The WS 2000 Wireless Switch provides a low-cost, feature-rich wireless switch for sites with one to six Access Ports. The WS 2000 Wireless Switch works at the center of a network’s infrastructure to seamlessly and securely combine wireless LANs (WLANs) and wired networks.
PoE have a third LED that indicates whether power is being delivered over the line to a power device (such as an Access Port). (See the WS 2000 Wireless Switch LED explanation for more information on the meaning of the different states of the LEDs.) •...
• Operating Altitude: 2.4 km
• Storage Altitude: 4.6 km
Software Overview
The WS 2000 Wireless Switch software provides a fully integrated solution for managing every aspect of connecting Wireless LANs (WLANs) to a wired network, and includes the following components:...
• Rate Scaling: This feature seeks to connect MUs to the WS 2000 Wireless Switch (via Access Port) at the highest possible rate, automatically scaling to a lower rate when network traffic demands.
WS 2000 Wireless Switch receives a “boot me” packet, it uploads the appropriate firmware for the Access Port. Once complete, the Access Port becomes active. For an Access Port to be adopted by the WS 2000 Wireless Switch, three things must be configured: 1.
NAT allows a company to use a single IP address to communicate with the Internet community. The WS 2000 Wireless Switch provides service, or forward, and reverse NAT translation on packets to and from the WAN and is fully compliant with RFC 1631.
Layer 3 Routing
DHCP Client and Server
The WS 2000 Wireless Switch can act as a DHCP client on the WAN and each of its three subnets. It can also act as an independent DHCP server on each of the three subnets.
Wired Equivalency Privacy (WEP) uses a key, or string of case-sensitive characters, to encrypt and decrypt data packets transmitted between a mobile unit (MU) and the WS 2000 Wireless Switch. The administrator configures mobile units (MUs) and the WS 2000 Wireless Switch to use the same key.
WS 2000 Wireless Switch to share the same key. The MU authenticates by presenting the key to a WS 2000 Wireless Switch. The switch examines the key, and uses it to perform a checksum, or error-checking operation, by comparing the key to one on the switch. The MU accesses network services only when the key passes the checksum process.
Kerberos server exists as a separate entity on the wired LAN. On initial request from a Kerberos-enabled MU, the WS 2000 Wireless Switch acts as a proxy to the external KDC. The switch passes initial Kerberos authentication information to the external KDC until the MU authenticates in the manner described in this section.
Getting Started Overview
Installing the Switch
To install the WS 2000 Wireless Switch hardware, follow the directions in the WS 2000 Wireless Switch Quick Installation Guide found in the box with the switch and on the CD-ROM that is distributed with the switch. These instructions describe how to: •...
4. Log in using “admin” as the username and “symbol” as the password.
5. If the login is successful, the following prompt will be displayed. Enter a new admin password in both fields, and click the Update Password Now button.
Changing the Administrator Password
The password information set at the factory is the same for all WS 2000 Network Switches. For security reasons, it is important to change the switch’s admin password as soon as possible.
The first step of the network configuration process is to figure out the topology of the LAN. The WS 2000 Wireless Switch allows the administrator to enable and configure three different subnets. The administrator can assign an IP address, port associations, DHCP settings, and security settings to each subnet.
Step 2: Configure Subnets
The WS 2000 Network Management System allows the administrator to define and refine the configuration of the enabled subnets. Each of three subnets (short for “subnetworks”) can be configured as an identifiably separate part of the switch-managed Local Area Network (LAN).
2. Specify the address of a Primary DNS server. The Internet Service Provider (ISP) or a network administrator can provide this address. A DNS server translates a domain name, such as www.symbol.com, into an IP address that networks can use.
3. Specify the address of a Secondary DNS server if one is available.
WAN port might connect to a DSL or cable modem to access the Internet. The administrator needs to enter the WAN configuration information. The WS 2000 Wireless Switch includes one WAN port. In order to set up communications with the outside world, select Network Configuration -->...
3. It is not necessary to specify the IP Address or any of the other fields on the top section of this form when the WS 2000 wireless switch is set as a DHCP Client. The network host (router, switch, or modem) will provide these values each time it makes a connection with the wireless switch.
6. Click the Apply button to save changes.
Step 4: Enable Wireless LANs (WLANs)
The WS 2000 Wireless Switch works either in a wired or wireless environment; however, the power of the switch is associated with its support of wireless networks. In order to use the wireless features of the switch, the administrator needs to enable one, two or three wireless LANs (WLANs).
Rename the WLAN in this field, if desired. Character spaces are allowed. This change affects several other screens and the interface will also change the name in the left menu tree. Symbol Technologies recommends the use of descriptive names for WLANs.
Decryption applies the algorithm in reverse to restore the data to its original form. Sender and receiver employ the same encryption/decryption method. The WS 2000 Wireless Switch provides three methods for data encryption: WEP, WPA-TKIP, and KeyGuard-MCM. The WPA-TKIP and KeyGuard-MCM methods use WEP 104-bit key encryption.
5. Specify a Pass Key and click the Generate button. The pass key can be any alphanumeric string. The switch, other proprietary routers, and Symbol cards in mobile units (MUs) use an algorithm to convert an ASCII string to the same hexadecimal number, but this conversion is not required for a wireless connection.
KeyGuard-MCM
KeyGuard-MCM is a proprietary encryption method developed by Symbol Technologies. KeyGuard is Symbol’s enhancement to WEP encryption and can work with any WEP device. This encryption method rotates WEP keys for devices that support the method. This encryption implementation is based on the IEEE Wireless Fidelity (Wi-Fi) standard, 802.11i.
Port to the list of known ports under the left menu item, Network Configuration --> Wireless --> Access Ports --> <Access Port Name>. For an Access Port to be adopted by the WS 2000 Wireless Switch, three things must be configured: 1.
Location information set in the System Settings screen and upon settings in the Default Access Port Settings screen for the radio type. The WS 2000 Wireless Switch GUI also allows the administrator to refine the basic Access Port configuration that is set at the point of detection. To examine or change that information: 4.
Ports. For more information, see Advanced Access Port Settings.
Step 8: Configure Subnet Access
The WS 2000 Network Management System allows the administrator to set up access rules for subnet-to-subnet and subnet-to-WAN communication. These access rules control communication between subnets and the outside world (the WAN). Select Network Configuration -->...
6. Click the Apply button to save changes.
WLAN—Setting Default Access Port Settings
The WS 2000 Network Switch can support up to six Access Ports. These Access Ports can be either an 802.11a or 802.11b radio type. When an Access Port associates with the wireless switch, the initial settings for that Access Port are taken from the Default Access Port Setting for the appropriate radio type.
10. Click the Apply button to save changes.
WLAN—Advanced Access Port Settings
The WS 2000 Wireless Switch GUI allows the administrator to configure the Access Port settings. To examine or change that information:
1. Select Network Configuration --> Wireless --> Access Ports from the left menu and then click the + to the left of the menu item.
Gateway—How to Configure the WS 2000 Firewall
The WS 2000 Wireless Switch provides a secure firewall / Network Address Translation (NAT) solution for the WAN uplink. The firewall includes a proprietary CyberDefense Engine to protect internal networks from known Internet attacks. It also provides additional protection by performing source routing, IP unaligned timestamp, and sequence number prediction.
A router uses routing tables and protocols to forward data packets from one network to another. The switch’s router manages traffic within the switch’s network, and directs traffic from the WAN to destinations on the switch-managed LAN. The WS 2000 Network Management System provides the Router screen to view and set the router’s connected routes.
Chapter 5. System Administration Overview
The WS 2000 Network Management System provides several screens for administering the switch and monitoring activity on the switch. From the interface the administrator can:
• Change the general system settings, such as the name of the switch and the location of the switch
•...
Changing the Name of the Switch
When the administrator first logs into the WS 2000 Network Management System, the System Settings screen appears. One of the fields in this screen is the System Name field.
Change the Location and Country Settings of the WS 2000
When the administrator first logs into the WS 2000 Network Management System, the System Settings screen appears. One of the fields in this screen is the Country field.
1. Select System Configuration --> System Settings from the left menu.
2. Click the Restart WS 2000 button to restart the switch. A second window appears, asking for confirmation.
3. Select the Restart button. Upon confirming the restart, the switch reboots. Typically, normal communications with the switch are restored within a minute or two.
WS 2000 Wireless Switch.
4. Compare the WS 2000 Version with the most recent version listed on the site. All updates will be listed along with a description of what the update contains.
5. Check to see if an administrator has already downloaded the file. It might already be on an FTP server at the site.
System Configuration
Exporting and Importing Wireless Switch Settings
All of the configuration settings for the WS 2000 Wireless Switch can be saved to a configuration file and then either imported back into the same switch or transferred to another switch. This file-based configuration saving feature provides several benefits: •...
Although it should not be necessary during the normal course of operations, the administrator might need to restore the default configuration settings of the switch. This procedure is typically performed from the WS 2000 Network Management System user interface; however, there are circumstances in which the administrator cannot access the switch through the user interface (for example, if the administrator accidentally disables all the subnet checkboxes in the WS 2000 Access screen).
SNMP allows an administrator to manage network performance, find and solve network problems, and plan for network growth. The WS 2000 Wireless Switch includes SNMP management functions for gathering information from its network components, and communicating that information to specific users.
Configure Administrator Access
The WS 2000 Network Management System allows two different users to log in to perform administration tasks: the switch administrator and the manager. The switch administrator can change any settings within the WS 2000 Network Management System.
WAN can access the log screen by specifying one of the IP addresses associated with the user interface. The WS 2000 Access screen allows the administrator to restrict access from different locations. By selecting the appropriate checkboxes, the administrator can allow or disallow specific types of access from the WAN port or from the LAN subnets.
3. Click the Apply button to save changes.
Changing the Administrator and Manager Passwords
In the lower half of the WS 2000 Access screen, two buttons open sub-screens that allow the administrator to change either the switch administrator’s or switch manager’s passwords.
Packets
Subnet Statistics
The WS 2000 Network Management System provides a set of screens that allow the administrator to view real-time statistics for monitoring the switch’s activity. One of those screens displays statistics for each of the subnets. Selecting Status & Statistics -->...
Access Ports for each of the associated WLANs are listed.
WAN Statistics
The WS 2000 Network Management System provides a set of screens that allow the administrator to view real-time statistics for monitoring the switch’s activity. One of those screens displays statistics for the Wide Area Network (WAN) port. Selecting Status &...
The total number of TCP/IP data carrier errors received
Setting Up and Viewing the System Log
The WS 2000 Network Management System keeps a log of the events that happen on the switch. The switch has a modest amount of memory to store events. If the administrator wishes to keep a more complete event history, the administrator needs to enable a log server.
POS terminals. The WS 2000 allows the administrator to restrict access from one subnet to another, so Clarisa will create a subnet that is just for WLAN #3, and then restrict access from that subnet to the other subnets.
Retail Use Cases
Clarisa starts her web browser and enters “http://192.168.0.1/” as the URL. The WS 2000 sends a login page to her browser. She logs in using “admin” for the username and “symbol” as the password.
Entering the Basic System Settings
Clarisa selects System Settings in the left menu, located under the System Configuration heading.
In the WS 2000 Access screen, Clarisa controls which network interfaces can be used to reconfigure the WS 2000 switch. She is currently using HTTP access on port 80 over the LAN, so she leaves that on. She wants to be able to manage the switch from corporate headquarters, but she does not want to leave the standard HTTP port, port 80, open over the WAN.
Now Clarisa needs to name and define the subnets. The subnet menu items are under the LAN item in Network Configuration in the WS 2000 left menu. The subnets can be renamed, assigned an IP address, and have ports associated with them. Before she can do this, however, Clarisa needs to plan how she is going to assign IP addresses to the subnets and the devices on them.
Inspecting the Firewall
Clarisa selects the Firewall item in the left menu. Each of the checkbox items represents a type of attack the WS 2000 can filter out. She checks to see that all of the options are enabled. Clarisa clicks the Apply button to confirm that all attacks listed will be filtered.
WLAN. This is the WLAN that she plans to use for the cafe WLAN. The WLAN name is used within the WS 2000 configuration screens to make the interface easier to navigate. She renames this WLAN from “WLAN3” to “Cafe”. She also gives it an ESSID of “CCC-Cafe”.
After she is confident that everything is working, she moves the Access Ports to their permanent locations. She connects the WS 2000 to the DSL modem. Finally, she tests the connection from each subnet to the WAN.
Leo has decided to upgrade to a WS 2000 wireless switch. He will have four Access Ports, one in the administration office area, one in the sales office area, one in the sales engineering area, and one in the engineers’...
A Field Office Example
The Plan
Each WS 2000 WLAN has exactly one security policy, where a security policy is defined as a user authentication method and a data encryption method. Because each WLAN can have one and only one security policy, WLAN configuration is usually defined by the security needs of the installation.
Leo clicks the “+” to the left of System Configuration in the left menu, then selects System Settings in the left menu. The system name is used to distinguish between WS 2000 switches for remote configuration. Leo gives the switch a descriptive name, “Atlanta1”. This name will appear in the footer for subsequent configuration windows for the switch.
Setting Access Control
Leo then clicks the WS 2000 Access node in the left menu. This controls which subnet can be used to reconfigure the WS 2000 switch and how that reconfiguration can be accomplished. Leo will be inside the LAN, so he leaves on all means of reconfiguring from within the LAN.
10/100BaseT ports and the WLANs) that are currently associated with each subnet. All of the subnets are enabled; no changes are needed there. Next Leo needs to configure each of the subnets. He clicks the “+” symbol to the left of LAN in the left menu to expand it.
The next step is to configure the WAN interface.
Configuring the WAN
Next Leo configures the WS 2000 WAN interface. This interface connects the WS 2000 switch to the VPN appliance and, through that appliance, to the Internet. Leo enables the WAN interface, but leaves the DHCP client option disabled. Instead of using DHCP to get address information for the switch, he enters the permanent information that he previously obtained from the corporate network administrator.
After entering the IP addresses for the WAN interface, Leo clicks the “+” to the left of the WAN item in the left menu to expand it. He then selects the NAT item. The WS 2000 displays the three IP addresses he entered when configuring the WAN.
WLAN. He expands the Wireless node in the left menu, and selects the first WLAN listed. Leo gives the WLAN the name “EngWLAN” so that subsequent screens in the WS 2000 interface will be a little easier to read. The ESSID is the identification string that his users will see, so he uses a name that will be easy for them to recognize, the string “Engineering.”...
Leo does need to set the frequency with which the key for broadcast communication is changed. By default, the WS 2000 changes the broadcast key every 600 seconds, or every ten minutes. Breaking WEP encryption requires several hours of solid traffic, so Leo decides to change the broadcast key rotation to 3600 seconds, or once an hour.
After these WLANs are configured, the next step is to configure the Access Ports.
Configuring the Access Ports
The WS 2000 allows the user to specify default settings for Access Ports. Leo expands the Access Ports node in the left menu and selects the 11b Defaults node. Leo has four 802.11a ports, so he will set the default settings for the 802.11a Access Ports.
He clicks the “+” to the left of Access Ports in the left menu and selects the menu item labeled “AP1”. The WS 2000 switch has found and queried the Access Port for its MAC address. Leo enters a new name for the Access Port, “Eng-AP1,” and its location, “Eng.
Appendix A. Sample Configuration File
All of the configuration settings for the WS 2000 Wireless Switch can be saved to a configuration file, and then either imported back into the same switch or transferred to another switch.