53-1002517-01
14 May 2012
Brocade Mobility 7131
Access Point
Product Reference Guide
Supporting software release 4.4.0.0 and later
Copyright © 2012 Brocade Communications Systems, Inc. All Rights Reserved.
Brocade, Brocade Assurance, the B-wing symbol, DCX, Fabric OS, MLX, SAN Health, VCS, and VDX are registered trademarks, and AnyIO, Brocade One, CloudPlex, Effortless Networking, ICX, NET Health, OpenScript, and The Effortless Network are trademarks of Brocade Communications Systems, Inc., in the United States and/or in other countries. Other brands, products, or service names mentioned may be trademarks of their respective owners.
Notice: This document is for informational purposes only and does not set forth any warranty, expressed or implied, concerning any equipment, equipment feature, or service offered or to be offered by Brocade. Brocade reserves the right to make changes to this document at any time, without notice, and assumes no responsibility for its use. This informational document describes features that may not be currently available. Contact a Brocade sales office for information on feature and product availability. Export of technical data contained in this document may require an export license from the United States government.
The authors and Brocade Communications Systems, Inc. shall have no liability or responsibility to any person or entity with respect to any loss, cost, liability, or damages arising from the information contained in this book or the computer programs that accompany it.
The product described by this document may contain “open source” software covered by the GNU General Public License or other open source license agreements. To find out which open source software is included in Brocade products, view the licensing terms applicable to the open source software, and obtain a copy of the programming source code, please visit
http://www.brocade.com/support/oscd.
Brocade Communications Systems, Incorporated

Corporate and Latin American Headquarters
Brocade Communications Systems, Inc.
130 Holger Way
San Jose, CA 95134
Tel: 1-408-333-8000
Fax: 1-408-333-8101
E-mail: info@brocade.com

Asia-Pacific Headquarters
Brocade Communications Systems China HK, Ltd.
No. 1 Guanghua Road
Chao Yang District
Units 2718 and 2818
Beijing 100020, China
Tel: +8610 6588 8888
Fax: +8610 6588 9999
E-mail: china-info@brocade.com

European Headquarters
Brocade Communications Switzerland Sàrl
Centre Swissair
Tour B - 4ème étage
29, Route de l'Aéroport
Case Postale 105
CH-1215 Genève 15
Switzerland
Tel: +41 22 799 5640
Fax: +41 22 799 5641
E-mail: emea-info@brocade.com

Asia-Pacific Headquarters
Brocade Communications Systems Co., Ltd. (Shenzhen WFOE)
Citic Plaza
No. 233 Tian He Road North
Unit 1308 – 13th Floor
Guangzhou, China
Tel: +8620 3891 2000
Fax: +8620 3891 2111
E-mail: china-info@brocade.com
Document History

Title: Brocade Mobility 7131 Access Point Product Reference Guide
Publication number: 53-1002517-01
Summary of changes: New document
Date: May 2012
Contents

About This Guide
  In this chapter
  Supported hardware and software
  Document Conventions
    Text formatting
    Notes
  Related publications
  Getting technical help
Chapter 1 Introduction
  In this chapter
  New Features
    Power Management Antenna Configuration File
    Hotspot Customization
    WAN Failover
    Proxy ARP Support
    Multi Cipher Support
    Dynamic Chain Selection
    Broadcast/Multicast Transmit Rate Control
    Dedicated Sensor Support
    LED Disable
  Feature Overview
    802.11n Support
    Sensor Support
    Mesh Roaming Client
    Single or Dual Mode Radio Options
    Separate LAN and WAN Ports
    Multiple Mounting Options
    Antenna Support for 2.4 GHz and 5 GHz Radios
    Sixteen Configurable WLANs
    Support for 4 BSSIDs per Radio
    Quality of Service (QoS) Support
    Industry Leading Data Security
    VLAN Support
    Multiple Management Accessibility Options
    Updatable Firmware
    Programmable SNMP v1/v2/v3 Trap Support
    Power-over-Ethernet Support
    MU-MU Transmission Disallow
    Voice Prioritization
    Support for CAM and PSP MUs
    Statistical Displays
    Transmit Power Control
    Advanced Event Logging Capability
    Configuration File Import/Export Functionality
    Default Configuration Restoration
    DHCP Support
    Mesh Networking
    Additional LAN Subnet
    On-board Radius Server Authentication
    Hotspot Support
    Routing Information Protocol (RIP)
    Manual Date and Time Settings
    Dynamic DNS
    Auto Negotiation
    Adaptive AP
    Rogue AP Enhancements
    Radius Time-Based Authentication
    QBSS Support
    Triple Radio Support
    IP Filtering
    MU Rate Limiting
    Per Radio MU Limit
    Power Setting Configuration
    AMSDU Transmission Support
    IPSec VPN Support
  Theory of Operations
    Wireless Coverage
    MAC Layer Bridging
    Media Types
    Direct-Sequence Spread Spectrum
    MU Association Process
    Operating Modes
    Management Access Options
    MAC Address Assignment
Chapter 2 Hardware Installation
  In this chapter
  Precautions
  Requirements
  Package Contents
  Access Point Placement
    Site Surveys
    Antenna Options
  Power Options
  Power Injector System
    Installing the Power Injector
  Mounting a Mobility 7131 Access Point or Mobility 7131N Access Point
    Wall Mounted Installations
    Suspended Ceiling T-Bar Installations
    Above the Ceiling (Plenum) Installations
  LED Indicators
    Three Radio Mobility 7131N Access Point LEDs
    Dual Radio (2.4/5 GHz) LEDs
    Single Radio 2.4 GHz LEDs
    Single Radio 5 GHz LEDs
    Rear LED
  Setting Up MUs
    Legacy MUs
    802.11n MUs
Chapter 3 Getting Started
  In this chapter
  Installing the Access Point
  Configuration Options
  Initially Connecting to the Access Point
    Connecting to the Access Point using the WAN Port
    Connecting to the Access Point using the LAN Port
  Basic Device Configuration
    Configuring Device Settings
    Testing Connectivity
    Where to Go from Here?
Chapter 4 System Configuration
  In this chapter
  Configuring System Settings
  Configuring Power Settings
  Adaptive AP Setup
  Configuring Data Access
  Managing Certificate Authority (CA) Certificates
    Importing a CA Certificate
    Creating Self Certificates for Accessing the VPN
    Creating a Certificate for Onboard Radius Authentication
  Configuring SNMP Settings
    Configuring SNMP Access Control
    Enabling SNMP Traps
    Configuring Specific SNMP Traps
    Configuring SNMP RF Trap Thresholds
  Configuring LLDP Settings
  Configuring Network Time Protocol (NTP)
  Logging Configuration
  Importing/Exporting Configurations
  Updating Device Firmware
Chapter 5 Network Management
  In this chapter
  Configuring the LAN Interface
    Configuring VLAN Support
    Configuring LAN1 and LAN2 Settings
  Configuring WAN Settings
    Configuring Network Address Translation (NAT) Settings
    Configuring Dynamic DNS
  Enabling Wireless LANs (WLANs)
    Creating/Editing Individual WLANs
    Setting the Radio Configuration for a WLAN
    Configuring MU Rate Limiting
  Configuring Router Settings
    Setting the RIP Configuration
  Configuring IP Filtering
    Applying a Filter to LAN1, LAN2 or a WLAN (1-16)
    IP Filter Configuration - Example
Chapter 6 Configuring Access Point Security
  In this chapter
  Configuring Security Options
  Setting Passwords
    Resetting the Access Point Password
  Enabling Authentication and Encryption Schemes
  Configuring Kerberos Authentication
  Configuring 802.1x EAP Authentication
  Configuring WEP Encryption
  Configuring KeyGuard Encryption
  Configuring WPA/WPA2 Using TKIP
  Configuring WPA2-CCMP (802.11i)
  Configuring Multi Cipher Support
  Configuring Firewall Settings
    Configuring LAN to WAN Access
    Configuring Advanced Subnet Access
  Configuring VPN Tunnels
    Creating a VPN Tunnel between Two Access Points
    Configuring Manual Key Settings
    Configuring Auto Key Settings
    Configuring IKE Key Settings
    VPN Configuration - Example
    Viewing VPN Status
  Configuring Content Filtering Settings
  Configuring Rogue AP Detection
    Moving Rogue APs to the Allowed AP List
    Using MUs to Detect Rogue Devices
  Configuring User Authentication
    Configuring the Radius Server
    Configuring LDAP Authentication
    Configuring a Proxy Radius Server
    Managing the Local User Database
    Defining User Access Permissions by Group
Chapter 7 Monitoring Statistics
  In this chapter
  Viewing WAN Statistics
  Viewing LAN Statistics
    Viewing STP Statistics for a LAN
    Viewing IP Filter Statistics for a LAN
  Viewing Wireless Statistics
    Viewing WLAN Statistics
    Viewing IP Filter Statistics for a WLAN
  Viewing Radio Statistics Summary
    Viewing Radio Statistics
  Viewing MU Statistics Summary
    Viewing MU Details
    Pinging Individual MUs
    MU Authentication Statistics
  Viewing the Mesh Statistics Summary
  Viewing Known Access Point Statistics
Chapter 8 CLI Reference
  In this chapter
  Connecting to the CLI
    Accessing the CLI through the Serial Port
    Accessing the CLI via Telnet
  Admin and Common Commands
  Network Commands
  System Commands
    Firmware Update Commands
  Statistics Commands
Chapter 9 Configuring Mesh Networking
  In this chapter
  Mesh Networking Overview
    The Client Bridge Association Process
    Spanning Tree Protocol (STP)
    Defining the Mesh Topology
    Mesh Networking and the Two Subnets of the Access Point
    Normal Operation
    Impact of Importing/Exporting Configurations to a Mesh Network
  Configuring Mesh Networking Support
    Setting the LAN Configuration for Mesh Networking Support
    Configuring a WLAN for Mesh Networking Support
    Configuring the Access Point Radio for Mesh Support
  Mesh Network Deployment - Quick Setup
    Scenario 1 - Two Base Bridges and One Client Bridge
    Scenario 2 - Two Hop Mesh Network with a Base Bridge Repeater and a Client Bridge
  Mesh Networking Frequently Asked Questions
Chapter 10 Adaptive AP
  In this chapter
  Adaptive AP Overview
    Where to Go From Here
    Adaptive AP Management
    Licensing
    Switch Discovery
    Securing a Configuration Channel Between Switch and AP
    Adaptive AP WLAN Topology
    Configuration Updates
    Securing Data Tunnels between the Switch and AAP
    Adaptive AP Switch Failure
    Remote Site Survivability (RSS)
    Adaptive Mesh Support
  Supported Adaptive AP Topologies
    Topology Deployment Considerations
    Extended WLANs Only
    Independent WLANs Only
    Extended WLANs with Independent WLANs
    Extended WLAN with Mesh Networking
  How the AP Receives its Adaptive Configuration
  Establishing Basic Adaptive AP Connectivity
    Adaptive AP Configuration
    Switch Configuration
    Adaptive AP Deployment Considerations
    Sample Switch Configuration File for IPSec and Independent WLAN
Chapter A Technical Specifications
  In this appendix
  Physical Characteristics
    Mobility 7131 Access Point Physical Characteristics
    Mobility 7131N Access Point Physical Characteristics
  Electrical Characteristics
  Mobility 7131 Access Point Radio Characteristics
  Mobility 7131N Access Point Radio Characteristics
  Country Codes
Chapter B Usage Scenarios
  In this appendix
  Configuring Automatic Updates using a DHCP or Linux BootP Server
    Windows - DHCP Server Configuration
    Linux - BootP Server Configuration
  Configuring an IPSEC Tunnel and VPN FAQs
    Configuring a VPN Tunnel Between Two Access Points
    Configuring a Cisco VPN Device
    Frequently Asked VPN Questions
• Supported hardware and software
• Document Conventions
• Related publications
• Getting technical help
This guide provides configuration and setup information for the Brocade Mobility 7131 Series Access Point.
This section describes text formatting conventions and important notice formats used in this document.
The narrative-text formatting conventions that are used are as follows:
bold text
  Identifies command names
  Identifies the names of user-manipulated GUI elements
  Identifies keywords
  Identifies text to enter at the GUI or CLI
italic text
  Provides emphasis
  Identifies variables
  Identifies document titles
code text
  Identifies CLI output
For readability, command names in the narrative portions of this guide are presented in bold; for example, show version.
The following notice statement is used in this manual.
NOTE
A note provides a tip, guidance or advice, emphasizes important information, or provides a reference to related information.
The following Brocade Communications Systems, Inc. document supplements the information in this guide and can be located at http://www.brocade.com/ethernetproducts.
• Brocade Mobility RFS4000, RFS6000 and RFS7000 CLI Reference Guide - Describes the Command Line Interface (CLI) and Management Information Base (MIB) commands used to configure the Brocade wireless controllers.
If you find errors in the guide, send an e-mail to documentation@brocade.com.
To contact Technical Support, go to http://www.brocade.com/services-support/index.page for the latest e-mail and telephone contact information.
Chapter 1 Introduction
• New Features
• Feature Overview
• Theory of Operations
As a standalone access point, the Mobility 7131 Access Point provides small and medium-sized businesses with a consolidated wired and wireless networking infrastructure, all in a single device. The integrated router, gateway, firewall, DHCP and AAA Radius servers, VPN, hot-spot gateway and Power-over-Ethernet (PoE) simplify and reduce the costs associated with networking by eliminating the need to purchase and manage multiple pieces of equipment.
The access point is also designed to meet the needs of large, distributed enterprises by converging the functionality of a thick access point and thin access port into a single device. This mode enables the deployment of a fully featured intelligent access point that can be centrally configured and managed via a Brocade wireless switch in either corporate headquarters or a network operations center (NOC). In the event the connection between the access point and the wireless switch is lost, a Remote Site Survivability (RSS) feature ensures the delivery of uninterrupted wireless services at the local or remote site. All traffic between the adaptive access points and the wireless switch is secured through an IPSec tunnel. Additionally, compatibility with Brocade’s RF Management Suite (RFMS) allows you to centrally plan, deploy, monitor and secure large deployments.
With the introduction of the Mobility 7131 Access Point 4.x firmware baseline, Brocade is also introducing a new series of Mobility 7131N model access points as a complement to the existing Mobility 7131 Access Point family. The new Mobility 7131N model access points support the same feature set and firmware as existing Mobility 7131 model access points; however, Mobility 7131N Access Points support a three radio model (with the third radio dedicated exclusively for sensor support). For more information on the three radio Mobility 7131N Access Point, see IP Filtering on page 1-23.
NOTE
Both the Mobility 7131 Access Point and Mobility 7131N model access points share the same Web applet (user interface) and installation methods. Therefore, the UI and installation descriptions within this guide apply to both models. There are instances where this common interface is used differently to configure various features (radio configuration, power management, etc.); however, those differences are carefully noted.
If you are new to using an access point for managing your network, refer to Theory of Operations on page 1-25 for an overview on wireless networking fundamentals.
The following features are now available with the introduction of the Mobility 7131N Access Point hardware and WiNG 4.4 firmware baseline:
• Power Management Antenna Configuration File
• Hotspot Customization
• WAN Failover
• Proxy ARP Support
• Multi Cipher Support
• Dynamic Chain Selection
• Broadcast/Multicast Transmit Rate Control
• Dedicated Sensor Support
• LED Disable
With this most recent release of the access point firmware, a Power Management Antenna Configuration File (PMACF) has been added to the access point firmware that automatically configures the access point’s radio transmit power based on the antenna type deployed, its supported gain and the deployed country’s regulatory domain restrictions. The antenna type is defined using the access point’s CLI by assigning a numerical code representing a particular type (or category) of antenna. The following are the numerical codes representing available antenna types: 0-Default antenna, 1-Dual band antenna, 2-Omni antenna, 3-Yagi antenna, 4-Embedded antenna, 5-Panel antenna, 6-Patch antenna and 7-Sector antenna. The antenna gain can be defined using either the access point’s CLI, applet or SNMP interfaces.
Once the antenna type and gain are provided, the access point calculates the power range. The PMACF contains transmit power data for each Brocade approved antenna type. Professional installers enter the antenna type (using the access point’s CLI interface), and the access point firmware calculates the transmit power automatically. Therefore, professional installers no longer need to second guess whether the power is over the maximum allowed level.
NOTE
The antenna type and antenna gain values are maintained by the access point after a power cycle, and are available in imported or exported configurations.
For information on specifying the antenna type and gain for the 2.4 and 5 GHz radios using the access point CLI, see br7131>admin(network.wireless.radio.802-11n[2.4 GHz])>set for the access point’s 2.4 GHz radio and br7131>admin(network.wireless.radio.802-11n[5.0 GHz])>set for the access point’s 5 GHz radio.
For information on defining the antenna gain using the access point’s GUI applet, see Configuring the 802.11a/n or 802.11b/g/n Radio on page 5-167.
To date, the default hotspot supported on the access point does not allow users to change the text on the hotspot portal or the logo for the enterprise where the hotspot is deployed. With this most recent release of the access point firmware, users now have the ability to customize the appearance of an access point’s WLAN hotspot pages. The access point’s hotspot feature is supported by four customer accessible pages (login page, welcome page, failure page, and no service page) displayed on the client attempting to access the AP’s supported hotspot. These four pages can be unique to each hotspot supported by one of the access point’s 16 WLANs. The content of the four hotspot pages can be customized by:
•Altering the text that displays on the screen
•Altering the properties of various screen elements (such as background colors, banner and logos)
NOTE
The access point allows two logos to be displayed per page. The user has the ability to alter logo placement and screen banner color schemes.
•Configuring a cascading style sheet (CSS) to define how hotspot pages display font usage, text size etc.
Four different screens are available for customization:
•Login Page – Page used to get user’s credentials.
•Welcome Page – Page displayed when the user successfully logs on.
•Fail Page – Page displayed when the user fails to log on.
•No Service Page – Page displayed when the AP temporarily loses connection to the authentication server or the adopted wireless controller.
For information on customizing a WLAN’s hotspot display, see Customizing a Hotspot Display on page 5-156.
For information on the access point’s existing (default) hotspot functionality, see Hotspot Support on page 1-20.
With this most recent release of the Mobility 7131N Access Point firmware, a WAN failover feature has been introduced, since a cellular network infrastructure is completely separate from the access point’s wired transmission infrastructure.
A WWAN card is a specialized network interface card, allowing a network device to connect, transmit and receive data over a cellular WAN. The WWAN card uses point to point protocol (PPP) to connect to an Internet Service Provider (ISP) and access the Internet. PPP is the protocol used for establishing internet links over dial-up modems, DSL connections, and many other types of point-to-point links.
The wired WAN is the primary WAN link for a Mobility 7131N Access Point, as long as it is enabled and connected, and the wireless WAN interface is the secondary link. For a WWAN to be a WAN or LAN recovery solution, the Mobility 7131N Access Point needs to monitor the link status of the wired WAN and actively check the health of the WAN connection. If a wired WAN or LAN connection failure is detected, a Mobility 7131N Access Point immediately establishes the WWAN connection and updates the default gateway to the WWAN interface.
The WWAN card is detected automatically when inserted into the Mobility 7131N Access Point express card slot. The card is detected as a USB/Serial device once its modules are loaded. If the card is inserted before or during module installation, the user has to wait until all the modules are loaded before the card is operational. These modules are loaded when the Mobility 7131N Access Point boots up (at runtime). Activate and configure the WWAN card from the access point’s applet and CLI.
NOTE
The WAN failover feature is only supported on Mobility 7131N model access points, as the Mobility 7131 model access point does not support the required PCI express card slot.
For more information on configuring a Mobility 7131N Access Point model access point for WAN failover support, see Configuring WAN Settings on page 5-127.
With this most recent release of the access point firmware, the access point can respond to ARP requests on behalf of an associated MU and protect the MU’s network credentials from being broadcasted on a publicly accessible network.
When Proxy ARP is enabled on the access point (it’s enabled by default), the access point can make an MU physically located on one network appear part of a different network connected to the same access point. Proxy ARP allows the access point to “hide” an MU’s IP address behind the access point’s firewall, while still having the MU appear to be on the public network. Proxy ARP supports both strict and dynamic modes on the access point.
For example, when Proxy ARP is enabled on the access point (it’s disabled by default) and the access point receives an ARP request (either a wired or wireless request) for the IP address of an associated MU, the access point responds directly to the request (on behalf of the MU) instead of broadcasting the ARP request over the publicly accessible wireless network.
When enabled, any system on the wireless network that ARPs for the IP address of an associated MU will receive an ARP reply from the access point stating the requesting system should be sending packets destined for the MU to the access point instead. In turn, the access point forwards the requesting packets to the target MU. Through this process, the access point can pass ARP requests in both directions, making an MU appear to be connected to a public network even though it’s on a private network hidden behind the access point.
For detailed information on configuring Proxy ARP support on the access point, see Enabling Wireless LANs (WLANs) on page 5-137.
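The proxy ARP exchange described above, as an added Python example that is not taken from the Brocade guide or firmware: it builds and parses standard RFC 826 ARP payloads, models the access point answering for an associated MU with its own MAC address (as the text describes), and audits captured replies for any other responder claiming an MU's IP address. All MAC and IP values are constructed samples and the function names are hypothetical.

```python
import socket
import struct

# ARP payload for Ethernet/IPv4 (RFC 826): htype, ptype, hlen, plen, oper,
# sender MAC, sender IP, target MAC, target IP. 28 bytes, network byte order.
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_LEN = struct.calcsize(ARP_FMT)
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", "").replace("-", ""))


def mac_text(raw):
    return ":".join(f"{b:02X}" for b in raw)


def build_arp(oper, sha, spa, tha, tpa):
    """Pack one ARP payload from textual MAC and IPv4 addresses."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                       mac_bytes(sha), socket.inet_aton(spa),
                       mac_bytes(tha), socket.inet_aton(tpa))


def parse_arp(payload):
    """Unpack an ARP payload, rejecting truncated or non-Ethernet/IPv4 input."""
    if len(payload) < ARP_LEN:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        ARP_FMT, payload[:ARP_LEN])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {"oper": oper, "sha": mac_text(sha), "spa": socket.inet_ntoa(spa),
            "tha": mac_text(tha), "tpa": socket.inet_ntoa(tpa)}


def proxy_arp_reply(request, ap_mac, associated_ips):
    """Model of the behaviour in the text: the AP answers a request for an
    associated MU's IP with its own MAC. Returns None for any other target."""
    req = parse_arp(request)
    if req["oper"] != ARP_REQUEST or req["tpa"] not in associated_ips:
        return None
    return build_arp(ARP_REPLY, ap_mac, req["tpa"], req["sha"], req["spa"])


def audit_replies(payloads, ap_mac, associated_ips):
    """Flag replies that claim an associated MU's IP from a MAC other than
    the AP's, plus payloads that do not parse at all."""
    expected = mac_text(mac_bytes(ap_mac))
    findings = []
    for index, payload in enumerate(payloads):
        try:
            arp = parse_arp(payload)
        except ValueError as exc:
            findings.append((index, "malformed", str(exc)))
            continue
        if arp["oper"] != ARP_REPLY or arp["spa"] not in associated_ips:
            continue
        if arp["sha"] != expected:
            findings.append((index, "unexpected-responder",
                             f'{arp["spa"]} claimed by {arp["sha"]}'))
    return findings


# Constructed sample data (not from the guide).
AP_MAC = "00:23:68:72:20:DC"
MU_IPS = {"192.168.0.50", "192.168.0.51"}
WIRED_HOST = ("00:11:22:33:44:55", "192.168.0.10")


def demo():
    request = build_arp(ARP_REQUEST, WIRED_HOST[0], WIRED_HOST[1],
                        "00:00:00:00:00:00", "192.168.0.50")
    reply = proxy_arp_reply(request, AP_MAC, MU_IPS)
    # A reply for an MU address from a MAC that is not the AP's.
    other = build_arp(ARP_REPLY, "02:AA:BB:CC:DD:EE", "192.168.0.51",
                      WIRED_HOST[0], WIRED_HOST[1])
    captured = [reply, other, b"\x00\x01"]
    return parse_arp(reply), audit_replies(captured, AP_MAC, MU_IPS)


if __name__ == "__main__":
    fields, findings = demo()
    print(fields)
    for finding in findings:
        print(finding)
```

With Proxy ARP active, the access point's MAC is the only expected responder for an associated MU's address on the monitored segment, which is what the audit function checks.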
Beginning with this release, professional installers have the option of deploying both new and legacy MUs within the same WLAN. Multi cipher support extends the access point’s existing WLAN security options by allowing dynamic WEP and 802.11i configurations to co-exist, and allowing multiple security policies to be associated with the same ESSID on different WLANs. Within such an environment, legacy MUs are capable of WEP, while new MUs are capable of WPA/2-TKIP and WPA2-CCMP encryption. This particular form of multi cipher (security) support helps maintain the co-existence of dynamic WEP and 802.11i based environments.
For information on configuring Multi Cipher support, see Configuring Multi Cipher Support on page 6-208.
When enabled, dynamic chain selection forces an access point radio to transmit packets using legacy transmit rates (11b, 11g and/or 11a rates) using a single transmit chain. Transmissions utilizing 11n rates (MCS0 - MCS15) continue to use a normal number of transmit chains, which may be 1, 2, or 3 depending on the configuration and power source. If dynamic chain selection is disabled, all transmissions utilize the same number of transmit chains. This feature is disabled by default.
Brocade has determined some of our 802.11abg-based phones don't receive frames transmitted by a Mobility 7131 series access point very well if all 3 transmit chains are used. When only a single transmit chain is used, communication between the access point and the phones works better. This Brocade phone issue could also exist with other 802.11 legacy devices.
For information on enabling dynamic chain selection using the access point Web applet, see Configuring the 802.11a/n or 802.11b/g/n Radio on page 5-167.
For information on using the CLI to set the access point’s dynamic chain selection configuration, see br7131>admin(network.wireless.radio.802-11n[2.4 GHz])>set for the access point’s 2.4 GHz radio and br7131>admin(network.wireless.radio.802-11n[5.0 GHz])>set for the access point’s 5 GHz radio.
Beginning with this release, professional installers now have the ability to define the access point’s broadcast/multicast transmission configuration. Traditionally, the access point used the lowest basic rate for broadcast/multicast transmissions, which was ideal from a range perspective (and remains the default configuration).
The new enhancement provides an option to increase performance by transmitting broadcast/multicast group packets at a higher rate (based on the radio’s defined basic data rates). This option is optimal in environments where the access point’s broadcast/multicast (group packet) transmission range is secondary to performance. Broadcast/multicast rate control is configurable from the access point’s GUI applet, CLI and SNMP interfaces.
For information on configuring broadcast/multicast transmit rate control, see Configuring the 802.11a/n or 802.11b/g/n Radio on page 5-167.
Beginning with this release, the access point supports a CLI command enabling an access point radio to convert to sensor only support. When enabled, only sensor mode radio configurations are permitted. Radio configurations providing data (WLAN) support are not configurable using the access point’s GUI, CLI or SNMP interfaces.
Through extensive field research, Brocade has learned that not all customers wish to deploy an access point with blinking LEDs. Health care deployments in particular have requested an option to disable blinking LEDs. With this most recent release of the Mobility 7131N Access Point firmware, an option has been added to the access point’s GUI applet and CLI to disable blinking LEDs. The LEDs display and blink by default until the disable option is invoked.
For information on disabling the access point’s LEDs, refer to Configuring System Settings on page 4-67.
The following legacy features have been carried forward into the 4.x firmware baseline:
•802.11n Support
•Sensor Support
•Mesh Roaming Client
•Single or Dual Mode Radio Options
•Separate LAN and WAN Ports
•Multiple Mounting Options
•Antenna Support for 2.4 GHz and 5 GHz Radios
•Sixteen Configurable WLANs
•Support for 4 BSSIDs per Radio
•Quality of Service (QoS) Support
•Industry Leading Data Security
•VLAN Support
•Multiple Management Accessibility Options
•Updatable Firmware
•Programmable SNMP v1/v2/v3 Trap Support
•Power-over-Ethernet Support
•MU-MU Transmission Disallow
•Voice Prioritization
•Support for CAM and PSP MUs
•Statistical Displays
•Transmit Power Control
•Advanced Event Logging Capability
•Configuration File Import/Export Functionality
•Default Configuration Restoration
•DHCP Support
•Mesh Networking
•Additional LAN Subnet
•On-board Radius Server Authentication
•Hotspot Support
•Routing Information Protocol (RIP)
•Manual Date and Time Settings
•Dynamic DNS
•Auto Negotiation
•Adaptive AP
•Rogue AP Enhancements
•Radius Time-Based Authentication
•QBSS Support
•Triple Radio Support
•IP Filtering
•MU Rate Limiting
•Per Radio MU Limit
•Power Setting Configuration
•AMSDU Transmission Support
•IPSec VPN Support
Brocade provides full life-cycle support for either a new or existing 802.11n mobility deployment, from network design to day-to-day support. For information on deploying your 802.11n radio, see Configuring the 802.11a/n or 802.11b/g/n Radio on page 5-167.
The Brocade Wireless Intrusion Protection System (WIPS) protects your wireless network, mobile devices and traffic from attacks and unauthorized access. WIPS provides tools for standards compliance and around-the-clock 802.11a/b/g wireless network security in a distributed environment. WIPS allows administrators to identify and accurately locate attacks, rogue devices and network vulnerabilities in real time and permits both a wired and wireless lockdown of wireless device connections upon acknowledgement of a threat.
An access point radio can function as a sensor and upload sensor mode operation information to a dedicated WIPS server. WIPS is not supported on a WLAN basis, rather sensor functionality is supported on the access point radio(s) available to each WLAN. When an access point radio is functioning as a WIPS sensor, it is able to scan in sensor mode across all channels within the 2.4 and 5.0 GHz bands.
NOTE
Sensor support requires a Brocade AirDefense WIPS Server on the network. Sensor functionality is not provided by the access point alone. The access point works in conjunction with a dedicated WIPS server. For information on configuring an AirDefense server for optimal use with an access point in sensor mode, go to http://support.symbol.com/support/product/manuals.do, select AirDefense and download the Brocade AirDefense Enterprise 7.3.3 Users Guide.
The following is a network topology illustrating how a sensor functions within an access point supported wireless network:
A radio in sensor mode supports the following basic features:
NOTE
The functions described below are conducted on the WIPS server side, not on the access point.
•Wireless Termination - The access point attempts to force an unwanted (or unauthorized) connection to disconnect.
•Wireless Sniffing - All received frames are reported to the WIPS server. This feature provides the WIPS server with visibility into the activity on the wireless network. The WIPS server processes the received traffic and provides the IT administrator with useful information about the 802.11 RF activities in the enterprise.
•Spectrum Analysis - The data needed to provide the current RF Spectrum is provided to the WIPS server. The access point does not display the data, but it is available to the WIPS server. Spectrum analysis can operate only when there are no WLAN radios configured. The WIPS daemon and server are responsible for limiting operation only when there is no radio in WLAN mode. When a configuration change is made at the AP, the Spectrum Analysis operation stops.
•Live View - The WIPS application provides a live view of the sensors, APs and MUs operating in a WLAN. Live view support exists throughout the WIPS application, wherever a device icon appears in an information panel or navigation tree. Access Live View by right-clicking on the device, which automatically limits the data to the specific device you choose.
Sensor radios can be tuned to channels in both the 2.4 GHz and 5.0 GHz band. The channels in use by a given radio are defined by the WIPS application. There is no need to explicitly set a band for a sensor radio. Instead, select either default values or specific channels. Specific channels can be in either band.
NOTE
Mobility 7131N Access Point models with three radios never dedicate the third radio to traditional WLAN support. The third radio is either disabled or set exclusively to WIPS support (referred to in the access point interface as sensor mode).
CAUTION
Users cannot define a radio as a WIPS sensor when one of the access point radios is functioning as a rogue AP detector. To use one of the radios as a WIPS sensor, you must disable its current detector method(s) first, then set the radio for WIPS sensor support. For information on disabling rogue AP detection, see Configuring Rogue AP Detection on page 6-234.
WIPS functionality is defined as part of the access point’s quick setup procedure. For information on using the access point’s Quick Setup screen to define how WIPS can be supported on an access point radio, see Configuring Device Settings on page 3-55.
Enable the Mesh Roaming Client feature (using the access point’s CLI) to allow a client bridge to associate in the same manner as a regular mesh client bridge. After an initial (single) association, the client bridge will not attempt additional associations. Since STP will be disabled, the association forwards data as soon as the association attempt is successful. When Mesh Roaming Client is enabled, base bridge mode is not supported to avoid a loop within the mesh topology. Thus, the Mesh Roaming Client is always an end point (by design) within the mesh wireless topology. The base bridge will need STP disabled to immediately begin forwarding data when a roaming client bridge associates.
One or two possible configurations are available on legacy Mobility 7131 access points, depending on which model is purchased. If the access point is manufactured as a single radio access point, the access point enables you to configure the single radio for either 802.11a/n or 802.11b/g/n support.
If the access point is manufactured as a dual-radio access point, the access point enables you to configure one radio for 802.11a/n support, and the other for 802.11b/g/n support.
For detailed information, see Setting the Radio Configuration for a WLAN on page 5-161.
The access point has one LAN (GE1/POE) port and one WAN (GE2) port, each with their own MAC address. The access point must manage all data traffic over the LAN connection carefully as either a DHCP client, BOOTP client, DHCP server or using a static IP address. The access point can only use a Power-over-Ethernet device when connected to the LAN port.
For detailed information on configuring the Mobility 7131 Access Point LAN port, see Configuring the LAN Interface on page 5-115.
A Wide Area Network (WAN) is a widely dispersed telecommunications network. In a corporate environment, the WAN port might connect to a larger corporate network. For a small business, the WAN port might connect to a DSL or cable modem to access the Internet. Regardless, network address information must be configured for the access point’s intended mode of operation.
For detailed information on configuring the access point’s WAN port, see Configuring WAN Settings on page 5-127.
The LAN and WAN port MAC addresses can be located within the LAN and WAN Stats screens.
For detailed information on locating the access point’s MAC addresses, see Viewing WAN Statistics on page 7-253 and Viewing LAN Statistics on page 7-256. For information on access point MAC address assignments, see MAC Address Assignment on page 1-29.
The access point attaches to a wall, mounts under a ceiling or above a ceiling (attic). Choose a mounting option based on the physical environment of the coverage area. Do not mount the access point in a location that has not been approved in a radio coverage site survey.
For detailed information on the mounting options available, see Mounting an Mobility 7131 Access Point or Mobility 7131N Access Point on page 2-38.
The access point supports several 802.11a/n and 802.11b/g/n radio antennas. Select the antenna best suited to the radio transmission requirements of your coverage area.
For an exhaustive overview of the antennas and associated components supported by the Brocade access point family, refer to the Enterprise Wireless LAN Antenna Specification Guide available at http://support.symbol.com/support/product/manuals.do.
A Wireless Local Area Network (WLAN) is a data-communications system that flexibly extends the functionalities of a wired LAN. A WLAN does not require lining up devices for line-of-sight transmission, and is thus desirable for wireless networking. Roaming users can be handed off from one access point to another like a cellular phone system. WLANs can therefore be configured around the needs of specific groups of users, even when they are not in physical proximity. Sixteen WLANs are configurable on each access point.
To enable and configure WLANs on an access point radio, see Enabling Wireless LANs (WLANs) on page 5-137.
The access point supports four BSSIDs per radio. Each BSSID has a corresponding MAC address. The first MAC address corresponds to BSSID #1. The MAC addresses for the other three BSSIDs (BSSIDs #2, #3, #4) are derived by adding 1, 2, 3, respectively, to the radio MAC address.
If the radio MAC address displayed on the Radio Settings screen is 00:23:68:72:20:DC, then the BSSIDs for that radio will have the following MAC addresses:
BSSID | MAC Address | Hexadecimal Addition
BSSID #1 | 00:23:68:72:20:DC | Same as Radio MAC address
BSSID #2 | 00:23:68:72:20:DD | Radio MAC address +1
BSSID #3 | 00:23:68:72:20:DE | Radio MAC address +2
BSSID #4 | 00:23:68:72:20:DF | Radio MAC address +3
For detailed information on strategically mapping BSSIDs to WLANs, see Configuring the 802.11a/n or 802.11b/g/n Radio on page 5-167. For information on access point MAC address assignments, see MAC Address Assignment on page 1-29.
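The BSSID derivation above can feed an authorized-BSSID list for rogue AP review. The following is an added Python example, not code from the guide: it derives the four BSSIDs for each inventoried radio and classifies BSSIDs seen in a scan. Treating the MAC as a 48-bit integer so that the addition carries into the next octet is an assumption (the guide's example never reaches a carry), and the inventory names, the second radio MAC and the observed values are constructed.

```python
import string

BSSIDS_PER_RADIO = 4            # stated in the guide: four BSSIDs per radio
MAC_MAX = 0xFFFFFFFFFFFF


def parse_mac(text):
    """Return a MAC address as an integer; accepts ':' or '-' separators."""
    octets = text.strip().replace("-", ":").split(":")
    if len(octets) != 6 or any(
            len(o) != 2 or any(c not in string.hexdigits for c in o)
            for o in octets):
        raise ValueError(f"not a MAC address: {text!r}")
    return int("".join(octets), 16)


def format_mac(value):
    raw = f"{value:012X}"
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))


def derive_bssids(radio_mac):
    """BSSID #1 is the radio MAC; #2..#4 add 1, 2 and 3 (per the guide).
    Assumption: the addition carries across octet boundaries."""
    base = parse_mac(radio_mac)
    if base + BSSIDS_PER_RADIO - 1 > MAC_MAX:
        raise ValueError("BSSID block would overflow 48 bits")
    return [format_mac(base + n) for n in range(BSSIDS_PER_RADIO)]


def build_allowlist(inventory):
    """inventory: iterable of (ap_name, radio_label, radio_mac).
    Returns {bssid: (ap_name, radio_label, bssid_number)} and rejects an
    inventory in which two radios derive the same BSSID."""
    allow = {}
    for ap, radio, mac in inventory:
        for number, bssid in enumerate(derive_bssids(mac), start=1):
            if bssid in allow:
                raise ValueError(f"{bssid} derived twice; check inventory")
            allow[bssid] = (ap, radio, number)
    return allow


def classify(observed, allow):
    """Label each observed BSSID as authorized, unknown or invalid."""
    results = []
    for raw in observed:
        try:
            bssid = format_mac(parse_mac(raw))
        except ValueError:
            results.append((raw, "invalid", None))
            continue
        owner = allow.get(bssid)
        results.append((bssid, "authorized" if owner else "unknown", owner))
    return results


# Constructed sample data: the first radio MAC is the guide's example,
# the second is made up to exercise the carry case.
INVENTORY = [
    ("ap-lobby", "radio1", "00:23:68:72:20:DC"),
    ("ap-lobby", "radio2", "00:23:68:72:21:FE"),
]
OBSERVED = [
    "00-23-68-72-20-de",    # BSSID #3 of radio1, different notation
    "00:23:68:72:22:01",    # BSSID #4 of radio2, after a carry
    "00:23:68:72:20:E0",    # radio1 MAC + 4: outside the block
    "not-a-mac",
]

if __name__ == "__main__":
    for row in classify(OBSERVED, build_allowlist(INVENTORY)):
        print(row)
```

A match only shows that a BSSID falls inside an inventoried block; it does not show that the frame came from that radio.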
The Mobility 7131 Access Point QoS implementation provides applications running on different wireless devices a variety of priority levels to transmit data to and from the access point. Equal data transmission priority is fine for data traffic from applications such as Web browsers, file transfers or email, but is inadequate for multimedia applications.
Voice over Internet Protocol (VoIP), video streaming and interactive gaming are highly sensitive to latency increases and throughput reductions. These forms of higher priority data traffic can significantly benefit from the Mobility 7131 Access Point QoS implementation. The WiFi Multimedia QOS Extensions (WMM) implementation used by the Mobility 7131 Access Point shortens the time between transmitting higher priority data traffic and is thus desirable for multimedia applications. In addition, U-APSD (WMM Power Save) is also supported.
WMM defines four access categories—voice, video, best effort and background—to prioritize traffic for enhanced multimedia support.
For detailed information on configuring QoS support, see Setting the WLAN Quality of Service (QoS) Policy on page 5-147.
The access point supports numerous encryption and authentication techniques to protect the data transmitting on the WLAN.
The following authentication techniques are supported:
•Kerberos Authentication
•EAP Authentication
The following encryption techniques are supported:
•WEP Encryption
•KeyGuard Encryption
•Wi-Fi Protected Access (WPA) Using TKIP Encryption
•WPA2-CCMP (802.11i) Encryption
In addition, the access point supports the following additional security features:
•Firewall Security
•VPN Tunnels
•Content Filtering
For an overview on the encryption and authentication schemes available, refer to Configuring Access Point Security on page 6-189.
Kerberos Authentication
Authentication is a means of verifying information transmitted from a secure source. If information is authentic, you know who created it and you know it has not been altered in any way since it was originated. Authentication entails a network administrator employing a software “supplicant” on their computer or wireless device.
Authentication is critical for the security of any wireless LAN device. Traditional authentication methods are not suitable for use in wireless networks where an unauthorized user can monitor network traffic and intercept passwords. The use of strong authentication methods that do not disclose passwords is necessary. The access point uses the Kerberos authentication service protocol (specified in RFC 1510) to authenticate users/clients in a wireless network environment and to securely distribute the encryption keys used for both encrypting and decrypting.
A basic understanding of RFC 1510 Kerberos Network Authentication Service (V5) is helpful in understanding how Kerberos works. By default, WLAN devices operate in an open system network where any wireless device can associate with an AP without authorization. Kerberos requires device authentication before access to the wired network is permitted.
For detailed information on Kerberos configurations, see Configuring Kerberos Authentication on page 6-194.
EAP Authentication
The Extensible Authentication Protocol (EAP) feature provides access points and their associated MUs an additional measure of security for data transmitted over the wireless network. Using EAP, authentication between devices is achieved through the exchange and verification of certificates.
EAP is a mutual authentication method whereby both the MU and AP are required to prove their identities. Like Kerberos, the user loses device authentication if the server cannot provide proof of device identification.
Using EAP, a user requests connection to a WLAN through the access point. The access point then requests the identity of the user and transmits that identity to an authentication server. The server prompts the AP for proof of identity (supplied to the Mobility 7131 Access Point by the user) and then transmits the user data back to the server to complete the authentication process.
An MU is not able to access the network if not authenticated. When configured for EAP support, the access point displays the MU as an EAP station.
EAP is only supported on mobile devices running Windows XP, Windows 2000 (using Service Pack #4) and Windows Mobile 2003. Refer to the system administrator for information on configuring a Radius Server for EAP (802.1x) support.
For detailed information on EAP configurations, see Configuring 802.1x EAP Authentication on page 6-196.
WEP Encryption
All WLAN devices face possible information theft. Theft occurs when an unauthorized user eavesdrops to obtain information illegally. The absence of a physical connection makes wireless links particularly vulnerable to this form of theft. Most forms of WLAN security rely on encryption to various extents. Encryption entails scrambling and coding information, typically with mathematical formulas called algorithms, before the information is transmitted. An algorithm is a set of instructions or formula for scrambling the data. A key is the specific code used by the algorithm to encrypt or decrypt the data. Decryption is the decoding and unscrambling of received encrypted data.
The same device, host computer or front-end processor, usually performs both encryption and decryption. The transmit or receive direction determines whether the encryption or decryption function is performed. The device takes plain text, encrypts or scrambles the text typically by mathematically combining the key with the plain text as instructed by the algorithm, then transmits the data over the network. At the receiving end, another device takes the encrypted text and decrypts, or unscrambles, the text revealing the original message. An unauthorized user can know the algorithm, but cannot interpret the encrypted data without the appropriate key. Only the sender and receiver of the transmitted data know the key.
Wired Equivalent Privacy (WEP) is an encryption security protocol specified in the IEEE Wireless Fidelity (Wi-Fi) standard, 802.11b and supported by the access point. WEP encryption is designed to provide a WLAN with a level of security and privacy comparable to that of a wired LAN. The level of protection provided by WEP encryption is determined by the encryption key length and algorithm. An encryption key is a string of case sensitive characters used to encrypt and decrypt data packets transmitted between a mobile unit (MU) and the access point. An access point and its associated wireless clients must use the same encryption key (typically 1 through 4) to interoperate.
For detailed information on WEP, see Configuring WEP Encryption on page 6-199.
KeyGuard Encryption
Use KeyGuard to shield the master encryption keys from being discovered through hacking. KeyGuard negotiation takes place between the access point and MU upon association. The access point can use KeyGuard with Brocade MUs. KeyGuard is only supported on Brocade MUs making it a Brocade proprietary security mechanism.
For detailed information on KeyGuard configurations, see Configuring KeyGuard Encryption on page 6-201.
Wi-Fi Protected Access (WPA) Using TKIP Encryption
Wi-Fi Protected Access (WPA) is a security standard for systems operating with a Wi-Fi wireless connection. WEP’s lack of user authentication mechanisms is addressed by WPA. Compared to WEP, WPA provides superior data encryption and user authentication.
WPA addresses the weaknesses of WEP by including:
•a per-packet key mixing function
•a message integrity check
•an extended initialization vector with sequencing rules
•a re-keying mechanism
WPA uses an encryption method called Temporal Key Integrity Protocol (TKIP). WPA employs 802.1X and Extensible Authentication Protocol (EAP).
For detailed information on WPA using TKIP configurations, see Configuring WPA/WPA2 Using TKIP on page 6-203.
WPA2-CCMP (802.11i) Encryption
WPA2 is a newer 802.11i standard that provides even stronger wireless security than Wi-Fi Protected Access (WPA) and WEP. Counter-mode/CBC-MAC Protocol (CCMP) is the security standard used by the Advanced Encryption Standard (AES). AES serves the same function TKIP does for WPA-TKIP. CCMP computes a Message Integrity Check (MIC) using the proven Cipher Block Message Authentication Code (CBC-MAC) technique. Changing just one bit in a message produces a totally different result.
WPA2-CCMP is based on the concept of a Robust Security Network (RSN), which defines a hierarchy of keys with a limited lifetime (similar to TKIP). Like TKIP, the keys the administrator provides are used to derive other keys. Messages are encrypted using a 128-bit secret key and a 128-bit block of data. The end result is an encryption scheme as secure as any the Mobility 7131 Access Point provides.
For detailed information on WPA2-CCMP, see Configuring WPA2-CCMP (802.11i) on page 6-205.
Firewall Security
A firewall keeps personal data in and hackers out. The Mobility 7131 Access Point’s firewall prevents suspicious Internet traffic from proliferating across the Mobility 7131 Access Point managed network. The Mobility 7131 Access Point performs Network Address Translation (NAT) on packets passing to and from the WAN port. This combination provides enhanced security by monitoring communication with the wired network.
For detailed information on configuring the Mobility 7131 Access Point’s firewall, see Configuring Firewall Settings on page 6-210.
VPN Tunnels
Virtual Private Networks (VPNs) are IP-based networks that use encryption and tunneling to provide users remote access to a secure LAN. In essence, the trust relationship is extended from one LAN across the public network to another LAN, without sacrificing security. A VPN behaves like a private network; however, because the data travels through the public network, it needs several layers of security. The Mobility 7131 Access Point can function as a robust VPN gateway.
For detailed information on configuring VPN security support, see Configuring VPN Tunnels on page 6-216.
Content Filtering
Content filtering allows system administrators to block specific commands and URL extensions from going out through the Mobility 7131 Access Point WAN port. Therefore, content filtering affords system administrators selective control on the content proliferating the network and is a powerful screening tool. Content filtering allows the blocking of up to 10 files or URL extensions and allows blocking of specific outbound HTTP, SMTP, and FTP requests.
For detailed information on configuring content filtering support, see Configuring Content Filtering Settings on page 6-231.
A Virtual Local Area Network (VLAN) can electronically separate data on the same AP from a single broadcast domain into separate broadcast domains. By using a VLAN, you can group by logical function instead of physical location. There are 16 VLANs supported on the Mobility 7131 Access Point. An administrator can map up to 16 WLANs to 16 VLANs and enable or disable dynamic VLAN assignment. In addition to these 16 VLANs, the access point supports dynamic, user-based VLANs when using EAP authentication.
VLANs enable organizations to share network resources in various network segments within large areas (airports, shopping malls, etc.). A VLAN is a group of clients with a common set of requirements independent of their physical location. VLANs have the same attributes as physical LANs, but they enable administrators to group clients even when they are not members of the same network segment.
For detailed information on configuring VLAN support, see Configuring VLAN Support on page 5-118.
The Mobility 7131 Access Point can be accessed and configured using one of the following:
• Java-Based Web UI
• Human readable config file (imported via FTP or TFTP)
• MIB (Management Information Base)
• Command Line Interface (CLI) accessed via RS-232 or Telnet. Use the Mobility 7131 Access Point’s DB-9 serial port for direct access to the command-line interface from a PC. Use a Null-Modem cable (Part No. 25-632878-0) for the best fitting connection.
Brocade periodically releases updated versions of device firmware to the Brocade Web site. If the Mobility 7131 Access Point firmware version displayed on the System Settings screen (see Configuring System Settings on page 4-67) is older than the version on the Web site, Brocade recommends updating the Mobility 7131 Access Point to the latest firmware version for full feature functionality.
For detailed information on updating the Mobility 7131 Access Point firmware using FTP or TFTP, see Updating Device Firmware on page 4-109.
Simple Network Management Protocol (SNMP) facilitates the exchange of management information between network devices. SNMP uses Management Information Bases (MIBs) to manage the device configuration and monitor Internet devices in remote locations. MIB information accessed via SNMP is defined by a set of managed objects called Object Identifiers (OIDs). An OID is used to uniquely identify each object variable of a MIB.
SNMP allows a network administrator to configure the access point, manage network performance, find and solve network problems, and plan network growth. The Mobility 7131 Access Point supports SNMP management functions for gathering information from its network components. The access point’s download site contains the following MIB files supporting the access point:
• Symbol-CC-WS2000-MIB-2.0 (standard MIB file)
• Symbol-AP_MIB
The Mobility 7131 Access Point’s SNMP agent functions as a command responder and is a multilingual agent responding to SNMPv1, v2c and v3 managers (command generators). The factory default configuration maintains SNMPv1/2c support of community names, thus providing backward compatibility.
For detailed information on configuring SNMP traps, see Configuring SNMP Settings on page 4-87.
When users purchase a Brocade WLAN solution, they often need to place access points in obscure locations. In the past, a dedicated power source was required for each access point in addition to the Ethernet infrastructure. This often required an electrical contractor to install power drops at each access point location.
An approved Power Injector solution merges power and Ethernet into one cable, reducing the burden of installation and allowing optimal Mobility 7131 Access Point placement with respect to the intended radio coverage area. The access point can only use a Power-over-Ethernet device when connected to the access point’s LAN (GE1/POE) port. The access point can also support 3af/3at compliant products from other vendors.
The Power Injector (Part No. AP-PSBIAS-1P3-AFR) is a single-port Power over Ethernet hub combining low-voltage DC with Ethernet data in a single cable connecting to the Mobility 7131 Access Point. The Power Injector’s single DC and Ethernet data cable creates a modified Ethernet cabling environment on the Mobility 7131 Access Point’s LAN port, eliminating the need for separate Ethernet and power cables. For detailed information on using the Power Injector, see Power Injector System on page 2-35.
The access point’s MU-MU Disallow feature prohibits MUs from communicating with each other even if on the same WLAN, assuming one of the WLANs is configured to disallow MU-MU communication. Therefore, if an MU’s WLAN is configured for MU-MU disallow, it will not be able to communicate with any other MUs connected to this access point.
For detailed information on configuring a Mobility 7131 Access Point WLAN to disallow MU to MU communications, see Creating/Editing Individual WLANs on page 5-139.
Each Mobility 7131 Access Point WLAN has the capability of having its QoS policy configured to prioritize the network traffic requirements for associated MUs. A WLAN QoS page is available for each enabled WLAN on either the 802.11a/n or 802.11b/g/n radio.
Use the QoS page to enable voice prioritization for devices to receive the transmission priority they may not normally receive over other data traffic. Voice prioritization allows the Mobility 7131 Access Point to assign priority to voice traffic over data traffic, and (if necessary) assign legacy voice supported devices (non WMM supported voice devices) additional priority.
For detailed information on configuring voice prioritization over other voice enabled devices, see Setting the WLAN Quality of Service (QoS) Policy on page 5-147.
The Mobility 7131 Access Point supports both CAM and PSP powered MUs. CAM (Continuously Aware Mode) MUs leave their radios on continuously to hear every beacon and message transmitted. These systems operate without any adjustments by the Mobility 7131 Access Point.
A beacon is a uniframe system packet broadcast by the AP to keep the network synchronized. A beacon includes the ESSID, Mobility 7131 Access Point MAC address, Broadcast destination addresses, a time stamp, a DTIM (Delivery Traffic Indication Message) and the TIM (Traffic Indication Map).
PSP (Power Save Polling) MUs power off their radios for short periods. When an MU in PSP mode associates with a Mobility 7131 Access Point, it notifies the Mobility 7131 Access Point of its activity status. The Mobility 7131 Access Point responds by buffering packets received for the MU. PSP mode is used to extend an MU’s battery life by enabling the MU to “sleep” during periods of inactivity.
The Mobility 7131 Access Point can display robust transmit and receive statistics for the WAN and LAN ports. WLAN stats can be displayed collectively and individually for enabled WLANs. Transmit and receive statistics are available for the Mobility 7131 Access Point’s 802.11a/n and 802.11b/g/n radios. An advanced radio statistics page is also available to display retry histograms for specific data packet retry information.
Associated MU stats can be displayed collectively and individually for specific MUs. An echo (ping) test is also available to ping specific MUs to assess association strength. Finally, the Mobility 7131 Access Point can detect and display the properties of other APs detected within its radio coverage area. The type of AP detected can be displayed as well as the properties of individual APs.
For detailed information on available Mobility 7131 Access Point statistical displays and the values they represent, see Monitoring Statistics on page 7-253.
The Mobility 7131 Access Point has a configurable power level for each radio. This enables the network administrator to define the antenna’s transmission power level in respect to the access point’s placement or network requirements as defined in the Mobility 7131 Access Point site survey.
For detailed information on setting the radio transmit power level, see Configuring the 802.11a/n or 802.11b/g/n Radio on page 5-167.
The Mobility 7131 Access Point periodically logs system events. Logging events is useful in assessing the throughput and performance of the Mobility 7131 Access Point or troubleshooting problems on the Mobility 7131 Access Point managed Local Area Network (LAN).
For detailed information on Mobility 7131 Access Point events, see Logging Configuration on page 4-103.
Configuration settings for a Mobility 7131 Access Point can be downloaded from the current configuration of another Mobility 7131 Access Point. This affords the administrator the ability to save the current configuration before making significant changes or restoring a default configuration. A configuration file from a single radio Mobility 7131 Access Point can be imported to a single radio model Mobility 7131N Access Point. Similarly, a configuration file from a dual radio Mobility 7131 Access Point can be imported to a dual radio model Mobility 7131N Access Point.
For detailed information on importing or exporting configuration files, see Importing/Exporting Configurations on page 4-104.
The Mobility 7131 Access Point can restore its default configuration or a partial default configuration (with the exception of current WAN and SNMP settings). Restoring the default configuration is a good way to create new WLANs if the MUs the Mobility 7131 Access Point supports have been moved to different radio coverage areas.
For detailed information on restoring a default or partial default configuration, see Configuring System Settings on page 4-67.
The Mobility 7131 Access Point can use Dynamic Host Configuration Protocol (DHCP) to obtain a leased IP address and configuration information from a remote server. DHCP is based on the BOOTP protocol and can coexist or interoperate with BOOTP. Configure the Mobility 7131 Access Point to send out a DHCP request searching for a DHCP/BOOTP server to acquire HTML, firmware or network configuration files when the Mobility 7131 Access Point boots. Because BOOTP and DHCP interoperate, whichever responds first becomes the server that allocates information.