Document 178509

Configuration Guide for RFMS 3.0 Initial Configuration
[WiNG 5.1] How-To Guide
[1 Hop Mesh]
[July] 2011
Revision [Rev 2]
XXX-XXXXXX-XX
MOTOROLA and the Stylized M Logo are registered in the US Patent & Trademark Office.
Symbol is a registered trademark of Symbol Technologies, Inc. All other product or service names are the
property of their respective owners.
© 2009 Motorola, Inc. All rights reserved.
Table of Contents:
1.
2.
3.
Introduction: ........................................................................................................................ 4
1.1
Overview: ..................................................................................................................... 5
1.2
DATA PATH................................................................................................................. 6
1.3
SECURITY .................................................................................................................. 7
1.4
RADAR HANDLING IN MESH ..................................................................................... 7
1.5
STATUS AND TROUBLESHOOTING.......................................................................... 7
Pre-Requisites: ..................................................................................................................10
2.1
Requirements: ............................................................................................................10
2.2
Components Used: .....................................................................................................10
Configuration: ....................................................................................................................11
3.1
Feature 1: Portal AP ...................................................................................................11
3.2
Feature 2: Client AP....................................................................................................13
3.3
AP-650 Setup is Identical as 7131 with one exception: ...............................................15
3.4
Configuration-Persistance GUI....................................................................................17
4.
RF Switch Running Configuration: .....................................................................................18
5.
Reference Documentation: ................................................................................................22
How-To-Guide for Single Hop Mesh
1. Introduction:
WiNG 5.1 allows AP‟s to operate wirelessly, connecting to other access points for data backhaul, in a
mesh topology. This feature offers a cost-effective way to extend the network outdoors or in remote areas,
relying on a highly resilient, self-configuring system. Taking advantage of the dual-radio architecture and
the easy-to-use configuration interface, it becomes a simple task to deploy a wireless network of access
points connected securely via 802.11a/n, providing enterprise-class 802.11b/g /n service
WiNG 5.1 supports single-hop mesh. The mesh node that has connectivity to the wire will be referred to
as a ‟Portal‟ to use the term from 802.11s. The node that is ‟wireless‟ will be referred to as a ‟client‟. In
comparison with WiNG 4.x AAP Mesh a ‟Portal‟ is analogous to a ‟Base Bridge‟ and a ‟client‟ is analogous
to a ‟Client bridge‟. One difference is that a client is also a portal by default once its link is up (in releases
past 5.0) while in AAP client-bridge was not automatically a base bridge. Two other differences from
AAP mesh are, instead of STP and standard bridge forwarding, MiNT will be used as the data path
forwarding algorithm; and there is no requirement of a ‟mesh wlan‟ if there is another wlan being used
on the same radio.
This feature will be supported on all platforms supporting a radio in 5.0: AP650, AP7131, and RFS4000
Radio SKU.
How-To-Guide for Single Hop Mesh
5Ghz Mesh
Client AP
5Ghz Mesh
Portal AP
Client AP
1.1 Overview:
Support for wireless meshing will be enabled/disabled on a per radio basis with the following options:
no mesh – default value
mesh portal – turns the radio into a mesh portal
mesh client – turns the radio into a mesh client
The mesh IE will be included in the beacon of any existing WLAN on that radio. So if the mesh
radio also supports a data-wlan the IE is piggybacked on it. In the event that the mesh radio does not
How-To-Guide for Single Hop Mesh
include a wlan, the administrator needs to create a ‟service wlan‟. The ‟service-WLAN‟ is needed ONLY
if there are no other WLANs on the radio (pure-backhaul case). If there are other WLANs, then there
is no need to create a service-WLAN.
**Note also that the service-WLAN (if-any) MUST be mapped to the first BSS of the radio.
All mesh association and data packets use the first BSS of the radio. **
The „service-WLAN‟ is a regular‟ wlan and is created and mapped as such. However the ‟client-access‟
configuration on this wlan will be set to OFF, this will not allow clients to associate on this wlan. An SSID
will not be included in the beacons (as if secure-beacon is ON); probe-responses will not be sent for this
wlan, and all incoming management frames will be ignored (unless they are an association request
from a mesh peer). In real-life an MU should not even send an association request as all identifying
features of this wlan (primarily the SSID) have been disabled.
Each mesh client will only have support for one link to a portal; however a portal will include links
for multiple clients. The maximum number of links per portal will be configurable from 1..6. The default
value will be 3.
Once a link comes up the client can tear down the link if it is no longer ‟useful‟. Without a multi-link
mesh the main use-case for teardown is if a portal or client has gone down or the link is so noisy that it
is difficult to pass traffic on it. Link quality and cost are not criteria at this point as in any case only one
link will be supported at a time.
Two criteria that will be supported for taking a mesh link down are:
missed beacons - if any mesh peer stops hearing beacons from its peers for a while it assumes
the link has been lost. The time for which missed beacons are tolerated will be configurable from
1 to 10 seconds, with a default of 2 seconds.
transmit failures - if any mesh peer faces a certain number of successive transmit failures for
a peer it assumes the link is extremely bad, tears it down and tries other nodes. Since this is
disruptive and there is potential for flapping if there are no other candidate mesh nodes the teardown
criteria is fairly strict at a default of 10 successive failed packets. For reference for wireless
clients (MUs) we currently use a value of 6 successive failed packets.
In addition to the automatic discovery of peer nodes the administrator can choose to select a number
of APs as the peers for certain mesh nodes ensuring that connection is only allowed among those peer
nodes. Up to 6 preferred-peers can be configured on a per radio basis. If a radio has a preferred-peer
configured it will only allow configuration from/to that peer. Note that unlike AP5131/AP7131 these
static links are configured using the wired MAC address of the device (same MAC that is used in
configuration and is printed on the AP itself), instead of the BSSID (which is not known unless the AP
is powered up and adopted).
1.2 DATA PATH
Mesh forwarding will utilize MiNT routing and discovery for forwarding of data frames across the
meshed network. As soon as the wireless link is complete the Radio Interface
Module (rim) will send a mint-link-add message to the Data path Daemon (dpd). This link will start to
show up in ’show mint links’, initially with 0 adjacencies, and then MiNT will exchange Hello and LSP
packets to ‟bring up‟ the link. At the point where the link comes up the nodes will show up in the CLI
under ’show mint neighbors’ and the link will also show up in ’show mint lsp’ and ’show mint lsp-db’.
From that point on data frames will be forwarded across this link.
**Note that the mesh link is a point-to-point link from a MiNT perspective (much like L3 links) so any
VLAN that is served up across the mesh will need to be extended across it using the standard MiNT
configuration for extended VLANs (bridge vlan).**
Once the MiNT link is up mint routing will ensure that all nodes in the network are aware of this
How-To-Guide for Single Hop Mesh
node and can reach it and forward frames from it.
1.3 SECURITY
MiNT security will be the backend security mechanism for the mesh nodes. Please refer to the MiNT
security specification for all details. The only difference being that on this link instead of the AESSHA256
encryption used in general for MiNT security AES-CCMP will be used. The keys will still
be derived from the MiNT security mechanism, just for encryption the radio crypto support will be
leveraged.
1.4 RADAR HANDLING IN MESH
One of issues with mesh has been handling of Radar when the mesh has been formed on a DFS
channel(s). It‟s been a major concern on the ability of the mesh to quickly reform in the event of
Radar as seen by one or more mesh peers. To address this issue a simple mechanism has been
incorporated. The behavior of the mesh will be as follows:
Once one or more mesh node sees a radar it brings down the mesh connection with its peers
by sending deauth frames.
It is followed by the transmissions of beacons with channel-switch announcement IE.
Mesh nodes on receiving the beacons with channel-switch announcement IEs from peers shall
mark their primary (and extension channel if operating in 40MHz mode) channels as radar interfered
which will make the channel(s) unusable for the next 30 minutes.
After 30 mins the mesh portal resumes the operation in the home channel. It leads to mesh
reformation once again
1.5 STATUS AND TROUBLESHOOTING
The status of the mesh links on a particular node can be seen by the "Show wireless mesh links" CLI
command. On a client node in 5.0 there will only be one mesh link as only a single hop to a portal is
supported. On the portal all mesh clients connected with this portal will be displayed.
Syslogs will be generated for link bring up and tear-down:
How-To-Guide for Single Hop Mesh
1.5.1 Feature 1: Portal AP (Radio)
How-To-Guide for Single Hop Mesh
1.5.2 Feature 2: Client AP (Radio)
How-To-Guide for Single Hop Mesh
2. Pre-Requisites:
2.1 Requirements:
The following requirements must be met prior to attempting this configuration:
One (or more) RF Switches are installed and operational on the network.
A Windows XP workstation is available with Microsoft Internet Explorer or Mozilla Firefox to
perform Web UI or CLI configuration.
The reader has read the Motorola RFS Series Wireless LAN Switches - WiNG System Reference
Guide.
2.2 Components Used:
The information in this document is based on the following Motorola hardware and software versions:
1 x RFS4000 or RFS7000 Version 5.1.

Registered users may download the latest software and firmware from the Motorola Technical
Support Site http://support.symbol.com.
How-To-Guide for Single Hop Mesh
3. Configuration:
The following section outlines the configuration steps required to create a single hop Mesh with 2
AP7131‟s
1) Feature 1 [Portal AP]:
2) Feature 2 [Client AP]:
3.1 Feature 1: Portal AP
3.1.1 Web UI Configuration Example:
1)
On the GUI interface- Configuration, Devices, APxxx-, interface, Radios, Radio2
2)
MeshConnex Tab
3)
Select Portal from drop down window
How-To-Guide for Single Hop Mesh
3.1.2 CLI Configuration Example:
1)
RFS4000# configure terminal
Enter configuration commands, one per line.
End with CNTL/Z.
2)
rfs4000-22D070(config)#ap71xx 00-23-68-97-00-10
rfs4000-22D070(config-device-00-23-68-97-00-10)#interface radio2
rfs4000-22D070(config-device-00-23-68-97-00-10-if-radio2)#
mesh portal
3)
rfs4000-22D070(config-device-00-23-68-97-00-10-if-radio2)#com wr
ap71xx 00-23-68-97-00-10
use profile default-ap71xx
use rf-domain default
hostname ap71xx-970010
interface radio2
mesh portal
!
!
end
How-To-Guide for Single Hop Mesh
3.2 Feature 2: Client AP
3.2.1 Web UI Configuration Example:
1)
On the GUI interface- Configuration, Devices, APxxx-, interface, Radios, Radio2
2)
MeshConnex Tab
3)
Select Client from drop down window
How-To-Guide for Single Hop Mesh
3.2.2 CLI Configuration Example:
1)
Configuration Terminal
RFS7000# configure terminal
Enter configuration commands, one per line.
2)
End with CNTL/Z.
Connect to Client AP
rfs4000-22D070(config)#ap71xx 00-23-68-93-11-34
rfs4000-22D070(config)#ap71xx 00-23-68-93-11-34# bridge vlan 1
rfs4000-22D070(config-device-00-23-68-93-11-34)#interface radio2
rfs4000-22D070(config-device-00-23-68-93-11-34-if-radio2)#
3)
mesh client
Commit and Write
rfs4000-22D070(config-device-00-23-68-93-11-34-if-radio2)#com wr
ap71xx 00-23-68-93-11-34
use profile default-ap71xx
use rf-domain default
hostname ap7131-931134
How-To-Guide for Single Hop Mesh
bridge vlan 1
interface radio1
wlan MD-RFS4000 bss 1 primary
interface radio2
mesh client
wlan mesh bss 2 primary
no use dhcp-server-policy
3.3 AP-650 Setup is Identical as 7131 with one exception:
1. Configuration-persistence needs to be turned on for the Portal AP
1)
Login as self
ap650-3185CD88#self
ap650-3185CD88(config-device-00-23-68-85-CD-88)#configurationpersistence
ap650-3185CD88(config-device-00-23-68-85-CD-88)#com wr
2)
Radio 2 Setup
ap650-3185CD88(config-device-00-23-68-85-CD-88)#interface radio 2
ap650-3185CD88(config-device-00-23-68-85-CD-88-if-radio2)#mesh client
3)
Commit and Write
ap650-3185CD88(config-device-00-23-68-85-CD-88-if-radio2)#com wr
ap650 00-23-68-85-CD-88
use profile default-ap650
use rf-domain default
hostname ap650-85CD88
interface radio1
rf-mode 2.4GHz-wlan
channel smart
power smart
data-rates default
no preamble-short
radio-share-mode off
interface radio2
rf-mode 5GHz-wlan
channel 149+
power smart
data-rates an
mesh portal
How-To-Guide for Single Hop Mesh
wlan test bss 3 primary
no preamble-short
radio-share-mode off
lock-rf-mode
configuration-persistence
2. Configuration-persistence has to be “Enabled” on the Client AP-650
1)
ap650-313088#self
ap650-313088(config-device-00-23-68-31-30-88)#configuration-persistence
ap650-313088(config-device-00-23-68-31-30-88)#com wr
2)
ap650-313088(config-device-00-23-68-31-30-88)#interface radio 2
ap650-313088(config-device-00-23-68-31-30-88-if-radio2)#mesh client
ap650-313088(config-device-00-23-68-31-30-88-if-radio2)#com wr
3)
ap650 00-23-68-31-30-88
use profile default-ap650
use rf-domain default
hostname ap650-313088
interface radio1
rf-mode 2.4GHz-wlan
channel smart
power smart
data-rates default
no preamble-short
radio-share-mode off
interface radio2
rf-mode 5GHz-wlan
channel smart
power smart
data-rates an
mesh client
wlan test bss 1 primary
no preamble-short
radio-share-mode off
lock-rf-mode
configuration-persistence
How-To-Guide for Single Hop Mesh
3.4 Configuration-Persistence GUI
1)
On the GUI interface
2)
Configuration,AP-650-xx-xxx
3)
Management, Persist configuration across reloads, “Enable”
How-To-Guide for Single Hop Mesh
4. RF Switch Running Configuration:
The following shows the running configuration of the RFS4000 switch used to create this guide:
RFS4000# show running-config
!
! Configuration of RFS4000 version 5.2.0.0-032D
!
!
version 2.1
!
!
ip access-list BROADCAST-MULTICAST-CONTROL
permit tcp any any rule-precedence 10 rule-description "permit all TCP traffic"
permit udp any eq 67 any eq dhcpc rule-precedence 11 rule-description "permit DHCP replies"
deny udp any range 137 138 any range 137 138 rule-precedence 20 rule-description "deny windows
netbios"
deny ip any 224.0.0.0/4 rule-precedence 21 rule-description "deny IP multicast"
deny ip any host 255.255.255.255 rule-precedence 22 rule-description "deny IP local broadcast"
permit ip any any rule-precedence 100 rule-description "permit all IP traffic"
!
mac access-list PERMIT-ARP-AND-IPv4
permit any any type ip rule-precedence 10 rule-description "permit all IPv4 traffic"
permit any any type arp rule-precedence 20 rule-description "permit all ARP traffic"
!
firewall-policy default
no ip dos smurf
no ip dos twinge
no ip dos invalid-protocol
no ip dos router-advt
no ip dos router-solicit
no ip dos option-route
no ip dos ascend
no ip dos chargen
no ip dos fraggle
no ip dos snork
no ip dos ftp-bounce
no ip dos tcp-intercept
no ip dos broadcast-multicast-icmp
no ip dos land
no ip dos tcp-xmas-scan
no ip dos tcp-null-scan
no ip dos winnuke
no ip dos tcp-fin-scan
no ip dos udp-short-hdr
no ip dos tcp-post-syn
no ip dos tcphdrfrag
no ip dos ip-ttl-zero
no ip dos ipspoof
no ip dos tcp-bad-sequence
no ip dos tcp-sequence-past-window
no ip-mac conflict
no ip-mac routing conflict
no stateful-packet-inspection-l2
!
igmp-snoop-policy default
no igmp-snooping
no querier
unknown-multicast-fwd
!
!
mint-policy global-default
!
wlan-qos-policy default
qos trust dscp
qos trust wmm
!
radio-qos-policy default
!
aaa-policy mdlab
authentication server 1 onboard self
mac-address-format pair-colon case upper attributes all
accounting server preference auth-server-number
How-To-Guide for Single Hop Mesh
!
captive-portal cp
access-type no-auth
server host 192.168.2.100
server mode centralized
terms-agreement
!
wlan MD-RFS4000
ssid MD-RFS4000
vlan 1
bridging-mode tunnel
encryption-type ccmp
authentication-type none
wpa-wpa2 psk 0 george01
no ip arp header-mismatch-validation
!
wlan cp
ssid cp
vlan 1
bridging-mode local
encryption-type ccmp
authentication-type eap
use aaa-policy mdlab
use captive-portal cp
!
wlan mesh
ssid mesh
vlan 1
bridging-mode tunnel
encryption-type none
authentication-type none
no broadcast-ssid
no answer-broadcast-probes
!
smart-rf-policy MD-Lab
group-by area
assignable-power 5GHz max 8
assignable-power 2.4GHz max 8
!
radius-group onboard-ap
policy day mo
policy day tu
policy day we
policy day th
policy day fr
policy day sa
policy day su
!
radius-user-pool-policy ap-users
user pete password 0 miller group onboard-ap
!
radius-server-policy on-ap-radius
use radius-user-pool-policy ap-users
authentication eap-auth-type peap-gtc
!
dhcp-server-policy vlan1
dhcp-pool pool1
network 192.168.2.0/24
address range 192.168.2.200 192.168.2.240
default-router 192.168.2.100
!
!
management-policy default
no http server
https server
ssh
user admin password 1 d33cd505a9f0f040022a95c135da53fdeda5e09764f3e54887847d01bc8073f4 role
superuser access all
user operator password 1 20e0dc7ded6f5deaaec5f3dc9cf71b690b2faaa52bceed16f645f5ac98c5a555 role
monitor access all
no snmp-server manager v2
snmp-server community public ro
snmp-server user snmptrap v3 encrypted des auth md5 0 motorola
snmp-server user snmpoperator v3 encrypted des auth md5 0 operator
snmp-server user snmpmanager v3 encrypted des auth md5 0 motorola
!
profile rfs4000 default-rfs4000
autoinstall configuration
autoinstall firmware
crypto isakmp policy default
How-To-Guide for Single Hop Mesh
crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
interface radio1
interface radio2
interface up1
ip dhcp trust
qos trust dscp
qos trust 802.1p
interface ge1
ip dhcp trust
qos trust dscp
qos trust 802.1p
interface ge2
ip dhcp trust
qos trust dscp
qos trust 802.1p
interface ge3
ip dhcp trust
qos trust dscp
qos trust 802.1p
interface ge4
ip dhcp trust
qos trust dscp
qos trust 802.1p
interface ge5
ip dhcp trust
qos trust dscp
qos trust 802.1p
interface wwan1
use firewall-policy default
logging on
service pm sys-restart
!
profile ap71xx default-ap71xx
autoinstall configuration
autoinstall firmware
interface radio1
preamble-short
interface radio2
wlan MD-RFS4000 bss 1 primary
interface radio3
interface ge1
ip dhcp trust
qos trust dscp
qos trust 802.1p
interface ge2
ip dhcp trust
qos trust dscp
qos trust 802.1p
interface vlan1
ip address dhcp
ip dhcp client request options all
interface wwan1
use firewall-policy default
logging on
service pm sys-restart
!
profile ap6532 default-ap6532
autoinstall configuration
autoinstall firmware
interface radio1
interface radio2
interface ge1
ip dhcp trust
qos trust dscp
qos trust 802.1p
interface vlan1
ip address dhcp
ip dhcp client request options all
use firewall-policy default
logging on
service pm sys-restart
!
profile ap650 default-ap650
autoinstall configuration
autoinstall firmware
interface radio1
interface radio2
interface ge1
ip dhcp trust
qos trust dscp
How-To-Guide for Single Hop Mesh
qos trust 802.1p
interface vlan1
ip address dhcp
ip dhcp client request options
use firewall-policy default
logging on
service pm sys-restart
!
profile ap6521 default-ap6521
autoinstall configuration
autoinstall firmware
interface radio1
interface ge1
ip dhcp trust
qos trust dscp
qos trust 802.1p
interface vlan1
ip address dhcp
ip address zeroconf secondary
ip dhcp client request options
use firewall-policy default
logging on
service pm sys-restart
!
profile ap621 default-ap621
autoinstall configuration
autoinstall firmware
interface radio1
interface ge1
ip dhcp trust
qos trust dscp
qos trust 802.1p
interface vlan1
ip address dhcp
ip address zeroconf secondary
ip dhcp client request options
use firewall-policy default
logging on
service pm sys-restart
!
profile ap6511 default-ap6511
autoinstall configuration
autoinstall firmware
interface radio1
interface up1
ip dhcp trust
qos trust dscp
qos trust 802.1p
interface fe1
ip dhcp trust
qos trust dscp
qos trust 802.1p
interface fe2
ip dhcp trust
qos trust dscp
qos trust 802.1p
interface fe3
ip dhcp trust
qos trust dscp
qos trust 802.1p
interface fe4
ip dhcp trust
qos trust dscp
qos trust 802.1p
interface vlan1
ip address dhcp
ip address zeroconf secondary
ip dhcp client request options
use firewall-policy default
logging on
service pm sys-restart
!
rf-domain default
country-code us
use smart-rf-policy MD-Lab
control-vlan 1
!
rfs4000 00-23-68-22-D0-70
use profile default-rfs4000
use rf-domain default
all
all
all
all
How-To-Guide for Single Hop Mesh
hostname rfs4000-22D070
license AP DEFAULT-6AP-LICENSE
license ADSEC DEFAULT-ADV-SEC-LICENSE
ip default-gateway 192.168.2.100
interface vlan1
ip address 192.168.2.100/24
ip dhcp client request options all
use dhcp-server-policy vlan1
logging on
logging console warnings
logging buffered warnings
!
ap71xx 00-23-68-93-11-34
use profile default-ap71xx
use rf-domain default
hostname ap7131-931134
bridge vlan 1
interface radio1
wlan MD-RFS4000 bss 1 primary
interface radio2
mesh client
wlan mesh bss 2 primary
no use dhcp-server-policy
!
ap71xx 00-23-68-96-FD-34
use profile default-ap71xx
use rf-domain default
hostname ap71xx-96FD34
interface vlan1
ip address 192.168.2.190/24
!
ap71xx 00-23-68-97-00-10
use profile default-ap71xx
use rf-domain default
hostname ap71xx-970010
ip default-gateway 192.168.2.100
use radius-server-policy on-ap-radius
interface radio1
wlan cp bss 2 primary
interface radio2
mesh portal
wlan mesh bss 1 primary
interface vlan1
description vlan1
no use dhcp-server-policy
!
!
end
5. Reference Documentation:
Description
Location
Motorola RFS WiNG 5.1 System Reference Guide
http://support.symbol.com
Motorola WiNG 5.1 CLI Reference Guide
http://support.symbol.com