Configuration

This chapter describes configuring the unit's settings using the unit's Web Interface.

Help and Exit buttons also appear on each page of the Web interface; click the Help button to access online help; click the Exit button to exit the application.

System Parameters

The System configuration page lets you change the unit's System Name, Location, Mode of Operation, and so on. These details help you to distinguish the unit from other routers and let you know whom to contact in case you experience problems.

Click the Configure button and the System tab; the following window is displayed.

System Name: This is the system name for easy identification of the BSU or SU. The System Name field is limited to a length of 32 bytes. Use the system name of a BSU to configure the Base Station System Name parameter on an SU if you want the SU to register only with this BSU. If the Base Station System Name is left blank on the SU, it can register with any Base Station that has a matching Network Name and Network Secret.

Country: The Dynamic Frequency Selection (DFS) is enabled automatically when you choose a country with a regulatory domain that requires it. The Country selection pre-selects and displays only the allowed frequencies for the selected country.

Click Configure > Interfaces > Wireless to see the channel/frequency list for the selected Country.

NOTE: Units sold in the United States are pre-configured to scan and display only the outdoor frequencies permitted by the FCC. No other Country selections, channels, or frequencies can be configured. Units sold outside of the United States and Canada support the selection of a Country by the professional installer. If you change the Country, a reboot of the unit is necessary for the upgrade to take place.

Dynamic Frequency Selection is not supported in 2.4 GHz operational mode; it is supported on Model 5054-R units only.

Support for the 5.25 - 5.35 GHz and 5.725 - 5.825 GHz frequency bands is provided with a single country selection, UNITED STATES (US), which does not provide DFS capability in these frequency bands.

For a non US-only device, the default country selected is United Kingdom (GB).

Note the following:

The channel center frequencies are not regulated; only the band edge frequencies are regulated.

If, before upgrade, US was selected as a country for a non US-Only device (which is an incorrect configuration), the country is changed automatically to United Kingdom upon upgrade.

See Country Codes and Channels for a list of country codes.

Location: This field can be used to describe the location of the unit, for example "Main Lobby."

Contact Name, Contact Email, and Contact Phone: In these fields, you can enter the details of the person to contact.

Mode of Operation: This field sets the unit as bridge (layer 2) or as router (layer 3). See Bridge and Routing Modes for more information.

ObjectID: This field shows the OID of the product name in the MIB.

Ethernet MAC Address: The MAC address of the Ethernet interface of the device.

Descriptor: Shows the product name and firmware build version.

Up Time: The length of time the device has been up and running since the last reboot.

Bridge and Routing Modes

Bridge Mode

A bridge is a product that connects a local area network (LAN) to another local area network that uses the same protocol (for example, Ethernet). You can envision a bridge as being a device that decides whether a message from you to someone else is going to the local area network in your building or to someone on the local area network in the building across the street. A bridge examines each message on a LAN, passing those known to be within the same LAN, and forwarding those known to be on the other interconnected LAN (or LANs).

In bridging networks, computer or node addresses have no specific relationship to location. For this reason, messages are sent out to every address on the network and accepted only by the intended destination node. Bridges learn which addresses are on which network and develop a learning table so that subsequent messages can be forwarded to the correct network.

Bridging networks are generally always interconnected LANs since broadcasting every message to all possible destination would flood a larger network with unnecessary traffic. For this reason, router networks such as the Internet use a scheme that assigns addresses to nodes so that a message or packet can be forwarded only in one general direction rather than forwarded in all directions.

A bridge works at the data-link (physical) layer of a network, copying a data packet from one network to the next network along the communications path.

This mode works if you do not use source routing in your network. If your network is configured to use source routing, then you should use either Multi-Ring SRTB or Single-Ring SRTB mode.

In Multi-Ring SRTB mode, each unit must be configured with the Bridge number, Radio Ring number, and Token Ring number. The Radio Ring number is unique for each Token Ring Access Point and the Bridge number is unique for each Token Ring Access Point on the same Token Ring segment.

Alternatively, you may use the Single-Ring SRTB mode. In this mode, only the Token Ring number is required for configuration.

Routing Mode

Routing mode can be used by customers seeking to segment their outdoor wireless network using routers instead of keeping a transparent or bridged network. By default the unit is configured as a bridge device, which means traffic between different outdoor locations can be seen from any point on the network.

By switching to routing mode, your network now is segmented by a layer 3 (IP) device. By using Routing mode, each network behind the BSU and SUs can be considered a separate network with access to each controlled through routing tables.

The use of a router on your network also blocks the retransmission of broadcast and multicast packets on your networks, which can help to improve the performance on your outdoor network in larger installations.

The use of Routing mode requires more attention to the configuration of the unit and thorough planning of the network topology of your outdoor network. The unit can use Routing mode in any combination of BSU and SUs. For example, you may have the BSU in Routing mode and the SU in Bridge mode, or vice versa.

When using Routing mode, pay close attention to the configuration of the default gateway both on your unit and on your PCs and servers. The default gateway controls where packets with unknown destinations (Internet) should be sent. Be sure that each device is configured with the correct default gateway for the next hop router. Usually this is the next router on the way to your connection to the Internet. You can configure routes to other networks on your Intranet through the addition of static routes in your router's routing table.

Key Reasons to Use Routing Mode

One key reason why customers would use Routing mode is to implement virtual private networks (VPNs) or to let nodes behind two different SUs communicate with each other. Many customers do this same thing in Bridging mode by using secondary interfaces on the router at the BSU or virtual interfaces at the BSU in VLAN mode to avoid some of the drawbacks of IP Routing mode.

Routing mode prevents the transport of non-IP protocols, which may be desirable for Service Providers.

Routing mode is usually more efficient because Ethernet headers are not transported and non-IP traffic is blocked.

Benefits of using Routing Mode

Enabling RIP makes the unit easier to manage for a Service Provider that uses RIP to dynamically manage routes. RIP is no longer very common for Service Providers or Enterprise customers and an implementation of a more popular routing protocol like OSPF would be desirable.

Routing mode saves bandwidth by not transporting non-IP protocols users might have enabled, like NetBEUI or IPX/SPX, which eliminates the transmission of broadcasts and multicasts.

The MAC header is:

Destination MAC: 6 bytes

Source MAC: 6 bytes

Ethernet Type: 2 bytes

If the average packet size is 1000 bytes, the overhead saved is 1.5%; With a frame size of 64 bytes, the overhead saved is 20%; and for frame sizes of 128 bytes, the saving is 10%. Network researches claim that most network traffic consists of frames smaller than 100 bytes.

In order to support routers behind the SUs with multiple subnets and prevent routing loops, you want individual routes (and more than one) per SU.

Routing Mode Examples

In the first example, both the BSU and the SUs are configured for Routing mode. This example is appropriate for businesses connecting remote offices that have different networks.

In example 2, the BSU is in Routing mode and the SUs are in Bridge mode. Notice the PCs behind the SUs must configure their default gateways to point to the BSU, not the SU.

One of the most important details to pay attention to in Routing mode are the unit's and the PC's default gateways. It is a common mistake to set up the PC's gateway to point to the SU when the SU is in Bridge mode and the BSU is in Routing mode. Always check to make sure the PCs on your network are configured to send their IP traffic to the correct default gateway.

Be sure to reboot the unit to permanently save static routes. New routes take effect immediately without a reboot, but are not permanently saved with your configuration until you do reboot the device. An unexpected power outage could cause static routes you entered to "disappear" when the unit reboots if they have not been saved. You also should save a copy of your unit's configuration file in case the unit must be reloaded. This saves you from being required to re-enter numerous static routes in a large network.

The routing table supports up to 500 static routes.

Network Parameters

Change IP Parameters

The IP Configuration window lets you change the IP parameters. These settings differ when the unit is in Routing mode.

Click Configure > Network > IP Configuration to view and configure local IP address information. See Setting the IP Address with ScanTool for more information.

If the device is configured in Bridge mode, you can set the IP Address Assignment Type parameter:

Select Static if you want to assign a static IP address to the unit.

Select Dynamic to have the device run in DHCP client mode, which gets an IP address automatically from a DHCP server over the network.

If you do not have a DHCP server or if you want to manually configure the IP settings, set this parameter to Static.

When the unit is in Bridge mode, only one IP address is required. This IP address also can be changed with ScanTool (see Setting the IP Address with ScanTool). In Routing mode, both Ethernet and Wireless interfaces require an IP address.

You can set the following remaining parameters only when the IP Address Assignment Type is set to Static.

IP Address: The unit's static IP address (default IP address is 10.0.0.1).

Subnet Mask: The mask of the subnet to which the unit is connected (the default subnet mask is 255.255.255.0).

Default Router IP Address: The IP address of the default gateway.

Default TTL: The default time-to-live value.

Configure Spanning Tree Options

This protocol is executed between the bridges to detect and logically remove redundant paths from the network. Spanning Tree can be used to prevent link-layer loops (broadcast is forwarded to all port where another device may forward it and, finally, it gets back to this unit; therefore, it is looping). Spanning Tree can also be used to create redundant links and operates by disabling links: hot standby customer is creating a redundant link without routing function.

If your network does not support Spanning Tree, be careful to avoid creating network loops between radios. For example, creating a WDS link between two units connected to the same Ethernet network creates a network loop (if spanning tree is disabled).

The Spanning Tree configuration options are advanced settings. Proxim recommends that you leave these parameters at their default values unless you are familiar with the Spanning Tree protocol.

Configure IP Routes (Routing Mode only)

Click Configure > Network > IP Routes to configure IP routes. You cannot configure IP Routes in Bridge mode. In Routing mode, the Add Table Entries and Edit/Delete Table Entries buttons are enabled.

Click the Add button to add entries; a window such as the following is displayed:

Enter the route information and click Add. The IP Address and Subnet Mask combination is validated for a proper combination.

Click the Edit/Delete Table Entries button to make changes to or delete existing entries.

Edit the route information and click OK. The IP address and subnet mask combination is validated for a proper combination.

Enable or Disable Roaming

Roaming Overview

Roaming is a feature by which an SU terminates the session with the current BSU and starts the registration procedure with another BSU when it finds the quality of the other BSU to be better. Roaming provides MAC level connectivity to the SU that roams from one BSU to another. Roaming takes place across the range of frequencies and channel bandwidths (5, 10, or 20 MHz) that are available per configuration. The current release offers handoff times of up to a maximum of 80 ms. This is fast enough to allow the SU to seamlessly roam from one BSU to the other therefore supporting session persistence for delay-sensitive applications. The feature also functions as BSU backup in case the current BSU fails or becomes unavailable.

The Roaming feature lets the SU monitor local SNR and data rate for all frames received from the current BSU. As long as the average local SNR for the current BSU is greater than the slow scanning threshold, and the number of retransmitted frames is greater than the slow scanning threshold given in percentage, the SU does not scan other channels for a better BSU.

The normal scanning procedure starts when the average local SNR for the current BSU is less than or equal to the slow scanning threshold and the number of retransmitted frames is greater than the slow scanning threshold given in percentage. During the normal scanning procedure the SU scans the whole list of active channels while maintaining the current session uninterrupted.

Fast scanning is the scanning procedure performed when the average local SNR for the current BSU is very low (below the fast scanning threshold) and the number of retransmitted frames is greater than the fast scanning retransmission threshold given in %, so that the current session should terminate as soon as possible. During this procedure, the SU scans other active channels as fast as possible.

Roaming can only occur if the normal scanning or fast scanning procedure is started under the following conditions:

If the roaming is started from the normal scanning procedure (after the SU scans all the active channels), the SU selects the BSU with the best SNR value on all available channels. The SU roams to the best BSU only if the SNR value for the current BSU is still below the slow scanning SNR threshold, and best BSU offers a better SNR value for at least roaming threshold than the current BSU. The SU starts a new registration procedure with the best BSU without ending the current session.

If the roaming is started from the fast scanning procedure, the SU selects the first BSU that offers better SNR than the current BSU, and starts a new registration procedure with the better BSU without ending the current session.

Roaming with Dynamic Data Rate Selection (DDRS) Enabled

When an SU roams from BSU-1 to BSU-2 and DDRS is enabled, the data rate at which the SU connects to BSU-2 is the default DDRS data rate. If this remains at the factory default of 6 Mbps, there can be issues with the application if it requires more then 6 Mbps (for example multiple video streams).

Applications requiring a higher data rate could experience a slight data loss during the roaming process while DDRS selects a higher rate (based upon link conditions).

When the applications re-transmit at a possibly slower rate, the WORP protocol initially services the data at 6 Mbps and increases the data rate up to the "Maximum DDRS Data Rate" (ddrsmaxdatarate) one step at a time. Because the applications are not being serviced at the best possible rate, they further slow down the rate of data send.

The DDRS algorithm requires data traffic (a minimum of 128 frames) to raise the rate to a higher value. Although roaming occurs successfully, the previous scenario causes applications to drop their sessions; hence session persistence is not maintained.

Configuring Roaming

Click Configure > Network > Roaming to configure Roaming. The screen differs depending on whether the unit is configured as a BSU or as an SU.

BSU Screen

Enable or disable the Roaming feature by selecting the Enable Roaming Status check box. The default value is disabled (clear). If you enable roaming, you may set the Announcement Period (from 25 to 100 ms, default is 100 ms).

On this screen you may also enable or disable the Multi-Frame Bursting (default value is enabled).

An SU scans all available channels for a given bandwidth during roaming. In order to reduce the number of channels an SU has to scan and thus decrease the roaming time, a channel priority list that tells the SU what channels to scan is implemented. Each channel in the channel priority list is specified with its corresponding bandwidth and the priority with which it should be scanned, either "Active" (standard priority), "Active High" (high priority), or "Inactive".

An SU will scan all channels indicated as "Active" during roaming. However, it will scan active channels indicated as "High Priority" before scanning active channels indicated as standard priority. Channels that are not going to be used in the wireless network should be configured as "Inactive" so that the SU can skip over those channels during scanning saving this way time.

A BSU broadcasts the channel priority list to all valid authenticated SUs in its sector. It re-broadcasts the channel priority list to all SUs every time the list is updated on the BSU.

Note that an SU may roam from one BSU with a bandwidth setting to another BSU with a different bandwidth setting. Since in this case more channels need to be scanned than with only one channel bandwidth setting, it is important that the channel priority list mentioned above is properly used to limit scanning time.

When Scanning Across Bandwidth on the SU is enabled (see Interface Parameters), the SU supports bandwidth selection of the communications channel of either 20 MHz, 10 MHz, or 5 MHz. This allows the BSUs in the network to be set to different bandwidths while an SU can still roam from one BSU to the next, because it will not only scan other frequencies (when the signal level or quality are lower than the threshold) but it will also switch to other bandwidths to find a BSU that may be on another bandwidth than its current one.

During roaming, the SU will start scanning first the channels on its current bandwidth from the "Active" channel list provided by the BSU in order to find a BSU to register, since that is the most likely setting for other BSUs in the network. If the SU cannot find an acceptable roaming candidate, it will switch bandwidth and start scanning channels on that corresponding bandwidth from the "Active" channel list provided by the BSU. The process is repeated until the SU finds an appropriate BSU to register.

In the example above, an SU whose current bandwidth is 20 MHz will start scanning all active channels within the bandwidth of 20 MHz. If it cannot find a suitable BSU, it will switch to a 10 MHz bandwidth and start scanning all active channels within that bandwidth, in this case channel 56 first since it is configured as high priority and channel 60 next. No channels will be scanned on the 5 MHz bandwidth since all those channels are configured as inactive.

SU Screen

Enable or disable the Roaming feature in the Roaming Status drop-down box. The default value is disabled.

Enable and Configure the DHCP Server

Click Configure > Network > DHCP Server to enable the unit on a DHCP Server. The Gateway IP Address and Primary DNS IP Address must be entered, there must be at least one entry in the DHCP Server IP Pool Table, and the DHCP Relay Agent must be disabled, in order to enable the DHCP Server.

When enabled, the DHCP server allows allocation of IP addresses to hosts on the Ethernet side of the SU or BSU. Specifically, the DHCP Server feature lets the SU or BSU respond to DHCP requests from Ethernet hosts with the following information:

Host IP address

Gateway IP address

Subnet Mask

DNS Primary Server IP address

DNS Secondary Server IP

DHCP Server Status: Verify that DHCP Relay Agent is disabled. After you have made at least one entry in the DHCP server IP Pool Table, enable DHCP Server by selecting "Enable" from the DHCP Server Status pull-down menu.

NOTE: There must be at least one entry in the DHCP server IP Pool Table to enable DHCP server. Also, DHCP server cannot be enabled if DHCP Relay Agent is enabled.

Subnet Mask: The unit supplies this subnet mask in its DHCP response to a DHCP request from an Ethernet host. Indicates the IP subnet mask assigned to hosts on the Ethernet side using DHCP.

Gateway IP Address: The unit supplies this gateway IP address in the DHCP response. Indicates the IP address of a router assigned as the default gateway for hosts on the Ethernet side.

Primary DNS IP Address: The unit supplies this primary DNS IP address in the DHCP response. Indicates the IP address of the primary DNS server that hosts on the Ethernet side uses to resolve Internet host names to IP addresses

Secondary DNS IP Address: The unit supplies this secondary DNS IP address in the DHCP response.

Number of IP Pool Table Entries: The number of IP pool table entries is a read-only field that indicates the total number of entries in the DHCP server IP Pool Table. See Add Entries to the DHCP Server IP Pool Table.

Add Entries to the DHCP Server IP Pool Table

You can add up to 20 entries in the IP Pool Table. An IP address can be added if the entry's network ID is the same as the network ID of the device. To add an entry click Add Table Entries.

Start IP Address: Indicates the starting IP address that is used for assigning address to hosts on the Ethernet side in the configured subnet.

End IP Address: Indicates the ending IP address that is used for assigning address to hosts on the Ethernet side in the configured subnet.

Default Lease Time: Specifies the default lease time for IP addresses in the address pool. The value is 3600-86400 seconds.

Max Lease Time: The maximum lease time for IP addresses in the address pool. The value is 3600-86400 seconds.

Comment: The comment field is a descriptive field of up to 255 characters.

Edit/Delete Entries to the DHCP Server IP Pool Table Entries

Click Edit/Delete Table Entries to make changes; enter your changes and click OK.

Enable the DHCP Relay Agent (Routing Mode Only)

Click Configure > Network > DHCP RA to enable the unit's DHCP Relay Agent. When enabled, the DHCP relay agent forwards DHCP requests to the set DHCP server. There must be at least one entry in the corresponding Server IP Address table in order to enable the DHCP Relay Agent.

Note that DHCP Relay Agent parameters are configurable only in Routing mode. It cannot be enabled when NAT or DHCP Server is enabled.

Add Entries to the DHCP Relay Agent Table

To add entries to the table of DHCP Relay Agents, click Add Table Entries; the following window is displayed:

Edit/Delete Entries to the DHCP Relay Agent Table

Click Edit/Delete Table Entries to make changes; enter your changes and click OK.

Interface Parameters

Configure the Wireless Interface

For Base Station units, the wireless interface can be placed in either WORP Base or WORP Satellite mode (selected from the Interface Type drop-down box). SUs can be placed only in WORP Satellite mode. The wireless interface settings depend upon whether the mode is Base or Satellite.

The Wireless Outdoor Router Protocol (WORP) is a polling algorithm designed for wireless outdoor networks. WORP takes care of the performance degradation incurred by the so-called "hidden-node" problem, which can occur when wireless LAN technology is used for outdoor building-to-building connectivity. In this situation, when multiple radios send an RTS, if another radio is transmitting, it corrupts all data being sent, degrading overall performance. The WORP polling algorithm ensures that these collisions cannot occur, which increases the performance of the overall network significantly.

WORP dynamically adapts to the number of SUs that are active on the network and the amount of data they have queued to send.

The following are examples of the Wireless window when the country selected is US, and for countries different than the US:

Base Mode - US Country

Interface Type: The interface type can be WORP Satellite or WORP Base.

MAC Address: The factory-assigned MAC address of the unit. This is a read-only field.

Network Name: A Network Name is a name given to a network so that multiple networks can reuse the same frequency without problems. An SU can only register to its base if it has the same Network Name. The Network Name is one of the parameters that allow a Subscriber Unit to register on a Base Station. The Base Station System Name and Frequency Channel also are parameters to guide the SU to the proper BSU on the network, but they provide no security. Basic security is provided through encryption, as it causes none of the messages to be sent in the clear. Further security is provided by mutual authentication of the BSU and SU using the Network Secret. The Network Name can be 2 to 32 characters in length.

Operational Mode: This field indicates the operational mode of the unit - 11a, 11b, or 11g - depending upon the specific Tsunami MP.11. This operational mode cannot be changed as it is based upon a license file.

Dynamic Data Rate Selection (DDRS) Status: The DDRS Status is configurable only for the WORP Base Mode. For WORP Base Mode, select the DDRS Status "Enable" or "Disable" from the drop-down box provided.

For the WORP Satellite Mode, DDRS Status is read-only parameter and its value is based upon the WORP Base to which this SU is associated.

When you enable or disable DDRS on the BSU, the BSU sends an announcement to the SUs and the SUs enable or disable DDRS automatically.

Transmit Power Control (TPC): By default, the unit lets you transmit at the maximum output power for the country or regulatory domain and frequency selected. However, with Transmit Power Control (TPC), you can adjust the output power of the unit to a lower level in order to reduce interference to neighboring devices or to use a higher gain antenna without violating the maximum radiated output power allowed for your country. Also, most countries in the ETSI regulatory domain require the transmit power to be set to a 6 dB lower value than the maximum allowed EIRP when link quality permits. You can see your unit's current output power for the selected frequency in the event log.

The event log shows the selected power for all data rates, so you must look up the proper data rate to determine the actual power level.

NOTE: This feature only lets you decrease your output power; it does not let you increase your output power beyond the maximum allowed defaults for your frequency and country.

Select one of the following options and click OK at the bottom of the window. Your original output power is adjusted relative to the value selected. The new setting takes effect immediately without rebooting:


TPC Selection (dB)	Maximum TX Power (dBm)
0 (default)	16
-3	13
-6	10
-9	7
-12	4
-15	1
-18 (minimum TPC level)	0

NOTE: 24 Mbps and lower modulation have maximum +16 dBm TX power, 36 Mbps has maximum +13 dBm TX power, 48 Mbps has maximum +12 dBm TX power, and 54 Mbps has maximum +11 dBm TX power. Because higher modulation has a lower maximum TX power, the total TPC range is smaller at a higher data rate. Because the minimum TX power is equal for all data rates, each TPC selection has constant TX power for all data rates except where the maximum TX power is limited.

Enable Turbo Mode: Check this box to enable Turbo Mode. Turbo Mode is supported only in the United States, and only for the 5054-R.

Enabling turbo mode, in its current implementation, allows the unit to use two adjacent frequency channels to transmit and receive a signal. By enabling turbo mode, the receive sensitivity improves by 4 dB for the 36 Mbps data rate and by 2 dB for the 24 Mbps data rate.

NOTE: The additional sensitivity is provided with the impact of using twice as much spectrum and thus increasing the opportunity of interference and decreased ability for system collocation. Generally, Turbo mode is not recommended except when the extra sensitivity is absolutely required.

Frequency Channel: The frequency channel indicates the band center frequency the unit uses for communicating with peers. This frequency channel can be set in several ranges, depending upon regulatory domain. Refer to Country Codes and Channels for channelization information.

For countries in which DFS is not enabled, the Frequency Channel list displays only the channels and frequencies allowed for the selected country.

Multicast Rate: The rate at which data is to be transferred. This drop down box is unavailable when DDRS is enabled.

The default multicast rate for the unit is 36 Mbps. The SU must never be set to a lower data rate than the BSU because timeouts will occur at the BSU and communication will fail.

Selections for multicast rate for 5, 10, and 20 MHz channel bandwidths are shown in the following table:


5 MHz	10 MHz	20 MHz
1.5	3	6
2.25	4.5	9
3	6	12
4.5	9	18
6	12	24
9	18	36
12	24	48
13.5	27	54

Antenna Gain (BSU only): You can modify the sensitivity of the radio card when detecting radar signals in accordance with ETSI and FCC Dynamic Frequency Selection (DFS) requirements. Given the radar detection threshold is fixed by ETSI and the FCC and that a variety of antennas with different gains may be attached to the unit, you must adjust this threshold to account for higher than expected antenna gains and avoid false radar detection events. This can result in the units constantly changing frequency channels.

You can configure the threshold for radar detection at the radio card to compensate for increased external antenna gains.

The Antenna Gain value ranges from 0 to 35. The default value is 0.

Satellite Density: The Satellite Density setting is a valuable feature for achieving maximum bandwidth in a wireless network. It influences the receive sensitivity of the radio interface and improves operation in environments with a high noise level. Reducing the sensitivity of the unit enables unwanted "noise" to be filtered out (it disappears under the threshold).

You can configure the Satellite Density to be Large, Medium, Small, Mini, or Micro. The default value for this setting is Large. The smaller settings are appropriate for high noise environments; a setting of Large would be for a low noise environment.

A long distance link may have difficulty maintaining a connection with a small density setting because the wanted signal can disappear under the threshold. Consider both noise level and distance between the peers in a link when configuring this setting. The threshold should be chosen higher than the noise level, but sufficiently below the signal level. A safe value is 10 dB below the present signal strength.

If the Signal-to-Noise Ratio (SNR) is not sufficient, you may need to set a lower data rate or use antennas with higher gain to increase the margin between wanted and unwanted signals. In a point-to-multipoint configuration, the BSU should have a density setting suitable for all of its registered SUs, especially the ones with the lowest signal levels (longest links).

Take care when configuring a remote interface; check the available signal level first, using Remote Link Test.

WARNING: When the remote interface accidentally is set at too small a value and communication is lost, it cannot be reconfigured remotely and a local action is required to bring the communication back. Therefore, the best place to experiment with the level is at the unit that can be managed without going through the link; if the link is lost, the setting can be adjusted to the correct level to bring the link back.

To set the Satellite Density, click the Configure button, then the Interfaces tab and the Wireless sub-tab. Make your density selection from the drop-down menu. This setting requires a reboot of the unit.

Sensitivity threshold settings related to the density settings for the unit are:


Set Satellite Density to:	For a Receive Sensitivity Threshold of:	And a Defer Threshold of:
Large	-95 dBm	-62 dBm
Medium	-86 dBm	-62 dBm
Small	-78 dBm	-52 dBm
Mini	-70 dBm	-42 dBm
Micro	-62 dBm	-36 dBm

Maximum Satellites (BSU only): You can specify a maximum value of 250 in this field, because up to 250 SUs can be connected to a BSU. If a BSU already has as many SUs as specified in this field, a new SU cannot connect to the BSU.

No-Sleep Mode (BSU only): No-Sleep Mode was a feature used to control jitter in Tsunami MP.11 products running 2.2.6, and earlier, versions of software. The introduction of QoS and the new WORP resource scheduling mechanism have eliminated the need for No-Sleep Mode. Furthermore, QoS provides better control over jitter and latency-sensitive applications (see QoS (Quality of Service) Parameters for details on configuration). This field is inactive and makes no difference whether is enabled or disabled.

Automatic Multi-Frame Bursting (BSU only): In order to achieve higher throughput, WORP protocol allows each side (BSU or SU) to send a burst of up to 4 data messages instead of a single data message. The sole criteria for sending a burst is enough traffic to be sent out. This feature is called Multi-Frame Bursting support.

Automatic Multi-Frame bursting optimizes multi-burst performance when configuring QoS high-priority Service Flows. Three scenarios may be defined:

No Multi-Frame Burst Support -To disable Multi-Frame burst support, click Configure > Network > Roaming, and select "Disable" on the drop-down box (see BSU Screen). In this case, each active SFC is limited to send a single data message. Total throughput available to remaining best effort traffic is around 76% of the maximum available throughput.

Multi-Frame Burst Support - The system will enable Multi-Frame burst for all SFCs, but the maximum number of data messages sent in a burst will be defined by the parameter "Number of data messages in a burst" for each of the SFCs (see Service Flow Class (SFC). This scenario is set by clicking Configure > Network > Roaming and enabling Multi-Frame burst on the drop-down box (see BSU Screen), and disabling Automatic Multi-Frame Bursting (this parameter).

The maximum number of data messages in a burst directly influences the total throughput of the system. Typical values are:


No. of messages in a burst:	% of the maximum throughput:
4	100%
3	97.6%
2	92.9%
1	76.2%

Automatic Multi-Frame Burst Support - The system will continuously be monitoring which of the active SFCs has the highest priority and dynamically enable Multi-Frame burst for the highest priority SFC only, keeping all the lower priority SFCs with Multi-Frame burst disabled. If there are multiple SFCs having the same, highest priority, all of them will have Multi-Frame burst enabled. The maximum number of data messages sent in a burst is defined by the parameter "Number of data messages in a burst" and it can be different for each SFC (see Service Flow Class (SFC)). This scenario is set by clicking Configure > Network > Roaming and enabling Multi-Frame burst on the drop-down box (see BSU Screen), and enabling Automatic Multi-Frame Bursting (this parameter). In this case, even the lowest priority SFC will have Multi-Frame burst dynamically enabled as long as it is the only SFC in the system that has traffic. By default, configuring even a single high priority SFC with automatic multi-frame bursting enabled will decrease throughput of low priority best-effort traffic to approximately 76% of maximum available throughput, because low priority traffic will have Multi-Frame burst disabled to optimize bandwidth for the high priority traffic.

Registration Timeout: This is the registration process time-out of an SU on a BSU. Default is 5 seconds.

Network Secret: A network secret is a secret password given to all nodes of a network. An SU can only register to a BSU if it has the same Network Secret. The Network Secret is sent encrypted and can be used as a security option.

Input / Output Bandwidth Limit: These parameters limit the data traffic received on the wireless interface and transmitted to the wireless interface, respectively. Selections are in steps of 64 Kbps from 64 Kbps to 108,064 Kbps.

Satellite Mode - US Country

All the fields that are common to both the BSU and the SU are applicable here. The SU features two additional fields:

Base Station System Name (SU only): The name found on the system page of the BSU to which this SU is connecting. This parameter can be used as an added security measure, and when there are multiple BSUs in the network and you want an SU to register with only one when it may actually have adequate signal strength for either. The System Name field is limited to a length of 32 bytes.

If the Base Station System Name is left blank on the SU, it can register with any BSU with a matching Network Name and Network Secret.

Scanning Across Bandwidth (SU only): Enable this field if you want the SU to scan across the whole range of channel bandwidths (5, 10, or 20 MHz) with or without roaming enabled. Disable this field if you wish the SU to scan only across its configured channel bandwidth.

Base Mode - Non-US Country

The differences between the BSU Wireless interface screen for a non-US country and the equivalent screen for the US are:

There is no Turbo Mode.

Frequency Channel is not configurable. Instead the channel is auto-selected by the DFS process.

For descriptions of all the other fields that appear in both the US and non-US screen for the BSU, see Base Mode - US Country. In addition, the BSU screen for non-US countries contains these additional fields:

DFS Preferred Channel: A single DFS preferred frequency channel on the BSU is provided so that when the DFS process starts the BSU will first try the DFS preferred channel before scanning all the other active channels in the DFS channel list. The DFS preferred channel must be selected from those channels indicated as "Disable" in the DFS channel blacklist list. It is not possible to select the DFS preferred channel from those channels in the DFS channel blacklist list indicated as "Enable".

Channel Blacklist Table: The DFS channel blacklist table shows all the channels in the current bandwidth and specifies the blacklist status of each channel as one of the following:

Enable - Channels that are made unavailable either for a certain period of time upon detection of a radar signal, or permanently because the operator has configured them as blacklisted. These channels are skipped over during DFS channel selection.

Disable - Channels that are to be scanned during DFS.

Edit Entries to the Channel Blacklist Table

In accordance to the EN301-893 non-occupancy rule, when a radar signal is detected on any active channel, the blacklist status of that channel will change to "Enable" and the Radar Detected status will change to TRUE (see previous figure). The channel will not be used for a period of 30 minutes after the radar signal has been detected. The elapsed time is also shown in the DFS channel blacklist table. When the elapsed time for a channel in the blacklist is greater than or equal to 30 minutes, the blacklist status of the channel will change to Disable and the Radar Detected and Elapsed Time fields will change accordingly.

If an operator knows in advance on which channels a radar signal is likely to exist, those channels can be blacklisted and hence they will be skipped during DFS. Similarly, if the operator knows of channels where a radar signal is unlikely to be detected, those channels can be defined as active and hence they will be scanned during DFS. This makes the whole process more efficient.

When you click Edit, the channel blacklist table screen appears. Here you can manually configure each channel as "active" (Blacklist Status = Disable) or "blacklisted" (Blacklist Status = Enable). Enter your changes and click OK. To go back, click on the arrow button.

Satellite Mode - Non-US Country

The differences between the SU Wireless interface screen for a non-US country and the equivalent screen for the US are:

There is no Turbo Mode.

Frequency Channel is not configurable. Instead the channel is auto-selected by the DFS process.

Turbo mode is available only when the specified Country is US and only for the 5054.

The list of parameters to configure for registration of the SU on a Base Station are:

Network Name

Base Station System Name (when used)

Channel Frequency

Encryption (when used)

Network Secret

Configure the Ethernet Interface

To set the Ethernet speed, duplex mode, and input and output bandwidth limits, click Configure > Interfaces > Ethernet.

You can set the desired speed and transmission mode by clicking on Configuration. Select from these settings for the type of Ethernet transmission:

Half-duplex means that only one side can transmit at a time.

Full-duplex lets both sides transmit.

Auto-duplex selects the best transmission mode available when both sides are set to auto-select.

SNMP Parameters

Click Configure > SNMP to enable or disable trap groups, and to configure the SNMP management stations to which the unit sends system traps. See "Trap Groups" in the Tsunami MP.11 Reference Manual for a list of the system traps.

Trap Groups: You can enable or disable different types of traps in the system. By default, all traps are enabled.

Trap Host Table: This table shows the SNMP management stations to which the unit sends system traps.

Add Entries to the Trap Host Table

Edit/Delete Entries to the Trap Host Table

Click the Edit/Delete Table Entries button to make changes to or delete existing entries.

RIP Parameters

Routing Internet Protocol (RIP) is a dynamic routing protocol you can use to help automatically propagate routing table information between routers. The unit can be configured as RIPv1, RIPv2, RIPv1 Compatible, or a combination of the three versions while operating in Routing mode. In general, the unit's RIP module is based upon RFC 1389.

RIPv2 is enabled by default when routing mode is selected.

You may turn RIP off by clearing the Enable RIP Interface check box for the Ethernet or the wireless interface. Any RIP advertisements that are received on the designated interface are ignored. All other options on the page are dimmed.

If the Enable RIP Interface check box is selected, the unit sends RIP requests and "listens" for RIP updates coming from RIP-enabled devices advertising on the network. You may configure the Receive field for RIPv1, RIPv2, or a combination of both. Although the unit receives and processes these updates, it does not further propagate these updates unless configured to advertise RIP. Again, you may configure the Advertize field for RIPv1, RIPv2, or a combination of both.

The ability to enable or disable default route propagation is not user configurable. Once initialized, the unit uses its static default route and does not advertise this route in RIP updates. If another router on your network is configured to advertise its default route, this route overwrites the static default route configured on the unit. The unit then also propagates the new dynamic default route throughout the network.

Be aware that, once a dynamic default route is learned, it behaves just as any other dynamic route learned through RIP. This means if the device sending the default route stops sending RIP updates, the default route times out and the unit has no default route to the network. Workarounds for this condition include rebooting or re-entering a static default route. In general, the best approach is to disable the propagation of default routes on the other routers in your network unless you understand the risks.

The following table describes the properties and features of each version of RIP supported.

RIP Example

Properties and Features of Supported RIP Versions
RIPv1	RIPv2	RIPv1 Compatible
Broadcast	Multicast	Broadcast
No Authentication	Authentication	Authentication
Class routing	Classless routing (VLSM)	Classless routing (VLSM)
Distance-vector protocol	Distance-vector protocol	Distance-vector protocol
Metric-Hops	Metric-Hops	Metric-Hops
Maximum Distance 15	Maximum Distance 15	Maximum Distance 15
IGP	IGP	IGP

In the following example, assume that both the BSU and the SUs all are configured in Routing mode with RIP enabled to send and receive on both the Ethernet and Wireless interfaces. The network converges through updates until each unit has the following routing table:

RIP Notes

Ensure that routers on the same physical network are configured to use the same version of RIP.

Routing updates occur every 30 seconds. It may take up to 3 minutes for a route that has gone down to timeout in a routing table.

RIP is limited to networks with 15 or fewer hops.

Management Parameters

When you click the Management button, Passwords is displayed automatically. The other tab under Management is the Services tab.

Configure Passwords

The Password tab lets you configure the SNMP, Telnet, and HTTP (Web Interface) passwords.

For all password fields, the passwords must be between 6 and 32 characters. Changes take effect immediately after you click OK. The following passwords are configurable:

SNMP Read Community Password: The password for read access using SNMP. Enter a password in both the Password field and the Confirm field. The default password is public.

SNMP Read/Write Community Password: The password for read and write access using SNMP. Enter a password in both the Password field and the Confirm field. The default password is public.

Telnet (CLI) Password: The password for the CLI interface. Enter a password in both the Password field and the Confirm field. The default password is public.

HTTP (Web) Password: The password for the Web browser HTTP interface. Enter a password in both the Password field and the Confirm field. The default password is public.

Configure Service Parameters

The Services tab lets you configure the SNMP, Telnet, and HTTP (Web Interface) parameters. Changes to these parameters require a reboot to take effect.

SNMP Configuration Settings

SNMP Interface Bitmask: Configure the interface or interfaces (Ethernet, Wireless, All Interfaces) from which you will manage the unit using SNMP. You also can select Disabled to prevent a user from accessing the unit through SNMP.

HTTP Configuration Settings

HTTP Interface Bitmask: Configure the interface or interfaces (Ethernet, Wireless, All Interfaces) from which you will manage the unit through the Web interface. For example, to allow Web configuration through the Ethernet network only, set HTTP Interface Bitmask to Ethernet. You can also select Disabled to prevent a user from accessing the unit from the Web interface.

HTTP Port: Configure the HTTP port from which you will manage the unit through the Web interface. By default, the HTTP port is 80.

Telnet Configuration Settings

Telnet Interface Bitmask: Select the interface (Ethernet, Wireless, All Interfaces) from which you can manage the unit through telnet. This parameter can also be used to disable telnet management.

Telnet Port Number: The default port number for Telnet applications is 23. However, you can use this field if you want to change the Telnet port for security reasons (but your Telnet application also must support the new port number you select).

Telnet Login Timeout (seconds): Enter the number of seconds the system is to wait for a login attempt. The unit terminates the session when it times out. The range is 1 to 300 seconds; the default is 30 seconds.

Telnet Session Timeout (seconds): Enter the number of seconds the system is to wait during a session while there is no activity. The unit ends the session upon timeout. The range is 1 to 36000 seconds; the default is 900 seconds.

Serial Configuration Settings

The serial port interface on the unit is enabled at all times. See "Serial Port" in the Tsunami MP.11 Reference Manual for information about how to access the CLI interface through the serial port. You can configure and view following parameters:

Serial Baud Rate: Select the serial port speed (bits per second). Choose between 2400, 4800, 9600, 19200, 38400, or 57600; the default Baud Rate is 9600.

Serial Flow Control: Select either None (default) or Xon/Xoff (software controlled) data flow control. To avoid potential problems when communicating with the unit through the serial port, Proxim recommends that you leave the Flow Control setting at None (the default value).

Serial Data Bits: This is a read-only field and displays the number of data bits used in serial communication (8 data bits by default).

Serial Parity: This is a read-only field and displays the number of parity bits used in serial communication (no parity bits by default).

Serial Stop Bits: This is a read-only field that displays the number of stop bits used in serial communication (1 stop bit by default).

Security Parameters

Configure MAC Authentication

Click Configure > Security > MAC Auth to build a list of authorized wireless stations that can register at the unit and access the network.

This feature is supported on the wireless interface and only wireless MAC addresses should be entered in the list. For example, build a list of wireless MAC addresses on the BSU for the authorized SUs.

To add table entries, click the Add Table Entries button; a window such as the following is displayed:

Enter the MAC address and any comment, then click Add. The maximum number of MAC addresses that can be entered is 250.

To edit or delete table entries, click the Edit/Delete Table Entries button; make your corrections in the window displayed and click OK.

Configure Encryption Parameters

You can protect the wireless data link by using encryption. Encryption keys can be 5 (64-bit), 13 (WEP 128-bit), or 16 (AES 128-bit) characters in length. Both ends of the wireless data link must use the same parameter values.

In addition to Wi-Fi Protected Access (WPA) and Wired Equivalent Privacy (WEP), the unit supports Advanced Encryption Standard (AES) 128-bit encryption. To provide even stronger encryption, the AES CCM Protocol is also supported.

Click Configure > Security > Encryption to set encryption keys for the data transmitted and received by the unit. Note that all devices in one network must use the same encryption parameters to communicate to each other.

Configure RADIUS Authentication

Click Configure > Security > Radius Auth to set the IP address of the RADIUS server containing the central list of MAC addresses that are allowed to access the network. The RADIUS parameters let you enable HTTP or Telnet RADIUS management access to configure a RADIUS Profile for management access control, to enable or disable local user access, and to configure the local password.

In large networks with multiple units, you can maintain a list of MAC addresses on a centralized location using a RADIUS authentication server that grants or denies access. If you use this kind of authentication, you must specify at least the primary RADIUS server. The backup RADIUS server is optional.

Filtering Parameters

Click Configure > Filtering to configure packet filtering. Packet filtering can be used to control and optimize network performance.

Overview

The Filtering feature can selectively filter specific packets based upon their Ethernet protocol type. Protocol filtering is done at the Bridge layer.

Protocol filters are useful for preventing bridging of selected protocol traffic from one segment of a network to other segments (or subnets). You can use this feature both to increase the amount of bandwidth available on your network and to increase network security.

Increasing Available Bandwidth

It may be unnecessary to bridge traffic from a subnet using IPX/SPX or AppleTalk to a segment of the network with UNIX workstations. By denying the IPX/SPX AppleTalk traffic from being bridged to the UNIX subnet, the UNIX subnet is free of this unnecessary traffic.

Increasing Network Security

By bridging IP and IP/ARP traffic and blocking LAN protocols used by Windows, Novell, and Macintosh servers, you can protect servers and client systems on the private local LAN from outside attacks that use those LAN protocols. This type of filtering also prevents private LAN data from being bridged to an untrusted remote network or the Internet.

To prevent blocking your own access (administrator) to the unit, Proxim recommends that IP (0x800) and ARP (0x806) protocols are always passed through.

Sample Use and Validation

Configure the protocol filter to let only IP and ARP traffic pass through the unit (bridge) from one network segment to another. Then, attempt to use Windows file sharing across the bridge. The file should not allow sharing; the packets are discarded by the bridge.

Setting the ARP Filter

There may be times when you need to set the ARP or Multicast. Usually, this is required when there are many nodes on the wired network that are sending ARP broadcast messages or multicast packets that unnecessarily consume the wireless bandwidth. The goal of these filters is to allow only necessary ARP and multicast traffic through the 1.6 Mbps wireless pipe.

The TCP/IP Internet Protocol Suite uses a method known as ARP (Address Resolution Protocol) to match a device's MAC (Media Access Control) address with its assigned IP address. The MAC address is a unique 48-bit identifier assigned to each hardware device at the factory by the manufacturer. The MAC address is commonly represented as 6 pairs of hexadecimal digits separated by colons. For example, a device may have the MAC address of 00:20:A6:33:ED:45.

When devices send data over the network (Ethernet, Token Ring, or wireless), they use the MAC address to identify a packet's source and destination. Therefore, an IP address must be mapped to a MAC address in order for a device to send a packet to particular IP address. In order to resolve a remote node's IP address with its MAC address, a device sends out a broadcast packet to all nodes on the network. This packet is known as an ARP request or ARP broadcast and requests that the device assigned a particular IP address respond to the sender with its MAC address.

Because ARP requests are broadcast packets, these packets are forwarded to wireless nodes by default, even if the packet is not meant for a wireless node. As the number of nodes on a network backbone increases, so does the number of ARP broadcasts that are forwarded to the wireless nodes. Many of these ARP broadcasts are unnecessary and can consume valuable wireless bandwidth. On some networks, there are so many ARP broadcasts that the performance of the wireless network will degrade due to the amount of bandwidth being consumed by these messages.

To reduce the number of ARP broadcasts that are forwarded to the wireless nodes, you can enable ARP filtering. When enabled, the ARP Filter allows the unit to forward only those ARP broadcasts destined for an IP address that falls within the range specified by the ARP Filter Network Address and the ARP Filter Subnet Mask. The ARP Filter performs a logical AND function (essentially keeping what is the same and discarding what is different) on the IP address of the ARP request and the ARP Filter Subnet Mask. It then compares the result of the logical AND to the ARP Filter Network Address. If the two values match, the ARP broadcast is forwarded to the wireless network by the unit.

Configure Ethernet Protocol Filtering

The Ethernet Protocol filter blocks or forwards packets based upon the Ethernet protocols they support. Click Configure > Filtering > Ethernet Protocol to enable or disable certain protocols in the table. Entries can be selected from a drop-down box.

Select the interfaces that will implement the filter from the Ethernet Protocol Filtering drop-down menu.

Ethernet: Packets are examined at the Ethernet interface

Wireless-Slot A or Wireless-Slot B: Packets are examined at the Wireless A or B interfaces

All Interfaces: Packets are examined at both interfaces

Disabled: The filter is not used

Select the Filter Operation Type.

If set to Block, the bridge blocks enabled Ethernet Protocols listed in the Filter Table.

If set to Passthru, only the enabled Ethernet Protocols listed in the Filter Table pass through the bridge.

Configure the Filter Table.

To add an entry, click Add Table Entries. You may add one of the supplied Ethernet Protocol Filters, or you may enter additional filters by specifying the appropriate parameters:

To add one of the supplied Ethernet Protocol Filters to the filter table:

Select the appropriate filter from the Specify Common Protocol drop-down menu. Protocol Name and Protocol Number fields will be filled in automatically.

Click Add

To add a new filter to the filter table:

Enter the Protocol Number. See http://www.iana.org/assignments/ethernet-numbers for a list of protocol numbers.

Enter the Protocol Name.

Click Add.

To edit or delete an entry, click Edit and change the information, or select Enable, Disable, or Delete from the Status drop-down menu.

NOTE: Entries must be enabled in order to be subject to the filter.

Configure Static MAC Pair Filtering

The Static MAC Address filter optimizes the performance of a wireless (and wired) network. When this feature is configured properly, the unit can block traffic between wired devices on the wired (Ethernet) interface and devices on the wireless interface based upon MAC address.

The filter is an advanced feature that lets you limit the data traffic between two specific devices (or between groups of devices based upon MAC addresses and masks) through the unit's wireless interface. For example, if you have a server on your network with which you do not want wireless clients to communicate, you can set up a static MAC filter to block traffic between these devices. The Static MAC Filter Table performs bi-directional filtering. However, note that this is an advanced filter and it may be easier to control wireless traffic through other filter options, such as Protocol Filtering.

Click Configure > Filtering > Static MAC to access the Static MAC Address filter.

Each MAC address or mask is comprised of 12 hexadecimal digits (0-9 and A-F) that correspond to a 48-bit identifier. (Each hexadecimal digit represents 4 bits (0 or 1).

Taken together, a MAC address/mask pair specifies an address or a range of MAC addresses that the unit looks for when examining packets. The unit uses Boolean logic to perform an "and" operation between the MAC address and the mask at the bit level. However, for most users, you do not need to think in terms of bits. It should be sufficient to create a filter using only the hexadecimal digits 0 and F in the mask (where 0 is any value and F is the value specified in the MAC address). A mask of 00:00:00:00:00:00 corresponds to all MAC addresses, and a mask of FF:FF:FF:FF:FF:FF:FF:FF applies only to the specified MAC address.

For example, if the MAC address is 00:20:A6:12:54:C3 and the mask is FF;FF;FF;00:00:00, the unit examines the source and destination addresses of each packet looking for any MAC address starting with 00:20:A6. If the mask is FF;FF;FF;FF;FF;FF, the unit looks only for the specific MAC address (in this case, 00:20:A6:12:54:C3).

When creating a filter, you can configure the Wired parameters only, the Wireless parameters only, or both sets of parameters. Which parameters to configure depends upon the traffic that you want to block:

To prevent all traffic from a specific wired MAC address from being forwarded to the wireless network, configure only the Wired MAC address and Wired mask (leave the Wireless MAC and Wireless mask set to all zeros).

To prevent all traffic from a specific wireless MAC address from being forwarded to the wired network, configure only the Wireless MAC and Wireless mask (leave the Wired MAC address and Wired mask set to all zeros).

To block traffic between a specific wired MAC address and a specific wireless MAC address, configure all four parameters.

Add Entries to the Static MAC Filter Table

After entering the data, click the Add button. The entry is enabled automatically when saved.

To edit an entry, click Edit. To disable or remove an entry, click Edit and change the Status field from Enable to Disable or Delete.

Wired MAC Address: Enter the MAC address of the device on the Ethernet network that you want to prevent from communicating with a device on the wireless network.

Wired Mask: Enter the appropriate bit mask to specify the range of MAC addresses to which this filter is to apply. To specify only the single MAC address you entered in the Wired MAC Address field, enter 00:00:00:00:00:00 (all zeroes).

Wireless MAC Address: Enter the MAC address of the wireless device on the wireless interface that you want to prevent from communicating with a device on the wired network.

Wireless Mask: Enter the appropriate bit mask to specify the range of MAC addresses to which this filter is to apply. To specify only the single MAC address you entered in the Wireless MAC Address field, enter 00:00:00:00:00:00 (all zeroes).

Comment: Enter related information.

Status: The Status field can show Enable, Disable, or Delete.

Static MAC Filter Examples

Consider a network that contains a wired server and three wireless clients. The MAC address for each unit is as follows:

Wired Server: 00:40:F4:1C:DB:6A

Wireless Client 1: 00:02:2D:51:94:E4

Wireless Client 2: 00:02:2D:51:32:12

Wireless Client 3: 00:20:A6:12:4E:38

Prevent two specific devices from communicating:

Configure the following settings to prevent the Wired Server and Wireless Client 1 from communicating:

Wired MAC Address: 00:40:F4:1C:DB:6A

Wired Mask: FF:FF:FF:FF:FF:FF

Wireless MAC Address: 00:02:2D:51:94:E4

Wireless Mask: FF:FF:FF:FF:FF:FF

Result: Traffic between the Wired Server and Wireless Client 1 is blocked. Wireless Clients 2 and 3 still can communicate with the Wired Server.

Prevent Multiple Wireless Devices From Communicating With a Single Wired Device

Configure the following settings to prevent Wireless Clients 1 and 2 from communicating with the Wired Server:

Wired MAC Address: 00:40:F4:1C:DB:6A

Wired Mask: FF:FF:FF:FF:FF:FF

Wireless MAC Address: 00:02:2D:51:94:E4

Wireless Mask: FF:FF:FF:00:00:00

Result: When a logical "AND" is performed on the Wireless MAC Address and Wireless Mask, the result corresponds to any MAC address beginning with the 00:20:2D prefix. Since Wireless Client 1 and Wireless Client 2 share the same prefix (00:02:2D), traffic between the Wired Server and Wireless Clients 1 and 2 is blocked. Wireless Client 3 can still communicate with the Wired Server since it has a different prefix (00:20:A6).

Prevent All Wireless Devices From Communicating With a Single Wired Device

Configure the following settings to prevent all three Wireless Clients from communicating with Wired Server:

Wired MAC Address: 00:40:F4:1C:DB:6A

Wired Mask: FF:FF:FF:FF:FF:FF

Wireless MAC Address: 00:00:00:00:00:00

Wireless Mask: 00:00:00:00:00:00

Result: The unit blocks all traffic between the Wired Server and all wireless clients.

Prevent A Wireless Device From Communicating With the Wired Network

Configure the following settings to prevent Wireless Client 3 from communicating with any device on the Ethernet:

Wired MAC Address: 00:00:00:00:00:00

Wired Mask: 00:00:00:00:00:00

Wireless MAC Address: 00:20:A6:12:4E:38

Wireless Mask: FF:FF:FF:FF:FF:FF

Result: The unit blocks all traffic between Wireless Client 3 and the Ethernet network.

Prevent Messages Destined for a Specific Multicast Group from Being Forwarded to the Wireless LAN

If devices on your Ethernet network use multicast packets to communicate and these packets are not required by your wireless clients, you can set up a Static MAC filter to preserve wireless bandwidth. For example, if routers on your network use a specific multicast address (such as 01:00:5E:00:32:4B) to exchange information, you can set up a filter to prevent these multicast packets from being forwarded to the wireless network:

Wired MAC Address: 01:00:5E:00:32:4B

Wired Mask: FF:FF:FF:FF:FF:FF

Wireless MAC Address: 00:00:00:00:00:00

Wireless Mask: 00:00:00:00:00:00

Result: The unit does not forward any packets that have a destination address of 01:00:5E:00:32:4B to the wireless network.

Configure Storm Threshold Filtering

Click Configure > Filtering > Storm Threshold to use threshold limits to prevent broadcast/multicast overload.

Storm Threshold is an advanced Bridge setup option that you can use to protect the network against data overload by specifying:

A maximum number of frames per second as received from a single network device (identified by its MAC address).

An absolute maximum number of messages per port.

The Storm Threshold parameters let you specify a set of thresholds for each port of the unit, identifying separate values for the number of broadcast messages per second and multicast messages per second.

When the number of frames for a port or identified station exceeds the maximum value per second, the unit ignores all subsequent messages issued by the particular network device, or ignores all messages of that type.

Per Address Threshold: Enter the maximum allowed number of packets per second.

Ethernet Threshold: Enter the maximum allowed number of packets per second.

Wireless Threshold: Enter the maximum allowed number of packets per second.

Configure Broadcast Protocol Filtering

Click Configure > Filtering > Broadcast Protocol to deny specific IP broadcast, IPX broadcast, and multicast traffic.

Click the Edit Table Entries button to display an editable window such as the following. You can configure whether this traffic must be blocked for Ethernet to wireless, wireless to Ethernet, or both.

Configure IP Access Table Filtering

Click Configure > Filtering > IP Access Table to limit in-band management access to the IP addresses or range of IP addresses specified in the table. This feature applies to all management services (SNMP, HTTP, and CLI), except for CLI management over the serial port.

To add an entry, click the Add Table Entries button, specify the IP address and mask of the wireless stations to which you want to grant access, and click Add.

To edit or delete table entries, click the Edit/Delete Table Entries button, make your changes, and click OK.

For example, 172.17.23.0/255.255.255.0 allows access from all wireless stations with an IP address in the 172.17.23.xxx range.

Ensure that the IP address of the management PC you use is within the first entry in the table, as this filter takes effect immediately. Otherwise, you have locked yourself out.

When you do lock yourself out, you may try to give the PC the correct IP address; otherwise you must reset the unit.

Intra-Cell Blocking (Base Station Unit only)

Overview

The Intra-Cell Blocking feature lets traffic be blocked between two SUs registered to the same Base Station. There are two potential reasons to isolate traffic among wireless subscribers:

To provide better security to the subscribers by isolating the traffic from one subscriber to another in a public space.

To block unwanted traffic between subscribers to prevent this traffic from using bandwidth.

You can form groups of SUs at the Base Station, which define the filtering criteria. All data to or from SUs belonging to the same group are bridged. All other data from SUs that do not belong to a particular group are automatically forwarded through the Ethernet interface of the Base Station. If an SU does not belong to any group, the Base Station discards the data.

You can also configure a Security Gateway to block traffic between SUs connected to different BSUs. All packets destined for SUs not connected to the same Base Station are forwarded to the Security Gateway MAC address (configured in the Security Gateway tab).

When you change the device from Bridge to Routing mode, Intra-Cell Blocking stops working with or without a reboot. When you change the device from Routing to Bridge mode, Intra-Cell Blocking starts working with or without a reboot.

Intra-Cell Blocking Group Rules

One SU can be assigned to more than one group.

An SU that has not been assigned to any group cannot communicate to any other SU connected to the same or different BSU.

Example of Intra-Cell Blocking Groups

Assume that four Intra-Cell Blocking Groups have been configured on one BSU. SUs 1 through 6 are registered to BSU 1. SUs 7 through 9 are registered to BSU 2.

In this example, SU 1 belongs to two groups, Group 1 and Group 3. Therefore, packets from SU 1 destined to SU 4, SU 5, SU 6, and SU 3 are not blocked. However, SU 9 belongs to group 4 only and packets from SU 9 are blocked unless sent to SU 8 or SU 2.

Achieving Communication Between Two SUs

In a multipoint configuration, an SU can communicate with another SU through the BSU when in Bridge mode by default. Use the intra-cell blocking feature if this is not desired. In a routing configuration, each of the SUs must have a different subnet on their Ethernet port to distinguish traffic for each SU, and each subnet must be entered into a routing rule in the BSU as well as into an upstream router. The wireless side of all SUs must share the same subnet with the BSU wireless interface. These IP addresses must be used as next hop when creating the routes for the SU subnets.

Enable Intra-Cell Blocking

Intra-Cell Blocking Group Example
Group 1	Group 2	Group 3	Group 4
SU 1	SU 2	SU 6	SU 8
SU 4	SU 3	SU 1	SU 9
SU 5	SU 8	SU 3	SU 2

Click Configure > Intra-Cell Blocking > Group Table to enable the Intra-Cell Blocking feature and to configure Intra-Cell Blocking Groups.

Intra-Cell Blocking Status: Enables or disables the Intra-Cell Blocking feature.

Group Table: Entries in this table show the Intra-Cell Blocking filter groups that have been configured. When Intra-Cell Blocking is enabled, the Base Station Unit discards all packets coming from one SU to another SU, if both SUs do not belong to the same filter group.

Configure Intra-Cell Blocking Groups

Enter the group name, and click Add. The group is assigned an Index and appears in the Group Table. Up to 16 groups can be configured per Base Station.

You can enable, disable or delete an existing filter group by using the Edit/Delete Table Entries button.

Assign MAC Addresses (MAC Table)

After configuring the Intra-Cell Blocking Groups on the Group Table tab, use the MAC Table tab to assign specific MAC addresses to an Intra-Cell Blocking Group.

Adding Entries

Enter the MAC address of the SU. Select Enable from the drop-down menu for the Group Index

Click Add. The MAC address is assigned to the groups. Additions to the MAC Table take effect immediately after clicking the Add button.

You can Enable, Disable, Delete, or Reassign the groups for a MAC address by using the Edit/Delete Table Entries button. A maximum of 250 MAC addresses can be added among all filter groups.

Block Traffic Between SUs (Security Gateway)

You can configure a Security Gateway to block traffic between SUs connected to different BSUs. Verify that Intra-Cell Blocking has been enabled on the Group Table tab before configuring the Security Gateway.

Security Gateway Status: Enables or disables packet forwarding to the external Security Gateway.

Security Gateway MAC Address: Lets you configure the MAC address of the external Security Gateway.

VLAN Parameters

Lets the BSU and SU be used in a VLAN-aware network.

Processes IEEE 802.1Q VLAN-tagged packets.

Overview

VLAN Modes

Transparent Mode

Transparent mode is available on both the SU and the BSU. This mode is equivalent to NO VLAN support and is the default mode. It is used when the devices behind the SU and BSU are both VLAN aware and unaware. The SU/BSU transfers both tagged and untagged frames received on the Ethernet or WORP interface. Both tagged and untagged management frames can access the device.

Trunk Mode

Trunk mode VLAN is available on both the SU and the BSU. It is used when all devices behind the SU and BSU are VLAN aware. The SU and BSU transfer only tagged frames received on the Ethernet or WORP interface. Both tagged and untagged management frames can access the device.

Access Mode

Access mode is available only on the SU. It is used when the devices behind the SU are VLAN unaware. Frames to and from the Ethernet interface behind the SU map into only one VLAN segment.

Frames received on the Ethernet interface are tagged with the configured Access VLAN ID before forwarding them to the WORP interface. Both tagged and untagged management frames can access the device from the WORP interface. However, only untagged management frames can access the device from the Ethernet Interface.

VLAN Forwarding

The VLAN Trunk mode provides a means to configure a list of VLAN IDs in a Trunk VLAN Table. The SU and BSU only forward frames (between Ethernet and WORP interface) tagged with the VLAN IDs configured in the Trunk VLAN Table. Up to 256 VLAN IDs can be configured for the BSU and up to 16 VLAN IDs can be configured for the SU (depending upon the capabilities of your switching equipment).

VLAN Relaying

The VLAN Trunk mode for BSU operation provides an option to enable and disable a VLAN relaying flag; when enabled, the BSU shall relay frames between SUs on the same BSU having the same VLAN ID.

Management VLAN

The BSU and SU allow the configuration of a separate VLAN ID and priority for SNMP, ICMP, Telnet, and TFTP management frames for device access.

The management VLAN ID and management VLAN priority may be applied in any mode. The management stations tag the management frames they send to the BSU or SU with the management VLAN ID configured in the device. The BSU and SU tag all the management frames from the device with the configured management VLAN and priority.

BSU and SU in Transparent Mode

When the BSU is in Transparent mode, all associated SUs must be in Transparent mode.

How the BSU and SUs function in Transparent mode is described in the following table.

BSU in Trunk Mode and SU in Trunk/Access Mode

When the BSU is in Trunk mode, the associated SUs must be in either Trunk mode or Access mode. When an SU associates to a BSU that is in Trunk mode, it gets the VLAN mode from the BSU.

How the BSU and SU function in Trunk mode, and the SU in Access mode, is described in the following table.

BSU VLAN Configuration

The HTTP Interface to configure BSU VLAN parameters is shown in the following figure.

BSU Function - Transparent Mode	SU Function - Transparent Mode
BSU forwards both tagged and untagged frames received from the Ethernet interface or from any of the associated SUs. If a valid management VLAN ID is configured, BSU allows only management frames tagged with the configured management VLAN ID to access it. If a valid management VLAN ID is configured, BSU tags all management frames generated by the BSU with the configured management VLAN ID and priority. If the management VLAN ID is configured as -1 (untagged), BSU allows only untagged management frames to access it.	SU forwards both tagged and untagged frames received from the Ethernet interface or from the BSU. If a valid management VLAN ID is configured, SU allows only management frames tagged with the configured management VLAN ID to access it. If a valid management VLAN ID is configured, SU tags all management frames generated by the SU with the configured management VLAN ID and priority. If the management VLAN ID is configured as -1 (untagged), SU allows only untagged management frames to access them.

BSU Function - Trunk Mode	SU Function - Trunk Mode	SU Function - Access Mode
Up to 256 VLAN IDs can be configured on a BSU. BSU discards all untagged frames received from the Ethernet interface or from any of the associated SUs (unexpected). If a valid VLAN ID is configured, BSU forwards only VLAN-tagged frames received from the Ethernet interface or from any of the associated SUs that are tagged with the configured VLAN IDs; it discards all other tagged frames. If a valid management VLAN ID is configured, BSU allows only management frames tagged with the configured management VLAN ID to access it. If a valid management VLAN ID is configured, BSU tags all management frames generated by the BSU with the configured management VLAN ID and priority. If the management VLAN ID is configured as -1 (untagged), BSU allows only untagged management frames to access it.	Up to 16 VLAN IDs can be configured on an SU. SU discards all untagged frames received from the Ethernet interface or from the BSU (unexpected). If a valid VLAN ID is configured, SU forwards only VLAN-tagged frames received from the Ethernet interface or from the BSU that are tagged with the configured VLAN IDs; it discards all other tagged frames. If a valid management VLAN ID is configured, SU allows only management frames tagged with the configured management VLAN ID to access it. If a valid management VLAN ID is configured, SU tags all management frames generated by the SU with the configured management VLAN ID and priority. If the management VLAN ID is configured as -1 (untagged), SU allows only untagged management frames to access it.	SU discards all tagged frames received from the Ethernet interface and all untagged frames received from the BSU (unexpected). SU tags all untagged frames received from the Ethernet interface with the configured Access VLAN ID and forwards them to the BSU. SU untags all tagged frames received from the BSU that are tagged with the configured Access VLAN ID and forwards them to the Ethernet interface; it discards all other tagged frames from the BSU. If a valid management VLAN ID is configured, SU allows only management frames tagged with the configured management VLAN ID to access it from the BSU. If a valid management VLAN ID is configured, SU tags all management frames generated by the SU with the configured management VLAN ID and priority and forwards them to the BSU. If the management VLAN ID is configured as -1 (untagged), SU allows only untagged management frames to access it from the BSU. SU allows only untagged management frames to access it from the Ethernet interface, regardless of the value of the management VLAN ID.

BSU VLAN Mode: The BSU VLAN mode can be either Transparent or Trunk. By default, the BSU is in Transparent mode.

Management VLAN ID: The Management VLAN ID is configurable in any mode. The management VLAN ID has a default value of untagged and may be configured with a value in the range of 1 to 4095.

Management VLAN Priority: The Management VLAN priority values range from 0 to 7 and the default priority is 0 (zero).

Relaying Flag: When this flag is enabled, the BSU relays frames between SUs on the same BSU.

BSU VLAN Table: The BSU VLAN Table is configurable in both Transparent and Trunk mode, but applies only when the BSU is in Trunk mode. The VLAN ID values for the BSU VLAN Table range from 1 to 4095. The maximum number of VLAN IDs that can be configured in the BSU VLAN Table is 256. An SU in Trunk mode is assigned VLAN IDs from this table.

Add BSU VLAN Table Entries

To add entries to the BSU VLAN table, click the Add Table Entries button. Enter a VLAN ID and select a Status, then click Add to add your entry to the table.

Edit or Delete BSU VLAN Table Entries

To edit or delete entries in the BSU VLAN Table, click the Edit/Delete Table Entries button, make your changes, then click OK for your changes to take effect.

Restricting Unit Management

Management access to the unit can be easily secured by making management stations or hosts and the unit itself members of a common VLAN. Simply configure a non-zero management VLAN ID: management of the unit will be restricted to members of the same VLAN.

Providing Access to Hosts in the Same VLAN

The VLAN feature lets hosts manage the unit. If the Management VLAN ID matches a VLAN User ID, those hosts who are members of that VLAN will have management access to the unit.

SU VLAN Configuration

The HTTP Interface to configure SU VLAN parameters is shown in the following figure.

Add SU Table Entries

To add entries to the SU VLAN Table, click the Add Table Entries button. Enter the desired parameters in the corresponding fields, then click Add to add and save the entry.

MAC: Enter the MAC address of the SU to be configured.

SU VLAN Mode: The SU VLAN mode can be either Transparent, Trunk, or Access (by default, the BSU is in Transparent mode).

When the BSU is in Transparent mode, the SU must be in Transparent mode.

When the BSU is in Trunk mode, the SU must be in either Access mode or Trunk mode.

When the BSU is changed from Transparent mode to Trunk mode, all the configured SUs are changed to Trunk mode by default.

Access VLAN ID: The Access VLAN ID is configurable in any mode, but applies only when the SU is in Access mode. The Access VLAN ID values range from 1 to 4095; the default value is 1.

Access VLAN Priority: The Access VLAN Priority is configurable in any mode, but applies only when the SU is in Access mode. The Access VLAN priority values range from 0 to 7; the default priority is 0. For voice frames, the priority field is set to the VoIP configured value (5 according to latest IETF draft, or 6 according to IEEE 802.1D) regardless of the priority value configured.

Management VLAN ID: The management VLAN ID is configurable in any mode. The management VLAN ID has a default value of untagged (-1) and may be configured with a value in the range of 1 to 4095.

Management Priority: The Management VLAN priority values range from 0 to 7 and the default priority is 0 (zero).

VLAN 1-16: The VLAN IDs are configurable in any mode, but apply only when the SU is in Trunk mode. The VLAN ID values range from 1 to 4095; the default value is untagged (-1). The maximum number of VLAN IDs that can be configured in the SU VLAN Table is 16 for each SU. The SU VLAN IDs must be in the BSU VLAN Table that corresponds to the BSU.

Edit SU Table Entries

To edit SU table entries, click the Edit/Delete Table Entries button; make your changes on the window displayed, then click OK to save your changes.

Typical User VLAN Configurations

VLANs segment network traffic into groups, which lets you limit broadcast and multicast traffic. These groups enable hosts from different VLANs to access different resources using the same network infrastructure. Hosts using the same physical network are limited to those resources available to their workgroup.

The unit can segment users into a maximum of 16 different VLANs per unit, based upon a VLAN ID.

VLAN disabled: Your network does not use VLANs.

VLAN enabled: Each VLAN workgroup uses a different VLAN ID Tag. A mixture of Tagged and Untagged workgroups may be supported.

QoS (Quality of Service) Parameters

The Quality of Service (QoS) feature is based on 802.16 standard and defines the classes, service flows (SFCs), and packet identification rules (PIRs) for specific types of traffic. The main priority of QoS is to guarantee a reliable and adequate transmission quality for all traffic types under conditions of high congestion and bandwidth over-subscription (for a complete discussion on QoS see Quality of Service (QoS).

There are already several pre-defined QoS classes, SFCs and PIRs available that you may choose from which cover the most common types of traffic. If you want to configure something else, you start building the hierarchy of a QoS class by defining PIRs; then you associate some of those PIRs to specific Service Flow classes (SFCs); you assign priorities to each PIR within each SFC; and finally you define the QoS class by associating relevant SFCs to each QoS class.

QoS PIR Configuration

To view/edit the parameters of each PIR click on its Details button. You may enable, disable or delete any PIR entry by clicking on the Status drop-down box and then clicking OK.

To add entries to the PIR Table, click the Add Table Entries button. Enter the Rule Name and select Enable or Disable from the Entry Status drop-down box, then click Add to add the entry. Once the new entry appears on the screen (as shown below), click its Details button to view/edit its parameters.

QoS SFC Configuration

SF Name: Enter the name of the SF class you want to add.

SF Schd Type: This field can be set to BE (Best Effort) or RtPS (Real-Time Polling Service).

SF Direction: This field can be set to Downlink (traffic from BSU to SU) or Uplink (traffic from SU to BSU).

MIR (Maximum Information Rate): The maximum sustained data rate specified in units of 1 Kbps from 8 Kbps up to the maximum rate of 108000 Kbps per SU.

CIR (Committed Information Rate): The minimum reserved traffic rate specified in units of 1 Kbps from 0 Kbps up to the maximum rate of 10000 Kbps per SU.

Latency: The maximum allowed latency specified in increments of 5 ms steps from a minimum of 5 ms up to a maximum of 100 ms.

Jitter: The maximum tolerable jitter specified in increments of 5 ms steps from a minimum of 0 ms up to the Maximum Latency (in ms).

Priority: The priority of this SFC from zero (0) to seven (7), 0 being the lowest, 7 being the highest.

Number of Frames per Burst: The Maximum number of data messages in a Multi-Frame burst from one (1) to four (4), which affects the percentage of the maximum throughput of the system according to following table.


No. of messages in a burst:	% of the maximum throughput:
4	100 %
3	97.6 %
2	92.9 %
1	76.2%

SF Entry State: This field can be set to Enable, Disable, or Delete.

Click Add to add the entry. The new entry will appear on the screen, taking up the next sequential index entry.

To make changes to the entries of the SFC Table, click the Edit/Delete Table Entries button.

Enter your changes and click OK. To delete an entry, click the Status drop-down box and select Delete, then click OK.

QoS Class Configuration

To view/edit a QoS Class click on its Details button. You may enable, disable or delete this QoS Class entry by clicking on the Status drop-down box and then clicking OK. You may also edit an existing SFC associated to this QoS class, or add a new SFC.

To edit an existing SFC associated to this QoS Class click its Details button. You may enable, disable or delete this SFC entry by clicking on the Status drop-down box and then clicking OK. You may also delete a PIR associated to this SFC by clicking on the Status drop-down box and then clicking OK, or add a new PIR to this SFC.

PIR Table Reference Index: Select one of the possible PIRs that have been previously configured from the drop-down box.

PIR Priority: This priority per rule defines the order of execution of PIRs during packet identification process. The PIR priority is a number in the range 0-63, with priority 63 being executed first, and priority 0 being executed last. The PIR priority is defined within a QoS class, and can be different for the same PIR in some other QoS class. If all PIRs within one QoS class have the same priority, the order of execution of PIR rules will be defined by the order of definition of SFCs, and by the order of definition of PIRs in each SFC, within that QoS class.

Entry Status: This field is always set to Enable.

Click Add to add the entry. The new entry will show up on the screen taking up the next sequential index entry. You may delete any PIR entry by clicking on the Status drop-down box.

Back on the QoS Class screen, click the Add Table Entries button to add a new SFC and associate it to this QoS Class.

SF Table Reference Index: Select one of the possible SFCs that have been previously configured from the drop-down box to associate to this QoS Class.

PIR Table Reference Index: Select one of the possible PIRs that have been previously configured from the drop-down box to associate to this SFC.

Entry Status: This field is always set to Enable.

Click Add to add the entry. The new entry will show up on the screen taking up the next sequential index entry.

From this screen you may also edit an existing SFC by clicking on its Details button. This will take you back to the QoS Class SF Class Entry Details.

Finally, to add a new QoS Class click the Add Table Entries button on the screen.

Class Name: Enter the name of the QoS class you want to add.

SF Table Reference Index: Select one of the possible SFCs that have been previously configured from the drop-down box to associate to this QoS Class.

PIR Table Reference Index: Select one of the possible PIRs that have been previously configured from the drop-down box to associate to this SFC.

Entry Status: This field is always set to Enable.

Click Add to add the entry. The new entry will show up on the screen taking up the next sequential index entry.

From this screen you may also edit an existing QoS Class by clicking on its Details button. This will take you to the QoS Class Entry View/Edit screen.

QoS SU Configuration

This screen defines which QoS Classes will be associated to which given SUs by using their MAC addresses.

SU MAC Address: The MAC Address of the SU you want to associate to a specific QoS Class.

SU QOSC Index: Select one of the possible QoS Classes that have been previously configured from the drop-down box to associate to this SU.

SU QOSC State: This field can be set to Enable, Disable, or Delete.

Click Add to add the entry. The new entry will show up on the screen taking up the next sequential index entry.

Enter your changes and click OK. To delete an entry, click the Status drop-down box and select Delete, then click OK.

SU Access to the Public Network (NAT)

The NAT (Network Address Translation) feature lets hosts on the Ethernet side of the SU transparently access the public network through the BSU. All hosts in the private network can have simultaneous access to the public network.

Both dynamic mapping (allowing private hosts to access hosts in the public network) and static mapping (allowing public hosts to access hosts in the private network) are supported:

In dynamic mapping, the SU maps the private IP addresses and its transport identifiers to transport identifiers of a single Public IP address as they originate sessions to the public network. This is used only for outbound access.

Static mapping is used to provide inbound access. The SU maps a private IP address and its local port to a fixed public port of the global IP address. This is used to provide inbound access to a local server for hosts in the public network. Static port mapping allows only one server of a particular type. Up to 1000 ports (500 UDP and 500 TCP) are supported.

NAT Status: Enables or disables the NAT feature. NAT can be enabled only for SUs in Routing mode. The default is disabled.

NAT Static Bind Status: Enables or disables the NAT Static Bind status (static mapping) allowing public hosts to access hosts in a private network. The default is disabled.

Public IP Address: The NAT Public IP address is the wireless interface IP address.

NAT Static Port Mapping Table

Adding entries to the NAT Static Mapping Table lets configured hosts in a private address realm on the Ethernet side of the SU access hosts in the public network using Network Address Port Translation (NAPT). Up to 1000 entries can be configured (500 UDP ports and 500 TCP ports).

Adding Entries

Click the Add Table Entries button.

Enter the Local IP Address of the host on the Ethernet side of the SU.

Select the Port Type: TCP, UDP, or Both.

Enter the Start Port and End Port.

Click Add.

Editing Entries

Click the Edit/Delete Table Entries button.

Enter your changes. To delete an entry, click the Status drop-down box and select Delete

Click OK.

Supported Session Protocols

The NAT feature supports the following session protocols for both inbound and outbound access with the required support, applications, and limitations given in the following table.

Certain Internet applications require an Application Level Gateway (ALG) to provide the required transparency for an application running on a host in a private network to connect to its counterpart running on a host in the public network. An ALG may interact with NAT to set up state information, use NAT state information, modify application specific payload and perform the tasks necessary to get the application running across address realms.

No more than one server of a particular type is supported within the private network behind the SU.

These VPN protocols are supported with their corresponding ALGs: IPsec, PPTP, L2TP.

Supported Session Protocols
Protocol	Support	Applications	Limitations
ICMP	ICMP ALG	Ping
FTP	FTP ALG	File transfer
H.323	H.323 ALG	Multimedia conferencing
HTTP	Port mapping for inbound connection.	Web browser
TFTP	Port mapping for inbound connection.	File transfer
Telnet	Port mapping for inbound connection.	Remote login
CUSeeMe	Port mapping for inbound and outbound connection.	Video conferencing	One user is allowed for video conferencing
IMAP	Port mapping for inbound connection.	Mail
PNM	Port mapping for inbound connection.	Streaming media with Real Player
POP3	Port mapping for inbound connection.	E-mail
SMTP	Port mapping for inbound connection.	E-mail	Mails with IP addresses of MTAs or using IP addresses in place of FQDN are not supported (requires SMTP ALG).
RTSP	Port mapping for inbound connection.	Streaming audio/video with Quick Time and Real Player
ICQ	Port mapping for inbound connection.	Chat and file transfer	Each host using ICQ needs to be mapped for different ports.
IRC	Port mapping for inbound connection.	Chat and file transfer	Each host using IRC needs to be mapped for different ports.
MSN Messenger	Port mapping for inbound and outbound connection.	Conference and Share files with Net meeting	Only one user is allowed for net meeting.
Net2Phone	Port mapping for inbound and outbound connection.	Voice communication
IP Multicast	Pass Through	Multicasting
Stream works	Port mapping for inbound connection.	Streaming video
Quake	Port mapping for inbound connection.	Games	When a Quake server is configured within the private network behind a SU, the SU cannot provide information about that server on the public network. Also, certain Quake servers do not let multiple users log in using the same IP address, in which case only one Quake user is allowed.