SMC Networks SMCE21011 User manual

Page 1
USER GUIDE
SMCE21011
EliteConnect™ SMCE21011
802.11b/g/n AP
Page 2
20 Mason Irvine, CA 92618 Phone: (949) 679-8000
April 2009
Pub. # XXXXXXXXXXX
E042009-DT-R01
Page 3
Information furnished by SMC Networks, Inc. (SMC) is believed to be accurate and reliable. However, no responsibility is assumed by SMC for its use, nor for any infringements of patents or other rights of third parties which may result from its use. No license is granted by implication or otherwise under any patent or patent rights of SMC. SMC reserves the right to change specifications at any time without notice.
Copyright © 2009 by
SMC Networks, Inc.
20 Mason
Irvine, CA 92618
All rights reserved
Trademarks: SMC is a registered trademark; and EZ Switch, TigerStack, TigerSwitch, and TigerAccess are
trademarks of SMC Networks, Inc. Other product and company names are trademarks or registered trademarks of their respective holders.
Page 4
LIMITED WARRANTY
Limited Warranty Statement: SMC Networks, Inc. (“SMC”) warrants its products to be free from defects in workmanship and materials, under normal use and service, for the applicable warranty term. All SMC products carry a standard 90-day limited warranty from the date of purchase from SMC or its Authorized Reseller. SMC may, at its own discretion, repair or replace any product not operating as warranted with a similar or functionally equivalent product, during the applicable warranty term. SMC will endeavor to repair or replace any product returned under warranty within 30 days of receipt of the product.
The standard limited warranty can be upgraded to a Limited Lifetime* warranty by registering new products within 30 days of purchase from SMC or its Authorized Reseller. Registration can be accomplished via the enclosed product registration card or online via the SMC Web site. Failure to register will not affect the standard limited warranty. The Limited Lifetime warranty covers a product during the Life of that Product, which is defined as the period of time during which the product is an “Active” SMC product. A product is considered to be “Active” while it is listed on the current SMC price list. As new technologies emerge, older technologies become obsolete and SMC will, at its discretion, replace an older product in its product line with one that incorporates these newer technologies. At that point, the obsolete product is discontinued and is no longer an “Active” SMC product. A list of discontinued products with their respective dates of discontinuance can be found at: http://www.smc.com/index.cfm?action=customer_service_warranty.
All products that are replaced become the property of SMC. Replacement products may be either new or reconditioned. Any replaced or repaired product carries either a 30-day limited warranty or the remainder of the initial warranty, whichever is longer. SMC is not responsible for any custom software or firmware, configuration information, or memory data of Customer contained in, stored on, or integrated with any products returned to SMC pursuant to any warranty. Products returned to SMC should have any customer-installed accessory or add-on components, such as expansion modules, removed prior to returning the product for replacement. SMC is not responsible for these items if they are returned with the product.
Customers must contact SMC for a Return Material Authorization number prior to returning any product to SMC. Proof of purchase may be required. Any product returned to SMC without a valid Return Material Authorization (RMA) number clearly marked on the outside of the package will be returned to customer at customer’s expense. For warranty claims within North America, please call our toll-free customer support number at (800) 762-4968. Customers are responsible for all shipping charges from their facility to SMC. SMC is responsible for return shipping charges from SMC to customer.
WARRANTIES EXCLUSIVE: IF AN SMC PRODUCT DOES NOT OPERATE AS WARRANTED ABOVE, CUSTOMER’S SOLE REMEDY SHALL BE REPAIR OR REPLACEMENT OF THE PRODUCT IN QUESTION, AT SMC’S OPTION. THE FOREGOING WARRANTIES AND REMEDIES ARE EXCLUSIVE AND ARE IN
Page 5
LIEU OF ALL OTHER WARRANTIES OR CONDITIONS, EXPRESS OR IMPLIED, EITHER IN FACT OR BY OPERATION OF LAW, STATUTORY OR OTHERWISE, INCLUDING WARRANTIES OR CONDITIONS OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. SMC NEITHER ASSUMES NOR AUTHORIZES ANY OTHER PERSON TO ASSUME FOR IT ANY OTHER LIABILITY IN CONNECTION WITH THE SALE, INSTALLATION, MAINTENANCE OR USE OF ITS PRODUCTS. SMC SHALL NOT BE LIABLE UNDER THIS WARRANTY IF ITS TESTING AND EXAMINATION DISCLOSE THE ALLEGED DEFECT IN THE PRODUCT DOES NOT EXIST OR WAS CAUSED BY CUSTOMER’S OR ANY THIRD PERSON’S MISUSE, NEGLECT, IMPROPER INSTALLATION OR TESTING, UNAUTHORIZED ATTEMPTS TO REPAIR, OR ANY OTHER CAUSE BEYOND THE RANGE OF THE INTENDED USE, OR BY ACCIDENT, FIRE, LIGHTNING, OR OTHER HAZARD.
LIMITATION OF LIABILITY: IN NO EVENT, WHETHER BASED IN CONTRACT OR TORT (INCLUDING NEGLIGENCE), SHALL SMC BE LIABLE FOR INCIDENTAL, CONSEQUENTIAL, INDIRECT, SPECIAL, OR PUNITIVE DAMAGES OF ANY KIND, OR FOR LOSS OF REVENUE, LOSS OF BUSINESS, OR OTHER FINANCIAL LOSS ARISING OUT OF OR IN CONNECTION WITH THE SALE, INSTALLATION, MAINTENANCE, USE, PERFORMANCE, FAILURE, OR INTERRUPTION OF ITS PRODUCTS, EVEN IF SMC OR ITS AUTHORIZED RESELLER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
SOME STATES DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES OR THE LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES FOR CONSUMER PRODUCTS, SO THE ABOVE LIMITATIONS AND EXCLUSIONS MAY NOT APPLY TO YOU. THIS WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS, WHICH MAY VARY FROM STATE TO STATE. NOTHING IN THIS WARRANTY SHALL BE TAKEN TO AFFECT YOUR STATUTORY RIGHTS.
* SMC will provide warranty service for one year following discontinuance from the active SMC price list. Under the limited lifetime warranty, internal and external power supplies, fans, and cables are covered by a standard one-year warranty from date of purchase.
SMC Networks, Inc.
20 Mason
Irvine, CA 92618
Page 6
Page 7

COMPLIANCES

FEDERAL COMMUNICATION COMMISSION INTERFERENCE STATEMENT
This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one of the following measures:
Reorient or relocate the receiving antenna
Increase the separation between the equipment and receiver
Connect the equipment into an outlet on a circuit different from that to which the receiver is connected
Consult the dealer or an experienced radio/TV technician for help
This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) This device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation.
FCC Caution: Any changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate this equipment.
For product available in the USA/Canada market, only channel 1~11 can be operated. Selection of other channels is not possible.
This device and its antenna(s) must not be co-located or operating in conjunction with any other antenna or transmitter.
When this device is operated in the 5.15~5.25 GHz frequency range, it is restricted to indoor environments only.
Page 8
IMPORTANT NOTE: FCC RADIATION EXPOSURE STATEMENT
This equipment complies with FCC radiation exposure limits set forth for an uncontrolled environment. This equipment should be installed and operated with minimum distance 20 cm between the radiator & your body.
IC STATEMENT:
This Class B digital apparatus complies with Canadian ICES-003. Operation is subject to the following two conditions: (1) this device may not cause interference, and (2) this device must accept any interference, including interference that may cause undesired operation of the device.
This Class B digital apparatus complies with Canadian standard NMB-003.
To reduce potential radio interference to other users, the antenna type and its gain should be so chosen that the equivalent isotropically radiated power (e.i.r.p) is not more than that permitted for successful communication.
This device has been designed to operate with the antennas listed below, and having a maximum gain of [5] dB. Antennas not included in this list or having a gain greater than [5] dB are strictly prohibited for use with this device. The required antenna impedance is 50 ohms.
The device could automatically discontinue transmission in case of absence of information to transmit, or operational failure. Note that this is not intended to prohibit transmission of control or signaling information or the use of repetitive codes where required by the technology.
The device for the band 5150-5250 MHz is only for indoor usage to reduce potential for harmful interference to co-channel mobile satellite systems.
The maximum antenna gain permitted (for devices in the band 5725-5825 MHz) to comply with the e.i.r.p. limits specified for point-to-point and non point-to-point operation as appropriate, as stated in section A9.2(3).
IMPORTANT NOTE: IC Radiation Exposure Statement: This equipment complies with IC RSS-102 radiation exposure limits set forth for an uncontrolled environment. This equipment should be installed and operated with minimum distance 20 cm between the radiator & your body.
Page 9
AUSTRALIA/NEW ZEALAND AS/NZS 4771
ACN 066 352010
JAPAN VCCI CLASS B
TAIWAN NCC
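According to the Ministry of Transportation and Communications regulations governing low-power radio-frequency devices:
Article 12: For low-power radio-frequency devices that have passed type approval, no company, business, or user may, without permission, change the frequency, increase the power, or alter the characteristics and functions of the original design.
Article 14: The use of low-power radio-frequency devices must not affect aviation safety or interfere with legal communications; if interference is found, use must stop immediately and may resume only after the interference has been eliminated. The legal communications referred to above are radio communications operated in accordance with the Telecommunications Act. Low-power radio-frequency devices must tolerate interference from legal communications or from industrial, scientific, and medical radio-wave radiating equipment.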
EC CONFORMANCE DECLARATION
Marking by the above symbol indicates compliance with the Essential Requirements of the R&TTE Directive of the European Union (1999/5/EC). This equipment meets the following conformance standards:
EN 60950-1 (IEC 60950-1) - Product Safety
EN 301 893 - Technical requirements for 5 GHz radio equipment
EN 300 328 - Technical requirements for 2.4 GHz radio equipment
EN 301 489-1 / EN 301 489-17 - EMC requirements for radio equipment
This device is intended for use in the following European Community and EFTA countries:
Austria Belgium Cyprus Czech Republic Denmark
Estonia Finland France Germany Greece
Hungary Iceland Ireland Italy Latvia
Liechtenstein Lithuania Luxembourg Malta Netherlands
Norway Poland Portugal Slovakia Slovenia
Spain Sweden Switzerland United Kingdom
Requirements for indoor vs. outdoor operation, license requirements and allowed channels of operation apply in some countries as described below:
Page 10
In Italy the end-user must apply for a license from the national spectrum authority to operate this device outdoors.
In Belgium outdoor operation is only permitted using the 2.46 - 2.4835 GHz band: Channel 13.
In France outdoor operation is only permitted using the 2.4 - 2.454 GHz band: Channels 1 - 7.
NOTE: The user must use the configuration utility provided with this product to ensure the channels of operation are in conformance with the spectrum usage rules for European Community countries as described below.
This device requires that the user or installer properly enter the current country of operation in the command line interface as described in the user guide, before operating this device.
This device will automatically limit the allowable channels determined by the current country of operation. Incorrectly entering the country of operation may result in illegal operation and may cause harmful interference to other systems. The user is obligated to ensure the device is operating according to the channel limitations, indoor/outdoor restrictions and license requirements for each European Community country as described in this document.
This device employs a radar detection feature required for European Community operation in the 5 GHz band. This feature is automatically enabled when the country of operation is correctly configured for any European Community country. The presence of nearby radar operation may result in temporary interruption of operation of this device. The radar detection feature will automatically restart operation on a channel free of radar.
The 5 GHz Turbo Mode feature is not allowed for operation in any European Community country. The current setting for this feature is found in the 5 GHz 802.11a Radio Settings Window as described in the user guide.
The 5 GHz radio's Auto Channel Select setting described in the user guide must always remain enabled to ensure that automatic 5 GHz channel selection complies with European requirements. The current setting for this feature is found in the 5 GHz 802.11a Radio Settings Window as described in the user guide.
This device is restricted to indoor use when operated in the European Community using the 5.15 - 5.35 GHz band: Channels 36, 40, 44, 48, 52, 56, 60, 64. See table below for allowed 5 GHz channels by country.
This device may be operated indoors or outdoors in all countries of the European Community using the 2.4 GHz band: Channels 1 - 13, except where noted below.
Page 11
In Italy the end-user must apply for a license from the national spectrum authority to operate this device outdoors.
In Belgium outdoor operation is only permitted using the 2.46 - 2.4835 GHz band: Channel 13.
In France outdoor operation is only permitted using the 2.4 - 2.454 GHz band: Channels 1 - 7.
OPERATION USING 5 GHZ CHANNELS IN THE EUROPEAN COMMUNITY
The user/installer must use the provided configuration utility to check the current channel of operation and make necessary configuration changes to ensure operation occurs in conformance with European National spectrum usage laws as described below and elsewhere in this document.
Allowed Frequency Bands | Allowed Channel Numbers | Countries
5.15 - 5.25 GHz* | 36, 40, 44, 48 | Austria, Belgium
5.15 - 5.35 GHz* | 36, 40, 44, 48, 52, 56, 60, 64 | France, Switzerland, Liechtenstein
5.15 - 5.35* & 5.470 - 5.725 GHz | 36, 40, 44, 48, 52, 56, 60, 64, 100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140 | Denmark, Finland, Germany, Iceland, Ireland, Italy, Luxembourg, Netherlands, Norway, Portugal, Spain, Sweden, U.K.
5 GHz Operation Not Allowed | None | Greece
* Outdoor operation is not allowed using 5.15-5.35 GHz bands (Channels 36 - 64).
DECLARATION OF CONFORMITY IN LANGUAGES OF THE EUROPEAN COMMUNITY
Czech
Estonian (Eesti): SMC hereby confirms that the Radio LAN device conforms to the essential requirements of Directive 1999/5/EC and to the other relevant provisions arising from that directive.
English: Hereby, SMC, declares that this Radio LAN device is in compliance with the essential requirements and other relevant provisions of Directive 1999/5/EC.
Finnish (Suomi): The manufacturer SMC hereby declares that the Radio LAN device type of equipment complies with the essential requirements of Directive 1999/5/EC and with the other provisions of the directive that apply to it.
Dutch (Nederlands): SMC hereby declares that the Radio LAN device is in compliance with the essential requirements and the other relevant provisions of Directive 1999/5/EC. SMC hereby declares that this Radio LAN device meets the essential requirements and the other relevant provisions of Directive 1999/5/EC.
French (Français): SMC hereby declares that the Radio LAN device complies with the essential requirements and the other relevant provisions of Directive 1999/5/EC.
Page 12
Swedish (Svenska): SMC hereby certifies that this Radio LAN device is in conformity with the essential requirements and other relevant provisions set out in Directive 1999/5/EC.
Danish (Dansk): The undersigned, SMC, hereby declares that the following equipment, Radio LAN device, complies with the essential requirements and other relevant requirements of Directive 1999/5/EC.
German (Deutsch): SMC hereby declares that this Radio LAN device is in conformity with the essential requirements and the other relevant provisions of Directive 1999/5/EC. (BMWi) SMC hereby declares the conformity of the Radio LAN device with the essential requirements and the other relevant stipulations of Directive 1999/5/EC. (Vienna)
Greek (ελληνικά): SMC hereby declares that the radio LAN device complies with the essential requirements and the other relevant provisions of Directive 1999/5/EC.
Hungarian (Magyar): I, the undersigned, SMC, declare that the Radio LAN complies with the relevant essential requirements and the other provisions of Directive 1999/5/EC.
Italian (Italiano): SMC hereby declares that this Radio LAN device complies with the essential requirements and the other relevant provisions established by Directive 1999/5/EC.
Latvian (Latviski)
Lithuanian
Maltese (Malti)
Spanish (Español): SMC hereby declares that the Radio LAN device complies with the essential requirements and any other applicable or enforceable provisions of Directive 1999/5/EC.
Polish (Polski)
Portuguese (Português): SMC declares that this Radio LAN device complies with the essential requirements and other provisions of Directive 1999/5/EC.
Slovak (Slovensky)
Slovenian (Slovensko): SMC declares that this Radio LAN is in compliance with the essential requirements and the other relevant provisions of Directive 1999/5/EC.
Page 13

ABOUT THIS GUIDE

PURPOSE This guide gives specific information on how to install the 11n wireless access point and its physical and performance related characteristics. It also gives information on how to operate and use the management functions of the access point.
AUDIENCE This guide is intended for use by network administrators who are responsible for installing, operating, and maintaining network equipment; consequently, it assumes a basic working knowledge of LANs (Local Area Networks), the Internet Protocol (IP), and Simple Network Management Protocol (SNMP).
CONVENTIONS The following conventions are used throughout this guide to show information:
NOTE: Emphasizes important information or calls your attention to related features or instructions.
CAUTION: Alerts you to a potential hazard that could cause loss of data, or damage the system or equipment.
WARNING: Alerts you to a potential hazard that could cause personal injury.
RELATED PUBLICATIONS As part of the access point’s software, there is an online web-based help that describes all management related features.
REVISION HISTORY This section summarizes the changes in each revision of this guide.
MARCH 2009 REVISION
This is the first revision of this guide.
Page 14

CONTENTS

LIMITED WARRANTY 4
COMPLIANCES 7
ABOUT THIS GUIDE 13
CONTENTS 14
FIGURES 19
TABLES 21
INDEX OF CLI COMMANDS 23
SECTION I GETTING STARTED 26
1 INTRODUCTION 27
  Key Hardware Features 27
  Description of Capabilities 27
  Package Contents 28
  Hardware Description 29
  Antennas 30
  External Antenna Connector 30
  LED Indicators 32
  Console Port 33
  Ethernet Port 33
  Power Connector 33
  Reset Button 34
2 NETWORK TOPOLOGIES 35
  Interference Issues 35
  Infrastructure Wireless LAN 35
  Infrastructure Wireless LAN for Roaming Wireless PCs 36
  Infrastructure Wireless Bridge 37
Page 15
3 INSTALLING THE ACCESS POINT 39
  Location Selection 39
  Mounting on a Horizontal Surface 40
  Mounting on a Wall 41
  Connecting and Powering On 42
4 INITIAL CONFIGURATION 43
  Connecting to the Login Page 43
  Home Page and Main Menu 44
  Common Web Page Buttons 45
  Quick Start 46
  Step 1 46
  Step 2 47
  Step 3 49
  Main Menu Items 50
SECTION II WEB CONFIGURATION 51
5 SYSTEM SETTINGS 52
  Administration Settings 52
  IP Address 54
  Radius Settings 55
  Primary and Secondary RADIUS Server Setup 56
  RADIUS Accounting 58
  System Time 58
  SNTP Server Settings 59
  Time Zone Setting 59
  Daylight Saving Settings 60
  SpectraLink Voice Priority 60
  VLAN Configuration 60
  System Logs 62
  Quick Start Wizard 64
6 MANAGEMENT SETTINGS 65
  Remote Management Settings 65
  Access Limitation 67
  Simple Network Management Protocol 68
Page 16
  SNMP Basic Settings 68
  SNMP Trap Settings 70
  View Access Control Model 71
  SNMPv3 Users 73
  SNMPv3 Targets 74
  SNMPv3 Notification Filters 74
7 ADVANCED SETTINGS 76
  Local Bridge Filter 76
  Link Layer Discovery Protocol 77
  Access Control Lists 78
  Source Address Settings 78
  Destination Address Settings 79
  Ethernet Type 80
8 WIRELESS SETTINGS 82
  Spanning Tree Protocol (STP) 82
  Bridge 83
  Ethernet Interface 84
  Wireless Interface 85
  Authentication 85
  Local Authentication 85
  RADIUS MAC Authentication 87
  Interface Mode 88
  Radio Settings 89
  Virtual Access Points (VAPs) 93
  VAP Basic Settings 94
  WDS-STA Mode 95
  Wireless Security Settings 95
  Wired Equivalent Privacy (WEP) 97
  QoS 99
9 MAINTENANCE SETTINGS 103
  Upgrading Firmware 103
  Running Configuration 106
  Resetting the Access Point 107
10 STATUS INFORMATION 109
  AP Status 109
Page 17
  AP System Configuration 109
  AP Wireless Configuration 111
  Station Status 112
  System Logs 112
SECTION III COMMAND LINE INTERFACE 114
11 USING THE COMMAND LINE INTERFACE 116
  Console Connection 116
  Telnet Connection 117
  Entering Commands 118
  Keywords and Arguments 118
  Minimum Abbreviation 118
  Command Completion 118
  Getting Help on Commands 118
  Showing Commands 118
  Negating the Effect of Commands 119
  Using Command History 119
  Understanding Command Modes 119
  Exec Commands 120
  Configuration Commands 120
  Command Line Processing 121
12 GENERAL COMMANDS 122
13 SYSTEM MANAGEMENT COMMANDS 127
  System Management Commands 127
14 SYSTEM LOGGING COMMANDS 143
15 SYSTEM CLOCK COMMANDS 148
16 DHCP RELAY COMMANDS 152
17 SNMP COMMANDS 154
18 FLASH/FILE COMMANDS 167
19 RADIUS CLIENT COMMANDS 170
20 802.1X AUTHENTICATION COMMANDS 175
Page 18
21 MAC ADDRESS AUTHENTICATION COMMANDS 177
22 FILTERING COMMANDS 181
23 SPANNING TREE COMMANDS 186
24 WDS BRIDGE COMMANDS 193
25 ETHERNET INTERFACE COMMANDS 195
26 WIRELESS INTERFACE COMMANDS 201
27 WIRELESS SECURITY COMMANDS 218
28 LINK LAYER DISCOVERY COMMANDS 228
29 VLAN COMMANDS 232
30 WMM COMMANDS 235
SECTION IV APPENDICES 240
A TROUBLESHOOTING 241
  Diagnosing LED Indicators 241
  Before Contacting Technical Support 241
B HARDWARE SPECIFICATIONS 244
C CABLES AND PINOUTS 247
  Twisted-Pair Cable Assignments 247
  10/100BASE-TX Pin Assignments 248
  Straight-Through Wiring 248
  Crossover Wiring 249
  1000BASE-T Pin Assignments 250
  Cable Testing for Existing Category 5 Cable 250
  Adjusting Existing Category 5 Cabling to Run 1000BASE-T 250
  Console Port Pin Assignments 251
GLOSSARY 252
INDEX 256
Page 19

FIGURES

Figure 1: Top Panel 29
Figure 2: Rear Panel 29
Figure 3: Ports 30
Figure 4: External Antenna Connector 31
Figure 5: Screw-off External Antenna Connector - Close Up 31
Figure 6: LEDs 32
Figure 7: Infrastructure Wireless LAN 36
Figure 8: Infrastructure Wireless LAN for Roaming Wireless PCs 37
Figure 9: Bridging Mode 38
Figure 10: Attach Feet 40
Figure 11: Wall Mounting 41
Figure 12: Login Page 43
Figure 13: Home Page 44
Figure 14: Set Configuration Changes 45
Figure 15: Help Menu 45
Figure 16: Quick Start - Step 1 46
Figure 17: Quick Start - Step 2 47
Figure 18: Quick Start - Step 3 49
Figure 19: Administration 53
Figure 20: Set DNS Address 54
Figure 21: TCP/IP Settings 54
Figure 22: Invalid DNS 55
Figure 23: RADIUS Settings 57
Figure 24: SNTP Settings 59
Figure 25: SVP Settings 60
Figure 26: Setting the VLAN Identity 62
Figure 27: System Log Settings 63
Figure 28: Remote Management 66
Figure 29: Access Limitation 67
Figure 30: SNMP Basic Settings 69
Figure 31: SNMP Trap Settings 70
Page 20
Figure 32: SNMP VACM 71
Figure 33: Configuring SNMPv3 Users 73
Figure 34: SNMPv3 Targets 74
Figure 35: SNMP Notification Filter 75
Figure 36: Local Bridge Filter 76
Figure 37: LLDP Settings 77
Figure 38: Source ACLs 79
Figure 39: Destination ACLs 79
Figure 40: Ethernet Type Filter 81
Figure 41: Spanning Tree Protocol 83
Figure 42: Local Authentication 86
Figure 43: RADIUS Authentication 87
Figure 44: Interface Mode 88
Figure 45: Radio Settings 90
Figure 46: VAP Settings 93
Figure 47: VAP Basic Settings 94
Figure 48: WDS-STA Mode 95
Figure 49: Configuring VAPs - Common Settings 96
Figure 50: WEP Configuration 98
Figure 51: WMM Backoff Wait Times 100
Figure 52: QoS 101
Figure 53: Firmware 104
Figure 54: Running Configuration File 106
Figure 55: Resetting the Access Point 107
Figure 56: AP System Configuration 110
Figure 57: AP Wireless Configuration 111
Figure 58: Station Status 112
Figure 59: System Logs 112
Figure 60: RJ-45 Connector 247
Figure 61: Straight Through Wiring 249
Figure 62: Crossover Wiring 249
Figure 63: DB-9 Connector 251
Page 21

TABLES

Table 1: Key Hardware Features 27
Table 2: LED Behavior 32
Table 3: RADIUS Attributes 62
Table 4: Logging Levels 64
Table 5: WMM Access Categories 99
Table 6: Command Modes 120
Table 7: Keystroke Commands 121
Table 8: General Commands 122
Table 9: System Management Commands 127
Table 10: Country Codes 128
Table 11: System Management Commands 143
Table 12: Logging Levels 145
Table 13: System Clock Commands 148
Table 14: DHCP Relay Commands 152
Table 15: SNMP Commands 154
Table 16: Flash/File Commands 167
Table 17: RADIUS Client Commands 170
Table 18: 802.1x Authentication 175
Table 19: MAC Address Authentication 177
Table 20: Filtering Commands 181
Table 21: Spanning Tree Commands 186
Table 22: WDS Bridge Commands 193
Table 23: Ethernet Interface Commands 195
Table 24: Wireless Interface Commands 201
Table 25: Wireless Security Commands 218
Table 26: Link Layer Discovery Commands 228
Table 27: VLAN Commands 232
Table 28: WMM Commands 235
Table 29: AP Parameters 237
Table 30: BSS Parameters 237
Table 31: LED Indicators 241
Page 22
Table 32: 10/100BASE-TX MDI and MDI-X Port Pinouts 248
Table 33: 1000BASE-T MDI and MDI-X Port Pinouts 250
Table 34: 10/100BASE-TX MDI and MDI-X Port Pinouts 251
Page 23

INDEX OF CLI COMMANDS

802.1x enable 175
802.1x session-timeout 176
address filter default 177
address filter delete 178
address filter entry 178
a-mpdu 203
a-msdu 203
APmgmtIP 135
APmgmtUI 136
assoc-timeout-interval 214
auth 218
auth-timeout-value 214
beacon-interval 210
bridge stp br-conf forwarding-delay 187
bridge stp br-conf hello-time 187
bridge stp br-conf interface 189
bridge stp br-conf max-age 188
bridge stp br-conf priority 188
bridge stp service 186
bridge-link path-cost 198
bridge-link port-priority 199
channel 204
cipher-suite 222
cli-session-timeout 123
closed-system 213
configure 122
copy 168
country 128
description 212
dhcp-relay 153
dhcp-relay enable 152
dns server 196
dtim-period 210
dual-image 167
encryption 220
end 123
exit 123
filter acl-destination-address enable 183
filter acl-destination-address mac-address 183
filter acl-source-address enable 182
filter acl-source-address mac-address 183
filter ap-manage 182
filter ethernet-type enabled 184
filter ethernet-type protocol 184
filter local-bridge 181
interface ethernet 195
interface wireless 202
interface-radio-mode 205
ip address 196
ip dhcp 197
ip http port 133
ip http server 133
ip https port 134
ip https server 134
ip ssh-server enable 131
ip ssh-server port 132
ip telnet-server enable 132
key 221
lldp service 228
lldp transmit delay-to-local-change 230
lldp transmit interval 229
lldp transmit re-init-delay 229
lldp-transmit hold-muliplier 229
logging clear 146
logging console 144
logging facility-type 145
logging host 144
logging level 145
logging on 143
mac-authentication server 179
mac-authentication session-timeout 179
make-rf-setting-effective 207
make-security-effective 225
management-vlanid 233
password 131
ping 124
pmksa-lifetime 224
preamble 208
prompt 129
protection-method 209
radius-server accounting timeout-interim 173
radius-server accounting key 173
radius-server accounting port 172
radius-server accounting-address 172
radius-server address 171
radius-server enable 170
radius-server key 171
radius-server port 171
reset 125
rts-threshold 211
short-guard-interval 209
show apmanagement 137
show authentication 176
Page 24
show bridge br-conf 190
show bridge forward address 192
show bridge port-conf 190
show bridge status 192
show bridge stp 190
show config 138
show dhcp-relay 153
show dual-image 169
show event-log 147
show filters 185
show hardware 142
show history 125
show interface ethernet 200
show interface wireless 215
show line 126
show lldp 230
show logging 146
show radius 174
show snmp target 164
show snmp users 164
show snmp vacm group / show snmp vacm view 165
show sntp 151
show station 217
show system 137
show version 138
show wds wireless 194
shutdown 198
shutdown 214
snmp-server community 154
snmp-server contact 155
snmp-server enable server 156
snmp-server filter 163
snmp-server host 157
snmp-server location 155
snmp-server targets 162
snmp-server trap 157
snmp-server user 161
snmp-server vacm group 160
snmp-server vacm view 159
sntp-server date-time 149
sntp-server daylight-saving 150
sntp-server enable 149
sntp-server ip 148
sntp-server timezone 150
ssid 212
system name 130
transmit-key 222
transmit-power 205
username 130
vap 203
vlan 232
vlan-id 234
wds ap 193
wds sta 193
wmm 235
wmm-acknowledge-policy 236
wmmparam 236
wpa-pre-shared-key 224
Page 25
Page 26
SECTION I

GETTING STARTED

This section provides an overview of the access point, and introduces some basic concepts about wireless networking. It also describes the basic settings required to access the management interface.
This section includes these chapters:
“Introduction” on page 27
“Network Topologies” on page 35
“Installing the access point” on page 39
“Initial Configuration” on page 43
Page 27
1 INTRODUCTION
The EliteConnect™ SMCE21011 is an IEEE 802.11n access point (AP) that meets draft 2.0 standards. It is fully interoperable with older 802.11a/b/g standards, providing a transparent, wireless high speed data communication between the wired LAN and fixed or mobile devices. The unit includes three detachable dual-band 2.4/5 GHz antennas with the option to attach higher specification external antennas that boost network coverage.

KEY HARDWARE FEATURES

The following table describes the main hardware features of the AP.
Table 1: Key Hardware Features
Feature | Description
Antennas | Three detachable dual-band 2.4/5 GHz MIMO antennas.
LAN Port | One 1000BASE-T RJ-45 port that supports a Power over Ethernet (PoE) connection to power the device.
Console Port | Console connection through an RJ-45 port with included RS-232 serial cable.
Reset Button | For resetting the unit and restoring factory defaults.
LEDs | Provides LED indicators for system status, wireless radio status, and LAN port status.
Power | Power over Ethernet (PoE) support through the RJ-45 Ethernet port, or from an external AC power adapter.
Mounting Options | Can be mounted on a wall, or on any horizontal surface such as a desktop or shelf.

DESCRIPTION OF CAPABILITIES

The SMCE21011 supports up to eight Virtual Access Point (VAP) interfaces, which allow traffic to be separated for different user groups within the same AP service area. Each VAP can support up to 64 wireless clients, whereby the clients associate with each VAP in the same way as they would with physically separate access points. This means that each VAP can be configured with its own Service Set Identification (SSID), security settings, VLAN assignments, and other parameters, allowing the AP to serve a diverse range of client needs in an area from a single unit.
– 27 –
Page 28
In addition, the access point offers full network management capabilities through an easy to configure web interface, a command line interface for initial configuration and troubleshooting, and support for Simple Network Management tools.
The SMCE21011 utilises MIMO technology and Spatial Multiplexing to achieve the highest possible data rate and throughput on the 802.11n frequency. The unit’s PoE RJ-45 port provides a 1 Gbps full-duplex link to a wired LAN.

PACKAGE CONTENTS

The EliteConnect™ SMCE21011 package includes:
11n Access Point (SMCE21011)
RJ-45 Category 5 network cable
RJ-45 to RS-232 console cable
AC power adapter
Four rubber feet
User Guide CD
Inform your dealer if there are any incorrect, missing or damaged parts. If possible, retain the carton, including the original packing materials. Use them again to repack the product in case there is a need to return it.
Page 29
HARDWARE DESCRIPTION
Figure 1: Top Panel (callouts: Antennas, LED Indicators)
Figure 2: Rear Panel (callouts: DC Power Port, Reset Button, RJ-45 PoE Port)
Page 30
Figure 3: Ports (callouts: External Antenna Connector, DC Power Port, RJ-45 PoE Port, RJ-45 Console Port)
ANTENNAS
The access point includes three integrated external MIMO (multiple-input and multiple-output) antennas. MIMO uses multiple antennas for transmitting and receiving radio signals to improve data throughput and link range.
Each antenna transmits the outgoing signal as a toroidal sphere (doughnut shaped), with the coverage extending most in a direction perpendicular to the antenna. Therefore, the antennas should be adjusted to an angle that provides the appropriate coverage for the service area.
The access point supports external antennas for improving the coverage of the 802.11n signal. The antennas supplied with the unit screw off in a clockwise manner and can be replaced with alternative antennas that extend or shape the coverage area.
Page 31
Figure 4: External Antenna Connector
Figure 5: Screw-off External Antenna Connector - Close Up
Page 32
LED INDICATORS
The access point includes four status LED indicators, as described in the following figure and table.
Figure 6: LEDs (callouts: 802.11 b/g/n Indicator, 802.11 a/n Indicator, Ethernet Link/Activity, Power)
Table 2: LED Behavior
LED                          Status     Description
LAN (802.11a/n 5 GHz)        Off        The 802.11a/n radio is disabled.
                             Blue       There is an 802.11n link.
                             Green      There is an 802.11a link.
                             Flashing   Indicates activity.
WLAN (802.11b/g/n 2.4GHz)    Off        The 802.11b/g/n radio is disabled.
                             Blue       There is an 802.11n link.
                             Green      There is an 802.11b/g link.
                             Flashing   Indicates activity.
DIAG/FAIL                    Off        There is no connection on the LAN port.
                             Blue       Indicates a 1000 Mbps link.
                             Green      Indicates a 100 Mbps link.
                             Orange     Indicates a 10 Mbps link.
                             Flashing   Indicates activity.
Page 33
Table 2: LED Behavior (Continued)
LED      Status           Description
POWER    Off              Indicates that there is no power or the power source has been disconnected.
         Flashing Green   Indicates that the system is rebooting or has started a reset.
         Green            Indicates that power is being supplied and the system is functioning normally.
         Red              Indicates that there has been a system malfunction.
CONSOLE PORT
This port is used to connect a console device to the access point through a serial cable. The console device can be a PC or workstation running a VT-100 terminal emulator, or a VT-100 terminal. A crossover RJ-45 to RS-232 cable is supplied with the unit for connecting to the console port.
ETHERNET PORT
The access point has one 1000BASE-T RJ-45 port that can be attached directly to 10BASE-T/100BASE-TX/1000BASE-TX LAN segments.
This port supports automatic MDI/MDI-X operation, so you can use straight-through cables for all network connections to PCs, switches, or hubs.
The access point appears as an Ethernet node and performs a bridging function by moving packets from the wired LAN to remote workstations on the wireless infrastructure.
NOTE: The RJ-45 port also supports Power over Ethernet (PoE) based on the IEEE 802.3af standard. Refer to the description for the “Power Connector” for information on supplying power to the access point’s network port from a network device, such as a switch or power injector, that provides Power over Ethernet (PoE).
POWER CONNECTOR
The access point does not have a power switch. It is powered on when connected to the AC power adapter, and the power adapter is connected to a power source. The power adapter automatically adjusts to any voltage between 100~240 volts at 50 or 60 Hz, and supplies 48 volts DC power to the unit. No voltage range settings are required.
The access point may also receive Power over Ethernet (PoE) from a switch or other network device that supplies power over the network cable based on the IEEE 802.3af standard.
Page 34
NOTE: The access point supports both endspan and midspan PoE. If the access point is connected to a PoE source device and also connected to a local power source through the AC power adapter, AC power will be disabled.
RESET BUTTON
This button is used to reset the access point or restore the factory default configuration. If you hold down the button for less than 5 seconds, the access point will perform a hardware reset. If you hold down the button for 5 seconds or more, any configuration changes you may have made are removed, and the factory default configuration is restored to the access point.
Page 35
2 NETWORK TOPOLOGIES
Wireless networks support a standalone configuration as well as an integrated configuration with 10/100/1000 Mbps Ethernet LANs. The SMCE21011 also provides bridging services that can be configured independently on either the 5 GHz or 2.4 GHz radio interfaces.
Access points can be deployed to support wireless clients and connect wired LANs in the following configurations:
Infrastructure for wireless LANs
Infrastructure wireless LAN for roaming wireless PCs
Infrastructure wireless bridge to connect wired LANs

INTERFERENCE ISSUES

The 802.11b, 802.11g and 802.11n frequency band operating at 2.4 GHz can easily encounter interference from other 2.4 GHz devices, such as other 802.11b/g/n wireless devices, cordless phones and microwave ovens. If you experience poor wireless LAN performance, try the following measures:
Limit any possible sources of radio interference within the service area
Increase the distance between neighboring access points
Decrease the signal strength of neighboring access points
Increase the channel separation of neighboring access points (e.g. up to 3 channels of separation for 802.11b, or up to 4 channels for 802.11a, or up to 5 channels for 802.11g)

INFRASTRUCTURE WIRELESS LAN

The access point also provides access to a wired LAN for wireless workstations. An integrated wired/wireless LAN is called an Infrastructure configuration. A Basic Service Set (BSS) consists of a group of wireless PC users, and an access point that is directly connected to the wired LAN. Each wireless PC in this BSS can talk to any computer in its wireless group via a radio link, or access other computers or network resources in the wired LAN infrastructure via the access point.
Page 36
The infrastructure configuration extends the accessibility of wireless PCs to the wired LAN.
A wireless infrastructure can be used for access to a central database, or for connection between mobile workers, as shown in the following figure.
Figure 7: Infrastructure Wireless LAN (Wired LAN Extension to Wireless Clients; devices shown: Server, Desktop PC, Switch, Access Point, Notebook PC)

INFRASTRUCTURE WIRELESS LAN FOR ROAMING WIRELESS PCS

The Basic Service Set (BSS) defines the communications domain for each access point and its associated wireless clients. The BSS ID is a 48-bit binary number based on the access point’s wireless MAC address, and is set automatically and transparently as clients associate with the access point. The BSS ID is used in frames sent between the access point and its clients to identify traffic in the service area.
The BSS ID is only set by the access point, never by its clients. The clients only need to set the Service Set Identifier (SSID) that identifies the service set provided by one or more access points. The SSID can be manually configured by the clients, can be detected in an access point’s beacon, or can be obtained by querying for the identity of the nearest access point. For clients that do not need to roam, set the SSID for the wireless card to that used by the access point to which you want to connect.
A wireless infrastructure can also support roaming for mobile workers. More than one access point can be configured to create an Extended Service Set (ESS). By placing the access points so that a continuous coverage area is created, wireless users within this ESS can roam freely. All wireless network cards and adapters and wireless access points within a specific ESS must be configured with the same SSID.
Page 37
Figure 8: Infrastructure Wireless LAN for Roaming Wireless PCs (Seamless Roaming Between Access Points; two areas, <BSS 1> and <BSS 2>, each with a Switch, Access Point and Notebook PC, inside one <ESS>)
INFRASTRUCTURE WIRELESS BRIDGE
The IEEE 802.11 standard defines a Wireless Distribution System (WDS) for bridge connections between BSS areas (access points). The access point uses WDS to forward traffic on links between units.
The access point supports WDS bridge links that are independently configurable on each VAP. There are two WDS modes: WDS-AP and WDS-STA. Otherwise, VAPs operate in a normal AP mode.
AP Mode: Provides services to clients as a normal access point.
WDS-AP Mode: Operates as an access point in WDS mode, which accepts connections from client stations in WDS mode.
WDS-STA Mode: Operates as a client station in WDS mode, which connects to an access point in WDS mode. The user needs to specify the MAC address of the access point in WDS mode to which it intends to connect.
Page 38
Figure 9: Bridging Mode (WDS Links Between Access Points; VAP interfaces shown in WDS AP Mode and WDS STA Mode, connected toward the Network Core)
Page 39
3 INSTALLING THE ACCESS POINT
This chapter describes how to install the access point.

LOCATION SELECTION

Choose a proper place for the access point. In general, the best location is at the center of your wireless coverage area, within line of sight of all wireless devices. Try to place the access point in a position that can best cover its service area. For optimum performance, consider these guidelines:
Mount the access point as high as possible above any obstructions in the coverage area.
Avoid mounting next to or near building support columns or other obstructions that may cause reduced signal or null zones in parts of the coverage area.
Mount away from any signal absorbing or reflecting structures (such as those containing metal).
The access point can be mounted on any horizontal surface, or a wall.
Page 40
MOUNTING ON A HORIZONTAL SURFACE
To keep the access point from sliding on the surface, attach the four rubber feet provided in the accessory kit to the marked circles on the bottom of the access point.
Figure 10: Attach Feet
Page 41
MOUNTING ON A WALL
To mount on a wall, follow the instructions below.
Figure 11: Wall Mounting (callout: Mounting Slots)
The access point should be mounted only to a wall or wood surface that is at least 1/2-inch plywood or its equivalent. To mount the access point on a wall, always use its wall-mounting bracket. The access point must be mounted with the RJ-45 cable connector oriented upwards to ensure proper operation.
1. Mark the position of the three screw holes on the wall. For concrete or brick walls, you will need to drill holes and insert wall plugs for the screws.
2. Insert the included screws into the holes, leaving about 2-3 mm clearance from the wall.
3. Line up the three mounting points on the AP with the screws in the wall, then slide the AP down onto the screws until it is in a secured position.
Page 42
CONNECTING AND POWERING ON
Connect the power adapter to the access point, and the power cord to an AC power outlet.
Otherwise, the access point can derive its operating power directly from the RJ-45 port when connected to a device that provides IEEE 802.3af compliant Power over Ethernet (PoE).
CAUTION: Use ONLY the power adapter supplied with this access point. Otherwise, the product may be damaged.
NOTE: If the access point is connected to both a PoE source device and an AC power source, AC will be disabled.
1. Observe the Self Test – When you power on the access point, verify that the Power indicator stops flashing and remains on, and that the other indicators start functioning as described under “LED Indicators” on page 32.
If the PWR LED does not stop flashing, the self test has not completed correctly. Refer to “Troubleshooting” on page 241.
2. Connect the Ethernet Cable – The access point can be connected to a 10/100/1000 Mbps Ethernet through a network device such as a hub or a switch. Connect your network to the RJ-45 port on the back panel with Category 5E or better UTP Ethernet cable. When the access point and the connected device are powered on, the Ethernet Link LED should light indicating a valid network connection.
NOTE: The RJ-45 port on the access point supports automatic MDI/MDI-X operation, so you can use straight-through cables for all network connections to PCs, switches, or hubs.
3. Position the Antennas – Each antenna emits a radiation pattern that is toroidal (doughnut shaped), with the coverage extending most in the direction perpendicular to the antenna. Therefore, the antennas should be oriented so that the radio coverage pattern fills the intended horizontal space. Also, the antennas should both be positioned along the same axes, providing the same coverage area. For example, if the access point is mounted on a horizontal surface, all antennas should be positioned pointing vertically up to provide optimum coverage.
4. Connect the Console Port – Connect the RJ-45 console cable (included with access point) to the RS-232 console port for accessing the command-line interface. You can manage the access point using the console port, the web interface, or SNMP management software.
Page 43
4 INITIAL CONFIGURATION
The SMCE21011 offers a user-friendly web-based management interface for the configuration of all the unit’s features. Any PC directly attached to the unit can access the management interface using a web browser, such as Internet Explorer (version 6.0 or above).

CONNECTING TO THE LOGIN PAGE

It is recommended to make initial configuration changes by connecting a PC directly to the SMCE21011’s LAN port. The SMCE21011 has a default IP address of 192.168.1.1 and a subnet mask of 255.255.255.0. You must set your PC IP address to be on the same subnet as the SMCE21011 (that is, the PC and SMCE21011 addresses must both start 192.168.1.x).
To access the access point management interface, follow these steps:
1. Use your web browser to connect to the management interface using the default IP address of 192.168.1.1.
2. Log into the interface by entering the default username “accton” and password also “accton,” then click Login.
NOTE: It is strongly recommended to change the default user name and password the first time you access the web interface. For information on changing user names and passwords, see “Administration Settings” on page 52.
Figure 12: Login Page
Page 44
HOME PAGE AND MAIN MENU
After logging in to the web interface, the Home page displays. The Home page shows some basic settings for the AP, including Country Code and the management access password.
Figure 13: Home Page
The web interface Main Menu provides access to all the configuration settings available for the access point.
The following items are displayed on this page:
System Name – An alias for the access point, enabling the device to be uniquely identified on the network. (Default: 11n_AP; Range: 1-32 characters)
Username – The name of the user. The default name is “admin.” (Length: 3-16 characters, case sensitive)
Old Password – Type your old password. The default password is “smcdamin.”
New Password – The password for management access. (Length: 3-16 characters, case sensitive)
Confirm New Password – Enter the password again for verification.
Country Code – This command configures the access point’s country code, which identifies the country of operation and sets the authorized radio channels.
Page 45
CAUTION: You must set the country code to the country of operation. Setting the country code restricts operation of the access point to the radio channels and transmit power levels permitted for wireless networks in the specified country.
COMMON WEB PAGE BUTTONS
The list below describes the common buttons found on most web management pages:
Set – Applies the new parameters and saves them to temporary RAM memory. Also displays a screen to inform you when it has taken effect. Clicking ‘OK’ returns to the home page. The running configuration will not be saved upon a reboot unless you use the “Save Config” button.
Figure 14: Set Configuration Changes
Cancel – Cancels the newly entered settings and restores the originals.
Help – Displays the help window.
Figure 15: Help Menu
Page 46
Logout – Ends the web management session.
Save Config – Saves the current configuration so that it is retained after a restart.
QUICK START
The Quick Start menu is designed to help you configure the basic settings required to get the access point up and running. Click ‘System’, followed by ‘Quick Start’.
STEP 1
The first page of the Quick Start configures the system identification, access password, and the Country Code.
Figure 16: Quick Start - Step 1
The following items are displayed on the first page of the Quick Start wizard:
IDENTIFICATION
System Name — The name assigned to the access point. (Default: 11n_AP)
Page 47
CHANGE PASSWORD
Username — The name of the user, non-configurable. (Default: accton)
Old Password — If the unit has been configured with a password already, enter that password, otherwise enter a null string.
New Password — The password for management access. (Length: 3-16 characters, case sensitive)
Confirm New Password — Enter the password again for verification.
COUNTRY CODE
Country Code — Configures the access point’s country code from a drop down menu, which identifies the country of operation and sets the authorized radio channels.
CAUTION: You must set the country code to the country of operation. Setting the country code restricts operation of the access point to the radio channels and transmit power levels permitted for wireless networks in the specified country.
Cancel — Cancels the newly entered settings and restores the originals.
Next — Proceeds to the next page.
STEP 2
The Step 2 page of the Quick Start configures IP settings and DHCP client status.
Figure 17: Quick Start - Step 2
Page 48
The following items are displayed on this page:
DHCP
DHCP Status — Enables/disables DHCP on the access point. (Default: disabled)
IP Address — Specifies an IP address for management of the access point. Valid IP addresses consist of four decimal numbers, 0 to 255, separated by periods. (Default: 192.168.1.1.)
Subnet Mask — Indicates the local subnet mask. Select the desired mask from the drop down menu. (Default: 255.255.255.0)
Default Gateway — The default gateway is the IP address of the router for the access point, which is used if the requested destination address is not on the local subnet. (Default: 192.168.1.254)
If you have management stations, DNS, RADIUS, or other network servers located on another subnet, type the IP address of the default gateway router in the text field provided.
Primary and Secondary DNS Address — The IP address of Domain Name Servers on the network. A DNS maps numerical IP addresses to domain names and can be used to identify network hosts by familiar names instead of the IP addresses. (Primary DNS Default Address: 10.10.1.1; Secondary DNS Default Address: 192.168.1.2)
Prev — Returns to the previous screen.
Cancel — Cancels the newly entered settings and restores the originals.
Next — Proceeds to the final step in the Quick Start wizard.
Page 49
STEP 3
The Step 3 page of the Quick Start configures radio interface settings.
Figure 18: Quick Start - Step 3
The following items are displayed on this page:
INTERFACE SETTING
WiFi Mode — Selects mode of operation of the radio chip from 802.11n/g compliant or 802.11n/a compliant. (Default: 11n/g)
BASIC SETTING
SSID — Sets the service set identifier for the primary VAP. (Default: vap_a0)
SECURITY
Association Mode — Selects the security mode for association of other access points and wireless devices to the access point. (Default: Open System; Range: Open System, WPA, WPA-PSK, WPA2, WPA2-PSK, WPA-WPA2-mixed, or WPA-WPA2-PSK-mixed)
Encryption Mode — If set to Open System the Encryption Method is ‘None’, or WEP Keys may be enabled
Page 50
AUTHENTICATION
802.1x — Enables 802.1x authentication. (Default: Enabled)
802.1x Reauthentication Refresh Rate — Sets the reauthentication refresh rate for 802.1x authentication. (Default: 3600 seconds; Range: 1-65535 seconds; 0=disabled)
RADIUS — If configuring a RADIUS server, refer to the section “RADIUS Client Commands” on page 170.
MAIN MENU ITEMS
To configure settings, click the relevant Main Menu item. Each Main Menu item is summarized below with links to the relevant section in this guide where configuration parameters are described in detail:
System — Configures Management IP, WAN, LAN and QoS settings. See “System Settings” on page 52.
Administration — Configures HTTP and Telnet settings. See “Management Settings” on page 65.
Advance — Configures LLDP and Access Control Lists. See “Advanced Settings” on page 76.
Wireless Settings — Configures Wi-Fi access point settings. See “Wireless Settings” on page 82.
SNMP — Configures SNMP settings. See “SNMP Services” on page 92.
Maintenance — Configures firmware upgrades remotely and locally. See “Maintenance Settings” on page 103.
Information — Displays current system settings. See “Status Information” on page 109.
Page 51
SECTION II

WEB CONFIGURATION

This section provides details on configuring the access point using the web browser interface.
This section includes these chapters:
“System Settings” on page 52
“Management Settings” on page 65
“Advanced Settings” on page 76
“Wireless Settings” on page 82
“SNMP Services” on page 92
“Maintenance Settings” on page 103
“Status Information” on page 109
Page 52
5 SYSTEM SETTINGS
This chapter describes basic system settings on the access point. It includes the following sections:
“Administration Settings” on page 52
“IP Address” on page 54
“Radius Settings” on page 55
“System Time” on page 58
“SpectraLink Voice Priority” on page 60
“VLAN Configuration” on page 60
“System Logs” on page 62
“Quick Start Wizard” on page 64

ADMINISTRATION SETTINGS

The access point can be managed by any computer using a web browser (Internet Explorer 5.0 or above, or Firefox 2.0 or above). Enter the configured IP address of the access point, or use the default address: http://192.168.1.1
To log into the access point, enter the default user name “accton” and the password “accton”, then click “LOGIN”. When the home page displays, click on Advanced Setup. The following page will display.
Page 53
Figure 19: Administration
The following items are displayed on this page:
System Name — An alias for the access point, enabling the device to be uniquely identified on the network. (Default: SMC; Range: 1-32 characters)
Username — The name of the user. The default name is “admin.” (Length: 3-16 characters, case sensitive)
Old Password — Type your old password.
New Password — The password for management access. (Length: 3-16 characters, case sensitive)
Confirm New Password — Enter the password again for verification.
Country Code — This command configures the access point’s country code, which identifies the country of operation and sets the authorized radio channels.
Page 54
IP ADDRESS
Configuring the access point with an IP address expands your ability to manage the access point. A number of access point features depend on IP addressing to operate.
You can use the web browser interface to access IP addressing only if the access point already has an IP address that is reachable through your network.
By default, the access point will not be automatically configured with IP settings from a Dynamic Host Configuration Protocol (DHCP) server. The default IP address is 192.168.1.1, subnet mask 255.255.255.0 and a default gateway of 192.168.1.254.
You will first be prompted to enter the primary and secondary DNS address for the unit before having access to the other IP parameters.
Figure 20: Set DNS Address
Figure 21: TCP/IP Settings
The following items are displayed on this page:
Page 55
DHCP Status — Enables/disables DHCP on the access point.
IP Address — Specifies an IP address for management of the access point. Valid IP addresses consist of four decimal numbers, 0 to 255, separated by periods. (Default: 192.168.1.1.)
Subnet Mask — Indicates the local subnet mask. Select the desired mask from the drop down menu. (Default: 255.255.255.0)
Default Gateway — The default gateway is the IP address of the router for the access point, which is used if the requested destination address is not on the local subnet.
If you have management stations, DNS, RADIUS, or other network servers located on another subnet, type the IP address of the default gateway router in the text field provided.
Primary and Secondary DNS Address — The IP address of Domain Name Servers on the network. A DNS maps numerical IP addresses to domain names and can be used to identify network hosts by familiar names instead of the IP addresses.
If you have one or more DNS servers located on the local network, type the IP addresses in the text fields provided.
Make sure to type the correct DNS server address or the following message will display.
Figure 22: Invalid DNS
After you have network access to the access point, you can use the web browser interface to modify the initial IP configuration, if needed.
If there is no DHCP server on your network, or DHCP fails, the access point will automatically start up with a default IP address of 192.168.1.1.
RADIUS SETTINGS
Remote Authentication Dial-in User Service (RADIUS) is an authentication protocol that uses software running on a central server to control access to RADIUS-aware devices on the network. An authentication server contains a database of user credentials for each user that requires access to the network.
Page 56
PRIMARY AND SECONDARY RADIUS SERVER SETUP
A primary RADIUS server must be specified for the access point to implement IEEE 802.1X network access control and Wi-Fi Protected Access (WPA) wireless security. A secondary RADIUS server may also be specified as a backup should the primary server fail or become inaccessible.
In addition, the configured RADIUS server can also act as a RADIUS Accounting server and receive user-session accounting information from the access point. RADIUS Accounting can be used to provide valuable information on user activity in the network.
This guide assumes that you have already configured RADIUS server(s) to support the access point. Configuration of RADIUS server software is beyond the scope of this guide; refer to the documentation provided with the RADIUS server software.
Page 57
Figure 23: RADIUS Settings
The following items are displayed on the RADIUS Settings page:
RADIUS Status — Enables/disables the primary RADIUS server.
IP Address — Specifies the IP address or host name of the RADIUS server.
Port (1024-65535) — The UDP port number used by the RADIUS server for authentication messages. (Range: 1024-65535; Default: 1812)
Key — A shared text string used to encrypt messages between the access point and the RADIUS server. Be sure that the same text string is specified on the RADIUS server. Do not use blank spaces in the string. (Maximum length: 255 characters)
Page 58
RADIUS ACCOUNTING
The following items are displayed on the RADIUS Settings page:
Account Status — Enables/disables RADIUS accounting.
IP Address — Specifies the IP address or host name of the RADIUS accounting server.
Port (1024-65535) — The UDP port number used by the RADIUS accounting server for authentication messages. (Range: 1024-65535; Default: 1812)
Key — A shared text string used to encrypt messages between the access point and the RADIUS accounting server. Be sure that the same text string is specified on the RADIUS server. Do not use blank spaces in the string. (Maximum length: 255 characters)
Interim Update Timeout (60-86400) — The interval between transmitting accounting updates to the RADIUS server. (Range: 60-86400; Default: 3600 seconds)
SYSTEM TIME
Simple Network Time Protocol (SNTP) allows the access point to set its internal clock based on periodic updates from a time server (SNTP or NTP). Maintaining an accurate time on the access point enables the system log to record meaningful dates and times for event entries. If the clock is not set, the access point will only record the time from the factory default set at the last bootup.
The access point acts as an SNTP client, periodically sending time synchronization requests to specific time servers. You can configure up to two time server IP addresses. The access point will attempt to poll each server in the configured sequence.
Page 59
Figure 24: SNTP Settings
C
HAPTER
5
| System Sett ings
System Time
The following items are displayed on this page:
SNTP SERVER
SETTINGS
Configures the access point to oper ate as an SNTP client. When enabled, at least one time server IP address must be specified.
SNTP Status — Enables/disables SNTP. (Default: enabled)
Primary Server — The IP address of an SNTP or NTP time server that
the access point attempts to poll for a time update.
Secondary Server — The IP address of a secondary SNTP or NTP time
server. The access point first attempts to update the time from the primary server; if this fails it attempts an update from the secondary server.
TIME ZONE SETTING
SNTP uses Greenwich Mean Time, or GMT (sometimes referred to as Coordinated Universal Time, or UTC) based on the time at the Earth’s prime meridian, zero degrees longitude. To display a time corresponding to your local time, you must indicate the number of hours your time zone is located before (east) or after (west) GMT.
Time Zone — Select from the scroll-down list the locale closest to your location; for example, for New York, select ‘(GMT-05) Eastern Time (US & Canada)’.
Page 60
DAYLIGHT SAVING SETTINGS
The access point provides a way to automatically adjust the system clock for Daylight Savings Time changes. To use this feature you must define the month and date to begin and to end the change from standard time. During this period the system clock is set back by one hour.
Daylight Saving Status — Enables/disables daylight savings time. (Default: disabled)
SPECTRALINK VOICE PRIORITY
SpectraLink Voice Priority (SVP) is a voice priority mechanism for WLANs. SVP is an open, straightforward QoS approach that has been adopted by most leading vendors of WLAN APs. SVP favors isochronous voice packets over asynchronous data packets when contending for the wireless medium and when transmitting packets onto the wired LAN.
Figure 25: SVP Settings
The following items are displayed on this page:
SVP Status — Enables/disables SVP on the access point.

VLAN CONFIGURATION

VLANs (virtual local area networks) are turned off by default when first installing the access point. If turned on they will automatically tag any packets received by the WAN port before sending them on to the relevant VAP (virtual access point).
The access point can employ VLAN tagging support to control access to network resources and increase security. VLANs separate traffic passing between the access point, associated clients, and the wired network. There can be a VLAN assigned to each associated client, a default VLAN for each VAP (Virtual Access Point) interface, and a management VLAN for the access point.
Note the following points about the access point’s VLAN support:
Page 61
The management VLAN is for managing the access point through remote management tools, such as the web interface, SSH, SNMP, or Telnet. The access point only accepts management traffic that is tagged with the specified management VLAN ID.
All wireless clients associated to the access point are assigned to a VLAN. If IEEE 802.1X is being used to authenticate wireless clients, specific VLAN IDs can be configured on the RADIUS server to be assigned to each client. If a client is not assigned to a specific VLAN or if 802.1X is not used, the client is assigned to the default VLAN for the VAP interface with which it is associated. The access point only allows traffic tagged with assigned VLAN IDs or default VLAN IDs to access clients associated on each VAP interface.
When VLAN support is enabled on the access point, traffic passed to the wired network is tagged with the appropriate VLAN ID, either an assigned client VLAN ID, default VLAN ID, or the management VLAN ID. Traffic received from the wired network must also be tagged with one of these known VLAN IDs. Received traffic that has an unknown VLAN ID or no VLAN tag is dropped.
When VLAN support is disabled, the access point does not tag traffic passed to the wired network and ignores the VLAN tags on any received frames.
NOTE: Before enabling VLAN tagging on the access point, be sure to configure the attached network switch port to support tagged VLAN frames from the access point’s management VLAN ID, default VLAN IDs, and other client VLAN IDs. Otherwise, connectivity to the access point will be lost when you enable the VLAN feature.
Using IEEE 802.1X and a central RADIUS server, up to 64 VLAN IDs can be mapped to specific wireless clients, allowing users to remain within the same VLAN as they move around a campus site. This feature can also be used to control access to network resources from clients, thereby improving security.
A VLAN ID (1-4094) can be assigned to a client after successful IEEE 802.1X authentication. The client VLAN IDs must be configured on the RADIUS server for each user authorized to access the network. If a client does not have a configured VLAN ID on the RADIUS server, the access point assigns the client to the configured default VLAN ID for the VAP interface.
NOTE: When using IEEE 802.1X to dynamically assign VLAN IDs, the access point must have 802.1X authentication enabled and a RADIUS server configured. Wireless clients must also support 802.1X client software.
Page 62
Table 3: RADIUS Attributes
Number  RADIUS Attribute         Value
64      Tunnel-Type              VLAN (13)
65      Tunnel-Medium-Type       802
81      Tunnel-Private-Group-ID  VLANID (1 to 4094 as hexadecimal or string)
VLAN IDs on the RADIUS server can be entered as hexadecimal digits or a string.
The specific configuration of RADIUS server software is beyond the scope of this guide. Refer to the documentation provided with the RADIUS server software.
Figure 26: Setting the VLAN Identity
The following items are displayed on this page:
VLAN Classification — Enables/disables VLAN packet tagging. (Default: disabled)
Native VLAN ID (1-4094) — If enabled, the packets received by the WAN port must be tagged within the native VLAN ID. (Range: 1-4094)
SYSTEM LOGS
The access point can be configured to send event and error messages to a System Log Server. The system clock can also be synchronized with a time server, so that all the messages sent to the Syslog server are stamped with the correct time and date.
Page 63
Figure 27: System Log Settings
The following items are displayed on this page:
syslog status — Enables/disables the logging of error messages.
(Default: enabled)
Server 1~4 — Enables the sending of log messages to a Syslog server host. Up to four Syslog servers are supported on the access point. (Default: disabled)
IP — The IP address or name of a Syslog server. (Server 1 Default:
10.7.16.98; Server 2 Default: 10.7.13.48; Server 3 Default:
10.7.123.123; Server 4 Default: 10.7.13.77)
UDP Port — The UDP port used by a Syslog server. (Range: 514 or
11024-65535; Server 1~2 Default: 514; Server 3 Default: 6553; Server 4 Default: 5432)
Logging Console — Enables the logging of error messages to the console. (Default: disabled)
Logging Level — Sets the minimum severity level for event logging.
(Default: Debug)
The system allows you to limit the messages that are logged by specifying a minimum severity level. The following table lists the error message levels from the most severe (Emergency) to least severe (Debug). The message levels that are logged include the specified minimum level up to the Emergency level.
Page 64
Table 4: Logging Levels
Error Level    Description
Emergency      System unusable
Alerts         Immediate action needed
Critical       Critical conditions (e.g., memory allocation, or free memory error - resource exhausted)
Error          Error conditions (e.g., invalid input, default used)
Warning        Warning conditions (e.g., return false, unexpected return)
Notice         Normal but significant condition, such as cold start
Informational  Informational messages only
Debug          Debugging messages
QUICK START WIZARD
The Quick Start menu item is described in the preceding chapter; see “Quick Start” on page 46.
Page 65
6 MANAGEMENT SETTINGS
This chapter describes management access settings on the access point. It includes the following sections:
“Remote Management Settings” on page 65
“Access Limitation” on page 67
“Simple Network Management Protocol” on page 68

REMOTE MANAGEMENT SETTINGS

The Web, Telnet, and SNMP management interfaces are enabled and open to all IP addresses by default. To provide more security for management access to the access point, specific interfaces can be disabled and management restricted to a single IP address or a limited range of IP addresses.
Once you specify an IP address or range of addresses, access to management interfaces is restricted to the specified addresses. If anyone tries to access a management interface from an unauthorized address, the access point will reject the connection.
Telnet is a remote management tool that can be used to configure the access point from anywhere in the network. However, Telnet is not secure from hostile attacks. The Secure Shell (SSH) can act as a secure replacement for Telnet. The SSH protocol uses generated public keys to encrypt all data transfers passing between the access point and SSH-enabled management station clients and ensures that data traveling over the network arrives unaltered. Clients can then securely use the local user name and password for access authentication.
Note that SSH client software needs to be installed on the management station to access the access point for management via the SSH protocol.
Both HTTP and HTTPS service can be enabled independently. If you enable HTTPS, you must indicate this in the URL: https://device[:port_number]
When you start HTTPS, the connection is established in this way:
The client authenticates the server using the server’s digital certificate.
The client and server negotiate a set of security protocols to use for the connection.
The client and server generate session keys for encrypting and decrypting data.
The client and server establish a secure encrypted connection.
A padlock icon should appear in the status bar for Internet Explorer 5.x.
Page 66
Figure 28: Remote Management
The following items are displayed on Admin Interface page:
Telnet Access — Enables/disables management access from Telnet
interfaces. (Default: enabled)
Telnet Access Port — Sets the specified Telnet port for
communication. (Default: 23)
SSH Server — Enables/disables management access from SSH Servers. (Default: enabled)
SSH Server Port — Sets the specified SSH Server port for
communication. (Default: 22)
HTTP Access — Enables/disables management access from any IP
address. (Default: enabled)
HTTP Timeout — Specifies the time after which the HTTP connection
will be lost with a period of inactivity. (Default: 1800 seconds; Range: 1-1800 seconds; 0=disabled)
Page 67
HTTP Port — Specifies the HTTP port for IP connectivity. (Default: 80; Range 1024-65535)
HTTPS Server — Enables/disables management access from a HTTPS server. (Default: enabled)
HTTPS Port — Specifies the HTTPS port for secure IP connectivity. (Default: 443; Range 1024-65535)
SNMP Access — Enables/disables management access from SNMP interfaces. (Default: enabled)
ACCESS LIMITATION
The Access Limitation page limits management access to the access point from specified IP addresses or wireless clients.
Figure 29: Access Limitation
The following items are displayed on the Access Limitation page:
IP MANAGEMENT CONTROL
Any IP — Indicates that any IP address is allowed management
access.
Single IP — Specifies a single IP address that is allowed management
access.
Multiple IP — Specifies an address range as defined by the entered IP address and subnet mask. For example, IP address 192.168.1.6 and subnet mask 255.255.255.0, defines all IP addresses from 192.168.1.1 to 192.168.1.254.
Page 68
IP Address — Specifies the IP address.
Subnet Mask — Specifies the subnet mask in the form 255.255.255.x
RESTRICT MANAGEMENT
Enable/Disable — Enables/disables management of the device by a
wireless client. (Default: disabled)
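The IP Management Control modes above can be checked against a planned setting before it is applied, so that the management station is not locked out and the permitted range is no wider than intended. This Python sketch is an added example, not the access point's own code; the function names and the mode strings "any", "single" and "multiple" are assumptions that mirror the options on this page.

```python
import ipaddress


def mask_prefix_length(mask):
    """Return the prefix length of a dotted subnet mask.

    Raises ValueError when the mask bits are not contiguous (for example
    255.0.255.0), because such a mask does not describe one address range.
    """
    value = int(ipaddress.IPv4Address(mask))
    inverted = value ^ 0xFFFFFFFF
    if inverted & (inverted + 1):
        raise ValueError("non-contiguous subnet mask: " + mask)
    return bin(value).count("1")


def allowed_range(ip, mask):
    """Return (first, last) addresses admitted by a 'Multiple IP' entry.

    The host bits of the entered address are ignored, so 192.168.1.6 with
    255.255.255.0 covers the whole subnet, as in the guide's example.
    """
    prefix = mask_prefix_length(mask)
    net = ipaddress.ip_network("%s/%d" % (ip, prefix), strict=False)
    if prefix >= 31:  # no separate network/broadcast address to skip
        return str(net.network_address), str(net.broadcast_address)
    return str(net.network_address + 1), str(net.broadcast_address - 1)


def management_allowed(source, mode, ip=None, mask=None):
    """Decide whether `source` may reach the management interfaces.

    mode is "any", "single" or "multiple" (assumed names for the three
    IP Management Control options).
    """
    src = ipaddress.IPv4Address(source)
    if mode == "any":
        return True
    if mode == "single":
        return src == ipaddress.IPv4Address(ip)
    if mode == "multiple":
        first, last = allowed_range(ip, mask)
        return ipaddress.IPv4Address(first) <= src <= ipaddress.IPv4Address(last)
    raise ValueError("unknown mode: " + mode)


if __name__ == "__main__":
    # Constructed sample values: the guide's example plus a tighter mask.
    for mask in ("255.255.255.0", "255.255.255.240"):
        print(mask, allowed_range("192.168.1.6", mask))
    for station in ("192.168.1.200", "192.168.2.10"):
        ok = management_allowed(station, "multiple", "192.168.1.6", "255.255.255.0")
        print(station, "allowed" if ok else "rejected")
```

The tighter mask shows that the entry always admits the whole subnet containing the entered address, not a range that starts at that address.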
SIMPLE NETWORK MANAGEMENT PROTOCOL
Simple Network Management Protocol (SNMP) is a communication protocol designed specifically for managing devices on a network. Equipment commonly managed with SNMP includes switches, routers and host computers. SNMP is typically used to configure these devices for proper operation in a network environment, as well as to monitor them to evaluate performance or detect potential problems.
Managed devices supporting SNMP contain software, which runs locally on the device and is referred to as an agent. A defined set of variables, known as managed objects, is maintained by the SNMP agent and used to manage the device. These objects are defined in a Management Information Base (MIB) that provides a standard presentation of the information controlled by the agent. SNMP defines both the format of the MIB specifications and the protocol used to access this information over the network.
The access point includes an onboard agent that supports SNMP versions 1, 2c, and 3 clients. This agent continuously monitors the status of the access point, as well as the traffic passing to and from wireless clients. A network management station can access this information using SNMP management software that is compliant with MIB II. To implement SNMP management, the access point must first have an IP address and subnet mask, configured either manually or dynamically. Access to the onboard agent using SNMP v1 and v2c is controlled by community strings. To communicate with the access point, the management station must first submit a valid community string for authentication.
Access to the access point using SNMP v3 provides additional security features that cover message integrity, authentication, and encryption; as well as controlling notifications that are sent to specified user targets.
SNMP BASIC SETTINGS
The access point SNMP agent must be enabled to function (for versions 1, 2c, and 3 clients). Management access using SNMP v1 and v2c also requires community strings to be configured for authentication. Trap notifications can be enabled and sent to up to four management stations.
Page 69
Figure 30: SNMP Basic Settings
The following items are displayed on this page:
SNMP — Enables or disables SNMP management access and also
enables the access point to send SNMP traps (notifications). (Default: Disable)
System Location — A text string that describes the system location.
(Maximum length: 255 characters)
System Contact — A text string that describes the system contact.
(Maximum length: 255 characters)
Read-Only Community — Defines the SNMP community access string that has read-only access. Authorized management stations are only able to retrieve MIB objects. (Maximum length: 23 characters, case sensitive; Default: public)
Read-Write Community — Defines the SNMP community access
string that has read/write access. Authorized management stations are able to both retrieve and modify MIB objects. (Maximum length: 23 characters, case sensitive; Default: private)
Page 70
SNMP TRAP SETTINGS
Traps indicating status changes are issued by the AP to specified trap managers. You must specify trap managers so that key events are reported by the AP to your management station (using network management platforms).
Figure 31: SNMP Trap Settings
The following items are displayed on this page:
Trap Destination — Specifies the recipient of SNMP notifications. Enter the IP address or the host name. (Host Name: 1 to 63 characters, case sensitive)
Community — The community string sent with the notification
operation. (Maximum length: 23 characters, case sensitive; Default: public)
Action — Adds a new SNMP trap destination to the list.
Trap Destination List — Lists the configured SNMP trap destinations.
Trap Configuration — Enables or disables trap status.
sysSystemUp: The access point is up and running.
sysSystemDown: The access point is about to shutdown and reboot.
save Trap Config — Applies the new parameters and saves them to RAM memory. Also prompts a screen to inform you when it has taken effect. Clicking ‘OK’ returns to the home page. Changes will not be saved upon a reboot unless the running configuration file is saved.
Page 71
VIEW ACCESS CONTROL MODEL
To configure SNMPv3 management access to the AP, follow these steps:
1. Specify read and write access views for the AP MIB tree.
2. Configure SNMP user groups with the required security model (that is,
SNMP v1, v2c, or v3) and security level (authentication and privacy).
3. Assign SNMP users to groups, along with their specific authentication
and privacy passwords.
Figure 32: SNMP VACM
CREATING VIEWS
SNMPv3 views are used to restrict user access to specified portions of the MIB tree. There are no predefined views by default.
The following items are displayed on the VACM page.
View Name – The name of the SNMP view. (Range: 1-32 characters)
Type – Indicates if the object identifier of a branch within the MIB tree is included or excluded from the SNMP view.
OID – Allows you to configure the object identifiers of branches within
the MIB tree. Wild cards can be used to mask a specific portion of the OID string.
Page 72
Mask (option) – A hexadecimal value with each bit masking the corresponding ID in the MIB subtree. A “1” in the mask indicates an exact match and a “0” indicates a “wild card.” For example, a mask value of 0xFFBF provides a bit mask “1111 1111 1011 1111.” If applied to the subtree “1.3.6.1.2.1.2.2.1.1.23,” the zero corresponds to the 10th subtree ID. When there are more subtree IDs than bits in the mask, the mask is padded with ones.
View List – Shows the currently configured object identifiers of branches within the MIB tree that define the SNMP view.
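The subtree mask described above can be checked offline before a view is assigned to a group, to confirm which OIDs the view really exposes. This Python sketch is an added example, not code from SMC or the access point firmware; it applies the mask rule stated in this guide and assumes the agent resolves overlapping entries as RFC 3415 specifies (the matching entry with the longest subtree wins). The function names and the sample view are constructed for illustration.

```python
def parse_oid(text):
    """Turn '1.3.6.1' or '.1.3.6.1' into a tuple of integers."""
    return tuple(int(part) for part in text.strip(".").split("."))


def mask_bits(mask_hex, length):
    """Expand a hex mask into `length` bits, most significant bit first.

    Positions past the end of the mask are padded with ones (exact match),
    as the guide states. An empty mask therefore means "match exactly".
    """
    digits = mask_hex[2:] if mask_hex.lower().startswith("0x") else mask_hex
    bits = []
    for digit in digits:
        nibble = int(digit, 16)
        bits.extend((nibble >> shift) & 1 for shift in (3, 2, 1, 0))
    bits = bits[:length]
    bits.extend([1] * (length - len(bits)))
    return bits


def in_subtree(oid, subtree, mask_hex=None):
    """True when `oid` falls under `subtree`, honouring wildcard positions."""
    oid_ids, sub_ids = parse_oid(oid), parse_oid(subtree)
    if len(oid_ids) < len(sub_ids):
        return False
    bits = mask_bits(mask_hex or "", len(sub_ids))
    return all(bit == 0 or a == b for bit, a, b in zip(bits, oid_ids, sub_ids))


def oid_in_view(oid, entries):
    """Evaluate a view made of (type, subtree, mask) entries.

    type is "included" or "excluded". Assumption (RFC 3415 behaviour): among
    matching entries the one with the longest subtree decides; with no
    matching entry the OID is outside the view.
    """
    matches = [e for e in entries if in_subtree(oid, e[1], e[2])]
    if not matches:
        return False
    best = max(matches, key=lambda e: (len(parse_oid(e[1])), parse_oid(e[1])))
    return best[0] == "included"


# Constructed sample view: all of MIB-II, minus every ifTable column of
# interface row 23 (the guide's subtree and mask, used as an exclusion).
SAMPLE_VIEW = [
    ("included", "1.3.6.1.2.1", None),
    ("excluded", "1.3.6.1.2.1.2.2.1.1.23", "0xFFBF"),
]

if __name__ == "__main__":
    print(mask_bits("0xFFBF", 11))  # the single 0 is the 10th position
    for oid in ("1.3.6.1.2.1.1.1.0",        # sysDescr.0
                "1.3.6.1.2.1.2.2.1.10.23",  # ifInOctets.23
                "1.3.6.1.2.1.2.2.1.10.24",  # ifInOctets.24
                "1.3.6.1.4.1.99999.1"):     # constructed enterprise OID
        print(oid, "visible" if oid_in_view(oid, SAMPLE_VIEW) else "hidden")
```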
CREATING GROUPS
An SNMPv3 group sets the access policy for its assigned users, restricting them to specific read, write, and notify views. You can create new groups to map a set of SNMP users to SNMP views.
Group Name – The name of the SNMP group. (Range: 1-32
characters)
Security Level – The security level used for the group:
noAuthNoPriv – There is no authentication or encryption used in SNMP communications.
AuthNoPriv – SNMP communications use authentication, but the data is not encrypted.
AuthPriv – SNMP communications use both authentication and encryption.
Read View – The configured view for read access. (Range: 1-32
characters)
Write View – The configured view for write access. (Range: 1-32
characters)
Page 73
SNMPV3 USERS
The access point allows up to 10 SNMP v3 users to be configured. Each SNMPv3 user is defined by a unique name. Users must be configured with a specific security level and assigned to a group. The SNMPv3 group restricts users to a specific read, write, or notify view.
Figure 33: Configuring SNMPv3 Users
The following items are displayed on this page:
User Name — The SNMPv3 user name. (32 characters maximum)
Group — The SNMPv3 group name.
Auth Type — The authentication type used for the SNMP user; either MD5 or none. When MD5 is selected, enter a password in the corresponding Passphrase field.
Auth Passphrase — The authentication password or key associated with the authentication and privacy settings. A minimum of eight plain text characters is required.
Priv Type — The data encryption type used for the SNMP user; either DES or none. When DES is selected, enter a key in the corresponding Passphrase field.
Priv Passphrase — The password or key associated with the
authentication and privacy settings. A minimum of eight plain text characters is required.
Action — Click the Add button to add a new user to the list. Click the edit button to change details of an existing user. Click the Del button to remove a user from the list.
NOTE: Users must be assigned to groups that have the same security levels. For example, a user who has “Auth Type” and “Priv Type” configured to MD5 and DES respectively (that is, uses both authentication and data encryption) must be assigned to the RWPriv group. If this same user were instead assigned to the read-only (RO) group, the user would not be able to access the database.
Page 74
SNMPV3 TARGETS
An SNMP v3 notification Target ID is specified by the SNMP v3 user, IP address, and UDP port. A user-defined filter can also be assigned to specific targets to limit the notifications received to specific MIB objects. (Note that the filter must first be configured. See “SNMPv3 Notification Filters” on page 74.)
To configure a new notification receiver target, define the parameters and select a filter, if required. Note that the SNMP v3 user name must first be defined (See “SNMPv3 Users” on page 73.)
Figure 34: SNMPv3 Targets
The following items are displayed on this page:
Target ID — A user-defined name that identifies a receiver of notifications. The access point supports up to 10 target IDs. (Maximum length: 32 characters)
IP Address — Specifies the IP address of the receiving management station.
UDP Port — The UDP port that is used on the receiving management station for notification messages.
SNMP User — The defined SNMP v3 user that is to receive notification messages.
Notification Filter — The name of a user-defined notification filter that is applied to the target.
SNMPV3 NOTIFICATION FILTERS
SNMP v3 users can be configured to receive notification messages from the access point. An SNMP Target ID is created that specifies the SNMP v3 user, IP address, and UDP port. A user-defined notification filter can be created so that specific notifications can be prevented from being sent to particular targets.
The access point allows up to 10 notification filters to be created. Each filter can be defined by up to 20 MIB subtree ID entries.
Page 75
Figure 35: SNMP Notification Filter
The following items are displayed on this page:
Filter ID — A user-defined name that identifies the filter. (Maximum
length: 32 characters)
Subtree — Specifies MIB subtree to be filtered. The MIB subtree must
be defined in the form “.1.3.6.1” and always start with a “.”.
Type — Indicates if the filter is to “include” or “exclude” the MIB subtree objects from the filter. Note that MIB objects included in the filter are not sent to the receiving target and objects excluded are sent. By default all traps are sent, so you can first use an “include” filter entry for all trap objects. Then use “exclude” entries for the required trap objects to send to the target. Note that the filter entries are applied in the sequence that they are defined.
Action — Adds the notification filter.
Page 76
7 ADVANCED SETTINGS
This chapter describes advanced settings on the access point. It includes the following sections:
“Local Bridge Filter” on page 76
“Link Layer Discovery Protocol” on page 77
“Access Control Lists” on page 78

LOCAL BRIDGE FILTER

The access point can employ network traffic frame filtering to control access to network resources and increase security. You can prevent communications between wireless clients and prevent access point management from wireless clients. Also, you can block specific Ethernet traffic from being forwarded by the access point.
Inter Client STAs Communication Filter – Sets the global mode for wireless-to-wireless communications between clients associated to Virtual AP (VAP) interfaces on the access point. (Default: Prevent Inter and Intra VAP client Communication)
Figure 36: Local Bridge Filter
The following items are displayed on this page:
Disabled — All clients can communicate with each other through the
access point.
Page 77
Prevent Intra VAP client communication — When enabled, clients
associated with a specific VAP interface cannot establish wireless communications with each other. Clients can communicate with clients associated to other VAP interfaces.
Prevent Inter and Intra VAP client communication — When
enabled, clients cannot establish wireless communications with any other client, either those associated to the same VAP interface or any other VAP interface.
LINK LAYER DISCOVERY PROTOCOL
This page allows you to configure the Link Layer Discovery Protocol (LLDP). LLDP allows devices in the local broadcast domain to share information about themselves. LLDP-capable devices periodically transmit information in messages called Type Length Value (TLV) fields to neighbor devices. Advertised information is represented in Type Length Value (TLV) format according to the IEEE 802.1ab standard, and can include details such as device identification, capabilities and configuration settings.
This information can be used by SNMP applications to simplify troubleshooting, enhance network management, and maintain an accurate network topology.
Figure 37: LLDP Settings
The following items are displayed on this page:
Disable/Enable — Disables/Enables LLDP on the access point.
Page 78
Message Transmission Hold Time — Configures the time-to-live (TTL) value sent in LLDP advertisements as shown in the formula below. (Range: 2-10; Default: 4)
The time-to-live tells the receiving LLDP agent how long to retain all information pertaining to the sending LLDP agent if it does not transmit updates in a timely manner. TTL in seconds is based on the following rule: (Transmission Interval * Hold time) ≤ 65536. Therefore, the default TTL is 4*30 = 120 seconds.
Message Transmission Interval (seconds) — Configures the periodic transmit interval for LLDP advertisements. (Range: 5-32768 seconds; Default: 30 seconds)
This attribute must comply with the following rule: (Transmission Interval * Hold Time) ≤ 65536, and Transmission Interval >= (4 * Delay Interval)
ReInitial Delay Time (seconds) — Configures the delay before attempting to re-initialize after LLDP ports are disabled or the link goes down. (Range: 1-10 seconds; Default: 2 seconds)
When LLDP is re-initialized on a port, all information in the remote systems LLDP MIB associated with this port is deleted.
Transmission Delay Value (seconds) — Configures a delay between the successive transmission of advertisements initiated by a change in local LLDP MIB variables. (Range: 1-8192 seconds; Default: 4 seconds)
The transmit delay is used to prevent a series of successive LLDP transmissions during a short period of rapid changes in local LLDP MIB objects, and to increase the probability that multiple, rather than single changes, are reported in each transmission.
This attribute must comply with the rule: (4 * Delay Interval) ≤ Transmission Interval
ACCESS CONTROL LISTS
Access Control Lists allow you to configure a list of wireless client MAC addresses that are not authorized to access the network. A database of MAC addresses can be configured locally on the access point.
SOURCE ADDRESS SETTINGS
The ACL Source Address Settings page enables traffic filtering based on the source MAC address in the data frame.
Page 79
Figure 38: Source ACLs
The following items are displayed on this page:
SA Status — Enables network traffic with specific source MAC
addresses to be filtered (dropped) from the access point.
MAC Address — Specifies a source MAC address to filter, in the form xx.xx.xx.xx.xx.xx, or xx-xx-xx-xx-xx-xx.
Action — Selecting “Add” adds a new MAC address to the filter list, selecting delete removes the specified MAC address.
Number — Specifies the number associated with the MAC address.
MAC Address — Displays the configured source MAC address.
DESTINATION ADDRESS SETTINGS
The ACL Destination Address Settings page enables traffic filtering based on the destination MAC address in the data frame.
Figure 39: Destination ACLs
Page 80
The following items are displayed on this page:
DA Status — Enables/disables the destination address to be filtered.
MAC Address — Specifies a destination MAC address to filter, in the form xx.xx.xx.xx.xx.xx.
Action — Selecting “Add” adds a new MAC address to the filter list, selecting delete deletes the specified MAC address.
Number — Specifies the number associated with the MAC address, up
to a maximum of eight.
MAC Address — Displays the configured destination MAC address.
Set — Applies the new parameters and saves them to RAM memory. Also prompts a screen to inform you when it has taken effect. Clicking ‘OK’ returns to the home page. Changes will not be saved upon a reboot unless the running configuration file is saved.
Cancel — Cancels the newly entered settings and restores the
originals.
Help — Prompts the help window to appear.
ETHERNET TYPE
The Ethernet Type Filter controls checks on the Ethernet type of all incoming and outgoing Ethernet packets against the protocol filtering table. (Default: Disabled)
Page 81
Figure 40: Ethernet Type Filter
The following items are displayed on this page:
Disabled — Access point does not filter Ethernet protocol types.
Enabled — Access point filters Ethernet protocol types based on the configuration of protocol types in the filter table. If the status of a protocol is set to “ON,” the protocol is filtered from the access point.
Local Management — Describes the Ethernet filter type.
ISO Designator — Describes the ISO Designator identifier.
Filter Status — Turns the filter on or off.
Page 82
8 WIRELESS SETTINGS
This chapter describes wireless settings on the access point. It includes the following sections:
“Spanning Tree Protocol (STP)” on page 82
“Authentication” on page 85
“Radio Settings” on page 89
“Virtual Access Points (VAPs)” on page 93
“QoS” on page 99

SPANNING TREE PROTOCOL (STP)

The Spanning Tree Protocol (STP) can be used to detect and disable network loops, and to provide backup links between switches, bridges or routers. This allows the wireless bridge to interact with other bridging devices (that is, an STP-compliant switch, bridge or router) in your network to ensure that only one route exists between any two stations on the network, and provide backup links which automatically take over when a primary link goes down.
STP uses a distributed algorithm to select a bridging device (STP-compliant switch, bridge or router) that serves as the root of the spanning tree network. It selects a root port on each bridging device (except for the root device) which incurs the lowest path cost when forwarding a packet from that device to the root device. Then it selects a designated bridging device from each LAN which incurs the lowest path cost when forwarding a packet from that LAN to the root device. All ports connected to designated bridging devices are assigned as designated ports. After determining the lowest cost spanning tree, it enables all root ports and designated ports, and disables all other ports. Network packets are therefore only forwarded between root ports and designated ports, eliminating any possible network loops.
Once a stable network topology has been established, all bridges listen for Hello BPDUs (Bridge Protocol Data Units) transmitted from the root bridge. If a bridge does not get a Hello BPDU after a predefined interval (Maximum Age), the bridge assumes that the link to the root bridge is down. This bridge will then initiate negotiations with other bridges to reconfigure the network to reestablish a valid network topology.
Page 83
Figure 41: Spanning Tree Protocol
BRIDGE
Sets STP bridge link parameters.
The following items are displayed on the STP page:
Spanning Tree Protocol — Enables/disables STP on the wireless bridge. (Default: Enabled)
Priority — Used in selecting the root device, root port, and designated port. The device with the highest priority becomes the STP root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device. (Note that lower numeric values indicate higher priority.) (Default: 32768; Range: 0-65535)
Max Age — The maximum time (in seconds) a device can wait without receiving a configuration message before attempting to reconfigure. All device ports (except for designated ports) should receive configuration messages at regular intervals. Any port that ages out STP information (provided in the last configuration message) becomes the designated port for the attached LAN. If it is a root port, a new root port is selected from among the device ports attached to the network. (Default: 20 seconds; Range: 6-40 seconds)
Minimum: The higher of 6 or [2 x (Hello Time + 1)].
Maximum: The lower of 40 or [2 x (Forward Delay - 1)]
Hello Time — Interval (in seconds) at which the root device transmits a configuration message. (Default: 2 seconds; Range: 1-10 seconds)
Minimum: 1
Maximum: The lower of 10 or [(Max. Message Age / 2) - 1]
Forwarding Delay — The maximum time (in seconds) this device waits before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames. In addition, each port needs time to listen for conflicting information that would make it return to a discarding state; otherwise, temporary data loops might result. (Default: 15 seconds; Range: 4-30 seconds)
Minimum: The higher of 4 or [(Max. Message Age / 2) + 1]
Maximum: 30
ETHERNET INTERFACE Sets STP settings for the Ethernet port.
Link Path Cost — This parameter is used by the STP to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media. (Path cost takes precedence over port priority.) (Default: Ethernet interface: 19; Wireless interface: 40; Range: 1-65535)
Link Port Priority — Defines the priority used for this port in the Spanning Tree Protocol. If the path cost for all ports on a switch is the same, the port with the highest priority (i.e., lowest value) will be configured as an active link in the spanning tree. This makes a port with higher priority less likely to be blocked if the Spanning Tree Protocol is detecting network loops. Where more than one port is assigned the highest priority, the port with lowest numeric identifier will be enabled. (Default: 128; Range: 0-240, in steps of 16)
WIRELESS INTERFACE Sets STP settings for the radio interface.
Index — Describes the VAP in question.
Link Path Cost — This parameter is used by the STP to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media. (Path cost takes precedence over port priority.) (Default: Ethernet interface: 19; Wireless interface: 40; Range: 1-65535)
Link Port Priority — Defines the priority used for this port in the Spanning Tree Protocol. If the path cost for all ports on a switch is the same, the port with the highest priority (i.e., lowest value) will be configured as an active link in the spanning tree. This makes a port with higher priority less likely to be blocked if the Spanning Tree Protocol is detecting network loops. Where more than one port is assigned the highest priority, the port with lowest numeric identifier will be enabled. (Default: 128; Range: 0-240, in steps of 16)
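The STP ranges, the timer relationships and the root selection rule above can be checked before a change is applied. The following Python is an added example, not code from the manual or the access point; the class and function names are hypothetical and the bridge names and MAC addresses in the demo are constructed.

```python
"""Check STP settings against the ranges and timer relationships listed above."""
from dataclasses import dataclass


@dataclass
class BridgeStp:
    """Bridge-level STP settings; the defaults are the manual's defaults."""
    priority: int = 32768
    max_age: int = 20        # seconds
    hello_time: int = 2      # seconds
    forward_delay: int = 15  # seconds


def validate_bridge(cfg):
    """Return {field: reason} for each bridge setting outside its allowed window."""
    errors = {}
    if not 0 <= cfg.priority <= 65535:
        errors["priority"] = "range is 0-65535"

    # Max Age: from the higher of 6 or 2 x (Hello Time + 1)
    # up to the lower of 40 or 2 x (Forward Delay - 1).
    lo = max(6, 2 * (cfg.hello_time + 1))
    hi = min(40, 2 * (cfg.forward_delay - 1))
    if not lo <= cfg.max_age <= hi:
        errors["max_age"] = f"must be within {lo}-{hi} seconds"

    # Hello Time: from 1 up to the lower of 10 or (Max Age / 2) - 1.
    hi = min(10, cfg.max_age / 2 - 1)
    if not 1 <= cfg.hello_time <= hi:
        errors["hello_time"] = f"must be within 1-{hi:g} seconds"

    # Forward Delay: from the higher of 4 or (Max Age / 2) + 1 up to 30.
    lo = max(4, cfg.max_age / 2 + 1)
    if not lo <= cfg.forward_delay <= 30:
        errors["forward_delay"] = f"must be within {lo:g}-30 seconds"
    return errors


def validate_port(path_cost, port_priority):
    """Check Link Path Cost (1-65535) and Link Port Priority (0-240, steps of 16)."""
    errors = {}
    if not 1 <= path_cost <= 65535:
        errors["path_cost"] = "range is 1-65535"
    if not (0 <= port_priority <= 240 and port_priority % 16 == 0):
        errors["port_priority"] = "range is 0-240 in steps of 16"
    return errors


def mac_key(mac):
    """Convert 'XX-XX-XX-XX-XX-XX' to bytes so addresses compare numerically."""
    parts = mac.split("-")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"bad MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def elect_root(bridges):
    """bridges: {name: (priority, mac)}.

    The lowest numeric priority wins; equal priorities fall back to the
    lowest MAC address, as described for the Priority setting.
    """
    return min(bridges, key=lambda n: (bridges[n][0], mac_key(bridges[n][1])))


if __name__ == "__main__":
    # Constructed topology: an access point left at defaults next to a switch.
    topology = {
        "access-point": (32768, "00-90-D1-12-AB-89"),
        "core-switch": (4096, "00-90-D1-FF-00-01"),
    }
    print("root:", elect_root(topology))
    print("defaults:", validate_bridge(BridgeStp()))
    print("max_age=40:", validate_bridge(BridgeStp(max_age=40)))
```

Running `elect_root` over the planned priorities shows which device would become root, which is useful for confirming that an access point left at the default priority does not take over that role from the intended switch.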

AUTHENTICATION

Wireless clients can be authenticated for network access by checking their MAC address against the local database configured on the access point, or by using a database configured on a central RADIUS server. Alternatively, authentication can be implemented using the IEEE 802.1X network access control protocol.
The access point can also operate in an 802.1X supplicant mode. This enables the access point itself and any bridge-connected units to be authenticated with a RADIUS server using a configured MD5 user name and password. This mechanism can prevent rogue access points from gaining access to the network.
LOCAL AUTHENTICATION
You can configure a list of the MAC addresses for wireless clients that are authorized to access the network. This provides a basic level of authentication for wireless clients attempting to gain access to the network. A database of authorized MAC addresses can be stored locally on the access point or remotely on a central RADIUS server. (Default: Local MAC)
Local MAC Authentication – Configures the local MAC authentication database. The MAC database provides a mechanism to take certain actions based on a wireless client’s MAC address. The MAC list can be configured to allow or deny network access to specific clients.
Figure 42: Local Authentication
The following items are displayed on the Authentication page:
MAC Authentication — Selects between disabled, Local MAC authentication, and RADIUS authentication.
Local MAC — The MAC address of the associating station is compared against the local database stored on the access point. The Local MAC Authentication section enables the local database to be set up.
System Default — Specifies a default action for all unknown MAC addresses (that is, those not listed in the local MAC database).
Deny: Blocks access for all MAC addresses except those listed in the local database as “Allow.”
Allow: Permits access for all MAC addresses except those listed in the local database as “Deny.”
MAC Authentication Settings — Enters specified MAC addresses and permissions into the local MAC database.
MAC Address: Physical address of a client. Enter six pairs of hexadecimal digits separated by hyphens; for example, 00-90-D1-12-AB-89.
Add/Delete: Adds or deletes the specified MAC address and permission setting into or from the local database.
Permission: Select Allow to permit access or Deny to block access. If Delete is selected, the specified MAC address entry is removed from the database.
MAC Authentication Table — Displays current entries in the local MAC database.
make MAC authentication take effect — Applies the specified settings.
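The decision rule described above (a System Default combined with per-address permissions) is modelled below in Python. This is an added example, not the access point's own code; the class, method and function names are hypothetical, the second MAC address is constructed, and treating a malformed address as denied is a choice made for this example.

```python
"""Model of the local MAC database: System Default plus per-address entries."""
import re

# Six pairs of hexadecimal digits separated by hyphens, e.g. 00-90-D1-12-AB-89.
MAC_FORMAT = re.compile(r"[0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5}")
PERMISSIONS = ("Allow", "Deny")


def normalize_mac(mac):
    """Accept only the hyphenated form; return it upper-cased for lookups."""
    mac = mac.strip()
    if not MAC_FORMAT.fullmatch(mac):
        raise ValueError(f"not in XX-XX-XX-XX-XX-XX form: {mac!r}")
    return mac.upper()


class LocalMacDatabase:
    def __init__(self, system_default="Deny"):
        if system_default not in PERMISSIONS:
            raise ValueError("System Default must be Allow or Deny")
        self.system_default = system_default
        self.entries = {}  # normalized MAC -> "Allow" | "Deny"

    def add(self, mac, permission):
        if permission not in PERMISSIONS:
            raise ValueError("Permission must be Allow or Deny")
        self.entries[normalize_mac(mac)] = permission

    def delete(self, mac):
        self.entries.pop(normalize_mac(mac), None)

    def decide(self, mac):
        """Listed addresses get their own permission; unknown ones the default."""
        return self.entries.get(normalize_mac(mac), self.system_default)

    def redundant_entries(self):
        """Entries equal to the System Default: removing them changes nothing,
        but they start to matter if the default is later flipped."""
        return sorted(m for m, p in self.entries.items()
                      if p == self.system_default)


def replay(db, attempts):
    """Decide a list of association attempts; malformed addresses are denied."""
    results = []
    for mac in attempts:
        try:
            results.append((mac, db.decide(mac)))
        except ValueError:
            results.append((mac, "Deny"))
    return results


if __name__ == "__main__":
    db = LocalMacDatabase(system_default="Deny")
    db.add("00-90-d1-12-ab-89", "Allow")   # example address from the manual
    db.add("00-90-D1-12-AB-8A", "Deny")    # constructed address
    for mac, verdict in replay(db, ["00-90-D1-12-AB-89",
                                    "00-90-D1-12-AB-8A",
                                    "00-90-D1-00-00-01",
                                    "00:90:D1:12:AB:89"]):
        print(f"{mac:20} {verdict}")
    print("redundant under current default:", db.redundant_entries())
```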
RADIUS MAC AUTHENTICATION
Radius MAC: The MAC address of the associating station is sent to a configured RADIUS server for authentication. When using a RADIUS authentication server for MAC address authentication, the server must first be configured in the RADIUS window.
Figure 43: RADIUS Authentication
The following items are displayed on the Authentication page:
MAC Authentication — Selects between disabled, Local MAC authentication, and RADIUS authentication.
RADIUS MAC — The MAC address of the associating station is compared against the RADIUS server database. The RADIUS MAC Authentication section enables the RADIUS database to be set up.
Session Timeout — The time period after which a connected client must be re-authenticated. During the re-authentication process of verifying the client’s credentials on the RADIUS server, the client remains connected to the network. Only if re-authentication fails is network access blocked. (Default: 0 means disabled; Range: 30-65535 seconds)
make MAC authentication take effect — Applies the specified settings.

INTERFACE MODE

The access point can operate in two modes, IEEE 802.11a/n only, or 802.11g/n only. Also note that 802.11g is backward compatible with 802.11b, operating in the 2.4 GHz band. The 802.11a/n mode operates in the 5 GHz band.
Figure 44: Interface Mode
The following items are displayed on the Interface Mode Selection page:
Interface0 Mode — Selects the mode of the radio interface:
11ng: All 802.11g and n clients can communicate with the wireless AP/Router (up to 300 Mbps) using the 2.4 GHz band, but data transmission rates may be slowed to compensate for 802.11g clients.
11na: All 802.11a and n clients can communicate with the wireless AP/Router (up to 300 Mbps) using the 5 GHz band, but data transmission rates may be slowed to compensate for 802.11a clients.

RADIO SETTINGS

The IEEE 802.11n interfaces include configuration options for radio signal characteristics and wireless security features.
The access point can operate in two modes, mixed 802.11g/n, or mixed 802.11a/n only. Also note that 802.11g is backward compatible with 802.11b, and 802.11n is backward compatible with both 802.11b/g and 802.11a at slower data transmit rates.
Each radio supports eight virtual access point (VAP) interfaces, referred to as VAP0 ~ VAP7. Each VAP functions as a separate access point, and can be configured with its own Service Set Identification (SSID) and security settings. However, most radio signal parameters apply to both VAP interfaces. The configuration options are nearly identical, and are therefore both covered in this section of the manual. Traffic to specific VAPs can be segregated based on user groups or application traffic. Both VAPs can have up to 64 wireless clients, whereby the clients associate with these VAPs the same as they would with a physical access point.
Packets from 802.11n clients are referred to as High Throughput (HT) Greenfield packets, in other words packets that can be transmitted at rates of up to 300 Mbps assuming that HT Channel Bandwidth is set to 20/40 MHz, see HT Channel Bandwidth next page.
802.11b/g packets are referred to as non-HT packets, being transmitted at lower throughput rates (see Radio Mode). HT mixed format frames contain a preamble compatible with the non-HT receivers. HT Greenfield frames do not contain a non-HT compatible part. Support for HT Greenfield format is optional. An HT station that does not support the reception of an HT Greenfield format frame must be able to detect that an HT Greenfield format frame is an HT transmission (as opposed to a non-HT transmission). In this case the receiver must decode the high throughput signal (HT-SIG) in the packet header and determine if the HT-SIG cyclic redundancy check (CRC) passes. (Default: Mixed)
Figure 45: Radio Settings
The following items are displayed on this page:
High Throughput Mode — The access point provides a channel bandwidth of 20 MHz by default giving an 802.11g connection speed of 54 Mbps and a 802.11n connection speed of up to 108 Mbps, and ensures backward compliance for slower 802.11b devices. Setting the HT Channel Bandwidth to 40 MHz (sometimes referred to as Turbo Mode) increases connection speed for 802.11g and 802.11n to 74 Mbps and 300 Mbps respectively. HT40plus indicates that the secondary channel is above the primary channel. HT40minus indicates that the secondary channel is below the primary channel. (Default: HT20; Range: HT20, HT40PLUS, HT40MINUS)
NOTE: Some 802.11n wireless clients may be capable of transmission rates of up to 600 Mbps, however the access point will only be able to connect to them at a maximum transmission rate of 300 Mbps.
Radio Channel — The radio channel that the access point uses to communicate with wireless clients. When multiple access points are deployed in the same area, set the channel on neighboring access points at least five channels apart to avoid interference with each other. For example, you can deploy up to three access points in the same area using channels 1, 6, 11. Note that wireless clients automatically set the channel to the same as that used by the access point to which it is linked. (The supported channels are dependent on the country code setting.)
Auto Channel Select — Selecting Auto Select enables the access point to automatically select an unoccupied radio channel.
Transmit Power — Adjusts the power of the radio signals transmitted from the access point. The higher the transmission power, the farther the transmission range. Power selection is not just a trade off between coverage area and maximum supported clients. You also have to ensure that high-power signals do not interfere with the operation of other radio devices in the service area. (Default: Minimum; Range: min, 12.5%, 25%, 50%, 100%)
Maximum Association Client per VAP — The maximum number of clients that may associate with each VAP is preset to 64.
Radio Mode — Defines the radio mode for the VAP interface. (Default: 11n (g compatible); Range: 11n (b&g compatible), 11n)
NOTE: Enabling the access point to communicate with 802.11b/g clients in both 802.11b/g/n Mixed and 802.11n modes also requires that HT Operation be set to HT20.
Protection Method — Selects between Request to Send (RTS) and mixed RTS-CTS (clear to send) packet transmission threshold.
Preamble Length — The radio preamble (sometimes called a header) is a section of data at the head of a packet that contains information that the wireless device and client devices need when sending and receiving packets. You can set the radio preamble to long or short. A short preamble improves throughput performance, whereas a long preamble is required when legacy wireless devices are part of your network.
Beacon Interval (20-1000) — The rate at which beacon signals are transmitted from the access point. The beacon signals allow wireless clients to maintain contact with the access point. They may also carry power-management information. (Range: 20-1000 TUs; Default: 100 TUs)
Data Beacon Rate (DTIM) (1-255) — The rate at which stations in sleep mode must wake up to receive broadcast/multicast transmissions. Known also as the Delivery Traffic Indication Map (DTIM) interval, it indicates how often the MAC layer forwards broadcast/multicast traffic, which is necessary to wake up stations that are using Power Save mode. The default value of 2 indicates that the access point will save all broadcast/multicast frames for the Basic Service Set (BSS) and forward them after every second beacon. Using smaller DTIM intervals delivers broadcast/multicast frames in a more timely manner, causing stations in Power Save mode to wake up more often and drain power faster. Using higher DTIM values reduces the power used by stations in Power Save mode, but delays the transmission of broadcast/multicast frames. (Range: 1-255 beacons; Default: 1 beacon)
RTS Threshold (0-2345) — Sets the packet size threshold at which a Request to Send (RTS) signal must be sent to a receiving station prior to the sending station starting communications. The access point sends RTS frames to a receiving station to negotiate the sending of a data frame. After receiving an RTS frame, the station sends a CTS (clear to send) frame to notify the sending station that it can start sending data.
If the RTS threshold is set to 0, the access point always sends RTS signals. If set to 2347, the access point never sends RTS signals. If set to any other value, and the packet size equals or exceeds the RTS threshold, the RTS/CTS (Request to Send / Clear to Send) mechanism will be enabled.
The access points contending for the medium may not be aware of each other. The RTS/CTS mechanism can solve this “Hidden Node Problem.” (Range: 0-2345 bytes; Default: 2345 bytes)
Short Guard Interval — The 802.11n draft specifies two guard intervals: 400ns (short) and 800ns (long). Support of the 400ns GI is optional for transmit and receive. The purpose of a guard interval is to introduce immunity to propagation delays, echoes, and reflections to which digital data is normally very sensitive. Enabling the Short Guard Interval sets it to 400ns. (Default: Disabled)
Aggregate MAC Protocol Data Unit (A-MPDU) — Enables / disables the sending of this four frame packet header for statistical purposes. (Default: Enabled)
A-MPDU Length Limit (1024-65535) — Defines the A-MPDU length. (Default: 65535 bytes; Range: 1024-65535 bytes)
Aggregate MAC Service Data Unit (A-MSDU) — Enables / disables the sending of this four frame packet header for statistical purposes. (Default: Enabled)
A-MSDU Length Limit (2290-4096) — Defines the A-MSDU length. (Default: 4096 bytes; Range: 2290-4096 bytes)
Set Radio — Sets all entered parameters.
Cancel — Cancels the newly entered settings and restores the originals.

VIRTUAL ACCESS POINTS (VAPS)

The access point supports up to eight virtual access point (VAP) interfaces numbered 0 to 7. Each VAP functions as a separate access point, and can be configured with its own Service Set Identification (SSID) and security settings. However, most radio signal parameters apply to all eight VAP interfaces.
The VAPs function similarly to a VLAN, with each VAP mapped to its own VLAN ID. Traffic to specific VAPs can be segregated based on user groups or application traffic. Each VAP can have up to 64 wireless clients, whereby the clients associate with these VAPs the same as they would with a physical access point.
NOTE: The radio channel settings for the access point are limited by local regulations, which determine the number of channels that are available. Refer to “General Specifications” on page C-1 for additional information on the maximum number of channels available.
Figure 46: VAP Settings
The following items are displayed on this page:
VAP Number — The number associated with the VAP, 0-7.
SSID — The name of the basic service set provided by a VAP interface. Clients that want to connect to the network through the access point must set their SSID to the same as that of an access point VAP interface. (Default: SMC_A # (0 to 7); Range: 1-32 characters)
Enable — Enables the specified VAP. (Default: Disabled)
Status — Displays the mode of the VAP. The default is set to "AP," for normal access point services.
Edit Setting — Clicking “Edit” opens the dialogue box for configuring the selected VAP.
VAP BASIC SETTINGS Sets the basic operating mode and other settings for the VAP.
Each VAP can operate in one of three modes; normal AP mode, WDS-AP bridge root mode, or WDS-STA bridge station mode. The default mode is AP for the VAP to support normal access point services.
Note that the Basic Settings are the same for both AP and WDS-AP modes.
Figure 47: VAP Basic Settings
The following items are displayed on this page:
Closed System — When enabled, the VAP does not include its SSID in beacon messages. Nor does it respond to probe requests from clients that do not include a fixed SSID. (Default: Disable)
Mode — Selects the mode in which the VAP will function.
AP Mode: The VAP provides services to clients as a normal access point.
WDS-AP Mode: The VAP operates as an access point in WDS mode, which accepts connections from client stations in WDS-STA mode.
WDS-STA Mode: The VAP operates as a client station in WDS mode, which connects to an access point VAP in WDS-AP mode. The user needs to specify the MAC address of the access point in WDS-AP mode to which it intends to connect.
Association Timeout Interval — The idle time interval (when no frames are sent) after which a client is disassociated from the VAP interface. (Range: 5-60 minutes; Default: 30 minutes)
Authentication Timeout Interval — The time within which the client should finish authentication before authentication times out. (Range: 5-60 minutes; Default: 60 minutes)
Default VLAN ID — The VLAN ID assigned to wireless clients associated to the VAP interface that are not assigned to a specific VLAN by RADIUS server configuration. (Default: 1)
DHCP Relay Server — The IP address of the DHCP relay server.
SSID — The service set identifier for the VAP.
WDS-STA MODE Describes additional basic VAP settings when functioning in WDS-STA mode.
Figure 48: WDS-STA Mode
The following items are displayed in the VAP Basic Settings when WDS-AP mode is selected:
WDS-AP (Parent) SSID — The SSID of the VAP on the connecting access point that is set to WDS-AP mode.
WDS-AP (Parent) MAC — The MAC address of the VAP on the connecting access point that is set to WDS-AP mode.
WIRELESS SECURITY SETTINGS Describes the wireless security settings for each VAP, including association mode, encryption, and authentication.
NOTE: For VAPs set to WDS-AP or WDS-STA mode, the security options are limited to WPA-PSK and WPA2-PSK only.
Figure 49: Configuring VAPs - Common Settings
The following items are common to all three modes:
Association Mode — Defines the mode with which the access point will associate with other clients.
Open System: The VAP is configured by default as an “open system,” which broadcasts a beacon signal including the configured SSID. Wireless clients with an SSID setting of “any” can read the SSID from the beacon and automatically set their SSID to allow immediate connection.
WPA: WPA employs a combination of several technologies to provide an enhanced security solution for 802.11 wireless networks.
WPA-PSK: For enterprise deployment, WPA requires a RADIUS authentication server to be configured on the wired network. However, for small office networks that may not have the resources to configure and maintain a RADIUS server, WPA provides a simple operating mode that uses just a pre-shared password for network access. The Pre-Shared Key mode uses a common password for user authentication that is manually entered on the access point and all wireless clients. The PSK mode uses the same TKIP packet encryption and key management as WPA in the enterprise, providing a robust and manageable alternative for small networks.
WPA2: WPA was introduced as an interim solution for the vulnerability of WEP pending the ratification of the IEEE 802.11i wireless security standard. In effect, the WPA security features are a subset of the 802.11i standard. WPA2 includes the now ratified 802.11i standard, but also offers backward compatibility with WPA. Therefore, WPA2 includes the same 802.1X and PSK modes of operation and support for TKIP encryption.
WPA2-PSK: Clients using WPA2 with a Pre-shared Key are accepted for authentication.
WPA-WPA2 Mixed: Clients using WPA or WPA2 are accepted for authentication.
WPA-WPA2-PSK-mixed: Clients using WPA or WPA2 with a Pre-shared Key are accepted for authentication.
Encryption Method — Selects an encryption method for the global key used for multicast and broadcast traffic, which is supported by all wireless clients.
WEP: WEP is used as the multicast encryption cipher. You should select WEP only when both WPA and WEP clients are supported.
TKIP: TKIP is used as the multicast encryption cipher.
AES-CCMP: AES-CCMP is used as the multicast encryption cipher. AES-CCMP is the standard encryption cipher required for WPA2.
802.1X — The access point supports 802.1X authentication only for clients initiating the 802.1X authentication process (i.e., the access point does not initiate 802.1X authentication). For clients initiating 802.1X, only those successfully authenticated are allowed to access the network. For those clients not initiating 802.1X, access to the network is allowed after successful wireless association with the access point. The 802.1X mode allows access for clients not using WPA or WPA2 security.
Pre-Authentication — When using WPA2 over 802.1X, pre-authentication can be enabled, which allows clients to roam to a new access point and be quickly associated without performing full 802.1X authentication. (Default: Disabled)
802.1x Reauthentication Time — The time period after which a connected client must be re-authenticated. During the re-authentication process of verifying the client’s credentials on the RADIUS server, the client remains connected to the network. Only if re-authentication fails is network access blocked. (Range: 0-65535 seconds; Default: 0 means disabled)
WIRED EQUIVALENT PRIVACY (WEP)
WEP provides a basic level of security, preventing unauthorized access to the network, and encrypting data transmitted between wireless clients and the access point. WEP uses static shared keys (fixed-length hexadecimal or alphanumeric strings) that are manually distributed to all clients that want to use the network.
WEP is the security protocol initially specified in the IEEE 802.11 standard for wireless communications. Unfortunately, WEP has been found to be seriously flawed and cannot be recommended for a high level of network security. For more robust wireless security, the access point provides Wi-Fi Protected Access (WPA) for improved data encryption and user authentication.
Setting up shared keys enables the basic IEEE 802.11 Wired Equivalent Privacy (WEP) on the access point to prevent unauthorized access to the network.
If you choose to use WEP shared keys instead of an open system, be sure to define at least one static WEP key for user authentication and data encryption. Also, be sure that the WEP shared keys are the same for each client in the wireless network.
Note that all clients share the same keys, which are used for user authentication and data encryption. Up to four keys can be specified. These four keys are used for all VAP interfaces on the same radio.
Figure 50: WEP Configuration
The following items are displayed on this page:
Key Type – Select the preferred method of entering WEP encryption keys on the access point and enter up to four keys:
Hexadecimal: Enter keys as 10 hexadecimal digits (0-9 and A-F) for 64 bit keys, 26 hexadecimal digits for 128 bit keys, or 32 hexadecimal digits for 152 bit keys (802.11a radio only). This is the default setting.
Alphanumeric: Enter keys as 5 alphanumeric characters for 64 bit keys, 13 alphanumeric characters for 128 bit keys, or 16 alphanumeric characters for 152 bit keys (802.11a radio only).
Key Number – Selects the key number to use for encryption for each VAP interface. If the clients have all four keys configured to the same values, you can change the encryption key to any of the eight settings without having to update the client keys. (Default: Key 1)
Shared Key Setup – Select 64 Bit, 128 Bit, or 152 Bit key length. Note that the same size of encryption key must be supported on all wireless clients. (Default: None)
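The security rules stated in this section (WDS VAPs limited to WPA-PSK or WPA2-PSK, the WEP key lengths per key type, the transmit key index rule for mixed WEP and WPA, and the manual's statement that WEP cannot be recommended) can be applied to a planned VAP configuration before it is entered. The Python below is an added example, not SMC code; the dictionary layout, field names, finding codes and sample keys are hypothetical and constructed for illustration.

```python
"""Audit a planned VAP security configuration against the rules in this section."""
import string

# Characters per key, by key type and key length in bits (from the Key Type item).
WEP_KEY_CHARS = {
    "hex": {64: 10, 128: 26, 152: 32},
    "alphanumeric": {64: 5, 128: 13, 152: 16},
}
WEP_ALPHABET = {
    "hex": set(string.hexdigits),
    "alphanumeric": set(string.ascii_letters + string.digits),
}
PSK_MODES = {"WPA-PSK", "WPA2-PSK"}
WPA_MODES = {"WPA", "WPA-PSK", "WPA2", "WPA2-PSK",
             "WPA-WPA2 Mixed", "WPA-WPA2-PSK-mixed"}


def wep_key_problem(key, key_type, bits):
    """Return a reason string if the key does not fit the format, else None."""
    expected = WEP_KEY_CHARS.get(key_type, {}).get(bits)
    if expected is None:
        return f"unsupported key type/length: {key_type}/{bits}"
    if len(key) != expected:
        return (f"{bits}-bit {key_type} key needs {expected} characters, "
                f"got {len(key)}")
    if not set(key) <= WEP_ALPHABET[key_type]:
        return f"characters outside the {key_type} set"
    return None


def audit_vap(vap):
    """Return a list of (code, detail) findings for one VAP dictionary."""
    findings = []
    assoc = vap.get("association_mode", "Open System")

    # WDS-AP / WDS-STA VAPs are limited to WPA-PSK and WPA2-PSK.
    if vap.get("mode", "AP") in ("WDS-AP", "WDS-STA") and assoc not in PSK_MODES:
        findings.append(("WDS_NEEDS_PSK", f"association mode is {assoc}"))

    if vap.get("encryption") == "WEP":
        # The manual states WEP is seriously flawed and not recommended.
        findings.append(("WEP_IN_USE", "WEP selected as encryption method"))
        keys = vap.get("wep_keys", {})
        if not keys:
            findings.append(("WEP_NO_KEY", "at least one static key is required"))
        for index, key in sorted(keys.items()):
            problem = wep_key_problem(key, vap.get("wep_key_type", "hex"),
                                      vap.get("wep_key_bits"))
            if problem:  # the key itself is never echoed into the finding
                findings.append(("WEP_KEY_FORMAT", f"key {index}: {problem}"))
        # With static WEP plus WPA, index 1 is used for dynamic keys.
        if assoc in WPA_MODES and vap.get("wep_tx_key", 1) not in (2, 3, 4):
            findings.append(("WEP_TX_KEY_INDEX", "use transmit key 2, 3, or 4"))
    return findings


if __name__ == "__main__":
    planned = [  # constructed sample configurations
        {"name": "VAP0", "mode": "AP", "association_mode": "WPA2-PSK",
         "encryption": "AES-CCMP"},
        {"name": "VAP1", "mode": "WDS-AP", "association_mode": "Open System",
         "encryption": "WEP", "wep_key_type": "hex", "wep_key_bits": 128,
         "wep_keys": {1: "0123456789"}, "wep_tx_key": 1},
    ]
    for vap in planned:
        print(vap["name"], audit_vap(vap) or "no findings")
```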
NOTE: Key index and type must match that configured on the clients.
In a mixed-mode environment with clients using static WEP keys and WPA, select WEP transmit key index 2, 3, or 4. The access point uses transmit key index 1 for the generation of dynamic keys.

QOS

Wireless networks offer an equal opportunity for all devices to transmit data from any type of application. Although this is acceptable for most applications, multimedia applications (with audio and video) are particularly sensitive to the delay and throughput variations that result from this “equal opportunity” wireless access method. For multimedia applications to run well over a wireless network, a Quality of Service (QoS) mechanism is required to prioritize traffic types and provide an “enhanced opportunity” wireless access method.
The access point implements QoS using the Wi-Fi Multimedia (WMM) standard. Using WMM, the access point is able to prioritize traffic and optimize performance when multiple applications compete for wireless network bandwidth at the same time. WMM employs techniques that are a subset of the developing IEEE 802.11e QoS standard and it enables the access point to interoperate with both WMM-enabled clients and other devices that may lack any WMM functionality.
Access Categories — WMM defines four access categories (ACs): voice, video, best effort, and background. These categories correspond to traffic priority levels and are mapped to IEEE 802.1D priority tags (see “WMM Access Categories” on page 99). The direct mapping of the four ACs to 802.1D priorities is specifically intended to facilitate interoperability with other wired network QoS policies. While the four ACs are specified for specific types of traffic, WMM allows the priority levels to be configured to match any network-wide QoS policy. WMM also specifies a protocol that access points can use to communicate the configured traffic priority levels to QoS-enabled wireless clients.
Table 5: WMM Access Categories
| Access Category | WMM Designation | Description | 802.1D Tags |
|---|---|---|---|
| AC_VO (AC3) | Voice | Highest priority, minimum delay. Time-sensitive data such as VoIP (Voice over IP) calls. | 7, 6 |
| AC_VI (AC2) | Video | High priority, minimum delay. Time-sensitive data such as streaming video. | 5, 4 |
| AC_BE (AC0) | Best Effort | Normal priority, medium delay and throughput. Data only affected by long delays. Data from applications or devices that lack QoS capabilities. | 0, 3 |
| AC_BK (AC1) | Background | Lowest priority. Data with no delay or throughput requirements, such as bulk data transfers. | 2, 1 |
WMM Operation — WMM uses traffic priority based on the four ACs; Voice, Video, Best Effort, and Background. The higher the AC priority, the higher the probability that data is transmitted.
When the access point forwards traffic, WMM adds data packets to four independent transmit queues, one for each AC, depending on the 802.1D priority tag of the packet. Data packets without a priority tag are always added to the Best Effort AC queue. From the four queues, an internal “virtual” collision resolution mechanism first selects data with the highest priority to be granted a transmit opportunity. Then the same collision resolution mechanism is used externally to determine which device has access to the wireless medium.
For each AC queue, the collision resolution mechanism is dependent on two timing parameters:
AIFSN (Arbitration Inter-Frame Space Number), a number used to calculate the minimum time between data frames
CW (Contention Window), a number used to calculate a random backoff time
After a collision detection, a backoff wait time is calculated. The total wait time is the sum of a minimum wait time (Arbitration Inter-Frame Space, or AIFS) determined from the AIFSN, and a random backoff time calculated from a value selected from zero to the CW. The CW value varies within a configurable range. It starts at CWMin and doubles after every collision up to a maximum value, CWMax. After a successful transmission, the CW value is reset to its CWMin value.
Figure 51: WMM Backoff Wait Times
[Figure: timelines for high-priority and low-priority traffic, each showing a minimum wait time (AIFS) followed by a random wait time (random backoff) chosen between CWMin and CWMax.]
For high-priority traffic, the AIFSN and CW values are smaller. The smaller values equate to less backoff and wait time, and therefore more transmit opportunities.
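The queue selection from Table 5 and the backoff rule described above are worked through below in Python. This is an added example, not code from the manual or the access point: the AIFSN, CWMin and CWMax numbers are illustrative assumptions, time is counted in slots with AIFS taken as AIFSN slots, and "doubling" is implemented as 2 x (CW + 1) - 1 so that CW stays one less than a power of two.

```python
"""WMM queue selection (Table 5) and per-AC backoff, counted in slots."""
import random

# 802.1D priority tag -> access category, from Table 5.
TAG_TO_AC = {7: "AC_VO", 6: "AC_VO", 5: "AC_VI", 4: "AC_VI",
             0: "AC_BE", 3: "AC_BE", 2: "AC_BK", 1: "AC_BK"}
PRIORITY_ORDER = ["AC_VO", "AC_VI", "AC_BE", "AC_BK"]  # highest first

# (AIFSN, CWMin, CWMax) per AC: illustrative values assumed for this example.
EXAMPLE_PARAMS = {"AC_VO": (2, 3, 7), "AC_VI": (2, 7, 15),
                  "AC_BE": (3, 15, 1023), "AC_BK": (7, 15, 1023)}


def classify(tag):
    """Pick the transmit queue; packets without a tag go to Best Effort."""
    if tag is None:
        return "AC_BE"
    if tag not in TAG_TO_AC:
        raise ValueError(f"802.1D priority must be 0-7, got {tag!r}")
    return TAG_TO_AC[tag]


class AcQueue:
    """Backoff state of one access category queue."""

    def __init__(self, name, aifsn, cw_min, cw_max):
        self.name, self.aifsn = name, aifsn
        self.cw_min, self.cw_max = cw_min, cw_max
        self.cw = cw_min

    def wait_bounds(self):
        """(minimum, maximum) total wait in slots for the current CW."""
        return self.aifsn, self.aifsn + self.cw

    def draw_wait(self, rng):
        """Minimum wait (AIFSN) plus a random backoff from zero to CW."""
        return self.aifsn + rng.randint(0, self.cw)

    def on_collision(self):
        self.cw = min(2 * (self.cw + 1) - 1, self.cw_max)

    def on_success(self):
        self.cw = self.cw_min


def simulate_internal_contention(ac_names, rounds, seed=1):
    """Count transmit opportunities when the named queues are always backlogged.

    Simplification: every round each queue draws a fresh wait; the shortest
    wait transmits, and on a tie the higher-priority AC wins while the other
    tied queues treat it as a collision.
    """
    rng = random.Random(seed)
    queues = [AcQueue(n, *EXAMPLE_PARAMS[n]) for n in ac_names]
    wins = {n: 0 for n in ac_names}
    for _ in range(rounds):
        waits = {q.name: q.draw_wait(rng) for q in queues}
        shortest = min(waits.values())
        winner = next(n for n in PRIORITY_ORDER if waits.get(n) == shortest)
        wins[winner] += 1
        for q in queues:
            if q.name == winner:
                q.on_success()
            elif waits[q.name] == shortest:
                q.on_collision()
    return wins


if __name__ == "__main__":
    for tag in (None, 0, 1, 5, 6):
        print(f"tag {tag!s:>4} -> {classify(tag)}")
    q = AcQueue("AC_BE", *EXAMPLE_PARAMS["AC_BE"])
    for _ in range(3):
        q.on_collision()
    print("AC_BE after 3 collisions: CW =", q.cw, "wait bounds =", q.wait_bounds())
    print(simulate_internal_contention(PRIORITY_ORDER, 2000))
```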