Edge-Core EAP8518 User Manual

EAP8518
802.11n Access Point
User Guide
www.edge-core.com
IEEE 802.11n Access Point
E092009-DT-R01
149100000037A
COMPLIANCES
FEDERAL COMMUNICATION COMMISSION INTERFERENCE STATEMENT
This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one of the following measures:
Reorient or relocate the receiving antenna
Increase the separation between the equipment and receiver
Connect the equipment into an outlet on a circuit different from that to which the receiver is connected
Consult the dealer or an experienced radio/TV technician for help
This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) This device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation.
FCC Caution: Any changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate this equipment.
For product available in the USA/Canada market, only channel 1~11 can be operated. Selection of other channels is not possible.
This device and its antenna(s) must not be co-located or operating in conjunction with any other antenna or transmitter.
When this device is operated in the 5.15~5.25 GHz frequency range, it is restricted to indoor environments only.
IMPORTANT NOTE: FCC RADIATION EXPOSURE STATEMENT
This equipment complies with FCC radiation exposure limits set forth for an uncontrolled environment. This equipment should be installed and operated with minimum distance 20 cm between the radiator & your body.
IC STATEMENT :
This Class B digital apparatus complies with Canadian ICES-003.
Operation is subject to the following two conditions: (1) this device may not cause interference, and (2) this device must accept any interference, including interference that may cause undesired operation of the device.
Cet appareil numérique de la classe B est conforme à la norme NMB-003 du Canada.
To reduce potential radio interference to other users, the antenna type and its gain should be so chosen that the equivalent isotropically radiated power (e.i.r.p) is not more than that permitted for successful communication.
This device has been designed to operate with the antennas listed below, and having a maximum gain of 5 dB. Antennas not included in this list or having a gain greater than 5 dB are strictly prohibited for use with this device. The required antenna impedance is 50 ohms.
The device could automatically discontinue transmission in case of absence of information to transmit, or operational failure. Note that this is not intended to prohibit transmission of control or signaling information or the use of repetitive codes where required by the technology.
The device for the band 5150-5250 MHz is only for indoor usage to reduce potential for harmful interference to co-channel mobile satellite systems.
The maximum antenna gain permitted (for devices in the band 5725-5825 MHz) to comply with the e.i.r.p. limits specified for point-to-point and non point-to-point operation as appropriate, as stated in section A9.2(3).
The maximum antenna gain permitted (for devices in the bands 5250-5350 MHz and 5470-5725 MHz) to comply with the e.i.r.p. limit.
High-power radars are allocated as primary users (meaning they have priority) of the bands 5250-5350 MHz and 5650-5850 MHz and these radars could cause interference and/or damage to LE-LAN devices.
IMPORTANT NOTE: IC RADIATION EXPOSURE STATEMENT:
This equipment complies with IC RSS-102 radiation exposure limits set forth for an uncontrolled environment. This equipment should be installed and operated with minimum distance 20 cm between the radiator & your body.
AUSTRALIA/NEW ZEALAND AS/NZS 4771
ACN 066 352010
TAIWAN NCC
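According to the Ministry of Transportation and Communications regulations governing low-power radio-frequency devices:
Article 12: For low-power radio-frequency devices that have passed type approval, no company, business or user may, without permission, change the frequency, increase the power, or alter the characteristics and functions of the original design.
Article 14: The use of low-power radio-frequency devices must not affect aviation safety or interfere with legal communications; if interference is found, use must stop immediately and may resume only after the interference has been eliminated. The legal communications referred to above are radio communications operated in accordance with the Telecommunications Act. Low-power radio-frequency devices must tolerate interference from legal communications and from industrial, scientific and medical equipment that radiates radio waves.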
EC CONFORMANCE DECLARATION
Marking by the above symbol indicates compliance with the Essential Requirements of the R&TTE Directive of the European Union (1999/5/EC). This equipment meets the following conformance standards:
EN 60950-1 (IEC 60950-1) - Product Safety
EN 301 893 - Technical requirements for 5 GHz radio equipment
EN 300 328 - Technical requirements for 2.4 GHz radio equipment
EN 301 489-1 / EN 301 489-17 - EMC requirements for radio equipment
This device is intended for use in the following European Community and EFTA countries:
Austria Belgium Cyprus Czech Republic Denmark
Estonia Finland France Germany Greece
Hungary Iceland Ireland Italy Latvia
Liechtenstein Lithuania Luxembourg Malta Netherlands
Norway Poland Portugal Slovakia Slovenia
Spain Sweden Switzerland United Kingdom
Requirements for indoor vs. outdoor operation, license requirements and allowed channels of operation apply in some countries as described below:
In Italy the end-user must apply for a license from the national spectrum authority to operate this device outdoors.
In Belgium outdoor operation is only permitted using the 2.46 - 2.4835 GHz band: Channel 13.
In France outdoor operation is only permitted using the 2.4 - 2.454 GHz band: Channels 1 - 7.
NOTE: The user must use the configuration utility provided with this product to ensure the channels of operation are in conformance with the spectrum usage rules for European Community countries as described below.
This device requires that the user or installer properly enter the current country of operation in the command line interface as described in the user guide, before operating this device.
This device will automatically limit the allowable channels determined by the current country of operation. Incorrectly entering the country of operation may result in illegal operation and may cause harmful interference to other systems. The user is obligated to ensure the device is operating according to the channel limitations, indoor/outdoor restrictions and license requirements for each European Community country as described in this document.
This device employs a radar detection feature required for European Community operation in the 5 GHz band. This feature is automatically enabled when the country of operation is correctly configured for any European Community country. The presence of nearby radar operation may result in temporary interruption of operation of this device. The radar detection feature will automatically restart operation on a channel free of radar.
The 5 GHz Turbo Mode feature is not allowed for operation in any European Community country. The current setting for this feature is found in the 5 GHz 802.11a Radio Settings Window as described in the user guide.
The 5 GHz radio's Auto Channel Select setting described in the user guide must always remain enabled to ensure that automatic 5 GHz channel selection complies with European requirements. The current setting for this feature is found in the 5 GHz 802.11a Radio Settings Window as described in the user guide.
This device is restricted to indoor use when operated in the European Community using the 5.15 - 5.35 GHz band: Channels 36, 40, 44, 48, 52, 56, 60, 64. See table below for allowed 5 GHz channels by country.
This device may be operated indoors or outdoors in all countries of the European Community using the 2.4 GHz band: Channels 1 - 13, except where noted below.
In Italy the end-user must apply for a license from the national spectrum authority to operate this device outdoors.
In Belgium outdoor operation is only permitted using the 2.46 - 2.4835 GHz band: Channel 13.
In France outdoor operation is only permitted using the 2.4 - 2.454 GHz band: Channels 1 - 7.
OPERATION USING 5 GHZ CHANNELS IN THE EUROPEAN COMMUNITY
The user/installer must use the provided configuration utility to check the current channel of operation and make necessary configuration changes to ensure operation occurs in conformance with European National spectrum usage laws as described below and elsewhere in this document.
Allowed Frequency Bands | Allowed Channel Numbers | Countries
5.15 - 5.25 GHz* | 36, 40, 44, 48 | Austria, Belgium
5.15 - 5.35 GHz* | 36, 40, 44, 48, 52, 56, 60, 64 | France, Switzerland, Liechtenstein
5.15 - 5.35* & 5.470 - 5.725 GHz | 36, 40, 44, 48, 52, 56, 60, 64, 100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140 | Denmark, Finland, Germany, Iceland, Ireland, Italy, Luxembourg, Netherlands, Norway, Portugal, Spain, Sweden, U.K.
5 GHz Operation Not Allowed | None | Greece
* Outdoor operation is not allowed using 5.15-5.35 GHz bands (Channels 36 - 64).
DECLARATION OF CONFORMITY IN LANGUAGES OF THE EUROPEAN COMMUNITY
Czech (Česky) | Edgecore tímto prohlašuje, že tento Radio LAN device je ve shodě se základními požadavky a dalšími příslušnými ustanoveními směrnice 1999/5/ES.
Estonian (Eesti) | Käesolevaga kinnitab Edgecore seadme Radio LAN device vastavust direktiivi 1999/5/EÜ põhinõuetele ja nimetatud direktiivist tulenevatele teistele asjakohastele sätetele.
English | Hereby, Edgecore, declares that this Radio LAN device is in compliance with the essential requirements and other relevant provisions of Directive 1999/5/EC.
Finnish (Suomi) | Valmistaja Edgecore vakuuttaa täten että Radio LAN device tyyppinen laite on direktiivin 1999/5/EY oleellisten vaatimusten ja sitä koskevien direktiivin muiden ehtojen mukainen.
Dutch (Nederlands) | Hierbij verklaart Edgecore dat het toestel Radio LAN device in overeenstemming is met de essentiële eisen en de andere relevante bepalingen van richtlijn 1999/5/EG
Dutch (Nederlands) | Bij deze Edgecore dat deze Radio LAN device voldoet aan de essentiële eisen en aan de overige relevante bepalingen van Richtlijn 1999/5/EC.
French (Français) | Par la présente Edgecore déclare que l'appareil Radio LAN device est conforme aux exigences essentielles et aux autres dispositions pertinentes de la directive 1999/5/CE
Swedish (Svenska) | Härmed intygar Edgecore att denna Radio LAN device står I överensstämmelse med de väsentliga egenskapskrav och övriga relevanta bestämmelser som framgår av direktiv 1999/5/EG.
Danish (Dansk) | Undertegnede Edgecore erklærer herved, at følgende udstyr Radio LAN device overholder de væsentlige krav og øvrige relevante krav i direktiv 1999/5/EF
German (Deutsch) | Hiermit erklärt Edgecore, dass sich dieser/diese/dieses Radio LAN device in Übereinstimmung mit den grundlegenden Anforderungen und den anderen relevanten Vorschriften der Richtlinie 1999/5/EG befindet. (BMWi)
German (Deutsch) | Hiermit erklärt Edgecore die Übereinstimmung des Gerätes Radio LAN device mit den grundlegenden Anforderungen und den anderen relevanten Festlegungen der Richtlinie 1999/5/EG. (Wien)
Greek (Ελληνική) | με την παρουσα Edgecore δηλωνει οτι radio LAN device συμμορφωνεται προσ τισ ουσιωδεισ απαιτησεισ και τισ λοιπεσ σχετικεσ διαταξεισ τησ οδηγιασ 1999/5/εκ.
Hungarian (Magyar) | Alulírott, Edgecore nyilatkozom, hogy a Radio LAN device megfelel a vonatkozó alapvetõ követelményeknek és az 1999/5/EC irányelv egyéb elõírásainak.
Italian (Italiano) | Con la presente Edgecore dichiara che questo Radio LAN device è conforme ai requisiti essenziali ed alle altre disposizioni pertinenti stabilite dalla direttiva 1999/5/CE.
Latvian (Latviski) | Ar šo Edgecore deklarē, ka Radio LAN device atbilst Direktīvas 1999/5/EK būtiskajām prasībām un citiem ar to saistītajiem noteikumiem.
Lithuanian (Lietuvių) | Šiuo Edgecore deklaruoja, kad šis Radio LAN device atitinka esminius reikalavimus ir kitas 1999/5/EB Direktyvos nuostatas.
Maltese (Malti) | Hawnhekk, Edgecore, jiddikjara li dan Radio LAN device jikkonforma mal-ħtiġijiet essenzjali u ma provvedimenti oħrajn relevanti li hemm fid-Dirrettiva 1999/5/EC.
Spanish (Español) | Por medio de la presente Edgecore declara que el Radio LAN device cumple con los requisitos esenciales y cualesquiera otras disposiciones aplicables o exigibles de la Directiva 1999/5/CE
Polish (Polski) | Niniejszym Edgecore oświadcza, że Radio LAN device jest zgodny z zasadniczymi wymogami oraz pozostałymi stosownymi postanowieniami Dyrektywy 1999/5/EC.
Portuguese (Português) | Edgecore declara que este Radio LAN device está conforme com os requisitos essenciais e outras disposições da Directiva 1999/5/CE.
Slovak (Slovensky) | Edgecore týmto vyhlasuje, že Radio LAN device spĺňa základné požiadavky a všetky príslušné ustanovenia Smernice 1999/5/ES.
Slovenian (Slovensko) | Edgecore izjavlja, da je ta radio LAN device v skladu z bistvenimi zahtevami in ostalimi relevantnimi določili direktive 1999/5/ES.
ABOUT THIS GUIDE
PURPOSE
This guide gives specific information on how to install the 11n wireless access point and its physical and performance related characteristics. It also gives information on how to operate and use the management functions of the access point.
AUDIENCE
This guide is intended for use by network administrators who are responsible for installing, operating, and maintaining network equipment; consequently, it assumes a basic working knowledge of LANs (Local Area Networks), the Internet Protocol (IP), and Simple Network Management Protocol (SNMP).
CONVENTIONS
The following conventions are used throughout this guide to show information:
NOTE: Emphasizes important information or calls your attention to related features or instructions.
CAUTION: Alerts you to a potential hazard that could cause loss of data, or damage the system or equipment.
WARNING: Alerts you to a potential hazard that could cause personal injury.
RELATED PUBLICATIONS
As part of the access point’s software, there is an online web-based help that describes all management related features.
REVISION HISTORY
This section summarizes the changes in each revision of this guide.
SEPTEMBER 2009 REVISION
This is the first revision of this guide. It is valid for software version 1.1.0.13.
CONTENTS
COMPLIANCES
ABOUT THIS GUIDE
CONTENTS
FIGURES
TABLES
INDEX OF CLI COMMANDS
SECTION I GETTING STARTED
1 INTRODUCTION
Key Hardware Features
Description of Capabilities
Package Contents
Hardware Description
Antennas
External Antenna Connectors
LED Indicators
Console Port
Ethernet Port
Power Connector
Reset Button
2 NETWORK TOPOLOGIES
Interference Issues
Infrastructure Wireless LAN
Infrastructure Wireless LAN for Roaming Wireless PCs
Infrastructure Wireless Bridge
3 INSTALLING THE ACCESS POINT
Location Selection
Mounting on a Horizontal Surface
Mounting on a Wall
Connecting and Powering On
4 INITIAL CONFIGURATION
Connecting to the Login Page
Home Page and Main Menu
Common Web Page Buttons
Quick Start
Step 1
Step 2
Step 3
Main Menu Items
SECTION II WEB CONFIGURATION
5 SYSTEM SETTINGS
Administration Settings
IP Address
RADIUS Settings
Primary and Secondary RADIUS Server Setup
RADIUS Accounting
System Time
SNTP Server Settings
Time Zone Setting
Daylight Saving Settings
SpectraLink Voice Priority
VLAN Configuration
System Logs
Quick Start Wizard
6 MANAGEMENT SETTINGS
Remote Management Settings
Access Limitation
Simple Network Management Protocol
SNMP Basic Settings
SNMP Trap Settings
View Access Control Model
SNMPv3 Users
SNMPv3 Targets
SNMPv3 Notification Filters
7 ADVANCED SETTINGS
Local Bridge Filter
Link Layer Discovery Protocol
Access Control Lists
Source Address Settings
Destination Address Settings
Ethernet Type
8 WIRELESS SETTINGS
Spanning Tree Protocol (STP)
Bridge
Ethernet Interface
Wireless Interface
Authentication
Local MAC Authentication
RADIUS MAC Authentication
Interface Mode
Radio Settings
Virtual Access Points (VAPs)
VAP Basic Settings
WDS-STA Mode
Wireless Security Settings
Wired Equivalent Privacy (WEP)
Quality of Service (QoS)
9 MAINTENANCE SETTINGS
Upgrading Firmware
Running Configuration
Resetting the Access Point
10 STATUS INFORMATION
AP Status
AP System Configuration
AP Wireless Configuration
Station Status
Event Logs
SECTION III COMMAND LINE INTERFACE
11 USING THE COMMAND LINE INTERFACE
Console Connection
Telnet Connection
Entering Commands
Keywords and Arguments
Minimum Abbreviation
Command Completion
Getting Help on Commands
Showing Commands
Negating the Effect of Commands
Using Command History
Understanding Command Modes
Exec Commands
Configuration Commands
Command Line Processing
12 GENERAL COMMANDS
13 SYSTEM MANAGEMENT COMMANDS
14 SYSTEM LOGGING COMMANDS
15 SYSTEM CLOCK COMMANDS
16 DHCP RELAY COMMANDS
17 SNMP COMMANDS
18 FLASH/FILE COMMANDS
19 RADIUS CLIENT COMMANDS
20 802.1X AUTHENTICATION COMMANDS
21 MAC ADDRESS AUTHENTICATION COMMANDS
22 FILTERING COMMANDS
23 SPANNING TREE COMMANDS
24 WDS BRIDGE COMMANDS
25 ETHERNET INTERFACE COMMANDS
26 WIRELESS INTERFACE COMMANDS
27 WIRELESS SECURITY COMMANDS
28 LINK LAYER DISCOVERY COMMANDS
29 VLAN COMMANDS
30 WMM COMMANDS
SECTION IV APPENDICES
A TROUBLESHOOTING
Diagnosing LED Indicators
Before Contacting Technical Support
B WDS SETUP EXAMPLES
Basic WDS Link Between Two APs
WDS Links Between Three or More APs
C HARDWARE SPECIFICATIONS
D CABLES AND PINOUTS
Twisted-Pair Cable Assignments
10/100BASE-TX Pin Assignments
Straight-Through Wiring
Crossover Wiring
1000BASE-T Pin Assignments
Console Port Pin Assignments
GLOSSARY
INDEX
FIGURES
Figure 1: Top Panel
Figure 2: Rear Panel
Figure 3: Ports
Figure 4: External Antenna Connectors
Figure 5: Screw-off External Antenna Connector - Close Up
Figure 6: LEDs
Figure 7: Infrastructure Wireless LAN
Figure 8: Infrastructure Wireless LAN for Roaming Wireless PCs
Figure 9: Bridging Mode
Figure 10: Attach Feet
Figure 11: Wall Mounting
Figure 12: Login Page
Figure 13: Home Page
Figure 14: Set Configuration Changes
Figure 15: Help Menu
Figure 16: Quick Start - Step 1
Figure 17: Quick Start - Step 2
Figure 18: Quick Start - Step 3
Figure 19: Administration
Figure 20: IP Configuration
Figure 21: RADIUS Settings
Figure 22: SNTP Settings
Figure 23: SVP Settings
Figure 24: Setting the VLAN Identity
Figure 25: System Log Settings
Figure 26: Remote Management
Figure 27: Access Limitation
Figure 28: SNMP Basic Settings
Figure 29: SNMP Trap Settings
Figure 30: SNMP VACM
Figure 31: Configuring SNMPv3 Users
Figure 32: SNMPv3 Targets
Figure 33: SNMP Notification Filter
Figure 34: Local Bridge Filter
Figure 35: LLDP Settings
Figure 36: Source ACLs
Figure 37: Destination ACLs
Figure 38: Ethernet Type Filter
Figure 39: Spanning Tree Protocol
Figure 40: Local Authentication
Figure 41: RADIUS Authentication
Figure 42: Interface Mode
Figure 43: Radio Settings
Figure 44: VAP Settings
Figure 45: VAP Basic Settings
Figure 46: WDS-STA Mode
Figure 47: Configuring VAPs - Common Settings
Figure 48: WEP Configuration
Figure 49: WMM Backoff Wait Times
Figure 50: QoS
Figure 51: Firmware
Figure 52: Running Configuration File
Figure 53: Resetting the Access Point
Figure 54: AP System Configuration
Figure 55: AP Wireless Configuration
Figure 56: Station Status
Figure 57: Event Logs
Figure 58: Basic WDS Link Between Two APs
Figure 59: WDS Example — Access Point A VAP Setting
Figure 60: WDS Example — Access Point A VAP Details
Figure 61: WDS Example — Access Point A WDS-AP VAP Setting
Figure 62: WDS Example — Access Point A VAP SSID and MAC
Figure 63: WDS Example — Access Point B VAP Details
Figure 64: WDS Example — Access Point B WDS-STA VAP Setting
Figure 65: WDS Example — Access Point A Station Status
Figure 66: WDS Links Between Three or More APs
Figure 67: RJ-45 Connector
Figure 68: Straight Through Wiring
Figure 69: Crossover Wiring
Figure 70: RJ-45 Console
TABLES
Table 1: Key Hardware Features
Table 2: LED Behavior
Table 3: Logging Levels
Table 4: WMM Access Categories
Table 5: Command Modes
Table 6: Keystroke Commands
Table 7: General Commands
Table 8: System Management Commands
Table 9: Country Codes
Table 10: System Management Commands
Table 11: Logging Levels
Table 12: System Clock Commands
Table 13: DHCP Relay Commands
Table 14: SNMP Commands
Table 15: Flash/File Commands
Table 16: RADIUS Client Commands
Table 17: 802.1x Authentication
Table 18: MAC Address Authentication
Table 19: Filtering Commands
Table 20: Spanning Tree Commands
Table 21: WDS Bridge Commands
Table 22: Ethernet Interface Commands
Table 23: Wireless Interface Commands
Table 24: Wireless Security Commands
Table 25: Link Layer Discovery Commands
Table 26: VLAN Commands
Table 27: WMM Commands
Table 28: AP Parameters
Table 29: BSS Parameters
Table 30: LED Indicators
Table 31: 10/100BASE-TX MDI and MDI-X Port Pinouts
Table 32: 1000BASE-T MDI and MDI-X Port Pinouts
Table 33: Console Port Pinouts
INDEX OF CLI COMMANDS
NUMERICS
802.1x enable, 802.1x session-timeout
A
address filter default, address filter delete, address filter entry, a-mpdu, a-msdu, apmgmgtui ssh enable, apmgmtip, apmgmtui http port, apmgmtui http server, apmgmtui http session-timeout, apmgmtui https port, apmgmtui https server, apmgmtui snmp, apmgmtui ssh port, apmgmtui telnet-server enable, assoc-timeout-interval, auth, auth-timeout-interval
B
beacon-interval, bridge stp br-conf forwarding-delay, bridge stp br-conf hello-time, bridge stp br-conf max-age, bridge stp br-conf priority, bridge stp port-conf interface, bridge stp service, bridge-link path-cost, bridge-link port-priority
C
channel, cipher-suite, cli-session-timeout, closed-system, configure, copy, country
D
dhcp-relay server, dns, dtim-period, dual-image
E
encryption, end, exit
F
filter acl-destination-address, filter acl-source-address, filter ap-manage, filter ethernet-type enabled, filter ethernet-type protocol, filter local-bridge
I
interface ethernet, interface wireless, interface-radio-mode, ip address, ip dhcp
K
key
L
lldp service, lldp transmit delay-to-local-change, lldp transmit interval, lldp transmit re-init-delay, lldp-transmit hold-muliplier, logging clear, logging console, logging host, logging level, logging on
M
mac-authentication server, mac-authentication session-timeout, make-radius-effective, make-rf-setting-effective, make-security-effective, management-vlanid
P
password, path-cost (STP Interface), ping, pmksa-lifetime, port-priority (STP Interface), preamble, prompt
R
radius-server accounting address, radius-server accounting key, radius-server accounting port, radius-server accounting timeout-interim, radius-server address, radius-server enable, radius-server key, radius-server port, reset, rts-threshold
S
short-guard-interval, show apmanagement, show authentication, show bridge br-conf, show bridge forward address, show bridge port-conf interface, show bridge status, show bridge stp, show config, show dual-image, show event-log, show filters, show interface ethernet, show interface wireless, show line, show lldp, show logging, show radius, show snmp, show snmp filter, show snmp target, show snmp users, show snmp vacm group, show snmp vacm view, show sntp, show station, show system, show version, show wds wireless, shutdown, snmp-server community, snmp-server contact, snmp-server enable server, snmp-server filter, snmp-server host, snmp-server location, snmp-server target, snmp-server trap, snmp-server user, snmp-server vacm group, snmp-server vacm view, sntp-server date-time, sntp-server daylight-saving, sntp-server enabled, sntp-server ip, sntp-server timezone, ssid, system name
T
transmit-key, transmit-power
V
vap, vap (STP Interface), vlan, vlan-id
W
wds ap, wds sta, wmm, wmm-acknowledge-policy, wmmparam, wpa-pre-shared-key
SECTION I
GETTING STARTED
This section provides an overview of the access point, and introduces some basic concepts about wireless networking. It also describes the basic settings required to access the management interface.
This section includes these chapters:
“Introduction”
“Network Topologies”
“Installing the Access Point”
“Initial Configuration”
1 INTRODUCTION
The EAP8518 is an IEEE 802.11n access point (AP) that meets draft 2.0 standards. It is fully interoperable with older 802.11a/b/g standards, providing a transparent, wireless high speed data communication between the wired LAN and fixed or mobile devices. The unit includes three detachable dual-band 2.4/5 GHz antennas with the option to attach alternative antennas that can extend or shape the network coverage area.
KEY HARDWARE FEATURES
The following table describes the main hardware features of the AP.
Table 1: Key Hardware Features
Feature | Description
Antennas | Three detachable dual-band 2.4/5 GHz MIMO antennas.
LAN Port | One 1000BASE-T RJ-45 port that supports a Power over Ethernet (PoE) connection to power the device.
Console Port | Console connection through an RJ-45 port with included RS-232 serial cable.
Reset Button | For resetting the unit and restoring factory defaults.
LEDs | Provides LED indicators for system status, wireless radio status, and LAN port status.
Power | Power over Ethernet (PoE) support through the RJ-45 Ethernet port, or from an external AC power adapter.
Mounting Options | Can be mounted on a wall, or on any horizontal surface such as a desktop or shelf.
DESCRIPTION OF CAPABILITIES
The EAP8518 supports up to eight Virtual Access Point (VAP) interfaces, which allow traffic to be separated for different user groups within the same AP service area. The VAPs can support up to a total of 64 wireless clients, whereby the clients associate with each VAP in the same way as they would with physically separate access points. This means that each VAP can be configured with its own Service Set Identification (SSID), security settings, VLAN assignments, and other parameters, allowing the AP to serve a diverse range of client needs in an area from a single unit.
In addition, the access point offers full network management capabilities through an easy to configure web interface, a command line interface for initial configuration and troubleshooting, and support for Simple Network Management tools.
The EAP8518 utilises MIMO technology and Spatial Multiplexing to achieve the highest possible data rate and throughput on the 802.11n frequency. The unit’s PoE RJ-45 port provides a 1 Gbps full-duplex link to a wired LAN.
PACKAGE CONTENTS
The EAP8518 package includes:
11n Access Point (EAP8518)
RJ-45 to RS-232 console cable
AC power adapter
Four rubber feet
User Guide CD
Inform your dealer if there are any incorrect, missing or damaged parts. If possible, retain the carton, including the original packing materials. Use them again to repack the product in case there is a need to return it.
HARDWARE DESCRIPTION
Figure 1: Top Panel
Figure 2: Rear Panel
Labelled parts in Figures 1 and 2: LED Indicators, Antennas, DC Power Socket, RJ-45 PoE Port, Reset Button, RJ-45 Console Port.
Figure 3: Ports
Labelled parts in Figure 3: DC Power Port, RJ-45 PoE Port, RJ-45 Console Port.
ANTENNAS
The access point includes three integrated external MIMO (multiple-input and multiple-output) antennas. MIMO uses multiple antennas for transmitting and receiving radio signals to improve data throughput and link range.
Each antenna transmits the outgoing signal as a toroidal sphere (doughnut shaped), with the coverage extending most in a direction perpendicular to the antenna. Therefore, the antennas should be adjusted to an angle that provides the appropriate coverage for the service area.
EXTERNAL ANTENNA CONNECTORS
The antennas supplied with the AP screw off in a clockwise manner and can be replaced with alternative antennas that can extend or shape the coverage area.
Figure 4: External Antenna Connectors
Figure 5: Screw-off External Antenna Connector - Close Up
LED INDICATORS
The access point includes four status LED indicators, as described in the following figure and table.
Figure 6: LEDs
Labelled parts in Figure 6: Ethernet Link/Activity, System Error or Failure, Power, 802.11 a/b/g/n Link/Activity.
Table 2: LED Behavior
LED | Status | Description
LAN | Off | Ethernet RJ-45 has no valid link.
LAN | Blue | Ethernet RJ-45 has a 1000 Mbps link. Blinking indicates network activity.
LAN | Green | Ethernet RJ-45 has a 100 Mbps link. Blinking indicates network activity.
LAN | Amber | Ethernet RJ-45 has a 10 Mbps link. Blinking indicates network activity.
WLAN | Off | The AP radio is disabled.
WLAN | Green | The radio is operating at 5 GHz (802.11a/n). Blinking indicates network activity.
WLAN | Yellow | The radio is operating at 2.4 GHz (802.11b/g/n). Blinking indicates network activity.
Diag/Fail | Off | The AP is operating normally.
Diag/Fail | Red | The AP has detected a fault.
Diag/Fail | Blinking | The system is initializing.
Power | Off | The AP has no power.
Power | Yellow | The AP is receiving power.
C
HAPTER
1
| Introduction
Hardware Description
CONSOLE PORT This port is used to connect a console device to the access point through a
serial cable. The console device can be a PC or workstation running a VT­100 terminal emulator, or a VT-100 terminal. A crossover RJ-45 to DB-9 cable is supplied with the unit for connecting to the console port.
ETHERNET PORT The access point has one 1000BASE-T RJ-45 port that can be attached
directly to 10BASE-T/100BASE-TX/1000BASE-TX LAN segments.
This port supports automatic MDI/MDI-X operation, so you can use straight-through cables for all network connections to PCs, switches, or hubs.
The access point appears as an Ethernet node and performs a bridging function by moving packets from the wired LAN to remote workstations on the wireless infrastructure.
N
OTE
:
The RJ-45 port also supports Power over Ethernet (PoE) based on the IEEE 802.3af standard. Refer to the description for the “Power Connector” for information on supplying power to the access point’s network port from a network device, such as a switch or power injector, that provides Power over Ethernet (PoE).
POWER CONNECTOR
The access point does not have a power switch. It is powered on when connected to the AC power adapter, and the power adapter is connected to a power source. The power adapter automatically adjusts to any voltage between 100~240 volts at 50 or 60 Hz, and supplies 12 volts DC power to the unit. No voltage range settings are required.
The access point may also receive Power over Ethernet (PoE) from a switch or other network device that supplies power over the network cable based on the IEEE 802.3af standard.
NOTE: The access point supports both endspan and midspan PoE.
If the access point is connected to a PoE source device and also connected to a local power source through the AC power adapter, AC power will be disabled.
RESET BUTTON
This button can be used to restart the AP.
2 NETWORK TOPOLOGIES
Wireless networks support a standalone configuration as well as an integrated configuration with 10/100/1000 Mbps Ethernet LANs. The EAP8518 also provides bridging services that can be configured independently on any of the virtual AP (VAP) interfaces.
Access points can be deployed to support wireless clients and connect wired LANs in the following configurations:
Infrastructure for wireless LANs
Infrastructure wireless LAN for roaming wireless PCs
Infrastructure wireless bridge to connect wired LANs
INTERFERENCE ISSUES
The 802.11b, 802.11g and 802.11n frequency band operating at 2.4 GHz can easily encounter interference from other 2.4 GHz devices, such as other 802.11b/g/n wireless devices, cordless phones and microwave ovens. If you experience poor wireless LAN performance, try the following measures:
Limit any possible sources of radio interference within the service area
Increase the distance between neighboring access points
Decrease the signal strength of neighboring access points
Increase the channel separation of neighboring access points (e.g. up
to 3 channels of separation for 802.11b, or up to 4 channels for
802.11a, or up to 5 channels for 802.11g)
INFRASTRUCTURE WIRELESS LAN
The access point also provides access to a wired LAN for wireless workstations. An integrated wired/wireless LAN is called an Infrastructure configuration. A Basic Service Set (BSS) consists of a group of wireless PC users, and an access point that is directly connected to the wired LAN. Each wireless PC in this BSS can talk to any computer in its wireless group via a radio link, or access other computers or network resources in the wired LAN infrastructure via the access point.
The infrastructure configuration extends the accessibility of wireless PCs to the wired LAN.
A wireless infrastructure can be used for access to a central database, or for connection between mobile workers, as shown in the following figure.
Figure 7: Infrastructure Wireless LAN
INFRASTRUCTURE WIRELESS LAN FOR ROAMING WIRELESS PCS
The Basic Service Set (BSS) defines the communications domain for each access point and its associated wireless clients. The BSS ID is a 48-bit binary number based on the access point’s wireless MAC address, and is set automatically and transparently as clients associate with the access point. The BSS ID is used in frames sent between the access point and its clients to identify traffic in the service area.
The BSS ID is only set by the access point, never by its clients. The clients only need to set the Service Set Identifier (SSID) that identifies the service set provided by one or more access points. The SSID can be manually configured by the clients, can be detected in an access point’s beacon, or can be obtained by querying for the identity of the nearest access point. For clients that do not need to roam, set the SSID for the wireless card to that used by the access point to which you want to connect.
A wireless infrastructure can also support roaming for mobile workers. More than one access point can be configured to create an Extended Service Set (ESS). By placing the access points so that a continuous coverage area is created, wireless users within this ESS can roam freely. All wireless network cards and adapters and wireless access points within a specific ESS must be configured with the same SSID.
Figure 8: Infrastructure Wireless LAN for Roaming Wireless PCs
INFRASTRUCTURE WIRELESS BRIDGE
The IEEE 802.11 standard defines a Wireless Distribution System (WDS) for bridge connections between BSS areas (access points). The access point uses WDS to forward traffic on links between units.
The access point supports WDS bridge links that are independently configurable on each VAP. There are two WDS modes: WDS-AP and WDS-STA. Otherwise, VAPs operate in a normal AP mode.
AP Mode: The VAP provides services to clients as a normal access
point.
WDS-AP Mode: The VAP operates as an access point in WDS mode,
which accepts connections from client stations in WDS-STA mode.
WDS-STA Mode: The VAP operates as a client station in WDS mode,
which connects to an access point VAP in WDS-AP mode. The user needs to specify the MAC address of the VAP in WDS-AP mode to which it intends to connect.
Figure 9: Bridging Mode
3 INSTALLING THE ACCESS POINT
This chapter describes how to install the access point.
LOCATION SELECTION
Choose a proper place for the access point. In general, the best location is at the center of your wireless coverage area, within line of sight of all wireless devices. Try to place the access point in a position that can best cover its service area. For optimum performance, consider these guidelines:
Mount the access point as high as possible above any obstructions in
the coverage area.
Avoid mounting next to or near building support columns or other
obstructions that may cause reduced signal or null zones in parts of the coverage area.
Mount away from any signal absorbing or reflecting structures (such as
those containing metal).
The access point can be mounted on any horizontal surface, or a wall.
MOUNTING ON A HORIZONTAL SURFACE
To keep the access point from sliding on the surface, attach the four rubber feet provided in the accessory kit to the marked circles on the bottom of the access point.
Figure 10: Attach Feet
MOUNTING ON A WALL
To mount on a wall, follow the instructions below.
Figure 11: Wall Mounting
The access point should be mounted only to a wall or wood surface that is at least 1/2-inch plywood or its equivalent. To mount the access point on a wall, always use its wall-mounting bracket. The access point must be mounted with the RJ-45 cable connector oriented upwards to ensure proper operation.
1. Mark the position of the three screw holes on the wall. For concrete or
brick walls, you will need to drill holes and insert wall plugs for the screws.
2. Insert the included 20-mm M4 tap screws into the holes, leaving about
2-3 mm clearance from the wall.
3. Line up the three mounting points on the AP with the screws in the wall,
then slide the AP down onto the screws until it is in a secured position.
CONNECTING AND POWERING ON
Connect the power adapter to the access point, and the power cord to an AC power outlet.
Otherwise, the access point can derive its operating power directly from the RJ-45 port when connected to a device that provides IEEE 802.3af compliant Power over Ethernet (PoE).
CAUTION: Use ONLY the power adapter supplied with this access point. Otherwise, the product may be damaged.
NOTE: If the access point is connected to both a PoE source device and an AC power source, AC will be disabled.
1. Observe the Self Test – When you power on the access point, verify that the Power indicator turns on, and that the other indicators start functioning as described under “LED Indicators” on page 30.
If the red DIAG/FAIL LED does not turn off, the self test has not completed correctly. Refer to “Troubleshooting” on page 235.
2. Connect the Ethernet Cable – The access point can be connected to
a 10/100/1000 Mbps Ethernet through a network device such as a hub or a switch. Connect your network to the RJ-45 port on the back panel with Category 5E or better UTP Ethernet cable. When the access point and the connected device are powered on, the Ethernet Link LED should turn on indicating a valid network connection.
NOTE: The RJ-45 port on the access point supports automatic MDI/MDI-X operation, so you can use straight-through cables for all network connections to PCs, switches, or hubs.
3. Position the Antennas – Each antenna emits a radiation pattern that
is toroidal (doughnut shaped), with the coverage extending most in the direction perpendicular to the antenna. Therefore, the antennas should be oriented so that the radio coverage pattern fills the intended horizontal space. Also, the antennas should both be positioned along the same axes, providing the same coverage area. For example, if the access point is mounted on a horizontal surface, all antennas should be positioned pointing vertically up to provide optimum coverage.
4. (Optional) Connect the Console Port – Connect the RJ-45 console
cable (included with access point) to the RS-232 console port for accessing the command-line interface. You can manage the access point using the console port, the web interface, or SNMP management software.
4 INITIAL CONFIGURATION
The EAP8518 offers a user-friendly web-based management interface for the configuration of all the unit’s features. Any PC directly attached to the unit can access the management interface using a web browser, such as Internet Explorer (version 6.0 or above) or Firefox (version 2.0 or above).
CONNECTING TO THE LOGIN PAGE
It is recommended to make initial configuration changes by connecting a PC directly to the EAP8518’s LAN port. The EAP8518 has a default IP address of 192.168.1.1 and a subnet mask of 255.255.255.0. You must set your PC IP address to be on the same subnet as the EAP8518 (that is, the PC and EAP8518 addresses must both start 192.168.1.x).
To access the access point management interface, follow these steps:
1. Use your web browser to connect to the management interface using
the default IP address of 192.168.1.1.
2. Log into the interface by entering the default username “admin” and
password also “admin,” then click Login.
NOTE: It is strongly recommended to change the default user name and password the first time you access the web interface. For information on changing user names and passwords, see “Administration Settings” on page 50.
Figure 12: Login Page
HOME PAGE AND MAIN MENU
After logging in to the web interface, the Home page displays. The Home page shows some basic settings for the AP, including Country Code and the management access password.
Figure 13: Home Page
The web interface Main Menu provides access to all the configuration settings available for the access point.
The following items are displayed on this page:
System Name – An alias for the access point, enabling the device to
be uniquely identified on the network. (Default: 11n_AP; Range: 1-32 characters)
Username – The name of the user is fixed as “admin” and is not
configurable.
Old Password – Type your old password. The default password is
“admin.”
New Password – The password for management access. (Length: 5-
32 characters, case sensitive)
Confirm New Password – Enter the password again for verification.
Country Code – This command configures the access point’s country
code, which identifies the country of operation and sets the authorized radio channels.
CAUTION: You must set the country code to the country of operation. Setting the country code restricts operation of the access point to the radio channels and transmit power levels permitted for wireless networks in the specified country.
COMMON WEB PAGE BUTTONS
The list below describes the common buttons found on most web management pages:
Set – Applies the new parameters and saves them to temporary RAM memory. Also displays a screen to inform you when it has taken effect. Clicking ‘OK’ returns to the home page. The running configuration will not be saved upon a reboot unless you use the “Save Config” button.
Figure 14: Set Configuration Changes
Cancel – Cancels the newly entered settings and restores the originals.
Help – Displays the help window.
Figure 15: Help Menu
Logout – Ends the web management session.
Save Config – Saves the current configuration so that it is retained after a restart.
QUICK START
The Quick Start menu is designed to help you configure the basic settings required to get the access point up and running. Click ‘System’, followed by ‘Quick Start’.
STEP 1
The first page of the Quick Start configures the system identification, access password, and the Country Code.
Figure 16: Quick Start - Step 1
The following items are displayed on the first page of the Quick Start wizard:
IDENTIFICATION
System Name — The name assigned to the access point.
(Default: 11n_AP)
CHANGE PASSWORD
Username — The name of the user is fixed as “admin” and is not
configurable.
Old Password — If the unit has been configured with a password already, enter that password, otherwise enter the default password “admin.”
New Password — The password for management access. (Length: 5-32 characters, case sensitive)
Confirm New Password — Enter the password again for verification.
COUNTRY CODE
Country Code — Configures the access point’s country code from a drop down menu, which identifies the country of operation and sets the authorized radio channels.
CAUTION: You must set the country code to the country of operation. Setting the country code restricts operation of the access point to the radio channels and transmit power levels permitted for wireless networks in the specified country.
Cancel — Cancels the newly entered settings and restores the originals.
Next — Proceeds to the next page.
STEP 2
The Step 2 page of the Quick Start configures IP settings and DHCP client status.
Figure 17: Quick Start - Step 2
The following items are displayed on this page:
DHCP
DHCP Status — Enables/disables DHCP on the access point. (Default:
disabled)
IP Address — Specifies an IP address for management of the access
point. Valid IP addresses consist of four decimal numbers, 0 to 255, separated by periods. (Default: 192.168.1.1.)
Subnet Mask — Indicates the local subnet mask. Select the desired
mask from the drop down menu. (Default: 255.255.255.0)
Default Gateway — The default gateway is the IP address of the
router for the access point, which is used if the requested destination address is not on the local subnet. (Default: 192.168.1.254)
If you have management stations, DNS, RADIUS, or other network servers located on another subnet, type the IP address of the default gateway router in the text field provided.
Primary and Secondary DNS Address — The IP address of Domain
Name Servers on the network. A DNS maps numerical IP addresses to domain names and can be used to identify network hosts by familiar names instead of the IP addresses. (The default Primary and Secondary DNS addresses are null values.)
Prev — Returns to the previous screen.
Cancel — Cancels the newly entered settings and restores the originals.
Next — Proceeds to the final step in the Quick Start wizard.
STEP 3
The Step 3 page of the Quick Start configures radio interface settings.
Figure 18: Quick Start - Step 3
The following items are displayed on this page:
INTERFACE SETTING
WiFi Mode — Sets the mode of operation of the radio chip to
802.11n/g (2.4 GHz) or 802.11n/a (5 GHz). (Default: 11n/g)
BASIC SETTING
SSID — Sets the service set identifier for the primary VAP.
(Default: EC_VAP_0)
SECURITY
Association Mode — Selects the security mode for association of
other access points and wireless devices to the access point. For more information, see “Wireless Security Settings” on page 90. (Default: Open System; Range: Open System, WPA, WPA-PSK, WPA2, WPA2-PSK, WPA-WPA2-mixed, or WPA-WPA2-PSK-mixed)
Encryption Mode — The available data encryption methods depend on
the selected Association Mode. (Default: None)
None: Implements no encryption for Open System association.
WEP: WEP is used as the multicast encryption cipher. You should select WEP only when both WPA and WEP clients are supported.
TKIP: TKIP is used as the multicast encryption cipher.
AES-CCMP: AES-CCMP is used as the multicast encryption cipher. AES-CCMP is the standard encryption cipher required for WPA2.
AUTHENTICATION
802.1x — Enables 802.1X authentication. (Default: Disabled)
802.1x Reauthentication Refresh Rate — The time period after
which a connected client must be re-authenticated. During the reauthentication process of verifying the client’s credentials on the RADIUS server, the client remains connected to the network. Only if reauthentication fails is network access blocked. (Default: 3600 seconds; Range: 0-65535 seconds; 0=disabled)
NOTE: When 802.1X is enabled, be sure to configure RADIUS server details. For more information, see “RADIUS Settings” on page 52.
MAIN MENU ITEMS
To configure settings, click the relevant Main Menu item. Each Main Menu item is summarized below with links to the relevant section in this guide where configuration parameters are described in detail:
System — Configures Management IP, WAN, LAN and QoS settings.
See “System Settings” on page 49.
Management — Configures SNMP, HTTP and Telnet settings. See
“Management Settings” on page 60.
Advanced — Configures LLDP and Access Control Lists. See “Advanced
Settings” on page 71.
Wireless — Configures Wi-Fi access point settings. See “Wireless
Settings” on page 77.
Maintenance — Configures firmware upgrades remotely and locally. See
“Maintenance Settings” on page 98.
Information — Displays current system settings. See “Status
Information” on page 103.
SECTION II
WEB CONFIGURATION
This section provides details on configuring the access point using the web browser interface.
This section includes these chapters:
“System Settings” on page 49
“Management Settings” on page 60
“Advanced Settings” on page 71
“Wireless Settings” on page 77
“Maintenance Settings” on page 98
“Status Information” on page 103
5 SYSTEM SETTINGS
This chapter describes basic system settings on the access point. It includes the following sections:
“Administration Settings” on page 50
“IP Address” on page 51
“RADIUS Settings” on page 52
“System Time” on page 54
“SpectraLink Voice Priority” on page 56
“VLAN Configuration” on page 56
“System Logs” on page 58
“Quick Start Wizard” on page 59
ADMINISTRATION SETTINGS
The Administration Settings page configures some basic settings for the AP, such as the system identification name, the management access password, and the wireless operation Country Code.
Figure 19: Administration
The following items are displayed on this page:
System Name — An alias for the access point, enabling the device to
be uniquely identified on the network. (Default: 11n_AP; Range: 1-32 characters)
Username — The user name is fixed as “admin” and cannot be
configured.
Old Password — Type your current password.
New Password — The password for management access.
(Length: 5-32 characters, case sensitive)
Confirm New Password — Enter the password again for verification.
Country Code — This command configures the access point’s country
code, which identifies the country of operation and sets the authorized radio channels.
CAUTION: You must set the country code to the country of operation. Setting the country code restricts operation of the access point to the radio channels and transmit power levels permitted for wireless networks in the specified country.
IP ADDRESS
Configuring the access point with an IP address expands your ability to manage the access point. A number of access point features depend on IP addressing to operate.
You can use the web browser interface to access IP addressing only if the access point already has an IP address that is reachable through your network.
By default, the access point will not be automatically configured with IP settings from a Dynamic Host Configuration Protocol (DHCP) server. The default IP address is 192.168.1.1, subnet mask 255.255.255.0 and a default gateway of 192.168.1.254.
Figure 20: IP Configuration
The following items are displayed on this page:
DHCP Status — Enables/disables DHCP on the access point.
IP Address — Specifies an IP address for management of the access
point. Valid IP addresses consist of four decimal numbers, 0 to 255, separated by periods. (Default: 192.168.1.1.)
Subnet Mask — Indicates the local subnet mask. Select the desired
mask from the drop down menu. (Default: 255.255.255.0)
Default Gateway — The default gateway is the IP address of the
router for the access point, which is used if the requested destination address is not on the local subnet.
If you have management stations, DNS, RADIUS, or other network servers located on another subnet, type the IP address of the default gateway router in the text field provided.
Primary and Secondary DNS Address — The IP address of Domain
Name Servers on the network. A DNS maps numerical IP addresses to domain names and can be used to identify network hosts by familiar names instead of the IP addresses.
If you have one or more DNS servers located on the local network, type the IP addresses in the text fields provided.
After you have network access to the access point, you can use the web browser interface to modify the initial IP configuration, if needed.
If there is no DHCP server on your network, or DHCP fails, the access point will automatically start up with a default IP address of 192.168.1.1.
RADIUS SETTINGS
PRIMARY AND SECONDARY RADIUS SERVER SETUP
Remote Authentication Dial-in User Service (RADIUS) is an authentication protocol that uses software running on a central server to control access to RADIUS-aware devices on the network. An authentication server contains a database of user credentials for each user that requires access to the network.
A primary RADIUS server must be specified for the access point to implement IEEE 802.1X network access control and Wi-Fi Protected Access (WPA) wireless security. A secondary RADIUS server may also be specified as a backup should the primary server fail or become inaccessible.
In addition, you can configure a RADIUS Accounting server to receive user-session accounting information from the access point. RADIUS Accounting can be used to provide valuable information on user activity in the network.
This guide assumes that you have already configured RADIUS server(s) to support the access point. Configuration of RADIUS server software is beyond the scope of this guide; refer to the documentation provided with the RADIUS server software.
Figure 21: RADIUS Settings
The following items are displayed on the RADIUS Settings page:
RADIUS Status — Enables/disables the primary RADIUS server.
IP Address — Specifies the IP address or host name of the RADIUS
server.
Port (1024-65535) — The UDP port number used by the RADIUS
server for authentication messages. (Range: 1024-65535; Default:
1812)
Key — A shared text string used to encrypt messages between the
access point and the RADIUS server. Be sure that the same text string is specified on the RADIUS server. Do not use blank spaces in the string. (Maximum length: 255 characters)
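The Key field is the RADIUS shared secret. The following added example (not part of this guide and not Edge-Core code) shows one of the ways the protocol uses that secret: the Response Authenticator check defined in RFC 2865, by which a RADIUS client confirms that a reply came from a server holding the same Key. The function names, packet contents and secrets are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT = 2   # RADIUS packet code (RFC 2865)
REPLY_MESSAGE = 18  # RADIUS attribute type (RFC 2865)


def validate_key(key: str) -> bool:
    """Apply the guide's rules for the Key field: no blank spaces, at most
    255 characters. Rejecting an empty string is an addition of this example."""
    return 0 < len(key) <= 255 and " " not in key


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1-253 octets")
    return bytes([attr_type, len(value) + 2]) + value


def build_response(code, identifier, request_authenticator, attributes, secret):
    """Build a reply as a server would. The Response Authenticator is
    MD5(Code + ID + Length + Request Authenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    digest = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return header + digest + attributes


def verify_response(packet, request_id, request_authenticator, secret):
    """Return True only if the reply matches this request and this secret."""
    if len(packet) < 20 or len(request_authenticator) != 16:
        return False
    _code, identifier, length = struct.unpack_from("!BBH", packet, 0)
    if identifier != request_id or length < 20 or length > len(packet):
        return False
    packet = packet[:length]  # octets beyond Length are padding and ignored
    expected = hashlib.md5(
        packet[:4] + request_authenticator + packet[20:] + secret
    ).digest()
    return hmac.compare_digest(packet[4:20], expected)


def demo():
    """Run the check on constructed sample data."""
    secret = b"constructed-shared-secret"
    request_authenticator = os.urandom(16)  # sent by the client in its request
    attributes = encode_attribute(REPLY_MESSAGE, b"welcome")
    reply = build_response(ACCESS_ACCEPT, 7, request_authenticator, attributes, secret)
    tampered = reply[:-1] + b"!"  # one attribute octet changed in transit
    return {
        "genuine": verify_response(reply, 7, request_authenticator, secret),
        "tampered": verify_response(tampered, 7, request_authenticator, secret),
        "wrong_secret": verify_response(reply, 7, request_authenticator, b"other"),
        "other_request": verify_response(reply, 7, os.urandom(16), secret),
    }


if __name__ == "__main__":
    print(demo())
```

The secret is the only input to this digest that is not sent on the wire, so the Key should be long and random rather than a word or a device name.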
RADIUS ACCOUNTING
The following items are displayed on the RADIUS Settings page:
Account Status — Enables/disables RADIUS accounting.
IP Address — Specifies the IP address or host name of the RADIUS
accounting server.
Port (1024-65535) — The UDP port number used by the RADIUS accounting server for authentication messages. (Range: 1024-65535; Default: 1813)
Key — A shared text string used to encrypt messages between the access point and the RADIUS accounting server. Be sure that the same text string is specified on the RADIUS server. Do not use blank spaces in the string. (Maximum length: 255 characters)
Interim Update Timeout (60-86400) — The interval between transmitting accounting updates to the RADIUS server. (Range: 60-86400; Default: 300 seconds)
SYSTEM TIME
Simple Network Time Protocol (SNTP) allows the access point to set its internal clock based on periodic updates from a time server (SNTP or NTP). Maintaining an accurate time on the access point enables the system log to record meaningful dates and times for event entries. If the clock is not set, the access point will only record the time from the factory default set at the last bootup.
The access point acts as an SNTP client, periodically sending time synchronization requests to specific time servers. You can configure up to two time server IP addresses. The access point will attempt to poll each server in the configured sequence.
Figure 22: SNTP Settings
SNTP SERVER SETTINGS
Configures the access point to operate as an SNTP client. When enabled, at least one time server IP address must be specified.
SNTP Status — Enables/disables SNTP. (Default: enabled)
Primary Server — The IP address of an SNTP or NTP time server that
the access point attempts to poll for a time update.
Secondary Server — The IP address of a secondary SNTP or NTP time
server. The access point first attempts to update the time from the primary server; if this fails it attempts an update from the secondary server.
TIME ZONE SETTING
SNTP uses Greenwich Mean Time, or GMT (sometimes referred to as Coordinated Universal Time, or UTC) based on the time at the Earth’s prime meridian, zero degrees longitude. To display a time corresponding to your local time, you must indicate the number of hours your time zone is located before (east) or after (west) GMT.
Time Zone — Select from the scroll down list the locale closest to your location. For example, for New York, select ‘(GMT-05) Eastern Time (US & Canada)’.
DAYLIGHT SAVING SETTINGS
The access point provides a way to automatically adjust the system clock for Daylight Savings Time changes. To use this feature you must define the month and date to begin and to end the change from standard time. During this period the system clock is set back by one hour.
Daylight Saving Status — Enables/disables daylight savings time.
(Default: disabled)
When enabled, set the month, day, and week to start and stop the daylight savings time.
SPECTRALINK VOICE PRIORITY
SpectraLink Voice Priority (SVP) is a voice priority mechanism for WLANs. SVP is an open, straightforward QoS approach that has been adopted by most leading vendors of WLAN APs. SVP favors isochronous voice packets over asynchronous data packets when contending for the wireless medium and when transmitting packets onto the wired LAN.
Figure 23: SVP Settings
The following items are displayed on this page:
SVP Status — Enables/disables SVP on the access point.
VLAN CONFIGURATION
VLANs (virtual local area networks) are turned off by default when first installing the access point. If turned on they will automatically tag any packets received by the LAN port before sending them on to the relevant VAP (virtual access point).
The access point can employ VLAN tagging support to control access to network resources and increase security. VLANs separate traffic passing between the access point, associated clients, and the wired network. There can be a default VLAN for each VAP (Virtual Access Point) interface, and a management VLAN for the access point.
Note the following points about the access point’s VLAN support:
The management VLAN is for managing the access point through
remote management tools, such as the web interface, SSH, SNMP, or Telnet. The access point only accepts management traffic that is tagged with the specified management VLAN ID.
All wireless clients associated to the access point are assigned to a
VLAN. Wireless clients are assigned to the default VLAN for the VAP interface with which they are associated. The access point only allows traffic tagged with default VLAN IDs to access clients associated on each VAP interface.
When VLAN support is enabled on the access point, traffic passed to the
wired network is tagged with the appropriate VLAN ID, either a VAP default VLAN ID, or the management VLAN ID. Traffic received from the wired network must also be tagged with one of these known VLAN IDs. Received traffic that has an unknown VLAN ID or no VLAN tag is dropped.
When VLAN support is disabled, the access point does not tag traffic
passed to the wired network and ignores the VLAN tags on any received frames.
NOTE: Before enabling VLAN tagging on the access point, be sure to configure the attached network switch port to support tagged VLAN frames from the access point’s management VLAN ID and default VLAN IDs. Otherwise, connectivity to the access point will be lost when you enable the VLAN feature.
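The following added example (not part of this guide and not the access point's firmware) models the rules above for a frame arriving on the LAN port, and lists the VLAN IDs that the attached switch port must carry tagged before VLAN support is enabled. The function names, the VAP-to-VLAN mapping and the sample frames are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an IEEE 802.1Q VLAN tag


def vlan_id_of(frame: bytes):
    """Return the VLAN ID of an Ethernet frame, or None if it is untagged."""
    if len(frame) < 14:
        raise ValueError("frame is shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("frame ends inside the 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF  # the VLAN ID is the low 12 bits of the tag


def check_vid(vid: int) -> int:
    """Enforce the 1-4094 range the guide gives for VLAN IDs."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID %r is outside 1-4094" % (vid,))
    return vid


def wired_ingress_destinations(frame, vlan_enabled, management_vid, vap_default_vids):
    """Interfaces that may receive a frame arriving from the wired network.

    vap_default_vids maps a VAP number to its default VLAN ID (assumed layout).
    An empty list means the frame is dropped.
    """
    vaps = sorted(vap_default_vids)
    if not vlan_enabled:
        # VLAN support disabled: tags on received frames are ignored.
        return ["management"] + ["vap%d" % v for v in vaps]
    check_vid(management_vid)
    for v in vaps:
        check_vid(vap_default_vids[v])
    vid = vlan_id_of(frame)
    if vid is None:
        return []  # no VLAN tag: dropped
    destinations = []
    if vid == management_vid:
        destinations.append("management")
    destinations += ["vap%d" % v for v in vaps if vap_default_vids[v] == vid]
    return destinations  # empty for an unknown VLAN ID: dropped


def vids_missing_on_switch_port(switch_tagged_vids, management_vid, vap_default_vids):
    """VLAN IDs the access point will use that the switch port does not carry tagged."""
    needed = {check_vid(management_vid)}
    needed.update(check_vid(v) for v in vap_default_vids.values())
    return sorted(needed - set(switch_tagged_vids))


def build_frame(vid=None, payload=b"\x00" * 46):
    """Build a constructed sample frame, tagged with vid or untagged."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("020000000001")  # constructed, locally administered address
    ethertype = struct.pack("!H", 0x0800)
    if vid is None:
        return dst + src + ethertype + payload
    tag = struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return dst + src + tag + ethertype + payload


if __name__ == "__main__":
    vaps = {0: 20, 1: 30}  # constructed plan: VAP 0 on VLAN 20, VAP 1 on VLAN 30
    for vid in (10, 20, 30, 99, None):
        print(vid, wired_ingress_destinations(build_frame(vid), True, 10, vaps))
    print("missing on switch port:", vids_missing_on_switch_port({10, 20}, 10, vaps))
```

A non-empty result from vids_missing_on_switch_port means that enabling VLAN support would cut off the management interface or a VAP until the switch port is corrected.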
Figure 24: Setting the VLAN Identity
The following items are displayed on this page:
VLAN Classification — Enables/disables VLAN packet tagging.
(Default: disabled)
Native VLAN ID (1-4094) — If enabled, the packets received by the LAN port must be tagged with the Management VLAN ID (native VLAN ID). (Range: 1-4094)
SYSTEM LOGS
The access point can be configured to send event and error messages to a System Log Server. The system clock can also be synchronized with a time server, so that all the messages sent to the Syslog server are stamped with the correct time and date.
Figure 25: System Log Settings
The following items are displayed on this page:
Syslog Status — Enables/disables the logging of error messages.
(Default: enabled)
Server 1~4 — Enables the sending of log messages to a Syslog server
host. Up to four Syslog servers are supported on the access point. (Default: disabled)
IP — The IP address or name of a Syslog server. (Server 1 Default:
10.7.16.98; Server 2 Default: 10.7.13.48; Server 3 Default:
10.7.123.123; Server 4 Default: 10.7.13.77)
UDP Port — The UDP port used by a Syslog server. (Range: 514 or
11024-65535; Server 1~2 Default: 514; Server 3 Default: 6553; Server 4 Default: 5432)
Logging Console — Enables the logging of error messages to the
console. (Default: disabled)
Logging Level — Sets the minimum severity level for event logging.
(Default: Debug)
The system allows you to limit the messages that are logged by specifying a minimum severity level. The following table lists the error message levels from the most severe (Emergency) to least severe (Debug). The message levels that are logged include the specified minimum level up to the Emergency level.
Table 3: Logging Levels
Error Level      Description
Emergency        System unusable
Alerts           Immediate action needed
Critical         Critical conditions (e.g., memory allocation, or free memory error - resource exhausted)
Error            Error conditions (e.g., invalid input, default used)
Warning          Warning conditions (e.g., return false, unexpected return)
Notice           Normal but significant condition, such as cold start
Informational    Informational messages only
Debug            Debugging messages
QUICK START WIZARD
The Quick Start menu item is described in the preceding chapter, see
“Quick Start” on page 43.
6 MANAGEMENT SETTINGS
This chapter describes management access settings on the access point. It includes the following sections:
“Remote Management Settings” on page 60
“Access Limitation” on page 62
“Simple Network Management Protocol” on page 63
REMOTE MANAGEMENT SETTINGS
The Web, Telnet, and SNMP management interfaces are enabled and open to all IP addresses by default. To provide more security for management access to the access point, specific interfaces can be disabled and management restricted to a single IP address or a limited range of IP addresses.
Once you specify an IP address or range of addresses, access to management interfaces is restricted to the specified addresses. If anyone tries to access a management interface from an unauthorized address, the access point will reject the connection.
Telnet is a remote management tool that can be used to configure the access point from anywhere in the network. However, Telnet is not secure from hostile attacks. The Secure Shell (SSH) can act as a secure replacement for Telnet. The SSH protocol uses generated public keys to encrypt all data transfers passing between the access point and SSH-enabled management station clients and ensures that data traveling over the network arrives unaltered. Clients can then securely use the local user name and password for access authentication.
Note that SSH client software needs to be installed on the management station to access the access point for management via the SSH protocol.
Both HTTP and HTTPS services can be enabled independently. If you enable HTTPS, you must indicate this in the URL: https://device[:port_number]
When you start HTTPS, the connection is established in this way:
The client authenticates the server using the server’s digital certificate.
The client and server negotiate a set of security protocols to use for the
connection.
The client and server generate session keys for encrypting and
decrypting data.
The client and server establish a secure encrypted connection.
A padlock icon should appear in the status bar for Internet Explorer.
Figure 26: Remote Management
The following items are displayed on Admin Interface page:
Telnet Access — Enables/disables management access from Telnet
interfaces. (Default: enabled)
Telnet Access Port — Sets the specified Telnet port for
communication. (Default: 23)
SSH Server — Enables/disables management access from SSH
Servers. (Default: enabled)
SSH Server Port — Sets the specified SSH Server port for
communication. (Default: 22)
HTTP Access — Enables/disables management access from any IP
address. (Default: enabled)
HTTP Timeout — Specifies the time after which the HTTP connection
will be lost with a period of inactivity. (Default: 1800 seconds; Range: 1-1800 seconds; 0=disabled)
HTTP Port — Specifies the HTTP port for IP connectivity. (Default: 80;
Range 1024-65535)
HTTPS Server — Enables/disables management access from a HTTPS server. (Default: enabled)
HTTPS Port — Specifies the HTTPS port for secure IP connectivity. (Default: 443; Range 1024-65535)
SNMP Access — Enables/disables management access from SNMP interfaces. (Default: enabled)
ACCESS LIMITATION
The Access Limitation page limits management access to the access point from specified IP addresses or wireless clients.
Figure 27: Access Limitation
The following items are displayed on the Access Limitation page:
IP MANAGEMENT CONTROL
Any IP — Indicates that any IP address is allowed management
access.
Single IP — Specifies a single IP address that is allowed management
access.
Multiple IP — Specifies an address range as defined by the entered IP address and subnet mask. For example, IP address 192.168.1.6 with subnet mask 255.255.255.0 defines all IP addresses from 192.168.1.1 to 192.168.1.254.
IP Address — Specifies the IP address.
Subnet Mask — Specifies the subnet mask in the form 255.255.255.x
RESTRICT MANAGEMENT
Enable/Disable — Enables/disables management of the device by a
wireless client. (Default: disabled)
SIMPLE NETWORK MANAGEMENT PROTOCOL
Simple Network Management Protocol (SNMP) is a communication protocol designed specifically for managing devices on a network. Equipment commonly managed with SNMP includes switches, routers and host computers. SNMP is typically used to configure these devices for proper operation in a network environment, as well as to monitor them to evaluate performance or detect potential problems.
Managed devices supporting SNMP contain software, which runs locally on the device and is referred to as an agent. A defined set of variables, known as managed objects, is maintained by the SNMP agent and used to manage the device. These objects are defined in a Management Information Base (MIB) that provides a standard presentation of the information controlled by the agent. SNMP defines both the format of the MIB specifications and the protocol used to access this information over the network.
SNMP BASIC SETTINGS
The access point includes an onboard agent that supports SNMP versions 1, 2c, and 3 clients. This agent continuously monitors the status of the access point, as well as the traffic passing to and from wireless clients. A network management station can access this information using SNMP management software that is compliant with MIB II. To implement SNMP management, the access point must first have an IP address and subnet mask, configured either manually or dynamically. Access to the onboard agent using SNMP v1 and v2c is controlled by community strings. To communicate with the access point, the management station must first submit a valid community string for authentication.
Access to the access point using SNMP v3 provides additional security features that cover message integrity, authentication, and encryption; as well as controlling notifications that are sent to specified user targets.
The access point SNMP agent must be enabled to function (for versions 1, 2c, and 3 clients). Management access using SNMP v1 and v2c also requires community strings to be configured for authentication. Trap notifications can be enabled and sent to up to four management stations.
Figure 28: SNMP Basic Settings
The following items are displayed on this page:
SNMP — Enables or disables SNMP management access and also
enables the access point to send SNMP traps (notifications). (Default: Disable)
System Location — A text string that describes the system location.
(Maximum length: 255 characters)
System Contact — A text string that describes the system contact.
(Maximum length: 255 characters)
Read-Only Community — Defines the SNMP community access string
that has read-only access. Authorized management stations are only able to retrieve MIB objects. (Maximum length: 23 characters, case sensitive; Default: public)
Read-Write Community — Defines the SNMP community access
string that has read/write access. Authorized management stations are able to both retrieve and modify MIB objects. (Maximum length: 23 characters, case sensitive; Default: private)
SNMP TRAP SETTINGS
Traps indicating status changes are issued by the AP to specified trap managers. You must specify trap managers so that key events are reported by the AP to your management station (using network management platforms).
Figure 29: SNMP Trap Settings
The following items are displayed on this page:
Trap Destination — Specifies the recipient of SNMP notifications.
Enter the IP address or the host name. (Host Name: 1 to 63 characters, case sensitive)
Community — The community string sent with the notification
operation. (Maximum length: 23 characters, case sensitive; Default: public)
Action — Adds a new SNMP trap destination to the list.
Trap Destination List — Lists the configured SNMP trap destinations.
Trap Configuration — Enables or disables trap status.
sysSystemUp: The access point is up and running.
sysSystemDown: The access point is about to shutdown and reboot.
Save Trap Config — Applies the new parameters and saves them to RAM memory. A screen also appears to inform you when the change has taken effect. Clicking ‘OK’ returns to the home page. Changes will not be saved upon a reboot unless the running configuration file is saved.
VIEW ACCESS CONTROL MODEL
To configure SNMPv3 management access to the AP, follow these steps:
1. Specify read and write access views for the AP MIB tree.
2. Configure SNMP user groups with the required security model (that is,
SNMP v1, v2c, or v3) and security level (authentication and privacy).
3. Assign SNMP users to groups, along with their specific authentication
and privacy passwords.
Figure 30: SNMP VACM
CREATING VIEWS
SNMPv3 views are used to restrict user access to specified portions of the MIB tree. There are no predefined views by default.
The following items are displayed on the VACM page.
View Name – The name of the SNMP view. (Range: 1-32 characters)
Type – Indicates if the object identifier of a branch within the MIB tree
is included or excluded from the SNMP view.
OID – Allows you to configure the object identifiers of branches within
the MIB tree. Wild cards can be used to mask a specific portion of the OID string.
Mask (option) – A hexadecimal value with each bit masking the corresponding ID in the MIB subtree. A “1” in the mask indicates an exact match and a “0” indicates a “wild card.” For example, a mask value of 0xFFBF provides a bit mask “1111 1111 1011 1111.” If applied to the subtree “1.3.6.1.2.1.2.2.1.1.23,” the zero corresponds to the 10th subtree ID. When there are more subtree IDs than bits in the mask, the mask is padded with ones.
View List – Shows the currently configured object identifiers of
branches within the MIB tree that define the SNMP view.
CREATING GROUPS
An SNMPv3 group sets the access policy for its assigned users, restricting them to specific read, write, and notify views. You can create new groups to map a set of SNMP users to SNMP views.
Group Name – The name of the SNMP group. (Range: 1-32
characters)
Security Level – The security level used for the group:
noAuthNoPriv – There is no authentication or encryption used in SNMP communications.
AuthNoPriv – SNMP communications use authentication, but the data is not encrypted.
AuthPriv – SNMP communications use both authentication and encryption.
Read View – The configured view for read access. (Range: 1-32
characters)
Write View – The configured view for write access. (Range: 1-32
characters)
SNMPV3 USERS
The access point allows multiple SNMP v3 users to be configured. Each SNMPv3 user is defined by a unique name. Users must be configured with a specific security level and assigned to a group. The SNMPv3 group restricts users to a specific read, write, or notify view.
Figure 31: Configuring SNMPv3 Users
The following items are displayed on this page:
User Name — The SNMPv3 user name. (32 characters maximum)
Group — The SNMPv3 group name.
Auth Type — The authentication type used for the SNMP user; either
MD5 or none. When MD5 is selected, enter a password in the corresponding Passphrase field.
Auth Passphrase — The authentication password or key associated
with the authentication and privacy settings. A minimum of eight plain text characters is required.
Priv Type — The data encryption type used for the SNMP user; either
DES or none. When DES is selected, enter a key in the corresponding Passphrase field.
Priv Passphrase — The password or key associated with the
authentication and privacy settings. A minimum of eight plain text characters is required.
Action — Click the Add button to add a new user to the list. Click the
edit button to change details of an existing user. Click the Del button to remove a user from the list.
NOTE: Users must be assigned to groups that have the same security levels. For example, a user who has “Auth Type” and “Priv Type” configured to MD5 and DES respectively (that is, uses both authentication and data encryption) must be assigned to the RWPriv group. If this same user were instead assigned to the read-only (RO) group, the user would not be able to access the database.
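The three VACM steps above (views with an optional mask, groups, users) can be modelled offline to check what a given user would be able to read or write before the entries are typed into the access point. This is an added example, not code from the manual or from Edge-Core; the view, group and user names are constructed, and the longest-subtree precedence between overlapping view entries is the standard VACM rule from RFC 3415, which the manual does not spell out for this device.

```python
from dataclasses import dataclass


def parse_oid(text):
    """'.1.3.6.1' or '1.3.6.1' -> (1, 3, 6, 1)."""
    return tuple(int(part) for part in text.strip(".").split("."))


def mask_bits(mask_hex):
    """Expand a hexadecimal Mask such as 'FFBF' to '1111111110111111'."""
    digits = mask_hex[2:] if mask_hex.lower().startswith("0x") else mask_hex
    return "".join(format(int(d, 16), "04b") for d in digits)


@dataclass(frozen=True)
class ViewEntry:
    subtree: tuple      # OID field, as a tuple of sub-IDs
    included: bool      # Type field: included (True) or excluded (False)
    mask: str = ""      # optional Mask field; empty means every sub-ID is exact

    def covers(self, oid):
        """True when oid lies under this subtree, honouring wild-card bits."""
        if len(oid) < len(self.subtree):
            return False
        bits = mask_bits(self.mask)
        for pos, sub_id in enumerate(self.subtree):
            # Sub-IDs beyond the end of the mask are treated as padded with ones.
            exact = bits[pos] == "1" if pos < len(bits) else True
            if exact and oid[pos] != sub_id:
                return False
        return True


def in_view(entries, oid):
    """RFC 3415 precedence (assumed for this device): longest match decides."""
    matches = [e for e in entries if e.covers(oid)]
    if not matches:
        return False
    return max(matches, key=lambda e: (len(e.subtree), e.subtree)).included


def security_level(auth_type, priv_type):
    """Map the user's Auth Type / Priv Type fields to a group security level."""
    if priv_type == "DES" and auth_type != "MD5":
        raise ValueError("privacy without authentication is not a valid level")
    if auth_type == "MD5":
        return "AuthPriv" if priv_type == "DES" else "AuthNoPriv"
    return "noAuthNoPriv"


# Constructed sample configuration (names are hypothetical).
VIEWS = {
    # All of MIB-II, except every column of interface-table row 23.
    "mib2-no-if23": [
        ViewEntry(parse_oid("1.3.6.1.2.1"), True),
        ViewEntry(parse_oid("1.3.6.1.2.1.2.2.1.1.23"), False, "FFBF"),
    ],
    "system-only": [ViewEntry(parse_oid("1.3.6.1.2.1.1"), True)],
}
GROUPS = {
    "ops-priv": {"level": "AuthPriv", "read_view": "mib2-no-if23",
                 "write_view": "system-only"},
    "readers": {"level": "noAuthNoPriv", "read_view": "system-only",
                "write_view": ""},
}
USERS = {
    "alice": {"group": "ops-priv", "auth": "MD5", "priv": "DES"},
    "bob": {"group": "readers", "auth": "MD5", "priv": "DES"},  # level mismatch
}


def can_access(user, oid_text, write=False):
    """Decide whether a user may read (or write) the given OID."""
    group = GROUPS[user["group"]]
    # Per the note above: a user whose level differs from the group's gets nothing.
    if security_level(user["auth"], user["priv"]) != group["level"]:
        return False
    view = group["write_view"] if write else group["read_view"]
    return in_view(VIEWS.get(view, []), parse_oid(oid_text))


if __name__ == "__main__":
    for name, oid, write in [
        ("alice", "1.3.6.1.2.1.1.5.0", False),        # sysName.0
        ("alice", "1.3.6.1.2.1.2.2.1.10.23", False),  # ifInOctets.23
        ("alice", "1.3.6.1.2.1.2.2.1.10.24", False),  # ifInOctets.24
        ("alice", "1.3.6.1.2.1.2.2.1.7.24", True),    # ifAdminStatus.24
        ("bob", "1.3.6.1.2.1.1.5.0", False),
    ]:
        verb = "write" if write else "read"
        print(name, verb, oid, "->", can_access(USERS[name], oid, write))
```

The 0xFFBF mask wild-cards the column sub-ID, so the excluded entry hides every object of interface row 23 while the rest of MIB-II stays readable.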
SNMPV3 TARGETS
An SNMP v3 notification Target ID is specified by the SNMP v3 user, IP address, and UDP port. A user-defined filter can also be assigned to specific targets to limit the notifications received to specific MIB objects. (Note that the filter must first be configured. See “SNMPv3 Notification Filters” on page 69.)
To configure a new notification receiver target, define the parameters and select a filter, if required. Note that the SNMP v3 user name must first be defined (See “SNMPv3 Users” on page 67.)
Figure 32: SNMPv3 Targets
The following items are displayed on this page:
Target ID — A user-defined name that identifies a receiver of notifications. (Maximum length: 32 characters)
IP Address — Specifies the IP address of the receiving management station.
UDP Port — The UDP port that is used on the receiving management station for notification messages.
SNMP User — The defined SNMP v3 user that is to receive notification messages.
Notification Filter — The name of a user-defined notification filter that is applied to the target.
SNMPV3 NOTIFICATION FILTERS
SNMP v3 users can be configured to receive notification messages from the access point. An SNMP Target ID is created that specifies the SNMP v3 user, IP address, and UDP port. A user-defined notification filter can be created so that specific notifications can be prevented from being sent to particular targets.
Figure 33: SNMP Notification Filter
The following items are displayed on this page:
Filter ID — A user-defined name that identifies the filter. (Maximum
length: 32 characters)
Subtree — Specifies MIB subtree to be filtered. The MIB subtree must
be defined in the form “.1.3.6.1” and always start with a “.”.
Type — Indicates if the filter is to “include” or “exclude” the MIB
subtree objects from the filter. Note that MIB objects included in the filter are not sent to the receiving target and objects excluded are sent. By default all traps are sent, so you can first use an “include” filter entry for all trap objects. Then use “exclude” entries for the required trap objects to send to the target. Note that the filter entries are applied in the sequence that they are defined.
Action — Adds the notification filter.
7 ADVANCED SETTINGS
This chapter describes advanced settings on the access point. It includes the following sections:
“Local Bridge Filter” on page 71
“Link Layer Discovery Protocol” on page 72
“Access Control Lists” on page 74
LOCAL BRIDGE FILTER
The access point can employ network traffic frame filtering to control access to network resources and increase security. You can prevent communications between wireless clients and prevent access point management from wireless clients. Also, you can block specific Ethernet traffic from being forwarded by the access point.
The Local Bridge Filter sets the global mode for wireless-to-wireless communications between clients associated to Virtual AP (VAP) interfaces on the access point. (Default: Disabled)
Figure 34: Local Bridge Filter
The following items are displayed on this page:
Disabled — All clients can communicate with each other through the
access point.
Prevent Intra VAP client communication — When enabled, clients
associated with a specific VAP interface cannot establish wireless communications with each other. Clients can communicate with clients associated to other VAP interfaces.
Prevent Inter and Intra VAP client communication — When
enabled, clients cannot establish wireless communications with any other client, either those associated to the same VAP interface or any other VAP interface.
LINK LAYER DISCOVERY PROTOCOL
This page allows you to configure the Link Layer Discovery Protocol (LLDP). LLDP allows devices in the local broadcast domain to share information about themselves. LLDP-capable devices periodically transmit this information to neighbor devices in messages made up of Type Length Value (TLV) fields, formatted according to the IEEE 802.1AB standard. The advertised information can include details such as device identification, capabilities and configuration settings.
This information can be used by SNMP applications to simplify troubleshooting, enhance network management, and maintain an accurate network topology.
Figure 35: LLDP Settings
The following items are displayed on this page:
Disable/Enable — Disables/Enables LLDP on the access point.
Message Transmission Hold Time — Configures the time-to-live
(TTL) value sent in LLDP advertisements as shown in the formula below. (Range: 2-10; Default: 4)
The time-to-live tells the receiving LLDP agent how long to retain all information pertaining to the sending LLDP agent if it does not transmit updates in a timely manner. TTL in seconds is based on the following rule: (Transmission Interval * Hold Time) ≤ 65536. Therefore, the default TTL is 4*30 = 120 seconds.
Message Transmission Interval (seconds) — Configures the
periodic transmit interval for LLDP advertisements. (Range: 5-32768 seconds; Default: 30 seconds)
This attribute must comply with the following rule: (Transmission Interval * Hold Time) ≤ 65536, and Transmission Interval >= (4 * Delay Interval)
ReInitial Delay Time (seconds) — Configures the delay before
attempting to re-initialize after LLDP ports are disabled or the link goes down. (Range: 1-10 seconds; Default: 2 seconds)
When LLDP is re-initialized on a port, all information in the remote systems LLDP MIB associated with this port is deleted.
Transmission Delay Value (seconds) — Configures a delay between
the successive transmission of advertisements initiated by a change in local LLDP MIB variables. (Range: 1-8192 seconds; Default: 4 seconds)
The transmit delay is used to prevent a series of successive LLDP transmissions during a short period of rapid changes in local LLDP MIB objects, and to increase the probability that multiple, rather than single changes, are reported in each transmission.
This attribute must comply with the rule: (4 * Delay Interval) ≤ Transmission Interval
ACCESS CONTROL LISTS
Access Control Lists allow you to configure a list of wireless client MAC addresses that are not authorized to access the network. A database of MAC addresses can be configured locally on the access point.
SOURCE ADDRESS SETTINGS
The ACL Source Address Settings page enables traffic filtering based on the source MAC address in the data frame.
Figure 36: Source ACLs
The following items are displayed on this page:
SA Status — Enables network traffic with specific source MAC
addresses to be filtered (dropped) from the access point.
MAC Address — Specifies a source MAC address to filter, in the form
xx.xx.xx.xx.xx.xx, or xx-xx-xx-xx-xx-xx.
Action — Selecting “Add” adds a new MAC address to the filter list,
selecting delete removes the specified MAC address.
Number — Specifies the number associated with the MAC address.
MAC Address — Displays the configured source MAC address.
DESTINATION ADDRESS SETTINGS
The ACL Destination Address Settings page enables traffic filtering based on the destination MAC address in the data frame.
Figure 37: Destination ACLs
The following items are displayed on this page:
DA Status — Enables network traffic with specific destination MAC
addresses to be filtered (dropped) from the access point.
MAC Address — Specifies a destination MAC address to filter, in the
form xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx.
Action — Selecting “Add” adds a new MAC address to the filter list,
selecting delete deletes the specified MAC address.
Number — Specifies the number of the MAC address in the filter table.
MAC Address — Displays the configured destination MAC address.
ETHERNET TYPE
The Ethernet Type Filter controls checks on the Ethernet type of all incoming and outgoing Ethernet packets against the protocol filtering table. (Default: Disabled)
Figure 38: Ethernet Type Filter
The following items are displayed on this page:
Disabled — Access point does not filter Ethernet protocol types.
Enabled — Access point filters Ethernet protocol types based on the
configuration of protocol types in the filter table. If the status of a protocol is set to “ON,” the protocol is filtered from the access point.
Local Management — Describes the Ethernet filter type.
ISO Designator — Describes the ISO Designator identifier.
Filter Status — Turns the filter on or off.
8 WIRELESS SETTINGS
This chapter describes wireless settings on the access point. It includes the following sections:
“Spanning Tree Protocol (STP)” on page 77
“Authentication” on page 80
“Radio Settings” on page 84
“Virtual Access Points (VAPs)” on page 87
“Quality of Service (QoS)” on page 93
SPANNING TREE PROTOCOL (STP)
The Spanning Tree Protocol (STP) can be used to detect and disable network loops, and to provide backup links between switches, bridges or routers. This allows the wireless bridge to interact with other bridging devices (that is, an STP-compliant switch, bridge or router) in your network to ensure that only one route exists between any two stations on the network, and provide backup links which automatically take over when a primary link goes down.
STP uses a distributed algorithm to select a bridging device (STP-compliant switch, bridge or router) that serves as the root of the spanning tree network. It selects a root port on each bridging device (except for the root device) which incurs the lowest path cost when forwarding a packet from that device to the root device. Then it selects a designated bridging device from each LAN which incurs the lowest path cost when forwarding a packet from that LAN to the root device. All ports connected to designated bridging devices are assigned as designated ports. After determining the lowest cost spanning tree, it enables all root ports and designated ports, and disables all other ports. Network packets are therefore only forwarded between root ports and designated ports, eliminating any possible network loops.
Once a stable network topology has been established, all bridges listen for Hello BPDUs (Bridge Protocol Data Units) transmitted from the root bridge. If a bridge does not get a Hello BPDU after a predefined interval (Maximum Age), the bridge assumes that the link to the root bridge is down. This bridge will then initiate negotiations with other bridges to reconfigure the network to reestablish a valid network topology.
Figure 39: Spanning Tree Protocol
BRIDGE
Sets STP bridge link parameters.
The following items are displayed on the STP page:
Spanning Tree Protocol — Enables/disables STP on the AP. (Default: Enabled)
Priority — Used in selecting the root device, root port, and designated port. The device with the highest priority becomes the STP root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device. (Note that lower numeric values indicate higher priority.) (Default: 32768; Range: 0-65535)
Max Age — The maximum time (in seconds) a device can wait without receiving a configuration message before attempting to reconfigure. All device ports (except for designated ports) should receive configuration messages at regular intervals. Any port that ages out STP information (provided in the last configuration message) becomes the designated port for the attached LAN. If it is a root port, a new root port is selected from among the device ports attached to the network. (Default: 20 seconds; Range: 6-40 seconds)
Minimum: The higher of 6 or [2 x (Hello Time + 1)]. Maximum: The lower of 40 or [2 x (Forward Delay - 1)]
Hello Time — Interval (in seconds) at which the root device transmits
a configuration message. (Default: 2 seconds; Range: 1-10 seconds)
Minimum: 1 Maximum: The lower of 10 or [(Max. Message Age / 2) -1]
Forwarding Delay — The maximum time (in seconds) this device
waits before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames. In addition, each port needs time to listen for conflicting information that would make it return to a discarding state; otherwise, temporary data loops might result. (Default: 15 seconds; Range: 4-30 seconds)
Minimum: The higher of 4 or [(Max. Message Age / 2) + 1] Maximum: 30
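Because each of the three bridge timers limits the other two, the usable range of a setting is often narrower than the range printed next to it. The following added example (not part of the manual; the function names are hypothetical) applies the Minimum/Maximum rules listed above and reports which values conflict.

```python
import math

# Fixed limits quoted in the parameter descriptions above (seconds).
HELLO_LIMITS = (1, 10)
MAX_AGE_LIMITS = (6, 40)
FORWARD_DELAY_LIMITS = (4, 30)


def stp_timer_ranges(hello, max_age, forward_delay):
    """Return the effective (min, max) of each timer given the other two."""
    return {
        # Hello Time: 1 .. lower of 10 or [(Max Age / 2) - 1]
        "hello": (HELLO_LIMITS[0],
                  min(HELLO_LIMITS[1], math.floor(max_age / 2 - 1))),
        # Max Age: higher of 6 or [2 x (Hello + 1)] ..
        #          lower of 40 or [2 x (Forward Delay - 1)]
        "max_age": (max(MAX_AGE_LIMITS[0], 2 * (hello + 1)),
                    min(MAX_AGE_LIMITS[1], 2 * (forward_delay - 1))),
        # Forwarding Delay: higher of 4 or [(Max Age / 2) + 1] .. 30
        "forward_delay": (max(FORWARD_DELAY_LIMITS[0],
                              math.ceil(max_age / 2 + 1)),
                          FORWARD_DELAY_LIMITS[1]),
    }


def check_stp_timers(hello, max_age, forward_delay):
    """Return a list of violations; an empty list means the set is consistent."""
    values = {"hello": hello, "max_age": max_age,
              "forward_delay": forward_delay}
    problems = []
    ranges = stp_timer_ranges(hello, max_age, forward_delay)
    for name, (low, high) in ranges.items():
        if low > high:
            problems.append(f"{name}: no valid value (needs {low}..{high})")
        elif not low <= values[name] <= high:
            problems.append(f"{name}={values[name]} outside {low}..{high}")
    return problems


if __name__ == "__main__":
    # Factory defaults from this page: Hello 2, Max Age 20, Forwarding Delay 15.
    print(stp_timer_ranges(2, 20, 15))
    # Raising Max Age to 40 alone conflicts with the default Forwarding Delay.
    print(check_stp_timers(2, 40, 15))
```

With the defaults, Max Age can only be raised to 28 until Forwarding Delay is increased first.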
ETHERNET INTERFACE
Sets STP settings for the Ethernet port.
Link Path Cost — This parameter is used by the STP to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media. (Path cost takes precedence over port priority.) (Default: Ethernet interface: 19; Wireless interface: 40; Range: 1-65535)
Link Port Priority — Defines the priority used for this port in the
Spanning Tree Protocol. If the path cost for all ports on a switch are the same, the port with the highest priority (i.e., lowest value) will be configured as an active link in the spanning tree. This makes a port with higher priority less likely to be blocked if the Spanning Tree Protocol is detecting network loops. Where more than one port is assigned the highest priority, the port with lowest numeric identifier will be enabled. (Default: 128; Range: 0-240, in steps of 16)
WIRELESS INTERFACE
Sets STP settings for the radio interface.
Index — Describes the VAP in question.
Link Path Cost — This parameter is used by the STP to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media. (Path cost takes precedence over port priority.) (Default: Ethernet interface: 19; Wireless interface: 40; Range: 1-65535)
Link Port Priority — Defines the priority used for this port in the Spanning Tree Protocol. If the path cost for all ports on a switch are the same, the port with the highest priority (i.e., lowest value) will be configured as an active link in the spanning tree. This makes a port with higher priority less likely to be blocked if the Spanning Tree Protocol is detecting network loops. Where more than one port is assigned the highest priority, the port with lowest numeric identifier will be enabled. (Default: 128; Range: 0-240, in steps of 16)
AUTHENTICATION
Wireless clients can be authenticated for network access by checking their MAC address against the local database configured on the access point, or by using a database configured on a central RADIUS server. Alternatively, authentication can be implemented using the IEEE 802.1X network access control protocol.
You can configure a list of the MAC addresses for wireless clients that are authorized to access the network. This provides a basic level of authentication for wireless clients attempting to gain access to the network. A database of authorized MAC addresses can be stored locally on the access point or remotely on a central RADIUS server. (Default: Local MAC)
LOCAL MAC AUTHENTICATION
Configures the local MAC authentication database. The MAC database provides a mechanism to take certain actions based on a wireless client’s MAC address. The MAC list can be configured to allow or deny network access to specific clients.
Figure 40: Local Authentication
The following items are displayed on Authentication page:
MAC Authentication — Selects between disabled, Local MAC authentication, and RADIUS authentication.
Local MAC — The MAC address of the associating station is compared
against the local database stored on the access point. The Local MAC Authentication section enables the local database to be set up.
System Default — Specifies a default action for all unknown MAC
addresses (that is, those not listed in the local MAC database).
Deny: Blocks access for all MAC addresses except those listed in the local database as “Allow.”
Allow: Permits access for all MAC addresses except those listed in the local database as “Deny.”
MAC Authentication Settings — Enters specified MAC addresses and
permissions into the local MAC database.
MAC Address: Physical address of a client. Enter six pairs of hexadecimal digits separated by hyphens; for example, 00-90-D1-12-AB-89.
Permission: Select Allow to permit access or Deny to block access.
Add/Delete: Adds or deletes the specified MAC address and
permission setting into or from the local database.
MAC Authentication Table — Displays current entries in the local
MAC database.
RADIUS MAC AUTHENTICATION
The MAC address of the associating station is sent to a configured RADIUS server for authentication. When using a RADIUS authentication server for MAC address authentication, the server must first be configured on the RADIUS page.
Figure 41: RADIUS Authentication
The following items are displayed on Authentication page:
MAC Authentication — Selects between disabled, Local MAC authentication, and RADIUS authentication.
RADIUS MAC — The MAC address of the associating station is
compared against the RADIUS server database. The RADIUS MAC Authentication section enables the RADIUS database to be set up.
Session Timeout — The time period after which a connected client must be re-authenticated. During the re-authentication process of verifying the client’s credentials on the RADIUS server, the client remains connected to the network. Only if re-authentication fails is network access blocked. (Default: 0 means disabled; Range: 30-65535 seconds)
INTERFACE MODE
The access point can operate in two modes, IEEE 802.11a/n only, or 802.11g/n only. Also note that 802.11g is backward compatible with 802.11b, operating in the 2.4 GHz band. The 802.11a/n mode operates in the 5 GHz band.
NOTE: The EAP8518 radio can operate in 2.4 GHz mode or 5 GHz mode. It does not operate at 2.4 GHz and 5 GHz modes at the same time. You must first select the basic radio operating mode you want to use for your network.
Figure 42: Interface Mode
The following items are displayed on the Interface Mode Selection page:
Interface0 Mode — Selects the mode of the radio interface:
11ng: All 802.11g and n clients can communicate with the wireless AP/ Router (up to 300 Mbps) using the 2.4 GHz band, but data transmission rates may be slowed to compensate for 802.11g clients.
11na: All 802.11a and n clients can communicate with the wireless AP/ Router (up to 300 Mbps) using the 5 GHz band, but data transmission rates may be slowed to compensate for 802.11a clients.
RADIO SETTINGS
The IEEE 802.11n interfaces include configuration options for radio signal characteristics and wireless security features.
The access point can operate in two modes, mixed 802.11g/n (2.4 GHz), or mixed 802.11a/n (5 GHz). Note that the radio cannot operate at 2.4 GHz and 5 GHz modes at the same time.
Each radio supports eight virtual access point (VAP) interfaces, referred to as VAP0 ~ VAP7. Each VAP functions as a separate access point, and can be configured with its own Service Set Identification (SSID) and security settings. However, most radio signal parameters apply to all VAP interfaces. The configuration options are nearly identical, and are therefore both covered in this section of the manual. Traffic to specific VAPs can be segregated based on user groups or application traffic. The clients associate with each VAP in the same way as they would with separate physical access points. The access point supports up to a total of 64 wireless clients across all VAP interfaces.
Figure 43: Radio Settings
The following items are displayed on this page:
High Throughput Mode — The access point provides a channel bandwidth of 20 MHz by default giving an 802.11g connection speed of 54 Mbps and an 802.11n connection speed of up to 108 Mbps, and ensures backward compliance for slower 802.11b devices. Setting the HT Channel Bandwidth to 40 MHz (sometimes referred to as Turbo Mode) increases connection speed for 802.11g and 802.11n to 74 Mbps and 300 Mbps respectively. HT40plus indicates that the secondary channel is above the primary channel. HT40minus indicates that the secondary channel is below the primary channel. (Default: HT20; Range: HT20, HT40PLUS, HT40MINUS)
NOTE: Some 802.11n wireless clients may be capable of transmission rates of up to 600 Mbps, however the access point will only be able to connect to them at a maximum transmission rate of 300 Mbps.
Radio Channel — The radio channel that the access point uses to communicate with wireless clients. When multiple access points are deployed in the same area, set the channel on neighboring access points at least five channels apart to avoid interference with each other. For example, in 11ng HT20 mode you can deploy up to three access points in the same area using channels 1, 6, 11. Note that wireless clients automatically set the channel to the same as that used by the access point to which they are linked. (The available channels are dependent on the Radio Mode, High Throughput Mode, and Country Code settings.)
Auto Channel Select — Selecting Auto Select enables the access point to automatically select an unoccupied radio channel.
Transmit Power — Adjusts the power of the radio signals transmitted from the access point. The higher the transmission power, the farther the transmission range. Power selection is not just a trade-off between coverage area and maximum supported clients. You also have to ensure that high-power signals do not interfere with the operation of other radio devices in the service area. (Default: Minimum; Range: min, 12.5%, 25%, 50%, 100%)
Maximum Association Clients — The total maximum number of clients that may associate with all VAPs is fixed at 64.
Radio Mode — Defines the radio mode for the VAP interface. (Default: 11n (g compatible); 11ng Mode Options: 11n (b&g compatible), 11n (g compatible), 11n; 11na Mode Options: 11n (a compatible), 11n)
NOTE: Enabling the access point to communicate with 802.11b/g clients in both 802.11b/g/n Mixed and 802.11n modes also requires that HT Operation be set to HT20.
Preamble Length — The radio preamble (sometimes called a header) is a section of data at the head of a packet that contains information that the wireless device and client devices need when sending and receiving packets. You can set the radio preamble to long or short. A short preamble improves throughput performance, whereas a long preamble is required when legacy wireless devices are part of your network.
Beacon Interval (20-1000) — The rate at which beacon signals are transmitted from the access point. The beacon signals allow wireless clients to maintain contact with the access point. They may also carry power-management information. (Range: 20-1000 TUs; Default: 100 TUs)
Data Beacon Rate (DTIM) (1-255) — The rate at which stations in sleep mode must wake up to receive broadcast/multicast transmissions. Known also as the Delivery Traffic Indication Map (DTIM) interval, it indicates how often the MAC layer forwards broadcast/multicast traffic, which is necessary to wake up stations that are using Power Save mode. The default value of 2 indicates that the access point will save all broadcast/multicast frames for the Basic Service Set (BSS) and forward them after every second beacon. Using smaller DTIM intervals delivers broadcast/multicast frames in a more timely manner, causing stations in Power Save mode to wake up more often and drain power faster. Using higher DTIM values reduces the power used by stations in Power Save mode, but delays the transmission of broadcast/multicast frames. (Range: 1-255 beacons; Default: 1 beacon)
RTS Threshold (0-2345) — Sets the packet size threshold at which a Request to Send (RTS) signal must be sent to a receiving station prior to the sending station starting communications. The access point sends RTS frames to a receiving station to negotiate the sending of a data frame. After receiving an RTS frame, the station sends a CTS (clear to send) frame to notify the sending station that it can start sending data.
If the RTS threshold is set to 0, the access point always sends RTS signals. If set to 2347, the access point never sends RTS signals. If set to any other value, and the packet size equals or exceeds the RTS threshold, the RTS/CTS (Request to Send / Clear to Send) mechanism will be enabled.
The access points contending for the medium may not be aware of each other. The RTS/CTS mechanism can solve this “Hidden Node Problem.” (Range: 0-2345 bytes; Default: 2345 bytes)
Short Guard Interval — The 802.11n draft specifies two guard intervals: 400ns (short) and 800ns (long). Support of the 400ns GI is optional for transmit and receive. The purpose of a guard interval is to introduce immunity to propagation delays, echoes, and reflections to which digital data is normally very sensitive. Enabling the Short Guard Interval sets it to 400ns. (Default: Disabled)
Aggregate MAC Protocol Data Unit (A-MPDU) — Enables / disables the sending of this four frame packet header for statistical purposes. (Default: Enabled)
A-MPDU Length Limit (1024-65535) — Defines the A-MPDU length. (Default: 65535 bytes; Range: 1024-65535 bytes)
Aggregate MAC Service Data Unit (A-MSDU) — Enables / disables the sending of this four frame packet header for statistical purposes. (Default: Enabled)
A-MSDU Length Limit (2290-4096) — Defines the A-MSDU length. (Default: 4096 bytes; Range: 2290-4096 bytes)
Set Radio — Sets all entered parameters.
VIRTUAL ACCESS POINTS (VAPS)
The access point supports up to eight virtual access point (VAP) interfaces numbered 0 to 7. Each VAP functions as a separate access point, and can be configured with its own Service Set Identification (SSID) and security settings. However, most radio signal parameters apply to all eight VAP interfaces.
The VAPs function similar to a VLAN, with each VAP mapped to its own default VLAN ID. Traffic to specific VAPs can be segregated based on user groups or application traffic. All VAPs can support up to a total of 64 wireless clients, whereby the clients associate with each VAP the same way as they would with separate physical access points.
NOTE: The radio channel settings for the access point are limited by local regulations, which determine the number of channels that are available. See “Operating Channels” on page 248 for additional information on the maximum number of channels available.
Figure 44: VAP Settings
The following items are displayed on this page:
VAP Number — The number associated with the VAP, 0-7.
SSID — The name of the basic service set provided by a VAP interface. Clients that want to connect to the network through the access point must set their SSID to the same as that of an access point VAP interface. (Default: EC _VAP_# (0 to 7); Range: 1-32 characters)
Enable — Enables the specified VAP. (Default: Disabled)
Status — Displays the mode of the VAP. The default is set to "AP," for normal access point services.
Edit Setting — Click to open the page for configuring the selected VAP.
VAP BASIC SETTINGS
Sets the basic operating mode and other settings for the VAP.
Each VAP can operate in one of three modes: normal AP mode, WDS-AP bridge AP mode, or WDS-STA bridge station mode. The default mode is AP for the VAP to support normal access point services.
NOTE: For more information and examples for setting up WDS networks, see “WDS Setup Examples” on page 238.
Note that the Basic Settings are the same for both AP and WDS-AP modes.
Figure 45: VAP Basic Settings
The following items are displayed on this page:
Closed System — When enabled, the VAP does not include its SSID in beacon messages. Nor does it respond to probe requests from clients that do not include a fixed SSID. (Default: Disable)
Mode — Selects the mode in which the VAP will function.
AP Mode: The VAP provides services to clients as a normal access point.
WDS-AP Mode: The VAP operates as an access point in WDS mode, which accepts connections from client stations in WDS-STA mode.
WDS-STA Mode: The VAP operates as a client station in WDS mode, which connects to an access point VAP in WDS-AP mode. The user needs to specify the MAC address of the access point in WDS-AP mode to which it intends to connect.
Association Timeout Interval — The idle time interval (when no frames are sent) after which a client is disassociated from the VAP interface. (Range: 5-60 minutes; Default: 30 minutes)
Authentication Timeout Interval — The time within which the client should finish authentication before authentication times out. (Range: 5-60 minutes; Default: 60 minutes)
Default VLAN ID — The VLAN ID assigned to wireless clients associated to the VAP interface that are not assigned to a specific VLAN by RADIUS server configuration. (Default: 1)
DHCP Relay Server — The IP address of the DHCP relay server. Dynamic Host Configuration Protocol (DHCP) can dynamically allocate an IP address and other configuration information to network clients that broadcast a request. To receive the broadcast request, the DHCP server would normally have to be on the same subnet as the client. However, when the access point’s DHCP relay agent is enabled, received client requests can be forwarded directly by the access point to a known DHCP server on another subnet. Responses from the DHCP server are returned to the access point, which then broadcasts them back to clients. (Default: 0.0.0.0 (disabled))
SSID — The service set identifier for the VAP.
WDS-STA MODE
Describes additional basic VAP settings when functioning in WDS-STA mode.
Figure 46: WDS-STA Mode
The following items are displayed in the VAP Basic Settings when WDS-AP mode is selected:
WDS-AP (Parent) SSID — The SSID of the VAP on the connecting access point that is set to WDS-AP mode.
WDS-AP (Parent) MAC — The MAC address of the VAP on the connecting access point that is set to WDS-AP mode.
WIRELESS SECURITY SETTINGS
Describes the wireless security settings for each VAP, including association mode, encryption, and authentication.
NOTE: For VAPs set to WDS-AP or WDS-STA mode, the security options are limited to WPA-PSK and WPA2-PSK only.
Figure 47: Configuring VAPs - Common Settings
The following items are common to all three modes:
Association Mode — Defines the mode with which the access point will associate with other clients.
Open System: The VAP is configured by default as an “open system,” which broadcasts a beacon signal including the configured SSID. Wireless clients with an SSID setting of “any” can read the SSID from the beacon and automatically set their SSID to allow immediate connection.
WPA: WPA employs a combination of several technologies to provide an enhanced security solution for 802.11 wireless networks.
WPA-PSK: For enterprise deployment, WPA requires a RADIUS authentication server to be configured on the wired network. However, for small office networks that may not have the resources to configure and maintain a RADIUS server, WPA provides a simple operating mode that uses just a pre-shared password for network access. The Pre-Shared Key mode uses a common password for user authentication that is manually entered on the access point and all wireless clients. The PSK mode uses the same TKIP packet encryption and key management as WPA in the enterprise, providing a robust and manageable alternative for small networks.
WPA2: WPA was introduced as an interim solution for the vulnerability of WEP pending the ratification of the IEEE 802.11i wireless security standard. In effect, the WPA security features are a subset of the 802.11i standard. WPA2 includes the now ratified 802.11i standard, but also offers backward compatibility with WPA. Therefore, WPA2 includes the same 802.1X and PSK modes of operation and support for TKIP encryption.
WPA2-PSK: Clients using WPA2 with a Pre-shared Key are accepted for authentication.
WPA-WPA2 Mixed: Clients using WPA or WPA2 are accepted for authentication.
WPA-WPA2-PSK-mixed: Clients using WPA or WPA2 with a Pre-shared Key are accepted for authentication.
Encryption Method — Selects an encryption method for the global key used for multicast and broadcast traffic, which is supported by all wireless clients.
WEP: WEP is used as the multicast encryption cipher. You should select WEP only when both WPA and WEP clients are supported.
TKIP: TKIP is used as the multicast encryption cipher.
AES-CCMP: AES-CCMP is used as the multicast encryption cipher. AES-CCMP is the standard encryption cipher required for WPA2.
802.1X — The access point supports 802.1X authentication only for clients initiating the 802.1X authentication process (i.e., the access point does not initiate 802.1X authentication). For clients initiating 802.1X, only those successfully authenticated are allowed to access the network. For those clients not initiating 802.1X, access to the network is allowed after successful wireless association with the access point. The 802.1X mode allows access for clients not using WPA or WPA2 security.
Pre-Authentication — When using WPA2 over 802.1X, pre-authentication can be enabled, which allows clients to roam to a new access point and be quickly associated without performing full 802.1X authentication. (Default: Disabled)
802.1x Reauthentication Time — The time period after which a connected client must be re-authenticated. During the re-authentication process of verifying the client’s credentials on the RADIUS server, the client remains connected to the network. Only if re-authentication fails is network access blocked. (Range: 0-65535 seconds; Default: 0 means disabled)
WIRED EQUIVALENT PRIVACY (WEP)
WEP provides a basic level of security, preventing unauthorized access to the network, and encrypting data transmitted between wireless clients and the VAP. WEP uses static shared keys (fixed-length hexadecimal or alphanumeric strings) that are manually distributed to all clients that want to use the network.
WEP is the security protocol initially specified in the IEEE 802.11 standard for wireless communications. Unfortunately, WEP has been found to be seriously flawed and cannot be recommended for a high level of network security. For more robust wireless security, the access point provides Wi-Fi Protected Access (WPA) and WPA2 for improved data encryption and user authentication.
Setting up shared keys enables the basic IEEE 802.11 Wired Equivalent Privacy (WEP) on the access point to prevent unauthorized access to the network.
If you choose to use WEP shared keys instead of an open system, be sure to define at least one static WEP key for user authentication and data encryption. Also, be sure that the WEP shared keys are the same for each client in the wireless network. All clients share the same keys, which are used for user authentication and data encryption. Up to four keys can be specified.
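The rules stated in the Wireless Security Settings and WEP descriptions above can be checked mechanically before a configuration is rolled out. The following is an added example, not part of the manual or the access point's software: the dictionary keys, rule names and severity labels are hypothetical, and the sample VAP entries are constructed.

```python
# Added example: audit per-VAP security settings against rules this manual states.
# The dictionary keys are a hypothetical representation of values an
# administrator would transcribe from the VAP security page.

PSK_MODES = {"WPA-PSK", "WPA2-PSK"}
WPA2_MODES = {"WPA2", "WPA2-PSK"}
RADIUS_MODES = {"WPA", "WPA2", "WPA-WPA2 Mixed"}
WPA_MODES = PSK_MODES | RADIUS_MODES | {"WPA-WPA2-PSK-mixed"}


def audit_vap(vap):
    """Return a list of (severity, rule, message) tuples for one VAP."""
    findings = []
    mode = vap.get("mode", "AP")
    assoc = vap.get("association", "Open System")
    cipher = vap.get("encryption")            # multicast/broadcast cipher
    dot1x = vap.get("dot1x", False)
    reauth = vap.get("reauth_seconds", 0)

    # WDS-AP and WDS-STA VAPs are limited to WPA-PSK and WPA2-PSK.
    if mode in ("WDS-AP", "WDS-STA") and assoc not in PSK_MODES:
        findings.append(("error", "wds-psk-only",
                         f"{mode} VAP cannot use association mode {assoc}"))

    # WEP as the multicast cipher is meant only for mixed WPA/WEP client sets.
    if assoc in WPA_MODES and cipher == "WEP":
        findings.append(("warn", "wep-multicast",
                         "WEP multicast cipher selected on a WPA/WPA2 VAP"))

    # Static WEP keys: the manual calls WEP seriously flawed.
    if assoc == "Open System" and vap.get("wep_keys"):
        findings.append(("warn", "wep-static-keys",
                         "VAP relies on static WEP shared keys"))

    # AES-CCMP is the standard cipher required for WPA2.
    if assoc in WPA2_MODES and cipher in ("TKIP", "WEP"):
        findings.append(("info", "wpa2-cipher",
                         f"WPA2 VAP uses {cipher} instead of AES-CCMP"))

    # 802.1X without WPA/WPA2: clients that never start 802.1X are still
    # admitted after association, so 802.1X alone does not gate access.
    if dot1x and assoc not in WPA_MODES:
        findings.append(("warn", "dot1x-optional",
                         "802.1X enabled without WPA/WPA2 does not gate access"))

    # Re-authentication time: range 0-65535 seconds, 0 means disabled.
    if not 0 <= reauth <= 65535:
        findings.append(("error", "reauth-range",
                         "re-authentication time outside 0-65535 seconds"))
    elif reauth == 0 and (dot1x or assoc in RADIUS_MODES):
        findings.append(("info", "reauth-disabled",
                         "RADIUS-backed VAP never re-authenticates clients"))
    return findings


def rule_ids(vap):
    """Convenience view: only the rule names, in the order they fired."""
    return [rule for _, rule, _ in audit_vap(vap)]


# Constructed sample configuration (not taken from a real device).
SAMPLE_VAPS = [
    {"name": "VAP0", "mode": "AP", "association": "WPA2-PSK",
     "encryption": "AES-CCMP"},
    {"name": "VAP1", "mode": "WDS-AP", "association": "WPA2",
     "encryption": "TKIP"},
    {"name": "VAP2", "mode": "AP", "association": "Open System",
     "wep_keys": ["<constructed placeholder>"], "dot1x": True,
     "reauth_seconds": 3600},
    {"name": "VAP3", "mode": "AP", "association": "WPA-WPA2-PSK-mixed",
     "encryption": "WEP"},
]

if __name__ == "__main__":
    for vap in SAMPLE_VAPS:
        for severity, rule, message in audit_vap(vap):
            print(f"{vap['name']}: [{severity}] {rule}: {message}")
```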
Figure 48: WEP Configuration
The following items are on this page for WEP configuration:
Default WEP Key Index – Selects the key number to use for encryption for the VAP interface. If the clients have all four WEP keys configured to the same values, you can change the encryption key to any of the settings without having to update the client keys. (Default: Key 1)
Key Type – Select the preferred method of entering WEP encryption keys for the VAP, either hexadecimal digits (Hex) or alphanumeric characters (ASCII).
Key Length – Select 64 Bit or 128 Bit key length. Note that the same size of encryption key must be supported on all wireless clients. (Default: 64 bit)
Key – Enter up to four WEP encryption keys for the VAP.
Hex: Enter keys as 10 hexadecimal digits (0-9 and A-F) for 64 bit keys, or 26 hexadecimal digits for 128 bit keys.
ASCII: Enter keys as 5 alphanumeric characters for 64 bit keys, or 13 alphanumeric characters for 128 bit keys.
NOTE: Key index, type, and length must match that configured on the clients.
QUALITY OF SERVICE (QOS)
Wireless networks offer an equal opportunity for all devices to transmit data from any type of application. Although this is acceptable for most applications, multimedia applications (with audio and video) are particularly sensitive to the delay and throughput variations that result from this “equal opportunity” wireless access method. For multimedia applications to run well over a wireless network, a Quality of Service (QoS) mechanism is required to prioritize traffic types and provide an “enhanced opportunity” wireless access method.
The access point implements QoS using the Wi-Fi Multimedia (WMM) standard. Using WMM, the access point is able to prioritize traffic and optimize performance when multiple applications compete for wireless network bandwidth at the same time. WMM employs techniques that are a subset of the developing IEEE 802.11e QoS standard and it enables the access point to interoperate with both WMM-enabled clients and other devices that may lack any WMM functionality.
Access Categories — WMM defines four access categories (ACs): voice, video, best effort, and background. These categories correspond to traffic priority levels and are mapped to IEEE 802.1D priority tags (see “WMM Access Categories” on page 94). The direct mapping of the four ACs to 802.1D priorities is specifically intended to facilitate interoperability with other wired network QoS policies. While the four ACs are specified for specific types of traffic, WMM allows the priority levels to be configured to match any network-wide QoS policy. WMM also specifies a protocol that access points can use to communicate the configured traffic priority levels to QoS-enabled wireless clients.
Table 4: WMM Access Categories
| Access Category | WMM Designation | Description | 802.1D Tags |
|---|---|---|---|
| AC_VO (AC3) | Voice | Highest priority, minimum delay. Time-sensitive data such as VoIP (Voice over IP) calls. | 7, 6 |
| AC_VI (AC2) | Video | High priority, minimum delay. Time-sensitive data such as streaming video. | 5, 4 |
| AC_BE (AC0) | Best Effort | Normal priority, medium delay and throughput. Data only affected by long delays. Data from applications or devices that lack QoS capabilities. | 0, 3 |
| AC_BK (AC1) | Background | Lowest priority. Data with no delay or throughput requirements, such as bulk data transfers. | 2, 1 |
WMM Operation — WMM uses traffic priority based on the four ACs: Voice, Video, Best Effort, and Background. The higher the AC priority, the higher the probability that data is transmitted.
When the access point forwards traffic, WMM adds data packets to four independent transmit queues, one for each AC, depending on the 802.1D priority tag of the packet. Data packets without a priority tag are always added to the Best Effort AC queue. From the four queues, an internal “virtual” collision resolution mechanism first selects data with the highest priority to be granted a transmit opportunity. Then the same collision resolution mechanism is used externally to determine which device has access to the wireless medium.
For each AC queue, the collision resolution mechanism is dependent on two timing parameters:
AIFSN (Arbitration Inter-Frame Space Number), a number used to calculate the minimum time between data frames
CW (Contention Window), a number used to calculate a random backoff time
After a collision detection, a backoff wait time is calculated. The total wait time is the sum of a minimum wait time (Arbitration Inter-Frame Space, or AIFS) determined from the AIFSN, and a random backoff time calculated from a value selected from zero to the CW. The CW value varies within a configurable range. It starts at CWMin and doubles after every collision up to a maximum value, CWMax. After a successful transmission, the CW value is reset to its CWMin value.
Figure 49: WMM Backoff Wait Times
[Figure: time axis showing, for high-priority and low-priority traffic, the minimum wait time (AIFS) followed by the random wait time (random backoff, CWMin to CWMax)]
For high-priority traffic, the AIFSN and CW values are smaller. The smaller values equate to less backoff and wait time, and therefore more transmit opportunities.
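The backoff calculation described above can be worked through numerically. This is an added example, not code from the manual: it assumes the IEEE 802.11 EDCA conventions that a log value n gives a window of 2^n - 1 slots and that AIFS = SIFS + AIFSN x slot time, with OFDM timing of a 9 µs slot and 16 µs SIFS. The per-AC parameter values are constructed samples, not the access point's defaults.

```python
import random

# Assumptions taken from IEEE 802.11 OFDM timing, not from this manual.
SLOT_US = 9
SIFS_US = 16

# Constructed sample parameters per access category (not device defaults).
SAMPLE_AC = {
    "AC_VO": {"log_cwmin": 2, "log_cwmax": 3, "aifsn": 2},
    "AC_VI": {"log_cwmin": 3, "log_cwmax": 4, "aifsn": 2},
    "AC_BE": {"log_cwmin": 4, "log_cwmax": 10, "aifsn": 3},
    "AC_BK": {"log_cwmin": 4, "log_cwmax": 10, "aifsn": 7},
}


def cw_from_log(log_cw):
    """Contention window in slots for a log value: 2**n - 1."""
    if not 0 <= log_cw <= 15:
        raise ValueError("logCWMin/logCWMax must be in the range 0-15")
    return (1 << log_cw) - 1


def aifs_us(aifsn):
    """Minimum wait time (AIFS) in microseconds."""
    if not 0 <= aifsn <= 15:
        raise ValueError("AIFSN must be in the range 0-15")
    return SIFS_US + aifsn * SLOT_US


def cw_sequence(log_cwmin, log_cwmax, collisions):
    """CW for the first attempt and after each successive collision."""
    if log_cwmin > log_cwmax:
        raise ValueError("CWMin must be less than or equal to CWMax")
    cw, cw_max = cw_from_log(log_cwmin), cw_from_log(log_cwmax)
    sequence = [cw]
    for _ in range(collisions):
        # "Doubling" keeps the 2**n - 1 form: 15 -> 31 -> 63 ... capped at CWMax.
        cw = min(2 * (cw + 1) - 1, cw_max)
        sequence.append(cw)
    return sequence


def wait_time_us(params, collisions, rng):
    """One total wait: AIFS plus a random backoff of 0..CW slots."""
    cw = cw_sequence(params["log_cwmin"], params["log_cwmax"], collisions)[-1]
    return aifs_us(params["aifsn"]) + rng.randint(0, cw) * SLOT_US


def mean_wait_us(params, collisions):
    """Expected total wait: AIFS plus half the current CW, in microseconds."""
    cw = cw_sequence(params["log_cwmin"], params["log_cwmax"], collisions)[-1]
    return aifs_us(params["aifsn"]) + (cw / 2) * SLOT_US


if __name__ == "__main__":
    rng = random.Random(0)
    for name, params in SAMPLE_AC.items():
        windows = cw_sequence(params["log_cwmin"], params["log_cwmax"], 4)
        print(f"{name}: AIFS={aifs_us(params['aifsn'])}us CW={windows} "
              f"mean first wait={mean_wait_us(params, 0)}us "
              f"sample={wait_time_us(params, 0, rng)}us")
```

After a successful transmission the sequence restarts at its first element, which is the reset to CWMin described above.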
Figure 50: QoS
The following items are displayed on this page:
WMM — Sets the WMM operational mode on the access point. When enabled, the parameters for each AC queue will be employed on the access point and QoS capabilities are advertised to WMM-enabled clients. (Default: Disabled)
Disable: WMM is disabled.
Enable: WMM must be supported on any device trying to associate with the access point. Devices that do not support this feature will not be allowed to associate with the access point.
WMM Acknowledge Policy — By default, all wireless data transmissions require the sender to wait for an acknowledgement from the receiver. WMM allows the acknowledgement wait time to be turned off for each Access Category (AC) 0-3. Although this increases data throughput, it can also result in a high number of errors when traffic levels are heavy. (Default: Acknowledge)
Acknowledge — Applies the WMM policy.
No Acknowledge — Ignores the WMM policy.
WMM BSS Parameters — These parameters apply to the wireless clients.
WMM AP Parameters — These parameters apply to the access point.
logCWMin (Minimum Contention Window): The initial upper limit of the random backoff wait time before wireless medium access can be attempted. The initial wait time is a random value between zero and the CWMin value. Specify the CWMin value in the range 0-15 microseconds. Note that the CWMin value must be less than or equal to the CWMax value.
logCWMax (Maximum Contention Window): The maximum upper limit of the random backoff wait time before wireless medium access can be attempted. The contention window is doubled after each detected collision up to the CWMax value. Specify the CWMax value in the range 0-15 microseconds. Note that the CWMax value must be greater than or equal to the CWMin value.
AIFSN (Arbitration Inter-Frame Space): The minimum amount of wait time before the next data transmission attempt. Specify the AIFS value in the range 0-15 microseconds.
TXOP Limit (Transmit Opportunity Limit): The maximum time an AC transmit queue has access to the wireless medium. When an AC queue is granted a transmit opportunity, it can transmit data for a time up to the TxOpLimit. This data bursting greatly improves the efficiency for high data-rate traffic. Specify a value in the range 0-65535 microseconds.
Admission Control: The admission control mode for the access category. When enabled, clients are blocked from using the access category. (Default: Disabled)
Set WMM — Applies the new parameters and saves them to RAM memory. Also prompts a screen to inform you when it has taken effect. Click “OK” to return to the home page. Changes will not be saved upon a reboot unless the running configuration file is saved.
9 MAINTENANCE SETTINGS
Maintenance settings include the following sections:
“Upgrading Firmware” on page 98
“Running Configuration” on page 101
“Resetting the Access Point” on page 102
UPGRADING FIRMWARE
You can upgrade new access point software from a local file on the management workstation, or from an FTP or TFTP server. New software may be provided periodically from your distributor.
After upgrading new software, you must reboot the access point to implement the new code. Until a reboot occurs, the access point will continue to run the software it was using before the upgrade started. Also note that new software that is incompatible with the current configuration automatically restores the access point to the factory default settings when first activated after a reboot.
Figure 51: Firmware
The following items are displayed on this page:
Firmware Version — Displays what version of software is being used as a runtime image - “Active”, and what version is a backup image - “Backup”. You may specify up to two images.
Next Boot Image — Specifies what version of firmware will be used as a runtime image upon bootup.
Set Next Boot — Applies the runtime image setting.
Local — Downloads an operation code image file from the web management station to the access point using HTTP. Use the Browse button to locate the image file locally on the management station and click Start Upgrade to proceed.
New Firmware File: Specifies the name of the code file on the server. The new firmware file name should not contain slashes (\ or /), the leading letter of the file name should not be a period (.), and the maximum length for file names is 32 characters for files on the access point. (Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”)
Remote — Downloads an operation code image file from a specified remote FTP or TFTP server. After filling in the following fields, click Start Upgrade to proceed.
New Firmware File: Specifies the name of the code file on the server. The new firmware file name should not contain slashes (\ or /), the leading letter of the file name should not be a period (.), and the maximum length for file names on the FTP/TFTP server is 255 characters or 32 characters for files on the access point. (Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”)
IP Address: IP address or host name of FTP or TFTP server.
Username: The user ID used for login on an FTP server.
Password: The password used for login on an FTP server.
Start Upgrade — Commences the upgrade process.
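The New Firmware File naming rules given under Local and Remote above can be enforced with an allow-list check before a name is entered into an upgrade form or script. This is an added example, not the access point's own validation code; the function name and the sample names are constructed for illustration.

```python
import re

# Explicit ASCII classes: \w or \d would also accept non-ASCII letters/digits.
ALLOWED_CHAR = re.compile(r"[A-Za-z0-9._-]")
MAX_LEN_ON_AP = 32        # limit for files stored on the access point
MAX_LEN_ON_SERVER = 255   # limit for files on the FTP/TFTP server


def firmware_name_problems(name, on_server=False):
    """Return the list of naming rules that `name` violates (empty if valid)."""
    limit = MAX_LEN_ON_SERVER if on_server else MAX_LEN_ON_AP
    problems = []
    if not name:
        return ["file name is empty"]
    if "/" in name or "\\" in name:
        problems.append("contains a slash")
    if name.startswith("."):
        problems.append("starts with a period")
    if len(name) > limit:
        problems.append(f"longer than {limit} characters")
    # Check every character individually. A pattern such as ^[...]+$ used with
    # re.match would accept a trailing newline, because $ matches before it.
    bad = sorted({ch for ch in name
                  if ch not in "/\\" and not ALLOWED_CHAR.fullmatch(ch)})
    if bad:
        problems.append("invalid characters: " + ", ".join(repr(c) for c in bad))
    return problems


# Constructed sample names.
SAMPLES = [
    "eap8518_v1.0.2.bin",       # valid
    "../eap8518.bin",           # slash and leading period
    ".hidden.bin",              # leading period
    "eap8518.bin\n",            # trailing newline
    "eap851\u0668.bin",         # non-ASCII digit that \d would accept
    "a" * 33,                   # one character over the on-AP limit
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", firmware_name_problems(sample) or "ok")
```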