ZyXEL Communications G-3000H User Manual

G-3000H
802.11g Wireless Access Point
User’s Guide
Version 3.50
11/2005
G-3000H User’s Guide
Copyright
The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical, magnetic, optical, chemical, photocopying, manual, or otherwise, without the prior written permission of ZyXEL Communications Corporation.
Published by ZyXEL Communications Corporation. All rights reserved.
Disclaimer
ZyXEL does not assume any liability arising out of the application or use of any products, or software described herein. Neither does it convey any license under its patent rights nor the patent rights of others. ZyXEL further reserves the right to make changes in any products described herein without notice. This publication is subject to change without notice.

Trademarks
ZyNOS (ZyXEL Network Operating System) is a registered trademark of ZyXEL Communications, Inc. Other trademarks mentioned in this publication are used for identification purposes only and may be properties of their respective owners.
Federal Communications Commission (FCC) Interference Statement
This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions:
• This device may not cause harmful interference.
• This device must accept any interference received, including interference that may cause undesired operations.
This equipment has been tested and found to comply with the limits for a Class B digital device pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy, and if not installed and used in accordance with the instructions, may cause harmful interference to radio communications.
If this equipment does cause harmful interference to radio/television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
• Reorient or relocate the receiving antenna.
• Increase the separation between the equipment and the receiver.
• Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
• Consult the dealer or an experienced radio/TV technician for help.
Notice 1
Changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate the equipment.
This Class B digital apparatus complies with Canadian ICES-003.
Cet appareil numérique de la classe B est conforme à la norme NMB-003 du Canada.

Certifications
Go to www.zyxel.com.
1 Select your product from the drop-down list box on the ZyXEL home page to go to that product's page.
2 Select the certification you wish to view from this page.

ZyXEL Limited Warranty

ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase. During the warranty period, and upon proof of purchase, should the product have indications of failure due to faulty workmanship and/or materials, ZyXEL will, at its discretion, repair or replace the defective products or components without charge for either parts or labor, and to whatever extent it shall deem necessary to restore the product or components to proper operating condition. Any replacement will consist of a new or re-manufactured functionally equivalent product of equal value, and will be solely at the discretion of ZyXEL. This warranty shall not apply if the product is modified, misused, tampered with, damaged by an act of God, or subjected to abnormal working conditions.
Note
Repair or replacement, as provided under this warranty, is the exclusive remedy of the purchaser. This warranty is in lieu of all other warranties, express or implied, including any implied warranty of merchantability or fitness for a particular use or purpose. ZyXEL shall in no event be held liable for indirect or consequential damages of any kind of character to the purchaser.
To obtain the services of this warranty, contact ZyXEL's Service Center for your Return Material Authorization number (RMA). Products must be returned Postage Prepaid. It is recommended that the unit be insured when shipped. Any returned products without proof of purchase or those with an out-dated warranty will be repaired or replaced (at the discretion of ZyXEL) and the customer will be billed for parts and labor. All repaired or replaced products will be shipped by ZyXEL to the corresponding return address, Postage Paid. This warranty gives you specific legal rights, and you may also have other rights that vary from country to country.
Safety Warnings
1 To reduce the risk of fire, use only No. 26 AWG or larger telephone wire.
2 Do not use this product near water, for example, in a wet basement or near a swimming pool.
3 Avoid using this product during an electrical storm. There may be a remote risk of electric shock from lightning.
This product has been designed for the WLAN 2.4 GHz network throughout the EC region and Switzerland, with restrictions in France.

Customer Support

Please have the following information ready when you contact customer support.
• Product model and serial number.
• Warranty Information.
• Date that you received your device.
• Brief description of the problem and the steps you took to solve it.

CORPORATE HEADQUARTERS (WORLDWIDE)
Support e-mail: support@zyxel.com.tw
Sales e-mail: sales@zyxel.com.tw
Telephone (a): +886-3-578-3942
Fax: +886-3-578-2439
Web site: www.zyxel.com, www.europe.zyxel.com
FTP site: ftp.zyxel.com, ftp.europe.zyxel.com
Regular mail: ZyXEL Communications Corp., 6 Innovation Road II, Science Park, Hsinchu 300, Taiwan

CZECH REPUBLIC
Support e-mail: info@cz.zyxel.com
Sales e-mail: info@cz.zyxel.com
Telephone (a): +420-241-091-350
Fax: +420-241-091-359
Web site: www.zyxel.cz
Regular mail: ZyXEL Communications Czech s.r.o., Modranská 621, 143 01 Praha 4 - Modrany, Ceská Republika

DENMARK
Support e-mail: support@zyxel.dk
Sales e-mail: sales@zyxel.dk
Telephone (a): +45-39-55-07-00
Fax: +45-39-55-07-07
Web site: www.zyxel.dk
Regular mail: ZyXEL Communications A/S, Columbusvej, 2860 Soeborg, Denmark

FINLAND
Support e-mail: support@zyxel.fi
Sales e-mail: sales@zyxel.fi
Telephone (a): +358-9-4780-8411
Fax: +358-9-4780 8448
Web site: www.zyxel.fi
Regular mail: ZyXEL Communications Oy, Malminkaari 10, 00700 Helsinki, Finland

FRANCE
Support e-mail: info@zyxel.fr
Telephone (a): +33-4-72-52-97-97
Fax: +33-4-72-52-19-20
Web site: www.zyxel.fr
Regular mail: ZyXEL France, 1 rue des Vergers, Bat. 1 / C, 69760 Limonest, France

GERMANY
Support e-mail: support@zyxel.de
Sales e-mail: sales@zyxel.de
Telephone (a): +49-2405-6909-0
Fax: +49-2405-6909-99
Web site: www.zyxel.de
Regular mail: ZyXEL Deutschland GmbH., Adenauerstr. 20/A2, D-52146 Wuerselen, Germany

HUNGARY
Support e-mail: support@zyxel.hu
Sales e-mail: info@zyxel.hu
Telephone (a): +36-1-3361649
Fax: +36-1-3259100
Web site: www.zyxel.hu
Regular mail: ZyXEL Hungary, 48, Zoldlomb Str., H-1025, Budapest, Hungary

KAZAKHSTAN
Support e-mail: http://zyxel.kz/support
Sales e-mail: sales@zyxel.kz
Telephone (a): +7-3272-590-698
Fax: +7-3272-590-689
Web site: www.zyxel.kz
Regular mail: ZyXEL Kazakhstan, 43, Dostyk ave., Office 414, Dostyk Business Centre, 050010, Almaty, Republic of Kazakhstan

NORTH AMERICA
Support e-mail: support@zyxel.com
Sales e-mail: sales@zyxel.com
Telephone (a): 1-800-255-4101, +1-714-632-0882
Fax: +1-714-632-0858
Web site: www.us.zyxel.com
FTP site: ftp.us.zyxel.com
Regular mail: ZyXEL Communications Inc., 1130 N. Miller St., Anaheim, CA 92806-2001, U.S.A.

NORWAY
Support e-mail: support@zyxel.no
Sales e-mail: sales@zyxel.no
Telephone (a): +47-22-80-61-80
Fax: +47-22-80-61-81
Web site: www.zyxel.no
Regular mail: ZyXEL Communications A/S, Nils Hansens vei 13, 0667 Oslo, Norway

POLAND
Support e-mail: info@pl.zyxel.com
Telephone (a): +48-22-5286603
Fax: +48-22-5206701
Web site: www.pl.zyxel.com
Regular mail: ZyXEL Communications, ul.Emilli Plater 53, 00-113 Warszawa, Poland

RUSSIA
Support e-mail: http://zyxel.ru/support
Sales e-mail: sales@zyxel.ru
Telephone (a): +7-095-542-89-29
Fax: +7-095-542-89-25
Web site: www.zyxel.ru
Regular mail: ZyXEL Russia, Ostrovityanova 37a Str., Moscow, 117279, Russia

SPAIN
Support e-mail: support@zyxel.es
Sales e-mail: sales@zyxel.es
Telephone (a): +34-902-195-420
Fax: +34-913-005-345
Web site: www.zyxel.es
Regular mail: ZyXEL Communications, Alejandro Villegas 33, 1º, 28043 Madrid, Spain

SWEDEN
Support e-mail: support@zyxel.se
Sales e-mail: sales@zyxel.se
Telephone (a): +46-31-744-7700
Fax: +46-31-744-7701
Web site: www.zyxel.se
Regular mail: ZyXEL Communications A/S, Sjöporten 4, 41764 Göteborg, Sweden

UKRAINE
Support e-mail: support@ua.zyxel.com
Sales e-mail: sales@ua.zyxel.com
Telephone (a): +380-44-247-69-78
Fax: +380-44-494-49-32
Web site: www.ua.zyxel.com
Regular mail: ZyXEL Ukraine, 13, Pimonenko Str., Kiev, 04050, Ukraine

UNITED KINGDOM
Support e-mail: support@zyxel.co.uk
Sales e-mail: sales@zyxel.co.uk
Telephone (a): +44-1344 303044, 08707 555779 (UK only)
Fax: +44-1344 303034
Web site: www.zyxel.co.uk
FTP site: ftp.zyxel.co.uk
Regular mail: ZyXEL Communications UK Ltd., 11 The Courtyard, Eastern Road, Bracknell, Berkshire, RG12 2XB, United Kingdom (UK)

a. “+” is the (prefix) number you enter to make an international telephone call.

Table of Contents

Copyright ..................................................................................................................2
Federal Communications Commission (FCC) Interference Statement ............... 3
ZyXEL Limited Warranty.......................................................................................... 5
Customer Support.................................................................................................... 6
Table of Contents ..................................................................................................... 9
List of Figures ........................................................................................................ 17
List of Tables .......................................................................................................... 23
Preface ....................................................................................................................27
Chapter 1
Getting to Know Your ZyAIR ................................................................................. 31
1.1 Introducing the ZyAIR .......................................................................................31
1.2 ZyAIR Features ..................................................................................................31
1.2.1 Physical Features .....................................................................................31
1.2.2 Firmware Features ....................................................................................32
1.3 Applications for the ZyAIR ..................................................................................36
1.3.1 Access Point .............................................................................................37
1.3.2 Multiple ESS .............................................................................................37
1.3.3 AP + Bridge ..............................................................................................38
1.3.4 Bridge / Repeater ......................................................................................39
Chapter 2
Introducing the Web Configurator........................................................................ 41
2.1 Accessing the ZyAIR Web Configurator .............................................................41
2.2 Resetting the ZyAIR ...........................................................................................43
2.2.1 Procedure To Use The Reset Button ........................................................43
2.2.2 Method of Restoring Factory-Defaults ......................................................43
2.3 Navigating the ZyAIR Web Configurator ............................................................43
Chapter 3
Wizard Setup .......................................................................................................... 45
3.1 Wizard Setup Overview ......................................................................................45
3.1.1 Channel ....................................................................................................45
3.1.2 ESS ID ......................................................................................................45
Table of Contents 9
Page 10
G-3000H User’s Guide
3.2 Wizard Setup: General Setup ............................................................................46
3.3 Wizard Setup: Wireless LAN ..............................................................................46
3.4 Wizard Setup: IP Address ..................................................................................48
3.5 Basic Setup Complete ........................................................................................50
Chapter 4
System Screens ..................................................................................................... 51
4.1 System Overview ...............................................................................................51
4.2 Configuring General Setup .................................................................................51
4.3 Configuring Password ........................................................................................52
4.4 Configuring Time Setting ...................................................................................53
Chapter 5
Wireless Configuration......................................................................................... 57
3.1.3 WEP Encryption ........................................................................................45
3.4.1 IP Address Assignment ............................................................................48
3.4.2 IP Address and Subnet Mask ...................................................................48
5.1 Wireless LAN Overview .....................................................................................57
5.1.1 BSS ...........................................................................................................57
5.1.2 ESS ...........................................................................................................58
5.2 Wireless LAN Basics ..........................................................................................59
5.3 WMM QoS ..........................................................................................................60
5.3.1 WMM QoS Priorities .................................................................................60
5.3.2 Type Of Service (ToS) ...............................................................................60
5.3.2.1 DiffServ ............................................................................................61
5.3.2.2 DSCP and Per-Hop Behavior ..........................................................61
5.3.3 ToS (Type of Service) and WMM QoS ......................................................61
5.4 Spanning Tree Protocol (STP) ...........................................................................62
5.4.1 Rapid STP ................................................................................................62
5.4.2 STP Terminology ......................................................................................62
5.4.3 How STP Works .......................................................................................63
5.4.4 STP Port States ........................................................................................63
5.5 Wireless Screen Overview .................................................................................63
5.6 Configuring Wireless ..........................................................................................64
5.6.1 Access Point Mode ...................................................................................64
5.6.2 Bridge/Repeater Mode ..............................................................................66
5.6.3 AP+Bridge Mode ......................................................................................70
5.6.4 Multiple ESS Mode ...................................................................................71
Chapter 6
Wireless Security Configuration........................................................................... 73
6.1 Wireless Security Overview ...............................................................................73
6.1.1 Encryption .................................................................................................73
10 Table of Contents
Page 11
G-3000H User’s Guide
6.1.2 Authentication ...........................................................................................73
6.1.3 Restricted Access .....................................................................................73
6.1.4 Hide ZyAIR Identity ...................................................................................74
6.1.5 WEP Encryption ........................................................................................74
6.2 Configuring WEP Encryption ..............................................................................74
6.3 802.1x Overview ................................................................................................74
6.4 EAP Authentication Overview ............................................................................74
6.5 Dynamic WEP Key Exchange ............................................................................75
6.6 Introduction to WPA ...........................................................................................75
6.6.1 User Authentication .................................................................................76
6.6.2 Encryption ................................................................................................76
6.6.3 WPA(2)-PSK Application Example ...........................................................76
6.7 WPA(2) with RADIUS Application Example .......................................................77
6.8 Security Modes ..................................................................................................78
6.9 Security Modes and Wireless Client Compatibility .............................................79
6.10 Wireless Client WPA Supplicants .....................................................................79
6.11 Wireless Security Effectiveness .......................................................................80
6.12 Configuring Security .........................................................................................80
6.12.1 Security: No Access ................................................................................81
6.12.2 Security: WEP .........................................................................................82
6.12.3 Security: 802.1x Only, 802.1x Static 64-bit WEP, 128-bit WEP ..............83
6.12.4 Security: 802.1x Dynamic 64-bit WEP, 128-bit WEP ..............................85
6.12.5 Security: WPA, WPA-MIX, WPA2, WPA2-MIX ........................................86
6.12.6 Security: WPA-PSK, WPA2-PSK, WPA2-PSK-MIX ................................87
6.13 Introduction to RADIUS ....................................................................................89
6.14 Configuring RADIUS ........................................................................................89
6.15 Configuring Local User Database ....................................................................91
Chapter 7
Multiple ESS, SSID and VLAN............................................................................... 93
7.1 Wireless LAN Infrastructures .............................................................................93
7.1.1 Multiple ESS .............................................................................................93
7.1.2 Notes on Multiple-ESS ..............................................................................93
7.1.3 Multiple ESS Example ..............................................................................94
7.1.4 Multi-ESS with VLAN Example .................................................................94
7.1.5 Configuring Multiple ESS ..........................................................................94
7.2 SSID ...................................................................................................................97
7.2.1 Configuring SSID ......................................................................................98
7.2.2 Second Rx VLAN ID ...............................................................................100
Chapter 8
Other Wireless Configurations ........................................................................... 103
8.1 Layer-2 Isolation Introduction ...........................................................................103
Table of Contents 11
Page 12
G-3000H User’s Guide
8.2 Configuring Layer-2 Isolation ...........................................................................104
8.3 Configuring MAC Filter .....................................................................................108
8.4 Configuring Roaming .......................................................................................109
Chapter 9
VLAN ..................................................................................................................... 113
9.1 VLAN ................................................................................................................113
9.2 Configuring VLAN ............................................................................................ 113
8.2.1 Layer-2 Isolation Examples ....................................................................105
8.2.2 Layer-2 Isolation Example 1 ...................................................................106
8.2.3 Layer-2 Isolation Example 2 ...................................................................106
8.2.4 Layer-2 Isolation Example 3 ...................................................................107
8.4.1 Requirements for Roaming ..................................................................... 111
9.1.1 Management VLAN ID ............................................................................113
9.1.2 VLAN Tagging ......................................................................................... 113
9.2.1 Configuring Management VLAN Example ..............................................115
9.2.2 Configuring Microsoft’s IAS Server Example .......................................... 117
9.2.2.1 Configuring VLAN Groups ............................................................. 118
9.2.2.2 Configuring Remote Access Policies ............................................119
Chapter 10
IP Screen............................................................................................................... 127
10.1 Factory Ethernet Defaults ..............................................................................127
10.2 TCP/IP Parameters ........................................................................................127
10.2.1 IP Address and Subnet Mask ...............................................................127
10.2.2 WAN IP Address Assignment ...............................................................127
10.3 Configuring IP ................................................................................................128
Chapter 11
Certificates............................................................................................................ 129
11.1 Certificates Overview .....................................................................................129
11.1.1 Advantages of Certificates ....................................................................130
11.2 Self-signed Certificates ..................................................................................130
11.3 Configuration Summary ..................................................................................130
11.4 My Certificates ................................................................................................130
11.5 Certificate File Formats ..................................................................................132
11.6 Importing a Certificate ....................................................................................133
11.7 Creating a Certificate ......................................................................................134
11.8 My Certificate Details ......................................................................................136
11.9 Trusted CAs ....................................................................................................139
11.10 Importing a Trusted CA’s Certificate .............................................................141
11.11 Trusted CA Certificate Details .......................................................................142
12 Table of Contents
Page 13
G-3000H User’s Guide
Chapter 12
Remote Management Screens ............................................................................ 147
12.1 Remote Management Overview .....................................................................147
12.1.1 Remote Management Limitations .........................................................147
12.1.2 Remote Management and NAT ............................................................148
12.1.3 System Timeout ...................................................................................148
12.2 Configuring WWW ..........................................................................................148
12.3 Configuring Telnet ..........................................................................................150
12.4 Configuring TELNET ......................................................................................150
12.5 Configuring FTP .............................................................................................151
12.6 SNMP .............................................................................................................152
12.6.1 Supported MIBs ....................................................................................154
12.6.2 SNMP Traps .........................................................................................154
12.7 SNMP Traps ...................................................................................................155
12.7.1 Configuring SNMP ................................................................................155
Chapter 13
Log Screens.......................................................................................................... 157
13.1 Configuring View Log .....................................................................................157
13.2 Configuring Log Settings ................................................................................158
Chapter 14
Maintenance ......................................................................................................... 161
14.1 Maintenance Overview ...................................................................................161
14.2 System Status Screen ....................................................................................161
14.2.1 System Statistics ...................................................................................162
14.3 Association List ..............................................................................................163
14.4 Channel Usage ..............................................................................................164
14.5 F/W Upload Screen ........................................................................................166
14.6 Configuration Screen .....................................................................................168
14.6.1 Backup Configuration ...........................................................................168
14.6.2 Restore Configuration ..........................................................................169
14.6.3 Back to Factory Defaults .......................................................................170
14.7 Restart Screen ...............................................................................................170
Chapter 15
Introducing the SMT ............................................................................................171
15.1 Connect to your ZyAIR Using Telnet ..............................................................171
15.2 Changing the System Password ....................................................................171
15.3 ZyAIR SMT Menu Overview Example ............................................................172
15.4 Navigating the SMT Interface .........................................................................173
15.4.1 System Management Terminal Interface Summary ..............................174
Table of Contents 13
Page 14
G-3000H User’s Guide
Chapter 16
General Setup....................................................................................................... 177
16.1 General Setup ................................................................................................177
Chapter 17
LAN Setup............................................................................................................. 179
17.1 LAN Setup ......................................................................................................179
17.2 TCP/IP Ethernet Setup ...................................................................................179
17.3 Wireless LAN Setup .......................................................................................180
Chapter 18
Dial-in User Setup ................................................................................................ 193
16.1.1 Procedure To Configure Menu 1 ...........................................................177
17.3.1 Configuring MAC Address Filter ...........................................................182
17.3.2 Configuring Roaming ............................................................................184
17.3.3 Configuring SSID Profiles .....................................................................186
17.3.4 Configuring Bridge Link ........................................................................187
17.3.5 Configuring Layer-2 Isolation ................................................................189
18.1 Dial-in User Setup ..........................................................................................193
Chapter 19
VLAN Setup .......................................................................................................... 195
19.1 VLAN Setup ...................................................................................................195
Chapter 20
SNMP Configuration ............................................................................................ 197
20.1 SNMP Configuration ......................................................................................197
Chapter 21
System Security ................................................................................................... 199
21.1 System Security .............................................................................................199
21.1.1 System Password .................................................................................199
21.1.2 Configuring Security Profiles ................................................................199
Chapter 22
System Information and Diagnosis .................................................................... 201
22.1 System Status ................................................................................................201
22.2 System Information ........................................................................................203
22.2.1 System Information ...............................................................................203
22.2.2 Console Port Speed ..............................................................................204
22.3 Log and Trace ................................................................................................204
22.3.1 Viewing Error Log .................................................................................204
22.4 Diagnostic ......................................................................................................205
Page 15
Chapter 23
Firmware and Configuration File Maintenance ................................................. 207
23.1 Filename Conventions ...................................................................................207
23.2 Backup Configuration .....................................................................................208
23.2.1 Backup Configuration Using FTP .........................................................208
23.2.2 Using the FTP command from the DOS Prompt ..................................209
23.2.3 Backup Configuration Using TFTP .......................................................210
23.2.4 Example: TFTP Command ................................................................... 211
23.2.5 Backup Via Console Port ......................................................................211
23.3 Restore Configuration ...................................................................................212
23.3.1 Restore Using FTP ...............................................................................213
23.4 Uploading Firmware and Configuration Files .................................................213
23.4.1 Firmware Upload ..................................................................................214
23.4.2 Configuration File Upload .....................................................................214
23.4.3 Using the FTP command from the DOS Prompt Example ...................215
23.4.4 TFTP File Upload ..................................................................................215
23.4.5 Example: TFTP Command ...................................................................216
23.4.6 Uploading Via Console Port ..................................................................216
23.4.7 Uploading Firmware File Via Console Port ...........................................216
23.4.8 Example Xmodem Firmware Upload Using HyperTerminal ..................217
23.4.9 Uploading Configuration File Via Console Port ....................................217
23.4.10 Example Xmodem Configuration Upload Using HyperTerminal .........218
Chapter 24
System Maintenance and Information ............................................................... 219
24.1 Command Interpreter Mode ...........................................................................219
24.1.1 CNM ......................................................................................................220
24.1.2 Configuring Vantage CNM ....................................................................220
24.1.3 Configuration Example .........................................................................223
24.2 Time and Date Setting ....................................................................................224
24.2.1 Resetting the Time ................................................................................226
24.3 Remote Management Setup ..........................................................................226
24.3.1 Telnet ....................................................................................................226
24.3.2 FTP .......................................................................................................226
24.3.3 Web ......................................................................................................227
24.3.4 Remote Management Setup .................................................................227
24.3.5 Remote Management Limitations .........................................................229
24.4 Remote Management and NAT ......................................................................229
24.5 System Timeout .............................................................................................229
Appendix A
Troubleshooting................................................................................................... 231
Page 16
Appendix B
Specifications...................................................................................................... 233
Appendix C
Power over Ethernet (PoE) Specifications ........................................................ 235
Appendix D
Brute-Force Password Guessing Protection..................................................... 237
Appendix E
Setting up Your Computer’s IP Address............................................................ 239
Appendix F
IP Address Assignment Conflicts ......................................................................251
Appendix G
Wireless LANs ...................................................................................................... 255
Appendix H
IP Subnetting ........................................................................................................ 267
Appendix I
Command Interpreter........................................................................................... 275
Appendix J
Log Descriptions.................................................................................................. 277
Appendix K
Indoor Installation Recommendations............................................................... 281
Appendix L
Power Adaptor Specifications ............................................................................ 283
Index...................................................................................................................... 285
Page 17

List of Figures

Figure 1 PoE Installation Example ...................................................................................... 32
Figure 2 WDS Functionality Example ................................................................................. 33
Figure 3 Access Point Application ....................................................................................... 37
Figure 4 Multiple ESS Application ....................................................................................... 38
Figure 5 AP+Bridge Application ........................................................................................ 39
Figure 6 Bridge Application ................................................................................................. 40
Figure 7 Repeater Application ............................................................................................. 40
Figure 8 Change Password Screen .................................................................................... 42
Figure 9 Replace Certificate Screen ................................................................................... 42
Figure 10 The MAIN MENU Screen of the Web Configurator ............................................. 44
Figure 11 Wizard 1: General Setup ..................................................................................... 46
Figure 12 Wizard 2: Wireless LAN Setup ............................................................................ 47
Figure 13 Wizard 3: IP Address Assignment ...................................................................... 49
Figure 14 Wizard 4: Setup Complete .................................................................................. 50
Figure 15 System General Setup ........................................................................................ 51
Figure 16 Password ............................................................................................ 53
Figure 17 Time Setting ........................................................................................................ 54
Figure 18 Basic Service set ................................................................................................ 58
Figure 19 Extended Service Set ......................................................................................... 59
Figure 20 DiffServ: Differentiated Service Field .................................................................. 61
Figure 21 Wireless: Access Point ....................................................................................... 65
Figure 22 Bridging Example ................................................................................................ 67
Figure 23 Bridge Loop: Two Bridges Connected to Hub ..................................................... 68
Figure 24 Bridge Loop: Bridge Connected to Wired LAN ................................................... 68
Figure 25 Wireless: Bridge/Repeater .................................................................................. 69
Figure 26 Wireless: AP+Bridge ........................................................................................... 71
Figure 27 EAP Authentication ............................................................................................. 75
Figure 28 WPA(2)-PSK Authentication ............................................................................... 77
Figure 29 WPA(2) with RADIUS Application Example ........................................................ 78
Figure 30 Security ............................................................................................................... 81
Figure 31 Security: No Access or None .............................................................................. 82
Figure 32 Security: WEP ..................................................................................................... 82
Figure 33 Security: 802.1x Only, 802.1x Static 64-bit WEP, 128-bit WEP ........................... 84
Figure 34 Security: 802.1x Dynamic 64-bit WEP, 128-bit WEP .......................................... 85
Figure 35 Security: WPA, WPA-MIX, WPA2 or WPA2-MIX ................................................. 87
Figure 36 Security: WPA-PSK, WPA2-PSK or WPA2-PSK-MIX ......................................... 88
Figure 37 RADIUS .............................................................................................................. 90
Figure 38 Local User Database .......................................................................................... 91
Page 18
Figure 39 Multi-ESS with VLAN Example ........................................................................... 94
Figure 40 Wireless: Multiple ESS ........................................................................................ 95
Figure 41 SSID .................................................................................................................... 97
Figure 42 Configuring SSID ................................................................................................ 99
Figure 43 Second Rx VLAN ID Example ............................................................................ 100
Figure 44 Configuring SSID: Second Rx VLAN ID Example ............................................... 100
Figure 45 Layer-2 Isolation Application ............................................................................... 104
Figure 46 Layer-2 Isolation Configuration Screen ............................................................... 105
Figure 47 Layer-2 Isolation Example .................................................................................. 106
Figure 48 Layer-2 Isolation Example 1 ............................................................................... 106
Figure 49 Layer-2 Isolation Example 2 ............................................................................... 107
Figure 50 Layer-2 Isolation Example 3 ............................................................................... 108
Figure 51 MAC Address Filter ............................................................................................. 109
Figure 52 Roaming Example ............................................................................................... 110
Figure 53 Roaming .............................................................................................. 111
Figure 54 VLAN ................................................................................................................... 114
Figure 55 Management VLAN Configuration Example ....................................................... 115
Figure 56 VLAN-Aware Switch - Static VLAN ..................................................................... 116
Figure 57 VLAN-Aware Switch ............................................................................................ 116
Figure 58 VLAN-Aware Switch - VLAN Status .................................................................... 116
Figure 59 VLAN Setup ........................................................................................................ 117
Figure 60 New Global Security Group ............................................................................... 118
Figure 61 Add Group Members .......................................................................................... 119
Figure 62 New Remote Access Policy for VLAN Group .................................................... 120
Figure 63 Specifying Windows-Group Condition ................................................................. 120
Figure 64 Adding VLAN Group .......................................................................................... 121
Figure 65 Granting Permissions and User Profile Screens ................................................ 121
Figure 66 Authentication Tab Settings ................................................................................ 122
Figure 67 Encryption Tab Settings ..................................................................................... 122
Figure 68 Connection Attributes Screen ............................................................................ 123
Figure 69 RADIUS Attribute Screen ................................................................................... 124
Figure 70 802 Attribute Setting for Tunnel-Medium-Type .................................................. 124
Figure 71 VLAN ID Attribute Setting for Tunnel-Pvt-Group-ID ........................................... 125
Figure 72 VLAN Attribute Setting for Tunnel-Type ............................................................. 125
Figure 73 Completed Advanced Tab .................................................................................. 126
Figure 74 IP Setup ............................................................................................................. 128
Figure 75 My Certificates .................................................................................................... 131
Figure 76 My Certificate Import ........................................................................................... 133
Figure 77 My Certificate Create .......................................................................................... 134
Figure 78 My Certificate Details .......................................................................................... 137
Figure 79 Trusted CAs ........................................................................................................ 140
Figure 80 Trusted CA Import ............................................................................................... 141
Figure 81 Trusted CA Details .............................................................................................. 143
Page 19
Figure 82 Remote Management: WWW ............................................................................. 149
Figure 83 Telnet Configuration on a TCP/IP Network ......................................................... 150
Figure 84 Remote Management: Telnet .............................................................................. 151
Figure 85 Remote Management: FTP ................................................................................. 152
Figure 86 SNMP Management Model ................................................................................. 153
Figure 87 Remote Management: SNMP ............................................................................. 156
Figure 88 View Log ............................................................................................. 157
Figure 89 Log Settings ........................................................................................................ 159
Figure 90 System Status ..................................................................................................... 161
Figure 91 System Status: Show Statistics ........................................................................... 162
Figure 92 Association List ................................................................................................... 163
Figure 93 Channel Usage ................................................................................................... 165
Figure 94 Firmware Upload ................................................................................................. 166
Figure 95 Firmware Upload In Process ............................................................................... 167
Figure 96 Network Temporarily Disconnected .................................................................... 167
Figure 97 Firmware Upload Error ........................................................................................ 168
Figure 98 Configuration ....................................................................................................... 168
Figure 99 Configuration Upload Successful ........................................................................ 169
Figure 100 Network Temporarily Disconnected .................................................................. 169
Figure 101 Configuration Upload Error ............................................................................... 170
Figure 102 Reset Warning Message ................................................................................... 170
Figure 103 Restart Screen .................................................................................................. 170
Figure 104 Login Screen ..................................................................................................... 171
Figure 105 Menu 23.1 System Security: Change Password ............................................... 172
Figure 106 G-3000H SMT Main Menu ................................................................................ 174
Figure 107 Menu 1 General Setup ...................................................................................... 177
Figure 108 Menu 3 LAN Setup ........................................................................................... 179
Figure 109 Menu 3.2 TCP/IP Setup .................................................................................... 180
Figure 110 Menu 3.5 Wireless LAN Setup .......................................................................... 181
Figure 111 Menu 3.5 Wireless LAN Setup .......................................................................... 183
Figure 112 Menu 3.5.1 WLAN MAC Address Filter ............................................................. 183
Figure 113 Menu 3.5 Wireless LAN Setup .......................................................................... 185
Figure 114 Menu 3.5.2 Roaming Configuration .................................................................. 185
Figure 115 Menu 3.5 Wireless LAN Setup .......................................................................... 186
Figure 116 Menu 3.5.6 - SSID Profile Edit .......................................................................... 187
Figure 117 Menu 3.5 Wireless LAN Setup .......................................................................... 188
Figure 118 Menu 3.5.4 Bridge Link Configuration ............................................................... 189
Figure 119 Menu 3.5 Wireless LAN Setup .......................................................................... 190
Figure 120 Menu 3.5.5 Layer-2 Isolation ............................................................................ 190
Figure 121 Menu 14- Dial-in User Setup ............................................................................. 193
Figure 122 Menu 14.1- Edit Dial-in User ............................................................................. 194
Figure 123 Menu 16 VLAN Setup ....................................................................................... 195
Figure 124 Menu 22 SNMP Configuration ......................................................................... 197
Page 20
Figure 125 Menu 23 System Security ................................................................................. 199
Figure 126 Menu 23 - System Security ............................................................................... 200
Figure 127 Menu 23.5 Security Profile Edit ......................................................................... 200
Figure 128 Menu 24 System Maintenance ......................................................................... 201
Figure 129 Menu 24.1 System Maintenance: Status .......................................................... 202
Figure 130 Menu 24.2 System Information and Console Port Speed ................................. 203
Figure 131 Menu 24.2.1 System Information: Information .................................................. 203
Figure 132 Menu 24.2.2 System Maintenance: Change Console Port Speed .................... 204
Figure 133 Menu 24.3 System Maintenance: Log and Trace ............................................. 205
Figure 134 Sample Error and Information Messages ......................................................... 205
Figure 135 Menu 24.4 System Maintenance: Diagnostic .................................................... 205
Figure 136 Menu 24.5 Backup Configuration ...................................................................... 209
Figure 137 FTP Session Example ...................................................................................... 210
Figure 138 System Maintenance: Backup Configuration .................................................... 212
Figure 139 System Maintenance: Starting Xmodem Download Screen ............................. 212
Figure 140 Backup Configuration Example ......................................................................... 212
Figure 141 Successful Backup Confirmation Screen .......................................................... 212
Figure 142 Menu 24.6 Restore Configuration ..................................................................... 213
Figure 143 Menu 24.7 System Maintenance: Upload Firmware ......................................... 213
Figure 144 Menu 24.7.1 System Maintenance: Upload System Firmware ......................... 214
Figure 145 Menu 24.7.2 System Maintenance: Upload System Configuration File ............ 214
Figure 146 FTP Session Example ...................................................................................... 215
Figure 147 Menu 24.7.1 as seen using the Console Port ................................................... 217
Figure 148 Example Xmodem Upload ................................................................................ 217
Figure 149 Menu 24.7.2 as seen using the Console Port .................................................. 218
Figure 150 Example Xmodem Upload ................................................................................ 218
Figure 151 Menu 24 System Maintenance ......................................................................... 220
Figure 152 Valid CI Commands .......................................................................................... 220
Figure 153 CNM CL ............................................................................................................ 221
Figure 154 CNM Configuration Example ............................................................................ 224
Figure 155 Menu 24.10 System Maintenance: Time and Date Setting ............................... 225
Figure 156 Telnet Configuration on a TCP/IP Network ....................................................... 226
Figure 157 Menu 24.11 Remote Management Control ....................................................... 228
Figure 158 Windows 95/98/Me: Network: Configuration ..................................................... 240
Figure 159 Windows 95/98/Me: TCP/IP Properties: IP Address ......................................... 241
Figure 160 Windows 95/98/Me: TCP/IP Properties: DNS Configuration ............................ 242
Figure 161 Windows XP: Start Menu .................................................................................. 243
Figure 162 Windows XP: Control Panel .............................................................................. 243
Figure 163 Windows XP: Control Panel: Network Connections: Properties ....................... 244
Figure 164 Windows XP: Local Area Connection Properties .............................................. 244
Figure 165 Windows XP: Advanced TCP/IP Settings ......................................................... 245
Figure 166 Windows XP: Internet Protocol (TCP/IP) Properties ......................................... 246
Figure 167 Macintosh OS 8/9: Apple Menu ........................................................................ 247
Page 21
Figure 168 Macintosh OS 8/9: TCP/IP ................................................................................ 247
Figure 169 Macintosh OS X: Apple Menu ........................................................................... 248
Figure 170 Macintosh OS X: Network ................................................................................. 249
Figure 171 IP Address Conflicts: Case A ............................................................................ 251
Figure 172 IP Address Conflicts: Case B ........................................................................... 252
Figure 173 IP Address Conflicts: Case C ............................................................................ 252
Figure 174 IP Address Conflicts: Case D ............................................................................ 253
Figure 175 Peer-to-Peer Communication in an Ad-hoc Network ........................................ 255
Figure 176 Basic Service Set .............................................................................................. 256
Figure 177 Infrastructure WLAN ......................................................................................... 257
Figure 178 RTS/CTS .......................................................................................................... 258
Page 22
Page 23

List of Tables

Table 1 IEEE 802.11b ......................................................................................................... 34
Table 2 IEEE 802.11g ......................................................................................................... 34
Table 3 Wizard 1: General Setup ....................................................................................... 46
Table 4 Wizard 2: Wireless LAN Setup .............................................................................. 47
Table 5 Private IP Address Ranges ................................................................................... 48
Table 6 Wizard 3: IP Address Assignment ......................................................................... 49
Table 7 System General Setup .......................................................................................... 51
Table 8 Password ............................................................................................................... 53
Table 9 Time Setting .......................................................................................... 54
Table 10 WMM QoS Priorities ............................................................................................ 60
Table 11 ToS and IEEE 802.1d to WMM QoS Priority Level Mapping ............................... 61
Table 12 STP Path Costs ................................................................................................... 62
Table 13 STP Port States ................................................................................................... 63
Table 14 Wireless: Access Point ........................................................................................ 65
Table 15 Wireless: Bridge/Repeater ................................................................................... 69
Table 16 Security Modes .................................................................................................... 78
Table 17 Security Modes for ZyAIR and Windows XP Wireless Client .............................. 79
Table 18 ZyAIR Wireless Security Levels .......................................................................... 80
Table 19 Security ................................................................................................................ 81
Table 20 Security: No Access or None ............................................................................... 82
Table 21 Security: WEP ..................................................................................................... 82
Table 22 Security: 802.1x Only, 802.1x Static 64-bit WEP, 128-bit WEP ........................... 84
Table 23 Security: 802.1x Dynamic 64-bit WEP, 128-bit WEP ........................................... 85
Table 24 Security: WPA, WPA-MIX, WPA2 or WPA2-MIX ................................................. 87
Table 25 Security: WPA-PSK, WPA2-PSK or WPA2-PSK-MIX .......................................... 88
Table 26 RADIUS ............................................................................................... 90
Table 27 Local User Database ........................................................................................... 91
Table 28 Wireless: Multiple ESS ........................................................................................ 95
Table 29 SSID .................................................................................................................... 97
Table 30 Configuring SSID ................................................................................................. 99
Table 31 Layer-2 Isolation Configuration ............................................................................ 105
Table 32 MAC Address Filter ............................................................................................. 109
Table 33 Roaming .............................................................................................. 111
Table 34 VLAN ................................................................................................................... 114
Table 35 Standard RADIUS Attributes ............................................................................... 117
Table 36 Private IP Address Ranges ................................................................................. 127
Table 37 IP Setup ............................................................................................................... 128
Table 38 My Certificates ..................................................................................................... 131
Page 24
Table 39 My Certificate Import ........................................................................................... 133
Table 40 My Certificate Create ........................................................................................... 134
Table 41 My Certificate Details ........................................................................................... 137
Table 42 Trusted CAs ......................................................................................................... 140
Table 43 Trusted CA Import ............................................................................................... 141
Table 44 Trusted CA Details ............................................................................................... 143
Table 45 Remote Management: WWW .............................................................................. 149
Table 46 Remote Management: Telnet .............................................................................. 151
Table 47 Remote Management: FTP ................................................................................. 152
Table 48 SNMP Traps ........................................................................................................ 154
Table 49 SNMP Interface Index to Physical Port Mapping ................................................. 155
Table 50 Remote Management: SNMP .............................................................................. 156
Table 51 View Log .............................................................................................................. 157
Table 52 Log Settings .........................................................................................................159
Table 53 System Status ...................................................................................................... 161
Table 54 System Status: Show Statistics ........................................................................... 162
Table 55 Association List .................................................................................................... 163
Table 56 Channel Usage .................................................................................................... 165
Table 57 Firmware Upload ................................................................................................. 166
Table 58 Restore Configuration .......................................................................................... 169
Table 59 SMT Menus Overview ......................................................................................... 172
Table 60 Main Menu Commands ....................................................................................... 173
Table 61 Main Menu Summary .......................................................................................... 174
Table 62 Menu 1 General Setup ........................................................................................ 177
Table 63 Menu 3.2 TCP/IP Setup ....................................................................................... 180
Table 64 Menu 3.5 Wireless LAN Setup ............................................................................ 181
Table 65 Menu 3.5.1 WLAN MAC Address Filter ............................................................... 184
Table 66 Menu 3.5.2 Roaming Configuration ..................................................................... 185
Table 67 Menu 3.5.6 - SSID Profile Edit ............................................................................. 187
Table 68 Menu 3.5.4 Bridge Link Configuration ................................................................. 189
Table 69 Menu 3.5.5 Layer-2 Isolation ............................................................................... 191
Table 70 Menu 14.1- Edit Dial-in User ............................................................................... 194
Table 71 Menu 16 VLAN Setup .......................................................................................... 195
Table 72 Menu 22 SNMP Configuration ............................................................................. 197
Table 73 Menu 24.1 System Maintenance: Status ............................................................. 202
Table 74 Menu 24.2.1 System Maintenance: Information .................................................. 203
Table 75 Menu 24.4 System Maintenance Menu: Diagnostic ............................................ 206
Table 76 Filename Conventions ......................................................................................... 208
Table 77 General Commands for Third Party FTP Clients ................................................. 210
Table 78 General Commands for Third Party TFTP Clients .............................................. 211
Table 79 CNM Commands ................................................................................................. 221
Table 80 System Maintenance: Time and Date Setting ..................................................... 225
Table 81 Remote Management Port Control ...................................................................... 227
Page 25
Table 82 Menu 24.11 Remote Management Control .......................................................... 228
Table 83 Troubleshooting the Start-Up of Your ZyAIR ....................................................... 231
Table 84 Troubleshooting the Ethernet Interface ............................................................... 231
Table 85 Troubleshooting the Password ............................................................................ 232
Table 86 Troubleshooting Telnet ........................................................................................ 232
Table 87 Troubleshooting the WLAN Interface ................................................................... 232
Table 88 Hardware .............................................................................................................233
Table 89 Firmware .............................................................................................................. 233
Table 90 Power over Ethernet Injector Specifications ....................................................... 235
Table 91 Power over Ethernet Injector RJ-45 Port Pin Assignments ................................. 235
Table 92 Brute-Force Password Guessing Protection Commands .................................... 237
Table 93 IEEE 802.11b ....................................................................................................... 259
Table 94 Comparison of EAP Authentication Types ........................................................... 263
Table 95 Wireless Security Relational Matrix ..................................................................... 264
Table 96 Classes of IP Addresses ..................................................................................... 267
Table 97 Allowed IP Address Range By Class ................................................................... 268
Table 98 “Natural” Masks .................................................................................................. 268
Table 99 Alternative Subnet Mask Notation ....................................................................... 269
Table 100 Two Subnets Example ....................................................................................... 269
Table 101 Subnet 1 ............................................................................................................270
Table 102 Subnet 2 ............................................................................................................270
Table 103 Subnet 1 ............................................................................................................271
Table 104 Subnet 2 ............................................................................................................271
Table 105 Subnet 3 ............................................................................................................271
Table 106 Subnet 4 ............................................................................................................272
Table 107 Eight Subnets .................................................................................................... 272
Table 108 Class C Subnet Planning ................................................................................... 272
Table 109 Class B Subnet Planning ................................................................................... 273
Table 110 System Maintenance Logs ................................................................................ 277
Table 111 ICMP Notes ........................................................................................................ 277
Table 112 Sys log ............................................................................................................... 278
Table 113 Log Categories and Available Settings .............................................................. 279
Table 114 North American Plug Standards ........................................................................ 283
Table 115 European Plug Standards .................................................................................. 283
Table 116 United Kingdom Plug Standards ........................................................................ 283
Table 117 Australia and New Zealand Plug Standards ...................................................... 283
Page 27

Preface

Congratulations on your purchase of the G-3000H - 802.11g Wireless Access Point/Bridge/Repeater.
An AP acts as a bridge between the wireless and wired networks, extending your existing wired network without any additional wiring.
The ZyAIR can function as a wireless network bridge/repeater and establish up to five wireless links with other APs.
The ZyAIR also supports both AP and bridge connections at the same time.
Your ZyAIR is easy to install and configure.
Note: Register your product online to receive e-mail notices of firmware upgrades and information at www.zyxel.com for global products, or at www.us.zyxel.com for North American products.
About This User's Guide
This User’s Guide is designed to guide you through the configuration of your ZyAIR using the web configurator or the SMT. The web configurator parts of this guide contain background information on features configurable by web configurator. The SMT parts of this guide contain background information solely on features not configurable by web configurator.
Note: Use the web configurator, System Management Terminal (SMT) or command interpreter interface to configure your ZyAIR. Not all features can be configured through all interfaces.
Related Documentation
• Supporting Disk
Refer to the included CD for support documents.
• Compact Guide
The Compact Guide is designed to help you get up and running right away. It contains connection information and instructions on getting started.
• Web Configurator Online Help
Embedded web help for descriptions of individual screens and supplementary information.
• ZyXEL Glossary and Web Site
Please refer to www.zyxel.com for an online glossary of networking terms and additional support documentation.
Page 28
User Guide Feedback
Help us help you! E-mail all User Guide-related comments, questions or suggestions for improvement to techwriters@zyxel.com.tw or send regular mail to The Technical Writing Team, ZyXEL Communications Corp., 6 Innovation Road II, Science-Based Industrial Park, Hsinchu, 300, Taiwan. Thank you!
Syntax Conventions
• “Enter” means for you to type one or more characters. “Select” or “Choose” means for you to use one of the predefined choices.
• The SMT menu titles and labels are in Bold Times New Roman font. Predefined field choices are in Bold Arial font. Command and arrow keys are enclosed in square brackets. [ENTER] means the Enter, or carriage return key; [ESC] means the Escape key and [SPACE BAR] means the Space Bar.
• Mouse action sequences are denoted using a comma. For example, “click the Apple icon, Control Panels and then Modem” means first click the Apple icon, then point your mouse pointer to Control Panels and then click Modem.
• For brevity’s sake, we will use “e.g.,” as a shorthand for “for instance”, and “i.e.,” for “that is” or “in other words” throughout this manual.
• The G-3000H may be referred to simply as the ZyAIR in the user’s guide.
Page 29
Graphics Icons Key
[Icons shown: ZyAIR, Computer, Notebook computer, Server, DSLAM, Firewall, Modem, Switch, Router, Wireless Signal]
Page 31

CHAPTER 1
Getting to Know Your ZyAIR

This chapter introduces the main features and applications of the ZyAIR.

1.1 Introducing the ZyAIR

The G-3000H extends the range of your existing wired network without any additional wiring efforts, providing easy network access to mobile users.
The ZyAIR offers highly secured wireless connectivity to your wired network with IEEE 802.1x, Wi-Fi Protected Access, WEP data encryption and MAC address filtering.
The ZyAIR is easy to install and configure. The embedded web-based configurator enables easy operation and configuration.

1.2 ZyAIR Features

The following sections describe the features of the ZyAIR.

1.2.1 Physical Features

10/100M Auto-negotiating Ethernet/Fast Ethernet Interface
This auto-negotiating feature allows the ZyAIR to detect the speed of incoming transmissions and adjust appropriately without manual intervention. It allows data transfer of either 10 Mbps or 100 Mbps in either half-duplex or full-duplex mode depending on your Ethernet network.
10/100M Auto-crossover Ethernet/Fast Ethernet Interface
An auto-crossover (auto-MDI/MDI-X) port automatically works with a straight-through or crossover Ethernet cable.
Reset Button
The ZyAIR reset button is built into the side panel. Use this button to restore the factory default password to 1234; IP address to 192.168.1.2, subnet mask to 255.255.255.0.
Page 32
ZyAIR LED
The blue ZyAIR LED (also known as the Breathing LED) is on when the ZyAIR is on and blinks (or breathes) when data is being transmitted to/from its wireless stations. You may use the web configurator to turn this LED off even when the ZyAIR is on and data is being transmitted/received.
Bridge/Repeater LED
A Bridge/Repeater link LED turns steady green when your ZyAIR acts as a bridge, establishing up to six wireless links with other APs.
Power over Ethernet (PoE)
Power over Ethernet (PoE) is the ability to provide power to your ZyAIR via an 8-pin CAT 5 Ethernet cable, eliminating the need for a nearby power source. An injector or PoE device (not included) is also needed to supply the Ethernet cable with power. This feature allows increased flexibility in locating your ZyAIR. You only need to connect the external power adaptor if you are not using PoE. If you simultaneously use both PoE and the external power adaptor, the ZyAIR will draw power from the PoE connection only. Refer to the appendix for more information about PoE.
Figure 1 PoE Installation Example

1.2.2 Firmware Features

Wi-Fi Protected Access
Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i security specification draft. Key differences between WPA and WEP are user authentication and improved data encryption.
Layer-2 Isolation
Layer-2 isolation is used to prevent wireless clients associated with your ZyAIR from communicating with other wireless clients, APs, computers or routers in a network.
Page 33
VLAN
A VLAN (Virtual Local Area Network) allows a physical network to be partitioned into multiple logical networks. Only stations within the same group can talk to each other. Stations on a logical network can belong to one or more groups. The ZyAIR supports 802.1Q VLAN tagging. Tagged VLAN uses an explicit tag (VLAN ID) in the MAC header of a frame to identify VLAN membership. The ZyAIR can identify VLAN tags for incoming Ethernet frames and add VLAN tags to outgoing Ethernet frames.
Configure VLAN (virtual LAN) to extend the wireless logical grouping to the wired network. A ZyAIR that you configure with the built-in wireless card uses the same Management VLAN ID as a ZyAIR configured with a removable wireless card.
WDS Functionality
A Distribution System (DS) is a wired connection between two or more APs, while a Wireless Distribution System (WDS) is a wireless connection. Your ZyAIR supports WDS, providing a cost-effective solution for wireless network expansion.
Figure 2 WDS Functionality Example
802.11b Wireless LAN Standard
The ZyAIR complies with the 802.11b wireless standard.
Page 34
The 802.11b data rate and corresponding modulation techniques are shown in the table below. The modulation technique defines how bits are encoded onto radio waves.
Table 1 IEEE 802.11b
DATA RATE (MBPS) MODULATION
1 DBPSK (Differential Binary Phase Shifted Keying)
2 DQPSK (Differential Quadrature Phase Shifted Keying)
5.5 / 11 CCK (Complementary Code Keying)
802.11g Wireless LAN Standard
The ZyAIR complies with the 802.11g wireless standard and is also fully compatible with the 802.11b standard. This means an 802.11b radio card can interface directly with an 802.11g device (and vice versa) at 11 Mbps or lower depending on range. 802.11g has several intermediate rate steps between the maximum and minimum data rates. The 802.11g data rate and modulation are as follows:
Table 2 IEEE 802.11g
DATA RATE (MBPS) MODULATION
6/9/12/18/24/36/48/54 OFDM (Orthogonal Frequency Division Multiplexing)
Note: The ZyAIR may be prone to RF (Radio Frequency) interference from other 2.4 GHz devices such as microwave ovens, wireless phones, Bluetooth enabled devices, and other wireless LANs.
STP (Spanning Tree Protocol) / RSTP (Rapid STP)
(R)STP detects and breaks network loops and provides backup links between switches, bridges or routers. It allows a bridge to interact with other (R)STP-compliant bridges in your network to ensure that only one path exists between any two stations on the network.
WMM QoS
WMM (Wi-Fi MultiMedia) QoS (Quality of Service) allows you to prioritize wireless traffic according to the delivery requirements of individual applications.
Certificates
The ZyAIR can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. Certificates provide a way to exchange public keys for use in authentication.
Page 35
Limit the number of Client Connections
You may set a maximum number of wireless stations that may connect to the ZyAIR. This may be necessary if, for example, there is interference or difficulty with channel assignment due to a high density of APs within a coverage area.
SSL Passthrough
SSL (Secure Sockets Layer) uses a public key to encrypt data that's transmitted over an SSL connection. Both Netscape Navigator and Internet Explorer support SSL, and many Web sites use the protocol to obtain confidential user information, such as credit card numbers. By convention, URLs that require an SSL connection start with “https” instead of “http”. The ZyAIR allows SSL connections to take place through the ZyAIR.
Brute-Force Password Guessing Protection
The ZyAIR has a special protection mechanism to discourage brute-force password guessing attacks on the ZyAIR's management interfaces. You can specify a wait-time that must expire before entering a fourth password after three incorrect passwords have been entered. Please see the appendix for details about this feature.
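A minimal model of the wait-time rule described above (three incorrect passwords, then a wait before the fourth is accepted), added here as an illustration and not ZyNOS code. The class and function names, the per-interface counter, the counter reset after the wait and the 300-second wait are assumptions.

```python
import hmac
import time
from dataclasses import dataclass

MAX_FAILURES = 3  # from the manual: three incorrect passwords, then a wait


@dataclass
class _State:
    failures: int = 0
    locked_until: float = 0.0


def make_checker(stored_password):
    """Return a constant-time password check (stand-in for the device's own check)."""
    expected = stored_password.encode()

    def check(candidate):
        return hmac.compare_digest(candidate.encode(), expected)

    return check


class LoginThrottle:
    """Hypothetical model of the wait-time rule for management logins."""

    def __init__(self, check_password, wait_seconds, clock=time.monotonic):
        if wait_seconds <= 0:
            raise ValueError("wait_seconds must be positive")
        self._check = check_password
        self._wait = wait_seconds
        self._clock = clock
        self._state = {}  # assumption: one counter per interface ("telnet", "www", ...)

    def attempt(self, interface, password):
        """Return 'ok', 'denied' or 'locked' for one login attempt."""
        st = self._state.setdefault(interface, _State())
        now = self._clock()
        if now < st.locked_until:
            # During the wait the password is not even checked, so a correct
            # guess gives no signal and the guess rate stays bounded.
            return "locked"
        if self._check(password):
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            st.locked_until = now + self._wait
            st.failures = 0  # assumption: the counter starts again after the wait
        return "denied"


def sustained_guesses_per_day(wait_seconds):
    """Upper bound on guesses per day at three guesses per wait period."""
    return MAX_FAILURES * 86400 // wait_seconds


def demo():
    """Replay a constructed attempt sequence against a fake clock."""
    now = [0.0]
    throttle = LoginThrottle(make_checker("example-Passw0rd"), 300, clock=lambda: now[0])
    results = [throttle.attempt("telnet", g) for g in ("guess-1", "guess-2", "guess-3")]
    # The correct password is still refused while the wait is running.
    results.append(throttle.attempt("telnet", "example-Passw0rd"))
    now[0] = 301.0  # the wait has expired
    results.append(throttle.attempt("telnet", "example-Passw0rd"))
    return results


if __name__ == "__main__":
    print(demo())
    print(sustained_guesses_per_day(300))
```

The longer the configured wait, the lower the sustained guess rate, which is why the wait-time setting matters more than the three-attempt threshold itself.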
Wireless LAN MAC Address Filtering
Your ZyAIR checks the MAC address of the wireless station against a list of allowed or denied MAC addresses.
WEP Encryption
WEP (Wired Equivalent Privacy) encrypts data frames before transmitting over the wireless network to help keep network communications private.
IEEE 802.1x Network Security
The ZyAIR supports the IEEE 802.1x standard to enhance user authentication. Use the built-in user profile database to authenticate up to 32 users using MD5 encryption. Use an EAP-compatible RADIUS (RFC2138, 2139 - Remote Authentication Dial In User Service) server to authenticate a limitless number of users using EAP (Extensible Authentication Protocol). EAP is an authentication protocol that supports multiple types of authentication.
SNMP
SNMP (Simple Network Management Protocol) is a protocol used for exchanging management information between network devices. SNMP is a member of the TCP/IP protocol suite. Your ZyAIR supports SNMP agent functionality, which allows a manager station to manage and monitor the ZyAIR through the network. The ZyAIR supports SNMP version one (SNMPv1) and version two c (SNMPv2c).
Page 36
Full Network Management
The embedded web configurator is an all-platform web-based utility that allows you to easily access the ZyAIR’s management settings. Most functions of the ZyAIR are also software configurable via the SMT (System Management Terminal) interface. The SMT is a menu-driven interface that you can access from a terminal emulator over a telnet connection.
Logging and Tracing
• Built-in message logging and packet tracing.
• Unix syslog facility support.
Embedded FTP and TFTP Servers
The ZyAIR’s embedded FTP and TFTP servers enable fast firmware upgrades as well as configuration file backups and restoration.
Wireless Association List
With the wireless association list, you can see the list of the wireless stations that are currently using the ZyAIR to access your wired network.
Wireless LAN Channel Usage
The Wireless Channel Usage screen displays whether the radio channels are used by other wireless devices within the transmission range of the ZyAIR. This allows you to select the channel with minimum interference for your ZyAIR.

1.3 Applications for the ZyAIR

Here are some ZyAIR application examples.
The ZyAIR can be configured using the following WLAN operating modes:
1 AP
2 AP+Bridge
3 Bridge/Repeater
Applications for each operating mode are shown below.
Note: A different channel should be configured for each WLAN interface to reduce the effects of radio interference.
Page 37

1.3.1 Access Point

The ZyAIR is an ideal access solution for wireless Internet connection. A typical Internet access application for your ZyAIR is shown as follows. Stations A, B and C can access the wired network through the ZyAIRs.
Figure 3 Access Point Application

1.3.2 Multiple ESS

The ZyAIR’s Multiple ESS function allows multiple ESSs to be configured on just one access point (the ZyAIR). Wireless stations can use different ESSIDs to associate with the same AP. Only wireless stations with the same ESSID can communicate with each other.
In this application example, wireless stations 1 and 2 both associate with the ZyAIR but cannot communicate with each other as they belong to different ESSs. Stations 1, 3 and 4 can communicate with each other. Similarly, stations 2, 5 and 6 can communicate with each other.
Station 1 relays communications via the ZyAIR within the Multi-ESS coverage area and with AP X if it moves to the RD ESS coverage area. Similarly, Station 2 relays communications via the ZyAIR within the Multi-ESS coverage area and with AP Y if it moves to the Sales ESS coverage area.
You cannot configure WPA on your ZyAIR in Multiple ESS mode.
Page 38
Figure 4 Multiple ESS Application

1.3.3 AP + Bridge

In AP+Bridge mode, the ZyAIR supports both AP (A and B can connect to the wired network through X) and bridge (X can communicate with Y) connection at the same time.
When the ZyAIR is in AP + Bridge mode, the traffic between ZyAIRs (the WDS) is not encrypted. The security settings on the ZyAIR refer to the traffic between the wireless station and the ZyAIR.
Page 39
Figure 5 AP+Bridge Application

1.3.4 Bridge / Repeater

The ZyAIR can act as a wireless network bridge and establish wireless links with other APs. In bridge mode, the ZyAIRs (A and B) are connected to independent wired networks and have a bridge (A can communicate with B) connection at the same time. A ZyAIR in repeater mode (C) has no Ethernet connection. When the ZyAIR is in bridge mode, you should enable STP to prevent bridge loops.
When the ZyAIR is in Bridge/Repeater mode, you don’t have to enter a pre-shared key, but the traffic between devices won’t be encrypted if you don’t. The peer bridge must use the same pre-shared key and encryption method.
The ZyAIR in AP+Bridge mode cannot connect to another ZyAIR in Bridge/Repeater mode that uses manual WEP keys with 64-bit or 128-bit WEP encryption.
Page 40
Figure 6 Bridge Application
Figure 7 Repeater Application
Page 41
CHAPTER 2
Introducing the Web Configurator
This chapter describes how to access the ZyAIR web configurator and provides an overview of its screens. The default IP address of the ZyAIR is 192.168.1.2.

2.1 Accessing the ZyAIR Web Configurator

1 Make sure your ZyAIR hardware is properly connected and prepare your computer/computer network to connect to the ZyAIR (refer to the Quick Start Guide).
2 Launch your web browser.
3 Type "192.168.1.2" as the URL.
4 Type "1234" (default) as the password and click Login. In some versions, the default password appears automatically - if this is the case, click Login.
5 You should see a screen asking you to change your password (highly recommended) as shown next. Type a new password (and retype it to confirm) and click Apply or click Ignore.
Note: If you do not change the password, the following screen appears every time you log in.
Page 42
Figure 8 Change Password Screen
6 Click Apply in the Replace Certificate screen to create a certificate using your ZyAIR’s MAC address that will be specific to this device.
Figure 9 Replace Certificate Screen
You should now see the MAIN MENU screen.
Note: The management session automatically times out when the time period set in the Administrator Inactivity Timer field expires (default five minutes). Simply log back into the ZyAIR if this happens to you.
Page 43

2.2 Resetting the ZyAIR

If you forget your password or cannot access the web configurator, you will need to reload the factory-default configuration file or use the RESET button on the side panel of the ZyAIR. Uploading this configuration file replaces the current configuration file with the factory-default configuration file. This means that you will lose all configurations that you had previously. The password will be reset to 1234.

2.2.1 Procedure To Use The Reset Button

Make sure the SYS LED is on (not blinking) before you begin this procedure.
1 Press the RESET button for ten seconds or until the SYS LED, LINK LED or BDG/RPT LED turns red, and then release it. If the SYS LED begins to blink, the defaults have been restored and the ZyAIR restarts. Otherwise, go to step 2.
2 Turn the ZyAIR off.
3 While pressing the RESET button, turn the ZyAIR on.
4 Continue to hold the RESET button. The SYS LED will begin to blink and flicker very quickly after about 20 seconds. This indicates that the defaults have been restored and the ZyAIR is now restarting.
5 Release the RESET button and wait for the ZyAIR to finish restarting.

2.2.2 Method of Restoring Factory-Defaults

You can erase the current configuration and restore factory defaults in three ways:
• Use the RESET button on the side panel of the ZyAIR to upload the default configuration file (hold this button in for about 10 seconds or until the SYS LED, LINK LED or BDG/RPT LED turns red). Use this method for cases when the password or IP address of the ZyAIR is not known.
• Use the web configurator to restore defaults (refer to Chapter 14, on page 161).
• Transfer the configuration file to your ZyAIR using FTP. See later in the part on SMT configuration for more information.

2.3 Navigating the ZyAIR Web Configurator

We use the G-3000H web configurator in this guide as an example. The web configurator screens may vary slightly for different ZyAIR models.
The following summarizes how to navigate the web configurator from the MAIN MENU screen.
Page 44
Note: Follow the instructions you see in the MAIN MENU screen or click the icon (located in the top right corner of most screens) to view online help.
The icon does not appear in the MAIN MENU screen.
Figure 10 The MAIN MENU Screen of the Web Configurator
Click WIZARD SETUP for initial configuration including general setup, Wireless LAN setup and IP address assignment.
Click the links under ADVANCED to configure advanced features such as SYSTEM (General Setup, Password and Time Zone), WIRELESS (Wireless, SSID, Security, RADIUS, Layer-2 Isolation, MAC Filter, Roaming, Local User Database), IP, REMOTE MGNT (Telnet, FTP, WWW and SNMP), CERTIFICATES (My Certificates, Trusted CAs), LOGS (View reports and Log Settings) and VLAN.
Click MAINTENANCE to view information about your ZyAIR or upgrade configuration/firmware files. Maintenance includes Status (Statistics), Association List, Channel Usage, F/W (firmware) Upload, Configuration (Backup, Restore and Default) and Restart.
Click LOGOUT at any time to exit the web configurator.
Page 45
CHAPTER 3
Wizard Setup
This chapter provides information on the Wizard Setup screens in the web configurator.

3.1 Wizard Setup Overview

The web configurator’s setup wizard helps you configure your ZyAIR for wireless stations to access your wired LAN.

3.1.1 Channel

A channel is the radio frequency(ies) used by IEEE 802.11b and IEEE 802.11g wireless devices. Channels available depend on your geographical area. You may have a choice of channels (for your region) so you should use a different channel than an adjacent AP (access point) to reduce interference. Interference occurs when radio signals from different access points overlap, degrading performance.
Adjacent channels partially overlap however. To avoid interference due to overlap, your AP should be on a channel at least five channels away from a channel that an adjacent AP is using. For example, if your region has 11 channels and an adjacent AP is using channel 1, then you need to select a channel between 6 and 11.
The ZyAIR’s “Scan” function is especially designed to automatically scan for a channel with the least interference.

3.1.2 ESS ID

An Extended Service Set (ESS) is a group of access points connected to a wired LAN on the same subnet. An SSID uniquely identifies each set. All access points and their associated wireless stations in the same set must have the same SSID.

3.1.3 WEP Encryption

WEP (Wired Equivalent Privacy) encrypts data frames before transmitting over the wireless network. WEP encryption scrambles the data transmitted between the wireless stations and the access points to keep network communications private. It encrypts unicast and multicast communications in a network. Both the wireless stations and the access points must use the same WEP key for data encryption and decryption.
Page 46

3.2 Wizard Setup: General Setup

General Setup contains administrative and system-related information.
Figure 11 Wizard 1: General Setup
The following table describes the labels in this screen.
Table 3 Wizard 1: General Setup
LABEL DESCRIPTION
System Name It is recommended you type your computer's "Computer name".
In Windows 95/98 click Start, Settings, Control Panel, Network. Click the Identification tab, note the entry for the Computer Name field and enter it as the System Name.
In Windows 2000, click Start, Settings, Control Panel and then double-click System. Click the Network Identification tab and then the Properties button. Note the entry for the Computer name field and enter it as the System Name.
In Windows XP, click Start, My Computer, View system information and then click the Computer Name tab. Note the entry in the Full computer name field and enter it as the ZyAIR System Name.
This name can be up to 30 alphanumeric characters long. Spaces are not allowed, but dashes "-" and underscores "_" are accepted.
Domain Name This is not a required field. Leave this field blank or enter the domain name here if you know it.
Next Click Next to proceed to the next screen.

3.3 Wizard Setup: Wireless LAN

Use the second wizard screen to set up the wireless LAN.
Figure 12 Wizard 2: Wireless LAN Setup
The following table describes the labels in this screen.
Table 4 Wizard 2: Wireless LAN Setup
LABEL DESCRIPTION
Wireless LAN Setup
Name (SSID) Enter a descriptive name (up to 32 printable 7-bit ASCII characters) for the wireless LAN. If you change this field on the ZyAIR, make sure all wireless stations use the same Name (SSID) in order to access the network.
Choose Channel ID To manually set the ZyAIR to use a channel, select a channel from the drop-down list box. Open the Channel Usage screen to make sure the channel is not already used by another AP or independent peer-to-peer wireless network.
To have the ZyAIR automatically select a channel, click Scan instead.
Scan Click this button to have the ZyAIR automatically scan for and select a channel with the least interference.
WEP Encryption Select Disable to allow all wireless computers to communicate with the access points without any data encryption. Select 64-bit WEP or 128-bit WEP to allow data encryption.
ASCII Select this option in order to enter ASCII characters as the WEP keys.
Hex Select this option to enter hexadecimal characters as the WEP keys.
The preceding 0x is entered automatically.
Key 1 to Key 4 The WEP keys are used to encrypt data. Both the ZyAIR and the wireless stations must use the same WEP key for data transmission.
If you chose 64-bit WEP, then enter any 5 ASCII characters or 10 hexadecimal characters ("0-9", "A-F").
If you chose 128-bit WEP, then enter 13 ASCII characters or 26 hexadecimal characters ("0-9", "A-F").
You must configure all four keys, but only one key can be activated at any one time. The default key is key 1.
Back Click Back to return to the previous screen.
Next Click Next to continue.
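The key-length rules in Table 4, as an added Python example (not ZyXEL code): it checks a set of four WEP keys against the selected mode and shows that an ASCII key on the AP and a hex key on a station match only when they decode to the same bytes. All function names and the sample keys are assumptions made for this illustration.

```python
import string

# Key lengths from Table 4, in characters typed: {mode: {format: length}}.
WEP_KEY_CHARS = {
    "64-bit": {"ascii": 5, "hex": 10},
    "128-bit": {"ascii": 13, "hex": 26},
}


def parse_wep_key(key, mode, fmt):
    """Return the raw key bytes, or raise ValueError naming the problem.

    mode is "64-bit" or "128-bit"; fmt is "ascii" or "hex". A leading "0x"
    on a hex key is dropped because the configurator enters it automatically.
    """
    if mode not in WEP_KEY_CHARS:
        raise ValueError(f"unknown WEP mode {mode!r}")
    if fmt not in WEP_KEY_CHARS[mode]:
        raise ValueError(f"unknown key format {fmt!r}")
    if fmt == "hex" and key[:2].lower() == "0x":
        key = key[2:]
    want = WEP_KEY_CHARS[mode][fmt]
    if len(key) != want:
        raise ValueError(f"{mode} {fmt} key needs {want} characters, got {len(key)}")
    if fmt == "hex":
        if not all(c in string.hexdigits for c in key):
            raise ValueError("hex key may contain only 0-9 and A-F")
        return bytes.fromhex(key)
    if not key.isascii():
        raise ValueError("key contains non-ASCII characters")
    return key.encode("ascii")


def check_key_set(keys, mode, fmt, active=1):
    """Validate Key 1 to Key 4; return a list of problems (empty means OK)."""
    problems = []
    if len(keys) != 4:
        problems.append(f"all four keys must be configured, got {len(keys)}")
    if not 1 <= active <= 4:
        problems.append(f"active key must be 1 to 4, got {active}")
    for slot, key in enumerate(keys, start=1):
        try:
            parse_wep_key(key, mode, fmt)
        except ValueError as exc:
            problems.append(f"key {slot}: {exc}")
    return problems


def same_key(ap_entry, station_entry, mode):
    """Compare an AP key and a station key, each given as (text, format).

    The two sides may use different input formats; what has to match is the
    decoded byte string.
    """
    ap_raw = parse_wep_key(ap_entry[0], mode, ap_entry[1])
    station_raw = parse_wep_key(station_entry[0], mode, station_entry[1])
    return ap_raw == station_raw


# Constructed sample keys (128-bit WEP, hexadecimal input). Not real secrets.
SAMPLE_KEYS = [
    "0x00112233445566778899AABBCC",
    "00112233445566778899aabbcd",
    "00112233445566778899AABBCE",
    "00112233445566778899AABBCF",
]

if __name__ == "__main__":
    print(check_key_set(SAMPLE_KEYS, "128-bit", "hex"))
    print(check_key_set(["abcde", "abcdef", "12345", "zzzzz"], "64-bit", "ascii"))
    print(same_key(("abcde", "ascii"), ("6162636465", "hex"), "64-bit"))
```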

3.4 Wizard Setup: IP Address

The third wizard screen allows you to configure IP address assignment.

3.4.1 IP Address Assignment

Every computer on the Internet must have a unique IP address. If your networks are isolated from the Internet, for instance, only between your two branch offices, you can assign any IP addresses to the hosts without problems. However, the Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of IP addresses specifically for private networks.
Table 5 Private IP Address Ranges
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
You can obtain your IP address from the IANA, from an ISP or have it assigned by a private network. If you belong to a small organization and your Internet access is through an ISP, the ISP can provide you with the Internet addresses for your local networks. On the other hand, if you are part of a much larger organization, you should consult your network administrator for the appropriate IP addresses.
Note: Regardless of your particular situation, do not create an arbitrary IP address; always follow the guidelines above. For more information on address assignment, please refer to RFC 1597, Address Allocation for Private Internets and RFC 1466, Guidelines for Management of IP Address Space.

3.4.2 IP Address and Subnet Mask

Similar to the way houses on a street share a common street name, so too do computers on a LAN share one common network number.
Where you obtain your network number depends on your particular situation. If the ISP or your network administrator assigns you a block of registered IP addresses, follow their instructions in selecting the IP addresses and the subnet mask.
If the ISP did not explicitly give you an IP network number, then most likely you have a single user account and the ISP will assign you a dynamic IP address when the connection is established. The Internet Assigned Number Authority (IANA) reserved this block of addresses specifically for private use; please do not use any other number unless you are told otherwise. Let's say you select 192.168.1.0 as the network number, which covers 254 individual addresses, from 192.168.1.1 to 192.168.1.254 (zero and 255 are reserved). In other words, the first three numbers specify the network number while the last number identifies an individual computer on that network.
Once you have decided on the network number, pick an IP address that is easy to remember, for instance, 192.168.1.2, for your ZyAIR, but make sure that no other device on your network is using that IP address.
The subnet mask specifies the network number portion of an IP address. Your ZyAIR will compute the subnet mask automatically based on the IP address that you entered. You don't need to change the subnet mask computed by the ZyAIR unless you are instructed to do otherwise.
Figure 13 Wizard 3: IP Address Assignment
The following table describes the labels in this screen.
Table 6 Wizard 3: IP Address Assignment
LABEL DESCRIPTION
IP Address Assignment
Get automatically from DHCP Select this option if your ZyAIR is using a dynamically assigned IP address from a DHCP server each time.
Note: You must know the IP address assigned to the ZyAIR (by the DHCP server) to access the ZyAIR again.
Use fixed IP address Select this option if your ZyAIR is using a static IP address. When you select this option, fill in the fields below.
IP Address Enter the IP address of your ZyAIR in dotted decimal notation.
Note: If you changed the ZyAIR's IP address, you must use the new IP address if you want to access the web configurator again.
IP Subnet Mask Type the subnet mask.
Gateway IP Address Type the IP address of the gateway. The gateway is an immediate neighbor of your ZyAIR that will forward the packet to the destination. The gateway must be a router on the same segment as your ZyAIR's LAN or WAN port.
Back Click Back to return to the previous screen.
Finish Click Finish to proceed to complete the Wizard setup.

3.5 Basic Setup Complete

When you click Finish in the Wizard 3 IP Address Assignment screen, a warning window displays as shown. Click OK to close the window and log in to the web configurator again using the new IP address if you change the default IP address (192.168.1.2).
You have successfully set up the ZyAIR. A screen displays prompting you to close the web browser.
Click Yes. Otherwise, click No and the congratulations screen shows next.
Figure 14 Wizard 4: Setup Complete
Well done! You have successfully set up your ZyAIR to operate on your network and access the Internet.

CHAPTER 4

System Screens

4.1 System Overview

This section provides information on general system setup.

4.2 Configuring General Setup

Click the SYSTEM link under ADVANCED to open the General screen.
Figure 15 System General Setup

The following table describes the labels in this screen.
Table 7 System General Setup
LABEL DESCRIPTION
General Setup
System Name Type a descriptive name to identify the ZyAIR in the Ethernet network.
This name can be up to 30 alphanumeric characters long. Spaces are not allowed, but dashes "-" and underscores "_" are accepted.
Domain Name This is not a required field. Leave this field blank or enter the domain name here if you know it.
Administrator Inactivity Timer Type how many minutes a management session (either via the web configurator or SMT) can be left idle before the session times out.
The default is 5 minutes. After it times out you have to log in with your password again. Very long idle timeouts may have security risks.
A value of "0" means a management session never times out, no matter how long it has been left idle (not recommended).
System DNS Servers
First DNS Server
Second DNS Server
Third DNS Server
Select From DHCP if your DHCP server dynamically assigns DNS server information (and the ZyAIR's Ethernet IP address). The field to the right displays the (read-only) DNS server IP address that the DHCP assigns.
Select User-Defined if you have the IP address of a DNS server. Enter the DNS server's IP address in the field to the right. If you chose User-Defined, but leave the IP address set to 0.0.0.0, User-Defined changes to None after you click Apply. If you set a second choice to User-Defined, and enter the same IP address, the second User-Defined changes to None after you click Apply.
Select None if you do not want to configure DNS servers. If you do not configure a DNS server, you must know the IP address of a machine in order to access it.
The default setting is None.
Apply Click Apply to save your changes back to the ZyAIR.
Reset Click Reset to reload the previous configuration for this screen.

4.3 Configuring Password

To change your ZyAIR’s password (recommended), click the SYSTEM link under ADVANCED and then the Password tab. The screen appears as shown. This screen allows you to change the ZyAIR’s password.
If you forget your password (or the ZyAIR IP address), you will need to reset the ZyAIR. See the Resetting the ZyAIR section for details.
Figure 16 Password.
The following table describes the labels in this screen.
Table 8 Password
LABEL DESCRIPTIONS
Old Password Type in your existing system password (1234 is the default password).
New Password Type your new system password (up to 31 characters). Note that as you type a password, the screen displays an asterisk (*) for each character you type.
Retype to Confirm Retype your new system password for confirmation.
Apply Click Apply to save your changes back to the ZyAIR.
Reset Click Reset to reload the previous configuration for this screen.

4.4 Configuring Time Setting

To change your ZyAIR’s time and date, click the SYSTEM link under ADVANCED and then the Time Setting tab. The screen appears as shown. Use this screen to configure the ZyAIR’s time based on your local time zone.
Figure 17 Time Setting
The following table describes the labels in this screen.
Table 9 Time Setting
LABEL DESCRIPTION
Time Protocol Select the time service protocol that your time server sends when you turn on the ZyAIR. Not all time servers support all protocols, so you may have to check with your ISP/network administrator or use trial and error to find a protocol that works.
The main difference between them is the format.
Daytime (RFC 867) format is day/month/year/time zone of the server.
Time (RFC 868) format displays a 4-byte integer giving the total number of seconds since 1970/1/1 at 0:0:0.
The default, NTP (RFC 1305), is similar to Time (RFC 868).
Select None to enter the time and date manually.
Time Server Address Enter the IP address or the URL of your time server. Check with your ISP/network administrator if you are unsure of this information.
Current Time (hh:mm:ss) This field displays the time of your ZyAIR.
Each time you reload this page, the ZyAIR synchronizes the time with the time server.
New Time (hh:mm:ss) This field displays the last updated time from the time server.
When you select None in the Time Protocol field, enter the new time in this field and then click Apply.
Current Date (yyyy/mm/dd) This field displays the date of your ZyAIR.
Each time you reload this page, the ZyAIR synchronizes the date with the time server.
New Date (yyyy/mm/dd) This field displays the last updated date from the time server.
When you select None in the Time Protocol field, enter the new date in this field and then click Apply.
Time Zone Choose the time zone of your location. This will set the time difference between your time zone and Greenwich Mean Time (GMT).
Daylight Savings Select this option if you use daylight savings time. Daylight saving is a period from late spring to early fall when many countries set their clocks ahead of normal local time by one hour to give more daytime light in the evening.
Start Date (mm-dd) Enter the month and day that your daylight-savings time starts on if you selected Daylight Savings.
End Date (mm-dd) Enter the month and day that your daylight-savings time ends on if you selected Daylight Savings.
Apply Click Apply to save your changes back to the ZyAIR.
Reset Click Reset to reload the previous configuration for this screen.

CHAPTER 5

Wireless Configuration

This chapter discusses how to configure Wireless screens on the ZyAIR.

5.1 Wireless LAN Overview

This section introduces the wireless LAN (WLAN) and some basic scenarios.

5.1.1 BSS

A Basic Service Set (BSS) exists when all communications between wireless stations or between a wireless station and a wired network client go through one access point (AP).
Intra-BSS traffic is traffic between wireless stations in the BSS. When Intra-BSS is enabled, wireless station A and B can access the wired network and communicate with each other. When Intra-BSS is disabled, wireless station A and B can still access the wired network but cannot communicate with each other.
Figure 18 Basic Service Set

5.1.2 ESS

An Extended Service Set (ESS) consists of a series of overlapping BSSs, each containing an access point, with each access point connected together by a wired network. This wired connection between APs is called a Distribution System (DS). An ESSID (ESS IDentification) uniquely identifies each ESS. All access points and their associated wireless stations within the same ESS must have the same ESSID in order to communicate.
Figure 19 Extended Service Set

5.2 Wireless LAN Basics

Refer also to the Wizard Setup chapter for more background information on Wireless LAN features, such as channels.
See the Wireless LANs Appendix for information on the following:
• Wireless LAN Topologies
• Channel
• RTS/CTS
• Fragmentation Threshold
• Preamble Type
• IEEE 802.1x
• RADIUS
• Types of Authentication
• WPA
• Security Parameters Summary

5.3 WMM QoS

WMM (Wi-Fi MultiMedia) QoS (Quality of Service) ensures quality of service in wireless networks for multimedia applications. WMM QoS prioritizes wireless traffic according to the delivery requirements of the individual and applications. WMM QoS is a part of the IEEE 802.11e QoS enhancement to certified Wi-Fi wireless networks.
On APs without WMM QoS, all traffic streams are given the same access throughput to the wireless network. If the introduction of another traffic stream creates a data transmission demand that exceeds the current network capacity, then the new traffic stream reduces the throughput of the other traffic streams.
The ZyAIR uses WMM QoS to prioritize traffic streams according to the needs of the application. The ZyAIR automatically determines the priority to use for an individual traffic stream. This prevents reductions in data transmission for applications that are sensitive to jitter (variations in delay).

5.3.1 WMM QoS Priorities

The following table describes the WMM QoS priority levels that the ZyAIR uses.
Table 10 WMM QoS Priorities
PRIORITY LEVEL DESCRIPTION
voice Typically used for traffic that is especially sensitive to jitter. Use this priority to reduce latency for improved voice quality.
video Typically used for traffic which has some tolerance for jitter but needs to be prioritized over other data traffic.
besteffort Typically used for traffic from applications or devices that lack QoS capabilities. Use best effort priority for traffic that is less sensitive to latency, but is affected by long delays, such as Internet surfing.
background This is typically used for non-critical traffic such as bulk transfers and print jobs that are allowed but that should not affect other applications and users. Use background priority for applications that do not have strict latency and throughput requirements.

5.3.2 Type Of Service (ToS)

Network traffic can be classified by setting the ToS (Type Of Service) values at the data source (for example, at the Prestige) so a server can decide the best method of delivery, that is the least cost, fastest route and so on.
5.3.2.1 DiffServ
DiffServ is a class of service (CoS) model that marks packets so that they receive specific per-hop treatment at DiffServ-compliant network devices along the route based on the application types and traffic flow. Packets are marked with DiffServ Code Points (DSCPs) indicating the level of service desired. This allows the intermediary DiffServ-compliant network devices to handle the packets differently depending on the code points without the need to negotiate paths or remember state information for every flow. In addition, applications do not have to request a particular service or give advanced notice of where the traffic is going.
5.3.2.2 DSCP and Per-Hop Behavior
DiffServ defines a new DS (Differentiated Services) field to replace the Type of Service (TOS) field in the IP header. The DS field contains a 2-bit unused field and a 6-bit DSCP field which can define up to 64 service levels. The following figure illustrates the DS field.
DSCP is backward compatible with the three precedence bits in the ToS octet so that non-DiffServ compliant, ToS-enabled network devices will not conflict with the DSCP mapping.
Figure 20 DiffServ: Differentiated Service Field
DSCP (6-bit) | Unused (2-bit)
The DSCP value determines the forwarding behavior, the PHB (Per-Hop Behavior), that each packet gets across the DiffServ network. Based on the marking rule, different kinds of traffic can be marked for different priorities of forwarding. Resources can then be allocated according to the DSCP values and the configured policies.

5.3.3 ToS (Type of Service) and WMM QoS

The DSCP value of outgoing packets is between 0 and 255. 0 is the default priority. WMM QoS checks the DSCP value in the header of data packets. It gives the traffic a priority according to this number.
In order to control which priority level is given to traffic, the device sending the traffic must set the DSCP value in the header. If the DSCP value is not specified, then the traffic is treated as best-effort. This means the wireless clients and the devices with which they are communicating must both set the DSCP value in order to make the best use of WMM QoS. A Voice over IP (VoIP) device for example may allow you to define the DSCP value.
The following table lists which WMM QoS priority level the ZyAIR uses for specific DSCP values.
Table 11 ToS and IEEE 802.1d to WMM QoS Priority Level Mapping
DSCP VALUE WMM QOS PRIORITY LEVEL
224, 192 voice
160, 128 video
96, 0 besteffort (a)
64, 32 background
a. The ZyAIR also uses best effort for any DSCP value for which another WMM QoS priority is not specified (255, 158 or 37 for example).
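The DS field layout from section 5.3.2.2 combined with the Table 11 mapping, as an added Python example (not ZyXEL code): it parses a constructed IPv4 header, splits the ToS/DS byte into its DSCP and unused bits, and returns the WMM level Table 11 gives for that byte. Function names and the sample header are assumptions; values absent from the table fall through to besteffort as footnote a states.

```python
import struct

# Table 11: value of the ToS/DS byte -> WMM QoS priority level.
WMM_BY_TOS_VALUE = {
    224: "voice", 192: "voice",
    160: "video", 128: "video",
    96: "besteffort", 0: "besteffort",
    64: "background", 32: "background",
}


def split_ds_field(tos_byte):
    """Split the 8-bit DS field into (6-bit DSCP, 2-bit unused field)."""
    if not 0 <= tos_byte <= 255:
        raise ValueError("the DS field is a single byte (0 to 255)")
    return tos_byte >> 2, tos_byte & 0b11


def wmm_priority(tos_byte):
    """WMM level per Table 11; any value not listed is treated as besteffort."""
    return WMM_BY_TOS_VALUE.get(tos_byte, "besteffort")


def classify_ipv4_packet(packet):
    """Read the ToS/DS byte (second byte of the IPv4 header) and classify it."""
    if len(packet) < 20:
        raise ValueError("shorter than a minimal IPv4 header")
    version_ihl, tos = struct.unpack_from("!BB", packet, 0)
    if version_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    dscp, unused = split_ds_field(tos)
    return {
        "tos": tos,
        "dscp": dscp,
        "precedence": tos >> 5,   # the three legacy ToS precedence bits
        "unused": unused,
        "wmm": wmm_priority(tos),
    }


def build_ipv4_header(tos):
    """Constructed 20-byte IPv4/UDP header for testing (checksum left at 0)."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45,            # version 4, header length 5 words
        tos,             # ToS / DS field
        20, 0, 0,        # total length, identification, flags/fragment
        64, 17, 0,       # TTL, protocol (UDP), checksum
        bytes([192, 168, 1, 10]),
        bytes([192, 168, 1, 2]),
    )


if __name__ == "__main__":
    # 184 is DSCP 46 (Expedited Forwarding), a common VoIP marking. It is not
    # listed in Table 11, so per footnote a it is handled as besteffort.
    for tos in (224, 160, 184, 96, 32, 37):
        print(tos, classify_ipv4_packet(build_ipv4_header(tos)))
```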

5.4 Spanning Tree Protocol (STP)

STP detects and breaks network loops and provides backup links between switches, bridges or routers. It allows a bridge to interact with other STP-compliant bridges in your network to ensure that only one route exists between any two stations on the network.

5.4.1 Rapid STP

The ZyAIR uses IEEE 802.1w RSTP (Rapid Spanning Tree Protocol), which allows faster convergence of the spanning tree (while also being backwards compatible with STP-only aware bridges). Using RSTP, topology change information does not have to propagate to the root bridge and unwanted learned addresses are flushed from the filtering database. In RSTP, the port states are Discarding, Learning, and Forwarding.

5.4.2 STP Terminology

The root bridge is the base of the spanning tree; it is the bridge with the lowest identifier value (MAC address).
Path cost is the cost of transmitting a frame onto a LAN through that port. It is assigned according to the speed of the link to which a port is attached. The slower the media, the higher the cost - see the following table.
Table 12 STP Path Costs
            LINK SPEED   RECOMMENDED VALUE   RECOMMENDED RANGE   ALLOWED RANGE
Path Cost   4Mbps        250                 100 to 1000         1 to 65535
Path Cost   10Mbps       100                 50 to 600           1 to 65535
Path Cost   16Mbps       62                  40 to 400           1 to 65535
Path Cost   100Mbps      19                  10 to 60            1 to 65535
Path Cost   1Gbps        4                   3 to 10             1 to 65535
Path Cost   10Gbps       2                   1 to 5              1 to 65535
On each bridge, the root port is the port through which this bridge communicates with the root. It is the port on this switch with the lowest path cost to the root (the root path cost). If there is no root port, then this bridge has been accepted as the root bridge of the spanning tree network.
For each LAN segment, a designated bridge is selected. This bridge has the lowest cost to the root among the bridges connected to the LAN.

5.4.3 How STP Works

After a bridge determines the lowest-cost spanning tree with STP, it enables the root port and the ports that are the designated ports for connected LANs, and disables all other ports that participate in STP. Network packets are therefore only forwarded between enabled ports, eliminating any possible network loops.
STP-aware bridges exchange Bridge Protocol Data Units (BPDUs) periodically. When the bridged LAN topology changes, a new spanning tree is constructed.
Once a stable network topology has been established, all bridges listen for Hello BPDUs (Bridge Protocol Data Units) transmitted from the root bridge. If a bridge does not get a Hello BPDU after a predefined interval (Max Age), the bridge assumes that the link to the root bridge is down. This bridge then initiates negotiations with other bridges to reconfigure the network to re-establish a valid network topology.
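The root bridge, root port and designated bridge selection described in sections 5.4.2 and 5.4.3, worked through on a small looped topology as an added Python example (not ZyXEL code, and a static calculation rather than the BPDU exchange itself). It uses the recommended path costs from Table 12; the bridge identifiers, link names and point-to-point segment model are assumptions, and ties are broken by lowest bridge identifier.

```python
import heapq

# Recommended path cost per link speed, from Table 12.
PATH_COST = {"4Mbps": 250, "10Mbps": 100, "16Mbps": 62,
             "100Mbps": 19, "1Gbps": 4, "10Gbps": 2}


def compute_spanning_tree(bridges, links):
    """Return the root, root path costs, root ports and per-port states.

    bridges: list of bridge identifiers (MAC strings; the lowest is the root).
    links:   list of (segment_name, bridge_a, bridge_b, link_speed).
    """
    root = min(bridges)
    neighbors = {bridge: [] for bridge in bridges}
    for name, a, b, speed in links:
        cost = PATH_COST[speed]
        neighbors[a].append((b, name, cost))
        neighbors[b].append((a, name, cost))

    # Lowest total path cost from every bridge to the root (Dijkstra).
    root_cost = {root: 0}
    queue = [(0, root)]
    while queue:
        cost, bridge = heapq.heappop(queue)
        if cost > root_cost[bridge]:
            continue
        for peer, _name, link_cost in neighbors[bridge]:
            if cost + link_cost < root_cost.get(peer, float("inf")):
                root_cost[peer] = cost + link_cost
                heapq.heappush(queue, (cost + link_cost, peer))
    unreachable = sorted(set(bridges) - set(root_cost))
    if unreachable:
        raise ValueError(f"bridges not connected to the root: {unreachable}")

    # Root port: the port with the lowest path cost to the root.
    root_port = {}
    for bridge in bridges:
        if bridge != root:
            offers = [(root_cost[peer] + cost, peer, name)
                      for peer, name, cost in neighbors[bridge]]
            root_port[bridge] = min(offers)[2]

    # Designated bridge per segment: lowest cost to the root on that segment.
    # Ports that are neither root port nor designated port are disabled.
    designated, states = {}, {}
    for name, a, b, _speed in links:
        designated[name] = min((a, b), key=lambda br: (root_cost[br], br))
        for bridge in (a, b):
            enabled = designated[name] == bridge or root_port.get(bridge) == name
            states[(bridge, name)] = "forwarding" if enabled else "blocking"
    return {"root": root, "root_cost": root_cost, "root_port": root_port,
            "designated": designated, "states": states}


# Constructed topology: two bridges wired to a third at 100Mbps and also
# linked to each other by a slower bridge link, which closes a loop.
SAMPLE_BRIDGES = ["02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"]
SAMPLE_LINKS = [
    ("lan-ab", "02:00:00:00:00:01", "02:00:00:00:00:02", "100Mbps"),
    ("lan-ac", "02:00:00:00:00:01", "02:00:00:00:00:03", "100Mbps"),
    ("wds-bc", "02:00:00:00:00:02", "02:00:00:00:00:03", "10Mbps"),
]

if __name__ == "__main__":
    tree = compute_spanning_tree(SAMPLE_BRIDGES, SAMPLE_LINKS)
    print("root bridge:", tree["root"])
    for port, state in sorted(tree["states"].items()):
        print(port, state)
```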

5.4.4 STP Port States

STP assigns five port states (see next table) to eliminate packet looping. A bridge port is not allowed to go directly from blocking state to forwarding state so as to eliminate transient loops.
Table 13 STP Port States
PORT STATES DESCRIPTIONS
Disabled STP is disabled (default).
Blocking Only configuration and management BPDUs are received and processed.
Listening All BPDUs are received and processed.
Learning All BPDUs are received and processed. Information frames are submitted to the learning process but not forwarded.
Forwarding All BPDUs are received and processed. All information frames are received and forwarded.

5.5 Wireless Screen Overview

The following is a list of the screens you can configure on the ZyAIR.
1 Configure the ZyAIR as an AP, an AP+Bridge, a Bridge/Repeater or to use multiple ESS in the Wireless screen. You can also select an SSID Profile in the Wireless screen.
2 Use the SSID screens to view and create SSID profiles.
3 Use the Security screen to configure wireless profiles. For each profile you can configure a name and one of the wireless security modes.
4 Use the RADIUS screen to configure RADIUS authentication and accounting settings.
5 Use the Layer-2 Isolation screen to prevent wireless clients associated with your ZyAIR from communicating with other wireless clients, APs, computers or routers in a network.
6 Use the MAC Filter screen to restrict access to your wireless network by MAC address.
7 Use the Roaming screen to configure the ZyAIR so that in a network environment with multiple access points, wireless stations are able to switch from one access point to another as they move between the coverage areas.
8 Configure the built-in authentication database in the Local User Database screen.

5.6 Configuring Wireless

Click the WIRELESS link under ADVANCED to display the Wireless screen. The screen varies depending upon the operating mode you select.

5.6.1 Access Point Mode

Select Access Point as the Operating Mode to display the screen as shown next.
Figure 21 Wireless: Access Point
The following table describes the general wireless LAN labels in this screen.
Table 14 Wireless: Access Point
LABEL DESCRIPTION
Operating Mode Select the operating mode from the drop-down list. The options are Access Point, Bridge/Repeater, AP+Bridge and MESSID.
Choose Channel ID Set the operating frequency/channel depending on your particular region.
To manually set the ZyAIR to use a channel, select a channel from the drop-down list box. Click MAINTENANCE and then the Channel Usage tab to open the Channel Usage screen to make sure the channel is not already used by another AP or independent peer-to-peer wireless network.
To have the ZyAIR automatically select a channel, click Scan instead. Refer to the Wizard Setup chapter for more information on channels.
Scan Click this button to have the ZyAIR automatically scan for and select a channel with the least interference.
RTS/CTS Threshold (Request To Send) The threshold (number of bytes) for enabling RTS/CTS handshake. Data with its frame size larger than this value will perform the RTS/CTS handshake. Setting this attribute to be larger than the maximum MSDU (MAC service data unit) size turns off the RTS/CTS handshake. Setting this attribute to zero turns on the RTS/CTS handshake. Enter a value between 800 and 2432.
Fragmentation Threshold The threshold (number of bytes) for the fragmentation boundary for directed messages. It is the maximum data fragment size that can be sent. Enter a value between 800 and 2432.
SSID Profile The SSID (Service Set IDentity) identifies the Service Set with which a wireless station is associated. Wireless stations associating to the access point (AP) must have the same SSID. Select an SSID Profile from the drop-down list box.
Configure SSID profiles in the SSID screen.
Note: If you are configuring the ZyAIR from a computer connected to the wireless LAN and you change the ZyAIR’s SSID or security settings, you will lose your wireless connection when you press Apply to confirm. You must then change the wireless settings of your computer to match the ZyAIR’s new settings.
Hide Name (SSID) Select this check box to hide the SSID in the outgoing beacon frame so a station cannot obtain the SSID through scanning using a site survey tool.
Enable Intra-BSS Traffic Intra-BSS traffic is traffic between wireless stations in the same BSS. Select this check box to enable Intra-BSS traffic.
Enable Breathing LED Select this check box to enable the Breathing LED, also known as the ZyAIR LED. The blue ZyAIR LED is on when the ZyAIR is on and blinks (or breathes) when data is being transmitted to/from its wireless stations.
Clear the check box to turn this LED off even when the ZyAIR is on and data is being transmitted/received.
Enable Spanning Tree Control (STP) (R)STP detects and breaks network loops and provides backup links between switches, bridges or routers. It allows a bridge to interact with other (R)STP-compliant bridges in your network to ensure that only one path exists between any two stations on the network. Select the check box to activate STP on the ZyAIR.
Output Power Set the output power of the ZyAIR in this field. If there is a high density of APs within an area, decrease the output power of the ZyAIR to reduce interference with other APs. Select one of the following: 100%(Full Power), 50%, 25% or 12.5%. These percentages represent the following power ranges:
100%(Full Power) <11b>17dBm/<11g>13dBm (<11b>50mW/<11g>20mW),
50% <11b>15dBm/<11g>11dBm (<11b>32mW/<11g>12.6mW),
25% <11b>13dBm/<11g>9dBm (<11b>20mW/<11g>7.9mW),
12.5% <11b>11dBm/<11g>7dBm (<11b>12.6mW/<11g>5mW).
Preamble Select a preamble type from the drop-down list menu. Choices are Long, Short and Dynamic. See the section on preamble for more information.
802.11 Mode Select 802.11b Only to allow only IEEE 802.11b compliant WLAN devices to associate with the ZyAIR.
Select 802.11g Only to allow only IEEE 802.11g compliant WLAN devices to associate with the ZyAIR.
Select Mixed to allow either IEEE802.11b or IEEE802.11g compliant WLAN devices to associate with the ZyAIR. The transmission rate of your ZyAIR might be reduced.
Max. Frame Burst Enable Maximum Frame Burst to help eliminate collisions in mixed-mode networks (networks with both IEEE 802.11g and IEEE 802.11b traffic) and enhance the performance of both pure IEEE 802.11g and mixed IEEE 802.11b/g networks. Maximum Frame Burst sets the maximum time, in microseconds, that the ZyAIR transmits IEEE 802.11g wireless traffic only.
Type the maximum frame burst between 0 and 1800 (650, 1000 or 1800 recommended). Enter 0 to disable this feature.
Apply Click Apply to save your changes back to the ZyAIR.
Reset Click Reset to begin configuring this screen afresh.

5.6.2 Bridge/Repeater Mode

The ZyAIR can act as a wireless network bridge and establish wireless links with other APs. You need to know the MAC address of the peer device, which also must be in bridge mode.
The ZyAIR can establish up to five wireless links with other APs.
In the example below, when both ZyAIRs are in Bridge/Repeater mode, they form a WDS (Wireless Distribution System) allowing the computers in LAN 1 to connect to the computers in LAN 2.
Figure 22 Bridging Example
Be careful to avoid bridge loops when you enable bridging in the ZyAIR. Bridge loops cause broadcast traffic to circle the network endlessly, resulting in possible throughput degradation and disruption of communications. The following examples show two network topologies that can lead to this problem:
If two or more ZyAIRs (in bridge mode) are connected to the same hub as shown next.
Figure 23 Bridge Loop: Two Bridges Connected to Hub
If your ZyAIR (in bridge mode) is connected to a wired LAN while communicating with another wireless bridge that is also connected to the same wired LAN as shown next.
Figure 24 Bridge Loop: Bridge Connected to Wired LAN
To prevent bridge loops, ensure that you enable STP in the Wireless screen or your ZyAIR is not set to bridge mode while connected to both wired and wireless segments of the same LAN.
Click the WIRELESS link under ADVANCED. Select Bridge/Repeater as the Operating Mode to have the ZyAIR act as a wireless bridge only.
Figure 25 Wireless: Bridge/Repeater
The following table describes the bridge labels in this screen.
Table 15 Wireless: Bridge/Repeater
LABEL DESCRIPTIONS
Operating Mode Select Bridge/Repeater in this field to display the screen as shown.
Choose Channel ID Set the operating frequency/channel depending on your particular region. To manually set the ZyAIR to use a channel, select a channel from the drop-down list box. Click MAINTENANCE and then the Channel Usage tab to open the Channel Usage screen to make sure the channel is not already used by another AP or independent peer-to-peer wireless network. To have the ZyAIR automatically select a channel, click Scan instead. Refer to the Wizard Setup chapter for more information on channels.
Scan Click this button to have the ZyAIR automatically scan for and select a channel with the least interference.
RTS/CTS Threshold (Request To Send) The threshold (number of bytes) for enabling RTS/CTS handshake. Data with its frame size larger than this value will perform the RTS/CTS handshake. Setting this attribute to be larger than the maximum MSDU (MAC service data unit) size turns off the RTS/CTS handshake. Setting this attribute to zero turns on the RTS/CTS handshake. Enter a value between 800 and 2432.
Fragmentation Threshold The threshold (number of bytes) for the fragmentation boundary for directed messages. It is the maximum data fragment size that can be sent. Enter a value between 800 and 2432.
Enable WDS Security Select the check box to enable WDS on your ZyAIR. A Wireless Distribution System (WDS) is a wireless connection between two or more APs. When you select the check box, you are prompted to type a Pre-Shared Key (PSK). The ZyAIR uses TKIP to encrypt traffic on the WDS between APs. Note: Other APs must use the same encryption method to enable WDS.
# This is the index number of the bridge connection.
Active Select the check box to enable the bridge connection. Otherwise, clear the check box to disable it.
Remote Bridge MAC Address Type the MAC address of the peer device in a valid MAC address format, that is, six hexadecimal character pairs, for example, 12:34:56:78:9a:bc.
PSK Type a pre-shared key from 8 to 63 case-sensitive ASCII characters (including spaces and symbols).
See Table 14 on page 65 for information on the other labels in this screen.

5.6.3 AP+Bridge Mode

Click the WIRELESS link under ADVANCED. Select AP+Bridge as the Operating Mode to display the screen as shown next. In this screen, you can configure the ZyAIR to function as an AP and bridge simultaneously. See the section on ZyAIR applications for more information.
Figure 26 Wireless: AP+Bridge
See the tables describing the fields in the Access Point and Bridge/Repeater operating modes for descriptions of the fields in this screen.

5.6.4 Multiple ESS Mode

Select MESSID as the Operating Mode to display the screen. Refer to the chapter on Multiple ESS and VLAN for configuration and detailed information. See the chapter on wireless security for details on the security settings.
Note: The following screens are configurable only in Access Point and AP+Bridge operating modes.
CHAPTER 6

Wireless Security Configuration

This chapter describes how to use the Security, RADIUS and Local User Database screens to configure wireless security on your ZyAIR.

6.1 Wireless Security Overview

Wireless security is vital to your network to protect wireless communication between wireless stations, access points and the wired network.
Wireless security methods available on the ZyAIR are data encryption, wireless client authentication, restricting access by device MAC address and hiding the ZyAIR identity.

6.1.1 Encryption

• Use WPA(2) security if you have WPA(2)-aware wireless clients and a RADIUS server. WPA has user authentication and improved data encryption over WEP.
• Use WPA(2)-PSK if you have WPA(2)-aware wireless clients but no RADIUS server.
• If you don’t have WPA(2)-aware wireless clients, then use WEP key encryption. A higher bit key offers better security at a throughput trade-off. You can manually enter 64-bit or 128-bit WEP keys.

6.1.2 Authentication

WPA has user authentication and you can also configure IEEE 802.1x to use the built-in database (Local User Database) or a RADIUS server to authenticate wireless clients before joining your network.
• Use RADIUS authentication if you have a RADIUS server. See the appendices for information on protocols used when a client authenticates with a RADIUS server via the ZyAIR.
• Use the Local User Database if you have fewer than 32 wireless clients in your network. The ZyAIR uses MD5 encryption when a client authenticates with the Local User Database.

6.1.3 Restricted Access

The MAC Filter screen allows you to configure the AP to give exclusive access to devices (Allow Association) or exclude them from accessing the AP (Deny Association).

6.1.4 Hide ZyAIR Identity

If you hide the ESSID, then the ZyAIR cannot be seen when a wireless client scans for local APs. The trade-off for the extra security of “hiding” the ZyAIR may be inconvenience for some valid WLAN clients.

6.1.5 WEP Encryption

WEP encryption scrambles the data transmitted between the wireless stations and the access points to keep network communications private. It encrypts unicast and multicast communications in a network. Both the wireless stations and the access points must use the same WEP key.
Your ZyAIR allows you to configure up to four 64-bit or 128-bit WEP keys but only one key can be enabled at any one time.

6.2 Configuring WEP Encryption

To configure and enable WEP encryption, click the WIRELESS link under ADVANCED to display the Wireless screen.
Note: The WEP Encryption, Authentication Method and the WEP key fields are not visible when you enable Dynamic WEP Key, WPA or WPA-PSK in the Security screen.

6.3 802.1x Overview

The IEEE 802.1x standard outlines enhanced security methods for both the authentication of wireless stations and encryption key management. Authentication can be done using the local user database internal to the ZyAIR (authenticate up to 32 users) or an external RADIUS server for an unlimited number of users.

6.4 EAP Authentication Overview

EAP (Extensible Authentication Protocol) is an authentication protocol that runs on top of the IEEE 802.1x transport mechanism in order to support multiple types of user authentication. By using EAP to interact with an EAP-compatible RADIUS server, the access point helps a wireless station and a RADIUS server perform authentication.
The type of authentication you use depends on the RADIUS server or the AP. The ZyAIR supports EAP-TLS, EAP-TTLS, EAP-MD5 and PEAP with RADIUS. Refer to the Types of EAP Authentication appendix for descriptions of the common types.
The following figure shows an overview of authentication when you specify a RADIUS server on your access point.
Figure 27 EAP Authentication
The details below provide a general description of how IEEE 802.1x EAP authentication works. For an example list of EAP-MD5 authentication steps, see the IEEE 802.1x appendix.
1 The wireless station sends a “start” message to the ZyAIR.
2 The ZyAIR sends a “request identity” message to the wireless station for identity information.
3 The wireless station replies with identity information, including username and password.
4 The RADIUS server checks the user information against its user profile database and determines whether or not to authenticate the wireless station.

6.5 Dynamic WEP Key Exchange

The AP maps a unique key that is generated with the RADIUS server. This key expires when the wireless connection times out, disconnects or reauthentication times out. A new WEP key is generated each time reauthentication is performed.
To use Dynamic WEP, enable and configure the RADIUS server and enable one of the Dynamic WEP Security Modes in the Security screen. Ensure that the wireless station’s EAP type is configured to one of the following:
• EAP-TLS
• EAP-TTLS
• PEAP
Note: EAP-MD5 cannot be used with Dynamic WEP Key Exchange.

6.6 Introduction to WPA

Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i standard. Key differences between WPA and WEP are user authentication and improved data encryption.

6.6.1 User Authentication

WPA applies IEEE 802.1x and Extensible Authentication Protocol (EAP) to authenticate wireless clients using an external RADIUS database. See later in this chapter and the appendices for more information on IEEE 802.1x, RADIUS, EAP and PEAP.
If you don’t have an external RADIUS server, you should use WPA-PSK (WPA-Pre-Shared Key), which only requires a single (identical) password entered into each access point, wireless gateway and wireless client. As long as the passwords match, a client will be granted access to a WLAN.

6.6.2 Encryption

WPA improves data encryption by using Temporal Key Integrity Protocol (TKIP), Message Integrity Check (MIC) and IEEE 802.1x.
Temporal Key Integrity Protocol (TKIP) uses 128-bit keys that are dynamically generated and distributed by the authentication server. It includes a per-packet key mixing function, a Message Integrity Check (MIC) named Michael, an extended initialization vector (IV) with sequencing rules, and a re-keying mechanism.
TKIP regularly changes and rotates the encryption keys so that the same encryption key is never used twice. The RADIUS server distributes a Pairwise Master Key (PMK) to the AP, which then sets up a key hierarchy and management system, using the pairwise key to dynamically generate unique data encryption keys to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients. This all happens in the background automatically.
The Message Integrity Check (MIC) is designed to prevent an attacker from capturing data packets, altering them and resending them. The MIC provides a strong mathematical function in which the receiver and the transmitter each compute and then compare the MIC. If they do not match, it is assumed that the data has been tampered with and the packet is dropped.
By generating unique data encryption keys for every data packet and by creating an integrity checking mechanism (MIC), TKIP makes it much more difficult to decode data on a Wi-Fi network than WEP, making it difficult for an intruder to break into the network.
The encryption mechanisms used for WPA and WPA-PSK are the same. The only difference between the two is that WPA-PSK uses a simple common password, instead of user-specific credentials. The common-password approach makes WPA-PSK susceptible to brute-force password-guessing attacks but it’s still an improvement over WEP as it employs an easier-to-use, consistent, single, alphanumeric password.

6.6.3 WPA(2)-PSK Application Example

A WPA(2)-PSK application looks as follows.
1 First enter identical passwords into the AP and all wireless clients. The Pre-Shared Key (PSK) must consist of between 8 and 63 ASCII characters (including spaces and symbols).
2 The AP checks each wireless client's password and (only) allows it to join the network if the password matches.
3 The AP derives and distributes keys to the wireless clients.
4 The AP and wireless clients use the TKIP or AES encryption process to encrypt data exchanged between them.
Figure 28 WPA(2)-PSK Authentication
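The key derivation behind steps 1 to 3, as an added example that is not part of the manual or ZyXEL's firmware: IEEE 802.11i turns the passphrase into a 256-bit master key with PBKDF2-HMAC-SHA1, salted with the SSID, so the passphrase is the only secret and its strength decides how well the mode resists guessing. The function names, the 16-character audit threshold and the sample values are assumptions made for this sketch.

```python
"""WPA(2)-PSK: validate a passphrase, derive the master key, audit its strength."""
import hashlib

PSK_MIN, PSK_MAX = 8, 63      # passphrase length limits given in the manual
PBKDF2_ROUNDS = 4096          # iteration count fixed by IEEE 802.11i
PMK_LEN = 32                  # 256-bit pairwise master key


def validate_passphrase(passphrase):
    """Raise ValueError unless the passphrase is 8 to 63 printable ASCII characters."""
    if not PSK_MIN <= len(passphrase) <= PSK_MAX:
        raise ValueError("passphrase must be 8 to 63 characters")
    if not all(32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("passphrase must be printable ASCII")


def derive_pmk(passphrase, ssid):
    """Return the 32-byte key that the AP and every client compute independently."""
    validate_passphrase(passphrase)
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), salt, PBKDF2_ROUNDS, PMK_LEN
    )


def audit_passphrase(passphrase, ssid, min_len=16):
    """Return a list of weaknesses; min_len is this example's own threshold."""
    try:
        validate_passphrase(passphrase)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if len(passphrase) < min_len:
        findings.append(f"shorter than {min_len} characters")
    if ssid and ssid.lower() in passphrase.lower():
        findings.append("contains the SSID")
    if passphrase.isdigit() or passphrase.isalpha():
        findings.append("uses a single character class")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not taken from any real network.
    for phrase, ssid in [
        ("password", "IEEE"),
        ("zyair-guest-2005", "ZyAIR"),
        ("correct horse battery staple 42", "OfficeAP"),
    ]:
        print(ssid, derive_pmk(phrase, ssid).hex()[:16], audit_passphrase(phrase, ssid))
```

Because the SSID is the salt, the same passphrase on two differently named networks yields two different master keys, and renaming the SSID changes the key even when the passphrase stays the same.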

6.7 WPA(2) with RADIUS Application Example

You need the IP address of the RADIUS server, its port number (default is 1812), and the RADIUS shared secret. A WPA(2) application example with an external RADIUS server looks as follows. “A” is the RADIUS server. “DS” is the distribution system.
1 The AP passes the wireless client’s authentication request to the RADIUS server.
2 The RADIUS server then checks the user's identification against its database and grants or denies network access accordingly.
3 The RADIUS server distributes a Pairwise Master Key (PMK) to the AP, which then sets up a key hierarchy and management system, using the pairwise key to dynamically generate unique data encryption keys to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients.
Figure 29 WPA(2) with RADIUS Application Example

6.8 Security Modes

The following table describes the security modes you can configure.
Table 16 Security Modes
SECURITY MODE DESCRIPTION
None Select this to have no data encryption.
WEP Select this to use WEP encryption.
802.1x-Only Select this to use 802.1x authentication with no data encryption.
802.1x-Dynamic64 Select this to use 802.1x authentication with a dynamic 64bit WEP key.
802.1x-Dynamic128 Select this to use 802.1x authentication with a dynamic 128bit WEP key.
802.1x-Static64 Select this to use 802.1x authentication with a static 64bit WEP key and an authentication server.
802.1x-Static128 Select this to use 802.1x authentication with a static 128bit WEP key and an authentication server.
WPA-PSK Select this to use WPA with a pre-shared key.
WPA2-PSK Select this to use WPA2 with a pre-shared key.
WPA2-PSK-MIX Select this to use either WPA-PSK or WPA2-PSK depending on which security mode the wireless client uses.
WPA Select this to use WPA.
WPA-MIX Select this to use either WPA or 802.1x Only depending on which security mode the wireless client uses.
WPA2 Select this to use WPA2.
WPA2-MIX Select this to use either WPA2 or WPA depending on which security mode the wireless client uses.
No-Access Select this to prevent wireless client access to the ZyAIR.

6.9 Security Modes and Wireless Client Compatibility

Different security modes can be configured for each SSID. However, not all security modes are compatible with the security mode of the wireless client. The following table shows combinations of security modes between a Windows XP wireless client and the ZyAIR. Combinations of security modes not marked with an “O” or not listed may not be able to make a connection using the SSID. Other wireless clients such as Funk Odyssey may connect using a security combination not listed in the table.
Table 17 Security Modes for ZyAIR and Windows XP Wireless Client
[Matrix of ZyAIR security modes against Windows XP wireless client security modes. Modes listed: NONE, NO ACCESS, WEP, 8021X-ONLY, 8021X-DYNAMIC, 8021X-STATIC, WPA, WPA-PSK, WPA-MIX, WPA2, WPA2-PSK, WPA2-MIX, WPA2-PSK-MIX. Compatible combinations are marked “O”.]

6.10 Wireless Client WPA Supplicants

A wireless client supplicant is the software that runs on an operating system instructing the wireless client how to use WPA. At the time of writing, the most widely available supplicants are the WPA patch for Windows XP, Funk Software's Odyssey client, and Meetinghouse Data Communications' AEGIS client.
The Windows XP patch is a free download that adds WPA capability to Windows XP's built-in "Zero Configuration" wireless client. However, you must run Windows XP to use it.
Funk Software's Odyssey client is bundled free (at the time of writing) with the client wireless adaptor(s).

6.11 Wireless Security Effectiveness

The following table shows the relative effectiveness of the wireless security methods available on your ZyAIR. EAP (Extensible Authentication Protocol) is used for authentication and utilizes dynamic WEP key exchange. It requires interaction with a RADIUS (Remote Authentication Dial-In User Service) server either on the WAN or your LAN to provide authentication service for wireless stations.
Table 18 ZyAIR Wireless Security Levels
Security Level Security Type
Least Secure: Unique SSID (Default)
Unique SSID with Hide SSID Enabled
MAC Address Filtering
WEP Encryption
IEEE 802.1x EAP with RADIUS Server Authentication
Wi-Fi Protected Access (WPA)
Most Secure: WPA2
If you do not enable any wireless security on your ZyAIR, your network is accessible to any wireless networking device that is within range.

6.12 Configuring Security

Use the Security screen to create security profiles. A security profile is a group of configuration settings which can be assigned to an SSID profile in the SSID configuration screen.
You can configure up to 16 security profiles.
To change your ZyAIR’s wireless security settings, click the WIRELESS link under ADVANCED and then the Security tab.
Figure 30 Security
The following table describes the labels in this screen.
Table 19 Security
LABEL DESCRIPTION
Index This is the index number of the security profile address.
Profile Name This field displays a name given to a security profile in the Security configuration screen.
Security Mode This field displays the security mode given to this security profile.
Edit Select an entry from the list and click Edit to open a screen to configure a security mode, and to name the security profile.
The next screen varies by the Security Mode you select.

6.12.1 Security: No Access

Select No Access in the Security Mode field to display the following screen.
Figure 31 Security: No Access or None
The following table describes the labels in this screen.
Table 20 Security: No Access or None
LABEL DESCRIPTION
Name Type a name to identify this security profile.
Security Mode Choose No Access or None in this field.
Apply Click Apply to save your changes back to the ZyAIR.
Reset Click Reset to begin configuring this screen afresh.

6.12.2 Security: WEP

Select WEP in the Security Mode field to display the following screen.
Figure 32 Security: WEP
The following table describes the labels in this screen.
Table 21 Security: WEP
LABEL DESCRIPTION
Name Type a name to identify this security profile.
Security Mode Choose WEP in this field.
WEP Encryption Select Disable to allow wireless stations to communicate with the access points without any data encryption. Select 64-bit WEP or 128-bit WEP to enable data encryption.
Authentication Method Select Auto, Open System or Shared Key from the drop-down list box. The default setting is Auto.
ASCII Select this option to enter ASCII characters as the WEP keys.
Hex Select this option to enter hexadecimal characters as the WEP keys. The preceding “0x” is entered automatically.
Key 1 to Key 4 The WEP keys are used to encrypt data. Both the ZyAIR and the wireless stations must use the same WEP key for data transmission. If you chose 64-bit WEP, then enter any 5 ASCII characters or 10 hexadecimal characters ("0-9", "A-F"). If you chose 128-bit WEP, then enter 13 ASCII characters or 26 hexadecimal characters ("0-9", "A-F"). You must configure all four keys, but only one key can be activated at any one time. The default key is key 1.
Apply Click Apply to save your changes back to the ZyAIR.
Reset Click Reset to begin configuring this screen afresh.

6.12.3 Security: 802.1x Only, 802.1x Static 64-bit WEP, 128-bit WEP

Select 802.1x Only, 802.1x Static 64 or 802.1x Static 128 in the Security Mode field to display the following screen.
Figure 33 Security: 802.1x Only, 802.1x Static 64-bit WEP, 128-bit WEP
The following table describes the labels in this screen.
Table 22 Security: 802.1x Only, 802.1x Static 64-bit WEP, 128-bit WEP
LABEL DESCRIPTION
Name Type a name to identify this security profile.
Security Mode Choose 802.1x Only, 802.1x Static 64 or 802.1x Static 128 in this field.
ASCII Select this option to enter ASCII characters as the WEP keys.
Hex Select this option to enter hexadecimal characters as the WEP keys. The preceding “0x” is entered automatically.
Key 1 to Key 4 If you chose 64-bit WEP in the WEP Encryption field, then enter any 5 characters (ASCII string) or 10 hexadecimal characters ("0-9", "A-F") preceded by 0x for each key. If you chose 128-bit WEP in the WEP Encryption field, then enter 13 characters (ASCII string) or 26 hexadecimal characters ("0-9", "A-F") preceded by 0x for each key. There are four data encryption keys to secure your data from eavesdropping by unauthorized wireless users. The values for the keys must be set up exactly the same on the access points as they are on the wireless stations. The preceding “0x” is entered automatically. You must configure all four keys, but only one key can be activated at any one time. The default key is key 1.
ReAuthentication Timer Specify how often wireless stations have to resend user names and passwords in order to stay connected. Enter a time interval between 10 and 9999 seconds. The default time interval is 1800 seconds (30 minutes). Note: If wireless station authentication is done using a RADIUS server, the reauthentication timer on the RADIUS server has priority.
Idle Timeout The ZyAIR automatically disconnects a wireless station from the wired network after a period of inactivity. The wireless station needs to enter the user name and password again before access to the wired network is allowed. The default time interval is 3600 seconds (or 1 hour).
Authentication Databases The authentication database contains wireless station login information. The local user database is the built-in database on the ZyAIR. The RADIUS is an external server. Use this drop-down list box to select which database the ZyAIR should use (first) to authenticate a wireless station. Before you specify the priority, make sure you have set up the corresponding database correctly first. Select Local User Database Only to have the ZyAIR just check the built-in user database on the ZyAIR for a wireless station's username and password. Select RADIUS Only to have the ZyAIR just check the user database on the specified RADIUS server for a wireless station's username and password. Select Local first, then RADIUS to have the ZyAIR first check the user database on the ZyAIR for a wireless station's username and password. If the user name is not found, the ZyAIR then checks the user database on the specified RADIUS server. Select RADIUS first, then Local to have the ZyAIR first check the user database on the specified RADIUS server for a wireless station's username and password. If the ZyAIR cannot reach the RADIUS server, the ZyAIR then checks the local user database on the ZyAIR. When the user name is not found or password does not match in the RADIUS server, the ZyAIR will not check the local user database and the authentication fails.
Apply Click Apply to save your changes back to the ZyAIR.
Reset Click Reset to begin configuring this screen afresh.

6.12.4 Security: 802.1x Dynamic 64-bit WEP, 128-bit WEP

Select 802.1x Dynamic 64 or 802.1x Dynamic 128 in the Security Mode field to display the following screen.
Figure 34 Security: 802.1x Dynamic 64-bit WEP, 128-bit WEP
The following table describes the labels in this screen.
Table 23 Security: 802.1x Dynamic 64-bit WEP, 128-bit WEP
LABEL DESCRIPTION
Name Type a name to identify this security profile.
Security Mode Choose 802.1x Dynamic 64 or 802.1x Dynamic 128 in this field.
ReAuthentication Timer Specify how often wireless stations have to resend usernames and passwords in order to stay connected. Enter a time interval between 10 and 9999 seconds. The default time interval is 1800 seconds (30 minutes). Note: If wireless station authentication is done using a RADIUS server, the reauthentication timer on the RADIUS server has priority.
Idle Timeout The ZyAIR automatically disconnects a wireless station from the wired network after a period of inactivity. The wireless station needs to enter the username and password again before access to the wired network is allowed. The default time interval is 3600 seconds (or 1 hour).
Authentication Databases The authentication database contains wireless station login information. The local user database is the built-in database on the ZyAIR. The RADIUS is an external server. Use this drop-down list box to select which database the ZyAIR should use (first) to authenticate a wireless station. Before you specify the priority, make sure you have set up the corresponding database correctly first. Select Local User Database Only to have the ZyAIR just check the built-in user database on the ZyAIR for a wireless station's username and password. Select RADIUS Only to have the ZyAIR just check the user database on the specified RADIUS server for a wireless station's username and password. Select Local first, then RADIUS to have the ZyAIR first check the user database on the ZyAIR for a wireless station's username and password. If the user name is not found, the ZyAIR then checks the user database on the specified RADIUS server. Select RADIUS first, then Local to have the ZyAIR first check the user database on the specified RADIUS server for a wireless station's username and password. If the ZyAIR cannot reach the RADIUS server, the ZyAIR then checks the local user database on the ZyAIR. When the user name is not found or password does not match in the RADIUS server, the ZyAIR will not check the local user database and the authentication fails.
Apply Click Apply to save your changes back to the ZyAIR.
Reset Click Reset to begin configuring this screen afresh.
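The four Authentication Databases settings described in Tables 22 and 23 fall back asymmetrically, which the following added example models; it is not ZyXEL code, the class and function names and the sample accounts are constructed, and rejecting a wrong local password without consulting RADIUS is this example's reading of "If the user name is not found".

```python
"""Model of the Authentication Databases selection order described in the manual."""
import hmac
from enum import Enum


class Mode(Enum):
    LOCAL_ONLY = "Local User Database Only"
    RADIUS_ONLY = "RADIUS Only"
    LOCAL_THEN_RADIUS = "Local first, then RADIUS"
    RADIUS_THEN_LOCAL = "RADIUS first, then Local"


class Result(Enum):
    ACCEPT = "accept"
    BAD_PASSWORD = "bad password"
    UNKNOWN_USER = "unknown user"
    UNREACHABLE = "server unreachable"


class UserStore:
    """Hypothetical stand-in for either database; reachable=False models an outage."""

    def __init__(self, users, reachable=True):
        self.users = dict(users)
        self.reachable = reachable

    def check(self, username, password):
        if not self.reachable:
            return Result.UNREACHABLE
        stored = self.users.get(username)
        if stored is None:
            return Result.UNKNOWN_USER
        same = hmac.compare_digest(stored.encode(), password.encode())
        return Result.ACCEPT if same else Result.BAD_PASSWORD


def authenticate(mode, username, password, local, radius):
    """Return (granted, trail); trail records each database consulted and its answer."""
    trail = []

    def ask(name, store):
        result = store.check(username, password)
        trail.append((name, result))
        return result

    if mode is Mode.LOCAL_ONLY:
        final = ask("local", local)
    elif mode is Mode.RADIUS_ONLY:
        final = ask("radius", radius)
    elif mode is Mode.LOCAL_THEN_RADIUS:
        final = ask("local", local)
        if final is Result.UNKNOWN_USER:     # only a missing name falls through
            final = ask("radius", radius)
    elif mode is Mode.RADIUS_THEN_LOCAL:
        final = ask("radius", radius)
        if final is Result.UNREACHABLE:      # only an outage falls through
            final = ask("local", local)
    else:
        raise ValueError(f"unknown mode: {mode!r}")
    return final is Result.ACCEPT, trail


def outage_only_logins(local, radius):
    """Local credentials RADIUS would refuse: usable only while RADIUS is unreachable."""
    return sorted(
        user for user, pw in local.users.items() if radius.users.get(user) != pw
    )


if __name__ == "__main__":
    # Constructed accounts: "carol" was removed from RADIUS but not from the ZyAIR.
    local = UserStore({"alice": "alice-pass", "carol": "carol-pass"})
    radius = UserStore({"alice": "alice-pass", "bob": "bob-pass"})
    print(authenticate(Mode.RADIUS_THEN_LOCAL, "carol", "carol-pass", local, radius))
    radius.reachable = False
    print(authenticate(Mode.RADIUS_THEN_LOCAL, "carol", "carol-pass", local, radius))
    print(outage_only_logins(local, radius))
```

Under RADIUS first, then Local, an account deleted on the RADIUS server but left in the local user database is refused while the server answers and accepted as soon as it does not, so the local database needs the same deprovisioning as the server.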

6.12.5 Security: WPA, WPA-MIX, WPA2, WPA2-MIX

Select WPA, WPA-MIX, WPA2 or WPA2-MIX in the Security Mode field to display the following screen.
Figure 35 Security: WPA, WPA-MIX, WPA2 or WPA2-MIX
The following table describes the labels not previously discussed.
Table 24 Security: WPA, WPA-MIX, WPA2 or WPA2-MIX
LABEL DESCRIPTIONS
Name Type a name to identify this security profile.
Security Mode Choose WPA, WPA-MIX, WPA2 or WPA2-MIX in this field.
ReAuthentication Timer Specify how often wireless stations have to resend usernames and passwords in order to stay connected. Enter a time interval between 10 and 9999 seconds. The default time interval is 1800 seconds (30 minutes). Note: If wireless station authentication is done using a RADIUS server, the reauthentication timer on the RADIUS server has priority.
Idle Timeout The ZyAIR automatically disconnects a wireless station from the wired network after a period of inactivity. The wireless station needs to enter the username and password again before access to the wired network is allowed. The default time interval is 3600 seconds (or 1 hour).
Group Key Update Timer The Group Key Update Timer is the rate at which the AP (if using WPA-PSK key management) or RADIUS server (if using WPA key management) sends a new group key out to all clients. The re-keying process is the WPA equivalent of automatically changing the WEP key for an AP and all stations in a WLAN on a periodic basis. Setting of the Group Key Update Timer is also supported in WPA-PSK mode. The ZyAIR default is 1800 seconds (30 minutes).
Apply Click Apply to save your changes back to the ZyAIR.
Reset Click Reset to begin configuring this screen afresh.

6.12.6 Security: WPA-PSK, WPA2-PSK, WPA2-PSK-MIX

Select WPA-PSK, WPA2-PSK or WPA2-PSK-MIX in the Security Mode field to display the following screen.
Figure 36 Security: WPA-PSK, WPA2-PSK or WPA2-PSK-MIX
The following table describes the labels not previously discussed.
Table 25 Security: WPA-PSK, WPA2-PSK or WPA2-PSK-MIX
LABEL DESCRIPTION
Name Type a name to identify this security profile.
Security Mode Choose WPA-PSK, WPA2-PSK or WPA2-PSK-MIX in this field.
Pre-Shared Key The encryption mechanisms used for WPA and WPA-PSK are the same. The only difference between the two is that WPA-PSK uses a simple common password, instead of user-specific credentials. Type a pre-shared key from 8 to 63 case-sensitive ASCII characters (including spaces and symbols).
ReAuthentication Timer Specify how often wireless stations have to resend usernames and passwords in order to stay connected. Enter a time interval between 10 and 9999 seconds. The default time interval is 1800 seconds (30 minutes). Note: If wireless station authentication is done using a RADIUS server, the reauthentication timer on the RADIUS server has priority.
Idle Timeout The ZyAIR automatically disconnects a wireless station from the wired network after a period of inactivity. The wireless station needs to enter the username and password again before access to the wired network is allowed. The default time interval is 3600 seconds (or 1 hour).
Group Key Update Timer The Group Key Update Timer is the rate at which the AP (if using WPA-PSK key management) or RADIUS server (if using WPA key management) sends a new group key out to all clients. The re-keying process is the WPA equivalent of automatically changing the WEP key for an AP and all stations in a WLAN on a periodic basis. Setting of the Group Key Update Timer is also supported in WPA-PSK mode. The ZyAIR default is 1800 seconds (30 minutes).
Apply Click Apply to save your changes back to the ZyAIR.
Reset Click Reset to begin configuring this screen afresh.

6.13 Introduction to RADIUS

RADIUS is based on a client-server model that supports authentication and accounting, where the access point is the client and the server is the RADIUS server. The RADIUS server handles the following tasks among others:
• Authentication
Determines the identity of the users.
• Accounting
Keeps track of the client’s network activity.
RADIUS is a simple packet exchange in which your ZyAIR acts as a message relay between the wireless station and the network RADIUS server.

6.14 Configuring RADIUS

Use RADIUS if you want to authenticate wireless users using an external server.
You can configure up to four RADIUS server profiles. Each profile also has one backup authentication server and a backup accounting server. These profiles can be assigned to an SSID profile in the SSID configuration screen.
To set up your ZyAIR’s RADIUS server settings, click the WIRELESS link under ADVANCED and then the RADIUS tab. The screen appears as shown.
Figure 37 RADIUS
The following table describes the labels in this screen.
Table 26 RADIUS
LABEL DESCRIPTION
Index Select the RADIUS profile you want to configure from the drop-down list box.
Profile Name Type a name for the RADIUS profile associated with the Index number above.
Primary Configure the fields below to perform user authentication and accounting through external servers.
Backup If the ZyAIR cannot authenticate a wireless station(s) using the Primary RADIUS server or communicate with the Primary accounting server, you can have the ZyAIR use a Backup RADIUS server. Make sure the Active check boxes are selected if you want to use backup servers. The ZyAIR will attempt to communicate three times before using the Backup servers. Requests can be issued from the client interface to use the backup server. The length of time for each authentication is decided by the wireless client or based on the configuration of the ReAuthentication Timer field in the Security screen.
Active Select the check box to enable user authentication through an external authentication server. Clear the check box to enable user authentication using the local user profile on the ZyAIR.
RADIUS Server IP Address Enter the IP address of the external authentication server in dotted decimal notation.
RADIUS Server Port Enter the port number of the external authentication server. The default port number is 1812. You need not change this value unless your network administrator instructs you to do so with additional information.
Share Secret Enter a password (up to 31 alphanumeric characters) as the key to be shared between the external authentication server and the ZyAIR. The key must be the same on the external authentication server and your ZyAIR. The key is not sent over the network.
Active Select the check box to enable user accounting through an external authentication server.
Accounting Server IP Address Enter the IP address of the external accounting server in dotted decimal notation.
Accounting Server Port Enter the port number of the external accounting server. The default port number is 1813. You need not change this value unless your network administrator instructs you to do so with additional information.
Share Secret Enter a password (up to 31 alphanumeric characters) as the key to be shared between the external authentication server and the ZyAIR. The key must be the same on the external authentication server and your ZyAIR. The key is not sent over the network.
Apply Click Apply to save your changes back to the ZyAIR.
Reset Click Reset to begin configuring this screen afresh.
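The Share Secret rows above state that the key is never sent over the network. The following sketch, an added example that is not ZyXEL's code, shows how RADIUS (RFC 2865, with the RFC 3579 Message-Authenticator used alongside EAP) uses the secret only as hash input, and how a reply built with a mismatched secret fails verification on the AP side. All function names and sample values are assumptions constructed for the illustration.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_MESSAGE_AUTHENTICATOR = 1, 80


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret: bytes, ident: int, user: bytes, req_auth: bytes) -> bytes:
    """AP side: Access-Request whose Message-Authenticator is HMAC-MD5 keyed with the secret."""
    name = attr(ATTR_USER_NAME, user)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(name) + 18) + req_auth
    # The HMAC is computed with the Message-Authenticator value set to 16 zero bytes.
    zeroed = header + name + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return header + name + attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def build_reply(secret: bytes, code: int, ident: int, req_auth: bytes, attrs: bytes = b"") -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs


def reply_is_authentic(secret: bytes, reply: bytes, req_auth: bytes) -> bool:
    """AP side: recompute the Response Authenticator with the locally configured secret."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def demo() -> dict:
    ap_secret = b"constructed-shared-secret"  # constructed sample, not a real key
    req_auth = os.urandom(16)                 # Request Authenticator must be unpredictable
    request = build_access_request(ap_secret, 7, b"alice", req_auth)
    good = build_reply(ap_secret, ACCESS_ACCEPT, 7, req_auth)
    bad = build_reply(b"mistyped-secret", ACCESS_ACCEPT, 7, req_auth)
    return {
        "secret_on_wire": ap_secret in request + good,
        "matching_secret": reply_is_authentic(ap_secret, good, req_auth),
        "mismatched_secret": reply_is_authentic(ap_secret, bad, req_auth),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reports that the secret appears in neither packet, that the reply built with the matching secret verifies, and that the reply built with a mistyped secret is rejected. Since every check is a hash keyed with this one value, a long random secret using the full 31 characters is worth the effort.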

6.15 Configuring Local User Database

To change your ZyAIR’s local user database, click the WIRELESS link under ADVANCED and then the Local User Database tab. The screen appears as shown.
Figure 38 Local User Database
The following table describes the labels in this screen.
Table 27 Local User Database
LABEL DESCRIPTION
Active Select this check box to activate the user profile.
User Name Enter the username (up to 31 characters) for this user profile.
Password Type a password (up to 31 characters) for this user profile. Note that as you type a password, the screen displays a (*) for each character you type.
Apply Click Apply to save your changes back to the ZyAIR.
Reset Click Reset to begin configuring this screen afresh.

CHAPTER 7
Multiple ESS, SSID and VLAN

This chapter describes how to configure multiple ESS, SSID and VLAN on your ZyAIR.

7.1 Wireless LAN Infrastructures

See the Wizard Setup and Wireless LAN chapters for some basic WLAN scenarios and terminology.

7.1.1 Multiple ESS

Traditionally, you needed different APs to configure different ESSs. As well as the cost of buying extra APs, there was also the possibility of channel interference. The ZyAIR’s Multiple ESS (Multi-ESS) function allows multiple ESSs to be configured on just one access point (the ZyAIR).
Wireless stations can use different ESS IDs to associate with the same AP. Only wireless stations with the same ESS ID can communicate with each other. This allows the AP to logically group wireless stations in a manner similar to VLAN (Virtual LAN).
With Multi-ESS, the ZyAIR ignores the ToS in the header of data packets and uses a single QoS priority level for all of an ESS’s traffic.

7.1.2 Notes on Multiple-ESS

• A maximum of eight ESSs are allowed on one AP.
• Each ESS has its own MAC filter set; see the MAC filter set section for more information.
• When you enable Multi-ESS on the ZyAIR, you need to configure separate Unicast and Multicast/Broadcast keys for each ESS. A Unicast transmission is from one sender to one recipient. A broadcast transmission is from one sender to everybody on the network. A Multicast transmission is from one sender to a group of hosts on the network.
• You must use different WEP keys for different ESSs. If two stations have different ESS IDs (they are in different ESSs), but have the same WEP keys, they may hear each other’s communications (but not communicate with each other).
• When you enable Multi-ESS, ESS IDs are automatically hidden (so site survey tools cannot find other station ESS IDs).
• Multi-ESS should not replace but rather be used in conjunction with 802.1x security.

7.1.3 Multiple ESS Example

Refer to the section on ZyAIR applications for more information.

7.1.4 Multi-ESS with VLAN Example

In this example, VLAN 2 is the management VLAN and includes the computers in ESS1 and LAN 1. Computers in ESS2 and LAN 2 belong to VLAN 2. “Wireless group” ESS1 is limited to accessing the resources on LAN 1 and similarly “wireless group” ESS2 may only access resources on LAN 2.
The switch adds the PVID tag to incoming frames that don’t already have tags on switch ports where PVID is enabled.
Figure 39 Multi-ESS with VLAN Example

7.1.5 Configuring Multiple ESS

Click the WIRELESS link under ADVANCED and the Wireless tab. Select MESSID in the Operating Mode drop-down list box to display the screen as shown.
Figure 40 Wireless: Multiple ESS
The following table describes the labels in this screen.
Table 28 Wireless: Multiple ESS
LABEL DESCRIPTION
Operating Mode Select MESSID in this field to display the screen as shown.
Choose Channel ID Set the operating frequency/channel depending on your particular region. To manually set the ZyAIR to use a channel, select a channel from the drop-down list box. Click MAINTENANCE and then the Channel Usage tab to open the Channel Usage screen to make sure the channel is not already used by another AP or independent peer-to-peer wireless network. To have the ZyAIR automatically select a channel, click Scan instead. Refer to the Wizard Setup chapter for a little more information on channels.
Scan To have the ZyAIR automatically select a channel, click Scan instead.
RTS/CTS Threshold (Request To Send) The threshold (number of bytes) for enabling RTS/CTS handshake. Data with its frame size larger than this value will perform the RTS/CTS handshake. Setting this attribute to be larger than the maximum MSDU (MAC service data unit) size turns off the RTS/CTS handshake. Setting this attribute to zero turns on the RTS/CTS handshake. Enter a value between 800 and 2432.
Fragmentation Threshold The threshold (number of bytes) for the fragmentation boundary for directed messages. It is the maximum data fragment size that can be sent. Enter a value between 800 and 2432.
Select SSID Profile The SSID (Service Set IDentity) identifies the Service Set with which a wireless station is associated. Wireless stations associating to the access point (AP) must have the same SSID.
Note: If you are configuring the ZyAIR from a computer connected to the wireless LAN and you change the ZyAIR’s SSID or security settings, you will lose your wireless connection when you press Apply to confirm. You must then change the wireless settings of your computer to match the ZyAIR’s new settings.
Index Select the check box to activate an ESS on the ZyAIR.
Profile Select an SSID Profile from the drop-down list box. Configure SSID profiles in the SSID screen.
Enable Intra-BSS Traffic Intra-BSS traffic is traffic between wireless stations in the same BSS. Select this check box to enable Intra-BSS traffic.
Enable Breathing LED Select this check box to enable the Breathing LED, also known as the ZyAIR LED. The blue ZyAIR LED is on when the ZyAIR is on and blinks (or breathes) when data is being transmitted to/from its wireless stations. Clear the check box to turn this LED off even when the ZyAIR is on and data is being transmitted/received.
Enable Spanning Tree Control (STP) (R)STP detects and breaks network loops and provides backup links between switches, bridges or routers. It allows a bridge to interact with other (R)STP-compliant bridges in your network to ensure that only one path exists between any two stations on the network. Select the check box to activate STP on the ZyAIR.
Output Power Set the output power of the ZyAIR in this field. If there is a high density of APs within an area, decrease the output power of the ZyAIR to reduce interference with other APs. Select one of the following: 100% (Full Power), 50%, 25% or 12.5%. These percentages represent the following power ranges:
100% (Full Power): <11b>17dBm/<11g>13dBm (<11b>50mW/<11g>20mW)
50%: <11b>15dBm/<11g>11dBm (<11b>32mW/<11g>12.6mW)
25%: <11b>13dBm/<11g>9dBm (<11b>20mW/<11g>7.9mW)
12.5%: <11b>11dBm/<11g>7dBm (<11b>12.6mW/<11g>5mW)
Preamble Select a preamble type from the drop-down list menu. Choices are Long, Short and Dynamic. See the section on preamble for more information.
802.11 Mode Select 802.11b Only to allow only IEEE 802.11b compliant WLAN devices to associate with the ZyAIR. Select 802.11g Only to allow only IEEE 802.11g compliant WLAN devices to associate with the ZyAIR. Select Mixed to allow either IEEE 802.11b or IEEE 802.11g compliant WLAN devices to associate with the ZyAIR. The transmission rate of your ZyAIR might be reduced.
Max. Frame Burst Enable Maximum Frame Burst to help eliminate collisions in mixed-mode networks (networks with both IEEE 802.11g and IEEE 802.11b traffic) and enhance the performance of both pure IEEE 802.11g and mixed IEEE 802.11b/g networks. Maximum Frame Burst sets the maximum time, in microseconds, that the ZyAIR transmits IEEE 802.11g wireless traffic only. Type the maximum frame burst between 0 and 1800 (650, 1000 or 1800 recommended). Enter 0 to disable this feature.
Apply Click Apply to save your changes back to the ZyAIR.
Reset Click Reset to begin configuring this screen afresh.

7.2 SSID

Click the WIRELESS link under ADVANCED and the SSID tab to display the screen as shown.
Figure 41 SSID
The following table describes the labels in this screen.
Table 29 SSID
LABEL DESCRIPTION
Index This field displays the index number of each SSID profile.
Name This field displays the identification name of each SSID profile on the ZyAIR.
SSID This field displays the name of the wireless profile on the network. When a wireless client scans for an AP to associate, this is the identity that is broadcast and viewed in the wireless client utility.
VLAN This field displays the VLAN ID. Incoming traffic from the WAN is tagged with this ID before it is sent to the LAN interface. Different SSID profiles can use the same or different VLAN IDs. This allows you to split wireless stations into groups using similar VLAN IDs.
Second Rx VLAN This field displays the identification number of incoming Ethernet frames that are forwarded to this ESS. This number can be the same for many ESS groups, depending on how many you want to be members of a particular VLAN.
Security This field displays a security profile. See Configuring Security on page 80 for more information.
RADIUS This field displays a RADIUS profile, if you have a RADIUS server configured.
QoS This field displays the Quality of Service setting for this profile.
Edit Click the radio button next to the profile you want to configure and click Edit to go to the SSID configuration screen.

7.2.1 Configuring SSID

Configure appropriate fields in the Wireless, Security, RADIUS, MAC Filter, Layer-2 Isolation and VLAN screens to use those settings in the following screen. These settings can be used instead of the default settings to create SSID profiles.
Figure 42 Configuring SSID
The following table describes the labels in this screen.
Table 30 Configuring SSID
LABEL DESCRIPTION
Name Type a name to identify this SSID profile on the ZyAIR.
SSID Type a name to identify this wireless profile on the network. When a wireless client scans for an AP to associate, this is the identity that is broadcast and viewed in the wireless client utility.
VLAN Enter a number from 1 to 4094. Incoming traffic from the WAN is tagged with this ID before it is sent to the LAN interface. Different SSID profiles can use the same or different VLAN IDs. This allows you to split wireless stations into groups using similar VLAN IDs.
Second Rx VLAN Enter a number from 1 to 4094, but different to the VLAN ID entered. Traffic received from the LAN interface is tagged with a Second Rx VLAN and forwarded to this SSID profile on the wireless LAN interface.
Security Select a security profile. See Configuring Security on page 80 for more information.
RADIUS Select a RADIUS profile from the drop-down list box, if you have a RADIUS server configured. If you do not need to use RADIUS authentication, ignore this field.
QoS With Multi-ESS, the ZyAIR ignores the ToS in the packet headers and uses a single QoS priority level for all of an ESS’s traffic. Select the Quality of Service priority for this ESS’s traffic. See Table 10 on page 60 for more information on the priority levels.
L2 Isolation Select Enable from the drop down list box to activate layer-2 isolation.
Enable MAC Filtering Select Enable from the drop down list box to activate MAC address filtering.
Apply Click Apply to save your changes back to the ZyAIR.
Reset Click Reset to begin configuring this screen afresh.

7.2.2 Second Rx VLAN ID

The ZyAIR tags Ethernet frames in VLAN 1 with VLAN ID 1 and tags Ethernet frames in VLAN 2 with VLAN ID 2. Both VLAN 1 and VLAN 2 have Internet access. VLAN 1 and VLAN 2 have access to a server. Ethernet frames forwarded from the server back to the switch are tagged. Ethernet frames are tagged with a second Rx VLAN ID (incoming VLAN ID). These incoming VLAN packets are forwarded to the ZyAIR. The ZyAIR matches the Second Rx VLAN ID with VLAN ID.
Figure 43 Second Rx VLAN ID Example
The following steps show you where to set up a Second Rx VLAN ID on the ZyAIR.
1 Click WIRELESS under ADVANCED in your web configurator and the SSID tab.
2 Click Edit in the SSID screen.
3 You can enter a Second Rx VLAN ID in the following screen. The following screen shows VLAN 1 tagged with VLAN ID 1. Incoming packets (Second Rx VLAN ID) with a VLAN ID 3 are matched to VLAN 1.
Figure 44 Configuring SSID: Second Rx VLAN ID Example
4 Click Apply to save these settings to the ZyAIR.
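An added sketch (not ZyXEL firmware code) of the matching described in this section: it reads the IEEE 802.1Q tag of a frame arriving from the LAN, lists the SSID profiles whose VLAN ID or Second Rx VLAN ID equals it, and checks profiles against the limits given in this chapter. `SsidProfile` and the function names are hypothetical, the frames are constructed, and treating a frame tagged with a profile's own VLAN ID as also matching is an assumption.

```python
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100  # EtherType value that marks an IEEE 802.1Q tag


@dataclass(frozen=True)
class SsidProfile:  # hypothetical model of one row of the SSID screen
    name: str
    vlan: int
    second_rx_vlan: int


def validate(profiles):
    """Check profiles against the limits the manual states; return a list of problems."""
    problems = ["more than eight ESSs on one AP"] if len(profiles) > 8 else []
    for p in profiles:
        for label, vid in (("VLAN", p.vlan), ("Second Rx VLAN", p.second_rx_vlan)):
            if not 1 <= vid <= 4094:
                problems.append(f"{p.name}: {label} {vid} is outside 1-4094")
        if p.vlan == p.second_rx_vlan:
            problems.append(f"{p.name}: Second Rx VLAN equals the VLAN ID")
    return problems


def tagged_frame(vid: int, priority: int = 0) -> bytes:
    """Build a constructed Ethernet frame carrying one 802.1Q tag."""
    dst, src = bytes.fromhex("02000000000a"), bytes.fromhex("02000000000b")
    tci = (priority << 13) | (vid & 0x0FFF)  # PCP (3 bits), DEI (1 bit, 0), VID (12 bits)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, 0x0800) + b"payload"


def vlan_id(frame: bytes):
    """Return the VLAN ID of a frame, or None when it carries no 802.1Q tag."""
    if len(frame) < 18:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    return tci & 0x0FFF if tpid == TPID_8021Q else None


def profiles_for_lan_frame(frame: bytes, profiles):
    """Names of the SSID profiles a frame arriving on the LAN side is matched to."""
    vid = vlan_id(frame)
    if vid is None:
        return []
    return [p.name for p in profiles if vid in (p.vlan, p.second_rx_vlan)]


if __name__ == "__main__":
    essids = [SsidProfile("ESS1", 1, 3), SsidProfile("ESS2", 2, 3)]
    print(validate(essids), profiles_for_lan_frame(tagged_frame(3), essids))
```

With both profiles listing Second Rx VLAN 3, a frame tagged 3 is matched to ESS1 and ESS2 alike, so reusing a Second Rx VLAN ID places that tagged traffic into every ESS that lists it. Review the profile table for such overlaps when the ESSs are meant to stay separated.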