ZyXEL Communications EMG3415-B10A Dual-Band Wireless AC/N Gigabit Ethernet Gateway User Manual Book

ZyXEL Communications Corporation Dual-Band Wireless AC/N Gigabit Ethernet Gateway Book

Contents

Users Manual-2

EMG3415-B10A User’s Guide205CHAPTER 32Backup/Restore32.1  OverviewThe Backup/Restore screen allows you to backup and restore device configurations. You can also reset your device settings back to the factory default.32.2  The Backup/Restore Screen Click Maintenance > Backup/Restore. Information related to factory defaults, backup configuration, and restoring configuration appears in this screen, as shown next.Figure 135   Maintenance >  Backup/RestoreBackup Configuration Backup Configuration allows you to back up (save) the EMG’s current configuration to a file on your computer. Once your EMG is configured and functioning properly, it is highly recommended that you back up your configuration file before making configuration changes. The backup configuration file will be useful in case you need to return to your previous settings. Click Backup to save the EMG’s current configuration to your computer.
Chapter 32 Backup/RestoreEMG3415-B10A User’s Guide206Restore Configuration Restore Configuration allows you to upload a new or previously saved configuration file from your computer to your EMG.Do not turn off the EMG while configuration file upload is in progress.After the EMG configuration has been restored successfully, the login screen appears. Login again to restart the EMG. The EMG automatically restarts in this time causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop.Figure 136   Network Temporarily DisconnectedIf you uploaded the default configuration file you may need to change the IP address of your computer to be in the same subnet as that of the default device IP address (192.168.200.1).If the upload was not successful, the following screen will appear. Click OK to go back to the Configuration screen. Figure 137   Configuration Upload ErrorReset to Factory Defaults  Click the Reset button to clear all user-entered configuration information and return the EMG to its factory defaults. The following warning screen appears.Table 109   Restore ConfigurationLABEL DESCRIPTIONFile Path  Type in the location of the file you want to upload in this field or click Choose File to find it.Choose File   Click this to find the file you want to upload. Remember that you must decompress compressed (.ZIP) files before you can upload them. Upload  Click this to begin the upload process.
 Chapter 32 Backup/RestoreEMG3415-B10A User’s Guide207Figure 138   Reset Warning MessageFigure 139   Reset In Process MessageYou can also press the RESET button on the rear panel to reset the factory defaults of your EMG. Refer to Section 1.6 on page 17 for more information on the RESET button.32.3  The ROM-D ScreenThe ROM-D feature enables service providers to customize the EMG’s default configuration settings easily. You can use the ROM-D file to store the customized default settings. Click Save to save the EMG’s current configuration to the ROM-D file. Click Clear to reset the customized settings in the ROM-D file to factory defaults.Click Maintenance > Backup/Restore > ROM-D to open the following screen.Figure 140   Backup Restore > ROM-D32.4  The Reboot Screen System restart allows you to reboot the EMG remotely without turning the power off. You may need to do this if the EMG hangs, for example.Click Maintenance > Reboot. Click Reboot to have the EMG reboot. This does not affect the EMG's configuration. Figure 141   Maintenance > Reboot
EMG3415-B10A User’s Guide208CHAPTER 33Diagnostic33.1  OverviewThe Diagnostic screens display information to help you identify problems with the EMG.The route between a CO VDSL switch and one of its CPE may go through switches owned by independent organizations. A connectivity fault point generally takes time to discover and impacts subscriber’s network access. In order to eliminate the management and maintenance efforts, IEEE 802.1ag is a Connectivity Fault Management (CFM) specification which allows network administrators to identify and manage connection faults. Through discovery and verification of the path, CFM can detect, analyze and isolate connectivity faults in bridged LANs.33.1.1  What You Can Do in this Chapter• The Ping & TraceRoute & NsLookup screen lets you ping an IP address or trace the route packets take to a host (Section 33.3 on page 209).33.2  What You Need to KnowThe following terms and concepts may help as you read through this chapter.How CFM Works A Maintenance Association (MA) defines a VLAN and associated Maintenance End Point (MEP) ports on the device under a Maintenance Domain (MD) level. An MEP port has the ability to send Connectivity Check Messages (CCMs) and get other MEP ports information from neighbor devices’ CCMs within an MA. CFM provides two tests to discover connectivity faults. • Loopback test - checks if the MEP port receives its Loop Back Response (LBR) from its target after it sends the Loop Back Message (LBM). If no response is received, there might be a connectivity fault between them. • Link trace test - provides additional connectivity fault analysis to get more information on where the fault is. If an MEP port does not respond to the source MEP, this may indicate a fault. Administrators can take further action to check and resume services from the fault according to the line connectivity status report.
 Chapter 33 DiagnosticEMG3415-B10A User’s Guide20933.3  Ping & TraceRoute & NsLookup Use this screen to ping, traceroute, or nslookup an IP address. Click Maintenance > Diagnostic > Ping&TraceRoute&NsLookup to open the screen shown next.Figure 142   Maintenance > Diagnostic > Ping & Traceroute & Nslookup The following table describes the fields in this screen. Table 110   Maintenance > Diagnostic > Ping & TraceRoute & NsLookupLABEL DESCRIPTIONURL or IP AddressType the IP address of a computer that you want to perform ping, traceroute, or nslookup in order to test a connection.Ping Click this to ping the IP address that you entered.TraceRoute Click this button to perform the traceroute function. This determines the path a packet takes to the specified computer.Nslookup Click this button to perform a DNS lookup on the IP address of a computer you enter.
EMG3415-B10A User’s Guide210CHAPTER 34TroubleshootingThis chapter offers some suggestions to solve problems you might encounter. The potential problems are divided into the following categories. •Power, Hardware Connections, and LEDs•EMG Access and Login•Internet Access•Wireless Internet Access•UPnP34.1  Power, Hardware Connections, and LEDsThe EMG does not turn on. None of the LEDs turn on.1Make sure the EMG is turned on. 2Make sure you are using the power adaptor or cord included with the EMG.3Make sure the power adaptor or cord is connected to the EMG and plugged in to an appropriate power source. Make sure the power source is turned on.4Turn the EMG off and on.5If the problem continues, contact the vendor.One of the LEDs does not behave as expected.1Make sure you understand the normal behavior of the LED. See Section 1.5 on page 15.2Check the hardware connections.3Inspect your cables for damage. Contact the vendor to replace any damaged cables.4Turn the EMG off and on.5If the problem continues, contact the vendor.
 Chapter 34 TroubleshootingEMG3415-B10A User’s Guide21134.2  EMG Access and LoginI forgot the IP address for the EMG.1The default LAN IP address is 192.168.200.1.2If you changed the IP address and have forgotten it, you might get the IP address of the EMG by looking up the IP address of the default gateway for your computer. To do this in most Windows computers, click Start > Run, enter cmd, and then enter ipconfig. The IP address of the Default Gateway might be the IP address of the EMG (it depends on the network), so enter this IP address in your Internet browser.3If this does not work, you have to reset the device to its factory defaults. See Section 1.6 on page 17.I cannot see or access the Login screen in the web configurator.1Make sure you are using the correct IP address.• The default IP address is 192.168.200.1.• If you changed the IP address (Section 7.2 on page 90), use the new IP address.• If you changed the IP address and have forgotten it, see the troubleshooting suggestions for I forgot the IP address for the EMG.2Check the hardware connections, and make sure the LEDs are behaving as expected. See Section 1.5 on page 15.3Make sure your Internet browser does not block pop-up windows and has JavaScripts and Java enabled.4If it is possible to log in from another interface, check the service control settings for HTTP and HTTPS (Maintenance > Remote MGMT).5Reset the device to its factory defaults, and try to access the EMG with the default IP address. See Section 1.6 on page 17.6If the problem continues, contact the network administrator or vendor, or try one of the advanced suggestions.Advanced Suggestions• Make sure you have logged out of any earlier management sessions using the same user account even if they were through a different interface or using a different browser.• Try to access the EMG using another service, such as Telnet. If you can access the EMG, check the remote management settings and firewall rules to find out why the EMG does not respond to HTTP.
Chapter 34 TroubleshootingEMG3415-B10A User’s Guide212I can see the Login screen, but I cannot log in to the EMG.7You cannot log in to the web configurator while someone is using Telnet to access the EMG. Log out of the EMG in the other session, or ask the person who is logged in to log out. 8Turn the EMG off and on. 9If this does not work, you have to reset the device to its factory defaults. See Section 34.1 on page 210.I cannot Telnet to the EMG.See the troubleshooting suggestions for I cannot see or access the Login screen in the web configurator. Ignore the suggestions about your browser.I cannot use FTP to upload / download the configuration file. / I cannot use FTP to upload new firmware.See the troubleshooting suggestions for I cannot see or access the Login screen in the web configurator. Ignore the suggestions about your browser.34.3  Internet AccessI cannot access the Internet.1Check the hardware connections, and make sure the LEDs are behaving as expected. See the Quick Start Guide and Section 1.5 on page 15.2Make sure you entered your ISP account information correctly in the Network Setting > Broadband screen. These fields are case-sensitive, so make sure [Caps Lock] is not on. 3If you are trying to access the Internet wirelessly, make sure that you enabled the wireless LAN in the EMG and your wireless client and that the wireless settings in the wireless client are the same as the settings in the EMG.4Disconnect all the cables from your device and reconnect them. 5If the problem continues, contact your ISP.
 Chapter 34 TroubleshootingEMG3415-B10A User’s Guide213I cannot connect to the Internet using an Ethernet connection.1Make sure you have the Ethernet WAN port connected to a modem or router.2Make sure you configured a proper Ethernet WAN interface (Network Setting > Broadband screen) with the Internet account information provided by your ISP and that it is enabled.3Check that the LAN interface you are connected to is in the same interface group as the Ethernet WAN connection (Network Setting > Interface Grouping).4If you set up a WAN connection using bridging service, make sure you turn off the DHCP feature in the LAN screen to have the clients get WAN IP addresses directly from your ISP’s DHCP server.I cannot access the EMG anymore. I had access to the EMG, but my connection is not available anymore.1Your session with the EMG may have expired. Try logging into the EMG again.2Check the hardware connections, and make sure the LEDs are behaving as expected. See the Quick Start Guide and Section 1.5 on page 15.3Turn the EMG off and on.4If the problem continues, contact your vendor. 34.4  Wireless Internet AccessWhat factors may cause intermittent or unstabled wireless connection? How can I solve this problem?The following factors may cause interference:• Obstacles: walls, ceilings, furniture, and so on.• Building Materials: metal doors, aluminum studs.• Electrical devices: microwaves, monitors, electric motors, cordless phones, and other wireless devices.To optimize the speed and quality of your wireless connection, you can:• Move your wireless device closer to the AP if the signal strength is low.• Reduce wireless interference that may be caused by other wireless networks or surrounding wireless electronics such as cordless phones.
Chapter 34 TroubleshootingEMG3415-B10A User’s Guide214• Place the AP where there are minimum obstacles (such as walls and ceilings) between the AP and the wireless client. • Reduce the number of wireless clients connecting to the same AP simultaneously, or add additional APs if necessary.• Try closing some programs that use the Internet, especially peer-to-peer applications. If the wireless client is sending or receiving a lot of information, it may have too many programs open that use the Internet. What is a Server Set ID (SSID)?An SSID is a name that uniquely identifies a wireless network. The AP and all the clients within a wireless network must use the same SSID.34.5  UPnPWhen using UPnP and the EMG reboots, my computer cannot detect UPnP and refresh My Network Places > Local Network.1Disconnect the Ethernet cable from the EMG’s LAN port or from your computer.2Re-connect the Ethernet cable. The Local Area Connection icon for UPnP disappears in the screen.Restart your computer.
215PART IIIAppendicesAppendices contain general information. Some information may not apply to your device.
EMG3415-B10A User’s Guide216APPENDIX ACustomer SupportIn the event of problems that cannot be solved by using this manual, you should contact your vendor. If you cannot contact your vendor, then contact a Zyxel office for the region in which you bought the device. See http://www.zyxel.com/homepage.shtml and also http://www.zyxel.com/about_zyxel/zyxel_worldwide.shtml for the latest information.Please have the following information ready when you contact an office.Required Information• Product model and serial number.• Warranty Information.• Date that you received your device.• Brief description of the problem and the steps you took to solve it.Corporate Headquarters (Worldwide)Taiwan• Zyxel Communications Corporation• http://www.zyxel.comAsiaChina• Zyxel Communications (Shanghai) Corp.Zyxel Communications (Beijing) Corp.Zyxel Communications (Tianjin) Corp.• http://www.zyxel.cnIndia•Zyxel Technology India Pvt Ltd• http://www.zyxel.inKazakhstan•Zyxel Kazakhstan• http://www.zyxel.kz
 Appendix A Customer SupportEMG3415-B10A User’s Guide217Korea• Zyxel Korea Corp.• http://www.zyxel.krMalaysia• Zyxel Malaysia Sdn Bhd.• http://www.zyxel.com.myPakistan• Zyxel Pakistan (Pvt.) Ltd.• http://www.zyxel.com.pkPhilippines• Zyxel Philippines• http://www.zyxel.com.phSingapore• Zyxel Singapore Pte Ltd.• http://www.zyxel.com.sgTaiwan• Zyxel Communications Corporation• http://www.zyxel.com/tw/zh/Thailand• Zyxel Thailand Co., Ltd • http://www.zyxel.co.thVietnam• Zyxel Communications Corporation-Vietnam Office• http://www.zyxel.com/vn/viEuropeAustria•Zyxel Deutschland GmbH • http://www.zyxel.deBelarus•Zyxel BY • http://www.zyxel.by
Appendix A Customer SupportEMG3415-B10A User’s Guide218Belgium• Zyxel Communications B.V.  • http://www.zyxel.com/be/nl/• http://www.zyxel.com/be/fr/ Bulgaria•Zyxel България• http://www.zyxel.com/bg/bg/ Czech Republic• Zyxel Communications Czech s.r.o • http://www.zyxel.czDenmark• Zyxel Communications A/S• http://www.zyxel.dkEstonia• Zyxel Estonia• http://www.zyxel.com/ee/et/Finland• Zyxel Communications• http://www.zyxel.fiFrance•Zyxel France• http://www.zyxel.frGermany•Zyxel Deutschland GmbH • http://www.zyxel.deHungary• Zyxel Hungary & SEE • http://www.zyxel.huItaly• Zyxel Communications Italy • http://www.zyxel.it/
 Appendix A Customer SupportEMG3415-B10A User’s Guide219Latvia•Zyxel Latvia• http://www.zyxel.com/lv/lv/homepage.shtmlLithuania•Zyxel Lithuania• http://www.zyxel.com/lt/lt/homepage.shtmlNetherlands• Zyxel Benelux• http://www.zyxel.nlNorway• Zyxel Communications• http://www.zyxel.noPoland• Zyxel Communications Poland• http://www.zyxel.plRomania• Zyxel Romania• http://www.zyxel.com/ro/roRussia• Zyxel Russia • http://www.zyxel.ruSlovakia• Zyxel Communications Czech s.r.o. organizacna zlozka• http://www.zyxel.skSpain• Zyxel Communications ES Ltd• http://www.zyxel.esSweden• Zyxel Communications • http://www.zyxel.seSwitzerland•Studerus AG
Appendix A Customer SupportEMG3415-B10A User’s Guide220• http://www.zyxel.ch/Turkey• Zyxel Turkey A.S.• http://www.zyxel.com.trUK• Zyxel Communications UK Ltd.• http://www.zyxel.co.ukUkraine•Zyxel Ukraine• http://www.ua.zyxel.comLatin AmericaArgentina• Zyxel Communication Corporation• http://www.zyxel.com/ec/es/Brazil• Zyxel Communications Brasil Ltda.• https://www.zyxel.com/br/pt/Ecuador• Zyxel Communication Corporation• http://www.zyxel.com/ec/es/Middle EastIsrael• Zyxel Communication Corporation• http://il.zyxel.com/homepage.shtmlMiddle East• Zyxel Communication Corporation• http://www.zyxel.com/me/en/
 Appendix A Customer SupportEMG3415-B10A User’s Guide221North AmericaUSA• Zyxel Communications, Inc. - North America Headquarters• http://www.zyxel.com/us/en/OceaniaAustralia• Zyxel Communications Corporation• http://www.zyxel.com/au/en/AfricaSouth Africa• Nology (Pty) Ltd.• http://www.zyxel.co.za
EMG3415-B10A User’s Guide222APPENDIX BWireless LANsWireless LAN TopologiesThis section discusses ad-hoc and infrastructure wireless LAN topologies.Ad-hoc Wireless LAN ConfigurationThe simplest WLAN configuration is an independent (Ad-hoc) WLAN that connects a set of computers with wireless adapters (A, B, C). Any time two or more wireless adapters are within range of each other, they can set up an independent network, which is commonly referred to as an ad-hoc network or Independent Basic Service Set (IBSS). The following diagram shows an example of notebook computers using wireless adapters to form an ad-hoc wireless LAN. Figure 143   Peer-to-Peer Communication in an Ad-hoc NetworkBSSA Basic Service Set (BSS) exists when all communications between wireless clients or between a wireless client and a wired network client go through one access point (AP). Intra-BSS traffic is traffic between wireless clients in the BSS. When Intra-BSS is enabled, wireless client A and B can access the wired network and communicate with each other. When Intra-BSS is disabled, wireless client A and B can still access the wired network but cannot communicate with each other.
 Appendix B Wireless LANsEMG3415-B10A User’s Guide223Figure 144   Basic Service SetESSAn Extended Service Set (ESS) consists of a series of overlapping BSSs, each containing an access point, with each access point connected together by a wired network. This wired connection between APs is called a Distribution System (DS).This type of wireless LAN topology is called an Infrastructure WLAN. The Access Points not only provide communication with the wired network but also mediate wireless network traffic in the immediate neighborhood. An ESSID (ESS IDentification) uniquely identifies each ESS. All access points and their associated wireless clients within the same ESS must have the same ESSID in order to communicate.
Appendix B Wireless LANsEMG3415-B10A User’s Guide224Figure 145   Infrastructure WLANChannelA channel is the radio frequency(ies) used by wireless devices to transmit and receive data. Channels available depend on your geographical area. You may have a choice of channels (for your region) so you should use a channel different from an adjacent AP (access point) to reduce interference. Interference occurs when radio signals from different access points overlap causing interference and degrading performance.Adjacent channels partially overlap however. To avoid interference due to overlap, your AP should be on a channel at least five channels away from a channel that an adjacent AP is using. For example, if your region has 11 channels and an adjacent AP is using channel 1, then you need to select a channel between 6 or 11.RTS/CTSA hidden node occurs when two stations are within range of the same access point, but are not within range of each other. The following figure illustrates a hidden node. Both stations (STA) are within range of the access point (AP) or wireless gateway, but out-of-range of each other, so they cannot "hear" each other, that is they do not know if the channel is currently being used. Therefore, they are considered hidden from each other.
 Appendix B Wireless LANsEMG3415-B10A User’s Guide225Figure 146    RTS/CTSWhen station A sends data to the AP, it might not know that the station B is already using the channel. If these two stations send data at the same time, collisions may occur when both sets of data arrive at the AP at the same time, resulting in a loss of messages for both stations.RTS/CTS is designed to prevent collisions due to hidden nodes. An RTS/CTS defines the biggest size data frame you can send before an RTS (Request To Send)/CTS (Clear to Send) handshake is invoked.When a data frame exceeds the RTS/CTS value you set (between 0 to 2432 bytes), the station that wants to transmit this frame must first send an RTS (Request To Send) message to the AP for permission to send it. The AP then responds with a CTS (Clear to Send) message to all other stations within its range to notify them to defer their transmission. It also reserves and confirms with the requesting station the time frame for the requested transmission.Stations can send frames smaller than the specified RTS/CTS directly to the AP without the RTS (Request To Send)/CTS (Clear to Send) handshake. You should only configure RTS/CTS if the possibility of hidden nodes exists on your network and the "cost" of resending large frames is more than the extra network overhead involved in the RTS (Request To Send)/CTS (Clear to Send) handshake. If the RTS/CTS value is greater than the Fragmentation Threshold value (see next), then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur as data frames will be fragmented before they reach RTS/CTS size. Note: Enabling the RTS Threshold causes redundant network overhead that could negatively affect the throughput performance instead of providing a remedy.Fragmentation ThresholdA Fragmentation Threshold is the maximum data fragment size (between 256 and 2432 bytes) that can be sent in the wireless network before the AP will fragment the packet into smaller data frames.A large Fragmentation Threshold is recommended for networks not prone to interference while you should set a smaller threshold for busy networks or networks that are prone to interference.If the Fragmentation Threshold value is smaller than the RTS/CTS value (see previously) you set then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur as data frames will be fragmented before they reach RTS/CTS size.
Appendix B Wireless LANsEMG3415-B10A User’s Guide226IEEE 802.11g Wireless LANIEEE 802.11g is fully compatible with the IEEE 802.11b standard. This means an IEEE 802.11b adapter can interface directly with an IEEE 802.11g access point (and vice versa) at 11 Mbps or lower depending on range. IEEE 802.11g has several intermediate rate steps between the maximum and minimum data rates. The IEEE 802.11g data rate and modulation are as follows:Wireless Security OverviewWireless security is vital to your network to protect wireless communication between wireless clients, access points and the wired network.Wireless security methods available on the EMG are data encryption, wireless client authentication, restricting access by device MAC address and hiding the EMG identity.The following figure shows the relative effectiveness of these wireless security methods available on your EMG.Note: You must enable the same wireless security settings on the EMG and on all wireless clients that you want to associate with it. IEEE 802.1xIn June 2001, the IEEE 802.1x standard was designed to extend the features of IEEE 802.11 to support extended authentication as well as providing additional accounting and control features. It is supported by Windows XP and a number of network devices. Some advantages of IEEE 802.1x are:• User based identification that allows for roaming.• Support for RADIUS (Remote Authentication Dial In User Service, RFC 2138, 2139) for centralized user profile and accounting management on a network RADIUS server. Table 111   IEEE 802.11gDATA RATE (MBPS) MODULATION1 DBPSK (Differential Binary Phase Shift Keyed)2 DQPSK (Differential Quadrature Phase Shift Keying)5.5 / 11 CCK (Complementary Code Keying) 6/9/12/18/24/36/48/54 OFDM (Orthogonal Frequency Division Multiplexing) Table 112   Wireless Security LevelsSECURITY LEVEL SECURITY TYPELeast       Secure                                                                                  Most SecureUnique SSID (Default)Unique SSID with Hide SSID EnabledMAC Address FilteringWEP EncryptionIEEE802.1x EAP with RADIUS Server AuthenticationWi-Fi Protected Access (WPA)WPA2
 Appendix B Wireless LANsEMG3415-B10A User’s Guide227• Support for EAP (Extensible Authentication Protocol, RFC 2486) that allows additional authentication methods to be deployed with no changes to the access point or the wireless clients. RADIUSRADIUS is based on a client-server model that supports authentication, authorization and accounting. The access point is the client and the server is the RADIUS server. The RADIUS server handles the following tasks:• Authentication Determines the identity of the users.•AuthorizationDetermines the network services available to authenticated users once they are connected to the network.• AccountingKeeps track of the client’s network activity. RADIUS is a simple package exchange in which your AP acts as a message relay between the wireless client and the network RADIUS server. Types of RADIUS MessagesThe following types of RADIUS messages are exchanged between the access point and the RADIUS server for user authentication:• Access-RequestSent by an access point requesting authentication.• Access-RejectSent by a RADIUS server rejecting access.• Access-AcceptSent by a RADIUS server allowing access. • Access-ChallengeSent by a RADIUS server requesting more information in order to allow access. The access point sends a proper response from the user and then sends another Access-Request message. The following types of RADIUS messages are exchanged between the access point and the RADIUS server for user accounting:• Accounting-RequestSent by the access point requesting accounting.• Accounting-ResponseSent by the RADIUS server to indicate that it has started or stopped accounting. In order to ensure network security, the access point and the RADIUS server use a shared secret key, which is a password, they both know. The key is not sent over the network. In addition to the shared key, password information exchanged is also encrypted to protect the network from unauthorized access.
Appendix B Wireless LANsEMG3415-B10A User’s Guide228Types of EAP Authentication This section discusses some popular authentication types: EAP-MD5, EAP-TLS, EAP-TTLS, PEAP and LEAP. Your wireless LAN device may not support all authentication types. EAP (Extensible Authentication Protocol) is an authentication protocol that runs on top of the IEEE 802.1x transport mechanism in order to support multiple types of user authentication. By using EAP to interact with an EAP-compatible RADIUS server, an access point helps a wireless station and a RADIUS server perform authentication. The type of authentication you use depends on the RADIUS server and an intermediary AP(s) that supports IEEE 802.1x. For EAP-TLS authentication type, you must first have a wired connection to the network and obtain the certificate(s) from a certificate authority (CA). A certificate (also called digital IDs) can be used to authenticate users and a CA issues certificates and guarantees the identity of each certificate owner.EAP-MD5 (Message-Digest Algorithm 5)MD5 authentication is the simplest one-way authentication method. The authentication server sends a challenge to the wireless client. The wireless client ‘proves’ that it knows the password by encrypting the password with the challenge and sends back the information. Password is not sent in plain text. However, MD5 authentication has some weaknesses. Since the authentication server needs to get the plaintext passwords, the passwords must be stored. Thus someone other than the authentication server may access the password file. In addition, it is possible to impersonate an authentication server as MD5 authentication method does not perform mutual authentication. Finally, MD5 authentication method does not support data encryption with dynamic session key. You must configure WEP encryption keys for data encryption. EAP-TLS (Transport Layer Security)With EAP-TLS, digital certifications are needed by both the server and the wireless clients for mutual authentication. The server presents a certificate to the client. After validating the identity of the server, the client sends a different certificate to the server. The exchange of certificates is done in the open before a secured tunnel is created. This makes user identity vulnerable to passive attacks. A digital certificate is an electronic ID card that authenticates the sender’s identity. However, to implement EAP-TLS, you need a Certificate Authority (CA) to handle certificates, which imposes a management overhead. EAP-TTLS (Tunneled Transport Layer Service) EAP-TTLS is an extension of the EAP-TLS authentication that uses certificates for only the server-side authentications to establish a secure connection. Client authentication is then done by sending username and password through the secure connection, thus client identity is protected. For client authentication, EAP-TTLS supports EAP methods and legacy authentication methods such as PAP, CHAP, MS-CHAP and MS-CHAP v2. PEAP (Protected EAP)   Like EAP-TTLS, server-side certificate authentication is used to establish a secure connection, then use simple username and password methods through the secured connection to authenticate the clients, thus hiding client identity. However, PEAP only supports EAP methods, such as EAP-MD5, EAP-MSCHAPv2
 Appendix B Wireless LANsEMG3415-B10A User’s Guide229and EAP-GTC (EAP-Generic Token Card), for client authentication. EAP-GTC is implemented only by Cisco.LEAPLEAP (Lightweight Extensible Authentication Protocol) is a Cisco implementation of IEEE 802.1x. Dynamic WEP Key ExchangeThe AP maps a unique key that is generated with the RADIUS server. This key expires when the wireless connection times out, disconnects or reauthentication times out. A new WEP key is generated each time reauthentication is performed.If this feature is enabled, it is not necessary to configure a default encryption key in the wireless security configuration screen. You may still configure and store keys, but they will not be used while dynamic WEP is enabled.Note: EAP-MD5 cannot be used with Dynamic WEP Key ExchangeFor added security, certificate-based authentications (EAP-TLS, EAP-TTLS and PEAP) use dynamic keys for data encryption. They are often deployed in corporate environments, but for public deployment, a simple user name and password pair is more practical. The following table is a comparison of the features of authentication types.WPA and WPA2Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i standard. WPA2 (IEEE 802.11i) is a wireless security standard that defines stronger encryption, authentication and key management than WPA. Key differences between WPA or WPA2 and WEP are improved data encryption and user authentication.If both an AP and the wireless clients support WPA2 and you have an external RADIUS server, use WPA2 for stronger data encryption. If you don't have an external RADIUS server, you should use WPA2-PSK (WPA2-Pre-Shared Key) that only requires a single (identical) password entered into each access point, wireless gateway and wireless client. As long as the passwords match, a wireless client will be granted access to a WLAN. If the AP or the wireless clients do not support WPA2, just use WPA or WPA-PSK depending on whether you have an external RADIUS server or not.Table 113   Comparison of EAP Authentication TypesEAP-MD5 EAP-TLS EAP-TTLS PEAP LEAPMutual Authentication No Yes Yes Yes YesCertificate – Client No Yes Optional Optional NoCertificate – Server No Yes Yes Yes NoDynamic Key Exchange No Yes Yes Yes YesCredential Integrity None Strong Strong Strong ModerateDeployment Difficulty Easy Hard Moderate Moderate ModerateClient Identity Protection No No Yes Yes No
Appendix B Wireless LANsEMG3415-B10A User’s Guide230Select WEP only when the AP and/or wireless clients do not support WPA or WPA2. WEP is less secure than WPA or WPA2.Encryption WPA improves data encryption by using Temporal Key Integrity Protocol (TKIP), Message Integrity Check (MIC) and IEEE 802.1x. WPA2 also uses TKIP when required for compatibility reasons, but offers stronger encryption than TKIP with Advanced Encryption Standard (AES) in the Counter mode with Cipher block chaining Message authentication code Protocol (CCMP).TKIP uses 128-bit keys that are dynamically generated and distributed by the authentication server. AES (Advanced Encryption Standard) is a block cipher that uses a 256-bit mathematical algorithm called Rijndael. They both include a per-packet key mixing function, a Message Integrity Check (MIC) named Michael, an extended initialization vector (IV) with sequencing rules, and a re-keying mechanism.WPA and WPA2 regularly change and rotate the encryption keys so that the same encryption key is never used twice. The RADIUS server distributes a Pairwise Master Key (PMK) key to the AP that then sets up a key hierarchy and management system, using the PMK to dynamically generate unique data encryption keys to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients. This all happens in the background automatically.The Message Integrity Check (MIC) is designed to prevent an attacker from capturing data packets, altering them and resending them. The MIC provides a strong mathematical function in which the receiver and the transmitter each compute and then compare the MIC. If they do not match, it is assumed that the data has been tampered with and the packet is dropped. By generating unique data encryption keys for every data packet and by creating an integrity checking mechanism (MIC), with TKIP and AES it is more difficult to decrypt data on a Wi-Fi network than WEP and difficult for an intruder to break into the network. The encryption mechanisms used for WPA(2) and WPA(2)-PSK are the same. The only difference between the two is that WPA(2)-PSK uses a simple common password, instead of user-specific credentials. The common-password approach makes WPA(2)-PSK susceptible to brute-force password-guessing attacks but it’s still an improvement over WEP as it employs a consistent, single, alphanumeric password to derive a PMK which is used to generate unique temporal encryption keys. This prevent all wireless devices sharing the same encryption keys. (a weakness of WEP)User Authentication WPA and WPA2 apply IEEE 802.1x and Extensible Authentication Protocol (EAP) to authenticate wireless clients using an external RADIUS database. WPA2 reduces the number of key exchange messages from six to four (CCMP 4-way handshake) and shortens the time required to connect to a network. Other WPA2 authentication features that are different from WPA include key caching and pre-authentication. These two features are optional and may not be supported in all wireless devices.Key caching allows a wireless client to store the PMK it derived through a successful authentication with an AP. The wireless client uses the PMK when it tries to connect to the same AP and does not need to go with the authentication process again.Pre-authentication enables fast roaming by allowing the wireless client (already connecting to an AP) to perform IEEE 802.1x authentication with another AP before connecting to it.
 Appendix B Wireless LANsEMG3415-B10A User’s Guide231Wireless Client WPA SupplicantsA wireless client supplicant is the software that runs on an operating system instructing the wireless client how to use WPA. At the time of writing, the most widely available supplicant is the WPA patch for Windows XP, Funk Software's Odyssey client. The Windows XP patch is a free download that adds WPA capability to Windows XP's built-in "Zero Configuration" wireless client. However, you must run Windows XP to use it. WPA(2) with RADIUS Application ExampleTo set up WPA(2), you need the IP address of the RADIUS server, its port number (default is 1812), and the RADIUS shared secret. A WPA(2) application example with an external RADIUS server looks as follows. "A" is the RADIUS server. "DS" is the distribution system.1The AP passes the wireless client's authentication request to the RADIUS server.2The RADIUS server then checks the user's identification against its database and grants or denies network access accordingly.3A 256-bit Pairwise Master Key (PMK) is derived from the authentication process by the RADIUS server and the client.4The RADIUS server distributes the PMK to the AP. The AP then sets up a key hierarchy and management system, using the PMK to dynamically generate unique data encryption keys. The keys are used to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients.Figure 147   WPA(2) with RADIUS Application ExampleWPA(2)-PSK Application ExampleA WPA(2)-PSK application looks as follows.1First enter identical passwords into the AP and all wireless clients. The Pre-Shared Key (PSK) must consist of between 8 and 63 ASCII characters or 64 hexadecimal characters (including spaces and symbols).2The AP checks each wireless client's password and allows it to join the network only if the password matches.
Appendix B Wireless LANsEMG3415-B10A User’s Guide2323The AP and wireless clients generate a common PMK (Pairwise Master Key). The key itself is not sent over the network, but is derived from the PSK and the SSID. 4The AP and wireless clients use the TKIP or AES encryption process, the PMK and information exchanged in a handshake to create temporal encryption keys. They use these keys to encrypt data exchanged between them.Figure 148   WPA(2)-PSK AuthenticationSecurity Parameters SummaryRefer to this table to see what other security parameters you should configure for each authentication method or key management protocol type. MAC address filters are not dependent on how you configure these security features.Antenna OverviewAn antenna couples RF signals onto air. A transmitter within a wireless device sends an RF signal to the antenna, which propagates the signal through the air. The antenna also operates in reverse by capturing RF signals from the air. Positioning the antennas properly increases the range and coverage area of a wireless LAN. Table 114   Wireless Security Relational MatrixAUTHENTICATION METHOD/ KEY MANAGEMENT PROTOCOL ENCRYPTION METHOD ENTER MANUAL KEY IEEE 802.1XOpen None No DisableEnable without Dynamic WEP KeyOpen WEP No           Enable with Dynamic WEP KeyYes Enable without Dynamic WEP KeyYes DisableShared WEP  No           Enable with Dynamic WEP KeyYes Enable without Dynamic WEP KeyYes DisableWPA  TKIP/AES No EnableWPA-PSK  TKIP/AES Yes DisableWPA2 TKIP/AES No EnableWPA2-PSK  TKIP/AES Yes Disable
 Appendix B Wireless LANsEMG3415-B10A User’s Guide233Antenna CharacteristicsFrequencyAn antenna in the frequency of 2.4GHz (IEEE 802.11b and IEEE 802.11g) or 5GHz (IEEE 802.11a) is needed to communicate efficiently in a wireless LANRadiation PatternA radiation pattern is a diagram that allows you to visualize the shape of the antenna’s coverage area. Antenna GainAntenna gain, measured in dB (decibel), is the increase in coverage within the RF beam width. Higher antenna gain improves the range of the signal for better communications. For an indoor site, each 1 dB increase in antenna gain results in a range increase of approximately 2.5%. For an unobstructed outdoor site, each 1dB increase in gain results in a range increase of approximately 5%. Actual results may vary depending on the network environment. Antenna gain is sometimes specified in dBi, which is how much the antenna increases the signal power compared to using an isotropic antenna. An isotropic antenna is a theoretical perfect antenna that sends out radio signals equally well in all directions. dBi represents the true gain that the antenna provides.   Types of Antennas for WLANThere are two types of antennas used for wireless LAN applications.• Omni-directional antennas send the RF signal out in all directions on a horizontal plane. The coverage area is torus-shaped (like a donut) which makes these antennas ideal for a room environment. With a wide coverage area, it is possible to make circular overlapping coverage areas with multiple access points. • Directional antennas concentrate the RF signal in a beam, like a flashlight does with the light from its bulb. The angle of the beam determines the width of the coverage pattern. Angles typically range from 20 degrees (very directional) to 120 degrees (less directional). Directional antennas are ideal for hallways and outdoor point-to-point applications.Positioning AntennasIn general, antennas should be mounted as high as practically possible and free of obstructions. In point-to–point application, position both antennas at the same height and in a direct line of sight to each other to attain the best performance. For omni-directional antennas mounted on a table, desk, and so on, point the antenna up. For omni-directional antennas mounted on a wall or ceiling, point the antenna down. For a single AP application, place omni-directional antennas as close to the center of the coverage area as possible. For directional antennas, point the antenna in the direction of the desired coverage area.
EMG3415-B10A User’s Guide234APPENDIX CIPv6OverviewIPv6 (Internet Protocol version 6), is designed to enhance IP address size and features. The increase in IPv6 address size to 128 bits (from the 32-bit IPv4 address) allows up to 3.4 x 1038 IP addresses. IPv6 AddressingThe 128-bit IPv6 address is written as eight 16-bit hexadecimal blocks separated by colons (:). This is an example IPv6 address 2001:0db8:1a2b:0015:0000:0000:1a2f:0000. IPv6 addresses can be abbreviated in two ways:• Leading zeros in a block can be omitted. So 2001:0db8:1a2b:0015:0000:0000:1a2f:0000 can be written as 2001:db8:1a2b:15:0:0:1a2f:0. • Any number of consecutive blocks of zeros can be replaced by a double colon. A double colon can only appear once in an IPv6 address. So 2001:0db8:0000:0000:1a2f:0000:0000:0015 can be written as 2001:0db8::1a2f:0000:0000:0015, 2001:0db8:0000:0000:1a2f::0015, 2001:db8::1a2f:0:0:15 or 2001:db8:0:0:1a2f::15.Prefix and Prefix LengthSimilar to an IPv4 subnet mask, IPv6 uses an address prefix to represent the network address. An IPv6 prefix length specifies how many most significant bits (start from the left) in the address compose the network address. The prefix length is written as “/x” where x is a number. For example, 2001:db8:1a2b:15::1a2f:0/32means that the first 32 bits (2001:db8) is the subnet prefix. Link-local AddressA link-local address uniquely identifies a device on the local network (the LAN). It is similar to a “private IP address” in IPv4. You can have the same link-local address on multiple interfaces on a device. A link-local unicast address has a predefined prefix of fe80::/10. The link-local unicast address format is as follows.Table 115   Link-local Unicast Address FormatGlobal AddressA global address uniquely identifies a device on the Internet. It is similar to a “public IP address” in IPv4. A global unicast address starts with a 2 or 3. 1111 1110 10 0 Interface ID10 bits 54 bits 64 bits
 Appendix C IPv6EMG3415-B10A User’s Guide235Unspecified AddressAn unspecified address (0:0:0:0:0:0:0:0 or ::) is used as the source address when a device does not have its own address. It is similar to “0.0.0.0” in IPv4.Loopback AddressA loopback address (0:0:0:0:0:0:0:1 or ::1) allows a host to send packets to itself. It is similar to “127.0.0.1” in IPv4.Multicast AddressIn IPv6, multicast addresses provide the same functionality as IPv4 broadcast addresses. Broadcasting is not supported in IPv6. A multicast address allows a host to send packets to all hosts in a multicast group. Multicast scope allows you to determine the size of the multicast group. A multicast address has a predefined prefix of ff00::/8. The following table describes some of the predefined multicast addresses. The following table describes the multicast addresses which are reserved and can not be assigned to a multicast group. Table 116   Predefined Multicast AddressMULTICAST ADDRESS DESCRIPTIONFF01:0:0:0:0:0:0:1 All hosts on a local node. FF01:0:0:0:0:0:0:2 All routers on a local node.FF02:0:0:0:0:0:0:1 All hosts on a local connected link.FF02:0:0:0:0:0:0:2 All routers on a local connected link.FF05:0:0:0:0:0:0:2 All routers on a local site. FF05:0:0:0:0:0:1:3 All DHCP severs on a local site. Table 117   Reserved Multicast AddressMULTICAST ADDRESSFF00:0:0:0:0:0:0:0FF01:0:0:0:0:0:0:0FF02:0:0:0:0:0:0:0FF03:0:0:0:0:0:0:0FF04:0:0:0:0:0:0:0FF05:0:0:0:0:0:0:0FF06:0:0:0:0:0:0:0FF07:0:0:0:0:0:0:0FF08:0:0:0:0:0:0:0FF09:0:0:0:0:0:0:0FF0A:0:0:0:0:0:0:0FF0B:0:0:0:0:0:0:0FF0C:0:0:0:0:0:0:0FF0D:0:0:0:0:0:0:0
Appendix C IPv6EMG3415-B10A User’s Guide236Subnet MaskingBoth an IPv6 address and IPv6 subnet mask compose of 128-bit binary digits, which are divided into eight 16-bit blocks and written in hexadecimal notation. Hexadecimal uses four bits for each character (1 ~ 10, A ~ F). Each block’s 16 bits are then represented by four hexadecimal characters. For example, FFFF:FFFF:FFFF:FFFF:FC00:0000:0000:0000.Interface IDIn IPv6, an interface ID is a 64-bit identifier. It identifies a physical interface (for example, an Ethernet port) or a virtual interface (for example, the management IP address for a VLAN). One interface should have a unique interface ID.EUI-64The EUI-64 (Extended Unique Identifier) defined by the IEEE (Institute of Electrical and Electronics Engineers) is an interface ID format designed to adapt with IPv6. It is derived from the 48-bit (6-byte) Ethernet MAC address as shown next. EUI-64 inserts the hex digits fffe between the third and fourth bytes of the MAC address and complements the seventh bit of the first byte of the MAC address. See the following example. Identity AssociationAn Identity Association (IA) is a collection of addresses assigned to a DHCP client, through which the server and client can manage a set of related IP addresses. Each IA must be associated with exactly one interface. The DHCP client uses the IA assigned to an interface to obtain configuration from a DHCP server for that interface. Each IA consists of a unique IAID and associated IP information.The IA type is the type of address in the IA. Each IA holds one type of address. IA_NA means an identity association for non-temporary addresses and IA_TA is an identity association for temporary addresses. An IA_NA option contains the T1 and T2 fields, but an IA_TA option does not. The DHCPv6 server uses T1 and T2 to control the time at which the client contacts with the server to extend the lifetimes on any addresses in the IA_NA before the lifetimes expire. After T1, the client sends the server (S1) (from which the addresses in the IA_NA were obtained) a Renew message. If the time T2 is reached and the server FF0E:0:0:0:0:0:0:0FF0F:0:0:0:0:0:0:0Table 117   Reserved Multicast Address (continued)MULTICAST ADDRESS                MAC 00 : 13 : 49 :12 : 34 :56     EUI-64 02:13 :49 :FF :FE :12 : 34 :56
 Appendix C IPv6EMG3415-B10A User’s Guide237does not respond, the client sends a Rebind message to any available server (S2). For an IA_TA, the client may send a Renew or Rebind message at the client's discretion. DHCP Relay AgentA DHCP relay agent is on the same network as the DHCP clients and helps forward messages between the DHCP server and clients. When a client cannot use its link-local address and a well-known multicast address to locate a DHCP server on its network, it then needs a DHCP relay agent to send a message to a DHCP server that is not attached to the same network.The DHCP relay agent can add the remote identification (remote-ID) option and the interface-ID option to the Relay-Forward DHCPv6 messages. The remote-ID option carries a user-defined string, such as the system name. The interface-ID option provides slot number, port information and the VLAN ID to the DHCPv6 server. The remote-ID option (if any) is stripped from the Relay-Reply messages before the relay agent sends the packets to the clients. The DHCP server copies the interface-ID option from the Relay-Forward message into the Relay-Reply message and sends it to the relay agent. The interface-ID should not change even after the relay agent restarts.Prefix DelegationPrefix delegation enables an IPv6 router to use the IPv6 prefix (network address) received from the ISP (or a connected uplink router) for its LAN. The EMG uses the received IPv6 prefix (for example, 2001:db2::/48) to generate its LAN IP address. Through sending Router Advertisements (RAs) regularly by multicast, the EMG passes the IPv6 prefix information to its LAN hosts. The hosts then can use the prefix to generate their IPv6 addresses.ICMPv6Internet Control Message Protocol for IPv6 (ICMPv6 or ICMP for IPv6) is defined in RFC 4443. ICMPv6 has a preceding Next Header value of 58, which is different from the value used to identify ICMP for IPv4. ICMPv6 is an integral part of IPv6. IPv6 nodes use ICMPv6 to report errors encountered in packet processing and perform other diagnostic functions, such as "ping".Neighbor Discovery Protocol (NDP)The Neighbor Discovery Protocol (NDP) is a protocol used to discover other IPv6 devices and track neighbor’s reachability in a network. An IPv6 device uses the following ICMPv6 messages types: • Neighbor solicitation: A request from a host to determine a neighbor’s link-layer address (MAC address) and detect if the neighbor is still reachable. A neighbor being “reachable” means it responds to a neighbor solicitation message (from the host) with a neighbor advertisement message. • Neighbor advertisement: A response from a node to announce its link-layer address.T1T2Renew RebindRebindto S1Renewto S1Renewto S1Renewto S1Renewto S1Renewto S1to S2to S2
Appendix C IPv6EMG3415-B10A User’s Guide238• Router solicitation: A request from a host to locate a router that can act as the default router and forward packets.• Router advertisement: A response to a router solicitation or a periodical multicast advertisement from a router to advertise its presence and other parameters.IPv6 CacheAn IPv6 host is required to have a neighbor cache, destination cache, prefix list and default router list. The EMG maintains and updates its IPv6 caches constantly using the information from response messages. In IPv6, the EMG configures a link-local address automatically, and then sends a neighbor solicitation message to check if the address is unique. If there is an address to be resolved or verified, the EMG also sends out a neighbor solicitation message. When the EMG receives a neighbor advertisement in response, it stores the neighbor’s link-layer address in the neighbor cache. When the EMG uses a router solicitation message to query for a router and receives a router advertisement message, it adds the router’s information to the neighbor cache, prefix list and destination cache. The EMG creates an entry in the default router list cache if the router can be used as a default router.When the EMG needs to send a packet, it first consults the destination cache to determine the next hop. If there is no matching entry in the destination cache, the EMG uses the prefix list to determine whether the destination address is on-link and can be reached directly without passing through a router. If the address is unlink, the address is considered as the next hop. Otherwise, the EMG determines the next-hop from the default router list or routing table. Once the next hop IP address is known, the EMG looks into the neighbor cache to get the link-layer address and sends the packet when the neighbor is reachable. If the EMG cannot find an entry in the neighbor cache or the state for the neighbor is not reachable, it starts the address resolution process. This helps reduce the number of IPv6 solicitation and advertisement messages.Multicast Listener DiscoveryThe Multicast Listener Discovery (MLD) protocol (defined in RFC 2710) is derived from IPv4's Internet Group Management Protocol version 2 (IGMPv2). MLD uses ICMPv6 message types, rather than IGMP message types. MLDv1 is equivalent to IGMPv2 and MLDv2 is equivalent to IGMPv3.MLD allows an IPv6 switch or router to discover the presence of MLD listeners who wish to receive multicast packets and the IP addresses of multicast groups the hosts want to join on its network. MLD snooping and MLD proxy are analogous to IGMP snooping and IGMP proxy in IPv4. MLD filtering controls which multicast groups a port can join.MLD MessagesA multicast router or switch periodically sends general queries to MLD hosts to update the multicast forwarding table. When an MLD host wants to join a multicast group, it sends an MLD Report message for that address.An MLD Done message is equivalent to an IGMP Leave message. When an MLD host wants to leave a multicast group, it can send a Done message to the router or switch. The router or switch then sends a group-specific query to the port on which the Done message is received to determine if other devices connected to this port should remain in the group.
 Appendix C IPv6EMG3415-B10A User’s Guide239Example - Enabling IPv6 on Windows XP/2003/VistaBy default, Windows XP and Windows 2003 support IPv6. This example shows you how to use the ipv6 install command on Windows XP/2003 to enable IPv6. This also displays how to use the ipconfig command to see auto-generated IP addresses.IPv6 is installed and enabled by default in Windows Vista. Use the ipconfig command to check your automatic configured IPv6 address as well. You should see at least one IPv6 address available for the interface on your computer.Example - Enabling DHCPv6 on Windows XPWindows XP does not support DHCPv6. If your network uses DHCPv6 for IP address assignment, you have to additionally install a DHCPv6 client software on your Windows XP. (Note: If you use static IP addresses or Router Advertisement for IPv6 address assignment in your network, ignore this section.)This example uses Dibbler as the DHCPv6 client. To enable DHCPv6 client on your computer:1Install Dibbler and select the DHCPv6 client option on your computer.2After the installation is complete, select Start > All Programs > Dibbler-DHCPv6 > Client Install as service.3Select Start > Control Panel > Administrative Tools > Services.4Double click Dibbler - a DHCPv6 client.C:\>ipv6 installInstalling...Succeeded.C:\>ipconfigWindows IP ConfigurationEthernet adapter Local Area Connection:        Connection-specific DNS Suffix  . :         IP Address. . . . . . . . . . . . : 10.1.1.46        Subnet Mask . . . . . . . . . . . : 255.255.255.0        IP Address. . . . . . . . . . . . : fe80::2d0:59ff:feb8:103c%4        Default Gateway . . . . . . . . . : 10.1.1.254
Appendix C IPv6EMG3415-B10A User’s Guide2405Click Start and then OK.6Now your computer can obtain an IPv6 address from a DHCPv6 server.Example - Enabling IPv6 on Windows 7Windows 7 supports IPv6 by default. DHCPv6 is also enabled when you enable IPv6 on a Windows 7 computer.To enable IPv6 in Windows 7:1Select Control Panel > Network and Sharing Center > Local Area Connection.2Select the Internet Protocol Version 6 (TCP/IPv6) checkbox to enable it.3Click OK to save the change.
 Appendix C IPv6EMG3415-B10A User’s Guide2414Click Close to exit the Local Area Connection Status screen.5Select Start > All Programs > Accessories > Command Prompt.6Use the ipconfig command to check your dynamic IPv6 address. This example shows a global address (2001:b021:2d::1000) obtained from a DHCP server.C:\>ipconfigWindows IP ConfigurationEthernet adapter Local Area Connection:   Connection-specific DNS Suffix  . :    IPv6 Address. . . . . . . . . . . : 2001:b021:2d::1000   Link-local IPv6 Address . . . . . : fe80::25d8:dcab:c80a:5189%11   IPv4 Address. . . . . . . . . . . : 172.16.100.61   Subnet Mask . . . . . . . . . . . : 255.255.255.0   Default Gateway . . . . . . . . . : fe80::213:49ff:feaa:7125%11                                       172.16.100.254
EMG3415-B10A User’s Guide242APPENDIX DServicesThe following table lists some commonly-used services and their associated protocols and port numbers.•Name: This is a short, descriptive name for the service. You can use this one or create a different one, if you like.•Protocol: This is the type of IP protocol used by the service. If this is TCP/UDP, then the service uses the same port number with TCP and UDP. If this is USER-DEFINED, the Port(s) is the IP protocol number, not the port number.•Port(s): This value depends on the Protocol.•If the Protocol is TCP, UDP, or TCP/UDP, this is the IP port number.•If the Protocol is USER, this is the IP protocol number.•Description: This is a brief explanation of the applications that use this service or the situations in which this service is used.
 Appendix D ServicesEMG3415-B10A User’s Guide243Table 118   Examples of ServicesNAME PROTOCOL PORT(S) DESCRIPTIONAH (IPSEC_TUNNEL) User-Defined 51 The IPSEC AH (Authentication Header) tunneling protocol uses this service.AIM TCP 5190 AOL’s Internet Messenger service.AUTH TCP 113 Authentication protocol used by some servers.BGP TCP 179 Border Gateway Protocol.BOOTP_CLIENT UDP 68 DHCP Client.BOOTP_SERVER UDP 67 DHCP Server.CU-SEEME TCP/UDPTCP/UDP 764824032A popular videoconferencing solution from White Pines Software.DNS TCP/UDP 53 Domain Name Server, a service that matches web names (for instance www.zyxel.com) to IP numbers.ESP (IPSEC_TUNNEL) User-Defined 50 The IPSEC ESP (Encapsulation Security Protocol) tunneling protocol uses this service.FINGER TCP 79 Finger is a UNIX or Internet related command that can be used to find out if a user is logged on.FTP TCPTCP2021File Transfer Protocol, a program to enable fast transfer of files, including large files that may not be possible by e-mail.H.323 TCP 1720 NetMeeting uses this protocol.HTTP TCP 80 Hyper Text Transfer Protocol - a client/server protocol for the world wide web.HTTPS TCP 443 HTTPS is a secured http session often used in e-commerce.ICMP User-Defined 1Internet Control Message Protocol is often used for diagnostic purposes.ICQ UDP 4000 This is a popular Internet chat program.IGMP (MULTICAST) User-Defined 2Internet Group Multicast Protocol is used when sending packets to a specific group of hosts.IKE UDP 500 The Internet Key Exchange algorithm is used for key distribution and management.IMAP4 TCP 143 The Internet Message Access Protocol is used for e-mail.IMAP4S TCP 993 This is a more secure version of IMAP4 that runs over SSL.IRC TCP/UDP 6667 This is another popular Internet chat program.MSN Messenger TCP 1863 Microsoft Networks’ messenger service uses this protocol. NetBIOS TCP/UDPTCP/UDPTCP/UDPTCP/UDP137138139445The Network Basic Input/Output System is used for communication between computers in a LAN.NEW-ICQ TCP 5190 An Internet chat program.NEWS  TCP 144 A protocol for news groups.
Appendix D ServicesEMG3415-B10A User’s Guide244NFS UDP 2049 Network File System - NFS is a client/server distributed file service that provides transparent file sharing for network environments.NNTP TCP 119 Network News Transport Protocol is the delivery mechanism for the USENET newsgroup service.PING User-Defined 1Packet INternet Groper is a protocol that sends out ICMP echo requests to test whether or not a remote host is reachable.POP3 TCP 110 Post Office Protocol version 3 lets a client computer get e-mail from a POP3 server through a temporary connection (TCP/IP or other).POP3S TCP 995 This is a more secure version of POP3 that runs over SSL.PPTP TCP 1723 Point-to-Point Tunneling Protocol enables secure transfer of data over public networks. This is the control channel.PPTP_TUNNEL (GRE) User-Defined 47 PPTP (Point-to-Point Tunneling Protocol) enables secure transfer of data over public networks. This is the data channel.RCMD TCP 512 Remote Command Service.REAL_AUDIO TCP 7070 A streaming audio service that enables real time sound over the web.REXEC TCP 514 Remote Execution Daemon.RLOGIN TCP 513 Remote Login.ROADRUNNER TCP/UDP 1026 This is an ISP that provides services mainly for cable modems.RTELNET TCP 107 Remote Telnet.RTSP TCP/UDP 554 The Real Time Streaming (media control) Protocol (RTSP) is a remote control for multimedia on the Internet. SFTP TCP 115 The Simple File Transfer Protocol is an old way of transferring files between computers.SMTP TCP 25 Simple Mail Transfer Protocol is the message-exchange standard for the Internet. SMTP enables you to move messages from one e-mail server to another.SMTPS TCP 465 This is a more secure version of SMTP that runs over SSL.SNMP TCP/UDP 161 Simple Network Management Program.SNMP-TRAPS TCP/UDP 162 Traps for use with the SNMP (RFC:1215).SQL-NET TCP 1521 Structured Query Language is an interface to access data on many different types of database systems, including mainframes, midrange systems, UNIX systems and network servers.SSDP UDP 1900 The Simple Service Discovery Protocol supports Universal Plug-and-Play (UPnP).SSH TCP/UDP 22 Secure Shell Remote Login Program.STRM WORKS UDP 1558 Stream Works Protocol.SYSLOG UDP 514 Syslog allows you to send system logs to a UNIX server.Table 118   Examples of Services (continued)NAME PROTOCOL PORT(S) DESCRIPTION
 Appendix D ServicesEMG3415-B10A User’s Guide245TACACS UDP 49 Login Host Protocol used for (Terminal Access Controller Access Control System).TELNET TCP 23 Telnet is the login and terminal emulation protocol common on the Internet and in UNIX environments. It operates over TCP/IP networks. Its primary function is to allow users to log into remote host systems.VDOLIVE TCPUDP7000user-definedA videoconferencing solution. The UDP port number is specified in the application.Table 118   Examples of Services (continued)NAME PROTOCOL PORT(S) DESCRIPTION
EMG3415-B10A User’s Guide246APPENDIX ELegal InformationCopyrightCopyright © 2017 by Zyxel Communications Corporation.The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical, magnetic, optical, chemical, photocopying, manual, or otherwise, without the prior written permission of Zyxel Communications Corporation.Published by Zyxel Communications Corporation. All rights reserved.DisclaimerZyxel does not assume any liability arising out of the application or use of any products, or software described herein. Neither does it convey any license under its patent rights nor the patent rights of others. Zyxel further reserves the right to make changes in any products described herein without notice. This publication is subject to change without notice.Regulatory Notice and StatementUNITED STATES of AMERICAThe following information applies if you use the product within USA area.FCC EMC Statement• The device complies with Part 15 of FCC rules. Operation is subject to the following two conditions:(1) This device may not cause harmful interference, and (2) This device must accept any interference received, including interference that may cause undesired operation.• Changes or modifications not expressly approved by the party responsible for compliance could void the user’s authority to operate the device.• This product has been tested and complies with the specifications for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This device generates, uses, and can radiate radio frequency energy and, if not installed and used according to the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. • If this device does cause harmful interference to radio or television reception, which is found by turning the device off and on, the user is encouraged to try to correct the interference by one or more of the following measures:• Reorient or relocate the receiving antenna • Increase the separation between the devices • Connect the equipment to an outlet other than the receiver’s • Consult a dealer or an experienced radio/TV technician for assistanceThe following information applies if you use the product with RF function within USA area.FCC Radiation Exposure Statement• This device complies with FCC RF radiation exposure limits set forth for an uncontrolled environment. • This transmitter must be at least 20 cm from the user and must not be co-located or operating in conjunction with any other antenna or transmitter.CANADA  The following information applies if you use the product within Canada area.Industry Canada ICES statementCAN ICES-3 (B)/NMB-3(B)Industry Canada RSS-GEN & RSS-247 statement• This device complies with Industry Canada license-exempt RSS standard(s). Operation is subject to the following two conditions: (1) this device may not cause interference, and (2) this device must accept any interference, including interference that may cause undesired operation of the device.
 Appendix E Legal InformationEMG3415-B10A User’s Guide247• This radio transmitter has been approved by Industry Canada to operate with the antenna types listed below with the maximum permissible gain and required antenna impedance for each antenna type indicated. Antenna types not included in this list, having a gain greater than the maximum gain indicated for that type, are strictly prohibited for use with this device.If the product with 5G wireless function operating in 5150-5250 MHz and 5725-5850 MHz, the following attention must be paid.• The device for operation in the band 5150-5250 MHz is only for indoor use to reduce the potential for harmful interference to co-channel mobile satellite systems.• For devices with detachable antenna(s), the maximum antenna gain permitted for devices in the band 5725-5850 MHz shall be such that the equipment still complies with the e.i.r.p. limits specified for point-to-point and non-point-to-point operation as appropriate; and• The worst-case tilt angle(s) necessary to remain compliant with the e.i.r.p. elevation mask requirement set forth in Section 6.2.2(3) of RSS 247 shall be clearly indicated.If the produce with 5G wireless function operating in 5250-5350 MHz and 5470-5725 MHz , the following attention must be paid.• For devices with detachable antenna(s), the maximum antenna gain permitted for devices in the bands 5250-5350 MHz and 5470-5725 MHz shall be such that the equipment still complies with the e.i.r.p. limit• Le présent appareil est conforme aux CNR d’Industrie Canada applicables aux appareils radio exempts de licence. L’exploitation est autorisée aux deux conditions suivantes :  (1) l’appareil ne doit pas produire de brouillage; (2) l’utilisateur de l’appareil doit accepter tout brouillage radioélectrique subi, même si le brouillage est susceptible d’en compromettre le fonctionnement.• Le présent émetteur radio de modèle s'il fait partie du matériel de catégorieI) a été approuvé par Industrie Canada pour fonctionner avec les types d'antenne énumérés ci-dessous et ayant un gain admissible maximal et l'impédance requise pour chaque type d'antenne. Les types d'antenne non inclus dans cette liste, ou dont le gain est supérieur au gain maximal indiqué, sont strictement interdits pour l'exploitation de l'émetteur.Lorsque la fonction sans fil 5G fonctionnant en5150-5250 MHz and 5725-5850 MHz est activée pour ce produit , il est nécessaire de porter une attention particulière aux choses suivantes• Les dispositifs fonctionnant dans la bande 5150-5250 MHz sont réservés uniquement pour une utilisation à l’intérieur afin de réduire les risques de brouillage préjudiciable aux systèmes de satellites mobiles utilisant les mêmes canaux;• Pour les dispositifs munis d’antennes amovibles, le gain maximal d'antenne permis (pour les dispositifs utilisant la bande de 5 725 à 5 850 MHz) doit être conforme à la limite de la p.i.r.e. spécifiée pour l'exploitation point à point et l’exploitation non point à point, selon le cas;• Les pires angles d’inclinaison nécessaires pour rester conforme à l’exigence de la p.i.r.e. applicable au masque d’élévation, et énoncée à la section 6.2.2 3) du CNR-247, doivent être clairement indiqués.Lorsque la fonction sans fil 5G fonctionnant en 5250-5350 MHz et 5470-5725 MHz est activée pour ce produit , il est nécessaire de porter une attention particulière aux choses suivantes• Pour les dispositifs munis d’antennes amovibles, le gain maximal d'antenne permis pour les dispositifs utilisant les bandes de 5 250 à 5 350 MHz et de 5 470 à 5 725 MHz doit être conforme à la limite de la p.i.r.e.Industry Canada radiation exposure statementThis equipment complies with IC radiation exposure limits set forth for an uncontrolled environment. This equipment should be installed and operated with a minimum distance of 20 cm between the radiator and your body.Déclaration d’exposition aux radiations:Cet équipement est conforme aux limites d’exposition aux rayonnements IC établies pour un environnement non contrôlé.Cet équipement doit être installé et utilisé avec un minimum de 20 cm de distance entre la source de rayonnement et votre corps.EUROPEAN UNIONThe following information applies if you use the product within the European Union.Declaration of Conformity with Regard to EU Directive 1999/5/EC (R&TTE Directive)• Compliance information for 2.4GHz and/or 5GHz wireless products relevant to the EU and other Countries following the EU Directive 1999/5/EC (R&TTE).• This device is restricted to indoor use only when operating in the 5150 to 5350 MHz frequency range.   Български (Bulgarian)С настоящото Zyxel декларира, че това оборудване е в съответствие със съществените изисквания и другите приложими разпоредбите на Директива 1999/5/ЕC.Español (Spanish)Por medio de la presente Zyxel declara que el equipo cumple con los requisitos esenciales y cualesquiera otras disposiciones aplicables o exigibles de la Directiva 1999/5/CE.Čeština (Czech)Zyxel tímto prohlašuje, že tento zařízení je ve shodě se základními požadavky a dalšími příslušnými ustanoveními směrnice 1999/5/EC.Dansk (Danish) Undertegnede Zyxel erklærer herved, at følgende udstyr udstyr overholder de væsentlige krav og øvrige relevante krav i direktiv 1999/5/EF.Deutsch (German)Hiermit erklärt Zyxel, dass sich das Gerät Ausstattung in Übereinstimmung mit den grundlegenden Anforderungen und den übrigen einschlägigen Bestimmungen der Richtlinie 1999/5/EU befindet.Eesti keel (Estonian)Käesolevaga kinnitab Zyxel seadme seadmed vastavust direktiivi 1999/5/EÜ põhinõuetele ja nimetatud direktiivist tulenevatele teistele asjakohastele sätetele.
Appendix E Legal InformationEMG3415-B10A User’s Guide248National Restrictions• This product may be used in all EU countries (and other countries following the EU Directive 1999/5/EC) without any limitation except for the countries mentioned below:• Ce produit peut être utilisé dans tous les pays de l’UE (et dans tous les pays ayant transposés la directive 1999/5/CE) sans aucune limitation, excepté pour les pays mentionnés ci-dessous:• Questo prodotto è utilizzabile in tutte i paesi EU (ed in tutti gli altri paesi che seguono le direttiva 1999/5/EC) senza nessuna limitazione, eccetto per i paesii menzionati di seguito:• Das Produkt kann in allen EU Staaten ohne Einschränkungen eingesetzt werden (sowie in anderen Staaten die der Richtlinie 1999/5/CE folgen) mit Außnahme der folgenden aufgeführten Staaten:In the majority of the EU and other European countries, the 2.4GHz and 5GHz bands have been made available for the use of wireless local area networks (LANs). Later in this document you will find an overview of countries in which additional restrictions or requirements or both are applicable. The requirements for any country may evolve. Zyxel recommends that you check with the local authorities for the latest status of their national regulations for both the  2.4GHz and 5GHz wireless LANs. The following countries have restrictions and/or requirements in addition to those given in the table labeled “Overview of Regulatory Requirements for Wireless LANs”:.Belgium• The Belgian Institute for Postal Services and Telecommunications (BIPT) must be notified of any outdoor wireless link having a range exceeding 300 meters. Please check http://www.bipt.be for more details.• Draadloze verbindingen voor buitengebruik en met een reikwijdte van meer dan 300 meter dienen aangemeld te worden bij het Belgisch Instituut voor postdiensten en telecommunicatie (BIPT). Zie http://www.bipt.be voor meer gegevens.• Les liaisons sans fil pour une utilisation en extérieur d’une distance supérieure à 300 mètres doivent être notifiées à l’Institut Belge des services Postaux et des Télécommunications (IBPT). Visitez http://www.ibpt.be pour de plus amples détails.Denmark• In Denmark, the band 5150 - 5350 MHz is also allowed for outdoor usage.• I Danmark må frekvensbåndet 5150 - 5350 også anvendes udendørs.ItalyΕλληνικά (Greek)ΜΕ ΤΗΝ ΠΑΡΟΥΣΑ Zyxel ∆ΗΛΩΝΕΙ ΟΤΙ εξοπλισμός ΣΥΜΜΟΡΦΩΝΕΤΑΙ ΠΡΟΣ ΤΙΣ ΟΥΣΙΩ∆ΕΙΣ ΑΠΑΙΤΗΣΕΙΣ ΚΑΙ ΤΙΣ ΛΟΙΠΕΣ ΣΧΕΤΙΚΕΣ ∆ΙΑΤΑΞΕΙΣ ΤΗΣ Ο∆ΗΓΙΑΣ 1999/5/ΕC.English Hereby, Zyxel declares that this device is in compliance with the essential requirements and other relevant provisions of Directive 1999/5/EC.Français (French)Par la présente Zyxel déclare que l'appareil équipements est conforme aux exigences essentielles et aux autres dispositions pertinentes de la directive 1999/5/EC.Hrvatski (Croatian)Zyxel ovime izjavljuje da je radijska oprema tipa u skladu s Direktivom 1999/5/EC.Íslenska (Icelandic)Hér með lýsir, Zyxel því yfir að þessi búnaður er í samræmi við grunnkröfur og önnur viðeigandi ákvæði tilskipunar 1999/5/EC.Italiano (Italian) Con la presente Zyxel dichiara che questo attrezzatura è conforme ai requisiti essenziali ed alle altre disposizioni pertinenti stabilite dalla direttiva 1999/5/CE.Latviešu valoda (Latvian)Ar šo Zyxel deklarē, ka iekārtas atbilst Direktīvas 1999/5/EK būtiskajām prasībām un citiem ar to saistītajiem noteikumiem.Lietuvių kalba (Lithuanian)Šiuo Zyxel deklaruoja, kad šis įranga atitinka esminius reikalavimus ir kitas 1999/5/EB Direktyvos nuostatas.Magyar (Hungarian)Alulírott, Zyxel nyilatkozom, hogy a berendezés megfelel a vonatkozó alapvetõ követelményeknek és az 1999/5/EK irányelv egyéb elõírásainak.Malti (Maltese) Hawnhekk, Zyxel, jiddikjara li dan tagħmir jikkonforma mal-ħtiġijiet essenzjali u ma provvedimenti oħrajn relevanti li hemm fid-Dirrettiva 1999/5/EC.Nederlands (Dutch)Hierbij verklaart Zyxel dat het toestel uitrusting in overeenstemming is met de essentiële eisen en de andere relevante bepalingen van richtlijn 1999/5/EC.Polski (Polish) Niniejszym Zyxel oświadcza, że sprzęt jest zgodny z zasadniczymi wymogami oraz pozostałymi stosownymi postanowieniami Dyrektywy 1999/5/EC.Português (Portuguese)Zyxel declara que este equipamento está conforme com os requisitos essenciais e outras disposições da Directiva 1999/5/EC.Română (Romanian)Prin prezenta, Zyxel declară că acest echipament este în conformitate cu cerinţele esenţiale şi alte prevederi relevante ale Directivei 1999/5/EC.Slovenčina (Slovak)Zyxel týmto vyhlasuje, že zariadenia spĺňa základné požiadavky a všetky príslušné ustanovenia Smernice 1999/5/EC.Slovenščina (Slovene)Zyxel izjavlja, da je ta oprema v skladu z bistvenimi zahtevami in ostalimi relevantnimi določili direktive 1999/5/EC.Suomi (Finnish) Zyxel vakuuttaa täten että laitteet tyyppinen laite on direktiivin 1999/5/EY oleellisten vaatimusten ja sitä koskevien direktiivin muiden ehtojen mukainen.Svenska (Swedish)Härmed intygar Zyxel att denna utrustning står I överensstämmelse med de väsentliga egenskapskrav och övriga relevanta bestämmelser som framgår av direktiv 1999/5/EC.Norsk (Norwegian)Erklærer herved Zyxel at dette utstyret er I samsvar med de grunnleggende kravene og andre relevante bestemmelser I direktiv 1999/5/EF.
 Appendix E Legal InformationEMG3415-B10A User’s Guide249• This product meets the National Radio Interface and the requirements specified in the National Frequency Allocation Table for Italy. Unless this wireless LAN product is operating within the boundaries of the owner's property, its use requires a “general authorization.” Please check http://www.sviluppoeconomico.gov.it/ for more details.• Questo prodotto è conforme alla specifiche di Interfaccia Radio Nazionali e rispetta il Piano Nazionale di ripartizione delle frequenze in Italia. Se non viene installato all 'interno del proprio fondo, l'utilizzo di prodotti Wireless LAN richiede una “Autorizzazione Generale”. Consultare http://www.sviluppoeconomico.gov.it/ per maggiori dettagli.Latvia• The outdoor usage of the 2.4 GHz band requires an authorization from the Electronic Communications Office. Please check http:// www.esd.lv for more details.• 2.4 GHz frekvenèu joslas izmantoðanai ârpus telpâm nepiecieðama atïauja no Elektronisko sakaru direkcijas. Vairâk informâcijas: http://www.esd.lv.Notes:1. Although Norway, Switzerland and Liechtenstein are not EU member states, the EU Directive 1999/5/EC has also been implemented in those countries.2. The regulatory limits for maximum output power are specified in EIRP. The EIRP level (in dBm) of a device can be calculated by adding the gain of the antenna used(specified in dBi) to the output power available at the connector (specified in dBm).List of national codesSafety Warnings• Do not use this product near water, for example, in a wet basement or near a swimming pool.• Do not expose your device to dampness, dust or corrosive liquids.• Do not store things on the device.• Do not obstruct the device ventilation slots as insufficient airflow may harm your device. For example, do not place the device in an enclosed space such as a box or on a very soft surface such as a bed or sofa.• Do not install, use, or service this device during a thunderstorm. There is a remote risk of electric shock from lightning.• Connect ONLY suitable accessories to the device.• Do not open the device or unit. Opening or removing covers can expose you to dangerous high voltage points or other risks. ONLY qualified service personnel should service or disassemble this device. Please contact your vendor for further information.• Make sure to connect the cables to the correct ports.• Place connecting cables carefully so that no one will step on them or stumble over them.• Always disconnect all cables from this device before servicing or disassembling.• Do not remove the plug and connect it to a power outlet by itself; always attach the plug to the power adaptor first before connecting it to a power outlet.• Do not allow anything to rest on the power adaptor or cord and do NOT place the product where anyone can walk on the power adaptor or cord.• Please use the provided or designated connection cables/power cables/ adaptors. Connect it to the right supply voltage (for example, 110V AC in North America or 230V AC in Europe). If the power adaptor or cord is damaged, it might cause electrocution. Remove it from the device and the power source, repairing the power adapter or cord is prohibited. Contact your local vendor to order a new one.• Do not use the device outside, and make sure all the connections are indoors. There is a remote risk of electric shock from lightning.• CAUTION: Risk of explosion if battery is replaced by an incorrect type, dispose of used batteries according to the instruction. Dispose them at the applicable collection point for the recycling of electrical and electronic devices. For detailed information about recycling of this product, please contact your local city office, your household waste disposal service or the store where you purchased the product.• The following warning statements apply, where the disconnect device is not incorporated in the device or where the plug on the power supply cord is intended to serve as the disconnect device,- For permanently connected devices, a readily accessible disconnect device shall be incorporated external to the device;- For pluggable devices, the socket-outlet shall be installed near the device and shall be easily accessible.COUNTRY ISO 3166 2 LETTER CODE COUNTRY ISO 3166 2 LETTER CODEAustria AT Liechtenstein LIBelgium BE Lithuania LTBulgaria BG Luxembourg LUCroatia HR Malta MTCyprus CY Netherlands NLCzech Republic CZ Norway NODenmark DK Poland PLEstonia EE Portugal PTFinland FI Romania ROFrance FR Serbia RSGermany DE Slovakia SKGreece GR Slovenia SIHungary HU Spain ESIceland IS Switzerland CHIreland IE Sweden SEItaly IT Turkey TRLatvia LV United Kingdom GB
Appendix E Legal InformationEMG3415-B10A User’s Guide250• The RJ-45 jacks are not used for telephone line connection.• Always disconnect all telephone lines from the wall outlet before servicing or disassembling this product.• Les prises RJ-45 ne sont pas utilisés pour la connexion de la ligne téléphonique.• Ne pas utiliser ce produit près de l'eau, par exemple un sous-sol humide ou près d'une piscine.• Évitez d'utiliser ce produit (autre qu'un type sans fil) pendant un orage. Il peut y avoir un risque de choc électrique de la foudre.• Toujours débrancher toutes les lignes téléphoniques de la prise murale avant de réparer ou de démonter ce produit.Environment StatementErP (Energy-related Products) Zyxel products put on the EU market in compliance with the requirement of the European Parliament and the Council published Directive 2009/125/EC establishing a framework for the setting of ecodesign requirements for energy-related products (recast), so called as "ErP Directive (Energy-related Products directive) as well as ecodesign requirement laid down in applicable implementing measures, power consumption has satisfied regulation requirements which are:• Network standby power consumption < 8W, and/or• Off mode power consumption < 0.5W, and/or• Standby mode power consumption < 0.5W.(Wireless setting, please refer to "Wireless" chapter for more detail.)European Union - Disposal and Recycling InformationThe symbol below means that according to local regulations your product and/or its battery shall be disposed of separately from domestic waste. If this product is end of life, take it to a recycling station designated by local authorities. At the time of disposal, the separate collection of your product and/or its battery will help save natural resources and ensure that the environment is sustainable development.Die folgende Symbol bedeutet, dass Ihr Produkt und/oder seine Batterie gemäß den örtlichen Bestimmungen getrennt vom Hausmüll entsorgt werden muss. Wenden Sie sich an eine Recyclingstation, wenn dieses Produkt das Ende seiner Lebensdauer erreicht hat. Zum Zeitpunkt der Entsorgung wird die getrennte Sammlung von Produkt und/oder seiner Batterie dazu beitragen, natürliche Ressourcen zu sparen und die Umwelt und die menschliche Gesundheit zu schützen.El símbolo de abajo indica que según las regulaciones locales, su producto y/o su batería deberán depositarse como basura separada de la doméstica. Cuando este producto alcance el final de su vida útil, llévelo a un punto limpio. Cuando llegue el momento de desechar el producto, la recogida por separado éste y/o su batería ayudará a salvar los recursos naturales y a proteger la salud humana y medioambiental.Le symbole ci-dessous signifie que selon les réglementations locales votre produit et/ou sa batterie doivent être éliminés séparément des ordures ménagères. Lorsque ce produit atteint sa fin de vie, amenez-le à un centre de recyclage. Au moment de la mise au rebut, la collecte séparée de votre produit et/ou de sa batterie aidera à économiser les ressources naturelles et protéger l'environnement et la santé humaine.Il simbolo sotto significa che secondo i regolamenti locali il vostro prodotto e/o batteria deve essere smaltito separatamente dai rifiuti domestici. Quando questo prodotto raggiunge la fine della vita di servizio portarlo a una stazione di riciclaggio. Al momento dello smaltimento, la raccolta separata del vostro prodotto e/o della sua batteria aiuta a risparmiare risorse naturali e a proteggere l'ambiente e la salute umana.Symbolen innebär att enligt lokal lagstiftning ska produkten och/eller dess batteri kastas separat från hushållsavfallet. När den här produkten når slutet av sin livslängd ska du ta den till en återvinningsstation. Vid tiden för kasseringen bidrar du till en bättre miljö och mänsklig hälsa genom att göra dig av med den på ett återvinningsställe.
 Appendix E Legal InformationEMG3415-B10A User’s Guide251Environmental Product Declaration
Appendix E Legal InformationEMG3415-B10A User’s Guide252台灣 以下訊息僅適用於產品具有無線功能且銷售至台灣地區• 第十二條 經型式認證合格之低功率射頻電機,非經許可,公司,商號或使用者均不得擅自變更頻率、加大功率或變更原設計之特性及功能。• 第十四條 低功率射頻電機之使用不得影響飛航安全及干擾合法通信;經發現有干擾現象時,應立即停用,並改善至無干擾時方得繼續使用。前項合法通信,指依電信法規定作業之無線電通信。 低功率射頻電機須忍受合法通信或工業、科學及醫療用電波輻射性電機設備之干擾。• 無線資訊傳輸設備忍受合法通信之干擾且不得干擾合法通信;如造成干擾,應立即停用, 俟無干擾之虞,始得繼續使用。• 無線資訊傳設備的製造廠商應確保頻率穩定性,如依製造廠商使用手冊上所述正常操作, 發射的信號應維持於操作頻帶中以下訊息僅適用於產品操作於 5.25-5.35 秭赫頻帶內並銷售至台灣地區• 在 5.25-5.35 秭赫頻帶內操作之無線資訊傳輸設備,限於室內使用。以下訊息僅適用於產品屬於專業安裝並銷售至台灣地區• 本器材須經專業工程人員安裝及設定,始得設置使用,且不得直接販售給一般消費者。安全警告 - 為了您的安全,請先閱讀以下警告及指示 :• 請勿將此產品接近水、火焰或放置在高溫的環境。• 避免設備接觸 :- 任何液體 - 切勿讓設備接觸水、雨水、高濕度、污水腐蝕性的液體或其他水份。- 灰塵及污物 - 切勿接觸灰塵、污物、沙土、食物或其他不合適的材料。• 雷雨天氣時,不要安裝,使用或維修此設備。有遭受電擊的風險。• 切勿重摔或撞擊設備,並勿使用不正確的電源變壓器。• 若接上不正確的電源變壓器會有爆炸的風險。• 請勿隨意更換產品內的電池。• 如果更換不正確之電池型式,會有爆炸的風險,請依製造商說明書處理使用過之電池。• 請將廢電池丟棄在適當的電器或電子設備回收處。• 請勿將設備解體。• 請勿阻礙設備的散熱孔,空氣對流不足將會造成設備損害。• 請插在正確的電壓供給插座 ( 如 : 北美 / 台灣電壓 110V AC,歐洲是 230V AC)。• 假若電源變壓器或電源變壓器的纜線損壞,請從插座拔除,若您還繼續插電使用,會有觸電死亡的風險。• 請勿試圖修理電源變壓器或電源變壓器的纜線,若有毀損,請直接聯絡您購買的店家,購買一個新的電源變壓器。• 請勿將此設備安裝於室外,此設備僅適合放置於室內。• 請勿隨一般垃圾丟棄。• 請參閱產品背貼上的設備額定功率。• 請參考產品型錄或是彩盒上的作業溫度。• 產品沒有斷電裝置或者採用電源線的插頭視為斷電裝置的一部分,以下警語將適用 :- 對永久連接之設備, 在設備外部須安裝可觸及之斷電裝置;- 對插接式之設備, 插座必須接近安裝之地點而且是易於觸及的。About the SymbolsVarious symbols are used in this product to ensure correct usage, to prevent danger to the user and others, and to prevent property damage. The meaning of these symbols are described below. It is important that you read these descriptions thoroughly and fully understand the contents.
 Appendix E Legal InformationEMG3415-B10A User’s Guide253Explanation of the SymbolsViewing Certifications Go to http://www.zyxel.com to view this product’s documentation and certifications.Zyxel Limited Warranty Zyxel warrants to the original end user (purchaser) that this product is free from any defects in material or workmanship for a specific period (the Warranty Period) from the date of purchase. The Warranty Period varies by region. Check with your vendor and/or the authorized Zyxel local distributor for details about the Warranty Period of this product. During the warranty period, and upon proof of purchase, should the product have indications of failure due to faulty workmanship and/or materials, Zyxel will, at its discretion, repair or replace the defective products or components without charge for either parts or labor, and to whatever extent it shall deem necessary to restore the product  or components to proper operating condition. Any replacement will consist of a new or re-manufactured functionally equivalent product of equal or higher value, and will be solely at the discretion of Zyxel. This warranty shall not apply if the product has been modified, misused, tampered with, damaged by an act of God, or subjected to abnormal working conditions.NoteRepair or replacement, as provided under this warranty, is the exclusive remedy of the purchaser. This warranty is in lieu of all other warranties, express or implied, including any implied warranty of merchantability or fitness for a particular use or purpose. Zyxel shall in no event be held liable for indirect or consequential damages of any kind to the purchaser.To obtain the services of this warranty, contact your vendor. You may also refer to the warranty policy for the region in which you bought the device at http://www.zyxel.com/web/support_warranty_info.php.Registration Register your product online to receive e-mail notices of firmware upgrades and information at www.zyxel.com for global products, or at www.us.zyxel.com for North American products.Open Source Licenses This product contains in part some free software distributed under GPL license terms and/or GPL like licenses. Open source licenses are provided with the firmware package. You can download the latest firmware at www.zyxel.com. To obtain the source code covered under those Licenses, please contact support@zyxel.com.tw to get it. SYMBOL EXPLANATIONAlternating current (AC):AC is an electric current in which the flow of electric charge periodically reverses direction.Direct current (DC):DC if the unidirectional flow or movement of electric charge carriers.Earth; ground:A wiring terminal intended for connection of a Protective Earthing Conductor.Class II equipment:The method of protection against electric shock in the case of class II equipment is either double insulation or reinforced insulation.
 IndexEMG3415-B10A User’s Guide254IndexAACL rule 157activationfirewalls 154SIP ALG 136Address Resolution Protocol 181antennadirectional 233gain 233omni-directional 233AP (access point) 224applicationsInternet access 13applications, NAT 141ARP Table 181, 183authentication 77, 78RADIUS server 78Bbackupconfiguration 205Basic Service Set, See BSS 222Basic Service Set, see BSSblinking LEDs 16Broadband 50broadcast 62BSS 80, 222example 80CCA 169, 228Canonical Format Indicator See CFICCMs 208certificatefactory default 170Certificate AuthoritySee CA.certificates 169authentication 169CAcreating 170public key 169replacing 170storage space 170Certification Authority 169Certification Authority. see CAcertifications 249viewing 253CFI 62CFM 208CCMs 208link trace test 208loopback test 208MA 208MD 208MEP 208MIP 208channel 224interference 224channel, wireless LAN 76client list 94configurationbackup 205firewalls 154reset 206restoring 206static route 103, 105, 144Connectivity Check Messages, see CCMscontact information 216copyright 246CoS 123CoS technologies 110creating certificates 170CTS (Clear to Send) 225CTS threshold 73, 77
 IndexEMG3415-B10A User’s Guide255customer support 216customizing default settings 207Ddata fragment threshold 73, 77DDoS 154default server address 136Denials of Service, see DoSDHCP 89, 101Differentiated Services, see DiffServ 123DiffServ 123marking rule 123digital IDs 169disclaimer 246DMZ 135DNS 89, 101DNS server address assignment 63Domain Name 141Domain Name System, see DNSDomain Name System. See DNS.DoS 154DS field 123DS, dee differentiated servicesDSCP 123dynamic DNS 143wildcard 143Dynamic Host Configuration Protocol, see DHCPdynamic WEP key exchange 229DYNDNS wildcard 143EEAP Authentication 228ECHO 141e-maillog example 201Encapsulation 60MER 60PPP over Ethernet 60encryption 79, 230ESS 223Extended Service Set IDentification 66Extended Service Set, See ESS 223FfiltersMAC address 70, 78Finger 141firewalls 153add protocols 155configuration 154DDoS 154DoS 154LAND attack 154Ping of Death 154SYN attack 154firmware 203version 47forwarding ports 128fragmentation threshold 73, 77, 225FTP 128, 141GGeneral wireless LAN screen 65Hhidden node 224HTTP 141IIBSS 222IEEE 802.11g 226IEEE 802.1Q 62IGA 139IGMP 62multicast group list 185version 62
 IndexEMG3415-B10A User’s Guide256ILA 139Independent Basic Service SetSee IBSS 222initialization vector (IV) 230Inside Global Address, see IGAInside Local Address, see ILAinterface group 149Internet Protocol version 6 51Internet Protocol version 6, see IPv6IP address 89ping 209WAN 51IP Address Assignment 61IP aliasNAT applications 141IPv6 51, 234addressing 51, 63, 234EUI-64 236global address 234interface ID 236link-local address 234Neighbor Discovery Protocol 234ping 234prefix 51, 63, 234prefix delegation 53prefix length 51, 63, 234unspecified address 235LLAN 88client list 94DHCP 89, 101DNS 89, 101IP address 89, 90MAC address 94status 48subnet mask 89, 90LAND attack 154LBR 208limitationswireless LAN 79WPS 86link trace 208Link Trace Message, see LTMLink Trace Response, see LTRlogin 20logs 175, 178, 185, 200Loop Back Response, see LBRloopback 208LTM 208LTR 208MMA 208MAC address 70, 94filter 70, 78MAC authentication 70Mac filter 160Maintenance Association, see MAMaintenance Domain, see MDMaintenance End Point, see MEPManagement Information Base (MIB) 194managing the devicegood habits 13Maximum Burst Size (MBS) 61MD 208MEP 208MTU (Multi-Tenant Unit) 62multicast 62multiplexing 60LLC-based 60VC-based 60NNAT 127, 128, 129, 139, 140applications 141IP alias 141example 140global 139IGA 139ILA 139inside 139local 139outside 139port forwarding 128
 IndexEMG3415-B10A User’s Guide257port number 141services 141SIP ALG 136activation 136NAT example 142Network Address Translation, see NATNetwork Map 45network map 23NNTP 141PPairwise Master Key (PMK) 230, 232PBC 81Peak Cell Rate (PCR) 61Per-Hop Behavior, see PHB 123PHB 123PIN, WPS 81example 83Ping of Death 154Point-to-Point Tunneling Protocol, see PPTPPOP3 141port forwarding 128ports 16PPPoE 60Benefits 60PPTP 142preamble 74, 77preamble mode 80prefix delegation 53PSK 230Push Button Configuration, see PBCpush button, WPS 81QQoS 109, 123marking 110setup 109tagging 110versus CoS 110Quality of Service, see QoSRRADIUS 227message types 227messages 227shared secret key 227RADIUS server 78reset 206restart 207restoring configuration 206RFC 1058. See RIP.RFC 1389. See RIP.RFC 3164 175RIP 107ROM-D 207Routing Information Protocol. See RIPRTS (Request To Send) 225threshold 224, 225RTS threshold 73, 77Ssecuritywireless LAN 77Security Log 176Security Parameter Index, see SPIservice access control 191, 192, 193Service Set 66Services 141setupfirewalls 154static route 103, 105, 144Simple Network Management Protocol, see SNMPSingle Rate Three Color Marker, see srTCMSIP ALG 136activation 136SMTP 141SNMP 141, 194, 195agents 194Get 195GetNext 195Manager 194managers 194MIB 194
 IndexEMG3415-B10A User’s Guide258network components 194Set 195Trap 195versions 194SNMP trap 142SPI 154srTCM 125SSID 78static route 102, 107, 198configuration 103, 105, 144example 102static VLANstatus 45firmware version 47LAN 48WAN 47wireless LAN 48status indicators 16subnet mask 89Sustained Cell Rate (SCR) 61SYN attack 154syslogprotocol 175severity levels 175systemfirmware 203version 47status 45LAN 48WAN 47wireless LAN 48time 196TTag Control Information See TCITag Protocol Identifier See TPIDTCIThe 51thresholdsdata fragment 73, 77RTS/CTS 73, 77time 196TPID 62traffic shaping 61trTCM 126Two Rate Three Color Marker, see trTCMUunicast 62Universal Plug and Play, see UPnPupgrading firmware 203UPnP 95cautions 90NAT traversal 89VVendor ID 99VIDVirtual Circuit (VC) 60Virtual Local Area Network See VLANVLAN 61Introduction 61number of possible VIDspriority framestaticVLAN ID 62VLAN Identifier See VIDVLAN tag 62WWake on LAN 99WANstatus 47Wide Area Network, see WAN 50warranty 253note 253web configurator 20login 20WEP 79WEP Encryption 68, 69WEP encryption 67WEP key 67
 IndexEMG3415-B10A User’s Guide259Wi-Fi Protected Access 229wireless client WPA supplicants 231wireless LAN 64, 75authentication 77, 78BSS 80example 80channel 76encryption 79example 76fragmentation threshold 73, 77limitations 79MAC address filter 70, 78preamble 74, 77RADIUS server 78RTS/CTS threshold 73, 77security 77SSID 78status 48WEP 79WPA 79WPA-PSK 79WPS 81, 83example 84limitations 86PIN 81push button 81wireless security 226Wireless tutorial 32WLANinterference 224security parameters 232WPA 79, 229key caching 230pre-authentication 230user authentication 230vs WPA-PSK 230wireless client supplicant 231with RADIUS application example 231WPA2 229user authentication 230vs WPA2-PSK 230wireless client supplicant 231with RADIUS application example 231WPA2-Pre-Shared Key 229WPA2-PSK 229, 230application example 231WPA-PSK 79, 229, 230application example 231WPS 81, 83example 84limitations 86PIN 81example 83push button 81ZZyXEL Family Safety page 165

Navigation menu