ZyXEL Communications MAX200HW2 WiMAX Router User Manual UserMan I88MAX200HW2 revised

ZyXEL Communications Corporation WiMAX Router UserMan I88MAX200HW2 revised

User manual revised 3

MAX-200HW2 Series User's Guide

Chapter 22 Logs

Table 116   FSM Logs: Callee Side
LOG MESSAGE | DESCRIPTION
VoIP Call Start from SIP[SIP Port Number] | A VoIP phone call came to the ZyXEL Device from the listed SIP number.
VoIP Call Established Ph[Phone Port] <- Outgoing Call Number | A VoIP phone call was set up from the listed SIP number to the ZyXEL Device.
VoIP Call End Phone[Phone Port] | A VoIP phone call that came into the ZyXEL Device has terminated.

Table 117   Lifeline Logs
LOG MESSAGE | DESCRIPTION
PSTN Call Start | A PSTN call has been initiated.
PSTN Call End | A PSTN call has terminated.
PSTN Call Established | A PSTN call has been set up.
CHAPTER 23
Tools

Use these screens to upload new firmware, back up and restore the configuration, and restart the ZyXEL Device.

23.1  Tools Overview

23.1.1  Firmware

Contact your service provider for information on available firmware upgrades.

Firmware files (usually) use the system model name with a "*.bin" extension, e.g., "ZyXEL Device.bin". The upload process uses HTTP (Hypertext Transfer Protocol) and may take up to two minutes. After a successful upload, the system will reboot.

Only use firmware for your ZyXEL Device's specific model. Refer to the label on the back of your ZyXEL Device.

23.2  Tools Screens

23.2.1  Firmware Screen

Use this screen to upload new firmware to the ZyXEL Device. To access this screen, click Maintenance > Tools > Firmware.

Only use firmware for your ZyXEL Device's specific model. Refer to the label on the bottom of your ZyXEL Device.
Figure 160   Maintenance > Tools > Firmware

Each field is described in the following table.

Table 118   Maintenance > Tools > Firmware
LABEL | DESCRIPTION
File Path | Enter the location of the .bin file you want to upload, or click Browse... to find it. You must decompress compressed (.zip) files before you can upload them.
Browse... | Click this to find the .bin file you want to upload.
Upload | Click this to begin uploading the selected file. This may take up to two minutes. See Section 23.2.2 on page 256 for more information about this process. Note: Do not turn off the device while firmware upload is in progress!

23.2.2  Firmware Upload Screens

Do not turn off the device while firmware upload is in progress!

When the ZyXEL Device starts to upload firmware, the Firmware Upload in Process screen appears.

Figure 161   Firmware Upload In Process
The process usually takes about two minutes. The device automatically restarts in this time. This causes a temporary network disconnect. In some operating systems, you may see the following icon on your desktop.

Figure 162   Network Temporarily Disconnected

After two minutes, log in again, and check your new firmware version in the Status screen. You might have to open a new browser window to log in.

If the upload is not successful, the following screen appears.

Figure 163   Firmware Upload Error

Click Return to go back to the Firmware screen.

23.2.3  Configuration Screen

Use this screen to back up or restore the configuration of the ZyXEL Device. You can also use this screen to reset the ZyXEL Device to the factory default settings. To access this screen, click Maintenance > Tools > Configuration.

Figure 164   Maintenance > Tools > Configuration
Each field is described in the following table.

Table 119   Maintenance > Tools > Configuration
LABEL | DESCRIPTION
Backup Configuration
Backup | Click this to save the ZyXEL Device's current configuration to a file on your computer. Once your device is configured and functioning properly, it is highly recommended that you back up your configuration file before making configuration changes. The backup configuration file is useful if you need to return to your previous settings.
Restore Configuration
File Path | Enter the location of the file you want to upload, or click Browse... to find it.
Browse | Click this to find the file you want to upload.
Upload | Click this to restore the selected configuration file. See Section 23.2.4 on page 258 for more information about this. Note: Do not turn off the device while configuration file upload is in progress.
Back to Factory Defaults
Reset | Click this to clear all user-entered configuration information and return the ZyXEL Device to its factory defaults. There is no warning screen.

23.2.4  Restore Configuration Screens

Do not turn off the device while configuration file upload is in progress.

When the ZyXEL Device has finished restoring the selected configuration file, the following screen appears.

Figure 165   Configuration Upload Successful

The device now automatically restarts. This causes a temporary network disconnect. In some operating systems, you may see the following icon on your desktop.
Figure 166   Network Temporarily Disconnected

If the ZyXEL Device's IP address is different in the configuration file you selected, you may need to change the IP address of your computer to be in the same subnet as that of the default management IP address (192.168.5.1). See your Quick Start Guide or the appendices for details on how to set up your computer's IP address.

You might have to open a new browser to log in again.

If the upload was not successful, a Configuration Upload Error screen appears.

Figure 167   Configuration Upload Error

Click Return to go back to the Configuration screen.

23.2.5  Restart Screen

Use this screen to reboot the ZyXEL Device without turning the power off. To access this screen, click Maintenance > Tools > Restart.

Figure 168   Maintenance > Tools > Restart

This does not affect the ZyXEL Device's configuration. When you click Restart, the following screen appears.
Figure 169   Maintenance > Tools > Restart > In Progress

Wait one minute for the device to finish restarting. Then, you can log in again.
PART IV
Troubleshooting and Specifications

- Troubleshooting
- Product Specifications
CHAPTER 24
Troubleshooting

This chapter offers some suggestions to solve problems you might encounter. The potential problems are divided into the following categories.

- Power, Hardware Connections, and LEDs
- ZyXEL Device Access and Login
- Internet Access
- Phone Calls and VoIP
- Reset the ZyXEL Device to Its Factory Defaults
- Wireless LAN Troubleshooting

24.1  Power, Hardware Connections, and LEDs

The ZyXEL Device does not turn on. None of the LEDs turn on.

1. Make sure you are using the power adaptor or cord included with the ZyXEL Device.
2. Make sure the power adaptor or cord is connected to the ZyXEL Device and plugged in to an appropriate power source. Make sure the power source is turned on.
3. Disconnect and re-connect the power adaptor or cord to the ZyXEL Device.
4. If the problem continues, contact the vendor.

One of the LEDs does not behave as expected.

1. Make sure you understand the normal behavior of the LED. See Section 1.2.1 on page 35.
2. Check the hardware connections. See the Quick Start Guide and Section 1.2 on page 35.
3. Inspect your cables for damage. Contact the vendor to replace any damaged cables.
4. Disconnect and re-connect the power adaptor to the ZyXEL Device.
5. If the problem continues, contact the vendor.
24.2  ZyXEL Device Access and Login

I forgot the IP address for the ZyXEL Device.

1. The default IP address is 192.168.1.1.
2. If you changed the IP address and have forgotten it, you might get the IP address of the ZyXEL Device by looking up the IP address of the default gateway for your computer. To do this in most Windows computers, click Start > Run, enter cmd, and then enter ipconfig. The IP address of the Default Gateway might be the IP address of the ZyXEL Device (it depends on the network), so enter this IP address in your Internet browser.
3. If this does not work, you have to reset the ZyXEL Device to its factory defaults. See Section 24.1 on page 263.

I forgot the password.

1. The default password is 1234.
2. If this does not work, you have to reset the ZyXEL Device to its factory defaults. See Section 23.2.3 on page 257.

I cannot see or access the Login screen in the web configurator.

1. Make sure you are using the correct IP address.
   - The default IP address is 192.168.1.1.
   - If you changed the IP address (Section 9.2.1 on page 122), use the new IP address.
   - If you changed the IP address and have forgotten it, see the troubleshooting suggestions for "I forgot the IP address for the ZyXEL Device."
2. Check the hardware connections, and make sure the LEDs are behaving as expected. See the Quick Start Guide and Section 1.2.1 on page 35.
3. Make sure your Internet browser does not block pop-up windows and has JavaScripts and Java enabled. See Appendix C on page 301.
4. If there is a DHCP server on your network, make sure your computer is using a dynamic IP address. Your ZyXEL Device is a DHCP server by default. If there is no DHCP server on your network, make sure your computer's IP address is in the same subnet as the ZyXEL Device. See Appendix D on page 309.
5. Reset the ZyXEL Device to its factory defaults, and try to access the ZyXEL Device with the default IP address. See Section 23.2.3 on page 257.
6. If the problem continues, contact the network administrator or vendor, or try one of the advanced suggestions.
Advanced Suggestions

- Try to access the ZyXEL Device using another service, such as Telnet. If you can access the ZyXEL Device, check the remote management settings and firewall rules to find out why the ZyXEL Device does not respond to HTTP.
- If your computer is connected wirelessly, use a computer that is connected to a LAN/ETHERNET port.

I can see the Login screen, but I cannot log in to the ZyXEL Device.

1. Make sure you have entered the user name and password correctly. The default user name is admin, and the default password is 1234. These fields are case-sensitive, so make sure [Caps Lock] is not on.
2. You cannot log in to the web configurator while someone is using Telnet to access the ZyXEL Device. Log out of the ZyXEL Device in the other session, or ask the person who is logged in to log out.
3. Disconnect and re-connect the power adaptor or cord to the ZyXEL Device.
4. If this does not work, you have to reset the ZyXEL Device to its factory defaults. See Section 23.2.3 on page 257.

I cannot Telnet to the ZyXEL Device.

See the troubleshooting suggestions for "I cannot see or access the Login screen in the web configurator." Ignore the suggestions about your browser.

24.3  Internet Access

I cannot access the Internet.

1. Check the hardware connections, and make sure the LEDs are behaving as expected. See the Quick Start Guide and Section 1.2.1 on page 35.
2. Make sure you entered your ISP account information correctly in the wizard. These fields are case-sensitive, so make sure [Caps Lock] is not on.
3. Check your security settings. In the web configurator, go to the Status screen. Click the Details... link next to Profile in the WiMAX Information box and make sure that you are using the correct security settings for your Internet account.
4. Check your WiMAX settings. The ZyXEL Device may have been set to search the wrong frequencies for a wireless connection. In the web configurator, go to the Status screen. Click the Details... link next to Site Information in the WiMAX Information box and ensure that the values are correct. If the values are incorrect, enter the correct frequency settings in the Network > WAN > WiMAX Frequency screen. If you are unsure of the correct values, contact your service provider.
5. If you are trying to access the Internet wirelessly, make sure the wireless settings in the wireless client are the same as the settings in the AP.
6. Disconnect all the cables from your ZyXEL Device, and follow the directions in the Quick Start Guide again.
7. If the problem continues, contact your ISP.

I cannot access the Internet anymore. I had access to the Internet (with the ZyXEL Device), but my Internet connection is not available anymore.

1. Check the hardware connections, and make sure the LEDs are behaving as expected. See the Quick Start Guide and Section 1.2.1 on page 35.
2. Disconnect and re-connect the power adaptor to the ZyXEL Device.
3. If the problem continues, contact your ISP.

The Internet connection is slow or intermittent.

1. The quality of the ZyXEL Device's wireless connection to the base station may be poor. Poor signal reception may be improved by moving the ZyXEL Device away from thick walls and other obstructions, or to a higher floor in your building.
2. There may be radio interference caused by nearby electrical devices such as microwave ovens and radio transmitters. Move the ZyXEL Device away or switch the other devices off. Weather conditions may also affect signal quality.
3. As well as having an external antenna connector, the MAX-210HW2 is equipped with an internal directional antenna. If you know the location of the base station, orient the front of the ZyXEL Device (the side with the LEDs) towards the base station. If you do not know the location of the base station, experiment by moving the ZyXEL Device while observing the SIGNAL LEDs for an increase in received signal strength. The MAX-200HW2 and MAX-230HW2 do not have internal antennas.
4. There might be a lot of traffic on the network. Look at the LEDs, and check Section 1.2.1 on page 35. If the ZyXEL Device is sending or receiving a lot of information, try closing some programs that use the Internet, especially peer-to-peer applications.
5. Disconnect and re-connect the power adaptor to the ZyXEL Device.
6. If the problem continues, contact the network administrator or vendor, or try one of the advanced suggestions.

The Internet connection disconnects.
- Check your WiMAX link and signal strength using the LINK and SIGNAL LEDs on the device. See the following section if signal strength is poor or the ZyXEL Device has no link to a base station.
- Contact your ISP if the problem persists.

24.4  Phone Calls and VoIP

The telephone port won't work or the telephone lacks a dial tone.

1. Check the telephone connections and telephone wire.
2. Make sure you have the VoIP SIP Settings screen properly configured.

I can access the Internet, but cannot make VoIP calls.

1. Make sure you have the VoIP SIP Settings screen properly configured.
2. The VoIP LED should come on. Make sure that your telephone is connected to the LINE port.
3. You can also check the VoIP status in the Status screen.
4. If the VoIP settings are correct, use speed dial to make peer-to-peer calls. If you cannot make a call using speed dial, there may be something wrong with the SIP server. Contact your VoIP service provider.

Problems With Multiple SIP Accounts

You can set up two SIP accounts on your ZyXEL Device. By default your ZyXEL Device uses SIP account 1 for outgoing calls, and it uses SIP accounts 1 and 2 for incoming calls. With this setting, you always use SIP account 1 for your outgoing calls and you cannot distinguish which SIP account the calls are coming in through. If you want to control the use of different dialing plans for accounting purposes or other reasons, you need to configure your phone port in order to control which SIP account you are using when placing or receiving calls.

24.5  Reset the ZyXEL Device to Its Factory Defaults

If you reset the ZyXEL Device, you lose all of the changes you have made. The ZyXEL Device re-loads its default settings, and the password resets to 1234. You have to make all of your changes again.
You will lose all of your changes when you push the RESET button.

To reset the ZyXEL Device,

1. Make sure the PWR LED is on and not blinking.
2. Press and hold the RESET button for five to ten seconds. Release the RESET button when the PWR LED begins to blink. The default settings have been restored.

If the ZyXEL Device restarts automatically, wait for the ZyXEL Device to finish restarting, and log in to the web configurator. The password is "1234".

If the ZyXEL Device does not restart automatically, disconnect and reconnect the ZyXEL Device's power. Then, follow the directions above again.

24.5.1  Pop-up Windows, JavaScripts and Java Permissions

Please see Appendix C on page 301.

24.6  Wireless LAN Troubleshooting

I cannot access the ZyXEL Device or ping any computer from the WLAN.

1. Make sure the wireless LAN is enabled on the ZyXEL Device.
2. Make sure the wireless adapter on the wireless station is working properly.
3. Make sure the wireless adapter (installed on your computer) is IEEE 802.11 compatible and supports the same wireless standard as the ZyXEL Device.
4. Make sure your computer (with a wireless adapter installed) is within the transmission range of the ZyXEL Device.
5. Check that both the ZyXEL Device and your wireless station are using the same wireless and wireless security settings.
6. Make sure traffic between the WLAN and the LAN is not blocked by the firewall on the ZyXEL Device.
7. Make sure you allow the ZyXEL Device to be remotely accessed through the WLAN interface. Check your remote management settings.
CHAPTER 25
Product Specifications

This chapter gives details about your ZyXEL Device's hardware and firmware features.

Table 120   Product Specifications
PHYSICAL AND ENVIRONMENTAL
Product Name | WIMAX-200HW2/WIMAX-210HW2/WIMAX-230HW2
Ethernet Interface | Four auto-negotiating, auto-MDI/MDI-X 10/100 Mbps RJ-45 Ethernet ports
WLAN Interface | WiFi (54 Mbps) interface (801.11g, 802.16b backward compatible)
Telephony Interface | Two analog interfaces for standard telephones through RJ-11 connectors
Standards | IEEE 802.16e-2005
Antenna | MAX-210HW2: Built-in patch antenna (WiMAX): 6dBi, 70° azimuth, 30° elevation; WiMAX SMA antenna connector, equipped by default with 2dBi omni antenna, 60; WiFi SMA antenna connector, equipped by default with 2dBi omni antenna, 60. MAX-200HW2/MAX-230HW2: WiFi SMA antenna connector, equipped by default with 2dBi omni antenna, 60; Panel Directional Antenna
Operating Temperature | 0°C to 45°C
Storage Temperature | -25°C to 55°C
Operating Humidity | 10% ~ 90% (non-condensing)
Storage Humidity | 10% to 95%
Power Supply | 18 V DC 1A
Power consumption | Worst-case-scenario 10W, peak 15W
Weight | 600g
Dimensions | 216 x 164 x 52mm
RADIO SPECIFICATIONS
Media Access Protocol | IEEE 802.16e
WiMAX Bandwidth | MAX-200HW2: 2.5 - 2.7 GHz; MAX-210HW2: 3.4 ~ 3.6 GHz; MAX-230HW2: 2.3 ~ 2.4 GHz
Data Rate | Downlink: Maximum 5 Mbps; Uplink: Maximum 2 Mbps
Table 120   Product Specifications (continued)
Modulation | QPSK (uplink and downlink); 16-QAM (uplink and downlink); 64-QAM (downlink only)
Output Power | 27dBm (+/- 1dB)
Duplex mode | Time Division Duplex (TDD)
SOFTWARE SPECIFICATIONS
Security | PKMv2; EAP; CCMP, 128-bit AES

Table 121   Physical Features
FEATURE | DESCRIPTION
Auto-crossover 10/100 Mbps Ethernet Interface | This interface automatically adjusts to either a crossover or straight-through Ethernet cable.
External Antenna | The MAX-210HW2 is equipped with WiFi and WiMAX omnidirectional antennas. The MAX-200HW2 and MAX-230HW2 are equipped with a WiFi omnidirectional antenna and a WiMAX panel directional antenna.
Telephone Port | Connect analog telephones to the ZyXEL Device's 2 LINE ports (RJ-11 connector) to take advantage of its Voice over IP (VoIP) features.
Reset Button | The reset button is built into the rear panel. Use this button to restore the factory default password to 1234; IP address to 192.168.1.1, subnet mask to 255.255.255.0 and DHCP server enabled with a pool of 32 IP addresses starting at 192.168.1.33.

Table 122   Non-Physical Features
FEATURE | DESCRIPTION
High Speed Wireless Internet Access | The ZyXEL Device is ideal for high-speed wireless Internet browsing. WiMAX (Worldwide Interoperability for Microwave Access) is a wireless networking standard providing high-bandwidth, wide-range secured wireless service. The ZyXEL Device is a WiMAX mobile station (MS) compatible with the IEEE 802.16e standard.
WiFi Functionality | Allow the IEEE 802.11b and/or IEEE 802.11g wireless clients to connect to the ZyXEL Device wirelessly. Enable wireless security (WEP, WPA(2), WPA(2)-PSK) and/or MAC filtering to protect your wireless network.
Firewall | The ZyXEL Device is a stateful inspection firewall with DoS (Denial of Service) protection. By default, when the firewall is activated, all incoming traffic from the WAN to the LAN is blocked unless it is initiated from the LAN. The ZyXEL Device's firewall supports TCP/UDP inspection, DoS detection and prevention, real time alerts, reports and logs.
Content Filtering | The ZyXEL Device can block access to web sites containing specified keywords. You can define time periods and days during which content filtering is enabled and include or exclude a range of users on the LAN from content filtering.
Auto Provisioning | Your Internet service provider can automatically update your device's configuration via an auto-provisioning server.
Auto Firmware Upgrade | Your device gives you the option to upgrade to a newer firmware version if it finds one during auto-provisioning. Your VoIP service provider must have an auto-provisioning server and a server set up with firmware in order for this feature to work.
Network Address Translation (NAT) | Network Address Translation (NAT) allows the translation of an Internet protocol address used within one network (for example a private IP address used in a local network) to a different IP address known within another network (for example a public IP address used on the Internet).
Universal Plug and Play (UPnP) | Your device and other UPnP enabled devices can use the standard TCP/IP protocol to dynamically join a network, obtain an IP address and convey their capabilities to each other.
Dynamic DNS Support | With Dynamic DNS support, you can have a static hostname alias for a dynamic IP address, allowing the host to be more easily accessible from various locations on the Internet. You must register for this service with a Dynamic DNS service provider.
DHCP | DHCP (Dynamic Host Configuration Protocol) allows the individual clients (computers) to obtain the TCP/IP configuration at start-up from a centralized DHCP server. Your device has built-in DHCP server capability enabled by default. It can assign IP addresses, an IP default gateway and DNS servers to DHCP clients. Your device can also act as a surrogate DHCP server (DHCP Relay) where it relays IP address assignment from the actual real DHCP server to the clients.
Multiple PVC (Permanent Virtual Circuits) Support | Your device supports up to 8 Permanent Virtual Circuits (PVCs).
IP Alias | IP alias allows you to partition a physical network into logical networks over the same Ethernet interface. Your device supports three logical LAN interfaces via its single physical Ethernet interface with your device itself as the gateway for each LAN network.
IP Policy Routing (IPPR) | Traditionally, routing is based on the destination address only and the router takes the shortest path to forward a packet. IP Policy Routing (IPPR) provides a mechanism to override the default routing behavior and alter the packet forwarding based on the policy defined by the network administrator.
REN | A Ringer Equivalence Number (REN) is used to determine the number of devices (like telephones or fax machines) that may be connected to the telephone line. Your device has a REN of three, so it can support three devices per telephone port.
Multiple SIP Accounts | You can configure multiple voice (SIP) accounts.
SIP ALG | Your device is a SIP Application Layer Gateway (ALG). It allows VoIP calls to pass through NAT for devices behind it (such as a SIP-based VoIP software application on a computer).
Dynamic Jitter Buffer | The built-in adaptive buffer helps to smooth out the variations in delay (jitter) for voice traffic. This helps ensure good voice quality for your conversations.
Voice Activity Detection/Silence Suppression | Voice Activity Detection (VAD) reduces the bandwidth that a call uses by not transmitting when you are not speaking.
Comfort Noise Generation | Your device generates background noise to fill moments of silence when the other device in a call stops transmitting because the other party is not speaking (as total silence could easily be mistaken for a lost connection).
Echo Cancellation | Your device supports G.168, an ITU-T standard for eliminating the echo caused by the sound of your voice reverberating in the telephone receiver while you talk.
QoS (Quality of Service) | Quality of Service (QoS) mechanisms help to provide better service on a per-flow basis. Your device supports Type of Service (ToS) tagging. This allows the device to tag voice frames so they can be prioritized over the network.
Packet Filters | Your device's packet filtering function allows added network security and management.
PART V
Appendices and Index

- WiMAX Security
- Setting up Your Computer's IP Address
- Pop-up Windows, JavaScripts and Java Permissions
- IP Addresses and Subnetting
- Wireless LANs
- Common Services
- Legal Information
- Customer Support
- Index
APPENDIX A
WiMAX Security

Wireless security is vital to protect your wireless communications. Without it, information transmitted over the wireless network would be accessible to any networking device within range.

User Authentication and Data Encryption

The WiMAX (IEEE 802.16) standard employs user authentication and encryption to ensure secured communication at all times.

User authentication is the process of confirming a user's identity and level of authorization. Data encryption is the process of encoding information so that it cannot be read by anyone who does not know the code.

WiMAX uses PKMv2 (Privacy Key Management version 2) for authentication, and CCMP (Counter Mode with Cipher Block Chaining Message Authentication Protocol) for data encryption.

WiMAX supports EAP (Extensible Authentication Protocol, RFC 2486) which allows additional authentication methods to be deployed with no changes to the base station or the mobile or subscriber stations.

PKMv2

PKMv2 is a procedure that allows authentication of a mobile or subscriber station and negotiation of a public key to encrypt traffic between the MS/SS and the base station. PKMv2 uses standard EAP methods such as Transport Layer Security (EAP-TLS) or Tunneled TLS (EAP-TTLS) for secure communication.

In cryptography, a 'key' is a piece of information, typically a string of random numbers and letters, that can be used to 'lock' (encrypt) or 'unlock' (decrypt) a message. Public key encryption uses key pairs, which consist of a public (freely available) key and a private (secret) key. The public key is used for encryption and the private key is used for decryption. You can decrypt a message only if you have the private key. Public key certificates (or 'digital IDs') allow users to verify each other's identity.

RADIUS

RADIUS is based on a client-server model that supports authentication, authorization and accounting. The base station is the client and the server is the RADIUS server. The RADIUS server handles the following tasks:

- Authentication: Determines the identity of the users.
- Authorization: Determines the network services available to authenticated users once they are connected to the network.
- Accounting: Keeps track of the client's network activity.

RADIUS is a simple package exchange in which your base station acts as a message relay between the MS/SS and the network RADIUS server.

Types of RADIUS Messages

The following types of RADIUS messages are exchanged between the base station and the RADIUS server for user authentication:

- Access-Request: Sent by a base station requesting authentication.
- Access-Reject: Sent by a RADIUS server rejecting access.
- Access-Accept: Sent by a RADIUS server allowing access.
- Access-Challenge: Sent by a RADIUS server requesting more information in order to allow access. The base station sends a proper response from the user and then sends another Access-Request message.

The following types of RADIUS messages are exchanged between the base station and the RADIUS server for user accounting:

- Accounting-Request: Sent by the base station requesting accounting.
- Accounting-Response: Sent by the RADIUS server to indicate that it has started or stopped accounting.

In order to ensure network security, the access point and the RADIUS server use a shared secret key, which is a password they both know. The key is not sent over the network. In addition to the shared key, password information exchanged is also encrypted to protect the network from unauthorized access.

Diameter

Diameter (RFC 3588) is a type of AAA server that provides several improvements over RADIUS in efficiency, security, and support for roaming.

Security Association

The set of information about user authentication and data encryption between two computers is known as a security association (SA). In a WiMAX network, the process of security association has three stages.

- Authorization request and reply: The MS/SS presents its public certificate to the base station. The base station verifies the certificate and sends an authentication key (AK) to the MS/SS.
- Key request and reply: The MS/SS requests a transport encryption key (TEK) which the base station generates and encrypts using the authentication key.
- Encrypted traffic: The MS/SS decrypts the TEK (using the authentication key). Both stations can now securely encrypt and decrypt the data flow.

CCMP

All traffic in a WiMAX network is encrypted using CCMP (Counter Mode with Cipher Block Chaining Message Authentication Protocol). CCMP is based on the 128-bit Advanced Encryption Standard (AES) algorithm.

'Counter mode' refers to the encryption of each block of plain text with an arbitrary number, known as the counter. This number changes each time a block of plain text is encrypted. Counter mode avoids the security weakness of repeated identical blocks of encrypted text that makes encrypted data vulnerable to pattern-spotting.

'Cipher Block Chaining Message Authentication' (also known as CBC-MAC) ensures message integrity by encrypting each block of plain text in such a way that its encryption is dependent on the block before it. This series of 'chained' blocks creates a message authentication code (MAC or CMAC) that ensures the encrypted data has not been tampered with.

Authentication

The ZyXEL Device supports EAP-TTLS authentication.

EAP-TTLS (Tunneled Transport Layer Service)

EAP-TTLS is an extension of the EAP-TLS authentication that uses certificates for only the server-side authentications to establish a secure connection (with EAP-TLS, digital certifications are needed by both the server and the wireless clients for mutual authentication). Client authentication is then done by sending username and password through the secure connection, thus client identity is protected. For client authentication, EAP-TTLS supports EAP methods and legacy authentication methods such as PAP, CHAP, MS-CHAP and MS-CHAP v2.
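
The shared-secret protection described in the RADIUS section of this appendix, as an added example (not taken from the manual or from ZyXEL firmware): it follows RFC 2865 to hide a password inside an Access-Request and to check the Response Authenticator on a server reply. The secret, user name, password and helper function names are constructed for illustration.

```python
"""RADIUS shared-secret mechanics per RFC 2865 (added example, constructed values)."""
import hashlib
import hmac
import os
import struct

# Packet codes for the RADIUS message types listed in this appendix.
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge"}
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, request_auth):
    """Client side: XOR each 16-byte block with MD5(secret + previous block)."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += prev
    return hidden


def reveal_password(hidden, secret, request_auth):
    """Server side: undo hide_password() with the same shared secret."""
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return clear.rstrip(b"\x00")


def encode_attrs(attrs):
    """Encode (type, value) pairs as type, length, value triples."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_access_request(ident, username, password, secret, request_auth):
    """What the RADIUS client (the base station in this manual) sends."""
    hidden = hide_password(password, secret, request_auth)
    attrs = encode_attrs([(ATTR_USER_NAME, username), (ATTR_USER_PASSWORD, hidden)])
    return struct.pack("!BBH", 1, ident, HEADER_LEN + len(attrs)) + request_auth + attrs


def build_response(code, ident, attrs, request_auth, secret):
    """Server reply; its authenticator binds the reply to the request and the secret."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs


def parse_packet(packet):
    """Return (code, identifier, authenticator, attributes); reject malformed input."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code not in CODES or not HEADER_LEN <= length <= len(packet):
        raise ValueError("bad code or length field")
    attrs, pos = [], HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, ident, packet[4:HEADER_LEN], attrs


def verify_response(response, request_auth, secret):
    """Client side: accept a reply only if its authenticator matches the shared secret."""
    try:
        _, _, auth, _ = parse_packet(response)
    except ValueError:
        return False
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + request_auth
                           + response[HEADER_LEN:length] + secret).digest()
    return hmac.compare_digest(auth, expected)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"   # constructed sample value
    request_auth = os.urandom(16)            # fresh random value per request
    request = build_access_request(1, b"user@example.net", b"sample-password",
                                   secret, request_auth)
    reply = build_response(2, 1, b"", request_auth, secret)
    print(CODES[parse_packet(request)[0]], "->", CODES[parse_packet(reply)[0]])
    print("reply authentic:", verify_response(reply, request_auth, secret))
```

Neither the secret nor the clear-text password appears in the packet bytes, and a reply whose code is altered in transit no longer verifies.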
APPENDIX B
Setting up Your Computer's IP Address

The purpose of this appendix is to show you how to configure an IP address on your computer depending on what operating system you have. It does NOT mean that your ZyXEL Device supports all these operating systems.

All computers must have a 10M or 100M Ethernet adapter card and TCP/IP installed.

Windows 95/98/Me/NT/2000/XP/Vista, Macintosh OS 7 and later operating systems and all versions of UNIX/LINUX include the software components you need to install and use TCP/IP on your computer. Windows 3.1 requires the purchase of a third-party TCP/IP application package.

TCP/IP should already be installed on computers using Windows NT/2000/XP, Macintosh OS 7 and later operating systems.

After the appropriate TCP/IP components are installed, configure the TCP/IP settings in order to "communicate" with your network.

If you manually assign IP information instead of using dynamic assignment, make sure that your computers have IP addresses that place them in the same subnet as the ZyXEL Device's LAN port.

Windows 95/98/Me

Click Start, Settings, Control Panel and double-click the Network icon to open the Network window.
Figure 170 Windows 95/98/Me: Network: Configuration

Installing Components

The Network window Configuration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks.

If you need the adapter:
1. In the Network window, click Add.
2. Select Adapter and then click Add.
3. Select the manufacturer and model of your network adapter and then click OK.

If you need TCP/IP:
1. In the Network window, click Add.
2. Select Protocol and then click Add.
3. Select Microsoft from the list of manufacturers.
4. Select TCP/IP from the list of network protocols and then click OK.

If you need Client for Microsoft Networks:
1. Click Add.
2. Select Client and then click Add.
3. Select Microsoft from the list of manufacturers.
4. Select Client for Microsoft Networks from the list of network clients and then click OK.
5. Restart your computer so the changes you made take effect.
Configuring

1. In the Network window Configuration tab, select your network adapter's TCP/IP entry and click Properties.
2. Click the IP Address tab.
   - If your IP address is dynamic, select Obtain an IP address automatically.
   - If you have a static IP address, select Specify an IP address and type your information into the IP Address and Subnet Mask fields.

Figure 171 Windows 95/98/Me: TCP/IP Properties: IP Address

3. Click the DNS Configuration tab.
   - If you do not know your DNS information, select Disable DNS.
   - If you know your DNS information, select Enable DNS and type the information in the fields below (you may not need to fill them all in).
Figure 172 Windows 95/98/Me: TCP/IP Properties: DNS Configuration

4. Click the Gateway tab.
   - If you do not know your gateway's IP address, remove previously installed gateways.
   - If you have a gateway IP address, type it in the New gateway field and click Add.
5. Click OK to save and close the TCP/IP Properties window.
6. Click OK to close the Network window. Insert the Windows CD if prompted.
7. Turn on your ZyXEL Device and restart your computer when prompted.

Verifying Settings

1. Click Start and then Run.
2. In the Run window, type "winipcfg" and then click OK to open the IP Configuration window.
3. Select your network adapter. You should see your computer's IP address, subnet mask and default gateway.

Windows 2000/NT/XP

The following example figures use the default Windows XP GUI theme.

1. Click start (Start in Windows 2000/NT), Settings, Control Panel.
Figure 173 Windows XP: Start Menu

2. In the Control Panel, double-click Network Connections (Network and Dial-up Connections in Windows 2000/NT).

Figure 174 Windows XP: Control Panel

3. Right-click Local Area Connection and then click Properties.
Figure 175 Windows XP: Control Panel: Network Connections: Properties

4. Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and then click Properties.

Figure 176 Windows XP: Local Area Connection Properties

5. The Internet Protocol TCP/IP Properties window opens (the General tab in Windows XP).
   - If you have a dynamic IP address click Obtain an IP address automatically.
   - If you have a static IP address click Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields.
   - Click Advanced.
Figure 177 Windows XP: Internet Protocol (TCP/IP) Properties

6. If you do not know your gateway's IP address, remove any previously installed gateways in the IP Settings tab and click OK.

Do one or more of the following if you want to configure additional IP addresses:
- In the IP Settings tab, in IP addresses, click Add.
- In TCP/IP Address, type an IP address in IP address and a subnet mask in Subnet mask, and then click Add.
- Repeat the above two steps for each IP address you want to add.
- Configure additional default gateways in the IP Settings tab by clicking Add in Default gateways.
- In TCP/IP Gateway Address, type the IP address of the default gateway in Gateway. To manually configure a default metric (the number of transmission hops), clear the Automatic metric check box and type a metric in Metric.
- Click Add.
- Repeat the previous three steps for each default gateway you want to add.
- Click OK when finished.
Figure 178 Windows XP: Advanced TCP/IP Properties

7. In the Internet Protocol TCP/IP Properties window (the General tab in Windows XP):
   - Click Obtain DNS server address automatically if you do not know your DNS server IP address(es).
   - If you know your DNS server IP address(es), click Use the following DNS server addresses, and type them in the Preferred DNS server and Alternate DNS server fields.

If you have previously configured DNS servers, click Advanced and then the DNS tab to order them.
Figure 179 Windows XP: Internet Protocol (TCP/IP) Properties

8. Click OK to close the Internet Protocol (TCP/IP) Properties window.
9. Click Close (OK in Windows 2000/NT) to close the Local Area Connection Properties window.
10. Close the Network Connections window (Network and Dial-up Connections in Windows 2000/NT).
11. Turn on your ZyXEL Device and restart your computer (if prompted).

Verifying Settings

1. Click Start, All Programs, Accessories and then Command Prompt.
2. In the Command Prompt window, type "ipconfig" and then press [ENTER]. You can also open Network Connections, right-click a network connection, click Status and then click the Support tab.

Windows Vista

This section shows screens from Windows Vista Enterprise Version 6.0.

1. Click the Start icon, Control Panel.
Figure 180 Windows Vista: Start Menu

2. In the Control Panel, double-click Network and Internet.

Figure 181 Windows Vista: Control Panel

3. Click Network and Sharing Center.

Figure 182 Windows Vista: Network And Internet

4. Click Manage network connections.

Figure 183 Windows Vista: Network and Sharing Center
5. Right-click Local Area Connection and then click Properties.

During this procedure, click Continue whenever Windows displays a screen saying that it needs your permission to continue.

Figure 184 Windows Vista: Network and Sharing Center

6. Select Internet Protocol Version 4 (TCP/IPv4) and click Properties.

Figure 185 Windows Vista: Local Area Connection Properties
7. The Internet Protocol Version 4 (TCP/IPv4) Properties window opens (the General tab).
   - If you have a dynamic IP address click Obtain an IP address automatically.
   - If you have a static IP address click Use the following IP address and fill in the IP address, Subnet mask, and Default gateway fields.
   - Click Advanced.

Figure 186 Windows Vista: Internet Protocol Version 4 (TCP/IPv4) Properties

8. If you do not know your gateway's IP address, remove any previously installed gateways in the IP Settings tab and click OK.

Do one or more of the following if you want to configure additional IP addresses:
- In the IP Settings tab, in IP addresses, click Add.
- In TCP/IP Address, type an IP address in IP address and a subnet mask in Subnet mask, and then click Add.
- Repeat the above two steps for each IP address you want to add.
- Configure additional default gateways in the IP Settings tab by clicking Add in Default gateways.
- In TCP/IP Gateway Address, type the IP address of the default gateway in Gateway. To manually configure a default metric (the number of transmission hops), clear the Automatic metric check box and type a metric in Metric.
- Click Add.
- Repeat the previous three steps for each default gateway you want to add.
- Click OK when finished.
Figure 187 Windows Vista: Advanced TCP/IP Properties

9. In the Internet Protocol Version 4 (TCP/IPv4) Properties window (the General tab):
   - Click Obtain DNS server address automatically if you do not know your DNS server IP address(es).
   - If you know your DNS server IP address(es), click Use the following DNS server addresses, and type them in the Preferred DNS server and Alternate DNS server fields.

If you have previously configured DNS servers, click Advanced and then the DNS tab to order them.
Figure 188 Windows Vista: Internet Protocol Version 4 (TCP/IPv4) Properties

10. Click OK to close the Internet Protocol Version 4 (TCP/IPv4) Properties window.
11. Click Close to close the Local Area Connection Properties window.
12. Close the Network Connections window.
13. Turn on your ZyXEL Device and restart your computer (if prompted).

Verifying Settings

1. Click Start, All Programs, Accessories and then Command Prompt.
2. In the Command Prompt window, type "ipconfig" and then press [ENTER]. You can also open Network Connections, right-click a network connection, click Status and then click the Support tab.

Macintosh OS 8/9

1. Click the Apple menu, Control Panel and double-click TCP/IP to open the TCP/IP Control Panel.
Figure 189 Macintosh OS 8/9: Apple Menu

2. Select Ethernet built-in from the Connect via list.

Figure 190 Macintosh OS 8/9: TCP/IP

3. For dynamically assigned settings, select Using DHCP Server from the Configure: list.
4. For statically assigned settings, do the following:
   - From the Configure box, select Manually.
   - Type your IP address in the IP Address box.
   - Type your subnet mask in the Subnet mask box.
   - Type the IP address of your ZyXEL Device in the Router address box.
5. Close the TCP/IP Control Panel.
6. Click Save if prompted, to save changes to your configuration.
7. Turn on your ZyXEL Device and restart your computer (if prompted).

Verifying Settings

Check your TCP/IP properties in the TCP/IP Control Panel window.

Macintosh OS X

1. Click the Apple menu, and click System Preferences to open the System Preferences window.

Figure 191 Macintosh OS X: Apple Menu

2. Click Network in the icon bar.
   - Select Automatic from the Location list.
   - Select Built-in Ethernet from the Show list.
   - Click the TCP/IP tab.
3. For dynamically assigned settings, select Using DHCP from the Configure list.
Figure 192 Macintosh OS X: Network

4. For statically assigned settings, do the following:
   - From the Configure box, select Manually.
   - Type your IP address in the IP Address box.
   - Type your subnet mask in the Subnet mask box.
   - Type the IP address of your ZyXEL Device in the Router address box.
5. Click Apply Now and close the window.
6. Turn on your ZyXEL Device and restart your computer (if prompted).

Verifying Settings

Check your TCP/IP properties in the Network window.

Linux

This section shows you how to configure your computer's TCP/IP settings in Red Hat Linux 9.0. Procedure, screens and file location may vary depending on your Linux distribution and release version.
Make sure you are logged in as the root administrator.

Using the K Desktop Environment (KDE)

Follow the steps below to configure your computer IP address using the KDE.

1. Click the Red Hat button (located on the bottom left corner), select System Setting and click Network.

Figure 193 Red Hat 9.0: KDE: Network Configuration: Devices

2. Double-click on the profile of the network card you wish to configure. The Ethernet Device General screen displays as shown.

Figure 194 Red Hat 9.0: KDE: Ethernet Device: General
   - If you have a dynamic IP address, click Automatically obtain IP address settings with and select dhcp from the drop down list.
   - If you have a static IP address, click Statically set IP Addresses and fill in the Address, Subnet mask, and Default Gateway Address fields.
3. Click OK to save the changes and close the Ethernet Device General screen.
4. If you know your DNS server IP address(es), click the DNS tab in the Network Configuration screen. Enter the DNS server information in the fields provided.

Figure 195 Red Hat 9.0: KDE: Network Configuration: DNS

5. Click the Devices tab.
6. Click the Activate button to apply the changes. The following screen displays. Click Yes to save the changes in all screens.

Figure 196 Red Hat 9.0: KDE: Network Configuration: Activate

7. After the network card restart process is complete, make sure the Status is Active in the Network Configuration screen.

Using Configuration Files

Follow the steps below to edit the network configuration files and set your computer IP address.

1. Assuming that you have only one network card on the computer, locate the ifconfig-eth0 configuration file (where eth0 is the name of the Ethernet card). Open the configuration file with any plain text editor.
   - If you have a dynamic IP address, enter dhcp in the BOOTPROTO= field. The following figure shows an example.
Figure 197 Red Hat 9.0: Dynamic IP Address Setting in ifconfig-eth0

    DEVICE=eth0
    ONBOOT=yes
    BOOTPROTO=dhcp
    USERCTL=no
    PEERDNS=yes
    TYPE=Ethernet

   - If you have a static IP address, enter static in the BOOTPROTO= field. Type IPADDR= followed by the IP address (in dotted decimal notation) and type NETMASK= followed by the subnet mask. The following example shows an example where the static IP address is 192.168.1.10 and the subnet mask is 255.255.255.0.

Figure 198 Red Hat 9.0: Static IP Address Setting in ifconfig-eth0

    DEVICE=eth0
    ONBOOT=yes
    BOOTPROTO=static
    IPADDR=192.168.1.10
    NETMASK=255.255.255.0
    USERCTL=no
    PEERDNS=yes
    TYPE=Ethernet

2. If you know your DNS server IP address(es), enter the DNS server information in the resolv.conf file in the /etc directory. The following figure shows an example where two DNS server IP addresses are specified.

Figure 199 Red Hat 9.0: DNS Settings in resolv.conf

    nameserver 172.23.5.1
    nameserver 172.23.5.2

3. After you edit and save the configuration files, you must restart the network card. Enter ./network restart in the /etc/rc.d/init.d directory. The following figure shows an example.

Figure 200 Red Hat 9.0: Restart Ethernet Card

    [root@localhost init.d]# network restart
    Shutting down interface eth0:                 [OK]
    Shutting down loopback interface:             [OK]
    Setting network parameters:                   [OK]
    Bringing up loopback interface:               [OK]
    Bringing up interface eth0:                   [OK]
Verifying Settings

Enter ifconfig in a terminal screen to check your TCP/IP properties.

Figure 201 Red Hat 9.0: Checking TCP/IP Properties

    [root@localhost]# ifconfig
    eth0      Link encap:Ethernet  HWaddr 00:50:BA:72:5B:44
              inet addr:172.23.19.129  Bcast:172.23.19.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:717 errors:0 dropped:0 overruns:0 frame:0
              TX packets:13 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:730412 (713.2 Kb)  TX bytes:1570 (1.5 Kb)
              Interrupt:10 Base address:0x1000
    [root@localhost]#
APPENDIX C
Pop-up Windows, JavaScripts and Java Permissions

In order to use the web configurator you need to allow:
- Web browser pop-up windows from your device.
- JavaScripts (enabled by default).
- Java permissions (enabled by default).

Internet Explorer 6 screens are used here. Screens for other Internet Explorer versions may vary.

Internet Explorer Pop-up Blockers

You may have to disable pop-up blocking to log into your device.

Either disable pop-up blocking (enabled by default in Windows XP SP (Service Pack) 2) or allow pop-up blocking and create an exception for your device's IP address.

Disable Pop-up Blockers

1. In Internet Explorer, select Tools, Pop-up Blocker and then select Turn Off Pop-up Blocker.

Figure 202 Pop-up Blocker

You can also check if pop-up blocking is disabled in the Pop-up Blocker section in the Privacy tab.

1. In Internet Explorer, select Tools, Internet Options, Privacy.
2. Clear the Block pop-ups check box in the Pop-up Blocker section of the screen. This disables any web pop-up blockers you may have enabled.

Figure 203 Internet Options: Privacy

3. Click Apply to save this setting.

Enable Pop-up Blockers with Exceptions

Alternatively, if you only want to allow pop-up windows from your device, see the following steps.

1. In Internet Explorer, select Tools, Internet Options and then the Privacy tab.
2. Select Settings to open the Pop-up Blocker Settings screen.
Figure 204 Internet Options: Privacy

3. Type the IP address of your device (the web page that you do not want to have blocked) with the prefix "http://". For example, http://192.168.167.1.
4. Click Add to move the IP address to the list of Allowed sites.

Figure 205 Pop-up Blocker Settings
5. Click Close to return to the Privacy screen.
6. Click Apply to save this setting.

JavaScripts

If pages of the web configurator do not display properly in Internet Explorer, check that JavaScripts are allowed.

1. In Internet Explorer, click Tools, Internet Options and then the Security tab.

Figure 206 Internet Options: Security

2. Click the Custom Level... button.
3. Scroll down to Scripting.
4. Under Active scripting make sure that Enable is selected (the default).
5. Under Scripting of Java applets make sure that Enable is selected (the default).
6. Click OK to close the window.
Figure 207 Security Settings - Java Scripting

Java Permissions

1. From Internet Explorer, click Tools, Internet Options and then the Security tab.
2. Click the Custom Level... button.
3. Scroll down to Microsoft VM.
4. Under Java permissions make sure that a safety level is selected.
5. Click OK to close the window.

Figure 208 Security Settings - Java
JAVA (Sun)

1. From Internet Explorer, click Tools, Internet Options and then the Advanced tab.
2. Make sure that Use Java 2 for <applet> under Java (Sun) is selected.
3. Click OK to close the window.

Figure 209 Java (Sun)

Mozilla Firefox

Mozilla Firefox 2.0 screens are used here. Screens for other versions may vary.

You can enable Java, Javascripts and pop-ups in one screen. Click Tools, then click Options in the screen that appears.
Figure 210 Mozilla Firefox: Tools > Options

Click Content to show the screen below. Select the check boxes as shown in the following screen.

Figure 211 Mozilla Firefox Content Security
APPENDIX D
IP Addresses and Subnetting

This appendix introduces IP addresses and subnet masks.

IP addresses identify individual devices on a network. Every networking device (including computers, servers, routers, printers, etc.) needs an IP address to communicate across the network. These networking devices are also known as hosts.

Subnet masks determine the maximum number of possible hosts on a network. You can also use subnet masks to divide one network into multiple sub-networks.

Introduction to IP Addresses

One part of the IP address is the network number, and the other part is the host ID. In the same way that houses on a street share a common street name, the hosts on a network share a common network number. Similarly, as each house has its own house number, each host on the network has its own unique identifying number - the host ID. Routers use the network number to send packets to the correct network, while the host ID determines to which host on the network the packets are delivered.

Structure

An IP address is made up of four parts, written in dotted decimal notation (for example, 192.168.1.1). Each of these four parts is known as an octet. An octet is an eight-digit binary number (for example 11000000, which is 192 in decimal notation).

Therefore, each octet has a possible range of 00000000 to 11111111 in binary, or 0 to 255 in decimal.

The following figure shows an example IP address in which the first three octets (192.168.1) are the network number, and the fourth octet (16) is the host ID.
Figure 212 Network Number and Host ID

How much of the IP address is the network number and how much is the host ID varies according to the subnet mask.

Subnet Masks

A subnet mask is used to determine which bits are part of the network number, and which bits are part of the host ID (using a logical AND operation). The term "subnet" is short for "sub-network".

A subnet mask has 32 bits. If a bit in the subnet mask is a "1" then the corresponding bit in the IP address is part of the network number. If a bit in the subnet mask is "0" then the corresponding bit in the IP address is part of the host ID.

The following example shows a subnet mask identifying the network number (in bold text) and host ID of an IP address (192.168.1.2 in decimal).

Table 123 IP Address Network Number and Host ID Example

| | 1ST OCTET: (192) | 2ND OCTET: (168) | 3RD OCTET: (1) | 4TH OCTET (2) |
|---|---|---|---|---|
| IP Address (Binary) | 11000000 | 10101000 | 00000001 | 00000010 |
| Subnet Mask (Binary) | 11111111 | 11111111 | 11111111 | 00000000 |
| Network Number | 11000000 | 10101000 | 00000001 | |
| Host ID | | | | 00000010 |

By convention, subnet masks always consist of a continuous sequence of ones beginning from the leftmost bit of the mask, followed by a continuous sequence of zeros, for a total number of 32 bits.

Subnet masks can be referred to by the size of the network number part (the bits with a "1" value). For example, an "8-bit mask" means that the first 8 bits of the mask are ones and the remaining 24 bits are zeroes.
Subnet masks are expressed in dotted decimal notation just like IP addresses. The following examples show the binary and decimal notation for 8-bit, 16-bit, 24-bit and 29-bit subnet masks.

Table 124 Subnet Masks

| | BINARY 1ST OCTET | BINARY 2ND OCTET | BINARY 3RD OCTET | BINARY 4TH OCTET | DECIMAL |
|---|---|---|---|---|---|
| 8-bit mask | 11111111 | 00000000 | 00000000 | 00000000 | 255.0.0.0 |
| 16-bit mask | 11111111 | 11111111 | 00000000 | 00000000 | 255.255.0.0 |
| 24-bit mask | 11111111 | 11111111 | 11111111 | 00000000 | 255.255.255.0 |
| 29-bit mask | 11111111 | 11111111 | 11111111 | 11111000 | 255.255.255.248 |

Network Size

The size of the network number determines the maximum number of possible hosts you can have on your network. The larger the number of network number bits, the smaller the number of remaining host ID bits.

An IP address with host IDs of all zeros is the IP address of the network (192.168.1.0 with a 24-bit subnet mask, for example). An IP address with host IDs of all ones is the broadcast address for that network (192.168.1.255 with a 24-bit subnet mask, for example).

As these two IP addresses cannot be used for individual hosts, calculate the maximum number of possible hosts in a network as follows:

Table 125 Maximum Host Numbers

| SUBNET MASK | | HOST ID SIZE | MAXIMUM NUMBER OF HOSTS |
|---|---|---|---|
| 8 bits | 255.0.0.0 | 24 bits | 2^24 - 2 = 16777214 |
| 16 bits | 255.255.0.0 | 16 bits | 2^16 - 2 = 65534 |
| 24 bits | 255.255.255.0 | 8 bits | 2^8 - 2 = 254 |
| 29 bits | 255.255.255.248 | 3 bits | 2^3 - 2 = 6 |

Notation

Since the mask is always a continuous number of ones beginning from the left, followed by a continuous number of zeros for the remainder of the 32 bit mask, you can simply specify the number of ones instead of writing the value of each octet. This is usually specified by writing a "/" followed by the number of bits in the mask after the address.

For example, 192.1.1.0 /25 is equivalent to saying 192.1.1.0 with subnet mask 255.255.255.128.

The following table shows some possible subnet masks using both notations.

Table 126 Alternative Subnet Mask Notation

| SUBNET MASK | ALTERNATIVE NOTATION | LAST OCTET (BINARY) | LAST OCTET (DECIMAL) |
|---|---|---|---|
| 255.255.255.0 | /24 | 0000 0000 | 0 |
| 255.255.255.128 | /25 | 1000 0000 | 128 |
| 255.255.255.192 | /26 | 1100 0000 | 192 |
| 255.255.255.224 | /27 | 1110 0000 | 224 |
| 255.255.255.240 | /28 | 1111 0000 | 240 |
| 255.255.255.248 | /29 | 1111 1000 | 248 |
| 255.255.255.252 | /30 | 1111 1100 | 252 |

Subnetting

You can use subnetting to divide one network into multiple sub-networks. In the following example a network administrator creates two sub-networks to isolate a group of servers from the rest of the company network for security reasons.

In this example, the company network address is 192.168.1.0. The first three octets of the address (192.168.1) are the network number, and the remaining octet is the host ID, allowing a maximum of 2^8 - 2 or 254 possible hosts.

The following figure shows the company network before subnetting.

Figure 213 Subnetting Example: Before Subnetting

You can "borrow" one of the host ID bits to divide the network 192.168.1.0 into two separate sub-networks. The subnet mask is now 25 bits (255.255.255.128 or /25).

The "borrowed" host ID bit can have a value of either 0 or 1, allowing two subnets; 192.168.1.0 /25 and 192.168.1.128 /25.

The following figure shows the company network after subnetting. There are now two sub-networks, A and B.
Figure 214 Subnetting Example: After Subnetting

In a 25-bit subnet the host ID has 7 bits, so each sub-network has a maximum of 2^7 - 2 or 126 possible hosts (a host ID of all zeroes is the subnet's address itself, all ones is the subnet's broadcast address).

192.168.1.0 with mask 255.255.255.128 is subnet A itself, and 192.168.1.127 with mask 255.255.255.128 is its broadcast address. Therefore, the lowest IP address that can be assigned to an actual host for subnet A is 192.168.1.1 and the highest is 192.168.1.126.

Similarly, the host ID range for subnet B is 192.168.1.129 to 192.168.1.254.

Example: Four Subnets

The previous example illustrated using a 25-bit subnet mask to divide a 24-bit address into two subnets. Similarly, to divide a 24-bit address into four subnets, you need to "borrow" two host ID bits to give four possible combinations (00, 01, 10 and 11). The subnet mask is 26 bits (11111111.11111111.11111111.11000000) or 255.255.255.192.

Each subnet contains 6 host ID bits, giving 2^6 - 2 or 62 hosts for each subnet (a host ID of all zeroes is the subnet itself, all ones is the subnet's broadcast address).

Table 127 Subnet 1

| IP/SUBNET MASK | NETWORK NUMBER | LAST OCTET BIT VALUE |
|---|---|---|
| IP Address (Decimal) | 192.168.1. | 0 |
| IP Address (Binary) | 11000000.10101000.00000001. | 00000000 |
| Subnet Mask (Binary) | 11111111.11111111.11111111. | 11000000 |
| Subnet Address: 192.168.1.0 | Lowest Host ID: 192.168.1.1 | |
| Broadcast Address: 192.168.1.63 | Highest Host ID: 192.168.1.62 | |
Appendix DIP Addresses and SubnettingMAX-200HW2 Series User s Guide314Example: Eight SubnetsSimilarly, use a 27-bit mask to create eight subnets (000, 001, 010, 011, 100, 101, 110 and 111). The following table shows IP address last octet values for each subnet.Table 128   Subnet 2IP/SUBNET MASK NETWORK NUMBER LAST OCTET BIT VALUEIP Address 192.168.1. 64IP Address (Binary) 11000000.10101000.00000001. 01000000Subnet Mask (Binary) 11111111.11111111.11111111. 11000000Subnet Address: 192.168.1.64Lowest Host ID: 192.168.1.65Broadcast Address: 192.168.1.127Highest Host ID: 192.168.1.126Table 129   Subnet 3IP/SUBNET MASK NETWORK NUMBER LAST OCTET BIT VALUEIP Address 192.168.1. 128IP Address (Binary) 11000000.10101000.00000001. 10000000Subnet Mask (Binary) 11111111.11111111.11111111. 11000000Subnet Address: 192.168.1.128Lowest Host ID: 192.168.1.129Broadcast Address: 192.168.1.191Highest Host ID: 192.168.1.190Table 130   Subnet 4IP/SUBNET MASK NETWORK NUMBER LAST OCTET BIT VALUEIP Address 192.168.1. 192IP Address (Binary) 11000000.10101000.00000001. 11000000Subnet Mask (Binary) 11111111.11111111.11111111. 11000000Subnet Address: 192.168.1.192Lowest Host ID: 192.168.1.193Broadcast Address: 192.168.1.255Highest Host ID: 192.168.1.254Table 131   Eight SubnetsSUBNET SUBNETADDRESS FIRST ADDRESS LAST ADDRESSBROADCAST ADDRESS1 0 1 30 312 32 33 62 633 64 65 94 954 96 97 126 127
 Appendix DIP Addresses and SubnettingMAX-200HW2 Series User s Guide 315Subnet PlanningThe following table is a summary for subnet planning on a network with a 24-bit network number.The following table is a summary for subnet planning on a network with a 16-bit network number. 5128 129 158 1596 160 161 190 1917 192 193 222 2238 224 225 254 255Table 131   Eight Subnets (continued)SUBNET SUBNETADDRESS FIRST ADDRESS LAST ADDRESSBROADCAST ADDRESSTable 132   24-bit Network Number Subnet PlanningNO. "BORROWED# HOST BITS SUBNET MASK NO. SUBNETS NO. HOSTS PER SUBNET1255.255.255.128 (/25) 2 1262 255.255.255.192 (/26) 4 623 255.255.255.224 (/27) 8 304 255.255.255.240 (/28) 16 145 255.255.255.248 (/29) 32 66 255.255.255.252 (/30) 64 27 255.255.255.254 (/31) 128 1Table 133   16-bit Network Number Subnet PlanningNO. "BORROWED# HOST BITS SUBNET MASK NO. SUBNETS NO. HOSTS PER SUBNET1255.255.128.0 (/17) 2 327662 255.255.192.0 (/18) 4 163823 255.255.224.0 (/19) 8 81904 255.255.240.0 (/20) 16 40945 255.255.248.0 (/21) 32 20466 255.255.252.0 (/22) 64 10227 255.255.254.0 (/23) 128 5108 255.255.255.0 (/24) 256 2549 255.255.255.128 (/25) 512 12610 255.255.255.192 (/26) 1024 6211 255.255.255.224 (/27) 2048 3012 255.255.255.240 (/28) 4096 1413 255.255.255.248 (/29) 8192 6
Appendix DIP Addresses and SubnettingMAX-200HW2 Series User s Guide316Configuring IP AddressesWhere you obtain your network number depends on your particular situation. If the ISP or your network administrator assigns you a block of registered IP addresses, follow their instructions in selecting the IP addresses and the subnet mask.If the ISP did not explicitly give you an IP network number, then most likely you have a single user account and the ISP will assign you a dynamic IP address when the connection is established. If this is the case, it is recommended that you select a network number from 192.168.0.0 to 192.168.255.0. The Internet Assigned Number Authority (IANA) reserved this block of addresses specifically for private use; please do not use any other number unless you are told otherwise. You must also enable Network Address Translation (NAT) on the ZyXEL Device.Once you have decided on the network number, pick an IP address for your ZyXEL Device that is easy to remember (for instance, 192.168.1.1) but make sure that no other device on your network is using that IP address.The subnet mask specifies the network number portion of an IP address. Your ZyXEL Device will compute the subnet mask automatically based on the IP address that you entered. You don't need to change the subnet mask computed by the ZyXEL Device unless you are instructed to do otherwise.Private IP AddressesEvery machine on the Internet must have a unique address. If your networks are isolated from the Internet (running only between two branch offices, for example) you can assign any IP addresses to the hosts without problems. However, the Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of IP addresses specifically for private networks: 10.0.0.0     ' 10.255.255.255 172.16.0.0   ' 172.31.255.255 192.168.0.0 ' 192.168.255.255You can obtain your IP address from the IANA, from an ISP, or it can be assigned from a private network. 
If you belong to a small organization and your Internet access is through an ISP, the ISP can provide you with the Internet addresses for your local networks. On the other hand, if you are part of a much larger organization, you should consult your network administrator for the appropriate IP addresses.

Regardless of your particular situation, do not create an arbitrary IP address; always follow the guidelines above. For more information on address assignment, please refer to RFC 1597, Address Allocation for Private Internets and RFC 1466, Guidelines for Management of IP Address Space.

Table 133   16-bit Network Number Subnet Planning (continued)

NO. "BORROWED" HOST BITS  SUBNET MASK            NO. SUBNETS  NO. HOSTS PER SUBNET
14                        255.255.255.252 (/30)  16384        2
15                        255.255.255.254 (/31)  32768        1
IP Address Conflicts

Each device on a network must have a unique IP address. Devices with duplicate IP addresses on the same network will not be able to access the Internet or other resources. The devices may also be unreachable through the network.

Conflicting Computer IP Addresses Example

More than one device cannot use the same IP address. In the following example, computer A has a static (or fixed) IP address that is the same as the IP address that a DHCP server assigns to computer B, which is a DHCP client. Neither can access the Internet. This problem can be solved by assigning a different static IP address to computer A or setting computer A to obtain an IP address automatically.

Figure 215   Conflicting Computer IP Addresses Example

Conflicting Router IP Addresses Example

Since a router connects different networks, it must have interfaces using different network numbers. For example, if a router is set between a LAN and the Internet (WAN), the router's LAN and WAN addresses must be on different subnets. In the following example, the LAN and WAN are on the same subnet. The LAN computers cannot access the Internet because the router cannot route between networks.

Figure 216   Conflicting Computer IP Addresses Example
Conflicting Computer and Router IP Addresses Example

More than one device cannot use the same IP address. In the following example, the computer and the router's LAN port both use 192.168.1.1 as the IP address. The computer cannot access the Internet. This problem can be solved by assigning a different IP address to the computer or the router's LAN port.

Figure 217   Conflicting Computer and Router IP Addresses Example
APPENDIX E   Wireless LANs

Wireless LAN Topologies

This section discusses ad-hoc and infrastructure wireless LAN topologies.

Ad-hoc Wireless LAN Configuration

The simplest WLAN configuration is an independent (Ad-hoc) WLAN that connects a set of computers with wireless adapters (A, B, C). Any time two or more wireless adapters are within range of each other, they can set up an independent network, which is commonly referred to as an ad-hoc network or Independent Basic Service Set (IBSS). The following diagram shows an example of notebook computers using wireless adapters to form an ad-hoc wireless LAN.

Figure 218   Peer-to-Peer Communication in an Ad-hoc Network

BSS

A Basic Service Set (BSS) exists when all communications between wireless clients or between a wireless client and a wired network client go through one access point (AP). Intra-BSS traffic is traffic between wireless clients in the BSS. When Intra-BSS is enabled, wireless client A and B can access the wired network and communicate with each other. When Intra-BSS is disabled, wireless client A and B can still access the wired network but cannot communicate with each other.
Figure 219   Basic Service Set

ESS

An Extended Service Set (ESS) consists of a series of overlapping BSSs, each containing an access point, with each access point connected together by a wired network. This wired connection between APs is called a Distribution System (DS).

This type of wireless LAN topology is called an Infrastructure WLAN. The Access Points not only provide communication with the wired network but also mediate wireless network traffic in the immediate neighborhood. An ESSID (ESS IDentification) uniquely identifies each ESS. All access points and their associated wireless clients within the same ESS must have the same ESSID in order to communicate.
Figure 220   Infrastructure WLAN

Channel

A channel is the radio frequency(ies) used by wireless devices to transmit and receive data. Channels available depend on your geographical area. You may have a choice of channels (for your region), so you should use a channel different from an adjacent AP (access point) to reduce interference. Interference occurs when radio signals from different access points overlap, degrading performance.

Adjacent channels partially overlap, however. To avoid interference due to overlap, your AP should be on a channel at least five channels away from a channel that an adjacent AP is using. For example, if your region has 11 channels and an adjacent AP is using channel 1, then you need to select a channel between 6 and 11.

RTS/CTS

A hidden node occurs when two stations are within range of the same access point, but are not within range of each other. The following figure illustrates a hidden node. Both stations (STA) are within range of the access point (AP) or wireless gateway, but out of range of each other, so they cannot "hear" each other; that is, they do not know if the channel is currently being used. Therefore, they are considered hidden from each other.
Figure 221   RTS/CTS

When station A sends data to the AP, it might not know that station B is already using the channel. If these two stations send data at the same time, collisions may occur when both sets of data arrive at the AP at the same time, resulting in a loss of messages for both stations.

RTS/CTS is designed to prevent collisions due to hidden nodes. The RTS/CTS value defines the largest data frame you can send before an RTS (Request To Send)/CTS (Clear to Send) handshake is invoked.

When a data frame exceeds the RTS/CTS value you set (between 0 and 2432 bytes), the station that wants to transmit this frame must first send an RTS (Request To Send) message to the AP for permission to send it. The AP then responds with a CTS (Clear to Send) message to all other stations within its range to notify them to defer their transmission. It also reserves and confirms with the requesting station the time frame for the requested transmission.

Stations can send frames smaller than the specified RTS/CTS directly to the AP without the RTS (Request To Send)/CTS (Clear to Send) handshake.

You should only configure RTS/CTS if the possibility of hidden nodes exists on your network and the "cost" of resending large frames is more than the extra network overhead involved in the RTS (Request To Send)/CTS (Clear to Send) handshake.

If the RTS/CTS value is greater than the Fragmentation Threshold value (see next), then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur as data frames will be fragmented before they reach RTS/CTS size.
Enabling the RTS Threshold causes redundant network overhead that could negatively affect the throughput performance instead of providing a remedy.

Fragmentation Threshold

A Fragmentation Threshold is the maximum data fragment size (between 256 and 2432 bytes) that can be sent in the wireless network before the AP will fragment the packet into smaller data frames.

A large Fragmentation Threshold is recommended for networks not prone to interference while you should set a smaller threshold for busy networks or networks that are prone to interference.
If the Fragmentation Threshold value you set is smaller than the RTS/CTS value (see previously), then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur as data frames will be fragmented before they reach RTS/CTS size.

Preamble Type

Preamble is used to signal that data is coming to the receiver. Short and long refer to the length of the synchronization field in a packet.

Short preamble increases performance as less time sending preamble means more time for sending data. All IEEE 802.11 compliant wireless adapters support long preamble, but not all support short preamble.

Use long preamble if you are unsure what preamble mode other wireless devices on the network support, and to provide more reliable communications in busy wireless networks.

Use short preamble if you are sure all wireless devices on the network support it, and to provide more efficient communications.

Use the dynamic setting to automatically use short preamble when all wireless devices on the network support it, otherwise the ZyXEL Device uses long preamble.

The wireless devices MUST use the same preamble mode in order to communicate.

IEEE 802.11g Wireless LAN

IEEE 802.11g is fully compatible with the IEEE 802.11b standard. This means an IEEE 802.11b adapter can interface directly with an IEEE 802.11g access point (and vice versa) at 11 Mbps or lower depending on range. IEEE 802.11g has several intermediate rate steps between the maximum and minimum data rates.
The IEEE 802.11g data rate and modulation are as follows:

Table 134   IEEE 802.11g

DATA RATE (MBPS)       MODULATION
1                      DBPSK (Differential Binary Phase Shift Keyed)
2                      DQPSK (Differential Quadrature Phase Shift Keying)
5.5 / 11               CCK (Complementary Code Keying)
6/9/12/18/24/36/48/54  OFDM (Orthogonal Frequency Division Multiplexing)

Wireless Security Overview

Wireless security is vital to your network to protect wireless communication between wireless clients, access points and the wired network.
Wireless security methods available on the ZyXEL Device are data encryption, wireless client authentication, restricting access by device MAC address and hiding the ZyXEL Device identity.

The following figure shows the relative effectiveness of these wireless security methods available on your ZyXEL Device.

Table 135   Wireless Security Levels

SECURITY LEVEL  SECURITY TYPE
Least Secure    Unique SSID (Default)
                Unique SSID with Hide SSID Enabled
                MAC Address Filtering
                WEP Encryption
                IEEE802.1x EAP with RADIUS Server Authentication
                Wi-Fi Protected Access (WPA)
Most Secure     WPA2

You must enable the same wireless security settings on the ZyXEL Device and on all wireless clients that you want to associate with it.

IEEE 802.1x

In June 2001, the IEEE 802.1x standard was designed to extend the features of IEEE 802.11 to support extended authentication as well as providing additional accounting and control features. It is supported by Windows XP and a number of network devices. Some advantages of IEEE 802.1x are:

- User based identification that allows for roaming.
- Support for RADIUS (Remote Authentication Dial In User Service, RFC 2138, 2139) for centralized user profile and accounting management on a network RADIUS server.
- Support for EAP (Extensible Authentication Protocol, RFC 2486) that allows additional authentication methods to be deployed with no changes to the access point or the wireless clients.

RADIUS

RADIUS is based on a client-server model that supports authentication, authorization and accounting. The access point is the client and the server is the RADIUS server. The RADIUS server handles the following tasks:

- Authentication: Determines the identity of the users.
- Authorization:
  Determines the network services available to authenticated users once they are connected to the network.
- Accounting: Keeps track of the client's network activity.

RADIUS is a simple packet exchange in which your AP acts as a message relay between the wireless client and the network RADIUS server.

Types of RADIUS Messages

The following types of RADIUS messages are exchanged between the access point and the RADIUS server for user authentication:

- Access-Request: Sent by an access point requesting authentication.
- Access-Reject: Sent by a RADIUS server rejecting access.
- Access-Accept: Sent by a RADIUS server allowing access.
- Access-Challenge: Sent by a RADIUS server requesting more information in order to allow access. The access point sends a proper response from the user and then sends another Access-Request message.

The following types of RADIUS messages are exchanged between the access point and the RADIUS server for user accounting:

- Accounting-Request: Sent by the access point requesting accounting.
- Accounting-Response: Sent by the RADIUS server to indicate that it has started or stopped accounting.

In order to ensure network security, the access point and the RADIUS server use a shared secret key, which is a password they both know. The key is not sent over the network. In addition to the shared key, password information exchanged is also encrypted to protect the network from unauthorized access.

Types of EAP Authentication

This section discusses some popular authentication types: EAP-MD5, EAP-TLS, EAP-TTLS, PEAP and LEAP. Your wireless LAN device may not support all authentication types.

EAP (Extensible Authentication Protocol) is an authentication protocol that runs on top of the IEEE 802.1x transport mechanism in order to support multiple types of user authentication.
By using EAP to interact with an EAP-compatible RADIUS server, an access point helps a wireless station and a RADIUS server perform authentication.

The type of authentication you use depends on the RADIUS server and an intermediary AP(s) that supports IEEE 802.1x.
For EAP-TLS authentication type, you must first have a wired connection to the network and obtain the certificate(s) from a certificate authority (CA). Certificates (also called digital IDs) can be used to authenticate users, and a CA issues certificates and guarantees the identity of each certificate owner.

EAP-MD5 (Message-Digest Algorithm 5)

MD5 authentication is the simplest one-way authentication method. The authentication server sends a challenge to the wireless client. The wireless client "proves" that it knows the password by encrypting the password with the challenge and sends back the information. The password is not sent in plain text.

However, MD5 authentication has some weaknesses. Since the authentication server needs to get the plaintext passwords, the passwords must be stored. Thus someone other than the authentication server may access the password file. In addition, it is possible to impersonate an authentication server as the MD5 authentication method does not perform mutual authentication. Finally, the MD5 authentication method does not support data encryption with a dynamic session key. You must configure WEP encryption keys for data encryption.

EAP-TLS (Transport Layer Security)

With EAP-TLS, digital certificates are needed by both the server and the wireless clients for mutual authentication. The server presents a certificate to the client. After validating the identity of the server, the client sends a different certificate to the server. The exchange of certificates is done in the open before a secured tunnel is created. This makes user identity vulnerable to passive attacks. A digital certificate is an electronic ID card that authenticates the sender's identity. However, to implement EAP-TLS, you need a Certificate Authority (CA) to handle certificates, which imposes a management overhead.
EAP-TTLS (Tunneled Transport Layer Service)

EAP-TTLS is an extension of the EAP-TLS authentication that uses certificates for only the server-side authentications to establish a secure connection. Client authentication is then done by sending username and password through the secure connection, thus client identity is protected. For client authentication, EAP-TTLS supports EAP methods and legacy authentication methods such as PAP, CHAP, MS-CHAP and MS-CHAP v2.

PEAP (Protected EAP)

Like EAP-TTLS, PEAP uses server-side certificate authentication to establish a secure connection, then uses simple username and password methods through the secured connection to authenticate the clients, thus hiding client identity. However, PEAP only supports EAP methods, such as EAP-MD5, EAP-MSCHAPv2 and EAP-GTC (EAP-Generic Token Card), for client authentication. EAP-GTC is implemented only by Cisco.

LEAP

LEAP (Lightweight Extensible Authentication Protocol) is a Cisco implementation of IEEE 802.1x.
Dynamic WEP Key Exchange

The AP maps a unique key that is generated with the RADIUS server. This key expires when the wireless connection times out, disconnects or reauthentication times out. A new WEP key is generated each time reauthentication is performed.

If this feature is enabled, it is not necessary to configure a default encryption key in the wireless security configuration screen. You may still configure and store keys, but they will not be used while dynamic WEP is enabled.

Note: EAP-MD5 cannot be used with Dynamic WEP Key Exchange.

For added security, certificate-based authentications (EAP-TLS, EAP-TTLS and PEAP) use dynamic keys for data encryption. They are often deployed in corporate environments, but for public deployment, a simple user name and password pair is more practical. The following table is a comparison of the features of authentication types.

WPA and WPA2

WPA is a subset of the IEEE 802.11i standard. WPA2 (IEEE 802.11i) is a wireless security standard that defines stronger encryption, authentication and key management than WPA.

Key differences between WPA or WPA2 and WEP are improved data encryption and user authentication.

If both an AP and the wireless clients support WPA2 and you have an external RADIUS server, use WPA2 for stronger data encryption. If you don't have an external RADIUS server, you should use WPA2-PSK (WPA2-Pre-Shared Key) that only requires a single (identical) password entered into each access point, wireless gateway and wireless client. As long as the passwords match, a wireless client will be granted access to a WLAN.

If the AP or the wireless clients do not support WPA2, just use WPA or WPA-PSK depending on whether you have an external RADIUS server or not.

Select WEP only when the AP and/or wireless clients do not support WPA or WPA2.
WEP is less secure than WPA or WPA2.

Table 136   Comparison of EAP Authentication Types

                            EAP-MD5  EAP-TLS  EAP-TTLS  PEAP      LEAP
Mutual Authentication       No       Yes      Yes       Yes       Yes
Certificate - Client        No       Yes      Optional  Optional  No
Certificate - Server        No       Yes      Yes       Yes       No
Dynamic Key Exchange        No       Yes      Yes       Yes       Yes
Credential Integrity        None     Strong   Strong    Strong    Moderate
Deployment Difficulty       Easy     Hard     Moderate  Moderate  Moderate
Client Identity Protection  No       No       Yes       Yes       No
Encryption

Both WPA and WPA2 improve data encryption by using Temporal Key Integrity Protocol (TKIP), Message Integrity Check (MIC) and IEEE 802.1x. WPA and WPA2 use Advanced Encryption Standard (AES) in the Counter mode with Cipher block chaining Message authentication code Protocol (CCMP) to offer stronger encryption than TKIP.

TKIP uses 128-bit keys that are dynamically generated and distributed by the authentication server. AES (Advanced Encryption Standard) is a block cipher that uses a 256-bit mathematical algorithm called Rijndael. They both include a per-packet key mixing function, a Message Integrity Check (MIC) named Michael, an extended initialization vector (IV) with sequencing rules, and a re-keying mechanism.

WPA and WPA2 regularly change and rotate the encryption keys so that the same encryption key is never used twice.

The RADIUS server distributes a Pairwise Master Key (PMK) to the AP that then sets up a key hierarchy and management system, using the PMK to dynamically generate unique data encryption keys to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients. This all happens in the background automatically.

The Message Integrity Check (MIC) is designed to prevent an attacker from capturing data packets, altering them and resending them. The MIC provides a strong mathematical function in which the receiver and the transmitter each compute and then compare the MIC. If they do not match, it is assumed that the data has been tampered with and the packet is dropped.

By generating unique data encryption keys for every data packet and by creating an integrity checking mechanism (MIC), TKIP and AES make it more difficult to decrypt data on a Wi-Fi network than WEP does, and difficult for an intruder to break into the network.

The encryption mechanisms used for WPA(2) and WPA(2)-PSK are the same.
The only difference between the two is that WPA(2)-PSK uses a simple common password, instead of user-specific credentials. The common-password approach makes WPA(2)-PSK susceptible to brute-force password-guessing attacks, but it's still an improvement over WEP as it employs a consistent, single, alphanumeric password to derive a PMK which is used to generate unique temporal encryption keys. This prevents all wireless devices from sharing the same encryption keys (a weakness of WEP).

User Authentication

WPA and WPA2 apply IEEE 802.1x and Extensible Authentication Protocol (EAP) to authenticate wireless clients using an external RADIUS database. WPA2 reduces the number of key exchange messages from six to four (CCMP 4-way handshake) and shortens the time required to connect to a network. Other WPA2 authentication features that are different from WPA include key caching and pre-authentication. These two features are optional and may not be supported in all wireless devices.

Key caching allows a wireless client to store the PMK it derived through a successful authentication with an AP. The wireless client uses the PMK when it tries to connect to the same AP and does not need to go through the authentication process again.

Pre-authentication enables fast roaming by allowing the wireless client (already connecting to an AP) to perform IEEE 802.1x authentication with another AP before connecting to it.
Wireless Client WPA Supplicants

A wireless client supplicant is the software that runs on an operating system instructing the wireless client how to use WPA. At the time of writing, the most widely available supplicant is the WPA patch for Windows XP, Funk Software's Odyssey client.

The Windows XP patch is a free download that adds WPA capability to Windows XP's built-in "Zero Configuration" wireless client. However, you must run Windows XP to use it.

WPA(2) with RADIUS Application Example

To set up WPA(2), you need the IP address of the RADIUS server, its port number (default is 1812), and the RADIUS shared secret. A WPA(2) application example with an external RADIUS server looks as follows. "A" is the RADIUS server. "DS" is the distribution system.

1. The AP passes the wireless client's authentication request to the RADIUS server.
2. The RADIUS server then checks the user's identification against its database and grants or denies network access accordingly.
3. A 256-bit Pairwise Master Key (PMK) is derived from the authentication process by the RADIUS server and the client.
4. The RADIUS server distributes the PMK to the AP. The AP then sets up a key hierarchy and management system, using the PMK to dynamically generate unique data encryption keys. The keys are used to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients.

Figure 222   WPA(2) with RADIUS Application Example

WPA(2)-PSK Application Example

A WPA(2)-PSK application looks as follows.

1. First enter identical passwords into the AP and all wireless clients. The Pre-Shared Key (PSK) must consist of between 8 and 63 ASCII characters or 64 hexadecimal characters (including spaces and symbols).
2. The AP checks each wireless client's password and allows it to join the network only if the password matches.
3. The AP and wireless clients generate a common PMK (Pairwise Master Key). The key itself is not sent over the network, but is derived from the PSK and the SSID.
4. The AP and wireless clients use the TKIP or AES encryption process, the PMK and information exchanged in a handshake to create temporal encryption keys. They use these keys to encrypt data exchanged between them.

Figure 223   WPA(2)-PSK Authentication

Security Parameters Summary

Refer to this table to see what other security parameters you should configure for each authentication method or key management protocol type. MAC address filters are not dependent on how you configure these security features.

Table 137   Wireless Security Relational Matrix

AUTHENTICATION METHOD/   ENCRYPTION  ENTER       IEEE 802.1X
KEY MANAGEMENT PROTOCOL  METHOD      MANUAL KEY
Open                     None        No          Disable
                                                 Enable without Dynamic WEP Key
Open                     WEP         No          Enable with Dynamic WEP Key
                                     Yes         Enable without Dynamic WEP Key
                                     Yes         Disable
Shared                   WEP         No          Enable with Dynamic WEP Key
                                     Yes         Enable without Dynamic WEP Key
                                     Yes         Disable
WPA                      TKIP/AES    No          Enable
WPA-PSK                  TKIP/AES    Yes         Disable
WPA2                     TKIP/AES    No          Enable
WPA2-PSK                 TKIP/AES    Yes         Disable
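Steps 3 and 4 of the WPA(2)-PSK application example above, worked through as an added example that is not from the manual: IEEE 802.11i derives the PMK with PBKDF2-HMAC-SHA1 (4096 iterations, 256-bit output, SSID as salt) and expands it with the handshake's addresses and nonces into temporal keys. The function names, MAC addresses and nonces are constructed for illustration; the passphrase "password" with SSID "IEEE" is the standard's published test case.

```python
import hashlib
import hmac
import string


def derive_pmk(psk: str, ssid: str) -> bytes:
    """Step 3: turn the entered PSK and the SSID into the 256-bit PMK."""
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    if len(psk) == 64:
        # 64 hexadecimal characters are the 256-bit key itself, used as is.
        if not all(c in string.hexdigits for c in psk):
            raise ValueError("a 64-character PSK must be hexadecimal")
        return bytes.fromhex(psk)
    if not 8 <= len(psk) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if not all(32 <= ord(c) <= 126 for c in psk):
        raise ValueError("passphrase must be printable ASCII")
    return hashlib.pbkdf2_hmac("sha1", psk.encode("ascii"), ssid_bytes, 4096, 32)


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
               anonce: bytes, snonce: bytes, length: int = 48) -> bytes:
    """Step 4: expand the PMK with handshake data (802.11i PRF, HMAC-SHA1).

    length is 48 bytes for AES (CCMP) and 64 bytes for TKIP.
    """
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    out, counter = b"", 0
    while len(out) < length:
        msg = b"Pairwise key expansion" + b"\x00" + data + bytes([counter])
        out += hmac.new(pmk, msg, hashlib.sha1).digest()
        counter += 1
    return out[:length]


def split_ptk(ptk: bytes) -> dict:
    """Name the parts of the key block: two handshake keys and the data key."""
    return {
        "kck": ptk[0:16],    # authenticates the handshake messages
        "kek": ptk[16:32],   # encrypts keys delivered in the handshake
        "tk": ptk[32:],      # temporal key that encrypts data frames
    }


if __name__ == "__main__":
    pmk = derive_pmk("password", "IEEE")
    ap = bytes.fromhex("020000000001")    # constructed AP MAC address
    sta = bytes.fromhex("020000000002")   # constructed client MAC address
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))  # constructed nonces
    first = split_ptk(derive_ptk(pmk, ap, sta, anonce, snonce))
    second = split_ptk(derive_ptk(pmk, ap, sta, anonce, bytes(range(64, 96))))
    print("PMK:", pmk.hex())
    print("temporal key, handshake 1:", first["tk"].hex())
    print("temporal key, handshake 2:", second["tk"].hex())
```

The SSID is the only salt, so the same passphrase under the same SSID always yields the same PMK; the length and randomness of the passphrase are what resist the password guessing the manual mentions, while fresh nonces give every association its own temporal keys.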
Antenna Overview

An antenna couples RF signals onto air. A transmitter within a wireless device sends an RF signal to the antenna, which propagates the signal through the air. The antenna also operates in reverse by capturing RF signals from the air.

Positioning the antennas properly increases the range and coverage area of a wireless LAN.

Antenna Characteristics

Frequency

An antenna in the frequency of 2.4GHz (IEEE 802.11b and IEEE 802.11g) or 5GHz (IEEE 802.11a) is needed to communicate efficiently in a wireless LAN.

Radiation Pattern

A radiation pattern is a diagram that allows you to visualize the shape of the antenna's coverage area.

Antenna Gain

Antenna gain, measured in dB (decibel), is the increase in coverage within the RF beam width. Higher antenna gain improves the range of the signal for better communications.

For an indoor site, each 1 dB increase in antenna gain results in a range increase of approximately 2.5%. For an unobstructed outdoor site, each 1dB increase in gain results in a range increase of approximately 5%. Actual results may vary depending on the network environment.

Antenna gain is sometimes specified in dBi, which is how much the antenna increases the signal power compared to using an isotropic antenna. An isotropic antenna is a theoretical perfect antenna that sends out radio signals equally well in all directions. dBi represents the true gain that the antenna provides.

Types of Antennas for WLAN

There are two types of antennas used for wireless LAN applications.

- Omni-directional antennas send the RF signal out in all directions on a horizontal plane. The coverage area is torus-shaped (like a donut) which makes these antennas ideal for a room environment. With a wide coverage area, it is possible to make circular overlapping coverage areas with multiple access points.
- Directional antennas concentrate the RF signal in a beam, like a flashlight does with the light from its bulb.
  The angle of the beam determines the width of the coverage pattern. Angles typically range from 20 degrees (very directional) to 120 degrees (less directional). Directional antennas are ideal for hallways and outdoor point-to-point applications.
Positioning Antennas

In general, antennas should be mounted as high as practically possible and free of obstructions. In point-to-point applications, position both antennas at the same height and in a direct line of sight to each other to attain the best performance.

For omni-directional antennas mounted on a table, desk, and so on, point the antenna up. For omni-directional antennas mounted on a wall or ceiling, point the antenna down. For a single AP application, place omni-directional antennas as close to the center of the coverage area as possible.

For directional antennas, point the antenna in the direction of the desired coverage area.
APPENDIX F   Common Services

The following table lists some commonly-used services and their associated protocols and port numbers. For a comprehensive list of port numbers, ICMP type/code numbers and services, visit the IANA (Internet Assigned Numbers Authority) web site.

- Name: This is a short, descriptive name for the service. You can use this one or create a different one, if you like.
- Protocol: This is the type of IP protocol used by the service. If this is TCP/UDP, then the service uses the same port number with TCP and UDP. If this is USER-DEFINED, the Port(s) is the IP protocol number, not the port number.
- Port(s): This value depends on the Protocol. Please refer to RFC 1700 for further information about port numbers. If the Protocol is TCP, UDP, or TCP/UDP, this is the IP port number. If the Protocol is USER, this is the IP protocol number.
- Description: This is a brief explanation of the applications that use this service or the situations in which this service is used.

Table 138   Commonly Used Services

NAME                PROTOCOL      PORT(S)  DESCRIPTION
AH (IPSEC_TUNNEL)   User-Defined  51       The IPSEC AH (Authentication Header) tunneling protocol uses this service.
AIM/New-ICQ         TCP           5190     AOL's Internet Messenger service. It is also used as a listening port by ICQ.
AUTH                TCP           113      Authentication protocol used by some servers.
BGP                 TCP           179      Border Gateway Protocol.
BOOTP_CLIENT        UDP           68       DHCP Client.
BOOTP_SERVER        UDP           67       DHCP Server.
CU-SEEME            TCP           7648     A popular videoconferencing solution from White Pines Software.
                    UDP           24032
DNS                 TCP/UDP       53       Domain Name Server, a service that matches web names (for example www.zyxel.com) to IP numbers.
ESP (IPSEC_TUNNEL)  User-Defined  50       The IPSEC ESP (Encapsulation Security Protocol) tunneling protocol uses this service.
FINGER              TCP           79       Finger is a UNIX or Internet related command that can be used to find out if a user is logged on.
Table 138   Commonly Used Services (continued)

NAME                PROTOCOL      PORT(S)  DESCRIPTION
FTP                 TCP           20       File Transfer Program, a program to enable fast transfer of files, including large files that may not be possible by e-mail.
                    TCP           21
H.323               TCP           1720     NetMeeting uses this protocol.
HTTP                TCP           80       Hyper Text Transfer Protocol - a client/server protocol for the world wide web.
HTTPS               TCP           443      HTTPS is a secured http session often used in e-commerce.
ICMP                User-Defined  1        Internet Control Message Protocol is often used for diagnostic or routing purposes.
ICQ                 UDP           4000     This is a popular Internet chat program.
IGMP (MULTICAST)    User-Defined  2        Internet Group Management Protocol is used when sending packets to a specific group of hosts.
IKE                 UDP           500      The Internet Key Exchange algorithm is used for key distribution and management.
IRC                 TCP/UDP       6667     This is another popular Internet chat program.
MSN Messenger       TCP           1863     Microsoft Networks' messenger service uses this protocol.
NEW-ICQ             TCP           5190     An Internet chat program.
NEWS                TCP           144      A protocol for news groups.
NFS                 UDP           2049     Network File System - NFS is a client/server distributed file service that provides transparent file sharing for network environments.
NNTP                TCP           119      Network News Transport Protocol is the delivery mechanism for the USENET newsgroup service.
PING                User-Defined  1        Packet INternet Groper is a protocol that sends out ICMP echo requests to test whether or not a remote host is reachable.
POP3                TCP           110      Post Office Protocol version 3 lets a client computer get e-mail from a POP3 server through a temporary connection (TCP/IP or other).
PPTP                TCP           1723     Point-to-Point Tunneling Protocol enables secure transfer of data over public networks. This is the control channel.
PPTP_TUNNEL (GRE)   User-Defined  47       PPTP (Point-to-Point Tunneling Protocol) enables secure transfer of data over public networks.
This is the data channel.RCMD TCP 512 Remote Command Service.REAL_AUDIO TCP 7070 A streaming audio service that enables real time sound over the web.REXEC TCP 514 Remote Execution Daemon.RLOGIN TCP 513 Remote Login.RTELNET TCP 107 Remote Telnet.Table 138   Commonly Used Services (continued)NAME PROTOCOL PORT(S) DESCRIPTION
 Appendix FCommon ServicesMAX-200HW2 Series User s Guide 335RTSP TCP/UDP 554 The Real Time Streaming (media control) Protocol (RTSP) is a remote control for multimedia on the Internet. SFTP TCP 115 Simple File Transfer Protocol.SMTP TCP 25 Simple Mail Transfer Protocol is the message-exchange standard for the Internet. SMTP enables you to move messages from one e-mail server to another.SNMP TCP/UDP 161 Simple Network Management Program.SNMP-TRAPS TCP/UDP 162 Traps for use with the SNMP (RFC:1215).SQL-NET TCP 1521 Structured Query Language is an interface to access data on many different types of database systems, including mainframes, midrange systems, UNIX systems and network servers.SSH TCP/UDP 22 Secure Shell Remote Login Program.STRM WORKS UDP 1558 Stream Works Protocol.SYSLOG UDP 514 Syslog allows you to send system logs to a UNIX server.TACACS UDP 49 Login Host Protocol used for (Terminal Access Controller Access Control System).TELNET TCP 23 Telnet is the login and terminal emulation protocol common on the Internet and in UNIX environments. It operates over TCP/IP networks. Its primary function is to allow users to log into remote host systems.TFTP UDP 69 Trivial File Transfer Protocol is an Internet file transfer protocol similar to FTP, but uses the UDP (User Datagram Protocol) rather than TCP (Transmission Control Protocol).VDOLIVE TCP 7000 Another videoconferencing solution.Table 138   Commonly Used Services (continued)NAME PROTOCOL PORT(S) DESCRIPTION
APPENDIX G Legal Information

Copyright

Copyright © 2007 by ZyXEL Communications Corporation.

The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical, magnetic, optical, chemical, photocopying, manual, or otherwise, without the prior written permission of ZyXEL Communications Corporation.

Published by ZyXEL Communications Corporation. All rights reserved.

Disclaimers

ZyXEL does not assume any liability arising out of the application or use of any products, or software described herein. Neither does it convey any license under its patent rights nor the patent rights of others. ZyXEL further reserves the right to make changes in any products described herein without notice. This publication is subject to change without notice.

Trademarks

ZyNOS (ZyXEL Network Operating System) is a registered trademark of ZyXEL Communications, Inc. Other trademarks mentioned in this publication are used for identification purposes only and may be properties of their respective owners.

Certifications

Federal Communications Commission (FCC) Interference Statement

The device complies with Part 15 of FCC rules. Operation is subject to the following two conditions:

- This device may not cause harmful interference.
- This device must accept any interference received, including interference that may cause undesired operations.

This device has been tested and found to comply with the limits for a Class B digital device pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This device generates, uses, and can radiate radio frequency energy, and if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation.

If this device does cause harmful interference to radio/television reception, which can be determined by turning the device off and on, the user is encouraged to try to correct the interference by one or more of the following measures:

1. Reorient or relocate the receiving antenna.
2. Increase the separation between the equipment and the receiver.
3. Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
4. Consult the dealer or an experienced radio/TV technician for help.

FCC Radiation Exposure Statement

The device complies with FCC RF radiation exposure limits set forth for an uncontrolled environment, under 47 CFR 2.1093 paragraph (d)(2). End users must follow the specific operating instructions for satisfying RF exposure compliance.

To maintain compliance with FCC RF exposure compliance requirements, please follow operation instruction as documented in this manual. This transmitter must not be co-located or operating in conjunction with any other antenna or transmitter.

To comply with FCC RF exposure compliance requirements, a separation distance of at least 20 cm must be maintained between the antenna of this device and all persons.

Notices

Changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate the equipment.

Viewing Certifications

1. Go to http://www.zyxel.com.
2. Select your product from the drop-down list box on the ZyXEL home page to go to that product's page.
3. Select the certification you wish to view from this page.

ZyXEL Limited Warranty

ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase. During the warranty period, and upon proof of purchase, should the product have indications of failure due to faulty workmanship and/or materials, ZyXEL will, at its discretion, repair or replace the defective products or components without charge for either parts or labor, and to whatever extent it shall deem necessary to restore the product or components to proper operating condition. Any replacement will consist of a new or re-manufactured functionally equivalent product of equal or higher value, and will be solely at the discretion of ZyXEL. This warranty shall not apply if the product has been modified, misused, tampered with, damaged by an act of God, or subjected to abnormal working conditions.

Note

Repair or replacement, as provided under this warranty, is the exclusive remedy of the purchaser. This warranty is in lieu of all other warranties, express or implied, including any implied warranty of merchantability or fitness for a particular use or purpose. ZyXEL shall in no event be held liable for indirect or consequential damages of any kind to the purchaser.

To obtain the services of this warranty, contact ZyXEL's Service Center for your Return Material Authorization number (RMA). Products must be returned Postage Prepaid. It is recommended that the unit be insured when shipped. Any returned products without proof of purchase or those with an out-dated warranty will be repaired or replaced (at the discretion of ZyXEL) and the customer will be billed for parts and labor. All repaired or replaced products will be shipped by ZyXEL to the corresponding return address, Postage Paid. This warranty gives you specific legal rights, and you may also have other rights that vary from country to country.

Registration

Register your product online to receive e-mail notices of firmware upgrades and information at www.zyxel.com.
APPENDIX H Customer Support

Please have the following information ready when you contact customer support.

Required Information

- Product model and serial number.
- Warranty Information.
- Date that you received your device.
- Brief description of the problem and the steps you took to solve it.

"+" is the (prefix) number you dial to make an international telephone call.

Corporate Headquarters (Worldwide)
- Support E-mail: support@zyxel.com.tw
- Sales E-mail: sales@zyxel.com.tw
- Telephone: +886-3-578-3942
- Fax: +886-3-578-2439
- Web: www.zyxel.com, www.europe.zyxel.com
- FTP: ftp.zyxel.com, ftp.europe.zyxel.com
- Regular Mail: ZyXEL Communications Corp., 6 Innovation Road II, Science Park, Hsinchu 300, Taiwan

Costa Rica
- Support E-mail: soporte@zyxel.co.cr
- Sales E-mail: sales@zyxel.co.cr
- Telephone: +506-2017878
- Fax: +506-2015098
- Web: www.zyxel.co.cr
- FTP: ftp.zyxel.co.cr
- Regular Mail: ZyXEL Costa Rica, Plaza Roble Escazú, Etapa El Patio, Tercer Piso, San José, Costa Rica

Czech Republic
- E-mail: info@cz.zyxel.com
- Telephone: +420-241-091-350
- Fax: +420-241-091-359
- Web: www.zyxel.cz
- Regular Mail: ZyXEL Communications, Czech s.r.o., Modranská 621, 143 01 Praha 4 - Modrany, Ceská Republika

Denmark
- Support E-mail: support@zyxel.dk
- Sales E-mail: sales@zyxel.dk
- Telephone: +45-39-55-07-00
- Fax: +45-39-55-07-07
- Web: www.zyxel.dk
- Regular Mail: ZyXEL Communications A/S, Columbusvej, 2860 Soeborg, Denmark

Finland
- Support E-mail: support@zyxel.fi
- Sales E-mail: sales@zyxel.fi
- Telephone: +358-9-4780-8411
- Fax: +358-9-4780-8448
- Web: www.zyxel.fi
- Regular Mail: ZyXEL Communications Oy, Malminkaari 10, 00700 Helsinki, Finland

France
- E-mail: info@zyxel.fr
- Telephone: +33-4-72-52-97-97
- Fax: +33-4-72-52-19-20
- Web: www.zyxel.fr
- Regular Mail: ZyXEL France, 1 rue des Vergers, Bat. 1 / C, 69760 Limonest, France

Germany
- Support E-mail: support@zyxel.de
- Sales E-mail: sales@zyxel.de
- Telephone: +49-2405-6909-69
- Fax: +49-2405-6909-99
- Web: www.zyxel.de
- Regular Mail: ZyXEL Deutschland GmbH., Adenauerstr. 20/A2 D-52146, Wuerselen, Germany

Hungary
- Support E-mail: support@zyxel.hu
- Sales E-mail: info@zyxel.hu
- Telephone: +36-1-3361649
- Fax: +36-1-3259100
- Web: www.zyxel.hu
- Regular Mail: ZyXEL Hungary, 48, Zoldlomb Str., H-1025, Budapest, Hungary

India
- Support E-mail: support@zyxel.in
- Sales E-mail: sales@zyxel.in
- Telephone: +91-11-30888144 to +91-11-30888153
- Fax: +91-11-30888149, +91-11-26810715
- Web: http://www.zyxel.in
- Regular Mail: India - ZyXEL Technology India Pvt Ltd., II-Floor, F2/9 Okhla Phase -1, New Delhi 110020, India

Japan
- Support E-mail: support@zyxel.co.jp
- Sales E-mail: zyp@zyxel.co.jp
- Telephone: +81-3-6847-3700
- Fax: +81-3-6847-3705
- Web: www.zyxel.co.jp
- Regular Mail: ZyXEL Japan, 3F, Office T&U, 1-10-10 Higashi-Gotanda, Shinagawa-ku, Tokyo 141-0022, Japan

Kazakhstan
- Support: http://zyxel.kz/support
- Sales E-mail: sales@zyxel.kz
- Telephone: +7-3272-590-698
- Fax: +7-3272-590-689
- Web: www.zyxel.kz
- Regular Mail: ZyXEL Kazakhstan, 43 Dostyk Ave., Office 414, Dostyk Business Centre, 050010 Almaty, Republic of Kazakhstan

Malaysia
- Support E-mail: support@zyxel.com.my
- Sales E-mail: sales@zyxel.com.my
- Telephone: +603-8076-9933
- Fax: +603-8076-9833
- Web: http://www.zyxel.com.my
- Regular Mail: ZyXEL Malaysia Sdn Bhd., 1-02 & 1-03, Jalan Kenari 17F, Bandar Puchong Jaya, 47100 Puchong, Selangor Darul Ehsan, Malaysia

North America
- Support E-mail: support@zyxel.com
- Support Telephone: +1-800-978-7222
- Sales E-mail: sales@zyxel.com
- Sales Telephone: +1-714-632-0882
- Fax: +1-714-632-0858
- Web: www.zyxel.com
- Regular Mail: ZyXEL Communications Inc., 1130 N. Miller St., Anaheim, CA 92806-2001, U.S.A.

Norway
- Support E-mail: support@zyxel.no
- Sales E-mail: sales@zyxel.no
- Telephone: +47-22-80-61-80
- Fax: +47-22-80-61-81
- Web: www.zyxel.no
- Regular Mail: ZyXEL Communications A/S, Nils Hansens vei 13, 0667 Oslo, Norway

Poland
- E-mail: info@pl.zyxel.com
- Telephone: +48-22-333 8250
- Fax: +48-22-333 8251
- Web: www.pl.zyxel.com
- Regular Mail: ZyXEL Communications, ul. Okrzei 1A, 03-715 Warszawa, Poland

Russia
- Support: http://zyxel.ru/support
- Sales E-mail: sales@zyxel.ru
- Telephone: +7-095-542-89-29
- Fax: +7-095-542-89-25
- Web: www.zyxel.ru
- Regular Mail: ZyXEL Russia, Ostrovityanova 37a Str., Moscow 117279, Russia

Singapore
- Support E-mail: support@zyxel.com.sg
- Sales E-mail: sales@zyxel.com.sg
- Telephone: +65-6899-6678
- Fax: +65-6899-8887
- Web: http://www.zyxel.com.sg
- Regular Mail: ZyXEL Singapore Pte Ltd., No. 2 International Business Park, The Strategy #03-28, Singapore 609930

Spain
- Support E-mail: support@zyxel.es
- Sales E-mail: sales@zyxel.es
- Telephone: +34-902-195-420
- Fax: +34-913-005-345
- Web: www.zyxel.es
- Regular Mail: ZyXEL Communications, Arte, 21 5ª planta, 28033 Madrid, Spain

Sweden
- Support E-mail: support@zyxel.se
- Sales E-mail: sales@zyxel.se
- Telephone: +46-31-744-7700
- Fax: +46-31-744-7701
- Web: www.zyxel.se
- Regular Mail: ZyXEL Communications A/S, Sjöporten 4, 41764 Göteborg, Sweden

Thailand
- Support E-mail: support@zyxel.co.th
- Sales E-mail: sales@zyxel.co.th
- Telephone: +662-831-5315
- Fax: +662-831-5395
- Web: http://www.zyxel.co.th
- Regular Mail: ZyXEL Thailand Co., Ltd., 1/1 Moo 2, Ratchaphruk Road, Bangrak-Noi, Muang, Nonthaburi 11000, Thailand.

Ukraine
- Support E-mail: support@ua.zyxel.com
- Sales E-mail: sales@ua.zyxel.com
- Telephone: +380-44-247-69-78
- Fax: +380-44-494-49-32
- Web: www.ua.zyxel.com
- Regular Mail: ZyXEL Ukraine, 13, Pimonenko Str., Kiev 04050, Ukraine

United Kingdom
- Support E-mail: support@zyxel.co.uk
- Sales E-mail: sales@zyxel.co.uk
- Telephone: +44-1344-303044, 08707-555779 (UK only)
- Fax: +44-1344-303034
- Web: www.zyxel.co.uk
- FTP: ftp.zyxel.co.uk
- Regular Mail: ZyXEL Communications UK Ltd., 11 The Courtyard, Eastern Road, Bracknell, Berkshire RG12 2XB, United Kingdom (UK)
