How it Works
Brocade
Loading...
5181
User Manual
428 pgs4.6 Mb0
Table of contents
Loading...

Brocade 5181 User Manual

Download
Page 1
53-1002516-01 14 May 2012
Brocade Mobility 5181 Access Point
®
Product Reference Guide
Supporting software release 4.4.0.0
Page 2
Copyright © 2012 Brocade Communications Systems, Inc. All Rights Reserved.
Notice: This document is for informational purposes only and does not set forth any warranty, expressed or implied, concerning any equipment, equipment feature, or service offered or to be offered by Brocade. Brocade reserves the right to make changes to this document at any time, without notice, and assumes no responsibility for its use. This informational document describes features that may not be currently available. Contact a Brocade sales office for information on feature and product availability. Export of technical data contained in this document may require an export license from the United States government.
The authors and Brocade Communications Systems, Inc. shall have no liability or responsibility to any person or entity with respect to any loss, cost, liability, or damages arising from the information contained in this book or the computer programs that accompany it.
The product described by this document may contain “open source” software covered by the GNU General Public License or other open source license agreements. To find out which open source software is included in Brocade products, view the licensing terms applicable to the open source software, and obtain a copy of the programming source code, please visit
http://www.brocade.com/support/oscd.
Brocade Communications Systems, Incorporated
Corporate and Latin American Headquarters Brocade Communications Systems, Inc. 130 Holger Way San Jose, CA 95134 Tel: 1-408-333-8000 Fax: 1-408-333-8101 E-mail: info@brocade.com
European Headquarters Brocade Communications Switzerland Sàrl Centre Swissair Tour B - 4ème étage 29, Route de l'Aéroport Case Postale 105 CH-1215 Genève 15 Switzerland Tel: +41 22 799 5640 Fax: +41 22 799 5641 E-mail: emea-info@brocade.com
Asia-Pacific Headquarters Brocade Communications Systems China HK, Ltd. No. 1 Guanghua Road Chao Yang District Units 2718 and 2818 Beijing 100020, China Tel: +8610 6588 8888 Fax: +8610 6588 9999 E-mail: china-info@brocade.com
Asia-Pacific Headquarters Brocade Communications Systems Co., Ltd. (Shenzhen WFOE) Citic Plaza No. 233 Tian He Road North Unit 1308 – 13th Floor Guangzhou, China Tel: +8620 3891 2000 Fax: +8620 3891 2111 E-mail: china-info@brocade.com
Document History
Title Publication number Summary of changes Date
Brocade Mobility 5181 Access Point Product Reference Guide
53-1002516-01 New document 14 May 2012
Page 3

Contents

About This Document
Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi
Supported hardware and software . . . . . . . . . . . . . . . . . . . . . . . . . . . xi
Document conventions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi
Related publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xii
Getting technical help. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
Chapter 1 Introduction
New features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
WIPS support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Trusted host management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Apache certificate management. . . . . . . . . . . . . . . . . . . . . . . . . . 2
Adaptive AP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Rogue AP enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Bandwidth management enhancements. . . . . . . . . . . . . . . . . . . 3
Radius time-based authentication . . . . . . . . . . . . . . . . . . . . . . . . 3
QBSS support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Brocade Mobility 5181 Access Point Product Reference Guide iii 53-1002516-01
Page 4
Feature overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Single or dual mode radio options . . . . . . . . . . . . . . . . . . . . . . . . 4
Separate LAN and WAN ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Multiple mounting options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Antenna support for 2.4 GHz and 5 GHz radios . . . . . . . . . . . . . 5
Sixteen configurable WLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Support for 4 BSSIDs per radio. . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Quality of Service (QoS) support . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Industry leading data security. . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
VLAN support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10
Multiple management accessibility options. . . . . . . . . . . . . . . .10
Updatable firmware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10
Programmable SNMP v1/v2/v3 trap support . . . . . . . . . . . . . . 11
Power-over-Ethernet support. . . . . . . . . . . . . . . . . . . . . . . . . . . .11
Client-client transmission disallow . . . . . . . . . . . . . . . . . . . . . . .11
Voice prioritization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Support for CAM and PSP clients . . . . . . . . . . . . . . . . . . . . . . . .12
Statistical displays . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12
Transmit power control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Advanced event logging capability . . . . . . . . . . . . . . . . . . . . . . . 13
Configuration file import/export functionality . . . . . . . . . . . . . . 13
Default configuration restoration . . . . . . . . . . . . . . . . . . . . . . . .13
DHCP support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Multi-function LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14
Mesh networking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14
Additional LAN subnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
On-board Radius server authentication . . . . . . . . . . . . . . . . . . .15
Hotspot support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Routing information protocol (RIP) . . . . . . . . . . . . . . . . . . . . . . .16
Manual date and time settings. . . . . . . . . . . . . . . . . . . . . . . . . . 16
Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Auto negotiation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16
Theory of operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Wireless coverage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17
MAC layer bridging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18
Media types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18
Direct-sequence spread spectrum . . . . . . . . . . . . . . . . . . . . . . .19
Client association process . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19
Operating modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20
Management access options . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Mobility 5181 Access Point MAC address assignment . . . . . . .21
Chapter 2 Hardware Installation
Precautions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23
Mobility 5181 Access Point configurations . . . . . . . . . . . . . . . . . . . . 23
Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Access point placement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Site surveys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25
Antenna options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25
iv Brocade Mobility 5181 Access Point Product Reference Guide
53-1002516-01
Page 5
Power options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26
Power Injector and Power Tap systems . . . . . . . . . . . . . . . . . . . . . . . 26
Installing the Power Tap. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Mounting a Mobility 5181 Access Point . . . . . . . . . . . . . . . . . . . . . . 28
Mobility 5181 Access Point pole mounted installations . . . . . .28
Mobility 5181 Access Point wall mounted installations . . . . . . 31
Mobility 5181 Access Point LED indicators . . . . . . . . . . . . . . . . . . . . 33
Setting up clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Chapter 3 Getting Started
Installing the Access Point . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .35
Configuration options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .35
Initially connecting to the Access Point . . . . . . . . . . . . . . . . . . . . . . . 36
Connecting to the Access Point using the WAN port . . . . . . . . . 36
Connecting to the Access Point using the LAN port . . . . . . . . .36
Basic device configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Configuring device settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Testing connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .44
Where to go from here?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .44
Chapter 4 System Configuration
Configuring system settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .45
Adaptive AP setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .48
Configuring data access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Defining trusted hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Managing Certificate Authority (CA) certificates . . . . . . . . . . . . . . . .56
Importing a CA certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .56
Creating self certificates for accessing the VPN . . . . . . . . . . . .58
Creating a certificate for onboard RADIUS authentication . . . .60
Apache certificate management. . . . . . . . . . . . . . . . . . . . . . . . . 63
Configuring SNMP settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .64
Configuring SNMP access control. . . . . . . . . . . . . . . . . . . . . . . .68
Enabling SNMP traps. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Configuring specific SNMP traps . . . . . . . . . . . . . . . . . . . . . . . . 71
Configuring SNMP RF trap thresholds . . . . . . . . . . . . . . . . . . . . 74
Configuring Network Time Protocol (NTP) . . . . . . . . . . . . . . . . . . . . . 76
Configuring LLDP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .78
Logging configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Importing/exporting configurations . . . . . . . . . . . . . . . . . . . . . . . . . .81
Updating device firmware. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Upgrade/downgrade considerations . . . . . . . . . . . . . . . . . . . . . 91
Brocade Mobility 5181 Access Point Product Reference Guide v 53-1002516-01
Page 6
Chapter 5 Network Management
Configuring the LAN interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .93
Configuring VLAN support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .95
Configuring LAN1 and LAN2 settings . . . . . . . . . . . . . . . . . . . . . 97
Configuring WAN settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .101
Configuring Network Address Translation (NAT) settings . . . .103
Configuring dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . .105
Enabling wireless LANs (WLANs) . . . . . . . . . . . . . . . . . . . . . . . . . . .106
Creating/editing individual WLANs . . . . . . . . . . . . . . . . . . . . . .107
Setting the WLAN’s radio configuration . . . . . . . . . . . . . . . . . .118
Configuring bandwidth management settings. . . . . . . . . . . . .126
Configuring WIPS server settings. . . . . . . . . . . . . . . . . . . . . . . . . . .127
Configuring router settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .128
Setting the RIP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . .129
Chapter 6 Configuring Access Point Security
Configuring security options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .132
Setting passwords. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .132
Resetting the access point password. . . . . . . . . . . . . . . . . . . .133
Enabling authentication and encryption schemes . . . . . . . . . . . . .134
Configuring Kerberos authentication. . . . . . . . . . . . . . . . . . . . . . . .136
Configuring 802.1x EAP authentication. . . . . . . . . . . . . . . . . . . . . .137
Configuring WEP encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .140
Configuring KeyGuard encryption . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Configuring WPA/WPA2 using TKIP . . . . . . . . . . . . . . . . . . . . . . . . .142
Configuring WPA2-CCMP (802.11i) . . . . . . . . . . . . . . . . . . . . . . . . .144
Configuring firewall settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .146
Configuring LAN to WAN access . . . . . . . . . . . . . . . . . . . . . . . .147
Configuring advanced subnet access. . . . . . . . . . . . . . . . . . . .150
Configuring VPN tunnels. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .151
Configuring manual key settings. . . . . . . . . . . . . . . . . . . . . . . .153
Configuring auto key settings . . . . . . . . . . . . . . . . . . . . . . . . . .156
Configuring IKE key settings . . . . . . . . . . . . . . . . . . . . . . . . . . .157
Viewing VPN status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .159
Configuring content filtering settings. . . . . . . . . . . . . . . . . . . . . . . .160
Configuring rogue AP detection . . . . . . . . . . . . . . . . . . . . . . . . . . . .162
Moving rogue APs to the allowed AP list. . . . . . . . . . . . . . . . . .164
Using clients to detect rogue devices . . . . . . . . . . . . . . . . . . . .166
vi Brocade Mobility 5181 Access Point Product Reference Guide
53-1002516-01
Page 7
Configuring user authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . .167
Configuring the Radius server. . . . . . . . . . . . . . . . . . . . . . . . . .167
Configuring LDAP authentication . . . . . . . . . . . . . . . . . . . . . . .169
Configuring a proxy Radius server . . . . . . . . . . . . . . . . . . . . . .170
Managing the local user database . . . . . . . . . . . . . . . . . . . . . .172
Defining user access permissions by group. . . . . . . . . . . . . . .173
Defining the user access policy . . . . . . . . . . . . . . . . . . . . . . . .173
Chapter 7 Monitoring Statistics
Viewing WAN statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Viewing LAN statistics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .180
Viewing STP statistics for a LAN . . . . . . . . . . . . . . . . . . . . . . . .182
Viewing wireless statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .183
Viewing WLAN statistics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .185
Viewing radio statistics summary . . . . . . . . . . . . . . . . . . . . . . . . . .187
Viewing radio statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .188
Viewing client statistics summary . . . . . . . . . . . . . . . . . . . . . . . . . .191
Viewing client details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .192
Pinging individual clients. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .194
Client authentication statistics . . . . . . . . . . . . . . . . . . . . . . . . .195
Viewing the mesh statistics summary . . . . . . . . . . . . . . . . . . . . . . .195
Viewing known access point statistics. . . . . . . . . . . . . . . . . . . . . . .196
Chapter 8 CLI Reference
In this chapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .199
Connecting to the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .199
Accessing the CLI through the Serial Port . . . . . . . . . . . . . . . .199
Accessing the CLI via Telnet . . . . . . . . . . . . . . . . . . . . . . . . . . .200
Admin and Common Commands . . . . . . . . . . . . . . . . . . . . . . . . . . .200
Network Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .204
Network LAN Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .205
Network WAN Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . .221
Network Wireless Commands. . . . . . . . . . . . . . . . . . . . . . . . . .240
Network Firewall Commands . . . . . . . . . . . . . . . . . . . . . . . . . .285
Network Router Commands . . . . . . . . . . . . . . . . . . . . . . . . . . .289
System Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .293
Adaptive AP Setup Commands . . . . . . . . . . . . . . . . . . . . . . . . .297
System Access Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . .300
System Certificate Management Commands . . . . . . . . . . . . .302
System SNMP Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . .309
System User Database Commands . . . . . . . . . . . . . . . . . . . . .319
System Radius Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . .325
System Network Time Protocol (NTP) Commands . . . . . . . . . .337
System Log Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .340
System Configuration-Update Commands . . . . . . . . . . . . . . .343
Firmware Update Commands . . . . . . . . . . . . . . . . . . . . . . . . . .347
Brocade Mobility 5181 Access Point Product Reference Guide vii 53-1002516-01
Page 8
Statistics Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .350
Chapter 9 Configuring Mesh Networking
Mesh networking overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .359
Mobility 5181 Access Point client bridge
association process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .360
Spanning tree protocol (STP). . . . . . . . . . . . . . . . . . . . . . . . . . .361
Defining the mesh topology . . . . . . . . . . . . . . . . . . . . . . . . . . .361
Mesh networking and the two subnets of the
Mobility 5181 Access Point . . . . . . . . . . . . . . . . . . . . . . . . . . . .362
Normal operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .362
Impact of importing/exporting configurations
to a mesh network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .362
Configuring mesh networking support. . . . . . . . . . . . . . . . . . . . . . .363
Setting the LAN configuration for mesh networking support .363
Configuring a WLAN for mesh networking support . . . . . . . . .364
Configuring the access point radio for mesh support . . . . . . .367
Mesh network deployment - quick setup. . . . . . . . . . . . . . . . . . . . . 371
Scenario 1 - two base bridges and one client bridge . . . . . . . 371
Scenario 2 - two hop mesh network with a base
bridge repeater and a client bridge . . . . . . . . . . . . . . . . . . . . .373
Mesh networking frequently asked questions . . . . . . . . . . . . . . . . 374
Chapter 10 Adaptive AP
Adaptive AP overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .379
Where to go from here. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .380
Adaptive AP management . . . . . . . . . . . . . . . . . . . . . . . . . . . . .380
Licensing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .380
Controller discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .380
Securing a configuration channel between
controller and AP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .381
Adaptive AP WLAN topology . . . . . . . . . . . . . . . . . . . . . . . . . . .381
Configuration updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .382
Securing data tunnels between the controller and AAP . . . . .382
Adaptive AP controller failure . . . . . . . . . . . . . . . . . . . . . . . . . .382
Remote site survivability (RSS) . . . . . . . . . . . . . . . . . . . . . . . . .382
Adaptive mesh support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .383
Supported adaptive AP topologies. . . . . . . . . . . . . . . . . . . . . . . . . .383
Topology deployment considerations . . . . . . . . . . . . . . . . . . . .383
Extended WLANs only . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .384
Independent WLANs only . . . . . . . . . . . . . . . . . . . . . . . . . . . . .384
Extended WLANs with independent WLANs. . . . . . . . . . . . . . .384
Extended WLAN with mesh networking . . . . . . . . . . . . . . . . . .385
How the AP receives its adaptive configuration . . . . . . . . . . . . . . .385
viii Brocade Mobility 5181 Access Point Product Reference Guide
53-1002516-01
Page 9
Establishing basic adaptive AP connectivity . . . . . . . . . . . . . . . . . .386
Adaptive AP configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . .387
Controller configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .388
Adaptive AP deployment considerations . . . . . . . . . . . . . . . . .389
Sample controller configuration file for
IPSec and independent WLAN . . . . . . . . . . . . . . . . . . . . . . . . .390
Appendix A Technical Specifications
Physical characteristics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .395
Mobility 5181 Access Point Physical Characteristics . . . . . . .395
Electrical characteristics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .396
Radio characteristics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .396
Antenna specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .396
Mobility 5181 Access Point antenna specifications . . . . . . . .396
Country codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .397
Appendix B Usage Scenarios
Configuring Automatic Updates using a
DHCP or Linux BootP server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .401
Windows - DHCP server configuration . . . . . . . . . . . . . . . . . . .401
Linux - BootP server configuration . . . . . . . . . . . . . . . . . . . . . .405
Configuring an IPSEC tunnel and VPN FAQs . . . . . . . . . . . . . . . . . .407
Configuring a VPN tunnel between two Access Points . . . . . .407
Frequently asked VPN questions . . . . . . . . . . . . . . . . . . . . . . .410
Brocade Mobility 5181 Access Point Product Reference Guide ix 53-1002516-01
Page 10
x Brocade Mobility 5181 Access Point Product Reference Guide
53-1002516-01
Page 11

About This Document

In this chapter
Audience. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi
Supported hardware and software. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi
Document conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi
Related publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xii
Getting technical help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
Audience
This document is designed for system administrators with a working knowledge of Layer 2 and Layer 3 switching and routing.
If you are using a Brocade Layer 3 Controller, you should be familiar with the following protocols if applicable to your network – IP, RIP, OSPF, BGP, ISIS, IGMP, PIM, DVMRP, and VRRP.
Supported hardware and software
The following hardware platform is supported by this release of this guide:
Mobility 5181 Access Point
Document conventions
This section describes text formatting conventions and important notice formats used in this document.
Text formatting
The narrative-text formatting conventions that are used are as follows:
Brocade Mobility 5181 Access Point Product Reference Guide xi 53-1002516-01
Page 12
bold text Identifies command names
Identifies the names of user-manipulated GUI elements
Identifies keywords
Identifies text to enter at the GUI or CLI
italic text Provides emphasis
Identifies variables
Identifies document titles
code text Identifies CLI output
For readability, command names in the narrative portions of this guide are presented in mixed lettercase: for example, controllerShow. In actual examples, command lettercase is often all lowercase. Otherwise, this manual specifically notes those cases in which a command is case sensitive.
.
Notes, cautions, and warnings
The following notices and statements are used in this manual. They are listed below in order of increasing severity of potential hazards.
NOTE
A note provides a tip, guidance or advice, emphasizes important information, or provides a reference to related information.
CAUTION
A Caution statement alerts you to situations that can be potentially hazardous to you or cause damage to hardware, firmware, software, or data.
DANGER
A Danger statement indicates conditions or situations that can be potentially lethal or extremely hazardous to you. Safety labels are also attached directly to products to warn of these conditions or situations.
Related publications
The following Brocade Communications Systems, Inc. document supplements the information in this guide and can be located at http://www.brocade.com/ethernetproducts.
Brocade Mobility RFS4000, RFS6000 and RFS7000 CLI Reference Guide - Describes the
Command Line Interface (CLI) and Management Information Base (MIB) commands used to configure the Brocade controllers.
If you find errors in the guide, send an e-mail to documentation@brocade.com.
xii Brocade Mobility 5181 Access Point Product Reference Guide
53-1002516-01
Page 13
Getting technical help
To contact Technical Support, go to http://www.brocade.com/services-support/index.page for
the latest e-mail and telephone contact information.
Brocade Mobility 5181 Access Point Product Reference Guide xiii 53-1002516-01
Page 14
xiv Brocade Mobility 5181 Access Point Product Reference Guide
53-1002516-01
Page 15
Chapter

Introduction

In this chapter
This Brocade Mobility 5181 Access Point Product Reference Guide contains setup and advanced configuration instructions for the Brocade Product Name Access Point.
The Mobility 5181 Access Point is constructed to support outdoor installations. A Mobility 5181 Access Point is only available in a dual-radio SKU. Brocade recommends using the Mobility 5181 Access Point Power Tap (Part No. BR-APPSBIAS518101R) designed specifically for outdoor deployments. A Mobility 5181 Access Point must use an RJ-45 to Serial cable to establish a serial connection to a host computer.
The access point (AP) provides a bridge between Ethernet wired LANs or WANs and wireless networks. It provides connectivity between Ethernet wired networks and radio-equipped wireless clients. Clients include the full line of terminals, adapters (PC cards, Compact Flash cards and PCI adapters) and other devices.
1
New features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Theory of operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

New features

The Mobility 5181 Access Point provides a maximum 54Mbps data transfer rate via each radio. It monitors Ethernet traffic and forwards appropriate Ethernet messages to Clients over the network. It also monitors Client radio traffic and forwards Client packets to the Ethernet LAN.
If you are new to using an access point for managing your network, refer to “Theory of operations” on page 16 for an overview on wireless networking fundamentals.
The Mobility 5181 Access Point has the following features carried forward from previous releases:
WIPS support
Trus ted h ost ma nage m ent
Apache certificate management
Adaptive AP
Rogue AP enhancements
Bandwidth management enhancements
Radius time-based authentication
QBSS support
Legacy users can upgrade their firmware image to benefit from the new features described in this section. For information on upgrading the access point’s firmware image, see Updating Device Firmware.
Brocade Mobility 5181 Access Point Product Reference Guide 1 53-1002516-01
Page 16
1
New features

WIPS support

An access point can radio can function as a Wireless Intrusion Protection System (WIPS) sensor and upload sensor mode operation information to a dedicated WIPS server.
WIPS protects your wireless network, mobile devices and traffic from attacks and unauthorized access. WIPS provides tools for standards compliance and around-the-clock 802.11a/b/g wireless network security in a distributed environment. WIPS allows administrators to identify and accurately locate attacks, rogue devices and network vulnerabilities in real time and permits both a wired and wireless lockdown of wireless device connections upon acknowledgement of a threat.
For use in configuring the access point for WIPS support, see “Configuring WIPS server settings” on page 127.

Trusted host management

Trusted subnet management restricts Mobility 5181 Access Point LAN1, LAN2 and WAN interface access (via SNMP, HTTP, HTTPS, Telnet and SSH) to a set of user defined trusted host or subnets. Only hosts with matching subnet (or IP) addresses are able to access the access point. Enabling the feature denies access from any subnet not defined as trusted. Once a set of trusted hosts is defined and applied, the settings can be imported and exported as a part of the access point’s configuration import/export functionality.
For information on defining a set of trusted hosts for exclusive access point access, see “Defining
trusted hosts” on page 55.

Apache certificate management

Apache certificate management allows the update and management of security certificates for an Apache HTTP server. This allows users to upload a trusted certificate to their AP. When a client attaches to it with a browser, a warning message pertaining to the certificate no longer displays.
Apache certificate management utilizes the access point’s existing Certificate Manager for the creation of certificates and keys. The certificate can then be loaded into the apache file system using a command.
For information on defining the Apache certificate management configuration, see “Apache
certificate management” on page 63.

Adaptive AP

An adaptive AP (AAP) is a Mobility 5181 Access Point that can adopt like a Mobility 300. The management of an AAP is conducted by a controller, once the access point connects to a Brocade Mobility RFS6000 Controller or Mobility RFS7000 Controller and receives its AAP configuration.
An AAP provides:
local 802.11 traffic termination
local encryption/decryption
local traffic bridging
the tunneling of centralized traffic to the wireless controller
For a information overview of the adaptive AP feature as well as how to configure it, refer to
“Adaptive AP overview” on page 379.
2 Brocade Mobility 5181 Access Point Product Reference Guide
53-1002516-01
Page 17

Feature overview

1

Rogue AP enhancements

The access point now has the option to scan for rogues over all channels on both of the access point’s 11a and 11bg radio bands. The switching of radio bands is based on a timer with no user intervention required.
For information on configuring the access point for Rogue AP support, see “Configuring rogue AP
detection” on page 162.

Bandwidth management enhancements

Use the Bandwidth Management screen to control the network bandwidth allotted to individual WLANs. Define a weighted scheme as needed when WLAN traffic supporting a specific network segment becomes critical. Bandwidth management is configured on a per-WLAN basis. However, a separate tab has been created for each access point radio. With this new segregated radio approach, bandwidth management can be configured uniquely for individual WLANs on different access point radios.
For information on configuring bandwidth management, see “Configuring bandwidth management
settings” on page 126.

Radius time-based authentication

An external server maintains a users and groups database used by the access point for access permissions. Various kinds of access policies can be applied to each group. Individual groups can be configured with their own time-based access policy. Each group’s policy has a user defined interval defining the days and hours access is permitted. Authentication requests for users belonging to the group are honored only during these defined hourly intervals.
For more information on defining access point access policies by group, see “Defining user access
permissions by group” on page 173.

QBSS support

Each access point radio can be configured to optionally allow the access point to communicate channel usage data to associated devices and define the beacon interval used for channel utilization transmissions. The QBSS load represents the percentage of time the channel is in use by the access point and the access point’s station count. This information is very helpful in assessing the access point’s overall load on a channel, its availability for additional device associations and multi media traffic support.
For information on enabling QBSS and defining the channel utilization transmission interval, see
“Configuring the 802.11a or 802.11b/g radio” on page 121.
Feature overview
The Mobility 5181 Access Point has the following features carried forward from previous releases:
Single or dual mode radio options
Separate LAN and WAN ports
Multiple mounting options
Brocade Mobility 5181 Access Point Product Reference Guide 3 53-1002516-01
Page 18
Feature overview
1
Antenna support for 2.4 GHz and 5 GHz radios
Sixteen configurable WLANs
Support for 4 BSSIDs per radio
Quality of Service (QoS) support
Industry leading data security
VLAN support
Multiple management accessibility options
Updatable firmware
Programmable SNMP v1/v2/v3 trap support
Power-over-Ethernet support
Client-client transmission disallow
Voice prioritization
Support for CAM and PSP clients
Statistical displays
Transmit power control
Advanced event logging capability
Configuration file import/export functionality
Default configuration restoration
DHCP support
Multi-function LEDs
Mesh networking
Additional LAN subnet
On-board Radius server authentication
Hotspot support
Routing information protocol (RIP)
Manual date and time settings
Dynamic DNS
Auto negotiation

Single or dual mode radio options

One or two possible configurations are available on the Mobility 5181 Access Point depending on which model is purchased. If the Mobility 5181 Access Point is manufactured as a single radio access point, the Mobility 5181 Access Point enables you to configure the single radio for either
802.11a or 802.11b/g.
The Mobility 5181 Access Point is a dual-radio access point. The access point enables you to configure one radio for 802.11a support, and the other for 802.11b/g support.
For detailed information, see “Setting the WLAN’s radio configuration” on page 118.
4 Brocade Mobility 5181 Access Point Product Reference Guide
53-1002516-01
Page 19
Feature overview
1

Separate LAN and WAN ports

The Mobility 5181 Access Point has one LAN port and one WAN port, each with their own MAC address. The access point must manage all data traffic over the LAN connection carefully as either a DHCP client, BOOTP client, DHCP server or using a static IP address. The access point can only use a Power-over-Ethernet device when connected to the LAN port.
For detailed information on configuring the Mobility 5181 Access Point LAN port, see “Configuring
the LAN interface” on page 93.
A Wide Area Network (WAN) is a widely dispersed telecommunications network. In a corporate environment, the WAN port might connect to a larger corporate network. For a small business, the WAN port might connect to a DSL or cable modem to access the Internet. Regardless, network address information must be configured for the Mobility 5181 Access Point’s intended mode of operation.
For detailed information on configuring the access point’s WAN port, see “Configuring WAN
settings” on page 101.
The LAN and WAN port MAC addresses can be located within the LAN and WAN Stats screens.
For detailed information on locating the access point’s MAC addresses, see “Viewing WAN
statistics” on page 177 and “Viewing LAN statistics” on page 180. For information on access point
MAC address assignments, see “Mobility 5181 Access Point MAC address assignment” on page 21.

Multiple mounting options

The Mobility 5181 Access Point rests on a flat surface, attaches to a wall, mounts under a ceiling or above a ceiling (attic). Choose a mounting option based on the physical environment of the coverage area. Do not mount the Mobility 5181 Access Point in a location that has not been approved in a Mobility 5181 Access Point radio coverage site survey.
For detailed information on the mounting options available, see “Mounting a Mobility 5181 Access
Point” on page 28.

Antenna support for 2.4 GHz and 5 GHz radios

The Mobility 5181 Access Point supports several 802.11a and 802.11b/g radio antennas. Select the antenna best suited to the radio transmission requirements of your coverage area.
For an overview of the Radio 1 (2.4 GHz) and Radio 2 (5 GHz) antennas supported on the Mobility 5181 Access Point’s connectors, see “Antenna specifications” on page 396. The Mobility 5181 Access Point uses an antenna suite primarily suited for outdoor use.

Sixteen configurable WLANs

A Wireless Local Area Network (WLAN) is a data-communications system that flexibly extends the functionalities of a wired LAN. A WLAN does not require lining up devices for line-of-sight transmission, and are thus, desirable for wireless networking. Roaming users can be handed off from one Mobility 5181 Access Point to another like a cellular phone system. WLANs can therefore be configured around the needs of specific groups of users, even when they are not in physical proximity. Sixteen WLANs are configurable on each Mobility 5181 Access Point.
Brocade Mobility 5181 Access Point Product Reference Guide 5 53-1002516-01
Page 20
Feature overview
1
To enable and configure WLANs on an Mobility 5181 Access Point radio, see “Enabling wireless
LANs (WLANs)” on page 106.

Support for 4 BSSIDs per radio

The access point supports four BSSIDs per radio. Each BSSID has a corresponding MAC address. The first MAC address corresponds to BSSID #1. The MAC addresses for the other three BSSIDs (BSSIDs #2, #3, #4) are derived by adding 1, 2, 3, respectively, to the radio MAC address.
If the radio MAC address displayed on the Radio Settings screen is 00:24:38:28:9B:DC, then the BSSIDs for that radio will have the following MAC addresses:
BSSID MAC Address Hexadecimal Addition
BSSID #1 00:24:38:28:9B:DC Same as Radio MAC address
BSSID #2 00:24:38:28:9B:DD Radio MAC address +1
BSSID #3 00:24:38:28:9B0:DE Radio MAC address +2
BSSID #4 00:24:38:28:9B:DF Radio MAC address +3
For detailed information on strategically mapping BSSIDs to WLANs, see “Configuring the 802.11a
or 802.11b/g radio” on page 121. For information on access point MAC address assignments, see “Mobility 5181 Access Point MAC address assignment” on page 21.

Quality of Service (QoS) support

The Mobility 5181 Access Point QoS implementation provides applications running on different wireless devices a variety of priority levels to transmit data to and from the Mobility 5181 Access Point. Equal data transmission priority is fine for data traffic from applications such as Web browsers, file transfers or email, but is inadequate for multimedia applications.
Voice over Internet Protocol (VoIP), video streaming and interactive gaming are highly sensitive to latency increases and throughput reductions. These forms of higher priority data traffic can significantly benefit from the Mobility 5181 Access Point QoS implementation. The WiFi Multimedia QOS Extensions (WMM) implementation used by the Mobility 5181 Access Point shortens the time between transmitting higher priority data traffic and is thus desirable for multimedia applications. In addition, U-APSD (WMM Power Save) is also supported.
WMM defines four access categories—voice, video, best effort and background—to prioritize traffic for enhanced multimedia support.
For detailed information on configuring QoS support, see “Setting the WLAN Quality of Service
(QoS) policy” on page 111.

Industry leading data security

The Mobility 5181 Access Point supports numerous encryption and authentication techniques to protect the data transmitting on the WLAN.
The following authentication techniques are supported:
Kerberos authentication
EAP authentication
6 Brocade Mobility 5181 Access Point Product Reference Guide
53-1002516-01
Page 21
Feature overview
The following encryption techniques are supported:
1
WEP encryption
KeyGuard encryption
Wi-Fi protected access (WPA) using TKIP encryption
WPA2-CCMP (802.11i) encryption
In addition, the Mobility 5181 Access Point supports the following additional security features:
Firewall security
VPN tunnels
Content filtering
For an overview on the encryption and authentication schemes available, refer to “Configuring
Access Point Security” on page 131.
Kerberos authentication
Authentication is a means of verifying information transmitted from a secure source. If information is authentic, you know who created it and you know it has not been altered in any way since originated. Authentication entails a network administrator employing a software “supplicant” on their computer or wireless device.
Authentication is critical for the security of any wireless LAN device. Traditional authentication methods are not suitable for use in wireless networks where an unauthorized user can monitor network traffic and intercept passwords. The use of strong authentication methods that do not disclose passwords is necessary. The access point uses the Kerberos authentication service protocol (specified in RFC 1510) to authenticate users/clients in a wireless network environment and to securely distribute the encryption keys used for both encrypting and decrypting.
A basic understanding of RFC 1510 Kerberos Network Authentication Service (V5) is helpful in understanding how Kerberos functions. By default, WLAN devices operate in an open system network where any wireless device can associate with an AP without authorization. Kerberos requires device authentication before access to the wired network is permitted.
For detailed information on Kerbeors configurations, see “Configuring Kerberos authentication” on page 136.
EAP authentication
The Extensible Authentication Protocol (EAP) feature provides access points and their associated Client’s an additional measure of security for data transmitted over the wireless network. Using EAP, authentication between devices is achieved through the exchange and verification of certificates.
EAP is a mutual authentication method whereby both the Client and AP are required to prove their identities. Like Kerberos, the user loses device authentication if the server cannot provide proof of device identification.
Using EAP, a user requests connection to a WLAN through the Mobility 5181 Access Point. The Mobility 5181 Access Point then requests the identity of the user and transmits that identity to an authentication server. The server prompts the AP for proof of identity (supplied to the Mobility 5181 Access Point by the user) and then transmits the user data back to the server to complete the authentication process.
Brocade Mobility 5181 Access Point Product Reference Guide 7 53-1002516-01
Page 22
Feature overview
1
An Client is not able to access the network if not authenticated. When configured for EAP support, the access point displays the Client as an EAP station.
EAP is only supported on mobile devices running Windows XP, Windows 2000 (using Service Pack #4) and Windows Mobile 2003. Refer to the system administrator for information on configuring a Radius Server for EAP (802.1x) support.
For detailed information on EAP configurations, see “Configuring 802.1x EAP authentication” on page 137.
WEP encryption
All WLAN devices face possible information theft. Theft occurs when an unauthorized user eavesdrops to obtain information illegally. The absence of a physical connection makes wireless links particularly vulnerable to this form of theft. Most forms of WLAN security rely on encryption to various extents. Encryption entails scrambling and coding information, typically with mathematical formulas called algorithms, before the information is transmitted. An algorithm is a set of instructions or formula for scrambling the data. A key is the specific code used by the algorithm to encrypt or decrypt the data. Decryption is the decoding and unscrambling of received encrypted data.
The same device, host computer or front-end processor, usually performs both encryption and decryption. The transmit or receive direction determines whether the encryption or decryption function is performed. The device takes plain text, encrypts or scrambles the text typically by mathematically combining the key with the plain text as instructed by the algorithm, then transmits the data over the network. At the receiving end, another device takes the encrypted text and decrypts, or unscrambles, the text revealing the original message. An unauthorized user can know the algorithm, but cannot interpret the encrypted data without the appropriate key. Only the sender and receiver of the transmitted data know the key.
Wired Equivalent Privacy (WEP) is an encryption security protocol specified in the IEEE Wireless Fidelity (Wi-Fi) standard, 802.11b and supported by the Mobility 5181 Access Point. WEP encryption is designed to provide a WLAN with a level of security and privacy comparable to that of a wired LAN. The level of protection provided by WEP encryption is determined by the encryption key length and algorithm. An encryption key is a string of case sensitive characters used to encrypt and decrypt data packets transmitted between a mobile unit (Client) and the Mobility 5181 Access Point. An Mobility 5181 Access Point and its associated wireless clients must use the same encryption key (typically 1 through 4) to interoperate.
For detailed information on WEP, see “Configuring WEP encryption” on page 140.
KeyGuard encryption
Use KeyGuard to shield the master encryption keys from being discovered through hacking. KeyGuard negotiation takes place between the access point and Client upon association. The access point can use KeyGuard with Brocade Clients. KeyGuard is only supported on Brocade Clients making it a proprietary security mechanism.
For detailed information on KeyGuard configurations, see “Configuring KeyGuard encryption” on page 141.
8 Brocade Mobility 5181 Access Point Product Reference Guide
53-1002516-01
Page 23
Feature overview
1
Wi-Fi protected access (WPA) using TKIP encryption
Wi-Fi Protected Access (WPA) is a security standard for systems operating with a Wi-Fi wireless connection. WEP’s lack of user authentication mechanisms is addressed by WPA. Compared to WEP, WPA provides superior data encryption and user authentication.
WPA addresses the weaknesses of WEP by including:
a per-packet key mixing function
a message integrity check
an extended initialization vector with sequencing rules
a re-keying mechanism
WPA uses an encryption method called Temporal Key Integrity Protocol (TKIP). WPA employs
802.1X and Extensible Authentication Protocol (EAP).
For detailed information on WPA using TKIP configurations, see “Configuring WPA/WPA2 using
TKIP” on page 142.
WPA2-CCMP (802.11i) encryption
WPA2 is a newer 802.11i standard that provides even stronger wireless security than Wi-Fi Protected Access (WPA) and WEP. Counter-mode/CBC-MAC Protocol (CCMP) is the security
standard used by the Advanced Encryption Standard (AES). AES serves the same function TKIP does for WPA-TKIP. CCMP computes a Message Integrity Check (MIC) using the proven Cipher Block Message Authentication Code (CBC-MAC) technique. Changing just one bit in a message produces a totally different result.
WPA2-CCMP is based on the concept of a Robust Security Network (RSN), which defines a hierarchy of keys with a limited lifetime (similar to TKIP). Like TKIP, the keys the administrator provides are used to derive other keys. Messages are encrypted using a 128-bit secret key and a 128-bit block of data. The end result is an encryption scheme as secure as any the Mobility 5181 Access Point provides.
For detailed information on WPA2-CCMP, see “Configuring WPA2-CCMP (802.11i)” on page 144.
Firewall security
A firewall keeps personal data in and hackers out. The Mobility 5181 Access Point firewall prevents suspicious Internet traffic from proliferating the Mobility 5181 Access Point managed network. The Mobility 5181 Access Point performs Network Address Translation (NAT) on packets passing to and from the WAN port. This combination provides enhanced security by monitoring communication with the wired network.
For detailed information on configuring the Mobility 5181 Access Point’s firewall, see “Configuring
firewall settings” on page 146.
VPN tunnels
Virtual Private Networks (VPNs) are IP-based networks using encryption and tunneling providing users remote access to a secure LAN. In essence, the trust relationship is extended from one LAN across the public network to another LAN, without sacrificing security. A VPN behaves like a private network; however, because the data travels through the public network, it needs several layers of security. The Mobility 5181 Access Point can function as a robust VPN gateway.
Brocade Mobility 5181 Access Point Product Reference Guide 9 53-1002516-01
Page 24
Feature overview
1
For detailed information on configuring VPN security support, see “Configuring VPN tunnels” on page 151.
Content filtering
Content filtering allows system administrators to block specific commands and URL extensions from going out through the Mobility 5181 Access Point WAN port. Therefore, content filtering affords system administrators selective control on the content proliferating the network and is a powerful screening tool. Content filtering allows the blocking of up to 10 files or URL extensions and allows blocking of specific outbound HTTP, SMTP, and FTP requests.
For detailed information on configuring content filtering support, see “Configuring content filtering
settings” on page 160.

VLAN support

A Virtual Local Area Network (VLAN) can electronically separate data on the same AP from a single broadcast domain into separate broadcast domains. By using a VLAN, you can group by logical function instead of physical location. There are 16 VLANs supported on the Mobility 5181 Access Point. An administrator can map up to 16 WLANs to 16 VLANs and enable or disable dynamic VLAN assignment. In addition to these 16 VLANs, the access point supports dynamic, user-based, VLANs when using EAP authentication.
VLANs enable organizations to share network resources in various network segments within large areas (airports, shopping malls, etc.). A VLAN is a group of clients with a common set of requirements independent of their physical location. VLANs have the same attributes as physical LANs, but they enable administrators to group clients even when they are not members of the same network segment.
For detailed information on configuring VLAN support, see “Configuring VLAN support” on page 95.

Multiple management accessibility options

The Mobility 5181 Access Point can be accessed and configured using one of the following methods:
Java-Based Web UI
Human readable config file (imported via FTP or TFTP)
MIB (Management Information Base)
Command Line Interface (CLI) accessed via RS-232 or Telnet. Use the Mobility 5181 Access
Point’s DB-9 serial port for direct access to the command-line interface from a PC.

Updatable firmware

Brocade periodically releases updated versions of device firmware to the Brocade Web site. If the Mobility 5181 Access Point firmware version displayed on the System Settings page (see
“Configuring system settings” on page 45) is older than the version on the Web site, Brocade
recommends updating the Mobility 5181 Access Point to the latest firmware version for full feature functionality.
For detailed information on updating the Mobility 5181 Access Point firmware using FTP or TFTP, see “Updating device firmware” on page 86.
10 Brocade Mobility 5181 Access Point Product Reference Guide
53-1002516-01
Page 25
Feature overview
1

Programmable SNMP v1/v2/v3 trap support

Simple Network Management Protocol (SNMP) facilitates the exchange of management information between network devices. SNMP uses Management Information Bases (MIBs) to manage the device configuration and monitor Internet devices in remote locations. MIB information accessed via SNMP is defined by a set of managed objects called Object Identifiers (OIDs). An object identifier (OID) is used to uniquely identify each object variable of a MIB.
SNMP allows a network administrator to configure the access point, manage network performance, find and solve network problems, and plan for network growth. The Mobility 5181 Access Point supports SNMP management functions for gathering information from its network components. The access point’s download site contains the following 2 MIB files:
BROCADE-CC-BR51XX-MIB-2.0.mib (standard MIB file)
BROCADE-BR51XX-MIB.mib
The Mobility 5181 Access Point’s SNMP agent functions as a command responder and is a multilingual agent responding to SNMPv1, v2c and v3 managers (command generators). The factory default configuration maintains SNMPv1/2c support of community names, thus providing backward compatibility.
For detailed information on configuring SNMP traps, see “Configuring SNMP settings” on page 64.

Power-over-Ethernet support

When users purchase a Brocade WLAN solution, they often need to place access points in obscure locations. In the past, a dedicated power source was required for each access point in addition to the Ethernet infrastructure. This often required an electrical contractor to install power drops at each access point location.
The Mobility 5181 Access Point Power Tap is a single-port Power over Ethernet hub combining low-voltage DC with Ethernet data in a single cable connecting to the Mobility 5181 Access Point. However, the Power Tap is designed and ruggedized for use with a Mobility 5181 Access Point’s outdoor deployment. For detailed information on using the Power Tap, see “Power options” on page 26.

Client-client transmission disallow

The access point’s Client-Client Disallow feature prohibits Clients from communicating with each other even if on the same WLAN, assuming one WLAN is configured to disallow Client-Client communication. Therefore, if an Client’s WLAN is configured for Client-Client disallow, it will not be able to communicate with any other Clients connected to this access point.
For detailed information on configuring an Mobility 5181 Access Point WLAN to disallow Client to Client communications, see “Creating/editing individual WLANs” on page 107.

Voice prioritization

Each Mobility 5181 Access Point WLAN has the capability of having its QoS policy configured to prioritize the network traffic requirements for associated Clients. A WLAN QoS page is available for each enabled WLAN on both the 802.11a and 802.11b/g radio.
Brocade Mobility 5181 Access Point Product Reference Guide 11 53-1002516-01
Page 26
Feature overview
1
Use the QoS page to enable voice prioritization for devices to receive the transmission priority they may not normally receive over other data traffic. Voice prioritization allows the Mobility 5181 Access Point to assign priority to voice traffic over data traffic, and (if necessary) assign legacy voice supported devices (non WMM supported voice devices) additional priority.
For detailed information on configuring voice prioritization over other voice enabled devices, see
“Setting the WLAN Quality of Service (QoS) policy” on page 111.

Support for CAM and PSP clients

The Mobility 5181 Access Point supports both CAM and PSP powered Clients. CAM (Continuously Aware Mode) Clients leave their radios on continuously to hear every beacon and message
transmitted. These systems operate without any adjustments by the Mobility 5181 Access Point.
A beacon is a uniframe system packet broadcast by the AP to keep the network synchronized. A beacon includes the ESSID, Mobility 5181 Access Point MAC address, Broadcast destination addresses, a time stamp, a DTIM (Delivery Traffic Indication Message) and the TIM (Traffic
Indication Map).
PSP (Power Save Polling) Clients power off their radios for short periods. When a Client in PSP
mode associates with an Mobility 5181 Access Point, it notifies the Mobility 5181 Access Point of its activity status. The Mobility 5181 Access Point responds by buffering packets received for the Client. PSP mode is used to extend an Client’s battery life by enabling the Client to “sleep” during periods of inactivity.

Statistical displays

The Mobility 5181 Access Point can display robust transmit and receive statistics for the WAN and LAN ports. WLAN stats can be displayed collectively and individually for enabled WLANs. Transmit and receive statistics are available for the Mobility 5181 Access Point’s 802.11a and 802.11b/g radios. An advanced radio statistics page is also available to display retry histograms for specific data packet retry information.
Associated Client stats can be displayed collectively and individually for specific Clients. An echo (ping) test is also available to ping specific Clients to assess association strength. Finally, the Mobility 5181 Access Point can detect and display the properties of other APs detected within the Mobility 5181 Access Point’s radio coverage area. The type of AP detected can be displayed as well as the properties of individual APs.
For detailed information on available Mobility 5181 Access Point statistical displays and the values they represent, see “Monitoring Statistics” on page 177.

Transmit power control

The Mobility 5181 Access Point has a configurable power level for each radio. This enables the network administrator to define the antenna’s transmission power level in respect to the access point’s placement or network requirements as defined in the Mobility 5181 Access Point site survey.
For detailed information on setting the radio transmit power level, see “Configuring the 802.11a or
802.11b/g radio” on page 121.
12 Brocade Mobility 5181 Access Point Product Reference Guide
53-1002516-01
Page 27
Feature overview
1

Advanced event logging capability

The Mobility 5181 Access Point provides the capability for periodically logging system events. Logging events is useful in assessing the throughput and performance of the Mobility 5181 Access Point or troubleshooting problems on the Mobility 5181 Access Point managed Local Area Network (LAN).
For detailed information on Mobility 5181 Access Point events, see “Logging configuration” on page 79.

Configuration file import/export functionality

Configuration settings for an Mobility 5181 Access Point can be downloaded from the current configuration of another Mobility 5181 Access Point. This affords the administrator the opportunity to save the current configuration before making significant changes or restoring the default configuration.
For detailed information on importing or exporting configuration files, see “Importing/exporting
configurations” on page 81.

Default configuration restoration

The Mobility 5181 Access Point has the ability to restore its default configuration or a partial default configuration (with the exception of current WAN and SNMP settings). Restoring the default configuration is a good way to create new WLANs if the Clients the Mobility 5181 Access Point supports have been moved to different radio coverage areas.
For detailed information on restoring a default or partial default configuration, see “Configuring
system settings” on page 45.

DHCP support

The Mobility 5181 Access Point can use Dynamic Host Configuration Protocol (DHCP) to obtain a leased IP address and configuration information from a remote server. DHCP is based on the BOOTP protocol and can coexist or interoperate with BOOTP. Configure the Mobility 5181 Access Point to send out a DHCP request searching for a DHCP/BOOTP server to acquire HTML, firmware or network configuration files when the Mobility 5181 Access Point boots. Because BOOTP and DHCP interoperate, whichever responds first becomes the server that allocates information.
The Mobility 5181 Access Point can be set to only accept replies from DHCP or BOOTP servers or both (this is the default setting). Disabling DHCP disables BOOTP and DHCP and requires network settings to be set manually. If running both DHCP and BOOTP, do not select BOOTP Only. BOOTP should only be used when the server is running BOOTP exclusively.
The DHCP client automatically sends a DHCP request at an interval specified by the DHCP server to renew the IP address lease as long as the Mobility 5181 Access Point is running (this parameter is programmed at the DHCP server). For example: Windows 2000 servers typically are set for 3 days.
Brocade Mobility 5181 Access Point Product Reference Guide 13 53-1002516-01
Page 28
Feature overview
1

Multi-function LEDs

A Mobility 5181 Access Point has seven LED indicators. Four LEDs exist on the top of the Mobility 5181 Access Point and are visible from wall, ceiling and table-top orientations. Three of these four LEDs are single color activity LEDs, and one is a multifunction red and white status LED. Two LEDs exist on the rear of the Mobility 5181 Access Point and are viewable using a single (customer installed) extended light pipe, adjusted as required to suit above the ceiling installations. An Mobility 5181 Access Point houses four LEDs on the bottom/back side of the unit.
For detailed information on the Mobility 5181 Access Point LEDs and their functionality, see
“Mobility 5181 Access Point LED indicators” on page 33.

Mesh networking

Utilize the new mesh networking functionality to allow the access point to function as a bridge to connect two Ethernet networks or as a repeater to extend your network’s coverage area without additional cabling. Mesh networking is configurable in two modes. It can be set in a wireless client bridge mode and/or a wireless base bridge mode (which accepts connections from client bridges). These two modes are not mutually exclusive.
In client bridge mode, the access point scans to find other access points using the selected WLAN’s ESSID. The access point must go through the association and authentication process to establish a wireless connection. The mesh networking association process is identical to the access point’s Client association process. Once the association/authentication process is complete, the wireless client adds the connection as a port on its bridge module. This causes the access point (in client bridge mode) to begin forwarding configuration packets to the base bridge. An access point in base bridge mode allows the access point radio to accept client bridge connections.
The two bridges communicate using the Spanning Tree Protocol (STP). The spanning tree determines the path to the root and detects if the current connection is part of a network loop with another connection. Once the spanning tree converges, both access points begin learning which destinations reside on which side of the network. This allows them to forward traffic intelligently.
After the access point (in client bridge mode) establishes at least one wireless connection, it will begin beaconing and accepting wireless connections (if configured to support mobile users). If the access point is configured as both a client bridge and a base bridge, it begins accepting client bridge connections. In this way, the mesh network builds itself over time and distance.
Once the access point (in client bridge mode) establishes at least one wireless connection, it establishes other wireless connections in the background as they become available. In this way, the access point can establish simultaneous redundant links. An access point (in client bridge mode) can establish up to 3 simultaneous wireless connections with other Mobility 5181 Access Points. A client bridge always initiates the connections and the base bridge is always the acceptor of the mesh network data proliferating the network.
Since each access point can establish up to 3 simultaneous wireless connections, some of these connections may be redundant. In that case, the STP algorithm determines which links are the redundant links and disables the links from forwarding.
For an overview on mesh networking as well as details on configuring the access point’s mesh networking functionality, see “Configuring Mesh Networking” on page 359.
14 Brocade Mobility 5181 Access Point Product Reference Guide
53-1002516-01
Page 29
Feature overview
1

Additional LAN subnet

In a typical retail or small office environment (wherein a wireless network is available along with a production WLAN) it is frequently necessary to segment a LAN into two subnets. Consequently, a second LAN is necessary to “segregate” wireless traffic.
The access point has a second LAN subnet enabling administrators to segment the access point’s LAN connection into two separate networks. The main access point LAN screen allows the user to select either LAN1 or LAN2 as the active LAN over the access point’s Ethernet port. Both LANs can still be active at any given time, but only one can transmit over the access point’s physical LAN connection. Each LAN has a separate configuration screen (called LAN 1 and LAN 2 by default) accessible under the main LAN screen. The user can rename each LAN as necessary. Additionally, each LAN can have its own Ethernet Type Filter configuration, and subnet access (HTTP, SSH, SNMP and telnet) configuration.
For detailed information on configuring the access point for additional LAN subnet support, see
“Configuring the LAN interface” on page 93.

On-board Radius server authentication

The access point has the ability to work as a Radius Server to provide user database information and user authentication. Several new screens have been added to the access point’s menu tree to configure Radius server authentication and configure the local user database and access policies. A new Radius Server screen allows an administrator to define the data source, authentication type and associate digital certificates with the authentication scheme. The LDAP screen allows the administrator to configure an external LDAP Server for use with the access point. A new Access Policy screen enables the administrator to set WLAN access based on user groups defined within the User Database screen. Each user is authorized based on the access policies applicable to that user. Access policies allow an administrator to control access to a user groups based on the WLAN configurations.
For detailed information on configuring the access point for AAA Radius Server support, see
“Configuring user authentication” on page 167.

Hotspot support

The access point allows hotspot operators to provide user authentication and accounting without a special client application. The access point uses a traditional Internet browser as a secure authentication device. Rather than rely on built-in 802.11 security features to control access point association privileges, you can configure a WLAN with no WEP (an open network). The access point issues an IP address to the user using a DHCP server, authenticates the user and grants the user to access the Internet.
If a tourist visits a public hotspot and wants to browse a Web page, they boot their laptop and associate with a local Wi-Fi network by entering a valid SSID. They start a browser, and the hotspot’s access controller forces the un-authenticated user to a Welcome page (from the hotspot operator) that allows the user to login with a username and password. In order to send a redirected page (a login page), a TCP termination exists locally on the access point. Once the login page displays, the user enters their credentials. The access point connects to the Radius server and determines the identity of the connected wireless user. Thus, allowing the user to access the Internet once successfully authenticated.
Brocade Mobility 5181 Access Point Product Reference Guide 15 53-1002516-01
Page 30

Theory of operations

1
For detailed information on configuring the access point for Hotspot support, see “Configuring
WLAN hotspot support” on page 114.

Routing information protocol (RIP)

RIP is an interior gateway protocol that specifies how routers exchange routing-table information. The parent Router screen also allows the administrator to select the type of RIP and the type of RIP authentication used.
For detailed information on configuring RIP functionality as part of the access point’s Router functionality, see “Setting the RIP Configuration” on page 129.

Manual date and time settings

As an alternative to defining a NTP server to provide access point system time, the access point can now have its date and time set manually. A new Manual Date/Time Setting screen can be used to set the time using a Year-Month-Day HH:MM:SS format.
For detailed information on manually setting the access point’s system time, see “Configuring
Network Time Protocol (NTP)” on page 76.

Dynamic DNS

The access point supports the Dynamic DNS service. Dynamic DNS (or DynDNS) is a feature offered by www.dyndns.com which allows the mapping of domain names to dynamically assigned IP addresses. When the dynamically assigned IP address of a client changes, the new IP address is sent to the DynDNS service and traffic for the specified domain(s) is routed to the new IP address. For information on configuring the Dynamic DNS feature, see “Configuring dynamic DNS” on page 105.

Auto negotiation

Auto negotiation enables the access point to automatically exchange information (over either its LAN or WAN port) about data transmission speed and duplex capabilities. Auto negotiation is helpful when using the access point in an environment where different devices are connected and disconnected on a regular basis. For information on configuring the auto negotiation feature, see
“Configuring the LAN interface” on page 93 or “Configuring WAN settings” on page 101
Theory of operations
To understand Mobility 5181 Access Point management and performance alternatives, users need familiarity with Mobility 5181 Access Point functionality and configuration options. The Mobility 5181 Access Point includes features for different interface connections and network management.
The Mobility 5181 Access Point uses electromagnetic waves to transmit and receive electric signals without wires. Users communicate with the network by establishing radio links between wireless clients and access points.
16 Brocade Mobility 5181 Access Point Product Reference Guide
53-1002516-01
Page 31
Theory of operations
The Mobility 5181 Access Point uses DSSS (direct sequence spread spectrum) to transmit digital data from one device to another. A radio signal begins with a carrier signal that provides the base or center frequency. The digital data signal is encoded onto the carriers using a DSSS chipping algorithm. The Mobility 5181 Access Point radio signal propagates into the air as electromagnetic waves. A receiving antenna (on the Client) in the path of the waves absorbs the waves as electrical signals. The receiving Client interprets (demodulates) the signal by reapplying the direct sequence chipping code. This demodulation results in the original digital data.
The Mobility 5181 Access Point uses its environment (the air and certain objects) as the transmission medium.The Mobility 5181 Access Point can either transmit in the 2.4 to 2.5-GHz frequency range (802.11b/g radio) or the 5 GHz frequency range (802.11a radio), the actual range is country-dependent. Brocade devices, like other Ethernet devices, have unique, hardware encoded Media Access Control (MAC) or IEEE addresses. MAC addresses determine the device sending or receiving data. A MAC address is a 48-bit number written as six hexadecimal bytes separated by colons. For example: 00:A0:F8:24:9A:C8
Also see the following sections:
1
Wireless coverage
MAC layer bridging
Content filtering
DHCP support
Media types
Direct-sequence spread spectrum
Client association process
Operating modes
Management access options
Mobility 5181 Access Point MAC address assignment

Wireless coverage

An Mobility 5181 Access Point establishes an average communication range with Clients called a Basic Service Set (BSS) or cell. When in a particular cell, the Client associates and communicates with the Mobility 5181 Access Point supporting the radio coverage area of that cell. Adding Mobility 5181 Access Points to a single LAN establishes more cells to extend the range of the network. Configuring the same ESSID (Extended Service Set Identifier) on all Mobility 5181 Access Points makes them part of the same Wireless LAN.
Mobility 5181 Access Points with the same ESSID define a coverage area. A valid ESSID is an alphanumeric, case-sensitive identifier up to 32 characters. An Client searches for an Mobility 5181 Access Point with a matching ESSID and synchronizes (associates) to establish communications. This device association allows Clients within the coverage area to move about or roam. As the Client roams from cell to cell, it associates with a different Mobility 5181 Access Point. The roam occurs when the Client analyzes the reception quality at a location and determines a different Mobility 5181 Access Point provides better signal strength and lower Client load distribution.
If the Client does not find an Mobility 5181 Access Point with a workable signal, it can perform a scan to find any AP. As Clients switch APs, the AP updates its association statistics.
Brocade Mobility 5181 Access Point Product Reference Guide 17 53-1002516-01
Page 32
Theory of operations
1
The user can configure the ESSID to correspond to up to 16 WLANs on each 802.11a or 802.11b/g radio. A Wireless Local Area Network (WLAN) is a data-communications system that flexibly extends the functionalities of a wired LAN. A WLAN does not require lining up devices for line-of-sight transmission, and are thus, desirable. Within the WLAN, roaming users can be handed off from one Mobility 5181 Access Point to another like a cellular phone system. WLANs can therefore be configured around the needs of specific groups of users, even when they are not in physical proximity.

MAC layer bridging

The Mobility 5181 Access Point provides MAC layer bridging between its interfaces. The Mobility 5181 Access Point monitors traffic from its interfaces and, based on frame address, forwards the frames to the proper destination. The access point tracks source and destination addresses to provide intelligent bridging as Clients roam or network topologies change. The Mobility 5181 Access Point also handles broadcast and multicast messages and responds to Client association requests.
The Mobility 5181 Access Point listens to all packets on its LAN and WAN interfaces and builds an address database using MAC addresses. An address in the database includes the interface media that the device uses to associate with the Mobility 5181 Access Point. The Mobility 5181 Access Point uses the database to forward packets from one interface to another. The bridge forwards packets addressed to unknown systems to the Default Interface (Ethernet).
The Mobility 5181 Access Point internal stack interface handles all messages directed to the Mobility 5181 Access Point. Each Mobility 5181 Access Point stores information on destinations and their interfaces to facilitate forwarding. When a user sends an ARP (Address Resolution Protocol) request packet, the Mobility 5181 Access Point forwards it over all enabled interfaces except over the interface the ARP request packet was received.
On receiving the ARP response packet, the Mobility 5181 Access Point database keeps a record of the destination address along with the receiving interface. With this information, the Mobility 5181 Access Point forwards any directed packet to the correct destination. Transmitted ARP request packets echo back to other Clients. The access point removes from its database the destination or interface information that is not used for a specified time. The AP refreshes its database when it transmits or receives data from these destinations and interfaces.

Media types

The Mobility 5181 Access Point radio interface conforms to IEEE 802.11a/b/g specifications. The interface operates at a maximum 54Mbps (802.11a radio) using direct-sequence radio technology. The Mobility 5181 Access Point supports multiple-cell operations with fast roaming between cells. Within a direct-sequence system, each cell can operate independently. Adding cells to the network provides an increased coverage area and total system capacity.
The RS-232 serial port provides a Command Line Interface (CLI) connection. The serial link supports a direct serial connection (assuming a DB9 connector is used). The Mobility 5181 Access Point is a Data Terminal Equipment (DTE) device with male pin connectors for the RS-232 port. Connecting the Mobility 5181 Access Point to a PC requires a null modem serial cable.
18 Brocade Mobility 5181 Access Point Product Reference Guide
53-1002516-01
Page 33
Theory of operations
1

Direct-sequence spread spectrum

Spread spectrum (broadband) uses a narrowband signal to spread the transmission over a segment of the radio frequency band or spectrum. Direct-sequence is a spread spectrum technique where the transmitted signal is spread over a particular frequency range. The access point uses Direct-Sequence Spread Spectrum (DSSS) for radio communication.
Direct-sequence systems communicate by continuously transmitting a redundant pattern of bits called a chipping sequence. Each bit of transmitted data is mapped into chips by the Mobility 5181 Access Point and rearranged into a pseudorandom spreading code to form the chipping sequence. The chipping sequence is combined with a transmitted data stream to produce the output signal.
Clients receiving a direct-sequence transmission use the spreading code to map the chips within the chipping sequence back into bits to recreate the original data transmitted by the Mobility 5181 Access Point. Intercepting and decoding a direct-sequence transmission requires a predefined algorithm to associate the spreading code used by the transmitting Mobility 5181 Access Point to the receiving Client. This algorithm is established by IEEE 802.11 specifications. The bit redundancy within the chipping sequence enables the receiving Client to recreate the original data pattern, even if bits in the chipping sequence are corrupted by interference.
The ratio of chips per bit is called the spreading ratio. A high spreading ratio increases the resistance of the signal to interference. A low spreading ratio increases the bandwidth available to the user. The Mobility 5181 Access Point uses different modulation schemes to encode more bits per chip at higher data rates. The Mobility 5181 Access Point is capable of a maximum 54Mbps data transmission rate (802.11a radio), but the coverage area is less than that of an Mobility 5181 Access Point operating at lower data rates since coverage area decreases as bandwidth increases.

Client association process

An Mobility 5181 Access Point recognizes Clients as they begin the association process. An Mobility 5181 Access Point keeps a list of the Clients it services. Clients associate with an Mobility 5181 Access Point based on the following conditions:
Signal strength between the Mobility 5181 Access Point and Client
Number of Clients currently associated with the Mobility 5181 Access Point
Clients encryption and authentication capabilities
Clients supported data rate
Clients perform pre-emptive roaming by intermittently scanning for Mobility 5181 Access Point’s and associating with the best available Mobility 5181 Access Point. Before roaming and associating, Clients perform full or partial scans to collect Mobility 5181 Access Point statistics and determine the direct-sequence channel used by the Mobility 5181 Access Point.
Scanning is a periodic process where the Client sends out probe messages on all channels defined by the country code. The statistics enable an Client to reassociate by synchronizing its channel to the Mobility 5181 Access Point. The Client continues communicating with that Mobility 5181 Access Point until it needs to switch cells or roam.
Clients perform partial scans at programmed intervals, when missing expected beacons or after excessive transmission retries. In a partial scan, the Client scans Mobility 5181 Access Point’s classified as proximate on the Mobility 5181 Access Point table. For each channel, the Client tests for Clear Channel Assessment (CCA). The Client broadcasts a probe with the ESSID and broadcast BSS_ID when the channel is transmission-free. It sends an ACK to a directed probe response from the Mobility 5181 Access Point and updates the table.
Brocade Mobility 5181 Access Point Product Reference Guide 19 53-1002516-01
Page 34
Theory of operations
1
An Client can roam within a coverage area by switching Mobility 5181 Access Points. Roaming occurs when:
Unassociated Client attempts to associate or reassociate with an available Mobility 5181
Access Point
Supported rate changes or the Client finds a better transmit rate with another Mobility 5181
Access Point
RSSI (received signal strength indicator) of a potential Mobility 5181 Access Point exceeds the
current Mobility 5181 Access Point
Ratio of good-transmitted packets to attempted-transmitted packets falls below a threshold.
An Client selects the best available Mobility 5181 Access Point and adjusts itself to the Mobility 5181 Access Point direct-sequence channel to begin association. Once associated, the Mobility 5181 Access Point begins forwarding frames addressed to the target Client. Each frame contains fields for the current direct-sequence channel. The Client uses these fields to resynchronize to the Mobility 5181 Access Point.
The scanning and association process continues for active Clients. This process allows the Clients to find new Mobility 5181 Access Points and discard out-of-range or deactivated Mobility 5181 Access Points. By testing the airwaves, the Clients can choose the best network connection available.

Operating modes

The Mobility 5181 Access Point can operate in a couple of configurations.
Access Point - As an Access Point, the Mobility 5181 Access Point functions as a layer 2 bridge.
The wired uplink can operate as a trunk and support multiple VLANs. Up to 16 WLANs can be defined and mapped to Mobility 5181 Access Point XX WLANs. Each WLAN can be configured to be broadcast by one or both Mobility 5181 Access Point radios. A Mobility 5181 Access Point can operate in both an Access Point mode and Wireless Gateway/Router mode simultaneously. The network architecture and access point configuration define how the Access Point and Wireless Gateway/Router mode are negotiated.
Wireless Gateway/Router - If operating as a Wireless Gateway/Router, the access point
functions as a router between two layer 2 networks: the WAN uplink (the ethernet port) and the Wireless side. The following options are available providing a solution for single-cell deployment:
PPPoE - The WAN interface can terminate a PPPoE connection, thus enabling the Mobility
5181 Access Point to operate in conjunction with a DSL or Cable modem to provide WAN connectivity.
NAT - (Network Address Translation) on the Wireless interface. Using NAT, the Mobility
5181 Access Point router is able to manage a private IP scheme. NAT allows translation of private addresses to the WAN IP address.
DHCP - On the wireless and LAN side, the Mobility 5181 Access Point can assign private IP
addresses.
Firewall - A Firewall protects against a number of known attacks.
20 Brocade Mobility 5181 Access Point Product Reference Guide
53-1002516-01
Page 35
Theory of operations
1

Management access options

Managing the Mobility 5181 Access Point includes viewing network statistics and setting configuration options. Statistics track the network activity of associated Clients and data transfers on the AP interfaces.
The Mobility 5181 Access Point requires one of the following connection methods to perform a custom installation and manage the network:
Secure Java-Based WEB UI - (use Sun Microsystems’ JRE 1.5 or higher available from Sun’s
Web site and be sure to disable Microsoft’s Java Virtual Machine if installed)
Command Line Interface (CLI) via Serial, Telnet and SSH
Config file - Human-readable; Importable/Exportable via FTP and TFTP
MIB (Management Information Base) accessing the Mobility 5181 Access Point SNMP function
using a MIB Browser. The Mobility 5181 Access Point downloads site contains the following 2 MIB files:
BROCADE-CC-BR51XX-MIB-2.0.mib (standard MIB file)
BROCADE-BR51XX-MIB.mib (Mobility 5181 Access Point Access Point MIB file)
Make configuration changes to Mobility 5181 Access Points individually. Optionally, use the Mobility 5181 Access Point import/export configuration function to download settings to other access points.
For detailed information, see “Importing/exporting configurations” on page 81.

Mobility 5181 Access Point MAC address assignment

The Mobility 5181 Access Point MAC address assignments are as follows:
WAN - The access point MAC address can be found underneath the access point chassis.
LAN1 - WAN MAC address + 1.
LAN2 - A virtual LAN not mapped to the LAN Ethernet port. This address is the lowest of the two
radio MAC addresses.
Radio1 (802.11bg) - Random address located on the Web UI, CLI and SNMP interfaces.
Radio2 (802.11a) - Random address located on the Web UI, CLI and SNMP interfaces.
The access point’s BSS (virtual AP) MAC addresses are calculated as follows:
BSS1 - The same as the corresponding base radio’s MAC address.
BSS2 - Base radio MAC address +1
BSS3 - Base radio MAC address +2
BSS4 - Base radio MAC address +3
Brocade Mobility 5181 Access Point Product Reference Guide 21 53-1002516-01
Page 36
Theory of operations
1
22 Brocade Mobility 5181 Access Point Product Reference Guide
53-1002516-01
Page 37
Chapter

Hardware Installation

In this chapter
Precautions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Mobility 5181 Access Point configurations . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Access point placement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Power options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Power Injector and Power Tap systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Mounting a Mobility 5181 Access Point. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Mobility 5181 Access Point LED indicators . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Setting up clients. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
An access point installation includes mounting the access point, connecting the access point to the network (LAN or WAN port connection), connecting antennae and applying power. Installation procedures vary for different environments.
2
CAUTION
Brocade recommends conducting a radio site survey prior to installing an access point. A site survey is an excellent method of documenting areas of radio interference and providing a tool for device placement.

Precautions

Before installing a Mobility 5181 Access Pointverify the following:
Do not install in wet or dusty areas without additional protection. Contact a Brocade
representative for more information.
Verify the environment has a continuous temperature range between -20° C to 50° C.

Mobility 5181 Access Point configurations

A Mobility 5181 Access Point is only available in a dual-radio configuration. There is one mechanical version of the Mobility 5181 Access Point providing one SKU option (with both 802.11a and 802.11g radios in the access point). The following is the Mobility 5181 Access Point orderable SKU:
Brocade Mobility 5181 Access Point Product Reference Guide 23 53-1002516-01
Page 38
2

Requirements

Part No. Description
BR-AP-5181-13040-WW 1 Mobility 5181 802.11a+g Dual Radio Access Point
1 Mobility 5181 Install Guide 1 WEEE Regulatory Addendum 1 set of cable connectors 3 antenna dust cover 2 connector cover AP67 jack, plus chain_LTW-M9/14-SB
NOTE
To mount the Mobility 5181 Access Point access point to a pole (1.5 - 18 inches in diameter) a Mobility 5181 Access Point Mounting Kit (Part No. BR-KT-5181-WP-01R) can be separately ordered. This kit contains the brackets and accessories required to mount the Mobility 5181 Access Point to a pole or wall.
NOTE
If installing the Mobility 5181 Access Point in an outdoor area prone to high winds and rain, Brocade recommends using the Mobility 5181 Access Point Heavy Weather Kit (Part No. BR-KT-5181-HW-01R). This kit shields a Product Name from wind and rain damage resulting from driving rain.
NOTE
Brocade recommends using the Mobility 5181 Access Point Power Tap (Part No. BR-APPSBIAS518101R), designed specifically for outdoor deployments.
Requirements
The minimum installation requirements for a single-cell, peer-to-peer network
A Mobility 5181 Access Point
Power Tap (Part No. BR-APPSBIAS518101R)
A power outlet
Dual-Band Antennae.
NOTE
A Mobility 5181 Access Point optimally uses 2 antennae for the single-radio model and 4 antenna for the dual-radio model. The Mobility 5181 Access Point uses an antenna suite designed primarily for outdoor usage. For more information, see “Antenna specifications” on page 396.

Access point placement

For optimal performance, install the access point (regardless of model) away from transformers, heavy-duty motors, fluorescent lights, microwave ovens, refrigerators and other industrial equipment. Signal loss can occur when metal, concrete, walls or floors block transmission. Install the access point in open areas or add access points as needed to improve coverage.
24 Brocade Mobility 5181 Access Point Product Reference Guide
53-1002516-01
Page 39
Access point placement
Antenna coverage is analogous to lighting. Users might find an area lit from far away to be not bright enough. An area lit sharply might minimize coverage and create dark areas. Uniform antenna placement in an area (like even placement of a light bulb) provides even, efficient coverage.
Place the access point using the following guidelines:
2
Install the access point at an ideal height of 10 feet from the ground.
Orient the access point antennae vertically for best reception.
Point the access point antenna(s) downward if attaching to the ceiling.
To maximize the access point’s radio coverage area, Brocade recommends conducting a site survey to define and document radio interference obstacles before installing the access point.

Site surveys

A site survey analyzes the installation environment and provides users with recommendations for equipment and placement. The optimum placement of 802.11a access points differs from
802.11b/g access points, because the locations and number of access points required are different to support the radio coverage area.
Brocade recommends conducting a new site survey and developing a new coverage area floor plan when switching from 2 or 11Mbps access points to 54Mbps access points (the Mobility 5181 Access Point), as the device placement requirements are significantly different.

Antenna options

Both Radio 1 and Radio 2 require one antenna and can optimally use two antennae per radio (4 antennae total). Antenna connectors for Radio 1 are located in a different location from the Radio 2 antenna connectors. Two antennae per radio provides diversity that can improve performance and signal reception. Brocade supports two antenna suites for the Mobility 5181 Access Point. One antenna suite supporting the 2.4 GHz band and another antenna suite supporting the 5 GHz band. Select an antenna model best suited to the intended operational environment of your Mobility 5181 Access Point.
Refer to the following for the antenna options available to a Mobility 5181 Access Point:
The Mobility 5181 Access Point 2.4 GHz antenna suite includes the following models:
Part Number Antenna Type Nominal Net Gain (dBi) Description
ML-2499-FHPA5-01R Omni-Directional Antenna 5.0 2.4 GHz,
Type N connector, no pigtail
ML-2499-FHPA9-01R Omni-Directional Antenna 9.0 2.4 GHz,
Type N connector, no pigtail
ML-2452-PNA7-01R Panel Antenna (Dual-Band) 8.0 2.4 - 2.5/4.9 - 5.99 GHz,
66 deg/60 deg Type N connector, with pigtail
ML-2452-PNA5-01R Sector Antenna (Dual-Band) 6.0 2.3 - 2.4/4.9 - 5.9 GHz,
120 deg Sector Type N connector, with pigtail
Brocade Mobility 5181 Access Point Product Reference Guide 25 53-1002516-01
Page 40

Power options

2
The Mobility 5181 Access Point 5 GHz antenna suite includes the following models:
Part Number Antenna Type Nominal Net Gain (dBi) Description
ML-5299-FHPA6-01R Omni-Directional Antenna 7.0 4.900-5.850 GHz,
ML-5299-FHPA10-01R Omni-Directional Antenna 10.0 5.8 GHz,
Power options
The power options for the include:
Type N connector, no pigtail
Type N connector, no pigtail
CAUTION
Brocade recommends the AP-PSBIAS-5181-01R Power Tap for Mobility 5181 Access Point and its intended outdoor deployment.
Power Injector (Part No. AP-PSBIAS-1P2-AFR)
Power Tap (Part No. AP-PSBIAS-5181-01R)
Any 802.3af midspan device.

Power Injector and Power Tap systems

A Mobility 5181 Access Point can receive power via an Ethernet cable connected to the access point’s LAN port. When users purchase a WLAN solution, they often need to place access points in obscure locations. In the past, a dedicated power source was required for each access point in addition to the Ethernet infrastructure. This often required an electrical contractor to install power drops at each access point location.
The Power Injector and Power Tap solution merges power and Ethernet into one cable, reducing the burden of installation and allow optimal access point placement in respect to the intended radio coverage area.
Both the Power Injector and Power Tap is an integrated AC-DC converter requiring 110-220 VAC power to combine low-voltage DC with Ethernet data in a single cable connecting to the access point. The access point can only use a Power Tap when connecting the unit to the access point’s LAN port. The Mobility 5181 Access Point Power Tap (Part No. BR-APPSBIAS518101R) is ordered separately and is intended for Mobility 5181 Access Point outdoor deployments.
NOTE
Brocade recommends using the Mobility 5181 Access Point Power Tap (Part No. BR-APPSBIAS518101R) designed especially for outdoor deployments.
A separate Power Injector or Power Tap is required for each access point comprising the network.
26 Brocade Mobility 5181 Access Point Product Reference Guide
53-1002516-01
Page 41
Power Injector and Power Tap systems
2

Installing the Power Tap

Refer to the following sections for information on planning, installing, and validating the installation:
Preparing for site installation
Cabling the Power Injector or Power Tap
Preparing for site installation
The Power Injector or Power Tap can be installed free standing, on an even horizontal surface or wall mounted using the unit’s wall mounting key holes. The following guidelines should be adhered to before cabling the Power Injector or Power Tap to an Ethernet source and an access point:
Do not block or cover airflow to the Power Injector or Power Tap.
Keep the unit away from excessive heat, humidity, vibration and dust.
The Power Injector or Power Tap is not a repeater, and does not amplify the Ethernet data
signal. For optimal performance, ensure the unit is placed as close as possible to the network data port.
Cabling the Power Injector or Power Tap
To install a Power Injector or Power Tap to an Ethernet data source and access point:
CAUTION
For Power Tap installations, an electrician is required to open the Power Tap unit, feed the power cable through the Line AC connector, secure the power cable to the unit’s three screw termination block and tighten the unit’s Line AC clamp (by hand) to ensure the power cable cannot be pulled from the Power Tap enclosure. Only a certified electrician should conduct the installation.
CAUTION
Ensure AC power is supplied to the Power Injector or Power Tap using an AC cable with an appropriate ground connection approved for the country of operation.
1. Connect an RJ-45 Ethernet cable between the network data supply (host) and the Power Injector’s Data In or Power Tap’s DATA IN connector.
2. Connect an RJ-45 Ethernet cable between the Power Injector’s Data & Power Out connector or the Power Tap’s DATA/PWR OUT connector and the access point’s LAN port.
CAUTION
Cabling the Power Injector to the access point’s WAN port renders the access point non operational. Only use a Power Injector with the access point’s LAN port.
Brocade Mobility 5181 Access Point Product Reference Guide 27 53-1002516-01
Page 42

Mounting a Mobility 5181 Access Point

2
Ensure the cable length from the Ethernet source (host) to the Power Tap (or Power Injector) and access point does not exceed 100 meters (333 ft). Neither the Power Tap or Power Injector has an On/Off switch. Each receives power as soon as AC power is applied.
3. For Power Tap installations, have a certified electrician open the Power Tap enclosure, feed the power cable through the unit’s LINE AC connector, secure the power cable to the unit’s three screw termination block and tighten the unit’s LINE AC clamp (by hand) to ensure the power cable cannot be pulled from the unit and is protected from the elements.
4. For Power Tap installations, attach a ground cable between the EARTH GROUND connector (on the back of the unit) to a suitable earth ground connection as defined by your local electrical code.
5. Verify all cable connections are complete before supplying power to the access point.
Power Injector LED Indicators
NOTE
The Mobility 5181 Access Point Power Tap (Part No. AP-PSBIAS-5181-01R) does not have LED indicators.
The Power Injector demonstrates the following LED behavior under normal and/or problematic operating conditions:
LED AC (Main) Port
Green (Steady) Power Injector is receiving power from an
AC outlet.
Green (Blinking) Output voltage source is out of range. The Power Injector is overloaded or
Mounting a Mobility 5181 Access Point
The Mobility 5181 Access Point can be connected to a pole or attach to a wall. Choose one of the following mounting options based on the physical environment of the coverage area. Do not mount the Mobility 5181 Access Point in a location that has not been approved in a site survey.
Refer to the following, depending on how you intend to mount the Mobility 5181 Access Point:
Mobility 5181 Access Point pole mounted installations
Mobility 5181 Access Point wall mounted installations

Mobility 5181 Access Point pole mounted installations

Complete the following steps to mount the Mobility 5181 Access Point to a (1.5 to 18 inch diameter) steel pole or tube (using the mounting bracket):
Indicates a device is connected to the Power Injector’s outgoing Data & Power cable.
has a short circuit.
28 Brocade Mobility 5181 Access Point Product Reference Guide
53-1002516-01
Page 43
Mounting a Mobility 5181 Access Point
2
1. Fit the edges of the V-shaped clamp parts into the slots on the flat side of the rectangular plate.
2. Place the V-shaped bracket clamp parts around the pole and tighten the nuts just enough to hold the bracket to the pole. (The bracket may need to be rotated around the pole during the antenna alignment process).
Fit the edges of the V-shaped part into the slots
Tighten the securing bolts
3. Attach the square mounting plate to the bridge with the supplied screws.
Attach the square
plate to the bridge
4. Attach the Mobility 5181 Access Point and mounting plate to the bracket already fixed to the pole.
5. Secure the Mobility 5181 Access Point to the pole bracket using the provided nuts.
NOTE
The Mobility 5181 Access Point tilt angle may need to be adjusted during the antenna alignment process. Verify the antenna polarization angle when installing, ensure the antennas are oriented correctly in respect to the Mobility 5181 Access Point's coverage area.
6. Attach the radio antenna to their correct connectors.
7. Cable the Mobility 5181 Access Point using either the Mobility 5181 Access Point Power Tap (Part No. BR-APPSBIAS518101R).
Brocade Mobility 5181 Access Point Product Reference Guide 29 53-1002516-01
Page 44
Mounting a Mobility 5181 Access Point
2
NOTE
The access point must be mounted with the RJ45 cable connectors oriented upwards to ensure proper operation.
CAUTION
Do not supply power to the Mobility 5181 Access Point Power Tap until the cabling of the access point is complete.
CAUTION
For Power Tap installations, an electrician is required to open the Power Tap unit, feed the power cable through the Line AC connector, secure the power cable to the unit’s three screw termination block and tighten the unit’s Line AC clamp (by hand) to ensure the power cable cannot be pulled from the Power Tap enclosure. Only a certified electrician should conduct the installation.
a. Connect a RJ-45 Ethernet cable between the network data supply (host) and the Power
Tap ’s DATA IN connector or the Power Injector’s Data In connector.
b. Connect a RJ-45 Ethernet cable between the Power Tap’s DATA/PWR OUT connector or the
Power Injector’s Data & Power Out connector and the Mobility 5181 Access Point LAN port.
c. For Power Tap installations, have a certified electrician open the Power Tap enclosure,
feed the power cable through the unit’s LINE AC connector, secure the power cable to the unit’s three screw termination block and tighten the unit’s LINE AC clamp (by hand) to ensure the power cable cannot be pulled from the unit.
d. For Power Tap installations, attach a ground cable between the EARTH GROUND connector
(on the back of the unit) to a suitable earth ground connection as defined by your local electrical code.
e. Ensure the cable length from the Ethernet source (host) to the Power Tap (or Power
Injector) and Mobility 5181 Access Point does not exceed 100 meters (333 ft). Neither the Power Tap or Power Injector has an On/Off power switch. It receives power as soon as AC power is applied. For more information, see “Power options” on page 26.
8. Use the supplied cable connector to cover the Mobility 5181 Access Point’s Console, LAN/PoE and WAN connectors.
9. Once power has been applied, Verify the behavior of the Mobility 5181 Access Point LEDs. For more information, see “Mobility 5181 Access Point LED indicators” on page 33.
The Mobility 5181 Access Point is ready to configure. For information on a Mobility 5181 Access Point default configuration, see “Getting Started” on page 35.
NOTE
If installing the Mobility 5181 Access Point in an outdoor area prone to high winds and rain, Brocade recommends using the Mobility 5181 Access Point Heavy Weather Kit (Part No. BR-KT-5181-HW-01R). This kit shields a Mobility 5181 Access Point from high winds and water damage as a result of driving rain.
30 Brocade Mobility 5181 Access Point Product Reference Guide
53-1002516-01
Page 45
Mounting a Mobility 5181 Access Point
2

Mobility 5181 Access Point wall mounted installations

Complete the following steps to mount the Mobility 5181 Access Point to a wall using the supplied wall-mounting bracket:
1. Attach the bracket to a wall with flat side flush against the wall (see the illustration below). Position the bracket in the intended location and mark the positions of the four mounting screw holes.
2. Drill four holes in the wall that match the screws and wall plugs.
3. Secure the bracket to the wall.
4. Attach the square mounting plate to the bridge with the supplied screws. Attach the bridge to the plate on the pole.
5. Use the included nuts to tightly secure the wireless bridge to the bracket. Fit the edges of the V-shaped clamp into the slots on the flat side of the rectangular plate.
6. Attach the radio antenna to their correct connectors.
7. Cable the Mobility 5181 Access Point using either the Mobility 5181 Access Point Power Tap (Part No. BR-APPSBIAS518101R).
NOTE
Once ready for the final positioning of the access point, ensure the RJ45 cable connectors are oriented upwards to ensure proper operation.
Brocade Mobility 5181 Access Point Product Reference Guide 31 53-1002516-01
Page 46
Mounting a Mobility 5181 Access Point
2
CAUTION
Do not supply power to the Mobility 5181 Access Point Power Tap until the cabling of the access point is complete.
CAUTION
For Power Tap installations, an electrician is required to open the Power Tap unit, feed the power cable through the Line AC connector, secure the power cable to the unit’s three screw termination block and tighten the unit’s Line AC clamp (by hand) to ensure the power cable cannot be pulled from the Power Tap enclosure. Only a certified electrician should conduct the installation.
a. Connect a RJ-45 Ethernet cable between the network data supply (host) and the Power
Tap ’s DATA IN connector or the Power Injector’s Data In connector.
b. Connect a RJ-45 Ethernet cable between the Power Tap’s DATA/PWR OUT connector or the
Power Injector’s Data & Power Out connector and the Mobility 5181 Access Point LAN port.
c. For Power Tap installations, have a certified electrician open the Power Tap enclosure,
feed the power cable through the unit’s LINE AC connector, secure the power cable to the unit’s three screw termination block and tighten the unit’s LINE AC clamp (by hand) to ensure the power cable cannot be pulled from the unit.
d. For Power Tap installations, attach a ground cable between the EARTH GROUND connector
(on the back of the unit) to a suitable earth ground connection as defined by your local electrical code.
e. Ensure the cable length from the Ethernet source (host) to the Power Tap (Power Injector)
and Mobility 5181 Access Point does not exceed 100 meters (333 ft). Neither the Power Tap or Power Injector has an On/Off power switch. It receives power as soon as AC power is applied. For more information on using the see, “Power options” on page 26.
8. Use the supplied cable connector to cover the Mobility 5181 Access Point’s Console, LAN/PoE and WAN connectors.
9. Once power has been applied, Verify the behavior of the Mobility 5181 Access Point LEDs. For more information, see “Mobility 5181 Access Point LED indicators” on page 33.
The Mobility 5181 Access Point is ready to configure. For information on a Mobility 5181 Access Point default configuration, see “Getting Started” on page 35.
NOTE
If installing the Mobility 5181 Access Point in an outdoor area prone to high winds and rain, Brocade recommends using the Mobility 5181 Access Point Heavy Weather Kit (Part No. BR-KT-5181-HW-01R). This kit shields a Mobility 5181 Access Point from high winds and water damage as a result of driving rain.
32 Brocade Mobility 5181 Access Point Product Reference Guide
53-1002516-01
Page 47

Mobility 5181 Access Point LED indicators

Mobility 5181 Access Point LED indicators
The Mobility 5181 Access Point utilizes four LED indicators. Five LEDs display within four LED slots on the back of the access point. The five LEDs have the following display and functionality:
2
Power and error conditions (split LED) Data over Ethernet
802.11a radio activity
802.11b/g radio activity
Power Status Solid white indicates the access point is adequately powered.
Error Conditions Solid red indicates the access point is experiencing a problem condition requiring
Ethernet Activity Flashing white indicates data transfers and Ethernet activity.
802.11a Radio Activity Flickering amber indicates beacons and data transfers over the access point
802.11b/g Radio Activity Flickering green indicates beacons and data transfers over the access point

Setting up clients

For a discussion of how to initially test the access point to ensure it can interoperate with the Clients intended for its operational environment, see “Basic device configuration” on page 37 and specifically “Testing connectivity” on page 44.
Refer to the LA-5030 & LA-5033 Wireless Networker PC Card and PCI Adapter Users Guide, available from the Brocade Web site, for installing drivers and client software if operating in an
802.11a/g network environment.
sym_025
immediate attention.
802.11a radio.
802.11b/g radio.
Brocade Mobility 5181 Access Point Product Reference Guide 33 53-1002516-01
Page 48
Setting up clients
2
Refer to the Spectrum24 LA-4121 PC Card, LA-4123 PCI Adapter & LA-4137 Wireless Networker User Guide, available from the Brocade Web site, for installing drivers and client software if operating in an 802.11b network environment.
Use the default values for the ESSID and other configuration parameters until the network connection is verified. Clients attach to the network and interact with the AP transparently.
34 Brocade Mobility 5181 Access Point Product Reference Guide
53-1002516-01
Page 49
Chapter

Getting Started

In this chapter
Installing the Access Point . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Configuration options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Initially connecting to the Access Point . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Basic device configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
The Mobility 5181 Access Point should be installed in an area tested for radio coverage using one of the site survey tools available to the field service technician. Once an installation site has been identified, the installer should carefully follow the hardware precautions, requirements, mounting guidelines and power options outlined in Hardware Installation.

Installing the Access Point

Make the required cable and power connections before mounting the access point in its final operating position. Test the access point with an associated Client before mounting and securing the access point. Carefully follow the mounting instructions in one of the following sections to ensure the access point is installed correctly:
3
For installing a Mobility 5181 Access Point on a pole, see “Mobility 5181 Access Point pole
mounted installations” on page 28.
For instructions on installing the Mobility 5181 Access Point to a wall, see “Mobility 5181
Access Point wall mounted installations” on page 31.
For information on the 802.11a and 802.11b/g radio antenna suite available to the Mobility 5181 Access Point, see “Antenna options” on page 25. For more information on using a Power Tap to combine Ethernet and power in one cable to a Product Name model access point, see “Power
options” on page 26. To verify the behavior of the Product Name LEDs once installed, see “Mobility 5181 Access Point LED indicators” on page 33.

Configuration options

Once installed and powered, a Mobility 5181 Access Point can be configured using one of several connection techniques. Managing the Mobility 5181 Access Point includes viewing network statistics and setting configuration options. The Mobility 5181 Access Point requires one of the following connection methods to manage the network:
Secure Java-Based WEB UI - (use Sun Microsystems’ JRE 1.5 or higher available from Sun’s
Web site. Disable Microsoft’s Java Virtual Machine if installed). For information on using the Web UI to set Mobility 5181 Access Point default configuration, see “Basic device
configuration” on page 37 or chapters 4 through 7 of this guide.
Brocade Mobility 5181 Access Point Product Reference Guide 35 53-1002516-01
Page 50

Initially connecting to the Access Point

3
Command Line Interface (CLI) via Serial, Telnet and SSH. The access point CLI is accessed
through the RS232 port, via Telnet or SSH. The CLI follows the same configuration conventions as the device user interface with a few documented exceptions. For details on using the CLI to manage the access point, see “CLI Reference” on page 199.
Config file - Readable text file; Importable/Exportable via FTP, TFTP and HTTP. Configuration
settings for an access point can be downloaded from the current configuration of another access point meeting the import/export requirements. For information on importing or exporting configuration files, see “Importing/exporting configurations” on page 81.
MIB (Management Information Base) accessing the Mobility 5181 Access Point SNMP
functions using a MIB Browser. The access point download package contains the following 2 MIB files:
BROCADE-CC-BR51XX-MIB-2.0.mib (standard MIB file)
BROCADE-BR51XX-MIB.mib
Initially connecting to the Access Point
NOTE
The procedures described below assume this is the first time you are connecting to a Mobility 5181 Access Point model access point.

Connecting to the Access Point using the WAN port

To initially connect to the access point using the access point’s WAN port:
1. Connect AC power to the access point, as Power-Over-Ether support is not available on the access point’s WAN port.
2. Start a browser and enter the access point’s static IP WAN address (10.1.1.1). The default password is “admin123.”
3. Refer to “Basic device configuration” on page 37 for instructions on the initial (basic) configuration of the access point.

Connecting to the Access Point using the LAN port

To initially connect to the access point using the access point’s LAN port:
1. The LAN port default is set to DHCP. Connect the access point’s LAN port to a DHCP server.
The access point will receive its IP address automatically.
2. To view the IP address, connect one end of a null modem serial cable to the access point and the other end to the serial port of a computer running HyperTerminal or similar emulation program.
NOTE
An RJ-45 to Serial cable is required to make the connection.
3. Configure the following settings:
Baud Rate - 19200
36 Brocade Mobility 5181 Access Point Product Reference Guide
53-1002516-01
Page 51

Basic device configuration

Data Bits - 8
Stop Bits - 1
No Parity
No Flow Control
4. Press <ESC> or <Enter> to access the access point CLI.
5. Enter the default username of “admin” and the default password of “admin123.”
As this is the first time you are logging into the access point, you are prompted to enter a new password and set the county code. Refer to “Country codes” on page 397 for a list of each available countries two digit country code.
6. At the CLI prompt (admin>), type “summary.”
The access point’s LAN IP address will display.
7. Using a Web browser, use the access point’s IP address to access the access point.
8. Refer to “Basic device configuration” on page 37 for instructions on the initial (basic) configuration of the access point.
3
Basic device configuration
For the basic setup described in this section, the Java-based Web UI will be used to configure the access point. Use the access point’s LAN interface for establishing a link with the access point. Configure the access point as a DHCP client. For optimal screen resolution, set your screen resolution to 1024 x 768 pixels or greater.
1. Log in using admin as the default Username and admin123 as the default Password. Use your new password if it has been updated from default.
NOTE
For optimum compatibility, use Sun Microsystems’ JRE 1.5 or higher (available from Sun’s Website), and be sure to disable Microsoft’s Java Virtual Machine if installed.
2. If the default login is successful, the Change Admin Password window displays. Change the password.
Brocade Mobility 5181 Access Point Product Reference Guide 37 53-1002516-01
Page 52
Basic device configuration
3
Enter the current password and a new admin password in fields provided. Click Apply. Once the admin password has been updated, a warning message displays stating the access point must be set to a country.
The export function will always expor t the encrypted Admin User password. The import function will import the Admin Password only if the access point is set to factory default. If the access point is not configured to factory default settings, the Admin User password WILL NOT get imported.
NOTE
Though the Mobility 5181 Access Point can have its basic settings defined using a number of different screens, Brocade recommends using the Mobility 5181 Access Point Quick Setup screen to set the correct country of operation and define its minimum required configuration from one convenient location.

Configuring device settings

Configure a set of minimum required device settings within the Quick Setup screen. The values defined within the Quick Setup screen are also configurable in numerous other locations within the menu tree. When you change the settings in the Quick Setup screen, the values also change within the screen where these parameters also exist. Additionally, if the values are updated in these other screens, the values initially set within the Quick Setup screen will be updated.
To define a basic access point configuration:
1. Select System Configuration -> Quick Setup from the menu tree, if the Quick Setup screen is not already displayed.
2. Enter a System Name for the Mobility 5181 Access Point.
38 Brocade Mobility 5181 Access Point Product Reference Guide
53-1002516-01
Page 53
Basic device configuration
3
The System Name is useful if multiple devices are being administered.
3. Select the Country for the Mobility 5181 Access Point’s country of operation from the drop-down menu
The access point prompts the user for the correct country code on the first login. A warning message also displays stating that an incorrect country settings may result in illegal radio operation. Selecting the correct country is central to legally operating the access point. Each country has its own regulatory restrictions concerning electromagnetic emissions and the maximum RF signal strength that can be transmitted. To ensure compliance with national and local laws, be sure to set the country accurately. CLI and MIB users cannot configure their access point until a two character country code (for example, United States - us) is set. Refer to
“Country codes” on page 397 for the two character country codes.
NOTE
The System Name and Country are also configurable within the System Settings screen. Refer to “Configuring system settings” on page 45 (if necessary) to set a system location and admin email address for the Mobility 5181 Access Point or to view other default settings.
4. Optionally enter the IP address of the server used to provide system time to the Mobility 5181 Access Point within the Time Server field.
Brocade Mobility 5181 Access Point Product Reference Guide 39 53-1002516-01
Page 54
Basic device configuration
3
NOTE
DNS names are not supported as a valid IP address. The user is required to enter a numerical IP address.
Once the IP address is entered, the Mobility 5181 Access Point’s Network Time Protocol (NTP) functionality is engaged automatically. Refer to the Mobility 5181 Access Point Product Reference Guide for information on defining alternate time servers and setting a synchronization interval for the Mobility 5181 Access Point to adjust its displayed time. Refer to
“Configuring Network Time Protocol (NTP)” on page 76 (if necessary) for information on setting
alternate time servers and setting a synchronization interval for the Mobility 5181 Access Point to adjust its displayed time.
5. Click the WAN tab to set a minimum set of parameters for using the WAN interface.
a. Select the Enable WAN Interface check box to enable a connection between the Mobility
5181 Access Point and a larger network or outside world through the WAN port. Disable this option to effectively isolate the Mobility 5181 Access Point’s WAN connection. No connections to a larger network or the Internet will be possible. Clients cannot communicate beyond the configured subnets.
b. Select the This Interface is a DHCP Client check box to enable DHCP for the Mobility 5181
Access Point’s WAN connection. This is useful, if the larger corporate network or Internet Service Provider (ISP) uses DHCP. DHCP is a protocol that includes mechanisms for IP address allocation and delivery of host-specific configuration parameters from a DHCP server to a host. Some of these parameters are IP address, network mask, and gateway.
NOTE
Brocade recommends that the WAN and LAN ports should not both be configured as DHCP clients.
c. Specify an IP address for the Mobility 5181 Access Point’s WAN connection. An IP address
uses a series of four numbers expressed in dot notation, for example, 190.188.12.1 (no DNS names supported).
d. Specify a Subnet Mask for the Mobility 5181 Access Point’s WAN connection. This number
is available from the ISP for a DSL or cable-modem connection, or from an administrator if the Mobility 5181 Access Point connects to a larger network. A subnet mask uses a series of four numbers expressed in dot notation. For example, 255.255.255.0 is a valid subnet mask.
e. Define a Default Gateway address for the Mobility 5181 Access Point’s WAN connection.
The ISP or a network administrator provides this address.
f. Specify the address of a Primary DNS Server. The ISP or a network administrator provides
this address.
6. Optionally, use the Enable PPP over Ethernet check box to enable Point-to-Point over Ethernet (PPPoE) for a high-speed connection that supports this protocol. Most DSL providers are currently using or deploying this protocol. PPPoE is a data-link protocol for dialup connections. PPPoE will allow the access point to use a broadband modem (DSL, cable modem, etc.) for access to high-speed data networks.
40 Brocade Mobility 5181 Access Point Product Reference Guide
53-1002516-01
Page 55
Basic device configuration
a. Select the Keep Alive check box to enable occasional communications over the WAN port
even when client communications to the WAN are idle. Some ISPs terminate inactive connections, while others do not. In either case, enabling Keep-Alive maintains the WAN connection, even when there is no traffic. If the ISP drops the connection after the idle time, the Mobility 5181 Access Point automatically reestablishes the connection to the ISP.
b. Specify the Username entered when connecting to the ISP. When the Internet session
begins, the ISP authenticates the username.
c. Specify the Password entered when connecting to the ISP. When the Internet session
starts, the ISP authenticates the password.
For additional Mobility 5181 Access Point WAN port configuration options, see “Configuring
WAN settings” on page 101.
7. Cl ic k t h e LAN tab to set a minimum set of parameters to use the Mobility 5181 Access Point LAN interface.
a. Select the Enable LAN Interface check box to forward data traffic over the Mobility 5181
Access Point’s LAN connection. The LAN connection is enabled by default.
b. Use the This Interface drop-down menu to specify how network address information is
defined over the Mobility 5181 Access Point’s LAN connection. Select DHCP Client if the larger corporate network uses DHCP. DHCP is a protocol that includes mechanisms for IP address allocation and delivery of host-specific configuration parameters from a DHCP server to a host. Some of these parameters are IP address, network mask, and gateway. Select DHCP Server to use the Mobility 5181 Access Point as a DHCP server over the LAN connection. Select the Bootp client option to enable a diskless system to discover its own IP address.
3
NOTE
Brocade recommends that the WAN and LAN ports should not both be configured as DHCP clients.
c. If using the static or DHCP Server option, enter the network-assigned IP Address of the
Mobility 5181 Access Point.
NOTE
DNS names are not supported as a valid IP address for the Mobility 5181 Access Point. The user is required to enter a numerical IP address.
d. The Subnet Mask defines the size of the subnet. The first two sets of numbers specify the
network domain, the next set specifies the subset of hosts within a larger network. These values help divide a network into subnetworks and simplify routing and data transmission.
e. If using the static or DHCP Server option, enter a Default Gateway to define the numerical
IP address of a router the Mobility 5181 Access Point uses on the Ethernet as its default gateway.
f. If using the static or DHCP Server option, enter the Primary DNS Server numerical IP
address.
g. If using the DHCP Server option, use the Address Assignment Range parameter to specify
a range of IP address reserved for mapping clients to IP addresses. If a manually (static) mapped IP address is within the IP address range specified, that IP address could still be assigned to another client. To avoid this, ensure all statically mapped IP addresses are outside of the IP address range assigned to the DHCP server.
Brocade Mobility 5181 Access Point Product Reference Guide 41 53-1002516-01
Page 56
Basic device configuration
3
For additional Mobility 5181 Access Point LAN port configuration options, see “Configuring the
LAN interface” on page 93.
8. Enable the radio(s) using the Enable checkbox(es) within the Radio Configuration field. If using a single radio access point, enable the radio, then select either 2.4 GHz or 5 GHz from the RF Band of Operation field. Only one RF band option at a time is permissible in a single-radio model. If using a dual-radio model, the user can enable both RF bands. For additional radio configuration options, see “Configuring the 802.11a or 802.11b/g radio” on page 121.
9. Select the WLAN #1 tab (WLANs 1 - 4 are available within the Quick Setup screen) to define its ESSID and security scheme for basic operation.
NOTE
A maximum of 16 WLANs are configurable within the Wireless Configuration screen. The limitation of 16 WLANs exists regardless of whether the access point is a single or dual-radio model.
a. Enter the Extended Services Set Identification (ESSID) and name associated with the
WLAN. For additional information on creating and editing up to 16 WLANs per Mobility 5181 Access Point, see “Creating/editing individual WLANs” on page 107.
b. Use the Available On check boxes to define whether the target WLAN is operating over the
802.11a or 802.11b/g radio. Ensure the radio selected has been enabled (see step 8).
c. Even an access point configured with minimal values must protect its data against theft
and corruption. A security policy should be configured for WLAN1 as part of the basic configuration outlined in this guide. A security policy can be configured for the WLAN from within the Quick Setup screen. Policies can be defined over time and saved to be used as needed as security requirements change. Brocade recommends you familiarize yourself with the security options available on the access point before defining a security policy. Refer to “Configuring WLAN security settings” on page 42.
10. Click Apply to save any changes to the Mobility 5181 Access Point Quick Setup screen. Navigating away from the screen without clicking Apply results in all changes to the screens being lost.
11. Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on the Mobility 5181 Access Point Quick Setup screen to the last saved configuration.
Configuring WLAN security settings
To configure a basic security policy for a WLAN:
1. From the Mobility 5181 Access Point Quick Setup screen, click the Create button to the right of the Security Policy item.
The New Security Policy screen displays with the Manually Pre-shared key/No authentication and No Encryption options selected. Naming and saving such a policy (as is) would provide no security and might only make sense in a guest network wherein no sensitive data is either transmitted or received. Consequently, at a minimum, a basic security scheme (in this case WEP 128) is recommended in a network environment wherein sensitive data is transmitted.
NOTE
For information on configuring the other encryption and authentication options available to the Mobility 5181 Access Point, see “Configuring security options” on page 132.
42 Brocade Mobility 5181 Access Point Product Reference Guide
53-1002516-01
Page 57
Basic device configuration
3
2. Ensure the Name of the security policy entered suits the intended configuration or function of the policy.
Multiple WLANs can share the same security policy, so be careful not to name security policies after specific WLANs or risk defining a WLAN to single policy. Brocade recommends naming the policy after the attributes of the authentication or encryption type selected.
3. Select the WEP 128 (104 bit key) check box.
The WEP 128 Settings field displays within the New Security Policy screen.
4. Configure the WEP 128 Settings field as required to define the Pass Key used to generate the WEP keys
Pass Key
Keys #1-4
.
Specify a 4 to 32 character pass key and click the Generate button. The access point, other proprietary routers and Clients use the same algorithm to convert an ASCII string to the same hexadecimal number. Non-Brocade clients and devices need to enter WEP keys manually as hexadecimal numbers. The access point and its target client(s) must use the same pass key to interoperate.
Use the Key #1-4 fields to specify key numbers. The key can be either a hexidecimal or ASCII depending on which option is selected from the drop-down menu. For WEP 64 (40-bit key), the keys are 10 hexadecimal characters in length or 5 ASCII characters. For WEP 128 (104-bit key), the keys are 26 hexadecimal characters in length or 13 ASCII characters. Select one of these keys for activation by clicking its radio button. The access point and its target client(s) must use the same key to interoperate.
5. Click the Apply button to save the security policy and return to the Mobility 5181 Access Point Quick Setup screen.
At this point, you can test the Mobility 5181 Access Point for Client interoperability.
Brocade Mobility 5181 Access Point Product Reference Guide 43 53-1002516-01
Page 58
Basic device configuration
3

Testing connectivity

Verify the access point’s link with an Client by sending Wireless Network Management Protocol (WNMP) ping packets to the associated Client. Use the Echo Test screen to specify a target Client and configure the parameters of the test. The WNMP ping test only works with Brocade Clients. Only use a Brocade Client to test access point connectivity using WNMP.
NOTE
Before testing for connectivity, the target Client needs to be set to the same ESSID as the access point. Since WEP 128 has been configured for the access point, the Client also needs to be configured for WEP 128 and use the same WEP keys. Ensure the Client is associated with the access point before testing for connectivity.
To ping a specific Client to assess its connection with an access point:
1. Select Status and Statistics -> Client Stats from the menu tree.
2. Select the Echo Test button from within the Client Stats Summary screen.
3. Define the following parameters for the test.
Station Address
Number of pings
Packet Length
4. Click the Ping button to begin transmitting packets to the specified Client address.
Refer to the Number of Responses value to assess the number of responses from the Client versus the number of ping packets transmitted by the access point. Use the ratio of packets sent versus the number of packets received the link quality between the Client and the access point.
Click the OK button to exit the Echo Test screen and return to the Client Stats Summary screen.
The station address is the IP address of the target Client. Refer to the Client Stats Summary screen for associated Client IP address information.
Defines the number of packets to be transmitted to the Client. The default is
100.
Specifies the length of each packet transmitted to the Client during the test. The default length is 100 bytes.

Where to go from here?

Once basic connectivity has been verified, the Mobility 5181 Access Point can be fully configured to meet the needs of the network and the users it supports. Refer to the following:
For detailed information on Mobility 5181 Access Point device access, SNMP settings, network
time, importing/exporting device configurations and device firmware updates, see “System
Configuration” on page 45.
For detailed information on configuring Mobility 5181 Access Point LAN interface (subnet) and
WAN interface see, “Network Management” on page 93.
For detailed information on configuring specific encryption and authentication security
schemes for individual Mobility 5181 Access Point WLANs, see “Configuring Access Point
Security” on page 131.
To view detailed statistics on the Mobility 5181 Access Point and its associated Clients, see
“Monitoring Statistics” on page 177.
44 Brocade Mobility 5181 Access Point Product Reference Guide
53-1002516-01
Page 59
Chapter

System Configuration

In this chapter
Configuring system settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Adaptive AP setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Configuring data access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Managing Certificate Authority (CA) certificates . . . . . . . . . . . . . . . . . . . . . . 56
Configuring SNMP settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Configuring Network Time Protocol (NTP) . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Logging configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Importing/exporting configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Updating device firmware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
The access point contains a built-in browser interface for system configuration and remote management using a standard Web browser such as Microsoft Internet Explorer, Netscape Navigator or Mozilla Firefox (version 0.8 or higher is recommended). The browser interface also allows for system monitoring of the access point.
4
Web management of the Mobility 5181 Access Point requires either Microsoft Internet Explorer 5.0 or later or Netscape Navigator 6.0 or later.
NOTE
For optimum compatibility, use Sun Microsystems’ JRE 1.5 or higher (available from Sun’s Web site), and be sure to disable Microsoft’s Java Virtual Machine if installed.
To connect to the access point, an IP address is required. If connected to the access point using the WAN port, the default static IP address is 10.1.1.1. The default password is “admin123.” If connected to the access point using the LAN port, the default setting is DHCP client. The user is required to know the IP address to connect to the access point using a Web browser.

Configuring system settings

Use the System Settings screen to specify the name and location of the Mobility 5181, assign an email address for the network administrator, restore the AP’s default configuration or restart the AP.
To configure System Settings for the Mobility 5181:
Brocade Mobility 5181 Access Point Product Reference Guide 45 53-1002516-01
Page 60
Configuring system settings
4
1. Select System Configuration -> System Settings from the Mobility 5181 Access Point menu tree.
2. Configure the Mobility 5181 Access Point System Settings field to assign a system name and location, set the country of operation and view device version information.
System Name Specify a device name for the Mobility 5181. Brocade recommends selecting a
name serving as a reminder of the user base the Mobility 5181 Access Point supports (engineering, retail, etc.).
System Location Enter the location of the Mobility 5181. The System Location parameter acts
as a reminder of where the AP can be found. Use the System Name field as a specific identifier of device location. Use the System Name and System Location fields together to optionally define the AP name by the radio coverage it supports and specific physical location. For example, “second floor engineering”
Admin Email Address
46 Brocade Mobility 5181 Access Point Product Reference Guide
Specify the AP administrator's email address.
53-1002516-01
Page 61
Configuring system settings
Country The Mobility 5181 Access Point prompts the user for the correct country code
after the first login. A warning message also displays stating that an incorrect country setting will lead to an illegal use of the access point. Use the pull-down menu to select the country of operation. Selecting the correct country is extremely important. Each country has its own regulatory restrictions concerning electromagnetic emissions (channel range) and the maximum RF signal strength transmitted. To ensure compliance with national and local laws, be sure to set the Country field correctly.
Mobility 5181 Access Point Version
System Uptime Displays the current uptime of the Mobility 5181 Access Point defined in the
Serial Number Displays the Mobility 5181 Access PointMedia Access Control (MAC) address.
AP Mode Displays the access point’s mode of operation to convey whether the access
The displayed number is the current version of the device firmware. Use this information to determine if the access point is running the most recent firmware available from Brocade. Use the Firmware Update screen to keep the AP’s firmware up to date.
System Name field. System Uptime is the cumulative time since the Mobility 5181 Access Point was last rebooted or lost power.
The Mobility 5181 Access Point MAC address is hard coded at the factory and cannot be modified. The LAN and WAN port MAC addresses can be located within the LAN and WAN Stats screens.
point is functioning as a standalone access point (Independent mode) or in Adaptive (thin AP) mode. If in Adaptive mode, the access point attempts to discover a controller through one or more of several mechanisms: DNS, DHCP, ICMP, CAPWAP or a statically programmed IP address.
4
3. Refer to the Factory Defaults field to restore either a full or partial default configuration.
CAUTION
Restoring the access point’s configuration back to default settings changes the administrative password back to “admin.” If restoring the configuration back to default settings, be sure you change the administrative password accordingly.
Restore Default Configuration
Restore Partial Default Configuration
Select the Restore Default Configuration button to reset the AP’s configuration to factory default settings. If selected, a message displays warning the user the current configuration will be lost if the default configuration is restored. Before using this feature, Brocade recommends using the Config Import/Export screen to export the current configuration for safekeeping.
Select the Restore Partial Default Configuration button to restore a default configuration with the exception of the current LAN, WAN, SNMP settings and IP address used to launch the browser. If selected, a message displays warning the user all current configuration settings will be lost with the exception of WAN and SNMP settings. Before using this feature, Brocade recommends using the Config Import/Export screen to export the current configuration for safekeeping.
4. Use the Restart Mobility 5181 Access Point field to restart the AP (if necessary).
Restart Mobility 5181 Access Point
Click the Restart Mobility 5181 Access Point button to reboot the AP. Restarting the Mobility 5181 Access Point resets all data collection values to zero. Brocade does not recommend restarting the AP during significant system uptime or data collection activities.
Brocade Mobility 5181 Access Point Product Reference Guide 47 53-1002516-01
Page 62

Adaptive AP setup

4
CAUTION
After a reboot, static route entries disappear from the AP Route Table if a LAN Interface is set to DHCP Client. The entries can be retrieved (once the reboot is done) by performing an Apply operation from the WEB UI or a save operation from the CLI.
5. Click Apply to save any changes to the System Settings screen. Navigating away from the screen without clicking the Apply button results in all changes to the screen being lost.
NOTE
The Apply button is not needed for restoring the Mobility 5181 Access Point default configuration or restarting the Mobility 5181.
6. Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on the System Settings screen to the last saved configuration.
7. Cl i c k Logout to securely exit the Mobility 5181 Access Point applet. A prompt displays confirming the logout before the applet is closed.
Adaptive AP setup
An access point needs settings defined to discover (and adopt) an available controller and establish a connection and data tunnel. It’s through this controller adoption that the access point receives its adaptive AP (AAP) configuration. A new screen has been added to define the mechanisms used to adopt a controller and route AAP configuration information
NOTE
For an AAP overview and a theoretical discussion of how an access point discovers a controller to creates a secure data tunnel for adaptive AP operation, see “Adaptive AP” on page 379.
NOTE
The Adaptive AP Setup screen does not display the AAP’s adoption status or adopted controller. This information is available using the access point’s CLI.
To configure the access point’s controller discovery method and connection medium:
48 Brocade Mobility 5181 Access Point Product Reference Guide
53-1002516-01
Page 63
Adaptive AP setup
1. Select System Configuration -> Adaptive AP Setup from the menu tree.
4
2. Define the following to prioritize a controller connection scheme and AP interface used to adopt to the controller.
Control Port Define the port used by the controller FQDN to transmit and receive with the AAP.
The default control port is 24576.
Controller FQDN Add a complete controller fully qualified domain name (FQDN) to add a controller
to the 12 available controller IP addresses available for connection. The access point resolves the name to one or more IP addresses if a DNS IP address is present. This method is used when the access point fails to obtain an IP address using DHCP.
PSK Before the access point sends a packet requesting its mode and configuration, the
controller and the access point require a secure link using a pre-shared key.
Auto Discovery Enable
Brocade Mobility 5181 Access Point Product Reference Guide 49 53-1002516-01
When the Auto Discovery Enable checkbox is selected, the access point begins the controller discovery (adoption) process using DHCP first, then a user provided domain name, lastly using static IP addresses. This setting is disabled by default. When disabled, the AP functions as a standalone access point without trying to adopt a controller. Consequently, the access point will not be able to obtain an AAP configuration.
Page 64

Configuring data access

4
Controller Interface Use the Controller Interface drop-down menu to specify the interface used by the
controller for connectivity with the access point. Options include LAN1, LAN2 and WAN. The default setting is LAN1.
Enable AP-Controller Tunnel
Keep-alive Period The Keepalive interval defines a period (in seconds) the AAP uses to terminate its
Current Controller Displays the IP address of the connected controller. This is the controller from
AP Adoption State Displays whether the access point has been adopted by the controller (whose IP
This setting is required to enable an IPSec VPN from the AAP to the wireless controller.
connection to the controller if no data is received.
which the access point receives its adaptive configuration.
address is listed in the Current Controller parameter). The access point cannot receive its adaptive configuration without association.
3. Refer to the 12 available Switch IP Addresses to review the addresses the access point uses to adopt with a controller.
The access point contacts each controller on the list (from top to bottom) until a viable controller adoption is made. The access point first populates the list with the IP addresses received from its DHCP resource. If DHCP is not able to obtain IP addresses, the access point attempts to resolve the controller's Domain Name if provided within the Controller FQDN parameter. However, if the access point receives one or more IP addresses from the DHCP server, it will not solicit an IP address from a user provided domain name. Lastly, provide static (manually provided) IP addresses to the list as long as there is room. The access point will defer to these addresses if DHCP and a provided domain address fail to secure a controller adoption.
4. Click Apply to save any changes to the Adaptive AP Setup screen. Navigating away from the screen without clicking the Apply button results in all changes to the screen being lost.
5. Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on the Adaptive AP Setup screen to the last saved configuration.
6. Click Logout to securely exit the Mobility 5181 Access Point Access Point applet. A prompt displays confirming the logout before the applet is closed.
Configuring data access
Use the point from different subnets (LAN1, LAN2 or WAN) using different protocols such as HTTP, HTTPS, Telnet, SSH or SNMP. The access options are either enabled or disabled. It is not meant to function as an ACL in routers or other firewalls, where you can specify and customize specific IPs to access specific interfaces.
Use the Mobility 5181 Access Point’s Access screen checkboxes to enable or disable LAN1, LAN2 and/or WAN access using the protocols and ports listed. If access is disabled, this effectively locks out the administrator from configuring the Mobility 5181 Access Point using that interface. To avoid jeopardizing the network data managed by the Mobility 5181 Access Point, Brocade recommends enabling only those interfaces used in the routine (daily) management of the network, and disabling all other interfaces until they are required.
Mobility 5181 Access Point
Access screen to allow/deny management access to the access
50 Brocade Mobility 5181 Access Point Product Reference Guide
53-1002516-01
Page 65
Configuring data access
The Mobility 5181 Access Point Access screen also has a facility allowing customers to create a login message with customer generated text. When enabled (using either the access point Web UI or CLI), the login message displays when the user is logging into the access point. If the login message is disabled, the default login screen displays with no message.
AP access can be restricted to specific IP addresses. Trusted Host subnet management restricts LAN1, LAN2 and WAN interface access (via SNMP, HTTP, HTTPS, Telnet and/or SSH) to a set of (up to 8) user defined trusted hosts or subnets. Only hosts with matching IP addresses can access the access point. Enabling the feature denies access from any subnet (IP address) not defined as trusted. Once a set of trusted hosts is defined and applied, the settings can be imported and exported as a part of the access point’s configuration import/export functionality. For information on defining trusted hosts for exclusive AP access, see “Defining trusted hosts” on page 55.
To configure access for the Mobility 5181 Access Point:
4
1. Select System Configuration ->
The Truste d Hosts field appears at the top of the screen, but the remainder of the screen can be viewed by using the scroll bar on the right-hand side of the screen.
Mobility 5181 Access Point
Access from the menu tree.
2. Select the Truste d Hosts checkbox to display a field where up to 8 IP addresses can be defined for exclusive access to the AP. For more information, see “Defining trusted hosts” on page 55.
Brocade Mobility 5181 Access Point Product Reference Guide 51 53-1002516-01
Page 66
Configuring data access
4
3. Use the Mobility 5181 Access Point Access field check boxes to enable/disable the following on the access point’s LAN1, LAN2 or WAN interfaces:
Applet HTTP (port 80)
Applet HTTPS (port 443)
CLI TELNET (port 23)
CLI SSH (port 22)
SNMP (port 161)
Select the LAN1, LAN2 and/or WAN checkboxes to enable access to the Mobility 5181 Access Point configuration applet using a Web browser.
Select the LAN1, LAN2 and/or WAN checkboxes to enable access to the Mobility 5181 Access Point configuration applet using a Secure Sockets Layer (SSL) for encrypted HTTP sessions.
Select the LAN1, LAN2 and/or WAN checkboxes to enable access to the Mobility 5181 Access Point CLI via the TELNET terminal emulation TCP/IP protocol.
Select the LAN1, LAN2 and/or WAN checkboxes to enable access to the Mobility 5181 Access Point CLI using the SSH (Secure Shell) protocol.
Select the LAN1, LAN2 and/or WAN checkboxes to enable access to the Mobility 5181 Access Point configuration settings from an SNMP-capable client.
4. Refer to the Applet Timeout field to set an HTTPS timeout interval.
HTTP/S Timeout
Disables access to the access point if no data activity is detected over Applet HTTPS (port 443) after the user defined interval. Default is 0 Mins.
5. Use the Admin Authentication buttons to specify the authentication server connection method.
Local
Radius
The Mobility 5181 Access Point verifies the authentication connection.
Designates that a Radius server is used in the authentication credential verification. If using this option, the connected PC is required to have its Radius credentials verified with an external Radius server. Additionally, the Radius Server’s Active Directory should have a valid user configured and have a PAP based Remote Access Policy configured for Radius Admin Authentication to work.
6. Configure the Secure Shell field to set timeout values to reduce network inactivity.
Authentication Timeout
SSH Keepalive Interval
Defines the maximum time (between 30 - 120 seconds) allowed for SSH authentication to occur before executing a timeout. The minimum permissible value is 30 seconds.
The SSH Keepalive Interval defines a period (in seconds) after which if no data has been received from a client, SSH sends a message through the encrypted channel to request a response from the client. The default is 0, and no messages will be sent to the client until a non-zero value is set. Defining a Keepalive interval is important, otherwise programs running on a server may never notice if the other end of a connection is rebooted.
7. Use the Radius Server if a Radius server has been selected as the authentication server. Enter the required network address information
52 Brocade Mobility 5181 Access Point Product Reference Guide
53-1002516-01
Page 67
.
Radius Server IP
Port
Shared Secret
Configuring data access
Specify the numerical (non DNS name) IP address of the Remote Authentication Dial-In User Service (Radius) server. Radius is a client/server protocol and software enabling remote-access servers to communicate with a server used to authenticate users and authorize access to the requested system or service.
Specify the port on which the server is listening. The Radius server typically listens on ports 1812 (default port).
Define a shared secret for authentication on the server. The shared secret is required to be the same as the shared secret defined on the Radius server. Use shared secrets to verify Radius messages (with the exception of the Access-Request message) sent by a Radius-enabled device configured with the same shared secret.
Apply the qualifications of a well-chosen password to the generation of a shared secret. Generate a random, case-sensitive string using letters and numbers. The default is Brocade.
4
8. Update the Administrator Access field to change the administrative password used to access the configuration settings.
Change Admin Password
Click the Change Admin Password button to display a screen for updating the AP administrator password. Enter and confirm a new administrator password as required.
9. Refer to the Login Message field to optionally define a message displayed to the customer as they login into the access point.
Message Settings
Click the Message Settings button to display a screen used to create a text message. Once displayed, select the Enable Login Message checkbox to allow your customized message to be displayed when the user is logging into the access point. If the checkbox is not selected (as is the case by default), the user will encounter the login screen with no additional message.
When the login message function is enabled, the user can enter a (511 character maximum) message describing any usage caveat required (such as the authorization disclaimer displayed on the following page). Thus, the login message can serve an important function by discouraging unauthorized users from illegally managing the access point. As your message is entered, the character usage counter is updated to allow you to visualize how close you are coming to the maximum allowed number of characters. Click the Clear button at any time to remove the contents of the message and begin a new one. Once you have finished creating your message, click the OK button to return to the
Mobility 5181 Access Point access screen.
Brocade Mobility 5181 Access Point Product Reference Guide 53 53-1002516-01
Page 68
Configuring data access
4
10. Click Apply to save any changes to the Mobility 5181 Access Point Access screen. Navigating away from the screen without clicking the Apply button results in all changes to the screen being lost.
11. Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on the Mobility 5181 Access Point Access screen to the last saved configuration.
12. Click Logout to securely exit the Mobility 5181 Access Point applet. A prompt displays confirming the logout before the applet is closed.
54 Brocade Mobility 5181 Access Point Product Reference Guide
53-1002516-01
Page 69
Configuring data access
4

Defining trusted hosts

Mobility 5181 Access Point access can be restricted to up 8 specific IP addresses. Trusted Host
management restricts LAN1, LAN2 and WAN access (via SNMP, HTTP, HTTPS, Telnet and SSH). Only hosts with IP addresses matching those defined within the Trusted Host Access field are able to access the access point. Enabling the feature denies access from any subnet (IP address) not defined as trusted.
To restrict AP access to a set of user defined IP addresses:
1. Select System Configuration ->
Mobility 5181 Access Point
Access from the menu tree.
2. Select the Trusted H osts check box.
The Trusted Ho st A cces s field displays. The remaining portion of the Access screen (not related to Trusted Host support) can be accessed using the scroll bar on the right-hand side of the Mobility 5181 Access Point Access screen.
3. Click the Add button and define an IP address in the subsequent pop-up screen.
4. Individually define up to 8 addresses using the Add function. Each address defined will be granted permission to access point resources.
5. Select an existing IP address and click the Edit button to modify the address if no longer relevant.
Brocade Mobility 5181 Access Point Product Reference Guide 55 53-1002516-01
Page 70

Managing Certificate Authority (CA) certificates

4
6. If you are near the capacity of 8 allowed IP addresses or an address becomes obsolete, consider selecting an existing address and click the Delete button to remove an address.
7. Cl i c k Apply to save any changes to the Access screen’s Trusted Host configuration. Navigating away from the screen without clicking Apply results in all changes to the screen being lost.
8. Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the Trusted Host settings within the Access screen to the last saved configuration.
9. Click Logout to securely exit the Mobility 5181 Access Point applet. A prompt displays confirming the logout before the applet is closed.
Managing Certificate Authority (CA) certificates
Certificate management includes the following sections:
Importing a CA certificate
Creating self certificates for accessing the VPN
Apache certificate management

Importing a CA certificate

A certificate authority (CA) is a network authority that issues and manages security credentials and public keys for message encryption. The CA signs all digital certificates that it issues with its own private key. The corresponding public key is contained within the certificate and is called a CA certificate. A browser must contain this CA certificate in its Trusted Root Lib rary so it can trust certificates “signed” by the CA's private key.
Depending on the public key infrastructure, the digital certificate includes the owner's public key, the certificate expiration date, the owner's name and other public key owner information.
The Mobility 5181 Access Point can import and maintain a set of CA certificates to use as an authentication option for Virtual Private Network (VPN) access. To use the certificate for a VPN tunnel, define a tunnel and select the IKE settings to use either RSA or DES certificates. For additional information on configuring VPN tunnels, see “Configuring VPN tunnels” on page 151
CAUTION
Loaded and signed CA certificates will be lost when changing the access point’s firmware version using either the GUI or CLI. After a certificate has been successfully loaded, export it to a secure location to ensure its availability after a firmware update. If restoring the access point’s factory default firmware, you must export the certificate file BEFORE restoring the access point’s factory default configuration. Import the file back after the updated firmware is installed.
Refer to your network administrator to obtain a CA certificate to import into the Mobility 5181 Access Point.
56 Brocade Mobility 5181 Access Point Product Reference Guide
53-1002516-01
Page 71
Managing Certificate Authority (CA) certificates
4
NOTE
Verify the Mobility 5181 Access Point device time is synchronized with an NTP server before importing a certificate to avoid issues with conflicting date/time stamps. For more information, see
“Configuring Network Time Protocol (NTP)” on page 76.
To import a CA certificate:
1. Select System Configuration -> Certificate Mgmt -> CA Certificates from the menu tree.
2. Copy the content of the CA Certificate message (using a text editor such as notepad) and click on Paste from Clipboard.
The content of the certificate displays in the Import a root CA Certificate field.
3. Click the Import root CA Certificate button to import it into the CA Certificate list.
4. Once in the list, select the certificate ID within the View Imported root CA Certificates field to view the certificate issuer name, subject, and certificate expiration data.
5. To delete a certificate, select the Id from the drop-down menu and click the Del button.
Brocade Mobility 5181 Access Point Product Reference Guide 57 53-1002516-01
Page 72
Managing Certificate Authority (CA) certificates
4

Creating self certificates for accessing the VPN

The Mobility 5181 Access Point requires two kinds of certificates for accessing the VPN, CA certificates and self certificates. Self certificates are certificate requests you create, send to a Certificate Authority (CA) to be signed, then import the signed certificate into the management system.
CAUTION
Self certificates can only be generated using the access point GUI and CLI interfaces. No functionality exists for creating a self-certificate using the access point’s SNMP configuration option.
To create a self certificate:
1. Select System Configuration -> Certificate Mgmt -> Self Certificates from the Mobility 5181 Access Point menu tree.
2. Click on the Add button to create the certificate request.
The Certificate Request screen displays.
3. Complete the request form with the pertinent information. Only 4 values are required, the others optional.
58 Brocade Mobility 5181 Access Point Product Reference Guide
53-1002516-01
Page 73
Managing Certificate Authority (CA) certificates
4
Key ID
Subject
Signature Algorithm
Key Length
Enter a logical name for the certificate to help distinguish between certificates. The name can be up to 7 characters in length.
The required Subject value contains important information about the certificate. Contact the CA signing the certificate to determine the content of the Subject parameter.
Use the drop-down menu to select the signature algorithm used for the certificate. Options include:
MD5-RSA - Message Digest 5 algorithm in combination with RSA encryption. SHA1-RSA - Secure Hash Algorithm 1 in combination with RSA encryption.
Defines the length of the key. Possible values are 512, 1024, and 2048.
4. When the form is completed, click the Generate button.
The Certificate Request screen disappears and the ID of the generated certificate request displays in the drop-down list of certificates within the Self Certificates screen.
5. Click the Generate Request button.
The generated certificate request displays in Self Certificates screen text box.
6. Click the Copy to Clipboard button.
Brocade Mobility 5181 Access Point Product Reference Guide 59 53-1002516-01
Page 74
Managing Certificate Authority (CA) certificates
4
The content of certificate request is copied to the clipboard.
Create an email to your CA, paste the content of the request into the body of the message and send it to the CA.
The CA signs the certificate and will send it back. Once received, copy the content from the email into the clipboard.
7. Cl ic k t h e Paste from clipboard button.
The content of the email displays in the window.
NOTE
Click the Load Certificate button to import the certificate and make it available for use as a VPN authentication option. The certificate ID displays in the Signed list.
NOTE
If the Mobility 5181 Access Point is restarted after a certificate request has been generated but before the signed certificate is imported, the import will not execute properly. Do not restart the Mobility 5181 Access Point during this process.
8. To use the certificate for a VPN tunnel, first define a tunnel and select the IKE settings to use either RSA or DES certificates. For additional information on configuring VPN tunnels, see
“Configuring VPN tunnels” on page 151.

Creating a certificate for onboard RADIUS authentication

The Mobility 5181 Access Point can use its on-board RADIUS Server to generate certificates to authenticate Clients for use with the access point. In addition, a Windows 2000 or 2003 Server is used to sign the certificate before downloading it back to the access point’s on-board Radius server and loading the certificate for use with the access point.
Both a CA and Self certificate are required for Onboard Radius Authentication. For information on CA Certificates, see “Importing a CA certificate” on page 56. Ensure the certificate is in a Base 64 Encoded format or risk loading an invalid certificate.
CAUTION
If using the RADIUS time-based authentication feature to authenticate access point user permissions, ensure the access point’s time is synchronized with the CA server used to generate certificate requests.
CAUTION
Self certificates can only be generated using the access point GUI and CLI interfaces. No functionality exists for creating a self-certificate using the access point’s SNMP configuration option.
To create a self certificate for on-board RADIUS authentication:
60 Brocade Mobility 5181 Access Point Product Reference Guide
53-1002516-01
Page 75
Managing Certificate Authority (CA) certificates
1. Select System Configuration -> Certificate Mgmt -> Self Certificates from the Mobility 5181 Access Point menu tree.
2. Click on the Add button to create the certificate request.
The Certificate Request screen displays.
3. Complete the request form with the pertinent information.
4
Key ID (required)
Subject (required)
Department
Organization
City
State
Postal Code
Country Code
Email
Domain Name
IP Address
Signature Algorithm
Key Length
Enter a logical name for the certificate to help distinguish between certificates. The name can be up to 7 characters in length.
The required Subject value contains important information about the certificate. Contact the CA signing the certificate to determine the content of the Subject parameter.
Optionally enter a value for your organizations’s department name if needing to differentiate the certificate from similar certificates used in other departments within your organization.
Optionally enter the name of your organization for supporting information for the certificate request.
Optionally enter the name of the City where the access point (using the certificate) resides.
Optionally enter the name of the State where the access point (using the certificate) resides.
Optionally enter the name of the Postal (Zip) Code where the access point (using the certificate) resides.
Optionally enter the access point’s Country Code.
Enter a organizational email address (avoid using a personal address if possible) to associate the request with the proper requesting organization.
Ensure the Domain name is the name of the CA Server. This value must be set correctly to ensure the certificate is properly generated.
Enter the IP address of this access point (as you are using the access point’s onbard Radius server).
Use the drop-down menu to select the signature algorithm used for the certificate. Options include:
MD5-RSA - Message Digest 5 algorithm in combination with RSA encryption. SHA1-RSA - Secure Hash Algorithm 1 in combination with RSA encryption.
Defines the length of the key. Possible values are 512, 1024, and 2048. Brocade recommends setting this value to 1024 to ensure optimum functionality.
4. Complete as many of the optional values within the Certificate Request screen as possible.
5. When the form is completed, click the Generate button from within the Certificate Request screen.
The Certificate Request screen disappears and the ID of the generated certificate request displays in the drop-down list of certificates within the Self Certificates screen.
Brocade Mobility 5181 Access Point Product Reference Guide 61 53-1002516-01
Page 76
Managing Certificate Authority (CA) certificates
4
NOTE
A Warning screen may display at this phase stating key information could be lost if you proceed with the certificate request. Click the OK button to continue, as the certificate has not been signed yet.
6. Click the Generate Request button from within the Self Certificates screen. The certificate content displays within the Self Certificate screen.
7. Cl ic k t h e Copy to clipboard button. Save the certificate content to a secure location.
8. Connect to the Windows 2000 or 2003 server used to sign the certificate.
9. Select the Request a certificate option. Click Next to continue.
10. Select the Advanced request checkbox from within the Choose Request Type screen and click Next to continue.
11. From within the Advanced Certificate Requests screen, select the Submit a certificate request
using a base 64 encoded PKCS #10 file or a renewal request using a base64 encoded PKCS file option. Click Next to continue.
12. Paste the content of certificate in the Saved Request field (within the Submit a Saved Request screen).
NOTE
An administrator must make sure the Web Server option is available as a selectable option for those without administrative privileges.
If you do not have administrative privileges, ensure the Web Server option has been selected from the Certificate Template drop-down menu. Click Submit.
13. Select the Base 64 encoded check box option from within the Certificate Issued screen and select the Download CA Certificate link.
A File Download screen displays prompting the user to select the download location for the certificate.
14. Click the Save button and save the certificate to a secure location.
15. Load the certificates on the access point
CAUTION
Ensure the CA Certificate is loaded before the Self Certificate, or risk an invalid certificate load.
16. Open the certificate file and copy its contents into the CA Certificates screen by clicking the Paste from Clipboard button.
The certificate is now ready to be loaded into the access point’s flash memory.
17. Cli ck th e Import root CA Certificate button from within the CA Certificates screen.
.
18. Verify the contents of the certificate file display correctly within the CA Certificates screen.
19. Open the certificate file and copy its contents into the Self Certificates screen by clicking the Paste from Clipboard button.
20. Click the Load Certificate button.
62 Brocade Mobility 5181 Access Point Product Reference Guide
53-1002516-01
Page 77
Managing Certificate Authority (CA) certificates
21. Verify the contents of the certificate file display correctly within the Self Certificates screen.
The certificate for the onboard RADIUS authentication of Clients has now been generated and loaded into the access point’s flash memory.
4

Apache certificate management

Apache certificate management allows the update and management of security certificates for an Apache HTTP server. This allows users to upload a trusted certificate to their AP. When a client attaches to it with a browser, a warning message pertaining to the certificate no longer displays.
Apache certificate management utilizes the access point’s existing Certificate Manager for the creation of certificates and keys. The certificate can then be loaded into the Apache file system.
To import or export an Apache certificate:
1. Select System Configuration -> Certificate Mgmt -> Apache Certificates from the Mobility 5181 Access Point menu tree.
The Apache Certificate Import/Export screen displays.
2. Configure the FTP and TFTP Import/Export field to import/export security certificates for an Apache HTTP server.
Brocade Mobility 5181 Access Point Product Reference Guide 63 53-1002516-01
Page 78

Configuring SNMP settings

4
Certificate Name (no extension)
FTP/TFTP Server IP Address
Filepath (optional)
FTP
TFTP
Username
Password
Import Certificate and Key
Export Certificate and Key
Specify the name of the certificate file to be written to the FTP or TFTP server. Do not enter the file’s extension.
Enter the numerical (non DNS name) IP address of the destination FTP or TFTP server where the security certificate is imported or exported.
Defines the optional path name used to import/export the target security certificate.
Select the FTP radio button if using an FTP server to import or export the security certificate.
Select the TFTP radio button if using an FTP server to import or export the security certificate.
Specify a username to be used when logging in to the FTP server. A username is not required for TFTP server logins.
Define a password allowing access to the FTP server for the import or export operation.
Click the Import Certificate and Key button to import the security certificate from the server with the assigned filename and login information.
Click the Export Certificate and Key button to export the security certificate from the server with the assigned filename and login information.
3. Refer to the Status field to review the progress of an import or export operation.
When an import operation is in progress, an “importing certificate and key” message displays. Once completed, an indication of the import or export operation’s success or failure displays.
4. Click Apply to save any changes to the Apache certificate import/export configuration. Navigating away from the screen without clicking Apply results in all changes to the screen being lost.
5. Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings within the screen to the last saved configuration.
6. Click Logout to securely exit the Access Point applet. A prompt displays confirming the logout before the applet is closed.
Configuring SNMP settings
Simple Network Management Protocol (SNMP) facilitates the exchange of management information between network devices. SNMP uses Management Information Bases (MIBs) to manage the device configuration and monitor Internet devices in potentially remote locations. MIB information accessed via SNMP is defined by a set of managed objects called object identifiers (OIDs). An object identifier (OID) is used to uniquely identify each object variable of a MIB. The access point Web download package contains the following 2 MIB files:
BROCADE-CC-BR51XX-MIB-2.0.mib (standard MIB file)
BROCADE-BR51XX-MIB.mib
64 Brocade Mobility 5181 Access Point Product Reference Guide
53-1002516-01
Page 79
Configuring SNMP settings
SNMP allows a network administrator to manage network performance, find and solve network problems, and plan for network growth. The Mobility 5181 Access Point supports SNMP management functions for gathering information from its network components, communicating that information to specified users and configuring the access point. All the fields available within the access point are also configurable within the MIB.
The Mobility 5181 Access Point SNMP agent functions as a command responder and is a multilingual agent responding to SNMPv1, v2c and v3 managers (command generators). The factory default configuration maintains SNMPv1/2c support of the community names, hence providing backward compatibility.
SNMP v1/v2c community definitions and SNMP v3 user definitions work independently, and both use the Access Control List (ACL) of the SNMP Access Control sub-screen.
Use the SNMP Access screen to define SNMP v1/v2c community definitions and SNMP v3 user definitions. SNMP version 1 (v1) provides a strong network management system, but its security is relatively weak. The improvements in SNMP version 2c (v2c) do not include the attempted security enhancements of other version-2 protocols. Instead, SNMP v2c defaults to SNMP-standard community strings for read-only and read/write access. SNMP version 3 (v3) further enhances protocol features, providing much improved security. SNMP v3 encrypts transmissions and provides authentication for users generating requests.
To configure SNMP v1/v2c community definitions and SNMP v3 user definitions for the Mobility 5181 Access Point:
4
Brocade Mobility 5181 Access Point Product Reference Guide 65 53-1002516-01
Page 80
Configuring SNMP settings
4
1. Select System Configuration - > SNMP Access from the Mobility 5181 Access Point menu tree.
SNMP v1/v2c community definitions allow read-only or read/write access to Mobility 5181 Access Point management information. The SNMP community includes users whose IP addresses are specified on the SNMP Access Control screen.
A read-only community string allows a remote device to retrieve information, while a read/write community string allows a remote device to modify settings. Brocade recommends considering adding a community definition using a site-appropriate name and access level. Set up a read/write definition (at a minimum) to facilitate full access by the Mobility 5181 Access Point administrator.
2. Configure the SNMP v1/v2 Configuration field (if SNMP v1/v2 is used) to add or delete community definitions, name the community, specify the OID and define community access.
Add
Delete
Community
66 Brocade Mobility 5181 Access Point Product Reference Guide
Click Add to create a new SNMP v1/v2c community definition.
Select Delete to remove a SNMP v1/v2c community definition.
Use the Community field to specify a site-appropriate name for the community. The name is required to match the name used within the remote network management software.
53-1002516-01
Page 81
Configuring SNMP settings
4
OID
Access
Use the OID (Object Identifier) pull-down list to specify a setting of All or a enter a Custom OID. Select All to assign the user access to all OIDs in the MIB. The OID field uses numbers expressed in dot notation.
Use the Access pull-down list to specify read-only (R) access or read/write (RW) access for the community. Read-only access allows a remote device to retrieve access point information, while read/write access allows a remote device to modify access point settings.
3. Configure the SNMP v3 User Definitions field (if SNMP v3 is used) to add and configure SNMP v3 user definitions.
SNMP v3 user definitions allow read-only or read/write access to management information as appropriate.
Add
Delete
Username
Security Level
OID
Passwords
Access
Click Add to create a new entry for an SNMP v3 user.
Select Delete to remove an entry for an SNMP v3 user.
Specify a username by typing an alphanumeric string of up to 31 characters.
Use the Security Level area to specify a security level of noAuth (no authorization),
AuthNoPriv (authorization without privacy), or AuthPriv (authorization with privacy).
The NoAuth setting specifies no login authorization or encryption for the user. The AuthNoPriv setting requires login authorization, but no encryption. The AuthPriv setting requires login authorization and uses the Data Encryption
Standard (DES) protocol.
Use the OID (Object Identifier) area to specify a setting of All or enter a Custom OID. Select All to assign the user access to all OIDs in the MIB. The OID field uses numbers expressed in dot notation.
Select Passwords to display the Password Settings screen for specifying authentication and password settings for an SNMP v3 user. The maximum password length is 11 characters. Use the Authentication Algorithm drop-down menu to specify MD5 or SHA1 as the authentication algorithm. Use the Privacy Algorithm drop-down menu to define an algorithm of DES or AES-128bit.
When entering the same username on the SNMP Traps and SNMP Access screens, the password entered on the SNMP Traps page overwrites the password entered on the SNMP Access page. To avoid this problem, enter the same password on both pages.
Use the Access pull-down list to specify read-only (R) access or read/write (RW) access for a user. Read-only access permits a user to retrieve
Access Point
information, while read/write access allows a user to modify
Mobility 5181
Mobility 5181 Access Pointsettings.
4. Specify the users who can read and optionally modify the SNMP-capable client.
SNMP Access Control
Click the SNMP Access Control button to display the SNMP Access Control screen for specifying which users can read SNMP-generated information and potentially modify related settings from an SNMP-capable client.
The SNMP Access Control screen's Access Control List (ACL) uses Internet Protocol (IP) addresses to restrict access to the AP’s SNMP interface. The ACL applies to both SNMP v3 user definitions and SNMP v1/v2c community definitions.
5. If configuring SNMP v3 user definitions, set the SNMP v3 engine ID.
Brocade Mobility 5181 Access Point Product Reference Guide 67 53-1002516-01
Page 82
Configuring SNMP settings
4
Mobility 5181 Access
SNMP v3 Engine ID
Point
6. Click Apply to save any changes to the SNMP Access screen. Navigating away from the screen without clicking the Apply button results in all changes to the screen being lost.
7. Cl i c k Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on the SNMP Access screen to the last saved configuration.
8. Click Logout to securely exit the Mobility 5181 Access Point Access Point applet. A prompt displays confirming the logout before the applet is closed.
For additional SNMP configuration information, see:
The Mobility 5181 Access Point SNMP v3 Engine ID field lists the unique SNMP v3 Engine ID for the Mobility 5181 Access Point. This ID is used in SNMP v3 as the source for a trap, response or report. It is also used as the destination ID when sending get, getnext, getbulk, set or inform commands.
Configuring SNMP access control
Enabling SNMP traps
Configuring specific SNMP traps
Configuring SNMP RF trap thresholds

Configuring SNMP access control

Use the SNMP Access Control screen (as launched from the SNMP Access screen) to specify which users can read SNMP generated information and, if capable, modify related settings from an SNMP-capable client.
Use the SNMP Access Control screen's Access Control List (ACL) to limit, by Internet Protocol (IP) address, who can access the Mobility 5181 Access Point SNMP interface.
NOTE
The ACL applies to both SNMP v3 user definitions and SNMP v1/v2c community definitions on the Mobility 5181 Access Point SNMP Access screen.
To configure SNMP user access control for the Mobility 5181 Access Point:
68 Brocade Mobility 5181 Access Point Product Reference Guide
53-1002516-01
Page 83
Configuring SNMP settings
4
1. Select System Configuration - > SNMP Access from the Mobility 5181 Access Point menu tree. Click on the SNMP Access Control button from within the SNMP Access screen.
2. Configure the SNMP Access Control screen to add the IP addresses of those users receiving SNMP access.
Access Control List
Add
Edit
Delete
OK
Cancel
Enter Start IP and End IP addresses (numerical addresses only, no DNS names supported) to specify a range of user that can access the Mobility 5181 Access Point SNMP interface. An SNMP-capable client can be set up whereby only the administrator (for example) can use a read/write community definition. Use just the Starting IP Address column to specify a single SNMP user. Use both the Starting IP Address and Ending IP Address columns to specify a range of addresses for SNMP users.
To add a single IP address to the ACL, enter the same IP address in the Start IP and End IP fields.
Leave the ACL blank to allow access to the SNMP interface from the IP addresses of all authorized users.
Click Add to create a new ACL entr y.
Click Edit to revise an existing ACL entry.
Click Delete to remove a selected ACL entry for one or more SNMP users.
Click Ok to return to the SNMP Access screen. Click Apply within the SNMP Access screen to save any changes made on the SNMP Access Control screen.
Click Cancel to undo any changes made on the SNMP Access Control screen. This reverts all settings for this screen to the last saved configuration.

Enabling SNMP traps

SNMP provides the ability to send traps to notify the administrator that trap conditions are met. Traps are network packets containing data relating to network devices, or SNMP agents, that send the traps. SNMP management applications can receive and interpret these packets, and optionally can perform responsive actions. SNMP trap generation is programmable on a trap-by-trap basis.
Brocade Mobility 5181 Access Point Product Reference Guide 69 53-1002516-01
Page 84
Configuring SNMP settings
4
Use the SNMP Traps Configuration screen to enable traps and to configure appropriate settings for reporting this information. Trap configuration depends on the network machine that receives the generated traps. SNMP v1/v2c and v3 trap configurations function independently. In a mixed SNMP environment, generated traps can be sent using configurations for both SNMP v1/v2c and v3.
To configure SNMP traps on the Mobility 5181 Access Point:
1. Select System Configuration - > SNMP Access - > SNMP Trap Configuration from the Mobility 5181 Access Point menu tree.
2. Configure the SNMP v1/v2c Trap Configuration field (if SNMP v1/v2c Traps are used) to modify the following:
Add
Delete
Destination IP
Port
70 Brocade Mobility 5181 Access Point Product Reference Guide
Click Add to create a new SNMP v1/v2c Trap Configuration entry.
Click Delete to remove a selected SNMP v1/v2c Trap Configuration entry.
Specify a numerical (non DNS name) destination IP address for receiving the traps sent by the Mobility 5181 Access Point SNMP agent.
Specify a destination User Datagram Protocol (UDP) port for receiving traps. The default is 162.
53-1002516-01
Page 85
Configuring SNMP settings
4
Community
SNMP Version
Enter a community name specific to the SNMP-capable client that receives the traps.
Use the SNMP Version drop-down menu to specify v1 or v2. Some SNMP clients support only SNMP v1 traps, while others support SNMP v2 traps and possibly both, verify the correct traps are in use with clients that support them.
3. Configure the SNMP v3 Trap Configuration field (if SNMP v3 Traps are used) to modify the following:
Add
Delete
Destination IP
Port
Username
Security Level
Passwords
Click Add to create a new SNMP v3 Trap Configuration entry.
Select Delete to remove an entry for an SNMP v3 user.
Specify a numerical (non DNS name) destination IP address for receiving the traps sent by the Mobility 5181 Access Point SNMP agent.
Specify a destination User Datagram Protocol (UDP) port for receiving traps.
Enter a username specific to the SNMP-capable client receiving the traps.
Use the Security Level drop-down menu to specify a security level of noAuth (no authorization), AuthNoPriv (authorization without privacy), or AuthPriv (authorization with privacy). The “NoAuth” setting specifies no login authorization or encryption for the user. The “AuthNoPriv” setting requires login authorization, but no encryption. The “AuthPriv” setting requires login authorization and uses the Data Encryption Standard (DES).
Select Passwords to display the Password Settings screen for specifying authentication and password settings for an SNMP v3 user. The maximum password length is 11 characters. Use the Authentication Algorithm drop-down menu to specify MD5 or SHA1 as the authentication algorithm. Use the Privacy Algorithm drop-down menu to define an algorithm of DES or AES-128bit.
If entering the same username on the SNMP Traps and SNMP Access screens, the password entered on the SNMP Traps page overwrites the password entered on the SNMP Access page. To avoid this problem, enter the same password on both pages.
4. Click Apply to save any changes to the SNMP Trap Configuration screen. Navigating away from the screen without clicking the Apply button results in all changes being lost.
5. Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on SNMP Trap Configuration screen to the last saved configuration.
6. Click Logout to securely exit the Mobility 5181 Access Point applet. A prompt displays confirming the logout before the applet is closed.

Configuring specific SNMP traps

Use the SNMP Traps screen to enable specific traps on the Mobility 5181 Access Point. Brocade recommends defining traps to capture unauthorized devices operating within the Mobility 5181 Access Point coverage area. Trap configuration depends on the network machine that receives the generated traps. SNMP v1/v2c and v3 trap configurations function independently. In a mixed SNMP environment, traps can be sent using configurations for both SNMP v1/v2c and v3. To configure specific SNMP traps on the Mobility 5181 Access Point:
Brocade Mobility 5181 Access Point Product Reference Guide 71 53-1002516-01
Page 86
Configuring SNMP settings
4
1. Select System Configuration - > SNMP Access - > SNMP Traps from the menu tree.
2. Configure the Client Traps field to generate traps for Client associations, Client association denials and Client authentication denials. When a trap is enabled, a trap is sent every 10 seconds until the condition no longer exists.
Client associated
Client unassociated
Client denied association
Client denied authentication
Generates a trap when an Client becomes associated with one of the Mobility 5181 Access Point’s WLANs.
Generates a trap when an Client becomes unassociated with (or gets dropped from) one of the Mobility 5181 Access Point’s WLANs.
Generates a trap when an Client is denied association to a Mobility 5181 Access Point WLAN. Can be caused when the maximum number of Clients for a WLAN is exceeded or when an Client violates the Mobility 5181 Access Point’s Access
Control List (ACL).
Generates a trap when an Client is denied authentication on one of the AP’s WLANs. Can be caused by the Client being set for the wrong authentication type for the WLAN or by an incorrect key or password.
3. Configure the SNMP Traps field to generate traps when SNMP capable Clients are denied authentication privileges or are subject of an ACL violation. When a trap is enabled, a trap is sent every 5 seconds until the condition no longer exists.
72 Brocade Mobility 5181 Access Point Product Reference Guide
53-1002516-01
Page 87
Configuring SNMP settings
4
SNMP authentication failures
SNMP ACL violation
Generates a trap when an SNMP-capable client is denied access to the Mobility 5181 Access Point’s SNMP management functions or data. This can result from an incorrect login, or missing/incorrect user credentials.
Generates a trap when an SNMP client cannot access SNMP management functions or data due to an Access Control List (ACL) violation. This can result from a missing/incorrect IP address entered within the SNMP Access Control screen.
4. Configure the Network Traps field to generate traps when the Mobility 5181 Access Point’s link status changes or when the AP’s firewall detects a DOS attack.
Physical port status change
DynDNS Update
Denial of service (DOS) attempts
Send trap every
Generates a trap whenever the status changes on the Mobility 5181 Access Point. The physical port status changes when a link is lost between the Mobility 5181 Access Point and a connected device.
Generates a trap whenever domain name information is updated as a result of the IP address associated with that domain being modified.
Generates a trap whenever a Denial of Service (DOS) attack is detected by the Mobility 5181 Access Point firewall. A new trap is sent at the specified interval until the attack has stopped.
Defines the interval in seconds the Mobility 5181 Access Point uses to generate a trap until the Denial of Service attack is stopped. Default is 10 seconds.
5. Configure the System Traps field to generate traps when the Mobility 5181 Access Point re-initializes during transmission, saves its configuration file. When a trap is enabled, a trap is sent every 5 seconds until the condition no longer exists.
System Cold Start
Configuration Changes
Rogue AP Detection
AP Radar Detection
WPA Counter Measure
Client Hotspot Status
VLAN
LAN Monitor
Health Check Trap
Generates a trap when the Mobility 5181 Access Point re-initializes while transmitting, possibly altering the SNMP agent's configuration or protocol entity implementation.
Generates a trap whenever changes to the Mobility 5181 Access Point’s configuration file are saved.
Generates a trap if a Rogue AP is detected by the Mobility 5181 Access Point.
Generates a trap if an AP is detected using a form of radar detection.
Generates a trap if an attack is detected against the WPA Key Exchange Mechanism.
Generates a trap when a change to the status of Client hotspot member is detected.
Generates a trap when a change to a VLAN state is detected.
Generates a trap when a change to the LAN monitoring state is detected.
Generates a trap when access to a configured resource such as a RADIUS server or a web portal is lost.
6. Refer to the Set All Traps field to use a single location to either enable or disable each trap listed within the SNMP Traps screen.
Brocade Mobility 5181 Access Point Product Reference Guide 73 53-1002516-01
Page 88
Configuring SNMP settings
4
Enable All
Disable All
Select this button to enable each trap defined within the SNMP Traps screen. Once the changes are applied, each event listed will generate a trap upon its occurrence.
Select this button to disable each trap defined within the SNMP Traps screen. Once the changes are applied, none of the events listed will generate a trap upon their occurrence.
7. Cl i c k Apply to save any changes to the SNMP Traps screen. Navigating away from the screen without clicking the Apply button results in all changes to the screen being lost.
8. Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on SNMP Traps screen to the last saved configuration.
9. Click Logout to securely exit the Mobility 5181 Access Point applet. A prompt displays confirming the logout before the applet is closed.

Configuring SNMP RF trap thresholds

Use the SNMP RF Trap Threshold screen as a means to track RF activity and the Mobility 5181 Access Point’s radio and associated Client performance. SNMP RF Traps are sent when RF traffic exceeds defined limits set in the RF Trap Thresholds field of the SNMP RF Traps screen. Thresholds are displayed for the Mobility 5181 Access Point, WLAN, selected radio and the associated Client.
To configure specific SNMP RF Traps on the Mobility 5181 Access Point:
74 Brocade Mobility 5181 Access Point Product Reference Guide
53-1002516-01
Page 89
Configuring SNMP settings
4
1. Select System Configuration - > SNMP Access - > SNMP RF Trap Thresholds from the menu tree.
2. Configure the RF Trap Thresholds field to define device threshold values for SNMP traps.
NOTE
Average Bit Speed,% of Non-Unicast, Average Signal, Average Retries,% Dropped and % Undecryptable are not access point statistics.
Pkts/s
Throughput
Average Bit Speed
Average Signal
Average Retries
Brocade Mobility 5181 Access Point Product Reference Guide 75 53-1002516-01
Enter a maximum threshold for the total throughput in Pps (Packets per second).
Set a maximum threshold for the total throughput in Mbps (Megabits per second).
Enter a minimum threshold for the average bit speed in Mbps (Megabits per second).
Enter a minimum threshold for the average signal strength in dBm for each device.
Set a maximum threshold for the average number of retries for each device.
Page 90

Configuring Network Time Protocol (NTP)

4
% Dropped
% Undecryptable
Associated Clients
Enter a maximum threshold for the total percentage of packets dropped for each device. Dropped packets can be caused by poor RF signal or interference on the channel.
Define a maximum threshold for the total percentage of packets undecryptable for each device. Undecryptable packets can be the result of corrupt packets, bad CRC checks or incomplete packets.
Set a maximum threshold for the total number of Clients associated with each device.
3. Configure the Minimum Packets field to define a minimum packet throughput value for trap generation.
Minimum number of packets required for a trap to fire
Enter the minimum number of packets that must pass through the device before an SNMP rate trap is sent. Brocade recommends using the default setting of 1000 as a minimum setting for the field.
4. Click Apply to save any changes to the SNMP RF Traps screen. Navigating away from the screen without clicking the Apply button results in all changes to the screen being lost.
5. Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on SNMP RF Traps screen to the last saved configuration.
6. Click Logout to securely exit the Mobility 5181 Access Point applet. A prompt displays confirming the logout before the applet is closed.
Configuring Network Time Protocol (NTP)
Network Time Protocol (NTP) manages time and/or network clock synchronization in the Mobility 5181 Access Point-managed network environment. NTP is a client/server implementation. The Mobility 5181 Access Point (an NTP client) periodically synchronizes its clock with a master clock (an NTP server). For example, the Mobility 5181 Access Point resets its clock to 07:04:59 upon reading a time of 07:04:59 from its designated NTP server.
Time synchronization is recommended for the access point’s network operations. For sites using Kerberos authentication, time synchronization is required. Use the Date and Time Settings screen to enable NTP and specify the IP addresses and ports of available NTP servers.
NOTE
The current time is not set accurately when initially connecting to the Mobility 5181 Access Point. Until a server is defined to provide the Mobility 5181 Access Point the correct time, or the correct time is manually set, the Mobility 5181 Access Point displays 1970-01-01 00:00:00 as the default time.
CAUTION
If using the Radius time-based authentication feature to authenticate access point user permissions, ensure UTC has been selected from the Date and Time Settings screen’s Time Zone field. If UTC is not selected, time based authentication will not work properly. For information on configuring Radius time-based authentication, see “Defining user access permissions by group” on page 173.
76 Brocade Mobility 5181 Access Point Product Reference Guide
53-1002516-01
Page 91
Configuring Network Time Protocol (NTP)
To manage clock synchronization on the Mobility 5181 Access Point:
1. Select System Configuration - > Date/Time from the Mobility 5181 Access Point menu tree.
4
2. From within the Current Time field, click the Refresh button to update the time since the screen was displayed by the user.
The Current Time field displays the current time based on the Mobility 5181 Access Point system clock. If NTP is disabled or if there are no servers available, the system time displays the Mobility 5181 Access Point uptime starting at 1970-01-01 00:00:00, with the time and date advancing.
3. Select the Set Date/Time button to display the Manual Date/Time Setting screen.
This screen enables the user to manually enter the access point’s system time using a Year-Month-Day HH:MM:SS format.
This option is disabled when the Enable NTP checkbox has been selected, and therefore should be viewed as a second means to define the access point system time.
4. If using the Manual Date/Time Setting screen to define the access point’s system time, refer to the Time Zone field to select the time used to use as complimentary information to the information entered within the Manual Date/Time Setting screen.
Brocade Mobility 5181 Access Point Product Reference Guide 77 53-1002516-01
Page 92

Configuring LLDP Settings

4
CAUTION
If using the Radius time-based authentication feature to authenticate access point user permissions, ensure UTC has been selected from the Time Zone field. If UTC is not selected, time based authentication will not work properly. For information on configuring Radius time-based authentication, see “Defining user access permissions by group” on page 173.
5. If using an NTP server to supply system time to the access point, configure the NTP Server Configuration field to define the server network address information required to acquire the Mobility 5181 Access Point network time.
Enable NTP on Mobility
5181 Access Point
Preferred Time Server
First Alternate Time Server
Second Alternate Time Server
Synchronization Interval
Select the Enable NTP on Mobility 5181 Access Point checkbox to allow a connection between the Mobility 5181 Access Point and one or more specified NTP servers. A preferred, first alternate and second alternate NTP server cannot be defined unless this checkbox is selected.
Disable this option (uncheck the checkbox) if Kerberos is not in use and time synchronization is not necessary.
Specify the numerical (non DNS name) IP address and port of the primary NTP server. The default port is 123.
Optionally, specify the numerical (non DNS name) IP address and port of an alternative NTP server to use for time synchronization if the primary NTP server goes down.
Optionally, specify the numerical (non DNS name) and port of yet another NTP server for the greatest assurance of uninterrupted time synchronization.
Define an interval in minutes the Mobility 5181 Access Point uses to synchronize its system time with the NTP server. A synchronization interval value from 15 minutes to 65535 minutes can be specified. For implementations using Kerberos, a synchronization interval of 15 minutes (default interval) or sooner is recommended.
6. Click Apply to save any changes to the Date and time Settings screen. Navigating away from the screen without clicking the Apply button results in all changes to the screen being lost.
7. Cl i c k Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on Date and Time Settings screen to the last saved configuration.
8. Click Logout to securely exit the Mobility 5181 Access Point applet. A prompt displays confirming the logout before the applet is closed.
Configuring LLDP Settings
Link Layer Discovery Protocol (LLDP) is a Layer 2 protocol (IEEE standard 802.1AB) used to determine the capabilities of devices such as repeaters, bridges, access points, routers and wireless clients. LLDP enables devices to advertise their capabilities and media-specific configurations. LLDP provides a method of discovering and representing the physical network connections of a given network management domain. The LLDP neighbor discovery protocol allows you to discover and maintain accurate network topologies in a multi-vendor environment.
78 Brocade Mobility 5181 Access Point Product Reference Guide
53-1002516-01
Page 93

Logging configuration

The information is in a Type Length Value (TLV) format for each data item. TLV information is transmitted in a LLDP protocol data unit (LLDPDU), enclosed in an Ethernet frame and sent to a destination MAC address. Certain TLVs are mandatory, and always sent once LLDP is enabled, while other TLVs are optionally configured. LLDP defines a set of common advertisement messages, a protocol for transmitting the advertisements and a method for storing information in received advertisements. A switch can receive and record the TLVs, but not transmit them. The information distributed using LLDP is stored by its recipients in a standard MIB, making it possible for the information to be accessed by a NMS using a management protocol such as SNMP.
LLDP transmits periodic advertisements containing device information and media-specific configuration information to neighbors attached to the same network. LLDP agents cannot solicit information from other agents by using LLDP.
To configure LLDP support:
1. Select System Configuration - > LLDP from the menu tree.
2. Select the Enable LLDP radio button to enable or disable the transmission of LLDP advertisements. LLDP is enabled by default.
3. Set a Refresh Interval (in seconds 5-32768) to define the LLDP refresh-interval/transmit-interval. The Refresh Interval is the interval LLDP frames are transmitted on behalf of the LLDP agent. The default is 30 seconds.
4
4. Set a Holdtime Multiplier (2-10) to define the holdtimemultiplier. This parameter is a multiplier on the Refresh Interval that determines the actual TTL value used in an LLDPDU.The default setting is 4.
5. Click Apply to save any changes to the LLDP screen. Navigating away from the screen without clicking the Apply button results in all changes to the screen being lost.
6. Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on LLDP screen to the last saved configuration.
Logging configuration
The Mobility 5181 Access Point provides the capability for periodically logging system events that prove useful in assessing the throughput and performance of the Mobility 5181 Access Point or troubleshooting problems on the Mobility 5181 Access Point managed Local Area Network (LAN). Use the Logging Configuration screen to set the desired logging level (standard syslog levels) and view or save the current Mobility 5181 Access Point system log.
To configure event logging for the Mobility 5181 Access Point:
Brocade Mobility 5181 Access Point Product Reference Guide 79 53-1002516-01
Page 94
Logging configuration
4
1. Select System Configuration - > Logging Configuration from the Mobility 5181 Access Point menu tree.
2. Configure the Log Options field to save event logs, set the log level and optionally port the Mobility 5181 Access Point’s log to an external server.
80 Brocade Mobility 5181 Access Point Product Reference Guide
53-1002516-01
Page 95

Importing/exporting configurations

4
View Log
Logging Level
Enable logging to an external syslog server
Syslog server IP address
Click View to save a log of events retained on the Mobility 5181 Access Point. The system displays a prompt requesting the administrator password before saving the log. After the password has been entered, click Get File to display a dialogue with buttons to Open or Save the log.txt file. Click Save and specify a location to save the log file.
Use the WordPad application to view the saved log.txt file on a Microsoft Windows based computer. Do not view the log file using Notepad, as the Notepad application does not properly display the formatting of the Mobility 5181 Access Point log file. Log entries are not saved in the Mobility 5181 Access Point. While the AP is in operation, log data temporarily resides in memory. AP memory is completely cleared each time the AP reboots.
Use the Logging Level drop-down menu to select the desired log level for tracking system events. Eight logging levels, (0 to 7) are available. Log Level 6: Info is the Mobility 5181 Access Point default log level. These are the standard UNIX/LINUX syslog levels.The levels are as follows:
0 - Emergency 1 - Alert 2 - Critical 3 - Errors 4 - Warning 5 - Notice 6 - Info 7 - Debug
The Mobility 5181 Access Point can log events to an external syslog (system log) server. Select the Enable logging to an external syslog server checkbox to enable the server to listen for incoming syslog messages and decode the messages into a log for viewing.
If the Enable logging to an external syslog server checkbox is selected, the numerical (non DNS name) IP address of an external syslog server is required in order to route the syslog events to that destination.
3. Click Apply to save any changes to the Logging Configuration screen. Navigating away from the screen without clicking the Apply button results in all changes to the screen being lost.
4. Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on the Logging Configuration screen to the last saved configuration.
5. Click Logout to securely exit the Mobility 5181 Access Point applet. A prompt displays confirming the logout before the applet is closed.
Importing/exporting configurations
All of the configuration settings for an Mobility 5181 Access Point can be obtained from another Mobility 5181 Access Point in the form of a text file. Additionally, all of the Mobility 5181 Access Point’s settings can be downloaded to another Mobility 5181 Access Point. Use the file-based configuration feature to speed up the setup process significantly at sites using multiple Mobility 5181 Access Points.
Brocade Mobility 5181 Access Point Product Reference Guide 81 53-1002516-01
Page 96
Importing/exporting configurations
4
Another benefit is the opportunity to save the current AP configuration before making significant changes or restoring the default configuration. All options on the access point are deleted and updated by the imported file. Therefore, the imported configuration is not a merge with the configuration of the target access point. The exported file can be edited with any document editor if necessary.
NOTE
Use the System Settings screen as necessary to restore an Mobility 5181 Access Point’s default configuration. For more information on restoring configurations, see “Configuring system settings” on page 45.
The export function will always export the encrypted Admin User password. The import function will import the Admin Password only if the access point is set to factory default. If the access point is not configured to factory default settings, the Admin User password WILL NOT get imported.
NOTE
When modifying the text file manually and spaces are used for wireless, security, Client policy names etc., ensure you use “\20” between the spaces. For example, “Second\20Floor\20Lab”. When imported, the name would display as “Second Floor Lab”.
CAUTION
A single-radio model access point cannot import/export its configuration to a dual-radio model access point. In turn, a dual-radio model access point cannot import/export its configuration to a single-radio access point.
Use the Config Import/Export screen to configure an import or export operation for Mobility 5181 Access Point configuration settings.
To create an importable/exportable Mobility 5181 Access Point configuration file:
82 Brocade Mobility 5181 Access Point Product Reference Guide
53-1002516-01
Page 97
Importing/exporting configurations
1. Select System Configuration - > Config Import/Export from the Mobility 5181 Access Point menu tree.
4
2. Configure the FTP and TFTP Import/Export field to import/export configuration settings.
Filename
FTP/TFTP Server IP Address
Filepath (optional)
FTP
TFTP
Username
Password
Brocade Mobility 5181 Access Point Product Reference Guide 83 53-1002516-01
Specify the name of the configuration file to be written to the FTP or TFTP server.
Enter the numerical (non DNS name) IP address of the destination FTP or TFTP server where the configuration file is imported or exported.
Defines the optional path name used to import/export the target configuration file.
Select the FTP radio button if using an FTP server to import or export the configuration.
Select the TFTP radio button if using an FTP server to import or export the configuration.
Specify a username to be used when logging in to the FTP server. A username is not required for TFTP server logins.
Define a password allowing access to the FTP server for the import or export operation.
Page 98
Importing/exporting configurations
4
Import Configuration
Export Configuration
Click the Import Configuration button to import the configuration file from the server with the assigned filename and login information. The system displays a confirmation window indicating the administrator must log out of the Mobility 5181 Access Point after the operation completes for the changes to take effect. Click Yes to continue the operation. Click No to cancel the configuration file import.
Click the Export Configuration button to export the configuration file from the server with the assigned filename and login information. If the IP mode is set to DHCP Client, IP address information is not exported (true for both LAN1, LAN2 and the WAN port). For LAN1 and LAN2, IP address information is only exported when the IP mode is set to either static or DHCP Server. For the WAN port, IP address information is only exported when the This interface is a DHCP Client checkbox is not selected. The system displays a confirmation window prompting the administrator to log out of the Mobility 5181 Access Point after the operation completes for the changes to take effect. Click Yes to continue the operation. Click No to cancel the configuration file export.
3. Configure the HTTP Import/Export field to import/export Mobility 5181 Access Point configuration settings using HTTP.
CAUTION
For HTTP downloads (exports) to be successful, pop-up messages must be disabled.
Upload and Apply A Configuration File
Download Configuration File
Click the Upload and Apply A Configuration File button to upload a configuration file to this access point using HTTP.
Click the Download Configuration File button to download this access point’s configuration file using HTTP.
4. Refer to the Status field to assess the completion of the import/export operation.
84 Brocade Mobility 5181 Access Point Product Reference Guide
53-1002516-01
Page 99
Importing/exporting configurations
4
Status
After executing an operation (by clicking any of the buttons in the window), check the Status field for a progress indicator and messages about the success or errors in executing the Import/Export operation. Possible status messages include:
ambiguous input before marker: line <number > unknown input before marker: line <number> ignored input after marker: line <number> additional input required after marker: line <number> invalid input length: line <number> error reading input: line <number> import file from incompatible hardware type: line <number> [0] Import operation done [1] Export operation done [2] Import operation failed [3] Export operation failed [4] File transfer in progress [5] File transfer failed [6] File transfer done Auto cfg update: Error in applying config Auto cfg update: Error in getting config file Auto cfg update: Aborting due to fw update failure The <number> value appearing at the end of some messages
relates to the line of the configuration file where an error or ambiguous input was detected.
CAUTION
If errors occur when importing the configuration file, a parsing message displays defining the line number where the error occurred. The configuration is still imported, except for the error. Consequently, it is possible to import an invalid configuration. The user is required to fix the problem and repeat the import operation until an error-free import takes place.
NOTE
Brocade recommends importing configuration files using the CLI. If errors occur during the import process, they display all at once and are easier to troubleshoot. The access point GUI displays errors one at a time, and troubleshooting can be a more time-consuming process.
NOTE
When importing the configuration, a xxxxxbytes loaded status message indicates the file was downloaded successfully. An Incompatible Hardware Type Error message indicates the configuration was not applied due to a hardware compatibility issue between the importing and exporting devices.
5. Click Apply to save the filename and Server IP information. The Apply button does not execute the import or export operation, only saves the settings entered.
6. Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on Config Import/Export screen to the last saved configuration.
7. Cl i c k Logout to securely exit the Mobility 5181 Access Point applet. A prompt displays confirming the logout before the applet is closed.
Brocade Mobility 5181 Access Point Product Reference Guide 85 53-1002516-01
Page 100

Updating device firmware

4
Updating device firmware
Brocade periodically releases updated versions of the Mobility 5181 Access Point device firmware to the Brocade Web site. If the Mobility 5181 Access Point firmware version displayed on the System Settings page (see “Configuring system settings” on page 45) is older than the version on the Web site, Brocade recommends updating the Mobility 5181 Access Point to the latest firmware version for full feature functionality.
The access point’s automatic update feature updates the access point’s firmware and configuration file automatically when the access point is reset or when the access point initiates a DHCP request.
The firmware is automatically updated each time firmware versions are found to be different between what is running on the access point and the firmware file located on the server. The configuration file is automatically updated when the configuration file name on the server is different than the name of the file previously loaded on the access point or when the file version (on the server) is different than the version currently in use on the access point.
Additionally, the configuration version can be manually changed in the text file to cause the configuration to be applied when required. The parameter name within the configuration file is “cfg-version-1.1-01.” The access point only checks the two characters after the third hyphen (01) when making a comparison. Change the last two characters to update the access point’s configuration. The two characters can be alpha-numeric.
Upgrading from a legacy to a new firmware version is a two step process requiring the same upgrade procedure to be repeated twice. The first upgrade will result in a bootloader change, and the second upgrade will result in the actual firmware update. For subsequent upgrades, a single download will suffice. Using Auto Update, the access point will automatically update itself twice when upgrading.
Upgrading to a new access point firmware baseline does not retain the configuration of the previous (lower version) firmware. Brocade recommends users export their 1.0 configuration for backup purposes prior to upgrading.
When downloading to a lower firmware version, all configuration settings are lost and the access point returns to factory default settings of the lower version.
CAUTION
If downgrading firmware from to a lower version, the access point automatically reverts to default settings of the lower version, regardless of whether you are downloading the firmware manually or using the automatic download feature. The automatic feature allows the user to download the configuration file at the same time, but since the firmware reverts to the default settings of the lower version, the configuration file is ignored.
CAUTION
Loaded and signed CA certificates will be lost when changing the access point’s firmware version using either the GUI or CLI. After a certificate has been successfully loaded, export it to a secure location to ensure its availability after a firmware update.
86 Brocade Mobility 5181 Access Point Product Reference Guide
53-1002516-01
Loading...
Buy Points How it Works FAQ Contact Us Questions and Suggestions Privacy Policy Cookie Policy Terms of Use