Introduction
This chapter contains information on the following:
Products Covered in this User Guide
This User Guide details functionality of the AP-4000 Series Access Points, consisting of the following:
- AP-4000: Tri-mode AP that supports: (The AP-4000 can be converted to an AP-4000M using Proxim's ORiNOCO Mesh Creation Protocol Software Kit.)
- AP-4000M: Tri-mode AP that supports:
- AP-4900M: Quad-mode AP that supports:
Document Conventions
- AP refers to an AP-4000, AP-4000M, or AP-4900M Access Point.
- AP Series refers to the AP-4000, AP-4000M and AP-4900M Access Points.
NOTE: Unless otherwise noted, screen captures in this User Guide are from the AP-4000.
- 802.11 is used to describe features that apply to the 802.11a, 802.11b, and 802.11g wireless standards.
- Blue underlined text indicates a link to a topic or Web address. If you are viewing this documentation on your computer, click the blue text to jump to the linked item.
- Text enclosed within triangle brackets, < >, should be replaced with a user-defined value.
- The following special notations are used:
NOTE: A note contains important information that helps you make better use of the AP or your computer.
CAUTION: A Caution indicates potential damage to hardware or loss of data.
WARNING: A Warning indicates imminent danger to hardware or loss of data.
Introduction to Wireless Networking
An Access Point extends the capability of an existing Ethernet network to devices on a wireless network. Wireless devices can connect to a single Access Point, or they can move between multiple Access Points located within the same vicinity. As wireless clients move from one coverage cell to another, they maintain network connectivity.
In a typical network environment (see Figure 1-1), the AP functions as a wireless network access point to data and voice networks. An AP network provides:
Mesh Networking (AP-4000M/4900M Only)
Using the ORiNOCO Mesh Creation Protocol (OMCP), the AP-4000M and AP-4900M support structured Mesh networking. For information on converting an AP-4000 into an AP-4000M to enable Mesh functionality, see ORiNOCO Mesh Creation Protocol Software Kit.
In a mesh network, access points use their wireless interface as a backhaul to the rest of the network. Access points connected directly to the wired infrastructure are called "portals;" mesh access points relay packets to other mesh access points to reach the portal, dynamically determining the best route over multiple "hops."
Mesh networks are self-configuring (a mesh access point will scan for other mesh access points periodically and choose the best path to the portal) and self-healing (the network will reconfigure data paths if an AP or link fails or becomes inactive).
Mesh Network Convergence
Mesh networks are formed when mesh APs on the same channel have the identical Mesh SSID, security settings, and management VLAN ID when VLAN is enabled. As these Mesh APs come online, they discover and set up links with each other to form the Mesh network.
Figure 1-2 Mesh Startup Topology Example - Step 1
In Figure 1-2, MP1 and MP9 are APs configured as Mesh portals, each on a different channel. When they are up and running, they will transmit beacons with a Mesh information element (IE) containing a Mesh SSID, and respond to probe requests that contain Mesh IEs with the same Mesh SSID.
To find Mesh connections, Mesh AP (MAP) 2 through 8 will scan all allowed channels, either actively or passively. In active scanning, the MAP sends a broadcast probe request; in passive scanning, the MAP listens for beacons. Active scanning is used in regulatory domains that do not use Dynamic Frequency Selection (DFS); passive scanning is used in DFS-controlled regulatory domains (see Dynamic Frequency Selection/Radar Detection (DFS/RD)). As other Mesh APs are discovered, MAP2 through MAP8 will build a neighbor table from the beacons and probe responses they receive. The neighbor table contains three kinds of links:
- Active: Link with a mesh neighbor that has gone through association and authentication, and the port is open.
- Connected: Link with a mesh neighbor that has gone through association and authentication, but the port is closed.
- Disconnected: Possible link to a mesh neighbor that has not gone through association and authentication.
From the neighbor table, MAP2 through MAP8 will select the best possible connection to the backbone network. This connection is the active link. If a link to the backbone on a different channel is significantly better than any on the current channel, then MAP2 through MAP8 will switch to a new channel and join the Mesh network on that channel.
In Figure 1-2 through Figure 1-4, the circles approximately indicate the range of the respective Mesh radios. As shown in these figures, MAP2 and MAP4 will discover Mesh Portal (MP) 1, and MAP7 and MAP8 will discover MP9. MAP3 is also within reach of MAP2 and MAP4, but they will not allow MAP3 to connect until they have established a Mesh link to the Mesh Portal.
Assume that links are established as shown in Figure 1-3. Solid lines indicate established links.
Figure 1-3 Mesh Startup Topology Example - Step 2
After the first Mesh links are formed, MAP2, MAP4, MAP7, and MAP8 will add the Mesh IE to their beacons and respond to probe requests with a Mesh IE containing the same Mesh SSID and security settings. Eventually MAP3 will find both MAP2 and MAP4 and will set up a Mesh link with the one that has the best path to the portal, say MAP2. Optimal paths have low "path costs"; path costs are calculated based on the number of hops to the portal, RSSI (relative signal strength), and medium occupancy.
Once MAP4 has established a path to the Mesh portal, MAP3 will also establish a Mesh link with MAP4, but that connection will remain inactive. It will only be used as a possible alternative uplink for MAP3, and at the same time as an alternative uplink for MAP4. If for some reason the link from MAP4 to MP1 fails, MAP4 can still reach the backbone via MAP3 and MAP2. The same goes for other MAPs that discover each other.
After a short while, the network in this example will look like Figure 1-4, where solid lines indicate active Mesh links and dotted lines indicate established but inactive Mesh links.
Figure 1-4 Mesh Startup Topology Example - Step 3
In this example, if MAP8 loses the Mesh link to MP9, MAP8 will immediately activate the Mesh link to MAP7. If the link to MAP7 has a higher path cost than a possible link to MAP4, which has the same Mesh SSID and security mode but is on a different channel, then MAP7 may decide to switch channels and establish and activate a link to MAP4.
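The neighbor-table states, the path-cost ranking, the channel-switch decision and the self-healing step described in the walk-through above can be followed in code. The example below is added to this guide; it is not Proxim's OMCP implementation. The guide names the three inputs to path cost (hops to the portal, RSSI, medium occupancy) but does not publish the formula, so the weights in path_cost, the switch_margin threshold, the field names and the MAP3 neighbor table are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

ACTIVE, CONNECTED, DISCONNECTED = "active", "connected", "disconnected"


@dataclass
class Neighbor:
    """One row of a Mesh AP's neighbor table (field names are this example's, not the AP's)."""
    name: str
    channel: int
    mesh_ssid: str
    security: str                  # "None" or "AES"; must match ours to form a link
    hops_to_portal: Optional[int]  # None: the neighbor has no path to a portal yet
    rssi: int                      # relative signal strength, higher is better
    occupancy: float               # fraction of airtime already busy, 0.0 to 1.0
    state: str = DISCONNECTED


def path_cost(n: Neighbor) -> float:
    """Hypothetical cost model. The guide says path cost depends on hops to the
    portal, RSSI and medium occupancy but does not publish the formula, so the
    weights here are assumptions. Lower is better; no path to a portal is infinite."""
    if n.hops_to_portal is None:
        return float("inf")
    hops = n.hops_to_portal + 1    # our own hop through this neighbor
    return hops * 10 + max(0, 60 - n.rssi) * 0.5 + n.occupancy * 20


def select_uplink(neighbors: List[Neighbor], my_ssid: str, my_security: str,
                  current_channel: int, switch_margin: float = 10.0) -> Optional[Neighbor]:
    """Choose the active link and mark the rest. Only neighbors with our Mesh SSID
    and security mode that already reach a portal are candidates. A candidate on a
    different channel wins only if it beats the best same-channel candidate by more
    than switch_margin, since winning means leaving the current Mesh network."""
    candidates = [n for n in neighbors
                  if n.mesh_ssid == my_ssid and n.security == my_security
                  and path_cost(n) != float("inf")]
    if not candidates:
        for n in neighbors:
            n.state = DISCONNECTED
        return None
    best_any = min(candidates, key=path_cost)
    best_same = min((n for n in candidates if n.channel == current_channel),
                    key=path_cost, default=None)
    chosen = best_any
    if best_same is not None and best_any.channel != current_channel:
        if path_cost(best_any) > path_cost(best_same) - switch_margin:
            chosen = best_same         # improvement too small to justify a channel switch
    candidate_ids = {id(n) for n in candidates}
    for n in neighbors:
        if n is chosen:
            n.state = ACTIVE
        elif id(n) in candidate_ids:
            n.state = CONNECTED        # established but inactive: kept as an alternative uplink
        else:
            n.state = DISCONNECTED
    return chosen


def fail_link(neighbors: List[Neighbor], failed: str, my_ssid: str, my_security: str,
              current_channel: int, switch_margin: float = 10.0) -> Optional[Neighbor]:
    """Self-healing: the neighbor named `failed` no longer offers a path; re-select."""
    for n in neighbors:
        if n.name == failed:
            n.hops_to_portal = None
    return select_uplink(neighbors, my_ssid, my_security, current_channel, switch_margin)


def map3_neighbor_table() -> List[Neighbor]:
    """Constructed view from MAP3 at the point of Figure 1-3: MAP2 and MAP4 reach
    MP1 in one hop, MAP5 has no uplink yet, and one neighbor belongs to another Mesh."""
    return [
        Neighbor("MAP2", 36, "mesh-net", "AES", hops_to_portal=1, rssi=55, occupancy=0.2),
        Neighbor("MAP4", 36, "mesh-net", "AES", hops_to_portal=1, rssi=50, occupancy=0.1),
        Neighbor("MAP5", 36, "mesh-net", "AES", hops_to_portal=None, rssi=58, occupancy=0.0),
        Neighbor("OTHER", 36, "guest-mesh", "AES", hops_to_portal=0, rssi=70, occupancy=0.0),
    ]


if __name__ == "__main__":
    table = map3_neighbor_table()
    print("active uplink:", select_uplink(table, "mesh-net", "AES", 36).name)
    print("after MAP2 fails:", fail_link(table, "MAP2", "mesh-net", "AES", 36).name)
```

Running it reproduces the narrative: MAP3 activates the link to MAP2 (lower cost), keeps MAP4 as an established but inactive link, ignores MAP5 (no path yet) and the foreign-SSID neighbor, and fails over to MAP4 the moment the MAP2 path disappears. A portal heard on another channel is only worth a channel switch when its cost advantage exceeds the margin.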
Mesh Network Configuration
In the AP-4000M/4900M, either of the wireless interfaces may be configured for Mesh functionality, with the following considerations in mind:
- To form or join a Mesh network, Mesh APs must have identical Mesh SSIDs and security modes (None or AES).
- All Mesh APs connected to a Portal must be on the same channel. The channel used by the Mesh Portal will determine the channel used by all of its connected Mesh APs.
- Mesh APs must have static IP addresses, as the DHCP client will not function on wireless interfaces.
- On Mesh APs, Mesh and WDS functionality cannot co-exist on the same wireless interface. Mesh and WDS can co-exist on Mesh Portals.
- The maximum number of downlinks from a Mesh Portal to Mesh APs in the tree is 32. Proxim recommends a maximum of 30-40 APs total per portal (whether connected directly to the Portal or to another Mesh AP) for an average per-client throughput of 300-500 Kbps. This recommendation is based on the following assumptions:
- 18 Mbps throughput is available at the portal (max is 25 Mbps, but rates decrease as distance between APs increases).
- 20 wireless clients are supported per AP.
- Average utilization (time that a client is actually transferring data) is 10%.
If the conditions on your network are different than the assumptions above, then the maximum number of APs should be adjusted accordingly.
NOTE: Clients whose traffic must traverse multiple hops in order to reach the portal will have lower throughput than clients whose traffic traverses fewer hops.
- Although this solution is designed to be flexible and have a short convergence time after a topology change, it is not recommended for high-speed roaming or a highly dynamic environment. Typical roaming times are as follows:
- The Mesh network assumes that the uplink to the backbone will be provided by Mesh only.
NOTE: To avoid loops, the administrator should not configure alternate links to the backbone through Ethernet or WDS connections.
- Mesh APs will avoid loops caused by Mesh links; similarly, Spanning Tree will detect and correct loops caused by WDS and wired links.
NOTE: Neither Mesh APs nor Spanning Tree will detect loops caused by a mixture of Mesh and WDS/wired links. Administrators should avoid any such scenario while deploying Mesh.
- When VLAN is enabled, all APs in a Mesh network must have the same Management VLAN ID.
For information on configuring Mesh using the HTTP interface, see Mesh (AP-4000M and AP-4900M Only). For information on configuring Mesh using the Command Line Interface (CLI), see Mesh Network Parameters in the Command Line Interface chapter.
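Most of the configuration considerations listed above are consistency rules across a set of APs, and a misconfigured AP simply never joins the Mesh (or joins on the wrong channel), which is slow to diagnose on site. The checker below is an added example, not a Proxim tool, that applies the guide's rules to a planned deployment before the APs are touched: identical Mesh SSID and security mode (None or AES), same channel as the portal each AP uplinks to, static IP on Mesh APs, no WDS on a Mesh AP's Mesh interface, a single Management VLAN ID when VLAN is enabled, and no more than 32 Mesh APs under one portal. The MeshRadio field names and the sample plan are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_PORTAL_DOWNLINKS = 32   # guide: at most 32 downlinks from a Mesh Portal's tree


@dataclass
class MeshRadio:
    """Planned Mesh settings of one AP's wireless interface (field names are this example's)."""
    ap: str
    role: str                       # "portal" or "mesh_ap"
    mesh_ssid: str
    security: str                   # "None" or "AES"
    channel: int
    static_ip: Optional[str]        # None: the AP would rely on DHCP
    wds_enabled: bool               # WDS configured on the same wireless interface
    vlan_enabled: bool
    mgmt_vlan_id: Optional[int]
    uplink: Optional[str] = None    # AP this one links to; None for a portal


def portal_of(r: MeshRadio, by_name: Dict[str, MeshRadio]) -> Optional[MeshRadio]:
    """Follow uplinks to the portal; None if the chain is broken or loops."""
    seen = set()
    cur = r
    while cur.role != "portal":
        if cur.ap in seen or cur.uplink not in by_name:
            return None
        seen.add(cur.ap)
        cur = by_name[cur.uplink]
    return cur


def validate_mesh_plan(radios: List[MeshRadio]) -> List[str]:
    """Return one message per violated rule from the guide's list (empty list = consistent)."""
    problems: List[str] = []
    by_name = {r.ap: r for r in radios}
    ref = radios[0]                          # every AP is compared against the first one
    downlinks: Dict[str, int] = {}
    for r in radios:
        if r.security not in ("None", "AES"):
            problems.append(f"{r.ap}: Mesh security mode must be None or AES, got {r.security!r}")
        if r.mesh_ssid != ref.mesh_ssid:
            problems.append(f"{r.ap}: Mesh SSID {r.mesh_ssid!r} differs from {ref.ap}'s {ref.mesh_ssid!r}")
        if r.security != ref.security:
            problems.append(f"{r.ap}: security mode {r.security} differs from {ref.ap}'s {ref.security}")
        if r.role == "mesh_ap":
            if r.static_ip is None:
                problems.append(f"{r.ap}: Mesh APs need a static IP (DHCP client does not run on wireless interfaces)")
            if r.wds_enabled:
                problems.append(f"{r.ap}: Mesh and WDS cannot co-exist on the same interface of a Mesh AP")
            portal = portal_of(r, by_name)
            if portal is None:
                problems.append(f"{r.ap}: no uplink path to a Mesh Portal")
            else:
                downlinks[portal.ap] = downlinks.get(portal.ap, 0) + 1
                if r.channel != portal.channel:
                    problems.append(f"{r.ap}: channel {r.channel} differs from portal {portal.ap}'s channel {portal.channel}")
    vlan_ids = {r.mgmt_vlan_id for r in radios if r.vlan_enabled}
    if len(vlan_ids) > 1:
        problems.append(f"Management VLAN IDs differ across VLAN-enabled APs: {sorted(vlan_ids, key=str)}")
    for portal, count in downlinks.items():
        if count > MAX_PORTAL_DOWNLINKS:
            problems.append(f"{portal}: {count} Mesh APs in its tree exceeds the limit of {MAX_PORTAL_DOWNLINKS}")
    return problems


def sample_plan() -> List[MeshRadio]:
    """Constructed plan with several deliberate mistakes (WDS on the portal is allowed)."""
    return [
        MeshRadio("MP1", "portal", "mesh-net", "AES", 36, "10.0.0.1", wds_enabled=True, vlan_enabled=True, mgmt_vlan_id=10),
        MeshRadio("MAP2", "mesh_ap", "mesh-net", "AES", 36, "10.0.0.2", False, True, 10, uplink="MP1"),
        MeshRadio("MAP3", "mesh_ap", "mesh-net", "AES", 40, "10.0.0.3", False, True, 10, uplink="MAP2"),   # wrong channel
        MeshRadio("MAP4", "mesh_ap", "mesh-net", "AES", 36, None, True, True, 20, uplink="MP1"),          # DHCP, WDS, VLAN 20
        MeshRadio("MAP5", "mesh_ap", "mesh-net", "None", 36, "10.0.0.5", False, True, 10, uplink="MAP9"), # security mismatch, dangling uplink
    ]


if __name__ == "__main__":
    for line in validate_mesh_plan(sample_plan()):
        print(line)
```

The downlink limit is the hard figure the guide gives; the 30-40 AP throughput recommendation depends on the stated traffic assumptions, so it is left to the planner rather than encoded as a rule.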
Guidelines for Roaming
- Typical voice network cell coverages vary based on environment. Proxim recommends having a site survey done professionally to ensure optimal performance. For professional site surveyors, Ekahau™ Site Survey software is included in the Xtras folder of the Installation CD.
- An AP can only communicate with client devices that support its wireless standards.
- All Access Points must have the same Network Name to support client roaming.
- All workstations with an 802.11 client adapter installed must use either a Network Name of "any" or the same Network Name as the Access Points that they will roam between. If an AP has Closed System enabled, a client must have the same Network Name as the Access Point to communicate (see Reboot the AP.).
- All Access Points and clients must have matching security settings to communicate.
- The Access Points' cells should overlap to ensure that there are no gaps in coverage and to ensure that the roaming client will always have a connection available. To ensure optimal AP placement, Proxim recommends having a professional site survey done. To facilitate the automation of this placement, site surveyors may use the Ekahau™ Site Survey software included in the Xtras folder of the Installation CD.
- An 802.11a/4.9 or 802.11b/g AP operates at faster data rates than the 802.11b AP. 802.11a/4.9 and 802.11g products operate at speeds of up to 54 Mbits/sec; 802.11b products operate at speeds of up to 11 Mbits/sec.
- All Access Points in the same vicinity should use a unique, independent channel. By default, the AP automatically scans for available channels during boot-up but you can also set the channel manually (see Interfaces for details).
- Access Points that use the same channel should be installed as far away from each other as possible to reduce potential interference.
- If a Mesh AP switches to a new uplink, by default it will send a deauthentication message to clients connected to it. Administrators can prevent the sending of this message by disabling the "sendclientdeathmessage" parameter in the Command Line Interface. See Mesh Network Parameters in the Command Line Interface (CLI) chapter.
- In countries that require passive scanning for Mesh, the roam time may be higher.
- When an AP-4000M/4900M is mounted in a vehicle and is being used in a Mesh network, there will be limited connectivity when the vehicle is moving.
IEEE 802.11 Specifications
In 1997, the Institute of Electrical and Electronics Engineers (IEEE) adopted the 802.11 standard for wireless devices operating in the 2.4 GHz frequency band. This standard includes provisions for three radio technologies: direct sequence spread spectrum, frequency hopping spread spectrum, and infrared. Devices that comply with the 802.11 standard operate at a data rate of either 1 or 2 Megabits per second (Mbits/sec).
In 1999, the IEEE modified the 802.11 standard to support direct sequence devices that can operate at speeds of up to 11 Mbits/sec. The IEEE ratified this standard as 802.11b. 802.11b devices are backwards compatible with 2.4 GHz 802.11 direct sequence devices (that operate at 1 or 2 Mbits/sec). Available Frequency Channels vary by regulatory domain and/or country. See Available Channels for details.
Also in 1999, the IEEE modified the 802.11 standard to support devices operating in the 5 GHz frequency band. This standard is referred to as 802.11a. 802.11a devices are not compatible with 2.4 GHz 802.11 or 802.11b devices. 802.11a radios use a radio technology called Orthogonal Frequency Division Multiplexing (OFDM) to achieve data rates of up to 54 Mbits/sec. Available Frequency Channels vary by regulatory domain and/or country. See Available Channels for details.
In 2003, the IEEE introduced the 802.11g standard. 802.11g devices operate in the 2.4 GHz frequency band using OFDM to achieve data rates of up to 54 Mbits/sec. In addition, 802.11g devices are backwards compatible with 802.11b devices. Available Frequency Channels vary by regulatory domain and/or country. See Available Channels for details.
Management and Monitoring Capabilities
There are several management and monitoring interfaces available to the network administrator to configure and manage an AP on the network:
HTTP/HTTPS Interface
The HTTP Interface (Web browser Interface) provides easy access to configuration settings and network statistics from any computer on the network. You can access the HTTP Interface over your LAN (switch, hub, etc.), over the Internet, or with a "crossover" Ethernet cable connected directly to your computer's Ethernet Port.
HTTPS provides an HTTP connection over a Secure Sockets Layer. HTTPS is one of three available secure management options on the AP; the other secure management options are SNMPv3 and SSH. Enabling HTTPS allows the user to access the AP in a secure fashion using Secure Sockets Layer (SSL) over port 443. The AP supports SSLv3 with a 128-bit encryption certificate maintained by the AP for secure communications between the AP and the HTTP client. All communications are encrypted using the server and the client-side certificate.
The AP comes with all required SSL files pre-installed: the default certificate, the private key, and the SSL Certificate Passphrase.
Command Line Interface
The Command Line Interface (CLI) is a text-based configuration utility that supports a set of keyboard commands and parameters to configure and manage an AP.
Users enter Command Statements, composed of CLI Commands and their associated parameters. Statements may be issued from the keyboard for real time control, or from scripts that automate configuration.
For example, when downloading a file, administrators enter the download CLI Command along with IP Address, file name, and file type parameters.
You access the CLI over a HyperTerminal serial connection or via Telnet. During initial configuration, you can use the CLI over a serial port connection to configure an Access Point's IP address. When accessing the CLI via Telnet, you can communicate with the Access Point from over your LAN (switch, hub, etc.), from over the Internet, or with a "crossover" Ethernet cable connected directly to your computer's Ethernet Port. See Command Line Interface (CLI) for more information on the CLI and for a list of CLI commands and parameters.
SNMP Management
In addition to the HTTP and the CLI interfaces, you can also manage and configure an AP using the Simple Network Management Protocol (SNMP). Note that this requires an SNMP manager program, like HP Openview or Castlerock's SNMPc. The AP supports several Management Information Base (MIB) files that describe the parameters that can be viewed and/or configured over SNMP:
Proxim provides these MIB files on the CD-ROM included with each Access Point. You need to compile one or more of the above MIBs into your SNMP program's database before you can manage an Access Point using SNMP. See the documentation that came with your SNMP manager for instructions on how to compile MIBs.
The Enterprise MIB defines the read and read-write objects that can be viewed or configured using SNMP. These objects correspond to most of the settings and statistics that are available with the other management interfaces. See the Enterprise MIB for more information; the MIB can be opened with any text editor, such as Microsoft Word, Notepad, or WordPad.
SNMPv3 Secure Management
SNMPv3 is based on the existing SNMP framework, but addresses security requirements for device and network management.
The security threats addressed by Secure Management are:
- Modification of information: An entity could alter an in-transit message generated by an authorized entity in such a way as to effect unauthorized management operations, including the setting of object values. The essence of this threat is that an unauthorized entity could change any management parameter, including those related to configuration, operations, and accounting.
- Masquerade: Management operations that are not authorized for some entity may be attempted by that entity by assuming the identity of an authorized entity.
- Message stream modification: SNMP is designed to operate over a connectionless transport protocol. There is a threat that SNMP messages could be reordered, delayed, or replayed (duplicated) to effect unauthorized management operations. For example, a message to reboot a device could be copied and replayed later.
- Disclosure: An entity could observe exchanges between a manager and an agent and thereby could learn of notifiable events and the values of managed objects. For example, the observation of a set command that changes passwords would enable an attacker to learn the new passwords.
To address the security threats listed above, SNMPv3 provides the following when secure management is enabled:
The default SNMPv3 username is administrator, with SHA as the authentication protocol and DES as the privacy protocol.
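The four threats listed above map onto concrete checks an SNMPv3 receiver performs, and the default user's SHA authentication protocol is the piece that defeats two of them. The model below is added to this guide as an illustration and is not the AP's SNMP agent: the key derivation and localization follow RFC 3414 (password stretched and hashed with SHA-1, then bound to the engine ID) and the tag is HMAC-SHA-96, but the length-prefixed wire format is this example's own rather than SNMP's BER encoding, DES privacy is left out, and the duplicate cache is an addition beyond the 150-second timeliness window that USM itself specifies. The engine ID, password and messages are constructed sample values.

```python
import hashlib
import hmac
import struct
from typing import Callable, Dict

AUTH_TAG_LEN = 12     # HMAC-SHA-96 keeps the first 12 bytes of HMAC-SHA-1 (RFC 3414)
TIME_WINDOW = 150     # seconds; RFC 3414's timeliness window


def localized_key(password: bytes, engine_id: bytes) -> bytes:
    """RFC 3414 A.2.2: stretch the password to 1 MiB, hash it, then bind the key
    to one engine so a key recovered from one agent is useless on another."""
    reps, rem = divmod(1_048_576, len(password))
    ku = hashlib.sha1(password * reps + password[:rem]).digest()
    return hashlib.sha1(ku + engine_id + ku).digest()


def encode(engine_id, boots, time_, msg_id, user, payload, tag=b"\x00" * AUTH_TAG_LEN):
    """Toy wire format: 2-byte length prefix per field (this example's, not SNMP's BER)."""
    fields = [engine_id, struct.pack(">II", boots, time_), struct.pack(">I", msg_id), user, tag, payload]
    return b"".join(struct.pack(">H", len(f)) + f for f in fields)


def decode(msg: bytes):
    out, i = [], 0
    while i < len(msg):
        (n,) = struct.unpack(">H", msg[i:i + 2])
        out.append(msg[i + 2:i + 2 + n])
        i += 2 + n
    engine_id, boots_time, msg_id, user, tag, payload = out
    boots, time_ = struct.unpack(">II", boots_time)
    (msg_id,) = struct.unpack(">I", msg_id)
    return engine_id, boots, time_, msg_id, user, tag, payload


def sign(key, engine_id, boots, time_, msg_id, user, payload) -> bytes:
    """Manager side: HMAC over the message with the tag field zeroed, then fill the tag in."""
    unsigned = encode(engine_id, boots, time_, msg_id, user, payload)
    tag = hmac.new(key, unsigned, hashlib.sha1).digest()[:AUTH_TAG_LEN]
    return encode(engine_id, boots, time_, msg_id, user, payload, tag)


class UsmAgent:
    """Receiving side (the AP): the checks that answer the four threats."""

    def __init__(self, engine_id: bytes, boots: int, clock: Callable[[], int], users: Dict[bytes, bytes]):
        self.engine_id, self.boots, self.clock = engine_id, boots, clock
        self.keys = {u: localized_key(pw, engine_id) for u, pw in users.items()}
        self.seen = set()       # (boots, time, msg_id) already accepted inside the window

    def receive(self, msg: bytes) -> str:
        engine_id, boots, time_, msg_id, user, tag, payload = decode(msg)
        key = self.keys.get(user)
        if engine_id != self.engine_id or key is None:
            return "reject: unknown engine or user"       # masquerade as a non-existent user
        unsigned = encode(engine_id, boots, time_, msg_id, user, payload)
        expected = hmac.new(key, unsigned, hashlib.sha1).digest()[:AUTH_TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return "reject: authentication failed"        # modification, or masquerade without the key
        if boots != self.boots or abs(self.clock() - time_) > TIME_WINDOW:
            return "reject: not in time window"           # delayed message
        if (boots, time_, msg_id) in self.seen:
            return "reject: replay"                        # duplicated message
        self.seen.add((boots, time_, msg_id))
        return "accept: " + payload.decode()


if __name__ == "__main__":
    engine = b"\x80\x00\x00\x00\x01example-ap"             # constructed engine ID
    agent = UsmAgent(engine, 3, lambda: 1000, {b"administrator": b"correct horse battery"})
    key = localized_key(b"correct horse battery", engine)
    msg = sign(key, engine, 3, 1000, 1, b"administrator", b"SET sysName=ap1")
    print(agent.receive(msg))
    print(agent.receive(msg))
```

Disclosure, the fourth threat, is what the privacy protocol (DES on the default user) addresses; the authentication tag alone leaves the payload readable on the wire.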
SSH (Secure Shell) Management
You may also securely manage the AP using SSH (Secure Shell). The AP supports SSH version 2 for secure remote CLI (Telnet) sessions. SSH provides strong authentication and encryption of session data.
The SSH server (the AP) has a host key pair: a private key that resides on the AP and a public key that is distributed to clients that need to connect to the AP. Because the client knows the server's host key, it can verify that it is communicating with the correct SSH server.
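The verification step just described only works if the client compares the key the AP presents against a copy it obtained out of band, rather than accepting whatever key appears on first connection. The example below is added to this guide and is not part of the AP's SSH implementation or of any SSH client: it parses an OpenSSH-format public key line (the form used in known_hosts files), computes the same SHA256 fingerprint that ssh-keygen -l prints, and accepts a presented key only when its fingerprint matches the pinned one. The ssh-ed25519 key material is constructed from a hash so the block runs offline; it is not a real host key.

```python
import base64
import hashlib
import hmac
import struct
from typing import Tuple


def ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def parse_openssh_pubkey(line: str) -> Tuple[str, bytes]:
    """Parse one '<type> <base64 blob> [comment]' line (known_hosts / authorized_keys form)
    and check that the type embedded in the blob matches the declared type."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64 blob>'")
    key_type, blob = parts[0], base64.b64decode(parts[1], validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type inside blob does not match declared type")
    return key_type, blob


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the form ssh-keygen -l prints: unpadded base64 of the digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def verify_host_key(presented_line: str, pinned_fingerprint: str) -> bool:
    """Client-side check: accept the server only if the key it presents matches the
    fingerprint distributed to the client out of band."""
    _, blob = parse_openssh_pubkey(presented_line)
    return hmac.compare_digest(fingerprint(blob), pinned_fingerprint)


def constructed_ed25519_key(seed: int, comment: str = "ap-example") -> str:
    """Build a syntactically valid ssh-ed25519 public key line around a fake 32-byte key
    (constructed for this example; not a real AP's host key)."""
    fake_pub = hashlib.sha256(b"example-host-key-%d" % seed).digest()   # 32 bytes, not a real key
    blob = ssh_string(b"ssh-ed25519") + ssh_string(fake_pub)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment


if __name__ == "__main__":
    distributed = constructed_ed25519_key(1)                 # what the administrator handed out
    pinned = fingerprint(parse_openssh_pubkey(distributed)[1])
    print("pinned:", pinned)
    print("genuine AP:", verify_host_key(constructed_ed25519_key(1, "ap-live"), pinned))
    print("other key :", verify_host_key(constructed_ed25519_key(2), pinned))
```

The comment field is ignored on purpose: only the key blob identifies the server. A mismatch against the pinned fingerprint is the signal that the client is not talking to the expected AP and should not continue.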