53-1002516-01 14 May 2012 Brocade Mobility 5181 Access Point Product Reference Guide Supporting software release 4.4.0.
Copyright © 2012 Brocade Communications Systems, Inc. All Rights Reserved. Brocade, Brocade Assurance, the B-wing symbol, DCX, Fabric OS, MLX, SAN Health, VCS, and VDX are registered trademarks, and AnyIO, Brocade One, CloudPlex, Effortless Networking, ICX, NET Health, OpenScript, and The Effortless Network are trademarks of Brocade Communications Systems, Inc., in the United States and/or in other countries. Other brands, products, or service names mentioned may be trademarks of their respective owners.
Contents

About This Document
Audience
Supported hardware and software
Document conventions
Related publications
Getting technical help

Feature overview
Single or dual mode radio options
Separate LAN and WAN ports
Multiple mounting options
Antenna support for 2.4 GHz and 5 GHz radios
Sixteen configurable WLANs

Power options
Power Injector and Power Tap systems
Installing the Power Tap
Mounting a Mobility 5181 Access Point
Mobility 5181 Access Point pole mounted installations
Mobility 5181 Access Point wall mounted installations

Chapter 5 Network Management
Configuring the LAN interface
Configuring VLAN support
Configuring LAN1 and LAN2 settings
Configuring WAN settings
Configuring Network Address Translation (NAT) settings
Configuring dynamic DNS

Configuring user authentication
Configuring the Radius server
Configuring LDAP authentication
Configuring a proxy Radius server
Managing the local user database
Defining user access permissions by group

Statistics Commands

Chapter 9 Configuring Mesh Networking
Mesh networking overview
Mobility 5181 Access Point client bridge association process
Spanning tree protocol (STP)
Defining the mesh topology

Establishing basic adaptive AP connectivity
Adaptive AP configuration
Controller configuration
Adaptive AP deployment considerations
Sample controller configuration file for IPSec and independent WLAN
About This Document

In this chapter
• Audience
• Supported hardware and software
• Document conventions
• Related publications
bold text: Identifies command names; identifies the names of user-manipulated GUI elements; identifies keywords; identifies text to enter at the GUI or CLI
italic text: Provides emphasis; identifies variables; identifies document titles
code text: Identifies CLI output

For readability, command names in the narrative portions of this guide are presented in mixed lettercase: for example, controllerShow. In actual examples, command lettercase is often all lowercase.
Getting technical help

• To contact Technical Support, go to http://www.brocade.com/services-support/index.page for the latest e-mail and telephone contact information.
Chapter 1 Introduction

In this chapter
• New features
• Theory of operations

This Brocade Mobility 5181 Access Point Product Reference Guide contains setup and advanced configuration instructions for the Brocade Product Name Access Point.
WIPS support

An access point radio can function as a Wireless Intrusion Protection System (WIPS) sensor and upload sensor mode operation information to a dedicated WIPS server. WIPS protects your wireless network, mobile devices and traffic from attacks and unauthorized access. WIPS provides tools for standards compliance and around-the-clock 802.11a/b/g wireless network security in a distributed environment.
Rogue AP enhancements

The access point now has the option to scan for rogues over all channels on both of the access point’s 11a and 11bg radio bands. The switching of radio bands is based on a timer with no user intervention required. For information on configuring the access point for Rogue AP support, see “Configuring rogue AP detection” on page 162.

Bandwidth management enhancements

Use the Bandwidth Management screen to control the network bandwidth allotted to individual WLANs.
• Antenna support for 2.
Separate LAN and WAN ports

The Mobility 5181 Access Point has one LAN port and one WAN port, each with their own MAC address. The access point must manage all data traffic over the LAN connection carefully as either a DHCP client, BOOTP client, DHCP server or using a static IP address. The access point can only use a Power-over-Ethernet device when connected to the LAN port.
To enable and configure WLANs on a Mobility 5181 Access Point radio, see “Enabling wireless LANs (WLANs)” on page 106.

Support for 4 BSSIDs per radio

The access point supports four BSSIDs per radio. Each BSSID has a corresponding MAC address. The first MAC address corresponds to BSSID #1. The MAC addresses for the other three BSSIDs (BSSIDs #2, #3, #4) are derived by adding 1, 2, 3, respectively, to the radio MAC address.
The following encryption techniques are supported:
• WEP encryption
• KeyGuard encryption
• Wi-Fi protected access (WPA) using TKIP encryption
• WPA2-CCMP (802.11i) encryption

In addition, the Mobility 5181 Access Point supports the following additional security features:
• Firewall security
• VPN tunnels
• Content filtering

For an overview on the encryption and authentication schemes available, refer to “Configuring Access Point Security” on page 131.
A Client is not able to access the network if not authenticated. When configured for EAP support, the access point displays the Client as an EAP station. EAP is only supported on mobile devices running Windows XP, Windows 2000 (using Service Pack #4) and Windows Mobile 2003. Refer to the system administrator for information on configuring a Radius Server for EAP (802.1x) support. For detailed information on EAP configurations, see “Configuring 802.1x EAP authentication” on page 137.
Wi-Fi protected access (WPA) using TKIP encryption

Wi-Fi Protected Access (WPA) is a security standard for systems operating with a Wi-Fi wireless connection. WEP’s lack of user authentication mechanisms is addressed by WPA. Compared to WEP, WPA provides superior data encryption and user authentication.
For detailed information on configuring VPN security support, see “Configuring VPN tunnels” on page 151.

Content filtering

Content filtering allows system administrators to block specific commands and URL extensions from going out through the Mobility 5181 Access Point WAN port. Therefore, content filtering affords system administrators selective control on the content proliferating the network and is a powerful screening tool.
Programmable SNMP v1/v2/v3 trap support

Simple Network Management Protocol (SNMP) facilitates the exchange of management information between network devices. SNMP uses Management Information Bases (MIBs) to manage the device configuration and monitor Internet devices in remote locations. MIB information accessed via SNMP is defined by a set of managed objects called Object Identifiers (OIDs). An object identifier (OID) is used to uniquely identify each object variable of a MIB.
Use the QoS page to enable voice prioritization for devices to receive the transmission priority they may not normally receive over other data traffic. Voice prioritization allows the Mobility 5181 Access Point to assign priority to voice traffic over data traffic, and (if necessary) assign legacy voice supported devices (non WMM supported voice devices) additional priority.
Advanced event logging capability

The Mobility 5181 Access Point provides the capability for periodically logging system events. Logging events is useful in assessing the throughput and performance of the Mobility 5181 Access Point or troubleshooting problems on the Mobility 5181 Access Point managed Local Area Network (LAN). For detailed information on Mobility 5181 Access Point events, see “Logging configuration” on page 79.
Multi-function LEDs

A Mobility 5181 Access Point has seven LED indicators. Four LEDs exist on the top of the Mobility 5181 Access Point and are visible from wall, ceiling and table-top orientations. Three of these four LEDs are single color activity LEDs, and one is a multifunction red and white status LED.
Additional LAN subnet

In a typical retail or small office environment (wherein a wireless network is available along with a production WLAN) it is frequently necessary to segment a LAN into two subnets. Consequently, a second LAN is necessary to “segregate” wireless traffic. The access point has a second LAN subnet enabling administrators to segment the access point’s LAN connection into two separate networks.
For detailed information on configuring the access point for Hotspot support, see “Configuring WLAN hotspot support” on page 114.

Routing information protocol (RIP)

RIP is an interior gateway protocol that specifies how routers exchange routing-table information. The parent Router screen also allows the administrator to select the type of RIP and the type of RIP authentication used.
The Mobility 5181 Access Point uses DSSS (direct sequence spread spectrum) to transmit digital data from one device to another. A radio signal begins with a carrier signal that provides the base or center frequency. The digital data signal is encoded onto the carriers using a DSSS chipping algorithm. The Mobility 5181 Access Point radio signal propagates into the air as electromagnetic waves.
The user can configure the ESSID to correspond to up to 16 WLANs on each 802.11a or 802.11b/g radio. A Wireless Local Area Network (WLAN) is a data-communications system that flexibly extends the functionalities of a wired LAN. A WLAN does not require lining up devices for line-of-sight transmission, and is thus desirable. Within the WLAN, roaming users can be handed off from one Mobility 5181 Access Point to another like a cellular phone system.
Direct-sequence spread spectrum

Spread spectrum (broadband) uses a narrowband signal to spread the transmission over a segment of the radio frequency band or spectrum. Direct-sequence is a spread spectrum technique where the transmitted signal is spread over a particular frequency range. The access point uses Direct-Sequence Spread Spectrum (DSSS) for radio communication.
A Client can roam within a coverage area by switching Mobility 5181 Access Points.
Management access options

Managing the Mobility 5181 Access Point includes viewing network statistics and setting configuration options. Statistics track the network activity of associated Clients and data transfers on the AP interfaces. The Mobility 5181 Access Point requires one of the following connection methods to perform a custom installation and manage the network:
• Secure Java-Based WEB UI - (use Sun Microsystems’ JRE 1.
Chapter 2 Hardware Installation

In this chapter
• Precautions
• Mobility 5181 Access Point configurations
• Requirements
• Access point placement
• Power options
Part No.: BR-AP-5181-13040-WW
Description:
• 1 Mobility 5181 802.11a+g Dual Radio Access Point
• 1 Mobility 5181 Install Guide
• 1 WEEE Regulatory Addendum
• 1 set of cable connectors
• 3 antenna dust cover
• 2 connector cover AP67 jack, plus chain_LTW-M9/14-SB

NOTE
To mount the Mobility 5181 Access Point to a pole (1.5 - 18 inches in diameter) a Mobility 5181 Access Point Mounting Kit (Part No. BR-KT-5181-WP-01R) can be separately ordered.
Antenna coverage is analogous to lighting. Users might find an area lit from far away to be not bright enough. An area lit sharply might minimize coverage and create dark areas. Uniform antenna placement in an area (like even placement of a light bulb) provides even, efficient coverage.

Place the access point using the following guidelines:
• Install the access point at an ideal height of 10 feet from the ground.
• Orient the access point antennae vertically for best reception.
The Mobility 5181 Access Point 5 GHz antenna suite includes the following models:

Part Number | Antenna Type | Nominal Net Gain (dBi) | Description
ML-5299-FHPA6-01R | Omni-Directional Antenna | 7.0 | 4.900-5.850 GHz, Type N connector, no pigtail
ML-5299-FHPA10-01R | Omni-Directional Antenna | 10.0 | 5.
Installing the Power Tap

Refer to the following sections for information on planning, installing, and validating the installation:
• Preparing for site installation
• Cabling the Power Injector or Power Tap

Preparing for site installation

The Power Injector or Power Tap can be installed free standing, on an even horizontal surface or wall mounted using the unit’s wall mounting key holes.
Ensure the cable length from the Ethernet source (host) to the Power Tap (or Power Injector) and access point does not exceed 100 meters (333 ft). Neither the Power Tap nor the Power Injector has an On/Off switch. Each receives power as soon as AC power is applied.

3.
1. Fit the edges of the V-shaped clamp parts into the slots on the flat side of the rectangular plate.
2. Place the V-shaped bracket clamp parts around the pole and tighten the nuts just enough to hold the bracket to the pole. (The bracket may need to be rotated around the pole during the antenna alignment process).

[Figure labels: Fit the edges of the V-shaped part into the slots; Tighten the securing bolts]

3.
NOTE
The access point must be mounted with the RJ45 cable connectors oriented upwards to ensure proper operation.

CAUTION
Do not supply power to the Mobility 5181 Access Point Power Tap until the cabling of the access point is complete.
Mobility 5181 Access Point wall mounted installations

Complete the following steps to mount the Mobility 5181 Access Point to a wall using the supplied wall-mounting bracket:
1. Attach the bracket to a wall with flat side flush against the wall (see the illustration below). Position the bracket in the intended location and mark the positions of the four mounting screw holes.
2. Drill four holes in the wall that match the screws and wall plugs.
3.
CAUTION
Do not supply power to the Mobility 5181 Access Point Power Tap until the cabling of the access point is complete.

CAUTION
For Power Tap installations, an electrician is required to open the Power Tap unit, feed the power cable through the Line AC connector, secure the power cable to the unit’s three screw termination block and tighten the unit’s Line AC clamp (by hand) to ensure the power cable cannot be pulled from the Power Tap enclosure.
Mobility 5181 Access Point LED indicators

The Mobility 5181 Access Point utilizes four LED indicators. Five LEDs display within four LED slots on the back of the access point. The five LEDs have the following display and functionality:

[Figure labels: Power and error conditions (split LED); Data over Ethernet; 802.11a radio activity; 802.11b/g radio activity]

Power Status: Solid white indicates the access point is adequately powered.
Refer to the Spectrum24 LA-4121 PC Card, LA-4123 PCI Adapter & LA-4137 Wireless Networker User Guide, available from the Brocade Web site, for installing drivers and client software if operating in an 802.11b network environment. Use the default values for the ESSID and other configuration parameters until the network connection is verified. Clients attach to the network and interact with the AP transparently.
Chapter 3 Getting Started

In this chapter
• Installing the Access Point
• Configuration options
• Initially connecting to the Access Point
• Basic device configuration
• Command Line Interface (CLI) via Serial, Telnet and SSH. The access point CLI is accessed through the RS232 port, via Telnet or SSH. The CLI follows the same configuration conventions as the device user interface with a few documented exceptions. For details on using the CLI to manage the access point, see “CLI Reference” on page 199.
• Config file - Readable text file; Importable/Exportable via FTP, TFTP and HTTP.
• Data Bits - 8
• Stop Bits - 1
• No Parity
• No Flow Control

4. Press or to access the access point CLI.
5. Enter the default username of “admin” and the default password of “admin123.” As this is the first time you are logging into the access point, you are prompted to enter a new password and set the country code. Refer to “Country codes” on page 397 for a list of each available country’s two-digit country code.
6. At the CLI prompt (admin>), type “summary.
Enter the current password and a new admin password in fields provided. Click Apply. Once the admin password has been updated, a warning message displays stating the access point must be set to a country. The export function will always export the encrypted Admin User password. The import function will import the Admin Password only if the access point is set to factory default.
The System Name is useful if multiple devices are being administered.

3. Select the Country for the Mobility 5181 Access Point’s country of operation from the drop-down menu. The access point prompts the user for the correct country code on the first login. A warning message also displays stating that an incorrect country setting may result in illegal radio operation. Selecting the correct country is central to legally operating the access point.
NOTE
DNS names are not supported as a valid IP address. The user is required to enter a numerical IP address.

Once the IP address is entered, the Mobility 5181 Access Point’s Network Time Protocol (NTP) functionality is engaged automatically. Refer to the Mobility 5181 Access Point Product Reference Guide for information on defining alternate time servers and setting a synchronization interval for the Mobility 5181 Access Point to adjust its displayed time.
a. Select the Keep Alive check box to enable occasional communications over the WAN port even when client communications to the WAN are idle. Some ISPs terminate inactive connections, while others do not. In either case, enabling Keep-Alive maintains the WAN connection, even when there is no traffic. If the ISP drops the connection after the idle time, the Mobility 5181 Access Point automatically reestablishes the connection to the ISP.
b.
For additional Mobility 5181 Access Point LAN port configuration options, see “Configuring the LAN interface” on page 93.

8. Enable the radio(s) using the Enable checkbox(es) within the Radio Configuration field. If using a single radio access point, enable the radio, then select either 2.4 GHz or 5 GHz from the RF Band of Operation field. Only one RF band option at a time is permissible in a single-radio model. If using a dual-radio model, the user can enable both RF bands.
2. Ensure the Name of the security policy entered suits the intended configuration or function of the policy. Multiple WLANs can share the same security policy, so be careful not to name security policies after specific WLANs or risk defining a WLAN to a single policy. Brocade recommends naming the policy after the attributes of the authentication or encryption type selected.
3. Select the WEP 128 (104 bit key) check box.
Testing connectivity

Verify the access point’s link with a Client by sending Wireless Network Management Protocol (WNMP) ping packets to the associated Client. Use the Echo Test screen to specify a target Client and configure the parameters of the test. The WNMP ping test only works with Brocade Clients. Only use a Brocade Client to test access point connectivity using WNMP.
Chapter 4 System Configuration

In this chapter
• Configuring system settings
• Adaptive AP setup
• Configuring data access
• Managing Certificate Authority (CA) certificates
• Configuring SNMP settings
1. Select System Configuration -> System Settings from the Mobility 5181 Access Point menu tree.
2. Configure the Mobility 5181 Access Point System Settings field to assign a system name and location, set the country of operation and view device version information.

System Name: Specify a device name for the Mobility 5181. Brocade recommends selecting a name serving as a reminder of the user base the Mobility 5181 Access Point supports (engineering, retail, etc.).
Country: The Mobility 5181 Access Point prompts the user for the correct country code after the first login. A warning message also displays stating that an incorrect country setting will lead to an illegal use of the access point. Use the pull-down menu to select the country of operation. Selecting the correct country is extremely important.
CAUTION
After a reboot, static route entries disappear from the AP Route Table if a LAN Interface is set to DHCP Client. The entries can be retrieved (once the reboot is done) by performing an Apply operation from the WEB UI or a save operation from the CLI.

5. Click Apply to save any changes to the System Settings screen. Navigating away from the screen without clicking the Apply button results in all changes to the screen being lost.
1. Select System Configuration -> Adaptive AP Setup from the menu tree.
2. Define the following to prioritize a controller connection scheme and AP interface used to adopt to the controller.

Control Port: Define the port used by the controller FQDN to transmit and receive with the AAP. The default control port is 24576.
Controller Interface: Use the Controller Interface drop-down menu to specify the interface used by the controller for connectivity with the access point. Options include LAN1, LAN2 and WAN. The default setting is LAN1.

Enable AP-Controller Tunnel: This setting is required to enable an IPSec VPN from the AAP to the wireless controller.
The Mobility 5181 Access Point Access screen also has a facility allowing customers to create a login message with customer generated text. When enabled (using either the access point Web UI or CLI), the login message displays when the user is logging into the access point. If the login message is disabled, the default login screen displays with no message. AP access can be restricted to specific IP addresses.
3. Use the Mobility 5181 Access Point Access field check boxes to enable/disable the following on the access point’s LAN1, LAN2 or WAN interfaces:

Applet HTTP (port 80): Select the LAN1, LAN2 and/or WAN checkboxes to enable access to the Mobility 5181 Access Point configuration applet using a Web browser.
Radius Server IP: Specify the numerical (non DNS name) IP address of the Remote Authentication Dial-In User Service (Radius) server. Radius is a client/server protocol and software enabling remote-access servers to communicate with a server used to authenticate users and authorize access to the requested system or service.

Port: Specify the port on which the server is listening. The Radius server typically listens on port 1812 (default port).
10. Click Apply to save any changes to the Mobility 5181 Access Point Access screen. Navigating away from the screen without clicking the Apply button results in all changes to the screen being lost.
11. Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on the Mobility 5181 Access Point Access screen to the last saved configuration.
12. Click Logout to securely exit the Mobility 5181 Access Point applet.
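After the Access screen settings are applied, the result can be checked from a host on each side of the access point (LAN1, LAN2, WAN). The Python sketch below is an added example, not part of the Brocade guide: it compares the TCP management services that answer with the services you intended to allow from that vantage point. Port 80 comes from the guide; ports 443, 23 and 22, the `allowed` policy and the address 192.0.2.10 are assumptions.

```python
import socket

# TCP management services named for the Access screen. Port 80 for the HTTP
# applet is stated in the guide; 443, 23 and 22 are the protocol defaults and
# are assumed here. SNMP runs over UDP and is not covered by a TCP check.
MGMT_PORTS = {"http": 80, "https": 443, "telnet": 23, "ssh": 22}

# Services that carry credentials unencrypted.
CLEARTEXT = {"http", "telnet"}


def tcp_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_access(host, allowed, probe=tcp_open):
    """Compare reachable management services with the intended policy.

    allowed: set of service names that should answer from this vantage point.
    probe:   callable(host, port) -> bool, replaceable for offline testing.
    Returns a list of (service, port, finding) tuples in service-name order;
    an empty list means the device matches the policy.
    """
    findings = []
    for service, port in sorted(MGMT_PORTS.items()):
        is_open = probe(host, port)
        if is_open and service not in allowed:
            findings.append((service, port, "open but not allowed"))
        elif is_open and service in CLEARTEXT:
            findings.append((service, port, "allowed but cleartext"))
        elif not is_open and service in allowed:
            findings.append((service, port, "allowed but unreachable"))
    return findings


if __name__ == "__main__":
    # Constructed policy for a LAN1-side admin host: HTTPS and SSH only.
    # 192.0.2.10 is a documentation address; replace it with the AP address.
    for finding in audit_access("192.0.2.10", allowed={"https", "ssh"}):
        print(finding)
```

Run it once from each interface side with the policy for that side; from the WAN side an empty `allowed` set is the usual expectation.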
Defining trusted hosts

Mobility 5181 Access Point access can be restricted to up to 8 specific IP addresses. Trusted Host management restricts LAN1, LAN2 and WAN access (via SNMP, HTTP, HTTPS, Telnet and SSH). Only hosts with IP addresses matching those defined within the Trusted Host Access field are able to access the access point. Enabling the feature denies access from any subnet (IP address) not defined as trusted.
6. If you are near the capacity of 8 allowed IP addresses or an address becomes obsolete, consider selecting an existing address and clicking the Delete button to remove it.
7. Click Apply to save any changes to the Access screen’s Trusted Host configuration. Navigating away from the screen without clicking Apply results in all changes to the screen being lost.
8. Click Undo Changes (if necessary) to undo any changes made.
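Because enabling Trusted Host Access denies every address that is not on the list, a planned list is worth checking before Apply is clicked. This Python check is an added example, not part of the Brocade guide; it assumes entries are single IPv4 addresses (no DNS names or subnets), and the sample addresses are constructed.

```python
import ipaddress

MAX_TRUSTED_HOSTS = 8  # limit stated in the guide


def validate_trusted_hosts(entries):
    """Validate a planned Trusted Host Access list.

    Returns (hosts, errors): the unique, well-formed addresses in input order
    and a list of human-readable problems. Assumption: each entry must be one
    numerical IPv4 address.
    """
    hosts, errors = [], []
    for entry in entries:
        try:
            addr = ipaddress.IPv4Address(entry.strip())
        except ValueError:
            errors.append(f"{entry!r}: not a single numerical IPv4 address")
            continue
        if addr in hosts:
            errors.append(f"{entry!r}: duplicate entry")
        else:
            hosts.append(addr)
    if len(hosts) > MAX_TRUSTED_HOSTS:
        errors.append(
            f"{len(hosts)} addresses exceed the limit of {MAX_TRUSTED_HOSTS}"
        )
    return hosts, errors


def locked_out(hosts, management_stations):
    """Return the management stations that would lose SNMP, HTTP, HTTPS,
    Telnet and SSH access once the list is applied."""
    trusted = set(hosts)
    return [
        station
        for station in management_stations
        if ipaddress.IPv4Address(station) not in trusted
    ]


# Constructed sample input: a planned list with typical mistakes.
PLANNED = [
    "192.168.0.20",
    "192.168.0.21 ",      # trailing space is tolerated
    "nms.example.com",    # DNS name, rejected
    "192.168.0.0/24",     # subnet, rejected
    "192.168.0.20",       # duplicate
]
# Constructed sample: admin workstation and SNMP manager.
STATIONS = ["192.168.0.20", "192.168.0.50"]

if __name__ == "__main__":
    hosts, errors = validate_trusted_hosts(PLANNED)
    for problem in errors:
        print("problem:", problem)
    for station in locked_out(hosts, STATIONS):
        print("would be locked out:", station)
```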
NOTE
Verify the Mobility 5181 Access Point device time is synchronized with an NTP server before importing a certificate to avoid issues with conflicting date/time stamps. For more information, see “Configuring Network Time Protocol (NTP)” on page 76.

To import a CA certificate:
1. Select System Configuration -> Certificate Mgmt -> CA Certificates from the menu tree.
2.
Creating self certificates for accessing the VPN

The Mobility 5181 Access Point requires two kinds of certificates for accessing the VPN, CA certificates and self certificates. Self certificates are certificate requests you create, send to a Certificate Authority (CA) to be signed, then import the signed certificate into the management system.

CAUTION
Self certificates can only be generated using the access point GUI and CLI interfaces.
Key ID: Enter a logical name for the certificate to help distinguish between certificates. The name can be up to 7 characters in length.

Subject: The required Subject value contains important information about the certificate. Contact the CA signing the certificate to determine the content of the Subject parameter.

Signature Algorithm: Use the drop-down menu to select the signature algorithm used for the certificate.
The content of certificate request is copied to the clipboard. Create an email to your CA, paste the content of the request into the body of the message and send it to the CA. The CA signs the certificate and will send it back. Once received, copy the content from the email into the clipboard.

7. Click the Paste from clipboard button. The content of the email displays in the window.
1. Select System Configuration -> Certificate Mgmt -> Self Certificates from the Mobility 5181 Access Point menu tree.
2. Click on the Add button to create the certificate request. The Certificate Request screen displays.
3. Complete the request form with the pertinent information.

Key ID (required): Enter a logical name for the certificate to help distinguish between certificates. The name can be up to 7 characters in length.
NOTE
A Warning screen may display at this phase stating key information could be lost if you proceed with the certificate request. Click the OK button to continue, as the certificate has not been signed yet.

6. Click the Generate Request button from within the Self Certificates screen. The certificate content displays within the Self Certificate screen.
7. Click the Copy to clipboard button. Save the certificate content to a secure location.
8.
21. Verify the contents of the certificate file display correctly within the Self Certificates screen. The certificate for the onboard RADIUS authentication of Clients has now been generated and loaded into the access point’s flash memory.

Apache certificate management

Apache certificate management allows the update and management of security certificates for an Apache HTTP server. This allows users to upload a trusted certificate to their AP.
4 Configuring SNMP settings Certificate Name (no extension) Specify the name of the certificate file to be written to the FTP or TFTP server. Do not enter the file’s extension. FTP/TFTP Server IP Address Enter the numerical (non DNS name) IP address of the destination FTP or TFTP server where the security certificate is imported or exported. Filepath (optional) Defines the optional path name used to import/export the target security certificate.
SNMP allows a network administrator to manage network performance, find and solve network problems, and plan for network growth. The Mobility 5181 Access Point supports SNMP management functions for gathering information from its network components, communicating that information to specified users and configuring the access point. All the fields available within the access point are also configurable within the MIB.
1. Select System Configuration -> SNMP Access from the Mobility 5181 Access Point menu tree.
SNMP v1/v2c community definitions allow read-only or read/write access to Mobility 5181 Access Point management information. The SNMP community includes users whose IP addresses are specified on the SNMP Access Control screen. A read-only community string allows a remote device to retrieve information, while a read/write community string allows a remote device to modify settings.
OID: Use the OID (Object Identifier) pull-down list to specify a setting of All or enter a Custom OID. Select All to assign the user access to all OIDs in the MIB. The OID field uses numbers expressed in dot notation.
Access: Use the Access pull-down list to specify read-only (R) access or read/write (RW) access for the community.
Mobility 5181 Access Point SNMP v3 Engine ID: The Mobility 5181 Access Point SNMP v3 Engine ID field lists the unique SNMP v3 Engine ID for the Mobility 5181 Access Point. This ID is used in SNMP v3 as the source for a trap, response or report. It is also used as the destination ID when sending get, getnext, getbulk, set or inform commands.
6. Click Apply to save any changes to the SNMP Access screen.
1. Select System Configuration -> SNMP Access from the Mobility 5181 Access Point menu tree. Click on the SNMP Access Control button from within the SNMP Access screen.
2. Configure the SNMP Access Control screen to add the IP addresses of those users receiving SNMP access.
Access Control List: Enter Start IP and End IP addresses (numerical addresses only, no DNS names supported) to specify a range of users that can access the Mobility 5181 Access Point SNMP interface.
Use the SNMP Traps Configuration screen to enable traps and to configure appropriate settings for reporting this information. Trap configuration depends on the network machine that receives the generated traps. SNMP v1/v2c and v3 trap configurations function independently. In a mixed SNMP environment, generated traps can be sent using configurations for both SNMP v1/v2c and v3.
To configure SNMP traps on the Mobility 5181 Access Point:
1.
Community: Enter a community name specific to the SNMP-capable client that receives the traps.
SNMP Version: Use the SNMP Version drop-down menu to specify v1 or v2. Some SNMP clients support only SNMP v1 traps, while others support SNMP v2 traps and possibly both. Verify the correct traps are in use with clients that support them.
3.
1. Select System Configuration -> SNMP Access -> SNMP Traps from the menu tree.
2. Configure the Client Traps field to generate traps for Client associations, Client association denials and Client authentication denials. When a trap is enabled, a trap is sent every 10 seconds until the condition no longer exists.
Client associated: Generates a trap when a Client becomes associated with one of the Mobility 5181 Access Point’s WLANs.
SNMP authentication failures: Generates a trap when an SNMP-capable client is denied access to the Mobility 5181 Access Point’s SNMP management functions or data. This can result from an incorrect login, or missing/incorrect user credentials.
SNMP ACL violation: Generates a trap when an SNMP client cannot access SNMP management functions or data due to an Access Control List (ACL) violation.
Enable All: Select this button to enable each trap defined within the SNMP Traps screen. Once the changes are applied, each event listed will generate a trap upon its occurrence.
Disable All: Select this button to disable each trap defined within the SNMP Traps screen. Once the changes are applied, none of the events listed will generate a trap upon their occurrence.
7. Click Apply to save any changes to the SNMP Traps screen.
1. Select System Configuration -> SNMP Access -> SNMP RF Trap Thresholds from the menu tree.
2. Configure the RF Trap Thresholds field to define device threshold values for SNMP traps.
NOTE: Average Bit Speed, % of Non-Unicast, Average Signal, Average Retries, % Dropped and % Undecryptable are not access point statistics.
Pkts/s: Enter a maximum threshold for the total throughput in Pps (Packets per second).
4 Configuring Network Time Protocol (NTP) % Dropped Enter a maximum threshold for the total percentage of packets dropped for each device. Dropped packets can be caused by poor RF signal or interference on the channel. % Undecryptable Define a maximum threshold for the total percentage of packets undecryptable for each device. Undecryptable packets can be the result of corrupt packets, bad CRC checks or incomplete packets.
To manage clock synchronization on the Mobility 5181 Access Point:
1. Select System Configuration -> Date/Time from the Mobility 5181 Access Point menu tree.
2. From within the Current Time field, click the Refresh button to update the time since the screen was displayed by the user. The Current Time field displays the current time based on the Mobility 5181 Access Point system clock.
Configuring LLDP Settings
CAUTION: If using the Radius time-based authentication feature to authenticate access point user permissions, ensure UTC has been selected from the Time Zone field. If UTC is not selected, time-based authentication will not work properly. For information on configuring Radius time-based authentication, see “Defining user access permissions by group” on page 173.
5.
The information is in a Type Length Value (TLV) format for each data item. TLV information is transmitted in an LLDP protocol data unit (LLDPDU), enclosed in an Ethernet frame and sent to a destination MAC address. Certain TLVs are mandatory, and always sent once LLDP is enabled, while other TLVs are optionally configured.
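The TLV layout described above can be inspected with a short parser. This is an added example, not code from Brocade or from this guide; it assumes the IEEE 802.1AB header layout (a 7-bit type followed by a 9-bit length) and the standard's mandatory TLV set, neither of which is spelled out on this page, and the sample LLDPDU is constructed for illustration.

```python
import struct

# TLV type codes from IEEE 802.1AB (assumption: not listed in this guide).
TLV_NAMES = {
    0: "End of LLDPDU", 1: "Chassis ID", 2: "Port ID", 3: "Time To Live",
    4: "Port Description", 5: "System Name", 6: "System Description",
    7: "System Capabilities", 8: "Management Address",
    127: "Organizationally Specific",
}


class LLDPParseError(ValueError):
    """Raised when the byte string cannot be a well-formed LLDPDU."""


def make_tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV: 7-bit type and 9-bit length packed into two octets."""
    if not 0 <= tlv_type <= 127 or len(value) > 511:
        raise ValueError("type must fit in 7 bits and length in 9 bits")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def parse_lldpdu(payload: bytes) -> list:
    """Split an LLDPDU (the Ethernet payload) into (type, value) pairs."""
    tlvs, offset = [], 0
    while offset < len(payload):
        if len(payload) - offset < 2:
            raise LLDPParseError(f"truncated TLV header at offset {offset}")
        (header,) = struct.unpack_from("!H", payload, offset)
        tlv_type, length = header >> 9, header & 0x01FF
        offset += 2
        # Never trust the length field: it must fit in the remaining bytes.
        if length > len(payload) - offset:
            raise LLDPParseError(
                f"TLV type {tlv_type} claims {length} octets, "
                f"only {len(payload) - offset} remain")
        tlvs.append((tlv_type, payload[offset:offset + length]))
        offset += length
        if tlv_type == 0:
            break  # anything after End of LLDPDU is frame padding
    return tlvs


def check_mandatory(tlvs: list) -> list:
    """Return a list of problems with the mandatory TLVs (empty if none)."""
    types = [t for t, _ in tlvs]
    problems = []
    if types[:3] != [1, 2, 3]:
        problems.append(
            "Chassis ID, Port ID and Time To Live must be the first three TLVs")
    for t in (1, 2, 3):
        if types.count(t) > 1:
            problems.append(f"duplicate {TLV_NAMES[t]} TLV")
    if not types or types[-1] != 0:
        problems.append("no End of LLDPDU TLV")
    for t, value in tlvs:
        if t == 3 and len(value) != 2:
            problems.append("Time To Live value must be 2 octets")
        if t == 0 and value:
            problems.append("End of LLDPDU must have zero length")
    return problems


def describe(tlvs: list) -> dict:
    """Decode the commonly used TLVs into readable values."""
    out = {}
    for t, value in tlvs:
        name = TLV_NAMES.get(t, f"type {t}")
        if t in (1, 2) and value:
            out[name] = (value[0], value[1:])        # (subtype, identifier)
        elif t == 3 and len(value) == 2:
            out[name] = struct.unpack("!H", value)[0]  # seconds
        elif t in (4, 5, 6):
            out[name] = value.decode("utf-8", "replace")
        else:
            out[name] = value
    return out


# Constructed sample LLDPDU (illustrative values, not captured from a device).
SAMPLE_LLDPDU = b"".join([
    make_tlv(1, b"\x04" + bytes.fromhex("020000000001")),  # chassis: MAC
    make_tlv(2, b"\x05" + b"lan1"),                        # port: ifname
    make_tlv(3, struct.pack("!H", 120)),                   # TTL 120 s
    make_tlv(5, b"ap-example"),                            # optional TLV
    make_tlv(0, b""),                                      # End of LLDPDU
])

if __name__ == "__main__":
    parsed = parse_lldpdu(SAMPLE_LLDPDU)
    print(describe(parsed))
    print(check_mandatory(parsed) or "mandatory TLVs present and ordered")
```

Because LLDP frames are unauthenticated, a receiver or monitoring script should treat every advertised value as untrusted input, which is why the parser rejects any length field that runs past the end of the payload.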
4 Logging configuration 1. Select System Configuration - > Logging Configuration from the Mobility 5181 Access Point menu tree. 2. Configure the Log Options field to save event logs, set the log level and optionally port the Mobility 5181 Access Point’s log to an external server.
Importing/exporting configurations View Log Click View to save a log of events retained on the Mobility 5181 Access Point. The system displays a prompt requesting the administrator password before saving the log. After the password has been entered, click Get File to display a dialogue with buttons to Open or Save the log.txt file. Click Save and specify a location to save the log file. Use the WordPad application to view the saved log.txt file on a Microsoft Windows based computer.
Another benefit is the opportunity to save the current AP configuration before making significant changes or restoring the default configuration. All options on the access point are deleted and updated by the imported file. Therefore, the imported configuration is not a merge with the configuration of the target access point. The exported file can be edited with any document editor if necessary.
1. Select System Configuration -> Config Import/Export from the Mobility 5181 Access Point menu tree.
2. Configure the FTP and TFTP Import/Export field to import/export configuration settings.
Filename: Specify the name of the configuration file to be written to the FTP or TFTP server.
FTP/TFTP Server IP Address: Enter the numerical (non DNS name) IP address of the destination FTP or TFTP server where the configuration file is imported or exported.
4 Importing/exporting configurations Import Configuration Click the Import Configuration button to import the configuration file from the server with the assigned filename and login information. The system displays a confirmation window indicating the administrator must log out of the Mobility 5181 Access Point after the operation completes for the changes to take effect. Click Yes to continue the operation. Click No to cancel the configuration file import.
Status: After executing an operation (by clicking any of the buttons in the window), check the Status field for a progress indicator and messages about the success or errors in executing the Import/Export operation.
Updating device firmware
Brocade periodically releases updated versions of the Mobility 5181 Access Point device firmware to the Brocade Web site. If the Mobility 5181 Access Point firmware version displayed on the System Settings page (see “Configuring system settings” on page 45) is older than the version on the Web site, Brocade recommends updating the Mobility 5181 Access Point to the latest firmware version for full feature functionality.
If restoring the access point’s factory default firmware, you must export the certificate file BEFORE restoring the access point’s factory default configuration. Import the file back after the updated firmware is installed. If a firmware update is required, use the Firmware Update screen to specify a filename and define a file location for updating the firmware.
NOTE: The firmware file must be available from an FTP or TFTP site to perform the update.
3. Configure the DHCP Options checkboxes to enable/disable automatic firmware and/or configuration file updates. DHCP options are used for out-of-the-box rapid deployment for Brocade wireless products. The following are the two options available on the access point:
• Enable Automatic Firmware Update
• Enable Automatic Configuration Update
Both DHCP options are enabled by default. These options can be used to update newer firmware and configuration files on the access point.
Enable Automatic Firmware Update: Enable this checkbox to allow an automatic firmware update when firmware versions are found to be different between what is running on the access point and the firmware that resides on the server. A firmware update will only occur if the access point is reset or when the access point does a DHCP request. This feature is used in conjunction with DHCP/BootP options configured on a DHCP or BootP server.
NOTE: The access point must complete the reboot process to successfully update the device firmware, regardless of whether the reboot is conducted using the GUI or CLI interfaces.
10. After the AP reboots, return to the Firmware Update screen. Check the Status field to verify whether the firmware update was successful.
Upgrade/downgrade considerations
CAUTION: Prior to upgrading/downgrading the access point’s configuration, ensure the access point’s current configuration has been exported to a secure location. Having the configuration available is recommended in case errors occur in the upgrade/downgrade process.
• Export either a CA or Self Certificate to a safe and secure location before upgrading or downgrading your access point firmware.
Chapter 5 Network Management
In this chapter
• Configuring the LAN interface (page 93)
• Configuring WAN settings (page 101)
• Enabling wireless LANs (WLANs) (page 106)
• Configuring WIPS server settings (page 127)
• Configuring router settings
5 Configuring the LAN interface Enable Select the LAN1 and/or LAN2 checkbox to allow the forwarding of data traffic over the specified LAN connection. The LAN1 connection is enabled by default, but both LAN interfaces can be enabled simultaneously. The LAN2 setting is disabled by default. LAN Name Use the LAN Name field to modify the existing LAN name. LAN1 and LAN2 are the default names assigned to the LANs until modified by the user.
Configuring the LAN interface half duplex Select this option to transmit data to and from the access point, but not at the same time. Using a half duplex transmission, the access point can send data over its LAN port then immediately receive data from the same direction in which the data was transmitted. Like a full-duplex transmission, a half-duplex transmission can carry data in both directions, just not at the same time.
5 Configuring the LAN interface database houses the records of MAC addresses and VLAN assignments. The VLAN database looks up the MAC to determine what VLAN is assigned to it. If it is not in the database, it simply uses a default VLAN assignment. The VLAN assignment is sent to the Mobility 5181 Access Point. The Mobility 5181 Access Point then maps the target WLAN for the assigned VLAN and traffic passes normally, allowing for the completion of the DHCP request and further traffic.
A trunk port configured with 802.1Q tagging can receive both tagged and untagged traffic. By default, the access point forwards untagged traffic with the native VLAN configured for the port. The Native VLAN is VLAN 1 by default. Brocade suggests leaving the Native VLAN set to 1 as other layer 2 devices also have their Native VLAN set to 1.
10. Use the LAN drop-down menu to map one of the two LANs to the WLAN listed to the left.
This interface is a DHCP Client: Select this button to enable DHCP to set network address information via this LAN1 or LAN2 connection. This is recommended if the Mobility 5181 Access Point resides within a large corporate network or the Internet Service Provider (ISP) uses DHCP. This setting is enabled for LAN1 by default.
Configuring the LAN interface WINS Server Enter the numerical (non DNS name) IP address of the WINS server. WINS is a Microsoft NetBIOS name server. Using a WINS server eliminates the broadcasts needed to resolve computer names to IP addresses by providing a cache or database of translations. Mesh STP Configuration Click the Mesh STP Configuration button to define bridge settings for this specific LAN. Each of the access point’s two LANs can have a separate mesh configuration.
5 Configuring the LAN interface 5. Click the Del (delete) button to remove a selected table entry. 6. Click OK to return to the LAN1 or LAN2 page, where the updated settings within the Advanced DHCP Server screen can be saved by clicking the Apply button. 7. Click Cancel to undo any changes made. Undo Changes reverts the settings displayed to the last saved configuration.
Configuring WAN settings
A Wide Area Network (WAN) is a widely dispersed telecommunications network. The Mobility 5181 Access Point includes one WAN port. The Mobility 5181 Access Point WAN port has its own MAC address. In a corporate environment, the WAN port might connect to a larger corporate network. For a small business, the WAN port might connect to a DSL or cable modem to access the Internet.
5 Configuring WAN settings Primary DNS Server Specify the address of a primary Domain Name System (DNS) server. The ISP or a network administrator provides this address. A DNS server translates a domain name (for example, www.brocade.com) into an IP address that networks can use. Secondary DNS Server Specify the address of a secondary DNS server if one is used. A secondary address is recommended if the primary DNS server goes down.
Configuring WAN settings Idle Time (seconds) Specify an idle time in seconds to limit how long the Mobility 5181 Access Point’s WAN connection remains active after outbound and inbound traffic is not detected. The Idle Time field is grayed out if Keep-Alive is enabled. Authentication Type Use the Authentication Type menu to specify the authentication protocol(s) for the WAN connection. Choices include None, PAP or CHAP, PAP, or CHAP.
5 Configuring WAN settings WAN IP Address The WAN IP addresses on the NAT screen are dynamically generated from address settings applied on the WAN screen. NAT Type Specify the NAT Type as 1 to 1 to map a WAN IP address to a single host (local) IP address. 1 to 1 mapping is useful when users need dedicated addresses, and for public-facing servers connected to the Mobility 5181 Access Point. Set the NAT Type as 1 to Many to map a WAN IP address to multiple local IP addresses.
Configuring WAN settings Name Enter a name for the service being forwarded. The name can be any alphanumeric string and is used for identification of the service. Transport Use the Transport pull-down menu to specify the transport protocol used in this service. The choices are ALL, TCP, UDP, ICMP, AH, ESP, and GRE. Start Port and End Port Enter the port or ports used by the port forwarding service. To specify a single port, enter the port number in the Start Port area.
5 Enabling wireless LANs (WLANs) 4. Enter the DynDNS Password for the account you wish to use for the access point. 5. Provide the Hostname for the DynDNS account you wish to use for the access point. 6. Click the Update DynDNS button to update the access point’s current WAN IP address with the DynDNS service. NOTE DynDNS supports devices directly connected to the Internet. Having VPN enabled, and the DynDNS Server on the other side of the VPN is not supported. 7.
Enabling wireless LANs (WLANs) Radio The Radio field displays the name of the Mobility 5181 Access Point radio the WLAN is mapped to (either the 802.11a radio or the 802.11b/g radio). To change the radio designation for a specific WLAN, see “Creating/editing individual WLANs” on page 107. VLAN The VLAN field displays the specific VLAN the target WLAN is mapped to. For information on VLAN configuration for the WLAN, see “Configuring VLAN support” on page 95.
ESSID: Enter the Extended Services Set Identification (ESSID) associated with the WLAN. The WLAN name is auto-generated using the ESSID until changed by the user. The maximum number of characters that can be used for the ESSID is 32.
Name: Define or revise the name for the WLAN. The name should be a logical representation of the WLAN coverage area (engineering, marketing etc.). The maximum number of characters that can be used for the name is 31.
Security Policy: Use the Security Policies scroll-down menu to select the security scheme best suited for the new or revised WLAN. Click the Create button to jump to the New Security Policy screen where a new policy can be created to suit the needs of the WLAN. For more information, see “Configuring WLAN security policies” on page 110.
Client Access Control: Select an ACL policy suiting the WLAN’s Client interoperability requirements from the drop-down menu.
Configuring WLAN security policies
As WLANs are being defined for a Mobility 5181 Access Point, a security policy can be created or an existing policy edited (using the Create or Edit buttons within the Security Configuration screen) to best serve the security requirements of the WLAN. Once new policies are defined, they are available within the New WLAN or Edit WLAN screens and can be mapped to any WLAN.
NOTE: When the Mobility 5181 Access Point is first launched, a single ACL policy (default) is available and mapped to WLAN 1. It is anticipated numerous additional ACL policies will be created as the list of WLANs grows.
2. Click the Create button to configure a new ACL policy, or select a policy and click the Edit button to modify an existing ACL policy. The access point supports a maximum of 16 Client ACL policies.
Brocade recommends using the New QoS Policy and Edit QoS Policy screens strategically to name and configure QoS policies meeting the requirements of the particular WLANs they map to. However, be careful not to name policies after specific WLANs, as individual QoS policies can be used by more than one WLAN. For detailed information on assigning QoS policies to specific WLANs, see “Creating/editing individual WLANs” on page 107.
To configure QoS policies:
1.
11b - wifi: Use this setting for high-end multimedia devices that use the 802.11b radio.
11ag - default: Use this setting for typical “data-centric” Client traffic over the high rate 802.11a or 802.11g radio.
11b - default: Use this setting for typical “data-centric” Client traffic over the 802.11b radio.
11ag voice: Use this setting for “Voice-Over-IP” traffic over the high rate 802.11a or 802.11g radio.
TXOPs Time 32usec: The TXOPs Time is the interval the transmitting Client is assigned for transmitting. The default for Background traffic is 0. The same TXOPs values should be used for either the 802.11a or 802.11b/g radio; there is no difference.
TXOPs Time ms: TXOP times range from 0.2 ms (background priority) to 3 ms (video priority) in an 802.11a network, and from 1.2 ms to 6 ms in an 802.11b/g network.
• User authentication - Authenticates users using a Radius server.
• Walled garden support - Enables a list of IP addresses (not domain names) accessed without authentication.
• Billing system integration - Sends accounting records to a Radius accounting server.
Welcome Page URL: Define the complete URL for the location of the Welcome page. The Welcome page asserts the hotspot user has logged in successfully and can access the Internet.
Fail Page URL: Define the complete URL for the location of the Fail page. The Fail screen asserts that the hotspot authentication attempt failed, that the user is not allowed to access the Internet, and that correct login information must be provided to access the Internet.
5.
Timeout: Set the timeout value in seconds (1-255) used to timeout users accessing the Radius Accounting server if they have not successfully accessed the Accounting Server.
Retries: Define the number of retries (1-10) the user is allowed to access the Radius Accounting Server if the first attempt fails. The default is 1.
8. Refer to the Radius Configuration field to define a primary and secondary Radius server port and shared secret password.
4. Click OK to return to the Hotspot Config screen where the configuration can be saved by clicking the Apply button. The user now enters his or her credentials on the Login page and submits the page. The Login Handler executes a CGI script, which uses this data as input.
5. Click Cancel to return to the Hotspot Config screen without saving any of the White List entries defined within the White List Entries screen.
CAUTION: If a radio is disabled, be careful not to accidentally configure a new WLAN, expecting the radio to be operating when you have forgotten it was disabled.
3. Select the Base Bridge check box to allow the access point radio to accept client bridge connections from other access points in client bridge mode. The base bridge is the acceptor of mesh network data from those client bridges within the mesh network and never the initiator.
4.
5 Enabling wireless LANs (WLANs) NOTE Ensure you have verified the radio configuration for both Radio 1 and Radio 2 before saving the existing settings and exiting the Radio Configuration screen. Once the settings within the Radio Configuration screen are applied (for an initial deployment), the current number of base bridges visible to the radio displays within the BBs Visible field, and the number of base bridges currently connected to the radio displays within the BBs Connected field.
Enter a value in the Client Bridge Signal Threshold field. This configures the signal strength of the base bridge below which the device keeps monitoring the connection to the base bridge. The default value is 65 dBm.
Enter a value in the Client Bridge Signal Delta field. This is the change in signal strength of the monitored base bridge that causes the device to drop this connection and seek to establish a connection to a base bridge with a stronger signal.
9.
5 Enabling wireless LANs (WLANs) Placement Use the Placement drop-down menu to specify whether the radio is located outdoors or indoors. Default placement depends on the country of operation selected for the Mobility 5181 Access Point. MAC Address The Mobility 5181 Access Point, like other Ethernet devices, has a unique, hardware encoded Media Access Control (MAC) or IEEE address. MAC addresses determine the device sending or receiving data.
Enabling wireless LANs (WLANs) Channel Setting The following channel setting options exist: User Selection - If selected, use the drop-down menu to specify the legal channel for the intended country of operation. The drop-down menu is not available if this option is not selected. Automatic Selection - When the access point is booted, the access point scans non-overlapping channels listening for beacons from other access points. For 802.11b, it scans channels 1, 6, and 11. For 802.
5 Enabling wireless LANs (WLANs) 4. Refer to the Beacon Settings field to set the radio beacon and DTIM intervals. Beacon Interval The beacon interval controls the performance of power save stations. A small interval may make power save stations more responsive, but it will also cause them to consume more battery power. A large interval makes power save stations less responsive, but could increase power savings. The default is 100. Avoid changing this parameter as it can adversely affect performance.
RTS Threshold: RTS allows the Mobility 5181 Access Point to use RTS (Request To Send) on frames longer than the specified length. The default is 2341 bytes.
Set RF QoS: Click the Set RF QoS button to display the Set RF QoS screen to set QoS parameters for the radio. Do not confuse this with the QoS configuration screen used for a WLAN. The Set RF QoS screen initially appears with default values displayed.
5 Enabling wireless LANs (WLANs) 8. Use the Primary WLAN drop-down menu to select a WLAN from those WLANs sharing the same BSSID. The selected WLAN is the primary WLAN for the specified BSSID. 9. Click Apply to save any changes to the Radio Settings and Advanced Settings screens. Navigating away from the screen without clicking Apply results in changes to the screens being lost. 10. Click Undo Changes (if necessary) to undo any changes made to the screen and its sub-screens.
Configuring WIPS server settings WLAN Name Displays the name of the WLAN. This field is read-only. To change the name of the WLAN, see “Creating/editing individual WLANs” on page 107. Weight This column is not available unless Weighted Round-Robin is selected. Assign a weight to each WLAN. This percentage equals the Mobility 5181 Access Point bandwidth share for that WLAN when network traffic is detected.
5 Configuring router settings NOTE The AP-51x1 radios are dual band capable radios. When selected as a WIPS sensor these radios scan both the 2.4 GHz and 5 GHz bands. 3. Define a primary and alternate WIPS server IP Address within the WIPS Server 1 and WIPS Server 2 fields. This is the address of the WIPS console server. 4. Click Apply to save any changes to the WIPS screen. Navigating away from the screen without clicking Apply results in all changes to the screens being lost. 5.
a. Click the Add button to create a new table entry.
b. Highlight an entry and click the Del (delete) button to remove an entry.
c. Specify the destination IP address, subnet mask, and gateway information for the internal static route.
d. Select an enabled subnet from the Interface(s) column’s drop-down menu to complete the table entry. Information in the Metric column is a user-defined value (from 1 to 65535) used by router protocols to determine the best hop routes.
4. If the Simple authentication method is selected, specify a password of up to 15 alphanumeric characters in the Password (Simple Authentication) area.
5. If the MD5 authentication method is selected, fill in the Key #1 field (Key #2 is optional). Enter any numeric value between 0 and 256 into the MD5 ID area. Enter a string consisting of up to 16 alphanumeric characters in the MD5 Auth Key area.
6. Click the OK button to return to the Router screen.
Chapter 6 Configuring Access Point Security
In this chapter
• Configuring security options
• Setting passwords
• Enabling authentication and encryption schemes
• Configuring Kerberos authentication
• Configuring 802.1x EAP authentication
Configuring security options
To configure the data protection options available on the Mobility 5181 Access Point, refer to the following:
• To set an administrative password for secure Mobility 5181 Access Point logins, see “Setting passwords” on page 132.
• To display security policy screens used to configure the authentication and encryption schemes available to the Mobility 5181 Access Point, see “Enabling authentication and encryption schemes” on page 134.
Setting passwords
The Mobility 5181 Access Point Login screen displays.
NOTE: For optimum compatibility use Sun Microsystems’ JRE 1.5 or higher (available from Sun’s Web site), and be sure to disable Microsoft’s Java Virtual Machine if it is installed.
NOTE: DNS names are not supported as a valid IP address for the Mobility 5181 Access Point. The user is required to enter a numerical IP address.
4. Log in using “admin” as the default Username and “admin123” as the default Password.
Enabling authentication and encryption schemes
To complement the built-in firewall filters on the WAN side of the Mobility 5181 Access Point, the WLAN side of the Mobility 5181 Access Point supports authentication and encryption schemes. Authentication is a challenge-response procedure for validating user credentials such as username, password, and sometimes secret-key information.
Manually Pre-Shared Key / No Authentication: Select this button to disable authentication. This is the default value for the Authentication field.
Kerberos: Select the Kerberos button to display the Kerberos Configuration field within the New Security Policy screen.
802.1x EAP: Select the 802.1x EAP button to display the 802.1x EAP Settings field within the New Security Policy screen.
5.
Configuring Kerberos authentication
Kerberos (designed and developed by MIT) provides strong authentication for client/server applications using secret-key cryptography. Using Kerberos, a client must prove its identity to a server (and vice versa) across an insecure network connection. Once a client and server use Kerberos to prove their identity, they can encrypt all communications to assure privacy and data integrity.
Realm Name
Specify a realm name that is case-sensitive, for example, BROCADE.COM. The realm name is the domain/realm name of the KDC Server. A realm name functions similarly to a DNS domain name. In theory, the realm name is arbitrary. However, in practice a Kerberos realm is named by uppercasing the DNS domain name that is associated with hosts in the realm.
Configuring 802.1x EAP authentication

The 802.1x EAP Settings field displays within the New Security Policy screen.

4. Ensure the Name of the security policy entered suits the intended configuration or function of the policy.
5. If using the access point’s Internal RADIUS server, leave the Radius Server drop-down menu in the default setting of Internal. If an external RADIUS server is used, select External from the drop-down menu.
6.
External Radius Shared Secret
Specify a shared secret for authentication. The shared secret is required to match the shared secret on the Radius server.

Client Timeout
Specify the time (in seconds) for the access point’s retransmission of EAP-Request packets. The default is 10 seconds. If this time is exceeded, the authentication session is terminated.
Client Max Retries (1-10) retries
Specify the maximum number of times the access point retransmits an EAP-Request frame to the client before it times out the authentication session. The default is 2 retries.

Server Timeout (1-255) secs
Specify the time (in seconds) for the access point's retransmission of EAP-Request packets to the server. The default is 5 seconds. If this time is exceeded, the authentication session is terminated.
Pass Key
Specify a 4 to 32 character pass key and click the Generate button. The pass key can be any alphanumeric string. The Mobility 5181 Access Point, other proprietary routers and Brocade Clients use the algorithm to convert an ASCII string to the same hexadecimal number. Clients without Brocade adapters need to use WEP keys manually configured as hexadecimal numbers.

Keys #1-4
Use the Key #1-4 areas to specify key numbers.
The New Security Policy screen displays with no authentication or encryption options selected.

3. Select the KeyGuard radio button. The KeyGuard Settings field displays within the New Security Policy screen.
4. Ensure the Name of the security policy entered suits the intended configuration or function of the policy.
5. Configure the KeyGuard Settings field as required to define the Pass Key used to generate the WEP keys used with the KeyGuard algorithm.
Configuring WPA/WPA2 using TKIP

Wi-Fi Protected Access 2 (WPA2) is an enhanced version of WPA. WPA2 uses the Advanced Encryption Standard (AES) instead of TKIP. AES supports 128-bit, 192-bit and 256-bit keys. WPA/WPA2 also provide strong user authentication based on 802.1x EAP.

To configure WPA/WPA2 encryption on the Mobility 5181 Access Point:
1. Select Network Configuration -> Wireless -> Security from the Mobility 5181 Access Point menu tree.
7. Enable WPA2-TKIP Support as needed to allow WPA2 and TKIP client interoperation.

Allow WPA2-TKIP clients
WPA2-TKIP support enables WPA2 and TKIP clients to operate together on the network.

8. Configure the Fast Roaming (802.1x only) field as required to enable additional Mobility 5181 Access Point roaming and key caching options. This feature is applicable only when using 802.1x EAP authentication with WPA2-TKIP.
Configuring WPA2-CCMP (802.11i)

3. Select the WPA2/CCMP (802.11i) checkbox. The WPA2/CCMP Settings field displays within the New Security Policy screen.
4. Ensure the Name of the security policy entered suits the intended configuration or function of the policy.
5. Configure the Key Rotation Settings field as required to set Broadcast Key Rotation and the update interval.

Broadcast Key Rotation
Select the Broadcast Key Rotation checkbox to enable or disable broadcast key rotation.
8. Configure the Fast Roaming (802.1x only) field as required to enable additional Mobility 5181 Access Point roaming and key caching options. This feature is applicable only when using 802.1x EAP authentication with WPA2/CCMP.

Pre-Authentication
Selecting this option enables an associated Client to carry out an 802.1x authentication with another Mobility 5181 Access Point before it roams to it.
Configuring firewall settings

NAT Timeout
Network Address Translation (NAT) converts an IP address in one network to a different IP address or set of IP addresses in a different network. Set a NAT Timeout interval (in minutes) the Mobility 5181 Access Point uses to terminate the IP address translation process if no translation activity is detected after the specified interval.

4.
1. Select Network Configuration -> Firewall -> Subnet Access from the Mobility 5181 Access Point menu tree.
2. Refer to the Overview field to view rectangles representing subnet associations. The three possible colors indicate the current access level, as defined, for each subnet association.

Color    Access Type    Description
Green    Full Access    No protocol exceptions (rules) are specified. All traffic may pass between these two areas.
Transport
Select a protocol from the drop-down menu.

Start Port
Enter the starting port number for a range of ports. If the protocol uses a single port, enter that port in this field.

End Port
Enter the ending port number for a port range. If the protocol uses a single port, leave the field blank.

A new entry might use Web Traffic for its name, TCP for its protocol, and 80 for its port number.

4. Click Apply to save any changes to the Subnet Access screen.
Configuring advanced subnet access

Use the Advanced Subnet Access screen to configure complex access rules and filtering based on source port, destination port, and transport protocol. To enable advanced subnet access, the subnet access rules must be overridden. However, the Advanced Subnet Access screen allows you to import existing subnet access rules into the advanced subnet access rules.

To configure Mobility 5181 Access Point Advanced Subnet Access:
1.
Destination IP
The Destination IP range determines the target address or address range for the firewall rule. To configure the Destination IP range, click on the field. A new window displays for entering the IP address and range.

Transport
Select a protocol from the drop-down list.

Src. Ports (Source Ports)
The source port range determines which ports the firewall rule applies to on the source IP address. Click on the field to configure the source port range.
Configuring VPN tunnels

Remote Subnet
The Remote Subnet column lists the remote subnet for each tunnel. The remote subnet is the subnet the remote network uses for connection.

Remote Gateway
The Remote Gateway column lists a remote gateway IP address for each tunnel. The numeric remote gateway is the gateway IP address on the remote network the VPN tunnel connects to. Ensure the address is the same as the WAN port address of the target gateway AP or controller.
Default Gateway
Displays the WAN interface's default gateway IP address.

Manual Key Exchange
Selecting Manual Key Exchange requires you to manually enter keys for AH and/or ESP encryption and authentication. Click the Manual Key Settings button to configure the settings.

Manual Key Settings
Select Manual Key Exchange and click the Manual Key Settings button to open a screen where AH authentication and ESP encryption/authentication can be configured and keys entered.
NOTE: When entering Inbound or Outbound encryption or authentication keys, an error message could display stating the keys provided are “weak”. Some WEP attack tools invoke a dictionary to hack WEP keys based on commonly used words. To avoid entering a weak key, try not to produce a WEP key using commonly used terms and attempt to mix alphabetic and numerical key attributes when possible.
Inbound ESP Encryption Key
Enter a key for inbound traffic. The length of the key is determined by the selected encryption algorithm. The key must match the outbound key at the remote gateway.

Outbound ESP Encryption Key
Define a key for outbound traffic. The length of the key is determined by the selected encryption algorithm. The key must match the inbound key at the remote gateway.

ESP Authentication Algorithm
Select the authentication algorithm to use with ESP.
Configuring auto key settings

The Mobility 5181 Access Point’s Network Management System can automatically set encryption and authentication keys for VPN access. Use the Auto Key Settings screen to specify the type of encryption and authentication, without specifying the keys. To manually specify keys, cancel out of the Auto Key Settings screen, select the Manual Key Exchange radio button, and set the keys within the Manual Key Setting screen.
ESP Encryption Algorithm
Use this menu to select the encryption and authentication algorithms for this VPN tunnel.
DES - Selects the DES algorithm. No keys are required to be manually provided.
3DES - Selects the 3DES algorithm. No keys are required to be manually provided.
AES 128-bit - Selects the Advanced Encryption Standard algorithm with a 128-bit key. No keys are required to be manually provided.

ESP Authentication Algorithm
Operation Mode
The Phase I protocols of IKE are based on the ISAKMP identity-protection and aggressive exchanges. IKE main mode refers to the identity-protection exchange, and IKE aggressive mode refers to the aggressive exchange.
Main - Standard IKE mode for communication and key exchange.
Aggressive - Aggressive mode is faster, but less secure than Main mode. Identities are not encrypted unless public key encryption is used.
IKE Encryption Algorithm
Select the encryption and authentication algorithms for the VPN tunnel from the drop-down menu.
DES - Uses the DES encryption algorithm. No keys are required to be manually provided.
3DES - Enables the 3DES encryption algorithm. No keys are required to be manually provided.
AES 128-bit - Uses the Advanced Encryption Standard algorithm with a 128-bit key. No keys are required to be manually provided.
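The field descriptions above (matching inbound and outbound keys, key length set by the algorithm, the weak-key NOTE, the remote gateway address, IKE operation mode and the cipher choices) can be checked together across both ends of a tunnel. The following audit is an added example, not Brocade code or an access point export format; the dictionary keys, the hexadecimal key entry format, and the sample addresses and keys are assumptions constructed for illustration.

```python
import hmac

# Hex-character key lengths for the ESP ciphers named in the guide.
# Assumption: manual keys are entered as hexadecimal strings.
KEY_HEX_LEN = {"DES": 16, "3DES": 48, "AES 128-bit": 32}
LEGACY_CIPHERS = {"DES": "56-bit effective key", "3DES": "64-bit block size"}


def key_looks_weak(key):
    """Heuristic for the weak-key NOTE: a single character class or a repeated chunk."""
    k = key.lower()
    if k.isalpha() or k.isdigit():
        return True
    return any(len(k) % n == 0 and k == k[:n] * (len(k) // n) for n in (2, 4, 8))


def audit_tunnel(t):
    """Return findings for one gateway's definition of a tunnel."""
    findings = []
    if t["key_exchange"] == "manual":
        findings.append("manual key exchange: keys stay fixed until an administrator changes them")
        expected = KEY_HEX_LEN.get(t["esp_encryption"])
        for field in ("inbound_esp_key", "outbound_esp_key"):
            key = t[field]
            if expected is not None and len(key) != expected:
                findings.append(f"{field}: {len(key)} hex chars, {t['esp_encryption']} needs {expected}")
            if key_looks_weak(key):
                findings.append(f"{field}: weak key pattern")
    elif t.get("ike_mode") == "aggressive":
        findings.append("IKE aggressive mode: identities are not encrypted unless public key encryption is used")
    for field in ("esp_encryption", "ike_encryption"):
        alg = t.get(field)
        if alg in LEGACY_CIPHERS:
            findings.append(f"{field}={alg}: {LEGACY_CIPHERS[alg]}")
    return findings


def check_pair(a, b):
    """Cross-check the two ends of one tunnel against each other."""
    problems = []
    for here, there in ((a, b), (b, a)):
        # The remote gateway must be the WAN port address of the peer.
        if here["remote_gateway"] != there["wan_ip"]:
            problems.append(f"{here['name']}: remote gateway {here['remote_gateway']} "
                            f"is not {there['name']}'s WAN address {there['wan_ip']}")
        # Each inbound key must match the outbound key at the remote gateway.
        if here["key_exchange"] == there["key_exchange"] == "manual":
            if not hmac.compare_digest(here["inbound_esp_key"], there["outbound_esp_key"]):
                problems.append(f"{here['name']}: inbound ESP key differs from "
                                f"{there['name']}'s outbound key")
    if a["esp_encryption"] != b["esp_encryption"]:
        problems.append("ESP encryption algorithm differs between the two gateways")
    return problems


# Constructed sample data: two ends of a manually keyed tunnel, plus one IKE tunnel.
SITE_A = {
    "name": "site-a", "wan_ip": "192.0.2.10", "remote_gateway": "198.51.100.20",
    "key_exchange": "manual", "esp_encryption": "AES 128-bit",
    "inbound_esp_key": "3f9a1c7e5b2d8064a1e4c93b7d05f268",
    "outbound_esp_key": "ab12ab12ab12ab12ab12ab12ab12ab12",
}
SITE_B = {
    "name": "site-b", "wan_ip": "198.51.100.20", "remote_gateway": "192.0.2.11",
    "key_exchange": "manual", "esp_encryption": "AES 128-bit",
    "inbound_esp_key": "ab12ab12ab12ab12ab12ab12ab12ab12",
    "outbound_esp_key": "3f9a1c7e5b2d8064a1e4c93b7d05f269",
}
SITE_C = {
    "name": "site-c", "wan_ip": "203.0.113.5", "remote_gateway": "192.0.2.10",
    "key_exchange": "auto", "ike_mode": "aggressive",
    "ike_encryption": "DES", "esp_encryption": "3DES",
}

if __name__ == "__main__":
    for site in (SITE_A, SITE_B, SITE_C):
        for finding in audit_tunnel(site):
            print(f"[{site['name']}] {finding}")
    for problem in check_pair(SITE_A, SITE_B):
        print(f"[pair] {problem}")
```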
Outb SPI
The Outb SPI column displays the outbound Security Parameter Index (SPI) for each tunnel. The SPI is used locally by the Mobility 5181 Access Point to identify a security association. There are unique outbound and inbound SPIs.

Inb SPI
The Inb SPI column displays the inbound Security Parameter Index (SPI) for each of the tunnels. The SPI is used locally by the Mobility 5181 Access Point to identify a security association.
Configuring content filtering settings

1. Select Network Configuration -> WAN -> Content Filtering from the Mobility 5181 Access Point menu tree.
2. Configure the HTTP field to block Web proxies and URL extensions.

Block Outbound HTTP
HyperText Transport Protocol (HTTP) is the protocol used to transfer information to and from Web sites. HTTP Blocking allows for blocking of specific HTTP commands going outbound on the Mobility 5181 Access Point WAN port. HTTP blocks commands on port 80 only.
Block Outbound FTP Actions
File Transfer Protocol (FTP) is the Internet standard for host-to-host mail transport. FTP generally operates over TCP ports 20 and 21. FTP filtering allows the blocking of any or all outgoing FTP functions. Check the box next to the command to disable the command when using FTP across the Mobility 5181 Access Point’s WAN port.
Storing Files - Blocks the request to transfer files sent from the client across the AP’s WAN port to the FTP server.
Configuring rogue AP detection

CAUTION: Using an antenna other than the Dual-Band Antenna (Part No. ML-2452-APA2-01) could render the Mobility 5181 Access Point’s Rogue AP Detector Mode feature inoperable. Contact your Brocade sales associate for specific information.

To configure Rogue AP detection for the Mobility 5181 Access Point:
1. Select Network Configuration -> Wireless -> Rogue AP Detection from the Mobility 5181 Access Point menu tree.
2.
Del (Delete)
Click the Delete button to remove the highlighted line from the Rule Management field. The MAC and ESS address information previously defined is no longer applicable unless the previous configuration is restored.

Delete All
Click the Delete All button to remove all entries from the Rule Management field. All MAC and ESS address information previously defined is no longer applicable unless the previous configuration is restored.
5. Click the Add All to Allowed APs List button to move each of the APs displayed within the Rogue APs table to the list of allowed APs.
6. Highlight a rogue AP and click the Details button to display a screen with device and detection information specific to that rogue device. This information is helpful in determining if a rogue AP should be moved to the Allowed APs table.
Finder’s MAC
The MAC address of the access point detecting the rogue AP.

Detection Method
Displays the RF Scan by Client, RF On-Channel Detection or RF Scan by Detector Radio method selected from the Rogue AP screen to detect rogue devices.

First Heard (days:hrs:min)
Defines the time in (days:hrs:min) that the rogue AP was initially heard by the detecting AP.
Configuring user authentication

The access point can work with external Radius and LDAP Servers (AAA Servers) to provide user database information and user authentication.

Configuring the Radius server

The Radius Server screen enables an administrator to define data sources and specify authentication information for the Radius Server.

To configure the Radius Server:
1. Select System Configuration -> User Authentication -> Radius Server from the menu tree.
2.
EAP Type
Use the EAP Type checkboxes to enable the default EAP type(s) for the Radius server. Options include:
PEAP - Select the PEAP checkbox to enable both PEAP types (GTC and MSCHAP-V2) available to the access point. PEAP uses a TLS layer on top of EAP as a carrier for other EAP modules. PEAP is an ideal choice for networks using legacy EAP authentication methods.
CAUTION: If you have imported a Server or CA certificate, the certificate will not be saved when updating the access point’s firmware. Export your certificates before upgrading the access point’s firmware. From the access point CLI, use the admin(system.cmgr)> expcert command to export the certificate to a secure location.
NOTE: The LDAP screen displays with unfamiliar alphanumeric characters (if new to LDAP configuration). Brocade recommends only qualified administrators change the default values within the LDAP screen.

2. Enter the appropriate information within the LDAP Configuration field to allow the access point to interoperate with the LDAP server. Consult with your LDAP server administrator for details on how to define the values in this screen.
CAUTION: If using a proxy server for Radius authentication, the Data Source field within the Radius server screen must be set to Local. If set to LDAP, the proxy server will not be successful when performing the authentication. To verify the existing settings, see “Configuring the Radius server” on page 167.
Managing the local user database

Use the User Database screen to create groups for use with the Radius server. The database of groups is employed if Local is selected as the Data Source from the Radius Server screen. For information on selecting Local as the Data Source, see “Configuring the Radius server” on page 167.

To add groups to the User database:

NOTE: Each group can be configured to have its own access policy using the Access Policy screen.
2. Refer to the Users field and select the List of Groups column for the particular user you wish to map to one or more groups. The Users Group Setting screen displays with the groups available for user inclusion displayed within the Available column.
3. To add the user to a group, select the group in the Available list (on the right) and click the <-Add button. Assigned users will display within the Assigned table.
Groups
The Groups field displays the names of those existing groups that can have access intervals applied to them. Click the Edit button to display a screen designed to create access intervals for specific days and hours. A mechanism also exists for mapping specific WLANs to these intervals.

Time of Access
The Time of Access field displays the days of the week and the hours defined for group access to access point resources.
NOTE: Groups have a strict start and end time (as defined using the Edit Access Policy screen). Only during this period of time can authentication requests from users be honored (with no overlaps). Any authentication request outside of this defined interval is denied regardless of whether a user’s credentials match or not.

5. Refer to the WLANs field to select existing WLANs to apply to the selected group’s set of access permissions.
Chapter 7
Monitoring Statistics

In this chapter
• Viewing WAN statistics
• Viewing LAN statistics
• Viewing wireless statistics
• Viewing radio statistics summary
• Viewing client statistics summary
Viewing WAN statistics

Status
The Status field displays Enabled if the WAN interface is enabled on the WAN screen. If the WAN interface is disabled on the WAN screen, the WAN Stats screen displays no connection information and statistics. To enable the WAN connection, see “Configuring WAN settings” on page 101.

HW Address
The Media Access Control (MAC) address of the Mobility 5181 Access Point WAN port. The WAN port MAC address is hard coded at the factory and cannot be changed.
RX Overruns
RX overruns are buffer overruns on the WAN connection. RX overruns occur when packets are received faster than the WAN port can handle them. If RX overruns are excessive, consider reducing the data rate. For more information, see “Configuring the 802.11a or 802.11b/g radio” on page 121.

RX Frame
The RX Frame field displays the number of TCP/IP data frame errors received.

4.
Viewing LAN statistics

Use the LAN Stats screen to monitor the activity of the Mobility 5181 Access Point’s LAN1 or LAN2 connection. The Information field of the LAN Stats screen displays network traffic information as monitored over the Mobility 5181 Access Point LAN1 or LAN2 port.
RX Packets
RX packets are data packets received over the Mobility 5181 Access Point LAN port. The number is a cumulative total since the LAN connection was last enabled or the Mobility 5181 Access Point was last restarted. To begin a new data collection, see “Configuring system settings” on page 45.

RX Bytes
RX bytes are bytes of information received over the LAN port.
5. Click the Clear LAN Stats button to reset each of the data collection counters to zero in order to begin new data collections. The RX/TX Packets and RX/TX Bytes totals remain at their present values and are not cleared.
6. Click the Logout button to securely exit the Access Point applet. There will be a prompt confirming logout before the applet is closed.

Viewing STP statistics for a LAN

Each access point LAN has the ability to track its own unique STP statistics.
Bridge Hello Time
The Bridge Hello Time is the time between each bridge protocol data unit sent. This time is equal to 2 seconds (sec) by default, but can be tuned between 1 and 10 sec. For information on setting the Bridge Hello Time, see “Setting the LAN configuration for mesh networking support” on page 363. The 802.1d specification recommends the Hello Time be set to a value less than half of the Max Message age value.
Viewing wireless statistics

If a WLAN is not displayed within the Wireless Statistics Summary screen, see “Enabling wireless LANs (WLANs)” on page 106 to enable the WLAN. For information on configuring the properties of individual WLANs, see “Creating/editing individual WLANs” on page 107.

To view Mobility 5181 Access Point WLAN Statistics:
1. Select Status and Statistics -> Wireless Stats from the Mobility 5181 Access Point menu tree.
2.
4. Click the Clear RF Stats button to reset each of the data collection counters to zero in order to begin new data collections.
5. Click the Logout button to securely exit the access point applet. A prompt displays confirming the logout before the applet is closed.

Viewing WLAN statistics

Use the WLAN Stats screen to view detailed statistics for individual WLANs. The WLAN Stats screen is separated into four fields: Information, Traffic, RF Status, and Errors.
Pkts per second
The Total column displays the average total packets per second crossing the selected WLAN. The Rx column displays the average total packets per second received on the selected WLAN. The Tx column displays the average total packets per second sent on the selected WLAN. The number in black represents this statistic for the last 30 seconds and the number in blue represents this statistic for the last hour.
Avg Num of Retries
Displays the average number of retries for all Clients associated with the selected WLAN. The number in black represents average retries for the last 30 seconds and the number in blue represents average retries for the last hour.

Dropped Packets
Displays the percentage of packets which the AP gave up on for all Clients associated with the selected WLAN.
Viewing radio statistics summary

% NU
Displays the percentage of the total packets that are non-unicast. Non-unicast packets include broadcast and multicast packets.

Retries
Displays the average number of retries per packet on each radio. A high number could indicate network or hardware problems.

3. Click the Clear All Radio Stats button to reset each of the data collection counters to zero in order to begin new data collections.
Current Channel
Indicates the channel for communications between the Mobility 5181 Access Point radio and its associated Clients. To change the channel setting, see “Configuring the 802.11a or 802.11b/g radio” on page 121.

Num Associated Clients
Lists the number of wireless clients currently associated with the Mobility 5181 Access Point 802.11a or 802.11b/g radio.

3.
Avg Client Noise
Displays the average RF noise for all Clients associated with the Mobility 5181 Access Point radio. The number in black represents Client noise for the last 30 seconds and the number in blue represents Client noise for the last hour. If Client noise is excessive, consider moving the Client closer to the Mobility 5181 Access Point, or to an area with less conflicting network traffic.
3. Click Undo Changes (if necessary) to undo any changes made to the screen. Undo Changes reverts the settings to the last saved configuration.
4. Click Logout to securely exit the Access Point applet. A prompt displays confirming the logout before the applet is closed.

Viewing client statistics summary

Use the Client Stats Summary screen to display overview statistics for wireless clients associated with the Mobility 5181 Access Point.
For information on individual Client authentication statistics, see “Client authentication statistics” on page 195.

6. Click the Client Details button to display a screen with detailed statistics for a selected Client. For detailed information on individual Client authentication statistics, see “Viewing client details” on page 192.
7. Click the Clear All Client Stats button to reset each of the data collection counters to zero in order to begin new data collections.
5. Refer to the Traffic field to view individual Client RF throughput information.

Packets per second
The Total column displays average total packets per second crossing the Client. The Rx column displays the average total packets per second received on the Client. The Tx column displays the average total packets per second sent on the Client.
Avg Num of Retries
Displays the average number of retries for the Client. The number in black represents average retries for the last 30 seconds and the number in blue represents average retries for the last hour.

Dropped Packets
Displays the percentage of packets the AP gave up on as not received for the selected Client.
Client authentication statistics

The Mobility 5181 Access Point can access and display authentication statistics for individual Clients.

To view Mobility 5181 Access Point authentication statistics for a specific Client:
1. Select Status and Statistics -> Client Stats from the Mobility 5181 Access Point menu tree.
2. Highlight a target Client from within the Client List field.
3.
4. Click the Logout button to securely exit the Access Point applet. A prompt displays confirming the logout before the applet is closed.

Viewing known access point statistics

The Mobility 5181 Access Point has the capability of detecting and displaying the properties of other Brocade access points located within its coverage area. Detected Mobility 5181 Access Points transmit a WNMP message indicating their channel, IP address, firmware version, etc.
CAUTION: When using the Send Cfg to APs function to migrate an access point’s configuration to other access points, it is important to keep in mind mesh network configuration parameters do not get completely sent to other access points. The Send Cfg to APs function will not send the “auto-select” and “preferred list” settings. Additionally, LAN1 and LAN2 IP mode settings will only be sent if the sender’s AP mode is DHCP or BOOTP.
Chapter 8
CLI Reference

In this chapter
• Connecting to the CLI
• Admin and Common Commands
• Network Commands
• System Commands
• Statistics Commands
Accessing the CLI via Telnet

To connect to the Mobility 5181 Access Point CLI through a Telnet connection:
1. If this is your first time connecting to your access point, keep in mind the access point uses a static IP WAN address (10.1.1.1). Additionally, the access point’s LAN port is set as a DHCP client.
2. Enter the default username of admin and the default password of admin123.
Admin and Common Commands

?                       : display command help - Eg. ?, show ?, s?
* Restriction of “?”    : “?” after a function argument is treated as an argument
                        : Eg. admin set lan enable?
                        : (Here “?” is an invalid extra argument, because it is after the argument “enable”)
                        : go backwards in command history
                        : go forwards in command history
* Note                  : 1) commands can be incomplete - Eg. sh = sho = show
                        : 2) “//” introduces a comment and gets no resposne from CLI.
Example

admin>summary

BR5181 firmware version    2.3.2.0-xxx
country code               us
ap-mode                    independent
serial number              00A0F8716A74

WLAN 1:
WLAN Name                  WLAN1
ESS ID                     101
Radio                      11a, 11b/g
VLAN                       VLAN1
Security Policy            Default
QoS Policy                 Default

LAN1 Name: LAN1
LAN1 Mode: enable
LAN1 IP: 0.0.0.0
LAN1 Mask: 0.0.0.0
LAN1 DHCP Mode: server

LAN2 Name: LAN2
LAN2 Mode: enable
LAN2 IP: 192.235.1.1
LAN2 Mask: 255.255.255.
This command appears in all of the submenus under admin. In each case, it has the same function, to move up to the top level in the directory structure.

Example
admin(network.lan)>/
admin>

BR5181>admin>save

Description
Saves the configuration to system flash. The save command appears in all of the submenus under admin. In each case, it has the same function, to save the current configuration.

Syntax
save        Saves configuration settings.
Network Commands

BR5181>admin(network)>

Description
Displays the network submenu. The items available under this command are shown below.

lan         Goes to the LAN submenu.
wan         Goes to the WAN submenu.
wireless    Goes to the Wireless Configuration submenu.
firewall    Goes to the firewall submenu.
router      Goes to the router submenu.
ipfilter    Goes to the IP Filtering submenu.
..          Goes to the parent menu.
/           Goes to the root menu.
Network LAN Commands

BR5181>admin(network.lan)>

Description
Displays the LAN submenu. The items available under this command are shown below.

show            Shows current Mobility 5181 Access Point LAN parameters.
set             Sets LAN parameters.
bridge          Goes to the mesh configuration submenu.
wlan-mapping    Goes to the WLAN/Lan/Vlan Mapping submenu.
dhcp            Goes to the LAN DHCP submenu.
type-filter     Goes to the Ethernet Type Filter submenu.
ipfpolicy       Goes to the LAN IP Filtering Policy submenu.
.
** LAN1 Information **
LAN Name                : LAN1
LAN Interface           : enable
802.11q Trunking        : disable

LAN IP mode             :
IP Address              :
Network Mask            :
Default Gateway         :
Domain Name             :
Primary DNS Server      :
Secondary DNS Server    :
WINS Server             :

** LAN2 Information **
LAN Name                : LAN2
LAN Interface           : disable
802.11q Trunking        : disable

LAN IP mode             :
IP Address              :
Network Mask            :
Default Gateway         :
Domain Name             :
Primary DNS Server      :
Secondary DNS Server    :
WINS Server             :

DHCP client 192.168.0.1 255.255.255.
duplex      Defines the access point LAN port duplex as either half or full.
username    Specifies the user name for 802.1x port authentication over the LAN interface.
passwd      The 0-32 character password for the username for the 802.1x port.
ip-mode     Defines the Mobility 5181 Access Point LAN port IP mode.
ipadr       Sets the IP address used by the LAN port.
mask        Defines the IP address used for Mobility 5181 Access Point LAN port network mask.
Network LAN, Bridge Commands

BR5181>admin(network.lan.bridge)>

Description
Displays the Mobility 5181 Access Point Bridge submenu.

show        Displays the mesh configuration parameters for the Mobility 5181 Access Point’s LANs.
set         Sets the mesh configuration parameters for the Mobility 5181 Access Point’s LANs.
..          Moves to the parent menu.
/           Goes to the root menu.
save        Saves the configuration to system flash.
quit        Quits the CLI and exits the session.
BR5181>admin(network.lan.bridge)> set

Description
Sets the mesh configuration parameters for the Mobility 5181 Access Point’s LANs.

Syntax
set    priority    Sets bridge priority time in seconds (0-65535) for specified LAN.
       hello       Sets bridge hello time in seconds (0-10) for specified LAN.
       msgage      Sets bridge message age time in seconds (6-40) for specified LAN.
Network LAN, WLAN-Mapping Commands

BR5181>admin(network.lan.wlan-mapping)>

Description
Displays the WLAN/Lan/Vlan Mapping submenu.

show          Displays the VLAN list currently defined for the Mobility 5181 Access Point.
set           Sets the Mobility 5181 Access Point VLAN configuration.
create        Creates a new Mobility 5181 Access Point VLAN.
edit          Edits the properties of an existing Mobility 5181 Access Point VLAN.
delete        Deletes a VLAN.
1    1    VLAN_1
2    2    VLAN_2
3    3    VLAN_3
4    4    VLAN_4

admin(network.lan.wlan-mapping)>show vlan-cfg

Management VLAN Tag   :1
Native VLAN Tag       :2
WLAN                  :WLAN1
mapped to VLAN        :VLAN 2
VLAN Mode             :static

admin(network.lan.wlan-mapping)>show lan-wlan

WLANs on LAN1:
:WLAN1
:WLAN2
:WLAN3
WLANs on LAN2:

admin(network.lan.
WLAN                  :WLAN1
mapped to VLAN        :VLAN 2
VLAN Mode             :static

For information on configuring VLANs using the applet (GUI), see “Configuring VLAN support” on page 95.

BR5181>admin(network.lan.wlan-mapping)> create

Description
Creates a VLAN for the Mobility 5181 Access Point.

Syntax
create
  vlan-id     Defines the VLAN ID (1-4095).
  vlan-name   Specifies the name of the VLAN (1-31 characters in length).

Example
admin(network.lan.wlan-mapping)>
admin(network.lan.
Syntax
delete
  <VLAN id>   Deletes a specific VLAN ID (1-16).
  all         Deletes all defined VLANs.

For information on deleting VLANs using the applet (GUI), see “Configuring VLAN support” on page 95.

BR5181>admin(network.lan.wlan-mapping)> lan-map

Description
Maps a Mobility 5181 Access Point VLAN to a WLAN.

Syntax
lan-map       Defines enabled LAN name.
Network LAN, DHCP Commands

BR5181>admin(network.lan.dhcp)>

Description
Displays the Mobility 5181 Access Point DHCP submenu. The items available are displayed below.

show          Displays DHCP parameters.
set           Sets DHCP parameters.
add           Adds static DHCP address assignments.
delete        Deletes static DHCP address assignments.
list          Lists static DHCP address assignments.
..            Goes to the parent menu.
/             Goes to the root menu.
save          Saves the configuration to system flash.
BR5181>admin(network.lan.dhcp)> set

Description
Sets DHCP parameters for the LAN port.

Syntax
set
  range       Sets the DHCP assignment range from IP address to IP address for the specified LAN.
  lease       Sets the DHCP lease time in seconds (1-999999) for the specified LAN.

Example
admin(network.lan.dhcp)>set range 1 192.168.0.100 192.168.0.254
admin(network.lan.dhcp)>set lease 1 86400
admin(network.lan.
BR5181>admin(network.lan.dhcp)> delete

Description
Deletes static DHCP address assignments.

Syntax
delete        Deletes the static DHCP address entry for the specified LAN (1-LAN1, 2-LAN2) and DHCP entry index (1-30).
  all         Deletes all static DHCP addresses.

Example
admin(network.lan.
Example
admin(network.lan.dhcp)>list 1
-----------------------------------------------------------------------------
Index   MAC Address     IP Address
-----------------------------------------------------------------------------
1       00A0F8112233    10.1.2.4
2       00A0F8102030    10.10.1.2
3       00A0F8112234    10.1.2.3
4       00A0F8112235    192.160.24.6
5       00A0F8112236    192.169.24.7

admin(network.lan.
Network Type Filter Commands

BR5181>admin(network.lan.type-filter)>

Description
Displays the Mobility 5181 Access Point Type Filter submenu. The items available under this command include:

show          Displays the current Ethernet Type exception list.
set           Defines Ethernet Type Filter parameters.
add           Adds an Ethernet Type Filter entry.
delete        Removes an Ethernet Type Filter entry.
..            Goes to the parent menu.
/             Goes to the root menu.
save          Saves the configuration to system flash.
Syntax
set
  mode allow/deny   Allows or denies the Mobility 5181 Access Point from processing a specified Ethernet data type for the specified LAN.

Example
admin(network.lan.type-filter)>set mode 1 allow

For information on configuring the type filter settings using the applet (GUI), see “Setting the type filter configuration” on page 100.

BR5181>admin(network.lan.type-filter)> add

Description
Adds an Ethernet Type Filter entry.
Example
admin(network.lan.type-filter)>delete 1 1
admin(network.lan.type-filter)>show 1

Ethernet Type Filter mode : allow
-----------------------------------------------------------------------------
index   ethernet type
-----------------------------------------------------------------------------
1       0806
2       0800
3       8782

admin(network.lan.type-filter)>delete 2 all
admin(network.lan.
Network WAN Commands

BR5181>admin(network.wan)>

Description
Displays the WAN submenu. The items available under this command are shown below.

show          Displays the Mobility 5181 Access Point WAN configuration and the Mobility 5181 Access Point’s current PPPoE configuration.
set           Defines the Mobility 5181 Access Point’s WAN and PPPoE configuration.
nat           Displays the NAT submenu, wherein Network Address Translations (NAT) can be defined.
Speed                       : 100M
Duplex                      : full

WAN IP 2                    : disable
WAN IP 3                    : disable
WAN IP 4                    : disable
WAN IP 5                    : disable
WAN IP 6                    : disable
WAN IP 7                    : disable
WAN IP 8                    : disable

PPPoE Mode                  : enable
PPPoE User Name             : JohnDoe
PPPoE Password              : *******
PPPoE keepalive mode        : enable
PPPoE Idle Time             : 600
PPPoE Authentication Type   : chap
PPPoE State                 :

admin(network.wan)>

For an overview of the WAN configuration options available using the applet (GUI), see “Configuring WAN settings” on page 101.
pppoe
  mode enable/disable   Enables or disables PPPoE.
  user                  Sets PPPoE user name.
  passwd                Defines the PPPoE password.
  ka enable/disable     Enables or disables PPPoE keepalive.
  idle
Network WAN NAT Commands

BR5181>admin(network.wan.nat)>

Description
Displays the NAT submenu. The items available under this command are shown below.

show          Displays the Mobility 5181 Access Point’s current NAT parameters for the specified index.
set           Defines the Mobility 5181 Access Point NAT settings.
add           Adds NAT entries.
delete        Deletes NAT entries.
list          Lists NAT entries.
..            Goes to the parent menu.
/             Goes to the root menu.
save          Saves the configuration to system flash.
one to many nat mapping
-----------------------------------------------------------------------------
LAN No.   WAN IP
-----------------------------------------------------------------------------
1         157.235.91.2
2         157.235.91.2

admin(network.wan.nat)>

For an overview of the NAT options available using the applet (GUI), see “Configuring Network Address Translation (NAT) settings” on page 103.

BR5181>admin(network.wan.nat)> set

Description
Sets NAT inbound and outbound parameters.
1         157.235.91.2
2         10.1.1.1

For an overview of the NAT options available using the applet (GUI), see “Configuring Network Address Translation (NAT) settings” on page 103.

BR5181>admin(network.wan.nat)> add

Description
Adds NAT entries.
Syntax
delete        Deletes a specified NAT index entry associated with the WAN.
  all         Deletes all NAT entries associated with the WAN.

Example
admin(network.wan.nat)>list 1
-----------------------------------------------------------------------------
index  name     prot  start port  end port  internal ip    translation port
-----------------------------------------------------------------------------
1      special  tcp   20          21        192.168.42.16  21

admin(network.wan.
1      special  tcp   20          21        192.168.42.16  21

Related Commands
delete        Deletes inbound NAT entries from the list.
add           Adds entries to the list of inbound NAT entries.

For an overview of the NAT options available using the applet (GUI), see “Configuring Network Address Translation (NAT) settings” on page 103.
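An added example (not from the Brocade guide): a Python check that parses inbound NAT `list` output in the column layout shown above and flags forwards that expose cleartext services, cover wide port ranges, or point outside the expected LAN. Row 1 is the guide's sample; rows 2-4, the LAN subnet, the cleartext-service table and the 16-port threshold are constructed assumptions, as is reading start/end as the WAN-side range and the translation port as the internal port.

```python
import ipaddress
import re
from dataclasses import dataclass

# Columns as printed by `list` in this guide:
# index  name  prot  start port  end port  internal ip  translation port
ROW = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+"
    r"(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s*$"
)

# Reviewer-chosen list of cleartext services (assumption, not from the guide).
CLEARTEXT = {
    ("tcp", 20): "FTP data",
    ("tcp", 21): "FTP control",
    ("tcp", 23): "Telnet",
    ("udp", 69): "TFTP",
    ("udp", 161): "SNMP",
}


@dataclass(frozen=True)
class InboundNat:
    index: int
    name: str
    prot: str
    start: int
    end: int
    internal_ip: ipaddress.IPv4Address
    translation_port: int


def parse_list_output(text):
    """Return the NAT rows found in captured `list` output.

    Prompts, rule lines and the column header do not match ROW and are
    skipped; a row with a malformed IPv4 address raises ValueError.
    """
    entries = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        idx, name, prot, start, end, ip, xlat = m.groups()
        entries.append(InboundNat(int(idx), name, prot.lower(), int(start),
                                  int(end), ipaddress.IPv4Address(ip), int(xlat)))
    return entries


def audit(entries, lan_subnet, max_span=16):
    """Return (index, message) findings for forwards that need review."""
    net = ipaddress.ip_network(lan_subnet)
    findings = []
    for e in entries:
        ports_ok = (1 <= e.start <= e.end <= 65535
                    and 1 <= e.translation_port <= 65535)
        if not ports_ok:
            findings.append((e.index, "invalid port range"))
            continue
        # A forward is risky if a cleartext port is in the exposed range
        # or is the port the traffic is translated to.
        hits = sorted({svc for (prot, port), svc in CLEARTEXT.items()
                       if prot == e.prot
                       and (e.start <= port <= e.end
                            or port == e.translation_port)})
        for svc in hits:
            findings.append((e.index, f"forwards cleartext service: {svc}"))
        span = e.end - e.start + 1
        if span > max_span:
            findings.append((e.index, f"wide range: {span} ports"))
        if e.internal_ip not in net:
            findings.append((e.index,
                             f"internal ip {e.internal_ip} outside {net}"))
    return findings


# Row 1 is the sample from the guide; rows 2-4 are constructed.
SAMPLE = """\
admin(network.wan.nat)>list 1
-----------------------------------------------------------------------------
index name prot start port end port internal ip translation port
-----------------------------------------------------------------------------
1 special tcp 20 21 192.168.42.16 21
2 web tcp 8443 8443 192.168.42.20 443
3 legacy tcp 2000 2999 192.168.42.30 23
4 cam udp 5000 5000 10.9.9.9 5000
"""

if __name__ == "__main__":
    for index, message in audit(parse_list_output(SAMPLE), "192.168.42.0/24"):
        print(f"entry {index}: {message}")
```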
Network WAN, VPN Commands

BR5181>admin(network.wan.vpn)>

Description
Displays the VPN submenu. The items available under this command include:

add           Adds VPN tunnel entries.
set           Sets key exchange parameters.
delete        Deletes VPN tunnel entries.
list          Lists VPN tunnel entries.
reset         Resets all VPN tunnels.
stats         Lists security association status for the VPN tunnels.
ikestate      Displays an Internet Key Exchange (IKE) summary.
..            Goes to the parent menu.
/             Goes to the root menu.
For information on configuring VPN using the applet (GUI), see “Configuring VPN tunnels” on page 151.

BR5181>admin(network.wan.vpn)> set

Description
Sets VPN entry parameters.

Syntax
set
  type        Sets the tunnel type to Auto or Manual for the specified tunnel name.
  authalgo    Sets the authentication algorithm for to (None, MD5, or SHA1).
  salife
  ike
    opmode      Sets the Operation Mode of IKE for to Main or Aggr(essive).
    myidtype    Sets the Local ID type for IKE authentication for (1 to 13 characters) to (IP, FQDN, or UFQDN).
    remidtype   Sets the Remote ID type for IKE authentication for (1 to 13 characters) to (IP, FQDN, or UFQDN).
BR5181>admin(network.wan.vpn)> delete

Description
Deletes VPN tunnel entries.

Syntax
delete
  all         Deletes all VPN entries.
              Deletes VPN entries by supplied name.

Example
admin(network.wan.vpn)>list
--------------------------------------------------------------------------
Tunnel Name    Type     Remote IP/Mask    Remote Gateway   Local WAN IP
--------------------------------------------------------------------------
Eng2EngAnnex   Manual   192.168.32.2/24   192.168.33.1     192.168.24.
--------------------------------------------------------------------------
Name                      : SJSharkey
Local Subnet              : 1
Tunnel Type               : Manual
Remote IP                 : 206.107.22.45
Remote IP Mask            : 255.255.255.224
Remote Security Gateway   : 206.107.22.2
Local Security Gateway    : 209.239.160.
-----------------------------------------------------------------------------
Eng2EngAnnex   Not Active
SJSharkey      Not Active

For information on displaying VPN information using the applet (GUI), see “Viewing VPN status” on page 159.

BR5181>admin(network.wan.vpn)> ikestate

Description
Displays statistics for all active tunnels using Internet Key Exchange (IKE).

Syntax
ikestate      Displays status about Internet Key Exchange (IKE) for all tunnels.
BR5181>admin(network.wan.content)> addcmd

Description
Adds control commands to block outbound traffic.

Syntax
addcmd
  web         Adds WEB commands to block outbound traffic.
  proxy       Adds a Web proxy command.
  activex     Adds activex files.
  file        Adds Web URL extensions (10 files maximum).
  smtp        Adds SMTP commands to block outbound traffic.
BR5181>admin(network.wan.content)> delcmd

Description
Deletes control commands to block outbound traffic.

Syntax
delcmd
  web         Deletes WEB commands to block outbound traffic.
  proxy       Deletes a Web proxy command.
  activex     Deletes activex files.
  file        Deletes Web URL extensions (10 files maximum).
  smtp        Deletes SMTP commands to block outbound traffic.
BR5181>admin(network.wan.content)> list

Description
Lists application control commands.

Syntax
list
  web         Lists WEB application control record.
  smtp        Lists SMTP application control record.
  ftp         Lists FTP application control record.

Example
admin(network.wan.content)>list web

HTTP Files/Commands
Web Proxy     : deny
ActiveX       : allow
filename      :

admin(network.wan.
Network WAN, Dynamic DNS Commands

BR5181>admin(network.wan.dyndns)>

Description
Displays the Dynamic DNS submenu. The items available under this command include:

set           Sets Dynamic DNS parameters.
update        Sets key exchange parameters.
show          Shows the Dynamic DNS configuration.
..            Goes to the parent menu.
/             Goes to the root menu.
save          Saves the configuration to system flash.
quit          Quits the CLI.
Syntax
update        Updates the access point’s current WAN IP address with the DynDNS service (when DynDNS is enabled).

Example
admin(network.wan.dyndns)>update

IP Address    : 157.235.91.231
Hostname      : greengiant

For an overview of the Dynamic DNS options available using the applet (GUI), see “Configuring dynamic DNS” on page 105.

BR5181>admin(network.wan.dyndns)> show

Description
Shows the current Dynamic DNS configuration.
Network Wireless Commands

BR5181>admin(network.wireless)

Description
Displays the Mobility 5181 Access Point wireless submenu. The items available under this command include:

wlan          Displays the WLAN submenu used to create and configure up to 16 WLANs per Mobility 5181 Access Point.
security      Displays the security submenu used to create encryption and authentication based security policies for use with Mobility 5181 Access Point WLANs.
Network WLAN Commands

BR5181>admin(network.wireless.wlan)>

Description
Displays the Mobility 5181 Access Point wireless LAN (WLAN) submenu. The items available under this command include:

show          Displays the Mobility 5181 Access Point’s current WLAN configuration.
create        Defines the parameters of a new WLAN.
edit          Modifies the properties of an existing WLAN.
delete        Deletes an existing WLAN.
hotspot       Displays the WLAN hotspot menu.
ESS Identifier   : 101
WLAN Name        : Lobby
802.11a Radio    : available
802.
no-Client-Client   Enables or disables blocking of communication between Clients associated with the same WLAN.
sbeacon            Enables or disables the BR5181 from transmitting the ESSID in the beacon.
bcast              Enables or disables the Mobility 5181 Access Point from accepting broadcast IDs from Clients. Broadcast IDs are transmitted without security.
qos                Defines the index name representing the QoS policy used with this WLAN.
3 Video Video Dept

The CLI treats the following as invalid characters, thus they should not be used in the creation of an ESSID (or other): -> space < > | " & , \ ?

For information on creating a WLAN using the applet (GUI), see “Creating/editing individual WLANs” on page 107.

BR5181>admin(network.wireless.wlan)> edit

Description
Edits the properties of an existing WLAN policy.

Syntax
edit          Edits the sequence number (index) in the WLAN summary.
white-list    Goes to the hotspot white-list menu.
save          Saves the configuration to system flash.
quit          Quits the CLI.
..            Goes to the parent menu.
/             Goes to the root menu.

For information on configuring the Hotspot options available to the access point using the applet (GUI), see “Configuring WLAN hotspot support” on page 114.

BR5181>admin(network.wireless.wlan.hotspot)> show

Description
Displays the current Mobility 5181 Access Point Rogue AP detection configuration.
For information on configuring the Hotspot options available to the access point using the applet (GUI), see “Configuring WLAN hotspot support” on page 114.

BR5181>admin(network.wireless.wlan.hotspot)> redirection

Description
Goes to the hotspot redirection menu.

Syntax
redirection
  set         Sets the hotspot http-re-direction by index (1-16) for the specified URL.
BR5181>admin(network.wireless.wlan.hotspot.radius)> set

Description
Sets the Radius hotspot configuration.

Syntax
set
  server      Sets the Radius hotspot server IP address per wlan index (1-16).
  port        Sets the Radius hotspot server port per wlan index (1-16).
  secret      Sets the Radius hotspot server shared secret password.
BR5181>admin(network.wireless.wlan.hotspot.radius)> show

Description
Shows Radius hotspot server details.

Syntax
show
  radius      Displays Radius hotspot server details per index (1-16).

Example
admin(network.wireless.wlan.hotspot.radius)>show radius 1

WLAN 1
Hotspot Mode              : enable
Primary Server Ip adr     : 157.235.12.12
Primary Server Port       : 1812
Primary Server Secret     : ******
Secondary Server Ip adr   : 0.0.0.
WLAN 1
Hotspot Mode disable
WhiteList Rules
-------------------------------------------------------------------------------
Idx   IP Address
-------------------------------------------------------------------------------
1     157.235.21.21

For information on configuring the Hotspot options available to the access point using the applet (GUI), see “Configuring WLAN hotspot support” on page 114.
Network Security Commands

BR5181>admin(network.wireless.security)>

Description
Displays the Mobility 5181 Access Point wireless security submenu. The items available under this command include:

show          Displays the Mobility 5181 Access Point’s current security configuration.
set           Sets security parameters.
create        Defines the parameters of a security policy.
edit          Edits the properties of an existing security policy.
delete        Removes a specific security policy.
..
admin(network.wireless.security)>show policy 1

Policy Name       : Default
Authentication    : Manual Pre-shared key/No Authentication
Encryption type   : no encryption

Related Commands
create        Defines security parameters for the specified WLAN.

For information on displaying existing WLAN security settings using the applet (GUI), see “Only a qualified installation professional should set or restore the access point’s radio and power management configuration in the event of a password reset.
  server      Sets the Kerberos server (1-primary, 2-backup, or 3-remote) to KDC IP address.
  port        Sets the Kerberos port to (KDC port) for server (1-primary, 2-backup, or 3-remote).

Note: EAP parameters are only in effect if "eap" is specified for the authentication method (set auth ).

eap
  server      Sets the radius server (1-primary or 2-secondary) IP address.
adv
  secret      Set external Radius server shared secret password.
  timeout     Defines Client timeout period in seconds (1-255).
  retry       Sets the maximum number of Client retries to (1-10).
  syslog      Enable or disable syslog messages.
  ip          Defines syslog server IP address.
  Client-quiet
Note: The WEP authentication mechanism saves up to four different keys (one for each WLAN). It is not a requirement to set all keys, but you must associate a WLAN with the same keys.

enc           Sets the encryption type to (one of none, wep40, wep104, keyguard, tkip, or ccmp) for WLAN .
              The passkey used as a text abbreviation for the entire key length (4-32).
ccmp
  allow-wpa2-tkip     Enables or disables the interoperation with wpa2-tkip clients.
  preauth             Enables or disables preauthentication (fast roaming).
  type                Sets the TKIP key type.
  key <256 bit key>   Sets the TKIP key to <256 bit key>.
  phrase              Sets the TKIP ASCII pass phrase to (8-63 characters).
  rotate-mode         Enables or disables the broadcast key.
For information on configuring the encryption and authentication options available to the access point using the applet (GUI), see “Configuring security options” on page 132.

BR5181>admin(network.wireless.security.edit)>

Description
Edits the properties of a specific security policy.

Syntax
show          Displays the new or modified security policy parameters.
set           Edits security policy parameters.
change        Completes policy changes and exits the session.
..
Network ACL Commands

BR5181>admin(network.wireless.acl)>

Description
Displays the Mobility 5181 Access Point Mobile Unit Access Control List (ACL) submenu. The items available under this command include:

show          Displays the Mobility 5181 Access Point’s current ACL configuration.
create        Creates a Client ACL policy.
edit          Edits the properties of an existing Client ACL policy.
delete        Removes a Client ACL policy.
..            Goes to the parent menu.
/             Goes to the root menu.
For information on configuring the ACL options available to the access point using the applet (GUI), see “Configuring a WLAN Access Control List (ACL)” on page 110.

BR5181>admin(network.wireless.acl)> create

Description
Creates a Client ACL policy.

Syntax
create
  show        Displays the parameters of a new ACL policy.
  set
    acl-name
    mode      Sets the ACL mode for the defined index (1-16). Allowed Clients can access the Mobility 5181 Access Point managed LAN.
Syntax
show          Displays Client ACL policy and its parameters.
set           Modifies the properties of an existing Client ACL policy.
add-addr      Adds a Client ACL table entry.
delete        Deletes a Client ACL table entry, including starting and ending MAC address ranges.
change        Completes the changes made and exits the session.
..            Cancels the changes made and exits the session.
Network Radio Configuration Commands

BR5181>admin(network.wireless.radio)>

Description
Displays the Mobility 5181 Access Point Radio submenu. The items available under this command include:

show          Summarizes Mobility 5181 Access Point radio parameters at a high-level.
set           Defines the access point radio configuration.
radio1        Displays the 802.11b/g radio submenu.
radio2        Displays the 802.11a radio submenu.
..            Goes to the parent menu.
/             Goes to the root menu.
RF Band of Operation      : 802.11a (5 GHz)
RF Function               : WLAN

Wireless Mesh Configuration:
Base Bridge Mode          : enable
Max Wireless AP Clients   : 5
Client Bridge Mode        : disable
Client Bridge WLAN        : WLAN1
Mesh Connection Timeout   : enable

Dot11 Auth Algorithm      : open-system-only

For information on configuring the Radio Configuration options available to the access point using the applet (GUI), see “Setting the WLAN’s radio configuration” on page 118.

BR5181>admin(network.wireless.
Radio 1 Name              : Radio 1
Radio Mode                : enable
RF Band of Operation      : 802.11b/g (2.4 GHz)

Wireless AP Configuration:
Base Bridge Mode          : enable
Max Wireless AP Clients   : 11
Client Bridge Mode        : disable
Clitn Bridge WLAN         : WLAN1
Mesh Connection Timeout   : 45 sec.

Dot11 Auth Algorithm      : shared-key-allowed

For information on configuring the Radio Configuration options available to the access point using the applet (GUI), see “Setting the WLAN’s radio configuration” on page 118.
Syntax
show
  radio       Displays specific 802.11b/g radio settings.
  qos         Displays specific 802.11b/g radio WMM QoS settings.

Example
admin(network.wireless.radio.radio1)>show radio

Radio Setting Information
Placement                    :
MAC Address                  :
Radio Type                   :
ERP Protection               :

Channel Setting              : user selection
ACS Exception Channel List   :
Antenna Diversity            : full
Power Level                  : 5 dbm (4 mW)

802.11b/g mode               : B-Only
Basic Rates                  : 1 2 5.5 11
Supported Rates              : 1 2 5.
BR5181>admin(network.wireless.radio.802-11bg)> set

Description
Defines specific 802.11b/g radio parameters.

Syntax
set
  placement            Defines the Mobility 5181 Access Point radio placement as indoors or outdoors.
  ch-mode              Determines how the radio channel is selected.
  channel              Defines the actual channel used by the radio.
  acs-exception-list   Sets the ACS exception list (for auto selection only) for up to 3 channels.
For information on configuring the Radio 1 Configuration options available to the access point using the applet (GUI), see “Configuring the 802.11a or 802.11b/g radio” on page 121.

CAUTION
If you do NOT include the index number (for example, "set dtim 50"), the DTIMs for all four BSSIDs will be changed to 50. To change individual DTIMs for BSSIDs, specify the BSS Index number (for example, "set dtim 2 50"). This will change the DTIM for BSSID 2 to 50.

BR5181>admin(network.wireless.
BSSID   Primary WLAN
-----------------------------------------------------------------------------
1       Lobby
2       HR
3       Office

admin(network.wireless.radio.802-11bg.advanced)>show wlan

WLAN 1:
WLAN name ESS ID Radio VLAN Security Policy QoS Policy : : : : : : WLAN1 101 11a,11b/g Default Default

For information on configuring Radio 1 Configuration options available to the access point using the applet (GUI), see “Configuring the 802.11a or 802.11b/g radio” on page 121.
..            Goes to the parent menu.
/             Goes to the root menu.
save          Saves the configuration to system flash.
quit          Quits the CLI.

BR5181>admin(network.wireless.radio.802-11a)> show

Description
Displays specific 802.11a radio settings.

Syntax
show
  radio       Displays specific 802.11a radio settings.
  qos         Displays specific 802.11a radio WMM QoS settings.

Example
admin(network.wireless.radio.
Best Effort   15   63   3   31   0.992
Video         7    15   1   94   3.008
Voice         3    7    1   47   1.504

For information on configuring Radio 2 Configuration options available to the access point using the applet (GUI), see “Configuring the 802.11a or 802.11b/g radio” on page 121.

BR5181>admin(network.wireless.radio.802-11a)> set

Description
Defines specific 802.11a radio parameters.

Syntax
set
  placement   Defines the Mobility 5181 Access Point radio placement as indoors or outdoors.
admin(network.wireless.radio.802-11a)>set qos txops 0
admin(network.wireless.radio.802-11a)>set qbss-beacon 110
admin(network.wireless.radio.802-11a)>set qbss-mode enable

For information on configuring the Radio 2 Configuration options available to the access point using the applet (GUI), see “Configuring the 802.11a or 802.11b/g radio” on page 121.

BR5181>admin(network.wireless.radio.802-11a.advanced)>

Description
Displays the advanced submenu for the 802-11a radio.
2       HR
3       Office

admin(network.wireless.radio.802-11bg.advanced)>show wlan

WLAN 1:
WLAN name ESS ID Radio VLAN Security Policy QoS Policy : : : : : : WLAN1 101 11a, 11b/g Default Default

For information on configuring the Radio 2 Configuration options available to the access point using the applet (GUI), see “Configuring the 802.11a or 802.11b/g radio” on page 121.

BR5181>admin(network.wireless.radio.802-11a.
Network Quality of Service (QoS) Commands

BR5181>admin(network.wireless.qos)>

Description
Displays the Mobility 5181 Access Point Quality of Service (QoS) submenu. The items available under this command include:

show          Displays Mobility 5181 Access Point QoS policy information.
create        Defines the parameters of the QoS policy.
edit          Edits the settings of an existing QoS policy.
delete        Removes an existing QoS policy.
..            Goes to the parent menu.
/             Goes to the root menu.
For information on configuring the WLAN QoS options available to the access point using the applet (GUI), see “Setting the WLAN Quality of Service (QoS) policy” on page 111.

BR5181>admin(network.wireless.qos.create)>

Description
Defines a Mobility 5181 Access Point QoS policy.

Syntax
show          Displays QoS policy parameters.
set
  qos-name    Sets the QoS name for the specified index entry.
  vop         Enables or disables support (by index) for legacy VOIP devices.
Syntax
show          Displays QoS policy parameters.
set
  qos-name    Sets the QoS name for the specified index entry.
  vop         Enables or disables support (by index) for legacy VOIP devices.
  mcast       Defines primary and secondary Multicast MAC address.
  wmm-qos     Enables or disables the QoS policy index specified.
  param-set   Defines the data type used with the qos policy and mesh network.
Network Bandwidth Management Commands

BR5181>admin(network.wireless.bandwidth)>

Description
Displays the Mobility 5181 Access Point Bandwidth Management submenu. The items available under this command include:

show          Displays Bandwidth Management information for how data is processed by the Mobility 5181 Access Point.
set           Defines Bandwidth Management parameters for the Mobility 5181 Access Point.
..            Goes to the parent menu.
/             Goes to the root menu.
For information on configuring the Bandwidth Management options available to the access point using the applet (GUI), see “Configuring bandwidth management settings” on page 126.
Network Rogue-AP Commands

BR5181>admin(network.wireless.rogue-ap)>

Description
Displays the Rogue AP submenu. The items available under this command include:

show          Displays the current Mobility 5181 Access Point Rogue AP detection configuration.
set           Defines the Rogue AP detection method.
Client-scan   Goes to the Rogue AP Client-scan submenu.
allowed-list  Goes to the Rogue AP Allowed List submenu.
active-list   Goes to the Rogue AP Active List submenu.
BR5181>admin(network.wireless.rogue-ap)> set

Description
Defines the Mobility 5181 Access Point ACL rogue AP method.

Syntax
set
  Client-scan
  interval        Define an interval for associated Clients to beacon in attempting to locate rogue APs. Value not available unless Client-scan is enabled.
  on-channel      Enables or disables on-channel detection.
  detector-scan   Enables or disables AP detector scan (dual-radio model only).
Syntax
add           Add all or just one scan result to Allowed AP list.
show          Displays all APs located by the Client scan.
start         Initiates scan immediately by the Client.
..            Goes to the parent menu.
/             Goes to the root menu.
save          Saves the configuration to system flash.
quit          Quits the CLI.

BR5181>admin(network.wireless.rogue-ap.Client-scan)> start

Description
Initiates a Client scan for a user provided MAC address.
..            Goes to the parent menu.
/             Goes to the root menu.
save          Saves the configuration to system flash.
quit          Quits the CLI.

BR5181>admin(network.wireless.rogue-ap.allowed-list)> show

Description
Displays the Rogue AP allowed List.

Syntax
show          Displays the rogue-AP allowed list.

Example
admin(network.wireless.rogue-ap.
3    00:A0:F8:40:20:01    Marketing
4    00:A0:F8:31:61:BB    103

For information on configuring the Rogue AP options available to the access point using the applet (GUI), see “Configuring rogue AP detection” on page 162.

BR5181>admin(network.wireless.rogue-ap.allowed-list)> delete

Description
Deletes an AP MAC address and ESSID from the existing allowed list.

Syntax
delete        Deletes a specified AP MAC address and ESSID index (1-50) from the allowed list.
WIPS Commands

BR5181>admin(network.wireless.wips)>

Description
Displays the wips Locationing submenu. The items available under this command include:

show          Displays the current WLAN Intrusion Prevention configuration.
set           Sets WLAN Intrusion Prevention parameters.
..            Goes to the parent menu.
/             Goes to the root menu.
save          Saves the configuration to system flash.
quit          Quits the CLI.

BR5181>admin(network.wireless.
admin(network.wireless.
Network Client Locationing Commands

BR5181>admin(network.wireless.Client-locationing)>

Description
Displays the Client Locationing submenu. The items available under this command include:

show          Displays the current Client Locationing configuration.
set           Defines Client Locationing parameters.
..            Goes to the parent menu.
/             Goes to the root menu.
save          Saves the configuration to system flash.
quit          Quits the CLI.

BR5181>admin(network.wireless.
Example
admin(network.wireless.Client-locationing)>set
admin(network.wireless.Client-locationing)>set mode enable
admin(network.wireless.Client-locationing)>set size 200
admin(network.wireless.
Network Firewall Commands

BR5181>admin(network.firewall)>

Description
Displays the Mobility 5181 Access Point firewall submenu. The items available under this command include:

show          Displays the Mobility 5181 Access Point’s current firewall configuration.
set           Defines the Mobility 5181 Access Point’s firewall parameters.
access        Enables/disables firewall permissions through the LAN and WAN ports.
advanced      Displays interoperability rules between the LAN and WAN ports.
..
BR5181>admin(network.firewall)> set

Description
Defines the Mobility 5181 Access Point firewall parameters.

Syntax
set
  mode          Enables or disables the firewall.
  nat-timeout   Defines the NAT timeout value.
  syn           Enables or disables SYN flood attack check.
  src           Enables or disables source routing check.
  win           Enables or disables Winnuke attack check.
  ftp           Enables or disables FTP bounce attack check.
BR5181>admin(network.firewall)> access

Description
Enables or disables firewall permissions through LAN to WAN ports.

Syntax
show          Displays LAN to WAN access rules.
set           Sets LAN to WAN access rules.
add           Adds LAN to WAN exception rules.
delete        Deletes LAN to WAN access exception rules.
list          Displays LAN to WAN access exception rules.
..            Goes to parent menu.
/             Goes to root menu.
save          Saves configuration to system flash.
quit          Quits and exits the CLI session.
outbound      Goes to the Outbound Firewall Rules submenu.
..            Goes to the parent menu.
/             Goes to the root menu.
save          Saves the configuration to flash memory.
quit          Quits and exits the CLI session.

Example
admin(network.firewall.adv-lan-access)>inbound
admin(network.firewall.adv-lan-access.
Network Commands 8 Network Router Commands BR5181>admin(network.router)> Description Displays the router submenu. The items available under this command are: show Displays the existing Mobility 5181 Access Point router configuration. set Sets the RIP parameters. add Adds user-defined routes. delete Deletes user-defined routes. list Lists user-defined routes. .. Goes to the parent menu. / Goes to the root menu. save Saves the configuration to system flash. quit Quits the CLI.
BR5181>admin(network.router)> set
Description
Shows the access point route table.
Syntax
set
auth Sets the RIP authentication type.
dir Sets RIP direction.
id Sets MD5 authentication ID.
key Sets MD5 authentication key.
passwd Sets the password for simple authentication.
type Defines the RIP type.
dgw-iface Sets the default gateway interface.
8 Network Commands BR5181>admin(network.router)> delete Description Deletes user-defined routes. Syntax delete Deletes the user-defined route (1-20) from list. all Deletes all user-defined routes. Example admin(network.router)>list ---------------------------------------------------------------------------index destination netmask gateway interface metric ---------------------------------------------------------------------------1 192.168.2.0 255.255.255.0 192.168.0.1 lan1 1 2 192.168.1.
8 Network Commands For information on configuring the Router options available to the access point using the applet (GUI), see “Configuring router settings” on page 128.
System Commands
BR5181>admin(system)>
Description
Displays the System submenu. The items available under this command are shown below.
restart Restarts the Mobility 5181 Access Point.
show Shows Mobility 5181 Access Point system parameter settings.
set Defines Mobility 5181 Access Point system parameter settings.
lastpw Displays last debug password.
exec Goes to a Linux command menu.
arp Displays the access point’s arp table.
8 System Commands Example admin(system)>restart ********************************WARNING*********************************** ** Unsaved configuration changes will be lost when the access point is reset. ** Please be sure to save changes before resetting. ************************************************************************** Are you sure you want to restart the BR5181?? (yes/no): BR5181 Boot Firmware Version 2.3.2.0-XXX Copyright(c) Brocade 2009. All rights reserved.
System Commands 8 BR5181>admin(system)>set Description Sets Mobility 5181 Access Point system parameters. Syntax set name Sets the Mobility 5181 Access Point system name to (1 to 59 characters). The access point does not allow intermediate space characters between characters within the system name. For example, “BR5181 sales” must be changed to “BR5181sales” to be a valid system name. loc Sets the Mobility 5181 Access Point system location to (1 to 59 characters).
8 System Commands 157.235.92.3 157.235.92.181 157.235.92.80 157.235.92.95 157.235.92.161 157.235.92.
System Commands 8 Adaptive AP Setup Commands BR5181>admin(system)>aap-setup Description Displays the Adaptive AP submenu. show Displays Adaptive AP information. set Defines the Adaptive AP configuration. delete Deletes static controller address assignments. .. Goes to the parent menu. / Goes to the root menu. save Saves the current configuration to the Mobility 5181 Access Point system flash. quit Quits the CLI and exits the current session.
IP Address 10 : 0.0.0.0
IP Address 11 : 0.0.0.0
IP Address 12 : 0.0.0.0
Tunnel to Controller AC Keepalive : 5 Current Controller AP Adoption State : 157.235.22.11 : TBD : disable
admin(system.aap-setup)>
NOTE The access point CLI is the only AP interface that displays the adaptive AP’s adoption status and AP run state. This information does not appear within the Adaptive AP Setup screen.
BR5181>admin(system.aap-setup)>delete
Description
Deletes static controller address assignments.
Syntax
delete Deletes static controller address assignments by selected index. Deletes all assignments.
Example
admin(system.aap-setup)>delete 1
admin(system.aap-setup)>
For information on configuring Adaptive AP using the applet (GUI), see “Adaptive AP setup” on page 48. For an overview of adaptive AP functionality and its implications, see “Adaptive AP” on page 379.
8 System Commands System Access Commands BR5181>admin(system)>access Description Displays the access point access submenu. show Displays Mobility 5181 Access Point system access capabilities. set Goes to the Mobility 5181 Access Point system access submenu. .. Goes to the parent menu. / Goes to the root menu. save Saves the current configuration to the Mobility 5181 Access Point system flash. quit Quits the CLI and exits the current session. BR5181>admin(system.
mode Enables/disables the access point message mode.
msg Defines the access point login message text.
For information on configuring access point access settings using the applet (GUI), see “Configuring data access” on page 50.
BR5181>admin(system.access)>show
Description
Displays the current Mobility 5181 Access Point access permissions and timeout values.
Syntax
show Shows all of the current system access settings for the Mobility 5181 Access Point.
Example
admin(system.
8 System Commands System Certificate Management Commands BR5181>admin(system)>cmgr Description Displays the Certificate Manager submenu. The items available under this command include: genreq Generates a Certificate Request. delself Deletes a Self Certificate. loadself Loads a Self Certificate signed by CA. listself Lists the self certificate loaded. loadca Loads trusted certificate from CA. delca Deletes the trusted certificate. listca Lists the trusted certificate loaded.
System Commands 8 Generates a self-certificate request for a Certification Authority (CA), where: -ou -on -cn -st -p -cc -e -d -i -sa -k The private key ID Name (up to 7 chars) Subject Name (up to 49 chars) Organization Unit (up to 49 chars) Organization Name (up to 49 chars) City Name of Organization (up to 49 chars) State Name (up to 49 chars) Postal code (9 digits) Country code (2 chars) E
For information on configuring self certificate settings using the applet (GUI), see “Creating self certificates for accessing the VPN” on page 58.
BR5181>admin(system.cmgr)> loadself
Description
Loads a self certificate signed by the Certificate Authority.
Syntax
loadself [https] Load the self certificate signed by the CA with name (7 characters). HTTPS is needed for an Apache certificate and keys.
System Commands 8 Syntax delca Deletes the trusted certificate. For information on configuring certificate settings using the applet (GUI), see “Importing a CA certificate” on page 56. BR5181>admin(system.cmgr)> listca Description Lists the loaded trusted certificate. Syntax listca Lists the loaded trusted certificates. For information on configuring certificate settings using the applet (GUI), see “Importing a CA certificate” on page 56. BR5181>admin(system.
8 System Commands For information on configuring certificate settings using the applet (GUI), see “Creating self certificates for accessing the VPN” on page 58. BR5181>admin(system.cmgr)> listprivkey Description Lists the names of private keys. Syntax listprivkey Lists all private keys and their associated certificates. For information on configuring certificate settings using the applet (GUI), see “Importing a CA certificate” on page 56. BR5181>admin(system.
System Commands listca showreq format delprivkey listprivkey expcert impcert (..
impcert : imports the target certficate file
(..)    : goes to the parent menu
/       : goes to the root menu
save    : saves the configuration to system flash
quit    : quits the CLI session
For information on configuring certificate settings using the applet (GUI), see “Importing a CA certificate” on page 56.
System Commands 8 System SNMP Commands BR5181>admin(system)> snmp Description Displays the SNMP submenu. The items available under this command are shown below. access Goes to the SNMP access submenu. traps Goes to the SNMP traps submenu. .. Goes to the parent menu. / Goes to the root menu. save Saves the configuration to system flash. quit Quits the CLI.
8 System Commands System SNMP Access Commands BR5181>admin(system.snmp.access) Description Displays the SNMP Access menu. The items available under this command are shown below. show Shows SNMP v3 engine ID. add Adds SNMP access entries. delete Deletes SNMP access entries. list Lists SNMP access entries. .. Goes to the parent menu. / Goes to the root menu. save Saves the configuration to system flash. quit Quits the CLI. BR5181>admin(system.snmp.
System Commands 8 Syntax add acl Adds an entry to the SNMP access control list with as the starting IP address and and as the ending IP address. v1v2c : comm - community string 1 to 31 characters : access - read/write access - (ro,rw) : oid - string 1 to 127 chars - E.g. 1.3.6.
8 System Commands v3 Deletes entry (1-10) from the v3 user definition list. all Deletes all entries from the v3 user definition list. Example admin(system.snmp.access)>list acl ----------------------------------------------------------------------------index start ip end ip ----------------------------------------------------------------------------1 209.236.24.1 209.236.24.46 admin(system.snmp.access)>delete acl all admin(system.snmp.
index             : 2
username          : judy
access permission : read/write
object identifier : 1.3.6.1
security level    : auth/priv
auth algorithm    : md5
auth password     : ********
privacy algorithm : des
privacy password  : *******
For information on configuring SNMP access settings using the applet (GUI), see “Configuring SNMP access control” on page 68.
8 System Commands System SNMP Traps Commands BR5181>admin(system.snmp.traps) Description Displays the SNMP traps submenu. The items available under this command are shown below. show Shows SNMP trap parameters. set Sets SNMP trap parameters. add Adds SNMP trap entries. delete Deletes SNMP trap entries. list Lists SNMP trap entries. .. Goes to the parent menu. / Goes to the root menu. save Saves the configuration to system flash. quit Quits the CLI. BR5181>admin(system.snmp.
system cold start     : disable
system config changed : disable
rogue ap detection    : disable
ap radar detection    : disable
wpa counter measure   : disable
Client hotspot status : disable
vlan                  : disable
lan monitor           : disable
DynDNS Update         : enable
For information on configuring SNMP traps using the applet (GUI), see “Enabling SNMP traps” on page 69.
BR5181>admin(system.snmp.traps)> set
Description
Sets SNMP trap parameters.
8 System Commands hotspot-Client-status enable/disable Enables/disables the hotspot Client status trap. vlan enable/disable Enables/disables VLAN traps. lan-monitor enable/disable Enables/disables LAN monitor traps. rate min-pkt Sets the particular to monitor to given the indicated . See table below for information on the possible values for , , and .
index             : 1
destination ip    : 201.232.24.33
destination port  : 555
username          : BigBoss
security level    : none
auth algorithm    : md5
auth password     : ********
privacy algorithm : des
privacy password  : ********
For information on configuring SNMP traps using the applet (GUI), see “Configuring SNMP RF trap thresholds” on page 74.
BR5181>admin(system.snmp.traps)> delete
Description
Deletes SNMP trap entries.
Syntax
delete v1v2c Deletes entry from the v1v2c access control list.
1 203.223.24.2 162 mycomm v1
admin(system.snmp.traps)>add v3 201.232.24.33 555 BigBoss none md5
admin(system.snmp.traps)>list v3 all
index             : 1
destination ip    : 201.232.24.33
destination port  : 555
username          : BigBoss
security level    : none
auth algorithm    : md5
auth password     : ********
privacy algorithm : des
privacy password  : ********
For information on configuring SNMP traps using the applet (GUI), see “Configuring SNMP RF trap thresholds” on page 74.
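The SNMP v3 access and trap listings in this section can be reviewed automatically once pasted from the CLI. The Python script below is an added example, not code from Brocade or from this guide: it parses the `key : value` layout of `list v3 all` and flags a security level of none, reliance on MD5 or DES, and read/write access rooted at 1.3.6.1. The finding names, the sample listing and the reading of `none` as SNMPv3 noAuthNoPriv are assumptions of this example.

```python
"""Audit SNMP v3 entries pasted from the access point CLI.

Added example (not Brocade code). The sample listing is constructed to
mirror the "key : value" layout of `list v3 all`; the finding names are
this example's own labels.
"""

# Constructed sample: an SNMP access entry followed by a trap destination.
SAMPLE_LISTING = """\
admin(system.snmp.access)>list v3 all
index             : 2
username          : judy
access permission : read/write
object identifier : 1.3.6.1
security level    : auth/priv
auth algorithm    : md5
auth password     : ********
privacy algorithm : des
privacy password  : *******
admin(system.snmp.traps)>list v3 all
index             : 1
destination ip    : 201.232.24.33
destination port  : 555
username          : BigBoss
security level    : none
auth algorithm    : md5
auth password     : ********
privacy algorithm : des
privacy password  : ********
"""

# OIDs at or above iso.org.dod.internet cover the entire MIB tree.
WHOLE_TREE_OIDS = {"1", "1.3", "1.3.6", "1.3.6.1"}


def parse_entries(text):
    """Split CLI output into one dict per entry; an entry starts at 'index'."""
    entries, current = [], None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if not sep or not key:
            continue  # prompts and blank lines carry no "key : value" pair
        if key == "index":
            current = {}
            entries.append(current)
        if current is not None:
            current[key] = value
    return entries


def audit_entry(entry):
    """Return the list of findings for one parsed entry."""
    findings = []
    level = entry.get("security level", "").lower()
    if level == "none":
        # Assumption: "none" means SNMPv3 noAuthNoPriv, so the md5/des
        # values shown for the entry are not in effect. Report the level.
        findings.append("NO_AUTH_NO_PRIV")
    else:
        if entry.get("auth algorithm", "").lower() == "md5":
            findings.append("WEAK_AUTH_MD5")
        if "priv" not in level:
            findings.append("NO_PRIVACY")
        elif entry.get("privacy algorithm", "").lower() == "des":
            findings.append("WEAK_PRIV_DES")
    # Write access to the whole tree lets the user change any managed object.
    if (entry.get("access permission", "").lower() == "read/write"
            and entry.get("object identifier", "") in WHOLE_TREE_OIDS):
        findings.append("RW_WHOLE_TREE")
    return findings


def audit(text):
    """Return {(index, username): [findings]} for entries with findings."""
    report = {}
    for entry in parse_entries(text):
        findings = audit_entry(entry)
        if findings:
            report[(entry.get("index"), entry.get("username"))] = findings
    return report


if __name__ == "__main__":
    for (index, user), findings in audit(SAMPLE_LISTING).items():
        print(f"entry {index} ({user}): {', '.join(findings)}")
```

The trap entry is reported only as NO_AUTH_NO_PRIV: its md5 and des fields are listed by the CLI, but with the level set to none they protect nothing.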
System Commands 8 System User Database Commands BR5181>admin(system)> userdb Description Goes to the user database submenu. Syntax user Goes to the user submenu. group Goes to the group submenu. save Saves the configuration to system flash. .. Goes to the parent menu. / Goes to the root menu. For information on configuring User Database permissions using the applet (GUI), see “Defining user access permissions by group” on page 173.
8.4.5.1 Adding and Removing Users from the User Database
BR5181>admin(system.userdb)> user
Description
Adds and removes users from the user database and defines user passwords.
Syntax
add Adds a new user.
delete Deletes an existing user ID.
clearall Removes all existing user IDs from the system.
set Sets a password for a user.
show Displays the current user database configuration.
save Saves the configuration to system flash.
.. Goes to the parent menu.
BR5181>admin(system.userdb.user)> delete
Description
Removes a user from the user database.
Syntax
delete Removes a user ID string from the user database.
Example
admin(system.userdb.user>delete george
admin(system.userdb.user>
For information on configuring User Database permissions using the applet (GUI), see “Defining user access permissions by group” on page 173.
BR5181>admin(system.userdb.user)>clearall
Description
Removes all existing user IDs from the system.
8.4.5.2 Adding and Removing Groups from the User Database
BR5181>admin(system.userdb)> group
Description
Adds and removes groups from the user database.
Syntax
create Creates a group name.
delete Deletes a group name.
clearall Removes all existing group names from the system.
add Adds a user to an existing group.
remove Removes a user from an existing group.
show Displays existing groups.
save Saves the configuration to system flash.
.. Goes to the parent menu.
System Commands 8 Syntax delete Deletes an existing group. Example admin(system.userdb.group>delete 2 admin(system.userdb.group> For information on configuring User Database permissions using the applet (GUI), see “Defining user access permissions by group” on page 173. BR5181>admin(system.userdb.group> clearall Description Removes all existing group names from the system. Syntax clearall Removes all existing group names from the system. Example admin(system.userdb.group>clearall admin(system.
8 System Commands Syntax remove Removes a user from an existing group . Example admin(system.userdb.group>remove lucy group x admin(system.userdb.group> For information on configuring User Database permissions using the applet (GUI), see “Defining user access permissions by group” on page 173 BR5181>admin(system.userdb.group> show Description Displays existing groups. Syntax show Displays existing groups and users, users Displays configured user IDs for a group.
System Commands 8 System Radius Commands BR5181>admin(system)> radius Description Goes to the Radius system submenu. Syntax eap Goes to the EAP submenu. policy Goes to the access policy submenu. ldap Goes to the LDAP submenu. proxy Goes to the proxy submenu. client Goes to the client submenu. set Sets Radius parameters. show Displays Radius parameters. save Saves the configuration to system flash. quit Quits the CLI. .. Goes to the parent menu. / Goes to the root menu.
8 System Commands For information on configuring Radius using the applet (GUI), see “Configuring user authentication” on page 167. BR5181>admin(system.radius)> eap Description Goes to the EAP submenu. Syntax peap Goes to the Peap submenu. ttls Goes to the TTLS submenu. import Imports the requested EAP certificates. set Defines EAP parameters. show Displays the EAP configuration. save Saves the configuration to system flash. quit Quits the CLI. .. Goes to the parent menu.
System Commands 8 BR5181>admin(system.radius.eap.peap> set/show Description Defines and displays Peap parameters Syntax set Sets the Peap authentication . show Displays the Peap authentication type. Example admin(system.radius.eap.peap)>set auth gtc admin(system.radius.eap.peap)>show PEAP Auth Type : gtc For information on configuring EAP PEAP Radius values using the applet (GUI), see “Configuring user authentication” on page 167. BR5181>admin(system.radius.
8 System Commands Description admin(system.radius.eap.ttls)>set auth pap admin(system.radius.eap.ttls)>show TTLS Auth Type : pap For information on configuring EAP TTLS Radius values using the applet (GUI), see “Configuring user authentication” on page 167. 8.4.6.2 BR5181>admin(system.radius)> policy Description Goes to the access policy submenu. Syntax set Sets a group’s WLAN access policy. access-time Goes to the time based login submenu. show Displays the group’s access policy.
BR5181>admin(system.radius.policy> access-time
Description
Goes to the time-based login submenu.
Syntax
set Defines a target group’s access time permissions. Access time is in DayDDDD-DDDD format.
show Displays the group’s access time rule.
save Saves the configuration to system flash.
quit Quits the CLI.
.. Goes to the parent menu.
/ Goes to the root menu.
Example
admin(system.radius.policy.
BR5181>admin(system.radius.policy> show
Description
Displays a group’s access policy.
Syntax
show Displays a group’s access policy.
Example
admin(system.radius.policy)>show
List of Access Policies
engineering : 16
marketing   : 10
demo room   : 3
test demo   : No Wlans
admin(system.radius.policy)>
For information on configuring Radius WLAN policy values using the applet (GUI), see “Configuring user authentication” on page 167.
8.4.6.3 BR5181>admin(system.
System Commands 8 Syntax set Defines the LDAP parameters. ipadr Sets LDAP IP address. port Sets LDAP server port. binddn Sets LDAP bind distinguished name. basedn Sets LDAP base distinguished name. passwd Sets LDAP server password. login Sets LDAP login attribute. pass_attr Sets LDAP password attribute. groupname Sets LDAP group name attribute. filter Sets LDAP group membership filter. membership Sets LDAP group membership attribute. Example admin(system.radius.
8 System Commands LDAP Base DN : 0=trion LDAP Login Attribute : (uid=%{Stripped-User-Name:-%{User-Name}}) LDAP Password attribute : userPassword LDAP Group Name Attribue : cn LDAP Group Membership Filter : (|(&(objectClass=GroupOfNames)(member=%{Ldap-objectClass=GroupOfUniqueNames)( uniquemember=%{Ldap-UserDn}))) LDAP Group Membership Attribute : radiusGroupName admin(system.radius.
port Authentication server port.
sec Shared secret password.
Example
admin(system.radius.proxy)>add lancelot 157.235.241.22 1812 muddy
admin(system.radius.proxy)>
For information on configuring Radius proxy server values using the applet (GUI), see “Configuring a proxy Radius server” on page 170.
BR5181>admin(system.radius.proxy)> delete
Description
Adds a proxy.
Syntax
delete Deletes a specified realm name.
Example
admin(system.radius.
8 System Commands BR5181>admin(system.radius.proxy)> set Description Sets Radius proxy server parameters. Syntax set Sets Radius proxy server parameters. delay Defines retry delay time (in seconds) for the proxy server. count Defines retry count value for the proxy server. Example admin(system.radius.proxy)>set delay 10 admin(system.radius.proxy)>set count 5 admin(system.radius.
System Commands 8 Syntax add Adds a proxy. ip Client’s IP address. mask Network mask address of the client. secret Shared secret password. Example admin(system.radius.client)>add 157.235.132.11 255.255.255.225 muddy admin(system.radius.client)> For information on configuring Radius client values using the applet (GUI), see “Configuring the Radius server” on page 167. BR5181>admin(system.radius.
8 System Commands For information on configuring Radius client values using the applet (GUI), see “Configuring the Radius server” on page 167.
System Commands 8 System Network Time Protocol (NTP) Commands BR5181>admin(system)> ntp Description Displays the NTP menu. The correct network time is required for numerous functions to be configured accurately on the Mobility 5181 Access Point. Syntax show Shows NTP parameters settings. date-zone Show date, time and time zone. zone-list Displays list of time zones. set Sets NTP parameters. .. Goes to the parent menu. / Goes to the root menu. save Saves the configuration to system flash.
8 System Commands For information on configuring NTP using the applet (GUI), see “Configuring Network Time Protocol (NTP)” on page 76. BR5181>admin(system.ntp)> date-zone Description Show date, time and time zone. Syntax date-zone Show date, time and time zone. Example admin(system.ntp)>date-zone Date/Time : Sat 1970-Jan-03 20:06:22 +0000 UTC Time Zone : UTC For information on configuring NTP using the applet (GUI), see “Configuring Network Time Protocol (NTP)” on page 76. BR5181>admin(system.
Syntax
set
mode Enables or disables NTP.
server Sets the NTP server IP address.
port Defines the port number.
intrvl Defines the clock synchronization interval used between the Mobility 5181 Access Point and the NTP server in minutes (15 - 65535).
time Sets the current system time. [yyyy] - year, [mm] - month, [dd] - day of the month, [hh] - hour of the day, [mm] - minute, [ss] - second, [zone -idx] Index of the zone.
8 System Commands System Log Commands BR5181>admin(system)> logs Description Displays the Mobility 5181 Access Point log submenu. Logging options include: Syntax show Shows logging options. set Sets log options and parameters. view Views system log. delete Deletes the system log. send Sends log to the designated FTP Server. .. Goes to the parent menu. / Goes to the root menu. save Saves configuration to system flash. quit Quits the CLI. BR5181>admin(system.
System Commands 8 Syntax set level Sets the level of the events that will be logged. All events with a level at or above (L0-L7) will be saved to the system log. L0:Emergency L1:Alert L2:Critical L3:Errors L4:Warning L5:Notice L6:Info (default setting) L7:Debug mode Enables or disables syslog server logging. ipadr Sets the external syslog server IP address to (a.b.c.d). admin(system.logs)>set mode enable admin(system.logs)>set level L4 admin(system.
8 System Commands For information on configuring logging settings using the applet (GUI), see “Logging configuration” on page 79. BR5181>admin(system.logs)> delete Description Deletes the log files. Syntax delete Deletes the Mobility 5181 Access Point system log file. Example admin(system.logs)>delete For information on configuring logging settings using the applet (GUI), see “Logging configuration” on page 79. BR5181>admin(system.logs)> send Description Sends log and core file to an FTP Server.
System Commands 8 System Configuration-Update Commands BR5181>admin(system.config)> Description Displays the Mobility 5181 Access Point configuration update submenu. Syntax default Restores the default Mobility 5181 Access Point configuration. partial Restores a partial default Mobility 5181 Access Point configuration. show Shows import/export parameters. set Sets import/export Mobility 5181 Access Point configuration parameters.
BR5181>admin(system.config)> partial
Description
Restores a partial factory default configuration. The Mobility 5181 Access Point’s LAN, WAN and SNMP settings are unaffected by the partial restore.
Syntax
default Restores a partial access point configuration.
Example
admin(system.
System Commands 8 Syntax set file Sets the configuration file name (1 to 39 characters in length). path Defines the path used for the configuration file upload. server Sets the FTP/TFTP server IP address. user Sets the FTP user name (1 to 39 characters in length). passwd Sets the FTP password (1 to 39 characters in length). Example admin(system.config)>set server 192.168.22.12 admin(system.config)>set user myadmin admin(system.
8 System Commands Export Operation : [ Done ] Export TFTP Example: admin(system.config)>set server 192.168.0.101 admin(system.config)>set file config.txt admin(system.
System Commands 8 File transfer : [ In progress ] File transfer : [ Done ] Import operation : [ Done ] CAUTION A single-radio model access point cannot import/export its configuration to a dual-radio model access point. In turn, a dual-radio model access point cannot import/export its configuration to a single-radio access point. CAUTION Brocade discourages importing a 1.0 baseline configuration file to a 1.1 version access point. Similarly, a 1.
8 System Commands BR5181>admin(system.fw-update)>show Description Displays the current Mobility 5181 Access Point firmware update settings. Syntax show Shows the current system firmware update settings for the Mobility 5181 Access Point. Example admin(system.fw-update)>show automatic firmware upgrade automatic config upgrade : enable : enable firmware filename firmware path ftp/tftp server ip address ftp user name ftp password : : : : : APFW.bin /tftpboot/ 168.197.2.
admin(system.fw-update)>set user mudskipper
admin(system.fw-update)>set passwd muddy
For information on updating access point device firmware using the applet (GUI), see “Updating device firmware” on page 86.
BR5181>admin(system.fw-update)>update
Description
Executes the Mobility 5181 Access Point firmware update over the WAN or LAN port using either ftp or tftp.
Syntax
update Defines the ftp or tftp mode used to conduct the firmware update.
8 Statistics Commands Statistics Commands BR5181>admin(stats) Description Displays the Mobility 5181 Access Point statistics submenu. The items available under this command are: show Displays Mobility 5181 Access Point WLAN, Client, LAN and WAN statistics. send-cfg-ap Sends a config file to another access point within the known AP table. send-cfg-all Sends a config file to all access points within the known AP table. clear Clears all statistic counters to zero.
s-Client Displays status and statistics for an individual Client.
auth-Client Displays single Client Authentication statistics.
wlap Displays Wireless Bridge statistics summary.
s-wlap Displays single Wireless Bridge statistics.
known-ap Displays a Known AP summary.
cpu-mem Displays memory and CPU usage statistics.
For information on displaying WAN port statistics using the applet (GUI), see “Viewing WAN statistics” on page 177.
8 Statistics Commands NOTE The send-cfg-ap command copies all existing configuration parameters except Mesh settings, LAN IP data, WAN IP data and DHCP Server parameter information. For information on copying the access point config to another access point using the applet (GUI), see “Viewing known access point statistics” on page 196. BR5181>admin(stats)> send-cfg-all Description Copies the Mobility 5181 Access Point’s configuration to all of the Mobility 5181 Access Points within the known AP table.
all-Client Clears all Client statistic counters.
Client Clears Client statistics counters.
known-ap Clears Known AP statistic counters.
BR5181>admin(stats)> flash-all-leds
Description
Starts and stops the illumination of a specified access point’s LEDs.
Syntax
flash-all-leds Defines the Known AP index number of the target AP to flash. Starts or stops the flash activity.
8 Statistics Commands For information on Client Echo and Ping tests using the applet (GUI), see “Pinging individual clients” on page 194. BR5181>admin.stats.echo)> show Description Shows Mobile Unit Statistics Summary. Syntax show Shows Mobile Unit Statistics Summary. Example admin(stats.
Statistics Commands 8 BR5181>admin.stats.echo)>set Description Defines the parameters of the echo test. Syntax set station Defines Client target MAC address. request Sets number of echo packets to transmit (1-539). length Determines echo packet length in bytes (1-539). data Defines the particular packet data. For information on Client Echo and Ping tests using the applet (GUI), see “Pinging individual clients” on page 194. BR5181>admin.stats.
8 Statistics Commands Syntax ping show Shows Known AP Summary details. list Defines ping test packet length. set Determines ping test packet data. start Begins pinging the defined station. .. Goes to parent menu. / Goes to root menu. quit Quits CLI session. For information on Known AP tests using the applet (GUI), see “Pinging individual clients” on page 194. BR5181>admin.stats.ping)> show Description Shows Known AP Summary Details. Syntax show Shows Known AP Summary Details.
Statistics Commands Packet Data (in HEX) 8 : 55 admin(stats.ping)> For information on Known AP tests using the applet (GUI), see “Pinging individual clients” on page 194. BR5181>admin.stats.ping)> set Description Defines the parameters of the ping test. Syntax set station Defines the AP target MAC address. request Sets number of ping packets to transmit (1-539). length Determines ping packet length in bytes (1-539). data Defines the particular packet data. Example admin(stats.
8 Statistics Commands Packet Data (in HEX) : 1 Number of AP Responses : 2 For information on Known AP tests using the applet (GUI), see “Pinging individual clients” on page 194.
Chapter 9
Configuring Mesh Networking
In this chapter
• Mesh networking overview
• Configuring mesh networking support
• Mesh network deployment - quick setup
• Mesh networking frequently asked questions
9 Mesh networking overview A mesh network must use one of the two access point LANs. If intending to use the access point for mesh networking support, Brocade recommends configuring at least one WLAN (of the 16 WLANs available) specifically for mesh networking support. The client bridge creates up to three connections if it can find base bridges for connection. If the connections are redundant (on the same network), then one connection will be forwarding and the others blocked.
CAUTION An access point in Base Bridge mode logs out whenever a Client Bridge associates to the Base Bridge over the LAN connection. This problem is not experienced over the access point’s WAN connection. If this situation is experienced, log in to the access point again.
The access point in client bridge mode attempts to establish up to 3 simultaneous wireless connections. The second and third connections are established in the background while the system is running.
9 Mesh networking overview The access point can manipulate the path cost assigned to a bridge connection based on that connection’s RSSI. This results in the spanning tree selecting the optimal path for forwarding data when redundant paths exist. However, this can be overridden using the preferred list. When using the preferred list, the user enters a priority for each bridge, resulting in the selection of the forwarding link.
Configuring mesh networking support 9 CAUTION When using the Import/Export screen to import a mesh supported configuration, do not import a base bridge configuration into an existing client bridge, as this could cause the mesh configuration to break.
9 Configuring mesh networking support Priority Set the Priority as low as possible for a to force other devices within the mesh network to defer to this client bridge as the bridge defining the mesh configuration (commonly referred to as the root). Brocade recommends assigning a Base Bridge AP with the lowest bridge priority so it becomes the root in the STP. If a root already exists, set the Bridge Priorities of new APs accordingly so the root of the STP doesn't get altered.
Configuring mesh networking support 9 2. Select the Create button to configure a new WLAN specifically to support mesh networking. An existing WLAN can be modified (or used as is) for mesh networking support by selecting it from the list of available WLANs and clicking the Edit button. 3. Assign an ESSID and Name to the WLAN that each access point will share when using this WLAN within their mesh network.
If none of the existing policies are suitable, select the Create button to the right of the Security Policy drop-down menu and configure a policy suitable for the mesh network. For information on configuring a security using the authentication and encryption techniques available to the access point, see “Only a qualified installation professional should set or restore the access point’s radio and power management configuration in the event of a password reset.
Configuring the access point radio for mesh support
An access point radio intended for use within a mesh network requires configuration attributes unique from a radio intended for non-mesh support. This section describes how to configure an access point radio for mesh network support.
Once the settings within the Radio Configuration screen are applied (for an initial deployment), the current number of client bridge connections for this specific radio displays within the CBs Connected field. If this is an existing radio within a mesh network, this value updates in real-time. 5.
RSSI The Relative Signal Strength Indicator (RSSI) displays the located device’s signal strength with the associated access point in client bridge mode. Use this information as criteria on whether to move a particular device from the available list to the preferred list.
CHANN The CHANN displays the name of the channel that both the access point and base bridge use. A client bridge can only connect to access points (Base Bridges) on the same channel.
Disabled When disabled, both radios are up at boot time and beaconing. If one radio (radio 1) does not have a mesh connection, the other radio (radio 2) is not affected. Radio 2 continues to beacon and associate Clients, but Clients can only communicate amongst themselves using the access point. Disabled is the default value.
Uplink Detect When Uplink Detect is selected, the access point only boots up the radio configured as a client bridge.
Mesh network deployment - quick setup
This section provides instructions on how to quickly set up and demonstrate mesh functionality using three access points. The following two deployment scenarios will be addressed:
• Scenario 1 - Two base bridges (redundant) and one client bridge
• Scenario 2 - A two hop mesh network with a base bridge, repeater (combined base bridge and client bridge mode) and a client bridge.
3. Define a mesh supported WLAN.
4. Enable base bridge functionality on the 802.11a radio (Radio 2).
5. Define a channel of operation for the 802.11a radio.
6. If needed, create another WLAN mapped to the 802.11bg radio if 802.11bg support is required for Clients on that 802.11 band.
Verifying mesh network functionality for scenario #1
You now have a three AP mesh network ready to demonstrate. Associate a single Client on each AP WLAN configured for 802.11bg radio support. Once completed, pass traffic among the three APs comprising the mesh network.
Configuring AP#2
AP#2 requires the following modifications from AP#2 in the previous scenario to function in base bridge/client bridge repeater mode.
1. Enable client bridge backhaul on the mesh supported WLAN.
2. Enable client and base bridge functionality on the 802.11a radio
Configuring AP#3
To define AP #3’s configuration:
1.
Mesh networking frequently asked questions
Resolution
This is valid behavior. You see this when your mesh APs are close enough (in proximity) so the client bridge can see both the base bridges (AP1, AP2), in which case it forms two links, one each to AP1 and AP2. Since the link to AP1 is the shortest path in terms of number of hops, AP3 uses that link to forward traffic.
Mesh Deployment Issue 9 - Can I mesh between an access point and a Mobility 300?
Can you mesh between a Product Name and a Mobility 300 model access point?
Resolution
No, a Mobility 300 does not support mesh networking, so you won't be able to mesh between two Mobility 300s or between a Mobility 300 and a Product Name.
Resolution
Yes, all mesh nodes have built in dynamic link switching and auto-recovery mechanisms that ensure they adapt to changing RF conditions.
Chapter 10 Adaptive AP
In this chapter
• Adaptive AP overview
• Supported adaptive AP topologies
• How the AP receives its adaptive configuration
• Establishing basic adaptive AP connectivity
Adaptive AP overview
Where to go from here
Refer to the following for a further understanding of AAP operation:
• Adaptive AP management
• Licensing
• Controller discovery
• Securing a configuration channel between controller and AP
• Adaptive AP WLAN topology
• Configuration updates
• Securing data tunnels between the controller and AAP
• Adaptive AP controller failure
• Remote site survivability (RSS)
• Adaptive mesh support
For an understanding of how AAP support should be configured for the acce
• Auto discovery using DHCP
• Manual adoption configuration
Auto discovery using DHCP
Extended Global Options 189, 190, 191, 192 can be used or Embedded Option 43 - Vendor Specific options can be embedded in Option 43 using the vendor class identifier: BrocadeAP.51xx.
• Extended WLANs - Extended WLANs are the centralized WLANs created on the controller
• Independent WLANs - Independent WLANs are local to an AAP and can be configured from the controller. You must specify a WLAN as independent to stop traffic from being forwarded to the controller. Independent WLANs behave like WLANs on a standalone access point.
• Both - Extended and independent WLANs are configured from the controller and operate simultaneously.
RSS State      Independent WLANs          Extended WLANs
RSS Enabled    WLAN continues beaconing   WLAN continues beaconing but AP does allow clients to associate on that WLAN
RSS Disabled   WLAN stops beaconing       WLAN stops beaconing
NOTE For a dependent AAP, independent WLANs continue to beacon for three days in the absence of a controller.
Adaptive mesh support
An AAP can extend an AP51x1's existing mesh functionality to a controller managed network.
10 Supported adaptive AP topologies • An AAP firmware upgrade will not be performed at the time of adoption from the wireless controller. Instead, the firmware is upgraded using the AP-51x1’s firmware update procedure (manually or using the DHCP Auto Update feature). • An AAP can use its LAN1 interface or WAN interface for adoption. The default gateway interface is set to LAN1. If the WAN Interface is used, explicitly configure WAN as the default gateway interface.
How the AP receives its adaptive configuration 10 Extended WLAN with mesh networking Mesh networking is an extension of the existing wired network. There is no special configuration required, with the exceptions of setting the mesh and using it within one of the two extended VLAN configurations and defining an access point radio as a preferred base bridge. NOTE The mesh backhaul WLAN must be an independent WLAN mapped to LAN1.
10 Establishing basic adaptive AP connectivity To avoid a lengthy broken connection with the controller, Brocade recommends generating an SNMP trap when the AAP loses adoption with the controller. NOTE For additional information (in greater detail) on the AP configuration activities described above, see “Adaptive AP configuration” on page 387. Configuring the controller for adaptive AP adoption The tasks described below are configured on a Mobility RFS6000 Controller or a Mobility RFS7000 Controller.
Adaptive AP configuration
An AAP can be manually adopted by the controller, adopted using a configuration file (consisting of the adaptive parameters) pushed to the access point or adopted using DHCP options. Each of these adoption techniques is described in the sections that follow.
Adopting an adaptive AP manually
To manually enable the access point’s controller discovery method and connection medium required for adoption:
1.
Either import the configuration manually to other APs or the same AP later (if you elect to default its configuration). Use DHCP option 186 and 187 to force a download of the configuration file during startup (when it receives a DHCP offer). For instruction on how to use the access point’s configuration import/export functionality, see “Importing/exporting configurations” on page 81.
Any WLAN configured on the controller becomes an extended WLAN by default for an AAP.
4. Select Network > Wireless LANs from the controller main menu tree.
5. Select the target WLAN you would like to use for AAP support from those displayed and click the Edit button.
6. Select the Independent Mode (AAP Only) checkbox. Selecting the checkbox designates the WLAN as independent and prevents traffic from being forwarded to the controller.
Sample controller configuration file for IPSec and independent WLAN
The following constitutes a sample Mobility RFS7000 Controller configuration file supporting an AAP IPSec with Independent WLAN configuration. Please note new AAP specific CLI commands in red and relevant comments in blue. The sample output is as follows:
!
! configuration of Mobility RFS7000 RFS7000-1 version 1.1.0.0-016D
!
version 1.
license AP xyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyx yxyxxyxyxyx
!
wireless
no adopt-unconf-radio enable
manual-wlan-mapping enable
wlan 1 enable
wlan 1 ssid qs5-ccmp
wlan 1 vlan 200
wlan 1 encryption-type ccmp
wlan 1 dot11i phrase 0 Brocade123
wlan 2 enable
wlan 2 ssid qs5-tkip
wlan 2 vlan 210
wlan 2 encryption-type tkip
wlan 2 dot11i phrase 0 Brocade123
wlan 3 enable
wlan 3 ssid qs5-wep128
wlan 3 vlan 220
wlan 3 encry
radio 4 channel-power indoor 48 4
radio 4 rss enable
radio 4 client-bridge bridge-select-mode auto
radio 4 client-bridge ssid Mesh
radio 4 client-bridge mesh-timeout 0
radio 4 client-bridge enable
radio default-11a rss enable
radio default-11bg rss enable
radio default-11b rss enable
no ap-ip default-ap controller-ip
!
radius-server local
!
! To create an IPSEC Transform Set
!
crypto ipsec transform-set AAP-TFSET esp-aes-256 esp-sha-hmac
mode tunnel
! To create
!
interface vlan1
ip address dhcp
! To attach a Crypto Map to a VLAN Interface
!
crypto map AAP-CRYPTOMAP
!
sole
!
ip route 157.235.0.0/16 157.235.92.2
ip route 172.0.0.0/8 157.235.92.2
!
ntp server 10.10.10.
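A check an administrator can run before adapting the sample configuration above, added here as an example that is not part of the Brocade guide or its software: it parses the wlan lines the page shows in full and flags any enabled WLAN whose cipher is not CCMP or whose passphrase is reused on another WLAN. The CCMP-only policy, the rule names and the function names are assumptions of this example.

```python
import re
from collections import defaultdict

# wlan lines copied from the sample controller configuration on this page
# (only the lines the page shows in full).
SAMPLE_CONFIG = """\
wireless
no adopt-unconf-radio enable
manual-wlan-mapping enable
wlan 1 enable
wlan 1 ssid qs5-ccmp
wlan 1 vlan 200
wlan 1 encryption-type ccmp
wlan 1 dot11i phrase 0 Brocade123
wlan 2 enable
wlan 2 ssid qs5-tkip
wlan 2 vlan 210
wlan 2 encryption-type tkip
wlan 2 dot11i phrase 0 Brocade123
"""

# Assumed site policy for this example: CCMP is the only accepted cipher.
ALLOWED_ENCRYPTION = {"ccmp"}
WLAN_LINE = re.compile(r"^\s*wlan\s+(\d+)\s+(\S.*?)\s*$")


def parse_wlans(config_text):
    """Group 'wlan <index> <setting ...>' lines into {index: {setting: value}}."""
    wlans = defaultdict(dict)
    for line in config_text.splitlines():
        match = WLAN_LINE.match(line)
        if not match:
            continue
        index, words = int(match.group(1)), match.group(2).split()
        if words[:2] == ["dot11i", "phrase"] and len(words) >= 4:
            # 'dot11i phrase <type> <value>': store the value for comparison only.
            wlans[index]["phrase"] = " ".join(words[3:])
        elif len(words) >= 2:
            wlans[index][words[0]] = words[1]
        else:
            wlans[index][words[0]] = True  # bare keyword such as 'enable'
    return dict(wlans)


def audit_wlans(config_text):
    """Return sorted (wlan_index, rule, detail) findings for enabled WLANs."""
    findings = []
    users_of_phrase = defaultdict(list)
    for index, settings in parse_wlans(config_text).items():
        if not settings.get("enable"):
            continue
        cipher = settings.get("encryption-type", "<unset>")
        if cipher not in ALLOWED_ENCRYPTION:
            findings.append((index, "weak-encryption", cipher))
        if "phrase" in settings:
            users_of_phrase[settings["phrase"]].append(index)
    for indexes in users_of_phrase.values():
        for index in indexes:
            others = [str(i) for i in indexes if i != index]
            if others:
                # Report which WLANs share the key, never the key itself.
                findings.append((index, "shared-passphrase", ",".join(others)))
    return sorted(findings)
```

Calling audit_wlans(SAMPLE_CONFIG) reports WLAN 2 for its TKIP cipher and both WLANs for sharing one passphrase.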
Appendix A Technical Specifications
In this chapter
• Physical characteristics
• Electrical characteristics
• Radio characteristics
• Antenna specifications
• Country codes
Electrical characteristics
The Mobility 5181 Access Point has the following electrical characteristics:
CAUTION Brocade recommends only the AP-PSBIAS-5181-01R model power supply for use with the Mobility 5181 Access Point.
Operating Voltage: 48Vdc (Nom)
Operating Current: 200mA (Peak) @ 48Vdc, 170mA (Nom) @ 48Vdc
Radio characteristics
The Mobility 5181 Access Point has the following radio characteristics:
Operating Channels 802.
Part Number         Antenna Type                 Nominal Net Gain (dBi)   Description
ML-2499-FHPA5-01R   Omni-Directional Antenna     5.0                      2.4 GHz, Type N connector, no pigtail
ML-2499-FHPA9-01R   Omni-Directional Antenna     9.0                      2.4 GHz, Type N connector, no pigtail
ML-2452-PNA7-01R    Panel Antenna (Dual-Band)    8.0                      2.4 - 2.5/4.9 - 5.99 GHz, 66 deg/60 deg Type N connector, with pigtail
ML-2452-PNA5-01R    Sector Antenna (Dual-Band)   6.0                      2.3 - 2.4/4.9 - 5.
Country codes
Bosnia-Herzegovina BA    Pakistan PK
Brazil BR                Paraguay PY
Bulgaria BG              Peru PE
Canada CA                Philippines PH
Cayman Islands KY        Poland PL
Chile CL                 Portugal PT
China CN                 Puerto Rico PR
Christmas Islands CX     Qatar QA
Colombia CO              Romania RO
Costa Rica CR            Russian Federation RU
Croatia HR               Saudi Arabia SA
Cyprus CY                Serbia RS
Czech Rep.
Japan JP
Jordan JO
Kazakhstan KZ
Kuwait KW
Latvia LV
Lebanon LB
Liechtenstein LI
Lithuania LT
Luxembourg LU
Macedonia MK
Malaysia MY
Malta MT
Martinique MQ
Appendix B Usage Scenarios
This appendix provides practical usage scenarios for many of the access point’s key features. This information should be referenced as a supplement to the information contained within this Product Reference Guide.
B Configuring Automatic Updates using a DHCP or Linux BootP server Embedded Options - Using Option 43 This section provides instructions for automatic update of firmware and configuration file via DHCP using extended options or standard options configured globally.
NOTE If the firmware files are the same, the firmware will not get updated. If the configuration file name matches the last used configuration file on the access point or if the configuration file versions are the same, the access point configuration will not get updated.
4. Restart the access point.
5. While the access point boots up, verify the access point:
• Obtains and applies the expected IP Address from the DHCP Server
• Downloads the firmware and configuration files from the TFTP Server and updates both as required. Verify the file versions within the System Settings screen.
NOTE If the firmware files are the same, the firmware will not get updated.
Linux - BootP server configuration
See the following sections for information on these BootP server configurations in the Linux environment:
• BootP options
• BootP priorities
BootP options
This section contains instructions for the automatic update of the access point firmware and configuration file using a BootP Server.
1:ha=00a0f88aa6d8\
:sm=255.255.255.0\
:ip=157.235.93.128\
:gw=157.235.93.2\
:sa=157.235.93.250\
:bf=/tftpboot/cfg.txt\
:T136="/tftpboot/":
<LAN MAC Address>
NOTE The bf option prefixes a forward slash (/) to the configuration file name. The forward slash may not be supported on Windows based TFTP Servers.
3.
If the BootP Server is configured for options 186 and 66 (to assign TFTP server IP addresses) the access point uses the IP address configured for option 186. Similarly, if the BootP Server is configured for options 188 and 129 (for the configuration file) the AP uses the file name configured for option 188.
Configuring an IPSEC tunnel and VPN FAQs
The access point has the capability to create a tunnel between an access point and a VPN endpoint.
5. Enter the WAN port IP address of AP #1 for the Local WAN IP.
6. Within the Remote Subnet and Remote Subnet Mask fields, enter the LAN IP subnet and mask of AP #2 /Device #2.
7. Enter the WAN port IP address of AP #2/ Device #2 for a Remote Gateway.
8. Click Apply to save the changes.
NOTE For this example, Auto IKE Key Exchange is used.
11. For the ESP Type, select ESP with Authentication and use AES 128-bit as the ESP encryption algorithm and MD5 as the authentication algorithm. Click OK.
12. Select the IKE Settings button.
13. Select Pre Shared Key (PSK) from the IKE Authentication Mode drop-down menu.
14. Enter a Passphrase. Passphrases must match on both VPN devices.
NOTE Ensure the IKE authentication Passphrase is the same as the Pre-shared key on the Cisco PIX device.
15.
18. Check the VPN Status screen. Notice the status displays "NOT_ACTIVE". This screen automatically refreshes to get the current status of the VPN tunnel. Once the tunnel is active, the IKE_STATE changes from NOT_CONNECTED to SA_MATURE.
19. On access point #2/ Device #2, repeat the same procedure. However, replace access point #2 information with access point #1 information.
20.
• Question 4: Will the default "Manual Key Exchange" settings work without making any changes?
No. Changes need to be made. Enter Inbound and Outbound ESP Encryption keys on both APs. Each one should be of 16 Hex characters (depending on the encryption or authentication scheme used). The VPN tunnel can be established only when these corresponding keys match. Ensure the Inbound/Outbound SPI and ESP Authentication Keys have been properly specified.
• Question 8: I am using a direct cable connection between my two VPN gateways for testing and cannot get a tunnel established, yet it works when I set them up across another network or router. Why?
The packet processing architecture of the access point VPN solution requires the WAN default gateway to work properly. When connecting two gateways directly, you don't need a default gateway when the two addresses are on the same subnet.
Src, Dst, Transport ANY, Src port 1:65535, Dst port 1:65535, Rev NAT None
• An 'allow' outbound rule.
Src, Dst, Transport ANY, Src port 1:65535, Dst port 1:65535, NAT None
• For IKE, an 'allow' inbound rule.