. 18.1  Client Access Interface Configuration VLAN tagging can be independently controlled on each client access interface (wlan1-4). The Enable  VLAN parameters  for  the ‘wlan1’, ‘wlan2’,  ‘wlan3’, and  ‘wlan4’ interfaces  controls  the state of VLAN tagging.   VLAN tagging must be enabled on the Ethernet interface for VLAN tags to be included in data frames sent to the LAN. See section 18.2 for more details.  The VLAN ID value for each client access interface is set with the VLAN ID parameter for each interface.  The  VLAN  ID  must  be  in  the  range  from  0  to  4095.  Note  that  0  and  4095  are reserved  values  and  1  is  the  default  VLAN  ID.  There  are  no  restrictions  on  VLAN  IDs  for different interfaces having to match or be different.  CLI The example below shows how to enable VLAN tagging  on  the ‘wlan1’ interface and set the VLAN ID to 12 using the parameters ‘vlan.enable’ and ‘vlan.id’ in the ‘wlan1’ interface.   > use wlan1 wlan1> set vlan.enable=yes > use wlan1 wlan1> set vlan.id=12  Web GUI The  VLAN  Enable  and  VLAN  ID  parameters  can  be  set  via  the  web  interface  under  the “wlanN” tabs on the “Wireless Interfaces” page and on the “Wired Interface” page (see Figure 55).
Chapter 18: Enabling VLAN Tagging  TR0190 Rev. A1    118  Figure 55. Configuring VLAN for VAP interfaces 18.2  Ethernet Interface Configuration For VLAN tags to be preserved on traffic that traverses the Ethernet interface, VLAN support must  be  enabled  for  the  Ethernet  interface.  The  “Enable  VLAN”  parameter  for  the  wired interface  controls  the  state  of  VLAN  tagging.  If  VLAN  tagging  is  enabled  on  the  Ethernet interface, all outbound traffic will have its VLAN tags preserved. If VLAN tagging is disabled for the  Ethernet  interface,  all  VLAN  tags  will  be  stripped  from  frames  received  through  the Ethernet interface.
Chapter 18: Enabling VLAN Tagging  TR0190 Rev. A1    119 When VLAN is  enabled  for the  wired  interface, data  frames forwarded  by the  EL-500  to the LAN will preserve their existing VLAN tag, if they have one. Frames that do not have a tag will be tagged with the default VLAN ID for the EL-500’s Ethernet interface. The VLAN ID must be in the range  from  0  to  4095. Note  that 0  and  4095 are  reserved  values  and  1  is the  default VLAN ID.  CLI The  example  below  shows  how  to  enable  VLAN  tagging  on  Ethernet  interface  using  the ‘vlan.enable’ parameter in the ‘eth0’ interface.   > use eth0 eth0> set vlan.enable=yes  The example below shows how to set the VLAN ID for the Ethernet interface using the ‘vlan.id’ parameter in the ‘eth0’ interface.  > use eth0 eth0> set vlan.id=1  Web GUI The  Ethernet interface  VLAN parameters  are  set  on  the “Wired  Interface” page  as  shown  in Figure 56.   Figure 56. Configuring VLAN for Ethernet interface
Chapter 19: Integration with Enterprise Equipment  TR0190 Rev. A1    120   19  Integration with Enterprise Equipment The EL-500 supports authentication, accounting, and monitoring services that easily integrate with enterprise equipment. In this section the following topics are described:  •  Splash pages •  Layer 2 client emulation  Splash pages are not supported and Layer 2 emulation is unnecessary when operating in bridge mode. 19.1  Configuring Splash Pages The  EL-500  supports  splash  pages,  which  can  be  used  to  restrict  access  to  the  802.11 network and provide information to users that connect to the network. When a user connects through a client access interface to an EL-500 with splash page support enabled, the splash page  for  the  appropriate  interface  will  be  displayed  and  the  user  will  be  restricted  from accessing  other  destinations  on the  Internet  until  they  have logged in.  The splash  page can require  the  user  to  enter  logon  credentials  or  simply  click  a  button  to  complete  the  login process.   To use splash pages, a number of URLs for  login, successful login, and failed login must be specified.  A  RADIUS  server  that  provides  authentication  services  may  also  need  to  be specified. 19.1.1  Enabling Splash Pages The  enabling  of  splash  pages  can  be  controlled  on  a  per-interface  basis.  Two  splash  page modes are supported – one which requires client device users to login in to gain access to the network  and  another  which  requires  them  to  simply  click  on  a  button  on  the  web  page  to proceed.   CLI Enable  or  disable  splash  pages  with  the  ‘splash.enable.wlanN’  parameters  in  the  ‘sys’ interface. For a splash page to be displayed on an interface, the appropriate parameter  must be set to ‘yes’. The example below illustrates how to set the ‘splash.enable.wlan1’ parameter in the ‘sys’ interface to enable splash pages for the wlan1 interface.  > use sys sys> set splash.enable.wlan1=yes BRIDGE
Chapter 19: Integration with Enterprise Equipment  TR0190 Rev. A1    121  Use the ‘splash.auth.server.wlanN.enable’ parameters in the ‘sys’ interface to select whether a user  is  required  to  provide  login  credentials  for  a  particular  interface.  The  example  below illustrates how to set the parameter for the wlan1 interface such that a user will be required to login to access the network.  > use sys sys> set splash.auth.server.enable.wlan1=yes  Web GUI Splash pages can be enabled on a per-interface basis on the “Splash Pages” sub-tab under the “AAA” tab on the “System Parameters” page of the web interface (see Figure 57). Setting whether  client  login  is  required  can  also  be  set  on  this  page  with  the  “Require  Login” parameter.    Figure 57. Splash page configuration
Chapter 19: Integration with Enterprise Equipment  TR0190 Rev. A1    122 19.1.2  Configuring Splash URLs The URL that a user is redirected to for login purposes can be individually configured for each client access interface that supports splash pages (wlan1-4). URLs for successful login, failed login, and error conditions can also be specified for each interface.   The ‘login URL’ parameter sets the URL that a user is redirected to when they attach to the interface  and  have  not  yet  been  authenticated.  This  parameter  should  not  be  left  blank  if splash  pages  are  enabled  for  the  interface.  No  client  device  would  be  able  to  access  the network through the interface if splash pages are enabled and the login URL parameter does not point to a valid URL.  The  ‘success  URL’  parameter  sets  the  URL  that  a  user  is  redirected  to  when  they  have successfully logged in. If this variable is left blank, a default page that indicates login success will be displayed.  The ‘fail URL’ parameter sets the URL that a user is redirected to when a login attempt fails. If this variable is left blank, a default page that indicates login failure will be displayed.  The  ‘error  URL’  parameter  sets  the  URL  that  a  user  is  redirected  to  when  a login  error has occurred. For example, this page would be displayed if a valid authentication server could not be reached. If this variable is left blank, a default page that indicates an error has occurred will be displayed.  CLI In  the  examples  that  follow,  <intf>  represents  any  of  the  client  access  interfaces  ‘wlan1’, ‘wlan2’, ‘wlan3’, or ‘wlan4’. The ‘splash.url.<intf>.login’ parameters in the ‘sys’ interface set the login  URLs.  The  ‘splash.url.<intf>.success’  parameters  in  the  ‘sys’ interface  set  the  success URLs.  The  ‘splash.url.<intf>.fail’  parameters  in  the  ‘sys’  interface  set  the  fail  URLs.  The ‘splash.url.<intf>.error’ parameters in the ‘sys’ interface set the error URLs   The example below shows how the ‘wlan1’ and ‘wlan2’ interfaces can be  set to use different URLs for the login process.  > use sys sys> set splash.url.wlan1.login=http://server.domain.com/wlan1_login.htm sys> set splash.url.wlan1.success=http://server.domain.com/wlan1_success.htm sys> set splash.url.wlan1.fail=http://server.domain.com/wlan1_fail.htm sys> set splash.url.wlan1.error=http://server.domain.com/wlan1_error.htm sys> set splash.url.wlan2.login=http://server.domain.com/wlan2_login.htm sys> set splash.url.wlan2.success=http://server.domain.com/wlan2_success.htm sys> set splash.url.wlan2.fail=http://server.domain.com/wlan2_fail.htm sys> set splash.url.wlan2.error=http://server.domain.com/wlan2_error.htm
Chapter 19: Integration with Enterprise Equipment  TR0190 Rev. A1    123 Web GUI All of the splash page-related URLs can be set on the “Splash Pages” sub-tab under the “AAA” tab on the “System Parameters” page of the web interface (see Figure 57). 19.1.3  Sample HTML Code for Splash Pages The login HTML page must contain specific form information as shown in the sample code in Figure 58 and Figure 59. Figure 58 contains the code required for an interface that requires a login.  Figure  59  contains  code  for  a  login  page  that  the  user  just  clicks  through  to  unlock network access.   The critical lines in Figure 58 are 6, 12, 15, and 19. The ‘action’ value in line 6 of Figure 58 must point to a server name for which there is a DNS proxy entry on the EL-500 and the last part  of  it  must  be  ‘/radius/login.cgi’.  The  DNS  proxy  entry,  which  will  be  different  for  each deployed EL-500, must be mapped to one of the EL-500’s IP addresses (see section 9.4 for more information on how to set DNS proxy configuration).   The example below shows how to configure the DNS proxy assuming the login page redirects to the host ‘redirect.domain.com’ and the IP address of the wlan1 interface is 10.1.2.1.  > use sys sys> set dnsproxy.enable=yes sys> set dnsproxy.hosts=”dns.proxy.name.here=10.1.2.1”  The DNS proxy setting is used in conjunction with the splash pages to ensure that a common  login  URL  can  be  used  on  all  EL-500.  The  DNS  proxy  entry  directs  the results of the login process to the right location – that is, the EL-500 that the client device is connected to.  The login page must also contain the ‘input’ fields on lines 12, 15, and 19. These are used to allow  a  user  logging  in  to  provide  their  username  and  password,  and  to  submit  them.  The names of these input fields, ‘username’, ‘password’, and ‘login’, must not be changed.
Chapter 19: Integration with Enterprise Equipment  TR0190 Rev. A1    124 1 <html> 2 <head> 3   <title>Test Login Page</title> 4 </head> 5 <body> 6   <form method="POST" action="https://dns.proxy.name.here/radius/login.cgi"> 7   Welcoming text or 'Terms of Service' could go here. <br /> 8  9   <table border="0"> 10   <tr> 11     <td> Username: </td> 12     <td> <input name="username" type="text"><br /> </td> 13   </tr><tr> 14     <td> Password: </td> 15     <td> <input name="password" type="password"> </td> 16   </tr> 17   </table> 18  19     <input name="login" type="submit" value="Submit"> 20   </form> 21 </body> 22 </html> Figure 58. Sample HTML code for login web page with password authentication  If  the  splash  page  is  not  configured  to  require  a  user  to  provide  login  credentials,  the requirements for the login page are slightly different,  as shown in Figure 59. The page must still contain a form definition similar to that on line 6 in Figure 59. The ‘action’ value must be set to point to a proxied server name, just as for the case where a user is required to provide login credentials. The last part of the ‘action’ value must be ‘/splash/nologin.cgi’. Also, a button with the name ‘login’ must be defined, as shown on line 8 of Figure 59.  1 <html> 2 <head> 3   <title>Test Login Page</title> 4 </head> 5 <body> 6   <form method="POST" action="https://dns.proxy.name.here/splash/nologin.cgi"> 7   Welcoming text or 'Terms of Service' could go here.<br /> 8     <input name="login" type="submit" value="Continue"> 9   </form> 10 </body> 11 </html> Figure 59. Sample HTML code for web page when authentication is disabled 19.1.4  Configuring the Authentication Server A  RADIUS  authentication  server  must  be  specified  when  the  splash  page  is  enabled  for  an interface and login is required. The following parameters must be specified:  •  the server address – can be either a hostname or and IP address
Chapter 19: Integration with Enterprise Equipment  TR0190 Rev. A1    125 •  the port on the server that the RADIUS server is listening on •  the shared secret – must be a string of alphanumeric characters that is 32 characters or less in length.  CLI The  ‘splash.auth.server.<intf>.host’,  ‘splash.auth.server.<intf>.port’,  and ‘splash.auth.server.<intf>.secret’  parameters  in  the  ‘sys’  interface,  where  <intf>  is  either ‘wlan1’,  ‘wlan2’,  ‘wlan3’,  or  ‘wlan4’,  specify  the  authentication  server  to  use.  The  example below shows how to configure the authentication server for interfaces ‘wlan1’ and ‘wlan2’.  > use sys sys> set splash.auth.server.wlan1.host=auth1.yourserverhere.com sys> set splash.auth.server.wlan1.port=1812 sys> set splash.auth.server.wlan1.secret=authsecret sys> set splash.auth.server.wlan2.host=auth2.yourserverhere.com sys> set splash.auth.server.wlan2.port=1812 sys> set splash.auth.server.wlan2.secret=authsecret  Web GUI The  authentication  server  parameters  can  be  set  on  the  “Splash  Pages”  sub-tab  under  the “AAA” tab  on  the “System  Parameters” page  of  the  web  interface  (see  Figure  57)  using the fields for “Login Server Address”, “Login Server Port”, and “Login Server Secret”. 19.1.5  Trusted MAC Addresses A  list  of  trusted  MAC  addresses,  which  do  not  require  splash  page  authentication,  can  be defined.  When  a  device  with  one  of  these  MAC  addresses  connects  to  an  EL-500,  it  will automatically have full access to the WAN.   CLI The list of trusted MAC addresses is set with the ‘splash.trusted_macs’ parameter in the ‘sys’ interface.  The  MAC  addresses  are  specified  as  a  list  of  48-bit  addresses  separated  by commas. An example of setting this parameter is shown below.  > use sys sys> set splash.trusted_macs="aa:bb:cc:00:00:01,aa:bb:cc:00:00:02"  Web GUI The  authentication  server  parameters  can  be  set  on  the  “Advanced  Splash  Pages”  sub-tab under the “AAA” tab on the “System  Parameters” page of the web interface  (see Figure 60). The list of trusted MAC addresses is displayed on this page. To delete a trusted MAC from the list, click on the “Delete MAC” button next to the MAC address.
Chapter 19: Integration with Enterprise Equipment  TR0190 Rev. A1    126   Figure 60. Adding trusted MAC addresses and accessible hosts 19.1.6  Bypass Splash Pages for Access to Specific Hosts It is possible to specify a list of IP addresses that client devices can access without the client devices having to view a splash screen.   CLI The list of hosts that can be accessed without having to view a splash screen is set with the ‘splash.bypass_hosts’  parameter  in  the  ‘sys’  interface.  The  hosts  are  specified  by  their  IP addresses and must be separated by commas. An example of setting this parameter is shown below.  > use sys sys> set splash.bypass_hosts="1.1.1.1,2.2.2.2"
Chapter 19: Integration with Enterprise Equipment  TR0190 Rev. A1    127 Web GUI The IP addresses of hosts that can be accessed without having to view a splash screen can be set on the “Advanced Splash Pages” sub-tab under the “AAA” tab on the “System Parameters” page  of  the  web  interface  (see  Figure  60).  The  list  of  IP  addresses  of  bypassed  hosts  is displayed on this page. To delete an IP address from the list, click on the “Delete Host” button next to the IP address. 19.2  Layer 2 Emulation Certain back-end systems (e.g. Internet gateways) use the MAC addresses of client  devices for  authentication  and  accounting  purposes.  When  the  EL-500  is  operating  in  routed  mode client  device  MAC  addresses  are  typically  not  provided  to  the  back-end  servers.  A  layer  2 emulation  mode  can  be  enabled  on  the  EL-500  to  provide  the  client  device  MAC  address information to back-end systems.  When layer 2 emulation is enabled, the EL-500 will send Ethernet (layer 2) frames to the LAN using the MAC address of  the device the packet originated from as the source address. The EL-500 will also act as a proxy and forward packets with MAC destination addresses of client devices that are connected to it.  In  layer  2  emulation  mode,  an  EL-500  will  respond  to  ARP  requests  if it  has  a  route  to  the target IP address contained in the ARP request. The list of subnets that the EL-500  has routes to includes implicit/explicit network addresses. Thus care must be taken that these subnets are not used elsewhere in the network.   Alternatively, to reduce the amount of address space consumed by the EL-500’s subnets, the ARP responses can be limited to certain parts of the EL-500’s address space. The EL-500 can be  configured  to  disregard  all  ARP  requests  except  for  those  with  IP  addresses  within  the client address space that it has a host or network route for.   CLI Layer 2 emulation is enabled with the ‘l2.client_mac_fwd’ parameter in the ‘sys’ interface. The example below shows how to enable layer 2 emulation.  > use sys sys> set l2.client_mac_fwd=yes  To  limit  the  range  of  addresses  for  ARP  requests  that  the  EL-500  will  respond  to,  set  the ‘l2.hide_internal.enable’  parameter  in  the  ‘sys’  interface  to  ‘yes’.  Set ‘l2.hide_internal.gateway.deny.all’  in  the  ‘sys’ interface  to ‘yes’ to disregard all ARP requests except for those with addresses within the client address subnet. The example shows how to disregard all ARP requests except for those for addresses within the client address space.
Chapter 19: Integration with Enterprise Equipment  TR0190 Rev. A1    128 > use sys sys> set l2.hide_internal.enable=yes sys> set l2.hide_internal.gateway.deny.all=yes  Web GUI The state of layer 2 emulation is set on the “System” tab of the “System” page (see Figure 61). The console interface in the web GUI must be used to configure which address ranges the EL-500 responds to ARP requests for. See the CLI section above for parameter names and set these using the console interface (see section 9.10).   Figure 61. Enabling/disabling layer 2 emulation
Chapter 20: Diagnostics Tools  TR0190 Rev. A1    129  20  Diagnostics Tools The  EL-500  has  a  number  of  diagnostics  tools  to  help  the  user  diagnose  and  correct configuration issues. These tools are available on the “Diagnostics” page, accessible from the navigation bar. The individual diagnostics tools are accessible from the row of tabs shown on the “Diagnostics” page. 20.1  Ping The “Ping” tab on the “Diagnostics” page allows the user to check for network connectivity by pinging a remote device (see Figure 62). Either an IP address, e.g. 10.1.2.3, or a hostname, e.g. www.yahoo.com, can be specified. The number of pings to send can be set  to 1, 10, or 100.  Click on “Ping Address” to start pinging the device. The results of the pings will appear on the bottom  half  of  the  page  shortly  after  clicking  on  the  button.  There  may  be  a  delay  of  a  few seconds to display the ping results if the ping destination is not responsive.   Figure 62. Pinging a remote device 20.2  Traceroute The  “Traceroute”  tab  on  the  “Diagnostics”  page  allows  the  user  to  determine  the  individual intermediary devices used to route traffic from the EL-500 to a remote device (see Figure 63).   Enter the IP address, e.g. 10.1.2.3, or hostname, e.g. www.yahoo.com, of the device you wish to  find  the  route  path  to.  Check  the  “Resolve  Names”  box  if  traceroute  should  show  device names,  when  available,  instead  of  just  IP  addresses.  Click  on  the  “Trace  Route”  button  to begin  tracing  the  route.  The  intermediary  nodes  will  be  displayed  on  the  bottom  half  of  the page. Click on “Stop Trace” to stop the tracing process.
Chapter 20: Diagnostics Tools  TR0190 Rev. A1    130   Figure 63. Determining the route from the EL-500 to a remote device using traceroute 20.3  Packet Capture The “Packet  Capture”  tab on the “Diagnostics” page allows the user to capture  traffic on the EL-500’s network interfaces (see Figure 64). The captured data can either be displayed in the web  interface  or saved  to  a  file  that  can  be downloaded  and  analyzed  using  3rd-party  tools, such as Wireshark (http://www.wireshark.org/). At most, 10 captured files can be saved on the EL-500 at any given time.  The  full array  of  options  available  for  packet  capture is  described  in  Table  14.  A  number  of examples of common packet capture scenarios are also presented below.  Capturing DHCP Traffic From Clients on wlan1  1.  Set “Interface” to “wlan1” 2.  Set “Protocol” to “all” 3.  Set “Packet Count” to “20” 4.  Set “Packet length” to 500 5.  Click on “DHCP” next to “Common Protocols” 6.  Set “Output” to “File” 7.  Click on “Start Capture” 8.  Allow the capture to complete automatically when the prescribed number of packets has been captured or click on “Stop Capture” to halt the capture 9.  The captured data is accessible by clicking on the link at the bottom of the page under the  heading  “Available  tcpdump  files”.  The  file  name  format  used  is  “<file prefix>_MMDDYYY.HHMM.  Click  on  this  link  to  save  it  to  your  computer.  The downloaded file can be parsed by packet analyzers such as Wireshark. 10. Click the checkbox next to the filename in the “Available tcpdump list” and click on the “Delete Selected” button. This will delete the file from the EL-500 and free up space for other capture files.  Capturing All Traffic From a Specific Client Device
Chapter 20: Diagnostics Tools  TR0190 Rev. A1    131  1.  Set “Interface” to the one that the client device is attached to 2.  Set “Protocol” to “all” 3.  Set “Packet Count” to “500” 4.  Set “Packet Length” to 500 5.  Set the “Optional Host” to the IP address of the client device of interest 6.  Set “Output” to “File” 7.  Click on “Start Capture” 8.  Allow the capture to complete automatically when the prescribed number of packets has been captured or click on “Stop Capture” to halt the capture 9.  The captured data is accessible by clicking on the link at the bottom of the page under the  heading  “Available  tcpdump  files”.  The  file  name  format  used  is  “<file prefix>_MMDDYYY.HHMM.  Click  on  this  link  to  save  it  to  your  computer.  The downloaded file can be parsed by packet analyzers such as Wireshark. 10. Click the checkbox next to the filename in the “Available tcpdump list” and click on the “Delete Selected” button. This will delete the file from the EL-500 and free up space for other capture files.   Figure 64. Capturing network traffic
Chapter 20: Diagnostics Tools  TR0190 Rev. A1    132 Option  Description Interface Selects the interface from which packets are captured. Note that some packets may be available  on  multiple  interfaces.  For  example,  data  from  a  client  device  connected  to wlan1  destined  for  a  device  on  the  Internet  will  pass  through  wlan1  and  the  wired interface. Protocol  Data can be captured for the following protocols: TCP, UDP, ICMP,  and ARP. Set the value to “all” if you do not wish to filter out packets based on protocol type. Packet Count  Sets the number of packets to capture. The provided settings are 20, 50, 100, and 500. Show Host Names  Captured data will show resolved host names instead of IP addresses when this option is selected.  Show MAC addresses In addition to IP address or hostnames, source and destination MAC addresses will be displayed for each packet when this option is selected. Packet Length Sets the length of each packet that should be captured. If you are only interested in the header contents of  a packet, this value  can be lowered to reduce the  size of  the  data capture file. If it is set to too low of a value, critical data may be not be captured though. Optional Host  Sets a host name or IP address to use for filtering purposes. All packets with this host as their source OR destination address will be captured. Optional Port Sets  a  port  to  use  for filtering  purposes.  All  packets  with  this  port  as  their  source  OR destination port will be captured. NOTE: this setting only has an effect on capture of TCP or UDP packets. Common Protocols  Click on the protocol names listed to add filtering parameters for them in the “Additional Parameters” text box. It is possible to select more than one protocol to filter on. Optional Additional Parameters The underlying application used to capture packets is tcpdump. Use this field to specify additional parameters to tcpdump that are not made available through the GUI.  Output Select whether to display the data on the webpage or to save it to a file, which can be downloaded  from  the  device.  The  file  name  format  used  is  “<file prefix>_MMDDYYY.HHMM. Output File Prefix  Sets an optional file prefix for saved files. Table 14. Packet capture options 20.4  Centralized DHCP Testing The “DHCP” tab on the “Diagnostics” page can be used to test access to an external DHCP server  when  the  EL-500  is  in  centralized  DHCP  server  mode  (see  Figure  65).  Click  on  the “Test DHCP” button to initiate a test. The results of the test will be displayed at the bottom of the page.   Figure 65. Testing the connection to an external DHCP server
Chapter 20: Diagnostics Tools  TR0190 Rev. A1    133 20.5  RADIUS Server Testing The “RADIUS” tab on the “Diagnostics” page can be used to test authentication of credentials by a RADIUS servers used for splash page or WPA authentication (see Figure 66). Use the procedure below to test the validity of credentials with a RADIUS server.  1.  Select the RADIUS server you want to use for the test from the drop-down menu 2.  Enter the credentials you want to test in the “Username” and “Password” fields 3.  Click on the “Test User” button   The  results  of  the  test  will  be  displayed  at  the  bottom  of  the  page.  Three  outcomes  are possible:  •  The credentials were authenticated by the server •  Communication was established with the server, but the credentials were not valid •  It was not possible to establish communication with the server   Figure 66. Testing credentials with a RADIUS server 20.6  Diagnostic Dump The “Diagnostic Dump” tab on the “Diagnostics” page allows the user to create a snapshot of diagnostic  data  that  can  be  downloaded  to  a  PC  and  sent  to  Tranzeo  technical  support  for analysis (see Figure 67).
Chapter 20: Diagnostics Tools  TR0190 Rev. A1    134  Figure 67. Generating a diagnostic dump  The list of diagnostic dumps available for download is displayed at the bottom of the page. The diagnostic  dumps  can  be  downloaded  by  clicking  on  the  filenames.  To  delete  one  or  more diagnostic dumps, select the check boxes next to the ones you wish to delete and then click on the “Delete Selected” button.
Chapter 21: Firmware Management  TR0190 Rev. A1    135 21  Firmware Management 21.1  Displaying the Firmware Version The firmware version string contains the following information:  •  Build date •  Major version number •  Minor version number •  Build number  These values are embedded in the version string as follows:  enroute1000_< Build date >_< Major version >_< Minor version >_< Build number>  CLI Firmware version information is available in the ‘version’ interface. The example below shows how to display the current firmware version.  > use version version> get release  release = ENROUTE1000_20070911_03_00_0215  Web GUI The  firmware  version  is  displayed  at  the  top  of  the  “Status”  page  accessible  via  the  web interface. 21.2  Upgrading the Firmware The EL-500 supports secure remote firmware upgrade.   Prior to upgrading firmware, please contact Tranzeo technical support to find out  if  there  are  any  version-specific  instructions  for  upgrading  from  the firmware version you are currently using.  The  EL-500  must  have  access  to  the  Internet,  and  specifically  the  Tranzeo upgrade server, to complete an upgrade.
Chapter 21: Firmware Management  TR0190 Rev. A1    136 If power  to the  EL-500  is  lost during the  upgrade process,  it  is possible  that the device will become inoperable.   The  firmware  can  be  upgraded  using  the  “Upgrade”  page.  This  page  displays  the  following information:  •  Firmware currently installed on the EL-500 •  Firmware available on the remote upgrade server •  Firmware available in the non-volatile memory of the EL-500 •  Space used/available in non-volatile memory for storing upgrade images  Follow the procedure below to upgrade the firmware on a device:  1.  Select the firmware version you want to upgrade to from the “Firmware on Server” box  2.  Click on the button with the arrow to the right of the “Firmware on Server” box. This will begin  the  download  process  of  the  firmware  from  the  Tranzeo  upgrade  server  to  the non-volatile memory on the EL-500. While the firmware is downloading, it will be shown in blue in the “Firmware on Node” box.  3.  When the  download has  been completed, select  the  firmware you  wish  to  upgrade  to from the “Firmware on Node” box. 4.  Click on the “Install” button. 5.  Wait for the install to complete. The EL-500 will reboot automatically when the upgrade has been completed.   Figure 68. Updating firmware
Glossary  TR0190 Rev. A1    137 Glossary Client access interface An  interface  on  the  EL-500  used  by  a  client  device,  such  as  an 802.11-enabled  laptop,  to  connect  to  the  EL-500.  The  client  access interfaces are the virtual APs wlan1 – wlan4. Client device  A  device  that  is  connected  to  one  of  the  EL-500’s  client  access interfaces, e.g. a laptop Client address scheme The  method  used  to  assign  address  spaces  to  client  address interfaces. The two supported client address schemes are implicit and explicit. Operating mode  The mode that sets the method for how packets forwarding is done by the  EL-500.  The  two  supported  operating  modes  are  “bridge”  and “router”,  with  the  former  using  layer  2-based  traffic  forwarding mechanisms and the latter using layer 3-based mechanisms.
Abbreviations  TR0190 Rev. A1    138  Abbreviations ACL  Access Control List AP  Access Point CLI  Command line interface Client access interface An  interface  on  the  EL-500  used  by  a  client  device,  such  as  an 802.11-enabled  laptop,  to  connect  to  the  EL-500.  The  client  access interfaces are the virtual APs wlan1 – wlan4. ESSID  Extended Service Set Identifier LAN  Local-Area Network NAT  Network Address Translation PoE  Power over Ethernet QoS  Quality of Service RSSI  Received signal strength indicator STP  Spanning  Tree Protocol VAP  Virtual  Access  Point.  An  access  point  that  uses  the  same  radio  as other access points in the system. VLAN  Virtual Local-Area Network VPN  Virtual Private Network WAN  Wide-Area Network WLAN  Wireless Local-Area Network WPA  Wi-Fi Protected Access WPA-PSK  Wi-Fi Protected Access Pre-Shared Key

Navigation menu