318507-B Rev 01
March 2005
Trademarks
Nortel Networks, the Nortel Networks logo, and Contivity are trademarks of Nortel Networks.
Adobe and Acrobat Reader are trademarks of Adobe Systems Incorporated.
Check Point and Firewall 1 are trademarks of Check Point Software Technologies Ltd.
Java is a trademark of Sun Microsystems.
Microsoft, Windows, Windows NT, and MS-DOS are trademarks of Microsoft Corporation.
NETVIEW is a trademark of International Business Machines Corp (IBM).
OPENView is a trademark of Hewlett-Packard Company.
SPECTRUM is a trademark of Cabletron Systems, Inc.
All other trademarks and registered trademarks are the property of their respective owners.
Statement of conditions
In the interest of improving internal design, operational function, and/or reliability, Nortel Networks Inc. reserves the
right to make changes to the products described in this document without notice.
Nortel Networks Inc. does not assume any liability that may occur due to the use or application of the product(s) or
circuit layout(s) described herein.
Portions of the code in this software product may be Copyright 1988, Regents of the University of California. All
rights reserved. Redistribution and use in source and binary forms of such portions are permitted, provided that the
above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising
materials, and other materials related to such distribution and use acknowledge that such portions of the software were
developed by the University of California, Berkeley. The name of the University may not be used to endorse or promote
products derived from such portions of the software without specific prior written permission.
SUCH PORTIONS OF THE SOFTWARE ARE PROVIDED AS IS AND WITHOUT ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE.
In addition, the program and information contained herein are licensed only pursuant to a license agreement that contains
restrictions on use and disclosure (that may incorporate by reference certain limitations and notices imposed by third
parties).
4. General
a. If Customer is the United States Government, the following paragraph shall apply: All Nortel Networks Software available under this License Agreement is commercial computer software and commercial computer software documentation and, in the event Software is licensed for or on behalf of the United States Government, the respective rights to the software and software documentation are governed by Nortel Networks standard commercial license in accordance with U.S. Federal Regulations at 48 C.F.R. Sections 12.212 (for non-DoD entities) and 48 C.F.R. 227.7202 (for DoD entities).
b. Customer may terminate the license at any time. Nortel Networks may terminate the license if Customer fails to comply with the terms and conditions of this license. In either event, upon termination, Customer must either return the Software to Nortel Networks or certify its destruction.
c. Customer is responsible for payment of any taxes, including personal property taxes, resulting from Customer's use of the Software. Customer agrees to comply with all applicable laws including all applicable export and import laws and regulations.
d. Neither party may bring an action, regardless of form, more than two years after the cause of the action arose.
e. The terms and conditions of this License Agreement form the complete and exclusive agreement between Customer and Nortel Networks.
f. This License Agreement is governed by the laws of the country in which Customer acquires the Software. If the Software is acquired in the United States, then this License Agreement is governed by the laws of the state of New York.
318507-B Rev 01
Preface
19
19
Text conventions
20
Icon conventions
21
Documentation roadmap
22
24
24
Chapter 1
Fundamentals
27
27
Network overview
28
Network architecture
28
29
29
29
30
30
31
Border Gateway
31
31
35
35
38
Principles of operation
39
40
Mobility management
40
Chapter 2
Network installation overview
43
IP addressing requirements
43
44
47
48
50
Wireless Mesh Network Solution Reference
6
FTP server requirements
50
SNTP server
51
51
52
Ethernet switch
55
55
Distribution network
56
57
57
Network specifications
58
Chapter 3
Fault management
Faults in the Wireless Mesh Network
59
59
59
60
60
61
61
62
Alarm filtering
62
Error logging
63
Alarm statistics
64
64
65
Fault correction
67
68
Chapter 4
Configuration management
69
Configuration overview
69
70
KeyGen tool
70
ConfigVerify tool
71
71
7
Configuring the NAP router
72
73
74
75
76
76
77
79
80
82
82
82
84
Enabling services
85
85
86
86
86
86
90
92
101
103
105
109
121
123
124
Creating classifiers
124
126
130
133
136
137
138
8
Wireless AP 7220 post-deployment configuration
140
140
140
141
141
141
142
143
143
143
144
144
145
147
147
149
149
152
152
152
153
154
154
155
155
157
157
158
158
158
159
160
160
161
161
318507-B Rev 01
9
162
Chapter 5
Accounting
163
Overview
163
164
165
168
Time-based accounting
168
Idle timeouts
168
Network failure
169
Fraud reporting
170
Accounting traps
170
Chapter 6
Performance management
171
171
172
173
173
176
Chapter 7
Security
179
Security standards
179
179
Subscriber security
181
182
Network security
183
184
185
Authenticating subscribers
185
185
186
187
10
Security alarms and event reporting
187
188
Chapter 8
Administration
189
189
190
190
192
193
194
194
195
196
196
196
197
Appendix A
KeyGen tool
199
Appendix B
Sample DHCP configuration file
201
Appendix C
FTP server user permissions
209
209
Appendix D
Sample NAP router configuration
211
Appendix E
Sample NAC configuration
215
Appendix F
Sample FTP configuration file
219
Appendix G
318507-B Rev 01
11
223
223
224
224
224
225
225
225
225
226
226
226
227
227
SNMP statistics
227
228
228
228
228
OSPF statistics
229
229
229
229
MIB-II statistics
230
230
230
231
231
231
232
MIB-II IP statistics
232
232
232
233
233
Wireless Mesh Network Solution Reference
12
MIB-II IP route table statistics
MIB-II ICMP statistics
233
234
234
235
235
235
236
236
236
236
236
237
Appendix H
Wireless Access Point 7220 traps
239
Glossary
241
318507-B Rev 01
13
Figure 1
28
Figure 2
Figure 3
39
Figure 4
44
Figure 5
66
Figure 6
67
Figure 7
77
Figure 8
Figure 9
83
Figure 10
83
Figure 11
85
Figure 12
87
Figure 13
87
Figure 14
88
Figure 15
89
Figure 16
89
Figure 17
90
Figure 18
91
Figure 19
92
Figure 20
93
Figure 21
94
Figure 22
95
Figure 23
96
Figure 24
96
Figure 25
98
Figure 26
Figure 27
100
Figure 28
101
Figure 29
Global configuration
102
Figure 30
103
Figure 31
104
Figure 32
105
Figure 33
107
Figure 34
107
99
14
Figure 35
108
Figure 36
109
Figure 37
110
Figure 38
110
Figure 39
111
Figure 40
113
Figure 41
114
Figure 42
115
Figure 43
116
Figure 44
Figure 45
Figure 46
117
Figure 47
118
Figure 48
118
Figure 49
120
Figure 50
121
Figure 51
122
Figure 52
123
Figure 53
Creating a classifier
125
Figure 54
125
Figure 55
Classifiers screen
126
Figure 56
127
Figure 57
128
Figure 58
129
Figure 59
131
Figure 60
132
Figure 61
133
Figure 62
134
Figure 63
135
Figure 64
136
Figure 65
Pre-deployment configuration
139
Figure 66
150
Figure 67
151
Figure 68
164
318507-B Rev 01
15
Figure 69
Figure 70
Figure 71
Figure 72
Figure 73
182
Figure 74
183
Figure 75
192
176
16
318507-B Rev 01
17
Table 1
NOSS requirements
32
Table 2
ONMS applications
34
Table 3
45
Table 4
IP address categories
46
Table 5
129
Table 6
130
Table 7
Accounting attributes
165
Table 8
191
Table 9
240
18
318507-B Rev 01
19
Preface
This guide introduces the Nortel Wireless Mesh Network. It provides overview,
configuration, and maintenance information to help you install, configure and
maintain your Wireless Mesh Network.
Text conventions
This guide uses the following text conventions:
angle brackets (< >)
braces ({})
brackets ([ ])
ellipsis points (. . . )
italic text
plain Courier text
separator ( > )
vertical line ( | )
Icon conventions
Figures in this guide that depict a Wireless Mesh Network use the following
standard icons:
Wireless Access Point 7220
Ethernet switch
RF wireless connection
Border Gateway
Documentation roadmap
For information about installing, configuring, monitoring, and managing a
Wireless Mesh Network, refer to the following publications:
For information about installing a Wireless Access Point 7220, refer to the
following publications:
Quick Reference to Installing the Nortel Networks Wireless Access Point 7220
(318528-A)
For information about installing and using a Wireless Gateway 7250, refer to the
following publications:
For information about using the Optivity Network Management System, refer to
the following publications:
Quick Installation and Startup for Optivity NMS 10.2 for Windows
(208830-F)
Provides brief instructions for installing and getting started with Optivity
NMS 10.2 for Windows NT*, Windows 2000, and Windows 2003 platforms.
Quick Installation and Startup for Optivity NMS 10.2 for UNIX (208949-F)
Provides brief instructions for installing and getting started with Optivity
NMS 10.2 for UNIX platforms.
Describes how to install and administer Optivity NMS 10.2 to start managing
your Wireless Mesh Network.
Telephone: North America; Asia Pacific; China (800) 810-5000
Chapter 1
Fundamentals
Wireless Mesh Network solutions
A Wireless Mesh Network enables mobile users to enjoy secure, seamless,
wireless roaming across converging public and private networks, as well as
hotspot environments.
Nortel's Wireless Mesh Network solution uses a number of wireless access points
connected point-to-point. The hub or star configuration found in a
traditional WLAN backhaul is replaced with point-to-point connections between
wireless access points, which form a mesh network backhaul to the broadband
network. Because the wired backhaul is replaced with a wireless backhaul, no
existing LAN infrastructure is required to deploy the Wireless Mesh Network solution.
The Wireless Mesh Network solution uses standard IEEE 802.11 technology for
providing broadband wireless access and wireless backhaul. A Wireless Mesh
Network solution is ideal in providing WLAN coverage in open spaces where
traditional WLAN systems are prohibitive to deploy because CAT5 or LAN
cabling does not exist or is costly and difficult to deploy. Some examples of places
where a Wireless Mesh Network solution would have advantages over a standard
WLAN solution are:
Network overview
Network architecture
A graphical representation of a basic Wireless Mesh Network system is shown in
Figure 1.
Figure 1 Basic Wireless Mesh Network architecture
traffic collection and distribution functions for traffic within the Community
Area Network
extended reach, simplified deployment, and reliability due to its antenna
design
wireless access functions for connection to wireless mobile nodes (MNs)
routing and wireless transit functions for connection to two or more Wireless
AP 7220s and to NAPs
incorporates security functions for validating connections to other Wireless
AP 7220s
Border Gateway
The Border Gateway is a (logical) network entity that incorporates all functions
required to interface with the Internet. It advertises reachability to the Internet for
IP addresses assigned to Wireless Mesh Network subscribers and network entities.
The border gateway can also provide connectivity for other, non-Wireless Mesh
Network Enterprise/ISP entities. Also, it can incorporate other inter-networking
functions (for example, NAT, firewall, redirection). However, the border gateway
has no knowledge of Wireless Mesh Network specific mobility and security
functions.
Table 1 NOSS requirements
Requirement | Description
Network Management System |
DHCP server |
RADIUS server | EAP-TLS, EAP-TTLS, EAP-PEAP, EAP-LEAP support
FTP Server | No special requirements
SNTP server | No special requirements
Centralized management
The NOSS provides centralized facilities for monitoring and managing network
operations, using industry-standard protocols to communicate with the distributed
elements in the Wireless Mesh Network.
In the first release of Wireless Mesh Networks, the NOSS uses ONMS version
10.2 (with the Wireless Mesh Network specific OIT, Optivity Integration Toolkit,
and patches; refer to ONMS installation and configuration for more
information), which incorporates the added functionality to support the Wireless
AP 7220 and enables the ONMS to manage the Wireless AP 7220s in the network.
The ONMS uses common graphical user interfaces and proven technology to
provide the necessary tools to manage and visualize the Wireless Mesh Network
and its key elements.
ONMS fits into any network operations model, providing the flexibility to access
key management functions across the network from various locations. Based upon
a scalable client/server architecture, ONMS enables users to access any ONMS
server in the network from one client installation, or supported web browser
(Internet Explorer or Netscape). This distributed approach provides access to key
management tools from any Web-enabled workstation.
The following Optivity Network Management Options are available:
ONMS provides a single location for managing fault and performance across the
network, and a launch point and interface to other Optivity products. ONMS
provides visualization of Layer 1, 2, and 3 devices, network topology, faults, and
real-time performance statistics.
The following table briefly describes the supported ONMS applications:
Table 2 ONMS applications
ONMS Application | Support | Description
Discovery | |
Organization | |
Performance Management | |
Fault Management | |
Device Configuration Management | |
Inventory Management | |
Graphical View | |
Figure 2 Inter-Wireless Gateway 7250 roaming Wireless Mesh Network architecture
Inter-Wireless Gateway 7250 roaming adds two major network elements into the
Wireless Mesh Network architecture:
Any product that can support these two functions can be configured as a NAC in a
Wireless Mesh Network. Additional requirements must be met if the NAC is
deployed in a network that supports the Inter-Wireless Gateway 7250 roaming
capability. Refer to Network Access Controller requirements for more
information.
Once the mobile subscriber has successfully authenticated, the NAC provides
web-based accounting support for non-RSNA-based subscribers. RSNA
subscribers that use web-based accounting must be independently authenticated
twice: once through the Wireless AP 7220 with the RADIUS server, and once
through the captive portal with the RADIUS server. RSNA subscribers that do not
use web-based accounting are authenticated only through the Wireless AP 7220
with the RADIUS server but must provide special filtering at the captive portal.
Refer to Configuring the Network Access Controller (NAC) and Appendix E,
Sample NAC configuration for complete instructions on how to configure a
sample NAC.
The NAC can be deployed in a basic Wireless Mesh Network architecture as well
as in a network that supports Inter-Wireless Gateway 7250 roaming. In both cases,
packet steering rules must be configured on the Wireless Gateway 7250 to direct
mobile traffic towards the appropriate NAC. The NAC can then authenticate the
mobile subscriber (if the mobile subscriber has not yet been authenticated) and
exercise access control on the mobile traffic.
Refer to Filter 4 and Configuring client address redistribution (CAR) pools in
Chapter 4, Configuration management for complete information about
configuring packet steering rules.
Ethernet switch
The Layer 2 Ethernet switch provides the technology to support the mobility
information exchange between the two-tier anchor points. It connects the
distributed Network Access Controllers and the distributed Wireless Mesh
Network cluster (WMC).
Any Ethernet switch that can support this function can be configured in a Wireless
Mesh Network.
Figure 3 Wireless AP 7220 radio links overview
Principles of operation
A Nortel Wireless Mesh Network operates in the following manner:
traffic routing follows users as they roam from the coverage of one Wireless
AP 7220 to another
fault recovery occurs when a Wireless AP 7220 becomes unavailable
Mobility management
In the Wireless Mesh Network solution, end users can roam seamlessly across the
Wireless AP 7220s in the network that are within the span of the Wireless
Gateway 7250 or in the case of Inter-Wireless Gateway 7250 roaming, between
multiple Wireless Gateway 7250s. Key attributes to this solution include:
When a mobile node moves from one Wireless AP 7220 coverage area to another
(either through roaming or link fading), the endpoint of the connection path is
moved to the new Wireless AP 7220 using IP layer 3 routing capabilities. The new
path may even be routed through a different NAP router. No client software is
required on the mobile node.
If one node in the routing path has a problem (either within the Wireless AP 7220
itself or with maintaining one of the links), the OSPF routing algorithms and the
interconnections of the mesh network allow the network to find an alternate path
to the Wireless AP 7220 that is providing service to the mobile node. This
automatic rerouting is transparent to the mobile node.
Chapter 2
Network installation overview
This chapter contains the following topics:
Topic | Page
IP addressing requirements | 43
IP addressing requirements
The information in this section is intended to provide guidelines for IP address
planning for the Wireless Mesh Network.
The Wireless Mesh Network IP addressing architecture is shown in Figure 4.
purposes and IPsec tunneling. All mobile nodes are assigned an IP address from
the mobile node address pool. To allow for better security control of mobile
traffic, the mobile node IP addresses are completely separated from the Intranet
and Extranet address pools.
The following are examples of subnets used on a typical network deployment (see
Figure 7):
Subnet | Specific Addresses | Comments
NOSS Elements | 192.168.30.0/24 | DHCP=192.168.30.11; FTP=192.168.30.13; RADIUS=192.168.30.12; SNTP=192.168.30.15
AP Network (Extranet) | 27.0.27.x | NAP-R=27.0.27.1; Wireless AP 7220 @ NAP=27.0.27.4
AP Network (Intranet) | 192.168.50.x/24 | Wireless Gateway 7250=30.0.30.1
Wireless Gateway 7250 | 30.0.30.1 | Any
(unlabelled) | 192.168.20.248 | Any
Distribution Network | Any | Any
Mobile Nodes | Assigned by Wireless Gateway 7250 |
Ethernet switch | 192.168.20.x | 192.168.20.0 netmask 255.255.255.0
Network Access Controller Interface | 192.168.20.10x (e.g. range of 192.168.20.101 to 192.168.20.199) | 192.168.20.101
Network Access Controller Private Interface IP | 192.168.80.1/99 | 192.168.80.1
Network Access Controller Private Management Interface IP | 192.168.80.10x (e.g. range of 192.168.80.101 to 192.168.80.199) | 192.168.80.101
IP address categories and usage are shown in Table 4. See Figure 7 for the
network layout of this example.
Table 4 IP address categories
Address | Type | Value (Examples) | Additional Comments
NOSS Elements: | | |
Optivity Network Management System (ONMS) | Specific | 192.168.30.13 |
RADIUS Servers: Authentication Server | Specific | 192.168.30.12 |
RADIUS Servers: Accounting Server | Specific | 192.168.30.12 |
DHCP Server | Specific | 192.168.30.11 | The installation and operation of the DHCP server depend on the vendor chosen to supply the server; refer to the vendor manuals for information on the mechanisms used to configure the chosen DHCP server. For DHCP configuration information, refer to the section titled Configuring the Dynamic Host Configuration Protocol (DHCP) server and Appendix B, Sample DHCP configuration file, for complete instructions.
FTP Server | Specific | 192.168.30.13 |
SNTP Server | Specific | 192.168.30.14 |
(unlabelled) | Subnet | 192.168.50.x (24-bit netmask) |
2B | | 192.168.20.1, 192.168.20.248 |
(unlabelled) | Subnet | 192.168.40.y (e.g., range of 192.168.40.10 to 192.168.40.50) |
3B | Specific | 27.0.27.4/24 |
3C | Specific | 30.0.30.1 |
(unlabelled) | Specific | 27.0.27.1 |
The following mobile node configurations are provisioned through the DHCP
server:
address pools (i.e., the MN subnet) and a subnet mask reflecting the size of the pool
default router (the Wireless Gateway 7250 intranet IP address)
address lease time
the Default router list must contain only one entry, which must be set to the IP
address of the designated Wireless Gateway 7250 (this is the public side of
the network)
the Server Name must be set to the IP address of the FTP server
the Filename must be set to the pathname of the configuration file on the FTP
server
for downloading the configuration file to a Wireless AP 7220 (The FTP server
hosts the configuration file which is used to dynamically configure a Wireless
AP 7220 when it initializes)
for software upgrade to Wireless AP 7220 (The FTP server hosts the software
images for APs)
for software upgrade and for backup and restore operations to the Wireless
Gateway 7250
The following parameters must be configured at the FTP server (as well as at the
Wireless AP 7220):
SNTP server
The SNTP server provides the Wireless AP 7220 with the time parameters it
needs to ensure that each event logged on the Wireless AP 7220 has the proper
time-stamp information.
The recommended ARP cache size is two times the number of mobile
subscribers supported by the NAC. For example, if each NAC supports 2000
mobile subscribers, set the ARP cache size to 4000. Refer to Appendix E,
Sample NAC configuration for a sample NAC configuration.
configurable ARP entry age out time
The ARP entry age out time must be configurable to a time long enough to
sustain the duration of the mobile subscriber's connection to the Wireless
Mesh Network. Otherwise, the ARP entry will expire before the active mobile
subscribers disconnect from the Wireless Mesh Network, and the NAC may then
have to generate a broadcast proxy ARP request to resolve the IP-to-MAC
address mapping needed for IP packet forwarding.
The recommended ARP entry age out time is one and a half times the
session-idle-timeout value returned by the RADIUS server. For example, if
the session-idle-timeout value is set to 5 minutes (300 seconds), set the ARP
entry age out time to 450. Refer to Appendix E, Sample NAC configuration
for a sample NAC configuration.
For assured Wireless Mesh Network security, the NAC must support multiple
subnets over the same logical and physical interfaces. This multi-netting support
feature allows you to assign a different IP addressing plan for the mobile
subscribers and the network management and control systems. This is so that the
IP addressing space for network management and control systems is never
exposed to the mobile subscribers.
Ethernet switch
In an Inter-Wireless Gateway 7250 roaming environment, the Layer 2 Ethernet
switch connects the distributed NACs and the distributed Wireless Mesh Network
cluster (WMC). Any Ethernet switch that can provide a scalable high performance
capacity and a high density port count can be used in the Wireless Mesh Network.
All existing and new customers need to use the ONMS 10.2 code base (with the
Wireless AP 7220 and Wireless Gateway 7250 OITs and 10.2.0.3 patch) in order
to have the full and latest Wireless Mesh Network functionality available.
For complete information about ONMS, refer to the Optivity NMS 10.2
documentation suite.
Note: To add the Wireless Gateway 7250 and Wireless AP 7220 OITs in
Optivity, run the install.bat file for each OIT. Do not use the oitadmin tool to
add these OITs.
Distribution network
The Enterprise / ISP / Metro distribution network is used to carry IP traffic
between Wireless Gateway 7250s and Network Access Point routers (NAP-Rs). It
can be a Layer 3 routed domain (where IP routing decisions are made by the
distribution network), or can be a Layer 1 or Layer 2 transport domain (that is,
(virtual) point-to-point links between Wireless Gateway 7250 and Wireless AP
7220). This network can be the same network as the Enterprise / ISP Backbone
Network.
subnet addresses for mobiles for which the Wireless Gateway 7250 acts as a
home agent (these must be the same mobile node subnets configured on the
DHCP server)
security related configurations
user accounts for Wireless AP 7220s
Two groups must be configured, one for standalone Wireless AP 7220 and
one for Wireless AP 7220 @ NAP. For more information see Configuring
Wireless AP 7220 user accounts.
address pool from which to assign intranet IP addresses to the IPsec clients on
Wireless AP 7220s
the stateful firewall enables the ability to dynamically modify policies that
ensure network security (specific filters can be defined to allow certain traffic
flows)
Network specifications
The network must be configured in a mesh, with at least two transit links to each
Wireless AP 7220 to take advantage of mesh capabilities. This enables the
self-healing aspects of the network that allows rerouting around failed Wireless
AP 7220s. To maximize the performance of Wireless AP 7220 @ NAP radio links
at the Network Access Point, there should be two or more links into the NAP.
Chapter 3
Fault management
Faults in the Wireless Mesh Network
The Wireless Mesh Network issues fault events when conditions occur that affect
the network. The Nortel Optivity Network Management System (ONMS)
provides the platform for fault management of the Wireless Mesh Network. Fault
events created by components of the Wireless Mesh Network are sent as
notifications (or traps) to the ONMS database.
If the alarm condition warrants notification to ONMS, the software raises an event
to ONMS via an SNMP agent running on the Wireless AP 7220.
The Wireless AP 7220 software detects statuses and problems with
For detailed information about Wireless AP 7220 traps supported for the Wireless
Mesh Network, see Appendix H, Wireless Access Point 7220 traps.
Monitor Options, to establish how Optivity NMS will manage your fault
processes or control the level of fault monitoring within the Wireless Mesh
Network (syslog registration, ICMP polling and trap registration)
ONMS requires two Optivity Integrated Toolkit (OIT) packages to support the
Wireless Mesh Network:
OIT for Wireless AP 7220 permits ONMS to manage faults on the Wireless
AP 7220.
OIT for Wireless Gateway 7250 permits ONMS to translate fault information
for the Wireless Gateway 7250.
Note: To add the Wireless Gateway 7250 and Wireless AP 7220 OITs
in Optivity, run the install.bat file for each OIT. Do not use the oitadmin
tool to add these OITs.
For information about using ONMS tools and applications, refer to Using Optivity
NMS 10.2 Applications (207569-E).
Polling the Wireless Mesh Network by ONMS allows users to actively query
the health of any Wireless Gateway 7250 or Wireless AP 7220 by sending a
super ping message. The user can define the polling period or interval, or use
a default setting. For information about configuring the ONMS polling
interval, refer to Configuring super ping in ONMS.
For information about managing fault data with the Monitor Options application,
refer to the chapter on specifying the level of statistics gathering with Monitor
Options in Using Optivity NMS 10.2 Applications (207569-E).
Alarm filtering
Users can use Fault Summary filters to select and view a subset of all the events
contained in the ONMS database. This allows a user to collect events for:
For information about filtering alarms with the Fault Summary application, refer
to the chapter on managing events with Fault Summary in Using Optivity NMS
10.2 Applications (207569-E).
Error logging
Each Wireless AP 7220 logs all events locally (i.e., on the log subsystem of the
individual Wireless AP 7220), and may forward events to a syslog server. The
syslog server collecting Wireless AP 7220 events may be the ONMS syslog
server, or any other syslog server available to the Wireless Mesh Network.
Network managers can configure the severity of events forwarded to the syslog
server.
Users can use ONMS Fault Summary to display the syslog events in a tabular
form. Figure 6 shows an example of the Fault Summary displaying events in the
Syslog window. Users can view the details of an event by selecting and opening
the event from the table.
Users can also view all active events for any individual Wireless AP 7220. To
view all active log events for an individual Wireless AP 7220, do the following:
1. Type the following command to display the list of all active log events:
show all
For information about configuring the severity of Wireless AP 7220 events sent,
refer to Specifying the severity of Wireless AP 7220 events forwarded to
syslog. For information about enabling the Wireless AP 7220 to send log events,
refer to Enabling or disabling Wireless AP 7220 logging. For information about
specifying the syslog server to which events will be logged, refer to Specifying
the syslog server.
Alarm statistics
Alarm statistics reflect the health of the network and the individual devices at a
point in time. Alarm statistics are normally presented in the form of fault
summary reports; ONMS sorting options allow users to locate a specific fault, a
category of faults, or any individual device that is faulty.
Current Status
Fault States
Severity
Nature of the fault
Agent IP that reported the fault
Data and time that fault was reported
Number of traps consolidated into the report
Fault Summary Table - Provides a tabular view of the fault summary and
provides access to the fault shortcut menu
Fault Indicator - Provides visual indication of a new or updated fault
Starting and stopping the loading process for a complete fault report
Viewing details of a specific fault
Displaying the latest fault
Changing the status of a fault
Acknowledging a fault
The InfoCenter Alarms folder on the main pane indicates any severity of
faults in the Wireless Mesh Network and lets you identify the faulty device.
InfoCenter also allows you to launch the Fault Summary tool to get further
details about the faults. Figure 5 shows an example of an InfoCenter window
with the faulty device (Critical) identified.
The Fault Summary application provides detailed information for
investigating faults, traps, or syslog events. Figure 6 shows an example of a
Fault Summary window with fault, trap and syslog filter windows. ONMS
allows users to create custom filters that will collect faults, traps, or syslog
events for individual elements in their own Wireless Mesh Network.
For more information about using ONMS InfoCenter and Fault Summary
applications, refer to Using Optivity NMS 10.2 Applications (207569-E).
Fault correction
Faults resulting in critical alarms must be corrected immediately to maintain
functionality of the Wireless Mesh Network. Faults resulting in warning alarms
should be investigated to determine what network improvements will correct the
conditions causing the warning alarm.
Certain faults in the Wireless Mesh Network are auto-healing and do not require
attention. For more information about Wireless Mesh Network auto-healing, refer
to Network recovery / auto-healing. Repetitive recurrences of auto-healing
alarms in a particular part of the Wireless Mesh Network may indicate the need
for revised network planning, to correct the conditions causing the auto-healing.
Chapter 4
Configuration management
Configuration overview
This chapter describes the steps required to configure
For complete information about ONMS, see Installing and Administering Optivity
NMS 10.2 (part no. 205969-G).
ConfigVerify tool
The ConfigVerify tool is a Wireless Mesh Network tool used for checking the
syntax of the configuration file for Wireless AP 7220s in the network. For more
information, refer to the online help provided with the tool.
The following Wireless AP 7220 parameters are configured using the DHCP
server:
IP address
subnet mask of 255.255.255.255
designated Wireless Gateway 7250 (public IP address of the Wireless
Gateway 7250)
address lease time
FTP server IP address
Wireless AP 7220 configuration filename
Open Shortest Path First (OSPF) Area ID
The following mobile node parameters are configured using the DHCP server:
IP address
subnet mask reflecting the size of the address pool
default router (on the same subnet as the mobile node)
address lease time
You can optionally configure static IP addresses for any element in the network by
including a host declaration in the DHCP configuration file. The static IP
addresses must be outside the declared range and on the same subnet of
dynamically assigned IP addresses. To assign an IP address statically to a Wireless
AP 7220 or mobile node, create a host declaration in the DHCP configuration file
that contains each Wireless AP 7220 or mobile node Ethernet MAC address.
In some cases you may want to hide the IP address of the DHCP server from the
mobile subscribers. This is done by specifying the option dhcp-server-identifier
parameter with a dummy DHCP server IP address in the mobile node section of
the DHCP configuration file. For example,
option dhcp-server-identifier 255.255.255.255;
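The host declarations and the dhcp-server-identifier option described above, as an added example that is not part of the Solution Reference. It renders ISC dhcpd-style declarations and checks the stated rule that a static address must lie on the same subnet as the dynamic range but outside it; the subnet, range, hostnames and MAC addresses are constructed samples.

```python
"""Host declarations for statically addressed Wireless AP 7220s and mobile nodes.

Added example (not from the Solution Reference): it renders ISC dhcpd-style
host declarations and checks the rule stated above, that a static address
must be on the same subnet as the dynamic range but outside that range.
The subnet, range, MAC addresses and hostnames are constructed samples.
"""
import ipaddress

# Constructed sample: subnet and the dynamically assigned range declared on it.
SUBNET = ipaddress.ip_network("192.168.30.0/24")
RANGE_START = ipaddress.ip_address("192.168.30.100")
RANGE_END = ipaddress.ip_address("192.168.30.200")

# Constructed sample hosts: name -> (Ethernet MAC address, requested static IP).
HOSTS = {
    "ap7220-01": ("00:11:22:33:44:01", "192.168.30.10"),
    "ap7220-02": ("00:11:22:33:44:02", "192.168.30.150"),  # inside the range
    "mn-kiosk": ("00:11:22:33:44:03", "192.168.31.5"),     # wrong subnet
}


def static_ok(addr_text, subnet=SUBNET, start=RANGE_START, end=RANGE_END):
    """Return (True, 'ok') or (False, reason) for a proposed static address."""
    addr = ipaddress.ip_address(addr_text)
    if addr not in subnet:
        return False, "not on the subnet of the dynamic range"
    if start <= addr <= end:
        return False, "inside the dynamically assigned range"
    return True, "ok"


def host_declaration(name, mac, addr_text):
    """One host declaration keyed by the element's Ethernet MAC address."""
    ok, reason = static_ok(addr_text)
    if not ok:
        raise ValueError(f"{name}: {addr_text} {reason}")
    return (f"host {name} {{\n"
            f"    hardware ethernet {mac};\n"
            f"    fixed-address {addr_text};\n"
            f"}}")


def mobile_node_subnet(router="192.168.30.1", lease=3600, hide_server=True):
    """Mobile node section; hide_server adds the dummy server identifier."""
    lines = [
        f"subnet {SUBNET.network_address} netmask {SUBNET.netmask} {{",
        f"    range {RANGE_START} {RANGE_END};",
        f"    option routers {router};",
        f"    default-lease-time {lease};",
    ]
    if hide_server:
        # Dummy identifier so mobile subscribers do not learn the real server.
        lines.append("    option dhcp-server-identifier 255.255.255.255;")
    lines.append("}")
    return "\n".join(lines)


def render(hosts=HOSTS):
    """Render all acceptable host declarations; collect the rejected ones."""
    accepted, rejected = [], {}
    for name, (mac, addr) in hosts.items():
        try:
            accepted.append(host_declaration(name, mac, addr))
        except ValueError as exc:
            rejected[name] = str(exc)
    return "\n".join(accepted), rejected


if __name__ == "__main__":
    text, bad = render()
    print(mobile_node_subnet())
    print(text)
    for why in bad.values():
        print(f"# rejected: {why}")
```

Rejected entries are reported rather than silently written, because a static address that overlaps the dynamic range produces duplicate-address faults that surface only after the lease pool fills.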
Called-Station-ID
This parameter is passed by the Wireless AP 7220 into the Access-Request
message. It is used as an additional authentication attribute along with the
username and password stored in the authentication database.
OPEN:<AL_SSID> for non-RSNA mobiles
RSNA:<AL_SSID> for RSNA mobiles
Tunnel-Private-Group-ID
This parameter is returned by the RADIUS server in Access-Accept
messages. This parameter must match the Tunnel-ID in the FTP configuration
file.
<Tunnel-ID>
Calling-station-ID (optional)
This parameter is set to the MAC address of the mobile node which is inserted
by the Wireless AP 7220 to which the mobile node is associated. This value
must not include colons. This parameter can be used as an additional
authentication parameter if configured on the RADIUS server.
<mobile_node_MAC_address>
To configure the Wireless AP 7220s on the RADIUS server, create an account for
each Wireless AP 7220 in your network. The username is the serial number of the
Wireless AP 7220; the password is the output of the KeyGen tool that maps to the
username. Refer to Appendix A, KeyGen tool for more information.
The default RADIUS NAS client password must be configured on the RADIUS
server. The default value is SB7nh6dg5t. If you want to change this password, you
must first configure the new password on the Wireless AP 7220 and then on the
RADIUS server.
The user account containing the username and password for file/image access
must be configured at the FTP server and the Wireless AP 7220.
Refer to ConfigVerify tool for information about verifying the syntax of your
configuration using the ConfigVerify tool.
Refer to Appendix F, Sample FTP configuration file for an example of an FTP
configuration file.
Enter the correct parameters for your Wireless Mesh Network and press Enter
after each entry. Enter -1 to keep the current parameter setting. For example
MAX_RETRIES : -1
MGMT_MAX_RETRIES : -1
SLOT_WIDTH : 100
MAX_PINGS : 5
MAX_TIMEOUT : -1
On the NAC, you must configure the web portal URL to redirect the mobile node
session for authentication. It must be able to block all mobile traffic until the
mobile subscriber is authenticated.
For mobile nodes that are not served by the NAC, you can configure static routes
to forward mobile traffic to the appropriate northbound router.
Refer to Appendix E, Sample NAC configuration for an example of a NAC
configuration.
security-related configurations
user account for the Wireless AP 7220
address pool from which to assign IP addresses to the IPsec clients on
Wireless AP 7220s
firewall configurations
specific filters to allow certain traffic flow
NOSS configurations
default routes for reachability to the Wireless AP 7220s
Note: Nortel recommends locating the NOSS servers on the same
subnet as the private interface of the Wireless Gateway 7250.
9600 baud
8 data bits
1 stop bit
No parity
In the Main Menu, enter 1 and press Enter to enter the Interface menu:
Interface Menu
0) Slot 0, Port 1, Private LAN
Management IP Address = 192.168.20.248
Subnet Mask = 255.255.255.0
Interface IP Address = 192.168.20.1
(Subnet Mask = 255.255.255.0)
Speed/Duplex = AutoNegotiate
1) Slot 1, Port 1, Public LAN
IP Address = 30.0.30.1
Subnet Mask = 255.255.255.0
Speed/Duplex = AutoNegotiate
R) Return to the Main Menu.
Please select a menu choice:
Following the example in Figure 7, you should now be able to ping the
management address 192.168.20.248 from a PC with a LAN connection to the
private LAN and an IP address assigned to it in the 192.168.20.0/24 subnet.
Log on to the Wireless Gateway 7250. The default user is admin and the
default password is setup.
Ensure the Admin State is set to enable and the Cost is set to 10.
Enter the IP address for the network element in the Gateway Address text box.
(For example, 192.168.30.13)
Click OK.
To configure a default route to the closest router attached in the public LAN
network
1 Ensure the Admin State is set to enable and the Cost is set to 10.
Click OK.
In the Main Menu, enter 3 to access the Default Private Route Menu.
Set the cost appropriate for your network layout. For example, 10.
To configure a default route to the closest router attached in the public LAN
network
1 In the Main Menu, enter 4 and press Enter to access the Default Public Route
Menu.
Set the cost appropriate for your network layout. For example, 10.
Enabling services
There are three services you can enable:
FTP
Telnet
Simple/Secure Network Management Protocol (SNMP)
Click OK.
Log onto the Wireless Gateway 7250 using the Telnet service. The default
user is admin. The default password is setup.
To use the CLI set or show commands, you must be in privileged mode. To
change to privileged mode, enter enable.
The prompt on the screen changes from CES> (unprivileged mode) to CES#
(privileged mode).
Enter the parent path in the Path text box. For example, if the location of the
software is C:\PG\W01_00.006, enter C:\PG.
Enter the FTP server username in the User ID text box. For example, pg.
Enter the FTP server password in the Password text box. For example, warp.
10 Click Retrieve.
11 The Retrieval screen is displayed.
Figure 14 Upgrade Retrieval screen
Ensure that the Firewall radio button and the Stateful Firewall checkbox are
selected.
Select ADMIN / Shutdown to restart the Wireless Gateway 7250 for the
changes to take effect.
Click OK.
Creating filters
To configure the Stateful Firewall you first need to create the filters.
Filter 1
The first filter allows mobile IP signalling traffic to reach the home agent in the
Wireless Gateway 7250.
Click New.
Click OK.
10 Right-click the # (pound sign) box and select Add / New Rule to create a new
filter.
11 Right-click the Src interface box and select Untrusted.
12 Set the Dst interface, Source, and Destination boxes to Any.
13 Right-click the Service box and select Add to add a new service for Mobile IP
traffic.
14 Click New in the Service Object Selection screen to create a new policy
object.
15 Select UDP from the Category drop-down menu in the Service Object Type
Selection screen.
16 Click OK.
17 Enter MIP in the Service Name box in the UDP object insert screen.
18 Enter 434 in the Port box.
19 Enter Mobile IP Traffic in the Remark box.
20 Click OK.
21 Select UDP MIP from the Service Object Selection screen list.
22 Click OK.
Filter 2
The second filter allows traffic from the private LAN network to pass through the
Wireless Gateway 7250 to the public LAN network:
1 Right-click the # (pound sign) box and select Add / New Rule to create a new
filter.
Filter 3
The third filter allows traffic inside an IPsec tunnel to reach any destination both
on the private LAN and back out on the public LAN:
1 Right-click the # (pound sign) box and select Add / New Rule to create a new
filter.
Filter 4
The fourth filter allows packet steering traffic inside an IPsec tunnel to reach any
destination both on the private LAN and back out on the public LAN. Packet
steering is only applicable to the set of designated mobile node address pools that
have been defined with a leading asterisk (*). If the Source IP address is within
the range of the address pool, the packet is forwarded to the specified captive
portal. Otherwise, the packet steering rule is skipped and the firewall continues to
the next rule.
One or more packet steering rules must be defined for each captive portal. Use
multiple rules if the captive portal is responsible for non-contiguous mobile node
IP addresses.
Right-click the # (pound sign) box and select Add / New Rule to create a new
filter.
Right-click the Source box to define the IP address range for the set of mobile
nodes and click Add.
On the Network Object Type screen, click the IP_range icon and click OK.
On the ip_range object insert screen, enter an IP range name for that set of
mobile nodes. For example, MNPOOL1.
Enter a description for the set of mobile nodes in the Remark box. For
example, Mobility1.
11 Click OK.
12 Select the mobile node pool (for example, MNPOOL1) and click OK.
13 Right-click the Destination box and click Add.
14 On the Network Object Selection screen, click New.
15 On the Network Object Type screen, click the Host icon and click OK.
16 On the host object screen, enter the captive portal name in the Host Name
box. For example, CP1.
17 Enter the IP address for the captive portal in the IP Address box.
18 Enter a description for the captive portal in the Remark box. For example,
CaptivePortal 1.
19 Click OK.
20 Right-click the Service box and select any.
21 Right-click the Action box and select Accept.
22 Repeat steps 2 through 21 until all the mobile node address pools have been
defined.
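The packet steering behaviour of Filter 4, as an added example that is not the Wireless Gateway 7250's firewall code. It models the stated semantics: only CAR pools whose name starts with an asterisk take part in steering, a packet whose source address lies in such a pool is forwarded to that pool's captive portal, and otherwise the rule is skipped and evaluation continues. Pool names, address ranges and portal addresses are constructed samples.

```python
"""Packet steering rule evaluation for the captive portal filter described above.

Added example, not the Wireless Gateway 7250's firewall code. Only CAR pools
whose name starts with '*' take part in packet steering; a packet whose
source address lies in such a pool is forwarded to that pool's captive
portal, otherwise the steering rule is skipped and evaluation moves on to
the next rule. Pool names, ranges and portal addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SteeringRule:
    pool_name: str        # CAR pool name; a leading '*' enables steering
    first: str            # first address of the ip_range object
    last: str             # last address of the ip_range object
    captive_portal: str   # address of the host object the pool is steered to

    @property
    def steerable(self):
        return self.pool_name.startswith("*")

    def matches(self, src_text):
        src = ipaddress.ip_address(src_text)
        return (ipaddress.ip_address(self.first) <= src
                <= ipaddress.ip_address(self.last))


# Constructed rule set. Two rules share the same portal because that pool
# covers non-contiguous mobile node addresses; MNPOOL2 has no leading '*'.
RULES = [
    SteeringRule("*MNPOOL1", "10.10.1.1", "10.10.1.254", "192.168.20.50"),
    SteeringRule("*MNPOOL1", "10.10.5.1", "10.10.5.254", "192.168.20.50"),
    SteeringRule("MNPOOL2", "10.10.2.1", "10.10.2.254", "192.168.20.51"),
]


def steer(src_text, rules=RULES):
    """Return the captive portal for src, or None if no steering rule matched."""
    for rule in rules:
        if not rule.steerable:
            continue            # steering is not applicable to this pool
        if rule.matches(src_text):
            return rule.captive_portal
        # no match: skip this rule and continue with the next one
    return None


def unsteered_pools(rules=RULES):
    """Pools that are never steered; handy when checking a NAC deployment."""
    return sorted({r.pool_name for r in rules if not r.steerable})


if __name__ == "__main__":
    for src in ("10.10.1.7", "10.10.5.200", "10.10.2.3", "10.10.9.1"):
        print(src, "->", steer(src))
    print("not steered:", unsteered_pools())
```

A mobile node in a pool without the leading asterisk is never redirected to the portal, which is the intended way to disable steering but also the first thing to check when subscribers reach the network without authenticating.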
Select the policy you created from the Policy drop down menu. For example,
WMN1.
For Inter-Wireless Gateway 7250 roaming, ensure the Enable Gratuitous ARP
checkbox is selected.
Click OK.
Select ADMIN / LICENSE KEYS to install the advanced routing license key.
Click OK.
Select ROUTING / OSPF to configure the global OSPF parameters for the
entire Wireless Gateway 7250.
CAR pools must be defined for all mobile nodes. In the case of Inter-Wireless
Gateway 7250 roaming, the mobile node maintains the same IP address as it
roams from one Wireless Gateway 7250 to another until its DHCP lease timer
expires. To support this functionality, all the Wireless Gateway 7250s in the
network must be configured with the same CAR pools for the mobile nodes. If a
CAR pool is modified on one Wireless Gateway 7250, it must be modified on
each Wireless Gateway 7250 in the Wireless Mesh Network.
To configure CAR pools
1 Create one or more mobile node pool subnets. The mobile node CAR pool
should not be mapped to any group configuration since all mobile node
address assignments are provided by the external DHCP server in the NOSS.
Enter the CAR pool name. For a Wireless Mesh Network architecture that
requires a NAC, the CAR pool name for all mobile node pool subnets must
start with an asterisk (*). It is this notation that determines whether packet
steering is applicable to that CAR pool.
Note: To disable packet steering towards a NAC, define all mobile node
CAR pools with a name that does not contain a leading asterisk (*).
Configure the IPsec encryption settings for the connection. Click the
appropriate check box to either enable or disable the supported encryption
methods for this group. The encryption methods are shown in order of
strength, from strongest to weakest.
Note: Using higher-level encryption, such as Triple DES, decreases
performance.
Configure the IPsec IKE encryption and Diffie-Hellman Group settings for
the connection. If you select both 56-bit DES with Group 1 and Triple DES
with Group 2 option, you can edit this field when configuring group IPsec
parameters.
You now must define an address pool to allow the Wireless AP 7220s to set up
IPsec tunnels to the Wireless Gateway 7250.
Note: If your configuration allows the Wireless Gateway 7250 to
communicate directly to the inner address of the Wireless AP 7220, you
must first configure the CAR pool. Refer to Configuring client address
redistribution (CAR) pools for complete instructions.
1 Click Add.
Click OK.
Next, configure a group profile for all the Wireless AP 7220s. Separate groups
must be created for Wireless AP 7220 @ NAPs and Wireless AP 7220s.
1 Click Add.
Click OK.
Click OK.
Note: You can map all the Wireless AP 7220s to the /Base group.
However, it is recommended that you create a subgroup which has all the
default group configurations. In this case, individual changes are only
applied to the new group.
Click OK.
11 Select the new Wireless AP 7220 address pool from the drop down menu. The
Address Pool Name parameter must be consistent with the New address pool
name identified on the Wireless AP 7220 configuration (refer to Figure 40).
12 Click OK to activate the changes.
Modify the IPsec parameters for ESP, AH, and IKE to match the required settings
for the Wireless AP 7220:
Note: Keep the parameters at their default settings except for those
indicated in the following procedure.
Figure 49 Group IPsec parameters
In the Database Authentication (LDAP) section, ensure the User Name and
Password boxes are checked.
Click the Group drop-down list box and select the appropriate group.
Click either Add User button to add a new Wireless AP 7220 account.
Enter the username in the IPsec area. This username is the serial number of
the Wireless AP 7220.
Enter the password. This password is the output generated by the KeyGen
tool. Refer to Appendix A, KeyGen tool for more information about the
KeyGen tool.
Note: After entering the username and password, the Wireless Gateway
7250 converts all letters to lowercase. The KeyGen tool is case-sensitive
and therefore produces two different passwords based on upper and
lowercase letters. Always use the password that is generated from the
Wireless AP 7220 serial number exactly as it appears on the Wireless AP
7220.
7 Click OK.
Enter the serial number of the Wireless AP 7220 in the Name text box.
Select the group to which this Wireless AP 7220 belongs from the Group
drop-down list box.
Enter the static IP address and static subnet mask in the Remote User text
boxes.
Note: The static IP address and static subnet mask must previously be
configured. Refer to Configuring IPsec parameters.
Click OK.
Note: If the Wireless AP 7220 reboots for any reason, the Wireless
Gateway 7250 may not release the tunnel IP until the timeout has
expired. The default timeout on the Wireless AP 7220 @ NAPs is
00:00:30 and 00:08:00 for the Wireless AP 7220s. In this case, the
Wireless AP 7220 tries to re-establish a connection but will be unable
until the idle timeout on the Wireless Gateway 7250 expires.
Creating classifiers
To create the classifier
1 Enter a classifier name for the inbound packets on the private interface of the
network. (For example, PRIVATE-INGRESS.)
Click Create.
Enter a classifier name for the outbound packets on the public interface of the
network. (For example, PUBLIC-EGRESS.)
Click Create.
Select the classifier you previously created for the private interface from the
list box. For example, PRIVATE-INGRESS.
Click Create.
Enter the name of the rule in the Rule Name text box.
Click Modify for the TCP/UDP Source Port and TCP/UDP Destination Port.
Click Create.
Enter the name of the port in the Port Name text box. For example, to create a
rule for the RADIUS Authentication server, enter RADIUS1.
10 Enter the port number in the Port Number text box. For example, 1812.
11 Click OK.
12 Click Close on the Classifiers Rule Port screen.
13 Select the port name and number previously created from the drop-down list
box. (For example, RADIUS,1812.)
14 Ensure the Assured Forwarding 4 (AF4) radio button is selected.
15 Click OK.
16 Repeat these steps for each element in the network on the private interface.
Use Table 5 as an example:
Table 5 Private ingress classifier rules port information

Type | Classifier Rule Name | Source Address (default) | Destination Address (default) | Protocol | TCP/UDP Source Port | TCP/UDP Destination Port | Current DSCP | DiffServ Marking
RADIUS authentication | WMN-RADIUS1 | any,0.0.0.0,255.255.255.255 | any,0.0.0.0,255.255.255.255 | UDP | any,0 | RADIUS1,1812 | any | assured forwarding
RADIUS accounting | WMN-RADIUS2 | any,0.0.0.0,255.255.255.255 | any,0.0.0.0,255.255.255.255 | UDP | any,0 | RADIUS2,1813 | any | assured forwarding
SNTP | WMN-SNTP | any,0.0.0.0,255.255.255.255 | any,0.0.0.0,255.255.255.255 | UDP | SNTP,123 | any,0 | any | assured forwarding
SNMP | WMN-SNMP | any,0.0.0.0,255.255.255.255 | any,0.0.0.0,255.255.255.255 | UDP | any,0 | SNMP,161 | any | assured forwarding
DHCP | WMN-DHCP | any,0.0.0.0,255.255.255.255 | any,0.0.0.0,255.255.255.255 | UDP | any,0 | DHCP,68 | any | assured forwarding
17 Repeat the same steps for the outbound packets on the public interface of the
network selecting the appropriate classifier in step 2. For example,
PUBLIC-EGRESS.
18 Repeat these steps for each element in the network on the public interface.
Use Table 6 as an example:
Table 6 Public egress classifier rules port information

Type | Classifier Rule Name | Source Address (default) | Destination Address (default) | Protocol | TCP/UDP Source Port | TCP/UDP Destination Port | Current DSCP | DiffServ Marking
Foreign Agent/Home Agent | FAHA | any,0.0.0.0,255.255.255.255 | any,0.0.0.0,255.255.255.255 | UDP | any,0 | FAHA,434 | any | assured forwarding
IKE | IKE | any,0.0.0.0,255.255.255.255 | any,0.0.0.0,255.255.255.255 | UDP | IKE,500 | IKE,500 | any | assured forwarding
Select PRIVATE-INGRESS.
Click Edit.
Click OK.
Click the arrow button to move the rule to the Rules in Classifier list box.
Repeat step 6 for each rule. Refer to Table 5 for a list of the Private Ingress
classifier rules.
Select LAN from the Current Interface drop-down list box to associate the
classifier to the private interface of the Wireless Gateway 7250.
Click Update.
Click OK.
Select Slot 1 Interface 1 from the Current Interface drop-down list box to
associate the classifiers to the public interface of the Wireless Gateway 7250.
Enter the Telnet IP address (192.168.10.2) and press Enter to start a Telnet
session.
Enter set ip <IP_address> and press Enter to set the static IP address. For
example, 27.0.27.4.
Enter set netmask <netmask> and press Enter to set the netmask to full
class-C subnet. For example, 255.255.255.0.
Enter set areaid <OSPF_areaID> and press Enter to set the OSPF Area ID.
For example, 10.0.0.0.
FTP server
DHCP server
RADIUS server
ONMS
Wireless Gateway 7250
The following steps show the high-level sequence required for Wireless AP 7220
initialization in the Wireless Mesh Network:
1 Wireless AP 7220 powers up and loads the software from flash memory.
The Wireless AP 7220 requests an IPsec tunnel from the Wireless Gateway
7250. Refer to Configuring the Wireless Gateway 7250 for Wireless
Gateway 7250 configuration information.
These default settings can be modified for security reasons or for conformance to
local policies and configurations.
To perform a pre-deployment configuration, the Wireless AP 7220 must have a
wired 10/100 BaseT Ethernet connection to a computer. A connection between the
Wireless AP 7220 and the Ethernet hub is made using an RJ45 connector in the
base of the Wireless AP 7220. An FTP server must be configured at the computer.
If a hub is not used, a cross-over CAT5 cable is required.
Note: Ensure your computer is configured to Ethernet IP address
192.168.10.1 subnet mask 255.255.255.0. The default IP address for the
Wireless AP 7220 is 192.168.10.2.
Figure 65 Pre-deployment configuration
The Wireless AP 7220 is initialized by loading the software image from flash
memory. After initialization
username
password
FTP server address for the configuration file
common Wireless AP 7220 password
Refer to Command line interface (CLI) option for more information about the
CLI.
nortelWarp
nortelWarp
After initialization has completed, use the CLI or ONMS to modify the Wireless
AP 7220 as required.
vxWorks-wdb
tl
testing
After the Wireless AP 7220 has successfully downloaded the file (for
example, vxWorks-wdb), immediately remove the Ethernet cable to allow the
Wireless AP 7220 to initialize as a stand-alone Wireless AP 7220.
Enter the Telnet IP address and press Enter to start a Telnet session.
Enter set image <filename.bin> and press Enter at the swdld prompt.
10 Enter set versioncheck <on> or <off> and press Enter. (The default is on.)
11 Enter start and press Enter.
12 A message appears when the software has been successfully downloaded.
Enter set server <IP address> and press Enter to set the IP address of the FTP
server.
Enter set file <filename> and press Enter to set the name of the configuration
file.
Enter set user <username> and press Enter to set the new username.
Enter set passwd <password> and press Enter to set the new password.
You can enter show at anytime to display the ConfigMgr parameters. Enter del all
to delete all configurable parameters.
Enter set server <IP address> and press Enter to set the IP address of the FTP
server where the new software is stored.
Enter set image <image name> and press Enter to set the name of the new
software image.
Enter set user <username> and press Enter to set the username.
Enter set passwd <password> and press Enter to set the password.
Enter set versioncheck <on> or <off> and press Enter to set the version
check during the software upgrade. (The default is on.)
Enter status and press Enter to check the status of the download.
10 After the software upgrade has completed, enter exit and press Enter to exit
the software upgrade configuration.
Enter show and press Enter to display the current and standby software image
information.
Enter toggle and press Enter to automatically switch between the two
software images. (That is, the current software image becomes the standby
and the standby software image becomes the current image.)
Enter show and press Enter to display the current user class information.
Enter set location <empty> and press Enter to set the physical location of the
Wireless AP 7220.
Enter set name <name> and press Enter to set the name of this particular
Wireless AP 7220.
Enter set contact <contact name> and press Enter to set a contact person for
this particular Wireless AP 7220.
Enter exit and press Enter to exit the Wireless AP 7220 configuration.
Enter save and press Enter to save the new access link parameters. If you omit
this step, the modified access link parameters are not saved in the
configuration file.
Enter exit and press Enter to exit the access link configuration.
The new parameter values take effect only after a save command is executed.
reset power resets the transit link power level with the default value
(The default is 1.)
reset country resets the transit link country code with the default
value (The default is US-UNITED_STATES.)
set channels <tl_channel_list> sets the transit link channel list. This
list can be used to find all neighboring Wireless AP 7220s.
set antports <tl_antenna_port_list> sets the antenna port list. This list
is used by the link-discovery task to detect all neighboring Wireless
AP 7220s.
set auxantdiv <diversity_value> sets the auxiliary antenna diversity to
a specified value. The value can be one of the following:
0 diversity enabled (default)
1 use Aux1 for transmit and receive
2 use Aux2 for transmit and receive
Enter save and press Enter to save the new transit link parameters. If you omit
this step, the modified transit link parameters are not saved in the
configuration file.
Enter exit and press Enter to exit the transit link configuration.
For reset power and set power, the new parameter values take effect only after a
save command is executed. For all parameters except reset power and set power,
you must restart the Wireless AP 7220 for the new parameter values to take effect.
specify the level of events forwarded by each Wireless AP 7220 to the syslog
server
enable or disable the Wireless AP 7220 to send events to a Wireless Mesh
Network syslog server (using either ONMS or by CLI command)
specify the syslog server to which events are sent
set commands
show commands
Enter log and press Enter to change to the log configuration mode.
Enter set sevfilter {HIGH | MEDIUM | LOW} and press Enter to set the
severity of log events.
Note: HIGH forwards only high severity events. MEDIUM forwards
high and medium severity events. LOW forwards all events.
Click OK.
Enter syslog and press Enter to change to the syslog configuration mode.
Enter enable and press Enter to enable logging. Otherwise, enter disable and
press Enter to disable logging.
Enter syslog and press Enter to change to the syslog configuration mode.
Optionally, you can manually upgrade the Wireless AP 7220 software. Refer to
Manually upgrading the Wireless AP 7220 software for more information.
Before starting the software upgrade, the following conditions must exist:
Enter show and press Enter to verify the primary and secondary loads are
stored in flash memory.
Log onto the Wireless AP 7220 using the Telnet service. The default user is
admin. The default password is admin.
At the imageinfo# prompt, enter show and press Enter to verify the new
software load is in secondary flash memory.
Enter toggle and press Enter to switch to the new software load.
Enter show and press Enter to verify the new software load is stored as
primary in flash memory.
Log onto the Wireless AP 7220 using the Telnet service. The default user is
admin. The default password is admin.
ensures the new Wireless AP 7220 software load is stored in secondary flash
memory
prevents automatic Wireless AP 7220 reboot
sets the manual reboot delay timer
issues a manual reboot command to all the Wireless AP 7220s to initialize the
new software load
Note: The manual reboot must always be started from the Wireless AP
7220 farthest in its topological position from the Wireless Access Point
7220 @ NAP.
Click OK.
In the ExpandedView window for the Wireless AP 7220, right click on the
Wireless AP 7220.
Select Software Download / Image Profile to verify the software load version.
Select Software Download / Toggle Image and confirm your choice to switch
to the new software load.
You can determine whether or not to allow an older version of the software
load to be downloaded. To allow an older version of the software to be
downloaded, set the version check to off by selecting Software Download /
Disable Version Check. Otherwise, set the version check to on by selecting
Software Download / Enable Version Check.
Log onto each Wireless AP 7220 individually using the Telnet service. The
default user is admin. The default password is admin.
Each Wireless AP 7220 schedules the reboot to be performed after the specified
delay time and returns a message that the reboot command has been received and
the delayed reboot has been initiated. If no message is received, the reboot
command is reissued until a response is received; if there is still no
response, the Wireless AP 7220 is deemed faulty.
Log onto the Wireless AP 7220 using the Telnet service. The default user is
admin. The default password is admin.
At the imageinfo# prompt, enter show and press Enter to verify the new
software load is in secondary flash memory.
Enter toggle and press Enter to switch to the new software load.
Enter show and press Enter to verify the new software load is stored as
primary in flash memory.
Log onto the Wireless AP 7220 using the Telnet service. The default user is
admin. The default password is admin.
Note: If you change the transit link authentication password, you must
update the accounts for the Wireless AP 7220 that reference this
password. (That is, the Wireless Gateway 7250 IPsec user account,
primary and secondary RADIUS server accounts.) Use the KeyGen tool
as described in Appendix A, KeyGen tool. The KeyGen tool uses the
new transit link authentication password to generate the KeyGen output.
To set the Wireless AP 7220 common password
Enter exit and press Enter to exit the RADIUS server shared secret
configuration.
Note: If you change the RADIUS server shared secret, remember to also
update the RAS client to reflect the new RADIUS shared secrets for
authentication and accounting. Otherwise, when the Wireless AP 7220
reboots, it may not authenticate the neighboring Wireless AP 7220s or
mobile nodes and may not direct accounting information.
set userclass <userclass> sets the DHCP user class option for the
DHCP client
del deletes the DHCP user class
show displays the current DHCP user class configuration
Enter exit and press Enter to exit the DHCP user class configuration.
Chapter 5
Accounting
Overview
The Wireless Access Point 7220 operates as a client of the RADIUS accounting
server. The Wireless AP 7220 is responsible for passing mobile node accounting
information to a designated RADIUS accounting server. The RADIUS accounting
server is responsible for receiving the accounting request and returning an
acknowledgment to the Wireless AP 7220.
In a basic Wireless Mesh Network environment, two types of mobile nodes can be
set in the RADIUS server. Robust Security Network Association (RSNA) mobile
nodes are tracked by the user name on the RADIUS server. Non-RSNA mobile
nodes (legacy devices) are all tracked under one user name (unknown).
Note: This chapter does not apply to a Wireless Mesh Network that
uses captive portal-based accounting or that supports Inter-Wireless
Gateway 7250 roaming accounting.
In a basic Wireless Mesh Network environment, you can customize your existing
billing systems to leverage the accounting messages provided by the Wireless
Mesh Network.
The Wireless AP 7220 communicates with the RADIUS server through the IPsec
tunnel established through the Wireless Gateway 7250 that is identified during
Wireless AP 7220 initialization and configuration. The Wireless Gateway 7250
forwards the accounting information messages to and from the Wireless AP 7220
and RADIUS servers but doesn't retain or process any accounting information.
The following configurations are supported:
The accounting messages carry the RADIUS attributes listed below. The table
gives, for each attribute, a description and whether it appears in the On,
Start, and Stop accounting messages (attribute number in parentheses where
given):

User-Name
NAS-IP-Address
NAS-Port
Framed-IP-Address
Called-Station-ID (30)
Calling-Station-ID (31)
Acct-Status-Type (40)
Acct-Delay-Time (41)
Acct-Session-ID (44)
Acct-Authentic (45)
Acct-Terminate-Cause (49)
50
NAS-Port-Type (61)
Time-based accounting
Time-based accounting is based on the session duration of each user. It uses the
MSID generated for that user after authentication. When the MSID is generated, a
start message is sent to the RADIUS server. A stop message is sent when the user
session is terminated. The RADIUS server timestamps these start and stop
messages locally. Time-based accounting is achieved by calculating the delta
between the timestamp at the start of the session with the timestamp assigned to
the stop message to determine the complete session length.
Since the MSID is used for an entire session, a mobile node can move easily
between one Wireless AP 7220 and another while maintaining accounting
information for the mobile user.
There can be multiple start and stop messages. Only the first start and last stop
message that have the same MSID should be used to calculate the session time.
The Acct-Delay-Time attribute in the start and stop messages should be taken into
account when calculating the session time.
Idle timeouts
An idle timeout interval is the number of seconds a mobile node can be idle before
the Wireless AP 7220 terminates the user session. The idle timeout interval is set
on the RADIUS server for each user. When a session is terminated due to an idle
timeout, the accounting stop message indicates the idle timeout in the
Acct-Terminate-Cause attribute. For time-based accounting, the idle timeout
interval value is subtracted from the session time if the session was terminated due
to an idle timeout.
When a user roams from one Wireless AP 7220 to another within the same
session, an accounting stop message is sent from the Wireless AP 7220 to the
RADIUS server after the specified idle time has been reached on the previous
Wireless AP 7220 or when the IPsec tunnel is manually torn down on the Wireless
Gateway 7250.
Network failure
Four types of network failures that would affect accounting can occur:
An accounting stop message is not sent if a Wireless AP 7220 fails. The network
operator must track the Wireless AP 7220 failure times to determine the
approximate termination time for each session.
A Wireless AP 7220 failure does not affect time-based accounting if the mobile
node is picked up by another Wireless AP 7220. In this case, the mobile node is
treated the same way as if it were roaming. If the mobile node does not connect to
another Wireless AP 7220 in the same network, the session remains tracked by the
Wireless Gateway 7250. The next time the mobile node authenticates, the
Wireless Gateway 7250 uses the same MSID.
A Wireless Gateway 7250 failure causes all user sessions to be terminated. No
stop messages can be sent to the RADIUS server. However, since all accounting
information is logged on the RADIUS server, all previous accounting information
is retained. The network operator must track all Wireless Gateway 7250 failure
times to determine the approximate termination time for each session.
A RADIUS server failure causes subsequent accounting messages to be lost.
There is no queuing on the Wireless AP 7220. To prevent losing the accounting
information, it is recommended that you configure a backup RADIUS server in
your network. Refer to Configuring the RADIUS server for more information.
The Wireless AP 7220 sends an Accounting-On message to the RADIUS server
when the Wireless Gateway 7250 recovers.
An IPsec tunnel teardown on the Wireless AP 7220 causes all existing sessions to
be terminated. In this case the Wireless AP 7220 reboots.
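The session-time rules from the Time-based accounting, Idle timeouts, and Network failure sections, worked through as an added example (this is not code from the Nortel document or the Wireless AP 7220). It assumes the MSID is carried in Acct-Session-ID, that the RADIUS server stores its local receive time in a "received" field (seconds), that per-user idle timeouts are keyed by User-Name, and that the operator keeps a table of Wireless AP 7220 failure times keyed by NAS-IP-Address. The sample records are constructed.

```python
"""Time-based accounting from RADIUS Start/Stop records (added example).

Rules applied, as the chapter states them:
 - use the first Start and the last Stop that carry the same MSID;
 - correct each timestamp by Acct-Delay-Time;
 - subtract the user's idle timeout when the last Stop reports
   Acct-Terminate-Cause Idle-Timeout;
 - a session with no Stop (AP or gateway failure) is approximated from the
   operator's recorded failure time of the AP that sent the Start.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample records (not from the document). Session msid-1 roams
# from AP 10.0.0.5 to AP 10.0.0.6 and ends by idle timeout; session msid-2
# never gets a Stop because AP 10.0.0.5 failed at t=1800.
SAMPLE_RECORDS = [
    {"Acct-Status-Type": "Start", "Acct-Session-ID": "msid-1", "User-Name": "alice",
     "NAS-IP-Address": "10.0.0.5", "received": 1000, "Acct-Delay-Time": 0},
    {"Acct-Status-Type": "Start", "Acct-Session-ID": "msid-1", "User-Name": "alice",
     "NAS-IP-Address": "10.0.0.6", "received": 1250, "Acct-Delay-Time": 0},
    {"Acct-Status-Type": "Stop", "Acct-Session-ID": "msid-1", "User-Name": "alice",
     "NAS-IP-Address": "10.0.0.5", "received": 1300, "Acct-Delay-Time": 5,
     "Acct-Terminate-Cause": "Lost-Carrier"},
    {"Acct-Status-Type": "Stop", "Acct-Session-ID": "msid-1", "User-Name": "alice",
     "NAS-IP-Address": "10.0.0.6", "received": 2010, "Acct-Delay-Time": 10,
     "Acct-Terminate-Cause": "Idle-Timeout"},
    {"Acct-Status-Type": "Start", "Acct-Session-ID": "msid-2", "User-Name": "bob",
     "NAS-IP-Address": "10.0.0.5", "received": 1500, "Acct-Delay-Time": 0},
]
SAMPLE_IDLE_TIMEOUTS = {"alice": 120, "bob": 120}   # seconds, per user (assumed keying)
SAMPLE_AP_FAILURES = {"10.0.0.5": 1800}             # operator-recorded AP failure times


@dataclass
class SessionTime:
    seconds: int
    approximate: bool   # True when the end came from an AP failure time, not a Stop


def corrected_time(rec):
    """Server receive time minus Acct-Delay-Time gives when the event happened."""
    return rec["received"] - rec.get("Acct-Delay-Time", 0)


def session_times(records, idle_timeouts, ap_failure_times):
    """Return {session_id: SessionTime} for every session that can be closed."""
    by_session = defaultdict(list)
    for rec in records:
        by_session[rec["Acct-Session-ID"]].append(rec)

    result = {}
    for sid, recs in by_session.items():
        starts = [r for r in recs if r["Acct-Status-Type"] == "Start"]
        stops = [r for r in recs if r["Acct-Status-Type"] == "Stop"]
        if not starts:
            continue                      # Stop without Start: nothing to bill
        first_start = min(starts, key=corrected_time)
        begin = corrected_time(first_start)
        if stops:
            last_stop = max(stops, key=corrected_time)
            seconds = corrected_time(last_stop) - begin
            if last_stop.get("Acct-Terminate-Cause") == "Idle-Timeout":
                # The node was not actually using the network during the idle interval.
                seconds -= idle_timeouts.get(first_start["User-Name"], 0)
            result[sid] = SessionTime(max(seconds, 0), False)
        else:
            # No Stop: the serving AP failed. Use the operator's failure record;
            # if there is none the session is still open and is not reported.
            nas = first_start["NAS-IP-Address"]
            if nas in ap_failure_times and ap_failure_times[nas] >= begin:
                result[sid] = SessionTime(ap_failure_times[nas] - begin, True)
    return result


if __name__ == "__main__":
    for sid, st in session_times(SAMPLE_RECORDS, SAMPLE_IDLE_TIMEOUTS, SAMPLE_AP_FAILURES).items():
        print(sid, st)
```

Only the earliest Start and the latest Stop per MSID are used, so the intermediate Stop/Start pair produced by roaming between the two APs does not split the session.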
Fraud reporting
Fraud can possibly be detected when a new mobile node fails to authenticate. In
this case, no accounting message for this specific user is sent to the RADIUS
server. Refer to Quarantining unauthorized mobile nodes for more information.
In severe cases, an unauthorized mobile node can appropriate an authenticated
session. In this case, the session is terminated and a stop message is sent to the
RADIUS server. The mobile node is then quarantined from the Wireless AP 7220.
Refer to Security for more information.
Accounting traps
An accounting trap is sent when
Chapter 6
Performance management
The Wireless Mesh Network collects statistics that describe network traffic and
usage. Understanding traffic flow in your Wireless Mesh Network, and balancing
traffic to eliminate over- and under-utilized segments can dramatically improve
the network performance. Over-utilized interfaces are potential bottlenecks;
under-utilized network segments may represent potential cost savings.
InfoCenter, to view your network resources and organize devices into logical
groups (by device type, location, or other pertinent attributes) from which to
collect performance statistics. InfoCenter provides a launch point for
OmniView.
OmniView, to view statistics for network resources in either tabular or
graphic form. Information displayed by OmniView comes from SNMP agent
software running on Wireless AP 7220s and Wireless Gateway 7250s of the
Wireless Mesh Network.
For information about using ONMS tools and applications, refer to Using Optivity
NMS 10.2 Applications (207569-E).
ONMS also collects performance data from Wireless Gateway 7250s in the
Wireless Mesh Network as defined in the standard MIB for MIB-II statistics
(System, Interface, IP, ICMP, UDP, TCP, and SNMP statistics). The section
MIB-II statistics in Appendix G, Wireless Access Point 7220 performance
statistics lists the standard MIB-II parameters counted for Wireless Gateway
7250 performance measurements.
Totals
Deltas/Sec
Peak Deltas/Sec
Avg Deltas/Sec
View collected statistics in tabular or graphical form (pie chart, line graph, or
bar graph).
Figure 69 shows an example of the OmniView GUI displaying Wireless AP
7220 statistics for a Wireless AP 7220 in tabular form.
Figure 70 shows an example of the OmniView GUI displaying Wireless AP
7220 statistics for a Wireless AP 7220 in graphical form.
OmniView allows users to create custom statistics panes to query and display the
data that is most important to them, and allows users to configure other options for
performing the above tasks.
For more information about ONMS tools for viewing and analyzing performance
measurements, refer to the chapter on monitoring devices with OmniView in
Using Optivity NMS 10.2 Applications (207569-E).
Figure 69 Example OmniView GUI displaying Wireless AP 7220 statistics tables
Save statistics by printing to either HTML or ASCII files. This allows you to
view saved statistics with any text editor or Web browser.
For more information, see the procedure on saving statistics with print to file
in Using Optivity NMS 10.2 Applications (207569-E).
Export statistics to files so that you can review them later. You have two
options for exporting statistics:
Chapter 7
Security
Security in the Wireless Mesh Network serves to protect the security of the
Wireless Mesh Network, authorize mobile subscriber access, and protect network
and user traffic. Security features of the Wireless Mesh Network include:
Security standards
The security practices implemented in the Wireless Mesh Network are compatible
with the Wi-Fi Protected Access (WPA) standard and IEEE standard 802.11i.
The public network extends from the Wireless Gateway 7250 to the mobile node.
The Wireless Mesh Network solution assumes that the public network is an
untrusted environment; hence the Wireless Mesh Network solution provides
security mechanisms (IPsec tunnels, authentication, and encryption) to create a
trusted environment that protects user traffic, control traffic, and management
traffic.
Figure 72 shows the relationship of Wireless Mesh Network and other network
components to the private/public network entities.
Figure 72 Wireless Mesh Network and other network components relative to private and public
network entities
There are three main components to the Wireless Mesh Network security solution:
Subscriber security
Transit link security
Network security
Subscriber security
Subscriber security between the mobile node (client) and the Wireless AP 7220
requires client authentication and provides client traffic encryption. It uses Wi-Fi
Protected Access (WPA). Figure 73 describes subscriber security in the Wireless
Mesh Network.
The Wireless AP 7220 authenticates subscribers using RSNA mobile nodes
against a subscriber database on the RADIUS authentication server.
Authentication for RSNA clients uses Extensible Authentication Protocol (EAP)
schemes (TLS, TTLS, and PEAP).
The Wireless Mesh Network can be configured to authenticate subscribers using
web-based authentication through the support of the captive portal re-direct
function on the Network Access Controller (NAC).
Regardless of the type of mobile node, operators can control mobile node access
to the Wireless Mesh Network based on the mobile node MAC address. The
Wireless Gateway 7250 is not involved in subscriber authentication.
Encryption for RSNA clients uses Temporal Key Integrity Protocol (TKIP) and
Advanced Encryption Standard (AES). Non-RSNA clients do not incorporate
encryption for traffic between the mobile node and the Wireless AP 7220; if
encryption is needed, it must be established separately (for example, through
an IP VPN tunnel).
An IPsec tunnel secures client traffic between the Wireless AP 7220 and the
Wireless Gateway 7250.
Network security
Network security between the Wireless AP 7220 and Wireless Gateway 7250s
uses an encrypted IPsec tunnel created between the Wireless Gateway 7250 and
each Wireless AP 7220. It carries all user, internal signaling and OAM&P traffic.
Figure 74 describes network security in the Wireless Mesh Network.
The RADIUS server used for authentication and authorization may be:
Authenticating subscribers
Each subscriber (that is, mobile node) must be authenticated when connecting to
the Wireless Mesh Network. Authentication practices differ for RSNA and
non-RSNA enabled mobile nodes.
information. The web server verifies the mobile node's credential information
against the information on the RADIUS server. Once the mobile node's credential
information is accepted, the web server directs the NAC to trigger authentication
for the mobile node.
Appendix H, Wireless Access Point 7220 traps describes the security traps sent
to ONMS.
Chapter 8
Administration
Administration of a Wireless Mesh Network requires the network manager to:
generic NOSS tools used to administer data stored on the RADIUS, SNTP,
FTP and DHCP servers
These are tools specified by the customer's standard practices, or tools
specific to the RADIUS, SNTP, FTP or DHCP server used in the Wireless
Mesh Network. They are not specific to or supplied with the Wireless Mesh
Network.
Update the individual account of the Wireless AP 7220 in the RADIUS server
database. For more information, see Configuring the RADIUS server.
Table fragment (columns: reconfigured by CLI / reconfigured by ONMS; cell values as in the original, row alignment as extracted)
Required | Not required
warpTLConfigAntennaPortAdminState | Required | Not required
warpTLConfigChannelAdminState | Required | Not required
warpTLDiscMinRSSI | Required | Required
warpTLAcumenBSSID
Click OK.
In the ExpandedView window for the Wireless AP 7220, right click on the
Wireless AP 7220.
If the value of the RebootDelay field is not sufficient, modify the value
and click Apply. (The value must be greater than 0.)
Select Software Download / Start Reboot Delay to start the reboot delay
timer.
Configure the IP address of the Wireless Gateway 7250 in the DHCP server
database. For more information, see Configuring the Dynamic Host
Configuration Protocol (DHCP) server.
Update the Wireless AP 7220 configuration file on the FTP server to redefine
the public IP address and the Home Agent IP address of the Wireless Gateway
7250 through which the Wireless AP 7220s connect to the Wireless Mesh
Network. For more information, see Configuring the FTP server.
Use generic NOSS tools (or server-specific tools provided with your servers) to
update the DHCP and FTP server databases.
Any Wireless AP 7220s that connect through a deleted NAP-R are lost to the
network. If the network must retain any Wireless AP 7220s through an alternate
NAP-R, you must update the alternate NAP-R to support these Wireless AP
7220s. A Wireless Mesh Network requires at least one NAP-R.
Network operators manage end users with subscriber accounts on the RADIUS
server that permit subscriber access.
Use generic NOSS tools (or server-specific tools provided with your servers) to
update subscriber account information in the RADIUS server database. For more
information, see Configuring the RADIUS server.
A user name/password pair sent by the mobile node to the RADIUS server to
request authentication
TunnelPrivateGroupID - a Wireless Mesh Network parameter that determines
the VPN that the subscriber can access. The TunnelPrivateGroupID tells a
Wireless AP 7220 the range of IP addresses the Wireless AP 7220 can assign
to the calling mobile node, based on mapping defined in the Wireless AP
7220's configuration file. Constraining the IP address used by a mobile node
for a session constrains the VPN that a mobile node can access.
You can change a subscriber's VPN by changing the subscriber's
TunnelPrivateGroupID. You can change the VPN for a group of subscribers
by remapping the range of IP addresses defined in the configuration file for
Wireless AP 7220s.
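The TunnelPrivateGroupID-to-address-range constraint described above, shown as an added example (not the Wireless AP 7220's own allocator). The mapping format (group id to CIDR pool), the pool values, the MAC addresses and the group names are all constructed assumptions for this illustration; the document does not specify how the AP's configuration file expresses the mapping.

```python
"""Constrain a mobile node's address to the pool of its TunnelPrivateGroupID.

Added example. Because the address a node holds decides which VPN it can
reach, the allocator refuses unknown groups outright (no default pool), and
a node whose group changes loses its old address before receiving a new one.
"""
import ipaddress

# Constructed mapping: TunnelPrivateGroupID -> address pool the AP may assign from.
SAMPLE_GROUP_POOLS = {
    "guest": "192.168.40.64/27",
    "staff": "192.168.40.96/27",
    "kiosk": "192.168.40.128/30",   # deliberately tiny, to show exhaustion
}


class AddressAllocator:
    def __init__(self, pools):
        self._pools = {g: ipaddress.ip_network(c) for g, c in pools.items()}
        self._leases = {}   # mac -> (group_id, address)
        self._used = set()  # addresses currently handed out

    def assign(self, mac, group_id):
        """Return an address from group_id's pool, or None if the group is
        unknown or its pool is exhausted (the node gets no address at all)."""
        net = self._pools.get(group_id)
        if net is None:
            return None
        lease = self._leases.get(mac)
        if lease and lease[0] == group_id:
            return lease[1]          # same group: keep the existing address
        self.release(mac)            # group changed: old VPN must become unreachable
        for host in net.hosts():
            if host not in self._used:
                self._used.add(host)
                self._leases[mac] = (group_id, host)
                return host
        return None

    def release(self, mac):
        lease = self._leases.pop(mac, None)
        if lease:
            self._used.discard(lease[1])

    def group_of(self, addr):
        """Reverse lookup for audit: which group an assigned address belongs to."""
        addr = ipaddress.ip_address(addr)
        for group_id, held in self._leases.values():
            if held == addr:
                return group_id
        return None


if __name__ == "__main__":
    alloc = AddressAllocator(SAMPLE_GROUP_POOLS)
    print(alloc.assign("00:02:b3:3c:16:95", "guest"))
    print(alloc.assign("00:02:b3:3c:16:95", "staff"))   # re-mapped subscriber
    print(alloc.assign("aa:bb:cc:00:00:01", "unknown"))  # None
```

Remapping a whole group of subscribers, as the text describes, is just constructing the allocator with a different pool for that group id; individual subscribers move when their RADIUS record returns a different TunnelPrivateGroupID.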
For detailed information about backing up Wireless Mesh Network data from
NOSS servers, refer to user documentation for the particular make and model of
DHCP, FTP, or RADIUS server employed in your Wireless Mesh Network.
Network managers must follow their own standard corporate practices for
maintaining suitable backups. Network managers should perform regular backups
of the Wireless Mesh Network databases when the Wireless Mesh Network is
running in a stable state, as a basis from which to restore the Wireless Mesh
Network to normal operation if it becomes corrupted. Network managers should
perform special backups of the Wireless Mesh Network databases before and after
making network changes (i.e., when adding or deleting Wireless AP 7220s,
Wireless AP 7220 @ NAPs, or Wireless Gateway 7250s). Wireless Mesh
Network managers should store backed up data at a secure site separate from the
NOSS site, to protect against complete corruption of the NOSS servers or
destruction of the NOSS servers and their environment.
Appendix A
KeyGen tool
The KeyGen tool is a DOS-based password generation tool for the Wireless AP
7220s. This tool is used to generate a unique IPsec password for each Wireless AP
7220. The IPsec password is used when configuring new Wireless AP 7220 user
accounts on both the Wireless Gateway 7250 and the RADIUS server.
Refer to Before you begin for KeyGen software download and update
information.
Note: The KeyGen tool is case-sensitive. You must enter the Wireless
AP 7220 serial number exactly as it appears on the Wireless AP 7220.
To use the KeyGen tool:
1
Create an input file that contains a list of Wireless AP 7220 serial numbers.
Note: Each Wireless AP 7220 serial number must appear on a separate
line in the input file.
When the KeyGen tool has finished executing, the output file contains a list of
IPsec passwords (one per line) that directly map to the list in the input file.
Appendix B
Sample DHCP configuration file
#******** Sample configuration file for ISC dhcpd - dhcpd.conf ********
# Note: The information in this sample DHCP configuration file reflects the
# Inter-Wireless Gateway 7250 roaming and mobility network layout as described in
# Figure 8.
#*************** Start of DHCP configuration legend *******************
#
# DHCP Server: 192.168.30.11
# FTP Server and ONMS workstation: 192.168.30.13
# RADIUS Server: 192.168.30.12
#
# Wireless Gateway 7250
#   Public Interface IP: 30.0.30.1
#   Private Interface IP: 192.168.20.1
#   Priv. Mgmt Int. IP: 192.168.20.248
#
# In an Inter-Wireless Gateway 7250 roaming environment, include all
# Wireless Gateway 7250s
# Wireless Gateway 7250-2
#   Public Interface IP: 30.0.40.1
#   Private Interface IP: 192.168.20.2
#   Priv. Mgmt Int. IP: 192.168.20.249
#
# Wireless Gateway 7250-3
#   Public Interface IP: 30.0.50.1
#   Private Interface IP: 192.168.20.3
#   Priv. Mgmt Int. IP: 192.168.20.250
#
# In an Inter-Wireless Gateway 7250 roaming environment, include all
# Network Access Controllers
# Network Access Controller-1
#   Interface IP: 192.168.20.101
#   Private Interface IP: 192.168.80.1
#   Priv. Mgmt. Int. IP: 192.168.80.101
# Network Access Controller-2
#   Interface IP: 192.168.20.102
#   Private Interface IP: 192.168.80.2
#   Priv. Mgmt. Int. IP: 192.168.80.102
option routers 10.1.0.1;
option subnet-mask 255.255.0.0;
# The following option hides the DHCP server IP address from the mobile nodes.
option dhcp-server-identifier 255.255.255.255;
# The following option is the management interface of the Wireless Gateway 7250
################################################################################
# This section is optional if you want to assign an IP address to any
# mobile node statically by creating a host declaration that contains each mobile
# node Ethernet MAC address.
#
# When the mobile node broadcasts for an IP address, the MAC address for that
# device is allocated to a specific IP address.
#
# The following parameters can be modified for each declared host.
# 1) mobile node Ethernet MAC address
# 2) The fixed address of this mobile node
#    (must be in the same subnet and outside the declared range values).
# 3) lease times.
#
# NOTE: This section is OPTIONAL
#
host MN-1
{
hardware ethernet 00:02:b3:3c:16:95;
fixed-address 192.168.40.60;# Unique address outside range.
}
host MN-2
{
hardware ethernet 00:02:b3:3c:16:90;
fixed-address 192.168.40.61;
default-lease-time 196000;
max-lease-time 196000;
}
}
#********* END of Sample configuration file for ISC dhcpd - dhcpd.conf *********#
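The host-declaration rule stated in the sample file's comments (a fixed-address must be in the same subnet as the pool and outside the dynamic range) can be checked before the file is deployed. The checker below is an added example, not part of ISC dhcpd or of the Nortel document; the sample dhcpd.conf it parses is constructed (the subnet and range values are assumptions, since the document's sample does not show its subnet declaration), and it handles only the flat `subnet { range ...; }` and `host { ... }` forms used here.

```python
"""Validate fixed-address host declarations in an ISC dhcpd.conf (added example).

Checks each host's fixed-address against the declared subnets:
 - it must fall inside some declared subnet,
 - it must not fall inside that subnet's dynamic range(s),
 - it must not be handed to two different hosts.
"""
import ipaddress
import re

# Constructed sample, modelled on the document's Appendix B layout.
SAMPLE_DHCPD_CONF = """\
subnet 192.168.40.0 netmask 255.255.255.0 {
  range 192.168.40.10 192.168.40.50;
  option routers 192.168.40.1;
}
host MN-1 {
  hardware ethernet 00:02:b3:3c:16:95;
  fixed-address 192.168.40.60;
}
host MN-2 {
  hardware ethernet 00:02:b3:3c:16:90;
  fixed-address 192.168.40.20;
}
host MN-3 {
  hardware ethernet 00:02:b3:3c:16:91;
  fixed-address 192.168.41.5;
}
"""

SUBNET_RE = re.compile(r"\bsubnet\s+(\S+)\s+netmask\s+(\S+)\s*\{(.*?)\}", re.S)
RANGE_RE = re.compile(r"\brange\s+(\S+)\s+(\S+);")
HOST_RE = re.compile(r"\bhost\s+(\S+)\s*\{(.*?)\}", re.S)


def parse_dhcpd(conf):
    """Return ([(network, [(range_lo, range_hi), ...])], [(name, mac, fixed_addr)])."""
    subnets = []
    for m in SUBNET_RE.finditer(conf):
        net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        ranges = [(ipaddress.ip_address(lo), ipaddress.ip_address(hi))
                  for lo, hi in RANGE_RE.findall(m.group(3))]
        subnets.append((net, ranges))
    hosts = []
    for m in HOST_RE.finditer(conf):
        body = m.group(2)
        mac = re.search(r"hardware ethernet\s+(\S+);", body)
        fixed = re.search(r"fixed-address\s+(\S+);", body)
        hosts.append((m.group(1),
                      mac.group(1) if mac else None,
                      ipaddress.ip_address(fixed.group(1)) if fixed else None))
    return subnets, hosts


def check_fixed_addresses(conf):
    """Return {host_name: [problem, ...]}; an empty list means the host is fine."""
    subnets, hosts = parse_dhcpd(conf)
    seen = {}
    problems = {}
    for name, _mac, addr in hosts:
        issues = []
        if addr is None:
            issues.append("no fixed-address")
        else:
            home = [(net, ranges) for net, ranges in subnets if addr in net]
            if not home:
                issues.append("not in any declared subnet")
            for _net, ranges in home:
                for lo, hi in ranges:
                    if lo <= addr <= hi:
                        issues.append(f"inside dynamic range {lo}-{hi}")
            if addr in seen:
                issues.append(f"duplicate of {seen[addr]}")
            seen.setdefault(addr, name)
        problems[name] = issues
    return problems


if __name__ == "__main__":
    for host, issues in check_fixed_addresses(SAMPLE_DHCPD_CONF).items():
        print(host, "OK" if not issues else "; ".join(issues))
```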
Appendix C
FTP server user permissions
Modifying FTP server user permissions
To allow access to the Wireless Gateway 7250 software, modify the user
permissions:
1
Click OK.
Set the access permissions by highlighting the path. For example, C:\PG.
Check the Root, Home, Mapping, and Recursive tick-boxes. By default, the
Files and Directory boxes should be checked.
Appendix D
Sample NAP router configuration
The following commands can be used to configure a Passport 5430 as a NAP
router:
stack# ip
ip# static-route 0.0.0.0/0.0.0.0/192.168.10.254
(configure default route)
ip/0.0.0.0/0.0.0.0/192.168.10.254# exit
bcc> exit
Appendix E
Sample NAC configuration
The following commands can be used to configure a Nortel Wireless Secure
Switch (WSS) 2250 as a NAC:
To configure the ARP cache size and ARP Age Out Time
1
Add the ARP cache size parameters to the sysctl.conf file. For example, if the
WSS 2250 supports 2000 subscribers (set the ARP cache size to roughly two
times the target number of subscribers), enter the following
net.ipv4.neigh.default.gc_thresh1=4000
net.ipv4.neigh.default.gc_thresh2=4000
net.ipv4.neigh.default.gc_thresh3=4000
Create another copy of the sysctl.conf file. For example, enter cp sysctl.conf
sysctl.conf.orig and press Enter.
Add the ARP Age Out Time parameter to the sysctl.conf file. It is
recommended that you set the ARP Age Out Time to one and a half times the
Configure the WSS 2250 to allow pass-through to the PAS server. For
example,
/cfg/wss/fw/captive
redir <PAS_server_IP>/pas/compat/demo/plain?loginurl=https://
<WSS_virtualIP>/login_post.yaws
To configure a static route for any mobile node that is not advertised by the NAC
1
Add a static route for all the mobile node subnets not advertised by the NAC
to forward the mobile node traffic to the next router. For example,
/cfg/sys/routes list
/cfg/sys/routes add
Appendix F
Sample FTP configuration file
#*******************************************************************************
# This file maintains all the parameters that must be dynamically provided to an
# initializing AP 7220.
# There are several sections to the file. Each block contains information about
# the named section for each software module that must be configured on the AP.
# Logically, each block is composed of a series of entries, with each entry
# starting with an identifier and ending with the identifier for the next entry
# or the beginning of the next block.
# Note: The information in this sample FTP configuration file reflects the basic
# network layout as described in Figure 7.
# The current list of supported blocks is:
# 1. [radius]
# 2. [dhcp]
# 3. [pgHa]
# 4. [subscriberGroup]
# 5. [nms]
# 6. [AccessLinkip]
# 7. [wpa]
# 8. [nonrsna]
# 9. [sntp]
# 10. [syslog]
# 11. [accessLink]
# 12. [eventlog]
# 13. [TL pruning]
# 14. [interwirelessgateway]
# Only 1
[AccessLinkIP]
AccessLinkIp = 192.168.40.9,255.255.255.0
# Access Link (AL) IP address of the AP to be used by the mobile node
[nonrsna]
NonRsna=1
# authentication method for mobile nodes
# user type definition for authentication purposes i.e. RSNA (wpa) or non-RSNA
# (legacy devices)
[wpa]
wpa=1
# [sntp]
# SntpServer = 192.168.30.14
[syslog]
SyslogServer = 192.168.30.13
[accessLink]
mode = 802.11b
SubnetaddrAndMask= 192.168.30.0,255.255.255.0
# The mode parameter can either be set to 802.11b or 802.11g. The default is
# 802.11g.
#
# Packets received from the access link and destined to any of these addresses
# are blocked by the Wireless AP 7220. The format of the block is as follows:
#
# SubnetaddrAndMask=w.x.y.z,a.b.c.d
#
# where w.x.y.z. is an IP address or network address and a.b.c.d is the netmask
# corresponding to that IP address. There can be multiple entries of addresses to
# filter in this block with each new address specified on a new line.
[eventlog]
OverWriteAlways=1
AutoFTPLog=1
# Enabling this flag sends a logfile from the Wireless AP 7220 to the FTP server
# upon reboot of the Wireless AP 7220. This logfile contains events that occurred
# on the Wireless AP 7220 prior to the reboot. The AutoFTPlog parameter
# determines if automatic FTP logging is enabled or disabled. The OverWriteAlways
# parameter determines whether or not existing log files are overwritten with new
# log files. It is recommended not to overwrite the log files.
#
# The value for OverWriteAlways and AutoFTPLog is as follows:
# 0 = false
# 1 = true
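A parser for the block/entry layout that the file header describes (bracketed block names, `identifier = value` entries, `#` comments, repeated identifiers such as several SubnetaddrAndMask lines), written as an added example rather than the Wireless AP 7220's own configuration loader. It assumes block names and identifiers are matched case-insensitively (the header lists `[AccessLinkip]` while the body writes `[AccessLinkIP]`) and that `#` begins a comment anywhere on a line. The sample text it parses is constructed from the fragments in this appendix.

```python
"""Parse the AP 7220 FTP configuration file format (added example).

Result shape: {block_name: {identifier: [value, ...]}} with names lower-cased.
Values are kept as lists because a block may repeat an identifier, e.g. the
[accessLink] filter list. Also shown: turning the SubnetaddrAndMask filter
entries into networks and testing an address against them.
"""
import ipaddress

# Constructed sample, modelled on the fragments shown in Appendix F.
SAMPLE_AP_CONFIG = """\
[AccessLinkIP]
AccessLinkIp = 192.168.40.9,255.255.255.0
# Access Link (AL) IP address of the AP to be used by the mobile node
[nonrsna]
NonRsna=1
[wpa]
wpa=1
# [sntp]
# SntpServer = 192.168.30.14
[syslog]
SyslogServer = 192.168.30.13
[accessLink]
mode = 802.11b
SubnetaddrAndMask= 192.168.30.0,255.255.255.0
SubnetaddrAndMask= 192.168.20.0,255.255.255.0
[eventlog]
OverWriteAlways=1
AutoFTPLog=1
"""


def parse_ap_config(text):
    blocks = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # assumption: '#' starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            blocks.setdefault(current, {})
            continue
        if current is None:
            raise ValueError(f"line {lineno}: entry outside any block")
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected identifier=value, got {line!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        blocks[current].setdefault(key.lower(), []).append(value)
    return blocks


def blocked_networks(blocks):
    """Networks listed in [accessLink] SubnetaddrAndMask entries."""
    nets = []
    for entry in blocks.get("accesslink", {}).get("subnetaddrandmask", []):
        addr, mask = (part.strip() for part in entry.split(",", 1))
        nets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return nets


def is_blocked(blocks, ip):
    """True if a packet from the access link to `ip` would be dropped by the filter."""
    ip = ipaddress.ip_address(ip)
    return any(ip in net for net in blocked_networks(blocks))


if __name__ == "__main__":
    cfg = parse_ap_config(SAMPLE_AP_CONFIG)
    print(cfg)
    print("syslog server reachable from access link:",
          not is_blocked(cfg, cfg["syslog"]["syslogserver"][0]))
```

Running it on the sample shows the filter doing what the comment block says it is for: the syslog server (192.168.30.13) and the gateway's private network are unreachable from the access link, while addresses in the mobile-node subnet are not filtered.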
Appendix G
Wireless Access Point 7220 performance statistics
This appendix describes the statistics collected to describe Wireless Access Point
7220 performance within the Wireless Mesh Network. The Wireless Mesh
Network collects the following types of Wireless AP 7220 statistics:
General statistics
Incoming statistics
OutGoingToServer statistics
General statistics
Incoming statistics
Outgoing statistics
SNMP statistics
The Wireless Mesh Network groups SNMP statistics into:
Num. of Reboots
snmp Engine Time
Maximum Message Size
Decryption Errors
OSPF statistics
The Wireless Mesh Network groups OSPF statistics into:
MIB-II statistics
The Wireless Mesh Network groups MIB-II statistics into:
Description
Num. Interface
System up time
Location
Interface Index
Type
MTU
Speed
Physical Address
Admin Status
Operational Status
Last Change
Description
Interface Index
Utilization
In Utilization
In Octets
In Ucast Pkts
In NUcast Pkts
In Discards
In Errors
In Unknown Proto
Interface Index
Net Utilization
Out Util
Out Octets
Out Ucast Pkts
Out NUcast Pkts
Out Discards
Out Errors
Out Pkt Queue Length
MIB-II IP statistics
MIB-II IP profile statistics
The Wireless Mesh Network collects the following MIB-II IP profile statistics
describing Wireless AP 7220 performance:
Forwarding
Default TTL
Reassembly Timeout
In Receives
In Header Errors
In Address Errors
In Forwarded Datagrams
In Unknown Protocols
In Discards
In Delivers
Out Requests
Out Discards
No Route Found
Reassembly Required
Reassembly Successful
Reassembly Failed
Fragmenting Successful
Fragmenting Failed
Fragmenting Created
IP Address
If Index
Subnet mask
IP Bcast Address Bit
Reassembly Max Size
Destination
If Index
Metric 1
Metric 2
Metric 3
Metric 4
Next Hop
Type of Route
Source protocol
Route Age
Route Mask
In Messages
In Errors
In Dest. Unreach
In Time Exceeded
In Parameter Problem
In Src Quench
In Redirects
In Echos
In Echo Reply
In Time Stamps
In Time Stamp Reply
In Address Mask
In Address Mask Reply
Out Messages
Out Errors
Out Dest. Unreach
Out Time Exceeded
Out Parameter Problem
Out Src Quench
Out Redirects
Out Echos
Out Echo Reply
Out Time Stamps
Out Time Stamp Reply
Out Address Mask
Out Address Mask Reply
In Datagrams
Num. Dest Port
In Errors
Out Datagrams
Retransmitting Algorithm
Retransmitting Min
Retransmitting Max
Max Connection
Active Opens
Passive Opens
Attempt Fails
Established Resets
Current Established
In Segments
Out Segments
Retransmitted Segments
In Errors
Out RST Segments
In Pkts
In Bad Versions
In Bad Comm Names
In Bad Comm Used
In ASN Parse Errs
In Too Big
In No Such Name
In Bad Values
In Read Only
In GenErrors
In Total Request Vars
In Total Set Vars
In Get Requests
In Get Nexts
In Set Requests
In Get Response
In Traps
Out Pkts
Out Too Big
Out No Such Name
Out Bad Values
Out GenErrors
Out Get Requests
Out Get Nexts
Out Set Requests
Out Get Response
Out Traps
Appendix H
Wireless Access Point 7220 traps
The Wireless AP 7220 supports the following traps:
warpBootup
warpCriticalTaskFailure
warpDhcpLeaseExpiring
warpDhcpLeaseRenewalFailed
warpDhcpRenewalFailureCleared
warpNetworkTimeSynchronized
warpNetworkTimeSynchronizationLost
warpSoftwareDownloadStatus
warpSubscriberDatabaseFull
warpSubscriberDatabaseNormal
warpSubscriberManagmentFailed
warpSubscriberManagmentStarted
warpIPSecTunnelEstablished
warpMobileQuarantined
warpMobileQuarantineCleared
warpRadiusAcctServerFailover
warpRadiusAcctServerRestored
warpRadiusAcctServerUnavailable
warpRadiusAuthServerFailover
warpRadiusAuthServerUnavailable
warpRadiusAuthServerRestored
Table 9 correlates the Wireless AP 7220 traps with the fault and the severity of the
fault.
Wireless Mesh Network fault severity is consistent with ONMS fault severity:
1 to 3 = low severity
4 to 6 = medium severity
7 to 10 = high severity
Table 9 Fault correlation (trap: correlated fault; the fault severity column is not shown)
warpBootup: WARP_Bootup
warpCriticalTaskFailure: Critical_Task_Failure
warpDhcpLeaseRenewalFailed: DHCP_lease_Renewal_Failed
warpDhcpRenewalFailureCleared
warpDhcpLeaseExpiring: DHCP_Lease_expiring
warpIPSecTunnelEstablished
warpMobileQuarantineCleared
warpMobileQuarantined: Mobile_Quarantined
warpNetworkTimeSynchronized
warpNetworkTimeSynchronizationLost: Network_Time_Synchronization_Lost
warpRadiusAcctServerFailover: Radius_Accounting_Server_Failover
warpRadiusAcctServerRestored
warpRadiusAcctServerUnavailable: Radius_Accounting_Server_Unavailable
warpRadiusAuthServerFailover
warpRadiusAuthServerRestored
warpRadiusAuthServerUnavailable: Radius_Authentication_Server_Unavailable
warpSoftwareDownloadStatus: Software_Download_Error
warpSoftwareDownloadStatus
warpSubscriberDatabaseFull: Subscriber_database_Full
warpSubscriberDatabaseNormal
warpSubscriberManagmentFailed: Subscriber_management_Failed
warpSubscriberManagmentStarted
Glossary
802.11
The IEEE specification for wireless area networks that operate at radio
frequencies in the 5 GHz band, use a modulation scheme known as orthogonal
frequency-division multiplexing (OFDM), and provide a maximum raw data
speed of 54 Mbps.
802.11b
The IEEE specification for wireless area networks that operate at radio
frequencies in the 2.4 GHz band, use a modulation scheme known as
complementary code keying (CCK), and provide a maximum raw data speed
of 11 Mbps.
802.11g
The IEEE specification for wireless area networks that operate at radio
frequencies in the 2.4 GHz band, use a modulation scheme known as
complementary code keying (CCK), and provide a maximum raw data speed
of 54 Mbps.
802.11i
Alternating Current
Access Link
AES
Access Link
API
Border Gateway
BSSID
Basic Service Set Identifier - used by the Wireless Mesh Network as a unique
identifier used for establishing communications between Wireless AP 7220s
and mobile nodes
CAN
CAT5
Home Agent
HTML
ICMP
Internet Control Message Protocol. The protocol used to handle errors and
control messages at the IP layer. ICMP is actually part of the IP protocol.
ID
Identifier, Identity
IP
Internet Protocol
IPsec
Line of Sight
LSA
MAC address
Mobile IP filter
MN
Network Access Controller - controls mobile traffic going in and coming out
of the Wireless Mesh Network cluster (WMC).
NAP
NAS
Open Shortest Path First. An interior gateway protocol that routes messages
according to the least expensive path, developed to replace the RIP (Routing
Information Protocol) protocol. A Proposed Standard IGP (Inter-Packet
Gaps) for the Internet.
PAS
Personal Computer
PDA
PEAP
Quality of Service
RADIUS
Radio Frequency
RFC
A serial connector used with Ethernet and Token Ring devices that looks like
a telephone jack but has eight wires instead of four or six.
RSA
SNMP
WMC
WPA