Page 1 Motorola Solutions AP-6511 Access Point System Reference Guide...
Page 2 Motorola Solutions AP-6511 Access Point System Reference Guide > > > > > >...
Page 3: Table Of Contents
1.1 About the Motorola Solutions WiNG 5 Software ....... . .
Page 4 Motorola Solutions AP-6511 Access Point System Reference GuideMotorola 5.2.2 RSA Key Management ........... .5-15 5.2.3 Certificate Creation .
Page 5 6.2.3.1 WLAN QoS Deployment Considerations ........6-47 6.3 Radio QoS Policy .
Page 6 Motorola Solutions AP-6511 Access Point System Reference GuideMotorola Chapter 9 Services Configuration 9.1 Configuring Captive Portal Policies ..........9-2 9.1.1 Configuring a Captive Portal Policy .
Page 7 13.1.2 Inventory ............. .13-5 13.2 RF Domain .
Page 8 Motorola Solutions AP-6511 Access Point System Reference GuideMotorola 13.3.13.2 RSA Keys ............13-57 13.3.14 WIPS .
Page 9: About This Guide
Documentation Set The documentation set for the Motorola Solutions AP-6511 Access Point is partitioned into the following guides to provide information for specific user needs. • Installation Guide - Describes the basic hardware setup and configuration required to transition to a more advanced configuration of the AP.
Page 10: Document Conventions
Motorola Solutions AP-6511 Access Point System Reference Guide Document Conventions The following conventions are used in this document to draw your attention to important information: NOTE: Indicate tips or special requirements. CAUTION: Indicates conditions that can cause equipment damage or data loss.
Page 11: Chapter 1 Overview
The AP-6511 Access Point uses a subset of the WING 5 software as an onboard operating system unique to the Access Point. The WING 5 software resident on the AP-6511 Access Point supports a subset of the Enterprise class feature set available on RFS4000, RFS6000 and RFS7000 model controllers.
Page 12: About The Motorola Solutions Wing 5 Software
A WiNG 5 network supports rapid application delivery, mixed-media application optimization and quality assurance. Deploying a new Motorola Solutions WiNG 5 network does not require the replacement of an existing Motorola Solutions wireless infrastructure. WiNG 5 enables the simultaneous use of existing architectures from Motorola Solutions and other vendors, even if those other architectures are centralized models.
Page 13: Chapter 2 Web Ui Overview
Web UI Overview The AP-6511 Access Point uses a Controller AP version of the WING 5 software. The AP-6511 UI is a subset of the functionality deployed on RFS4000, RFS6000 and RFS7000 model controllers. The AP-6511's resident user interface contains a set of features specifically designed to enable an AP-6511 to function as either a Controller AP, Standalone AP or Dependent mode AP.
Page 14: Accessing The Web Ui
In addition, the “?” character is also not supported in text fields. 2.1.2 Connecting to the Web UI 1. Connect one end of an Ethernet cable to any of the LAN ports on the AP-6511 and connect the other end to a computer with a working Web browser.
Page 15: Using The Initial Setup Wizard
Web UI Overview 6. Select the Login button to load the management interface. 7. If this is the first time the management interface has been accessed, a dialogue displays to start the initial setup wizard. For more information on using the initial setup wizard see Using the Initial Setup Wizard on page 3-2.
Page 16: Glossary Of Icons Used
Motorola Solutions AP-6511 Access Point System Reference Guide 2.2 Glossary of Icons Used The AP-6511's interface utilizes a number of icons designed to interact with the system, gather information from managed devices and obtain status. This chapter is a compendium of the icons used, and is organized as follows: •...
Page 17: Dialog Box Icons
Web UI Overview Create new policy – Select this icon to create a new policy. Policies define different configuration parameters that can be applied to device configurations, and device profiles. Edit policy – Select this icon to edit an existing policy. To edit a policy, click on the policy and select this button.
Page 18: Status Icons
Adoption Policy – Represents an adoption policy. Adoption policies are a set of configuration parameters that define how APs and wireless clients are adopted. An AP-6511 Adoption Policy only applies to other AP-6511 models. Wireless LANs – States an action impacting a WLAN has occurred.
Page 19 Web UI Overview Radio QoS Policy – Indicates a QoS policy configuration has been impacted. AAA Policy – Indicates an Authentication, Authorization and Accounting (AAA) policy has been impacted. AAA policies define RADIUS authentication and accounting parameters. Association ACL – Indicates an Association Access Control List (ACL) configuration has been impacted.
Page 20 Motorola Solutions AP-6511 Access Point System Reference Guide Advanced WIPS Policy – States the conditions of an advanced WIPS policy have been invoked. WIPS prevents unauthorized access to the system by checking for and removing rogue APs and wireless clients.
Page 21: Configuration Objects
Web UI Overview Configuration icons are used to define the following: Configuration – Indicates an item capable of being configured by the AP-6511 interface. View Events / Event History – Defines a list of events. Select this icon to view events or view the event history.
Page 22: Access Type Icons
Motorola Solutions AP-6511 Access Point System Reference Guide 2.2.8 Access Type Icons  Web UI Overview The following icons display a user access type: Web UI – Defines a Web UI access permission. A user with this permission is permitted to access an associated device’s Web UI.
Page 23: Device Icons
Help Desk – Indicates help desk privileges. A help desk user is allowed to use troubleshooting tools like sniffers, execute service commands, view or retrieve logs and reboot the AP-6511. Web User – Indicates a Web user privilege. A Web user is allowed accessing the device’s Web user interface.
Page 24 Motorola Solutions AP-6511 Access Point System Reference Guide 2-12...
Page 25: Chapter 3 Getting Started
Getting Started AP-6511 model Access Points utilize an initial settings wizard to streamline the process of accessing the wireless network for the first time. The wizard helps configure location, network and WLAN settings and aids in the discovery of access points. For instructions on how to use the initial setup wizard as well as an...
Page 26: Using The Initial Setup Wizard
1. Connect one end of an Ethernet cable to the PoE port on the back of the AP-6511. Connect the other end to a computer with a functional Web browser. Use a power injector as needed to consolidate power and Ethernet in one cable.
Page 27 Access Point Type from the available options. • Controller AP - When more than one AP-6511 is deployed, a single AP-6511 can function as a Controller AP to manage Dependent mode AP-6511s. Up to 24 Dependant APs can be connected to a Controller AP.
Page 28 Changing the default password is critical before any configuration refinements are made to protect the data exchanged between the AP-6511 and its peers. Ensure the Location represents the AP-6511’s deployment area and the Contact accurately reflects the administrator responsible for this AP-6511.
Page 29 Getting Started Figure 3-4 Initial Setup Wizard - System Information 9. Select any or all of access methods (HTTP, HTTPS, Telnet or SSHv2) used for connecting to this AP-6511 access point. 10. Select the Next button to continue to the Topology Selection screen.
Page 30 11. Select a network topology based on your network’s configuration. The network topology mode determines which options are available in subsequent screens. Router Mode In Router Mode the AP-6511 routes the traffic between the local network (LAN) and internet or external network (WAN). Bridge Mode Displays the device’s factory assigned MAC address used as hardware...
Page 31 Getting Started Figure 3-6 Initial Setup Wizard - LAN Configuration 13. The LAN Configuration screen is partitioned into Interface, DHCP Address Assignment Domain Name Server (DNS). LAN Interface section contains configuration for the LAN IP Address and Subnet as well as VLAN configuration.
Page 32 Motorola Solutions AP-6511 Access Point System Reference Guide Configure VLANs Select the Configure VLANs Manually checkbox to enable advanced manual Manually VLAN configuration. For more information on VLAN configuration see Virtual Interface Configuration on page 7-11. Advanced VLAN Select the Advanced VLAN Configuration button to set associations between Configuration VLANs and physical interfaces.
Page 33 Getting Started Figure 3-7 Initial Setup Wizard - WAN Configuration 14. Select the Next button when completed to advance to the WAN Configuration screen. The WAN Configuration screen is partitioned into Interface, and Gateway fields. WAN Interface field contains configuration parameters for the WAN IP Address, Subnet and VLAN. WAN IP Address/ Enter an IP Address and a subnet for the controller’s WAN interface.
Page 34 WLAN Setup screen. Figure 3-8 Initial Setup Wizard - WLAN Setup 16. The WLAN Setup screen allows you to define which WLANs are initially enabled on the AP-6511. 17. To add a WLAN, select WLAN. 3-10...
Page 35 - SSID < > | " & \ ? , WLAN Type Use the WLAN Type to select a basic authentication and encryption scheme for a AP-6511 WLAN. Available options include No authentication, no encryption Captive portal authentication, no encryption PSK authentication, WPA2 encryption EAP authentication, WPA2 encryption...
Page 36 Enter either an alphanumeric string of 8 to 63 ASCII characters or 64 HEX characters as the primary string both transmitting and receiving authenticators must share. The alphanumeric string allows character spaces. The AP-6511 converts the string to a numeric value. This passphrase saves the administrator from entering the 256-bit key each time keys are generated.
Page 37 Getting Started Figure 3-11 Initial Setup Wizard - AP Discovery 20. The AP Discovery screen displays a list of Access Points discovered by the AP-6511. The screen lists their Model, Hostname, MAC Address Serial Number. If you have connected any APs recently, select Refresh List button to update the list of known APs.
Page 38 Wireless Client Association screen displays adopted wireless clients and the WLANs they are associated with. To verify the WLAN configuration, associate a wireless client with each configured AP-6511 WLAN. After associating, click the Refresh button to update the list of associated wireless clients. Select...
Page 39 Settings modified by the updates made to the AP-6511 configuration using the Initial Setup Wizard. Scroll to any screen listed within the Complete tab to display that screen within the AP-6511 user interface if additional modifications are required beyond the scope of the Initial Setup Wizard.
Page 40 Motorola Solutions AP-6511 Access Point System Reference Guide Figure 3-14 Initial Setup Wizard - Completed 25. Once you have reviewed the changes, click the Close button to exit the wizard and return the AP-6511’s Web UI. 3-16...
Page 41: Chapter 4 Dashboard
Dashboard The dashboard allows network administrators to review and troubleshoot the operation of the devices comprising the AP-6511 managed network. Use the dashboard to review the current network topology, assess the network’s component health and diagnose problematic device behavior. By default, the Dashboard screen displays the System Dashboard screen, which is the top level in the device hierarchy.
Page 42: Dashboard Conventions
• Health – Displays information about the state of the AP-6511 managed network. • Inventory – Displays information on the physical devices being managed by the AP-6511. 4.1.1.1 Health  Health Health tab displays information about the state of the AP-6511 managed network.
Page 43 Dashboard Figure 4-2 Dashboard screen - Health tab Information in this tab is classified as: • Device Details • Radio RF Quality Index • Radio Utilization Index • Client RF Quality Index 4.1.1.1.1 Device Details  Health The Device Details field displays model and version information.
Page 44  Health The Radio RF Quality Index field displays a RF quality table for the AP-6511’s single RF Domain. It’s a percentage of the overall effectiveness of the RF environment. It’s a function of the data rate in both directions, the retry rate and the error rate.
Page 45 (at the bottom of the screen) to update the radio utilization information displayed. Figure 4-5 Radio Utilization Index field 4.1.1.1.4 Client RF Quality Index  Health The Client RF Quality field displays a list of the worst 5 performing clients managed by the AP-6511. Figure 4-6 Client RF Quality Index field...
Page 46: Inventory
 Dashboard Conventions The Inventory tab displays information relative to the devices managed by this AP-6511. This screen affords a system administrator an overview of the number and state of managed devices. The screen contains links to display more granular data specific to a specific radio.
Page 47 4.1.1.2.6 WLAN Utilization  Inventory The WLAN Utilization field displays the top 5 WLANs utilized by this AP-6511 in respect to deployment on behalf of AP-6511 client support. Figure 4-9 Device Types field The table displays how effectively each WLAN is utilized, its WLAN name and each listed WLANs’s SSID.
Page 48 Information in the Wireless Clients field is presented in two tables. The first table lists the total number of wireless clients managed by this AP-6511. The second table lists an ordered ranking of radios based on their supported client count. Use this information to assess if an AP-6511 managed radio is optimally deployed in respect to its radio type and intended client support requirements.
Page 49: Network View
4.2 Network View  Dashboard The Network View displays device topology association between an AP-6511 its RF Domain and its managed wireless clients. This association is displayed using a number of different graph and filter options. To review the Network Topology, select Dashboard >...
Page 50: Filters Field
Show Label option to display hardware MAC address. The left-hand side of the Network View display contains an expandable System column where peer AP-6511 Access Points can be selected and expanded to displays connected peers. Use the System area as required to review device connections within an AP-6511 managed network.
Page 51 Dashboard Figure 4-15 Filters field The following filter options are available: • RF Quality – Select this option to filter based on the overall RF health. RF health is a ratio of connection rate, retry rates, and error rates. The available ranges are: •...
Page 52: Device Specific Information
Motorola Solutions AP-6511 Access Point System Reference Guide 4.2.2 Device Specific Information  Network View The device specific information field displays information for a selected device. The screen displays the Access Points factory encoded MAC address and serial number. While this information cannot be modified by the administrator, it does enable the administrator to review the device’s system uptime within the...
Page 53: Chapter 5 Device Configuration
• Assigning Certificates An AP-6511 RF Domain allows an administrator to assign configuration data to multiple devices deployed in a common coverage area (floor, building or site). In such instances, there’s many configuration attributes these devices share, as their general client support roles are quite similar. However, device configurations may need periodic refinement and overrides from their original RF Domain administered design.
Page 54: Basic Device Configuration
RF Domain or Profile. To assign a device am AP-6511 a Basic Configuration: 1. Select the Configuration tab from the Web UI.
Page 55 Device Configuration Figure 5-1 Device Basic Configuration screen 4. Set the following Configuration settings for the target device: System Name Provide the selected device a system name up to 64 characters in length. This is the device name that appears within the RF Domain or Profile the device supports.
Page 56 Motorola Solutions AP-6511 Access Point System Reference Guide 6. Refer to the Set Clock parameter to update the AP-6511 system time. Refer to the Device Time parameter to assess the device’s current time, or whether the device time is unavailable. Select Refresh as required to update the device’s system time.
Page 57: Assigning Certificates
A RSA key pair must be generated on the client. The public portion of the key pair resides with the licensed device, while the private portion remains on the client. To configure AP-6511 certificate usage: 1. Select the Configuration tab from the Web UI.
Page 58: Certificate Management
If not wanting to use an existing certificate or key with a selected device, an existing stored certificate can be leveraged from a different device for use with a AP-6511. Device certificates can be imported and exported to a secure remote location for archive and retrieval as required for application to other devices.
Page 59 Device Configuration Figure 5-3 Certificate Management - Trustpoints screen The Certificate Management screen displays with the Trustpoints section displayed by default. 2. Select a device from amongst those displayed to review its certificate information. Refer to the Certificate Details to review the certificate’s properties, self-signed credentials, validity period and CA information.
Page 60 Motorola Solutions AP-6511 Access Point System Reference Guide Figure 5-4 Certificate Management - Import New Trustpoint screen 4. Define the following configuration parameters required for the Import of the trustpoint. Trustpoint Name Enter the 32 character maximum name assigned to the target trustpoint. The trustpoint signing the certificate can be a certificate authority, corporation or individual.
Page 61 Device Configuration Hostname Provide the hostname of the server used to import the trustpoint. This option is not valid for cf, usb1, and usb2. Path Specify the path to the trustpoint. Enter the complete relative path to the file on the server. 5.
Page 62 Motorola Solutions AP-6511 Access Point System Reference Guide Protocol Select the protocol used for importing the target CA certificate. Available options include: tftp sftp http usb1 usb2 Port Use the spinner control to set the port. This option is not valid for cf, usb1, and usb2.
Page 63 Device Configuration Figure 5-6 Certificate Management - Import CRL screen 10. Define the following configuration parameters required for the Import of the CRL: Trustpoint Name Enter the 32 character maximum name assigned to the target trustpoint signing the certificate. A trustpoint represents a CA/identity pair containing the identity of the CA, CA-specific configuration parameters, and an association with an enrolled identity certificate.
Page 64 Motorola Solutions AP-6511 Access Point System Reference Guide IP Address Enter IP address of the server used to import the CRL. This option is not valid for cf, usb1, and usb2. Hostname Provide the hostname of the server used to import the CRL. This option is not valid for cf, usb1, and usb2.
Page 65 Device Configuration Provide the complete URL to the location of the signed certificate. If needed, select Advanced to expand the dialog to display network address information to the location of the signed certificate. The number of additional fields that populate the screen is also dependent on the selected protocol. Protocol Select the protocol used for importing the target signed certificate.
Page 66 Motorola Solutions AP-6511 Access Point System Reference Guide Figure 5-8 Certificate Management - Export Trustpoint screen 16. Define the following configuration parameters required for the Export of the trustpoint. Trustpoint Name Enter the 32 character maximum name assigned to the target trustpoint. The trustpoint signing the certificate can be a certificate authority, corporation or individual.
Page 67: Rsa Key Management
Device Configuration Hostname Provide the hostname of the server used to export the trustpoint. This option is not valid for cf, usb1, and usb2. Path Specify the path to the trustpoint. Enter the complete relative path to the file on the server. 17.
Page 68 Motorola Solutions AP-6511 Access Point System Reference Guide Figure 5-9 Certificate Management - RSA Keys screen 3. Select a listed device to review its current RSA key configuration. Each key can have its size and character syntax displayed. Once reviewed, optionally generate a new RSA key, import a key from a selected device, export a key to a remote location or delete a key from a selected device.
Page 69 Key Name Enter the 32 character maximum name assigned to the RSA key. Key Passphrase Define the key used by both the AP-6511 and the server (or repository) of the target RSA key. Select the Show textbox to expose the actual characters used in the passphrase.
Page 70 Motorola Solutions AP-6511 Access Point System Reference Guide Protocol Select the protocol used for importing the target key. Available options include: tftp sftp http usb1 usb2 Port Use the spinner control to set the port. This option is not valid for cf, usb1, and usb2.
Page 71: Certificate Creation
Key Name Enter the 32 character maximum name assigned to the RSA key. Key Passphrase Define the key passphrase used by both the AP-6511 and the server. Select the Show textbox to expose the actual characters used in the passphrase. Leaving the Show checkbox unselected displays the passphrase as a series of asterisks “*”.
Page 72 To create a new RSA key, select the radio button to define 32 character name used to identify the RSA key. Use the spinner control to set the size of the key (between 1,024 - 2,048 bits). Motorola Solutions recommends leaving this value at the default setting (1024) to ensure optimum functionality. For more...
Page 73: Generating A Certificate Signing Request
Device Configuration 4. Set the following Certificate Subject Name parameters required for the creation of the certificate: Certificate Subject Select either the auto-generate radio button to automatically create the Name certificate's subject credentials or select user-defined to manually enter the credentials of the self signed certificate.
Page 74 To create a new RSA key, select the radio button to define a 32 character name used to identify the RSA key. Use the spinner control to set the size of the key (between 1,024 - 2,048 bits). Motorola Solutions recommends leaving this value at the default setting (1024) to ensure optimum functionality. For more...
Page 75 Device Configuration 4. Set the following Certificate Subject Name parameters required for the creation of the certificate: Certificate Subject Select either the auto-generate radio button to automatically create the Name certificate's subject credentials or select user-defined to manually enter the credentials of the self signed certificate.
Page 76: Rf Domain Overrides
RF Domain assignment. An AP-6511 RF Domain allows an administrator to assign configuration data to multiple devices deployed in a common coverage area (floor, building or site). In such instances, there’s many configuration attributes these devices share as their general client support roles are quite similar.
Page 77 Device Configuration Figure 5-15 RF Domain Overrides screen NOTE: A blue override icon (to the left of any parameter) defines the parameter as having an override applied. To revert the override back to its original setting, select the override icon to display an Action pop-up.
Page 78 VPNs and encryption and authentication policies. The AP-6511 supports WIPS through the use of dedicated sensor devices designed to actively detect and locate unauthorized AP devices. After detection, they use mitigation techniques to block the devices by manual termination, air lockdown, or port suppression.
Page 79: Profile Overrides
Device Configuration 5.4 Profile Overrides Profiles enable administrators to assign a common set of configuration parameters and policies. Profiles can be used to assign shared or unique network, wireless and security parameters to Access Points across a large, multi segment, site. The configuration parameters within a profile are based on the hardware model the profile was created to support.
Page 80: Profile Interface Override Configuration
5.4.1 Profile Interface Override Configuration An AP-6511 requires its Virtual Interface be configured for layer 3 (IP) access or layer 3 service on a VLAN. A virtual interface defines which IP address is associated with each connected VLAN ID.
Page 81: Ethernet Port Override Configuration
5.4.1.1 Ethernet Port Override Configuration  Profile Interface Override Configuration Use an Ethernet Port override to change (modify) parameters of an AP-6511 Ethernet Port configuration. Displays the physical port name reporting runtime data and statistics. The following ports are available on an AP-6511: •...
Page 82 Displays the VLANs allowed to send packets over the listed port. Allowed VLANs are only listed when the mode has been set to Trunk. 8. To edit (or override) the configuration of an existing AP-6511 port, select it from amongst those displayed and select the Edit button.
Page 83 Device Configuration Figure 5-18 Ethernet Ports - Basic Configuration screen 9. Set (or override) the following Ethernet port Properties: Description Provide a brief description for the AP-6511 port (64 characters maximum). Admin Status Select the Enabled radio button to define this port as active to the profile it supports.
Page 84 Motorola Solutions AP-6511 Access Point System Reference Guide Cisco Discover Select the radio button to allow the Cisco discovery protocol for transmitting Protocol Transmit data on this port. Link Layer Discovery Select this option to snoop LLDP on this port. The default setting is enabled.
Page 85 Device Configuration Figure 5-19 Ethernet Ports - Security screen 14.Refer to the Access Control field. As part of the port’s security configuration, Inbound IP and MAC address firewall rules are required. The configuration can be optionally overriden if needed. Use the Inbound IP Firewall Rules Inbound MAC Firewall Rules drop-down menus to select...
Page 86 Motorola Solutions AP-6511 Access Point System Reference Guide NOTE: Some vendor solutions with VRRP enabled send ARP packets with Ethernet SMAC as a physical MAC and inner ARP SMAC as VRRP MAC. If this configuration is enabled, a packet is allowed, despite a conflict existing.
Page 87: Virtual Interface Override Configuration
Device Configuration 5.4.1.2 Virtual Interface Override Configuration  Profile Interface Override Configuration A Virtual Interface is required for layer 3 (IP) access or provide layer 3 service on a VLAN. The Virtual Interface defines which IP address is associated with each VLAN ID. A Virtual Interface is created for the default VLAN (VLAN 1) to enable remote administration.
Page 88 Motorola Solutions AP-6511 Access Point System Reference Guide 7. Review the following parameters unique to each Virtual Interface configuration to determine whether a parameter override is warranted: Name Displays the name of each listed Virtual Interface assigned when it was created.
Page 89 Device Configuration 10.Define or override the following parameters from within the Properties field: Description Provide or edit a description (up to 64 characters) for the Virtual Interface that helps differentiate it from others with similar configurations. Admin Status Either select the Disabled or Enabled radio button to define this interface’s current status within the network.
Page 90 Motorola Solutions AP-6511 Access Point System Reference Guide 17.Select the Security tab. Figure 5-22 Profile Overrides - Virtual Interfaces Security screen 18.Use the Inbound IP Firewall Rules drop-down menu to select the firewall rule configuration to apply to this Virtual Interface.
Page 91: Radio Override Configuration
 Profile Interface Override Configuration AP-6511 model Access Points can have their radio profile configurations overridden if a portion of a profile is no longer relevant to the Access Point’s deployment objective. To define a radio configuration override for an AP-6511: 1.
Page 92 Motorola Solutions AP-6511 Access Point System Reference Guide 6. Review the following radio configuration data to determine whether a radio configuration requires modification or override: Name Displays whether the reporting radio is the Access Point’s radio1 or radio2. Type Displays the type of radio housed by each listed Access Point.
Page 93 Device Configuration Figure 5-24 Profile Overrides - Access Point Radio Settings tab Radio Settings tab displays by default. 8. Define or override the following radio configuration parameters from within the Properties field: Description Provide or edit a description (1 - 64 characters in length) for the radio that helps differentiate it from others with similar configurations.
Page 94 (isotropically), and has no losses. Although the gain of an antenna is directly related to its directivity, its gain is a measure that takes into account the efficiency of the antenna as well as its directional capabilities. Motorola Solutions recommends that only a professional installer set the antenna gain.
Page 95 Device Configuration Rate Once the radio band is provided, the Rate drop-down menu populates with rate options depending on the 2.4 or 5 GHz band selected. If the radio band is set to Sensor or Detector, the Data Rates drop-down menu is not enabled, as the rates are fixed and not user configurable.
Page 96 Motorola Solutions AP-6511 Access Point System Reference Guide RTS Threshold Specify a Request To Send (RTS) threshold (between 1 - 2,347 bytes) for use by the WLAN's adopted Access Point radios. RTS is a transmitting station's signal that requests a Clear To Send (CTS) response from a receiving client. This RTS/ CTS procedure clears the air where clients are contending for transmission time.
Page 97 Device Configuration Figure 5-25 Profile Overrides - WLAN Mapping tab 12.Refer to the WLAN/BSS Mappings field to set or override WLAN BSSID assignments for an existing Access Point deployment. Administrators can assign each WLAN its own BSSID. If using a single-radio access point, there are 8 BSSIDs available.
Page 98 Motorola Solutions AP-6511 Access Point System Reference Guide Figure 5-26 Profile Overrides - Access Point Radio Advanced Settings tab 15.Refer to the Aggregate MAC Protocol Data Unit (A-MPDU) field to define or override how MAC service frames are aggregated by the Access Point radio.
Page 99: Overriding A Profile's Network Configuration
Client Count Weight Sets the client load per Access Point radio between 0 - 10. Motorola Solutions recommends considering the client load on an Access Point before defining its radio configuration.
Page 100: Overriding A Profile's Dns Configuration
Motorola Solutions AP-6511 Access Point System Reference Guide other devices and requires careful administration to ensure this one device still supports the deployment requirements within the network. A profile’s network configuration process consists of the following: • Overriding a Profile’s DNS Configuration •...
Page 101 Device Configuration Figure 5-27 Profile Overrides - Network DNS screen NOTE: A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To revert the override back to its original profile setting, select the override icon to display an Action pop-up.
Page 102: Overriding A Profile's Arp Configuration
When an incoming packet destined for a host arrives at the AP-6511, the AP-6511 gateway uses ARP to find a physical host or MAC address that matches the IP address. ARP looks in its ARP cache and, if it finds the address, provides it so the packet can be converted to the right packet length and format and sent to the destination.
Page 103 Device Configuration Figure 5-28 Profile Overrides - Network ARP screen 6. Set or override the following parameters to define the ARP configuration: VLAN Use the spinner control to select a VLAN for an address requiring resolution. IP Address Define the IP address used to fetch a MAC Address. MAC Address Displays the target MAC address that’s subject to resolution.
Page 104: Overriding A Profile's Quality Of Service (Qos) Configuration
Motorola Solutions AP-6511 Access Point System Reference Guide 5.4.2.3 Overriding a Profile’s Quality of Service (QoS) Configuration  Overriding a Profile’s Network Configuration QoS values are required to provide priority of service to some packets over others. For example, VoIP packets get higher priority than data packets to provide a better quality of service for high priority voice traffic.
Page 105 Device Configuration Figure 5-29 Profile Overrides - Network QoS screen 6. Set or override the following parameters for the IP DSCP mappings for untagged frames: DSCP Lists the DSCP value as a 6-bit parameter in the header of every IP packet used for packet classification.
Page 106: Overriding A Profile's Static Route Configuration
Motorola Solutions AP-6511 Access Point System Reference Guide 5.4.2.4 Overriding a Profile’s Static Route Configuration  Overriding a Profile’s Network Configuration Use the Static Routes screen to set or override Destination IP and Gateway addresses enabling assignment of static IP addresses for requesting clients without creating numerous host pools with manual bindings. This eliminates the need for a long configuration file and reduces the resource space required to maintain address pools.
Page 107 Device Configuration 6. Select Add Row + as needed to include single rows in the static routes table. 7. Add IP addresses and network masks in the Network column. 8. Set or override the Gateway used to route traffic. A green checkmark in the Default Gateway column defines a default gateway being applied. A red “X” means a gateway assignment has been made.
Page 108: Overriding A Profile's Forwarding Database Configuration
Motorola Solutions AP-6511 Access Point System Reference Guide 5.4.2.5 Overriding a Profile’s Forwarding Database Configuration  Overriding a Profile’s Network Configuration A Forwarding Database is used by a bridge to forward or filter packets. The bridge reads the packet’s destination MAC address and decides to either forward the packet or drop (filter) it. If it’s determined the destination MAC is on a different network segment, it forwards the packet to the segment.
Page 109 Device Configuration Figure 5-31 Profile Overrides - Network Forwarding Database screen 6. Define or override a Bridge Aging Time between 0, 10-1,000,000 seconds. The aging time defines the length of time an entry will remain in the a bridge’s forwarding table before being deleted due to lack of activity.
Page 110: Overriding A Profile's Bridge Vlan Configuration
Motorola Solutions AP-6511 Access Point System Reference Guide 5.4.2.6 Overriding a Profile’s Bridge VLAN Configuration  Overriding a Profile’s Network Configuration A Virtual LAN (VLAN) is separately administrated virtual network within the same physical. VLANs are broadcast domains to allow control of broadcast, multicast, unicast, and unknown unicast within a Layer 2 device.
Page 111 Device Configuration Figure 5-32 Profile Overrides - Network Bridge VLAN screen 6. Review the following VLAN configuration parameters to determine whether an override is warranted: VLAN Lists the numerical identifier defined for the Bridge VLAN when it was initially created. The available range is from 1 - 4095. This value cannot be modified during the edit process.
Page 112 Motorola Solutions AP-6511 Access Point System Reference Guide Trust ARP Response When ARP trust is enabled, a green checkmark displays. When disabled, a red “X” displays. Trusted ARP packets are used to update the IP-MAC Table to prevent IP spoof and arp-cache poisoning attacks.
Page 113 DHCP Snoop Table to prevent IP spoof attacks. This feature is disabled by default. Overlaid VLAN Select this checkbox to separate this VLAN from the wired VLAN used by the AP-6511. This feature is disabled by default. 11.Select the button to save the changes and overrides to the General tab. Select Reset to revert to the last saved configuration.
Page 114: Overriding A Profile's Miscellaneous Network Configuration
Motorola Solutions AP-6511 Access Point System Reference Guide 5.4.2.7 Overriding a Profile’s Miscellaneous Network Configuration  Overriding a Profile’s Network Configuration A profile can be configured to include a hostname in a DHCP lease for a requesting device and its profile.
Page 115: Overriding A Profile's Security Configuration
Device Configuration 7. Select the button to save the changes and overrides. Select Reset to revert to the last saved configuration. 5.4.3 Overriding a Profile’s Security Configuration A profile can have its own firewall policy, wireless client role policy, WEP shared key authentication, NAT policy and VPN policy applied.
Page 116: Overriding A Profile's General Security Settings
Motorola Solutions AP-6511 Access Point System Reference Guide 5.4.3.1 Overriding a Profile’s General Security Settings  Overriding a Profile’s Security Configuration A profile can leverage existing firewall, wireless client role and WIPS policies and configurations and apply them to the profile’s configuration. This affords each profile a truly unique combination of data protection policies best meeting the data protection requirements of that profile.
Page 117 Select the radio button to require devices using this profile to use a WEP key Authentication to access the network using this profile. Clients without Motorola adapters need to use WEP keys manually configured as hexadecimal numbers. This option is disabled by default.
Page 118: Overriding A Profile's Certificate Revocation List (Crl) Configuration
Motorola Solutions AP-6511 Access Point System Reference Guide 5.4.3.2 Overriding a Profile’s Certificate Revocation List (CRL) Configuration  Overriding a Profile’s Security Configuration A certificate revocation list (CRL) is a list of certificates that have been revoked or are no longer valid. A certificate can be revoked if the certificate authority (CA) had improperly issued a certificate, or if a private- key is compromised.
Page 119 Device Configuration Additionally, a certificate can be placed on hold for a user defined period. If, for instance, a private key was found and nobody had access to it, its status could be reinstated. a. Provide the name of the trustpoint in question within the Trustpoint Name field.
Page 120: Overriding A Profile's Nat Configuration
Motorola Solutions AP-6511 Access Point System Reference Guide 5.4.3.3 Overriding a Profile’s NAT Configuration  Overriding a Profile’s Security Configuration Network Address Translation (NAT) is a technique to modify network address information within IP packet headers in transit across a traffic routing device. This enables mapping one IP address to another to protect wireless controller managed network address credentials.
Page 121 Device Configuration Figure 5-37 Profile Overrides - NAT Pool screen NAT Pool displays by default. The NAT Pool screen lists those NAT policies created thus far. Any of these policies can be selected and applied to a profile. 6. Select to create a new NAT policy that can be applied to a profile.
Page 122 Motorola Solutions AP-6511 Access Point System Reference Guide 7. If adding a new NAT policy or editing the configuration of an existing policy, define the following parameters: Name If adding a new NAT policy, provide a name to help distinguish it from others with similar configurations.
Page 123 Device Configuration To map a source IP address from an internal network to a NAT IP address click the + Add Row button. Enter the internal network IP address in Source IP field. Enter the NAT IP address in the NAT IP field.
Page 124 Motorola Solutions AP-6511 Access Point System Reference Guide Figure 5-41 NAT Destination Add screen 11.Set or override the following Destination configuration parameters: Static NAT creates a permanent, one-to-one mapping between an address on an internal network and a perimeter or external network. To share a Web server on a perimeter interface with the Internet, use static address translation to map the actual address to a registered IP address.
Page 125 Device Configuration NAT IP Enter the IP address of the matching packet to the specified value. The IP address modified can be either source or destination based on the direction specified. NAT Port Enter the port number of the matching packet to the specified value. This option is valid only if the direction specified is destination.
Page 126 Motorola Solutions AP-6511 Access Point System Reference Guide 14.Refer to the following to determine whether a new Dynamic NAT configuration requires creation, edit or deletion: Lists an ACL name to define the packet selection criteria for the NAT Source List ACL configuration.
Page 127: Overriding A Profile's Services Configuration
Device Configuration 15.Set or override the following to define the Dynamic NAT configuration: Source List ACL Use the drop-down menu to select an ACL name to define the packet selection criteria for NAT. NAT is applied only on packets which match a rule defined in the access-list.
Page 128 Motorola Solutions AP-6511 Access Point System Reference Guide Figure 5-44 Profile Overrides - Services screen 5. Refer to the Captive Portal field to set or override a guest access configuration (captive portal) for use with this profile. A captive portal is guest access policy for providing guests temporary and restrictive access to the network.
Page 129: Overriding A Profile's Management Configuration
Device Configuration Either select an existing captive portal policy or select the Create button to create a new captive portal configuration that can be applied to this profile. For more information, see Configuring a Captive Portal Policy on page 9-2 7.
Page 130 Motorola Solutions AP-6511 Access Point System Reference Guide Figure 5-45 Profile Overrides - Management Settings screen 5. Refer to the Management Policy field to set or override a management configuration for use with this profile. A default management policy is also available if no existing policies are usable.
Page 131 Notice, Info and Debug. The default logging level is Error. 7. Refer to the System Event Messages field to define or override how AP-6511 system messages are logged and forwarded on behalf of the profile. Select the Enable System Events radio button to allow the profile to capture system events and append them to a log file.
Page 132 Motorola Solutions AP-6511 Access Point System Reference Guide Figure 5-46 Profile Overrides - Management Firmware screen 10.Select the Enable Configuration Update radio button (from within the Automatic Configuration Update field) to enable automatic configuration file updates for the profile from a location external to the device.
Page 133: Overriding A Profile's Miscellaneous Configuration
Device Configuration 14.Select Heartbeat from the Management menu. Figure 5-47 Profile Overrides - Management Heartbeat screen 15.Select the Service Watchdog option to implement heartbeat messages to ensure other associated devices are up and running and capable of effectively interoperating. The Service Watchdog is enabled by default.
Page 134 Motorola Solutions AP-6511 Access Point System Reference Guide Figure 5-48 Profile Overrides - Miscellaneous screen 2. Set a NAS-Identifier Attribute up to 253 characters in length. This is the RADIUS NAS-Identifier attribute that typically identifies where a RADIUS message originates.
Page 135: Chapter 6 Wireless Configuration
Wireless Configuration A Wireless Local Area Network (WLAN) is a data-communications system and wireless local area network that flexibly extends the functionalities of a wired LAN. A WLAN links two or more computers or devices using spread-spectrum or OFDM modulation based technology. A WLAN does not require lining up devices for line-of-sight transmission, and are thus, desirable for wireless networking.
Page 136 Motorola Solutions AP-6511 Access Point System Reference Guide Figure 6-1 Configuration > Wireless field...
Page 137: Wireless Lan Policy
Wireless Configuration 6.1 Wireless LAN Policy To review the attributes of existing WLANs and, if necessary, modify their configurations: 1. Select Configuration > Wireless > Wireless LANs to display a high-level display of existing WLANs. Figure 6-2 Wireless LANs screen 2.
Page 138: Basic Wlan Configuration
Motorola Solutions AP-6511 Access Point System Reference Guide VLAN Pool Lists each WLANs current VLAN mapping. When a client associates with a WLAN, the client is assigned a VLAN by means of load balance distribution. The VLAN is picked from a pool assigned to the WLAN. Keep in mind however, typical deployments only map a single VLAN to a WLAN.
Page 139 Wireless Configuration Figure 6-3 WLAN Policy Basic Configuration screen 3. Refer to the WLAN Configuration field to define the following: WLAN Policy If adding a new WLAN, enter its name in the space provided. Spaces between words are not permitted. The name could be a logical representation of the WLAN coverage area (engineering, marketing etc.).
Page 140: Configuring Wlan Security
Before defining a WLAN’s basic configuration, refer to the following deployment guidelines to ensure the configuration is optimally effective: • Motorola Solutions recommends one VLAN be deployed for secure WLANs, while separate VLANs be defined for each WLAN providing guest access.
Page 141 Wireless Configuration Figure 6-4 WLAN Policy Security screen Authentication ensures only known and trusted users or devices access a WLAN. Authentication is enabled per WLAN to verify the identity of both users and devices. Authentication is a challenge and response procedure for validating user credentials such as username, password and sometimes secret-key information.
Page 142: Eap, Eap Psk And Eap Mac
RADIUS server is used, EAP authentication requests are forwarded. When using PSK with EAP, packets are sent requesting a secure link using a pre-shared key. The AP-6511 and authenticating device must use the same authenticating algorithm and passcode during authentication.
Page 143: Mac Authentication
• Motorola Solutions recommends a valid certificate be issued and installed on devices providing 802.1X EAP. The certificate should be issued from an Enterprise or public certificate authority to allow 802.1X clients to validate the identity of the authentication server prior to forwarding credentials.
Page 144 Motorola Solutions AP-6511 Access Point System Reference Guide user credentials. MAC authentication is somewhat poor as a standalone data protection technique, as MAC addresses can be easily spoofed by hackers who can provide a device MAC address to mimic a trusted device within the wireless controller managed network.
Page 145: Psk / None
Wireless Configuration 6.1.2.3 PSK / None  Configuring WLAN Security Open-system authentication can be referred to as no authentication, since no actual authentication takes place. A client requests (and is granted) authentication with no credential exchange. NOTE: Although None implies no authentication, this option is also used when pre-shared keys are used for encryption (thus the /PSK in the description).
Page 146 Motorola Solutions AP-6511 Access Point System Reference Guide Wi-Fi Protected Access 2 (WPA2) is an enhanced version of WPA. WPA2 uses the Advanced Encryption Standard (AES) instead of TKIP. AES supports 128-bit, 192-bit and 256-bit keys. WPA/WPA2 also provide strong user authentication based on 802.1x EAP.
Page 147 Motorola recommends rotating these keys so a potential hacker would not have enough data using a single key to attack the deployed encryption scheme.
Page 148: Wpa2-Ccmp
WPA2-TKIP information elements. Enabling this option allows backwards compatibility for clients that support WPA-TKIP and WPA2-TKIP but do not support WPA2-CCMP. Motorola recommends enabling this feature if WPA-TKIP or WPA2-TKIP supported clients operate in a WLAN populated by WPA2-CCMP enabled clients.
Page 149 Wireless Configuration 2. Select the button to create an additional WLAN or select an existing WLAN and choose Edit modify the properties of an existing wireless controller WLAN. 3. Select Security. 4. Select the WPA2-CCMP radio button from within the select Select Encryption field. The screen populates with the parameters required to define a WPA2-CCMP configuration for the new or existing WLAN.
Page 150 AP, and one broadcast key, the common key for all the clients in that subnet. Motorola recommends rotating these keys so a potential hacker would not have enough data using a single key to attack the deployed encryption scheme.
Page 151: Wep 64
• Motorola recommends WPA2-CCMP be configured for all new (non visitor) WLANs requiring encryption, as it’s supported by the majority of the hardware and client vendors using Motorola wireless networking equipment. • WPA2-CCMP supersedes WPA-TKIP and implements all the mandatory elements of the 802.11i standard.
Page 152 The pass key can be any alphanumeric string. The wireless controller, other proprietary routers, and Motorola clients use the algorithm to convert an ASCII string to the same hexadecimal number. Clients without Motorola adapters need to use WEP keys manually configured as hexadecimal numbers.
Page 153 Before defining a WEP 64 supported configuration on a WLAN, refer to the following deployment guidelines to ensure the configuration is optimally effective: • Motorola recommends additional layers of security (beyond WEP) be enabled to minimize the likelihood of data loss and security breaches. WEP enabled WLANs should be mapped to an isolated VLAN with Firewall policies restricting access to hosts and suspicious network applications.
Page 154 The pass key can be any alphanumeric string. The wireless controller, other proprietary routers, and Motorola clients use the algorithm to convert an ASCII string to the same hexadecimal number. Clients without Motorola adapters need to use WEP keys manually configured as hexadecimal numbers.
Page 155: Wep 128
Before defining a WEP 128 supported configuration on a WLAN, refer to the following deployment guidelines to ensure the configuration is optimally effective: • Motorola recommends additional layers of security (beyond WEP) be enabled to minimize the likelihood of data loss and security breaches. WEP enabled WLANs should be mapped to an isolated VLAN with Firewall policies restricting access to hosts and suspicious network applications.
Page 156 Motorola Solutions AP-6511 Access Point System Reference Guide Figure 6-9 WLAN Policy Firewall screen The screen displays editable fields for IP Firewall Rules, MAC Firewall Rules, Trust Parameters and Client Deny Limits. Select an existing inbound and outbound IP Firewall Rule using the drop-down menu.
Page 157 Wireless Configuration Figure 6-10 IP Firewall Rules screen 6. Define the following parameters for either the inbound or outbound IP Firewall Rules: Allow Every IP Firewall rule is made up of matching criteria rules. The action defines what to do with the packet if it matches the specified criteria. The following actions are supported: Deny—...
Page 158 Motorola Solutions AP-6511 Access Point System Reference Guide Action The following actions are supported: Log—Creates a log entry that a Firewall rule has allowed a packet to either be denied or permitted. Mark—Modifies certain fields inside the packet and then permits them.
Page 159 Wireless Configuration 10.Define the following parameters for either the inbound or outbound MAC Firewall Rules: Allow Every IP Firewall rule is made up of matching criteria rules. The action defines what to do with the packet if it matches the specified criteria. The following actions are supported: Deny—...
Page 160: Configuring Client Settings
Motorola Solutions AP-6511 Access Point System Reference Guide 13.Set the following Wireless Client Deny configuration: Wireless Client If enabled, any associated client which exceeds the thresholds configured Denied Traffic for storm traffic is either deauthenticated or blacklisted depending on the Threshold selected Action.
Page 161 Wireless Configuration Figure 6-12 WLAN Policy Client Settings screen 4. Define the following Client Settings for the WLAN: Disallow Select this option to disallow client to client communication within this WLAN. Client-to-Client The default is enabled, meaning clients are allowed to exchange packets with Communication other clients.
Page 162: Configuring Wlan Accounting Settings
Motorola Solutions AP-6511 Access Point System Reference Guide Enforce DHCP Client Select the checkbox to enforce that the firewall only allows packets from Only clients if they used DHCP to obtain an IP address, disallowing static IP addresses. This feature is disabled by default.
Page 163: Accounting Deployment Considerations
Before defining a AAA configuration on a WLAN, refer to the following deployment guidelines to ensure the configuration is optimally effective: • When using RADIUS authentication, Motorola Solutions recommends the WAN port round trip delay not exceed 150ms. Excessive delay over a WAN can cause authentication and roaming issues. When excessive delays exists, a distributed RADIUS service should be used.
Page 164: Configuring Advanced Wlan Settings
Motorola Solutions AP-6511 Access Point System Reference Guide • Authorization policies can also apply bandwidth restrictions and assign Firewall policies to users and devices. 6.1.6 Configuring Advanced WLAN Settings  Wireless LAN Policy To configure advanced settings on a WLAN: 1.
Page 165 Wireless Configuration SA Query Attempts Use the spinner control to set the number of security association query attempts between 1-15. The default value is 3. SA Query Retry The timeout value is the configurable interval used to timeout association Timeout requests that exceed the defined interval.
Page 166 Motorola Solutions AP-6511 Access Point System Reference Guide Figure 6-15 Advanced WLAN Rate Settings 2.4 GHz screen Figure 6-16 Advanced WLAN Rate Settings 5 GHz screen Define both minimum Basic and optimal Supported rates as required for the 802.11b rates, 802.11g rates and 802.11n rates supported by the 2.4 GHz band and 802.11a and 802.11n rates supported by the 5.0...
Page 167 Wireless Configuration intervals and modulation types. Clients can associate as long as they support basic MCS (as well as non- 11n basic rates). The selected rates apply to associated client traffic within this WLAN only. 7. Select when completed to update this WLAN’s advanced settings. Select Reset to revert the screen back to its last saved configuration.
Page 168: Configuring Wlan Qos Policies
Motorola Solutions AP-6511 Access Point System Reference Guide 6.2 Configuring WLAN QoS Policies  Wireless LAN Policy QoS provides a data traffic prioritization scheme. QoS reduces congestion from excessive traffic. If there is enough bandwidth for all users and applications (unlikely because excessive bandwidth comes at a very high cost), then applying QoS has very little value.
Page 169 Wireless Configuration 2. Refer to the following read-only information on each listed QoS policy to determine whether an existing policy can be used as is, an existing policy requires edit or a new policy requires creation: WLAN QoS Policy Displays the name assigned to this WLAN QoS policy when it was initially created.
Page 170: Configuring A Wlan's Qos Wmm Settings
Motorola Solutions AP-6511 Access Point System Reference Guide NOTE: When using a wireless client classification other than WMM, only legacy rates are supported on that WLAN. 3. Either select the button to define a new WLAN QoS policy, or select an existing WLAN QoS policy...
Page 171 Wireless Configuration 2. Select the button to create a new QoS policy or Edit to modify the properties of an existing WLAN QoS policy. The WMM tab displays by default. Figure 6-18 WLAN QoS Policy - WMM screen 6-37...
Page 172 Select this option if Voice traffic is prioritized on the WLAN. This gives Prioritization priority to voice and voice management packets and is supported only on certain legacy Motorola VOIP phones. This feature is enabled by default. Enable SVP Enabling Spectralink Voice Prioritization (SVP) allows the...
Page 173 Wireless Configuration Multicast Mask Set a secondary multicast mask for the WLAN QoS policy. Secondary Multicast Mask Select a drop-down menu option to determine the priority at which Classification immediate multicast/broadcast packets go out. This setting overwrites the WLAN Client Classification. This does not affect multicast/broadcast packets going out at DTIM.
Page 174 Motorola Solutions AP-6511 Access Point System Reference Guide 5. Set the following Normal (Background) Access settings for the WLAN’s QoS policy: Transmit Ops Use the slider to set the maximum duration a device can transmit after obtaining a transmit opportunity. The default value is 25.
Page 175: Configuring A Wlan's Qos Rate Limit Settings
(upstream) and data transmitted from a WLAN’s wireless clients back to their associated Access Point radios (downstream). Before defining rate limit thresholds for WLAN upstream and downstream traffic, Motorola Solutions recommends you define the normal number of ARP, broadcast, multicast and unknown unicast packets that typically transmit and receive from each supported WMM access category.
Page 176 Motorola Solutions AP-6511 Access Point System Reference Guide 4. Configure the following parameters in respect to the intended WLAN Upstream Rate Limit. Enable Select the Enable radio button to enable rate limiting for data transmitted from Access Point radios to associated wireless clients. Enabling this option does not invoke rate limiting for data traffic in the downstream direction.
Page 177 Wireless Configuration Video Traffic Set a percentage value for video traffic in the upstream direction. This is a percentage of the maximum burst size for video traffic. Video traffic exceeding the defined threshold is dropped and a log message is generated.
Page 178: Configuring A Wlan's Qos Wireless Client Rate Limit Settings
Motorola Solutions AP-6511 Access Point System Reference Guide 6. Set the following Downstream Random Early Detection Threshold settings for each access category. An early random drop is done when the amount of tokens for a traffic stream falls below the set threshold.
Page 179 Wireless Configuration Figure 6-20 WLAN QoS Policy - WLAN Client Rate Limit screen 4. Configure the following parameters in respect to the intended Wireless Client Upstream Rate Limit: Enable Select the Enable radio button to enable rate limiting for data transmitted from the client to its associated access point radio.
Page 180 Motorola Solutions AP-6511 Access Point System Reference Guide Video Traffic Set a percentage value for video traffic in the upstream direction. This is a percentage of the maximum burst size for video traffic. Video traffic exceeding the defined threshold is dropped by the client and a log message is generated.
Page 181: Wlan Qos Deployment Considerations
Wireless Configuration 8. Select when completed to update this WLAN’s QoS rate limit settings for wireless clients. Select Reset to revert the screen back to its last saved configuration. 6.2.3.1 WLAN QoS Deployment Considerations Before defining a WLAN QoS configuration, refer to the following deployment guidelines to ensure the configuration is optimally effective: •...
Page 182: Radio Qos Policy
WMM settings, while parameters used by wireless clients are controlled by a WLAN’s WMM settings. An AP-6511 supports static QoS mechanisms per WLAN to provide prioritization of WLAN traffic when legacy (non WMM) clients are deployed. An AP-6511 Access Point allows flexible WLAN mapping with a 6-48...
Page 183: Radio Qos Configuration And Deployment Considerations
• WMM enabled clients can co-exist with non-WMM clients on the same WLAN. Non-WMM clients are always assigned a Best Effort access category. • Motorola Solutions recommends default WMM values be used for all deployments. Changing these values can lead to unexpected traffic blockages, and the blockages might be difficult to diagnose.
Page 184: Aaa Policy
Authentication, Authorization, and Accounting (AAA) provides the mechanism network administrators define access control within the network. The AP-6511 can interoperate with external Radius and LDAP Servers (AAA Servers) to provide user database information and user authentication data. Each WLAN can maintain its own unique AAA configuration.
Page 185 Wireless Configuration Figure 6-21 Authentication, Authorization, and Accounting (AAA) screen 2. Refer to the following information listed for each existing Radio QoS policy: AAA Policy Displays the name assigned to the AAA policy when it was initially created. the name cannot be edited within a listed profile. Accounting Packet Displays the accounting type set for the AAA policy.
Page 186: Association Acl
Motorola Solutions AP-6511 Access Point System Reference Guide 6.5 Association ACL An Association ACL is a policy-based Access Control List (ACL) that either prevents or allows wireless clients from connecting to a WLAN. An Association ACL affords a system administrator the ability to grant or restrict client access by specifying a wireless client MAC address or range of MAC addresses to either include or exclude from connectivity.
Page 187: Association Acl Deployment Considerations
Wireless Configuration Figure 6-23 Association Access Control List (ACL) screen 3. Select the + Add Row button to add an association ACL template that requires configuration. 4. Set the following parameters for the creation or modification of the Association ACL: Association ACL If creating an new Association ACL, provide a name specific to its function.
Page 188 Motorola Solutions AP-6511 Access Point System Reference Guide • Motorola Solutions recommends using the Association ACL screen strategically to name and configure ACL policies meeting the requirements of the particular WLANs they may map to. However, be careful not to name ACLs after specific WLANs, as individual ACL policies can be used by more than one WLAN.
Page 189: Smart Rf Policy
Wireless Configuration 6.6 Smart RF Policy Self Monitoring At Run Time RF Management (Smart RF) is a Motorola innovation designed to simplify RF configurations for new deployments, while (over time) providing on-going deployment optimization radio performance improvements. A Smart RF policy can reduce deployment costs by scanning the RF environment to determine the best channel and transmit power configuration for each managed radio.
Page 190 Motorola Solutions AP-6511 Access Point System Reference Guide Figure 6-24 Smart RF Policy screen 2. Refer to the following configuration data for existing Smart RF policies: Smart RF Policy Displays the name assigned to the Smart RF policy when it was initially created.
Page 191 Auto Assign Sensor Select the radio button to enable an AP-651 to auto assign a sensor radio for neighbor activity monitoring within the AP-6511 Smart RF supported network. Interference Select the radio button to enable Interference Recovery when radio...
Page 192 Motorola Solutions AP-6511 Access Point System Reference Guide Coverage Hole Select the radio button to enable Coverage Hole Recovery when a radio Recovery coverage hole is detected within the Smart RF supported radio coverage area. When coverage hole is detected, Smart RF first determines the power increase needed based on the signal to noise ratio for a client as seen by the Access Point radio.
Page 193 Wireless Configuration Figure 6-26 Smart RF Channel and Power screen NOTE: The Power Settings and Channel Settings parameters are only enabled when Custom is selected as the Sensitivity setting from the Basic Configuration screen. 8. Refer to the Power Settings to define Smart RF recovery settings for either the selected 5.0 GHz (802.11a) or 2.4 GHz (802.11bg) radio.
Page 194 Motorola Solutions AP-6511 Access Point System Reference Guide 9. Set the following Channel Settings for the 5.0 GHz and 2.4 GHz radio bands: 5.0 GHz Channels Use the Select drop-down menu to select the 5 GHz channels used in Smart RF scans.
Page 195 Wireless Configuration Figure 6-27 Smart RF Advanced Configuration screen - Neighbor Recovery tab Power Hold Time Defines the minimum time between two radio power changes during neighbor recovery. Set the time in either Seconds (0 - 3,600), Minutes (0 - 60) or Hours (0 - 1).
Page 196 Motorola Solutions AP-6511 Access Point System Reference Guide Figure 6-28 Smart RF Advanced Configuration screen - Interference Recovery tab 16.Set the following Interference Recovery parameters: Interference Select the radio button to allow the Smart RF policy to scan for excess interference from supported radio devices.
Page 197 Wireless Configuration 17.Select to update the Smart RF Interference Recovery settings for this policy. Select Reset to revert to the last saved configuration. 18.Select the Coverage Hole Recovery tab. Figure 6-29 Smart RF Advanced Configuration screen - Coverage Hole Recovery tab 19.Set the following Coverage Hole Recovery for 5.0 GHz and 2.4 GHz parameters:...
Page 198: Smart Rf Configuration And Deployment Considerations
Motorola Solutions AP-6511 Access Point System Reference Guide 20.Select to update the Smart RF Coverage Hole Recovery settings for this policy. Select Reset to revert to the last saved configuration. 6.6.1 Smart RF Configuration and Deployment Considerations  Smart RF Policy...
Page 199: Chapter 7 Profile Configuration
The configuration parameters within a profile are based on the hardware model the profile was created to support. An AP-6511 supports both default and user defined profiles implementing new features or updating existing parameters to groups of Access Points. The central benefit of a profile is its ability to update devices collectively without having to modify individual device configurations.
Page 200 Adoption Policy Displays the AP-6511 adoption policy applied to this profile. At adoption, an AP solicits and receives multiple adoption responses from controllers available on the network. These adoption responses contain preference and loading policy information the AP uses to select the optimum controller for adoption.
Page 201 Profile Configuration • General Profile Configuration • Profile Interface Configuration • Profile Network Configuration • Profile Security Configuration • Profile Services Configuration • Profile Management Configuration • Miscellaneous Profile Configuration...
Page 202: General Profile Configuration
Network Time Protocol (NTP) manages time and/or network clock synchronization within the network. NTP is a client/server implementation. The AP-6511 periodically synchronizes its clock with a master clock (an NTP server). For example, the AP-6511 resets its clock to 07:04:59 upon reading a time of 07:04:59 from its designated NTP server.
Page 203: General Profile Configuration And Deployment Considerations
Before defining a general profile configuration, refer to the following deployment guidelines to ensure the configuration is optimally effective: • A default profile is applied automatically to an AP-6511, and default AP profiles are applied to APs discovered and adopted by a controller.
Page 204: Profile Interface Configuration
AP-6511 Access Point. An AP-6511 requires its Virtual Interface be configured for layer 3 (IP) access or layer 3 service on a VLAN. A Virtual Interface defines which IP address is associated with each VLAN ID the Access Point is connected If the profile is configured to support an Access Point radio, an additional Radios option is available, unique to the Access Point’s radio configuration.
Page 205 Profile Configuration Figure 7-3 Profiles Ethernet Ports screen 4. Refer to the following to assess port status and performance: Name Displays the physical port name reporting runtime data and statistics. Supported ports vary depending model. Type Displays the physical port type. Cooper is used on RJ45 Ethernet ports and Optical materials are used on fiber optic gigabit Ethernet ports.
Page 206 Motorola Solutions AP-6511 Access Point System Reference Guide Tag Native VLAN A green checkmark defines the native VLAN as tagged. A red “X” defines the native VLAN as untagged. When a frame is tagged, the 12 bit frame VLAN ID is added to the 802.1Q header so upstream Ethernet devices know which VLAN...
Page 207 Profile Configuration Speed Select the speed at which the port can receive and transmit the data. Select either 10 Mbps, 100 Mbps, 1000 Mbps. Select either of these options to establish a 10, 100 or 1000 Mbps data transfer rate for the selected half duplex or full duplex transmission over the port.
Page 208 Motorola Solutions AP-6511 Access Point System Reference Guide Tag Native VLAN Select the radio button to tag the native VLAN. The IEEE 802.1Q specification is supported for tagging frames and coordinating VLANs between devices. IEEE 802.1Q adds four bytes to each frame identifying the VLAN ID for upstream devices that the frame belongs.
Page 209: Virtual Interface Configuration
Profile Configuration 11.Refer to the Access Control field. As part of the port’s security configuration, Inbound IP and MAC address firewall rules are required. Use the Inbound IP Firewall Rules Inbound MAC Firewall Rules drop-down menus to select the firewall rules to apply to this profile’s Ethernet port configuration. The firewall inspects IP and MAC traffic flows and detects attacks typically not visible to traditional wired firewall appliances.
Page 210 Motorola Solutions AP-6511 Access Point System Reference Guide 1. Select Configuration > Profiles > Interface. 2. Expand the Interface menu to display its submenu options. 3. Select Virtual Interfaces. Figure 7-6 Virtual Interfaces screen 4. Review the following parameters unique to each virtual interface configuration:...
Page 211 IP Addresses field: Enable Zero The AP-6511 can use Zero Config for IP assignments on an individual virtual Configuration interface basis. Select Primary to use Zero Config as the designated means of providing an IP address, this eliminates the means to assign one manually.
Page 212 Motorola Solutions AP-6511 Access Point System Reference Guide Use DHCP to obtain Select this option to allow DHCP to obtain a default gateway address, and DNS Gateway/DNS resource for one virtual interface. This setting is disabled by default and only Servers available when the Use DHCP to Obtain IP option is selected.
Page 213: Access Point Radio Configuration
 Profile Interface Configuration An AP-6511 model Access Point can have its radio configurations modified by a connected controller once its radios have successfully associated to the network. Take care not to modify an Access Point’s configuration using its resident Web UI, CLI or SNMP interfaces when managed by a profile, or risk the Access Point having a configuration independent from the profile until the profile can be uploaded to the Access Point once again.
Page 214 4. Review the following radio configuration data to determine whether a radio configuration requires modification to better support the network: Name Displays whether the reporting AP-6511 radio is radio 1 or radio 2. Type Displays the type of radio housed by each listed Access Point.
Page 215 Profile Configuration 5. If required, select a radio configuration and select the Edit button to modify its configuration. Figure 7-10 Access Point Radio - Radio Settings tab Radio Settings tab displays by default. 6. Define the following radio configuration parameters from within the Properties field: Description...
Page 216 (isotropically), and has no losses. Although the gain of an antenna is directly related to its directivity, its gain is a measure that takes into account the efficiency of the antenna as well as its directional capabilities. Motorola Solutions recommends that only a professional installer set the antenna gain.
Page 217 Indoors. Max Clients Use the spinner control to set a maximum permissible number of clients to connect with this AP-6511 radio. The available range is between 1- 128. 8. Set the following profile WLAN Properties for the selected Access Point radio.
Page 218 Motorola Solutions AP-6511 Access Point System Reference Guide RTS Threshold Specify a Request To Send (RTS) threshold (between 1 - 2,347 bytes) for use by the WLAN's adopted Access Point radios. RTS is a transmitting station's signal that requests a Clear To Send (CTS) response from a receiving client. This RTS/ CTS procedure clears the air where clients are contending for transmission time.
Page 219 Profile Configuration Figure 7-11 Access Point Radio - WLAN Mapping screen 10.Refer to the WLAN/BSS Mappings field to set WLAN BSSID assignments for an existing Access Point deployment. Administrators can assign each WLAN its own BSSID. If using a single-radio access point, there are 8 BSSIDs available.
Page 220 Motorola Solutions AP-6511 Access Point System Reference Guide Figure 7-12 Access Point Radio - Advanced Settings screen 13.Refer to the Aggregate MAC Protocol Data Unit (A-MPDU) field to define how MAC service frames are aggregated by the Access Point radio.
Page 221 Client Count Weight Sets the client load per Access Point radio between 0 - 10. Motorola Solutions recommends considering the client load on an Access Point before defining its radio configuration.
Page 222: Profile Interface Deployment Considerations
• When changing from a default DHCP address to a fixed IP address, set a static route first. This is critical when the AP-6511 is being accessed from a subnet not directly connected to the Access Point and the default route was set from DHCP.
Page 223: Profile Network Configuration
DNS is supported on an AP-6511 by dedicating DNS server resources. As a resource is accessed (using human-friendly hostnames), it’s possible to access the resource even if the underlying machine friendly notation name changes.
Page 224: Arp
Motorola Solutions AP-6511 Access Point System Reference Guide Figure 7-13 DNS screen 4. Provide a default Domain Name used when resolving DNS names. The name cannot exceed 64 characters. 5. Set the following DNS configuration data: Enable Domain Select the radio button to enable DNS. When enabled, human friendly domain Lookup names can be converted into numerical IP destination addresses.
Page 225 Profile Configuration address as its own returns a reply so indicating. ARP updates the ARP cache for future reference and then sends the packet to the MAC address that replied. To define an ARP supported configuration: 1. Select Configuration > Profiles >...
Page 226: Quality Of Service (Qos)
Select Reset to revert to the last saved configuration. 7.3.3 Quality of Service (QoS)  Profile Network Configuration The AP-6511 uses different Quality of Service (QoS) screens to define WLAN and device radio QoS configurations. The Configuration > Profiles >...
Page 227: Static Routes
Profile Configuration 4. Set the following parameters for IP DSCP mappings for untagged frames: DSCP Lists the DSCP value as a 6-bit parameter in the header of every IP packet used for packet classification. 802.1p Priority Assign a 802.1p priority as a 3-bit IP precedence value in the Type of Service field of the IP header used to set the priority.
Page 228: Forwarding Database
Motorola Solutions AP-6511 Access Point System Reference Guide Figure 7-16 Static Routes screen 4. Select Add Row + as needed to include single rows in the static routes table. 5. Add IP addresses and network masks in the Network column.
Page 229: Bridge Vlan
Profile Configuration Figure 7-17 Forwarding Database screen 4. Define a Bridge Aging Time between 0, 10-1,000,000 seconds. The aging time defines the length of time an entry will remain in the bridge’s forwarding table before being deleted due to lack of activity. If an entry replenishments a destination generating continuous traffic, this timeout value will never be invoked.
Page 230 Motorola Solutions AP-6511 Access Point System Reference Guide For example, say several computers are used into conference room X and some into conference Y. The systems in conference room X can communicate with one another, but not with the systems in conference room Y.
Page 231: Miscellaneous Network Configuration
Profile Configuration Figure 7-18 Bridge VLAN screen - General Tab General tab displays by default. 6. If adding a new Bridge VLAN configuration, use the spinner control to define a VLAN ID between 1 - 4095. This value must be defined and saved before the General tab can become enabled and the remainder of the settings defined.
Page 232: Profile Network Configuration And Deployment Considerations
Motorola Solutions AP-6511 Access Point System Reference Guide When numerous DHCP leases are assigned, an administrator can better track the leases when hostnames are used instead of devices. To include a hostnames in DHCP request: 1. Select Configuration > Profiles >...
Page 233 Profile Configuration • Static routes require extensive planning and have a high management overhead. The more routers that exist in a network, the more routes needing to be configured. If you have N number of routers and a route between each router is needed, then you must configure N x N routes. Thus, for a network with nine routers, you’ll need a minimum of 81 routes (9 x 9 = 81).
Page 234: Profile Security Configuration
Motorola Solutions AP-6511 Access Point System Reference Guide 7.4 Profile Security Configuration An Access Point profile can have its own firewall policy, wireless client role policy, WEP shared key authentication and NAT policy applied. If an existing firewall, client role or NAT policy is unavailable, an...
Page 235 Authentication to access the network using this profile. The Access Point, other proprietary routers, and Motorola clients use the key algorithm to convert an ASCII string to the same hexadecimal number. Clients without Motorola adapters need to use WEP keys manually configured as hexadecimal numbers. This option is disabled by default.
Page 236: Setting The Certificate Revocation List (Crl) Configuration
Motorola Solutions AP-6511 Access Point System Reference Guide 7.4.2 Setting the Certificate Revocation List (CRL) Configuration  Profile Security Configuration A certificate revocation list (CRL) is a list of certificates that have been revoked or are no longer valid. A certificate can be revoked if the certificate authority (CA) had improperly issued a certificate, or if a private- key is compromised.
Page 237: Setting The Profile's Nat Configuration
IP masquerading which hides RFC1918 private IP addresses behind a single public IP address. NAT can provide a profile outbound Internet access to wired and wireless hosts connected to an AP-6511. Many-to-one NAT is the most common NAT technique for outbound Internet access. Many-to-one NAT allows an Access Point to translate one or more internal private IP addresses to a single, public facing, IP address assigned to a 10/100/1000 Ethernet port or 3G card.
Page 238 Motorola Solutions AP-6511 Access Point System Reference Guide Figure 7-22 Security NAT screen NAT Pool displays by default. The NAT Pool screen lists those NAT policies created thus far. Any of these policies can be selected and applied to a profile.
Page 239 Profile Configuration Figure 7-23 Security NAT Pool screen 7. If adding a new NAT policy or editing the configuration of an existing policy, define the following parameters: Name If adding a new NAT policy, provide a name to help distinguish it from others with similar configurations.
Page 240 Motorola Solutions AP-6511 Access Point System Reference Guide Figure 7-24 Static NAT screen 11.To map a source IP address from an internal network to a NAT IP address click the + Add Row button. Enter the internal network IP address in Source IP field.
Page 241 Profile Configuration Figure 7-25 NAT Destination screen 14.Select to create a new NAT destination configuration, Edit to modify the attributes of an existing configuration or Delete to permanently remove a NAT destination. Figure 7-26 NAT Destination Add screen 7-43...
Page 242 Motorola Solutions AP-6511 Access Point System Reference Guide 15.Set the following Destination configuration parameters: Static NAT creates a permanent, one-to-one mapping between an address on an internal network and a perimeter or external network. To share a Web server on a perimeter interface with the Internet, use static address translation to map the actual address to a registered IP address.
Page 243 Profile Configuration Figure 7-27 Dynamic NAT screen 18.Refer to the following to determine whether a new Dynamic NAT configuration requires creation, edit or deletion: Source List ACL Lists an ACL name to define the packet selection criteria for the NAT configuration.
Page 244 Motorola Solutions AP-6511 Access Point System Reference Guide Figure 7-28 Source ACL List screen 20.Set the following to define the Dynamic NAT configuration: Source List ACL Use the drop-down menu to select an ACL name to define the packet selection criteria for NAT. NAT is applied only on packets which match a rule defined in the access-list.
Page 245: Profile Security Configuration And Deployment Considerations
Profile Configuration 7.4.4 Profile Security Configuration and Deployment Considerations  Profile Security Configuration Before defining a profile’s security configuration, refer to the following deployment guidelines to ensure the profile configuration is optimally effective: • Ensure the contents of the Certificate Revocation List are periodically audited to ensure revoked certificates remained quarantined or validated certificates are reinstated.
Page 246: Profile Services Configuration
A captive portal is guest access policy for providing guests temporary and restrictive access to the AP-6511 managed network. The primary means of securing such guest access is a hotspot. A captive portal policy’s hotspot configuration provides secure authenticated access using a standard Web browser.
Page 247: Profile Services Configuration And Deployment Considerations
Profile Configuration to the wireless network. Once logged into the hotspot, additional Agreement, Welcome and Fail pages provide the administrator with a number of options on the hotspot’s screen flow and user appearance. Either select an existing captive portal policy, use the default captive portal policy or select the Create link to create a new captive portal configuration that can be applied to this profile.
Page 248: Profile Management Configuration
Motorola Solutions AP-6511 Access Point System Reference Guide 7.6 Profile Management Configuration The AP-6511 has mechanisms to allow/deny management access to the network for separate interfaces and protocols (HTTP, HTTPS, Telnet, SSH or SNMP). These management access configurations can be applied strategically to profiles as resource permissions dictate.
Page 249 Profile Configuration 7. Refer to the Management Policy field to select or set a management configuration for use with this profile. A default management policy is also available if no existing policies are usable. Use the drop-down menu to select an existing management policy to apply to this profile. If no management policies exist meeting the data access requirements of this profile, select the Create icon...
Page 250 Motorola Solutions AP-6511 Access Point System Reference Guide 9. Refer to the System Event Messages field to define how system messages are logged and forwarded on behalf of the profile. Select the Enable System Events radio button to allow the profile to capture system events and append them to a log file.
Page 251: Profile Management Configuration And Deployment Considerations
Profile Configuration 13.Use the parameters within the Automatic Adopted AP Firmware Upgrade field to define an automatic firmware configuration. Enable Controller Select this option to enable adopted Access Point radios to upgrade to a Upgrade of AP Firmware newer firmware version using its associated controller’s most recent firmware file for that AP model.
Page 252 • Define profile management access configurations providing both encryption and authentication. Management services like HTTPS, SSH and SNMPv3 should be used when possible, as they provide data privacy and authentication. • Motorola Solutions recommends SNMPv3 be used for management profile configurations, as it provides both encryption, and authentication. 7-54...
Page 253: Miscellaneous Profile Configuration
This is the RADIUS NAS port ID attribute which identifies the device port where a RADIUS message originates. 7. Select the Turn on LEDs option to keep the AP-6511’s functioning as normal. Some deployments (hospitals for example) prefer to keep an Access Point’s LED from illuminating, so consider this option when creating the profile configuration. 7-55...
Page 254 Motorola Solutions AP-6511 Access Point System Reference Guide 8. Select to save the changes made to the profile’s Miscellaneous configuration. Select Reset to revert to the last saved configuration. 7-56...
Page 255: Chapter 8 Security Configuration
There are multiple dimensions to consider when addressing the security of an AP-6511 managed network, including: •...
Page 256: Wireless Firewall
A Firewall is a mechanism enforcing access control, and is considered a first line of defense in protecting proprietary information within the Motorola wireless network. The means by which this is accomplished varies, but in principle, a Firewall can be thought of as mechanisms both blocking and permitting data traffic within the wireless network.
Page 257 Security Configuration Figure 8-1 Wireless Firewall screen 2. Refer to the following configuration data for existing wireless Firewall policies: Firewall Policy Displays the name assigned to the Wireless Firewall policy when it was initially created. the name cannot be modified as part of the edit process. Status Displays a green check mark if the Wireless Firewall policy has been enabled.
Page 258 Motorola Solutions AP-6511 Access Point System Reference Guide Figure 8-2 Wireless Firewall Policy Configuration screen 5. Refer to the Enable Firewall radio buttons to define the Firewall as either Enabled or Disabled. The Firewall is enabled by default. If disabling the Firewall, a confirmation prompt displays stating NAT, wireless hotspot, proxy ARP, deny- static-wireless-client and deny-wireless-client sending not permitted traffic excessively will be disabled.
Page 259 Security Configuration IPMAC Conflict Select this option to log and act upon detected IPMAC conflicts. These Enable occur when removing a device from the network and attaching another using the same IP address. IPMAC Conflict When enabled, use the drop-down menu to set the logging level (Error, Logging Warning, Notification, Information or Debug) if an attack is detected.
Page 260: Configuring Ip Firewall Rules
Motorola Solutions AP-6511 Access Point System Reference Guide Stateless TCP Flow Define a flow timeout value in either Seconds (1 - 32,400), Minutes (1 - 540) or Hours (1 - 9). The default setting is 90 seconds. Stateless FIN/RESET Define a flow timeout value in either Seconds (1 - 32,400), Minutes Flow (1 - 540) or Hours (1 - 9).
Page 261 Security Configuration IP based Firewall rules are specific to source and destination IP addresses and the unique rules and precedence orders assigned. Both IP and non-IP traffic on the same Layer 2 interface can be filtered by applying an IP ACL. NOTE: Once defined, a set of IP Firewall rules must be applied to an interface to be a functional filtering tool.
Page 262 Motorola Solutions AP-6511 Access Point System Reference Guide Figure 8-4 IP Firewall Rules Add screen 4. If adding a new rule, provide a name up to 32 characters in length. 5. Define the following parameters for the IP Firewall Rule: Allow Every IP Firewall rule is made up of matching criteria rules.
Page 263: Configuring Mac Firewall Rules
Security Configuration Action The following actions are supported: Log—Events are logged for archive and analysis. Mark—Modifies certain fields inside the packet and then permits them. Therefore, mark is an action with an implicit permit. - VLAN 802.1p priority. - DSCP bits in the IP header. - TOS bits in the IP header.
Page 264 Motorola Solutions AP-6511 Access Point System Reference Guide Figure 8-5 MAC Firewall Rules screen 2. Select + Add Row to create a new MAC Firewall Rule. Select an existing policy and click Edit to modify the attributes of the rule’s configuration.
Page 265 Security Configuration 4. If adding a new MAC Firewall Rule, provide a name up to 32 characters in length. 5. Define the following parameters for the IP Firewall Rule: Allow Every IP Firewall rule is made up of matching criteria rules. The action defines what to do with the packet if it matches the specified criteria.
Page 266: Firewall Deployment Considerations
Motorola Solutions AP-6511 Access Point System Reference Guide 8.1.4 Firewall Deployment Considerations  Configuring a Firewall Policy Before defining a Firewall supported configuration, refer to the following deployment guidelines to ensure the configuration is optimally effective: • Firewalls implement access control policies, so if you don't have an idea of what kind of access to allow or deny, a Firewall is of little value.
Page 267: Intrusion Prevention
The unauthorized AP can then steal user credentials from the client, launch a man-in-the middle attack or take control of wireless clients to launch denial-of-service attacks. NOTE: WIPS support is not supported natively by an AP-6511 Access Point and must be deployed using an external WIPS server resource.
Page 268 Motorola Solutions AP-6511 Access Point System Reference Guide Figure 8-7 Wireless IPS screen 2. Refer to the following configuration data for existing Wireless IPS policies: WIPS Policy Displays the name assigned to the WIPS policy when it was initially created. The name cannot be modified as part of the edit process.
Page 269 Security Configuration Figure 8-8 WIPS Policy screen - Settings tab 4. If creating a new WIPS Policy, assign it name to help differentiate it from others that may have a similar configuration. The policy name cannot exceed 64 characters. The name cannot be modified as part of the edit process.
Page 270 Motorola Solutions AP-6511 Access Point System Reference Guide Figure 8-9 WIPS Events screen - Excessive tab The Excessive tab lists a series of events that can impact the performance of the network. An administrator can enable or disable the filtering of each listed event and set the thresholds required for the generation of the event notification and filtering action applied.
Page 271 Security Configuration Filter Expiration Set the duration the anomaly causing client is filtered. This creates a special ACL entry and frames coming from the client are dropped. The default setting is 0 seconds. This value is applicable across the RF Domain. If a station is detected performing an attack and is filtered by an Access Point, the information is passed to the domain controller.
Page 272 Motorola Solutions AP-6511 Access Point System Reference Guide 13.Set the configurations of the following MU Anomaly Events configurations: Name Displays the name of the MU Anomaly event. This column lists the event being tracked against the defined thresholds set for interpreting the event as excessive or permitted.
Page 273 Security Configuration Figure 8-11 WIPS Events screen - AP Anomaly tab AP Anomaly events are suspicious frames sent by a neighboring APs. Use this screen to determine whether an event is enabled for tracking. 16.Set the configurations of the following MU Anomaly Events configurations: Name Displays the name of the MU Anomaly event.
Page 274 Motorola Solutions AP-6511 Access Point System Reference Guide Figure 8-12 WIPS Signatures screen The WIPS Signatures tab displays the following read-only configuration data: Name Lists the name assigned to each signature as it was created. A signature name cannot be modified as part of the edit process.
Page 275 Security Configuration Figure 8-13 WIPS Signatures Configuration screen 20.If adding a new WIPS signature, define a Name to distinguish it from others with similar configurations. The name cannot exceed 64 characters. 21.Set the following network address information for a new or modified WIPS Signature: Enable Signature Select the radio button to enable the WIPS signature for use with the profile.
Page 276: Intrusion Detection Deployment Considerations
• Is the detected Access Point properly configured according to your organization’s security policies? • Motorola Solutions recommends trusted and known Access Points be added to an sanctioned AP list. This will minimize the number of unsanctioned AP alarms received.
Page 277: Chapter 9 Services Configuration
Services Configuration The AP-6511 supports services providing guest user access and leased DHCP IP addresses to requesting clients. For more information, refer to the following: • Configuring Captive Portal Policies • Setting the DHCP Server Configuration...
Page 278: Configuring Captive Portal Policies
Hotspot authentication does not provide end-user data encryption, but it can be used with static WEP, WPA- PSK or WPA2-PSK encryption. AN AP-6511 Access Point supports RAIDUS authentication, but does not have an onboard RADIUS server for local user authentication.
Page 279 Lists each policy’s hosting mode as either Internal (Self) or External Server Mode (centralized). If the mode is Internal (Self), the AP-6511 is maintaining the captive portal internally, while External (centralized) means the captive portal is being supported on an external server.
Page 280 Motorola Solutions AP-6511 Access Point System Reference Guide Figure 9-2 Captive Portal Policy Basic Configuration screen...
Page 281 Connection Mode Select either the HTTP or HTTPS radio button to define the connection medium. Motorola Solutions recommends the use of HTTPs, as is offers additional data protection HTTP cannot provide. The default value however is HTTP. Simultaneous Users...
Page 282 Motorola Solutions AP-6511 Access Point System Reference Guide 7. Set the following Access parameters to define how hotspot access is permitted, RADIUS lookup information and whether the hotspot’s login pages contain agreement terms that must be accepted before access is granted to resources:...
Page 283 Services Configuration Figure 9-3 Captive Portal DNS Whitelist screen b. Provide a numerical IP address or Hostname within the DNS Entry parameter for each destination IP address or host included in the Whitelist. c. Use the Match Suffix parameter to match any hostname or domain name as a suffix. The default setting is disabled.
Page 284 Motorola Solutions AP-6511 Access Point System Reference Guide Syslog Host Use the drop-down menu to determine whether an IP address or a host name is used as a syslog host. The IP address or host name of an external server resource is required to route captive portal syslog events to that destination.
Page 285 Services Configuration Figure 9-4 Captive Portal Policy Basic Web Page screen The Login screen prompts the user for a username and password to access the hotspot and proceed to either the Terms and Conditions page (if used) or the Welcome page. The Terms and Conditions page provides conditions that must be agreed to before wireless client guest access is provided for the captive portal policy.
Page 286 Motorola Solutions AP-6511 Access Point System Reference Guide 13.Provide the following required information if creating Basic Login, Agreement, Welcome Fail pages maintained internally (when the Basic radio button is selected as the Web Page Source). The Basic (internally hosted) captive portal is the default setting.
Page 287 Select Reset to revert the screen back to its last saved configuration. 18.Select Advanced to use a custom directory of Web pages copied to and from the AP-6511 for captive portal support. 9-11...
Page 288 The following parameters are required: Protocol - Select the file transfer method used between the AP-6511 and the resource maintaining the custom captive portal files. Use the spinner control to set the port used on the external Server Port - maintaining the custom captive portal files.
Page 289: Captive Portal Deployment Considerations
For private access applications, Motorola Solutions recommends WPA2 (with a strong passphrase) be enabled to provide strong encryption. • Motorola Solutions recommends guest user traffic be assigned a dedicated VLAN, separate from other internal networks.
Page 290: Setting The Dhcp Server Configuration
Motorola Solutions AP-6511 Access Point System Reference Guide 9.2 Setting the DHCP Server Configuration Dynamic Host Configuration Protocol (DHCP) allows hosts on an IP network to request and be assigned IP addresses as well as discover information about the network where they reside. Each subnet can be configured with its own address pool.
Page 291: Defining Dhcp Pools
Services Configuration 2. Review the following DHCP server configurations (at a high level) to determine whether a new server policy requires creation, an existing policy requires modification or an existing policy requires deletion: DHCP Server Policy Lists the name assigned to each DHCP server policy when it was initially created.
Page 292 Motorola Solutions AP-6511 Access Point System Reference Guide Figure 9-8 DHCP Server Policy screen - DHCP Pool tab 2. Review the following DHCP pool configurations to determine if an existing pool can be used as is, a new one requires creation or edit, or a pool requires deletion: DHCP Pool Displays the name assigned to the network pool when created.
Page 293 Services Configuration Boot File Boot files (Boot Protocol) are used to boot remote systems over the network. BOOTP messages are encapsulated inside UDP messages so requests and replies can be forwarded. Each DHCP network pool can use a different file as needed. Lease Time If a lease time has been defined for a listed network pool, it displays in an interval between 1 - 9,999,999 seconds.
Page 294 Motorola Solutions AP-6511 Access Point System Reference Guide 4. Set the following General parameters from within the Basic Settings tab: Network Pool If adding a new pool, a name is required. The pool is the range of IP addresses defined for DHCP assignment or lease. The name assigned cannot be modified as part of the edit process.
Page 295 Services Configuration 6. Select the Static Bindings tab from within the DHCP Pools screen. A binding is a collection of configuration parameters, including an IP address, associated with, or bound to, a DHCP client. Bindings are managed by DHCP servers. DHCP bindings automatically map a device MAC address to an IP address using a pool of DHCP supplied addresses.
Page 296 Motorola Solutions AP-6511 Access Point System Reference Guide Figure 9-11 Static Bindings Add screen 9. Define the following General parameters required to complete the creation of the static binding configuration: Client Identifier Use the drop-down menu whether the client is using a...
Page 297 Services Configuration Boot File Enter the name of the boot file used with this pool. Boot files (Boot Protocol) can be used to boot remote systems over the network. BOOTP messages are encapsulated inside UDP messages so requests and replies can be forwarded.
Page 298 Motorola Solutions AP-6511 Access Point System Reference Guide 14.Select when completed to update the static bindings configuration. Select Reset to revert the screen back to its last saved configuration. 15.Select the Advanced tab to define additional NetBIOS and Dynamic DNS parameters.
Page 299: Defining Dhcp Server Global Settings
Services Configuration 17.Set the following NetBIOS parameters for the network pool: NetBIOS Node Type Set the NetBIOS Node Type used with this pool. The following types are available: Broadcast - Uses broadcasting to query nodes on the network for the owner of a NetBIOS name.
Page 300 Motorola Solutions AP-6511 Access Point System Reference Guide Figure 9-13 DHCP Server Policy screen - Global Settings tab 2. Set the following parameters within the Configuration field: Ignore BOOTP Select the checkbox to ignore BOOTP requests. BOOTP (boot protocol) requests Requests boot remote systems within the network.
Page 301: Dhcp Class Policy Configuration
Services Configuration 9.2.3 DHCP Class Policy Configuration The DHCP server assigns IP addresses to DHCP enabled wireless clients based on user class option names. Clients with a defined set of user class option names are identified by their user class name. The DHCP server can assign IP addresses from as many IP address ranges as defined by the administrator.
Page 302 Motorola Solutions AP-6511 Access Point System Reference Guide Figure 9-15 DHCP Class Name Add screen 3. If adding a new DHCP Class Name, assign a name representative of the device class supported. The DHCP user class name should not exceed 32 characters.
Page 303: Chapter 10 Management Access Policy Configuration
Management Access Policy Configuration The AP-6511 has mechanisms to allow/deny Management Access to the network for separate interfaces and protocols (HTTP, HTTPS, Telnet, SSH or SNMP). Management access can be enabled/disabled as required for unique policies. The Management Access functionality is not meant to function as an ACL (in routers or other firewalls), where administrators specify and customize specific IPs to access specific interfaces.
Page 304: Viewing Management Access Policies
Motorola Solutions AP-6511 Access Point System Reference Guide 10.1 Viewing Management Access Policies Management Access policies display in the lower left-hand side of the screen. Existing policies can updated as management permissions change, or new policies can be added as needed.
Page 305 Management Access Policy Configuration Figure 10-2 Management screen 3. Refer to the following Management Access policy parameters to discern whether these policies can be used as is, require modification or a new policy requires creation: A green check mark indicates device access is allowed using the protocol. A red X indicates device access is denied using the protocol.
Page 306: Adding Or Editing A Management Access Policy
Motorola Solutions AP-6511 Access Point System Reference Guide SNMPv 3 SNMP (Simple Network Management Protocol) exposes a device’s management data so it can be managed remotely. Device data is exposed as variables that can be accessed and modified. However, SNMP is generally used to monitor system performance and other parameters.
Page 307: Creating An Administrator Configuration
Management Access Policy Configuration 10.1.1.1 Creating an Administrator Configuration  Adding or Editing a Management Access Policy Use the Administrators tab to review existing administrators, their access medium and their administrative role within the network. New administrators can be added, existing administrative configurations modified or deleted as required.
Page 308 Motorola Solutions AP-6511 Access Point System Reference Guide Figure 10-4 Administrators screen 2. If creating a new administrator, enter a user name in the User Name field. This is a mandatory field for new administrators and cannot exceed 32 characters. Optimally assign a name representative of the user and role.
Page 309 Assign this role to someone who typically troubleshoots and debugs reported problems. The Help Desk manager typically runs troubleshooting utilities (like a sniffer), executes service commands, views/retrieves logs and reboots the AP-6511. Web User Select Web User to assign the administrator privileges needed to add users for captive portal authentication.
Page 310: Setting The Access Control Configuration
(HTTP, HTTPS, Telnet, SSH or SNMP). Access options can be either enabled or disabled as required. Motorola Solutions recommends disabling unused interfaces to reduce unnecessary security holes. The Access Control tab is not meant to function as an ACL (in routers or other firewalls), where you can specify and customize specific IPs to access specific interfaces.
Page 311 Management Access Policy Configuration 2. Set the following parameters required for Telnet access: Enable Telnet Select the checkbox to enable Telnet device access. Telnet provides a command line interface to a remote host over TCP. Telnet provides no encryption, but it does provide a measure of authentication. Telnet access is disabled by default.
Page 312: Setting The Authentication Configuration
Authentication tab from the Management Policy screen. Figure 10-6 Management Policy screen - Authentication tab 2. Set the following AP-6511 external resource settings to authenticate management access requests: Local Set to disabled to provide the AP-6511 and external RADIUS server resource for authentication requests.
Page 313: Setting The Snmp Configuration
 Adding or Editing a Management Access Policy The AP-6511 can use Simple Network Management Protocol (SNMP) to communicate with wireless devices. SNMP is an application layer protocol that facilitates the exchange of management information. SNMP enabled devices listen on port 162 (by default) for SNMP packets from the management server. SNMP uses read-only and read-write community strings as an authentication mechanism to monitor and configure supported devices.
Page 314 Motorola Solutions AP-6511 Access Point System Reference Guide Figure 10-7 Management Policy screen - SNMP tab 2. Enable or disable SNMPv2 and SNMPv3. Enable SNMPv2 Select the checkbox to enable SNMPv2 support. SNMPv2 provides device management using a hierarchical set of variables. SNMPv2 uses Get, GetNext, and Set operations for data management.
Page 315 Management Access Policy Configuration 3. Set the SNMP v1/v2 Community String configuration. Use the + Add Row function as needed to add additional SNMP v1/2 community strings, or select an existing community string’s radio button and select Delete icon to remove it. Community Define a public or private community designation.
Page 316: Snmp Trap Configuration
 Adding or Editing a Management Access Policy The AP-6511 can use SNMP trap receivers for fault notifications. SNMP traps are unsolicited notifications triggered by thresholds (or actions) on devices, and are therefore an important fault management tool. A SNMP trap receiver is the SNMP message destination. A trap is like a Syslog message, just over another protocol (SNMP).
Page 317: Management Access Deployment Considerations
SSH and SNMPv3 should be used when possible, as they provide both data privacy and authentication. • By default, SNMPv2 community strings on most devices are set to public for the read-only community string and private for the read-write community string. Legacy Motorola Solutions devices may use other community strings by default.
Page 318 Motorola Solutions AP-6511 Access Point System Reference Guide 10-16...
Page 319: Chapter 11 Diagnostics
Diagnostics An AP-6511’s resident diagnostic capabilities enable administrators to understand how devices are performing and troubleshoot issues impacting network performance. Performance and diagnostic information is collected and measured for anomalies causing a key processes to potentially fail. Numerous tools are available within the Diagnostics menu. Some allow event filtering, some enable log views and some allowing you to manage files generated when hardware or software issues are detected.
Page 320: Fault Management
Use the Configure Events screen to create filters for managing AP-6511 events. Events can be filtered based on severity, the module received, the source MAC of the event, the device MAC of the event and the MAC address of the wireless client.
Page 321 Diagnostics 2. Define the following Customize Event Filters for the Fault Management configuration: Severity Set the severity of the event being filtered. Select from the following: All Severities – All events are displayed irrespective of their severity Critical – Only critical events are displayed Error –...
Page 322 Motorola Solutions AP-6511 Access Point System Reference Guide Figure 11-2 Fault Management View Events screen Use the View Events screen to track and troubleshoot events using source and severity levels defined in the Configure events screen. 6. Refer to the following event parameters to assess nature and severity of the displayed event: Timestamp Displays the timestamp (time zone specific) when the event or fault occurred.
Page 323: Snapshots
Displays the factory encoded MAC address assigned to the device reporting the core event. System Name Lists the name assigned to each listed AP-6511 managed device. Type Displays the device type (model) of each device providing the core event. 11-5...
Page 324: Panic Snapshots
Motorola Solutions AP-6511 Access Point System Reference Guide 11.2.2 Panic Snapshots  Snapshots Refer to the Panic Snapshots screen to view panic dump files used to troubleshoot issues specific to the device on which it was generated. When necessary for issue evaluation, panic files can be sent to the support team to expedite issues with the reporting device.
Page 325: Advanced Diagnostics
Diagnostics 11.3 Advanced Diagnostics Refer to the Advanced UI Diagnostics to review and troubleshoot any potential issue with the resident User Interface (UI). The UI Diagnostics screen provides a large number of diagnostic tools to effectively identify and correct issues. Diagnostics can also be performed at the device level for connected clients. To access the UI diagnostics: 1.
Page 326 Motorola Solutions AP-6511 Access Point System Reference Guide 2. Use the NETCONF Viewer to review NETCONF information. NETCONF is a tag-based configuration protocol. Messages are exchanged using XML tags. Real Time NETCONF Messages area lists an XML representation of any message generated by the system.
Page 327: Chapter 12 Operations
Self Monitoring At Run Time RF Management (Smart RF) is a Motorola Solutions innovation designed to simplify RF configurations for new deployments, while (over time) providing on-going deployment optimization and radio performance improvements.
Page 328: Device Operations
Solutions Support Web site. If an Access Point’s (or its associated device’s) firmware is older than the version on the Web site, Motorola Solutions recommends updating to the latest firmware version for full feature functionality and optimal utilization. Additionally, selected devices can either have a primary or secondary firmware image applied or fallback back to a selected firmware image if an error were to occur in the update process.
Page 329 Operations Figure 12-1 Device Details screen Refer to the following to determine whether a firmware image needs to be updated for the selected device, or a device requires a restart or revert to factory default settings. Device MAC Displays the factory assigned hardware MAC address (in the banner of the screen) for the selected device.
Page 330 Motorola Solutions AP-6511 Access Point System Reference Guide Upgrade Status Displays the status of the last firmware upgrade performed for each listed device. for information on upgrading device firmware, see Upgrading Device Firmware on page 12-5. Show Startup Config Select this option (from the drop-down menu on the bottom of the screen) to display the startup configuration of the selected device.
Page 331: Upgrading Device Firmware
12.1.1.1 Upgrading Device Firmware  Managing Firmware and Config Files The AP-6511 has the ability to conduct firmware updates for managed devices. To update the firmware of a managed device: 1. Select a device from either the RF Domain or Network tabs.
Page 332: Managing File Transfers
12.1.2 Managing File Transfers  Device Operations Transfer files from a device to this AP-6511, to a remote server or from a remote server. An administrator can transfer logs, configurations and crash dumps. To administrate files for managed devices: 1. Select the Operations >...
Page 333 Select the source of the file transfer. Select Server to indicate the source of the file is a remote server. Select Access Point to indicate the source of the file is the AP-6511. File If the source is Access Point, enter the name of the file to be transferred.
Page 334: Using The File Browser
 Device Operations The AP-6511 maintains a File Browser enabling an administrator to review the files currently residing on any internal or external memory locations. Directories can be created and maintained for each File Browser location and folders and files can be moved and deleted as an administrator interprets necessary.
Page 335: Ap Upgrade
Create Folder button to implement. 4. Optionally, use the Delete Folder Delete File buttons to remove a folder or file from within the memory resource. 12.1.4 AP Upgrade  Device Operations To configure an AP upgrade for an AP-6511: 12-9...
Page 336 Available options are: All - All supported models are available to upgrade. AP6511 - Only AP-6511 models are available to upgrade. Scheduled Upgrade Time To perform the upgrade immediately, select Now. To schedule the upgrade to take place at a specified time, enter a date and time in the appropriate boxes.
Page 337 AP Image Type AP image types should be available to use during an upgrade. Available options are: AP6511 - Only AP-6511 models are available to upgrade. Enter a URL pointing to the location of available AP image files. Advanced Selecting Advanced will list additional options for AP image file location including protocol, host and path to the image files.
Page 338 Motorola Solutions AP-6511 Access Point System Reference Guide Displays the current upgrade status of each known Access Point. Possible State states include: • Waiting • Downloading • Updating Scheduled • Reboot • Rebooting Done • Cancelled • Done • No Reboot...
Page 339: Certificates
Operations 12.2 Certificates  Operations A certificate links identity information with a public key enclosed in the certificate. A certificate authority (CA) is a network authority that issues and manages security credentials and public keys for message encryption. The CA signs all digital certificates it issues with its own private key. The corresponding public key is contained within the certificate and is called a CA certificate.
Page 340 Motorola Solutions AP-6511 Access Point System Reference Guide Figure 12-7 Trustpoints screen Trustpoints screen displays for the selected MAC address. 12-14...
Page 341 Operations 2. Refer to the Certificate Details to review the certificate’s properties, self-signed credentials, validity period and CA information. 3. To optionally import a certificate, select the Import button from the Trustpoints screen. Figure 12-8 Import New Trustpoint screen 4. Define the following configuration parameters required for the Import of the trustpoint.
Page 342 Motorola Solutions AP-6511 Access Point System Reference Guide Port Use the spinner control to set the port. This option is not valid for cf, usb1, and usb2. IP Address Enter IP address of the server used to import the trustpoint. This option is not valid for cf, usb1, and usb2.
Page 343 Operations Protocol Select the protocol used for importing the target CA certificate. Available options include: • tftp • ftp • sftp • http • cf • usb1 • usb2 Port Use the spinner control to set the port. This option is not valid for cf, usb1, and usb2.
Page 344 Motorola Solutions AP-6511 Access Point System Reference Guide 10.Define the following configuration parameters required for the Import of the CRL: Trustpoint Name Enter the 32 character maximum name assigned to the target trustpoint signing the certificate. A trustpoint represents a CA/identity pair containing the identity of the CA, CA-specific configuration parameters, and an association with an enrolled identity certificate.
Page 345 Operations Figure 12-11 Import Signed Cert screen 13.Define the following configuration parameters required for the Import of the CA certificate: Certificate Name Enter the 32 character maximum name of the trustpoint with which the certificate should be associated From Network Select the From Network radio button to provide network address...
Page 346 Motorola Solutions AP-6511 Access Point System Reference Guide IP Address Enter IP address of the server used to import the signed certificate. This option is not valid for cf, usb1, and usb2. Hostname Provide the hostname of the server used to import the signed certificate. This option is not valid for cf, usb1, and usb2.
Page 347: Rsa Key Management
Operations Provide the complete URL to the location of the trustpoint. If needed, select Advanced to expand the dialog to display network address information to the location of the target trustpoint. The number of additional fields that populate the screen is also dependent on the selected protocol. Protocol Select the protocol used for exporting the target trustpoint.
Page 348 Motorola Solutions AP-6511 Access Point System Reference Guide Figure 12-13 RSA Keys screen Each key can have its size and character syntax displayed. Once reviewed, optionally generate a new RSA key, import a key from a selected device, export a key to a remote location or delete a key from a selected device.
Page 349 Key Size Use the spinner control to set the size of the key (between 1,024 - 2,048 bits). Motorola Solutions recommends leaving this value at the default setting of 1024 to ensure optimum functionality. 5. To optionally import a CA certificate, select the Import button from the RSA Keys screen.
Page 350 Motorola Solutions AP-6511 Access Point System Reference Guide Port Use the spinner control to set the port. This option is not valid for cf, usb1, and usb2. IP Address Enter IP address of the server used to import the RSA key. This option is not valid for cf, usb1, and usb2.
Page 351: Certificate Creation
Operations Protocol Select the protocol used for exporting the RSA key. Available options include: • tftp • ftp • sftp • http • cf • usb1 • usb2 Port Use the spinner control to set the port. This option is not valid for cf, usb1, and usb2.
Page 352 Motorola Solutions AP-6511 Access Point System Reference Guide Figure 12-17 Create Certificate screen 3. Define the following configuration parameters required to Create New Self-Signed Certificate: Certificate Name Enter the 32 character maximum name assigned to identify the name of the trustpoint associated with the certificate.
Page 353 RSA key. Use the spinner control to set the size of the key (between 1,024 - 2,048 bits). Motorola Solutions recommends leaving this value at the default setting of 1024 to ensure optimum functionality. For more...
Page 354: Generating A Certificate Signing Request
Motorola Solutions AP-6511 Access Point System Reference Guide 12.2.4 Generating a Certificate Signing Request  Certificates A certificate signing request (CSR) is a message from a requestor to a certificate authority to apply for a digital identity certificate. The CSR is composed of a block of encrypted text generated on the server the certificate will be used on.
Page 355 Create or use an existing key by selecting the appropriate radio button. Use the spinner control to set the size of the key (between 1,024 - 2,048 bits). Motorola Solutions recommends leaving this value at the default setting of 1024 to ensure optimum functionality.
Page 356 Motorola Solutions AP-6511 Access Point System Reference Guide 4. Set the following Certificate Subject Name parameters required for the creation of the certificate: Certificate Subject Select either the auto-generate radio button to automatically create the Name certificate's subject credentials or select user-defined to manually enter the credentials of the self signed certificate.
Page 357: Smart Rf
Within a well planned AP-6511 RF Domain, any associated radio should be reachable by at least one other radio. The Smart RF feature records signals received from its neighbors as well as signals from external, un- managed radios.
Page 358 Motorola Solutions AP-6511 Access Point System Reference Guide Figure 12-19 Smart RF screen 2. Refer to the following to determine whether Smart RF calibrations or interactive calibration is required. AP MAC Address Displays the hardware encoded MAC address assigned to each Access Point radio within the RF Domain.
Page 359 Operations Old Power Lists the transmit power assigned to each listed Access Point MAC address within this RF Domain. The power level may have been increased or decreased as part an Interactive Calibration process applied to this RF Domain. Compare this Old Power level against the Power value to right of it (in the table) to determine whether a new power level was warranted to compensate for a coverage hole.
Page 360 Motorola Solutions AP-6511 Access Point System Reference Guide Discard Discards the results of the Interactive Calibration without applying them to their respective devices. Commit Commits the Smart RF module Interactive Calibration results to their respective Access Point radios. 6. Select the Run Calibration option to initiate a calibration.
Page 361: Chapter 13 Statistics
Statistics This chapter describes the statistical information displayed by the AP-6511 GUI. Statistics can be exclusively displayed to validate active Access Points, their VLAN assignments and the current authentication and encryption schemes. Wireless client statistics are available for each connected client to provide an overview of client health.
Page 362: System Statistics
Motorola Solutions AP-6511 Access Point System Reference Guide 13.1 System Statistics System screen displays information about the different devices managed by the Access Point. Use this information to obtain an overall view of the state of the devices in the network. The data is organized as follows: •...
Page 363 Statistics Figure 13-1 System screen This screen displays fields supporting Device Health, RF Quality Index, Utilization, and Wireless Security. Device Health field displays a table showing the total number of devices in the network. The pie chart illustrates a proportional view of how many devices are functional and are currently online. Green indicates online devices and the red offline devices.
Page 364 Motorola Solutions AP-6511 Access Point System Reference Guide This area displays the following information: Worst 5 Displays the lowest quality indices in the wireless network. The values can be interpreted as: • 0-50 – Poor quality • 50-75 – Medium quality •...
Page 365: Inventory
Statistics 13.1.2 Inventory  System Statistics The Inventory screen displays information about the physical hardware managed by the AP-6511. Use this information to assess the overall performance of managed devices. To display the inventory statistics: 1. Select the Statistics menu from the Web UI.
Page 366 Motorola Solutions AP-6511 Access Point System Reference Guide Wireless Clients field displays the total number of wireless clients. This Top Client Count table lists the top in terms of the number of wireless clients adopted: Top Client Count Displays the number of wireless clients adopted by the RF Domain.
Page 367: Rf Domain
AP-6511’s RF domain. This includes the AP-6511’s health and device inventory, wireless clients and Smart RF feature. Use the information to obtain an overall view of the performance of the selected RF Domain and troubleshoot the domain or any member device.
Page 368: Ap Detection
Motorola Solutions AP-6511 Access Point System Reference Guide Figure 13-3 Access Points screen Access Point Displays the name of the Access Point. AP MAC Address Displays the MAC address of the Access Point. Type Displays the Access Point type. Mode Displays AP’s the mode of operation, either WLAN or sensor.
Page 369: Wireless Clients
Statistics Figure 13-4 AP Detection screen The screen provides the following information: Unsanctioned Displays the MAC address of the detected rogue AP. Reporting AP Displays the MAC address of the AP, which detected the rogue AP. SSID Displays the Service Set ID (SSID) of the network to which the rogue AP belongs.
Page 370: Wireless Lans
Motorola Solutions AP-6511 Access Point System Reference Guide 2. Select the RF Domain tab from the left navigation pane and then select the RF Domain node. 3. Select Wireless Clients. Figure 13-5 Wireless Clients screen This screen provides the following information:...
Page 371 Statistics To view the wireless LAN statistics: 1. Select the Statistics menu from the Web UI. 2. Select the RF Domain tab from the left navigation pane and then select the RF Domain node. 3. Select Wireless LANs. Figure 13-6 Wireless LAN screen This screen displays the following information: WLAN Name Displays a text-based name used to identify the WLAN.
Page 372: Radio
Motorola Solutions AP-6511 Access Point System Reference Guide Rx Bytes Displays the average number of packets (in bytes) received on the selected WLAN. Rx User Data Displays the average data rate per user for packets received. Rate 13.2.5 Radio ...
Page 373: Radio Status
Statistics 13.2.5.1 Radio Status To view the RF Domain radio statistics: 1. Select the Statistics menu from the Web UI. 2. Select the RF Domain tab from the left navigation pane and select the RF Domain node. 3. Expand Radios. 4.
Page 374: Radio Rf Statistics
Motorola Solutions AP-6511 Access Point System Reference Guide 13.2.5.2 Radio RF Statistics To view the RF Domain radio statistics: 1. Select the Statistics menu from the Web UI. 2. Select the RF Domain tab from the left navigation pane and select the RF Domain node.
Page 375 Statistics Traffic Index Displays the traffic utilization index of the radio. This is expressed as an integer value. 0–20 indicates very low utilization, and 60 and above indicate high utilization. RF Quality Index Displays an integer that indicates overall RF performance. The RF quality indices are: •...
Page 376: Radio Traffic Statistics
Motorola Solutions AP-6511 Access Point System Reference Guide 13.2.5.3 Radio Traffic Statistics To view the RF Domain radio statistics: 1. Select the Statistics menu from the Web UI. 2. Select the RF Domain tab from the left navigation pane and select the RF Domain node.
Page 377: Smart Rf
Statistics Tx Dropped Displays the total number of transmitted packets which have been dropped by each radio. This includes all user data as well as any management overhead packets that were dropped. Rx Errors Displays the total number of received packets which contained errors for each radio.
Page 378: Wips
 RF Domain Motorola’s Wireless Intrusion Protection Software (WIPS) monitors for unauthorized rogue Access Points. Unauthorized attempt to access the WLAN is generally accompanied by anomalous behavior as intruding wireless clients trying to find network vulnerabilities. Basic forms of this behavior can be monitored and reported without a dedicated WIPS.
Page 379: Wips Events
Statistics 13.2.7.1 WIPS Events  WIPS The WIPS Events screen provides details about unauthorized rogue Access Points. To view the rogue access point statistics: 1. Select the Statistics menu from the Web UI. 2. Select the RF Domain tab from the left navigation pane and then select the RF Domain node.
Page 380: Historical Data
Motorola Solutions AP-6511 Access Point System Reference Guide Figure 13-12 Captive Portal screen This screen provides the following information: Client MAC Displays the MAC address of the wireless client. Client IP Displays the IP address of the wireless client. Captive Portal Displays whether the captive portal is enabled by default.
Page 381: Viewing Smart Rf History
Statistics 13.2.9.1 Viewing Smart RF History  Historical Data To view the Smart RF history: 1. Select the Statistics menu from the Web UI. 2. Select the RF Domain tab from the left navigation pane and then select the RF Domain node.
Page 382: Access Point Statistics
Motorola Solutions AP-6511 Access Point System Reference Guide 13.3 Access Point Statistics  Statistics The Access Point Statistics screen displays an overview of the APs created for use within the network. Use this data as necessary to check all the APs that are active, their VLAN assignments and the current authentication and encryption schemes.
Page 383 Statistics Figure 13-14 Access Point - Health screen Device Details area displays the following information: Hostname Displays the AP’s unique name. A hostname is assigned to a device connected to a computer network. Device MAC Displays the MAC address of the AP. This is factory assigned and cannot be changed.
Page 384: Inventory
Motorola Solutions AP-6511 Access Point System Reference Guide RF Quality Index field displays the following: Bottom Radios Displays radios having very low quality indices. RF quality index indicates the overall RF performance. The RF quality indices are: • 0–50 (poor) •...
Page 385 Statistics Figure 13-15 Access Point - Inventory screen Radio Types field displays the total number of radios detected. It also displays the number of radios that use the 2.4 GHz and the 5 GHz frequency bands. Wireless LANs area displays the total number of WLANs. It also displays the following: Top 5 Displays the maximum traffic utilization of the WLAN in which the access point is a member.
Page 386: Device
Motorola Solutions AP-6511 Access Point System Reference Guide Clients on 5 GHz Channels field displays the number of wireless clients with radios operating in the 5 GHz frequency band. Clients on 2.4 GHz Channels area displays the number of wireless clients with radios operating in the 2.4 GHz band.
Page 387: Ap Upgrade
Statistics Fallback Enabled Displays whether this option is enabled. This method enables a user to store a known legacy version and a new version in device memory. The user can test the new software, and use an automatic fallback, which loads the old version in the device if the new version fails.
Page 388: Ap Detection
Motorola Solutions AP-6511 Access Point System Reference Guide Figure 13-17 Access Point - AP Upgrade screen Upgrade screen displays the following: Upgraded By Displays the device that performed the upgrade. Type Displays the model of Access Point. Displays the MAC Address of each Access Point.
Page 389: Wireless Client
Statistics 3. Select Detection. Figure 13-18 Access Point - AP Detection Screen This screen provides the following: Unsanctioned Displays the MAC address of the unauthorized AP. Reporting AP Displays the hardware encoded MAC address of the radio used with the detecting AP.
Page 390: Wireless Lans
Motorola Solutions AP-6511 Access Point System Reference Guide Figure 13-19 Access Point - Wireless Clients screen This screen provides the following: Client MAC Displays the MAC address of the wireless client. WLAN Displays the name of the WLAN the client is currently associated with. Use this information to determine if the client/WLAN placement best suits intended operation and the client coverage area.
Page 391 Statistics 3. Select Wireless LANs. Figure 13-20 Access Point - Wireless LANs screen This screen provides the following: WLAN Name Displays the name of the WLAN the Access Point is currently associated with. SSID Displays the Service Set ID of the WLAN to which the access point is associated.
Page 392: Radios
Motorola Solutions AP-6511 Access Point System Reference Guide Rx Bytes Displays the average number of packets in bytes received on the selected WLAN. Rx User Data Displays the received user data rate. Rate 13.3.8 Radios  Access Point Statistics Radio screens display information on Access Point radios.
Page 393: Radio Status
Statistics 13.3.8.1 Radio Status To view the Access Point radio statistics: 1. Select the Statistics menu from the Web UI. 2. Select the System tab from the left navigation pane and then select the Access Point node. 3. Expand Radios. 4.
Page 394: Radio Rf Statistics
Motorola Solutions AP-6511 Access Point System Reference Guide 13.3.8.2 Radio RF Statistics To view the Access Point radio statistics: 1. Select the Statistics menu from the Web UI. 2. Select the System tab from the left navigation pane and then select the Access Point node.
Page 395: Radio Traffic Statistics
Statistics 13.3.8.3 Radio Traffic Statistics To view the Access Point radio statistics: 1. Select the Statistics menu from the Web UI. 2. Select the System tab from the left navigation pane and then select the Access Point node. 3. Expand Radios. 4.
Page 396: Interfaces
Motorola Solutions AP-6511 Access Point System Reference Guide Rx User Data Displays the rate (in kbps) that user data is received by the radio. This rate Rate only applies to user data and does not include any management overhead. Tx Dropped Displays the total number of transmitted packets which have been dropped by each radio.
Page 397: General Statistics
Statistics 13.3.9.1 General Statistics  Interfaces The General screen provides information on the interface such as its MAC address, type and TX/RX statistics. To view the general interface statistics: 1. Select the Statistics menu from the Web UI. 2. Select the System tab from the left navigation pane and then select the Access Point...
Page 398 Motorola Solutions AP-6511 Access Point System Reference Guide General field describes the following: Name Displays the name of the interface. Interface MAC Displays the MAC address of the interface. Address IP Address IP address of the interface. IP Address Type...
Page 399 Statistics Traffic field describes the following: Good Octets Sent Displays the number of octets (bytes) with no errors sent by the interface. Good Octets Displays the number of octets (bytes) with no errors received by the interface. Received Good Pkts Sent Describes the number of good packets transmitted.
Page 400 Motorola Solutions AP-6511 Access Point System Reference Guide MAC Receive Displays the number of received packets failed because of an internal MAC Error sublayer that is not late collision, excessive collisions, or carrier sense error. Bad CRC Displays the CRC error. The Cyclical Redundancy Check (CRC) is the 4 byte field at the end of every frame.
Page 401: Viewing Interface Statistics Graph
Statistics 13.3.9.2 Viewing Interface Statistics Graph  Interfaces Network Graph tab displays interface statistics graphically. To view a detailed graph for an interface, select an interface and drop it on to the graph. The graph has Port Statistics as the Y-axis and the Polling Interval as the X-axis.
Page 402: Arp Entries
Motorola Solutions AP-6511 Access Point System Reference Guide 13.3.10.1 ARP Entries  Network ARP is a networking protocol for determining a network host’s hardware address when its IP address or network layer address is known. To view the ARP statistics: 1.
Page 403 Statistics 4. Select Route Entries. Figure 13-27 Access Point Network - Route Entries screen This screen supports the following data: Destination Displays the IP address of a specific destination address. DKEY Displays the destination IP address. FLAGS Displays the connection status for this entry. indicates a connected state.
Page 404: Dhcp Options
 Network An AP-6511 can use a DHCP server resource to provide the dynamic assignment of IP addresses automatically. This is a protocol that includes IP address allocation and delivery of host-specific configuration parameters from a DHCP server to a host. Some of these parameters are IP address, gateway and network mask.
Page 405: Dhcp Server
Statistics 13.3.11 DHCP Server  Network To view DHCP statistics within an AP-6511 managed network: 1. Select the Statistics menu from the Web UI. 2. Select the System tab from the left navigation pane and then select the Access Point node.
Page 406 Motorola Solutions AP-6511 Access Point System Reference Guide Displays the IP address for each client with a listed MAC address. IP Address Displays the MAC address (client hardware ID) of the client. Client ID 13-46...
Page 407: Dhcp Bindings
Statistics 13.3.11.1 DHCP Bindings  Network To view a network’s DHCP Bindings: 1. Select the Statistics menu from the Web UI. 2. Select the System tab and then select the Access Point node. 3. Select Network > DHCP Bindings. Figure 13-30 Access Point Network DHCP Server - Bindings tab The DHCP Bindings screen displays the following: Expiry Time Displays the expiration of the lease used by the client for DHCP resources.
Page 408: Dhcp Networks
Motorola Solutions AP-6511 Access Point System Reference Guide 13.3.11.2 DHCP Networks  Network To view a network’s DHCP Networks: 1. Select the Statistics menu from the Web UI. 2. Select the System tab and then select the Access Point node.
Page 409 Statistics Figure 13-31 Access Point Firewall - Packet Flow screen 13-49...
Page 410: Ip Firewall Rules
Motorola Solutions AP-6511 Access Point System Reference Guide 13.3.12.2 IP Firewall Rules  Firewall Create firewall rules to let any computer to send traffic to, or receive traffic from, programs, system services, computers or users. Firewall rules can be created to take one of the three actions listed below that match the rule’s criteria:...
Page 411: Mac Firewall Rules
Statistics This screen displays the following: Precedence Displays the precedence value applied to packets. The rules within an Access Control Entries (ACL) list are based on precedence values. Every rule has a unique precedence value between 1 and 5000. You cannot add two rules with the same precedence.
Page 412: Nat Translations
Motorola Solutions AP-6511 Access Point System Reference Guide 13.3.12.4 NAT Translations  Firewall To view the MAC Firewall Rules: 1. Select the Statistics menu from the Web UI. 2. Select the System tab and then select the Access Point node.
Page 413 Statistics Reverse Source Displays the source port for the reverse NAT flow (contains ICMP ID if it is an Port ICMP flow). Reverse Dest IP Displays the destination IP address for the reverse NAT flow. Reverse Dest Displays the destination port for the reverse NAT flow (contains ICMP ID if it Port is an ICMP flow).
Page 414: Dhcp Snooping
Motorola Solutions AP-6511 Access Point System Reference Guide 13.3.12.5 DHCP Snooping  Firewall When DHCP servers are allocating IP addresses to clients on the LAN, DHCP snooping can be configured to better enforce the security on the LAN to allow only clients with specific IP/MAC addresses.
Page 415: Certificates
Statistics Lease Time When a DHCP server allocates an address for a DHCP client, the client is assigned a lease (which expires after a designated interval defined by the administrator). The lease time is the time an IP address is reserved for re- connection after its last use.
Page 416 Motorola Solutions AP-6511 Access Point System Reference Guide Figure 13-35 Access Point Certificate - Trustpoint screen 13-56...
Page 417: Rsa Keys
Statistics Certificate Details field displays the following: Subject Name Lists details about the entity to which the certificate is issued. Alternate Displays alternative details to the information specified under the Subject Subject Name Name field. Issuer Name Displays the name of the organization issuing the certificate. Serial Number The unique serial number of the certificate issued.
Page 418: Wips
Motorola Solutions AP-6511 Access Point System Reference Guide Figure 13-36 Access Point Certificates - RSA Key screen RSA Key Details field displays the size (in bits) of the desired key. If not specified, a default key size of 1024 is used.
Page 419: Wips Events
Statistics 13.3.14.1 WIPS Events  WIPS The WIPS Events screen details the wireless intrusion event by an access point. To view the WIPS events statistics: 1. Select the Statistics menu from the Web UI. 2. Select the System tab and then select the Access Point node.
Page 420: Network Time
Motorola Solutions AP-6511 Access Point System Reference Guide Figure 13-38 Access Point - Captive Portal screen The Captive Portal screen supporting the following: Client MAC Displays the MAC address of the wireless client. Client IP Displays the IP address of the wireless client.
Page 421: Ntp Status
Statistics 13.3.16.1 NTP Status  Network Time To view the Network Time statistics of an access point: 1. Select the Statistics menu from the Web UI. 2. Select the System tab and then select the Access Point node. 3. Select Network Time.
Page 422: Ntp Association
Motorola Solutions AP-6511 Access Point System Reference Guide 13.3.16.2 NTP Association  Network Time To view the Network Time statistics of an access point: 1. Select the Statistics menu from the Web UI. 2. Select the System tab and then select the Access Point node.
Page 423 Statistics Displays the NTP association status. This can be one of the following: State Synced - Indicates the Access Point is synchronized to this NTP server. Unsynced - Indicates the Access Point has chosen this master for synchronization. However, the master itself is not yet synchronized to UTC. Selected - Indicates this NTP master server will be considered the next time the Access Pointchooses a master to synchronize with.
Page 424: Wireless Client Statistics
Motorola Solutions AP-6511 Access Point System Reference Guide 13.4 Wireless Client Statistics  Statistics The wireless client statistics display read-only statistics for each client. It provides an overview of the health of wireless clients in the network. The wireless client statistics includes RF quality, traffic utilization, user details, etc.
Page 425 Statistics Figure 13-41 Wireless Clients - Health screen Wireless Client field displays the following: Client MAC Displays the MAC address of the wireless client. Vendor Displays the vendor name or the manufacturer of the wireless client. State Displays the state of the wireless client. It can be idle, authenticated, associated or blacklisted.
Page 426 Motorola Solutions AP-6511 Access Point System Reference Guide Encryption Displays if encryption is applied. Captive Portal Displays whether captive portal authentication is enabled. Authentication RF Quality Index field displays the following: RF Quality Index Displays information on the RF quality for the selected wireless client. The RF...
Page 427: Details
Statistics This field also displays the following: Total Bytes Displays the total bytes processed by the wireless client. Total Packets Displays the total number of packets processed by the wireless client. User Data Rate Displays the average user data rate. Physical Layer Displays the average packet rate at the physical layer.
Page 428 Motorola Solutions AP-6511 Access Point System Reference Guide Figure 13-42 Wireless Clients - Details screen Wireless Client area displays the following: SSID Displays the Service Set ID the wireless client is associated with. RF Domain Displays the RF domain name the wireless client belongs to.
Page 429 Statistics Last Association Displays the duration for which the wireless client was in association with the AP. Session Time Displays the duration for which a session can be maintained by the wireless client without it being dis-associated from the system. SM Power Save Displays whether this feature is enabled on the wireless client.
Page 430: Traffic
Motorola Solutions AP-6511 Access Point System Reference Guide Displays the Association ID established by an AP. 802.11 association enables the access point to allocate resources and synchronize with a radio NIC. An NIC begins the association process by sending an association request to an access point.
Page 431 Statistics Figure 13-43 Wireless Clients - Traffic screen Traffic Utilization statistics provide the traffic index, which measures how efficiently the traffic medium is used. It is defined as the percentage of current throughput relative to the maximum possible throughput. This screen also provides the following: Total Bytes Displays the total bytes processed by the client.
Page 432 Motorola Solutions AP-6511 Access Point System Reference Guide Rx Errors Displays the degree of errors encountered during data transmission. The higher the error rate, the less reliable the connection or data transfer. Rx Actions Displays the number of receive actions during data transmission.
Page 434 MOTOROLA SOLUTIONS INC. 1303 E. ALGONQUIN ROAD SCHAUMBURG, IL 60196 http://www.motorolasolutions.com 72E-146915-01 Revision A February 2011...

Motorola AP-6511 Reference Manual

Chapter 1 Overview

Chapter 2 Web UI Overview

Chapter 3 Getting Started

Chapter 4 Dashboard

Chapter 5 Device Configuration

Chapter 6 Wireless Configuration

Chapter 7 Profile Configuration

Chapter 8 Security Configuration

Chapter 9 Services Configuration

Chapter 10 Management Access Policy Configuration

Chapter 11 Diagnostics

Chapter 12 Operations

Chapter 13 Statistics

Quick Links

Related Manuals for Motorola AP-6511

Summary of Contents for Motorola AP-6511