HP

Published on March 2017 | Categories: Documents

HP V-M200 802.11n Access Point

Management and Configuration Guide

 

Copyright and Disclaimer Notices

© Copyright 2010 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. This document contains proprietary information, which is protected by copyright. No part of this document may be photocopied, reproduced, or translated into another language without the prior written consent of Hewlett-Packard.

HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.

Publication Number
5998-0296
August 2010

Applicable Products
V-M200 802.11n Access Point
WW: J9468A
USA: J9467A

Trademark Credits
Windows NT®, Windows®, and MS Windows® are US registered trademarks of Microsoft Corporation.

Disclaimer
The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. Hewlett-Packard assumes no responsibility for the use or reliability of its software on equipment that is not furnished by Hewlett-Packard.

Warranty
See the Customer Support/Warranty information included with the product. A copy of the specific warranty terms applicable to your Hewlett-Packard products and replacement parts can be obtained from your HP Sales and Service Office or authorized dealer.

Open Source Software Acknowledgement Statement
This software incorporates open source components that are governed by the GNU General Public License (GPL), version 2. In accordance with this license, HP Networking will make available a complete, machine-readable copy of the source code components covered by the GNU GPL upon receipt of a written request. Send a request to:

Hewlett-Packard Company, L.P.
GNU GPL Source Code
Attn: HP Networking Support
Roseville, CA 95747 USA

Safety
Before installing and operating this product, please read Safety information on page 1-5.

Hewlett-Packard Company 8000 Foothills Boulevard Roseville, California 95747 www.hp.com/networking

 

Contents

1 Introduction
About this guide
Conventions
Management tool
Warnings and cautions
Introducing the HP V-M200 802.11n Access Point
Sample deployments
Key features
Safety information
Important information to read before installing
Servicing
HP Networking support
Before contacting support
Getting started
Online documentation

2 Using Quick Setup
Overview
Automatically running Quick Setup the first time you login
Manually running Quick Setup after your first login
Basic wireless network
Step 1: Specify wireless network settings
Step 2: Specify wireless network settings
Identify the wireless network
Secure the wireless network
Multiple wireless networks
Step 1: Specify wireless network settings
Step 2: Specify wireless network settings
Buttons
Wireless community table
Wireless community settings
Identify the wireless network
Secure the wireless network
Prioritize wireless network traffic
Multiple wireless networks with wired VLANs
Step 1: Specify wireless network settings
Step 2: Specify wireless network settings
Buttons
Wireless community table
Wireless community settings
Identify the wireless network
Secure the wireless network
Prioritize wireless network traffic
Map wireless network to a VLAN
Multiple wireless networks with RADIUS authentication
Global settings page
Step 1: Configure access point settings
Configure the radio
Get an IP address
Change administrator login credentials
Step 2: Specify wireless network settings
Buttons
Wireless community table
Wireless community settings
Identify the wireless network
Secure the wireless network
Prioritize wireless network traffic
Map wireless network to a VLAN

3 Managing the V-M200
Management tool
Customizing management tool settings
About the manager and operator accounts
Passwords
SNMP
Configuring the SNMP agent
System time
Configuring the system time
Set timezone
Set date & time (manually)
Set date and time (time servers)
Time server protocol
Country

4 Working with wireless communities
Overview
Managing wireless communities
About the default wireless community
Wireless community configuration options
General
Wireless settings
Ethernet VLAN
Wireless protection
WPA
802.1X
WEP
MAC-based authentication
MAC filtering
Wireless community data flow
Quality of service (QoS)
Upstream/downstream traffic marking
Upstream traffic marking
Downstream traffic marking

5 Wireless configuration
Wireless coverage
Factors limiting wireless coverage
Interference
Physical characteristics of the location
Configuring overlapping wireless cells
Performance degradation and channel separation
Selecting channels
802.11n best practices
Supporting legacy wireless clients
Available 802.11n modes
802.11n (5 GHz) and 802.11n (2.4 GHz)
802.11n/a, 802.11n/b/g
802.11n/g
Channel width
Radio configuration
Radio
Regulatory domain
Operating mode
Wireless mode
Channel width
Channel
Detecting rogue APs
Scanning modes
Viewing scan results
Scanning for rogue APs
Creating a list of authorized access points
Viewing wireless information
Viewing all connected wireless clients
Viewing wireless statistics for the radio
Viewing throughput for wireless clients

6 Configuring network settings and VLANs
Assigning an IP address to the V-M200
Automatically assigning an IP address (default method)
Manually assigning an IP address
Ethernet port link settings
Working with VLANs
VLAN assignment via wireless community
VLAN assignment via RADIUS
Example
Bridging traffic between wireless communities with VLANs
Discovery protocols
CDP
LLDP
SNMP support
Supported LLDP TLVs
LLDP default settings
Configuring LLDP support on the V-M200
Bridge spanning tree protocol
DNS server configuration
DNS servers
DNS advanced settings

7 Authentication services
Using a third-party RADIUS server
Defining a RADIUS client profile on the V-M200
To define a RADIUS profile
Configuration settings
Configuring user accounts on a RADIUS server
Access Request attributes
Access Accept attributes
Access Reject
Access Challenge attributes
Accounting Request attributes
Global 802.1X settings
Supplicant timeout
Group key update
Reauthentication

8 Creating WDS links
Key concepts
Configuration considerations
Simultaneous access point and WDS support
Using the 5 GHz band for WDS links
Quality of service
Priority mechanisms
Spanning-tree protocol
Discovery protocols
Configuration considerations
WDS configuration settings
Settings
Security
Addressing
Sample WDS deployment
A. Obtain the MAC address of V-M200 #2
B. Setup the WDS link on V-M200 #1
C. Setup the WDS link on V-M200 #2
D. Test the link and make performance adjustments

9 Maintenance
Config file management
Backup configuration
Restore configuration
Reset configuration
Software updates

A Regulatory statements
Industry Canada statement
Conformité Européene — CE marking

B Resetting to factory defaults
Factory reset procedures
Using the reset button
Using the management tool


 

Chapter 1: Introduction

1 Introduction

Contents
About this guide
Conventions
Introducing the HP V-M200 802.11n Access Point
Sample deployments
Key features
Safety information
Important information to read before installing
Servicing
HP Networking support
Before contacting support
Getting started
Online documentation

 


About this guide

This guide explains how to install, configure, and operate the HP V-M200 802.11n Access Point.

Conventions

The following conventions are used in this guide.

Management tool

This guide uses specific syntax when directing you to interact with the management tool user interface. Refer to the following image for identification of key user-interface elements and then the table below for example directions:

[Image: management tool user interface, with the main menu and sub-menu labeled.]

Example directions in this guide | What to do in the user interface
Select Wireless > Radio. | Select Wireless on the main menu, and then select Radio on the sub-menu.
For Password specify secret22. | In the Password field, enter the text secret22 exactly as shown.

Warnings and cautions

Do not proceed beyond a WARNING or CAUTION notice until you fully understand the hazardous conditions and have taken appropriate steps.

Warning: Identifies a hazard that can cause physical injury or death.

Caution: Identifies a hazard that can cause the loss of data or configuration information, create a noncompliant condition, or hardware damage.

 


Introducing the HP V-M200 802.11n Access Point

Geared towards small and medium-sized businesses (SMBs), the HP V-M200 802.11n Access Point offers next-generation 802.11n technology, superior bandwidth, and multiple operating modes.

The V-M200 is an 802.11n MIMO (multiple input, multiple output) access point that provides extended coverage and enhanced throughput for both legacy 802.11a/b/g and newer 802.11n clients. The V-M200 dispenses multiple network services, delivers high-performance client access, and offers ease of deployment.

Since SMBs often lack the IT resources of large companies, and their network security may not be strong enough to protect the integrity of their business data, the V-M200 is designed to offer robust and consistent security through the following authentication and encryption standards:

Wi-Fi Protected Access (WPA and WPA2)



Extensible Authentication Protocol (EAP) Types, including EAP-MD5, EAP-TLS, EAP-TTLS, PEAPv0, PEAPv1, and EAP-FAST

These authentication and encryption certifications support IEEE 802.1X for user-based authentication, Temporal Key Integrity Protocol (TKIP) for WPA encryption, and Advanced Encryption Standard (AES) for WPA2 encryption. The V-M200 is managed through its easy-to-use Web-based management tool, and it can be easily deployed and integrated into an existing LAN infrastructure.

Sample deployments

In a small office, the V-M200 can be directly connected to a broadband router (DSL or cable) to provide wireless networking for all employees. In the following scenario, employees can share data and resources with each other and access the Internet at the same time.

[Figure: a V-M200 connected to a router with DHCP server. Wireless community: high security wireless network for employees using WPA/WPA2.]

 


With its wireless community feature, the V-M200 can be configured to provide up to four separate wireless networks (all on the same wireless channel), each with its own configuration settings for security, quality of service, VLAN support, and more.

[Figure: a V-M200 connected to a switch. Wireless community 1: high security wireless network (WPA/WPA2) for employees. Wireless community 2: low security wireless network for guests. VLAN 1: employees with secure access to all network resources and the Internet. VLAN 2: guests with access to a network printer and the Internet.]

In this scenario, employees connect to wireless community 1, which is protected with WPA/WPA2. All employee traffic exits the V-M200 on VLAN 1, providing access to private resources on the company network, as well as the Internet. Guests connect to wireless community 2, which is protected with WEP. All guest traffic exits the V-M200 on VLAN 2, providing access only to the Internet. In addition, wireless traffic from guests is given a lower priority than employee traffic.

For offices that already have a wired networking infrastructure, the V-M200 is easily integrated to provide wireless networking. It can also be used to extend the reach of the network to areas that are difficult or impossible to reach with traditional cabling.

In the following scenario, V-M200 #1 provides wireless network services to the employees in the main office, while V-M200 #2 and V-M200 #3 use the Wireless Distribution System (WDS) to create a wireless link between the main office network and a small network in a warehouse. WDS eliminates the need to run cabling, allowing for fast and easy deployment.

[Figure: Main office area and Warehouse joined by a WDS wireless link. Labels: File server, DHCP server, Employee computers, Wireless community (two), V-M200 #1, V-M200 #2, V-M200 #3.]

 


Key features

Radio: Supports IEEE 802.11a, 802.11b, 802.11g, and 802.11n (2.4 GHz / 5 GHz).

Automatic channel selection: Auto-selects RF channel and transmit power.

Wireless communities: Allows you to create up to four different wireless networks (on the same channel), each with its own configuration settings, including network name, user authentication, encryption, quality of service, and more.

Power over Ethernet (PoE): Supports 802.3af PoE as a powered device (PD), so that it can be mounted where power outlets are not readily available.

Authentication and encryption: Enforces client authorization based on user credentials (802.1X/EAP), or hardware identifiers (MAC address, WEP key).

Intrusion detection: Detects rogue APs by scanning the radio frequency (RF) space for unauthorized APs at specific intervals to protect the network.

Wireless Distribution System (WDS): Provides point-to-point bridging to extend the network to places where Ethernet infrastructure is not available.

Ethernet port: Provides a single 10/100/1000 Mbps IEEE 802.3 Ethernet port for connection to a wired network.

Safety information

Warning

Important information to read before installing

See the HP V-M200 802.11n Access Point Quickstart for installation instructions.

Prior to installing or using the V-M200, make sure that the installation plans are in compliance with RF and other regulations, such as building and wiring codes, safety, channel, indoor/outdoor restrictions, and license requirements for the intended country of use. It is the responsibility of the end user to ensure that installation and use comply with local safety and radio regulations.

Surge protection and grounding: Make sure that proper surge protection and grounding precautions are taken according to local electrical code. Failure to do so may result in personal injury, fire, equipment damage, or a voided warranty. The HP hardware warranty provides no protection against damage caused by static discharge or a power surge.

Cabling: You must use the appropriate cables, and where applicable, surge protection, for your given region. For compliance with EN55022 Class-B emissions requirements use shielded Ethernet cables. At least Cat 5e cabling is required.

Country of use: In some regions, you are prompted to select the country of use during setup. Once the country has been set, the V-M200 will automatically limit the available wireless channels, ensuring compliant operation in the selected country. Entering the incorrect country may result in illegal operation and may cause harmful interference to other systems.


Safety: Take note of the following safety information during installation. 

If your network covers an area served by more than one power distribution system, be sure all safety grounds are securely interconnected.



Network cables may occasionally be subject to hazardous transient voltages (caused by lightning or disturbances in the electrical power grid).



Handle exposed metal components of the network with caution.



The V-M200 is powered-on when its Ethernet port is plugged into a PoE power source or when an external power supply is connected.



The V-M200 and all interconnected equipment must be installed indoors within the same building, including all PoE-powered network connections as described by Environment A of the IEEE 802.3af standard.

Servicing

There are no user-serviceable parts inside HP Networking products. Any servicing, adjustment, maintenance, or repair must be performed only by trained service personnel.

HP Networking support

The HP Web site, www.hp.com/networking/support provides up-to-date support information. Additionally, your HP-authorized network reseller can provide you with assistance, both with services that they offer and with services offered by HP.

Before contacting support

To make the support process most efficient, before calling your networking dealer or HP Networking support, you first should collect the following information:

Collect this information | Where to find it
Product identification. | On the bottom of the product.
Software version. | The V-M200 management tool Login page.
Network topology map, including the addresses assigned to all relevant devices. | Your network administrator.

 


Getting started

Get started with your V-M200 by following the directions in the HP V-M200 802.11n Access Point Quickstart.

Online documentation

For the latest documentation, visit the HP Networking support Web page at: www.hp.com/networking/support and select Manuals.


 

Chapter 2: Using Quick Setup

2 Using Quick Setup

Contents
Overview
Automatically running Quick Setup the first time you login
Manually running Quick Setup after your first login
Basic wireless network
Step 1: Specify wireless network settings
Step 2: Specify wireless network settings
Multiple wireless networks
Step 1: Specify wireless network settings
Step 2: Specify wireless network settings
Multiple wireless networks with wired VLANS
Step 1: Specify wireless network settings
Step 2: Specify wireless network settings
Multiple wireless networks with RADIUS authentication
Global settings page
Step 1: Configure access point settings
Step 2: Specify wireless network settings

 


Overview

Quick Setup provides an easy way to quickly configure settings on the V-M200 for several different networking scenarios. Just pick the scenario that most closely resembles your installation and fill in the appropriate fields to get going.

Automatically running Quick Setup the first time you login

The first time you login to the management tool (see the HP V-M200 802.11n Access Point Quickstart for first time login procedure), the Quick Setup home page is automatically presented at the end of the startup sequence. This page lets you choose one of four configuration scenarios to use as the basis for your setup.

See the following sections for a description of each scenario:

Basic wireless network

Multiple wireless networks

Multiple wireless networks with wired VLANS

Multiple wireless networks with RADIUS authentication

 


Manually running Quick Setup after your first login

If you manually launch Quick Setup by selecting Home > Quick Setup, you will see the Quick Setup global settings page instead of the Quick Setup home page. See Global settings page.

Basic wireless network

See also the HP V-M200 802.11n Access Point Quickstart which describes the configuration procedure for a basic wireless network.

Choose this option if you want to create a single wireless network to provide wireless connectivity for your users. This option can be used to connect the V-M200 directly to a broadband router or to an existing wired network, using either static IP addressing or DHCP.


Click OK to display the configuration page for the scenario.

Step 1: Specify wireless network settings

For a complete description of all settings see:

Step 1: Configure access point settings.

The online help for this section.

 


Step 2: Specify wireless network settings

Identify the wireless network

Use this section to define names for the wireless community.

Community name

Specify a name to identify the community on the V-M200.

Network name (SSID)

Specify a name to uniquely identify the wireless network associated with this community. Each wireless user that wants to connect to this community must use the network name. The name is case-sensitive. By default, the V-M200 will broadcast this name so that wireless users can see it when they try to connect to the wireless network.

Secure the wireless network

Use this section to define security settings for the wireless network.

Security method

Choose the method that will be used to protect wireless transmissions. Refer to the sections that follow for configuration details.

WPA, WPA2, WPA or WPA2

Wi-Fi Protected Access (WPA) is a security protocol that provides for both encryption of the wireless data stream (via TKIP or AES/CCMP) and authentication of wireless users (via 802.1X/EAP).

The following versions are supported:

Version | Description
WPA | WPA with TKIP encryption. WPA cannot be used when the radio operating mode supports 802.11n.
WPA2 | WPA2 (802.11i) with CCMP encryption. If all your clients are WPA2, select this option for the maximum possible security.
WPA or WPA2 | Mixed mode supports both WPA (version 1) and WPA2 (version 2) at the same time. Some legacy WPA clients may not work if this mode is selected. This mode is slightly less secure than using the pure WPA2 mode.

 


Key source

This scenario only supports the use of a PreShared key.

Key: The V-M200 uses the key you specify in this field to generate the TKIP or AES/CCMP keys that are used to encrypt the wireless data stream. This key must be configured by each user in their WPA software. Specify a key that is between 8 and 63 alphanumeric characters in length. It is recommended that the preshared key be at least 20 characters long, and be a mix of letters and numbers. The double quote character (") should not be used.

WEP

This is the least secure method of protecting wireless transmissions. WEP is provided so you can support client stations that do not have WPA software.

Note: WEP cannot be used when the radio operating mode supports 802.11n.

Key

The number of characters you specify for the key determines the level of encryption.

For 40-bit encryption, specify 5 ASCII characters or 10 hexadecimal digits.

For 128-bit encryption, specify 13 ASCII characters or 26 hexadecimal digits.

When encryption is enabled, wireless stations that do not support encryption cannot communicate with the V-M200. The definition for each encryption key must be the same on the V-M200 and all client stations.

Key format

Select the format used to specify the encryption key:

ASCII: ASCII keys are much weaker than carefully chosen HEX keys. You can include ASCII characters between 32 and 126, inclusive, in the key. However, note that not all client stations support non-alphanumeric characters such as spaces, punctuation, or special symbols in the key.

HEX: Your keys should only include the following characters: 0-9, a-f, A-F.

 


Multiple wireless networks

Choose this option if you want to create multiple wireless networks to support users with different networking requirements. For example, you could create two wireless networks, one for employees and one for guests. The guest network could be given a lower priority so employee traffic is never delayed due to excessive guest traffic. This option can be used to connect the V-M200 to a network using either static IP addressing or DHCP.

Click OK to display the configuration page for the scenario.


Step 1: Specify wireless network settings

For a complete description of all settings see:

Step 1: Configure access point settings.

The online help for this section.

 


Step 2: Specify wireless network settings

Buttons

Add New Wireless Community

Select this button to add a new wireless community to the table. The V-M200 supports up to four wireless communities. After you add a new community, configure its settings using the fields under Wireless community settings. Select Update Community when you are done.

Delete

Select this button to delete the selected wireless community. (The one that is currently being edited.) If the community is configured to use a RADIUS server for WPA authentication, the RADIUS profile created when the community was added is also deleted if it is not being used by another wireless community.

Update Community

Select this button to update the community with your configuration settings. The settings are not saved until you select the Save button.

Cancel

Select this button to discard your settings.

Save

Select this button to save your settings.

Wireless community table

This table lists all wireless communities that are defined on the V-M200. The V-M200 supports up to four wireless communities. Each wireless community defines the settings for a distinct wireless network with its own configuration settings. To edit the settings for a community, select the community in the table, then configure the fields under Wireless community settings. Select Update Community when you are done.

Wireless community settings

The following sections present the settings for the selected wireless community.


Identify the wireless network

Use this section to define names for the wireless community.

Community name

Specify a name to identify the community on the V-M200.

Network name (SSID)

Specify a name to uniquely identify the wireless network associated with this community. Each wireless user that wants to connect to this community must use the network name. The name is case-sensitive. By default, the V-M200 will broadcast this name so that wireless users can see it when they try to connect to the wireless network.

Secure the wireless network

Use this section to define security settings for the wireless network.

Security method

Choose the method that will be used to protect wireless transmissions. Refer to the sections that follow for configuration details.

WPA, WPA2, WPA or WPA2

Wi-Fi Protected Access (WPA) is a security protocol that provides for both encryption of the wireless data stream (via TKIP or AES/CCMP) and authentication of wireless users (via 802.1X/EAP).

The following versions are supported:

Version | Description
WPA | WPA with TKIP encryption. WPA cannot be used when the radio operating mode supports 802.11n.
WPA2 | WPA2 (802.11i) with CCMP encryption. If all your clients are WPA2, select this option for the maximum possible security.
WPA or WPA2 | Mixed mode supports both WPA (version 1) and WPA2 (version 2) at the same time. Some legacy WPA clients may not work if this mode is selected. This mode is slightly less secure than using the pure WPA2 mode.

 


Key source

This scenario only supports the use of a PreShared key.

Key: The V-M200 uses the key you specify in this field to generate the TKIP or AES/CCMP keys that are used to encrypt the wireless data stream. This key must be configured by each user in their WPA software. Specify a key that is between 8 and 63 alphanumeric characters in length. It is recommended that the preshared key be at least 20 characters long, and be a mix of letters and numbers. The double quote character (") should not be used.

WEP

This is the least secure method of protecting wireless transmissions. WEP is provided so you can support client stations that do not have WPA software.

Note: WEP cannot be used when the radio operating mode supports 802.11n.

Key

The number of characters you specify for the key determines the level of encryption.

For 40-bit encryption, specify 5 ASCII characters or 10 hexadecimal digits.

For 128-bit encryption, specify 13 ASCII characters or 26 hexadecimal digits.

When encryption is enabled, wireless stations that do not support encryption cannot communicate with the V-M200. The definition for each encryption key must be the same on the V-M200 and all client stations.

Key format

Select the format used to specify the encryption key:

ASCII: ASCII keys are much weaker than carefully chosen HEX keys. You can include ASCII characters between 32 and 126, inclusive, in the key. However, note that not all client stations support non-alphanumeric characters such as spaces, punctuation, or special symbols in the key.

HEX: Your keys should only include the following characters: 0-9, a-f, A-F.

Prioritize wireless network traffic

The quality of service (QoS) feature provides a number of different mechanisms to prioritize wireless traffic sent to wireless client stations.


This is useful when you have defined multiple wireless communities and want to ensure a specific level of service for each one. For example, if you have two communities, one for employees and one for guests, you might want to make the employee traffic higher priority so that employee traffic is never delayed due to excessive guest traffic.

Priority mechanism

By default, Diffserv is used. Unless you have specific requirements you can leave this setting. For a complete description of all options, see Quality of service (QoS).

Multiple wireless networks with wired VLANS

Choose this option if you want to:

Create multiple wireless networks to support users with different requirements.

Map the traffic from each wireless network to a specific VLAN.

This option can be used to connect the V-M200 to a network using either static IP addressing or DHCP.

Click OK to display the configuration page for the scenario.


Step 1: Specify wireless network settings

For a complete description of all settings see:

Step 1: Configure access point settings.

The online help for this section.

Step 2: Specify wireless network settings

Buttons

Add New Wireless Community

Select this button to add a new wireless community to the table. The V-M200 supports up to four wireless communities. After you add a new community, configure its settings using the fields under Wireless community settings. Select Update Community when you are done.

Delete

Select this button to delete the selected wireless community. (The one that is currently being edited.) If the community is configured to use a RADIUS server for WPA authentication, the RADIUS profile created when the community was added is also deleted if it is not being used by another wireless community.

Update Community

Select this button to update the community with your configuration settings. The settings are not saved until you select the Save button.

Cancel

Select this button to discard your settings.

Save

Select this button to save your settings.

Wireless community table

This table lists all wireless communities that are defined on the V-M200. The V-M200 supports up to four wireless communities. Each wireless community defines the settings for a distinct wireless network with its own configuration settings. To edit the settings for a community, select the community in the table, then configure the fields under Wireless community settings. Select Update Community when you are done.


Wireless community settings

The following sections present the settings for the selected wireless community.

Identify the wireless network

Use this section to define names for the wireless community.

Community name

Specify a name to identify the community on the V-M200.

Network name (SSID)

Specify a name to uniquely identify the wireless network associated with this community. Each wireless user that wants to connect to this community must use the network name. The name is case-sensitive. By default, the V-M200 will broadcast this name so that wireless users can see it when they try to connect to the wireless network.

Secure the wireless network

Use this section to define security settings for the wireless network.

Security method

Choose the method that will be used to protect wireless transmissions. Refer to the sections that follow for configuration details.

WPA, WPA2, WPA or WPA2

Wi-Fi Protected Access (WPA) is a security protocol that provides for both encryption of the wireless data stream (via TKIP or AES/CCMP) and authentication of wireless users (via 802.1X/EAP).


The following versions are supported:

Version | Description
WPA | WPA with TKIP encryption. WPA cannot be used when the radio operating mode supports 802.11n.
WPA2 | WPA2 (802.11i) with CCMP encryption. If all your clients are WPA2, select this option for the maximum possible security.
WPA or WPA2 | Mixed mode supports both WPA (version 1) and WPA2 (version 2) at the same time. Some legacy WPA clients may not work if this mode is selected. This mode is slightly less secure than using the pure WPA2 mode.

Key source

This scenario only supports the use of a PreShared key.

Key: The V-M200 uses the key you specify in this field to generate the TKIP or AES/CCMP keys that are used to encrypt the wireless data stream. This key must be configured by each user in their WPA software. Specify a key that is between 8 and 63 alphanumeric characters in length. It is recommended that the preshared key be at least 20 characters long, and be a mix of letters and numbers. The double quote character (") should not be used.
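The preshared-key rules above (repeated in each Quick Setup scenario), as an added example that is not HP's code: it checks a key against the guide's stated rules and derives the 256-bit key with the standard IEEE 802.11i passphrase mapping (PBKDF2-HMAC-SHA1 salted with the SSID). That the V-M200 uses this standard mapping is an assumption, and the function names and the sample SSID `Office-Guest` are made up for illustration.

```python
import hashlib
import math
import string

ALNUM = set(string.ascii_letters + string.digits)

# Published IEEE 802.11i test vector: passphrase "password", SSID "IEEE".
IEEE_TEST_PMK = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"


def check_preshared_key(key):
    """Check a key against the rules quoted from the guide.

    Returns (errors, warnings): an error breaks a stated requirement,
    a warning misses a stated recommendation.
    """
    errors, warnings = [], []
    if not 8 <= len(key) <= 63:
        errors.append("length must be between 8 and 63 characters")
    if '"' in key:
        errors.append("contains the double quote character")
    if any(ch not in ALNUM for ch in key):
        errors.append("contains non-alphanumeric characters")
    if len(key) < 20:
        warnings.append("shorter than the recommended 20 characters")
    if not (any(c.isalpha() for c in key) and any(c.isdigit() for c in key)):
        warnings.append("not a mix of letters and numbers")
    return errors, warnings


def derive_pmk(key, ssid):
    """Standard WPA/WPA2 passphrase-to-key mapping (IEEE 802.11i):
    PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 256-bit output.
    Assumed, not confirmed, to be what the access point does internally."""
    return hashlib.pbkdf2_hmac(
        "sha1", key.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


def search_space_bits(length, alphabet_size=62):
    """Bits of search space for a randomly chosen alphanumeric key."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Constructed sample keys, not taken from any real network.
    for sample in ("password", "k7Qm2x9TzR4bW8nL5cJ1"):
        errors, warnings = check_preshared_key(sample)
        print(sample, "errors:", errors, "warnings:", warnings)
        print("  search space: %.1f bits" % search_space_bits(len(sample)))
    # The SSID is the salt, so the same key gives a different PMK per network name.
    print(derive_pmk("password", "IEEE").hex())
    print(derive_pmk("password", "Office-Guest").hex())
```

Because the SSID is the only salt and the iteration count is fixed, anyone who records a handshake can test guesses offline; an 8-character random alphanumeric key leaves about 48 bits of search space, the recommended 20 characters about 119.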

WEP This is the least secure method of protecting wireless transmissions. WEP is provided so you can support client stations that do not have WPA software.

Note

WEP cannot be used when the radio operating mode supports 802.11n.

Key The number of characters you specify for the key determines the level of encryption.

For 40-bit encryption, specify 5 ASCII characters or 10 hexadecimal digits.



For 128-bit encryption, specify 13 ASCII characters or 26 hexadecimal digits.

When encryption is enabled, wireless stations that do not support encryption cannot communicate with the V-M200. The definition for each encryption key must be the same on the V-M200 and all client stations.


Key format Select the format used to specify the encryption key: 

ASCII: ASCII keys are much weaker than carefully chosen HEX keys. You can include ASCII characters between 32 and 126, inclusive, in the key. However, note that not all client stations support non-alphanumeric characters such as spaces, punctuation, or special symbols in the key.

HEX: Your keys should only include the following characters: 0-9, a-f, A-F.

Prioritize wireless network traffic The quality of service (QoS) feature provides a number of different mechanisms to prioritize wireless traffic sent to wireless client stations.

This is useful when you have defined multiple wireless communities and want to ensure a specific level of service for each one. For example, if you have two communities, one for employees and one for guests, you might want to make the employee traffic higher priority so that employee traffic is never delayed due to excessive guest traffic.

Priority mechanism By default, Diffserv is used. Unless you have specific requirements you can leave this setting. For a complete description of all options, see Quality of service (QoS) on page 4-15.

Map wireless network to a VLAN Use this option to bind the wireless community to a specific VLAN on the Ethernet port. All traffic sent by the wireless community will be assigned to the VLAN you specify when it exits the Ethernet port. The VLAN is not used for wireless traffic. If you do not set a VLAN, traffic is sent untagged.

 VLAN Select this checkbox to enable VLAN support.

 VLAN ID Specify the VLAN ID to assign to this community.


Multiple wireless networks with RADIUS authentication Choose this option if you want to:

Create multiple wireless networks to support users with different requirements.

Map the traffic from each wireless network to a specific VLAN.

Authenticate user login credentials using a third-party RADIUS server.

This option can be used to connect the V-M200 to a network using either static IP addressing or DHCP.

Click OK to display the configuration page for the scenario.


For a complete description of all settings see: 

Global settings page on page 2-20.



The online help for this page.


Global settings page If you manually launch Quick Setup by selecting Home > Quick setup, you will see the Quick Setup global settings page. This page shows all the settings that are supported by all Quick Setup scenarios. See the sections that follow for complete descriptions of each setting.


Step 1: Configure access point settings Configure the radio Use this section to set the radio operating mode.

Wireless mode Select the mode that best supports the wireless client stations at your location. Supported wireless modes are determined by the regulatory domain (country) in which the V-M200 is configured to operate. Available options may include one or more of the following:

802.11n (5 GHz): (Pure 802.11n) Supports up to 300 Mbps in the 802.11n 5 GHz frequency band.

802.11n/a: (Compatibility mode.) Supports up to 270 Mbps for 802.11n and 54 Mbps for 802.11a in the 5 GHz frequency band.

802.11n (2.4 GHz): (Pure 802.11n) Supports up to 144.4 Mbps in the 802.11n 2.4 GHz frequency band.

802.11n/g: (Compatibility mode.) Supports up to 130 Mbps for 802.11n and 54 Mbps for 802.11g in the 2.4 GHz frequency band. Only use this setting when support for 802.11g is necessary.

802.11n/b/g: (Compatibility mode.) Up to 130 Mbps for 802.11n, 54 Mbps for 802.11g, and 11 Mbps for 802.11b in the 2.4 GHz frequency band. Only use this setting when support for 802.11b is necessary.

802.11b: Supports up to 11 Mbps in the 2.4 GHz frequency band.

802.11b/g: Supports up to 11 and 54 Mbps in the 2.4 GHz frequency band.

802.11g: Supports up to 54 Mbps in the 2.4 GHz frequency band.

802.11a: Supports up to 54 Mbps in the 5 GHz frequency band.

Note

In 802.11n (2.4) and 802.11n (5 GHz) modes, the V-M200 does not permit non-802.11n clients to associate. Also in these modes, the V-M200 does not use protection mechanisms (RTS/CTS or CTS-to-self) to enable legacy APs to operate on the same frequency. This can potentially cause problems with legacy (a/b/g) APs operating on the same channel, but provides the best throughput for the V-M200 and its 11n clients.

In 802.11n/a, 802.11n/g, 802.11n/b/g modes, the V-M200 permits both 802.11n and legacy clients (a/b/g) to associate. The V-M200 uses protection mechanisms (RTS/CTS or CTS-to-self) when sending 11n data to prevent disruption to legacy (a/b/g) clients associated on the same channel.


Get an IP address Use this section to configure how an IP address is assigned to the V-M200.

IP configuration Select the method that will be used to assign an IP address to the Ethernet port on the V-M200.

DHCP server The V-M200 will operate as a DHCP client and automatically obtain an IP address from a DHCP server on the network connected to the Ethernet port. If no DHCP server is found, the IP address 192.168.1.1 is assigned to the Ethernet and wireless ports.

Static You must manually specify the IP address, subnet mask, and default gateway to assign to the Ethernet port. By default, the address 192.168.1.1 is assigned.

IP address: Specify the IP address you want to assign to the Ethernet port in the format: n.n.n.n, where n is a number between 1 and 255.

Subnet mask: Specify the appropriate subnet mask for the IP address you specified in the format: n.n.n.n, where n is a number between 1 and 255.

Default gateway: Specify the IP address of the default gateway in the format: n.n.n.n, where n is a number between 1 and 255. This is generally the address of the device on the wired network that provides access to the Internet.

Change administrator login credentials Use these settings to change the username and password for the manager account. If you leave the Username and Password fields blank and then select Save, no change is made to the current manager username and password.


Username Specify a new login name for the V-M200 manager account. By default, the username is set to admin.

New password / Confirm password Specify a new password for the V-M200 manager account. By default, the password is set to admin. Passwords must be 6 to 16 printable ASCII characters in length, and contain at least 4 different characters. Passwords are case sensitive. Space characters and double quotes ( “ ) cannot be used.

Step 2: Specify wireless network settings

Buttons

Add New Wireless Community Select this button to add a new wireless community to the table. After you add a new community, configure its settings using the fields under Wireless community settings. Select Add Community when you are done.

Delete Select this button to delete the selected wireless community. (The one that is currently being edited.) If the community is configured to use a RADIUS server for WPA or 802.1X authentication, the RADIUS profile created when the community was added is also deleted if it is not being used by another wireless community.

Update Community Select this button to update the community with your configuration settings. The settings are not saved until you select the Save button.

Cancel Select this button to discard your settings.

Save Select this button to save your settings.

Wireless community table This table lists all wireless communities that are defined on the V-M200. The V-M200 supports up to four wireless communities. Each wireless community defines the settings for a distinct wireless network with its own configuration settings.


To edit the settings for a community, select the community in the table, then configure the fields under Wireless community settings. Select Update Community when you are done.

Wireless community settings The following sections present the settings for the selected wireless community.

Identify the wireless network Use this section to define names for the wireless community.

Community name Specify a name to identify the community on the V-M200.

Network name (SSID) Specify a name to uniquely identify the wireless network associated with this community. Each wireless user that wants to connect to this community must use the network name. The name is case-sensitive.

Secure the wireless network Use this section to define security settings for the wireless network.

Security method Choose the method that will be used to protect wireless transmissions. Refer to the sections that follow for configuration details.


WPA, WPA2, WPA or WPA2 Wi-Fi Protected Access (WPA) is a security protocol that provides for both encryption of the wireless data stream (via TKIP or AES/CCMP) and authentication of wireless users (via 802.1X/EAP). The following versions are supported:

Version       Description
WPA           WPA with TKIP encryption.
WPA2          WPA2 (802.11i) with CCMP encryption. If all your clients are WPA2, select this option for the maximum possible security.
WPA or WPA2   Mixed mode supports both WPA (version 1) and WPA2 (version 2) at the same time. Some legacy WPA clients may not work if this mode is selected. This mode is slightly less secure than using the pure WPA2 mode.

Note

WPA cannot be used when the radio operating mode supports 802.11n.

Key source This option determines how the WPA encryption keys are generated.

PreShared Key: The V-M200 uses a statically defined key to encrypt traffic. To connect to this community, wireless users must configure their WPA software with this key.

Key: The V-M200 uses the key you specify in this field to generate the TKIP or AES/CCMP keys that are used to encrypt the wireless data stream. Since this is a static key, it is not as secure as the RADIUS option. Specify a key that is between 8 and 63 alphanumeric characters in length. It is recommended that the preshared key be at least 20 characters long, and be a mix of letters and numbers. The double quote character (”) should not be used.


RADIUS: The V-M200 retrieves the key from the RADIUS server and uses it to generate the TKIP or AES/CCMP keys that are used to encrypt the wireless data stream. The key is dynamically generated by the RADIUS server each time the user logs in. Communication with the RADIUS server occurs via 802.1X using the EAP protocol specified by the user’s WPA client software.

When you select this option, a RADIUS profile is created with the same name as the wireless community. To customize the settings for this RADIUS profile, select Authentication > RADIUS profiles. See Using a third-party RADIUS server on page 7-2.

RADIUS server address: Specify the IP address of the RADIUS server.

Secret / Confirm secret: Specify the secret (password) that V-M200 will use when communicating with the RADIUS server. The shared secret is used to authenticate all packets exchanged with the server to prove that they originate from a valid/trusted source.

802.1X 802.1X provides for user authentication via a third-party RADIUS server. By default, user traffic is not encrypted. To enable encryption, you need to edit the wireless community (select Wireless > Communities) and enable WEP encryption for 802.1X.

RADIUS server address Specify the IP address of the RADIUS server. Secret/Confirm secret Specify the secret (password) that V-M200 will use when communicating with the RADIUS server. The shared secret is used to authenticate all packets exchanged with the server to prove that they originate from a valid/trusted source.


 WEP This is the least secure method of protecting wireless transmissions. WEP provides encryption only, no user authentication.

Note

WEP cannot be used when the radio operating mode supports 802.11n.

Key The number of characters you specify for the key determines the level of encryption.

For 40-bit encryption, specify 5 ASCII characters or 10 hexadecimal digits.



For 128-bit encryption, specify 13 ASCII characters or 26 hexadecimal digits.

When encryption is enabled, wireless stations that do not support encryption cannot communicate with the V-M200. The definition for each encryption key must be the same on the V-M200 and all client stations.

Key format Select the format used to specify the encryption key:

ASCII: ASCII keys are much weaker than carefully chosen HEX keys. You can include ASCII characters between 32 and 126, inclusive, in the key. However, note that not all client stations support non-alphanumeric characters such as spaces, punctuation, or special symbols in the key.

HEX: Your keys should only include the following characters: 0-9, a-f, A-F.
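The key and mode rules stated in the WPA and WEP sections above can be checked before a community is saved. The following Python sketch is an added example, not HP code; the function names and the finding strings are assumptions, while the limits and mode names are the ones given in this guide.

```python
import string

# Radio modes listed in this guide that support 802.11n.
N_MODES = {"802.11n (5 GHz)", "802.11n/a", "802.11n (2.4 GHz)",
           "802.11n/g", "802.11n/b/g"}
WPA_METHODS = {"WPA", "WPA2", "WPA or WPA2"}
ALNUM = set(string.ascii_letters + string.digits)


def check_psk(key):
    """Return findings for a WPA preshared key, per the guide's rules."""
    findings = []
    if not 8 <= len(key) <= 63:
        findings.append("error: preshared key must be 8 to 63 characters long")
    if '"' in key:
        findings.append("error: the double quote character should not be used")
    elif not set(key) <= ALNUM:
        findings.append("warn: the guide specifies alphanumeric characters")
    if len(key) < 20:
        findings.append("warn: at least 20 characters is recommended")
    if not (any(c.isalpha() for c in key) and any(c.isdigit() for c in key)):
        findings.append("warn: a mix of letters and numbers is recommended")
    return findings


def wep_key_bits(key, key_format):
    """Return 40 or 128 for a well-formed WEP key, else raise ValueError."""
    if key_format == "ASCII":
        if not all(32 <= ord(c) <= 126 for c in key):
            raise ValueError("ASCII keys may only use characters 32 to 126")
        sizes = {5: 40, 13: 128}
    elif key_format == "HEX":
        if not all(c in string.hexdigits for c in key):
            raise ValueError("HEX keys may only use 0-9, a-f, A-F")
        sizes = {10: 40, 26: 128}
    else:
        raise ValueError("key format must be ASCII or HEX")
    if len(key) not in sizes:
        wanted = " or ".join(str(n) for n in sorted(sizes))
        raise ValueError(f"{key_format} key must be {wanted} characters long")
    return sizes[len(key)]


def check_community(security, radio_mode, key, key_format="ASCII"):
    """Check one community's security method and key against the radio mode."""
    findings = []
    # The guide states the 802.11n restriction for WPA (TKIP) and WEP only.
    if security in ("WPA", "WEP") and radio_mode in N_MODES:
        findings.append(f"error: {security} cannot be used when the radio "
                        "mode supports 802.11n")
    if security in WPA_METHODS:
        if security == "WPA or WPA2":
            findings.append("warn: mixed mode is slightly less secure "
                            "than pure WPA2")
        findings += check_psk(key)
    elif security == "WEP":
        findings.append("warn: WEP is the least secure method")
        try:
            wep_key_bits(key, key_format)
        except ValueError as exc:
            findings.append(f"error: {exc}")
    else:
        raise ValueError(f"unknown security method: {security}")
    return findings


if __name__ == "__main__":
    # Constructed sample settings, not taken from a real device.
    samples = [
        ("WPA2", "802.11n (5 GHz)", "Correct8Horse4Battery2Staple", "ASCII"),
        ("WPA", "802.11n/g", "short1", "ASCII"),
        ("WEP", "802.11g", "0123456789", "HEX"),
    ]
    for sample in samples:
        print(sample[0], sample[1], check_community(*sample))
```
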

Prioritize wireless network traffic The quality of service (QoS) feature provides a number of different mechanisms to prioritize wireless traffic sent to wireless client stations. This is useful when you have defined multiple wireless communities and want to ensure a specific level of service for each one. For example, if you have two communities, one for employees and one for guests, you might want to make the employee traffic higher priority so that employee traffic is never delayed due to excessive guest traffic.

Priority mechanism For a complete description of all options, see Quality of service (QoS) on page 4-15.


Map wireless network to a VLAN Use this option to bind the wireless community to a specific VLAN on the Ethernet port. All traffic sent by the wireless community will be assigned to the VLAN you specify when it exits the Ethernet port. The VLAN is not used for wireless traffic. If you do not set a VLAN, traffic is sent untagged.

A VLAN can be assigned on a per-user basis by setting an attribute in the user's RADIUS account (when using RADIUS-based authentication). RADIUS assigned VLANs take precedence over those assigned to the wireless community. For example, if the community has an Ethernet VLAN of 10, and a user receives a VLAN of 20 via RADIUS, all traffic for this user exits the Ethernet port on VLAN 20. Traffic for other users exits on VLAN 10. See Working with VLANs on page 6-4 for information on using this feature.

 VLAN Select this checkbox to enable VLAN support.

 VLAN ID Specify the VLAN ID to assign to this community.


Chapter 3: Managing the V-M200

Contents

Management tool 3-2
Customizing management tool settings 3-2
SNMP 3-4
Configuring the SNMP agent 3-4
System time 3-4
Configuring the system time 3-5
Country 3-6

 


Management tool The V-M200 is configured and monitored via its Web-based management tool at address https://<V-M200-ip-address> where <V-M200-ip-address> is the IP address assigned to the V-M200. Use Microsoft Internet Explorer 7/8 or Firefox 3.x. For information on launching the management tool for the first time, see the HP V-M200 802.11n Access Point Quickstart.

Note

A security certificate warning is displayed the first time you connect to the management tool. This is normal. Select whatever option is needed in your Web browser to continue to the management tool. The security warning will not appear again unless you change the IP address of the V-M200.

Customizing management tool settings To customize management tool settings, select Management > Management tool.

About the manager and operator accounts Two types of administrator accounts are available: manager and operator.

The manager account provides full management tool rights.



The operator account provides read-only rights plus the ability to perform troubleshooting.


The management tool has an automatic inactivity logout timer that is set to five minutes. If a manager or operator is idle for five minutes, then they are automatically logged out.

Only one administrator (manager or operator) can be logged in at any given time. The following options control what happens when an administrator attempts to log in while another administrator (or the same administrator in a different session) is already logged in. In every case, the rights of a manager supersede those of an operator.

Manager settings

Terminates the current manager session: When enabled, an active manager or operator session will be terminated by the login of another manager. This prevents the management tool from being locked by an idle session until the inactivity logout timeout expires.

Is blocked until the current manager logs out: When enabled, access to the management tool is blocked until an existing manager logs out or is automatically logged out due to an idle session.

An operator session is always terminated if a manager logs in. An active operator session cannot block a manager from logging in.

Operator settings

Terminates the current operator session: When enabled, an active operator’s session will be terminated by the login of another operator. This prevents the management tool from being locked by an idle session until the inactivity logout timeout expires.

Is blocked until the current operator logs out: When enabled, access to the management tool is blocked until an existing operator logs out or is automatically logged out due to an idle session.

Operator access to the management tool is blocked if a manager is logged in. An active manager session cannot be terminated by the login of an operator.

An operator session is always terminated if a manager logs in. An active operator session cannot block a manager from logging in.

Passwords Passwords must be 6 to 16 printable ASCII characters in length, with at least 4 different characters. Passwords are case sensitive. Space characters and double quotes ( “ ) cannot be used.

Note

If you leave Username and Password fields blank and then select Save, no change is made to the current username and password.

Caution

If you forget the manager password, the only way to access the manager account is to reset the V-M200 to factory default settings. For information see Appendix B: Resetting to factory defaults on page B-1.


SNMP The V-M200 provides a robust SNMP v1/v2 implementation supporting both industry-standard MIB II objects as well as HP-specific MIBs.

Configuring the SNMP agent Select Management > SNMP to open the SNMP agent configuration page.

SNMP Use this checkbox to enable/disable the SNMP agent. By default, the SNMP agent is enabled. If you disable the agent, the V-M200 will not respond to SNMP requests.

Read-only community name This is the password that controls read-only access to SNMP information on the V-M200. A network management program must supply this name when attempting to get SNMP information from the V-M200. By default, the name is set to public.

System time Correct system time is important for proper operation of the V-M200, especially when using the logs to troubleshoot.


Configuring the system time Select Management > System time to open the System time page. This page enables you to configure time server and time zone information.

Set timezone Select the timezone for your area and enable support for daylight savings time if required. If the rules for daylight savings time are different in your area, click Customize DST Rule to make the appropriate changes.

Set date & time (manually) Use this option to manually set the system date and time.


Set date and time (time servers) (A working Internet connection is required to use this option.) Select this option to have the V-M200 periodically contact a network time server to update its internal clock. By default, the list contains pool.ntp.org, which is a large, virtual cluster of timeservers providing reliable NTP service. When multiple servers are defined, the V-M200 contacts the first server in the list. If the server does not reply, the V-M200 tries the next server, and so on.

Time server protocol Select the protocol that will be used to communicate with the time servers.

Country

Note

The country page is not available on V-M200s delivered with a fixed country setting.

The country of operation, also known as the regulatory domain, determines the availability of certain wireless settings on the V-M200. Once the country has been set, the V-M200 automatically limits the available wireless channels, channel width, and adjusts the radio power level in accordance with the regulations of the selected country. To configure country settings, select Management > Country.

Caution

Incorrectly selecting the country may result in illegal operation and may cause harmful interference to other systems. Please ensure that the V-M200 is operating in accordance with channel, power, indoor/outdoor restrictions, and license requirements for the intended country. If you fail to heed this caution, you may be held liable for violating the local regulatory compliance.

Note

In some regions, you are prompted to select the country of use during setup.

The currently selected country (regulatory domain) is displayed on the management tool home page.


Chapter 4: Working with wireless communities

Contents

Overview 4-2
Managing wireless communities 4-3
About the default wireless community 4-3
Wireless community configuration options 4-4
General 4-5
Wireless settings 4-5
Ethernet VLAN 4-7
Wireless protection 4-7
MAC-based authentication 4-12
MAC filtering 4-14
Wireless community data flow 4-15
Quality of service (QoS) 4-15
Upstream/downstream traffic marking 4-17

 


Overview The V-M200 allows you to create up to four wireless communities. Each wireless community defines the settings for a distinct wireless network, with its own network name (SSID), settings for wireless protection, user authentication, VLANs, quality of service, and more. For example, in the following scenario, four wireless communities are defined. Each wireless community is configured with a different wireless network name (SSID), and the priority of user traffic is set to different levels using the QoS feature.

[Figure: four wireless communities served by the V-M200, which connects to the company network (192.168.5.0) and its DHCP server. Wireless community 1: SSID = Employee, Security = WPA, Priority = Normal. Wireless community 2: SSID = Guest, Security = None, Priority = Low. Wireless community 3: SSID = Admin, Security = WPA, Priority = High. Wireless community 4: SSID = Phone, Security = None, Priority = Very High.]

Even though multiple wireless communities are in use, all wireless users are on the same network (192.168.5.0). This means that all wireless users can reach resources on the corporate network. However, communication between wireless users may or may not be possible depending on the configuration settings defined for each wireless community.


Managing wireless communities Wireless communities are managed on the Wireless communities page, which you open by selecting Wireless > Communities.

You can define up to four wireless communities. 

To edit an existing community, click its name in the list.



To add a new community, click Add New Wireless Community Profile.

In both cases, the Add/Edit Wireless Community page opens providing access to all configuration options. (See Wireless community configuration options on page 4-4 for details.)

About the default wireless community By default, a single wireless community is defined. It is named HP Networking, which is also its network name (SSID).

Caution

The default wireless community does not have any security or authentication options enabled. To protect the wireless network from malicious third-party wireless users, it is strongly recommended that you enable some form of wireless protection on the default wireless community.
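The factory defaults named in this guide (manager login admin/admin, SNMP read-only community public, and the unprotected HP Networking community) can be checked together with the password rules from the management tool section. The following Python sketch is an added example, not HP code; the settings dictionary layout and the function names are assumptions, since the V-M200 is configured through its Web-based management tool.

```python
# Defaults and password rules as stated in this guide.
DEFAULT_USER = "admin"
DEFAULT_PASSWORD = "admin"
DEFAULT_SNMP_COMMUNITY = "public"
DEFAULT_SSID = "HP Networking"


def password_problems(password):
    """Check a manager or operator password against the guide's rules."""
    problems = []
    if not 6 <= len(password) <= 16:
        problems.append("length must be 6 to 16 characters")
    if any(not 32 <= ord(c) <= 126 for c in password):
        problems.append("only printable ASCII characters are allowed")
    if " " in password or '"' in password:
        problems.append("space and double quote cannot be used")
    if len(set(password)) < 4:
        problems.append("needs at least 4 different characters")
    return problems


def audit(settings):
    """Return findings for settings still at, or weaker than, the defaults."""
    findings = []
    mgr = settings["manager"]
    if mgr["username"] == DEFAULT_USER and mgr["password"] == DEFAULT_PASSWORD:
        findings.append("manager account still uses the default admin/admin login")
    else:
        for problem in password_problems(mgr["password"]):
            findings.append(f"manager password: {problem}")
    snmp = settings["snmp"]
    if snmp["enabled"] and snmp["read_only_community"] == DEFAULT_SNMP_COMMUNITY:
        findings.append("SNMP agent is enabled with the default read-only "
                        "community name public")
    for community in settings["communities"]:
        if community["enabled"] and community["security"] is None:
            label = "default " if community["ssid"] == DEFAULT_SSID else ""
            findings.append(f"{label}wireless community '{community['ssid']}' "
                            "has no wireless protection enabled")
    return findings


# Constructed sample: a unit as shipped, per the defaults in this guide.
FACTORY = {
    "manager": {"username": "admin", "password": "admin"},
    "snmp": {"enabled": True, "read_only_community": "public"},
    "communities": [
        {"ssid": "HP Networking", "enabled": True, "security": None},
    ],
}

# Constructed sample: the same unit after the defaults were changed.
HARDENED = {
    "manager": {"username": "netops", "password": "Vm200-Mgr#7Lx"},
    "snmp": {"enabled": False, "read_only_community": "public"},
    "communities": [
        {"ssid": "Employee", "enabled": True, "security": "WPA2"},
    ],
}

if __name__ == "__main__":
    for name, cfg in (("factory", FACTORY), ("hardened", HARDENED)):
        print(name, audit(cfg))
```
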


Wireless community configuration options Wireless community settings are configured using the Add/Edit Wireless Community page. If you edit the default wireless community (HP Networking) you will see these settings.

  The following sections describe all wireless community configuration options and explain how they can be used.


General Controls general settings for the wireless community.

 

Wireless community Select this checkbox to enable the wireless community. Once enabled, wireless users can connect to the wireless network defined by the community.

Community name Define a name to identify the community on the V-M200.

Wireless settings Configures the wireless network created by the wireless community.

 

Network name (SSID) Specify a name to uniquely identify the wireless network associated with this wireless community. Each wireless user that wants to connect to this community must use this name. The name is case-sensitive.

Broadcast the network name This option controls whether the network name (SSID) is broadcast to all wireless users or not. 

When enabled, it means that the wireless network will be visible to wireless users when they scan the wireless neighborhood. Most wireless adapter cards have a setting that enables them to automatically discover APs that broadcast their names and automatically connect to the one with the strongest signal.



When disabled, it means that the network is not visible to scans and that wireless users must manually specify the network name (SSID) to successfully connect to the network.


Allow traffic between All/No wireless clients This option controls the exchange of traffic between wireless users. The following settings are available:

All: Wireless users connected to the same community can communicate with each other over the wireless network.

No: Wireless users cannot communicate with each other over the wireless network.

Communication between users on different wireless communities Communication between wireless users who are connected to different wireless communities can only occur if the users are assigned to the same VLAN. In addition, the following rules govern how traffic is exchanged: 

Unicast traffic exchanged between wireless communities is controlled by the setting of the receiving community.



Multicast traffic exchanged between wireless communities is always controlled by the setting of the sending community.

The following table summarizes all possible scenarios:

Sender | Receiver | Unicast traffic | Multicast traffic
All | All | Allowed | Allowed
All | No | Blocked | Allowed
No | All | Blocked | Blocked
No | No | Blocked | Blocked

For example, if two communities have the following settings, then all wireless users on both communities can communicate with each other.

Allow traffic between wireless clients set to All.
Ethernet VLAN set to the same value on both communities.

By assigning VLAN attributes on a per-user basis via RADIUS (VLAN assignment via RADIUS on page 6-5), you can enable communication between specific users only.

Priority mechanism
The quality of service (QoS) feature provides a number of different mechanisms to prioritize wireless traffic sent to wireless client stations. This is useful when you have defined multiple wireless communities and want to ensure a specific level of service for each one. For example, if you have two communities, one for employees and one for guests, you might want to make the employee traffic higher priority so that employee traffic is never delayed due to excessive guest traffic. See Quality of service (QoS) on page 4-15 for more information on using this feature.


Ethernet VLAN
Use this option to bind the wireless community to a specific VLAN on the Ethernet port. All traffic sent/received on the Ethernet port by the wireless community will be assigned to the VLAN you specify.

If you do not set a VLAN, traffic is sent untagged. However, a VLAN can still be assigned on a per-user basis by setting an attribute in the user's RADIUS account (when using RADIUS-based authentication). See Working with VLANs on page 6-4 for information on using this feature.

Wireless protection
The V-M200 provides several methods to protect wireless transmissions from eavesdropping and to safeguard network access from unauthorized users. To choose the method that best meets the needs of your network, refer to the sections that follow.

WPA
Wi-Fi Protected Access (WPA) is a security protocol that provides for both encryption of the wireless data stream (via TKIP or AES/CCMP) and authentication of wireless users using a third-party RADIUS server (via 802.1X/EAP). The WPA options you see change depending on the setting of Key source.

Key source set to PreShared Key


Key source set to RADIUS

Security method

WPA (TKIP): WPA with TKIP encryption. Original version of the standard. Still supported by many legacy clients.
WPA2 (AES/CCMP): WPA2 (802.11i) with AES/CCMP encryption. More secure than WPA (TKIP). If all your users have WPA2 client software, select this option for the maximum possible security.
WPA or WPA2: Mixed mode supports both WPA (version 1) and WPA2 (version 2) at the same time. Some legacy WPA clients may not work if this mode is selected. This mode is slightly less secure than using the WPA2 (AES/CCMP) mode.

Note

WPA (TKIP) cannot be used when the radio operating mode supports 802.11n.

Key source
This option determines how the WPA encryption keys are generated and whether 802.1X authentication is used.

PreShared Key: The V-M200 uses the key you specify in the Key field to generate the TKIP or AES/CCMP keys that are used to encrypt the wireless data stream. Since this is a static key, it is not as secure as the RADIUS option. Specify a key that is between 8 and 63 alphanumeric characters in length. It is recommended that the preshared key be at least 20 characters long, and be a mix of letters and numbers. The double quote character (") should not be used.


RADIUS: The V-M200 retrieves the key from the RADIUS server and uses it to generate the TKIP or AES/CCMP keys that are used to encrypt the wireless data stream. The key is dynamically generated by the RADIUS server each time the user logs in. Communication with the RADIUS server occurs via 802.1X using the EAP protocol specified by the user’s WPA client software. If you select the RADIUS option, you need to configure the following settings:

RADIUS profile: Select the RADIUS profile to use. The profile defines the settings that are used by the V-M200 to communicate with the RADIUS server. RADIUS profiles are defined by selecting Authentication > RADIUS profiles. For more information, see Using a third-party RADIUS server on page 7-2.
RADIUS accounting: Enable this option to have the V-M200 generate a RADIUS START/STOP and interim request for each user. The V-M200 respects the RADIUS interim-update-interval attribute if it is present inside the RADIUS access accept response for the authentication.
RADIUS accounting profile: Select the RADIUS profile to use for accounting requests. The profile defines the settings that are used by the V-M200 to communicate with the RADIUS server. RADIUS profiles are defined by selecting Authentication > RADIUS profiles. For more information, see Using a third-party RADIUS server on page 7-2.
Called-Station-ID content: Select the value that the V-M200 will return as the called station ID.
    Port 1: MAC address of the Ethernet port on the V-M200.
    Wireless radio: MAC address of the wireless port on the V-M200.
    BSSID: Basic service set ID of the wireless network defined by this community.
    MAC address:SSID: The MAC address of the V-M200 followed by a colon followed by the SSID of the wireless community to which the client station is connected.
Station ID delimiter: Select the one-character delimiter that will be used to format both the calling station ID and the called station ID attributes in RADIUS packets. By default, a dash (-) is used.
Station ID MAC case: Select the case applied to the station ID.
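The following Python sketch is an added example, not taken from the HP guide or from V-M200 firmware. It checks a candidate preshared key against the rules stated for the PreShared Key option and derives the 256-bit pairwise master key as WPA/WPA2-Personal defines it (PBKDF2-HMAC-SHA1 over the passphrase and SSID, 4096 iterations), which shows why this option yields one static key shared by every user of the community. Function names and sample values are constructed for illustration.

```python
import hashlib
import string

ALNUM = set(string.ascii_letters + string.digits)


def check_psk(psk):
    """Return findings for a candidate preshared key.

    An empty list means the key meets every rule and recommendation the
    guide gives for the PreShared Key option.
    """
    findings = []
    if not 8 <= len(psk) <= 63:
        findings.append("length must be between 8 and 63 characters")
    if '"' in psk:
        findings.append("double quote character should not be used")
    if any(c not in ALNUM for c in psk):
        findings.append("contains non-alphanumeric characters")
    if len(psk) < 20:
        findings.append("shorter than the recommended 20 characters")
    if not (any(c.isalpha() for c in psk) and any(c.isdigit() for c in psk)):
        findings.append("should mix letters and numbers")
    return findings


def derive_pmk(psk, ssid):
    """Derive the 32-byte pairwise master key for WPA/WPA2-Personal.

    The key depends only on the passphrase and the SSID, so it is the same
    for every client of the community until an administrator changes one
    of those two values.
    """
    return hashlib.pbkdf2_hmac(
        "sha1", psk.encode("utf-8"), ssid.encode("utf-8"), 4096, 32
    )


if __name__ == "__main__":
    # Constructed sample keys, not values from the guide.
    for candidate in ("password", "k3ep7his0ne2long4guessing"):
        print(candidate, "->", check_psk(candidate) or "ok")

    # The same passphrase gives a different key on a different SSID,
    # but an identical key for every user on the same SSID.
    print(derive_pmk("password", "IEEE").hex())
    print(derive_pmk("password", "HP Networking").hex())
```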


802.1X
802.1X enables you to authenticate wireless clients via user accounts stored on a third-party RADIUS server.

Caution

802.1X is purely a protocol for user authentication. Using 802.1X without enabling the WEP encryption option results in wireless traffic being unencrypted. Therefore, for security reasons, use of 802.1X without enabling WEP encryption is not recommended.

Supported 802.1X protocols
The following EAP protocols are supported by the V-M200. Other EAP protocols may also work, but have not been tested. The 802.1X protocol that is used is always determined by the configuration of the user’s 802.1X client software and is not configured on the V-M200.

EAP-MD5: Extensible Authentication Protocol Message Digest 5. Offers minimum security. Not recommended.
EAP-TLS: Extensible Authentication Protocol Transport Layer Security. Provides strong security based on mutual authentication. Requires both client and server-side certificates.
EAP-TTLS: Extensible Authentication Protocol Tunnelled Transport Layer Security. Provides excellent security with less overhead than TLS, as client-side certificates can be used, but are not required.
PEAPv0: Protected Extensible Authentication Protocol. One of the most supported implementations across all client platforms. Uses MSCHAPv2 as the inner protocol.
PEAPv1: Protected Extensible Authentication Protocol. Alternative to PEAPv0 that permits other inner protocols to be used.
EAP-FAST: Extensible Authentication Protocol Flexible Authentication via Secure Tunneling. Can use a pre-shared key instead of server-side certificate.

For more detailed information, see the appropriate Internet Engineering Task Force (IETF) Request for Comments (RFC) for each protocol.


802.1X settings
If you select the 802.1X option, the following settings are configurable:

RADIUS profile: Select the RADIUS profile to use. The profile defines the settings that are used by the V-M200 to communicate with the RADIUS server. RADIUS profiles are defined by selecting Authentication > RADIUS profiles. For more information, see Using a third-party RADIUS server on page 7-2.
RADIUS accounting: Enable this option to have the V-M200 generate a RADIUS START/STOP and interim request for each user. The V-M200 respects the RADIUS interim-update-interval attribute if it is present inside the RADIUS access accept response for the authentication.
RADIUS accounting profile: Select the RADIUS profile to use for accounting requests. The profile defines the settings that are used by the V-M200 to communicate with the RADIUS server. RADIUS profiles are defined by selecting Authentication > RADIUS profiles. For more information, see Using a third-party RADIUS server on page 7-2.
WEP encryption: Enable the use of dynamic WEP keys for all 802.1X sessions. Dynamic key rotation occurs on key 1, which is the broadcast key. Key 0 is the pair-wise key. It is automatically generated by the V-M200. To configure the key change interval, select Authentication > 802.1X.
Called-Station-ID content: Select the value that the V-M200 will return as the called station ID.
    Port 1: MAC address of the Ethernet port on the V-M200.
    Wireless radio: MAC address of the wireless port on the V-M200.
    BSSID: Basic service set ID of the wireless network defined by this community.
    MAC address:SSID: The MAC address of the V-M200 followed by a colon followed by the SSID of the wireless community to which the client station is connected.
Station ID delimiter: Select the one-character delimiter that will be used to format both the calling station ID and the called station ID attributes in RADIUS packets. By default, a dash (-) is used.
Station ID MAC case: Select the case applied to the station ID.

Note

Global settings for 802.1X are configured by selecting Authentication > 802.1X. See Global 802.1X settings on page 7-11.


WEP
WEP enables you to encrypt wireless transmissions, but does not provide for user authentication. WEP is not as secure as WPA.

Note

WEP cannot be used when the radio operating mode supports 802.11n.

Key
The number of characters you specify for the key determines the level of encryption.

For 40-bit encryption, specify 5 ASCII characters or 10 HEX digits.
For 128-bit encryption, specify 13 ASCII characters or 26 HEX digits.

Key format
Select the format used to specify the encryption key. The definition for the encryption key must be the same on the V-M200 and all client stations.

ASCII: ASCII keys are much weaker than carefully chosen HEX keys. You can include ASCII characters between 32 and 126, inclusive, in the key. However, note that not all client stations support non-alphanumeric characters such as spaces, punctuation, or special symbols in the key.
HEX: Your keys should only include the following characters: 0-9, a-f, A-F.

MAC-based authentication
This feature enables you to authenticate wireless users based on the MAC address of their wireless device. Authentication occurs via a third-party RADIUS server.


Note

When both this option and the MAC filtering option are enabled, MAC filtering occurs first.
MAC-based authentication cannot be enabled if Wireless protection is set to WPA/WPA2 with RADIUS.

To successfully authenticate a user, an account must be created on the RADIUS server with both username and password set to the MAC address of the user’s wireless device. The MAC address sent by the V-M200 (in the RADIUS REQUEST packet) for both username and password is 12 hexadecimal numbers, with the values “a” to “f” in lowercase. For example, 0003520a0f01.

The RADIUS server will reply to the REQUEST with either an ACCEPT or REJECT RADIUS RESPONSE packet. In the case of an ACCEPT, the RADIUS server can return the session-timeout RADIUS attribute (if configured for the account). This attribute indicates the amount of time, in seconds, that the authentication is valid for. When this period expires, the V-M200 will re-authenticate the user.

MAC-based authentication
Select this checkbox to enable MAC-based authentication.

RADIUS profile
Select the RADIUS profile to use for authentication. The profile defines the settings that are used by the V-M200 to communicate with the RADIUS server. RADIUS profiles are defined by selecting Authentication > RADIUS profiles. For more information, see Using a third-party RADIUS server on page 7-2.

RADIUS accounting
Enable this option to have the V-M200 generate a RADIUS START/STOP and interim request for each user. The V-M200 respects the RADIUS interim-update-interval attribute if it is present inside the RADIUS access accept response for the authentication.

RADIUS accounting profile
Select the RADIUS profile to use for accounting. The profile defines the settings that are used by the V-M200 to communicate with the RADIUS server. RADIUS profiles are defined by selecting Authentication > RADIUS profiles. For more information, see Using a third-party RADIUS server on page 7-2.

Station ID delimiter
Select the one-character delimiter that will be used to format both the calling station ID and the called station ID attributes in RADIUS packets. By default, a colon (:) is used.

Station ID MAC case
Select the case applied to the station ID.


Called-Station-ID Content
Select the value that the V-M200 will return as the called station ID.

Port 1: MAC address of the Ethernet port on the V-M200.
Wireless Radio: MAC address of the wireless port on the V-M200.
BSSID: Basic service set ID of the wireless network defined by this community.
MAC address:SSID: The MAC address of the V-M200 followed by a colon followed by the SSID of the wireless community to which the client station is connected.

MAC filtering
This feature enables you to control access to the wireless network based on the MAC address of a user’s wireless device. You can either block access or allow access, depending on your requirements.

Note

MAC filtering occurs before any other authentication method.

MAC filter
Select this checkbox to enable the MAC filter.

Filter mode

Allow: Only users whose MAC addresses appear in the MAC address list can connect to the wireless network created by this community.
Block: Users whose MAC addresses appear in the MAC address list are blocked from accessing the wireless network created by this community.

Address list
List of defined MAC addresses. Up to 64 MAC addresses are supported. To delete an address, select it in the list and click Delete.

MAC address
To add a MAC address, specify six pairs of hexadecimal digits separated by colons and click Add. For example: 00:00:00:0a:0f:01.


Wireless community data flow
The following diagram illustrates the order in which the wireless community features act upon incoming data from a wireless user.

[Diagram: Wireless community 1. Wireless user, SSID, MAC filtering (Allowed/Blocked), MAC-based authentication (Allowed/Refused), Wireless protection (Allowed/Refused), Priority, Ethernet VLAN, Ethernet port. Blocked and Refused lead to "User connection refused".]

For a detailed description of each feature, see Wireless community configuration options on page 4-4.
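The first two stages of this data flow can be modelled in a few lines. The Python below is an added example, not HP code: it normalises a MAC address to the 12-digit lowercase form the guide says the V-M200 sends as RADIUS username and password, formats station IDs with a chosen delimiter and case, and applies MAC filtering before MAC-based authentication. The `radius_accounts` dictionary is a hypothetical stand-in for a third-party RADIUS server that compares credentials exactly, and all addresses are constructed samples.

```python
import re

MAX_FILTER_ENTRIES = 64  # the guide supports up to 64 addresses per list


def mac_to_hex(mac):
    """Normalise a MAC written with ':', '-', '.' or no separators to
    12 lowercase hexadecimal digits."""
    digits = re.sub(r"[:.\-]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.lower()


def radius_credentials(mac):
    """Username and password sent for MAC-based authentication."""
    value = mac_to_hex(mac)
    return value, value


def station_id(mac, delimiter="-", upper=False, ssid=None):
    """Format a calling/called station ID; with ssid set, produce the
    'MAC address:SSID' form of Called-Station-ID."""
    if len(delimiter) != 1:
        raise ValueError("delimiter must be a single character")
    value = mac_to_hex(mac)
    if upper:
        value = value.upper()
    formatted = delimiter.join(value[i:i + 2] for i in range(0, 12, 2))
    return f"{formatted}:{ssid}" if ssid is not None else formatted


def filter_allows(mac, mode, address_list):
    """Apply the MAC filter. mode is 'allow' or 'block'."""
    if mode not in ("allow", "block"):
        raise ValueError("mode must be 'allow' or 'block'")
    if len(address_list) > MAX_FILTER_ENTRIES:
        raise ValueError("address list holds more than 64 entries")
    listed = mac_to_hex(mac) in {mac_to_hex(a) for a in address_list}
    return listed if mode == "allow" else not listed


def admit(mac, filter_mode, address_list, radius_accounts):
    """Run MAC filtering, then MAC-based authentication.

    Returns (admitted, stage): the stage that refused the user, or the
    next stage in the data flow when both checks pass. filter_mode None
    means the MAC filter checkbox is not selected.
    """
    if filter_mode is not None and not filter_allows(mac, filter_mode, address_list):
        return False, "MAC filtering"
    username, password = radius_credentials(mac)
    # Assumption: the RADIUS server matches username and password exactly,
    # so an account stored in uppercase never matches.
    if radius_accounts.get(username) != password:
        return False, "MAC-based authentication"
    return True, "wireless protection"


if __name__ == "__main__":
    accounts = {  # constructed accounts; the second one is stored in uppercase
        "0003520a0f01": "0003520a0f01",
        "0003520A0F02": "0003520A0F02",
    }
    print(admit("00:03:52:0A:0F:01", "allow", ["00:03:52:0a:0f:01"], accounts))
    print(admit("00:03:52:0a:0f:02", None, [], accounts))
    print(station_id("0003520a0f01", ":", ssid="HP Networking"))
```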

Quality of service (QoS)
The QoS feature defines four traffic queues based on the Wi-Fi Multimedia (WMM) access categories. In order of priority, these queues are:

Queue | WMM access category | Typically used for
1 | AC_VO | Voice traffic
2 | AC_VI | Video traffic
3 | AC_BE | Best effort data traffic
4 | AC_BK | Background data traffic

Outgoing wireless traffic on a wireless community is assigned to a queue based on the selected priority mechanism. Traffic delivery is based on strict priority (per the WMM standard). Therefore, if excessive traffic is present on queues 1 or 2, it will reduce the flow of traffic on queues 3 and 4.

To see how traffic is marked based on QoS settings, see Upstream/downstream traffic marking on page 4-17.

Regardless of the priority mechanism that is selected, traffic that cannot be classified by a priority mechanism is assigned to queue 3.

Priority mechanisms are used to classify wireless community traffic and assign it to the appropriate queue. The following mechanisms are available:


802.1p
This mechanism classifies traffic based on the value of the VLAN priority field present within the VLAN header.

Queue | 802.1p (VLAN priority field value)
1 | 6, 7
2 | 4, 5
3 | 0, 3
4 | 1, 2

Community Based priority
This mechanism enables you to assign a single priority level to all traffic on a wireless community. If you enable the community based priority mechanism, it takes precedence regardless of the priority mechanism supported by associated client stations. For example, if you set Community Based Low priority, then all clients connected to this community have their traffic set at low priority.

Queue | Community Based priority value
1 | Community Based Very-high
2 | Community Based High
3 | Community Based Normal
4 | Community Based Low

Diffserv (Differentiated Services)
This mechanism classifies traffic based on the value of the Differentiated Services (DS) codepoint field in IPv4 and IPv6 packet headers (as defined in RFC2474). The codepoint is composed of the six most significant bits of the DS field.

Queue | DiffServ (DS codepoint value)
1 | 111000 (Network control), 110000 (Internetwork control)
2 | 101000 (Critical), 100000 (Flash override)
3 | 011000 (Flash), 000100 (Routine)
4 | 010000 (Immediate), 001000 (Priority)
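The three priority mechanisms can be compared on the same frame. The Python below is an added example, not HP code: it reads the 802.1p priority from an 802.1Q tag and the DS codepoint from an IPv4 or IPv6 header, then maps them to a queue using the tables above. Treating a codepoint that is absent from the DiffServ table as unclassifiable (queue 3) is an assumption, and the frames are constructed samples.

```python
import struct

DEFAULT_QUEUE = 3  # traffic that cannot be classified goes to queue 3
DOT1P_QUEUE = {6: 1, 7: 1, 4: 2, 5: 2, 0: 3, 3: 3, 1: 4, 2: 4}
DSCP_QUEUE = {0b111000: 1, 0b110000: 1, 0b101000: 2, 0b100000: 2,
              0b011000: 3, 0b000100: 3, 0b010000: 4, 0b001000: 4}
COMMUNITY_QUEUE = {"Very-high": 1, "High": 2, "Normal": 3, "Low": 4}


def build_frame(pcp=None, dscp=0, ipv6=False, vlan_id=10):
    """Constructed sample frame: zeroed MAC addresses, optional 802.1Q
    tag, and a minimal IPv4 or IPv6 header carrying the DS codepoint."""
    frame = bytes(12)
    if pcp is not None:
        frame += struct.pack("!HH", 0x8100, (pcp << 13) | vlan_id)
    if ipv6:
        # version (4 bits) | traffic class (8 bits) | flow label (20 bits)
        frame += struct.pack("!HI", 0x86DD, (6 << 28) | (dscp << 22)) + bytes(36)
    else:
        frame += struct.pack("!HBB", 0x0800, 0x45, dscp << 2) + bytes(18)
    return frame


def parse_markings(frame):
    """Return (pcp, dscp); each is None when the frame does not carry it."""
    if len(frame) < 14:
        return None, None
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    offset, pcp = 14, None
    if ethertype == 0x8100 and len(frame) >= 18:
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        pcp, offset = tci >> 13, 18  # priority is the top 3 bits of the TCI
    dscp = None
    if len(frame) >= offset + 2:
        if ethertype == 0x0800:
            dscp = frame[offset + 1] >> 2  # six most significant bits of DS field
        elif ethertype == 0x86DD:
            traffic_class = ((frame[offset] & 0x0F) << 4) | (frame[offset + 1] >> 4)
            dscp = traffic_class >> 2
    return pcp, dscp


def classify(frame, mechanism, community_priority=None):
    """Return the queue (1-4) for a frame under the given mechanism."""
    pcp, dscp = parse_markings(frame)
    if mechanism == "community":
        # Takes precedence over whatever markings the frame carries.
        return COMMUNITY_QUEUE[community_priority]
    if mechanism == "802.1p":
        return DOT1P_QUEUE.get(pcp, DEFAULT_QUEUE)
    if mechanism == "diffserv":
        return DSCP_QUEUE.get(dscp, DEFAULT_QUEUE)
    raise ValueError(f"unknown mechanism: {mechanism!r}")


if __name__ == "__main__":
    marked = build_frame(pcp=7, dscp=0b111000)
    for mechanism, priority in (("802.1p", None), ("diffserv", None), ("community", "Low")):
        print(mechanism, "->", classify(marked, mechanism, priority))
```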


Upstream/downstream traffic marking
Depending on the priority mechanism that is active, upstream and downstream traffic is marked as described in this section.

Upstream traffic marking
This table describes the marking applied to wireless traffic sent by connected client stations to the V-M200 and then forwarded onto the wired network (via the Ethernet port) by the V-M200.

Mechanism | INCOMING TRAFFIC: Wireless traffic sent from wireless client stations to the V-M200 | OUTGOING TRAFFIC: Traffic sent by the V-M200 to the wired network (L2 marking)
802.1p | WMM | 802.1p (requires an Ethernet VLAN to be defined on the wireless community).
Community Based | WMM, Non-WMM | If an egress VLAN is defined for the wireless community, then 802.1p and IP DSCP are set to reflect the Community Based priority setting. If no egress VLAN is defined for the wireless community, then the 802.1p header is not added, and only IP DSCP is set to reflect the Community Based priority setting.
DiffServ | DiffServ | None

Downstream traffic marking
This table describes the marking applied to traffic received from the wired network (via the Ethernet port) by the V-M200 and then sent to connected wireless client stations.

Mechanism | INCOMING TRAFFIC: Traffic received from the wired network | OUTGOING TRAFFIC: Wireless traffic sent from the V-M200 to wireless client stations (WMM Client) | OUTGOING TRAFFIC (Non-WMM Client)
802.1p | 802.1p | WMM + HPQ (WMM marking done according to the rules for the mechanism.) | HPQ (hardware priority queueing)
Community Based | All traffic on the community | WMM + HPQ (WMM marking done according to the rules for the mechanism.) | HPQ (hardware priority queueing)
DiffServ | DiffServ | WMM + HPQ (WMM marking done according to the rules for the mechanism.) | HPQ (hardware priority queueing)

Although the WMM specification refers to 802.1D and not 802.1p, this guide uses the term 802.1p because it is more widely recognized. (The updated IEEE 802.1D: ISO/IEC 15802-3 (MAC Bridges) standard covers all parts of the Traffic Class Expediting and Dynamic Multicast Filtering described in the IEEE 802.1p standard.)


Chapter 5: Wireless configuration

Contents

Wireless coverage
  Factors limiting wireless coverage
  Configuring overlapping wireless cells
802.11n best practices
  Supporting legacy wireless clients
  Channel width
Radio configuration
  Radio
  Regulatory domain
  Operating mode
  Wireless mode
  Channel width
  Channel
Detecting rogue APs
  Scanning modes
  Viewing scan results
  Scanning for rogue APs
  Creating a list of authorized access points
Viewing wireless information
  Viewing all connected wireless clients
  Viewing wireless statistics for the radio
  Viewing throughput for wireless clients

 

Wireless configuration Wireless coverage

Wireless coverage
As a starting point for planning your network, you can assume that when operating at high power, the V-M200 radio provides a wireless networking area (also called a wireless cell) of up to 300 feet (100 meters) in diameter. Before creating a permanent installation, you should always perform a site survey to determine the optimal settings and location for the V-M200.

The following sections provide information on wireless coverage. A tool that can help simplify planning a secure wireless network is the HP RF Planner. For more information, see the RF Planner Admin Guide.

Factors limiting wireless coverage
Wireless coverage is affected by the factors discussed in this section.

Interference
Interference is caused by other APs or devices that operate in the same frequency band as the V-M200 and can substantially affect throughput. Several tools are available to diagnose interference problems as they occur.

Select Wireless > Rogue AP detection to view detailed information about all wireless APs operating in the immediate area so that you can effectively set the operating frequencies. This feature also makes it easy for you to find rogue APs. See Detecting rogue APs on page 5-13.
Select Status > Wireless to view detailed information about packets sent and received, transmission errors, and other low-level events.
Select Status > Client data rate matrix to view information about data rates for all connected client stations. This makes it easy to determine if low-speed clients are affecting network performance.

Caution

APs that operate in the 2.4 GHz band may experience interference from 2.4 GHz cordless phones and microwave ovens.

Physical characteristics of the location
To maximize coverage of a wireless cell, the V-M200s are best installed in an open area with as few obstructions as possible. Try to choose a location that is central to the area being served.

Radio waves cannot penetrate metal; they are reflected instead. The V-M200 can transmit through wood or plaster walls and closed windows. However, the steel reinforcing found in concrete walls and floors may block transmissions or reduce signal quality by creating reflections. This can make it difficult or impossible for a single V-M200 to serve users on different floors in a concrete building. Such installations require a separate V-M200 on each floor.


Configuring overlapping wireless cells
When the radio is operating in the 2.4 GHz band, overlapping wireless cells occur when two or more APs are within transmission range of each other. This may be under your control (for example, when you use several cells to cover a large location), or out of your control (for example, when your neighbors set up their own wireless networks). In either case, the problems you face are similar.

Note

Overlapping channels do not occur when the radio is operating in the 5 GHz band. All 5 GHz channels are non-overlapping.

Performance degradation and channel separation
When two wireless cells operating on the same frequency overlap, throughput can be reduced in both cells. Reduced throughput occurs because a wireless user that is attempting to transmit data defers (delays) transmission if another station is transmitting. In a network with many users and much traffic, these delayed transmissions can severely affect performance, because wireless users may defer several times before the channel becomes available. If a wireless user is forced to delay transmission too many times, data can be lost.

Delays and lost transmissions can severely reduce throughput on a network. To view this information about your network, select Status > Wireless. For recommendations on using this information to diagnose wireless problems, see the online help for this page.

The following example shows two overlapping wireless cells operating on the same frequency. Since both APs are within range of each other, the number of deferred transmissions can be large.

[Figure: two overlapping cells, each with one AP. Cell 1, Channel = 1; Cell 2, Channel = 1.]


The solution to this problem is to set the two networks to different channels with as great a separation as possible in their operating frequencies. This reduces crosstalk and enables client stations connected to each V-M200 to transmit at the same time.

[Figure: two overlapping cells, each with one AP. Cell 1, Channel = 1; Cell 2, Channel = 6.]

Selecting channels
For optimal performance when operating in the 2.4 GHz band, select an operating frequency that is different by at least 25 MHz from the frequency used by other wireless APs that operate in neighboring cells.

Two channels with the minimum 25 MHz frequency separation always perform worse than two channels that use maximum separation. It is always best to use the greatest separation possible between overlapping networks.

With the proliferation of wireless networks, it is very possible that the wireless cells of APs outside your control overlap your intended area of coverage. To choose the best operating frequency, select Wireless > Rogue AP detection to generate a list of all APs that operate near you and their operating frequencies.

The set of available channels is automatically determined based on the Country setting you define by selecting Management > Country. This means that the number of non-overlapping channels available to you varies by geographical location, which affects how you set up your multi-cell network.


Sample channel selections

For example, when operating in 802.11b mode, the V-M200 supports the following 14 channels in the 2.4 GHz band.

Channel   Frequency (MHz)     Channel   Frequency (MHz)
1         2412                8         2447
2         2417                9         2452
3         2422                10        2457
4         2427                11        2462
5         2432                12        2467
6         2437                13        2472
7         2442                14        2477

However, the number of channels available for use in a particular country is determined by the regulations defined by the local governing body. The following table shows the number of channels that are available in North America and Europe.

Region            Available channels
North America     1 to 11
Europe            1 to 13

Since the minimum recommended separation between overlapping channels is 25 MHz (five cells), the recommended maximum number of overlapping cells you can have in most regions is three. The following table gives examples relevant to North America and Europe for channels in the 2.4 GHz band.

North America             Europe
cell 1 on channel 1       cell 1 on channel 1
cell 2 on channel 6       cell 2 on channel 7
cell 3 on channel 11      cell 3 on channel 13
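The channel rules above can be checked mechanically. The following Python example is added here and is not part of the HP guide; it uses the guide's channel table, regional channel ranges and 25 MHz minimum, while the function names and the neighbour channel lists are assumptions.

```python
# Added example (not from the HP guide): apply the guide's 25 MHz rule to
# 2.4 GHz channel selection. Function names and sample inputs are assumptions.

# Channels available per region, from the guide's table.
REGION_CHANNELS = {
    "North America": list(range(1, 12)),  # 1 to 11
    "Europe": list(range(1, 14)),         # 1 to 13
}
CHANNEL_SPACING_MHZ = 5    # channels 1-13 in the frequency table are 5 MHz apart
MIN_SEPARATION_MHZ = 25    # minimum recommended separation between neighbouring cells


def frequency_mhz(channel):
    """Operating frequency for channels 1-13, matching the guide's table."""
    if not 1 <= channel <= 13:
        raise ValueError(f"channel {channel} is outside 1-13")
    return 2412 + CHANNEL_SPACING_MHZ * (channel - 1)


def separation_mhz(a, b):
    """Frequency separation between two channels."""
    return abs(frequency_mhz(a) - frequency_mhz(b))


def max_cells(region):
    """Largest number of overlapping cells that keeps every pair >= 25 MHz apart."""
    channels = REGION_CHANNELS[region]
    span = separation_mhz(channels[0], channels[-1])
    return span // MIN_SEPARATION_MHZ + 1


def plan_cells(region, n_cells):
    """Spread n_cells over the region's channels with the greatest separation."""
    if n_cells < 1:
        raise ValueError("n_cells must be at least 1")
    if n_cells > max_cells(region):
        raise ValueError(
            f"{n_cells} overlapping cells cannot all be {MIN_SEPARATION_MHZ} MHz apart"
        )
    channels = REGION_CHANNELS[region]
    first, last = channels[0], channels[-1]
    if n_cells == 1:
        return [first]
    return [first + (i * (last - first)) // (n_cells - 1) for i in range(n_cells)]


def best_channel(region, neighbour_channels):
    """Pick the channel farthest (in MHz) from every AP seen nearby.

    neighbour_channels: channels (1-13) reported for nearby APs, for example
    on the Wireless > Rogue AP detection page.
    Returns (channel, separation_mhz, meets_minimum); separation_mhz is None
    when no neighbouring AP was seen.
    """
    channels = REGION_CHANNELS[region]
    if not neighbour_channels:
        return channels[0], None, True

    def nearest(ch):
        return min(separation_mhz(ch, n) for n in neighbour_channels)

    # Greatest separation wins; ties go to the lowest channel number.
    best = max(channels, key=lambda ch: (nearest(ch), -ch))
    return best, nearest(best), nearest(best) >= MIN_SEPARATION_MHZ


if __name__ == "__main__":
    for region in REGION_CHANNELS:
        print(region, "->", plan_cells(region, max_cells(region)))
    # Constructed neighbour lists: one AP on channel 1, then a crowded band.
    print(best_channel("North America", [1]))
    print(best_channel("Europe", [1, 6, 11]))
```

When every candidate channel is closer than 25 MHz to some neighbour, `best_channel` still returns the least-bad choice and sets the third element to `False`, which is the case where deferred transmissions should be expected.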


In North America, you can reduce transmission delays by using different operating frequencies as shown in the following figure.

[Figure: three cells, each with one AP, on Channel = 1, Channel = 6, and Channel = 11.]

Alternatively, you can stagger cells to reduce overlap and increase channel separation as shown in the following figure.

[Figure: four staggered cells, each with one AP. Cell 1 Channel = 1; Cell 2 Channel = 6; Cell 3 Channel = 11; Cell 4 Channel = 1.]


Wireless configuration 802.11n best practices

This strategy can be expanded to cover an even larger area using three channels as shown in the following figure.

[Figure: eight cells, each with one AP. Cell 1 Channel = 1; Cell 2 Channel = 6; Cell 3 Channel = 11; Cell 4 Channel = 1; Cell 5 Channel = 11; Cell 6 Channel = 1; Cell 7 Channel = 6; Cell 8 Channel = 11.]

802.11n best practices

This section provides recommendations on how to best use 802.11n wireless technology, especially when legacy (a/b/g) clients must also be supported.

Supporting legacy wireless clients

The 802.11n standard is very similar to the 802.11g standard, in that both provide mechanisms to support older wireless standards. In the case of 802.11g, protection mechanisms were created to allow 802.11b and 802.11g wireless devices to co-exist on the same frequencies. The data rates of 802.11g (6, 9, 12, 18, 24, 36, 48 and 54 Mbps) are transmitted using Orthogonal Frequency Division Multiplexing (OFDM) modulation, while the data rates of 802.11b are transmitted using Direct Sequence Spread Spectrum (DSSS) modulation. Since older 802.11b-only clients cannot detect OFDM transmissions, 802.11g clients must “protect” their transmissions by first sending a frame using DSSS modulation. This frame (usually a CTS-to-self or RTS/CTS exchange) alerts 802.11b clients to not attempt to transmit for a specified period of time.


If protection is not used, 802.11b clients may transmit a frame while an 802.11g frame is already being sent. This leads to a collision and both devices need to re-transmit. If there are enough devices in the network, the collision rate will grow exponentially and prevent any useful throughput from the wireless network.

802.11n clients face the same problem as described for 802.11g clients. Legacy a/b/g clients cannot detect the High Throughput (HT) rates that 802.11n uses. So to avoid causing excessive collisions, 802.11n clients must use the same protection mechanisms when a legacy client is present. Even the most efficient protection mechanism (CTS-to-self) causes a substantial decline in throughput; performance can decline by as much as 50 percent. The 802.11n clients can achieve maximum data rates only when the legacy clients are not present.

Available 802.11n modes

Supported wireless modes are determined by the regulatory domain. Available options may include one or more of the following:

• 802.11n (5 GHz): (Pure 802.11n) Up to 300 Mbps in the 802.11n 5 GHz frequency band.
• 802.11n/a: (Compatibility mode.) Up to 270 Mbps for 802.11n and 54 Mbps for 802.11a in the 5 GHz frequency band.
• 802.11n (2.4 GHz): (Pure 802.11n) Up to 144.4 Mbps in the 802.11n 2.4 GHz frequency band.
• 802.11n/g: (Compatibility mode.) Up to 130 Mbps for 802.11n and 54 Mbps for 802.11g in the 2.4 GHz frequency band. Only use this setting when support for 802.11g is necessary.
• 802.11n/b/g: (Compatibility mode.) Up to 130 Mbps for 802.11n, 54 Mbps for 802.11g, and 11 Mbps for 802.11b in the 2.4 GHz frequency band. Only use this setting when support for 802.11b is necessary.

Note: The V-M200 radio can also be set to legacy a/b/g values with no 802.11n support.

802.11n (5 GHz) and 802.11n (2.4 GHz)

HP refers to these two modes as Pure-N. When the V-M200 radio is in either of these modes, it will not allow non-802.11n clients to associate. Legacy clients can see the V-M200, and may attempt to associate, but they will be rejected. The V-M200 makes this determination based on the supported rate set that the client presents during its association request. If the client’s rate does not match the 802.11n rate, it is not allowed to associate.

In these modes, the V-M200 will not use protection when sending HT frames to associated clients. If legacy V-M200s or clients are using the same channel, this may lead to collisions. In the 5 GHz band, this will probably not be a common problem since the band isn’t heavily used. However, in the 2.4 GHz band, this mode may cause serious performance deterioration for everyone on the channel (both the 802.11b/g and 802.11n clients).

The V-M200 will still signal associated clients to use protection when they send data. The V-M200 does this via a field in the beacons that it sends. So clients sending data to the V-M200 will use protection, but data sent from the V-M200 will not be protected.


Note

Note that some people may refer to this mode as Greenfield, which is not correct. Greenfield is an 802.11n-specific preamble. The V-M200 does not support this preamble and therefore does not support Greenfield mode. The Pure-N modes can be used when there is no legacy wireless traffic present in or around the premises on the channels that will be used. All client devices must support 802.11n.

802.11n/a, 802.11n/b/g

These modes are referred to as compatibility modes. 802.11n/a, which supports 802.11n and 802.11a clients in the 5 GHz spectrum, is the default mode of the V-M200 radio. 802.11n/b/g supports 802.11n and 802.11b/g clients in the 2.4 GHz spectrum. In either of these modes, the V-M200 allows both 802.11n and legacy clients to associate. The V-M200 advertises protection in the beacon when legacy clients are associated or operating on the same channel. This alerts the associated 802.11n clients to use protection when transmitting. The V-M200 also uses protection when necessary while sending HT data.

When to use these modes: these compatibility modes should be used when legacy clients are present in the network. HP recommends 802.11n/a or 802.11n/b/g as the typical operating mode. Both modes allow for all wireless clients to connect and they use protection to avoid causing interference.

802.11n/g

This mode is the same as 802.11n/b/g except that 802.11b clients are prevented from associating. The V-M200 does not advertise 1, 2, 5.5 and 11 Mbps as supported rates in its beacons or Probe-Responses. The V-M200 does not tell 802.11g clients to use protection, and this can cause collisions with any 802.11b clients present on the same channel.

When to use this mode: this mode should only be used in special cases where 802.11b clients are causing problems in the network.

Channel width

When operating in the 5 GHz band, the V-M200 enables you to use the standard channel width of 20 MHz or a double width of 40 MHz. 40 MHz widths are achieved by using two adjacent channels to send data simultaneously. The advantage of using a 40 MHz width channel is that the available bandwidth is doubled, leading to much higher throughput.

When operating in the 2.4 GHz band, a channel width of 20 MHz is automatically selected and cannot be changed. When operating in the 5 GHz band, the Auto 20/40 MHz option should be used as the channel width.

When a channel width of 20 MHz is used, channel usage is the same as in legacy mode. In the 2.4 GHz band, channels 1, 6, and 11 can be used without overlapping. In the 5 GHz band, each channel is separate, with no overlapping.


Wireless configuration Radio configuration

When Auto 20/40 MHz is selected, the V-M200 radio uses a 40 MHz channel width. However, both 20 and 40 MHz clients can associate. The channel selected on the radio page is the primary channel and the secondary (or extension) channel is located adjacent to it. The secondary channel is either above or below depending on which channel was selected as the primary. In the 5 GHz band, the channels are paired: 36 and 40 are always used together, 44 and 48 are always used together, etc.

Radio configuration

To define configuration settings for the V-M200 radio, select Wireless > Radio to open the Radio configuration page.

Radio

Select this checkbox to activate the radio.

Regulatory domain

Note: This option is not available on V-M200s delivered with a fixed country setting.

Indicates the geographical region in which the V-M200 operates. To change the domain, click the domain name or select Management > Country.

Caution

Wireless radios are governed by different regulatory standards depending on the region in which they are installed. By setting the regulatory domain, the V-M200 will only allow you to configure wireless settings in accordance with the regulations in the selected domain. Therefore, the settings that are available on this page may not include all options that are described in this section. Please ensure that the V-M200 is operating in accordance with channel, power, indoor/outdoor restrictions and license requirements for the intended country.


Operating mode

Select the operating mode. Available options are:

• Access point and WDS bridge: Standard operating mode provides support for all wireless functions.
• Access point only: Only provides AP functionality; WDS links cannot be created.
• WDS bridge: Only provides WDS functionality. Wireless client stations cannot connect.
• Monitor: Puts the radio in promiscuous mode (no transmissions). Both AP and WDS bridge functionality are disabled. Use this option for continuous scanning for rogue APs across all channels in all wireless modes. See the results of the scans on the Wireless > Rogue AP detection page. This mode also enables 802.11 traffic to be traced when using the Tools > Network trace command.

Wireless mode

Select the mode that best supports the wireless client stations at your location. Supported wireless modes are determined by the regulatory domain (country). Available options may include one or more of the following.

• 802.11n (5 GHz): (Pure 802.11n) Supports up to 300 Mbps in the 802.11n 5 GHz frequency band.
• 802.11n/a: (Compatibility mode) Supports up to 270 Mbps for 802.11n and 54 Mbps for 802.11a in the 5 GHz frequency band.
• 802.11n (2.4 GHz): (Pure 802.11n) Supports up to 144.4 Mbps in the 802.11n 2.4 GHz frequency band.
• 802.11n/g: (Compatibility mode) Supports up to 130 Mbps for 802.11n and 54 Mbps for 802.11g in the 2.4 GHz frequency band. Only use this setting when support for 802.11g is necessary.
• 802.11n/b/g: (Compatibility mode) Supports up to 130 Mbps for 802.11n, 54 Mbps for 802.11g, and 11 Mbps for 802.11b in the 2.4 GHz frequency band. Only use this setting when support for 802.11b is necessary.
• 802.11b: Supports up to 11 Mbps in the 2.4 GHz frequency band.
• 802.11b/g: Supports up to 11 and 54 Mbps in the 2.4 GHz frequency band.
• 802.11g: Supports up to 54 Mbps in the 2.4 GHz frequency band.
• 802.11a: Supports up to 54 Mbps in the 5 GHz frequency band.


Note

In 802.11n (2.4 GHz) and 802.11n (5 GHz) modes, the V-M200 does not permit non-802.11n clients to associate. Also in this mode, the V-M200 does not use protection mechanisms (RTS/CTS or CTS-to-self) to enable legacy APs to operate on the same frequency. This can potentially cause problems with legacy (802.11a/b/g) APs operating on the same channel, but provides the best throughput for the V-M200 and its 802.11n clients.

In 802.11n/a, 802.11n/g, and 802.11n/b/g modes, the V-M200 permits both 802.11n and legacy clients (802.11a/b/g) to associate. The V-M200 uses protection mechanisms (RTS/CTS or CTS-to-self) when sending 802.11n data to prevent disruption to legacy (802.11a/b/g) clients associated on the same channel.

For more information, refer to 802.11n best practices on page 5-7.

Channel width

(Only applicable when Wireless mode includes some type of 802.11n support.)

(Only configurable when Wireless mode is set to 802.11n (5 GHz) or 802.11n/a. For all other 802.11n modes, Channel width is set to 20 MHz and cannot be changed.)

Select the Channel width that will be used for 802.11n users.

• 20 MHz: Sets channel width to 20 MHz.
• Auto 20/40 MHz: Under most conditions this can double throughput by bonding adjacent channels to form a 40 MHz channel. This option reduces the number of unoccupied channels available to neighboring APs.

Note: Although some 802.11n clients only support 20 MHz channels, they can still associate with a V-M200 configured for Auto 20/40 MHz.

Channel

Select channel and frequency for wireless services. The channels that are available are determined by the regulations that apply in your country. Use the Automatic option to have the V-M200 select the best available channel.

If setting the channel manually, for optimal performance when operating in 2.4 GHz modes, select a channel that is different from other wireless APs that operate in neighboring cells by at least five channel numbers (25 MHz). For example, if another AP is operating on channel 1, set the V-M200 to channel 6 or higher. Select Wireless > Rogue AP detection, and then select Configure Access Point List to view a list of APs currently operating in your area.

When operating in 802.11a or 802.11n (5 GHz) modes, interference between APs is not a consideration as all channels are non-overlapping.


Wireless configuration Detecting rogue APs

When Wireless mode is 802.11n (5 GHz) or 802.11n/a and Channel width is Auto 20/40 MHz, the channel numbers in the Channel list include either a “(1)” or “(-1)” to their right. A “(1)” indicates that the 40 MHz channel is formed from the indicated channel plus the next channel. A “(-1)” indicates that the 40 MHz channel is formed from the indicated channel plus the previous channel.

With a 40 MHz Channel width in the 5 GHz band, channel selection and usage is as follows for the first four channels:

Channel selected     Channels used
36(1)                36+40
40(-1)               40+36
44(1)                44+48
48(-1)               48+44

Note: The channel selected is the primary channel and the channel above or below it becomes the secondary channel. The AP beacon is transmitted only on the primary channel and all legacy client traffic is carried on the primary channel.

Detecting rogue APs

You can use the Rogue AP detection feature to scan for other APs operating nearby and flag them as either authorized APs or rogue APs. This is useful for monitoring the installation of wireless access points in your company’s work areas to ensure that new APs (which could be a security risk if improperly configured) are not deployed without your knowledge. This feature can also be used to determine the operating frequencies of nearby APs for site planning purposes.

Note

• Scanning is temporarily disabled when a trace is active (Tools > Network trace page).
• To obtain the best possible wireless performance (such as needed for voice applications), scanning should be disabled. To disable, clear the Repeat scan checkbox under Scan interval.

Scanning modes

The way in which the V-M200 performs scanning depends on the configuration of the wireless radio (Wireless > Radio page). The following scanning modes are possible:

• Monitor mode: When the radio has its Operating mode set to Monitor, scanning occurs continuously. The scan switches to a new channel every 200 ms, sequentially covering all supported wireless modes and channels. Use this method to quickly obtain an overview of all APs in your area for site planning, or for initial configuration of the authorized access points list.
• Automatic channel: When the radio has its Channel set to Automatic, scanning is performed for all the channels in the currently selected Wireless mode when the V-M200 starts up.
• Background scanning: For any other radio configuration, scanning is controlled by the settings on the Rogue AP detection page. To enable scanning, select the Repeat scan checkbox and set the Scan interval. Scanning is performed for all the channels in the currently selected radio Wireless mode. One channel is scanned during each scan interval. By default, the scan interval is set to 600 seconds. This is done to minimize the impact on radio throughput. Use this method to continuously view APs operating in your area while minimizing the effect on throughput.

Viewing scan results

To view the results of the latest scan, open the Wireless > Rogue AP detection page. For example:

To update scanning results, click the refresh button in your browser.

Note

Rogue access points are not listed until you define at least one authorized access point as described under Creating a list of authorized access points on page 5-15.


Scanning for rogue APs

When the V-M200 discovers an AP during a scan, it compares the MAC address of the AP against the list of authorized APs (which you must define). If the scanned AP does not appear in the list of authorized APs, it is displayed in the Rogue access points table.

If the V-M200 is in background scanning mode, it will scan all channels in the currently selected radio operating mode approximately once every two hours (assuming the default scan interval of 600 seconds). This provides for continuous background monitoring for rogue APs.

Creating a list of authorized access points

The easiest way to create this list is automatically. However, this requires that the authorized APs are already operating and have been found by a scan. If not, then the list can be defined manually.

To create the list

1. Under the Authorized access points table, click Configure Access Point List.
2. Under Add access points, do the following for each access point you want to authorize:

   • If the access points you want to add appear in the All access points table:
     1. Select the option Select from list of scanned access points.
     2. Select the access point in the All access points table that you want to authorize.
     3. Select Add. The MAC address for this access point is added to the Authorized access points table.

   • To add access points that do not appear in the All access points table:
     1. Select the option Manually configure.
     2. Specify the MAC address of the access point that you want to authorize. The MAC address must be in the following format: 12 hexadecimal numbers separated by colons, with the values “a” to “f” in lowercase. For example: 00:03:520:a0:f01.
     3. Select Add. The MAC address is added to the Authorized access points table.

3. Select Save to return to the Rogue AP detection page. The Authorized access points table will show all the new APs that you added, and they will no longer appear in the Rogue access points table.
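The MAC comparison and scan timing described in this section can be reproduced offline when reviewing exported scan results. The following Python example is added here and is not HP code; the function names, the dictionary layout of a scan entry (mac, ssid, channel) and the sample addresses are assumptions, while the MAC format, the empty-list behaviour and the 600-second default come from the guide.

```python
import re

# Added example (not HP code): the MAC comparison the guide describes for
# rogue AP detection. Names and the sample scan data are assumptions.

DEFAULT_SCAN_INTERVAL_S = 600  # default background scan interval in the guide


def normalize_mac(text):
    """Return a MAC address in the format the guide requires for manual entry:
    12 hexadecimal digits in colon-separated pairs, a-f in lowercase."""
    digits = re.sub(r"[:.\-\s]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def classify_scan(scanned_aps, authorized_macs):
    """Split scan results into authorized and rogue APs by MAC address.

    As in the guide, nothing is reported as rogue until the authorized list
    holds at least one entry.
    """
    allowed = {normalize_mac(m) for m in authorized_macs}
    authorized, rogue = [], []
    for ap in scanned_aps:
        entry = dict(ap, mac=normalize_mac(ap["mac"]))
        if entry["mac"] in allowed:
            authorized.append(entry)
        elif allowed:
            rogue.append(entry)
    return {"authorized": authorized, "rogue": rogue}


def full_sweep_seconds(channel_count, scan_interval_s=DEFAULT_SCAN_INTERVAL_S):
    """Background scanning covers one channel per interval, so a new AP on a
    given channel can go unseen for up to one full sweep."""
    return channel_count * scan_interval_s


# Constructed sample data (locally administered MAC addresses, not real devices).
# The third AP advertises the same SSID as the others but is not on the list.
SAMPLE_SCAN = [
    {"mac": "02:00:00:00:00:01", "ssid": "corp", "channel": 1},
    {"mac": "02-00-00-00-00-02", "ssid": "corp", "channel": 6},
    {"mac": "0200.0000.00FF", "ssid": "corp", "channel": 6},
]
SAMPLE_AUTHORIZED = ["02:00:00:00:00:01", "02:00:00:00:00:02"]

if __name__ == "__main__":
    result = classify_scan(SAMPLE_SCAN, SAMPLE_AUTHORIZED)
    for ap in result["rogue"]:
        print("rogue:", ap["mac"], "ssid", ap["ssid"], "channel", ap["channel"])
    print("full sweep of 11 channels:", full_sweep_seconds(11) / 60, "minutes")
```

With 11 channels and the default interval, a full sweep takes 110 minutes, in line with the guide's "approximately once every two hours"; that figure is the worst-case delay before a newly installed AP appears in the Rogue access points table.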

Viewing wireless information

The V-M200 provides several pages where you can view information related to wireless operation.

Viewing all connected wireless clients

Select Wireless > Client connections.

MAC address The MAC address of the client station.

IP Address The IP address assigned to the client station.

 VLAN The Ethernet VLAN assigned to the client station.

SSID The SSID with which the client station is associated.

Authorized

• Yes: Client station has the right to transmit/receive traffic.
• No: Client station can only transmit/receive 802.1X packets.
• Filtered: Client traffic is blocked by the MAC filtering feature.

Authentication Indicates how the client station was authenticated.

Association time Indicates how long the client station has been associated with the V-M200.

Signal Indicates the strength of the radio signal received from the client station. Signal strength is expressed in decibel milliwatt (dBm). The higher the number the stronger the signal.

Noise Indicates how much background noise exists in the signal path between the client station and the V-M200. Noise is expressed in decibel milliwatt (dBm). The lower (more negative) the value, the weaker the noise.

SNR Indicates the relative strength of client station radio signals versus the radio interference (noise) in the radio signal path. In most environments, SNR is a good indicator for the quality of the radio link between the client station and the V-M200. A higher SNR value means a better quality radio link.


Wireless configuration Viewing wireless information

Viewing wireless statistics for the radio

Select Status > Wireless.


Wireless port

• UP: Port is operating normally
• DOWN: Port is not operating

Frequency  The current operating frequency.

Protocol Identifies the wireless protocol used by the V-M200 to communicate with wireless users.

Mode Current mode of operation.

Tx power Current transmission power.

Tx packets The total number of packets transmitted.

Rx packets The total number of packets received.

Tx dropped The number of packets that could not be transmitted. This can occur when the wireless configuration is being changed.

Rx dropped The number of received packets that were dropped due to lack of resources on the V-M200. This should not occur under normal circumstances. A possible cause could be if many client stations are continuously transmitting small packets at a high data rate.

Tx errors

The total number of packets that could not be sent due to the following error: Rx retry limit exceeded.

Tx multicast octets The number of octets transmitted successfully as part of successfully transmitted multicast MSDUs. These octets include MAC Header and Frame Body of all associated fragments.

Tx unicast octets The number of octets transmitted successfully as part of successfully transmitted unicast MSDUs. These octets include MAC Header and Frame Body of all associated fragments.

Tx fragments The number of MPDUs of type Data or Management delivered successfully; i.e., directed MPDUs transmitted and being ACKed, as well as non-directed MPDUs transmitted.


Tx multicast frames The number of MSDUs, of which the destination address is a multicast MAC address (including broadcast MAC address), transmitted successfully.

Tx unicast frames The number of MSDUs, of which the destination address is a unicast MAC address, transmitted successfully. This implies having received an acknowledgment to all associated MPDUs.

Rx multicast octets The number of octets received successfully as part of multicast (including broadcast) MSDUs. These octets include MAC Header and Frame Body of all associated fragments.

Rx unicast octets The number of octets received successfully as part of unicast MSDUs. These octets include MAC Header and Frame Body of all associated fragments.

Rx fragments The number of MPDUs of type Data or Management received successfully.

Rx multicast frames The number of MSDUs, with a multicast MAC address (including the broadcast MAC address), as the Destination Address, received successfully.

Rx unicast frames The number of MSDUs, with a unicast MAC address as the Destination Address received successfully.

Tx discards wrong SA  The number of transmit requests that were discarded because the source address is not equal to the MAC address.

Tx discards The number of transmit requests that were discarded to free up buffer space on the V-M200. This can be caused by packets being queued too long in one of the transmit queues, or because too many retries and defers occurred, or otherwise not being able to transmit (for example, when scanning).

Tx retry limit exceeded The number of times an MSDU is not transmitted successfully because the retry limit is reached, due to no acknowledgment or no CTS received.

Tx multiple retry frames The number of MSDUs successfully transmitted after more than one retransmission (on the total of all associated fragments). May be due to collisions, noise, or interference. Excessive retries can indicate that too many computers are using the wireless network or that something is interfering with transmissions.


Tx single retry frames The number of MSDUs successfully transmitted after one (and only one) retransmission (on the total of all associated fragments). May be due to collisions, noise, or interference. Large numbers of single retries can indicate that too many computers are using the wireless network or that something is interfering with transmissions.

Tx deferred transmissions The number of MSDUs for which (one of) the (fragment) transmission attempt(s) was one or more times deferred to avoid a collision. Large numbers of deferred transmissions can indicate that too many computers are using the wireless network.

QoS low priority tx Total number of QoS low priority packets that have been sent.

QoS medium priority tx Total number of QoS medium priority packets that have been sent.

QoS high priority tx Total number of QoS high priority packets that have been sent.

QoS very high priority tx Total number of QoS very high priority packets that have been sent.

Rx discards no buffer The number of received MPDUs that were discarded because of lack of buffer space.

Rx discards WEP excluded The number of discarded packets, excluding WEP-related errors.

Rx discards WEP ICV error The number of received MPDUs that were discarded due to malformed WEP packets.

Rx MSG in bad msg fragments The number of MPDUs of type Data or Management received successfully, while there was another reception going on above the carrier detect threshold but with bad or incomplete PLCP Preamble and Header (the message-in-message path #2 in the modem).

Rx MSG in msg fragments The number of MPDUs of type Data or Management received successfully, while there was another good reception going on above the carrier detect threshold (the message-in-message path #2 in the modem).

Rx WEP undecryptable The number of received MPDUs, with the WEP subfield in the Frame Control field set to one, that were discarded because they should not have been encrypted or due to the receiving station not implementing the privacy option.


Rx FCS errors The number of MPDUs, considered to be destined for this station (Address matches), received with an FCS error. Note that this does not include data received with an incorrect CRC in the PLCP header. These are not considered to be MPDUs.

Clear counters Click this button to reset all counters to zero.

Viewing throughput for wireless clients

Select Status > Wireless rates.

This page indicates the volume of traffic sent and received at each data rate for each connected user.

• Legacy rate traffic: Displays information for clients using 802.11 a/b/g modes. The size of the bar indicates the amount of traffic sent at each rate.
• High Throughput rate traffic: Displays information for clients using 802.11n modes for each supported MCS (modulation coding scheme). The size of the bar indicates the amount of traffic sent at each MCS.

For the V-M200, supported rates are as follows:

Data rate in Mbps based on channel width

MCS     20 MHz     40 MHz
0       6.50       13.50
1       13.00      27.00
2       19.50      40.50
3       26.00      54.00
4       39.00      81.00
5       52.00      108.00
6       58.50      121.50
7       65.00      135.00
8       13.00      27.00
9       26.00      54.00
10      39.00      81.00
11      52.00      108.00
12      78.00      162.00
13      104.00     216.00
14      117.00     243.00
15      130.00     270.00


Chapter 6: Configuring network settings and VLANs

6 Configuring network settings and VLANs

Contents

Assigning an IP address to the V-M200
    Automatically assigning an IP address (default method)
    Manually assigning an IP address
Ethernet port link settings
Working with VLANs
    VLAN assignment via wireless community
    VLAN assignment via RADIUS
    Bridging traffic between wireless communities with VLANs
Discovery protocols
    CDP
    LLDP
Bridge spanning tree protocol
DNS server configuration

 

Configuring network settings and VLANs Assigning an IP address to the V-M200

Assigning an IP address to the V-M200

There are several ways to assign an IP address to the Ethernet port on the V-M200.

 Automatically assigning an IP address (default method)

By default the V-M200 operates as a DHCP client. This means that if the network has a DHCP server, the V-M200 will automatically receive a new IP address in place of its default IP address (192.168.1.1) upon connecting to the network. The DHCP server will assign an address from its pool of available addresses. You can find the IP address of the V-M200 by looking for its Ethernet base MAC address in the DHCP server log. The Ethernet MAC address is printed on the V-M200 label identified as Ethernet Base MAC, or listed on the management tool Home page as Ethernet MAC address. To have the DHCP server assign a specific IP address to the V-M200, you need to preconfigure the DHCP server to associate the IP address you want to use with the MAC address of the Ethernet port on the V-M200.

Manually assigning an IP address

You can manually assign an IP address to the Ethernet port. This requires that you also define the address of the DNS server and default gateway that are in use on your network.

1. Select Network > DNS. The DNS page opens.


2. Select the checkbox next to Override dynamically assigned DNS servers.
3. Define an IP address for at least Server 1. Define values for Server 2 and Server 3 if available on your network.
4. Select the checkbox next to DNS cache.
5. Select Save.
6. Select Network > IP. The IP configuration page opens.
7. Under Assign IP address via, select Static and then select Configure. The Static configuration page opens.

8. Configure the following settings: 

IP address: Set an address that is on the same subnet as the network to which the V-M200 will connect once installed. Respect any DHCP server-mandated static address ranges.

Subnet mask: Set the corresponding mask for the IP address.

Default gateway: Set the IP address of the gateway on the network.

9. Select Save. Your connection to the management tool will be lost.
10. You can now connect the Ethernet port on the V-M200 to your network.


Ethernet port link settings

If required, you can adjust the link settings by selecting Network > Ethernet.

If you do not use the Auto setting for Speed or Duplex, make sure that the device to which the V-M200 is connected has a matching configuration. If there is a speed mismatch, the link will not be established. If there is a duplex mismatch, the link may be established but with transmission errors and reduced connectivity.

Speed

Auto: Lets the V-M200 automatically set port speed based on the type of equipment it is connected to.

10: Forces the port to operate at 10 Mbps.

100: Forces the port to operate at 100 Mbps.

1000: Forces the port to operate at 1000 Mbps.

Duplex

Auto: Lets the V-M200 automatically set duplex mode based on the type of equipment to which it is connected.

Full: Forces the port to operate in full duplex mode.

Half: Forces the port to operate in half duplex mode.

Working with VLANs

The V-M200 provides a robust and flexible VLAN implementation that enables you to group wireless clients by functionality, workgroup, or application rather than by their physical location. VLANs enable you to effectively send traffic from wireless users onto different logical segments on the same physical network connected to the Ethernet port. VLANs can be assigned globally to all users on a wireless community, or individually on a per-user basis when using RADIUS server for authentication. The following sections explain how to configure both options.


VLAN assignment via wireless community

The easiest way to assign user traffic to a VLAN is to configure the Ethernet VLAN setting in a wireless community (see Ethernet VLAN on page 4-7). This puts all the traffic from users that connect to the wireless community onto the specified VLAN via the V-M200 Ethernet port. In the following scenario, two wireless communities are defined, each with its own VLAN.

[Figure: Employee #1 and Employee #2 on the Employee wireless community (VLAN = 10) and Guest #1 and Guest #2 on the Guest wireless community (VLAN = 20), connected through the V-M200 to a switch, company file server, shared printer, and DHCP server.]

The Employee wireless community is configured with VLAN 10. All employee traffic exits the V-M200 on VLAN 10, providing access to the company file server, shared printer, and the Internet. The Guest wireless community is configured with VLAN 20. All guest traffic exits the V-M200 on VLAN 20, providing access to the shared printer and the Internet.

Note

If two wireless communities are assigned to the same VLAN, wireless users may be able to communicate with each other. See Communication between users on different wireless communities on page 4-6.

VLAN assignment via RADIUS

VLANs can also be assigned on a per-user basis by setting VLAN attributes in a user’s RADIUS account. To use this option you need to do the following:

Configure a wireless community with Security method set to WPA or 802.1X. If using WPA, Key source must be set to RADIUS. For configuration details, see Wireless protection on page 4-7.

Configure a RADIUS profile to connect with the RADIUS server. For configuration details, see Defining a RADIUS client profile on the V-M200 on page 7-2.

Define RADIUS user accounts with the appropriate VLAN attributes (Tunnel-Medium-Type, Tunnel-Private-Group-ID, and Tunnel-Type). For configuration details, see Configuring user accounts on a RADIUS server on page 7-5.


Note

When a VLAN is defined in a user’s RADIUS account it always overrides the Ethernet VLAN defined for a wireless community. This enables you to define an Ethernet VLAN setting for a community and then override it on a per-user basis as required.

Example

In the following scenario, RADIUS user accounts are configured to assign employees to different VLANs depending on the workgroup to which an employee belongs.

Employee wireless community

R&D employees are assigned to VLAN 10 via attributes in their RADIUS account.

Accounting employees are assigned to VLAN 15 via attributes in their RADIUS account.

Employees without a VLAN assignment in their RADIUS account get assigned to the VLAN that is configured for the wireless community, which in this example is 20. This enables these employees to access the shared printer and the Internet.

Guest wireless community

The Guest community does not use RADIUS. All traffic on the Guest community is assigned to VLAN 20, providing access to the shared printer and the Internet.

[Figure: R&D employee (VLAN = 10) and Accounting employee (VLAN = 15) on the Employee wireless community (VLAN = 20), and Guest #1 and Guest #2 on the Guest wireless community (VLAN = 20), connected through the V-M200 to a switch, R&D file server, Accounting file server, shared printer, RADIUS server, and DHCP server.]

Bridging traffic between wireless communities with VLANs

When users on two different wireless communities are assigned to the same VLAN, they may be able to communicate with each other depending on the setting of the Allow traffic between all/no wireless clients option. See Communication between users on different wireless communities on page 4-6 for details.


Discovery protocols

The V-M200 supports the Link Layer Discovery Protocol (LLDP) and the Cisco Discovery Protocol (CDP). These protocols provide a mechanism for the V-M200 to exchange information about its identity, capabilities, and interconnection with other devices on the network. Information gathered via LLDP and CDP is stored in the V-M200 in a management information database (MIB) and can be retrieved with the simple network management protocol (SNMP).

CDP

CDP (Cisco Discovery Protocol) provides a mechanism for the V-M200 to advertise information about itself to other devices on the wired network. This information is useful for network administration purposes and is sent on the Ethernet port and any active WDS links. When the CDP support is enabled, the CDP settings are configured by default and cannot be changed.

To enable CDP support

1. Select Network > Discovery protocols.
2. Select Enabled under CDP support and then select Save.

LLDP

The IEEE 802.1AB Link Layer Discovery Protocol (LLDP) provides a standards-based method for network devices to discover each other and exchange information about their capabilities. An LLDP device advertises itself to adjacent (neighbor) devices by transmitting LLDP data packets on all ports on which outbound LLDP is enabled, and reading LLDP advertisements from neighbor devices on ports that are inbound LLDP-enabled. An LLDP enabled port receiving LLDP packets inbound from neighbor devices stores the packet data in a Neighbor database (MIB). LLDP information is used by network management tools to create accurate physical network topologies by determining which devices are neighbors and through which ports they connect.


LLDP operates at layer 2 and requires an LLDP agent to be active on each network interface that will send and receive LLDP advertisements. LLDP advertisements can contain a variable number of TLV (type, length, value) information elements. Each TLV describes a single attribute of a device. When an LLDP agent receives information from another device, it stores the information locally in a special LLDP MIB (management information base). This information can then be queried by other devices via SNMP. For example, the HP Manager software retrieves this information to build an overview of a network and all its components.

Note

LLDP information is only sent/received on the Ethernet port and active WDS links. LLDP information is not collected from wireless devices connected to an AP.

SNMP support

Support is provided for the following MIBs:

LLDP MIB definition described in chapter 12 of the 802.1AB standard.

Interfaces MIB (RFC 2863).

Supported LLDP TLVs

When the LLDP support is enabled, the LLDP agent supports the following mandatory and optional TLVs.

Mandatory TLVs

Chassis ID (Type 1): The MAC address of the V-M200.

Port ID (Type 2): The MAC address of the port on which the TLV will be transmitted.

Time to live (Type 3): Defines the length of time that neighbors will consider LLDP information sent by this agent to be valid. Calculated by multiplying Transmit interval by the Multiplier.

Optional TLVs

Port description (Type 4): A description of the port.

System name (Type 5): Administrative name assigned to the device from which the TLV was transmitted.

System description (Type 6): Description of the system, comprised of the following information: operational mode, hardware type, hardware revision, and firmware version.

System capabilities (Type 7): Indicates the primary function of the device. Set to: WLAN access point.

LLDP default settings

When the LLDP support is enabled, the values of the following LLDP settings are configured by default. You cannot change these values.






Transmit interval = 30 seconds. The interval at which local LLDP information is updated and TLVs are sent to neighboring network devices.

Multiplier = 5 seconds. The value of Multiplier is multiplied by the Transmit interval to define Time to live.

Time to live = 150 seconds. Length of time that neighbors consider LLDP information sent by this agent to be valid. Time to live is calculated by multiplying Transmit interval by Multiplier.

Configuring LLDP support on the V-M200

LLDP settings are configured by selecting Network > Discovery protocols.

To enable LLDP support, select Enabled under LLDP support.
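The TLV layout and default values described in this section can be checked against a captured advertisement. The following added example (not HP's code) parses an LLDPDU, confirms the mandatory TLVs and the 150-second Time to live, and lists the optional TLVs a neighbor on the wire learns; the sample frame, MAC address, system name and description string are constructed.

```python
import struct

# TLV type numbers as listed in the guide (IEEE 802.1AB).
TLV_NAMES = {1: "chassis_id", 2: "port_id", 3: "ttl", 4: "port_description",
             5: "system_name", 6: "system_description", 7: "system_capabilities"}
MANDATORY = ("chassis_id", "port_id", "ttl")
EXPECTED_TTL = 30 * 5          # Transmit interval x Multiplier = 150 seconds
CAP_WLAN_AP = 0x0008           # "WLAN access point" bit in the capabilities TLV


def tlv(tlv_type, value):
    """Encode one TLV: a 7-bit type and a 9-bit length share a 16-bit header."""
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def parse_lldpdu(payload):
    """Split an LLDPDU (the Ethernet payload) into {name: raw value bytes}."""
    found, offset = {}, 0
    while offset + 2 <= len(payload):
        (header,) = struct.unpack_from("!H", payload, offset)
        tlv_type, length = header >> 9, header & 0x01FF
        offset += 2
        if tlv_type == 0:                      # End of LLDPDU TLV
            break
        if offset + length > len(payload):
            raise ValueError("TLV type %d runs past the end of the frame" % tlv_type)
        name = TLV_NAMES.get(tlv_type, "type_%d" % tlv_type)
        found[name] = payload[offset:offset + length]
        offset += length
    return found


def mac(value):
    """Format the MAC address that follows the one-byte ID subtype."""
    return ":".join("%02x" % b for b in value[1:7])


def summarize(payload):
    """Decode the TLVs the guide lists and report what the frame discloses."""
    raw = parse_lldpdu(payload)
    missing = [name for name in MANDATORY if name not in raw]
    if missing:
        raise ValueError("missing mandatory TLVs: " + ", ".join(missing))
    if len(raw["ttl"]) != 2:
        raise ValueError("Time to live TLV must be 2 octets")
    (ttl,) = struct.unpack("!H", raw["ttl"])
    caps = int.from_bytes(raw.get("system_capabilities", b"")[:2], "big")
    return {
        "chassis_mac": mac(raw["chassis_id"]),
        "port_mac": mac(raw["port_id"]),
        "ttl": ttl,
        "ttl_matches_defaults": ttl == EXPECTED_TTL,
        "is_wlan_ap": bool(caps & CAP_WLAN_AP),
        # Optional TLVs present, i.e. what any neighbor on the wire can read.
        "disclosed": sorted(n for n in raw if n not in MANDATORY),
    }


# Constructed sample LLDPDU; the MAC, name and description are made up.
AP_MAC = bytes.fromhex("020000000001")
SAMPLE = b"".join([
    tlv(1, b"\x04" + AP_MAC),                  # Chassis ID, subtype 4 = MAC address
    tlv(2, b"\x03" + AP_MAC),                  # Port ID, subtype 3 = MAC address
    tlv(3, struct.pack("!H", 150)),            # Time to live
    tlv(5, b"lobby-ap"),                       # System name
    tlv(6, b"V-M200, hardware rev X, firmware X.Y.Z"),
    tlv(7, struct.pack("!HH", CAP_WLAN_AP, CAP_WLAN_AP)),
    tlv(0, b""),                               # End of LLDPDU
])

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(key, "=", value)
```

Because the System description TLV carries the hardware revision and firmware version, the "disclosed" list is a quick way to see what an enabled LLDP agent tells every device attached to the same wired segment.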

Bridge spanning tree protocol

The V-M200 uses the Spanning-Tree Protocol (STP) to prevent undesirable loops from occurring in the network that may result in decreased throughput. Spanning tree is configured by selecting Network > IP.


Spanning tree can be enabled for: 



Untagged ports: Applies to all untagged traffic on the Ethernet port and active WDS links.

VLAN ports: Applies to any traffic that has a VLAN assigned to it. VLANs can be assigned by setting the Ethernet VLAN option in a wireless community, or by setting a user-defined VLAN via RADIUS attributes.

Priority

Sets the priority of the V-M200 within the spanning tree network. Generally, the bridge with lowest priority is designated as the root bridge of the spanning tree.

DNS server configuration

The V-M200 provides several options to customize DNS handling. To configure these options, select Network > DNS.

If static IP addressing is being used, the following page is displayed allowing you to define up to three DNS servers.


If DHCP IP addressing is being used, the following page is displayed. It shows the servers that have been dynamically assigned by the DHCP server. To manually assign your own DNS servers, select the Override dynamically assigned DNS option and then specify up to three DNS servers.

DNS servers

Server 1: Specify the IP address of the primary DNS server for the V-M200 to use.

Server 2: Specify the IP address of the secondary DNS server for the V-M200 to use.

Server 3: Specify the IP address of the tertiary DNS server for the V-M200 to use.

DNS advanced settings

DNS cache

Enable this checkbox to activate the DNS cache. Once a host name is successfully resolved to an IP address by a remote DNS server, it is stored in the cache. This speeds up network performance, because the remote DNS server does not have to be queried for subsequent requests for this host.

An entry stays in the cache until one of the following is true:

An error occurs when connecting to the remote host.

The time to live (TTL) of the DNS request expires.

The V-M200 restarts.


DNS switch on server failure

This setting controls how the V-M200 switches between the primary and secondary DNS servers.

When enabled, the V-M200 switches servers if the current server replies with a DNS server failure message.

When disabled, the V-M200 switches servers if the current server does not reply to a DNS request.

DNS switch over

This setting controls how the V-M200 switches back to the primary DNS server after it has switched to the secondary DNS server because the primary was unavailable.

When enabled, the V-M200 switches back to the primary server after it becomes available again.



When disabled, the V-M200 switches back to the primary server only if the secondary server becomes unavailable.


Chapter 7: Authentication services

Contents
Using a third-party RADIUS server
  Defining a RADIUS client profile on the V-M200
  Configuring user accounts on a RADIUS server
Global 802.1X settings
  Supplicant timeout
  Group key update
  Reauthentication

 

Authentication services Using a third-party RADIUS server

Using a third-party RADIUS server

The V-M200 can use third-party RADIUS servers to perform a number of authentication and configuration tasks, including the tasks shown in the table below.

Task: Validating user login credentials for the WPA, 802.1X, or MAC-based authentication options.
For more information see: Wireless protection on page 4-7. MAC-based authentication on page 4-12.

Task: Storing custom configuration settings, such as a VLAN ID, for each user.
For more information see: Configuring user accounts on a RADIUS server on page 7-5.

Task: Storing accounting information for each user.
For more information see: Wireless protection on page 4-7 or MAC-based authentication on page 4-12 for information on how to enable accounting support.

Defining a RADIUS client profile on the V-M200

The V-M200 enables you to define a maximum of 16 RADIUS profiles. Each profile defines the settings for a RADIUS client connection. To support a client connection, you must create a client account on the RADIUS server. The settings for this account must match the profile settings you define on the V-M200. For backup redundancy, each profile supports a primary and secondary server. The V-M200 can function with any RADIUS server that supports RFC 2865 and RFC 2866. Authentication occurs via authentication types such as: EAP-MD5, CHAP, MSCHAP v1/v2, PAP, EAP-TLS, EAP-TTLS, EAP-PEAP, EAP-SIM, EAP-AKA, EAP-FAST, and EAP-GTC.

Note

If you change a RADIUS profile to connect to a different server while users are active, all RADIUS traffic for active user sessions is immediately sent to the new server.

To define a RADIUS profile

1. Select Authentication > RADIUS profiles. The RADIUS profiles page opens.


2. Select Add New Profile. The Add/Edit RADIUS profile page opens.
3. Configure the profile settings as described in the following section.
4. Select Save.

Configuration settings

Profile name

Specify a name to identify the profile.

Settings

Authentication port: Specify a port on the RADIUS server to use for authentication. By default RADIUS servers use port 1812.

Accounting port: Specify a port on the RADIUS server to use for accounting. By default RADIUS servers use port 1813.


Retry interval: Specify the number of seconds that the RADIUS server waits before access and accounting requests time out. If the server does not receive a reply within this interval, the V-M200 switches between the primary and secondary RADIUS servers, if a secondary server is defined. A reply that is received after the retry interval expires is ignored.

Retry interval applies to access and accounting requests that are generated by the following:

802.1x authentication.

MAC-based authentication.

You can determine the maximum number of retries as follows:

MAC-based authentication: Number of retries is infinite.

WPA/802.1X authentication: Retries are controlled by the 802.1X client software.

Retry timeout: When enabled, this option allows the V-M200 to drop accounting requests after retrying (every retry interval) for the specified Retry timeout value. When disabled, the V-M200 retries forever.

Retry timeout value: Specify the amount of time (in seconds) between retries.

Authentication method: Select the default authentication method that the V-M200 uses when exchanging authentication packets with the RADIUS server defined for this profile. For 802.1X users, the authentication method is always determined by the 802.1X client software and is not controlled by this setting. If traffic between the V-M200 and the RADIUS server is not protected by a VPN, it is recommended that you use either EAP-MD5 or MSCHAPv2 (if supported by your RADIUS Server). PAP, MSCHAPv1, and CHAP are less secure protocols.

NAS ID: Specify the identifier for the network access server that you want to use for the V-M200. By default, the serial number of the V-M200 is used. The V-M200 includes the NAS-ID attribute in all packets that it sends to the RADIUS server.

Always try primary server first: Enable this option if you want to force the V-M200 to contact the primary server first. Otherwise, the V-M200 sends the first RADIUS access request to the last known RADIUS server that replied to any previous RADIUS access request. If the request times out, the next request is sent to the other RADIUS server if defined. For example, assume that the primary RADIUS server was not reachable and that the secondary server responded to the last RADIUS access request. When a new authentication request is received, the V-M200 sends the first RADIUS access request to the secondary RADIUS server. If the secondary RADIUS server does not reply, the V-M200 retransmits the RADIUS access request to the primary RADIUS server. When two servers are configured, the V-M200 always alternates between the two.


Use message authenticator: When enabled, causes the RADIUS Message Authenticator attribute to be included in all RADIUS access requests sent by the V-M200.

Note: This option has no effect on 802.1X authentication requests. These requests always include the RADIUS Message-Authenticator attribute.

Primary/Secondary RADIUS server 

Server address: Specify the IP address of the RADIUS server.

Secret/Confirm secret: Specify the password for the V-M200 to use to communicate with the RADIUS server. The shared secret is used to authenticate all packets exchanged with the server, proving that the packets originate from a valid/trusted source.

Configuring user accounts on a RADIUS server

This section presents all RADIUS attributes that are supported for user accounts. These attributes apply when a wireless community is configured to use WPA or 802.1X with RADIUS support.

Access Request attributes

This table lists attributes supported in Access Request packets for each authentication type.

[Table: attributes supported in Access Request packets. Columns: Attribute, WPA / 802.1X, MAC-based. Attributes: Acct-Session-Id, Called-Station-Id, Calling-Station-Id, EAP-Message, Framed-MTU, Message-Authenticator, NAS-Identifier, NAS-Ip-Address, NAS-Port, NAS-Port-Type, Service-Type, State, User-Name, User-Password, Vendor-specific (Colubris) SSID.]


Descriptions

Acct-Session-Id (32-bit unsigned integer): A unique accounting ID used to make it easy to match up records in a log file.

Called-Station-Id (string): This value can be customized for each wireless community by setting the value of Called-Station-ID content (page 4-9). The format can be customized for each wireless community by setting the value of Station ID delimiter and Station ID MAC case (page 4-9).

Calling-Station-Id (string): The MAC address of the 802.1X client station. By default, the MAC address is sent in IEEE format. For example: 00-02-03-5E-32-1A. The format can be customized for each wireless community by setting the value of Station ID delimiter and Station ID MAC case (page 4-9).

Framed-MTU (32-bit unsigned integer): Hard-coded value of 1496.

Message-Authenticator (string): As defined in RFC 2869. Always present even when not doing an EAP authentication. Length = 16 bytes.

NAS-Identifier (string): The NAS ID set on the Authentication > RADIUS profiles page for the RADIUS profile being used.

NAS-Ip-Address (32-bit unsigned integer): The IP address of the port the V-M200 is using to communicate with the RADIUS server.

NAS-Port (32-bit unsigned integer): A virtual port number starting at 1. Assigned by the V-M200.

NAS-Port-Type (32-bit unsigned integer): Always set to 19, which represents WIRELESS_802_11.

Service-Type (32-bit unsigned integer): Set to LOGIN_USER.

State (string): As defined in RFC 2865.

User-Name (string): The username assigned to the user. Or if MAC-authentication is enabled, the MAC address of the wireless client station.

The following attributes are mutually exclusive depending on the RADIUS authentication method.

User-Password (string): The password supplied by a user or device when logging in. Encoded as defined in RFC 2865. Present only when the Authentication method on the Authentication > RADIUS profiles page is set to PAP. Or, if MAC-based authentication is being used, this is set to the MAC address of the wireless client station.

EAP-Message (string): As defined in RFC 2869. Only present when the Authentication method on the Authentication > RADIUS profiles page is set to EAP-MD5.

Vendor-specific (Colubris-AVPair SSID): SSID of the wireless community to which the user is connected.


The Colubris-AVPair attribute conforms to RADIUS RFC 2865. You may need to define this attribute on your RADIUS server (if it is not already present) using the following values:

SMI network management private enterprise code = 8744

Vendor-specific attribute type number = 0

Attribute type: A string in the following format <keyword>=<value>
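The Use message authenticator option and the Colubris-AVPair definition both concern what the V-M200 places in an Access Request. This added example (not code from HP or from any RADIUS server) builds such a request, checks its Message-Authenticator as HMAC-MD5 under the shared secret as RFC 2869 defines it, and extracts the Colubris-AVPair; the secret, user name, NAS ID and the ssid keyword are constructed assumptions.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, VENDOR_SPECIFIC, NAS_IDENTIFIER, MESSAGE_AUTHENTICATOR = 1, 26, 32, 80
COLUBRIS_VENDOR_ID = 8744   # SMI private enterprise code given in the guide
COLUBRIS_AVPAIR = 0         # vendor-specific attribute type number given in the guide


def attr(attr_type, value):
    """Encode one RADIUS attribute: type, length (header included), value."""
    return bytes([attr_type, len(value) + 2]) + value


def colubris_avpair(text):
    """Wrap '<keyword>=<value>' in a Vendor-Specific attribute for vendor 8744."""
    data = text.encode("ascii")
    sub = struct.pack("!BB", COLUBRIS_AVPAIR, len(data) + 2) + data
    return attr(VENDOR_SPECIFIC, struct.pack("!I", COLUBRIS_VENDOR_ID) + sub)


def build_access_request(identifier, secret, attributes, authenticator=None):
    """Return an Access-Request whose last attribute is Message-Authenticator."""
    authenticator = authenticator or os.urandom(16)
    body = attributes + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    header += authenticator
    # HMAC-MD5 over the whole packet with the Message-Authenticator value zeroed.
    digest = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + body[:-16] + digest


def walk(packet):
    """Yield (type, value offset, value) for each attribute after the header."""
    if len(packet) < 20 or struct.unpack_from("!H", packet, 2)[0] != len(packet):
        raise ValueError("length field does not match packet size")
    offset = 20
    while offset < len(packet):
        if offset + 2 > len(packet):
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[offset], packet[offset + 1]
        if a_len < 2 or offset + a_len > len(packet):
            raise ValueError("malformed attribute at offset %d" % offset)
        yield a_type, offset + 2, packet[offset + 2:offset + a_len]
        offset += a_len


def verify_message_authenticator(packet, secret):
    """True only when a Message-Authenticator is present and matches the secret."""
    for a_type, start, value in walk(packet):
        if a_type == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:start] + bytes(16) + packet[start + 16:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False    # attribute absent: nothing ties the request to the secret


def colubris_pairs(packet):
    """Return {keyword: value} for every Colubris-AVPair in the packet."""
    pairs = {}
    for a_type, _, value in walk(packet):
        if a_type != VENDOR_SPECIFIC or len(value) < 6:
            continue
        vendor, v_type, v_len = struct.unpack_from("!IBB", value)
        if vendor != COLUBRIS_VENDOR_ID or v_type != COLUBRIS_AVPAIR:
            continue
        if v_len < 2 or 4 + v_len > len(value):
            continue
        keyword, _, val = value[6:4 + v_len].decode("ascii").partition("=")
        pairs[keyword] = val
    return pairs


# Constructed sample values; none of them come from a real deployment.
SECRET = b"constructed-shared-secret"
SAMPLE_ATTRS = (attr(USER_NAME, b"alice")
                + attr(NAS_IDENTIFIER, b"SERIAL-PLACEHOLDER")
                + colubris_avpair("ssid=Employee"))

if __name__ == "__main__":
    request = build_access_request(7, SECRET, SAMPLE_ATTRS)
    print("valid:", verify_message_authenticator(request, SECRET))
    print("avpairs:", colubris_pairs(request))
```

A request that lacks the attribute is reported as unverified rather than accepted, which is the behavior to look for when auditing how a RADIUS server treats clients that have the option disabled.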

Access Accept attributes

This table lists all attributes supported in Access Accept packets for each authentication type.

[Table: attributes supported in Access Accept packets. Columns: Attribute, WPA / 802.1X, MAC-based. Attributes: Acct-Interim-Interval, Class, EAP-Message, Idle-Timeout, Session-Timeout, Termination-Action, Tunnel-Medium-Type, Tunnel-Private-Group-ID, Tunnel-Type, Vendor-specific (Microsoft) MS-MPPE-Recv-Key and MS-MPPE-Send-Key.]

Descriptions

Acct-Interim-Interval (32-bit unsigned integer): When present, enables the transmission of RADIUS accounting requests of the Interim Update type. Specify the number of seconds between each transmission.

Class (string): As defined in RFC 2865.

EAP-Message (string): Note that the content will not be read, as the RADIUS Access Accept EAP-Message overrides whatever indication is contained inside this packet.














Idle-Timeout (32-bit unsigned integer): Maximum idle time in seconds allowed for the user. Once reached, the user session is terminated with termination-cause IDLETIMEOUT. Omitting the attribute or specifying 0 disables the feature.

Session-Timeout (32-bit unsigned integer): Maximum time a session can be active. After this interval, the 802.1X client is re-authenticated.

Termination-Action: As defined by RFC 2865. If set to 1, user traffic is not allowed during the 802.1X re-authentication.

Tunnel-Medium-Type: Used only when assigning a specific VLAN number to a user. In this case, it must be set to 802. The tag field for this attribute must be set to 0.

Tunnel-Private-Group-ID: Used only when assigning a specific VLAN number to a user. In this case it must be set to the VLAN ID. The tag field for this attribute must be set to 0.

Tunnel-Type: Used only when assigning a specific VLAN number to a user. In this case it must be set to VLAN. The tag field for this attribute must be set to 0.

Vendor-specific (Microsoft)

MS-MPPE-Recv-Key: As defined by RFC 3078.

MS-MPPE-Send-Key: As defined by RFC 3078.
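The three tunnel attributes only describe a VLAN when they agree with each other, and an account without them falls back to the community's Ethernet VLAN. This added example (not HP's code) checks the decoded Access Accept attributes of an account and returns the VLAN the user lands on; the numeric codes for VLAN (13) and 802 (6) come from RFC 2868, the accounts are constructed, and rejecting incomplete or non-zero-tagged sets is this checker's assumption, since the guide does not say how the V-M200 treats them.

```python
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_ATTRS = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)
TUNNEL_TYPE_VLAN = 13      # RFC 2868 value for "VLAN"
TUNNEL_MEDIUM_802 = 6      # RFC 2868 value for "802"


def tagged_int(value):
    """Tunnel-Type and Tunnel-Medium-Type: one tag octet, then a 24-bit integer."""
    if len(value) != 4:
        raise ValueError("tagged integer attribute must be 4 octets")
    return value[0], int.from_bytes(value[1:], "big")


def tagged_string(value):
    """Tunnel-Private-Group-ID: a first octet <= 0x1F is a tag, otherwise text."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:].decode("ascii")
    return 0, value.decode("ascii")


def user_vlan(attributes, community_vlan):
    """Return the VLAN for a user given decoded Access Accept attributes.

    attributes is a list of (attribute type, raw value bytes) pairs. A VLAN
    defined in the account overrides the community's Ethernet VLAN.
    """
    tunnel = {t: v for t, v in attributes if t in TUNNEL_ATTRS}
    if not tunnel:
        return community_vlan          # no per-user VLAN: community setting applies
    if len(tunnel) != len(TUNNEL_ATTRS):
        raise ValueError("VLAN assignment needs all three tunnel attributes")
    type_tag, tunnel_type = tagged_int(tunnel[TUNNEL_TYPE])
    medium_tag, medium = tagged_int(tunnel[TUNNEL_MEDIUM_TYPE])
    group_tag, group = tagged_string(tunnel[TUNNEL_PRIVATE_GROUP_ID])
    if (type_tag, medium_tag, group_tag) != (0, 0, 0):
        raise ValueError("tag field must be 0 on every tunnel attribute")
    if tunnel_type != TUNNEL_TYPE_VLAN or medium != TUNNEL_MEDIUM_802:
        raise ValueError("Tunnel-Type must be VLAN and Tunnel-Medium-Type 802")
    if not group.isdigit() or not 1 <= int(group) <= 4094:
        raise ValueError("Tunnel-Private-Group-ID is not a VLAN ID: %r" % group)
    return int(group)


def vlan_attrs(vlan_id, tag=0):
    """Build the three attributes for one account, tag octet written explicitly."""
    return [
        (TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
        (TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_802.to_bytes(3, "big")),
        (TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode("ascii")),
    ]


# Constructed accounts mirroring the guide's example (community VLAN = 20).
ACCOUNTS = {
    "rd-user": vlan_attrs(10),
    "accounting-user": vlan_attrs(15),
    "other-employee": [(27, (3600).to_bytes(4, "big"))],   # Session-Timeout only
}


def resolve_all(accounts, community_vlan=20):
    """Map every account name to the VLAN its traffic would be placed on."""
    return {name: user_vlan(attrs, community_vlan)
            for name, attrs in accounts.items()}


if __name__ == "__main__":
    for name, vlan in resolve_all(ACCOUNTS).items():
        print(name, "-> VLAN", vlan)
```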

Access Reject

Access Reject RADIUS attributes are not supported.

Access Challenge attributes

This table lists all attributes supported in Access Challenge packets for each authentication type.

[Table: attributes supported in Access Challenge packets. Columns: Attribute, WPA / 802.1X, MAC-based. Attributes: EAP-Message, Message-Authenticator, State.]

Descriptions

EAP-Message (string): As defined in RFC 2869.

Message-Authenticator (string): As defined in RFC 2869. Always present even when not doing an EAP authentication. Length = 16 bytes.

State (string): As defined in RFC 2865.


Accounting Request attributes
This table lists all attributes supported in Accounting Request packets for each authentication type.

Attributes: Acct-Input-Gigawords, Acct-Input-Octets, Acct-Input-Packets, Acct-Output-Gigawords, Acct-Output-Octets, Acct-Output-Packets, Acct-Session-Id, Acct-Session-Time, Acct-Status-Type, Acct-Terminate-Cause, Called-Station-Id, Calling-Station-Id, Class, Framed-IP-Address, Framed-MTU, NAS-Identifier, NAS-Port, NAS-Port-Type, User-Name, Vendor-specific (Colubris) SSID
Authentication types: WPA / 802.1X, MAC-based

Descriptions



Acct-Input-Gigawords (32-bit unsigned integer): High 32-bit value of the number of octets/bytes received by the user. Only present when Acct-Status-Type is Interim-Update or Stop.
Acct-Input-Octets (32-bit unsigned integer): Low 32-bit value of the number of octets/bytes received by the user. Only present when Acct-Status-Type is Interim-Update or Stop.






Acct-Input-Packets (32-bit unsigned integer): Number of packets received by the user. Only present when Acct-Status-Type is Interim-Update or Stop.
Acct-Output-Gigawords (32-bit unsigned integer): High 32-bit value of the number of octets/bytes sent by the user. Only present when Acct-Status-Type is Interim-Update or Stop. As defined in RFC 2869.
Acct-Output-Octets (32-bit unsigned integer): Low 32-bit value of the number of octets/bytes sent by the user. Only present when Acct-Status-Type is Interim-Update or Stop.
Acct-Output-Packets (32-bit unsigned integer): Number of packets sent by the user. Only present when Acct-Status-Type is Interim-Update or Stop.
Acct-Session-Id (32-bit unsigned integer): Random value generated by the V-M200.
Acct-Session-Time (32-bit unsigned integer): Number of seconds since this session was authenticated.
Acct-Status-Type (32-bit unsigned integer): Supported values are Accounting-Start (1), Accounting-Stop (2), Accounting-On (7), and Accounting-Off (8).
Acct-Terminate-Cause (32-bit unsigned integer): Termination cause for the session. Only present when Acct-Status-Type is Stop. Supported causes are: Idle-Timeout, Lost-Carrier, Session-Timeout, and User-Request. See RFC 2866 for details.
Called-Station-Id (string): This value can be customized for each wireless community by setting the value of Called-Station-ID content (page 4-9). The format can be customized for each wireless community by setting the value of Station ID delimiter and Station ID MAC case (page 4-9).
Calling-Station-Id (string): The MAC address of the 802.1X client station. By default, the MAC address is sent in IEEE format. For example: 00-02-03-5E-32-1A. The format can be customized for each wireless community by setting the value of Station ID delimiter and Station ID MAC case (page 4-9).
Class (string): As defined in RFC 2865. Multiple instances are supported.
Framed-IP-Address (32-bit unsigned integer): IP address as configured on the client station (if known by the V-M200).
Framed-MTU (32-bit unsigned integer): Hard-coded value of 1496. The value is always four bytes lower than the wireless MTU maximum, which is 1500 bytes, in order to support IEEE 802.1X authentication.
NAS-Identifier (string): The NAS ID set on the Authentication > RADIUS profiles page for the profile being used.
NAS-Port (32-bit unsigned integer): A virtual port number starting at 1. Assigned by the V-M200.
NAS-Port-Type (32-bit unsigned integer): Always set to 19, which represents WIRELESS_802_11.
User-Name (string): The RADIUS username provided by the 802.1X client.
Vendor-specific (Colubris-AVPair SSID): SSID that the user is associated with.


The Colubris-AVPair attribute conforms to RADIUS RFC 2865. You may need to define this attribute on your RADIUS server (if it is not already present) using the following values:

SMI network management private enterprise code = 8744
Vendor-specific attribute type number = 0
Attribute type: A string in the following format <keyword>=<value>
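To show how the Colubris-AVPair definition above and the accounting attributes described earlier look on the wire, the following added example (not code from the HP guide) encodes and decodes RADIUS attributes and rebuilds the 64-bit byte counters from the Gigawords/Octets pairs. The keyword ssid, the sample values and all function names are assumptions; the attribute numbers are the standard ones from RFCs 2865, 2866 and 2869.

```python
import struct

COLUBRIS_VENDOR_ID = 8744    # SMI private enterprise code given in the guide
COLUBRIS_AVPAIR_TYPE = 0     # vendor-specific attribute type number given in the guide
VENDOR_SPECIFIC = 26         # RADIUS Vendor-Specific attribute (RFC 2865)

# Standard attribute numbers (RFCs 2865, 2866, 2869) for the fields decoded here.
INT_ATTRS = {12: "Framed-MTU", 40: "Acct-Status-Type", 42: "Acct-Input-Octets",
             43: "Acct-Output-Octets", 52: "Acct-Input-Gigawords",
             53: "Acct-Output-Gigawords", 61: "NAS-Port-Type"}
STR_ATTRS = {1: "User-Name", 30: "Called-Station-Id", 31: "Calling-Station-Id"}


def encode_attr(attr_type, value):
    """Encode one attribute as Type (1 byte), Length (1 byte), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def encode_colubris_avpair(keyword, value):
    """Wrap '<keyword>=<value>' in a Vendor-Specific attribute for vendor 8744."""
    text = f"{keyword}={value}".encode("ascii")
    sub = bytes([COLUBRIS_AVPAIR_TYPE, len(text) + 2]) + text
    return encode_attr(VENDOR_SPECIFIC, struct.pack("!I", COLUBRIS_VENDOR_ID) + sub)


def parse_colubris_avpairs(value, out):
    """Collect keyword=value pairs from one Vendor-Specific attribute value."""
    if len(value) < 6:
        raise ValueError("Vendor-Specific attribute too short")
    if struct.unpack("!I", value[:4])[0] != COLUBRIS_VENDOR_ID:
        return  # another vendor's attribute: ignore it
    pos = 4
    while pos < len(value):
        if pos + 2 > len(value):
            raise ValueError("truncated vendor sub-attribute")
        vtype, vlen = value[pos], value[pos + 1]
        if vlen < 2 or pos + vlen > len(value):
            raise ValueError("bad vendor sub-attribute length")
        if vtype == COLUBRIS_AVPAIR_TYPE:
            text = value[pos + 2:pos + vlen].decode("ascii", "replace")
            keyword, sep, val = text.partition("=")
            if not sep:
                raise ValueError("Colubris-AVPair is not <keyword>=<value>")
            out[keyword] = val
        pos += vlen


def parse_attributes(data):
    """Decode the attribute section of a RADIUS packet into a dictionary."""
    attrs = {"Colubris-AVPair": {}}
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError(f"bad length for attribute {attr_type}")
        value = data[pos + 2:pos + length]
        pos += length
        if attr_type in INT_ATTRS:
            if len(value) != 4:
                raise ValueError(f"attribute {attr_type} is not 32 bits")
            attrs[INT_ATTRS[attr_type]] = struct.unpack("!I", value)[0]
        elif attr_type in STR_ATTRS:
            attrs[STR_ATTRS[attr_type]] = value.decode("utf-8", "replace")
        elif attr_type == VENDOR_SPECIFIC:
            parse_colubris_avpairs(value, attrs["Colubris-AVPair"])
    return attrs


def summarize(attrs):
    """Rebuild 64-bit byte counters and flag values that differ from the guide."""
    warnings = []
    if attrs.get("NAS-Port-Type", 19) != 19:
        warnings.append("NAS-Port-Type is not 19 (WIRELESS_802_11)")
    if attrs.get("Framed-MTU", 1496) != 1496:
        warnings.append("Framed-MTU is not the hard-coded 1496")
    bytes_in = (attrs.get("Acct-Input-Gigawords", 0) << 32) | attrs.get("Acct-Input-Octets", 0)
    bytes_out = (attrs.get("Acct-Output-Gigawords", 0) << 32) | attrs.get("Acct-Output-Octets", 0)
    return {"bytes_in": bytes_in, "bytes_out": bytes_out, "warnings": warnings}


# Constructed sample: the attribute section of an Accounting-Request (Stop).
SAMPLE_ATTRS = b"".join([
    encode_attr(40, struct.pack("!I", 2)),      # Acct-Status-Type = Stop
    encode_attr(1, b"alice"),                   # User-Name (constructed)
    encode_attr(31, b"00-02-03-5E-32-1A"),      # Calling-Station-Id, IEEE format
    encode_attr(61, struct.pack("!I", 19)),     # NAS-Port-Type
    encode_attr(12, struct.pack("!I", 1496)),   # Framed-MTU
    encode_attr(52, struct.pack("!I", 1)),      # Acct-Input-Gigawords (high 32 bits)
    encode_attr(42, struct.pack("!I", 500)),    # Acct-Input-Octets (low 32 bits)
    encode_attr(43, struct.pack("!I", 1200)),   # Acct-Output-Octets
    encode_colubris_avpair("ssid", "Guest"),    # keyword "ssid" is an assumption
])

if __name__ == "__main__":
    decoded = parse_attributes(SAMPLE_ATTRS)
    print(decoded)
    print(summarize(decoded))
```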

Global 802.1X settings
Global 802.1X settings are configured by selecting Authentication > 802.1X. These settings apply to all 802.1X connections in all wireless communities. This includes connections made with WPA/WPA2 when using a RADIUS server for authentication.

Supplicant timeout
Specify the maximum length of time that the V-M200 will wait for a client station to respond to an EAPOL (Extensible Authentication Protocol over LAN) packet before resending it. (802.1X uses EAPOL for port access control.) If client stations are configured to manually enter the 802.1X username or password or both, increase the value of the timeout to 15 to 20 seconds.

Group key update
Enable this option to force updating of 802.1X group keys at the selected Key change interval.

Key change interval: Select the amount of time between updates to the group key.


Reauthentication
Enable this option to force 802.1X clients to reauthenticate.

Reauthentication interval: Specify the interval at which client stations must reauthenticate.

Block client traffic: When this option is disabled, client stations remain connected during reauthentication. Client traffic is blocked only when reauthentication fails. When this option is enabled, client traffic is blocked during reauthentication and is only reactivated if authentication succeeds.


Chapter 8: Creating WDS links

8 Creating WDS links
Contents
Key concepts
Configuration considerations
Simultaneous access point and WDS support
Using the 5 GHz band for WDS links
Quality of service
Spanning-tree protocol
Discovery protocols
Configuration considerations
WDS configuration settings
Settings
Security
Addressing
Sample WDS deployment

 


Key concepts
The Wireless Distribution System (WDS) feature enables you to create point-to-point wireless links between one or more V-M200s. These links create a wireless bridge that interconnects the networks connected to the Ethernet port on each V-M200. For example, V-M200 #2 and V-M200 #3 use the WDS to create a wireless link between the main office network and a small network in a warehouse.

[Figure: WDS wireless link between V-M200 #2 and V-M200 #3. Labels shown: Main office area, Warehouse, File server, DHCP server, Employee computers, Wireless community (twice), V-M200 #1.]

WDS links provide an effective solution for extending network coverage in situations where it is impractical or expensive to run cabling. Each V-M200 can create up to three WDS links.

Configuration considerations
The following guidelines apply when you create a WDS link between two or more V-M200s.

- The radios on all V-M200s must be set to the same operating frequency and channel. This means that on the Wireless > Radio page under Channel, you cannot select Automatic.
- The Ethernet ports for all V-M200s must be connected to the same subnet, and each V-M200 must have a unique IP address.
- If AES/CCMP security is enabled, the same key must be defined on all V-M200s.
- Although the V-M200 can support up to three WDS links, only one link can be defined between any two V-M200s.


Simultaneous access point and WDS support
The V-M200 can be configured to simultaneously support wireless communities and one or more WDS links. Although this offers flexibility, it does have the following limitations:

- The total available bandwidth on the radio is shared between all WDS links and wireless users. This can result in reduced throughput if lots of traffic is being sent by both wireless users and the WDS links. You can use the QoS feature to prioritize traffic. See Quality of service (QoS) on page 4-15 for details.
- The same radio options are used for both wireless clients and WDS links.

Using the 5 GHz band for WDS links
It is recommended that 802.11n or 802.11a in the 5 GHz band be used for WDS links whenever possible. This optimizes throughput and reduces the potential for interference.

Advantages
- Most Wi-Fi clients support 802.11b or b/g, therefore most APs are set to operate in the 2.4 GHz band. This frees the 5 GHz band for other applications such as WDS.
- 802.11a and 802.11n channels in the 5 GHz band are non-overlapping.
- Assuming an optimal implementation, 802.11a supports up to 54 Mbps and 802.11n supports up to 300 Mbps, providing a fat pipe for traffic exchange.

Limitations
- WDS links are not supported when the radio is configured in one of the following compatibility modes: 802.11n/a, 802.11n/g, or 802.11n/b/g. Since the same radio options must be used for both wireless clients and WDS links, support for 802.11b/g clients is not possible.
- The 5 GHz band has a shorter reach when compared to the 2.4 GHz band. This could be a factor depending on the distance your WDS links span.

Quality of service
The WDS feature enables you to define a quality of service (QoS) setting that will govern how traffic is sent on all WDS links. The QoS feature defines four traffic queues based on the Wi-Fi Multimedia (WMM) access categories. In order of priority, these queues are:

Queue  WMM access category  Typically used for
1      AC_VO                Voice traffic
2      AC_VI                Video traffic
3      AC_BE                Best effort data traffic
4      AC_BK                Background data traffic


Traffic on a WDS link is assigned to a queue based on the selected priority mechanism. Traffic delivery is based on strict priority (per the WMM standard). Therefore, if excessive traffic is present on queues 1 or 2, it will reduce the flow of traffic on queues 3 and 4. Regardless of the priority mechanism that is selected, traffic that cannot be classified by a priority mechanism is assigned to queue 3.

Note

When traffic is forwarded onto a WDS link from a wireless community, the QoS settings of the community take priority. For example, if you create a wireless community with a QoS setting of Community Based High, then traffic from this community will traverse the WDS link on queue 2, even if the QoS setting on the WDS link is Low (queue 4).

Priority mechanisms
Priority mechanisms are used to classify wireless community traffic and assign it to the appropriate queue. The following mechanisms are available:

802.1p
This mechanism classifies traffic based on the value of the VLAN priority field present within the VLAN header.

Queue  802.1p (VLAN priority field value)
1      6, 7
2      4, 5
3      0, 3
4      1, 2

Very High, High, Normal, Low
These mechanisms enable you to assign a specific priority level to all traffic.

Queue  Priority value
1      Very High
2      High
3      Normal
4      Low


Diffserv (Differentiated Services)
This mechanism classifies traffic based on the value of the Differentiated Services (DS) codepoint field in IPv4 and IPv6 packet headers (as defined in RFC2474). The codepoint is composed of the six most significant bits of the DS field.

Queue  DiffServ (DS codepoint value)
1      111000 (Network control), 110000 (Internetwork control)
2      101000 (Critical), 100000 (Flash override)
3      011000 (Flash), 000100 (Routine)
4      010000 (Immediate), 001000 (Priority)

Spanning-tree protocol
The Spanning-Tree Protocol (STP) can be used to prevent undesirable loops from occurring in the network that may result in decreased throughput. To enable STP for wireless links, see Bridge spanning tree protocol on page 6-9.

Discovery protocols
The V-M200 supports the Link Layer Discovery Protocol (LLDP) and the Cisco Discovery Protocol (CDP). These protocols provide a mechanism for the V-M200 to exchange information about its identity, capabilities, and interconnection with other devices on the network. When enabled, both protocols function across active WDS links. See Discovery protocols on page 6-7.

Configuration considerations
The following guidelines apply when you create a WDS link between two or more V-M200s.

- All radios must be set to the same operating frequency and channel. This means that on the Wireless > Radio page under Channel, you cannot select Automatic.
- The Ethernet ports for all V-M200s must be connected to the same subnet, and each V-M200 must have a unique IP address.
- If AES/CCMP security is enabled, the same key must be defined on all V-M200s.
- Although the V-M200 can support up to three WDS links, only one wireless link can be defined between any two V-M200s.


WDS configuration settings
To view or add a WDS link, select Wireless > WDS.

To configure a WDS link, select its name in the list. Or to add a WDS link, select Add WDS Link. In either case, the WDS link page opens.

Settings

Enabled/Disabled
Specify if the WDS link is enabled or disabled. Once a link is enabled, it actively attempts to establish the WDS connection to the remote V-M200. To view the status of the WDS connection, select Status > WDS.


Name
Name of the WDS link.

Speed
Sets the speed the link will operate at. For load balancing you may want to limit the speed of a link when connecting to multiple destinations. Select the Auto option to have the V-M200 automatically choose the speed that provides the best throughput (least number of errors).

Security

AES/CCMP security
Enables AES with CCMP encryption to secure traffic on the link. The V-M200 uses the key you specify in the Key field to generate the keys that encrypt the wireless data stream. Specify a key that is between 8 and 63 ASCII characters in length. It is recommended that the key be at least 20 characters long and be a mix of letters and numbers.

Addressing

Remote MAC address
Specify the MAC address of the wireless port on the remote V-M200 to which this link will connect. The MAC address must be in the following format: 12 hexadecimal numbers, with the values “a” to “f” in lowercase. For example: 0003520a0f01.

Local MAC address
Shows the MAC address of the wireless port on the V-M200. This address needs to be entered on the V-M200 to which this link will connect.

Sample WDS deployment
This example shows you how to create a wireless link between two physically separate network segments.

[Figure: V-M200 #1 and V-M200 #2 joined by a WDS wireless link. Labels shown: DHCP server, 192.168.5.10, 5.1, 5.15, 5.16, 192.168.5.20, 5.21, 5.22.]

This example assumes that both V-M200s have their IP addresses set and are connected to their respective networks as shown in the diagram.


A. Obtain the MAC address of V-M200 #2
1. Connect to the management tool on V-M200 #2. Open the home page and write down its MAC address.

B. Setup the WDS link on V-M200 #1
2. Open the management tool on V-M200 #1.
3. Select Wireless > Radio. The Radio configuration page opens.
   - Enable the Radio.
   - Set Operating mode to Access point and WDS bridge.
   - Set Wireless mode to 802.11n (5 GHz).
   - Set Channel to Channel 36.
   - Select Save.
4. Select Wireless > WDS.


5. Select Add WDS Link.
   Under Security:
   - Enable security.
   - Set Key to a39xm2.
   Under Addressing:
   - Set Remote MAC address to the MAC address of V-M200 #2.
   - Select Save.

 

C. Setup the WDS link on V-M200 #2
Configuration settings on V-M200 #2 are similar to those defined on V-M200 #1.
1. Open the management tool on the V-M200 #2.
2. Select Wireless > Radio. The Radio configuration page opens.
   - Enable the Radio.
   - Set Operating mode to Access point and WDS bridge.
   - Set Wireless mode to 802.11n (5 GHz).
   - Set Channel to Channel 36.
   - Select Save.
3. Select Wireless > WDS.


4. Select Add WDS Link.
   Under Security:
   - Enable AES/CCMP security.
   - Set Key to a39xm2.
   Under Addressing:
   - Set Remote MAC address to the MAC address of V-M200 #2.
   - Select Save.

D. Test the link and make performance adjustments
The WDS link should now be active.
1. Select Tools > Ping on V-M200 #1 and ping the address of V-M200 #2 (192.168.5.20). If the ping succeeds, it means that the WDS link is working.
2. Select Status > WDS. The WDS status page opens.
3. Select WDS link in the table. The WDS link status page opens.
4. Use the SNR value as a guide to adjust the antennas to obtain the best possible Tx Rate. A higher SNR value means a better quality radio link. After each change, allow a minimum of two minutes for Tx Rate to report its new value.
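A pre-deployment check for the settings used in this chapter, added here as an example (not HP code): it applies the stated rules for a WDS link (fixed and identical channel, unique IP addresses, a shared key of 8 to 63 ASCII characters, remote MAC address entered as 12 lowercase hexadecimal digits) to both ends of a link. The dictionary field names, the MAC addresses and the assignment of 192.168.5.10 to V-M200 #1 are assumptions; treating disabled AES/CCMP as a finding is this example's own policy.

```python
import re
import secrets
import string

MAC_12_HEX = re.compile(r"[0-9a-f]{12}")


def normalize_mac(mac):
    """Convert e.g. '00-03-52-0A-0F-01' to the 12-digit lowercase form WDS expects."""
    compact = re.sub(r"[-:.]", "", mac.strip()).lower()
    if not MAC_12_HEX.fullmatch(compact):
        raise ValueError(f"not a MAC address: {mac!r}")
    return compact


def has_letters_and_digits(key):
    return any(c.isalpha() for c in key) and any(c.isdigit() for c in key)


def check_wds_key(key):
    """Return (errors, warnings) for an AES/CCMP WDS key, per the Security section."""
    errors, warnings = [], []
    if not key.isascii():
        errors.append("key must contain only ASCII characters")
    if not 8 <= len(key) <= 63:
        errors.append(f"key length {len(key)} is outside 8-63 characters")
    elif len(key) < 20:
        warnings.append("key is shorter than the recommended 20 characters")
    if not has_letters_and_digits(key):
        warnings.append("key should mix letters and numbers")
    return errors, warnings


def generate_wds_key(length=32):
    """Generate a random key that meets the recommendation (20+ chars, letters and digits)."""
    if not 20 <= length <= 63:
        raise ValueError("length must be between 20 and 63")
    alphabet = string.ascii_letters + string.digits
    while True:
        key = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_letters_and_digits(key):
            return key


def check_wds_link(a, b):
    """Return a list of problems found in the settings of both ends of one WDS link."""
    problems = []
    for ap in (a, b):
        if ap["channel"] == "Automatic":
            problems.append(f"{ap['name']}: channel must be fixed, not Automatic")
        if ap["aes_ccmp"]:
            errors, _ = check_wds_key(ap["key"])
            problems += [f"{ap['name']}: {e}" for e in errors]
        else:
            # Policy of this example, not a rule from the guide.
            problems.append(f"{ap['name']}: AES/CCMP security is disabled")
    if a["channel"] != b["channel"]:
        problems.append("channels differ between the two ends")
    if a["ip"] == b["ip"]:
        problems.append("both ends use the same IP address")
    if a["aes_ccmp"] and b["aes_ccmp"] and a["key"] != b["key"]:
        problems.append("keys differ between the two ends")
    for local, peer in ((a, b), (b, a)):
        try:
            wanted = normalize_mac(peer["local_mac"])
            if normalize_mac(local["remote_mac"]) != wanted:
                problems.append(f"{local['name']}: remote MAC is not {peer['name']}'s MAC")
            elif local["remote_mac"] != wanted:
                problems.append(f"{local['name']}: enter remote MAC as {wanted}")
        except ValueError as exc:
            problems.append(f"{local['name']}: {exc}")
    return problems


# Constructed sample based on the walkthrough: channel 36, key a39xm2.
# MAC addresses are made up; the .10 address for V-M200 #1 is an assumption.
AP1 = {"name": "V-M200 #1", "ip": "192.168.5.10", "channel": "36", "aes_ccmp": True,
       "key": "a39xm2", "local_mac": "0003520a0f01", "remote_mac": "0003520a0f02"}
AP2 = {"name": "V-M200 #2", "ip": "192.168.5.20", "channel": "36", "aes_ccmp": True,
       "key": "a39xm2", "local_mac": "0003520a0f02", "remote_mac": "0003520a0f01"}

if __name__ == "__main__":
    for problem in check_wds_link(AP1, AP2):
        print("PROBLEM:", problem)
    print("Suggested key:", generate_wds_key())
```

Run against the walkthrough's key a39xm2, the check reports a length error on both ends, because six characters is below the 8-character minimum stated under Security.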


Chapter 9: Maintenance

9 Maintenance
Contents
Config file management
Backup configuration
Restore configuration
Reset configuration
Software updates

 


Config file management
The configuration file contains all the settings that customize the operation of the V-M200. You can save and restore the configuration file by selecting Maintenance > Config file management.

Backup configuration
The Backup configuration feature enables you to back up your configuration settings so that they can be easily restored in case of failure. Before you install new software, you should always back up your current configuration. Select Backup to start the process. You are prompted for the location in which to save the configuration file.

Note

The local username and password for the manager and operator accounts are not saved to the backup configuration file. If you restore a configuration file, the current manager and operator username and password are not overwritten.

Restore configuration
The Restore configuration feature enables you to load a previously saved configuration file. Use the following steps to restore a saved configuration file.
1. Select Maintenance > Config file management. The Config file management page opens.


2. Under Restore configuration, select Browse to navigate to the configuration file that you want to restore.
3. To upload the selected file to the V-M200, select Restore.

Note

The V-M200 automatically restarts when the upload is completed.

Reset configuration
See Appendix B: Resetting to factory defaults on page B-1.

Software updates
To update the V-M200 software, select Maintenance > Software updates.

Caution

- Before updating be sure to check for update issues in the Release Notes.
- Even though configuration settings are preserved during software updates, it is recommended that you back up your configuration settings before updating. See Config file management on page 9-2.
- At the end of the update process, the V-M200 automatically restarts, disconnecting all users. Once the V-M200 resumes operation, all users must reconnect.

To update the V-M200 software, Browse to the software file (with the extension .cim) and then select Install.


Appendix A: Regulatory statements

A Regulatory statements
Contents
Industry Canada statement
Conformité Européene — CE marking

 


Industry Canada statement
This device complies with RSS-210 of the Industry Canada Rules. Operation is subject to the following two conditions: (1) This device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation.

Industry Canada regulation
Operation is subject to two conditions:
1. This device must not cause interference, and
2. This device must accept any interference, including interference that may disturb the proper operation of this device.

IMPORTANT NOTE: Radiation Exposure Statement: This equipment complies with Canada radiation exposure limits set forth for an uncontrolled environment. This equipment should be installed and operated with minimum distance 20cm between the radiator & your body.

Conformité Européene — CE marking
Europe – EU Declaration of Conformity
This device complies with the essential requirements of the R&TTE Directive 1999/5/EC. The following test methods have been applied in order to prove presumption of conformity with the essential requirements of the R&TTE Directive 1999/5/EC:

EN60950-1: 2006 + A11: 2009
Safety of Information Technology Equipment

EN 50385: 2002
Product standard to demonstrate the compliance of radio base stations and fixed terminal stations for wireless telecommunication systems with the basic restrictions or the reference levels related to human exposure to radio frequency electromagnetic fields (110MHz - 40 GHz) - General public

EN 300 328 V1.7.1
Electromagnetic compatibility and Radio spectrum Matters (ERM); Wideband transmission systems; Data transmission equipment operating in the 2,4 GHz ISM band and using wide band modulation techniques; Harmonized EN covering essential requirements under article 3.2 of the R&TTE Directive

EN 301 893 V1.5.1
Broadband Radio Access Networks (BRAN); 5 GHz high performance RLAN; Harmonized EN covering essential requirements of article 3.2 of the R&TTE Directive

EN 301 489-1 V1.8.1


Electromagnetic compatibility and Radio Spectrum Matters (ERM); ElectroMagnetic Compatibility (EMC) standard for radio equipment and services; Part 1: Common technical requirements

EN 301 489-17 V2.1.1
Electromagnetic compatibility and Radio spectrum Matters (ERM); ElectroMagnetic Compatibility (EMC) standard for radio equipment and services; Part 17: Specific conditions for Broadband Data Transmission Systems

This device is a 2.4 GHz wideband transmission system (transceiver), intended for use in all EU member states and EFTA countries, except in France and Italy where restrictive use applies. In Italy the end-user should apply for a license at the national spectrum authorities in order to obtain authorization to use the device for setting up outdoor radio links and/or for supplying public access to telecommunications and/or network services. This device may not be used for setting up outdoor radio links in France and in some areas the RF output power may be limited to 10 mW EIRP in the frequency range of 2454 – 2483.5 MHz. For detailed information the end-user should contact the national spectrum authority in France.


Appendix B: Resetting to factory defaults

B Resetting to factory defaults
Contents
Factory reset procedures
Using the reset button
Using the management tool

 


Factory reset procedures
To force the V-M200 into its factory default state, follow the procedures in this section.

Caution

Resetting the V-M200 to factory defaults deletes all configuration settings, resets the manager user name and password to admin, and enables the DHCP client on the Ethernet port. If no DHCP server assigns an address to the V-M200, its address defaults to 192.168.1.1.

Using the reset button
Using a tool such as a paper clip, press and hold the reset button for a few seconds until the status lights blink three times.

Note

If you keep the reset button pressed for too long, the V-M200 will switch into maintenance mode as indicated by a rapid blinking of the status lights. If this occurs, power cycle the V-M200 and repeat the factory-default reset procedure.

Using the management tool
To reset the V-M200 to factory defaults, follow this procedure:
1. Launch the management tool (default https://192.168.1.1).
2. Select Maintenance > Config file management.
3. Under Reset configuration, click Reset.


 

 

Technology for better business outcomes To learn more, visit www.hp.com/networking © Copyright 2010 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP will not be liable for technical or editorial errors or omissions contained herein.

August 2010 Manual Part Number
