WS5100 Series Switch System Reference Guide
© 2007 Motorola, Inc. All rights reserved. MOTOROLA and the Stylized M Logo are registered in the US Patent & Trademark Office. Symbol is a registered trademark of Symbol Technologies, Inc. All other product or service names are the property of their respective owners.
Contents

Chapter 1. Overview
1.1 Hardware Overview
1.1.1 Physical Specifications
1.1.2 System Status LED Codes
3.4.2 Enabling Global Settings for the Failover Image
3.4.3 Updating the Switch Firmware
3.5 Configuring Automatic Updates
5.2.5 Viewing DHCP Server Status
5.3 Configuring Secure NTP
5.3.1 Defining the SNTP Configuration
6.6.2 Defining Static NAT Translations
6.6.3 Configuring NAT Interfaces
6.6.4 Viewing NAT Status
8.1.5 Switch Memory Processes
8.1.6 Other Switch Resources
8.2 Configuring System Logging
About This Guide

Introduction
This guide provides information about using the WS5100 Series Switch.

NOTE: Screens and windows pictured in this guide are samples and can differ from actual screens.

Documentation Set
The documentation set for the WS5100 Series Switch is partitioned into the following guides to provide information for specific user needs.
• WS5100 Installation Guide - describes the basic setup and configuration required to transition to more advanced configuration of the switch.
Notational Conventions
The following additional notational conventions are used in this document:
• Italics are used to highlight the following:
  • Chapters and sections in this and related documents
  • Dialog box, window and screen names
  • Drop-down list and list box names
  • Check box and radio button names
  • Icons on a screen.
• GUI text is used to highlight the following:
  • Screen names
  • Menu items
  • Button names on a screen.
Overview

The switch provides a centralized management solution for wireless networking components across the wired network infrastructure. The switch connects to legacy access ports through a Layer 2 switch/hub. The switch connects to non-legacy access ports through a Layer 3 interface. The switch functions as the center of the wireless network. The access ports function as radio antennas for data traffic management and routing.
1.1.1 Physical Specifications
The physical dimensions and operating parameters of the WS5100 Series Switch include:

Width                   48.1 cm / 18.93 in. (with mounting brackets)
                        42.9 cm / 16.89 in. (without mounting brackets)
Height                  4.39 cm / 1.73 in.
Depth                   40.46 cm / 15.93 in.
Weight                  6.25 kg / 13.75 lbs.
Max Power Consumption   100 VAC, 50/60 Hz, 3A
                        240 VAC, 50/60 Hz, 1.
1.1.2.1 Start Up

Event                                        Top LED                  Bottom LED
Power off                                    Off                      Off
Power On Self Test (POST) running            All colors in rotation   All colors in rotation
POST succeeded                               Blue solid               Blue solid

1.1.2.2 Primary

Event                                        Top LED                  Bottom LED
Active (Continually Adopting Access Ports)   Blue blinking            Blue solid
No License to Adopt                          Amber blinking           Amber blinking

1.1.2.
LED states for the Upper left and Upper right LEDs:

LED State        Meaning
Off              10 Mbps link rate
Green steady     100 Mbps link rate
Amber steady     1 Gigabit link rate
Off              The port isn’t linked
Green steady     The port is linked
Green blinking   The port is linked and active

1.2 Software Overview
The switch includes a robust set of features. This section provides an overview of the software and features.
1.2.1.1 Installation Feature
The upgrade/downgrade of the switch can be performed at boot time using one of the following methods:
• Web UI
• DHCP
• CLI
• SNMP
• Patches

NOTE: HTTPS must be enabled to access the switch Web UI. Ensure that HTTPS access has been enabled before using the login screen to access the switch Web UI.

The switch platform has sufficient non-volatile memory to store multiple firmware images. The switch stores an active and a passive firmware image.
• RAM tests, Real Time Clock tests, etc.
3. Manufacturing Diagnostics – Manufacturing diagnostics are a set of diagnostics used by manufacturing to inspect the quality of hardware.

1.2.1.5 Serviceability
A special set of Service CLI commands is available to provide additional troubleshooting capabilities for service personnel (for example, checking that the time critical processes were started), access to Linux services, panic logs, etc.
• Up to 12 switch redundancy members supported per group. Each member is capable of tracking statistics for the entire group in addition to their own.
• Each redundancy group is capable of supporting an Active/Active configuration. Each redundancy group can support two or more primary members, each responsible for group load sharing.
• Members within the same redundancy group can be deployed across different subnets and maintain their interdependence as redundancy group members.
• Self Healing
• Wireless Capacity
• AP and MU Load Balancing
• Wireless Roaming
• Power Save Polling
• QoS
• Wireless Layer 2 Switching
• Automatic Channel Selection
• WMM-Unscheduled APSD

1.2.2.1 Physical Layer Features
802.
destination IP address and/or TCP/UDP port number. Rate limiting allows the definition of two rates: a guaranteed minimum bandwidth and a second burst size. Rate limiting is performed as part of the flow control process (WISP protocol) between access ports and the switch.

1.2.2.3 Proxy-ARP
Proxy ARP is provided for MUs in PSP mode whose IP address is known. The WLAN generates an ARP reply on behalf of an MU, if the MU's IP address is known.
on the Motorola Web site) for a use case on hotspot deployment. For information on configuring a hotspot, see Configuring Hotspots on page 4-29.

1.2.2.5 IDM (Identity Driven Management)
Radius authentication is performed for all protocols using a Radius-based authentication scheme such as EAP. Identity driven management is provided using a Radius client.
• Self Healing Actions — When an AP fails, actions are taken on the neighbor APs to do self-healing.

Detector APs
Configure an AP in either Data mode (the regular mode) or Detector mode. In Detector mode, the AP scans all channels at a configurable rate and forwards received beacons to the switch. The switch uses the received information to establish a receive signal strength baseline over a period of time and initiates self-healing procedures (if necessary).
MU Balancing Across Multiple APs
As per the 802.11 standard, AP and MU association is a process conducted independently of the switch. 802.11 provides message elements used by the MU firmware to influence the roaming decision. The switch implements the following MU load balancing techniques:
• 802.11e admission control — 1 byte: channel utilization % and 1 byte: MU count are sent in the QBSS Load Element in beacons to the MU.
L3 Roaming
L3 roaming works with switches in the mobility domain to exchange mobility related control information. This includes IP addresses, Media Access Control (MAC) address information and the HS-VLAN-id of all MUs in the mobility-domain. A consistent peer configuration results in full-mesh sessions required for L3 roaming to work correctly. Peering sessions use Transmission Control Protocol (TCP) as the transport layer protocol to carry mobility update messages.
When multiple BSSIDs are enabled, you cannot tell by snooping the air whether any pair of beacons is sent out by the same physical AP or by different physical APs. Hence the term "virtual APs": each virtual AP behaves exactly like a single-BSSID AP. Each BSSID supports 1 Extended Service Set Identifier (ESSID). Sixteen ESSIDs per switch are supported.

1.2.2.11 Power Save Polling
An MU uses Power Save Polling (PSP) to reduce power consumption.
disconnect. With QoS, the VoIP conversation (a real-time session) receives priority, maintaining a high level of voice quality.
flow having UPSD enabled. After the AP acknowledges the trigger frame, it transmits the frames in its UPSD power save buffer addressed to the triggering switch. UPSD is well suited to support bi-directional frame exchanges between a voice STA and its AP.

1.2.3 Wired Switching
The switch includes the following wired switching features:
• DHCP Servers
• DDNS
• GRE Tunneling
• VLAN Enhancements
• Interface Management
• Multiple WLAN Support

1.2.3.
• When packets are received on the GRE tunnel interface by the switch, the switch decapsulates the GRE header and forwards the IP packet to the MU based on the destination IP address. The MAC address of the MU is obtained from the MU table.

1.2.3.4 VLAN Enhancements
The switch has incorporated the following VLAN enhancements:
• Physical port (L2) is now operated in Trunk Mode or Access Mode.
• A VLAN now allows an AP to receive and send only untagged packets.
1.2.5 Security Features
The switch security can be classified into wireless security and wired security. The switch includes the following Wireless Security features:
• Encryption and Authentication
• MU Authentication
• Secure Beacon
• MU to MU Allow
• MU to MU Disallow
• Switch-to-Wired
• 802.1x Authentication
• IEEE 802.
WPA
WPA is designed for use with an 802.1X authentication server, which distributes different keys to each user; however, it can also be used in a less secure pre-shared key (PSK) mode, where every user is given the same passphrase. WPA uses Temporal Key Integrity Protocol (TKIP), which dynamically changes keys as the system is used. When combined with the much larger Initialization Vector, it defeats well-known key recovery attacks on WEP.
uses the MAC address of the MU as both the username and password (this configuration is also expected on the Radius server). MAC-Auth supports all encryption types, and (in case of 802.11i) the handshake is allowed to be completed before the Radius lookup begins. For information on configuring 802.1x EAP for a WLAN, see Configuring Dynamic MAC ACL on page 4-36.

1.2.5.
If no response is received from the EAPOL start message, or if the authentication attempt is not successful, the AP300 continues to transmit Hello messages followed by LoadMe messages. If a parent reply is received in response to the Hello, then downloading continues normally, without authentication. In this case, you need not enable or disable the port authentication.

802.
as intruding MUs try to find network vulnerabilities. Basic forms of this behavior can be monitored and reported without needing a dedicated WIPS. When the parameters exceed a configurable threshold, the switch generates an SNMP trap and reports the result via the management interfaces. Basic WIPS functionality does not require monitoring APs and does not perform off-channel scanning.
SNMP Trap on discovery
An SNMP trap is sent for each detected and Rogue AP. Rogue APs are only detected, and notification is provided via a SNMP trap.

NOTE: Wired side scanning for Rogue APs using WNMP is not supported. Similarly, Radius lookup for approved AP is not provided.

Authorized AP Lists
The switch allows you to configure a list of authorized access ports based on their MAC addresses.
• Site-Site VPN — For example, traffic from one company branch office to another branch office over an unsecured link between the two locations.
• Remote VPN — Provides remote users the ability to access company resources from outside the company premises.

The switch supports:
• IPSec termination for site to site
• IPSec termination for remote access
• IPSec traversal of firewall filtering
• IPSec traversal of NAT
• IPSec/L2TP (client to switch)

1.2.5.
Switch Web UI Access and Image Upgrades

The content of this chapter is segregated amongst the following:
• Accessing the Switch Web UI
• Switch Password Recovery
• Upgrading the Switch Image
• Auto Installation
• Downgrading the Switch Image
• AP-4131 Access Point to Access Port Conversion

2.1 Accessing the Switch Web UI

2.1.1 Web UI Requirements
The switch Web UI is accessed using Internet Explorer version 5.5 (or later) and SUN JRE (Java Runtime Environment) 1.5 (or later).
2.1.2 Connecting to the Switch Web UI
To display the Web UI, launch a Web browser on a computer with the capability of accessing the switch.

NOTE: Ensure you have HTTP connectivity to the switch, as HTTP is required to launch the switch Web UI from a browser.

To display the switch Web UI:
1. Point the browser to the IP address assigned to the wired Ethernet port (port 2). Specify a secure connection using the https:// protocol.
of firmware running on the switch, quickly assess the last 5 alarms generated by the switch, view the status of the switch’s Ethernet connections and view switch CPU and memory utilization statistics.

NOTE: The chapters within this System Reference Guide are arranged to be complementary with the main menu items in the menu tree of the switch Web UI. Refer to this content to configure switch network addressing, security and diagnostics as required.

2.
2.3 Upgrading the Switch Image
The switch ships with a factory installed firmware image with the full feature functionality described in this System Reference Guide. However, Motorola periodically releases switch firmware that includes enhancements or resolutions to known issues. Verify your current switch firmware version with the latest version available from the Motorola Web site before determining if your system requires an upgrade.
3. From the WS5100 running either 1.4.x or 2.x, create a configuration and save it on the switch.
WS5100# save <.cfg>
This is the configuration that will be upgraded to the new 3.x baseline.

NOTE: Motorola recommends saving a copy of the switch configuration to a secure location before the upgrade. If an error occurs with the upgrade, a viable configuration will be needed to restore on the switch.

4. Copy the configuration file <.
For the static case (where the URLs for the configuration and image files are not supplied by DHCP), the URLs can be specified using the CLI, SNMP or Applet. Use the CLI to define the expected firmware image version. If the image version is not specified, it is derived from the file name. If it cannot be derived from the file name, the system will attempt to load something other than what it is currently running.
After this configuration update, any switch reboot with DHCP enabled on the RON port will trigger an auto install, provided the DHCP Server is configured with appropriate options. The "enables" are cleared using the no autoinstall URLs and the version string are set as text and can be cleared using an empty pair of double quotes to denote the blank string.
3. Select the AP Installation main menu item.
4. From the IP Address field, enter a new IP address (if required) and select Save-[F1] to save the change. If the IP address was changed, you will need to reset the AP for the change to be implemented.
5. Reset the AP if you changed the AP's IP address, by displaying the System Summary and selecting the Reset AP option. If you reset the AP-4131 you will need to login as Admin again.
6. Select the Special Functions main menu item.
7. Select the Firmware Update Menu-[F3] menu item.
8. Select the Alter Filename(s)/HELP URL/TFTP Server menu item.
   a. Confirm that the Firmware File Name is correct, make changes as needed.
   b. Enter the IP address of your TFTP server, select enter.
   c. Select F1 to save your changes.
9. Select Firmware under the Use TFTP to update Access Point's option.
10. Select yes when asked to confirm.
11.
Switch Information

This chapter describes the Switch main menu information used to configure the switch. This chapter consists of the following sections:
• Viewing the Switch Interface
• Viewing Switch Port Information
• Viewing Switch Configurations
• Viewing Switch Firmware Information
• Configuring Automatic Updates
• Viewing the Switch Alarm Log
• Viewing Switch Licenses
• How to use the Filter Option

NOTE: HTTPS must be enabled to access the switch applet.
NOTE: When the switch’s configuration is successfully updated (using the Web UI), the affected screen is closed without informing the user their change was successful. However, if an error were to occur, the error displays within the affected screen’s Status field and the screen remains displayed.
4. Refer to the System field to view or define the following information:
System Name - Displays the designated read-only system name. Select a system name serving as a reminder of the user base the switch supports (engineering, retail, etc.).
Location - The Location is used to define the location of the switch. The Location parameter acts as a reminder of where the switch can be found. Use the System Name field as a specific identifier of the switch’s location.
8. Click the Reset Password button to display a screen to reset your password to a new value. Enter the new password within the Password and Confirm Password fields and click OK.
9. Click the Apply button to save the updates (to Time Zone or Country).
10. Click the Revert button to undo any changes.

3.1.1.1 Viewing Dashboard Details
The switch dashboard represents a high-level (graphical) overview of central switch processes.
The Dashboard screen displays the current health of the switch and is divided into the following fields:
• Alarms
• Ports
• Environment
• CPU Memory
• File Systems

Apart from the sections mentioned above, it also displays the following:

Displays the status of the switch. The status can be either Active or Inactive.
• Active — Is denoted with a green dot.
• Standby — Is denoted with a red dot.

Displays the current Firmware value of the current software running on the wireless switch.
2. Refer to the Ports field for link, speed, duplex, POE Status of each physical port on the front panel. It displays the following details in a tabular format:
Name - Displays the name of the port, either Ethernet1 or Ethernet 2.
Status - Displays the status of the port, either Up or Down.
Speed - Displays the speed at which the port transmits or receives data.
Duplex - Displays the status of the port, either Full Duplex or Unknown.
3.
3. Refer to the Switch Statistics area for the following read-only information about associated MUs:
Number of MUs Associated - Displays the total number of MUs currently associated to the switch.
Number of APs Adopted - Displays the total number of access ports currently adopted by the switch.
Number of Radios Adopted - Displays the total number of radios currently adopted by the switch.
4.
Average Number of Retries - Displays the average number of retries for all MUs associated with the switch. The number in black represents average retries for the last 30 seconds and the number in blue represents average retries for the last hour.
% Gave Up Pkts - Displays the percentage of packets which the switch gave up on for all MUs associated with the switch.
Name - Displays the current port name. By default, eth1 and eth2 are available.
MAC Address - Displays the port’s MAC Address. This value is read-only, set at the factory and cannot be modified.
Admin Status - Displays whether the port is currently Up or Down.
Speed - Displays the current speed of the data transmitted and received over the port.
Duplex - Displays the port as either half or full duplex.
3. Select a port and click the Edit button to modify the port configuration.
Name - If necessary, modify the read-only name assigned to the port.
Speed - Select the speed at which the port can receive and transmit the data. You can select from either of the following ranges:
• 10 Mbps
• 100 Mbps
• 1000 Mbps
• Auto
Duplex - Modify the duplex status of the switch by selecting one of the following options:
• Half
• Full
• Auto
Description - Enter a brief description for the port.
2. Select the Runtime tab to display the following read-only information:
Name - Displays the port's current name.
MAC Address - Displays the port’s MAC Address. This value is read-only, set at the factory and cannot be modified.
Oper Status - Displays the operational status of the port. The port status can be either Up or Down.
Speed - Displays the current speed of the data transmitted and received over the port.
Duplex - Displays the port as either half or full duplex.
2. Select the Statistics tab.
3. Refer to the Statistics tab to display the following read-only information:
Name - Defines the port name (as either uplink or downlink).
Bytes In - Displays the total number of bytes received by the port.
Packets In - Displays the total number of packets received by the port.
Packets In Dropped - Displays the number of packets dropped by the port. If the number appears excessive, a different port could be required.
3.2.3.1 Detailed Port Statistics
To view detailed statistics for a port:
1. Select a port from the table displayed within the Statistics screen.
2. Click the Details button.
3. The Interface Statistics screen displays. This screen displays the following statistics for the selected port:
Name - Displays the port name.
MAC Address - Displays the physical address information associated with the interface. This address is read-only (hard-coded at the factory) and cannot be modified.
Output Unicast Packets - Displays the number of unicast packets (packets directed towards a single destination address) transmitted from the interface.
Output NonUnicast Packets - Displays the number of non-unicast packets transmitted from the interface.
Output Total Packets - Displays the total number of packets transmitted from the interface.
Output Packets Dropped - Displays the number of transmitted packets dropped at the interface.
The Interface Statistics screen displays for the selected port. The screen provides the option to view statistics for the following:
• Input Bytes
• Input Pkts Dropped
• Output Pkts Total
• Output Pkts Error
• Input Pkts Total
• Input Pkts Error
• Output Pkts NUCast
• Input Pkts NUCast
• Output Bytes
• Output Pkts Dropped
3. Select any of the above parameters by selecting the checkbox associated with it.
3.3 Viewing Switch Configurations
Use the Configurations screen to review the configuration files available to the switch. The details of each file can be viewed individually. Optionally, you can edit the file to modify its name or use the file as the startup configuration. A file can be deleted from the list of available configurations or transferred to a user specified location.
Created - Displays the date and time each configuration file was created. Use this information as a baseline for troubleshooting problems by comparing event log data with configuration file creation data.
Modified - Displays the date and time each configuration file was last modified. Compare this column against the Created column to discern which files were modified and make informed decisions whether existing files should be further modified or deleted.
2.
3. The Main screen displays the contents of the configuration file. Use the up and down navigation facilities on the right-hand side of the screen to view the entire page.
4. The Page parameter displays the portion of the configuration file currently displayed in the main viewing area. The total number of pages in the file is displayed to the right of the current page.
3. Select the Copy this file as the system startup config checkbox to use this configuration file as the switch configuration on the next boot. Ensure this file meets the switch’s initial (startup) configuration requirements before selecting this option.
4. Refer to the Status field for the current state of the requests made from the applet. Requests are any “SET/GET” operation from the applet.
Password - Enter the Password required to send the configuration file from an FTP server.
Path - Specify the appropriate Path name to the target directory on the local system disk or server. The Target options are different depending on the target selected.
3. Refer to the Target field to specify the details of the target file.
To - Use the To drop-down menu to define the location of the configuration file.
To view the firmware files available to the switch:
1. Select Switch > Firmware from the main menu tree.
2. Refer to the following information displayed within the Firmware screen:
Image - Displays whether a firmware image is the primary image or a secondary image. The primary image is typically the image loaded when the switch boots.
Version - Displays a unique alphanumeric version name for each firmware version listed.
2. Click the Edit button. The Firmware screen displays the current firmware version and whether this version is used for the next reboot.
3. Select the checkbox to use this version on the next boot of the switch.
4. To edit the secondary image, select the secondary image, click the Edit button and select the Use this firmware on next reboot checkbox. This firmware version will now be the file initiated after the next reboot of the switch.
5.
3.4.3 Updating the Switch Firmware
Use the Update screen to update the firmware version currently used by the switch.

NOTE: When performing a firmware update using the switch CLI, use the following syntax (specific to FTP): ftp://username:password@ipaddress:port/path/filename. If using TFTP, use tftp://ipaddress/path/filename.

1. Select an image from the table in the Firmware screen.
2. Click the Update Firmware button.
3.
12. Refer to the Status field for the current state of the requests made from the applet. Requests are any “SET/GET” operation from the applet. The Status field displays error messages if something goes wrong in the transaction between the applet and the switch.
13. Click Cancel to close the dialog without committing updates to the running configuration.

3.
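The CLI syntax in the 3.4.3 note places the FTP username and password inside the update URL, and FTP and TFTP do not encrypt what they carry. The Python check below is an added example, not part of the Motorola guide: it validates a URL against the two documented forms and returns a copy with the password masked, suitable for logs or change tickets. The finding codes, the `****` mask and the sample address and file name are assumptions made for the example; HTTP and SFTP are accepted because the guide lists them as transfer protocols for automatic updates.

```python
import ipaddress
from urllib.parse import urlsplit, urlunsplit

# Transfer protocols named in the guide -> is the transport encrypted?
PROTOCOLS = {"ftp": False, "tftp": False, "http": False, "sftp": True}

# Finding codes are labels invented for this example.
FINDINGS = {
    "cleartext-transport": "file and any credentials cross the network unencrypted",
    "password-in-url": "password is part of the command line; mask it before logging",
    "no-authentication": "TFTP has no login, so the server cannot tell who is asking",
}


def audit_update_url(url):
    """Validate ftp://user:pass@ip:port/path/file or tftp://ip/path/file.

    Returns {"url": <password-masked URL>, "findings": [<codes>]}.
    Raises ValueError when the URL does not match the documented syntax.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in PROTOCOLS:
        raise ValueError(f"unsupported protocol {scheme!r}")

    # The documented forms use an IP address, not a DNS name.
    try:
        ip = ipaddress.ip_address(parts.hostname or "")
    except ValueError:
        raise ValueError(f"host {parts.hostname!r} is not an IP address") from None

    # urlsplit itself raises ValueError for a non-numeric or >65535 port.
    port = parts.port
    if port == 0:
        raise ValueError("port must be in 1-65535")

    # A file name must follow the last '/'.
    if not parts.path or parts.path.endswith("/"):
        raise ValueError("URL does not name a file")

    if scheme == "tftp" and parts.username is not None:
        raise ValueError("the TFTP form takes no username or password")

    findings = []
    if not PROTOCOLS[scheme]:
        findings.append("cleartext-transport")
    if parts.password is not None:
        findings.append("password-in-url")
    if scheme == "tftp":
        findings.append("no-authentication")

    # Rebuild the authority part with the password masked.
    netloc = f"[{ip}]" if ip.version == 6 else str(ip)
    if port is not None:
        netloc += f":{port}"
    if parts.username is not None:
        secret = ":****" if parts.password is not None else ""
        netloc = f"{parts.username}{secret}@{netloc}"

    masked = urlunsplit((scheme, netloc, parts.path, parts.query, parts.fragment))
    return {"url": masked, "findings": findings}


if __name__ == "__main__":
    # Constructed sample inputs (192.0.2.0/24 is a documentation range).
    for sample in (
        "ftp://admin:s3cret@192.0.2.10:21/images/firmware.img",
        "tftp://192.0.2.10/images/firmware.img",
        "sftp://admin@192.0.2.10/images/firmware.img",
    ):
        result = audit_update_url(sample)
        print(result["url"])
        for code in result["findings"]:
            print("  -", code + ":", FINDINGS[code])
```
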
File Name (With Path) - Provide the complete and accurate path to the location of the configuration files on the server. This path must be accurate to ensure the most recent file is retrieved.
Protocol - Use the Protocol drop-down menu to specify the FTP, TFTP, HTTP, SFTP or resident switch FLASH medium used for the file update from the server. FLASH is the default setting.
Password - Enter the password required to access the server.
3.
3.6 Viewing the Switch Alarm Log
Use the Alarm Log screen as an initial snapshot for alarm log information. Use this screen to expand alarms for greater detail, delete alarms, acknowledge alarms or export alarm data to a user-specified location.

To view switch Alarm Log information:
1. Select Switch > Alarm Log from the main menu tree.
2. Use the Alarm Log screen’s filtering options as required to view alarm log data by page or by the entire content.
3.
Time Stamp - Displays the date, year and time the alarm was raised (as well as the time zone of the system). The Time Stamp only states the time the alarm was generated, not the time it was acknowledged.
Severity - Displays the severity level of the event. Use this (non numerical and verbal) description to assess the criticality of the alarms.
3. Refer to the fields within the Details screen for the following information:
Severity - Displays the severity of the event. Use these numeric identifiers to assess the criticality of this specific alarm. The Severity classes include: Critical, Major, Warning, Informational and Normal.
Description - Displays the details of the alarm log event.
2. Refer to the Install License field for the following information:
License Key - Enter the license key required to install a particular feature. The license key is provided when you supply the switch MAC address to Motorola customer care.
Feature Name - The name of the feature you wish to install/upgrade using the license.
3. Click the Install button to install the selected license.
4.
2. Enter the filter criteria as per the options provided in the Filter Option zone.
3. The fields in the Filter Option zone are populated with the parameters of the screen in which it appears. Filtering is always conducted for the entire table.
4. Click the Filter Entire Table button to filter the entire table in which the filter zone appears. The result of the filtering operation displays at the bottom of the table.
5.
Network Setup

This chapter describes the Network Setup menu information used to configure the switch.
To view the switch’s Network configuration:
1. Select Network from the main menu tree.
2. Refer to the following information to discern if configuration changes are warranted:
DNS Servers: Displays the number of DNS Servers configured thus far for use with the switch. For more information, see Viewing Network IP Information on page 4-3.
IP Routes: Displays the number of IP routes for routing packets to a defined destination.
Access Ports: Displays the number of Access Ports (APs) active on the switch. Access ports can be added or existing APs can have their VLAN assignments changed, their descriptions modified and their current authentication and encryption schemes modified. For more information, see Viewing Access Port Information on page 4-64.
Radios: Displays the number of AP radios detected over the switch managed network.
3. The Domain Name System tab displays DNS details in a tabular format.
Server IP Address: Displays the IP address of the domain name server(s) the system can use for resolving domain names to IP addresses. Domain look up order is determined by the order of the servers listed. The first server queried is the first server displayed. Therefore, ensure obsolete addresses are periodically removed.
1. Click the Global Settings button in the main Domain Network System screen. A Configuration screen displays allowing you to edit the DNS settings of the server.
2. Select the Domain Look Up checkbox to enable the switch to query domain name servers to resolve domain names to IP addresses.
NOTE: The order of look up is determined by the order of the servers within Domain Name System tab. The first server queried is the first server displayed.
3. Enter a Domain Name in the text field.
3. The read-only IP Forwarding tab displays the current status between VLANs. To toggle the status of routing between VLANs, use the Enable/Disable options located at the bottom of the screen. The following details display in the table:
Destination Subnet: Displays the mask used for destination subnet entries. The Subnet Mask is the IP mask used to divide internet addresses into blocks (known as subnets). A value of 255.255.255.
Route Metric: The Route Metric is used for selecting the best available path. If there are multiple routes for a particular destination address, the packets are forwarded on the basis of the route metric. Routes with lower metric value are given higher preference. A routing protocol uses the route metric to determine which routes to include in the routing table when it has two available routes to the same destination from a single routing protocol (static, RIP, OSPF etc).
6. Click OK to use the changes to the running configuration and close the dialog.
7. Click Cancel to close the dialog without committing updates to the running configuration.
4.2.3 Viewing Address Resolution
The Address Resolution table displays the mapping of layer three (IP) addresses to layer two (MAC) addresses. To view the details of the tab:
1. Select Network > Internet Protocol from the main tree menu.
2. Select the Address Resolution tab.
3.
4.3 Viewing and Configuring Layer 2 Virtual LANs
A virtual LAN (VLAN) is similar to a Local Area Network (LAN); however, devices do not need to be connected to the same segment physically. Devices perform as if they are connected to the same LAN, but they may be connected at various physical connections across the LAN segment. The VLAN can be connected at various physical points but react as if it were connected directly.
Name: Displays the name of the VLAN to which the switch is currently connected. It can be either ethernet 1 or ethernet 2.
Mode: It can be either Access or Trunk.
• Access – This ethernet interface accepts packets only from the native VLANs.
• Trunk – The Ethernet interface allows packets from the given list of VLANs that you add to the trunk.
Native VLAN: Displays the tag assigned to the native VLAN.
4.3.1 Editing the Details of an Existing VLAN
To revise the configuration of an existing VLAN:
1. Select Network > Virtual LANs from the main menu tree.
2. Select an Ethernet for which you want to configure the VLAN and click on the Edit button. The system prompts you with a Port VLAN Change Warning message stating communication disruptions could occur with the switch.
3. Click OK to continue.
4.
Native VLAN: Use this field to change the tag assigned to the native VLAN.
Allowed VLANs: This section has the following 2 options (and is only available when Trunk is selected from the Mode drop-down menu):
• No VLANs – Select this option if you do not wish to add any additional VLANs.
• Selected VLANs – Select this option if you wish to add additional VLANs.
6. Refer to the Status field for the current state of the requests made from applet.
The following configuration details display in the table:
Name: Displays the name of the virtual interface.
VLAN ID: Displays the VLAN ID associated with the interface.
DHCP: Displays whether the DHCP client is enabled or not. A green check mark defines the DHCP client as enabled for the interface. A red X means the interface is disabled.
IP Address: Displays the IP address for the virtual interface.
Subnet Mask: Displays the subnet mask assigned for this interface.
6. Select an interface and click the Startup button to invoke the selected interface the next time the switch is booted.
7. Select an interface and click the Shutdown button to disable the selected interface.
4.4.1.1 Adding a Virtual Interface
To add a new virtual interface:
1. Select Network > Switch Virtual Interface from the main tree menu.
2. Select the Configuration tab.
3. Click on the Add button.
4. Enter the VLAN ID for the switch virtual interface.
2. Select the Configuration tab and click the Edit button. The screen displays with the name of the VLAN in the upper left-hand side. The VLAN ID cannot be modified and should be used to associate the VLAN ID with the description and IP address assignments defined.
3. Unselect the Use DHCP to obtain IP Address automatically checkbox if you want to assign IP addresses manually and do not want DHCP to provide them.
4.
2. Select the Statistics tab.
3. Refer to the following details as displayed within the Statistics tab:
Name: Displays the user defined interface name. The corresponding statistics are displayed along the row. The statistics are the total traffic to the interface since its creation.
Bytes In: Displays the number of bytes coming into the interface. The status is not self-updated periodically. To view the current status, click on the Details button.
Packets In Error: Displays the number of error packets coming into the interface. It includes:
• Runt frames — Packets shorter than the minimum Ethernet frame length (64 bytes).
• CRC errors — The Cyclical Redundancy Check (CRC) is the 4 byte field at the end of every frame the receiving station uses to interpret if the frame is valid. If the CRC value computed by the interface does not match the value at the end of the frame, it is considered a CRC error.
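The two input error classes defined above, shown as an added example that is not part of the guide: a Python sketch that classifies raw Ethernet frames as runt, CRC error or valid, using the standard CRC-32 frame check sequence. The function names and the sample frames are constructed for illustration.

```python
import struct
import zlib

MIN_FRAME_LEN = 64  # minimum Ethernet frame length in bytes, FCS included
FCS_LEN = 4         # the CRC field at the end of every frame


def fcs_for(data):
    """Return the 4-byte frame check sequence for the given frame bytes."""
    # Ethernet uses the same CRC-32 as zlib, sent least significant byte first.
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def make_frame(payload, pad=True):
    """Build a constructed test frame: header + payload (+ padding) + FCS."""
    header = (bytes.fromhex("ffffffffffff")      # destination MAC (broadcast)
              + bytes.fromhex("020000000001")    # source MAC (locally administered)
              + bytes.fromhex("0800"))           # EtherType IPv4
    if pad:
        payload = payload.ljust(46, b"\x00")     # 14 + 46 + 4 = 64 bytes
    body = header + payload
    return body + fcs_for(body)


def classify_frame(frame):
    """Classify one received frame as 'runt', 'crc_error' or 'ok'."""
    # Length is checked first, so a short frame is reported as a runt
    # whether or not its CRC happens to be valid.
    if len(frame) < MIN_FRAME_LEN:
        return "runt"
    body, received_fcs = frame[:-FCS_LEN], frame[-FCS_LEN:]
    return "ok" if fcs_for(body) == received_fcs else "crc_error"


def count_input_errors(frames):
    """Tally frames per class, like the counters behind Packets In Error."""
    counts = {"ok": 0, "runt": 0, "crc_error": 0}
    for frame in frames:
        counts[classify_frame(frame)] += 1
    return counts


# Constructed sample frames (not captured traffic).
GOOD = make_frame(b"hello")
RUNT = make_frame(b"short", pad=False)           # 23 bytes, below the minimum
_damaged = bytearray(GOOD)
_damaged[20] ^= 0x01                             # flip one payload bit in transit
CORRUPT = bytes(_damaged)

if __name__ == "__main__":
    print(count_input_errors([GOOD, CORRUPT, RUNT, GOOD]))
```
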
2. Click the Details button.
3. The Interface Statistics screen displays with the following content:
Name: Displays the title of the logical interface selected.
MAC Address: Displays physical address information associated with the interface. This address is read-only (hard-coded at the factory) and cannot be modified.
Input Bytes: Displays the number of bytes received by the interface.
Output Packets Dropped: Displays the number of transmitted packets dropped at the interface. Output Packets Dropped are the packets dropped when the output queue of the physical device associated with interface is saturated.
Output Packets Error: Displays the number of transmitted packets with errors at the interface. Output Packet Errors are the sum of all the output packet errors, malformed packets and misaligned packets received on an interface.
4.
NOTE: Do not select more than four parameters at any given time.
4. Refer to the Status field for the current state of the requests made from applet. This field displays error messages if something goes wrong in the transaction between the applet and the switch.
5. Click Close to close the dialog.
4.5 Viewing and Configuring Switch WLANs
A wireless LAN (WLAN) is a local area network (LAN) without wires.
updates to a WLAN’s description and their current authentication and encryption schemes. Be careful to properly map BSS WLANs and security schemes. The WS5100 supports 32 WLANs.
To configure a WLAN:
1. Select Network > Wireless LANs from the main menu tree.
2. Click the Configuration tab. The Configuration tab displays the following details:
Index: Displays the WLAN’s numerical identifier. The WLAN index range is from 1 to 32.
3. Click the Edit button to display a screen where WLAN information, encryption and authentication settings can be viewed or changed.
4. Click the Enable button to enable the selected WLAN. When enabled, a green check mark displays. When disabled, a red "X" displays. To enable or disable a WLAN, select it from the table and click the Enable or Disable button. The Enable button is only available when the selected WLAN is disabled.
5.
4. Click the Edit button. The Wireless LANs Edit screen is divided into the following user-configurable fields:
• Configuration
• Authentication
• Encryption
• Advanced
5. Refer to the Configuration field to define the following WLAN values:
ESSID: Displays the Service Set ID associated with each WLAN. If changing the SSID, ensure the value used is unique.
Name: If editing an existing WLAN, ensure its description is updated accordingly to best describe the intended function of the WLAN.
VLAN ID: Select the VLAN ID checkbox to change the VLAN designation for this WLAN. By default, all WLANs created are assigned to VLAN 1. Select the Dynamic Assignment checkbox for an automatic VLAN assignment for this WLAN. The WS5100 Series Switch cannot route traffic between different VLANs on ETH1 and ETH2. Be cognizant of this limitation when planning to route traffic between different VLANs.
WPA-WPA2-TKIP: Use the WPA-TKIP radio button to enable Wi-Fi Protected Access (WPA) with Temporal Key Integrity Protocol (TKIP). For detailed information on configuring TKIP for the WLAN, see Configuring WPA/WPA2 using TKIP and CCMP on page 4-43.
WPA2-CCMP: WPA2 is a newer 802.11i standard that provides even stronger wireless security than Wi-Fi Protected Access (WPA) and WEP. CCMP is the security standard used by the Advanced Encryption Standard (AES).
Access Category: Displays the Access Category for the intended AP traffic. The Access Categories are the different WLAN-WMM options available to the radio.
server on the wired side of the switch. All other packet types are blocked until the authentication server (typically, a RADIUS server) verifies the MU’s identity.
NOTE: As part of the EAP configuration process, ensure a primary and optional secondary Radius server have been properly configured to authenticate the users requesting access to the EAP protected WLAN. For more information on configuring Radius Server support for the EAP 802.
across an insecure network connection. Once a MU and server prove their identity, they can encrypt all communications to assure privacy and data integrity. Kerberos can only be used with Motorola clients.
CAUTION: Kerberos makes no provisions for host security. Kerberos assumes it is running on a trusted host with an untrusted network.
9. Refer to the Status field for the current state of the requests made from applet. This field displays error messages if something goes wrong in the transaction between the applet and the switch.
10. Click OK to use the changes to the running configuration and close the dialog.
11. Click Cancel to close the dialog without committing updates to the running configuration.
login.html. The client is now redirected to the Login.htm web page of the hotspot instead of landing on their destination Web site (www.xyz.com). The client enters its identification information and is authenticated with the Radius server. Upon successful authentication, the client is presented with the Welcome.htm page. All client traffic from this point forward is authenticated and is forwarded to the Internet (until the user session expires).
1. Select Network > Wireless LANs from the main menu tree. Select an existing WLAN from those displayed within the Configuration tab and click the Edit button.
2. Select the Hotspot button from within the Authentication field. Ensure Internal is selected from within the This WLAN’s Web Pages are of the drop-down menu.
3.
Main Logo URL: Displays the URL for the main logo image displayed on the Failed page when using the switch’s internal Web server. This option is only available if Internal is chosen from the drop-down menu above.
Descriptive Text: Specify any additional text containing instructions or information for the users who access the Failed page. This option is only available if Internal is chosen from the drop-down menu above.
2. Select the Hotspot button from within the Authentication field. Ensure External is selected from within the This WLAN’s Web Pages are of the drop-down menu.
3. Refer to the External Web Pages field and provide the Login, Welcome and Failed Page URLs used by the external Web server to support the hotspot.
Login Page URL: Define the complete URL for the location of the Login page. The Login screen will prompt the hotspot user for a username and password to access the Welcome page.
5. Refer to the Status field for the current state of the requests made from applet. This field displays error messages if something goes wrong in the transaction between the applet and the switch.
6. Click OK to use the changes to the running configuration and close the dialog.
7. Click Cancel to close the dialog without committing updates to the running configuration.
4. Select the Hotspot button from within the Authentication field. Ensure Advanced is selected from within the This WLAN’s Web Pages are of the drop-down menu.
NOTE: Advanced hotspot configuration is not permissible using the switch Web UI. Refer to the switch CLI or other advanced configuration options to define a hotspot with advanced properties. However, the switch can still install and maintain directories containing Web page content.
5.
g. Once the location and settings for the advanced hotspot configuration have been defined, click the Install button to use the hotspot configuration with the switch.
6. Refer to the Allow List field, and enter any IP address (for internal or external Web sites) that may be accessed by the Hotspot user without authentication.
NOTE: In certain instances, an associated MU may not be able to ping the host within the hotspot.
3. Click the Edit button.
4. Select either the EAP 802.1x, Hotspot or Dynamic MAC ACL button from within the Authentication field. This enables the Radius Config... button at the bottom of the Network > Wireless LANs > Edit screen.
5. Select the Radius Config... button. The Radius Configuration screen displays for defining an external Radius Server.
6. Refer to the Server field and define the following credentials for a primary and secondary Radius server.
7. Refer to the Accounting field and define the following credentials for a primary and secondary Radius Server.
Accounting Server Address: Enter the IP address of the primary and secondary server acting as the Radius accounting server.
Accounting Port: Enter the TCP/IP port number for the primary and secondary server acting as the Radius accounting data source. The default port is 1813.
Configuring Motorola Specific Radius Server User Privilege Values
The following recommended Radius Server user privilege settings specify access privilege levels for those accessing the switch managed network. To define user privilege values, assign the following attributes in the external Radius Server:
1. Set the attribute number to 1 and its type as "integer."
2. Define the following possible decimal values for user access permissions:
a.
Configuring WEP 64
Wired Equivalent Privacy (WEP) is a security protocol specified in the IEEE Wireless Fidelity (Wi-Fi) standard. WEP is designed to provide a WLAN with a level of security and privacy comparable to that of a wired LAN. WEP 64 is a less robust encryption scheme than WEP 128 (shorter WEP algorithm for a hacker to duplicate), but WEP 64 may be all that a small-business user needs for the simple encryption of wireless data.
6. Use the Key #1-4 areas to specify key numbers. The key can be either a hexadecimal or ASCII. For WEP 64 (40-bit key), the keys are 10 hexadecimal characters in length or 5 ASCII characters. Select one of these keys for activation by clicking its radio button. Default (hexadecimal) keys for WEP 64 include:
Key 1: 1011121314
Key 2: 2021222324
Key 3: 3031323334
Key 4: 4041424344
7.
5. Specify a 4 to 32 character Pass Key and click the Generate button. The pass key can be any alphanumeric string. The switch and Motorola MUs use the algorithm to convert an ASCII string to the same hexadecimal number. MUs without Motorola adapters need to use WEP keys manually configured as hexadecimal numbers.
6. Use the Key #1-4 areas to specify key numbers. The key can be either a hexadecimal or ASCII.
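A configuration check for the Key #1-4 fields described in the WEP 64 and WEP 128 procedures above, as an added example that is not part of the guide: it validates each key's format and flags keys left at the WEP 64 defaults the guide lists. The function names and sample keys are constructed; the WEP 128 lengths (26 hexadecimal or 13 ASCII characters for a 104-bit key) are the standard values and are an assumption relative to this excerpt.

```python
import string

# Accepted key lengths per mode: (hexadecimal characters, ASCII characters).
# The WEP 64 lengths come from the guide; the WEP 128 lengths are the
# standard 104-bit key sizes (assumption, not shown in the excerpt).
KEY_LENGTHS = {"wep64": (10, 5), "wep128": (26, 13)}

# Default WEP 64 keys exactly as listed in the guide.
DEFAULT_WEP64_KEYS = {"1011121314", "2021222324", "3031323334", "4041424344"}


def normalize_key(mode, key):
    """Return the key as lowercase hex, or raise ValueError if malformed."""
    hex_len, ascii_len = KEY_LENGTHS[mode]
    if len(key) == hex_len and all(c in string.hexdigits for c in key):
        return key.lower()
    if len(key) == ascii_len and key.isascii() and key.isprintable():
        # ASCII keys are compared in their hexadecimal form.
        return key.encode("ascii").hex()
    raise ValueError(
        f"expected {hex_len} hexadecimal or {ascii_len} printable ASCII characters"
    )


def audit_wep_keys(mode, keys):
    """Check the configured key slots; return a list of (slot, finding)."""
    findings = []
    first_slot_for = {}  # normalized key -> first slot that used it
    for slot, key in enumerate(keys, start=1):
        try:
            hex_key = normalize_key(mode, key)
        except ValueError as exc:
            findings.append((slot, f"invalid: {exc}"))
            continue
        if mode == "wep64" and hex_key in DEFAULT_WEP64_KEYS:
            findings.append((slot, "factory default key"))
        if hex_key in first_slot_for:
            # The same key in two slots means selecting the other slot
            # does not actually change the key in use.
            findings.append((slot, f"duplicate of slot {first_slot_for[hex_key]}"))
        else:
            first_slot_for[hex_key] = slot
    return findings


# Constructed sample configuration (not taken from a real switch).
SAMPLE_WEP64_KEYS = ["1011121314", "A1b2C3d4E5", "hello", "a1b2c3d4e5"]

if __name__ == "__main__":
    for slot, finding in audit_wep_keys("wep64", SAMPLE_WEP64_KEYS):
        print(f"Key {slot}: {finding}")
```
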
Configuring WPA/WPA2 using TKIP and CCMP
Wi-Fi Protected Access (WPA) is a robust encryption scheme specified in the IEEE Wireless Fidelity (Wi-Fi) standard, 802.11i. WPA provides more sophisticated data encryption than WEP. WPA is designed for corporate networks and small-business environments where more wireless traffic allows quicker discovery of encryption keys by an unauthorized person. WPA's encryption method is Temporal Key Integrity Protocol (TKIP).
5. Select the Broadcast Key Rotation checkbox to enable the broadcasting of encryption-key changes to MUs. Only broadcast key changes when required by associated MUs to reduce the transmissions of sensitive key information. This value is enabled by default.
6. Refer to the Update broadcast keys every field to specify a time period (in seconds) for broadcasting encryption-key changes to MUs.
8. Optionally select one of the following from within the Fast Roaming (8021x only) field.
PMK Caching: Select Pairwise Master Key (PMK) caching to create a shared key between a client device and its authenticator. When a client roams between devices, the client's credentials no longer must be completely reauthenticated (a process that can take up to 100 milliseconds). In the instance of a voice session, the connection would likely be terminated if not using a PMK.
2. Click the Statistics tab.
3. Refer to the following details displayed within the table:
Last 30s: Click the Last 30s radio button to display statistics for the WLAN over the last 30 seconds.
Last Hr: Click the Last Hr radio button to display statistics for the WLAN over the last 1 hour.
Index: The Idx (or index) is a numerical identifier used to differentiate the WLAN from other WLANs that may have similar characteristics.
5. To view WLAN statistics in a graphical format, select a WLAN and click the Graph button. For more information, see Viewing WLAN Statistics in a Graphical Format on page 4-49.
6. To view WLAN packet data rates and retry counts, select a WLAN and click the Switch Statistics button. For more information, see Viewing WLAN Switch Statistics on page 4-51.
4.5.2.
5. Refer to the Information field for the following information:
ESSID: Displays the Service Set ID (SSID) for the selected WLAN.
VLAN: Displays the name of the VLAN the WLAN is associated with.
Num Associated Stations: Displays the total number of MUs currently associated with the selected WLAN.
Authentication Type: Displays the authentication method active on the selected WLAN.
8. Refer to the Errors field for the following information:
Average Number of Retries: Displays the average number of retries for all MUs associated with the selected WLAN. The number in black represents this statistic for the last 30 seconds and the number in blue represents this statistic for the last hour.
% Gave Up Pkts: Displays the percentage of packets the switch gave up on for all MUs associated with the selected WLAN.
2. Click the Graph button. The WLAN Statistics screen displays for the selected port.
3. Select any of the above listed parameters by clicking on the checkbox associated with it.
4. Click the Close button to exit the screen.
4.5.2.3 Viewing WLAN Switch Statistics
The Switch Statistics screen is recommended for displaying individual WLAN packet data rate and retry information. Therefore, the Switch Statistics screen is optimal for determining whether the data traffic within each WLAN meets its intended throughput speed based on the WLAN’s MU traffic requirements.
6. Refer to the Status field for the current state of the requests made from applet. This field displays error messages if something goes wrong in the transaction between the applet and the switch.
7. Click Refresh to update the Packet Rate and Retry Count data displayed within the screen.
8. Click Close to close the dialog and return to the Network > Wireless LANs > Statistics screen.
4.5.
ESSID: Displays the Service Set ID (SSID) associated with each WLAN.
VLAN (Number): Lists all available VLANs, and contains a checkbox that (when selected) will associate the SSID with a particular VLAN ID. At a minimum, VLAN1 is available to each WLAN. Motorola recommends mapping WLANs to as many VLANs as practical to ensure the WLAN has viable interface at all times.
4. Click the Apply button to save all changes to the VLAN assignments.
5.
WMM enabled: Displays WLAN-WMM status. It can be enabled (for a WLAN) from the WLAN Configurations Edit screen by selecting the Enable WMM checkbox.
Access: Displays the Access Category for the intended radio traffic. The Access Categories are the different WLAN-WMM options available to the radio.
4. Select the QoS Mappings button to revise the existing mappings of access category to 802.1p and DSCP to access category settings. With a drastic increase in bandwidth absorbing network traffic (VOIP, multimedia etc.), the importance of data prioritization is critical to effective network management. Refer to the following fields within the QoS Mapping screen to optionally revise the existing settings in respect to the data traffic requirements for this WLAN.
4.5.4.1 Editing WMM Settings
Use the WMM Edit screen to modify the existing Access Category settings for the WLAN selected within the WMM screen. This could be necessary in instances when the data traffic has changed and high-priority traffic (video and voice) must be accounted for by modifying the AIFSN Transmit Ops and CW values accordingly. WMM is for downstream and WLAN WMM is for upstream.
To edit existing WMM Settings:
1.
AIFSN: Define the current Arbitrary Inter-frame Space Number (AIFSN). Higher-priority traffic categories should have lower AIFSNs than lower-priority traffic categories. This causes lower-priority traffic to wait longer before trying to access the medium.
Transmit Ops: Define the maximum duration a device can transmit after obtaining a transmit opportunity. For higher-priority traffic categories, this value should be set higher.
2. Click the Status tab. The Status screen displays the following read-only device information for MUs interoperating within the switch managed network.
Station Index: Displays a numerical device recognition identifier for a specific MU.
MAC Address: Each MU has a unique Media Access Control (MAC) address through which it is identified. This address is burned into the ROM of the MU.
IP Address: Displays the unique IP address for the MU.
4. Highlight a MU from those listed and click the Disconnect button to remove the MU from the list of currently associated devices. Be aware that disconnected MUs will often become immediately re-connected to the switch. Ensure disconnected MUs are permanently removed from switch association.
5. Click the Export button to export the content of the table to a Comma Separated Values file (CSV).
4.6.1.
Radio Type: Displays the radio type used by the adopted MU. The Switch supports 802.11b MUs and 802.11 a/b and 802.11 a/g dual-radio MUs. The radio also supports 802.11a only and 802.11g MUs.
Base Radio MAC: Displays the SSID of the access port when it is initially adopted by the switch.
BSS Address: Displays the MU’s BSSID.
Voice: Displays whether or not the MU is a voice capable device.
2. Click the Statistics tab.
3. Select the Last 30s checkbox to display MU statistics as gathered over the last 30 seconds.
4. Select the Last HR checkbox to display MU statistics as gathered over the last hour.
5. Refer to the following details as displayed within the MU Statistics table:
Radio Index: Displays a numerical identifier used to associate a particular Radio with a set of statistics.
7. Click the Graph button to launch a graph with pictorial information about the selected MU in a graphical format. For more information, see View a MU Statistics Graph on page 4-64.
8. Click the Export button to export the content of the table to a Comma Separated Values file (CSV).
4.6.2.1 Viewing MU Statistics in Detail
The MU Statistics Details screen displays additional device address and performance information for the selected MU.
4. Refer to the Information field for the following information:
MAC Address: Displays the Hardware or Media Access Control (MAC) address for the MU. This address is hard-coded at the factory and cannot be modified.
BSS Address: Displays the MU’s BSSID.
IP Address: Displays the current IP address for the MU.
Voice: Displays whether the MU is a voice capable device. Traffic from voice enabled MUs is handled differently than traffic from MUs without this capability.
4.6.2.2 View a MU Statistics Graph
The MU Statistics tab has an option for displaying detailed MU statistics for individual MUs in a graphical format. This information can be used for comparison purposes to chart MU performance and overall switch performance.
To view the MU Statistics in a graphical format:
1. Select Network > Mobile Units from the main menu tree.
2. Click the Statistics tab.
3.
NOTE: The Motorola RF Management Software is a recommended utility to plan the deployment of the switch and view its configuration once operational in the field. Motorola RFMS can help optimize the positioning and configuration of a switch and access ports in respect to a WLAN’s MU throughput requirements. For more information, refer to the Motorola Web site.
AP Type: Displays whether the AP is an AP100 or AP300 model Motorola access port or an AP-4131 model access point, if configured to operate as an access port.
Type: Use the Type to identify whether the radio is 802.11a radio or an 802.11bg radio.
Adopted: Displays the radio’s adoption status. If the radio is adopted, a green check displays. If the radio is not adopted, a red X displays.
channels and moves the radio to the channel where it is least likely to have interference from the other radios. Use the Export option to move the contents of the table to a Comma Separated Values file (CSV).
10. Click the Global Settings button to display a screen with settings applying to all radios on the system. For more information, see Configuring an AP’s Global Settings on page 4-67.
4.7.1.
7. Click OK to save the changes and return to the previous screen.
Port Authentication
To configure the port authentication settings on an access port:
1. Select Network > Access Port Radios from the main menu tree.
2. Click the Configuration tab.
3. Click the Global Settings button.
4. Click the Configure Port Authentication button.
5. Enter the 802.1x Username assigned to the access port.
6. Enter the 802.
settings as well as a set of advanced properties in case its transmit and receive capabilities need to be adjusted.
NOTE: The display of the screen can vary slightly depending on whether the access port radio is an 802.11a or 802.11bg model.
To edit a radio’s configuration:
1. Select Network > Access Port Radios from the main menu tree.
2. Click the Configuration tab.
3. Select a radio to edit from the table.
4.
8. From within the Radio Settings field, define the Placement of the access port as either Indoors or Outdoors. An access port can be set for Indoors or Outdoors use depending on the model and the placement location. Power settings and channel selection options differ based on each country's regulatory rules and whether or not the unit is placed indoors or outdoors.
9.
Short Preambles only: If using an 802.11bg radio, select this checkbox for the radio to transmit using a short preamble. Short preambles improve throughput. However, some devices (SpectraLink phones) require long preambles. This checkbox does not display if using an 802.11a radio.
RTS Threshold: Specify a Request To Send (RTS) threshold (in bytes) for use by the WLAN's adopted access ports.
Self Healing Offset: When an access port increases its power to compensate for a failure, power is increased to the country's regulatory maximum. Set the Self Healing Offset to reduce the country's regulatory maximum power if access ports are situated close to each other or if access port uses an external antenna. For additional information on determining the offset value, see the documentation shipped with the access port.
Supported Rates allow an 802.11 network to specify the data rate it supports. When a MU attempts to join the network, it checks the data rate used on the network. If a rate is selected as a basic rate it is automatically selected as a supported rate. The basic default rates for an 802.11a radio differ from those default rates available to an 802.11b radio, as an 802.11a radio can support a maximum data rate of 54Mbps, while an 802.11b radio can support a maximum data rate of 11Mbps.
4.
3. Click the Add button to display a screen containing settings for adding a radio.
4. Enter the device MAC Address (the physical MAC address of the radio). Ensure this address is the actual hard-coded MAC address of the device.
5. Use the AP Type drop-down menu to define the radio type you would like to add. If adding an AP-4131 model access point, its access port conversion will render the access point a “thin” access port.
6.
2. Click the Statistics tab.
3. To select the time frame for the radio statistics, select either Last 30s or Last Hr above the statistics table.
• Select the Last 30s radio button to display statistics for the last 30 seconds for the radio.
• Select the Last Hr radio button to display statistics from the last hour for the radio.
4. Refer to the table for the following information:
Index: Displays the numerical index (device identifier) used with the radio.
5. Select a radio from those displayed and click the Details button for additional radio information in raw data format. For more information, see Viewing AP Statistics in Detail on page 4-76.
6. Select a radio from those displayed and click the Graph button for additional radio performance information in graphical format. For more information, see Viewing AP Statistics in Detail on page 4-76.
4.7.2.
Avg Bit Speed: Displays the average bit speed in Mbps on the selected radio. This includes all packets that are sent and received. The number in black represents this statistic for the last 30 seconds and the number in blue represents this statistic for the last hour.
Non-unicast Pkts: Displays the percentage of the total packets for the selected radio that are non-unicast packets. Non-unicast packets include broadcast and multicast packets.
3. Select a radio index from the table displayed in the Statistics screen and click the Graph button.
4. Select a checkbox to display that metric charted within the graph. Select as many of the displayed values as needed to chart them within the graph, but do not select more than four checkboxes at any one time.
5. Refer to the Status field for the current state of the requests made from the applet.
4. Select a radio from the table to view WLAN assignment information. The WLAN Assignment tab is divided into two fields: Select Radios and Assigned WLANs.
5. Refer to the Select Radios field for the following information:
Index: Displays the numerical index (device identifier) used with the radio. Use this index (along with the radio description) to differentiate the radio from other radios with similar configurations.
Description: Displays a description of the Radio.
2. Click the WLAN Assignment tab.
3. Select a radio from the table and click the Edit button. The Select Radio/BSS section displays the WLANs associated to each of the BSSIDs used by the radios within the radio table. The Select/Change Assigned WLANs section can be used to edit the WLAN assignment.
4. Select any of the WLANs from the table to unassign/disable it from the list of available WLANs.
5.
Access Category: Displays the Access Category currently in use. There are four categories: Video, Voice, Best Effort and Background. Click the Edit button to change the current Access Category. Ensure the Access Category reflects the radio’s intended network traffic.
AIFSN: Displays the current Arbitrary Inter-frame Space Number. Higher-priority traffic categories should have lower AIFSNs than lower-priority traffic categories.
4. Enter a number between 0 and 15 for the AIFSN value for the selected radio. The AIFSN value is the current Arbitrary Inter-frame Space Number. Higher-priority traffic categories should have lower AIFSNs than lower-priority traffic categories. This causes lower-priority traffic to wait longer before trying to access the medium.
5. Enter a number between 0 and 65535 for the Transmit Ops value.
2. Click the Configuration tab.
3. Refer to the following information as displayed within the Configuration tab:
Type: Displays whether the radio is an 802.11a radio or an 802.11bg model radio.
Placement: Displays the default placement when a radio auto-adopts and takes on the default settings. Options include Indoor or Outdoor. Default is Indoor.
Channel: Displays the default channel when a radio auto-adopts and takes on the default settings.
4.8.1.1 Editing Default Radio Adoption Settings
Use the Edit screen to dedicate a target radio as a detector radio, as well as change the radio's settings (placement, power and channel) and advanced properties (antenna setting, maximum associations, adoption preference etc.).
To edit radio adoption configuration settings:
1. Select Network Setup > Radio Adoption Defaults from the main menu tree.
2. Click the Configuration tab.
3.
8. Select a channel for communications between the access port and MUs in the Desired Channel field. The selection of a channel determines the available power levels. The range of legally approved communication channels varies depending on the installation location and country. The selected channel can be a specific channel, “Random,” or “ACS.” Random assigns each radio a random channel. ACS (Automatic Channel Selection) allows the switch to systematically assign channels.
RTS Threshold: Specify a Request To Send (RTS) threshold (in bytes) for use by the WLAN's adopted access ports. RTS is a transmitting station's signal that requests a Clear To Send (CTS) response from a receiving station. This RTS/CTS procedure clears the air where many MUs (or nodes) are contending for transmission time.
14. Click Cancel to close the dialog without committing updates to the running configuration.
Configuring Rate Settings
Use the Rate Settings screen to define a set of basic and supported rates for the target radio. This allows the radio to sync with networks using varying data rates and allows the radio to default to a predefined set of data rates when higher data rates cannot be maintained.
To configure a radio’s rate settings:
1.
4.8.2 Configuring Layer 3 Access Port Adoption
The configuration activity required for adopting access ports in a layer 3 environment is unique. In a layer 3 environment, switch discovery is attempted in the following ways:
• On the local VLAN
• Through the DHCP Server
Initially, the access port attempts to find its wireless switch by broadcasting a Hello packet on its local VLAN. During this activity:
1.
2. Click the WLAN Assignment tab. The Assigned WLANs tab displays two fields: Select Radios/BSS and Select/Change Assigned WLANs.
3. Within the Select Radios/BSS field, select the radio type to configure (802.11a or 802.11bg) from the Select Radio drop-down menu.
4. Select the desired BSS from the BSS list or select a Radio (802.11a or 802.11bg) to modify.
5.
6. Click Apply to save the changes made within the screen.
7. Click Revert to cancel the changes made and revert back to the last saved configuration.
4.8.4 Configuring WMM
Use the WMM tab to review each radio type, as well as the Access Category that defines which data type (Video, Voice, Best Effort and Background) the radio has been configured to process. Additionally, the WMM screen displays the transmit intervals defined for the target access category.
CW Min: The CW Min is combined with the CW Max to make the Contention Window. From this range, a random number is selected for the back off mechanism. Lower values are used for higher priority traffic.
CW Max: The CW Max is combined with the CW Min to make the Contention Window. From this range, a random number is selected for the back off mechanism. Lower values are used for higher priority traffic.
4.
5. Enter a number between 0 and 65535 for the Transmit Ops value. The Transmit Ops value is the maximum duration a device can transmit after obtaining a transmit opportunity. For higher-priority traffic categories, this value should be set higher.
6. Enter a value between 0 and 15 for the Contention Window minimum value. The CW Minimum is combined with the CW Maximum to make the Contention Window.
2. Click the Adopted AP tab.
3. Refer to the Adopted AP screen for the following information:
MAC Address: Displays the radio's first MAC address when it is adopted by the switch.
Model: Displays the Model Number of the access port.
Serial: Displays the serial number of the access port, and is used for management purposes by the switch. It is read-only and cannot be modified.
HW Version: Displays the Hardware Version of the access port.
1. Select Network > Access Port Status from the main menu tree.
2. Click the Unadopted AP tab.
CAUTION: An access port is required to have a DHCP-provided IP address before attempting layer 3 adoption, otherwise it will not work. Additionally, the access port must be able to find the IP addresses of the switches on the network.
To locate switch IP addresses on the network:
• Configure DHCP option 189 to specify each switch IP address.
3. Select an available index and click the Adopt button to display a screen wherein the properties of a new radio can be added for adoption to the switch. When displayed, the screen prompts for the MAC address and type of radio. Complete the fields and click the OK button to add the radio.
4. Click the Export button to export the contents of the table to a Comma Separated Values file (CSV).
Switch Services
This chapter describes the following Services main menu information used to configure the switch.
• Displaying the Services Interface
• DHCP Server Settings
• Configuring Secure NTP
• Configuring Switch Redundancy
• Layer 3 Mobility
• Configuring GRE Tunnels
• Configuring Self Healing
• Configuring Switch Discovery
NOTE: HTTPS must be enabled to access the switch applet. Ensure that HTTPS access has been enabled before using the login screen to access the switch applet.
5.1 Displaying the Services Interface
Refer to the Services main menu interface to review a summary describing the availability of several of the central features within the Services main menu item.
NOTE: When the switch’s configuration is successfully updated (using the Web UI), the affected screen is closed without informing the user their change was successful.
Layer 3 Mobility: Displays whether Layer 3 Mobility is currently enabled or disabled for the switch. Layer 3 mobility is a mechanism which enables a MU to maintain the same Layer 3 address while roaming throughout a multi-VLAN network. This enables transparent routing of IP datagrams to MUs during their movement, so data sessions can be initiated while they roam (for voice applications in particular).
are expected to renew them to continue to use the addresses. Once a lease has expired, the client to which that lease was assigned is no longer permitted to use the leased IP address.
NOTE: DHCP Server setting updates are only implemented when the switch is restarted.
To configure DHCP:
1. Select Services > DHCP Server from the main menu tree. The DHCP Server screen displays with the Configuration tab displayed.
2.
Lease Time (dd:hh:mm): When a DHCP server allocates an address for a DHCP client, the client is assigned a lease, which expires after a designated interval defined by the administrator. The lease time is the number of seconds an IP address is reserved for re-connection after its last use. Using very short leases, DHCP can dynamically reconfigure networks in which there are more computers than there are available IP addresses.
machine.
• An m-mixed is a mixed node that uses broadcasted queries to find a node, and failing that, queries a known p-node name server for the address.
• An h-hybrid is a combination of two or all of the nodes mentioned above.
6. Change the name of the boot file used for this pool within the Boot File parameter.
7.
2. Click the Add button at the bottom of the screen.
3. Enter the name of the IP pool from which IP addresses can be issued to client requests on this interface.
4. Provide the Domain name as appropriate for the interface using the pool.
5. Enter the NetBios Node used with this particular pool. The NetBios Node could have one of the following types:
• A b-broadcast (broadcast node) uses broadcasting to query nodes on the network for the owner of a NetBIOS name.
7. From the Network field, use the Associated Interface drop-down menu to define the switch interface used for the newly created DHCP configuration. Use VLAN1 as a default interface if no others have been defined. Additionally, define the IP Address and Subnet Mask used for DHCP discovery and requests between the DHCP Server and DHCP clients.
2. Highlight an existing pool name from within either the Configuration or Host Pool tab and click the Options Setup button at the bottom of the screen.
3. Click the Insert button to display an editable field wherein the name and value of the DHCP option can be added.
4. Name the option as appropriate, assign a Code value and use the Type drop-down options to specify a value of ip or ascii to the DHCP global option.
5.
2. Highlight an existing pool name from within either the Configuration or Host Pool tabs and click the DDNS button at the bottom of the screen.
3. Enter a Domain Name which represents the forward zone in the DNS server. For example test.net.
4. Define the TTL (Time to Live) to specify the validity of DDNS records. The maximum value is 65535 seconds.
5. Use the Automatic Update drop-down menu to specify whether the automatic update feature is on or off.
5.2.2 Viewing the Attributes of Existing Host Pools
Refer to the Host Pool tab within the DHCP Server screen to view how the host pools reserve IP addresses for specific MAC addresses. This information can be an asset in determining if a new pool needs to be created or an existing pool requires modification.
To view the attributes of existing host pools:
1. Select Services > DHCP Server from the main menu tree. The DHCP Server screen displays with the Configuration tab displayed.
2.
6. Click the Add button to create a new DHCP pool. For more information, see Adding a New DHCP Pool on page 5-6.
7. Click the Options button to insert a global pool name into the list of available pools. For more information, see Configuring DHCP Global Options on page 5-8.
8. Click the DDNS button to configure a DDNS domain and server address that can be used with the list of available pools.
5.2.4 Configuring DHCP Server Relay Information
Refer to the Relay tab to view the current DHCP Relay configurations for available switch VLAN interfaces. The Relay tab also displays the VLAN interfaces for which the DHCP Relay is enabled/configured. The Gateway Interface address information is helpful in selecting the interface suiting the data routing requirements between the External DHCP Server and DHCP client (present on one of the switch’s available VLANs).
2. Click the Relay tab.
3. Refer to the Interface field for the names of the interfaces available to route information between the DHCP Server and DHCP clients. If this information is insufficient, consider creating a new IP pool or edit an existing pool.
4.
d. Click Cancel to close the dialog without committing updates to the running configuration.
5.2.5 Viewing DHCP Server Status
The switch DHCP Server screen can display a tab with information on the MUs using a leased IP address from the switch DHCP server. Use this information to assess whether the MU is still a viable client for receiving switch DHCP resources.
To view detailed DHCP Server status:
1. Select Services > DHCP Server from the main menu tree.
3. Refer to the contents of the Status tab for the following:
IP Address: Displays the IP address for the client with the MAC Address listed in the MAC Address/Client ID column.
MAC Address/Client ID: Displays the MAC address (client ID) of the client using the switch’s DHCP Server to access switch resources. The MAC address is read-only and cannot be modified.
Type: Displays the client type interoperating with the switch’s DHCP server.
2. Select the Configuration tab.
3. An ACL ID must be created before it is selectable from any of the drop-down menus. Refer to the Access Group field to define the following:
Full Access: Supply a numeric ACL ID to enable the supplied ACL ID full access.
Only Control Queries: Supply a numeric ACL ID to enable the supplied ID only control query access to SNTP resources.
Broadcast Delay Auto Key Enter the estimated round-trip delay (between 1 and 999999 seconds) for SNTP broadcasts between the SNTP broadcast server and the switch. Define the interval based on the priority of receiving accurate system time frequently. Typically, no more than one packet per minute is necessary to synchronize the switch to within a millisecond of the SNTP broadcast server.
3. Click the Add button.
4. Enter a Key ID between 1-65534. The Key ID is a Key abbreviation allowing the switch to reference multiple passwords. This makes password migration easier and more secure between the switch and its NTP resource.
5. Enter the authentication Key Value used to secure the credentials of the NTP server providing system time to the switch.
6. Select the Trusted Key checkbox to use a trusted key.
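How a Key ID, Key Value and Trusted Key flag come into play when an NTP packet is checked, as an added example that is not taken from this guide or from the switch firmware. It assumes the standard NTP symmetric-key scheme (a 32-bit key ID followed by an MD5 digest of the key concatenated with the 48-byte header); the guide does not state which digest the switch uses, and KeyTable, sign, verify and the key values are hypothetical names and constructed sample data.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48      # fixed NTP header, no extension fields
MAC_LEN = 4 + 16         # 32-bit key ID followed by a 128-bit MD5 digest (assumed scheme)


class KeyTable:
    """Key ID -> (key value, trusted flag), modelled on the symmetric key list."""

    def __init__(self):
        self._keys = {}

    def add(self, key_id, value, trusted=False):
        # The guide limits Key IDs to the range 1-65534.
        if not 1 <= key_id <= 65534:
            raise ValueError("Key ID must be between 1 and 65534")
        self._keys[key_id] = (value, trusted)

    def remove(self, key_id):
        self._keys.pop(key_id, None)

    def lookup(self, key_id):
        return self._keys.get(key_id)


def build_header(version=3, mode=4, stratum=2, transmit_seconds=0):
    """Pack a minimal 48-byte NTP header (constructed sample, most fields zero)."""
    first_byte = (0 << 6) | (version << 3) | mode    # LI=0, version, mode
    words = [0] * 11                                 # delay, dispersion, ref ID, 4 timestamps
    words[9] = transmit_seconds                      # seconds part of the transmit timestamp
    return struct.pack("!BBbb11I", first_byte, stratum, 6, -20, *words)


def digest(key_value, header):
    """Keyed digest of the assumed scheme: MD5(key || header)."""
    return hashlib.md5(key_value + header).digest()


def sign(header, key_id, keys):
    """Append key ID and digest, as the time source would before sending."""
    entry = keys.lookup(key_id)
    if entry is None:
        raise KeyError(key_id)
    return header + struct.pack("!I", key_id) + digest(entry[0], header)


def verify(packet, keys, no_authentication=False):
    """Receiver-side check. no_authentication models accepting packets with no MAC."""
    if len(packet) == NTP_HEADER_LEN:
        return "accepted-unauthenticated" if no_authentication else "rejected-no-mac"
    if len(packet) != NTP_HEADER_LEN + MAC_LEN:
        return "rejected-malformed"
    header = packet[:NTP_HEADER_LEN]
    (key_id,) = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])
    entry = keys.lookup(key_id)
    if entry is None:
        return "rejected-unknown-key"
    value, trusted = entry
    if not trusted:
        return "rejected-untrusted-key"              # defined, but not marked trusted
    if not hmac.compare_digest(digest(value, header), packet[-16:]):
        return "rejected-bad-digest"                 # header altered or wrong key value
    return "accepted"


def demo():
    """Run constructed packets through the checks and return each outcome."""
    keys = KeyTable()
    keys.add(10, b"old-shared-secret", trusted=True)   # constructed sample values
    keys.add(20, b"lab-secret", trusted=False)
    header = build_header(transmit_seconds=3_900_000_000)
    results = {}

    good = sign(header, 10, keys)
    results["trusted_key"] = verify(good, keys)

    tampered = bytearray(good)
    tampered[1] = 1                                    # altered in transit: claims stratum 1
    results["tampered"] = verify(bytes(tampered), keys)

    results["untrusted_key"] = verify(sign(header, 20, keys), keys)
    results["no_mac"] = verify(header, keys)
    results["no_mac_allowed"] = verify(header, keys, no_authentication=True)

    # Password migration: add the new key under a new ID, switch over, retire the old ID.
    keys.add(11, b"new-shared-secret", trusted=True)
    results["migration_old_key"] = verify(good, keys)
    results["migration_new_key"] = verify(sign(header, 11, keys), keys)
    keys.remove(10)
    results["retired_key"] = verify(good, keys)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:20s} {outcome}")
```

Because each packet names its key by ID, old and new keys can coexist during a change window, and a packet signed with a retired ID is rejected as soon as that ID is removed.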
2. Select the NTP Neighbor tab.
3. Refer to the following information (as displayed within the NTP Neighbor tab) to assess whether an existing neighbor configuration can be used as is, if an existing configuration requires modification or a new configuration is required.
IP Address/ Hostname: Displays the numeric IP address of the resource (peer or server) providing SNTP resources for the switch.
5.3.4 Adding an NTP Neighbor
To add a new NTP peer or server neighbor configuration to those available to the switch for synchronization:
1. Select Services > Secure NTP from the main menu tree.
2. Select the NTP Neighbor tab.
3. Click the Add button.
4. Select the Peer checkbox if the SNTP neighbor is a peer to the switch (non FTP server) within the switch’s current subnet.
5. Select the Server checkbox if the neighbor is a server within the switch’s current subnet.
6.
9. Use the NTP Version drop-down menu to select the version of SNTP to use with this configuration. Currently version three and version four implementations of NTP are available. The latest version is NTPv4, but the official Internet standard is NTPv3.
10. If necessary, select the No Authentication checkbox to allow communications with the NTP resource without any form of security. This option should only be used with known NTP resources.
11.
2. Select the NTP Associations tab.
3. Refer to the following SNTP Association data for each SNTP association displayed:
Address: Displays the numeric IP address of the SNTP resource (Server) providing SNTP updates to the switch.
Reference Clock: Displays the address of the time source the switch is synchronized to.
Stratum: Displays how many hops the switch is from an SNTP time source. The switch automatically chooses the SNTP resource with the lowest stratum number.
5.3.6 Viewing SNTP Status
Refer to the SNTP Status tab to display performance (status) information relative to the switch’s current NTP association. Verifying the switch’s SNTP status is important to assess which resource the switch is currently getting its system time from, as well as the time server’s current differences in time attributes as compared to the current switch time.
Root delay: The total round-trip delay in seconds. This variable can take on both positive and negative values, depending on the relative time and frequency offsets. The values that normally appear in this field range from negative values of a few milliseconds to positive values of several hundred milliseconds.
Root Dispersion: Displays the nominal error relative to the primary time source in seconds.
running on WS1, by duplicating the commands and sending them to the group over the virtual connection. To view status and membership information, refer to the following: After sending the command to the other members, the cluster-management protocol (at WS1) waits for a response from the members of the redundancy group. Upon receiving a response from each member, WS1 updates the user’s screen and allows the user to enter/execute the next command.
context). For information on licensing rules impacting redundancy group members, see Redundancy Group License Aggregation Rules on page 5-34.
To view status and membership data and define a redundancy group configuration, refer to the following:
• Reviewing Redundancy Status
• Configuring Redundancy Group Membership
To configure switch redundancy:
1. Select Services > Redundancy from the main menu tree. The Redundancy screen displays with the Configuration tab selected.
2.
Hold Time: Define the Hold Time for a redundancy group. If there are no heartbeats received from a peer during the hold time, the peer is considered to be down. In general, the hold period is configured for three times the heartbeat period, meaning that if three consecutive heartbeats are not received from the peer, the peer is assumed down and unreachable. The hold time is required to be greater than the heartbeat interval.
2. Select the Status tab.
3. Refer to the Status field to assess the current state of the redundancy group.
Redundancy state is: Displays the state of the redundancy group. When the redundancy feature is disabled, the state is “Disabled.” When enabled, it goes to “Startup” state. From “startup” it goes to “Discovery” state immediately if the STP convergence is not enabled. Otherwise, it remains in “Startup” state for a period of 50 seconds (the standard STP convergence time).
Rogue Access Ports in group: Displays the cumulative number of rogue APs detected by the members of the group. Compare this value with the number of rogues detected by this AP to discern whether an abundance of rogues has been located by a particular switch and thus escalates a security issue with a particular switch.
Radios in group: Displays the combined number (sum) of radios amongst all the members of the redundancy group.
2. Select the Member tab.
3. Refer to the following information within the Member tab:
IP Address: Displays the IP addresses of the redundancy group member.
Status: Displays the current status of this group member. This status could have the following values:
• Configured: The member is configured on the current wireless service module.
• Seen: Heartbeats can be exchanged between the current switch and this member.
6. Click the Add button to add a member to the redundancy group. The redundancy group should be disabled to conduct an Add or Delete operation. For more information, see Adding a Redundancy Group Member on page 5-34.
5.4.2.1 Displaying Redundancy Member Details
Use the Details screen (in conjunction with its parent Member screen) to display additional (more detailed) information on the redundancy group (cluster) member selected within the Member screen.
Adoption Count: Displays the number of access ports adopted by this member.
Adoption Capacity: Displays the maximum number of access ports this member is licensed to adopt. For information on licensing rules impacting redundancy group members, see Redundancy Group License Aggregation Rules on page 5-34.
Mode: The Redundancy Mode could be Active or Standby depending on the mode configuration on the member.
5.4.2.2 Adding a Redundancy Group Member
Use the Add screen as the means to add a new member (by adding their IP address) to an existing redundancy group (cluster).
To add a new member to a redundancy group:
1. Select Services > Redundancy from the main menu tree. The Redundancy screen displays with the Configuration tab selected.
2. Select the Member tab.
3. Select the Add button.
4. Enter the IP Address of a new member.
5.
• Whenever the cluster protocol is disabled, a member switch forgets the learned cluster license as well as peer information needed to compute license totals.
• If the switch start-up configuration is removed, a member switch forgets the learned cluster license as well as peer information needed to compute license totals.
DHCP and ARP are tunneled through the home switch. The IP address for the MU is assigned from the VLAN to which the MU belongs (as determined by the home switch). The current switch for the MU is the switch in the mobility domain to which it is currently associated, and keeps changing as the MU continues to roam amongst. The current switch is also responsible for delivering data packets from the MU to its home switch and vice-versa.
To configure Layer 3 Mobility for the switch:
1. Select Services > Layer 3 Mobility from the main menu tree. The Layer 3 Mobility screen appears with the Configuration tab displayed.
2. Select the Use Default Management Interface checkbox to use the switch’s default management interface IP address for the MUs roaming amongst different Layer 3 subnets. The IP address displayed to the right of the checkbox will be used by the Layer 3 MU traffic.
3.
5.5.2 Defining the Layer 3 Peer List
The Layer 3 Peer List contains the IP addresses MUs are using to roam amongst various subnets. This screen is helpful in displaying the IP addresses available to the MUs requiring access to different subnet resources.
To define the Layer 3 Peer List:
1. Select Services > Layer 3 Mobility from the main menu tree. The Layer 3 Mobility screen appears with the Configuration tab displayed.
2. Select the Peer List tab.
3.
5.5.3 Reviewing Layer 3 Peer List Statistics
When a MU roams to a current switch on the same layer 3 network, it sends a L2-ROAM message to the home switch to indicate the MU has roamed within the same VLAN. The old home switch forwards the information to all its peers. The MU is basically re-synchronized to the new current switch, but gets to keep its old IP address.
3. Refer to the following information within the Peer Statistics tab:
Peer IP: Displays the IP addresses of the peer switches within the mobility domain. Each peer can handle up to a maximum of 500 MUs.
JOIN Events sent/rcvd: Displays the number of JOIN messages sent and received. JOIN messages advertise the presence of MUs entering the mobility domain for the first time.
2. Select the MU Status tab.
3. Refer to the following information within the MU Status tab:
MU MAC: Displays the factory hardcoded MAC address of the MU. This value is set at the factory and cannot be modified. Thus, it should be consistent as the MU roams within the mobility domain.
MU IP Addr: Displays the IP address the MU is using within the mobility domain.
• Assigning priority to different types of traffic
• Assigning security levels to different types of traffic
The advantages of using Tunnel include:
1. It provides communication between sub-networks that have invalid or non-contiguous network addresses.
2. Multiple protocol types can be consolidated on a common backbone for reduced operational cost.
3. Assurance of privacy and security in shared networks that support multiple enterprise customers.
GRE tunneling allows desktop protocols to take advantage of the enhanced route selection capabilities of IP. With GRE Tunneling, it is possible for the two sub-networks of network 131.108.0.0 to talk to each other even though they are separated by another network.
To configure GRE tunneling on the switch:
1. Select Services > GRE Tunnels from the main menu tree. The GRE Tunnels screen displays with existing GRE tunnels.
2.
Interface IP: Displays the network IP address used to route GRE packets to their destination address.
Admin Status: Displays the status of a tunnel as either the active tunnel used currently for the switch or disabled.
Operation Status: Displays the status of tunnels as either the active (in use) or disabled.
3. Highlight an existing tunnel and click the Edit button to modify the properties of the tunnel.
Destination IP: Traffic received on a GRE tunnel will be forwarded to MUs based on the Destination IP address defined.
Interface IP: Modify the network IP address (if necessary) used to route GRE packets to their destination address.
Subnet: Define the subnet address used to route GRE tunnel packets between end-points. Each GRE tunnel must have a unique subnet to function properly and independent of one another.
Subnet: Define the subnet address used to route GRE tunnel packets between end-points. Each GRE tunnel must have a unique subnet to function properly and independent of one another.
Time-to-live: Configure the period of time (in seconds) packets are kept alive between tunnel destinations. The defined interval ensures IP reachability between the tunnel end-points.
4. Click OK to save the contents of the screen and return to the main GRE Tunnels screen.
5.
3. Refer to the Interference Avoidance field to define the following settings:
Enable Interference Avoidance: Select Enable Interference Avoidance to enable the Interference Avoidance feature. The switch is capable of switching channels on an access port (Automatic Channel Selection) if the interference is observed on the current operating channel.
Average Retries: The Average Number of Retries is the average number of retries for a MU to communicate with a neighbor radio.
3. Refer to the following information as displayed within the Neighbor Recovery screen.
Radio Index: Displays a numerical identifier used (in conjunction with the radio’s name) to differentiate the radio from its peers.
Description: Displays an identifier used (in conjunction with the radio’s index) to differentiate the radio from its peers.
Type: Displays the radio as either an 802.11a or 802.11bg radio.
3. Select an existing neighbor and click the Edit button. The radio index and description for the current radio display in the upper right corner of the screen. The Available Radios value represents the radios that can be added as a neighbor for the target radio. Neighbor Radios are existing radios (neighbors).
4. Select one of the following four actions from the Self Healing Action drop-down menu:
• None: The radio takes no action at all when its neighbor radio fails.
5.8 Configuring Switch Discovery
Switch discovery enables the SNMP discovery (location) of Motorola devices (running switch software version 3.0 or later). To discover devices in the specified range of IP addresses, the switch Web UI sends SNMP GET requests (using the user-specified SNMP v2 or v3 version) to all IP addresses of the specified network.
2. Refer to the following information within the Discovery Profiles tab to discern whether an existing profile can be used as is, requires modification (or deletion) or if a new discovery profile is required.
Index: Displays the Web UI supplied numerical identifier used to differentiate this profile from others with similar configurations. The index is supplied to new profiles sequentially.
Profile Name: Displays the user-assigned name used to title the profile.
If SNMP v3 is used with a discovering profile, a V3 Authentication screen displays. The User Name and Password entered are required to match the name used by the remote network management software of the discovered switch. When the credentials of the V2 Read Community or V3 Authentication screens are satisfied, the switch discovery process begins.
7.
End IP Address: Enter the ending numeric (non DNS) IP address from where the search for available network devices is conducted.
SNMP Version: Use the SNMP Version drop-down menu to define the version of SNMP (either SNMP v2 or v3) used for discovering available network devices.
4. Refer to the Status field for an update of the edit process. The Status is the current state of the requests made from the applet. Requests are any “SET/GET” operation from the applet.
3. Refer to the following information within the Saved Devices screen to discern whether a located device should be deleted from the list or selected to have its Web UI launched and its current configuration modified.
IP Address: Displays the IP address of the discovered switch. This IP address falls within the range of IP addresses specified for the discovery profile used for the device search.
Switch Security
This chapter describes the security mechanisms available to the switch. This chapter includes the following:
• Displaying the Main Security Interface
• AP Intrusion Detection
• MU Intrusion Detection
• Configuring Wireless Filters
• Configuring ACLs
• Configuring NAT Information
• Configuring IKE Settings
• Configuring IPSec VPN
• Configuring the Radius Server
• Creating Server Certificates
NOTE: HTTPS must be enabled to access the switch applet.
To view main menu security information:
1. Select Security from the main menu tree.
2. Refer to the following information to discern if configuration changes are warranted:
Access Port Intrusion Detection: Displays the Enable or Disable state of the switch to detect potentially hostile access ports (the definition of which is defined by you).
6.2 AP Intrusion Detection
Use the Internet Protocol sub-menu to view and configure network related IP information. The Internet Protocol screen consists of the following tabs:
• Enabling and Configuring AP Detection
• Approved APs (Reported by APs)
• Unapproved APs (Reported by APs)
• Unapproved APs (Reported by MUs)
6.2.
3. Enable AP assisted scanning and timeout intervals as required.
Enable: Select the Enable checkbox to enable associated access ports to detect potentially hostile access points (the definition of which is defined by you). Once detected, the access points can be added to a list of APs either approved or denied from interoperating within the switch managed network.
6.2.1.1 Adding or Editing an Allowed AP
To add a new range or modify the address range used to designate devices as Allowed APs:
1. Select Security > Access Point Intrusion Detection from the main tree menu.
2. Click the Configuration tab.
3. Select an existing Allowed AP and click the Edit button to modify the properties of an existing Allowed AP or click the Add button to define the attributes of a new Allowed AP.
4.
6.2.2 Approved APs (Reported by APs)
Access points detected and approved for operation within the switch managed network can be separately displayed to assess the reporting (detecting) AP, the channel of operation, the last time the AP was observed on the network and the ESSID. Use this information to assess if an approved access point was incorrectly defined as an approved device and requires categorization as an unapproved and disallowed AP.
6.2.3 Unapproved APs (Reported by APs)
Use the Unapproved APs (Reported by APs) tab to review access points detected by associated switch access port radios that have been restricted from operation within the switch managed network. The criteria for restriction were defined using the Security > Access Port Intrusion Detection > Configuration screen.
To view access port detected unapproved access points:
1. Select Security > Access Port Intrusion Detection from the main menu tree.
2.
Last Seen (in Seconds): Displays the time (in seconds) the Unapproved AP was last seen on the network by the detecting AP.
ESSID: Displays the ESSID of each Unapproved AP. These ESSIDs are device ESSIDs observed on the network, but have yet to be added to the list of Approved APs and are therefore interpreted as a threat. If an ESSID displays on the list incorrectly, click the Allow button and add the ESSID to a new Allowed AP index.
4.
3. The Unapproved APs (Reported by MUs) table displays the following information:
BSS MAC Address: Displays the MAC Address of each Unapproved AP. These MAC Addresses are access points observed on the network (by associated MUs), but have yet to be added to the list of Approved APs, and are therefore interpreted as a threat on the network.
Reporting MU: Displays the numerical value for the detecting MU.
2. Click the Configuration tab. The MU Intrusion Detection tab consists of the following two fields:
• Collection Settings
• Violation Parameters
3. Within the Collection Settings field, set the Detection Window interval (in seconds) the switch uses to scan for MU violations. The available range is from 5 - 300 seconds.
4.
6. Click Revert to roll back to the previous configuration.
6.3.2 Viewing Filtered MUs
Periodically check the Filtered MUs tab to review those MUs that have been filtered by the switch for incurring a violation based on the settings defined within the Configuration tab. Each MU listed can be deleted from the list or its attributes exported to a user defined location.
To view the status of those MUs filtered using the settings defined within the Configuration tab:
1.
Violation Type: Displays the reason the violation occurred for each detected MU. The following violation types are possible:
• excessive probes
• excessive associations
• excessive disassocs
• 802.11 replay failures
• crypto replay failures
• decryption failures
• authentication failures
• all 0's address
• same source-dest address
• multicast source address
• use of weak WEP IV
• TKIP countermeasures
• excessive EAP/802.
The Filters field contains the following read-only information:
MU-ACL Index: Displays a numerical identifier used to associate a particular ACL to a range of MAC addresses (or a single MAC address) that are either allowed or denied access to the switch managed network.
Starting MAC: Displays the beginning MAC Address (for this specific Index) either allowed or denied access to the switch managed network.
7. Click the Memberships button to display a screen wherein a selected index can be added to one or more existing WLANs. For more information, see Associating an ACL with WLAN on page 6-16.
8. Click the Export button to export the contents of the table to a Comma Separated Values (CSV) file.
6.4.1 Editing an Existing Wireless Filter
Use the Edit screen to modify the properties of an existing filter.
10. Click Cancel to close the dialog without committing updates to the running configuration.
6.4.2 Adding a new Wireless Filter
Use the Add screen to create a new index and define a new address permission range. Once created, an allow or deny designation can be applied to the new filter ACL.
To create a new filter ACL:
1. Select Security > Wireless Filters from the main menu tree.
2. Click the Add button at the bottom of the screen to launch a new dialog used for creating an ACL.
6.4.3 Associating an ACL with WLAN
Use the Membership screen to define a name for the ACL index and map the index to WLANs (1-32) requiring membership permission restrictions.
To associate a filter ACL index with a WLAN:
1. Select Security > Wireless Filters from the main menu tree.
2. Select one or more of the existing ACLs from the filters list.
3. Click the Memberships button.
4. Check the box below each WLAN you want associated with the ACL.
6.5.1 ACL Overview
An ACL contains an ordered list of Access Control Entries (ACEs). Each ACE specifies an action and a set of conditions that a packet must satisfy in order to match the ACE. The order of conditions in the list is critical because the switch stops testing conditions after the first match.
The switch supports the following ACLs to filter traffic:
• Router ACLs — Applied to VLAN (Layer 3) interfaces.
A session is computed based on the following:
• Source IP address
• Destination IP address
• Source Port
• Destination Port
• ICMP identifier
• Incoming interface index
• IP Protocol
NOTE: Port and router ACLs can be applied only in an inbound direction. WLAN ACLs support applying ACLs in the inbound and outbound direction.
Each session has a default idle time-out interval.
6.5.1.3 Wireless LAN ACLs
Wireless LAN ACLs filter/mark packets based on the wireless LAN from which they arrive rather than filtering the packets that arrive on L2 ports. In general, a Wireless-LAN ACL can be used to filter wireless to wireless, wireless to wired and wired to wireless traffic. Typical wired to wired traffic can be filtered using an L2 port based ACL rather than a WLAN ACL. Each WLAN is assumed to be a virtual L2 port.
6.5.2 Configuring an ACL
Configure an ACL to enforce privilege separation and determine appropriate switch access permissions for groups and users.
To configure an ACL:
1. Select Security > ACLs from the main tree menu.
2. Click the Configuration tab.
3.
To create a new ACL:
1. Select Security > ACLs from the main menu tree.
2. Click the Configuration tab to view the list of ACLs currently associated with the switch.
3. Click the Add button.
4. Select an ACL Type from the drop-down menu.
3. Click the Add button within the Associated Rules field.
4. Use the Precedence field to enter a precedence (priority) value between 1 and 5000. The rules within an ACL will be applied to packets based on their precedence value. Rules with lower precedence are always applied first.
NOTE: If adding an access control entry to an ACL using the switch SNMP interface, Precedence is a required parameter.
5.
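The first-match behaviour from the ACL overview and the precedence ordering described above, as an added example (not code from this guide or from the switch software): a small Python model that evaluates a packet against an ACL and reports ACEs that can never match because an entry with lower precedence already covers them. The rule set, the field names, the unique-precedence check and the default action for unmatched packets are assumptions made for the illustration.

```python
"""Added example: first-match ACL evaluation and a shadowed-ACE audit."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    protocol: str                    # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    precedence: int                  # 1..5000; lower values are tested first
    action: str                      # "permit" or "deny"
    protocol: Optional[str]          # None means any IP protocol
    src: str                         # source network, CIDR notation
    dst: str                         # destination network, CIDR notation
    dst_port: Optional[int] = None   # None means any port

    def __post_init__(self):
        if not 1 <= self.precedence <= 5000:
            raise ValueError(f"precedence {self.precedence} outside 1-5000")
        if self.action not in ("permit", "deny"):
            raise ValueError(f"unknown action {self.action!r}")

    def matches(self, pkt: Packet) -> bool:
        return (self.protocol in (None, pkt.protocol)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.dst_port in (None, pkt.dst_port))

    def covers(self, other: "Ace") -> bool:
        """True when every packet matching `other` also matches this ACE."""
        return (self.protocol in (None, other.protocol)
                and ip_network(other.src).subnet_of(ip_network(self.src))
                and ip_network(other.dst).subnet_of(ip_network(self.dst))
                and self.dst_port in (None, other.dst_port))


def ordered(acl: List[Ace]) -> List[Ace]:
    """Sort by precedence. Unique precedence values are assumed here."""
    seen = set()
    for ace in acl:
        if ace.precedence in seen:
            raise ValueError(f"duplicate precedence {ace.precedence}")
        seen.add(ace.precedence)
    return sorted(acl, key=lambda a: a.precedence)


def evaluate(acl: List[Ace], pkt: Packet,
             default: str = "deny") -> Tuple[str, Optional[int]]:
    """Return (action, precedence of the deciding ACE).

    Testing stops at the first match. `default` is an assumption of this
    model for packets that match no ACE; the guide does not state it.
    """
    for ace in ordered(acl):
        if ace.matches(pkt):
            return ace.action, ace.precedence
    return default, None


def find_shadowed(acl: List[Ace]) -> List[Tuple[int, int, bool]]:
    """List (shadowed, shadowing, conflict) precedence pairs.

    An ACE is shadowed when an earlier ACE covers all of its traffic, so
    it can never be the first match. `conflict` is True when the two
    actions differ, which means the later rule's intent is silently lost.
    """
    rules = ordered(acl)
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(later):
                findings.append((later.precedence, earlier.precedence,
                                 earlier.action != later.action))
                break
    return findings


# Constructed rule set (addresses are illustrative), entered out of order.
SAMPLE_ACL = [
    Ace(30, "permit", "tcp", "10.1.2.0/24", "10.9.0.7/32", 22),
    Ace(10, "permit", "tcp", "10.1.0.0/16", "10.9.0.5/32", 443),
    Ace(40, "deny", "tcp", "10.1.2.0/24", "10.9.0.7/32", 23),
    Ace(20, "deny", None, "10.1.0.0/16", "10.9.0.0/24"),
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_ACL, Packet("tcp", "10.1.2.3", "10.9.0.7", 22)))
    for shadowed, by, conflict in find_shadowed(SAMPLE_ACL):
        kind = "conflicting" if conflict else "redundant"
        print(f"ACE {shadowed} is shadowed by ACE {by} ({kind})")
```

In the sample, the SSH permit at precedence 30 never takes effect because the broader deny at precedence 20 matches first; moving it to a precedence below 20 changes the outcome.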
6.5.2.3 Editing an Existing Rule
As network and access permission requirements change, existing ACL rules need to be modified to remain relevant to new client access requests to the switch.
To modify an existing ACL rule:
1. Select Security > ACLs from the main menu tree.
2. Click the Configuration tab.
3. Select an ACL from the ACLs field. The rules associated with the selected ACL display in the Associated Rules section.
4. Click the Edit button within the Associated Rules field.
5.
6.5.3 Attaching an ACL
Use the Attach-L2/L3 screen to view and assign the ACL to a physical interface or VLAN on the switch.
To attach an interface:
1. Select Security > ACLs from the main menu tree.
2. Click the Attach-L2/L3 tab.
3. Refer to the following information as displayed within the Attach tab:
Interface: The interface to which the switch is configured.
2. Click the Attach tab.
3. Click the Add button.
4. Use the Interface drop-down menu to select the interface to configure on the switch. Available options include Ethernet 1, Ethernet 2, VLAN 1 (plus those VLANs created thus far) and Tunnel n (where n equals the name(s) of those tunnels created thus far).
5. Use the IP ACL drop-down menu to select an IP ACL used as the inbound IP for the layer 2 or layer 3 interface.
6.
3. Refer to the following information as displayed within the Attach-WLAN tab:
WLAN Index: The WLAN Index displays the list of WLANs attached with ACLs.
IP ACL: Displays the IP ACL configured.
MAC ACL: Displays the MAC ACL configured.
Direction: Displays whether the WLAN ACL is configured to work in the inbound or outbound direction.
4. Select a WLAN (by row) and click Edit to modify the WLAN Index, IP ACL and MAC ACL values.
5.
8. Refer to the Status field for the current state of the requests made from the applet. This field displays error messages if something goes wrong in the transaction between the applet and the switch.
9. Click OK to use the changes to the running configuration and close the dialog.
10. Click Cancel to close the dialog without committing updates to the running configuration.
6.5.
High Destination IP: Displays the High Destination IP Address.
Times Used: Displays the number of instances this ACL has been used. Periodically review this value among ACLs to determine whether specific ACLs should be deleted or modified to remain relevant.
4. Select an interface and click the Delete button to delete the ACL interface from the switch.
5. Click the Export button to export the selected ACL attribute to a user specified location.
6.
3. Refer to the following information as displayed within the Dynamic Translation tab.
Type: Displays the NAT type as either:
• Inside - Applies NAT on packets coming in on interfaces marked as inside. These switch interfaces should be private networks which are not accessible from outside (public) networks.
• Outside - Applies NAT on packets coming in on interfaces marked as outside.
6. Click the Add button to display a screen to create a new NAT configuration and add it to the list of available configurations. For more information, see Adding a New Dynamic NAT Configuration on page 6-30.
6.6.1.1 Adding a New Dynamic NAT Configuration
If the existing NAT configurations displayed with the Configuration prove unsuitable for translation, consider creating a new one.
To define a new NAT configuration:
1.
10. Click Cancel to close the dialog without committing updates to the running configuration.
6.6.2 Defining Static NAT Translations
Static Network Address Translation (NAT) creates a permanent, one-to-one mapping between an address on an internal network and a perimeter or external network. To share a Web server on a perimeter interface with the Internet, use static address translation to map the actual address to a registered IP address.
3. Refer to the following information as displayed within the Static Translation tab.
Type: Displays the NAT type as either:
• Inside - The set of networks that are subject to translation. These are the internal addresses you are trying to prevent from being exposed to the outside world.
• Outside - All other addresses. Usually these are valid addresses located on the Internet. Outside addresses pose no risk if exposed over a publicly accessible network.
3. Click the Add button.
4. Define the NAT Type from the drop-down menu. Options include:
• Inside - The set of networks that are subject to translation. These are the internal addresses you are trying to prevent from being exposed to the outside world.
• Outside - All other addresses. Usually these are valid addresses located on the Internet. Outside addresses pose no risk if exposed over a publicly accessible network.
5. Define the NAT Direction from the drop-down menu.
13. Click Cancel to close the dialog without committing updates to the running configuration.
6.6.3 Configuring NAT Interfaces
The NAT Interface is the VLAN used to route switch data traffic between the source and destination address locations within the switch-managed network. Any of the default VLANs is available as the NAT interface, in addition to any other VLANs you may have created.
6. If modifying an existing interface is not a valid option, consider configuring a new interface.
To define a new NAT interface:
a. Click the Add button from within the Interfaces tab.
b. Use the Interface drop-down menu to select the VLAN used as the communication medium between the switch managed network and its destination (within the insecure outside world).
c. Use the Type drop-down menu to specify the Inside or Outside designation as follows:
d.
3. Refer to the following information to assess the validity and total NAT translation configurations available to the switch.
Inside-Global: Displays the internal global pool of addresses (allocated out of the switch’s private address space but relevant to the outside) you are trying to prevent from being exposed to the outside world.
NOTE: By default, the IKE feature is enabled on the switch. Motorola does not support disabling the IKE server.
6.7.1 Defining the IKE Configuration
Refer to the Configuration tab to enable (or disable) IKE and define the IKE identity (for exchanging identities) and aggressive mode. Aggressive mode enables you to configure Internet Key Exchange (IKE) pre-shared keys as IPSec tunnel attributes for IP Security (IPSec) peers.
6. Refer to the Pre-shared Keys field to review the following information:
Peer IP Address: Use the Peer IP Address to associate an IP address with the specific tunnel used by a group of peers.
Aggressive Mode: Displays whether aggressive mode is enabled for this IP address and key string. A green check mark defines aggressive mode as enabled. A red “X” denotes the mode as disabled.
Key: Displays the string ID a remote peer uses to look up pre-shared keys.
• A priority value (1 through 65,543, with 1 as highest priority permitted)
• An authentication scheme to ensure the credentials of the peers
• An encryption scheme protecting the data
• A HMAC method ensuring the identity of the sender, and validating that the message has not been altered
• A Diffie-Hellman group establishing the strength of the encryption-key algorithm
• A time limit for how long the encryption key is used before it is replaced
3. Refer to the values displayed within the IKE Policies tab to determine if an existing policy requires revision or removal, or if a new policy requires creation.
Priority: Displays the priority for the IKE policy. The available range is from 1 to 65,543, with 1 being the highest priority value.
Encryption: Displays the encryption method protecting data transmitted between peers. Options include:
• DES.
6. If the properties of an existing policy are no longer relevant and cannot be edited to be useful, click the Add button to define a new policy.
a. Configure a set of attributes for the new IKE policy:
Priority: Define the priority for the IKE policy. The available range is from 1 to 65,543, with 1 being the highest priority value.
Encryption: Set the encryption method used to protect the data transmitted between peers. Options include:
• DES.
b. Refer to the Status field for the current state of the requests made from the applet. This field displays error messages if something goes wrong in the transaction between the applet and the switch.
c. Click OK to use the changes to the running configuration and close the dialog.
d. Click Cancel to close the dialog without committing updates to the running configuration.
6.7.
4. Select an index and click the Details button to display a more robust set of statistics for the selected index. Use this information to discern whether changes to an existing IKE configuration are warranted or if a new configuration is required.
5. Click the Stop Connection button to terminate the statistic collection of the selected IKE peer.
6.8 Configuring IPSec VPN
Use IPSec Virtual Private Network (VPN) to define secure tunnels between two peers.
security parameters in the Crypto Maps at both peers.
• Allows you to specify a lifetime for the IPSec security association.
• Allows encryption keys to change during IPSec sessions.
• Permits Certification Authority (CA) support for a manageable, scalable IPSec implementation.
• Allows dynamic authentication of peers.
If you do not want IKE to be used with your IPSec implementation, you can disable it for IPSec peers.
• Viewing IPSec Security Associations
6.8.1 Defining the IPSec Configuration
Use the IPSec VPN Configuration screen to view the attributes of existing VPN tunnels and modify the security association lifetime and keep alive intervals used to maintain the routes between VPN peers. From the Configuration screen, transform sets can be created, and existing sets modified or deleted.
1. Select Security > IPSec VPN from the main menu tree.
2. Click the Configuration tab.
3.
4. Refer to the Transform Sets field to view the following data:
Name: Displays a transform set identifier used to differentiate transform sets. The index is helpful when transform sets with similar attributes need to be revised or discarded.
AH Authentication Scheme: Displays the AH Transform Authentication scheme used with the index. Options include:
• None - No AH authentication is used.
4. Revise the following information as required to render the existing transform set useful.
Name: The name is read-only and cannot be modified unless a new transform set is created.
AH Authentication Scheme: Select the Use AH checkbox (if necessary) to modify the AH Transform Authentication scheme. Options include:
• None - No AH authentication is used.
• AH-MD5-HMAC - AH with the MD5 (HMAC variant) authentication algorithm.
3. Click the Add button.
4. Define the following information as required for the new transform set.
Name: Create a name describing this new transform set.
AH Authentication Scheme: Select the Use AH checkbox to define the AH Transform Authentication scheme. Options include:
• None - No AH authentication is used.
• AH-MD5-HMAC - AH with the MD5 (HMAC variant) authentication algorithm.
• AH-SHA-HMAC - AH with the SHA (HMAC variant) authentication algorithm.
6.8.2 Defining the IPSec VPN Remote Configuration
Use the IPSec VPN Remote tab to configure the DNS and/or WINS Servers used to route packets to the remote end of the IPSec VPN tunnel. The Remote tab is also used for defining the IP address range used within the IPSec VPN tunnel and configuring the user authentication scheme for user permissions within the IPSec VPN tunnel.
To define the IPSec VPN remote configuration:
1. Select Security > IPSec VPN from the main menu tree.
2.
Starting IP Address: Enter the numerical IP address used as the starting address for the range defined. If the Ending IP address is left blank, then only the starting address is used for the remote destination.
Ending IP Address: Enter a numerical IP address to complete the range. If the Ending IP address is blank, then only the starting address is used as the destination address.
5.
2. Click the Authentication tab.
3. Define whether the IPSec VPN user authentication is conducted using a Radius Server (by selecting the Radius radio button), by a user-defined set of names and passwords (by selecting the User Table radio button) or if no authentication is used for credential verification (by selecting the No Authentication radio button).
4. Enter a NAS ID for the NAS port.
7. Select an existing server and click the Delete button to remove it from the list of available Radius Servers for the remote VPN connection. Only delete a server if its configuration does not provide a valid authentication medium.
8. If you require a new Radius Server be configured, click the Add button. Set this server’s designation as a primary or secondary Radius Server (using the checkboxes), define the server IP address, port and shared secret password.
access, specify a fewer number of Crypto Maps (referring to large identity sections) instead of specifying a large number of Crypto Maps (referring to small identity sections).
To define the Crypto Map configuration:
1. Select Security > IPSec VPN from the main menu tree.
2. Click the Crypto Maps tab. The Crypto Maps screen is divided into 5 tabs, each serving a different function in the overall Crypto Map configuration.
Mode Config: This column displays a green checkmark for the Crypto Map used with the current interface. An “X” is displayed next to other Crypto Maps not currently being used.
Number of Peers: Displays the number of peers used by each Crypto Map displayed.
SA Lifetime (secs): Displays a SA Lifetime (in seconds) that forces the periodic expiration and re-negotiation of peer credentials, thus continually validating the peer relationship.
b. Assign the Crypto Map a Name to differentiate it from others with similar configurations.
c. Use the None, Domain Name or Host Name radio buttons to select and enter the fully qualified domain or host name of the host exchanging identity information.
d. Define a SA Lifetime (secs) to define an interval (in seconds) that (when expired) forces a new association negotiation.
e.
2. Click the Crypto Maps tab and select Peers.
3. Refer to the read-only information displayed within the Peers tab to determine whether a peer configuration (among those listed) requires modification or a new peer requires creation.
Priority / Seq #: Displays each peer’s Seq # (sequence number) in order to distinguish one from the other. The sequence number determines its priority among Crypto Maps. The lower the number, the higher the priority.
a. Define the Seq # /Name for the new peer. The lower the number, the higher the priority among Crypto Maps.
b. Enter the name of the IKE Peer used with the Crypto Map to build an IPSec security association.
7. Click OK when completed to save the configuration of the new Crypto Map peer.
6.8.4.3 Crypto Map Manual SAs
To review, revise or add a Crypto Map using a manually defined security association:
1. Select Security > IPSec VPN from the main menu tree.
2.
6. If a new Crypto Map manual security association requires creation, click the Add button.
a. Define the Seq #. The sequence number determines priority among Crypto Maps. The lower the number, the higher the priority.
b. Provide a unique Name for this Crypto Map with the manual security association to differentiate it from others with similar configurations.
c. Enter the name of the IKE Peer used to build an IPSec security association.
d.
1. Select Security > IPSec VPN from the main menu tree.
2. Click the Crypto Maps tab and select Transform Sets.
3. Refer to the read-only information displayed within the Transform Sets tab to determine whether a Crypto Map transform set requires modification or a new one requires creation.
Priority / Seq #: Displays the Seq # (sequence number) used to determine priority. The lower the number, the higher the priority.
a. Define the Seq #/Name. The lower the number, the higher the priority among Crypto Maps.
b. Enter the name of the Transform set used with the Crypto Map.
7. Click OK when completed to save the configuration of the Crypto Map transform set.
6.8.4.5 Crypto Map Interfaces
To review the interfaces currently available to the Crypto Maps or assign an interface:
NOTE: A Crypto Map cannot be applied to more than one interface at a time.
1.
Crypto Map configuration. Also, adding new peers through the use of new sequence numbers and reassigning the Crypto Map does not tear down existing connections.
6.8.5 Viewing IPSec Security Associations
Refer to the IPSec SAs tab to review the various security associations (SAs) between the local and remote peers comprising an IPSec VPN connection.
4. If necessary, select a security association from those displayed and click the Delete button to remove it.
6.9 Configuring the Radius Server
Remote Authentication Dial-In User Service (Radius) is a client/server protocol and software enabling remote access servers to communicate with the switch to authenticate users and authorize their access to the switch managed network.
• TTLS and MSCHAPv2
• PEAP and GTC
• PEAP and MSCHAPv2
Apart from EAP authentication, the switch allows enforcement of user based policies. User based policies include dynamic VLAN assignment and access based on time of day. The switch uses a default trustpoint. A certificate is required for EAP TTLS, PEAP and TLS Radius authentication (configured with the Radius service). Dynamic VLAN assignment is achieved based on the Radius server response.
6.9.1.2 Authentication of Terminal/Management User(s)
The local Radius server can be used to authenticate users. A normal user (with password) should be created in the local database. These users should not be a part of any group.
6.9.1.3 Access Policy
Access policies are defined for a group created in the local database. Each user is authorized based on the access policies defined for the groups to which the user belongs.
authentication source if a user does not exist in the local Server’s database, since the primary method has rejected the authentication attempt.
6.9.3 Defining the Radius Configuration
To configure Radius support on the switch:
1. Select Security > Radius Server from the main menu.
2. Ensure the Configuration tab is selected.
3. Click the Start the RADIUS server link to use the switch’s own Radius server to authenticate users accessing the switch managed network.
4.
6.9.3.1 Radius Client Configuration
A Radius client implements a client/server mechanism enabling the switch to communicate with a central server to authenticate users and authorize their access to the switch managed network. A Radius client is often an embedded device since it alleviates the need to store detailed user information locally.
To configure Radius client support:
1. Select Security > Radius Server from the main menu.
2.
To configure Radius proxy server support:
1. Select Security > Radius Server from the main menu.
2. Ensure the Configuration tab is selected.
3. Select the Proxy Servers tab from the bottom portion of the Configuration tab. The Proxy Servers tab displays the user ID suffix (index), IP address and port number of the switch’s existing proxy server configurations.
4.
1. Select Security > Radius Server from the main menu.
2. Select the Authentication tab.
3. Refer to the Authentication field to define the following Radius authentication information:
EAP and Auth Type - Specify the EAP type for the Radius server.
• PEAP uses a TLS layer on top of EAP as a carrier for other EAP modules. PEAP is an ideal choice for networks using legacy EAP authentication methods.
Cert Trustpoint - Click the View/Change button to specify the trustpoint from which the Radius server automatically grants certificate enrollment requests. A trustpoint is a representation of a CA or identity pair. A trustpoint contains the identity of the CA, CA-specific configuration parameters, and an association with one enrolled identity certificate. If the server certificate trustpoint is not used, the default trustpoint will be used instead.
To define the Radius user permissions for switch access:
1. Select Security > Radius Server from the main menu.
2. Select the Users tab.
3. Refer to the following user information to assess whether an existing user can be used with the local Radius server as is, requires modification or if a new user is required.
User ID - Displays the username for this specific user.
7. To create a new user for use with the local Radius server, click the Add button and provide the following information.
CAUTION: Radius user passwords will be stored in the running configuration file in clear text if password encryption is not enabled. The user passwords will be shown as encrypted if the global password encryption is enabled. The maximum for the file is 500 users, 100 groups, 25 clients, 5 realms and 2 LDAP servers.
2. Select the Groups tab.
3. Refer to the displayed user groups to assess the following read-only attributes for each group listed:
Name - Displays the unique name assigned to each group. The group name should be indicative of the user population within and their shared activity within the switch managed network.
Guest Group - Displays whether a specific group has been defined as a guest group (with a red X) or has been configured as a permanent group.
6. To modify the attributes of an existing group, select the group from the list of groups displayed and click the Edit button. Modify the existing group’s guest designation, VLAN ID, access period and WLAN assignment.
7. If an existing group is no longer needed (perhaps obsolete in function), select the group from those displayed and click the Delete button to permanently remove the group from the list of available groups.
8.
2. Select the Accounting Logs tab.
3. Refer to the following information as displayed within the Accounting Logs tab.
Filename - Displays the name of each accounting log file. Use this information to differentiate files with similar attributes.
Type - Displays the type of each file.
Size - Displays the size of the file.
NOTE: An explicit purge operation is not supported; the accounting logs are purged automatically once they reach their limit.
6.
Server Certificates are issued to Web Servers and used to authenticate Web Servers to Web browsers while establishing a Secure Socket Layer (SSL) connection. The Server Certificates screen contains the following two tabs:
• Using Trustpoints to Configure Certificates
• Configuring Trustpoint Associated Keys

6.10.1 Using Trustpoints to Configure Certificates
Each certificate is digitally signed by a trustpoint.
Org. Unit (OU) - Displays the name of the organizational unit making the certificate request.
Common Name (CN) - If there is a common name (IP address) for the organizational unit making the certificate request, it displays here.
Issued By
Country (C) - Displays the Country of the certificate issuer.
State (ST) - Displays the state or province for the country the certificate was issued.
Using the Wizard to Create a New Certificate
To generate a new self-signed certificate or prepare a certificate request which can be sent to a Certificate Authority (CA):
1. Select the Create new certificate radio button in the wizard and click the Next button. The second page of the wizard contains two editable fields, Select Certificate Operation and Specify a key for you new certificate.
2.
Select a trustpoint for the new certificate
• Use existing trustpoint - Select an existing trustpoint from the drop-down menu.
• Create a new trustpoint - Provide a name for the new trustpoint in the space provided.
To specify the key for the new certificate, select one of the following options:
• Automatically generate a key - Select this option to automatically generate a key for the trustpoint.
If generating a new self-signed certificate (as selected in page 2 of the wizard), the wizard continues the installation. Use the third page of the wizard to enter a unique trustpoint name and other credentials required to create a new certificate.
3. Select the Configure the trustpoint checkbox to enable the new self signed certificate to be configured as a trustpoint.
4.
IP Address - Specify the switch IP address that can be used as the switch destination for certificate requests.
Password - Enter an alphanumeric password used to access the certificate configuration.
Company - Provide a Company name to be used on behalf of the certificate.
5. Select the Enroll the trustpoint checkbox to enroll the certificate request with the CA.
6. Click Next to proceed with the certificate creation.
1. Select the Delete Operations radio button in the wizard and click the Next button. The next page of the wizard is used to delete a trustpoint.
2. Select the Delete the following for trustpoint checkbox and select the trustpoint to delete from the drop-down menu associated with it. This enables the following options:
Delete entire trustpoint - Select the checkbox and select a certificate to remove. If selected, the Delete the following trustpoint option is disabled.
2. Select the Keys tab. The Keys tab displays the following:
Key Label - The Key Label is the name of the key pair that can be automatically generated separately, or automatically when selecting a certificate. Specify your option within the wizard.
Key Sizes - The size of the desired key. If not specified, a key size of 1024 is used.
3. Highlight a Key from the table and click the Delete button to delete it from the switch.
4.
3. Click the Add button at the bottom of the screen.
4. Enter a Key Label in the space provided to specify a name for the new key pair.
5. Define the Key Size between 1024 and 2048 in the space provided.
6. Refer to the Status field for the current state of the requests made from the applet. This field displays error messages if something goes wrong in the transaction between the applet and the switch.
7. Click OK to save the changes to the running configuration and close the dialog.
8.
8. Use the Using drop-down menu to configure whether the log file transfer will be sent using FTP or TFTP.
9. Enter the IP Address of the destination server or system receiving the target log file.
10. Enter the User ID credentials required to send the file to the target location. Use the user ID for FTP transfers only.
11. Enter the Password required to send the file to the target location using FTP.
12.
Switch Management
This chapter describes the Management Access main menu items used to configure the switch. This chapter contains the following content:
• Displaying the Management Access Interface
• Configuring Access Control
• Configuring SNMP Access
• Configuring SNMP Traps
• Configuring SNMP Trap Receivers
• Configuring Management Users
NOTE: HTTPS must be enabled to access the switch applet. Ensure that HTTPS access has been enabled before using the login screen to access the switch applet.
7.
To display the main Management screen:
1. Select Management Access from the main menu tree.
2. Refer to the Current Status field to review the following read-only information:
Firmware In Use - The Firmware In Use value displays the software version currently running on the switch. Use this information to assess whether a firmware update would improve the switch feature set and functionality.
1. Select Management Access > Access Control from the main menu tree.
2. Refer to the Management Settings field to enable or disable the following switch interfaces:
Secure Management (on Management VLAN only) - Select this checkbox to allow management VLAN access to switch resources. The management VLAN is used to establish an IP connection to the switch from a workstation connected to a port in the VLAN.
Enable FTP - Select this checkbox to enable FTP access to the switch. File Transfer Protocol (FTP) is the language used for file transfers across the Web. This setting is disabled by default.
Port - Displays the port number used for the FTP session with the switch (if using FTP).
Username - Displays the read-only name of the user whose credentials are used for the FTP session.
7.3.1 Configuring SNMP v1/v2 Access
SNMP version 2 (SNMPv2) is an evolution of SNMPv1. The Get, GetNext, and Set operations used in SNMPv1 are exactly the same as those used in SNMPv2. However, SNMPv2 adds and enhances some protocol operations. The SNMPv2 Trap operation, for example, serves the same function used in SNMPv1, but it uses a different message format and is designed to replace an SNMPv1 Trap.
7.3.1.1 Editing an Existing SNMP v1/v2 Community Name
The Edit screen allows the user to modify a community name and change its read-only or read/write designation. Since the community name is required to match the name used within the remote network management software, it is recommended the name be changed appropriately to match a new naming (and user) requirement used by the management software.
CAUTION: The 3.x version WS5100 switch uses 3 unique (default) SNMPv3 user names and passwords for MD5 authentication and DES privacy. If upgrading your configuration from a 1.4.x or 2.x baseline, you will need to change your SNMPv3 usernames and passwords to ensure SNMPv3 interoperation.
4. Highlight an existing v3 entry and click the Edit button to modify the password for the Auth Protocol and Priv Protocol. For additional information, see Editing an Existing SNMP v1/v2 Community Name.
5. Highlight an existing SNMP v3 User Name and click the Enable button to enable the log-in for the specified user. When selected, the status of the user is defined as active.
6.
7.3.3 Accessing SNMP v2/v3 Statistics
Refer to the Statistics screen for a read-only overview of SNMP V2/V3 events and their current values. The screen also displays Usm Statistics (SNMP V3 specific events specific to the User-based Security Model) and their values.
To edit an SNMP v3 user profile:
1. Select Management Access > SNMP Access from the main menu tree.
2. Select the Statistics tab from within the SNMP Access screen.
3.
Usm Statistics - Displays SNMP v3 events specific to Usm. The User-based Security Model (USM) decrypts incoming messages. The module then verifies authentication data. For outgoing messages, the USM module encrypts PDUs and generates authentication data. The module then passes the PDUs to the message processor, which then invokes the dispatcher.
7.4 Configuring SNMP Traps
Use the SNMP Trap Configuration screen to enable or disable trap generation individually or by functional group. It is also used for modifying the existing threshold condition values for individual trap descriptions. The SNMP Trap Configuration window consists of the following tabs:
• Enabling Trap Configuration
• Configuring Trap Thresholds
7.4.
4. Select an individual trap, by expanding the node in the tree view, to view a high-level description of this specific trap within the Trap Description field. You can also select a trap family category heading (such as "Redundancy" or "NSM") to view a high-level description of the traps within that trap category.
Redundancy - Displays a list of sub-items (trap options) specific to the Redundancy (clustering) configuration option.
8. Highlight a sub-menu header (such as Redundancy or Update Server) and click the Enable all sub-items button to enable the item as an active SNMP trap. Those sub-items previously disabled (with an "X" to the left) now display with a check to the left of them. Once the Apply button is clicked, the selected items are now active SNMP traps on the system.
9.
Threshold values for: MU - Displays a threshold value for associated MUs. Use the Threshold Name and Threshold Conditions as input criteria to define an appropriate Threshold Value unique to the MUs within the network. For information on specific values, see Wireless Trap Threshold Values.
Threshold values for: AP - Set a threshold value for associated radios.
7.4.2.1 Wireless Trap Threshold Values
The table below lists the Wireless Trap threshold values for the switch:
# | Threshold Name | Condition | Station Range | Radio Range | WLAN Range | Wireless Service Range | Units
1 | Packets per Second | Greater than | A decimal number greater than 0.00 and less than or equal to 100000.00 | A decimal number greater than 0.00 and less than or equal to 100000.00 | A decimal number greater than 0.00 and less than or equal to 100000.
7.5 Configuring SNMP Trap Receivers
Refer to the Trap Receivers screen to review the attributes of existing SNMP trap receivers (including destination address, port, community, retry count, timeout and trap version). A new v2c or v3 trap receiver can be added to the existing list by clicking the Add button.
To configure the attributes of SNMP trap receivers:
1. Select Management Access > SNMP Trap Receivers from the main menu tree.
2.
4. Highlight an existing Trap Receiver and click the Delete button to remove the Trap Receiver from the list of destinations available to receive SNMP trap information. Remove Trap Receivers as needed if the destination address information is no longer available on the system.
5. Click the Add button to display a sub-screen used to assign a new Trap Receiver IP Address, Port Number and v2c or v3 designation to the new trap.
6. Click OK to save and add the changes to the running configuration and close the dialog.
7. Refer to the Status field for the current state of the requests made from the applet. This field displays error messages if something goes wrong in the transaction between the applet and the switch.
8. Click Cancel to close the dialog without committing updates to the running configuration.
7.
• Privileges – This frame displays the privileges assigned to different types of user.
3. Select the user (Admin, Operator or user defined) from the Users frame and the Privilege frame displays the rights authorized to the user.
4. Click on the Edit button to modify the associated roles and access modes of the selected user. By default, the switch has two default users – Admin and Operator. The Admin role is that of a superuser, and the Operator role is monitor (read only).
5.
5. Select the role you want to assign to the new user from the options provided in the Associated Roles panel. Select one or more of the following options:
Monitor - Select Monitor to assign regular user permissions without any administrative rights. The Monitor option provides read-only permissions.
Help Desk Manager - Assign this role to someone who typically troubleshoots and debugs problems reported by the customer.
5. Select the role to assign to the user from the options provided in the Associated Roles field. Select one or more of the following options:
Monitor - If necessary, modify user permissions without any administrative rights. The Monitor option provides read-only permissions.
Help Desk Manager - Optionally assign this role to someone who typically troubleshoots and debugs problems reported by the customer.
7.6.1.3 Creating a Guest Admin and Guest User
Optionally, create a guest administrator for the purpose of creating guest users with specific usernames, start and expiry times and passwords. Each guest user can be assigned access to specific user groups to ensure they are limited to just the group information they need, and nothing additional.
NOTE: A guest user added from the switch Web UI will be 5 minutes ahead of the switch's current time.
5. Assign the guest-admin WebUser Administrator access.
NOTE: To be able to create guest users, a guest administrator must be assigned the WebUser Administrator access mode. None of the other modes will launch the required Guest User Configuration screen upon login.
When the guest-admin user logs in, they are redirected to a Guest User Configuration screen, wherein start and end user permissions can be defined in respect to specific users.
6.
2. Click on the Authentication tab.
3. Refer to the Authentication methods field for the following:
Preferred Method - Select the preferred method for authentication. Options include:
• None - No authentication
• Local - The user employs a local user authentication resource. This is the default setting.
• Radius - Uses an external Radius Server.
Alternate Method - Select an alternate method for authentication.
Shared Secret - Displays the shared secret used to verify Radius messages (with the exception of the Access-Request message) are sent by a Radius-enabled device configured with the same shared secret. The shared secret is a case-sensitive string that can include letters, numbers, or symbols. Ensure the shared secret is at least 22 characters long to protect the Radius server from brute-force attacks.
5. Refer to the Status field for the current state of the requests made from the applet. This field displays error messages if something goes wrong in the transaction between the applet and the switch.
6. Click on OK to complete the modification of the Radius Server.
7. Click Cancel to revert back to the last saved configuration without saving any of your changes.
7.6.2.
5. Refer to the Status field for the current state of the requests made from the applet. This field displays error messages if something goes wrong in the transaction between the applet and the switch.
6. Click on OK to complete the addition of the Radius Server.
7. Click Cancel to revert back to the last saved configuration without saving any of your changes.
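The Shared Secret field described above is what lets a Radius client check that a reply came from a server holding the same secret: under RFC 2865 every reply carries a Response Authenticator, an MD5 digest over the reply header, the Request Authenticator, the attributes and the secret. The Python below is an added example, not code from this guide or from the switch; the secrets, identifier and packet contents are constructed for illustration.

```python
import hashlib
import hmac
import struct

MIN_SECRET_LEN = 22  # minimum shared-secret length recommended in the guide text
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
REPLY_MESSAGE = 18   # RFC 2865 attribute type for Reply-Message


def secret_is_long_enough(secret: bytes) -> bool:
    """Check a shared secret against the guide's 22-character minimum."""
    return len(secret) >= MIN_SECRET_LEN


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type(1) Length(1) Value; Length includes the 2-byte header."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_response(code: int, identifier: int, request_auth: bytes,
                   attributes: bytes, secret: bytes) -> bytes:
    """Build a reply whose authenticator is MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    authenticator = hashlib.md5(header + request_auth + attributes + secret).digest()
    return header + authenticator + attributes


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Return True only if the reply's authenticator matches the shared secret."""
    if len(packet) < 20:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code == ACCESS_REQUEST:
        # An Access-Request carries a random Request Authenticator, not a digest,
        # which is why the guide excludes it from shared-secret verification.
        return False
    if length < 20 or length > 4096 or length > len(packet):
        return False
    packet = packet[:length]  # octets beyond the Length field are padding
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)  # constant-time comparison


def demo() -> dict:
    """Run the check on constructed data: genuine, wrong-secret and tampered replies."""
    secret = b"constructed-demo-secret-0001"   # constructed, 28 characters
    request_auth = bytes(range(16))            # constructed; real clients use random octets
    attributes = encode_attribute(REPLY_MESSAGE, b"Welcome")
    reply = build_response(ACCESS_ACCEPT, 7, request_auth, attributes, secret)
    tampered = reply[:-1] + b"!"               # last attribute octet altered in transit
    return {
        "genuine": verify_response(reply, request_auth, secret),
        "wrong_secret": verify_response(reply, request_auth, b"another-constructed-secret-02"),
        "tampered": verify_response(tampered, request_auth, secret),
        "short_secret_ok": secret_is_long_enough(b"symbol123"),
    }


if __name__ == "__main__":
    print(demo())
```

Because the only unknown input to the digest is the secret, a short secret is the weak point of this check, which is the reason for the 22-character minimum stated above.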
Diagnostics
This chapter describes the various diagnostic features available to monitor switch performance. It consists of the following sections:
• Displaying the Main Diagnostic Interface
• Configuring System Logging
• Reviewing Core Snapshots
• Reviewing Panic Snapshots
• Debugging the Applet
• Configuring a Ping
NOTE: HTTPS must be enabled to access the switch applet. Ensure HTTPS access has been enabled before using the login screen to access the switch applet.
NOTE: When the switch’s configuration is successfully updated (using the Web UI), the affected screen is closed without informing the user their change was successful. However, if an error were to occur, the error displays within the affected screen’s Status field and the screen remains displayed.
5. Use the Temperature Sensors field to monitor the CPU and system temperatures. This information is extremely useful in assessing if the switch exceeds its critical limits.
6. Refer to the Fans field to monitor the CPU and system fan speeds. Unlike an RFS7000 model switch, a WS5100 has two fans.
7. Click on the Apply button to commit and apply the changes.
8. Click the Revert button to revert back to the last saved configuration.
8.1.
8.1.3 Switch Memory Allocation
Use the Memory screen to assess the CPU’s load over the last 1, 5, and 15 minutes.
1. Select Diagnostics from the main tree menu.
2. Select the Memory tab. The Memory tab has the following two fields:
• RAM
• Buffer
3. Refer to the RAM field to view the percentage of CPU memory in use in a pie chart format. Use the Free Limit field to change the CPU’s memory allocation limits.
2. Select the Disk tab.
3. The Disk tab displays the status of the various disks on the switch. Each section displays the following information:
• Maximum Limit
• Free INodes
• Free INode Limit
4. Use the Free Limit Space variable carefully, as disk space may be required during periods of high bandwidth traffic and file transfers.
5. Click the Apply button to commit and apply the changes.
6. Click the Revert button to revert back to the last saved configuration.
8.1.
2. Select the Processes tab.
3. The Processes tab has 2 fields:
• General
• Processes by highest memory consumption
4. Refer to the General field for the number of processes in use and percentage of memory usage per process. The value defined is the maximum limit per process during periods of increased network activity and is negotiated amongst the other processes as needed during normal periods of switch activity.
5.
2. Select the Other Resources tab. The Other Resources tab displays the memory allocation of Packet Buffer, IP Route Cache and File Descriptors. Keep the Cache allocation in line with cache expectations required within the switch managed network.

8.2 Configuring System Logging
Use the System Logging screen for logging system events. It's important to log individual switch events to discern an overall pattern that may be negatively impacting switch performance.
2. Select the Log Options tab.
3. Select the Enable Logging Module checkbox to enable the switch to log system events to a local log file or a syslog server.
4. Select the Enable Logging to Buffer checkbox to enable the switch to log system events to a buffer. Use the drop-down menu to select the desired log level for tracking system events to a local log file.
5.
9. Click the Revert button to move the display back to the last saved configuration.

8.2.2 File Management
Use the File Mgt screen to view existing system logs. Select a file to display its details in the Preview field. Click the View button to display the file’s entire contents. Once viewed, the user has the option of clearing the file or transferring the file to a user-defined location.
To view the Log options:
1. Select Diagnostics > System Logging from the main menu tree.
2.
5. Highlight a file from the list of log files available within the File Mgt tab and click the View button to display a detailed description of the entire contents of the log file. To view the entire content of an individual log file, see Viewing the Entire Contents of Individual Log Files.
6. Click the Clear Buffer button to remove the contents of the File Mgt tab.
3. Refer to the following for information on the elements that can be viewed within a log file:
Timestamp - Displays the date, year and time of day the log file was initially created. This value only states the time the file was initiated, not the time it was modified or appended.
Module - Displays the name of the switch logging the target event.
Severity - The Severity level coincides with the logging levels defined within the Log Options tab.
2. Select a target log file to transfer and click the Transfer File button.
3. Use the From drop-down menu (within the Source field) to specify the location from which the log file is sent. If only the applet is available as a transfer location, use the default switch option.
4. Select a target file for transfer from the File drop-down menu. The drop-down menu contains the log files listed within the File-Mgmt screen.
5.
To view the core snapshots available on the switch:
1. Select Diagnostics > Core Snapshots from the main menu tree.
2. Refer to the following table headings within the Core Snapshots screen:
Name - Displays the title of the process, process ID (pid) and build number separated by underscores. The file extension is always .core for core files.
Size (Bytes) - Displays the size of the core file in bytes.
Created - Displays the date and time the core file was generated.
2. Select a target file, and select the Transfer Files button.
3. Use the From drop-down menu to specify the location from which the log file is sent. If only the applet is available as a transfer location, use the default switch option.
4. Select a target file for the file transfer from the File drop-down menu. The drop-down menu contains the core files listed within the File-Mgmt screen.
5.
To review the current Panic Snapshots on the switch:
1. Select Diagnostics > Panic Snapshots from the main menu.
2. Refer to the following table headings within the Panic Snapshots screen:
Name - Displays the title of the panic file. Panic files are named n.panic where n is in the range 0-9. 0 is always the oldest saved panic file and the highest number is the most recent.
8.4.1 Viewing Panic Details
Use the View facility to review the entire contents of a panic snapshot before transferring or deleting the file. The view screen enables you to display the entire file.
To review Panic Snapshots:
1. Select Diagnostics > Panic Snapshots from the main menu.
2. Select a panic from those available and click the View button.
3.
8. If Server has been selected as the source, enter the IP Address of the destination server or system receiving the target panic file.
9. If Server has been selected as the source, enter the User ID credentials required to send the file to the target location. The User ID is required for FTP transfers only.
10. If Server has been selected as the source, enter the Password required (for FTP transfers) to send the file to the target location.
11.
• What kinds of message should be seen.
4. Select the Send log message to a file checkbox if you wish to store the log message. Enabling this checkbox allows you to select the file location where you wish to store the log message.
5. Select the Use SNMP V2 only checkbox to use SNMP v2 to debug the applet. Check whether you have access to SNMP v2 by clicking on the Test SNMP V2 access button.
6.
To view the switch’s existing ping configuration:
1. Select Diagnostics > Ping from the main menu.
2. Refer to the following information displayed within the Configuration tab:
Description - Displays the user assigned description of the ping test. The name is read-only. Use this title to determine whether this test can be used as is, modified under the same description or if a new ping test is required.
Destination IP - Displays the IP address of the target device.
8.6.1 Modifying the Configuration of an Existing Ping Test
The properties of an existing ping test can be modified in order to ping an existing (known) device whose network address attributes may have changed and require modification to connect (ping) to it.
To modify the attributes of an existing ping test:
1. Select Diagnostics > Ping from the main menu.
2. Highlight an existing ping test within the Configuration tab and select the Edit button.
3.
2. Click the Add button at the bottom of the Configuration tab.
3. Enter the following information to define the properties of the new ping test:
Test Name - Enter a short name for the ping test to describe either the target destination of the ping packet or the ping test’s expected result. Use the name provided in combination with the ping test description to convey the overall function of the test.
8.6.3 Viewing Ping Statistics
Refer to the Ping Statistics tab for an overview of the overall success of the ping test with the destination IP addresses displayed within the screen. Use this information to determine whether the destination IP represents a device that could offer the switch a viable connection to either extend the switch’s existing radio coverage area or provide support for additional MUs within an existing network segment.
Average RTT - Displays the average round trip time for ping packets transmitted between the switch and its destination IP address. Use this value as a general baseline (along with packets sent vs packets received) for the overall connection and association potential between the switch and target device.
Last Response - Displays the time (in seconds) the switch last “heard” the destination IP address over the switch managed network.
Appendix A Customer Support
Motorola’s Enterprise Mobility Support Center
If you have a problem with your equipment, contact Enterprise Mobility support for your region. Contact information is available at: http://www.symbol.com/contactsupport.
MOTOROLA INC. 1303 E. ALGONQUIN ROAD SCHAUMBURG, IL 60196 http://www.motorola.