How it Works
Motorola
Loading...
WS5100
User Manual
364 pgs8.16 Mb1
Table of contents
Loading...

Motorola WS5100 User Manual

WS5100 Series Switch
System Reference Guide
© 2007 Motorola, Inc. All rights reserved.
MOTOROLA and the Stylized M Logo are registered in the US Patent & Trademark Office. Symbol is a registered trademark of Symbol Technologies, Inc. All other product or service names are the property of their respective owners.

Contents

Chapter 1. Overview
1.1.1 Physical Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2
1.1.2 System Status LED Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2
1.1.3 10/100/1000 Port Status LED Codes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3
1.2.1 Infrastructure Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-4
1.2.2 Wireless Switching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7
1.2.3 Wired Switching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-16
1.2.4 Management Features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-17
1.2.5 Security Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-18
1.2.6 Access Port Support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-24
Chapter 2. Switch Web UI Access and Image Upgrades
2.1 Accessing the Switch Web UI. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1
2.1.1 Web UI Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1
2.1.2 Connecting to the Switch Web UI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2
2.2 Switch Password Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3
2.3 Upgrading the Switch Image. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4
2.3.1 Upgrading the Switch Image from 1.4.x or 2.x to Version 3.x. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4
2.5 Downgrading the Switch Image . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-7
2.6 AP-4131 Access Point to Access Port Conversion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-7
Chapter 3. Switch Information
3.1 Viewing the Switch Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1
3.1.1 Viewing the Switch Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2
3.1.2 Viewing Switch Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-6
3.2 Viewing Switch Port Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-8
3.2.1 Viewing the Port Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-8
3.2.2 Viewing the Ports Runtime Status. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-10
3.2.3 Viewing the Ports Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-11
3.3 Viewing Switch Configurations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-16
3.3.1 Viewing the Detailed Contents of a Config File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-17
3.3.2 Editing a Config File. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-18
3.3.3 Transferring a Config File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-19
3.4 Viewing Switch Firmware Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-20
3.4.1 Editing the Switch Firmware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-21
TOC-2 WS5100 Series Switch System Reference Guide
3.4.2 Enabling Global Settings for the Failover Image. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-22
3.4.3 Updating the Switch Firmware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-23
3.5 Configuring Automatic Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-24
3.6 Viewing the Switch Alarm Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-26
3.6.1 Viewing Alarm Log Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-27
3.7 Viewing Switch Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-28
3.8 How to use the Filter Option . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-29
Chapter 4. Network Setup
4.1 Displaying the Network Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1
4.2 Viewing Network IP Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-3
4.2.1 Configuring DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-3
4.2.2 Configuring IP Forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5
4.2.3 Viewing Address Resolution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-8
4.3 Viewing and Configuring Layer 2 Virtual LANs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-9
4.3.1 Editing the Details of an Existing VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-11
4.4 Configuring Switch Virtual Interfaces. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-12
4.4.1 Configuring the Virtual Interface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-12
4.4.2 Viewing Virtual Interface Statistics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-15
4.5 Viewing and Configuring Switch WLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-20
4.5.1 Configuring WLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-20
4.5.2 Viewing WLAN Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-45
4.5.3 Viewing VLAN/Tunnel Assignments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-52
4.5.4 Configuring WMM. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-53
4.6 Viewing Associated MU Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-57
4.6.1 Viewing MU Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-57
4.6.2 Viewing MU Statistics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-60
4.7 Viewing Access Port Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-64
4.7.1 Configuring Access Port Radios. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-65
4.7.2 Viewing AP Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-74
4.7.3 Configuring WLAN Assignment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-78
4.7.4 Configuring WMM. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-80
4.8 Viewing Access Port Adoption Defaults . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-82
4.8.1 Configuring AP Adoption Defaults. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-82
4.8.2 Configuring Layer 3 Access Port Adoption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-88
4.8.3 Configuring WLAN Assignment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-88
4.8.4 Configuring WMM. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-90
4.9 Viewing Access Port Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-92
4.9.1 Viewing Adopted Access Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-92
4.9.2 Viewing Unadopted Access Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-93
Chapter 5. Switch Services
5.1 Displaying the Services Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2
5.2.1 Configuring the Switch DHCP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3
5.2.2 Viewing the Attributes of Existing Host Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-11
5.2.3 Configuring Excluded IP Address Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-12
5.2.4 Configuring DHCP Server Relay Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-13
TOC-3
5.2.5 Viewing DHCP Server Status. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-15
5.3 Configuring Secure NTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-16
5.3.1 Defining the SNTP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-16
5.3.2 Adding a New SNTP Symmetric Key. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-18
5.3.3 Defining a SNTP Neighbor Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-19
5.3.4 Adding an NTP Neighbor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-21
5.3.5 Viewing SNTP Associations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-22
5.3.6 Viewing SNTP Status. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-24
5.4 Configuring Switch Redundancy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-25
5.4.1 Reviewing Redundancy Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-28
5.4.2 Configuring Redundancy Group Membership . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-30
5.4.3 Redundancy Group License Aggregation Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-34
5.5 Layer 3 Mobility. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-35
5.5.1 Configuring Layer 3 Mobility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-35
5.5.2 Defining the Layer 3 Peer List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-38
5.5.3 Reviewing Layer 3 Peer List Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-39
5.5.4 Reviewing Layer 3 MU Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-40
5.6 Configuring GRE Tunnels. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-41
5.6.1 Editing the Properties of a GRE Tunnel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-44
5.6.2 Adding a New GRE Tunnel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-45
5.7 Configuring Self Healing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-46
5.7.1 Configuring Self Healing Neighbor Details. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-47
5.8 Configuring Switch Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-50
5.8.1 Configuring Discovery Profiles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-50
5.8.2 Viewing Discovered Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-53
Chapter 6. Switch Security
6.1 Displaying the Main Security Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-1
6.2.1 Enabling and Configuring AP Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-3
6.2.2 Approved APs (Reported by APs). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-6
6.2.3 Unapproved APs (Reported by APs). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-7
6.2.4 Unapproved APs (Reported by MUs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-8
6.3.1 Configuring MU Intrusion Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-9
6.3.2 Viewing Filtered MUs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-11
6.4 Configuring Wireless Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-12
6.4.1 Editing an Existing Wireless Filter. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-14
6.4.2 Adding a new Wireless Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-15
6.4.3 Associating an ACL with WLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-16
6.5 Configuring ACLs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-16
6.5.1 ACL Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-17
6.5.2 Configuring an ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-20
6.5.3 Attaching an ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-24
6.5.4 Attaching an ACL on a WLAN Interface/Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-25
6.5.5 Reviewing ACL Statistics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-27
6.6 Configuring NAT Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-28
6.6.1 Defining Dynamic NAT Translations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-28
TOC-4 WS5100 Series Switch System Reference Guide
6.6.2 Defining Static NAT Translations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-31
6.6.3 Configuring NAT Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-34
6.6.4 Viewing NAT Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-35
6.7 Configuring IKE Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-36
6.7.1 Defining the IKE Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-37
6.7.2 Setting IKE Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-38
6.7.3 Viewing SA Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-42
6.8 Configuring IPSec VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-43
6.8.1 Defining the IPSec Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-45
6.8.2 Defining the IPSec VPN Remote Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-49
6.8.3 Configuring IPSEC VPN Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-50
6.8.4 Configuring Crypto Maps. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-52
6.8.5 Viewing IPSec Security Associations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-61
6.9 Configuring the Radius Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-62
6.9.1 Radius Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-62
6.9.2 Using the Switch’s Radius Server Versus an External Radius . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-64
6.9.3 Defining the Radius Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-65
6.9.4 Configuring Radius Authentication and Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-67
6.9.5 Configuring Radius Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-69
6.9.6 Configuring Radius User Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-71
6.9.7 Viewing Radius Accounting Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-73
6.10 Creating Server Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-74
6.10.1 Using Trustpoints to Configure Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-75
6.10.2 Configuring Trustpoint Associated Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-81
Chapter 7. Switch Management
7.1 Displaying the Management Access Interface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-1
7.2 Configuring Access Control. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2
7.3 Configuring SNMP Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-4
7.3.1 Configuring SNMP v1/v2 Access. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-5
7.3.2 Configuring SNMP v3 Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-6
7.3.3 Accessing SNMP v2/v3 Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-9
7.4 Configuring SNMP Traps. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-11
7.4.1 Enabling Trap Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-11
7.4.2 Configuring Trap Thresholds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-13
7.5 Configuring SNMP Trap Receivers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-16
7.5.1 Editing SNMP Trap Receivers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-17
7.5.2 Adding SNMP Trap Receivers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-17
7.6 Configuring Management Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-18
7.6.1 Configuring Local Users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-18
7.6.2 Configuring Switch Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-23
Chapter 8. Diagnostics
8.1 Displaying the Main Diagnostic Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-1
8.1.1 Switch Environment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2
8.1.2 CPU Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3
8.1.3 Switch Memory Allocation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-4
8.1.4 Switch Disk Allocation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-4
TOC-5
8.1.5 Switch Memory Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-5
8.1.6 Other Switch Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-6
8.2 Configuring System Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-7
8.2.1 Log Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-7
8.2.2 File Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-9
8.3 Reviewing Core Snapshots . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-12
8.3.1 Transferring Core Snapshots . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-13
8.4 Reviewing Panic Snapshots . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-14
8.4.1 Viewing Panic Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-16
8.4.2 Transferring Panic Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-16
8.5 Debugging the Applet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-17
8.6 Configuring a Ping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-18
8.6.1 Modifying the Configuration of an Existing Ping Test. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-20
8.6.2 Adding a New Ping Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-20
8.6.3 Viewing Ping Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-22
TOC-6 WS5100 Series Switch System Reference Guide
Introduction
This guide provides information about using the WS5100 Series Switch.
About This Guide
NOTE: Screens and windows pictured in this guide are samples and can differ from actual screens.
Documentation Set
The documentation set for the WS5100 Series Switch is partitioned into the following guides to provide information for specific user needs.
WS5100 Installation Guide - describes the basic setup and configuration required to transition to more
advanced configuration of the switch.
WS5100 CLI Reference - describes the Command Line Interface (CLI) and Management Information
Base (MIB) commands used to configure the WS5100 Series Switch.
WS5100 Migration Guide - provides upgrade instructions and new feature descriptions for legacy
users of the WS5100 Series Switch.
WS5100 Troubleshooting Guide- describes workarounds to known conditions the user may encounter.
RF Management Software Users Guide - describes how to use Motorola RFMS to set up and monitor
your WS5100 in respect to areas of good RF throughput and defined physical barriers.
Document Conventions
The following conventions are used in this document to draw your attention to important information:
NOTE: Indicate tips or special requirements.
CAUTION: Indicates conditions that can cause equipment damage or data loss.
!
WARNING! Indicates a condition or procedure that could result in personal injury or equipment damage.
viii WS5100 Series Switch System Reference Guide
Notational Conventions
The following additional notational conventions are used in this document:
Italics are used to highlight the following:
• Chapters and sections in this and related documents
• Dialog box, window and screen names
• Drop-down list and list box names
• Check box and radio button names
• Icons on a screen.
GUI text is used to highlight the following:
• Screen names
• Menu items
• Button names on a screen.
• bullets (•) indicate:
• Action items
• Lists of alternatives
• Lists of required steps that are not necessarily sequential
• Sequential lists (e.g., those that describe step-by-step procedures) appear as numbered lists.

Overview

The switch provides a centralized management solution for wireless networking components across the wired network infrastructure. The switch connects to legacy access ports through a Layer 2 switch/hub. The switch connects to non-legacy access ports through a Layer 3 interface.
The switch functions as the center of the wireless network. The access ports function as radio antennas for data traffic management and routing. All of the system configuration and intelligence for the wireless network resides in the switch.
The switch uses access ports to bridge data from associated wireless devices to the wireless switch. The wireless switch applies appropriate policies to the data packets before routing them to their destination. Data packets destined for devices on the wired network are processed by the switch, where appropriate policies are applied before they are encapsulated and sent to their destination.
Access port configuration is managed by the switch through the Graphical User Interface (GUI), SNMP or the Command Line Interface (CLI). The switch streamlines the management of a large wireless system and allows for Quality of Service (QoS), virtual WLANs and packet forwarding implementations.

1.1 Hardware Overview

The wireless switch is a rack-mountable device that manages all inbound and outbound traffic on the wireless network. It provides security, network service and system management applications.
Unlike traditional wireless infrastructure devices that reside at the edge of a network, the switch uses centralized, policy-based management to apply sets of rules or actions to all devices on the wireless network. It collects management “intelligence” from individual access points and moves the collected information into the centralized switch. Then, it replaces access points with “dumb” radio antennas called access ports.
Access ports (APs) are 48V power-over-Ethernet devices connected to the switch by an Ethernet cable. An access port receives 802.11x data from MUs and forwards the data to the switch which applies the appropriate policies and routes the packets to their destinations. Depending on the model, an AP can support as many as 16 WLANs.
Access ports do not have software or firmware upon initial receipt from the factory. When the access port is first powered on and cleared for the network, the switch initializes the access port and installs a small firmware file automatically. Therefore, installation and firmware upgrades are automatic and transparent.
1-2 WS5100 Series Switch System Reference Guide

1.1.1 Physical Specifications

The physical dimensions and operating parameters of the WS5100 Series Switch include:
Width 48.1 cm / 18.93 in. (with mounting brackets)
42.9 cm / 16.89 in. (without mounting brackets)
Height 4.39 cm / 1.73 in.
Depth 40.46 cm / 15.93 in.
Weight 6.25 kg / 13.75 lbs.
Max Power Consumption 100 VAC, 50/60 Hz, 3A
240 VAC, 50/60 Hz, 1.5A
Operating Temperature 10°C - 35°C / 50°F - 95°F
Operating Humidity 5% - 85% without condensation
1.1.1.1 Power Cord Specifications
A power cord is not supplied with the device. Use only a correctly rated power cord certified for the country of operation
.
1.1.1.2 Power Protection
To best protect the switch from unexpected power surges or other power-related problems, ensure the system installation meets the following power protection guidelines:
If possible, use a dedicated circuit to protect data processing equipment. Commercial electrical contractors are familiar with wiring for data processing equipment and can help with the load balancing of dedicated circuits.
Install surge protection. Use a surge protection device between the electricity source and the switch.
Install an Uninterruptible Power Supply (UPS). A UPS provides continuous power during a power outage. Some UPS devices have integral surge protection. UPS equipment requires periodic maintenance to ensure reliability.
1.1.1.3 Cabling Requirements
Two Category 6 Ethernet cables (not supplied) are required to connect the switch to the LAN and the WLAN. The cables are used with the two Ethernet ports on the front panel of the switch.
The console cable that comes with the switch is used to connect the switch to a computer running a serial terminal emulator program to access the switch’s Command Line Interface (CLI) for initial configuration. Initial configuration steps are described in the WS5100 Series Switch Installation Guide.

1.1.2 System Status LED Codes

A WS5100 has two LEDs on the front panel (adjacent to the RJ45 ports). The System Status LEDs display three colors—blue, amber, or red —and three “lit” states—solid, blinking, or off.
1.1.2.1 Start Up
Power off Off Off
Power On Self Test (POST) running All colors in rotation All colors in rotation
POST succeeded Blue solid Blue solid
1.1.2.2 Primary
Active (Continually Adopting Access Ports) Blue blinking Blue solid
No License to Adopt Amber blinking Amber blinking
1.1.2.3 Standby
Overview 1-3
Event Top LED Bottom LED
Event Top LED Bottom LED
Event Top LED Bottom LED
Active (Failed Over and Adopting Ports) Blue blinking Blue blinking
Active (Not Failed Over) Blue blinking Amber solid
1.1.2.4 Error Codes
Event Top LED Bottom LED
POST failed (critical error) Red blinking Red blinking
Software initialization failed Amber solid Off
Country code not configured.
Note: During first time setup, the LEDs will remain in this state until the country code is configured.
No access ports have been adopted Blue blinking Amber blinking

1.1.3 10/100/1000 Port Status LED Codes

A WS5100 Series Switch has two LED indicators for its RJ-45 ports:
• Upper left (amber/green) for link rate
• Upper right (green) for link activity
Amber solid Amber blinking
The following table provides additional information about the status of the 10/100/1000 Port Status LEDs.
1-4 WS5100 Series Switch System Reference Guide
LED State Meaning
Upper left Off 10 Mbps link rate
Green steady 100 Mbps link rate
Amber steady 1 Gigabit link rate
Upper right Off The port isn’t linked
Green steady The port is linked
Green blinking The port is linked and active

1.2 Software Overview

The switch includes a robust set of features.This section provides an overview of the software and features. The features are listed and described in the following sections:
Infrastructure Features
Wireless Switching
Wired Switching
Management Features
Security Features
Access Port Support
NOTE: The Motorola RF Management Software is also a recommended utility to plan the deployment of the switch and view its configuration once operational in the field. Motorola RFMS can help optimize the positioning and configuration of a switch in respect to a WLAN’s MU throughput requirements and can help detect rogue devices. For more information, refer to the Motorola Web site.

1.2.1 Infrastructure Features

The switch includes the following Infrastructure features:
Installation Feature
Licensing Support
Configuration Management
Diagnostics
Serviceability
Tracing / Logging
Process Monitor
Hardware Abstraction Layer and Drivers
Redundancy
Secure Network Time Protocol (SNTP)
Password Recovery
1.2.1.1 Installation Feature
The upgrade/downgrade of the switch can be performed at boot time using one of the following methods:
•Web UI
•DHCP
•CLI
•SNMP
• Patches
NOTE: HTTPS must be enabled to access the switch Web UI. Ensure that HTTPS access has been enabled before using the login screen to access the switch Web UI.
The switch platform has sufficient non-volatile memory to store multiple firmware images. The switch stores an active and a passive firmware image. The switch supports staged upgrade operations.
1.2.1.2 Licensing Support
The following licensing information is utilized when upgrading the switch.
Overview 1-5
• The maximum numbers of AP licenses a switch can adopt is 48.
• You can install/remove AP licenses in batches of 6 APs at a time.
• The Radius server and VPN capability is not a part of the licenses feature.
1.2.1.3 Configuration Management
The system supports redundant storage of configuration files to protect against corruption during a write operation and ensures at any given time a valid configuration file exists. If a configuration file has failed to completely execute, it is rolled back and the pre-write file is used.
Text Based Configuration
The configuration is stored in human readable format. It is stored as a set of CLI commands.
1.2.1.4 Diagnostics
The following diagnostics are available for the switch:
1. In-service Diagnostics – In-service diagnostics provide a range of automatic health monitoring features ensuring both the system hardware and software are in working order. The in-service-diagnostics continuously monitor any available physical characteristics (as detailed below) and issues log messages when either warning or error thresholds are reached. There are three types of in-service diagnostics:
• Hardware– Ethernet ports, chip failures, system temperature via the temperature sensors provided by the hardware, etc.
• Software– CPU load, memory usage, etc.
• Environmental– CPU and air temperature, fans speed, etc.
2. Out-of-service Diagnostics – Out-of-service diagnostics are a set of intrusive tests run from the user interface. Out-of-service diagnostics cannot be run while the unit is in operation. The intrusive tests include:
• Ethernet loopback tests
1-6 WS5100 Series Switch System Reference Guide
• RAM tests, Real Time Clock tests, etc.
3. Manufacturing Diagnostics – Manufacturing diagnostics are a set of diagnostics used by manufacturing to inspect quality of hardware.
1.2.1.5 Serviceability
A special set of Service CLI commands are available to provide additional troubleshooting capabilities for service personnel (for example, check the time critical processes were started), access to Linux services, panic logs, etc. Only authorized users or service personnel are provided access to the Service CLI.
A built-in Packet Sniffer allows service personnel to capture incoming and outgoing packets in a buffer.
The switch also maintains various statistics for RF activity, Ethernet ports etc. RF statistics include roaming stats, packet counters, octets tx/rx, signal, noise SNR, retry, and information for each MU.
1.2.1.6 Tracing / Logging
Log messages are well-defined and documented system messages with various destinations. They are numbered and referenced by ID. Each severity level group, can be configured separately to go to either the serial console, telnet interface, log file or remote syslog server.
Trace messages are more free-form and are used mainly by support personnel for tracking problems. They are enabled or disabled via CLI commands. Trace messages can go to a log file, the serial console, or the current tty.
Log and trace messages are interleaved in the same log file, so chronological order is preserved. Log and trace messages from different processes are similarly interleaved in the same file for the same reason.
Log message format is similar to the format used by syslog messages (RFC 3164). Log messages include message severity, source (facility), the time the message was generated and a textual message describing the situation triggering the event. For more information on using the switch logging functionality, see Configuring System Logging on page 8-7.
1.2.1.7 Process Monitor
The Process Monitor constantly checks to ensure processes under its control are up and running. Each monitored process sends the Process Monitor periodic heartbeat messages. A process that is down (due to a software crash or stuck in an endless loop) is detected when its heartbeat is not received. Such a process is terminated (if still running) and restarted (if configured) by the Process Monitor.
1.2.1.8 Hardware Abstraction Layer and Drivers
The Hardware Abstraction Layer (HAL) provides an abstraction library with an interface hiding hardware/ platform specific data. Drivers include platform specific components such as Ethernet, Flash Memory storage and thermal sensors.
1.2.1.9 Redundancy
Using the switch redundancy functionality, up to 12 switches can be configured in a redundancy group (and thereby provide group monitoring). In the event of a switch failure, a switch within the cluster takes control. Therefore, the switch supported network is always up and running even if a switch fails or is removed for maintenance or software upgrade. Switch redundancy provides minimal traffic disruption in the event of a switch failure or intermediate network failure.
The following redundancy features are supported:
• Up to 12 switch redundancy members supported per group. Each member is capable of tracking statistics for the entire group in addition to their own.
• Each redundancy group is capable of supporting an Active/Active configuration. Each redundancy group can support two or more primary members, each responsible for group load sharing.
• Members within the same redundancy group can be deployed across different subnets and maintain their interdependence as redundancy group members.
• Each member of the redundancy group supports AP load balancing by default.
• Members of the redundancy group support license aggregation. When a new member joins the group, the new member can leverage the access port adoption license(s) of existing members.
• Each member of the redundancy group (including the reporting switch) capable of displaying cluster performance statistics for all members in addition to their own.
• Centralized redundancy group management using the switch CLI.
For more information on configuring the switch for redundancy group support, see Configuring Switch Redundancy on page 5-25.
1.2.1.10 Secure Network Time Protocol (SNTP)
Overview 1-7
Secure Network Time Protocol (SNTP) manages time and/or network clock synchronization within the switch
managed network environment. SNTP is a client/server implementation. The switch (a SNTP client) periodically synchronizes its clock with a master clock (an NTP server). For example, the switch resets its clock to 07:04:59 upon reading a time of 07:04:59 from its designated NTP server. Time synchronization is recommended for the switch’s network operations. The following additionally hold true:
• The switch can be configured to provide NTP services to NTP clients.
• The switch can provide NTP support for user authentication.
Secure Network Time Protocol (SNTP) clients can be configured to synchronize switch time with an external NTP server.
For information on configuring the switch to support SNTP, see Configuring Secure NTP on page 5-16.
1.2.1.11 Password Recovery
The switch has a provision enabling the switch to restore its factory default configuration if your password is lost. In doing so however the current configuration is erased and can be restored assuming if has been exported to a secure location. For information on password recovery, see Switch Password Recovery on page 2-3.

1.2.2 Wireless Switching

The switch includes the following wireless switching features:
Physical Layer Features
Rate Limiting
Proxy-ARP
HotSpot / IP Redirect
IDM (Identity Driven Management)
Voice Prioritization
1-8 WS5100 Series Switch System Reference Guide
Self Healing
Wireless Capacity
AP and MU Load Balancing
Wireless Roaming
Power Save Polling
QoS
Wireless Layer 2 Switching
Automatic Channel Selection
WMM-Unscheduled APSD
1.2.2.1 Physical Layer Features
802.11a
• DFS Radar Avoidance – Dynamic Frequency Selection (DFS) functionality is mandatory for WLAN equipment that is intended to operate in the frequency bands 5150 MHz to 5350 MHz and 5470 MHz to 5725 MHz when the equipment operates in the countries of EU.
The purpose of DFS is:
• Detect interference from other systems and avoid co-channeling with those systems, most notably radar systems.
• Provide uniform loading of the spectrum across all devices.
This feature is enabled automatically when the country code indicates that DFS is required for at least one of the frequency bands that are allowed in the country.
• TPC – Transmit Power Control (TPC) meets the regulatory requirement for maximum power and mitigation for each channel. The TPC functionality is enabled automatically for every AP that operates on the channel.
802.11bg
• Dual mode b/g protection – The ERP builds on the payload data rates of 1 and 2 Mbit/s that use DSSS modulation and builds on the payload data rates of 1, 2, 5.5, and 11 Mbit/s, that use DSSS, CCK, and optional PBCC modulations. ERP provides additional payload data rates of 6, 9, 12, 18, 24, 36, 48, and 54 Mbit/s. Of these rates, transmission and reception capability for 1, 2, 5.5, 11, 6, 12, and 24 Mbit/s data rates is mandatory.
Two additional optional ERP-PBCC modulation modes with payload data rates of 22 and 33 Mbit/s are defined. An ERP-PBCC station may implement 22 Mbit/s alone or 22 and 33 Mbit/s. An optional modulation mode known as DSSS-OFDM is also incorporated with payload data rates of 6, 9, 12, 18, 24, 36, 48, and 54 Mbit/s.
• Short slot protection – The slot time is 20 µs, except an optional 9 µs slot time may be used when the BSS consists of only ERP STAs capable of supporting this option. The optional 9 µs slot time should not be used if the network has one or more non-ERP STAs associated. For IBSS, the Short Slot Time field is set to 0, corresponding to a 20 µs slot time.
1.2.2.2 Rate Limiting
Rate limiting controls the maximum rate sent or received on a network. Rate limiting enables the proper allocation of bandwidth, based on the source MAC address, destination MAC address, source IP address,
destination IP address and/or TCP/UDP port number. Rate limiting allows the definition of two rates: a guaranteed minimum bandwidth and a second burst size. Rate limiting is performed as part of the flow control process (WISP protocol) between access ports and the switch.
1.2.2.3 Proxy-ARP
Proxy ARP is provided for MU's in PSP mode whose IP address is known. The WLAN generates an ARP reply on behalf of a MU, if the MU's IP address is known. The ARP reply contains the MAC address of the MU (not the MAC address of switch). Thus, the MU is not woken to send ARP replies (increasing battery life and conserving wireless bandwidth).
If an MU goes into PSP mode without transmitting at least one packet, its Proxy ARP will not work for such an MU.
1.2.2.4 HotSpot / IP Redirect
A hotspot is a Web page that users are forced to visit before they are granted access to the Internet. With the advent of Wi-Fi enabled client devices (such as laptops and PDAs) commercial hotspots are common and can be found at many airports, hotels and coffee shops.The Hotspot / IP Redirect feature allows the switch to function as a single on-site switch supporting WLAN hotspots. The Hotspot feature re-directs user traffic (for a hotspot enabled WLAN) to a Web page that requires them to authenticate before granting access to the WLAN. The IP-Redirection requires no special software on the client but its does require the client be set to receive its IP configuration through DHCP. The following is a typical sequence of events for hotspot access:
Overview 1-9
1. A visitor with a laptop requires hotspot access at a site.
2. A user ID/ Password and the hotspot ESSID are issued by the site receptionist or IT staff.
3. The user connects their laptop to this ESSID
4. The laptop receives its IP configuration via DHCP. The DHCP service can be provided by an external DHCP server or provided by the internal DHCP server located on the switch.
5. The user opens a Web browser and connects to their home page.
6. The switch re-directs them to the hotspot Web page for authentication.
7. The user enters their User ID/ Password.
8. A Radius server authenticates the user.
9. Upon successful authentication, the user is directed to a Welcome Page that lists among other things an Acceptable Use Policy, connection time remaining and an I Agree button.
10.The user accepts by clicking the I Agree button and is granted access to the Internet. (or other network services).
To redirect user traffic from a default home page to a login page, the switch uses destination network address translation (destination NAT is similar to the source NAT/ PAT but the destination IP address and port get modified instead of the source as in traditional NAT). More specifically, when the switch receives an HTTP Web page request from the user (when the client first launches its browser after connecting to the WLAN), a protocol stack on the switch intercepts the request and sends back an HTTP response after modifying the network and port address in the packet. Therefore, acting like a proxy between the user and the Web site they are trying to access.
To setup a hotspot, create a WLAN ESSID and select Hotspot authentication from the Authentication menu. This is simply another way to authenticate a WLAN user for it would be impractical to authenticate visitors using 802.1x authentications. Motorola also recommends reviewing the WS5100 Migration Guide (available
1-10 WS5100 Series Switch System Reference Guide
on the Motorola Web site) for a use case on hotspot deployment. For information on configuring a hotspot, see Configuring Hotspots on page 4-29.
1.2.2.5 IDM (Identity Driven Management)
Radius authentication is performed for all protocols using a Radius-based authentication scheme such as EAP. Identity driven management is provided using a Radius client. The following IDMs are supported:
• User based SSID authentication — Denies authentication to MUs if associated to a SSID configured differently in their Radius server.
• User based VLAN assignment — Allows the switch to extract VLAN information from the Radius server.
• User based QoS — Enables QoS for the MU based on settings in Radius Server.
1.2.2.6 Voice Prioritization
The switch has the capability of having its QoS policy configured to prioritize network traffic requirements for associated MUs. Use QoS to enable voice prioritization for devices using voice as its transmission priority.
Voice prioritization allows you to assign priority to voice traffic over data traffic, and (if necessary) assign legacy voice supported devices (non WMM supported voice devices) additional priority.
Currently voice support implies the following:
• Spectralink voice prioritization - Spectralink sends packets that allow the switch to identify these MU's as voice MU's. Thereafter, any UDP packet sent by these MU's is prioritized ahead of data.
• Strict priority - The prioritization is strict.
• Multicast prioritization - Multicast frames that match a configured multicast mask bypass the PSP queue. This features permits intercom mode operation without delay (even in the presence of PSP MU's).
For more information on configuring voice prioritization for a target WLAN, see
Configuring WMM on page 4-53
1.2.2.7 Self Healing
Self Healing is the ability to dynamically adjust the RF network by modifying transmit power and/or supported rates, based on an AP failure.
In a typical RF network deployment, the APs are configured for Transmit Power below its maximum level. This allows the Tx Power to be increased when there is a need to increase coverage whenever an AP fails.
When an AP fails, the Tx Power/Supported rates of APs neighboring the failed AP is adjusted. The Tx power is increased and/or Supported rates are decreased. When the failed AP becomes operational again, the Neighbor AP’s Tx Power/Supported rates are brought back to the levels in operation before the self healing operation changed them.
The switch detects an AP failure when:
• AP stops sending heartbeats.
• AP beacons are no longer being sent.
Configure 0 (Zero) or more APs to act as either:
• Detector APs — Detector APs scan all channels and send beacons to the switch which uses the information for self-healing.
• Neighbor APs — When an AP fails, neighbor APs assist in self healing.
Overview 1-11
• Self Healing Actions — When an AP fails, actions are taken on the neighbor APs to do self-healing.
Detector APs
Configure an AP in either – Data mode (the regular mode) or Detector mode.
In Detector mode, the AP scans all channels at a configurable rate and forwards received beacons the switch. The switch uses the received information to establish a receive signal strength baseline over a period of time and initiates self-healing procedures (if necessary).
Neighbor Configuration
Neighbor detect is a mechanism allowing an AP to detect its neighbors and their signal strength. This enables you to verify your installation and configure it for self-healing when an AP fails.
Self Healing Actions
This mechanism allows you to assign a self healing action to an AP's neighbors, on a per-AP basis. If AP1 detects AP2 and AP3 as its neighbors, you can assign failure actions to AP2 and AP3 whenever AP1 fails.
You can assign four self healing actions:
• No action
• Decrease supported rates
• Increase Tx power
• Both 2 and 3.
You can also specify the Detector AP (AP2 or AP3) to stop detecting and adopt the RF settings of the failed AP. For more information on configuring self healing, see Configuring Self Healing on page 5-46.
1.2.2.8 Wireless Capacity
Wireless capacity specifies the maximum numbers of MUs, access ports and wireless networks usable by a given switch. Wireless capacity is largely independent of performance. Aggregate switch performance is divided among the switch clients (MUs and access ports) to find the performance experienced by a given user. Each switch platform is targeted at specific market segments, so the capacity of each platform is chosen appropriately. Wireless switch capacity is measured by:
• Maximum number of WLANs per switch
• Maximum number of access ports per switch
• Maximum number of MUs per switch
• Maximum number of MUs per access port.
Up to 48 access ports are supported by the switch. The actual number of access ports adoptable by a switch is defined on a per platform basis and will typically be lower than 48.
1.2.2.9 AP and MU Load Balancing
Fine tune a network to evenly distribute the data and/or processing across available resources. The following 2 topics explain load balancing:
MU Balancing Across Multiple APs
AP Balancing Across Multiple Switches
1-12 WS5100 Series Switch System Reference Guide
MU Balancing Across Multiple APs
As per the 802.11 standard, AP and MU association is a process conducted independently of the switch.
802.11 provides message elements used by the MU firmware to influence the roaming decision. The switch implements the following MU load balancing techniques:
• 802.11e admission control — 1 byte: channel utilization % and 1 byte: MU count is sent in QBSS Load Element in beacons to MU.
• Motorola load balancing element (proprietary) — 2 byte: Kbps, 2 byte : Kbps and 2 byte : MU Count are sent in beacon to MU.
NOTE: Each switch can support a maximum of 4096 MUs.
AP Balancing Across Multiple Switches
At adoption time, the AP solicits and receives multiple adoption responses from the switches on the network. These adoption responses contain preference and loading information the AP uses to select the optimum switch to be adopted by. Use this mechanism to define which APs are adopted by which switches. By default, the adoption algorithm generally distributes AP adoption evenly among the switches available.
NOTE: Each switch can support a maximum of 48 access ports. However, port adoption per switch is determined by the number of licenses acquired.
CAUTION: An access port is required to have a DHCP provided IP address before
!
In a layer 3 environment, the access port adoption process is somewhat unique, for more information, see
Configuring Layer 3 Access Port Adoption on page 4-88.
attempting layer 3 adoption, otherwise it will not work. Additionally, the access port must be able to find the IP addresses of the switches on the network.
To locate switch IP addresses on the network:
• Configure DHCP option 189 to specify each switch IP address.
• Configure a DNS Server to resolve an existing name into the IP of the switch. The access port has to get DNS server information as part of its DHCP information. The default DNS name requested by an AP300 is “Symbol-CAPWAP-Address”. However, since the default name is configurable, it can be set as a factory default to whatever value is needed.
1.2.2.10 Wireless Roaming
The following types of wireless roaming are supported by the switch:
L3 Roaming
Fast Roaming
Interswitch Layer 2 Roaming
International Roaming
MU Move Command
Virtual AP
Overview 1-13
L3 Roaming
L3 roaming works with switches in the mobility domain to exchange mobility related control information. This includes IP addresses, Media Access Control (MAC) address information and the HS-VLAN-id of all MUs in the mobility-domain. A consistent peer configuration results in full-mesh sessions required for L3 roaming to work correctly. Peering sessions use Transmission Control Protocol (TCP) as the transport layer protocol to carry mobility update messages. TCP provides the following advantages:
• TCP retransmits lost messages thereby providing reliable connectivity
• TCP ensures ordered message delivery using sequenced numbers.
• TCP has a built-in “keep-alive” mechanism which helps detect loss of connectivity to the peer or peer failure.
In a layer 3 environment, the access port adoption process is somewhat unique, for more information, see Configuring Layer 3 Access Port Adoption on page 4-88.
Fast Roaming
MUs roam from AP to AP as an MU moves throughout a WLAN coverage area. To improve roaming performance, various fast roaming features are implemented:
Pairwise Master Key (PMK) — Caching credentials are in the AP, so the MU does not need to re- authenticate.
• PMK Opportunistic Caching — The MU starts transmitting on another AP in order for both AP's to connect to a common wireless switch.
• Switch to Switch Hand-Off — When an MU roams from a wireless switch in one subnet to a wireless switch in another subnet, the transport layer connections will be preserved as far as possible.
• PMK Pre-Authentication —The MU authenticates itself with the AP before roaming to it.
Interswitch Layer 2 Roaming
An associated MU (connected to a particular wireless switch) can roam to another access port connected to a different wireless switch. Both switches must be on the same L2 domain. Authentication information is not shared between the switches, nor is buffered packets on one switch transferred to the other switch. Pre­authentication between the switch and MU allows faster roaming.
International Roaming
The wireless switch supports international roaming as per the 802.11d specification.
MU Move Command
As a value added proprietary feature between Motorola infrastructure products and Motorola MUs, a move command has been introduced. This command permits an MU to roam between ports connected to the same wireless switch without the need to perform the full association and authentication defined by the 802.11 standard. The move command is a simple packet up/packet back exchange with the access port. Verification of this feature is dependent on its implementation in one or more mobile units.
Virtual AP
The switch supports multiple Basic Service Set Identifiers (BSSIDs). An access port capable of supporting multiple BSSID's generates multiple beacons, one per BSSID. Hence, an AP that supports 4 BSSID's can send 4 beacons. The basic requirement for supporting multiple BSSID's is multiple MAC addresses, since each BSSID is defined by its MAC address.
1-14 WS5100 Series Switch System Reference Guide
When multiple BSSID's are enabled, you cannot tell by snooping the air whether any pair of beacons is sent out by the same physical AP or different physical AP. Hence the term "virtual AP's"- each virtual AP behaves exactly like a single-BSSID AP.
Each BSSID supports 1 Extended Service Set Identifier (ESSID). Sixteen ESSIDs per switch are supported.
1.2.2.11 Power Save Polling
An MU uses Power Save Polling (PSP) to reduce power consumption. When an MU is in PSP mode, the switch buffers its packets and delivers them using the DTIM interval. The PSP-Poll packet polls the AP for buffered packets. The PSP null data frame is used by the MU to signal the current PSP state to the AP.
1.2.2.12 QoS
QoS provides the user a data traffic prioritization scheme. A QoS configuration scheme is useful in the case of congestion from excessive traffic or different data rates and link speeds.
If there is enough bandwidth for all users and applications (unlikely because excessive bandwidth comes at a very high cost), then applying QoS has very little value. QoS provides policy enforcement for mission-critical applications and/or users that have critical bandwidth requirements when the switch’s total bandwidth is shared by different users and applications.
The objective of QoS is to ensure each WLAN configured on the switch receives a fair share of the overall bandwidth, either equally or as per the proportion configured. Packets directed towards MUs are classified into categories such as Management, Voice and Data. Packets within each category are processed based on the weights defined for each WLAN.
The switch supports the following QoS types:
802.11e QoS
802.11e enables real-time audio and video streams to be assigned a higher priority over regular data. The switch supports the following 802.11e features:
•Basic WMM
• WMM Linked to 802.1p Priorities
• WMM Linked to DSCP Priorities
• Fully Configurable WMM
• Admission Control
• Unscheduled-APSD
• TSPEC Negotiation
• Block ACKQBSS Beacon Element
802.1p Support
802.1p is a standard for providing QoS in 802-based networks. 802.1p uses three bits to allow switches to re-order packets based on priority level. 802.1p uses the Generic Attributes Registration Protocol (GARP) and the GARP VLAN Registration Protocol (GVRP). GARP allows MUs to request membership within a multicast domain, and GVRP lets them register to a VLAN.
Voice QoS
When switch resources are shared between a Voice over IP (VoIP) conversation and a file transfer, bandwidth is normally exploited by the file transfer, thus reducing the quality of the conversation or even causing it to
disconnect. With QoS, the VoIP conversation (a real-time session), receives priority, maintaining a high level of voice quality. The voice QoS used by the switch ensures:
• Strict Priority
• Spectralink Prioritization
• VOIP Prioritization (IP ToS Field)
• Multicast Prioritization
Data QoS
The switch supports the following for data QoS techniques:
• Egress Prioritization by WLAN
• Egress Prioritization by ACL
DCSCP to AC Mapping
The switch provides for the arbitrary mapping between Differentiated Services Code Point (DCSCP) values and WMM Access Categories. This mapping can be set manually.
1.2.2.13 Wireless Layer 2 Switching
Overview 1-15
The switch supports the following layer 2 wireless switching techniques:
•WLAN to VLAN
• MU User to VLAN
•WLAN to GRE
1.2.2.14 Automatic Channel Selection
Automatic channel selection works as follows:
1. When a new AP is adopted, it scans each channel. However, the switch does not forward traffic at this time.
2. The switch then selects the least crowded channel based on the noise and traffic detected on each channel.
3. The algorithm used is a simplified maximum entropy algorithm for each radio, where the signal strength from adjoining AP's/MU's associated to adjoining AP's is minimized.
4. The algorithm ensures adjoining AP's are as far away from each other as possible in terms of channel assignment.
NOTE: Individual radios can be configured to perform automatic channel selection.
1.2.2.15 WMM-Unscheduled APSD
This feature is also known as WMM Power Save or WMM-UPSD (Unscheduled Power Save Delivery). WMM-UPSD defines an unscheduled service period, which are contiguous periods of time during which the switch is expected to be awake. If the switch establishes a downlink flow and specifies UPSD power management, then it requests and the AP delivers buffered frames associated with that flow during an unscheduled service period. The switch initiates an unscheduled service period by transmitting a trigger frame, where a trigger frame is defined as a data frame (e.g. an uplink voice frame) associated with an uplink
1-16 WS5100 Series Switch System Reference Guide
flow having UPSD enabled. After the AP acknowledges the trigger frame, it transmits the frames in its UPSD power save buffer addressed to the triggering switch.
UPSD is well suited to support bi-directional frame exchanges between a voice STA and its AP

1.2.3 Wired Switching

The switch includes the following wired switching features:
DHCP Servers
DDNS
GRE Tunneling
VLAN Enhancements
Interface Management
Multiple WLAN Support
1.2.3.1 DHCP Servers
Dynamic Host Configuration Protocol (DHCP) allows hosts on an IP network to request and be assigned IP addresses, and discover information about the network to which they are attached. Configure address pools for each subnet, and whenever a DHCP client in that subnet requests an IP address, the DHCP server assigns an IP address from the address pool configured for that subnet.
When a DHCP server allocates an address for a DHCP client, the client is assigned a lease, which expires after an pre-determined interval. Before a lease expires, clients (to which leases are assigned) are expected to renew them to continue to use the addresses. Once the lease expires, the client is no longer permitted to use the leased IP address. For information on defining the switch DHCP configuration, see DHCP Server Settings on page 5-3.
1.2.3.2 DDNS
Dynamic DNS (DDNS) is a method of keeping a domain name linked to a changing IP address. Typically, when a user connects to a network, the user’s ISP assigns it an unused IP address from a pool of IP addresses. This address is only valid for a short period. Dynamically assigning IP addresses increases the pool of assignable IP addresses. DNS maintains a database to map a given name to an IP address used for communication on the Internet. The dynamic assignment of IP addresses makes it necessary to update the DNS database to reflect the current IP address for a given name. Dynamic DNS updates the DNS database to reflect the correct mapping of a given name to an IP address.
1.2.3.3 GRE Tunneling
GRE tunnelling extends a WLAN across a Layer 3 network using standards based GRE tunneling technology.
• GRE tunnels need to be explicitly provisioned on the switch as well as the tunnel termination device present at the other end of the Layer 3 network.
• One or more WLANS on the switch are then mapped to the GRE tunnel interface. The configuration is very similar to mapping WLANs to VLANs.
• All IP packets received from MUs on the WLAN are encapsulated in GRE and sent across the Layer 3 network. The tunnel termination device at the other end decapsulates the GRE header and routes the inner IP packet to its original destination.
• When packets are received on the GRE tunnel interface by the switch, the switch decapsulates the GRE header and forwards the IP packet to the MU based on the destination IP address. The MAC address of the MU is obtained from the MU table.
1.2.3.4 VLAN Enhancements
The switch has incorporated the following VLAN enhancements:
• Physical port (L2) is now operated in Trunk Mode or Access Mode.
• A VLAN now allows an AP to receive and send only untagged packets. All tagged packets received by the AP are discarded. The untagged traffic received is internally placed in an “access vlan”.
• A trunk port can now receive, both tagged and untagged packets. Only one native VLAN per trunk port is supported. All untagged traffic received on is placed into a “native vlan”.
• You can now configure a set of allowed VLANS on a trunk port. Packets received on this port that belong to other VLANs are discarded.
1.2.3.5 Interface Management
The switch permits a physical interface to Auto Negotiate, Full Duplex or Half Duplex. The switch also allows:
Overview 1-17
• Manual bandwidth configuration of a physical interface to 10/100/1000Mbps. This is only permitted if duplex is not set to Auto-Negotiate.
• Manual configuration of administrative shutdown of a physical interface.
1.2.3.6 Multiple WLAN Support
A WS5100 switch supports 32 WLANS.

1.2.4 Management Features

The switch includes the following management features:
• Secure browser-based management console
Command Line Interface (CLI) accessible via the serial port or through a Secure Shell (SSH) application
• CLI Service mode enables the capture of system status information that can be sent to Motorola personnel for use in problem resolution
• Support for Simple Network Management Protocol (SNMP) version 3 as well as SNMP version 2
• TFTP upload and download of access port firmware and configuration files
• Graphing of wireless statistics
• Dashboard summary of system state in the Web UI
• Multi switch management via MSP application
• Heat Map support for RF deployment
• Secure Guest Access
• Switch Discovery enabling users to discover each Motorola switch on the specified network.
1-18 WS5100 Series Switch System Reference Guide

1.2.5 Security Features

The switch security can be classified into wireless security and wired security.
The switch includes the following Wireless Security features:
Encryption and Authentication
MU Authentication
Secure Beacon
MU to MU Allow
MU to MU Disallow
Switch-to-Wired
802.1x Authentication
IEEE 802.1AB LLDP
WIPS
Rogue AP Detection
The switch includes the following wired security features:
ACLs
Local Radius Server
IPSec VPN
NAT
Certificate Management
1.2.5.1 Encryption and Authentication
The switch can implement the following encryption and authentication types:
WEP
WPA
WPA2
Keyguard-WEP
WEP
Wired Equivalent Privacy (WEP) is an encryption scheme used to secure wireless networks. WEP was intended to provide comparable confidentiality to a traditional wired network, hence the name. WEP had many serious weaknesses and hence was superseded by Wi-Fi Protected Access (WPA). Regardless, WEP still provides a level of security that can deter casual snooping. For more information on configuring WEP for a target WLAN, see Configuring WEP 64 on page 4-40 or Configuring WEP 128 / KeyGuard on page 4-41.
WEP uses passwords entered manually at both ends (Pre Shared Keys). Using the RC4 encryption algorithm, WEP originally specified a 40-bit key, but was later boosted to 104 bits. Combined with a 24-bit initialization vector, WEP is often touted as having a 128-bit key.
Overview 1-19
WPA
WPA is designed for use with an 802.1X authentication server, which distributes different keys to each user; however, it can also be used in a less secure pre-shared key (PSK) mode, where every user is given the same passphrase.
WPA uses Temporal Key Integrity Protocol (TKIP), which dynamically changes keys as the system is used. When combined with the much larger Initialization Vector, it defeats well-known key recovery attacks on WEP. For information on configuring WPA for a WLAN, see Configuring WPA/WPA2 using TKIP and CCMP on page 4-43.
WPA2
WPA2 uses a sophisticated key hierarchy that generates new encryption keys each time a MU associates with an access point. Protocols including 802.1X, EAP and Radius are used for strong authentication. WPA2 also supports the TKIP and AES-CCMP encryption protocols. For information on configuring WPA for a WLAN, see Configuring WPA/WPA2 using TKIP and CCMP on page 4-43.
Keyguard-WEP
KeyGuard is Motorola’s proprietary dynamic WEP solution. Motorola (upon hearing of the vulnerabilities of WEP) developed a non standard method of rotating keys to prevent compromises. Basically, KeyGuard is TKIP without the message integrity check MIC. KeyGuard is proprietary to Motorola MUs only. For information on configuring KeyGuard for a WLAN, see Configuring WEP 128 / KeyGuard on page 4-41.
1.2.5.2 MU Authentication
The switch uses the following authentication schemes for MU association:
Kerberos
802.1x EAP
MAC ACL
Refer to Editing the WLAN Configuration on page 4-22 to WLAN MU authentication.
Kerberos
Kerberos allows for mutual authentication and end-to-end encryption. All traffic is encrypted and security keys are generated on a per-client basis. Keys are never shared or reused, and are automatically distributed in a secure manner. For information on configuring Kerberos for a WLAN, see Configuring Kerboros on page 4-27.
802.1x EAP
802.1x EAP is the most secure authentication mechanism for wireless networks and includes EAP-TLS, EAP-TTLS and PEAP. The switch is a proxy for Radius packets. An MU does a full 802.11 authentication and association and begins transferring data frames. The switch realizes the MU needs to authenticate with a Radius server and denies any traffic not Radius related. Once Radius completes its authentication process, the MU is allowed to send other data traffic. You can use either an onboard Radius server or internal Radius Server for authentication purpose. For information on configuring 802.1x EAP for a WLAN, see Configuring 802.1x EAP on page 4-26.
MAC ACL
The MAC ACL feature is basically a dynamic MAC ACL where MUs are allowed/denied access to the network based on their configuration on the Radius server. The switch allows 802.11 authentication and association, then checks with the Radius server to see if the MAC address is allowed on the network. The Radius packet
1-20 WS5100 Series Switch System Reference Guide
uses the MAC address of the MU as both the username and password (this configuration is also expected on the Radius server). MAC-Auth supports all encryption types, and (in case of 802.11i) the handshake is allowed to be completed before the Radius lookup begins. For information on configuring 802.1x EAP for a WLAN, see Configuring Dynamic MAC ACL on page 4-36.
1.2.5.3 Secure Beacon
All the devices in a wireless network use Service Set Identifiers (SSIDs) to communicate. An SSID is a text string up to 32 bytes long. An AP in the network announces its status by using beacons. To avoid others from accessing the network, the most basic security measure adopted is to change the default SSID to one not easily recognizable, and disable the broadcast of the SSID.
The SSID is a code attached to all packets on a wireless network to identify each packet as part of that network. All wireless devices attempting to communicate with each other must share the same SSID. Apart from identifying each packet, the SSID also serves to uniquely identify a group of wireless network devices used in a given service set.
1.2.5.4 MU to MU Allow
MU to MU allow enables frames from one MU (where the destination MAC is that of another MU) to be switched to the second MU.
1.2.5.5 MU to MU Disallow
Use MU to MU Disalllow to restrict MU to MU communication within a WLAN. The default is ‘no’, which allows MUs to exchange packets with other MUs. It does not prevent MUs on other WLANs from sending packets to this WLAN. You would have to enable MU to MU Disallow on the other WLAN.
1.2.5.6 Switch-to-Wired
The MU frames are switched out to the wired network (out of the switch). Another upstream device decides whether the frame should be sent back to the second MU, and if so it sends the frame back to the switch, and it is switched out just like any other frame on the wire. This allows a drop/allow decision to be made by a device other than the wireless switch.
1.2.5.7 802.1x Authentication
802.1x Authentication cannot be disabled (its always enabled). A factory delivered out-of-the-box AP300 supports 802.1x authentication using a default username and password. EAP-MD5 is used for 802.1x.
• The default username is admin
• The default password is symbol
When you initially switch packets on an out-of-the-box AP300 port, it immediately attempts to authenticate using 802.1x. Since 802.1x supports supplicant initiated authentication, the AP300 attempts to initiate the authentication process.
On reset (all resets including power-up), the AP300 sends an EAPOL start message every time it sends a Hello message (periodically every 1 second). The EAPOL start is the supplicant initiated attempt to become authenticated.
If an appropriate response is received in response to the EAPOL start message, the AP300 attempts to proceed with the authentication process to completion. Upon successful authentication, the AP300 transmits the Hello message and the download proceeds the way as it does today.
Loading...
+ 334 hidden pages
Buy Points How it Works FAQ Contact Us Questions and Suggestions Privacy Policy Cookie Policy Terms of Use