Configuration Guide
43-10-0000-00
Copyright 2006 Colubris Networks, Inc. All rights reserved, including those to
reproduce this document or parts thereof in any form without written permission from
Colubris Networks, Inc.
Colubris is a registered trademark, and the Colubris Networks logo, the tag line The
Intelligent Wireless Networking Choice, InReach, InMotion, InCharge, and TriPlane are
trademarks of Colubris Networks, Inc., in the United States and other countries.
All other product and brand names are the service marks, trademarks, registered
trademarks, or registered service marks of their respective owners.
Changes are periodically made to the information herein; these changes will be
incorporated into new editions of the document.
You can download the most up-to-date product information from the Colubris Networks
website. Go to www.colubris.com and on the homepage at left select Support >
Product Registration.
Colubris Networks, Inc.
200 West Street Ste 300
Waltham, Massachusetts 02451-1121
UNITED STATES
Phone: +1 781 684 0001
Fax: +1 781 684 0009
Sales Information: sales@colubris.com
Customer Support: support@colubris.com
Training: training@colubris.com
http://www.colubris.com
Contents
Chapter 1: Introduction
Chapter 2: Management
  In this chapter
  Management Tool overview
    Management station
    Administrator account
    Security
  Validating administrator logins using a RADIUS server
  Remote management
    How it works
    Configuration road map
Chapter 3
  In this chapter
  Scenario 1c: Hotspot with satellites and roaming (local mode)
    How it works
    Configuration road map
Chapter 4: Enterprise deployment
  In this chapter
Chapter 5: WDS scenarios
  In this chapter
  Wireless bridging considerations
    Single or dual radios?
    Using 802.11a for WDS
  Scenario 1: Using RF extension to expand a wired network
    How it works
    Configuration road map
  Scenario 2: Deploying a point-to-point wireless link
    How it works
    Configuration road map: single radio
    Configuration road map: dual radios
  Scenario 3: Setting up multi-hop wireless links
    How it works
    Configuration road map
Chapter 6
  Colubris.com
    For registered customers
    For Annual Maintenance Support Program customers
  Information by telephone and e-mail
Chapter 1: Introduction
In this chapter you can find an explanation of the conventions used in
this guide and an overview of its contents. For information on using
different software revisions in your Colubris subnetwork, see the
Software compatibility matrix on page 8.
Supported software version on Colubris access controllers
MSC-3200
MSC-3300
MGW-3500
MSC-5200
MSC-5500
MSC-5200/MSC-5500 plus COS Services Pack
MAP-320
MAP-330
MAP-330 Sensor
WCB-200
2.4.x
Not supported
2.4.x
2.4.x
N/A
N/A
3.1.x
3.1.x
3.1.x, 2.4.x
3.1.x, 2.4.x
N/A
N/A
4.1.x
4.1.x, 3.1.x
4.1.x, 3.1.x
4.1.x, 3.1.x
N/A
N/A
3.1.x
3.1.x
3.1.x, 2.4.x
3.1.x, 2.4.x
N/A
N/A
4.1.x
4.1.x, 3.1.x
4.1.x, 3.1.x
4.1.x, 3.1.x
N/A
N/A
4.1.x
N/A
4.1 only
4.1 only
N/A
N/A
Typographical conventions
The following table gives the typographical conventions used in Colubris Networks
technical documentation.
Example
Description
ip_address
Items in italics identify parameters for which you must supply a value.
use-access-list=usename
ssl-certificate=URL [ %s ]
Square brackets identify optional arguments. That is, you can decide
whether to enter the argument. Do not enter the brackets.
[ ONE | TWO ]
{ ONE | TWO }
Lead
Description
Warning!
Caution!
Note:
Related documents
The following documents provide additional information. You can find instructions on
how to download additional documentation on the copyright page.
Document
Quickstart Guides
Administrator Guides
Public Access Administrator Guide
Engineering Release Notes
Chapter 2: Management
In this chapter you can find scenarios that illustrate strategies for
managing one or more devices across various network topologies.
In this chapter
This chapter contains the following topics.
Management Tool overview
Validating administrator logins using a RADIUS server
Remote management
Management station
Management station refers to the computer that an administrator uses to connect to the
Management Tool. To act as a management station, a computer must:
- Have a JavaScript-enabled Web browser installed; that is, Netscape 7.01 or higher, or
  Internet Explorer 6.0 or higher, including all updates
- Be able to establish an IP connection with the MAP/MSC, either through the wireless
  port or LAN ports
Administrator account
Administrator password
Access to the Management Tool is protected by a username and password. The
factory default setting for both is admin. Colubris Networks recommends that you
change both on the Management tool configuration page, which you can access by
selecting Management > Management tool.
Caution! If you forget the administrator password, the only way to gain access to the
Management Tool is to reset the MAP/MSC to factory default settings.
Account policy
To maintain the integrity of configuration settings, only one administrator can be
connected to the Management Tool at a given time. To prevent the Management Tool
from being locked up by an idle administrator, two mechanisms are in place:
- If an administrator's connection to the Management Tool remains idle for more than
  ten minutes, the MAP/MSC automatically logs the administrator out.
- If a second administrator connects to the Management Tool and logs in with the
  correct username and password, the first administrator's session is terminated.
  (Default setting) If required, you can disable this mechanism on the Management
  tool configuration page, which you can access by selecting Management >
  Management tool.
Security
Remote management
This scenario shows you how to set up an MSC to provide remote management of the
MAPs connected to it.
How it works
When a MAP is installed behind an MSC, enabling remote access to its management
tool requires configuration settings to be defined on the MSC and the RADIUS server.
This section explains how to configure remote management for the following two
topologies:
[Figure: Topology A and Topology B network diagrams, each showing the management station, RADIUS server, MSC, and two MAPs with public WLANs on subnet 192.168.1.0. Topology A reaches the MSC through a router on 192.168.10.0; Topology B reaches it through a VPN server and VPN tunnel.]
Configuration road map
Topology A
To reach MAP A: HTTPS://192.168.10.1:5002
To reach MAP B: HTTPS://192.168.10.1:5003
Topology B
To reach MAP A: HTTPS://192.168.30.2:5002
To reach MAP B: HTTPS://192.168.30.2:5003
Static NAT mappings are used on the MSC to direct traffic to the proper MAP. MAC
address authentication enables the MAPs to log into the public access network. Access
list definitions allow traffic to be sent from the MSCs to the management stations.
Replace address and username with the MAC address of the MAP. Replace password
with the same password that the MSC uses to communicate with the RADIUS server.
Chapter 3
How it works
In this scenario a single MSC (with radio) is installed to provide a wireless network and
access to the Internet. The MSC is connected to the Internet by way of a broadband
modem, and the Internet connection is protected by the MSC's firewall and NAT features
(which are enabled by default).
[Figure: network diagram showing the MSC with its Internet port and LAN port, and the LAN and public WLAN on subnet 192.168.1.0.]
A local area network is connected to the MSC's LAN port to support wired customers.
The MSC acts as the DHCP server on both the wireless and wired networks, which are
bridged together on subnet 192.168.1.0.
The MSC is operating in local mode, which means that:
- Customer authentication is handled locally by the MSC and accounts are created on
  the MSC for each customer. There is no support for accounting.
- A RADIUS server is not required to activate the public access interface. Instead, the
  default public access interface resident on the MSC is used by customers to log in and
  manage their sessions.
Configuration road map
5. Next, you are automatically redirected to the web site you originally requested.
How it works
In this scenario, a web server is used to store custom pages for the public access
interface. The MSC loads these pages each time it is restarted.
There are two ways to deploy this scenario.
Topology 1
In this version, the web server is located on the Internet.
[Figure: Topology 1. Web server on the Internet; MSC (1.1) with Internet port and LAN port; LAN and public WLAN on subnet 192.168.1.0.]
Topology 2
In this version the web server is located on local LAN B. Instead of being directly
connected to the Internet, the MSC is also connected to local LAN B which provides a
router/firewall to handle the connection to the Internet.
[Figure: Topology 2. Web server and router/firewall on LAN B (192.168.5.0); MSC (1.1) with its Internet port on LAN B and its LAN port on LAN A (192.168.1.0); public WLAN.]
In this scenario, the web server is also the DHCP server for LAN B, operating on subnet
192.168.5.0. The MSC's Internet port is set to operate as a DHCP client.
Configuration road map
4. Copy the following files from the current QuickSetup.zip file and place them in the
   newpages folder.
   - login.html
   - transport.html
   - session.html
   - fail.html
5. Edit login.html to meet the requirements of your site, keeping the following
   restrictions in mind:
   - Do not alter the ID tags <!-- Colubris --> & <!-- Custom --> located at the top of
     the page.
   - Do not alter any JavaScript code.
6. Open the Security > Local config page and define the following attributes:
   login-page=web_server_URL/newpages/login.html
   transport-page=web_server_URL/newpages/transport.html
   session-page=web_server_URL/newpages/session.html
   fail-page=web_server_URL/newpages/fail.html
   logo=web_server_URL/newpages/logo.gif
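A check for the two restrictions in step 5, as an added example (not Colubris code): it compares an edited login.html against the stock copy and reports whether the ID tags at the top or any JavaScript changed before the page is published to the web server. The sample pages are constructed, and the literal form and order of the ID tags is an assumption taken from the guide's wording.

```python
import difflib
from html.parser import HTMLParser

# ID tags the guide says must stay untouched at the top of login.html.
# Assumption: they appear as these literal comments, in this order.
ID_TAGS = ("<!-- Colubris -->", "<!-- Custom -->")


class JavaScriptCollector(HTMLParser):
    """Collect every piece of JavaScript in a page, in document order."""

    def __init__(self):
        super().__init__()
        self.items = []
        self._in_script = False
        self._body = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):                    # onload=, onclick=, ...
                self.items.append((tag, name, value))
            elif tag == "script" and name == "src":      # external script file
                self.items.append((tag, name, value))
            elif value.strip().lower().startswith("javascript:"):
                self.items.append((tag, name, value))
        if tag == "script":
            self._in_script, self._body = True, []

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._body).strip()
            if body:
                self.items.append(("script", "inline", body))

    def handle_data(self, data):
        if self._in_script:
            self._body.append(data)


def normalise(html):
    """Ignore line-ending changes made by the editor."""
    return html.replace("\r\n", "\n").replace("\r", "\n")


def extract_javascript(html):
    collector = JavaScriptCollector()
    collector.feed(normalise(html))
    collector.close()
    return collector.items


def id_tag_header(html):
    """Return the text from the start of the page through the last ID tag."""
    text, end = normalise(html), 0
    for tag in ID_TAGS:
        pos = text.find(tag, end)
        if pos == -1:
            return None
        end = pos + len(tag)
    return text[:end]


def check_customised_page(stock_html, edited_html):
    """Return a list of findings; an empty list means both restrictions hold."""
    header = id_tag_header(stock_html)
    if header is None:
        raise ValueError("stock page does not contain both ID tags")
    findings = []
    if not normalise(edited_html).startswith(header):
        findings.append("ID tags at the top of the page were altered, moved or removed")
    stock_js = extract_javascript(stock_html)
    edited_js = extract_javascript(edited_html)
    matcher = difflib.SequenceMatcher(a=stock_js, b=edited_js, autojunk=False)
    for op, i1, i2, j1, j2 in matcher.get_opcodes():
        if op != "equal":
            findings.append(
                f"JavaScript {op}: stock {stock_js[i1:i2]} -> edited {edited_js[j1:j2]}")
    return findings


# Constructed sample pages; the real login.html from QuickSetup.zip will differ.
STOCK = """<!-- Colubris -->
<!-- Custom -->
<html><head><title>Login</title>
<script type="text/javascript">
function setFocus() { document.forms[0].elements[0].focus(); }
</script></head>
<body onload="setFocus();">
<form method="post" action="login">
<input type="text" name="username"><input type="password" name="password">
<input type="submit" value="Go">
</form></body></html>
"""

# Acceptable edit: new title and a logo, scripts and ID tags untouched.
GOOD_EDIT = STOCK.replace("<title>Login</title>", "<title>Hotel WLAN</title>").replace(
    "<form method", '<img src="logo.gif" alt="Hotel logo"><form method')

# Unacceptable edit: one ID tag dropped, script body changed, handler added.
BAD_EDIT = (STOCK.replace("<!-- Custom -->\n", "")
            .replace("focus(); }", "focus(); track(); }")
            .replace('value="Go"', 'value="Go" onclick="track();"'))

if __name__ == "__main__":
    for label, page in (("good", GOOD_EDIT), ("bad", BAD_EDIT)):
        print(label, check_customised_page(STOCK, page) or "OK")
```

Run it against the stock and edited copies before the MSC is restarted to load the new pages; any finding means the edit should be redone from the stock file.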
How it works
In this scenario several MAP devices are connected to an MSC by way of a backbone
LAN to provide multiple wireless cells for a large physical location.
Customers can log into the public access network at any location and can roam
between access points without losing their connection.
By default, each MAP is configured as a DHCP client and obtains its address from the
MSC, which by default is configured as the DHCP server.
Customer authentication is handled locally by the MSC, and accounts are created on
the MSC for each customer. There is no support for accounting.
Note: This scenario can also be created using an MSC with no radio, in which case
wireless cells are only provided by the MAP devices. When using non-radio MSC units,
the DHCP server option must be enabled manually on the MSC.
The following diagrams illustrate how the two topologies described in Scenario 1b can
be modified to support satellites and roaming. In both cases the configuration procedure
is the same.
Topology 1
[Figure: Topology 1. Web server on the Internet; MSC (1.1) with Internet port and LAN port; two MAPs (1.8 and 1.9) on the LAN; public WLANs on subnet 192.168.1.0.]
Topology 2
[Figure: Topology 2. Web server and router/firewall on LAN B (192.168.5.0); MSC (1.1) with its Internet port on LAN B and its LAN port on LAN A (192.168.1.0); two MAPs (1.8 and 1.9); public WLANs.]
Configuration road map
How it works
This scenario creates three virtual service communities (VSCs) on each device. Each
VSC provides support for a different security option: WEP, WPA (with preshared key),
and none.
To connect with the wireless network, customers must select the SSID of the VSC that
matches the option that they want to use. Roaming is supported, since the same VSCs
are defined on all access points.
The following diagrams illustrate how the two topologies described in Scenario 1c can
be modified to support layer 2 security. In both cases the configuration procedure is the
same.
Topology 1
[Figure: Topology 1. Web server on the Internet; MSC (1.1) with Internet port and LAN port; two MAPs on the LAN (192.168.1.0); the MSC and each MAP provide the SSIDs WPA, None, and WEP.]
Topology 2
[Figure: Topology 2. Web server and router/firewall on LAN B (192.168.5.0); MSC (1.1) with its Internet port on LAN B and its LAN port on LAN A (192.168.1.0); two MAPs; the MSC and each MAP provide the SSIDs WPA, None, and WEP.]
Configuration road map
How it works
In this scenario a single MSC is installed to provide a wireless network and access to
the Internet.
A local area network is connected to the MSC's LAN port to support wired customers.
The MSC acts as the DHCP server on both the wireless and wired networks, which are
bridged together on subnet 192.168.1.0.
A RADIUS server (either local or remote) provides services for customer authentication
and accounting.
There are two ways to deploy this scenario as illustrated by topology 1 and topology 2 in
the sections that follow.
Topology 1
In this version, the NOC is located at a remote site and is accessed through the Internet.
The MSC is connected to the Internet by way of a broadband modem, and the Internet
connection is protected by the MSC's firewall and NAT features.
The MSC connects to the VPN server at the NOC using its PPTP client. This provides a
secure link through which data can be transferred.
[Figure: Topology 1. RADIUS server behind the VPN server (myVPN.com) at the NOC; VPN tunnel to the MSC's Internet port; LAN on the MSC's LAN port and public WLAN on subnet 192.168.1.0.]
Topology 2
In this version the RADIUS server is located on local LAN B. Instead of being directly
connected to the Internet, the MSC is also connected to local LAN B which provides a
router/firewall to handle the connection to the Internet.
[Figure: Topology 2. RADIUS server and router/firewall on LAN B (192.168.5.0); MSC (1.1) with its Internet port on LAN B and its LAN port on LAN A (192.168.1.0); public WLAN.]
Configuration road map
4. Next, you are automatically redirected to the web site you originally requested.
How it works
In this scenario a web server is used to store custom pages for the public access
interface. The MSC loads these pages each time it is restarted.
The following diagrams show how the two topologies described in Scenario 2a can be
modified to support layer 2 security. In both cases the configuration procedure is the
same.
Topology 1
In this version the Web server is located at a remote site and is accessed through the
Internet by way of a VPN tunnel.
[Figure: Topology 1. Web server and RADIUS server behind the VPN server (myVPN.com); VPN tunnel to the MSC's Internet port; LAN on the MSC's LAN port and public WLAN on subnet 192.168.1.0.]
Topology 2
In this version the Web server is located on local LAN B.
[Figure: Topology 2. RADIUS server, Web server, and router/firewall on LAN B (192.168.5.0); MSC (1.1) with its Internet port on LAN B and its LAN port on LAN A (192.168.1.0); public WLAN.]
Configuration road map
For more information on these attributes, consult the Public Access Administrator Guide.
How it works
In this scenario several MAP devices are connected to an MSC by way of a backbone
LAN to provide multiple wireless cells for a large physical location.
Customers can log into the public access network at any location and can roam
between access points without losing their connection.
By default, each MAP is configured as a DHCP client and obtains its address from the
MSC, which by default is configured as the DHCP server.
A RADIUS server (either local or remote) provides services for customer authentication
and accounting.
Note: This scenario can also be created using an MSC with no radio, in which case
wireless cells are only provided by the MAP devices. When using non-radio MSC units,
the DHCP server option must be enabled manually on the MSC.
The following diagrams illustrate how the two topologies described in Scenario 2b can
be modified to support satellites and roaming. In both cases the configuration procedure
is the same.
Topology 1
[Figure: Topology 1. Web server and RADIUS server behind the VPN server (myVPN.com); VPN tunnel to the MSC's Internet port; MSC (1.1) and two MAPs (1.8 and 1.9) on the LAN (192.168.1.0); public WLANs.]
Topology 2
[Figure: Topology 2. RADIUS server, Web server, and router/firewall on LAN B (192.168.5.0); MSC (1.1) with its Internet port on LAN B and its LAN port on LAN A (192.168.1.0); two MAPs (1.8 and 1.9); public WLANs.]
Configuration road map
How it works
This scenario creates three virtual service communities (VSCs) on each device. Each
VSC provides support for a different security option: 802.1x (with WEP), WPA, and
none.
To connect with the wireless network, customers must select the SSID that matches the
option that they want to use. Roaming between MAPs is supported, since the same
VSCs are defined on all access points.
Authentication of client stations occurs as follows:
- On the SSIDs 8021x and WPA, authentication is handled by way of 802.1x by the
  MSC using accounts defined on the RADIUS server. These stations do not see the
  public access interface.
- On the SSID None, client stations must log in through the public access interface and
  are authenticated by the MSC by way of accounts defined on the RADIUS server.
The following diagrams show how the two topologies described in Scenario 2c can be
modified to support layer 2 security. In both cases the configuration procedure is the
same.
Topology 1
[Figure: Topology 1. Web server and RADIUS server behind the VPN server (myVPN.com); VPN tunnel to the MSC's Internet port; MSC (1.1) and two MAPs (1.8 and 1.9) on the LAN (192.168.1.0); the MSC and each MAP provide the SSIDs WPA, None, and 8021x.]
Topology 2
[Figure: Topology 2. RADIUS server, Web server, and router/firewall on LAN B (192.168.5.0); MSC (1.1) with its Internet port on LAN B and its LAN port on LAN A (192.168.1.0); two MAPs (1.8 and 1.9); the MSC and each MAP provide the SSIDs WPA, None, and 8021x.]
Configuration road map
How it works
In this scenario an MSC 3300 is used in conjunction with two MAP-330s. Both products
support dual radios.
The radios on all these devices are to operate as follows:
Radio 1: 802.11b/g mode
Radio 2: 802.11a mode
The three wireless profiles created in Scenario 2d are changed to transmit and receive
on both radio 1 and radio 2.
Customers are now able to connect regardless of their radio type: 802.11a/b/g.
Since 802.11a customers are on a separate radio, they do not share bandwidth with the
b/g customers.
Note: See scenario 2d for a diagram of the network topology.
Configuration road map
Configure radio 2
1. Select Wireless > Radios.
2. Under Radio 2:
   - Change Operating mode to Access point only.
   - Change Wireless mode to 802.11a.
3. Click Save.
How it works
This scenario shows you how to deploy a wireless network so that it can be shared
between company employees and paying customers. It enables you to leverage a single
wireless infrastructure to build a hotspot and provide easy access for mobile employees.
- Employees connect using the SSID Private and are routed to the corporate network
  on VLAN 50. The MSC authenticates employees using the Corporate RADIUS server.
  Once authenticated, customer traffic is forwarded on VLAN 50 so that it can reach the
  corporate intranet.
- Customers connect using the SSID Public and log in using the MSC's public access
  interface. The MSC authenticates customers using the ISP RADIUS server. Once
  authenticated, customer traffic is forwarded on VLAN 60 so that it can reach the
  Internet.
[Figure: network diagram showing the Corporate RADIUS server and corporate intranet behind a firewall on VLAN 50, the ISP RADIUS server on VLAN 60, a switch carrying VLAN 50 and VLAN 60, the MSC and a MAP (192.168.5.1 and 192.168.5.5), employees on SSID = Private, and guests on SSID = Public.]
Configuration road map
Create VLANs
1. Select Network > Ports.
2. Under VLAN configuration, click Add New VLAN.
   Under General:
   - Leave the Port selection as Internet port.
   - Set VLAN ID to 50.
   - Set VLAN name to Private.
Create VSCs
Use the following steps to create two virtual service communities on the MSC:
Note: This Private profile must be defined first to enable it to also support wired
employees, since untagged incoming traffic on the LAN port is always sent to the first
VSC profile.
1. Select VSC > Profiles.
2. On the Virtual Service Communities page, click the Colubris Networks profile to
edit it.
3. On the Add/Edit Virtual Service Community page:
Under General, enter the Name as Private.
Under General, select the Provide access control checkbox.
Under Virtual AP, enter the WLAN name (SSID) as Private.
Under VSC ingress mapping, select SSID.
Under VSC egress mapping, for Authenticated select Private.
Enable HTML-based user logins.
Select the RADIUS authentication checkbox.
For RADIUS Profile, select CorporateRADIUS.
Click Save.
4. On the Virtual Service Communities page, click Add new profile.
5. On the Add/Edit Virtual Service Community page:
Under General, enter the Name as Public.
Under Virtual AP, enter the WLAN name (SSID) as Public.
Under VSC ingress mapping, select SSID.
Under VSC egress mapping, for Authenticated select Public.
Enable HTML-based user logins.
Select the RADIUS authentication checkbox.
For RADIUS Profile, select ISPRADIUS.
Click Save.
How it works
In this scenario a hotel assigns customer traffic to a different VLAN based on an access
point's location within the building.
The MAPs serving the hotel rooms on each floor are configured to return customer
traffic on VLAN 40.
The MAPs serving the hotel lobby, terrace, and restaurant are configured to return
customer traffic on VLAN 50.
VLAN 30 is defined for management purposes. It is used by the network administrator
to reach the management tool on the MSC and MAPs.
One advantage to this strategy is that it enables all devices to have the same SSID
(Hotspot, for example), making it easy for customers to connect.
Custom content is triggered based on the VLAN ID that customer traffic is mapped to.
[Figure: hotel network diagram. Labels: RADIUS Server; MSC; MAPs for Floor 3, Floor 2, Floor 1, Terrace, and Restaurant, each with SSID = Hotspot; Hotel Rooms (VLAN 30, VLAN 40); Public Spaces (VLAN 30, VLAN 50).]
In this scenario the MSC is used to provide access control only and does support
wireless clients.
Configuration road map
Create a server-side script to retrieve the VLAN value and then display a custom Login
page as follows:
If VLAN = 40, display the customer Login page.
If VLAN = 50, display the public access Login page.
Create VLANs
1. Select Network > Ports.
2. Under VLAN configuration, click Add New VLAN.
Under General
Leave the Port selection as LAN port.
Set VLAN ID to 30.
Set VLAN name to Management.
Under Assign IP address via, select Static.
Set IP address to 192.168.30.1.
Set Mask to 255.255.255.0.
Leave Gateway blank.
Click Save.
3. Under VLAN configuration, click Add New VLAN.
Under General
Leave the Port selection as LAN port.
Set VLAN ID to 40.
Set VLAN name to Guest.
Under Assign IP address via, select None.
Click Save.
4. Under VLAN configuration, click Add New VLAN.
Under General
Leave the Port selection as LAN port.
Set VLAN ID to 50.
Set VLAN name to Public.
Under Assign IP address via, select None.
Click Save.
Create VSCs
The following two virtual service communities need to be created on the MSC:
Guest: Handles guest traffic on VLAN 40.
Public: Handles public traffic on VLAN 50.
1. Select VSC > Profiles.
2. On the Virtual Service Communities page, click the Colubris Networks profile to
edit it.
3. On the Add/Edit Virtual Service Community page:
Under General, enter the Name as Guest.
Under General, select the Provide access control checkbox.
Under VSC ingress mapping, clear the SSID checkbox.
Under VSC ingress mapping, select VLAN then select Guest.
Enable HTML-based user logins.
Select the RADIUS authentication checkbox.
For RADIUS Profile, select RADIUS1.
Click Save.
4. On the Virtual Service Communities page, click Add new profile.
5. On the Add/Edit Virtual Service Community page:
Under General, enter the Name as Public.
Under VSC ingress mapping, clear the SSID checkbox.
Under VSC ingress mapping, select VLAN and then select Public.
Enable HTML-based user logins.
Select the RADIUS authentication checkbox.
For RADIUS Profile, select RADIUS1.
Click Save.
Configure a VSC
1. Select VSC > Profiles.
2. On the Virtual Service Communities page, click the Colubris Networks profile.
3. On the Add/Edit Virtual Service Community page:
Under General, enter the Name as Hotspot.
Under General, select the Use Colubris access controller check box.
Under Virtual AP, enter the WLAN name (SSID) as Hotspot.
Under Egress VLAN:
If the MAP is serving a hotel room, set VLAN ID to 40 (which corresponds to the
Guest VLAN).
If the MAP is serving a public area, set VLAN ID to 50 (which corresponds to the
Public VLAN).
Click Save.
How it works
In this scenario wireless networking for a condo complex is deployed using multiple
MAPs and a single MSC. The complex features three buildings, each with several
condos serviced by a single MAP.
Since the tenant turnover is low, and network access is included in the monthly condo
fee, accounting support is not needed. Therefore this scenario does not use a RADIUS
server. Instead, all logins are validated by the MSC using a locally defined user list.
To offer personalized service for each building, a set of custom web pages are created
for each building and stored in a separate folder on a web server. (A third-party server
on the Internet is used to keep costs down.) Customers are redirected to the
appropriate set of pages based on the location-aware group name assigned to each
MAP.
[Figure: condo network diagram. Labels: Web server; MSC (Internet port; LAN port 1.1 on 192.168.1.0); MAP 1 (1.2), Condo complex 1; MAP 2 (1.3), Condo complex 2; MAP 3 (1.4), Condo complex 3.]
Configuration road map
welcome.html
This is the page tenants will see after their login is approved. It is a standard HTML
page and can be customized as required.
welcome.html
This is the page tenants will see after they log out. It is a standard HTML page and
can be customized as required.
The next three attributes provide support for the custom pages. Each time a tenant
logs in, the MSC calls these pages, replacing the %G with the group name assigned
to the MAP that the tenant is associated with.
login-url=web_server_URL/newpages/%G/login.html
welcome-url=web_server_URL/newpages/%G/welcome.html
goodbye-url=web_server_URL/newpages/%G/goodbye.html
By default the MSC blocks access to any resources that are connected to its Internet
port until a client station successfully logs in. However, to log in, a client station must
be able to load the custom login page hosted on the web server. To solve this
problem, an access list definition is added that permits access to the web server for
all unauthenticated stations.
Access-list=loginpage,ACCEPT,tcp,web_server_URL,80
Use-access-list=loginpage
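The attribute set above can be checked for consistency before it is loaded. The following Python lint is an added example, not Colubris code: it parses the attributes shown on this page, expands %G for each MAP group name, and confirms that the login page can be reached before login through an ACCEPT rule in the access list that is actually in use. The host pages.example.com, the group names, and the five-field reading of the access-list value (name, action, protocol, address, port) are assumptions based on the single sample line above.

```python
"""Lint MSC attributes for the custom login page setup (added example)."""
import re
from urllib.parse import urlsplit

# Constructed sample: the attribute lines from this page, with the placeholder
# web_server_URL replaced by an assumed host, pages.example.com.
SAMPLE_ATTRIBUTES = """\
login-url=http://pages.example.com/newpages/%G/login.html
welcome-url=http://pages.example.com/newpages/%G/welcome.html
goodbye-url=http://pages.example.com/newpages/%G/goodbye.html
Access-list=loginpage,ACCEPT,tcp,pages.example.com,80
Use-access-list=loginpage
"""

# Constructed group names, one per MAP (the page does not list them).
SAMPLE_GROUPS = ["building1", "building2", "building3"]

URL_ATTRIBUTES = ("login-url", "welcome-url", "goodbye-url")
# %G lands in a URL path, so accept only a conservative character set.
SAFE_GROUP = re.compile(r"[A-Za-z0-9_-]+")


def parse_attributes(text):
    """Return (urls, access_lists, used_list_name) from name=value lines."""
    urls, access_lists, used = {}, {}, None
    for line in text.splitlines():
        name, sep, value = line.strip().partition("=")
        if not sep:
            continue
        # Assumption: attribute names are compared case-insensitively.
        name, value = name.strip().lower(), value.strip()
        if name in URL_ATTRIBUTES:
            urls[name] = value
        elif name == "access-list":
            # Assumed field order, from the sample line:
            # name,action,protocol,address,port
            fields = [field.strip() for field in value.split(",")]
            if len(fields) != 5:
                raise ValueError(f"unexpected access-list format: {line!r}")
            list_name, action, proto, address, port = fields
            access_lists.setdefault(list_name, []).append(
                (action.upper(), proto.lower(), address.lower(), port))
        elif name == "use-access-list":
            used = value
    return urls, access_lists, used


def lint(text, groups):
    """Return a list of findings; an empty list means the set is consistent."""
    findings = []
    urls, access_lists, used = parse_attributes(text)

    if used is None:
        findings.append("no use-access-list attribute, so no list is applied")
    elif used not in access_lists:
        findings.append(f"use-access-list names undefined list {used!r}")
    rules = access_lists.get(used, [])

    for name in URL_ATTRIBUTES:
        if name not in urls:
            findings.append(f"{name} is missing")
        elif "%G" not in urls[name]:
            findings.append(f"{name} has no %G, so every group gets the same page")

    for group in groups:
        if not SAFE_GROUP.fullmatch(group):
            findings.append(f"group name {group!r} is not a safe URL path segment")
            continue
        if "login-url" not in urls:
            continue
        # Only the login page has to load for unauthenticated stations.
        target = urlsplit(urls["login-url"].replace("%G", group))
        host = (target.hostname or "").lower()
        port = str(target.port or (443 if target.scheme == "https" else 80))
        if not any(rule == ("ACCEPT", "tcp", host, port) for rule in rules):
            findings.append(
                f"{group}: login page at {host}:{port} is not permitted "
                f"before login by access list {used!r}")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_ATTRIBUTES, SAMPLE_GROUPS) or ["no findings"]:
        print(finding)
```

A mismatch between the URL scheme and the port in the access list is the failure this catches most often: moving the login page to HTTPS without updating the rule leaves unauthenticated stations unable to load it.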
Chapter 4
Enterprise deployment
In this chapter you can find sample deployment strategies for common
enterprise scenarios. These scenarios can give you a good idea about
how to approach your installation.
In this chapter
This chapter contains the following scenarios.
How it works
[Figure: network diagram. Labels: DHCP server; Corporate Network 192.168.5.0 with addresses 5.2, 5.3, 5.4, and 5.6; MAP (5.7); WLAN stations 5.8 and 5.9 (WPA).]
Configuration road map
Configure addressing
By default, the MAP is set to operate as a DHCP client. In the sample topology it is
automatically assigned the IP address 5.7 by the corporate DHCP server. To make the
MAP easier to manage, it may be useful to assign a static IP address to it as follows:
1. Select Network > Ports.
2. Under Port configuration, click Bridge port.
3. Under Assign IP address via, select Static then click the Configure button.
4. Set the static addressing parameters and click Save.
Configure a VSC
1. Select VSC > Profiles.
2. Click the Colubris Networks profile in order to edit it.
3. Clear the Wireless security filters checkbox.
4. Under Wireless protection:
Select the checkbox and leave the default setting of WPA.
For Mode, select WPA or WPA2.
For Key source, select Preshared key.
For Key and Confirm key, set a unique key value.
5. Click Save.
How it works
[Figure: network diagram. Labels: RADIUS server; DHCP server; Corporate Network 192.168.5.0 with addresses 5.2 through 5.6; MAP (5.7); WLAN stations 5.8 and 5.9 (802.1x).]
Configuration road map
Configure addressing
By default, the MAP is set to operate as a DHCP client. In the sample topology it is
automatically assigned the IP address 5.7 by the corporate DHCP server. To make the
MAP easier to manage, it may be useful to assign a static IP address to it as follows:
1. Select Network > Ports.
2. Under Port configuration, click Bridge port.
3. Under Assign IP address via, select Static then click the Configure button.
4. Set the static addressing parameters and click Save.
Configure a VSC
1. Select VSC > Profiles.
2. Click the Colubris Networks profile to edit it.
3. Clear the Wireless security filters checkbox.
4. Under Wireless protection
Select the checkbox.
Select 802.1x
For RADIUS profile, select Corporate.
Select RADIUS accounting.
Select Mandatory authentication.
5. Click Save.
How it works
In this scenario the MAP provides three different wireless networks and uses QoS
settings to prioritize traffic:
Employee: This network is for use by all employees. It features 802.1x security and a
QoS setting that provides for normal traffic priority.
Guest: This network is for use by guests. It features WEP security and a QoS setting
that provides for low traffic priority. Guest traffic is restricted using the MAP's security
filter capability so that guest traffic can only reach the router for Internet access. For
this to work, the DHCP server must be configured to return the router as the default
gateway.
Video: This network is for video conferencing. It features 802.1x security and a QoS
setting that provides for high traffic priority.
[Figure: network diagram. Labels: RADIUS server; DHCP server; Router/Firewall; Corporate Network 192.168.5.0 with addresses 5.2 through 5.6 and 5.99; MAP (5.7) with SSID=Guest (QoS=VAP-based Low), SSID=Video (QoS=VAP-based High), and SSID=Employee (QoS=VAP-based Normal).]
Configuration road map
Configure VSCs
Use the following steps to define the three virtual service communities required for this
scenario.
1. Select VSC > Profiles.
2. Click the Colubris Networks profile to edit it.
Under Name, enter Employee.
Under WLAN name (SSID), enter Employee.
Under Virtual AP, QoS priority mechanism, select VAP Based Normal.
Clear the Wireless security filters checkbox.
Under Wireless protection
Select the checkbox.
Select 802.1x
For RADIUS profile, select Corporate.
Select RADIUS accounting.
Select Mandatory authentication.
Click Save.
3. Click Add New Profile.
Under Name, enter Guest.
Under WLAN name (SSID), enter Guest.
Under Virtual AP, QoS priority mechanism, select VAP Based Low.
Under Wireless protection
Select the checkbox.
Select WEP.
Define a set of unique WEP keys.
Click Save.
4. Click Add New Profile.
Under Name, enter Video.
Under WLAN name (SSID), enter Video.
Under Virtual AP, QoS priority mechanism, select VAP Based High.
Clear the Wireless security filters checkbox.
Under Wireless protection
Select the checkbox.
Select 802.1x
For RADIUS profile, select Corporate.
Select RADIUS accounting.
Select Mandatory authentication.
Click Save.
How it works
This scenario adds two virtual service communities to provide support for wireless
phones. Authentication of phones is accomplished by adding the MAC address of each
phone to an internal list maintained on the MAP. Only phones that appear in the list can
connect.
A separate VSC is added for each type of phone: Spectralink and SIP.
[Figure: network diagram. Labels: RADIUS server; DHCP server; SIP server; Router/Firewall; Corporate Network 192.168.5.0 with addresses 5.2 through 5.6 and 5.99; MAP (5.7) with SSID=Guest (QoS=VAP-based Low), SSID=Video (QoS=VAP-based High), SSID=Spectralink (QoS=Diffsrv), SSID=Employee (QoS=VAP-based Normal), and SSID=SIP (QoS=VAP-based High).]
Configure the VSC
Add a VSC
Use the following steps to define the virtual service community required for this
scenario.
1. Select VSC > Profiles.
2. Click Add New Profile.
Under Name, enter Phone.
Under WLAN name (SSID), enter Spectralink.
Under Virtual AP, QoS priority mechanism, leave the default selection Diffsrv,
which maps phone traffic to traffic queue 1.
Clear the Wireless security filters checkbox.
Under MAC Filter
Enable the MAC Filter checkbox.
Select Allow.
Under MAC address, enter the MAC address for each phone.
Click Add.
3. Click Add New Profile.
Under Name, enter Phone.
Under WLAN name (SSID), enter SIP.
Clear the Wireless security filters checkbox.
Under Virtual AP, QoS priority mechanism, leave the default selection VAP-based
Very High, which maps phone traffic to traffic queue 1.
Under MAC Filter
Enable the MAC Filter checkbox.
Select Allow.
Under MAC address, enter the MAC address for each phone.
Click Add.
4. Click Save.
How it works
In this scenario, multiple VSCs are used to provide a wireless architecture that mirrors
the segmented configuration of the backbone LAN. Wireless traffic is secured using
either 802.1x or WPA and leverages the existing corporate RADIUS server for employee
authentication.
Since all MAPs are installed on the same network segment, and each features an
identical wireless setup, employees are able to roam between wireless cells without
losing their network connection.
An unprotected guest network is provided, allowing company guests to access the
Internet through a wireless connection.
[Figure: network diagram. Labels: RADIUS and DHCP server; Server 1; Server 2; Router/Firewall; VLAN 40, VLAN 50, VLAN 60; Layer 3 switch with trunk port; 802.1Q trunk; MAP 1, MAP 2, and MAP 3 (addresses 50.2, 50.3, 50.4), LAN port VLAN=50; SSID=Guest (VLAN=40), SSID=Priv_802.1x (VLAN=60), SSID=Priv_WPA (VLAN=60).]
Addressing details
Following are addressing details used in this scenario:
The MAPs are connected to the layer 3 switch through LAN port 1. Each MAP has a
unique static IP address on the 50.0 segment.
Employees on the Guest, Priv_802.1x, and Priv_WPA SSIDs are bridged to the
appropriate VLAN. This means that they receive an IP address from the DHCP server
on the network.
The Layer 3 switch provides routing between VLAN 60 and VLAN 40, enabling
employees to access the Internet.
Configuration road map
How it works
In this scenario multiple MAPs are installed to provide wireless networking coverage on
two different subnets. Client stations are able to roam between MAPs without losing
their connection, even across different subnets.
The MSC provides centralized management of client sessions to support layer 3
roaming between wireless cells. The MAPs automatically discover the MSC and
establish a secure tunnel with it, through which they can exchange management and
control information to support features such as fast authentication and layer 3 mobility.
The layer 3 mobility feature is used in this scenario to support client station roaming
between subnets. The fast authentication feature enables quick handoff between MAPs
on the same subnet.
Wireless security is provided by enabling 802.1x on the MAPs, using the services of the
RADIUS server to validate logins.
Address allocation is provided by the DHCP server for all devices, even wireless client
stations. (The routers must be configured to support DHCP relay.)
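[Figure: network diagram. Labels: Firewall; Router; DHCP server; RADIUS server; MSC (LAN port); addresses 5.1, 5.2, 5.3; two routers serving subnets 192.168.1.0 (addresses 1.2 through 1.5) and 192.168.2.0 (addresses 2.2 through 2.5); MAP A, MAP B, MAP C, MAP D, each with a WLAN cell; Area 1; Area 2.]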
Autodiscovery
Discovery of MSCs on the same subnet as a MAP is automatic and occurs through
Layer 2 broadcasts.
Discovery of MSCs on different subnets from a MAP is fully automated if the DHCP
server is properly configured. By default a MAP searches for MSCs with the names
cnsrv1, cnsrv2, and cnsrv3 on the default domain returned by the DHCP server. In
this example, the DHCP server is configured to return company.lan as the default
domain. This means the MAPs will search for MSCs with the following names (in order):
cnserv1.company.lan
cnserv2.company.lan
cnserv3.company.lan
By setting up the DHCP server to associate the name cnserv1.company.lan with the
IP address of the MSC, the MAPs will automatically be able to find and establish a
secure tunnel with it. No configuration is necessary on the MAPs.
Configuration road map
Configure addressing
By default, the MAPs are set to operate as DHCP clients. In the sample topology they
are automatically assigned IP addresses by the DHCP server (through DHCP relay on
the routers). To make the MAPs easier to manage, however, it may be useful to assign a
static IP address to them as follows:
1. Select Network > Ports.
2. Under Port configuration, click Bridge port.
3. Under Assign IP address via, select Static then click the Configure button.
4. Set the static addressing parameters as required by the network and click Save.
Configure addressing
By default, the MSC's LAN port is set to the static IP address 192.168.1.1. For this
scenario, the address needs to be changed to 192.168.5.3.
1. Under Port configuration, click LAN port.
2. Under Addressing, set LAN IP port address to 192.168.5.3.
3. Under Addressing, set LAN port mask to 255.255.255.0.
4. Click Save.
Note: After clicking Save you will have to reconnect to the management tool using the
new address.
How it works
In this scenario multiple MAPs are installed to provide wireless networking coverage on
two different subnets. Client stations are able to roam between MAPs without losing
their connection, even across different subnets.
The MSC provides centralized management of client sessions to support layer 3
roaming between wireless cells. The MAPs automatically discover the MSC and
establish a secure tunnel with it, through which they can exchange management and
control information to support features such as fast authentication and layer 3 mobility.
The layer 3 mobility feature is used in this scenario to support client station roaming
between subnets. The fast authentication feature enables quick handoff between MAPs
on the same subnet.
To support roaming between the subnets, the two MSCs also establish a secure
channel with each other to exchange management and control information. One MSC is
designated as the primary. In this scenario, it is MSC A.
Wireless security is provided by enabling 802.1x on the MAPs, using the services of the
RADIUS server to validate logins.
Address allocation is provided by the DHCP server for all devices, even wireless client
stations. (The router must be configured to support DHCP relay.)
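[Figure: network diagram. Labels: DHCP server; RADIUS server; Router; Firewall; 192.168.5.0 with addresses 5.1, 5.2, 5.3; MSC A (1.6); MSC B (2.6); Router; subnets 192.168.1.0 (addresses 1.2 through 1.5) and 192.168.2.0 (addresses 2.2 through 2.5); MAP A, MAP B, MAP C, MAP D, each with a WLAN cell; Area 1; Area 2.]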
Autodiscovery
Discovery of MSCs on the same subnet as a MAP is automatic and occurs through
Layer 2 broadcasts.
Discovery of MSCs on different subnets from a MAP is fully automated if the DHCP
server is properly configured. By default a MAP searches for MSCs with the names
cnsrv1, cnsrv2, and cnsrv3 on the default domain returned by the DHCP server. In the
above example, the DHCP server is configured to return company.lan as the default
domain. This means the MAPs will search for MSCs with the following names (in order):
cnserv1.company.lan
cnserv2.company.lan
cnserv3.company.lan
By setting up the DHCP server to associate the name cnserv1.company.lan with the
IP address of the MSC, the MAPs will automatically be able to find and establish a
secure tunnel with it. No configuration is necessary on the MAPs.
Configuration road map
Configure addressing
By default, the MAPs are set to operate as DHCP clients. In the sample topology they
are automatically assigned IP addresses by the DHCP server. To make the MAPs easier
to manage, however, it may be useful to assign a static IP address to them as follows:
1. Select Network > Ports.
2. Under Port configuration, click Bridge port.
3. Under Assign IP address via, select Static then click the Configure button.
4. Set the static addressing parameters as required by the network and click Save.
Configure addressing
By default, the MSC's LAN port is set to the static IP address 192.168.1.1. For this
scenario, the address needs to be changed as follows:
1. Select Network > Ports.
2. Under Port configuration, click LAN port.
3. Under Addressing, set LAN IP port address to 192.168.1.6 for MSC A and
192.168.2.6 for MSC B.
4. Under Addressing, set LAN port mask to 255.255.255.0 for both units.
5. Click Save.
How it works
In this scenario two MAPs are installed to provide wireless networking coverage.
[Figure: network diagram. Labels: DHCP/DNS server; RADIUS server; Router; Firewall; 192.168.5.0 with addresses 5.1 through 5.5; MSC (Internet port, LAN port); Router; VLAN Switch; 192.168.30.0; MAP A (LAN port 1, 30.10) and MAP B (LAN port 1, 30.20), each with SSID Private and SSID Guest; client stations with IP=192.168.10.10, Gateway=192.168.10.1 and IP=192.168.20.15, Gateway=192.168.20.1.]
Private
This VSC is used by employees to access the corporate network. It is not access
controlled. It uses 802.1x to provide secure networking and validates logins using the
corporate RADIUS server.
Once authenticated, employee traffic is forwarded on VLAN 10.
Employees are able to roam between MAPs without losing their connection, even
across different subnets.
Guest
This VSC is used by company guests. It is access controlled, which means:
Guest authentication is handled by the MSC in conjunction with the RADIUS server,
rather than on the MAP.
Guests log in through the public access interface that is provided by the MSC.
Guests cannot roam between subnets. Roaming is only supported on the same
subnet when a VAP is access controlled.
The VSC forwards guest traffic to the MSC on VLAN 20. Once authenticated, guest
traffic is forwarded through the Internet port on the MSC. An access list definition is
used to restrict guest traffic to the router/firewall. This way customers gain access to the
Internet but not the corporate network.
Addressing
Client stations on the Private VSC are assigned addresses on 192.168.10.0 by the
DHCP server by way of the DHCP relay function on the router. The DHCP server must
return the default gateway as the router (192.168.10.1) for these stations.
The MAPs are assigned addresses on 192.168.30.0 by the DHCP server by way of
the DHCP relay function on the router. The DHCP server must return the default
gateway as the router (192.168.30.1) for the MAPs.
Client stations on the Guest VSC are assigned addresses on 192.168.20.0 by the
DHCP server by way of the DHCP relay function on the MSC. The DHCP server must
return the default gateway as the MSC (192.168.20.1) for these stations.
The management VLAN on both MAPs must be configured as the default VLAN on
LAN port 1 for compatibility with the auto-discovery feature.
The MAPs are assigned addresses on 192.168.30.0 by the DHCP server by way of
the DHCP relay function on the router. The DHCP server must return the default
gateway as the router (192.168.30.1) for these stations.
The corporate DHCP server must be configured to serve addresses on subnet
192.168.20.0 for DHCP requests from the MSC's relay agent, and on subnets
192.168.10.0 and 192.168.30.0 for DHCP requests from the router relay agent.
For the DHCP relay function to work on the MSC and on the router, Network Address
Translation (NAT) must be disabled on both devices. As a result, routes for the
192.168.10.0, 192.168.20.0, and 192.168.30.0 subnets must exist on the corporate
servers (DHCP, DNS, and RADIUS).
Autodiscovery
Discovery of an MSC on the same subnet as a MAP is automatic and occurs through
Layer 2 broadcasts.
Discovery of MSCs on different subnets from a MAP is fully automated if the DHCP
server is properly configured. By default a MAP searches for MSCs with the names
cnsrv1, cnsrv2, and cnsrv3 on the default domain returned by the DHCP server. In the
above example, the DHCP server is configured to return company.lan as the default
domain. This means the MAPs will search for MSCs with the following names (in order):
cnserv1.company.lan
cnserv2.company.lan
cnserv3.company.lan
By setting up the DHCP server to associate the name cnserv1.company.lan with the
IP address of the MSC, the MAPs will automatically be able to find and establish a
secure tunnel with it. No configuration is necessary on the MAPs.
Configuration road map
Create VLANs
Three VLANs need to be defined on each MAP. VLAN 10 for employee traffic, VLAN 20
for guest traffic, and VLAN 30 to permit management traffic to reach the MSC.
1. Select Network > Ports.
2. Under VLAN configuration, click Add New VLAN.
Under General
Leave the Port selection as LAN port.
Set VLAN ID to 10.
Set VLAN name to Private.
Under Assign IP address via, select Static.
On MAP A, set IP address to 192.168.30.2.
On MAP B, set IP address to 192.168.30.3.
Set Mask to 255.255.255.0.
Configure VLANs
VLAN 20 needs to be defined to support guest traffic. It will be associated with the
Guest VSC. VLAN 30 needs to be defined for management traffic. It is not associated
with a VSC.
1. Select Network > Ports.
2. Under VLAN configuration, click Add New VLAN.
Under General
Leave the Port selection as LAN port.
Set VLAN ID to 20.
Set VLAN name to Private.
Under Assign IP address via, select None.
Click Save.
3. Under VLAN configuration, click Add New VLAN.
Under General
Leave the Port selection as LAN port.
Set VLAN ID to 30.
Set VLAN name to Management.
Under Assign IP address via, select Static.
Set IP address to 192.168.30.2.
Set Mask to 255.255.255.0.
Leave Gateway blank.
Click Save.
Chapter 5
WDS scenarios
In this chapter you can find sample deployment strategies for using the
WDS standard (wireless distribution system) to wirelessly extend and
interconnect networks.
Using 802.11a for WDS
Colubris Networks recommends using 802.11a for wireless bridging whenever possible.
This optimizes throughput and reduces the potential for interference because:
Most Wi-Fi clients support 802.11b or b/g, therefore most APs are set to operate in
the 2.4 GHz band. This frees the 5 GHz (802.11a) band for use in other applications
such as WDS.
802.11a provides more channels and more non-overlapping channels (twelve,
including four that are dedicated for point-point use) than 802.11b/g.
Assuming an optimal implementation, 802.11a supports up to 54 Mbps for data
throughput, providing a fat pipe for Point-Point or Point-Multipoint WDS
communications.
Keep in mind that there are limitations inherent in using 802.11a, most notably shorter
reach when compared to 2.4 GHz-based technology. Even so, 802.11a is a good
choice in general for WDS.
How it works
In this scenario a corporate network uses three MAPs to provide wireless access for
employees. Units 1 and 2 are installed in locations that are currently served by the
backbone network. Unit 3 is deployed in an area without cabling support and uses a
wireless bridge to link with unit B.
Each MAP features two VSCs, one supporting 802.1x and one WPA. Both use the
corporate RADIUS server to authenticate wireless clients.
The corporate DHCP server assigns addresses to all stations, even those on the other
side of the wireless bridge.
[Figure: Corporate network (192.168.5.0) with employee workstations, RADIUS server, DHCP server, MAP 1, MAP 2, MAP 3 and a wireless bridge. Labels: Radio 1 operating in 802.11b/g mode; Radio 2 operating in 802.11a mode.]
Note: For the bridge to be successful, the wireless cells of units 2 and 3 must overlap,
and both units must be operating in the same wireless mode and on the same channel.
Configuration road map
Configure addressing
By default, the MAPs are set to operate as DHCP clients. In the sample topology they
are automatically assigned IP addresses by the DHCP server. To make the MAPs easier
to manage, however, it may be useful to assign each of them a static IP address as follows:
1. Select Network > Ports.
2. Under Port configuration, click Bridge port.
3. Under Assign IP address via, select Static then click the Configure button.
4. Set the static addressing parameters as required by the network and click Save.
Configure a VSC
1. Select VSC > Profiles.
2. Click the Colubris Networks profile in order to edit it.
Under General, set Name to 8021x.
Under SSID, set WLAN name to 8021x.
Clear the Wireless security filters checkbox.
Under Wireless protection:
Enable the checkbox and select 802.1x.
For RADIUS profile, select Corporate.
Select RADIUS accounting.
Click Save.
How it works
In this scenario two MAPs are used to wirelessly link the networks in two offices located
in neighboring buildings, enabling workers in both offices to share data and resources
as if they were on the same network. To maximize signal power, directional antennas
are used to establish the connection, which must be line-of-sight.
Single-radio
When using single-radio units with a directional antenna, a local wireless network
cannot be created at each office. Instead the MAPs are directly connected to the
backbone LANs in each office.
[Figure: Building 1 and Building 2, each with employee workstations and a MAP (MAP 1, MAP 2) on its main antenna, joined by a wireless bridge; RADIUS server and DHCP server. Label: Radio operating in 802.11a mode.]
Dual-radio
With dual-radio units, radio 1 can be used to provide wireless networking, and radio 2
can be used to establish the wireless bridge.
Each MAP on radio 1 features two VSCs, one supporting 802.1x and one WPA. Both
use the corporate RADIUS server to authenticate wireless clients.
[Figure: Building 1 and Building 2, each with employee workstations and a MAP (MAP 1, MAP 2) on its main antenna, joined by a wireless bridge; RADIUS server and DHCP server. Labels: Radio 1 operating in 802.11b/g mode; Radio 2 operating in 802.11a mode.]
Configuration road map, single radio
Configure addressing
By default, the MAPs are set to operate as DHCP clients. In the sample topology they
are automatically assigned IP addresses by the DHCP server. To make the MAPs easier
to manage, however, it may be useful to assign each of them a static IP address as follows:
1. Select Network > Ports.
2. Under Port configuration, click Bridge port.
3. Under Assign IP address via, select Static then click the Configure button.
4. Set the static addressing parameters as required by the network and click Save.
Configure addressing
By default, the MAPs are set to operate as DHCP clients. In the sample topology they
are automatically assigned IP addresses by the DHCP server. To make the MAPs easier
to manage, however, it may be useful to assign each of them a static IP address as follows:
1. Select Network > Ports.
2. Under Port configuration, click Bridge port.
3. Under Assign IP address via, select Static then click the Configure button.
4. Set the static addressing parameters as required by the network and click Save.
Configure a VSC
1. Select VSC > Profiles.
2. Click the Colubris Networks profile in order to edit it.
Under General, set Name to 8021x.
Under SSID, set WLAN name to 8021x.
Clear the Wireless Security Filters checkbox.
Under Wireless protection:
Enable the checkbox and select 802.1x.
For RADIUS profile, select Corporate.
Select RADIUS accounting.
Click Save.
3. Click Add New Profile.
Under General, set Name to WPA.
Under SSID, set WLAN name to WPA.
Clear the Wireless Security Filters checkbox.
Under Wireless protection:
Enable the checkbox and select WPA.
Set Mode to WPA or WPA2.
For RADIUS profile, select Corporate.
Select RADIUS accounting.
Select Mandatory authentication.
Click Save.
How it works
In this scenario three MAPs are used to create a wireless link between two buildings
that are not within direct line of sight.
[Figure: Building 1 and Building 2 with employee workstations, RADIUS server and DHCP server; MAP 1, MAP 2 and MAP 3 with antennas. Labels: Channel 44, Channel 36, Radio 1, Radio 2; Radio 1 operating in 802.11b/g mode.]
MAP 3 is within line of sight of both MAP 1 and MAP 2. The two radios on MAP 3 are set
to operate on different channels to avoid interference and increase throughput. (Every
added WDS-link on the same frequency cuts throughput roughly by a factor of two.)
This concept can be extended to cover even longer ranges as follows:
[Figure: MAP 1 through MAP 5 in a chain between Building 1 and Building 2. Labels: Radio 1 and Radio 2 on the MAPs; link channels 44, 36, 44, 36.]
Configuration road map
MAP 3 configuration
1. Select Wireless > Radios.
2. Under Radio 1:
Set Operating mode to Wireless links only.
Set Operating mode to 802.11a.
Set Channel to Channel 44.
Set Antenna selection to Main antenna.
3. Under Radio 2:
Set Operating mode to Wireless links only.
Set Operating mode to 802.11a.
Set Channel to Channel 36.
Set Antenna selection to Main antenna.
4. Click Save.
Configure addressing
By default, MAPs operate as DHCP clients. In the sample topology they are
automatically assigned IP addresses by the DHCP server. To make the MAPs easier to
manage, however, it may be useful to assign each of them a static IP address as follows:
1. Select Network > Ports.
2. Under Port configuration, click Bridge port.
3. Under Assign IP address via, select Static then click the Configure button.
4. Set the static addressing parameters as required by the network and click Save.
MAP 3 configuration
1. Select Wireless > Wireless links.
2. Click Wireless link #1 to edit it.
3. Under Settings, select Enabled.
4. Under Security:
Enable the checkbox.
Select WEP.
Under 128-bit WEP key, enter 26 hexadecimal characters for the key.
5. Under Addressing, set Remote MAC address to the MAC address of wireless port
2 on MAP 1.
6. Click Save.
7. Click Wireless link #2 to edit it.
8. Under Settings:
Select Enabled.
For Transmit/receive on, select Radio 2.
9. Under Security:
Enable the checkbox.
Select WEP.
Under 128-bit WEP key, enter 26 hexadecimal characters for the key.
10. Under Addressing, set Remote MAC address to the MAC address of wireless port
2 on MAP 2.
11. Click Save.
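The sketch below is an added example, not part of the Colubris guide or software. It checks a written-down link plan against the requirements stated in this chapter before the values are typed into each MAP: a 26-character hexadecimal key that is identical on both ends, the same wireless mode and channel on both ends, Remote MAC addresses that point at each other, and different channels on the two link radios of one MAP. The record layout, link names and MAC addresses are constructed for the example.

```python
import re
import secrets
from collections import defaultdict

HEX26 = re.compile(r"[0-9A-Fa-f]{26}")

def new_link_key():
    """26 hexadecimal characters from the OS CSPRNG (13 random bytes)."""
    return secrets.token_hex(13).upper()

def norm_mac(mac):  # compare MACs regardless of separators and case
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def check_links(ends):
    """Return a list of problems found in a list of link-end records."""
    problems = []
    by_link, chans = defaultdict(list), defaultdict(dict)
    for e in ends:
        by_link[e["link"]].append(e)
        chans[e["map"]][e["radio"]] = e["channel"]
        if not HEX26.fullmatch(e["key"]):
            problems.append(f'{e["link"]}/{e["map"]}: key is not 26 hex characters')
    for link, pair in sorted(by_link.items()):
        if len(pair) != 2:
            problems.append(f"{link}: expected 2 ends, found {len(pair)}")
            continue
        a, b = pair
        if a["key"].lower() != b["key"].lower():
            problems.append(f"{link}: keys differ between the two ends")
        if (a["mode"], a["channel"]) != (b["mode"], b["channel"]):
            problems.append(f"{link}: wireless mode or channel differs")
        for x, y in ((a, b), (b, a)):
            if norm_mac(x["remote_mac"]) != norm_mac(y["local_mac"]):
                problems.append(f'{link}: {x["map"]} remote MAC is not {y["map"]}')
    for name, radios in sorted(chans.items()):
        if len(radios) > 1 and len(set(radios.values())) == 1:
            problems.append(f"{name}: link radios share one channel")
    return problems

def sample_plan():
    """Constructed plan for the three-MAP scenario; MACs are made up."""
    def end(link, name, radio, chan, key, local, remote):
        return dict(link=link, map=name, radio=radio, mode="802.11a",
                    channel=chan, key=key, local_mac=local, remote_mac=remote)
    k1, k2 = new_link_key(), new_link_key()
    m1, m2 = "02:00:00:00:01:02", "02:00:00:00:02:02"    # MAP 1/2, wireless port 2
    m3a, m3b = "02:00:00:00:03:01", "02:00:00:00:03:02"  # MAP 3, radios 1 and 2
    return [end("link1", "MAP 1", 2, 44, k1, m1, m3a),
            end("link1", "MAP 3", 1, 44, k1, m3a, m1),
            end("link2", "MAP 2", 2, 36, k2, m2, m3b),
            end("link2", "MAP 3", 2, 36, k2, m3b, m2)]

if __name__ == "__main__":
    print(check_links(sample_plan()) or "plan is consistent")
```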
Chapter 6
Colubris.com
Visit Colubris.com to access Datasheets, Whitepapers, Case Studies, and
Solution Guides. From the left side of the homepage, select Literature in order to view
these menu items. Access to this material is free and does not require product
registration.
For registered customers
By registering your product at Colubris.com, you can access the information listed
below.
To register, simply go to Colubris.com and from the left side of the home page select
Support > Product Registration. Complete and submit the Product Registration
Form in order to gain access to the support area of the website.
Once you register your product purchase with Colubris, you can log in and access the
following information:
Technical documentation
Administrator's guides
Quickstart guides
Quick setup tools
SNMP MIBs
Software license agreement
Return Material Authorization (RMA) procedures and forms
For Annual Maintenance Support Program customers
Colubris Networks offers a comprehensive set of annual support programs that focus on
the hardware and software content of Colubris' award-winning family of secure Wi-Fi
solutions.
Annual Maintenance Support Programs provide a broad level of hardware and software
assistance that combines various elements of support:
Telephone-based technical support
Hardware support
Software support
When visiting Colubris.com, customers who have purchased an Annual Maintenance
Support Program can access the following information in addition to the website
material discussed above:
FAQs
Technical notes
Release notes
Software downloads