
Part No. 318507-B Rev 01
March 2005

Wireless Mesh Network Solution Reference

Copyright 2005 Nortel Networks


All rights reserved. March 2005
The information in this document is subject to change without notice. The statements, configurations, technical data, and
recommendations in this document are believed to be accurate and reliable, but are presented without express or implied
warranty. Users must take full responsibility for their applications of any products specified in this document. The
information in this document is proprietary to Nortel Networks Inc.
The software described in this document is furnished under a license agreement and may be used only in accordance
with the terms of that license. The software license agreement is included in this document.

Trademarks
Nortel Networks, the Nortel Networks logo, and Contivity are trademarks of Nortel Networks.
Adobe and Acrobat Reader are trademarks of Adobe Systems Incorporated.
Check Point and Firewall 1 are trademarks of Check Point Software Technologies Ltd.
Java is a trademark of Sun Microsystems.
Microsoft, Windows, Windows NT, and MS-DOS are trademarks of Microsoft Corporation.
NETVIEW is a trademark of International Business Machines Corp (IBM).
OPENView is a trademark of Hewlett-Packard Company.
SPECTRUM is a trademark of Cabletron Systems, Inc.
All other trademarks and registered trademarks are the property of their respective owners.

Restricted rights legend


Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph
(c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013.
Notwithstanding any other license agreement that may pertain to, or accompany the delivery of, this computer software,
the rights of the United States Government regarding its use, reproduction, and disclosure are as set forth in the
Commercial Computer Software-Restricted Rights clause at FAR 52.227-19.

Statement of conditions
In the interest of improving internal design, operational function, and/or reliability, Nortel Networks Inc. reserves the
right to make changes to the products described in this document without notice.
Nortel Networks Inc. does not assume any liability that may occur due to the use or application of the product(s) or
circuit layout(s) described herein.
Portions of the code in this software product may be Copyright 1988, Regents of the University of California. All
rights reserved. Redistribution and use in source and binary forms of such portions are permitted, provided that the
above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising
materials, and other materials related to such distribution and use acknowledge that such portions of the software were
developed by the University of California, Berkeley. The name of the University may not be used to endorse or promote
products derived from such portions of the software without specific prior written permission.
SUCH PORTIONS OF THE SOFTWARE ARE PROVIDED AS IS AND WITHOUT ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE.

In addition, the program and information contained herein are licensed only pursuant to a license agreement that contains
restrictions on use and disclosure (that may incorporate by reference certain limitations and notices imposed by third
parties).

Nortel Networks Inc. software license agreement


This Software License Agreement (License Agreement) is between you, the end-user (Customer) and Nortel
Networks Corporation and its subsidiaries and affiliates (Nortel Networks). PLEASE READ THE FOLLOWING
CAREFULLY. YOU MUST ACCEPT THESE LICENSE TERMS IN ORDER TO DOWNLOAD AND/OR USE THE
SOFTWARE. USE OF THE SOFTWARE CONSTITUTES YOUR ACCEPTANCE OF THIS LICENSE
AGREEMENT. If you do not accept these terms and conditions, return the Software, unused and in the original shipping
container, within 30 days of purchase to obtain a credit for the full purchase price.
Software is owned or licensed by Nortel Networks, its parent or one of its subsidiaries or affiliates, and is copyrighted
and licensed, not sold. Software consists of machine-readable instructions, its components, data, audio-visual content
(such as images, text, recordings or pictures) and related licensed materials including all whole or partial copies. Nortel
Networks grants you a license to use the Software only in the country where you acquired the Software. You obtain no
rights other than those granted to you under this License Agreement. You are responsible for the selection of the
Software and for the installation of, use of, and results obtained from the Software.
1. Licensed Use of Software. Nortel Networks grants Customer a nonexclusive license to use a copy of the Software on
only one machine at any one time or to the extent of the activation or authorized usage level, whichever is applicable. To
the extent Software is furnished for use with designated hardware or Customer furnished equipment (CFE), Customer
is granted a nonexclusive license to use Software only on such hardware or CFE, as applicable. Software contains trade
secrets and Customer agrees to treat Software as confidential information using the same care and discretion Customer
uses with its own similar information that it does not wish to disclose, publish or disseminate. Customer will ensure that
anyone who uses the Software does so only in compliance with the terms of this Agreement. Customer shall not a) use,
copy, modify, transfer or distribute the Software except as expressly authorized; b) reverse assemble, reverse compile,
reverse engineer or otherwise translate the Software; c) create derivative works or modifications unless expressly
authorized; or d) sublicense, rent or lease the Software. Licensors of intellectual property to Nortel Networks are
beneficiaries of this provision. Upon termination or breach of the license by Customer or in the event designated
hardware or CFE is no longer in use, Customer will promptly return the Software to Nortel Networks or certify its
destruction. Nortel Networks may audit by remote polling or other reasonable means to determine Customer's Software
activation or usage levels. If suppliers of third party software included in Software require Nortel Networks to include
additional or different terms, Customer agrees to abide by such terms provided by Nortel Networks with respect to such
third party software.
2. Warranty. Except as may be otherwise expressly agreed to in writing between Nortel Networks and Customer,
Software is provided AS IS without any warranties (conditions) of any kind. NORTEL NETWORKS DISCLAIMS
ALL WARRANTIES (CONDITIONS) FOR THE SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING,
BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE AND ANY WARRANTY OF NON-INFRINGEMENT. Nortel Networks is not obligated to
provide support of any kind for the Software. Some jurisdictions do not allow exclusion of implied warranties, and, in
such event, the above exclusions may not apply.
3. Limitation of Remedies. IN NO EVENT SHALL NORTEL NETWORKS OR ITS AGENTS OR SUPPLIERS BE
LIABLE FOR ANY OF THE FOLLOWING: a) DAMAGES BASED ON ANY THIRD PARTY CLAIM; b) LOSS OF,
OR DAMAGE TO, CUSTOMER'S RECORDS, FILES OR DATA; OR c) DIRECT, INDIRECT, SPECIAL,
INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES (INCLUDING LOST PROFITS OR SAVINGS),
WHETHER IN CONTRACT, TORT OR OTHERWISE (INCLUDING NEGLIGENCE) ARISING OUT OF YOUR
USE OF THE SOFTWARE, EVEN IF NORTEL NETWORKS, ITS AGENTS OR SUPPLIERS HAVE BEEN
ADVISED OF THEIR POSSIBILITY. The foregoing limitations of remedies also apply to any developer and/or supplier
of the Software. Such developer and/or supplier is an intended beneficiary of this Section. Some jurisdictions do not
allow these limitations or exclusions and, in such event, they may not apply.

4. General
a. If Customer is the United States Government, the following paragraph shall apply: All Nortel Networks
Software available under this License Agreement is commercial computer software and commercial computer
software documentation and, in the event Software is licensed for or on behalf of the United States
Government, the respective rights to the software and software documentation are governed by Nortel
Networks standard commercial license in accordance with U.S. Federal Regulations at 48 C.F.R. Sections
12.212 (for non-DoD entities) and 48 C.F.R. 227.7202 (for DoD entities).
b. Customer may terminate the license at any time. Nortel Networks may terminate the license if Customer fails
to comply with the terms and conditions of this license. In either event, upon termination, Customer must
either return the Software to Nortel Networks or certify its destruction.
c. Customer is responsible for payment of any taxes, including personal property taxes, resulting from
Customer's use of the Software. Customer agrees to comply with all applicable laws including all applicable
export and import laws and regulations.
d. Neither party may bring an action, regardless of form, more than two years after the cause of the action arose.
e. The terms and conditions of this License Agreement form the complete and exclusive agreement between
Customer and Nortel Networks.
f. This License Agreement is governed by the laws of the country in which Customer acquires the Software. If
the Software is acquired in the United States, then this License Agreement is governed by the laws of the state
of New York.

Contents

Preface 19
  Before you begin 19
  Text conventions 20
  Icon conventions 21
  Documentation roadmap 22
  Hard-copy technical manuals 24
  How to get help 24

Chapter 1 Fundamentals 27
  Wireless Mesh Network solutions 27
  Network overview 28
  Network architecture 28
  Community Area Network 29
  Network Access Point 29
  Wireless Access Point 7220 29
  Enterprise/ISP backbone network 30
  Wireless Gateway 7250 30
  Enterprise / ISP / Metro distribution network 31
  Border Gateway 31
  Network Operations Support System 31
  Wireless Mobile Node 35
  Inter-Wireless Gateway 7250 roaming and mobility 35
  Access and transit links 38
  Principles of operation 39
  Wireless Mesh Network topology 40
  Mobility management 40

Chapter 2 Network installation overview 43
  IP addressing requirements 43
  Wireless Mesh Network subnetting 44
  Requirements for a pre-existing network 47
  DHCP server requirements 48
  RADIUS server requirements 50
  FTP server requirements 50
  SNTP server 51
  NAP router requirements 51
  Network Access Controller requirements 52
  Ethernet switch 55
  ONMS installation and configuration 55
  Distribution network 56
  Wireless AP 7220 deployment requirements 57
  Power requirements and information 57
  Network specifications 58

Chapter 3 Fault management 59
  Faults in the Wireless Mesh Network 59
  Faults in the Wireless AP 7220 59
  Faults in the Wireless Gateway 7250 60
  Optivity Network Management System (ONMS) 60
  Collecting and managing fault data 61
  Collecting fault data 61
  Managing fault data 62
  Alarm filtering 62
  Error logging 63
  Alarm statistics 64
  Fault reports and fault summaries 64
  Fault detection and investigation 65
  Fault correction 67
  Network recovery / auto-healing 68

Chapter 4 Configuration management 69
  Configuration overview 69
  Tools and utilities 70
  KeyGen tool 70
  ConfigVerify tool 71
  Configuring the Dynamic Host Configuration Protocol (DHCP) server 71
  Configuring the NAP router 72
  Configuring the RADIUS server 73
  Configuring the FTP server 74
  Configuring super ping in ONMS 75
  Configuring the Network Access Controller (NAC) 76
  Configuring an Ethernet switch 76
  Configuring the Wireless Gateway 7250 77
  Managing the Wireless Gateway 7250 through a console 79
  Configuring the interfaces 80
  Connecting to the Wireless Gateway 7250 using the web browser 82
  Configuring default routes (private and public) 82
  Configuring default routes 82
  Configuring default routes using the CLI 84
  Enabling services 85
  Enabling the FTP, Telnet, and SNMP service 85
  Using the Telnet service 86
  Installing/upgrading/downgrading Wireless Gateway 7250 software 86
  Setting up an FTP server 86
  Starting the upgrade process 86
  Enabling and configuring the Stateful Firewall 90
  Creating filters 92
  Saving and activating a policy 101
  Configuring advanced routing software 103
  Configuring client address redistribution (CAR) pools 105
  Configuring IPsec parameters 109
  Configuring Wireless AP 7220 user accounts 121
  Configuring a static IP address 123
  Configuring classifier rules 124
  Creating classifiers 124
  Creating classifier rules 126
  Associating the classifier to the rules 130
  Applying the classifiers to the interfaces 133
  Configuring a Wireless AP 7220 @ NAP 136
  Configuring a Wireless AP 7220 137
  Wireless AP 7220 pre-deployment configuration 138
  Wireless AP 7220 post-deployment configuration 140
  Initializing the Wireless AP 7220 from flash memory 140
  Initializing the Wireless AP 7220 from the Ethernet port 140
  Writing an image into flash memory 141
  Command line interface (CLI) option 141
  Configuring the configuration manager (ConfigMgr) 141
  Manually upgrading the Wireless AP 7220 software 142
  Software image information 143
  Configuring the DHCP user class 143
  Restarting a Wireless AP 7220 143
  Configuring the Wireless AP 7220 location 144
  Configuring the access link 144
  Configuring the transit link 145
  Enabling and configuring Wireless AP 7220 logging 147
  Configuring the log subsystem 147
  Specifying the severity of Wireless AP 7220 events forwarded to syslog 149
  Enabling or disabling Wireless AP 7220 logging 149
  Specifying the syslog server 152
  Upgrading the Wireless AP 7220 software 152
  Wireless AP 7220 pre-deployment software upgrade 152
  Command Line Interface (CLI) Wireless AP 7220 software download 153
  Switching to the new Wireless AP 7220 software load 154
  Rebooting the Wireless AP 7220 154
  Wireless AP 7220 post-deployment software upgrade 155
  ONMS Wireless AP 7220 software download 155
  Setting the delay timer 157
  Switching to the new Wireless AP 7220 software load 157
  Starting the delay reboot 158
  Load Redundancy in flash memory 158
  Configuring the Wireless AP 7220 for transit link authentication 158
  Configuring the Simple Network Time Protocol (SNTP) 159
  Configuring the Simple / Secure Network Management Protocol (SNMP) 160
  Configuring the RADIUS server shared secret 160
  Configuring the DHCP server user class 161
  Configuring the Subscriber Management Entity (SME) 161
  [entry title not recoverable] 162

Chapter 5 Accounting 163
  Overview 163
  Accounting server configurations 164
  RADIUS server accounting attributes 165
  Tracking of services and resource usage 168
  Time-based accounting 168
  Idle timeouts 168
  Network failure 169
  Fraud reporting 170
  Accounting traps 170

Chapter 6 Performance management 171
  Optivity Network Management System (ONMS) 171
  Collecting performance measurements 172
  Reporting performance measurements 173
  Analyzing performance measurements 173
  Maintaining and analyzing logs 176

Chapter 7 Security 179
  Security standards 179
  Security in the Wireless Mesh Network 179
  Subscriber security 181
  Transit link security 182
  Network security 183
  AAA policy services 184
  Authenticating Wireless AP 7220s 185
  Authenticating subscribers 185
  Authenticating subscribers using RSNA mobile nodes 185
  Authenticating subscribers using non-RSNA devices 186
  Quarantining unauthorized mobile nodes 187
  Security alarms and event reporting 187
  Security audit trails 188

Chapter 8 Administration 189
  Tools and utilities 189
  Managing network changes 190
  Managing Wireless Access Point 7220s 190
  Rebooting the Wireless AP 7220 192
  Managing Wireless Gateway 7250s 193
  Managing network access point routers (NAP-Rs) 194
  Managing end users 194
  Creating user accounts 195
  Modifying user accounts 196
  Deleting user accounts 196
  Performing and managing backups 196
  Restoring from backups 197

Appendix A KeyGen tool 199

Appendix B Sample DHCP configuration file 201

Appendix C FTP server user permissions 209
  Modifying FTP server user permissions 209

Appendix D Sample NAP router configuration 211

Appendix E Sample NAC configuration 215

Appendix F Sample FTP configuration file 219

Appendix G Wireless Access Point 7220 performance statistics 223
  Wireless Access Point 7220 statistics 223
  Wireless AP 7220 Access Link statistics 224
  Wireless AP 7220 Mobile IP statistics 224
  Wireless AP 7220 Transit Link Activity statistics 224
  Wireless AP 7220 IPsec Activity statistics 225
  RADIUS Authentication statistics 225
  RADIUS Authentication General statistics 225
  RADIUS Authentication Incoming statistics 225
  RADIUS Authentication OutGoingToServer statistics 226
  RADIUS Accounting statistics 226
  RADIUS Accounting General statistics 226
  RADIUS Accounting Incoming statistics 227
  RADIUS Accounting Outgoing statistics 227
  SNMP statistics 227
  SNMP engine statistics 228
  SNMP MPD statistics 228
  SNMP target statistics 228
  SNMP USM statistics 228
  OSPF statistics 229
  OSPF area table statistics 229
  OSPF interface statistics 229
  OSPF neighbor table statistics 229
  MIB-II statistics 230
  MIB-II system statistics 230
  MIB-II system status/profile statistics 230
  MIB-II interface statistics 231
  MIB-II interface status/profile statistics 231
  MIB-II interface InActivity statistics 231
  MIB-II interface OutActivity statistics 232
  MIB-II IP statistics 232
  MIB-II IP profile statistics 232
  MIB-II IP InActivity statistics 232
  MIB-II IP OutActivity statistics 233
  MIB-II IP address table statistics 233
  MIB-II IP route table statistics 233
  MIB-II ICMP statistics 234
  MIB-II ICMP InActivity statistics 234
  MIB-II ICMP OutActivity statistics 235
  MIB-II UDP statistics 235
  MIB-II UDP activity statistics 235
  MIB-II TCP statistics 236
  MIB-II TCP profile statistics 236
  MIB-II TCP activity statistics 236
  MIB-II SNMP statistics 236
  MIB-II SNMP InActivity statistics 236
  MIB-II SNMP OutActivity statistics 237

Appendix H Wireless Access Point 7220 traps 239

Glossary 241

Figures

Figure 1 Basic Wireless Mesh Network architecture 28
Figure 2 Inter-Wireless Gateway 7250 roaming Wireless Mesh Network architecture 36
Figure 3 Wireless AP 7220 radio links overview 39
Figure 4 Basic Wireless Mesh Network IP addressing architecture 44
Figure 5 InfoCenter window indicating devices in fault 66
Figure 6 Fault Summary window with fault, trap, and syslog details 67
Figure 7 Basic network layout example 77
Figure 8 Inter-Wireless Gateway 7250 roaming and mobility network layout example 78
Figure 9 The Static Routes screen 83
Figure 10 Private Default Route screen 83
Figure 11 Enabling the FTP service 85
Figure 12 Directory tree screen 87
Figure 13 The Upgrades screen 87
Figure 14 Upgrade Retrieval screen 88
Figure 15 Retrieval progress screen 89
Figure 16 New Version Retrieve status screen 89
Figure 17 Upgrade apply screen 90
Figure 18 The License key screen 91
Figure 19 The Firewall / NAT screen 92
Figure 20 New Policy screen 93
Figure 21 Adding a MIP policy 94
Figure 22 Creating a mobile IP (MIP) service filter 95
Figure 23 Adding a mobile IP (MIP) service filter 96
Figure 24 The Stateful Firewall screen 96
Figure 25 Network Object Type Selection screen 98
Figure 26 IP range object screen 99
Figure 27 Assigning a captive portal to the mobile node pool 100
Figure 28 Defined mobile node pools 101
Figure 29 Global configuration 102
Figure 30 Enabling the gratuitous ARP 103
Figure 31 Example of the local OSPF parameters 104
Figure 32 Example of the global OSPF parameters 105
Figure 33 Adding an IP address pool 107
Figure 34 Example of an IP address pool list 107
Figure 35 Enable CAR pools 108
Figure 36 Enabling a route policy 109
Figure 37 Global IPsec parameters 110
Figure 38 Global IPsec parameters (continued) 110
Figure 39 Global IPsec parameters (continued) 111
Figure 40 Example of a Wireless AP 7220 address pool configuration 113
Figure 41 Example of adding a Wireless AP 7220 group 114
Figure 42 Example of editing a Wireless AP 7220 group 115
Figure 43 Wireless AP 7220 @ NAP group connectivity parameters 116
Figure 44 Wireless AP 7220 @ NAP group connectivity parameters (continued) 116
Figure 45 Wireless AP 7220 @ NAP group connectivity parameters (continued) 117
Figure 46 Wireless AP 7220 group connectivity parameters 117
Figure 47 Wireless AP 7220 group connectivity parameters (continued) 118
Figure 48 Wireless AP 7220 group connectivity parameters (continued) 118
Figure 49 Group IPsec parameters 120
Figure 50 Group IPsec parameters (continued) 121
Figure 51 Example of configuring a Wireless AP 7220 user account 122
Figure 52 Configuring a static IP address 123
Figure 53 Creating a classifier 125
Figure 54 Edit Classifier screen 125
Figure 55 Classifiers screen 126
Figure 56 Creating classifier rules 127
Figure 57 Classifiers Rules Port screen 128
Figure 58 Create Port screen 129
Figure 59 Associating the classifier to the rules 131
Figure 60 Edit Classifier (PRIVATE_INGRESS) screen 132
Figure 61 Edit Classifier (PUBLIC_EGRESS) screen 133
Figure 62 QoS Interfaces screen 134
Figure 63 Enabling the private classifier 135
Figure 64 Computer to Wireless AP 7220 @ NAP Ethernet connection 136
Figure 65 Pre-deployment configuration 139
Figure 66 Selecting a Wireless AP 7220 to enable logging 150
Figure 67 The Monitor Options - Syslog Registration option 151
Figure 68 Accounting server configurations 164
Figure 69 Example OmniView GUI displaying Wireless AP 7220 statistics tables 174
Figure 70 Example OmniView GUI displaying Wireless AP 7220 statistics graphs 175
Figure 71 Example OmniView MIB help window 176
Figure 72 Wireless Mesh Network and other network components relative to private and public network entities 180
Figure 73 Subscriber security in the Wireless Mesh Network 182
Figure 74 Transit link and network security in the Wireless Mesh Network 183
Figure 75 Wireless AP 7220 device configuration screen 192

Tables

Table 1 NOSS requirements 32
Table 2 ONMS applications 34
Table 3 Wireless Mesh Network subnetting 45
Table 4 IP address categories 46
Table 5 Private ingress classifier rules port information 129
Table 6 Public egress classifier rules port information 130
Table 7 Accounting attributes 165
Table 8 Transit link parameters requiring Wireless AP 7220 reboot 191
Table 9 Fault correlation of Wireless Mesh Network traps 240

Preface
This guide introduces the Nortel Wireless Mesh Network. It provides overview,
configuration, and maintenance information to help you install, configure and
maintain your Wireless Mesh Network.

Before you begin


This guide is for network managers who are responsible for setting up,
configuring, and maintaining the Wireless Mesh Network. This guide assumes
that you have experience with windowing systems or graphical user interfaces
(GUIs) and familiarity with network management.
Along with the Wireless AP 7220 software provided on the Wireless AP 7220
software CD, two Wireless Mesh Network tools are also provided: KeyGen and
ConfigVerify. You can also download these tools using the Nortel Customer
Support portal at http://www.nortelnetworks.com/index.html if you have a Nortel
Customer Support Contract.


Text conventions
This guide uses the following text conventions:

angle brackets (< >)
    Indicate that you choose the text to enter based on the description inside
    the brackets. Do not type the brackets when entering the command.
    Example: If the command syntax is ping <ip_address>, you enter
    ping 192.32.10.12

bold Courier text
    Indicates command names and options and text that you need to enter.
    Example: Use the dinfo command.
    Example: Enter show ip {alerts|routes}.

braces ({})
    Indicate required elements in syntax descriptions where there is more than
    one option. You must choose only one of the options. Do not type the braces
    when entering the command.
    Example: If the command syntax is show ip {alerts|routes}, you must enter
    either show ip alerts or show ip routes, but not both.

brackets ([ ])
    Indicate optional elements in syntax descriptions. Do not type the brackets
    when entering the command.
    Example: If the command syntax is show ip interfaces [-alerts], you can
    enter either show ip interfaces or show ip interfaces -alerts.

ellipsis points (. . . )
    Indicate that you repeat the last element of the command as needed.
    Example: If the command syntax is ethernet/2/1 [<parameter> <value>]... ,
    you enter ethernet/2/1 and as many parameter-value pairs as needed.

italic text
    Indicates new terms, book titles, and variables in command syntax
    descriptions. Where a variable is two or more words, the words are
    connected by an underscore.
    Example: If the command syntax is show at <valid_route>, valid_route is
    one variable and you substitute one value for it.

plain Courier text
    Indicates command syntax and system output, for example, prompts and
    system messages.
    Example: Set Trap Monitor Filters

separator ( > )
    Shows menu paths.
    Example: Protocols > IP identifies the IP option on the Protocols menu.

vertical line ( | )
    Separates choices for command keywords and arguments. Enter only one of
    the choices. Do not type the vertical line when entering the command.
    Example: If the command syntax is show ip {alerts|routes}, you enter
    either show ip alerts or show ip routes, but not both.

Icon conventions
Figures in this guide that depict a Wireless Mesh Network use the following
standard icons (the icon images themselves are not reproduced here; only their
names are listed):
• Wireless Access Point 7220
• Wireless Gateway 7250
• Network Access Point router
• Network Access Controller
• Ethernet switch
• Network Operations Support System (NOSS) servers (DHCP, FTP, RADIUS AAA, SNTP)
• Optivity Network Management System (ONMS) in NOSS
• Mobile Node
• RF wireless connection
• Border Gateway

Documentation roadmap
For information about installing, configuring, monitoring, and managing a
Wireless Mesh Network, refer to the following publications:
• Wireless Mesh Network Solution Reference Guide (318507-A)
• Configuration Record for a Nortel Networks Wireless Mesh Network
  (318509-A)

For information about installing a Wireless Access Point 7220, refer to the
following publications:
• Installing the Nortel Networks Wireless Access Point 7220 (318527-A)
• Quick Reference to Installing the Nortel Networks Wireless Access Point 7220
  (318528-A)

For information about installing and using a Wireless Gateway 7250, refer to the
following publications:
• Installing the Nortel Networks Wireless Gateway 7250 (318511-A)
• Installing Hardware Options for the Nortel Networks Wireless Gateway 7250
  (318519-A)
• Configuring Firewalls and Filters for the Nortel Networks Wireless Gateway
  7250 (318516-A)
• Managing and Troubleshooting the Nortel Networks Wireless Gateway 7250
  (318517-A)
• Command Line Interface for the Nortel Networks Wireless Gateway 7250
  (318518-A)

For information about using the Optivity Network Management System, refer to
the following publications:
• Release Notes for Optivity NMS Release 10.2 (205970-G)
  Provides the latest information, including brief descriptions of the new
  features, problems fixed in this release, and known problems and
  workarounds.
• Quick Installation and Startup for Optivity NMS 10.2 for Windows
  (208830-F)
  Provides brief instructions for installing and getting started with Optivity
  NMS 10.2 for Windows NT*, Windows 2000, and Windows 2003 platforms.
• Quick Installation and Startup for Optivity NMS 10.2 for UNIX (208949-F)
  Provides brief instructions for installing and getting started with Optivity
  NMS 10.2 for UNIX platforms.
• Quick Installation of Optivity NMS 10.2 Database (213315-C)
  Provides brief instructions for installing the Oracle database software required
  for Optivity NMS 10.2 on a UNIX or Windows platform.
• Installing and Administering Optivity NMS 10.2 (205969-G)
  Describes how to install and administer Optivity NMS 10.2 to start managing
  your Wireless Mesh Network.
• Using Optivity NMS 10.2 Applications (207569-E)
  Describes how to use the integrated Optivity Network Management System
  tools and applications to get the most out of your network resources.
• Agent Support for Optivity NMS 10.2 (216729-A)
  Describes devices and agents supported for Optivity NMS 10.2.

Hard-copy technical manuals


You can print selected technical manuals and release notes free of charge, directly
from the Internet. Go to the www.nortelnetworks.com/documentation URL. Find
the product for which you need documentation. Then locate the specific category
and model or version for your hardware or software product. Use Adobe* Acrobat
Reader* to open the manuals and release notes, search for the sections you need,
and print them on most standard printers. Go to Adobe Systems at the
www.adobe.com URL to download a free copy of the Adobe Acrobat Reader.

How to get help

If you purchased a service contract for your Nortel product from a distributor or
authorized reseller, contact the technical support staff for that distributor or
reseller for assistance.
If you purchased a Nortel service program, contact one of the following Nortel
Technical Solutions Centers:

Technical Solutions Center           Telephone
Europe, Middle East, and Africa      (33) (4) 92-966-968
North America                        (800) 4NORTEL or (800) 466-7835
Asia Pacific                         (61) (2) 9927-8800
China                                (800) 810-5000


Additional information about the Nortel Technical Solutions Centers is available
from the www.nortelnetworks.com/help/contact/global URL.
An Express Routing Code (ERC) is available for many Nortel products and
services. When you use an ERC, your call is routed to a technical support person
who specializes in supporting that product or service. To locate an ERC for your
product or service, go to the http://www.nortelnetworks.com/help/contact/erc/
index.html URL.


Chapter 1
Fundamentals
Wireless Mesh Network solutions
A Wireless Mesh Network enables mobile users to enjoy secure, seamless,
wireless roaming across converging public and private networks, as well as
hotspot environments.
Nortel's Wireless Mesh Network solution uses a number of wireless access points
connected point to point. The traditional hub or star configuration found in a
traditional WLAN backhaul is replaced with point to point connections between
wireless access points to form a mesh network backhaul to the broadband
network. Replacing the wired backhaul with wireless backhaul does not require
existing LAN infrastructure when deploying the Wireless Mesh Network solution.
The Wireless Mesh Network solution uses standard IEEE 802.11 technology for
providing broadband wireless access and wireless backhaul. A Wireless Mesh
Network solution is ideal in providing WLAN coverage in open spaces where
traditional WLAN systems are prohibitive to deploy because CAT5 or LAN
cabling does not exist or is costly and difficult to deploy. Some examples of places
where a Wireless Mesh Network solution would have advantages over a standard
WLAN solution are:

• open spaces such as parks or public plazas
• shopping malls
• campus environments such as universities or research parks
• airports, bus stations, train stations
• industrial facilities such as truck stops and dockyards
• stadiums and outdoor recreational facilities
• metropolitan areas

Network overview
Network architecture
A graphical representation of a basic Wireless Mesh Network system is shown in
Figure 1.
Figure 1 Basic Wireless Mesh Network architecture


Community Area Network


The Community Area Network (CAN) is a cluster of Wireless Access Point 7220s
that form a self-organizing and auto-configuring mesh structure. It is a cluster of
Wireless Access Point 7220s that can associate with each other within the control
of one Wireless Gateway 7250. The CAN uses multi-hop, wireless (unlicensed)
backhaul from a wired broadband network access point (NAP). Security functions
protect control, management, and user traffic flowing over the wireless links, and
authorize access by mobile subscribers.

Network Access Point


The Wireless AP 7220 connected to the Network Access Point (NAP) router
(known as a NAP-R) is referred to as a Wireless AP 7220 @ NAP. It is the point
of interconnection between the CAN and the distribution network. The Wireless
AP 7220 @ NAP is a Wireless AP 7220 connected to the NAP-R via a wired
Ethernet connection. This Wireless AP 7220 @ NAP communicates with a cluster
of Wireless AP 7220s in a CAN. The Wireless AP 7220 @ NAP performs traffic
collection and distribution functions for traffic originating and terminating over
the broadband backbone network.
The NAP-R incorporates routing functions and multiple wired Ethernet links for
connection to Wireless AP 7220 @ NAPs. The NAP-R acts as a standard IP router
or an IP routing function in a network edge device. The IP router must support
OSPF.

Wireless Access Point 7220


The Wireless Access Point 7220 (Wireless AP 7220) provides the following:
• traffic collection and distribution functions for traffic within the Community
  Area Network
• extended reach, simplified deployment, and reliability due to its antenna
  design
• wireless access functions for connection to wireless mobile nodes (MNs)
• routing and wireless transit functions for connection to two or more Wireless
  AP 7220s and to NAPs
• security functions for validating connections to other Wireless AP 7220s
• security functions for controlling user device access

The Wireless AP 7220 also acts as a:
• DHCP-Client - for itself
• DHCP-Relay - for mobile nodes and for neighbor Wireless AP 7220s
• RADIUS Authentication Client (Authenticator) - for mobile nodes and for
  neighbor Wireless AP 7220s
• RADIUS Accounting Client - for mobile nodes

Enterprise/ISP backbone network


The Enterprise/ISP backbone network is a Layer 3 routed domain (that is, IP
routing decisions are made by the backbone network). It is used to carry IP traffic
between the Wireless Gateway 7250 and other elements of the Enterprise/ISP
network (for example, Border Gateways and NOSS servers).

Wireless Gateway 7250


The Wireless Gateway 7250 advertises reachability (within the Enterprise/ISP
Distribution Network) for one or more IP subnets assigned to Wireless Mesh
Network CAN subscribers and network entities. It is the security and mobility
anchor point for the Wireless Mesh Network. In addition, it hides Wireless Mesh
Network-specific mobility and security functions from the rest of the Enterprise/
ISP Distribution and Backbone Networks.
The Wireless Mesh Network solution integrates elements of existing Nortel
products and solutions. As a result, references to Contivity may appear in both
Wireless Gateway 7250 operator interfaces and in this document. However, note
that the Wireless Gateway 7250 platform is unique to the Wireless Mesh Network
solution, and is not interchangeable with any other Nortel platform.
The standard CLI can be used for all needed OAM&P interactions with the
Wireless Gateway 7250, such as statistics, configuration, event/fault handling.
The CLI can be accessed remotely by using the standard telnet protocol.


Enterprise / ISP / Metro distribution network


The Enterprise / ISP / Metro distribution network is used to carry IP traffic
between the Wireless Gateway 7250 and Network Access Point routers (NAP-R).
It can be a Layer 3 routed domain (where IP routing decisions are made by the
distribution network), or can be a Layer 1 or Layer 2 transport domain (that is,
(virtual) point-to-point links between Wireless Gateway 7250 and NAP-R). This
network can be the same network as the Enterprise / ISP Backbone Network.

Border Gateway
The Border Gateway is a (logical) network entity that incorporates all functions
required to interface with the Internet. It advertises reachability to the Internet for
IP addresses assigned to Wireless Mesh Network subscribers and network entities.
The border gateway can also provide connectivity for other, non-Wireless Mesh
Network Enterprise/ISP entities. Also, it can incorporate other inter-networking
functions (for example, NAT, firewall, redirection). However, the border gateway
has no knowledge of Wireless Mesh Network specific mobility and security
functions.

Network Operations Support System


The Network Operations Support System (NOSS) provides centralized facilities
for monitoring and managing network operations, using industry-standard
protocols to communicate with the distributed elements in the Wireless Mesh
Network.


The NOSS consists of the Nortel Optivity Network Management System
(ONMS), industry standard FTP, RADIUS, Dynamic Host Configuration Protocol
(DHCP), and SNTP servers. The minimum requirements for the NOSS are listed
in Table 1.
Table 1 NOSS requirements
Element | Requirement | Description
Network Management System | Nortel Optivity NMS (release 10.2) | The ONMS provides fault, performance, and configuration management, and discovers and displays Wireless AP 7220s and the Wireless Gateway 7250
DHCP server | RFC 3011 support (subnet selection option) | The DHCP server provides dynamic IP address assignments for Wireless AP 7220s and mobile nodes
RADIUS server | EAP-TLS, EAP-TTLS, EAP-PEAP, EAP-LEAP support | The RADIUS server performs mobile and Wireless AP 7220 authentication and accounting
FTP Server | No special requirements | The FTP server stores the configuration files that the Wireless AP 7220 downloads when powering up, and the Wireless AP 7220 software
SNTP server | No special requirements | The SNTP server provides the Wireless AP 7220 with the time parameters it needs to ensure that each event logged on the Wireless AP 7220 has the proper time-stamp information

Centralized management
The NOSS provides centralized facilities for monitoring and managing network
operations, using industry-standard protocols to communicate with the distributed
elements in the Wireless Mesh Network.


In the first release of Wireless Mesh Networks, the NOSS uses ONMS version
10.2 with the Wireless Mesh Network specific Optivity Integration Toolkit (OIT)
and patches, which add the functionality needed to support the Wireless AP 7220
and enable the ONMS to manage the Wireless AP 7220s in the network. Refer to
ONMS installation and configuration for more information.
The ONMS uses common graphical user interfaces and proven technology to
provide the necessary tools to manage and visualize the Wireless Mesh Network
and its key elements.
ONMS fits into any network operations model, providing the flexibility to access
key management functions across the network from various locations. Based upon
a scalable client/server architecture, ONMS enables users to access any ONMS
server in the network from one client installation, or supported web browser
(Internet Explorer or Netscape). This distributed approach provides access to key
management tools from any Web-enabled workstation.
The following Optivity Network Management Options are available:
• ONMS Campus supports 500 IP Nodes (Nodes is the number of managed
  Nortel IP interfaces. This is only available for Windows OS.)
• ONMS Enterprise supports 5000 IP Nodes (Nodes is the number of
  managed Nortel IP interfaces. An upgrade to 10000 IP Nodes is available.)
• ONMS Eval to Campus upgrade from Campus Evaluation to a licensed
  version. Note that this is the same as buying a Campus version.

With ONMS Enterprise, a single ONMS server scales to support up to 5,000 IP
addressable network elements. An upgrade is available for ONMS Enterprise to
support 10,000 IP addressable network elements. With ONMS Enterprise, a
network manager can display a sum of 5,000 objects across all views. They can
use multiple servers to manage a larger number of IP addressable network
elements from a single management station.
For smaller environments, Nortel offers the Campus version of ONMS. Optivity
Campus scales to support up to 500 IP addressable network elements and runs on
Windows NT and Windows 2000. With Campus, a network manager can display a
sum of 1,500 objects in all views.
In addition, ONMS provides day one device support via the Optivity Integration
Toolkit (OIT). The OIT enables ONMS applications to take advantage of new
Nortel hardware devices right out of the box.

ONMS provides a single location for managing fault and performance across the
network, and a launch point and interface to other Optivity products. ONMS
provides visualization of Layer 1, 2, and 3 devices, network topology, faults, and
real-time performance statistics.
The following table briefly describes the supported ONMS applications:
Table 2 ONMS applications
ONMS Application Support | Description
Discovery | Enables discovery of Wireless Mesh Network devices with ONMS AutoTopology applications.
Organization | Wireless Mesh Network devices are placed in the WMN folder in the ONMS InfoCenter folder tree.
Performance Management | Ability to monitor Wireless Mesh Network device performance with ONMS OmniView.
Fault Management | Enables management of Wireless Mesh Network device traps and faults with Fault Summary.
Device Configuration Management | Ability to open the embedded web configuration interfaces for Wireless Mesh Network devices in InfoCenter by right-clicking the device and choosing Configuration / Embedded Web Interface.
Inventory Management | The inventory of Wireless Mesh Network devices and agents can be managed with the Device Inventory Viewer.
Graphical View | ONMS ExpandedView presents a physical graphical view of a given network device. For the Wireless AP 7220, using ExpandedView enables the user to verify specific configuration parameters.

Key benefits of ONMS include
• ease of managing and troubleshooting networks
• automated discovery and display of topology and devices
• consolidation and correlation of network faults
• powerful diagnostic functions
• real-time performance analysis
• scalability and security for managing large networks


Wireless Mobile Node


The subscriber's wireless mobile node is a commercial, off-the-shelf consumer
device (for example, a PDA or laptop) with a standard IEEE 802.11b/g Network
Interface Card.

Inter-Wireless Gateway 7250 roaming and mobility


The Wireless Mesh Network architecture can be extended to support seamless
Inter-Wireless Gateway 7250 roaming and mobility. This distributed architecture
allows for extensive scalability over multiple CANs across multiple Wireless
Gateway 7250s in a wide area Wireless Mesh Network. The Inter-Wireless
Gateway 7250 roaming and mobility functionality is well-suited for larger
deployments.
The Inter-Wireless Gateway 7250 roaming architecture is based on a two-tier
anchor points hierarchy over a distributed network.

Figure 2 Inter-Wireless Gateway 7250 roaming Wireless Mesh Network architecture

Inter-Wireless Gateway 7250 roaming adds two major network elements into the
Wireless Mesh Network architecture:

Network Access Controller


The Network Access Controller (NAC) performs two major functions:
• Inter-Wireless Gateway 7250 roaming support function
  It is responsible for controlling mobile traffic going in and coming out of the
  Wireless Mesh Network cluster (WMC). Traffic originating from or
  terminating at a mobile node must be funneled to a NAC through a routing
  protocol information exchange or through a static route configuration. The
  same NAC remains the anchor point for the mobile node to direct all the
  incoming and outgoing traffic to and from the mobile node.
• Access control function
  The access control function includes the captive portal re-direct function of
  the NAC. It ensures all mobile subscribers are authenticated before mobile
  node traffic can flow through. Before a mobile subscriber is authenticated, the
  captive portal redirects all mobile node HTTP traffic to a dedicated internet
  web page specified by the local network provider for mobile subscriber
  authentication.

Any product that can support these two functions can be configured as a NAC in a
Wireless Mesh Network. Additional requirements must be met if the NAC is
deployed in a network that supports the Inter-Wireless Gateway 7250 roaming
capability. Refer to Network Access Controller requirements for more
information.
Once the mobile subscriber has successfully authenticated, the NAC provides
web-based accounting support for non-RSNA-based subscribers. RSNA
subscribers that use web-based accounting must be independently authenticated
twice: once through the Wireless AP 7220 with the RADIUS server, and once
through the captive portal with the RADIUS server. RSNA subscribers that do not
use web-based accounting are authenticated only through the Wireless AP 7220
with the RADIUS server but must provide special filtering at the captive portal.
Refer to Configuring the Network Access Controller (NAC) and Appendix E,
Sample NAC configuration for complete instructions on how to configure a
sample NAC.
The NAC can be deployed in a basic Wireless Mesh Network architecture as well
as in a network that supports Inter-Wireless Gateway 7250 roaming. In both cases,
packet steering rules must be configured on the Wireless Gateway 7250 to direct
mobile traffic towards the appropriate NAC. The NAC can then authenticate the
mobile subscriber (if the mobile subscriber has not yet been authenticated) and
exercise access control on the mobile traffic.
Refer to Filter 4 and Configuring client address redistribution (CAR) pools in
Chapter 4, Configuration management for complete information about
configuring packet steering rules.


Ethernet switch
The Layer 2 Ethernet switch provides the technology to support the mobility
information exchange between the two-tier anchor points. It connects the
distributed Network Access Controllers and the distributed Wireless Mesh
Network cluster (WMC).
Any Ethernet switch that can support this function can be configured in a Wireless
Mesh Network.

Access and transit links


The Nortel Wireless Mesh Network Wireless AP 7220 has both access and transit
link antennas.
Transit links are used in the Wireless Mesh Network to interconnect the Wireless
AP 7220s to form a self-configuring access network for packet data services.
There is a single transit link (TL) IEEE 802.11a radio per Wireless AP 7220 and
this is shared among the directional (patch) antennas for the transit links to
neighboring Wireless AP 7220s. The antenna is configured for six independently
selected, directional, facet-equipped beam antennas. The Wireless AP 7220 or
Wireless AP 7220 @ NAP automatically selects the best transit link beam to
connect with its neighbors.
Access links connect mobile stations (subscribers) to the Wireless AP 7220s.
There is a single access link (AL) IEEE 802.11b or 802.11g radio per Wireless AP
7220 with two switched antenna diversity connections. The Access Link antenna
is at the base of the unit and provides omni-directional coverage and is used to
connect to wireless mobile nodes.
Access and Transit Radio links are separated in frequency (2.4 GHz for access and
5 GHz for transit). Figure 3 shows an overview of Wireless AP 7220 radio links.

Figure 3 Wireless AP 7220 radio links overview

Principles of operation
A Nortel Wireless Mesh Network operates in the following manner:
• traffic routing follows users as they roam from the coverage of one Wireless
  AP 7220 to another
• fault recovery occurs when a Wireless AP 7220 becomes unavailable


Wireless Mesh Network topology


A Wireless Mesh Network has an arbitrary topology. The network operates in a
peer-to-peer fashion which means that each Wireless AP 7220 has routing
capabilities built into it and can use its neighbors as routers to transmit traffic back
and forth to the broadband network. The Wireless AP 7220 also incorporates
neighbor auto-discovery techniques, enabling it to identify neighboring Wireless
AP 7220s and possible routing paths automatically without the intervention of a
technician or management system. When combined with the included adaptive
routing algorithms using OSPF routing capabilities, this provides a self-healing
network - a network that is able to recover from the loss of a Wireless AP 7220 by
connecting with other neighboring Wireless AP 7220s and using alternate routes
to transmit data.

Mobility management
In the Wireless Mesh Network solution, end users can roam seamlessly across the
Wireless AP 7220s in the network that are within the span of the Wireless
Gateway 7250 or in the case of Inter-Wireless Gateway 7250 roaming, between
multiple Wireless Gateway 7250s. Key attributes to this solution include:

• mobility client software is not required on a mobile node
• path update is transparent to the mobile node
• session hand-over between Wireless AP 7220s
• multi-session accounting co-ordination across Wireless AP 7220s (Note that
  this functionality is only applicable in a basic Wireless Mesh Network
  environment.)
• IP address retention while the mobile node roams

When a mobile node moves from one Wireless AP 7220 coverage area to another
(either through roaming or link fading), the endpoint of the connection path is
moved to the new Wireless AP 7220 using IP layer 3 routing capabilities. The new
path may even be routed through a different NAP router. No client software is
required on the mobile node.


If one node in the routing path has a problem (either within the Wireless AP 7220
itself or with maintaining one of the links), the OSPF routing algorithms and the
interconnections of the mesh network allow the network to find an alternate path
to the Wireless AP 7220 that is providing service to the mobile node. This
automatic rerouting is transparent to the mobile node.


Chapter 2
Network installation overview
This chapter contains the following topics:
Topic | Page
IP addressing requirements | 43
Requirements for a pre-existing network | 47
Wireless AP 7220 deployment requirements | 57

Prior to installing a Wireless Mesh Network, ensure the following:
• an IP addressing plan must be available
• NOSS components must be installed and configured
• Wireless Gateway 7250 must be installed and configured
• a Network Access Point (NAP) must be installed and configured
• in an Inter-Wireless Gateway 7250 roaming environment, an Ethernet switch
  and Network Access Controller (NAC) must be installed and configured

IP addressing requirements
The information in this section is intended to provide guidelines for IP address
planning for the Wireless Mesh Network.
The Wireless Mesh Network IP addressing architecture is shown in Figure 4.

Figure 4 Basic Wireless Mesh Network IP addressing architecture

Wireless Mesh Network subnetting


The Wireless Mesh Network consists of two basic networks: intranet and extranet.
Each Wireless Access Point 7220 is assigned an extranet address and an intranet
address. All other devices excluding mobile nodes are assigned Intranet addresses.
The Wireless AP 7220 Extranet address is primarily used for signalling within the
Wireless Mesh Network while the Intranet address is used for management
purposes and IPsec tunneling. All mobile nodes are assigned an IP address from
the mobile node address pool. To allow for better security control of mobile
traffic, the mobile node IP addresses are completely separated from the Intranet
and Extranet address pools.
The following are examples of subnets used on a typical network deployment (see
Figure 7):
• NOSS subnet is 192.168.30.0/24
• AP Extranet Subnet is 27.0.27.x/24 subnet
• AP intranet subnet is 192.168.50.x/24 subnet
• mobile node subnet is 192.168.40.y subnet (for example, a range of
  192.168.40.10 to 192.168.40.50).

Table 3 provides further details for Wireless Mesh Network subnetting.
Table 3 Wireless Mesh Network subnetting
Network Segment | Subnet | Specific Addresses | Comments
NOSS Elements | 192.168.30.0/24 | DHCP=192.168.30.11, FTP=192.168.30.13, RADIUS=192.168.30.12, SNTP=192.168.30.15 | Can be any subnet within Corporate network
AP Network (Extranet) | 27.0.27.x | NAP-R=27.0.27.1, Wireless AP 7220 @ NAP=27.0.27.4 | All APs assigned address within this range with mask 255.255.255.255 (except for the Wireless AP 7220 @ NAP which is set to 255.255.255.0.)
AP Network (Intranet) | 192.168.50.x/24 | Wireless Gateway 7250=30.0.30.1 | Assigned by Wireless Gateway 7250
Wireless Gateway 7250 Untrusted | 30.0.30.1 | Any |
Wireless Gateway 7250 Management | 192.168.20.248 | Any |
Distribution Network | Any | Any |
Mobile Nodes | 192.168.40.y (e.g., range of 192.168.40.10 to 192.168.40.50) | Access Point Access Link=192.168.40.9 | Can be any subnet between NAP router and Wireless Gateway 7250. One address in this Subnet is reserved for AP Access Link
Ethernet switch | 192.168.20.x | 192.168.20.0 | netmask 255.255.255.0
Network Access Controller Interface | 192.168.20.10x (e.g. range of 192.168.20.101 to 192.168.20.199) | 192.168.20.101 | The NAC must be located northbound of the Wireless Gateway 7250.
Network Access Controller Private Interface IP | 192.168.80.1/99 | 192.168.80.1 | The NAC must be located northbound of the Wireless Gateway 7250.
Network Access Controller Private Management Interface IP | 192.168.80.10x (e.g. range of 192.168.80.101 to 192.168.80.199) | 192.168.80.101 | The NAC must be located northbound of the Wireless Gateway 7250.

IP Address categories and usage are shown in Table 4. See Figure 7 for the
network layout of this example:
Table 4 IP address categories
Address Category (See accompanying documents for descriptions) | Address Type | Value (Examples) | Additional Comments
Intranet Domain Addresses
2A NOSS Elements
  Optivity Network Management System (ONMS) | Specific | 192.168.30.13 | Configured on the N/W Element interface
  RADIUS Servers: Authentication Server | Specific | 192.168.30.12 | Configured on the N/W Element interface
  RADIUS Servers: Accounting Server | Specific | 192.168.30.12 | Configured on the N/W Element interface
  DHCP Server | Specific | 192.168.30.11 | Configured on the N/W Element interface
  FTP File Server (for software download and Wireless AP 7220 configuration data download) | Specific | 192.168.30.13 | Configured on the N/W Element interface
  SNTP Server | Specific | 192.168.30.14 | Configured on the N/W Element interface
2B Enterprise Extension Space
  2B1 i.AP - The intranet Wireless AP 7220 IP Address range | Subnet | 192.168.50.x (24 bit netmask) | Configured at the Wireless Gateway 7250. The Wireless Gateway 7250 assigns a unique i.AP address from this subnet pool to each Wireless AP 7220 that establishes an IPsec tunnel with the Wireless Gateway 7250.
  2B2 i.WG - The intranet Wireless Gateway 7250 IP Address | | | Each Wireless Gateway 7250 in the network requires the following IP addresses.
    Private Interface IP Address | Specific | 192.168.20.1 | Configured on the Wireless Gateway 7250.
    Management IP Address | Specific | 192.168.20.248 | Configured on the Wireless Gateway 7250 private interface.
  2B3 i.MN - Mobile Node intranet IP Address | Subnet | 192.168.40.y (e.g., range of 192.168.40.10 to 192.168.40.50) | Configured on the DHCP Server. The DHCP assigns a unique i.MN address from this subnet pool to each mobile node (MN) that establishes connection with the Wireless Mesh Network.
Extranet Domain Addresses
  3A x.AP - The extranet Wireless AP 7220 IP Address | Subnet | 27.0.27.x (32 bit netmask) | Configured on the DHCP Server. The DHCP assigns a unique x.AP address from this subnet pool to each Wireless AP 7220 that establishes connection with the Wireless Mesh Network. Any statically configured Wireless AP 7220 IP address (for example, Wireless AP 7220 @ NAP) must be excluded from the x.AP subnet pool configured at the DHCP Server.
    AP 7220 @ NAP IP static address | Specific | 27.0.27.4/24 |
  3B x.WG - The extranet Wireless Gateway 7250 IP Address | Specific | 30.0.30.1 | Configured on the public interface of the Wireless Gateway 7250.
  3C x.NAP - The extranet IP Address for the NAP router | Specific | 27.0.27.1 | Configured on the NAP interface to which Wireless AP 7220 @ NAP will be connected. A NAP router may have multiple interfaces to which each Wireless AP 7220 @ NAP is connected. Each of these interfaces requires an IP address. Note that for each Wireless AP 7220 @ NAP, the IP address must belong to the subnet of the NAP router interface to which the Wireless AP 7220 @ NAP is connected via its Ethernet interface.

Requirements for a pre-existing network


For an overview of Network Operations and Support Systems (NOSS)
requirements see Table 1. The following network elements are included in the
NOSS:
• DHCP Server
  The installation and operation of the DHCP server will depend on the
  vendor chosen to supply the server. Please refer to the vendor manuals for
  information on the mechanisms used to configure the chosen DHCP
  server.
  For DHCP configuration information, refer to the section titled
  Configuring the Dynamic Host Configuration Protocol (DHCP) server
  and Appendix B, Sample DHCP configuration file for complete
  instructions.
• FTP Server
• (Optivity) Network Management System (ONMS)
• RADIUS Server
• SNTP server

Before Wireless Mesh Network deployment ensure that existing network
components meet the requirements indicated in the sections that follow.


DHCP server requirements


The DHCP Server must:
• support the RFC 3011 subnet selection option (SSO)
• have a reserved lease timer set to be high (or configurable to be high)
  The high time is necessary to accommodate the delays potentially incurred
  through multiple Wireless AP 7220 hops.

DHCP configuration information can be found in Chapter 4, Configuration
management.

Possible DHCP server configurations


The following Wireless AP 7220 configurations are provisioned through the
DHCP server:
• address pool (x.AP subnet)
• subnet mask
• default routers
• address lease time
• location of Configuration File (FTP server address)
• name of Configuration File (on the FTP server)

The following mobile node configurations are provisioned through the DHCP
server:
• address pools (i.MN subnet) and subnet mask reflecting the size of the pool
• default router Wireless Gateway 7250 intranet IP address
• address lease time

DHCP server configuration for Wireless AP 7220


Configure the DHCP for standalone Wireless AP 7220 support with the following
information:
• a range of extranet IP addresses (x.AP) for assignment to Wireless AP 7220s
• a Subnet mask of 255.255.255.255 must be assigned to all Wireless AP 7220s
• the Default router list must contain only one entry which must be set to the IP
  address of the designated Wireless Gateway 7250 (This is the public side of
  the network.)
• the Server Name must be set to the IP address of the FTP server
• the Filename must be set to the pathname of the configuration file on the FTP
  server.

Note: The Wireless AP 7220 @ NAP must be statically configured. Refer to
Configuring a Wireless AP 7220 @ NAP.

DHCP server configuration for mobile nodes


Configure the DHCP for mobile node support with the following information:
• a range of intranet IP addresses (i.MN) for assignment to mobile nodes
• a Subnet mask reflecting the size of the address pool reserved for mobile
  nodes
• the Default router list must contain only one entry which must be set to the
  management IP address of the Wireless Gateway 7250 for this mobile node
  address pool

It is possible to assign an IP address to any mobile node statically by creating a
host declaration that contains each mobile node Ethernet MAC address. When the
mobile node broadcasts for an IP address, the MAC address for that device is
allocated to a specific IP address. The following parameters can be modified for
each declared host:
• mobile node Ethernet MAC address
• the fixed address of this mobile node (must be in the same subnet and outside
  the declared range values)
• lease times

For more information on statically assigning an IP address to a mobile node see
Appendix B, Sample DHCP configuration file.
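As an added example (not Nortel tooling), the following Python checks a DHCP plan against the Wireless AP 7220 and mobile node rules above, including the Table 4 requirement that statically configured APs stay out of the x.AP pool. The gateway, FTP and subnet addresses are the example values from Tables 3 and 4; the dynamic ranges, MAC addresses and configuration file path are constructed.

```python
"""Check a DHCP provisioning plan against the Wireless AP 7220 and mobile node
rules of this chapter. Added example, not Nortel tooling. Example addresses come
from Tables 3 and 4; dynamic ranges, MAC addresses and file path are constructed."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (short code, explanation)


@dataclass
class Pool:
    subnet: IPv4Network             # subnet the dynamic range is carved from
    first: IPv4Address              # first dynamically leased address
    last: IPv4Address               # last dynamically leased address
    client_prefix: int              # prefix length of the mask handed to clients
    routers: List[IPv4Address]      # DHCP default router list
    server_name: str = ""           # FTP server address (x.AP pool only)
    filename: str = ""              # configuration file path on the FTP server (x.AP pool only)
    excluded: List[IPv4Address] = field(default_factory=list)  # statically configured devices
    static_hosts: Dict[str, IPv4Address] = field(default_factory=dict)  # MAC -> fixed address

    def leases(self, addr: IPv4Address) -> bool:
        return self.first <= addr <= self.last


def check_ap_pool(pool: Pool, wg_public: IPv4Address) -> List[Finding]:
    """x.AP pool: /32 mask, the Wireless Gateway 7250 public address as the only
    default router, FTP server and configuration file named, statically
    configured APs (such as the Wireless AP 7220 @ NAP) kept out of the range."""
    out: List[Finding] = []
    if pool.client_prefix != 32:
        out.append(("ap-mask", "Wireless AP 7220s must receive mask 255.255.255.255"))
    if pool.routers != [wg_public]:
        out.append(("ap-router", "default router list must hold only the Wireless Gateway 7250 public address"))
    if not pool.server_name or not pool.filename:
        out.append(("ap-bootfile", "server name (FTP server) and configuration filename must be set"))
    for addr in pool.excluded:
        if pool.leases(addr):
            out.append(("ap-static-in-pool", f"statically configured {addr} lies inside the dynamic range"))
    return out


def check_mn_pool(pool: Pool, wg_mgmt: IPv4Address, ap_subnets: List[IPv4Network]) -> List[Finding]:
    """i.MN pool: mask matching the pool's subnet, the Wireless Gateway 7250
    management address as the only default router, no overlap with the AP
    intranet/extranet subnets, fixed addresses in the subnet but outside the range."""
    out: List[Finding] = []
    # The mask a mobile node receives decides what it treats as on-link; a mask
    # wider than the pool's subnet would pull the AP intranet into that view.
    on_link = ip_network(f"{pool.first}/{pool.client_prefix}", strict=False)
    if on_link != pool.subnet:
        out.append(("mn-mask", f"client mask yields {on_link}, expected {pool.subnet}"))
    if pool.routers != [wg_mgmt]:
        out.append(("mn-router", "default router list must hold only the Wireless Gateway 7250 management address"))
    for other in ap_subnets:
        if pool.subnet.overlaps(other) or on_link.overlaps(other):
            out.append(("mn-overlap", f"mobile node addresses overlap AP subnet {other}"))
    for mac, fixed in pool.static_hosts.items():
        if fixed not in pool.subnet or pool.leases(fixed):
            out.append(("mn-static-host", f"{mac}: {fixed} must be in {pool.subnet} but outside the dynamic range"))
    return out


WG_PUBLIC = ip_address("30.0.30.1")          # Wireless Gateway 7250 untrusted (public) address, Table 3
WG_MGMT = ip_address("192.168.20.248")       # Wireless Gateway 7250 management address, Table 3
AP_EXTRANET = ip_network("27.0.27.0/24")     # x.AP subnet
AP_INTRANET = ip_network("192.168.50.0/24")  # i.AP subnet
MN_SUBNET = ip_network("192.168.40.0/24")    # i.MN subnet


def good_plan() -> List[Finding]:
    """Plan that follows every rule in this section; returns no findings."""
    ap = Pool(AP_EXTRANET, ip_address("27.0.27.10"), ip_address("27.0.27.200"), 32, [WG_PUBLIC],
              server_name="192.168.30.13", filename="/wmn/ap7220.cfg",           # constructed path
              excluded=[ip_address("27.0.27.1"), ip_address("27.0.27.4")])      # NAP-R and AP @ NAP
    mn = Pool(MN_SUBNET, ip_address("192.168.40.10"), ip_address("192.168.40.50"), 24, [WG_MGMT],
              static_hosts={"00:00:5e:00:53:01": ip_address("192.168.40.60")})  # constructed MAC
    return check_ap_pool(ap, WG_PUBLIC) + check_mn_pool(mn, WG_MGMT, [AP_EXTRANET, AP_INTRANET])


def bad_plan() -> List[Finding]:
    """Plan with the mistakes the rules above guard against, for contrast."""
    ap = Pool(AP_EXTRANET, ip_address("27.0.27.1"), ip_address("27.0.27.254"), 24,
              [WG_PUBLIC, ip_address("27.0.27.1")], server_name="192.168.30.13",
              excluded=[ip_address("27.0.27.1"), ip_address("27.0.27.4")])
    mn = Pool(MN_SUBNET, ip_address("192.168.40.10"), ip_address("192.168.40.50"), 16, [WG_PUBLIC],
              static_hosts={"00:00:5e:00:53:02": ip_address("192.168.40.20")})
    return check_ap_pool(ap, WG_PUBLIC) + check_mn_pool(mn, WG_MGMT, [AP_EXTRANET, AP_INTRANET])


if __name__ == "__main__":
    for code, msg in bad_plan():
        print(f"{code:18} {msg}")
```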


RADIUS server requirements


The RADIUS authentication server must provide:
• EAP Support (EAP-TLS, EAP-TTLS, EAP-PEAP, EAP-LEAP)
• Tunnel Support
  In order to authenticate a mobile node, the user device must be matched to a
  profile stored on the server. Once the user is authenticated, a Tunnel-Id stored
  in the profile is returned to the Wireless AP 7220. The Wireless AP 7220
  maps the Tunnel-Id to the Subnet Selection Option. This mapping has been
  downloaded earlier to the Wireless AP 7220 as part of the Wireless AP 7220
  configuration file. Once the Wireless AP 7220 has completed the Tunnel-Id to
  SSO mapping, the DHCP Relay Agent in the Wireless AP 7220 requests a
  session IP address for the mobile node from the DHCP server.
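The Tunnel-Id to SSO flow above, modelled as an added Python example (not Wireless AP 7220 firmware): the relay maps the Tunnel-Id to a subnet and carries it in the RFC 3011 subnet selection option (code 118), and the DHCP server picks the mobile node pool from that option rather than from the relay's own x.AP giaddr. The Tunnel-Id values and mapping table are constructed; the addresses follow Table 3.

```python
"""Tunnel-Id -> Subnet Selection Option exchange between the Wireless AP 7220
relay and the DHCP server. Added example, not Wireless AP 7220 firmware; the
mapping table, Tunnel-Id values and relay address are constructed."""
from ipaddress import IPv4Address, IPv4Network, ip_network
from typing import Dict, List, Optional

OPTION_PAD, OPTION_END = 0, 255       # RFC 2132 option framing
SUBNET_SELECTION_OPTION = 118         # RFC 3011, fixed 4-byte value

# Constructed stand-in for the Tunnel-Id -> SSO table carried in the AP configuration file.
TUNNEL_TO_SUBNET: Dict[str, IPv4Network] = {
    "staff": ip_network("192.168.40.0/24"),   # i.MN pool from Table 3
    "guest": ip_network("192.168.41.0/24"),   # constructed second mobile node pool
}
MN_POOLS: List[IPv4Network] = list(TUNNEL_TO_SUBNET.values())  # pools the DHCP server serves


def sso_for_tunnel(tunnel_id: str) -> Optional[str]:
    """AP side: Tunnel-Id returned by RADIUS -> subnet address for option 118.
    An unknown Tunnel-Id yields None, so no DHCP request is relayed for it."""
    net = TUNNEL_TO_SUBNET.get(tunnel_id)
    return str(net.network_address) if net else None


def build_relay_options(sso: str) -> bytes:
    """AP side: options field of the relayed DHCPDISCOVER (code, length, value, end)."""
    return bytes([SUBNET_SELECTION_OPTION, 4]) + IPv4Address(sso).packed + bytes([OPTION_END])


def parse_options(blob: bytes) -> Dict[int, bytes]:
    """Server side: minimal DHCP option TLV parser. Raises ValueError on a
    truncated option so a malformed message is discarded instead of misread."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == OPTION_END:
            return opts
        if code == OPTION_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("option %d has no length byte" % code)
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d truncated" % code)
        opts[code] = value
        i += 2 + length
    raise ValueError("end option missing")


def select_pool(giaddr: str, options: bytes, pools: List[IPv4Network]) -> Optional[str]:
    """Server side (RFC 3011): when option 118 is present its subnet, not giaddr,
    selects the pool; the reply still goes back to giaddr. Without the option the
    relay's own x.AP address is used and no mobile node pool matches."""
    try:
        opts = parse_options(options)
    except ValueError:
        return None
    selector = IPv4Address(giaddr)
    if SUBNET_SELECTION_OPTION in opts:
        raw = opts[SUBNET_SELECTION_OPTION]
        if len(raw) != 4:
            return None                  # malformed option: discard the request
        selector = IPv4Address(raw)      # IPv4Address accepts the 4 packed bytes
    for pool in pools:
        if selector in pool:
            return str(pool)
    return None


def relay_and_select(tunnel_id: str, ap_extranet_addr: str) -> Optional[str]:
    """Whole exchange: Tunnel-Id -> SSO on the AP, DISCOVER relayed with giaddr set
    to the AP's own x.AP address, pool chosen by the server."""
    sso = sso_for_tunnel(tunnel_id)
    if sso is None:
        return None
    return select_pool(ap_extranet_addr, build_relay_options(sso), MN_POOLS)


if __name__ == "__main__":
    ap = "27.0.27.17"                    # constructed x.AP address of the relaying AP
    print("staff      ->", relay_and_select("staff", ap))
    print("guest      ->", relay_and_select("guest", ap))
    print("unknown    ->", relay_and_select("contractor", ap))
    print("no option  ->", select_pool(ap, bytes([OPTION_END]), MN_POOLS))
```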

KeyGen is a software package that is installed on the same workstation that
houses the RADIUS server during initial installation of the Wireless Mesh
Network. The output of KeyGen is used as the password for a Wireless AP 7220
account on both the RADIUS server and the Wireless Gateway 7250. Although
KeyGen can run on any Windows based platform, it is best if the tool is installed
on the RADIUS server that runs on a Windows platform.
RADIUS configuration information and KeyGen information can be found in
Chapter 4, Configuration management. A KeyGen configuration example can
be found in Appendix A, KeyGen tool.

FTP server requirements

The FTP server hosts software that is downloaded to other network elements in
the Wireless Mesh Network. The FTP server in a Wireless Mesh Network is used
for several functions:

• downloading the configuration file to a Wireless AP 7220 (the FTP server
  hosts the configuration file, which is used to dynamically configure a Wireless
  AP 7220 when it initializes)
• software upgrade of Wireless AP 7220s (the FTP server hosts the software
  images for APs)
• software upgrade, and backup and restore operations, for the Wireless
  Gateway 7250

The following parameters must be configured at the FTP server (as well as at the
Wireless AP 7220):

• the location of the FTP server (IP address)
• the user name for file/image access
• the password to access the configuration file or the software image

FTP carries these credentials, the configuration file and the software images in
cleartext, so the FTP server should be reachable only from the private (NOSS)
side of the network, never from the mobile subscriber address space.
FTP server configuration information can be found in Configuring the FTP
server. An FTP configuration example can be found in Appendix F, Sample
FTP configuration file.

SNTP server
The SNTP server provides the Wireless AP 7220 with the time parameters it
needs to ensure that each event logged on the Wireless AP 7220 has the proper
time-stamp information.

NAP router requirements


The NAP router performs traffic collection and distribution functions for traffic
originating and terminating over the broadband backbone network. It incorporates
routing functions and multiple wired Ethernet links for connection to Wireless AP
7220 @ NAPs. It acts as a standard IP router or an IP routing function in a
network edge device.
Any IP router that supports OSPF can act as a NAP router in the Wireless Mesh
Network. The NAP router must be able to propagate default route information
into the CAN. OSPF on the CAN interfaces of the NAP router must be configured
so that it can exchange routing information with the Wireless AP 7220 @ NAP.
NAP configuration information can be found in Chapter 4, Configuration
management. For a sample NAP router configuration see Appendix D, Sample
NAP router configuration.


Network Access Controller requirements

In an Inter-Wireless Gateway 7250 roaming environment, the Network Access
Controller (NAC) is responsible for the reachability of the set of authenticated
mobile nodes within a specified IP address range, to support mobile
communications for external and internal networking.
The Wireless Mesh Network requires the following two main functions from the
NAC:

• Inter-Wireless Gateway 7250 roaming and mobility support
• subscriber management system interface

Inter-Wireless Gateway 7250 roaming and mobility support

The NAC interfaces with the Wireless Gateway 7250 through the Ethernet
switching function. This layer-2 Ethernet switching function leverages the
auto-learning bridge design, rather than host-specific layer-3 routing updates,
to let the NAC keep track of each mobile subscriber's movement within the
Wireless Mesh Network.
In order to minimize the amount of broadcast traffic needed to support Ethernet
switching, the NAC must support the following key Ethernet functions:

• unsolicited unicast Address Resolution Protocol (ARP) requests (that is,
  gratuitous ARP requests)
  Allows Wireless Gateway 7250s to send unicast ARP requests that update the
  ARP cache in the NAC, so that incoming packets are forwarded to the mobile
  subscribers through their serving Wireless Gateway 7250s.
• configurable ARP cache size
  Ensures sufficient ARP cache entries in the NAC to sustain the expected
  mobile subscriber volume engineered for the NAC. Without a sufficient
  ARP cache size, broadcast proxy ARP requests may have to be generated to
  resolve the IP-to-MAC address mapping if the corresponding entry is
  overwritten by the latest ARP request originating from the Wireless
  Gateway 7250.
  The recommended ARP cache size is two times the number of mobile
  subscribers supported by the NAC. For example, if each NAC supports 2000
  mobile subscribers, set the ARP cache size to 4000. Refer to Appendix E,
  Sample NAC configuration for a sample NAC configuration.
• configurable ARP entry age-out time
  The ARP entry age-out time must be configurable to a value long enough to
  sustain the duration of a mobile subscriber's connection to the Wireless
  Mesh Network. Otherwise, the ARP entry expires before active mobile
  subscribers disconnect from the Wireless Mesh Network, and the NAC may
  generate broadcast proxy ARP requests to resolve the IP-to-MAC address
  mapping needed for IP packet forwarding.
  The recommended ARP entry age-out time is one and a half times the
  session-idle-timeout value returned by the RADIUS server. For example, if
  the session-idle-timeout value is set to 5 minutes (300 seconds), set the ARP
  entry age-out time to 450 seconds. Refer to Appendix E, Sample NAC
  configuration for a sample NAC configuration.

For assured Wireless Mesh Network security, the NAC must support multiple
subnets over the same logical and physical interfaces. This multi-netting support
allows you to assign a different IP addressing plan to the mobile subscribers
and to the network management and control systems, so that the IP address
space of the network management and control systems is never exposed to the
mobile subscribers.

Subscriber management system interface

The NAC provides the access control for the Wireless Mesh Network. It must
support:

• captive portal re-direct function
  The captive portal re-direct function intercepts any unauthenticated mobile
  subscriber's HTTP request and redirects the mobile subscriber to a
  pre-configured web page. The web page captures the mobile subscriber's
  information for the authentication, authorization, and accounting process used
  to grant network access privileges. The web page can be used for the
  following purposes:
  – notify mobile subscribers of the network provider's Acceptable Use
    Policy (AUP), which must be agreed to before the mobile subscriber can
    be granted access to the Wireless Mesh Network and the Internet
  – inform mobile subscribers of any information relevant to the access
    they are being granted, for example information about restricted ports or
    services, or specific details of the network provider
  – authenticate mobile subscribers with a user ID and password against a
    AAA server (that is, a standard RADIUS server) before they are granted
    access to the Wireless Mesh Network and the Internet
  – support configurable HTTP re-direct to the dedicated web portal, that is,
    the web portal's URL used for re-direction for mobile subscriber session
    authentication
• access control firewall rules
  There can be three main groups of IP addressing plans assigned in the
  Wireless Mesh Network:
  – management and control
  – non-RSNA mobile subscribers (that is, captive portal-authenticated
    mobile subscribers)
  – RSNA mobile subscribers (that is, 802.1X-authenticated mobile
    subscribers)
  Configure different firewall rules for each of these groups to control packet
  processing and forwarding. For example:
  – management and control traffic bypasses the NAC's firewall northbound
    towards the NOSS
  – unauthenticated non-RSNA mobile subscribers trigger the captive portal
    HTTP re-direct function to execute the authentication, authorization, and
    accounting process
  – RSNA mobile subscriber authentication and authorization processing
    bypasses the NAC's firewall; however, each RSNA mobile subscriber's
    access is controlled by the results of the authentication, authorization, and
    accounting process
  – a mobile subscriber's unicast DHCP renew messages and RSNA mobile
    subscribers' authentication messages are allowed to pass through the
    NAC's firewall and be forwarded to the DHCP server
  – a mobile subscriber of one subnet cannot access the network resources
    of another subnet, enforced through the Access Control List (ACL)


Ethernet switch
In an Inter-Wireless Gateway 7250 roaming environment, the Layer 2 Ethernet
switch connects the distributed NACs and the distributed Wireless Mesh Network
cluster (WMC). Any Ethernet switch that can provide a scalable high performance
capacity and a high density port count can be used in the Wireless Mesh Network.

ONMS installation and configuration

The Wireless Mesh Network uses Optivity NMS (ONMS) to manage Wireless AP
7220s and Wireless Gateway 7250s. To ensure the latest Wireless Mesh Network
functionality, the following load line-up (based on the ONMS 10.2 code base) is
required:

• Oracle Database: ORc9.2
• Oracle patch 9.2.0.5
• ONMS 10.2 and ONMS 10.2.0.3 patch
• OIT version 1.0B (Optivity Integration Toolkit) for Wireless AP 7220
• OIT version 1.0 for Wireless Gateway 7250

All existing and new customers need to use the ONMS 10.2 code base (with the
Wireless AP 7220 and Wireless Gateway 7250 OITs and 10.2.0.3 patch) in order
to have the full and latest Wireless Mesh Network functionality available.
For complete information about ONMS, refer to the Optivity NMS 10.2
documentation suite.
Note: To add the Wireless Gateway 7250 and Wireless AP 7220 OITs in
Optivity, run the install.bat file for each OIT. Do not use the oitadmin tool to
add these OITs.


Distribution network
The Enterprise / ISP / Metro distribution network is used to carry IP traffic
between Wireless Gateway 7250s and Network Access Point routers (NAP-Rs). It
can be a Layer 3 routed domain (where IP routing decisions are made by the
distribution network), or can be a Layer 1 or Layer 2 transport domain (that is,
(virtual) point-to-point links between Wireless Gateway 7250 and Wireless AP
7220). This network can be the same network as the Enterprise / ISP Backbone
Network.

Wireless Gateway 7250 configuration

The Wireless Gateway 7250 performs the following functions:

• advertises reachability (within the Enterprise / ISP Distribution Network) for
  one or more IP subnets assigned to Wireless Mesh Network subscribers and
  network entities
• hides Wireless Mesh Network-specific mobility and security functions from
  the rest of the Enterprise / ISP Distribution and Backbone Networks

The following configurations are required at the Wireless Gateway 7250:

• subnet addresses for mobiles for which the Wireless Gateway 7250 acts as a
  home agent (these must be the same mobile node subnets configured on the
  DHCP server)
• security-related configurations
• user accounts for Wireless AP 7220s
  Two groups must be configured, one for standalone Wireless AP 7220s and
  one for Wireless AP 7220 @ NAPs. For more information see Configuring
  Wireless AP 7220 user accounts.
• the address pool from which to assign intranet IP addresses to the IPsec
  clients on Wireless AP 7220s
• the stateful firewall, which allows the policies that ensure network security
  to be modified dynamically (specific filters can be defined to allow certain
  traffic flows)

Wireless AP 7220 deployment requirements

The overall available capacity of a Wireless Mesh Network is directly
proportional to the number of Wireless AP 7220 @ NAPs in the network.
The Access Link throughput is determined by the Access Link data rate, the
network capacity, and the distance from a mobile node to a Wireless AP 7220
in the deployed network.
A capacity increase can be provided by deploying multiple Wireless AP 7220 @
NAPs, each wired to a common Wireless Gateway 7250.
The Wireless AP 7220 @ NAP needs to be located where the wired network is
accessible, and where AC power can be accessed. The Wireless AP 7220 @ NAP
and the NAP router may be separated by up to 100 m (328 ft) of Ethernet cable. To
prevent radio interference between Wireless AP 7220 @ NAPs connected to the
NAP router, the minimum recommended distance between the Wireless AP 7220
@ NAPs is 8 m (26 ft).
For redundancy and to take advantage of the mesh capabilities, each Wireless AP
7220 @ NAP should have routes to at least two subtending Wireless AP 7220s.

Power requirements and information

Depending on the deployment scenario, power to the Wireless AP 7220 can be
sourced from:

• standard building power sources
• lamp posts
• utility poles

In the event of AC power outages, the Wireless Mesh Network is designed to
re-route around localized failures. Service availability depends on the level of
access coverage overlap.


Network specifications
The network must be configured in a mesh, with at least two transit links to each
Wireless AP 7220 to take advantage of mesh capabilities. This enables the
self-healing aspects of the network that allows rerouting around failed Wireless
AP 7220s. To maximize the performance of Wireless AP 7220 @ NAP radio links
at the Network Access Point, there should be two or more links into the NAP.


Chapter 3
Fault management
Faults in the Wireless Mesh Network
The Wireless Mesh Network issues fault events when conditions occur that affect
the network. The Nortel Optivity Network Management System (ONMS)
provides the platform for fault management of the Wireless Mesh Network. Fault
events created by components of the Wireless Mesh Network are sent as
notifications (or traps) to the ONMS database.

Faults in the Wireless AP 7220

Software running on a Wireless AP 7220 detects operational and functional
anomalies that can cause fault conditions. Each software module monitors and
defines relevant conditions, such as:

• criteria and threshold values to determine what constitutes a defect
• transient and non-transient faults
• when to inform ONMS of a fault

If the alarm condition warrants notification to ONMS, the software raises an event
to ONMS via an SNMP agent running on the Wireless AP 7220.
The Wireless AP 7220 software detects statuses and problems with:

• Wireless AP 7220 software operation
• transit link connectivity
• security (IPsec tunnel status and mobile node quarantine)
• DHCP leases (used for assigning IP addresses)
• RADIUS authentication and accounting server connectivity
• Wireless AP 7220 software download
• network time synchronization

For detailed information about Wireless AP 7220 traps supported for the Wireless
Mesh Network, see Appendix H, Wireless Access Point 7220 traps.

Faults in the Wireless Gateway 7250


Software running on a Wireless Gateway 7250 detects operational and
environmental anomalies that can cause fault conditions.
The Wireless Gateway 7250 generates a fault condition upon detection of any
illegal operation or out-of-bounds activity. This information is stored in a crash
file that is kept for later retrieval. This crash file contains sufficient information to
reconstruct the state of the Wireless Gateway 7250 for post analysis. A log is also
stored in the Event Log file when certain system activity is detected. For example,
the Wireless Gateway 7250 generates and logs an event in the Event Log file
when it tears down an IPsec tunnel to a Wireless AP 7220.
For detailed information about Wireless Gateway 7250 faults, refer to Managing
and Troubleshooting the Wireless Gateway 7250 (315900-A).

Optivity Network Management System (ONMS)

The Nortel Optivity Network Management System (ONMS) provides the
platform for fault management of the Wireless Mesh Network. ONMS includes
several applications that are useful for fault management tasks, including:

• InfoCenter, to view your network
  InfoCenter provides an Alarms folder on the main tree that indicates the
  highest level of faults in the Wireless Mesh Network, and lets you launch
  Fault Summary.
• Fault Summary, to view fault details
  Information displayed by Fault Summary comes from SNMP agent software
  running on Wireless AP 7220s and Wireless Gateway 7250s of the Wireless
  Mesh Network.
• Monitor Options, to establish how Optivity NMS manages your fault
  processes or to control the level of fault monitoring within the Wireless Mesh
  Network (syslog registration, ICMP polling and trap registration)

ONMS requires two Optivity Integration Toolkit (OIT) packages to support the
Wireless Mesh Network:

• OIT for Wireless AP 7220 permits ONMS to manage faults on the Wireless
  AP 7220.
• OIT for Wireless Gateway 7250 permits ONMS to translate fault information
  for the Wireless Gateway 7250.

Note: To add the Wireless Gateway 7250 and Wireless AP 7220 OITs
in Optivity, run the install.bat file for each OIT. Do not use the oitadmin
tool to add these OITs.

For information about using ONMS tools and applications, refer to Using Optivity
NMS 10.2 Applications (207569-E).

Collecting and managing fault data

Collecting fault data
ONMS supports two ways of collecting the alarms and faults at the management
station:

• Notifications (traps) sent by a device to ONMS.
  Notifications sent to ONMS by devices in the Wireless Mesh Network
  passively provide users with fault management information. Alarms and
  faults are detected at the managed device, and notifications (traps) are
  generated towards the management station. Each alarm/fault carries an alarm
  identification, severity level, alarm category, and identifies the device that
  detected and triggered the trap.
• Polling by ONMS of a device.
  Polling the Wireless Mesh Network by ONMS allows users to actively query
  the health of any Wireless Gateway 7250 or Wireless AP 7220 by sending a
  super ping message. The user can define the polling period or interval, or use
  a default setting. For information about configuring the ONMS polling
  interval, refer to Configuring super ping in ONMS.

Managing fault data

When a Wireless Mesh Network device experiences a fault condition, an alarm
identifying the device displays in one of the Alarms folders in the InfoCenter. The
Alarms folder in which an alarm displays depends on the alarm status (critical,
warning or caution).
Use Monitor Options to manage fault data as follows:

• Establish how Optivity NMS manages your fault processes.
• Control the level of fault monitoring within the Wireless Mesh Network with
  fault correlation control, ICMP polling, and trap registration.

For information about managing fault data with the Monitor Options application,
refer to the chapter on specifying the level of statistics gathering with Monitor
Options in Using Optivity NMS 10.2 Applications (207569-E).

Alarm filtering
Users can use Fault Summary filters to select and view a subset of all the events
contained in the ONMS database. This allows a user to collect events for:

• an individual Wireless AP 7220 or a set of Wireless AP 7220s within a
  Wireless Mesh Network
• an individual Wireless Gateway 7250 or a set of Wireless Gateway 7250s
  within a Wireless Mesh Network

For information about filtering alarms with the Fault Summary application, refer
to the chapter on managing events with Fault Summary in Using Optivity NMS
10.2 Applications (207569-E).


Error logging
Each Wireless AP 7220 logs all events locally (that is, on the log subsystem of the
individual Wireless AP 7220), and may forward events to a syslog server. The
syslog server collecting Wireless AP 7220 events may be the ONMS syslog
server, or any other syslog server available to the Wireless Mesh Network.
Network managers can configure the severity of events forwarded to the syslog
server.
Users can use ONMS Fault Summary to display the syslog events in a tabular
form. Figure 6 shows an example of the Fault Summary displaying events in the
Syslog window. Users can view the details of an event by selecting and opening
the event from the table.
Users can also view all active events for any individual Wireless AP 7220. To
view all active log events for an individual Wireless AP 7220, do the following:

1 Start a Telnet session to the Wireless AP 7220. (Telnet sends the login and
  the whole session in cleartext, so open it only from the private management
  side of the network.)
2 Type the following command to change to the log configuration mode:
  log
3 Type the following command to display the list of all active log events:
  show all

Network managers must manually configure each Wireless AP 7220 to:

• specify the level of events forwarded by a Wireless AP 7220 to the syslog
  server
• enable the Wireless AP 7220 to send events to a syslog server
• specify the syslog server to which Wireless AP 7220 events are sent

For information about configuring the severity of Wireless AP 7220 events sent,
refer to Specifying the severity of Wireless AP 7220 events forwarded to
syslog. For information about enabling the Wireless AP 7220 to send log events,
refer to Enabling or disabling Wireless AP 7220 logging. For information about
specifying the syslog server to which events will be logged, refer to Specifying
the syslog server.


Alarm statistics
Alarm statistics reflect the health of the network and the individual devices at a
point in time. Alarm statistics are normally presented in the form of fault
summary reports; ONMS sorting options allow users to locate a specific fault, a
category of faults, or any individual device that is faulty.

Fault reports and fault summaries

ONMS allows users to generate fault reports and fault summaries. A fault report
displays information about a problem in the network. A fault summary displays a
list of fault reports relevant to a single device, a subset of devices or the entire
network.
Fault reports indicate the following information:

• current status
• fault states
• severity
• nature of the fault
• agent IP that reported the fault
• date and time that the fault was reported
• number of traps consolidated into the report

There are two ways to view the fault summary:

• Fault Summary Table - provides a tabular view of the fault summary and
  provides access to the fault shortcut menu
• Fault Indicator - provides visual indication of a new or updated fault

Several operations are available with the fault reports:

• starting and stopping the loading process for a complete fault report
• viewing details of a specific fault
• displaying the latest fault
• changing the status of a fault
• acknowledging a fault
• changing a fault to be unmonitored
• deleting a single fault, or all aged or unmonitored faults

Fault detection and investigation

Users can use the ONMS InfoCenter and Fault Summary applications to detect
and investigate Wireless Mesh Network faults:

• The InfoCenter Alarms folder on the main pane indicates any severity of
  faults in the Wireless Mesh Network and lets you identify the faulty device.
  InfoCenter also allows you to launch the Fault Summary tool to get further
  details about the faults. Figure 5 shows an example of an InfoCenter window
  with the faulty device (Critical) identified.
• The Fault Summary application provides detailed information for
  investigating faults, traps, or syslog events. Figure 6 shows an example of a
  Fault Summary window with fault, trap and syslog filter windows. ONMS
  allows users to create custom filters that will collect faults, traps, or syslog
  events for individual elements in their own Wireless Mesh Network.

For more information about using ONMS InfoCenter and Fault Summary
applications, refer to Using Optivity NMS 10.2 Applications (207569-E).



Figure 5 InfoCenter window indicating devices in fault



Figure 6 Fault Summary window with fault, trap, and syslog details

Fault correction
Faults resulting in critical alarms must be corrected immediately to maintain
functionality of the Wireless Mesh Network. Faults resulting in warning alarms
should be investigated to determine what network improvements will correct the
conditions causing the warning alarm.
Certain faults in the Wireless Mesh Network are auto-healing and do not require
attention. For more information about Wireless Mesh Network auto-healing, refer
to Network recovery / auto-healing. Repetitive recurrences of auto-healing
alarms in a particular part of the Wireless Mesh Network may indicate the need
for revised network planning, to correct the conditions causing the auto-healing.


The ONMS ExpandedView application allows users to perform several fault
management tasks, which may include:

• enabling ports and modules
• disabling ports and modules
• resetting ports and modules

Network recovery / auto-healing

The design of the Wireless Mesh Network delivers auto-healing recovery when a
Wireless AP 7220 fails. The Wireless Mesh Network's auto-discovery capability
automatically reconfigures links around a failed Wireless AP 7220. Although the
broken link is automatically healed, users should investigate and correct the root
problem to ensure that the Wireless Mesh Network continues to function as
planned. Auto-healing may place unplanned loads on other links within the
network when transferring traffic from the failed Wireless AP 7220.


Chapter 4
Configuration management
Configuration overview
This chapter describes the steps required to configure:

• a Wireless Gateway 7250
• FTP, RADIUS, and DHCP servers
• Wireless AP 7220s
• Network Access Controllers
• Ethernet switches

Refer to Chapter 8, Administration for information about Wireless Mesh
Network administration and maintenance.
To set up your Wireless Mesh Network, you need to perform the following tasks:

• Configure the NOSS.
  The Network Operation Support System (NOSS) provides centralized
  facilities for monitoring and managing network operations and uses
  industry-standard protocols to communicate with distributed elements in the
  Wireless Mesh Network system. All NOSS elements are configured on the
  private side of the Wireless Mesh Network.
  The NOSS consists of:
  – Optivity Network Management System (ONMS)
  – Dynamic Host Configuration Protocol (DHCP) server
  – Remote Authentication Dial-In User Service (RADIUS) server
  – industry-standard File Transfer Protocol (FTP)
  – Simple/Secure Network Management Protocol (SNMP)
• Configure the Network Access Controller (NAC).
• Configure the Ethernet switch.
• Configure the network access point (NAP) router.
• Configure the Wireless Gateway 7250.
• Configure the Wireless Access Point 7220s.

For complete information about ONMS, see Installing and Administering Optivity
NMS 10.2 (part no. 205969-G).

Tools and utilities

KeyGen tool
The KeyGen tool generates an IPsec password that is unique for each Wireless AP
7220. KeyGen uses the unique Wireless AP 7220 username (that is, the Wireless
AP 7220 serial number) and the common password to generate the IPsec
password. This password is then used by the Wireless AP 7220 during negotiation
with the Wireless Gateway 7250 to establish a secure IPsec tunnel. The Wireless
Gateway 7250 uses the Wireless AP 7220 username with the generated IPsec
password to verify the Wireless AP 7220 and grant it access to the network.
The KeyGen output is also used on the RADIUS server as the password to
configure a Wireless AP 7220 account. As with the IPsec password, it uses the
Wireless AP 7220 username, which is the Wireless AP 7220 serial number.
Because every per-AP password is derived from the single common password
and a serial number that is visible on the unit, anyone who obtains the common
password can reproduce the credentials of every Wireless AP 7220; protect it as
carefully as the IPsec credentials themselves.
The KeyGen tool can be installed on any Windows operating system-based
computer.
Note: The KeyGen tool is case-sensitive. You must enter the Wireless
AP 7220 serial number exactly as it appears on the Wireless AP 7220.
Refer to Appendix A, KeyGen tool for complete instructions on how to use the
KeyGen tool.


ConfigVerify tool
The ConfigVerify tool is a Wireless Mesh Network tool used for checking the
syntax of the configuration file for Wireless AP 7220s in the network. For more
information, refer to the online help provided with the tool.

Configuring the Dynamic Host Configuration Protocol
(DHCP) server

The DHCP server provides dynamic and static IP address assignments for the
Wireless AP 7220s and mobile nodes. It must support:

• RFC 3011 Subnet Selection Option (SSO)
• a reserved lease timer set to a high value, or configurable to one
  This is necessary to accommodate the delays potentially incurred through
  multiple Wireless AP 7220 hops.

The following Wireless AP 7220 parameters are configured using the DHCP
server:

• IP address
• subnet mask of 255.255.255.255
• designated Wireless Gateway 7250 (public IP address of the Wireless
  Gateway 7250)
• address lease time
• FTP server IP address
• Wireless AP 7220 configuration filename
• Open Shortest Path First (OSPF) Area ID

The following mobile node parameters are configured using the DHCP server:

• IP address
• subnet mask reflecting the size of the address pool
• default router (on the same subnet as the mobile node)
• address lease time
• home agent IP address

You can optionally configure static IP addresses for any element in the network by
including a host declaration in the DHCP configuration file. The static IP
addresses must be outside the declared range and on the same subnet as the
dynamically assigned IP addresses. To assign an IP address statically to a Wireless
AP 7220 or mobile node, create a host declaration in the DHCP configuration file
that contains that Wireless AP 7220's or mobile node's Ethernet MAC address.
In some cases you may want to hide the IP address of the DHCP server from the
mobile subscribers. This is done by specifying the option dhcp-server-identifier
parameter with a dummy DHCP server IP address in the mobile node section of
the DHCP configuration file. For example:

option dhcp-server-identifier 255.255.255.255;

Refer to Appendix B, Sample DHCP configuration file for an example of a
DHCP configuration file that dynamically and statically assigns IP addresses to
Wireless AP 7220s and mobile nodes.
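
The pool rules above, together with the static host declarations described in
Chapter 2 (Network installation overview), can be checked mechanically before
the file is loaded onto the server. The following is an added example, not part of
this manual or of Appendix B: a small Python checker that validates one mobile
node pool against the stated rules (exactly one default router, set to the Wireless
Gateway 7250 management IP and on the mobile subnet; static addresses on the
subnet but outside the dynamic range; well-formed MAC addresses) and renders
it as ISC dhcpd text. The MobilePool structure, the sample addresses, and the use
of ISC dhcpd's mobile-ip-home-agent option to carry the home agent address are
this example's own assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Ethernet MAC as written in an ISC dhcpd "hardware ethernet" clause.
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


@dataclass
class MobilePool:
    """One mobile node address pool. This structure is the example's own; the
    manual does not define such a format."""
    subnet: str                    # e.g. "10.20.0.0/24"; the mask reflects the pool size
    range_start: str               # dynamically assigned range
    range_end: str
    routers: list                  # "option routers" entries (must be exactly one)
    home_agent: str                # home agent IP address handed to the mobile node
    lease_time: int = 3600         # address lease time in seconds
    server_identifier: str = None  # e.g. "255.255.255.255" to hide the real server
    hosts: dict = field(default_factory=dict)  # MAC -> static (fixed) address


def check_mobile_pool(pool, gateway_mgmt_ip):
    """Return a list of rule violations; an empty list means the pool follows the
    requirements quoted in the text."""
    net = ipaddress.ip_network(pool.subnet)
    start = ipaddress.ip_address(pool.range_start)
    end = ipaddress.ip_address(pool.range_end)
    problems = []
    if start not in net or end not in net or start > end:
        problems.append("dynamic range must lie inside the subnet, low address first")
    # Default router list: exactly one entry, the Wireless Gateway 7250 management IP.
    if len(pool.routers) != 1:
        problems.append("default router list must contain exactly one entry")
    else:
        router = ipaddress.ip_address(pool.routers[0])
        if router != ipaddress.ip_address(gateway_mgmt_ip):
            problems.append("default router is not the Wireless Gateway 7250 management IP")
        if router not in net:
            problems.append("default router is not on the mobile node subnet")
    # Static hosts: valid MAC, on the same subnet, outside the dynamic range.
    for mac, addr in pool.hosts.items():
        if not MAC_RE.match(mac.lower()):
            problems.append(f"{mac}: not a valid Ethernet MAC address")
        fixed = ipaddress.ip_address(addr)
        if fixed not in net:
            problems.append(f"{mac}: fixed address {addr} is outside {pool.subnet}")
        elif start <= fixed <= end:
            problems.append(f"{mac}: fixed address {addr} overlaps the dynamic range")
    return problems


def render_dhcpd(pool):
    """Emit the pool as ISC dhcpd configuration text (subnet block plus one host
    declaration per static mobile node)."""
    net = ipaddress.ip_network(pool.subnet)
    out = [f"subnet {net.network_address} netmask {net.netmask} {{",
           f"  range {pool.range_start} {pool.range_end};",
           f"  option routers {', '.join(pool.routers)};",
           f"  option mobile-ip-home-agent {pool.home_agent};",
           f"  default-lease-time {pool.lease_time};"]
    if pool.server_identifier:
        # Dummy identifier so mobiles never learn the real DHCP server address.
        out.append(f"  option dhcp-server-identifier {pool.server_identifier};")
    out.append("}")
    for i, (mac, addr) in enumerate(sorted(pool.hosts.items())):
        out += [f"host mobile-{i} {{", f"  hardware ethernet {mac};",
                f"  fixed-address {addr};", "}"]
    return "\n".join(out) + "\n"


# Constructed sample data (the addresses are invented, not taken from the manual).
GATEWAY_MGMT_IP = "10.20.0.1"
SAMPLE_POOL = MobilePool(
    subnet="10.20.0.0/24", range_start="10.20.0.10", range_end="10.20.0.200",
    routers=[GATEWAY_MGMT_IP], home_agent=GATEWAY_MGMT_IP,
    server_identifier="255.255.255.255",
    hosts={"00:11:22:33:44:55": "10.20.0.250"})

if __name__ == "__main__":
    for problem in check_mobile_pool(SAMPLE_POOL, GATEWAY_MGMT_IP):
        print("VIOLATION:", problem)
    print(render_dhcpd(SAMPLE_POOL))
```

Run the checker over every mobile node pool before loading the file: a fixed
address that lands inside the dynamic range, or a second entry in the router list,
is reported as a violation rather than silently producing a pool that breaks the
Wireless Gateway 7250's home agent role for those mobiles.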

Configuring the NAP router


Any router that supports OSPF can be configured as a NAP router in the
Wireless Mesh Network.
The NAP router must be able to propagate default route information into the
Community Area Network (CAN). OSPF on the CAN interfaces of the NAP
router is configured so that it can exchange routing information with the
Wireless AP 7220 @ NAP.
Refer to Appendix D, Sample NAP router configuration for an example of a
NAP router configuration file.


Configuring the RADIUS server


The RADIUS server is used to authenticate the Wireless AP 7220s and mobile
nodes. It is responsible for all accounting functions for the mobile nodes. The
RADIUS server must be able to support user authentication based on a native
database or through backend servers as well as EAP support.
To authenticate a mobile node, it must be matched to a profile stored on the server.
Once the mobile is authenticated, a Tunnel-ID stored in the profile is returned to
the Wireless AP 7220. The Wireless AP 7220 maps the Tunnel-ID to the Subnet
Selection Option (SSO). This mapping is contained in the Wireless AP 7220
configuration file. (Refer to Configuring the FTP server for more information
about the configuration file.) Once the Wireless AP 7220 has completed the
Tunnel-ID to SSO mapping, the DHCP Relay Agent requests a session IP address
for the mobile node from the DHCP server.
The standard RADIUS messages and attributes are used for communication
between the Wireless AP 7220 and the RADIUS server. However, for mobile
nodes, the following parameters must be configured on the RADIUS server:

Called-Station-ID
This parameter is passed by the Wireless AP 7220 into the Access-Request
message. It is used as an additional authentication attribute along with the
username and password stored in the authentication database. Its value is
OPEN:<AL_SSID> for non-RSNA mobiles
RSNA:<AL_SSID> for RSNA mobiles

Tunnel-Private-Group-ID
This parameter is returned by the RADIUS server in Access-Accept
messages. This parameter must match the Tunnel-ID in the FTP configuration
file. Its value is
<Tunnel-ID>

Calling-Station-ID (optional)
This parameter is set to the MAC address of the mobile node, which is inserted
by the Wireless AP 7220 to which the mobile node is associated. This value
must not include colons. This parameter can be used as an additional
authentication parameter if configured on the RADIUS server. Its value is
<mobile_node_MAC_address>
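The following is an added example (not Nortel code) of the mobile node authentication exchange described above, seen from the RADIUS server side and then the Wireless AP 7220 side: the Access-Request attributes are checked against a stored profile, the Tunnel-ID comes back in Tunnel-Private-Group-ID, and the AP maps it to an SSO. The profile store, SSID, MAC addresses and the Tunnel-ID to SSO table are constructed values.

```python
"""Mobile node authentication on the RADIUS server and the Tunnel-ID to SSO
mapping on the Wireless AP 7220. Added example, not Nortel code; the profile
store, SSIDs, MACs and the Tunnel-ID to SSO table are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Called-Station-ID as the Wireless AP 7220 builds it (from the page):
# OPEN:<AL_SSID> for non-RSNA mobiles, RSNA:<AL_SSID> for RSNA mobiles.
CALLED_STATION_RE = re.compile(r"^(OPEN|RSNA):(.+)$")
# Calling-Station-ID is the mobile node MAC address without colons.
MAC_NO_COLONS_RE = re.compile(r"^[0-9A-Fa-f]{12}$")


@dataclass(frozen=True)
class Profile:
    """One mobile node profile on the RADIUS server (constructed shape)."""
    username: str
    password: str                       # a real server stores a hash
    called_station_id: str              # e.g. "RSNA:MetroMesh"
    calling_station_id: Optional[str]   # MAC without colons, or None if not enforced
    tunnel_private_group_id: str        # must equal a Tunnel-ID in the AP config file


# Tunnel-ID to Subnet Selection Option mapping as carried in the Wireless AP 7220
# configuration file; constructed values, not from the page.
TUNNEL_TO_SSO: Dict[str, str] = {"100": "10.1.0.0", "200": "10.2.0.0"}

# Constructed profile store keyed by username.
PROFILES: Dict[str, Profile] = {
    "alice": Profile("alice", "s3cret", "RSNA:MetroMesh", "001122AABBCC", "100"),
    "guest": Profile("guest", "open", "OPEN:MetroMesh", None, "200"),
}


def normalize_mac(mac: str) -> str:
    """00:11:22:aa:bb:cc -> 001122AABBCC, the form the RADIUS profile stores."""
    return re.sub(r"[:\-.]", "", mac).upper()


def access_request(profiles: Dict[str, Profile], username: str, password: str,
                   called: str, calling: Optional[str] = None) -> Tuple[str, str]:
    """Evaluate an Access-Request. Returns ("Access-Accept", tunnel_id) or
    ("Access-Reject", reason). Called-Station-ID is always checked; the
    Calling-Station-ID check applies only to profiles that pin a MAC."""
    if not CALLED_STATION_RE.match(called):
        return "Access-Reject", "malformed Called-Station-ID"
    if calling is not None and not MAC_NO_COLONS_RE.match(calling):
        return "Access-Reject", "Calling-Station-ID must be a MAC without colons"
    prof = profiles.get(username)
    if prof is None or prof.password != password:
        return "Access-Reject", "unknown user or bad password"
    if prof.called_station_id != called:
        return "Access-Reject", "Called-Station-ID does not match profile"
    if prof.calling_station_id is not None and (
            calling is None or prof.calling_station_id != calling.upper()):
        return "Access-Reject", "Calling-Station-ID does not match profile"
    return "Access-Accept", prof.tunnel_private_group_id


def tunnel_id_to_sso(tunnel_id: str, mapping: Dict[str, str] = TUNNEL_TO_SSO) -> str:
    """AP-side step: map the returned Tunnel-ID to the SSO that the DHCP Relay
    Agent uses when requesting the session address. A Tunnel-ID absent from the
    AP configuration file is a mismatch between RADIUS and the FTP config file."""
    if tunnel_id not in mapping:
        raise KeyError(f"Tunnel-ID {tunnel_id!r} missing from AP configuration file")
    return mapping[tunnel_id]
```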

Wireless Mesh Network Solution Reference


To configure the Wireless AP 7220s on the RADIUS server, create an account for
each Wireless AP 7220 in your network. The username is the serial number of the
Wireless AP 7220; the password is the output of the KeyGen tool that maps to the
username. Refer to Appendix A, KeyGen tool for more information.
The default RADIUS NAS client password must be configured on the RADIUS
server. The default value is SB7nh6dg5t. If you want to change this password, you
must first configure the new password on the Wireless AP 7220 and then on the
RADIUS server.

Configuring the FTP server


The Wireless AP 7220 uses the FTP configuration file for automatic
configuration. You can create one file for each Wireless AP 7220 or one file for a
group of Wireless AP 7220s.
The FTP server is used for

downloading the configuration file to the Wireless AP 7220
upgrading software to the Wireless AP 7220
upgrading software to the Wireless Gateway 7250
saving and backing up the Wireless Gateway 7250 configuration files
storing Wireless AP 7220 logs

The user account containing the username and password for file/image access
must be configured at the FTP server and the Wireless AP 7220.
Refer to ConfigVerify tool for information about verifying the syntax of your
configuration using the ConfigVerify tool.
Refer to Appendix F, Sample FTP configuration file for an example of an FTP
configuration file.


Configuring super ping in ONMS


Super ping in ONMS allows you to poll the Wireless Gateway 7250 or any
Wireless AP 7220 to detect the health of the Wireless Mesh Network by issuing a
ping message. By default, 64 ping messages are issued every 55 milliseconds.
This means that in a network of 64 devices, each device receives one ping
message every 55 milliseconds. In a small network, the default setting may be too
frequent and conversely, in a larger network too infrequent.
It is highly recommended to reconfigure the super ping frequency according to the
size of your network and to the acceptable frequency per device per super ping
interval.
To configure the super ping parameters

1 Open a Command Prompt window in ONMS.

2 Go to the \optiivity\lnms\bin directory.

3 Enter superp_param and press Enter.

A list of the super ping parameters appears. For example

---------------------------------------------
Super Ping Parameters
---------------------------------------------
MAX_RETRIES is : 6
MGMT_MAX_RETRIES is : 1
Reading SLOT_WIDTH
SLOT_WIDTH is : 55
MAX_PINGS is : 64
MAX_TIMEOUT is : 3500
---------------------------------------------

4 Enter the correct parameters for your Wireless Mesh Network and press Enter
after each entry. Enter -1 to keep the current parameter setting. For example

MAX_RETRIES : -1
MGMT_MAX_RETRIES : -1
SLOT_WIDTH : 100
MAX_PINGS : 5
MAX_TIMEOUT : -1

5 Close the Command Prompt window.


Configuring the Network Access Controller (NAC)


In an Inter-Wireless Gateway 7250 roaming environment, the Network Access
Controller (NAC) is responsible for advertising the reachability of a subset of
mobile nodes to the external and internal networks so that they can reach other
devices in the network. It must support

captive portal re-direct function
Ethernet interface
configurable ARP cache size
configurable ARP age out time
updatable ARP cache upon receiving a unicast ARP request
packet forwarding either through dynamic or static routing
mobile session idle timeout
client filter and access rules to stop mobile nodes from accessing the internal
network elements of the Wireless Mesh Network

On the NAC, you must configure the web portal URL to redirect the mobile node
session for authentication. It must be able to block all mobile traffic until the
mobile subscriber is authenticated.
For mobile nodes that are not served by the NAC, you can configure static routes
to forward mobile traffic to the appropriate northbound router.
Refer to Appendix E, Sample NAC configuration for an example of a NAC
configuration.

Configuring an Ethernet switch


In an Inter-Wireless Gateway 7250 roaming environment, the Layer 2 Ethernet
switch connects the distributed NACs and the distributed Wireless Mesh Network
cluster (WMC). Any Ethernet switch that can provide a scalable high performance
capacity and a high density port count can be used in the Wireless Mesh Network.


Configuring the Wireless Gateway 7250


This section describes the steps required to configure the Wireless Gateway 7250.
All example references reflect the basic network layout as described in Figure 7 or
the Inter-Wireless Gateway 7250 roaming and mobility network layout as
described in Figure 8.
Figure 7 Basic network layout example



Figure 8 Inter-Wireless Gateway 7250 roaming and mobility network layout example

The following configurations are required at the Wireless Gateway 7250:

security-related configurations
user account for the Wireless AP 7220
address pool from which to assign IP addresses to the IPsec clients on
Wireless AP 7220s
firewall configurations
specific filters to allow certain traffic flow
NOSS configurations
default routes for reachability to the Wireless AP 7220s

Note: Nortel recommends locating the NOSS servers on the same
subnet as the private interface of the Wireless Gateway 7250.

Managing the Wireless Gateway 7250 through a console


Connect the molded serial cable supplied with your Wireless Gateway 7250
between a PC and the serial DB9 connection in the back of the
Wireless Gateway 7250.
Your terminal emulator must use the following communications parameters:

9600 baud
8 data bits
1 stop bit
No parity

To connect the Wireless Gateway 7250 to a console

1 Power on the PC.

2 Using a terminal emulation program, press Enter.

The Welcome screen appears.

Welcome to the Contivity VPN Switch
Copyright 1999,2000,2001 Nortel Networks
Version: V04_76-163
Creation date: Dec. 16, 2003, 20:51:06
Date: 09/08/2004
Unit Serial Number: 17563

3 Enter admin and press Enter.


4 Enter setup and press Enter.

Warning: Do not change this username nor password. There is no way
to easily retrieve the username or password if it is forgotten. In this case,
the Wireless Gateway 7250 would have to be returned to Nortel to be
reset.

The following menu appears:


Main Menu: System is currently in NORMAL mode.
1) Interfaces
2) Administrator
3) Default Private Route Menu
4) Default Public Route Menu
5) Create A User Control Tunnel(IPsec) Profile
6) Restricted Management Mode FALSE
7) Allow HTTP Management TRUE
8) Firewall Options
9) Shutdown
B) System Boot Options
P) Configure Serial Port
C) Controlled Crash
L) Command Line Interface
R) Reset System to Factory Defaults
E) Exit, Save and Invoke Changes
Please select a menu choice (1 - 9,B,P,C,L,R,E):

Configuring the interfaces


To configure the interfaces


1 In the Main Menu, enter 1 and press Enter to enter the Interface menu:

Interface Menu
0) Slot 0, Port 1, Private LAN
Management IP Address = 192.168.20.248
Subnet Mask = 255.255.255.0
Interface IP Address = 192.168.20.1
(Subnet Mask = 255.255.255.0)
Speed/Duplex = AutoNegotiate
1) Slot 1, Port 1, Public LAN
IP Address = 30.0.30.1
Subnet Mask = 255.255.255.0
Speed/Duplex = AutoNegotiate
R) Return to the Main Menu.
Please select a menu choice:

2 Enter 0 and press Enter to configure the private LAN interface.

This interface requires two addresses. The first address is called the
management IP address and is used for all management tasks such as Telnet,
HTTP, and FTP. This address can only be reached from the private side of the
Wireless Mesh Network or from a secure IPsec tunnel if an appropriate filter
setting is applied in the firewall configuration.
In the example shown in Figure 7, the private LAN is class-C subnet
192.168.20.0/24. The management address is set to 192.168.20.248 with a
subnet mask of 255.255.255.0. The interface IP address is the address used
by hosts on the private LAN side to communicate with mobile nodes attached
to Wireless AP 7220s on the public side of the Wireless Mesh Network. The
interface IP address is set to 192.168.20.1.

3 Enter 100Mbps/Full Duplex and press Enter for Speed/Duplex.

4 Enter R and press Enter to return to the Main Menu.

5 To configure the public LAN interface, enter 1 and press Enter.

This is the insecure side of the Wireless Mesh Network where the Wireless
AP 7220s connect to the Wireless Gateway 7250. In the example, the public LAN
is class-C subnet 30.0.30.0/24. The public LAN IP address is set to 30.0.30.1
with a subnet mask of 255.255.255.0.

6 Enter 100Mbps/Full Duplex and press Enter for Speed/Duplex.

7 Enter R and press Enter to return to the Main Menu.


Following the example in Figure 7, you should now be able to ping the
management address 192.168.20.248 from a PC with a LAN connection to the
private LAN and an IP address assigned to it in the 192.168.20.0/24 subnet.

Connecting to the Wireless Gateway 7250 using the web browser

There are many configuration procedures that you can perform using a GUI
interface through your web browser. To connect to the Wireless Gateway 7250
using your web browser

1 Start your web browser.

Note: Nortel recommends using Netscape 7.0 or higher or Internet
Explorer 6.00 or higher. You must have Java Virtual Machine loaded.

2 Connect to the Wireless Gateway 7250 by entering the management IP
address (for example, http://192.168.20.248) in the web browser.

3 Log on to the Wireless Gateway 7250. The default user is admin and the
default password is setup.

Configuring default routes (private and public)


Default routes can be configured to each element in the network on the private
side of the network or to the router on the public side of the network. You can
either use your web browser or CLI to configure the default routes.

Configuring default routes


To configure a default route to the FTP server in the private LAN network

1 Connect to the Wireless Gateway 7250 using your web browser.

2 Select ROUTING / STATIC ROUTES.


Figure 9 The Static Routes screen

3 Click Add Private Route.

Figure 10 Private Default Route screen

4 Ensure the Admin State is set to enable and the Cost is set to 10.

5 Enter the IP address for the network element in the Gateway Address text box.
(For example, 192.168.30.13)

6 Click OK.

To configure a default route to the closest router attached in the public LAN
network

1 Select ROUTING / STATIC ROUTES.

2 Click Add Public Route.

3 Ensure the Admin State is set to enable and the Cost is set to 10.

4 Enter the IP address for the router. For example, 30.0.30.2.

5 Click OK.

Configuring default routes using the CLI


To configure a default route to the FTP server in the private LAN network

1 In the Main Menu, enter 3 to access the Default Private Route Menu.

2 Set the router address. For example, 192.168.30.13.

3 Set the cost appropriate for your network layout. For example, 10.

4 Enter R and press Enter to return to the Main Menu.

5 Enter E and press Enter to Exit, Save and Invoke Changes.

To configure a default route to the closest router attached in the public LAN
network

1 In the Main Menu, enter 4 and press Enter to access the Default Public Route
Menu.

2 Set the router address. For example, 30.0.30.2.

3 Set the cost appropriate for your network layout. For example, 10.

4 Enter R and press Enter to return to the Main Menu.

5 Enter E and press Enter to Exit, Save and Invoke Changes.


Enabling services
There are three services you can enable:

FTP
Telnet
Simple/Secure Network Management Protocol (SNMP)

Enabling the FTP, Telnet, and SNMP service


When you want to update the Wireless Gateway 7250 with current software
versions, the easiest way is to download a new image using an FTP service. By
enabling an FTP service in the Wireless Gateway 7250, it can act as an FTP
server. All of the Wireless Gateway 7250-specific commands used to set up and
manage the home agent and to monitor the various binding information are issued
as command line interface (CLI) commands. These commands can be
launched from the console if CLI is selected from the Main Menu.
Figure 11 Enabling the FTP service

1 Select SERVICES / AVAILABLE from the menu bar.

2 Ensure the SNMP, Telnet and FTP checkboxes are selected.


3 Click OK.

Using the Telnet service


To set up and manage the Wireless Gateway 7250 using the Telnet service

1 Log onto the Wireless Gateway 7250 using the Telnet service. The default
user is admin. The default password is setup.

2 To use the CLI set or show commands, you must be in privileged mode. To
change to privileged mode, enter enable.

3 Enter the password setup.

The prompt on the screen changes from CES> (unprivileged mode) to CES#
(privileged mode).

Installing/upgrading/downgrading Wireless Gateway 7250 software

Upgrading the Wireless Gateway 7250 leads to a reboot of the entire system
where all bindings are deleted. A complete Wireless Mesh Network upgrade
management survey is performed.

Setting up an FTP server


To upgrade the Wireless Gateway 7250 software, you need an FTP server from
where the switch can download the new software. Configure any FTP server with
a unique username and password. The FTP server must be accessible from the
private side of the Wireless Gateway 7250. Therefore, it is recommended that the
FTP server be configured on a network element that is connected on the same
subnet as the Wireless Gateway 7250.

Starting the upgrade process


To upgrade the software

1 Download the software into a directory. The default directory is C:\PG.

2 Connect to the Wireless Gateway 7250 using your web browser.



Figure 12 Directory tree screen

3 Select ADMIN / UPGRADES from the menu bar.

Figure 13 The Upgrades screen


4 Enter the FTP IP address in the Host text box.

5 Enter the parent path in the Path text box. For example, if the location of the
software is C:\PG\W01_00.006, enter C:\PG.

6 Enter the software version number in the Version text box.

7 Enter the FTP server username in the User ID text box. For example, pg.

8 Enter the FTP server password in the Password text box. For example, warp.

9 Re-enter the password in the Confirm Password text box.

10 Click Retrieve.

11 The Retrieval screen is displayed.

Figure 14 Upgrade Retrieval screen

12 Click OK to download the software or Cancel to cancel the download
procedure.

Note: If you encounter problems in the upgrade process, check the
STATUS / LOG for information.

13 The Retrieval Progress screen is displayed. The Wireless Gateway 7250 can
download more than 1000 files.


Figure 15 Retrieval progress screen

14 Click Close on the New Version Retrieve status screen.


Figure 16 New Version Retrieve status screen



Figure 17 Upgrade apply screen

15 Click Apply to complete the software upgrade.


16 Restart the Wireless Gateway 7250 to activate the new settings.

Enabling and configuring the Stateful Firewall


The Stateful Firewall manages the traffic flow. By default, the Wireless Gateway
7250 denies all traffic except traffic coming through an established IPsec tunnel
on the public LAN interface.
You must first install a license key. Your license keys are contained in an envelope
that was shipped with your Wireless Gateway 7250. To install the key



Figure 18 The License key screen

1 Connect to the Wireless Gateway 7250 using your web browser.

2 Select ADMIN / LICENSE KEYS from the menu bar.

3 Enter the license key in the Stateful Firewall field.

4 Ensure that the Key/Status field has a status of Installed.

To enable the Stateful Firewall



Figure 19 The Firewall / NAT screen

1 Select SERVICES / Firewall / NAT from the menu bar.

2 Ensure that the Firewall radio button and the Stateful Firewall checkbox are
selected.

3 Ensure the Tunnel filter checkbox is not selected.

4 Accept all the remaining default values and click OK.

5 Select ADMIN / Shutdown to restart the Wireless Gateway 7250 for the
changes to take effect.

6 Click OK.

Creating filters
To configure the Stateful Firewall you first need to create the filters.

Filter 1
The first filter allows mobile IP signalling traffic to reach the home agent in the
Wireless Gateway 7250.
1 Connect to the Wireless Gateway 7250 using your web browser.

2 Select SERVICES / Firewall / NAT from the menu bar.

3 Click Manage Policies to launch the Firewall Java-GUI.

4 Enter admin in the user field.

5 Enter setup in the password field.

6 Click New.

Figure 20 New Policy screen

7 Enter the new policy name. (For example, WMN-1.)

8 Click OK.

9 On the Java console, select the Default Rules Tab.



Figure 21 Adding a MIP policy

10 Right-click the # (pound sign) box and select Add / New Rule to create a new
filter.
11 Right-click the Src interface box and select Untrusted.
12 Set the Dst interface, Source, and Destination boxes to Any.
13 Right-click the Service box and select Add to add a new service for Mobile IP
traffic.
14 Click New in the Service Object Selection screen to create a new policy
object.
15 Select UDP from the Category drop-down menu in the Service Object Type
Selection screen.
16 Click OK.
17 Enter MIP in the Service Name box in the UDP object insert screen.
18 Enter 434 in the Port box.
19 Enter Mobile IP Traffic in the Remark box.



Figure 22 Creating a mobile IP (MIP) service filter

20 Click OK.
21 Select UDP MIP from the Service Object Selection screen list.
22 Click OK.



Figure 23 Adding a mobile IP (MIP) service filter

23 Right-click the Action box and select Accept.


Figure 24 The Stateful Firewall screen


Filter 2
The second filter allows traffic from the private LAN network to pass through the
Wireless Gateway 7250 to the public LAN network:
1 Right-click the # (pound sign) box and select Add / New Rule to create a new
filter.

2 Right-click the Src interface box and select Trusted.

3 Set the Dst interface, Source, and Destination boxes to Any.

4 Right-click the Action box and select Accept.

Filter 3
The third filter allows traffic inside an IPsec tunnel to reach any destination both
on the private LAN and back out on the public LAN:
1 Right-click the # (pound sign) box and select Add / New Rule to create a new
filter.

2 Right-click the Src interface box and select Tunnel:Any.

3 Set the Dst interface, Source, and Destination boxes to Any.

4 Right-click the Action box and select Accept.

Filter 4
The fourth filter allows packet steering traffic inside an IPsec tunnel to reach any
destination both on the private LAN and back out on the public LAN. Packet
steering is only applicable to the set of designated mobile node address pools that
have been defined with a leading asterisk (*). If the Source IP address is within
the range of the address pool, the packet is forwarded to the specified captive
portal. Otherwise, the packet steering rule is skipped and the firewall continues to
the next rule.
One or more packet steering rules must be defined for each captive portal. Use
multiple rules if the captive portal is responsible for non-contiguous mobile node
IP addresses.


1 Right-click the # (pound sign) box and select Add / New Rule to create a new
filter.

2 Right-click the Src interface box and select Tunnel:Any.

3 Set the Dst interface box to Any.

4 Right-click the Source box to define the IP address range for the set of mobile
nodes and click Add.

5 On the Network Object Selection screen, click New.

6 On the Network Object Type screen, click the IP_range icon and click OK.

Figure 25 Network Object Type Selection screen

7 On the ip_range object insert screen, enter an IP range name for that set of
mobile nodes. For example, MNPOOL1.

8 Enter a description for the set of mobile nodes in the Remark box. For
example, Mobility1.

9 Enter the starting IP address range in the Starting Address box.

10 Enter the ending IP address range in the Ending Address box.



Figure 26 IP range object screen

11 Click OK.
12 Select the mobile node pool (for example, MNPOOL1) and click OK.
13 Right-click the Destination box and click Add.
14 On the Network Object Selection screen, click New.
15 On the Network Object Type screen, click the Host icon and click OK.
16 On the host object screen, enter the captive portal name in the Host Name
box. For example, CP1.
17 Enter the IP address for the captive portal in the IP Address box.
18 Enter a description for the captive portal in the Remark box. For example,
CaptivePortal 1.



Figure 27 Assigning a captive portal to the mobile node pool

19 Click OK.
20 Right-click the Service box and select any.
21 Right-click the Action box and select Accept.
22 Repeat steps 2 through 21 until all the mobile node address pools have been
defined.
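The four filters above, modelled as an ordered policy so that the packet steering behaviour for asterisk-named pools can be checked against sample packets. This is an added example, not Nortel code: the page does not say where the Wireless Gateway 7250 evaluates packet steering rules relative to Filter 3, so this model checks steering rules first (an assumption); the interface labels, pool names, captive portal and packet addresses are constructed.

```python
"""First-match model of the four Stateful Firewall filters (MIP signalling,
trusted out, tunnel any, packet steering to a captive portal). Added example,
not Nortel code; steering rules are evaluated before the general rules here,
which is an assumption. Pools, portal and addresses are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_if: str                 # "Untrusted", "Trusted" or "Tunnel:Any"
    src: IPv4Address
    dst: IPv4Address
    proto: str                  # "udp", "tcp", "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    name: str
    src_if: str                                        # interface match, or "Any"
    service: Optional[Tuple[str, int]]                 # (proto, port), None = any
    src_pool: Optional[Tuple[IPv4Address, IPv4Address]] = None  # (first, last)
    steer_to: Optional[IPv4Address] = None             # captive portal, steering only


def matches(rule: Rule, pkt: Packet) -> bool:
    """Source interface, service and (for steering rules) source pool must all match."""
    if rule.src_if != "Any" and rule.src_if != pkt.src_if:
        return False
    if rule.service is not None and (pkt.proto, pkt.dport) != rule.service:
        return False
    if rule.src_pool is not None:
        first, last = rule.src_pool
        if not first <= pkt.src <= last:
            return False
    return True


def wmn_policy(car_pools: Dict[str, Tuple[IPv4Address, IPv4Address]],
               captive_portals: Dict[str, IPv4Address]) -> List[Rule]:
    """Build the policy in the order the page creates the filters. car_pools maps
    pool name -> (first, last); captive_portals maps each *-pool name -> portal."""
    rules = [
        Rule("Filter 1 MIP", "Untrusted", ("udp", 434)),   # Mobile IP to home agent
        Rule("Filter 2 Trusted", "Trusted", None),          # private LAN outbound
        Rule("Filter 3 Tunnel", "Tunnel:Any", None),        # inside IPsec, anywhere
    ]
    for name, (first, last) in car_pools.items():
        if name.startswith("*"):                            # only *-pools are steered
            rules.append(Rule(f"Filter 4 steer {name}", "Tunnel:Any", None,
                              (first, last), captive_portals[name]))
    return rules


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[IPv4Address]]:
    """Return ("accept", steer_to) or ("deny", None). A steering rule whose pool
    does not contain the source is skipped and evaluation continues, as the page
    describes; with no match at all the default is deny."""
    steering = [r for r in rules if r.steer_to is not None]
    general = [r for r in rules if r.steer_to is None]
    for rule in steering + general:
        if matches(rule, pkt):
            return "accept", rule.steer_to
    return "deny", None
```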



Figure 28 Defined mobile node pools

Saving and activating a policy


After creating the filters:

1 Select Save Policy from the Policy menu.

2 Select OK on the Saving Policy succeeded window to enable this firewall
setting.

3 Click Refresh on the Stateful Firewall screen.

4 Select the policy you created from the Policy drop down menu. For example,
WMN1.

5 Click OK to activate the policy.

To allow traffic from a tunnel to go back out in another tunnel, a global
configuration must be set in the Wireless Gateway 7250:



Figure 29 Global configuration

1 Select SYSTEM / FORWARDING from the menu bar.

2 Ensure the Allow End User to End User checkbox is selected.

3 For Inter-Wireless Gateway 7250 roaming, ensure the Enable Gratuitous ARP
checkbox is selected.

Figure 30 Enabling the gratuitous ARP

4 Keep the remaining parameters at their default values.

5 Click OK.

Configuring advanced routing software


1 Connect to the Wireless Gateway 7250 using your web browser.

2 Select ADMIN / LICENSE KEYS to install the advanced routing license key.

3 Enter your key in the Advanced Routing field.

4 Select ROUTING / INTERFACES to configure the local Open Shortest Path
First (OSPF) parameters.

5 Click Configure for OSPF.

6 Enter the appropriate values for your configuration.

7 Click OK.



Figure 31 Example of the local OSPF parameters

8 Select ROUTING / OSPF to configure the global OSPF parameters for the
entire Wireless Gateway 7250.

9 Ensure the Enabled box is checked.

Note: In an Inter-Wireless Gateway 7250 roaming environment, the
OSPF state must be set to Disabled.

10 Enter the Router ID.

Note: The Router ID must be configured exactly as it appears in the IP
Address in the local OSPF parameters.

11 Set the AS-Boundary-Router to True.

12 Click OK in the OSPF section.



Figure 32 Example of the global OSPF parameters

Configuring client address redistribution (CAR) pools


Client address redistribution (CAR) pools are used to provide full support for
mobile node IP addresses that are not part of the local address range (that is, that
are not directly connected networks to the Wireless Gateway 7250). By
configuring one or more IP address pools with a non-local subnet and enabling
CAR and OSPF routing, the Wireless Gateway 7250 redistributes the networks of
the mobile node as soon as the first mobile node of a specified pool is successfully
registered. When the last mobile node in a specified pool de-registers, the
Wireless Gateway 7250 sends an OSPF update to remove the network route for
this pool's subnet.

Note: In an Inter-Wireless Gateway 7250 roaming environment, OSPF
must be disabled. Instead, in conjunction with enabling CAR pools,
mobile node information is redistributed through the Gratuitous ARP
setting. Refer to Figure 30 for more information.


CAR pools must be defined for all mobile nodes. In the case of Inter-Wireless
Gateway 7250 roaming, the mobile node maintains the same IP address as it
roams from one Wireless Gateway 7250 to another until its DHCP lease timer
expires. To support this functionality, all the Wireless Gateway 7250s in the
network must be configured with the same CAR pools for the mobile nodes. If a
CAR pool is modified on one Wireless Gateway 7250, it must be modified on
each Wireless Gateway 7250 in the Wireless Mesh Network.
To configure CAR pools

1 Connect to the Wireless Gateway 7250 using your web browser.

2 Select SERVERS / USER IP ADDR / ADD.

3 Create one or more mobile node pool subnets. The mobile node CAR pool
should not be mapped to any group configuration since all mobile node
address assignments are provided by the external DHCP server in the NOSS.

4 Enter the CAR pool starting IP address.

5 Enter the CAR pool ending IP address.

6 Enter the subnet mask.

7 Enter the CAR pool name. For a Wireless Mesh Network architecture that
requires a NAC, the CAR pool name for all mobile node pool subnets must
start with an asterisk (*). It is this notation that determines whether packet
steering is applicable to that CAR pool.

Note: To disable packet steering towards a NAC, define all mobile node
CAR pools with a name that does not contain a leading asterisk (*).



Figure 33 Adding an IP address pool

8 Click OK after creating each CAR pool.

Figure 34 Example of an IP address pool list

9 Select ROUTING / CLIENT-ADDR-DIS to enable CAR.



10 Ensure the Enabled and Summarization boxes are checked. Enabling
Summarization forces the Wireless Gateway 7250 to only redistribute the
network part in the OSPF link state updates. This minimizes the route tables of the
Wireless Gateway 7250 and of the neighboring routers. If summarization is not
enabled, every mobile node IP address is redistributed as a host-specific route.

Figure 35 Enable CAR pools

11 Select ROUTING / POLICY to enable the redistribution of the UTunnels as
the mobile node route entries.

12 Ensure the Route Policy box is Enabled and the UTunnel box in the OSPF
area is checked.
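The CAR redistribution behaviour described above (advertise a pool's network route when its first mobile node registers, withdraw it when the last one de-registers, and fall back to one host route per mobile node when Summarization is off), written as an added example that tracks registrations and returns the OSPF route events a gateway would emit. This is not Nortel code; the pool names, mask and addresses are constructed.

```python
"""Tracker for client address redistribution (CAR) pools: returns the route
events ("advertise"/"withdraw", prefix) the Wireless Gateway 7250 would send
into OSPF as mobile nodes register and de-register. Added example, not Nortel
code; pool names and addresses are constructed."""
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Set, Tuple

Event = Tuple[str, str]


class CarPool:
    """One CAR pool as entered under SERVERS / USER IP ADDR (first, last, mask)."""

    def __init__(self, name: str, first: str, last: str, mask: str):
        self.name = name
        self.first = IPv4Address(first)
        self.last = IPv4Address(last)
        # The pool's subnet, i.e. the network part redistributed with Summarization.
        self.network = IPv4Network(f"{first}/{mask}", strict=False)

    def contains(self, addr: IPv4Address) -> bool:
        return self.first <= addr <= self.last


class CarRedistributor:
    def __init__(self, pools: List[CarPool], summarization: bool = True):
        self.pools = pools
        self.summarization = summarization
        self.registered: Dict[str, Set[IPv4Address]] = {p.name: set() for p in pools}

    def _pool_for(self, addr: IPv4Address) -> Optional[CarPool]:
        for pool in self.pools:
            if pool.contains(addr):
                return pool
        return None

    def register(self, address: str) -> List[Event]:
        """Mobile node registration: the pool's network route is advertised only
        for the first member; without Summarization each node is a /32 route."""
        addr = IPv4Address(address)
        pool = self._pool_for(addr)
        if pool is None:
            return []                      # not a CAR pool address, nothing to redistribute
        members = self.registered[pool.name]
        if addr in members:
            return []                      # re-registration, route already present
        first_member = not members
        members.add(addr)
        if not self.summarization:
            return [("advertise", f"{addr}/32")]
        return [("advertise", str(pool.network))] if first_member else []

    def deregister(self, address: str) -> List[Event]:
        """Mobile node de-registration: the network route is withdrawn only when
        the last member leaves; without Summarization the node's /32 is withdrawn."""
        addr = IPv4Address(address)
        pool = self._pool_for(addr)
        if pool is None or addr not in self.registered[pool.name]:
            return []
        members = self.registered[pool.name]
        members.discard(addr)
        if not self.summarization:
            return [("withdraw", f"{addr}/32")]
        return [("withdraw", str(pool.network))] if not members else []

    def advertised(self) -> List[str]:
        """Prefixes currently in OSPF, for comparing against a neighbor's route table."""
        if self.summarization:
            return [str(p.network) for p in self.pools if self.registered[p.name]]
        return [f"{a}/32" for p in self.pools for a in sorted(self.registered[p.name])]
```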



Figure 36 Enabling a route policy

Configuring IPsec parameters


To configure the Wireless Gateway 7250 for IPsec tunneling, you first configure
the parameters on a global level.

1 Connect to the Wireless Gateway 7250 using your web browser.

2 Select SERVICES / IPsec.

Note: Only those parameters checked in the IPsec Settings screen are
shown and configurable in the PROFILES / GROUP screens.



Figure 37 Global IPsec parameters

Figure 38 Global IPsec parameters (continued)



Figure 39 Global IPsec parameters (continued)

3 Configure the IPsec Authentication settings.

4 Configure the IPsec RADIUS Authentication settings for the connection.
Click the appropriate check box to enable support for the authentication types
that your RADIUS server supports.

5 Configure the IPsec encryption settings for the connection. Click the
appropriate check box to either enable or disable the supported encryption
methods for this group. The encryption methods are shown in order of
strength, from strongest to weakest.

Note: Using higher-level encryption, such as Triple DES, decreases
performance.

6 Configure the IPsec IKE encryption and Diffie-Hellman Group settings for
the connection. If you select both the 56-bit DES with Group 1 and Triple DES
with Group 2 options, you can edit this field when configuring group IPsec
parameters.


You now must define an address pool to allow the Wireless AP 7220s to set up
IPsec tunnels to the Wireless Gateway 7250.
Note: If your configuration allows the Wireless Gateway 7250 to
communicate directly to the inner address of the Wireless AP 7220, you
must first configure the CAR pool. Refer to Configuring client address
redistribution (CAR) pools for complete instructions.
1 Select SERVERS / USER IP ADDR.

2 Click Add.

3 Enter the Starting IP Address, Ending IP Address, and Subnet Mask
information.

4 Ensure that the New radio button is selected.

5 Enter the address pool name.

Note: The address pool name for a Wireless AP 7220 can start with any
character except an asterisk (*). This designation is reserved for mobile
node CAR pools that are subject to packet steering rules.

6 Click OK.


Figure 40 Example of a Wireless AP 7220 address pool configuration

Next, configure a group profile for all the Wireless AP 7220s. Separate groups
must be created for Wireless AP 7220 @ NAPs and Wireless AP 7220s.
1 Select PROFILES / GROUPS.

2 Click Add.



Figure 41 Example of adding a Wireless AP 7220 group

3 Enter a group name. (For example, AP7220@NAP.)

4 Click OK.

5 Click Add to create a group for the Wireless AP 7220s.

6 Enter a group name. (For example, WirelessAP7220s.)

7 Click OK.

Note: You can map all the Wireless AP 7220s to the /Base group.
However, it is recommended that you create a subgroup which has all the
default group configurations. In this case, individual changes are only
applied to the new group.

318507-B Rev 01

Chapter 4 Configuration management 115


Figure 42 Example of editing a Wireless AP 7220 group

Click OK.

Click Edit for Group /parent group/groupname. (For example, /Base/WARP.)

10 Click Configure for the Connectivity.


Figure 43 Wireless AP 7220 @ NAP group connectivity parameters

Figure 44 Wireless AP 7220 @ NAP group connectivity parameters (continued)


Figure 45 Wireless AP 7220 @ NAP group connectivity parameters (continued)

Figure 46 Wireless AP 7220 group connectivity parameters


Figure 47 Wireless AP 7220 group connectivity parameters (continued)

Figure 48 Wireless AP 7220 group connectivity parameters (continued)

The Number of Logins parameter is used to determine the number of
simultaneous active sessions a Wireless AP 7220 can have with the Wireless
Gateway 7250. If a Wireless AP 7220 has a static IP address configured on the
Wireless Gateway 7250, the Wireless Gateway 7250 only allows a single active
IPsec session for that Wireless AP 7220. However, if the Wireless AP 7220 uses
dynamically assigned IPsec tunnels, then the Number of Logins parameter for the
Wireless AP 7220 group should be configured to a value greater than 1. This
allows a Wireless AP 7220 that has just rebooted to establish a new IPsec
tunnel with the Wireless Gateway 7250 while the Wireless Gateway 7250 still
holds the IPsec tunnel it established with that Wireless AP 7220 before the
reboot. The Wireless Gateway 7250 clears the previously established IPsec
tunnel when the Keep Alive parameter expires.

The Idle Timeout parameter is used to detect when there has been no activity in a
user tunnel for a specified amount of time. This is used to detect system errors
such as connectivity problems between the Wireless AP 7220s and the Wireless
Gateway 7250.
In normal operation, the Wireless AP 7220 always sends traffic through the tunnel
even if no user data is forwarded. A mobile IP (MIP) message is sent periodically
if no other registrations or de-registrations are sent. When the idle timeout value
has expired, the connection is released. All mobile node bindings connected to
this IPsec tunnel are also removed. The default value is 00:15:00; the range is
00:00:00 to 23:59:59. An Idle Timeout parameter set to 00:00:00 means no idle
timeout.
Note: Nortel recommends setting the Idle Timeout value for Wireless
AP 7220s to 00:00:00.

The Rekey Timeout parameter is used to refresh the encryption keys that encrypt
traffic through the IPsec tunnel between the Wireless Gateway 7250 and the
Wireless AP 7220. The maximum value is 23:59:59. If a strong encryption
algorithm is used (for example, Triple DES with MD5 Integrity) the
recommended value range is 00:12:00 to 23:59:59.

The Keep Alive parameter is used by either end of the IPsec tunnel to
ensure that the other IPsec tunnel endpoint is available. The recommended value
for Wireless AP 7220 @ NAPs is 00:00:30; the recommended value for Wireless
AP 7220s is 00:08:00.
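The interplay of Number of Logins, Keep Alive and Idle Timeout described above is easier to see in a small model. The following Python is an added example written for this page, not Nortel code and not the gateway's implementation: it keeps a simplified session table with a simulated clock, refuses an AP more concurrent sessions than its limit, and clears tunnels whose keep-alives stop or that go idle. The serial numbers, the clock, and the exact tie-breaking are the example's own assumptions; it reproduces the reboot case the text describes, where an AP returns before its stale tunnel has been cleared.

```python
from dataclasses import dataclass, field
from datetime import timedelta
from typing import Dict, List


def parse_hms(value: str) -> timedelta:
    """Parse the hh:mm:ss timer format used by the gateway; 00:00:00 means disabled."""
    h, m, s = (int(part) for part in value.split(":"))
    if not (0 <= h <= 23 and 0 <= m <= 59 and 0 <= s <= 59):
        raise ValueError(f"timer out of range: {value}")
    return timedelta(hours=h, minutes=m, seconds=s)


@dataclass
class GroupProfile:
    number_of_logins: int      # Number of Logins
    keep_alive: timedelta      # Keep Alive
    idle_timeout: timedelta    # Idle Timeout; zero disables it


@dataclass
class Tunnel:
    ap_serial: str
    last_keepalive_at: int     # simulated clock, in seconds
    last_traffic_at: int


@dataclass
class Gateway:
    group: GroupProfile
    static_ip: Dict[str, str] = field(default_factory=dict)   # serial -> static tunnel IP
    tunnels: List[Tunnel] = field(default_factory=list)

    def expire(self, now: int) -> int:
        """Clear tunnels whose peer stopped answering keep-alives or went idle.
        Returns the number of tunnels cleared."""
        ka = self.group.keep_alive.total_seconds()
        idle = self.group.idle_timeout.total_seconds()
        keep = []
        for t in self.tunnels:
            dead = (ka and now - t.last_keepalive_at > ka) or \
                   (idle and now - t.last_traffic_at > idle)
            if not dead:
                keep.append(t)
        cleared = len(self.tunnels) - len(keep)
        self.tunnels = keep
        return cleared

    def connect(self, ap_serial: str, now: int) -> bool:
        """An AP's IKE login. A static-IP AP gets at most one session (as the text
        states); other APs get up to Number of Logins sessions."""
        self.expire(now)
        active = sum(1 for t in self.tunnels if t.ap_serial == ap_serial)
        limit = 1 if ap_serial in self.static_ip else self.group.number_of_logins
        if active >= limit:
            return False
        self.tunnels.append(Tunnel(ap_serial, now, now))
        return True


def reboot_scenario(number_of_logins: int) -> dict:
    """AP connects at t=0, reboots at t=10 without tearing its tunnel down, and
    comes back at t=15. Keep Alive is the 00:08:00 recommended for Wireless
    AP 7220s; Idle Timeout is the recommended 00:00:00."""
    group = GroupProfile(number_of_logins, parse_hms("00:08:00"), parse_hms("00:00:00"))
    gw = Gateway(group)
    serial = "AP7220-CONSTRUCTED-0001"        # constructed serial number
    gw.connect(serial, 0)
    gw.tunnels[0].last_keepalive_at = 10      # last keep-alive seen before the reboot
    reconnect_ok = gw.connect(serial, 15)
    cleared = gw.expire(10 + 8 * 60 + 1)      # clock moved past Keep Alive expiry
    return {"reconnect_ok": reconnect_ok,
            "stale_cleared": cleared,
            "tunnels_after_expiry": len(gw.tunnels)}


def static_ip_scenario() -> bool:
    """Even with Number of Logins = 2, an AP with a static tunnel IP is refused
    a second concurrent session."""
    group = GroupProfile(2, parse_hms("00:00:30"), parse_hms("00:00:00"))
    serial = "AP7220-CONSTRUCTED-0002"        # constructed serial number
    gw = Gateway(group, static_ip={serial: "10.0.0.2"})   # constructed static IP
    gw.connect(serial, 0)
    return gw.connect(serial, 5)
```

With Number of Logins left at 1 the rebooted AP is refused until the Keep Alive timer clears the stale tunnel; with a value of 2 it reconnects at once and the stale tunnel is still cleared when Keep Alive expires, which is the behaviour the text recommends for dynamically assigned tunnels.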
11 Select the new Wireless AP 7220 address pool from the drop down menu. The
Address Pool Name parameter must be consistent with the New address pool
name identified on the Wireless AP 7220 configuration (refer to Figure 40).
12 Click OK to activate the changes.
Modify the IPsec parameters for ESP, AH, and IKE to match the required settings
for the Wireless AP 7220:
Note: Keep the parameters at their default settings except for those
indicated in the following procedure.
Figure 49 Group IPsec parameters

Figure 50 Group IPsec parameters (continued)

1 Select PROFILES / GROUPS / Edit.
2 Select Configure for the IPsec.
3 In the Database Authentication (LDAP) section, ensure the User Name and
Password boxes are checked.
4 Set the default Server Certificate to (None).
5 Set Accept ISAKMP Initial Contact Payload to Enabled.
6 In the Encryption section, ensure all boxes are checked.
7 Set Max Number of Retransmissions to 9 in the Client Keepalive Tuning
section.
8 Set Anti Replay to Enabled.
9 Click OK to activate the changes.

Configuring Wireless AP 7220 user accounts

You must create one unique account for each Wireless AP 7220.

Figure 51 Example of configuring a Wireless AP 7220 user account

1 Connect to the Wireless Gateway 7250 using your web browser.
2 Select PROFILES / USERS.
3 Click the Group drop-down list box and select the appropriate group.
4 Click either Add User button to add a new Wireless AP 7220 account.
5 Enter the username in the IPsec area. This username is the serial number of
the Wireless AP 7220.
6 Enter the password. This password is the output generated by the KeyGen
tool. Refer to Appendix A, KeyGen tool for more information about the
KeyGen tool.
Note: After entering the username and password, the Wireless Gateway
7250 converts all letters to lowercase. The KeyGen tool is case-sensitive
and therefore produces two different passwords based on upper and
lowercase letters. Always use the password that is generated from the
Wireless AP 7220 serial number exactly as it appears on the Wireless AP
7220.
7 Click OK.

Configuring a static IP address

The tunnel IP addresses for a Wireless AP 7220 can either be statically
configured, or automatically configured in the network. Refer to Configuring a
Wireless AP 7220 for complete instructions about automatically configuring a
Wireless AP 7220.
To configure a static IP address for a Wireless AP 7220

Figure 52 Configuring a static IP address

1 Connect to the Wireless Gateway 7250 using your web browser.
2 Select PROFILES / USERS / User Management / Add User.
3 Enter the serial number of the Wireless AP 7220 in the Name text box.
4 Select the group to which this Wireless AP 7220 belongs from the Group
drop-down list box.
5 Enter the static IP address and static subnet mask in the Remote User text
boxes.
Note: The static IP address and static subnet mask must previously be
configured. Refer to Configuring IPsec parameters.
6 Click OK.
Note: If the Wireless AP 7220 reboots for any reason, the Wireless
Gateway 7250 may not release the tunnel IP until the timeout has
expired. The default timeout on the Wireless AP 7220 @ NAPs is
00:00:30 and 00:08:00 for the Wireless AP 7220s. In this case, the
Wireless AP 7220 tries to re-establish a connection but will be unable
until the idle timeout on the Wireless Gateway 7250 expires.

Configuring classifier rules


The Wireless Gateway 7250 must be configured to uniquely tag control packets
between the NOSS elements and Wireless Gateway 7250 so that they are not
dropped during network congestion.

Creating classifiers
To create the classifier
1 Connect to the Wireless Gateway 7250 using your web browser.
2 Select QOS / Classifier.
3 Enter a classifier name for the inbound packets on the private interface of the
network. (For example, PRIVATE-INGRESS.)

Figure 53 Creating a classifier

4 Click Create.
5 Click OK on the Edit Classifier screen.

Figure 54 Edit Classifier screen

6 Enter a classifier name for the outbound packets on the public interface of the
network. (For example, PUBLIC-EGRESS.)
7 Click Create.
8 Click OK on the Edit Classifier screen.

Figure 55 Classifiers screen

Creating classifier rules


To create the classifier rules
1 Select QOS / Classifiers.
2 Select the classifier you previously created for the private interface from the
list box. For example, PRIVATE-INGRESS.
3 Click Manage Rules.

Figure 56 Creating classifier rules

4 Click Create.
5 Enter the name of the rule in the Rule Name text box.
6 Select udp from the Protocol drop-down list box.
7 Click Modify for the TCP/UDP Source Port and TCP/UDP Destination Port.

Figure 57 Classifiers Rules Port screen

8 Click Create.
9 Enter the name of the port in the Port Name text box. For example, to create a
rule for the RADIUS Authentication server, enter RADIUS1.
10 Enter the port number in the Port Number text box. For example, 1812.

Figure 58 Create Port screen

11 Click OK.
12 Click Close on the Classifiers Rule Port screen.
13 Select the port name and number previously created from the drop-down list
box. (For example, RADIUS1,1812.)
14 Ensure the Assured Forwarding 4 (AF4) radio button is selected.
15 Click OK.
16 Repeat these steps for each element in the network on the private interface.
Use Table 5 as an example:
Table 5 Private ingress classifier rules port information

Type | Classifier Rule Name | Source Address (default) | Destination Address (default) | Protocol | TCP/UDP Source Port | TCP/UDP Destination Port | Current DSCP | DiffServ Marking
RADIUS authentication | WMN-RADIUS1 | any,0.0.0.0,255.255.255.255 | any,0.0.0.0,255.255.255.255 | UDP | any,0 | RADIUS1,1812 | any | assured forwarding
RADIUS accounting | WMN-RADIUS2 | any,0.0.0.0,255.255.255.255 | any,0.0.0.0,255.255.255.255 | UDP | any,0 | RADIUS2,1813 | any | assured forwarding
SNTP | WMN-SNTP | any,0.0.0.0,255.255.255.255 | any,0.0.0.0,255.255.255.255 | UDP | SNTP,123 | any,0 | any | assured forwarding
SNMP | WMN-SNMP | any,0.0.0.0,255.255.255.255 | any,0.0.0.0,255.255.255.255 | UDP | any,0 | SNMP,161 | any | assured forwarding
DHCP | WMN-DHCP | any,0.0.0.0,255.255.255.255 | any,0.0.0.0,255.255.255.255 | UDP | any,0 | DHCP,68 | any | assured forwarding


17 Repeat the same steps for the outbound packets on the public interface of the
network selecting the appropriate classifier in step 2. For example,
PUBLIC-EGRESS.
18 Repeat these steps for each element in the network on the public interface.
Use Table 6 as an example:
Table 6 Public egress classifier rules port information

Type | Classifier Rule Name | Source Address (default) | Destination Address (default) | Protocol | TCP/UDP Source Port | TCP/UDP Destination Port | Current DSCP | DiffServ Marking
Foreign Agent/Home Agent | FAHA | any,0.0.0.0,255.255.255.255 | any,0.0.0.0,255.255.255.255 | UDP | any,0 | FAHA,434 | any | assured forwarding
IKE | IKE | any,0.0.0.0,255.255.255.255 | any,0.0.0.0,255.255.255.255 | UDP | IKE,500 | IKE,500 | any | assured forwarding


Associating the classifier to the rules


To associate the classifier to the rules
1 Select QOS / Classifiers.
2 Select PRIVATE-INGRESS.
3 Click Edit.

Figure 59 Associating the classifier to the rules

4 Click OK.
5 Select the rule to add in the Available Rules list box.
6 Click the arrow button to move the rule to the Rules in Classifier list box.
7 Repeat step 6 for each rule. Refer to Table 5 for a list of the Private Ingress
classifier rules.

Figure 60 Edit Classifier (PRIVATE_INGRESS) screen

8 Click OK when all the PRIVATE-INGRESS classifiers are associated with a
rule.
9 Select PUBLIC-EGRESS and repeat steps 3 to 7. Refer to Table 6 for a list of
the Public Egress classifier rules.

Figure 61 Edit Classifier (PUBLIC_EGRESS) screen

10 Click OK when all the PUBLIC-EGRESS classifiers are associated with a
rule.

Applying the classifiers to the interfaces


To apply the classifiers to the private and public interfaces of the Wireless
Gateway 7250
1 Select QOS / Interfaces.
2 Select LAN from the Current Interface drop-down list box to associate the
classifier to the private interface of the Wireless Gateway 7250.

Figure 62 QoS Interfaces screen

3 Click Configure in the DiffServ Edge section.
4 Ensure the Multi-Field Classifier State is set to Enabled.
5 Select the Ingress (inbound) classifier from the Multi-Field Classifier
drop-down list box. (For example, PRIVATE-INGRESS.)
6 Click Update.

Figure 63 Enabling the private classifier

7 Click OK.
8 Select Slot 1 Interface 1 from the Current Interface drop-down list box to
associate the classifiers to the public interface of the Wireless Gateway 7250.
9 Click Configure in the DiffServ Edge section.
10 Ensure the Multi-Field Classifier State is set to Enabled.
11 Select the Egress (outbound) classifier from the Multi-Field Classifier
drop-down list box. (For example, PUBLIC-EGRESS.)
12 Click Update.
13 Click OK.
Note: The Wireless Gateway 7250 is configured to mark higher priority
packets. Any intervening transport network (that is, routers or switches)
between the Wireless Gateway 7250 and the Wireless AP 7220 @ NAP
must not remark or reset the DSCP marking of higher priority packets. In
cases where this intervening network is provided by a third-party
transport provider, ensure that your SLA with the third-party transport
provider specifies that the marking on the data packets is neither
remarked nor reset.
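To make the effect of Tables 5 and 6 and the Note above concrete, here is an added Python example (not Nortel code and not the gateway's implementation) that applies the same multi-field rules to constructed packets and marks the matches, and includes the check an operator would run on the transport path: compare the DSCP of packets as sent by the gateway against the same packets as received at the NAP. The packet layout, the sample addresses, and the numeric code point 34 (AF41, RFC 2597) used for the "AF4" marking are assumptions of the example; the page gives only the class name.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# DSCP code point used here for "Assured Forwarding 4 (AF4)". The page does not
# state the numeric value; AF41 = 34 is an assumption of this example.
AF41 = 34


@dataclass(frozen=True)
class Rule:
    name: str
    protocol: str       # "udp" or "tcp"
    src_port: int       # 0 stands for "any,0" in Tables 5 and 6
    dst_port: int
    marking: int = AF41


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str
    sport: int
    dport: int
    dscp: int = 0       # "Current DSCP" is "any" in the tables, so it is not matched


# Rules transcribed from Table 5 (private ingress) and Table 6 (public egress).
# Source and destination address stay at the default "any", so only the
# protocol and the ports are matched.
PRIVATE_INGRESS: List[Rule] = [
    Rule("WMN-RADIUS1", "udp", 0, 1812),
    Rule("WMN-RADIUS2", "udp", 0, 1813),
    Rule("WMN-SNTP", "udp", 123, 0),
    Rule("WMN-SNMP", "udp", 0, 161),
    Rule("WMN-DHCP", "udp", 0, 68),
]
PUBLIC_EGRESS: List[Rule] = [
    Rule("FAHA", "udp", 0, 434),
    Rule("IKE", "udp", 500, 500),
]


def matches(rule: Rule, pkt: Packet) -> bool:
    """A port of 0 in the rule means any port; both ports must match otherwise."""
    if rule.protocol != pkt.protocol:
        return False
    if rule.src_port and rule.src_port != pkt.sport:
        return False
    if rule.dst_port and rule.dst_port != pkt.dport:
        return False
    return True


def classify(classifier: List[Rule], pkt: Packet) -> Tuple[Optional[str], int]:
    """Apply a multi-field classifier to one packet. The first matching rule sets
    the DSCP; an unmatched packet keeps whatever DSCP it already carried."""
    for rule in classifier:
        if matches(rule, pkt):
            pkt.dscp = rule.marking
            return rule.name, pkt.dscp
    return None, pkt.dscp


def find_remarked(sent: List[Packet], received: List[Packet]) -> List[int]:
    """The property the Note requires of the transport network: the DSCP that left
    the gateway must arrive unchanged. Returns the indexes whose marking changed."""
    return [i for i, (a, b) in enumerate(zip(sent, received)) if a.dscp != b.dscp]


# Constructed sample traffic on the private interface (addresses are made up).
PRIVATE_SAMPLE = [
    Packet("27.0.27.4", "192.168.30.10", "udp", 40001, 1812),   # RADIUS Access-Request
    Packet("192.168.30.11", "27.0.27.4", "udp", 123, 40002),    # SNTP reply
    Packet("27.0.27.4", "192.168.30.12", "udp", 40003, 161),    # SNMP get
    Packet("0.0.0.0", "255.255.255.255", "udp", 67, 68),        # DHCP offer
    Packet("27.0.27.4", "192.168.30.13", "tcp", 40004, 21),     # FTP control: no rule
]


def classify_private_sample() -> List[Tuple[Optional[str], int]]:
    """Run the private-ingress classifier over the sample traffic."""
    return [classify(PRIVATE_INGRESS, p) for p in PRIVATE_SAMPLE]
```

Note that the IKE rule in Table 6 matches only when both ports are 500, and that the SNTP rule in Table 5 keys on the source port, so only replies from the time server are marked; the FTP control packet shows that anything outside the tables is left at its existing DSCP.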

Configuring a Wireless AP 7220 @ NAP


The Wireless AP 7220 @ NAP must be statically configured in the network so
that it can relay DHCP and act as a RADIUS authenticator for the Wireless AP
7220s.
To statically configure a Wireless AP 7220 @ NAP
Note: Ensure your computer is configured to Ethernet IP address
192.168.10.1 subnet mask 255.255.255.0. The default IP address for the
Wireless AP 7220 @ NAP is 192.168.10.2.
1 Connect an Ethernet cable from the Wireless AP 7220 @ NAP to your
computer.

Figure 64 Computer to Wireless AP 7220 @ NAP Ethernet connection

2 Power on the Wireless AP 7220 @ NAP. It is recommended that you wait
approximately three minutes after power on.
3 Enter the Telnet IP address (192.168.10.2) and press Enter to start a Telnet
session.
4 Enter admin and press Enter at the login prompt.
5 Enter admin and press Enter at the password prompt.
6 Enter configure and press Enter.
7 Enter set ip <IP_address> and press Enter to set the static IP address. For
example, 27.0.27.4.
8 Enter set netmask <netmask> and press Enter to set the netmask to a full
class-C subnet. For example, 255.255.255.0.
9 Enter set areaid <OSPF_areaID> and press Enter to set the OSPF Area ID.
For example, 10.0.0.0.
10 Enter set gw <NAPR_Public_IPaddress> and press Enter to set the IP address
of the NAP router. For example, 27.0.27.1.
11 Enter set pktgw <Gateway_Public_IPaddress> and press Enter to set the IP
address of the Wireless Gateway 7250. For example, 30.0.30.1.
12 Enter show and press Enter to verify the parameters.
13 Enter exit and press Enter to return to the Main menu.
14 Enter configmgr and press Enter to start a ConfigMgr session.
15 Enter set server <IP_address> and press Enter to set the IP address of the FTP
server. For example, 192.168.30.13.
16 Enter set file <filename> and press Enter to set the name of the configuration
file.
17 Enter show and press Enter to verify the parameters.
18 Enter exit and press Enter to exit the ConfigMgr.
19 Enter reboot and press Enter to reboot the Wireless AP 7220 @ NAP.
20 Enter Yes to restart the Wireless AP 7220 @ NAP.
21 Immediately remove the Ethernet cable from your computer and connect it to
the NAP router.
22 After the reboot sequence, the Wireless AP 7220 @ NAP recognizes the NAP
router, authenticates through the RADIUS server, and then obtains an IPsec
tunnel from the Wireless Gateway 7250.

Configuring a Wireless AP 7220


The Wireless AP 7220s can be automatically configured in the network. To do
this, the Wireless AP 7220 receives required information from various elements in
the network during initialization.
The following network elements must be configured correctly before the Wireless
AP 7220 can be initialized:
FTP server
DHCP server
RADIUS server
ONMS
Wireless Gateway 7250
The following steps show the high-level sequence required for Wireless AP 7220
initialization in the Wireless Mesh Network:
1 Wireless AP 7220 powers up and loads the software from flash memory.
2 The Wireless AP 7220 requests authentication from the RADIUS server.
Refer to Configuring the RADIUS server for RADIUS server configuration
information.
3 The Wireless AP 7220 requests a dynamic extranet address. Refer to
Configuring the Dynamic Host Configuration Protocol (DHCP) server for
DHCP server configuration information.
4 The Wireless AP 7220 requests an IPsec tunnel from the Wireless Gateway
7250. Refer to Configuring the Wireless Gateway 7250 for Wireless
Gateway 7250 configuration information.
5 The Wireless AP 7220 downloads the configuration file. Refer to
Configuring the FTP server for FTP server configuration information.
6 In addition, the network manager must configure each Wireless AP 7220 to
provide appropriate syslog data to the syslog server used (typically the ONMS
syslog server). Refer to Enabling and configuring Wireless AP 7220 logging for
syslog configuration information.

Wireless AP 7220 pre-deployment configuration


Although all Wireless AP 7220s are configured automatically, they can also be
manually configured.
The Wireless AP 7220 software contains the default values for the parameters that
are required for initializing the Wireless AP 7220 into the network:
username and password for the FTP configuration file
a common Wireless AP 7220 password required for the RADIUS server and
IPsec authentication
These default settings can be modified for security reasons or for conformance to
local policies and configurations.
To perform a pre-deployment configuration, the Wireless AP 7220 must have a
wired 10/100 BaseT Ethernet connection to a computer. A connection between the
Wireless AP 7220 and the Ethernet hub is made using an RJ45 connector in the
base of the Wireless AP 7220. An FTP server must be configured at the computer.
If a hub is not used, a cross-over CAT5 cable is required.
Note: Ensure your computer is configured to Ethernet IP address
192.168.10.1 subnet mask 255.255.255.0. The default IP address for the
Wireless AP 7220 is 192.168.10.2.

Figure 65 Pre-deployment configuration

The Wireless AP 7220 is initialized by loading the software image from flash
memory. After initialization
1 Start a Telnet application on the computer.
2 Establish a session with the Wireless AP 7220.
3 Use the CLI to modify the configuration parameters:
username
password
FTP server address for the configuration file
common Wireless AP 7220 password
Refer to Command line interface (CLI) option for more information about the
CLI.

Wireless AP 7220 post-deployment configuration


The Wireless AP 7220 can be initialized either from the Ethernet port or from
flash memory.

Initializing the Wireless AP 7220 from flash memory


Initializing the Wireless AP 7220 from flash memory is the recommended
method. In this case, the Wireless AP 7220 only requires the configuration file
from the FTP server. If the configuration file parameters were not changed in the
pre-deployment phase, the following default parameters are used:
user name: nortelWarp
password: nortelWarp
After initialization has completed, use the CLI or ONMS to modify the Wireless
AP 7220 as required.

Initializing the Wireless AP 7220 from the Ethernet port

If the Wireless AP 7220 fails to load the software image from flash memory or the
image is not usable, an image will instead load from the Ethernet port.
1 Ensure that the Ethernet port on the Wireless AP 7220 is connected.
2 Ensure the PC is configured with the IP address 192.168.10.1 subnet mask
255.255.255.0.
3 Configure an FTP server on the PC using this configuration:
AP Image name: vxWorks-wdb
FTP session username: tl
FTP session password: testing
4 Reboot the Wireless AP 7220.
5 After the Wireless AP 7220 has successfully downloaded the file (for
example, vxWorks-wdb), immediately remove the Ethernet cable to allow the
Wireless AP 7220 to initialize as a stand-alone Wireless AP 7220.

Writing an image into flash memory


Initializing a Wireless AP 7220 using the Ethernet port does not write the image
directly into flash memory. You must use the following steps to perform a
software download which writes the image into flash memory.
1 Power on the Wireless AP 7220. It is recommended that you wait for
approximately three minutes after power on.
2 Enter the Telnet IP address and press Enter to start a Telnet session.
3 Enter admin and press Enter at the login prompt.
4 Enter admin and press Enter at the password prompt.
5 Enter swdld and press Enter at the AP7220# prompt.
6 Enter set image <filename.bin> and press Enter at the swdld prompt.
7 Enter set server <ftp Server IP> and press Enter.
8 Enter set user <username> and press Enter.
9 Enter set password <password> and press Enter.
10 Enter set versioncheck <on> or <off> and press Enter. (The default is on.)
11 Enter start and press Enter.
12 A message appears when the software has been successfully downloaded.

Command line interface (CLI) option


The Wireless AP 7220 can be accessed through the standard Telnet port number
using the tunnel IP address assigned to the Wireless AP 7220. The following
sections provide examples using this method.

Configuring the configuration manager (ConfigMgr)


The configuration manager (ConfigMgr) is used to configure the username,
password, and configuration file location. By default when a Wireless AP 7220
powers up, it automatically tries to log into the FTP server using the username
nortelWarp and the password nortelWarp.
To manually define a username and password prior to Wireless AP 7220
deployment
1 Start a Telnet session.
2 Enter configmgr and press Enter.
3 Enter set server <IP address> and press Enter to set the IP address of the FTP
server.
4 Enter set file <filename> and press Enter to set the name of the configuration
file.
5 Enter set user <username> and press Enter to set the new username.
6 Enter set passwd <password> and press Enter to set the new password.
7 Enter exit and press Enter to exit the ConfigMgr configuration.
You can enter show at any time to display the ConfigMgr parameters. Enter del all
to delete all configurable parameters.
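The pre-deployment section and the ConfigMgr steps above both tell the operator to replace the factory credentials (admin/admin for the Telnet login, nortelWarp/nortelWarp for the configuration-file FTP account, tl/testing for the image FTP account) and name the recommended gateway timer values for each AP role. The following Python is an added example, not Nortel code: it audits a per-AP inventory record against those defaults and recommendations, so a fleet can be checked before deployment. The record keys, the sample records and the placeholder values are the example's own assumptions.

```python
from typing import Dict, List

# Factory defaults named in this chapter: the Telnet login password, the
# ConfigMgr FTP account for the configuration file, and the FTP account used
# when an image is loaded over the Ethernet port.
FACTORY_DEFAULTS = {
    "telnet_password": "admin",
    "ftp_user": "nortelWarp",
    "ftp_password": "nortelWarp",
    "image_ftp_user": "tl",
    "image_ftp_password": "testing",
}

# Gateway group timers recommended in this chapter, by AP role.
RECOMMENDED_KEEP_ALIVE = {"nap": "00:00:30", "ap": "00:08:00"}
RECOMMENDED_IDLE_TIMEOUT = {"ap": "00:00:00"}


def audit_ap(record: Dict[str, str]) -> List[str]:
    """Return the findings for one Wireless AP 7220 record (empty list = clean).
    The record keys are assumptions of this example, not a Nortel format."""
    findings: List[str] = []
    for key, default in FACTORY_DEFAULTS.items():
        if record.get(key) == default:
            findings.append(f"{key}: still the factory default")
    if record.get("ftp_password") and record["ftp_password"] == record.get("ftp_user"):
        findings.append("ftp_password: identical to ftp_user")
    if record.get("versioncheck", "on").lower() != "on":
        findings.append("versioncheck: off; software downloads skip the version check")
    role = record.get("role", "ap")
    keep_alive = record.get("keep_alive")
    if keep_alive and keep_alive != RECOMMENDED_KEEP_ALIVE[role]:
        findings.append(f"keep_alive: {keep_alive}; recommended "
                        f"{RECOMMENDED_KEEP_ALIVE[role]} for role {role}")
    idle = record.get("idle_timeout")
    if role in RECOMMENDED_IDLE_TIMEOUT and idle and idle != RECOMMENDED_IDLE_TIMEOUT[role]:
        findings.append(f"idle_timeout: {idle}; recommended {RECOMMENDED_IDLE_TIMEOUT[role]}")
    # The gateway account name is the AP serial number, and the gateway lowercases it.
    serial = record.get("serial", "")
    username = record.get("ipsec_username")
    if username and username.lower() != serial.lower():
        findings.append("ipsec_username: does not match the AP serial number")
    return findings


def audit_fleet(records: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map serial number -> findings for every AP that has at least one finding."""
    result: Dict[str, List[str]] = {}
    for rec in records:
        findings = audit_ap(rec)
        if findings:
            result[rec["serial"]] = findings
    return result


# Constructed records: one AP straight out of the box, one prepared as this
# chapter describes. Serial numbers and replacement values are placeholders.
FRESH_AP = {
    "serial": "AP7220-CONSTRUCTED-0001", "role": "ap",
    "telnet_password": "admin",
    "ftp_user": "nortelWarp", "ftp_password": "nortelWarp",
    "image_ftp_user": "tl", "image_ftp_password": "testing",
}
PREPARED_AP = {
    "serial": "AP7220-CONSTRUCTED-0002", "role": "ap",
    "telnet_password": "<changed-placeholder>",
    "ftp_user": "wmn-cfg", "ftp_password": "<changed-placeholder>",
    "image_ftp_user": "wmn-img", "image_ftp_password": "<changed-placeholder>",
    "versioncheck": "on", "keep_alive": "00:08:00", "idle_timeout": "00:00:00",
    "ipsec_username": "ap7220-constructed-0002",
}
```

Run audit_fleet over the inventory export before the APs leave the bench; an AP @ NAP record should carry role "nap" so that its Keep Alive is checked against 00:00:30 rather than the 00:08:00 used for ordinary APs.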

Manually upgrading the Wireless AP 7220 software


New software can be manually downloaded to the Wireless AP 7220. To
configure the software upgrade subsystem
1 Start a Telnet session.
2 Enter swdld and press Enter.
3 Enter set server <IP address> and press Enter to set the IP address of the FTP
server where the new software is stored.
4 Enter set image <image name> and press Enter to set the name of the new
software image.
5 Enter set user <username> and press Enter to set the username.
6 Enter set passwd <password> and press Enter to set the password.
7 Enter set versioncheck <on> or <off> and press Enter to set the version
check during the software upgrade. (The default is on.)
8 Enter start and press Enter to start the upgrade process.
9 Enter status and press Enter to check the status of the download.
10 After the software upgrade has completed, enter exit and press Enter to exit
the software upgrade configuration.

You can enter show at anytime to display the configured parameters.

Software image information


You can view and set the name and version of the current and standby software
image on the Wireless AP 7220:
1 Start a Telnet session.
2 Enter imageinfo and press Enter.
3 Enter show and press Enter to display the current and standby software image
information.
4 Enter toggle and press Enter to automatically switch between the two
software images. (That is, the current software image becomes the standby
and the standby software image becomes the current image.)
5 Enter exit and press Enter to exit the imageinfo mode.

Configuring the DHCP user class


To configure the DHCP user class
1 Start a Telnet session.
2 Enter dhcp and press Enter.
3 Enter show and press Enter to display the current user class information.
4 Enter set userclass <class> and press Enter.
5 Enter exit and press Enter to exit the DHCP configuration.
Enter del to delete any configured user class.

Restarting a Wireless AP 7220


To restart a Wireless AP 7220
1 Start a Telnet session.
2 Enter reboot and press Enter.
3 Enter Yes to restart the Wireless AP 7220.

Configuring the Wireless AP 7220 location


To configure the Wireless AP 7220 information parameters
1 Start a Telnet session.
2 Enter set location <empty> and press Enter to set the physical location of the
Wireless AP 7220.
3 Enter set name <name> and press Enter to set the name of this particular
Wireless AP 7220.
4 Enter set contact <contact name> and press Enter to set a contact person for
this particular Wireless AP 7220.
5 Enter exit and press Enter to exit the Wireless AP 7220 configuration.

Configuring the access link


To configure the access link on a particular Wireless AP 7220
1 Start a Telnet session.
2 Enter al and press Enter.
3 Use the following commands to configure any or all of the parameters:
show current displays all the access link parameters
show default displays all the default access link parameters
reset all resets all the access link parameters with the default values
reset channel resets the access link channel with the default value
(The default is 6.)
reset ssid resets the access link SSID with the default value (The
default is WMN_AP7220.)
reset power resets the access link power level with the default value
(The default is 1.)
reset country resets the access link country code with the default
value (The default is US-UNITED_STATES.)
set channel <al_channel_number> sets the access link channel
number
Note: Channels 1 and 11 are unavailable. Nortel recommends using
channels 2 and 10.
set ssid <al_ssid> sets the SSID
set power <al_power> sets a new power level for the access link
4 Enter save and press Enter to save the new access link parameters. If you omit
this step, the modified access link parameters are not saved in the
configuration file.
5 Enter exit and press Enter to exit the access link configuration.
The new parameter values take effect only after a save command is executed.

Configuring the transit link


To configure the transit link on a particular Wireless AP 7220
1 Start a Telnet session.
2 Enter tl and press Enter.
3 Use the following commands to configure any or all of the parameters:
show current displays all the transit link parameters
show default displays all the default transit link parameters
reset all resets all the transit link parameters with the default values
reset anports resets the transit link antenna ports with the default
values (The default is 6,4,2,5,3,1,0.)
reset auxantdiv resets the auxiliary antenna to the default value (The
default is 0, diversity enabled.)
reset channels resets the transit link channels with the default values
(The default is 152,156,160,164,168,148.)
reset bssid resets the transit link BSSID with the default value (The
default is 006038DFCF87.)
reset minrssi resets the transit link min_rssi with the default value
(The default is 15.)
reset power resets the transit link power level with the default value
(The default is 1.)
reset country resets the transit link country code with the default
value (The default is US-UNITED_STATES.)
set channels <tl_channel_list> sets the transit link channel list. This
list is used to find all neighboring Wireless AP 7220s.
set antports <tl_antenna_port_list> sets the antenna port list. This list
is used by the link-discovery task to detect all neighboring Wireless
AP 7220s.
set auxantdiv <diversity_value> sets the auxiliary antenna diversity to
a specified value. The value can be one of the following:
0 diversity enabled (default)
1 use Aux1 for transmit and receive
2 use Aux2 for transmit and receive
set bssid <tl_bssid> sets the BSSID
set minirssi <tl_min_rssi> sets the TL_MIN_RSSI
set power <tl_power> sets a new power level for the transit link
listnb lists all neighboring Wireless AP 7220s
blocknb <index-in-neighborlist> blocks a neighboring Wireless AP
7220. A confirmation request is sent.
unblocknb <index-in-neighborlist> unblocks a neighboring Wireless
AP 7220. A confirmation request is sent.
tldrop <index-in-neighborlist> drops the transit link with a neighbor.
A confirmation request is sent.
4 Enter save and press Enter to save the new transit link parameters. If you omit
this step, the modified transit link parameters are not saved in the
configuration file.
5 Enter exit and press Enter to exit the transit link configuration.
For reset power and set power, the new parameter values take effect only after a
save command is executed. For all parameters except reset power and set power,
you must restart the Wireless AP 7220 for the new parameter values to take effect.

Enabling and configuring Wireless AP 7220 logging


Network managers must individually and manually configure each Wireless AP
7220 to

specify the level of events forwarded by each Wireless AP 7220 to the syslog
server
enable or disable the Wireless AP 7220 to send events to a Wireless Mesh
Network syslog server (using either ONMS or by CLI command)
specify the syslog server to which events are sent

Configuring the log subsystem


The log subsystem is local to the Wireless AP 7220 in flash memory. To configure
the log subsystem on a specific Wireless AP 7220
1 Start a Telnet session.
2 Enter log and press Enter.
3 Use the following commands to configure any or all of the parameters:
Global commands
erase erases the active log
filterreset disables all filters
ftpexport exports the active log as a text file using FTP
lock locks the active log. After this command is executed, all
subsequent incoming messages are ignored.
unlock unlocks the active log
readreset clears the Previous record was not read bit in flash
memory to allow the log to be saved before a reboot in case of a critical
failure.
set commands
set active {CURRENT | RESTORED} sets the active log to either
the current log or the restored log
set ftpaddr <FTP_IPaddress> sets the IP address of the FTP server to
which to export the log. For example, set ftpaddr 192.168.10.1.
Note: This parameter can't be changed until the Wireless AP 7220 is
rebooted.
set ftplogin <FTP_username> <FTP_password> sets the username and
password to connect to the FTP server
set size <byte_size> sets the size of the current log
set sizefilter <byte_size> sets the size of the filter
set taskfilter <taskname> sets the task filter to save only the events
associated with the specified task to flash memory
set sevfilter {HIGH | MEDIUM | LOW} sets the severity filter to
save only high, medium, or low severity log events to flash memory
set syslogfilter {HIGH | MEDIUM | LOW} sets the syslog filter to
forward only high, medium, or low severity events to the syslog server
show commands
show all displays the log records in the active log
show info displays general information about the active log
show filters displays the current log filter parameters
show tasklist displays a list of the tasks written to the active log
show task <taskname> displays all log records originating from a
specific task
show file <filename> displays all log records originating from a
specific source file
show severity {HIGH | MEDIUM | LOW} displays all log records
with the specified severity
show lastn <record_number> displays the last specified number of log
records
show period <period_X> <period_Y> displays all log records in the
specified time period.
4 Enter exit and press Enter to exit the log configuration.


Specifying the severity of Wireless AP 7220 events forwarded to syslog

The Wireless AP 7220 records events within its log subsystem software. Events
recorded are typically forwarded to a Wireless Mesh Network syslog server. You
can set the severity of events that each Wireless AP 7220 forwards.
To set the severity of events forwarded to the syslog server
1 Start a Telnet session to the Wireless AP 7220.
2 Enter log and press Enter to change to the log configuration mode.
3 Enter set sevfilter {HIGH | MEDIUM | LOW} and press Enter to set the
  severity of log events.
  Note: HIGH forwards only high severity events. MEDIUM forwards high and
  medium severity events. LOW forwards all events.

Enabling or disabling Wireless AP 7220 logging

In order for a Wireless AP 7220 to forward the events it records to a Wireless
Mesh Network syslog server, you must enable each Wireless AP 7220 to forward
the recorded events to the syslog server.
To enable or disable Wireless AP 7220 logging (using ONMS)
1 Start the ONMS InfoCenter application.
2 Select a Wireless AP 7220 icon on the network map.
3 Select Admin / Monitor Options.

Figure 66 Selecting a Wireless AP 7220 to enable logging

4 To enable Wireless AP 7220 logging, ensure the Syslog Registration checkbox
  in the Fault section of the Monitor Options screen is selected. Otherwise, to
  disable Wireless AP 7220 logging, ensure the Syslog Registration checkbox is
  unchecked.

Figure 67 The Monitor Options - Syslog Registration option

5 Click OK.

To enable or disable Wireless AP 7220 logging (using CLI command)
1 Start a Telnet session to the Wireless AP 7220.
2 Enter syslog and press Enter to change to the syslog configuration mode.
3 Enter enable and press Enter to enable logging. Otherwise, enter disable and
  press Enter to disable logging.


Specifying the syslog server

Typically, the Wireless Mesh Network syslog server to which Wireless AP 7220
events are logged is specified in the configuration file for Wireless AP 7220s,
which is saved on the FTP server and retrieved automatically as part of the
Wireless AP 7220 boot process.
Alternatively, network managers can set or change the syslog server using ONMS
ExpandedView, or by CLI commands.
To specify a syslog server by CLI commands
1 Start a Telnet session to the Wireless AP 7220.
2 Enter syslog and press Enter to change to the syslog configuration mode.
3 Enter set ip <syslog_IP_address> and press Enter to specify the IP address
  of the log server.

Upgrading the Wireless AP 7220 software

The Wireless AP 7220 software upgrade procedure is used to download new
Wireless AP 7220 software into flash memory. There are two methods you can
use to upgrade the Wireless AP 7220 software:
• pre-deployment method using the Ethernet link
• post-deployment method using the transit link

Optionally, you can manually upgrade the Wireless AP 7220 software. Refer to
Manually upgrading the Wireless AP 7220 software for more information.

Wireless AP 7220 pre-deployment software upgrade

To perform a pre-deployment software upgrade, the Wireless AP 7220 must have
a wired 10/100 BaseT Ethernet connection to a computer. An FTP server must be
configured at the computer. A connection between the Wireless AP 7220 and the
Ethernet hub is made using an RJ45 connector in the base of the Wireless AP
7220. If a hub is not used, a cross-over CAT5 cable is required.

Before starting the software upgrade, the following conditions must exist:
• the Wireless AP 7220 must have a working load in flash memory
• an FTP server must be set up on the computer
• the new software load must be stored on the FTP server
• your computer is configured to Ethernet IP address 192.168.10.1, subnet mask
  255.255.255.0

Command Line Interface (CLI) Wireless AP 7220 software download

To download the new software to the Wireless AP 7220
1 Power on the Wireless AP 7220. It is recommended to wait approximately
  three minutes to allow the Wireless AP 7220 to power up correctly.
2 On the computer, open a DOS prompt.
3 At the DOS prompt, enter telnet 192.168.10.2 and press Enter.
4 At the login prompt, enter admin and press Enter.
5 At the password prompt, enter admin and press Enter.
6 Enter imageinfo and press Enter.
7 Enter show and press Enter to verify the primary and secondary loads are
  stored in flash memory.
8 Enter exit and press Enter.
9 Enter swdld and press Enter.
10 Enter set image <filename.bin> and press Enter.
11 Enter set server 192.168.10.1 and press Enter.
12 Enter set versionCheck <value> and press Enter.
   Note: This parameter determines whether or not to allow an older (or
   same) version of the software load to be downloaded. If the <value> is
   set to OFF, no version checking is performed and an older version of the
   software can be downloaded.
13 Enter set user <username> and press Enter.
14 Enter set passwd <password> and press Enter.
15 Enter start and press Enter to start the software download.
16 After the software is downloaded (this should take about three minutes), a
   software download complete message appears.
   Note: A software download complete trap must also appear in the ONMS trap
   view.

Switching to the new Wireless AP 7220 software load

To switch to the new Wireless AP 7220 software load, first verify the new
software is stored as secondary in flash memory and then toggle to the new load:
1 Log onto the Wireless AP 7220 using the Telnet service. The default user is
  admin. The default password is admin.
2 At the AP7220# prompt, enter imageinfo and press Enter.
3 At the imageinfo# prompt, enter show and press Enter to verify the new
  software load is in secondary flash memory.
4 Enter toggle and press Enter to switch to the new software load.
5 Enter show and press Enter to verify the new software load is stored as
  primary in flash memory.
6 Enter exit and press Enter.
7 Enter logout and press Enter.

Rebooting the Wireless AP 7220

To reboot the Wireless AP 7220
1 Log onto the Wireless AP 7220 using the Telnet service. The default user is
  admin. The default password is admin.
2 At the AP7220# prompt, enter reboot and press Enter.

The Wireless AP 7220 reinitializes with the new software load.


Wireless AP 7220 post-deployment software upgrade

The following procedure must be used for all Wireless AP 7220s that have already
been deployed, have established transit links, and are reachable by the network
management center.
Before starting the software upgrade, the following conditions must exist:
• ONMS must be installed and running
• the ONMS fault summary must be open to view traps and faults
• the Wireless AP 7220 must already have an existing software load in flash
  memory

ONMS Wireless AP 7220 software download

The new Wireless AP 7220 software must be downloaded to all the existing
Wireless AP 7220s in the network before allowing any Wireless AP 7220 to
reboot with the new software load.
Note: You can use the CLI to perform this procedure. Refer to Command Line
Interface (CLI) Wireless AP 7220 software download for more information.
The software upgrade procedure
• ensures the new Wireless AP 7220 software load is stored in secondary flash
  memory
• prevents automatic Wireless AP 7220 reboot
• sets the manual reboot delay timer
• issues a manual reboot command to all the Wireless AP 7220s to initialize the
  new software load
Note: The manual reboot must always be started from the Wireless AP 7220
farthest in its topological position from the Wireless Access Point 7220 @ NAP.

The ExpandedView application of ONMS is used for Wireless AP 7220
configuration management. However, you can also use the CLI to perform this
procedure. Refer to Command Line Interface (CLI) Wireless AP 7220 software
download for more complete instructions on using the CLI to download new
software to the Wireless AP 7220.
To set the Wireless AP 7220 software download configuration using ONMS
1 Click Start / Programs / Optivity / ExpandedView.
2 Enter the username and password.
3 Enter the IP address of the Wireless AP 7220.
4 Click OK.
5 In the ExpandedView window for the Wireless AP 7220, right click on the
  Wireless AP 7220.
6 In the pop-up menu, select Software Download.
7 Select Software Download / Image Profile to verify the software load version.
8 Select Software Download / Toggle Image and confirm your choice to switch
  to the new software load.
9 You can determine whether or not to allow an older version of the software
  load to be downloaded. To allow an older version of the software to be
  downloaded, set the version check to off by selecting Software Download /
  Disable Version Check. Otherwise, set the version check to on by selecting
  Software Download / Enable Version Check.
10 Select Software Download / Configuration.
11 The Wireless AP 7220 Device Configuration window appears. Enter the
   appropriate information in the text boxes.
12 Select Software Download / Start Download to start the software download.
13 Select Software Download / Configuration to check the status of the
   download or to set configuration parameters such as Time2Reboot.
   Refer to Rebooting the Wireless AP 7220 for more information about starting
   the reboot delay timer.


Setting the delay timer

After the new software load has been downloaded successfully to all the Wireless
AP 7220s in the network, explicit commands are sent by ONMS to the Wireless
AP 7220s requesting a reboot after a specified delay. This delay must be long
enough to allow confirmations to be received from all the Wireless AP 7220s
even if retries are required.
To set the delay timer
1 Log onto each Wireless AP 7220 individually using the Telnet service. The
  default user is admin. The default password is admin.
2 At the AP7220# prompt, enter ShowRebootDelay and press Enter.
3 Enter SetBootDelay <value> and press Enter.

Each Wireless AP 7220 schedules the reboot to be performed after the specified
delay time and returns a message that the reboot command has been received and
the delayed reboot has been initiated. If no message is received, the reboot
command is reissued until a response is received. If no response is ever
received, the Wireless AP 7220 is deemed faulty.

Switching to the new Wireless AP 7220 software load

To switch to the new Wireless AP 7220 software load, first verify the new
software is stored as secondary in flash memory and then toggle to the new load:
1 Log onto the Wireless AP 7220 using the Telnet service. The default user is
  admin. The default password is admin.
2 At the AP7220# prompt, enter imageinfo and press Enter.
3 At the imageinfo# prompt, enter show and press Enter to verify the new
  software load is in secondary flash memory.
4 Enter toggle and press Enter to switch to the new software load.
5 Enter show and press Enter to verify the new software load is stored as
  primary in flash memory.
6 Enter exit and press Enter.
7 Enter logout and press Enter.



Starting the delay reboot

When all the Wireless AP 7220s are configured for the delay timer reboot and the
new software load is set to primary in flash memory, start the delay reboot:
1 Log onto the Wireless AP 7220 using the Telnet service. The default user is
  admin. The default password is admin.
2 At the AP7220# prompt, enter startRebootDelay and press Enter.

Load Redundancy in flash memory

The primary and secondary software loads in flash memory must be compatible.
Reverting to the secondary software load if the primary software load fails does
not ensure that the Wireless AP 7220 will regain connectivity to the network. In
this case, repeat the software download procedure (using either the CLI or
ONMS). Use the same software load stored in primary flash memory, but use a
different filename, as the same name will not be accepted.
Note: If the Wireless AP 7220 does not successfully initialize, use the
pre-deployment procedure to download a new software load into flash memory.

Configuring the Wireless AP 7220 for transit link authentication

To configure the Wireless AP 7220 for transit link authentication and encryption,
you need to have the serial number and common password for the Wireless AP
7220. The serial number is used as the Wireless AP 7220 username during transit
link authentication. The username in conjunction with the common password is
used to authenticate the Wireless AP 7220 by the RADIUS server.
Note: To obtain the serial number and password of the Wireless AP 7220, use
the show command from the tlauth submenu of the CLI.

Note: If you change the transit link authentication password, you must
update the accounts for the Wireless AP 7220 that reference this
password. (That is, the Wireless Gateway 7250 IPsec user account and the
primary and secondary RADIUS server accounts.) Use the KeyGen tool
as described in Appendix A, KeyGen tool. The KeyGen tool uses the
new transit link authentication password to generate the KeyGen output.
To set the Wireless AP 7220 common password
1 Start a Telnet application on the computer.
2 Establish a session with the Wireless AP 7220.
3 At the login prompt, enter admin and press Enter.
4 At the password prompt, enter admin and press Enter.
5 Enter tlauth and press Enter to change to the tlauth# prompt.
6 Enter set passwd <password> and press Enter to set the password.
7 Enter exit and press Enter.

Configuring the Simple Network Time Protocol (SNTP)

To configure the SNTP client
1 Start a Telnet session.
2 Enter sntp and press Enter.
3 Use the following commands to configure any or all of the parameters:
• disable changes the state of the SNTP client to disabled
• enable changes the state of the SNTP client to enabled
• set ip <ip> sets the IP address of the SNTP server
• set period <period> sets the interval in seconds (10 - 900) at which the
  SNTP server is polled
• show displays the current SNTP parameters
4 Enter exit and press Enter to exit the SNTP configuration.


Configuring the Simple / Secure Network Management Protocol (SNMP)

To configure SNMP
1 Start a Telnet session.
2 Enter snmp and press Enter.
3 Use the following commands to configure any or all of the parameters:
• set readCommunity sets the SNMP read community
• set writeCommunity sets the SNMP write community
• reset readCommunity resets the SNMP read community to the default value
• reset writeCommunity resets the SNMP write community to the default value
• show all displays all of the current SNMP parameters
• show readCommunity displays the value of the readCommunity parameter
• show writeCommunity displays the value of the writeCommunity parameter
4 Enter exit and press Enter to exit the SNMP configuration.

Configuring the RADIUS server shared secret

To configure the RADIUS server shared secret
1 Start a Telnet session.
2 Enter radius and press Enter.
3 Use the following commands to configure any or all of the parameters:
• set acct <ip_address> <secret> sets the RADIUS accounting server shared
  secret
• set auth <ip_address> <secret> sets the RADIUS authentication server
  shared secret
• del acct <ip_address> deletes the RADIUS accounting server shared secret
• del auth <ip_address> deletes the RADIUS authentication server shared
  secret
• show displays the current RADIUS server shared secrets
4 Enter exit and press Enter to exit the RADIUS server shared secret
  configuration.

Note: If you change the RADIUS server shared secret, remember to also
update the RAS client to reflect the new RADIUS shared secrets for
authentication and accounting. Otherwise, when the Wireless AP 7220
reboots, it may not authenticate the neighboring Wireless AP 7220s or
mobile nodes and may not deliver accounting information.

Configuring the DHCP server user class

To configure the DHCP server user class for the DHCP client
1 Start a Telnet session.
2 Enter dhcp and press Enter.
3 Use the following commands to configure any or all of the parameters:
• set userclass <userclass> sets the DHCP user class option for the DHCP
  client
• del deletes the DHCP user class
• show displays the current DHCP user class configuration
4 Enter exit and press Enter to exit the DHCP user class configuration.

Configuring the Subscriber Management Entity (SME)

The Subscriber Management Entity (SME) shows which tunnel a mobile node is
using on a given Wireless AP 7220. To configure the SME
1 Start a Telnet session.
2 Enter sme and press Enter.
3 Use the following commands to configure any or all of the parameters:
• addtunnel <tunnel_ID> adds a mapping of tunnel ID to the Subnet Selection
  Option (SSO)
• deltunnel <tunnel_ID> deletes a mapping of tunnel ID to the IP address
• show displays the current SME mapping of tunnel ID to the IP address
4 Enter exit and press Enter to exit the SME configuration.


Chapter 5
Accounting
Overview
The Wireless Access Point 7220 operates as a client of the RADIUS accounting
server. The Wireless AP 7220 is responsible for passing mobile node accounting
information to a designated RADIUS accounting server. The RADIUS accounting
server is responsible for receiving the accounting request and returning an
acknowledgment to the Wireless AP 7220.
In a basic Wireless Mesh Network environment, two types of mobile nodes can be
set in the RADIUS server. Robust Security Network Association (RSNA) mobile
nodes are tracked by the user name on the RADIUS server. Non-RSNA mobile
nodes (legacy devices) are all tracked under one user name (unknown).
Note: This chapter is not applicable to a Wireless Mesh Network that
uses captive portal-based accounting or that supports Inter-Wireless
Gateway 7250 roaming accounting.
In a basic Wireless Mesh Network environment, you can customize your existing
billing systems to leverage the accounting messages provided by the Wireless
Mesh Network.


Accounting server configurations

Figure 68 Accounting server configurations

The Wireless AP 7220 communicates with the RADIUS server through the IPsec
tunnel established through the Wireless Gateway 7250 that is identified during
Wireless AP 7220 initialization and configuration. The Wireless Gateway 7250
forwards the accounting information messages to and from the Wireless AP 7220
and RADIUS servers but doesn't retain or process any accounting information.
The following configurations are supported:
• Separate Authentication and Accounting servers: The Wireless AP 7220 must
  be configured with the address of both servers. Access-request packets are
  sent to the authentication server and accounting-request packets are sent to
  the accounting server.
• Integrated Authentication and Accounting server: The Wireless AP 7220 must
  be configured with the address of the combined server. Both access-request
  and accounting-request packets are sent to the RADIUS server.
• Primary and Secondary servers: The Network Operations Support Systems
  (NOSS) is configured with multiple servers that can assume the role of
  primary authentication server and/or accounting server in the event of a
  primary server failure. Any backup of information between the primary and
  secondary RADIUS servers is the responsibility of the NOSS and is hidden
  from the Wireless AP 7220. If the primary RADIUS server fails, the Wireless
  AP 7220 detects the failure and switches to the secondary RADIUS server.

Regardless of the type of server configuration, it is recommended that all
accounting servers use the standard RADIUS accounting port number 1813.
Using another port number can create conflicts with other services in the network.
The RADIUS server allows a common password for all the RADIUS clients
residing on the Wireless AP 7220s. Refer to Configuring the RADIUS server
for more information about configuring a user name and password for a new
Wireless AP 7220.

RADIUS server accounting attributes

The following section describes the supported RADIUS server accounting
attributes that are contained in the accounting request messages sent by the
Wireless AP 7220:

Table 7 Accounting attributes
(The On / Start / Stop columns of the original table, which mark the accounting
packet types in which each attribute appears, could not be recovered.)

Type | Attribute Name | Description
1 | User-Name | Identity of the user.
4 | NAS-IP-Address | Indicates the IP address of the Wireless AP 7220 requesting
  authentication of the mobile node.
5 | NAS-Port | Indicates the local identifier assigned by the Wireless AP 7220 to
  the mobile session.
8 | Framed-IP-Address | Indicates the IP address assigned to the mobile node.
30 | Called-Station-ID | Identifies the type of authentication used by the
  Wireless AP 7220 (that is, RSNA or non-RSNA) and the SSID used by the mobile
  node to connect to the Wireless AP 7220.
  This attribute is in the following format for RSNA devices: RSNA:<AP_SSID>
  This attribute is in the following format for non-RSNA (legacy) devices:
  OPEN:<AP_SSID>
31 | Calling-Station-ID | Indicates the MAC address of the mobile node.
40 | Acct-Status-Type | Identifies the type of accounting packet. It can be used
  to indicate
  • Accounting-On(7) sent by the Wireless AP 7220 after initialization when it
    is ready to accept mobile node traffic or after a Wireless Gateway 7250
    recovers.
  • Accounting-Start(1) sent by the Wireless AP 7220 after successful
    authentication of a mobile user.
  • Accounting-Stop(2) sent by the Wireless AP 7220 after it has disassociated
    from the mobile user.
41 | Acct-Delay-Time | Indicates the amount of time (in seconds) the Wireless AP
  7220 has been attempting to send the accounting packet.
44 | Acct-Session-ID | Uniquely identifies the mobile node session on the
  Wireless AP 7220. This attribute is in the following format:
  <AP_MACaddress><MN_MACaddress><session_sequence_number>
45 | Acct-Authentic | Indicates how the mobile node was authenticated. The value
  of this attribute is set to RADIUS(1).
49 | Acct-Terminate-Cause | Indicates how the mobile node session was terminated
  on the Wireless AP 7220. The cause can be one of the following
  • User Request(1) User requested termination of the session.
  • Lost Service(3) The service can no longer be provided.
  • Idle Timeout(4) Idle timer expired.
  • Session Timeout(5) Maximum session length timer expired.
  • Admin Reset(6) Administrator reset the port or session.
  • Admin Reboot(7) Administrator is ending service on the Wireless AP 7220.
  • Port Error(8) Wireless AP 7220 detected an error on the port that required
    ending the session.
  • NAS Error(9) Wireless AP 7220 detected an error (other than an error on
    the port) that required ending the session.
  • NAS Request(10) Wireless AP 7220 ended the session for a reason not
    related to an error.
  • NAS Reboot(11) Wireless AP 7220 ended the session due to a network crash.
  • Service Unavailable(15) Wireless AP 7220 was unable to provide the
    requested service.
  • User Error(17) User input error causing termination of the session.
  • Host Request(18) Wireless AP 7220 terminated the session normally.
50 | Acct-Multi-Session-ID | Uniquely links together multiple related sessions
  of a roaming mobile node. Each session has a unique Acct-Session-ID, but the
  same Acct-Multi-Session-ID. This attribute is in the following format:
  <AP_MACaddress><MN_MACaddress><session_sequence_number>
61 | NAS-Port-Type | Indicates the port type. This attribute is set to
  Wireless-IEEE 802.11 (19).


Tracking of services and resource usage


The Wireless Gateway 7250 tracks a mobile node by generating a multi-session
ID (MSID) when the mobile node first associates with the Wireless AP 7220. The
Wireless AP 7220 generates a new session ID (SID) for each mobile node
connection. In order for the RADIUS accounting server to log accounting
messages for a mobile node session that uses multiple Wireless AP 7220s (due to
mobility), the Wireless Gateway 7250 retains the MSID and passes it to the
relevant Wireless AP 7220s for inclusion in the subsequent RADIUS client
accounting messages.

Time-based accounting
Time-based accounting is based on the session duration of each user. It uses the
MSID generated for that user after authentication. When the MSID is generated, a
start message is sent to the RADIUS server. A stop message is sent when the user
session is terminated. The RADIUS server timestamps these start and stop
messages locally. Time-based accounting is achieved by calculating the delta
between the timestamp assigned to the start message and the timestamp assigned
to the stop message to determine the complete session length.
Since the MSID is used for an entire session, a mobile node can move easily
between one Wireless AP 7220 and another while maintaining accounting
information for the mobile user.
There can be multiple start and stop messages. Only the first start and last stop
message that have the same MSID should be used to calculate the session time.
The Acct-Delay-Time attribute in the start and stop messages should be taken into
account when calculating the session time.

Idle timeouts
An idle timeout interval is the number of seconds a mobile node can be idle before
the Wireless AP 7220 terminates the user session. The idle timeout interval is set
on the RADIUS server for each user. When a session is terminated due to an idle
timeout, the accounting stop message indicates the idle timeout in the
Acct-Terminate-Cause attribute. For time-based accounting, the idle timeout
interval value is subtracted from the session time if the session was terminated due
to an idle timeout.

When a user roams from one Wireless AP 7220 to another within the same
session, an accounting stop message is sent from the Wireless AP 7220 to the
RADIUS server after the specified idle time has been reached on the previous
Wireless AP 7220 or when the IPsec tunnel is manually torn down on the Wireless
Gateway 7250.
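The time-based accounting rules above (first start and last stop per MSID, Acct-Delay-Time correction, idle timeout subtraction) and the Called-Station-ID and Acct-Session-ID formats from Table 7, worked through in Python as an added example that is not part of the original document. The record layout, the "ts" receipt-time field, the 12-hex-digit MAC encoding inside the session IDs and all sample values are assumptions constructed for this example.

```python
"""Time-based accounting from RADIUS accounting records (added example).

Rules implemented from the text: group records by Acct-Multi-Session-ID (MSID),
use only the first Accounting-Start and the last Accounting-Stop of each MSID,
correct each server timestamp by Acct-Delay-Time, and subtract the per-user idle
timeout interval when the final Stop carries Acct-Terminate-Cause Idle Timeout.
The record layout ("ts" = server receipt time) and all sample values are
constructed for this example; they are not taken from the product.
"""

# Acct-Status-Type and Acct-Terminate-Cause values as listed in Table 7.
ACCT_ON, ACCT_START, ACCT_STOP = 7, 1, 2
CAUSE_IDLE_TIMEOUT = 4


def parse_called_station_id(value):
    """Split Called-Station-ID ('RSNA:<AP_SSID>' or 'OPEN:<AP_SSID>') into
    (authentication type, SSID). Any other prefix is rejected."""
    auth_type, sep, ssid = value.partition(":")
    if not sep or auth_type not in ("RSNA", "OPEN"):
        raise ValueError("unexpected Called-Station-ID: %r" % value)
    return auth_type, ssid


def parse_session_id(value):
    """Split Acct-Session-ID '<AP_MACaddress><MN_MACaddress><session_sequence_number>'.
    Assumption (not stated on the page): each MAC is 12 hex digits with no
    separators, so the sequence number is whatever follows the 24th character."""
    hexdigits = set("0123456789abcdefABCDEF")
    if len(value) <= 24 or not set(value[:24]) <= hexdigits or not value[24:].isdigit():
        raise ValueError("unexpected Acct-Session-ID: %r" % value)
    return {"ap_mac": value[:12].lower(), "mn_mac": value[12:24].lower(),
            "sequence": int(value[24:])}


def sent_time(record):
    """Server receipt time minus Acct-Delay-Time: when the AP first tried to send."""
    return record["ts"] - record.get("Acct-Delay-Time", 0)


def session_times(records, idle_timeouts):
    """Return {MSID: billable seconds}. An MSID with a Start but no Stop (AP or
    gateway failure) maps to None so the operator can apply the failure time.
    idle_timeouts maps User-Name to the idle timeout interval configured for
    that user on the RADIUS server."""
    starts, stops = {}, {}
    for rec in records:
        status = rec["Acct-Status-Type"]
        if status == ACCT_ON:
            continue  # Accounting-On marks AP readiness, not a user session
        msid = rec["Acct-Multi-Session-ID"]
        if status == ACCT_START:
            # Roaming produces further Starts; keep only the earliest one.
            if msid not in starts or sent_time(rec) < sent_time(starts[msid]):
                starts[msid] = rec
        elif status == ACCT_STOP:
            # The Stop sent by the previous AP after a roam is superseded.
            if msid not in stops or sent_time(rec) > sent_time(stops[msid]):
                stops[msid] = rec
    result = {}
    for msid, start in starts.items():
        stop = stops.get(msid)
        if stop is None:
            result[msid] = None
            continue
        seconds = sent_time(stop) - sent_time(start)
        if stop.get("Acct-Terminate-Cause") == CAUSE_IDLE_TIMEOUT:
            seconds -= idle_timeouts.get(start["User-Name"], 0)
        result[msid] = max(seconds, 0)
    return result


# Constructed sample: alice roams from AP1 to AP2 inside one MSID, the AP1 Stop
# arrives after its idle time expires, and bob's session never receives a Stop.
AP1, AP2, MN1, MN2 = "00a0c9000001", "00a0c9000002", "0011aabbcc01", "0011aabbcc02"
MSID_ALICE, MSID_BOB = AP1 + MN1 + "1", AP2 + MN2 + "1"
SAMPLE_RECORDS = [
    {"ts": 1000, "Acct-Status-Type": ACCT_ON, "NAS-IP-Address": "192.0.2.11"},
    {"ts": 1100, "Acct-Status-Type": ACCT_START, "Acct-Multi-Session-ID": MSID_ALICE,
     "Acct-Session-ID": AP1 + MN1 + "1", "Acct-Delay-Time": 0, "User-Name": "alice",
     "Called-Station-ID": "RSNA:MeshNet"},
    {"ts": 1400, "Acct-Status-Type": ACCT_START, "Acct-Multi-Session-ID": MSID_ALICE,
     "Acct-Session-ID": AP2 + MN1 + "1", "Acct-Delay-Time": 5, "User-Name": "alice",
     "Called-Station-ID": "RSNA:MeshNet"},
    {"ts": 1450, "Acct-Status-Type": ACCT_STOP, "Acct-Multi-Session-ID": MSID_ALICE,
     "Acct-Session-ID": AP1 + MN1 + "1", "Acct-Delay-Time": 0,
     "Acct-Terminate-Cause": CAUSE_IDLE_TIMEOUT},
    {"ts": 2010, "Acct-Status-Type": ACCT_STOP, "Acct-Multi-Session-ID": MSID_ALICE,
     "Acct-Session-ID": AP2 + MN1 + "1", "Acct-Delay-Time": 10,
     "Acct-Terminate-Cause": CAUSE_IDLE_TIMEOUT},
    {"ts": 3000, "Acct-Status-Type": ACCT_START, "Acct-Multi-Session-ID": MSID_BOB,
     "Acct-Session-ID": AP2 + MN2 + "1", "Acct-Delay-Time": 0, "User-Name": "bob",
     "Called-Station-ID": "OPEN:MeshNet"},
]
SAMPLE_IDLE_TIMEOUTS = {"alice": 300, "bob": 300}

if __name__ == "__main__":
    for msid, secs in session_times(SAMPLE_RECORDS, SAMPLE_IDLE_TIMEOUTS).items():
        print(msid, "open (apply failure time)" if secs is None else "%d s" % secs)
```

For alice the first Start was sent at 1100 and the last Stop at 2000 (2010 minus 10 s delay), so the 900 s session less the 300 s idle interval bills 600 s; the intermediate Stop from AP1 is ignored.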

Network failure
Four types of network failures that would affect accounting can occur:
• Wireless AP 7220 failure
• Wireless Gateway 7250 failure
• RADIUS server failure
• IPsec tunnel teardown

An accounting stop message is not sent if a Wireless AP 7220 fails. The network
operator must track the Wireless AP 7220 failure times to determine the
approximate termination time for each session.
A Wireless AP 7220 failure does not affect time-based accounting if the mobile
node is picked up by another Wireless AP 7220. In this case, the mobile node is
treated the same way as if it was roaming. If the mobile node does not connect to
another Wireless AP 7220 in the same network, the session remains tracked by the
Wireless Gateway 7250. The next time the mobile node authenticates, the
Wireless Gateway 7250 uses the same MSID.
A Wireless Gateway 7250 failure causes all user sessions to be terminated. No
stop messages can be sent to the RADIUS server. However, since all accounting
information is logged on the RADIUS server, all previous accounting information
is retained. The network operator must track all Wireless Gateway 7250 failure
times to determine the approximate termination time for each session.
A RADIUS server failure causes subsequent accounting messages to be lost.
There is no queuing on the Wireless AP 7220. To prevent losing the accounting
information, it is recommended that you configure a backup RADIUS server in
your network. Refer to Configuring the RADIUS server for more information.
The Wireless AP 7220 sends an Accounting-On message to the RADIUS server
when the Wireless Gateway 7250 recovers.

An IPsec tunnel teardown on the Wireless AP 7220 causes all existing sessions to
be terminated. In this case the Wireless AP 7220 reboots.

Fraud reporting
Fraud can possibly be detected when a new mobile node fails to authenticate. In
this case, no accounting message for this specific user is sent to the RADIUS
server. Refer to Quarantining unauthorized mobile nodes for more information.
In severe cases, an unauthorized mobile node can appropriate an authenticated
session. In this case, the session is terminated and a stop message is sent to the
RADIUS server. The mobile node is then quarantined from the Wireless AP 7220.
Refer to Security for more information.

Accounting traps
An accounting trap is sent when
• no RADIUS server is configured
• a Wireless AP 7220 fails to receive an accounting response from the RADIUS
  server after several retries
• the RADIUS server switches over (from primary to secondary)

Refer to Appendix H, Wireless Access Point 7220 traps for complete
information.

Chapter 6
Performance management
The Wireless Mesh Network collects statistics that describe network traffic and
usage. Understanding traffic flow in your Wireless Mesh Network, and balancing
traffic to eliminate over- and under-utilized segments can dramatically improve
the network performance. Over-utilized interfaces are potential bottlenecks;
under-utilized network segments may represent potential cost savings.

Optivity Network Management System (ONMS)

The Nortel Optivity Network Management System (ONMS) provides the
platform for performance management of the Wireless Mesh Network. ONMS
includes several applications that are useful for performance management tasks,
including:
• InfoCenter, to view your network resources and organize devices into logical
  groups (by device type, location, or other pertinent attributes) from which to
  collect performance statistics. InfoCenter provides a launch point for
  OmniView.
• OmniView, to view statistics for network resources in either tabular or
  graphic form. Information displayed by OmniView comes from SNMP agent
  software running on Wireless AP 7220s and Wireless Gateway 7250s of the
  Wireless Mesh Network.

For information about using ONMS tools and applications, refer to Using Optivity
NMS 10.2 Applications (207569-E).

Wireless Mesh Network Solution Reference

Collecting performance measurements

ONMS collects Wireless Mesh Network performance data by polling Wireless AP
7220s. Use ONMS to configure the polling interval; for more information see the
section on setting polling parameters in Using Optivity NMS 10.2 Applications
(207569-E).
ONMS collects the performance data using SNMP message exchanges with
SNMP agents running on Wireless AP 7220s. Software in the Wireless AP 7220
updates a set of performance-related objects that are pre-defined by Wireless AP
7220 MIBs:

• Wireless AP 7220 tracks performance data related to the Wireless AP 7220
  itself (for example, accumulated packet count, accumulated traffic offering)
• Transit Link Control tracks transit link performance metrics (for example,
  usage of transit link, queue size of a transit link, number of octets, number of
  packets in the transit link queue)
• Access Link Control tracks access link performance metrics (for example,
  number of authentication failures)

The ONMS OmniView application displays the following types of statistics
collected for Wireless AP 7220 performance measurement:

• Statistics defined by the Wireless Mesh Network-specific enterprise MIB:
  – Wireless AP 7220 statistics (Access Link Statistics; Mobile IP Statistics;
    Transit Link Activity statistics; and IPsec Activity statistics)
• Statistics defined by standard MIBs:
  – RADIUS Authentication statistics (General, Incoming, and Outgoing)
  – RADIUS Accounting statistics (General, Incoming, and Outgoing)
  – SNMP statistics (SNMP Engine, MPD, Target, and USM)
  – OSPF statistics (Area Table, Interface Events, and Neighbor Table)
  – MIB-II statistics (System, Interface, IP, ICMP, UDP, TCP, and SNMP)

Appendix G, Wireless Access Point 7220 performance statistics lists the
parameters counted for Wireless AP 7220 and standard performance
measurements.

ONMS also collects performance data from Wireless Gateway 7250s in the
Wireless Mesh Network as defined in the standard MIB for MIB-II statistics
(System, Interface, IP, ICMP, UDP, TCP, and SNMP statistics). The section
MIB-II statistics in Appendix G, Wireless Access Point 7220 performance
statistics lists the standard MIB-II parameters counted for Wireless Gateway
7250 performance measurements.

Reporting performance measurements

The ONMS OmniView application can report statistics as:

• Totals
• Deltas/Sec
• Peak Deltas/Sec
• Avg Deltas/Sec

For more information about ONMS tools for reporting performance
measurements, refer to Using Optivity NMS 10.2 Applications (207569-E).
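
The four report forms listed above are all derived from successive polls of the
same SNMP counter. The Python block below is an added worked example, not
code from this manual or from ONMS: it computes Totals, Deltas/Sec, Peak
Deltas/Sec and Avg Deltas/Sec from a constructed series of poll readings and
corrects for the wrap-around of a 32-bit Counter32 between two polls, which is
the usual cause of impossible rates in a performance report. Reading Totals as
the counter's current value, the Counter32 width and the sample readings are
all assumptions of the example.

```python
"""Compute the OmniView-style report forms (Totals, Deltas/Sec, Peak
Deltas/Sec, Avg Deltas/Sec) from a series of polled SNMP counter readings.

Added example, not code from the Nortel manual or from ONMS. The poll
samples are constructed, and the wrap handling assumes the polled object is
a 32-bit SNMP Counter32 (the type of the MIB-II interface octet counters).
"""
from dataclasses import dataclass
from typing import List, Tuple

COUNTER32_MODULUS = 2 ** 32   # assumption: the polled object is a Counter32


@dataclass
class CounterReport:
    total: int                    # Totals: counter value at the latest poll (assumed meaning)
    deltas_per_sec: List[float]   # Deltas/Sec: rate over each poll interval
    peak_delta_per_sec: float     # Peak Deltas/Sec: highest interval rate seen
    avg_delta_per_sec: float      # Avg Deltas/Sec: total increase over the whole span


def counter_delta(previous: int, current: int, modulus: int = COUNTER32_MODULUS) -> int:
    """Increase between two readings of a monotonically increasing counter.
    When the counter has wrapped, current < previous; without this correction
    the delta would be hugely negative and the rate meaningless. Assumes the
    poll interval is short enough for at most one wrap between polls."""
    if current >= previous:
        return current - previous
    return (modulus - previous) + current


def build_report(samples: List[Tuple[float, int]]) -> CounterReport:
    """samples: (timestamp in seconds, counter reading) pairs in poll order."""
    if len(samples) < 2:
        raise ValueError("at least two polls are needed to compute a rate")
    rates: List[float] = []
    total_increase = 0
    for (t0, c0), (t1, c1) in zip(samples, samples[1:]):
        elapsed = t1 - t0
        if elapsed <= 0:
            raise ValueError("poll timestamps must strictly increase")
        delta = counter_delta(c0, c1)
        total_increase += delta
        rates.append(delta / elapsed)
    span = samples[-1][0] - samples[0][0]
    return CounterReport(
        total=samples[-1][1],
        deltas_per_sec=rates,
        peak_delta_per_sec=max(rates),
        avg_delta_per_sec=total_increase / span,
    )


# Constructed readings of an octet counter polled every 60 s; the counter
# wraps past 2**32 between the second and third polls.
SAMPLE_POLLS: List[Tuple[float, int]] = [
    (0.0, 4_294_966_000),
    (60.0, 4_294_967_200),
    (120.0, 1_704),
    (180.0, 4_104),
]

if __name__ == "__main__":
    report = build_report(SAMPLE_POLLS)
    print("Totals:", report.total)
    print("Deltas/Sec:", report.deltas_per_sec)
    print("Peak Deltas/Sec:", report.peak_delta_per_sec)
    print("Avg Deltas/Sec:", report.avg_delta_per_sec)
```

Run the file directly to print the report for the embedded samples. A poll
interval long enough for a busy interface counter to wrap more than once makes
the delta unrecoverable, so the ONMS polling interval should stay well inside
the counter's wrap time.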

Analyzing performance measurements

The ONMS OmniView application provides tools for viewing and analyzing
Wireless Mesh Network performance data. OmniView allows you to:

• View collected statistics in tabular or graphical form (pie chart, line graph, or
  bar graph).
  Figure 69 shows an example of the OmniView GUI displaying Wireless AP
  7220 statistics for a Wireless AP 7220 in tabular form.
  Figure 70 shows an example of the OmniView GUI displaying Wireless AP
  7220 statistics for a Wireless AP 7220 in graphical form.
• Export collected statistics to files for archiving or for other processing.
• Import previously exported statistics into a graph window, in order to
  compare against other historical statistics (imported from previously archived
  statistics files) or current statistics.
• Update statistics for a monitored device to show the current status.
• Set a polling interval for all statistics or a selected subset of statistics.
• Clear a set of collected statistics.
• List all network elements or find a specific network element to view the
  collected statistics.
• Get descriptions of statistics displayed in a selected statistics pane. A MIB
  help window describes each performance parameter shown in a particular
  OmniView pane (see Figure 71).

OmniView allows users to create custom statistics panes to query and display the
data that is most important to them, and allows users to configure other options for
performing the above tasks.
For more information about ONMS tools for viewing and analyzing performance
measurements, refer to the chapter on monitoring devices with OmniView in
Using Optivity NMS 10.2 Applications (207569-E).
Figure 69 Example OmniView GUI displaying Wireless AP 7220 statistics tables

Figure 70 Example OmniView GUI displaying Wireless AP 7220 statistics graphs

Figure 71 Example OmniView MIB help window

Maintaining and analyzing logs

Network administrators should maintain a historical record of Wireless Mesh
Network performance by creating copies of performance statistics on a regular
schedule and saving them securely, separate from the NOSS. ONMS provides two
ways of saving Wireless Mesh Network performance statistics:

• Save statistics by printing to either HTML or ASCII files. This allows you to
  view saved statistics with any text editor or Web browser.
  For more information, see the procedure on saving statistics with print to file
  in Using Optivity NMS 10.2 Applications (207569-E).
• Export statistics to files so that you can review them later. You have two
  options for exporting statistics:
  – Export only the statistics that are currently in memory.
  – Export the statistics currently in memory, and continue adding statistics to
    the file until a specified number of samples have been collected.
  For more information, see the procedure on exporting statistics in Using
  Optivity NMS 10.2 Applications (207569-E).

Chapter 7
Security
Security in the Wireless Mesh Network serves to protect the Wireless Mesh
Network itself, authorize mobile subscriber access, and protect network and user
traffic. Security features of the Wireless Mesh Network include:

• authentication of Wireless AP 7220s
• authentication of subscriber mobile nodes (mobile nodes)
• security and privacy for user traffic
• security and privacy for Wireless Mesh Network control and management
  traffic

Security standards
The security practices implemented in the Wireless Mesh Network are compatible
with the Wi-Fi Protected Access (WPA) standard and IEEE standard 802.11i.

Security in the Wireless Mesh Network

Networks can be partitioned into private and public entities.
The private network consists of the network operator's private network, from the
Wireless Gateway 7250 to the NOSS and border gateway. The Wireless Mesh
Network assumes that the private network is a trusted environment where network
operators implement their own security mechanisms and practices. The Wireless
Mesh Network does not provide any security mechanisms for the private network.
The public network extends from the Wireless Gateway 7250 to the mobile node.
The Wireless Mesh Network solution assumes that the public network is an
untrusted environment; hence the Wireless Mesh Network solution provides
security mechanisms (IPsec tunnels, authentication, and encryption) to create a
trusted environment that protects user traffic, control traffic, and management
traffic.
Figure 72 shows the relationship of Wireless Mesh Network and other network
components to the private/public network entities.

Figure 72 Wireless Mesh Network and other network components relative to private and public
network entities

There are three main components to the Wireless Mesh Network security solution:

• Subscriber security
• Transit link security
• Network security

Subscriber security
Subscriber security between the mobile node (client) and the Wireless AP 7220
requires client authentication and provides client traffic encryption. It uses Wi-Fi
Protected Access (WPA). Figure 73 describes subscriber security in the Wireless
Mesh Network.
The Wireless AP 7220 authenticates subscribers using RSNA mobile nodes
against a subscriber database on the RADIUS authentication server.
Authentication for RSNA clients uses Extensible Authentication Protocol (EAP)
schemes (TLS, TTLS, and PEAP).
The Wireless Mesh Network can be configured to authenticate subscribers using
web-based authentication through the support of the captive portal re-direct
function on the Network Access Controller (NAC).
Regardless of the type of mobile node, operators can control mobile node access
to the Wireless Mesh Network based on the mobile node MAC address. The
Wireless Gateway 7250 is not involved in subscriber authentication.
Encryption for RSNA clients uses Temporal Key Integrity Protocol (TKIP) and
Advanced Encryption Standard (AES). Non-RSNA clients do not incorporate
encryption for traffic between the mobile node and the Wireless AP 7220; if
encryption is needed, it must be established separately (for example, through an
IP VPN tunnel).
An IPsec tunnel secures client traffic between the Wireless AP 7220 and the
Wireless Gateway 7250.

Figure 73 Subscriber security in the Wireless Mesh Network

Transit link security

Transit link security (for control traffic between neighboring Wireless AP 7220s)
requires Wireless AP 7220 authentication and provides control traffic encryption.
The Wireless Gateway 7250 is not involved in transit link security.
New Wireless AP 7220s joining the network authenticate in accordance with
IEEE standard 802.1X. This prevents a rogue access point from joining the
network, and prevents valid Wireless AP 7220s from joining rogue networks.
The transit link is protected with 128-bit encryption to secure routing and control
protocols passing between neighboring Wireless AP 7220s.
Figure 74 describes transit link security in the Wireless Mesh Network.

Figure 74 Transit link and network security in the Wireless Mesh Network

Network security
Network security between the Wireless AP 7220s and the Wireless Gateway 7250
uses an encrypted IPsec tunnel created between the Wireless Gateway 7250 and
each Wireless AP 7220. It carries all user, internal signaling, and OAM&P traffic.
Figure 74 describes network security in the Wireless Mesh Network.

AAA policy services

The Wireless Mesh Network implements policy-based AAA services through a
RADIUS server in the Network Operations Support System (NOSS), to control
security for both Wireless AP 7220s and mobile node subscribers. AAA policy
services for security include:

• Authenticating Wireless AP 7220s.
• Authenticating subscribers (mobile nodes).
• Monitoring the Wireless Mesh Network for security breaches, quarantining
  unauthorized mobile nodes attempting to log in, and notifying the NOSS of
  any attempted security breaches detected.

The RADIUS server used for authentication and authorization may be:

• Separate from the accounting server.
• Integrated with the accounting server.
• A primary and backup pair of servers (where a backup authentication server
  acts as a fallback in the event of a failure of the primary server).

Regardless of the server configuration, Nortel recommends using port number
1812 (the standard port for RADIUS authentication) for all authentication servers.
Using a different port number may create conflicts with other services in the
network. See Configuring the RADIUS server for more information.
Network operators implement their authentication policies by setting
authentication data (user name/password pairs) for Wireless AP 7220s and mobile
node subscribers in databases on the RADIUS server. For more information about
configuring a user name and password for a new Wireless AP 7220 or for creating
a user profile for a new mobile node subscriber, see Configuring the RADIUS
server.

Authenticating Wireless AP 7220s

Each Wireless AP 7220 must be authenticated when connecting to the Wireless
Mesh Network, to prevent an unauthorized Wireless AP 7220 (i.e. a Wireless AP
7220 belonging to a different Wireless Mesh Network) from connecting. The
Wireless AP 7220 user name and password must be previously configured in a
database on the RADIUS server. For more information about configuring a user
name and password for a new Wireless AP 7220, see Configuring Wireless AP
7220 user accounts.
Each Wireless AP 7220 communicates with the RADIUS server through a
specific Wireless Gateway 7250 that is designated during Wireless AP 7220
initialization. For more information, see Configuring the Wireless Gateway
7250.

Authenticating subscribers
Each subscriber (that is, mobile node) must be authenticated when connecting to
the Wireless Mesh Network. Authentication practices differ for RSNA and
non-RSNA enabled mobile nodes.

Authenticating subscribers using RSNA mobile nodes

Subscribers using an RSNA mobile node must be authenticated when connecting
to the Wireless Mesh Network, by matching to a profile stored locally on the
RADIUS server or by authentication through a remote server (using LDAP, SQL,
Windows NT, UNIX, etc.). When the subscriber is authenticated, a Tunnel-Id
stored in the profile is mapped by the Wireless AP 7220 to the Subnet Selection
Option (according to the Wireless AP 7220's earlier configuration), allowing the
DHCP Relay Agent in the Wireless AP 7220 to request a session IP address from
the DHCP server for the mobile node. Users with the same profile are assigned
the same Tunnel-Id. For more information about creating a user profile for a new
mobile node subscriber, see Configuring the RADIUS server.

Authenticating subscribers using non-RSNA devices

Subscribers using a non-RSNA enabled device are not authenticated by the
Wireless Mesh Network. To ensure the security of their Wireless Mesh Network,
network operators must implement their own authentication practices for
non-RSNA devices.
A default user name of UNKNOWN supports non-RSNA devices. This user
name is only for internal use by the Wireless Mesh Network. For more
information about creating a user profile for a mobile node subscriber using a
non-RSNA device, refer to the Called-Station-ID parameter described in the
section Configuring the RADIUS server.

Note: To ensure the security of their Wireless Mesh Network, network
operators who allow non-RSNA devices to connect must implement
their own authentication practices for the non-RSNA devices.
Non-RSNA devices are not authenticated by the Wireless Mesh
Network.

You can configure your Wireless Mesh Network so that subscribers are
authenticated through the captive portal on the Network Access Controller.
In this type of authentication, the mobile node associates with the Wireless AP
7220, which initiates a preliminary RADIUS authentication for the mobile node. A
Tunnel-ID stored in the profile is mapped by the Wireless AP 7220 to the Subnet
Selection Option (SSO), allowing the DHCP Relay Agent in the Wireless AP 7220
to request a session IP address from the DHCP server for the mobile node.
However, this preliminary RADIUS authentication only obtains basic
configuration information for the mobile node and is not the actual Wireless Mesh
Network authentication.
Once the mobile node obtains its session IP address, it can send an HTTP request.
The firewall on the Wireless Gateway 7250 intercepts the IP packet, identifies the
mobile node's IP address and forwards the IP packet to the appropriate NAC. The
NAC verifies that this mobile node has not yet been authenticated and redirects
the HTTP request to the appropriate web server. The web server establishes a
secured SSL session and sends the mobile node a customized web page to
exchange credential information such as a user ID, password, and billing
information. The web server verifies the mobile node's credential information
against the information on the RADIUS server. Once the mobile node's credential
information is accepted, the web server directs the NAC to trigger authentication
for the mobile node.

Quarantining unauthorized mobile nodes

The Wireless Mesh Network provides security against attempts to break into the
network by quarantining a mobile node after 5 consecutive authentication failures.
This feature quarantines either:

• An unauthorized mobile node that attempts to break into the network.
• A legitimate mobile node that presents incorrect authorization credentials.

Quarantining blocks a mobile node from authenticating through a specific
Wireless AP 7220 until the quarantine period expires. A mobile node quarantined
by one Wireless AP 7220 can still try to authenticate through another Wireless AP
7220 in the network.
The initial quarantine period is 300 seconds (5 minutes). For successive security
quarantines of the same mobile node-Wireless AP 7220 pair, the quarantine period
increases with each successive quarantine (5 minutes, 15 minutes, 30 minutes, 50
minutes, 75 minutes, etc.).
When a Wireless AP 7220 quarantines a mobile node, it sends an SNMP trap
containing the MAC address of the mobile node to ONMS. The Wireless AP 7220
sends a similar trap when the quarantine period expires. Wireless Mesh Network
performance management allows ONMS to query the number of mobile nodes
quarantined by each Wireless AP 7220.
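
As an added illustration (not Nortel code and not the Wireless AP 7220
implementation), the Python block below models the quarantine rule just
described: failures are counted per mobile node and Wireless AP 7220 pair, the
fifth consecutive failure starts a quarantine, the period escalates through the
values listed above, and a start event and an expiry event carrying the node's
MAC address stand in for the SNMP traps sent to ONMS. Periods beyond the
fifth quarantine follow the same growth pattern by assumption (the manual only
says "etc."), and the MAC addresses and AP names are constructed.

```python
"""Model of the quarantine rule described above: a mobile node that fails
authentication 5 times in a row at one Wireless AP 7220 is quarantined from
that AP, the period grows with each successive quarantine of the same
node/AP pair, and a notification carrying the node's MAC address is raised
when a quarantine starts and when it expires.

Added example for illustration; it is not Nortel code and does not reproduce
the Wireless AP 7220 implementation. Periods beyond the five listed in the
manual are extrapolated (an assumption), and the Event records are constructed
stand-ins for the SNMP traps the real AP sends to ONMS.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FAILURE_THRESHOLD = 5                     # consecutive failures before quarantine
LISTED_PERIODS_MIN = [5, 15, 30, 50, 75]  # periods given in the manual, in minutes


def quarantine_period_seconds(quarantine_count: int) -> int:
    """Length of the n-th (1-based) quarantine of a node/AP pair, in seconds.
    The first five values are the manual's. They equal 5 * n(n+1)/2 minutes,
    and that formula is assumed to continue beyond the fifth quarantine."""
    if quarantine_count < 1:
        raise ValueError("quarantine_count is 1-based")
    if quarantine_count <= len(LISTED_PERIODS_MIN):
        minutes = LISTED_PERIODS_MIN[quarantine_count - 1]
    else:
        minutes = 5 * quarantine_count * (quarantine_count + 1) // 2
    return minutes * 60


@dataclass
class PairState:
    consecutive_failures: int = 0
    quarantine_count: int = 0
    quarantined_until: Optional[float] = None


@dataclass
class Event:
    """Constructed stand-in for the quarantine start/expiry trap."""
    time: float
    kind: str                      # "QUARANTINE_START" or "QUARANTINE_EXPIRED"
    ap: str
    mac: str
    until: Optional[float] = None  # end of the quarantine, for START events


class QuarantineTracker:
    """Tracks authentication outcomes per (AP, mobile node MAC) pair."""

    def __init__(self) -> None:
        self.state: Dict[Tuple[str, str], PairState] = {}
        self.events: List[Event] = []

    def _pair(self, ap: str, mac: str) -> PairState:
        return self.state.setdefault((ap, mac), PairState())

    def is_quarantined(self, ap: str, mac: str, now: float) -> bool:
        """Report quarantine status, releasing the pair if its period is over."""
        st = self._pair(ap, mac)
        if st.quarantined_until is not None and now >= st.quarantined_until:
            st.quarantined_until = None
            self.events.append(Event(now, "QUARANTINE_EXPIRED", ap, mac))
        return st.quarantined_until is not None

    def record_auth(self, ap: str, mac: str, success: bool, now: float) -> str:
        """Feed one authentication outcome at one AP and return the decision:
        ACCEPTED, REJECTED (failure below threshold), QUARANTINED (this
        failure triggered a quarantine) or BLOCKED (already quarantined)."""
        if self.is_quarantined(ap, mac, now):
            return "BLOCKED"
        st = self._pair(ap, mac)
        if success:
            st.consecutive_failures = 0   # a success ends the run of failures
            return "ACCEPTED"
        st.consecutive_failures += 1
        if st.consecutive_failures < FAILURE_THRESHOLD:
            return "REJECTED"
        # Fifth consecutive failure: quarantine this pair, escalating the period.
        st.consecutive_failures = 0
        st.quarantine_count += 1
        st.quarantined_until = now + quarantine_period_seconds(st.quarantine_count)
        self.events.append(Event(now, "QUARANTINE_START", ap, mac, st.quarantined_until))
        return "QUARANTINED"

    def quarantined_count(self, ap: str, now: float) -> int:
        """Number of nodes an AP currently holds in quarantine (the figure
        ONMS can query from each Wireless AP 7220)."""
        return sum(1 for (a, m) in list(self.state)
                   if a == ap and self.is_quarantined(a, m, now))


if __name__ == "__main__":
    tracker = QuarantineTracker()
    node = "00:11:22:33:44:55"            # constructed MAC address
    for t in range(5):
        print(t, tracker.record_auth("ap-1", node, False, now=t))
    print("ap-2 still reachable:", not tracker.is_quarantined("ap-2", node, now=5))
    print("released at 304 s:", not tracker.is_quarantined("ap-1", node, now=304))
    for e in tracker.events:
        print(e)
```

Because state is keyed by the (AP, MAC) pair, the model reproduces the
manual's point that a node quarantined at one Wireless AP 7220 can still try
another; on the monitoring side, quarantine traps for the same MAC address
arriving from several APs within a short window are therefore the signal worth
correlating.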

Security alarms and event reporting

In the event of Wireless Mesh Network disruptions, the Wireless Mesh Network
sends SNMP traps to notify the Optivity Network Management System of the
disruption. Traps are sent to the ONMS when:

• The RADIUS client on the Wireless AP 7220 switches over to a different
  authentication server.
• The RADIUS client on the Wireless AP 7220 is unable to communicate with
  any authentication server, or the last authentication server has been removed.
• The RADIUS client on the Wireless AP 7220 restores communication with at
  least one authentication server.
• A mobile node is placed in or released from quarantine.

Appendix H, Wireless Access Point 7220 traps describes the security traps sent
to ONMS.

Security audit trails

The RADIUS server may provide security audit trails for the Wireless Mesh
Network, depending on the specific make and model of RADIUS server
implemented in your network. The Wireless Mesh Network provides client MIB
support to assist the RADIUS server to log a security audit trail. The RADIUS
server may log:

• A record of successful and failed login attempts.
• The identity of subscribers that successfully log in to the Wireless Mesh
  Network.
• The time when a subscriber logs in.
• The Wireless AP 7220 through which the subscriber logs in.

Chapter 8
Administration
Administration of a Wireless Mesh Network requires the network manager to:

• manage changes to network elements (adding and removing Wireless AP
  7220s, Wireless Gateway 7250s, and Network Access Point routers)
• maintain subscriber account information (adding, modifying or deleting
  subscribers)
• protect and maintain the network configuration (performing backup and
  restore maintenance tasks)

Administration of a Wireless Mesh Network described in this chapter refers to
regular, ongoing operational tasks, and assumes a pre-existing, functional
Wireless Mesh Network. Administration does not refer to establishing a Wireless
Mesh Network for the first time, nor to major replanning and redesign of an
existing network.

Tools and utilities

There are two sets of tools for administering a Wireless Mesh Network:

• generic NOSS tools used to administer data stored on the RADIUS, SNTP,
  FTP and DHCP servers
  These are tools specified by the customer's standard practices, or tools
  specific to the RADIUS, SNTP, FTP or DHCP server used in the Wireless
  Mesh Network. They are not specific to or supplied with the Wireless Mesh
  Network.
• specific tools supplied with the Wireless Mesh Network
  These tools are:
  – KeyGen, a Wireless Mesh Network tool used to generate the IPsec
    password when adding Wireless AP 7220s. Refer to Appendix A,
    KeyGen tool for more information.
  – ConfigVerify, a Wireless Mesh Network tool used for checking the
    syntax of the configuration file for Wireless AP 7220s in the network.
    For more information, refer to the online help provided with the tool.

Managing network changes

From time to time, network operators may need to change their Wireless Mesh
Network (to accommodate changing service needs) by adding, modifying, or
removing network elements. Network administrators change the Wireless Mesh
Network by updating configuration data on the DHCP, FTP, and RADIUS servers
in the NOSS.
Changing the Wireless Mesh Network means:

• Managing Wireless Access Point 7220s
• Managing Wireless Gateway 7250s
• Managing network access point routers (NAP-Rs)

Managing Wireless Access Point 7220s

Network operators can add, modify, or delete Wireless AP 7220s in their Wireless
Mesh Network by changing the individual Wireless AP 7220 accounts on the
RADIUS server, the DHCP server, and the Wireless Gateway 7250.
The Wireless Mesh Network uses an individual account on the RADIUS server
for each Wireless AP 7220 to authenticate the Wireless AP 7220 before it can
connect to the network. The Wireless AP 7220 account on the RADIUS server
contains a user name (the serial number of the Wireless AP 7220) and password
(the IPsec password generated separately by the KeyGen tool).
To add, modify, or delete a Wireless AP 7220, you must:

• Update the individual account of the Wireless AP 7220 in the RADIUS server
  database. For more information, see Configuring the RADIUS server.
• Update the individual account of the Wireless AP 7220 on the Wireless
  Gateway 7250. For more information, see Configuring IPsec parameters.
  – If adding the Wireless AP 7220 exceeds the Wireless Gateway 7250's
    pool of available IP addresses assignable to Wireless AP 7220s, you must
    update the pool of IP addresses available from the Wireless Gateway 7250.
    For more information, see Configuring Wireless AP 7220 user accounts
    and Configuring the Dynamic Host Configuration Protocol (DHCP)
    server.
  – If the Wireless AP 7220 serves as a Wireless AP 7220 @ NAP, it must be
    statically configured within the Wireless Mesh Network. For more
    information, see Configuring a Wireless AP 7220 @ NAP.
  – If reconfiguring some Wireless AP 7220 transit link parameters, you may
    need to reboot the Wireless AP 7220 (depending on the method used to
    reconfigure the parameter). To determine if you must reboot the Wireless
    AP 7220, see Table 8.

Table 8 Transit link parameters requiring Wireless AP 7220 reboot

                                    Reboot required?
Transit link parameter              (reconfigured by CLI)   (reconfigured by ONMS)
warpTLConfigAntennaPortAdminState   Required                Not required
warpTLConfigChannelAdminState       Required                Not required
warpTLDiscMinRSSI                   Required                Not required
warpTLAcumenBSSID                   Required                Required

    For more information about rebooting a Wireless AP 7220, see
    Rebooting the Wireless AP 7220, Restarting a Wireless AP 7220 (for
    immediate reboot) or Setting the delay timer and Starting the delay
    reboot (for time-delayed reboot).

Use generic NOSS tools (or server-specific tools provided with your servers) to
update the DHCP and RADIUS servers. Use Wireless Mesh Network tools to
configure the Wireless AP 7220s and Wireless Gateway 7250s.

Rebooting the Wireless AP 7220

At certain times it may be required to reboot a Wireless AP 7220. This procedure
involves resetting the reboot delay timer for that Wireless AP 7220. This can be
done through the ExpandedView application of ONMS. To reboot a Wireless AP
7220:

1 Click Start / Programs / Optivity / Expanded View.
2 Enter the user name and password.
3 Enter the IP address of the Wireless AP 7220.
4 Click OK.
5 In the ExpandedView window for the Wireless AP 7220, right-click on the
  Wireless AP 7220.
6 In the pop-up menu, select Software Download / Configuration.

Figure 75 Wireless AP 7220 device configuration screen

7 Verify the value of the RebootDelay field (displayed in seconds).
  a If the value of the RebootDelay field is sufficient, right-click on the
    Wireless AP 7220 in ExpandedView. Select Software Download / Start
    Reboot Delay.
  b If the value of the RebootDelay field is not sufficient, modify the value
    and click Apply. (The value must be greater than 0.)
8 Select Software Download / Start Reboot Delay to start the reboot delay
  timer.

Managing Wireless Gateway 7250s

Network administrators can only modify Wireless Gateway 7250s in their
Wireless Mesh Network, by changing information in the DHCP and FTP server
databases. You cannot add or delete Wireless Gateway 7250s; the current release
allows only one Wireless Gateway 7250 for each Community Access Network
(CAN), and the single Wireless Gateway 7250 is essential for the Wireless Mesh
Network to operate.

Caution: Modifying a Wireless Gateway 7250 causes a service outage
among the Wireless AP 7220s connected through the Wireless Gateway
7250.

The DHCP server defines the specific Wireless Gateway 7250 through which a
given set of Wireless AP 7220s connect to the Wireless Mesh Network; the FTP
server stores the file that configures a Wireless AP 7220 within the network.
When a Wireless Gateway 7250 is modified, you must update the DHCP server to
point the Wireless AP 7220s to the new Wireless Gateway 7250, and also
reconfigure the Wireless AP 7220s connecting through that Wireless Gateway
7250 (via the configuration file stored on the FTP server).
To modify a Wireless Gateway 7250, you must:

• Configure the IP address of the Wireless Gateway 7250 in the DHCP server
  database. For more information, see Configuring the Dynamic Host
  Configuration Protocol (DHCP) server.
• Update the Wireless AP 7220 configuration file on the FTP server to redefine
  the public IP address and the Home Agent IP address of the Wireless Gateway
  7250 through which the Wireless AP 7220s connect to the Wireless Mesh
  Network. For more information, see Configuring the FTP server.
• Configure the set of Wireless AP 7220s connecting through the new,
  modified, or deleted Wireless Gateway 7250. For more information, see
  Configuring the Wireless Gateway 7250.

Use generic NOSS tools (or server-specific tools provided with your servers) to
update the DHCP and FTP server databases.

Managing network access point routers (NAP-Rs)

Network operators can add, modify, or delete network access point routers
(NAP-Rs) in their Wireless Mesh Network. Network operators will typically add
or modify NAP-Rs to:

• replace a failed NAP-R
• add redundancy in the network
• balance the traffic load within the network

To add or modify a NAP-R, you must:

• Update the IP address of the NAP-R on the Wireless AP 7220 @ NAP.
• Configure OSPF on the NAP-R to ensure that the OSPF Area ID of the
  NAP-R matches the OSPF Area ID configured on the Wireless AP 7220s. For
  detailed information, refer to Configuring the NAP router.
• Ensure that the NAP-R is configured to propagate a default route to the
  Wireless Mesh Network. For detailed information, refer to Configuring the
  NAP router.

Any Wireless AP 7220s that connect through a deleted NAP-R are lost to the
network. If the network must retain any Wireless AP 7220s through an alternate
NAP-R, you must update the alternate NAP-R to support these Wireless AP
7220s. A Wireless Mesh Network requires at least one NAP-R.

Managing end users

Network administrators can manage end users to:

• allow/disallow a subscriber mobile node to connect
• control the VPN that a subscriber may use

Network operators manage end users with subscriber accounts on the RADIUS
server that permit subscriber access.
Use generic NOSS tools (or server-specific tools provided with your servers) to
update subscriber account information in the RADIUS server database. For more
information, see Configuring the RADIUS server.

Creating user accounts

Wireless Mesh Network operators must create a subscriber account on the
RADIUS server to permit a subscriber mobile node to authenticate.
The subscriber account must contain the following mandatory data:

• A user name/password pair sent by the mobile node to the RADIUS server to
  request authentication
• TunnelPrivateGroupID - a Wireless Mesh Network parameter that determines
  the VPN that the subscriber can access. The TunnelPrivateGroupID tells a
  Wireless AP 7220 the range of IP addresses the Wireless AP 7220 can assign
  to the calling mobile node, based on mapping defined in the Wireless AP
  7220's configuration file. Constraining the IP address used by a mobile node
  for a session constrains the VPN that a mobile node can access.
  You can change a subscriber's VPN by changing the subscriber's
  TunnelPrivateGroupID. You can change the VPN for a group of subscribers
  by remapping the range of IP addresses defined in the configuration file for
  Wireless AP 7220s.

The subscriber account may contain the following optional data:

• CalledStationID - an optional Wireless Mesh Network parameter used to
  restrict the Wireless AP 7220s through which the mobile node can connect to
  the network.
• IdleTimeOut - an optional Wireless Mesh Network parameter used to limit the
  mobile node's connection time with no traffic flow.
• CallingStationID - an optional Wireless Mesh Network parameter used to
  restrict which Wireless LAN cards can be used in the network. The
  CallingStationID must be set to the MAC address of the mobile nodes that are
  allowed to use the network.
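
The account fields listed above decide whether a mobile node is admitted and
which address range, and therefore which VPN, it can use. The Python block
below is an added example, not Nortel code and not any RADIUS server's
logic: it models the mandatory-field check, the CalledStationID and
CallingStationID restrictions, and the TunnelPrivateGroupID lookup against a
constructed version of the group-to-address-range mapping that the Wireless AP
7220 takes from its configuration file. Credential verification itself is outside
the model, and the account records, MAC addresses, AP names and address
ranges are all constructed.

```python
"""Model of the subscriber-account checks described above: which fields a
RADIUS subscriber account must carry, how the optional CalledStationID and
CallingStationID restrictions limit where and from which card a mobile node
may connect, and how the TunnelPrivateGroupID selects the address range (and
hence the VPN) the Wireless AP 7220 may assign from.

Added example, not Nortel code or the RADIUS server's logic. Account records,
the AP's group-to-pool mapping, AP names and MAC addresses are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Accepts colon- or hyphen-separated MAC addresses, as cards report them.
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")


def normalize_mac(mac: str) -> str:
    """Canonical lower-case, colon-separated form for comparisons."""
    return mac.replace("-", ":").lower()


@dataclass
class SubscriberAccount:
    user_name: str
    password: str                                   # present only to model the mandatory pair
    tunnel_private_group_id: str                    # mandatory: selects the address range / VPN
    called_station_id: Optional[List[str]] = None   # optional: APs the node may connect through
    idle_timeout: Optional[int] = None              # optional: seconds without traffic before drop
    calling_station_id: Optional[List[str]] = None  # optional: MACs allowed to use the account


def validate_account(acct: SubscriberAccount) -> List[str]:
    """Return the list of problems; an empty list means the account is usable."""
    problems: List[str] = []
    if not acct.user_name or not acct.password:
        problems.append("user name/password pair is mandatory")
    if not acct.tunnel_private_group_id:
        problems.append("TunnelPrivateGroupID is mandatory")
    if acct.idle_timeout is not None and acct.idle_timeout <= 0:
        problems.append("IdleTimeOut must be a positive number of seconds")
    for mac in acct.calling_station_id or []:
        if not MAC_RE.match(mac):
            problems.append(f"CallingStationID {mac!r} is not a MAC address")
    return problems


@dataclass
class Decision:
    allowed: bool
    reason: str
    pool: Optional[ipaddress.IPv4Network] = None    # range the AP may assign from


def authorize(acct: SubscriberAccount, ap_id: str, node_mac: str,
              group_to_pool: Dict[str, ipaddress.IPv4Network]) -> Decision:
    """Apply the optional restrictions, then map the group id to an address pool.
    group_to_pool stands in for the mapping in the AP's configuration file."""
    problems = validate_account(acct)
    if problems:
        return Decision(False, "; ".join(problems))
    if acct.called_station_id is not None and ap_id not in acct.called_station_id:
        return Decision(False, f"CalledStationID does not permit access through {ap_id}")
    if acct.calling_station_id is not None:
        allowed_macs = {normalize_mac(m) for m in acct.calling_station_id}
        if normalize_mac(node_mac) not in allowed_macs:
            return Decision(False, "CallingStationID does not permit this MAC address")
    pool = group_to_pool.get(acct.tunnel_private_group_id)
    if pool is None:
        return Decision(False, f"no address range mapped for group {acct.tunnel_private_group_id!r}")
    return Decision(True, "authorized", pool)


# Constructed AP configuration-file mapping and subscriber accounts.
GROUP_TO_POOL: Dict[str, ipaddress.IPv4Network] = {
    "corp": ipaddress.ip_network("10.10.0.0/24"),
    "guest": ipaddress.ip_network("10.20.0.0/24"),
}

ACCOUNTS: Dict[str, SubscriberAccount] = {
    "alice": SubscriberAccount("alice", "s3cret", "corp",
                               called_station_id=["ap-01", "ap-02"],
                               calling_station_id=["00:11:22:33:44:55"]),
    "guest1": SubscriberAccount("guest1", "welcome", "guest", idle_timeout=600),
    "broken": SubscriberAccount("broken", "pw", "", calling_station_id=["not-a-mac"]),
}

if __name__ == "__main__":
    for name, ap, mac in [("alice", "ap-01", "00-11-22-33-44-55"),
                          ("alice", "ap-09", "00:11:22:33:44:55"),
                          ("guest1", "ap-07", "aa:bb:cc:dd:ee:ff"),
                          ("broken", "ap-01", "00:11:22:33:44:55")]:
        d = authorize(ACCOUNTS[name], ap, mac, GROUP_TO_POOL)
        print(f"{name}@{ap} from {mac}: allowed={d.allowed} pool={d.pool} ({d.reason})")
```

The point the model makes visible is that changing a subscriber's VPN never
touches the subscriber's credentials: it is either a one-field change to
TunnelPrivateGroupID in the account or a change to the group-to-range mapping
that moves every subscriber in that group at once, exactly as the text above
describes.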

Modifying user accounts

Wireless Mesh Network operators can change the VPN that the mobile node
subscriber can access by altering the TunnelPrivateGroupID defined in the
subscriber account on the RADIUS server.

Deleting user accounts

Wireless Mesh Network operators can delete a subscriber account on the RADIUS
server to disallow mobile node subscriber authentication and prevent the user's
access to Wireless Mesh Network services.

Performing and managing backups


Wireless Mesh Network managers should maintain backups of their network data,
as a basis from which to restore the network to normal operation in case of
network operational problems or disasters. Back up a Wireless Mesh Network by
backing up the following Wireless Mesh Network data:

- Configuration data for Wireless AP 7220s and Wireless Gateway 7250s, stored
on the DHCP server in the NOSS.
- Configuration data for Wireless AP 7220s, stored on the FTP server in the
NOSS.
- Data describing authenticated Wireless AP 7220s, stored on the RADIUS
authentication server in the NOSS.
- Data describing authenticated subscribers, stored on the RADIUS
authentication server in the NOSS. In an Inter-Wireless Gateway 7250
roaming environment, this data is stored on the Network Access Controller.
- Accounting data, stored on the RADIUS accounting server in the NOSS.
- Data defining ONMS practices (for example, ONMS alarm filters, ONMS
data logged to files)

For detailed information about backing up Wireless Mesh Network data from
NOSS servers, refer to user documentation for the particular make and model of
DHCP, FTP, or RADIUS server employed in your Wireless Mesh Network.
Network managers must follow their own standard corporate practices for
maintaining suitable backups. Network managers should perform regular backups
of the Wireless Mesh Network databases when the Wireless Mesh Network is
running in a stable state, as a basis from which to restore the Wireless Mesh
Network to normal operation if it becomes corrupted. Network managers should
perform special backups of the Wireless Mesh Network databases before and after
making network changes (i.e., when adding or deleting Wireless AP 7220s,
Wireless AP 7220 @ NAPs, or Wireless Gateway 7250s). Wireless Mesh
Network managers should store backed up data at a secure site separate from the
NOSS site, to protect against complete corruption of the NOSS servers or
destruction of the NOSS servers and their environment.

Restoring from backups


Wireless Mesh Network managers can restore corrupted Wireless Mesh Network
data from a previous backup version.
For detailed information about restoring Wireless Mesh Network data from a
backup, refer to user documentation for the particular make and model of DHCP,
FTP, or RADIUS server employed in your network.


Appendix A
KeyGen tool
The KeyGen tool is a DOS-based password generation tool for the Wireless AP
7220s. This tool is used to generate a unique IPsec password for each Wireless AP
7220. The IPsec password is used when configuring new Wireless AP 7220 user
accounts on both the Wireless Gateway 7250 and the RADIUS server.
Refer to Before you begin for KeyGen software download and update
information.
Note: The KeyGen tool is case-sensitive. You must enter the Wireless
AP 7220 serial number exactly as it appears on the Wireless AP 7220.
To use the KeyGen tool:
1 Create an input file that contains a list of Wireless AP 7220 serial numbers.
Note: Each Wireless AP 7220 serial number must appear on a separate
line in the input file.
2 Initiate a DOS prompt on the computer.
3 Enter WAPKeyGenTool <input_filename> <output_filename>
<AP7220_common_password> and press Enter.

When the KeyGen tool has finished executing, the output file contains a list of
IPsec passwords (one per line) that directly map to the list in the input file.


Appendix B
Sample DHCP configuration file
#******** Sample configuration file for ISC dhcpd - dhcpd.conf ********
# Note: The information in this sample DHCP configuration file reflects the
# Inter-Wireless Gateway 7250 roaming and mobility network layout as described in
# Figure 8.
#*************** Start of DHCP configuration legend *******************
#
# DHCP Server: 192.168.30.11
# FTP Server and ONMS workstation: 192.168.30.13
# RADIUS Server: 192.168.30.12
#
# Wireless Gateway 7250
#   Public Interface IP: 30.0.30.1
#   Private Interface IP: 192.168.20.1
#   Priv. Mgmt Int. IP: 192.168.20.248
#
# In an Inter-Wireless Gateway 7250 roaming environment, include all
# Wireless Gateway 7250s
# Wireless Gateway 7250-2
#   Public Interface IP: 30.0.40.1
#   Private Interface IP: 192.168.20.2
#   Priv. Mgmt Int. IP: 192.168.20.249
#
# Wireless Gateway 7250-3
#   Public Interface IP: 30.0.50.1
#   Private Interface IP: 192.168.20.3
#   Priv. Mgmt Int. IP: 192.168.20.250
#
# In an Inter-Wireless Gateway 7250 roaming environment, include all
# Network Access Controllers
# Network Access Controller-1
#   Interface IP: 192.168.20.101
#   Private Interface IP: 192.168.80.1
#   Priv. Mgmt. Int. IP: 192.168.80.101
# Network Access Controller-2
#   Interface IP: 192.168.20.102
#   Private Interface IP: 192.168.80.2
#   Priv. Mgmt. Int. IP: 192.168.80.102
# Network Access Controller-3
#   Interface IP: 192.168.20.103
#   Private Interface IP: 192.168.80.3
#   Priv. Mgmt. Int. IP: 192.168.80.103
#
# In an Inter-Wireless Gateway 7250 roaming environment, include all
# Ethernet switches
# Ethernet switch-1
#   Interface IP: 192.168.20.0
#   Netmask: 255.255.255.0
#
# Subnets:
#   AP - Standalone (Extranet): 27.0.27.0
#   AP@NAP (Extranet): 27.0.27.4
#   Mobile Node: 192.168.40.0
#
# NAP-R
#   Facing WG7250: 30.0.30.2
#   Facing AP@NAP: 27.0.27.1
#
# OSPF Area ID: 10.0.0.0
#
# *************** End of DHCP configuration legend ********************
#
# The default lease times for IP addresses are measured in seconds.
default-lease-time 3660;
max-lease-time 3660;
#
# If this DHCP server is the official DHCP server for the local network, the
# authoritative directive should be uncommented.
authoritative;
# Use this to send dhcp log messages to a different log file (you also have to
# hack syslog.conf to complete the redirection).
log-facility local7;
# This is the subnet to which the DHCP server (192.168.30.11) belongs. dhcpd
# expects the network address here, not the server's own host address:
subnet 192.168.30.0 netmask 255.255.255.0 {
}
ddns-update-style none;
# This section is the vendor option space definition and is specific to the
# Wireless Mesh Network. It must be entered as:
# vendor option space definition
option space acumen;
option acumen.ospfareaid code 1 = ip-address;
option acumen.pgaddr code 2 = ip-address;
if option vendor-class-identifier = "Nortel" {
    vendor-option-space acumen;
}
#**************** Start of Declaration for all AP IP Addresses *****************
# This section is the subnet declaration of the AP extranet IP addresses
# (not the tunnel IP address).
# It contains:
#
# 1) the range of IP addresses for the APs.
# 2) option acumen.pgaddr, which is the Public IP address of the Wireless
#    Gateway.
# 3) The file name of the config file.
# 4) The IP address of the FTP server.
#
# Wireless AP 7220s in CAN 1:
subnet 27.0.27.0 netmask 255.255.255.0 {
    range 27.0.27.1 27.0.27.254;
    default-lease-time 9600;
    max-lease-time 9600;
    option acumen.ospfareaid 10.0.0.0;
    option acumen.pgaddr 30.0.30.1;
    option subnet-mask 255.255.255.255;
    filename "configFile.cfg";
    server-name "192.168.30.13"; # FTP server IP address
}
#
# Wireless AP 7220s in CAN 2:
subnet 27.0.37.0 netmask 255.255.255.0 {
    range 27.0.37.10 27.0.37.254;
    default-lease-time 9600;
    max-lease-time 9600;
    option acumen.ospfareaid 10.0.0.0;
    option acumen.pgaddr 30.0.40.1;
    option subnet-mask 255.255.255.255;
    filename "configFile.cfg";
    server-name "192.168.30.13"; # FTP server IP address
}
#
# Wireless AP 7220s in CAN 3:
subnet 27.0.47.0 netmask 255.255.255.0 {
    range 27.0.47.10 27.0.47.254;
    default-lease-time 9600;
    max-lease-time 9600;
    option acumen.ospfareaid 10.0.0.0;
    option acumen.pgaddr 30.0.50.1;
    option subnet-mask 255.255.255.255;
    filename "configFile.cfg";
    server-name "192.168.30.13"; # FTP server IP address
}
#
################################################################################
# This section is optional if you want to assign an IP address to any
# AP statically by creating a host declaration that contains each AP
# Ethernet MAC address.
# When the AP broadcasts for an IP address, the MAC address for that device
# will be allocated a specific IP address.
#
# The following parameters can be modified for each declared host.
# 1) AP or mobile node Ethernet MAC address
# 2) The fixed address of this AP or mobile node
#    (must be in the same subnet and outside the declared range values).
# 3) lease times.
#
# NOTE: This section is OPTIONAL
#
###############################################################################
host SA-AP-1 {
    hardware ethernet 00:02:b3:3c:16:95;
    fixed-address 27.0.27.5;
    option acumen.pgaddr 30.0.30.1;
    option subnet-mask 255.255.255.255;
    filename "configFile.cfg";
    server-name "192.168.30.13";
}
# Note: The Wireless AP 7220s download the configuration file from the FTP
# server.
#
################################################################################
# This section is optional if you want to assign a different set of
# configuration parameters to different groups of DHCP clients. That is, if you
# have two groups of Wireless AP 7220s (all of which get an IP address from the
# same subnet) and you want to assign a different configuration file to each
# group. For example, Group1 is assigned to the group1.cfg1 configuration file
# and Group2 is assigned to group2.cfg2. In this case, you can configure these
# two groups of Wireless AP 7220s with two different user classes (i.e. group1
# and group2, respectively). The DHCP server must also be configured to
# differentiate these Wireless AP 7220s using their user class values. For
# example,
#
# NOTE: This section is OPTIONAL
#
###############################################################################
class "group1" {
    match if option user-class = "group1";
}
class "group2" {
    match if option user-class = "group2";
}
subnet 192.168.10.0 netmask 255.255.255.0 {
    range 192.168.10.1 192.168.10.250;
    # The original sample's subnet-scope "fixed-address 192.168.1.173;" is
    # omitted here: fixed-address is only valid inside a host declaration.
    option subnet-mask 255.255.255.255;
    option acumen.ospfareaid 10.0.0.0;
    option acumen.pgaddr 192.168.20.1;
    server-name "192.168.4.40";
    pool {
        allow members of "group1";
        deny members of "group2";
        filename "group1.cfg";
    }
    pool {
        allow members of "group2";
        deny members of "group1";
        filename "group2.cfg";
    }
}
###############################################################################
#**************** END of Declaration for all AP IP Addresses *******************

#**************** Start of Space for allocation to Mobile Node ******************
#####################################################################
# This section is the subnet declaration of the Mobile Node IP addresses.
#
# It contains:
#
# 1) the range of IP addresses for the Mobile Nodes.
# 2) option routers
# 3) option mobile-ip-home-agent - IP of Wireless Gateway management port
#
# NOTE: This subnet must match the value of the subnet selection option defined
# in the [SubscriberGroup] block of the configuration file downloaded by APs.
#
# NAC-1 is the home Network Access Controller for all mobile nodes within the
# IP address range 10.1.1.1 to 10.1.1.254
#
# NAC-2 is the home Network Access Controller for all mobile nodes within the
# IP address range 10.1.11.1 to 10.1.11.254
#
# NAC-3 is the home Network Access Controller for all mobile nodes within the
# IP address range 10.1.21.1 to 10.1.21.254
#
################################################################################
subnet 10.1.0.0 netmask 255.255.0.0 {
    # Pool 1
    pool {
        range 10.1.1.1 10.1.1.128;
    }
    # Pool 2
    pool {
        range 10.1.11.1 10.1.11.128;
    }
    # Pool 3
    pool {
        range 10.1.21.1 10.1.21.128;
    }
    # Pool 4
    pool {
        range 10.1.1.129 10.1.1.254;
    }
    # Pool 5
    pool {
        range 10.1.11.129 10.1.11.254;
    }
    # Pool 6
    pool {
        range 10.1.21.129 10.1.21.254;
    }
    option routers 10.1.0.1;
    option subnet-mask 255.255.0.0;
    # The following option hides the DHCP server IP address from the mobile nodes.
    option dhcp-server-identifier 255.255.255.255;
    # The following option is the management interface of the Wireless Gateway 7250
    option mobile-ip-home-agent 192.168.20.248;
    default-lease-time 96000;
    max-lease-time 96000;

    ################################################################################
    # This section is optional if you want to assign an IP address to any
    # mobile node statically by creating a host declaration that contains each mobile
    # node Ethernet MAC address.
    #
    # When the mobile node broadcasts for an IP address, the MAC address for that
    # device is allocated to a specific IP address.
    #
    # The following parameters can be modified for each declared host.
    # 1) mobile node Ethernet MAC address
    # 2) The fixed address of this mobile node
    #    (must be in the same subnet and outside the declared range values).
    # 3) lease times.
    #
    # NOTE: This section is OPTIONAL
    #
    host MN-1 {
        hardware ethernet 00:02:b3:3c:16:95;
        fixed-address 192.168.40.60; # Unique address outside range.
    }
    host MN-2 {
        hardware ethernet 00:02:b3:3c:16:90;
        fixed-address 192.168.40.61;
        default-lease-time 196000;
        max-lease-time 196000;
    }
}
#********* END of Sample configuration file for ISC dhcpd - dhcpd.conf *********#
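The host declarations in this file are only meaningful when each fixed-address lies inside a declared subnet and outside that subnet's dynamic ranges (the rule the comments above state) and no two hosts share a MAC. As an added example that is not part of the Nortel document, the following Python lints a dhcpd.conf for exactly those rules; it understands only the subset of ISC dhcpd syntax the sample uses, and the embedded SAMPLE is a constructed excerpt of the file above.

```python
"""Lint a Wireless Mesh Network dhcpd.conf for host/subnet consistency.

Added example, not part of the Nortel document. Understands only the subset
of ISC dhcpd syntax the sample uses: subnet/range/pool/host/fixed-address/
hardware ethernet. Other statements are skipped; brace balance is checked.
"""
import ipaddress
import re


def tokenize(text):
    """Drop '#' comments, then split into words with '{', '}' and ';' as tokens."""
    code = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    return re.sub(r"([{};])", r" \1 ", code).split()


def enclosing(stack, kind):
    """Innermost open block of a kind (a range inside a pool still belongs
    to the subnet that encloses the pool)."""
    for block in reversed(stack):
        if block["kind"] == kind:
            return block
    raise ValueError(f"statement outside any {kind} block")


def parse(text):
    """Return (subnets, hosts) in file order as lists of dicts."""
    toks = tokenize(text)
    subnets, hosts, stack, pending = [], [], [], None
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "{":                      # open the block the last keyword announced
            stack.append(pending or {"kind": "other"})
            pending = None
        elif t == "}":
            if not stack:
                raise ValueError("unbalanced '}'")
            stack.pop()
        elif t == "subnet":               # subnet A netmask M {
            net = ipaddress.ip_network(f"{toks[i + 1]}/{toks[i + 3]}", strict=False)
            pending = {"kind": "subnet", "net": net, "ranges": []}
            subnets.append(pending)
            i += 3
        elif t == "host":                 # host NAME {
            pending = {"kind": "host", "name": toks[i + 1], "mac": None, "fixed": None}
            hosts.append(pending)
            i += 1
        elif t == "range":                # range LO HI ;
            lo, hi = ipaddress.ip_address(toks[i + 1]), ipaddress.ip_address(toks[i + 2])
            enclosing(stack, "subnet")["ranges"].append((lo, hi))
            i += 2
        elif t == "hardware" and toks[i + 1] == "ethernet":
            enclosing(stack, "host")["mac"] = toks[i + 2].lower()
            i += 2
        elif t == "fixed-address":
            enclosing(stack, "host")["fixed"] = ipaddress.ip_address(toks[i + 1])
            i += 1
        i += 1
    if stack:
        raise ValueError("unbalanced '{'")
    return subnets, hosts


def lint(text):
    """Problems found in the config; an empty list means it is consistent."""
    subnets, hosts = parse(text)
    problems, seen_macs = [], {}
    for s in subnets:
        for lo, hi in s["ranges"]:
            if lo not in s["net"] or hi not in s["net"]:
                problems.append(f"range {lo}-{hi} is not inside subnet {s['net']}")
    for h in hosts:
        # Two host declarations with one MAC: only one of them can ever match.
        if h["mac"] in seen_macs:
            problems.append(f"{h['name']}: MAC {h['mac']} already used by {seen_macs[h['mac']]}")
        elif h["mac"]:
            seen_macs[h["mac"]] = h["name"]
        if h["fixed"] is None:
            continue
        homes = [s for s in subnets if h["fixed"] in s["net"]]
        if not homes:
            problems.append(f"{h['name']}: fixed-address {h['fixed']} is in no declared subnet")
        for s in homes:
            for lo, hi in s["ranges"]:
                if lo <= h["fixed"] <= hi:
                    problems.append(f"{h['name']}: fixed-address {h['fixed']} lies inside "
                                    f"dynamic range {lo}-{hi} of {s['net']}")
    return problems


# Constructed excerpt of the sample dhcpd.conf above (declarations only).
SAMPLE = """
subnet 27.0.27.0 netmask 255.255.255.0 {
    range 27.0.27.1 27.0.27.254;
    option acumen.pgaddr 30.0.30.1;
}
host SA-AP-1 {
    hardware ethernet 00:02:b3:3c:16:95;
    fixed-address 27.0.27.5;
}
subnet 10.1.0.0 netmask 255.255.0.0 {
    pool { range 10.1.1.1 10.1.1.128; }
    option routers 10.1.0.1;
    host MN-1 {
        hardware ethernet 00:02:b3:3c:16:95;
        fixed-address 192.168.40.60;  # outside the range, but also outside the subnet
    }
}
"""
```

On that excerpt it reports three findings that the printed sample itself contains: 27.0.27.5 (SA-AP-1) is inside range 27.0.27.1-27.0.27.254, 192.168.40.60 (MN-1) is in no declared subnet, and MAC 00:02:b3:3c:16:95 is given to both hosts.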


Appendix C
FTP server user permissions
Modifying FTP server user permissions
To allow access to the Wireless Gateway 7250 software, modify the user
permissions:
1 Select File Access / Add.
2 Enter the path. For example, the default path C:\PG.
3 Click OK.
4 Set the access permissions by highlighting the path. For example, C:\PG.
5 Check the Root, Home, Mapping, and Recursive tick-boxes. By default, the
Files and Directory boxes should be checked.
6 Select Properties / Start service to start the FTP service.


Appendix D
Sample NAP router configuration
The following commands can be used to configure a Passport 5430 as a NAP
router:

Configure Global parameters

[ASN]$ bcc                                (Go to command mode)
bcc> config                               (Enter configure mode)
stack# telnet
telnet# server                            (Enable Telnet Server to allow
                                          incoming telnet)
server# prompt {[NAP-R-5430$ }            (Configure Telnet Server Login
                                          Prompt)
server# client                            (Enable Telnet Client to allow
                                          outgoing telnet)
client# prompt {[NAP-R-5430$ }            (Configure Telnet Server Login
                                          Prompt)
console/1# prompt {[NAP-R-5430$ }         (Configure console Login Prompt)
console/1# ftp                            (Enable FTP daemon)
ftp# ip

Configure IP Global parameters

ip# all-subnets ena                       (allow all zero broadcast subnet to
                                          be used)
ip# classless ena                         (activate default route)
ip# ospf
ospf# router-id 10.0.4.1                  (configure OSPF router id; NAP-R
                                          interface towards the
                                          Wireless AP 7220 @ NAP)
ospf# area 10.0.0.0                       (create OSPF area 10.0.0.0 for
                                          Software Release 1.00 and 1.01)
ospf/10.0.0.0# stub-metric 50

Configure Ethernet Port 1/4/1 which connects to the Wireless Gateway 7250s
public interface & NOSS

area/10.0.0.0# ether 1/4/1                <Use the corresponding interface
                                          on the PP5430>
ether1/4/1# ip address 192.168.10.253 mask 255.255.255.0
ip/192.168.10.253/255.255.255.0# host-cache-aging cache-120
                                          (By default, the Nortel router won't
                                          flush the ARP table; this command
                                          changes the aging timer to 2
                                          minutes)

Configure Ethernet port 1/3/1 which connects to the NAP-R

# ether 1/3/1                             <Change to the port facing the
                                          Wireless AP 7220 @ NAP>
ethernet/1/3/1# ip address 10.0.4.1 mask 255.255.255.0
ip/10.0.4.1/255.255.255.0# host-cache-aging cache-120
relay-agent/10.0.4.1/192.168.10.253# back; back; back
stack# ip
ip# static-route 0.0.0.0/0.0.0.0/192.168.10.254    (configure default route)
ip/0.0.0.0/0.0.0.0/192.168.10.254# exit
bcc> exit


Appendix E
Sample NAC configuration
The following commands can be used to configure a Nortel Wireless Secure
Switch (WSS) 2250 as a NAC:
To configure the ARP cache size and ARP Age Out Time
1 Log on to the WSS 2250 as root.
2 At the prompt, go to the /osconfig/etc directory.
3 Create a copy of the sysctl.conf file. For example, enter cp sysctl.conf
sysctl.conf.orig and press Enter.
4 Initiate the file editor for the sysctl.conf file.
5 Add the ARP cache size parameters to the sysctl.conf file. For example, if the
WSS 2250 supports 2000 subscribers (set the ARP cache size to roughly two
times the target number of subscribers), enter the following:
net.ipv4.neigh.default.gc_thresh1=4000
net.ipv4.neigh.default.gc_thresh2=4000
net.ipv4.neigh.default.gc_thresh3=4000
6 Save the sysctl.conf file.

Note: If the number of ARP entries is exhausted, any new ARP requests
are ignored by the WSS 2250 and no new entry is added to the ARP
cache.

7 Create another copy of the sysctl.conf file. For example, enter cp sysctl.conf
sysctl.conf.orig and press Enter.
8 Initiate the file editor for the sysctl.conf file.
9 Add the ARP Age Out Time parameter to the sysctl.conf file. It is
recommended that you set the ARP Age Out Time to one and a half times the
value of the mobile node's session-idle-timeout value set in the RADIUS
server. For example, if the mobile node's session-idle-timeout value is set to 5
minutes (300 seconds), set the ARP parameter to 450:
#
# Tuning parameters for Inter-Wireless Gateway 7250 roaming
#
net.ipv4.neigh.default.gc_stale_time=450
#
# Ensure all other interfaces use their default value of
# 60 seconds.
#
net.ipv4.neigh.eth0.gc_stale_time=60
net.ipv4.neigh.eth1.gc_stale_time=60
net.ipv4.neigh.eth2.gc_stale_time=60
net.ipv4.neigh.eth3.gc_stale_time=60
net.ipv4.neigh.eth4.gc_stale_time=60
net.ipv4.neigh.eth5.gc_stale_time=60
net.ipv4.neigh.lo.gc_stale_time=60
net.ipv4.neigh.eoip0.gc_stale_time=60
net.ipv4.neigh.imq0.gc_stale_time=60
net.ipv4.neigh.imq1.gc_stale_time=60
net.ipv4.neigh.zrm.gc_stale_time=60
net.ipv4.neigh.dummy0.gc_stale_time=60
10 Save the sysctl.conf file.
11 Reboot the WSS 2250.
12 After the WSS 2250 has rebooted, enter sysctl -a | grep gc_ and press Enter.
This command verifies that the new ARP configuration parameters are in
effect.

To configure the ARP web portal URL
1 Start a Telnet session on the WSS 2250.
2 Enter admin and press Enter at the login prompt.
3 Enter the password and press Enter at the password prompt.
4 Configure the WSS 2250 to allow pass-through to the PAS server. For
example,
/cfg/wss/fw/captive
redir <PAS_server_IP>/pas/compat/demo/plain?loginurl=https://<WSS_virtualIP>/login_post.yaws
5 Log out of the Telnet session.

To configure a static route for any mobile node that is not advertised by the NAC
1 Start a Telnet session on the WSS 2250.
2 Enter admin and press Enter at the login prompt.
3 Enter the password and press Enter at the password prompt.
4 Add a static route for all the mobile node subnets not advertised by the NAC
to forward the mobile node traffic to the next router. For example,
/cfg/sys/routes list
/cfg/sys/routes add


Appendix F
Sample FTP configuration file
#******************** Sample FTP Configuration File for AP 7220 **************
#
# This file maintains all the parameters that must be dynamically provided to an
# initializing AP 7220.
# There are several sections to the file. Each block contains information about
# the named section for each software module that must be configured on the AP.
# Logically, each block is composed of a series of entries, with each entry
# starting with an identifier and ending with the identifier for the next entry
# or the beginning of the next block.
# Note: The information in this sample FTP configuration file reflects the basic
# network layout as described in Figure 7.
# The current list of supported blocks is:
# 1. [radius]
# 2. [dhcp]
# 3. [pgHa]
# 4. [subscriberGroup]
# 5. [nms]
# 6. [AccessLinkip]
# 7. [wpa]
# 8. [nonrsna]
# 9. [sntp]
# 10. [syslog]
# 11. [accessLink]
# 12. [eventlog]
# 13. [TL pruning]
# 14. [interwirelessgateway]

# Configuration parameters for RADIUS Client on AP 7220
[radius]
PrimaryAccountingServer = 192.168.30.12:1813
#SecondaryAccountingServer = 192.168.30.10:1813
PrimaryAuthenticationServer = 192.168.30.12:1812
#SecondaryAuthenticationServer = 192.168.30.10:1812
# Configuration parameters for the DHCP Relay Agent
# The AP7220 may act as DHCP relay for forwarding the DHCP requests
# from the other neighboring AP7220s as well as for the mobile nodes.
# This field configures the DHCP server address used by the AP 7220 relay.
[dhcp]
WarpPrimaryDhcp = 192.168.30.11
MnPrimaryDhcp = 192.168.30.11
# Configuration parameters for Wireless Gateway 7250 and Home Agent (HA) Mapping
# This block defines the mapping between the Wireless Gateway intranet & extranet
# IP addresses.
[pgHa]
PgAddrAndHaAddr = 30.0.30.1,192.168.20.248
# In this example 30.0.30.1 is the intranet IP address & 192.168.20.248 is the
# extranet IP address.
# Configuration parameters for Subscriber Group Mapping
[subscriberGroup]
MnSubnetAndTunnelId = 192.168.40.0,ISP1
Status = 1
# The above block illustrates the mapping between tunnel ID, the subnet selection
# option (SSO) & whether the access link is enabled or disabled (1 or 0). The
# above example of tunnel ID "ISP1" denotes the name of the SSID that mobile
# nodes will use. The IP address 192.168.40.0 denotes the IP subnet to
# which the mobile nodes belong.
[nms]
nmsIpAddr = 192.168.30.13
# IP address of the network management station where SNMP traps are sent.
# Only 1 IP address is supported.
[AccessLinkIP]
AccessLinkIp = 192.168.40.9,255.255.255.0
# Access Link (AL) IP address of the AP to be used by the mobile node
[nonrsna]
NonRsna=1
# authentication method for mobile nodes
# user type definition for authentication purposes i.e. RSNA (wpa) or non-RSNA
# (legacy devices)
[wpa]
wpa=1
# [sntp]
# SntpServer = 192.168.30.14
[syslog]
SyslogServer = 192.168.30.13
[accessLink]
mode = 802.11b
SubnetaddrAndMask= 192.168.30.0,255.255.255.0
# The mode parameter can either be set to 802.11b or 802.11g. The default is
# 802.11g.
#
# Packets received from the access link and destined to any of these addresses
# are blocked by the Wireless AP 7220. The format of the block is as follows:
#
# SubnetaddrAndMask=w.x.y.z,a.b.c.d
#
# where w.x.y.z is an IP address or network address and a.b.c.d is the netmask
# corresponding to that IP address. There can be multiple entries of addresses to
# filter in this block with each new address specified on a new line.

[eventlog]
OverWriteAlways=1
AutoFTPLog=1
# Enabling this flag sends a logfile from the Wireless AP 7220 to the FTP server
# upon reboot of the Wireless AP 7220. This logfile contains events that occurred
# on the Wireless AP # 7220 prior to the reboot. The AutoFTPlog parameter
# determines if automatic FTP logging is enabled or disabled. The OverWriteAlways
# parameter determines whether or not existing log files are overwritten with new
# log files. It is recommended not to overwrite the log files.
#
# The value for OverWriteAlways and AutoFTPLog is as follows:
# 0 = false
# 1 = true

# TL Pruning is a feature where at config time we force certain AP neighbors not
# to talk to each other in order to "prune" our network. TL Pruning is a method to
# implement a non-full mesh network.
# "WarpId" represents the Ethernet MAC address of the Wireless AP 7220 enforcing
# the pruning rules.
# "Neighborblocklist" is the list of neighboring AP MAC addresses which need to
# be blocked.
# "neighborMac" is the TL MAC address of the neighbor AP you wish to block
#WARP ID=1
[neighborblocklist]
WarpId=00:60:38:df:cf:6e
neighborMac=00:60:38:15:ce:42
neighborMac=00:60:38:15:ce:a8
neighborMac=00:0a:5e:97:d2:0f
#WARP ID=2
[neighborblocklist]

WarpId=00:60:38:15:cd:b3
neighborMac=00:60:38:df:cf:44
neighborMac=00:60:38:15:cd:b2
neighborMac=00:60:38:df:cf:2b
neighborMac=00:60:38:df:cf:5b
neighborMac=00:60:38:15:cd:b9
neighborMac=00:60:38:df:cf:47
neighborMac=00:60:38:15:cd:be
neighborMac=00:60:38:15:cd:af
[interwirelessgateway]
Interwirelessgateway=1
# The interwirelessgateway attribute enables Inter-Wireless Gateway 7250 roaming
# on the Wireless AP 7220.
# *************** End of Sample FTP Configuration File for AP 7220 ***********
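Two properties of this file are worth checking mechanically: the [accessLink] SubnetaddrAndMask entries must cover every NOSS server the AP is told to use (RADIUS, DHCP, NMS, syslog, SNTP), since the AP drops access-link packets only for the addresses listed there, and each [neighborblocklist] block must carry one well-formed WarpId that is not in its own neighbor list. The following Python is an added example, not part of the Nortel document; it assumes the format shown above ([block] headers that may repeat, key = value lines, '#' comments), and its SAMPLE is a constructed excerpt of the file.

```python
"""Check an AP 7220 configuration file: NOSS servers must be blocked from the
access link, and TL pruning blocks must be well formed.

Added example, not part of the Nortel document. Assumes the sample's format:
[block] headers that may repeat, key = value lines and '#' comments.
"""
import ipaddress
import re

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def parse_blocks(text):
    """[(block_name_lowercased, [(key_lowercased, value), ...]), ...] in file
    order; a repeated block name yields a separate entry each time."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1].strip().lower(), [])
            blocks.append(current)
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current[1].append((key.lower(), value))
        else:
            raise ValueError(f"unparseable line: {raw!r}")
    return blocks


def values(blocks, block, key):
    """Every value of key across all blocks with that name (keys may repeat)."""
    return [v for name, entries in blocks if name == block
            for k, v in entries if k == key]


def blocked_networks(blocks):
    """[accessLink] SubnetaddrAndMask=addr,mask entries as networks."""
    nets = []
    for entry in values(blocks, "accesslink", "subnetaddrandmask"):
        addr, mask = (part.strip() for part in entry.split(","))
        nets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return nets


def management_servers(blocks):
    """Server addresses the AP is configured to use, keyed by block.key."""
    servers = {}
    for key in ("primaryauthenticationserver", "secondaryauthenticationserver",
                "primaryaccountingserver", "secondaryaccountingserver"):
        for v in values(blocks, "radius", key):          # value is ip:port
            servers[f"radius.{key}"] = ipaddress.ip_address(v.split(":")[0])
    for block, key in (("dhcp", "warpprimarydhcp"), ("dhcp", "mnprimarydhcp"),
                       ("nms", "nmsipaddr"), ("syslog", "syslogserver"), ("sntp", "sntpserver")):
        for v in values(blocks, block, key):
            servers[f"{block}.{key}"] = ipaddress.ip_address(v)
    return servers


def unshielded_servers(blocks):
    """Management servers not covered by any access-link block entry."""
    nets = blocked_networks(blocks)
    return sorted(name for name, ip in management_servers(blocks).items()
                  if not any(ip in net for net in nets))


def pruning_problems(blocks):
    """[neighborblocklist] blocks with a bad WarpId count, a malformed MAC, or
    an AP that lists itself as a neighbor to block."""
    problems = []
    for name, entries in blocks:
        if name != "neighborblocklist":
            continue
        warps = [v.lower() for k, v in entries if k == "warpid"]
        neighbors = [v.lower() for k, v in entries if k == "neighbormac"]
        if len(warps) != 1:
            problems.append(f"block has {len(warps)} WarpId entries, expected 1")
            continue
        problems += [f"{warps[0]}: malformed MAC {m}" for m in warps + neighbors
                     if not MAC_RE.match(m)]
        if warps[0] in neighbors:
            problems.append(f"{warps[0]} lists itself as a blocked neighbor")
    return problems


# Constructed excerpt of the sample configuration file above.
SAMPLE = """
[radius]
PrimaryAccountingServer = 192.168.30.12:1813
PrimaryAuthenticationServer = 192.168.30.12:1812
[dhcp]
WarpPrimaryDhcp = 192.168.30.11
MnPrimaryDhcp = 192.168.30.11
[nms]
nmsIpAddr = 192.168.30.13
[syslog]
SyslogServer = 192.168.30.13
[accessLink]
SubnetaddrAndMask= 192.168.30.0,255.255.255.0
#WARP ID=1
[neighborblocklist]
WarpId=00:60:38:df:cf:6e
neighborMac=00:60:38:15:ce:42
#WARP ID=2
[neighborblocklist]
WarpId=00:60:38:15:cd:b3
neighborMac=00:60:38:df:cf:44
"""
```

With the sample as printed every server sits in 192.168.30.0/24 and unshielded_servers() returns an empty list; moving the syslog server to another subnet without adding a matching SubnetaddrAndMask entry makes it appear in the result.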

Appendix G
Wireless Access Point 7220 performance statistics
This appendix describes the statistics collected to describe Wireless Access Point
7220 performance within the Wireless Mesh Network. The Wireless Mesh
Network collects the following types of Wireless AP 7220 statistics:

- Statistics defined by the Wireless Mesh Network-specific enterprise MIB for
the Wireless AP 7220:
  - Wireless Access Point 7220 statistics (Access Link Statistics; Mobile
  IP Statistics; Transit Link Activity; and IPsec Activity)
- Statistics defined by standard MIBs:
  - Wireless AP 7220 IPsec Activity statistics (General, Incoming, and
  OutgoingToServer)
  - RADIUS Accounting statistics (General, Incoming, and OutGoingToServer)
  - SNMP statistics (SNMP Engine, MPD, Target, and USM)
  - OSPF statistics (Area Table, Interface Events, and Neighbor Table)
  - MIB-II statistics (System, Interface, IP, ICMP, UDP, TCP, and SNMP)

Use the Optivity Network Management System (ONMS) application to display
Wireless Mesh Network statistics.

Wireless Access Point 7220 statistics

The Wireless Mesh Network groups Wireless AP 7220 statistics into:
- Access Link statistics
- Mobile IP statistics
- Transit Link Activity statistics
- IPsec Activity statistics

Wireless AP 7220 Access Link statistics

The Wireless Mesh Network collects the following Wireless AP 7220 Access
Link statistics describing Wireless AP 7220 performance:
- Current Mobile Count
- Num. of Authentication Failures
- Num. of IP Configuration Failures
- Num. of IPsec Tunnel Failures
- Num. of HA Binding Failures

Wireless AP 7220 Mobile IP statistics

The Wireless Mesh Network collects the following Wireless AP 7220 Mobile IP
statistics describing Wireless AP 7220 performance:
- Home Agent Address
- Num. of Registration Request
- Num. of Registration Reply
- Reg. denial on Unspecified Reason
- Reg. denial on Admin Reason
- Request denial on Insufficient Resources
- Reg. denial on Poorly Formed Request

Wireless AP 7220 Transit Link Activity statistics

The Wireless Mesh Network collects the following Wireless AP 7220 Transit
Link Activity statistics describing Wireless AP 7220 performance:
- Transit Link Identifier
- Num. of Octets in Queue
- Num. of Packets in Queue
- Average Egress Data Rate

Wireless AP 7220 IPsec Activity statistics

The Wireless Mesh Network collects the following Wireless AP 7220 IPsec
Activity statistics describing Wireless AP 7220 performance:
- Wireless Gateway IP Addr
- Operational Status
- Tunnel In Packets
- Tunnel Out Packets

RADIUS Authentication statistics

The Wireless Mesh Network groups RADIUS Authentication statistics into:
- General statistics
- Incoming statistics
- OutGoingToServer statistics

RADIUS Authentication General statistics

The Wireless Mesh Network collects the following RADIUS Authentication
General statistics describing Wireless AP 7220 performance:
- Num. of Invalid Server Addresses Received

RADIUS Authentication Incoming statistics

The Wireless Mesh Network collects the following RADIUS Authentication
Incoming statistics describing Wireless AP 7220 performance:
- Auth. Server Address
- Total Num. of Access-Accepts
- Total Num. of Access-Rejects
- Total Num. of Access-Challenges
- Num. of Malformed Access-Responses
- Num. of Bad Authenticators
- Num. of Unknown Types
- Num. of Packets Dropped

RADIUS Authentication OutGoingToServer statistics

The Wireless Mesh Network collects the following RADIUS Authentication
OutGoingToServer statistics describing Wireless AP 7220 performance:
- Auth. Server Address
- Num. of Access-Requests
- Num. of Access Retransmissions
- Num. of Pending Requests
- Num. of Timeouts

RADIUS Accounting statistics

The Wireless Mesh Network groups RADIUS Accounting statistics into:
- General statistics
- Incoming statistics
- Outgoing statistics

RADIUS Accounting General statistics

The Wireless Mesh Network collects the following RADIUS Accounting General
statistics describing Wireless AP 7220 performance:
- Num. of Invalid Server Addresses Received

RADIUS Accounting Incoming statistics

The Wireless Mesh Network collects the following RADIUS Accounting
Incoming statistics describing Wireless AP 7220 performance:
- Acct. Server Address
- Num. of Responses
- Num. of Malformed Responses
- Num. of Bad Authenticators
- Num. of Unknown Types
- Num. of Packets Dropped

RADIUS Accounting Outgoing statistics

The Wireless Mesh Network collects the following RADIUS Accounting
Outgoing statistics describing Wireless AP 7220 performance:
- Acct. Server Address
- Num. of Requests
- Num. of Retransmissions
- Num. of Pending Requests
- Num. of Timeouts

SNMP statistics
The Wireless Mesh Network groups SNMP statistics into:
- SNMP engine statistics
- SNMP MPD statistics
- SNMP target statistics
- SNMP USM statistics

SNMP engine statistics

The Wireless Mesh Network collects the following SNMP engine statistics
describing Wireless AP 7220 performance:
- Num. of Reboots
- snmp Engine Time
- Maximum Message Size

SNMP MPD statistics

The Wireless Mesh Network collects the following SNMP MPD statistics
describing Wireless AP 7220 performance:
- Num. of Unknown Security Models
- Num. of Invalid Messages
- Unknown PDU Handlers

SNMP target statistics

The Wireless Mesh Network collects the following SNMP target statistics
describing Wireless AP 7220 performance:
- Packets Dropped of Unavailable Context
- Packets Dropped of Unknown Context

SNMP USM statistics

The Wireless Mesh Network collects the following SNMP USM statistics
describing Wireless AP 7220 performance:
- Unsupported Security Level
- Not INTime Windows
- Unknown User Name
- Unknown Engine IDs
- Wrong Digest Values
- Decryption Errors
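The RADIUS Authentication Incoming counters (Bad Authenticators, Malformed Access-Responses, Access-Rejects) and the SNMP USM counters just listed are the ones that grow when something is probing RADIUS or SNMPv3 on an AP. As an added example that is not from the Nortel document, the following Python compares two successive polls of those counters (names as listed in this appendix; thresholds and poll values are constructed) and uses the SNMP engine statistics Num. of Reboots and snmp Engine Time to tell when the earlier poll is no longer a valid baseline.

```python
"""Alert on growth of the RADIUS Authentication Incoming and SNMP USM
counters listed in this appendix.

Added example, not part of the Nortel document. Counter names are the ones
the appendix lists; thresholds and the sample polls are constructed.
"""

# Growth per poll interval that should raise an alert (constructed; tune per
# deployment). A single bad RADIUS authenticator or wrong USM digest is worth
# a look because a correctly keyed server or manager should not produce one.
THRESHOLDS = {
    "Total Num. of Access-Rejects": 20,
    "Num. of Malformed Access-Responses": 1,
    "Num. of Bad Authenticators": 1,
    "Num. of Unknown Types": 5,
    "Unsupported Security Level": 5,
    "Not INTime Windows": 5,
    "Unknown User Name": 5,
    "Unknown Engine IDs": 5,
    "Wrong Digest Values": 1,
    "Decryption Errors": 1,
}


def rebooted_between(previous, current):
    """True when the SNMP engine statistics show the AP restarted between the
    polls, so the earlier absolute counter values are no longer a baseline."""
    if current.get("Num. of Reboots", 0) != previous.get("Num. of Reboots", 0):
        return True
    return current.get("snmp Engine Time", 0) < previous.get("snmp Engine Time", 0)


def counter_growth(previous, current):
    """Increase of each watched counter between two polls of one AP.

    After a reboot the counters restart at zero, so the current absolute value
    is the growth since boot. Without a reboot, a counter that went backwards
    is reported as 0 rather than as a negative number."""
    fresh_start = rebooted_between(previous, current)
    growth = {}
    for name in THRESHOLDS:
        if name in current:
            growth[name] = (current[name] if fresh_start
                            else max(0, current[name] - previous.get(name, 0)))
    return growth


def alerts(ap, previous, current):
    """Alert lines for counters whose growth reached their threshold."""
    return [f"{ap}: {name} +{delta} since last poll (threshold {THRESHOLDS[name]})"
            for name, delta in counter_growth(previous, current).items()
            if delta >= THRESHOLDS[name]]


# Constructed sample: two polls of the same AP five minutes apart.
POLL_1 = {
    "Num. of Reboots": 3, "snmp Engine Time": 86400,
    "Total Num. of Access-Accepts": 1200, "Total Num. of Access-Rejects": 15,
    "Num. of Bad Authenticators": 0, "Unknown User Name": 2, "Wrong Digest Values": 0,
}
POLL_2 = {
    "Num. of Reboots": 3, "snmp Engine Time": 86700,
    "Total Num. of Access-Accepts": 1230, "Total Num. of Access-Rejects": 58,
    "Num. of Bad Authenticators": 0, "Unknown User Name": 2, "Wrong Digest Values": 4,
}

if __name__ == "__main__":
    for line in alerts("ap-7220-01", POLL_1, POLL_2):
        print(line)
```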

OSPF statistics
The Wireless Mesh Network groups OSPF statistics into:
- Area table statistics
- Interface event statistics
- Neighbor table statistics

OSPF area table statistics

The Wireless Mesh Network collects the following OSPF area table statistics
describing Wireless AP 7220 performance:
- Num. of Times Route Calculated
- Border Router Count
- Autonomous System Border Router Count
- Area LSA Count

OSPF interface statistics

The Wireless Mesh Network collects the following OSPF interface statistics
describing Wireless AP 7220 performance:
- Interface State Change Count

OSPF neighbor table statistics

The Wireless Mesh Network collects the following OSPF neighbor table
statistics describing Wireless AP 7220 performance:
- Nbr. State Change Count
- Length of Retransmission Queue

MIB-II statistics
The Wireless Mesh Network groups MIB-II statistics into:

System statistics, sub-grouped into:
    Status/Profile statistics
Interface statistics, sub-grouped into:
    Status/Profile statistics
    InActivity statistics
    OutActivity statistics
IP statistics, sub-grouped into:
    Profile statistics
    InActivity statistics
    OutActivity statistics
    Address table statistics
    Route table statistics
ICMP statistics, sub-grouped into:
    InActivity statistics
    OutActivity statistics
UDP statistics, sub-grouped into:
    Activity statistics
TCP statistics, sub-grouped into:
    Profile statistics
    Activity statistics
SNMP statistics, sub-grouped into:
    InActivity statistics
    OutActivity statistics

MIB-II system statistics

MIB-II system status/profile statistics
The Wireless Mesh Network collects the following MIB-II system status/profile
statistics describing Wireless AP 7220 performance:

Description
Num. Interface
System up time
Location

MIB-II interface statistics

MIB-II interface status/profile statistics
The Wireless Mesh Network collects the following MIB-II interface status/profile
statistics describing Wireless AP 7220 performance:

Interface Index
Type
MTU
Speed
Physical Address
Admin Status
Operational Status
Last Change
Description

MIB-II interface InActivity statistics

The Wireless Mesh Network collects the following MIB-II interface InActivity
statistics describing Wireless AP 7220 performance:

Interface Index
Utilization
In Utilization
In Octets
In Ucast Pkts
In NUcast Pkts
In Discards
In Errors
In Unknown Proto

MIB-II interface OutActivity statistics

The Wireless Mesh Network collects the following MIB-II interface OutActivity
statistics describing Wireless AP 7220 performance:

Interface Index
Net Utilization
Out Util
Out Octets
Out Ucast Pkts
Out NUcast Pkts
Out Discards
Out Errors
Out Pkt Queue Length

MIB-II IP statistics
MIB-II IP profile statistics
The Wireless Mesh Network collects the following MIB-II IP profile statistics
describing Wireless AP 7220 performance:

Forwarding
Default TTL
Reassembly Timeout

MIB-II IP InActivity statistics

The Wireless Mesh Network collects the following MIB-II IP InActivity statistics
describing Wireless AP 7220 performance:

In Receives
In Header Errors
In Address Errors

In Forwarded Datagrams
In Unknown Protocols
In Discards
In Delivers

MIB-II IP OutActivity statistics

The Wireless Mesh Network collects the following MIB-II IP OutActivity
statistics describing Wireless AP 7220 performance:

Out Requests
Out Discards
No Route Found
Reassembly Required
Reassembly Successful
Reassembly Failed
Fragmenting Successful
Fragmenting Failed
Fragmenting Created

MIB-II IP address table statistics

The Wireless Mesh Network collects the following MIB-II IP address table
statistics describing Wireless AP 7220 performance:

IP Address
If Index
Subnet mask
IP Bcast Address Bit
Reassembly Max Size

MIB-II IP route table statistics

The Wireless Mesh Network collects the following MIB-II IP route table statistics
describing Wireless AP 7220 performance:

Destination
If Index
Metric 1
Metric 2
Metric 3
Metric 4
Next Hop
Type of Route
Source protocol
Route Age
Route Mask

MIB-II ICMP statistics

MIB-II ICMP InActivity statistics
The Wireless Mesh Network collects the following MIB-II ICMP InActivity
statistics describing Wireless AP 7220 performance:

In Messages
In Errors
In Dest. Unreach
In Time Exceeded
In Parameter Problem
In Src Quench
In Redirects
In Echos
In Echo Reply
In Time Stamps
In Time Stamp Reply
In Address Mask
In Address Mask Reply

MIB-II ICMP OutActivity statistics

The Wireless Mesh Network collects the following MIB-II ICMP OutActivity
statistics describing Wireless AP 7220 performance:

Out Messages
Out Errors
Out Dest. Unreach
Out Time Exceeded
Out Parameter Problem
Out Src Quench
Out Redirects
Out Echos
Out Echo Reply
Out Time Stamps
Out Time Stamp Reply
Out Address Mask
Out Address Mask Reply

MIB-II UDP statistics

MIB-II UDP activity statistics
The Wireless Mesh Network collects the following MIB-II UDP activity statistics
describing Wireless AP 7220 performance:

In Datagrams
Num. Dest Port
In Errors
Out Datagrams

MIB-II TCP statistics

MIB-II TCP profile statistics
The Wireless Mesh Network collects the following MIB-II TCP profile statistics
describing Wireless AP 7220 performance:

Retransmitting Algorithm
Retransmitting Min
Retransmitting Max
Max Connection

MIB-II TCP activity statistics

The Wireless Mesh Network collects the following MIB-II TCP activity statistics
describing Wireless AP 7220 performance:

Active Opens
Passive Opens
Attempt Fails
Established Resets
Current Established
In Segments
Out Segments
Retransmitted Segments
In Errors
Out RST Segments

MIB-II SNMP statistics

MIB-II SNMP InActivity statistics
The Wireless Mesh Network collects the following MIB-II SNMP InActivity
statistics describing Wireless AP 7220 performance:

In Pkts
In Bad Versions
In Bad Comm Names
In Bad Comm Used
In ASN Parse Errs
In Too Big
In No Such Name
In Bad Values
In Read Only
In GenErrors
In Total Request Vars
In Total Set Vars
In Get Requests
In Get Nexts
In Set Requests
In Get Response
In Traps

MIB-II SNMP OutActivity statistics

The Wireless Mesh Network collects the following MIB-II SNMP OutActivity
statistics describing Wireless AP 7220 performance:

Out Pkts
Out Too Big
Out No Such Name
Out Bad Values
Out GenErrors
Out Get Requests
Out Get Nexts
Out Set Requests
Out Get Response
Out Traps

Appendix H
Wireless Access Point 7220 traps
The Wireless AP 7220 supports the following traps:

warpBootup
warpCriticalTaskFailure
warpDhcpLeaseExpiring
warpDhcpLeaseRenewalFailed
warpDhcpRenewalFailureCleared
warpNetworkTimeSynchronized
warpNetworkTimeSynchronizationLost
warpSoftwareDownloadStatus
warpSubscriberDatabaseFull
warpSubscriberDatabaseNormal
warpSubscriberManagmentFailed
warpSubscriberManagmentStarted
warpIPSecTunnelEstablished
warpMobileQuarantined
warpMobileQuarantineCleared
warpRadiusAcctServerFailover
warpRadiusAcctServerRestored
warpRadiusAcctServerUnavailable
warpRadiusAuthServerFailover
warpRadiusAuthServerUnavailable
warpRadiusAuthServerRestored

Table 9 correlates the Wireless AP 7220 traps with the fault and the severity of the
fault.

Wireless Mesh Network fault severity is consistent with ONMS fault severity:

1 to 3 = low severity
4 to 6 = medium severity
7 to 10 = high severity

Table 9 Fault correlation of Wireless Mesh Network traps

Trap                                Fault correlation                                   Fault severity
warpBootup                          WARP_Bootup
warpCriticalTaskFailure             Critical_Task_Failure
warpDhcpLeaseRenewalFailed          DHCP_lease_Renewal_Failed
warpDhcpRenewalFailureCleared       clears the fault DHCP_lease_Renewal_Failed
warpDhcpLeaseExpiring               DHCP_Lease_expiring
warpIPSecTunnelEstablished          clears the fault DHCP_Lease_expiring
warpMobileQuarantineCleared         clears the fault Mobile_Quarantined
warpMobileQuarantined               Mobile_Quarantined
warpNetworkTimeSynchronized         clears the fault Network_Time_Synchronization_Lost  0
warpNetworkTimeSynchronizationLost  Network_Time_Synchronization_Lost
warpRadiusAcctServerFailover        Radius_Accounting_Server_Failover
warpRadiusAcctServerRestored        clears the fault Radius_Accounting_Server_Failover
warpRadiusAcctServerUnavailable     Radius_Accounting_Server_Unavailable
warpRadiusAuthServerFailover        Radius Authentication Server Failover
warpRadiusAuthServerRestored        clears the fault Radius_Accounting_Server_Unavailable
warpRadiusAuthServerUnavailable     Radius_Authentication_Server_Unavailable
warpSoftwareDownloadStatus          Software_Download_Error
warpSoftwareDownloadStatus          clears the fault Software_Download_Error
warpSubscriberDatabaseFull          Subscriber_database_Full
warpSubscriberDatabaseNormal        clears the fault Subscriber_database_Full
warpSubscriberManagmentFailed       Subscriber_management_Failed
warpSubscriberManagmentStarted      clears the fault Subscriber_management_Failed

Glossary
802.11
This is a family of IEEE specifications for wireless area networks.

802.11a
The IEEE specification for wireless area networks that operate at radio
frequencies in the 5 GHz band, use a modulation scheme known as orthogonal
frequency-division multiplexing (OFDM), and provide a maximum raw data
speed of 54 Mbps.

802.11b
The IEEE specification for wireless area networks that operate at radio
frequencies in the 2.4 GHz band, use a modulation scheme known as
complementary code keying (CCK), and provide a maximum raw data speed
of 11 Mbps.

802.11g
The IEEE specification for wireless area networks that operate at radio
frequencies in the 2.4 GHz band, use a modulation scheme known as
complementary code keying (CCK), and provide a maximum raw data speed
of 54 Mbps.

802.11i
Specifications developed by the IEEE for wireless LAN security.

AC
Alternating Current

Access Link
A radio link between a Wireless Access Point 7220 and a subscriber's
wireless mobile terminal.

AES
Advanced Encryption Standard

AL
Access Link

API
Application Programming Interface

ARP
Address Resolution Protocol

ASCII
American Standard Code for Information Interchange

ASN
Application Programming Interface

BG
Border Gateway

BSSID
Basic Service Set Identifier - a unique identifier used by the Wireless Mesh
Network for establishing communications between Wireless AP 7220s and
mobile nodes.

CAN
Community Area Network

Captive Portal function
Maintains the authorization state of the mobile nodes. It is located on the
Network Access Controller (NAC).

CAR
Client Address Redistribution

CAT5
CATegory 5 - a cable grade under a system for categorizing twisted pair
cabling systems (wires, junctions, and connectors) that supports electrical
transmission up to 100 Mbit/s full duplex.

CCK
Complementary Code Keying

CLI
Command Line Interface

DHCP
Dynamic Host Configuration Protocol

EAP
Extensible Authentication Protocol

EAPOL
Extensible Authentication Protocol Over Local Area Network - a method of
encapsulating an EAP message over a LAN.

ESP
Encapsulating Security Payload

FTP
File Transfer Protocol

GUI
Graphical User Interface

HA
Home Agent

HTML
HyperText Markup Language

HTTP
HyperText Transmission Protocol

ICMP
Internet Control Message Protocol. The protocol used to handle errors and
control messages at the IP layer. ICMP is actually part of the IP protocol.

ID
Identifier, Identity

IP
Internet Protocol

IPsec
Internet Protocol Security

IEEE
Institute of Electrical and Electronic Engineers

Inter-Wireless Gateway 7250 roaming
A network environment that allows clientless seamless roaming and mobility
across multiple Wireless Gateway 7250s in a Wireless Mesh Network.

ISP
Internet Service Provider

LAN
Local Area Network

LDAP
Lightweight Directory Access Protocol

LEAP
Lightweight Extensible Authentication Protocol

LOS
Line of Sight

LSA
Link State Advertisement

MAC address
Six-byte physical or hardware address

MAC
Media Access Control

Mbps
Megabits per second

MIB
Management Information Base

MIP
Mobile IP filter

MN
(Wireless) Mobile Node

MPD
Message Processing and Dispatch

MSID
Multi-Session ID - used by a Wireless Gateway 7250 for session tracking
purposes. Created when a mobile node associates with a Wireless AP 7220.

MTU
Maximum Transmission Unit

NAC
Network Access Controller - controls mobile traffic going in and coming out
of the Wireless Mesh Network cluster (WMC).

NAP
Network Access Point

NAP-R
Network Access Point Router

NAS
Network Access Server - used by the RADIUS protocol

NAT
Network Address Translation

NMS
Network Management System

NOSS
Network Operations Support System

OAM&P
Operations, Accounting, Maintenance, and Provisioning

OIT
Optivity Integration Toolkit

ONMS
Optivity Network Management System

OSPF
Open Shortest Path First. An interior gateway protocol that routes messages
according to the least expensive path, developed to replace the RIP (Routing
Information Protocol) protocol. A Proposed Standard IGP (Inter-Packet
Gaps) for the Internet.

PAS
Payment server - used for billing purposes.

PC
Personal Computer

PDA
Personal Digital Assistant

PDU
Payload Data Unit

PEAP
Protected Extensible Authentication Protocol

QoS
Quality of Service

RADIUS
Remote Authentication Dial-In User Services

RAS client
Remote Access Service client - an entity in communication with a RADIUS
server.

RF
Radio Frequency

RFC
Request For Comments. A series of numbered international documents (RFC
822, RFC 1123, etc.) that sets standards which are voluntarily followed by
many makers of software in the Internet community.

RJ45
A serial connector used with Ethernet and Token Ring devices that looks like
a telephone jack but has eight wires instead of four or six.

RSA
Rivest-Shamir-Adleman - a form of cryptography named after the inventors

RSNA
Robust Security Network Association

RSSI
Received Signal Strength Indicator

RST
Reset flag from the TCP protocol exchange

SNMP
Simple / Secure Network Management Protocol

SQL
Structured Query Language

SNTP
Simple Network Time Protocol

TKIP
Temporal Key Integrity Protocol

TL
Transit Link (Wireless)

TLS
Transport Layer Security

Transit Link
Radio links between neighboring Wireless AP 7220s

TTLS
Tunnelled Transport Layer Security

VPN
Virtual Private Network

WAN
Wide Area Network

Wi-Fi
Wireless Fidelity Alliance compatible 802.11

WLAN
Wireless Local Area Network

WMC
Wireless Mesh Network cluster - a group of Wireless AP 7220s and Wireless
AP 7220 @ NAPs anchored to one or more Wireless Gateway 7250s in a mesh
configuration.

WPA
Wi-Fi Protected Access, a security enhancement that increases the level of
data protection and access control for existing Wi-Fi networks. It utilizes the
enhanced data encryption TKIP (Temporal Key Integrity Protocol) in addition
to user authentication using 802.1x and EAP (Extensible Authentication
Protocol).

WSS
Wireless Security Switch

Copyright 2005 Nortel Networks
All rights reserved
Information subject to change without notice
Publication: 318507-B Rev 01
Date: March 2005