FCC ID: Q87-LAPAC1750PO AC1750 Pro Dual Band Access Point

User Guide LAPAC1750PRO Linksys Table of Contents Section 1: Getting Started . . . . . . . . . . . . . . . . . . . . . . 1 Administrators Computer Requirements 1 Wireless Client Requirements 2 Online Help, Supported Browsers, and Limitations 2 Dynamic and Static IP Addressing on the AP 3 Installing the Access Point 3 Configuring the Ethernet Settings 5 Configuring IEEE 802 1X Authentication 6 Configuring Security on the Wireless Access Point 6 Section 2: Viewing Access Point System Status . . . . . . . . 7 System Summary 7 Network Interfaces 8 Radio Statistics 10 Workgroup Bridge 13 Associated Client 13 TSPEC Client Associations 15 TSPEC Status and Statistics 16 TSPEC AP Statistics 17 Email Alert Status 18 System Log 18 Section 3: Configuring the Access Point . . . . . . . . . . . . .19 Administration 19 LAN 29 Wireless 33 Table of Contents Security 63 QoS and Access Control 66 SNMP 81 Captive Portal 88 Cluster 88 Section 4: Maintenance of the Access Point . . . . . . . . . 110 Maintenance 110 Diagnostics 114 ii ii Linksys Section 1: Getting Started Section 1: Getting Started The LAPAC1750PRO Access Point provides continuous, high-speed access between wireless devices and Ethernet devices It is an advanced, standards-

based solution for wireless networking in businesses of any size The access point

(AP) enables wireless local area network (WLAN) deployment while providing state-of-the-art wireless networking features The access point can operate in one modes: Standalone Mode In Standalone Mode, the access point acts as an individual access point in the network, and you manage it by using the Administrator Web User Interface (UI) or SNMP This document describes how to perform the setup, management, and maintenance of the access point in Standalone Mode Before you power on a new access point, review the following sections to check required hardware and software components, client configurations, and compatibility issues Make sure you have everything you need for a successful launch and test of your new or extended wireless network This section contains the following topics:

Administrators Computer Requirements Wireless Client Requirements Online Help, Supported Browsers, and Limitations Dynamic and Static IP Addressing on the AP Installing the Access Point Configuring the Ethernet Settings Configuring IEEE 802.1X Authentication Configuring Security on the Wireless Access Point To manage the access point by using the Web interface, the AP needs an IP address If you use VLANs or IEEE 802 1X Authentication (port security) on your network, you might need to configure additional settings on the AP before it can connect to the network note:

The access point is not designed to function as a gateway to the Internet To connect your WLAN to other LANs or the Internet, you need a gateway device Administrators Computer Requirements The following table describes the minimum requirements for the administrators computer for configuration and administration of the access point through a Web-based user interface (UI) Table 1: Requirements for the Administrators Computer Required Software or Component ethernet Connection to the Access Point Wireless Connection to the network Description The computer used to configure the first access point must be connected to the access point by an Ethernet cable After initial configuration and launch of the first access point on your new wireless network, you can make subsequent configuration changes through the Administration Web pages using a wireless connection to the internal network For wireless connection to the access point, your administration device will need Wi-Fi capability similar to that of any wireless client: Portable or built-in Wi-Fi client adapter that supports one or more of the IEEE 802 11 modes in which you plan to run the access point 1 1 Linksys Web Browser and operating System Security Settings Configuration and administration of the access point is provided through a Web-based user interface hosted on the access point We recommend using one of the following supported Web browsers to access the access point Administration Web pages:

Microsoft Internet Explorer version 9.x or 11 x (with up-to-date patch level for either major version) Mozilla Firefox version 26.x Google Chrome version 32.x Safari version 5.x The administration Web browser must have JavaScript enabled to support the interactive features of the administration interface Ensure that security is disabled on the wireless client used to initially configure the access point Wireless Client Requirements The access point provides wireless access to any client with a properly configured Wi-Fi client adapter for the 802 11 mode in which the access point is running The access point supports multiple client operating systems Clients can be laptop or desktop computers, personal digital assistants (PDAs), or any other hand-held, portable or stationary device equipped with a Wi-Fi adapter and supporting drivers In order to connect to the access point, wireless clients need the software and hardware described in the following table Table 2: Requirements for Wireless Clients Required Component Description Wi-Fi Client Adapter Portable or built-in Wi-Fi client adapter that supports one or more of the IEEE 802 11 modes in which you plan to run the access point (IEEE 802 11a, 802 11b, 802 11g, 802 11n, and 802 11ac modes are supported ) Section 1: Getting Started Wireless Client Software Client software, such as Microsoft Windows Supplicant, configured to associate with the access point Client Security Settings Security should be disabled on the client used to do initial configuration of the access point If the Security mode on the access point is set to anything other than plain text, wireless clients will need to set a profile to the authentication mode used by the access point and provide a valid username and password, certificate, or similar user identity proof Security modes are Static WEP, IEEE 802 1X, WPA with RADIUS server, and WPA-PSK For information about configuring security on the access point, see Virtual Access Point (VAP) Online Help, Supported Browsers, and Limitations Online help for the access point Administration Web pages provides information about all fields and features available from the user interface (UI) The information in the online help is a subset of the information available in the LAPAC1750PRO Access Point Administrators Guide Online help information corresponds to each page on the access point Administration UI For information about the settings on the current page, click the link on the right side of a page or the More link at the bottom of the help panel on the UI The following figure shows an example of the online help available from the links on the user interface 2 Linksys Section 1: Getting Started Figure 1: Administrator UI Online Help Dynamic and Static IP Addressing on the AP When you power on the access point, the built-in DHCP client searches for a DHCP server on the network in order to obtain an IP address and other network information If the AP does not find a DHCP server on the network, the AP continues to use its default Static IP Address (192 168 1 252) until you re-assign it a new static IP address (and specify a static IP addressing policy) or until the AP successfully receives network information from a DHCP server To change the connection type and assign a static IP address by using the Web UI, see VLAN and IPv4 Address on page 46 note:

If you do not have a DHCP server on your internal network, and do not plan to use one, the first thing you must do after powering on the access point is change the connection type from DHCP to static IP You can either assign a new static IP address to the AP or continue using the default address We recommend assigning a new static IP address so that if you bring up another WLAN AP on the same network, the IP address for each AP will be unique Recovering an IP Address If you experience trouble communicating with the access point, you can recover a static IP address by resetting the AP configuration to the factory defaults (see Restoring Configuration on page 164 and To Restore the Factory Default Configuration on page 165), or you can get a dynamically assigned address by connecting the AP to a network that has a DHCP server Discovering a Dynamically Assigned IP Address If you have access to the DHCP server on your network and know the MAC address of your AP, you can view the new IP address associated with the MAC address of the AP note:

The MAC address of access point is shown on product label and brown box label Installing the Access Point To access the Administration Web UI, you enter the IP address of the AP into a Web browser You can use the default IP address of the AP (192 168 1 252) to log on to the AP and assign a static IP address, or you can use a DHCP server on you network to assign network information to the AP The DHCP client on the AP is enabled by default To install the access point, use the following steps:

1 Connect the AP to an administrative PC by using a LAN connection or a direct-cable connection 3 Linksys Section 1: Getting Started To use a LAN connection, connect one end of an Ethernet cable to the network port on the access point and the other end to the same hub where your PC is connected, as shown in the following figure The hub or switch you use must permit broadcast signals from the access point to reach all other devices on the network To use a direct-cable connection, connect one end of an Ethernet straight-

through or crossover cable to the network port on the access point and the other end of the cable to the Ethernet port on the PC, as shown in the following figure You can also use a serial cable to connect the serial port on the AP to a serial port on the administrative computer For initial configuration with a direct Ethernet connection and no DHCP server, be sure to set your PC to a static IP address in the same subnet as the default IP address on the access point (The default IP address for the access point is 192 168 1 252 ) If you use this method, you will need to reconfigure the cabling for subsequent startup and deployment of the access point so that the access point is no longer connected directly to the PC but instead is connected to the LAN (either by using a hub or directly) note:

It is possible to detect access points on the network with a wireless connection However, we strongly advise against using this method In most environments you may have no way of knowing whether you are actually connecting to the intended AP Also, many of the initial configuration changes required will cause you to lose connectivity with the AP over a wireless connection note:

Ethernet Port 1 and Port 2 can be used together in Link Aggregation mode when supported by the connected devices 2 Connect the power adapter to the power port on the back of the access point, and then plug the other end of the power cord into a power outlet 3 Use your Web browser to log on to the access point Administration Web pages If the AP did not acquire an IP address from a DHCP server on your network, enter 192 168 1 252 in the address field of your browser, which is the default IP address of the AP If you used a DHCP server on your network to automatically configure network information for the AP, enter the new IP address of the AP into the Web browser 4 When prompted, enter admin for the user name and admin for the password, then click Log In When you first log in, the System Summary page for access point administration is displayed, as the following figure shows 4 Linksys Section 1: Getting Started Figure 2: System Summary Page 5 Verify the settings on the System Summary page For information about the fields on the System Summary page, see System Summary on page 11 Review access point description 6 If you do not have a DHCP server on the management network and do not plan to use one, you must change the Connection Type from DHCP to Static IP You can either assign a new Static IP address to the AP or continue using the default address We recommend assigning a new Static IP address so that if you bring up another Access Point on the same network, the IP address for each AP will be unique To change the connection type and assign a static IP address, see VLAN and IPv4 Address on page 46 7 If your network uses VLANs, you might need to configure the management VLAN ID or untagged VLAN ID on the access point in order for it to work with your network For information about how to configure VLAN information, see VLAN and IPv4 Address on page 46 8 If your network uses IEEE 802 1X port security for network access control, you must configure the 802 1X supplicant information on the AP For information about how to configure the 802 1X user name and password, see 802 1X Supplicant on page 94 Configuring the Ethernet Settings The default Ethernet settings, which include DHCP and VLAN information, might not work for all networks By default, the DHCP client on the access point automatically broadcasts requests for network information If you want to use a static IP address, you must disable the DHCP client and manually configure the IP address and other network information The management VLAN is VLAN 1 by default This VLAN is also the default untagged VLAN If you already have a management VLAN configured on your network with a different VLAN ID, you must change the VLAN ID of the management VLAN on the access point For information about using the Web interface to configure the Ethernet settings, see VLAN and IPv4 Address on page 46 5 Linksys Section 1: Getting Started Configuring IEEE 802.1X Authentication On networks that use IEEE 802 1X, port-based network access control, a supplicant (client) cannot gain access to the network until the 802 1X authenticator grants access If your network uses 802 1X, you must configure 802 1X authentication information that the AP can supply to the authenticator If your network uses IEEE 802 1X see 802 1X Supplicant on page 94 for information about how to configure 802 1X by using the Web interface Verifying the Installation Make sure the access point is connected to the LAN and associate some wireless clients with the network Once you have tested the basics of your wireless network, you can enable more security and fine-tune the AP by modifying advanced configuration features 1 Connect the access point to the LAN If you configured the access point and administrator PC by connecting both into a network hub, then your access point is already connected to the LAN The next step is to test some wireless clients If you configured the access point by using a direct cable connection from your computer to the access point, do the following procedures:

a Disconnect the cable from the computer and the access point b Connect an Ethernet cable from the access point to the LAN c Connect your computer to the LAN by using an Ethernet cable or a wireless card 2 Test LAN connectivity with wireless clients Test the access point by trying to detect it and associate with it from some wireless client devices For information about requirements for these clients, see Wireless Client Requirements on page 2 3 Secure and configure the access point by using advanced features Once the wireless network is up and you can connect to the AP with some wireless clients, you can add in layers of security, create multiple virtual access points (VAPs), and configure performance settings note:

The WLAN AP is not designed for multiple, simultaneous configuration changes If more than one administrator is logged onto the Administration Web pages and making changes to the configuration, there is no guarantee that all configuration changes specified by multiple users will be applied By default, no security is in place on the access point, so any wireless client can associate with it and access your LAN An important next step is to configure security, as described in Virtual Access Point (VAP) on page 64 Configuring Security on the Wireless Access Point You configure secure wireless client access by configuring security for each virtual access point (VAP) that you enable You can configure up to 8 VAPs per radio that simulate multiple APs in one physical access point By default, only one VAP is enabled For each VAP, you can configure a unique security mode to control wireless client access VLAN ID: 1 Each radio has 8 VAPs, with VAP IDs from 0-7 By default, only VAP 0 on each radio is enabled VAP0 has the following default settings:

SSID: LinksysSMB24G for Radio 1 (2 4GHz), and LinksysSMB5G for Radio 2

(5GHz) Broadcast SSID: Enabled Security: None MAC Authentication Type: None All other VAPs are disabled by default The default SSID for VAPs 17 is Virtual Access Point x where x is the VAP ID Redirect Mode: None To prevent unauthorized access to the access point, we recommend that you select and configure a security option other than None for the default VAP and for each VAP that you enable For information about how to configure the security settings on each VAP, see Virtual Access Point (VAP) on page 64 6 Linksys Section 2: Viewing Access Point System Status Section 2: Viewing Access Point System Status System Summary From the System Summary page, you can view various information about the access point (AP), including IP and MAC address information Table 3 describes the fields and configuration options on the System Summary page This section describes the information you can view from the tabs under the Status and Statistics heading on the Administration Web UI Radio Statistics System Summary Network Interfaces Status and Statistics This topic contains the following subsections:

Workgroup Bridge Associated Client TSPEC Status and Statistics TSPEC Client Associations TSPEC AP Statistics Email Alert Status System Log Field IPv4 Address IPv6 Address IPv6 Address Status IPv6 Autoconfigured Global Addresses IPv6 Link Local Address Table 3: System Summary Page Description Shows the IP address assigned to the AP This field is not editable on this page because the IP address is already assigned (either by DHCP, or statically through the Ethernet Settings page) Shows the IPv6 address assigned to the AP This field is not editable on this page because the IP address is already assigned (either by DHCPv6, or statically through the Management IPv6 page) Shows the operational status of the static IPv6 address assigned to the management interface of the AP The possible values are Operational and Tentative note:

If an IPv6 address has not been manually configured or leased from a DHCPv6 server, the field is blank Shows each automatically configured global IPv6 address for the management interface of the AP Shows the IPv6 Link Local address, which is the IPv6 address used by the local physical link The Link Local address is not configurable and is assigned by using the IPv6 Neighbor Discovery process Device name Generic name to identify the type of hardware Model number Identifies the AP hardware model Serial number Shows the AP serial number 7 Linksys MAC Address Firmware Version Shows the MAC address of the AP The address shown here is the MAC address associated with the management interface This is the address by which the AP is known externally to other networks Shows version information about the firmware currently installed on the AP As new versions of the WLAN AP firmware become available, you can upgrade the firmware on your AP Hardware Version Identifies the AP hardware version System Uptime Provides information about the system start up time Power Source The power source of monitor system is the power adapter or PoE Connecting to the AP Web Interface Using the IPv6 Address To connect to the AP by using the IPv6 global address or IPv6 Link Local address, you must enter the AP address into your browser in a special format note:

The following instructions and examples work with Microsoft Internet Explorer 7 (IE7) and might not work with other browsers To connect to an IPv6 global address, add square brackets around the IPv6 address For example, if the AP global IPv6 address is 2520::230:abff:fe00:2420, type the following address into the IE7 address field: http://[2520::230:abff:fe00:2420]

To connect to the iPv6 Link Local address, replace the colons (:) with hyphens

(-), add the interface number, preceded by an s, then add ipv6-literal net For example, if the AP Link Local address is fe80::230:abff:fe00:2420, and the Windows interface is defined as %6, type the following address into the IE7 address field: http://fe80--230-abff-fe00-2420s6 ipv6-literal net Section 2: Viewing Access Point System Status Network Interfaces This page displays the current settings for the wired Ethernet interface and the wireless radio interfaces on the AP To monitor Ethernet LAN (wired) and wireless LAN (WLAN) settings, click the System Status > Status and Statistics > Network Interfaces tab Figure 3: Viewing Network Interfaces note:

The information on this page is read-only To change the wired or wireless interface settings, click the edit link associated with the appropriate section 8 Linksys Section 2: Viewing Access Point System Status LAN Status (Management Interface) LAN Status shows information about the internal Ethernet interface, which is the primary interface used to manage the AP To change the wired settings, click the Edit link After you click Edit, you are redirected to the VLAN and IPv4 Address page For information about configuring these settings, see VLAN and IPv4 Address Table 4: LAN Interface Settings Field Description MAC Address VLAn ID The MAC address for the LAN interface for the Ethernet port on this AP This is a read-only field that you cannot change The management VLAN is the VLAN associated with the IP address you use to access the AP management interface The default management VLAN ID is 1 ID This IPv4 Address The IP address of the management interface Subnet Mask The subnet mask associated with the management IP address DnS-1 DnS-2 The primary and secondary DNS servers to use for name-to-IP address resolution Default Gateway The default gateway for the IPv4 network interface IPv6 Address The IPv6 address of the management interface IPv6 Autoconfigured Global Addresses IPv6 Link Local Address IPv6-DnS-1 IPv6-DnS-2 Default IPv6 Gateway If the AP has been assigned one or more IPv6 addresses automatically, the addresses are listed The IPv6 Link Local address, which is the IPv6 address used by the local physical link The Link Local address is not configurable and is assigned by using the IPv6 Neighbor Discovery process The primary and secondary DNS servers to use for name-to-IPv6 address resolution The default gateway for the IPv6 network interface Wireless Status The wireless settings show summary information about the radio interface configuration Table 5 describes the fields and configuration options available on the Wireless Status page Field AeroScout engine Communications Status Table 5: Wireless Status Description The status of the AeroScout protocol on the AP When enabled, AeroScout devices are recognized and data is sent to an AeroScout Engine (AE) for analysis The AE determines the geographical location of 802 11-capable devices, such as STAs, APs, and AeroScouts line of 802 11-enabled RFID devices, or tags The AE communicates with APs that support the AE protocol in order to collect information about the RF devices detected by the APs Radio One and Radio Two MAC Address The MAC addresses for the interface This page shows the MAC addresses for Radio Interface One and Radio Interface Two A MAC address is a permanent, unique hardware address for any device that represents an interface to the network The MAC address is assigned by the manufacturer You cannot change the MAC address It is provided here for informational purposes as a unique identifier for an interface 9 Linksys Mode The Physical Layer (PHY) standard the radio uses:

IEEE 802 11b/g 802 11b and 802 11g clients can connect to the AP IEEE 802 11b/g/n 802 11b, 802 11g, and 802 11n clients operating in the 2 4-GHz frequency can connect to the AP IEEE 802 11n Only 802 11n clients operating in the 2 4-GHz frequency can connect to the AP IEEE 802 11a Only 802 11a clients can connect to the AP This mode is available only on Radio 2 IEEE 802 11a/n/ac 802 11a, 802 11n, and 802 11ac clients operating in the 5-GHz frequency can connect to the AP This mode is available only on Radio 2 IEEE 802 11n/ac 802 11n clients and 802 11ac clients operating in the 5-GHz frequency can connect to the AP This mode is available only on Radio 2 Channel operational Bandwidth The current operating channel The channel defines the portion of the radio spectrum the radio uses for transmitting and receiving Each mode offers a number of channels, depending on how the spectrum is licensed by national and transnational authorities such as the Federal Communications Commission (FCC) or the International Telecommunication Union (ITU-R) The size of the bandwidth, in MHz, the current channel is using To change the radio mode or channel settings, click the Edit link After you click Edit, you are redirected to the Radio page For information about configuring these settings, see Radio Section 2: Viewing Access Point System Status Radio Statistics The Radio Statistics page provides detailed information about the packets and bytes transmitted and received on the radio (wireless) interface of this access point To view Radio Statistics, click the System Status > Radio Statistics tab Figure 4: Radio Statistics The following table describes details about the Radio Statistics information Table 6: Radio Statistics Information Field Radio Description Choose either radio 1 or radio 2 WLAn Packets Received WLAn Bytes Received WLAn Packets transmitted Total packets received by the AP on this radio interface Total bytes received by the AP on this radio interface Total packets transmitted by the AP on this radio interface 10 Linksys WLAn Bytes transmitted WLAn Packets Received Dropped WLAn Bytes Received Dropped WLAn Packets transmit Dropped WLAn Bytes transmit Dropped Fragments Received Fragments transmitted Multicast Frames Received Multicast Frames transmitted Duplicate Frame Count Section 2: Viewing Access Point System Status Total bytes transmitted by the AP on this radio interface Multiple Retry Count Number of times an MSDU is successfully transmitted after more than one retry Number of packets received by the AP on this radio interface that were dropped Number of bytes received by the AP on this radio interface that were dropped RtS Success Count RtS Failure Count ACK Failure Count Count of CTS frames received in response to an RTS frame Count of CTS frames not received in response to an RTS frame Count of ACK frames not received when expected Number of packets transmitted by the AP on this radio interface that were dropped FCS error Count Count of FCS errors detected in a received MPDU frame transmitted Frame Count WeP Undecryptable Count Count of each successfully transmitted MSDU Count of encrypted frames received where:

1 The key configuration of the transmitter indicates that the frame should not have been encrypted 2 The frame was discarded due to the receiving station not implementing the privacy option Number of bytes transmitted by the AP on this radio interface that were dropped Count of successfully received MPDU frames of type data or management Number of transmitted MPDU with an individual address or an MPDU with a multicast address of type data or management Count of MSDU frames received with the multicast bit set in the destination MAC address Count of successfully transmitted MSDU frames where the multicast bit is set in the destination MAC address Number of times a frame is received and the Sequence Control field indicates it is a duplicate Failed transmit Count Number of times an MSDU is not transmitted successfully due to transmit attempts exceeding either the short retry limit or the long retry limit transmit Retry Count Number of times an MSDU is successfully transmitted after one or more retries 11 Linksys Section 2: Viewing Access Point System Status Interface Statistics The Interface Statistics page provides some basic information about the AP and a real-time display of transmit and receive statistics for the Ethernet interface on the AP, and for the VAPs on both radio interfaces All transmit and receive statistics shown are totals since the AP was last started If you reboot the AP, these figures indicate transmit and receive totals since the reboot To view transmit and receive statistics, click the System Status > Interface Statistics tab Figure 5: Interface Statistics Field Interface Status Table Interface name (SSID) Status MAC Address VLAn ID Table 7: Interface Statistics Description The name of the Ethernet or VAP interface Wireless network name Also known as the SSID, this alphanumeric key uniquely identifies a wireless local area network The SSID is set on the VAP tab (See Virtual Access Point (VAP) on page 64) Shows whether the interface is enabled (up) or disabled (down) MAC address for the specified interface The AP has a unique MAC address for each interface Each radio has a different MAC address for each interface on each of its two radios Virtual LAN (VLAN) ID You can use VLANs to establish multiple internal and guest networks on the same AP The VLAN ID is set on the VAP tab (See Virtual Access Point (VAP) on page 64) Indicates total packets sent or received by this AP Indicates total bytes sent or received by this AP Indicates total number of packets sent or received by this AP that were dropped Indicates total number of bytes sent or received by this AP that were dropped Indicates total errors related to sending and receiving data on this AP Interface Statistics Table total Packets total Bytes Dropped Packets Dropped Bytes errors Click Refresh to refresh the information on the page 12 Linksys Section 2: Viewing Access Point System Status Workgroup Bridge The Workgroup Bridge page displays packet and byte counts for traffic between stations on a workgroup bridge The information in the following table is available for each network interface that is configured as a workgroup bridge interface Figure 6: Workgroup Bridge total Bytes The total number of Sent/Received bytes bridged between the wired clients in the workgroup bridge and the wireless network Associated Client The associated clients are displayed along with information about packet traffic transmitted and received for each station Click the System Status > Associations Client tab. Figure 7: Association Client Table 8: Workgroup Bridge Field Description Status Table Interface Name of the Ethernet or VAP interface name (SSID) Status VLAn ID Statistics Table total Packets Wireless network name Also known as the SSID, this alphanumeric key uniquely identifies a wireless local area network The SSID is set on the VAP tab See Configuring VAPs Whether the interface is disconnected or is administratively configured as enabled (up) or disabled (down) Virtual LAN (VLAN) ID You can use VLANs to establish multiple internal and guest networks on the same AP The VLAN ID is set on the VAP tab See Configuring VAPs The total number of Sent/Received packets bridged between the wired clients in the workgroup bridge and the wireless network Field network Table 9: Associated Clients Description Shows which VAP the client is associated with For example, an entry of wlan0vap2 means the client is associated with Radio 1, VAP 2 An entry of wlan0 means the client is associated with VAP 0 on Radio 1 An entry of wlan1 means the client is associated with VAP 0 on Radio 2 Station Shows the MAC address of the associated wireless client 13 Linksys Status The Authenticated and Associated Status shows the underlying IEEE 802 11 authentication and association status, which is present no matter which type of security the client uses to connect to the AP This status does not show other (IEEE 802 1X) authentication or association status Some points to keep in mind with regard to this field are:

If the AP security mode is None or Static WEP, the authentication and association status of clients showing on the Client Associations tab will be in line with what is expected; that is, if a client shows as authenticated to the AP, it will be able to transmit and receive data (This is because Static WEP uses only IEEE 802 11 authentication ) If the AP uses IEEE 802.1X or WPA security, however, it is possible for a client association to show on this tab as authenticated (via the IEEE 802 11 security) but actually not be authenticated to the AP via the second layer of security From Station These fields report information about traffic sent from a wireless client to the AP Packets Bytes The number of packets received from the wireless client The number of bytes received from the wireless client Drop Packets The number of packets that were dropped after being received Drop Bytes tS Violate Packets The number of bytes that were dropped after being received The number of packets sent from a wireless client to the AP in excess of its active TS uplink bandwidth, or for an access category requiring admission control to which the wireless client has not been admitted Section 2: Viewing Access Point System Status To Station These fields report information about traffic sent from the AP to a wireless client Packets Bytes The number of packets sent from the AP to the wireless client The number of bytes sent from the AP to the wireless client Drop Packets The number of packets that the AP attempted to send to the wireless client but were dropped Drop Bytes tS Violate Packets The number of bytes that the AP attempted to send to the wireless client but were dropped The number of packets sent from the AP to a wireless client in excess of its active TS downlink bandwidth, or for an access category requiring admission control to which the wireless client has not been admitted Link Integrity Monitoring The access point provides link integrity monitoring to continually verify its connection to each associated client To do this, the AP sends data packets to clients every few seconds when no other traffic is passing This allows the AP to detect when a client goes out of range, even during periods when no normal traffic is exchanged The client connection drops off the list within 300 seconds if these data packets are not acknowledged, even if no disassociation message is received 14 Linksys Section 2: Viewing Access Point System Status TSPEC Client Associations The TSPEC Client Association Status and Statistics page provides information about the TSPEC client data transmitted and received by this access point Table 10 shows voice and video packets transmitted and received by the association, along with status information The page shows a real-time display of transmit and receive statistics for the TSPEC clients All transmit and receive statistics shown are totals since the client association started A TSPEC is a traffic specification that is sent from a QoS-capable wireless client to an AP requesting a certain amount of network access for the traffic stream

(TS) it represents A traffic stream is a collection of data packets identified by the wireless client as belonging to a particular user priority An example of a voice traffic stream is a Wi-Fi-certified telephone handset that marks its codec-

generated data packets as voice priority traffic An example of a video traffic stream is a video player application on a wireless laptop that prioritizes a video conference feed from a corporate server To view TSPEC Client Association statistics, click the System Status > TSPEC Client Associations tab Figure 8: TSPEC Client Associations tS Identifier TSPEC Traffic Session Identifier (range 0-7) Access Category TS Access Category (voice or video) Direction User Priority Uplink The traffic direction for this TS Bidirectional Downlink The User Priority (UP) for this TS The UP is sent with each packet in the UP portion of the IP header Typical values are:

The value may differ depending on other priority traffic sessions 4 or 5 for video 6 or 7 for voice Medium time excess Usage events The time that the TS traffic occupies the transmission medium The number of times the client has exceeded the medium time established for its TSPEC Minor, infrequent violations are ignored VAP MAC Address Statistics The VAP MAC address network Station Radio interface used by the client Client station MAC address tS Identifier TSPEC Traffic Session Identifier (range 0-7) Access Category TS Access Category (voice or video) Table 10: TSPEC Client Associations Description Field Status network SSID Station Radio interface used by the client The service set identifier associated with this TS client Client station MAC address Direction Uplink The traffic direction for this TS Direction can be:

Bidirectional Downlink 15 Section 2: Viewing Access Point System Status Figure 9: TSPEC Status and Statistics Linksys From Station to Station The number of packets and bytes received from the wireless client, and the number of packets and bytes that were dropped after being received Also, the number of packets:

for which no TSPEC has been established when admission is required by the AP in excess of an admitted TSPEC The number of packets and bytes transmitted from the AP to the client, and the number of packets and bytes that were dropped upon transmission Also, the number of packets:

for which no TSPEC has been established when admission is required by the AP in excess of an admitted TSPEC TSPEC Status and Statistics The TSPEC Status and Statistics page provides:

Summary information about TSPEC sessions by VAP Summary information about TSPEC sessions by radio Real-time transmit and receive statistics for the TSPEC VAPs on all radio interfaces All transmit and receive statistics shown are totals since the AP was last started If you reboot the AP, these figures indicate transmit and receive totals since the reboot To view TSPEC status and statistics, click the System Status > TSPEC Status and Statistics tab The following image has been edited to show some of the transmit and receive statistics 16 Linksys Section 2: Viewing Access Point System Status Table 11: TSPEC Status and Statistics Field Description Interface Indicates the name of the Radio or VAP interface Access Category Status Active tS tS Clients Med . time Admitted Med . time Unallocated total Bytes Indicates Current Access Category associated with this Traffic Stream (voice or video) Indicates whether the TSPEC session is enabled (up) or disabled (down) for the corresponding Access Category note: This is a configuration status (does not necessarily represent the current session activity) Indicates the number of currently active TSPEC Traffic Streams for this radio and Access Category Indicates the number of Traffic Stream clients associated with this radio and Access Category Time allocated for this Access Category over the transmission medium to carry data This value should be less than or equal to the maximum bandwidth allowed over the medium for this TS Time of unused bandwidth for this Access Category Indicates the total number of TS bytes sent (in Transmit table) or received (in Received table) by this Radio for the specified Access Category total Packets Indicates the total number of TS packets sent (in Transmit table) or received (in Received table) by this Radio for the specified Access Category total Voice Packets Indicates the total number of TS voice packets sent (in Transmit table) or received (in Received table) by this AP for this VAP total Voice Bytes Indicates the total TS voice bytes sent (in Transmit table) or received (in Received table) by this AP for this VAP total Video Packets Indicates the total number of TS video packets sent (in Transmit table) or received (in Received table) by this AP for this VAP total Video Bytes Indicates the total TS video bytes sent (in Transmit table) or received (in Received table) by this AP for this VAP Click Refresh to refresh the page TSPEC AP Statistics The TSPEC AP Statistics page provides information on the voice and video Traffic Streams accepted and rejected by the AP To view TSPEC AP statistics, click the System Status > TSPEC AP Statistics tab Figure 10: TSPEC AP Statistics Table 12: TSPEC AP Statistics Field Description tSPeC Statistics Summary for Voice ACM tSPeC Statistics Summary for Video ACM Indicates the total number of accepted and the total number of rejected voice Traffic Streams Indicates the total number of accepted and the total number of rejected video Traffic Streams Click Refresh to refresh the page 17 Linksys Section 2: Viewing Access Point System Status Email Alert Status The Email Alert Status page provides information about the email alerts sent based on the syslog messages generated in the AP System Log From the System Log page, you can view the most recent system log generated by this AP To view the Email Alert Operational Status, click the System Status > Email Alert Status tab To view the Email Alert Operational Status, click the System Status > System Log tab To configure the email alerts, see Email Alert on page 38 To configure the Log settings, see Log Settings Figure 11: Email Alert Status Figure 13: System Log Table 13: Email Alert Status Field Description email Alert Status number of email Sent number of email Failed time Since Last email Sent The Email Alert operational status The status is either Up or Down The default is Down The total number of emails sent so far The range is an unsigned integer of 32 bits The default is 0 The total number of email failures so far The range is an unsigned integer of 32 bits The default is 0 The time and date when the last email alert was sent The AP uses the system time to report the information If an email has not been sent since the device was reset, the status is not sent Table 14: System Log Field Description time Settings The system time when the event occurred type alert alert crit critical emerg emergency Specify the type of the log messages to write to non-

volatile memory warn warning debug debug notice notice info info err error Service The software component associated with the log Description Log content 18 Linksys Section 3: Configuring the Access Point Section 3: Configuring the Access Point Administration LAN Wireless Security Cluster SNMP Captive Portal QoS and Access Control Time Settings System Settings Administration This section describes how to set up your access point and perform diagnostics Use the tabs under the Configuration heading on the Administration Web UI Management Access HTTP/HTTPS Service Discovery - Bonjour Discovery - LLDP Log Settings Email Alert System Settings From the System Settings page, you can change the administrator password and system settings e g device name, system contact We strongly recommended you choose a new password based on the standard guidelines for strong password security instead of using default password, which is admin Figure 12 shows the System Settings page Figure 12: System Settings Table 15: System Settings page Field Description new Password Enter a new administrator password The characters you enter are displayed as bullets to prevent others from seeing your password as you type The password can be up to 32 characters Do not use special characters or spaces note: As an immediate first step in securing your wireless network, we recommend that you change the administrator password from the default Confirm new Password Re-enter the new administrator password to confirm that you typed it as intended 19 Linksys Device name System Contact System Location Name your AP This name appears only on the Basic Settings page and is used to identify the AP to the administrator A valid name is 1 to 64 alphanumeric characters, and can include letters, digits, hyphens and spaces Enter the name, e-mail address, or phone number of the person to contact regarding issues related to the AP Enter the physical Conference Room A location of the AP, for example Time Settings The Network Time Protocol (NTP) is an Internet standard protocol that synchronizes computer clock times on your network NTP servers transmit Coordinated Universal Time (UTC, also known as Greenwich Mean Time) to their client systems NTP sends periodic time requests to servers, using the returned time stamp to adjust its clock The timestamp is used to indicate the date and time of each event in log messages See http://www .ntp .org for more information about NTP To configure the address of the NTP server that the AP uses or to set the system time manually, click the Configuration > Administration > Time Settings tab and update the fields as described in Table 16 note:

The fields available to configure depend on whether you choose to set the system time manually or by using an NTP server Section 3: Configuring the Access Point Figure 13 shows the Time Settings page when the manual option is selected Figure 13: Setting the Time Manually Figure 14 shows the Time Settings page when the Use Network Time Protocol

(NTP) option is selected Figure 14: Setting the Time Using an NTP Server 20 Linksys Section 3: Configuring the Access Point Table 16: Time Settings Field Description System Clock Source ntP Server IPv4/

IPv6 Addr/name Set the system time To permit the AP to poll an NTP server, select Network Time Protocol (NTP) To manually configure the time and date, select Manually When this option is selected, the AP does not attempt to poll an NTP server If NTP is enabled, specify the NTP server to use You can specify the NTP server by hostname, IPv4 address, or IPv6 address, although using the IPv4/IPv6 address is not recommended as these can change more readily The length must be between 1253 characters If you specify a hostname, note the following requirements:

Upper and lower case characters, numbers, and hyphens are accepted The first character must be a letter (az or AZ) or number (09), and the last character cannot be a hyphen Select your local time zone from the menu The default is USA (Pacific) System will adjust the reported time for Daylight Savings Time (DST), which is also known as Summer Time When selected, fields to configure Daylight Savings Time settings will appear time Zone Adjust time for Daylight Savings Daylight Savings Start Configure the date and time to begin Daylight Savings Time for the System Time Daylight Saving end Configure the date and time to end Daylight Savings Time for the System Time Daylight Savings offset Select the number of minutes to offset DST The default is 60 (minutes) note:

After you configure the Time settings, you must click Save to apply the changes and save the changes to startup configuration file Changing some settings might cause the AP to stop and restart system processes If this happens, wireless clients will temporarily lose connectivity We recommend that you change AP settings when WLAN traffic is low note:

Hostnames are composed of a series of labels joined with dots, as are all domain names Each label must be between 1 and 63 characters long, and the entire hostname (including dots) has a maximum of 253 characters Log Settings The Log Settings page shows real-time system logs on the AP such as wireless clients associating with the AP and being authenticated From the Log Settings page, you can enable and configure persistent logging to write system logs to non-volatile memory so that the events are not erased when the system reboots This page also gives you the option of enabling a remote log relay host to capture all system logs and errors in a kernel log To view system events, click the Configuration > Administration > Log Settings tab Figure 15: Log Settings 21 Linksys Section 3: Configuring the Access Point Configuring Persistent Logging Options If the system unexpectedly reboots, log messages can be useful to diagnose the cause However, log messages are erased when the system reboots unless you enable persistent logging Caution!

Enabling persistent logging can wear out the flash (non-volatile) memory and degrade network performance You should only enable persistent logging to debug a problem Make sure you disable persistent logging after you finish debugging the problem Table 17: Logging Options Field Description Persistence Choose Enabled to save system logs to non-volatile memory so that the logs are not erased when the AP reboots When persistence is enabled, we can store up to 128 messages in non-volatile memory Choose Disabled to save system logs to volatile memory Logs in volatile memory are deleted when the system reboots Severity Depth 1 alert 2 critical 0 emergency Specify the severity level of the log messages to write to non-

volatile memory For example, if you specify 2, critical, alert, and emergency logs are written to non-volatile memory Error messages with a severity level of 37 are written to volatile memory You can store up to 512 messages in non-volatile memory Once the number you configure in this field is reached, the oldest log event is overwritten by the new log event 4 warning 7 debug 5 notice 3 error 6 info note:

To apply your changes, click Save Changing some settings might cause the AP to stop and restart system processes If this happens, wireless clients will temporarily lose connectivity We recommend that you change AP settings when WLAN traffic is low Configuring the Log Relay Host for Kernel Messages The Kernel Log is a comprehensive list of system events (shown in the System Log) and kernel messages such as error conditions, like dropping frames You cannot view kernel log messages directly from the Administration Web UI for an AP You must first set up a remote server running a syslog process and acting as a syslog log relay host on your network Then, you can configure the access point to send syslog messages to the remote server Allows aggregation of syslog messages from multiple APs Stores a longer history of messages than kept on a single AP Remote log server collection for AP syslog messages provides the following features:

To use Kernel Log relaying, you must configure a remote server to receive the syslog messages The procedure to configure a remote log host depends on the type of system you use as the remote host Triggers scripted management operations and alerts note:

The syslog process will default to use port 514 We recommend keeping this default port However, If you choose to reconfigure the log port, make sure that the port number you assign to syslog is not being used by another process 22 Linksys Section 3: Configuring the Access Point Enabling or Disabling the Log Relay Host on the Log Settings Page To enable and configure Log Relaying on the Log Settings page, set the Log Relay options as described in the following table, and then click Save Table 18: Log Relay Host Field Description Relay Log Select Enabled to allow the access point to send log messages to a remote host Select Disabled to keep all log messages on the local system Relay Host Specify the IPv4 address, IPv6 address, or DNS name of the remote log server Relay Port Specify the Port number for the syslog process on the Relay Host The default port is 514 note:

To apply your changes, click Save Changing some settings might cause the AP to stop and restart system processes If this happens, wireless clients will temporarily lose connectivity We recommend that you change AP settings when WLAN traffic is low note:

Hostnames are composed of series of labels joined with dots, as are all domain names Each label must be between 1 and 63 characters long, and the entire hostname (including dots) has a maximum of 253 characters If you enabled the Log Relay Host, clicking Save will activate remote logging The AP will send its kernel messages in real-time for display to the remote log server monitor, a specified kernel log file, or other storage, depending on how you configured the Log Relay Host If you disabled the Log Relay Host, clicking Save will disable remote logging Email Alert The Email Alert feature allows the AP to automatically send email messages when an event at or above the configured severity level occurs Use the Email Alert page to configure mail server settings, to set the severity level that triggers alerts, and to add up to three email addresses where urgent and non urgent email alerts are sent Figure 16: Configuring Email Alert Table 19: Email Alert Configuration Field Description Global Configuration Admin Mode Globally enable or disable the Email Alert feature on the AP By default, email alerts are disabled 23 Linksys From email Address Log Duration Urgent Message Severity Specify the email address that appears in the From field of alert messages sent from the AP, for example AP23@foo com The address can be a maximum of 255 characters and can contain only printable characters By default, no address is configured This duration, in minutes, determines how frequently the non critical messages are sent to the SMTP Server The range is 30-1440 minutes The default is 30 minutes Configures the severity level for log messages that are considered to be urgent Messages in this category are sent immediately The security level you select and all higher levels are urgent:

Emergency indicates system is unusable It is the highest level of severity indicates Alert immediately action must be taken Error indicates error conditions Critical indicates critical conditions Warning indicates warning conditions indicates normal but Notice conditions significant Informational indicates informational messages Debug indicates debug-level messages non Urgent Severity Configures the severity level for log messages that are considered to be non urgent Messages in this category are collected and sent in a digest form at the time interval specified by the Log Duration field The security level you select, and all levels up to but not including the lowest urgent level, are considered non-urgent Messages below the security level you specify are not sent via email See the Urgent Message field description for information about the security levels Section 3: Configuring the Access Point Mail Server Configuration Mail Server Address Specify the IP address or hostname of the SMTP server on the network Mail Server Security Specify whether to use SMTP over SSL (TLSv1) or no security (Open) for authentication with the mail server The default is TLSv1 Mail Server Port Username Password Configures the TCP port number for SMTP The range is a valid port number from 0 to 65535 The default is 465, which is the standard port for SMTP Specify the username to use when authentication with the mail server is required The username is a 64-byte character string with all printable characters The default is admin Specify the password associated with the username configured in the previous field Message Configuration to Address 1 to Address 2 to Address 3 email Subject Configure the first email address to which alert messages are sent The address must be a valid email address By default, no address is configured Optionally, configure the second email address to which alert messages are sent The address must be a valid email address By default, no address is configured Optionally, configure the third email address to which alert messages are sent The address must be a valid email address By default, no address is configured Specify the text to be displayed in the subject of the email alert message The subject can contain up to 255 alphanumeric characters The default is Log message from AP 24 Linksys Section 3: Configuring the Access Point note:

After you configure the Email Alert settings, you must click Save to apply the changes and save the changes to startup configuration file note:

Hostnames are composed of a series of labels joined with dots, as are all domain names Each label must be between 1 and 63 characters long, and the entire hostname (including dots) has a maximum of 253 characters To validate the configured email server credentials, click Test Mail You can send a test email once the email server details are configured The following text shows an example of an email alert sent from the AP to the network administrator:

From: AP-192 168 2 10@mailserver com Sent: Wednesday, February 08, 2012 11:16 AM To: administrator@mailserver com Subject: log message from AP TIME Priority Process Id Message Feb 8 03:48:25 info login[1457] root login on ttyp0 Feb 8 03:48:26 info mini_http-ssl[1175] Max concurrent connections of 20 reached on current connections of 20 reached Management Access You can create an access control list (ACL) that lists up to five IPv4 hosts and five IPv6 hosts that are authorized to access the AP management interface If this feature is disabled, anyone can access the management interface from any network client by supplying the correct AP user name and password Figure 17: Management Access Table 20: Management Access Field Description Management ACL Mode Enable or disable the management ACL feature At least one IPv4 or IPv6 address should be configured before enabling Management ACL Mode If enabled, only the IP addresses you specify will have Web, Telnet, SSH, and SNMP access to the management interface IP Address

(15) five Enter up to IPv4 addresses that are allowed management access to the AP Use dotted-decimal format

(for example, 192 168 10 10) IPv6 Address

(15) five Enter up to IPv6 addresses that are allowed management access to the AP Use the standard IPv6 address format (for example 2001:0db8:1234::abcd) note:

After you configure the settings, click Save to apply the changes and to save the settings 25 Linksys Section 3: Configuring the Access Point HTTP/HTTPS Service The AP can be managed through HTTP or secure HTTP (HTTPS) sessions By default both HTTP and HTTPS access are enabled Either access type can be disabled separately To configure Web server settings, click the Services > Web Server tab Figure 18: HTTP/HTTPS Service Table 21: HTTP/HTTPS Service Field Description HttP Server Status Enable or disable access through HTTP This setting is independent of the HTTPS server status setting HttP Port Specify the port number for HTTP traffic (default is 80) HttP Redirect to HttPS Redirecting all traffic from HTTP to HTTPS and make sure users always access the site securely This field is available only when HTTP access disabled HttPS Server Status HttPS Port Maximum Sessions Session timeout Enable or disable access through a Secure HTTP Server

(HTTPS) Specify the port number for HTTPS traffic (default is 443) When a user logs in to the AP web interface, a session is created This session is maintained until the user logs off or the session inactivity timer expires Enter the number web sessions, including both HTTP and HTTPS, that can exist at the same time The range is 110 sessions The default is 5 If the maximum number of sessions is reached, the next user who attempts to log on to the AP web interface receives an error message about the session limit Enter the maximum amount of time in minutes an inactive user remains logged on to the AP web interface When the configured timeout is reached, the user is automatically logged off the AP The range is 11440 minutes (1440 minutes = 1 day) The default is 60

(minutes) Generate SSL Certificate 26 Linksys Generate Certificate SSL Click Generate to generate a new HTTP SSL certificate for the secure Web server This should be done once the access point has an IP address to ensure that the common name for the certificate matches the IP address of the access point Generating a new SSL certificate will restart the secure Web server The secure connection will not work until the new certificate is accepted on the browser SSL Certificate File Status Certificate Present File Indicates if the HTTP SSL Certificate file is present Range is either Yes or No Certificate expiration Date Certificate Issuer Common name To Get the Current HTTP SSL Certificate Indicates when the HTTP SSL Certificate file will expire The range is a valid date The Common Name attribute of the server certificate The range is a valid string For example, /CN=self-

signed/OU=Broadcom Corp /L=Morrisville/ST=North Carolina/C=US Download Method HttP SSL Certificate File Select either HTTP/HTTPS or TFTP option Click Download to save the current HTTP SSL Certificate as a backup file to your PC This field is available when the selected download method is TFTP Enter the filename of the certificate The filename is a 256-byte alphanumeric string The default is Mini_httpd pem note: File name should not contain spaces, < , > , | , \ ,

/ , : , (, ), & , ; , # , ?, *, $, %, , , and successive Server IP The IPv4 or IPv6 address of the TFTP server where the file will be downloaded The default is 0 0 0 0 Upload SSL Certificate Section 3: Configuring the Access Point Upload Method HttP Certificate File SSL Server IP Select the upload method:

HTTP/HTTPS: Upload the file by using a Web browser TFTP: Upload the file from a TFTP server If the selected upload method is HTTP, click the Browse button to browse to the file to upload to the AP If the selected upload method is TFTP, this field displays a text box Enter the filename of the certificate to upload to the AP note: File name should not contain spaces, < , > , | , \ ,

/ , : , (, ), & , ; , # , ?, *, $, %, , , and successive The IPv4 or IPv6 address of the TFTP server where the file is located The default is 0 0 0 0 note:

Click Save to apply the changes and save the changes to startup configuration file If you disable the protocol you are currently using to access the AP management interface, the current connection will end and you will not be able to access the AP by using that protocol until it is enabled 27 Linksys Section 3: Configuring the Access Point Discovery - LLDP Link Layer Discovery Protocol (LLDP) is defined by the IEEE 802 1AB standard and allows the access point to advertise information about itself such as the system name, port name, system capabilities, and power requirements This information can help you identify system topology and detect bad configurations on the LAN The AP also supports the Link Layer Discovery Protocol for Media Endpoint Devices (LLDP-MED), which standardizes additional information elements that devices can pass to each other to improve network management To configure LLDP settings, click the Services > LLDP tab and update the fields as described in Table 22 Figure 19: Discovery-LLDP Discovery - Bonjour Bonjour is a software feature that allows the wireless access point and its services to be discovered on a local network using multicast Domain Name System (mDNS) service records You can either enable or disable the Bonjour component systemwide The feature is not configurable on any specific network interface To set Bonjour status, click the Configuration > Administrator > Discovery -

Bonjour tab Figure 20: Discovery - Bonjour Table 22: LLDP Settings Field Description LLDP Mode Enables or disables LLDP The default is Enabled Advertise Interval Poe Priority Specifies the number of seconds between LLDP message interval transmissions The default transmission is 30 seconds and can be set from 5 to 32768 (seconds) The priority level transmitted by the AP in the Extended Power information element The PoE priority level helps the Power Sourcing Equipment (PSE), such as a switch, determine which powered devices should be given priority in power allocation when the PSE doesnt have enough capacity to supply power to all connected devices The PoE priority can be one of the following:

Low High Critical Unknown Click Save to apply the changes and save the changes to startup configuration file Table 23: Discovery - Bonjour Field Bonjour Status Description Enables or disables Bonjour The default is Enabled The access point uses a default AP IP address assignment if a DHCP server is absent in the network There is no implementation of IPv4 Link-Local Addressing or IPv6 Stateless Address Auto-configuration for the access point DNS-SD and mDNS are used for advertisement of services and hostname lookup The service types listed in the following table are defined by the DNS-

SD records and advertised via mDNS by the Bonjour component The Bonjour component works in both IPv4 and IPv6 networks Table 24: Bonjour Status Service Types Service type Description brcm-sb Broadcom-specific service type Allows clients to discover Broadcom devices http https telnet ssh AP management Web UI AP switch management Web UI AP management CLI Secure AP management CLI 28 Linksys Section 3: Configuring the Access Point VLAN and IPv4 Address LAN This section describes how to manage the access point and contains the following subsections:

The configuration pages for the features in this section are located under the Manage heading on the Administration Web UI IPv6 Address IPv6 Tunnel VLAN and IPv4 Address The default wired interface settings, which include DHCP and VLAN information, might not work for all networks By default, the DHCP client on the access point automatically broadcasts requests for network information If you want to use a static IP address, you must disable the DHCP client and manually configure the IP address and other network information The management VLAN is VLAN 1 by default This VLAN is also the default untagged VLAN If you already have a management VLAN configured on your network with a different VLAN ID, you must change the VLAN ID of the management VLAN on the AP To configure the LAN settings, click the Configuration > LAN > VLAN and IPv4 Address tab Figure 21: VLAN and IPv4 Address The following table describes the fields to view or configure on the VLAN and IPv4 Address page Table 25: VLAN and IPv4 Address Field Description MAC Address Shows the MAC address for the LAN interface for the Ethernet port on this AP This is a read-only field that you cannot change Management VLAn ID The management VLAN is the VLAN associated with the IP address you use to access the AP The default management VLAN ID is 1 Provide a number between 1 and 4094 for the management VLAN ID 29 Linksys Section 3: Configuring the Access Point VLAn tagging If you disable the untagged VLAN, all traffic is tagged with a VLAN ID By default all traffic on the access point uses VLAN 1, which is the default untagged VLAN This means that all traffic is untagged until you disable the untagged VLAN, change the untagged traffic VLAN ID, or change the VLAN ID for a VAP or client using RADIUS Provide a number between 1 and 4094 for the untagged VLAN ID Traffic on the VLAN that you specify in this field will not be tagged with a VLAN ID If you select DHCP, the access point acquires its IP address, subnet mask, DNS, and gateway information from a DHCP server If you select Static IP, you must enter information in the Static IP Address, Subnet Mask, and Default Gateway fields Untagged VLAn ID Connection type Static IP Address Enter the static IP address in the text boxes This field is disabled if you use DHCP as the connection type Subnet Mask Enter the Subnet Mask in the text boxes Default Gateway DnS name Servers Enter the Default Gateway in the text boxes Select the mode for the DNS In Dynamic mode, the IP addresses for the DNS servers are assigned automatically via DHCP This option is only available if you specified DHCP for the Connection Type In Manual mode, you must assign static IP addresses to resolve domain names note:

After you configure the wired settings, you must click Save to apply the changes and save the changes to startup configuration file Changing some settings might cause the AP to stop and restart system processes If this happens, wireless clients will temporarily lose connectivity We recommend that you change AP settings when WLAN traffic is low IPv6 Address The IPv6 Address page contains settings that allow the LAPAC1750PRO Access Point to be managed over an IPv6 network Use this page to configure the IPv6 management interface settings By default, the DHCPv6 client on the access point automatically broadcasts requests for network information If you want to use a static IPv6 address, you must disable the DHCPv6 client and manually configure the Static IPv6 address and other network information To configure the settings that allow system management over an IPv6 network, click the Configuration > LAN > IPv6 Address tab Figure 22: IPv6 Address 30 Linksys Section 3: Configuring the Access Point Table 26: IPv6 Address Settings Field Description IPv6 Connection type IPv6 Admin Mode IPv6 Auto Config Admin Mode Select the option to determine how the IPv6 address for the management interface is configured:

DHCPv6 The Access Point acquires its IPv6 address, DNS, and gateway information from a DHCPv6 server Static IPv6 You must enter information in the Static IPv6 Address, Prefix length, and Default Gateway fields note:

If the selected connection type is DHCPv6, only the IPv6 Connection Type, IPv6 Admin Mode, and IPv6 Auto Config Admin Mode can be configured All other fields are for static IPv6 configuration only Enable or disable IPv6 management access to the AP Enable or disable IPv6 auto address configuration on the AP When IPv6 Auto Config Mode is enabled, automatic IPv6 address configuration and gateway configuration is allowed by processing the Router Advertisements received on the LAN port The AP can have multiple auto configured IPv6 addresses Static IPv6 Address Enter a static IPv6 address The AP can have a static IPv6 address even if addresses have already been configured automatically Static IPv6 Address Prefix Length Static IPv6 Address Status Enter the static IPv6 prefix length, which is an integer in the range of 0128 Shows the operational status of the static IPv6 address assigned to the management interface of the AP The possible values are Operational and Tentative note:

configured, the field is blank If an IPv6 address has not been manually IPv6 Autoconfigured Global Addresses IPv6 Link Local Address Default IPv6 Gateway IPv6 DnS name Servers If the AP has been assigned one or more IPv6 addresses automatically, the addresses are listed Shows the IPv6 Link Local address, which is the IPv6 address used by the local physical link The link local address is not configurable and is assigned by using the IPv6 Neighbor Discovery process Enter the IPv6 address of the default IPv6 gateway Select the method to use to configure the IPv6 address of the DNS server(s) to use for name-to-IPv6 address resolution:

Dynamic The IPv6 addresses for the DNS servers are assigned automatically via DHCPv6 This option is only available if you specified DHCPv6 for the Connection Type Manual You must assign static IPv6 addresses to resolve domain names note:

After you configure the wired settings, you must click Save to apply the changes and save the changes to startup configuration file Changing some settings might cause the AP to stop and restart system processes If this happens, wireless clients will temporarily lose connectivity We recommend that you change AP settings when WLAN traffic is low 31 Linksys Section 3: Configuring the Access Point IPv6 Tunnel The access point supports the Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), which enables the AP to transmit IPv6 packets over the LAN encapsulated within IPv4 packets The protocol enables the access point to communicate with remote IPv6-capable hosts even when the LAN that connects them does not support IPv6 The access point acts as an initiator of the tunnel and allows communication with remote IPv6 hosts An ISATAP router acts as the end of the tunnel within the network to help Access Point to auto-configure ISATAP tunnel interface From the IPv6 Tunnel page, you can enable, configure and display ISATAP global operational and configuration parameters To configure the ISATAP settings on the access point, click the Configuration > LAN > IPv6 Tunnel tab Figure 23: IPv6 Tunnel Settings The following table describes the fields to view or configure on the IPv6 Tunnel page Table 27: IPv6 Tunnel Settings Field Description ISAtAP Status Select Enable or Disable for the administrative mode of ISATAP ISAtAP Capable Host ISAtAP Query Interval ISAtAP Solicitation Interval ISAtAP IPv6 Link Local Address ISAtAP IPv6 Global Address Specify the IP address or DNS name of the ISATAP router The default value is isatap Specify how often the AP should send queries to the DNS server to attempt to resolve the ISATAP host name into an IP address The AP sends router solicitation messages only when the IP address of an ISATAP router is unknown The valid range is 1203600 seconds (The default value is 120 seconds ) Specify how often the AP should send router solicitation messages to the ISATAP router(s) it learns about through the DNS query messages The AP sends router solicitation messages only when there is no active ISATAP router The valid range is 1203600 seconds

(The default value is 120 seconds ) Displays Link Local IPv6 address of the ISATAP interface Displays global IPv6 address of ISATAP the interface note:

After you configure the wired settings, you must click Save to apply the changes and save the changes to startup configuration file Changing some settings might cause the AP to stop and restart system processes If this happens, wireless clients will temporarily lose connectivity 32 Linksys Section 3: Configuring the Access Point note:

DNS name is composed of a series of labels joined with dots, as are all domain names Each label must be between 1 and 63 characters long, and the entire hostname (including dots) has a maximum of 253 characters Radio Rogue AP Detection Virtual Access Point (VAP) Wireless The wireless features are located under the Configuration heading on the administration Web UI MAC Filter WDS Bridge Workgroup Bridges Scheduler Association Bandwidth Utilization Scheduler Qos 33 Linksys Section 3: Configuring the Access Point Radio Radio settings directly control the behavior of the radio devices in the AP, and determine how and what type of electromagnetic waves the AP emits Different settings display depending on the mode you select All settings are described in Table 28 Figure 24: Radio Settings Field Radio Table 28: Radio Settings Description Select Radio 1 or Radio 2 to specify which radio to configure Radio 1 stands for 2 4GHz radio, and Radio 2 stands for 5GHz radio The rest of the settings on this tab apply to the radio you select in this field Be sure to configure settings for both radios Status (on/off) Specify whether you want the radio on or off by selecting On or Off If you turn off a radio, the AP sends disassociation frames to all the wireless clients it is currently supporting so that the radio can be gracefully shutdown and the clients can start the association process with other available APs MAC Address Indicates the Media Access Control (MAC) addresses for the interface This page shows the MAC addresses for Radio interface A MAC address is a permanent, unique hardware address for any device that represents an interface to the network The MAC address is assigned by the manufacturer You cannot change the MAC address It is provided here for informational purposes as a unique identifier for an interface 34 Linksys Mode AeroScout engine Protocol Support The Mode defines the Physical Layer (PHY) standard the radio uses note: The modes available depend on the country code setting and radio Select one of the following modes for each radio interface:

IEEE 802 11b/g 802 11b and 802 11g clients can connect to the AP IEEE 802 11b/g/n 802 11b, 802 11g, and 802 11n clients operating in the 2 4-GHz frequency can connect to the AP IEEE 802 11n Only 802 11n clients operating in the 2 4-GHz frequency can connect to the AP IEEE 802 11a Only 802 11a clients can connect to the AP This mode is available only on Radio 2 IEEE 802 11a/n/ac 802 11a, 802 11n, and 802 11ac clients operating in the 5-GHz frequency can connect to the AP This mode is available only on Radio 2 IEEE 802 11n/ac 802 11n clients and 802 11ac clients operating in the 5-GHz frequency can connect to the AP This mode is available only on Radio 2 Station Isolation To enable Station Isolation, select the check box directly beside it When Station Isolation is disabled, wireless clients can communicate with one another normally by sending traffic through the AP Isolation When Station is enabled, the AP blocks communication between wireless clients on the same VAP The AP still allows data traffic between its wireless clients and wired devices on the network, across a Wireless Distribution System (WDS) link, and with other wireless clients associated with a different VAP, but not among wireless clients Section 3: Configuring the Access Point Options are Enabled or Disabled The default is Disabled When enabled, Aeroscout devices are recognized and data is sent to an Aeroscout Engine (AE) for analysis The AE determines the geographical location of 802 11-capable devices, such as STAs, APs, and AeroScouts line of 802 11-enabled RFID devices, or tags The AE communicates with APs that support the AE protocol in order to collect information about the RF devices detected by the APs Using the AE protocol, LAPAC1750PRO supports direct communication between AE and the APs When operating in managed mode, the AE is configured with the IP address of the managed access points from which it collects information The Wireless Switch cannot communicate with the AE note: Only AeroScout tag hardware of types T2 and T3 are explicitly supported Other tag models are also supported only if their implementation of the AeroScout protocol conforms to the AeroScout Engine - Access Point Interface Specification, version 2 1 note: AeroScout tags operate only in 802 11 b/g mode Therefore, network administrators who use the AeroScout tags must configure at least one radio on APs that are expected to detect tags in either 802 11b/g or 802 11b/g/n mode The radios configured in 2 4 GHz IEEE 802 11 mode or any of the 5GHZ modes cannot detect AeroScout tags note: The AE protocol allows access points to mark detected APs as rogue devices The LAPAC1750PRO APs do not support this feature and never report detected APs as rogues 35 Linksys Section 3: Configuring the Access Point Channel Select the Channel The range of available channels is determined by the mode of the radio interface and the country code setting If you select Auto for the channel setting, the AP scans available channels and selects a channel where no traffic is detected The channel defines the portion of the radio spectrum the radio uses for transmitting and receiving Each mode offers a number of channels, depending on how the spectrum is licensed by national and transnational authorities such as the Federal Communications Commission (FCC) or the International Telecommunication Union (ITU-R) When automatic channel assignment is enabled on the Channel Management page for Clustering, the channel policy for the radio is automatically set to static mode, and the Auto option is not available for the Channel field This allows the automatic channel feature to set the channels for the radios in the cluster The 802 11n specification allows a 40 MHz-wide channel in addition to the legacy 20 MHz channel available with other modes The 40 MHz channel enables higher data rates but leaves fewer channels available for use by other 2 4 GHz and 5 GHz devices The 802 11ac specification allows an 80 MHz-wide channel in addition to the 20 MHz and 40 MHz channels Set the field to 20 MHz to restrict the use of the channel bandwidth to a 20 MHz channel For the 802 11ac mode, set the field to 40 MHz to prevent the radio from using the 80 MHz channel bandwidth Channel Bandwidth

(802 .11n and 802 .11ac modes only) Primary Channel

(802 .11n modes only) Short Guard Interval Supported This setting can be changed only when the channel bandwidth is set to 40 MHz A 40-MHz channel can be considered to consist of two 20-MHz channels that are contiguous in the frequency domain These two 20-

MHz channels are often referred to as the Primary and Secondary channels The Primary Channel is used for 802 11n clients that support only a 20-MHz channel bandwidth and for legacy clients Select one of the following options:

Upper Set the Primary Channel as the upper 20-

MHz channel in the 40-MHz band Lower Set the Primary Channel as the lower 20-

MHz channel in the 40-MHz band This field is available only if the selected radio mode includes 802 11n The guard interval is the dead time, in nanoseconds, between OFDM symbols The guard interval prevents Inter-Symbol and Inter-Carrier Interference (ISI, ICI) The 802 11n mode allows for a reduction in this guard interval from the a and g definition of 800 nanoseconds to 400 nanoseconds Reducing the guard interval can yield a 10% improvement in data throughput Select one of the following options:

Yes The AP transmits data using a 400 nanosecond guard Interval when communicating with clients that also support the short guard interval No The AP nanosecond guard interval transmits data using an 800 36 Linksys Multidomain Regulatory Mode StBC Mode This feature is configurable on a per radio basis By default it is enabled Multidomain Regulatory Mode (World Mode) causes the AP to broadcast which country it is operating in as a part of its beacons and probe responses This allows client stations to operate in any country without reconfiguration Disabling this feature prevents the country code setting from being broadcast in the beacons However, this only applies to radios configured to operate in the g band (2 4 GHz band) For radios operating in the a band

(5 GHz band), the AP software configures support for 802 11h When 802 11h is supported, the country code information is broadcast in the beacons This field is available only if the selected radio mode includes 802 11n Space Time Block Coding (STBC) is an 802 11n technique intended to improve the reliability of data transmissions The data stream is transmitted on multiple antennas so the receiving system has a better chance of detecting at least one of the data streams Select one of the following options:

On The AP transmits the same data stream on multiple antennas at the same time Off The AP does not transmit the same data on multiple antennas Protection Beacon Interval Section 3: Configuring the Access Point The protection feature contains rules to guarantee that 802 11 transmissions do not cause interference with legacy stations or applications By default, these protection mechanisms are enabled

(Auto) With protection enabled, protection mechanisms will be invoked if legacy devices are within range of the AP You can disable (Off) these protection mechanisms When protection is off, legacy clients or APs within range can be affected by 802 11n transmissions Protection is also available when the mode is 802 11b/g When protection is enabled in this mode, it protects 802 11b clients and APs from 802 11g transmissions note: This setting does not affect the ability of the client to associate with the AP Beacon frames are transmitted by an AP at regular intervals to announce the existence of the wireless network The default behavior is to send a beacon frame once every 100 milliseconds (or 10 per second) Enter a value from 20 to 2000 milliseconds DtIM Period Specify a DTIM period from 1 to 255 beacons The Delivery Traffic Information Map (DTIM) message is an element included in some beacon frames It indicates which client stations, currently sleeping in low-power mode, have data buffered on the AP awaiting pick-up The DTIM period you specify indicates how often the clients served by this AP should check for buffered data still on the AP awaiting pickup The measurement is in beacons For example, if you set this field to 1, clients will check for buffered data on the AP at every beacon If you set this field to 10, clients will check on every 10th beacon 37 Linksys Section 3: Configuring the Access Point Fragmentation threshold Specify a number between 256 and 2,346 to set the frame size threshold in bytes RtS threshold Specify a Request to Send (RTS) Threshold value between 0 and 2347 The fragmentation threshold is a way of limiting the size of packets (frames) transmitted over the network If a packet exceeds the fragmentation threshold you set, the fragmentation function is activated and the packet is sent as multiple 802 11 frames If the packet being transmitted is equal to or less than the threshold, fragmentation is not used Setting the threshold to the largest value (2,346 bytes) effectively disables fragmentation Fragmentation plays no role when Aggregation is enabled Fragmentation involves more overhead both because of the extra work of dividing up and reassembling of frames it requires, and because it increases message traffic on the network However, fragmentation can help improve network performance and reliability if properly configured Sending smaller frames (by using lower fragmentation threshold) might help with some interference problems;

for example, with microwave ovens By default, fragmentation is off We recommend not using fragmentation unless you suspect radio interference The additional headers applied to each fragment increase the overhead on the network and can greatly reduce throughput The RTS threshold indicates the number of octets in an MPDU, below which an RTS/CTS handshake is not performed Changing the RTS threshold can help control traffic flow through the AP, especially one with a lot of clients If you specify a low threshold value, RTS packets will be sent more frequently This will consume more bandwidth and reduce the throughput of the packet On the other hand, sending more RTS packets can help the network recover from interference or collisions which might occur on a busy network, or on a network experiencing electromagnetic interference Maximum Stations Specify the maximum number of stations allowed to access this AP at any one time You can enter a value between 0 and 200 transmit Power Enter a percentage value for the transmit power level for this AP The default value, which is 100%, can be more cost-

efficient than a lower percentage since it gives the AP a maximum broadcast range and reduces the number of APs needed To increase capacity of the network, place APs closer together and reduce the value of the transmit power This helps reduce overlap and interference among APs A lower transmit power setting can also keep your network more secure because weaker wireless signals are less likely to propagate outside of the physical location of your network Fixed Multicast Rate Select the multicast traffic transmission rate you want the AP to support 38 Linksys Legacy Rate Sets Check the transmission rate sets you want the AP to support and the basic rate sets you want the AP to advertise:

Rates are expressed in megabits per second Supported Rate Sets indicate rates that the AP supports You can check multiple rates (click a check box to select or deselect a rate) The AP will automatically choose the most efficient rate based on factors like error rates and distance of client stations from the AP Basic Rate Sets indicate rates that the AP will advertise to the network for the purposes of setting up communication with other APs and client stations on the network It is generally more efficient to have an AP broadcast a subset of its supported rate sets Broadcast/

Multicast Rate Limiting Enabling multicast and broadcast rate limiting can improve overall network performance by limiting the number of packets transmitted across the network Rate Limit Rate Limit Burst By default the Multicast/Broadcast Rate Limiting option is disabled Until you enable Multicast/Broadcast Rate Limiting, the following fields will be disabled Enter the rate limit you want to set for multicast and broadcast traffic The limit should be greater than 1, but less than 50 packets per second Any traffic that falls below this rate limit will always conform and be transmitted to the appropriate destination The default and maximum rate limit setting is 50 packets per second Setting a rate limit burst determines how far above the rate limit bursts can go before all traffic exceeds the rate limit This burst limit allows intermittent bursts of traffic on a network above the set rate limit The default and maximum rate limit burst setting is 75 packets per second Section 3: Configuring the Access Point tSPeC Mode Regulates the overall TSPEC mode on the AP On The AP handles TSPEC requests according to the TSPEC settings you configure on the Radio page Use this setting if the AP handles traffic from QoS-

capable devices, such as a Wi-Fi-certified phone Off The AP ignores TSPEC requests from client stations Use this setting if you do not want to use TSPEC to give QoS-capable devices priority for time-

sensitive traffic tSPeC Violation Interval Specify the time interval (in seconds) for the AP to report (through the system log and SNMP traps) associated clients that do not adhere to mandatory admission control procedures tSPeC Voice ACM Mode tSPeC Voice ACM Limit tSPeC Video ACM Mode Regulates mandatory admission control (ACM) for the voice access category The options are:

On A station is required to send a TSPEC request for bandwidth to the AP before sending or receiving a voice traffic stream The AP responds with the result of the request, which includes the allotted medium time if the TSPEC was admitted Off A station can send and receive voice priority traffic without requiring an admitted TSPEC; the AP ignores voice TSPEC requests from client stations Specify an upper limit on the amount of traffic the AP attempts to transmit on the wireless medium using a voice admission control to gain access Regulates mandatory admission control for the video access category The options are:

On A station is required to send a TSPEC request for bandwidth to the AP before sending or receiving a video traffic stream The AP responds with the result of the request, which includes the allotted medium time if the TSPEC was admitted Off A station can send and receive video priority traffic without requiring an admitted TSPEC; the AP ignores video TSPEC requests from client stations 39 Linksys Section 3: Configuring the Access Point tSPeC Video ACM Limit Specify an upper limit on the amount of traffic the AP attempts to transmit on the wireless medium using a video admission control to gain access tSPeC AP Inactivity timeout tSPeC Station Inactivity timeout tSPeC Legacy WMM Queue Map Mode Specify the amount of time for an AP to detect a downlink TS as idle before deleting it Specify the amount of time for an AP to detect an uplink TS as idle before deleting it Select On to allow intermixing of legacy traffic on queues operating as ACM Use the Radio page to configure both Radio 1 and Radio 2 The settings on the page apply only to the radio that you choose from the Radio drop-down list After you configure settings for one of the radios, click Save and then select and configure the other radio Be sure to click Save to apply the second set of configuration settings for the other radio note:

Changing some settings might cause the AP to stop and restart system processes If this happens, wireless clients will temporarily lose connectivity We recommend that you change AP settings when WLAN traffic is low Rogue AP Detection A Rogue AP is an access point that has been installed on a secure network without explicit authorization from a system administrator Rogue access points pose a security threat because anyone with access can mistakenly or maliciously install a wireless AP that can potentially allow unauthorized parties to access the network The status page for Rogue AP Detection provides real-time statistics for all APs detected by the LAPAC1750PRO Access Point in the vicinity of the network If the AP listed as a rogue is actually a legitimate AP, you can add it to the Known AP List Click Refresh to refresh the page note:

The detected Rogue AP List and Known AP List provide information The LAPAC1750PRO Access Point does not have any control over the APs on the lists and cannot apply any security policies to APs detected through the RF scan When AP detection is enabled, the radio will periodically switch from its operating channel to scan other channels within the same band Neighbor AP detection can be configured independently on each radio Click Save to refresh the screen and display the most current information note:

Note: Rogue AP detection does not have any refresh mechanism and the SSID are retained in the database once detected To view information about other access points on the wireless network, click the Status > Rogue AP Detection tab 40 Linksys Section 3: Configuring the Access Point Figure 25: Viewing Rogue AP Detection Action MAC Radio Beacon Interval type You must enable AP detection on a radio in order to collect information about other APs within range Table 29: Rogue AP Detection Field Description AP Detection for Radio 1 To enable Radio 1 to perform neighbor AP detection and collect information about neighbor APs, select Enabled To disable neighbor AP detection on Radio 1, select Disabled If you change the AP detection setting, click Save AP Detection for Radio 2 To enable Radio 2 to perform neighbor AP detection and collect information about neighbor APs, select Enabled To disable neighbor AP detection on Radio 2, select Disabled If you change the AP detection setting, click Save The available action depends on which list an AP is in If the AP is in the Detected Rogue AP List, the Grant button is available Click Grant to move the AP from the Detected Rogue AP List to the Trusted AP List If the AP is in the Trusted AP List, the Delete button is available Click Delete to move the AP from the Trusted AP list to the Detected Rogue AP List note: The Detected Rogue AP List and Known AP List provide information The LAPAC1750PRO Access Point does not have any control over the APs on the list and cannot apply any security policies to APs detected through the RF scan Shows the MAC address of the neighboring AP indicates which radio detected the The Radio field neighboring AP:

wlan0 (Radio 1) wlan1 (Radio 2) Shows the beacon interval being used by this AP Beacon frames are transmitted by an AP at regular intervals to announce the existence of the wireless network The default behavior is to send a beacon frame once every 100 milliseconds (or 10 per second) Indicates the type of device:

AP indicates the neighboring device is an AP that supports IEEE 802 11 Wireless Networking Framework in Infrastructure Mode the Ad Hoc indicates a neighboring station running in Ad Hoc Mode Stations set to Ad Hoc Mode communicate with each other directly, without the use of a traditional AP Ad Hoc Mode is an IEEE 802 11 Wireless Networking Framework also referred to as peer-to-peer mode or an Independent Basic Service Set (IBSS) 41 Linksys Section 3: Configuring the Access Point SSID The Service Set Identifier (SSID) for the AP Privacy WPA Band The SSID is an alphanumeric string of up to 32 characters that uniquely identifies a wireless local area network It is also referred to as the Network Name Indicates whether there is any security on the neighboring device Off indicates that the Security mode on the neighboring device is set to None (no security) On indicates that the neighboring device has some security in place Security is configured on the AP from the VAP page Indicates whether WPA security is on or off for this AP This indicates the IEEE 802 11 mode being used on this AP

(For example, IEEE 802 11a, IEEE 802 11b, IEEE 802 11g ) The number shown indicates the mode according to the following map:

2 4 indicates IEEE 802 11b, 802 11g, or 802 11n mode (or a combination of the modes) 5 indicates IEEE 802 11a or 802 11n mode (or both modes) Channel Shows the channel on which the AP is currently broadcasting The channel defines the portion of the radio spectrum that the radio uses for transmitting and receiving Rate Shows the rate (in megabits per second) at which this AP is currently transmitting The current rate will always be one of the rates shown in Supported Rates Signal Indicates the strength of the radio signal emitting from this AP If you hover the mouse pointer over the bars, a number appears and shows the strength in decibels (dB) Beacons Shows the total number of beacons received from this AP since it was first discovered Last Beacon Shows the date and time of the last beacon received from this AP Rates Shows supported and basic (advertised) rate sets for the neighboring AP Rates are shown in megabits per second

(Mbps) All Supported Rates are listed, with Basic Rates shown in bold Rate sets are configured on the Radio page To save the Known AP List to a file, click Save The list contains the MAC addresses of all APs that have been added to the Known AP List By default, the filename is Rogue2 cfg You can use a text editor or Web browser to open the file and view its contents Use the Import feature to import a list of known APs from a saved list The list might be from another AP or created from a text file If the MAC address of an AP appears in the Known AP List, it will not be detected as a rogue To import an AP list from a file, use the following steps:

1 Choose whether to replace the existing Known AP List or add the entries in the imported file to the Known AP List Select Replace to import the list and replace the contents of the Known AP List Select Merge to import the list and add the APs in the imported file to the APs currently displayed in the Known AP List 2 Click Browse and choose the file to import The file you import must be a plain-text file with a txt or cfg extension Entries in the file are MAC addresses in hexadecimal format with each octet separated by colons, for example 00:11:22:33:44:55 Separate entries with a single space For the AP to accept the file, it must contain only MAC addresses 3 Click Import Once the import is complete, the screen refreshes and the MAC addresses of the APs in the imported file appear in the Known AP List 42 Linksys Section 3: Configuring the Access Point Virtual Access Point (VAP) Virtual Access Points (VAPs) segment the wireless LAN into multiple broadcast domains that are the wireless equivalent of Ethernet VLANs VAPs simulate multiple APs in one physical AP Each radio supports up to 8 VAPs For each VAP you can customize the security mode to control wireless client access Each VAP can also have a unique SSID Multiple SSIDs make a single AP look like two or more APs to other systems on the network By configuring VAPs, you can maintain better control over broadcast and multicast traffic, which affects network performance You can configure each VAP to use a different VLAN, or you can configure multiple VAPs to use the same VLAN, whether the VLAN is on the same radio or on a different radio VAP0, which is always enabled on both radios, is assigned to the default VLAN 1 The AP adds VLAN ID tags to wireless client traffic based on the VLAN ID you configure on the VAP page or by using the RADIUS server assignment If you use an external RADIUS server, you can configure multiple VLANs on each VAP The external RADIUS server assigns wireless clients to the VLAN when the clients associate and authenticate If wireless clients use a security mode that does not communicate with the RADIUS server, or if the RADIUS server does not provide the VLAN information, you can assign a VLAN ID to each VAP The AP assigns the VLAN to all wireless clients that connect to the AP through that VAP About the RADIUS server setting please see RADIUS Server note:

Before you configure VLANs on the AP be sure to verify that the switch and DHCP server the AP uses can support IEEE 802 1Q VLAN encapsulation To set up multiple VAPs, click Configuration > Wireless > Virtual Access Points

(VAP) Figure 26: Virtual Access Points (VAP) Field Radio VAP Table 30: Virtual Access Point Settings Description Select the radio to configure VAPs are configured independently on each radio You can configure up to eight VAPs for each radio VAP0 is the physical radio interface; so to disable VAP0 you must disable the radio Enabled You can enable or disable a configured network If you disable the specified network, you will lose the VLAN ID you entered 43 Linksys VLAN ID SSID When a wireless client connects to the AP using this VAP, the AP tags all traffic from the wireless client with the VLAN ID you enter in this field unless you enter the untagged VLAN ID or use a RADIUS server to assign a wireless client to a VLAN The range for the VLAN ID is 14094 Broadcast SSID Tunnel-Type If you use RADIUS-based authentication for clients, you can optionally add the following attributes to the appropriate file in the RADIUS or AAA server to configure a VLAN for the client:

The RADIUS-assigned VLAN ID overrides the VLAN ID you configure on the VAP page Tunnel-Private-Group-ID Tunnel-Medium-Type You configure the untagged and management VLAN IDs on the VLAN and IPv4 Address page Enter a name for the wireless network The SSID is an alphanumeric string of up to 32 characters You can use the same SSID for multiple VAPs, or you can choose a unique SSID for each VAP note: If you are connected as a wireless client to the same AP that you are administering, resetting the SSID will cause you to lose connectivity to the AP You will need to reconnect to the new SSID after you save this new setting Band Steer Section 3: Configuring the Access Point Specify whether to allow the AP to broadcast the Service Set Identifier (SSID) in its beacon frames The Broadcast SSID parameter is enabled by default When the VAP does not broadcast its SSID, the network name is not displayed in the list of available networks on a client station Instead, the client must have the exact network name configured in the supplicant before it is able to connect To enable the SSID broadcast, select the Broadcast SSID check box To prohibit the SSID broadcast, clear the Broadcast SSID check box note: Disabling the broadcast SSID is sufficient to prevent clients from accidentally connecting to your network, but it will not prevent even the simplest of attempts by a hacker to connect or monitor unencrypted traffic Suppressing the SSID broadcast offers a very minimal level of protection on an otherwise exposed network (such as a guest network) where the priority is making it easy for clients to get a connection and where no sensitive information is available Enable this feature to encourage dual-band wireless clients to connect to the radio operating in the 5 GHz band instead of the radio operating in the 2 4 GHz band The 5 GHz band has more channels available and is generally utilized less than the 2 4 GHz band The Access Point can improve overall network throughput by effectively utilizing the 5 GHz band 44 Linksys Security MAC Authentication Type None Static WEP IEEE802.1X Select one of the following Security modes for this VAP:

WPA Personal WPA Enterprise If you select a security mode other than None, additional fields appear These fields are explained below note: The security mode you set here is specifically for this VAP You can configure a global list of MAC addresses that are allowed or denied access to the network The drop-

down menu for this feature allows you to select the type of MAC Authentication to use:

Disabled: Do not use MAC Authentication Local: Use the MAC Authentication list that you configure on the MAC Authentication page RADIUS: Use the MAC Authentication list on the external RADIUS server For more information about MAC Authentication, see MAC Filter note:

After you configure the VAP settings, you must click Save to apply the changes and save the changes to startup configuration file Changing some settings might cause the AP to stop and restart system processes If this happens, wireless clients will temporarily lose connectivity We recommend that you change AP settings when WLAN traffic is low Section 3: Configuring the Access Point None (Plain-text) If you select None as your security mode, no further options are configurable on the AP This mode means that any data transferred to and from the access point is not encrypted This security mode can be useful during initial network configuration or for problem solving, but it is not recommended for regular use on the internal network because it is not secure Static WEP Wired Equivalent Privacy (WEP) is a security algorithm for 802 11 wireless networks WEP uses static 64-bit (40-bit secret key + 24-bit initialization vector

(IV)) or 128-bit (104-bit secret key + 24-bit IV) shared key for data encryption between wireless stations and access points WEP uses the stream cipher RC4 for encryption Static WEP is an easily broken security algorithm, but it offers more protection than setting the security mode to None (Plain-text), as it does prevent an outsider from easily sniffing out unencrypted wireless traffic 45 Linksys Section 3: Configuring the Access Point Table 31: Static WEP Field Description transfer Key Index Key Length Key type WeP Keys The Transfer Key Index indicates which WEP key the AP uses to encrypt the data it transmits with WPA devices Key indexes 1 through 4 are available The default is 1 Select the length of the key:

128 bits 64 bits Select the length of the key:

ASCII Hex There are four WEP keys can be set The keys you enter depend on the key type selected:

ASCII: Includes uppercase and lowercase alphabetic letters, the numeric digits, and special symbols such as @ and #

Hex: Hexadecimal (base 16) characters (0-9 and A-F) Use the same number of characters for each key as specified in the Characters Required field These are the RC4 WEP keys shared with the stations using the access point Each client station must be configured to use one of these same WEP keys in the same slot as specified on the access point The number of characters you enter into the WEP Key fields is determined by the key length and key type you select For example, if you use 128-bit ASCII keys, you must enter 26 characters in the WEP key The number of characters required updates automatically based on how you set the key length and key type Authentication The authentication algorithm defines the method used to determine whether a client station is allowed to associate with the access point when static WEP is the security mode Open System: authentication allows any client station to associate with the WAP device whether that client station has the correct WEP key or not This algorithm is also used in plaintext, IEEE 802 1X, and WPA modes When the authentication algorithm is set to Open System, any client can associate with the access point Shared Key: authentication requires the client station to have the correct WEP key in order to associate with the access point When the authentication algorithm is set to Shared Key, a station with an incorrect WEP key cannot associate with theaccess point Open System and Shared Key: When you select both authentication algorithms, client stations configured to use WEP in shared key mode must have a valid WEP key in order to associate with the access point Also, client stations configured to use WEP as an open system (shared key mode not enabled) can associate with the access point even if they do not have the correct WEP key note:

After you configure the security settings, you must click Save to apply the changes and save the changes to startup configuration file 46 Linksys Section 3: Configuring the Access Point WPA Personal WPA Personal is a Wi-Fi Alliance IEEE 802 11i standard, which includes AES-

CCMP and TKIP mechanisms It employs a pre-shared key (instead of using IEEE 802 1X and EAP as is used in the Enterprise WPA security mode) The PSK is used for an initial check of credentials only This security mode is backwards-compatible for wireless clients that support the original WPA Table 32: WPA Personal Field Description WPA Versions Cipher Suites Select the types of client stations you want to support:

WPA: If all client stations on the network support the original WPA but none support the newer WPA2, then select WPA WPA2: If all client stations on the network support WPA2, we suggest using WPA2 which provides the best security per the IEEE 802 11i standard WPA and WPA2: If you have a mix of clients, some of which support WPA2 and others which support only the original WPA, select both of the check boxes This lets both WPA and WPA2 client stations associate and authenticate, but uses the more robust WPA2 for clients who support it This WPA configuration allows more interoperability, at the expense of some security TKIP CCMP (AES) TKIP and CCMP (AES) Select the cipher suite you want to use:

TKIP and AES clients can associate with the AP WPA clients must have one of the following to be able to associate with the AP:

Clients not configured to use WPA Personal will not be able to associate with the AP A valid TKIP key A valid AES-CCMP key Key The pre-shared key is the shared secret key for WPA Personal Enter a string of between 8 and 63 characters Acceptable characters include upper and lower case alphabetic letters, the numeric digits, and special symbols such as @ and #

Broadcast Key Refresh Rate Enter a value to set the interval at which the broadcast (group) key is refreshed for clients associated to this VAP (the default is 300) The valid range is 086400 seconds A value of 0 indicates that the broadcast key is not refreshed WPA Enterprise WPA Enterprise with RADIUS is an implementation of the Wi-Fi Alliance IEEE 802 11i standard, which includes CCMP (AES), and TKIP mechanisms The Enterprise mode requires the use of a RADIUS server to authenticate users This security mode is backwards-compatible with wireless clients that support the original WPA Table 33: WPA Enterprise Field WPA Versions Description Select the types of client stations you want to support:

WPA: If all client stations on the network support the original WPA but none support the newer WPA2, then select WPA WPA2: If all client stations on the network support WPA2, we suggest using WPA2 which provides the best security per the IEEE 802 11i standard WPA and WPA2: If you have a mix of clients, some of which support WPA2 and others which support only the original WPA, select both WPA and WPA2 This lets both WPA and WPA2 client stations associate and authenticate, but uses the more robust WPA2 for clients who support it This WPA configuration allows more interoperability, at the expense of some security 47 Linksys enable pre-authentication Cipher Suites If for WPA versions you select only WPA2 or both WPA and WPA2, you can enable pre-authentication for WPA2 clients Click enable pre-authentication if you want WPA2 wireless clients to send a pre-authentication packet The pre-authentication information will be relayed from the AP the client is currently using to the target AP Enabling this feature can help speed up authentication for roaming clients who connect to multiple APs This option does not apply if you selected WPA for WPA versions because the original WPA does not support this feature RADIUS IP Address type RADIUS IP Address RADIUS IPv6 Address Section 3: Configuring the Access Point Specify the IP version that the RADIUS server uses You can toggle between the address types to configure IPv4 and IPv6 global RADIUS address settings, but the AP contacts only the RADIUS server or servers for the address type you select in this field Enter the IPv4 or IPv6 address for the primary RADIUS server for this VAP IPv4 RADIUS IP Address Type option If the is selected in the previous field, enter the IP address of the RADIUS server that all VAPs use by default, for example 192 168 10 23 If the IPv6 RADIUS IP Address Type option is selected, enter the IPv6 address of the primary global RADIUS server, for example 2001:0db8:1234::abcd TKIP CCMP (AES) TKIP and CCMP (AES) Select the cipher suite you want to use:

By default both TKIP and CCMP are selected When both TKIP and CCMP are selected, client stations configured to use WPA with RADIUS must have one of the following:

A valid TKIP RADIUS IP address and RADIUS Key A valid CCMP (AES) IP address and RADIUS key RADIUS IP or IPv6 Address 13 Enter up to three IPv4 and/or IPv6 addresses to use as the backup RADIUS servers for this VAP The field label is RADIUS IP Address when the IPv4 RADIUS IP Address Type option is selected and RADIUS IPv6 Address when the IPv6 RADIUS IP Address Type option is selected If authentication fails with the primary server, each configured backup server is tried in sequence RADIUS Key Enter the RADIUS key in the text box Use Global RADIUS Server Settings By default each VAP uses the global RADIUS settings that you define for the AP at the top of the VAP page However, you can configure each VAP to use a different set of RADIUS servers To use the global RADIUS server settings, make sure the check box is selected To use a separate RADIUS server for the VAP, clear the check box and enter the RADIUS server IP address and key in the following fields RADIUS Key 13 The RADIUS Key is the shared secret key for the global RADIUS server You can use up to 63 standard alphanumeric and special characters The key is case sensitive, and you must configure the same key on the AP and on your RADIUS server The text you enter will be displayed as * characters to prevent others from seeing the RADIUS key as you type Enter the RADIUS key associated with the configured backup RADIUS servers The server at RADIUS IP Address-1 uses RADIUS Key-1, RADIUS IP Address-2 uses RADIUS Key-2, and so on 48 Linksys enable RADIUS Accounting Active Server Broadcast Key Refresh Rate Select this option to track and measure the resources a particular user has consumed such as system time, amount of data transmitted and received, and so on If you enable RADIUS accounting, it is enabled for the primary RADIUS server and all backup servers The RADIUS IP address and key for up to four RADIUS servers can be configured on the AP Select which of the four RADIUS servers the VAP should contact to authenticate wireless clients Enter a value to set the interval at which the AP will refresh session (unicast) keys for each client associated to the VAP The valid range is 086400 seconds A value of 0 indicates that the broadcast key is not refreshed Session Key Refresh Rate Enter a value to set the interval at which the AP will refresh session (unicast) keys for each client associated to the VAP Section 3: Configuring the Access Point Scheduler The Radio and VAP Scheduler is a standalone LAPAC1750PRO Access Point feature To configure the Radio and VAP scheduler, select the Scheduler tab in the Manage section The Radio and VAP Scheduler allows you to configure a rule with a specific time interval for VAPs or radios to be operational, thereby automating the enabling or disabling of the VAPs and radios One of the ways you can use this feature is to schedule radios to operate only during the office working hours in order to achieve security and reduce power consumption You can also use the scheduler to allow access to VAPs for wireless clients only during specific times of day Each rule specifies the start time, end time and day (or days) of the week the radio or VAP can be operational The rules are periodic in nature and are repeated every week Days of the Week Start Time (hour and minutes) A valid rule must contain all of the following parameters:

Only valid rules are added to the profile Up to 16 rules are grouped together to form a scheduling profile Any two entries belonging to the same profile must not overlap The time granularity for the schedules is one minute The LAPAC1750PRO Access Point supports up to 16 profiles End Time (hour and minutes) 49 Linksys Section 3: Configuring the Access Point Figure 27: Scheduler Configuration Table 34: Scheduler Configuration Description A global switch to enable or disable the scheduler feature The default is Disable Field Global Scheduler Mode Scheduler Operational Status Status Reason Scheduler Profile Rule Configuration Select Profile Set Schedule The operational status of the scheduler The range is up or down The default is down Provides additional information about the status The reason can be one or more of the following:

ConfigDown Operational status is down because global configuration is disabled IsActive Operational status is up TimeNotSet Operational status is down because the AP time has not been set, either manually or by specifying an NTP server to use ManagedMode Operational status is down because the AP is in managed mode The scheduler profile defines the list of profile names that can be associated to the VAP or Radio configuration Rules are associated with a named scheduler profile You can define up to 16 scheduler profile names By default, no profiles are created The profile name can be up to 32 alphanumeric characters Click Add to add the profile name Each scheduler profile may have up to 16 periodic rules This table includes the settings you use to configure periodic rules Select the profile name from the menu The day of the week Range is: Daily, Weekday (Monday to Friday), Weekend (Saturday and Sunday), Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, Sunday The default is Daily. 50 Section 3: Configuring the Access Point Scheduler Association For a scheduler profile to take effect, you must associate it with at least one radio or VAP interface To associate the Scheduler profiles, select the Scheduler Association tab in the Manage section By default, there are no scheduler profiles created, so no profile is associated to any radio or VAP The scheduler profile needs to be explicitly associated to a radio or VAP configuration Only one scheduler profile can be associated to any radio or VAP configuration;

however, a single profile can be associated to multiple radios or VAPs If the scheduler profile associated with a VAP or radio is deleted, then the associated profile to the VAP or radio is removed implicitly If the radio is operationally disabled, then all the VAPs associated to that radio are also operationally disabled irrespective of the VAP configuration Figure 28: Scheduler Association Linksys Start time end time The time when the radio or VAP will be operationally enabled The time is in HH:MM 24-hour format The range is <00-23>:<00-59> The default is 00:00 The time when the radio or VAP will be operationally disabled The time is in HH:MM 24-hour format The range is <00-23>:<00-59> The default is 00:00 After you select a profile from the Select Profile field, the rules that have been added to the selected profile appear in the table below the Rule Configuration area When you add a new rule to a profile, it appears in the table Use the Modify Rule and Remove Rule buttons to manage the rules associated with a profile Use the buttons to perform the following tasks:

Add: To add a scheduler profile, specify the name of the profile in the appropriate field and click Add Remove: To remove a scheduler profile, select it from the Select Profile field in the Rule Configuration table and click Remove Add Rule: After you configure the rule settings, click Add Rule to add the rule to the selected profile Modify Rule: To change an existing rule, select the rule, update the values in the Rule Configuration area, and click Modify Rule Remove Rule: To delete a rule from a profile, select the rule and click Remove Rule Save: After making any modifications, click Save to apply the changes and to save the settings The scheduler profiles need to be associated to a radio interface or the VAP interface for applying the periodic rules to a specific radio or VAP 51 Linksys Section 3: Configuring the Access Point Bandwidth Utilization Use this page to load balance the distribution of wireless client connections across multiple access points You can set network utilization thresholds on the access point to maintain the speed and performance of the wireless network as clients associate and disassociate with the AP The load balancing settings apply to both radios, but the load of each radio is calculated independently With load balancing, you can ensure that all access points on the network handle a proportionate share of wireless traffic, and that no single access point gets overloaded To configure load balancing and set limits and behavior to be triggered by a specified utilization rate of the access point, click the Configuration > Wireless

> Bandwidth Utilization tab and save the fields shown in the following figure Figure 29: Bandwidth Utilization Table 35: Scheduler Association Settings Field Description Per-Radio Scheduler Association Radio Identifies the radio associated with the rest of the information in the row Scheduler Profile Select the scheduler profile to associate with Radio 1 or Radio 2 operational Status The operational status of the scheduler, which is either up or down Per-VAP Scheduler Association VAP Scheduler Profile Identifies the VAP associated with the rest of the information in the row Select the scheduler profile to associate with the desired VAP operational Status The operational status of the scheduler, which is either up or down note:

After you associate a scheduler profile with a radio interface or a VAP interface, you must click Save to apply the changes and to save the settings 52 Linksys Section 3: Configuring the Access Point Table 36: Bandwidth Utilization Field Description Bandwidth Utilization Maximum Utilization To enable load balancing on this AP, click Enabled To disable load balancing on this AP, click Disabled Provide the percentage of network bandwidth utilization allowed on the radio before the AP stops accepting new client associations The default is 0, which means that all new associations will be allowed regardless of the utilization rate note:

After you configure the load balancing settings, you must click Save to apply the changes and save the changes to startup configuration file Changing some settings might cause the AP to stop and restart system processes If this happens, wireless clients will temporarily lose connectivity We recommend that you change AP settings when WLAN traffic is low MAC Filtering A Media Access Control (MAC) address is a hardware address that uniquely identifies each node of a network All IEEE 802 network devices share a common 48-bit MAC address format, usually displayed as a string of 12 hexadecimal digits separated by colons, for example 00:DC:BA:09:87:65 Each wireless network interface card (NIC) used by a wireless client has a unique MAC address You can use the Administrator UI on the AP or use an external RADIUS server to control access to the network through the AP based on the MAC address of the wireless client This feature is called MAC Filtering To control access, you configure a global list of MAC addresses locally on the AP or on an external RADIUS server Then, you set a filter to specify whether the clients with those MAC addresses are allowed or denied access to the network When a wireless client attempts to associate with an AP, the AP looks up the MAC address of the client in the local stations list or on the RADIUS server If it is found, the global allow or deny setting is applied If it is not found, the opposite is applied On the Virtual Access Point (VAP) page, MAC Filtering Type controls whether the AP uses the station list configured locally on the MAC Filtering page or the external RADIUS server The Allow/Block filter setting on the MAC Filtering page determines whether the clients in the station list (local or RADIUS) can access the network through the AP To enable filtering by MAC address, click the Configuration > Wireless > MAC Filtering tab Figure 30: MAC Filtering 53 Linksys Section 3: Configuring the Access Point note:

Global MAC Authentication settings apply to all VAPs on both radios Field Filter Stations List Table 37: MAC Filtering Description To set the MAC Address Filter, select one of the following options:

Allow only stations in the list Any station that is not in the stations list is denied access to the network through the AP Block all stations in list Only the stations that appear in the list are denied access to the network through the AP All other stations are permitted access note: The filter you select is applied to the clients in the stations list, regardless of whether that station list is local or on the RADIUS server This is the local list of clients that are either permitted or denied access to the network through the AP To add a MAC address to the local stations list, enter its 48-bit MAC address into the lower text boxes, then click Add To remove a MAC address from the stations list, select its 48-bit MAC address, then click Remove The stations in the list will either be allowed or denied access based on how you set the filter in the previous field The Access Point allows up to 512 MAC addresses to be added to the station list note:

If MAC authentication for the VAP is set to Local, the AP uses the stations list to permit or deny the clients access to the network If the MAC authentication type is set to RADIUS, the AP ignores the MAC addresses configured in this list and uses the list that is stored on the RADIUS server The MAC authentication type is set on the VAP page note:

After you configure local MAC Authentication settings, you must click Update to apply the changes and to save the settings Changing some settings might cause the AP to stop and restart system processes If this happens, wireless clients will temporarily lose connectivity We recommend that you change AP settings when WLAN traffic is low Configuring MAC Authentication on the RADIUS Server If you use RADIUS MAC authentication for MAC-based access control, you must configure a station list on the RADIUS server The station list contains client MAC address entries, and the format for the list is described in the following table Table 38: Configuring MAC Authentication on the RADIUS Server Description Value RADIUS Server Attribute User-Name (1) MAC address of the client station User-Password (2) A fixed global password used to lookup a client MAC entry Valid Ethernet MAC address NOPASSWORD 54 Linksys Section 3: Configuring the Access Point Figure 31: WDS Bridge WDS Bridge The Wireless Distribution System (WDS) allows you to connect multiple Access Points With WDS, APs communicate with one another without wires in a standardized way This capability is critical in providing a seamless experience for roaming clients and for managing multiple wireless networks It can also simplify the network infrastructure by reducing the amount of cabling required You can configure the AP in point-to-point or point-to-multipoint bridge mode based on the number of links to connect In the point-to-point mode, the AP accepts client associations and communicates with wireless clients and other repeaters The AP forwards all traffic meant for the other network over the tunnel that is established between the APs The bridge does not add to the hop count It functions as a simple OSI layer 2 network device In the point-to-multipoint bridge mode, one AP acts as the common link between multiple APs In this mode, the central AP accepts client associations and communicates with the clients and other repeaters All other APs associate only with the central AP that forwards the packets to the appropriate wireless bridge for routing purposes The access point can also act as a repeater In this mode, the AP serves as a connection between two APs that might be too far apart to be within cell range When acting as a repeater, the AP does not have a wired connection to the LAN and repeats signals by using the wireless connection No special configuration is required for the AP to function as a repeater, and there are no repeater mode settings Wireless clients can still connect to an AP that is operating as a repeater To specify the details of traffic exchange from this access point to others, click the Configuration > Wireless > WDS Bridge tab 55 Linksys Section 3: Configuring the Access Point Before you configure WDS on the AP, note the following guidelines:

When using WDS, be sure to configure WDS settings on both APs Remote Address participating in the WDS link You can have only one WDS link between any pair of APs That is, a remote MAC address may appear only once on the WDS Bridge page for a particular AP Both APs participating in a WDS link must be on the same radio channel and using the same IEEE 802 11 mode (See Radio for information on configuring the Radio mode and channel ) When 802 11h is operational, setting up two WDS links can be difficult If you use WPA encryption on the WDS link over Radio 1, VAP0 of Radio 1 must use WPA Personal or WPA Enterprise as the security mode If you use WPA on a WDS link over Radio 2, VAP0 of Radio 2 must use WPA Personal or WPA Enterprise as the security mode Channel auto setting is not recommended for all WDS link device both APs participating in the WDS link To configure WDS on this AP, describe each AP intended to receive hand-offs and send information to this AP For each destination AP, configure the fields listed in Table 39 Table 39: WDS Bridge Field Description Spanning tree Mode Spanning Tree Protocol (STP) prevents switching loops STP is recommended if you configure WDS links Radio Select Enabled to use STP Select Disabled to turn off STP links (not recommended) For each WDS link on a two-radio AP, select Radio 1 or Radio 2 The rest of the settings for the link apply to the radio selected in this field The read-only local address will change depending on which radio you select in this field Local Address Indicates the MAC addresses for this AP For each WDS link on a two-radio AP, the local address reflects the MAC address for the internal interface on the selected radio (Radio 1 on wlan0 or Radio 2 on wlan1) Specify the MAC address of the destination AP; that is, the AP on the other end of the WDS link to which data will be sent or handed-off and from which data will be received note: Click the drop-down arrow to the right of the Remote Address field to see a list of all the available MAC addresses and their associated SSIDs on the network Select the appropriate MAC address from the list The SSID displayed in the drop-down list is simply to help you identify the correct MAC address for the destination AP This SSID is a separate SSID to that which you set for the WDS link The two do not (and should not) be the same value or name encryption You can use no encryption or WPA (PSK) on the WDS link If you are unconcerned about security issues on the WDS link you may decide not to set any type of encryption Alternatively, if you have security concerns you can choose WPA (PSK) In WPA (PSK) mode, the AP uses WPA2-

PSK with CCMP (AES) encryption over the WDS link note:

In order to configure WPA-PSK on any WDS link, VAP0 of the selected radio must be configured for WPA-

PSK or WPA-Enterprise If you select None as your preferred WDS encryption option, you will not be asked to fill in any more fields on the WDS Bridge page All data transferred between the two APs on the WDS link will be unencrypted note:

To disable a WDS link, you must remove the value configured in the Remote Address field 56 Linksys Section 3: Configuring the Access Point WPA/PSK on WDS Links The following table describes the additional fields that appear when you select WPA/PSK as the encryption type note:

In order to configure WPA-PSK on any WDS link, VAP0 of the selected radio must be configured for WPA-PSK or WPA-Enterprise Table 40: WPA/PSK on WDS Links Field Description encryption WPA (PSK) SSID Key Enter an appropriate name for the new WDS link you have created This SSID should be different from the other SSIDs used by this AP However, it is important that the same SSID is also entered at the other end of the WDS link If this SSID is not the same for both APs on the WDS link, they will not be able to communicate and exchange data The SSID can be any alphanumeric combination Enter a unique shared key for the WDS bridge This unique shared key must also be entered for the AP at the other end of the WDS link If this key is not the same for both APs, they will not be able to communicate and exchange data The WPA-PSK key is a string of at least 8 characters to a maximum of 63 characters Acceptable characters include upper and lower case alphabetic letters, the numeric digits, and special symbols such as @ and #

note:

After you configure the WDS settings, you must click Save to apply the changes and to save the settings Changing some settings might cause the AP to stop and restart system processes If this happens, wireless clients will temporarily lose connectivity We recommend that you change AP settings when WLAN traffic is low note:

Partner WDS AP in the remote network retains its management IP address acquired from a DHCP server connected to the WDS AP in the main network even if the WDS link is broken The IP address is released when the WDS interface is brought administratively down Workgroup Bridges The Workgroup Bridge feature enables the AP to extend the accessibility of a remote network In Workgroup Bridge mode, the access point acts as a wireless station (STA) on the wireless LAN It can bridge traffic between a remote wired network or associated wireless clients and the wireless LAN that is connected using the Workgroup Bridge mode The Workgroup Bridge feature enables support for STA-mode and AP-mode operation simultaneously The access point can operate in one BSS as an STA device while operating on another BSS as an access point When Workgroup Bridge mode is enabled, then the access point supports only one BSS for wireless clients that associate with it, and another BSS to which the access point associates as a wireless client It is recommended that Workgroup Bridge mode be used only when the WDS bridge feature cannot be operational with a peer Access Point WDS is a better solution and is preferred over the Workgroup Bridge solution The Workgroup Bridge feature should be used only when connecting to AP devices from a different manufacturer When the Workgroup Bridge feature is enabled, the VAP configurations are not applied; only the Workgroup Bridge configuration is applied note:

The WDS feature does not work when the Workgroup Bridge mode is enabled on the access point In Workgroup Bridge mode, the BSS managed by the access point while operating in access point mode is referred to as the access point interface, and associated STAs as downstream STAs The BSS managed by the other access point (that is, the one to which the access point associates as an STA) is referred to as the infrastructure client interface, and the other access point is referred as the upstream AP 57 Linksys Section 3: Configuring the Access Point Figure 32: Workgroup Bridge The devices connected to the wired interface of the access point, as well as the downstream stations associated to the access points access point interface can access the network connected by the infrastructure client interface To allow the bridging of packets, the VLAN configuration for the access point interface and wired interface should match that of the infrastructure client interface Workgroup Bridge mode can be used as range extender to enable the BSS to provide access to remote or hard-to-reach networks A single-radio can be configured to forward packets from associated STAs to another access point in the same ESS, without using WDS note:

Workgroup Bridge mode currently supports only IPv4 traffic note:

Workgroup Bridge mode is not supported across a cluster Use the WorkGroup Bridge page to configure the Work Group Bridge mode on the AP and to configure the settings that allow the AP to serve as a bridge between remote clients and the wireless LAN To configure the Workgroup Bridge settings, click the Configuration > Wireless

> WorkGroup Bridge tab 58 Linksys Section 3: Configuring the Access Point Table 41: Workgroup Bridge Field Description Workgroup Bridge Mode Set the administrative mode of the Workgroup Bridge feature Radio Select the radio on which to configure Workgroup Bridge mode Infrastructure Client Interface VLAn ID The VLAN associated with the BSS SSID Security The SSID of the Basic Service Set (BSS) The BSS includes upstream access point and all of its connected clients

(STAs) The type of security to use for authenticating as a client station on the upstream access point Choices are:

WPA Personal WPA Enterprise Static WEP None Connection Status The Infrastructure Client Interface will be associated to the upstream access point with the configured credentials The access point may obtain its IP address from a DHCP server on the upstream link Alternatively, you can assign a static IP address The Connection Status field indicates whether the WAP is connected to the upstream access point Click Refresh to view the latest connection status Access Point Interface Status VLAn ID Status is indicated as Up (Enable) or Down (disable) If the downstream interface is down, wireless clients cannot connect to the access point The VLAN ID on the local AP interface This VLAN ID should be the same VLAN ID as advertised on the Infrastructure Client Interface SSID Specify the SSID to broadcast to downstream clients Broadcast SSID Security MAC Authentication type Select this option if you want the downstream SSID to be broadcast to wireless clients Select the type of security downstream clients will use to authenticate with the access point Choices are:

WPA Personal WPA Enterprise None Select one of the following options for MAC authentication:

DisabledThe set of clients in the APs BSS that can access the upstream network is not restricted to the clients specified in a MAC address list LocalThe set of clients in the APs BSS that can access the upstream network is restricted to the clients specified in a locally defined MAC address list RADIUSThe set of clients in the APs BSS that can access the upstream network is restricted to the clients specified in a MAC address list on a RADIUS server If you select Local or RADIUS, see MAC Filter for instructions on creating the MAC filter list 59 Linksys Section 3: Configuring the Access Point QoS Quality of Service (QoS) provides you with the ability to specify parameters on multiple queues for increased throughput and better performance of differentiated wireless traffic like Voice-over-IP (VoIP), other types of audio, video, and streaming media, as well as traditional IP data over the access point Configuring QoS on the access point consists of setting parameters on existing queues for different types of wireless traffic, and effectively specifying minimum and maximum wait times (through Contention Windows) for transmission The settings described here apply to data transmission behavior on the AP only, not to that of the client stations AP Enhanced Distributed Channel Access (EDCA) Parameters affect traffic flowing from the AP to the client station Station Enhanced Distributed Channel Access (EDCA) Parameters affect traffic flowing from the client station to the AP The default values for the AP and station EDCA parameters are those suggested by the Wi-Fi Alliance in the Wi-Fi MultiMedia (WMM) specification In normal use these values should not need to be changed Changing these values will affect the QoS provided note:

The QoS settings apply to both radios, but the traffic for each radio is queued independently To set up queues for QoS, click the QoS tab under the Wireless heading and configure settings as described in Table 42 Field Radio eDCA template Figure 33: QoS Table 42: QoS Settings Description Select the radio with the QoS settings to view or configure Custom The AP has multiple templates with predefined EDCA parameters The menu includes the following templates:

You can change the individual EDCA parameters only when the selected EDCA template is Custom Optimized for Voice Default WAP EDCA Parameters 60 Linksys Queue Queues are defined for different types of data transmitted from AP-to-station:

Data 0 (Voice) High priority queue, minimum delay Time-sensitive data such as VoIP and streaming media are automatically sent to this queue Data 1(Video) High priority queue, minimum delay Time-sensitive video data is automatically sent to this queue Data 2 (best effort) Medium priority queue, medium throughput and delay Most traditional IP data is sent to this queue Data 3 (Background) Lowest priority queue, high requires maximum throughput and is not time-sensitive is sent to this queue (FTP data, for example) throughput Bulk data that AIFS (Inter-Frame Space) Arbitration Inter-Frame Spacing (AIFS) specifies a wait time for data frames The wait time is measured in slots Valid values for AIFS are 1 through 255 cwMin(Minimum Contention Window) This parameter input to the algorithm that determines the initial random backoff wait time

(window) for retry of a transmission is The value specified for Minimum Contention Window is the upper limit (in milliseconds) of a range from which the initial random backoff wait time is determined The first random number generated will be a number between 0 and the number specified here If the first random backoff wait time expires before the data frame is sent, a retry counter is incremented and the random backoff value (window) is doubled Doubling will continue until the size of the random backoff value reaches the number defined in the Maximum Contention Window Valid values for cwMin are 1, 3, 7, 15, 31, 63, 127, 255, 511, or 1023 The value for cwMin must be lower than the value for cwMax cwMax

(Maximum Contention Window) Max . Burst Length Section 3: Configuring the Access Point The value specified for the Maximum Contention Window is the upper limit (in milliseconds) for the doubling of the random backoff value This doubling continues until either the data frame is sent or the Maximum Contention Window size is reached Once the Maximum Contention Window size is reached, retries will continue until a maximum number of retries allowed is reached Valid values for cwMax are 1, 3, 7, 15, 31, 63, 127, 255, 511, or 1023 The value for cwMax must be higher than the value for cwMin The Max Burst Length is an AP EDCA parameter and only applies to traffic flowing from the AP to the client station This value specifies (in milliseconds) the maximum burst length allowed for packet bursts on the wireless network A packet burst is a collection of multiple frames transmitted without header information The decreased overhead results in higher throughput and better performance Valid values for maximum burst length are 0 0 through 999 Wi-Fi Multimedia Settings 61 Linksys Wi-Fi Multimedia Wi-Fi Multimedia (WMM) is enabled by default With WMM enabled, QoS prioritization and coordination of wireless medium access is on With WMM enabled, QoS settings on the access point control downstream traffic flowing from the AP to client station (AP EDCA parameters) and the upstream traffic flowing from the station to the AP (station EDCA parameters) Disabling WMM deactivates QoS control of station EDCA parameters on upstream traffic flowing from the station to the AP With WMM disabled, you can still set some parameters on the downstream traffic flowing from the AP to the client station (AP EDCA parameters) To disable WMM extensions, click Disabled To enable WMM extensions, click Enabled Station eDCA Parameters Queue Queues are defined for different types of data transmitted from station-to-AP:

Data 0 (Voice) Highest priority queue, minimum delay Time-sensitive data such as VoIP and streaming media are automatically sent to this queue Data 1(Video) Highest priority queue, minimum delay Time-sensitive video data is automatically sent to this queue Data 2 (best effort) Medium priority queue, medium throughput and delay Most traditional IP data is sent to this queue Data 3 (Background) Lowest priority queue, high throughput Bulk data that requires maximum throughput and is not time-sensitive is sent to this queue (FTP data, for example) AIFS

(Inter-Frame Space) Arbitration Inter-Frame Spacing (AIFS) specifies a wait time for data frames The wait time is measured in slots Valid values for AIFS are 1 through 255 cwMin

(Minimum Contention Window) cwMax

(Maximum Contention Window) tXoP Limit Section 3: Configuring the Access Point This parameter is used by the algorithm that determines the initial random backoff wait time

(window) for retry of a data transmission during a period of contention for Unified Access Point resources The value specified here in the Minimum Contention Window is the upper limit (in milliseconds) of a range from which the initial random backoff wait time will be determined The first random number generated will be a number between 0 and the number specified here If the first random backoff wait time expires before the data frame is sent, a retry counter is incremented and the random backoff value

(window) is doubled Doubling will continue until the size of the random backoff value reaches the number defined in the Maximum Contention Window The value specified here in the Maximum Contention Window is the upper limit (in milliseconds) for the doubling of the random backoff value This doubling continues until either the data frame is sent or the Maximum Contention Window size is reached Once the Maximum Contention Window size is reached, retries will continue until a maximum number of retries allowed is reached The TXOP Limit is a station EDCA parameter and only applies to traffic flowing from the client station to the AP The Transmission Opportunity (TXOP) is an interval of time, in milliseconds, when a WME client station has the right to initiate transmissions onto the wireless medium (WM) towards the Unified Access Point The TXOP Limit maximum value is 65535 other QoS Settings no Acknowledgement Select On to specify that the AP should not acknowledge frames with QosNoAck as the service class value 62 Linksys APSD Select On to enable Automatic Power Save Delivery

(APSD), which is a power management method APSD is recommended if VoIP phones access the network through the AP note:

After you configure the QoS settings, you must click Save to apply the changes and save the changes to startup configuration file Changing some settings might cause the AP to stop and restart system processes If this happens, wireless clients will temporarily lose connectivity We recommend that you change AP settings when WLAN traffic is low Section 3: Configuring the Access Point Security You can configure up to four global IPv4 or IPv6 RADIUS servers One of the servers always acts as a primary while the others act as backup servers The network type (IPv4 or IPv6) and accounting mode are common across all configured RADIUS servers You can configure each VAP to use the global RADIUS server settings, which is the default, or you can configure a per-VAP RADIUS server set You can also configure separate RADIUS server settings for each VAP For example, you can configure one VAP to use an IPv6 RADIUS server while other VAPs use the global IPv4 RADIUS server settings you configure To set up multiple VAPs, click Configuration > Security > RADIUS Server Figure 34: Setting RADIUS Server 63 Linksys Section 3: Configuring the Access Point Virtual Access Point Settings describes the fields and configuration options on the VAP page Table 43: RADIUS Server Settings Field Description RADIUS IP Address type RADIUS IP Address RADIUS IPv6 Address RADIUS IP or IPv6 Address 13 Specify the IP version that the RADIUS server uses You can toggle between the address types to configure IPv4 and IPv6 global RADIUS address settings, but the AP contacts only the RADIUS server or servers for the address type you select in this field Enter the IPv4 or IPv6 address for the primary global RADIUS server By default, each VAP uses the global RADIUS settings that you define for the AP at the top of the VAP page, see Virtual Access Point (VAP) When the first wireless client tries to authenticate with the AP, the AP sends an authentication request to the primary server If the primary server responds to the authentication request, the AP continues to use this RADIUS server as the primary server, and authentication requests are sent to the address you specify If the IPv4 RADIUS IP Address Type option is selected in the previous field, enter the IP address of the RADIUS server that all VAPs use by default, for example 192 168 10 23 If the IPv6 RADIUS IP Address Type option is selected, enter the IPv6 address of the primary global RADIUS server, for example 2001:0db8:1234::abcd Enter up to three IPv4 or IPv6 addresses to use as the backup RADIUS servers The field label is RADIUS IP Address when the IPv4 RADIUS IP Address Type option is selected and RADIUS IPv6 Address when the IPv6 RADIUS IP Address Type option is selected If authentication fails with the primary server, each configured backup server is tried in sequence The IPv4 or IPv6 address must be valid in order for the AP to attempt to contact the server RADIUS Key RADIUS Key 13 Enter the RADIUS key in the text box The RADIUS key is the shared secret key for the global RADIUS server You can use up to 63 standard alphanumeric and special characters The key is case sensitive, and you must configure the same key on the AP and on your RADIUS server The text you enter will be displayed as * characters to prevent others from seeing the RADIUS key as you type Enter the RADIUS key associated with the configured backup RADIUS servers The server at RADIUS IP Address-1 uses RADIUS Key-1, RADIUS IP Address-2 uses RADIUS Key-

2, and so on enable RADIUS Accounting Select this option to track and measure the resources a particular user has consumed such as system time, amount of data transmitted and received, and so on If you enable RADIUS accounting, it is enabled for the primary RADIUS server and all backup servers note:

After you configure the VAP settings, you must click Save to apply the changes 64 Linksys Section 3: Configuring the Access Point 802.1X Supplicant 802 1X Supplicant settings allow the access point to gain access to a secured wired network Use these settings to enable the access point as an 802 1X supplicant (client) on the wired network An MD5 user name and password can be configured to allow the access point to authenticate via 802 1X On networks that use IEEE 802 1X, port-based network access control, a supplicant cannot gain access to the network until the 802 1X authenticator grants access If your network uses 802 1X, you must configure 802 1X authentication information that the AP can supply to the authenticator To configure the access point 802 1X supplicant user name and password by using the Web interface, click the Configuration > Security > 802 1X Supplicant tab and configure the fields shown in Table 44 Figure 35: 802 1X Supplicant Table 44: 802 1X Supplicant Authentication Field Description Supplicant Configuration 802 .1X Supplicant Click Enabled to enable the Administrative status of the 802 1X Supplicant Click Disabled to disable the Administrative status of the 802 1X Supplicant eAP Method Username Password Select the algorithm to be used for encrypting authentication user names and passwords The options are as follows:

MD5A hash function defined in RFC 3748 that provides basic security PEAPProtected Extensible Authentication Protocol, which provides a higher level of security than MD5 by encapsulating it within a TLS tunnel TLSTransport Layer Security, as defined in RFC 5216, an open standard that provides a high level of security Enter the MD5 user name for the AP to use when responding to requests from an 802 1X authenticator The user name can be up to 64 characters ASCII printable characters are allowed, which includes upper and lower case alphabetic letters, the numeric digits, and special symbols such as @ and #

Enter the MD5 password for the AP to use when responding to requests from an 802 1X authenticator The password can be up1 to 64 characters ASCII printable characters are allowed, which includes upper and lower case letters, numbers, and special symbols such as @ and #

Certificate File Status Certificate File Present Indicates if the HTTP SSL Certificate file is present Range is yes or no The default is no Certificate expiration Date Indicates when the HTTP SSL Certificate file will expire The range is a valid date If no certificate file exists on the AP, the field displays Not Present Certificate File Upload 65 Linksys Upload Method Filename Select the method to use for uploading a certificate file to the AP, which is either HTTP/HTTPS (upload by Web browser) or TFTP (upload by TFTP server) Specify the path and filename of the certificate file:

For HTTP uploads, click Browse to find the location where the certificate file is stored Select the file to upload to the access point Click Upload to initiate the file transfer For TFTP uploads, enter the filename, including the path, of the certificate to upload to the access point Server IP (tFtP Upload only) The IPv4 or IPv6 address of the TFTP server where the file is located The default is 0 0 0 0 After you specify the filename and server IP, click Upload to initiate the file transfer note:

After you configure the settings on the 802 1X Supplicant page, you must click Save to apply the changes Changing some settings might cause the AP to stop and restart system processes If this happens, wireless clients will temporarily lose connectivity We recommend that you change AP settings when WLAN traffic is low Section 3: Configuring the Access Point QoS and Access Control This section describes how to configure QoS settings that affect traffic from the wireless clients to the AP By using the access point Client QoS features, you can limit bandwidth and apply ACLs and DiffServ policies to the wireless interface ACL Global Settings This section describes the following features:

Client QoS Status Policy Map Class Map 66 Linksys Section 3: Configuring the Access Point Global Settings The client QoS features on the access point provide additional control over certain QoS aspects of wireless clients that connect to the network, such as the amount of bandwidth an individual client is allowed to send and receive To control general categories of traffic, such as HTTP traffic or traffic from a specific subnet, you can configure ACLs and assign them to one or more VAPs In addition to controlling general traffic categories, Client QoS allows you to configure per-client conditioning of various micro-flows through Differentiated Services (DiffServ) DiffServ policies are a useful tool for establishing general micro-flow definition and treatment characteristics that can be applied to each wireless client, both inbound and outbound, when it is authenticated on the network From the Global Settings page, you can enable the Client QoS feature, specify client bandwidth limits, and select the ACLs and DiffServ policies to use as default values for clients associated with the VAP when the client does not have their own attributes defined by a RADIUS server To enabled or disabled the Client QoS and to configure the QoS settings for a VAP, click the Configuration > QoS and Access Control > Global Settings tab Figure 36: QoS Global Settings Table 45: QoS Global Settings Field Description Client QoS Enable or disable Client QoS operation on the AP Radio VAP Changing this setting will not affect the WMM settings you configure on the QoS page Select Radio 1 or Radio 2 to specify which radio to configure Specify the VAP that will have the Client QoS settings that you configure The QoS settings you configure for the selected VAP will not affect clients that access the network through other VAPs Client QoS Mode Enable or disable QoS operation on the VAP selected in the VAP menu Bandwidth Limit Down Bandwidth Limit Up QoS must be enabled globally (from the Client QoS field) and on the VAP for the Client QoS settings to be applied to wireless clients Enter the maximum allowed transmission rate from the AP to the wireless client in bits per second The valid range is 0429496000 bits/sec The value you enter must be a multiple of 8000 bits/sec, in other words, the value must be n 8000 bits/sec, where n = 0, 1, 2, 3 If you attempt to set the limit to a value that is not a multiple of 8000 bits/sec, the configuration will be rejected A value of 0 means that the bandwidth maximum limit is not enforced in this direction Enter the maximum allowed client transmission rate to the AP in bits per second The valid range is 04294967295 bps The value you enter must be n 8000 bits/sec, where n = 0, 1, 2, 3 If you attempt to set the limit to a value that is not a multiple of 8000 bits/sec, the configuration will be rejected A value of 0 means that the bandwidth maximum limit is not enforced in this direction 67 Linksys Section 3: Configuring the Access Point ACL type Down Select the type of ACL to apply to traffic in the outbound

(down) direction, which can be one of the following:

IPv4: The ACL examines IPv4 packets for matches to ACL rules IPv6: The ACL examines IPv6 packets for matches to ACL rules MAC: The ACL examines layer 2 frames for matches to ACL rules ACL name Down Select the name of the ACL applied to traffic in the outbound (down) direction ACL type Up After switching the packet or frame to the outbound interface, the ACLs rules are checked for a match The packet or frame is transmitted if it is permitted, and discarded if it is denied Select the type of ACL to apply to traffic in the inbound

(up) direction, which can be one of the following:

IPv4: The ACL examines IPv4 packets for matches to ACL rules IPv6: The ACL examines IPv6 packets for matches to ACL rules MAC: The ACL examines Layer 2 frames for matches to ACL rules ACL name Up Select the name of the ACL applied to traffic entering the AP in the inbound (up) direction When a packet or frame is received by the AP, the ACLs rules are checked for a match The packet or frame is processed if it is permitted, and discarded if it is denied Select the name of the DiffServ policy applied to traffic from the AP in the outbound (down) direction Select the name of the DiffServ policy applied to traffic sent to the AP in the inbound (up) direction DiffServ Policy Down DiffServ Policy Up ACL ACLs are a collection of permit and deny conditions called rules, that provide security by blocking unauthorized users and allowing authorized users to access specific resources ACLs can block any unwarranted attempts to reach network resources The access point supports up to 50 IPv4, IPv6, and MAC ACLs IPv4 and IPv6 ACLs IP ACLs classify traffic for Layers 3 and 4 Each ACL is a set of up to 10 rules applied to traffic sent from a wireless client or to be received by a wireless client Each rule specifies whether the contents of a given field should be used to permit or deny access to the network Rules can be based on various criteria and may apply to one or more fields within a packet, such as the source or destination IP address, the source or destination L4 port, or the protocol carried in the packet ACL Configuration Process Configure ACLs and rules on the ACL page (steps 15), and then apply the rules to a specified VAP on the Global Settings page (step 6) Use the following general steps to configure ACLs:

1 Specify a name for the ACL 2 Select the type of ACL to add 3 Add the ACL 4 Add new rules to the ACL 5 Configure the match criteria for the rules 6 Apply the ACL to one or more VAPs To configure an ACL click the Configuration >Qos and Access Control > ACL tab The following figure shows the page after an IPv4 ACL has been created 68 Linksys Section 3: Configuring the Access Point Figure 37: ACL Field ACL ACL name ACL type Table 46: ACL Configuration Description Enter a name to identify the ACL The name can contain from 131 alphanumeric characters and the following special characters: hyphen, underscore, backslash and colon Spaces are not allowed Select the type of ACL to configure:

IPv4 IPv6 MAC IPv4 and IPv6 ACLs control access to network resources based on Layer 3 and Layer 4 criteria MAC ACLs control access based on Layer 2 criteria ACL RULE SETTING ACL name and type Select the ACL to configure with the new rule The list contains all ACLs added in the ACL Configuration section Rule To configure a new rule to add to the selected ACL, select New Rule To add an existing rule to an ACL or to modify a rule, select the rule number When an ACL has multiple rules, the rules are applied to the packet or frame in the order in which you add them to the ACL There is an implicit deny all rule as the final rule 69 Linksys Action Match every IPv4 ACL Specifies whether the ACL rule permits or denies an action When you select Permit, the rule allows all traffic that meets the rule criteria to enter or exit the AP (depending on the ACL direction you select) Traffic that does not meet the criteria is dropped When you select Deny, the rule blocks all traffic that meets the rule criteria from entering or exiting the AP (depending on the ACL direction you select) Traffic that does not meet the criteria is forwarded unless this rule is the final rule Because there is an implicit deny all rule at the end of every ACL, traffic that is not explicitly permitted is dropped Indicates that the rule, which either has a permit or deny action, will match the frame or packet regardless of its contents If you select this field, you cannot configure any additional match criteria The Match Every option is selected by default for a new rule You must clear the option to configure other match fields Protocol Source IP Address Wild Card Mask Section 3: Configuring the Access Point Select the Protocol field to use a Layer 3 or Layer 4 protocol match condition based on the value of the IP Protocol field in IPv4 packets or the Next Header field of IPv6 packets Once you select the field, choose the protocol to match by keyword or enter a protocol ID Select From List Select one of the following protocols from the list:

Match to Value To match a protocol that is not listed by name, enter the protocol ID The protocol ID is a standard value assigned by the IANA The range is a number from 0255 IP ICMP IGMP TCP UDP Select this field to require a packets source IP address to match the address listed here Enter an IP address in the appropriate field to apply this criterion Specifies the source/destination IP address wildcard mask The wild card mask determines which bits are used and which bits are ignored A wild card mask of 255 255 255 255 indicates that no bit is important A wildcard of 0 0 0 0 indicates that all of the bits are important This field is required when Source IP Address is checked A wild card mask is in essence the inverse of a subnet mask For example, to match the criteria to a single host address, use a wildcard mask of 0 0 0 0 To match the criteria to a 24-bit subnet (for example, 192 168 10 0/24), use a wild card mask of 0 0 0 255 70 Linksys Source Port ftp ftpdata http smtp snmp telnet tftp www Select this field to include a source port in the match condition for the rule The source port is identified in the datagram header Once you select the field, choose the port name or enter the port number Select From List Select the keyword associated with the source port to match:

Each of these keywords translates into its equivalent port number Match to Port Enter the IANA port number to match to the source port identified in the datagram header The port range is 065535 and includes three different types of ports:

01023: Well Known Ports 102449151: Registered Ports 4915265535: Dynamic and/or Private Ports Destination Port Section 3: Configuring the Access Point ftp ftpdata http smtp snmp telnet tftp www Select this field to include a destination port in the match condition for the rule The destination port is identified in the datagram header Once you select the field, choose the port name or enter the port number Select From List Select the keyword associated with the destination port to match:

Each of these keywords translates into its equivalent port number Match to Port Enter the IANA port number to match to the destination port identified in the datagram header The port range is 065535 and includes three different types of ports:

01023: Well Known Ports 102449151: Registered Ports 4915265535: Dynamic and/or Private Ports Destination Address IP Select this field to require a packets destination IP address to match the address listed here Enter an IP address in the appropriate field to apply this criterion IP toS Bits Select this field and enter a value to use the packets Type of Service bits in the IP header as match criteria The IP TOS field in a packet is defined as all eight bits of the Service Type octet in the IP header The TOS Bits value is a two-digit hexadecimal number from 00 to ff The high-order three bits represent the IP precedence value The high-order six bits represent the IP Differentiated Services Code Point (DSCP) value 71 Linksys IP toS Mask IPv6 ACL Protocol Source IPv6 Address Source IPv6 Prefix Len Source Port Enter an IP TOS mask value to identify the bit positions in the TOS Bits value that are used for comparison against the IP TOS field in a packet The TOS Mask value is a two-digit hexadecimal number from 00 to ff, representing an inverted (i e wildcard) mask The zero-valued bits in the TOS Mask denote the bit positions in the TOS Bits value that are used for comparison against the IP TOS field of a packet For example, to check for an IP TOS value having bits 7 and 5 set and bit 1 clear, where bit 7 is most significant, use a TOS Bits value of a0 and a TOS Mask of 00 This is an optional configuration Select the Protocol field to use a Layer 3 or Layer 4 protocol match condition based on the value of the IP Protocol field in IPv4 packets or the Next Header field of IPv6 packets Once you select the field, choose the protocol to match by keyword or protocol ID Select this field to require a packets source IPv6 address to match the address listed here Enter an IPv6 address in the appropriate field to apply this criterion Enter the prefix length of the source IPv6 address Select this option to include a source port in the match condition for the rule The source port is identified in the datagram header Once you select the option, choose the port name or enter the port number Destination IPv6 Address Select this field to require a packets destination IPv6 address to match the address listed here Enter an IPv6 address in the appropriate field to apply this criterion Section 3: Configuring the Access Point Destination IPv6 Prefix Len Source Port Range Destination Port Enter the prefix length of the destination IPv6 address Enter the port range to match to the source port identified in the datagram header The port range is 065535 and includes three different types of ports:

To specify a single port, use the same value for the start and end range 01023: Well Known Ports 102449151: Registered Ports 4915265535: Dynamic and/or Private Ports Select this option to include a destination port in the match condition for the rule The destination port is identified in the datagram header Once you select the option, choose the port name or enter the port number IPv6 Flow Label Flow label is 20-bit number that is unique to an IPv6 packet It is used by end stations to signify quality-of-

service handling in routers (range 0 to 1048575) MAC ACL 72 Linksys ethertype Class of Service Select the EtherType field to compare the match criteria against the value in the header of an Ethernet frame Select an EtherType keyword or enter an EtherType value to specify the match criteria Select from List Select Select one of the following protocol types:

Match to Value Enter a custom protocol identifier to which packets are matched The value is a four-digit hexadecimal number in the range of 0600FFFF appletalk arp ipv4 ipv6 ipx netbios pppoe Select this field and enter an 802 1p user priority to compare against an Ethernet frame The valid range is 07 This field is located in the first/

only 802 1Q VLAN tag Source MAC Address Select this field and enter the source MAC address to compare against an Ethernet frame Source MAC Mask Select this field and enter the source MAC address mask specifying which bits in the source MAC to compare against an Ethernet frame A 0 indicates that the address bit is significant, and an f indicates that the address bit is to be ignored A MAC mask of 00:00:00:00:00:00 matches a single MAC address Destination MAC Address Select this field and enter the destination MAC address to compare against an Ethernet frame Section 3: Configuring the Access Point Destination MAC Mask Enter the destination MAC address mask specifying which bits in the destination MAC to compare against an Ethernet frame A 0 indicates that the address bit is significant, and an f indicates that the address bit is to be ignored A MAC mask of 00:00:00:00:00:00 matches a single MAC address VLAn ID Select this field and enter the VLAN IDs to compare against an Ethernet frame This field is located in the first/only 802 1Q VLAN tag After you set the desired rule criteria, click Save To delete an ACL, select the Delete ACL option and click Save Class Map The Client QoS feature contains Differentiated Services (DiffServ) support that allows traffic to be classified into streams and given certain QoS treatment in accordance with defined per-hop behaviors Standard IP-based networks are designed to provide best effort data delivery service Best effort service implies that the network delivers the data in a timely fashion, although there is no guarantee that it will During times of congestion, packets may be delayed, sent sporadically, or dropped For typical Internet applications, such as e-mail and file transfer, a slight degradation in service is acceptable and in many cases unnoticeable However, on applications with strict timing requirements, such as voice or multimedia, any degradation of service has undesirable effects By classifying the traffic and creating policies that define how to handle these traffic classes, you can make sure that time-sensitive traffic is given precedence over other traffic The access point supports up to 50 class maps 73 Linksys Section 3: Configuring the Access Point Figure 38: QoS DiffServ Class Map Class: create classes and define class criteria Policy: create policies, associate classes with policies, and define policy Defining DiffServ To use DiffServ for Client QoS, use the Configuration > Qos and Access Control

> Class Map and Configuration > Qos and Access Control > Policy Map pages to define the following categories and their criteria:

statements Once you define the class and associate it with a policy, apply the policy to a specified VAP on the Global Settings page Packets are classified and processed based on defined criteria The classification criteria are defined by class The processing is defined by a policys attributes Policy attributes may be defined on a per-class instance basis, and it is these attributes that are applied when a match occurs A policy can contain multiple classes When the policy is active, the actions taken depend on which class matches the packet Packet processing begins by testing the class match criteria for a packet A policy is applied to a packet when a class match within that policy is found DiffServ is supported for IPv4 and IPv6 packets Use the Class Map page to add a new Diffserv class name, or to rename or delete an existing class, and define the criteria to associate with the DiffServ class To configure a DiffServ Class Map, click the Configuration > Qos and Access Control > Class Map tab note:

The Class Map page displays the Match Criteria Configuration fields only if a class map has been created To create a class map, enter a name in the Class Map Name field and click Add Class Map 74 Linksys Section 3: Configuring the Access Point Table 47: DiffServ Class Map Protocol Field Description Class Map Configuration Class Map name The name can range from 1 to 31 alphanumeric characters Match Layer 3 Protocol Specify whether to classify IPv4 or IPv6 packets Match Criteria Configuration Class Map name Match every Select name of the class to configure Use the fields in the Match Criteria Configuration area to match packets to a class Select the check box for each field to be used as a criterion for a class and enter data in the related field You can have multiple match criteria in a class note: The match criteria fields that are available depend on whether the class map is an IPv4 or IPv6 class map Select Match Every to specify that the match condition is true to all the parameters in a Layer 3 packet All Layer 3 packets will match a Match Every match condition Select the Protocol field to use a Layer 3 or Layer 4 protocol match condition based on the value of the IP Protocol field in IPv4 packets or the Next Header field of IPv6 packets Once you select the field, choose the protocol to match by keyword or enter a protocol ID Select From List Select one of the following protocols from the list:

Match to Value To match a protocol that is not listed by name, enter the protocol ID The protocol ID is a standard value assigned by the IANA The range is a number from 0255 IP ICMP IPv6 ICMPv6 IGMP TCP UDP IPv4 Class Maps Source IP Address Select this field to require a packets source IP address to match the address listed here Enter an IP address in the appropriate field to apply this criterion Source IP Mask Enter the source IP address mask The mask for DiffServ is a network-style bit mask in IP dotted decimal format indicating which part(s) of the destination IP Address to use for matching against packet content A DiffServ mask of 255 255 255 255 indicates that all bits are important, and a mask of 0 0 0 0 indicates that no bits are important The opposite is true with an ACL wild card mask For example, to match the criteria to a single host address, use a mask of 255 255 255 255 To match the criteria to a 24-bit subnet (for example, 192 168 10 0/24), use a mask of 255 255 255 0 75 Linksys Section 3: Configuring the Access Point Destination IP Address Select this field to require a packets destination IP address to match the address listed here Enter an IP address in the appropriate field to apply this criterion Source Port Destination IP Mask Enter the destination IP address mask The mask for DiffServ is a network-style bit mask in IP dotted decimal format indicating which part(s) of the destination IP Address to use for matching against packet content A DiffServ mask of 255 255 255 255 indicates that all bits are important, and a mask of 0 0 0 0 indicates that no bits are important The opposite is true with an ACL wild card mask For example, to match the criteria to a single host address, use a mask of 255 255 255 255 To match the criteria to a 24-bit subnet (for example 192 168 10 0/24), use a mask of 255 255 255 0 IPv6 Class Maps Source IPv6 Address Source IPv6 Prefix Length Destination IPv6 Address Destination IPv6 Prefix Length IPv6 Flow Label Select this field to require a packets source IPv6 address to match the address listed here Enter an IPv6 address in the appropriate field to apply this criterion Enter the prefix length of the source IPv6 address Select this field to require a packets destination IPv6 address to match the address listed here Enter an IPv6 address in the appropriate field to apply this criterion Enter the prefix length of the destination IPv6 address Flow label is 20-bit number that is unique to an IPv6 packet It is used by end stations to signify QoS handling in routers (range 0 to 1048575) IPv4 and IPv6 Class Maps Select this field to include a source port in the match condition for the rule The source port is identified in the datagram header Once you select the field, choose the port name or enter the port number Select From List Select the keyword associated with the source port to match:

ftp ftpdata http smtp snmp telnet tftp www Each of these keywords translates into its equivalent port number Match to Port Enter the IANA port number to match to the source port identified in the datagram header The port range is 065535 and includes three different types of ports:

01023: Well Known Ports 102449151: Registered Ports 4915265535: Dynamic and/or Private Ports 76 Linksys Destination Port ftp ftpdata http smtp snmp telnet tftp www Select this field to include a destination port in the match condition for the rule The destination port is identified in the datagram header Once you select the field, choose the port name or enter the port number Select From List Select the keyword associated with the destination port to match:

Each of these keywords translates into its equivalent port number Match to Port Enter the IANA port number to match to the destination port identified in the datagram header The port range is 065535 and includes three different types of ports:

01023: Well Known Ports 102449151: Registered Ports 4915265535: Dynamic and/or Private Ports Section 3: Configuring the Access Point Select the EtherType field to compare the match criteria against the value in the header of an Ethernet frame Select an EtherType keyword or enter an EtherType value to specify the match criteria Select from List Select Select one of the following protocol types:

appletalk arp ipv4 ipv6 ipx netbios pppoe Match to Value Enter a custom protocol identifier to which packets are matched The value is a four-digit hexadecimal number in the range of 0600FFFF Select the field and enter a class of service 802 1p user priority value to be matched for the packets The valid range is 07 ethertype Class of Service Source MAC Address Select this field and enter the source MAC address to compare against an Ethernet frame Source MAC Mask Enter the source MAC address mask specifying which bits in the destination MAC to compare against an Ethernet frame An f indicates that the address bit is significant, and a 0 indicates that the address bit is to be ignored A MAC mask of ff:ff:ff:ff:ff:ff matches a single MAC address Destination MAC Address Select this field and enter the destination MAC address to compare against an Ethernet frame 77 Linksys Destination MAC Mask Enter the destination MAC address mask specifying which bits in the destination MAC to compare against an Ethernet frame An f indicates that the address bit is significant, and a 0 indicates that the address bit is to be ignored A MAC mask of ff:ff:ff:ff:ff:ff matches a single MAC address VLAn ID Select the field and enter a VLAN ID to be matched for packets The VLAN ID range is 04095 IPv4 Class Maps Service type IP DSCP You can specify one type of service to use in matching packets to class criteria To use IP DSCP as a match criterion, select the check box and select a DSCP value keyword or enter a DSCP Select from List Select from a list of DSCP types Match to Value Enter a DSCP Value to match (063) IP Precedence Select this field to match the packets IP Precedence value to the class criteria IP Precedence value The IP Precedence range is 07 IP toS Bits Select this field and enter a value to use the packets Type of Service bits in the IP header as match criteria The TOS bit value ranges between (00FF) The high-

order three bits represent the IP precedence value The high-order six bits represent the IP Differentiated Services Code Point (DSCP) value Section 3: Configuring the Access Point IP toS Mask Enter an IP TOS mask value to perform a boolean AND with the TOS field in the header of the packet and compared against the TOS entered for this rule The TOS Mask can be used to compare specific bits

(Precedence/Type of Service) from the TOS field in the IP header of a packet against the TOS value entered for this rule (00FF) Delete Class Map Check to delete the class map selected in the Class Map Name menu The class map cannot be deleted if it is already attached to a policy To delete a Class Map, select the Delete Class Map option and click Save Policy Map Use the Policy Map page to create DiffServ policies and to associate a collection of classes with one or more policy statements The access point supports up to 50 policy maps Packets are classified and processed based on defined criteria The classification criteria are defined by class on the Class Map page The processing is defined by a policys attributes on the Policy Map page Policy attributes may be defined on a per-class instance basis, and it is these attributes that are applied when a match occurs A policy map can contain up to 10 class maps When the policy is active, the actions taken depend on which class matches the packet Packet processing begins by testing the class match criteria for a packet A policy is applied to a packet when a class match within that policy is found note:

The Policy Map page displays the policy configuration fields only if a policy map has been created To create a policy map, enter a name in the Policy Map Name field and click Add Policy Map To create a DiffServ policy, click the Configuration > Qos and Access Control >

Policy Map tab The following image shows the page after a policy map has been created 78 Linksys Section 3: Configuring the Access Point Figure 39: QoS DiffServ Policy Map Field Policy Map name Table 48: DiffServ Policy Map Description Policy Map name

(Policy Class Definition) Class Map name Police Simple Send Drop Enter then name of the policy map to add The name can contain up to 31 alphanumeric characters Select the policy to associate with a member class Select the member class to associate with this policy name Select this option to establish the traffic policing style for the class The simple form of the policing style uses a single data rate and burst size, resulting in two outcomes: conform and nonconform Committed Rate Enter the committed rate, in Kbps, to which traffic must conform Committed Burst Enter the committed burst size, in bytes, to which traffic must conform Ideally, burst size should be 1 5 times the committed rate (in bytes) for Rate Limiting to work properly For example, if the committed rate is 1 Gbps, then the committed burst size should be 187500000 bytes Select Send to specify that all packets for the associated traffic stream are to be forwarded if the class map criterion is met Select Drop to specify that all packets for the associated traffic stream are to be dropped if the class map criterion is met 79 Linksys Mark Class of Service Mark IP DSCP Mark IP Precedence Disassociate Class Map Member Classes Delete Policy Map Select this field to mark all packets for the associated traffic stream with the specified class of service value in the priority field of the 802 1p header If the packet does not already contain this header, one is inserted The CoS value is an integer from 07 Select this field to mark all packets for the associated traffic stream with the IP DSCP value you select from the list or specify Select from List Select from a list of DSCP types. Select this field to mark all packets for the associated traffic stream with the specified IP precedence value The IP precedence value is an integer from 07 Select this option and click Save to remove the class selected in the Class Map Name menu from the policy selected in the Policy Map Name menu Lists all DiffServ classes currently defined as members of the selected policy If no class is associated with the policy, the field is empty Select this field to delete the policy map showing in the Policy Map Name menu To delete a Policy Map, select the Delete Policy Map option and click Save Section 3: Configuring the Access Point Client QoS Status The Client QoS Status page shows the client QoS settings that are applied to each client currently associated with the AP To view QoS settings for an associated client, click the Configuration > QoS and Access Control > Client QoS Status tab Figure 40: Client QoS Status Table 49: Client QoS Status Field Description Station QoS Mode The Station menu contains the MAC address of each client currently associated with the AP To view the QoS settings applied to a client, select its MAC address from the list Shows whether the QOS mode for the selected client is up

(enabled) or down (disabled) note: For the QoS Mode to be enabled on a client, it must be globally enabled on the AP and enabled on the VAP the client is associated with Use the Global Settings page to enable the QoS Global Admin mode and the per-VAP QoS Mode 80 Linksys Section 3: Configuring the Access Point Bandwidth Limit Up Shows the maximum allowed transmission rate from the client to the AP in bits per second (bps) The valid range is 04294967295 bps Bandwidth Limit Down Shows the maximum allowed transmission rate from the AP to the client in bits per second (bps) The valid range is 04294967295 bps ACL type Up ACL name Up ACL type Down ACL name Down Shows the type of ACL that is applied to traffic in the inbound

(client-to-AP) direction, which can be one of the following:

IPv4: The ACL examines IPv4 packets for matches to ACL rules IPv6: The ACL examines IPv6 packets for matches to ACL rules MAC: The ACL examines layer 2 frames for matches to ACL rules Shows the name of the ACL applied to traffic entering the AP in the inbound direction When a packet or frame is received by the AP, the ACLs rules are checked for a match The packet or frame is processed if it is permitted and discarded if it is denied Shows the type of ACL to apply to traffic in the outbound (AP-

to-client) direction, which can be one of the following:

IPv4: The ACL examines IPv4 packets for matches to ACL rules IPv6: The ACL examines IPv6 packets for matches to ACL rules MAC: The ACL examines layer 2 frames for matches to ACL rules Shows the name of the ACL applied to traffic in the outbound direction After switching the packet or frame to the outbound interface, the ACLs rules are checked for a match The packet or frame is transmitted if it is permitted and discarded if it is denied SNMP This section describes how to configure the SNMP settings on the access point and contains the following subsections:

General Views Groups Targets Users General Simple Network Management Protocol (SNMP) defines a standard for recording, storing, and sharing information about network devices SNMP facilitates network management, troubleshooting, and maintenance The AP supports SNMP versions 1, 2, and 3 Unless specifically noted, all configuration parameters on this page apply to SNMPv1 and SNMPv2c only Key components of any SNMP-managed network are managed devices, SNMP agents, and a management system The agents store data about their devices in Management Information Bases (MIBs) and return this data to the SNMP manager when requested Managed devices can be network nodes such as APs, routers, switches, bridges, hubs, servers, or printers The access point can function as an SNMP managed device for seamless integration into network management systems such as HP OpenView From the SNMP page under the Services heading, you can start or stop control of SNMP agents, configure community passwords, access MIBs, and configure SNMP Trap destinations To configure SNMP, click the Configuration > SNMP > General tab and save the fields described in Table 50 on page 118 DiffServ Policy Up Shows the name of the DiffServ policy applied to traffic sent to the AP in the inbound (client-to-AP) direction DiffServ Policy Down Shows the name of the DiffServ policy applied to traffic from the AP in the outbound (AP-to-client) direction 81 Linksys Section 3: Configuring the Access Point Figure 41: SNMP-General UDP Port Read only Community Read Write Community Management Station Restriction Table 50: SNMP-General Settings Field Description SnMP enabled/Disabled You can specify the SNMP administrative mode on your network By default SNMP is enabled To enable SNMP, click Enabled To disable SNMP, click Disabled After changing the mode, you must click Save to save your configuration changes note:

If SNMP is disabled, all remaining fields on the SNMP page are disabled This is a global SNMP parameter which applies to SNMPv1, SNMPv2c, and SNMPv3 By default an SNMP agent only listens to requests from port 161 However, you can configure this so the agent listens to requests on another port Enter the port number on which you want the SNMP agents to listen to requests The valid range is 1-65535 note: This is a global SNMP parameter that applies to SNMPv1, SNMPv2c, and SNMPv3 Enter a read-only community name The valid range is 1-256 characters The community name, as defined in SNMPv2c, acts as a simple authentication mechanism to restrict the machines on the network that can request data to the SNMP agent The name functions as a password, and the request is assumed to be authentic if the sender knows the password The community name can be in any alphanumeric format If you have enabled SNMP set requests you can set a read-write community name The valid range is 1-256 characters Setting a community name is similar to setting a password Only requests from the machines that identify themselves with this community name will be accepted The community name can be in any alphanumeric format You can restrict the source of permitted SNMP requests To restrict the source of permitted SNMP requests, click Enabled To permit any source submitting an SNMP request, click Disabled 82 Linksys nMS IPv4 Address/name Specify the IPv4 DNS hostname or subnet of the machines that can execute get and set requests to the managed devices The valid range is 1-256 characters As with community names, this provides a level of security on SNMP settings The SNMP agent will only accept requests from the hostname or subnet specified here To specify a subnet, enter one or more subnetwork address ranges in the form address/mask_length where address is an IP address and mask_length is the number of mask bits Both address/mask and address/

mask_length formats are supported Individual hosts can be provided for this, i e IP address or Hostname For example, if you enter a range of 192 168 1 0/24 this specifies a subnetwork with address 192 168 1 0 and a subnet mask of 255 255 255 0 The address range is used to specify the subnet of the designated NMS Only machines with IP addresses in this range are permitted to execute get and set requests on the managed device Given the example above, the machines with addresses from 192 168 1 1 through 192 168 1 254 can execute SNMP commands on the device (The address identified by suffix 0 in a subnetwork range is always reserved for the subnet address, and the address identified by 255 in the range is always reserved for the broadcast address) As another example, if you enter a range of 10 10 1 128/25 machines with IP addresses from 10 10 1 129 through 10 10 1 254 can execute SNMP requests on managed devices In this example, 10 10 1 128 is the network address and 10 10 1 255 is the broadcast address 126 addresses would be designated nMS IPv6 Address/name Specify the IPv6 DNS hostname or subnet of the machines that can execute get and set requests to the managed devices trap Community Host type Hostname or IP address Section 3: Configuring the Access Point Enter the global community string associated with SNMP traps The valid range is 1-256 characters Traps sent from the device will provide this string as a community name The community name can be in any alphanumeric format Special characters are not permitted Specify whether the enabled host is an IPv4 host or an IPv6 host Enter the DNS hostname of the computer to which you want to send SNMP traps The valid range is 1-256 characters An example of a DNS hostname is: snmptraps foo com Since SNMP traps are sent randomly from the SNMP agent, it makes sense to specify where exactly the traps should be sent You can add up to a maximum of three DNS hostnames Ensure you select the Enabled check box beside the appropriate hostname note:

After you configure the SNMP settings, you must click Save to apply the changes Changing some settings might cause the AP to stop and restart system processes If this happens, wireless clients will temporarily lose connectivity We recommend that you change AP settings when WLAN traffic is low note:

Hostnames are composed of series of labels concatenated with dots, as are all domain names Each label must be between 1 and 63 characters long, and the entire hostname (including the delimiting dots) has a maximum of 253 characters 83 Linksys Section 3: Configuring the Access Point Views A MIB view is a family of view subtrees, which is a pairing of an OID subtree value together with a bit string mask value Each MIB view is defined by two sets of view subtrees, included in or excluded from the MIB view You can create MIB views to control the OID range that SNMP users can access Note that the access point supports a maximum of 16 views The following notes summarize some critical guidelines regarding SNMP View configuration Please read all the notes before proceeding with SNMP View configuration note:

A MIB view called all is created by default in the system This view contains all management objects supported by the system note:

By default, view-all and view-none SNMP views are created on the AP These views cannot be deleted but OID, Masks and Type fields can be modified Figure 1: SNMP Views Configuration To display the SNMP Views Configuration page, click the Configuration > SNMP

> Views tab Table 51 describes the fields you can configure on the Views page Field Description Table 51: SNMP Views View name Enter a name to identify the MIB view View names can contain up to 32 alphanumeric characters type oID Mask Specifies whether to include or exclude the view subtree or family of subtrees from the MIB view Enter an OID string for the subtree to include or exclude from the view For example, the system subtree is specified by the OID string 1 3 6 1 2 1 1 The OID mask is 47 characters in length The format of the OID mask is xx xx xx ( ) or xx:xx:xx (:) and is 16 octets in length Each octet is 2 hexadecimal characters separated by either a period or a colon Only hex characters are accepted in this field For example, OID mask FA 80 is 11111010 10000000 A family mask is used to define a family of view subtrees The family mask indicates which sub-identifiers of the associated family OID string are significant to the familys definition A family of view subtrees allows control access to one row in a table, in a more efficient manner SnMP Views This field shows the MIB views on the access point Use the buttons on the page to perform the following tasks:

Add: Add the new view to the SNMP Views table Remove: Remove the selected view from the SNMP Views table Save: Apply and save the changed SNMP view settings 84 Linksys Section 3: Configuring the Access Point noAuthNoPriv authNoPriv authPriv Groups SNMP groups allow you to combine users into groups of different authorization and access privileges Each group is associated with one of three security levels:

Read and/or write access to management objects (MIBs) for each group is controlled by associating a MIB view to a group for read and write access, separately By default, the access point has two groups:

RO A read-only group with no authentication and no data encryption No security is provided by this group By default, users of this group will have read access to the default all MIB view, which can be modified by the user RW A read/write group using authentication and data encryption Users in this group use an MD5 key/password for authentication and a DES key/

password for encryption Both the MD5 and DES key/passwords must be defined By default, users of this group will have read and write access to default all MIB view, which can be modified by the user note:

The default groups RO and RW cannot be deleted note:

The Access Point supports a maximum of 8 groups To define additional groups, navigate to the Configuration > SNMP > Groups page and configure the settings that Table 52 describes Field name Security Level Figure 42: SNMP Groups Table 52: SNMP Groups Description Specify a name to use to identify the group The default group names are RW and RO Group names can contain up to 32 alphanumeric characters Select one of the following security levels for the group:

noAuthentication-noPrivacy No authentication and no data encryption (no security) Authentication-noPrivacy Authentication, but no data encryption With this security level, users send SNMP messages that use an MD5 key/password for authentication, but not a DES key/password for encryption Authentication-Privacy Authentication and data encryption With this security level, users send an MD5 key/password for authentication and a DES key/

password for encryption For groups that require authentication, encryption, or both, you must define the MD5 and DES key/passwords on the SNMP Users page 85 Linksys Write Views Read Views Select the write access to management objects (MIBs) for the group:

write-all The group can create, alter, and delete MIBs write-none The group is not allowed to create, alter, or delete MIBS Select the read access to management objects (MIBs) for the group:

view-all The group is allowed to view and read all MIBs view-none The group cannot view or read MIBs SnMP Groups This field shows the default groups and the groups that have been defined on the AP Use the buttons on the page to perform the following tasks:

Add: Add the new group to the SNMP Groups table Remove: Remove the selected group from the SNMP Group table Save: Apply and save the changed SNMP group settings Section 3: Configuring the Access Point Targets An SNMP target receives trap messages and forwards them to the SNMP manager Inform messages are not supported Each target is associated with target IP address, UDP port, and SNMP user name note:

Required SNMP user configuration Users on page 125 should be completed before configuring SNMP targets note:

The access point supports a maximum of eight targets To display the SNMP Targets Configuration page, click the Configuration >

SNMP > Targets tab Figure 43: SNMP Targets 86 Linksys Table 53: SNMP Targets Field IPv4/IPv6 Address Port Users SnMP targets Description Enter the IP address of the remote SNMP target

(receiver) Enter the UDP port to use for sending SNMP targets Enter the name of the SNMP user to associate with the target To configure SNMP users, see Users on page 125 This field shows the SNMP targets configured on the access point Use the buttons on the page to perform the following tasks:

Add: Add the new target to the SNMP Targets table Remove: Remove the selected target from the SNMP Targets table Save: Apply and save the changed SNMP target settings Section 3: Configuring the Access Point Users From the Users page, you can define multiple users, associate the desired security level to each user, and configure per user security keys Each user is mapped to an SNMP group, either from predefined or user-defined groups, configured for authentication and encryption types with authentication encryption pass-phrases (optional if authentication or encryption type is set to none ) For authentication, only MD5 type is supported, and for encryption only DES type is supported There are no default SNMP users on the access point Figure 44: SNMP Users Table 54 describes the fields to configure SNMP users Table 54: SNMP Users Field Name Group Authentication Type Description Enter the user name to identify the SNMP user User names can contain up to 32 alphanumeric characters Map the user to a group The default groups are RW and RO You can define additional groups on the SNMP Groups page Select the type of authentication to use on SNMP requests from the user:

MD5 Require MD5 authentication on SNMP requests from the user None SNMP requests from this user require no authentication 87 Linksys Authentication Key Encryption Type If you specify MD5 as the authentication type, enter a password to enable the SNMP agent to authenticate requests sent by the user Note: The passphrase must be between 8 and 32 characters in length If you wish to use a space in the phrase, you must use quotation marks ex: Admin 123 or the phrase will be truncated as Admin Select the type of privacy to use on SNMP requests from the user:

DES Use DES encryption on SNMP requests from the user None SNMP requests from this user require no privacy Encryption Key SNMP Users If you specify DES as the privacy type, enter a key to use to encrypt the SNMP requests note: The passphrase must be between 8 and 32 characters in length If you wish to use a space in the phrase, you must use quotation marks ex: Admin 123 or the phrase will be truncated as Admin This field shows the users that have been defined on the AP Use the buttons on the page to perform the following tasks:

Add: Add the new user to the SNMP Users table Remove: Remove the selected user from the SNMP Users table Save: Apply and save the changed SNMP user settings Section 3: Configuring the Access Point Captive Portal This section describes the Captive Portal (CP) feature, which allows you to block wireless clients from accessing the network until user verification has been established You can configure CP verification to allow access for both guest and authenticated users The access point CP feature supports both IPv4 and IPv6 clients Authenticated users must be validated against a database of authorized Captive Portal groups or users before access is granted The database can be stored locally on the access point or on a RADIUS server Captive Portal consists of two CP instances Each instance can be configured independently, with different verification methods for each VAP or SSID The AP operates concurrently with some VAPs configured for CP authentication and other VAPs configured for normal wireless authentication methods, such as WPA or WPA Enterprise This section describes the following features:

Global ConfigurationAuthenticated Clients Failed Authentication Clients Instance Configuration Instance Association Global Configuration Web Portal Customization Web Customization Preview Upload Custom Images Local Groups Local Users Authenticated Clients Failed Authentication Clients 88 Linksys Section 3: Configuring the Access Point Global Configuration The Captive Portal (CP) feature allows you to block wireless clients from accessing the network until user verification has been established Use the CP Global Configuration page to control the administrative state of the CP feature and configure global settings that affect all captive portal instances configured on the AP Click the Configuration > Captive Portal > Global Configuration tab to access the page, which the following figure shows Figure 45: Global Configuration The following table describes the fields on the CP Global Configuration page Table 55: Global Configuration Field Description Captive Portal Mode Enables or disables the administrative mode of CP on the AP Authentication timeout Additional HttP Port This field specifies the number of seconds the AP keeps the unauthenticated client information If the user does not enter authentication credentials within the authentication timeout period, the client details are removed so that stale entries do not persist upon leaving The default authentication timeout is 300 seconds HTTP traffic uses port 80, but you can configure an additional port for HTTP traffic Enter a port number between 1025-65535 Port number 80 or 443 cannot be used, and the HTTP and HTTPs ports cannot be the same Additional HttPS Port HTTP traffic over SSL (HTTPS) uses port 443, but you can configure an additional port for HTTPS traffic Enter a port number between 1025-65535 Port number 80 or 443 cannot be used, and the HTTP and HTTPs ports cannot be the same Instance Count Group Count User Count The number of CP instances currently configured on the AP Up to two instances can be configured The number of CP groups currently configured on the AP Up to two groups can be configured Default Group exists by default and cannot be deleted The number of CP users currently configured on the AP Up to 128 users can be configured 89 Linksys Section 3: Configuring the Access Point Instance Configuration You can create up to two Captive Portal instances; each CP instance is a defined set of instance parameters Instances can be associated with one or more VAPs Different instances can be configured to respond differently to users as they attempt to access the associated VAP Click the Configuration > Captive Portal > Instance Configuration tab to access the page Figure 46 shows the CP Instance Configuration page when the Create option is selected from the Captive Portal Instances menu Figure 46: CP Instance Configuration - Create Figure 47: CP Instance Configuration Figure 47 on page 129 shows the CP Instance Configuration page when a CP instance has been created and is selected from the Captive Portal Instances menu The fields available also change depending on the option selected from the Verification menu In Figure 47 on page 129, the verification method is RADIUS The following table describes the fields on the CP Instance Configuration page The fields that appear on the page depend on the option selected from the Captive Portal Instances menu 90 Linksys Section 3: Configuring the Access Point Table 56: Captive Portal Instance Configuration Redirect URL Field Description Captive Portal Instances Select an existing instance to view or configure its settings, or select Create to configure a new CP instance The access point supports two instances If both instances have been configured, you must delete an instance before you can create a new one Instance name This field is available only if Create is selected from the Captive Portal Instances field Specify a name for the new CP instance Instance ID The CP instance identifier For an existing instance, this field cannot be configured When creating a new CP instance, the ID cannot be used by another CP instance If you attempt to assign an Instance ID that is in use, an error message is displayed Admin Mode Select the option to enable the administrative mode of the selected CP instance, or clear the option to disable it Protocol Verification Specifies HTTP or HTTPs as the protocol for the CP instance to use during the verification process The authentication method for CP to use to verify clients:

GuestThe user does not need to be authenticated by a database LocalThe Access Point uses a local database to authenticated users RADIUSThe Access Point uses a database on a remote RADIUS server to authenticate users Redirect Specifies that CP should redirect the newly authenticated client to the configured URL If this option is clear, the user sees the locale-specific welcome page after a successful verification Away time Session timeout Max Bandwidth Upstream Max Bandwidth Downstream Enter the URL (including http://), either IPv4 or an IPv6 address, to which the newly authenticated client is redirected if the URL Redirect Mode is enabled The IPv4 address should be in a form similar to http://xxx xxx xxx xxx (http://192 0 2 10) The IPv6 address should be in a form similar to http://[xxxx:xxxx:xxxx:xxxx::xxxx:xxxx:xxx x:xxxx] (http://[2001:DB8::CAD5:7D91]) The range is from 0 to 256 characters The amount of time a user remains in the CP authenticated client list after it disassociates from the AP If the time specified in this field expires before the client attempts to reauthenticate, its entry is removed from the authenticated client list The range is from 0 to 1440 minutes The default value is 60 minutes note: An away timeout value is also configured for each user See the Local Users page The users away timeout value has precedence over the value configured here The amount of time to wait before terminating a session A user is logged out after the session timeout is reached If the value is set to 0, the timeout is not enforced The range is from 0 to 1440 minutes The default value is 0 The maximum upload speed, in megabits per second, that a client can transmit traffic when using the captive portal This setting limits the bandwidth at which the client can send data into the network The range is from 0 to 300 Mbps The default value is 0 The maximum download speed, in megabits per second, that a client can receive traffic when using the captive portal This setting limits the bandwidth at which the client can receive data from the network The range is from 0 to 300 Mbps The default value is 0 User Group name The user group associated with this instance Each CP user is associated with a group, and a group is associated with a CP instance 91 Section 3: Configuring the Access Point RADIUS Key The shared secret key that the access point uses to authenticate to the primary RADIUS server You can use up to 63 standard alphanumeric and special characters The key is case sensitive and must match the key configured on the RADIUS server The text you enter will be displayed as * characters RADIUS Backup Key 13 The RADIUS key associated with the configured backup RADIUS servers The server at RADIUS IP Address-1 uses RADIUS Key-1, RADIUS IP Address-2 uses RADIUS Key-2, and so on Locale Count The number of locales associated with the instance You can create and assign up to three different locales to each CP instance from the Web Customization page Delete Instance To delete the current instance, select this option and click Save . Linksys Global RADIUS RADIUS Accounting RADIUS IP network RADIUS IP If the Verification Mode is RADIUS, select to specify that the default Global RADIUS server list is used to authenticating clients If you want the CP feature to use a different set of RADIUS servers, clear this setting and configure the servers in the fields on this page Enables tracking and measuring the resources a particular user has consumed, such as system time and amount of data transmitted and received Specify whether the RADIUS IP addresses are IPv4 or IPv6 RADIUS server addresses The IPv4 or IPv6 address for the primary RADIUS server for this VAP The IPv4 address should be in a form similar to xxx xxx xxx xxx (192 0 2 10) The IPv6 address should be in a form similar to xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:

xxxx (2001:DB8::CAD5:7D91) When the first wireless client tries to authenticate with a VAP, the access point sends an authentication request to the primary server If the primary server responds to the authentication request, the access point continues to use this RADIUS server as the primary server, and authentication requests are sent to the address you specify RADIUS Backup IP 13 Up to three IPv4 or IPv6 backup RADIUS server addresses If authentication fails with the primary server, each configured backup server is tried in sequence RADIUS Current Specify which RADIUS server to use to authenticate clients:

primary Use the RADIUS server with the IP address configured in the RADIUS IP field backupone Use the RADIUS server with the IP address configured in the RADIUS Backup IP 1 field backuptwo Use the RADIUS server with the IP address configured in the RADIUS Backup IP 2 field backupthree Use the RADIUS server with the IP address configured in the RADIUS Backup IP 3 field 92 Linksys Section 3: Configuring the Access Point Instance Association Use the Instance Association page to associate a CP instance to a VAP The associated CP instance settings will apply to users who attempt to authenticate on the VAP Click the Configuration > Captive Portal > Instance Association tab to access the page, which the following figure shows Figure 48: Instance Association Field RADIo VAP Table 57: Captive Portal Instance Association Description Select the radio associated with the VAP to configure The list of VAP IDs A CP instance can be associated with multiple VAPs Instance name Select the instance to associate with each VAP If the menu is blank, no instance is associated with the VAP Web Portal Customization When users initiate access to a VAP that is associated with a captive portal instance, an authentication page displays You can use the page to create unique pages for different locales on your network, and to customize the textual and graphic elements of the pages Use this page to create and customize the authentication page Click the Configuration > Captive Portal > Web Portal Customization tab to access the page, which the following figure shows The following table describes the fields on the CP Instance Association page 93 Linksys Figure 49: Web Portal Customization Section 3: Configuring the Access Point Field Captive Portal Locale Table 58: Web Portal Customization Description To create a new Web locale, select Create from the available menu To view or update an existing Web locale, select its name from the menu Captive Portal Web Local Parameters Web Locale name Captive Portal Instances This field is displayed only if Create is selected from the Captive Portal Web Locale menu Enter a Web Locale Name to assign to the page The name can be from 1 to 32 alphanumeric characters This field is displayed only if Create is selected from the Captive Portal Web Locale menu From the Captive Portal Instances list, select the CP instance that this locale is associated with You can associate multiple locales with an instance When a user attempts to access a particular VAP that is associated with a CP instance, the locales that are associated with that instance display as links on the authentication page The user can select a link to switch to that locale Locale ID The ID that is automatically assigned to the locale when it is created The ID cannot be configured Instance ID The ID of the CP instance associated with the locale Instance name The user-configured name of the CP instance Background Image name Logo Image name The image to display as the page background You can click Upload/Delete Custom Image to upload images to the AP for use with Captive Portal instances The image file to display on the top left corner of the page This image is used for branding purposes, such as the company logo If you uploaded a custom logo image to the access point, you can select it from the list 94 Linksys Foreground color Background color Separator The HTML code for the foreground color in 6-digit hexadecimal format The range is from 1 to 32 characters The default is #999999 The HTML code for the background color in 6-digit hexadecimal format The range is from 1 to 32 characters The default is #BFBFBF The HTML code for the color of the thick horizontal line that separates the page header from the page body, in 6-digit hexadecimal format The range is from 1 to 32 characters The default is #BFBFBF The default is

#BFBFBF Locale Label A descriptive label for the locale, from 1 to 32 characters The default is English Locale An abbreviation for the locale, from 1 to 32 characters The default is en Account Image The image file to display above the login field to depict an authenticated login User Label The label for the user name text box The range is from 0 to 32 characters Password Label The label for the user password text box The range is from 0 to 64 characters Button Label The label on the button users click to submit their user name/password for authentication The range is from 2 to 32 characters The default is Connect Fonts The name of the font to use for all text on the CP page You can enter multiple font names, each separated by a comma If the first font is not available on the client system, the next font will be used, and so on For font names that have spaces, surround the entire name in quotes The range is from 1 to 512 characters The default is arial, sans-serif, MS UI Gothic Section 3: Configuring the Access Point Browser title The text to display in the browser title bar The range is from 1 to 128 characters The default is Captive Portal Browser Content Content The text that displays in the page header, to the right of the logo The range is from 1 to 128 characters The default is Welcome to the Wireless Network The instructive text that displays in the page body below the user name and password text boxes The range is from 0 to 256 characters The default is: To start using this service, enter your credentials and click the connect button Acceptance Use Policy The text that appears in the Acceptance Use Policy box The range is from 0 to 8192 characters The default is:

Acceptance Use Policy Accept Label The text that instructs users to select the check box to acknowledge reading and accepting the Acceptance Use Policy The range is from 0 to 128 characters The default is: Check here to indicate that you have read and accepted the Acceptance Use Policy The text that displays in a pop-up window when a user submits login credentials without selecting the Acceptance Use Policy check box The range is from 1 to 128 characters The default is: Error: You must acknowledge the Acceptance Use Policy before connecting!

The text that displays during authentication The range is from 1 to 128 characters The default is: Connecting, please be patient The text that displays when a user fails authentication The range is from 1 to 128 characters The default is:

Error: Invalid Credentials, please try again!

Work In Progress text Denied text Welcome title The text that displays when the client has authenticated to the VAP The range is from 1 to 128 characters The default is: Congratulations!

95 Account Label The text that instructs the user to enter a user name The range is from 0 to 32 characters no Accept text Linksys Welcome Content The text that displays when the client has connected to the network The range is from 0 to 256 characters The default is: You are now authorized and connected to the network Delete Locale To delete the current locale, select this option and click Save Web Customization Preview Use the Web Customization Preview page to view an example of the authentication page a CP user sees upon connecting to the access point Click the Configuration > Captive Portal > Web Customization Preview tab to access the page, which the following figure shows Figure 50: CP Web Customization Preview To preview a CP authentication page, select the Web locale from the menu Section 3: Configuring the Access Point Upload Custom Images When users initiate access to a VAP that is associated to a captive portal instance, an authentication page displays You can customize this page with your own logo and other graphics Up to 18 images can be uploaded (assuming six locales, with each locale having three images) Click the Configuration > Captive Portal > Upload Custom Images tab to access the page, which the following figure shows Figure 51: Upload Custom Images Images will be resized to fit the specified dimensions For best results, the logo and account images should be similar in proportion to the default images, as follows:

Table 59: Captive Portal Default Images Image type Use Default Width x Height Background Displays in the page background Logo Account Displays at top left of page to provide branding information Displays above the login field to depict an authenticated login 10 800 pixels 168 78 pixels 295 55 pixels The following table describes the fields on the Captive Portal Upload Custom Images page 96 Linksys Section 3: Configuring the Access Point Table 60: Captive Portal Upload Custom Images Field Description Upload Web Customization Image To select an image to upload to the AP for use in the CP authentication page, click Browse and browse to the image to upload After you select the appropriate image, click Upload Delete Web Customization Image To remove an image that has been uploaded, select the name of the image from the available menu and click Delete Local Groups Each local user is assigned to a user group Each group is assigned to a CP instance The group facilitates managing the assignment of users to CP instances The user group named Default is built-in and cannot be deleted You can create up to two additional user groups The fields available on the page depend on the option selected from the Captive Portal Groups menu Click the Configuration > Captive Portal > Local Groups tab to access the page, which the following figure shows Figure 52: CP Local Groups The following table describes the fields on the CP Local Groups page that you use to create a CP local group Table 61: Captive Portal Local Group Configuration Field Description Captive Portal Groups Group name Delete Group The menu includes all CP groups that exist on the switch To create a new group, select Create To delete a CP group, select the group name This field is available only if the option selected from the Captive Portal Group menu is Create Specify a name for the local user This field is available only if the option selected from the Captive Portal Group menu is a user-created CP group To delete the selected group, select the check box and click Save 97 Linksys Section 3: Configuring the Access Point Local Users You can configure a captive portal instance to accommodate both guest users and authorized users Guest users do not have assigned user names and passwords Authorized users provide a valid user name and password that must first be validated against a local database or RADIUS server Authorized users are typically assigned to a CP instance that is associated with a different VAP than guest users Use the Local Users page to configure up to 128 authorized users in the local database Click the Configuration > Captive Portal > Local Users tab to access the page, which the following figure shows Figure 53: CP Local Users The following table describes the fields on the CP Local Users page that you use to configure settings for an existing CP local user Table 63: Creating Captive Portal Local Users Field Description Captive Portal Users Select the name of the user with the settings to configure The following table describes the fields on the CP Local Users page that you use to create a CP local user Table 62: Creating Captive Portal Local Users Field Description Captive Portal Users To create a new user, select Create User name Specify a name for the local user After you create a user or select an existing user from the Captive Portal Users menu, additional fields appear on the screen User Password Away time Enter the users password, from 8 to 64 alphanumeric and special characters A user enter must enter the password to log into the network through the captive portal The amount of time a user remains in the CP authenticated client list after it disassociates from the AP If the time specified in this field expires before the client attempts to reauthenticate, its entry is removed from the authenticated client list The range is from 0 to 1440 minutes The default value is 0 note: An away timeout value is also configured for a captive portal instance See the Instance Configuration page The timeout value configured for a local user has precedence over the value configured for the captive portal instance 98 Linksys Group name Maximum Bandwidth Upstream Maximum Bandwidth Downstream Select the group to which the user belongs Each CP instance is configured to support a particular group of users The maximum upload speed, in megabits per second, that a client can transmit traffic when using the captive portal This setting limits the clients bandwidth used to send data into the network The range is from 0 to 300 Mbps The default is 0 The maximum download speed, in megabits per second, at which a client can receive traffic when using the captive portal This setting limits the clients bandwidth used to receive data from the network The range is from 0 to 300 Mbps The default is 0 Delete User To delete the current user, select this option and click Save Section 3: Configuring the Access Point Authenticated Clients The Authenticated Clients page provides information about clients that have authenticated on any captive portal instance Click the Configuration > Captive Portal > Authenticated Clients tab to access the page, which the following figure shows Figure 54: CP Authenticated Clients The following table describes the fields on the CP Authenticated Clients page Table 64: Captive Portal Authenticated Client List Field Description total number of Authenticated Clients The number of clients that have successfully authenticated on any CP instance This number includes only clients that are currently authenticated MAC Address The MAC address of the client IP Address The IPv4 or IPv6 address of the client If the client has a valid IPv4 address assigned, it will be displayed here otherwise a global IPv6 address, either from DHCPv6 or Autoconfiguration or statically configured, will be used User name The clients Captive Portal user name Protocol Mode Verify Mode The protocol the user used to establish the connection (HTTP or HTTPS) The method used to authenticate the user on the Captive Portal, which can be one of these values:

Guest The user does not need to be authenticated by a database Local The access point uses a local database to authenticated users RADIUS The access point uses a database on a remote RADIUS server to authenticate users 99 Linksys VAP ID Radio ID The VAP that the user is associated with The ID of the radio Because the WAP321 has a single radio, this field always displays Radio1 Captive Portal ID The ID of the Captive Portal instance to which the user is associated Session timeout Away timeout Rx Packets tx Packets Rx Bytes tx Bytes The time remaining, in seconds, for the CP session to be valid After the time reaches zero, the client is deauthenticated The time remaining, in seconds, for the client to be valid The timer starts when the client dissociates from the CP After the time reaches zero, the client is deauthenticated The number of IP packets received by the access point from the user station The number of IP packets transmitted from the access point to the user station The number of bytes received by the access point from the user station The number of bytes transmitted from the access point to the user station Section 3: Configuring the Access Point Failed Authentication Clients The Failed Authenticated Clients page lists information about clients that attempted to authenticate on a Captive Portal and failed Click the Configuration > Captive Portal > Failed Authenticated Clients tab to access the page, which the following figure shows Figure 55: CP Failed Authenticated Clients The following table describes the fields on the CP Failed Authenticated Clients page Table 65: Captive Portal Failed Authenticated Client List Field Description MAC Address The MAC address of the client IP Address The IP address of the client User name The clients Captive Portal user name Verify Mode The method the client attempted to use to authenticate on the Captive Portal, which can be one of these values:

Guest The user does not need to be authenticated by a database Local The Access Point uses a local database to authenticated users RADIUS The Access Point uses a database on a remote RADIUS server to authenticate users VAP ID The VAP that the user attempted to associated with Radio ID Captive Portal ID The ID of the radio that the user attempted to connect to The ID of the Captive Portal instance to which the user attempted to associate Failure time The time that the authentication failure occurred A timestamp is included that shows the time of the failure 100 Linksys Section 3: Configuring the Access Point Cluster The access point supports AP clusters A cluster provides a single point of administration and lets you view, deploy, configure, and secure the wireless network as a single entity rather than a series of separate wireless devices Access Points Sessions Channel Management Wireless Neighborhood Access Points The AP cluster is a dynamic, configuration-aware group of APs in the same subnet of a network Each cluster can have up to 16 members Only one cluster per wireless network is supported; however, a network subnet can have multiple clusters Clusters can share various configuration information such as VAP settings and QoS queue parameters A cluster can be formed between two APs if the following conditions are met:

The APs use the same radio mode (for example, radio 1 uses 802 11g) The APs are connected on the same bridged segment The APs joining the cluster have the same Cluster Name Clustering mode is enabled on both APs note:

For two APs to be in the same cluster, they do not need to have the same number of radios; however, the supported capabilities of the radios should be same Clustering Single and Dual Radio APs Clusters can contain a mixture of APs with two radios and APs with a single radio When the configuration of a single-radio AP in the cluster changes, the AP propagates the change to the first radio of all cluster members The configuration of the second radio on any dual-radio APs in the cluster is not affected If a cluster contains only single-radio APs and a dual radio AP joins the cluster, then only radio 1 on the dual-radio AP is configured with the cluster configuration Radio 2 on the AP remains as it was prior to joining the cluster However, if the cluster already has at least one dual-radio AP, then the second radio of the AP joining the cluster is configured with the cluster settings Viewing and Configuring Cluster Members The Access Points tab allows you to start or stop clustering on an AP, view the cluster members, and configure the location and cluster name for a cluster member From the Configuration > Cluster > Access Points page, you can also click the IP address of each cluster member to navigate to configuration settings and data on an access point in the cluster To view information about cluster members and to configure the location and cluster of an individual member, click the Configuration > Cluster > Access Points tab Figure 56: Cluster Information and Member Configuration If clustering is currently disabled on the AP, the Start Clustering button is visible If clustering is enabled, the Stop Clustering button is visible You can edit the clustering option information when clustering is disabled The following table describes the configuration and status information available on the cluster Access Points page 101 Linksys Table 66: Access Points in the Cluster Field Description Status If the status field is visible, then the AP is enabled for clustering If clustering is not enabled, then the AP is operating in stand-alone mode and none of the information in this table is visible To disable clustering on the AP, click Stop Clustering Location Description of where the access point is physically located MAC Address Media Access Control (MAC) address of the access point IP Address The address shown here is the MAC address for the bridge (br0) This is the address by which the AP is known externally to other networks Specifies the IP address for the access point Each IP address is a link to the Administration Web pages for that access point You can use the links to navigate to the Administration Web pages for a specific access point This is useful for viewing data on a specific access point to make sure a cluster member is picking up cluster configuration changes, to configure advanced settings on a particular access point, or to switch a standalone access point to cluster mode The following table describes the cluster information to configure for an individual member The clustering options are read-only when clustering is enabled To configure the clustering options, you must stop clustering Field Location Cluster name Table 67: Clustering Options Description Enter a description of where the access point is physically located Enter the name of the cluster for the AP to join The cluster name is not sent to other APs in the cluster You must configure the same cluster name on each AP that is a member of the cluster The cluster name must be unique for each cluster you configure on the network Clustering IP Version Specify the IP version that the APs in the cluster use to communicate with each other Section 3: Configuring the Access Point Removing an Access Point from the Cluster To remove an access point from the cluster, do the following 1 Go to the Administration Web pages for the clustered access point The Administration Web pages for the standalone access point are displayed 2 Click the Configuration > Cluster > Access Points tab in the Administration pages 3 Click Stop Clustering The change will be reflected under Status for that access point; the access point will now show as standalone (instead of cluster) Click the Configuration > Cluster > Access Points tab in the Adding an Access Point to a Cluster To add an access point that is currently in standalone mode back into a cluster, do the following 1 Go to the Administration Web pages for the standalone access point The Administration Web pages for the standalone access point are displayed 2 Administration pages for the standalone access point The Access Points tab for a standalone access point indicates that the current mode is standalone and provides a button for adding the access point to a cluster (group) 3 The access point is now a cluster member Status (Mode) on the Configuration

> Cluster > Access Points tab now indicates cluster instead of Not Clustered Click Start Clustering Navigating to Configuration Information for a Specific AP In general, the access point is designed for central management of clustered access points All access points in a cluster reflect the same configuration In this case, it does not matter which access point you actually connect to for administration 102 Linksys Section 3: Configuring the Access Point There may be situations, however, when you want to view or manage information on a particular access point For example, you might want to check status information such as client associations or events for an access point In this case, you can navigate to the Administration Web interface for individual access points by clicking the IP address links on the Access Points tab All clustered access points are shown on the Cluster > Access Points page To navigate to clustered access points, you can simply click on the IP address for a specific cluster member shown in the list Navigating to an AP by Using its IP Address in a URL You can also link to the Administration Web pages of a specific access point, by entering the IP address for that access point as a URL directly into a Web browser address bar in the following form:

http://IPAddressOfAccessPoint where IPAddressOfAccessPoint is the address of the particular access point you want to monitor or configure Sessions The Sessions page shows information on client stations associated with access points in the cluster Each client is identified by its MAC address, along with the AP (location) to which it is currently connected This page shows a maximum of 20 clients per radio of the clustered APs See all clients associated with a particular AP, view the Status and Statistics > Associations Clients web page directly on that AP To view a particular statistic for client sessions, select an item from the Display drop-down list and click Go You can view information about idle time, data rate, signal strength and so on; all of which are described in detail in the table below A session in this context is the period of time in which a user on a client device (station) with a unique MAC address maintains a connection with the wireless network The session begins when the client logs on to the network, and the session ends when the client either logs off intentionally or loses the connection for some other reason note:

A session is not the same as an association, which describes a client connection to a particular access point A client network connection can shift from one clustered AP to another within the context of the same session A client station can roam between APs and maintain the session To manage sessions associated with the cluster, click the Cluster > Sessions tab Figure 57: Cluster Sessions Details about the session information are described in the following table Field Description Table 68: Cluster Sessions AP Location Indicates the location of the access point This is derived from the location description specified on the System Settings tab User MAC Idle Indicates the MAC address of the wireless client device A MAC address is a hardware address that uniquely identifies each node of a network Indicates the amount of time this station has remained inactive A station is considered to be idle when it is not receiving or transmitting data 103 Linksys Rate Signal Rx total tx total The speed at which this access point is transferring data to the specified client The data transmission rate is measured in megabits per second (Mbps) This value should fall within the range of the advertised rate set for the mode in use on the access point For example, 6 to 54 Mbps for 802 11a Indicates the strength of the radio frequency (RF) signal the client receives from the access point The measure used for this is a value known as Received Signal Strength Indication (RSSI), and will be a value between 0 and 100 RSSI is determined by a mechanism implemented on the network interface card (NIC) of the client station Indicates number of total packets received from the client during the current session Indicates number of total packets transmitted to the client during this session error Rate Indicates the percentage of time frames are dropped during transmission on this access point Section 3: Configuring the Access Point Sorting Session Information To sort the information shown in the tables by a particular indicator, click the column label by which you want to order things For example, if you want to see the table rows ordered by signal strength, click the Signal column label The entries will be sorted by signal strength Channel Management When Channel Management is enabled, the access point automatically assigns radio channels used by clustered access points The automatic channel assignment reduces mutual interference (or interference with other access points outside of its cluster) and maximizes Wi-Fi bandwidth to help maintain the efficiency of communication over the wireless network You must start channel management to get automatic channel assignments;

it is disabled by default on a new AP At a specified interval, the Channel Manager maps APs to channel use and measures interference levels in the cluster If significant channel interference is detected, the Channel Manager automatically re-assigns some or all of the APs to new channels per an efficiency algorithm (or automated channel plan) If the Channel Manager determines that a change is necessary, that information is sent to all members of the cluster and a syslog message is generated indicating the sender AP, new and old channel assignments The Channel Management page shows previous, current, and planned channel assignments for clustered access points By default, automatic channel assignment is disabled You can start channel management to optimize channel usage across the cluster on a scheduled interval To configure and view the channel assignments for the cluster members, click the Configuration > Cluster > Channel Management tab 104 Linksys Section 3: Configuring the Access Point Figure 58: Cluster Channel Management Stopping/Starting Automatic Channel Assignment By default, automatic channel assignment is disabled (off) note:

Channel Management overrides the default cluster behavior, which is to synchronize radio channels of all APs across a cluster When Channel Management is enabled, the radio channel is not synced across the cluster to other APs From this page, you can view channel assignments for all APs in the cluster and stop or start automatic channel management By using the advanced settings on the page, you can modify the interference reduction potential that triggers channel re-assignment, change the schedule for automatic updates, and re-configure the channel set used for assignments Click Start to resume automatic channel assignment When automatic channel assignment is enabled, the Channel Manager periodically maps radio channels used by clustered access points and, if necessary, re-assigns channels on clustered APs to reduce interference

(with cluster members or other APs outside the cluster) Click Stop to stop automatic channel assignment (No channel usage maps or channel re-assignments will be made Only manual updates will affect the channel assignment ) note:

When automatic channel assignment is enabled, the channel policy for the radio is automatically set to static mode, and the Auto option is not available for the Channel field on the Wireless Settings or Radio pages This allows the automatic channel feature to set the channels for the radios in the cluster 105 Linksys Section 3: Configuring the Access Point Viewing Current Channel Assignments and Setting Locks The Current Channel Assignments section shows a list of all access points in the cluster by IP address The display shows the band on which each AP is broadcasting (a/b/g/n), the current channel used by each AP, and an option to lock an AP on its current radio channel so that it cannot be re-assigned to another Table 69: Channel Assignments Field Description IP Address Specifies the IP address for the access point Radio Band Current Locked Identifies the MAC address of the radio Indicates the band on which the access point is broadcasting Indicates the radio channel on which this access point is currently broadcasting Click Locked to force the access point to remain on the current channel When Locked is selected (enabled) for an access point, automated channel management plans will not re-assign the AP to a different channel as a part of the optimization strategy Instead, APs with locked channels will be factored in as requirements for the plan If you click Save, you will see that locked APs show the same channel for the Current Channel and Proposed Channel fields Locked APs will keep their current channels Viewing the Last Proposed Set of Changes The Proposed Channel Assignments shows the last channel plan The plan lists all access points in the cluster by IP address, and shows the current and proposed channels for each AP Locked channels will not be re-assigned and the optimization of channel distribution among APs will take into account the fact that locked APs must remain on their current channels APs that are not locked may be assigned to different channels than they were previously using, depending on the results of the plan Table 70: Last Proposed Changes Field Description IP Address Specifies the IP address for the access point Radio Indicates the radio channel on which this access point is currently broadcasting Proposed Channel Indicates the radio channel to which this access point would be re-assigned if the channel plan is executed Configuring Advanced Settings Advanced settings allow you to customize and schedule the channel plan for the cluster If you use Channel Management as provided (without updating Advanced Settings), channels are automatically fine-tuned once every hour if interference can be reduced by 25 percent or more Channels will be re-

assigned even if the network is busy The appropriate channel sets will be used (b/g for APs using IEEE 802 11b/g and a for APs using IEEE 802 11a) The default settings are designed to satisfy most scenarios where you would need to implement channel management Use Advanced Settings to modify the interference reduction potential that triggers channel re-assignment, change the schedule for automatic updates, and re-configure the channel set used for assignments If there are no fields showing in the Advanced section, click the toggle button to display the settings that modify timing and details of the channel planning algorithm 106 Linksys Section 3: Configuring the Access Point Table 71: Channel Management Advanced Settings Field Description Change channels if interference is reduced by at least Determine if there is better set of channels every Specify the minimum percentage of interference reduction a proposed plan must achieve in order to be applied The default is 75 percent Use the drop-down menu to choose percentages ranging from 5 percent to 75 percent This setting lets you set a gating factor for channel re-assignment so that the network is not continually disrupted for minimal gains in efficiency For example, if channel interference must be reduced by 75 percent and the proposed channel assignments will only reduce interference by 30 percent, then channels will not be re-assigned However, if you re-set the minimal channel interference benefit to 25 percent and click Save, the proposed channel plan will be implemented and channels re-

assigned as needed Use the drop-down menu to specify the schedule for automated updates A range of intervals is provided, from 30 minutes to 6 months The default is 1 Hour (channel usage re-assessed and the resulting channel plan applied every hour) Click Save under Advanced settings to apply these settings Advanced settings will take affect when they are applied and influence how automatic channel management is performed Wireless Neighborhood The Wireless Neighborhood shows up to 20 access points per radio within range of every member of the cluster, shows which access points are within range of which cluster members, and distinguishes between cluster members and nonmembers Note: The Wireless Neighborhood page shows up to 20 access points per radio To see all the access points detected on a given cluster access point, navigate to that cluster members web interface For each neighbor access point, the Configuration > Cluster > Wireless Neighborhood view shows identifying information (SSID or Network Name, IP address, MAC address) along with radio statistics (signal strength, channel, beacon interval) You can click on an AP to get additional statistics about the APs in radio range of the currently selected AP The Wireless Neighborhood view can help you:

Detect and locate unexpected (or rogue) access points in a wireless domain so that you can take action to limit associated risks Verify coverage expectations By assessing which APs are visible at what signal strength from other APs, you can verify that the deployment meets your planning goals Detect faults Unexpected changes in the coverage pattern are evident at a glance in the color coded table To view neighboring access points, click the Configuration > Cluster > Wireless Neighborhood tab 107 Linksys Section 3: Configuring the Access Point Figure 59: Wireless Neighborhood Neighbors Table 72: Wireless Neighborhood Information Field Display neighboring APs Cluster Description Click one of the following radio buttons to change the view:

In cluster Shows only neighbor APs that are members of the cluster Not in cluster Shows only neighbor APs that are not cluster members Both Shows all neighbor APs (cluster members and non-members) The Cluster list at the top of the table shows IP addresses for all access points in the cluster (This is the same list of cluster members shown on the Cluster > Access Points tab ) If there is only one AP in the cluster, only a single IP address column will be displayed here, indicating that the AP is clustered with itself You can click on an IP address to view more details on a particular AP Dark Blue Bar A dark blue bar and a high Access points which are neighbors of one or more of the clustered APs are listed in the left column by SSID

(Network Name) An access point which is detected as a neighbor of a cluster member can also be a cluster member itself Neighbors who are also cluster members are always shown at the top of the list with a heavy bar above and include a location indicator The colored bars to the right of each AP in the Neighbors list shows the signal strength for each of the neighbor APs as detected by the cluster member whose IP address is shown at the top of the column The color of the bar indicates the signal strength:

signal strength number (for example 50) indicates good signal strength detected from the neighbor seen by the AP whose IP address is listed above that column lower signal strength number (for example 20 or lower) indicates medium or weak signal strength from the neighbor seen by the AP whose IP address is listed above that column indicates that a neighboring AP that was detected by one of the cluster members cannot be detected by the AP whose IP address if listed above that column Light Gray Bar A light gray bar and no signal strength number indicates a neighbor that is detected by other cluster members but not by the AP whose IP address is listed above that column signal strength number indicates this is the AP whose IP address is listed above that column (since it is not applicable to show how well the AP can detect itself) White Bar A white bar and the number 0 Lighter Blue Bar A lighter blue bar and a Dark Gray Bar A dark gray bar and no 108 Linksys Section 3: Configuring the Access Point Viewing Details for a Cluster Member To view details on a cluster member AP, click on the IP address of a cluster member at the top of the page The following figure shows the Neighbor Details for Radio 1 of the AP with an IP address of 192 168 20 97 Figure 60: Details for a Cluster Member AP Signal Beacon Interval Indicates the strength of the radio signal emitting from this access point as measured in decibels (Db) Shows the beacon interval being used by this access point Beacon frames are transmitted by an access point at regular intervals to announce the existence of the wireless network The default behavior is to send a beacon frame once every 100 milliseconds (or 10 per second) Beacon Age Shows the date and time of the last beacon received from this access point Field SSID MAC Address Channel Rate Table 73: Cluster Member Details Description The Service Set Identifier (SSID) for the access point The SSID is an alphanumeric string of up to 32 characters that uniquely identifies a wireless local area network It is also referred to as the Network Name A guest network and an internal network running on the same access point must always have two different network names Shows the MAC address of the neighboring access point A MAC address is a hardware address that uniquely identifies each node of a network Shows the channel on which the access point is currently broadcasting The channel defines the portion of the radio spectrum that the radio uses for transmitting and receiving Shows the rate (in megabits per second) at which this access point is currently transmitting The current rate will always be one of the rates shown in Supported Rates 109 Linksys Section 4: Maintenance of the Access Point Section 4: Maintenance of the Access Point This section describes how to maintain the access point and see system detailed information Maintenance Diagnostics Maintenance From the access point Administrator UI, you can perform the following maintenance tasks:

Switching Firmware Image Firmware Upgrade Firmware Configuration Backup/Restore Reset/Reboot Restoring Configuration Backup Configuration To Reboot the Access Point To Restore the Factory Default Configuration Firmware Use this page to select the firmware image that the AP loads when it boots and to upload a new firmware image to the device Figure 61: Firmware Maintenance Table 74: Firmware Information and Management Field Active Image Description Identifies the firmware images on the system:

Active Image Firmware VersionThe version number of the image that is loaded during system boot Image Firmware VersionThe version Inactive number of the inactive (backup) image on the system Upload Method The method to use to upload a new firmware image to the HTTPUse a Web browser AP:

Click Browse to find and select the new firmware image located on an administrative system TFTPUse a TFTP server new Firmware Image

(HttP Upload) Image Filename

(tFtP Upload) The path and filename of the firmware image to upload to the AP Server IP (tFtP Upload) The IP address of the TFTP server where the new firmware image is located 110 110 Linksys Section 4: Maintenance of the Access Point Use the buttons to perform the following tasks:

Switch: Use the secondary image as the primary image The change takes effect the next time the AP boots For more information, see Switching Firmware Image Upgrade: Upload the specified firmware image to the AP For more information about the firmware upgrade procedures, see Firmware Upgrade Click Maintenance > Firmware to display the Manage Firmware page From the Manage Firmware page, you can:

View the current firmware version for the primary and secondary image Switch the firmware image running on the AP. Upload a new firmware version. Switching Firmware Image The AP always tries to boot with the primary image If the primary image fails to load, then the secondary image is used to boot the AP Whenever such a failover occurs, the system creates a log message to help you troubleshoot the firmware failure Use the following steps to switch the firmware image running on the AP:

1 Click Switch A dialog box displays confirming the firmware image switch and subsequent reboot 2 Click oK to proceed The process may take several minutes during which time the access point will be unavailable Do not power down the access point while the image switch is in process When the image switch is complete, the access point restarts The AP resumes normal operation with the same configuration settings it had before the upgrade Firmware Upgrade As new versions of the access point firmware become available, you can upgrade the firmware on your devices to take advantage of new features and enhancements The AP uses a TFTP client for firmware upgrades You can also use HTTP to perform firmware upgrades After you upload new firmware and the system reboots, the newly added firmware becomes the primary image If the upgrade fails, the original firmware remains as the primary image note:

When you upgrade the firmware, the access point retains the existing configuration information Use the following steps to upgrade the firmware on an access point by using TFTP:

1 Select TFTP for Upload Method 2 Enter a name (1 to 256 characters) for the image file in the Image Filename field, including the path to the directory that contains the image to upload For example, to upload the ap_upgrade tar image located in the /share/

builds/ap directory, enter /share/builds/ap/ap_upgrade tar in the New Firmware Image field The firmware upgrade file supplied must be a tar file Do not attempt to use bin files or files of other formats for the upgrade;

these types of files will not work 3 Enter the IP address of the TFTP server 4 Click Upgrade Upon clicking Upgrade for the firmware upgrade, a popup confirmation window is displayed that describes the upgrade process 111 Linksys Section 4: Maintenance of the Access Point 5 Click OK to confirm the upgrade and start the process note:

The firmware upgrade process begins once you click Upgrade and then OK in the popup confirmation window The upgrade process may take several minutes during which time the access point will be unavailable Do not power down the access point while the upgrade is in process When the upgrade is complete, the access point restarts The AP resumes normal operation with the same configuration settings it had before the upgrade 6 To verify that the firmware upgrade completed successfully, check the firmware version shown on the Firmware page (or the System Summary tab) If the upgrade was successful, the updated version name or number is indicated Use the following steps to upgrade the firmware on an access point by using HTTP:

1 Select HTTP for Upload Method 2 If you know the path to the new firmware image file, enter it in the New Firmware Image field Otherwise, click the Browse button and locate the firmware image file The firmware upgrade file supplied must be a tar file Do not attempt to use bin files or files of other formats for the upgrade; these types of files will not work 3 Click Upgrade to apply the new firmware image Upon clicking Upgrade for the firmware upgrade, a popup confirmation window is displayed that describes the upgrade process 4 Click OK to confirm the upgrade and start the process note:

The firmware upgrade process begins once you click Upgrade and then OK in the popup confirmation window The upgrade process may take several minutes during which time the access point will be unavailable Do not power down the access point while the upgrade is in process When the upgrade is complete, the access point restarts The AP resumes normal operation with the same configuration settings it had before the upgrade 1 To verify that the firmware upgrade completed successfully, check the firmware version shown on the Firmware page (or the Status Status > Status and Statistics > System Summary tab) If the upgrade was successful, the updated version name or number is indicated Configuration Backup/Restore The access point configuration file is in XML format and contains all of the information about the AP settings You can download the configuration file to a management station to manually edit the content or to save as a back-up copy (for example, config xml) The backup file can be used at a later date to restore the access point to the previously save configuration When you upload a configuration file to the AP, the configuration information in the XML file is applied to the AP note:

When you click Restore, the access point will reboot Please wait for the reboot process to complete (a minute or two) The AP Administration Web pages will not be accessible until the AP has rebooted Upon reboot, you should see the configuration settings restored to those contained in the specified backup file When you upload a configuration file to the AP, the configuration information in the XML file is applied to the AP Click the Maintenance > Configuration Backup/Restore tab to access the configuration management page, which the following figure shows 112 Linksys Section 4: Maintenance of the Access Point Figure 62: Configuration Backup/Restore note:

File name should not contain spaces, < , > , | , \ , / , : , (, ), & , ; , # , ?, *, $, %, ,

, and successive 3 Enter the IP address of the TFTP server 4 Click Backup to save the file Use the following steps to save a copy of the current settings on an AP to a backup configuration file by using HTTP:

1 Select HTTP for Download Method 2 Click the Backup button A dialog box will pop up to verify the download 3 To proceed with the download, select OK Backup Configuration You can use HTTP or TFTP to transfer files to and from the access point After you download a configuration file to the management station, you can manually edit the file, which is in XML format Then, you can upload the edited configuration file to apply those configuration settings to the AP Use the following steps to save a copy of the current settings on an AP to a backup configuration file by using TFTP:

1 Select TFTP for Download Method 2 Enter a name (1 to 256 characters) for the backup file in the Filename field, including the xml file name extension and the path to the directory where you want to save the file A dialog box will open asking you to view or save the file 4 Select the Save File option and select OK 5 Use the file browser to navigate to the directory where you want to save the file, and click OK to save the file You can keep the default file name (config xml) or rename the backup file, but be sure to save the file with an xml extension 113 Linksys Section 4: Maintenance of the Access Point Restoring Configuration You can use HTTP or TFTP to transfer files to and from the access point After you download a configuration file to the management station, you can manually edit the file, which is in XML format Then, you can upload the edited configuration file to apply those configuration settings to the AP Use the following procedures to restore the configuration on an AP to previously saved settings by using TFTP:

1 Select TFTP for Upload Method 2 Enter a name (1 to 256 characters) for the backup file in the Filename field, including the xml file name extension and the path to the directory that contains the configuration file to upload note:

File name should not contain spaces, < , > , | , \ , / , : , (, ), & , ; , # , ?, *, $, %, ,

, and successive 3 Enter the IP address of the TFTP server in the Server IP field 2 User the Browse button to select the file to restore 3 Click the Restore button A File Upload or Choose File dialog box will pop up 4 Navigate to the directory that contains the file, select the file to upload and click Open

(Only those files created with the Backup function and saved as xml backup configuration files are valid to use with Restore; for example, ap_ config xml ) 5 Click the Restore button A dialog box will open asking you to verify the restore 6 Click OK to proceed The AP will reboot A reboot confirmation dialog and follow-on rebooting status message will pop up Please wait for the reboot process to complete, which might take several minutes The Administration Web UI is not accessible until the AP has rebooted 4 Click the Restore button The AP will reboot A reboot confirmation dialog and follow-on rebooting status message will pop up Please wait for the reboot process to complete, which might take several minutes The Administration Web UI is not accessible until the AP has rebooted Use the following steps to save a copy of the current settings on an AP to a backup configuration file by using HTTP:

1 Select HTTP for Upload Method to Restore the Factory Default Configuration Reset/Reboot If you are experiencing problems with the access point and have tried all other troubleshooting measures, click Reset This restores factory defaults and clears all settings, including settings such as a new password or wireless settings For maintenance purposes or as a troubleshooting measure, you can reboot the access point To reboot the access point, click the Reboot button on the Reset/Reboot page to Reboot the Access Point Diagnostics This section include following subsections:

Packet Capture Diagnostic Log 114 Linksys Section 4: Maintenance of the Access Point Capture file mode Packet Capture 1 Wireless packet capture operates in two modes:

For capture file mode, captured packets are stored in a file on the access point The AP can transfer the file to a TFTP server The file is formatted in pcap format and can be examined using tools such as Wireshark and OmniPeek Remote capture mode For remote capture mode, the captured packets are redirected in real time to an external PC running the Wireshark tool The AP can capture the following types of packets:

802 11 packets received and transmitted on radio interfaces Packets captured on radio interfaces include the 802 11 header 802 3 packets received and transmitted on the Ethernet interface 802 3 packets received and transmitted on the internal logical interfaces such as VAPs and WDS interfaces View the current packet capture status Click Maintenance > Diagnostics > Packet Capture to display the Packet Capture Configuration and Settings page From this page you can:

Configure packet capture parameters Configure a remote capture port Download a packet capture file Configure packet file capture Figure 63: Packet Capture Configuration 115 Linksys Section 4: Maintenance of the Access Point Packet Capture Status Packet Capture Status allows you to view the status of packet capture on the AP Table 75 describes the fields to configure the packet capture status Table 75: Packet Capture Status Field Description Current Capture Status Packet Capture time Packet Capture File Size Shows whether packet capture is running or stopped Shows elapsed capture time Shows the current capture file size Packet Capture Configuration Packet Capture Configuration allows you to configure parameters that affect how packet capture functions on the radio interfaces Table 76 describes the fields to configure the packet capture status Table 76: Packet Capture Configuration Field Description Capture Beacons Promiscuous Capture Enable to capture the 802 11 beacons detected or transmitted by the radio Enable to place the radio in promiscuous mode when the capture is active In promiscuous mode the radio receives all traffic on the channel, including traffic that is not destined to this AP While the radio is operating in promiscuous mode, it continues serving associated clients Packets not destined to the AP are not forwarded As soon as the capture is completed, the radio reverts to non-promiscuous mode operation Client Filter enable Enable to use the WLAN client filter to capture only frames that are transmitted to, or received from a WLAN client with a specified MAC address Client Filter MAC Address Specify a MAC address for WLAN client filtering Note: The MAC filter is active only when capture is performed on an 802 11 interface note:

Changes to packet capture configuration parameters take affect after packet capture is restarted Modifying the parameters while the packet capture is running doesnt affect the current packet capture session In order to begin using new parameter values, an existing packet capture session must be stopped and re-started Packet File Capture In Packet File Capture mode the AP stores captured packets in the RAM file system The capture file reaches its maximum size The capture time reaches configured duration Upon activation, the packet capture proceeds until one of the following occurs:

During the capture, you can monitor the capture status, elapsed capture time, and the current capture file size This information can be updated, while the capture is in progress, by clicking Refresh The administrator stops the capture Table 77 describes the fields to configure the packet capture status 116 Linksys Section 4: Maintenance of the Access Point Table 77: Packet File Capture Field Description Capture Interface Capture Duration Max Capture File Size brtrunk - Linux bridge interface in the AP Select an AP Capture Interface name from the drop-down menu AP capture interface names are eligible for packet capture are the following:

wlan0wds0 ~ wlan0wds3 Traffic on the specified WDS interface eth0 - 802 3 traffic on the Ethernet port wlan0 - VAP0 traffic on radio 1 wlan0vap1 ~ wlan0vap7 Traffic on the specified VAP on Radio 1 wlan1 - VAP0 traffic on radio 2 wlan1vap1 ~ wlan1vap7 Traffic on the specified VAP on Radio 2 radio2 - 802 11 traffic on radio 2 radio1 - 802 11 traffic on radio 1 Specify the time duration in seconds for the capture (range 10 to 3600) Specify the maximum allowed size for the capture file in KB (range 64 to 4096) Remote Packet Capture Remote Packet Capture allows you to specify a remote port as the destination for packet captures This feature works in conjunction with the Wireshark network analyzer tool for Windows A packet capture server runs on the AP and sends the captured packets via a TCP connection to the Wireshark tool A Windows PC running the Wireshark tool allows you to display, log, and analyze captured traffic When the remote capture mode is in use, the AP doesnt store any captured data locally in its file system You can trace up to five interfaces on the AP at the same time However, you must start a separate Wireshark session for each interface You can configure the IP port number used for connecting Wireshark to the AP The default port number is 2002 The system uses 5 consecutive port numbers starting with the configured port for the packet capture sessions If a firewall is installed between the Wireshark PC and the AP, these ports must be allowed to pass through the firewall The firewall must also be configured to allow the Wireshark PC to initiate TCP connection to the AP In order to configure Wireshark to use the AP as the source for captured packets, you must specify the remote interface in the Capture Options menu For example, to capture packets on an AP with IP address 192 168 1 252 on radio 1 using the default IP port, specify the following interface:

rpcap://192 168 1 252/radio1 To capture packets on the Ethernet interface of the AP and VAP0 on radio 1 using IP port 58000, start two Wireshark sessions and specify the following interfaces:

rpcap://192 168 1 252:58000/eth0 rpcap://192 168 1 252:58000/wlan0 Data frames in the trace When you are capturing traffic on the radio interface, you can disable beacon capture, but other 802 11 control frames are still sent to Wireshark You can set up a display filter to show only the following:

Some examples of useful display filters are:

Exclude beacons and ACK/RTS/CTS frames:

Traffic between two clients Traffic on specific BSSIDs

!(wlan fc type_subtype == 8 || wlan fc type == 1) Data frames only:

wlan fc type == 2 Traffic on a specific BSSID:

wlan bssid == 00:02:bc:00:17:d0 All traffic to and from a specific client:

wlan addr == 00:00:e8:4e:5f:8e 117 Linksys Section 4: Maintenance of the Access Point In remote capture mode, traffic is sent to the PC running Wireshark via one of the network interfaces Depending on where the Wireshark tool is located the traffic can be sent on an Ethernet interface or one of the radios In order to avoid a traffic flood caused by tracing the trace packets, the AP automatically installs a capture filter to filter out all packets destined to the Wireshark application For example if the Wireshark IP port is configured to be 58000 then the following capture filter is automatically installed on the AP:

not portrange 58000-58004 Enabling the packet capture feature impacts performance of the AP and can create a security issue (unauthorized clients may be able to connect to the AP and trace user data) The AP performance is negatively impacted even if there is no active Wireshark session with the AP The performance is negatively impacted to a greater extent when packet capture is in progress Due to performance and security issues, the packet capture mode is not saved in NVRAM on the AP; if the AP resets, the capture mode is disabled and then you must re-enable it in order to resume capturing traffic Packet capture parameters (other than mode) are saved in NVRAM In order to minimize performance impact on the AP while traffic capture is in progress, you should install capture filters to limit which traffic is sent to the Wireshark tool When capturing 802 11 traffic, a large portion of the captured frames tends to be beacons (typically sent every 100ms by all Access Points) Although Wireshark supports a display filter for beacon frames, it does not support a capture filter to prevent the AP from forwarding captured beacon packets to the Wireshark tool In order to reduce performance impact of capturing the 802 11 beacons, you can disable the capture beacons mode The remote packet capture facility is a standard feature of the Wireshark tool for Windows note:

Remote packet capture is not standard on the Linux version of Wireshark;

the Linux version doesnt work with the AP Wireshark is an open source tool and is available for free; it can be downloaded from http://www wireshark org Table 78 describes the fields to configure the packet capture status Table 78: Remote Packet Capture Field Description Remote Capture Port Specify the remote port to use as the destination for packet captures Default port is 2002 (Range 1025 to 65530) Packet Capture File Download Packet Capture File Download allows you to download the capture file by TFTP to a configured TFTP server or by HTTP(S) to a PC TFTP file name should not contain spaces, <, >, |, \, /, : , (, ), &, ; , #, ? , *, $, % and successive The captured packets are stored in file /tmp/apcapture pcap on the AP A capture is automatically stopped when the capture file download command is triggered Because the capture file is located in the RAM file system, it disappears if the AP is reset Diagnostic Log The Diagnostic Log page provides a way to gather the diagnostic/

troubleshooting information about the AP beyond what is available through the Web UI Table 79 describes the field of diagnostic log Table 79: Diagnostic Log Field Download Description To download the diagnostic information for support, click Download button 118 Visit linksys .com/support for award-winning technical support 2014 Belkin International, Inc. and/or its affiliates. All rights reserved. BELKIN, LINKSYS and many product names and logos are trademarks of the Belkin group of companies. Third-party trademarks mentioned are the property of their respective owners. LNKPG-00129 Rev. A00

Regulatory Information Dual-Band Products Table of Contents Wireless Regulatory Information FCC Statement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1 Mexico Regulatory Statement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 EAC Mark of Conformity for Russia, Kazakhstan and Belarus . . . . . . . . . . 1 FCC Radiation Exposure Statement . . . . . . . . . . . . . . . . . . . . . . . . . 1 Safety Notices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 Industry Canada Statement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 Restrictions in the 5 GHz Band . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 Avis dIndustrie Canada . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 Restrictions dans la bande 5 GHz . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 Wireless Disclaimer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 Avis de non-responsabilit concernant les appareils sans fil . . . . . . . . . . . 8 Declaration of Conformity with Regard to EU Directive 1999/5/EC

(R&TTE Directive) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 Wireless Equipment

(Wireless-AC/N/G/A/B Products) . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 National Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 Product Usage Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 Technical Documents on www .linksys .com . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 WEEE Information User Information for Consumer Products Covered by EU Directive 2002/96/EC on Waste Electric and Electronic Equipment (WEEE) . . . . . . 12 i Table of Contents Wireless Regulatory Information Wireless Regulatory Information interference FCC Statement This device complies with Part 15 of the FCC Rules . Operation is subject to the following two conditions: (1) This device may not cause harmful interference, and

(2) this device must accept any interference received, including that may cause undesired operation . This product has been tested and complies with the specifications for a Class B digital device, pursuant to Part 15 of the FCC Rules . These limits are designed to provide reasonable protection against harmful interference in a residential installation . This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used according to the instructions, may cause harmful interference to radio communications . However, there is no guarantee that interference will not occur in a particular installation . If this equipment does cause harmful interference to radio or television reception, which is found by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:

Reorient or relocate the receiving antenna Increase the separation between the equipment or devices Connect the equipment to an outlet other than the receivers Consult a dealer or an experienced radio/TV technician for assistance FCC Caution: Any changes or modifications not expressly approved by the party responsible for compliance could void the users authority to operate this equipment . IEEE 802 .11b or 802 .11g operation of this product in the USA is firmware-limited to channels 1 through 11 . The device for the band 5150-5250 MHz is only for indoor usage to reduce the potential for harmful interference to co-channel mobile satellite systems . Mexico Regulatory Statement La operacin de este equipo est sujeta a las siguientes dos condiciones: (1) es posible que este equipo o dispositivo no cause interferencia perjudicial y (2) este equipo o dispositivo debe aceptar cualquier interferencia, incluyendo la que pueda causar su operacin no deseada . EAC Mark of Conformity for Russia, Kazakhstan and Belarus FCC Radiation Exposure Statement This equipment complies with FCC radiation exposure limits set forth for an uncontrolled environment . This equipment should be installed and operated with minimum distance 20 cm between the radiator and your body . This device and its antennas(s) must not be co-located or operating in conjunction with any other antenna or transmitter except in accordance with FCC multi-

transmitter product procedures . Safety Notices English WARNING: Do not use this product near water, for example, in a wet basement or near a swimming pool . WARNING: Avoid using this product during an electrical storm . There may be a remote risk of electric shock from lightning . WARNING: This product may contain chemicals, known to the State of California to cause cancer, and birth defects or other reproductive harm . Wash hands after handling . WARNING: To reduce the risk of fire, use only No .26 AWG or larger telecommunication line cord . WARNING: This equipment will be inoperable when main power fails . WARNING: The power adaptor the equipments disconnection device . The power outlet must be located nearby the equipment and its access must be easy . is 1 Wireless Regulatory Information

]Arabic[

Hrvatski ]Croatian[

:

.

:

.

:

26

. AWG

:

. :

.

]Bulgarian[

:

, .

:

.

:

, No .26 AWG

- .

:

.

:

. UPOZORENJE: Ne koristite proizvod u blizini vode, primjerice u mokrom podrumu ili blizu bazena . UPOZORENJE:

koristiti proizvod tijekom grmljavinskog vremena . Postoji rizik od strujnog udara zbog grmljavine . Izbjegavajte UPOZORENJE: Da biste umanjili opasnost od poara, koristite samo AWG icu br . 26 ili dulje telekomunikacijske kabele . UPOZORENJE: Ova oprema nee raditi kada nestane struje . UPOZORENJE: Prilagodnik za napajanje je ureaj za iskljuivanje opreme . Strujna utinica mora biti smjetena blizu opreme i mora biti lako dostupna . esky ]Czech[

UPOZORNN: Nepouvejte tento produkt v blzkosti vody, napklad ve vlhkch sklepnch podlach nebo v blzkosti bazn . Nepouvejte UPOZORNN:

produkt pi boukch . Existuje mal riziko razu elektrickm proudem, kter me zpsobit blesk . UPOZORNN: Chcete-li snit riziko poru, pouvejte pouze telekomunikan spojovac ru, kter m tlouku vodi 0,405 mm nebo vt . UPOZORNN: Pokud zazen nebude fungovat . sele napjen, UPOZORNN: Napjec je vypnacm zazenm produktu . Elektrick zsuvka se mus nachzet v blzkosti zazen a mus bt snadno dostupn . adaptr 2 Wireless Regulatory Information Dansk ]Danish[

[Greek]

ADVARSEL: Brug i nrheden af vand, f .eks . i en vd klder eller i nrheden af en swimmingpool . ikke dette produkt ADVARSEL: Undlad at bruge produktet i tordenvejr . Der kan vre en lille risiko for elektrisk std som flge af lynnedslag . ADVARSEL: For at mindske risikoen for brand, brug kun No .26 AWG eller strre telekabel . ADVARSEL: Dette udstyr kan ikke bruges uden strm . ADVARSEL: Strmforsyningen er udstyrets afkoblingsenhed . Strmudtaget skal placeres tt ved udstyret og vre let tilgngelig . Deutsch ]German[

WARNUNG: Verwenden Sie dieses Gert nicht in der Nhe von Wasser, wie z . B . in einem feuchten Keller oder in der Nhe eines Schwimmbeckens . WARNUNG: Vermeiden Sie die Verwendung dieses Produkts whrend eines Gewitters . Es besteht eine geringe Gefahr eines Stromschlags durch Blitzschlag . WARNUNG: Verwenden Sie zur Reduzierung der Brandgefahr ein Telefonkabel der AWG-

Klasse Nr .26 oder grer . WARNUNG: Dieses Equipment Stromausfall funktionsunfhig . ist bei WARNUNG: Die Verbindung des Gerts kann ber das Netzteil getrennt werden . Die Steckdose muss sich in der Nhe des Gerts befinden und leicht zugnglich sein .

:

, ..

:

.

:

,

. 26 ,

(AWG).

:

.

:

. Espaol ]Spanish[

ADVERTENCIA: No use este producto cerca del agua, por ejemplo en un sotano hmedo o cerca de una piscina . ADVERTENCIA: Evite usar este producto durante una tormenta elctrica . Puede existir el riesgo remoto de que se produzca una descarga elctrica producida por un rayo . ADVERTENCIA: Para reducir el riesgo de incendio, utilice nicamente un cable de lnea de telecomunicaciones AWG n 26 o ms grueso . ADVERTENCIA: Este equipo no ser operativo si la fuente de alimentacin deja de funcionar . El adaptador ADVERTENCIA:

de alimentacin es el dispositivo de desconexin del equipo . La base de toma de corriente debe estar cerca del equipo y ser fcilmente accessible . 3 Wireless Regulatory Information Suomi ]Finnish[

Magyar ]Hungarian[

VAROITUS: l kyt tuotetta veden lhell, esimerkiksi kosteassa kellarissa tai uima-

altaan lheisyydess . VAROITUS: Vlt ukkosmyrskyn aiheuttaa shkiskun . tuotteen kyttmist saattaa aikana . Salama VAROITUS: Tulipalovaaran pienentmiseksi kyt tietoliikennekaapelia, jonka lpimitta on vhintn 26 AWG . VAROITUS: Laite ei toimi, jos verkkovirran sytt katkeaa . VAROITUS: Verkkolaite on tmn laitteen virrankatkaisulaite . Pistorasian on oltava lhell laitetta ja helposti kytettviss . Franais ]French[

AVERTISSEMENT : Nutilisez pas ce produit proximit dune source deau, sur un sol humide ou prs dune piscine, par exemple . AVERTISSEMENT

: Evitez dutiliser ce produit pendant un orage . La foudre pourrait provoquer un choc lectrique . AVERTISSEMENT : Afin de rduire les risques dincendies, utilisez uniquement des cbles tlphoniques No . 26 AWG (ou de diamtre suprieur) . AVERTISSEMENT : Cet quipement est inutilisable en cas dinterruption de courant . AVERTISSEMENT : Ladaptateur de courant secteur est le dispositif de sectionnement de lquipement . La prise de courant secteur doit tre situe proximit de lquipement et facile daccs . FIGYELMEZTETS: Ne a termket vz kzelben, pldul nedves pincben vagy szmedence mellett . hasznlja FIGYELMEZTETS: Kerlje az eszkz hasznlatt elektromos vihar esetn . A villmls ramtst okozhat . FIGYELMEZTETS: A tz kockzatnak cskkentse No .26 AWG kategrij telekommunikcis kbelt hasznljon . rdekben jelzs, vagy csak jobb FIGYELMEZTETS: A berendezs nem fog mkdni, ha az ramellts megsznik . berendezs FIGYELMEZTETS: A hlzati adapter a eszkze . A tpfeszltsg-aljzatnak berendezs kzelben s knnyen elrhet helyen kell lennie . lekapcsol a Italiano ]Italian[

AVVERTENZA: Non utilizzare il prodotto in prossimit dacqua, ad esempio in un seminterrato umido o nei pressi di una piscina . AVVERTENZA: Non usare il prodotto durante un temporale . Potrebbe esserci un rischio remoto di scosse elettriche causate dai fulmini . AVVERTENZA: Per ridurre il rischio di incendio, utilizzare esclusivamente un cavo per linea di telecomunicazioni di sezione 26 AWG o maggiore . AVVERTENZA: Questo apparecchio non utilizzabile in caso di mancanza di corrente elettrica . Ladattatore AVVERTENZA:

di corrente il dispositivo di spegnimento dellapparecchiatura . La presa di corrente deve trovarsi vicino allapparecchiatura, in un punto di facile accesso . 4 Wireless Regulatory Information Nerderlands ]Dutch[

Polski ]Polish[

WAARSCHUWING: Gebruik dit product niet in de buurt van water, bijvoorbeeld in een vochtige kelder of bij een zwembad . WAARSCHUWING: Gebruik het product bij voorkeur niet als het onweert . Er is mogelijk een zeer klein risico op een elektrische schok als gevolg van blikseminslag . WAARSCHUWING: Om het risico op brand te verkleinen, mag uitsluitend een telecommunicatiekabel van 26 AWG of een dikkere kabel worden gebruikt . WAARSCHUWING: Dit apparaat zal niet werken zonder stroomvoorziening . WAARSCHUWING: Via de voedingsadapter kan de verbinding van het apparaat verbroken worden . Het stopcontact moet zich in de buurt van het apparaat bevinden en makkelijk toegankelijk zijn . Norsk ]Norwegian[

ADVARSEL: Ikke bruk dette produktet i nrheten av vann, for eksempel i en vt kjeller eller nr et svmmebasseng . ADVARSEL: Unng bruke dette produktet under tordenvr . Lynnedslag kan innebre en risiko for elektrisk stt . ADVARSEL: For redusere for brann, skal kun nr . 26 AWG eller strre telekommunikasjonsledning brukes . faren ADVARSEL: Dette utstyret kan ikke brukes ved et strmbrudd . ADVARSEL: Strmadapteren er utstyrets frakoblingsmetode . Strmuttaket m vre plassert i nrheten av utstyret og tilgangen til dette m vre enkel . UWAGA: Nie uywa tego produktu w pobliu wody, np . w wilgotnej piwnicy lub niedaleko basenu . UWAGA: Nie korzysta z tego produktu podczas burzy . Istnieje pewne niewielkie ryzyko poraenia prdem w wyniku wyadowania elektrycznego . UWAGA:

poaru, telekomunikacyjny nr 26 AWG lub wikszy . zmniejszy stosowa wycznie ryzyko przewd Aby UWAGA: W przypadku usterki zasilania ten sprzt nie bdzie dziaa . UWAGA: Elementem odczajcym tego urzdzenia jest zasilacz . Gniazdo zasilania musi znajdowa si w pobliu urzdzenia i by atwo dostpne . Portugus ]Portuguese[

AVISO: No utilize este produto prximo de gua, por exemplo, numa cave hmida ou perto de uma piscina . AVISO: Evite utilizar este produto durante uma trovoada . Existe a possibilidade, embora remota, de apanhar um choque eltrico provocado por trovoada . AVISO: Para reduzir o risco de incndio, utilize apenas cabo de linha de telecomunicao n 26 AWG ou superior . AVISO: Este equipamento ser inopervel em caso de falha de alimentao eltrica . AVISO: O transformador o aparelho de desligar do equipamento . A tomada de corrente eltrica tem de ficar junto ao equipamento e ser de fcil acesso . 5 Wireless Regulatory Information Romn ]Romanian[

Srpski ]Serbian[

AVERTISMENT: Nu utilizai acest produs n apropierea apei, de exemplu ntr-un subsol umed sau lng o piscin . AVERTISMENT: Evitai utilizarea acestui produs n timpul unei furtuni cu descrcri electrice . Poate exista un pericol minor de electrocutare cauzat de fulgere . AVERTISMENT: Pentru a reduce riscul de incendii, utilizai numai cabluri de telecomunicaii AWG Nr . 26 sau mai groase . AVERTISMENT:

acestui echipament va fi ntrerupt n cazul unei pene de curent . Funcionarea AVERTISMENT: Adaptorul de putere este dispozitivul pentru deconectare al echipamentului . Priza trebuie s fie aproape de echipament iar accesul la aceasta trebuie s fie facil . UPOZORENJE: Nemojte da koristite ovaj proizvod u blizini vode, na primer, u vlanom podrumu ili u blizini bazena . UPOZORENJE: Izbegavajte upotrebu ovog proizvoda tokom grmljavine . Postoji mali rizik od elektrinog udara groma . UPOZORENJE: U cilju smanjenja rizika od poara, koristite iskljuivo kabl za telekomunikacionu liniju br . 26 AWG ili vei . UPOZORENJE: Ovaj biti neupotrebljiv kada doe do kvara glavnog napajanja . ureaj e UPOZORENJE: Strujni adapter je ureaj za prekidanje dovoda struje do opreme . Strujna utinica mora da se nalazi u blizini opreme i pristup njoj mora biti jednostavan .

]Russian[

Slovenina ]Slovak[

:

, ,

.

:

.

:

, 26

.

:

,

.

:

. UPOZORNENIE:

toto zariadenie v blzkosti vody, napr . vo vlhkom suterne alebo v blzkosti bazna . Nepouvajte UPOZORNENIE:

toto zariadenie poas brky . Hroz urit riziko razu elektrickm prdom zaprinen bleskom . Nepouvajte UPOZORNENIE:

znenia nebezpeenstva pouvajte telekomunikan kbel AWG .26 alebo hrub . Z poiaru dvodu UPOZORNENIE: Toto zariadenie nebude mon pouva pri vpadku elektriny . UPOZORNENIE: Napjac adaptr sa pouva aj na vypnutie zariadenia . Elektrick zsuvka sa mus nachdza v blzkosti zariadenia a mus by dobre prstupn . 6 Wireless Regulatory Information Slovenina ]Slovenian[

Trke ]Turkish[

OPOZORILO:

uporabljajte blizu vode, na primer v vlani kleti ali blizu bazena . Izdelka ne OPOZORILO: Izogibajte se uporabi izdelka med nevihtami . Obstaja lahko majhno tveganje elektrinega udara zaradi strele . OPOZORILO: Za zmanjanje tveganja poara uporabljajte samo telekomunikacijske linijske kable t . 26 AWG ali veje . OPOZORILO: V primeru napajanja oprema ne bo delovala . izpada glavnega OPOZORILO: Elektrini polnilnik je odklopna naprava opreme . Elektrina vtinica mora biti blizu opreme in enostavno dostopna . UYARI: Bu rn, nemli bodrum veya yzme yakn yerlerde kullanmayn . kenar gibi havuzu su UYARI: Gk grltl ve saanak yal havalarda bu rn kullanmaktan kann . Uzak bir olaslk olsa da yldrm nedeniyle elektrik arpabilir . UYARI: Yangn riskini azaltmak iin, sadece No .26 AWG veya daha byk telekomnikasyon hatt kablosu kullannz . UYARI: Ana g arzalandnda ekipman altrlamaz duruma gelir . UYARI: G Adaptr, cihazn balantsn Elektrik kesmek prizi, cihazn eriilebilir bir konumda olmaldr . kullanlr . kolay iin yaknnda, Svenska ]Swedish[

VARNING! : Anvnd inte produkten i nrheten av vatten, t .ex . i en fuktig kllare eller nra en simbassng . VARNING! : Undvik att anvnda produkten under skvder . Det finns en liten risk fr elsttar vid blixtnedslag . VARNING! : Minska brandrisken genom att endast anvnda telekabel 26AWG eller grvre . VARNING! : Denna utrustning r obrukbar vid strmavbrott . VARNING! : Strmadaptern r strmbrytare fr utrustningen . Eluttaget mste finnas i nrheten av utrustningen och vara ltt att komma t . Industry Canada Statement CAN ICES-3 (B)/NMB-3 (B) Operation is subject to the following two conditions:

1 . This device may not cause interference and 2 . This device must accept any interference, including interference that may cause undesired operation of the device . For product available in the USA/Canada market, only channel 1~11 can be operated . Selection of other channels is not possible . The device could automatically discontinue transmission in case of absence of information to transmit, or operational failure . Note that this is not intended to prohibit transmission of control or signaling information or the use of repetitive codes where required by the technology . Industry Canada Radiation Exposure Statement This equipment complies with IC radiation exposure limits set forth for an uncontrolled environment . This equipment should be installed and operated with minimum distance 20 cm between the radiator & your body . 7 Wireless Regulatory Information This device and its antennas(s) must not be co-located or operating in conjunction with any other antenna or transmitter except in accordance with IC multitransmitter product procedures . Restrictions in the 5 GHz Band The device for the band 5150-5250 MHz is only for indoor usage to reduce potential for harmful interference to co-channel mobile satellite systems . Because high power radars are allocated as primary users

(meaning they have priority) in 5250-5350 MHz and 5650-5850 MHz, these radars could cause interference and/or damage to licensed exempt LAN devices Additional requirements for the band 5600-5650 MHz:

Until further notice, devices subject to this Section shall not be capable of transmitting in the band 5600-

5650 MHz, so that Environment Canada weather radars operating in this band are protected . Avis dIndustrie Canada CAN ICES-3 (B)/NMB-3 (B) . Lutilisation de ce dispositif est autorise seulement aux conditions suivantes :

1 . il ne doit pas produire de brouillage et 2 . il doit accepter tout brouillage radiolectrique reu, mme si ce brouillage est susceptible de compromettre le fonctionnement du dispositif . Pour les produits disponibles sur le march aux tats-

Unis et au Canada, seuls les canaux de 1 11 peuvent tre utiliss . La slection dautres canaux nest pas possible . Le dispositif peut automatiquement cesser dmettre en cas dabsence dinformations transmettre, ou cause dune dfaillance technique . Notez que lobjet nest pas dinterdire la transmission des informations lutilisation de de contrle ou de signalisation ou codes rptitifs lorsque requis par la technologie . Avis dIndustrie Canada concernant lexposition aux radiofrquences Ce matriel est conforme aux limites tablies par IC en matire dexposition aux radiofrquences dans un environnement non contrl . Ce matriel doit tre install et utilis une distance dau moins 20 cm entre lantenne et le corps de lutilisateur . Cet appareil et son (ses) antenne (s) ne doivent pas tre situs proximit ou fonctionner en association avec une autre antenne ou un autre metteur autre quen respectant les procdures d Industrie Canada relatives au fonctionnement des dispositifs multi-metteurs . Restrictions dans la bande 5 GHz Lappareil pour la bande de 5150 5250 MHz est conu pour usage lintrieur seulement afin de rduire le potentiel dinterfrences pour les systmes mobiles par satellite qui utilisent le mme canal . Du fait que les radars haute puissance ont la priorit dans les bandes 5250-5350 MHz et 5650-5850 MHz, ils pourraient causer des interfrences ou endommager les priphriques rseau sans fil Autres restrictions pour la bande 5600-5650 MHz: sauf avis contraire, les priphriques concerns par cette section ne doivent pas tre capables de transmettre dans la bande 5600-5650 MHz afin de protger les radars dEnvironnement Canada qui lutilisent . Wireless Disclaimer The maximum performance for wireless is derived from IEEE Standard 802 .11 specifications . Actual performance can vary, including lower wireless network capacity, data throughput rate, range and coverage . Performance depends on many factors, conditions and variables, including distance from the access point, volume of network traffic, building materials and construction, operating system used, mix of wireless products used, interference and other adverse conditions . Avis de non-responsabilit concernant les appareils sans fil Les performances maximales pour les rseaux sans fil sont tires des spcifications de la norme IEEE 802 .11 . Les performances relles peuvent varier, notamment en fonction de la capacit du rseau sans fil, du dbit de la transmission de donnes, de la porte et de la couverture . Les performances dpendent de facteurs, conditions et variables multiples, en particulier de la distance par rapport au point daccs, du volume du trafic rseau, des matriaux utiliss dans le btiment et du type de construction, du systme dexploitation et de la combinaison de produits sans fil utiliss, des interfrences et de toute autre condition dfavorable . 8 Wireless Regulatory Information Declaration of Conformity with Regard to EU Directive 1999/5/EC (R&TTE Directive) Compliance Information for Linksys consumer products

(2,4 and 5 GHz) Relevant to the European Union and Other Countries Following the EU Directive 1999/5/EC

(R&TTE Directive)

[Bulgarian]

1999/5/. Lietuvi

[Lithuanian]:

is renginys tenkina 1999/5/EB Direktyvos esminius reikalavimus ir kitas ios direktyvos nuostatas. Nederlands

[Dutch]:

Dit apparaat voldoet aan de essentiele eisen en andere van toepassing zijnde bepalingen van de Richtlijn 1999/5/EC. Malti

[Maltese]:

Dan l-apparat huwa konformi mal-tiiet essenzjali u l-provedimenti l-ora rilevanti tad-

Direttiva 1999/5/EC. esky

[Czech]:

Dansk

[Danish]:

Deutsch

[German]:

Toto zazen poadavky a ustanovenmi Smrnice 1999/5/EC. je v souladu se zkladnmi odpovdajcmi ostatnmi Magyar

[Hungarian]:

a Ez kszlk kvetelmnyeket irnyelvben rendelkezseket. teljesti s ms meghatrozott az alapvet 1999/5/EK vonatkoz Dette udstyr er i overensstemmelse med de vsentlige krav og andre relevante bestemmelser i Direktiv 1999/5/EF. Norsk

[Norwegian]:

Dette utstyret er grunnleggende krav og andre bestemmelser i EU-direktiv 1999/5/EF. i samsvar med de relevante Dieses Gert entspricht den grundlegenden Anforderungen weiteren entsprechenden Vorgaben der Richtlinie 1999/5/EU. und den Eesti

[Estonian]:

See seade vastab direktiivi 1999/5/E olulistele nuetele ja teistele asjakohastele stetele. English:

Espaol

[Spanish]:

[Greek]:

Franais

[French]:

This equipment is in compliance with the essential requirements and other relevant provisions of Directive 1999/5/EC. Este equipo cumple con requisitos esenciales asi como con otras disposiciones de la Directiva 1999/5/CE. los 1999/5/EC. Cet appareil est conforme aux exigences essentielles et aux autres dispositions pertinentes de la Directive 1999/5/EC. Polski

[Polish]:

jest Urzdzenie oglnymi wymaganiami oraz szczeglnymi warunkami okrelonymi Dyrektyw UE: 1999/5/EC. zgodne z Portugus

[Portuguese]:

Este equipamento est em conformidade com os requisitos essenciais e outras provises relevantes da Directiva 1999/5/EC. Romn

[Romanian]

in conformitate Acest echipament este cu cerintele esentiale si cu alte prevederi relevante ale Directivei 1999/5/EC. Slovensko

[Slovenian]:

Ta naprava je skladna z bistvenimi zahtevami in ostalimi relevantnimi pogoji Direktive 1999/5/

EC. Slovensky

[Slovak]:

Toto zariadenie je v zhode so zkladnmi poiadavkami a inmi prslunmi nariadeniami direktv: 1999/5/EC. Suomi

[Finnish]:

laite tytt direktiivin 1999/5/EY Tm olennaiset vaatimukset ja on siin asetettujen muiden koskevien mrysten mukainen. laitetta slenska

[Icelandic]:

etta tki er samkvmt grunnkrfum og rum kvum Tilskipunar 1999/5/EC. vieigandi Svenska

[Swedish]:

Denna utrustning r i verensstmmelse med de vsentliga kraven och andra relevanta bestmmelser i Direktiv 1999/5/EC. Italiano

[Italian]:

Latviski

[Latvian]:

Questo apparato conforme ai requisiti essenziali e agli altri principi sanciti dalla Direttiva 1999/5/CE. iekrta atbilst Direktvas 1999/5/

EK btiskajm prasbm un citiem ar to saisttajiem noteikumiem. For all products, the Declaration of Conformity (DofC) is available through one or more of these options:

A pdf file is included on the products CD . A print copy is included with the product . 9 Wireless Regulatory Information A pdf file is available on the Linksys web site . Visit http://support.linksys.com/eudoc and select your product . If you need any other technical documentation, see the Technical Documents on http://support .linksys .com section, as shown later in this document . Wireless Equipment

(Wireless-AC/N/G/A/B Products) The following standards were applied during the assessment of the product against the requirements of the Directive 1999/5/EC:

Radio: EN 300 328 and/or EN 301 893 as applicable EMC: EN 301 489-1, EN 301 489-17 Safety: EN 60950-1 and either EN 50385 or EN 50371 For the Linksys Wireless-AC, -N, -G, -B, and/or -A products, the following CE mark and class 2 identifier are added to the equipment . National Restrictions This product may be used in all EU countries (and other countries following the EU directive 1999/5/EC) without any limitation except for the countries mentioned below:

Ce produit peut tre utilis dans tous les pays de lUE (et dans tous les pays ayant transposs la directive 1999/5/CE) sans aucune limitation, except pour les pays mentionns ci-dessous:

Questo prodotto utilizzabile in tutti i paesi EU (e in tutti gli altri paesi che seguono le direttive EU 1999/5/EC) senza nessuna limitazione, eccetto per i paesi menzionati di seguito:

Das Produkt kann in allen EU Staaten ohne Einschrnkungen eingesetzt werden (sowie in anderen Staaten die der EU Direktive 1999/5/CE folgen) mit Aunahme der folgenden aufgefhrten Staaten:

In the EU and other European countries, the 2,4- and 5-GHz bands have been made available for the use of wireless local area networks (LANs). The Overview of Regulatory Requirements for Wireless LANs table provides an overview of the regulatory requirements applicable for the 2,4- and 5-GHz bands. Later in this document you will find an overview of countries in which additional restrictions or requirements or both are applicable. The requirements for any country may evolve. Linksys recommends that you check with the local authorities for the latest status of their national regulations for both the 2,4- and 5-GHz wireless LANs. Overview of Regulatory Requirements for Wireless LANs Frequency Band (MHz) Max Power Level (EIRP) Indoor ONLY Indoor &

Outdoor

(mW) 100 200 1000 X 2400-2483,5 5150-5250 5470-5725 Dual band versions which can also operate in the 5 GHz band are limited to only operate within the band 5150-

5250 MHz and as such are restricted to indoor use only

(except Denmark) . X X The following countries have restrictions and/or requirements in addition to those given in the Overview of Regulatory Requirements for Wireless LANs table:

Denmark In Denmark, the band 5150 - 5350 MHz is also allowed for outdoor usage. I Danmark m frekvensbndet 5150 - 5350 ogs anvendes udendrs. France For 2,4 GHz, the product should not be used outdoors in the band 2454 - 2483,5 MHz. There are no restrictions when used in other parts of the 2,4 GHz band OR when used indoors. Check http://www.arcep.fr/ for more details. Pour la bande 2,4 GHz, l quipement ne doit pas tre utilis en extrieur dans la bande 2454 - 2483,5 MHz. Il ny a aucune restriction pour son utilisation dans dautres parties de la bande des 2,4 GHz ainsi que pour une utilisation en intrieur. Consultez http://www.arcep.fr/ pour de plus amples dtails. Italy This product meets the National Radio Interface and the requirements specified in the National Frequency Allocation Table for Italy. Unless this 2,4-GHz wireless LAN product is operating within the boundaries of the owners property, its use requires a general authorization. Please check http://www.comunicazioni.it/ for more details. Questo prodotto conforme alle specifiche di Interfaccia Radio Nazionali e rispetta il Piano Nazionale di ripartizione delle frequenze in Italia. Se non viene installato allinterno del proprio fondo, lutilizzo di prodotti Wireless LAN a 2,4 GHz richiede una Autorizzazione Generale. Consultare http://www.comunicazioni.it/ per maggiori dettagli. Latvia The outdoor usage of the 2,4 GHz band requires an authorization from the Electronic Communications Office. Please check http://www.esd.lv for more details. 2,4 GHz frekveu joslas izmantoanai rpus telpm nepiecieama atauja no Elektronisko sakaru direkcijas. Vairk informcijas:

http://www.esd.lv. 10 Wireless Regulatory Information Notes:

1 . Although Norway, Switzerland and Liechtenstein are not EU member states, the EU Directive 1999/5/EC has also been implemented in those countries . 2 . The regulatory limits for maximum output power are specified in EIRP . The EIRP level of a device can be calculated by adding the gain of the antenna used

(specified in dBi) to the output power available at the connector (specified in dBm) . Product Usage Restrictions This product is designed for indoor usage only . Outdoor usage is not recommended, unless otherwise noted . 2,4 GHz Restrictions This product is designed for use with the standard, integral or dedicated (external) antenna(s) that is/are shipped together with the equipment . Third-Party Software or Firmware The use of software or firmware not supported/provided by Linksys products may result that the equipment is no longer compliant with the regulatory requirements . Technical Documents on www .linksys .com Follow these steps to access technical documents:

1 . Enter www.linksys.com/business/support in your web browser . 2 . Click the model number link . 3 . Select Downloads from the list of tabs . 4 . Select the version of product . 5 . Click on the document you want and it will open in PDF format if you have Adobe Reader installed on your computer . 11 WEEE Information WEEE Information User Information for Consumer Products Covered by EU Directive 2002/96/EC on Waste Electric and Electronic Equipment (WEEE) This document contains important information for users with regards to the proper disposal and recycling of Linksys home networking products. Consumers are required to comply with this notice for all electronic products bearing the following symbol:

English - Environmental Information for Customers in the European Union European Directive 2002/96/EC requires that the equipment bearing this symbol on the product and/or its packaging must not be disposed of with unsorted municipal waste. The symbol indicates that this product should be disposed of separately from regular household waste streams. It is your responsibility to dispose of this and other electric and electronic equipment via designated collection facilities appointed by the government or local authorities. Correct disposal and recycling will help prevent potential negative consequences to the environment and human health. For more detailed information about the disposal of your old equipment, please contact your local authorities, waste disposal service, or the shop where you purchased the product.

(Bulgarian)

-

2002/96/EC ,

/ ,

.

,

.

-

,

, . etina (Czech) - Informace o ochran ivotnho prosted pro zkaznky v zemch Evropsk unie Evropsk smrnice 2002/96/ES zakazuje, aby zazen oznaen tmto symbolem na produktu anebo na obalu bylo likvidovno s netdnm komunlnm odpadem. Tento symbol udv, e dan produkt mus bt likvidovn oddlen od bnho komunlnho odpadu. Odpovdte za likvidaci tohoto produktu a dalch elektrickch a elektronickch zazen prostednictvm urench sbrnch mst stanovench vldou nebo mstnmi ady. Sprvn likvidace a recyklace pomh pedchzet potencilnm negativnm dopadm na ivotn prosted a lidsk zdrav. Podrobnj informace o likvidaci starho vybaven si laskav vydejte od mstnch ad, podniku zabvajcho se likvidac komunlnch odpad nebo obchodu, kde jste produkt zakoupili. Dansk (Danish) - Miljinformation for kunder i EU EU-direktiv 2002/96/EF krver, at udstyr der brer dette symbol p produktet og/eller emballagen ikke m bortskaffes som usorteret kommunalt affald. Symbolet betyder, at dette produkt skal bortskaffes adskilt fra det almindelige husholdningsaffald. Det er dit ansvar at bortskaffe dette og andet elektrisk og elektronisk udstyr via bestemte indsamlingssteder udpeget af staten eller de lokale myndigheder. Korrekt bortskaffelse og genvinding vil hjlpe med til at undg mulige skader for miljet og menneskers sundhed. Kontakt venligst de lokale myndigheder, renovationstjenesten eller den butik, hvor du har kbt produktet, angende mere detaljeret information om bortskaffelse af dit gamle udstyr. Deutsch (German) - Umweltinformation fr Kunden innerhalb der Europischen Union Die Europische Richtlinie 2002/96/EC verlangt, dass technische Ausrstung, die direkt am Gert und/oder an der Verpackung mit

, nicht zusammen mit unsortiertem diesem Symbol versehen ist Gemeindeabfall entsorgt werden darf. Das Symbol weist darauf hin, dass das Produkt von regulrem Haushaltmll getrennt entsorgt werden sollte. Es liegt in Ihrer Verantwortung, dieses Gert und andere elektrische und elektronische Gerte ber die dafr zustndigen und von der Regierung oder rtlichen Behrden dazu bestimmten Sammelstellen zu entsorgen. Ordnungsgemes Entsorgen und Recyceln trgt dazu bei, potentielle negative Folgen fr Umwelt und die menschliche Gesundheit zu vermeiden. Wenn Sie weitere Informationen zur Entsorgung Ihrer Altgerte bentigen, wenden Sie sich bitte an die rtlichen Behrden oder stdtischen Entsorgungsdienste oder an den Hndler, bei dem Sie das Produkt erworben haben. 12 WEEE Information

(Estonian) informatsioon

- Keskkonnaalane Eesti Euroopa Liidus asuvatele klientidele Euroopa Liidu direktiivi 2002/96/E nuete kohaselt on seadmeid, millel on tootel vi pakendil kesolev smbol

, keelatud krvaldada koos sorteerimata olmejtmetega. See smbol nitab, et toode tuleks krvaldada eraldi tavalistest olmejtmevoogudest. Olete kohustatud krvaldama kesoleva ja ka muud elektri- ja elektroonikaseadmed riigi vi kohalike ametiasutuste poolt ette nhtud kogumispunktide kaudu. Seadmete korrektne krvaldamine ja ringlussevtt aitab vltida vimalikke negatiivseid tagajrgi keskkonnale ning inimeste tervisele. Vanade seadmete krvaldamise kohta tpsema informatsiooni saamiseks vtke palun hendust kohalike ametiasutustega, jtmekitlusfirmaga vi kauplusega, kust te toote ostsite. Espaol (Spanish) - Informacin medioambiental para clientes de la Unin Europea La Directiva 2002/96/CE de la UE exige que los equipos que lleven este smbolo en el propio aparato y/o en su embalaje no deben eliminarse junto con otros residuos urbanos no seleccionados. El smbolo indica que el producto en cuestin debe separarse de los residuos domsticos convencionales con vistas a su eliminacin. Es responsabilidad suya desechar este y cualesquiera otros aparatos elctricos y electrnicos a travs de los puntos de recogida que ponen a su disposicin el gobierno y las autoridades locales. Al desechar y reciclar correctamente estos aparatos estar contribuyendo a evitar posibles consecuencias negativas para el medio ambiente y la salud de las personas. Si desea obtener informacin ms detallada sobre la eliminacin segura de su aparato usado, consulte a las autoridades locales, al servicio de recogida y eliminacin de residuos de su zona o pregunte en la tienda donde adquiri el producto.

(Greek)

-

2002/96/EC,

/

.

,

.

,

,

. Franais (French) - Informations environnementales pour les clients de lUnion europenne La directive europenne 2002/96/CE exige que lquipement sur lequel est appos ce symbole sur le produit et/ou son emballage ne soit pas jet avec les autres ordures mnagres. Ce symbole indique que le produit doit tre limin dans un circuit distinct de celui pour les dchets des mnages. Il est de votre responsabilit de jeter ce matriel ainsi que tout autre matriel lectrique ou lectronique par les moyens de collecte indiqus par le gouvernement et les pouvoirs publics des collectivits territoriales. Llimination et le recyclage en bonne et due forme ont pour but de lutter contre limpact nfaste potentiel de ce type de produits sur lenvironnement et la sant publique. Pour plus dinformations sur le mode dlimination de votre ancien quipement, veuillez prendre contact avec les pouvoirs publics locaux, le service de traitement des dchets, ou lendroit o vous avez achet le produit. Italiano (Italian) - Informazioni relative allambiente per i clienti residenti nellUnione Europea La direttiva europea 2002/96/EC richiede che le apparecchiature contrassegnate con questo simbolo sul prodotto e/o sullimballaggio non siano smaltite insieme ai rifiuti urbani non differenziati. Il simbolo indica che questo prodotto non deve essere smaltito insieme ai normali rifiuti domestici. responsabilit del proprietario smaltire sia questi prodotti sia le altre apparecchiature elettriche ed elettroniche mediante le specifiche strutture di raccolta indicate dal governo o dagli enti pubblici locali. Il corretto smaltimento ed il riciclaggio aiuteranno a prevenire conseguenze potenzialmente negative per lambiente e per la salute dellessere umano. Per ricevere informazioni pi dettagliate circa lo smaltimento delle vecchie apparecchiature in Vostro possesso, Vi invitiamo a contattare gli enti pubblici di competenza, il servizio di smaltimento rifiuti o il negozio nel quale avete acquistato il prodotto. Latvieu valoda (Latvian) - Ekoloiska informcija klientiem Eiropas Savienbas jurisdikcij Direktv 2002/96/EK ir prasba, ka aprkojumu, kam pievienota uz paa izstrdjuma vai uz t iesaiojuma, nedrkst zme izmest neirot veid kop ar komunlajiem atkritumiem

(tiem, ko rada vietji iedzvotji un uzmumi). zme nozm to, ka ierce ir jizmet atkritumos t, lai t nenonktu kop ar parastiem mjsaimniecbas atkritumiem. Jsu pienkums ir o un citas elektriskas un elektroniskas ierces izmest atkritumos, izmantojot paus atkritumu savkanas veidus un ldzekus, ko nodroina valsts un pavaldbu iestdes. Ja izmeana atkritumos un prstrde tiek veikta pareizi, tad mazins iespjamais kaitjums dabai un cilvku veselbai. Skkas zias par novecojua aprkojuma js varat saemt vietj pavaldb, atkritumu savkanas dienest, k ar veikal, kur iegdjties o izstrdjumu. izmeanu atkritumos 13 WEEE Information Lietuvkai (Lithuanian) - Aplinkosaugos informacija, skirta Europos Sjungos vartotojams Europos direktyva 2002/96/EC numato, kad rangos, kuri ir kurios pakuot yra paymta iuo simboliu (veskite simbol), negalima alinti kartu su neriuotomis komunalinmis atliekomis. is simbolis rodo, kad gamin reikia alinti atskirai nuo bendro buitini atliek srauto. Js privalote utikrinti, kad i ir kita elektros ar elektronin ranga bt alinama per tam tikras nacionalins ar vietins valdios nustatytas atliek rinkimo sistemas. Tinkamai alinant ir perdirbant atliekas, bus ivengta galimos alos aplinkai ir moni sveikatai. Daugiau informacijos apie js senos rangos alinim gali pateikti vietins valdios institucijos, atliek alinimo tarnybos arba parduotuvs, kuriose sigijote t gamin. Malti (Maltese) - Informazzjoni Ambjentali gal Klijenti fl-Unjoni Ewropea Id-Direttiva Ewropea 2002/96/KE titlob li t-tagmir li jkun fuq il-prodott u/jew fuq l-ippakkjar ma jistax fih is-simbolu jintrema ma skart muniipali li ma iex isseparat. Is-simbolu jindika li dan il-prodott gandu jintrema separatament minn ma l-iskart domestiku regolari. Hija responsabbilt tiegek li tarmi dan it-tagmir u kull tagmir ieor ta l-elettriku u elettroniku permezz ta failitajiet ta bir appuntati apposta mill-gvern jew mill-awtoritajiet lokali. Ir-rimi bmod korrett u r-riikla jgin jipprevjeni konsegwenzi negattivi potenzjali gall-ambjent u gas-saa tal-bniedem. Gal aktar informazzjoni dettaljata dwar ir-rimi tat-tagmir antik tiegek, jekk jogbok ikkuntattja lill-awtoritajiet lokali tiegek, is-servizzi gar-rimi ta l-iskart, jew il-anut minn fejn xtrajt il-prodott. Magyar (Hungarian) - Krnyezetvdelmi informci az eurpai unis vsrlk szmra A 2002/96/EC szm eurpai unis irnyelv megkvnja, hogy azokat a termkeket, amelyeken, s/vagy amelyek csomagolsn megjelenik, tilos a tbbi szelektlatlan lakossgi az albbi cmke hulladkkal egytt kidobni. A cmke azt jelli, hogy az adott termk kidobsakor a szokvnyos hztartsi hulladkelszlltsi rendszerektl elklntett eljrst kell alkalmazni. Az n felelssge, hogy ezt, s ms elektromos s elektronikus berendezseit a kormnyzati vagy a helyi hatsgok ltal kijellt gyjtredszereken keresztl szmolja fel. A megfelel hulladkfeldolgozs segt a krnyezetre s az emberi egszsgre potencilisan rtalmas negatv hatsok megelzsben. Ha elavult berendezseinek felszmolshoz tovbbi rszletes informcira van szksge, krjk, lpjen kapcsolatba a helyi hatsgokkal, a hulladkfeldolgozsi szolglattal, vagy azzal zlettel, ahol a termket vsrolta. Nederlands (Dutch) - Milieu-informatie voor klanten in de Europese Unie De Europese Richtlijn 2002/96/EC schrijft voor dat apparatuur die is voorzien van dit symbool op het product of de verpakking, niet mag worden ingezameld met niet-gescheiden huishoudelijk afval. Dit symbool geeft aan dat het product apart moet worden ingezameld. U bent zelf verantwoordelijk voor de vernietiging van deze en andere elektrische en elektronische apparatuur via de daarvoor door de landelijke of plaatselijke overheid aangewezen inzamelingskanalen. De juiste vernietiging en recycling van deze apparatuur voorkomt mogelijke negatieve gevolgen voor het milieu en de gezondheid. Voor meer informatie over het vernietigen van uw oude apparatuur neemt u contact op met de plaatselijke autoriteiten of afvalverwerkingsdienst, of met de winkel waar u het product hebt aangeschaft. Norsk (Norwegian) - Miljinformasjon for kunder i EU EU-direktiv 2002/96/EF krever at utstyr med flgende symbol avbildet p produktet og/eller pakningen, ikke m kastes sammen med usortert avfall. Symbolet indikerer at dette produktet skal hndteres atskilt fra ordinr avfallsinnsamling for husholdningsavfall. Det er ditt ansvar kvitte deg med dette produktet og annet elektrisk og elektronisk avfall via egne innsamlingsordninger slik myndighetene eller kommunene bestemmer. Korrekt avfallshndtering og gjenvinning vil vre med p forhindre mulige negative konsekvenser for milj og helse. For nrmere informasjon om hndtering av det kasserte utstyret ditt, kan du ta kontakt med kommunen, en innsamlingsstasjon for avfall eller butikken der du kjpte produktet. Polski (Polish) - Informacja dla klientw w Unii Europejskiej o przepisach dotyczcych ochrony rodowiska Dyrektywa Europejska 2002/96/EC wymaga, aby sprzt oznaczony znajdujcym si na produkcie i/lub jego opakowaniu symbolem nie by wyrzucany razem z innymi niesortowanymi odpadami komunalnymi. Symbol ten wskazuje, e produkt nie powinien by usuwany razem ze zwykymi odpadami z gospodarstw domowych. Na Pastwu spoczywa obowizek wyrzucania tego i innych urzdze elektrycznych oraz elektronicznych w punktach odbioru wyznaczonych przez wadze krajowe lokalne. Pozbywanie si sprztu we waciwy sposb i jego recykling pomog zapobiec potencjalnie negatywnym konsekwencjom dla rodowiska i zdrowia ludzkiego. W celu uzyskania szczegowych informacji o usuwaniu starego sprztu, prosimy zwrci si do lokalnych wadz, sub oczyszczania miasta lub sklepu, w ktrym produkt zosta nabyty. lub 14 WEEE Information Portugus (Portuguese) - Informao ambiental para clientes da Unio Europeia A Directiva Europeia 2002/96/CE exige que o equipamento que exibe este smbolo no produto e/ou na sua embalagem no seja eliminado junto com os resduos municipais no separados. O smbolo indica que este produto deve ser eliminado separadamente dos resduos domsticos regulares. da sua responsabilidade eliminar este e qualquer outro equipamento elctrico e electrnico atravs das instalaes de recolha designadas pelas autoridades governamentais ou locais. A eliminao e reciclagem correctas ajudaro a prevenir as consequncias negativas para o ambiente e para a sade humana. Para obter informaes mais detalhadas sobre a forma de eliminar o seu equipamento antigo, contacte as autoridades locais, os servios de eliminao de resduos ou o estabelecimento comercial onde adquiriu o produto. Romn (Romanian) - Informaii de mediu pentru clienii din Uniunea European Directiva european 2002/96/CE impune ca echipamentele care pe produs i/sau pe ambalajul acestuia s prezint acest simbol nu fie casate mpreun cu gunoiul menajer municipal. Simbolul indic faptul c acest produs trebuie s fie casat separat de gunoiul menajer obinuit. Este responsabilitatea dvs. s casai acest produs i alte echipamente electrice i electronice prin intermediul unitilor de colectare special desemnate de guvern sau de autoritile locale. Casarea i reciclarea corecte vor ajuta la prevenirea potenialelor consecine negative asupra sntii mediului i a oamenilor. Pentru mai multe informaii detaliate cu privire la casarea acestui echipament vechi, contactai autoritile locale, serviciul de salubrizare sau magazinul de la care ai achiziionat produsul. Slovenina (Slovak) - Informcie o ochrane ivotnho prostredia pre zkaznkov v Eurpskej nii Poda eurpskej smernice 2002/96/ES zariadenie s tmto symbolom na produkte a/alebo jeho balen nesmie by likvidovan spolu s netriedenm komunlnym odpadom. Symbol znamen, e produkt by sa mal likvidova oddelene od benho odpadu z domcnost. Je vaou povinnosou likvidova toto i ostatn elektrick a elektronick zariadenia prostrednctvom pecializovanch zbernch zariaden urench vldou alebo miestnymi orgnmi. Sprvna likvidcia a recyklcia pome zabrni prpadnm negatvnym dopadom na ivotn prostredie a zdravie ud. Ak mte zujem o podrobnejie informcie o likvidcii starho zariadenia, obrte sa, prosm, na miestne orgny, organizcie zaoberajce sa likvidciou odpadov alebo obchod, v ktorom ste si produkt zakpili. Slovenina (Slovene) - Okoljske informacije za stranke v Evropski uniji Evropska direktiva 2002/96/ES prepoveduje odlaganje opreme s tem simbolom na izdelku in/ali na embalai z nesortiranimi komunalnimi odpadki. Ta simbol opozarja, da je treba izdelek zavrei loeno od preostalih gospodinjskih odpadkov. Vaa odgovornost je, da to in preostalo elektrino in elektronsko opremo oddate na posebna zbiralia, ki jih doloijo dravne ustanove ali in recikliranjem boste prepreili morebitne kodljive vplive na okolje in zdravje ljudi. e elite izvedeti ve o odlaganju stare opreme, se obrnite na lokalne oblasti, odlagalie odpadkov ali trgovino, kjer ste izdelek kupili. lokalne oblasti. S pravilnim odlaganjem jos Suomi (Finnish) - Ymprist koskevia tietoja EU-alueen asiakkaille laitteistossa EU-direktiivi 2002/96/EY edellytt, ett itse tuotteessa ja/tai sen pakkauksessa, on tm symboli laitteistoa ei saa hvitt lajittelemattoman yhdyskuntajtteen mukana. Symboli merkitsee sit, ett tm tuote on hvitettv erilln tavallisesta kotitalousjtteest. Sinun vastuullasi on hvitt ja muut vastaavat elektroniikkatuotteet viemll tuote tai tuotteet viranomaisten mrmn keryspisteeseen. Laitteiston oikea hvittminen est mahdolliset kielteiset vaikutukset ympristn ja ihmisten terveyteen. Listietoja vanhan laitteiston oikeasta hvitystavasta saa paikallisilta viranomaisilta, jtteenhvityspalvelusta tai siit myymlst, josta ostit tuotteen. tm elektroniikkatuote Svenska (Swedish) - Miljinformation fr kunder i Europeiska unionen Det europeiska direktivet 2002/96/EC krver att utrustning med denna symbol p produkten och/eller frpackningen inte fr kastas med osorterat kommunalt avfall. Symbolen visar att denna produkt br kastas efter att den avskiljts frn vanligt hushllsavfall. Det faller p ditt ansvar att kasta denna och annan elektrisk och elektronisk utrustning p faststllda insamlingsplatser utsedda av regeringen eller lokala myndigheter. Korrekt kassering och tervinning skyddar mot eventuella negativa konsekvenser fr miljn och personhlsa. Fr mer detaljerad information om kassering av din gamla utrustning kontaktar du dina lokala myndigheter, avfallshanteringen eller butiken dr du kpte produkten. WEB: For additional information, please visit http://linksys.com 15 Visit www.linksys.com/business/support for more information BELKIN, LINKSYS and many product names and logos are trademarks of the Belkin group of companies . Third-party trademarks mentioned are the property of their respective owners . 2014 Belkin Interntional, Inc . and/or its affiliates . All rights reserved . RGD-00793 Rev .B00