
EL-500 Access Point User's Guide - Support


Contents

1. [Figure: DHCP settings form for the wlan2, wlan3, wlan4 and wired interfaces, with the fields Mode, IP Address Range Start, IP Address Range Size, Default Lease Timeout, Maximum Lease Timeout and Reserved DHCP Range.] Help text: Mode: Sets the DHCP mode supported by the interface. The three possible modes are:
   - none: no DHCP services are provided
   - local server: a DHCP server will respond to client DHCP requests on the interface
   - central server: the node will provide DHCP addresses from a centralized DHCP server (only available if Centralized DHCP is enabled)
   - client: the node will attempt to acquire an address for the interface via DHCP (only valid for the wired interface)
2. [Figure 24: Passwords page ("Configure your system passwords"). Help text: Please note changing the admin password will force you to log back into the webpages to continue with configuration. Admin Password: The admin password controls access to changing settings on the node.] (TR0190 Rev B1, page 47, Chapter 9: System Settings.) 9.2 BRIDGE: The only use of the node ID parameter when operating in bridge mode is for setting the default IP address of the bridge interface when one has not been explicitly set or acquired via DHCP. The node ID assigned to an EL-500 affects the IP address spaces assigned to each of the EL-500's virtual AP client access interfaces when it uses implicit addressing in routed mode. If multiple EL-500s are connected to the same LAN, it is recommended that they be assigned different node IDs, unless they have the NAT option enabled or use the explicit addressing scheme. CLI: The node ID is set with the id node parameter in the sys interface, as shown below:
   > use sys
   sys> set id node 107
   Web GUI: The node ID can be set via the web inter
3. [Figure 23: Setting operating mode. Form fields: Scheme, Hostname, Node ID, Implicit Addressing, L2 Emulation. Help text: Scheme: The scheme determines this node's role in the network. The AP Routed scheme provides routed access to the network for wireless client. The AP Bridge scheme bridges all client interfaces, wireless and wired, at layer 2. Hostname: A textual name for this node.] 9 System Settings. This section describes settings that are applicable to the overall operation of the EL-500, but are not related directly to a particular interface. 9.1 User Password. The password for the admin user is configurable. The default password is "default". See section 2.4 for instructions on resetting the admin password if it has been lost. CLI: The password for the admin user can be set using the password admin parameter in the sys interface. The password will not be displayed when using the get command with these parameters. The example below shows how to set the admin password using the CLI:
   > use sys
   sys> set password admin newpass
   Web GUI: The admin password can be changed via the web interface using the Passwords tab on the System Parameters page.
4. CLI: The conntrack connlimit enable parameter in the firewall interface is used to set the state of TCP connection limiting. The conntrack connlimit connections parameter is used to set the maximum number of connections allowed per client device.
   > use firewall
   firewall> set conntrack connlimit enable yes
   firewall> set conntrack connlimit connections 30
   Web GUI: The TCP connection limit related settings are set on the Connections sub-tab on the Firewall tab of the Security page (see Figure 48). The Conntrack Limiting drop-down box sets the state of TCP connection limiting, and Conntrack Connection Limits sets the maximum number of TCP connections allowed per client device. 16.5 Custom Firewall Rules. Custom firewall rules can be added that control how traffic forwarded by an EL-500 is handled. For example, rules can be added to:
   - Block client traffic on certain ports
   - Block traffic from a given client access interface to a certain subnet
   The custom firewall rules can be added on the Custom Rules sub-tab on the Firewall tab on the Security page, as shown in Figure 49. These rules are specified as you would specify rules for iptables, with the exception that the chain they are to be added to cannot be specified. All rules will be applied to the iptables forwarding chain. List one rule per line in the text box on t
5. In the example below, the central DHCP server and next WAN router reside on the same segment to which the EL-500's Ethernet interface is connected.
   > use sys
   sys> set dhcp relay server 192.168.5.2
   sys> set dhcp relay gateway 192.168.5.1
   The example below shows how to set the DHCP mode parameters for the wlan1 and wlan2 interfaces.
   > use wlan1
   wlan1> set dhcp server
   wlan1> set wlan1 dhcp relay enable yes
   > use wlan2
   wlan2> set dhcp server
   wlan1> set wlan2 dhcp relay enable yes
   To disable distribution of centralized DHCP addresses on an interface, set the interface's dhcp role parameter to none, as shown below.
   > use wlan3
   wlan3> set dhcp none
   The Client Address Space value is set with the dhcp relay dhcp subnet parameter in the sys interface. This value should be a class A, B, or C subnet specified using CIDR notation, as shown in the example below.
   > use sys
   sys> set dhcp relay dhcp subnet 192.168.5.0/24
   The Base Value, which sets the IP address of client access interfaces on an EL-500, is set through the dhcp relay base parameter in the sys interface.
   > use sys
   sys> set dhcp relay base 192.168.5.3
   Web GUI: Centralized DHCP mode can be enabled via the web interface on the DHCP Relay sub-tab under the DHCP tab on the System Parameters page (see Figure 46). The external DHCP server IP address, the gateway router address, the Client Address Space pa
6. [Figure 64: Capturing network traffic. Form fields: Interface, Protocol, Packet Count, Show Host Names, Show MAC Addresses, Packet Length, Optional Host, Optional Port, Common Protocols (DHCP, DNS, SMTP, RADIUS), Optional Additional Parameters, Output (webpage or File; max saved files is 10), Start Capture. Help text: Interface: The network interface on which packets will be captured. Protocol: The protocol of the packets which will be captured. If you do not see the particular protocol you want, use the all option to capture all network traffic on the specified interface. Packet Count: The number of packets which will be captured.] Capture options (Option: Description):
   - Interface: Selects the interface from which packets are captured. Note that some packets may be available on multiple interfaces. For example, data from a client device connected to wlan1 destined for a device on the Internet will pass through wlan1 and the wired interface.
   - Protocol: Data can be captured for the following protocols: TCP, UDP, ICMP, and ARP. Set the value to all if you do not wish to filter out packets based on protocol type.
   - Packet Count: Sets the number of packets to capture. The provided settings are 20, 50, 100, and 500.
   - Show Host Names: Captured data will show resolved host names instead of IP
7. 2.3 Default Login and Password. The EL-500's default login is "admin" and the default password is "default". The login and password are the same for the web interface and the CLI. Changing the password using one of the interfaces will change it for the other interface as well. 2.4 Resetting the admin Password. The EL-500 supports a password recovery feature for the admin account, should the password be lost. Completing the password recovery procedure requires that you contact Tranzeo technical support. Please check the Tranzeo website (www.tranzeo.com) for how to contact technical support and hours of operation. For security purposes, the admin password can only be reset in the first 15 minutes of operation of the device. You will be able to power the unit on and off to be able to reset the password. 3 Using the Web Interface. The EL-500 has a web interface, accessible through a browser, that can be used to configure the device and display status parameters. 3.1 Accessing the Web Interface. You can access the web interface by entering one of the EL-500's IP addresses in the URL field of a web browser (see section 2.2 for a description of how to access an unconfigured EL-500 using its Ethernet interface). When you enter this URL, you will be prompted for a login and password. The default login and password used for the web interface are admin an
8. [Figure 36: Address space settings in implicit addressing mode. Help text: Default Lease Timeout: The default lease time the DHCP server will assign to DHCP clients. If a DHCP request from a client does not contain a lease time request, this is the lease time that will be used. Maximum Lease Timeout: The maximum lease time the DHCP server will assign to DHCP clients. DHCP client lease time requests in excess of this value will be responded to with this lease time. Reserved Address Range: The number of addresses set aside for use as static IPs.] 10.2 Explicit Addressing Scheme. When using the explicit addressing scheme, the IP parameters for each interface can be specified manually on the Wireless Interface page. When specifying the IP addresses and subnet sizes for the client access interfaces, the following rules should be followed:
   - Specify IP address and subnet combinations that do not lead to misalignment (e.g. 10.0.0.4/24 is not a properly aligned address/subnet size combination).
   - Do not specify subnets that are in the following ranges: 169.254.0.0/16, 127.0.0.0/8.
   - Each subnet specified for a client access interface must not overlap with that of any other client access interface on the device.
   - Do not specify any subnets for client access interfaces that overlap with subnets outside the device that you want client devices to be able to connect to.
   - Do not specify a gatewa
9. [Figure 41: Virtual access point interface page with EL-500 in routed mode. Help text: ESSID: The identifying name for the 802.11 network that this access point supports. The ESSID must be no longer than 32 characters and can only contain letters (A-Z, a-z), numbers (0-9), spaces, hyphens, and underscores. Hide ESSID: ESSID broadcasting can be disabled with this setting. Channel: The access point's operating channel. NOTE: All access points on] 13.1 Virtual Access Point Interfaces. There are four interfaces that are used to configure the VAPs: wlan1, wlan2, wlan3, and wlan4. The VAPs have equivalent configuration capabilities and there is no inherent prioritization or preference for one VAP. The section on quality of service settings (section 17) describes how prioritization on a per-VAP basis can be configured. 13.2 Enabling and Disabling Virtual Access Points. VAPs can be individually enabled or disabled. A VAP can be configured when it is disabled, and parameter settings are retained when it is disabled. CLI: A VAP can be enabled with the enable parameter in the wlanN interface, as shown below:
   > use wlan1
   wlan1> set enable yes
   A VAP can be disabled with the following commands:
   > use wlan1
   wlan1> set enable no
   Web GUI: Each VAP can be enabled or disabled by setting the State parameter v
10. ARP tab on the Status page. [Figure 15: ARP table, with the columns IP Address, MAC Address and Interface.] 6.6 Event Log. The main system log for the device is accessible by selecting Event Log on the Status page. The log is displayed in reverse chronological order, with the last recorded event appearing at the top of the page. [Screenshot: Event Log page (all times in UTC), showing dhclient messages for the eth0 interface.]
11. [Figure 67: Generating a diagnostic dump. Available diagnostic dumps: No files available.] The list of diagnostic dumps available for download is displayed at the bottom of the page. The diagnostic dumps can be downloaded by clicking on the filenames. To delete one or more diagnostic dumps, select the check boxes next to the ones you wish to delete and then click on the Delete Selected button. 21 Firmware Management. 21.1 Displaying the Firmware Version. The firmware version string contains the following information:
   - Build date
   - Major version number
   - Minor version number
   - Build number
   These values are embedded in the version string as follows: enroute1000_<Build date>_<Major version>_<Minor version>_<Build number>. CLI: Firmware version information is available in the version interface. The example below shows how to display the current firmware version.
   > use version
   version> get release
   release ENROUTE1000_20070911_03_00_0215
   Web GUI: The firmware version is displayed at the top of the Status page accessible via the web interface. 21.2 Upgrading the Firmware. The EL-500 supports secure remote firmware upgrade. Prior to upgrading firmware, please contact Tranzeo technical support to find out if there are any version-specific instructions for upgrading from the firmware version you are currently using. The
12. [Figure 13: Bridging status information. Bridged Interfaces table (Bridge Name, Bridge ID, STP Enabled, Interfaces), Known Devices table (Interface, MAC Address, Local, Aging Timer) and Spanning Tree Protocol Details ("Spanning Tree Protocol is disabled").] 6.4 Routing Table. The routing table used by the device can be displayed by selecting the Routing tab on the Status page. [Figure 14: Routing table, with the columns Destination, Gateway, Netmask and Interface.] 6.5 ARP Table. The device's ARP table can be displayed by selecting the
13. [Figure 56: Configuring VLAN for Ethernet interface. Help text: Default Port VID, which is often appropriate for the wired interface. IP Address, Gateway, Netmask, Broadcast: The IP address, gateway address, netmask, and broadcast address for the wired interface. These values are only configurable when the wired interface is not configured for DHCP client mode. Enable NAT: Network address translation (NAT)] 19 Integration with Enterprise Equipment. The EL-500 supports authentication, accounting, and monitoring services that easily integrate with enterprise equipment. In this section the following topics are described:
   - Splash pages
   - Layer 2 client emulation
   BRIDGE: Splash pages are not supported and Layer 2 emulation is unnecessary when operating in bridge mode. 19.1 Configuring Splash Pages. The EL-500 supports splash pages, which can be used to restrict access to the 802.11 network and provide information to users that connect to the network. When a user connects through a client access interface to an EL-500 with splash page support enabled, the splash page for the appropriate interface will be displayed and the user will be restricted from accessing other destinations on the Internet until they have logged in. The splash page can require the user to enter logon credentials or simply click a button to complete the login process. To use splash pages
14. [Figure 16: Event log, showing modprobe messages for the creation of the wifi devices wlan4, wlan3 and wlan2.] The time reported in the Event Log corresponds to the time maintained by the EL-500 and may not be consistent with that shown in the upper left corner of the webpage, as this is the time maintained by the computer running the web browser. 6.7 DHCP Event Log. The log of DHCP-related events for the device is accessible by selecting DHCP Events on the Status page. The log is displayed in reverse chronological order, with the last recorded event appearing at the top of the page. All times in the log are in UTC time. Messages related to both local and relayed DHCP activity are displayed in the log. [Screenshot: DHCP Event Log page (all times in UTC), showing dhcpd DHCPACK, DHCPINFORM and DHCPREQUEST messages via wlan4.]
15. [Figure 51: QoS settings. Per-interface fields: Flow Priority, Out Limit and Out Reserve, each shown as DEFAULT. Help text: Flow Priority: Priority of data based on source interface. A higher value means higher priority. The default value will be applied if no value is set for an interface. Out Limit: The output limit in kbps for the interface. Out Reserve: The reserved bandwidth in kbps for an interface.] [Screenshot: Advanced QoS page ("Configure Advanced Quality of Service (QoS) settings"), with the fields Voice Out Limit (kbps), Voice Out Reserve (kbps), Video Out Limit (kbps), Video Out Reserve (kbps), Best Effort Out Limit (kbps) and Best Effort Out Reserve (kbps). Help text: Voice Out Limit: The output limit in kbps for voice traffic from the interface. Voice Out Reserve]
16. a firewall and QoS, which are not available in bridge mode. 14.2.1 Support for Clients with Static IP Addresses. When using centralized DHCP server mode for a client access interface, client devices connected to that interface can be assigned static addresses within the client address space. However, for these client devices to roam successfully across EL-500s and third-party access point bridges connected to the same LAN, they must employ duplicate address detection by sending out ARP requests for their own IP address. Windows-based devices support this requirement. Please contact the client device manufacturer if you are unsure if your client device meets this requirement. 14.2.2 Configuring the EL-500s. When operating in centralized DHCP server mode, each EL-500 client access interface that is to serve DHCP addresses from the centralized server must be explicitly configured to use centralized DHCP server mode. The EL-500s with client access interfaces in centralized DHCP server mode must also use the same centralized DHCP server. The IP address of the central DHCP server is set with the DHCP relay server parameter. The server must be reachable through the EL-500's Ethernet interface. A gateway router IP address must be entered. This will be supplied to DHCP client devices as their gateway. This IP address can be the same as for the DHCP server, but need not be. Each client acce
17. output intf> <input intf> limit parameters in the qos interface, where <output intf> is one of the following: default, eth0, wlan1, wlan2, wlan3, wlan4, and <input intf> is one of the following: default, eth0, local, wlan1, wlan2, wlan3, wlan4. The out default default limit value is applied to interfaces that have the out <output intf> <input intf> limit parameter set to inherit or is left blank. The example below shows how to limit the maximum output rate of data from wlan1, wlan2, wlan3, and wlan4 through the eth0 interface to 2 Mbps, 1 Mbps, 512 kbps, and 256 kbps, respectively.
   > use qos
   qos> set out eth0 wlan1 limit 2048
   qos> set out eth0 wlan2 limit 1024
   qos> set out eth0 wlan3 limit 512
   qos> set out eth0 wlan4 limit 256
   Traffic type limits can be set with the out <output intf> <input intf> <traffic type> limit parameters in the qos interface, where <output intf> is one of the following: default, eth0, wlan1, wlan2, wlan3, wlan4; <input intf> is one of the following: default, eth0, local, wlan1, wlan2, wlan3, wlan4; and <traffic type> is one of the following: vo, vi, be, bk (see Table 13 for description of traffic types). The example below shows how to limit the maximum output rate of voice, video, best effort an
18. value can be set via the web interface using the DHCP sub-tab on the DHCP tab on the System Parameters page (see Figure 42). 13.7 Client Devices. Each VAP has a status page that displays information about attached client devices and total throughput through the VAP. The signal strength of each client device, its MAC address, its IP address, and the time since data was last received from it are listed. The status pages can be accessed under the Status tab on the Status page, as shown in Figure 43. [Figure 43: Virtual access point client device status information. The wlan4 status page shows interface statistics (noise level, and transmitted and received byte totals, data rates, packet totals and packet rates over the last 10 seconds) and a Clients table with the columns MAC Address, IP Address, RX data, TX data, dBm, RSSI, Rate, Last reception and Client Capabilities.] 13.8 Encry
19. [Figure 47: NAT and VPN settings. Help text: VLAN: Segregate client traffic into Virtual LANs. Your internet router must have VLAN support enabled. You will probably need to enable VLAN on all node Wireless Interfaces as well, depending on your network design. Valid VLAN IDs are 0-4095, but 0, 1, and 4095 are reserved by convention. 1 is the Default Port VID, which is often appropriate for the wired interface. IP Address, Gateway, Netmask, Broadcast: The IP address, gateway address, netmask, and broadcast address for the wired interface. These values are only configurable when the wired interface is not configured for DHCP client mode. Enable NAT: Network address translation (NAT). VPN Credentials: Your vendor may provide you with a package of VPN Credential files. If you need to install a credential package, you can load it onto the node here. Please refer to the help for more details.] 15.2 Bridge Mode. In bridge mode, the EL-500 can be connected to a LAN with minimal configuration. See section 12.2 for the parameters that are available to control bridging behavior. 16 Controlling Access to the EL-500. The EL-500 supports the following features for restricting access to it, restricting inter-client device communication, and sh
20. 3.2 Navigating the Web Interface. The web interface uses a three-tiered navigation scheme:
   1. The first tier of navigation is the navigation bar shown on the left side of the screen. This navigation bar is displayed on all pages in the web interface and remains the same on all pages.
   2. The second tier of navigation is the primary row of tabs shown across the top of the screen on many of the pages in the web interface. The labels in these tabs vary based on which page is selected on the navigation bar.
   3. The third tier of navigation is the second row of tabs, shown below the first row. These tabs are not present on all pages, and their labels vary based on the selections made on the navigation bar and the primary row of tabs.
   [Screenshot: DNS Proxy page ("Configure your DNS Proxy"), with a DNS Proxy enabled/disabled setting, an Add DNS Proxy Entry form (Hostname, IP Address, Add New Host) and a DNS Proxy Hosts table (Hostname, Proxied IP Address). Help text: DNS Proxy: Enabling the DNS Proxy resolves names to local IP addresses. Used in conjunction with splash pages. Both the hostname and IP address are required. The IP address should be one of the enabled wlan interfaces. Table entry: apsigni]
21. [Table of contents fragment for chapter 4 of the guide (the CLI). Recoverable entries: CLI Interfaces; 4.4.3 Searching the Command History; 4.4.4 Executing a Previous Command; 4.5.4 show command; 4.5.9 ping command; 4.5.10 ifconfig command; clear command; history command.]
22. [Figure 34: Setting the addressing scheme. Form fields: Node ID, Implicit Addressing, L2 Emulation, Hostname.] 10.1 Implicit Addressing Scheme. The implicit addressing scheme requires the sharing of a class C network between all active client access interfaces. The subnet address space is based on the node ID and the LAN prefix, as shown in Figure 35. [Figure 35: Subnet address structure (LAN prefix, Node ID).] If the EL-500 is operating in centralized DHCP server mode, the addresses used for the implicit addressing scheme have no bearing on the addresses that are assigned to client devices through DHCP. The default division of the class C address space is shown in Table 7. It is possible to change this configuration, assigning larger address spaces to certain interfaces if not all interfaces are enabled. [Table 7 fragment. Columns: Interface, Interface address, Broadcast address, Client device address range. Surviving cells: subnet 127 subnet 2 126 subnet 129 subnet 159 subnet 130 158 subne
23. EL-500 must have access to the Internet, and specifically the Tranzeo upgrade server, to complete an upgrade. If power to the EL-500 is lost during the upgrade process, it is possible that the device will become inoperable. The firmware can be upgraded using the Upgrade page. This page displays the following information:
   - Firmware currently installed on the EL-500
   - Firmware available on the remote upgrade server
   - Firmware available in the non-volatile memory of the EL-500
   - Space used/available in non-volatile memory for storing upgrade images
   Follow the procedure below to upgrade the firmware on a device:
   1. Select the firmware version you want to upgrade to from the Firmware on Server box.
   2. Click on the button with the arrow to the right of the Firmware on Server box. This will begin the download process of the firmware from the Tranzeo upgrade server to the non-volatile memory on the EL-500. While the firmware is downloading, it will be shown in blue in the Firmware on Node box.
   3. When the download has been completed, select the firmware you wish to upgrade to from the Firmware on Node box.
   4. Click on the Install button.
   5. Wait for the install to complete. The EL-500 will reboot automatically when the upgrade has been completed.
   [Screenshot: Upgrade Node Firmware page. Upload new f
24. Ethernet interface, and four IP addresses are set aside for the client access interfaces on the EL-500. Therefore, the address pool starts from 192.168.5.7. 15 Connecting an EL-500 to a LAN. The options for connecting an EL-500 to a LAN are described below. 15.1 Routed Mode. 15.1.1 Manual Configuration. An EL-500 can be directly connected to a LAN without using Network Address Translation. With this configuration, and with the implicit client addressing scheme in use, the router on the network that the EL-500 is attached to must be configured to forward the client access interface subnets to the EL-500's Ethernet IP address. The subnet that needs to be forwarded is: Class C subnet: <LAN prefix octet 1>.<LAN prefix octet 2>.<node ID>.0. In the case where the LAN prefix is 10.12 and the node ID is 14, the subnet the router would need to forward to the EL-500 is 10.12.14.0/255.255.255.0. If the explicit addressing scheme is used, all the individual client access interface subnets must be forwarded to the EL-500's Ethernet IP address. The sections below describe how to acquire the parameter values that determine what subnets the router should forward to the EnRoute1000. CLI: When using the implicit addressing scheme, the subnet information can be retrieved from the sys interface, as shown below:
   > use sys
   sys> get id
   sys id lanprefi
25. [Figure 61: Enabling/disabling layer 2 emulation]

20 Diagnostics Tools

The EL-500 has a number of diagnostics tools to help the user diagnose and correct configuration issues. These tools are available on the Diagnostics page, accessible from the navigation bar. The individual diagnostics tools are accessible from the row of tabs shown on the Diagnostics page.

The Ping tab on the Diagnostics page allows the user to check for network connectivity by pinging a remote device (see Figure 62). Either an IP address (e.g. 10.1.2.3) or a hostname (e.g. www.yahoo.com) can be specified. The number of pings to send can be set to 1, 10, or 100. Click on Ping Address to start pinging the device. The results of the pings will appear on the bottom half of the page shortly after clicking on the button. There may be a delay of a few seconds to display the ping results if the ping destination is not responsive.
26. The Max/Min Hardware Priority parameters can be used to limit the hardware priority queues that traffic from a particular interface can use for outbound traffic. Valid values for these parameters are from 1 to 4, which are the priority levels listed in Table 13.

[Table 13: Hardware priority levels (columns: Abbreviation, Description, Priority level; 4 = highest, 1 = lowest; entries include Background and Best Effort)]

[Chapter 17: Quality of Service (QoS) Configuration]

When sending data out through any of the wireless interfaces (wlanN), these hardware priorities map directly to the 802.11e hardware priority output queues on the wireless card. The default level for all traffic is Best Effort.

To increase the hardware priority of all traffic originating from a particular interface, set the value of Min Hardware Priority to a value larger than 1. This will force all traffic from the chosen interface to use a hardware queue equal to or greater than the Min Hardware Priority value set. To reduce the maximum hardware priority of traffic from an interface, set the Max Hardware Priority parameter to a value less than 4. To disable hardware prioritization, set the Min/Max Hardware Priority parameters to 0.

Setting an interface's flow priority above that of another interface results in all traffic originating on the higher flow priority interface blocking traffic on the lower priority interface until all traffic from the prioritized interface has been
27. a number of URLs for login, successful login, and failed login must be specified. A RADIUS server that provides authentication services may also need to be specified.

19.1.1 Enabling Splash Pages

The enabling of splash pages can be controlled on a per-interface basis. Two splash page modes are supported: one which requires client device users to log in to gain access to the network, and another which requires them to simply click on a button on the web page to proceed.

CLI: Enable or disable splash pages with the splash enable wlanN parameters in the sys interface. For a splash page to be displayed on an interface, the appropriate parameter must be set to yes. The example below illustrates how to set the splash enable wlan1 parameter in the sys interface to enable splash pages for the wlan1 interface.

    > use sys
    sys> set splash enable wlan1 yes

[Chapter 19: Integration with Enterprise Equipment]

Use the splash auth server wlanN enable parameters in the sys interface to select whether a user is required to provide login credentials for a particular interface. The example below illustrates how to set the parameter for the wlan1 interface such that a user will be required to log in to access the network.

    > use sys
    sys> set splash auth server enable wlan1 yes

Web GUI: Splash pages can be enabled on a per-interface basis on the Splash Pages sub-tab under the AAA tab on
28. add additional DNS servers please see the User s Guide Primary DNS Server 10 13 108 254 Secondary DNS Server i f 3 Set the node ID The node ID is a unique identifier incorporated into the addresses served by this node s DHCP server to distinguish this node from other nearby nodes The ID must be a number between 1 and 254 Node ID 1 Save Changes Figure 9 Initial configuration web page 33 Chapter 6 Status Information 6 Status Information Multiple web interface pages that display status information about the EL 500 and client devices attached to it are available These web pages are accessible by clicking on the Status link in the navigation bar and then selecting the appropriate tab shown at the top of the page The status information is not accessible through the CLI 6 1 Configuration Overview Page The main status page which is displayed when clicking on Status in the navigation bar and when logging in is the Config Overview page RANZ WIRELESS TECHNOLOGIES INC Config Overview Status Routing Event Log DHCP Events 02 11PM Oct 15 2007 local time Status GW 1 Configuration Profile Management System Information Initial Configuration Minimal Configuration Detailed Configuration System Parameters Security Wireless Interfaces Wired Interface Qos Upgrade Diagnostics Reboot Serial
29. addresses when this option is ow Host Names selected addresses displayed for each packet when this option is selected Sets the length of each packet that should be captured If you are only interested in the Packet Length header contents of a packet this value can be lowered to reduce the size of the data capture file If it is set to too low of a value critical data may be not be captured though their source OR destination address will be captured Sets a port to use for filtering purposes All packets with this port as their source OR Optional Port destination port will be captured NOTE this setting only has an effect on capture of TCP or UDP packets Click on the protocol names listed to add filtering parameters for them in the Additional ommon Protocols P i i P n arameters text box It is possible to select more than one protocol to filter on The underlying application used to capture packets is tcpdump Use this field to specify Parameters additional parameters to tcpdump that are not made available through the GUI Select whether to display the data on the webpage or to save it to a file which can be Output downloaded from the device The file name format used is file prefix MMDDYYY HHMM Output File Prefix Sets an optional file prefix for saved files Table 14 Packet capture options 20 4 Centralized DHCP Testing The DHCP tab on the Diagnostics page can be used to test access to an external DHCP server when
30. are available for controlling how the bridge mode operates: forwarding delay and Spanning Tree Protocol control.

The forwarding delay sets how long, in seconds, the EL-500 will watch traffic before participating. If there are no other bridges near the EL-500, this value can be set to 0. When the DHCP mode for the bridge interface is set to client, the forwarding delay will be automatically set to 15 to avoid DHCP requests timing out.

The EL-500 supports the Spanning Tree Protocol (STP), which is used to ensure a loop-free topology for any bridged LAN. STP support can be disabled or enabled.

CLI: The forwarding delay is set with the forwarding delay parameter in the br0 interface. The delay is specified in seconds.

    > use br0
    br0> set forwarding delay 5

Spanning Tree Protocol state is set with the stp enable parameter in the br0 interface. Set this parameter to yes to enable it and to no to disable it.

    > use br0
    br0> set stp enable yes

Web GUI: The forwarding delay and Spanning Tree Protocol state can be set on the L2 Bridge page.

13 Virtual Access Point (VAP) Configuration

An EL-500 has four virtual access points (VAPs) that can be configured to suit different application needs. These VAPs share a common radio but, with a few exceptions noted in this chapter, can be configured independently. The availability of
31. below scheme wireless node type 4 5 4 show command Syntax show Description Displays all available interfaces An interface in this list can be selected with the use command TRO190 Rev B1 24 Chapter 4 Using the Command Line Interface 4 5 5 use command Syntax use interface where interface is one of the EL 500 s interfaces A complete list of interfaces is available with the show command Description Selects an interface to use By selecting an interface you can view and modify the parameters associated with the interface Example use wlanl will select the wlan1 virtual AP interface and change the CLI prompt to wlanl to reflect the interface selection 4 5 6 set command Syntax set lt parameter gt lt value gt where parameter is the parameter being set and value is the value it is being set to Description Sets a configuration parameter Note that is only possible to set the parameters for the currently selected interface If the value of the parameter contains spaces the value must be surrounded by double quotes If a valid set command is entered it will output its result and any effects on other parameters If changes are made to attributes of other interfaces as a result of changing the parameter these attributes are preceded by a to signify that they are in another interface Changing certain parameters will require the EL 500 to be rebooted Example With th
32. has a maximum length of 32 characters. It must only contain alphanumeric characters, spaces, dashes (-), and underscores (_). The ESSID setting is case sensitive.

It is possible to hide a VAP ESSID by restricting it from broadcasting advertisements for that ESSID. Whether it is appropriate for a VAP ESSID to be hidden depends on the application.

CLI: The VAP ESSID is set as shown in the example below. When setting an ESSID that contains spaces, the ESSID value must be enclosed by quotes (the quotes are optional otherwise).

    > use wlan1
    wlan1> set essid wlan1_ap

The broadcast of the ESSID can be controlled with the hide_essid parameter in the wlanN interface. The example below shows how hiding of the ESSID can be enabled.

    > use wlan1
    wlan1> set hide_essid yes

Web GUI: The VAP ESSIDs and their broadcast state can be set via the web interface using the appropriate wlanN tab on the Wireless Interfaces page (see Figure 41).

13.6 IP Configuration of Client Devices

The VAP interfaces allow client devices to connect to the EL-500. The client devices can be assigned their IP configuration in one of three ways when the EL-500 is operating in routed mode:
    • Via DHCP from a centralized server
    • Via DHCP from a local server on the EL-500 that the client device is connected to
    • Be manually configured

When the EL-500
33. ip implicit size actual read only ip implicit size requested 31 ip implicit start actual read only ip implicit start requested 1 When an EL 500 is using the implicit addressing scheme the VAP IP settings can be changed by altering the id node id mesh and id lanprefix parameters in the sys interface and the ip implicit start requested parameter in the appropriate wlanN interface When an EL 500 is using the explicit addressing scheme the IP address netmask gateway address and broadcast address can be set using the ip address force ip netmask force ip gateway force and ip broadcast_force parameters in the appropriate wlanN interface as shown in the example below gt use wlanl wlanl gt set ip address_force 10 12 8 1 wlanl ip broadcast force 10 12 8 255 wlanl ip gateway force wlanl ip netmask force 255 255 255 0 Web GUI The current VAP IP settings can be viewed through the web interface on the Config Overview tab on the Status page When using the implicit addressing scheme the VAP IP settings can be changed by altering the node ID and LAN prefix settings on the System parameters tab on the System Parameters page In explicit addressing mode the IP parameters can be set on the appropriate tab on the Wireless Interface page TRO0190 Rev B1 76 Chapter 13 Virtual Access Point VAP Configuration 13 4 Channel The EL 500HG has an 802 11b g radi
34. is operating in bridge mode, the client device IP address requirements will depend on the settings for the LAN that the EL-500 is connected to.

13.6.1 IP Configuration of Client Devices via DHCP

The EL-500 can be set to serve IP addresses to client devices on the VAP interfaces using DHCP. DHCP-provided addresses can be served either from a local server on the EL-500 or from an external server. The two DHCP modes are described in detail in section 14.

13.6.2 Manual IP Configuration of Client Devices

In routed mode, with centralized DHCP server mode disabled, client devices that use static IP addresses must have an IP address that is within the subnet of the VAP interface that they connect to. See section 14.2.1 for information on using static IP addresses for client devices with centralized DHCP server mode enabled.

When operating in bridge mode, the client devices' IP configuration requirements will depend on the network settings for the LAN that the EL-500 is connected to.
35. maximum requestable dhcp lease dhcp relay enabl use dhcp relay if sys dhcp relay enable yes dhcp reserve ip addresses to reserve at bottom of range dhcp role interface dhcp role none client server enable interface is enabled ip address IP address read only ip address force override ip address or blank ip broadcast broadcast address read only ip broadcast force override ip broadcast or blank ip gateway gateway read only ip gateway force override ip gateway or blank ip implicit size actual actual size of address range ip implicit size requested requested size of address range ip implicit start actual actual interface fourth octet ip implicit start requested requested interface fourth octet ip netmask network mask read only ip netmask force override ip netmask or blank routes static static routes for this interface vlan enable use a vlan vlan id vlan id avoid 0 and 1 normally vpn enable enable vpn on gateway node vpn keyfile base name of crt key files vpn port port number for vpn vpn server hostname or ip address of the vpn server 4 5 9 ping command Syntax ping IP address or hostname Description Pings a remote network device Halt pinging with Ctrl C Example ping 172 29 1 1 TRO190 Rev B1 27 Chapter 4 Using the Command Line Interface 4 5 10 ifconfig command Syntax ifconfig ethO wlan 1 4 Description Displays information such as IP address and MAC address for the specif
36. on the System Parameters page of the web interface (see Figure 60). The list of IP addresses of bypassed hosts is displayed on this page. To delete an IP address from the list, click on the Delete Host button next to the IP address.

19.2 Layer 2 Emulation

Certain back-end systems (e.g. Internet gateways) use the MAC addresses of client devices for authentication and accounting purposes. When the EL-500 is operating in routed mode, client device MAC addresses are typically not provided to the back-end servers. A layer 2 emulation mode can be enabled on the EL-500 to provide the client device MAC address information to back-end systems.

When layer 2 emulation is enabled, the EL-500 will send Ethernet layer 2 frames to the LAN using the MAC address of the device the packet originated from as the source address. The EL-500 will also act as a proxy and forward packets with MAC destination addresses of client devices that are connected to it.

In layer 2 emulation mode, an EL-500 will respond to ARP requests if it has a route to the target IP address contained in the ARP request. The list of subnets that the EL-500 has routes to includes implicit/explicit network addresses. Thus, care must be taken that these subnets are not used elsewhere in the network. Alternatively, to reduce the amount of address space consumed by the EL-500's subnets, the ARP responses can be limited to certain parts of the EL-500's address space. The EL-500 can be configured
37. pool of available bandwidth for other traffic types to use The points at which rate reservations can be made are shown in Figure 54 These points are similar to where rate limits can be placed except that rate reservations require both an input and output interface whereas rate limits can be made without specifying 7T 9 2z3727 21753 Output 0S Control Point Input 8 d dT 0321 Figure 54 Quality of Service rate reservation control points All rate reservation parameter values are in kbps If no rate reservation parameter is set rate reservation will be disabled for that interface or interface and traffic combination INFO A rate reservation which guarantees a certain amount of bandwidth can be made for traffic that enters the EL 500 through a particular interface and exits it through another interface Rate reservations can also be set based on traffic type through an interface The default value set for the EL 500 rate reservation is applied to interfaces that have their bandwidth reservation parameters set to inherit or are left blank TR0190 Rev B1 115 Chapter 17 Quality of Service QoS Configuration cL The parameters that are used to set these rate reservations are in the qos interface and are of the form out lt output intf gt lt input intf gt reserve where output intf gt is one of the following default ethO wlan wlan2 wlan3 wlan4 and input intf gt is one of the follow
38. [Figure 55: Configuring VLAN for VAP interfaces]

18.2 Ethernet Interface Configuration

For VLAN tags to be preserved on traffic that traverses the Ethernet interface, VLAN support must be enabled for the Ethernet interface. The Enable VLAN parameter for the wired interface controls the state of VLAN tagging. If VLAN tagging is enabled on the Ethernet interface, all outbound traffic will have its VLAN tags preserved. If VLAN tagging is disabled for the Ethernet interface, all VLAN tags will be stripped from frames received through the Ethernet interface.

[Chapter 18: Enabling VLAN Tagging]

When VLAN is enabled for the wired interface, data frames forwarded by the EL-500 to the LAN will preserve their existing VLAN tag if they have one. Frames that do not have a tag will be tagged with the default VLAN ID for the EL-500's Ethernet interface. The VLAN ID must be in the range from 0 to 4095. Note that 0 and 4095 are reserved values and 1 is the default VLAN ID.

CLI: The example below
39. the EL-500 is in centralized DHCP server mode (see Figure 65). Click on the Test DHCP button to initiate a test. The results of the test will be displayed at the bottom of the page.

[Figure 65: Testing the connection to an external DHCP server]

20.5 RADIUS Server Testing

The RADIUS tab on the Diagnostics page can be used to test authentication of credentials by a RADIUS server used for splash page or WPA authentication (see Figure 66). Use the procedure below to test the validity of credentials with a RADIUS server:
    1. Select the RADIUS server you want to use for the test from the drop-down menu.
    2. Enter the credentials you want to test in the Username and Password fields.
    3. Click on the Test User button.

The results of the test will be displayed at the bottom of the page. Three outcomes are possible:
    • The credentials were authenticated by the ser
40. the four VAPs provides more flexibility in configuration and catering to different user classes than a single AP does The interfaces for the VAPs will be referred to as wlanN when it applies to any of the four VAPs wlan1 will be used in all examples WIRELESS TECHNOLOGIES INC wlani wlan2 wlans wlan DHCP Authentication ACLs Qos 03 56PM Oct 15 2007 local time Status Profile Management Initial Configuration Minimal Configuration Detailed Configuration System Parameters Security Wireless Interfaces Wired Interface Qos Upgrade Diagnostics Reboot Configure wlan1 wlanl State wlani Mode IP Address Gateway Address Netmask Broadcast ESSID Hide ESSID Channel VLAN State VLAN ID Transmit Power Cap Radio Rate Use Short Preamble Beacon Interval Distance Save Changes enabled v 80211B G 10 d 255 255 255 10 1 n erl 00 api no Vv l p412GHz disabled 11 NOTE enabling VLAN on this interface requires VLAN to be configured on the wired interface 30 0 dBm JB 54 Mbps Auto yes 100 milliseconds DEFAULT kilometers Hide Help wlan1 Enable or disable this access point IP Address Gateway Netmask Broadcast The IP address gateway address netmask and broadcast address for the wlani interface These values are only configurable when implicit addressing is disabled
41. to disregard all ARP requests except for those with IP addresses within the client address space that it has a host or network route for.

CLI: Layer 2 emulation is enabled with the l2 client mac fwd parameter in the sys interface. The example below shows how to enable layer 2 emulation.

    > use sys
    sys> set l2 client mac fwd yes

To limit the range of addresses for ARP requests that the EL-500 will respond to, set the l2 hide internal enable parameter in the sys interface to yes. Set l2 hide_internal gateway deny all in the sys interface to yes to disregard all ARP requests except for those with addresses within the client address subnet. The example shows how to disregard all ARP requests except for those for addresses within the client address space.

    > use sys
    sys> set l2 hide internal enable yes
    sys> set l2 hide internal gateway deny all yes

Web GUI: The state of layer 2 emulation is set on the System tab of the System page (see Figure 61). The console interface in the web GUI must be used to configure which address ranges the EL-500 responds to ARP requests for. See the CLI section above for parameter names and set these using the console interface (see section 9.10).
42. use as static IPs

[Figure 45: Virtual access point DHCP configuration]

[Chapter 14: Client DHCP Configuration]

14.2 Using a Centralized DHCP Server

Centralized DHCP server mode uses DHCP relaying to enable assignment of IP addresses to wireless client devices from a common remote DHCP server. The remote DHCP server may reside either on a host connected to the LAN segment that the EL-500's Ethernet is attached to or on a server that is beyond one or more routers. When using a common DHCP server, wireless client devices are assigned IP addresses from a single address pool and are allowed to keep their IP address while roaming seamlessly from AP to AP.

There are three classes of entities that must be configured when using this DHCP mode:
    1. The EL-500
    2. The central DHCP server
    3. Any intermediate router(s) in the path between the DHCP server and the EL-500

When using a centralized DHCP server, a Client Address Space (CAS), from which client device IP addresses are assigned, must be defined. The active VAP client access interfaces on the EL-500 (there can be up to 4 per EL-500) must also have IP addresses that fall within the CAS. This is to facilitate DHCP relay and selection of client device IP addresses from the correct DHCP scope on servers that serve hosts connected to different subnets. The VAP client access interface IP addresses must be configured statically and must be contiguous. It is recommended that a c
43. wlan3 and wang interfaces Refer to Table 8 for allowed values for these parameters In the first example below the wlan1 interface is set to use the entire class C address space this requires that all the other client access interfaces wlan2 4 are disabled In the second example the wlan1 interface is set to use the upper half of the class C address space gt use wlanl eth0 set ip implicit start requested 1 eth0 set ip implicit size requested 255 use wlanl eth0 set ip implicit start requested 129 eth0 set ip implicit size requested 127 TR0190 Rev B1 62 Chapter 10 Client Addressing Schemes The actual start address and size of a segment are accessible via the ip implicit start actual and ip implicit size actual parameters These may values may differ from the requested values if the rules for setting these parameters were not abided by Web GUI The address space segments start addresses and sizes can be set via the web interface using the DHCP sub tab on the DHCP tab on the System Parameters page see Figure 36 D ZEO WIRELESS TECHNOLOGIES INC TR0190 Rev B1 DHCP Configure DHCP DHCP Centralized DHCP IP Address Range Size IP Address Range Start 1 v wlani Mode server v Default Lease Timeout 86400 seconds Maximum Lease 86400 seconds Timeout Reserved DHCP Range 0
44. 0 gt tr td Username lt td gt lt td gt lt input name username type text gt lt br gt lt td gt ETE QEIESS td Password lt td gt lt td gt lt input name password type password gt lt td gt Eae lt table gt DIDNDMHBPWNHNFOUW WMATA 4 CO P2 ES No input name login type submit value Submit gt lt form gt lt body gt lt html gt N N FO N N Figure 58 Sample HTML code for login web page with password authentication If the splash page is not configured to require a user to provide login credentials the requirements for the login page are slightly different as shown in Figure 59 The page must still contain a form definition similar to that on line 6 in Figure 59 The action value must be set to point to a proxied server name just as for the case where a user is required to provide login credentials The last part of the action value must be splash nologin cgi Also a button with the name login must be defined as shown on line 8 of Figure 59 html head title Test Login Page lt title gt head body form method POST action https dns proxy name here splash nologin cgi Welcoming text or Terms of Service could go here br input name login type submit value Continue gt form body lt html gt FPOMOWA DTA HNBWNHE me Figure 59 Sample HTML code fo
45. 07 Chapter 16 Controlling Access to the EH 1000 9 TRANIZEOS WIRELESS TECHNOLOGIES INC Passwords Firewall ACLs onramp wlant wlan2 wans wiana wired SS Configure wlan1 Access Control Lists ACLs Hide Help Please note the address is white or black listed immediately after it is added No reboot is required ACL Mode If a black listed client is currently connected it will be kicked The ACL mode determines whether from the network before the it is added to the blacklist client devices on the ACL list will be permitted access to the access point The supported ACL modes are wlani blacklist v Change ACL Mode none all devices will be permitted access blacklist devices on the ACL Enter address will be denied access i whitelist only devices on the ACL will be allowed access Add MAC wire Hmms Uosi Add MAC Address Use this form to add client device MAC addresses to the ACL Black listed MAC Addresses for wlan1 none Figure 50 VAP ACL configuration TRO190 Rev B1 108 Chapter 17 Quality of Service QoS Configuration 17 Quality of Service QoS Configuration BRIDGE QoS rate limiting and reservations are not supported when the EL 500 is operating in bridge mode Priority level settings are supported in bridge mode The EL 500 has extensive support for quality of service settings that allow traffic to b
46. 1 Status information for one of the virtual AP interfaces TRO0190 Rev B1 35 Chapter 6 Status Information 6 2 2 Wired Interface Status The wired interface status pages is similar to the wireless interface status pages with the exception that it only displays summary information for the interface and does not break down data transferred on a per device basis 9 ZEO WIRELESS TECHNOLOGIES INC 10 31AM Oct 16 2007 local time Config Overview status Routing ane eventtog pner events SHAD wlani wlan2 wlan3 wlan4 wired Profile Management e 3 GW 1 Wired Interface Status Initial Configuration Minimal Configuration Interface Statistics Noise Level n a Detailed Configuration Data Transfered Byte Totals Data Rates Packet Totals Packet Rates Syste AL ame cere last 10 secs last 10 secs Security Transmitted 3 0 MB 214 50 Bytes sec 33 811 packets 1 26 packets sec Received 1 5 MB 98 82 Bytes sec 14 393 packets 0 63 packets sec Wireless Interfaces Wired Interface Qos Upgrade Diagnostics Reboot Figure 12 Wired interface status information 6 3 Bridging The Bridging tab is only present when the EL 500 is in bridge mode This page displays information about the current bridge configuration A summary of the interfaces that are bridged is provided at the top of the page This is followed by a list of known devices identified by their MAC addresses TRO190 Rev B1 36
47.
    • wpa enable
    • wpa key mgmt
    • wpa auth server addr
    • wpa auth server port
    • wpa auth server shared secret

The wpa key_mgmt parameter must be set to indicate that both PSK and EAP modes can be supported, as shown in the example below. The example below shows how to enable WPA EAP mode.

    > use wlan1
    wlan1> set wpa enable yes
    wlan1> set wpa key mgmt WPA PSK WPA EAP
    wlan1> set wpa auth server addr 1.2.3.4
    wlan1> set wpa auth server port 1812
    wlan1> set wpa auth shared secret enroutel1000 radius secret

Web GUI: WPA EAP can be enabled and the authentication server parameters can be set via the web interface using the WPA/WEP sub-tab under the AAA tab on the System Parameters page (see Figure 44). Select WPA EAP as the type of encryption/authentication from the drop-down menu for the VAP you wish to configure, and set the authentication server IP address, port, and secret in the text boxes below the drop-down menu. In the example in Figure 44, wlan3 has been configured to use WPA EAP.

13.9 Transmit Power Cap

The maximum transmit power cap of the EL-500's radio is configurable. Increased output power will improve communication range, but will also extend the interference range of the radios. By default, the power cap is set to 30 dBm so as not to limit the power of the AP. If the transmit power is set to a value in excess of what can be suppo
48. 29 3 vy IP Address Range Size actual value 31 wlan3 Mode server v Default Lease Timeout 86400 seconds Maximum Lease 86400 seconds Timeout Reserved DHCP Range fo IP Address Range Start 161 v actual value 161 IP Address Range Size actual value 31 wlan4 Mode server K Default Lease Timeout 86400 seconds Maximum Lease 86400 seconds Timeout Reserved DHCP Range RN IP Address Range Start 193 v actual value 193 IP Address Range Size 31 v actual value 31 wired Figure 38 Wired DHCP settings Hide Help Mode Sets the DHCP mode supported by the interface The three possible modes are e none no DHCP services are provided local server a DHCP server will respond to client DHCP requests on the interface central server the node will provide DHCP addresses from a centralized DHCP server only available if Centralized DHCP is enabled client the node will attempt to acquire an address for the interface via DHCP only valid for the wired interface Default Lease Timeout The default lease time the DHCP server will assign to DHCP clients If a DHCP request from a client does not contain a lease time request this is the lease time that will be used Maximum Lease Timeout The maximum lease time the DHCP server will assign to DHCP clients DHCP client lease time requests in excess of this value will be responded to wit
49. 4 1 from 00 1b 77 52 e9 86 lfn mini
DHCPACK on 10 1 4 254 to 00 1b 77 52 869 86 lfn mini via wlan4
DHCPREQUEST for 10 1 4 254 10 1 4 1 from 00 1b 77 52 89 86 lfn mini
Wrote 1 leases to leases file
DHCPOFFER on 10 1 4 254 to 00 1b 77 52 69 86 lfn mini via wlan4
DHCPDISCOVER from 00 1b 77 52 69 86 via wlan4
DHCPNAK on 10 3 108 186 to 00 1b 77 52 69 86 via wlan4
DHCPREQUEST for 10 3 108 186 from 00 1b 77 52 89 86 via wlan4 wrong nety
DHCPNAK on 10 3 109 196 to 00 1b 77 52 e9 86 via wlan4 3
DHCPREQUEST for 10 3 108 186 from 00 1b 77 52 e9 86 via wlan4 wrong nety
Wrote 0 leases to leases file
For info please visit http www isc org sw dhcp
ll rights reserved
Copyright 2004 Internet Systems Consortium
Internet Systems Consortium DHCP Server V3 0 2
Wrote 0 leases to leases file
For info please visit http www isc org sw dhcp
ll rights reserved
Copyright 2004 Internet Systems Consortium
Internet Systems Consortium DHCP Server V3 0 2

Figure 17: DHCP event log

The time reported in the DHCP Log corresponds to the time maintained by the EL-500 and may not be consistent with that shown in the upper left corner of the webpage, as this is the time maintained by the computer running the web browser.

7 Configuration Profile Management

Configuration profiles describe an EL-500's configuration state and can be created to simplify the provisioni
50. AN status and ID for all interfaces

To access the status page from any other page in the web interface, click on the Status link in the navigation bar that appears on the left side of the web interface.

Figure 5: Configuration overview page displayed when logging in
51. CLI is accessible through its network interfaces using an SSH client. Any of the network interfaces can be used to establish the SSH connection to the EL-500. However, connecting through the Ethernet port is required for devices that have not previously been configured.

Windows XP does not include an SSH client application. You will need to install a 3rd-party client, such as SecureCRT from Van Dyke software (http://www.vandyke.com/products/securecrt) or the free PuTTY SSH client (http://www.putty.nl), to connect to an EL-500 using SSH.

When you log in to the EL-500, the CLI will present a command prompt. The shell timeout is displayed above the login prompt. The CLI will automatically log out a user if a session is inactive for longer than the timeout period. Section 9.9 describes how to change the timeout period.

Shell timeout 3 minutes Press for help
>

4.2 User Account

The user login used to access the EL-500 is admin. The procedure for changing the password for this account is described in section 9.1.

4.3 CLI Interfaces

The CLI provides the user with a number of interfaces that contain related parameters and controls. Some of these interfaces are hardware interfaces, such as Ethernet, while others are virtual interfaces that contain a set of related parameters. The available interfaces are: wlan1, wlan2, wlan3, wlan4: controls for the virtu
52. DHCP. When configured as a DHCP client, the EL-500 will continually attempt to contact a DHCP server until it is successful. If the DHCP mode is set to client, the IP configuration must be carried out manually as described in the next section.

CLI: To set the DHCP mode to client on the Ethernet interface, set the value of the dhcp role parameter in the eth0 interface to client, as shown in the example below:

> use eth0
eth0> set dhcp role client

To disable Ethernet DHCP client mode, set the DHCP mode parameter to none, as shown below:

> use eth0
eth0> set dhcp role none

Web GUI: The Ethernet DHCP mode value can be set via the web interface using the DHCP sub-tab on the DHCP tab on the System Parameters page (see Figure 38).
53. Document No. TR0190 Rev B1

EL-500 Access Point User's Guide, Rev B1

Tranzeo Wireless Technologies Inc. Communicate Without Boundaries. Tranzeo Wireless Technologies Inc., 19473 Fraser Way, Pitt Meadows, BC, Canada V3Y 2V4. www.tranzeo.com. Technical support email: support@tranzeo.com

ER 1000 Access Point User's Guide

Tranzeo, the Tranzeo logo and EL-500 are trademarks of Tranzeo Wireless Technologies Inc. All rights reserved. All other company, brand and product names are referenced for identification purposes only and may be trademarks that are the properties of their respective owners. Copyright 2007 Tranzeo Wireless Technologies Inc.

FCC Notice to Users and Operators

This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) This device may not cause harmful interference, and (2) This device must accept any interference received, including interference that may cause undesired operation.

This equipment has been tested and found to comply with the limits for Class B Digital Device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. Howev
54. E PORT LABELED CPE ON THE PoE INJECTOR. NETWORK EQUIPMENT THAT DOES NOT SUPPORT PoE CAN BE PERMANENTLY DAMAGED BY CONNECTING TO A PoE SOURCE. NOTE THAT MOST ETHERNET INTERFACES ON PERSONAL COMPUTERS (PCs), LAPTOP/NOTEBOOK COMPUTERS, AND OTHER NETWORK EQUIPMENT (E.G. ETHERNET SWITCHES AND ROUTERS) DO NOT SUPPORT PoE.

The EL-500 AP radio port is an N-type RF connector that can interface with a wide range of Tranzeo antennas. After purchasing the desired 2.4 GHz or 5.8 GHz antenna for the EL-500HG or EL-500HA models, respectively, attach the antenna to the access point (AP) radio port on the EL-500. The antenna must be chosen such that its gain, combined with the output power of the radio, complies with maximum radiation power regulatory requirements in the area the EL-500 is used.

1.4 Deployment Considerations

The EL-500's radio operates in either the 2.4 GHz or the 5.8 GHz ISM band, depending on the model. It is possible that there will be other devices operating in these bands that will interfere with the EL-500's radio. Interference from adjacent EL-500s can also degrade performance if the EL-500s are not configured properly.

It is advisable to carry out a site survey prior to installation to determine what devices are operating in the band that your EL-500 uses. To detect the presence of other 802.11 devices, a tool such as Netstumbler (http://www.netstumbler.com/downloads) can be used. A spectrum analyzer can be used for furt
55. I to set this parameter.

Web GUI: The VAPs' communication rate can be set via the web interface using the appropriate wlanN tab on the Wireless Interfaces page (see Figure 41). To limit communication to a specific rate, use the drop-down menu to select the appropriate rate and verify that the Auto checkbox is not selected. To set the device to automatically select the most appropriate rate, click on the Auto checkbox to select it.

13.11 Preamble Length

The VAPs can be configured to use short preambles when there are no client devices present that only support long preambles. Alternatively, the device can be forced to always use long preambles. Using short preambles reduces communication overhead, but may not be supported by older 802.11 client devices.

The preamble length setting is uniform across all VAPs. Changing it for one will automatically change it for all others as well.

CLI: The example below shows how to set the preamble type used by a VAP using the CLI. The preamble type is set with the iwpriv short preamble parameter in the wlanN interfaces. To enable short preambles, set this parameter to 1. To force use of long preambles, set this parameter to 0.

> use wlan1
wlan1> set iwpriv short preamble 1

Web GUI: The preamble types supported by the VAPs can be set via the web interface using the appropria
56. LAN prefix first octet gt lt node ID 1 1

CLI: The bridge IP settings are set with the ip address force, ip broadcast force, ip gateway_force, and ip netmask force parameters in the br0 interface. For these settings to be used, the bridge interface DHCP mode must be disabled using the dhcp role parameter in the br0 interface, as shown in the example below. The example below shows how to manually set an IP configuration for the bridge interface:

> use br0
br0> set dhcp role none
br0> set ip address force 10.5.1.27
br0> set ip broadcast force 10.5.1.255
br0> set ip gateway force 10.5.1.1
br0> set ip netmask force 255.255.255.0

To set the DHCP mode to client for the bridge interface, set the dhcp role parameter in the br0 interface to client, as shown below:

> use br0
br0> set dhcp role client

Web GUI: The IP address, gateway, netmask, and broadcast address parameters can be set on the L2 Bridge page when the DHCP mode for the bridge interface is set to none (see Figure 13). A link to the L2 Bridge page appears in the navigation bar when bridge mode is selected.
57. Note: if the profile with the same name already exists on the node, it will be overwritten.

Figure 22: Uploading a configuration profile to an EL-500

8 Mode of Operation

The EL-500 can be configured to operate in either routed or bridge mode. In routed mode, all communication is managed at the IP (layer 3) level, with the EL-500 acting as a router. In bridge mode, all communication across the EL-500 is managed at the MAC (layer 2) level, with the EL-500 acting as a switch. The choice of the operating mode affects the availability of many of the EL-500's features, which is reflected in the web GUI options available when a particular mode is chosen. Table 5 summarizes the feature differences between the two modes.

Bridge Mode Routed mode e The bridge interface can be a Nall can be a e PNE from e DHCP requests from client DHCP client devices attaching to devices attaching to the virtual APs can be handled by a local dde oe DHCP server on the EL 500 or y p can be forwarded to a device on the network centralized server
Splash pages. Bridge mode: Not available. Routed mode: Available.
Firewall. Bridge mode: Custom firewall rules cannot be added. Routed mode: Custom firewall rules can be added.
Wired and virtual AP The interfaces do not have IP IP addr
58. N prefix octet 1> LAN prefix octet 2 Node ID <wlan IP address range start address> <wlan1 IP address range size> 2

The EL-500 can be configured to set aside a number of IP addresses for client devices that will use a static IP address. These IP addresses are taken from the pool that DHCP assigns IP addresses from. Thus, increasing the number of IP addresses set aside for devices with static IP addresses will reduce the size of the DHCP address pool.

The DHCP reserve parameter controls the number of IP addresses that will be reserved for static use. By default this parameter is set to zero, assigning the maximum possible number of IP addresses to the DHCP pool. You may reserve the entire range of IP addresses, but the EL-500 will use at least the highest address in the range for DHCP. If the dhcp reserve value is non-zero, the DHCP range start address will be affected as shown below:

Start address <LAN prefix octet 1> <LAN prefix octet 2> Node ID <wlan1 IP address range start address 1 <wlan DHCP reserve

CLI: The DHCP mode parameters in the wlanN interfaces control DHCP behavior. When the mode is set to server, the EL-500 will respond to DHCP requests received from client devices connected to the interface. The examples below show how to set the DHCP server state for the wlan1 interfac
59. Figure 62: Pinging a remote device

20.2 Traceroute

The Traceroute tab on the Diagnostics page allows the user to determine the individual intermediary devices used to route traffic from the EL-500 to a remote device (see Figure 63). Enter the IP address (e.g. 10.1.2.3) or hostname (e.g. www.yahoo.com) of the device you wish to find the route path to. Check the Resolve Names box if traceroute should show device names, when available, instead of just IP addresses. Click on the Trace Route button to begin tracing the route. The intermediary nodes will be displayed on the bottom half of the page. Click on Stop Trace to stop the tracing process.
60. NS settings are only used locally by the EL-500 and are not provided to any other devices on the network.

CLI: The DNS server(s) used by an EL-500 are specified with the dns servers parameter in the sys interface. To specify multiple DNS servers, list them as a space-delimited string enclosed by quotes, as shown in the example below:

> use sys
sys> set dns servers "10.5.0.5 192.168.5.5"

Web GUI: A primary and secondary DNS server can be set via the web interface using the DNS tab on the System Parameters page.

Figure 26: Setting the DNS and Netbios server(s)

9.4 DNS Proxy Configuration

DNS proxy entries can be added to an EL-500 to force local resolution of host names to IP addresses for the hosts in
61. Figure 10: Partial configuration overview page

The configuration overview page shows a summary of settings for the virtual access point interfaces and the wired interface. The firmware version, uptime of the device, and its operating mode are also displayed. Links labeled change are shown next to the settable parameters. These links take you to the appropriate page to change the setting.

6.2 Interface Status

Traffic and neighbor information for the virtual AP and wired interfaces are available on the Status tab of the Status page. Select the appropriate interface for which you wish to view information from the row of tabs below the primary tab row.

6.2.1 Virtual AP Interfaces

The sub-tabs display status information about the virtual AP interfaces. Data statistics information for the in
62. QoS Configuration

The maximum output data rate for interfaces can be limited with the Output Limit parameters for each client access interface. The default output limit value is applied to interfaces that have the Output Limit parameter set to inherit.

Figure 53: Quality of Service rate limit control points

Data rate limits can also be imposed based on traffic type through an interface. The maximum data rate for a certain type of traffic that enters the EL-500 through a particular interface and exits it through another interface can be limited.

There is no standalone input rate limiting. Limiting the input rate of an interface on the EL-500 only makes sense in the context of the output for another interface(s). In most cases you are concerned with eth0 as the output interface.

CLI: The example below shows how to limit the maximum output rate of the eth0 interface to 8 Mbps and the maximum output rates of all four wlanN interfaces to 2 Mbps each:

> use qos
qos> set out eth0 limit 8192
qos> set out wlan1 limit 2048
qos> set out wlan2 limit 2048
qos> set out wlan3 limit 2048
qos> set out wlan4 limit 2048

The maximum data rate for traffic that enters the EL-500 through a particular interface and exits it through another interface can be limited with the out
63. Node ID
DNS Domain Settings
DNS Proxy Configuration
NetBIOS Server
Certificate Information
Time Synchronization
Web GUI Console
OnRamp Configuration Access
Client Addressing Schemes
Implicit Addressing Scheme
Client Address Space Segmentation in Implicit Addressing Mode
Explicit Addressing Scheme
Ethernet Interface Configuration
64. The EL-500 is a full-featured access point in a ruggedized enclosure designed for outdoor installation. This user's guide presents a wide array of configuration options, but only a limited number of options have to be configured in order to deploy an EL-500.

1.1 EL-500 Variants

There are two EL-500 variants available, as shown in Table 1.

Table 1: EL-500 variants
Model Number / Frequency Band / 802.11 standard
EL-500HG: 802.11b/g
EL-500HA: 802.11a

Throughout the manual, EL-500 will be used to collectively refer to this family of products. Where the functionality of the variants differs, the actual model number will be used.

1.2 EL-500 Capabilities

Based on the IEEE 802.11b/g and 802.11a standards and complete with FCC certification, the EL-500 family of outdoor access points are fully standards-compliant. This family of outdoor access points has been designed with a multitude of network and management features for ease of installation and operation in any new or existing network. Features include:

Multiple ESSIDs per radio
High-powered 26 dBm output in 802.11b/g mode
High-powered 23 dBm output in 802.11a mode
Router or bridge mode operation
DHCP server
DHCP relay
QoS support (IEEE 802.11e, WMM)
VLAN support (IEEE 802.1q)
Security: WPA; WPA2; WEP 64/128; Stateful packet inspection; Custom firewall rules
Web GUI
Tranzeo CLI (SSH)
Remote upgrade
Configu
65. age

Figure 29: Setting location and certificate information

9.8 Certificate Information

A certificate for use with splash pages and the web interface is locally generated on the EL-500. The information embedded in this certificate can be defined by the user. A new certificate is automatically generated when the parameters describing the EL-500's location are changed. The specific location parameters to which the certificate is tied are listed in the sections below.

CLI: The information used in certificate generation can be set using the organization parameters in the sys interface. These parameters are:

sys organization name: name of organization (must be enclosed in quotes if it contains spaces)
sys organization city: city name (must be enclosed in quotes if it contains spaces)
sys organization state
66. al APs supported by the EL-500
eth0: controls for the Ethernet interface
br0: controls for bridge mode
firewall: controls firewall settings
qos: controls Quality of Service (QoS) settings
version: displays version information for the installed firmware
system: system settings

The currently selected interface is shown as part of the command prompt. For example, when the wlan1 interface is selected, the command prompt will be

wlan1>

After logging in, no interface is selected by default. Before setting or retrieving any parameters, an interface must be selected.

4.4 CLI Features

The CLI has a number of features to simplify the configuration of the EL-500. These features are explained in the following sub-sections.

4.4.1 Control of the Cursor

The cursor can be moved to the end of the current line with Ctrl-E. Ctrl-A moves it to the beginning of the line.

4.4.2 Cancel a Command

Ctrl-C cancels the input on the current command line and moves the cursor to a new blank command line.

4.4.3 Searching the Command History

The command history can be searched by pressing Ctrl-R and entering a search string. The most recently executed command that matches the string entered will be displayed. Press Enter to execute that command.

4.4.4 Executing a Previous Command

By using the up and down arrow keys, you can select previously executed comm
67. ands. When you find the command you wish to execute, you can either edit it or press Return to execute it.

4.5 CLI Commands

The usage of all CLI commands is explained in the following subsections. The command syntax used is

command <mandatory argument>
command optional argument

4.5.1 command

Syntax: 2

Description: Pressing at any time in the CLI will display a help menu that provides an overview of the commands that are described in this section. It is not necessary to press Enter after pressing

4.5.2 whoami command

Syntax: whoami

Description: Displays the name of the user you are logged in as.

4.5.3 help command

Syntax: help command parameter

where the optional argument is either one of the CLI commands (command) or a parameter in the currently selected interface (parameter).

Description: When no argument follows the help command, a help menu showing a list of available commands is displayed. When a command is supplied as the argument, a help message for that particular command is displayed. When a parameter in the current interface is specified as the argument, help information for it is displayed.

Example: help get will display the help information for the get command. With the sys interface selected,

sys> help scheme

displays help information about that scheme parameter, as shown
68. ash pages

Figure 27: Configuring DNS proxy

9.5 NetBIOS Server

The NetBIOS server parameter is used to define a NetBIOS server's IP address that is provided to client devices when configured by the EL-500's local DHCP server.

The NetBIOS settings are not used when operating in bridge mode.

CLI: The NetBIOS server is set with the netbios servers parameter in the sys interface. To specify multiple NetBIOS servers, list them as a space-delimited string enclosed by quotes, as shown in the example below:

> use sys
sys> set netbios servers "10.6.0.5 192.168.6.5"

Web GUI: A primary and secondary NetBIOS server can be set via the web interface using the DNS tab on the System Parameters page (see Figure 26).

The EL-500 supports SNMP. The read-only and read-write passwords and the port that SNMP uses can be configured. A contact person and device location can also be specified as part of the SNMP configuration.

CLI: The SNMP read-only and read-write passwords are set with the snmp community ro and snmp community rw parame
69. bps 256 kbps and 128 kbps respectively:

> use qos
qos> set out eth0 wlan1 vo reserve 512
qos> set out eth0 wlan1 vi reserve 1024
qos> set out eth0 wlan1 be reserve 256
qos> set out eth0 wlan1 bk reserve 128

Web GUI: The rate reservation parameters can be set via the web interface under the QoS and Advanced QoS tabs on the QoS page (see Figure 51 and Figure 52).

18 Enabling VLAN Tagging

The EL-500 supports VLAN tagging, with each client access interface capable of supporting a different VLAN tag.

18.1 Client Access Interface Configuration

VLAN tagging can be independently controlled on each client access interface (wlan1-4). The Enable VLAN parameters for the wlan1, wlan2, wlan3, and wlan4 interfaces control the state of VLAN tagging.

VLAN tagging must be enabled on the Ethernet interface for VLAN tags to be included in data frames sent to the LAN. See section 18.2 for more details.

The VLAN ID value for each client access interface is set with the VLAN ID parameter for each interface. The VLAN ID must be in the range from 0 to 4095. Note that 0 and 4095 are reserved values and 1 is the default VLAN ID. There are no restrictions on VLAN IDs for different interfaces having to match or be different.

CLI: The example below shows how to enable VLAN tagging on the wlan1 interface a
70. Initial Configuration of an EL-500
Configuration Overview Page
Interface Status
Virtual AP Interfaces
Wired Interface Status
Bridging
Configuration Profile Management
Saving the Current Configuration
Load a Configuration Profile
Delete a Configuration Profile
Downloading a Configuration Profile from an EL-500
Uploading a Configuration Profile to an EL-500
Mode of Operation
System Settings
71. ckets forwarding is done by the EL-500. The two supported operating modes are bridge and router, with the former using layer 2 based traffic forwarding mechanisms and the latter using layer 3 based mechanisms.

Abbreviations

ACL: Access Control List
AP: Access Point
CLI: Command line interface
Client access interface: An interface on the EL-500 used by a client device, such as an 802.11-enabled laptop, to connect to the EL-500. The client access interfaces are the virtual APs (wlan1-wlan4).
ESSID: Extended Service Set Identifier
LAN: Local Area Network
NAT: Network Address Translation
PoE: Power over Ethernet
QoS: Quality of Service
RSSI: Received signal strength indicator
STP: Spanning Tree Protocol
VAP: Virtual Access Point. An access point that uses the same radio as other access points in the system.
VLAN: Virtual Local Area Network
VPN: Virtual Private Network
WAN: Wide Area Network
WLAN: Wireless Local Area Network
WPA: Wi-Fi Protected Access
WPA-PSK: Wi-Fi Protected Access Pre-Shared Key
72. clients and itself.

WEP Key: A key common to all users connecting to this access point. Legal key lengths are 5 or 13 ASCII characters.

Figure 44: Virtual access point authentication and encryption settings

13.8.1 WEP Encryption

The VAPs can be protected with a WEP-based encryption key to prevent unauthorized users from intercepting or spoofing traffic.

CLI: To enable WEP-based encryption, set the key parameter in the wlanN interface. The length of the encryption key is determined by the format used to specify the key value. Valid key formats and the corresponding encryption type and key length are listed in Table 11. If WPA is enabled for an interface (wpa enable CLI parameter in the wlanN interfaces), the WPA settings will be used for encryption and authentication, and the key value used to enable WEP will be ignored.

Table 11: WEP encryption key formats
Key format / Encryption format / Encryption key length
s <5 ASCII characters> or <10 hex values>: WEP, 40 bits
s <13 ASCII characters> or <26 hex values>: WEP, 104 bits
N/A

For example, 104-bit WEP encryption can be enabled using an ASCII key with

> use wlan1
wlan1> set key s abcdefghijklm

or using a hexadecimal key with

> use wlan1
wlan1> set key 0123456789abcdef0123456789

WEP encryption can be disabled by sp
73. d default, respectively.

Figure 3. Login window for web interface

Since the certificate used in establishing the secure link to the EL-500 has not been signed by a Certification Authority (CA), your browser will most likely display one or more warnings similar to those shown below. These warnings are expected and can be disregarded.

    Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the site's security certificate.
    - The security certificate was issued by a company you have not chosen to trust. View the certificate to determine whether you want to trust the certifying authority.
    - The security certificate date is valid.
    - The name on the security certificate is invalid or does not match the name of the site.
    Do you want to proceed?

Figure 4. Certificate warning

A configuration overview page is loaded by default after the login process has been completed. This page contains the following information:

- System uptime
- Firmware version and list of installed patches
- System mode of operation (router or bridge)
- Bridge information, if bridge mode is selected
- IP addresses, netmasks, and MAC addresses for each client access interface
- Status, channel, ESSID, and encryption type for each virtual access point interface
- VL
74. d background traffic from wlan1 through the eth0 interface to 256 kbps, 1 Mbps, 256 kbps, and 256 kbps, respectively.

    > use qos
    qos> set out eth0 wlan1 vo limit 256
    qos> set out eth0 wlan1 vi limit 1024
    qos> set out eth0 wlan1 be limit 256
    qos> set out eth0 wlan1 bk limit 256

Web GUI: The interface and traffic-based Output Limit parameters can be set via the web interface under the QoS and Advanced QoS tabs on the QoS page (see Figure 51 and Figure 52).

17.3 Rate Reservation

Rate reservation is used to guarantee bandwidth for certain types of traffic. Rate reservations can be made for traffic based on:

- The traffic input and output interfaces
- The traffic type, input interface, and output interface

For rate reservations to be enforced, a rate limit must be set for the traffic type that the reservation is made for. Setting a rate limit for a broader traffic type, of which the one the reservation is made for is a subset, is also acceptable. For example, when making a rate reservation for voice traffic from wlan1 to eth0 (out eth0 wlan1 vo reserve), a limit must be set with out eth0 limit, out eth0 wlan1 limit, or out eth0 wlan1 vo limit.

Rate reservations guarantee bandwidth for a particular traffic type, but if no such traffic is present, the bandwidth reserved will be returned to the
75. Figure 39. Bridge configuration page with DHCP client mode disabled

The DHCP mode for the bridge interface is set on the DHCP tab on the System page. When bridge mode is selected, the only setting available on this page is the bridge DHCP mode, as shown in Figure 40.

Figure 40. DHCP configuration page when operating in bridge mode

12.2 Bridging Parameters

Two parameters
76. Figure 60. Adding trusted MAC addresses and accessible hosts

19.1.6 Bypass Splash Pages for Access to Specific Hosts

It is possible to specify a list of IP addresses that client devices can access without the client devices having to view a splash screen.

CLI: The list of hosts that can be accessed without having to view a splash screen is set with the splash bypass_hosts parameter in the sys interface. The hosts are specified by their IP addresses and must be separated by commas. An example of setting this parameter is shown below.

    > use sys
    sys> set splash bypass_hosts 1.1.1.1,2.2.2.2

Web GUI: The IP addresses of hosts that can be accessed without having to view a splash screen can be set on the Advanced Splash Pages sub-tab under the AAA tab
78. e

    > use wlan1
    wlan1> set dhcp role server
    wlan1> set dhcp relay enable no

To disable the DHCP server, set the dhcp role parameter to none.

    > use wlan1
    wlan1> set dhcp role none

The example below shows how to set the DHCP reserve parameter.

    > use wlan1
    wlan1> set dhcp reserve 5

Web GUI: The VAP interfaces' DHCP server state can be set via the web interface using the DHCP sub-tab under the DHCP tab on the System Parameters page (see Figure 45). All of the interfaces' DHCP settings can be configured on this page. Set the Mode field to Server to set the DHCP mode for a client access interface to be the local DHCP server.

The DHCP reserve setting for all VAPs and the wired interface can be set via the web interface using the DHCP sub-tab under the DHCP tab on the System Parameters page (see Figure 45).
79. e prioritized based on the source interface, destination interface, and type of traffic. The EL-500 QoS scheme allows both rate limiting and rate reservation for all interfaces.

17.1 Priority Levels

The Flow Priority parameters set the relative priority of outbound traffic based on the source interface. These parameters can be set to an integer value in the range from 0 to 99, with a higher number indicating a higher priority. If a flow priority level parameter is set to inherit, the associated interface will assume the default priority level set. The default flow priority is the flow priority inherited by each interface if another flow priority setting is not applied. The default flow priority is configurable.

Traffic originating from an interface with a higher priority will take priority over traffic from all interfaces with a lower priority value until the higher-priority interface has no more data to send. If multiple interfaces have the same priority level, their traffic will be given equal access to the outbound interface.

Rate reservation and rate limiting, described in the following sections, can be used to avoid one interface dominating the use of the Ethernet interface bandwidth.

The absolute values of the flow priority settings do not have any weighting effect. If a flow priority is higher for one interface than another, the former will always be prioritized, with any remaining bandwidth allocated to the other one.

INFO
80. e sys interface selected, set id node 2 will set the node ID to 2.

4.5.7 'get' command

Syntax: get <parameter>, where parameter is the parameter whose value is being fetched.

Description: Gets the value of one or more configuration parameters for the currently selected interface. The character can be used to specify wildcard characters. This allows multiple values to be fetched with a single command.

Example: With the eth0 interface selected, get ip address will return the Ethernet interface's IP address, while get ip will return all parameters that begin with ip:

    ip address 10.6.0.1 read only
    ip address_force
    ip broadcast 10.6.0.255 read only
    ip broadcast_force
    ip gateway read only
    ip gateway_force
    ip implicit size actual 31 read only
    ip implicit size requested 31
    ip implicit start actual 225 read only
    ip implicit start requested 225
    ip netmask 255.255.255.0 read only
    ip netmask_force

4.5.8 'list' command

Syntax: list

Description: Lists all parameters for the selected interface.

Example: With the eth0 interface selected, list will display

    acl mode                  access control list mode
    dhcp default lease tim    default dhcp lease expiration in
    dhcp max_lease_time
81. e interface. No client device would be able to access the network through the interface if splash pages are enabled and the login URL parameter does not point to a valid URL.

The success URL parameter sets the URL that a user is redirected to when they have successfully logged in. If this variable is left blank, a default page that indicates login success will be displayed.

The fail URL parameter sets the URL that a user is redirected to when a login attempt fails. If this variable is left blank, a default page that indicates login failure will be displayed.

The error URL parameter sets the URL that a user is redirected to when a login error has occurred. For example, this page would be displayed if a valid authentication server could not be reached. If this variable is left blank, a default page that indicates an error has occurred will be displayed.

CLI: In the examples that follow, <intf> represents any of the client access interfaces (wlan1, wlan2, wlan3, or wlan4).

- The splash url <intf> login parameters in the sys interface set the login URLs.
- The splash url <intf> success parameters in the sys interface set the success URLs.
- The splash url <intf> fail parameters in the sys interface set the fail URLs.
- The splash url <intf> error parameters in the sys interface set the error URLs.

The example below shows how the wlan1 and wlan inte
82. each entry in the command history. Use this number as an argument to the command to execute that command from the history. When a string is provided as an argument to the command, the string will be matched against the beginning of previously executed commands and the most recently executed command that matches will be executed. Use to execute the last command again.

If the command history is as follows:

    1 use wlan1
    2 get essid
    3 set essid new ap essid1
    4 use wlan2
    5 set essid new ap essid2

the command 1 will execute use wlan1. The command use will execute use wlan2.

4.5.15 'exit' command

Syntax: exit

Description: Terminates the current CLI session and logs out the user.

4.5.16 'quit' command

Syntax: quit

Description: Terminates the current CLI session and logs out the user.

5 Initial Configuration of an EL-500

This user's guide provides a comprehensive overview of all of the EL-500's features and configurable parameters. However, it is possible to deploy a network of EL-500s while only changing a limited number of parameters. The list below will guide you through a minimal configuration procedure that prepares a network of EL-500s for deployment.

1. Change the admin password (see section 9.1). The default password should be changed to prevent unauthori
83. ecified. These lists can be set with the following parameters in the firewall interface:

- node tcp allow dest
- node tcp allow source
- node udp allow dest
- node udp allow source

The list of allowed ports must be a space-delimited string enclosed by quotes. The example below shows how to set the TCP source ports parameters.

    > use firewall
    firewall> set node tcp allow dest "22 23 80 5280"

Web GUI: It is not possible to configure the state of the firewall and the open firewall ports via the web interface. It is enabled by default.

16.2 Gateway Firewall

The gateway firewall blocks connections originating outside the EL-500 and its client address spaces from entering the device, protecting VAP client devices from unwanted traffic. The gateway firewall will permit return traffic for connections that originate from devices in the VAP client subnets.

INFO: If you have enabled NAT (see section 15.1.2), you will have an implicit firewall that limits the type of inbound connections that are possible.

CLI: The state of the gateway firewall is controlled with the gateway parameter in the firewall interface. Enable the gateway firewall with

    > use firewall
    firewall> set gateway yes

and disable it with

    > use firewall
    firewall> set gateway no

Web GUI: It is not possible to configure the state of the gateway firewall via the web i
84. ecifying a blank value, as shown below.

    > use wlan1
    wlan1> set key

Web GUI: WEP encryption can be enabled and the key can be set via the web interface using the WPA/WEP sub-tab under the AAA tab on the System Parameters page (see Figure 44). Select WEP as the type of encryption from the drop-down menu for the VAP you wish to configure and set the WEP key in the text box below the drop-down menu. In the example in Figure 44, wlan1 has been configured to use WEP.

13.8.2 WPA Pre-Shared Key Mode (WPA-PSK)

In WPA pre-shared key (PSK) mode, a common passphrase is used for client devices connecting to an EL-500 VAP. To set the WPA-PSK mode, enable WPA for the interface and set the pre-shared key value as shown below. The passphrase must be between 8 and 63 characters in length.

The minimum number of characters required for the WPA passphrase is 8. However, it is recommended that a longer passphrase with at least 15 characters is used. This will increase the strength of the encryption used for the wireless link.

INFO

CLI: The example below shows how to enable WPA-PSK mode for wlan1. The wpa key mgmt parameter must also be set to indicate that PSK mode is being used, as shown below.

    > use wlan1
    wlan1> set wpa enable yes
    wlan1> set wpa key mgmt WPA PSK
    wlan1> set wpa passphrase long passphrases improve encryption effect
85. ed to the EL-500.

The advantages of using NAT are:

- You can easily attach an EL-500 to an existing network. You do not need to modify any settings on the router on your existing network to forward packets to the IP addresses used for the VAP interfaces and their client devices.
- The devices connected to the EL-500 are shielded from the network that the EL-500 is attached to.
- You only consume a single IP address on your existing network when connecting the EL-500 to it.

The main disadvantage of using NAT is:

- You are not able to initiate connections to the client devices connected to the EL-500 from devices connected to the LAN or points beyond that.

CLI: To set the NAT state, use the commands

    > use sys
    sys> set nat enable <yes|no>

Web GUI: The NAT state can be set via the web interface on the Wired Interface page (Figure 47).
86. 16.4 Connection Tracking
16.4.1 Connection Tracking Table Size
16.4.2 Connection Tracking Timeout
16.4.3 Limiting Number of TCP Connections Per Client Device
16.5 Custom Firewall Rules
16.6 Access Control Lists (ACLs)
17 Quality of Service (QoS) Configuration
17.1 Priority Levels
17.2 Rate Limiting
17.3 Rate Reservation
18 Enabling VLAN Tagging
18.1 Client Access Interface Configuration
18.2 Ethernet Interface Configuration
19 Integration with Enterprise Equipment
19.1 Configuring Splash Pages
19.1.1 Enabling Splash Pages
19.1.2 Configuring Splash URLs
88. er, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:

- Reorient or relocate the receiving antenna
- Increase the separation between the equipment and receiver
- Connect the equipment into an outlet on a circuit different from that to which the receiver is connected
- Consult the dealer or an experienced radio/TV technician for help

To reduce potential radio interference to other users, the antenna type and its gain should be so chosen that the equivalent isotropically radiated power (EIRP) is not more than that required for successful communication.

Any changes or modification to said product not expressly approved by Tranzeo Wireless Technologies Inc. could void the user's authority to operate this device.

The Tranzeo EL-500 Access Point must be installed by a trained professional, value added reseller, or systems integrator who is familiar with RF cell planning issues and the regulatory limits defined by the FCC for RF exposure, specifically those limits outlined in sections 1.1307

INFO
89. er the AAA tab on the System Parameters page of the web interface (see Figure 57), using the fields for Login Server Address, Login Server Port, and Login Server Secret.

19.1.5 Trusted MAC Addresses

A list of trusted MAC addresses, which do not require splash page authentication, can be defined. When a device with one of these MAC addresses connects to an EL-500, it will automatically have full access to the WAN.

CLI: The list of trusted MAC addresses is set with the splash trusted_macs parameter in the sys interface. The MAC addresses are specified as a list of 48-bit addresses separated by commas. An example of setting this parameter is shown below.

    > use sys
    sys> set splash trusted_macs aa:bb:cc:00:00:01,aa:bb:cc:00:00:02

Web GUI: The authentication server parameters can be set on the Advanced Splash Pages sub-tab under the AAA tab on the System Parameters page of the web interface (see Figure 60). The list of trusted MAC addresses is displayed on this page. To delete a trusted MAC from the list, click on the Delete MAC button next to the MAC address.
90. ere is a DNS proxy entry on the EL-500, and the last part of it must be radius login cgi. The DNS proxy entry, which will be different for each deployed EL-500, must be mapped to one of the EL-500's IP addresses (see section 9.4 for more information on how to set DNS proxy configuration). The example below shows how to configure the DNS proxy, assuming the login page redirects to the host redirect domain com and the IP address of the wlan1 interface is 10.1.2.1.

    > use sys
    sys> set dnsproxy enable yes
    sys> set dnsproxy hosts dns proxy name here 10.1.2.1

The DNS proxy setting is used in conjunction with the splash pages to ensure that a common login URL can be used on all EL-500s. The DNS proxy entry directs the results of the login process to the right location, that is, the EL-500 that the client device is connected to.

INFO

The login page must also contain the input fields on lines 12, 15, and 19. These are used to allow a user logging in to provide their username and password and to submit them. The names of these input fields (username, password, and login) must not be changed.

html head title Test Login Page lt title gt head body form method POST action https dns proxy name here radius login cgi Welcoming text or Terms of Service could go here br table border
91. esses must be assigned to IP addresses addresses the interfaces

    QoS          Not available    Available
    DNS proxy    Not available    Available

Table 5. Feature differences between bridge and routed mode

When switching to bridge mode, all the IP addresses for virtual access points (wlan1-4) and the wired interface will be disabled. A bridge interface will be created to provide IP access to the EL-500 in bridge mode. By default, the address of this interface will be set to <LAN prefix first octet>.<node ID>.1.1. It is recommended that an IP address is explicitly set for the bridge interface when switching to bridge mode. See section 12.1 for instructions on how to set the bridge interface parameters.

Certain web GUI pages are only available when the device is configured for bridge mode operation. These pages are:

- L2 Bridge in the main navigation bar
- Bridging tab on the Status page

CLI: The EL-500's operating mode is set with the scheme parameter in the sys interface. Valid values are aponly for routed mode and l2bridge for bridge mode. For example, set the operating mode to routed mode with

    > use sys
    sys> set scheme aponly

Web GUI: The operating mode can be set via the web interface using the System tab on the System Parameters page.
92. 19.1.3 Sample HTML Code for Splash Pages
19.1.4 Configuring the Authentication Server
19.1.5 Trusted MAC Addresses
19.1.6 Bypass Splash Pages for Access to Specific Hosts
19.2 Layer 2 Emulation
20 Diagnostics Tools
20.4 Centralized DHCP Testing
20.5 RADIUS Server Testing
20.6 Diagnostic Dump
21 Firmware Management
Displaying the Firmware Version
Upgrading the Firmware

1 Working with the EL-500

Thank you for choosing the Tranzeo EL-500 802.11 Access Point
93. f client-to-client isolation is disabled for both interfaces. Client-to-client isolation is only enabled if the EL-500 firewall (firewall node enable) is enabled (section 16.1).

16.4 Connection Tracking

The firewall keeps track of existing TCP connections. It is advisable to enable connection tracking for public networks that can have large numbers of users. In particular, it is important to enable connection tracking if your network is heavily loaded or if it has users running file sharing applications. A number of parameters are available for tuning how connection tracking is handled.

16.4.1 Connection Tracking Table Size

The size of the connection tracking table can be set. Allowed values are in the range from 4096 to 16384. A larger connection tracking table allows more connections to be maintained without dropping older connections. Typically, the default size of 8192 is adequate for normal operation, and the setting should only be increased on devices with high levels of traffic and many users.

CLI: The connection tracking table size is set by selecting the firewall interface and setting the conntrack table_size parameter.

    > use firewall
    firewall> set conntrack table_size 16384

Web GUI: The connection tracking table size is set with the Conntrack Size field on the Connections sub-tab on the Firewall tab of the Security page (see Fi
95. face's client isolation parameter to yes, client devices connecting to that interface will not be able to communicate with any other client devices connected to the EL-500.

Figure 48. Connection-related firewall settings

Note that devices connected to different interfaces can only communicate with each other i
96. face using the System tab on the System Parameters page, as shown in Figure 25.

Figure 25. System settings page with EL-500 in routed mode

9.3 DNS/Domain Settings

At least one DNS server accessible from the EL-500 must be specified for the device to be able to resolve host names. This DNS server is also provided to client devices that acquire an IP address from the local DHCP server on an EL-500. If an EL-500 acquires DNS server information through DHCP on its wired interface, this DNS server information will overwrite any manually set DNS server setting.

BRIDGE: When operating in bridge mode, the D
97. ge mode bridge mode Configuring the device Static before a unique Ethernet Always Configuration Einen IP address has been present jesus eed ues configured Configuring the device before a unique Ethernet IP address has been configured Unlike the OnRamp static configuration Disabled by Configuration eiieinet interface this interface s default NA s address can be modified allowing multiple unconfigured EL 500s to be attached to a LAN 10 253 1 1 24 AP radio Providing connectivity to p Mobi 10 253 2 1 24 No wireless client devices default y 10 253 3 1 24 10 253 4 1 24 Provides a gateway for f T ee N A client devices when using ja pue N A No centralized DHCP mode i (Table 4: EL-500 network interfaces) Note that the Static Configuration interface is the only interface that has a fixed address that cannot be changed by the user. Since this interface is known to always be present, it can be used for initial configuration and for accessing devices whose configuration settings are unknown. 2.2 Connecting to an Unconfigured EL-500. Use the Static Configuration interface with IP address 169.254.253.253 and netmask 255.255.0.0 to establish network connectivity to an unconfigured EL-500. The Static Configuration interface functions only with the EL-500's wired interface. Do not try to access the EL-500 over a wireless link using the address of this interface. To c
98. guration is available through the following read-only parameters: ip address (IP address), ip broadcast (IP broadcast address), ip gateway (default gateway), ip netmask (netmask). These parameters cannot be set, though. These default parameters can be overridden with the parameters listed below: ip address_force, ip broadcast_force, ip gateway_force, ip netmask_force. The example below shows how a custom IP address can be set for the Ethernet interface:
    > use eth0
    eth0> set dhcp none
    eth0> set ip address_force 192.168.1.2
    eth0> set ip broadcast_force 192.168.1.255
    eth0> set ip gateway_force 192.168.1.1
    eth0> set ip netmask_force 255.255.255.0
    Web GUI: The Ethernet IP address, gateway, netmask and broadcast address parameters can be set via the web interface using the Wired Interface page (see Figure 37). The current IP values can be viewed on the Status page. 12 Bridge Interface Configuration. 12.1 IP Configuration. The bridge interface has an IP address that can be set manually or acquired via DHCP. With the exception of the fixed configuration IP address, this is the only active IP address on the device when it is operating in bridge mode. When not explicitly specifying an IP address or enabling DHCP client mode, the address for the bridge interface will default to
99. gure 48). This field is located under the Connection Tracking heading. 16.4.2 Connection Tracking Timeout. The connection tracking timeout parameter allows you to flush connections that have been idle for an extended period of time from the connection tracking table. This will help limit the maximum required size of the connection tracking table. By default this parameter is set to 3600 seconds (1 hour). CLI: The connection tracking timeout is set by selecting the firewall interface and setting the conntrack tcp timeout established parameter. The timeout is specified in seconds.
    > use firewall
    firewall> set conntrack tcp timeout established 3600
    Web GUI: The connection tracking timeout is set with the Conntrack Connection Timeout field on the Connections sub-tab on the Firewall tab of the Security page (see Figure 48). This field is located under the Connection Tracking heading. Specify the timeout limit in seconds. 16.4.3 Limiting Number of TCP Connections Per Client Device. The number of TCP connections allowed per client device can be limited. For most use cases, setting the connection limit to 30 is sufficient. Users running file sharing applications may have difficulties establishing connections when TCP connection limiting is enabled, since the file sharing application may be consuming the maximum number of TCP connections allowed
100. h this lease time. Reserved Address Range: The number of addresses set aside for use as static IPs. Address Range Start. 11.2 Manual IP Configuration. If the Ethernet DHCP mode parameter is set to none, the manually configured IP address will be used. The default IP configuration that is assigned to the interface based on the LAN prefix and node ID settings is available through the CLI and the web GUI. Note that for the manually configured IP address to be used, the Ethernet DHCP mode setting must be set to none if the EL-500 is connected to a network which provides access to a DHCP server. The IP configuration settings shown in the eth0 interface in the CLI and on the Wired Interface page of the web interface do not necessarily reflect the current settings of the interface. They are the requested settings and do not take into account whether the interface has been configured via DHCP. If the Ethernet DHCP mode parameter is set to client, the ip address, ip broadcast, ip gateway and ip netmask parameters will respond to a get command with <dhcp> to indicate that the parameters will be assigned by a DHCP server instead of any values assigned via the CLI. Use the ifconfig eth0 command in the CLI or access the Status page in the web interface to get current interface settings. CLI: The Ethernet default IP confi
101. [Figure 28: SNMP configuration] 9.7 Location. Two types of device location information can be stored: latitude/longitude/altitude, and a postal address or description of a device's location. Note that these values are not automatically updated and must be entered after a device has been installed. Altitude is in meters. Latitude and longitude must be given as geographic coordinates in decimal degrees, with latitude ranging from -90 to 90 (with negative being south, positive being north) and longitude ranging from -180 to 180 (with negative being west, positive being east). CLI: The geographic location of the EL-500 can be stored in the following fields in the sys interface: sys location gps altitude, sys location gps latitude, sys location gps longitude. For example, you can set the latitude value as follows:
    > use sys
    sys> set location gps latitude 34.01
    A description of the EL-500's location can be stored in the location postal field in the sys interface. For example, you can set the location value as shown below:
    > use sys
    sys> set location postal Light post near 123 Main St Anytown CA
    Web GUI: The location information can be set via the web interface using the Location tab on the System Parameters p
102. he Custom Rules tab and click on the Save and Apply Changes button when all rules have been entered. The following examples of custom rules illustrate how to use the custom firewall interface. Blocking SMTP traffic 25. This rule will block all SMTP traffic, which uses port 25:
    --dport 25 -j DROP
    Limiting Access Based on Client Access Interface. Packets can be filtered based upon which interface they were received through. For example, wlan1 and wlan2 can be used to provide users with access to two different private subnets, while wlan3 users have access to neither of these subnets. Users of all wlans would have access to the Internet, though. The following rules will drop traffic from wlan1 destined for the 192.168.2.0 subnet, drop traffic from wlan2 destined for the 192.168.1.0 subnet, and drop traffic from wlan3 destined for the 192.168.1.0 and 192.168.2.0 subnets:
    -i wlan1 --dst 192.168.2.0/24 -j DROP
    -i wlan2 --dst 192.168.1.0/24 -j DROP
    -i wlan3 --dst 192.168.1.0/24 -j DROP
    -i wlan3 --dst 192.168.2.0/24 -j DROP
    [Screenshot of the Custom Rules sub-tab of the Firewall tab. Help text: Custom Firewall Rules. Additional firewall rules may be added which affect packets passing through the node. This allows you to tailor rules for your pa
103. her a splash page is displayed when clients first connect to the interface. Require Login: A splash page can require login credentials or simply require a click-through. Splash Page URL: URL of the splash page to be displayed when a client connects to the interface. Success Page URL: URL of the page to be displayed following a successful login. Specifying this URL is optional. If no URL is specified, a generic success page will be displayed. Failed Login Page URL: URL of the page to be displayed following a failed login. Specifying this URL is optional. If no URL is specified, a generic failure page will be displayed. Login Server, Port, Secret: When the splash page is configured to require a login, information about the RADIUS server used to verify the login information must be specified. [Figure 57: Splash page configuration] 19.1.2 Configuring Splash URLs. The URL that a user is redirected to for login purposes can be individually configured for each client access interface that supports splash pages (wlan1-4). URLs for successful login, failed login and error conditions can also be specified for each interface. The login URL parameter sets the URL that a user is redirected to when they attach to the interface and have not yet been authenticated. This parameter should not be left blank if splash pages are enabled for th
104. her characterization of interference in the band. 1.4.1 AP Channel Selection. A site survey should be conducted to determine which access point channel will provide the best performance. Some of the 802.11b/g channels that the EL-500HG's radio can be configured to use are overlapping. Only channels 1, 6 and 11 are non-overlapping. [Figure 2: 802.11b/g channel chart showing top, bottom and center frequencies for each channel; frequency axis from 2400 to 2480 MHz] 2 Connecting to the EL-500. The EL-500 can be configured and monitored by connecting to one of its network interfaces. The wired Ethernet interface on the EL-500 should be used for initial configuration of the device, but the wireless network interface can be used to connect to the device after initial configuration has been completed. 2.1 Network Interfaces. The EL-500 has several network interfaces, as shown in Table 4. The network interfaces listed in the table below are logical, not hardware, interfaces. Some of the interfaces listed in the table share the same hardware interface. Can be Hardware Interface Default altered by Interface Primary Function Availability Address the user Enabled by Ethernet Connecting to a LAN default 10 253 0 1 24 No N A Access to the device when Enabled in 10 253 1 1 24 No operating in brid
105. ia the web interface using the appropriate wlanN tab on the Wireless Interfaces page (see Figure 41). 13.3 Virtual Access Point Client Device Address Space. Each VAP interface is either assigned a segment of the EL-500's class C client address space, if the device is using implicit addressing mode, or an arbitrary address space can be set for the interface when using the explicit addressing scheme. See section 10 for more information on client addressing schemes. The EL-500 VAPs' interface IP configurations can be changed directly when it is using the explicit addressing scheme. They cannot be changed directly when the device is using the implicit addressing scheme. When an EL-500 is configured to use the implicit addressing scheme, set the IP address to the desired value by modifying the node ID and LAN prefix parameters (see sections 9.2 and 10.1.1). Set the netmask by changing the client address space segments as described in 10.1.2. CLI: You can view the IP settings for the VAP interfaces with the ip parameters in the appropriate wlanN interface, as shown in the example below:
    > use wlan1
    wlan1> get ip
    ip address 10.2.4.1 read only
    ip address_force
    ip broadcast 10.2.4.127 read only
    ip broadcast_force
    ip gateway read only
    ip gateway_force
    ip netmask 255.255.255.0 read only
    ip netmask_force
106. ied network interface. Example: ifconfig wlan1 will display
    wlan1 Link encap:Ethernet HWaddr 00:15:6D:52:01:FD
          inet addr:10.2.10.1 Bcast:172.29.255.255 Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2434 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b) TX bytes:233128 (227.6 Kb)
    4.5.11 route command. Syntax: route. Description: Displays the current route table. 4.5.12 clear command. Syntax: clear. Description: Clears the screen. 4.5.13 history command. Syntax: history. Description: Shows the command history since the EL-500 was last rebooted. Example: After switching to the wlan1 interface, inspecting the ESSID setting, and then changing it, history will display
    1 use wlan1
    2 get essid
    3 set essid new ap essid
    4.5.14 P command. Syntax: command history number; string that matches start of previously executed command; 11. Description: Executes a previously executed command based either on a command history number or matching a string to the start of a previously executed command. Note that there is no space between the and the argument. Example: The history command shows the command history with a number preceding
107. ielding client devices from an external network: firewall, client-to-client communication blocking, and gateway firewall. It further supports controlled network access by client devices through MAC address black lists. BRIDGE: The firewalls are disabled and client-to-client blocking is not possible when operating in bridge mode. 16.1 Firewall. The EL-500 has a firewall that blocks certain types of traffic destined for the EL-500. This prevents client devices attached to an EL-500, and devices on the LAN which the EL-500 is attached to, from connecting to it. The default firewall rules only affect packets destined for the EL-500 and have no effect on packets forwarded by the device. The firewall should typically be enabled on all EL-500s since it prevents undesired access to them. INFO: By default, the ports listed in Table 12 are set to be allowed for connection to the EL-500. Function Port s Type Protocol Source & destination HTTP redirect if splash pages are Destination TCP enabled 3060 20123 Source & destination (Table 12: Source and destination ports allowed by default) CLI: The firewall is enabled by selecting the firewall interface and setting the node enable parameter.
    > use firewall
    firewall> set node enable yes
    Lists of allowed source and destination ports for inbound TCP and UDP traffic can be sp
108. ing: default, eth0, local, wlan1, wlan2, wlan3, wlan4. Typically, most rate reservations will involve reserving bandwidth for traffic from a particular client access interface to the eth0 interface. The example below shows how to reserve differing amounts of bandwidth on eth0 for traffic originating from the wlan1, wlan2, wlan3 and wlan4 interfaces.
    > use qos
    qos> set out eth0 wlan1 reserve 2048
    qos> set out eth0 wlan2 limit 1024
    qos> set out eth0 wlan3 limit 512
    qos> set out eth0 wlan4 limit 256
    A rate reservation for a certain type of traffic that enters the EL-500 through a particular interface and exits it through another interface can be set with the out <output intf> <input intf> <traffic type> reserve parameters in the qos interface, where <output intf> is one of the following: default, eth0, wlan1, wlan2, wlan3, wlan4; <input intf> is one of the following: default, eth0, local, wlan1, wlan2, wlan3, wlan4; <traffic type> is one of the following: vo, vi, be, bk (see Table 13 for description of traffic types). The out default default limit value is applied to interfaces that have the out <output intf> <input intf> reserve parameter set to inherit or is left blank. The example below shows how to reserve bandwidth for voice, video, best effort and background traffic from wlan1 through the eth0 interface to 512 kbps 1 M
109. irmware versions to the node, or manage current firmware on the node. [Figure 68: Updating firmware. The screenshot shows the installed firmware (ENROUTESO0_20070811_03_00_0213, patch version none), disk space (total 89 Mb, used 47 Mb, available 37 Mb), and the lists Firmware on Server and Firmware on Node. Help text: Get Alternate Firmware Version. Occasionally your vendor will provide a custom or other type of unique upgrade and may give you a specific version which you must load onto your nodes. If you are attempting to install such a version, please enter the vendor-provided firmware name below to have it loaded onto your node.] Glossary. Client access interface: An interface on the EL-500 used by a client device, such as an 802.11-enabled laptop, to connect to the EL-500. The client access interfaces are the virtual APs wlan1-wlan4. Client device: A device that is connected to one of the EL-500's client access interfaces, e.g. a laptop. Client address scheme: The method used to assign address spaces to client interfaces. The two supported client address schemes are implicit and explicit. Operating mode: The mode that sets the method for how pa
110. iveness. Web GUI: WPA-PSK can be enabled and the pre-shared key can be set via the web interface using the WPA/WEP sub-tab under the AAA tab on the System Parameters page (see Figure 44). Select WPA-PSK as the type of encryption/authentication from the drop-down menu for the VAP you wish to configure and enter the WPA-PSK key in the text box below the drop-down menu. In the example in Figure 44, wlan2 has been configured to use WPA-PSK. 13.8.3 WPA EAP Mode. In WPA-EAP mode, a client device is authenticated using an 802.1x authentication server, which is typically a RADIUS server. The supported EAP modes are: TLS (X509v3 server & client certificates); PEAP-TLS (X509v3 server & client certificates); TTLS (X509v3 server certificate); PEAP-MSCHAPv2 (X509v3 server certificate). The following information must be provided about the RADIUS server: address (the IP address of the 802.1x server that will be used for authentication); port (the port that the authentication server is listening on, UDP port 1812 by default); secret (the shared secret for the authentication server). The secret must be a string that is no longer than 32 characters in length. See section 20.5 for instructions on how to test the RADIUS configuration and a specific set of credentials. CLI: To configure the EL-500 to support 802.1x authentication, the following parameters in a wlanN interface must be set
111. kbox next to the filename in the Available tcpdump list and click on the Delete Selected button. This will delete the file from the EL-500 and free up space for other capture files. Capturing All Traffic From a Specific Client Device:
    1. Set Interface to the one that the client device is attached to.
    2. Set Protocol to all.
    3. Set Packet Count to 500.
    4. Set Packet Length to 500.
    5. Set the Optional Host to the IP address of the client device of interest.
    6. Set Output to File.
    7. Click on Start Capture.
    8. Allow the capture to complete automatically when the prescribed number of packets has been captured, or click on Stop Capture to halt the capture.
    9. The captured data is accessible by clicking on the link at the bottom of the page under the heading Available tcpdump files. The file name format used is <file prefix>_MMDDYYY HHMM. Click on this link to save it to your computer. The downloaded file can be parsed by packet analyzers such as Wireshark.
    10. Click the checkbox next to the filename in the Available tcpdump list and click on the Delete Selected button. This will delete the file from the EL-500 and free up space for other capture files.
112. [Screenshot of the DHCP configuration page showing, for each of wlan3, wlan4 and wired, the fields Mode, Default Lease Timeout, Maximum Lease Timeout, Reserved DHCP Range, IP Address Range Start and IP Address Range Size. The IP Address Range Start fields show actual values 129, 161 (wlan3) and 193 (wlan4), and the IP Address Range Size fields show actual value 31.] Mode: Sets the DHCP mode supported by the interface. The three possible modes are: none (no DHCP services are provided); local server (a DHCP server will respond to client DHCP requests on the interface); central server (the node will provide DHCP addresses from a centralized DHCP server, only available if Centralized DHCP is enabled); client (the node will attempt to acquire an address for the interface via DHCP, only valid for the wired interface). Default Lease Timeout: The default lease time the DHCP server will assign to DHCP clients. If a DHCP request from a client does not contain a lease time request, this is the lease time that will be used. Maximum Lease Timeout: The maximum lease time the DHCP server will assign to DHCP clients. DHCP client lease time requests in excess of this value will be responded to with this lease time. Reserved Address Range: The number of addresses set aside for
113. [Figure 6: Web interface navigation components] The time displayed at the top of the navigation bar is the current time of the PC used to log in to the web GUI, not the time kept by the EL-500. 3.3 Setting Parameters. Many of the web interface pages allow you to set EL-500 operating parameters. Each page that contains settable parameters has a Save Changes button at the bottom of the page. When you have made your changes on a page and are ready to commit the new configuration, click on the Save Changes button. It typically takes a few seconds to save the changes, after which the page will be reloaded. For the changes to take effect, the EL-500 must be rebooted. After a change has been committed, a message reminding the user to reboot the EL-500 will be displayed at the top of the screen. [Screenshot of the DNS Proxy page showing the message "Configuration has been updated. Reboot required for changes to take effect."]
114. nd set the VLAN ID to 12 using the parameters vlan enable and vlan id in the wlan1 interface.
    > use wlan1
    wlan1> set vlan enable yes
    > use wlan1
    wlan1> set vlan id 12
    Web GUI: The VLAN Enable and VLAN ID parameters can be set via the web interface under the wlanN tabs on the Wireless Interfaces page and on the Wired Interface page (see Figure 55). [Screenshot of the wlan1 tab of the Wireless Interfaces page, showing wlan1 State enabled, Mode 802.11B/G, Hide ESSID no, VLAN State disabled and VLAN ID 11, with the note that enabling VLAN on this interface requires VLAN to be configured on the wired interface. Help text: wlan1: Enable or disable this access point. IP Address, Gateway, Netmask, Broadcast: The IP address, gateway address, netmask and broadcast address for the wlan1 interface. These values are only configurable when implicit addressing is disabled. ESSID: The identifying name for the 802.11 network that this access point supports. The ESSID must be no longer than 32 characters and can only contain letters A-Z a-z, numbers 0-9
115. ng and management of devices. The EL-500 supports the following configuration profile related actions: saving the current configuration as a configuration profile; loading, or applying, a configuration profile stored on an EL-500 to the device; downloading a configuration profile stored on the EL-500 to a computer; uploading a configuration profile from a computer to the EL-500; deleting a configuration profile stored on the EL-500. Currently, configuration profile management is only supported via the web interface. 7.1 Saving the Current Configuration. The current configuration can be saved on the Save tab on the Profile Management page. Enter a profile name or select an existing profile name from the list of existing configurations and then click on Save Profile. The saved profile is stored locally on the EL-500 and will appear in the Existing profiles text box. Use the Download from Node tab to download it to a different device. [Screenshot of the Save tab of the Profile Management page. Help text: Save Profile. This page allows you to save a copy of the current configuration locally on the node. Once saved, you can download a copy of the profile to your local computer via the Download Profile page. Enter a new profile name or choose an existing profile to be overwritten.]
116. niform across all VAPs. Changing it for one will automatically change it for all others as well. CLI: The example below shows how to set the maximum link distance supported by a VAP using the CLI. The maximum link distance is set with the distance parameter in the wlanN interfaces and is specified in either kilometers or miles. The units parameter in the sys interface determines whether the distance units are to be entered in kilometers or miles. Set units to metric for kilometers and to imperial for miles. Set the distance parameter to DEFAULT or leave it blank to use the default maximum link range.
    > use sys
    sys> set units metric
    > use wlan1
    wlan1> set distance 10
    Web GUI: The maximum link distance supported by a VAP can be set via the web interface using the appropriate wlanN tab on the Wireless Interfaces page (see Figure 41). Enter a value and specify whether it is in kilometers or miles using the adjacent drop-down menu. Set the distance parameter to DEFAULT or leave it blank to use the default maximum link range. 14 Client DHCP Configuration. When operating in routed mode, two configuration options exist for assigning IP addresses to client devices using DHCP: the EL-500 hosts a local DHCP server and supplies IP addresses to devices attaching to any of the client access interfaces; a centralized DHCP
117. nterface. 16.3 Blocking Client to Client Traffic. Client-to-client traffic can be blocked or permitted on a per-interface basis. By enabling client-to-client traffic blocking for one or more of an EL-500's client access interfaces, the client devices that attach to that particular interface will not be able to communicate with any client devices attached to that or any other client access interface on the EL-500. Client-to-client traffic can be controlled for interfaces wlan1, wlan2, wlan3 and wlan4. CLI: The parameters that control client-to-client access are all in the firewall interface. They are: node allowc2c wlan1, node allowc2c wlan2, node allowc2c wlan3, node allowc2c wlan4. To block client-to-client traffic, select the firewall interface and set the parameter for the appropriate interface to no. To allow traffic between client devices, set the parameter to yes. The examples below illustrate how to configure these parameters. To block client-to-client traffic for client devices attached to wlan1:
    > use firewall
    firewall> set node allowc2c wlan1 no
    To allow client-to-client traffic for client devices attached to wlan2:
    > use firewall
    firewall> set node allowc2c wlan2 yes
    Web GUI: The client isolation parameters can be set via the web interface on the Firewall tab on the Security page (see Figure 48). By setting an inter
118. [Figure 52: Advanced QoS configuration (only settings for some interfaces are shown). The screenshot lists Out Limit and Out Reserve fields in kbps for voice, video, best effort and background traffic, set to DEFAULT. Help text: Voice Out Reserve: The output bandwidth in kbps reserved for voice traffic from the interface. Video Out Limit: The output limit in kbps for video traffic from the interface. Video Out Reserve: The output bandwidth in kbps reserved for video traffic from the interface.] 17.2 Rate Limiting. A rate limit can be set at each QoS Control Point shown in Figure 53. The Control Points can be split into three groups, listed below in decreasing order of importance: interface output limit; interface output limit of traffic from a particular interface; interface output limit of traffic of a certain type from a particular interface. All rate limit parameter values are in kbps. If no rate limit parameter is set, rate limiting will be disabled for that interface or interface and traffic combination.
119. o that can be set to operate in the channels listed in Table 9. Channel (center frequency in GHz): 1 (2.412), 2 (2.417), 3 (2.422), 4 (2.427), 5 (2.432), 6 (2.437), 7 (2.442), 8 (2.447), 9 (2.452), 10 (2.457), 11 (2.462). (Table 9: EL-500HG access point channels and associated center frequencies) Note that only channels 1, 6 and 11 are non-overlapping. The EL-500HA has an 802.11a radio that can be set to operate in the channels listed in Table 10. Channel, Center Frequency (GHz): 5.785, 5.805. (Table 10: EL-500HA access point channels and associated center frequencies) It is not possible to configure the VAPs to use different channels. If the channel for wlan2 is changed, the channel will be changed for wlan1, wlan3 and wlan4. CLI: The VAP channel is set with the channel parameter in the wlanN interfaces. The example below shows how to set the VAP channel to 6.
    > use wlan1
    wlan1> set channel 6
    Web GUI: The access point channel can be set via the web interface using the appropriate wlanN tab on the Wireless Interfaces page (see Figure 41). The ESSID, or Extended Service Set Identifier, is used in 802.11 infrastructure networks to identify a particular network consisting of one or more Basic Service Sets. It is used to differentiate logical networks that operate on the same channel. The ESSID value must be a text string that
120. ollowing restrictions are placed on the address segment configuration: Each active client access interface must be assigned an address segment. The IP address range start address (ip implicit start requested in the CLI) must be one of the following values: 1, 33, 65, 97, 129, 161, 193, 225. The IP address range size (ip implicit size requested in the CLI) must be one of the following values: 31, 63, 127, 255. The IP address range size and start address must be chosen such that the address segment does not cross a netmask boundary. Table 8 lists allowed combinations. The address spaces for enabled interfaces must start at different addresses. The address spaces for enabled interfaces should not overlap. Address range start IP address range size ip implicit size requested ip implicit start requested po 129 (Table 8: Allowed address segment start address and size combinations) Each of the enabled interfaces' address segments should be configured to avoid overlap with the other interfaces' address segments. In the case where an EL-500 is not configured such that this requirement is met, address spaces will be automatically reduced in size to prevent overlap. CLI: The start and size of client address spaces are set with the ip implicit start requested and ip implicit size requested parameters in the wlan1 wlan2
121. omatic time synchronization will keep your time current. Time is synchronized to the listed server once per day. It is recommended that you leave automatic time synchronization enabled unless your network does not have access to a time server. Disabling automatic time synchronization will allow you to manually set the time. [Figure 30: Automatic time synchronization] When automatic synchronization is disabled, the user can set the EL-500's UTC time (Figure 31). Enter the time using the available drop-down menus and check the Change Time checkbox. [Figure 31: Setting the time manually] 9.10 Web GUI Console: The web interface allows the user to set parameters that are not otherwise settable through the web interface using a console interface. The console is available on the Console tab on the System page. CLI key value pairs can be entered through the console. The key format used is lt interface name key. For example, wlan1 channel is the key to set the channel used by virtual AP wlan1. To use the console, enter one or more key value pairs in the large text box on the
122. on how to configure the bridge interface to provide IP access to the EL-500 when operating in bridge mode. The Ethernet interface is used to connect the EL-500 to a LAN. It is also used for initial configuration of the device. The Ethernet interface IP address can either be acquired from a DHCP server on the LAN or be set manually. [Figure 37: Wired interface parameters] 11.4 DHCP: The EL-500 can be set to obtain an IP address for its Ethernet interface using
123. onnect to an EL-500 using its Static Configuration IP address, you must configure your computer's IP address to be in the 169.254.253.253/16 subnet (e.g. 169.254.253.1) and connect the computer's Ethernet cable to the PC port on the EL-500's PoE injector. ENSURE THAT THE DATA CONNECTION FROM THE PC OR THE LAN IS MADE TO THE PC PORT. DO NOT CONNECT ANY DEVICE OTHER THAN THE EL-500 TO THE PORT LABELED CPE ON THE PoE INJECTOR. NETWORK EQUIPMENT THAT DOES NOT SUPPORT PoE CAN BE PERMANENTLY DAMAGED BY CONNECTING TO A PoE SOURCE. NOTE THAT MOST ETHERNET INTERFACES ON PERSONAL COMPUTERS (PCs), LAPTOP/NOTEBOOK COMPUTERS, AND OTHER NETWORK EQUIPMENT (E.G. ETHERNET SWITCHES AND ROUTERS) DO NOT SUPPORT PoE. Since the Static Configuration IP address is the same for all EL-500s, you should not simultaneously connect multiple EL-500s to a common LAN and attempt to access them using the Static Configuration IP address. If you are configuring multiple EL-500s with the same computer in rapid succession, it may be necessary to clear the ARP cache, since the IP addresses for the EL-500s will all be the same but the MAC addresses will vary. The following commands can be used to clear the ARP cache. Windows XP (executed in a command prompt window): arp -d to clear the entire cache, or arp -d 169.254.253.253 to just clear the EL-500 entry. Linux euo el 159 254 2253 253
124. ontiguous range of IP addresses at either the beginning or the end of the CAS be set aside, one for each of the VAPs on the EL-500. The Client Address Space (CAS) is not equivalent to the range of addresses served by the DHCP server. The DHCP-served address range is a subset of the CAS. The CAS must also include the addresses for the client access interfaces and the address of the EL-500's Ethernet interface. Consider the example where an EL-500 has all four of its VAPs enabled. The DHCP server resides on a host that also acts as the WAN router and is connected to the same LAN segment as the EL-500's wired interface. We will set aside 4 IP addresses for the EL-500's VAPs. Assuming the client address space is 192.168.5.0/24, with available addresses from 192.168.5.1 to 192.168.5.255, we will use 192.168.5.1 for the server hosting the DHCP server and 192.168.5.2 for the EL-500's Ethernet interface, set aside 192.168.5.3 to 192.168.5.6 for the EL-500's VAP interfaces, and configure the remote DHCP server to serve IP addresses in the range of 192.168.5.7 to 192.168.5.254 to wireless client devices. We will keep 192.168.5.255 as the broadcast address. A bridged EnRoute1000 will pass DHCP traffic through its wired interface to any client devices on its VAPs, regardless of the EnRoute1000's DHCP mode settings. • Centralized DHCP mode provides similar capability for an EnRoute1000 in routed mode while adding the capability to support different subnets
125. ow. The full configuration of the central DHCP server will depend on the type of DHCP server that is used and is beyond the scope of this document. Typically, the following information must be available in order to configure the server:
    1. The local interface to the DHCP server over which the DHCP-related messages from the EL-500 arrive.
    2. The parameter(s) that define the address lease time.
    3. Whether DNS and domain names are to be provided by the DHCP server to client devices.
    4. The range of the flat IP address that is used for assigning IP addresses to client devices. The range must not include the IP addresses set aside for the client access interfaces on the EL-500.
The following is a segment of the dhcpd.conf file for a Linux DHCP server (ISC DHCP server) that illustrates the scope settings for the part of the network pertaining to the EL-500:
    subnet 192.168.5.0 netmask 255.255.255.0 {
        option broadcast-address 192.168.5.255;
        option subnet-mask 255.255.255.0;
        option domain-name "domain.com";
        range 192.168.5.7 192.168.5.254;
    }
Note that in this definition no routers option is needed. If a global routers option is defined, the EL-500 will automatically change it to an appropriate value in DHCP responses to client devices, based on the centralized DHCP settings on the EL-500. In this example two IP addresses are set aside for the DHCP server and the EL 500 s
126. page, either separating each pair with a space or placing each pair on its own line. Click on the Submit Commands button to set the values entered in the text box. [Figure 32: Web interface console] 9.11 OnRamp Configuration Access: ONRAMP IS A PC-BASED TOOL THAT WILL BECOME AVAILABLE TO SUPPORT INITIAL CONFIGURATION OF THE EL-500. IT HAS NOT BEEN RELEASED AT THE TIME OF THE WRITING OF THIS DOCUMENT. CHECK A WWW TRANZEO COM ONRAMP FOR STATUS. IT IS RECOMMENDED THAT ONRAMP CONFIGURATION ACCESS IS DISABLED UNTIL THE TOOL IS MADE AVAILABLE. The OnRamp utility provides network detection and configuration capabilities for EL-500s. The configuration capabilities are only intended for initial configuration, and for security reasons it is strongly recommended that OnRamp configuration capability i
127. ption and Authentication: The EL-500 supports several common encryption/authentication schemes, including WEP, WPA, and WPA2, to provide secure wireless access for client devices. WEP keys with 40-bit or 104-bit lengths, pre-shared WPA keys, and multiple WPA EAP modes The WEP and WPA configuration settings for each VAP are independent. A VAP can only support one of the encryption/authentication modes at a time, but the VAPs in the EL-500 do not all have to use the same encryption/authentication scheme. 9 SUAE EO WIRELESS TECHNOLOGIES INC 03 50PM Oct 15 2007 local time System DNS DHCP SNMP Location AAA Time Console Status WPA WEP Splash Pages Advanced Splash Pages Profile Management Configure your authentication and encryption for the APs Initial Configuration Hide Help Minimal Configuration wlani No Authentication Y EET s No Authentication Detailed Configuration wlan2 WPA PSK 3 l The access point uses no System Parameters WPA PSK Passphrase enroutepsk authentication and clients can log on without requiring an encryption key Security username or password wlan3 WPA Enterprise WPA Enterprise Address gg 99 99 99 Wired Interface RADIUS Server Wireless Interfaces Port 1812 Qos Secret secret WEP Upgrade The access point uses WEP wlan4 WEP encryption to protect data transfers Diagnostics between
128. r web page when authentication is disabled 19.1.4 Configuring the Authentication Server: A RADIUS authentication server must be specified when the splash page is enabled for an interface and login is required. The following parameters must be specified: the server address (can be either a hostname or an IP address); the port on the server that the RADIUS server is listening on; the shared secret (must be a string of alphanumeric characters that is 32 characters or less in length). CLI: The splash auth server <intf> host, splash auth server <intf> port, and splash auth server <intf> secret parameters in the sys interface, where <intf> is either wlan1, wlan2, wlan3, or wlan4, specify the authentication server to use. The example below shows how to configure the authentication server for interfaces wlan1 and wlan2:
    > use sys
    sys> set splash auth server wlan1 host auth1.yourserverhere.com
    sys> set splash auth server wlan1 port 1812
    sys> set splash auth server wlan1 secret authsecret
    sys> set splash auth server wlan2 host auth2.yourserverhere.com
    sys> set splash auth server wlan2 port 1812
    sys> set splash auth server wlan2 secret authsecret
Web GUI: The authentication server parameters can be set on the Splash Pages sub-tab und
129. raced [Figure 63: Determining the route from the EL-500 to a remote device using traceroute] 20.3 Packet Capture: The Packet Capture tab on the Diagnostics page allows the user to capture traffic on the EL-500's network interfaces (see Figure 64). The captured data can either be displayed in the web interface or saved to a file that can be downloaded and analyzed using 3rd-party tools such as Wireshark (http://www.wireshark.org). At most 10 captured files can be saved on the EL-500 at any given time. The full array of options available for packet capture is described in Table 14. A number of examples of common packet capture scenarios are also presented below. Capturing DHCP Traffic From Clients on wlan1: Set Interface to wlan1. Set Protocol to all. Set Packet Count to 20. Set Packet length to 500. Click on DHCP next to Common Protocols. Set Output to File. Click on Start Capture. Allow the capture to complete automatically when the prescribed number of packets has been captured, or click on Stop Capture to halt the capture. The captured data is accessible by clicking on the link at the bottom of the page under the heading Available tcpdump files. The file name format used is cfile prefix MMDDYYY HHMM. Click on this link to save it to your computer. The downloaded file can be parsed by packet analyzers such as Wireshark. 10. Click the chec
130. rameter and the Base Value can also be set on this page. The DHCP mode parameters for all client access interfaces can be set on the DHCP sub-tab under the DHCP tab on the System Parameters page. Set the DHCP mode to central server for all interfaces whose client devices should receive addresses from the central DHCP server. On the System tab of the System page, set the L2 Emulation to enabled. [Figure 46: Centralized DHCP server mode settings] 14.2.3 Configuring the Central DHCP Server: Guidelines for configuring the central DHCP server are provided bel
131. ration Profile Name [Figure 18: Save a configuration profile] 7.2 Load a Configuration Profile: A configuration stored on the EL-500 can be applied using the Load tab on the Profile Management page. This profile must either have been saved earlier or uploaded to the EL-500. Choose a profile name from the Existing Profiles box and then click on Load Profile. It is necessary to reboot the EL-500 for the loaded profile settings to take effect. A number of default configuration profiles are available on the EL-500. They are Ne TBD 9 TRANZEO WIRELESS TECHNOLOGIES INC 02 59PM Oct 15 2007 local time save Load Download from Node Upload to Node Status Load Saved Profile Profile Management This page allows you to restore a previously saved configuration from a profile on the node Use Upload Profile Initial Configuration page to upload a saved profile from your computer Minimal Configuration F NOTE Loading a profile will overwrite all existing Detailed Configuration settings and replace them with those from the loaded profile System Parameters Please choose a profile from the list below to load onto this node Security Wireless Interfaces Choo
132. ration management 1.3 EL-500 Interfaces: The interfaces available on the EL-500 are Ethernet and a radio port. [Figure 1: EL-500 interfaces] Table 2 (EL-500 interfaces), Interface / Description: AP radio port, N-type antenna connector for access point radio; Ethernet, PoE power input 9-28 VDC, 12 W (not compatible with IEEE 802.3af). 1.3.1 Ethernet and PoE: The EL-500 has a 10/100 Ethernet port that supports passive Power over Ethernet (PoE). The PoE power injector should supply an input voltage between 9-28 VDC and a minimum of 12 W. The pinout for the Ethernet interface on the EL-500 is provided in Table 3. INFO: The EL-500 is equipped with an auto-sensing Ethernet port that allows both regular and cross-over cables to be used to connect to it. Pin Signal Standard Wire Color Orange Blue 6 Re Green 8 Gnd Brown Table 3: Ethernet port pinout. To power the EL-500, connect an Ethernet cable from the Ethernet port of the EL-500 to the port labeled CPE on the supplied PoE injector and apply power to the PoE injector using the supplied power supply. DO NOT CONNECT ANY DEVICE OTHER THAN THE EL-500 TO TH
133. refix settings Client access addresses interface addresses cannot be directly set Explicit addressing scheme Can be set to arbitrary values with a few reserved address ranges that cannot be used The address space size for each client access interface can be set independently and can be of arbitrary size Each of the active client access interfaces must share a class C address space Size of client address space Table 6: Differences between explicit and implicit addressing schemes. CLI: The choice of implicit or explicit addressing scheme is controlled by the implicit enable parameter in the mesh interface. Set this parameter to yes to select implicit addressing and to no to select explicit addressing. The example below demonstrates how to select the implicit addressing scheme:
    > use mesh0
    Sys set implicit enable yes
Web GUI: The addressing scheme is set with the Implicit Addressing drop-down menu on the System tab of the System page. Set this to disabled to choose the explicit addressing scheme. TRANZEO WIRELESS TECHNOLOGIES INC 02 21PM Oct 15 2007 localtime S stem pns pner snme ana time console Status Configure your system parameters Profile Management Hide Help Scheme AP Routed Initial Configuration Scheme Node Hostname GW Li Minimal
134. rfaces can be set to use different URLs for the login process:
    > use sys
    sys> set splash url wlan1 login http://server.domain.com/wlan1_login.htm
    sys> set splash url wlan1 success http://server.domain.com/wlan1_success.htm
    sys> set splash url wlan1 fail http://server.domain.com/wlan1_fail.htm
    sys> set splash url wlan1 error http://server.domain.com/wlan1_error.htm
    sys> set splash url wlan2 login http://server.domain.com/wlan2_login.htm
    sys> set splash url wlan2 success http://server.domain.com/wlan2_success.htm
    sys> set splash url wlan2 fail http://server.domain.com/wlan2_fail.htm
    sys> set splash url wlan2 error http://server.domain.com/wlan2_error.htm
Web GUI: All of the splash-page-related URLs can be set on the Splash Pages sub-tab under the AAA tab on the System Parameters page of the web interface (see Figure 57). 19.1.3 Sample HTML Code for Splash Pages: The login HTML page must contain specific form information, as shown in the sample code in Figure 58 and Figure 59. Figure 58 contains the code required for an interface that requires a login. Figure 59 contains code for a login page that the user just clicks through to unlock network access. The critical lines in Figure 58 are 6, 12, 15, and 19. The action value in line 6 of Figure 58 must point to a server name for which th
135. rted by the AP radio, the actual radio output power will be the highest power supported by the AP radio. INFO: When setting the output power for a VAP, consider the output power of the client devices that will be communicating with the VAP. If these devices have output power levels that are far lower than that of the VAP, an asymmetric link may result. Such a link exists when the received signal strength at client devices is sufficient for a downlink to the client device to be established, but the received signal level at the VAP is not sufficient for an uplink from the client device to be established. CLI: The example below shows how to set the access point radio's maximum transmit power using the CLI. The Tx power is specified in dBm with a granularity of 0.5 dBm.
    > use wlan1
    wlan1> set txpower 20
Web GUI: The VAP's maximum transmit power can be set via the web interface using the appropriate wlanN tab on the Wireless Interfaces page (see Figure 41). The and buttons can be used to increase or decrease the power setting in 0.5 dBm steps. 13.10 Radio Rate: The VAPs can be set to communicate at a specific rate or to automatically select the best rate available. For most applications, choosing automatic rate selection will be the best choice. CLI: It is not currently possible to set this through the CLI. Please use the web GU
136. rticular installation eg blocking all traffic on port 25 smtp Minimal Configuration Detailed Configuration By default all traffic is allowed through System Parameters Your rules should look like Security Wireless Interfaces rules j target Wired Interface ex drop all packets addressed for 192 168 0 0 24 QoS p ALL dst 192 168 0 0 24 j DROP Upgrade NOTE All changes will take immediate effect and will not require a reboot Diagnostics Reboot Save and Apply Changes [Figure 49: Custom firewall settings] 16.6 Access Control Lists (ACLs): The access control lists (ACLs) for the VAP interfaces (wlan1-wlan4) block access to any device with a MAC address matching those on the list. Individual ACLs can be defined for each VAP. Web GUI: The ACLs can be defined via the web interface on the appropriate wlanN sub-tab under the ACL tab on the Security page, as shown in Figure 50. Enter a MAC address and click on the Add MAC button to add the address to the ACL for that VAP. Once an address has been added, it will appear at the bottom of the page. To delete a MAC address in an ACL, click on the Delete MAC button next to the address. The ACL for a VAP must be enabled after it has been created. Choose blacklist from the drop-down menu and click on Change ACL Mode to enable the list. Choose none from the drop-down menu and click on Change ACL Mode to disable the ACL.
137. s disabled after initial configuration. You can use the CLI, the web interface, or OnRamp to determine whether a device can be configured from OnRamp. In OnRamp, the Prog column displays the programming capability from OnRamp. A Y in this column indicates that OnRamp can configure the device; an N indicates that it cannot. CLI: The OnRamp configuration capability is controlled by the provisioning enable parameter in the sys interface. Set this parameter to 0 to disable configuration through OnRamp, as shown in the example below:
    > use sys
    sys> set provisioning enable 0
Web GUI: The OnRamp configuration capability is set on the OnRamp tab on the Security page (see Figure 33). Figure 33 OnRamp config
138. se Profile FACTORY [Figure 19: Load a configuration profile] 7.3 Delete a Configuration Profile: A locally stored configuration profile can be deleted using the Delete tab on the Profile Management page. Choose a profile to delete from the profile drop-down box on the page and then click on Delete Profile. [Figure 20: Deleting a configuration profile] 7.4 Downloading a Configuration Profile from an EL-500: A configuration profile can be downloaded from an EL-500 using the Download from node tab on the Profile Management page. The existing configuration profiles are listed on this page. Click on the one that is
139. sent. In comparison, elevating the Min Hardware Priority associated with an interface will prioritize, but not fully block, traffic tagged with a lower hardware priority. Instead, the medium access delay will be reduced, as dictated by the IEEE 802.11e standard, for the traffic with the elevated hardware priority. Thus these two priority types provide different gradations of quality control even when applied en masse to an interface, although further refinements can be set using the EnRoute1000 rate limiting features discussed below. INFO: Changing hardware priorities does not affect the rate limiting and reservation (section 17.2); it only affects which output hardware queues that provide the required support for the 802.11e standard. CLI: Flow priority levels are set with the in <intf> flow priority parameters in the qos interface, where <intf> is one of the following: default, local, eth0, wlan1, wlan2, wlan3, wlan4. local refers to traffic originating on the device itself, not from its client devices. The example below sets locally generated traffic to have top priority and wlan1 to have priority over all other interfaces:
    > use qos
    qos> set in default flow priority 10
    qos> set in local flow priority 90
    qos> set in wlan1 flow priority 20
    qos> set in wlan2 flow priority inherit
    qos> set in wlan3 flow priority inherit
    qos> set in wlan4 flow priority inherit
    qos> set in eth0 flo
140. server supplies IP addresses to client devices, with the EL-500s relaying DHCP messages between client devices and the centralized server. The DHCP modes for client access interfaces on an EL-500 can be set individually to use a local server, a centralized server, or be disabled. This allows a device to support client access interfaces with a combination of centralized and localized DHCP. An EL-500 operating in bridge mode can provide access to a DHCP server on the LAN that it is bridging to, but it will not provide any local DHCP functionality for client devices when operating in this mode. Centralized DHCP server mode does not need to be configured in bridge mode, since the relaying occurs implicitly by virtue of the bridging function that the EL-500 provides. It is possible to configure the bridge interface to receive an address via DHCP (see section 12.1). 14.1 Using Local DHCP Servers: The EL-500 can be set to serve IP addresses to client devices on enabled VAP interfaces using DHCP. The IP addresses provided by the local DHCP server will be in the subnet defined by the LAN prefix and node ID, and the IP address range start address and size parameters in the appropriate client access interface. For example, for the wlan1 interface, the start and end of the address range are: Start address: <LAN prefix octet 1> <LAN prefix octet 2> Node ID wlan IP address range start address 1 End address: <LA
141. shows how to enable VLAN tagging on the Ethernet interface using the vlan enable parameter in the eth0 interface:
    > use eth0
    eth0> set vlan enable yes
The example below shows how to set the VLAN ID for the Ethernet interface using the vlan id parameter in the eth0 interface:
    > use eth0
    eth0> set vlan id 1
Web GUI: The Ethernet interface VLAN parameters are set on the Wired Interface page, as shown in Figure 56. TRANIZEO WIRELESS TECHNOLOGIES INC once aos E Configure your wired interface Hide Help Enable VLAN VLAN ID IP Address Gateway Address Netmask Broadcast Enable NAT Enable VPN VPN Port VPN Server disabled i 255 M disabled enabled 1184 216 100 182 50 Save Changes VPN Gredentials Your vendor may provide you with a package of VPN Credential files If you need to install a credential package you can load it onto the node here Please refer to the help for more details VPN Credentials Browse Upload Credentials VLAN Segregate client traffic into Virtual LANs Your internet router must have VLAN support enabled You will probably need to enable VLAN on all node Wireless Interfaces as well depending on your network design Valid VLAN IDs are 0 4095 but 0 1 and 4095 are reserved by convention 1 is the
142. ss interface on the EL-500 that is to support centralized DHCP server mode must have its DHCP mode set to server for it to support relay of IP addresses to client devices from a central DHCP server. It is possible to disable DHCP address assignments to client devices on a per-interface basis and have them use static IP addresses instead. The address space that is to be used for the wireless client devices is a subnet specified with the Client Address Space parameter. The value must be specified in CIDR notation (a subnet and its size separated by a "/", e.g. 192.168.5.0/24). The IP addresses of the EL-500's client access interfaces (wlan1-4) need to be manually assigned. This is done by setting the Address Base parameter, which is assigned to the first enabled client access interface. Addresses for the remaining client access interfaces are determined by successively incrementing the Base Address by one. Layer 2 emulation must also be enabled when operating in centralized DHCP server mode. This setting is located on the System tab of the System page of the web interface. See section 19.2 for more information on layer 2 emulation mode. CLI: Centralized DHCP mode is enabled using the dhcp relay enable and l2 client mac fwd parameters in the sys interface, as shown in the example below:
    > use sys
    sys> set dhcp relay enable yes
    sys> set l2 client mac fwd yes
143. state name • sys organization country: two-letter country abbreviation. Web GUI: The certificate information can be set via the web interface using the Location tab on the System Parameters page (see Figure 29). Changing any of the Organization, City, State/Province, or Country parameters will cause the certificate information to be recalculated. 9.9 Time Synchronization: An EL-500 can be configured to synchronize its internal clock with an external RFC 868-compliant time server. The time synchronization will ensure that proper time stamps are displayed for entries in the event logs that are available on the web GUI's Status page. CLI: The time synchronization server is set with the time rfc868 server parameter in the sys interface. The example below shows how to set the time synchronization server:
    > use sys
    sys> set time rfc868 server your timeserver here
It is not possible to manually adjust the device time through the CLI. Please use the web GUI to adjust it. Web GUI: The synchronization mode and server can be set on the Time tab on the System page (Figure 30). NZEOS WIRELESS TECHNOLOGIES INC Configure Time Hide Help Automatic Time enabled v 3 Synchronization Time Server rfc868 Automatic Time Synchronization RFC868 compliant time server Time Server rfc868 time a nist gov In most cases the aut
144. t wifi0 unknown hardware address type 801 Oct 06 GW 1 dhclient System Parameters Oct 06 GW 1 dhclient For info please visit http www isc org products DHCP Oct 06 GW 1 dhclient All rights reserved Security Oct 07 06 GU 1 dhclient Copyright 2004 Internet Systems Consortium Oct 06 GU 1 dhclient Internet Systems Consortium DHCP Client V3 0 2 Oct 06 57 GW 1 root 2972 ROOT LOGIN ON tts 0 Oct i 57 GW 1 login pam unix 2972 session opened for user root by LOGIN uid 0 Oct 53 GW 1 login 2972 FAILED LOGIN 1 FROM null FOR root Authentication failure Wired Interface Oct 06 51 GW 1 login pam unix 2972 authentication failure logname LOGIN uid 0 euid 0 tty t Oct 41 GW 1 hostapd wlan3 RADIUS Unable to connect to authentication server at 99 99 99 99 QoS Oct I 41 GU 1 hostapd wlan3 RADIUS Authentication server 99 99 99 99 1812 Oct H 41 GU 1 hostapd wlan2 RADIUS Only WPA PSK specified won t try to connect to authent Upgrade Oct i H GU 1 hostapd wlan2 RADIUS Authentication server 192 168 0 12 1812 Oct GW 1 logger Re generating https certs Oct H GU 1 logger sbin iwconfig wlan4 txpower 16 dBm Status Wireless Interfaces Diagnostics Oct H GU 1 logger sbin iwconfig wlan3 txpower 16 dBm Oct GU 1 logger sbinZiwconfig wlan2 txpower 16 dBm Reboot Oct GU 1 logger sbin iwconfig wlanl txpower 16 dBm Oct GU 1 temp Current temperature 47 C Oct GW 1 enroute succeeded Oct
145. t 161 subnet 191 subnet 162 190 subnet 193 subnet 223 subnet 194 222 subnet LAN prefix first octet> <LAN prefix second octet> <node ID
Table 7: Default subnet segmentation between interfaces.
10.1.1 LAN Prefix. The LAN prefix parameter sets the first two octets of the client access interface IP address when using the implicit addressing scheme. The suggested values for the LAN prefix are 10.x and 192.168. The LAN prefix parameter only has an effect on an EL-500 using the explicit addressing scheme when explicit addresses have not been defined for the client access interfaces. See section 10.2 for more information on use of the LAN prefix when using the explicit addressing scheme. CLI: The first octet of the LAN prefix is set with the id lanprefix parameter in the sys interface, as shown in the example below.
    > use sys
    sys> id lanprefix 10
The second octet is set with the id mesh parameter in the sys interface, as shown below.
    > use sys
    sys> id mesh 12
Web GUI: The LAN prefix can be set via the web interface using the System tab on the System Parameters page (see Figure 34). 10.1.2 Client Address Space Segmentation in Implicit Addressing Mode. As mentioned above, the client access interfaces must share a class C address space when the EL-500 is using the implicit addressing scheme. The start address of each address segment and its size can be set. The f
146. te wlanN tab on the Wireless Interfaces page (see Figure 41). To allow support for short preambles, set the Use Short Preamble drop-down menu to Yes. To limit preambles to long ones, set the drop-down menu to No. 13.12 Beacon Interval. The VAPs' beacon intervals are configurable. The beacon interval must fall in the range from 20 to 500 ms. The beacon interval is set to 100 ms by default. CLI: The example below shows how to set the beacon interval for a VAP using the CLI. The beacon interval is set with the iwpriv beacon interval parameter in the wlanN interfaces and is specified in milliseconds.
    > use wlan1
    wlan1> set iwpriv beacon interval 100
Web GUI: The beacon interval for a VAP can be set via the web interface using the appropriate wlanN tab on the Wireless Interfaces page (see Figure 41). Enter a value, specified in milliseconds, in the Beacon Interval field. 13.13 Maximum Link Distance. The 802.11 standard defines delay values in the communication between devices that affect the maximum communication distance that can be supported. By default, the communication distance is limited to approximately 4 km (2.5 mi). The maximum communication distance can be increased by setting a custom maximum link distance value. This value can be specified in either metric or imperial units. The maximum link distance setting is u
147. terface are displayed, showing received and transmitted data in terms of bytes and packets. On the wlan sub-tabs, the client devices connected to the virtual APs are displayed. The following information is displayed for each client device: MAC address; IP address; quantity of data received from the client device and transmitted to the client device; received signal strength (RSSI) in dBm and, in parentheses, the associated signal level based on a noise floor of -96 dBm; time since last reception from the device; a summary of the capabilities of the client device's radio card. [Screenshot residue: wlan4 Status page for node GW 1, with interface statistics (noise level, transmitted and received byte totals, data rates, packet totals and packet rates over the last 10 seconds) and a Clients table with the columns MAC Address, IP Address, RX data, TX data, dBm (RSSI), Rate, Last reception and Client Capabilities.] Figure 1
148. ters in the sys interface. The example below shows how to set these parameters.
    > use sys
    sys> set snmp community ro <read only password>
    sys> set snmp community rw <read write password>
The SNMP port is set with the snmp port parameter in the sys interface, as shown below. By default this parameter is set to 161.
    > use sys
    sys> set snmp port 161
The contact person and location of the device located via SNMP are set with the snmp contact and snmp location parameters in the sys interface, as shown below.
    > use sys
    sys> set snmp contact Joe Smith
    sys> set snmp location 123 Main St Anytown USA
Web GUI: The SNMP-related parameters can be set on the SNMP tab on the System page (see Figure 28). [Figure 28 screenshot residue: SNMP tab with SNMP Port, Read-Only Community, Read-Write Community, Contact and Location fields, the values public and private shown in the community fields, and a notice that a reboot is required for changes to take effect.] Help text: Port: Port on which SNMP will listen for requests from SNMP clients. Read-Only Community: Authentication string used to read SNMP variables on this node. Save C
149. the System Parameters page of the web interface (see Figure 57). Whether client login is required can also be set on this page with the Require Login parameter. [Screenshot residue: Splash Pages tab, with the same fields repeated for wlan1, wlan2, wlan3 and wlan4: Enable Splash Page, Require Login, Splash Page URL, Success Page URL, Failed Login Page URL, Login Server Address, Login Server Port and Login Server Secret, followed by a Save Changes button.] Help text: Enable Splash Page: Controls whet
150. the proxy list. Use of a DNS proxy list on the EL-500 is a two-step process: first populating the host name/IP address pairs and then enabling DNS proxy. BRIDGE: DNS proxy is not supported when operating in bridge mode. CLI: A list of hostname/IP address pairs to be resolved locally can be specified using the dnsproxy hosts parameter in the sys interface. If multiple hostname/IP address entries are specified, they must be separated by semi-colons, as shown in the example below. DNS proxy must be explicitly enabled using the dnsproxy enable parameter in the sys interface after the list of hosts has been specified.
    > use sys
    sys> set dnsproxy enable yes
    sys> set dnsproxy hosts server1.domain.com 10.0.0.1; server2.domain.com 10.0.0.129
Web GUI: DNS proxy can be enabled on the DNS Proxy sub-tab on the DNS tab on the System Parameters page, as shown in Figure 27. Hostname/IP address pairs can be added on this page as well. [Figure 27 screenshot residue: DNS Proxy sub-tab with a DNS Proxy enable drop-down menu and an Add DNS Proxy Entry form with a Hostname field.] Help text: DNS Proxy: Enabling the DNS Proxy resolves names to local IP addresses. Used in conjunction with spl
151. tly configured Reboot. Figure 7: Page showing Save Changes button and message prompting the user to reboot. 3.4 Help Information. Help information is provided on most web GUI pages. The help information is shown on the right-hand side of the page. The help information can be hidden by clicking on the Hide Help link inside the help frame. When help is hidden, it can be displayed by clicking on the Show help link. 3.5 Rebooting. Click on the Reboot link on the left of the page and then click on the Reboot Now button to reboot the EL-500. Any changes made prior to rebooting will take effect following completion of the boot process. It takes approximately 3 minutes for the device to reboot. [Figure 8 screenshot residue: Reboot page with the text "Click the button below to restart the node. A restart will take about 3 and a half minutes so please be patient." and the help text "Click on the Reboot Now button to begin the reboot process."] Figure 8: Rebooting the EL-500. 4 Using the Command Line Interface. All configurable EL-500 parameters can be accessed with a Command Line Interface (CLI). The CLI allows you to: modify and verify all configuration parameters; save and restore device configurations; reboot the device; upgrade the firmware. 4.1 Accessing the CLI. The EL-500's command line interface
152. to be downloaded to your computer and you will be given the option to specify where the profile should be saved on the host computer. [Figure 21 screenshot residue: Download from Node tab on the Profile Management page, with the prompt "Please choose a profile to download to your workstation" and a list of saved profiles.] Figure 21: Downloading a configuration profile from an EL-500. 7.5 Uploading a Configuration Profile to an EL-500. A configuration profile can be uploaded to an EL-500 using the Upload to node tab on the Profile Management page. Use the Browse button to select a profile file on your host computer for upload to the EL-500. Alternatively, enter the file name by hand in the text box adjacent to the Browse button. Click on the Upload Profile button to upload the selected file to the EL-500. [Screenshot residue: Upload to Node tab on the Profile Management page, with the prompt "Please choose a profile on your computer to upload to the node".]
153. ue [Screenshot residue: DHCP settings for the wlan2, wlan3, wlan4 and wired interfaces, each with Mode, Default Lease Timeout, Maximum Lease Timeout, Reserved DHCP Range, IP Address Range Start and IP Address Range Size fields, followed by a Save Changes button.] Help text: Mode: Sets the DHCP mode supported by the interface. The three possible modes are: none: no DHCP services are provided; local server: a DHCP server will respond to client DHCP requests on the interface; central server: the node will provide DHCP addresses from a centralized DHCP server (only available if Centralized DHCP is enabled); client: the node will attempt to acquire an address for the interface via DHCP (only valid for the wired interface). Default Lease Timeout: The defa
154. ult lease time the DHCP server will assign to DHCP clients. If a DHCP request from a client does not contain a lease time request, this is the lease time that will be used. Maximum Lease Timeout: The maximum lease time the DHCP server will assign to DHCP clients. DHCP client lease time requests in excess of this value will be responded to with this lease time. Reserved Address Range: The number of addresses set aside for use as static IPs. Address Range Start. Figure 42: Virtual access point and wired interface DHCP and address space settings. If the local DHCP server is enabled for a VAP interface, IP addresses must be reserved for statically configured devices by setting the DHCP reserve parameter. This will reserve the specified number of IP addresses at the bottom of the IP range for the interface. For example, if the interface has the IP address 10.2.4.1, the netmask 255.255.255.128 and the DHCP reserve value 5, the IP addresses 10.2.4.2 through 10.2.4.6 will be available for use by statically configured devices. The remaining IP addresses in the interface's address space can be assigned by the DHCP server to other client devices. CLI: The number of IP addresses reserved for statically configured devices connected to the Ethernet interface is set with the dhcp reserve parameter in the eth0 interface. Web GUI: The dhcp reserve
155. uration access. 9.12 CLI Timeout. The CLI will automatically log out a user if the interface has remained inactive for a certain length of time. The time, in seconds, that a shell must remain inactive before a user is automatically logged out is set with the shell timeout parameter in the sys interface, as shown in the example below. The maximum idle time that can be set is 21600 seconds (6 hours).
    > use sys
    sys> set shell timeout 300
10 Client Addressing Schemes. BRIDGE: The client addressing scheme setting has no effect when the EL-500 is operating in bridge mode. The choice of client addressing scheme affects how EL-500 client access interface addresses are assigned. The EL-500 can be configured to use an implicit addressing scheme for its client access interfaces, where the address spaces assume a default size and the addresses are affected by a number of settable parameters. Alternatively, explicit address spaces can be defined for each client access interface. The addressing scheme choice also affects what the addresses of client devices will be when the EL-500 is not operating in centralized DHCP server mode. Table 6 compares how the behavior of the EL-500 differs depending upon the addressing scheme that is chosen. Implicit addressing scheme Derived from node ID and LAN Client access interface p
156. ver; Communication was established with the server but the credentials were not valid; It was not possible to establish communication with the server. [Figure 66 screenshot residue: RADIUS tab on the Diagnostics page, "Test access to a RADIUS server", with a Choose RADIUS server drop-down menu showing 192.168.0.12:1812 and Username and Password fields.] Help text: Choose RADIUS Server: The RADIUS server against which you want to run diagnostics. The list of RADIUS servers is composed of all WPA Enterprise RADIUS servers and any defined splash page Login servers. Figure 66: Testing credentials with a RADIUS server. 20.6 Diagnostic Dump. The Diagnostic Dump tab on the Diagnostics page allows the user to create a snapshot of diagnostic data that can be downloaded to a PC and sent to Tranzeo technical support for analysis (see Figure 67). [Screenshot residue: Diagnostic Dump tab with a Dump File Prefix field, a Generate Diagnostics Dump button and the note "Max saved files is 10".] Help text: Generate Diagnostics Dump: A diagnostic dump runs a series of tests then packages the results into a file to give to technical support
157. w priority inherit. Hardware priority levels are set with in <intf> hwpri max/min in the qos interface, where <intf> is one of the following: default, local, eth0, wlan1, wlan2, wlan3, wlan4. The example below shows how to configure the system such that all traffic from wlan1 with a Voice or Video priority will be reduced to a Best Effort priority. Traffic with Best Effort and Background priorities will not be affected.
    > use qos
    qos> set in wlan1 hwpri max 2
The example below shows how to configure the system such that all traffic from wlan2 with a Background or Best Effort priority will be increased to a Video priority. Traffic with Video and Voice priorities will not be affected.
    > use qos
    qos> set in wlan2 hwpri min 2
Web GUI: Flow priorities can be set via the web interface under the QoS tab on the QoS page (see Figure 51). The hardware priority levels can be set for each interface under the Advanced QoS tab on the QoS page (see Figure 52). [Screenshot residue: QoS tab, "Configure Quality of Service (QoS)", with an Enable QoS drop-down menu and DEFAULT Flow Priority and Out Limit fields.] Help text: Quality of Service (QoS): The master enable for QoS must be set for any QoS settings to have an effect
158. x 10 sys id mesh 12 sys id node 4. This indicates the router needs to forward traffic destined for the 10.12.4.0/255.255.255.0 subnet to the EL-500. When using the explicit addressing scheme, the subnet information has to be retrieved from the individual interfaces. The example below shows how to obtain the address information for wlan1. A similar approach can be used to obtain that information for the other interfaces.
    > use wlan1
    sys> get ip _force
    ip address_force 10.5.1.1
    ip broadcast_force 10.5.1.255
    ip gateway_force
    ip netmask_force 255.255.255.0
Web GUI: The LAN prefix and node ID can be obtained by inspecting the IP addresses available on the Status page. The addresses of interest are the IP addresses for each of the active VAPs. When using the implicit addressing scheme, all of these addresses will fall within a single class C address space, whereas when using the explicit addressing scheme they can be of arbitrary size. 15.1.2 Network Address Translation (NAT). Network Address Translation (NAT) shields the client access interfaces and client devices connected to the VAPs from the LAN network that the EL-500 is connected to. The EL-500 and its client devices are able to communicate with devices connected to the external network. However, devices on the external network cannot initiate communication with any devices connect
159. y IP address for any of the client access interfaces when operating using the explicit addressing scheme. This field should be left blank for each interface. If an address space is not defined for a client access interface when operating in explicit addressing mode, a default address space will be defined with the following parameters: IP address: <first octet of LAN prefix>.<node ID>.<virtual AP number (1-4)>.1; IP netmask: 255.255.255.0. CLI: Set the implicit enable parameter in the mesh0 interface to no to select the explicit addressing scheme. The example below demonstrates this.
    > use mesh0
    sys> set implicit enable no
See section 13.3 for instructions on how to set the IP addresses for the client access interfaces when using the explicit addressing scheme. Web GUI: The addressing scheme is set with the Implicit Addressing drop-down menu on the System tab of the System page (see Figure 34). Set this to disabled to use the explicit addressing scheme. See section 13.3 for instructions on how to set the IP addresses for the wired and wireless client access interfaces when using the explicit addressing scheme. 11 Ethernet Interface Configuration. The Ethernet interface features described in this chapter are not used in bridge mode. See section 12 for information
160. zed access to the EL-500. 2. Set the node ID: The node ID affects the client access interface IP address spaces when using the implicit addressing scheme. See section 9.2. 3. Set the DNS servers: Specify DNS servers to allow hostnames to be resolved. SEE SPUD. To simplify initial configuration, the web GUI has a page that allows the user to change all the parameters listed in this section on a single page. This page can be accessed by clicking on the Minimal configuration link in the web interface navigation bar on the left side of the web interface. In addition to setting the parameters on the Minimal Configuration page, OnRamp access should be disabled after initial programming. See section 9.11 for instructions on how to enable OnRamp access to the EL-500. [Screenshot residue: Basic Initial Configuration page.] 1. Change the admin password: The default passwords should be changed to prevent unauthorized access to the nodes. A password must be a string of four to 32 characters. Please note, changing the admin password will force you to relog onto the webpages to continue with configuration. Fields: Admin Password, Verify Admin Password. 2. Set the DNS servers: Specify DNS server(s) to allow hostnames to be resolved. You may specify one or two DNS servers by their IP addresses. If you need to
