Zebra AP-7131N-FGR Product Reference Manual

AP-7131N-FGR Access Point

Product Reference Guide

Zebra and the Zebra head graphic are registered trademarks of ZIH Corp. The Symbol logo is a registered
trademark of Symbol Technologies, Inc., a Zebra Technologies company.

© 2015 Symbol Technologies, Inc.

Contents

Chapter 1.
Introduction

New Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2

IP Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3

MU Rate Limiting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3

Per Radio MU Limit. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3

Power Setting Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-4

AMSDU Transmission Support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-4

IPSec VPN Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5

Feature Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5

802.11n Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6

Sensor Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6

Mesh Roaming Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-9

Dual Mode Radio Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-9

Separate LAN and WAN Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-9

Multiple Mounting Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10

Antenna Support for 2.4 GHz and 5 GHz Radios . . . . . . . . . . . . . . . . . . . . . . 1-10

Sixteen Configurable WLANs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10

Support for 4 BSSIDs per Radio . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10

Quality of Service (QoS) Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-11

Industry Leading Data Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-11

EAP Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-12

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . WPA2-CCMP (802.11i) Encryption1-12

Firewall Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-13

2

AP-7131N-FGR Access Point Product Reference Guide

VPN Tunnels. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-13

Content Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-13

VLAN Support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-14

Multiple Management Accessibility Options . . . . . . . . . . . . . . . . . . . . . . . . . 1-14

Updatable Firmware. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-14

Programmable SNMP v3 Trap Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-15

Power-over-Ethernet Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-15

MU-MU Transmission Disallow. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-16

Voice Prioritization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-16

Support for CAM and PSP MUs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-17

Statistical Displays . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-17

Transmit Power Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-17

Advanced Event Logging Capability. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-18

Configuration File Import/Export Functionality . . . . . . . . . . . . . . . . . . . . . . . . 1-18

Default Configuration Restoration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-18

DHCP Support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-18

Mesh Networking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-19

Additional LAN Subnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-20

On-board Radius Server Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-20

Hotspot Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-20

Routing Information Protocol (RIP). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-21

Manual Date and Time Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-21

Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-21

Auto Negotiation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-22

Adaptive AP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-22

Rogue AP Enhancements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-22

Radius Time-Based Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-22

QBSS Support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-23

Theory of Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-23

Wireless Coverage. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-24

MAC Layer Bridging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-25

Media Types. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-25

Direct-Sequence Spread Spectrum . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-26

MU Association Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-26

Operating Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-27

Management Access Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-28

MAC Address Assignment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-29

Chapter 2.
Hardware Installation

Precautions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-2

Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2

Package Contents. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2

Access Point Placement. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3

Site Surveys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-4

Antenna Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4

Power Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-6

Power Injector System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-6

Installing the Power Injector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-8

Preparing for Site Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-8

Cabling the Power Injector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-9

Mounting an AP-7131N-FGR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-10

Wall Mounted Installations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-10

Suspended Ceiling T-Bar Installations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-13

Above the Ceiling (Plenum) Installations. . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-15

LED Indicators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-18

Dual Radio (2.4/5 GHz) LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-20

Rear LED. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-21

Setting Up MUs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-21

Legacy MUs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-21

802.11n MUs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-22

3

Chapter 3. Getting Started

Installing the Access Point. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1

Configuration Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-2

Initially Connecting to the Access Point . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3

Connecting to the Access Point using the WAN Port . . . . . . . . . . . . . . . . . . . . 3-3

Connecting to the Access Point using the LAN Port . . . . . . . . . . . . . . . . . . . . . 3-3

Basic Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-4

Configuring Your Browser for AP-7131N-FGR Support . . . . . . . . . . . . . . . . . . .3-4

Accessing the AP-7131N-FGR Using Internet Explorer . . . . . . . . . . . . . . . 3-4

Accessing the AP-7131N-FGR Using Mozilla Firefox . . . . . . . . . . . . . . . . 3-5

Configuring the Access Point. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-5

Configuring Device Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-8

4

AP-7131N-FGR Access Point Product Reference Guide

Configuring Basic WLAN Security Settings . . . . . . . . . . . . . . . . . . . . . .3-15

Testing Connectivity. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-17

Where to Go from Here? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-18

Chapter 4.
System Configuration

Configuring System Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2

Configuring Power Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-6

Adaptive AP Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-11

Configuring Data Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-14

Managing Certificate Authority (CA) Certificates . . . . . . . . . . . . . . . . . . . . . . . . . .4-18

Importing a CA Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-18

Creating Self Certificates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-20

Creating a Certificate for Onboard RADIUS Authentication . . . . . . . . . . . . . .4-23

Configuring SNMP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-27

Configuring SNMP Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-33

Enabling SNMP Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-34

Configuring Specific SNMP Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-36

Configuring SNMP RF Trap Thresholds. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-39

Configuring Network Time Protocol (NTP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-41

Logging Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-45

Importing/Exporting Configurations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-47

Updating Device Firmware. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-51

Key Zeroisation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-53

Key Zeroisation Process. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-54

Chapter 5. Network Management

Configuring the LAN Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-1

Configuring VLAN Support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-5

Configuring LAN1 and LAN2 Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-8

Configuring Advanced DHCP Server Settings . . . . . . . . . . . . . . . . . . . . .5-12

Setting the Type Filter Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . .5-13

Configuring WAN Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-15

Configuring Network Address Translation (NAT) Settings . . . . . . . . . . . . . . .5-21

Configuring Port Forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-22

Configuring Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-24

Enabling Wireless LANs (WLANs). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-25

Creating/Editing Individual WLANs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-28

Configuring WLAN Security Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-33

Configuring a WLAN Access Control List (ACL) . . . . . . . . . . . . . . . . . . .5-34

Setting the WLAN Quality of Service (QoS) Policy . . . . . . . . . . . . . . . . .5-37

Configuring WLAN Hotspot Support . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-43

Setting the WLAN’s Radio Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-49

Configuring the 802.11a/n or 802.11b/g/n Radio . . . . . . . . . . . . . . . . . .5-54

Configuring MU Rate Limiting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-65

Configuring Router Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-66

Setting the RIP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-69

Configuring IP Filtering. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-71

Applying a Filter to LAN1, LAN2 or a WLAN (1-16) . . . . . . . . . . . . . . . . . . . .5-74

Chapter 6. Configuring Access Point Security

Configuring Security Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-2

Setting Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-2

Resetting the Access Point Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-4

Enabling Authentication and Encryption Schemes . . . . . . . . . . . . . . . . . . . . . . . . . . 6-4

Configuring 802.1x EAP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-6

Configuring WPA2-CCMP (802.11i) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-11

Configuring Firewall Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-13

Configuring LAN to WAN Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-15

Available Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-17

Configuring Advanced Subnet Access. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-18

Configuring VPN Tunnels. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-22

Creating a VPN Tunnel between Two Access Points . . . . . . . . . . . . . . . . . . . 6-25

Configuring Manual Key Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-27

Configuring Auto Key Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-31

Configuring IKE Key Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-33

Viewing VPN Status. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-35

Configuring Content Filtering Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-38

Configuring Rogue AP Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-41

Moving Rogue APs to the Allowed AP List . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-45

Displaying Rogue AP Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-47

Using MUs to Detect Rogue Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-49

5

6

AP-7131N-FGR Access Point Product Reference Guide

Configuring User Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-51

Configuring the Radius Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-51

Configuring LDAP Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-55

Configuring a Proxy Radius Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-57

Managing the Local User Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-59

Wireless Users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-59

Management Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-61

Mapping Users to Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-63

Defining User Access Permissions by Group. . . . . . . . . . . . . . . . . . . . . . . . . .6-65

Editing Group Access Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-67

Chapter 7. Monitoring Statistics

Viewing WAN Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-2

Viewing LAN Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-6

Viewing a LAN’s STP Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-9

Viewing Wireless Statistics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-11

Viewing WLAN Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-14

Viewing Radio Statistics Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-17

Viewing Radio Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-19

Retry Histogram . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-23

Viewing MU Statistics Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-24

Viewing MU Details. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-26

Pinging Individual MUs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-28

MU Authentication Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-29

Viewing the Mesh Statistics Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-30

Viewing Known Access Point Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-32

Chapter 8. CLI Reference

Connecting to the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-2

Accessing the CLI through the Serial Port. . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-2

Accessing the CLI via SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-2

Admin and Common Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-3

Network Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-11

Network LAN Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-12

Network LAN, Bridge Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-17

Network LAN, WLAN-Mapping Commands . . . . . . . . . . . . . . . . . . . . . .8-20

Network LAN, DHCP Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-29

Network Type Filter Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-35

Network WAN Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-40

Network WAN NAT Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-43

Network WAN, VPN Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-49

Network WAN, Dynamic DNS Commands . . . . . . . . . . . . . . . . . . . . . . . 8-62

Network Wireless Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-66

Network WLAN Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-67

Network Security Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-80

Network ACL Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-87

Network Radio Configuration Commands . . . . . . . . . . . . . . . . . . . . . . . . 8-92

Network Quality of Service (QoS) Commands. . . . . . . . . . . . . . . . . . . . 8-123

Network Rate Limiting Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-128

Network Rogue-AP Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-131

WIPS Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-141

Network MU Locationing Commands . . . . . . . . . . . . . . . . . . . . . . . . . .8-144

Network Firewall Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-147

Network Router Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-152

System Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-159

Power Setup Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-164

Adaptive AP Setup Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-167

System Access Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-171

System Certificate Management Commands . . . . . . . . . . . . . . . . . . . . . . . . 8-175

System SNMP Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-188

System SNMP Access Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-189

System SNMP Traps Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-194

System User Database Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-200

System Radius Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-218

System Network Time Protocol (NTP) Commands . . . . . . . . . . . . . . . . . . . . 8-241

System Log Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-246

System Configuration-Update Commands . . . . . . . . . . . . . . . . . . . . . . . . . . 8-253

Firmware Update Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-261

FIPS Test Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-266

Statistics Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-271

7

8

AP-7131N-FGR Access Point Product Reference Guide

Chapter 9. Configuring Mesh Networking

Mesh Networking Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-1

The Client Bridge Association Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-3

Client Bridge Configuration Process Example . . . . . . . . . . . . . . . . . . . . . .9-4

Spanning Tree Protocol (STP). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-4

Defining the Mesh Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-4

Mesh Networking and the Access Point’s Two Subnets. . . . . . . . . . . . . . . . . .9-5

Normal Operation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-5

Impact of Importing/Exporting Configurations to a Mesh Network . . . . . . . . .9-5

Configuring Mesh Networking Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-7

Setting the LAN Configuration for Mesh Networking Support . . . . . . . . . . . . .9-7

Configuring a WLAN for Mesh Networking Support . . . . . . . . . . . . . . . . . . . . .9-9

Configuring the Access Point Radio for Mesh Support . . . . . . . . . . . . . . . . . .9-13

Mesh Network Deployment - Quick Setup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-20

Scenario 1 - Two Base Bridges and One Client Bridge . . . . . . . . . . . . . . . . . .9-20

Configuring AP#1:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-21

Configuring AP#2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-24

Configuring AP#3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-25

Verifying Mesh Network Functionality for Scenario #1. . . . . . . . . . . . . .9-27

Scenario 2 - Two Hop Mesh Network with a Base Bridge Repeater and a Client Bridge9-

27

Configuring AP#1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-27

Configuring AP#2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-28

Configuring AP#3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-29

Verifying Mesh Network Functionality for Scenario #2. . . . . . . . . . . . . .9-31

Mesh Networking Frequently Asked Questions. . . . . . . . . . . . . . . . . . . . . . . . . . . .9-32

Chapter 10.
Adaptive AP

Adaptive AP Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-1

Where to Go From Here . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-2

Adaptive AP Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-3

Licensing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-3

Switch Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-3

Manual Adoption Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-3

Securing a Configuration Channel Between Switch and AP . . . . . . . . . . . . . .10-4

Adaptive AP WLAN Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-4

Configuration Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-4

Securing Data Tunnels between the Switch and AAP . . . . . . . . . . . . . . . . . .10-5

Adaptive AP Switch Failure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-5

Remote Site Survivability (RSS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-6

Adaptive Mesh Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-6

Supported Adaptive AP Topologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-7

Topology Deployment Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-7

Extended WLANs Only . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-8

Independent WLANs Only . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-8

Extended WLANs with Independent WLANs . . . . . . . . . . . . . . . . . . . . . . . . .10-8

Extended WLAN with Mesh Networking. . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-9

How the AP Receives its Adaptive Configuration . . . . . . . . . . . . . . . . . . . . . . . . . .10-9

Establishing Basic Adaptive AP Connectivity. . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-11

Adaptive AP Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-11

Adopting an Adaptive AP Manually. . . . . . . . . . . . . . . . . . . . . . . . . . . .10-11

Adopting an Adaptive AP Using a Configuration File . . . . . . . . . . . . . .10-13

Switch Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-13

Adaptive AP Deployment Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . .10-15

Sample Switch Configuration File for IPSec and Independent WLAN . . . . .10-16

9

Appendix A. Technical Specifications

Physical Characteristics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-2

Electrical Characteristics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-2

Radio Characteristics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-3

Country Codes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-4

Appendix B. Usage Scenarios

Configuring an IPSEC Tunnel and VPN FAQs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-2

Configuring a VPN Tunnel Between Two Access Points . . . . . . . . . . . . . . . . . B-2

Configuring a Cisco VPN Device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-5

Frequently Asked VPN Questions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-6

Appendix C. Zebra Support

10

AP-7131N-FGR Access Point Product Reference Guide

About This Guide

Introduction

This guide provides configuration and setup information for the AP-7131N-FGR model access
point.

Document Conventions

The following document conventions are used in this document:

NOTE Indicate tips or special requirements.

CAUTION Indicates conditions that can cause equipment damage or data

loss.

WARNING! Indicates a condition or procedure that could result in personal

injury or equipment damage.

viii

AP-7131N-FGR Access Point Product Reference Guide

Notational Conventions

The following notational conventions are used in this document:

• Italics are used to highlight specific items in the general text, and to identify chapters and
sections in this and related documents.

• Bullets (•) indicate:

• action items

• lists of alternatives

• lists of required steps that are not necessarily sequential

• Sequential lists (those describing step-by-step procedures) appear as numbered lists.

Service Information

If a problem is encountered with the access point, contact Zebra Support. Refer to

Appendix C, Zebra Support for contact information. Before calling, have the model and serial number

on hand.

1

Introduction

As a standalone access point, an AP-7131N-FGR provides small and medium-sized businesses with
a consolidated wired and wireless networking infrastructure, all in a single device. The integrated
router, gateway, firewall, DHCP and Power-over-Ethernet (PoE) simplify and reduce the costs
associated with networking by eliminating the need to purchase and manage multiple devices.

The access point is also designed to meet the needs of large, distributed enterprises by converging
the functionality of a thick access point and thin access port into a single device. This mode enables
the deployment of a fully featured intelligent access point that can be centrally configured and
managed via a wireless switch in either corporate headquarters or a network operations center
(NOC). In the event the connection between the access point and the wireless switch is lost, a Remote
Site Survivability (RSS) feature ensures the delivery of uninterrupted wireless services at the local or
remote site. All traffic between the adaptive access points and the wireless switch is secured though
an IPSec tunnel. Additionally, compatibility with The RF Management Suite (RFMS) allows you to
centrally plan, deploy, monitor and secure large deployments.

If you are new to using an access point for managing your network, refer to Theory of Operations on

page 1-23 for an overview on wireless networking fundamentals.

1-2

AP-7131N-FGR Access Point Product Reference Guide

Beginning with the 4.x access point firmware baseline, the AP-7131N-FGR model access point has
been introduced as a compliment to the existing AP-7131 access point family. The new AP-7131N­FGR access point supports the same feature set as existing AP-7131and AP-7131N model access
points. Unlike the AP-7131 and AP-7131N models however, an AP-7131N-FGR has specialized data
protection mechanisms and prompts the user when secure information is displayed within the access
point GUI applet.

The AP-7131N-FGR enables you to configure one radio for 802.11a/n support, and the other for

802.11b/g/n support.

The two models available to the AP-7131N-FGR series include:

• AP-7131N-66040-FGR (802.11an and 802.11bgn capable)

• AP-7131N-44040-FGR (802.11a and 802.11bg capable)

1.1 New Features

The following features are now available with the introduction of the new 4.0 access point hardware
and firmware baseline:

• IP Filtering

• MU Rate Limiting

• Per Radio MU Limit

• Power Setting Configuration

• AMSDU Transmission Support

• IPSec VPN Support

Introduction

1.1.1 IP Filtering

IP filtering determines which IP packets are processed normally and which are discarded. If discarded,
the packet is deleted and completely ignored (as if never received). Optionally apply different criteria
to better refine which packets to filter.

IP filtering supports the creation of up to 20 filter rules enforced at layer 3. Once defined (using the
access point’s SNMP, GUI or CLI), filtering rules can be enforced on the access point’s LAN1, LAN2
and WLAN interfaces. An additional default action is also available denying traffic when the filter
rules fail. Lastly, imported and exported configurations retain their defined IP filtering configurations.

For information on configuring the access point’s IP filtering functionality, see Configuring IP Filtering

on page 5-71.

1.1.2 MU Rate Limiting

MU rate limiting enables an administrator to determine how much radio bandwidth is allocated to
each MU within any one of the 16 supported WLANs.

Before this 4.0 baseline release, access points supported bandwidth management on a per-WLAN
basis. Each WLAN could be configured to receive (at most) a certain percentage of the total available
downstream bandwidth. The new rate limiting feature is a replacement of the bandwidth
management feature allowing for better MU radio bandwidth allotments on a per WLAN basis.

1-3

To globally enable or disable the MU rate limit and assess the WLANs in which it’s currently invoked,
see Configuring MU Rate Limiting on page 5-65.

To define the actual MU rate limit (maximum downstream bandwidth allocation in kbps), see

Creating/Editing Individual WLANs on page 5-28.

1.1.3 Per Radio MU Limit

Prior to this new 4.0 AP firmware baseline, an access point allowed a total of 127 MU associations,
regardless of the number of radios on the AP. With a dual-radio AP, if there were already 127 MUs
associated to one radio, that were no slots available for a MU to associate with another radio.

With the new 4.0 firmware, an AP can reserve slots on each radio so MUs of one radio type (11a/n
or 11bg/n) have better chances for AP association. Therefore, the total number of MUs allowed to
associate remains at 127, but you can now strategically distribute the 127 MU associations between
the data radios.

1-4

AP-7131N-FGR Access Point Product Reference Guide

For information on setting the number of MU associations on a specific radio, see Configuring the

802.11a/n or 802.11b/g/n Radio on page 5-54.

1.1.4 Power Setting Configuration

The access point’s power management functionality automatically configures the AP's operational
mode so it safely operates within available power. The power setting feature enables the user to
select one of three power operating modes, 3af, 3at and full power. When an access point is
operating in either 3af or 3at mode, the transmit power is always lower than the full power setting.
With the introduction of the AP-7131N-FGR model access point, the power options available for dual
radio model access points has never been more diverse, and careful consideration must be made
before deploying the access point.

The AP’s hardware design uses a complex programmable logic device (CPLD). When an AP is powered
on (or performing a cold reset), the CPLD determines the maximum power available to the AP by a
POE device. Once an operational power configuration is defined, the AP firmware can read the power
setting and configure operating characteristics based on the AP’s SKU and power configuration. If the
POE cannot provide sufficient power (with all interfaces enabled), the following interfaces could be
disabled or modified:

• Radio transmit power could be reduced due to lack of sufficient power or the radio can be
disabled

• The WAN port configuration could be changed (enabled or disabled)

For information on configuring the access point’s power configuration, see Configuring Power

Settings on page 4-6.

1.1.5 AMSDU Transmission Support

Aggregate MAC Service Data Unit (AMSDU) is an 802.11n specific MAC feature which enhances the
transmission of multiple MSDU contents wrapped within a single preamble/packet infrastructure.
The AMSDU transmission limit is set to 3839 bites by default.

For information on configuring AMSDU support for an access point radio, see Configuring the

802.11a/n or 802.11b/g/n Radio on page 5-54. AMSDU support can be defined by selecting the Set

Aggregation button within the Network Configuration -> Wireless -> Radio Configuration ->

Radio1 screen.

Introduction

1.1.6 IPSec VPN Support

A VPN ensures data privacy between two end points, even while using a communication medium
which is itself insecure (like the Internet). VPNs create a secure tunnel between two end points as if
they are directly connected over a secure connection. Traffic is secured using a robust IPSec
encryption technique.

You can get the safety of a VPN in a WLAN by hosting the VPN server at the access point, and the
VPN client software on the MU. For that reason, a VPN provides secure WLAN access to MUs. A VPN
solution was more common before 802.11i was introduced, but is not as common now, since 802.11i/
WPA2 is considered more secure.

For information on configuring VPN support, see Configuring VPN Tunnels on page 6-22. For
instructions on configuring a IPSec VPN tunnel using two access points, see Creating a VPN Tunnel

between Two Access Points on page 6-25.

1.2 Feature Overview

The following legacy features have been carried forward into the 4.x firmware baseline:

• 802.11n Support

• Sensor Support

• Mesh Roaming Client

• Dual Mode Radio Options

• Separate LAN and WAN Ports

• Multiple Mounting Options

• Antenna Support for 2.4 GHz and 5 GHz Radios

• Sixteen Configurable WLANs

• Support for 4 BSSIDs per Radio

• Quality of Service (QoS) Support

• Industry Leading Data Security

• VLAN Support

• Multiple Management Accessibility Options

• Updatable Firmware

• Programmable SNMP v3 Trap Support

• Power-over-Ethernet Support

1-5

1-6

AP-7131N-FGR Access Point Product Reference Guide

• MU-MU Transmission Disallow

• Voice Prioritization

• Support for CAM and PSP MUs

• Statistical Displays

• Transmit Power Control

• Advanced Event Logging Capability

• Configuration File Import/Export Functionality

• Default Configuration Restoration

• DHCP Support

• Mesh Networking

• Additional LAN Subnet

• On-board Radius Server Authentication

• Hotspot Support

• Routing Information Protocol (RIP)

• Manual Date and Time Settings

• Dynamic DNS

• Auto Negotiation

• Adaptive AP

• Rogue AP Enhancements

• Radius Time-Based Authentication

• QBSS Support

1.2.1 802.11n Support

Full life-cycle support is provided for either a new or existing 802.11n mobility deployment, from
network design to day-to-day support. For information on deploying your 802.11n radio, see

Configuring the 802.11a/n or 802.11b/g/n Radio on page 5-54.

1.2.2 Sensor Support

The Wireless Intrusion Protection System (WIPS) protects your wireless network, mobile devices and
traffic from attacks and unauthorized access. WIPS provides tools for standards compliance and
around-the-clock 802.11a/b/g wireless network security in a distributed environment. WIPS allows
administrators to identify and accurately locate attacks, rogue devices and network vulnerabilities in

Introduction

real time and permits both a wired and wireless lockdown of wireless device connections upon
acknowledgement of a threat.

An access point radio can function as a sensor and upload sensor mode operation information to a
dedicated WIPS server. WIPS is not supported on a WLAN basis, rather sensor functionality is
supported on the access point radio(s) available to each WLAN. When an access point radio is
functioning as a WIPS sensor, it is able to scan in sensor mode across all channels within the 2.4 and

5.0 GHz bands.

NOTE Sensor support requires an AirDefense WIPS Server on the network.

Sensor functionality is not provided by the access point alone. The access
point works in conjunction with a dedicated WIPS server.

The following is a network topology illustrating how a sensor functions within an access point
supported wireless network:

1-7

1-8

AP-7131N-FGR Access Point Product Reference Guide

A radio in sensor mode supports three basic features:

NOTE The functions described below are conducted on the WIPS server side,

not on the access point.

• Wireless Termination - The access point attempts to force an unwanted (or unauthorized)
connection to disconnect.

• Wireless Sniffing - All received frames are reported to the WIPS server. This feature
provides the WIPS server with visibility into the activity on the wireless network. The WIPS
server processes the received traffic and provides the IT administrator with useful
information about the 802.11 RF activities in the enterprise.

• Spectrum Analysis - The data needed to provide the current RF Spectrum is provided to the
WIPS server. The access point does not display the data, but it is available to the WIPS
server. Spectrum analysis can operate only when there are no WLAN radios configured. The
WIPS daemon and server are responsible for limiting operation only when there is no radio
in WLAN mode. When a configuration change is made at the AP, the Spectrum Analysis
operation stops.

• Live View- The WIPS application provides a live view of the sensors, APs and MUs operating
in a WLAN. Live view support exists throughout the WIPS application, wherever a device
icon appears in an information panel or navigation tree. Access Live View by right-clicking
on the device, which automatically limits the data to the specific device your choose.

Sensor radios can be tuned to channels in both the 2.4GHz and 5.0 GHz band. The channels in use by
a given radio are defined by the WIPS application. There is no need to explicitly set a band for a
sensor radio. Instead, select either default values or specific channels. Specific channels can be in
either band.

CAUTION Users cannot define a radio as a sensor when one of the access point

radios is functioning as a rogue AP detector. To use one of the radios
as a WIPS sensor, you must disable its current detector method(s)
first, then set the radio for WIPS sensor support. For information on
disabling rogue AP detection, see Configuring Rogue AP Detection on

page 6-41.

With this most recent 4.0 release of the access point firmware, WIPS functionality is no longer
configured within a designated WIPS screen. WIPS functionality is now defined as part of the access
point’s quick setup procedure. For information on using the access point’s Quick Setup screen to

Introduction

define how WIPS can be supported on an access point radio, see Configuring Device Settings on page

3-8.

1.2.3 Mesh Roaming Client

Enable the Mesh Roaming Client feature (using the access point’s CLI) to allow a client bridge to
associate in the same manner as a regular mesh client bridge. After an initial (single) association, the
client bridge will not attempt additional associations. Since STP will be disabled, the association
forwards data as soon as the association attempt is successful. When Mesh Roaming Client is
enabled, base bridge mode is not supported to avoid a loop within the mesh topology. Thus, the Mesh
Roaming Client is always an end point (by design) within the mesh wireless topology. The base bridge
will need STP disabled to immediately begin forwarding data when a roaming client bridge
associates.

1.2.4 Dual Mode Radio Options

When the access pointAP-5131 is manufactured as a dual-radio access point, as is the case with the
AP-7131N-FGR, theAP-5131 access point enables you to configure one radio for 802.11a/n support,
and the other for 802.11b/g/n support.

1-9

The two models available to the AP-7131N-FGR series include:

• AP-7131N-66040-FGR (802.11an and 802.11bgn capable)

• AP-7131N-44040-FGR (802.11a and 802.11bg capable)

For detailed informationAP-5131, see Setting the WLAN’s Radio Configuration on page 5-49.

1.2.5 Separate LAN and WAN Ports

The access pointAP-5131 has one LAN (GE1/POE) port and one WAN (GE2) port, each with their own
MAC address. The access point must manage all data traffic over the LAN connection carefully as
either a DHCP client, BOOTP client, DHCP server or using a static IP address. The access point can
only use a Power-over-Ethernet device when connected to the LAN port.

For detailed information on configuring the AP-5131 LAN port, see Configuring the LAN Interface on

page 5-1.

A Wide Area Network (WAN) is a widely dispersed telecommunications network. In a corporate
environment, the WAN port might connect to a larger corporate network. For a small business, the
WAN port might connect to a DSL or cable modem to access the Internet. Regardless, network
address information must be configured for the access pointAP-5131’s intended mode of operation.

1-10

AP-7131N-FGR Access Point Product Reference Guide

For detailed information on configuring the AP-5131access point’s WAN port, see Configuring WAN

Settings on page 5-15.

The LAN and WAN port MAC addresses can be located within the LAN and WAN Stats screens.

For detailed information on locating the access point’s MAC addresses, see Viewing WAN Statistics

on page 7-2 and Viewing LAN Statistics on page 7-6. For information on access point MAC address

assignments, see MAC Address Assignment on page 1-29.

1.2.6 Multiple Mounting Options

The accAP-5131ess point attaches to a wall, mounts under a ceiling or above a ceiling (attic). Choose
a mounting option based on the physical environment of the coverage area. Do not mount the access
pointAP-5131 in a location that has not been approved in a radio coverage site survey.

For detailed information on the mounting options available AP-5131, see Mounting an AP-7131N-FGR

on page 2-10.

1.2.7 Antenna Support for 2.4 GHz and 5 GHz Radios

The AP-5131access point supports several 802.11a/n and 802.11b/g/n radio antennas. Select the
antenna best suited to the radio transmission requirements of your coverage area.

1.2.8 Sixteen Configurable WLANs

A Wireless Local Area Network (WLAN) is a data-communications system that flexibly extends the
functionalities of a wired LAN. A WLAN does not require lining up devices for line-of-sight
transmission, and are thus, desirable for wireless networking. Roaming users can be handed off from
one access pointAP-5131 to another like a cellular phone system. WLANs can therefore be configured
around the needs of specific groups of users, even when they are not in physical proximity. Sixteen
WLANs are configurable on each access pointAP-5131.

To enable and configure WLANs on an access pointAP-5131 radio, see Click Undo Changes (if

necessary) to undo any changes made. Undo Changes reverts the settings displayed on the screen to
the last saved configuration. on page 5-25.

1.2.9 Support for 4 BSSIDs per Radio

The access point supports four BSSIDs per radio. Each BSSID has a corresponding MAC address. The
first MAC address corresponds to BSSID #1. The MAC addresses for the other three BSSIDs (BSSIDs
#2, #3, #4) are derived by adding 1, 2, 3, respectively, to the radio MAC address.

Introduction

If the radio MAC address displayed on the Radio Settings screen is 00:23:68:72:20:DC, then the
BSSIDs for that radio will have the following MAC addresses:

BSSID MAC Address Hexadecimal Addition

BSSID #1 00:23:68:72:20:DC Same as Radio MAC address

BSSID #2 00:23:68:72:20:DD Radio MAC address +1

BSSID #3 00:23:68:72:20:DE Radio MAC address +2

BSSID #4 00:23:68:72:20:DF Radio MAC address +3

For detailed information on strategically mapping BSSIDs to WLANs, see Configuring the 802.11a/n

or 802.11b/g/n Radio on page 5-54. For information on access point MAC address assignments, see
MAC Address Assignment on page 1-29.

1.2.10 Quality of Service (QoS) Support

The AP-5131QoS implementation provides applications running on different wireless devices a
variety of priority levels to transmit data to and from the access pointAP-5131. Equal data
transmission priority is fine for data traffic from applications such as Web browsers, file transfers or
email, but is inadequate for multimedia applications.

1-11

Voice over Internet Protocol (VoIP), video streaming and interactive gaming are highly sensitive to
latency increases and throughput reductions. These forms of higher priority data traffic can
significantly benefit from the AP-5131 QoS implementation.The WiFi Multimedia QOS Extensions
(WMM) implementation used by the AP-5131 shortens the time between transmitting higher priority
data traffic and is thus desirable for multimedia applications. In addition, U-APSD (WMM Power
Save) is also supported.

WMM defines four access categories—voice, video, best effort and background—to prioritize traffic
for enhanced multimedia support.

For detailed information on configuring QoS supportAP-5131, see Setting the WLAN Quality of

Service (QoS) Policy on page 5-37.

1.2.11 Industry Leading Data Security

The AP-5131AP-7131N-FGR a unique set of encryption and authentication techniques to protect the
data transmitting on the WLAN.

The following authentication techniques are supported:

1-12

AP-7131N-FGR Access Point Product Reference Guide

• EAP Authentication

The following encryption techniques are supportedAP-5131:

• WPA2-CCMP (802.11i) Encryption

In addition, the AP-5131access point supports the following additional security features:

• Firewall Security

• VPN Tunnels

• Content Filtering

For an overview on the encryption and authentication schemes available AP-5131, refer to

Configuring Access Point Security on page 6-1.

1.2.11.1 EAP Authentication

The Extensible Authentication Protocol (EAP) feature provides access points and their associated
MUs an additional measure of security for data transmitted over the wireless network. Using EAP,
authentication between devices is achieved through the exchange and verification of certificates.

EAP is a mutual authentication method whereby both the MU and AP are required to prove their
identities. Using EAP, the user loses device authentication if the server cannot provide proof of device
identification.

Using EAP, a user requests connection to a WLAN through the access pointAP-5131. The access point
AP-5131then requests the identity of the user and transmits that identity to an authentication server.
The server prompts the AP for proof of identity (supplied to the AP-5131 by the user) and then
transmits the user data back to the server to complete the authentication process.

An MU is not able to access the network if not authenticated. When configured for EAP support, the
access point displays the MU as an EAP station.

EAP is only supported on mobile devices running Windows XP, Windows 2000 (using Service Pack #4)
and Windows Mobile 2003. Refer to the system administrator for information on configuring a Radius
Server for EAP (802.1x) support.

For detailed information on EAP configurations, see Configuring 802.1x EAP Settings on page 6-6.

1.2.11.2 WPA2-CCMP (802.11i) Encryption

WPA2 is a newer 802.11i standard that provides even stronger wireless security than Wi-Fi Protected
Access (WPA) and WEP. Counter-mode/CBC-MAC Protocol (CCMP) is the security standard used by

Introduction

the Advanced Encryption Standard (AES). CCMP computes a Message Integrity Check (MIC) using the
proven Cipher Block Message Authentication Code (CBC-MAC) technique. Changing just one bit in a
message produces a totally different result.

WPA2-CCMP is based on the concept of a Robust Security Network (RSN), which defines a hierarchy
of keys with a limited lifetime . Messages are encrypted using a 128-bit secret key and a 128-bit block
of data. The end result is an encryption scheme as secure as any the access pointAP-5131 provides.

For detailed information on WPA2-CCMP, see Configuring WPA2-CCMP (802.11i) on page 6-11.

1.2.11.3 Firewall Security

A firewall keeps personal data in and hackers out. The AP-5131access point’s firewall prevents
suspicious Internet traffic from proliferating the access pointAP-5131 managed network. The
AP-5131access point performs Network Address Translation (NAT) on packets passing to and from
the WAN port. This combination provides enhanced security by monitoring communication with the
wired network.

For detailed information on configuring the access point’s AP-5131firewall, see Configuring Firewall

Settings on page 6-13.

1.2.11.4 VPN Tunnels

1-13

Virtual Private Networks (VPNs) are IP-based networks using encryption and tunneling providing
users remote access to a secure LAN. In essence, the trust relationship is extended from one LAN
across the public network to another LAN, without sacrificing security. A VPN behaves like a private
network; however, because the data travels through the public network, it needs several layers of
security. The AP-5131access point can function as a robust VPN gateway.

For detailed information on configuring VPN security support, see Configuring VPN Tunnels on page

6-22.

1.2.11.5 Content Filtering

Content filtering allows system administrators to block specific commands and URL extensions from
going out through theAP-5131 WAN port. Therefore, content filtering affords system administrators
selective control on the content proliferating the network and is a powerful screening tool. Content
filtering allows the blocking of up to 10 files or URL extensions and allows blocking of specific
outbound requests.

For detailed information on configuring content filtering support, see Configuring Content Filtering

Settings on page 6-38.

1-14

AP-7131N-FGR Access Point Product Reference Guide

1.2.12 VLAN Support

A Virtual Local Area Network (VLAN) can electronically separate data on the same AP from a single
broadcast domain into separate broadcast domains. By using a VLAN, you can group by logical
function instead of physical location. There are 16 VLANs supported on the access pointAP-5131. An
administrator can map up to 16 WLANs to 16 VLANs and enable or disable dynamic VLAN
assignment. In addition to these 16 VLANs, the access point supports dynamic, user-based, VLANs
when using EAP authentication.

VLANs enable organizations to share network resources in various network segments within large
areas (airports, shopping malls, etc.). A VLAN is a group of clients with a common set of requirements
independent of their physical location. VLANs have the same attributes as physical LANs, but they
enable administrators to group clients even when they are not members of the same network
segment.

For detailed information on configuring VLAN support, see Configuring VLAN Support on page 5-5.

1.2.13 Multiple Management Accessibility Options

The access pointAP-5131 can be accessed and configured using one of the following:

• Java-Based Web UI

• Human readable config file (imported via SFTP)

• MIB (Management Information Base)

• Command Line Interface (CLI) accessed via RS-232 . Use the access point’sAP-5131 DB-9
serial port for direct access to the command-line interface from a PC. Use a Null-Modem
cable (Part No. 25-632878-0) for the best fitting connection.

1.2.14 Updatable Firmware

Updated versions of device firmware are periodically released to the Zebra Web site. If the AP-5131
firmware version displayed on the System Settings screen (see Configuring System Settings on page

4-2) is older than the version on the Web site, update the access pointAP-5131 to the latest firmware

version for full feature functionality.

For detailed information on updating the AP-5131 firmware using SFTP, see Updating Device

Firmware on page 4-51.

Introduction

1.2.15 Programmable SNMP v3 Trap Support

Simple Network Management Protocol (SNMP) facilitates the exchange of management information
between network devices. SNMP uses Management Information Bases (MIBs) to manage the device
configuration and monitor Internet devices in remote locations. MIB information accessed via SNMP
is defined by a set of managed objects called Object Identifiers (OIDs). An OID is used to uniquely
identify each object variable of a MIB.

SNMP allows a network administrator to configure the access point, manage network performance,
find and solve network problems, and plan network growth. The access pointAP-5131 supports SNMP
management functions for gathering information from its network components. The MIB files are
available at www.zebra.com/support
more information refer Appendix C, Zebra Support

Few acronyms used in the MIB files:

Portal Radio of an AP

MIB Management Information Base

LAN Local Area Network

. The user should serach for “AP7131N-GR MIBS 4.0.4.0”. For

Table 1.1 Acronyms

1-15

WAN Wide Area Network

POE Power Over Ethernet

WLAN Wireless LAN

AP Access Point

Switch RFS7000-GR

MU Mobile Unit

The AP-5131access point’s SNMP agent functions as a command responder and is a multilingual
agent responding to SNMP v3 managers (command generators). For detailed information on
configuring SNMP traps, see Configuring SNMP Settings on page 4-27.

1.2.16 Power-over-Ethernet Support

When users purchase a WLAN solution, they often need to place access points in obscure locations.
In the past, a dedicated power source was required for each access point in addition to the Ethernet

1-16

AP-7131N-FGR Access Point Product Reference Guide

infrastructure. This often required an electrical contractor to install power drops at each access point
location.

An approved Power Injector solution merges power and Ethernet into one cable, reducing the burden
of installation and allows optimal access pointAP-5131 placement in respect to the intended radio
coverage area. The access point can only use a Power-over-Ethernet device when connected to the
access point’s LAN (GE1/POE) port. The access point can also support 3af/3at compliant products
from other vendors.

The Power Injector (Part No. AP-PSBIAS-1P3-AFR) is a single-port Power over Ethernet hub combining
low-voltage DC with Ethernet data in a single cable connecting to the access pointAP-5131. The
Power Injector’s single DC and Ethernet data cable creates a modified Ethernet cabling environment
on the AP-5131access point’s LAN port eliminating the need for separate Ethernet and power cables.
For detailed information on using the Power Injector, see Power Injector System on page 2-6.

1.2.17 MU-MU Transmission Disallow

The access point’s MU-MU Disallow feature prohibits MUs from communicating with each other even
if on the same WLAN, assuming one of the WLAN’s is configured to disallow MU-MU
communication. Therefore, if an MU’s WLAN is configured for MU-MU disallow, it will not be able to
communicate with any other MUs connected to this access point.

For detailed information on configuring an AP-5131 WLAN to disallow MU to MU communications,
see Creating/Editing Individual WLANs on page 5-28.

1.2.18 Voice Prioritization

Each AP-5131access point WLAN has the capability of having its QoS policy configured to prioritize
the network traffic requirements for associated MUs. A WLAN QoS page is available for each
enabled WLAN on either the AP-5131802.11a/n or 802.11b/g/n radio.

Use the QoS page to enable voice prioritization for devices to receive the transmission priority they
may not normally receive over other data traffic. Voice prioritization allows the access pointAP-5131
to assign priority to voice traffic over data traffic, and (if necessary) assign legacy voice supported
devices (non WMM supported voice devices) additional priority.

For detailed information on configuring voice prioritization over other voice enabled devices, see

Setting the WLAN Quality of Service (QoS) Policy on page 5-37.