Brocade 5181 User Manual
53-1002516-01
14 May 2012
Brocade Mobility 5181
Access Point
®
Product Reference Guide
Supporting software release 4.4.0.0
Copyright © 2012 Brocade Communications Systems, Inc. All Rights Reserved.
Brocade, Brocade Assurance, the B-wing symbol, DCX, Fabric OS, MLX, SAN Health, VCS, and VDX are registered trademarks, and
AnyIO, Brocade One, CloudPlex, Effortless Networking, ICX, NET Health, OpenScript, and The Effortless Network are trademarks of
Brocade Communications Systems, Inc., in the United States and/or in other countries. Other brands, products, or service names
mentioned may be trademarks of their respective owners.
Notice: This document is for informational purposes only and does not set forth any warranty, expressed or implied, concerning
any equipment, equipment feature, or service offered or to be offered by Brocade. Brocade reserves the right to make changes to
this document at any time, without notice, and assumes no responsibility for its use. This informational document describes
features that may not be currently available. Contact a Brocade sales office for information on feature and product availability.
Export of technical data contained in this document may require an export license from the United States government.
The authors and Brocade Communications Systems, Inc. shall have no liability or responsibility to any person or entity with
respect to any loss, cost, liability, or damages arising from the information contained in this book or the computer programs that
accompany it.
The product described by this document may contain “open source” software covered by the GNU General Public License or other
open source license agreements. To find out which open source software is included in Brocade products, view the licensing
terms applicable to the open source software, and obtain a copy of the programming source code, please visit
http://www.brocade.com/support/oscd.
Brocade Communications Systems, Incorporated
Corporate and Latin American Headquarters
Brocade Communications Systems, Inc.
130 Holger Way
San Jose, CA 95134
Tel: 1-408-333-8000
Fax: 1-408-333-8101
E-mail: info@brocade.com
European Headquarters
Brocade Communications Switzerland Sàrl
Centre Swissair
Tour B - 4ème étage
29, Route de l'Aéroport
Case Postale 105
CH-1215 Genève 15
Switzerland
Tel: +41 22 799 5640
Fax: +41 22 799 5641
E-mail: emea-info@brocade.com
Asia-Pacific Headquarters
Brocade Communications Systems China HK, Ltd.
No. 1 Guanghua Road
Chao Yang District
Units 2718 and 2818
Beijing 100020, China
Tel: +8610 6588 8888
Fax: +8610 6588 9999
E-mail: china-info@brocade.com
Asia-Pacific Headquarters
Brocade Communications Systems Co., Ltd. (Shenzhen WFOE)
Citic Plaza
No. 233 Tian He Road North
Unit 1308 – 13th Floor
Guangzhou, China
Tel: +8620 3891 2000
Fax: +8620 3891 2111
E-mail: china-info@brocade.com
Document History
Title Publication number Summary of changes Date
Brocade Mobility 5181 Access Point
Product Reference Guide
53-1002516-01 New document 14 May 2012
Contents
About This Document
Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi
Supported hardware and software . . . . . . . . . . . . . . . . . . . . . . . . . . . xi
Document conventions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi
Related publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xii
Getting technical help. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
Chapter 1 Introduction
New features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
WIPS support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Trusted host management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Apache certificate management. . . . . . . . . . . . . . . . . . . . . . . . . . 2
Adaptive AP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Rogue AP enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Bandwidth management enhancements. . . . . . . . . . . . . . . . . . . 3
Radius time-based authentication . . . . . . . . . . . . . . . . . . . . . . . . 3
QBSS support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Brocade Mobility 5181 Access Point Product Reference Guide iii
53-1002516-01
Feature overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Single or dual mode radio options . . . . . . . . . . . . . . . . . . . . . . . . 4
Separate LAN and WAN ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Multiple mounting options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Antenna support for 2.4 GHz and 5 GHz radios . . . . . . . . . . . . . 5
Sixteen configurable WLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Support for 4 BSSIDs per radio. . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Quality of Service (QoS) support . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Industry leading data security. . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
VLAN support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10
Multiple management accessibility options. . . . . . . . . . . . . . . .10
Updatable firmware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10
Programmable SNMP v1/v2/v3 trap support . . . . . . . . . . . . . . 11
Power-over-Ethernet support. . . . . . . . . . . . . . . . . . . . . . . . . . . .11
Client-client transmission disallow . . . . . . . . . . . . . . . . . . . . . . .11
Voice prioritization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Support for CAM and PSP clients . . . . . . . . . . . . . . . . . . . . . . . .12
Statistical displays . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12
Transmit power control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Advanced event logging capability . . . . . . . . . . . . . . . . . . . . . . . 13
Configuration file import/export functionality . . . . . . . . . . . . . . 13
Default configuration restoration . . . . . . . . . . . . . . . . . . . . . . . .13
DHCP support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Multi-function LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14
Mesh networking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14
Additional LAN subnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
On-board Radius server authentication . . . . . . . . . . . . . . . . . . .15
Hotspot support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Routing information protocol (RIP) . . . . . . . . . . . . . . . . . . . . . . .16
Manual date and time settings. . . . . . . . . . . . . . . . . . . . . . . . . . 16
Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Auto negotiation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16
Theory of operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Wireless coverage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17
MAC layer bridging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18
Media types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18
Direct-sequence spread spectrum . . . . . . . . . . . . . . . . . . . . . . .19
Client association process . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19
Operating modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20
Management access options . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Mobility 5181 Access Point MAC address assignment . . . . . . .21
Chapter 2 Hardware Installation
Precautions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23
Mobility 5181 Access Point configurations . . . . . . . . . . . . . . . . . . . . 23
Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Access point placement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Site surveys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25
Antenna options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25
iv Brocade Mobility 5181 Access Point Product Reference Guide
53-1002516-01
Power options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26
Power Injector and Power Tap systems . . . . . . . . . . . . . . . . . . . . . . . 26
Installing the Power Tap. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Mounting a Mobility 5181 Access Point . . . . . . . . . . . . . . . . . . . . . . 28
Mobility 5181 Access Point pole mounted installations . . . . . .28
Mobility 5181 Access Point wall mounted installations . . . . . . 31
Mobility 5181 Access Point LED indicators . . . . . . . . . . . . . . . . . . . . 33
Setting up clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Chapter 3 Getting Started
Installing the Access Point . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .35
Configuration options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .35
Initially connecting to the Access Point . . . . . . . . . . . . . . . . . . . . . . . 36
Connecting to the Access Point using the WAN port . . . . . . . . . 36
Connecting to the Access Point using the LAN port . . . . . . . . .36
Basic device configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Configuring device settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Testing connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .44
Where to go from here?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .44
Chapter 4 System Configuration
Configuring system settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .45
Adaptive AP setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .48
Configuring data access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Defining trusted hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Managing Certificate Authority (CA) certificates . . . . . . . . . . . . . . . .56
Importing a CA certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .56
Creating self certificates for accessing the VPN . . . . . . . . . . . .58
Creating a certificate for onboard RADIUS authentication . . . .60
Apache certificate management. . . . . . . . . . . . . . . . . . . . . . . . . 63
Configuring SNMP settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .64
Configuring SNMP access control. . . . . . . . . . . . . . . . . . . . . . . .68
Enabling SNMP traps. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Configuring specific SNMP traps . . . . . . . . . . . . . . . . . . . . . . . . 71
Configuring SNMP RF trap thresholds . . . . . . . . . . . . . . . . . . . . 74
Configuring Network Time Protocol (NTP) . . . . . . . . . . . . . . . . . . . . . 76
Configuring LLDP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .78
Logging configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Importing/exporting configurations . . . . . . . . . . . . . . . . . . . . . . . . . .81
Updating device firmware. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Upgrade/downgrade considerations . . . . . . . . . . . . . . . . . . . . . 91
Brocade Mobility 5181 Access Point Product Reference Guide v
53-1002516-01
Chapter 5 Network Management
Configuring the LAN interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .93
Configuring VLAN support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .95
Configuring LAN1 and LAN2 settings . . . . . . . . . . . . . . . . . . . . . 97
Configuring WAN settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .101
Configuring Network Address Translation (NAT) settings . . . .103
Configuring dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . .105
Enabling wireless LANs (WLANs) . . . . . . . . . . . . . . . . . . . . . . . . . . .106
Creating/editing individual WLANs . . . . . . . . . . . . . . . . . . . . . .107
Setting the WLAN’s radio configuration . . . . . . . . . . . . . . . . . .118
Configuring bandwidth management settings. . . . . . . . . . . . .126
Configuring WIPS server settings. . . . . . . . . . . . . . . . . . . . . . . . . . .127
Configuring router settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .128
Setting the RIP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . .129
Chapter 6 Configuring Access Point Security
Configuring security options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .132
Setting passwords. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .132
Resetting the access point password. . . . . . . . . . . . . . . . . . . .133
Enabling authentication and encryption schemes . . . . . . . . . . . . .134
Configuring Kerberos authentication. . . . . . . . . . . . . . . . . . . . . . . .136
Configuring 802.1x EAP authentication. . . . . . . . . . . . . . . . . . . . . .137
Configuring WEP encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .140
Configuring KeyGuard encryption . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Configuring WPA/WPA2 using TKIP . . . . . . . . . . . . . . . . . . . . . . . . .142
Configuring WPA2-CCMP (802.11i) . . . . . . . . . . . . . . . . . . . . . . . . .144
Configuring firewall settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .146
Configuring LAN to WAN access . . . . . . . . . . . . . . . . . . . . . . . .147
Configuring advanced subnet access. . . . . . . . . . . . . . . . . . . .150
Configuring VPN tunnels. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .151
Configuring manual key settings. . . . . . . . . . . . . . . . . . . . . . . .153
Configuring auto key settings . . . . . . . . . . . . . . . . . . . . . . . . . .156
Configuring IKE key settings . . . . . . . . . . . . . . . . . . . . . . . . . . .157
Viewing VPN status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .159
Configuring content filtering settings. . . . . . . . . . . . . . . . . . . . . . . .160
Configuring rogue AP detection . . . . . . . . . . . . . . . . . . . . . . . . . . . .162
Moving rogue APs to the allowed AP list. . . . . . . . . . . . . . . . . .164
Using clients to detect rogue devices . . . . . . . . . . . . . . . . . . . .166
vi Brocade Mobility 5181 Access Point Product Reference Guide
53-1002516-01
Configuring user authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . .167
Configuring the Radius server. . . . . . . . . . . . . . . . . . . . . . . . . .167
Configuring LDAP authentication . . . . . . . . . . . . . . . . . . . . . . .169
Configuring a proxy Radius server . . . . . . . . . . . . . . . . . . . . . .170
Managing the local user database . . . . . . . . . . . . . . . . . . . . . .172
Defining user access permissions by group. . . . . . . . . . . . . . .173
Defining the user access policy . . . . . . . . . . . . . . . . . . . . . . . .173
Chapter 7 Monitoring Statistics
Viewing WAN statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Viewing LAN statistics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .180
Viewing STP statistics for a LAN . . . . . . . . . . . . . . . . . . . . . . . .182
Viewing wireless statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .183
Viewing WLAN statistics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .185
Viewing radio statistics summary . . . . . . . . . . . . . . . . . . . . . . . . . .187
Viewing radio statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .188
Viewing client statistics summary . . . . . . . . . . . . . . . . . . . . . . . . . .191
Viewing client details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .192
Pinging individual clients. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .194
Client authentication statistics . . . . . . . . . . . . . . . . . . . . . . . . .195
Viewing the mesh statistics summary . . . . . . . . . . . . . . . . . . . . . . .195
Viewing known access point statistics. . . . . . . . . . . . . . . . . . . . . . .196
Chapter 8 CLI Reference
In this chapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .199
Connecting to the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .199
Accessing the CLI through the Serial Port . . . . . . . . . . . . . . . .199
Accessing the CLI via Telnet . . . . . . . . . . . . . . . . . . . . . . . . . . .200
Admin and Common Commands . . . . . . . . . . . . . . . . . . . . . . . . . . .200
Network Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .204
Network LAN Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .205
Network WAN Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . .221
Network Wireless Commands. . . . . . . . . . . . . . . . . . . . . . . . . .240
Network Firewall Commands . . . . . . . . . . . . . . . . . . . . . . . . . .285
Network Router Commands . . . . . . . . . . . . . . . . . . . . . . . . . . .289
System Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .293
Adaptive AP Setup Commands . . . . . . . . . . . . . . . . . . . . . . . . .297
System Access Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . .300
System Certificate Management Commands . . . . . . . . . . . . .302
System SNMP Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . .309
System User Database Commands . . . . . . . . . . . . . . . . . . . . .319
System Radius Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . .325
System Network Time Protocol (NTP) Commands . . . . . . . . . .337
System Log Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .340
System Configuration-Update Commands . . . . . . . . . . . . . . .343
Firmware Update Commands . . . . . . . . . . . . . . . . . . . . . . . . . .347
Brocade Mobility 5181 Access Point Product Reference Guide vii
53-1002516-01
Statistics Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .350
Chapter 9 Configuring Mesh Networking
Mesh networking overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .359
Mobility 5181 Access Point client bridge
association process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .360
Spanning tree protocol (STP). . . . . . . . . . . . . . . . . . . . . . . . . . .361
Defining the mesh topology . . . . . . . . . . . . . . . . . . . . . . . . . . .361
Mesh networking and the two subnets of the
Mobility 5181 Access Point . . . . . . . . . . . . . . . . . . . . . . . . . . . .362
Normal operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .362
Impact of importing/exporting configurations
to a mesh network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .362
Configuring mesh networking support. . . . . . . . . . . . . . . . . . . . . . .363
Setting the LAN configuration for mesh networking support .363
Configuring a WLAN for mesh networking support . . . . . . . . .364
Configuring the access point radio for mesh support . . . . . . .367
Mesh network deployment - quick setup. . . . . . . . . . . . . . . . . . . . . 371
Scenario 1 - two base bridges and one client bridge . . . . . . . 371
Scenario 2 - two hop mesh network with a base
bridge repeater and a client bridge . . . . . . . . . . . . . . . . . . . . .373
Mesh networking frequently asked questions . . . . . . . . . . . . . . . . 374
Chapter 10 Adaptive AP
Adaptive AP overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .379
Where to go from here. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .380
Adaptive AP management . . . . . . . . . . . . . . . . . . . . . . . . . . . . .380
Licensing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .380
Controller discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .380
Securing a configuration channel between
controller and AP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .381
Adaptive AP WLAN topology . . . . . . . . . . . . . . . . . . . . . . . . . . .381
Configuration updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .382
Securing data tunnels between the controller and AAP . . . . .382
Adaptive AP controller failure . . . . . . . . . . . . . . . . . . . . . . . . . .382
Remote site survivability (RSS) . . . . . . . . . . . . . . . . . . . . . . . . .382
Adaptive mesh support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .383
Supported adaptive AP topologies. . . . . . . . . . . . . . . . . . . . . . . . . .383
Topology deployment considerations . . . . . . . . . . . . . . . . . . . .383
Extended WLANs only . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .384
Independent WLANs only . . . . . . . . . . . . . . . . . . . . . . . . . . . . .384
Extended WLANs with independent WLANs. . . . . . . . . . . . . . .384
Extended WLAN with mesh networking . . . . . . . . . . . . . . . . . .385
How the AP receives its adaptive configuration . . . . . . . . . . . . . . .385
viii Brocade Mobility 5181 Access Point Product Reference Guide
53-1002516-01
Establishing basic adaptive AP connectivity . . . . . . . . . . . . . . . . . .386
Adaptive AP configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . .387
Controller configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .388
Adaptive AP deployment considerations . . . . . . . . . . . . . . . . .389
Sample controller configuration file for
IPSec and independent WLAN . . . . . . . . . . . . . . . . . . . . . . . . .390
Appendix A Technical Specifications
Physical characteristics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .395
Mobility 5181 Access Point Physical Characteristics . . . . . . .395
Electrical characteristics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .396
Radio characteristics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .396
Antenna specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .396
Mobility 5181 Access Point antenna specifications . . . . . . . .396
Country codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .397
Appendix B Usage Scenarios
Configuring Automatic Updates using a
DHCP or Linux BootP server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .401
Windows - DHCP server configuration . . . . . . . . . . . . . . . . . . .401
Linux - BootP server configuration . . . . . . . . . . . . . . . . . . . . . .405
Configuring an IPSEC tunnel and VPN FAQs . . . . . . . . . . . . . . . . . .407
Configuring a VPN tunnel between two Access Points . . . . . .407
Frequently asked VPN questions . . . . . . . . . . . . . . . . . . . . . . .410
Brocade Mobility 5181 Access Point Product Reference Guide ix
53-1002516-01
x Brocade Mobility 5181 Access Point Product Reference Guide
53-1002516-01
About This Document
In this chapter
•Audience. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi
•Supported hardware and software. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi
•Document conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi
•Related publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xii
•Getting technical help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
Audience
This document is designed for system administrators with a working knowledge of Layer 2 and
Layer 3 switching and routing.
If you are using a Brocade Layer 3 Controller, you should be familiar with the following protocols if
applicable to your network – IP, RIP, OSPF, BGP, ISIS, IGMP, PIM, DVMRP, and VRRP.
Supported hardware and software
The following hardware platform is supported by this release of this guide:
• Mobility 5181 Access Point
Document conventions
This section describes text formatting conventions and important notice formats used in this
document.
Text formatting
The narrative-text formatting conventions that are used are as follows:
Brocade Mobility 5181 Access Point Product Reference Guide xi
53-1002516-01
bold text Identifies command names
Identifies the names of user-manipulated GUI elements
Identifies keywords
Identifies text to enter at the GUI or CLI
italic text Provides emphasis
Identifies variables
Identifies document titles
code text Identifies CLI output
For readability, command names in the narrative portions of this guide are presented in mixed
lettercase: for example, controllerShow. In actual examples, command lettercase is often all
lowercase. Otherwise, this manual specifically notes those cases in which a command is case
sensitive.
.
Notes, cautions, and warnings
The following notices and statements are used in this manual. They are listed below in order of
increasing severity of potential hazards.
NOTE
A note provides a tip, guidance or advice, emphasizes important information, or provides a reference
to related information.
CAUTION
A Caution statement alerts you to situations that can be potentially hazardous to you or cause
damage to hardware, firmware, software, or data.
DANGER
A Danger statement indicates conditions or situations that can be potentially lethal or extremely
hazardous to you. Safety labels are also attached directly to products to warn of these conditions
or situations.
Related publications
The following Brocade Communications Systems, Inc. document supplements the information in
this guide and can be located at http://www.brocade.com/ethernetproducts.
• Brocade Mobility RFS4000, RFS6000 and RFS7000 CLI Reference Guide - Describes the
Command Line Interface (CLI) and Management Information Base (MIB) commands used to
configure the Brocade controllers.
If you find errors in the guide, send an e-mail to documentation@brocade.com.
xii Brocade Mobility 5181 Access Point Product Reference Guide
53-1002516-01
Getting technical help
• To contact Technical Support, go to http://www.brocade.com/services-support/index.page for
the latest e-mail and telephone contact information.
Brocade Mobility 5181 Access Point Product Reference Guide xiii
53-1002516-01
xiv Brocade Mobility 5181 Access Point Product Reference Guide
53-1002516-01
Chapter
Introduction
In this chapter
This Brocade Mobility 5181 Access Point Product Reference Guide contains setup and advanced
configuration instructions for the Brocade Product Name Access Point.
The Mobility 5181 Access Point is constructed to support outdoor installations. A Mobility 5181
Access Point is only available in a dual-radio SKU. Brocade recommends using the Mobility 5181
Access Point Power Tap (Part No. BR-APPSBIAS518101R) designed specifically for outdoor
deployments. A Mobility 5181 Access Point must use an RJ-45 to Serial cable to establish a serial
connection to a host computer.
The access point (AP) provides a bridge between Ethernet wired LANs or WANs and wireless
networks. It provides connectivity between Ethernet wired networks and radio-equipped wireless
clients. Clients include the full line of terminals, adapters (PC cards, Compact Flash cards and PCI
adapters) and other devices.
1
•New features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
•Theory of operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
New features
The Mobility 5181 Access Point provides a maximum 54Mbps data transfer rate via each radio. It
monitors Ethernet traffic and forwards appropriate Ethernet messages to Clients over the network.
It also monitors Client radio traffic and forwards Client packets to the Ethernet LAN.
If you are new to using an access point for managing your network, refer to “Theory of operations”
on page 16 for an overview on wireless networking fundamentals.
The Mobility 5181 Access Point has the following features carried forward from previous releases:
• WIPS support
• Trus ted h ost ma nage m ent
• Apache certificate management
• Adaptive AP
• Rogue AP enhancements
• Bandwidth management enhancements
• Radius time-based authentication
• QBSS support
Legacy users can upgrade their firmware image to benefit from the new features described in this
section. For information on upgrading the access point’s firmware image, see Updating Device
Firmware.
Brocade Mobility 5181 Access Point Product Reference Guide 1
53-1002516-01
1
New features
WIPS support
An access point can radio can function as a Wireless Intrusion Protection System (WIPS) sensor
and upload sensor mode operation information to a dedicated WIPS server.
WIPS protects your wireless network, mobile devices and traffic from attacks and unauthorized
access. WIPS provides tools for standards compliance and around-the-clock 802.11a/b/g wireless
network security in a distributed environment. WIPS allows administrators to identify and
accurately locate attacks, rogue devices and network vulnerabilities in real time and permits both a
wired and wireless lockdown of wireless device connections upon acknowledgement of a threat.
For use in configuring the access point for WIPS support, see “Configuring WIPS server settings” on
page 127.
Trusted host management
Trusted subnet management restricts Mobility 5181 Access Point LAN1, LAN2 and WAN interface
access (via SNMP, HTTP, HTTPS, Telnet and SSH) to a set of user defined trusted host or subnets.
Only hosts with matching subnet (or IP) addresses are able to access the access point. Enabling
the feature denies access from any subnet not defined as trusted. Once a set of trusted hosts is
defined and applied, the settings can be imported and exported as a part of the access point’s
configuration import/export functionality.
For information on defining a set of trusted hosts for exclusive access point access, see “Defining
trusted hosts” on page 55.
Apache certificate management
Apache certificate management allows the update and management of security certificates for an
Apache HTTP server. This allows users to upload a trusted certificate to their AP. When a client
attaches to it with a browser, a warning message pertaining to the certificate no longer displays.
Apache certificate management utilizes the access point’s existing Certificate Manager for the
creation of certificates and keys. The certificate can then be loaded into the apache file system
using a command.
For information on defining the Apache certificate management configuration, see “Apache
certificate management” on page 63.
Adaptive AP
An adaptive AP (AAP) is a Mobility 5181 Access Point that can adopt like a Mobility 300. The
management of an AAP is conducted by a controller, once the access point connects to a Brocade
Mobility RFS6000 Controller or Mobility RFS7000 Controller and receives its AAP configuration.
An AAP provides:
• local 802.11 traffic termination
• local encryption/decryption
• local traffic bridging
• the tunneling of centralized traffic to the wireless controller
For a information overview of the adaptive AP feature as well as how to configure it, refer to
“Adaptive AP overview” on page 379.
2 Brocade Mobility 5181 Access Point Product Reference Guide
53-1002516-01
Feature overview
1
Rogue AP enhancements
The access point now has the option to scan for rogues over all channels on both of the access
point’s 11a and 11bg radio bands. The switching of radio bands is based on a timer with no user
intervention required.
For information on configuring the access point for Rogue AP support, see “Configuring rogue AP
detection” on page 162.
Bandwidth management enhancements
Use the Bandwidth Management screen to control the network bandwidth allotted to individual
WLANs. Define a weighted scheme as needed when WLAN traffic supporting a specific network
segment becomes critical. Bandwidth management is configured on a per-WLAN basis. However, a
separate tab has been created for each access point radio. With this new segregated radio
approach, bandwidth management can be configured uniquely for individual WLANs on different
access point radios.
For information on configuring bandwidth management, see “Configuring bandwidth management
settings” on page 126.
Radius time-based authentication
An external server maintains a users and groups database used by the access point for access
permissions. Various kinds of access policies can be applied to each group. Individual groups can
be configured with their own time-based access policy. Each group’s policy has a user defined
interval defining the days and hours access is permitted. Authentication requests for users
belonging to the group are honored only during these defined hourly intervals.
For more information on defining access point access policies by group, see “Defining user access
permissions by group” on page 173.
QBSS support
Each access point radio can be configured to optionally allow the access point to communicate
channel usage data to associated devices and define the beacon interval used for channel
utilization transmissions. The QBSS load represents the percentage of time the channel is in use by
the access point and the access point’s station count. This information is very helpful in assessing
the access point’s overall load on a channel, its availability for additional device associations and
multi media traffic support.
For information on enabling QBSS and defining the channel utilization transmission interval, see
“Configuring the 802.11a or 802.11b/g radio” on page 121.
Feature overview
The Mobility 5181 Access Point has the following features carried forward from previous releases:
• Single or dual mode radio options
• Separate LAN and WAN ports
• Multiple mounting options
Brocade Mobility 5181 Access Point Product Reference Guide 3
53-1002516-01
Feature overview
1
• Antenna support for 2.4 GHz and 5 GHz radios
• Sixteen configurable WLANs
• Support for 4 BSSIDs per radio
• Quality of Service (QoS) support
• Industry leading data security
• VLAN support
• Multiple management accessibility options
• Updatable firmware
• Programmable SNMP v1/v2/v3 trap support
• Power-over-Ethernet support
• Client-client transmission disallow
• Voice prioritization
• Support for CAM and PSP clients
• Statistical displays
• Transmit power control
• Advanced event logging capability
• Configuration file import/export functionality
• Default configuration restoration
• DHCP support
• Multi-function LEDs
• Mesh networking
• Additional LAN subnet
• On-board Radius server authentication
• Hotspot support
• Routing information protocol (RIP)
• Manual date and time settings
• Dynamic DNS
• Auto negotiation
Single or dual mode radio options
One or two possible configurations are available on the Mobility 5181 Access Point depending on
which model is purchased. If the Mobility 5181 Access Point is manufactured as a single radio
access point, the Mobility 5181 Access Point enables you to configure the single radio for either
802.11a or 802.11b/g.
The Mobility 5181 Access Point is a dual-radio access point. The access point enables you to
configure one radio for 802.11a support, and the other for 802.11b/g support.
For detailed information, see “Setting the WLAN’s radio configuration” on page 118.
4 Brocade Mobility 5181 Access Point Product Reference Guide
53-1002516-01
Feature overview
1
Separate LAN and WAN ports
The Mobility 5181 Access Point has one LAN port and one WAN port, each with their own MAC
address. The access point must manage all data traffic over the LAN connection carefully as either
a DHCP client, BOOTP client, DHCP server or using a static IP address. The access point can only
use a Power-over-Ethernet device when connected to the LAN port.
For detailed information on configuring the Mobility 5181 Access Point LAN port, see “Configuring
the LAN interface” on page 93.
A Wide Area Network (WAN) is a widely dispersed telecommunications network. In a corporate
environment, the WAN port might connect to a larger corporate network. For a small business, the
WAN port might connect to a DSL or cable modem to access the Internet. Regardless, network
address information must be configured for the Mobility 5181 Access Point’s intended mode of
operation.
For detailed information on configuring the access point’s WAN port, see “Configuring WAN
settings” on page 101.
The LAN and WAN port MAC addresses can be located within the LAN and WAN Stats screens.
For detailed information on locating the access point’s MAC addresses, see “Viewing WAN
statistics” on page 177 and “Viewing LAN statistics” on page 180. For information on access point
MAC address assignments, see “Mobility 5181 Access Point MAC address assignment” on
page 21.
Multiple mounting options
The Mobility 5181 Access Point rests on a flat surface, attaches to a wall, mounts under a ceiling or
above a ceiling (attic). Choose a mounting option based on the physical environment of the
coverage area. Do not mount the Mobility 5181 Access Point in a location that has not been
approved in a Mobility 5181 Access Point radio coverage site survey.
For detailed information on the mounting options available, see “Mounting a Mobility 5181 Access
Point” on page 28.
Antenna support for 2.4 GHz and 5 GHz radios
The Mobility 5181 Access Point supports several 802.11a and 802.11b/g radio antennas. Select
the antenna best suited to the radio transmission requirements of your coverage area.
For an overview of the Radio 1 (2.4 GHz) and Radio 2 (5 GHz) antennas supported on the Mobility
5181 Access Point’s connectors, see “Antenna specifications” on page 396. The Mobility 5181
Access Point uses an antenna suite primarily suited for outdoor use.
Sixteen configurable WLANs
A Wireless Local Area Network (WLAN) is a data-communications system that flexibly extends the
functionalities of a wired LAN. A WLAN does not require lining up devices for line-of-sight
transmission, and are thus, desirable for wireless networking. Roaming users can be handed off
from one Mobility 5181 Access Point to another like a cellular phone system. WLANs can therefore
be configured around the needs of specific groups of users, even when they are not in physical
proximity. Sixteen WLANs are configurable on each Mobility 5181 Access Point.
Brocade Mobility 5181 Access Point Product Reference Guide 5
53-1002516-01
Feature overview
1
To enable and configure WLANs on an Mobility 5181 Access Point radio, see “Enabling wireless
LANs (WLANs)” on page 106.
Support for 4 BSSIDs per radio
The access point supports four BSSIDs per radio. Each BSSID has a corresponding MAC address.
The first MAC address corresponds to BSSID #1. The MAC addresses for the other three BSSIDs
(BSSIDs #2, #3, #4) are derived by adding 1, 2, 3, respectively, to the radio MAC address.
If the radio MAC address displayed on the Radio Settings screen is 00:24:38:28:9B:DC, then the
BSSIDs for that radio will have the following MAC addresses:
BSSID MAC Address Hexadecimal Addition
BSSID #1 00:24:38:28:9B:DC Same as Radio MAC address
BSSID #2 00:24:38:28:9B:DD Radio MAC address +1
BSSID #3 00:24:38:28:9B0:DE Radio MAC address +2
BSSID #4 00:24:38:28:9B:DF Radio MAC address +3
For detailed information on strategically mapping BSSIDs to WLANs, see “Configuring the 802.11a
or 802.11b/g radio” on page 121. For information on access point MAC address assignments, see
“Mobility 5181 Access Point MAC address assignment” on page 21.
Quality of Service (QoS) support
The Mobility 5181 Access Point QoS implementation provides applications running on different
wireless devices a variety of priority levels to transmit data to and from the Mobility 5181 Access
Point. Equal data transmission priority is fine for data traffic from applications such as Web
browsers, file transfers or email, but is inadequate for multimedia applications.
Voice over Internet Protocol (VoIP), video streaming and interactive gaming are highly sensitive to
latency increases and throughput reductions. These forms of higher priority data traffic can
significantly benefit from the Mobility 5181 Access Point QoS implementation. The WiFi Multimedia
QOS Extensions (WMM) implementation used by the Mobility 5181 Access Point shortens the time
between transmitting higher priority data traffic and is thus desirable for multimedia applications.
In addition, U-APSD (WMM Power Save) is also supported.
WMM defines four access categories—voice, video, best effort and background—to prioritize traffic
for enhanced multimedia support.
For detailed information on configuring QoS support, see “Setting the WLAN Quality of Service
(QoS) policy” on page 111.
Industry leading data security
The Mobility 5181 Access Point supports numerous encryption and authentication techniques to
protect the data transmitting on the WLAN.
The following authentication techniques are supported:
• Kerberos authentication
• EAP authentication
6 Brocade Mobility 5181 Access Point Product Reference Guide
53-1002516-01
Feature overview
The following encryption techniques are supported:
1
• WEP encryption
• KeyGuard encryption
• Wi-Fi protected access (WPA) using TKIP encryption
• WPA2-CCMP (802.11i) encryption
In addition, the Mobility 5181 Access Point supports the following additional security features:
• Firewall security
• VPN tunnels
• Content filtering
For an overview on the encryption and authentication schemes available, refer to “Configuring
Access Point Security” on page 131.
Kerberos authentication
Authentication is a means of verifying information transmitted from a secure source. If information
is authentic, you know who created it and you know it has not been altered in any way since
originated. Authentication entails a network administrator employing a software “supplicant” on
their computer or wireless device.
Authentication is critical for the security of any wireless LAN device. Traditional authentication
methods are not suitable for use in wireless networks where an unauthorized user can monitor
network traffic and intercept passwords. The use of strong authentication methods that do not
disclose passwords is necessary. The access point uses the Kerberos authentication service
protocol (specified in RFC 1510) to authenticate users/clients in a wireless network environment
and to securely distribute the encryption keys used for both encrypting and decrypting.
A basic understanding of RFC 1510 Kerberos Network Authentication Service (V5) is helpful in
understanding how Kerberos functions. By default, WLAN devices operate in an open system
network where any wireless device can associate with an AP without authorization. Kerberos
requires device authentication before access to the wired network is permitted.
For detailed information on Kerbeors configurations, see “Configuring Kerberos authentication” on
page 136.
EAP authentication
The Extensible Authentication Protocol (EAP) feature provides access points and their associated
Client’s an additional measure of security for data transmitted over the wireless network. Using
EAP, authentication between devices is achieved through the exchange and verification of
certificates.
EAP is a mutual authentication method whereby both the Client and AP are required to prove their
identities. Like Kerberos, the user loses device authentication if the server cannot provide proof of
device identification.
Using EAP, a user requests connection to a WLAN through the Mobility 5181 Access Point. The
Mobility 5181 Access Point then requests the identity of the user and transmits that identity to an
authentication server. The server prompts the AP for proof of identity (supplied to the Mobility 5181
Access Point by the user) and then transmits the user data back to the server to complete the
authentication process.
Brocade Mobility 5181 Access Point Product Reference Guide 7
53-1002516-01
Feature overview
1
An Client is not able to access the network if not authenticated. When configured for EAP support,
the access point displays the Client as an EAP station.
EAP is only supported on mobile devices running Windows XP, Windows 2000 (using Service Pack
#4) and Windows Mobile 2003. Refer to the system administrator for information on configuring a
Radius Server for EAP (802.1x) support.
For detailed information on EAP configurations, see “Configuring 802.1x EAP authentication” on
page 137.
WEP encryption
All WLAN devices face possible information theft. Theft occurs when an unauthorized user
eavesdrops to obtain information illegally. The absence of a physical connection makes wireless
links particularly vulnerable to this form of theft. Most forms of WLAN security rely on encryption to
various extents. Encryption entails scrambling and coding information, typically with mathematical
formulas called algorithms, before the information is transmitted. An algorithm is a set of
instructions or formula for scrambling the data. A key is the specific code used by the algorithm to
encrypt or decrypt the data. Decryption is the decoding and unscrambling of received encrypted
data.
The same device, host computer or front-end processor, usually performs both encryption and
decryption. The transmit or receive direction determines whether the encryption or decryption
function is performed. The device takes plain text, encrypts or scrambles the text typically by
mathematically combining the key with the plain text as instructed by the algorithm, then transmits
the data over the network. At the receiving end, another device takes the encrypted text and
decrypts, or unscrambles, the text revealing the original message. An unauthorized user can know
the algorithm, but cannot interpret the encrypted data without the appropriate key. Only the sender
and receiver of the transmitted data know the key.
Wired Equivalent Privacy (WEP) is an encryption security protocol specified in the IEEE Wireless
Fidelity (Wi-Fi) standard, 802.11b and supported by the Mobility 5181 Access Point. WEP
encryption is designed to provide a WLAN with a level of security and privacy comparable to that of
a wired LAN. The level of protection provided by WEP encryption is determined by the encryption
key length and algorithm. An encryption key is a string of case sensitive characters used to encrypt
and decrypt data packets transmitted between a mobile unit (Client) and the Mobility 5181 Access
Point. An Mobility 5181 Access Point and its associated wireless clients must use the same
encryption key (typically 1 through 4) to interoperate.
For detailed information on WEP, see “Configuring WEP encryption” on page 140.
KeyGuard encryption
Use KeyGuard to shield the master encryption keys from being discovered through hacking.
KeyGuard negotiation takes place between the access point and Client upon association. The
access point can use KeyGuard with Brocade Clients. KeyGuard is only supported on Brocade
Clients making it a proprietary security mechanism.
For detailed information on KeyGuard configurations, see “Configuring KeyGuard encryption” on
page 141.
8 Brocade Mobility 5181 Access Point Product Reference Guide
53-1002516-01
Feature overview
1
Wi-Fi protected access (WPA) using TKIP encryption
Wi-Fi Protected Access (WPA) is a security standard for systems operating with a Wi-Fi wireless
connection. WEP’s lack of user authentication mechanisms is addressed by WPA. Compared to
WEP, WPA provides superior data encryption and user authentication.
WPA addresses the weaknesses of WEP by including:
• a per-packet key mixing function
• a message integrity check
• an extended initialization vector with sequencing rules
• a re-keying mechanism
WPA uses an encryption method called Temporal Key Integrity Protocol (TKIP). WPA employs
802.1X and Extensible Authentication Protocol (EAP).
For detailed information on WPA using TKIP configurations, see “Configuring WPA/WPA2 using
TKIP” on page 142.
WPA2-CCMP (802.11i) encryption
WPA2 is a newer 802.11i standard that provides even stronger wireless security than Wi-Fi
Protected Access (WPA) and WEP. Counter-mode/CBC-MAC Protocol (CCMP) is the security
standard used by the Advanced Encryption Standard (AES). AES serves the same function TKIP
does for WPA-TKIP. CCMP computes a Message Integrity Check (MIC) using the proven Cipher Block
Message Authentication Code (CBC-MAC) technique. Changing just one bit in a message produces
a totally different result.
WPA2-CCMP is based on the concept of a Robust Security Network (RSN), which defines a
hierarchy of keys with a limited lifetime (similar to TKIP). Like TKIP, the keys the administrator
provides are used to derive other keys. Messages are encrypted using a 128-bit secret key and a
128-bit block of data. The end result is an encryption scheme as secure as any the Mobility 5181
Access Point provides.
For detailed information on WPA2-CCMP, see “Configuring WPA2-CCMP (802.11i)” on page 144.
Firewall security
A firewall keeps personal data in and hackers out. The Mobility 5181 Access Point firewall prevents
suspicious Internet traffic from proliferating the Mobility 5181 Access Point managed network. The
Mobility 5181 Access Point performs Network Address Translation (NAT) on packets passing to and
from the WAN port. This combination provides enhanced security by monitoring communication
with the wired network.
For detailed information on configuring the Mobility 5181 Access Point’s firewall, see “Configuring
firewall settings” on page 146.
VPN tunnels
Virtual Private Networks (VPNs) are IP-based networks using encryption and tunneling providing
users remote access to a secure LAN. In essence, the trust relationship is extended from one LAN
across the public network to another LAN, without sacrificing security. A VPN behaves like a private
network; however, because the data travels through the public network, it needs several layers of
security. The Mobility 5181 Access Point can function as a robust VPN gateway.
Brocade Mobility 5181 Access Point Product Reference Guide 9
53-1002516-01
Feature overview
1
For detailed information on configuring VPN security support, see “Configuring VPN tunnels” on
page 151.
Content filtering
Content filtering allows system administrators to block specific commands and URL extensions
from going out through the Mobility 5181 Access Point WAN port. Therefore, content filtering
affords system administrators selective control on the content proliferating the network and is a
powerful screening tool. Content filtering allows the blocking of up to 10 files or URL extensions and
allows blocking of specific outbound HTTP, SMTP, and FTP requests.
For detailed information on configuring content filtering support, see “Configuring content filtering
settings” on page 160.
VLAN support
A Virtual Local Area Network (VLAN) can electronically separate data on the same AP from a single
broadcast domain into separate broadcast domains. By using a VLAN, you can group by logical
function instead of physical location. There are 16 VLANs supported on the Mobility 5181 Access
Point. An administrator can map up to 16 WLANs to 16 VLANs and enable or disable dynamic VLAN
assignment. In addition to these 16 VLANs, the access point supports dynamic, user-based, VLANs
when using EAP authentication.
VLANs enable organizations to share network resources in various network segments within large
areas (airports, shopping malls, etc.). A VLAN is a group of clients with a common set of
requirements independent of their physical location. VLANs have the same attributes as physical
LANs, but they enable administrators to group clients even when they are not members of the
same network segment.
For detailed information on configuring VLAN support, see “Configuring VLAN support” on page 95.
Multiple management accessibility options
The Mobility 5181 Access Point can be accessed and configured using one of the following
methods:
• Java-Based Web UI
• Human readable config file (imported via FTP or TFTP)
• MIB (Management Information Base)
• Command Line Interface (CLI) accessed via RS-232 or Telnet. Use the Mobility 5181 Access
Point’s DB-9 serial port for direct access to the command-line interface from a PC.
Updatable firmware
Brocade periodically releases updated versions of device firmware to the Brocade Web site. If the
Mobility 5181 Access Point firmware version displayed on the System Settings page (see
“Configuring system settings” on page 45) is older than the version on the Web site, Brocade
recommends updating the Mobility 5181 Access Point to the latest firmware version for full feature
functionality.
For detailed information on updating the Mobility 5181 Access Point firmware using FTP or TFTP,
see “Updating device firmware” on page 86.
10 Brocade Mobility 5181 Access Point Product Reference Guide
53-1002516-01
Feature overview
1
Programmable SNMP v1/v2/v3 trap support
Simple Network Management Protocol (SNMP) facilitates the exchange of management
information between network devices. SNMP uses Management Information Bases (MIBs) to
manage the device configuration and monitor Internet devices in remote locations. MIB information
accessed via SNMP is defined by a set of managed objects called Object Identifiers (OIDs). An
object identifier (OID) is used to uniquely identify each object variable of a MIB.
SNMP allows a network administrator to configure the access point, manage network performance,
find and solve network problems, and plan for network growth. The Mobility 5181 Access Point
supports SNMP management functions for gathering information from its network components.
The access point’s download site contains the following 2 MIB files:
• BROCADE-CC-BR51XX-MIB-2.0.mib (standard MIB file)
• BROCADE-BR51XX-MIB.mib
The Mobility 5181 Access Point’s SNMP agent functions as a command responder and is a
multilingual agent responding to SNMPv1, v2c and v3 managers (command generators). The
factory default configuration maintains SNMPv1/2c support of community names, thus providing
backward compatibility.
For detailed information on configuring SNMP traps, see “Configuring SNMP settings” on page 64.
Power-over-Ethernet support
When users purchase a Brocade WLAN solution, they often need to place access points in obscure
locations. In the past, a dedicated power source was required for each access point in addition to
the Ethernet infrastructure. This often required an electrical contractor to install power drops at
each access point location.
The Mobility 5181 Access Point Power Tap is a single-port Power over Ethernet hub combining
low-voltage DC with Ethernet data in a single cable connecting to the Mobility 5181 Access Point.
However, the Power Tap is designed and ruggedized for use with a Mobility 5181 Access Point’s
outdoor deployment. For detailed information on using the Power Tap, see “Power options” on
page 26.
Client-client transmission disallow
The access point’s Client-Client Disallow feature prohibits Clients from communicating with each
other even if on the same WLAN, assuming one WLAN is configured to disallow Client-Client
communication. Therefore, if an Client’s WLAN is configured for Client-Client disallow, it will not be
able to communicate with any other Clients connected to this access point.
For detailed information on configuring an Mobility 5181 Access Point WLAN to disallow Client to
Client communications, see “Creating/editing individual WLANs” on page 107.
Voice prioritization
Each Mobility 5181 Access Point WLAN has the capability of having its QoS policy configured to
prioritize the network traffic requirements for associated Clients. A WLAN QoS page is available for
each enabled WLAN on both the 802.11a and 802.11b/g radio.
Brocade Mobility 5181 Access Point Product Reference Guide 11
53-1002516-01
Feature overview
1
Use the QoS page to enable voice prioritization for devices to receive the transmission priority they
may not normally receive over other data traffic. Voice prioritization allows the Mobility 5181
Access Point to assign priority to voice traffic over data traffic, and (if necessary) assign legacy
voice supported devices (non WMM supported voice devices) additional priority.
For detailed information on configuring voice prioritization over other voice enabled devices, see
“Setting the WLAN Quality of Service (QoS) policy” on page 111.
Support for CAM and PSP clients
The Mobility 5181 Access Point supports both CAM and PSP powered Clients. CAM (Continuously
Aware Mode) Clients leave their radios on continuously to hear every beacon and message
transmitted. These systems operate without any adjustments by the Mobility 5181 Access Point.
A beacon is a uniframe system packet broadcast by the AP to keep the network synchronized. A
beacon includes the ESSID, Mobility 5181 Access Point MAC address, Broadcast destination
addresses, a time stamp, a DTIM (Delivery Traffic Indication Message) and the TIM (Traffic
Indication Map).
PSP (Power Save Polling) Clients power off their radios for short periods. When a Client in PSP
mode associates with an Mobility 5181 Access Point, it notifies the Mobility 5181 Access Point of
its activity status. The Mobility 5181 Access Point responds by buffering packets received for the
Client. PSP mode is used to extend an Client’s battery life by enabling the Client to “sleep” during
periods of inactivity.
Statistical displays
The Mobility 5181 Access Point can display robust transmit and receive statistics for the WAN and
LAN ports. WLAN stats can be displayed collectively and individually for enabled WLANs. Transmit
and receive statistics are available for the Mobility 5181 Access Point’s 802.11a and 802.11b/g
radios. An advanced radio statistics page is also available to display retry histograms for specific
data packet retry information.
Associated Client stats can be displayed collectively and individually for specific Clients. An echo
(ping) test is also available to ping specific Clients to assess association strength. Finally, the
Mobility 5181 Access Point can detect and display the properties of other APs detected within the
Mobility 5181 Access Point’s radio coverage area. The type of AP detected can be displayed as well
as the properties of individual APs.
For detailed information on available Mobility 5181 Access Point statistical displays and the values
they represent, see “Monitoring Statistics” on page 177.
Transmit power control
The Mobility 5181 Access Point has a configurable power level for each radio. This enables the
network administrator to define the antenna’s transmission power level in respect to the access
point’s placement or network requirements as defined in the Mobility 5181 Access Point site
survey.
For detailed information on setting the radio transmit power level, see “Configuring the 802.11a or
802.11b/g radio” on page 121.
12 Brocade Mobility 5181 Access Point Product Reference Guide
53-1002516-01
Feature overview
1
Advanced event logging capability
The Mobility 5181 Access Point provides the capability for periodically logging system events.
Logging events is useful in assessing the throughput and performance of the Mobility 5181 Access
Point or troubleshooting problems on the Mobility 5181 Access Point managed Local Area Network
(LAN).
For detailed information on Mobility 5181 Access Point events, see “Logging configuration” on
page 79.
Configuration file import/export functionality
Configuration settings for an Mobility 5181 Access Point can be downloaded from the current
configuration of another Mobility 5181 Access Point. This affords the administrator the opportunity
to save the current configuration before making significant changes or restoring the default
configuration.
For detailed information on importing or exporting configuration files, see “Importing/exporting
configurations” on page 81.
Default configuration restoration
The Mobility 5181 Access Point has the ability to restore its default configuration or a partial
default configuration (with the exception of current WAN and SNMP settings). Restoring the default
configuration is a good way to create new WLANs if the Clients the Mobility 5181 Access Point
supports have been moved to different radio coverage areas.
For detailed information on restoring a default or partial default configuration, see “Configuring
system settings” on page 45.
DHCP support
The Mobility 5181 Access Point can use Dynamic Host Configuration Protocol (DHCP) to obtain a
leased IP address and configuration information from a remote server. DHCP is based on the
BOOTP protocol and can coexist or interoperate with BOOTP. Configure the Mobility 5181 Access
Point to send out a DHCP request searching for a DHCP/BOOTP server to acquire HTML, firmware
or network configuration files when the Mobility 5181 Access Point boots. Because BOOTP and
DHCP interoperate, whichever responds first becomes the server that allocates information.
The Mobility 5181 Access Point can be set to only accept replies from DHCP or BOOTP servers or
both (this is the default setting). Disabling DHCP disables BOOTP and DHCP and requires network
settings to be set manually. If running both DHCP and BOOTP, do not select BOOTP Only. BOOTP
should only be used when the server is running BOOTP exclusively.
The DHCP client automatically sends a DHCP request at an interval specified by the DHCP server to
renew the IP address lease as long as the Mobility 5181 Access Point is running (this parameter is
programmed at the DHCP server). For example: Windows 2000 servers typically are set for 3 days.
Brocade Mobility 5181 Access Point Product Reference Guide 13
53-1002516-01
Feature overview
1
Multi-function LEDs
A Mobility 5181 Access Point has seven LED indicators. Four LEDs exist on the top of the Mobility
5181 Access Point and are visible from wall, ceiling and table-top orientations. Three of these four
LEDs are single color activity LEDs, and one is a multifunction red and white status LED. Two LEDs
exist on the rear of the Mobility 5181 Access Point and are viewable using a single (customer
installed) extended light pipe, adjusted as required to suit above the ceiling installations. An
Mobility 5181 Access Point houses four LEDs on the bottom/back side of the unit.
For detailed information on the Mobility 5181 Access Point LEDs and their functionality, see
“Mobility 5181 Access Point LED indicators” on page 33.
Mesh networking
Utilize the new mesh networking functionality to allow the access point to function as a bridge to
connect two Ethernet networks or as a repeater to extend your network’s coverage area without
additional cabling. Mesh networking is configurable in two modes. It can be set in a wireless client
bridge mode and/or a wireless base bridge mode (which accepts connections from client bridges).
These two modes are not mutually exclusive.
In client bridge mode, the access point scans to find other access points using the selected WLAN’s
ESSID. The access point must go through the association and authentication process to establish a
wireless connection. The mesh networking association process is identical to the access point’s
Client association process. Once the association/authentication process is complete, the wireless
client adds the connection as a port on its bridge module. This causes the access point (in client
bridge mode) to begin forwarding configuration packets to the base bridge. An access point in base
bridge mode allows the access point radio to accept client bridge connections.
The two bridges communicate using the Spanning Tree Protocol (STP). The spanning tree
determines the path to the root and detects if the current connection is part of a network loop with
another connection. Once the spanning tree converges, both access points begin learning which
destinations reside on which side of the network. This allows them to forward traffic intelligently.
After the access point (in client bridge mode) establishes at least one wireless connection, it will
begin beaconing and accepting wireless connections (if configured to support mobile users). If the
access point is configured as both a client bridge and a base bridge, it begins accepting client
bridge connections. In this way, the mesh network builds itself over time and distance.
Once the access point (in client bridge mode) establishes at least one wireless connection, it
establishes other wireless connections in the background as they become available. In this way,
the access point can establish simultaneous redundant links. An access point (in client bridge
mode) can establish up to 3 simultaneous wireless connections with other Mobility 5181 Access
Points. A client bridge always initiates the connections and the base bridge is always the acceptor
of the mesh network data proliferating the network.
Since each access point can establish up to 3 simultaneous wireless connections, some of these
connections may be redundant. In that case, the STP algorithm determines which links are the
redundant links and disables the links from forwarding.
For an overview on mesh networking as well as details on configuring the access point’s mesh
networking functionality, see “Configuring Mesh Networking” on page 359.
14 Brocade Mobility 5181 Access Point Product Reference Guide
53-1002516-01
Feature overview
1
Additional LAN subnet
In a typical retail or small office environment (wherein a wireless network is available along with a
production WLAN) it is frequently necessary to segment a LAN into two subnets. Consequently, a
second LAN is necessary to “segregate” wireless traffic.
The access point has a second LAN subnet enabling administrators to segment the access point’s
LAN connection into two separate networks. The main access point LAN screen allows the user to
select either LAN1 or LAN2 as the active LAN over the access point’s Ethernet port. Both LANs can
still be active at any given time, but only one can transmit over the access point’s physical LAN
connection. Each LAN has a separate configuration screen (called LAN 1 and LAN 2 by default)
accessible under the main LAN screen. The user can rename each LAN as necessary. Additionally,
each LAN can have its own Ethernet Type Filter configuration, and subnet access (HTTP, SSH,
SNMP and telnet) configuration.
For detailed information on configuring the access point for additional LAN subnet support, see
“Configuring the LAN interface” on page 93.
On-board Radius server authentication
The access point has the ability to work as a Radius Server to provide user database information
and user authentication. Several new screens have been added to the access point’s menu tree to
configure Radius server authentication and configure the local user database and access policies.
A new Radius Server screen allows an administrator to define the data source, authentication type
and associate digital certificates with the authentication scheme. The LDAP screen allows the
administrator to configure an external LDAP Server for use with the access point. A new Access
Policy screen enables the administrator to set WLAN access based on user groups defined within
the User Database screen. Each user is authorized based on the access policies applicable to that
user. Access policies allow an administrator to control access to a user groups based on the WLAN
configurations.
For detailed information on configuring the access point for AAA Radius Server support, see
“Configuring user authentication” on page 167.
Hotspot support
The access point allows hotspot operators to provide user authentication and accounting without a
special client application. The access point uses a traditional Internet browser as a secure
authentication device. Rather than rely on built-in 802.11 security features to control access point
association privileges, you can configure a WLAN with no WEP (an open network). The access point
issues an IP address to the user using a DHCP server, authenticates the user and grants the user to
access the Internet.
If a tourist visits a public hotspot and wants to browse a Web page, they boot their laptop and
associate with a local Wi-Fi network by entering a valid SSID. They start a browser, and the
hotspot’s access controller forces the un-authenticated user to a Welcome page (from the hotspot
operator) that allows the user to login with a username and password. In order to send a redirected
page (a login page), a TCP termination exists locally on the access point. Once the login page
displays, the user enters their credentials. The access point connects to the Radius server and
determines the identity of the connected wireless user. Thus, allowing the user to access the
Internet once successfully authenticated.
Brocade Mobility 5181 Access Point Product Reference Guide 15
53-1002516-01
Theory of operations
1
For detailed information on configuring the access point for Hotspot support, see “Configuring
WLAN hotspot support” on page 114.
Routing information protocol (RIP)
RIP is an interior gateway protocol that specifies how routers exchange routing-table information.
The parent Router screen also allows the administrator to select the type of RIP and the type of RIP
authentication used.
For detailed information on configuring RIP functionality as part of the access point’s Router
functionality, see “Setting the RIP Configuration” on page 129.
Manual date and time settings
As an alternative to defining a NTP server to provide access point system time, the access point can
now have its date and time set manually. A new Manual Date/Time Setting screen can be used to
set the time using a Year-Month-Day HH:MM:SS format.
For detailed information on manually setting the access point’s system time, see “Configuring
Network Time Protocol (NTP)” on page 76.
Dynamic DNS
The access point supports the Dynamic DNS service. Dynamic DNS (or DynDNS) is a feature
offered by www.dyndns.com which allows the mapping of domain names to dynamically assigned
IP addresses. When the dynamically assigned IP address of a client changes, the new IP address is
sent to the DynDNS service and traffic for the specified domain(s) is routed to the new IP address.
For information on configuring the Dynamic DNS feature, see “Configuring dynamic DNS” on
page 105.
Auto negotiation
Auto negotiation enables the access point to automatically exchange information (over either its
LAN or WAN port) about data transmission speed and duplex capabilities. Auto negotiation is
helpful when using the access point in an environment where different devices are connected and
disconnected on a regular basis. For information on configuring the auto negotiation feature, see
“Configuring the LAN interface” on page 93 or “Configuring WAN settings” on page 101
Theory of operations
To understand Mobility 5181 Access Point management and performance alternatives, users need
familiarity with Mobility 5181 Access Point functionality and configuration options. The Mobility
5181 Access Point includes features for different interface connections and network management.
The Mobility 5181 Access Point uses electromagnetic waves to transmit and receive electric signals
without wires. Users communicate with the network by establishing radio links between wireless
clients and access points.
16 Brocade Mobility 5181 Access Point Product Reference Guide
53-1002516-01
Loading...