AP-5131 Access Point Product Reference Guide
AP-5131 Access Point Product Reference Guide 72E-94168-01 Revision A November 2006
© 2006 by Symbol Technologies, Inc. All rights reserved. No part of this publication may be reproduced or used in any form, or by any electrical or mechanical means, without permission in writing from Symbol. This includes electronic or mechanical means, such as photocopying, recording, or information storage and retrieval systems. The material in this manual is subject to change without notice. The software is provided strictly on an “as is” basis.
Contents

About This Guide
Introduction (vii)
Document Conventions (vii)
Notational Conventions (viii)
Service Information

Single or Dual Mode Radio Options (1-6)
Separate LAN and WAN Ports (1-7)
Multiple Mounting Options (1-7)
Antenna Support for 2.4 GHz and 5.2 GHz Radios (1-7)
Sixteen Configurable WLANs

MU Association Process (1-22)
Operating Modes (1-23)
Management Access Options (1-23)

Chapter 2. Hardware Installation
Precautions

Testing Connectivity (3-13)
Where to Go from Here? (3-14)

Chapter 4. System Configuration
Configuring System Settings (4-2)
Configuring Data Access

Setting the WLAN’s Radio Configuration (5-45)
Configuring the 802.11a or 802.11b/g Radio (5-48)
Configuring Bandwidth Management Settings (5-55)
Configuring Router Settings (5-57)
Setting the RIP Configuration

Mapping Users to Groups (6-71)
Defining the User Access Policy (6-72)

Chapter 7. Monitoring Statistics
Viewing WAN Statistics (7-2)
Viewing LAN Statistics

Network ACL Commands (8-80)
Network Radio Configuration Commands (8-85)
Network Quality of Service (QoS) Commands (8-102)
Network Bandwidth Management Commands (8-107)
Network Rogue-AP Commands (8-110)
Network Firewall Commands

Appendix A. Technical Specifications
Physical Characteristics (A-2)
Electrical Characteristics (A-2)
Radio Characteristics (A-3)
Antenna Specifications
About This Guide

Introduction

This guide provides configuration and setup information for the AP-5131 model access point.

Document Conventions

The following document conventions are used in this document:

NOTE Indicates tips or special requirements.

! CAUTION Indicates conditions that can cause equipment damage or data loss.
WARNING! Indicates a condition or procedure that could result in personal injury or equipment damage.

Notational Conventions

The following notational conventions are used in this document:

• Italics are used to highlight specific items in the general text, and to identify chapters and sections in this and related documents.
AP-5131 Introduction

The Symbol AP-5131 Access Point (AP) provides a bridge between Ethernet wired LANs or WANs and wireless networks. It provides connectivity between Ethernet wired networks and radio-equipped mobile units (MUs). MUs include the full line of Symbol terminals, bar-code scanners, adapters (PC cards, Compact Flash cards and PCI adapters) and other devices. The AP-5131 provides a maximum 54Mbps data transfer rate via each radio.
1.1 New AP-5131 Features

With this most recent 1.1 release of the AP-5131 firmware, the following new features have been introduced to the existing AP-5131 feature set:

• Mesh Networking
• Additional LAN Subnet
• On-board Radius Server Authentication
• Hotspot Support
• Routing Information Protocol (RIP)
• Manual Date and Time Settings

1.1.
Once the AP-5131 (in client bridge mode) establishes at least one wireless connection, it establishes other wireless connections in the background as they become available. In this way, the AP-5131 is able to establish simultaneous redundant links. An AP-5131 (in client bridge mode) can establish up to 3 simultaneous wireless connections with other AP-5131s.
1.1.3 On-board Radius Server Authentication

The AP-5131 now has the ability to work as a Radius Server to provide user database information and user authentication. Several new screens have been added to the AP-5131’s menu tree to configure Radius server authentication and configure the local user database and access policies.
1.1.5 Routing Information Protocol (RIP)

With the release of the 1.1 version AP-5131, Routing Information Protocol (RIP) functionality has been added to the AP-5131’s existing Router screen. RIP is an interior gateway protocol that specifies how routers exchange routing-table information. The parent Router screen also allows the administrator to select the type of RIP and the type of RIP authentication used.
1.2 Feature Overview

The Symbol AP-5131 has the following existing features carried forward from its initial 1.0 release:

• Single or Dual Mode Radio Options
• Separate LAN and WAN Ports
• Multiple Mounting Options
• Antenna Support for 2.4 GHz and 5.
If the AP-5131 is manufactured as a dual-radio access point, the AP-5131 enables you to configure one radio for 802.11a, and the other 802.11b/g. For detailed information on configuring your AP-5131, see Setting the WLAN’s Radio Configuration on page 5-45.

1.2.2 Separate LAN and WAN Ports

The AP-5131 has one LAN port and one WAN port, each with its own MAC address.
For an overview of the Radio 1 (2.4 GHz) and Radio 2 (5.2 GHz) antennas supported on the AP-5131’s Reverse SMA (RSMA) connectors, see Antenna Specifications on page A-4.

1.2.5 Sixteen Configurable WLANs

A Wireless Local Area Network (WLAN) is a data-communications system that flexibly extends the functionalities of a wired LAN. A WLAN does not require lining up devices for line-of-sight transmission, and is thus desirable for wireless networking.
1.2.7 Quality of Service (QoS) Support

The AP-5131 QoS implementation provides applications running on different wireless devices a variety of priority levels to transmit data to and from the AP-5131. Equal data transmission priority is fine for data traffic from applications such as Web browsers, file transfers or email, but is inadequate for multimedia applications.
• Content Filtering

For an overview on the encryption and authentication schemes available on the AP-5131, refer to Configuring Access Point Security on page 6-1.

1.2.8.1 Kerberos Authentication

Authentication is a means of verifying information that is transmitted from a secure source. If information is authentic, you know who created it and you know that it has not been altered in any way since it was originated.
An MU is not able to access the network if not authenticated. When configured for EAP support, the access point displays the MU as an EAP station. EAP is only supported on mobile devices running Windows XP, Windows 2000 (using Service Pack #4) and Windows Mobile 2003. Refer to the system administrator for information on configuring a Radius Server for EAP (802.1x) support. For detailed information on EAP configurations, see Configuring 802.1x EAP Authentication on page 6-11.

1.2.8.
1.2.8.4 KeyGuard Encryption

Use KeyGuard to shield the master encryption keys from being discovered through hacking. KeyGuard negotiation takes place between the access point and MU upon association. The access point can use KeyGuard with Symbol MUs. KeyGuard is only supported on Symbol MUs, making it a Symbol proprietary security mechanism. For detailed information on KeyGuard configurations, see Configuring KeyGuard Encryption on page 6-18.

1.2.8.
For detailed information on WPA2-CCMP configurations, see Configuring WPA2-CCMP (802.11i) on page 6-22.

1.2.8.7 Firewall Security

A firewall keeps personal data in and hackers out. The AP-5131 firewall prevents suspicious Internet traffic from proliferating across the AP-5131 managed network. The AP-5131 performs network address translation (NAT) on packets passing to and from the WAN port. This combination provides enhanced security by monitoring communication with the wired network.
assignment. In addition to these 16 VLANs, the AP-5131 supports dynamic, user-based, VLANs when using EAP authentication. VLANs enable organizations to share network resources in various network segments within large areas (airports, shopping malls, etc.). A VLAN is a group of clients with a common set of requirements independent of their physical location.
SNMP allows a network administrator to configure the AP-5131, manage network performance, find and solve network problems, and plan for network growth. The AP-5131 supports SNMP management functions for gathering information from its network components. The AP-5131 CDROM and the (AP5131 downloads site) contain the following 2 MIB files:

• Symbol-CC-WS2000-MIB-2.
1.2.15 Voice Prioritization

Each AP-5131 WLAN has the capability of having its QoS policy configured to prioritize the network traffic requirements for associated MUs. A WLAN QoS page is available for each enabled WLAN on either the AP-5131 802.11a or 802.11b/g radio. Use the QoS page to enable voice prioritization for devices to receive the transmission priority they may not normally receive over other data traffic.
For detailed information on available AP-5131 statistical displays and the values they represent, see Monitoring Statistics on page 7-1.

1.2.18 Transmit Power Control

The AP-5131 has a configurable power level for each radio. This enables the network administrator to define the antenna’s transmission power level with respect to the AP-5131’s placement or network requirements as defined in the AP-5131 site survey.
1.2.22 DHCP Support

The AP-5131 can use Dynamic Host Configuration Protocol (DHCP) to obtain a leased IP address and configuration information from a remote server. DHCP is based on the BOOTP protocol and can coexist or interoperate with BOOTP. Configure the AP-5131 to send out a DHCP request searching for a DHCP/BOOTP server to acquire HTML, firmware or network configuration files when the AP-5131 boots.
digital data signal is encoded onto the carriers using a DSSS chipping algorithm. The AP-5131 radio signal propagates into the air as electromagnetic waves. A receiving antenna (on the MU) in the path of the waves absorbs the waves as electrical signals. The receiving MU interprets (demodulates) the signal by reapplying the direct sequence chipping code. This demodulation results in the original digital data.
different AP-5131. The roam occurs when the MU analyzes the reception quality at a location and determines a different AP-5131 provides better signal strength and lower MU load distribution. If the MU does not find an AP-5131 with a workable signal, it can perform a scan to find any AP. As MUs switch APs, the AP updates its association statistics. The user can configure the ESSID to correspond to up to 16 WLANs on each 802.11a or 802.11b/g radio.
1.3.3 Media Types

The AP-5131 radio interface conforms to IEEE 802.11a/b/g specifications. The interface operates at a maximum 54Mbps (802.11a radio) using direct-sequence radio technology. The AP-5131 supports multiple-cell operations with fast roaming between cells. Within a direct-sequence system, each cell can operate independently. Adding cells to the network provides increased coverage area and total system capacity.
1.3.5 MU Association Process

An AP-5131 recognizes MUs as they begin the association process with the AP-5131. An AP-5131 keeps a list of the MUs it services.
1.3.6 Operating Modes

The AP-5131 can operate in a couple of configurations.

• Access Point - As an Access Point, the AP-5131 functions as a layer 2 bridge (similar to Symbol’s existing AP-4131 access point). The wired uplink can operate as a trunk and support multiple VLANs. Up to 16 WLANs can be defined and mapped to AP-5131 WLANs. Each WLAN can be configured to be broadcast by one or both AP-5131 radios (unlike the AP-4131).
• MIB (Management Information Base) accessing the AP-5131 SNMP function using a MIB Browser. The AP-5131 CDROM contains the following 2 MIB files:
  • Symbol-CC-WS2000-MIB-2.0 (standard Symbol MIB file)
  • Symbol-AP-5131-MIB (AP-5131 specific MIB file)

Make configuration changes to AP-5131s individually. Optionally, use the AP-5131 import/export configuration function to download an AP-5131’s settings to other AP-5131s.
Hardware Installation

An AP-5131 installation includes mounting the AP-5131 on a table-top, wall, ceiling T-bar or above the ceiling (attic or plenum), connecting the AP-5131 to the network (LAN or WAN port connection), connecting antennae and applying power. Installation procedures vary for different environments.
! CAUTION Symbol recommends conducting a radio site survey prior to installing the AP-5131. A site survey is an excellent method of documenting areas of radio interference and providing a tool for AP-5131 placement.

2.1 Precautions

Before installing the AP-5131 verify the following:

• Do not install in wet or dusty areas without additional protection. Contact a Symbol representative for more information.
Symbol Part # and Description

AP-5131-13041-WWR
• AP-5131 802.11a+g Dual Radio Access Point
• AP-5131 Install Guide
• Power Injector (Part No. AP-PSBIAS-1P2-AFR)
• Software and Documentation CD-ROM
• Accessories Bag

AP-5131-13042-WW
• AP-5131 802.11a+g Dual Radio Access Point
• AP-5131 Install Guide
• Software and Documentation CD-ROM
• (4) Dual-Band Antennae (Part No. ML-2452-APA2-01)
• Accessories Bag

AP-5131-13043-WWR
• AP-5131 802.
The Symbol power injector (Part No. AP-PSBIAS-1P2-AFR) is included in certain orderable configurations, but can be added to any configuration. For more information on the Symbol power injector, see Symbol Power Injector System on page 2-8.

NOTE A standard Symbol 48 Volt Power Adapter (Part No. 50-24000-050) is recommended with AP-5131 product SKUs that do not include the Symbol power injector.
metal, concrete, walls or floors block transmission. Install the AP-5131 in open areas or add access points as needed to improve coverage. Antenna coverage is analogous to lighting. Users might find an area lit from far away to be not bright enough. An area lit sharply might minimize coverage and create dark areas. Uniform antenna placement in an area (like even placement of a light bulb) provides even, efficient coverage.
suite supporting the 2.4 GHz band and another antenna suite supporting the 5.2 GHz band. Select an antenna model best suited to the intended operational environment of your AP-5131.

NOTE On a single-radio AP-5131, Radio 1 can be configured to be either a 2.4 GHz or 5.2 GHz radio. On a dual-radio model, Radio 1 refers to the AP-5131’s 2.4 GHz radio and Radio 2 refers to the AP-5131 5.2 GHz radio.
The 5.2 GHz antenna suite includes the following models:

Symbol Part Number    Antenna Type                          Nominal Net Gain (dBi)
ML-5299-WPNA1-01R     Panel Antenna                         13.0
ML-5299-HPA1-01R      Wide-Band Omni-Directional Antenna    5.0
ML-2452-APA2-0        Dual-Band                             4.0

For detailed specifications on the 2.4 GHz and 5.2 GHz antennae mentioned in this section, see section 2.4 GHz Antenna Matrix on page A-4 and section 5.2 GHz Antenna Matrix on page A-4.
2.5 Power Options

The power options for the AP-5131 include:

• Symbol Power Injector (Part No. AP-PSBIAS-1P2-AFR)
• Symbol 48-Volt Power Supply (Part No. 50-24000-050)
• Any standard 802.3af compliant device.

2.6 Symbol Power Injector System

The AP-5131 can receive power either directly from a Symbol 48V AC-DC power supply (Part No. 50-24000-050) or via an Ethernet cable connected to the LAN port (using the 802.3af standard).
2.6.1 Installing the Power Injector

Refer to the following sections for information on planning, installing, and validating the power injector installation:

• Preparing for Site Installation
• Cabling the Power Injector
• Power Injector LED Indicators

2.6.1.1 Preparing for Site Installation

The power injector can be installed free standing, on an even horizontal surface or wall mounted using the power injector’s wall mounting key holes.
Ensure the cable length from the Ethernet source (host) to the power injector and AP-5131 does not exceed 100 meters (333 ft.). The power injector has no On/Off power switch. The power injector receives power and is ready for AP-5131 device connection and operation as soon as AC power is applied.

2.6.1.
2.7 Mounting the AP-5131

The AP-5131 can rest on a flat surface, attach to a wall, mount under a suspended T-Bar or above a ceiling (plenum or attic). Choose one of the following mounting options based on the physical environment of the coverage area. Do not mount the AP-5131 in a location that has not been approved in a site survey.
4. Cable the AP-5131 using either the Symbol power injector solution or an approved line cord and power supply.

! CAUTION Do not supply power to the AP-5131 until the cabling of the unit is complete.

For Symbol power injector installations:

a. Connect an RJ-45 Ethernet cable between the network data supply (host) and the power injector Data In connector.
b.
5. Verify the behavior of the AP-5131 LEDs. For more information, see LED Indicators on page 2-20.
6. Return the AP-5131 to an upright position and place it in the location you wish it to operate. Ensure the AP-5131 is sitting evenly on all four rubber feet.

The AP-5131 is ready to configure. For information on an AP-5131 default configuration, see Getting Started on page 3-1. For specific details on AP-5131 system configurations, see System Configuration on page 4-1.

2.7.
! CAUTION Both the Dual and Single Radio model AP-5131s use RSMA type antenna connectors. On the Dual Radio AP-5131, a single dot on the antenna connector indicates the primary antenna for both Radio 1 (2.4 GHz) and Radio 2 (5.2 GHz). Two dots designate the secondary antenna for both Radio 1 and Radio 2.
e. Plug the power adapter into an outlet.

NOTE If the AP-5131 is utilizing remote management antennae, a wire cover can be used to provide a clean finished look to the installation. Contact Symbol for more information.

9. Verify the behavior of the AP-5131 LEDs. For more information, see LED Indicators on page 2-20.

The AP-5131 is ready to configure. For information on an AP-5131 default configuration, see Getting Started on page 3-1.
4. Cable the AP-5131 using either the Symbol power injector solution or an approved line cord and power supply.

! CAUTION Do not supply power to the AP-5131 until the cabling of the unit is complete.

For Symbol power injector installations:

a. Connect an RJ-45 Ethernet cable between the network data supply (host) and the Power Injector Data In connector.
b.
10. Rotate the AP-5131 chassis 45 degrees counter-clockwise. The clips click as they fasten to the T-bar.
11. The AP-5131 is ready to configure. For information on an AP-5131 default configuration, see Getting Started on page 3-1. For specific details on AP-5131 system configurations, see System Configuration on page 4-1.

NOTE If the AP-5131 is utilizing remote management antennae, a wire cover can be used to provide a clean finished look to the installation.
! CAUTION Symbol does not recommend mounting the AP-5131 directly to any suspended ceiling tile with a thickness less than 12.7mm (0.5in.) or a suspended ceiling tile with an unsupported span greater than 660mm (26in.). Symbol strongly recommends fitting the AP-5131 with a safety wire suitable for supporting the weight of the device. The safety wire should be a standard ceiling suspension cable or equivalent steel wire between 1.59mm (.062in.) and 2.
Figure labels: Light Pipe; Ceiling Tile; Decal; Badge

9. Snap the clips of the light pipe into the bottom of the AP-5131.
10. Fit the light pipe into hole in the tile from its unfinished side.
11. Place the decal on the back of the badge and slide the badge onto the light pipe from the finished side of the tile.
12. Attach the radio antennae to their correct connectors.

! CAUTION Both the Dual and Single Radio model AP-5131s use RSMA type antenna connectors.
For Symbol power injector installations:

a. Connect an RJ-45 Ethernet cable between the network data supply (host) and the Power Injector Data In connector.
b. Connect an RJ-45 Ethernet cable between the power injector Data & Power Out connector and the AP-5131 LAN port.
c. Ensure the cable length from the Ethernet source (host) to the power injector and AP-5131 does not exceed 100 meters (333 ft).

The power injector has no On/Off power switch.
Figure labels: Power and Error Conditions (Split LED); Data Over Ethernet; 802.11a Radio Activity; 802.11b/g Radio Activity

The five LEDs on the top housing of the AP-5131 are clearly visible in table-top, wall and below ceiling installations. The five AP-5131 top housing LEDs have the following display and functionality:

Power Status: Solid white indicates the AP-5131 is adequately powered.
Boot and Power Status: Solid white indicates the AP-5131 is adequately powered.
Error Conditions: Solid red indicates the AP-5131 is experiencing a problem condition requiring immediate attention.
Power and Error Conditions: Blinking red indicates the AP-5131 Rogue AP Detection feature has located a rogue device

2.
Getting Started

The AP-5131 should be installed in an area tested for radio coverage using one of the site survey tools available to the Symbol field service technician. Once an installation site has been identified, the installer should carefully follow the hardware precautions, requirements, mounting guidelines and power options outlined in Appendix 2, Hardware Installation on page 2-1.
• For instructions on installing the AP-5131 on a table top, see Desk Mounted Installations on page 2-11.
• For instructions on AP-5131 wall mounting, see Wall Mounted Installations on page 2-13.
• For instructions on mounting an AP-5131 to a ceiling T-bar, see Suspended Ceiling T-Bar Installations on page 2-15.
• For instructions on installing the AP-5131 in an above the ceiling attic space, see Above the Ceiling (Plenum) Installations on page 2-17.
3.3 Default Configuration Changes

The following table illustrates the changes made to the AP-5131 version 1.1 configuration as compared to the 1.0 version configuration:

WAN
• Version 1.0: DHCP client; Auto-Update Enabled
• Version 1.1: Static IP: 10.1.1.1; Static Mask: 255.0.0.0

LAN 1
• Version 1.0: Static IP: 192.168.0.1; Static Mask: 255.255.255.0; DHCP Server Enabled
• Version 1.1: DHCP Client; Auto-Update Enabled; Default Gateway; Ethernet Port Enabled

LAN 2
• Version 1.0: Not applicable in 1.0 release
• Version 1.1: Static IP: 192.168.1.
3.4.2 Connecting to the Access Point using the LAN Port

To initially connect to the AP-5131 using the access point’s LAN port:

1. The LAN port default is set to DHCP. Connect the AP-5131’s LAN port to a DHCP server. The AP-5131 will receive its IP address automatically.
2.
3.5 Basic Device Configuration

For the basic setup described in this section, the Java-based Web UI will be used to configure the AP-5131. Use the AP-5131’s LAN interface for establishing a link with the AP-5131. Configure the AP-5131 as a DHCP client. For optimal screen resolution, set your screen resolution to 1024 x 768 pixels or greater.

1. Log in using admin as the default user ID and symbol as the default password. Use your new password if it has been updated from default.
Enter the current password and a new admin password in fields provided, and click Apply. Once the admin password has been updated, a warning message displays stating the AP-5131 must be set to a country. The export function will always export the encrypted Admin User password. The import function will import the Admin Password only if the AP-5131 is set to factory default.
2. Enter a System Name for the AP-5131. The System Name is useful if multiple Symbol devices are being administered.
3. Select the Country for the AP-5131’s country of operation from the drop-down menu. The AP-5131 prompts the user for the correct country code on the first login. A warning message also displays stating that an incorrect country setting may result in illegal radio operation. Selecting the correct country is central to legally operating the AP-5131.
4. Optionally enter the IP address of the server used to provide system time to the AP-5131 within the Time Server field.

NOTE DNS names are not supported as a valid IP address. The user is required to enter a numerical IP address.

Once the IP address is entered, the AP-5131’s Network Time Protocol (NTP) functionality is engaged automatically.
e. Define a Default Gateway address for the AP-5131’s WAN connection. The ISP or a network administrator provides this address.
f. Specify the address of a Primary DNS Server. The ISP or a network administrator provides this address.

6. Optionally, use the Enable PPP over Ethernet checkbox to enable Point-to-Point over Ethernet (PPPoE) for a high-speed connection that supports this protocol. Most DSL providers are currently using or deploying this protocol.
c. If using the static or DHCP Server option, enter the network-assigned IP Address of the AP-5131.

NOTE DNS names are not supported as a valid IP address for the AP-5131. The user is required to enter a numerical IP address.

d. The Subnet Mask defines the size of the subnet. The first two sets of numbers specify the network domain, the next set specifies the subset of hosts within a larger network.
a. Enter the Extended Services Set Identification (ESSID) and name associated with the WLAN. For additional information on creating and editing up to 16 WLANs per AP-5131, see Creating/Editing Individual WLANs on page 5-24.
b. Use the Available On checkboxes to define whether the target WLAN is operating over the 802.11a or 802.11b/g radio. Ensure the radio selected has been enabled (see step 8).
c.
Multiple WLANs can share the same security policy, so be careful not to name security policies after specific WLANs or risk defining a WLAN to a single policy. Symbol recommends naming the policy after the attributes of the authentication or encryption type selected.

3. Select the WEP 128 (104 bit key) checkbox. The WEP 128 Settings field displays within the New Security Policy screen.
4.
Keys #1-4: Use the Key #1-4 fields to specify key numbers. The key can be either hexadecimal or ASCII depending on which option is selected from the drop-down menu. For WEP 64 (40-bit key), the keys are 10 hexadecimal characters in length or 5 ASCII characters. For WEP 128 (104-bit key), the keys are 26 hexadecimal characters in length or 13 ASCII characters. Select one of these keys for activation by clicking its radio button.
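The key formats described above, checked before a key set is typed into the AP-5131 and the MUs. This is an added example, not code from the guide or from Symbol; the function names are hypothetical, and it assumes each ASCII character supplies one key byte, so that an ASCII entry and its hexadecimal form on another device resolve to the same key.

```python
import string

# Key lengths stated in the guide: (hexadecimal characters, ASCII characters).
WEP_KEY_LENGTHS = {
    "WEP 64": (10, 5),    # 40-bit key
    "WEP 128": (26, 13),  # 104-bit key
}


def parse_wep_key(mode, fmt, value):
    """Return the key as raw bytes, or raise ValueError naming the problem.

    parse_wep_key is a hypothetical helper name, not an AP-5131 API.
    """
    if mode not in WEP_KEY_LENGTHS:
        raise ValueError(f"unknown mode {mode!r}")
    hex_len, ascii_len = WEP_KEY_LENGTHS[mode]
    if fmt == "hex":
        if len(value) != hex_len:
            raise ValueError(
                f"{mode} hex key needs {hex_len} characters, got {len(value)}")
        if any(c not in string.hexdigits for c in value):
            raise ValueError("hex key contains a non-hexadecimal character")
        return bytes.fromhex(value)
    if fmt == "ascii":
        if len(value) != ascii_len:
            raise ValueError(
                f"{mode} ASCII key needs {ascii_len} characters, got {len(value)}")
        if not (value.isascii() and value.isprintable()):
            raise ValueError("ASCII key contains a non-printable or non-ASCII character")
        # Assumption: each ASCII character supplies one key byte.
        return value.encode("ascii")
    raise ValueError(f"unknown format {fmt!r}")


def check_key_set(mode, fmt, keys, active):
    """Validate Key #1-4 and the key selected for activation.

    keys maps a key number (1-4) to the entered string. Returns
    (active_key_hex, problems); active_key_hex is None when the
    selected key is missing or invalid.
    """
    problems = []
    parsed = {}
    for number, value in sorted(keys.items()):
        if number not in (1, 2, 3, 4):
            problems.append(f"Key #{number}: only Key #1-4 exist")
            continue
        try:
            parsed[number] = parse_wep_key(mode, fmt, value)
        except ValueError as err:
            problems.append(f"Key #{number}: {err}")
    if active not in parsed:
        problems.append(f"Key #{active}: selected as active but not a valid key")
        return None, problems
    return parsed[active].hex(), problems


# Constructed sample input: the same WEP 64 key entered as ASCII on one
# device and as hexadecimal on another, plus one key of the wrong length.
SAMPLE_ASCII = {1: "abcde", 2: "toolongkey"}
SAMPLE_HEX = {1: "6162636465"}

if __name__ == "__main__":
    print(check_key_set("WEP 64", "ascii", SAMPLE_ASCII, active=1))
    print(check_key_set("WEP 64", "hex", SAMPLE_HEX, active=1))
```

Comparing the returned hexadecimal form on both sides catches the common mismatch where one device was given the ASCII string and the other a differently typed hex string.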
Packet Length: Specifies the length of each packet transmitted to the MU during the test. The default length is 100 bytes.

4. Click the Ping button to begin transmitting packets to the specified MU address. Refer to the Number of Responses value to assess the number of responses from the MU versus the number of ping packets transmitted by the AP-5131.
System Configuration

The Symbol AP-5131 contains a built-in browser interface for system configuration and remote management using a standard Web browser such as Microsoft Internet Explorer, Netscape Navigator or Mozilla Firefox. The browser interface also allows for system monitoring of the AP-5131. Web management of the AP-5131 requires either Microsoft Internet Explorer 5.0 or later or Netscape Navigator 6.0 or later.

NOTE For optimum compatibility, use Sun Microsystems’ JRE 1.
NOTE DNS names are not supported as a valid IP address for the AP-5131. The user is required to enter a numerical IP address.

System configuration topics include:

• Configuring System Settings
• Configuring Data Access
• Managing Certificate Authority (CA) Certificates
• Configuring SNMP Settings
• Configuring Network Time Protocol (NTP)
• Logging Configuration
• Importing/Exporting Configurations
• Updating Device Firmware

4.
System Configuration 2. Configure the AP-5131 System Settings field to assign a system name and location, set the country of operation and view device version information. System Name Specify a device name for the AP-5131. Symbol recommends selecting a name serving as a reminder of the user base the AP-5131 supports (engineering, retail, etc.). System Location Enter the location of the AP-5131. The System Location parameter acts as a reminder of where the AP can be found.
4-4 AP-5131 Access Point Product Reference Guide Country The AP-5131 prompts the user for the correct country code after the first login. A warning message also displays stating that an incorrect country setting will lead to an illegal use of the AP-5131. Use the pull-down menu to select the country of operation. Selecting the correct country is extremely important.
System Configuration Restore Default Configuration Select the Restore Default Configuration button to reset the AP’s configuration to factory default settings. If selected, a message displays warning the user the current configuration will be lost if the default configuration is restored. Before using this feature, Symbol recommends using the Config Import/Export screen to export the current configuration for safekeeping, see Importing/Exporting Configurations on page 4-37.
4-6 AP-5131 Access Point Product Reference Guide 7. Click Logout to securely exit the AP-5131 Symbol Access Point applet. A prompt displays confirming the logout before the applet is closed. 4.2 Configuring Data Access Use the AP-5131 Access screen to enable/disable data throughput to the AP-5131’s LAN1, LAN2 and/or WAN interfaces and display screens for changing administrator passwords.
Applet HTTP (port 80) - Select the LAN1, LAN2 and/or WAN checkboxes to enable access to the AP-5131 configuration applet using a Web browser.
Applet HTTPS (port 443) - Select the LAN1, LAN2 and/or WAN checkboxes to enable access to the AP-5131 configuration applet using Secure Sockets Layer (SSL) for encrypted HTTP sessions.
CLI TELNET (port 23) - Select the LAN1, LAN2 and/or WAN checkboxes to enable access to the AP-5131 CLI via the TELNET terminal emulation TCP/IP protocol.
4-8 AP-5131 Access Point Product Reference Guide Radius Designates that a Radius server is used in the authentication credential verification. If using this option, the connected PC is required to have its Radius credentials verified with an external Radius server. Additionally, the Radius Server’s Active Directory should have a valid user configured and have a PAP based Remote Access Policy configured for Radius Admin Authentication to work. 6.
4.3 Managing Certificate Authority (CA) Certificates
Certificate management includes the following sections:
• Importing a CA Certificate
• Creating Self Certificates for Accessing the VPN
4.3.1 Importing a CA Certificate
A certificate authority (CA) is a network authority that issues and manages security credentials and public keys for message encryption. The CA signs all digital certificates that it issues with its own private key.
4-10 AP-5131 Access Point Product Reference Guide 2. Copy the content of the CA Certificate message (using a text editor such as notepad) and then click on Paste from Clipboard. The content of the certificate displays in the Import a root CA Certificate field. 3. Click the Import root CA Certificate button to import it into the CA Certificate list. 4.
System Configuration To create a self certificate: 1. Select System Configuration -> Certificate Mgmt -> Self Certificates from the AP-5131 menu tree. 2. Click on the Add button to create the certificate request. The Certificate Request screen displays. 3. Complete the request form with the pertinent information. Only 4 values are required, the others optional: Key ID Enter a logical name for the certificate to help distinguish between certificates. The name can be up to 7 characters in length.
4-12 AP-5131 Access Point Product Reference Guide Subject The required Subject value contains important information about the certificate. Contact the CA signing the certificate to determine the content of the Subject parameter. Signature Algorithm Use the drop-down menu to select the signature algorithm used for the certificate. Options include: • MD5-RSA - Message Digest 5 algorithm in combination with RSA encryption. • SHA1-RSA - Secure Hash Algorithm 1 in combination with RSA encryption.
6. Click the Copy to Clipboard button. The content of the certificate request is copied to the clipboard. Create an email to your CA, paste the content of the request into the body of the message and send it to the CA. The CA signs the certificate and will send it back. Once received, copy the content from the email into the clipboard.
7. Click the Paste from clipboard button. The content of the email displays in the window.
4-14 AP-5131 Access Point Product Reference Guide 1. Select System Configuration -> Certificate Mgmt -> Self Certificates from the AP-5131 menu tree. 2. Click on the Add button to create the certificate request. The Certificate Request screen displays. 3. Complete the request form with the pertinent information. Key ID (required) Enter a logical name for the certificate to help distinguish between certificates. The name can be up to 7 characters in length.
System Configuration Signature Algorithm Use the drop-down menu to select the signature algorithm used for the certificate. Options include: • MD5-RSA - Message Digest 5 algorithm in combination with RSA encryption. • SHA1-RSA - Secure Hash Algorithm 1 in combination with RSA encryption. Key Length Defines the length of the key. Possible values are 512, 1024, and 2048. Symbol recommends setting this value to 1024 to ensure optimum functionality. 4.
7. Click the Copy to clipboard button. Save the certificate content to a secure location.
8. Connect to the Windows 2000 or 2003 server used to sign the certificate.
9. Select the Request a certificate option. Click Next to continue.
10. Select the Advanced request checkbox from within the Choose Request Type screen and click Next to continue.
11.
System Configuration A File Download screen displays prompting the user to select the download location for the certificate. 14. Click the Save button and save the certificate to a secure location. 15. Load the certificates on the AP-5131. ! CAUTION Ensure the CA Certificate is loaded before the Self Certificate, or risk an invalid certificate load. 16. Open the certificate file and copy its contents into the CA Certificates screen by clicking the Paste from Clipboard button.
4-18 AP-5131 Access Point Product Reference Guide NOTE The Symbol-AP-5131-MIB contains the majority of the information contained within the Symbol-CC-WS2000-MIB-2.0 file. This feature rich information has been validated with the Symbol WS2000 and proven reliable. The remaining portion of the Symbol-AP-5131-MIB contains supplemental information unique to the AP-5131 feature set. If using the Symbol-CC-WS2000-MIB-2.
Feature                      MIB
WNMP Ping Configuration      Symbol-AP-5131-MIB
System Settings              Symbol-CC-WS2000-MIB-2.0
Known AP Stats               Symbol-AP-5131-MIB
AP 5131 Access               Symbol-CC-WS2000-MIB-2.0
Flash LEDs                   Symbol-AP-5131-MIB
Certificate Mgt              Symbol-CC-WS2000-MIB-2.0
Automatic Update             Symbol-AP-5131-MIB
SNMP Access Configuration    Symbol-CC-WS2000-MIB-2.0
SNMP Trap Configuration      Symbol-CC-WS2000-MIB-2.0
NTP Server Configuration     Symbol-CC-WS2000-MIB-2.
community strings for read-only and read/write access. SNMP version 3 (v3) further enhances protocol features, providing much improved security. SNMP v3 encrypts transmissions and provides authentication for users generating requests.
To configure SNMP v1/v2c community definitions and SNMP v3 user definitions for the AP-5131:
1. Select System Configuration -> SNMP Access from the AP-5131 menu tree.
Delete - Select Delete to remove an SNMP v1/v2c community definition.
Community - Use the Community field to specify a site-appropriate name for the community. The name is required to match the name used within the remote network management software.
OID - Use the OID (Object Identifier) pull-down list to specify a setting of All or enter a Custom OID. Select All to assign the user access to all OIDs in the MIB. The OID field uses numbers expressed in dot notation.
4-22 AP-5131 Access Point Product Reference Guide Passwords Select Passwords to display the Password Settings screen for specifying authentication and password settings for an SNMP v3 user. The maximum password length is 11 characters. Use the Authentication Algorithm drop-down menu to specify MD5 or SHA1 as the authentication algorithm. Use the Privacy Algorithm drop-down menu to define an algorithm of DES or AES-128bit.
System Configuration 7. Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on the SNMP Access screen to the last saved configuration. 8. Click Logout to securely exit the AP-5131 Symbol Access Point applet. A prompt displays confirming the logout before the applet is closed.
2. Configure the SNMP Access Control screen to add the IP addresses of those users receiving SNMP access.
Access Control List - Enter Start IP and End IP addresses (numerical addresses only, no DNS names supported) to specify a range of users that can access the AP-5131 SNMP interface. An SNMP-capable client can be set up whereby only the administrator (for example) can use a read/write community definition.
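A planned set of Start IP / End IP entries can be reviewed offline before it is entered on the SNMP Access Control screen. The following is an added example, not part of the guide or of the AP-5131 software; the function names, the sample ranges, the station addresses and the 16-address width threshold are assumptions made for illustration.

```python
import ipaddress
from typing import List, NamedTuple, Sequence, Tuple


class AclRange(NamedTuple):
    """One Start IP / End IP pair from the Access Control List."""
    start: ipaddress.IPv4Address
    end: ipaddress.IPv4Address

    @property
    def size(self) -> int:
        # Number of addresses the range lets through, both ends included.
        return int(self.end) - int(self.start) + 1

    def covers(self, addr: ipaddress.IPv4Address) -> bool:
        return self.start <= addr <= self.end


def parse_range(start: str, end: str) -> AclRange:
    """Accept numerical IPv4 addresses only, as the screen does (no DNS names)."""
    try:
        lo, hi = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    except ipaddress.AddressValueError as exc:
        raise ValueError(f"ACL entries must be numerical IPv4 addresses: {exc}") from None
    if lo > hi:
        raise ValueError(f"Start IP {lo} is above End IP {hi}")
    return AclRange(lo, hi)


def review_acl(entries: Sequence[Tuple[str, str]],
               stations: Sequence[str],
               max_size: int = 16) -> Tuple[List[str], List[AclRange]]:
    """Return (management stations no range covers, ranges wider than max_size).

    max_size is an assumed review threshold, not a limit of the AP-5131.
    """
    ranges = [parse_range(start, end) for start, end in entries]
    uncovered = [
        s for s in stations
        if not any(r.covers(ipaddress.IPv4Address(s)) for r in ranges)
    ]
    too_wide = [r for r in ranges if r.size > max_size]
    return uncovered, too_wide


# Constructed sample data: one single-host entry for the administrator's
# station and one broad range that admits far more hosts than intended.
SAMPLE_ACL = [("192.168.10.5", "192.168.10.5"), ("10.1.0.0", "10.1.3.255")]
SAMPLE_STATIONS = ["192.168.10.5", "10.1.2.40", "172.16.0.9"]

if __name__ == "__main__":
    uncovered, too_wide = review_acl(SAMPLE_ACL, SAMPLE_STATIONS)
    for station in uncovered:
        print(f"station {station} is outside every ACL range")
    for r in too_wide:
        print(f"range {r.start}-{r.end} admits {r.size} addresses")
```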
System Configuration OK Click Ok to return to the SNMP Access screen. Click Apply within the SNMP Access screen to save any changes made on the SNMP Access Control screen. Cancel Click Cancel to undo any changes made on the SNMP Access Control screen. This reverts all settings for this screen to the last saved configuration. 4.4.2 Enabling SNMP Traps SNMP provides the ability to send traps to notify the administrator that trap conditions are met.
4-26 AP-5131 Access Point Product Reference Guide 2. Configure the SNMP v1/v2c Trap Configuration field (if SNMP v1/v2c Traps are used) to modify the following: Add Click Add to create a new SNMP v1/v2c Trap Configuration entry. Delete Click Delete to remove a selected SNMP v1/v2c Trap Configuration entry. Destination IP Specify a numerical (non DNS name) destination IP address for receiving the traps sent by the AP-5131 SNMP agent.
System Configuration Add Click Add to create a new SNMP v3 Trap Configuration entry. Delete Select Delete to remove an entry for an SNMP v3 user. Destination IP Specify a numerical (non DNS name) destination IP address for receiving the traps sent by the AP-5131 SNMP agent. Port Specify a destination User Datagram Protocol (UDP) port for receiving traps. Username Enter a username specific to the SNMP-capable client receiving the traps.
4-28 AP-5131 Access Point Product Reference Guide 4.4.3 Configuring Specific SNMP Traps Use the SNMP Traps screen to enable specific traps on the AP-5131. Symbol recommends defining traps to capture unauthorized devices operating within the AP-5131 coverage area. Trap configuration depends on the network machine that receives the generated traps. SNMP v1/v2c and v3 trap configurations function independently. In a mixed SNMP environment, traps can be sent using configurations for both SNMP v1/v2c and v3.
MU denied association - Generates a trap when an MU is denied association to an AP-5131 WLAN. Can be caused when the maximum number of MUs for a WLAN is exceeded or when an MU violates the AP-5131’s Access Control List (ACL).
MU denied authentication - Generates a trap when an MU is denied authentication on one of the AP’s WLANs. Can be caused by the MU being set for the wrong authentication type for the WLAN or by an incorrect key or password.
3.
4-30 AP-5131 Access Point Product Reference Guide System Cold Start Generates a trap when the AP-5131 re-initializes while transmitting, possibly altering the SNMP agent's configuration or protocol entity implementation. Configuration Changes Generates a trap whenever changes to the AP-5131’s configuration file are saved. Rogue AP detection Generates a trap if a Rogue AP is detected by the AP-5131. AP Radar detection Generates a trap if an AP is detected using a form of radar detection.
2. Configure the RF Trap Thresholds field to define device threshold values for SNMP traps.
NOTE Average Bit Speed, % of Non-Unicast, Average Signal, Average Retries, % Dropped and % Undecryptable are not AP-5131 statistics.
Pkts/s - Enter a maximum threshold for the total throughput in Pps (Packets per second).
Throughput - Set a maximum threshold for the total throughput in Mbps (Megabits per second).
4-32 AP-5131 Access Point Product Reference Guide % Dropped Enter a maximum threshold for the total percentage of packets dropped for each device. Dropped packets can be caused by poor RF signal or interference on the channel. % Undecryptable Define a maximum threshold for the total percentage of packets undecryptable for each device. Undecryptable packets can be the result of corrupt packets, bad CRC checks or incomplete packets.
NOTE The current time is not set accurately when initially connecting to the AP-5131. Until a server is defined to provide the AP-5131 the correct time, or the correct time is manually set, the AP-5131 displays 1970-01-01 00:00:00 as the default time.
To manage clock synchronization on the AP-5131:
1. Select System Configuration -> Date/Time from the AP-5131 menu tree.
2.
This option is disabled when the Enable NTP on AP-5131 checkbox has been selected, and therefore should be viewed as a second means to define the AP-5131 system time.
4. If using the Manual Date/Time Setting screen to define the AP-5131’s system time, refer to the Time Zone field to select the time to use as complementary information to the information entered within the Manual Date/Time Setting screen.
5.
System Configuration 4.6 Logging Configuration The AP-5131 provides the capability for periodically logging system events that prove useful in assessing the throughput and performance of the AP-5131 or troubleshooting problems on the AP-5131 managed Local Area Network (LAN). Use the Logging Configuration screen to set the desired logging level (standard syslog levels) and view or save the current AP-5131 system log. To configure event logging for the AP-5131: 1.
4-36 AP-5131 Access Point Product Reference Guide View Log Click View to save a log of events retained on the AP-5131. The system displays a prompt requesting the administrator password before saving the log. After the password has been entered, click Get File to display a dialogue with buttons to Open or Save the log.txt file. Click Save and specify a location to save the log file. Use the WordPad application to view the saved log.txt file on a Microsoft Windows based computer.
System Configuration 4. Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on the Logging Configuration screen to the last saved configuration. 5. Click Logout to securely exit the AP-5131 Symbol Access Point applet. A prompt displays confirming the logout before the applet is closed. 4.7 Importing/Exporting Configurations All of the configuration settings for an AP-5131 can be obtained from another AP-5131 in the form of a text file.
To create an importable/exportable AP-5131 configuration file:
1. Select System Configuration -> Config Import/Export from the AP-5131 menu tree.
2. Configure the FTP and TFTP Import/Export field to import/export configuration settings.
Filename - Specify the name of the configuration file to be written to the FTP or TFTP server.
System Configuration Username Specify a username to be used when logging in to the FTP server. A username is not required for TFTP server logins. Password Define a password allowing access to the FTP server for the import or export operation. Import Configuration Click the Import Configuration button to import the configuration file from the server with the assigned filename and login information.
4. Refer to the Status field to assess the completion of the import/export operation.
Status - After executing an operation (by clicking any of the buttons in the window), check the Status field for a progress indicator and messages about the success or errors in executing the Import/Export operation.
System Configuration NOTE Symbol recommends importing configuration files using the CLI. If errors occur using the CLI, they display all at once and are easier to troubleshoot. The AP-5131 GUI displays errors one at a time, and troubleshooting can be a more time-consuming process. 5. Click Apply to save the filename and Server IP information. The Apply button does not execute the import or export operation, only saves the settings entered. 6. Click Undo Changes (if necessary) to undo any changes made.
4-42 AP-5131 Access Point Product Reference Guide For detailed update scenarios involving both a Windows DHCP and a Linux BootP server configuration, see Configuring Automatic Updates using a DHCP or Linux BootP Server Configuration on page B-1. ! CAUTION Loaded and signed CA certificates will be lost when changing the AP-5131’s firmware version using either the GUI or CLI.
System Configuration 3. Configure the DHCP Options field to enable automatic firmware and/or configuration file updates. DHCP options are used for out-of-the-box rapid deployment for Symbol wireless products. The following are the two DHCP options available on the AP-5131: • Enable Automatic Firmware Update • Enable Automatic Configuration Update These options can be used to update newer firmware and configuration files on the AP-5131.
4-44 AP-5131 Access Point Product Reference Guide The DHCP Server needs to be configured with the above mentioned vendor specific options and vendor class identifier. The update is conducted over the LAN or WAN port depending on which is the active port at the time the firmware update request is made. Enable Automatic Firmware Update Select this checkbox to allow an automatic firmware update each time firmware versions are found to be different between the AP-5131 and the LAN or WAN interface.
System Configuration •Username - Specify a username for the FTP server login. •Password - Specify a password for FTP server login. Default is symbol. NOTE Click Apply to save the settings before performing the firmware update. The user is not able to navigate the AP-5131 user interface while the firmware update is in process. 9. Click the Perform Update button to initiate the update. Upon confirming the firmware update, the AP reboots and completes the update.
11. Confirm the AP-5131 configuration is the same as it was before the firmware update. If it is not, restore the settings. Refer to Importing/Exporting Configurations on page 4-37 for instructions on exporting the configuration back to the AP-5131.
12. Click Apply to save the filename and filepath information entered into the Firmware Update screen. The Apply button does not execute the firmware update; it only saves the update settings entered.
13.
System Configuration NOTE For a discussion on the implications of replacing an existing Symbol AP-4131 deployment with an AP-5131, see Replacing an AP-4131 with an AP-5131 on page B-19.
Network Management
Configuring network management includes configuring network aspects in numerous areas. See the following sections for more information on AP-5131 network management:
• Configuring the LAN Interface
• Configuring WAN Settings
• Enabling Wireless LANs (WLANs)
• Configuring Router Settings
5.1 Configuring the LAN Interface
The AP-5131 has one physical LAN port supporting two unique LAN interfaces. The AP-5131 LAN port has its own MAC address.
5-2 AP-5131 Access Point Product Reference Guide Use the LAN Configuration screen to enable one (or both) of an AP-5131’s LAN interfaces, assign them names, define which LAN is currently active on the AP-5131 Ethernet port and assign a timeout value to disable the LAN connection if no data traffic is detected within a defined interval. To configure the AP-5131 LAN interface: 1. Select Network Configuration -> LAN from the AP-5131 menu tree. 2.
Network Management Ethernet Port The Ethernet Port radio buttons allow you to select one of the two available LANs as the LAN actively transmitting over the AP-5131’s LAN port. Both LANs can be active at any given time, but only one can transmit over the AP-5131 physical LAN connection, thus the selected LAN has priority. Enable 802.1q Trunking Select the Enable 802.1q Trunking checkbox to enable the LAN to conduct VLAN tagging.
5-4 AP-5131 Access Point Product Reference Guide 5. Click Logout to securely exit the AP-5131 Symbol Access Point applet. A prompt displays confirming the logout before the applet is closed. 5.1.1 Configuring VLAN Support A Virtual Local Area Network (VLAN) is a means to electronically separate data on the same AP-5131 from a single broadcast domain into separate broadcast domains.
Network Management AP-5131. The AP-5131 then maps the target WLAN for the assigned VLAN and traffic passes normally, allowing for the completion of the DHCP request and further traffic. To create new VLANs or edit the properties of an existing VLAN: 1. Select Network Configuration -> LAN from the AP-5131 menu tree. 2. Ensure the Enable 802.1q Trunking button is selected from within the LAN Setting field. Trunk links are required to pass VLAN information between destinations.
To create a new VLAN, click the Create button. To edit the properties of an existing VLAN, click the Edit button.
4. Assign a unique VLAN ID (from 1 to 4095) to each VLAN added or modified. The VLAN ID associates a frame with a specific VLAN and provides the information the AP-5131 needs to process the frame across the network. Therefore, it may be practical to assign a name to a VLAN representative of the area or type of network traffic it represents.
8. Enter a Management VLAN Tag for LAN1 and LAN2. The Management VLAN uses a default tag value of 1. The Management VLAN is used to distinguish VLAN traffic flows for the LAN. The trunk port marks the frames with special tags as they pass between the AP-5131 and its destination; these tags help distinguish data traffic. Authentication servers (such as Radius and Kerberos) must be on the same Management VLAN.
arrives on the AP-5131, it queries the VMPS for the VLAN assignment based on the source MAC address of the arriving frame. If statically mapping VLANs, leave the Dynamic checkbox specific to the target WLAN and its intended VLAN unselected. The administrator is then required to configure VLAN memberships manually. The Dynamic checkbox is enabled only when a WLAN has EAP security configured. Otherwise, the checkbox is disabled.
12.
Network Management 2. Configure the DHCP Configuration field to define the DHCP settings used for the LAN. NOTE Symbol recommends the WAN and LAN ports should not both be configured as DHCP clients. This interface is a DHCP Client Select this button to enable DHCP to set AP-5131 network address information via this LAN1 or LAN2 connection. This is recommended if the AP-5131 resides within a large corporate network or the Internet Service Provider (ISP) uses DHCP.
5-10 AP-5131 Access Point Product Reference Guide This interface is a BOOTP Client Select this button to enable BOOTP to set AP-5131 network address information via this LAN1 or LAN2 connection. When selected, only BOOTP responses are accepted by the AP-5131. If both DHCP and BOOTP services are required, do not select BOOTP Client. This interface uses static IP Address Select the This interface uses static IP Address button, and manually enter static network address information in the areas provided.
Network Management Secondary DNS Server Symbol recommends entering the numerical IP address of an additional DNS server (if available), used if the primary DNS server goes down. A maximum of two DNS servers can be used. WINS Server Enter the numerical (non DNS name) IP address of the WINS server. WINS is a Microsoft NetBIOS name server. Using a WINS server eliminates the broadcasts needed to resolve computer names to IP addresses by providing a cache or database of translations.
5-12 AP-5131 Access Point Product Reference Guide available IP addresses. This is useful, for example, in education and customer environments where MU users change frequently. Use longer leases if there are fewer users. To generate a list of client MAC address to IP address mappings for the AP-5131: 1. Select Network Configuration -> LAN -> LAN1 (or LAN2) from the AP-5131 menu tree. 2. Click the Advanced DHCP Server button from within the LAN1 or LAN2 screen. 3.
7. Click Cancel to undo any changes made. Undo Changes reverts the settings displayed to the last saved configuration.
5.1.2.2 Setting the Type Filter Configuration
Each AP-5131 LAN (either LAN1 or LAN2) can keep a list of frame types that it forwards or discards. The Type Filtering feature prevents specific (and potentially unnecessary) frames from being processed by the AP-5131 in order to improve throughput.
5-14 AP-5131 Access Point Product Reference Guide 3. To add an Ethernet type, click the Add button. The Add Ethernet Type screen displays. Use this screen to add one type filter option at a time, for a list of up to 16 entries. Packet types supported for the type filtering function include 16-bit DIX Ethernet types as well as Symbol proprietary types. Select an Ethernet type from the drop down menu, or enter the Ethernet type’s hexadecimal value.
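To see what a type filter list does to individual frames, the following added example (not part of the guide or of the AP-5131 firmware) models a per-LAN list of up to 16 DIX Ethernet types and applies it to constructed frames. The forward/discard mode names, looking past an 802.1Q tag to the inner type, and treating 802.3 length-encoded frames as unlisted are assumptions of this sketch, not documented AP-5131 behavior.

```python
import struct
from typing import NamedTuple, Optional

MAX_ENTRIES = 16       # the Add Ethernet Type screen allows a list of up to 16 entries
TPID_8021Q = 0x8100    # 802.1Q tag protocol identifier
DIX_MIN = 0x0600       # smaller values in the type field are 802.3 lengths, not DIX types


class FrameInfo(NamedTuple):
    ethertype: Optional[int]   # None for an 802.3 length-encoded frame
    vlan_id: Optional[int]     # None when the frame carries no 802.1Q tag


def parse_frame(frame: bytes) -> FrameInfo:
    """Extract the 16-bit type field, stepping over one 802.1Q tag if present."""
    if len(frame) < 14:
        raise ValueError("frame is shorter than an Ethernet header")
    (field,) = struct.unpack_from("!H", frame, 12)
    vlan_id = None
    if field == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, field = struct.unpack_from("!HH", frame, 14)
        vlan_id = tci & 0x0FFF          # low 12 bits of the tag carry the VLAN ID
    if field < DIX_MIN:
        return FrameInfo(None, vlan_id)
    return FrameInfo(field, vlan_id)


class TypeFilter:
    """mode 'forward': only listed types pass; mode 'discard': listed types are dropped."""

    def __init__(self, mode: str, ethertypes=()):
        if mode not in ("forward", "discard"):
            raise ValueError("mode must be 'forward' or 'discard'")
        self.mode = mode
        self.types = []
        for value in ethertypes:
            self.add(value)

    def add(self, value) -> None:
        # Accept an int or the hexadecimal value as typed, e.g. "0x86DD" or "86DD".
        ethertype = int(value, 16) if isinstance(value, str) else int(value)
        if not DIX_MIN <= ethertype <= 0xFFFF:
            raise ValueError(f"0x{ethertype:04X} is not a 16-bit DIX Ethernet type")
        if ethertype in self.types:
            return
        if len(self.types) >= MAX_ENTRIES:
            raise ValueError("the filter list already holds 16 entries")
        self.types.append(ethertype)

    def allows(self, frame: bytes) -> bool:
        info = parse_frame(frame)
        # Assumption: a frame with no DIX type can never match a list entry.
        listed = info.ethertype is not None and info.ethertype in self.types
        return listed if self.mode == "forward" else not listed


def build_frame(type_field: int, vlan_id: Optional[int] = None,
                payload: bytes = b"\x00" * 46) -> bytes:
    """Constructed sample frame: broadcast destination, locally administered source."""
    header = b"\xff" * 6 + bytes.fromhex("020000000001")
    if vlan_id is not None:
        header += struct.pack("!HH", TPID_8021Q, vlan_id & 0x0FFF)
    return header + struct.pack("!H", type_field) + payload


if __name__ == "__main__":
    lan1 = TypeFilter("discard", ["0x86DD", 0x8137])   # constructed list: IPv6 and IPX
    for label, frame in [("IPv4", build_frame(0x0800)),
                         ("IPv6", build_frame(0x86DD)),
                         ("IPv6 on VLAN 20", build_frame(0x86DD, vlan_id=20)),
                         ("802.3 length frame", build_frame(0x002E))]:
        print(f"{label}: {'forward' if lan1.allows(frame) else 'discard'}")
```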
Network Management To configure WAN settings for the AP-5131: 1. Select Network Configuration -> WAN from the AP-5131 menu tree. 2. Refer to the WAN IP Configuration field to enable the WAN interface, and set network address information for the WAN connection. NOTE Symbol recommends that the WAN and LAN ports should not both be configured as DHCP clients.
5-16 AP-5131 Access Point Product Reference Guide This interface is a DHCP Client This checkbox enables DHCP for the AP-5131 WAN connection. This is useful, if the larger corporate network or Internet Service Provider (ISP) uses DHCP. DHCP is a protocol that includes mechanisms for IP address allocation and delivery of host-specific configuration parameters from a DHCP server to a host. Some of these parameters are IP address, network mask, and gateway.
Network Management More IP Addresses Click the More IP Addresses button to specify additional static IP addresses for the AP-5131. Additional IP addresses are required when users within the WAN need dedicated IP addresses, or when servers need to be accessed (addressed) by the outside world. The More IP Addresses screen allows the administrator to enter up to seven additional WAN IP addresses for the AP-5131 WAN. Only numeric, non-DNS names can be used.
5-18 AP-5131 Access Point Product Reference Guide Keep-Alive Select the Keep-Alive checkbox to maintain the AP-5131 WAN connection indefinitely (no timeout interval). Some ISPs terminate inactive connections. Enabling Keep-Alive keeps the AP-5131 WAN connection active, even when there is no traffic. If the ISP drops the connection after an idle period, the AP-5131 automatically re-establishes the connection to the ISP. Enabling Keep-Alive mode disables (grays out) the Idle Time field.
Network Management 5.2.1 Configuring Network Address Translation (NAT) Settings Network Address Translation (NAT) converts an IP address in one network to a different IP address or set of IP addresses in another network. The AP-5131 router maps its local (inside) network addresses to WAN (outside) IP addresses, and translates the WAN IP addresses on incoming packets to local IP addresses.
5-20 AP-5131 Access Point Product Reference Guide 2. Configure the Address Mappings field to generate a WAN IP address, define the NAT type and set outbound/inbound NAT mappings. WAN IP Address The WAN IP addresses on the NAT screen are dynamically generated from address settings applied on the WAN screen. NAT Type Specify the NAT Type as 1 to 1 to map a WAN IP address to a single host (local) IP address.
Network Management 5. Click Logout to securely exit the AP-5131 Symbol Access Point applet. A prompt displays confirming the logout before the applet is closed. 5.2.1.1 Configuring Port Forwarding Use the Port Forwarding screen to configure port forwarding parameters for inbound traffic from the associated WAN IP address. To configure port forwarding for the AP-5131: 1. Select Network Configuration -> WAN -> NAT from the AP-5131 menu tree. 2. Select 1 to 1 or 1 to Many from the NAT Type drop-down menu. 3.
5-22 AP-5131 Access Point Product Reference Guide Transport Use the Transport pull-down menu to specify the transport protocol used in this service. The choices are ALL, TCP, UDP, ICMP, AH, ESP, and GRE. Start Port and End Port Enter the port or ports used by the port forwarding service. To specify a single port, enter the port number in the Start Port area. To specify a range of ports, use both the Start Port and End Port options to enter the port numbers.
Network Management To configure WLANs on the AP-5131: 1. Select Network Configuration -> Wireless from the AP-5131 menu tree. If a WLAN is defined, that WLAN displays within the Wireless Configuration screen. When the AP-5131 is first booted, WLAN1 exists as a default WLAN available immediately for connection. 2. Refer to the information within the Wireless Configuration screen to view the name, ESSID, AP-5131 radio designation, VLAN ID and security policy of existing WLANs.
Radio - The Radio field displays the name of the AP-5131 radio the WLAN is mapped to (either the 802.11a radio or the 802.11b/g radio). To change the radio designation for a specific WLAN, see Creating/Editing Individual WLANs on page 5-24.
VLAN - The VLAN field displays the specific VLAN the target WLAN is mapped to. For information on VLAN configuration for the WLAN, see Configuring VLAN Support on page 5-4.
Network Management NOTE Before editing the properties of an existing WLAN, ensure it is not being used by an AP-5131 radio, or is a WLAN that is needed in its current configuration. Once updated, the previous configuration is not available unless saved. Use the New WLAN and Edit WLAN screens as required to create/modify a WLAN. To create a new WLAN or edit the properties of an existing WLAN: 1. Select Network Configuration -> Wireless from the AP-5131 menu tree. The Wireless Configuration screen displays.
5-26 AP-5131 Access Point Product Reference Guide 3. Set the parameters in the Configuration field as required for the WLAN. ESSID Enter the Extended Services Set Identification (ESSID) associated with the WLAN. The WLAN name is auto-generated using the ESSID until changed by the user. The maximum number of characters that can be used for the ESSID is 32.
Name - Define or revise the name for the WLAN. The name should be a logical representation of WLAN coverage area (engineering, marketing etc.). The maximum number of characters that can be used for the name is 31.
Available On - Use the Available On checkboxes to define whether the WLAN you are creating or editing is available to clients on either the 802.11a or 802.11b/g radio (or both radios).
CAUTION A WLAN cannot be enabled for both mesh and hotspot support at the same time. Only one of these two options can be enabled at one time, as the AP-5131 GUI and CLI will prevent both from being enabled.
NOTE If 802.11a is selected as the radio used for the WLAN, the WLAN cannot use a Kerberos supported security policy.
4. Configure the Security field as required to set the data protection requirements for the WLAN.
Disallow MU to MU Communication The AP-5131’s MU-MU Disallow feature prohibits MUs from communicating with each other even if they are on different WLANs, assuming one of the WLANs is configured to disallow MU-MU communication. Therefore, if an MU’s WLAN is configured for MU-MU disallow, it will not be able to communicate with any other MUs connected to this AP-5131.
Use Secure Beacon Select the Use Secure Beacon checkbox to not transmit the AP-5131’s ESSID.
security requirements of the WLAN. Once new policies are defined, they are available within the New WLAN or Edit WLAN screens and can be mapped to any WLAN. A single security policy can be used by more than one WLAN if it is logical to do so. For example, there may be two or more WLANs within close proximity of each other requiring the same data protection scheme.
To create a new security policy or modify an existing policy:
1.
2. Click Logout to exit the Security Configuration screen.
5.3.1.2 Configuring a WLAN Access Control List (ACL)
An Access Control List (ACL) affords a system administrator the ability to grant or restrict MU access by specifying an MU MAC address or range of MAC addresses to either include or exclude from AP-5131 connectivity.
The Mobile Unit Access Control List Configuration screen displays with existing ACL policies and their current WLAN (if mapped to a WLAN).
NOTE When the AP-5131 is first launched, a single ACL policy (default) is available and mapped to WLAN 1. It is anticipated numerous additional ACL policies will be created as the list of WLANs grows.
2.
Either the New MU ACL Policy or Edit MU ACL Policy screens display.
3. Assign a name to the new or edited ACL policy that represents an inclusion or exclusion policy specific to a particular type of MU traffic you may want to use with a single or group of WLANs. More than one WLAN can use the same ACL policy.
4. Configure the parameters within the Mobile Unit Access Control List field to allow or deny MU access to the AP-5131. The MU adoption list identifies MUs by their MAC address.
5. Click Apply to save any changes to the New MU ACL Policy or Edit MU ACL Policy screen and return to the Mobile Unit Access Control List Configuration screen. Navigating away from the screen without clicking Apply results in all changes to the screens being lost.
6. Click Cancel to securely exit the New MU ACL Policy or Edit MU ACL Policy screen and return to the Mobile Unit Access Control List Configuration screen.
7.
2. Click the Create button to configure a new QoS policy, or select a policy and click the Edit button to modify an existing QoS policy. The AP-5131 supports a maximum of 16 QoS policies.
3. Assign a name to the new or edited QoS policy that makes sense to the AP-5131 traffic receiving priority. More than one WLAN can use the same QoS policy.
4. Select the Support Voice prioritization checkbox to allow legacy voice prioritization. Certain products may not receive priority over other voice or data traffic.
5. Use the two Multicast Address fields to specify one or two MAC addresses to be used for multicast applications. Some VoIP devices make use of multicast addresses. Using this mechanism ensures that the multicast packets for these devices are not delayed by the packet queue.
6. Use the drop-down menu to select the radio traffic best representing the network requirements of this WLAN.
Background Background traffic is typically of a low priority (file transfers, print jobs, etc.). Background traffic typically does not have strict latency (arrival) and throughput requirements.
Best Effort Best Effort traffic includes traffic from legacy devices or applications lacking QoS capabilities. Best Effort traffic is negatively impacted by data transfers with long delays as well as multimedia traffic.
TXOPs Time ms TXOP times range from 0.2 ms (background priority) to 3 ms (video priority) in an 802.11a network, and from 1.2 ms to 6 ms in an 802.11b/g network. The TXOP bursting capability greatly enhances the efficiency for high data rate traffic such as streaming video.
9. Click Apply to save any changes to the New QoS Policy or Edit QoS Policy screen to return to the Quality of Service Configuration screen.
5.3.1.4 Configuring WLAN Hotspot Support
The AP-5131 enables hotspot operators to provide user authentication and accounting without a special client application. The AP-5131 uses a traditional Internet browser as a secure authentication device. Rather than rely on built-in 802.11 security features to control AP-5131 association privileges, configure a WLAN with no WEP (an open network).
3. Refer to the HTTP Redirection field to specify how the Login, Welcome, and Fail pages are maintained for this specific WLAN. The pages can be hosted locally or remotely.
Use Default Files Select the Use Default Files checkbox if the login, welcome and fail pages reside on the AP-5131.
Use External URL Select the Use External URL checkbox to define a set of external URLs for hotspot users to access the login, welcome and fail pages.
Welcome Page URL Define the complete URL for the location of the Welcome page. The Welcome page asserts the hotspot user has logged in successfully and can access the Internet.
Fail Page URL Define the complete URL for the location of the Fail page. The Fail screen asserts the hotspot authentication attempt failed, you are not allowed to access the Internet and you need to provide correct login information to access the Internet.
5.
Select mode Use the Select mode drop-down menu to define whether an Internal or External server is to be used for the primary server.
Pri Server IP Define the IP address of the primary Radius server. This is the address of your first choice for Radius server.
Pri Port Enter the TCP/IP port number for the server acting as the primary Radius server. The default port is 1812.
Pri Secret Enter the shared secret password used with the primary Radius Server.
When a client requests a URL from a Web server, the login handler returns an HTTP redirection status code (for example, 301 Moved Permanently), which indicates to the browser it should look for the page at another URL. This other URL can be a local or remote login page (based on the hotspot configuration). The login page URL is specified in the Location HTTP header.
5.3.2 Setting the WLAN’s Radio Configuration
Each AP-5131 WLAN can have a separate 802.11a or 802.11b/g radio configured and mapped to that WLAN. The first step is to enable the radio. One of two possible radio configuration pages is available on the AP-5131 depending on which model SKU is purchased. If the AP-5131 is a single-radio model, the Radio Configuration screen enables you to configure the single radio for either 802.11a or 802.11b/g use.
2. Enable the radio(s) using the Enable checkbox(es). Refer to the RF Band of Operation parameter to ensure you are enabling the correct 802.11a or 802.11b/g radio. After the settings are applied within this Radio Configuration screen, the Radio Status and MUs connected values update. If this is an existing radio within a mesh network, these values update in real-time.
The maximum number of client bridge connections per AP-5131 radio is 12, with 24 representing the maximum for dual-radio models.
CAUTION An AP-5131 in Base Bridge mode logs out whenever a Client Bridge associates to the Base Bridge over the LAN connection. This problem is not experienced over the AP-5131’s WAN connection. If this situation is experienced, log in to the AP-5131 again.
within the BBs Connected field. If this is an existing radio within a mesh network, these values update in real-time.
6. Click the Advanced button to define a prioritized list of access points to define Mesh Connection links. For a detailed overview on mesh networking and how to configure the AP-5131 radio for mesh networking support, see Configuring Mesh Networking on page 9-1.
7. Click Apply to save any changes to the Radio Configuration screen.
On a single-radio AP-5131, Radio1 could either be an 802.11a or 802.11b/g radio depending on which radio has been enabled.
2. Configure the Properties field to assign a name and placement designation for the radio.
Placement Use the Placement drop-down menu to specify whether the radio is located outdoors or indoors. Default placement depends on the country of operation selected for the AP-5131.
ERP Protection Extended Rate PHY (ERP) allows 802.11g MUs to interoperate with 802.11b only MUs. ERP Protection is managed automatically by the AP-5131 and informs users when 802.11b MUs are present within the AP-5131’s coverage area. The presence of 802.11b MUs within the 802.11g coverage area negatively impacts network performance, so this feature should be looked to as an indicator of why network performance has been degraded.
3.
Set Rates Click the Set Rates button to display a window for selecting minimum and maximum data transmit rates for the radio. At least one Basic Rate must be selected as a minimum transmit rate value. Supported Rates define the data rate the radio defaults to if a higher selected data rate cannot be maintained. Click OK to implement the selected rates and return to the 802.11a or 802.11b/g radio configuration screen.
Beacon Interval The beacon interval controls the performance of power save stations. A small interval may make power save stations more responsive, but it will also cause them to consume more battery power. A large interval makes power save stations less responsive, but could increase power savings. The default is 100. Avoid changing this parameter as it can adversely affect performance.
Set RF QoS Click the Set RF QoS button to display the Set RF QOS screen to set QoS parameters for the AP-5131 radio. Do not confuse with the QoS configuration screen used for a WLAN. The Set RF QoS screen initially appears with default values displayed. Select manual from the Select Parameter set drop-down menu to edit the CW min and CW max (contention window), AIFSN (Arbitrary Inter-Frame Space Number) and TXOPs Time for each Access Category. These are the QoS policies for the 802.
Defining Primary WLANs allows an administrator to dedicate BSSIDs (4 BSSIDs are available for mapping) to WLANs. From that initial BSSID assignment, Primary WLANs can be defined from within the WLANs assigned to BSSID groups 1 through 4. Each BSSID beacons only on the primary WLAN. The user should assign each WLAN to its own BSSID.
BSSID Assign a BSSID value of 1 through 4 to a WLAN in order to map the WLAN to a specific BSSID.
BC/MC Cipher A read only field displaying the downgraded BC/MC (Broadcast/Multicast) cipher for a WLAN based on the BSSID and VLAN ID to which it has been mapped.
2. Use the Bandwidth Share Mode drop-down menu to define the order enabled WLANs receive AP-5131 services. Select one of the following three options:
First In First Out WLANs receive services from the AP-5131 on a first-come, first-served basis. This is the default setting.
Round-Robin Each WLAN receives AP-5131 services in turn as long as the AP-5131 has data traffic to forward.
WLAN Name Displays the name of the WLAN. This field is read-only. To change the name of the WLAN, see Creating/Editing Individual WLANs on page 5-24.
Weight This column is not available unless Weighted Round-Robin is selected. Assign a weight to each WLAN. This percentage equals the AP-5131 bandwidth share for that WLAN when network traffic is detected.
Weight (%) This column is automatically updated with the appropriate WLAN bandwidth share when the Weight is modified.
2. Refer to the AP-5131 Router Table field to view existing routes. The AP-5131 Router Table field displays a list of connected routes between an enabled subnet and the router. These routes can be changed by modifying the IP address and subnet masks of the enabled subnets. The information in the AP-5131 Router Table is dynamically generated from settings applied on the WAN screen. The destination for each subnet is its IP address.
5. Use the User Defined Routes field to add or delete static routes. The User Defined Routes field allows the administrator to view, add or delete internal static (dedicated) routes.
a. Click the Add button to create a new table entry.
b. Highlight an entry and click the Del (delete) button to remove an entry.
c. Specify the destination IP address, subnet mask, and gateway information for the internal static route.
d.
RIP v2 RIP version 2 enables the use of a simple authentication mechanism to secure table updates. More importantly, RIP version 2 supports subnet masks, a critical feature not available in RIP version 1. This selection is not compatible with RIP version 1 support.
2. Select a routing direction from the RIP Direction drop-down menu. Both (for both directions), Rx only (receive only), and TX only (transmit only) are available options.
3.
None This option disables the RIP authentication.
Simple This option enables RIP version 2’s simple authentication mechanism. This setting activates the Password (Simple Authentication) field.
MD5 This option enables the MD5 algorithm for data verification. MD5 takes as input a message of arbitrary length and produces a 128-bit fingerprint. The MD5 setting activates the RIP v2 Authentication settings for keys (below).
4.
Configuring Access Point Security
Security measures for the AP-5131 and its WLANs are critical. Use the available AP-5131 security options to protect the AP-5131 LAN from wireless vulnerabilities, and safeguard the transmission of RF packets between the AP-5131 and its associated MUs. WLAN security can be configured on an ESS by ESS basis on the AP-5131. Sixteen separate ESSIDs (WLANs) can be supported on an AP-5131, and must be managed (if necessary) between the 802.11a and 802.11b/g radio.
NOTE Security for the AP-5131 can be configured in various locations throughout the AP-5131 menu structure. This chapter outlines the security options available to the AP-5131, and the menu locations and steps required to configure specific security measures.
6.
6.2 Setting Passwords
Before setting the AP-5131 security parameters, verify an administrative password for the AP-5131 has been created to restrict access to the device before advanced device security is configured.
To password protect and restrict AP-5131 device access:
1. Connect a wired computer to the AP-5131 LAN port using a standard CAT-5 cable.
2. Set up the computer for TCP/IP DHCP network addressing and make sure the DNS settings are not hardcoded.
3.
4. Log in using “admin” as the default User ID and “symbol” as the default Password. If the default login is successful, the Change Admin Password window displays. Change the default login and password to significantly decrease the likelihood of hacking.
CAUTION Restoring the AP-5131’s configuration back to default settings changes the administrative password back to “symbol.
4. Press or to access the AP-5131 CLI. A serial connection has now been established and the user should be able to view the serial connection window.
5. Reset the AP-5131. An AP-5131 can be reset by removing and re-inserting the LAN cable or removing and reinserting the power cable. As the AP-5131 is re-booting, a “Press esc key to run boot firmware” message displays.
6. Quickly press .
Each WLAN (16 WLANs available in total to an AP-5131 regardless of the model) can have a separate security policy. However, more than one WLAN can use the same security policy. Therefore, to avoid confusion, do not name security policies the same name as WLANs. Once security policies have been created, they are selectable within the Security field of each WLAN screen.
NOTE An existing security policy can be edited from the Security Configuration screen by selecting an existing policy and clicking the Edit button. Use the Edit Security Policy screen to edit the policy. For more information on editing an existing security policy, refer to security configuration sections described in steps 4 and 5.
3. Use the Name field to define a logical security policy name.
WEP 128 (104-bit key) Select the WEP 128 (104 bit key) button to display the WEP 128 Settings field within the New Security Policy screen. For specific information on configuring WEP 128, see Configuring WEP Encryption on page 6-16.
KeyGuard Select the KeyGuard button to display the KeyGuard Settings field within the New Security Policy screen. For specific information on configuring KeyGuard, see Configuring KeyGuard Encryption on page 6-18.
7. Click Cancel to return to the target WLAN screen without keeping any of the changes made within the New Security Policy screen.
6.4 Configuring Kerberos Authentication
Kerberos (designed and developed by MIT) provides strong authentication for client/server applications using secret-key cryptography. Using Kerberos, a client must prove its identity to a server (and vice versa) across an insecure network connection.
3. Select the Kerberos radio button. The Kerberos Configuration field displays within the New Security Policy screen.
4. Ensure the Name of the security policy entered suits the intended configuration or function of the policy.
5. Set the Kerberos Configuration field as required to define the parameters of the Kerberos authentication server and AP-5131.
Realm Name Specify a realm name that is case-sensitive, for example, SYMBOL.COM.
Backup KDC Optionally, specify a numerical (non-DNS) IP address and port for a backup KDC. Backup KDCs are referred to as slave servers. The slave server periodically synchronizes its database with the primary (or master) KDC.
Remote KDC Optionally, specify a numerical (non-DNS) IP address and port for a remote KDC. Kerberos implementations can use an administration server allowing remote manipulation of the Kerberos database.
3. Select the 802.1x EAP radio button. The 802.1x EAP Settings field displays within the New Security Policy screen.
4. Ensure the Name of the security policy entered suits the intended configuration or function of the policy.
5. If using the AP-5131’s Internal Radius server, leave the Radius Server drop-down menu in the default setting of Internal. If an external Radius server is used, select External from the drop-down menu.
6.
Radius Server Address If using an External Radius Server, specify the numerical (non-DNS) IP address of a primary Remote Dial-In User Service (Radius) server. Optionally, specify the IP address of a secondary server. The secondary server acts as a failover server if the primary server cannot be contacted. An ISP or a network administrator provides these addresses.
7. Select the Accounting tab as required to define a timeout period and retry interval Syslog for MUs interoperating with the AP-5131 and EAP authentication server. The items within this tab could be enabled or disabled depending on whether Internal or External has been selected from the Radius Server drop-down menu.
Period (30-9999) secs Set the EAP reauthentication period to a shorter time interval (at least 30 seconds) for tighter security on the WLAN's connections. Set the EAP reauthentication period to a longer time interval (at most, 9999 seconds) to relax security on wireless connections. The reauthentication period setting does not affect wireless connection throughput. The default is 3600 seconds.
Max.
11. Click the Cancel button to undo any changes made within the 802.1x EAP Settings field and return to the WLAN screen. This reverts all settings for the 802.1x EAP Settings field to the last saved configuration.
6.6 Configuring WEP Encryption
Wired Equivalent Privacy (WEP) is a security protocol specified in the IEEE Wireless Fidelity (Wi-Fi) standard.
5. Configure the WEP 64 Settings or WEP 128 Settings field as required to define the Pass Key used to generate the WEP keys. These keys must be the same between the AP-5131 and its MU to encrypt packets between the two devices.
Pass Key Specify a 4 to 32 character pass key and click the Generate button. The pass key can be any alphanumeric string.
Key 1 1011121314
Key 2 2021222324
Key 3 3031323334
Key 4 4041424344
Default (hexadecimal) keys for WEP 128 include:
Key 1 101112131415161718191A1B1C
Key 2 202122232425262728292A2B2C
Key 3 303132333435363738393A3B3C
Key 4 404142434445464748494A4B4C
6. Click the Apply button to save any changes made within the WEP 64 Setting or WEP 128 Setting field of the New Security Policy screen.
7.
3. Select the KeyGuard radio button. The KeyGuard Settings field displays within the New Security Policy screen.
4. Ensure the Name of the security policy entered suits the intended configuration or function of the policy.
5. Configure the KeyGuard Settings field as required to define the Pass Key used to generate the WEP keys used with the KeyGuard algorithm.
Default (hexadecimal) keys for KeyGuard include:
Key 1 101112131415161718191A1B1C
Key 2 202122232425262728292A2B2C
Key 3 303132333435363738393A3B3C
Key 4 404142434445464748494A4B4C
6. Select the Allow WEP128 Clients checkbox (from within the KeyGuard Mixed Mode field) to enable WEP128 clients to associate with an AP-5131’s KeyGuard supported WLAN.
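Because the default WEP 64, WEP 128 and KeyGuard keys are printed in this guide, a configuration audit should reject them. The following is an added example, not code from Symbol or the AP-5131; the function names, the separator handling and the extra pattern checks are assumptions made for illustration, and the sample policy is constructed.

```python
import re

# Default hexadecimal keys exactly as printed in this guide
# (WEP 64, WEP 128 and KeyGuard defaults).
DOCUMENTED_DEFAULTS = {
    "1011121314", "2021222324", "3031323334", "4041424344",
    "101112131415161718191A1B1C", "202122232425262728292A2B2C",
    "303132333435363738393A3B3C", "404142434445464748494A4B4C",
}

# Expected hex digits per key. KeyGuard is checked at the 26-digit length
# of the default keys the guide lists for it.
HEX_DIGITS = {"WEP64": 10, "WEP128": 26, "KeyGuard": 26}


def normalize(key):
    """Drop separators an operator may have typed and upper-case the digits."""
    return re.sub(r"[\s:-]", "", key).upper()


def audit_key(scheme, key):
    """Return a list of findings for one key; an empty list means no finding."""
    k = normalize(key)
    want = HEX_DIGITS[scheme]
    if len(k) != want or not re.fullmatch(r"[0-9A-F]+", k):
        return [f"not {want} hexadecimal digits"]
    findings = []
    if k in DOCUMENTED_DEFAULTS:
        findings.append("matches a default key printed in the product guide")
    data = bytes.fromhex(k)
    if len(set(data)) == 1:
        findings.append("single repeated byte")
    elif all(b - a == 1 for a, b in zip(data, data[1:])):
        findings.append("bytes form a simple incrementing sequence")
    return findings


def audit_policy(scheme, keys):
    """Audit Key 1..Key 4 of one security policy; return {slot: findings}."""
    report, seen = {}, {}
    for slot, key in enumerate(keys, start=1):
        findings = audit_key(scheme, key)
        k = normalize(key)
        if k in seen:
            findings.append(f"same value as Key {seen[k]}")
        else:
            seen[k] = slot
        if findings:
            report[slot] = findings
    return report


if __name__ == "__main__":
    # Constructed sample policy: one guide default, one duplicated key,
    # one repeated-byte key.
    sample = [
        "101112131415161718191A1B1C",
        "5AD3917CE04B26F8A1C37D9E02",
        "5AD3917CE04B26F8A1C37D9E02",
        "AA" * 13,
    ]
    for slot, findings in audit_policy("WEP128", sample).items():
        print(f"Key {slot}: " + "; ".join(findings))
```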
3. Select the WPA/TKIP radio button. The WPA/TKIP Settings field displays within the New Security Policy screen.
4. Ensure the Name of the security policy entered suits the intended configuration or function of the policy.
5. Configure the Key Rotation Settings area as needed to broadcast encryption key changes to MUs and define the broadcast interval.
ASCII Passphrase To use an ASCII passphrase (and not a hexadecimal value), select the checkbox and enter an alphanumeric string of 8 to 63 characters. The alphanumeric string allows character spaces. The AP-5131 converts the string to a numeric value. This passphrase saves the administrator from entering the 256-bit key each time keys are generated.
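The guide does not say how the AP-5131 turns the passphrase into a 256-bit value. The added example below (not Symbol's code) uses the standard WPA pre-shared-key mapping from IEEE 802.11i, PBKDF2-HMAC-SHA1 salted with the ESSID, and assumes the AP-5131 follows it; the function names are hypothetical. It shows why the derived key changes with the ESSID and validates both entry modes of the key field.

```python
import hashlib
import re


def passphrase_to_key(passphrase, essid):
    """Standard WPA mapping (assumed to apply to the AP-5131):
    PBKDF2-HMAC-SHA1, ESSID as salt, 4096 iterations, 256-bit output."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("passphrase must be printable ASCII (spaces allowed)")
    salt = essid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("ESSID must be 1 to 32 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)


def resolve_key(value, essid, ascii_passphrase):
    """Return the 256-bit key for either entry mode of the key field.

    ascii_passphrase=True  -> value is the 8 to 63 character passphrase
    ascii_passphrase=False -> value is the 256-bit key typed as 64 hex digits
    """
    if ascii_passphrase:
        return passphrase_to_key(value, essid)
    if not re.fullmatch(r"[0-9A-Fa-f]{64}", value):
        raise ValueError("hexadecimal key must be exactly 64 hex digits")
    return bytes.fromhex(value)


if __name__ == "__main__":
    # Constructed inputs: the same passphrase under two ESSIDs gives two keys,
    # so MUs must be configured with both the passphrase and the exact ESSID.
    for essid in ("warehouse", "Warehouse"):
        key = resolve_key("correct horse battery", essid, ascii_passphrase=True)
        print(essid, key.hex())
```

Since the passphrase is the only secret input to this derivation, the resulting key is no stronger than the passphrase itself.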
If security policies supporting WPA2-CCMP exist, they appear within the Security Configuration screen. These existing policies can be used as is, or their properties edited by clicking the Edit button. To configure a new security policy supporting WPA2-CCMP, continue to step 2.
2. Click the Create button to configure a new policy supporting WPA2-CCMP. The New Security Policy screen displays with no authentication or encryption options selected.
3.
Broadcast Key Rotation Select the Broadcast Key Rotation checkbox to enable or disable the broadcasting of encryption key changes to MUs. Only broadcast key changes when required by associated MUs to reduce the transmissions of sensitive key information. This option is disabled by default.
Update broadcast keys every (300-604800 seconds) Specify a time period in seconds for broadcasting encryption key changes to MUs.
8. Configure the Fast Roaming (802.1x only) field as required to enable additional AP-5131 roaming and key caching options. This feature is applicable only when using 802.1x EAP authentication with WPA2/CCMP.
Pre-Authentication Selecting this option enables an associated MU to carry out an 802.1x authentication with another AP-5131 before it roams to it. The AP-5131 caches the keying information of the client until it roams to the other AP-5131.
2. Refer to the Global Firewall Disable field to enable or disable the AP-5131 firewall.
Disable Firewall Select the Disable Firewall checkbox to disable all firewall functions on the AP-5131. This includes firewall filters, NAT, VPN, content filtering, and subnet access. Disabling the AP-5131 firewall makes the AP-5131 vulnerable to data attacks and is not recommended during normal operation if using the WAN port.
3.
SYN Flood Attack Check A SYN flood attack requests a connection and then fails to promptly acknowledge a destination host's response, leaving the destination host vulnerable to a flood of connection requests.
Source Routing Check A source routing attack specifies an exact route for a packet's travel through a network, while exploiting the use of an intermediate host to gain access to a private host.
6.10.1 Configuring LAN to WAN Access
The AP-5131 LAN can be configured to communicate with the WAN side of the AP-5131. Use the Subnet Access screen to allow/deny access to the AP-5131 WAN protocols, specify names and properties for existing protocols and enable pre-configured protocols (FTP, TFTP, Telnet, etc.).
To configure AP-5131 subnet access:
1. Select Network Configuration -> Firewall -> Subnet Access from the AP-5131 menu tree.
2.
3. Configure the Rules field as required to allow or deny access to selected (enabled) protocols.
Allow or Deny all protocols, except Use the drop-down menu to select either Allow or Deny. The selected setting applies to all protocols except those with enabled checkboxes and any traffic that is added to the table. For example, if the adoption rule is to Deny access to all protocols except those listed, access is allowed only to those selected protocols.
Preconfigured Rules The following protocols are preconfigured with the AP-5131. To enable a protocol, check the box next to the protocol name.
• HTTP - Hypertext Transfer Protocol is the protocol for transferring files on the Web. HTTP is an application protocol running on top of the TCP/IP suite of protocols, the foundation protocols for the Internet. The HTTP protocol uses TCP port 80.
• TELNET - TELNET is the terminal emulation protocol of TCP/IP.
End Port Enter the ending port number for a port range. If the protocol uses a single port, leave the field blank. A new entry might use Web Traffic for its name, TCP for its protocol, and 80 for its port number.
4. Click Apply to save any changes to the Subnet Access screen. Navigating away from the screen without clicking the Apply button results in all changes to the screens being lost.
5. Click Undo Changes (if necessary) to undo any changes made.
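The "Allow or Deny all protocols, except" setting inverts its meaning for every checked or added entry, which is easy to misread when reviewing a configuration. The model below is an added example, not the AP-5131's firewall code; the class and function names are hypothetical, the Telnet port (TCP 23) is the well-known assignment rather than a value from this page, and the sample entries are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class ProtocolEntry:
    """One row of the Rules table: a preconfigured protocol or an added entry."""
    name: str
    transport: str                   # "TCP" or "UDP"
    start_port: int
    end_port: Optional[int] = None   # blank End Port field = single port

    def __post_init__(self):
        end = self.start_port if self.end_port is None else self.end_port
        if not 1 <= self.start_port <= end <= 65535:
            raise ValueError(f"{self.name}: invalid port range")

    def matches(self, transport, port):
        end = self.start_port if self.end_port is None else self.end_port
        return (transport.upper() == self.transport.upper()
                and self.start_port <= port <= end)


@dataclass
class SubnetAccessRule:
    """'Allow or Deny all protocols, except' plus the listed exceptions."""
    default_action: str              # "allow" or "deny"
    exceptions: List[ProtocolEntry] = field(default_factory=list)

    def __post_init__(self):
        if self.default_action not in ("allow", "deny"):
            raise ValueError("default_action must be 'allow' or 'deny'")

    def decide(self, transport, port):
        """Return (action, matching entry name or None) for one flow."""
        opposite = "deny" if self.default_action == "allow" else "allow"
        for entry in self.exceptions:
            if entry.matches(transport, port):
                return opposite, entry.name
        return self.default_action, None


def allowed_services(rule, services):
    """Names of the (name, transport, port) services the rule lets through."""
    return [name for name, transport, port in services
            if rule.decide(transport, port)[0] == "allow"]


if __name__ == "__main__":
    services = [("HTTP", "TCP", 80), ("TELNET", "TCP", 23)]
    # Deny everything except the guide's sample entry (Web Traffic, TCP, 80).
    strict = SubnetAccessRule("deny", [ProtocolEntry("Web Traffic", "TCP", 80)])
    # Same checkbox under the opposite default: everything except port 80 passes.
    loose = SubnetAccessRule("allow", [ProtocolEntry("Web Traffic", "TCP", 80)])
    print("deny-except :", allowed_services(strict, services))
    print("allow-except:", allowed_services(loose, services))
```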
between two end points. ESP can also be used in tunnel mode, providing security like that of a Virtual Private Network (VPN).
• GRE - General Routing Encapsulation supports VPNs across the Internet. GRE is a mechanism for encapsulating network layer protocols over any other network layer protocol. Such encapsulation allows routing of IP packets between private IP networks across an Internet using globally assigned IP addresses.
6.10.
2. Configure the Settings field as needed to override the settings in the Subnet Access screen and import firewall rules into the Advanced Subnet Access screen.
Override Subnet Access settings Select this checkbox to enable advanced subnet access rules and disable existing subnet access rules, port forwarding, and 1 to many mappings from the system.
Source IP The Source IP range defines the origin address or address range for the firewall rule. To configure the Source IP range, click on the field. A new window displays for entering the IP address and range.
Destination IP The Destination IP range determines the target address or address range for the firewall rule. To configure the Destination IP range, click on the field. A new window displays for entering the IP address and range.
Use the VPN screen to add and remove VPN tunnels. To configure an existing VPN tunnel, select it from the list in the VPN Tunnels field. The selected tunnel’s configuration displays in a VPN Tunnel Config field.
To configure a VPN tunnel on the AP-5131:
1. Select Network Configuration -> WAN -> VPN from the AP-5131 menu tree.
2.
Remote Subnet The Remote Subnet column lists the remote subnet for each tunnel. The remote subnet is the subnet the remote network uses for connection.
Remote Gateway The Remote Gateway column lists a remote gateway IP address for each tunnel. The numeric remote gateway is the gateway IP address on the remote network the VPN tunnel connects to. Ensure the address is the same as the WAN port address of the target gateway AP or switch.
Subnet name Use the drop-down menu to specify the LAN1 or LAN2 connection used for routing VPN traffic. Remember, only one LAN connection can be active on the AP-5131 Ethernet port at a time. The LAN connection specified from the LAN screen to receive priority for Ethernet port connectivity may be the better subnet to select for VPN traffic.
Local WAN IP Enter the WAN’s numerical (non-DNS) IP address in order for the tunnel to pass traffic to a remote network.
IKE Settings After selecting Auto (IKE) Key Exchange, click the IKE Settings button to open a screen where IKE specific settings can be configured. For more information, see Configuring IKE Key Settings on page 6-44.
4. Click Apply to save any changes to the VPN screen as well as changes made to the Auto Key Settings, IKE Settings and Manual Key Settings screens.
3. Configure the Manual Key Settings screen to modify the following:
NOTE When entering Inbound or Outbound encryption or authentication keys, an error message could display stating the keys provided are “weak”. Some WEP attack tools invoke a dictionary to hack WEP keys based on commonly used words. To avoid entering a weak key, try not to produce a WEP key using commonly used terms and attempt to mix alphabetic and numerical key attributes when possible.
Inbound AH Authentication Key: Configure a key for computing the integrity check on inbound traffic with the selected authentication algorithm. The key must be 32/40 (for MD5/SHA1) hexadecimal (0-9, A-F) characters in length. The key value must match the corresponding outbound key on the remote security gateway.
Outbound AH Authentication Key: Configure a key for computing the integrity check on outbound traffic with the selected authentication algorithm.
Inbound ESP Encryption Key: Enter a key for inbound traffic. The length of the key is determined by the selected encryption algorithm. The key must match the outbound key at the remote gateway.
Outbound ESP Encryption Key: Define a key for outbound traffic. The length of the key is determined by the selected encryption algorithm. The key must match the inbound key at the remote gateway.
ESP Authentication Algorithm: Select the authentication algorithm to use with ESP.
AP2 Inbound SPI = 801
AP2 Outbound SPI = 800
4. Click Ok to return to the VPN screen. Click Apply to retain the settings made on the Manual Key Settings screen.
5. Click Cancel to return to the VPN screen without retaining the changes made to the Manual Key Settings screen.
6.11.2 Configuring Auto Key Settings
The AP-5131’s Network Management System can automatically set encryption and authentication keys for VPN access.
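The Manual Key Settings rules described earlier (AH keys of 32 or 40 hexadecimal characters, and each inbound key and SPI matching the remote gateway's outbound value) can be checked for both ends before the values are entered. The Python below is an added example, not code from this guide or from Symbol: the dictionary field names are hypothetical, the AP1 SPIs and all keys are constructed sample values, and only the AP2 SPIs (801/800) and the AH key lengths come from the guide.

```python
import string

# AH key length in hexadecimal characters, as stated in the guide (32/40 for MD5/SHA1).
AH_KEY_HEX_LEN = {"MD5": 32, "SHA1": 40}
HEX_DIGITS = set(string.hexdigits)

# Hypothetical field names for this example: (inbound field, outbound field, label).
MIRRORED = [
    ("inbound_spi", "outbound_spi", "SPI"),
    ("inbound_ah_key", "outbound_ah_key", "AH authentication key"),
    ("inbound_esp_key", "outbound_esp_key", "ESP encryption key"),
]


def check_ah_key(label, algorithm, key):
    """Return the problems found in one AH authentication key."""
    expected = AH_KEY_HEX_LEN.get(algorithm.upper())
    if expected is None:
        return [f"{label}: unknown AH algorithm {algorithm!r}"]
    problems = []
    if not key or not set(key) <= HEX_DIGITS:
        problems.append(f"{label}: not hexadecimal (0-9, A-F)")
    elif key.isdigit() or key.isalpha():
        # The guide advises mixing alphabetic and numerical characters.
        problems.append(f"{label}: mix alphabetic and numerical characters")
    if len(key) != expected:
        problems.append(
            f"{label}: {algorithm} needs {expected} hex characters, got {len(key)}")
    return problems


def _same(a, b):
    """Compare SPIs as numbers and keys as case-insensitive hex strings."""
    if isinstance(a, int) and isinstance(b, int):
        return a == b
    return str(a).upper() == str(b).upper()


def check_pair(local, remote):
    """Return every mismatch between the two ends of a manually keyed tunnel."""
    problems = []
    if local["ah_algorithm"].upper() != remote["ah_algorithm"].upper():
        problems.append("AH algorithm differs between the two ends")
    for end in (local, remote):
        for direction in ("inbound", "outbound"):
            problems += check_ah_key(f"{end['name']} {direction} AH key",
                                     end["ah_algorithm"],
                                     end[f"{direction}_ah_key"])
    # Each end's inbound value must equal the other end's outbound value.
    for a, b in ((local, remote), (remote, local)):
        for inbound, outbound, what in MIRRORED:
            if not _same(a[inbound], b[outbound]):
                problems.append(f"{a['name']} inbound {what} does not match "
                                f"{b['name']} outbound {what}")
    return problems


def sample_pair():
    """Constructed sample: AP2's SPIs are the guide's, AP1 and all keys are made up."""
    k1 = "0F1E2D3C4B5A69788796A5B4C3D2E1F0"
    k2 = "A1B2C3D4E5F60718293A4B5C6D7E8F90"
    ap1 = dict(name="AP1", ah_algorithm="MD5", inbound_spi=800, outbound_spi=801,
               inbound_ah_key=k1, outbound_ah_key=k2,
               inbound_esp_key="1A2B3C4D5E6F7081",
               outbound_esp_key="9C8D7E6F5A4B3C2D")
    ap2 = dict(name="AP2", ah_algorithm="MD5", inbound_spi=801, outbound_spi=800,
               inbound_ah_key=k2.lower(), outbound_ah_key=k1,
               inbound_esp_key="9C8D7E6F5A4B3C2D",
               outbound_esp_key="1A2B3C4D5E6F7081")
    return ap1, ap2


if __name__ == "__main__":
    ap1, ap2 = sample_pair()
    print("matching pair:", check_pair(ap1, ap2))
    ap2["inbound_spi"] = 800                                # SPI entered unmirrored
    ap2["outbound_ah_key"] = ap2["outbound_ah_key"][:-2]    # key two characters short
    for problem in check_pair(ap1, ap2):
        print("-", problem)
```

ESP key lengths are not checked because they depend on the selected encryption algorithm; only the inbound/outbound match is verified for them.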
3. Configure the Auto Key Settings screen to modify the following:
Use Perfect Forward Secrecy: Forward secrecy is a property of a key-establishment protocol guaranteeing that the discovery of a session key or long-term private key does not compromise the keys of other sessions. Select Yes to enable Perfect Forward Secrecy. Select No to disable Perfect Forward Secrecy.
ESP Encryption Algorithm: Use this menu to select the encryption and authentication algorithms for this VPN tunnel.
• DES - Selects the DES algorithm. No keys are required to be manually provided.
• 3DES - Selects the 3DES algorithm. No keys are required to be manually provided.
• AES 128-bit - Selects the Advanced Encryption Standard algorithm with 128-bit. No keys are required to be manually provided.
3. Configure the IKE Key Settings screen to modify the following:
Operation Mode: The Phase I protocols of IKE are based on the ISAKMP identity-protection and aggressive exchanges. IKE main mode refers to the identity-protection exchange, and IKE aggressive mode refers to the aggressive exchange.
• Main - Standard IKE mode for communication and key exchange.
• Aggressive - Aggressive mode is faster, but less secure than Main mode.
Local ID Type: Select the type of ID to be used for the AP-5131 end of the SA.
• IP - Select IP if the local ID type is the IP address specified as part of the tunnel.
• FQDN - Use FQDN if the local ID is a fully qualified domain name (such as sj.symbol.com).
• UFQDN - Select UFQDN if the local ID is a user fully-qualified email (such as johndoe@symbol.com).
Local ID Data: Specify the FQDN or UFQDN based on the Local ID type assigned.
IKE Authentication Algorithm: IKE provides data authentication and anti-replay services for the VPN tunnel. Select an authentication method from the drop-down menu.
• MD5 - Enables the Message Digest 5 algorithm. No keys are required to be manually provided.
• SHA1 - Enables Secure Hash Algorithm. No keys are required to be manually provided.
IKE Authentication Passphrase: If you selected Pre-Shared Key as the authentication mode, you must provide a passphrase.
Diffie Hellman Group: Select a Diffie-Hellman Group to use. The Diffie-Hellman key agreement protocol allows two users to exchange a secret key over an insecure medium without any prior secrets. Two algorithms exist, 768-bit and 1024-bit. Select one of the following options:
• Group 1 - 768 bit - Somewhat faster than the 1024-bit algorithm, but secure enough in most situations.
2. Reference the Security Associations field to view the following:
Tunnel Name: The Tunnel Name column lists the names of all the tunnels configured on the AP-5131. For information on configuring a tunnel, see Configuring VPN Tunnels on page 6-34.
Status: The Status column lists the status of each configured tunnel. When the tunnel is not in use, the status reads NOT_ACTIVE. When the tunnel is connected, the status reads ACTIVE.
Life Time: Use the Life Time column to view the lifetime associated with a particular Security Association (SA). Each SA has a finite lifetime defined. When the lifetime expires, the SA can no longer be used to protect data traffic. The maximum SA lifetime is 65535 seconds.
Tx Bytes: The Tx Bytes column lists the amount of data (in bytes) transmitted through each configured tunnel.
To configure content filtering for the AP-5131:
1. Select Network Configuration -> WAN -> Content Filtering from the AP-5131 menu tree.
2. Configure the HTTP field to block Web proxies and URL extensions.
Block Outbound HTTP: HyperText Transport Protocol (HTTP) is the protocol used to transfer information to and from Web sites. HTTP Blocking allows for blocking of specific HTTP commands going outbound on the AP-5131 WAN port. HTTP blocks commands on port 80 only.
3. Configure the SMTP field to disable or restrict specific kinds of network mail traffic.
Block Outbound SMTP Commands: Simple Mail Transport Protocol (SMTP) is the Internet standard for host-to-host mail transport. SMTP generally operates over TCP on port 25. SMTP filtering allows the blocking of any or all outgoing SMTP commands. Check the box next to the command to disable that command when using SMTP across the AP-5131’s WAN port.
Block Outbound FTP Actions: File Transfer Protocol (FTP) is the Internet standard for host-to-host mail transport. FTP generally operates over TCP port 20 and 21. FTP filtering allows the blocking of any or all outgoing FTP functions. Check the box next to the command to disable the command when using FTP across the AP-5131’s WAN port.
• Storing Files - Blocks the request to transfer files sent from the client across the AP’s WAN port to the FTP server.
The rogue detection interval is used in conjunction with Symbol MUs that identify themselves as rogue detection capable to the AP-5131. The detection interval defines how often the AP-5131 requests these MUs to scan for a rogue AP. A shorter interval can affect the performance of the MU, but it will also decrease the time it takes for the AP-5131 to scan for a rogue AP.
RF Scan by MU: Select the RF Scan by MU checkbox to enable MUs to scan for potential rogue APs within the network. Define an interval in the Scan Interval field for associated MUs to beacon in an attempt to locate a rogue AP. Set the interval to a value shorter than the default if a large volume of device network traffic is anticipated within the coverage area of the target AP-5131 access point.
Any ESSID: Select the Any ESSID checkbox to prevent a device’s ESSID (whether it is a known device ESSID or not) from being considered a rogue device ESSID. Click Add, and enter the name of a device ESSID to be excluded from classification as a rogue device.
4. Click Apply to save any changes to the Rogue AP Detection screen. Navigating away from the screen without clicking Apply results in all changes to the screens being lost.
5.
The Active APs screen displays with detected rogue devices displayed within the Rogue APs table.
2. Enter a value (in minutes) in the Allowed APs Age Out Time field to indicate the number of elapsed minutes before an AP will be removed from the approved list and reevaluated. A zero (0) for this value (default value) indicates an AP can remain on the approved AP list permanently.
3.
6. Highlight a rogue AP and click the Details button to display a screen with device and detection information specific to that rogue device. This information is helpful in determining if a rogue AP should be moved to the Allowed APs table. For more information on displaying information on detected rogue APs, see Displaying Rogue AP Details on page 6-58.
7.
3. Refer to the Rogue AP Detail field for the following information:
BSSID/MAC: Displays the MAC address of the rogue AP. This information could be useful if the MAC address is determined to be a Symbol MAC address and the device is interpreted as non-hostile and the device should be defined as an allowed AP.
ESSID: Displays the ESSID of the rogue AP.
Detection Method: Displays the RF Scan by MU, RF On-Channel Detection or RF Scan by Detector Radio method selected from the Rogue AP screen to detect rogue devices. For information on detection methods, see Configuring Rogue AP Detection on page 6-53.
First Heard (days:hrs:min): Defines the time in (days:hrs:min) that the rogue AP was initially heard by the detecting AP.
2. Highlight an MU from within the Rogue AP enabled MUs field and click the scan button. The target MU begins scanning for rogue devices using the detection parameters defined within the Rogue AP Detection screen. To modify the detection parameters, see Configuring Rogue AP Detection on page 6-53. Those devices detected as rogue APs display within the Scan Result table.
6. Click Logout to return to the Rogue AP Detection screen.
6.14 Configuring User Authentication
The AP-5131 can work with external RADIUS and LDAP Servers (AAA Servers) to provide user database information and user authentication.
6.14.1 Configuring the Radius Server
The Radius Server screen enables an administrator to define data sources and specify authentication information for the RADIUS Server.
To configure the Radius Server:
1.
LDAP: If LDAP is selected, the switch will use the data in an LDAP server. Configure the LDAP server settings on the LDAP screen under RADIUS Server on the menu tree. For more information, see Configuring LDAP Authentication on page 6-65.
3. Use the TTLS/PEAP Configuration field to specify the Radius Server default EAP type, EAP authentication type and a Server or CA certificate (if used).
Default Authentication Type: Specify a PEAP and/or TTLS Authentication Type for EAP to use from the drop-down menu to the right of each checkbox item. PEAP options include:
• GTC - EAP Generic Token Card (GTC) is a challenge handshake authentication protocol using a hardware token card to provide the response string.
4. Use the Radius Client Authentication table to configure multiple shared secrets based on the subnet or host attempting to authenticate with the Radius server. Use the Add button to add entries to the list. Modify the following information as needed within the table.
Subnet/Host: Defines the IP address of the subnet or host that will be authenticating with the Radius server.
2. Enter the appropriate information within the LDAP Configuration field to allow the AP-5131 to interoperate with the LDAP server. Consult with your LDAP server administrator for details on how to define the values in this screen.
LDAP Server IP: Enter the IP address of the external LDAP server acting as the data source for the Radius server. The LDAP server must be accessible from the WAN port or from the AP-5131’s active subnet.
Password: Enter a valid password for the LDAP server.
Base Distinguished Name: Enter a name that establishes the base object for the search. The base object is the point in the LDAP tree at which to start searching.
Group Attribute: Define the group attribute used by the LDAP server.
Group Filter: Specify the group filters used by the LDAP server.
Group Member Attribute: Enter the Group Member Attribute sent to the LDAP server when authenticating users.
2. Refer to the Proxy Configuration field to define the proxy server’s retry count and timeout values.
Retry Count: Enter a value between 3 and 6 to indicate the number of times the AP-5131 attempts to reach a proxy server before giving up.
Timeout: Enter a value between 5 and 10 to indicate the number of elapsed seconds causing the AP-5131 to time out on a request to a proxy server.
3. Use the Add button to add a new proxy server.
Shared Secret: Set a shared secret used for each suffix used for authentication with the RADIUS proxy server.
4. To remove a row, select the row and click the Del (Delete) button.
5. Click Apply to save any changes to the Proxy screen. Navigating away from the screen without clicking Apply results in all changes to the screen being lost.
6. Click Undo Changes (if necessary) to undo any changes made.
Refer to the Groups field for a list of all groups in the local Radius database. The groups are listed in the order added. Although groups can be added and deleted, there is no capability to edit a group name.
2. Click the Add button and enter the name of the group in the new blank field in the Groups table.
3. To remove a group, select the group from the table and click the Del (Delete) key.
The Users table displays the entire list of users.
7. Click the List of Groups cell. A new screen displays enabling you to associate groups with the user. For more information on mapping groups with a user, see Mapping Users to Groups on page 6-71.
8. Click Apply to save any changes to the Users screen. Navigating away from the screen without clicking Apply results in all changes to the screen being lost.
9. Click Undo Changes (if necessary) to undo any changes made.
3. To add the user to a group, select the group in the Available list (on the right) and click the <-Add button. Assigned users will display within the Assigned table. Map one or more groups as needed for group authentication access for this particular user.
4. To remove the user from a group, select the group in the Assigned list (on the left) and click the Delete-> button.
5.
WLAN or editing the properties of an existing WLAN, see Creating/Editing Individual WLANs on page 5-24.
1. Select User Authentication -> Radius Server -> Access Policy from the AP-5131 menu tree.
2. Click the WLANs button to the right of a specific group name. A pop-up window displays with the name of the user group appearing on the top of the screen and the names of existing WLANs displaying within the screen.
7. Click Logout to securely exit the AP-5131 Symbol Access Point applet. A prompt displays confirming the logout before the applet is closed.
Monitoring Statistics
The AP-5131 has functionality to display robust transmit and receive statistics for its WAN and LAN port. Wireless Local Area Network (WLAN) stats can also be displayed collectively for each enabled WLAN as well as individually for up to 16 specific WLANs. Transmit and receive statistics can also be displayed for the AP-5131’s 802.11a and 802.11b/g radios. An advanced radio statistics page is also available to display retry histograms for specific data packet retry information.
See the following sections for more details on viewing statistics for the AP-5131:
• Viewing WAN Statistics
• Viewing LAN Statistics
• Viewing Wireless Statistics
• Viewing Radio Statistics Summary
• Viewing MU Statistics Summary
• Viewing the Mesh Statistics Summary
• Viewing Known Access Point Statistics
7.
2. Refer to the Information field to reference the following AP-5131 WAN data:
Status: The Status field displays Enabled if the WAN interface is enabled on the WAN screen. If the WAN interface is disabled on the WAN screen, the WAN Stats screen displays no connection information and statistics. To enable the WAN connection, see Configuring WAN Settings on page 5-14.
HW Address: The Media Access Control (MAC) address of the AP-5131 WAN port.
Link: The Link field displays Up if the WAN connection is active between the AP-5131 and network, and Down if the WAN connection is interrupted or lost. Use this information to assess the current connection status of the WAN port.
Speed: The WAN connection speed is displayed in Megabits per second (Mbps), for example, 54Mbps.
TX Packets: TX packets are data packets sent over the WAN connection. The displayed number is a cumulative total since the WAN interface was last enabled or the AP-5131 was last restarted. To begin a new data collection, see Configuring System Settings on page 4-2.
TX Bytes: TX bytes are bytes of information sent over the WAN connection. The displayed number is a cumulative total since the WAN interface was last enabled or the AP-5131 was last restarted.
7.2 Viewing LAN Statistics
Use the LAN Stats screen to monitor the activity of the AP-5131 LAN1 or LAN2 connection. The Information field of the LAN Stats screen displays network traffic information as monitored over the AP-5131 LAN1 or LAN2 port.
Network Mask: The first two sets of numbers specify the network domain, the next set specifies the subset of hosts within a larger network. These values help divide a network into subnetworks and simplify routing and data transmission.
Ethernet Address: The Media Access Control (MAC) address of the AP-5131. The MAC address is hard coded at the factory and cannot be changed.
TX Packets: TX packets are data packets sent over the AP-5131 LAN port. The displayed number is a cumulative total since the LAN connection was last enabled or the AP-5131 was last restarted. To begin a new data collection, see Configuring System Settings on page 4-2.
TX Bytes: TX bytes are bytes of information sent over the LAN port. The displayed number is a cumulative total since the LAN Connection was last enabled or the AP-5131 was last restarted.
7.2.1 Viewing a LAN’s STP Statistics
Each AP-5131 LAN has the ability to track its own unique STP statistics. Refer to the LAN STP Stats page when assessing mesh networking functionality for each of the two AP-5131 LANs. AP-5131s in bridge mode exchange configuration messages at regular intervals (typically 1 to 4 seconds). If a bridge fails, neighboring bridges detect a lack of configuration messaging and initiate a spanning-tree recalculation (when spanning tree is enabled).
Designated Root: Displays the AP-5131 MAC address of the bridge defined as the root bridge in the Bridge STP Configuration screen. For information on defining an AP-5131 as a root bridge, see Setting the LAN Configuration for Mesh Networking Support on page 9-5.
Bridge ID: The Bridge ID identifies the priority and ID of the bridge sending the message.
Root Port Number: Identifies the root bridge by listing its 2-byte priority followed by its 6-byte ID.
State: Displays whether a bridge is forwarding traffic to other members of the mesh network (over this port) or blocking traffic. Each viable member of the mesh network must forward traffic to extend the coverage area of the mesh network.
Path Cost: The root path cost is the distance (cost) from the sending bridge to the root bridge.
Designated Root: Displays the MAC address of the AP-5131 defined with the lowest priority within the Mesh STP Configuration screen.
2. Refer to the WLAN Summary field to reference high-level data for each enabled WLAN.
Name: Displays the names of all the enabled WLANs on the AP-5131. For information on enabling a WLAN, see Enabling Wireless LANs (WLANs) on page 5-22.
MUs: Displays the total number of MUs currently associated with each enabled WLAN. Use this information to assess if the MUs are properly grouped by function within each enabled WLAN.
Retries: Displays the average number of retries per packet. An excessive number could indicate possible network or hardware problems.
Clear All WLAN Stats: Click this button to reset each of the data collection counters to zero in order to begin new data collections. Do not clear the WLAN stats if currently in an important data gathering activity or risk losing all data calculations to that point.
3.
information. The Traffic field displays statistics on RF traffic and throughput. The RF Status field displays information on RF signal averages from the associated MUs. The Error field displays RF traffic errors based on retries, dropped packets, and undecryptable packets. The WLAN Stats screen is view-only with no user configurable data fields.
To view statistics for an individual WLAN:
1.
Encryption Type: Displays the encryption method defined for the WLAN. If the encryption type does not match the desired scheme for the WLAN or needs to be enabled, see Enabling Authentication and Encryption Schemes on page 6-5.
Num. Associated MUs: Displays the total number of MUs currently associated with the WLAN. If this number seems excessive, consider segregating MUs to other WLANs if appropriate.
3.
4. Refer to the RF Status field to view the following MU signal, noise and performance information for the WLAN selected from the AP-5131 menu tree.
Avg MU Signal: Displays the average RF signal strength in dBm for all MUs associated with the selected WLAN. The number in black represents this statistic for the last 30 seconds and the number in blue represents this statistic for the last hour.
6. Click the Clear WLAN Stats button to reset each of the data collection counters to zero in order to begin new data collections. Do not clear the WLAN stats if currently in an important data gathering activity or risk losing all data calculations to that point.
7. Click the Logout button to securely exit the AP-5131 Symbol Access Point applet. A prompt displays confirming the logout before the applet is closed.
7.
Type: Displays the type of radio (either 802.11a or 802.11b/g) currently deployed by the AP-5131. To configure the radio type, see Setting the WLAN’s Radio Configuration on page 5-45.
MUs: Displays the total number of MUs currently associated with each AP-5131 radio.
T-put: Displays the total throughput in Megabits per second (Mbps) for each AP-5131 radio listed. To adjust the data rate for a specific radio, see Configuring the 802.11a or 802.
dropped or could not decrypt. The information within the 802.11a Radio Statistics screen is view-only with no configurable data fields.
To view detailed radio statistics:
1. Select Status and Statistics -> Radio Stats -> Radio1(802.11b/g) Stats from the AP-5131 menu tree.
2. Refer to the Information field to view the AP-5131 802.11a or 802.11b/g radio’s MAC address, placement and transmission information.
Placement: Lists whether the AP-5131 radio is indoors or outdoors. To change the placement setting, see Configuring the 802.11a or 802.11b/g Radio on page 5-48.
Current Channel: Indicates the channel for communications between the AP-5131 radio and its associated MUs. To change the channel setting, see Configuring the 802.11a or 802.11b/g Radio on page 5-48.
4. Refer to the RF Status field to view the following MU signal, noise and performance information for the target AP-5131 802.11a or 802.11b/g radio.
Avg MU Signal: Displays the average RF signal strength in dBm for all MUs associated with the radio. The number in black represents the average signal for the last 30 seconds and the number in blue represents the average signal for the last hour.
Avg MU Noise:
7.4.1.1 Retry Histogram
Refer to the Retry Histogram screen for an overview of the retries transmitted by an AP-5131 radio and whether those retries contained any data packets. Use this information in combination with the error fields within a Radio Stats screen to assess overall radio performance.
To display a Retry Histogram screen for an AP-5131 radio:
1. Select Status and Statistics -> Radio Stats -> Radio1(802.
2. Click Apply to save any changes to the Radio Histogram screen. Navigating away from the screen without clicking Apply results in changes to the screens being lost.
3. Click Undo Changes (if necessary) to undo any changes made to the screen. Undo Changes reverts the settings to the last saved configuration.
4. Click Logout to securely exit the AP-5131 Symbol Access Point applet. A prompt displays confirming the logout before the applet is closed.
7.
2. Refer to the MU List field to reference associated MU address, throughput and retry information.
IP Address: Displays the IP address of each associated MU.
MAC Address: Displays the MAC address of each associated MU.
WLAN: Displays the WLAN name each MU is interoperating with.
Radio: Displays the name of the 802.11a or 802.11b/g radio each MU is associated with.
8. Click the Logout button to securely exit the AP-5131 Symbol Access Point applet. A prompt displays confirming the logout before the applet is closed.
7.5.1 Viewing MU Details
Use the MU Details screen to display throughput, signal strength and transmit error information for a specific MU associated with the AP-5131. The MU Details screen is separated into four fields: MU Properties, MU Traffic, MU Signal, and MU Errors.
QoS Client Type: Displays the data type transmitted by the mobile unit. Possible types include Legacy, Voice, WMM Baseline and Power Save. For more information, see Setting the WLAN Quality of Service (QoS) Policy on page 5-34.
Encryption: Displays the encryption scheme deployed by the associated MU.
5. Refer to the Traffic field to view individual MU RF throughput information.
6. Refer to the RF Status field to view MU signal and signal disturbance information.
Avg MU Signal: Displays RF signal strength in dBm for the target MU. The number in black represents signal information for the last 30 seconds and the number in blue represents signal information for the last hour.
Avg MU Noise: Displays RF noise for the target MU. The number in black represents noise for the last 30 seconds, the number in blue represents noise for the last hour.
To ping a specific MU to assess its connection with an AP-5131:
1. Select Status and Statistics -> MU Stats from the AP-5131 menu tree.
2. Select the Echo Test button from within the MU Stats Summary screen.
3. Specify the following ping test parameters.
Station Address: The IP address of the target MU. Refer to the MU Stats Summary screen for associated MU IP address information.
7.6 Viewing the Mesh Statistics Summary
The AP-5131 has the capability of detecting and displaying the properties of other access points in mesh network (either base bridges or client bridges) mode. This information is used to create a list of known wireless bridges.
To view detected mesh network statistics:
1. Select Status and Statistics -> Mesh Stats from the AP-5131 menu tree.
WLAN: Displays the WLAN name each wireless bridge is interoperating with.
Radio: Displays the name of the 802.11a or 802.11b/g radio each bridge is associated with.
T-put: Displays the total throughput in Megabits per second (Mbps) for each associated bridge.
ABS: Displays the Average Bit Speed (ABS) in Megabits per second (Mbps) for each associated bridge.
Retries: Displays the average number of retries per packet.
The Known AP Statistics screen displays the following information:
IP Address: The network-assigned Internet Protocol address of the located AP.
MAC Address: The unique 48-bit, hard-coded Media Access Control address, known as the device’s station identifier. This value is hard coded at the factory by the manufacturer and cannot be changed.
MUs: The number of MUs associated with the located AP-5131.
Unit Name: Displays the name assigned to the AP-5131 using the System Settings screen.
The Known AP Details screen displays the target AP’s MAC address, IP address, radio channel, number of associated MUs, packet throughput per second, radio type(s), model, firmware version, ESS and client bridges currently connected to the AP radio. Use this information to determine whether this AP provides better MU association support than the locating AP-5131 or warrants consideration as a member of a different mesh network.
4.
5. Click the Send Cfg to APs button to send your AP-5131’s configuration to other AP-5131s. The recipient AP-5131 must be the same single or dual-radio model as the AP-5131 sending the configuration. The sending and recipient AP-5131s must also be running the same major firmware version (i.e., 1.1 to 1.1).
Command Line Interface Reference
The AP-5131 Command Line Interface (CLI) is accessed through the serial port or a Telnet session. The AP-5131 CLI follows the same conventions as the Web-based user interface. The CLI does, however, provide an “escape sequence” to provide diagnostics for problem identification and resolution.
The AP-5131 CLI treats the following as invalid characters: | " & , \ ' < >
In order to avoid problems when using the AP-5131 CLI, these characters should be avoided.
8.
8.1.2 Accessing the CLI via Telnet
To connect to the AP-5131 CLI through a Telnet connection:
1. Telnet into the AP-5131 using an IP address of 192.168.0.1.
2. Enter the default username of admin and the default password of symbol. If this is your first time logging into the AP-5131, you are unable to access any of the AP-5131’s commands until the country code is set. A new password will also need to be created.
8.2 Admin and Common Commands
AP5131>admin>
Description: Displays admin configuration options. The items available under this command are shown below.
Syntax:
help      Displays general user interface help.
passwd    Changes the admin password.
summary   Shows a system summary.
network   Goes to the network submenu.
system    Goes to the system submenu.
stats     Goes to the stats submenu.
..        Goes to the parent menu.
/         Goes to the root menu.
save
quit
AP5131>admin>help
Description: Displays general CLI user interface help.
Syntax:
help      Displays command line help using combinations of function keys for navigation.
Example:
admin>help
?                        : display command help - Eg. ?, show ?, s?
* Restriction of “?”:    : “?” after a function argument is treated
                         : as an argument
                         : Eg. admin
Command Line Interface Reference 8-5 AP5131>admin>passwd Description: Changes the password for the admin login. Syntax: passwd Changes the admin password for AP-5131 access. This requires typing the old admin password and entering a new password and confirming it. Passwords can be up to 11 characters. The AP-5131 CLI treats the following as invalid characters: | " & , \ ' < > In order to avoid problems when using the AP-5131 CLI, these characters should be avoided.
8-6 AP-5131 Access Point Product Reference Guide AP5131>admin>summary Description: Displays the AP-5131’s system summary. Syntax: summary Displays a summary of high-level characteristics and settings for the WAN, LAN and WLAN. Example: admin>summary AP-5131 firmware version 1.1.0.0-xxx country code us serial number 00A0F8716A74 WLAN 1: WLAN Name WLAN1 ESS ID 101 Radio 11a, 11b/g VLAN VLAN1 Security Ploicy Default QoS Ploicy Default LAN1 Name: LAN1 LAN1 Mode: enable LAN1 IP: 0.0.0.
Command Line Interface Reference 8-7 AP5131>admin>.. Description: Displays the parent menu of the current menu. This command appears in all of the submenus under admin. In each case, it has the same function, to move up one level in the directory structure. Example: admin(network.lan)>..
8-8 AP-5131 Access Point Product Reference Guide AP5131>admin> / Description: Displays the root menu, that is, the top-level CLI menu. This command appears in all of the submenus under admin. In each case, it has the same function, to move up to the top level in the directory structure. Example: admin(network.
Command Line Interface Reference 8-9 AP5131>admin>save Description: Saves the configuration to system flash. The save command appears in all of the submenus under admin. In each case, it has the same function, to save the current configuration. Syntax: save Saves configuration settings. The save command works at all levels of the CLI. The save command must be issued before leaving the CLI for updated settings to be retained.
8-10 AP-5131 Access Point Product Reference Guide AP5131>admin>quit Description: Exits the command line interface session and terminates the session. The quit command appears in all of the submenus under admin. In each case, it has the same function, to exit out of the CLI. Once the quit command is executed, the login prompt displays again.
8.3 Network Commands

AP5131>admin(network)>

Description: Displays the network submenu. The items available under this command are shown below.

lan        Goes to the LAN submenu.
wan        Goes to the WAN submenu.
wireless   Goes to the Wireless Configuration submenu.
firewall   Goes to the firewall submenu.
router     Goes to the router submenu.
..         Goes to the parent menu.
/          Goes to the root menu.
save       Saves the current configuration to the system flash.
quit
8.3.1 Network LAN Commands

AP5131>admin(network.lan)>

Description: Displays the LAN submenu. The items available under this command are shown below.

show           Shows current AP-5131 LAN parameters.
set            Sets LAN parameters.
bridge         Goes to the mesh configuration submenu.
wlan-mapping   Goes to the WLAN/Lan/Vlan Mapping submenu.
dhcp           Goes to the LAN DHCP submenu.
type-filter    Goes to the Ethernet Type Filter submenu.
..             Goes to the parent menu.
/
save
quit
Command Line Interface Reference 8-13 AP5131>admin(network.lan)> show Description: Displays the AP-5131 LAN settings. Syntax: show Shows the settings for the AP-5131 LAN1 and LAN2 interfaces. Example: admin(network.lan)>show LAN On Ethernet Port : LAN1 LAN Ethernet Timeout : disable 802.1x Port Authentication: Username : admin Password : ******** ** LAN1 Information ** LAN Name : LAN1 LAN Interface : enable 802.11q Trunking : disable LAN IP mode : DHCP client IP Address : 192.168.0.
8-14 AP-5131 Access Point Product Reference Guide Primary DNS Server : 192.168.0.2 Secondary DNS Server : 192.168.0.3 WINS Server : 192.168.0.255 admin(network.lan)> For information on displaying LAN information using the applet (GUI), see Configuring the LAN Interface on page 5-1.
Command Line Interface Reference 8-15 AP5131>admin(network.lan)> set Description: Sets the LAN parameters for the LAN port. Syntax: set lan name ethernet-port-lan timeout trunking username passwd ip-mode ipadr mask dgw domain dns wins Enables or disables the AP-5131 LAN interface. Defines the LAN name by index. Defines which LAN (LAN 1 or LAN 2) is active on the AP-5131’s Ethernet port.
8.3.1.1 Network LAN, Bridge Commands

AP5131>admin(network.lan.bridge)>

Description: Displays the AP-5131 Bridge submenu.

show   Displays the mesh configuration parameters for the AP-5131’s LANs.
set    Sets the mesh configuration parameters for the AP-5131’s LANs.
..     Moves to the parent menu.
/      Goes to the root menu.
save   Saves the configuration to system flash.
quit   Quits the CLI and exits the session.
Command Line Interface Reference 8-17 AP5131>admin(network.lan.bridge)> show Description: Displays the mesh bridge configuration parameters for the AP-5131’s LANs. Syntax: show Displays the mesh bridge configuration parameters for the AP-5131’s LANs. Example: admin(network.lan.
8-18 AP-5131 Access Point Product Reference Guide AP5131>admin(network.lan.bridge)> set Description: Sets the mesh configuration parameters for the AP-5131’s LANs. Syntax: set priority hello msgage fwddelay ageout Sets bridge priority time in seconds (0-65535) for specified LAN. Sets bridge hello time in seconds (0-10) for specified LAN. Sets bridge message age time in seconds (6-40) for specified LAN.
8.3.1.2 Network LAN, WLAN-Mapping Commands

AP5131>admin(network.lan.wlan-mapping)>

Description: Displays the WLAN/Lan/Vlan Mapping submenu.

show       Displays the VLAN list currently defined for the AP-5131.
set        Sets the AP-5131 VLAN configuration.
create     Creates a new AP-5131 VLAN.
edit       Edits the properties of an existing AP-5131 VLAN.
delete     Deletes a VLAN.
lan-map    Maps AP-5131 existing WLANs to an enabled LAN.
vlan-map
..
/
save
quit
AP5131>admin(network.lan.wlan-mapping)> show

Description: Displays the VLAN list currently defined for the AP-5131. These parameters are defined with the set command.

Syntax:
show name       Displays the existing list of AP-5131 VLAN names.
     vlan-cfg   Shows WLAN-VLAN mapping and VLAN configuration.
     lan-wlan   Displays a WLAN-LAN mapping summary.
     wlan       Displays the WLAN summary list.

Example: admin(network.lan.
Command Line Interface Reference 8-21 admin(network.lan.wlan-mapping)>show wlan WLAN1: WLAN Name :WLAN1 ESSID :101 Radio : VLAN : Security Policy :Default QoS Policy :Default For information on displaying the AP-5131 VLAN screens using the applet (GUI), see Configuring VLAN Support on page 5-4.
AP5131>admin(network.lan.wlan-mapping)> set

Description: Sets VLAN parameters for the AP-5131.

Syntax:
set mgmt-tag     Defines the Management VLAN tag (1-4095).
    native-tag   Sets the Native VLAN tag (1-4095).
    mode         Sets WLAN VLAN mode (WLAN 1-16) to either dynamic or static.

Example:
admin(network.lan.wlan-mapping)>set mgmt-tag 1
admin(network.lan.wlan-mapping)>set native-tag 2
admin(network.lan.
Command Line Interface Reference 8-23 AP5131>admin(network.lan.wlan-mapping)> create Description: Creates a VLAN for the AP-5131. Syntax: create vlan-id vlan-name Defines the VLAN ID (1-4095). Specifies the name of the VLAN (1-31 characters in length). Example: admin(network.lan.wlan-mapping)> admin(network.lan.wlan-mapping)>create 5 vlan-5 For information on creating VLANs using the applet (GUI), see Configuring VLAN Support on page 5-4.
AP5131>admin(network.lan.wlan-mapping)> edit

Description: Modifies a VLAN’s name and ID.

Syntax:
edit name   Modifies an existing VLAN name (1-31 characters in length).
     id     Modifies an existing VLAN ID (1-4095).

For information on editing VLANs using the applet (GUI), see Configuring VLAN Support on page 5-4.
Command Line Interface Reference 8-25 AP5131>admin(network.lan.wlan-mapping)> delete Description: Deletes a specific VLAN or all VLANs. Syntax: delete < VLAN id> Deletes a specific VLAN ID (1-16). all Deletes all defined VLANs. For information on deleting VLANs using the applet (GUI), see Configuring VLAN Support on page 5-4.
8-26 AP-5131 Access Point Product Reference Guide AP5131>admin(network.lan.wlan-mapping)> lan-map Description: Maps an AP-5131 VLAN to a WLAN. Syntax: .. lan-map Maps an existing WLAN to an enabled AP-5131 LAN. All names and IDs are case-sensitive. admin(network.lan.wlan-mapping)>lan-map wlan1 lan1 For information on mapping VLANs using the applet (GUI), see Configuring VLAN Support on page 5-4.
Command Line Interface Reference 8-27 AP5131>admin(network.lan.wlan-mapping)> vlan-map Description: Maps an AP-5131 VLAN to a WLAN. Syntax: vlan-map Maps an existing WLAN to an enabled AP-5131 LAN. All names and IDs are case-sensitive. admin(network.lan.wlan-mapping)>vlan-map wlan1 vlan1 For information on mapping VLANs using the applet (GUI), see Configuring VLAN Support on page 5-4.
8.3.1.3 Network LAN, DHCP Commands

AP5131>admin(network.lan.dhcp)>

Description: Displays the AP-5131 DHCP submenu. The items available are displayed below.

show     Displays DHCP parameters.
set      Sets DHCP parameters.
add      Adds static DHCP address assignments.
delete   Deletes static DHCP address assignments.
list     Lists static DHCP address assignments.
..       Goes to the parent menu.
/        Goes to the root menu.
save     Saves the configuration to system flash.
quit
Command Line Interface Reference 8-29 AP5131>admin(network.lan.dhcp)> show Description: Shows DHCP parameter settings. Syntax: show Displays DHCP parameter settings for the AP-5131. These parameters are defined with the set command. Example: admin(network.lan.dhcp)>show **LAN1 DHCP Information** DHCP Address Assignment Range: Starting IP Address Ending IP Address Lease Time : 192.168.0.100 : 192.168.0.
8-30 AP-5131 Access Point Product Reference Guide AP5131>admin(network.lan.dhcp)> set Description: Sets DHCP parameters for the LAN port. Syntax: set range lease Sets the DHCP assignment range from IP address to IP address for the specified LAN. Sets the DHCP lease time in seconds (1-999999) for the specified LAN. Example: admin(network.lan.dhcp)>set range 1 192.168.0.100 192.168.0.254 admin(network.lan.dhcp)>set lease 1 86400 admin(network.
Command Line Interface Reference 8-31 AP5131>admin(network.lan.dhcp)> add Description: Adds static DHCP address assignments. Syntax: add Adds a reserved static IP address to a MAC address for the specified LAN. Example: admin(network.lan.dhcp)>add 1 00A0F8112233 192.160.24.6 admin(network.lan.dhcp)>add 1 00A0F1112234 192.169.24.7 admin(network.lan.
8-32 AP-5131 Access Point Product Reference Guide AP5131>admin(network.lan.dhcp)> delete Description: Deletes static DHCP address assignments. Syntax: delete all Deletes the static DHCP address entry for the specified LAN. Deletes all static DHCP addresses. Example: admin(network.lan.
Command Line Interface Reference 8-33 AP5131>admin(network.lan.dhcp)> list Description: Lists static DHCP address assignments. Syntax: list Lists the static DHCP address assignments for the specified LAN. Example: admin(network.lan.dhcp)>list 1 ----------------------------------------------------------------------------Index MAC Address IP Address ----------------------------------------------------------------------------1 00A0F8112233 10.1.2.4 2 00A0F8102030 10.10.1.
8.3.1.4 Network Type Filter Commands

AP5131>admin(network.lan.type-filter)>

Description: Displays the AP-5131 Type Filter submenu. The items available under this command include:

show     Displays the current Ethernet Type exception list.
set      Defines Ethernet Type Filter parameters.
add      Adds an Ethernet Type Filter entry.
delete   Removes an Ethernet Type Filter entry.
..       Goes to the parent menu.
/        Goes to the root menu.
save
quit
Command Line Interface Reference 8-35 AP5131>admin(network.lan.type-filter)> show Description: Displays the AP-5131’s current Ethernet Type Filter configuration. Syntax: show Displays the existing Type-Filter configuration for the specified LAN. Example: admin(network.lan.
8-36 AP-5131 Access Point Product Reference Guide AP5131>admin(network.lan.type-filter)> set Description: Defines the AP-5131 Ethernet Type Filter configuration. Syntax: set mode allow or deny Allows or denies the AP-5131 from processing a specified Ethernet data type for the specified LAN. Example: admin(network.lan.type-filter)>set mode 1 allow For information on configuring the AP-5131’s type filter settings using the applet (GUI), see Setting the Type Filter Configuration on page 5-13.
Command Line Interface Reference 8-37 AP5131>admin(network.lan.type-filter)> add Description: Adds an Ethernet Type Filter entry. Syntax: add Adds entered Ethernet Type to list of data types either allowed or denied AP-5131 processing permissions for the specified LAN. Example: admin(network.lan.type-filter)> admin(network.wireless.type-filter)>add 1 8137 admin(network.wireless.type-filter)>add 2 0806 admin(network.wireless.
8-38 AP-5131 Access Point Product Reference Guide AP5131>admin(network.lan.type-filter)> delete Description: Removes an Ethernet Type Filter entry individually or the entire Type Filter list. Syntax: delete all Deletes the specified Ethernet Type index entry (1 through 16). Deletes all Ethernet Type entries currently in list. Example: admin(network.lan.type-filter)>delete 1 1 admin(network.lan.
8.3.2 Network WAN Commands

AP5131>admin(network.wan)>

Description: Displays the WAN submenu. The items available under this command are shown below.

show      Displays the AP-5131 WAN configuration and the AP-5131’s current PPPoE configuration.
set       Defines the AP-5131’s WAN and PPPoE configuration.
nat       Displays the NAT submenu, wherein Network Address Translations (NAT) can be defined.
vpn
content
..
/
save
quit
AP5131>admin(network.wan)> show Description: Displays the AP-5131 WAN port parameters. Syntax: show Shows the general IP parameters for the WAN port along with settings for the WAN interface. Example: admin(network.wan)>show Status : enable WAN DHCP Client Mode : disable IP address : 0.0.0.0 Network Mask : 0.0.0.0 Default Gateway : 10.10.1.1 Primary DNS Server : 0.0.0.0 Secondary DNS Server : 0.0.0.
Command Line Interface Reference 8-41 AP5131>admin(network.wan)> set Description: Defines the configuration of the AP-5131 WAN port. Syntax: set wan dhcp ipadr enable/disable enable/disable mask dgw dns pppoe mode user passwd ka idle type enable/disable enable/disable
8.3.2.1 Network WAN NAT Commands

AP5131>admin(network.wan.nat)>

Description: Displays the NAT submenu. The items available under this command are shown below.

show     Displays the AP-5131’s current NAT parameters for the specified index.
set      Defines the AP-5131 NAT settings.
add      Adds NAT entries.
delete   Deletes NAT entries.
list     Lists NAT entries.
..       Goes to the parent menu.
/        Goes to the root menu.
save     Saves the configuration to system flash.
quit
Command Line Interface Reference 8-43 AP5131>admin(network.wan.nat)> show Description: Displays AP-5131 NAT parameters. Syntax: show Displays AP-5131 NAT parameters for the specified NAT index. Example: admin(network.wan.nat)>show 2 WAN IP Mode : disable WAN IP Address : 157.235.91.2 NAT Type : 1-to-many One to many nat mapping : LAN1 LAN2 Inbound Mappings : Port Forwarding unspecified port forwarding mode : enable unspecified port fwd. ip address : 111.223.222.1 admin(network.wan.
8-44 AP-5131 Access Point Product Reference Guide AP5131>admin(network.wan.nat)> set Description: Sets NAT inbound and outbound parameters. Syntax: set type ip inb outb mode enable/disable unspec-ip Sets the type of NAT translation for WAN address index (1-8) to (none, 1-to-1, or 1-to-many). Sets NAT IP mapping associated with WAN address to the specified IP address . Sets inbound NAT parameters.
Command Line Interface Reference 8-45 AP5131>admin(network.wan.nat)> add Description: Adds NAT entries.
8-46 AP-5131 Access Point Product Reference Guide AP5131>admin(network.wan.nat)> delete Description: Deletes NAT entries. Syntax: delete all Deletes a specified NAT index entry associated with the WAN. Deletes all NAT entries associated with the WAN. Example: admin(network.wan.
Command Line Interface Reference 8-47 AP5131>admin(network.wan.nat)> list Description: Lists AP-5131 NAT entries for the specified index. Syntax: list Lists the inbound NAT entries associated with WAN port. Example: admin(network.wan.
8.3.2.2 Network WAN, VPN Commands

AP5131>admin(network.wan.vpn)>

Description: Displays the VPN submenu. The items available under this command include:

add        Adds VPN tunnel entries.
set        Sets key exchange parameters.
delete     Deletes VPN tunnel entries.
list       Lists VPN tunnel entries.
reset      Resets all VPN tunnels.
stats      Lists security association status for the VPN tunnels.
ikestate   Displays an Internet Key Exchange (IKE) summary.
..
/
save
quit
Command Line Interface Reference 8-49 AP5131>admin(network.wan.vpn)> add Description: Adds a VPN tunnel entry. Syntax: add Creates a tunnel (1 to 13 characters) to gain access through local WAN IP from the remote subnet with address and subnet mask using the remote gateway . Example: admin(network.wan.vpn)>add 2 SJSharkey 209.235.44.31 206.107.22.46 255.255.255.224 206.107.22.
8-50 AP-5131 Access Point Product Reference Guide AP5131>admin(network.wan.vpn)> set Description: Sets VPN entry parameters. Syntax: set type Sets the tunnel type to Auto or Manual for the specified tunnel name. authalgo Sets the authentication algorithm for to (None, MD5, or SHA1).
salife          Defines the name of the tunnel the Security Association Life Time <300-65535> applies to in seconds.
ike opmode      Sets the Operation Mode of IKE for to Main or Aggr(essive).
    myidtype    Sets the Local ID type for IKE authentication for (1 to 13 characters) to (IP, FQDN, or UFQDN).
8-52 AP-5131 Access Point Product Reference Guide AP5131>admin(network.wan.vpn)> delete Description: Deletes VPN tunnel entries. Syntax: delete all Deletes all VPN entries. Deletes VPN entries . Example: admin(network.wan.vpn)>list -------------------------------------------------------------------------Tunnel Name Type Remote IP/Mask Remote Gateway Local WAN IP -------------------------------------------------------------------------Eng2EngAnnex Manual 192.168.32.2/24 192.168.33.
Command Line Interface Reference 8-53 AP5131>admin(network.wan.vpn)> list Description: Lists VPN tunnel entries. Syntax: list Lists all tunnel entries. Lists detailed information about tunnel named . Note that the must match case with the name of the VPN tunnel entry Example: admin(network.wan.
8-54 AP-5131 Access Point Product Reference Guide AP5131>admin(network.wan.vpn)> reset Description: Resets all of the AP-5131’s VPN tunnels. Syntax: reset Resets all VPN tunnels. Example: admin(network.wan.vpn)>reset VPN tunnels reset. admin(network.wan.vpn)> For information on configuring VPN using the applet (GUI), see Configuring VPN Tunnels on page 6-34.
Command Line Interface Reference 8-55 AP5131>admin(network.wan.vpn)> stats Description: Lists statistics for all active tunnels. Syntax: stats Display statistics for all VPN tunnels. Example: admin(network.wan.
8-56 AP-5131 Access Point Product Reference Guide AP5131>admin(network.wan.vpn)> ikestate Description: Displays statistics for all active tunnels using Internet Key Exchange (IKE). Syntax: ikestate Displays status about Internet Key Exchange (IKE) for all tunnels. In particular, the table indicates whether IKE is connected for any of the tunnels, it provides the destination IP address, and the remaining lifetime of the IKE key. Example: admin(network.wan.
Command Line Interface Reference 8-57 8.3.3 Network Wireless Commands AP5131>admin(network.wireless) Description: Displays the AP-5131 wireless submenu. The items available under this command include: wlan security Displays the WLAN submenu used to create and configure up to 16 WLANs per AP-5131. Displays the security submenu used to create encryption and authentication based security policies for use with AP-5131 WLANs.
8.3.3.1 Network WLAN Commands

AP5131>admin(network.wireless.wlan)>

Description: Displays the AP-5131 wireless LAN (WLAN) submenu. The items available under this command include:

show      Displays the AP-5131’s current WLAN configuration.
create    Defines the parameters of a new WLAN.
edit      Modifies the properties of an existing WLAN.
delete    Deletes an existing WLAN.
hotspot   Displays the WLAN hotspot menu.
..        Goes to the parent menu.
/
save
quit
Command Line Interface Reference 8-59 AP5131>admin(network.wireless.wlan)> show Description: Displays the AP-5131’s current WLAN configuration. Syntax: show summary wlan Displays the current configuration for existing WLANs. Displays the configuration for the requested WLAN (WLAN 1 through 16). Example: admin(network.wireless.wlan)>show summary WLAN1 WLAN Name : Lobby ESSID : 101 Radio : 11a, 11b/g VLAN : Security Policy : Default QoS Policy : Default admin(network.wireless.
8-60 AP-5131 Access Point Product Reference Guide AP5131>admin(network.wireless.wlan)> create Description: Defines the parameters of a new AP-5131 WLAN. Syntax: sh create show set wlan ess wlan-name 11a 11bg mesh hotspot max-mu security acl passwd no-mu-mu sbeacon bcast qos add-wlan .. Displays newly created WLAN and policy number. Defines the ESSID for a target WLAN.
Command Line Interface Reference 8-61 Accept Broadcast ESSID : disable QoS Policy : Default admin(network.wireless.wlan.create)>show security ---------------------------------------------------------------------Secu Policy Name Authen Encryption Associated WLANs ---------------------------------------------------------------------1 Default Manual no encrypt Front Lobby 2 WEP Demo Manual WEP 64 2nd Floor 3 Open Manual no encrypt 1st Floor admin(network.wireless.wlan.
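The show security listing above is where a policy with no encryption or with WEP, and the WLANs it is bound to, becomes visible. The following Python audit of a captured listing is an added example, not code from this guide or from Symbol; the column spacing (two or more spaces between columns), the fourth sample row and all function names are assumptions.

```python
import re

# Constructed sample. Rows 1-3 are the policies shown in the guide's
# "show security" example; row 4 is constructed to show an unassigned policy.
# Assumption: columns are separated by two or more spaces, because the
# original fixed-width console layout is not preserved on the page.
SAMPLE_OUTPUT = """\
admin(network.wireless.wlan.create)>show security
----------------------------------------------------------------------
Secu Policy Name    Authen    Encryption    Associated WLANs
----------------------------------------------------------------------
1   Default         Manual    no encrypt    Front Lobby
2   WEP Demo        Manual    WEP 64        2nd Floor
3   Open            Manual    no encrypt    1st Floor
4   Spare WEP       Manual    WEP 64
admin(network.wireless.wlan.create)>
"""

ROW = re.compile(r"^\s*(\d+)\s+(.*\S)\s*$")   # policy index, then the rest
GAP = re.compile(r"\s{2,}")                   # assumed column separator

WEAK = {
    "none": "no encryption: frames on this WLAN are sent in the clear",
    "wep": "WEP: the cipher is broken and gives no real confidentiality",
}


def parse_policies(text):
    """Return one dict per policy row; prompts, rules and headers are skipped."""
    policies = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        fields = GAP.split(m.group(2))
        if len(fields) < 3:
            # Fail closed: an unreadable row must not pass the audit silently.
            raise ValueError("cannot split policy row into columns: %r" % line)
        policies.append({
            "index": int(m.group(1)),
            "name": fields[0],
            "auth": fields[1],
            "encryption": fields[2],
            "wlans": ", ".join(fields[3:]),   # empty when nothing is bound
        })
    return policies


def classify(encryption):
    """Map the Encryption column to a weakness key, or None if not flagged."""
    enc = encryption.strip().lower()
    if enc == "no encrypt":
        return "none"
    if enc.startswith("wep"):
        return "wep"
    return None


def audit(text):
    """List weak policies; those bound to a WLAN are rated high, others low."""
    findings = []
    for p in parse_policies(text):
        issue = classify(p["encryption"])
        if issue is None:
            continue
        findings.append({
            "index": p["index"],
            "policy": p["name"],
            "wlans": p["wlans"],
            "issue": issue,
            "severity": "high" if p["wlans"] else "low",
            "detail": WEAK[issue],
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_OUTPUT):
        print("[%s] policy %d (%s) on WLANs [%s]: %s" % (
            f["severity"], f["index"], f["policy"], f["wlans"], f["detail"]))
```

Only the two Encryption values visible in the guide's example are classified; any other value is passed over rather than judged.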
AP5131>admin(network.wireless.wlan)> edit

Description: Edits the properties of an existing WLAN policy.

Syntax:
edit     Edits the properties of an existing WLAN policy.
show     Displays the WLAN’s parameters and summary.
set      Edits the same WLAN parameters that can be modified using the create command.
change   Completes the WLAN edits and exits the CLI session.
..       Cancels the WLAN edits and exits the CLI session.
Command Line Interface Reference 8-63 AP5131>admin(network.wireless.wlan)> delete Description: Deletes an existing WLAN. Syntax: delete Deletes a target WLAN by name supplied. all Deletes all WLANs defined. For information on deleting a WLAN using the applet (GUI), see Creating/Editing Individual WLANs on page 5-24.
AP5131>admin(network.wireless.wlan.hotspot)>

Description: Displays the Hotspot submenu. The items available under this command include:

show          Show hotspot parameters.
redirection   Goes to the hotspot redirection menu.
radius        Goes to the hotspot Radius menu.
white-list    Goes to the hotspot white-list menu.
save          Saves the configuration to system flash.
quit          Quits the CLI.
..            Goes to the parent menu.
/             Goes to the root menu.
Command Line Interface Reference 8-65 AP5131>admin(network.wireless.wlan.hotspot)> show Description: Displays the current AP-5131 Rogue AP detection configuration. Syntax: show hotspot Shows hotspot parameters per wlan index (1-16). Example: admin(network.wireless.wlan.hotspot)>show hotspot 1 WLAN1 Hotspot Mode : enable Hotspot Page Location : default External Login URL : www.sjsharkey.com External Welcome URL : External Fail URL : Primary Server Ip adr :157.235.21.
AP5131>admin(network.wireless.wlan.hotspot)> redirection Description: Goes to the hotspot redirection menu. Syntax: redirection set show save quit .. / Sets the hotspot http-re-direction by index (1-16) for the specified URL. Shows hotspot http-redirection details for specified index (1-16) for specified page (login, welcome, fail) and target URL. Shows hotspot http-redirection details.
AP5131>admin(network.wireless.wlan.hotspot)> radius

Description: Goes to the hotspot Radius menu.

Syntax:
set    Sets the Radius hotspot configuration.
show   Shows Radius hotspot server details.
save   Saves the configuration to system flash.
quit   Quits the CLI.
..     Goes to the parent menu.
/      Goes to the root menu.

For information on configuring the Hotspot options available to the AP-5131 using the applet (GUI), see Configuring WLAN Hotspot Support on page 5-40.
8-68 AP-5131 Access Point Product Reference Guide AP5131>admin(network.wireless.wlan.hotspot.radius)> set Description: Sets the Radius hotspot configuration.
Command Line Interface Reference 8-69 AP5131>admin(network.wireless.wlan.hotspot.radius)> show Description: Shows Radius hotspot server details. Syntax: show radius Displays Radius hotspot server details per index (1-16) Example: admin(network.wireless.wlan.hotspot.radius)>show radius 1 Primary Server Ip adr : 157.235.12.12 Primary Server Port : 1812 Primary Server Secret : ****** Secondary Server Ip adr : 0.0.0.
AP5131>admin(network.wireless.wlan.hotspot)> white-list

Description: Goes to the hotspot white-list menu.

Syntax:
white-list add     Adds hotspot whitelist rules by index (1-16) for specified IP address.
           clear   Clears hotspot whitelist rules for specified index (1-16).
           show    Shows hotspot whitelist rules for specified index (1-16).
           save    Saves the updated hotspot configuration to flash memory.
           quit    Quits the CLI session.
           ..      Goes to the parent menu.
           /
8.3.3.2 Network Security Commands

AP5131>admin(network.wireless.security)>

Description: Displays the AP-5131 wireless security submenu. The items available under this command include:

show     Displays the AP-5131’s current security configuration.
create   Defines the parameters of a security policy.
edit     Edits the properties of an existing security policy.
delete   Removes a specific security policy.
..       Goes to the parent menu.
/        Goes to the root menu.
save
quit
8-72 AP-5131 Access Point Product Reference Guide AP5131>admin(network.wireless.security)> show Description: Displays the AP-5131’s current security configuration. Syntax: show summary policy Displays list of existing security policies (1-16). Displays the specified security policy . Example: admin(network.wireless.
Command Line Interface Reference 8-73 AP5131>admin(network.wireless.security)> create Description: Defines the parameter of AP-5131 security policies.
Syntax: create Defines the parameters of a security policy. show set Displays new or existing security policy parameters. sec-name Sets the name of the security policy. auth Sets the authentication type for WLAN to (none, eap, or kerberos). Note: Kerberos parameters are only in effect if "kerberos" is specified for the authentication method (set auth ). kerb realm Sets the Kerberos realm.
accounting adv retry Sets the maximum number of reauthentication retries (1-99). mode Enable or disable Radius accounting. server port secret timeout Set external Radius server IP address. Set external Radius server port number. Set external Radius server shared secret password. Defines MU timeout period in seconds (1-255). retry Sets the maximum number of MU retries to (1-10).
8-76 AP-5131 Access Point Product Reference Guide weppasskey keyguard The passkey used as a text abbreviation for the entire key length (4-32). index Selects the WEP/KeyGuard key (from one of the four potential values of (1-4). hex-key Sets the WEP/KeyGuard key for key index (1-4) for WLAN to . ascii-key Sets the WEP/KeyGuard key for key index (1-4) for WLAN to .
Command Line Interface Reference 8-77 preauth Enables or disables preauthentication (fast roaming). add-policy Adds the policy and exits. .. Disregards the policy creation and exits the CLI session. For information on configuring the encryption and authentication options available to the AP-5131 using the applet (GUI), see Configuring Security Options on page 6-2.
8-78 AP-5131 Access Point Product Reference Guide AP5131>admin(network.wireless.security.edit)> Description: Edits the properties of a specific security policy. Syntax: show set change .. Displays the new or modified security policy parameters. Edits security policy parameters. Completes policy changes and exits the session. Cancels the changes made and exits the session. Example: admin(network.wireless.security)>edit 1 admin(network.wireless.security.
Command Line Interface Reference 8-79 AP5131>admin(network.wireless.security)> delete Description: Deletes a specific security policy. Syntax: delete Removes the specified security policy for the list supported. Removes all security policies except the default policy. For information on configuring the encryption and authentication options available to the AP-5131 using the applet (GUI), see Configuring Security Options on page 6-2.
8.3.3.3 Network ACL Commands

AP5131>admin(network.wireless.acl)>

Description: Displays the AP-5131 Mobile Unit Access Control List (ACL) submenu. The items available under this command include:

show     Displays the AP-5131’s current ACL configuration.
create   Creates an MU ACL policy.
edit     Edits the properties of an existing MU ACL policy.
delete   Removes an MU ACL policy.
..       Goes to the parent menu.
/        Goes to the root menu.
save
quit
Command Line Interface Reference 8-81 AP5131>admin(network.wireless.acl)> show Description: Displays the AP-5131’s current ACL configuration. Syntax: show summary policy Displays the list of existing MU ACL policies. Displays the requested MU ACL index policy. Example: admin(network.wireless.
8-82 AP-5131 Access Point Product Reference Guide AP5131>admin(network.wireless.acl)> create Description: Creates an MU ACL policy. Syntax: create show set add-addr delete add-policy .. acl-name mode Displays the parameters of a new ACL policy. Sets the MU ACL policy name. Sets the ACL mode for the defined index (1-16). Allowed MUs can access the AP-5131 managed LAN. Options are deny and allow. Adds specified MAC address to list of ACL MAC addresses.
Command Line Interface Reference 8-83 AP5131>admin(network.wireless.acl.edit)> Description: Edits the properties of an existing MU ACL policy. Syntax: show set add-addr delete change .. Displays MU ACL policy and its parameters. Modifies the properties of an existing MU ACL policy. Adds an MU ACL table entry. Deletes an MU ACL table entry, including starting and ending MAC address ranges. Completes the changes made and exits the session. Cancels the changes made and exits the session.
AP5131>admin(network.wireless.acl)> delete Description: Removes an MU ACL policy. Syntax: delete all Deletes a particular MU ACL policy. Deletes all MU ACL policies. For information on configuring the ACL options available to the AP-5131 using the applet (GUI), see Configuring a WLAN Access Control List (ACL) on page 5-31.
8.3.3.4 Network Radio Configuration Commands

AP5131>admin(network.wireless.radio)>

Description: Displays the AP-5131 Radio submenu. The items available under this command include:

show     Summarizes AP-5131 radio parameters at a high-level.
set      Defines the AP-5131 radio configuration.
radio1   Displays the 802.11b/g radio submenu.
radio2   Displays the 802.11a radio submenu.
..       Goes to the parent menu.
/        Goes to the root menu.
save
quit
AP5131>admin(network.wireless.radio)> show
Description: Displays the AP-5131’s current radio configuration.
Syntax:
show    Displays the AP-5131’s current radio configuration.
Example:
admin(network.wireless.radio)>show
Radio Configuration
Radio 1 Name : Radio 1
Radio Mode : enable
RF Band of Operation : 802.11b/g (2.
AP5131>admin(network.wireless.radio)> set
Description: Enables an AP-5131 Radio and defines the RF band of operation.
Syntax:
set 11a            Enables or disables the AP-5131’s 802.11a radio.
set 11bg           Enables or disables the AP-5131’s 802.11b/g radio.
set mesh-base      Enables or disables base bridge mode.
set mesh-max       Sets the maximum number of wireless bridge clients.
set mesh-client    Enables or disables client bridge mode.
mesh-wlan
AP5131>admin(network.wireless.radio.radio1)>
Description: Displays a specific 802.11b/g radio submenu. The items available under this command include:
Syntax:
show        Displays 802.11b/g radio settings.
set         Defines specific 802.11b/g radio parameters.
advanced    Displays the Advanced radio settings submenu.
mesh        Goes to the Wireless AP Connections submenu.
..          Goes to the parent menu.
/           Goes to the root menu.
save        Saves the configuration to system flash.
quit
AP5131>admin(network.wireless.radio.radio1)> show
Description: Displays specific 802.11b/g radio settings.
Syntax:
show radio    Displays specific 802.11b/g radio settings.
show qos      Displays specific 802.11b/g radio WMM QoS settings.
Example:
admin(network.wireless.radio.radio1)>show radio
Radio Setting Information
Placement : indoor
MAC Address : 00A0F8715920
Radio Type : 802.
admin(network.wireless.radio.radio1)>show qos
Radio QOS Parameter Set 11g-default
----------------------------------------------------------------------------
Access Category  CWMin  CWMax  AIFSN  TXOPs (32 usec)  TXOPs ms
----------------------------------------------------------------------------
Background       15     1023   7      0                0.000
Best Effort      15     63     3      31               0.992
Video            7      15     1      94               3.008
Voice            3      7      1      47               1.
AP5131>admin(network.wireless.radio.802-11bg)> set
Description: Defines specific 802.11b/g radio parameters.
Syntax:
set placement    Defines the AP-5131 radio placement as indoors or outdoors.
set ch-mode      Determines how the radio channel is selected.
set channel      Defines the actual channel used by the radio.
set antenna      Sets the radio antenna power.
set power        Defines the radio antenna power transmit level.
set bg-mode      Enables or disables 802-11bg radio mode support.
AP5131>admin(network.wireless.radio.802-11bg.advanced)>
Description: Displays the advanced submenu for the 802.11b/g radio. The items available under this command include:
Syntax:
show    Displays advanced radio settings for the 802.11b/g radio.
set     Defines advanced parameters for the 802.11b/g radio.
..      Goes to the parent menu.
/       Goes to the root menu.
save    Saves the configuration to system flash.
quit    Quits the CLI.
AP5131>admin(network.wireless.radio.802-11bg.advanced)> show
Description: Displays the BSSID to WLAN mapping for the 802.11b/g radio.
Syntax:
show advanced    Displays advanced settings for the 802.11b/g radio.
show wlan        Displays WLAN summary list for the 802.11b/g radio.
Example: admin(network.wireless.radio.802-11bg.
AP5131>admin(network.wireless.radio.802-11bg.advanced)> set
Description: Defines advanced parameters for the target 802.11b/g radio.
Syntax:
set wlan    Defines advanced WLAN to BSSID mapping for the target radio.
set bss     Sets the BSSID to primary WLAN definition.
Example:
admin(network.wireless.radio.802-11bg.advanced)>set wlan demoroom 1
admin(network.wireless.radio.802-11bg.
AP5131>admin(network.wireless.radio.radio2)>
Description: Displays a specific 802.11a radio submenu. The items available under this command include:
Syntax:
show        Displays 802.11a radio settings.
set         Defines specific 802.11a radio parameters.
advanced    Displays the Advanced radio settings submenu.
mesh        Goes to the Wireless AP Connections submenu.
..          Goes to the parent menu.
/           Goes to the root menu.
save        Saves the configuration to system flash.
quit        Quits the CLI.
AP5131>admin(network.wireless.radio.802-11a)> show
Description: Displays specific 802.11a radio settings.
Syntax:
show radio    Displays specific 802.11a radio settings.
show qos      Displays specific 802.11a radio WMM QoS settings.
Example:
admin(network.wireless.radio.802-11a)>show radio
Radio Setting Information
Placement : indoor
MAC Address : 00A0F8715920
Radio Type : 802.
admin(network.wireless.radio.802-11a)>show qos
Radio QOS Parameter Set: 11a default
----------------------------------------------------------------------------
Access Category  CWMin  CWMax  AIFSN  TXOPs (32 usec)  TXOPs ms
----------------------------------------------------------------------------
Background       15     1023   7      0                0.000
Best Effort      15     63     3      31               0.992
Video            7      15     1      94               3.008
Voice            3      7      1      47               1.
AP5131>admin(network.wireless.radio.802-11a)> set
Description: Defines specific 802.11a radio parameters.
Syntax:
set placement    Defines the AP-5131 radio placement as indoors or outdoors.
set ch-mode      Determines how the radio channel is selected.
set channel      Defines the actual channel used by the radio.
set antenna      Sets the radio antenna power.
set power        Defines the radio antenna power transmit level.
set rates        Sets the supported radio transmit rates.
AP5131>admin(network.wireless.radio.802-11a.advanced)>
Description: Displays the advanced submenu for the 802-11a radio. The items available under this command include:
Syntax:
show    Displays advanced radio settings for the 802-11a radio.
set     Defines advanced parameters for the 802-11a radio.
..      Goes to the parent menu.
/       Goes to the root menu.
save    Saves the configuration to system flash.
quit    Quits the CLI.
AP5131>admin(network.wireless.radio.802-11a.advanced)> show
Description: Displays the BSSID to WLAN mapping for the 802.11a radio.
Syntax:
show advanced    Displays advanced settings for the 802.11a radio.
show wlan        Displays WLAN summary list for 802.11a radio.
Example: admin(network.wireless.radio.802-11a.
AP5131>admin(network.wireless.radio.802-11a.advanced)> set
Description: Defines advanced parameters for the target 802.11a radio.
Syntax:
set wlan    Defines advanced WLAN to BSSID mapping for the target radio.
set bss     Sets the BSSID to primary WLAN definition.
Example:
admin(network.wireless.radio.802-11a.advanced)>set wlan demoroom 1
admin(network.wireless.radio.802-11a.
8.3.3.5 Network Quality of Service (QoS) Commands
AP5131>admin(network.wireless.qos)>
Description: Displays the AP-5131 Quality of Service (QoS) submenu. The items available under this command include:
show      Displays AP-5131 QoS policy information.
create    Defines the parameters of the QoS policy.
edit      Edits the settings of an existing QoS policy.
delete    Removes an existing QoS policy.
..        Goes to the parent menu.
/         Goes to the root menu.
save quit
AP5131>admin(network.wireless.qos)> show
Description: Displays the AP-5131’s current QoS policy by summary or individual policy.
Syntax:
show summary    Displays all existing QoS policies that have been defined.
show policy     Displays the configuration for the requested QoS policy.
Example: admin(network.wireless.
AP5131>admin(network.wireless.qos.create)>
Description: Defines an AP-5131 QoS policy.
Syntax: show set qos-name vop mcast wmm-qos param-set cwmin cwmax aifsn txops default add-policy ..
Displays QoS policy parameters. Sets the QoS name for the specified index entry.
AP5131>admin(network.wireless.qos.edit)>
Description: Edits the properties of an existing QoS policy.
Syntax: show set qos-name vop mcast wmm-qos param-set cwmin cwmax aifsn txops default change ..
Displays QoS policy parameters. Sets the QoS name for the specified index entry.
AP5131>admin(network.wireless.qos)> delete
Description: Removes a QoS policy.
Syntax:
delete    Deletes the specified QoS policy index, or all of the policies.
For information on configuring the WLAN QoS options available to the AP-5131 using the applet (GUI), see Setting the WLAN Quality of Service (QoS) Policy on page 5-34.
8.3.3.6 Network Bandwidth Management Commands
AP5131>admin(network.wireless.bandwidth)>
Description: Displays the AP-5131 Bandwidth Management submenu. The items available under this command include:
show    Displays Bandwidth Management information for how data is processed by the AP-5131.
set     Defines Bandwidth Management parameters for the AP-5131.
..      Goes to the parent menu.
/       Goes to the root menu.
save    Saves the configuration to system flash.
quit    Quits the CLI.
AP5131>admin(network.wireless.bandwidth)> show
Description: Displays the AP-5131’s current Bandwidth Management configuration.
Syntax:
show    Displays the current Bandwidth Management configuration for defined WLANs and how they are weighted.
Example: admin(network.wireless.
AP5131>admin(network.wireless.bandwidth)> set
Description: Defines the AP-5131 Bandwidth Management configuration.
Syntax:
set mode      Defines bandwidth share mode of First In First Out, Round Robin or Weighted Round Robin.
set weight    Assigns a bandwidth share allocation for the WLAN when Weighted Round Robin is selected. The weighting is from 1-10.
8.3.3.7 Network Rogue-AP Commands
AP5131>admin(network.wireless.rogue-ap)>
Description: Displays the Rogue AP submenu. The items available under this command include:
show            Displays the current AP-5131 Rogue AP detection configuration.
set             Defines the Rogue AP detection method.
mu-scan         Goes to the Rogue AP mu-scan submenu.
allowed-list    Goes to the Rogue AP Allowed List submenu.
active-list rogue-list .. / save quit
AP5131>admin(network.wireless.rogue-ap)> show
Description: Displays the current AP-5131 Rogue AP detection configuration.
Syntax:
show    Displays the current AP-5131 Rogue AP detection configuration.
Example: admin(network.wireless.
AP5131>admin(network.wireless.rogue-ap)> set
Description: Defines the AP-5131 ACL rogue AP method.
Syntax:
set mu-scan     Enables or disables permission for MUs to scan for rogue APs.
set interval    Defines an interval for associated MUs to beacon in attempting to locate rogue APs. Value not available unless mu-scan is enabled.
on-channel detector-scan symbol-ap applst-ageout roglst-ageout
AP5131>admin(network.wireless.rogue-ap.mu-scan)>
Description: Displays the Rogue-AP mu-scan submenu.
Syntax:
show     Displays all APs located by the MU scan.
start    Initiates scan immediately by the MU.
..       Goes to the parent menu.
/        Goes to the root menu.
save     Saves the configuration to system flash.
quit     Quits the CLI.
AP5131>admin(network.wireless.rogue-ap.mu-scan)> start
Description: Initiates an MU scan from a user provided MAC address.
Syntax:
start    Initiates MU scan from user provided MAC address.
For information on configuring the Rogue AP options available to the AP-5131 using the applet (GUI), see Configuring Rogue AP Detection on page 6-53.
AP5131>admin(network.wireless.rogue-ap.mu-scan)> show
Description: Displays the results of an MU scan.
Syntax:
show    Displays all APs located by the MU scan.
For information on configuring the Rogue AP options available to the AP-5131 using the applet (GUI), see Configuring Rogue AP Detection on page 6-53.
AP5131>admin(network.wireless.rogue-ap.allowed-list)>
Description: Displays the Rogue-AP allowed-list submenu.
show      Displays the rogue AP allowed list.
add       Adds an AP MAC address and ESSID to the allowed list.
delete    Deletes an entry or all entries from the allowed list.
..        Goes to the parent menu.
/         Goes to the root menu.
save      Saves the configuration to system flash.
quit      Quits the CLI.
AP5131>admin(network.wireless.rogue-ap.allowed-list)> show
Description: Displays the Rogue AP allowed List.
Syntax:
show    Displays the rogue-AP allowed list.
Example: admin(network.wireless.rogue-ap.
AP5131>admin(network.wireless.rogue-ap.allowed-list)> add
Description: Adds an AP MAC address and ESSID to existing allowed list.
Syntax:
add    Adds an AP MAC address and ESSID to existing allowed list. Use a “*” for any ESSID.
Example:
admin(network.wireless.rogue-ap.allowed-list)>add 00A0F83161BB 103
admin(network.wireless.rogue-ap.
AP5131>admin(network.wireless.rogue-ap.allowed-list)> delete
Description: Deletes an AP MAC address and ESSID from the existing allowed list.
Syntax:
delete    Deletes an AP MAC address and ESSID (or all addresses) from the allowed list.
For information on configuring the Rogue AP options available to the AP-5131 using the applet (GUI), see Configuring Rogue AP Detection on page 6-53.
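The following is an added example, not code from the guide or from the AP-5131 firmware: an offline audit that checks a list of observed APs against allowed-list entries of the kind the add command takes (a MAC address plus an ESSID, with “*” for any ESSID). The matching rule, the record layout and all sample values except the guide's own 00A0F83161BB / 103 pair are assumptions made for illustration.

```python
import re

WILDCARD = "*"  # the guide's marker for "any ESSID" in an allowed-list entry


def normalize_mac(mac):
    """Return a MAC as 12 uppercase hex digits, the form used in the guide's
    `add 00A0F83161BB 103` example. ':' '-' and '.' separators are accepted."""
    digits = re.sub(r"[:.\-]", "", mac.strip()).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def parse_allowed_list(lines):
    """Parse 'MAC ESSID' records (one per line) into (mac, essid) tuples.
    The record layout mirrors the arguments of `add`; it is not CLI output."""
    entries = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        mac, _, essid = line.partition(" ")  # ESSIDs may contain spaces
        essid = essid.strip()
        if not essid:
            raise ValueError(f"entry has no ESSID (use '*' for any): {raw!r}")
        entries.append((normalize_mac(mac), essid))
    return entries


def is_allowed(bssid, essid, allowed):
    """Assumed rule: the MAC must match exactly, and the entry's ESSID must
    either equal the advertised ESSID or be the '*' wildcard."""
    mac = normalize_mac(bssid)
    return any(mac == a_mac and a_essid in (WILDCARD, essid)
               for a_mac, a_essid in allowed)


def classify(observed, allowed):
    """Split observed (bssid, essid) pairs into (allowed, suspect) lists."""
    ok, suspect = [], []
    for bssid, essid in observed:
        record = (normalize_mac(bssid), essid)
        (ok if is_allowed(bssid, essid, allowed) else suspect).append(record)
    return ok, suspect


def wildcard_entries(allowed):
    """MACs trusted under any ESSID; review these first, since the ESSID
    check is skipped for them."""
    return [mac for mac, essid in allowed if essid == WILDCARD]


# Constructed sample data. Only the first allowed entry comes from the guide.
ALLOWED_SAMPLE = [
    "# MAC ESSID",
    "00A0F83161BB 103",
    "00:A0:F8:71:59:20 *",
]
OBSERVED_SAMPLE = [
    ("00:a0:f8:31:61:bb", "103"),        # listed MAC, listed ESSID
    ("00A0F83161BB", "guest"),           # listed MAC, unexpected ESSID
    ("00-A0-F8-71-59-20", "warehouse"),  # listed MAC with wildcard ESSID
    ("02:00:00:00:00:01", "103"),        # unlisted MAC using a known ESSID
]

if __name__ == "__main__":
    allowed = parse_allowed_list(ALLOWED_SAMPLE)
    ok, suspect = classify(OBSERVED_SAMPLE, allowed)
    for mac, essid in suspect:
        print(f"SUSPECT  {mac}  essid={essid!r}")
    for mac in wildcard_entries(allowed):
        print(f"REVIEW   {mac}  allowed under any ESSID")
```

The two suspect cases differ in meaning: a listed MAC advertising an unexpected ESSID points at a misconfigured or imitated AP, while an unlisted MAC advertising a known ESSID is the classic rogue-AP signature.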
8.3.4 Network Firewall Commands
AP5131>admin(network.firewall)>
Description: Displays the AP-5131 firewall submenu. The items available under this command include:
show        Displays the AP-5131’s current firewall configuration.
set         Defines the AP-5131’s firewall parameters.
access      Enables/disables firewall permissions through the LAN and WAN ports.
advanced    Displays interoperability rules between the LAN and WAN ports.
..          Goes to the parent menu.
/ save quit
AP5131>admin(network.firewall)> show
Description: Displays the AP-5131 firewall parameters.
Syntax:
show    Shows all of the AP-5131’s firewall settings.
Example: admin(network.
AP5131>admin(network.firewall)> set
Description: Defines the AP-5131 firewall parameters.
Syntax:
set mode           Enables or disables the firewall.
set nat-timeout    Defines the NAT timeout value.
set syn            Enables or disables SYN flood attack check.
set src            Enables or disables source routing check.
set win            Enables or disables Winnuke attack check.
ftp ip seq mime len hdr filter
AP5131>admin(network.firewall)> access
Description: Enables or disables firewall permissions through LAN to WAN ports.
Syntax:
show      Displays LAN to WAN access rules.
set       Sets LAN to WAN access rules.
add       Adds LAN to WAN exception rules.
delete    Deletes LAN to WAN access exception rules.
list      Displays LAN to WAN access exception rules.
..        Goes to parent menu.
/         Goes to root menu.
save      Saves configuration to system flash.
quit      Quits and exits the CLI session.
AP5131>admin(network.firewall)> advanced
Description: Displays whether an AP-5131 firewall rule is intended for inbound traffic to an interface or outbound traffic from that interface.
Syntax:
show        Shows advanced subnet access parameters.
set         Sets advanced subnet access parameters.
import      Imports rules from subnet access.
inbound     Goes to the Inbound Firewall Rules submenu.
outbound    Goes to the Outbound Firewall Rules submenu.
.. / save quit
8.3.5 Network Router Commands
AP5131>admin(network.router)>
Description: Displays the router submenu. The items available under this command are:
show      Displays the existing AP-5131 router configuration.
set       Sets the RIP parameters.
add       Adds user-defined routes.
delete    Deletes user-defined routes.
list      Lists user-defined routes.
..        Goes to the parent menu.
/         Goes to the root menu.
save      Saves the configuration to system flash.
quit      Quits the CLI.
AP5131>admin(network.router)> show
Description: Shows the AP-5131 route table.
Syntax:
show    Shows the AP-5131 route table.
Example:
admin(network.router)>show routes
----------------------------------------------------------------------------
index  destination  netmask        gateway  interface  metric
----------------------------------------------------------------------------
1      192.168.2.0  255.255.255.0  0.0.0.0  lan1       0
2      192.168.1.0  255.255.255.0  0.0.0.
AP5131>admin(network.router)> set
Description: Shows the AP-5131 route table.
Syntax:
set auth         Sets the RIP authentication type.
set dir          Sets RIP direction.
set id           Sets MD5 authentication ID.
set key          Sets MD5 authentication key.
set passwd       Sets the password for simple authentication.
set type         Defines the RIP type.
set dgw-iface    Sets the default gateway interface.
AP5131>admin(network.router)> add
Description: Adds user-defined routes.
Syntax:
add    Adds a route with destination IP address, IP netmask, destination gateway IP address, interface LAN1, LAN2 or WAN, and metric set to (1-15).
Example:
admin(network.router)>add 192.168.3.0 255.255.255.0 192.168.2.1 LAN 1 1
admin(network.
AP5131>admin(network.router)> delete
Description: Deletes user-defined routes.
Syntax:
delete        Deletes the user-defined route (1-20) from list.
delete all    Deletes all user-defined routes.
Example:
admin(network.router)>list
----------------------------------------------------------------------------
index  destination  netmask        gateway  interface  metric
----------------------------------------------------------------------------
1      192.168.2.0  255.255.255.0  192.168.0.
AP5131>admin(network.router)> list
Description: Lists user-defined routes.
Syntax:
list    Displays a list of user-defined routes.
Example:
admin(network.router)>list
----------------------------------------------------------------------------
index  destination  netmask        gateway      interface  metric
----------------------------------------------------------------------------
1      192.168.2.0  255.255.255.0  192.168.0.1  lan1       1
2      192.168.1.0  255.255.255.0  0.0.0.
8.4 System Commands
AP5131>admin(system)>
Description: Displays the System submenu. The items available under this command are shown below.
restart    Restarts the AP-5131.
show       Shows AP-5131 system parameter settings.
set        Defines AP-5131 system parameter settings.
debug      Accesses AP-5131 password-protected debug information.
lastpw     Displays last debug password.
exec       Goes to a Linux command menu.
access cmgr snmp ntp logs config fw-update .. / save quit
AP5131>admin(system)>restart
Description: Restarts the AP-5131 access point.
Syntax:
restart    Restarts the AP-5131.
Example:
admin(system)>restart
********************************WARNING***********************************
** Unsaved configuration changes will be lost when the AP-5131 is reset.
** Please be sure to save changes before resetting.
AP5131>admin(system)>show
Description: Displays high-level AP-5131 system information.
Syntax:
show    Displays AP-5131 system information.
Example:
admin(system)>show
system name : BldgC
system location : Atlanta Field Office
admin email address : johndoe@mycompany.com
system uptime : 0 days 4 hours 41 minutes
AP-5131 firmware version : 1.1.0.
AP5131>admin(system)>set
Description: Sets AP-5131 system parameters.
Syntax:
set name    Sets the AP-5131 system name to (1 to 59 characters). The AP-5131 does not allow intermediate space characters between characters within the system name. For example, “ap5131 sales” must be changed to “ap5131sales” to be a valid system name.
set loc     Sets the AP-5131 system location to (1 to 59 characters).
email cc
8.4.1 System Debug and Last Password Commands
AP5131>admin(system)>debug
Description: Accesses AP-5131 debug information. This information is designed for field service use only, and should not be used by unqualified personnel.
Example:
admin(system)>debug
Debug Password:
AP-5131 MAC Address is 00:A0:F8:71:6A:74
Last Password was symbol12
AP5131>admin(system)>lastpw
Description: Displays the last debug password.
8.4.2 System Access Commands
AP5131>admin(system)>access
Description: Displays the AP-5131 access submenu.
show    Displays AP-5131 system access capabilities.
set     Goes to the AP-5131 system access submenu.
..      Goes to the parent menu.
/       Goes to the root menu.
save    Saves the current configuration to the AP-5131 system flash.
quit    Quits the CLI and exits the current session.
AP5131>admin(system.access)>set
Description: Defines the permissions to access the AP-5131 applet, CLI, SNMP as well as defining their timeout values.
Syntax:
set applet         Defines the applet HTTP/HTTPS access parameters.
set app-timeout    Sets the applet timeout. Default is 300 Mins.
set cli            Defines CLI Telnet access parameters.
ssh auth-timout inactivetimeout snmp admin-auth server port secret local/ RADIUS
AP5131>admin(system.access)>show
Description: Displays the current AP-5131 access permissions and timeout values.
Syntax:
show    Shows all of the current system access settings for the AP-5131.
Example: admin(system.
8.4.3 System Certificate Management Commands
AP5131>admin(system)>cmgr
Description: Displays the Certificate Manager submenu. The items available under this command include:
genreq      Generates a Certificate Request.
delself     Deletes a Self Certificate.
loadself    Loads a Self Certificate signed by CA.
listself    Lists the self certificate loaded.
loadca      Loads trusted certificate from CA.
delca listca showreq delprivkey listprivkey expcert impcert .. / save quit
AP5131>admin(system.cmgr)> genreq
Description: Generates a certificate request.
Syntax: genreq [-ou ] [-on ] [-cn ] ...
AP5131>admin(system.cmgr)> delself
Description: Deletes a self certificate.
Syntax:
delself    Deletes the self certificate named .
Example: admin(system.cmgr)>delself MyCert2
For information on configuring self certificate settings using the applet (GUI), see Creating Self Certificates for Accessing the VPN on page 4-10.
AP5131>admin(system.cmgr)> loadself
Description: Loads a self certificate signed by the Certificate Authority.
Syntax:
loadself    Load the self certificate signed by the CA with name .
For information on configuring self certificate settings using the applet (GUI), see Creating Self Certificates for Accessing the VPN on page 4-10.
AP5131>admin(system.cmgr)> listself
Description: Lists the loaded self certificates.
Syntax:
listself    Lists all self certificates that are loaded.
For information on configuring self certificate settings using the applet (GUI), see Creating Self Certificates for Accessing the VPN on page 4-10.
AP5131>admin(system.cmgr)> loadca
Description: Loads a trusted certificate from the Certificate Authority.
Syntax:
loadca    Loads the trusted certificate (in PEM format) that is pasted into the command line.
For information on configuring certificate settings using the applet (GUI), see Importing a CA Certificate on page 4-9.
AP5131>admin(system.cmgr)> delca
Description: Deletes a trusted certificate.
Syntax:
delca    Deletes the trusted certificate.
For information on configuring certificate settings using the applet (GUI), see Importing a CA Certificate on page 4-9.
AP5131>admin(system.cmgr)> listca
Description: Lists the loaded trusted certificate.
Syntax:
listca    Lists the loaded trusted certificates.
For information on configuring certificate settings using the applet (GUI), see Importing a CA Certificate on page 4-9.
AP5131>admin(system.cmgr)> showreq
Description: Displays a certificate request in PEM format.
Syntax:
showreq    Displays a certificate request named generated from the genreq command.
For information on configuring certificate settings using the applet (GUI), see Importing a CA Certificate on page 4-9.
AP5131>admin(system.cmgr)> delprivkey
Description: Deletes a private key.
Syntax:
delprivkey    Deletes private key named .
For information on configuring certificate settings using the applet (GUI), see Creating Self Certificates for Accessing the VPN on page 4-10.
AP5131>admin(system.cmgr)> listprivkey
Description: Lists the names of private keys.
Syntax:
listprivkey    Lists all private keys.
For information on configuring certificate settings using the applet (GUI), see Importing a CA Certificate on page 4-9.
AP5131>admin(system.cmgr)> expcert
Description: Exports the certificate file.
Syntax:
expcert    Exports the certificate file.
For information on configuring certificate settings using the applet (GUI), see Importing a CA Certificate on page 4-9.
AP5131>admin(system.cmgr)> impcert
Description: Imports the target certificate file.
Syntax:
impcert    Imports the target certificate file.
For information on configuring certificate settings using the applet (GUI), see Importing a CA Certificate on page 4-9.
8.4.4 System SNMP Commands
AP5131>admin(system)> snmp
Description: Displays the SNMP submenu. The items available under this command are shown below.
access    Goes to the SNMP access submenu.
traps     Goes to the SNMP traps submenu.
..        Goes to the parent menu.
/         Goes to the root menu.
save      Saves the configuration to system flash.
quit      Quits the CLI.
8.4.4.1 System SNMP Access Commands
AP5131>admin(system.snmp.access)
Description: Displays the SNMP Access menu. The items available under this command are shown below.
show      Shows SNMP v3 engine ID.
add       Adds SNMP access entries.
delete    Deletes SNMP access entries.
list      Lists SNMP access entries.
..        Goes to the parent menu.
/         Goes to the root menu.
save      Saves the configuration to system flash.
quit      Quits the CLI.
AP5131>admin(system.snmp.access)> show
Description: Shows the SNMP v3 engine ID.
Syntax:
show eid    Shows the SNMP v3 Engine ID.
Example:
admin(system.snmp.access)>show eid
AP-5131 snmp v3 engine id : 000001846B8B4567F871AC68
admin(system.snmp.access)>
For information on configuring SNMP access settings using the applet (GUI), see Configuring SNMP Access Control on page 4-23.
AP5131>admin(system.snmp.access)> add
Description: Adds SNMP access entries for specific v1v2 and v3 user definitions.
Syntax: add acl v1v2c v3
Adds an entry to the SNMP access control list with as the starting IP address and and as the ending IP address.
AP5131>admin(system.snmp.access)> delete
Description: Deletes SNMP access entries for specific v1v2 and v3 user definitions.
Syntax:
delete acl          Deletes entry (1-10) from the access control list.
delete acl all      Deletes all entries from the access control list.
delete v1v2c        Deletes entry (1-10) from the v1/v2 configuration list.
delete v1v2c all    Deletes all entries from the v1/v2 configuration list.
delete v3
delete v3 all
AP5131>admin(system.snmp.access)> list
Description: Lists SNMP access entries.
Syntax:
list acl       Lists SNMP access control list entries.
list v1v2c     Lists SNMP v1/v2c configuration.
list v3        Lists SNMP v3 user definition with index .
list v3 all    Lists all SNMP v3 user definitions.
Example: admin(system.snmp.
8.4.4.2 System SNMP Traps Commands
AP5131>admin(system.snmp.traps)
Description: Displays the SNMP traps submenu. The items available under this command are shown below.
show      Shows SNMP trap parameters.
set       Sets SNMP trap parameters.
add       Adds SNMP trap entries.
delete    Deletes SNMP trap entries.
list      Lists SNMP trap entries.
..        Goes to the parent menu.
/         Goes to the root menu.
save      Saves the configuration to system flash.
quit      Quits the CLI.
AP5131>admin(system.snmp.traps)> show
Description: Shows SNMP trap parameters.
Syntax:
show trap         Shows SNMP trap parameter settings.
show rate-trap    Shows SNMP rate-trap parameter settings.
Example: admin(system.snmp.
AP5131>admin(system.snmp.traps)> set
Description: Sets SNMP trap parameters.
AP5131>admin(system.snmp.traps)> add
Description: Adds SNMP trap entries.
Syntax:
add v1v2    Adds an entry to the SNMP v1/v2 access list with the destination IP address set to , the destination UDP port set to , the community string set to (1 to 31 characters), and the SNMP version set to .
AP5131>admin(system.snmp.traps)> delete
Description: Deletes SNMP trap entries.
Syntax:
delete v1v2c        Deletes entry from the v1v2c access control list.
delete v1v2c all    Deletes all entries from the v1v2c access control list.
delete v3           Deletes entry from the v3 access control list.
delete v3 all       Deletes all entries from the v3 access control list.
Example: admin(system.snmp.
AP5131>admin(system.snmp.traps)> list
Description: Lists SNMP trap entries.
Syntax:
list v1v2c     Lists SNMP v1/v2c access entries.
list v3        Lists SNMP v3 access entry .
list v3 all    Lists all SNMP v3 access entries.
Example:
admin(system.snmp.traps)>add v1v2 203.223.24.2 162 mycomm v1
admin(system.snmp.
8.4.5 System Network Time Protocol (NTP) Commands
AP5131>admin(system)> ntp
Description: Displays the NTP menu. The correct network time is required for numerous functions to be configured accurately on the AP-5131.
Syntax: set show date-zone zone-list set .. / save quit
Shows NTP parameter settings. Shows date, time and time zone. Displays list of time zones. Sets NTP parameters. Goes to the parent menu. Goes to the root menu.
AP5131>admin(system.ntp)> show
Description: Displays the NTP server configuration.
Syntax:
show    Shows all NTP server settings.
Example:
admin(system.ntp)>show
current time (UTC) : 2006-07-31 14:35:20
Time Zone:
ntp mode : enable
preferred Time server ip : 203.21.37.18
preferred Time server port : 123
first alternate server ip : 203.21.37.19
first alternate server port : 123
second alternate server ip : 0.0.0.
AP5131>admin(system.ntp)> date-zone
Description: Shows date, time and time zone.
Syntax:
date-zone    Shows date, time and time zone.
Example: admin(system.
AP5131>admin(system.ntp)> zone-list
Description: Displays an extensive list of time zones for countries around the world.
Syntax:
zone-list    Displays list of time zones for every known zone.
Example: admin(system.
AP5131>admin(system.ntp)> set
Description: Sets NTP parameters for AP-5131 clock synchronization.
Syntax: set mode server port intrvl time
8.4.6 System Log Commands
AP5131>admin(system)> logs
Description: Displays the AP-5131 log submenu. Logging options include:
Syntax:
show     Shows logging options.
set      Sets log options and parameters.
view     Views system log.
delete   Deletes the system log.
send     Sends log to the designated FTP Server.
..       Goes to the parent menu.
/        Goes to the root menu.
save     Saves configuration to system flash.
quit     Quits the CLI.
AP5131>admin(system.logs)> show
Description: Displays the current AP-5131 logging settings.
Syntax:
show   Displays the logging options.
Example:
admin(system.logs)>show
log level : L6 Info
syslog server logging : enable
syslog server ip address : 192.168.0.102
For information on configuring logging settings using the applet (GUI), see Logging Configuration on page 4-35.
AP5131>admin(system.logs)> set
Description: Sets log options and parameters.
Syntax: set
level   Sets the level of the events that will be logged. All events with a level at or above (L0-L7) will be saved to the system log.
        L0:Emergency
        L1:Alert
        L2:Critical
        L3:Errors
        L4:Warning
        L5:Notice
        L6:Info (default setting)
        L7:Debug
mode    Enables or disables syslog server logging.
ipadr   Sets the external syslog server IP address to (a.b.c.d).
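The show output of the NTP and log menus lends itself to a scripted check that time synchronization and off-box logging are actually switched on. The following is an added example, not part of the Symbol guide: it parses a captured CLI transcript in the format shown in the examples above and flags weak settings. The check names, the "disable" value and the minimum level of L6 are assumptions of this example.

```python
import ipaddress
import re

# Prompt lines look like "admin(system.logs)>show"; field lines like "ntp mode : enable".
PROMPT_RE = re.compile(r"^admin\(([\w.\-]+)\)>\s*(.*)$")
FIELD_RE = re.compile(r"^([^:]+?)\s*:\s*(.*)$")


def parse_show_transcript(text):
    """Return {menu: {lowercased field name: value}} for every 'show' in a CLI capture."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        prompt = PROMPT_RE.match(line)
        if prompt:
            menu, command = prompt.group(1), prompt.group(2).strip()
            # Only output that follows a 'show' command is treated as settings.
            current = sections.setdefault(menu, {}) if command == "show" else None
            continue
        field = FIELD_RE.match(line)
        if current is not None and field:
            # Split on the first colon only, so "14:35:20" stays inside the value.
            current[field.group(1).lower()] = field.group(2).strip()
    return sections


def _usable_ip(value):
    """True for a valid address other than 0.0.0.0 (treated here as 'not set')."""
    try:
        return not ipaddress.ip_address(value.strip()).is_unspecified
    except ValueError:
        return False


def audit(sections, min_level=6):
    """Return [(check_id, message)]; an empty list means every check passed.

    min_level is an assumed local policy; 6 matches the guide's default (L6 Info).
    A menu missing from the capture fails its checks instead of passing silently.
    """
    ntp = sections.get("system.ntp", {})
    logs = sections.get("system.logs", {})
    findings = []
    if ntp.get("ntp mode") != "enable":
        findings.append(("ntp-mode", "NTP is not enabled; the AP clock is not synchronized"))
    if not _usable_ip(ntp.get("preferred time server ip", "")):
        findings.append(("ntp-server", "no preferred time server configured"))
    if logs.get("syslog server logging") != "enable":
        findings.append(("syslog-mode", "events stay on the AP, where 'delete' erases them"))
    if not _usable_ip(logs.get("syslog server ip address", "")):
        findings.append(("syslog-server", "no syslog server address configured"))
    level = re.match(r"L([0-7])\b", logs.get("log level", ""))
    if level is None or int(level.group(1)) < min_level:
        findings.append(("log-level", f"log level is below L{min_level}"))
    return findings


# Transcript assembled from the example output printed in the guide.
PAGE_SAMPLE = """\
admin(system.ntp)>show
current time (UTC) : 2006-07-31 14:35:20
Time Zone:
ntp mode : enable
preferred Time server ip : 203.21.37.18
preferred Time server port : 123
admin(system.logs)>show
log level : L6 Info
syslog server logging : enable
syslog server ip address : 192.168.0.102
admin(system.logs)>
"""

# Constructed transcript with every audited setting in its weak state.
WEAK_SAMPLE = """\
admin(system.ntp)>show
ntp mode : disable
preferred Time server ip : 0.0.0.0
admin(system.logs)>show
log level : L3 Errors
syslog server logging : disable
syslog server ip address : 0.0.0.0
"""

if __name__ == "__main__":
    for name, sample in (("page sample", PAGE_SAMPLE), ("weak sample", WEAK_SAMPLE)):
        print(name, audit(parse_show_transcript(sample)))
```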
AP5131>admin(system.logs)> view
Description: Displays the AP-5131 system log file.
Syntax:
view   Displays the entire AP-5131 system log file.
Example:
admin(system.logs)>view
Jan 7 16:14:00 (none) syslogd 1.4.1: restart (remote reception).
AP5131>admin(system.logs)> delete
Description: Deletes the log files.
Syntax:
delete   Deletes the AP-5131 system log file.
Example:
admin(system.logs)>delete
For information on configuring logging settings using the applet (GUI), see Logging Configuration on page 4-35.
AP5131>admin(system.logs)> send
Description: Sends log and core file to an FTP Server.
Syntax:
send   Sends the system log file via FTP to a location specified with the set command. Refer to the command set under the AP5131>admin(config) command for information on setting up an FTP server and login information.
Example:
admin(system.logs)>send
File transfer : [ In progress ]
File transfer : [ Done ]
admin(system.
8.4.7 System Configuration-Update Commands
AP5131>admin(system.config)>
Description: Displays the AP-5131 configuration update submenu.
Syntax:
default   Restores the default AP-5131 configuration.
partial   Restores a partial default AP-5131 configuration.
show      Shows import/export parameters.
set       Sets import/export AP-5131 configuration parameters.
export    Exports AP-5131 configuration to a designated system.
import    Imports configuration to the AP-5131.
..
/
save
quit
AP5131>admin(system.config)> default
Description: Restores the full AP-5131 factory default configuration.
Syntax:
default   Restores the AP-5131 to the original (factory) configuration.
Example:
admin(system.config)>default
Are you sure you want to default the configuration? :
For information on importing/exporting AP-5131 configurations using the applet (GUI), see Importing/Exporting Configurations on page 4-37.
AP5131>admin(system.config)> partial
Description: Restores a partial factory default configuration. The AP-5131’s LAN, WAN and SNMP settings are unaffected by the partial restore.
Syntax:
default   Restores a partial AP-5131 configuration.
Example: admin(system.
AP5131>admin(system.config)> show
Description: Displays import/export parameters for the AP-5131 configuration file.
Syntax:
show   Shows all import/export parameters.
Example:
admin(system.config)>show
cfg filename : cfg.txt
cfg filepath :
ftp/tftp server ip address : 192.168.0.
AP5131>admin(system.config)> set
Description: Sets the import/export parameters.
Syntax: set
file     Sets the configuration file name (1 to 39 characters in length).
path     Defines the path used for the configuration file upload.
server   Sets the FTP/TFTP server IP address.
user     Sets the FTP user name (1 to 39 characters in length).
passwd   Sets the FTP password (1 to 39 characters in length).
Example: admin(system.
AP5131>admin(system.config)> export
Description: Exports the configuration from the system.
Syntax: export
ftp        Exports the AP-5131 configuration to the FTP server. Use the set command to set the server, user, password, and file name before using this command.
tftp       Exports the AP-5131 configuration to the TFTP server. Use the set command to set the IP address for the TFTP server before using the command.
terminal
AP5131>admin(system.config)> import
Description: Imports the AP-5131 configuration to the AP-5131. Errors could display as a result of invalid configuration parameters. Correct the specified lines and import the file again until the import operation is error free.
Syntax: import
ftp    Imports the AP-5131 configuration file from the FTP server. Use the set command to set the server, user, password, and file.
tftp   Imports the AP-5131 configuration from the TFTP server.
8.4.8 Firmware Update Commands
AP5131>admin(system)>fw-update
Description: Displays the firmware update submenu. The items available under this command are shown below.
NOTE The AP-5131 must complete the reboot process to successfully update the device firmware, regardless of whether the reboot is conducted using the GUI or CLI interfaces.
show     Displays the current AP-5131 firmware update settings.
set
update
..
/
save
quit
AP5131>admin(system.fw-update)>show
Description: Displays the current AP-5131 firmware update settings.
Syntax:
show   Shows the current system firmware update settings for the AP-5131.
Example:
admin(system.fw-update)>show
automatic firmware upgrade : enable
automatic config upgrade : enable
automatic upgrade interface : WAN
firmware filename : APFW.bin
firmware path : /tftpboot/
ftp/tftp server ip address : 168.197.2.
ftp user name :
ftp password :
AP5131>admin(system.fw-update)>set
Description: Defines AP-5131 firmware update settings and user permissions.
Syntax: set
fw-auto    When enabled, updates device firmware each time the firmware versions are found to be different between the AP-5131 and the specified firmware on the remote system.
cfg-auto
iface
file
path
server
user
passwd
AP5131>admin(system.fw-update)>update
Description: Executes the AP-5131 firmware update over the WAN or LAN port using either ftp or tftp.
Syntax: update
Defines the ftp or tftp mode used to conduct the firmware update.
Specifies whether the update is executed over the AP-5131’s WAN, LAN1 or LAN2 interface.
8.5 Statistics Commands
AP5131>admin(stats)
Description: Displays the AP-5131 statistics submenu. The items available under this command are:
show             Displays AP-5131 WLAN, MU, LAN and WAN statistics.
send-cfg-ap      Sends a config file to another AP-5131 within the known AP table.
send-cfg-all     Sends a config file to all AP-5131s within the known AP table.
clear            Clears all statistic counters to zero.
flash-all-leds
echo
ping
..
/
save
quit
AP5131>admin(stats)> show
Description: Displays AP-5131 system information.
Syntax: show
wan           Displays stats for the AP-5131 WAN port.
lan           Displays stats for the AP-5131 LAN port.
stp           Displays LAN Spanning Tree Status.
wlan          Displays WLAN status and statistics summary.
s-wlan        Displays status and statistics for an individual WLAN.
radio         Displays a radio statistics transmit and receive summary.
s-radio
retry-hgram
mu
s-mu
auth-mu
wlap
s-wlap
known-ap
AP5131>admin(stats)> send-cfg-ap
Description: Copies the AP-5131’s configuration to another AP-5131 within the known AP table.
Syntax:
send-cfg-ap   Copies the AP-5131’s configuration to the AP-5131s within the known AP table. Mesh configuration attributes do not get copied using this command and must be configured manually.
AP5131>admin(stats)> send-cfg-all
Description: Copies the AP-5131’s configuration to all of the AP-5131s within the known AP table.
Syntax:
send-cfg-all   Copies the AP-5131’s configuration to all of the AP-5131s within the known AP table.
Example:
admin(stats)>send-cfg-all
admin(stats)>
NOTE The send-cfg-all command copies all existing configuration parameters except Mesh settings, LAN IP data, WAN IP data and DHCP Server parameter information.
AP5131>admin(stats)> clear
Description: Clears the specified statistics counters to zero to begin new data calculations.
Syntax: clear
wan         Clears WAN statistics counters.
lan         Clears LAN statistics counters.
all-rf      Clears all RF data.
all-wlan    Clears all WLAN summary information.
wlan        Clears individual WLAN statistic counters.
all-radio   Clears AP-5131 radio summary information.
radio1
radio2
all-mu
mu
known-ap
AP5131>admin(stats)> flash-all-leds
Description: Starts and stops the illumination of a specified access point’s LEDs.
Syntax: flash-all-leds
Defines the Known AP index number of the target AP to flash.
Begins or terminates the flash activity.
AP5131>admin(stats)> echo
Description: Defines the echo test values used to conduct a ping test to an associated MU.
Syntax:
show    Shows the Mobile Unit Statistics Summary.
list    Defines echo test parameters and result.
set     Determines echo test packet data.
start   Begins echoing the defined station.
..      Goes to parent menu.
/       Goes to root menu.
quit    Quits CLI session.
AP5131>admin(stats.echo)> show
Description: Shows Mobile Unit Statistics Summary.
Syntax:
show   Shows Mobile Unit Statistics Summary.
Example:
admin(stats.echo)>show
----------------------------------------------------------------------------
Idx IP Address MAC Address WLAN Radio T-put ABS Retries
----------------------------------------------------------------------------
1 192.168.2.
AP5131>admin(stats.echo)> list
Description: Lists echo test parameters and results.
Syntax:
list   Lists echo test parameters and results.
Example:
admin(stats.echo)>list
Station Address : 00A0F8213434
Number of Pings : 10
Packet Length : 10
Packet Data (in HEX) : 55
admin(stats.echo)>
For information on MU Echo and Ping tests using the applet (GUI), see Pinging Individual MUs on page 7-27.
AP5131>admin(stats.echo)>set
Description: Defines the parameters of the echo test.
Syntax: set
station   Defines MU target MAC address.
request   Sets number of echo packets to transmit (1-539).
length    Determines echo packet length in bytes (1-539).
data      Defines the particular packet data.
For information on MU Echo and Ping tests using the applet (GUI), see Pinging Individual MUs on page 7-27.
AP5131>admin(stats.echo)> start
Description: Initiates the echo test.
Syntax:
start   Initiates the echo test.
Example:
admin(stats.echo)>start
admin(stats.echo)>list
Station Address : 00A0F843AABB
Number of Pings : 10
Packet Length : 100
Packet Data (in HEX) : 1
Number of MU Responses : 2
For information on MU Echo and Ping tests using the applet (GUI), see Pinging Individual MUs on page 7-27.
AP5131>admin(stats)> ping
Description: Defines the ping test values used to conduct a ping test to an AP with the same ESSID.
Syntax: ping
show    Shows Known AP Summary details.
list    Defines ping test packet length.
set     Determines ping test packet data.
start   Begins pinging the defined station.
..      Goes to parent menu.
/       Goes to root menu.
quit    Quits CLI session.
For information on Known AP tests using the applet (GUI), see Pinging Individual MUs on page 7-27.
AP5131>admin(stats.ping)> show
Description: Shows Known AP Summary Details.
Syntax:
show   Shows Known AP Summary Details.
Example:
admin(stats.ping)>show
----------------------------------------------------------------------------
Idx IP Address MAC Address MUs KBIOS Unit Name
----------------------------------------------------------------------------
1 192.168.2.
AP5131>admin(stats.ping)> list
Description: Lists ping test parameters and results.
Syntax:
list   Lists ping test parameters and results.
Example:
admin(stats.ping)>list
Station Address : 00A0F8213434
Number of Pings : 10
Packet Length : 10
Packet Data (in HEX) : 55
admin(stats.ping)>
For information on Known AP tests using the applet (GUI), see Pinging Individual MUs on page 7-27.
AP5131>admin(stats.ping)> set
Description: Defines the parameters of the ping test.
Syntax: set
station   Defines the AP target MAC address.
request   Sets number of ping packets to transmit (1-539).
length    Determines ping packet length in bytes (1-539).
data      Defines the particular packet data.
Example:
admin(stats.ping)>set station 00A0F843AABB
admin(stats.ping)>set request 10
admin(stats.ping)>set length 100
admin(stats.ping)>set data 1
admin(stats.
AP5131>admin(stats.ping)> start
Description: Initiates the ping test.
Syntax:
start   Initiates the ping test.
Example:
admin(stats.ping)>start
admin(stats.ping)>list
Station Address : 00A0F843AABB
Number of Pings : 10
Packet Length : 100
Packet Data (in HEX) : 1
Number of AP Responses : 2
For information on Known AP tests using the applet (GUI), see Pinging Individual MUs on page 7-27.
Configuring Mesh Networking
9.1 Mesh Networking Overview
An AP-5131 can be configured in two modes to support the new mesh networking functionality. The AP-5131 can be set to a client bridge mode and/or a base bridge mode (which accepts connections from client bridges). Base bridge and client bridge mode can be used at the same time by an individual AP-5131 to optimally bridge traffic to other members of the mesh network and service associated MUs.
AP-5131s configured as both a base and a client bridge function as repeaters to transmit data with associated MUs in their coverage area (client bridge mode) as well as forward traffic to other AP-5131s in the mesh network (base bridge mode). The number of AP-5131s and their intended function within the mesh network dictate whether they should be configured as base bridges, client bridges or both (repeaters).
If an AP-5131 is configured as a base bridge (but not as a client bridge) it operates normally at boot time. The base bridge AP-5131 supports connections made by other client bridge AP-5131s. The dual-radio model AP-5131 affords users better optimization of the mesh networking feature by enabling the AP-5131 to transmit to other mesh network members using one independent radio and transmit with associated MUs using the second independent radio.
The dual-radio model AP-5131 affords users better optimization of the mesh networking feature by allowing the AP-5131 to transmit to other AP-5131s (in base or client bridge mode) using one independent radio and transmit with its associated MUs using the second independent radio.
Limit the wireless client’s connections to reduce the total number of hops required to get to the wired network. Use each radio’s "preferred" base bridge list to define which AP-5131s the client bridge is allowed to connect to. For more information, see Configuring Mesh Networking Support on page 9-6.
9.1.4 Mesh Networking and the AP-5131’s Two Subnets
The AP-5131 now has a second subnet on the LAN side of the system.
However, if using the Known AP Statistics screen’s Send Cfg to APs functionality, “auto-select” and “preferred list” settings do not get imported.
CAUTION When using the Import/Export screen to import a mesh supported configuration, do not import a base bridge configuration into an existing client bridge, as this could cause the mesh configuration to break.
9.
Verify the enabled LAN is named appropriately in respect to its intended function in supporting the mesh network.
3. Select Network Configuration -> LAN -> LAN1 or LAN2 from the AP-5131 menu tree.
4. Click the Mesh STP Configuration button on the bottom of the screen.
5.
Hello Time
The Hello Time is the time between each bridge protocol data unit sent. This time is equal to 2 seconds (sec) by default, but you can tune the time to be between 1 and 10 sec. If you drop the hello time from 2 sec to 1 sec, you double the number of bridge protocol data units sent/received by each bridge. The 802.1d specification recommends the Hello Time be set to a value less than half of the Max Message age value.
The Wireless Configuration screen displays with those existing WLANs displayed within the table.
2. Select the Create button to configure a new WLAN specifically to support mesh networking. An existing WLAN can be modified (or used as is) for mesh networking support by selecting it from the list of available WLANs and clicking the Edit button.
3. Assign an ESSID and Name to the WLAN that each AP-5131 will share when using this WLAN within their mesh network.
Symbol recommends assigning a unique name to a WLAN supporting a mesh network to differentiate it from WLANs defined for non mesh support. The name assigned to the WLAN is what is selected from the Radio Configuration screen for use within the mesh network.
NOTE It is possible to have different ESSID and WLAN assignments within a single mesh network (one set between the Base Bridge and repeater and another between the repeater and Client Bridge).
are typically not guest networks, wherein public access is more important than data protection. Symbol also discourages user-based authentication schemes such as Kerberos and 802.1x EAP, as these authentication schemes are not supported within a mesh network. If none of the existing policies are suitable, select the Create button to the right of the Security Policy drop-down menu and configure a policy suitable for the mesh network.
10. Select the Use Secure Beacon checkbox to not transmit the AP-5131’s ESSID amongst the AP-5131s and devices within the mesh network. If a hacker tries to find an ESSID via an MU, the AP-5131’s ESSID does not display since the ESSID is not in the beacon. Symbol recommends keeping the option enabled to reduce the likelihood of hacking into the WLAN.
11.
1. Select Network Configuration -> Wireless -> Radio Configuration from the AP-5131 menu tree.
2. Enable the radio(s) using the Enable checkbox(es) for both Radio 1 and Radio 2. Refer to RF Band of Operation parameter to ensure you are enabling the correct 802.11a or 802.11b/g radio. After the settings are applied within this Radio Configuration screen, the Radio Status and MUs connected values update.
mesh network data from those client bridges within the mesh network and never the initiator.
CAUTION A problem could arise if a Base Bridge’s Indoor channel is not available on an Outdoor Client Bridge's list of available channels. As long as an Outdoor Client Bridge has the Indoor Base Bridge channel in its available list of channels, it can associate to the Base Bridge.
4.
If the Client Bridge checkbox has been selected, use the Mesh Network Name drop-down menu to select the WLAN (ESS) the client bridge uses to establish a wireless link. The default setting is (WLAN1). Symbol recommends creating (and naming) a WLAN specifically for mesh networking support to differentiate the Mesh supported WLAN from non-Mesh supported WLANs.
the user from selecting the order base bridges are added to the mesh network when one of the three associated base bridges becomes unavailable.
NOTE Auto link selection is based on the RSSI and load. The client bridge will select the best available link when the Automatic Link Selection checkbox is selected. Symbol recommends you do not disable this option, as (when enabled) the AP-5131 will select the best base bridge for connection.
8.
If a MAC address is not as desirable as others but still worthy of being on the preferred list, select it, and click the Down button to decrease its likelihood of being selected as a member of the mesh network.
13. If a device MAC address is on the Preferred Base Bridge List and constitutes a threat as a potential member of the mesh network (poor RSSI etc.), select it and click the Remove button to exclude it from the preferred list.
9.3 Usage Scenario - Trion Enterprises
Trion Enterprises is a new shipping and receiving company. Trion wants to create an outdoor wireless coverage area (in addition to its indoor wireless infrastructure) that can expand as they grow their business.
1. The Trion IT department verifies connectivity with both of the AP-5131s following the instructions in Testing Connectivity on page 3-13.
2. The Trion IT Department installs the AP1 on a wall with the antennas orienting outward into the shipping and receiving yard. The team then installs the AP2 on a wall on the receiving shack in the shipping yard.
[Illustration labels: AP1, AP2]
The Trion IT department follows the instructions in Wall Mounted Installations on page 2-13 to install AP1 and AP2.
3. The Trion IT department selects Network Configuration -> LAN from the AP-5131 menu tree.
4. The Trion IT department verifies the LAN used to support the mesh network is enabled for both AP1 and AP2 (by selecting the Enable checkbox).
NOTE In this fictional mesh network deployment for Trion Enterprises, AP1 and AP2 should both have the AP-5131’s Ethernet Port mapped to the mesh LAN. However, there are some scenarios when this is not necessary.
6. The IT team selects the Mesh STP Configuration button on the bottom of the screen.
7. The Trion IT department sets the Priority setting to 1 (for AP1) in order for future members of the mesh network to defer to AP1 as the AP defining the mesh network configuration (setting this value to 1 defines AP1 as what is commonly referred to as the root).
NOTE AP1 and AP2 have been configured identically up to this point.
The Wireless Configuration screen displays with those existing WLANs displayed within the table. This is Trion’s first deployment for this new dual-radio AP-5131. Upon reviewing the Wireless page, they determine the existing default WLAN should be left as is and a new WLAN should be created that can be dedicated to the mesh network supporting the shipping yard.
10.
12. The team assigns the name of “trion mesh” to the WLAN so it will not be confused with other WLANs used in other areas of the Trion facility. This name also serves to associate the name of the WLAN with its intended mesh network utilization of data entry within the shipping yard.
13. For AP1 the team selects the 802.11a checkbox. Enabling the 802.11a radio for the mesh WLAN and configuring a separate WLAN for MU traffic (using the 802.
19. The Broadcast Key Rotation checkbox is selected, as the IT team plans to change the keys from time to time (for security purposes) and wants these keys to be broadcasted using the default interval 86400 seconds.
20. The IT team does not want to use a passphrase to represent the 256-bit keys, so the 256-bit Key checkbox is selected, and the team enters 16 hexadecimal characters into each of the four fields displayed.
23. The IT team assigns the name of “trion mesh network” to the ACL to eliminate any confusion with the ACL's intended function.
24. Since the range of client bridge MAC addresses for the shipping yard mesh network is known to the IT Team, they select the Deny drop-down menu option, as the team wants to deny access to all MAC addresses except their own known range of device MAC addresses.
25.
26. The team decides to leave the Disallow MU to MU Communication checkbox unselected for the WLAN, as the team considers all MU traffic within the secure shipping and receiving yard known and not a threat to the initial 2 AP mesh network deployment.
27. The team selects the Use Secure Beacon checkbox from the Edit WLAN screen to not transmit the AP-5131’s ESSID between AP1 and AP2.
31. The IT Team does not plan on supporting any legacy 802.11b voice enabled devices, so they leave the Support Voice prioritization checkbox unselected.
32. The IT Team selects 11ag-default from the drop-down menu to best describe the type of data proliferating the mesh network. With this setting selected, the Access Category settings do not need to be configured for the QoS policy.
33.
37. For AP2, the IT Team enables both Radio 1 and Radio 2 and defines radio 1 as a client bridge.
NOTE The Trion IT team is aware it is not a good idea to dedicate both radios (of a dual-radio model AP-5131) to support mesh networking. They know it is possible to dedicate both radios of a single AP-5131 for mesh support, but the Trion team wants to dedicate the 802.11b/g radio for MU operation and the 802.11a radio for backhaul support.
For the next six months, Trion Enterprises’ mesh network only consists of AP1 and AP2. AP1 has already been defined as the root bridge in the mesh network when it was assigned a Priority value of 1 within the Bridge STP Configuration screen.
41. The Trion IT Team clicks Apply within both the AP1 and AP2 Radio Configuration screens to complete the mesh network configuration of each AP1 and AP2 radio.
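Step 20 of this scenario has the team type 16 hexadecimal characters into each of four key fields, which together make up one 256-bit key. The following is an added example, not part of the Symbol guide: it produces the four fields from a cryptographically secure random source and checks fields an operator proposes to enter. The function names and the weak-pattern thresholds are assumptions of this example.

```python
import secrets
import string

FIELD_COUNT = 4        # the scenario describes four key fields
FIELD_HEX_CHARS = 16   # 16 hex characters each: 4 x 16 x 4 bits = 256 bits


def generate_key_fields():
    """Return four 16-character hex strings cut from one CSPRNG-generated 256-bit key."""
    hex_key = secrets.token_bytes(FIELD_COUNT * FIELD_HEX_CHARS // 2).hex().upper()
    return [hex_key[i:i + FIELD_HEX_CHARS] for i in range(0, len(hex_key), FIELD_HEX_CHARS)]


def fields_to_key(fields):
    """Join the four fields back into the 32 raw key bytes."""
    return bytes.fromhex("".join(fields))


def check_key_fields(fields):
    """Return a list of problems with operator-supplied fields (empty list = acceptable)."""
    if len(fields) != FIELD_COUNT:
        return [f"expected {FIELD_COUNT} fields, got {len(fields)}"]
    problems = []
    for number, field in enumerate(fields, start=1):
        if len(field) != FIELD_HEX_CHARS:
            problems.append(f"field {number}: {len(field)} characters, expected {FIELD_HEX_CHARS}")
        elif any(ch not in string.hexdigits for ch in field):
            problems.append(f"field {number}: contains a non-hexadecimal character")
    if problems:
        return problems  # the pattern checks below need a well-formed key

    key = fields_to_key(fields)
    # Heuristics (assumed thresholds) for keys typed by hand rather than generated.
    if len({field.upper() for field in fields}) < FIELD_COUNT:
        problems.append("two or more fields are identical")
    if len(set(key)) < 16:
        problems.append("fewer than 16 distinct byte values in 32 bytes")
    if len({(b - a) % 256 for a, b in zip(key, key[1:])}) == 1:
        problems.append("bytes form a constant-step sequence")
    return problems


if __name__ == "__main__":
    generated = generate_key_fields()
    print("generated fields:", generated, "->", check_key_fields(generated) or "ok")
    # Constructed hand-typed key: the same memorable pattern in every field.
    print("typed pattern:", check_key_fields(["0123456789ABCDEF"] * 4))
```

Generate the key once and enter the same four fields on every AP that shares the mesh WLAN; store the fields with the same care as any other shared secret.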
broadcast range (see the illustration below). The Trion IT department follows the instructions in Wall Mounted Installations on page 2-13 to install AP3 and AP4.
[Illustration labels: AP4, AP1, AP2, AP3]
3. The Trion IT department selects Network Configuration -> LAN from the AP-5131 menu tree.
4. The Trion IT department verifies the LAN used to support the mesh network is enabled for both AP3 and AP4 (by selecting the Enable checkbox).
5. The Trion IT department then selects Network Configuration -> LAN -> trion from the AP-5131 menu tree.
6. The IT team selects the Mesh STP Configuration button on the bottom of the screen.
7. The Trion IT department leaves the Priority setting at 32768 for AP3 and AP4 for both to defer to AP1 (which was assigned a priority of 1 for root designation) as the AP-5131 defining the mesh network configuration.
9. The team selects the Edit button to revise (and rename) the existing default WLAN to support mesh networking.
10. The Trion IT team assigns AP3 and AP4 an ESSID of 103. Therefore, AP1 and AP2 should be able to “see” AP3 and AP4 as soon as they are deployed.
11. The team assigns the name of “trion mesh” to the WLAN to be consistent with the WLAN supporting mesh networking on AP1 and AP2.
12. The team selects the 802.
13. The team does not want any MUs connecting to the mesh WLAN, only the devices comprising the mesh network. Therefore, the team leaves the Maximum MUs field as is, and will use the Radio Configuration page to control the number of client bridge connections.
14. The team verifies the Enable Client Bridge Backhaul checkbox is selected for both AP3 and AP4 to ensure the WLAN is available in the WLAN drop-down menu within the Radio Configuration screen.
15.
21. Now a QoS policy needs to be defined for the shipping and receiving mesh WLAN. The IT Team still envisions little (if any) video or voice traffic within the shipping as the MUs within primarily scan bar codes and upload data. This holds true for the QoS requirements for AP3 and AP4 as the required coverage area has grown, not the security, access permission or QoS considerations.
25. For both AP3 and AP4, the IT Team uses the Mesh Network Name drop-down menu to assign the “trion mesh” WLAN to radio 1. This is the WLAN the AP3 and AP4 radios will use to interoperate with the MUs populating the shipping yard.
26. As with AP1 and AP2, the IT Team decides to not select the Advanced button within the AP3 and AP4 WLAP Client Bridge Settings field.
27.
9.3.3 Adding 2 More Client Bridges to the Trion Network
After an additional six months with their existing 4 AP-5131 mesh network, Trion Enterprises needs and approves the addition of two additional AP-5131s (AP5 and AP6) to be configured as client bridges.
3. The Trion IT department selects Network Configuration -> LAN from the AP-5131 menu tree.
4. The Trion IT department verifies the LAN used to support the mesh network is enabled for both AP5 and AP6 (by selecting the Enable checkbox).
5. The Trion IT department then selects Network Configuration -> LAN -> trion from the AP-5131 menu tree.
6. The IT team selects the Mesh STP Configuration button on the bottom of the screen.
7. The Trion IT department leaves the Priority setting at 32768 for AP5 and AP6 for both to defer to AP1 (which was assigned a priority of 1 for root designation) as the AP-5131 defining the mesh network configuration. The remainder of the Mesh STP Configuration settings are left unchanged from their default values. The team clicks OK from within the Mesh STP Configuration screen and Apply from within the trion (LAN1) screen to save the settings.
9. The team selects the Edit button to revise (and rename) the existing default WLAN to support mesh networking.
10. The Trion IT team assigns the WLAN an ESSID of 103 to be consistent with the trion mesh WLAN ESSID of the other four AP-5131s within the mesh network.
11. The team assigns the name of “trion mesh” to the WLAN to be consistent with the WLAN supporting mesh on APs 1-4.
12. The team selects the 802.11a Radio checkbox for both AP5 and AP6. The 802.
13. The team still does not want any MUs connecting to the mesh WLAN, only the devices comprising the mesh network. Therefore, the team leaves the Maximum MUs field as is, and will use the Radio Configuration page to control the number of client bridge connections within the mesh WLAN.
14.
22. The IT team selects Network Configuration -> Wireless -> Radio Configuration from the AP-5131 menu tree. The Radio Configuration screen displays.
23. For both AP5 and AP6, the IT Team enables Radio 1 and defines the radio as a client bridge.
24. For both AP5 and AP6, the IT Team uses the Mesh Network Name drop-down menu to assign the “trion mesh” WLAN to radio 1.
25.
Technical Specifications

This appendix provides technical specifications in the following areas:
• Physical Characteristics
• Electrical Characteristics
• Radio Characteristics
• Antenna Specifications
• Country Codes
A.1 Physical Characteristics
The AP-5131 has the following physical characteristics:
Dimensions   5.32 inches long x 9.45 inches wide x 1.77 inches thick.
             135 mm long x 240 mm wide x 45 mm thick.
Housing      Metal, Plenum Housing (UL2043)
Weight       1.95 lbs/0.88 Kg (single-radio model)
             2.05 lbs/0.
A.3 Radio Characteristics
The AP-5131 has the following radio characteristics:
Operating Channels
  802.11a radio - Channels 34-161 (5170-5825 MHz)
  802.11b/g radio - Channels 1-13 (2412-2472 MHz)
  802.11b/g radio - Channel 14 (2484 MHz Japan only)
  Actual operating frequencies depend on regulatory rules and certification agencies.
Receiver Sensitivity
  802.11a Radio 802.
A.4 Antenna Specifications
The AP-5131 antenna suite has the following specifications:
CAUTION: Using an antenna other than the Dual-Band Antenna (Part No. ML-2452-APA2-01) could render the AP-5131’s Rogue AP Detector Mode feature inoperable. Contact your Symbol sales associate for specific information.
A.4.1 2.4 GHz Antenna Matrix
The following table describes each 2.4 GHz antenna approved for use with the AP-5131.
A.4.3 Additional Antenna Components
The following table lists the Symbol part number for various antenna accessories. This table also includes the loss for each accessory at both 2.4 and 5.2 GHz.
Item  Symbol Part Number  Description  Loss (db) @ 2.4 GHz  Loss (db) @ 5.2 GHz
72PJ  ML-1499-72PJ-01R  Cable Extension  2.5
LAK1  ML-1499-LAK1-01R  Lightning Arrestor+  0.75
LAK2  ML-1499-LAK2-01R  Lightning Arrestor  0.25
10JK  ML-1499-10JK-01R  Jumper Kit  0.75  1.
A.
Germany DE
Turkey TR
Greece GR
Ukraine UA
Hong Kong HK
UAE AE
Hungary HU
United Kingdom UK
Iceland IS
USA US
India IN
Uruguay UY
Indonesia ID
Vietnam VN
Ireland IE
Venezuela VE
Israel IL
Italy IT
Japan JP
Jordan JO
Kazakhstan KZ
Kuwait KW
Latvia LV
Liechtenstein LI
Lithuania LT
Luxembourg LU
Malaysia MY
Malta MT
Mexico MX
Morocco MA
Namibia NA
Netherlands NL
AP-5131 Usage Scenarios

This appendix provides practical usage scenarios for many of the AP-5131’s key features. This information should be referenced as a supplement to the information contained within this AP-5131 Product Reference Guide. The following scenarios are described:
• Configuring Automatic Updates using a DHCP or Linux BootP Server Configuration
• Configuring an IPSEC Tunnel and VPN FAQs
B.
The firmware is automatically updated each time firmware versions are found to be different between the AP-5131 and the firmware file located on the DHCP/BootP server. The configuration file is automatically applied only if the filename is different than what resides on the AP-5131.
B.1.
e. Add the following 3 new options under AP5131 Options class:

Option                                                      Code  Data type
AP-5131 TFTP Server IP Address (Note: Use any one option)   181   IP address
                                                            186   String
AP-5131 Firmware File Name                                  187   String
AP5131 Config File Name (Note: Use any one option)          129   String
                                                            188   String

f. Highlight Scope Options from the tree and select Configure Options.
g. Go to the Advanced tab.
B.1.1.2 Global Options - Using Extended/Standard Options
The following are instructions for automatic firmware and configuration file updates via DHCP using extended options or standard options configured globally. The setup example described in this section includes:
• 1 AP-5131
• 1 Microsoft Windows DHCP Server
• 1 TFTP Server.
To configure Global options using extended/standard options:
1.
d. Under the General tab, check all 3 options mentioned within the Extended Options table and enter a value for each option.
3. Copy both the firmware and configuration files to the appropriate directory on the TFTP Server. By default, auto update is enabled on the AP-5131 (since the LAN Port is a DHCP Client, out-of-the-box auto update support is on the LAN Port).
4. Restart the AP-5131.
5.
If the DHCP Server is configured for options 186 and 66 (to assign TFTP Server IP addresses) the AP-5131 uses the IP address configured for option 186. Similarly, if the DHCP Server is configured for options 187 and 67 (for the firmware file) the AP-5131 uses the file name configured for option 187.
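The option precedence above, combined with the update rules given earlier in this appendix (firmware updates when versions differ, the configuration applies only when the file name differs), can be checked against a DHCP scope before an AP-5131 is restarted. The following Python sketch is an added example, not code from the guide or from Symbol; the function names, sample addresses, file names and version strings are assumptions.

```python
# Added example: option codes and rules come from the guide; the offer values,
# file names and version strings below are constructed for illustration.
FIELDS = {
    "tftp_server": (181, 186, 66),
    "firmware_file": (187, 67),
    "config_file": (129, 188),
}
# The only precedence the guide states: 186 beats 66, and 187 beats 67.
STATED_WINNER = {frozenset({186, 66}): 186, frozenset({187, 67}): 187}


def resolve_options(offer):
    """Return ({field: value or None}, [warnings]) for a {code: value} DHCP offer."""
    resolved, warnings = {}, []
    for field, codes in FIELDS.items():
        present = [code for code in codes if code in offer]
        winner = STATED_WINNER.get(frozenset(present))
        if len(present) == 1:
            resolved[field] = offer[present[0]]
        elif winner is not None:
            resolved[field] = offer[winner]
        else:
            resolved[field] = None
            if present:  # several codes set and the guide gives no precedence
                warnings.append(f"{field}: options {present} set together; "
                                "the guide states no precedence for this")
    return resolved, warnings


def plan_update(offer, ap_fw_version, ap_config_name, server_fw_version):
    """Predict what the AP does at restart, per the guide's two update rules."""
    resolved, warnings = resolve_options(offer)
    reachable = resolved["tftp_server"] is not None
    return {
        **resolved,
        "warnings": warnings,
        # Firmware is updated whenever the two versions differ.
        "update_firmware": bool(reachable and resolved["firmware_file"]
                                and server_fw_version != ap_fw_version),
        # Configuration is applied only when the file name differs.
        "apply_config": bool(reachable and resolved["config_file"]
                             and resolved["config_file"] != ap_config_name),
    }


# Constructed offer: a scope carrying both standard and extended options.
SAMPLE_OFFER = {66: "192.0.2.10", 186: "192.0.2.20",
                67: "old_fw.bin", 187: "new_fw.bin", 129: "cfg.txt"}

if __name__ == "__main__":
    print(plan_update(SAMPLE_OFFER, "1.0", "cfg.txt", "1.1"))
```

A scope that sets two options the guide says to use singly (for example 129 and 188) resolves to no value and produces a warning instead of a guess.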
B.1.2.1 BootP Options
This section contains instructions for the automatic update of the AP-5131 firmware and configuration file using a BootP Server. The setup example described in this section includes:
• 1 AP-5131
• 1 Linux/Unix BOOTP Server
• 1 TFTP Server.
To configure BootP options using a Linux/Unix BootP Server:
1. Set the Linux/Unix BootP Server and AP-5131 on the same Ethernet segment.
2.
Using options sa, bf and 136:

    # ha is the <LAN MAC Address> of the AP-5131
    AP-5131:ha=00a0f88aa6d8\
        :sm=255.255.255.0\
        :ip=157.235.93.128\
        :gw=157.235.93.2\
        :sa=157.235.93.250\
        :bf=/tftpboot/cfg.txt\
        :T136="/tftpboot/":

NOTE The bf option prefixes a forward slash (/) to the firmware file name. This may not be supported on Windows based TFTP Servers.
3.
NOTE If the firmware files are the same, the firmware will not get updated. If the configuration file name matches the last saved configuration file on the AP-5131, the configuration will not get updated. Additionally, the LAN port needs to be configured as a BootP client, as no BootP support exists on the WAN port (WAN only supports DHCP).
B.1.2.
B.2.1 Configuring a VPN Tunnel Between Two AP-5131s
The AP-5131 can connect to a non-AP device supporting IPSec, such as a Cisco VPN device - labeled as "Device #2". For this usage scenario, the following components are required:
• 2 AP-5131s
• 1 PC on each side of the AP-5131s LAN.
To configure a VPN tunnel between two AP-5131s:
1. Ensure the WAN ports are connected via the internet.
2. On AP-5131 #1, select WAN -> VPN from the main menu tree.
8. Click Apply to save the changes.
NOTE For this example, Auto IKE Key Exchange is used. Any key exchange can be used, depending on the security needed, as long as both devices on each end of the tunnel are configured exactly the same.
9. Select the Auto (IKE) Key Exchange checkbox.
10. Select the Auto Key Settings button.
11. For the ESP Type, select ESP with Authentication and use AES 128-bit as the ESP Encryption Algorithm. Click OK.
12. Select the IKE Settings button.
13. Select Pre Shared Key (PSK) from the IKE Authentication Mode drop-down menu.
14. Enter a Passphrase. Passphrases must match on both VPN devices.
NOTE Ensure the IKE authentication Passphrase is the same as the Pre-shared key on the Cisco PIX device.
15. Select AES 128-bit as the IKE Encryption Algorithm.
16. Select Group 2 as the Diffie-Hellman Group. Click OK. This will take you back to the VPN screen.
17. Click Apply to make the changes
18.
19. On AP-5131 #2/ Device #2, repeat the same procedure. However, replace AP-5131 #2 information with AP-5131 #1 information.
20. Once both tunnels are established, ping each side of the tunnel to ensure connectivity.
B.2.2 Configuring a Cisco VPN Device
This section includes general instructions for configuring a Cisco PIX Firewall 506 series device.
B.2.3 Frequently Asked VPN Questions
The following are common questions that arise when configuring a VPN tunnel using the AP-5131.
• Question 1: Does the AP-5131 IPSec tunnel support multiple subnets on the other end of a VPN concentrator?
  Yes. The AP-5131 can access multiple subnets on the other end of the VPN Concentrator from the AP-5131's Local LAN Subnet by:
  • Creating multiple VPN Tunnels. The AP supports a maximum of 25 tunnels.
• Question 2: Even if a wildcard entry of "0.0.0.0" is entered in the Remote Subnet field in the VPN configuration page, can the AP access multiple subnets on the other end of a VPN concentrator for the AP's LAN/WAN side?
  No. Using a "0.0.0.0" wildcard is an unsupported configuration. In order to access multiple subnets, the steps in Question #1 must be followed.
• Question 3: Can the AP be accessed via its LAN interface of AP#1 from the local subnet of AP#2 and vice versa?
  Yes.
  Yes.
• Question 6: Can an IPSec tunnel over a PPPoE connection be established - such as a PPPoE enabled DSL link?
  Yes. The AP-5131 supports tunneling when using a PPPoE username and password.
• Question 7: Can I set up an AP-5131 so clients can access both the WAN normally and only use the VPN when talking to specific networks?
  Yes. Only packets that match the VPN Tunnel Settings will be sent through the VPN tunnel.
  • UFQDN - tries to match the user entered remote ID data string to the email address field of the received certificate.
• Question 9: I am using a direct cable connection between my two VPN gateways for testing and cannot get a tunnel established, yet it works when I set them up across another network or router. Why?
  The packet processing architecture of the AP-5131 VPN solution requires the WAN default gateway to work properly.
• Question 11: I still can't get my tunnel to work after attempting to initiate traffic between the two subnets. What now?
  Try the following troubleshooting tips:
  • Verify you can ping each of the remote Gateway IP addresses from clients on either side. Failed pings can indicate general network connection problems.
  • Pinging the internal gateway address of the remote subnet should run the ping through the tunnel as well.
Src  Dst  Transport UDP  Src port 1:65535  Dst port 500  Rev NAT None

These three rules should be configured above all other rules (default or user defined). When Advanced LAN Access is used, certain inbound/outbound rules need to be configured to control incoming/outgoing packet flow for IPSec to work properly (with Advanced LAN Access). These rules should be configured first before other rules are configured.
• The interface parameter has been removed from the Auto Update configuration feature.
• The WAN interface now has http/telnet/https/ssh connectivity enabled by default.
Customer Support

Symbol Technologies provides its customers with prompt and accurate customer support. Use the Symbol Support Center as the primary contact for any technical problem, question or support issue involving Symbol products. If the Symbol Customer Support specialists cannot solve a problem, access to all technical disciplines within Symbol becomes available for further assistance and support.
North American Contacts
Inside North America:
Symbol Technologies, Inc.
One Symbol Plaza
Holtsville, New York 11742-1300
Telephone: 1-631-738-2400/1-800-SCAN 234
Fax: 1-631-738-5990
Symbol Support Center (for warranty and service information):
telephone: 1-800-653-5350
fax: (631) 738-5410
Email: support@symbol.
Web Support Sites
MySymbolCare http://www.symbol.com/services/msc/msc.html
Symbol Services Homepage http://symbol.com/services
Symbol Software Updates http://symbol.com/services/downloads
Symbol Developer Program http://devzone.symbol.com
Additional Information
Obtain additional information by contacting Symbol at:
1-800-722-6234, inside North America
+1-516-738-5200, in/outside North America
http://www.symbol.
Symbol Technologies, Inc.